Network Guys

Share your knowledge!

Site2Site VPN Tunnel with ClientVPN @ Cisco IOS

Good Morning everyone!

I want to describe several VPN configurations on a Cisco router, ASA firewall and Sophos UTM. I will start with Cisco IOS on a Cisco router. In this example you will learn to configure a site2site VPN tunnel with a coincident client VPN access.

First we will configure the basic IPsec VPN settings. Start with Phase 1:

crypto isakmp policy 10
encr aes
authentication pre-share
group 2

There are other commands you can use for this like hash or lifetime. Not seeing this in your config means, that the default value is configured. For example: lifetime is by default 86400 seconds (1 day). After this we will configure the site2site parameters like remote IP address, pre shared key and Phase 2 values. In our example we (subnet /24) want to connect to to our Brasilia branch office (subnet /24).

crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac

crypto isakmp key MyLittlePr3Sh@r3dK3y address no-xauth

crypto map MyCompanyMap 10 ipsec-isakmp
set peer
set security-association lifetime seconds 28800
set transform-set ESP-AES-SHA
match address vpn-brasilia

ip access-list extended vpn-brasilia
permit ip

interface Dialer1
description My WAN Link (can also be a Ethernet-Interface)
ip access-group wan_in in
crypto map MyCompanyMap

ip access-list extended wan_in
remark Protocols for VPN
permit ahp any any
permit esp any any
permit udp any any eq isakmp
permit udp any any eq non500-isakmp

ip route Dialer1

ip access-list extended tonat
deny ip any
deny ip any
deny ip any
permit ip any

ip nat inside source list tonat interface Dialer1 overload

be sure to allow the protocols from outside to inside. I always choose AES and SHA because its more secure and much more faster than 3DES (three times DES). I also got problems with MD5 between Cisco and Juniper. On Brasilia Router you need to configure the same only with the opposite values such remote peer address and the access-list for vpn-interested traffic like our “vpn-brasilia”. Keep in mind to not (!) nat into this networks!

To add Cisco Client VPN (EasyVPN) to this config you need to add this:

We will use local authentication but you can also use a RADIUS server for this.

aaa new-model
aaa authentication login userauth local
aaa authorization network groupauth local

username drdoom password !nh3LL

!define the IP address pool for the connected VPN clients:
ip local pool vpn-pool

!define the network where your vpn clients can connect to; this will also be the route(s) for your client
ip access-list extended vpn-clients
permit ip

!configure a new VPN group; you can configure more than one
crypto isakmp client configuration group myVPNclients
key The3ndIsN3@r
domain mycompany.local
pool vpn-pool
acl vpn-clients
!this will enable saving the clients password to the cisco vpn client; its very insecure because the password is stored (encrypted) locally at C:\Program Files (x86)\Cisco Systems\VPN Client\Profiles

crypto dynamic-map DynamicPeers 10
set transform-set ESP-AES-SHA

crypto map MyCompanyMap client authentication list userauth
crypto map MyCompanyMap isakmp authorization list groupauth
crypto map MyCompanyMap client configuration address respond
crypto map MyCompanyMap 200 ipsec-isakmp dynamic DynamicPeers
! the dynamic crypto map needs to have the highest order number at the crypto map MyCompanyMap because your VPN clients are always coming from a dynamic WAN address and in other case the fix site2site VPN tunnels are not working.



Now you can download the Cisco VPN client at with a CCO account and can configure a new entry:




Feel free to comment and ask to this post, I can explaine in more detail and can extend this tutorial.

Leave a Reply

Click on the button to load the content from

Load content

This site uses Akismet to reduce spam. Learn how your comment data is processed.


ekahau Certified Survey Engineer
Post Categories
Post Archives