thanks for your reply jathaval

yes right i can connect succefull but no traffic...

as you said i removed the ext acl and put a std acl a match only the internal network if i understand

ip access-list standard IT-VPN-ACL
permit 10.10.0.0 0.0.1.255

but no traffic at all(traffic being discarded)

thanks!

can you please post the output of "show crypto ipsec sa" on the router when you are connected...

also please mention the value in the routing table on the client, you will find this in client under statitics and routing

also if this is a new setup you can try configuring it without using profiles, please see if you can configure using this link

http://www.cisco.com/en/US/partner/products/sw/secursw/ps2308/products_configuration_example09186a00801c4246.shtml#enablingsplittunneling

i think you must have configured this using ccp or sdm

Hi, Jathaval! thanks for your atention

i don't have access to the link you provide me after change de acl the routing table on my client become 0.0.0.0 0.0.0.0 and all traffic are being discarded

here the output of the SH CRYPTO IPSEC SA

#sh crypto ipsec sa

interface: Virtual-Access2
    Crypto map tag: Virtual-Access2-head-0, local addr 64.30.154.85

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (172.16.255.11/255.255.255.255/0/0)
   current_peer 41.78.17.174 port 54858
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 64.30.154.85, remote crypto endpt.: 41.78.17.174
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/1.10
     current outbound spi: 0x2A77D608(712496648)

     inbound esp sas:
      spi: 0x2903FFDA(688127962)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 2033, flow_id: FPGA:33, crypto map: Virtual-Access2-head-0
        sa timing: remaining key lifetime (k/sec): (4460451/3571)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x2A77D608(712496648)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 2034, flow_id: FPGA:34, crypto map: Virtual-Access2-head-0
        sa timing: remaining key lifetime (k/sec): (4460451/3549)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

see the atachement for  the route table on the client

1> What if you use the acl that you used before, that is the extended one

Wht do you see in the routing table on the client

2> See if you can remove split tunneling and by removing the acl from the group and check the routing table

Regards,

Jitendriya

1> What if you use the acl that you used before, that is the extended one

   Wht do you see in the routing table on the client

if i re-use the acl that i used before the routing table on vpn client is: see atach file

2> See if you can remove split tunneling and by removing the acl from the group and check the routing table

sory! but i don't understand what you meen by rmove split... and acl...

best regards

Now with the old acl that is the extended can you ping something in inside and paste the output of show crypto ipsec sa from router and also can you show the statistics on the client (encaps, decaps)

Regards,

Jitendriya

Thanks! for attention

sory but i don't know where i'm missing i tried the exact config before and work perfectly.

with the primary acl the route table seems ok, but no traffic s well

sh crypto ipsec sa

interface: Virtual-Access2
    Crypto map tag: Virtual-Access2-head-0, local addr 64.30.154.85

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (172.16.255.13/255.255.255.255/0/0)
   current_peer 41.78.17.170 port 45422
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 64.30.154.85, remote crypto endpt.: 41.78.17.170
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/1.10
     current outbound spi: 0xD6DAB211(3604656657)

     inbound esp sas:
      spi: 0xFECA5FF6(4274675702)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 2037, flow_id: FPGA:37, crypto map: Virtual-Access2-head-0
        sa timing: remaining key lifetime (k/sec): (4408813/3227)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xD6DAB211(3604656657)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 2038, flow_id: FPGA:38, crypto map: Virtual-Access2-head-0
        sa timing: remaining key lifetime (k/sec): (4408813/3226)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

I do not see anything encrypted by the client, are you using win 7 with 3 g connection by any chance

Regards,

Jitendriya

Yes i do...

i'm using Win 7x64 with 3G connection

thanks a lot!   it's working now!!!

nice job...

best regards

Awesome I am glad it worked

Regards,

Jitendriya