
I am configuring a site-to-site VPN between my home Cisco 2621 router and an Amazon EC2 instance running openswan. I keep on getting the following message on the openswan server: "NO_PROPOSAL_CHOSEN". My Cisco 2621 router config and openswan config are posted below. I know I'm missing something small but just can't figure out what it is :-) Any help would be appreciated.

Apr 16 20:05:55 ip-172-31-1-142.us-west-2.compute.internal pluto[28503]: "paulaga-home" #1: STATE_MAIN_I3: sent MI3, expecting MR3
Apr 16 20:05:55 ip-172-31-1-142.us-west-2.compute.internal pluto[28503]: | protocol/port in Phase 1 ID Payload is 17/0. accepted with port_floating NAT-T
Apr 16 20:05:55 ip-172-31-1-142.us-west-2.compute.internal pluto[28503]: "paulaga-home" #1: Main mode peer ID is ID_IPV4_ADDR: '192.168.1.253'
Apr 16 20:05:55 ip-172-31-1-142.us-west-2.compute.internal pluto[28503]: "paulaga-home" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Apr 16 20:05:55 ip-172-31-1-142.us-west-2.compute.internal pluto[28503]: "paulaga-home" #1: STATE_MAIN_I4: ISAKMP SA established {auth=PRESHARED_KEY cipher=oakley_3des_cbc_192 integ=md5 group=MODP1536}
Apr 16 20:05:55 ip-172-31-1-142.us-west-2.compute.internal pluto[28503]: "paulaga-home" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW {using isakmp#1 msgid:17d23abf proposal=defaults pfsgroup=OAKLEY_GROUP_MODP1536}
Apr 16 20:05:55 ip-172-31-1-142.us-west-2.compute.internal pluto[28503]: "paulaga-home" #1: ignoring informational payload NO_PROPOSAL_CHOSEN, msgid=00000000, length=160
Apr 16 20:05:55 ip-172-31-1-142.us-west-2.compute.internal pluto[28503]: | ISAKMP Notification Payload
Apr 16 20:05:55 ip-172-31-1-142.us-west-2.compute.internal pluto[28503]: |   00 00 00 a0  00 00 00 01  03 04 00 0e
Apr 16 20:05:55 ip-172-31-1-142.us-west-2.compute.internal pluto[28503]: "paulaga-home" #1: received and ignored informational message

The diagram looks like this: 192.168.0.0/24:FA0/1[Router]FA0/0 192.168.1.253---------192.168.1.254[Modem]64.231.25.93 ( pub ip assigned to my modem )

Cisco 2621 Router Config:

Current configuration : 2649 bytes
!
version 12.3
no parser cache
no service timestamps debug uptime
no service timestamps log uptime
service password-encryption
!
hostname cisco2600
!
boot-start-marker
boot system flash c2600-ik9o3s3-mz.123-26.bin
boot-end-marker
!
logging buffered 10000 debugging
no logging monitor
!
no aaa new-model
ip subnet-zero
ip cef
!
!
ip name-server 192.168.0.10
!
ip audit po max-events 100
!

username admin privilege 15 password 7 01100F175804
!

crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 5
crypto isakmp key mysecretkey address 52.39.49.77
!
crypto ipsec security-association lifetime seconds 28800
!
crypto ipsec transform-set AMAZON-TRANSFORM-SET esp-3des esp-md5-hmac

!
crypto map INTERNET-CRYPTO 11 ipsec-isakmp
 ! Incomplete
 description Amazon EC2 instance
 set peer 52.39.49.77
 set transform-set AMAZON-TRANSFORM-SET
 match address 111
!
!
!
!
interface FastEthernet0/0
 description Connection to Bell Modem
 ip address 192.168.1.253 255.255.255.0
 ip nat outside
 duplex auto
 speed auto
 crypto map INTERNET-CRYPTO
!
interface Serial0/0
 no ip address
!
interface FastEthernet0/1
 description Connection to LAN
 ip address 192.168.0.254 255.255.255.0
 ip helper-address 192.168.0.10
 ip nat inside
 duplex auto
 speed auto
 no cdp enable
!
interface FastEthernet0/1.2
 description Service Vlan
 encapsulation dot1Q 2
 ip address 10.0.0.254 255.0.0.0
 ip helper-address 192.168.0.10
 ip nat inside
!
ip nat inside source list ACL-NAT interface FastEthernet0/0 overload
ip nat inside source static tcp 192.168.0.47 3389 interface FastEthernet0/0 3389
ip http server
ip http authentication local
no ip http secure-server
no ip classless
ip route 0.0.0.0 0.0.0.0 192.168.1.254
!
!!
!
!
ip access-list extended ACL-NAT
 permit ip any any
 permit tcp any any
 permit udp any any
logging trap debugging
logging facility syslog
logging 192.168.0.47
access-list 111 permit ip 192.168.0.0 0.0.0.255 172.31.1.0 0.0.0.255
!
!
!
dial-peer cor custom
!
!
!
line con 0
 password 7 05080F1C2243
 login
line aux 0
line vty 0 4
 privilege level 15
 login local
 transport input telnet
 transport output telnet
line vty 5 15
 privilege level 15
 login local
 transport input telnet
 transport output telnet
!
!
end

Openswan Configuration:

paulaga.secrets file:

64.231.25.93 192.168.1.253 52.39.49.77: PSK "mysecretkey"

paulaga.conf file:

conn paulaga-home
        left=%defaultroute
        leftsubnet=172.31.0.0/16 # My EC2 subnet
        leftid=52.39.49.77 # My EC2 public ip
        right=64.231.25.93 # My Home Modem public ip
        rightid=192.168.1.253 # My Home Cisco 2621 router outside interface ip
        rightsubnet=192.168.0.0/24 # My Home Cisco 2621 LAN
        authby=secret
        pfs=yes
        auto=start
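The pluto log shows Phase 1 completing and the NO_PROPOSAL_CHOSEN notification arriving right after Quick Mode is initiated, so the rejection concerns the IPsec (Phase 2) proposal: the ESP transform, the PFS group, and the traffic selectors (proxy IDs) that the crypto ACL and the openswan leftsubnet/rightsubnet have to mirror. The script below is an added example, not the asker's code; it embeds the relevant excerpts of the two configs and three pluto lines from the question as constructed strings and cross-checks them. The DH group names it maps Cisco `group` numbers to (5 -> MODP1536 and so on) are the standard IKE group numbers; everything else is taken from the posted configuration.

```python
"""Cross-check the Cisco IOS and openswan sides of an IKEv1 site-to-site tunnel."""
import ipaddress
import re

# Excerpts copied from the question above (only the lines the checks need).
CISCO_CONFIG = """\
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 5
crypto ipsec transform-set AMAZON-TRANSFORM-SET esp-3des esp-md5-hmac
crypto map INTERNET-CRYPTO 11 ipsec-isakmp
 set peer 52.39.49.77
 set transform-set AMAZON-TRANSFORM-SET
 match address 111
access-list 111 permit ip 192.168.0.0 0.0.0.255 172.31.1.0 0.0.0.255
"""

OPENSWAN_CONN = """\
conn paulaga-home
        left=%defaultroute
        leftsubnet=172.31.0.0/16 # My EC2 subnet
        leftid=52.39.49.77
        right=64.231.25.93
        rightid=192.168.1.253
        rightsubnet=192.168.0.0/24
        authby=secret
        pfs=yes
"""

# Three pluto lines from the question, trimmed to the part after the PID.
PLUTO_LOG = [
    '"paulaga-home" #1: STATE_MAIN_I4: ISAKMP SA established {auth=PRESHARED_KEY '
    'cipher=oakley_3des_cbc_192 integ=md5 group=MODP1536}',
    '"paulaga-home" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP '
    '{using isakmp#1 msgid:17d23abf proposal=defaults pfsgroup=OAKLEY_GROUP_MODP1536}',
    '"paulaga-home" #1: ignoring informational payload NO_PROPOSAL_CHOSEN, msgid=00000000, length=160',
]

# Standard IKE Diffie-Hellman group numbers as Cisco IOS "group N" names them.
DH_GROUP_NAMES = {"1": "MODP768", "2": "MODP1024", "5": "MODP1536", "14": "MODP2048"}


def wildcard_to_network(addr, wildcard):
    """Convert a Cisco ACL address/wildcard-mask pair into an IPv4Network."""
    netmask = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    prefixlen = bin(netmask).count("1")
    return ipaddress.IPv4Network(f"{addr}/{prefixlen}", strict=False)


def parse_cisco(text):
    """Pull the ISAKMP policy, the transform set and the crypto ACL out of an IOS config."""
    policy = dict(re.findall(r"^\s+(encr|hash|group)\s+(\S+)", text, re.M))
    acl_num = re.search(r"^\s+match address (\d+)", text, re.M).group(1)
    selectors = [
        (wildcard_to_network(src, src_wc), wildcard_to_network(dst, dst_wc))
        for src, src_wc, dst, dst_wc in re.findall(
            rf"^access-list {acl_num} permit ip (\S+) (\S+) (\S+) (\S+)", text, re.M)
    ]
    transform = re.search(r"^crypto ipsec transform-set \S+ (.+)$", text, re.M).group(1).split()
    return {"policy": policy, "selectors": selectors, "transform": transform}


def parse_openswan(text):
    """Parse the key=value lines of a conn section, dropping inline '#' comments."""
    conn = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            conn[key.strip()] = value.strip()
    return conn


def check_selectors(cisco, swan):
    """Return findings where a crypto ACL entry is not the mirror image of the openswan subnets.

    'right' is the Cisco router, so the ACL source must equal rightsubnet and the
    ACL destination must equal leftsubnet for the proxy IDs to agree.
    """
    expected = (ipaddress.IPv4Network(swan["rightsubnet"]), ipaddress.IPv4Network(swan["leftsubnet"]))
    return [
        f"ACL selector {local} -> {remote} does not mirror openswan {expected[0]} <-> {expected[1]}"
        for local, remote in cisco["selectors"] if (local, remote) != expected
    ]


def check_phase1(cisco, log_lines):
    """True when the established ISAKMP SA in the log matches the IOS isakmp policy."""
    pattern = r"ISAKMP SA established \{auth=(\S+) cipher=(\S+) integ=(\S+) group=(\S+)\}"
    for line in log_lines:
        m = re.search(pattern, line)
        if m:
            _auth, cipher, integ, group = m.groups()
            pol = cisco["policy"]
            return (pol["encr"] in cipher and pol["hash"] == integ
                    and DH_GROUP_NAMES.get(pol["group"]) == group)
    return False


def phase2_rejected(log_lines):
    """True when NO_PROPOSAL_CHOSEN arrives after Quick Mode was initiated (a Phase 2 failure)."""
    quick_mode_started = False
    for line in log_lines:
        if "initiating Quick Mode" in line:
            quick_mode_started = True
        elif "NO_PROPOSAL_CHOSEN" in line and quick_mode_started:
            return True
    return False


if __name__ == "__main__":
    cisco = parse_cisco(CISCO_CONFIG)
    swan = parse_openswan(OPENSWAN_CONN)
    print("phase 1 matches IOS policy:", check_phase1(cisco, PLUTO_LOG))
    print("phase 2 proposal rejected :", phase2_rejected(PLUTO_LOG))
    for finding in check_selectors(cisco, swan):
        print("selector finding:", finding)
```

Run against the excerpts above, the Phase 1 check passes (3DES/MD5/group 5 on both sides), the rejection is classified as Phase 2, and the selector check reports one finding: access-list 111 describes 192.168.0.0/24 -> 172.31.1.0/24 while the conn offers 192.168.0.0/24 <-> 172.31.0.0/16. Whether that is the cause in this thread is not settled here, but mirrored selectors and an ESP transform both peers accept are the first things to verify when a Quick Mode proposal is refused.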
  • Any thoughts about why the crypto map seems to be trying to tell you that its configuration is ! Incomplete? Commented Apr 17, 2016 at 11:22
  • Yes, I have fixed that; "! Incomplete" is no longer there, but same issue. I start to wonder if my IOS is too old. I'm running: IOS (tm) C2600 Software (C2600-IK9O3S3-M), Version 12.3(26), RELEASE SOFTWARE (fc2) c2600-ik9o3s3-mz.123-26.bin Commented Apr 17, 2016 at 15:58
  • If you fixed the "incomplete," I assume that means you've changed the router config, so you should probably update the question to keep it in sync. I am no expert on this but if I were trying to hack it into life, I'd temporarily remove/disable PFS, to remove one layer of complexity. Commented Apr 17, 2016 at 23:04
