Cisco Support Community
easy vpn with split tunnel in cisco router

Hi All,

Well, I have configured an Easy VPN with split tunnel, but split tunnel is not working. Please, can anyone help? My configuration:

My requirement is access to the corporate network and then access to the local internet.

Server RTR 3845

Client RTR 800 series

aaa authentication login sdm_vpn_xauth_ml_1 group radius local
aaa authentication login XXXX group radius local
aaa authorization network sdm_vpn_group_ml_1 local
crypto isakmp policy 100
 encr 3des
 authentication pre-share
 group 2
crypto isakmp client configuration group BRANCH
 key ABCD
 pool SDM_POOL_13
 acl 150
crypto ipsec transform-set BRANCH esp-3des esp-sha-hmac
crypto dynamic-map BRANCH 13
 set security-association replay disable
 set transform-set BRANCH
crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_1
crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1
crypto map SDM_CMAP_1 client configuration address respond
crypto map BRANCH isakmp authorization list sdm_vpn_group_ml_1
crypto map BRANCH client configuration address respond
interface GigabitEthernet0/0
 ip address
 ip access-group 110 in
 ip access-group 108 out
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip virtual-reassembly
 load-interval 30
 duplex full
 speed auto
 media-type rj45
 no cdp enable
 crypto map SDM_CMAP_1
interface GigabitEthernet0/1
 no ip address
 duplex auto
 speed auto
 media-type rj45
interface GigabitEthernet0/1.30
 description *** VIMTAVPN ***
 encapsulation dot1Q 300
 ip address
 ip access-group branchvpn out
ip local pool SDM_POOL_13
ip access-list extended branchvpn
permit ip
permit ip

ip access-list extended 150

permit ip any
ip route



no aaa new-model

vtp mode transparent

crypto ipsec client ezvpn BRANCH
 connect auto
 group BRANCH key ABCD
 mode network-extension
 username abc password xyz
 xauth userid mode interactive

interface FastEthernet0
 switchport access vlan 22
 no ip address
interface FastEthernet1
 switchport access vlan 22
 no ip address
interface FastEthernet2
 switchport access vlan 22
 no ip address
interface FastEthernet8
 no ip address
 duplex auto
 speed auto
interface GigabitEthernet0
 no ip address
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed 100
 pppoe enable group 1
 pppoe-client dial-pool-number 1
 no cdp enable
interface Vlan22
 ip address
 ip nat inside
 ip virtual-reassembly in
 crypto ipsec client ezvpn BRANCH inside

interface Dialer1
 ip address negotiated
 ip mtu 1492
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication pap callin
 ppp chap hostname abcdfgh
 ppp chap password 7 111E0350426842
 ppp pap sent-username abcdhf password 7 01041C510bn1201c
 no cdp enable
 crypto ipsec client ezvpn BRANCH
ip route Dialer1

access-list 130 deny   tcp any any eq 0
access-list 130 deny   ip
access-list 130 permit ip any
dialer-list 1 protocol ip permit
route-map vimta permit 10
 match ip address 130


When I issue show cry map on the branch, the output is:

Crypto Map IPv4 "Dialer1-head-0" 65536 ipsec-isakmp
        Map is a PROFILE INSTANCE.
        Peer =
        Extended IP access list
            access-list  permit ip any
        Current peer:
        Security association lifetime: 4608000 kilobytes/2147483 seconds
        Responder-Only (Y/N): N
        PFS (Y/N): N
        DH group:  group2
        Transform sets={
                ezvpn-profile-autoconfig-transform-0:  { esp-aes esp-sha-hmac  }
                ezvpn-profile-autoconfig-transform-1:  { esp-aes esp-md5-hmac  }
                ezvpn-profile-autoconfig-transform-2:  { esp-aes esp-sha-hmac  } , { comp-lzs  } ,
                ezvpn-profile-autoconfig-transform-3:  { esp-aes esp-md5-hmac  } , { comp-lzs  } ,
                ezvpn-profile-autoconfig-transform-4:  { esp-192-aes esp-sha-hmac  } ,
                ezvpn-profile-autoconfig-transform-5:  { esp-192-aes esp-md5-hmac  } ,
                ezvpn-profile-autoconfig-transform-6:  { esp-256-aes esp-sha-hmac  } ,
                ezvpn-profile-autoconfig-transform-7:  { esp-256-aes esp-md5-hmac  } ,
                ezvpn-profile-autoconfig-transform-8:  { esp-256-aes esp-sha-hmac  } , { comp-lzs  } ,
                ezvpn-profile-autoconfig-transform-9:  { esp-256-aes esp-md5-hmac  } , { comp-lzs  } ,
                ezvpn-profile-autoconfig-transform-10:  { esp-3des esp-sha-hmac  } ,
                ezvpn-profile-autoconfig-transform-11:  { esp-3des esp-md5-hmac  } ,
                ezvpn-profile-autoconfig-transform-12:  { esp-3des esp-sha-hmac  } , { comp-lzs  } ,
                ezvpn-profile-autoconfig-transform-13:  { esp-3des esp-md5-hmac  } , { comp-lzs  } ,
                ezvpn-profile-autoconfig-transform-14:  { esp-des esp-sha-hmac  } ,
                ezvpn-profile-autoconfig-transform-15:  { esp-des esp-md5-hmac  } ,
        Interfaces using crypto map Dialer1-head-0:


And I am able to ping the server LAN but not the Internet (from the BRANCH LAN).


Can anyone help me?


Jai Kishore


Hi Jai Kishore,


Please remove include-local-lan from crypto isakmp client configuration group BRANCH on the EZVPN server, because you have already enabled the split tunnel with the ACL.
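An added example, not code from this thread or from Cisco: a small Python checker that reads the server's isakmp client group, finds the split-tunnel ACL it pushes, and classifies a branch-LAN packet as tunneled or local, and as NATed or not, against the client's NAT route-map ACL. The configs, ACL numbers and addresses below are constructed placeholders modelled on the thread; in network-extension mode the corporate traffic must stay un-NATed while Internet traffic is NATed, which is the consistency this check confirms.

```python
import ipaddress
import re

# Constructed sample configs modelled on the thread (addresses are assumed placeholders).
SERVER_CFG = """
crypto isakmp client configuration group BRANCH
 acl 150
ip access-list extended 150
 permit ip 10.10.0.0 0.0.255.255 any
"""
CLIENT_CFG = """
access-list 130 deny   tcp any any eq 0
access-list 130 deny   ip 192.168.22.0 0.0.0.255 10.10.0.0 0.0.255.255
access-list 130 permit ip 192.168.22.0 0.0.0.255 any
"""
def to_net(tokens):
    # One IOS address spec ('any' or 'ADDR WILDCARD'); returns (network, remaining tokens).
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    bits = 32 - bin(int(ipaddress.ip_address(tokens[1]))).count("1")  # wildcard -> prefix len
    return ipaddress.ip_network(f"{tokens[0]}/{bits}", strict=False), tokens[2:]
def acl_entries(cfg, name):
    # [(action, src_net, dst_net)] for the 'ip' lines of ACL `name`, numbered or named form.
    out, in_named = [], False
    for line in cfg.splitlines():
        t = line.split()
        if not line.startswith(" "):
            in_named = t[:4] == ["ip", "access-list", "extended", name]
            if t[:2] != ["access-list", name]:
                continue
            t = t[2:]
        elif not in_named:
            continue
        if len(t) > 2 and t[1] == "ip":
            src, rest = to_net(t[2:])
            out.append((t[0], src, to_net(rest)[0]))
    return out
def split_tunnel_acl(cfg, group):
    # The ACL the server pushes to clients of `group`: the 'acl' line inside the group block.
    m = re.search(rf"^crypto isakmp client configuration group {group}\n((?: .*\n)*)", cfg, re.M)
    a = re.search(r"^ acl (\S+)", m.group(1), re.M) if m else None
    return a.group(1) if a else None
def classify(server_cfg, client_cfg, group, nat_acl, src, dst):
    # (tunneled, natted): client tunnels when dst is in a permitted *source* net of the pushed
    # ACL; the NAT ACL is first-match, and a 'deny' (or no match) exempts the flow from NAT.
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    split = acl_entries(server_cfg, split_tunnel_acl(server_cfg, group))
    tunneled = any(act == "permit" and d in sn for act, sn, _ in split)
    nat = next((a for a, sn, dn in acl_entries(client_cfg, nat_acl) if s in sn and d in dn), "deny")
    return tunneled, nat == "permit"
```

A flow that is tunneled but also NATed, or local but not NATed, is the misconfiguration to look for.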