Help with Cisco 870 VPN setup and Cisco easy VPN client

Unanswered Question
Jul 26th, 2007

I've got a Cisco 870 (non-wireless) set up with a typical home config: broadband cable (DHCP client), DHCP server, NAT, FW, etc. I also currently have a site-to-site tunnel set up.

I use the Cisco VPN client on some computers on my internal network to VPN into my work. The VPN client is set up to use IPSec over UDP. I can hit our VPN endpoint at work and authenticate, but IKE SA negotiation fails (phase 1). This used to work before configuring the tunnel. Additionally, if I swap out the 870 for my old Linksys WRT54G, the VPN client works just fine.

I also removed all ACLs from the WAN int, as well as turned off the FW, but still have the problem. Everything else I use through the 870 works fine, i.e. games, IM, inet, p2p, etc... another VPN client I have that uses VPN over SSL even works fine.

What needs to be configured on the 870 to allow IKE SA to complete?

Thanks a ton to whoever can help!

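The failure described above is a phase-1 failure seen from behind NAT, and the quickest way to tell whether the client's first message is being answered at all is to decode the ISAKMP headers in a capture taken on the client's side of the router. The following decoder is an added example, not code from any post in this thread; it parses only the fixed IKEv1 header (RFC 2408) plus the UDP/4500 non-ESP marker (RFC 3948), and the "captures" at the bottom are constructed, with made-up SPIs and zero-filled stand-ins for the SA/KE/ID payloads.

```python
"""Decode IKEv1/ISAKMP headers from UDP/500 and UDP/4500 payloads so a
packet capture taken behind the router shows how far phase 1 got.
Added example; the packets below are constructed, not captured."""
import struct

# Fixed ISAKMP header, RFC 2408 s.3.1 (28 bytes):
# I-SPI(8) R-SPI(8) next-payload(1) version(1) exchange(1) flags(1) msg-id(4) length(4)
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # RFC 3948: IKE on UDP/4500 starts with 4 zero bytes
ZERO_SPI = b"\x00" * 8                 # responder SPI stays zero until the responder answers
FLAG_ENCRYPT = 0x01                    # E bit: payloads after the header are encrypted
PHASE1_EXCHANGES = {2: "main mode", 4: "aggressive mode"}


def parse_isakmp(udp_payload, dst_port):
    """Return the header fields of one IKE datagram, or raise ValueError if it is not IKE."""
    data = udp_payload
    nat_t = dst_port == 4500
    if nat_t:
        if not data.startswith(NON_ESP_MARKER):
            raise ValueError("UDP/4500 datagram without non-ESP marker: ESP-in-UDP, not IKE")
        data = data[len(NON_ESP_MARKER):]
    if len(data) < ISAKMP_HDR.size:
        raise ValueError("truncated ISAKMP header")
    ispi, rspi, _next, version, exch, flags, msg_id, length = ISAKMP_HDR.unpack_from(data)
    if length != len(data):
        raise ValueError(f"length field {length} does not match {len(data)} bytes on the wire")
    return {
        "initiator_spi": ispi.hex(),
        "responder_spi": rspi.hex(),
        "responder_spi_set": rspi != ZERO_SPI,
        "version": f"{version >> 4}.{version & 0x0F}",
        "exchange": PHASE1_EXCHANGES.get(exch, f"type {exch}"),
        "phase1": exch in PHASE1_EXCHANGES,
        "encrypted": bool(flags & FLAG_ENCRYPT),
        "message_id": msg_id,
        "nat_t": nat_t,
    }


def build_isakmp(ispi, rspi, exch, body=b"", flags=0, nat_t=False):
    """Assemble a datagram in the layout parse_isakmp() expects (used only for the samples)."""
    hdr = ISAKMP_HDR.pack(ispi, rspi, 1, 0x10, exch, flags, 0, ISAKMP_HDR.size + len(body))
    return (NON_ESP_MARKER if nat_t else b"") + hdr + body


def phase1_status(packets):
    """packets: (direction, dst_port, udp_payload) as seen on the client's LAN side;
    direction is 'out' (client -> VPN server) or 'in' (server -> client)."""
    requests = replies = 0
    encrypted = False
    for direction, dst_port, payload in packets:
        try:
            hdr = parse_isakmp(payload, dst_port)
        except ValueError:
            continue                     # ESP-in-UDP or garbage: not part of phase 1
        if not hdr["phase1"]:
            continue
        if direction == "out" and not hdr["responder_spi_set"]:
            requests += 1                # first message, responder cookie still zero
        elif direction == "in" and hdr["responder_spi_set"]:
            replies += 1
        encrypted |= hdr["encrypted"]
    if requests == 0:
        return "no phase-1 request seen from the client"
    if replies == 0:
        return f"{requests} phase-1 request(s) sent, no reply reached the client"
    if encrypted:
        return "phase 1 reached the encrypted ID/HASH exchange"
    return "responder replied, but phase 1 stopped before the encrypted exchange"


# Constructed sample "captures" (SPI values and payload bodies are made up).
CLIENT_SPI = bytes.fromhex("0102030405060708")
SERVER_SPI = bytes.fromhex("a1a2a3a4a5a6a7a8")
SA_BODY, KE_BODY, ID_BODY = bytes(40), bytes(200), bytes(64)   # stand-ins for the payloads
WORKING_CAPTURE = [
    ("out", 500, build_isakmp(CLIENT_SPI, ZERO_SPI, 2, SA_BODY)),          # MM1: SA
    ("in", 500, build_isakmp(CLIENT_SPI, SERVER_SPI, 2, SA_BODY)),         # MM2: SA
    ("out", 500, build_isakmp(CLIENT_SPI, SERVER_SPI, 2, KE_BODY)),        # MM3: KE, NONCE, NAT-D
    ("in", 500, build_isakmp(CLIENT_SPI, SERVER_SPI, 2, KE_BODY)),         # MM4
    # NAT detected, so MM5/6 float to UDP/4500 with the non-ESP marker and the E bit set
    ("out", 4500, build_isakmp(CLIENT_SPI, SERVER_SPI, 2, ID_BODY, FLAG_ENCRYPT, nat_t=True)),
    ("in", 4500, build_isakmp(CLIENT_SPI, SERVER_SPI, 2, ID_BODY, FLAG_ENCRYPT, nat_t=True)),
    ("in", 4500, bytes.fromhex("c0ffee01") + bytes(60)),                   # ESP-in-UDP, skipped
]
STALLED_CAPTURE = [("out", 500, build_isakmp(CLIENT_SPI, ZERO_SPI, 2, SA_BODY))] * 3  # MM1 retries

if __name__ == "__main__":
    print(phase1_status(WORKING_CAPTURE))
    print(phase1_status(STALLED_CAPTURE))
```

Feed it the UDP payloads from a capture on the inside VLAN: a run of outbound main-mode messages with an all-zero responder SPI and nothing coming back means the first packet or its answer is lost between the client and the server, which is where to look before touching phase-1 proposals on either end. Note that IPsec over UDP in the Cisco client still carries IKE on UDP/500; only the ESP is wrapped.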
Paolo Bevilacqua Thu, 07/26/2007 - 13:38


The following config is for Cisco VPN client access with dynamic address allocation and split tunnel.

Hope this helps, please rate the post if it does!

aaa new-model
aaa authentication login userauthen local
aaa authorization network groupauthor local
!
username vpnc password 0 userpass
!
! Phase-1 policy (not in the post as first written; without one there is nothing
! for the client to negotiate, and the VPN client needs pre-shared key auth with DH group 2)
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
!
crypto isakmp client configuration group vpncg
 key grouppass
 pool ip-pool
 acl 108
!
crypto ipsec transform-set myset esp-aes esp-sha-hmac
!
crypto dynamic-map dynmap 10
 set transform-set myset
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
interface FastEthernet0/0
 ip nat outside
 crypto map clientmap
!
interface Vlan1
 ip address
 ip nat inside
!
ip local pool ip-pool
!
access-list 108 remark VPN client split tunnel
access-list 108 permit ip

travis.wolfe Mon, 07/30/2007 - 17:46

Thanks for the reply. I'm a noob (working on the CCNA), so sorry for the next few questions...

Is there a way to implement split tunnel with a static crypto map? Also can split tunnel be implemented without AAA?

I've read a bunch about split tunnel, but haven't seen a config like what I'm running. Since the tunnel is already set up, is there a split tunnel command I can use to enable the feature for the existing tunnel? Thanks again for the help, I'll be sure to rate if I can get this working.
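On the question of split tunnelling with a static crypto map and without AAA, here is an added example that is not part of any post in this thread. With a site-to-site map there is no separate split-tunnel command: the crypto ACL referenced by `match address` is what decides which packets enter the tunnel, and anything it does not permit is routed and NATed as normal. The addresses, ACL numbers, peer, key and interface names below are assumptions for an 870 whose WAN port is FastEthernet4; the one piece people forget is the NAT exemption, because inside-to-outside NAT runs before the crypto map sees the packet.

```text
! Interesting traffic for the tunnel: only this is encrypted, everything else bypasses it
access-list 110 permit ip 192.168.1.0 0.0.0.255 10.10.0.0 0.0.0.255
!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp key s2skey address 203.0.113.5
!
crypto ipsec transform-set s2sset esp-aes esp-sha-hmac
!
crypto map s2smap 10 ipsec-isakmp
 set peer 203.0.113.5
 set transform-set s2sset
 match address 110
!
interface FastEthernet4
 ip nat outside
 crypto map s2smap
!
interface Vlan1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
! NAT exemption: deny the tunnelled traffic so PAT does not rewrite it before encryption
access-list 120 deny   ip 192.168.1.0 0.0.0.255 10.10.0.0 0.0.0.255
access-list 120 permit ip 192.168.1.0 0.0.0.255 any
route-map nonat permit 10
 match ip address 120
ip nat inside source route-map nonat interface FastEthernet4 overload
```

To check that the split is behaving, `show crypto ipsec sa` should show encaps/decaps counters climbing only for the 10.10.0.0/24 flows, while `show ip nat translations` should list the normal Internet sessions and none toward 10.10.0.0/24.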

travis.wolfe Tue, 07/31/2007 - 05:48

Just to be clear, the site-to-site tunnel is not set up between my home and my work; it's to a completely different network. I can post the config later if that would help. Checking routes, only traffic destined for the network on the other side of the tunnel should be going there. If someone could suggest a book or has a link to some info about every way a split tunnel can be implemented, that would be helpful.

travis.wolfe Wed, 08/01/2007 - 05:54

To help clarify, I've attached a simple diagram of configuration. I really need to get this working and appreciate any help you guys can provide.
