I have configured my vpn using the wizard in ASDM, and everything works fine when I connect from a PC on the same subnet as the router's external interface. When I try to connect from a remote PC, phase 1 doesn't even complete. The client is not responding to an IKE_DECODE SENDING Message unless it is plugged into the same switch as the ASA. Here is a diagram to explain the connections...
works: LAN --- ASA 5505 ---- switch ---- VPN client
broken: LAN --- ASA 5505 ---- switch ---- ISP ---- Internet --- VPN client
Here are the first two lines from logs that differ between the working and non-working connections... working:
7|Nov 21 2007|07:23:27|713236|||IP = x.x.x.x, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + HASH (8) + NOTIFY (11) + NAT-D (130) + NAT-D (130) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 168 7|Nov 21 2007|07:23:27|713236|||IP = x.x.x.x, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + HASH (8) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (130) + NAT-D (130) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 440broken:
6|Nov 21 2007|07:25:01|713905|||Group = vpngroup, IP = x.x.x.x, P1 Retransmit msg dispatched to AM FSM 5|Nov 21 2007|07:25:01|713201|||Group = vpngroup, IP = x.x.x.x, Duplicate Phase 1 packet detected. Retransmitting last packet. 7|Nov 21 2007|07:24:56|713236|||IP = x.x.x.x, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + HASH (8) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (130) + NAT-D (130) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 440I know the client is configured correctly because it works fine when connected to the same subnet as the ASA. Any insight would be much appreciated.