Configure Witopia VPN on Cisco

This post is part of the VPN series and it will show how to connect a Cisco IOS device using the EZVPN feature to a Witopia IPSEC gateway

When I left the States it was difficult to make do without accessing a series of services that had been available while connected to the Internet there. When you wish to use those services with a computer the solution is simple: load a VPN client and connect.Doing it with a Wii or an Apple TV is a bit more complex:

Network Diagram

Full Net Diagram

you need to connect to VPN the network where these devices are hosted. In order to do that you need a router that can connect to the VPN and then forward traffic between the network and the VPN.

Due to the number of services I am running on my network and my familiarity with Cisco IOS, more than 12 years ago I made up my mind and started using Cisco routers even for my home network. It was a winning choice: the router grows with technology and updates.
I kept my old 1751 voice for almost 10 years and I just replaced it not because it could not do its work but because maintenance contract was cheaper on a newer router.

Currently the pictured network is based on a Cisco 1921 Integrated Services Router Generation 2 (ISR G2) with a SEC K9 license (enabling the crypto features of the router). All examples are implemented and tested on this router; these can also be implemented in any router with the proper feature set (support of the EZVPN client feature). You can follow the Amazon links for pricing and availability.

The EZVPN remote feature on Cisco routers

This feature allows a IOS endpoint to act as VPN client moving the configuration burden to the server endpoint. The needed information in the remote router is very limited and do not involve configuring access-list or more detailed IPSEC configuration.

All of the Cisco’s configuration examples involve Cisco end point but are a great start to understand how the EZVPN feature works. This example shows how to configure a cisco 800 series to connect as VPN client to 1700 series router (configured as server). This will not be a complete guide to the Cisco EZVPN remote feature, more details can be found directly on the Cisco Website. Here I will show how a EZVPN configuration can be used to connect to Witopia which as I explained in a earlier post, is my VPN service provider of choice.

Cisco EZVPN remote with Witopia

The configuration involves three steps:
We need to:


  1. Configure the VPN parameters: name, connecting mode, group ID, mode (client/network/network plus), peer address, username and password and eXtended Authentication mode;
  2. Configure the outside interface
  3. Configure one or more inside interfaces
  4. Routing should also be (already) in place

Configure the VPN parameters
The name of the VPN configuration is a free text parameter used to ID this particular configuration. It will be referenced later when we will need to associate interfaces to the configuration.

The connecting mode tells the router if connection has to occur automatically or on request. In such case you need either to telnet to the router or open the web interface to the router and request a connection. I prefer that when there is traffic for the VPN the VPN connects and so it is set to auto.

The group is set to the default group and the password is witopia, which is required to authenticate the client to the Witopia servers

Mode is set to client to differentiate with network and network plus. This has to do on how the remote routing happens. Leaving at client is the only way it works with Witopia.

The peer address tells the router where to connect: i.e. where the remote VPN endpoint is. I am using the IAD (Dulles, Washington DC) end point but feel free to select any of the other IPSec gateway just by changing the peer address.

Username and password are self-explanatory and are the one of your Witopia account

and finally the extended authentication: use “xauth userid mode local” if you want the client to connect automatically, you will not be prompted since username and password are entered in configuration in the step above.

This is the resulting config:

crypto ipsec client ezvpn witopia_IAD
connect auto
group default key witopia
mode client
peer ipsec.iad.witopia.net
username {username}@witopia password {password}
xauth userid mode local

The router will (or should) have an external interface with a publicly routable IP address. In my case the interface is a Dialer (a virtual interface in the Cisco construct that dials out) that negotiates it IP address via PPPoE from the service provider. You might have a different setup but in any case under the outside interface you should configure:

crypto ipsec client ezvpn witopia_IAD

The router will have a second interface inside the network, this interface has an IP address assigned to it and the address should come out of the RFC1918 pool (private IP address space). Hosts on the inside network should use the interface address as the default gateway and their traffic will be routed out to the VPN. The interface needs to be designed as the inside interface with the following command in interface configuration mode:

crypto ipsec client ezvpn witopia_IAD inside

Finally the routing. The EZVPN remote can only be routed by default routing. I did try to select the traffic being forwarded to the VPN but even the Cisco Technical Assistance Center (TAC) could not solve the issue. So the default route should point to the outside interface and any traffic coming in the inside is Network Address Translated and sent out to the outside. This is because the EZVPN feature takes care of everything (setting up a loopback interface, create the NAT rules) and you cannot interfere with those inner workings. so the routing table should contain a default route pointing to the outside interface as follows:

ip route 0.0.0.0 0.0.0.0 interface Dialer 1

I will show how to select traffic going into the tunnel by using the same EZVPN config in a subsequent post but this would use another router (20-30 dollars on eBay ….). In the mean time I put forward a feature request for Cisco to implement a routable interface so any traffic sent to it (policy routing or otherwise) will be forwarded to the VPN. One year is gone by and still nothing …..

Go back to Index

About Fabio

Love of technology and flying have been the drivers of my life, more about me.
Tagged , , , , , , , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *



Please solve the Sweet CAPTCHA below (when displayed) in order to post a comment.