I have a 1720 running Easy VPN server for remote access clients using the Unity client. Those connections from remote sites to the 1720 work fine. The problem is when a user coming from behind the 1720, which also serves as a firewall/NAT gateway, uses a Unity client to connect to a remote access VPN elsewhere. The session gets established but cannot pass any traffic; the logs return invalid SPI messages. I believe this is due to the dynamic crypto map being applied on the outside interface and inspecting all IPsec traffic, since the remote access map is dynamic. Is there any way around this? Is there any way for the router to differentiate when the IPsec traffic is destined for a user who initiated it from behind the router, rather than destined to the router itself for remote access?