Cisco L2TP Dial-in

To continue my previous post, another major way of connecting to the internet is L2TP/PPTP VPN,
The option of the PPTP I already covered in one of the previous post's (PPTP VPN to a Cisco router)
Now for the L2TP – to demonstrate this I used GNS3 with the same topology as the previous post,
*To download the ready GNS3 topology click here 

On Server side :

Enable VPDN and configure a group
Server(config)#vpdn enable
Server(config)#vpdn-group L2TP
Server(config-vpdn)# no l2tp tunnel authentication
Server(config-vpdn)#  lcp renegotiation always
Server(config-vpdn)# accept-dialin
Server(config-vpdn-acc-in)#  protocol l2tp
Server(config-vpdn-acc-in)#  virtual-template 1
The pool of IP's for the client
Server(config)#ip local pool MyPool
Create a user for the authentication 
Server(config)# username test password 0 qwe123
Configure the template
Server(config)#interface Virtual-Template1
Server(config-if)# ip unnumbered FastEthernet0/0
Server(config-if)# peer default ip address pool MyPool
Server(config-if)# ppp authentication pap callin
Server(config-if)# ppp mtu adaptive
Configure phase 1
Server(config)#crypto isakmp policy 5
Server(config-isakmp)# encr 3des
Server(config-isakmp)# authentication pre-share
Server(config-isakmp)# group 2
Configure phase 2
Server(config)#crypto ipsec transform-set MySet esp-3des esp-sha-hmac
Advanced tunnel settings
Server(config)#crypto dynamic-map MyMap 10
Server(config-crypto-map)# set transform-set MySet
Append the settings to a crypto map
Server(config)#crypto map L2TP-MAP 10 ipsec-isakmp dynamic MyMap
Apply the crypto map on the desired interface
Server(config)#interface FastEthernet0/0
Server(config-if)# ip address
Server(config-if)# crypto map L2TP-MAP
Now to the client :

Create the class for L2TP
Client(config)#pseudowire-class L2TPv2
Client(config)#encapsulation l2tpv2
Create the dialer
Client (config)#interface Virtual-PPP1
Client (config-if)# ip address negotiated
Client (config-if)#ip virtual-reassembly
Client (config-if)#ppp pap sent-username test password qwe123
Client (config-if)#pseudowire 2 pw-class L2TPv2
and in case of WAN access 
Client(config)# ip route Virtual-PPP1

By default an windows XP client will not be able to connect unless we make changes to the registry and add a service  on it, To allow a client to connect anyway add the L2TP key on both sides
On the server
Server(config)# crypto isakmp key 123 address no-xauth
On the client add it under security tab in "IPSec settings"

Hope this post was helpful, If it was please consider a donation:
BTC Address: 1CnyMpjd1RntRDxSus2hu2aDMyzL4Kj29N

LTC Address: LUqrKbzGihTU2GEnL3EwsuuLHCsxCJMdtR


  1. Hello,
    I tried to make a VPN L2TP as StrongVPN to make my anonymous connections. I would have preferred to use VPN IPsec, but no provider offers in reasonable price. I looking for if anyone has a configuration example of how to make an l2tp vpn client connection with cisco 880 serie. I saw that you know a PPTP and L2TP connection on Cisco router and I tell me that you could help me.
    Best regards,

    1. Sorry but i did not understand the question,
      what is the Cisco in you'r scenario the client, the server or just the router you need to pass through ?

      I posted both client and server configuration that i tested on a Cisco 870 so basically it should work on 880 also - just make sure it's allowed by the License of the device..

  2. thanks the best tutorial found on the web works perfect!!!


  3. Hi All,

    I need vpdn L2TP with nating because in client machine should ne coming my global ip because that ip address we can able access our client portal, Please you provide the configuration