Saturday, January 1, 2011

Remote Access SSL VPN and DDNS setup

My environment:  IOS 15.1(3)T on ISR 892

I have been spending quite a lot of time on the road, and it is much more convenient to have a way to remotely access my home network. On my home network I have set up SSL VPN for remote access, as well as DDNS, since I don’t have a fixed IP address for my home Internet access.

1. You can register an account in to get your own DDNS entry

2. Then configure the DDNS update method on the router; whenever the address changes, the router updates the DDNS entry dynamically.

ip ddns update method DynDNS
 interval maximum 1 0 0 0

3. Under your Internet-facing interface, configure the following commands:

ip ddns update hostname
ip ddns update DynDNS host

4. This is the WebVPN configuration of my router; you can modify it for your own setup:

ip local pool vpn-pool

webvpn gateway
 ip address port 443
 ssl trustpoint TP-self-signed-3650870944
 logging enable
webvpn install svc flash:/webvpn/svc_1.pkg sequence 1
webvpn install svc flash:/webvpn/ sequence 2
webvpn context panda-context
 ssl authenticate verify all
 login-message "Welcome to Panda's home"
 policy group panda-group
   functions svc-enabled
   banner "Login Successful"
   svc address-pool "vpn-pool"
   svc default-domain ""
   svc keep-client-installed
   svc rekey method new-tunnel
   svc split include
   svc dns-server primary
 default-group-policy panda-group

svc split is the split-tunnel configuration, which inserts specific routes into the client’s routing table. svc split include means that only this route is inserted on the host; all other routes, including the default route, follow the client’s own routing table.
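The route selection described above, as an added example that is not part of the original post: a small Python parser that reads the policy groups of a webvpn context and reports which destinations go through the tunnel and which stay on the client's own routing table. The include network 192.168.10.0/24, the second group "full-group" and the test addresses are constructed placeholders, since the post omits its real values.

```python
import ipaddress

# Constructed sample. 192.168.10.0/24 and the group "full-group" are
# placeholders for illustration; the original post omits its real values.
SAMPLE_CONFIG = """\
webvpn context panda-context
 policy group panda-group
   functions svc-enabled
   svc address-pool "vpn-pool"
   svc split include 192.168.10.0 255.255.255.0
 policy group full-group
   functions svc-enabled
 default-group-policy panda-group
"""


def split_includes(config):
    """Map each policy group to the networks named by 'svc split include'."""
    groups, current = {}, None
    for line in config.splitlines():
        words = line.split()
        if len(words) == 3 and words[:2] == ["policy", "group"]:
            current = words[2]
            groups[current] = []
        elif (current is not None and len(words) == 5
              and words[:3] == ["svc", "split", "include"]):
            # IOS writes the route as "<network> <netmask>".
            net = ipaddress.ip_network(f"{words[3]}/{words[4]}", strict=False)
            groups[current].append(net)
    return groups


def path_for(dest, includes):
    """Return 'tunnel' or 'local' for one destination address."""
    if not includes:
        # No split include configured: the client sends everything to the VPN.
        return "tunnel"
    addr = ipaddress.ip_address(dest)
    return "tunnel" if any(addr in net for net in includes) else "local"


if __name__ == "__main__":
    for group, nets in split_includes(SAMPLE_CONFIG).items():
        for dest in ("192.168.10.25", "198.51.100.7"):
            print(group, dest, path_for(dest, nets))
```

With a split include in place, the client's Internet-bound traffic leaves over whatever network the client is on and never passes through the home router.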

5. Then you can use the AnyConnect client for remote access in full tunnel mode.
