StrongSwan ipsec ubuntu "ignoring informational payload, type NO_PROPOSAL_CHOSEN"

I'm running StrongSwan on an Ubuntu server and I'm trying to create an IPsec-encrypted VPN tunnel with a Cisco 2821 router. The connection doesn't work and I can't figure out why. It appears to complete phase 1 but fails in phase 2. Can anyone offer suggestions? I'm stumped. By the way, my server is in the Amazon cloud.

Here is my config:

conn my-conn
        type=tunnel
        authby=secret
        auth=esp
        ikelifetime=86400s
        keylife=3600s
        esp=3des-sha1
        ike=3des-sha1-modp1024
        keyexchange=ike
        pfs=no
        forceencaps=yes
        # Left security gateway, subnet behind it, nexthop toward right.
        left=10.0.0.4
        leftsubnet=10.0.0.4/32
        leftnexthop=%defaultroute
        # Right security gateway, subnet behind it, nexthop toward left.
        right=1.2.3.4
        rightsubnet=1.2.3.5/32
        rightnexthop=%defaultroute
        # To authorize this connection, but not actually start it,
        # at startup, uncomment this.
        auto=start

Here is the output from the log:

Dec 28 18:02:19 myserver pluto[15753]: "my-conn" #330: initiating Main Mode
Dec 28 18:02:19 myserver pluto[15753]: "my-conn" #330: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
Dec 28 18:02:19 myserver pluto[15753]: "my-conn" #330: enabling possible NAT-traversal with method RFC 3947
Dec 28 18:02:20 myserver pluto[15753]: "my-conn" #330: ignoring Vendor ID payload [Cisco-Unity]
Dec 28 18:02:20 myserver pluto[15753]: "my-conn" #330: received Vendor ID payload [Dead Peer Detection]
Dec 28 18:02:20 myserver pluto[15753]: "my-conn" #330: ignoring Vendor ID payload [883f3a4fb4782a3ae88bf05cdfe38ae0]
Dec 28 18:02:20 myserver pluto[15753]: "my-conn" #330: received Vendor ID payload [XAUTH]
Dec 28 18:02:20 myserver pluto[15753]: "my-conn" #330: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: i am NATed
Dec 28 18:02:20 myserver pluto[15753]: | protocol/port in Phase 1 ID Payload is 17/0. accepted with port_floating NAT-T
Dec 28 18:02:20 myserver pluto[15753]: "my-conn" #330: Peer ID is ID_IPV4_ADDR: '1.2.3.4'
Dec 28 18:02:20 myserver pluto[15753]: "my-conn" #330: ISAKMP SA established
Dec 28 18:02:20 myserver pluto[15753]: "my-conn" #331: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP {using isakmp#330}
Dec 28 18:02:20 myserver pluto[15753]: "my-conn" #330: ignoring informational payload, type NO_PROPOSAL_CHOSEN
Dec 28 18:02:20 myserver pluto[15753]: "my-conn" #330: ignoring informational payload, type IPSEC_RESPONDER_LIFETIME

The configuration I was given for connecting to the Cisco router is:

Key Management: IKE
Diffie-Hellman Group: Group 2
Encryption Algorithm: 3DES (rec)
Hash Algorithm: SHA-1 (rec.)
Authentication Method: Preshared
Pre-Shared Secret Key: TBC
Life Time: 86400s (24h)

Encryption Phase 2 (IPSec):
Encapsulation: ESP
Encryption Algorithm used: 3DES (rec)
Hash Algorithm: SHA-1 (rec.)
Perfect Forward Secrecy: Group 2
Aggressive Mode: NO
Life Time: 3600s (1h)

If I remember correctly, Amazon EC2 uses some NAT to make your instances reachable from the Internet.

While NAT-friendly applications work seamlessly (think HTTP or SSH), some protocols were designed at a time when end-to-end communication was the rule, and NAT will break them.

FTP or SIP (actually RTP) use dynamically chosen ports, but helpers were designed for them, for example STUN for VoIP.

In the case of IPsec, phase 1 succeeds. That is the NAT detection, so your server says "i am NATed" in the log.

However, phase 2 (the NAT traversal decision) fails. You probably have to enable what Cisco calls "IPSec NAT Transparency" on both sides. The IPsec payload is then carried not at layer 3 (IP) but at layer 4, inside UDP.

This is somewhat similar to what OpenVPN does, but with SSL instead of IPsec.

Take a look at Cisco's site regarding NAT traversal. It is Cisco-centric, but it will help you set up the tunnel.
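The two parameter sets quoted above (the strongSwan conn block and the Cisco sheet) can also be lined up mechanically, which is the first thing to rule out when phase 1 completes and Quick Mode is answered with NO_PROPOSAL_CHOSEN. The following Python is an added example, not code from the question or the answer; the peer field names (esp_enc, pfs_group, ...) and the trimmed log sample are constructed for it.

```python
# Added example: line up the strongSwan conn block from the question with the
# peer's stated phase-2 parameters, and read the pluto log for the phase outcome.
# Peer field names and the trimmed log sample are constructed for this demo.
IPSEC_CONF = """
conn my-conn
    ikelifetime=86400s
    keylife=3600s
    esp=3des-sha1
    ike=3des-sha1-modp1024
    pfs=no
    forceencaps=yes
"""
# Cisco sheet on the page: 3DES, SHA-1, PFS Group 2 (modp1024), 1h lifetime.
PEER_PHASE2 = {"esp_enc": "3des", "esp_hash": "sha1",
               "pfs_group": "modp1024", "lifetime": "3600s"}
LOG = """\
Dec 28 18:02:20 myserver pluto[15753]: "my-conn" #330: ISAKMP SA established
Dec 28 18:02:20 myserver pluto[15753]: "my-conn" #331: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP {using isakmp#330}
Dec 28 18:02:20 myserver pluto[15753]: "my-conn" #330: ignoring informational payload, type NO_PROPOSAL_CHOSEN
"""

def parse_conn(text):
    """Parse key=value lines of one ipsec.conf conn block into a dict."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if "=" in line and not line.startswith("#"):
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf

def phase_status(log):
    """Return (phase1_established, phase2_rejected) from pluto log lines."""
    return ("ISAKMP SA established" in log, "NO_PROPOSAL_CHOSEN" in log)

def local_pfs_group(conf):
    """pfs=no disables PFS; else use the 3rd esp= field, falling back to the
    phase-1 group from ike= as pluto does when esp= names no group."""
    if conf.get("pfs", "yes") == "no":
        return "none"
    esp, ike = conf.get("esp", "").split("-"), conf.get("ike", "").split("-")
    return esp[2] if len(esp) > 2 else (ike[2] if len(ike) > 2 else "unknown")

def phase2_mismatches(conf, peer):
    """List the phase-2 settings on which local and peer values differ."""
    esp = (conf.get("esp", "") + "--").split("-")
    local = {"esp_enc": esp[0], "esp_hash": esp[1],
             "pfs_group": local_pfs_group(conf), "lifetime": conf.get("keylife", "")}
    return [f"{k}: local={local[k]} peer={peer[k]}" for k in peer if local[k] != peer[k]]
```

Run against the page's values it reports phase 1 up, phase 2 rejected, and a single difference: PFS is off locally while the Cisco sheet asks for Group 2.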
