Outbound Cisco VPNClient Blocked by Cisco 837 when Site to Site VPN Active

If you only have one IP, I don't think so.  You are telling the router to encrypt everything outbound and send it over the tunnel.   When you bring up your VPN client software it tries to tunnel that as well.  (tunnel in a tunnel).    You might be able to specify in your Access list interesting traffic based only on the networks you wish to lan2lan, Im not very familiar with the DSL router you are using.  

You might be having a problem due to the VPN policies. I’ve done plenty of tunnels, and tunnels inside tunnels, etc in the past but it seems to me what you are going to do is make the VPN server think a VPN user, is trying to VPN again.

So your router does a VPN tunnel, which gives you a “public” IP out of the VPN pool space…being a public Pool or NAT, heck or both. Then, you initiate another VPN session from the PC, but the source would be an IP out of the pool from which the VPN server will assign you. It sort of looks like a spoofed packet attempt from a firewall stance.

I am sure there are ways around this but I am not seeing the benefit.

-James

What version IOS on the 837? You might need to upgrade to one that supports nat transparency..

The IOS is version 12.3(4)T7. I don';t think it can be NAT transparency because the VPN Client works until you enable the Site to Site.

Would it help if I posted the config?

I'll be happy to take a look at your config with site-site enabled, client not working...

My network address is 192.168.4.0. There is a vpn tunnel to 192.168.58.0.
With line:
    crypto map SDM_CMAP_1
present in the di0 interface the site to site tunnel works but a VPNClient on my network cannot connect to any site.
With the crypto map line out, the tunnel obvisously doesn't work but the VPNClient does work

I've tried removing the Inspect rule and the incoming acces-list but that doesn't seem to help.

Config follows:

version 12.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
no service password-encryption
service sequence-numbers
!
hostname router
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 debugging
logging console critical
enable secret 0 <password>
!
username administrator privilege 15 secret 0 <password>
clock timezone PCTime 0
clock summer-time PCTime date Mar 30 2003 1:00 Oct 26 2003 2:00
no aaa new-model
ip subnet-zero
no ip source-route
ip tcp synwait-time 10
ip domain name hotfix-ltd.co.uk
ip name-server 158.43.128.1
ip dhcp excluded-address 192.168.4.1 192.168.4.239
ip dhcp excluded-address 192.168.4.249 192.168.4.254
!
ip dhcp pool sdm-pool1
   import all
   network 192.168.4.0 255.255.255.0
   dns-server 158.43.128.1
   default-router 192.168.4.254
!
!
no ip bootp server
ip cef
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 smtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
ip inspect name DEFAULT100 icmp
ip audit notify log
ip audit po max-events 100
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh break-string
no ftp-server write-enable
!
!
!
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp policy 2
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key shared.key address 80.71.217.49
!
!
crypto ipsec transform-set SDM_TRANSFORMSET_1 esp-3des esp-md5-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to80.71.217.49
 set peer 80.71.217.49
 set transform-set SDM_TRANSFORMSET_1
 match address 104
!
!
!
!
interface Tunnel0
 ip unnumbered Dialer0
 ip mtu 1420
 tunnel source Dialer0
 tunnel destination 80.71.217.49
 tunnel path-mtu-discovery
!
interface Loopback1
 ip address 10.0.4.1 255.255.255.255
!
interface Ethernet0
 description $FW_INSIDE$$ETH-LAN$$INTF-INFO-Ethernet 10/100$
 ip address 192.168.4.254 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip route-cache flow
 no cdp enable
 hold-queue 100 out
!
interface ATM0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 no atm ilmi-keepalive
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
 dsl operating-mode auto
!
interface Dialer0
 description $FW_OUTSIDE$
 ip address negotiated
 ip access-group 103 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip inspect DEFAULT100 out
 encapsulation ppp
 ip route-cache flow
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap pap callin
 ppp chap hostname <adsl@username>
 ppp chap password <password>
 crypto map SDM_CMAP_1
!
ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 192.168.58.0 255.255.255.0 Tunnel0
ip http server
ip http authentication local
ip http secure-server
!
!
logging trap debugging
access-list 1 remark INSIDE_IF=Ethernet0
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.4.0 0.0.0.255
access-list 100 remark SDM_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 192.168.4.0 0.0.0.255 192.168.58.0 0.0.0.255
access-list 101 remark SDM_ACL Category=2
access-list 101 deny   gre host 80.29.36.23 host 80.71.217.49
access-list 101 permit ip 192.168.4.0 0.0.0.255 any
access-list 102 remark SDM_ACL Category=4
access-list 102 permit gre host 192.168.4.254 host 192.168.58.254
access-list 103 remark auto generated by SDM firewall configuration
access-list 103 remark SDM_ACL Category=1
access-list 103 permit ahp host 80.71.217.49 host 80.29.36.23
access-list 103 permit esp host 80.71.217.49 host 80.29.36.23
access-list 103 permit udp host 80.71.217.49 host 80.29.36.23 eq isakmp
access-list 103 permit udp host 80.71.217.49 host 80.29.36.23 eq non500-isakmp
access-list 103 remark IPSec Rule
access-list 103 permit gre host 80.71.217.49 host 80.29.36.23
access-list 103 permit ip 10.0.0.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 103 deny   ip 192.168.4.0 0.0.0.255 any
access-list 103 permit icmp any any
access-list 103 deny   ip any any log
access-list 104 remark SDM_ACL Category=4
access-list 104 permit gre host 80.29.36.23 host 80.71.217.49
dialer-list 1 protocol ip permit
no cdp run
route-map SDM_RMAP_1 permit 1
 match ip address 101
!
!
control-plane
!
banner login ^
...
!
line con 0
...
line aux 0
...
line vty 0 4
...
!
scheduler max-task-time 5000
scheduler interval 500
!
end

This VPN tunnel is not the way I would set it up, unless this office is a spoke office and there is a head-end that has connections to many spokes. Is this a simple point-to-point VPN with no other offices involved other than these two?

This is a spoke office. There are three spokes out from the hub. The hub also acts as a server for VPNClients (but this is the what my VPNClient is connecting to). I would be very pleased to hear any comments on the config. This is the first hub / spoke system I have set up and there are a number of issues with this too but that is not my immediate problem.

Have I done something silly?

I have now rebulit the tunnels using this document from cisco and it all looks good. Now that the crypto isn't on the physical interface the VPN Client works fine

Thanks very much for your help