Cisco Support Community

VPN - Client to 1700 problems

Hello all, I have been pulling out my hair over this.

This is my first attempt at creating a VPN from a client (3.5 and 4) to a head end device (in this instance a 1701 router).

I am connecting between two routable addresses. Transparency over UDP is enabled (not sure if this is even needed).

The VPN tunnel is created successfully, and authentication is fine.

However, the VPN client status reflects that

Transparent Tunneling: Inactive (although that is selected to UDP)

Tunnel Port:0

Local LAN Access:Disabled (although this is selected)

The client does receive an ip address from the address pool (should this address be part of the private network?)

I do not have split tunneling enabled because traffic flow is not needed out of the LAN to LAN tunnel (is this correct?)

I have removed the access-list from the dialer interface - no joy.

I have posted my config - any ideas... please???

Building configuration...

Current configuration : 2835 bytes


version 12.2

no service pad

service timestamps debug uptime

service timestamps log uptime

service password-encryption


hostname XX_GTW


logging queue-limit 100

no logging console

enable password 7 1506121C017973


username XXXXX password xxxxx

username XXX password xxxx

aaa new-model



aaa authentication login userauthen local

aaa authorization network default local

aaa session-id common

ip subnet-zero





ip audit notify log

ip audit po max-events 100

no ftp-server write-enable






crypto isakmp policy 3

encr 3des

authentication pre-share

group 2


crypto isakmp client configuration group XXXXX

key 0 TXX




crypto ipsec transform-set shtset esp-3des esp-sha-hmac


crypto dynamic-map shtdynamic 10

set transform-set shtset



crypto map shtmap client authentication list userauthen

crypto map shtmap isakmp authorization list default

crypto map shtmap client configuration address respond

crypto map shtmap 10 ipsec-isakmp dynamic shtdynamic





interface ATM0

no ip address

no atm ilmi-keepalive

pvc 0/38

encapsulation aal5mux ppp dialer

dialer pool-member 1


dsl operating-mode auto


interface BRI0

no ip address



interface FastEthernet0

ip address

ip access-group 120 out

speed auto


interface Dialer1

ip address

ip access-group 110 in

encapsulation ppp

dialer pool 1

ppp authentication chap callin

ppp chap hostname

ppp chap password xxxxx

crypto map shtmap


ip local pool XXXXX

ip nat inside source list 1 interface Dialer1 overload

ip nat inside source static tcp 5900 5900 extendable

ip classless

ip route Dialer1

ip http server

no ip http secure-server




ip access-list extended Fast

ip access-list extended inacl

ip access-list extended key-exchange

ip access-list extended save-password

ip access-list extended service

ip access-list extended timeout

ip access-list extended tty6

ip access-list extended tunnel-password

ip access-list extended wins-servers

access-list 1 permit

access-list 110 permit esp any

access-list 110 permit udp eq isakmp any

access-list 110 permit tcp host eq telnet

access-list 110 permit ip any

access-list 120 permit tcp any host eq 5900


radius-server authorization permit missing Service-Type


line con 0

exec-timeout 120 0

stopbits 1

line aux 0

line vty 0 4

exec-timeout 120 0

password xxxx


no scheduler allocate





Re: VPN - Client to 1700 problems

no nat statement is missing

no access-list 1 permit

no ip nat inside source list 1 interface Dialer1 overload

access-list 102 deny ip host

access-list 102 deny ip host

access-list 102 deny ip host

access-list 102 permit ip any

route-map nonat permit 10

match ip address 102

ip nat inside source route-map nonat interface Dialer1 overload
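
An added example, not part of the thread and not Cisco tooling: a Python check that reads an IOS config and lists the VPN pool addresses the PAT (overload) rule would still translate, run against the `list 1` form from the original post and the route-map form from the reply. Every address, the pool name and the function names are constructed; it assumes numbered ACLs, contiguous wildcards, and ACL sources that are the inside LAN.

```python
import ipaddress
import re
ANY = ipaddress.ip_network("0.0.0.0/0")

def addr_spec(tok):
    """Consume one IOS address spec (any | host A | A WILDCARD); return (network, rest)."""
    if tok[0] == "any":
        return ANY, tok[1:]
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1]), tok[2:]
    # An IOS wildcard is an inverted netmask, so flip the bits before building the network.
    mask = ipaddress.ip_address(int(ipaddress.ip_address(tok[1])) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{tok[0]}/{mask}", strict=False), tok[2:]

def translated_pool_addresses(config):
    """Return the VPN pool addresses that the PAT (overload) rule would still translate."""
    pool = re.search(r"^ip local pool \S+ (\S+) (\S+)", config, re.M)
    nat = re.search(r"^ip nat inside source (list|route-map) (\S+) interface \S+ overload", config, re.M)
    if not (pool and nat):
        return []
    lo, hi = (int(ipaddress.ip_address(a)) for a in pool.groups())
    kind, acl = nat.groups()
    if kind == "route-map":  # follow the route-map to the numbered ACL it matches on
        rm = re.search(rf"^route-map {re.escape(acl)} permit \d+\n\s*match ip address (\S+)", config, re.M)
        acl = rm.group(1) if rm else ""
    rules = []
    for action, rest in re.findall(rf"^access-list {re.escape(acl)} (permit|deny) (.+)$", config, re.M):
        tok = rest.split()
        if acl.isdigit() and int(acl) < 100:  # standard ACL (1-99): source-only match,
            rules.append((action, ANY))       # so it cannot single out VPN-bound traffic
        elif tok[0] == "ip":  # skip the source spec, keep the destination
            rules.append((action, addr_spec(addr_spec(tok[1:])[1])[0]))
    # The first rule covering the destination decides; an implicit deny ends every ACL.
    return [str(ip) for ip in map(ipaddress.ip_address, range(lo, hi + 1))
            if next((a for a, d in rules if ip in d), "deny") == "permit"]

# Constructed samples: every address and the pool name are made up.
BEFORE = """ip local pool vpnpool 10.10.10.1 10.10.10.3
ip nat inside source list 1 interface Dialer1 overload
access-list 1 permit 192.168.1.0 0.0.0.255
"""
AFTER = """ip local pool vpnpool 10.10.10.1 10.10.10.3
ip nat inside source route-map nonat interface Dialer1 overload
access-list 102 deny ip 192.168.1.0 0.0.0.255 host 10.10.10.1
access-list 102 deny ip 192.168.1.0 0.0.0.255 host 10.10.10.2
access-list 102 deny ip 192.168.1.0 0.0.0.255 host 10.10.10.3
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
route-map nonat permit 10
 match ip address 102
"""
```

An empty result means replies to every pool address bypass NAT and can match the IPsec selectors; any address returned is one whose return traffic would be translated first.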
