I have configured a VPN between a Netscreen device and a Cisco PIX following the instructions in Cisco's [netscreen to PIX VPN] article: http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00801c4445.shtml
The only difference is that I am running PIX 6.3(5) and Juniper Netscreen 6.1.0r2.0 (firewall+VPN). I followed both configurations exactly, and when I try to connect, the Juniper returns:
2010-02-21 12:54:28 information IKE: Removed Phase 2 SAs after receiving a notification message.
2010-02-21 12:54:28 information IKE pix_public_IP: Received a notification message for DOI 1 14 NO-PROPOSAL-CHOSEN.
2010-02-21 12:54:28 information IKE pix_public_IP Phase 2: Initiated negotiations.
On the Netscreen I created a Phase 2 proposal named ToCorpOffice using DH Group#2, 3DES-CBC and SHA-1, and when configuring the AutoKey IKE I selected ToCorpOffice and removed all other transforms. I believe I have configured the same thing on the PIX:
sysopt connection permit-ipsec
crypto ipsec transform-set mytrans esp-3des esp-sha-hmac
crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 match address nonat
crypto map mymap 10 set pfs group2
crypto map mymap 10 set peer netscreen_public_ip
crypto map mymap 10 set transform-set mytrans
crypto map mymap interface outside
Saved and rebooted, so here is the crypto map info:
PIX-FW1# show crypto map
Crypto Map: "mymap" interfaces: { outside }
Crypto Map "mymap" 10 ipsec-isakmp
Peer = netscreen_public_ip
access-list nonat; 1 elements
access-list nonat line 1 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0 (hitcnt=0)
Current peer: netscreen_public_ip
Security association lifetime: 4608000 kilobytes/28800 seconds
PFS (Y/N): Y
DH group: group2
Transform sets={ mytrans, }
PIX-FW1#
Any idea why I am getting the NO-PROPOSAL-CHOSEN error?
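The log above (read bottom to top) shows the Netscreen initiating Phase 2 and then receiving NO-PROPOSAL-CHOSEN from the PIX, which is what an IKEv1 responder sends when none of the initiator's Quick Mode proposals matches any transform set it will accept. The following Python model of that responder-side selection is an added example, not code from the original post, Cisco or Juniper; the proposal values are constructed from the settings described above (3DES, SHA-1, PFS group 2 on both sides), and the second, deliberately mismatched proposal is a hypothetical variant used only to show which attribute the comparison flags. Lifetime is intentionally not compared, since IKEv1 peers generally negotiate it down rather than reject on it.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Vendors spell the same transform differently; normalise before comparing.
ALIASES = {
    "esp-3des": "3des", "3des-cbc": "3des", "3des": "3des",
    "esp-sha-hmac": "sha1", "sha-1": "sha1", "sha1": "sha1",
    "esp-md5-hmac": "md5", "md5": "md5",
    "esp-aes": "aes128", "aes-128": "aes128", "aes128": "aes128",
}

def norm(name: str) -> str:
    return ALIASES.get(name.lower(), name.lower())

@dataclass(frozen=True)
class Phase2Proposal:
    encr: str                  # ESP encryption transform (normalised)
    auth: str                  # ESP integrity transform (normalised)
    pfs_group: Optional[int]   # DH group for PFS, None when PFS is off
    mode: str = "tunnel"       # IPsec encapsulation mode

def proposal(encr: str, auth: str, pfs_group: Optional[int], mode: str = "tunnel") -> Phase2Proposal:
    return Phase2Proposal(norm(encr), norm(auth), pfs_group, mode)

def mismatches(offered: Phase2Proposal, accepted: Phase2Proposal) -> List[str]:
    """Attributes on which the responder's acceptable proposal rejects the initiator's offer."""
    diffs = []
    for field in ("encr", "auth", "pfs_group", "mode"):
        a, b = getattr(offered, field), getattr(accepted, field)
        if a != b:
            diffs.append(f"{field}: initiator={a} responder={b}")
    return diffs

def select_proposal(offered: List[Phase2Proposal],
                    accepted: List[Phase2Proposal]) -> Tuple[Optional[Phase2Proposal], List[str]]:
    """Responder logic for IKEv1 Quick Mode: return the first offered proposal that
    matches one of the responder's transform sets, or (None, reasons) which
    corresponds to sending NO-PROPOSAL-CHOSEN."""
    reasons = []
    for i, off in enumerate(offered):
        for j, acc in enumerate(accepted):
            d = mismatches(off, acc)
            if not d:
                return off, []
            reasons.append(f"offer[{i}] vs accept[{j}]: " + "; ".join(d))
    return None, reasons

# Constructed from the post: PIX side is the responder (it sent the notification).
PIX_ACCEPTS = [proposal("esp-3des", "esp-sha-hmac", 2)]   # transform-set mytrans + set pfs group2
# Constructed from the post: Netscreen ToCorpOffice proposal as described.
NETSCREEN_OFFER = proposal("3DES-CBC", "SHA-1", 2)
# Hypothetical variant (not from the post): same ciphers but PFS disabled on the initiator.
NETSCREEN_OFFER_NO_PFS = proposal("3DES-CBC", "SHA-1", None)

def demo() -> dict:
    ok, _ = select_proposal([NETSCREEN_OFFER], PIX_ACCEPTS)
    bad, why = select_proposal([NETSCREEN_OFFER_NO_PFS], PIX_ACCEPTS)
    return {"matched": ok, "rejected": bad, "reasons": why}

if __name__ == "__main__":
    r = demo()
    print("matching offer selected:", r["matched"])
    print("mismatched offer ->", "NO-PROPOSAL-CHOSEN" if r["rejected"] is None else r["rejected"])
    for line in r["reasons"]:
        print("  ", line)
```

Running it with the values as described shows the proposals agreeing, so the model only reproduces NO-PROPOSAL-CHOSEN for the hypothetical variant; it is meant as a checklist of the attributes (encryption, integrity, PFS group, mode) that each side must spell out identically, not as a diagnosis of this particular tunnel.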