09-05-2005 05:19 AM - edited 02-21-2020 01:56 PM
I have a site-to-site VPN tunnel. How can I copy the config file through the VPN tunnel from the other side of the LAN?
PC - RouterA - VPNTUNNEL - RouterB.
I want to copy the config-file from RouterB to the PC.
09-05-2005 05:18 PM
http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_tech_note09186a008020260d.shtml
The document should give you an idea.
09-05-2005 10:38 PM
Thanks for your help. I already know these commands to copy the config file, but it doesn't run through the VPN tunnel.
09-06-2005 09:08 AM
Michael
I am not sure that I understand your problem. Perhaps you can clarify a bit and we might be able to help you better.
I have implemented many VPN tunnels. I frequently tftp config files over the VPN. As long as the IP traffic (between the router whose config you want to copy and the PC to which you want to copy it) goes over the VPN I have never had a problem in copying config files.
So maybe you can help me understand your issue a bit better.
- does the IP traffic with source address of router B and destination address of PC go over the VPN?
- does the access list which identifies traffic for VPN include the source of router B and the destination of PC, and does the access list include tftp protocol?
- if you try to copy the config, what does not work?
HTH
Rick
09-06-2005 10:38 PM
Hello Rick,
Thank you for your help. When I copy the config file I get an error message:
%Error opening tftp://194.70.170.33/confg
The access-list allows tftp.
I can ping the PC from router B.
Michael
09-07-2005 04:46 AM
Michael
If you can ping to the PC from router B that is a good start. If you get an error in opening the tftp server it is an indication that something is not set up correctly.
Perhaps the next step is to verify some things about the tftp server. Most tftp servers will create a status message or log entry when there is an access attempt. If you check the tftp server while the router is attempting to copy the config file, does the tftp server see the access attempt?
If the tftp server is not seeing the access attempt we need to find out why. If the tftp server is seeing the access attempt then there are a few potential problems that depend on the implementation of the tftp server and the version of OS on the PC. In some implementations the file must exist before the router can copy to it. In some implementations there must be permissions for remote write to the file. Can you verify that these are not issues in this instance?
Can you verify that the tftp server is configured for the correct directory (folder, or whatever its OS calls it) and that there is sufficient room in the directory to write the config file?
HTH
Rick
09-08-2005 07:35 AM
Hello Rick,
Thank you for your help.
The tftp server is configured correctly, because I get the config file from router A but not from router B. The log file of the tftp server shows no entries.
michael
09-08-2005 08:32 AM
Michael
Thanks for the additional information. If you can write the config file from router A to the tftp server, then it seems to assure that the tftp server is working ok and the problem is probably not one of the issues I mentioned in my previous post.
If the log file of the tftp server does not show any entry when router B attempts to send the config file then we can probably assume that the tftp is never getting to the server. Can you do a traceroute from router B to the PC? (This will send UDP packets and verify connectivity.)
My best theory right now is that either the tftp packets from router B are not getting processed by ipsec or that the responses from the tftp server are not getting processed by ipsec. Can you provide the relevant details of configuring ipsec on both routers (especially the access lists)?
HTH
Rick
09-09-2005 12:23 AM
Hello,
I will send the config file from routerB.
!
hostname routerB
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
aaa new-model
!
!
aaa authentication login userauthentication local
aaa authorization network groupauthorization local
aaa session-id common
ip subnet-zero
no ip source-route
!
!
!
!
no ip domain lookup
no ip bootp server
ip cef
ip inspect name ethernetin cuseeme
ip inspect name ethernetin ftp
ip inspect name ethernetin h323
ip inspect name ethernetin netshow
ip inspect name ethernetin rcmd
ip inspect name ethernetin realaudio
ip inspect name ethernetin rtsp
ip inspect name ethernetin smtp
ip inspect name ethernetin sqlnet
ip inspect name ethernetin streamworks
ip inspect name ethernetin tftp
ip inspect name ethernetin tcp
ip inspect name ethernetin udp
ip inspect name ethernetin vdolive
ip inspect name ethernetin icmp
ip audit notify log
ip audit po max-events 100
no ftp-server write-enable
no scripting tcl init
no scripting tcl encdir
!
!
!
!
!
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
crypto isakmp key berfrank address 1.1.1.1 no-xauth
!
crypto isakmp client configuration group windowsvpn
key xxxxx
dns 194.25.0.52
pool windowspool
acl 199
!
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 10
set transform-set myset
!
!
crypto map mymap client authentication list userauthentication
crypto map mymap isakmp authorization list groupauthorization
crypto map mymap client configuration address respond
crypto map mymap 10 ipsec-isakmp
description Tunnel to rouberB
set peer 1.1.1.2
set transform-set myset
match address 102
crypto map mymap 90 ipsec-isakmp dynamic dynmap
!
!
!
!
interface Ethernet0
description Outside Interface
ip address 1.1.1.1 255.255.255.248
ip access-group 121 in
ip nat outside
ip inspect ethernetin in
no ip mroute-cache
half-duplex
no cdp enable
crypto map mymap
!
interface FastEthernet0
description Outside Interface
ip address 192.168.2.253 255.255.255.0
ip nat inside
ip inspect ethernetin in
no ip mroute-cache
speed auto
no cdp enable
!
ip local pool windowspool 10.0.0.1 10.0.0.254
ip nat pool ovrld 1.1.1.1 1.1.1.1 prefix-length 16
ip nat inside source route-map nonat pool ovrld overload
no ip classless
no ip http server
no ip http secure-server
!
!
!
access-list 101 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 permit ip 192.168.2.0 0.0.0.255 192.168.9.0 0.0.0.255
access-list 101 deny ip any any
access-list 102 permit ip 192.168.2.0 0.0.0.255 192.168.9.0 0.0.0.255
access-list 102 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 121 permit udp any host 1.1.1.1 eq isakmp
access-list 121 permit esp any host 1.1.1.1
access-list 121 permit ahp any host 1.1.1.1
access-list 121 permit udp host 1.1.1.1 any eq isakmp
access-list 121 permit esp host 1.1.1.1 any
access-list 121 permit ahp host 1.1.1.1 any
access-list 121 permit ip 10.0.0.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 121 permit ip 192.168.9.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 121 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 121 deny ip any any
access-list 175 deny ip 192.168.2.0 0.0.0.255 192.168.9.0 0.0.0.255
access-list 175 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 175 deny ip 192.168.2.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 175 permit ip 192.168.2.0 0.0.0.255 any
access-list 199 permit ip 192.168.2.0 0.0.0.255 10.0.0.0 0.0.0.255
no cdp run
!
route-map nonat permit 10
match ip address 175
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
password 7 xxxxxxxx
!
!
end
Any ideas?
Michael
09-09-2005 04:29 AM
Hi,
Try adding the following command in RouterB
ip tftp source-interface FastEthernet0
HTH
Regards,
Shijo George.
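Why that one line fixes it: a crypto map only encrypts traffic that the crypto ACL (here access-list 102) permits, and 102 only matches packets sourced from 192.168.2.0/24. Router-originated traffic such as a `copy running-config tftp:` is sourced, by default, from the address of the interface the packet exits through, which for a destination on the far side of the Internet is Ethernet0 = 1.1.1.1. That source never matches 102, so the TFTP request leaves in the clear and never reaches the tunnel (hence the empty tftp server log); `ip tftp source-interface FastEthernet0` makes the source 192.168.2.253, which 102 permits. The following model of that selection is an added example and not part of the thread; the two ACL 102 lines are copied from the posted routerB config, while the PC address 192.168.1.10 (assumed to sit on RouterA's LAN, one of the subnets in 102) and Ethernet0 being the exit interface toward it (the default route Michael says he removed from the posted config) are assumptions. It also checks the situation Rick's questions in his first reply were probing: whether a packet with router B's source address and the PC's destination address is selected for IPsec. Note the security side of the default behaviour: the file being copied is the running config, pre-shared key and line passwords included, and without the source-interface setting it would have been sent unencrypted.

```python
"""Model of how a Cisco IOS crypto ACL selects router-originated TFTP traffic.

Added example, not from the forum thread. ACL 102 is copied from the posted
routerB config; the PC address 192.168.1.10 and the interface addresses used
as TFTP sources are assumptions for illustration.
"""
import ipaddress
from dataclasses import dataclass

# Crypto ACL lines exactly as they appear in the posted routerB config.
ROUTERB_ACL_102 = """
access-list 102 permit ip 192.168.2.0 0.0.0.255 192.168.9.0 0.0.0.255
access-list 102 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
"""

# Interface addresses from the posted config (Ethernet0 = outside,
# FastEthernet0 = inside LAN).
ROUTERB_INTERFACES = {"Ethernet0": "1.1.1.1", "FastEthernet0": "192.168.2.253"}

# Assumed: the PC sits on RouterA's LAN, one of the subnets listed in ACL 102.
PC_ADDRESS = "192.168.1.10"


def _wild_match(addr, base, wildcard):
    """Cisco wildcard mask: a 1 bit in the mask means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) & 0xFFFFFFFF == (b & ~w) & 0xFFFFFFFF


@dataclass(frozen=True)
class AclEntry:
    action: str      # "permit" or "deny"
    proto: str       # "ip" matches every protocol
    src: str
    src_wild: str
    dst: str
    dst_wild: str

    def matches(self, proto, src, dst):
        return (self.proto in ("ip", proto)
                and _wild_match(src, self.src, self.src_wild)
                and _wild_match(dst, self.dst, self.dst_wild))


def parse_acl(text, number):
    """Parse 'access-list N permit|deny PROTO SRC WILD DST WILD' lines for one ACL."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 8 or parts[:2] != ["access-list", str(number)]:
            continue
        _, _, action, proto, src, src_wild, dst, dst_wild = parts
        entries.append(AclEntry(action, proto, src, src_wild, dst, dst_wild))
    return entries


def selects_for_ipsec(acl, proto, src, dst):
    """First matching entry wins, as in IOS: permit => encrypt, otherwise clear."""
    for entry in acl:
        if entry.matches(proto, src, dst):
            return entry.action == "permit"
    return False


def tftp_source(source_interface_cmd):
    """Source address IOS uses for router-originated TFTP.

    Without 'ip tftp source-interface', IOS sources the packet from the exit
    interface toward the destination; for a remote PC reached via the default
    route that is Ethernet0 (assumed here).
    """
    if source_interface_cmd is None:
        return ROUTERB_INTERFACES["Ethernet0"]
    return ROUTERB_INTERFACES[source_interface_cmd.split()[-1]]


def tftp_goes_through_tunnel(source_interface_cmd, pc=PC_ADDRESS):
    """Return (source address used, whether ACL 102 sends it through IPsec)."""
    acl = parse_acl(ROUTERB_ACL_102, 102)
    src = tftp_source(source_interface_cmd)
    return src, selects_for_ipsec(acl, "udp", src, pc)


if __name__ == "__main__":
    for cmd in (None, "ip tftp source-interface FastEthernet0"):
        src, encrypted = tftp_goes_through_tunnel(cmd)
        print(f"{cmd or '(no source-interface)':40} src={src:15} via IPsec={encrypted}")
```

Run it and the default case comes out as source 1.1.1.1, not selected for IPsec; with the source-interface command the source is 192.168.2.253 and the packet matches the second line of ACL 102. The same first-match logic applies to the mirror-image crypto ACL on RouterA for the TFTP reply, which is why the source address has to be one that both ends' ACLs cover.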
09-09-2005 05:06 AM
Michael
Thanks for posting the router config. I am a bit puzzled at what I see. You say in a previous post that you can ping the PC from router B and it looks like the address of the PC is 194.70.170.33. But that address is not a connected subnet and I do not see any static routes or any dynamic routing protocol. So how does router B know how to get to that remote address?
HTH
Rick
09-09-2005 06:24 AM
Rick,
Sorry, I changed the IP addresses in this example configuration and deleted the default route.
Michael
09-09-2005 06:33 AM
Thank you Shijo George.
This has solved my problem.