I have a Cisco 2811 router with ADSL at a remote site which performs NAT, giving users of that site Internet access. We have a LAN-to-LAN VPN for remote management of that site's hardware, which runs from the 2811 to a Cisco VPN 3000. This all works fine.
Our corporate users, when remote, use VPN clients to connect to our network using the same Cisco VPN 3000 Concentrator. However, our corporate users who visit this site can only get their VPN clients to work if they select "IPSec over TCP". The client successfully connects over UDP, but they can't "see" anything on the network. I have failed to replicate this problem with an 837 router in our test environment (set up the same as the 2811, with LAN-to-LAN VPN and NAT).
Anyone have any ideas?
I've attached a sh ver, a sh conf, a debug of a VPN client at the site which failed and then worked successfully using TCP, and a sh crypto.
The entire network is subnetted into different 10.X.X.X subnets. 172.16.X.X is used for management.
VPN clients receive an address of 10.254.40.X.
The concentrator's real IP has been substituted with 188.8.131.52, and the real IP of the 2811 ADSL router has been substituted with 184.108.40.206.
There are 3 dialers, but we're only using dialer 1 for now; I will be applying OER later once I get this problem fixed.