Thanks for the links but I need to configure the router without the EZVPN. There's already a L2L VPN and I can't modify it.

Please are there someone that can help me configure the C2L (Client to lan) with the cisco vpn client?

I've configured the router but:

- the L2L vpn is OK !

- the C2L VPN doesn't work: the VPN tunnel Phase 1 and Phase 2 are OK but the client can't ping the inside interface of the router (10.2.0.1)

- The split tunnel is configured corret ?(need to secure the vpn client pool 10.5.0.1 to 10.5.0.10 vs the inside lan 10.2.0.0/24).

The following is the last configuration:

!

aaa new-model

!

!

aaa authentication login clientauth local

aaa authorization network groupauthor local

!

!

aaa session-id common

!

username cisco password cisco

!

crypto isakmp policy 1

hash md5

authentication pre-share

!

crypto isakmp policy 10

encr 3des

authentication pre-share

group 2

crypto isakmp key cisco address 1.2.3.4 no-xauth

!

crypto isakmp client configuration group 3000client

key cisco

dns 10.2.0.1

wins 10.2.0.2

domain stefano.com

pool ippoolvpnclient

acl 188

save-password

!

!

crypto ipsec transform-set rtpset esp-des esp-md5-hmac

crypto ipsec transform-set myset esp-3des esp-md5-hmac

!

crypto dynamic-map dynmap 10

set transform-set myset

reverse-route

!

!

crypto map rtp client authentication list clientauth

crypto map rtp isakmp authorization list groupauthor

crypto map rtp client configuration address respond

crypto map rtp 1 ipsec-isakmp

set peer 1.2.3.4

set transform-set rtpset

match address 101

crypto map rtp 20 ipsec-isakmp dynamic dynmap

!

!

!

!

interface Dialer0

ip address 2.3.4.5 255.255.255.0

ip nat outside

crypto map rtp

!

interface Vlan1

ip address 10.2.0.1 255.255.255.0

ip nat inside

ip virtual-reassembly

!

ip local pool ippoolvpnclient 10.5.0.1 10.5.0.30

ip forward-protocol nd

ip route 0.0.0.0 0.0.0.0 outside

!

!

ip nat inside source route-map nat interface Dialer0 overload

!

!

access-list 101 permit ip 10.2.0.0 0.0.0.255 10.0.0.0 0.0.0.255

access-list 101 permit ip 10.2.0.0 0.0.0.255 192.168.168.0 0.0.0.255

access-list 101 permit ip 192.168.168.0 0.0.0.255 10.2.0.0 0.0.0.255

access-list 101 deny ip 10.2.0.0 0.0.0.255 any

!

access-list 110 deny ip 10.2.0.0 0.0.0.255 10.0.0.0 0.0.0.255

access-list 110 deny ip 10.2.0.0 0.0.0.255 192.168.168.0 0.0.0.255

access-list 110 deny ip 192.168.168.0 0.0.0.255 10.2.0.0 0.0.0.255

access-list 110 deny ip 10.2.0.0 0.0.0.255 10.5.0.0 0.0.0.31

access-list 110 permit ip 10.2.0.0 0.0.0.255 any

access-list 110 permit ip 192.168.11.0 0.0.0.255 any

!

access-list 188 remark #

access-list 188 remark # split tunneling for C2L vpn

access-list 188 permit ip 10.5.0.0 0.0.0.31 10.2.0.0 0.0.0.255

!

!

!

route-map nat permit 10

match ip address 110

!

Thanks for the check !

May I ask you the last 3 questions:

- how it's possible the configure the cisco vpn clients to access the local LAN 'split tunnelig' (I've configured on the client side ALLOW LOCAL LAN ACCESS but doesn't work)

- how it's possible to release immediately on the router the IP address of the vpn pool when the cisco vpn client disconnect ;

- how it's possible to remove immediately the IP address from the routing table router when the cisco vpn client disconnect (there's configured reverse route and the routing table is populated with static route when the clients connect) ;

Regards

RT