Hi,
I'm really struggling to get an IPSec tunnel working correctly between an SRP521W and an 857. The VPN connects, but it is not possible to communicate between the subnets. I have set NAT exclusions on the 857, and when connected to the router from my laptop with the Cisco VPN client I can connect to the server and can confirm split tunneling works. This makes me think it is the SRP521W at fault. I don't know how to show the configuration for the SRP521W, so could someone please confirm whether the 857 is indeed correctly configured and make some suggestions as to why the VPN isn't working?
Please note, the remote site is dynamic IP.
Below is my configuration for the 857:
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname demo-rtr01
!
boot-start-marker
boot-end-marker
!
logging buffered 8000
!
aaa new-model
!
!
aaa authentication login clientauth local
aaa authorization network groupauthor local
!
!
aaa session-id common
clock summer-time DST date Mar 27 2011 0:00 Oct 29 2011 23:59
!
!
dot11 syslog
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.20.1
ip dhcp excluded-address 192.168.20.5
!
ip dhcp pool VLAN1
import all
network 192.168.20.0 255.255.255.0
default-router 192.168.20.1
dns-server 8.8.8.8 8.8.4.4
option 66 ip 192.168.20.5
option 150 ip 192.168.20.5
lease 8
!
!
ip domain name demo.local
ip name-server 8.8.8.8
ip name-server 8.8.4.4
!
!
!
!
crypto keyring spokes
pre-shared-key address 0.0.0.0 0.0.0.0 key 53cur3VPN
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group VPNClientGroup
key 53cur3VPN
dns 192.168.20.1 8.8.8.8
pool ippool
acl 101
crypto isakmp profile VPNClient
description VPN Clients Profile
match identity group VPNClientGroup
client authentication list clientauth
isakmp authorization list groupauthor
client configuration address respond
crypto isakmp profile L2L
description LAN-to-LAN for spoke router(s) connection
keyring spokes
match identity address 0.0.0.0
!
!
crypto ipsec transform-set VPNSet esp-3des esp-sha-hmac
!
!
crypto dynamic-map dynmap 5
set transform-set VPNSet
set isakmp-profile VPNClient
reverse-route
crypto dynamic-map dynmap 10
set transform-set VPNSet
set isakmp-profile L2L
reverse-route
!
!
!
!
crypto map mymap 10 ipsec-isakmp dynamic dynmap
!
archive
log config
hidekeys
!
!
!
!
!
interface ATM0
no ip address
no atm ilmi-keepalive
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
dsl operating-mode auto
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
shutdown
!
interface FastEthernet3
shutdown
!
interface Vlan1
description $$ INTERNAL SUBNET $$
ip address 192.168.20.1 255.255.255.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
!
interface Dialer0
description $$ PPP CONNECTION TO WAN $$
ip address 11.22.33.44 255.255.255.252
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
crypto map mymap
!
ip local pool ippool 192.168.200.1 192.168.200.100
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
!
no ip http server
no ip http secure-server
ip nat inside source list 100 interface Dialer0 overload
!
access-list 100 deny ip 192.168.20.0 0.0.0.255 192.168.200.0 0.0.0.255
access-list 100 deny ip 192.168.20.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 100 permit ip 192.168.20.0 0.0.0.255 any
access-list 101 permit ip 192.168.20.0 0.0.0.255 192.168.200.0 0.0.0.255
!
!
!
control-plane
!
!
line con 0
no modem enable
escape-character 3
line aux 0
line vty 0 4
privilege level 15
transport input ssh
escape-character 3
!
scheduler max-task-time 5000
ntp clock-period 17179583
ntp source Dialer0
ntp server 85.158.108.151
end
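A tunnel that comes up but carries no traffic between the LANs is very often a NAT-exemption or routing problem on the hub, so the first thing to verify offline is whether the overload NAT rule would translate packets destined for the spoke LAN (a translated source address never matches the IPsec proxy identities) and whether the L2L dynamic-map entry injects a reverse route. The script below is an added example, not the poster's tooling or anything from Cisco: it parses the `ip nat inside source list` statement, the numbered extended ACLs and the `crypto dynamic-map` entries from a saved `show run`, and reports whether a given local/remote host pair is exempt from NAT. The post does not say which subnet the SRP521W uses, so the remote subnet is a parameter; the embedded config excerpt is constructed from the 857 configuration above and trimmed to the lines the check reads.

```python
"""Offline sanity check of an IOS hub config for a site-to-site IPsec tunnel.

Added example (not the poster's or Cisco's code). Assumptions: extended
numbered ACLs with protocol `ip`, contiguous wildcard masks, and a
`crypto dynamic-map` entry that is followed directly by its `set`/
`match`/`reverse-route` lines (indented or not, as forum pastes lose
indentation).
"""
import ipaddress
import re

# Constructed excerpt of the 857 config from the post, trimmed to what the check needs.
SAMPLE_CONFIG = """\
crypto dynamic-map dynmap 5
set transform-set VPNSet
set isakmp-profile VPNClient
reverse-route
crypto dynamic-map dynmap 10
set transform-set VPNSet
set isakmp-profile L2L
reverse-route
!
ip nat inside source list 100 interface Dialer0 overload
access-list 100 deny ip 192.168.20.0 0.0.0.255 192.168.200.0 0.0.0.255
access-list 100 deny ip 192.168.20.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 100 permit ip 192.168.20.0 0.0.0.255 any
"""


def _parse_addr(tokens):
    """Consume one ACL address spec (any | host A | A WILDCARD); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    addr, wildcard = tokens[0], tokens[1]
    # An IOS wildcard is an inverted netmask: 0.0.0.255 -> 255.255.255.0
    mask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard)))
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False), tokens[2:]


def parse_acls(config):
    """Return {acl_number: [(action, src_net, dst_net), ...]} for `access-list N permit|deny ip` lines."""
    acls = {}
    for line in config.splitlines():
        m = re.match(r"\s*access-list (\d+) (permit|deny) ip (.*)", line)
        if not m:
            continue
        number, action, rest = m.groups()
        src, remaining = _parse_addr(rest.split())
        dst, _ = _parse_addr(remaining)  # trailing keywords such as `log` are ignored
        acls.setdefault(number, []).append((action, src, dst))
    return acls


def nat_acl_number(config):
    """ACL number referenced by `ip nat inside source list N ...`, or None if there is no overload rule."""
    m = re.search(r"^\s*ip nat inside source list (\d+) ", config, re.M)
    return m.group(1) if m else None


def acl_action(entries, src_ip, dst_ip):
    """First-match evaluation; every IOS ACL ends with an implicit deny."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, src_net, dst_net in entries:
        if src in src_net and dst in dst_net:
            return action
    return "deny"


def is_nat_exempt(config, src_ip, dst_ip):
    """True when the overload rule would NOT translate src->dst (deny or no match in the NAT ACL)."""
    number = nat_acl_number(config)
    if number is None:
        return True
    return acl_action(parse_acls(config).get(number, []), src_ip, dst_ip) == "deny"


def dynamic_map_has_reverse_route(config, profile="L2L"):
    """Does the dynamic-map entry bound to ISAKMP profile `profile` carry `reverse-route`?"""
    entry = None  # lines of the dynamic-map entry currently being read
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("crypto dynamic-map "):
            entry = []
        elif entry is not None and (line.startswith(("set ", "match ")) or line == "reverse-route"):
            entry.append(line)
            if f"set isakmp-profile {profile}" in entry and "reverse-route" in entry:
                return True
        else:
            entry = None  # any other line ends the entry
    return False


def audit_site_to_site(config, local_net, remote_net, profile="L2L"):
    """Summarise both checks for one spoke subnet, using the first host of each network."""
    local_host = str(next(ipaddress.ip_network(local_net).hosts()))
    remote_host = str(next(ipaddress.ip_network(remote_net).hosts()))
    return {
        "nat_exempt": is_nat_exempt(config, local_host, remote_host),
        "reverse_route": dynamic_map_has_reverse_route(config, profile),
    }


if __name__ == "__main__":
    for spoke in ("192.168.0.0/24", "192.168.1.0/24"):
        print(spoke, audit_site_to_site(SAMPLE_CONFIG, "192.168.20.0/24", spoke))
```

Run it against the real `show run` output and the SRP521W's actual LAN subnet: if `nat_exempt` comes back `False` for that subnet, ACL 100 needs a `deny` for it ahead of the `permit ... any`; if the subnet is exempt and the reverse route is present on the hub, the next place to look is the spoke's own NAT and firewall rules, since the 857 side would then match what the poster's VPN-client test already demonstrates.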