
EZVPN issues-Originally posted in Remote Access...moving here

John Blakley
VIP Alumni

All,

I've been working on this all weekend, and I can't figure out what's wrong. My requirements are that I'm about to bring up a tunnel on demand from one host inside my network to my office for only certain subnets. I've got control of both sides, router and ASA. The Cisco VPN client works fine with any of the groups that I've tried under the EZVPN, but EZVPN won't negotiate. Under a "debug crypt isakmp" it shows that none of the IKE proposals match and it fails Phase 1. On the ASA side, it only tells me that "Information Processing failed" with host x.x.x.x. I'm at a loss.

My current config on my router is attached.

In ACL 102, I've tried just "permit ip host 10.20.1.200 any" and it makes the router reload. I changed my mode to client extension, but Cisco docs say that in order to use multiple subnets, you need to have network extension enabled. That didn't work either. I've tried to use the VPN group name that the software clients use in the ASA, but it doesn't negotiate. I created a new group name for just my router, and I'm allowing only the networks that you see in the config, but that didn't work. I thought that it had something to do with my username because we authenticate to a RADIUS server, so I created a local account on the ASA and changed the group-policy to use local authentication. That didn't work either.

Any ideas? I tried to change the version on my IOS to 12.4.24 (currently at 12.4.15), but that didn't work either. The software client works fine with the group name and user name that I've put in the router.

Thanks,

John

HTH, John *** Please rate all useful posts ***
1 Reply

John Blakley
VIP Alumni

Anyone? Here's what I get on the ASA:

%ASA-4-713903: Group = CiscoRouterEZVPN, IP = 99.x.x.x, Information Exchange processing failed

%ASA-4-713903: Group = CiscoRouterEZVPN, IP = 99.x.x.x, Information Exchange processing failed

%ASA-3-713902: Group = CiscoRouterEZVPN, IP = 99.x.x.x, Removing peer from peer table failed, no match!

%ASA-4-713903: Group = CiscoRouterEZVPN, IP = 99.x.x.x, Error: Unable to remove PeerTblEntry
