Unable to connect a Cisco 2621 to an AWS EC2 Openswan site-to-site VPN


I am setting up a site-to-site VPN between my home Cisco 2621 router and an Amazon EC2 instance running openswan. I keep getting the following message on the openswan server: "NO_PROPOSAL_CHOSEN". My Cisco 2621 router config and Openswan config are posted below. I know I am missing something small but just can't figure out what it is :-) Any help would be greatly appreciated.

Apr 16 20:05:55 ip-172-31-1-142.us-west-2.compute.internal pluto[28503]: "paulaga-home" #1: STATE_MAIN_I3: sent MI3, expecting MR3
Apr 16 20:05:55 ip-172-31-1-142.us-west-2.compute.internal pluto[28503]: | protocol/port in Phase 1 ID Payload is 17/0. accepted with port_floating NAT-T
Apr 16 20:05:55 ip-172-31-1-142.us-west-2.compute.internal pluto[28503]: "paulaga-home" #1: Main mode peer ID is ID_IPV4_ADDR: '192.168.1.253'
Apr 16 20:05:55 ip-172-31-1-142.us-west-2.compute.internal pluto[28503]: "paulaga-home" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Apr 16 20:05:55 ip-172-31-1-142.us-west-2.compute.internal pluto[28503]: "paulaga-home" #1: STATE_MAIN_I4: ISAKMP SA established {auth=PRESHARED_KEY cipher=oakley_3des_cbc_192 integ=md5 group=MODP1536}
Apr 16 20:05:55 ip-172-31-1-142.us-west-2.compute.internal pluto[28503]: "paulaga-home" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW {using isakmp#1 msgid:17d23abf proposal=defaults pfsgroup=OAKLEY_GROUP_MODP1536}
Apr 16 20:05:55 ip-172-31-1-142.us-west-2.compute.internal pluto[28503]: "paulaga-home" #1: ignoring informational payload NO_PROPOSAL_CHOSEN, msgid=00000000, length=160
Apr 16 20:05:55 ip-172-31-1-142.us-west-2.compute.internal pluto[28503]: | ISAKMP Notification Payload
Apr 16 20:05:55 ip-172-31-1-142.us-west-2.compute.internal pluto[28503]: |   00 00 00 a0  00 00 00 01  03 04 00 0e
Apr 16 20:05:55 ip-172-31-1-142.us-west-2.compute.internal pluto[28503]: "paulaga-home" #1: received and ignored informational message

The diagram looks like this:

192.168.0.0/24:FA0/1[Router]FA0/0 192.168.1.253---------192.168.1.254[Modem]64.231.25.93 (public IP assigned to my modem)

Cisco 2621 router configuration

Current configuration : 2649 bytes
!
version 12.3
no parser cache
no service timestamps debug uptime
no service timestamps log uptime
service password-encryption
!
hostname cisco2600
!
boot-start-marker
boot system flash c2600-ik9o3s3-mz.123-26.bin
boot-end-marker
!
logging buffered 10000 debugging
no logging monitor
!
no aaa new-model
ip subnet-zero
ip cef
!
!
ip name-server 192.168.0.10
!
ip audit po max-events 100
!

username admin privilege 15 password 7 01100F175804
!

crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 5
crypto isakmp key mysecretkey address 52.39.49.77
!
crypto ipsec security-association lifetime seconds 28800
!
crypto ipsec transform-set AMAZON-TRANSFORM-SET esp-3des esp-md5-hmac

!
crypto map INTERNET-CRYPTO 11 ipsec-isakmp
 ! Incomplete
 description Amazon EC2 instance
 set peer 52.39.49.77
 set transform-set AMAZON-TRANSFORM-SET
 match address 111
!
!
!
!
interface FastEthernet0/0
 description Connection to Bell Modem
 ip address 192.168.1.253 255.255.255.0
 ip nat outside
 duplex auto
 speed auto
 crypto map INTERNET-CRYPTO
!
interface Serial0/0
 no ip address
!
interface FastEthernet0/1
 description Connection to LAN
 ip address 192.168.0.254 255.255.255.0
 ip helper-address 192.168.0.10
 ip nat inside
 duplex auto
 speed auto
 no cdp enable
!
interface FastEthernet0/1.2
 description Service Vlan
 encapsulation dot1Q 2
 ip address 10.0.0.254 255.0.0.0
 ip helper-address 192.168.0.10
 ip nat inside
!
ip nat inside source list ACL-NAT interface FastEthernet0/0 overload
ip nat inside source static tcp 192.168.0.47 3389 interface FastEthernet0/0 3389
ip http server
ip http authentication local
no ip http secure-server
no ip classless
ip route 0.0.0.0 0.0.0.0 192.168.1.254
!
!!
!
!
ip access-list extended ACL-NAT
 permit ip any any
 permit tcp any any
 permit udp any any
logging trap debugging
logging facility syslog
logging 192.168.0.47
access-list 111 permit ip 192.168.0.0 0.0.0.255 172.31.1.0 0.0.0.255
!
!
!
dial-peer cor custom
!
!
!
line con 0
 password 7 05080F1C2243
 login
line aux 0
line vty 0 4
 privilege level 15
 login local
 transport input telnet
 transport output telnet
line vty 5 15
 privilege level 15
 login local
 transport input telnet
 transport output telnet
!
!
end

Openswan configuration

paulaga.secrets file

64.231.25.93 192.168.1.253 52.39.49.77: PSK "mysecretkey"

paulaga.conf file

conn paulaga-home
        left=%defaultroute
        leftsubnet=172.31.0.0/16 # My EC2 subnet
        leftid=52.39.49.77 # My EC2 public ip
        right=64.231.25.93 # My Home Modem public ip
        rightid=192.168.1.253 # My Home Cisco 2621 router outside interface ip
        rightsubnet=192.168.0.0/24 # My Home Cisco 2621 LAN
        authby=secret
        pfs=yes
        auto=start
