Cisco L2TP Dial-in

To continue my previous post, another major way of connecting to the internet is an L2TP/PPTP VPN.
I already covered the PPTP option in one of the previous posts (PPTP VPN to a Cisco router).
Now for L2TP: to demonstrate this I used GNS3 with the same topology as the previous post.

On the server side:

Enable VPDN and configure a group
Server(config)#vpdn enable
Server(config)#vpdn-group L2TP
Server(config-vpdn)# no l2tp tunnel authentication
Server(config-vpdn)#  lcp renegotiation always
Server(config-vpdn)# accept-dialin
Server(config-vpdn-acc-in)#  protocol l2tp
Server(config-vpdn-acc-in)#  virtual-template 1
The pool of IPs for the client
Server(config)#ip local pool MyPool
Create a user for the authentication 
Server(config)# username test password 0 qwe123
Configure the template
Server(config)#interface Virtual-Template1
Server(config-if)# ip unnumbered FastEthernet0/0
Server(config-if)# peer default ip address pool MyPool
Server(config-if)# ppp authentication pap callin
Server(config-if)# ppp mtu adaptive
Configure phase 1
Server(config)#crypto isakmp policy 5
Server(config-isakmp)# encr 3des
Server(config-isakmp)# authentication pre-share
Server(config-isakmp)# group 2
Configure phase 2
Server(config)#crypto ipsec transform-set MySet esp-3des esp-sha-hmac
Advanced tunnel settings
Server(config)#crypto dynamic-map MyMap 10
Server(config-crypto-map)# set transform-set MySet
Append the settings to a crypto map
Server(config)#crypto map L2TP-MAP 10 ipsec-isakmp dynamic MyMap
Apply the crypto map on the desired interface
Server(config)#interface FastEthernet0/0
Server(config-if)# ip address
Server(config-if)# crypto map L2TP-MAP
Now to the client:

Create the class for L2TP
Client(config)#pseudowire-class L2TPv2
Client(config-pw-class)# encapsulation l2tpv2
Create the dialer
Client(config)#interface Virtual-PPP1
Client(config-if)# ip address negotiated
Client(config-if)# ip virtual-reassembly
Client(config-if)# ppp pap sent-username test password qwe123
Client(config-if)# pseudowire 2 pw-class L2TPv2
And in case of WAN access
Client(config)# ip route Virtual-PPP1

By default, a Windows XP client will not be able to connect unless we make changes to the registry and add a service on it. To allow a client to connect anyway, add the L2TP key (the IPsec pre-shared key) on both sides.
On the server
Server(config)# crypto isakmp key 123 address no-xauth
On the client, add it under the Security tab in "IPSec settings"
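
As an added example (not part of the original post), this Python check flags the weaker settings in the server configuration above: disabled L2TP tunnel authentication, a type 0 password, PAP, 3DES, DH group 2 and the three-character pre-shared key. The function name `audit`, the rule list and the 20-character key threshold are assumptions made for this example.

```python
import re

# Constructed sample: the post's server lines as a running config (peer address elided, as on the page).
SERVER_CONFIG = """\
vpdn-group L2TP
 no l2tp tunnel authentication
username test password 0 qwe123
interface Virtual-Template1
 ppp authentication pap callin
crypto isakmp policy 5
 encr 3des
 authentication pre-share
 group 2
crypto ipsec transform-set MySet esp-3des esp-sha-hmac
crypto isakmp key 123 address no-xauth
"""

MIN_PSK_LEN = 20  # assumed local policy threshold, not a Cisco limit

# (parent section prefix, or None for a top-level command; pattern; finding)
RULES = [
    ("vpdn-group", r"no l2tp tunnel authentication", "L2TP tunnel authentication disabled"),
    (None, r"username \S+ password 0 ", "cleartext (type 0) user password"),
    ("interface", r"ppp authentication .*\bpap\b", "PAP authentication"),
    ("crypto isakmp policy", r"encr(yption)? 3?des\b", "DES/3DES in IKE phase 1"),
    ("crypto isakmp policy", r"group (1|2|5)$", "DH group of 1536 bits or less"),
    (None, r"crypto ipsec transform-set .*\besp-3?des\b", "DES/3DES in IPsec phase 2"),
]

def audit(config):
    """Return (line_number, finding) pairs for weak settings in an IOS config."""
    findings, section = [], ""
    for num, raw in enumerate(config.splitlines(), 1):
        line = raw.strip()
        indented = raw[:1].isspace()
        if not indented:
            section = line  # a top-level command (or "!") opens a new section
        for prefix, pattern, finding in RULES:
            in_scope = (prefix is None and not indented) or (
                prefix is not None and indented and section.startswith(prefix))
            if in_scope and re.match(pattern, line):
                findings.append((num, finding))
        psk = re.match(r"crypto isakmp key (?:0 )?(\S+) address", line)
        if psk and len(psk.group(1)) < MIN_PSK_LEN:
            findings.append((num, "short IKE pre-shared key"))
    return findings

if __name__ == "__main__":
    print(*audit(SERVER_CONFIG), sep="\n")
```

Where the IOS release supports them, `username ... secret`, `ppp authentication ms-chap-v2`, `encr aes` and `group 14` are the usual replacements that clear these findings.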



  1. Hello,
    I tried to set up an L2TP VPN such as StrongVPN to make my connections anonymous. I would have preferred to use an IPsec VPN, but no provider offers one at a reasonable price. I am looking for anyone who has a configuration example of how to make an L2TP VPN client connection with a Cisco 880 series. I saw that you know PPTP and L2TP connections on Cisco routers and I thought that you could help me.
    Best regards,

    1. Sorry, but I did not understand the question:
      what is the Cisco in your scenario, the client, the server or just the router you need to pass through?

      I posted both client and server configuration that I tested on a Cisco 870, so basically it should work on the 880 also - just make sure it's allowed by the license of the device.

  2. thanks the best tutorial found on the web works perfect!!!