> Could you show the config and how you do the routing?
! begin
!
aaa authentication password-prompt password:
aaa authentication username-prompt login:
aaa authentication login default local-case
aaa authentication login userauthen local
aaa authentication ppp default local
aaa authorization console
aaa authorization exec default local
aaa authorization network groupauthor local
vpdn-group L2TP
accept-dialin
protocol l2tp
virtual-template 2
no l2tp tunnel authentication
crypto keyring L2TP
pre-shared-key address 0.0.0.0 0.0.0.0 key cisco12345
!
crypto isakmp policy 1
authentication pre-share
encr 3des
group 2
lifetime 3600
!
crypto isakmp policy 2
authentication pre-share
lifetime 3600
crypto isakmp client configuration group EasyVPN
key cisco12345
pool ippool
acl 199
pfs
crypto ipsec transform-set TS-VIP-STRONG esp-3des esp-sha-hmac
crypto ipsec transform-set TS_L2TP esp-3des esp-sha-hmac
mode transport
crypto dynamic-map DYNIPSECE 2000
set transform-set TS-VIP-STRONG
reverse-route
!
crypto dynamic-map DYN_MAP 10
set nat demux
set transform-set TS_L2TP
crypto map IPSECCCME client authentication list userauthen
crypto map IPSECCCME isakmp authorization list groupauthor
crypto map IPSECCCME client configuration address respond
crypto map IPSECCCME 1000 ipsec-isakmp dynamic DYNIPSECE
!
crypto map L2TP_MAP 6000 ipsec-isakmp dynamic DYN_MAP
!
!
!
!
interface Loopback0
ip address 10.100.100.1 255.255.255.0
!
interface FastEthernet0/0
ip address 10.100.0.11 255.255.255.240
no ip mroute-cache
duplex auto
speed auto
no keepalive
no cdp enable
interface FastEthernet0/1.900
encapsulation dot1Q 900
ip address 1.1.1.1 255.255.255.252
no ip redirects
no ip proxy-arp
ip virtual-reassembly
no ip route-cache same-interface
no ip mroute-cache
no snmp trap link-status
crypto map IPSECCCME
!
interface FastEthernet0/1.991
encapsulation dot1Q 991
ip address 1.1.1.5 255.255.255.252
no ip route-cache same-interface
no ip mroute-cache
no snmp trap link-status
no cdp enable
crypto map L2TP_MAP
!
interface Virtual-Template2
ip unnumbered Loopback0
ip tcp header-compression
peer default ip address pool L2TP_POOL
ppp mtu adaptive
ppp authentication ms-chap-v2
ppp ipcp header-compression ack
ppp timeout idle 3600
!
ip local pool ippool 10.100.100.101 10.100.100.110
ip local pool L2TP_POOL 10.100.100.10 10.100.100.100
ip classless
ip route 0.0.0.0 0.0.0.0 1.1.1.2
ip route 10.100.0.0 255.255.0.0 10.100.0.9
access-list 199 permit ip 10.100.0.0 0.0.255.255 any
access-list 199 permit ip any any
access-list 199 permit udp any any
! end
1.1.1.1/30 VLAN 900
1.1.1.5/30 VLAN 991
10.100.0.0/16 - local network
1.1.1.2 (VLAN 900) and 1.1.1.6 (VLAN 991) are on the router that already faces "the world".
Whichever of them I set, that is the VPN that works normally. Specifically:
ip route 0.0.0.0 0.0.0.0 1.1.1.2 - L2TP connects, packets reach the internal network; Cisco EasyVPN Client connects, packets do NOT reach the internal network.
ip route 0.0.0.0 0.0.0.0 1.1.1.6 - L2TP does NOT connect; Cisco EasyVPN Client connects, packets pass normally.