This guide provides step-by-step instructions for installing and configuring a basic FreeRADIUS service on a Raspberry Pi, enabling it to authenticate logins for Cisco equipment.
1. Update the System
First, ensure that your system is up to date with the latest software packages:
sudo apt update
sudo apt upgrade -y
2. Install FreeRADIUS
Install FreeRADIUS from the official Ubuntu repositories. The package freeradius provides the RADIUS server and all the necessary utilities:
sudo apt install freeradius freeradius-utils -y
This command installs FreeRADIUS and some helpful utilities for managing RADIUS clients and users.
3. Check FreeRADIUS Service Status
After installation, the FreeRADIUS service should automatically start. To confirm it is running, check the status:
sudo systemctl status freeradius
You should see output indicating that the service is active and running. If it is not running, start it with:
sudo systemctl start freeradius
To enable FreeRADIUS to start at boot time:
sudo systemctl enable freeradius
4. Configure FreeRADIUS
FreeRADIUS configuration files are located in /etc/freeradius/3.0/ (the version may vary depending on your Ubuntu version). The most important configuration files are:
/etc/freeradius/3.0/radiusd.conf: Main configuration file for the server.
/etc/freeradius/3.0/clients.conf: Used to configure clients (devices or servers that will use RADIUS).
/etc/freeradius/3.0/users: Used to configure user authentication.
You can edit these files to suit your requirements.
To configure clients, open the clients.conf file:
sudo nano /etc/freeradius/3.0/clients.conf
A simple client definition looks like this; ipaddr can be a single host or the management subnet of the Cisco devices. Add the following at the very top of the file:
client Cisco {
    ipaddr = 172.16.255.0/24
    secret = SuperSecretPassword#2025
    require_message_authenticator = no
}
You can configure users by editing the users file:
sudo nano /etc/freeradius/3.0/users
Add new users at the very top of the file, for example:
testuser Cleartext-Password := "password"
	Cisco-AVPair = "shell:priv-lvl=15"
Formatting is very important here: the Cisco-AVPair line is a reply item and must be indented with a tab (and use plain double quotes).
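To confirm that the clients.conf secret and the users entry above produce an Access-Accept carrying shell:priv-lvl=15, here is an added example (my own code, not part of FreeRADIUS or this guide) that builds an RFC 2865 PAP Access-Request with a Message-Authenticator, validates the Response Authenticator of the reply and extracts the Cisco-AVPair; the Message-Authenticator check is what the server enforces when require_message_authenticator is set to yes instead of no. The Access-Accept built at the end is a constructed stand-in for a live reply so everything runs offline; against the Pi, send build_access_request(...) to UDP port 1812 with a socket and pass the datagram you get back to verify_response and cisco_avpairs.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, VENDOR_SPECIFIC, MESSAGE_AUTHENTICATOR = 1, 2, 26, 80
CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1

def _avp(attr_type, value):
    # One attribute: Type, Length (including this 2-byte header), Value.
    return struct.pack("!BB", attr_type, 2 + len(value)) + value

def _attributes(packet):
    # Yield (offset, type, value) for each attribute after the 20-byte header.
    pos = 20
    while pos + 2 <= len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            return
        yield pos, attr_type, packet[pos + 2:pos + length]
        pos += length

def encrypt_pap_password(secret, password, request_auth):
    # RFC 2865 5.2: pad to 16-byte blocks; XOR each block with
    # MD5(secret + previous ciphertext block), seeded with the Request Authenticator.
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += prev
    return out

def build_access_request(secret, username, password, ident, request_auth):
    # Access-Request with User-Name, PAP User-Password and Message-Authenticator (RFC 2869 5.14):
    # the HMAC-MD5 of the whole packet, computed with the attribute's own value zeroed.
    attrs = _avp(USER_NAME, username)
    attrs += _avp(USER_PASSWORD, encrypt_pap_password(secret, password, request_auth))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs) + 18) + request_auth
    zeroed = header + attrs + _avp(MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    mac = hmac.new(secret, zeroed, hashlib.md5).digest()
    return header + attrs + _avp(MESSAGE_AUTHENTICATOR, mac)

def verify_message_authenticator(secret, packet):
    # The check FreeRADIUS enforces for a client with require_message_authenticator = yes.
    for pos, attr_type, value in _attributes(packet):
        if attr_type == MESSAGE_AUTHENTICATOR and len(value) == 16:
            zeroed = packet[:pos + 2] + b"\x00" * 16 + packet[pos + 18:]
            return hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), value)
    return False

def verify_response(secret, request_auth, response):
    # RFC 2865 3: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret).
    if len(response) < 20 or struct.unpack("!H", response[2:4])[0] != len(response):
        return False
    expected = hashlib.md5(response[:4] + request_auth + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])

def cisco_avpairs(response):
    # Pull Cisco-AVPair strings (Vendor-Specific 26, vendor 9, sub-type 1) out of a reply.
    pairs = []
    for _, attr_type, value in _attributes(response):
        if attr_type == VENDOR_SPECIFIC and len(value) >= 6:
            vendor_id, sub_type, sub_len = struct.unpack("!IBB", value[:6])
            if vendor_id == CISCO_VENDOR_ID and sub_type == CISCO_AVPAIR:
                pairs.append(value[6:4 + sub_len].decode("ascii", "replace"))
    return pairs

def build_access_accept(secret, ident, request_auth, avpair):
    # Constructed Access-Accept, shaped like the reply for the users entry above; for offline checks only.
    vsa = struct.pack("!IBB", CISCO_VENDOR_ID, CISCO_AVPAIR, 2 + len(avpair)) + avpair
    attrs = _avp(VENDOR_SPECIFIC, vsa)
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_auth + attrs + secret).digest() + attrs
```

radtest from the freeradius-utils package installed in step 2 performs the same exchange from the command line if you only need a quick check.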
5. Configure Cisco device:
The following commands will configure radius for authentication and authorization, falling back to local credentials.
This will configure the “default” group, so there is no need to specify an AAA group on the VTY/console lines.
The console line will receive authorization upon authentication.
Accounting has been configured to log locally to the device.
Enable AAA
aaa new-model
aaa authentication login default group radius local line
Please follow the below guide to securely terminate a fiber (FTTP) broadband service on a Cisco C1117-4P router.
This configuration will handle DHCP on the LAN, outbound NAT (dynamic PAT), and stateful packet inspection so that connections are only ever built outbound.
The router will be unreachable from the outside world and can only be managed internally from the LAN via SSH, or locally via console.
This guide assumes a basic working knowledge of configuring Cisco equipment with a console cable.
Prerequisites
Please populate the below, ready to merge into the main config.
Enable password = #ENABLE_PASSWORD#
Login username = #USERNAME#
Login password = #PASSWORD#
Console and VTY fallback password = #FALLBACKPASSWORD#
Broadband username = #BROADBAND_USERNAME#
Broadband password = #BROADBAND_PASSWORD#
Configuration Steps
1 – Ensure any existing config on the router has been wiped and you are starting fresh (write erase, then reload).
An enable secret is required following the first boot. Enter your enable password below.
The following will now be displayed:
As we don’t want to save anything at this stage, I would enter 0 when prompted. This should allow us to start with a blank config.
Finally, if prompted to enter the initial config, type ‘no’.
2 – Enter global configuration mode and apply general ‘best practice’ fixups
service sequence-numbers
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service tcp-keepalives-in
service tcp-keepalives-out
service password-encryption
logging buffered 10240000
login on-success log
login on-failure log
clock timezone GMT 0 0
clock summer-time BST recurring last Sun Mar 1:00 last Sun Oct 1:00
no ip http server
no ip http secure-server
no ip http authentication local
ntp server 134.226.81.3
hostname R1
3 – Define login credentials and secure remote access
! Secure console and VTY lines
ip access-list standard SECURE_VTY
 10 permit 192.168.1.0 0.0.0.255
 exit
line con 0
 password #FALLBACKPASSWORD#
 login local
 session-timeout 15
 exit
line vty 0 15
 password #FALLBACKPASSWORD#
 login local
 transport input ssh
 access-class SECURE_VTY in
 session-timeout 15
 exit
4 – Configure Zones and ACLs to support stateful packet inspection
! Configure Zones
zone security OUTSIDE
zone security INSIDE
exit
! Configure ACLs to match traffic.
ip access-list extended ACL_ZBFW_INSIDE_TO_OUTSIDE
 10 permit ip any any
 exit
ip access-list extended ACL_ZBFW_ROUTER_TO_OUTSIDE
 10 permit ip any any
 exit
! Configure class-maps to match ACLs.
class-map type inspect match-any CM_ZBFW_INSIDE_TO_OUTSIDE
 match access-group name ACL_ZBFW_INSIDE_TO_OUTSIDE
 exit
class-map type inspect match-any CM_ZBFW_ROUTER_TO_OUTSIDE
 match access-group name ACL_ZBFW_ROUTER_TO_OUTSIDE
 exit
! Configure policy maps to reference class maps.
policy-map type inspect PM_ZBFW_ROUTER_TO_OUTSIDE
 class type inspect CM_ZBFW_ROUTER_TO_OUTSIDE
  inspect
 class class-default
 exit
exit
policy-map type inspect PM_ZBFW_INSIDE_TO_OUTSIDE
 class type inspect CM_ZBFW_INSIDE_TO_OUTSIDE
  inspect
 class class-default
 exit
exit
! Configure Zone pairs to reference policy-maps.
zone-pair security INSIDE_TO_OUTSIDE source INSIDE destination OUTSIDE
 service-policy type inspect PM_ZBFW_INSIDE_TO_OUTSIDE
zone-pair security ROUTER_TO_OUTSIDE source self destination OUTSIDE
 service-policy type inspect PM_ZBFW_ROUTER_TO_OUTSIDE
5 – Configure LAN interface and enable DHCP
! Configure VLAN 1 interface and DHCP
interface Vlan1
 description ### LAN DEFAULT GATEWAY ###
 ip address 192.168.1.254 255.255.255.0
 ip nat inside
 zone-member security INSIDE
 no shutdown
 exit
ip dhcp excluded-address 192.168.1.0 192.168.1.10
ip dhcp excluded-address 192.168.1.240 192.168.1.254
ip dhcp pool VLAN_1
 network 192.168.1.0 255.255.255.0
 default-router 192.168.1.254
 dns-server 1.1.1.1 8.8.8.8
 exit
! Configure built-in switchports
interface range gi0/1/0-3
 description ### ACCESS PORT ###
 switchport
 switchport mode access
 switchport access vlan 1
 spanning-tree portfast
 no shutdown
 exit
6 – Configure PPPoE interface
interface GigabitEthernet0/0/0
 description ### PPPoE INTERFACE – TO ISP FIBER MODEM ###
 no ip address
 negotiation auto
 pppoe enable
 pppoe-client dial-pool-number 1
 no cdp enable
 no shutdown
 exit
7 – Configure Dialer interface and default route
! Dialer interface
interface Dialer1
 description ### OUTSIDE INTERFACE ###
 mtu 1492
 ip address negotiated
 no ip redirects
 no ip unreachables
 ip nat outside
 zone-member security OUTSIDE
 encapsulation ppp
 ip tcp adjust-mss 1452
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap callin
 ppp chap hostname #BROADBAND_USERNAME#
 ppp chap password 0 #BROADBAND_PASSWORD#
 ppp ipcp route default
 ppp ipcp address accept
 no shutdown
 exit
! Default route
ip route 0.0.0.0 0.0.0.0 dialer1 name DEFAULT_VIA_VDSL
8 – Configure outbound NAT (Dynamic PAT)
! NAT ACL
ip access-list extended NAT
 permit ip 192.168.1.0 0.0.0.255 any
 exit
! NAT Rule
ip nat inside source list NAT interface dialer1 overload
end
9 – Verify the configuration works
! Confirm ISP has assigned an IP address to the router.
show ip int brief
! Test a ping to Google
ping 8.8.8.8
10 – Verify and save the configuration
! Verify running-config and ensure all of the above commands have been applied.
show run
! Save running-config to NVRAM
copy running-config startup-config
– or
wr
11 – Conclusion
You should now have a working broadband connection with a router that has been secured for local management.
At this point it should be possible to connect your laptop to the router switchports and open an SSH session to 192.168.1.254, logging in with the username and password configured earlier.
(The fallback password will only ever be used in the event the local username is removed in error).
The ZBFW configuration is very basic; if you intend to configure site-to-site VPNs you will likely need to add an OUTSIDE -> self zone-pair with bespoke rules to permit inbound connectivity from the remote peer. A policy-map can be configured to either ‘inspect’ or ‘pass’ packets; I have found that ‘pass’ for protocols such as IKE/ESP prevents common problems.
For convenience, please find a copy of the running-config below:
Please follow the below guide to securely terminate a VDSL (FTTC) broadband service on a Cisco C1117-4P router.
This configuration will handle DHCP on the LAN, outbound NAT (dynamic PAT), and stateful packet inspection so that connections are only ever built outbound.
The router will be unreachable from the outside world and can only be managed internally from the LAN via SSH, or locally via console.
This guide assumes a basic working knowledge of configuring Cisco equipment with a console cable.
Prerequisites
Please populate the below, ready to merge into the main config.
Enable password = #ENABLE_PASSWORD#
Login username = #USERNAME#
Login password = #PASSWORD#
Console and VTY fallback password = #FALLBACKPASSWORD#
Broadband username = #BROADBAND_USERNAME#
Broadband password = #BROADBAND_PASSWORD#
Configuration Steps
1 – Ensure any existing config on the router has been wiped and you are starting fresh (write erase, then reload).
An enable secret is required following the first boot. Enter your enable password below.
The following will now be displayed:
As we don’t want to save anything at this stage, I would enter 0 when prompted. This should allow us to start with a blank config.
Finally, if prompted to enter the initial config, type ‘no’.
2 – Enter global configuration mode and apply general ‘best practice’ fixups
service sequence-numbers
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service tcp-keepalives-in
service tcp-keepalives-out
service password-encryption
logging buffered 10240000
login on-success log
login on-failure log
clock timezone GMT 0 0
clock summer-time BST recurring last Sun Mar 1:00 last Sun Oct 1:00
no ip http server
no ip http secure-server
no ip http authentication local
ntp server 134.226.81.3
hostname R1
3 – Define login credentials and secure remote access
! Secure console and VTY lines
ip access-list standard SECURE_VTY
 10 permit 192.168.1.0 0.0.0.255
 exit
line con 0
 password #FALLBACKPASSWORD#
 login local
 session-timeout 15
 exit
line vty 0 15
 password #FALLBACKPASSWORD#
 login local
 transport input ssh
 access-class SECURE_VTY in
 session-timeout 15
 exit
4 – Configure Zones and ACLs to support stateful packet inspection
! Configure Zones
zone security OUTSIDE
zone security INSIDE
exit
! Configure ACLs to match traffic.
ip access-list extended ACL_ZBFW_INSIDE_TO_OUTSIDE
 10 permit ip any any
 exit
ip access-list extended ACL_ZBFW_ROUTER_TO_OUTSIDE
 10 permit ip any any
 exit
! Configure class-maps to match ACLs.
class-map type inspect match-any CM_ZBFW_INSIDE_TO_OUTSIDE
 match access-group name ACL_ZBFW_INSIDE_TO_OUTSIDE
 exit
class-map type inspect match-any CM_ZBFW_ROUTER_TO_OUTSIDE
 match access-group name ACL_ZBFW_ROUTER_TO_OUTSIDE
 exit
! Configure policy maps to reference class maps.
policy-map type inspect PM_ZBFW_ROUTER_TO_OUTSIDE
 class type inspect CM_ZBFW_ROUTER_TO_OUTSIDE
  inspect
 class class-default
 exit
exit
policy-map type inspect PM_ZBFW_INSIDE_TO_OUTSIDE
 class type inspect CM_ZBFW_INSIDE_TO_OUTSIDE
  inspect
 class class-default
 exit
exit
! Configure Zone pairs to reference policy-maps.
zone-pair security INSIDE_TO_OUTSIDE source INSIDE destination OUTSIDE
 service-policy type inspect PM_ZBFW_INSIDE_TO_OUTSIDE
zone-pair security ROUTER_TO_OUTSIDE source self destination OUTSIDE
 service-policy type inspect PM_ZBFW_ROUTER_TO_OUTSIDE
5 – Configure LAN interface and enable DHCP
! Configure VLAN 1 interface and DHCP
interface Vlan1
 description ### LAN DEFAULT GATEWAY ###
 ip address 192.168.1.254 255.255.255.0
 ip nat inside
 zone-member security INSIDE
 no shutdown
 exit
ip dhcp excluded-address 192.168.1.0 192.168.1.10
ip dhcp excluded-address 192.168.1.240 192.168.1.254
ip dhcp pool VLAN_1
 network 192.168.1.0 255.255.255.0
 default-router 192.168.1.254
 dns-server 1.1.1.1 8.8.8.8
 exit
! Configure built-in switchports
interface range gi0/1/0-3
 description ### ACCESS PORT ###
 switchport
 switchport mode access
 switchport access vlan 1
 spanning-tree portfast
 no shutdown
 exit
6 – Configure PPPoE interface and sub-interface
interface Ethernet0/2/0
 description ### VDSL CONTROLLER ###
 no ip address
 no negotiation auto
 no shutdown
interface Ethernet0/2/0.101
 encapsulation dot1Q 101
 pppoe enable group global
 pppoe-client dial-pool-number 1
 no shutdown
7 – Configure Dialer interface and default route
! Dialer interface
interface Dialer1
 description ### OUTSIDE INTERFACE ###
 mtu 1492
 ip address negotiated
 no ip redirects
 no ip unreachables
 ip nat outside
 zone-member security OUTSIDE
 encapsulation ppp
 ip tcp adjust-mss 1452
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap callin
 ppp chap hostname #BROADBAND_USERNAME#
 ppp chap password 0 #BROADBAND_PASSWORD#
 ppp ipcp route default
 ppp ipcp address accept
 no shutdown
 exit
! Default route
ip route 0.0.0.0 0.0.0.0 dialer1 name DEFAULT_VIA_VDSL
8 – Configure outbound NAT (Dynamic PAT)
! NAT ACL
ip access-list extended NAT
 permit ip 192.168.1.0 0.0.0.255 any
 exit
! NAT Rule
ip nat inside source list NAT interface dialer1 overload
end
9 – Verify the configuration works
! Confirm phone line has synced with modem. (You want to see a modem status of TC Sync and downstream/upstream channels as below).
show controllers vdsl 0/2/0
! Confirm ISP has assigned an IP address to the router.
show ip int brief
! Test a ping to Google
ping 8.8.8.8
10 – Verify and save the configuration
! Verify running-config and ensure all of the above commands have been applied.
show run
! Save running-config to NVRAM
copy running-config startup-config
– or
wr
11 – Conclusion
You should now have a working broadband connection with a router that has been secured for local management.
At this point it should be possible to connect your laptop to the router switchports and open an SSH session to 192.168.1.254, logging in with the username and password configured earlier.
(The fallback password will only ever be used in the event the local username is removed in error).
The ZBFW configuration is very basic; if you intend to configure site-to-site VPNs you will likely need to add an OUTSIDE -> self zone-pair with bespoke rules to permit inbound connectivity from the remote peer. A policy-map can be configured to either ‘inspect’ or ‘pass’ packets; I have found that ‘pass’ for protocols such as IKE/ESP prevents common problems.
For convenience, please find a copy of the running-config below:
Please follow the below guide to securely terminate a VDSL (FTTC) broadband service on a Cisco 887 router.
This configuration will handle DHCP on the LAN, outbound NAT (dynamic PAT), and stateful packet inspection so that connections are only ever built outbound.
The router will be unreachable from the outside world and can only be managed internally from the LAN via SSH, or locally via console.
This guide assumes a basic working knowledge of configuring Cisco equipment with a console cable.
Prerequisites
Please populate the below, ready to merge into the main config.
Enable password = #ENABLE_PASSWORD#
Login username = #USERNAME#
Login password = #PASSWORD#
Console and VTY fallback password = #FALLBACKPASSWORD#
Broadband username = #BROADBAND_USERNAME#
Broadband password = #BROADBAND_PASSWORD#
Configuration Steps
1 – Ensure any existing config on the router has been wiped and you are starting fresh (write erase, then reload).
If prompted to enter the initial config, type ‘no’.
2 – Enter global configuration mode and apply general ‘best practice’ fixups
service sequence-numbers
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service tcp-keepalives-in
service tcp-keepalives-out
service password-encryption
logging buffered 1024000
login on-success log
login on-failure log
clock timezone GMT 0 0
clock summer-time BST recurring last Sun Mar 1:00 last Sun Oct 1:00
no ip http server
no ip http secure-server
ntp server 134.226.81.3
hostname R1
3 – Define login credentials and secure remote access
! Secure console and VTY lines
ip access-list standard SECURE_VTY
 10 permit 192.168.1.0 0.0.0.255
 exit
line con 0
 password #FALLBACKPASSWORD#
 login local
 session-timeout 15
 exit
line vty 0 15
 password #FALLBACKPASSWORD#
 login local
 transport input ssh
 access-class SECURE_VTY in
 session-timeout 15
 exit
4 – Configure LAN interface and enable DHCP
! Configure VLAN 1 interface and DHCP
interface Vlan1
 description ### LAN DEFAULT GATEWAY ###
 ip address 192.168.1.254 255.255.255.0
 ip nat inside
 no shutdown
 exit
ip dhcp excluded-address 192.168.1.0 192.168.1.10
ip dhcp excluded-address 192.168.1.240 192.168.1.254
ip dhcp pool VLAN_1
 network 192.168.1.0 255.255.255.0
 default-router 192.168.1.254
 dns-server 1.1.1.1 8.8.8.8
 exit
! Configure dialer interface ACL
ip access-list extended FIREWALL_IN
 permit icmp any any echo-reply
 permit icmp any any time-exceeded
 permit icmp any any unreachable
 permit udp host 134.226.81.3 eq 123 any
 deny ip any any
 exit
! Configure CBAC
ip inspect name CBAC tcp
ip inspect name CBAC udp
ip inspect name CBAC icmp
! Configure PPPoE interface and bind to dialer.
interface Ethernet0
 no ip address
 no shutdown
 exit
interface Ethernet0.101
 encapsulation dot1Q 101
 pppoe enable group global
 pppoe-client dial-pool-number 1
 no shutdown
 exit
6 – Configure Dialer interface and default route
! Dialer interface
interface Dialer1
 description ### OUTSIDE INTERFACE ###
 mtu 1492
 ip address negotiated
 ip access-group FIREWALL_IN in
 no ip redirects
 no ip unreachables
 ip nat outside
 ip inspect CBAC out
 ip virtual-reassembly in
 encapsulation ppp
 ip tcp adjust-mss 1452
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap callin
 ppp chap hostname #BROADBAND_USERNAME#
 ppp chap password 0 #BROADBAND_PASSWORD#
 ppp ipcp route default
 ppp ipcp address accept
 no shutdown
 exit
! Default route
ip route 0.0.0.0 0.0.0.0 dialer1 name DEFAULT_VIA_VDSL
7 – Configure outbound NAT (Dynamic PAT)
! NAT ACL
ip access-list extended NAT
 permit ip 192.168.1.0 0.0.0.255 any
 exit
! NAT Rule
ip nat inside source list NAT interface dialer1 overload
end
8 – Verify the configuration works
! Confirm phone line has synced with modem. (You want to see a modem status of TC Sync and downstream/upstream channels as below).
show controllers vdsl 0
! Confirm ISP has assigned an IP address to the router.
show ip int brief
! Test a ping to Google
ping 8.8.8.8
9 – Verify and save the configuration
! Verify running-config and ensure all of the above commands have been applied.
show run
! Save running-config to NVRAM
copy running-config startup-config
– or
wr
10 – Conclusion
You should now have a working broadband connection with a router that has been secured for local management.
At this point it should be possible to connect your laptop to the router switchports and open an SSH session to 192.168.1.254, logging in with the username and password configured earlier.
(The fallback password will only ever be used in the event the local username is removed in error).
For convenience, please find a copy of the running-config below:
The below configuration replicates the behaviour of an IKEv2/IPsec client VPN, but on a Cisco IOS router, to tunnel traffic via NordVPN.
This guide assumes you have a working knowledge of Cisco routers and will be capable of making the necessary adjustments to support DNS resolution and to secure the VPN once deployed.
The router will use a username/password for local IPsec authentication and a certificate for remote peer authentication.
1. Login to your NordVPN account, navigate to “NordVPN” and then “Set up NordVPN manually”.
2. Take a note of your chosen peer and then browse to “Service credentials” and note down your own unique username/password.
Make sure IKEv2/IPsec is listed under the available protocols.
3. Go to Help Centre and search “Connect to NordVPN (IKEv2/IPSec) on Windows”
A guide should come up with a link to download Nord’s rootCA certificate. Grab a copy of this.
7. Open root.pem with Notepad and copy its contents to your clipboard. Execute the following to paste the certificate contents into the router and authenticate it.
! Phase 2 profile
crypto ipsec profile IPSEC_PROF_NORD_VPN
 set transform-set ESP_AES256_SHA256
 set security-association lifetime seconds 86400
 set security-association lifetime kilobytes disable
 set ikev2-profile IKEv2_PROF_NORD_VPN
 set pfs group14
! Configure tunnel interface.
interface Tunnel1
 description ### NORD VPN ###
 ip address negotiated
 no ip redirects
 no ip unreachables
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source Dialer1
 tunnel mode ipsec ipv4
 tunnel destination XXXXXXX.nordvpn.com
 tunnel protection ipsec profile IPSEC_PROF_NORD_VPN
9. Verify the tunnel has come up and an IP has been assigned to the VTI.
R1#show crypto ikev2 sa
 IPv4 Crypto IKEv2 SA

Tunnel-id Local                 Remote                fvrf/ivrf            Status
1         x.x.x.x/4500          x.x.x.x/4500          none/none            READY
      Encr: AES-CBC, keysize: 256, PRF: SHA256, Hash: SHA256, DH Grp:14, Auth sign: EAP, Auth verify: RSA
      Life/Active Time: 86400/1120 sec
      CE id: 1004, Session-id: 4
      Local spi: ZZZZZZ       Remote spi: YYYYYY

R1#show crypto ipsec sa

interface: Tunnel1
    Crypto map tag: Tunnel1-head-0, local addr Z.Z.Z.Z

R1#show ip int brief
Interface              IP-Address      OK? Method Status                Protocol
Tunnel1                10.x.x.x        YES NVRAM  up                    up
10. Adjust NAT to re-route desired client devices out the VPN tunnel but allow everything else to break out locally.
In this scenario dialer1 is my outside interface and tunnel1 is the VTI.
! Dialer 1 NAT ACL and route-map.
! I’ve chosen hosts 192.168.1.200 and 192.168.1.201 to be re-routed via the VPN. The ‘deny’ statements will prevent connections leaking via the dialer interface.
ip access-list extended NAT
 10 deny ip host 192.168.1.200 any
 20 deny ip host 192.168.1.201 any
 30 permit ip 10.0.0.0 0.255.255.255 any
 40 permit ip 172.16.0.0 0.15.255.255 any
 50 permit ip 192.168.0.0 0.0.255.255 any
route-map RM_NAT_OUT permit 10
 match ip address NAT
 match interface Dialer1
ip nat inside source route-map RM_NAT_OUT interface Dialer1 overload
! VPN NAT ACL and route-map.
! Outbound connections from my chosen hosts will be translated to sit behind the VTI IP.
ip access-list extended VPN_NAT
 10 permit ip 10.0.0.0 0.255.255.255 any
 20 permit ip 172.16.0.0 0.15.255.255 any
 30 permit ip 192.168.0.0 0.0.255.255 any
route-map RM_NORD_VPN permit 10
 match ip address VPN_NAT
 match interface Tunnel1
ip nat inside source route-map RM_NORD_VPN interface Tunnel1 overload
! Configure policy based routing and NAT on inside/VPN interfaces.
interface Vlan1
 ip nat inside
 ip policy route-map PBR_NORD_VPN
interface Tunnel1
 ip nat outside
11. Verify outbound NAT translations for hosts via the tunnel interface (10.x.x.x IP).
It is advisable to use Nord’s DNS servers to avoid geographical issues for the VPN hosts. This can be set manually on each end device or using DHCP reservations on the router. Below are examples for client-identifier and hardware-address.
ip dhcp pool VPN_DEVICE_01
 host 192.168.1.200 255.255.255.0
 client-identifier 01xx.xxyy.yyzz.zz
 default-router 192.168.1.1
 dns-server 103.86.99.100 103.86.96.100
ip dhcp pool VPN_DEVICE_02
 host 192.168.1.201 255.255.255.0
 hardware-address xxxx.yyyy.zzzz
 default-router 192.168.1.1
 dns-server 103.86.99.100 103.86.96.100
Whilst PAT provides some security through obscurity, it is best to secure the tunnel interface with an ACL or a ZBFW rule. I will leave it to you to engineer the solution that works best for you.
If you are configuring ZBFW, be sure to remember the ‘self’ zone and to configure policies that secure it as well as inter-zone traffic; otherwise your router's control plane will be open to the world.
If you are configuring the above on IOS 15 and would prefer not to use ZBFW, I would recommend looking at CBAC as a stateful firewall solution. This is a significant improvement over stateless or reflexive ACLs.
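The self-zone point above, and the OUTSIDE -> self note in the conclusions of the broadband guides, are easy to miss when eyeballing a running-config, so here is an added example (my own code, not from the guides or from Cisco) that parses IOS config text and reports VTY lines not restricted to SSH or missing an inbound access-class, absent global hardening lines from step 2, zone-pairs with no inspect service-policy, and zones with no zone-pair towards self. The sample config is constructed from the C1117 steps above with telnet deliberately left enabled on the VTY lines so that the checks have something to report.

```python
import re

# Constructed sample, not a capture from a real router: the hardening, ZBFW and
# VTY sections of the C1117 guide, weakened by leaving telnet in transport input.
SAMPLE_CONFIG = """\
service password-encryption
no ip http server
no ip http secure-server
zone security OUTSIDE
zone security INSIDE
zone-pair security INSIDE_TO_OUTSIDE source INSIDE destination OUTSIDE
 service-policy type inspect PM_ZBFW_INSIDE_TO_OUTSIDE
zone-pair security ROUTER_TO_OUTSIDE source self destination OUTSIDE
 service-policy type inspect PM_ZBFW_ROUTER_TO_OUTSIDE
line vty 0 15
 login local
 transport input telnet ssh
 access-class SECURE_VTY in
"""

REQUIRED_GLOBALS = ("service password-encryption", "no ip http server", "no ip http secure-server")

def parse_blocks(config):
    # Group an IOS config into (top-level command, [indented child commands]) pairs;
    # comment lines starting with "!" and blank lines are ignored.
    blocks = []
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0].isspace():
            if blocks:
                blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks

def audit(config):
    # Return a list of human-readable findings; an empty list means every check passed.
    findings = []
    blocks = parse_blocks(config)
    tops = {top for top, _ in blocks}
    for needed in REQUIRED_GLOBALS:
        if needed not in tops:
            findings.append(f"missing global hardening line: {needed}")
    for top, kids in blocks:
        if top.startswith("line vty"):
            transport = [k for k in kids if k.startswith("transport input")]
            if transport != ["transport input ssh"]:
                findings.append(f"{top}: transport input is not restricted to ssh")
            if not any(k.startswith("access-class") and k.endswith(" in") for k in kids):
                findings.append(f"{top}: no inbound access-class")
            if "login local" not in kids:
                findings.append(f"{top}: login local not set")
    # ZBFW: every zone-pair needs an inspect policy, and traffic from a zone to the
    # router itself is only policed if a zone-pair with destination self exists.
    zones = {top.split()[-1] for top in tops if top.startswith("zone security ")}
    pairs = {}
    for top, kids in blocks:
        m = re.match(r"zone-pair security \S+ source (\S+) destination (\S+)$", top)
        if m:
            pairs[(m.group(1), m.group(2))] = any(k.startswith("service-policy type inspect") for k in kids)
    for (src, dst), has_policy in pairs.items():
        if not has_policy:
            findings.append(f"zone-pair {src}->{dst} has no inspect service-policy")
    for zone in sorted(zones):
        if (zone, "self") not in pairs:
            findings.append(f"no zone-pair {zone}->self: traffic from {zone} to the router itself is not policed by ZBFW")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Feed it the output of show run (or the saved running-config) from any of the routers above; a clean run reports nothing.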
Final thoughts
IOS converts the FQDN for the tunnel destination to an IP address and stores it in the config. The below EEM script will run every 60 seconds to ensure the peer updates should there be an IP change. My outside interface ACL references the network object group to permit ESP, UDP/500 and UDP/4500. The script has no impact on the tunnel, as the router is for the most part just applying the same config; nothing is changing. I’ve also included a logging discriminator to ensure the buffer isn’t filled up.
It is possible to route all traffic via the tunnel interface by simply configuring a static route to the VPN peer via the outside interface and a default route via the tunnel, e.g.:
ip route x.x.x.x 255.255.255.255 dialer1 name NORD_VPN_PEER
ip route 0.0.0.0 0.0.0.0 tunnel1 name DEFAULT_VIA_VPN