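Trying to learn and play with VPNs. A similar setup works fine in my home lab; PAT seems to be causing the problem. I know it is configuration-related, I just don't know where. The connection gets a dynamically assigned IP from the ISP, and this setup should allow dynamic connections regardless of whether the public IP changes; that is the goal. Please take a look and let me know what you think. I'm an amateur at configuring IPsec over GRE and may have made a simple mistake.
FQDN DMVPN hub configuration: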
interface Tunnel2
 ip address 172.16.64.1 255.255.255.0
 no ip redirects
 ip mtu 1440
 no ip next-hop-self eigrp 1
 no ip split-horizon eigrp 1
 ip nhrp authentication string
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile myprofile
crypto ipsec profile myprofile
 set transform-set set
crypto ipsec transform-set set esp-aes
 mode tunnel
crypto isakmp key key address 0.0.0.0
crypto isakmp policy 1
 encr aes 256
 hash md5
 authentication pre-share
Spoke configuration:
interface Tunnel2
 ip address 172.16.64.2 255.255.255.0
 no ip redirects
 ip mtu 1440
 ip nhrp authentication string
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 ip nhrp nhs dynamic nbma fqdn.net
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile myprofile
crypto isakmp policy 1
 encr aes 256
 hash md5
 authentication pre-share
crypto isakmp key key address 0.0.0.0 0.0.0.0
crypto ipsec transform-set set esp-aes
crypto ipsec profile myprofile
 set security-association lifetime kilobytes 102400
 set transform-set set
Below is the debug output I received. I know it has to do with the proxy IPs, but I don't know how to fix it. Google hasn't been much help with this:
*Mar 21 23:03:36.665: IPSEC(validate_proposal_request): proposal part #1
*Mar 21 23:03:36.665: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 172.16.48.2:0, remote= 98.x.x.x:0,
local_proxy= 174.x.x.x/255.255.255.255/47/0,
remote_proxy= 192.168.1.43/255.255.255.255/47/0,
protocol= ESP, transform= esp-aes (Tunnel-UDP),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
*Mar 21 23:03:36.665: map_db_find_best did not find matching map
*Mar 21 23:03:36.665: IPSEC(ipsec_process_proposal): proxy identities not supported
Posted on 2016-06-22 21:57:52
This is the configuration I used to get the FQDN DMVPN setup working.
HUB
interface Tunnel0
 ip address 10.0.0.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip hello-interval eigrp 100 3
 ip hold-time eigrp 100 24
 no ip next-hop-self eigrp 100
 no ip split-horizon eigrp 100
 ip nhrp authentication cisco
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 ip nhrp registration no-unique
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile cisco
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp key cisco address 0.0.0.0
crypto ipsec transform-set cisco esp-aes esp-sha-hmac
 mode transport
crypto ipsec profile cisco
 set transform-set cisco
Spoke
interface Tunnel0
 ip address 10.0.0.2 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip hello-interval eigrp 100 3
 ip hold-time eigrp 100 24
 ip nhrp authentication cisco
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 ip nhrp nhs 10.0.0.1 nbma url.net multicast
 ip tcp adjust-mss 1360
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile cisco
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
crypto ipsec transform-set cisco esp-aes esp-sha-hmac
crypto ipsec profile cisco
https://networkengineering.stackexchange.com/questions/28911
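A triage helper for the debug output in the question, added here as an example and not part of either post: it parses the `validate_proposal_request` records and reports tunnel-mode proposals whose proxy identity differs from the address the packet was exchanged with, the pattern visible in the rejected proposal. The second sample record and all function names are constructed for illustration; reading the mismatch as address translation between the peers is an assumption of this check.

```python
import re

# First record: taken from the debug output in the question.
# Second record: constructed for contrast (documentation addresses, proxies match).
SAMPLE = """\
*Mar 21 23:03:36.665: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 172.16.48.2:0, remote= 98.x.x.x:0,
local_proxy= 174.x.x.x/255.255.255.255/47/0,
remote_proxy= 192.168.1.43/255.255.255.255/47/0,
protocol= ESP, transform= esp-aes (Tunnel-UDP),
*Mar 21 23:03:36.665: map_db_find_best did not find matching map
*Mar 21 23:03:36.665: IPSEC(ipsec_process_proposal): proxy identities not supported
*Mar 21 23:09:10.101: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 192.0.2.1:0, remote= 198.51.100.7:0,
local_proxy= 192.0.2.1/255.255.255.255/47/0,
remote_proxy= 198.51.100.7/255.255.255.255/47/0,
protocol= ESP, transform= esp-aes esp-sha-hmac (Transport),
"""
FIELD = re.compile(r"\b(local_proxy|remote_proxy|local|remote|transform)=\s*([^,\n]+)")

def parse_proposals(text):
    """Return one dict per validate_proposal_request record that carries addresses."""
    records, collecting = [], False
    for line in text.splitlines():
        if "IPSEC(validate_proposal_request)" in line:
            records.append({"rejected": False})
            collecting = True
        elif line.startswith("*"):  # any other timestamped message ends the record
            collecting = False
            if "proxy identities not supported" in line and records:
                records[-1]["rejected"] = True
        elif collecting:  # continuation lines hold the key= value fields
            for key, value in FIELD.findall(line):
                records[-1][key] = value.strip()
    return [r for r in records if "local" in r and "remote" in r]

def host(value):
    """Strip the ':port' or '/mask/proto/port' suffix; redacted octets stay as text."""
    return re.split(r"[:/]", value)[0]

def proxy_mismatches(text):
    """List (peer, mismatched sides, rejected) for tunnel-mode proposals."""
    out = []
    for rec in parse_proposals(text):
        sides = [s for s in ("local", "remote")
                 if host(rec[s]) != host(rec.get(s + "_proxy", rec[s]))]
        if sides and "Tunnel" in rec.get("transform", ""):
            out.append((host(rec["remote"]), sides, rec["rejected"]))
    return out
```

On the sample, only the question's proposal is reported: both its `local_proxy` and `remote_proxy` differ from the `local` and `remote` addresses, and it is the one followed by the rejection message.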