I have the following configuration: I authenticate but can't browse!
It surely depends on some access list or some route.
Can someone give me a hand?
Cisco client 4.8
Here is the config of the router, a 2801 with ADSL + ISDN.
!
version 12.4
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname xxxxxxx
!
boot-start-marker
boot system flash c2801-advsecurityk9-mz.124-5.bin
boot-end-marker
!
logging buffered 4096 debugging
enable secret pwd
!
no aaa new-model
!
resource policy
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip cef
!
!
!
!
ip ftp username cisco
ip ftp password 7 082D434D194B12
ip domain name yourdomain.com
!
isdn switch-type basic-net3
!
!
!
username vpnuser password pwd
!
!
!
crypto isakmp policy 20
encr 3des
hash md5
authentication pre-share
group 2
!
crypto isakmp client configuration group assistenza
key assistenza
domain buonbuono
pool vpnpool
acl 106
crypto isakmp profile softclient
match identity group assistenza
client authentication list userauth
isakmp authorization list groupauthor
client configuration address respond
!
!
crypto ipsec transform-set vpnclient esp-3des esp-sha-hmac
!
crypto dynamic-map rtpmap 10
set transform-set vpnclient
set isakmp-profile softclient
reverse-route
!
!
crypto map rtp 5 ipsec-isakmp dynamic rtpmap
!
!
!
interface Tunnel0
ip address 10.0.3.1 255.255.255.0
tunnel source FastEthernet0/0
tunnel destination 88.37.219.105
tunnel mode ipip
!
interface Tunnel1
ip address 10.0.4.1 255.255.255.0
tunnel source FastEthernet0/0
tunnel destination 195.72.207.174
tunnel mode ipip
!
interface FastEthernet0/0
ip address 150.1.254.254 255.255.0.0 secondary
ip address 83.211.208.137 255.255.255.240
ip access-group 105 in
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
crypto map rtp
hold-queue 100 out
!
interface FastEthernet0/1
no ip address
duplex auto
speed auto
!
interface BRI0/1/0
no ip address
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer rotary-group 1
dialer-group 1
isdn switch-type basic-net3
isdn point-to-point-setup
no cdp enable
!
interface ATM0/2/0
backup interface Dialer1
no ip address
no atm auto-configuration
no atm ilmi-keepalive
no atm address-registration
no atm ilmi-enable
dsl operating-mode auto
hold-queue 224 in
pvc 8/35
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface Dialer0
ip unnumbered FastEthernet0/0
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
ppp authentication chap pap callin
ppp chap hostname user
ppp chap password pwd
ppp pap sent-username user password pwd
!
interface Dialer1
ip unnumbered FastEthernet0/0
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer in-band
dialer idle-timeout 600
dialer string 7020005034
dialer-group 1
no cdp enable
ppp authentication pap chap callin
ppp chap hostname user
ppp chap password pwd
ppp pap sent-username user password pwd
!
ip local pool vpnpool 192.168.171.1 192.168.171.10
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 0.0.0.0 0.0.0.0 Dialer1 100
ip route 192.168.10.0 255.255.255.0 Tunnel0
ip route 192.168.10.0 255.255.255.0 Tunnel1 105
!
no ip http server
ip http access-class 23
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 101 interface FastEthernet0/0 overload
!
logging trap debugging
access-list 23 permit 10.10.10.0 0.0.0.7
access-list 101 permit ip 83.211.208.0 0.0.0.240 any
access-list 101 permit ip 150.1.0.0 0.0.255.255 any
access-list 101 permit ip 192.168.171.0 0.0.0.255 any
access-list 101 permit udp any any eq isakmp
access-list 101 permit tcp any any eq 10000
access-list 101 permit gre any any
access-list 105 permit tcp host 150.1.1.199 any eq www
access-list 105 permit tcp host 150.1.1.199 any eq 443
access-list 105 permit tcp host 150.1.1.200 any eq www
access-list 105 permit tcp host 150.1.1.200 any eq 443
access-list 105 deny tcp any any eq www
access-list 105 deny tcp any any eq 443
access-list 105 permit ip any any
access-list 106 permit ip any 192.168.171.0 0.0.0.255
access-list 106 permit ip 150.1.0.0 0.0.255.255 any
access-list 106 permit ip 192.168.171.0 0.0.0.255 any
access-list 111 permit ip 150.1.1.0 0.0.0.255 any
access-list 111 permit ip 195.72.192.0 0.0.0.63 any
access-list 111 permit ip 195.72.192.240 0.0.0.15 any
access-list 111 permit ip 195.72.196.0 0.0.0.31 any
access-list 111 permit ip 195.72.200.64 0.0.0.63 any
access-list 111 permit ip host 62.94.244.202 any
access-list 111 permit ip host 83.211.93.24 any
access-list 111 deny ip any any
dialer-list 1 protocol ip permit
snmp-server community ibn-bkb RO
snmp-server enable traps tty
!
!
control-plane
!
!
line con 0
exec-timeout 120 0
login local
transport output all
stopbits 1
line aux 0
transport output all
line vty 0 4
access-class 111 in
exec-timeout 0 0
privilege level 15
login local
transport input all
transport output all
line vty 5 15
access-class 23 in
privilege level 15
login local
transport input telnet
!
scheduler max-task-time 5000
end
Problem with VPN client to router
Moderator: Federico.Lagni
- Cisco fan
- Posts: 62
- Joined: Thu 11 May 2006 1:47 pm
- Location: Forlì
Usually, in the access list of the VPN group, for split tunnelling I do a permit of the internal network towards any, and not of the pool assigned to the VPN.
Try it if you can.
Ciao
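An added example, not code from the thread, that applies this rule to a saved running-config: it finds the ACL named under `crypto isakmp client configuration group`, treats every address on the `ip nat inside` interface as the LAN, and reports which entries are LAN-to-any (the form suggested above) and which instead name the client pool or use `any` as the source (a source of `any` is pushed to the client as a 0.0.0.0/0 secured network, i.e. a full tunnel). The sample config below is constructed from the posted one.

```python
import ipaddress
import re

# Constructed sample mirroring the posted group, inside interface, pool and ACL 106.
SAMPLE_CONFIG = """\
crypto isakmp client configuration group assistenza
 pool vpnpool
 acl 106
interface FastEthernet0/0
 ip address 150.1.254.254 255.255.0.0 secondary
 ip address 83.211.208.137 255.255.255.240
 ip nat inside
ip local pool vpnpool 192.168.171.1 192.168.171.10
access-list 106 permit ip any 192.168.171.0 0.0.0.255
access-list 106 permit ip 150.1.0.0 0.0.255.255 any
access-list 106 permit ip 192.168.171.0 0.0.0.255 any
"""

def acl_endpoint(tokens):
    """Consume one IOS ACL address spec (any | host X | A WILDCARD)."""
    if tokens[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.IPv4Network(tokens[1]), tokens[2:]
    mask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(tokens[1])))
    return ipaddress.IPv4Network((tokens[0], str(mask)), strict=False), tokens[2:]

def check_split_tunnel(config):
    """Classify the group's split-tunnel ACL entries: LAN->any vs pool/any-source."""
    group = re.search(r"^crypto isakmp client configuration group \S+\n((?: .*\n)*)",
                      config, re.M).group(1)
    acl = re.search(r"^ acl (\d+)", group, re.M).group(1)
    pool = re.search(r"^ pool (\S+)", group, re.M).group(1)
    m = re.search(r"^ip local pool %s (\S+) (\S+)" % re.escape(pool), config, re.M)
    pool_hosts = {ipaddress.IPv4Address(a) for a in m.groups()}
    # The LAN is every address configured on an interface marked 'ip nat inside'.
    lan = set()
    for block in re.findall(r"^interface .*\n((?: .*\n)*)", config, re.M):
        if " ip nat inside" in block:
            for addr, mask in re.findall(r"^ ip address (\S+) (\S+)", block, re.M):
                lan.add(ipaddress.IPv4Network((addr, mask), strict=False))
    report = {"acl": acl, "lan_to_any": [], "pool_or_any": []}
    for entry in re.findall(r"^access-list %s permit ip (.*)$" % acl, config, re.M):
        src, rest = acl_endpoint(entry.split())
        dst, _ = acl_endpoint(rest)
        if src in lan and dst.prefixlen == 0:
            report["lan_to_any"].append(entry)
        elif src.prefixlen == 0 or any(h in src or h in dst for h in pool_hosts):
            report["pool_or_any"].append(entry)
    return report
```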
- zot
- Messianic Network master
- Posts: 1274
- Joined: Wed 17 Nov 2004 1:13 am
- Location: Teramo
I advise you to remove the "dangerous" references!!!!
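An added example, not from the thread, of scrubbing an IOS config before posting it: it redacts `enable secret`, `password`, `key` and `snmp-server community` values and replaces each public IPv4 address with a stable placeholder, leaving netmasks, wildcards and RFC1918 addresses intact so the config stays readable. The sample lines are constructed from the posted config.

```python
import ipaddress
import re

# Constructed sample lines in the style of the posted config.
SAMPLE_CONFIG = """\
enable secret pwd
ip ftp password 7 082D434D194B12
username vpnuser password pwd
 key assistenza
 ppp chap password pwd
 ppp pap sent-username user password pwd
snmp-server community ibn-bkb RO
 ip address 83.211.208.137 255.255.255.240
 tunnel destination 88.37.219.105
ip local pool vpnpool 192.168.171.1 192.168.171.10
access-list 111 permit ip host 62.94.244.202 any
"""

# Each rule keeps the keyword and replaces only the secret that follows it.
SECRET_RULES = [
    (re.compile(r"^(\s*enable secret)(?: \d)? .*$"), r"\1 <REDACTED>"),
    (re.compile(r"^(\s*.*\bpassword)(?: \d)? \S+$"), r"\1 <REDACTED>"),
    (re.compile(r"^(\s*key) \S+$"), r"\1 <REDACTED>"),
    (re.compile(r"^(\s*snmp-server community) \S+(.*)$"), r"\1 <REDACTED>\2"),
]
DOTTED_QUAD = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def is_mask_or_wildcard(value):
    """True for a contiguous netmask (255.255.255.240) or wildcard (0.0.0.255)."""
    inv = ~value & 0xFFFFFFFF
    return value & (value + 1) == 0 or inv & (inv + 1) == 0

def scrub_config(text):
    """Redact secrets and map each public IPv4 address to a stable placeholder."""
    addr_map = {}
    def placeholder(m):
        ip = ipaddress.IPv4Address(m.group(0))
        if ip.is_private or is_mask_or_wildcard(int(ip)):
            return m.group(0)
        return addr_map.setdefault(str(ip), "PUBLIC_IP_%d" % (len(addr_map) + 1))
    out = []
    for line in text.splitlines():
        for rule, repl in SECRET_RULES:
            line, n = rule.subn(repl, line)
            if n:
                break
        out.append(DOTTED_QUAD.sub(placeholder, line))
    return "\n".join(out), addr_map
```

Addresses such as the 150.1.0.0/16 used as the inside network in the posted config are not RFC1918 and would be mapped to placeholders as well.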