L2TP over IPsec on Cisco IOS

Written in the mid-afternoon in English

I wanted to use the OS X VPN client to connect to my home network while on the road. I guess using an OS X server would be the easiest way to get a Mac-compatible VPN server up and running. Using a Cisco running IOS required quite a few lines of configuration.

The OS X VPN client provides terrible feedback. It will happily tell you that there was “no response from the VPN server” when in reality the server responds with a rejection of all the ISAKMP or IPsec transforms proposed by the client. Fortunately both the Cisco debugging messages and verbose output from tcpdump were quite helpful.

In about 3 hours I got it all working, including routing with other VRFs and DMVPN sites.

! Enable L2TP
! - Connect VPN clients to VRF private
! - Enable NAT using NVI (already otherwise configured)

! Must use "password" ("secret" won't work)
username roadwarrior password 0 <removed>

aaa authentication ppp l2tp-auth local-case

ip local pool l2tp-pool 10.1.11.100 10.1.11.199

vpdn enable

interface Virtual-Template1
 vrf forwarding private
 ip unnumbered Loopback0
 ip nat enable
 peer default ip address pool l2tp-pool
 ppp mtu adaptive
 ppp authentication ms-chap-v2 l2tp-auth
!

vpdn-group l2tp-group
 ! Default L2TP VPDN group
 description L2TP clients
 accept-dialin
  protocol l2tp
  virtual-template 1
 no l2tp tunnel authentication
!

! ISAKMP policy:
! - OS X offers aes 256 and 128 (but not 192)
! - SHA1 is the default hash on Cisco IOS (does not show up in config)
! - OS X doesn't offer any of the PFS groups

crypto isakmp policy 50
 encr aes 256
 authentication pre-share
 group 2
 lifetime 14400
!

! Internet is connected to VRF cable
! - Wildcard peer address: any client that knows the key may start ISAKMP,
!   so this pre-shared key is effectively a group secret
crypto keyring l2tp-ring vrf cable
  pre-shared-key address 0.0.0.0 0.0.0.0 key <removed>
!

! IPsec policy
! - Match OS X proposal

crypto ipsec transform-set l2tp-transform esp-aes 256 esp-sha-hmac
 mode transport
!

! Require IPsec for all L2TP traffic
! - Vlan6 is in the cable VRF already

ip access-list extended l2tp-access
 permit udp any eq 1701 any
!

crypto dynamic-map l2tp-map 10
 set nat demux
 set transform-set l2tp-transform
 match address l2tp-access
!

crypto map l2tp 10 ipsec-isakmp dynamic l2tp-map

interface Vlan6
 crypto map l2tp
!

! Import the routes into BGP for leaking them to other VRFs
! - BGP is already otherwise configured for route leaking

ip prefix-list l2tp seq 10 permit 10.1.11.0/24 le 32

route-map connected-to-bgp permit 10
 match ip address prefix-list l2tp
!

router bgp 65111
 address-family ipv4 vrf private
  redistribute connected route-map connected-to-bgp
 exit-address-family
!

! Redistribute into OSPF (for DMVPN connected sites)
! - XXX: Why isn't OSPF getting these from BGP redistribution?

route-map connected-to-ospf permit 10
 match ip address prefix-list l2tp
!

router ospf 100 vrf private
 redistribute connected subnets route-map connected-to-ospf
!
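
The phase 1 (ISAKMP) matching behind the "no response from the VPN server" symptom and the policy notes above, as an added Python example that is not part of the original post: the IOS responder walks its policies lowest priority number first and accepts the first one a client proposal matches, so a policy offering something OS X never proposes (here AES-192) is silently rejected. The OS X proposal set, the default-hash handling and all function names are my assumptions built from the page's notes, not Cisco or Apple code.

```python
"""ISAKMP (IKEv1 phase 1) policy matching, modelled on the page's Cisco IOS notes.
Added example, not the page's own code; proposal sets below are constructed."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Proposal:
    encr: str    # e.g. "aes 256"
    hash: str    # "sha" (SHA-1) or "md5"
    auth: str    # "pre-share" or "rsa-sig"
    group: int   # Diffie-Hellman group

IOS_DEFAULT_HASH = "sha"  # SHA-1 is the IOS default and does not show up in the config

def parse_isakmp_policies(config: str) -> list:
    """Parse 'crypto isakmp policy N' blocks into (priority, Proposal), lowest number first."""
    policies, cur = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("crypto isakmp policy "):
            cur = int(line.split()[-1])
            policies[cur] = {"hash": IOS_DEFAULT_HASH}  # implicit default, overridden by 'hash ...'
        elif line == "!":
            cur = None
        elif cur is not None and line:
            key, _, value = line.partition(" ")
            policies[cur][key] = value  # encr / hash / authentication / group / lifetime
    return [(prio, Proposal(p["encr"], p["hash"], p["authentication"], int(p["group"])))
            for prio, p in sorted(policies.items())]

def select_policy(policies, client_proposals):
    """Responder picks the first policy (by priority) equal to any client proposal on encryption,
    hash, authentication and DH group; None means every proposal was rejected, which the OS X
    client reports as 'no response from the VPN server' (lifetime handling is left out here)."""
    for prio, policy in policies:
        if policy in client_proposals:
            return prio
    return None

def mismatched_attributes(policies, client_proposals) -> dict:
    """Per policy: the attributes that no client proposal agrees on, to read next to the IOS debugs."""
    return {prio: {attr for attr in ("encr", "hash", "auth", "group")
                   if all(getattr(pol, attr) != getattr(c, attr) for c in client_proposals)}
            for prio, pol in policies}

# Constructed from the page's notes: OS X offers AES-256 and AES-128 (not 192), SHA-1, PSK, DH group 2.
OSX_PROPOSALS = {Proposal("aes 256", "sha", "pre-share", 2), Proposal("aes 128", "sha", "pre-share", 2)}
PAGE_POLICY = "crypto isakmp policy 50\n encr aes 256\n authentication pre-share\n group 2\n lifetime 14400\n!"
# Constructed counter-example: AES-192 is never proposed by OS X, so this policy matches nothing.
AES192_POLICY = "crypto isakmp policy 50\n encr aes 192\n authentication pre-share\n group 2\n!"

if __name__ == "__main__":
    print(select_policy(parse_isakmp_policies(PAGE_POLICY), OSX_PROPOSALS))           # 50
    print(mismatched_attributes(parse_isakmp_policies(AES192_POLICY), OSX_PROPOSALS))  # {50: {'encr'}}
```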