Reason 401: An unrecognized error occurred while establishing the VPN connection.

My first VPN will not connect from an external site - it will not even get a pwd prompt. From inside the site (not sure if you can really test this way) I get the following after logging on successfully:

Secure VPN Connection terminated locally by the Client. Reason 401: An unrecognized error occurred while establishing the VPN connection.

My transform set is 3DES and SHA HMAC.
Auth's are local and if-auth to the network.
I am using a group with a pre-shared key.
My ISAKMP policy is also 3DES, group 2.
My interface that has the crypto map policy is the BVI1.

In the config I am a bit mystified why my VLAN1 states it has no ip. Do I need some vpn ACL commands? I get an error on the client (config'd for NAT/PAT) of "15:24:49.174 02/16/06 Sev=Info/4 IKE/0x63000014 RECEIVING
Reply to
James

You might be better off to post this info under the original thread.

Please post your config as it now stands.

Reply to
Merv

Sorry, thought you had gone off-line! My config has not changed. Still get no prompt for pwd from home site (here all day). Can post config again on Mon. One thought is: I don't have to have a cisco router at the remote site do I? Just the client software?

Reply to
James

You changed the group name and passwords, and you should have changed the crypto setup based on some recommendations made.

But if you could repost, I would like to see the config's current state.

Reply to
Merv

OK, here it is... Please can you answer some other simple questions too such as can I test this from within the network? And in the config I am a bit mystified why my VLAN1 states it has no ip. Do I need some vpn ACL commands?

CONFIG AS AT 20 Feb

!This is the running config of the router: xxx.xxx.xxx.100
!----------------------------------------------------------------------------
!
version 12.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname Router
!
boot-start-marker
boot-end-marker
!
logging buffered 52000 debugging
logging console critical
enable secret 5 $1$LR.f$pB8.ZdKhW3GXtV8S4gj3J.
!
username xxxxx privilege 15 secret 5 $1$lURO$tewOxEtKEAqZxNz7Zdbd4.
clock timezone PCTime 0
clock summer-time PCTime date Mar 30 2003 1:00 Oct 26 2003 2:00
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
aaa authorization network default if-authenticated
aaa session-id common
ip subnet-zero
no ip source-route
!
!
ip cef
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 esmtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
ip tcp synwait-time 10
no ip bootp server
ip domain name domainname
ip name-server 158.152.1.58
ip name-server 158.152.1.43
ip ssh time-out 60
ip ssh authentication-retries 2
no ftp-server write-enable
!
!
!
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key keydetails address 82.0.98.178
crypto isakmp key keydetails address xxx.xxx.xxx.22 255.255.255.0
!
crypto isakmp client configuration group Hovarians
 key keydetails
 dns 158.152.1.58 158.152.1.43
 wins xxx.xxx.xxx.200
 domain domainname
 pool SDM_POOL_1
 include-local-lan
 max-users 1
 max-logins 3
!
!
crypto ipsec transform-set TransformSet1 esp-3des esp-sha-hmac
!
crypto ipsec profile IPSecProfile1
 set transform-set TransformSet1
!
!
crypto dynamic-map SDM_DYNMAP_1 1
 set transform-set TransformSet1
 reverse-route
!
!
crypto map SDM_CMAP_1 client authentication list default
crypto map SDM_CMAP_1 isakmp authorization list default
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
!
bridge irb
!
!
interface Null0
 no ip unreachables
!
interface ATM0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0.1 point-to-point
 description $ES_WAN$$FW_OUTSIDE$
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface FastEthernet0
 no ip address
 no cdp enable
!
interface FastEthernet1
 no ip address
 no cdp enable
!
interface FastEthernet2
 no ip address
 no cdp enable
!
interface FastEthernet3
 no ip address
 no cdp enable
!
interface Dot11Radio0
 no ip address
 !
 ssid ssidname
  authentication open
 !
 speed basic-1.0 2.0 5.5 6.0 9.0 11.0
 channel 2462
 no cdp enable
 bridge-group 1
 bridge-group 1 spanning-disabled
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$FW_INSIDE$
 no ip address
 bridge-group 1
!
interface Dialer0
 description $FW_OUTSIDE$
 ip address 80.177.223.54 255.0.0.0
 ip access-group 101 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip inspect DEFAULT100 out
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 ip route-cache flow
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap callin
 ppp chap hostname snipped-for-privacy@lon1-aj1e.demonadsl.co.uk
 ppp chap password 7 05082E1D2042405A0A
!
interface BVI1
 description $ES_LAN$$FW_INSIDE$
 ip address xxx.xxx.xxx.100 255.255.255.0
 ip access-group 100 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 crypto map SDM_CMAP_1
!
ip local pool SDM_POOL_1 xxx.xxx.xxx.50 xxx.xxx.xxx.55
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip http server
ip http access-class 2
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
!
logging trap debugging
logging xxx.xxx.xxx.100
logging 80.177.223.54
access-list 1 remark INSIDE_IF=BVI1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit xxx.xxx.xxx.0 0.0.0.255
access-list 2 remark HTTP Access-class list
access-list 2 remark SDM_ACL Category=1
access-list 2 permit xxx.xxx.xxx.0 0.0.0.255
access-list 2 deny any
access-list 100 remark auto generated by Cisco SDM Express firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 permit ip host xxx.xxx.xxx.50 any
access-list 100 permit ip host xxx.xxx.xxx.51 any
access-list 100 permit ip host xxx.xxx.xxx.52 any
access-list 100 permit ip host xxx.xxx.xxx.53 any
access-list 100 permit ip host xxx.xxx.xxx.54 any
access-list 100 permit ip host xxx.xxx.xxx.55 any
access-list 100 permit udp any host xxx.xxx.xxx.100 eq non500-isakmp
access-list 100 permit udp any host xxx.xxx.xxx.100 eq isakmp
access-list 100 permit esp any host xxx.xxx.xxx.100
access-list 100 permit ahp any host xxx.xxx.xxx.100
access-list 100 deny ip 80.0.0.0 0.255.255.255 any
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by Cisco SDM Express firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit ip host xxx.xxx.xxx.50 any
access-list 101 permit ip host xxx.xxx.xxx.51 any
access-list 101 permit ip host xxx.xxx.xxx.52 any
access-list 101 permit ip host xxx.xxx.xxx.53 any
access-list 101 permit ip host xxx.xxx.xxx.54 any
access-list 101 permit ip host xxx.xxx.xxx.55 any
access-list 101 permit udp any host 80.177.223.54 eq non500-isakmp
access-list 101 permit udp any host 80.177.223.54 eq isakmp
access-list 101 permit esp any host 80.177.223.54
access-list 101 permit ahp any host 80.177.223.54
access-list 101 permit udp host 82.0.98.178 host 80.177.223.54 eq non500-isakmp
access-list 101 permit udp host 82.0.98.178 host 80.177.223.54 eq isakmp
access-list 101 permit esp host 82.0.98.178 host 80.177.223.54
access-list 101 permit ahp host 82.0.98.178 host 80.177.223.54
access-list 101 permit udp host 158.152.1.43 eq domain host 80.177.223.54
access-list 101 permit udp host 158.152.1.58 eq domain host 80.177.223.54
access-list 101 deny ip xxx.xxx.xxx.0 0.0.0.255 any
access-list 101 permit icmp any host 80.177.223.54 echo-reply
access-list 101 permit icmp any host 80.177.223.54 time-exceeded
access-list 101 permit icmp any host 80.177.223.54 unreachable
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip any any
access-list 101 remark IPSec Rule
access-list 101 permit ip xxx.xxx.xxx.0 0.0.0.255 xxx.xxx.xxx.0 0.0.0.255
access-list 103 remark SDM_ACL Category=2
access-list 103 deny ip any host xxx.xxx.xxx.50
access-list 103 deny ip any host xxx.xxx.xxx.51
access-list 103 deny ip any host xxx.xxx.xxx.52
access-list 103 deny ip any host xxx.xxx.xxx.53
access-list 103 deny ip any host xxx.xxx.xxx.54
access-list 103 deny ip any host xxx.xxx.xxx.55
access-list 103 permit ip xxx.xxx.xxx.0 0.0.0.255 any
access-list 105 remark VTY Access-class list
access-list 105 remark SDM_ACL Category=1
access-list 105 permit ip xxx.xxx.xxx.0 0.0.0.255 any
access-list 105 deny ip any any
access-list 700 permit 0001.e694.aa0a 0000.0000.0000
access-list 700 deny 0000.0000.0000 ffff.ffff.ffff
dialer-list 1 protocol ip permit
no cdp run
route-map SDM_RMAP_1 permit 1
 match ip address 103
!
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
banner login ^CAuthorized access only! Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 no modem enable
 transport preferred all
 transport output telnet
line aux 0
 transport preferred all
 transport output telnet
line vty 0 4
 access-class 105 in
 transport preferred all
 transport input telnet ssh
 transport output all
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
ntp server 130.88.203.12 prefer
end
Reply to
James

I will take a detailed look at this later today.

Reply to
Merv

Thanks for your help on this. As I was investigating changing the link to the Dialer0{ATM0.1} instead of the BVI1 for the crypto map (as you suggested) I opened the current config for the BVI1 to see how it was setup and when I clicked OK I got this message:

"Method list for group policy lookup contains methods not supported by Easy VPN Server" Continue: Yes/No.

The policy is set as "default" but I can't find where this is configured so I don't know what "default" really means. Any pointers welcome on how to config the group policy lookup. This must be the main issue because my connection fails because no policy was selected.

Reply to
James

Just discovered that I might need a TACACS or RADIUS server/group. What on earth are these? Are they part of this router's config? Can't disable AAA as Easy VPN requires this.

Reply to
James

Just use AAA extended local authentication, for example:

!--- Enable Authentication, Authorizing and Accounting (AAA)
!--- for user authentication and group authorization.
aaa new-model
!
!--- To enable X-Auth for user authentication,
!--- enable the aaa authentication commands.
aaa authentication login userauthen local
!
!--- To enable group authorization,
!--- enable the aaa authorization commands.
aaa authorization network groupauthor local

Reply to
Merv
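As an added example that is not part of the thread, here is a small Python checker for the situation James hit: it reads an IOS configuration, follows each "crypto map ... client authentication list" and "isakmp authorization list" reference to its "aaa" method list, and flags a list that is missing or whose group-authorization method (here "if-authenticated") the Easy VPN server cannot use. The two config excerpts are constructed from the thread's config, and the assumption that group lookup accepts only "local" or "group <server-group>" is the author's, not Cisco documentation.

```python
import re
# Constructed excerpt modelled on the config posted in this thread (not the original text).
BROKEN_CONFIG = """\
aaa new-model
aaa authentication login default local
aaa authorization network default if-authenticated
crypto map SDM_CMAP_1 client authentication list default
crypto map SDM_CMAP_1 isakmp authorization list default
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
"""
# The same excerpt after the fix Merv suggests: a dedicated network-authorization
# list backed by the local user database.
FIXED_CONFIG = BROKEN_CONFIG.replace(
    "aaa authorization network default if-authenticated",
    "aaa authorization network groupauthor local",
).replace("isakmp authorization list default", "isakmp authorization list groupauthor")

AAA_RE = re.compile(r"^aaa (authentication login|authorization network) (\S+) (.+)$", re.M)
CMAP_RE = re.compile(r"^crypto map (\S+) (client authentication|isakmp authorization) list (\S+)$", re.M)

def parse_methods(tokens):
    """Turn ['group', 'radius', 'local'] into ['group radius', 'local']."""
    out, i = [], 0
    while i < len(tokens):
        if tokens[i] == "group" and i + 1 < len(tokens):
            out.append("group " + tokens[i + 1]); i += 2
        else:
            out.append(tokens[i]); i += 1
    return out

def parse_method_lists(config):
    """Map ('login'|'network', list_name) -> the AAA methods that list uses."""
    return {(m.group(1).split()[1], m.group(2)): parse_methods(m.group(3).split())
            for m in AAA_RE.finditer(config)}

def easy_vpn_supported(method):
    """Assumption: group lookup works with the local database or a server group."""
    return method == "local" or method.startswith("group ")

def check_easy_vpn_aaa(config):
    """Return problems with the AAA method lists that a crypto map references."""
    lists, problems = parse_method_lists(config), []
    for cmap, role, name in CMAP_RE.findall(config):
        kind = "login" if role.startswith("client") else "network"
        methods = lists.get((kind, name))
        if methods is None:
            problems.append(f"{cmap}: {role} list '{name}' has no matching aaa {kind} list")
        elif kind == "network":
            for bad in (x for x in methods if not easy_vpn_supported(x)):
                problems.append(f"{cmap}: authorization list '{name}' uses '{bad}', which Easy VPN cannot use")
    return problems
```

Run check_easy_vpn_aaa() over a "show running-config" capture: the broken excerpt reports the if-authenticated list, the fixed one reports nothing.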

Merv, I'm moving house at the moment, plus I have a new router at home as the last firmware upgrade blew it - that's Belkin for you. Once up and running again I will try the new settings, and if no joy I will start looking into having a Cisco router at home as well...

Reply to
James
