I had a hard time figuring out how to configure a simple VPN gateway on a Cisco without needing a Cisco VPN client, which most of the time will not work. At our office location we have a Cisco 870 VPN box. And of course we work with Linux and Windows, and some even with Mac computers. So what will work on everything without needing a big nerd (like me) to configure a simple router like that?

Ok here it comes:

no service pad
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers

hostname hostname.you.fill.in
boot-start-marker
boot-end-marker
logging buffered 51200 debugging
logging console critical
enable secret 5 blablabla
enable password 7 blablabla
aaa new-model

aaa authentication ppp default local
aaa authorization network default if-authenticated
aaa session-id common
resource policy
ip subnet-zero
ip host-routing
ip cef

OK, this is the standard code for the Cisco VPN box at your office. Now, of course, most networks at work have a DHCP server, so fill in the next lines:

ip dhcp smart-relay
ip dhcp bootp ignore
no ip bootp server
ip ssh version 2
vpdn enable

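Now we will enable the PPTP server :)

! accept-dialin is only valid inside a vpdn-group; the group name "1" is an arbitrary local label
vpdn-group 1
accept-dialin
protocol pptp
virtual-template 1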

Make a user to test with:

username dennis privilege 15 password 7 bladiebladiebla

This user also has the right to log in to the system; just lower the privilege if you don’t want the user to log in to the router. It is not a big hazard, because the user doesn’t know the enable password, of course.

Use FastEthernet 4 for your external, non-firewalled IP address. Leave everything zero and only connect a UTP cable on interface 0 to your internal LAN, where your DHCP server also is.

Then give the vlan 1 an internal ip address:

interface Vlan1
ip address 192.168.0.250 255.255.255.0

Set your default route towards your internal gateway:

ip classless
ip route 0.0.0.0 0.0.0.0 192.168.0.1

And now the most important thing: create the virtual template for your users and the PPTP authentication settings:

interface Virtual-Template1
ip unnumbered Vlan1
ip mroute-cache
peer default ip address dhcp
no keepalive
ppp encrypt mppe auto required
ppp authentication ms-chap ms-chap-v2

Now secure the rest up, and add your own security stuff to it.

Here you go:

no ip http server
no ip http secure-server
logging trap debugging
no cdp run
control-plane
line con 0
no modem enable
line aux 0
line vty 0 4
password 7 blablabla
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500

Here you go, now you can dial in on your external IP address with PPTP. It works very well: with my 16 Mbit/s cable modem I can get download speeds of 1.1MB/sec, so it is nice to work with.
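As a starting point for "add your own security stuff", here is an added example (not part of the original post) that checks a saved copy of this configuration for its weaker settings: type 7 passwords, the privilege 15 dial-in user, MS-CHAPv1, MPPE `auto`, and vty lines without `transport input ssh`. The `audit` function and the rule names are made up for this example, and the sample input is constructed from lines in this post.

```python
import re

# Constructed sample: the security-relevant lines from the configuration in this post.
SAMPLE_CONFIG = """\
service password-encryption
enable secret 5 blablabla
enable password 7 blablabla
username dennis privilege 15 password 7 bladiebladiebla
interface Virtual-Template1
ppp encrypt mppe auto required
ppp authentication ms-chap ms-chap-v2
line vty 0 4
password 7 blablabla
"""

# (rule id, pattern, finding); the rule ids are labels made up for this example.
RULES = [
    ("type7-password", r"^(enable )?password 7 |^username \S+ .*\bpassword 7 ",
     "type 7 is reversible obfuscation, not a hash"),
    ("priv15-user", r"^username \S+ privilege 15\b",
     "dial-in account is created at privilege level 15"),
    ("mschap-v1", r"^ppp authentication .*\bms-chap(\s|$)",
     "MS-CHAPv1 is still accepted next to MS-CHAPv2"),
    ("mppe-auto", r"^ppp encrypt mppe auto\b",
     "'auto' accepts 40-bit as well as 128-bit MPPE"),
]

def audit(config):
    """Return sorted (line_no, rule_id, finding) tuples for an IOS config text."""
    findings, vty, current = [], {}, None  # vty: header line no -> SSH-only seen
    for no, raw in enumerate(config.splitlines(), 1):
        line = raw.strip()
        for rule_id, pattern, msg in RULES:
            if re.search(pattern, line):
                findings.append((no, rule_id, msg))
        # Track 'line vty' blocks; indentation is not relied on because
        # pasted configs (like the one in this post) are often flattened.
        if line.startswith(("line ", "interface ")):
            current = no if line.startswith("line vty") else None
            if current:
                vty[current] = False
        elif current and line == "transport input ssh":
            vty[current] = True
    findings += [(no, "vty-transport", "no 'transport input ssh' in this vty block")
                 for no, ssh_only in vty.items() if not ssh_only]
    return sorted(findings)

if __name__ == "__main__":
    for no, rule_id, msg in audit(SAMPLE_CONFIG):
        print(f"line {no}: [{rule_id}] {msg}")
```

Run it against the output of `show running-config` saved to a file by passing the file's text to `audit`.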