Not so easy VPN...

I've got a pair of 2611XMs that are running as internet routers at two branch offices. They're both performing PPPoE negotiation over a fast eth/dial interface. The dialer interface is ip nat outside. The other fast eth interface is running with private LAN addresses and ip nat inside.

One of these branch offices has remote workers that connect using the VPN client, which gives them a local LAN IP address etc. This worked great, first time around for a change. However, my intent was to configure the remote branch router to VPN into the Easy VPN Server as well. I haven't been able to get it to work and was wondering if anyone could help!

Outputs from debug show that Phase 2 is failing.


Server side config

username user priv 15 pass <password>

crypto isakmp client configuration group REMOTE_LOGIN
 key 6 <key>
 max-users 20
 max-logins 2
 banner ^CConnection Secured^C

crypto isakmp profile ISAKMP_PROFILE
 match identity group REMOTE_LOGIN
 client authentication list LOCAL_AUTH
 isakmp authorization list NETWORK_AUTH
 client configuration address respond
 virtual-template 1

crypto ipsec transform-set VPN esp-aes esp-sha-hmac

crypto ipsec profile IPSEC_PROFILE
 set security-association idle-time 3600
 set transform-set VPN
 set isakmp-profile ISAKMP_PROFILE

interface FastEthernet0/0
 description LAN Interface
 ip address
 ip nat inside
 ip virtual-reassembly

interface FastEthernet0/1
 description Connection to ADSL Modem
 no ip address
 pppoe enable group global
 pppoe-client dial-pool-number 1

interface Virtual-Template1 type tunnel
 ip unnumbered FastEthernet0/0
 ip nat inside
 ip virtual-reassembly
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC_PROFILE

interface Dialer1
 bandwidth 14000
 ip address negotiated
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 ip route-cache flow
 ip tcp adjust-mss 1400
 dialer pool 1
 dialer idle-timeout 0
 no cdp enable
 ppp authentication chap callin
 ppp pap sent-username <username> password 7 <password>

ip local pool VPN_POOL

access-list SPLIT_TUNNEL permit ip any

Remote side config

crypto ipsec client ezvpn remote
 connect manual
 group REMOTE_LOGIN key 6 <key>
 mode client
 peer <hostname>
 username user password 6 <password>
 xauth userid mode local

Any help would be greatly appreciated!