Error connecting to a Sonicwall L2TP VPN from an iPad/iPhone

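A client has a Sonicwall Pro 2040 running SonicOS 3.0, and they would like to be able to use the L2TP VPN client on the iPad to connect to internal services (Citrix, etc.). I enabled the L2TP VPN server on the Sonicwall, made sure AES-128 was set for Phase 2, and set up the configuration on a test iPad with the appropriate username, password and pre-shared key. When I try to connect, I get some rather cryptic error messages in the Sonicwall's log: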

2   03/29/2011 12:25:09.096 IKE Responder: IPSec proposal does not match (Phase 2)  [My outbound IP address redacted] (admin)   [WAN IP address redacted]   10.10.130.7/32 -> [WAN IP address redacted]/32   
3   03/29/2011 12:25:09.096 IKE Responder: Received Quick Mode Request (Phase 2)    [My outbound IP address redacted], 61364 (admin)    [WAN IP address redacted], 500       
4   03/29/2011 12:25:07.048 IKE Responder: IPSec proposal does not match (Phase 2)  [My outbound IP address redacted] (admin)   [WAN IP address redacted]   10.10.130.7/32 -> [WAN IP address redacted]/32   
5   03/29/2011 12:25:07.048 IKE Responder: Received Quick Mode Request (Phase 2)    [My outbound IP address redacted], 61364 (admin)    [WAN IP address redacted], 500

The console log on the iPad looks like this:

Mar 29 13:31:24 Daves-iPad racoon[519] <Info>: [519] INFO: ISAKMP-SA established 10.10.130.7[500]-[WAN IP address redacted][500] spi:5d705eb6c760d709:458fcdf80ee8acde
Mar 29 13:31:24 Daves-iPad racoon[519] <Notice>: IPSec Phase1 established (Initiated by me).
Mar 29 13:31:24 Daves-iPad kernel[0] <Debug>: launchd[519] Builtin profile: racoon (sandbox)
Mar 29 13:31:25 Daves-iPad racoon[519] <Info>: [519] INFO: initiate new phase 2 negotiation: 10.10.130.7[500]<=>[WAN IP address redacted][500]
Mar 29 13:31:25 Daves-iPad racoon[519] <Notice>: IPSec Phase2 started (Initiated by me).
Mar 29 13:31:25 Daves-iPad racoon[519] <Info>: [519] ERROR: fatal NO-PROPOSAL-CHOSEN notify messsage, phase1 should be deleted.
Mar 29 13:31:25 Daves-iPad racoon[519] <Info>: [519] ERROR: Message: '@ No proposal is chosen'.
Mar 29 13:31:46 Daves-iPad racoon[519] <Info>: [519] ERROR: fatal NO-PROPOSAL-CHOSEN notify messsage, phase1 should be deleted.
Mar 29 13:31:46 Daves-iPad racoon[519] <Info>: [519] ERROR: Message: '@ No proposal is chosen'.
Mar 29 13:31:55 Daves-iPad pppd[518] <Notice>: IPSec connection failed

Does this give any clue as to where the problem lies?

Answer 1

First of all, I strongly recommend that you (or your client) upgrade to a newer version of SonicOS, or rather SonicOS Enhanced.

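As for your problem, from reading the error messages it seems that the Phase 2 proposals on the SonicWall and the iPad do not match. I would look at the protocol and authentication being used. Make sure the iPad is configured accordingly.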

Two useful links:

Answer 2

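Although SonicWALL does say that your configuration should work, you could try stepping up to AES-256 to see whether that gives better results. Also make sure PFS is not checked.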

http://www.fuzeqna.com/sonicwallkb/consumer/kbdetail.asp?kbid=8260
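
Both answers rest on reading the logs as a Phase 2 (Quick Mode) proposal mismatch rather than a Phase 1 or credential failure. The following is an added example, not part of the original posts: a small Python triage that reaches the same conclusion from the two logs in the question. The function name `triage` and the stage labels are hypothetical; the sample lines are copied from the question, with the SonicWall lines trimmed to their message text.

```python
import re

# Sample input: lines copied from the logs in the question (addresses were redacted there).
RACOON_LOG = """\
Mar 29 13:31:24 Daves-iPad racoon[519] <Notice>: IPSec Phase1 established (Initiated by me).
Mar 29 13:31:25 Daves-iPad racoon[519] <Notice>: IPSec Phase2 started (Initiated by me).
Mar 29 13:31:25 Daves-iPad racoon[519] <Info>: [519] ERROR: fatal NO-PROPOSAL-CHOSEN notify messsage, phase1 should be deleted.
Mar 29 13:31:46 Daves-iPad racoon[519] <Info>: [519] ERROR: fatal NO-PROPOSAL-CHOSEN notify messsage, phase1 should be deleted.
Mar 29 13:31:55 Daves-iPad pppd[518] <Notice>: IPSec connection failed
"""
SONICWALL_LOG = """\
2   03/29/2011 12:25:09.096 IKE Responder: IPSec proposal does not match (Phase 2)
3   03/29/2011 12:25:09.096 IKE Responder: Received Quick Mode Request (Phase 2)
"""

# syslog-style line: "<date> <host> <proc>[pid] <Level>: message"
RACOON_LINE = re.compile(r"^\w{3} +\d+ [\d:]+ \S+ (\w+)\[\d+\] <\w+>: (.*)$")

def triage(racoon_log, sonicwall_log=""):
    """Hypothetical helper: report which IKE phase failed, using both ends' logs."""
    phase1_up = False
    rejects_after_p1 = rejects_before_p1 = 0
    for raw in racoon_log.splitlines():
        m = RACOON_LINE.match(raw.strip())
        if not m or m.group(1) != "racoon":
            continue  # skip kernel/pppd lines
        msg = m.group(2)
        if "Phase1 established" in msg:
            phase1_up = True
        elif "NO-PROPOSAL-CHOSEN" in msg:
            # A reject only points at Phase 2 if the Phase 1 SA already came up.
            if phase1_up:
                rejects_after_p1 += 1
            else:
                rejects_before_p1 += 1
    # Responder side: the SonicWall message text names the phase itself.
    responder_p2 = sum("proposal does not match (Phase 2)" in line
                       for line in sonicwall_log.splitlines())
    if rejects_after_p1 or responder_p2:
        stage = "phase2-proposal-mismatch"
    elif rejects_before_p1:
        stage = "phase1-proposal-mismatch"
    elif not phase1_up:
        stage = "phase1-not-established"
    else:
        stage = "no-proposal-failure-seen"
    return {"stage": stage,
            "initiator_rejects": rejects_after_p1 + rejects_before_p1,
            "responder_phase2_mismatches": responder_p2}

if __name__ == "__main__":
    print(triage(RACOON_LOG, SONICWALL_LOG))
```

A `phase2-proposal-mismatch` result means the pre-shared key and Phase 1 settings were accepted, so the settings to compare on both ends are the Phase 2 ones the answers name: encryption, authentication and PFS.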
