hostname VPN
!--- Enable authentication, authorization and accounting (AAA)
!--- for user authentication and group authorization.
aaa new-model
!--- In order to enable Xauth for user authentication,
!--- enable the aaa authentication commands.
aaa authentication login userauthen local
!--- In order to enable group authorization, enable
!--- the aaa authorization commands.
aaa authorization network groupauthor local
aaa session-id common
resource policy
!--- For local authentication of the IPsec user,
!--- create the user with a password.
username user password 0 cisco
!--- Create an Internet Security Association and
!--- Key Management Protocol (ISAKMP) policy for Phase 1 negotiations.
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
!--- Create a group that is used to specify the
!--- WINS and DNS server addresses to the VPN Client,
!--- along with the pre-shared key for authentication.
crypto isakmp client configuration group vpnclient
 key cisco123
 dns 10.10.10.10
 wins 10.10.10.20
 domain cisco.com
 pool ippool
!--- Create the Phase 2 Policy for actual data encryption.
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!--- Create a dynamic map and apply
!--- the transform set that was created earlier.
crypto dynamic-map dynmap 10
 set transform-set myset
 reverse-route
!--- Create the actual crypto map,
!--- and apply the AAA lists that were created earlier.
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!--- Create the loopback interface for the VPN user traffic.
interface Loopback0
 ip address 10.11.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
interface Ethernet0/0
 ip address 10.10.10.1 255.255.255.0
 half-duplex
 ip nat inside
!--- Apply the crypto map on the interface.
interface FastEthernet1/0
 ip address 172.16.1.1 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 ip policy route-map VPN-Client
 duplex auto
 speed auto
 crypto map clientmap
interface Serial2/0
 no ip address
interface Serial2/1
 no ip address
 shutdown
interface Serial2/2
 no ip address
 shutdown
interface Serial2/3
 no ip address
 shutdown
!--- Create a pool of addresses to be
!--- assigned to the VPN Clients.
ip local pool ippool 192.168.1.1 192.168.1.2
ip http server
no ip http secure-server
ip route 10.0.0.0 255.255.255.0 172.16.1.2
!--- Enables Network Address Translation (NAT)
!--- of the inside source address that matches access list 101
!--- and gets PATed with the FastEthernet IP address.
ip nat inside source list 101 interface FastEthernet1/0 overload
!--- The access list is used to specify which traffic is to be translated for the
!--- outside Internet.
access-list 101 permit ip any any
!--- Interesting traffic used for policy route.
access-list 144 permit ip 192.168.1.0 0.0.0.255 any
!--- Configures the route map to match the interesting traffic (access list 144)
!--- and routes the traffic to next hop address 10.11.0.2.
route-map VPN-Client permit 10
 match ip address 144
 set ip next-hop 10.11.0.2
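As an added example that is not part of the Cisco configuration above, the following script audits an IOS configuration of this shape for the settings a reviewer would flag before deploying it: the type-0 (cleartext) local password, 3DES and DH group 2 in the ISAKMP policy, the group pre-shared key kept in the running config, 3DES/MD5 in the transform set, plain HTTP management, and a NAT access list that matches all traffic. The embedded CONFIG is a constructed excerpt of the page's configuration; the finding strings are the script's own.

```python
import re

# Constructed excerpt of the configuration above (sub-commands indented one space, as IOS shows them).
CONFIG = """\
aaa new-model
username user password 0 cisco
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
crypto isakmp client configuration group vpnclient
 key cisco123
 pool ippool
crypto ipsec transform-set myset esp-3des esp-md5-hmac
ip http server
ip nat inside source list 101 interface FastEthernet1/0 overload
access-list 101 permit ip any any
"""

WEAK_ISAKMP = {"encr 3des": "3DES encryption", "group 2": "1024-bit DH group 2"}
WEAK_ESP = {"esp-3des": "3DES", "esp-md5-hmac": "MD5 HMAC", "esp-des": "DES"}

def audit(config: str) -> list:
    """Return one human-readable finding per weak setting found, in config order."""
    findings, parent, nat_acls, broad_acls = [], None, [], set()
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if not raw.startswith(" "):          # top-level command: remember it as the current parent
            parent = line
            if re.match(r"username \S+ password 0 ", line):
                findings.append("username: type-0 (cleartext) password")
            elif line.startswith("crypto ipsec transform-set"):
                findings += [f"transform-set: {n}" for a, n in WEAK_ESP.items() if a in line.split()]
            elif line == "ip http server":
                findings.append("ip http server: cleartext management enabled")
            elif m := re.match(r"ip nat inside source list (\S+)", line):
                nat_acls.append(m.group(1))
            elif m := re.match(r"access-list (\S+) permit ip any any", line):
                broad_acls.add(m.group(1))
            continue
        # sub-command: interpret it relative to its parent block
        if parent and parent.startswith("crypto isakmp policy") and line in WEAK_ISAKMP:
            findings.append(f"{parent}: {WEAK_ISAKMP[line]}")
        elif parent and parent.startswith("crypto isakmp client configuration group") and line.startswith("key "):
            findings.append(f"{parent}: pre-shared group key stored in config")
    findings += [f"NAT ACL {a}: permit ip any any translates all traffic" for a in nat_acls if a in broad_acls]
    return findings

if __name__ == "__main__":
    print("\n".join(audit(CONFIG)))
```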