Below is an example of a working configuration on a Cisco 2801 router with IOS Version 12.4(13b), RELEASE SOFTWARE (fc3). Note that authentication uses PAP, in most cases you probably want to use a more secure form of authentication. The router this config snippet came from uses RADIUS to authenticate the user. This configuration works with certificates. The change needed to allow pre-shared keys is quite small. I might add it later when I can get access to a non production router.

I’m using Fastethernet 0/1 as the external interface with IP address 123.123.123.123. The DHCP pool is in the 192.168.100.0 subnet. The DNS server is 192.168.200.1. I’ve called the crypto map VPNMAP.

vpdn enable
!
vpdn-group 1
! Default L2TP VPDN group
accept-dialin
protocol l2tp
virtual-template 1
no l2tp tunnel authentication
ip mtu adjust

crypto isakmp policy 20
encr 3des
hash sha
authentication pre-share
group 2

crypto isakmp policy 30
encr 3des
hash md5
group 2
!

crypto ipsec transform-set TRANSESP3DESMD5 esp-3des esp-md5-hmac
mode transport
!
!
!
crypto dynamic-map DYNMAP 1
set nat demux
set transform-set TRANSESP3DESMD5
match address 130
!
!
crypto map VPNMAP 65000 ipsec-isakmp dynamic DYNMAP
!
!
!
interface Virtual-Template1
ip unnumbered FastEthernet0/1
ip mroute-cache
peer default ip address pool VPN_CLIENT_POOL
ppp authentication pap
ppp ipcp dns 192.168.200.1
!
!
ip local pool VPN_CLIENT_POOL 192.168.100.1 192.168.100.99
!
access-list 130 remark Allow L2TP access
access-list 130 permit udp host 123.123.123.123 eq 1701 any
!
interface FastEthernet0/1
crypto map VPNMAP

I don’t think the “authentication pre-shared” is needed. I might remove it later when I have a chance to test it. The ISR seems to allow certificate authentication by default. Note that in my testing I found that the ISR would support both shared key and certificate authentication at the same time.

The router concerned also has a L2L (LAN to LAN) IPSec VPN tunnel configured. I might post the entire config at some later stage.