Site to Site IPSEC VTI + VPN Client on a stick

Sep 2nd, 2010
Currently have a working site-to-site IPsec VTI with zone-based firewall.

Now I would like to configure the router to allow a remote VPN client (using a stick) to access the network behind the router (see attached diagram).

Can the experts take a look at my configuration and advise me on the problem?

Thank you

praprama Mon, 09/13/2010 - 06:25
User Badges: Cisco Employee

Hi Kim,

The config for the VPN part seems alright. But, there seems to be no zone-pair for Inside-Ezclient and vice versa and also for Outside-Ezclient and vice versa.

Please create zone-pairs for those as well and allow/deny necessary traffic. For Outside-Ezclient and vice versa, you will need to allow ESP and UDP 4500 as well. For Inside-Ezclient and vice versa, if you want the VPN clients to be able to access anything, a "permit ip any any" would do.

Let me know if it works.
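The zone-pairs described in this reply, written out as an added example (not the poster's configuration and not Cisco's own sample): the zone names Inside, Outside and Ezclient are taken from the reply; the interface name, virtual-template number and the ACL, class-map and policy-map names are assumptions.

```cisco
! Added example, not the poster's configuration. Zone names Inside,
! Outside and Ezclient come from the reply above; the interface names,
! the virtual-template number and the ACL/class/policy names are assumed.
!
! Outside <-> Ezclient: pass only IKE (UDP 500), NAT-T (UDP 4500) and ESP.
! Note: IKE/ESP addressed to the router's own interface is self-zone
! traffic, which ZBF allows by default unless a self zone-pair exists.
ip access-list extended ACL-IPSEC-CONTROL
 permit udp any any eq isakmp
 permit udp any any eq non500-isakmp
 permit esp any any
!
class-map type inspect match-any CM-IPSEC-CONTROL
 match access-group name ACL-IPSEC-CONTROL
!
policy-map type inspect PM-IPSEC-CONTROL
 class type inspect CM-IPSEC-CONTROL
  pass
 class class-default
  drop log
!
zone security Ezclient
zone-pair security Outside-to-Ezclient source Outside destination Ezclient
 service-policy type inspect PM-IPSEC-CONTROL
zone-pair security Ezclient-to-Outside source Ezclient destination Outside
 service-policy type inspect PM-IPSEC-CONTROL
!
! Inside <-> Ezclient: the "permit ip any any" from the reply; tighten it
! to the client address pool and the LAN once the tunnel is working.
ip access-list extended ACL-VPN-CLIENTS
 permit ip any any
!
class-map type inspect match-any CM-VPN-CLIENTS
 match access-group name ACL-VPN-CLIENTS
!
policy-map type inspect PM-VPN-CLIENTS
 class type inspect CM-VPN-CLIENTS
  inspect
 class class-default
  drop log
!
zone-pair security Inside-to-Ezclient source Inside destination Ezclient
 service-policy type inspect PM-VPN-CLIENTS
zone-pair security Ezclient-to-Inside source Ezclient destination Inside
 service-policy type inspect PM-VPN-CLIENTS
!
! The interface the clients terminate on must belong to the Ezclient zone.
interface Virtual-Template1 type tunnel
 zone-member security Ezclient
```

`pass` is one-directional, which is why both directions of each zone-pair carry a policy; `show policy-map type inspect zone-pair` and `show zone-pair security` confirm the pairs are applied and whether packets are hitting class-default.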



jazzlim2004 Mon, 09/13/2010 - 19:20
I amended it as you advised but still have the same error below. What may be the problem?

Cisco Systems VPN Client Version
Copyright (C) 1998-2006 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 5.1.2600 Service Pack 3

11     10:14:53.187  09/14/10  Sev=Warning/2    IKE/0xE300009B
Invalid SPI size (PayloadNotify:116)

12     10:14:53.187  09/14/10  Sev=Warning/3    IKE/0xA3000058
Received malformed message or negotiation no longer active (message id: 0x00000000)

Thank you
