IPSEC(crypto_decrypt_ipsec_sa_check): failed to coalesce pak

Virtual private networks and related topics

Moderator: Federico.Lagni

k4mik4ze
Cisco pathologically enlightened user
Posts: 196
Joined: Tue 20 May 2008, 1:24 am

I got the error in a lab environment [GNS3 on ubuntu]:
[Windows guest on VirtualBOX] -> Cisco 7200 [r2] -> Cisco 7200 [r1] -> Cloud towards the internet.

Both Ciscos run c7200-advipservicesk9-mz.124-2.T.bin.

In short, just to do a few exercises, the plan was to send http/https traffic through a VPN between the two routers and then let it out: it worked for a moment, after which it started throwing the error in the topic title at me.

The configs follow [edit: okay, I'm trimming them a bit]:

Code:

!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
resource policy
!
ip subnet-zero
ip cef
!
!
no ip dhcp use vrf connected
!
!
ip inspect name inspect_base http
ip inspect name inspect_base dns
ip inspect name inspect_base https
no ip ips deny-action ips-interface
!
!
crypto isakmp policy 10
 authentication pre-share
 group 5
 lifetime 60
crypto isakmp key cisco address 10.0.0.2
!
crypto ipsec security-association lifetime seconds 120
!
crypto ipsec transform-set httptset esp-des 
!
crypto map httpcmap 1 ipsec-isakmp 
 set peer 10.0.0.2
 set transform-set httptset 
 set pfs group5
 match address 2000
!
!
interface FastEthernet0/0
 ip address 192.168.81.16 255.255.255.0
 ip access-group 102 in
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 10.0.0.1 255.255.255.252
 ip inspect inspect_base in
 duplex auto
 speed auto
 crypto map httpcmap
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.81.251
ip route 192.168.0.0 255.255.255.0 10.0.0.2
no ip http server
no ip http secure-server
!
!
access-list 101 permit tcp 192.168.0.0 0.0.0.255 any eq www
access-list 101 permit tcp 192.168.0.0 0.0.0.255 any eq 8080
access-list 101 permit udp 192.168.0.0 0.0.0.255 any eq domain
access-list 102 deny   ip any any
access-list 2000 permit tcp any eq www 192.168.0.0 0.0.0.255
access-list 2000 permit tcp any eq 8080 192.168.0.0 0.0.0.255
!
!
control-plane
!
!
gatekeeper
 shutdown
!
!
line con 0
 stopbits 1
line aux 0
line vty 0 4
!
!
end

Code:

!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
resource policy
!
ip subnet-zero
ip cef
!
!
no ip dhcp use vrf connected
!
!
no ip ips deny-action ips-interface
!
!
crypto isakmp policy 10
 authentication pre-share
 group 5
 lifetime 60
crypto isakmp key cisco address 10.0.0.1
!
crypto ipsec security-association lifetime seconds 120
!
crypto ipsec transform-set httptset esp-des 
!
crypto map httpcmap 1 ipsec-isakmp 
 set peer 10.0.0.1
 set transform-set httptset 
 set pfs group5
 match address 2000
!
!
!
!
interface FastEthernet0/0
 ip address 192.168.0.1 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 10.0.0.2 255.255.255.252
 duplex auto
 speed auto
 crypto map httpcmap
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.0.0.1
no ip http server
no ip http secure-server
!
!
!
access-list 2000 permit tcp 192.168.0.0 0.0.0.255 any eq www
access-list 2000 permit tcp 192.168.0.0 0.0.0.255 any eq 8080
!
!
control-plane
!
!
gatekeeper
 shutdown
!
!
line con 0
 stopbits 1
line aux 0
line vty 0 4
!
!
end

Any ideas? Unfortunately I couldn't find anything on the error, except on "experts-exchange" where a bug in the IOS was suspected.
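Added example (not part of the post and not Cisco tooling): before chasing an IOS message, it is worth mechanically cross-checking the two ends of a crypto-map tunnel for the things that silently break or weaken a site-to-site IPsec setup. The script below parses trimmed copies of the two configs posted above and reports whether each router's `set peer` is actually an interface address on the other router, whether a `crypto isakmp key` exists for that peer and is of reasonable length, whether the transform set uses a deprecated cipher or has no ESP integrity algorithm, whether PFS and transform sets agree, whether the IPsec SA lifetime is so short that the tunnel is rekeying almost continuously, and whether the crypto ACLs are exact mirror images. The parser covers only the IOS constructs that appear in these configs, and the thresholds (16-character PSK, 600 s SA lifetime) and the finding texts are the example's own choices. On the posted configs it flags the `esp-des`-only transform set, the five-character pre-shared key and the 120 s SA lifetime; the peers and crypto ACLs check out.

```python
# Added example: cross-check two IOS IPsec configs. R1/R2 are trimmed copies of the configs posted above.
R1 = """crypto isakmp key cisco address 10.0.0.2
crypto ipsec security-association lifetime seconds 120
crypto ipsec transform-set httptset esp-des
crypto map httpcmap 1 ipsec-isakmp
 set peer 10.0.0.2
 set transform-set httptset
 set pfs group5
 match address 2000
interface FastEthernet0/1
 ip address 10.0.0.1 255.255.255.252
 crypto map httpcmap
access-list 2000 permit tcp any eq www 192.168.0.0 0.0.0.255
access-list 2000 permit tcp any eq 8080 192.168.0.0 0.0.0.255
"""
R2 = """crypto isakmp key cisco address 10.0.0.1
crypto ipsec security-association lifetime seconds 120
crypto ipsec transform-set httptset esp-des
crypto map httpcmap 1 ipsec-isakmp
 set peer 10.0.0.1
 set transform-set httptset
 set pfs group5
 match address 2000
interface FastEthernet0/1
 ip address 10.0.0.2 255.255.255.252
 crypto map httpcmap
access-list 2000 permit tcp 192.168.0.0 0.0.0.255 any eq www
access-list 2000 permit tcp 192.168.0.0 0.0.0.255 any eq 8080
"""
WEAK_ESP = {"esp-des", "esp-3des", "esp-null"}
INTEGRITY = {"esp-md5-hmac", "esp-sha-hmac", "esp-sha256-hmac", "esp-sha384-hmac", "esp-sha512-hmac"}


def parse_ace(t):
    # 'tcp <src> [eq port] <dst> [eq port]' -> (proto, (src, port), (dst, port)); 'any' becomes 0.0.0.0/255.255.255.255
    def take():
        n = 1 if t[0] == "any" else 2
        addr = ("0.0.0.0", "255.255.255.255") if n == 1 else (t[0], t[1])
        port = t[n + 1] if t[n:n + 1] == ["eq"] else None
        del t[:n + (2 if port else 0)]
        return addr, port
    proto = t.pop(0)
    return proto, take(), take()


def parse(cfg):
    """Pull the IKE/IPsec-relevant pieces out of an IOS config into a plain dict."""
    d = {"sa_life": None, "keys": {}, "tsets": {}, "maps": {}, "ifaces": {}, "acls": {}}
    ctx = None  # ("maps"|"ifaces", name) while inside an indented block
    for line in cfg.splitlines():
        t = line.split()
        if not t or t[0] == "!":
            continue
        if line[0] == " " and ctx:  # sub-command: keep '<verb> <key> <value>' as key -> value
            if len(t) >= 3:
                d[ctx[0]][ctx[1]][t[1]] = t[2]
            continue
        ctx, head = None, " ".join(t[:3])
        if head == "crypto isakmp key":
            d["keys"][t[5]] = t[3]
        elif head == "crypto ipsec security-association":
            d["sa_life"] = int(t[5])
        elif head == "crypto ipsec transform-set":
            d["tsets"][t[3]] = set(t[4:])
        elif head.startswith("crypto map") or t[0] == "interface":
            ctx = ("maps", t[2]) if t[0] == "crypto" else ("ifaces", t[1])
            d[ctx[0]][ctx[1]] = {}
        elif t[0] == "access-list" and t[2] == "permit":
            d["acls"].setdefault(t[1], []).append(parse_ace(t[3:]))
    return d


def mirror_check(acl_a, acl_b):  # crypto ACLs must be mirror images: every ACE appears src/dst-swapped on the peer
    out = []
    for side, mine, theirs in (("A", acl_a, acl_b), ("B", acl_b, acl_a)):
        for proto, src, dst in mine:
            if (proto, dst, src) not in theirs:
                out.append(f"{side}: ACE {proto} {src} -> {dst} has no mirror entry on the peer")
    return out


def check_pair(a, b):  # human-readable findings for two parsed configs; an empty list means nothing to report
    out = []
    for side, me, other in (("A", a, b), ("B", b, a)):
        peer_ips = {i.get("address") for i in other["ifaces"].values()}
        for name, m in me["maps"].items():
            peer, algs = m.get("peer"), me["tsets"].get(m.get("transform-set"), set())
            if peer not in peer_ips:
                out.append(f"{side}: map {name} peers with {peer}, not an interface address on the other router")
            if len(me["keys"].get(peer, "")) < 16:
                out.append(f"{side}: pre-shared key for {peer} is missing or shorter than 16 characters")
            if algs & WEAK_ESP or not algs & INTEGRITY:
                out.append(f"{side}: transform-set {sorted(algs)} uses a weak cipher or lacks ESP integrity (esp-*-hmac)")
        if me["sa_life"] and me["sa_life"] < 600:
            out.append(f"{side}: IPsec SA lifetime {me['sa_life']}s forces near-constant rekeying")
    ma, mb = next(iter(a["maps"].values())), next(iter(b["maps"].values()))  # one crypto map per side assumed
    if ma.get("pfs") != mb.get("pfs") or a["tsets"].get(ma.get("transform-set")) != b["tsets"].get(mb.get("transform-set")):
        out.append("PFS group or transform-set algorithms differ between the routers")
    return out + mirror_check(a["acls"].get(ma.get("address"), []), b["acls"].get(mb.get("address"), []))


if __name__ == "__main__":
    print(*check_pair(parse(R1), parse(R2)), sep="\n")
```

Run it as-is to see the findings for the posted configs, or replace R1/R2 with `show running-config` output from each router: the parser skips lines it does not recognise, so a full config works the same way. Mirror checking compares normalised ACEs, so a port or subnet that differs on one side shows up as an ACE with no mirror on the peer, which is the kind of asymmetry that makes one direction of a tunnel work and the other fail.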