Question : Problem: Client PC to Cisco Router VPN woes!

I am wondering if you could help me with this stinker of a problem. I have been following this document to help configure my SOHO97 and work 1700 series router to process client PC to router VPNs: http://www.cisco.com/en/US/products/sw/secursw/ps2308/products_configuration_example09186a00801c4246.shtml

I followed the guide, but every time I try to connect it bombs out with "Secure VPN connection terminated locally by the client. Reason 412: the remote peer is no longer responding". I would really appreciate some pointers from you Cisco boffs! Here is my config:


-----------------------------------------------------------------------------------------------------------------------------------------
version 12.3
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname mattacuk
!
no logging buffered
enable secret 5 $1$Q1kJ$CEt/sZ3lOW3bdoZxqnACj1
!
username mattacuk password 7 060A0E2F485D0A181512
username cisco password 7 01100F175804
username CRWS_Kannan privilege 15 password 7 08651D0A3E48033656045D0B190E34296A65704456445A500F
ip subnet-zero
ip domain lookup source-interface Dialer1
ip name-server 80.225.250.178
ip name-server 80.225.250.186
ip dhcp excluded-address 192.168.1.1
!
ip dhcp pool CLIENT
import all
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
lease 0 2
!
!
ip inspect name myfw cuseeme timeout 3600
ip inspect name myfw ftp timeout 3600
ip inspect name myfw rcmd timeout 3600
ip inspect name myfw realaudio timeout 3600
ip inspect name myfw smtp timeout 3600
ip inspect name myfw tftp timeout 30
ip inspect name myfw udp timeout 15
ip inspect name myfw tcp timeout 3600
ip inspect name myfw h323 timeout 3600
aaa new-model
!
!
aaa authentication login userauthen local
aaa authorization network groupauthor local
aaa session-id common
!
!
!
!
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group 3000client
key 0 cisco123
dns 80.225.248.50
domain cisco.com
pool ippool
!
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 10
set transform-set myset
!
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
!
!
!
interface Ethernet0
description CRWS Generated text. Please do not delete this:192.168.1.1-255.255.255.0
ip address 192.168.1.1 255.255.255.0 secondary
ip address 10.10.10.1 255.255.255.0
ip access-group 122 out
ip nat inside
no ip mroute-cache
hold-queue 100 out
!
interface ATM0
no ip address
no ip mroute-cache
atm vc-per-vp 64
no atm ilmi-keepalive
pvc 0/38
encapsulation aal5snap
protocol ppp dialer
dialer pool-member 1
!
dsl operating-mode auto
!
interface Dialer1
ip address negotiated
ip access-group 111 in
ip nat outside
ip inspect myfw out
encapsulation ppp
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap pap callin
ppp chap hostname edited@edited
ppp chap password 7 0827435C0D1F0C12011F0D
ppp pap sent-username [email protected] password 7 0827435C0D1F0C12011F0D
ppp ipcp dns request
ppp ipcp wins request
crypto map clientmap
hold-queue 224 in
!
ip local pool ippool 192.168.1.50 192.168.1.100
ip nat inside source list 102 interface Dialer1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip http server
no ip http secure-server
!
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
access-list 111 permit tcp any any eq telnet
access-list 111 permit icmp any any administratively-prohibited
access-list 111 permit icmp any any echo
access-list 111 permit icmp any any echo-reply
access-list 111 permit icmp any any packet-too-big
access-list 111 permit icmp any any time-exceeded
access-list 111 permit icmp any any traceroute
access-list 111 permit icmp any any unreachable
access-list 111 permit udp any eq bootps any eq bootpc
access-list 111 permit udp any eq bootps any eq bootps
access-list 111 permit udp any eq domain any
access-list 111 permit esp any any
access-list 111 permit udp any any eq isakmp
access-list 111 permit udp any any eq 10000
access-list 111 permit tcp any any eq 1723
access-list 111 permit tcp any any eq 139
access-list 111 permit udp any any eq netbios-ns
access-list 111 permit udp any any eq netbios-dgm
access-list 111 permit gre any any
access-list 111 deny ip any any
access-list 122 deny tcp any any eq telnet
access-list 122 permit ip any any
dialer-list 1 protocol ip permit
!
line con 0
exec-timeout 120 0
no modem enable
stopbits 1
line aux 0
line vty 0 4
exec-timeout 120 0
length 0
!
scheduler max-task-time 5000
!
end

Answer : Problem: Client PC to Cisco Router VPN woes!

If using WinXP w/SP2 you must upgrade the client to 4.0.5 or 4.6.3
Your acl 111 does not permit udp 4500

Add "log" to the end of your final deny all
>access-list 111 deny ip any any log <==

That will at least let you troubleshoot by watching the denied packets in the log.
To set up logging:
 logging buffered 4096 debugging
To see the log entries:
 show log

Else, try removing the acl 111 from the dialer interface. Then try the client.
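
The answer's point about UDP 4500 can be checked mechanically. The following is an added example, not part of the original answer: it evaluates ACL 111 top-down, first match wins, against the three flows an IPsec client sends to the router. It assumes every entry uses `any` for both addresses, as ACL 111 does; `non500-isakmp` is the IOS keyword for UDP 4500, and the function names are made up for this sketch.

```python
# Constructed sample: ACL 111 from the question, ICMP/DHCP/NetBIOS/PPTP lines omitted.
ACL_111 = """\
access-list 111 permit tcp any any eq telnet
access-list 111 permit udp any eq domain any
access-list 111 permit esp any any
access-list 111 permit udp any any eq isakmp
access-list 111 permit udp any any eq 10000
access-list 111 deny ip any any
"""
NAT_T_RULE = "access-list 111 permit udp any any eq non500-isakmp\n"  # UDP 4500

# IOS port keywords used in the sample.
PORT_NAMES = {"telnet": 23, "domain": 53, "isakmp": 500, "non500-isakmp": 4500}
# What a remote-access client sends to the router: (protocol, destination port).
VPN_FLOWS = {"IKE": ("udp", 500), "NAT-T": ("udp", 4500), "ESP": ("esp", None)}

def port(word):
    return PORT_NAMES[word] if word in PORT_NAMES else int(word)

def parse_acl(text, number):
    """Parse the entries of one numbered ACL into (action, proto, sport, dport)."""
    entries = []
    for line in text.splitlines():
        tok = line.split()
        if tok[:2] != ["access-list", str(number)]:
            continue
        # tok[4] is the source address, assumed to be 'any'
        action, proto, rest = tok[2], tok[3], tok[5:]
        sport = dport = None
        if rest[:1] == ["eq"]:               # optional source-port match
            sport, rest = port(rest[1]), rest[2:]
        rest = rest[1:]                      # destination address, assumed 'any'
        if rest[:1] == ["eq"]:               # optional destination-port match
            dport = port(rest[1])
        entries.append((action, proto, sport, dport))
    return entries

def first_match(entries, proto, dport):
    """Top-down, first match wins; anything unmatched hits the implicit deny."""
    for action, e_proto, e_sport, e_dport in entries:
        # Entries pinned to a source port are skipped: a client behind NAT
        # arrives from an arbitrary source port.
        if e_proto not in ("ip", proto) or e_sport is not None:
            continue
        if e_dport not in (None, dport):
            continue
        return action
    return "deny"

def check_vpn(text, number=111):
    entries = parse_acl(text, number)
    return {name: first_match(entries, *flow) for name, flow in VPN_FLOWS.items()}
```

`check_vpn(ACL_111)` reports IKE and ESP permitted and NAT-T denied. `check_vpn(ACL_111 + NAT_T_RULE)` still denies NAT-T because the new line lands after `deny ip any any`, so the permit has to be entered above the deny, as in `check_vpn(NAT_T_RULE + ACL_111)`.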