ISR 4331 -- Unable to Copy Files in Shared Drive over IPSEC

himanshudwivedi
Level 1

I have configured point-to-point IPsec between 2 ISR 4331 routers. The crypto session is showing QM_IDLE, the status is showing active, and data is flowing encrypted. But I am unable to copy files to a shared folder from one system connected to one site to another system connected to the other side, and vice versa. After removing the crypto map from the interface, I am able to copy.

Can anyone help me with troubleshooting this issue?

5 Replies

Hello,

post the full configs of both sides...

Both sides' configurations are attached here...

Hello,

you are running a very outdated IOS version (12.x), and you are using the 'legacy' crypto map config. Check whether your router supports the configuration below:

R1#

Current configuration : 2019 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
no aaa new-model
memory-size iomem 5
no ip icmp rate-limit unreachable
ip cef
!
no ip domain lookup
!
multilink bundle-name authenticated
!
archive
log config
hidekeys
!
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 5
crypto isakmp key KEY address 10.0.0.2
!
!
crypto ipsec transform-set TS esp-aes 256 esp-sha-hmac
!
crypto ipsec profile VTI
set transform-set TS
!
ip tcp synwait-time 5
!
interface Tunnel0
ip address 172.16.1.1 255.255.255.0
tunnel source 10.0.0.1
tunnel destination 10.0.0.2
tunnel mode ipsec ipv4
tunnel protection ipsec profile VTI
!
interface FastEthernet0/0
ip address 192.168.10.1 255.255.255.0
duplex auto
speed auto
!
interface Serial0/0
ip address 10.0.0.1 255.255.255.0
clock rate 2000000
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface Serial0/1
no ip address
shutdown
clock rate 2000000
!
interface Serial1/0
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/1
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/2
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/3
no ip address
shutdown
serial restart-delay 0
!
interface Serial2/0
no ip address
shutdown
serial restart-delay 0
!
interface Serial2/1
no ip address
shutdown
serial restart-delay 0
!
interface Serial2/2
no ip address
shutdown
serial restart-delay 0
!
interface Serial2/3
no ip address
shutdown
serial restart-delay 0
!
ip forward-protocol nd
ip route 192.168.20.0 255.255.255.0 Tunnel0
ip route 0.0.0.0 0.0.0.0 10.0.0.2
!
no ip http server
no ip http secure-server
!
no cdp log mismatch duplex
!
control-plane
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
login
!
end

----------

R2#

Current configuration : 2019 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
no aaa new-model
memory-size iomem 5
no ip icmp rate-limit unreachable
ip cef
!
no ip domain lookup
!
multilink bundle-name authenticated
!
archive
log config
hidekeys
!
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 5
crypto isakmp key KEY address 10.0.0.1
!
crypto ipsec transform-set TS esp-aes 256 esp-sha-hmac
!
crypto ipsec profile VTI
set transform-set TS
!
ip tcp synwait-time 5
!
interface Tunnel0
ip address 172.16.1.2 255.255.255.0
tunnel source 10.0.0.2
tunnel destination 10.0.0.1
tunnel mode ipsec ipv4
tunnel protection ipsec profile VTI
!
interface FastEthernet0/0
ip address 192.168.20.1 255.255.255.0
duplex auto
speed auto
!
interface Serial0/0
ip address 10.0.0.2 255.255.255.0
clock rate 2000000
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface Serial0/1
no ip address
shutdown
clock rate 2000000
!
interface Serial1/0
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/1
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/2
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/3
no ip address
shutdown
serial restart-delay 0
!
interface Serial2/0
no ip address
shutdown
serial restart-delay 0
!
interface Serial2/1
no ip address
shutdown
serial restart-delay 0
!
interface Serial2/2
no ip address
shutdown
serial restart-delay 0
!
interface Serial2/3
no ip address
shutdown
serial restart-delay 0
!
ip forward-protocol nd
ip route 192.168.10.0 255.255.255.0 Tunnel0
ip route 0.0.0.0 0.0.0.0 10.0.0.1
!
no ip http server
no ip http secure-server
!
no cdp log mismatch duplex
!
control-plane
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
login
!
end

Sir,

If I do not want to use the Tunnel0 logical interface, what would the changes in configuration be in that case? Because the customer does not want to use a logical interface... Also, how should I deal with the scenario below?

[Image attachment: Untitled.png]

Hello,

it is difficult to tell why the original configuration, which in essence is correct, does not work as desired. As stated, you are running very old software and a legacy/outdated crypto config. Would it be possible to test the VTI/logical interface configuration, just to find out if that makes a difference?
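The question above asks what the configuration looks like without the Tunnel0 logical interface. As an added example (not posted by any participant in this thread), this is the R1 side of the same VTI design expressed as a legacy crypto map, keeping the posted addresses, ISAKMP policy and transform-set; the ACL and map names are assumed, and R2 mirrors it with peer 10.0.0.1 and the ACL reversed.

```cisco
! R1 as a legacy crypto map (added example; R2 is the mirror image)
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
crypto isakmp key KEY address 10.0.0.2
!
crypto ipsec transform-set TS esp-aes 256 esp-sha-hmac
 mode tunnel
!
! With a crypto map, the traffic selector is this ACL, not a static
! route. R2 must permit the exact reverse:
!   permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
ip access-list extended VPN-TRAFFIC
 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
!
crypto map CMAP 10 ipsec-isakmp
 set peer 10.0.0.2
 set transform-set TS
 match address VPN-TRAFFIC
!
! The map is bound to the physical WAN interface; no Tunnel0 exists.
interface Serial0/0
 ip address 10.0.0.1 255.255.255.0
 crypto map CMAP
!
! No route to 192.168.20.0/24 via a tunnel: the default route carries
! the LAN traffic toward the peer and the crypto map encrypts it on egress.
ip route 0.0.0.0 0.0.0.0 10.0.0.2
```

With either style applied on both sides, `show crypto ipsec sa` should show the #pkts encaps and #pkts decaps counters rising on both routers while the file copy runs; a counter that rises on one side only points at a selector mismatch rather than at the file-sharing protocol.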