
Cisco 3825 VPN problem????


Cisco 3825 VPN problem: authentication now passes, but after the client dials in to the VPN it cannot communicate with the hosts. I checked the client machine: the relevant routes are present, but there is still no communication. In the status window of the client VPN software, received packets shows 0 while sent packets are normal. Please help me find where the problem is;

Current configuration : 6881 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname v3nipse
!

boot-end-marker
!
logging buffered 4096 debugging
enable secret 5 $1$nGbd$Iv4vod1l/9IvVxuSAQc3qlu/
!
aaa new-model
!
!
aaa authentication login vtylogin local
aaa authentication login groupauthor group tacacs+ local
aaa authentication ppp groupauthor local
aaa authorization network netauth local
aaa accounting network default start-stop group tacacs+
!
aaa session-id common
ip cef
!
!
!
!
ip domain name mgrp.co
!
!
!
crypto pki trustpoint TP-self-signed-700639717
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-700639717
revocation-check none
rsakeypair TP-self-signed-700639717
!
!
crypto pki certificate chain TP-self-signed-700639717
certificate self-signed 01
30820248 308201B1 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 37303036 33393731 37301E17 0D303730 31313131 31323733
375A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F
532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3730 30363339
37313730 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100
BB4DEDD4 FCE007FD A4E84F15 0DFCC531 3E9AEB81 7E4035D0 A0A86D24 6B6BEBD9
9E625878 C56C9EFC 244B967B A7BC987E E1211000 26BA264F 55CB2D7D 2587C7C3
7BDA2F80 E307B521 E27D0931 ECD2BC59 5EF9353D 14C9154F 51BCDC16 1E2B8374
36A3FEAD 3A86EC0D FE86725C 4CB6EBFE 50F295B2 6BCC554C 24E1E818 A8B2F6BD
02030100 01A37230 70300F06 03551D13 0101FF04 05300301 01FF301D 0603551D
11041630 1482126D 6B76336E 69707365 2E6D6B67 72702E63 6F301F06 03551D23
04183016 8014891C 54B50A1F AE39C608 8BB4861E 123F1742 F834301D 0603551D
0E041604 14891C54 B50A1FAE 39C6088B B4861E12 3F1742F8 34300D06 092A8648
86F70D01 01040500 03818100 407F3407 E64742B0 4B0F511E F0F2FA98 00E327FE
C0952917 1A8E399D 64E64A80 432F0652 1BD32725 6CD3A76E E6A09D65 D11C90A5
ABFBDCB4 8180C9A1 AAA516DD BEA7469A D5B0FB5E 6B2DBCCB 2D570500 8F3AE4E0
6F35BF9D 8045F317 D99F65D1 9AD6E955 2B388E4D 52A4ECDD 373F8064 1438DB55
6C6461E8 642E999C DC61C9C9
quit
username ydvpn privilege 15 secret 5 $1$ZaGk$Ms2v059HAgArTh65wgWPpYBi.

!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group testxj
key testxjvpn
dns 10.1.2.1
wins 10.1.2.1
pool test1
acl 102
netmask 255.255.255.0
!
crypto isakmp client configuration group jtncuser
key user032198
pool test1
acl 103
!
!
crypto ipsec transform-set vpnclient-jt esp-3des esp-md5-hmac
crypto ipsec transform-set vpnclient-jtnc esp-3des esp-md5-hmac
crypto ipsec transform-set 3des-md5 esp-3des esp-md5-hmac
!
crypto dynamic-map jtnc 2
set transform-set vpnclient-jtnc
!
crypto dynamic-map jttemp 1
set transform-set 3des-md5
reverse-route
!
!
crypto map map01 client authentication list groupauthor
crypto map map01 isakmp authorization list netauth
crypto map map01 client configuration address initiate
crypto map map01 client configuration address respond
crypto map map01 65535 ipsec-isakmp dynamic jtnc
!
crypto map jtvpnmap client authentication list groupauthor
crypto map jtvpnmap isakmp authorization list netauth
crypto map jtvpnmap client configuration address respond
crypto map jtvpnmap 65535 ipsec-isakmp dynamic jttemp
!
!
!
interface GigabitEthernet0/0
ip address 10.1.23.21 255.255.255.0
no ip route-cache cef
no ip route-cache
no ip mroute-cache
duplex auto
speed auto
media-type rj45
no keepalive
!
interface GigabitEthernet0/1
ip address 222.218.221.11 255.255.255.248
no ip route-cache cef
no ip route-cache
no ip mroute-cache
duplex auto
speed auto
media-type rj45
no keepalive
crypto map jtvpnmap
!
interface Virtual-Template1
ip unnumbered GigabitEthernet0/1
crypto map map01
!
router rip
version 2
passive-interface GigabitEthernet0/1
network 192.168.89.0
neighbor 10.1.23.253
!
ip local pool test1 192.168.89.1 192.168.89.254
ip route 0.0.0.0 0.0.0.0 218.202.221.14
ip route 10.0.0.0 255.0.0.0 10.1.23.253
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip access-list extended dns-servers
ip access-list extended key-exchange
ip access-list extended service
!
access-list 1 permit 10.1.9.110
access-list 1 permit 10.1.8.50
access-list 1 permit 10.1.9.112
access-list 1 permit any log
access-list 2 permit 10.1.8.50
access-list 2 deny any
access-list 23 permit 10.1.9.0 0.0.0.255
access-list 101 permit ip any 192.168.89.0 0.0.0.255 log
access-list 102 permit ip 10.1.2.0 0.0.0.255 any log
access-list 102 permit ip 10.1.5.0 0.0.0.255 any log
access-list 102 permit ip host 10.5.2.15 any log
access-list 102 permit ip 10.1.9.0 0.0.0.255 any log
access-list 102 permit ip host 10.5.2.20 any log
access-list 102 permit ip host 10.5.2.7 192.168.89.0 0.0.0.255 log
access-list 102 permit ip 10.1.23.0 0.0.0.255 192.168.89.0 0.0.0.255 log
access-list 103 permit ip host 10.1.5.17 any log
access-list 103 permit ip host 10.1.5.39 any log
access-list 120 permit ip 10.1.9.0 0.0.0.255 any log

!
tacacs-server host 10.1.8.50 timeout 20
tacacs-server directed-request
tacacs-server key admin0912
radius-server host 10.1.8.50 auth-port 1645 acct-port 1646 key admin0912
!
control-plane
!
!
banner login ^C
-----------------------------------------------------------------------
Cisco Router and Security Device Manager (SDM) is installed on this device.
This feature requires the one-time use of the username "cisco"
with the password "cisco". The default username and password have a privilege level of 15.

Please change these publicly known initial credentials using SDM or the IOS CLI.
Here are the Cisco IOS commands.

username <myuser> privilege 15 secret 0 <mypassword>
no username cisco

Replace <myuser> and <mypassword> with the username and password you want to use.

For more information about SDM please follow the instructions in the QUICK START
GUIDE for your router or go to http://www.cisco.com/go/sdm
-----------------------------------------------------------------------
^C
!
line con 0
stopbits 1
line aux 0
stopbits 1
line vty 0 4
access-class 1 in
privilege level 15
login authentication vtylogin
transport input telnet ssh
line vty 5 8
access-class 1 in
privilege level 15
login authentication vtylogin
transport input telnet ssh
line vty 9 15
access-class 23 in
privilege level 15
login authentication vtylogin
transport input telnet ssh
!
scheduler allocate 20000 1000
!
end
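As an added illustration, not code from the original post, here is a small Python lint for the kind of IOS Easy VPN configuration shown above: it checks that every client configuration group references a defined address pool and split-tunnel ACL, and flags dynamic maps that lack reverse-route (without it, routes for the assigned client addresses must come from somewhere else). The excerpt it parses is constructed from the config above plus a deliberately broken group named demo, which is not in the original.

```python
import re
# Constructed excerpt of the running-config quoted above; group "demo" and its
# undefined acl 150 are added here only to exercise the checks.
CONFIG = """\
crypto isakmp client configuration group testxj
 pool test1
 acl 102
crypto isakmp client configuration group jtncuser
 pool test1
 acl 103
crypto isakmp client configuration group demo
 acl 150
crypto dynamic-map jtnc 2
 set transform-set vpnclient-jtnc
crypto dynamic-map jttemp 1
 set transform-set 3des-md5
 reverse-route
ip local pool test1 192.168.89.1 192.168.89.254
access-list 102 permit ip 10.1.2.0 0.0.0.255 any log
access-list 103 permit ip host 10.1.5.17 any log
"""
SUB = ("pool ", "acl ", "set transform-set", "reverse-route")  # tracked sub-commands

def parse(text):
    # Returns client groups, dynamic maps (each as {sub-command: argument}) and
    # the set of defined pool names / ACL numbers. Works on unindented configs too.
    groups, dynmaps, defined, block = {}, {}, set(), None
    for line in (l.strip() for l in text.splitlines()):
        if block is not None and line.startswith(SUB):
            k, _, v = line.partition(" ")
            block[k] = v
        elif m := re.match(r"crypto isakmp client configuration group (\S+)", line):
            block = groups.setdefault(m.group(1), {})
        elif m := re.match(r"crypto dynamic-map (\S+) \d+", line):
            block = dynmaps.setdefault(m.group(1), {})
        else:
            block = None  # any other line ends the current block
            if m := re.match(r"(ip local pool|access-list) (\S+)", line):
                defined.add(m.group(2))
    return groups, dynmaps, defined

def audit(text):
    groups, dynmaps, defined = parse(text)
    findings = []
    for name, attrs in groups.items():
        for key in ("pool", "acl"):  # dangling references to pools / split-tunnel ACLs
            if key in attrs and attrs[key] not in defined:
                findings.append(f"group {name}: {key} {attrs[key]} is not defined")
    for name, attrs in dynmaps.items():
        if "reverse-route" not in attrs:
            findings.append(f"dynamic-map {name}: no reverse-route, assigned client addresses need a route from elsewhere")
    return findings
```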



User 1:

Is the VPN actually up?

Run show cry isa sa to see whether the VPN has been established.

Run route print on the client machine to check the routes. I can't make sense of your split tunnel; that may be the problem.




User 2:

The VPN client can dial in, and the corresponding routes are visible on the client machine, but it just can't ping. With the same configuration, after I changed to local user authentication, ping worked. The ACS server is 3.2 (authenticating through the ACS server works fine; it is just that the client can't communicate with the internal hosts);
Could it be a compatibility problem between the 3825 and ACS 3.2?
I tested last night and found the cause: it should be a TACACS+ authentication compatibility problem between the 3825 and ACS 3.2. After changing to RADIUS there is no problem;


