09-06-2021 12:09 AM - edited 09-06-2021 12:31 AM
I have configured Point to Point IPSEC between 2 ISR 4331 Routers and the Crypto Session is showing QM-IDLE and Status is showing active and data is flowing encrypted. But I am unable to copy files to a shared folder from one system connected to 1 site to the other system connected to the other side and vice versa. After removing the crypto map from the interface, I am able to copy.
Can anyone help me troubleshoot this issue?
09-06-2021 12:15 AM
Hello,
post the full configs of both sides...
09-06-2021 12:28 AM
09-06-2021 01:00 AM
Hello,
you are running a very outdated IOS version (12.x), and you are using the 'legacy' crypto map config. Check if your router supports the configurations below:
R1#
Current configuration : 2019 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
no aaa new-model
memory-size iomem 5
no ip icmp rate-limit unreachable
ip cef
!
no ip domain lookup
!
multilink bundle-name authenticated
!
archive
log config
hidekeys
!
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 5
crypto isakmp key KEY address 10.0.0.2
!
!
crypto ipsec transform-set TS esp-aes 256 esp-sha-hmac
!
crypto ipsec profile VTI
set transform-set TS
!
ip tcp synwait-time 5
!
interface Tunnel0
ip address 172.16.1.1 255.255.255.0
tunnel source 10.0.0.1
tunnel destination 10.0.0.2
tunnel mode ipsec ipv4
tunnel protection ipsec profile VTI
!
interface FastEthernet0/0
ip address 192.168.10.1 255.255.255.0
duplex auto
speed auto
!
interface Serial0/0
ip address 10.0.0.1 255.255.255.0
clock rate 2000000
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface Serial0/1
no ip address
shutdown
clock rate 2000000
!
interface Serial1/0
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/1
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/2
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/3
no ip address
shutdown
serial restart-delay 0
!
interface Serial2/0
no ip address
shutdown
serial restart-delay 0
!
interface Serial2/1
no ip address
shutdown
serial restart-delay 0
!
interface Serial2/2
no ip address
shutdown
serial restart-delay 0
!
interface Serial2/3
no ip address
shutdown
serial restart-delay 0
!
ip forward-protocol nd
ip route 192.168.20.0 255.255.255.0 Tunnel0
ip route 0.0.0.0 0.0.0.0 10.0.0.2
!
no ip http server
no ip http secure-server
!
no cdp log mismatch duplex
!
control-plane
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
login
!
end
----------
R2#
Current configuration : 2019 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
no aaa new-model
memory-size iomem 5
no ip icmp rate-limit unreachable
ip cef
!
no ip domain lookup
!
multilink bundle-name authenticated
!
archive
log config
hidekeys
!
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 5
crypto isakmp key KEY address 10.0.0.1
!
crypto ipsec transform-set TS esp-aes 256 esp-sha-hmac
!
crypto ipsec profile VTI
set transform-set TS
!
ip tcp synwait-time 5
!
interface Tunnel0
ip address 172.16.1.2 255.255.255.0
tunnel source 10.0.0.2
tunnel destination 10.0.0.1
tunnel mode ipsec ipv4
tunnel protection ipsec profile VTI
!
interface FastEthernet0/0
ip address 192.168.20.1 255.255.255.0
duplex auto
speed auto
!
interface Serial0/0
ip address 10.0.0.2 255.255.255.0
clock rate 2000000
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface Serial0/1
no ip address
shutdown
clock rate 2000000
!
interface Serial1/0
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/1
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/2
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/3
no ip address
shutdown
serial restart-delay 0
!
interface Serial2/0
no ip address
shutdown
serial restart-delay 0
!
interface Serial2/1
no ip address
shutdown
serial restart-delay 0
!
interface Serial2/2
no ip address
shutdown
serial restart-delay 0
!
interface Serial2/3
no ip address
shutdown
serial restart-delay 0
!
ip forward-protocol nd
ip route 192.168.10.0 255.255.255.0 Tunnel0
ip route 0.0.0.0 0.0.0.0 10.0.0.1
!
no ip http server
no ip http secure-server
!
no cdp log mismatch duplex
!
control-plane
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
login
!
end
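Added example, not from the thread and not a Cisco or poster-supplied tool: a small Python checker that parses two configs in the form of the R1/R2 VTI configs above and lists the mismatches that stop such a tunnel from coming up or from carrying traffic between the two LANs. The constructed sample configs are a trimmed copy of the posted ones with the static route masks written as subnet masks (255.255.255.0), which is the form `ip route` accepts; function names and the check messages are the example's own assumptions.

```python
"""Mirror-consistency check for two Cisco IOS VTI site-to-site configs (added example, not from
the thread): flags tunnel source/destination not mirrored, pre-shared key or peer address not
matching, different IKE policy or transform-set, no route into the tunnel for the peer's LAN, and
an 'ip route' written with a wildcard mask where IOS expects a subnet mask."""
import ipaddress
import re

# Constructed sample input: the VPN-relevant lines of the R1 config posted above.
R1_CONFIG = """\
hostname R1
crypto isakmp policy 10
encr aes 256
authentication pre-share
crypto isakmp key KEY address 10.0.0.2
crypto ipsec transform-set TS esp-aes 256 esp-sha-hmac
interface Tunnel0
ip address 172.16.1.1 255.255.255.0
tunnel source 10.0.0.1
tunnel destination 10.0.0.2
tunnel mode ipsec ipv4
tunnel protection ipsec profile VTI
interface FastEthernet0/0
ip address 192.168.10.1 255.255.255.0
interface Serial0/0
ip address 10.0.0.1 255.255.255.0
ip route 192.168.20.0 255.255.255.0 Tunnel0
"""
# R2 is the mirror image posted above: hostname, WAN, LAN and tunnel addresses swapped.
_SWAP = {"R1": "R2", "10.0.0.1": "10.0.0.2", "10.0.0.2": "10.0.0.1",
         "172.16.1.1": "172.16.1.2", "192.168.10": "192.168.20", "192.168.20": "192.168.10"}
R2_CONFIG = re.sub(r"R1|10\.0\.0\.[12]|172\.16\.1\.1|192\.168\.[12]0", lambda m: _SWAP[m[0]], R1_CONFIG)

IFACE_CMD = re.compile(r"^(ip address|tunnel source|tunnel destination|tunnel mode) (.+)$")

def parse_config(text):
    """Extract the IKE/IPsec, interface and static-route facts from an IOS running-config."""
    cfg = {"hostname": None, "policies": {}, "psk": {}, "transforms": {}, "interfaces": {}, "routes": []}
    section = None                                   # dict of the policy or interface being parsed
    for line in (l.strip() for l in text.splitlines()):
        w = line.split()
        if not w or line[0] == "!":
            section = None
        elif line.startswith("hostname "):
            cfg["hostname"], section = w[1], None
        elif line.startswith("crypto isakmp policy "):
            section = cfg["policies"].setdefault(w[3], {})
        elif line.startswith("crypto isakmp key "):      # crypto isakmp key <key> address <peer>
            cfg["psk"][w[5]], section = w[3], None
        elif line.startswith("crypto ipsec transform-set "):
            cfg["transforms"][w[3]], section = tuple(w[4:]), None
        elif line.startswith("interface "):
            section = cfg["interfaces"].setdefault(w[1], {})
        elif line.startswith("ip route "):               # ip route <prefix> <mask> <next-hop|interface>
            cfg["routes"].append(tuple(w[2:5]))
            section = None
        elif section is not None:                        # sub-command of the open section
            m = IFACE_CMD.match(line)
            if m:
                section[m[1]] = m[2]
            else:                                        # e.g. 'encr aes 256' inside an ISAKMP policy
                section[w[0]] = " ".join(w[1:])
    return cfg

def vti(cfg):
    found = [(n, a) for n, a in cfg["interfaces"].items() if a.get("tunnel mode") == "ipsec ipv4"]
    return found[0] if len(found) == 1 else None     # (name, attrs) of the one VTI, else None

def check_side(local, remote):
    """Problems visible from `local` looking towards `remote`."""
    host, bad, lv, rv = local["hostname"], [], vti(local), vti(remote)
    if lv is None or rv is None:
        return [f"{host}: each side needs exactly one 'tunnel mode ipsec ipv4' interface"]
    (lname, lt), (rname, rt) = lv, rv
    src, dst, peer = lt.get("tunnel source"), lt.get("tunnel destination"), rt.get("tunnel source")
    if dst != peer:
        bad.append(f"{host}: {lname} tunnel destination {dst} != peer's tunnel source {peer}")
    if local["psk"].get(peer) is None or local["psk"][peer] != remote["psk"].get(src):
        bad.append(f"{host}: pre-shared key for peer {peer} is missing or differs from the peer's key for {src}")
    if local["transforms"] != remote["transforms"]:
        bad.append(f"{host}: transform-sets {local['transforms']} differ from the peer's")
    if local["policies"] != remote["policies"]:
        bad.append(f"{host}: ISAKMP policies differ from the peer's")
    routes = []                                          # prefixes this side sends into the tunnel
    for prefix, mask, nexthop in local["routes"]:
        if mask != "0.0.0.0" and not mask.startswith("255"):
            bad.append(f"{host}: 'ip route {prefix} {mask} {nexthop}' uses a wildcard, not a subnet mask")
        elif nexthop == lname:
            routes.append(ipaddress.ip_network(f"{prefix}/{mask}", strict=False))
    # every LAN behind the peer (not its VTI, not the WAN link the tunnel rides on) needs a route
    for name, attrs in remote["interfaces"].items():
        addr = attrs.get("ip address", "")
        if name == rname or not addr or addr.startswith(peer + " "):
            continue
        net = ipaddress.ip_network("/".join(addr.split()[:2]), strict=False)
        if not any(net.subnet_of(r) for r in routes):
            bad.append(f"{host}: no route for peer LAN {net} via {lname}")
    return bad

def check_pair(config_a, config_b):
    """All mismatches between the two sides; an empty list means they mirror each other."""
    a, b = parse_config(config_a), parse_config(config_b)
    return check_side(a, b) + check_side(b, a)
```

Run `check_pair(R1_CONFIG, R2_CONFIG)` on the two posted configs and it returns an empty list; paste a real pair of running-configs in their place and each returned line names the side and the setting that does not mirror the peer, which is the list of things worth verifying before looking at anything else when the crypto session is up but traffic is not passing.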
09-06-2021 01:24 AM - edited 09-06-2021 01:36 AM
Sir,
If I do not want to use the Tunnel0 logical interface, what would the changes in the configuration be in that case? Because the customer does not want to use a logical interface. Also, how to deal with the scenario below.
09-06-2021 02:47 AM
Hello,
it is difficult to tell why the original configuration, which in essence is correct, does not work as desired. As stated, you are running very old software and a legacy/outdated crypto config. Would it be possible to test the VTI/logical interface configuration, just to find out if that makes a difference?