Strange Problem Site-to-Site VPN + Client Access

xinyer · ‎10-05-2009

Hi Everyone,

I have 2 routers, one 877 and one 1841. I setup a remote access VPN first on the 877, which works fine. Then I configured Site-to-Site VPN to both router and works fine as well, able to connect to remote computers from either side. But then I tried to setup client access VPN on the 1841 router with exactly the same configuration from 877, it doesn't work.

I am able to get VPN Client software connect to the router, able to get IP address from router, able to Ping the 1841 LAN interface IP (192.168.168.1), but I can;t ping the server 192.168.168.5.

Please help me, I tried to figure out the problem for the last 10 hours it doesn't work still....

Here is my config on 1841 router

Building configuration...

Current configuration : 4795 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname c1841
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization network default local
!
aaa session-id common
ip cef
!
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
ip domain name yourdomain.com
!
!
!
archive
log config
hidekeys
!
!
!
!
crypto isakmp policy 3
hash md5
authentication pre-share
group 2
crypto isakmp key xxxxxxxxxxxxxxxxxxx address 19.0.0.x
crypto isakmp xauth timeout 90

!
crypto isakmp client configuration group test
key xxxxxxxx

pool dpool
acl 120
crypto isakmp profile vi
   match identity group test
   isakmp authorization list default
   client configuration address respond
   client configuration group test
!
!
crypto ipsec transform-set IDC-set esp-3des esp-sha-hmac
crypto ipsec transform-set set esp-3des esp-sha-hmac
!
crypto dynamic-map IDC-map 1
set transform-set IDC-set
set isakmp-profile vi
!
!
!
crypto map IDC-map 1 ipsec-isakmp dynamic IDC-map
crypto map IDC-map 10 ipsec-isakmp
set peer 19.0.0.x
set transform-set IDC-set
match address 110
!
!
!
interface Loopback0
ip address a.a.a.a 255.255.255.0
!
interface FastEthernet0/0
description WAN Interface
ip address 11.0.0.y 255.255.255.0
ip nat outside
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
no mop enabled
crypto map IDC-map
!
interface FastEthernet0/1
description LAN Interface
ip address 192.168.168.1 255.255.255.0
ip nat inside
ip virtual-reassembly
ip route-cache flow
ip tcp adjust-mss 1452
ip policy route-map bypassstatic
duplex auto
speed auto
no mop enabled
!
ip local pool dpool 192.168.166.1 192.168.166.200
no ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 p.q.r.s
!
ip http server
ip http access-class 23
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map bypassnat interface FastEthernet0/0 overload
!
access-list 23 permit 192.168.168.0 0.0.0.255
!

access-list 110 permit ip 192.168.168.0 0.0.0.255 192.168.1.0 0.0.0.255

!
access-list 120 permit ip 192.168.168.0 0.0.0.255 any
access-list 120 permit ip 192.168.166.0 0.0.0.255 any

!
access-list 196 deny ip 192.168.168.0 0.0.0.255 192.168.166.0 0.0.0.255
access-list 196 deny ip 192.168.168.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 196 permit ip 192.168.168.0 0.0.0.255 any

!
access-list 198 permit ip 192.168.168.0 0.0.0.255 192.168.166.0 0.0.0.255
access-list 198 permit ip 192.168.168.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 198 deny ip 192.168.168.0 0.0.0.255 any
!

no cdp run
!

route-map bypassstatic permit 10
match ip address 198
set ip next-hop a.a.a.b
!
route-map bypassnat permit 5
match ip address 196
!
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
access-class 23 in
privilege level 15
transport input telnet
line vty 5 15
access-class 23 in
privilege level 15
transport input telnet
!
scheduler allocate 20000 1000
end