I am setting up a site-to-site VPN between my home Cisco 2621 router and an Amazon EC2 instance running Openswan. I keep getting the following message on the Openswan server: "NO_PROPOSAL_CHOSEN". My Cisco 2621 router configuration and Openswan configuration are posted below. I know I am missing something small, but I just cannot figure out what it is :-) Any help would be greatly appreciated.
Apr 16 20:05:55 ip-172-31-1-142.us-west-2.compute.internal pluto[28503]: "paulaga-home" #1: STATE_MAIN_I3: sent MI3, expecting MR3
Apr 16 20:05:55 ip-172-31-1-142.us-west-2.compute.internal pluto[28503]: | protocol/port in Phase 1 ID Payload is 17/0. accepted with port_floating NAT-T
Apr 16 20:05:55 ip-172-31-1-142.us-west-2.compute.internal pluto[28503]: "paulaga-home" #1: Main mode peer ID is ID_IPV4_ADDR: '192.168.1.253'
Apr 16 20:05:55 ip-172-31-1-142.us-west-2.compute.internal pluto[28503]: "paulaga-home" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Apr 16 20:05:55 ip-172-31-1-142.us-west-2.compute.internal pluto[28503]: "paulaga-home" #1: STATE_MAIN_I4: ISAKMP SA established {auth=PRESHARED_KEY cipher=oakley_3des_cbc_192 integ=md5 group=MODP1536}
Apr 16 20:05:55 ip-172-31-1-142.us-west-2.compute.internal pluto[28503]: "paulaga-home" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW {using isakmp#1 msgid:17d23abf proposal=defaults pfsgroup=OAKLEY_GROUP_MODP1536}
Apr 16 20:05:55 ip-172-31-1-142.us-west-2.compute.internal pluto[28503]: "paulaga-home" #1: ignoring informational payload NO_PROPOSAL_CHOSEN, msgid=00000000, length=160
Apr 16 20:05:55 ip-172-31-1-142.us-west-2.compute.internal pluto[28503]: | ISAKMP Notification Payload
Apr 16 20:05:55 ip-172-31-1-142.us-west-2.compute.internal pluto[28503]: | 00 00 00 a0 00 00 00 01 03 04 00 0e
Apr 16 20:05:55 ip-172-31-1-142.us-west-2.compute.internal pluto[28503]: "paulaga-home" #1: received and ignored informational message
The topology looks like this:
192.168.0.0/24:FA0/1[Router]FA0/0 192.168.1.253---------192.168.1.254[Modem]
64.231.25.93 (public IP assigned to my modem)
Cisco 2621 router configuration:
Current configuration : 2649 bytes
!
version 12.3
no parser cache
no service timestamps debug uptime
no service timestamps log uptime
service password-encryption
!
hostname cisco2600
!
boot-start-marker
boot system flash c2600-ik9o3s3-mz.123-26.bin
boot-end-marker
!
logging buffered 10000 debugging
no logging monitor
!
no aaa new-model
ip subnet-zero
ip cef
!
!
ip name-server 192.168.0.10
!
ip audit po max-events 100
!
username admin privilege 15 password 7 01100F175804
!
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 5
crypto isakmp key mysecretkey address 52.39.49.77
!
crypto ipsec security-association lifetime seconds 28800
!
crypto ipsec transform-set AMAZON-TRANSFORM-SET esp-3des esp-md5-hmac
!
crypto map INTERNET-CRYPTO 11 ipsec-isakmp
! Incomplete
description Amazon EC2 instance
set peer 52.39.49.77
set transform-set AMAZON-TRANSFORM-SET
match address 111
!
!
!
!
interface FastEthernet0/0
description Connection to Bell Modem
ip address 192.168.1.253 255.255.255.0
ip nat outside
duplex auto
speed auto
crypto map INTERNET-CRYPTO
!
interface Serial0/0
no ip address
!
interface FastEthernet0/1
description Connection to LAN
ip address 192.168.0.254 255.255.255.0
ip helper-address 192.168.0.10
ip nat inside
duplex auto
speed auto
no cdp enable
!
interface FastEthernet0/1.2
description Service Vlan
encapsulation dot1Q 2
ip address 10.0.0.254 255.0.0.0
ip helper-address 192.168.0.10
ip nat inside
!
ip nat inside source list ACL-NAT interface FastEthernet0/0 overload
ip nat inside source static tcp 192.168.0.47 3389 interface FastEthernet0/0 3389
ip http server
ip http authentication local
no ip http secure-server
no ip classless
ip route 0.0.0.0 0.0.0.0 192.168.1.254
!
!!
!
!
ip access-list extended ACL-NAT
permit ip any any
permit tcp any any
permit udp any any
logging trap debugging
logging facility syslog
logging 192.168.0.47
access-list 111 permit ip 192.168.0.0 0.0.0.255 172.31.1.0 0.0.0.255
!
!
!
dial-peer cor custom
!
!
!
line con 0
password 7 05080F1C2243
login
line aux 0
line vty 0 4
privilege level 15
login local
transport input telnet
transport output telnet
line vty 5 15
privilege level 15
login local
transport input telnet
transport output telnet
!
!
end
Openswan configuration:
paulaga.secrets file:
64.231.25.93 192.168.1.253 52.39.49.77: PSK "mysecretkey"
paulaga.conf file:
conn paulaga-home
left=%defaultroute
leftsubnet=172.31.0.0/16 # My EC2 subnet
leftid=52.39.49.77 # My EC2 public ip
right=64.231.25.93 # My Home Modem public ip
rightid=192.168.1.253 # My Home Cisco 2621 router outside interface ip
rightsubnet=192.168.0.0/24 # My Home Cisco 2621 LAN
authby=secret
pfs=yes
auto=start
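The following is an added worked example, not part of the original post and not code from Openswan or Cisco. It takes the pluto log lines and the two configurations posted above (embedded as constructed strings, with the syslog hostname/pid prefix dropped) and does the two checks a practitioner makes first when an IKEv1 tunnel answers NO_PROPOSAL_CHOSEN: it works out whether the notify arrived before or after the ISAKMP SA was established (i.e. whether Phase 1 or Phase 2 was rejected), and it converts the Cisco crypto ACL's address/wildcard pairs to CIDR and compares them with Openswan's leftsubnet/rightsubnet. Cisco's documented requirement is that the crypto ACL mirror the peer's selectors, so the check enforces exact equality; the function names are this example's own, and only the `permit ip A W B W` ACL form is handled.

```python
"""Check where a Cisco IOS <-> Openswan IKEv1 tunnel was rejected.

Added example (not from the original post). Inputs below are constructed
from the log and configurations in the post.
"""
import ipaddress
import re

# Constructed from the pluto log in the post (hostname/pid prefix dropped).
PLUTO_LOG = """\
"paulaga-home" #1: STATE_MAIN_I4: ISAKMP SA established {auth=PRESHARED_KEY cipher=oakley_3des_cbc_192 integ=md5 group=MODP1536}
"paulaga-home" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP {using isakmp#1 msgid:17d23abf proposal=defaults pfsgroup=OAKLEY_GROUP_MODP1536}
"paulaga-home" #1: ignoring informational payload NO_PROPOSAL_CHOSEN, msgid=00000000, length=160
"""

# The crypto ACL and conn block as posted.
CISCO_ACL = "access-list 111 permit ip 192.168.0.0 0.0.0.255 172.31.1.0 0.0.0.255"
OPENSWAN_CONN = """\
conn paulaga-home
    leftsubnet=172.31.0.0/16 # My EC2 subnet
    leftid=52.39.49.77
    right=64.231.25.93
    rightid=192.168.1.253
    rightsubnet=192.168.0.0/24 # My Home Cisco 2621 LAN
    pfs=yes
"""

ACL_RE = re.compile(
    r"access-list\s+(\d+)\s+permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)")


def notify_phase(log: str) -> str:
    """Return 'phase1' or 'phase2' for the first NO_PROPOSAL_CHOSEN notify.

    If the ISAKMP SA was already established when the notify arrived, the
    rejected proposal is the Quick Mode (IPsec) one, not the IKE policy.
    """
    isakmp_up = False
    for line in log.splitlines():
        if "ISAKMP SA established" in line:
            isakmp_up = True
        if "NO_PROPOSAL_CHOSEN" in line:
            return "phase2" if isakmp_up else "phase1"
    return "none"


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Convert an IOS address/wildcard pair (172.31.1.0 0.0.0.255) to a network."""
    wild = int(ipaddress.IPv4Address(wildcard))
    if wild & (wild + 1):  # non-contiguous wildcard masks have no CIDR form
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    return ipaddress.IPv4Network(f"{addr}/{32 - wild.bit_length()}", strict=False)


def parse_cisco_acl(text: str):
    """Return [(local_net, remote_net)] for each 'permit ip A W B W' line."""
    pairs = []
    for m in ACL_RE.finditer(text):
        _, src, src_w, dst, dst_w = m.groups()
        pairs.append((wildcard_to_network(src, src_w),
                      wildcard_to_network(dst, dst_w)))
    return pairs


def parse_openswan_conn(text: str) -> dict:
    """Parse key=value lines of a conn block, dropping '#' comments."""
    conn = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            conn[key.strip()] = value.strip()
    return conn


def selector_mismatches(acl_pairs, conn) -> list:
    """The Cisco box is Openswan's 'right' peer, so each crypto ACL entry must
    read rightsubnet -> leftsubnet exactly; report every entry that does not."""
    local = ipaddress.ip_network(conn["rightsubnet"])
    remote = ipaddress.ip_network(conn["leftsubnet"])
    problems = []
    for src, dst in acl_pairs:
        if src != local:
            problems.append(f"Cisco local {src} != Openswan rightsubnet {local}")
        if dst != remote:
            problems.append(f"Cisco remote {dst} != Openswan leftsubnet {remote}")
    return problems


if __name__ == "__main__":
    print("NO_PROPOSAL_CHOSEN received in:", notify_phase(PLUTO_LOG))
    acl = parse_cisco_acl(CISCO_ACL)
    for problem in selector_mismatches(acl, parse_openswan_conn(OPENSWAN_CONN)):
        print("selector mismatch:", problem)
```

Run stand-alone it reports that the notify came after Phase 1 completed, and that the Cisco crypto ACL's remote network (a /24) is not the same as Openswan's leftsubnet (a /16). Whichever side is changed, the crypto ACL on the router and the left/right subnets in the conn must describe the same two networks.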