How to configure Cisco remote access IPSEC VPN between IOS Router and Android phone

I have a c891fw router with IOS 15.4 on which I'm trying to configure a remote access VPN for Androids native VPN client. I'm authenticating with RSA-Sig and XAUTH. The tunnel forms but I can't reach any internal resources nor can I reach the Internet through the tunnel. Any help with what could be wrong would be much appreciated!

I've removed parts of the config that I deem irrelevant or sensitive.

!
hostname Skynet
enable secret 5 xxxxx
!
aaa new-model
!
!
aaa authentication login local_auth local
aaa authentication login ClientAuth local
aaa authorization console
aaa authorization exec local_auth local
aaa authorization network local_auth local
aaa authorization network ClientAuth local
!
!
!
aaa session-id common
clock timezone CET 1 0
clock summer-time CET recurring last Sun Mar 2:00 last Sun Oct 3:00
!
crypto pki trustpoint vpn-tp
 usage ike
 revocation-check none
 rsakeypair vpn-tp
!
!
crypto pki certificate chain vpn-tp
 certificate 01
          xxx
quit
 certificate ca 00EC7044BAD01A044F
          xxx
quit
no ip source-route
no ip gratuitous-arps
!
!
!
ip cef
!
!
!
username jimmy privilege 15 secret 5 xxxx
username vpnuser privilege 0 secret 5 xxxx
!
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 2
ip ssh dh min size 4096
!
!
crypto isakmp policy 3
 encr aes
 group 2
crypto isakmp identity dn
!
crypto isakmp client configuration group <group>
 key <secret key>
 dns y.y.y.y
 pool dynpool
 include-local-lan
 netmask 255.255.255.0
crypto isakmp profile IKE-PROFILE
   ca trust-point vpn-tp
   match identity group <group>
   client authentication list ClientAuth
   isakmp authorization list ClientAuth
   client configuration address initiate
   client configuration address respond
   virtual-template 1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-aes 256 esp-sha-hmac
 mode tunnel
!
crypto ipsec profile IPSEC_PROFILE1
 set transform-set ESP-3DES-SHA
 set isakmp-profile IKE-PROFILE
!
!
interface GigabitEthernet8
 ip address dhcp client-id FastEthernet0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 ip nat outside
 ip virtual-reassembly in
 ip verify unicast source reachable-via rx allow-default 100
 duplex auto
 speed auto
 no cdp enable
!
interface Virtual-Template1 type tunnel
 ip unnumbered GigabitEthernet8
 no ip unreachables
 ip nat inside
 ip virtual-reassembly in
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC_PROFILE1
!
interface Vlan1
 ip address 10.0.0.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly in
!
!
ip local pool dynpool 192.168.0.100 192.168.0.101 recycle delay 1
!
!
ip pim bidir-enable
ip nat inside source list NAT2 interface GigabitEthernet8 overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet8
!
ip access-list standard ANY
 permit any
ip access-list standard Deny_RFC1918
 deny   10.0.0.0 0.255.255.255
 deny   172.16.0.0 0.15.255.255
 deny   192.168.0.0 0.0.255.255
 permit any
!
ip access-list extended NAT2
 deny   ip 10.0.0.0 0.0.0.255 host 192.168.0.100
 deny   ip 10.0.0.0 0.0.0.255 host 192.168.0.101
 permit ip 10.0.0.0 0.0.0.255 any
 permit ip 192.168.0.0 0.0.0.255 any

!

Leave Your Comment