Cisco 1721 VPN

I need to get VPN working and can't seem to see the issue. Have Cisco 1721 with 2 WICs to different ISPs with failover working. Want to be able to VPN to at least the 208.x.x.x ip, and perhaps the 24.x.x.x ip as well. All users will be using vpn clients. Safenet's softremote! Can someone have a look see and tell me what I have too much of or not enough of?

Cheers,

Running Config Below

Current configuration : 3819 bytes
!
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname GATEWAY
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 $1$4kPF$CvEeShPvIRhKPzCqgmRuu.
enable password 7 104704470B1243
!
username crabs privilege 15 password 7 030D5655080A70
username john654 password 7 130616021905527C7D
no aaa new-model
ip subnet-zero
!
!
!
!
ip cef
ip audit notify log
ip audit po max-events 100
!
track 100 rtr 1 reachability
no ftp-server write-enable
no scripting tcl init
no scripting tcl encdir
!
!
!
!
!
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group vpngroup
 key cisco123
 dns 192.168.3.249
 domain mydomain.com
 pool ippool
!
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 10
 set transform-set myset
!
!
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
!
!
!
interface Ethernet0
 description ISP1
 ip address 208.181.196.33 255.255.255.248
 ip nat outside
 half-duplex
 crypto map clientmap
!
interface Ethernet1
 description ISP2
 ip address 24.70.4.234 255.255.252.0
 ip nat outside
 full-duplex
 crypto map clientmap
!
interface FastEthernet0
 description Local LAN
 ip address 192.168.193.1 255.255.255.0 secondary
 ip address 192.168.3.1 255.255.252.0
 ip nat inside
 speed 100
 full-duplex
!
ip local pool ippool 192.168.123.200 192.168.123.250
ip nat inside source route-map ROUTE-NAT interface Ethernet0 overload
ip nat inside source route-map ROUTE-NAT2 interface Ethernet1 overload
ip nat inside source static tcp 192.168.0.231 25 24.70.4.234 25 extendable
ip nat inside source static tcp 192.168.3.250 80 24.70.4.234 80 extendable
ip nat inside source static tcp 192.168.0.231 25 208.181.196.33 25 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 208.181.196.38 track 100
ip route 0.0.0.0 0.0.0.0 24.70.4.1 200
ip route 192.168.60.0 255.255.255.0 192.168.0.2
ip route 192.168.61.0 255.255.255.0 192.168.0.2
ip route 192.168.62.0 255.255.255.0 192.168.0.2
ip route 192.168.63.0 255.255.255.0 192.168.0.2
ip route 192.168.64.0 255.255.255.0 192.168.0.2
ip route 192.168.65.0 255.255.255.0 192.168.0.2
ip route 192.168.66.0 255.255.255.0 192.168.0.2
ip route 192.168.67.0 255.255.255.0 192.168.0.2
ip route 192.168.68.0 255.255.255.0 192.168.0.2
ip route 192.168.69.0 255.255.255.0 192.168.0.2
ip route 192.168.70.0 255.255.255.0 192.168.0.2
ip route 192.168.71.0 255.255.255.0 192.168.0.2
ip route 204.50.49.20 255.255.255.255 192.168.3.2 permanent
ip route 216.95.175.114 255.255.255.255 192.168.3.2 permanent
ip route 216.95.175.119 255.255.255.255 192.168.3.2 permanent
ip route 216.95.175.120 255.255.255.255 192.168.3.2 permanent
no ip http server
no ip http secure-server
!
!
!
access-list 110 deny   ip 192.168.0.0 0.0.3.255 192.168.123.0 0.0.0.255
access-list 110 permit ip 192.168.0.0 0.0.255.255 any
access-list 120 permit tcp any any established
!
route-map ROUTE-NAT2 permit 10
 match ip address 110
 match interface Ethernet1
!
route-map FAIL-OVER permit 10
 match ip address 120
 set interface Ethernet0 Null0
 set ip next-hop 208.181.196.38
!
route-map ROUTE-NAT permit 10
 match ip address 110
 match interface Ethernet0
!
!
control-plane
!
rtr 1
 type echo protocol ipIcmpEcho 208.181.196.38
rtr schedule 1 start-time now life forever
!
line con 0
 exec-timeout 15 0
line aux 0
line vty 0 4
 exec-timeout 30 0
 privilege level 15
 password 7 030D5655080A70
 login
 transport input telnet ssh
line vty 5 15
 privilege level 15
 login
 transport input telnet ssh
!
!
end
dgratton1085 Asked:

lrmoore Commented:
Your config is straight out of the Cisco document:
http://www.cisco.com/en/US/tech/tk59/technologies_configuration_example09186a00800a393b.shtml
I don't see any discrepancies.

The document is meant for using the Cisco VPN client; there are no guarantees that it will work with any other client like Safenet.

Have you tried this config with the Cisco client?


     
0
dgratton1085 Author Commented:
I can't seem to get my hands on it!
0
lrmoore Commented:
If you have a CCO login, you should be able to download it.
http://www.cisco.com/kobayashi/sw-center/vpn/client/
0
dgratton1085 Author Commented:
I don't
0
lrmoore Commented:
Contact TAC. If you have the IPSEC feature set on your router, you should be able to convince them to give you access to download it.
0
harbor235 Commented:
You are missing the "crypto isakmp client configuration address-pool local ippool" command under the "crypto isakmp policy 3" configuration mode. Also, take a look at http://www.cisco.com/en/US/netsol/ns340/ns394/ns171/ns27/networking_solutions_white_paper09186a0080189111.shtml

harbor235
0
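
A consistency check for the pieces discussed in this thread, as an added example (not code from the thread or from Cisco): it verifies that the pool, transform-set and dynamic-map names resolve, that the crypto map is applied to an interface, and whether the address-pool line named in harbor235's comment is present. The function name and the condensed sample config are assumptions made for the example.

```python
import re

# Condensed from the running config in the question; only the lines the
# checks read are kept (constructed excerpt, not the full config).
SAMPLE = """\
crypto isakmp client configuration group vpngroup
 pool ippool
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10
 set transform-set myset
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
interface Ethernet0
 crypto map clientmap
ip local pool ippool 192.168.123.200 192.168.123.250
"""

def check_client_vpn(config):
    """Return a list of findings; an empty list means every reference resolved."""
    lines = [l.rstrip() for l in config.splitlines()]

    def grab(pattern):
        # Collect the first capture group from every line the pattern matches.
        return {m.group(1) for l in lines if (m := re.match(pattern, l))}

    findings = []
    # Pool named inside the client group must exist as 'ip local pool <name>'.
    for p in sorted(grab(r" pool (\S+)") - grab(r"ip local pool (\S+)")):
        findings.append(f"group pool {p} has no 'ip local pool' definition")
    # The line named in the thread's last technical comment.
    if not grab(r"crypto isakmp client configuration address-pool local (\S+)"):
        findings.append("no 'crypto isakmp client configuration address-pool local' line found")
    # Static crypto map entries must point at a defined dynamic map.
    dyn_defined = grab(r"crypto dynamic-map (\S+) \d+")
    for l in lines:
        m = re.match(r"crypto map (\S+) \d+ ipsec-isakmp dynamic (\S+)", l)
        if m and m.group(2) not in dyn_defined:
            findings.append(f"crypto map {m.group(1)} uses undefined dynamic-map {m.group(2)}")
    # Transform sets referenced by the dynamic map must be defined.
    defined_sets = grab(r"crypto ipsec transform-set (\S+)")
    for t in sorted(grab(r" set transform-set (\S+)") - defined_sets):
        findings.append(f"transform-set {t} is not defined")
    # A crypto map does nothing until it is bound to an interface.
    maps = grab(r"crypto map (\S+) \d+ ipsec-isakmp")
    for c in sorted(maps - grab(r" crypto map (\S+)$")):
        findings.append(f"crypto map {c} is not applied to any interface")
    return findings

if __name__ == "__main__":
    print(check_client_vpn(SAMPLE))
```
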
lrmoore Commented:
Do you need more information?
Have you resolved this problem?
Can you close this question?
http://www.experts-exchange.com/help.jsp#hs5

Thanks!
0
Question has a verified solution.