ftp over ipsec

admin_2
Level 3

I have created a new IPSec tunnel from branch to branch (1750 to 1750 router) and tested the FTP file transfer. I am able to log on to the FTP server and able to see the files, but I could not PUT or GET the files. Encryption is happening for PING and TELNET, i.e. encryption is not working totally between the 1750 routers for FTP PUT & GET.

And there is no problem with the FTP server, because without IPsec FTP is working fine, and I also tested with another FTP server.

Both routers are running OSPF.

Also, we have tried FTP between the central router 3661 and the remote router 1750. The routers are running IPsec and the routing protocol OSPF. I was able to do ping and telnet, and was also able to download a file from the FTP server located at the central location. But I am not able to upload the file from the remote router 1750 to the central router 3661.

What could be the problem?

3 Replies 3

Not applicable

You are having some MTU problems here. As IPSec adds some overhead to the IP packets, the MTU decreases. The router informs the stations sending 1500-byte packets with DF set, via ICMP, to decrease the MTU.

At one end (based on your description, at the remote site) the station probably tries to send packets of 1500 octets and ignores the router's ICMPs.

You can control the behavior of the DF bit in newer IOS releases (12.2.T).

alexis.fidalgo
Level 1

I think this is an MTU problem.

Do this to be sure.

On the router, first clear all the SAs:

clear crypto sa

Then start debugs for ISAKMP and IPsec:

debug crypto ipsec

debug crypto isakmp

term mon

Then generate some traffic to initiate the tunnel and look in the debug output for how many bytes IPsec is adding (e.g. esp-des esp-md5-hmac adds 56 bytes). If the path MTU is 1500, you must reset the MTU.

I hope it helps.
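Added example, not part of the original thread or any poster's code: a Python calculation of the ESP tunnel-mode size arithmetic behind the MTU diagnosis in the replies above, showing the largest inner packet and TCP MSS that fit a given path MTU, and why small control packets pass while full-size data packets do not. It assumes IPv4 without options, CBC ciphers with 96-bit truncated HMACs, and no NAT-T or GRE; all function and constant names are illustrative.

```python
"""ESP tunnel-mode size calculator (illustrative; field sizes per RFC 4303)."""
from dataclasses import dataclass

OUTER_IPV4 = 20    # new IPv4 header added in tunnel mode (assumes no options)
ESP_HEADER = 8     # SPI (4) + sequence number (4)
ESP_TRAILER = 2    # pad length (1) + next header (1)
INNER_IP_TCP = 40  # inner IPv4 (20) + TCP (20), assumes no options


@dataclass(frozen=True)
class Transform:
    name: str
    block: int  # cipher block size in bytes; ESP pads the payload to this
    iv: int     # IV bytes carried in every packet (CBC mode)
    icv: int    # truncated HMAC bytes appended to every packet


DES_MD5 = Transform("esp-des esp-md5-hmac", block=8, iv=8, icv=12)
AES_SHA = Transform("esp-aes esp-sha-hmac", block=16, iv=16, icv=12)  # comparison


def encapsulated_size(inner_len, t):
    """Bytes on the wire for one inner IP packet after ESP tunnel encapsulation."""
    # Inner packet plus trailer is rounded up to a whole number of cipher blocks.
    padded = -(-(inner_len + ESP_TRAILER) // t.block) * t.block
    return OUTER_IPV4 + ESP_HEADER + t.iv + padded + t.icv


def max_inner_packet(path_mtu, t):
    """Largest inner IP packet that fits in path_mtu without fragmentation."""
    room = path_mtu - OUTER_IPV4 - ESP_HEADER - t.iv - t.icv
    return (room // t.block) * t.block - ESP_TRAILER


def report(path_mtu, t):
    """Summarise what fits, and what a full-size inner packet grows to."""
    inner = max_inner_packet(path_mtu, t)
    return {
        "transform": t.name,
        "max_inner_packet": inner,
        "max_tcp_mss": inner - INNER_IP_TCP,
        "full_size_packet_becomes": encapsulated_size(path_mtu, t),
    }


if __name__ == "__main__":
    for transform in (DES_MD5, AES_SHA):
        print(report(1500, transform))
```
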
