StrongSwan IPsec on Ubuntu: "ignoring informational payload, type NO_PROPOSAL_CHOSEN"

I am running StrongSwan on an Ubuntu server and I am trying to set up an IPsec-encrypted VPN tunnel to a Cisco 2821 router. The connection does not work and I cannot figure out why. It appears to complete Phase 1 but fails in Phase 2. Can anyone offer advice? I'm stuck. By the way, my server is in the Amazon cloud.

Here is my configuration:

conn my-conn
        type=tunnel
        authby=secret
        auth=esp
        ikelifetime=86400s
        keylife=3600s
        esp=3des-sha1
        ike=3des-sha1-modp1024
        keyexchange=ike
        pfs=no
        forceencaps=yes
        # Left security gateway, subnet behind it, nexthop toward right.
        left=10.0.0.4
        leftsubnet=10.0.0.4/32
        leftnexthop=%defaultroute
        # Right security gateway, subnet behind it, nexthop toward left.
        right=1.2.3.4   
        rightsubnet=1.2.3.5/32
        rightnexthop=%defaultroute
        # To authorize this connection, but not actually start it,
        # at startup, uncomment this.
        auto=start

Here is the log output:

Dec 28 18:02:19 myserver pluto[15753]: "my-conn" #330: initiating Main Mode
Dec 28 18:02:19 myserver pluto[15753]: "my-conn" #330: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
Dec 28 18:02:19 myserver pluto[15753]: "my-conn" #330: enabling possible NAT-traversal with method RFC 3947
Dec 28 18:02:20 myserver pluto[15753]: "my-conn" #330: ignoring Vendor ID payload [Cisco-Unity]
Dec 28 18:02:20 myserver pluto[15753]: "my-conn" #330: received Vendor ID payload [Dead Peer Detection]
Dec 28 18:02:20 myserver pluto[15753]: "my-conn" #330: ignoring Vendor ID payload [883f3a4fb4782a3ae88bf05cdfe38ae0]
Dec 28 18:02:20 myserver pluto[15753]: "my-conn" #330: received Vendor ID payload [XAUTH]
Dec 28 18:02:20 myserver pluto[15753]: "my-conn" #330: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: i am NATed
Dec 28 18:02:20 myserver pluto[15753]: | protocol/port in Phase 1 ID Payload is 17/0. accepted with port_floating NAT-T
Dec 28 18:02:20 myserver pluto[15753]: "my-conn" #330: Peer ID is ID_IPV4_ADDR: '1.2.3.4'
Dec 28 18:02:20 myserver pluto[15753]: "my-conn" #330: ISAKMP SA established
Dec 28 18:02:20 myserver pluto[15753]: "my-conn" #331: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP {using isakmp#330}
Dec 28 18:02:20 myserver pluto[15753]: "my-conn" #330: ignoring informational payload, type NO_PROPOSAL_CHOSEN
Dec 28 18:02:20 myserver pluto[15753]: "my-conn" #330: ignoring informational payload, type IPSEC_RESPONDER_LIFETIME

The configuration I was given for connecting to the Cisco router is:

Key Management:         IKE
Diffie-Hellman Group:   Group 2
Encryption Algorithm:   3DES (rec)
Hash Algorithm:         SHA-1 (rec.)
Authentication Method:  Preshared
Pre-Shared Secret Key:  TBC
Life Time:              86400s (24h)

Encryption Phase 2 (IPSec):

Encapsulation:              ESP
Encryption Algorithm used:  3DES (rec)
Hash Algorithm:             SHA-1 (rec.)
Perfect Forward Secrecy:    Group 2
Aggressive Mode:            NO
Life Time:                  3600s (1h)
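A NO_PROPOSAL_CHOSEN notification received during Quick Mode means the responder accepted none of the Phase 2 (IPsec SA) proposals it was offered, so the first check is to line up both sides' Phase 2 parameters. The following script is an added example, not part of the original question: it parses the conn block above and compares it with the peer's Phase 2 sheet, which is mapped by hand into strongSwan's option names (a hypothetical mapping, not a Cisco export).

```python
import re

# Constructed input: the conn block from the question (addresses omitted).
STRONGSWAN_CONN = """
conn my-conn
        type=tunnel
        authby=secret
        auth=esp
        ikelifetime=86400s
        keylife=3600s
        esp=3des-sha1
        ike=3des-sha1-modp1024
        keyexchange=ike
        pfs=no
        forceencaps=yes
        auto=start
"""

# Constructed input: the peer's Phase 2 settings from the Cisco sheet, mapped
# by hand into strongSwan's vocabulary (hypothetical mapping, not a Cisco export).
CISCO_PHASE2 = {"esp": "3des-sha1", "pfs": "yes", "pfsgroup": "modp1024"}


def parse_conn(text):
    """Parse the key=value lines of one ipsec.conf conn block into a dict."""
    params = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and whitespace
        m = re.match(r"(\w+)\s*=\s*(\S+)$", line)
        if m:
            params[m.group(1)] = m.group(2)
    return params


def phase2_mismatches(local, peer):
    """Return (parameter, local, peer) tuples for settings that would make the
    responder reject every Quick Mode proposal with NO_PROPOSAL_CHOSEN."""
    issues = []
    # The ESP transform (cipher-integrity) must be offered exactly as required.
    if local.get("esp") != peer.get("esp"):
        issues.append(("esp", local.get("esp"), peer.get("esp")))
    # If the peer requires PFS, Quick Mode must carry a DH group; pfs=no never does.
    if peer.get("pfs") == "yes" and local.get("pfs", "yes") != "yes":
        issues.append(("pfs", local.get("pfs"), "yes (" + peer["pfsgroup"] + ")"))
    return issues


if __name__ == "__main__":
    for name, mine, theirs in phase2_mismatches(parse_conn(STRONGSWAN_CONN), CISCO_PHASE2):
        print(f"{name}: local={mine} peer={theirs}")
```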

If I remember correctly, Amazon EC2 uses some NAT to make your instance reachable from the Internet.

While NAT-friendly applications work seamlessly (think HTTP or SSH), some protocols were designed at a time when end-to-end communication was the rule, and NAT breaks those protocols.

FTP or SIP (actually RTP) use dynamically chosen ports, but helpers have been designed for them; STUN for VoIP, for example.

In the case of IPsec, Phase 1 succeeds. That is the NAT detection, which is why your server says "i am NATed" in the log.

However, Phase 2 (the NAT traversal decision) fails. You probably have to enable what Cisco calls "IPsec NAT Transparency" on both sides. The IPsec payload is then carried not at layer 3 (IP) but at layer 4, in UDP.

This is somewhat similar to what OpenVPN does, but with SSL instead of IPsec.

Take a look at Cisco's site regarding NAT traversal. It is Cisco-centric, but it will help you set up the tunnel.