Problem with Easy VPN on Cisco 892

dcsystemautocom
Level 1

Hello, I'm currently trying to set up an Easy VPN server for client-server mode using Cisco Configuration Professional on the company Cisco 892 router.

The problem is that when I set up the virtual template to be unnumbered to Vlan1, I can't connect to the VPN from the Cisco client at all.

If on the other hand I set the virtual template to GigabitEthernet0 (internet facing interface) I can connect, but I cannot access any LAN resources.

I don't have much experience with IOS so I think I'm making some basic mistakes. Here's my running config; if someone could provide me with help on how to properly configure it I would be grateful.

Regards.

Building configuration...

Current configuration : 21785 bytes
!
! Last configuration change at 14:34:21 PCTime Fri Feb 7 2014 by admin
!
version 15.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname router1
!
boot-start-marker
boot-end-marker
!
aqm-register-fnf
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200
logging console critical
enable secret 5 xxxxxxxxxxxxxxxxxxxxxxx
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network ciscocp_vpn_group_ml_1 local
!
!
!
!
!
aaa session-id common
clock timezone PCTime 1 0
clock summer-time PCTime date Mar 30 2003 2:00 Oct 26 2003 3:00
!
crypto pki trustpoint TP-self-signed-1451413265
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1451413265
 revocation-check none
 rsakeypair TP-self-signed-1451413265
!
!
crypto pki certificate chain TP-self-signed-1451413265
 certificate self-signed 01


      quit
no ip source-route
!
!
!
!
!
!
!
ip dhcp excluded-address 192.168.0.1 192.168.0.171
ip dhcp excluded-address 192.168.0.200 192.168.0.254
!
ip dhcp pool ccp-pool1
 import all
 network 192.168.0.0 255.255.255.0
 dns-server 194.204.159.1 194.204.152.34
 default-router 192.168.0.1
!
no ip bootp server
ip name-server 194.204.159.1
ip name-server 194.204.152.34
ip cef
no ipv6 cef
!
!
!
!
multilink bundle-name authenticated
!
!
!
archive
 log config
  hidekeys
!
username yyyyy privilege 15 secret 5 yyyyyyyyyyyyyyyyyyyyyyyyyyyyy
username xxxxx privilege 15 secret 5 yyyyyyyyyyyyyyyyyyyyyyyyyyyyy
!
redundancy
!
!
!
!
no cdp run
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
class-map type inspect imap match-any ccp-app-imap
 match invalid-command
class-map type inspect match-any ccp-cls-protocol-p2p
class-map type inspect match-all sdm-nat--1
 match access-group 101
class-map type inspect match-all sdm-nat--2
 match access-group 102
class-map type inspect ymsgr match-any ccp-app-yahoo-otherservices
 match service any
class-map type inspect msnmsgr match-any ccp-app-msn-otherservices
 match service any
class-map type inspect match-any ccp-h323nxg-inspect
 match protocol h323-nxg
class-map type inspect match-any ccp-cls-icmp-access
 match protocol icmp
 match protocol tcp
 match protocol udp
class-map type inspect match-any ccp-cls-protocol-im
 match protocol ymsgr yahoo-servers
 match protocol msnmsgr msn-servers
 match protocol aol aol-servers
class-map type inspect aol match-any ccp-app-aol-otherservices
 match service any
class-map type inspect match-all ccp-protocol-pop3
 match protocol pop3
class-map type inspect match-any ccp-h225ras-inspect
 match protocol h225ras
class-map type inspect match-all ccp-Stam2
 match access-group name Stam2_Klient
class-map type inspect match-any ccp-h323annexe-inspect
 match protocol h323-annexe
class-map type inspect match-any ccp-cls-insp-traffic
 match protocol dns
 match protocol ftp
 match protocol https
 match protocol icmp
 match protocol imap
 match protocol pop3
 match protocol netshow
 match protocol shell
 match protocol realmedia
 match protocol rtsp
 match protocol smtp
 match protocol sql-net
 match protocol streamworks
 match protocol tftp
 match protocol vdolive
 match protocol tcp
 match protocol udp
class-map type inspect pop3 match-any ccp-app-pop3
 match invalid-command
class-map type inspect match-any ccp-h323-inspect
 match protocol h323
class-map type inspect ymsgr match-any ccp-app-yahoo
 match service text-chat
class-map type inspect msnmsgr match-any ccp-app-msn
 match service text-chat
class-map type inspect match-all ccp-invalid-src
 match access-group 100
class-map type inspect http match-any ccp-app-httpmethods
 match request method bcopy
 match request method bdelete
 match request method bmove
 match request method bpropfind
 match request method bproppatch
 match request method connect
 match request method copy
 match request method delete
 match request method edit
 match request method getattribute
 match request method getattributenames
 match request method getproperties
 match request method index
 match request method lock
 match request method mkcol
 match request method mkdir
 match request method move
 match request method notify
 match request method options
 match request method poll
 match request method propfind
 match request method proppatch
 match request method put
 match request method revadd
 match request method revlabel
 match request method revlog
 match request method revnum
 match request method save
 match request method search
 match request method setattribute
 match request method startrev
 match request method stoprev
 match request method subscribe
 match request method trace
 match request method unedit
 match request method unlock
 match request method unsubscribe
class-map type inspect match-any ccp-sip-inspect
 match protocol sip
class-map type inspect http match-any ccp-http-blockparam
 match request port-misuse im
 match request port-misuse p2p
 match req-resp protocol-violation
class-map type inspect aol match-any ccp-app-aol
 match service text-chat
class-map type inspect match-all ccp-protocol-imap
 match protocol imap
class-map type inspect match-all ccp-protocol-http
 match protocol http
class-map type inspect http match-any ccp-http-allowparam
 match request port-misuse tunneling
class-map type inspect match-all ccp-insp-traffic
 match class-map ccp-cls-insp-traffic
class-map type inspect match-all ccp-protocol-p2p
 match class-map ccp-cls-protocol-p2p
class-map type inspect match-all ccp-protocol-im
 match class-map ccp-cls-protocol-im
class-map type inspect match-all ccp-icmp-access
 match class-map ccp-cls-icmp-access
!
policy-map type inspect imap ccp-action-imap
 class type inspect imap ccp-app-imap
  log
policy-map type inspect pop3 ccp-action-pop3
 class type inspect pop3 ccp-app-pop3
  log
policy-map type inspect im ccp-action-app-im
 class type inspect aol ccp-app-aol
  log
  allow
 class type inspect msnmsgr ccp-app-msn
  log
  allow
 class type inspect ymsgr ccp-app-yahoo
  log
  allow
 class type inspect aol ccp-app-aol-otherservices
  log
  reset
 class type inspect msnmsgr ccp-app-msn-otherservices
  log
  reset
 class type inspect ymsgr ccp-app-yahoo-otherservices
  log
  reset
policy-map type inspect ccp-inspect
 class type inspect ccp-invalid-src
  drop log
 class type inspect ccp-protocol-http
  inspect
 class type inspect ccp-protocol-imap
  inspect
  service-policy imap ccp-action-imap
 class type inspect ccp-protocol-pop3
  inspect
  service-policy pop3 ccp-action-pop3
 class type inspect ccp-protocol-p2p
  inspect
 class type inspect ccp-protocol-im
  inspect
  service-policy im ccp-action-app-im
 class type inspect ccp-insp-traffic
  inspect
 class type inspect ccp-sip-inspect
  inspect
 class type inspect ccp-h323-inspect
  inspect
 class type inspect ccp-h323annexe-inspect
  inspect
 class type inspect ccp-h225ras-inspect
  inspect
 class type inspect ccp-h323nxg-inspect
  inspect
 class type inspect ccp-skinny-inspect
  inspect
 class class-default
  drop
policy-map type inspect sdm-pol-NATOutsideToInside-1
 class type inspect ccp-cls-sdm-pol-NATOutsideToInside-1-2
  inspect
 class type inspect ccp-cls-sdm-pol-NATOutsideToInside-1-1
  inspect
 class type inspect sdm-nat--1
  inspect
 class type inspect sdm-nat--2
  inspect
 class type inspect sdm-nat-user-protocol--1-1
  inspect
 class class-default
  drop
policy-map type inspect ccp-permit
 class class-default
  drop
policy-map type inspect http ccp-action-app-http
 class type inspect http ccp-http-blockparam
  log
  reset
 class type inspect http ccp-app-httpmethods
  log
  reset
 class type inspect http ccp-http-allowparam
  log
  allow
policy-map type inspect p2p ccp-action-app-p2p
policy-map type inspect ccp-permit-icmpreply
 class type inspect ccp-icmp-access
  inspect
 class class-default
  pass
!
zone security out-zone
zone security in-zone
zone-pair security ccp-zp-self-out source self destination out-zone
 service-policy type inspect ccp-permit-icmpreply
zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone
 service-policy type inspect sdm-pol-NATOutsideToInside-1
zone-pair security ccp-zp-in-out source in-zone destination out-zone
 service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-self source out-zone destination self
 service-policy type inspect ccp-permit
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group yyyyyy
 key xxxxxxxxxxxxxx
 dns 192.168.0.1
 pool SDM_POOL_1
 include-local-lan
 max-users 5
 netmask 255.255.255.0
crypto isakmp profile ciscocp-ike-profile-1
   match identity group yyyyyy
   client authentication list ciscocp_vpn_xauth_ml_1
   isakmp authorization list ciscocp_vpn_group_ml_1
   client configuration address respond
   virtual-template 1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
 mode tunnel
!
crypto ipsec profile CiscoCP_Profile1
 set security-association idle-time 86400
 set transform-set ESP-3DES-SHA
 set isakmp-profile ciscocp-ike-profile-1
!
!
!
!
!
!
!
interface BRI0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 encapsulation hdlc
 shutdown
 isdn termination multidrop
!
interface FastEthernet0
 no ip address
!
interface FastEthernet1
 no ip address
!
interface FastEthernet2
 no ip address
!
interface FastEthernet3
 no ip address
!
interface FastEthernet4
 no ip address
!
interface FastEthernet5
 no ip address
!
interface FastEthernet6
 no ip address
!
interface FastEthernet7
 no ip address
!
interface FastEthernet8
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 duplex auto
 speed auto
!
interface Virtual-Template1 type tunnel
 ip unnumbered Vlan1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile CiscoCP_Profile1
!
interface GigabitEthernet0
 description $ES_WAN$$FW_OUTSIDE$
 ip address xxxxxxxxxxx 255.255.255.248
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat outside
 ip virtual-reassembly in
 zone-member security out-zone
 duplex auto
 speed auto
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-FE 1$$ES_LAN$$FW_INSIDE$
 ip address 192.168.0.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat inside
 ip virtual-reassembly in
 zone-member security in-zone
 ip tcp adjust-mss 1452
!
ip local pool SDM_POOL_1 10.10.10.0 10.10.10.5
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip nat inside source list 1 interface GigabitEthernet0 overload
!
!
ip sla auto discovery
logging trap debugging
!
!
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.0.0 0.0.0.255
!
!
!
control-plane
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
!
!
!
!
banner exec ^C

3 Replies

Have you ruled out that ZFW could be blocking the traffic? Are you in a position where you can remove the zone-pair from the Gig0 and Vlan1 interfaces and test?

--
Please remember to rate and select a correct answer

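As an added example (not code from the thread), a small Python checker for the ZFW question raised in the reply above: it parses a constructed excerpt of the posted config and lists interfaces that carry an IP address (or are unnumbered) but are members of no security zone, which under IOS zone-based firewall means they cannot pass traffic to or from any zoned interface. The WAN address is a placeholder because the post masks it.

```python
# Constructed excerpt of the posted running config (WAN address is a placeholder;
# the thread masks it as xxxxxxxxxxx). Enough to exercise the check below.
SAMPLE_CONFIG = """\
zone security out-zone
zone security in-zone
interface Virtual-Template1 type tunnel
 ip unnumbered Vlan1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile CiscoCP_Profile1
interface GigabitEthernet0
 ip address 203.0.113.2 255.255.255.248
 ip nat outside
 zone-member security out-zone
interface Vlan1
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
 zone-member security in-zone
interface FastEthernet0
 no ip address
"""

def parse_interfaces(config):
    """Map each 'interface X' stanza to the list of its indented sub-commands."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split()[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None  # any top-level command ends the stanza
    return interfaces

def zoneless_ip_interfaces(config):
    """Interfaces that carry IP (address or unnumbered) but belong to no zone. With
    ZFW configured such an interface cannot exchange traffic with any zoned interface,
    so a virtual-template left out of every zone is cut off from the LAN."""
    if "zone security " not in config:
        return []  # no ZFW on the box, nothing to flag
    flagged = []
    for name, cmds in parse_interfaces(config).items():
        has_ip = any(c.startswith(("ip address ", "ip unnumbered ")) for c in cmds)
        in_zone = any(c.startswith("zone-member security ") for c in cmds)
        if has_ip and not in_zone:
            flagged.append(name)
    return flagged

if __name__ == "__main__":
    print("interfaces outside any zone:", zoneless_ip_interfaces(SAMPLE_CONFIG))
```

On the excerpt this flags only Virtual-Template1, the interface the Easy VPN clients terminate on; the OP's later post reports that removing ZFW altogether did not restore LAN access, so this check rules one cause in or out rather than explaining the whole problem.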

As we are outside of business hours I'll try to remove the zone pairs from those interfaces tomorrow. I did try to assign the Virtual Template interface to the inside zone earlier, but it did not help.

dcsystemautocom
Level 1

Removing the zone pairs didn't work, so I tried to reconfigure the router.

After reconfiguring the router from scratch without the zone based firewall I get the same results: I can connect with the VPN client but can't ping or access any LAN resources.