01-13-2005 04:34 AM
Hello
I have an 837 ADSL router with 3 x site-site VPNs working OK. I'm now trying to add VPN Client connectivity but seem to have hit a brick wall!
I get "phase 1 SA policy not acceptable!" and nada!
Any suggestions most gratefully received.
01-13-2005 04:20 PM
According to the Feature Navigator (http://tools.cisco.com/ITDIT/CFN/jsp/index.jsp), support for "Easy VPN Server" wasn't formally introduced into the 837 until 12.3(2)T. You're running 12.2 something so you'll need to upgrade to get it working properly (and get proper support on it).
As for your config, you're missing the following lines:
aaa authorization network VPNgroup local
crypto map clientmap isakmp authorization list VPNgroup
Also, always make sure your dynamic crypto map instance number is HIGHER than all your static crypto maps, otherwise the dynamic one will be picked up first and match everything, which could have adverse effects on your static maps. Change your dynamic crypto map statement to the following:
no crypto map mymap 5 ipsec-isakmp dynamic DynMap
crypto map mymap 500 ipsec-isakmp dynamic DynMap
Don't forget to add your IP pool traffic into the 101 access-list either.
See the following sample config for your reference:
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080095106.shtml
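Added example, not part of the original thread: a small Python check for the ordering rule in the reply above, flagging any dynamic crypto map entry whose sequence number is lower than a static entry in the same map and building the renumbering commands. The sample config, transform-set name, ACL numbers and peer addresses are constructed for illustration; only `mymap`, `DynMap` and the sequence numbers 5 and 500 come from the thread.

```python
import re
from collections import defaultdict

# Constructed sample config (not the poster's); peers use documentation addresses.
SAMPLE_CONFIG = """\
crypto dynamic-map DynMap 10
 set transform-set myset
crypto map mymap 5 ipsec-isakmp dynamic DynMap
crypto map mymap 10 ipsec-isakmp
 set peer 192.0.2.1
 match address 110
crypto map mymap 20 ipsec-isakmp
 set peer 192.0.2.2
 match address 120
"""

# Matches "crypto map <name> <seq> ipsec-isakmp [dynamic <template>]" only.
ENTRY = re.compile(r"^crypto map (\S+) (\d+) ipsec-isakmp(?: dynamic (\S+))?\s*$")

def parse_entries(config):
    """Return {map_name: [(seq, dynamic_template_or_None), ...]}."""
    maps = defaultdict(list)
    for line in config.splitlines():
        m = ENTRY.match(line)
        if m:
            maps[m.group(1)].append((int(m.group(2)), m.group(3)))
    return maps

def misordered_dynamic_entries(config):
    """Dynamic entries evaluated before static ones: (map, seq, template, shadowed)."""
    findings = []
    for name, entries in parse_entries(config).items():
        static_seqs = sorted(s for s, tmpl in entries if tmpl is None)
        for seq, tmpl in entries:
            shadowed = [s for s in static_seqs if s > seq]
            if tmpl and shadowed:
                findings.append((name, seq, tmpl, shadowed))
    return findings

def suggest_fix(config, new_seq=500):
    """Renumbering commands in the form used in the reply (500 is its value)."""
    cmds = []
    for name, seq, tmpl, shadowed in misordered_dynamic_entries(config):
        if new_seq <= max(shadowed):
            raise ValueError(f"{new_seq} is not above static entry {max(shadowed)}")
        cmds.append(f"no crypto map {name} {seq} ipsec-isakmp dynamic {tmpl}")
        cmds.append(f"crypto map {name} {new_seq} ipsec-isakmp dynamic {tmpl}")
    return cmds
```

Run it against the text of `show running-config`; an empty result from `misordered_dynamic_entries` means every dynamic entry already sits after the static ones.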