SRP521W IPSec VPN with Cisco 857

sbutcher1988
Level 1

Hi,

I'm really struggling to get an IPSec VPN working correctly between an SRP521W and 857. The VPN connects, but it is not possible to communicate between the subnets. I have set NAT exclusions on the 857 and when connected to the router from my laptop with the Cisco VPN client I can connect to the server and can confirm split tunneling works. This makes me think it is the SRP521W at fault. I don't know how to show the configuration for the SRP521W so could someone please confirm if the 857 is indeed correctly configured and make some suggestions as to why the VPN isn't working?

Please note, the remote site is dynamic IP.

Below is my configuration for the 857:

no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname demo-rtr01
!
boot-start-marker
boot-end-marker
!
logging buffered 8000
!
aaa new-model
!
!
aaa authentication login clientauth local
aaa authorization network groupauthor local
!
!
aaa session-id common
clock summer-time DST date Mar 27 2011 0:00 Oct 29 2011 23:59
!
!
dot11 syslog
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.20.1
ip dhcp excluded-address 192.168.20.5
!
ip dhcp pool VLAN1
   import all
   network 192.168.20.0 255.255.255.0
   default-router 192.168.20.1
   dns-server 8.8.8.8 8.8.4.4
   option 66 ip 192.168.20.5
   option 150 ip 192.168.20.5
   lease 8
!
!
ip domain name demo.local
ip name-server 8.8.8.8
ip name-server 8.8.4.4
!
!
!
!
crypto keyring spokes
  pre-shared-key address 0.0.0.0 0.0.0.0 key 53cur3VPN
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group VPNClientGroup
 key 53cur3VPN
 dns 192.168.20.1 8.8.8.8
 pool ippool
 acl 101
crypto isakmp profile VPNClient
   description VPN Clients Profile
   match identity group VPNClientGroup
   client authentication list clientauth
   isakmp authorization list groupauthor
   client configuration address respond
crypto isakmp profile L2L
   description LAN-to-LAN for spoke router(s) connection
   keyring spokes
   match identity address 0.0.0.0
!
!
crypto ipsec transform-set VPNSet esp-3des esp-sha-hmac
!
!
crypto dynamic-map dynmap 5
 set transform-set VPNSet
 set isakmp-profile VPNClient
 reverse-route
crypto dynamic-map dynmap 10
 set transform-set VPNSet
 set isakmp-profile L2L
 reverse-route
!
!
!
!
crypto map mymap 10 ipsec-isakmp dynamic dynmap
!
archive
 log config
  hidekeys
!
!
!
!
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
 dsl operating-mode auto
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
 shutdown
!
interface FastEthernet3
 shutdown
!
interface Vlan1
 description $$ INTERNAL SUBNET $$
 ip address 192.168.20.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
interface Dialer0
 description $$ PPP CONNECTION TO WAN $$
 ip address 11.22.33.44 255.255.255.252
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 crypto map mymap
!
ip local pool ippool 192.168.200.1 192.168.200.100
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
!
no ip http server
no ip http secure-server
ip nat inside source list 100 interface Dialer0 overload
!
access-list 100 deny   ip 192.168.20.0 0.0.0.255 192.168.200.0 0.0.0.255
access-list 100 deny   ip 192.168.20.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 100 permit ip 192.168.20.0 0.0.0.255 any
access-list 101 permit ip 192.168.20.0 0.0.0.255 192.168.200.0 0.0.0.255
!
!
!
control-plane
!
!
line con 0
 no modem enable
 escape-character 3
line aux 0
line vty 0 4
 privilege level 15
 transport input ssh
 escape-character 3
!
scheduler max-task-time 5000
ntp clock-period 17179583
ntp source Dialer0
ntp server 85.158.108.151
end
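
Added example, not part of the original post: a small Python check that applies first-match ACL evaluation to the posted `access-list 100` to show which destination subnets the 857 exempts from NAT. The function names are hypothetical, and `192.168.1.0/24` is a constructed comparison value; the post does not state which LAN the SRP521W uses.

```python
import ipaddress

# ACL 100 as posted; it is the list used by "ip nat inside source list 100".
ACL_100 = """\
access-list 100 deny   ip 192.168.20.0 0.0.0.255 192.168.200.0 0.0.0.255
access-list 100 deny   ip 192.168.20.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 100 permit ip 192.168.20.0 0.0.0.255 any
"""

def _take(tok):
    """Consume one address spec (any | host A | A WILDCARD); return (net, rest)."""
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1] + "/32"), tok[2:]
    # Invert the IOS wildcard to a netmask; non-contiguous wildcards raise ValueError.
    mask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(tok[1])) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{tok[0]}/{mask}", strict=False), tok[2:]

def parse_acl(text, number="100"):
    """Return [(action, src_net, dst_net)] for the 'ip' entries of one numbered ACL."""
    rules = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) >= 6 and tok[:2] == ["access-list", number] and tok[3] == "ip":
            src, rest = _take(tok[4:])
            dst, _ = _take(rest)
            rules.append((tok[2], src, dst))
    return rules

def nat_verdict(rules, src, dst):
    """First-match result for a src->dst flow: 'exempt', 'translated' or 'partial'."""
    src, dst = ipaddress.ip_network(src), ipaddress.ip_network(dst)
    for action, rule_src, rule_dst in rules:
        if src.subnet_of(rule_src) and dst.subnet_of(rule_dst):
            return "exempt" if action == "deny" else "translated"
        if src.overlaps(rule_src) and dst.overlaps(rule_dst):
            return "partial"   # the entry matches only some addresses of the flow
    return "exempt"            # implicit deny at the end of the list: no NAT

if __name__ == "__main__":
    rules = parse_acl(ACL_100)
    # 192.168.1.0/24 is a constructed value for comparison, not from the post.
    for remote in ("192.168.200.0/24", "192.168.0.0/24", "192.168.1.0/24"):
        print(remote, nat_verdict(rules, "192.168.20.0/24", remote))
```

A `translated` verdict for the remote LAN means the 857 rewrites the source address of LAN traffic to that subnet before it leaves Dialer0; `partial` means the remote prefix is wider than the ACL entry that first touches it.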
