[strongSwan] StrongSwan Android app, NO_PROPOSAL_CHOSEN error & Digital Ocean's VPN tutorial

Andreas Steffen andreas.steffen at strongswan.org
Mon Nov 20 17:54:04 CET 2017


Hi Alexander,

could you increase the debug level to "cfg 2" on the server which would
show the received and installed crypto algorithms.

Regards

Andreas

On 20.11.2017 16:30, Bugakov, Alexander wrote:
> Hello,
> 
> I tried to install StrongSwan IKEv2 on DigitalOcean's freshly
> configured server using this tutorial -
> https://www.digitalocean.com/community/tutorials/how-to-set-up-an-ikev2-vpn-server-with-strongswan-on-ubuntu-16-04
> 
> I created fresh Ubuntu instance, got an IP address 128.199.36.88 and
> followed all steps in the guide. I've saved server-root-ca.pem to my
> Android phone and installed it. I obtained StrongSwan client from
> Google Play and added profile, choosing the cert, and specifying my
> password and login name.
> 
> I am getting the following in the charon's log on Android:
> 
> Nov 20 17:54:40 00[DMN] Starting IKE charon daemon (strongSwan
> 5.6.1dr3, Android 7.0 - NRD90M/2017-10-01, MI 5s Plus -
> Xiaomi/natrium/Xiaomi, Linux 3.18.31-perf-gb46523a, aarch64)
> Nov 20 17:54:40 00[LIB] loaded plugins: androidbridge charon
> android-log openssl fips-prf random nonce pubkey chapoly curve25519
> pkcs1 pkcs8 pem xcbc hmac socket-default revocation eap-identity
> eap-mschapv2 eap-md5 eap-gtc eap-tls x509
> Nov 20 17:54:40 00[JOB] spawning 16 worker threads
> Nov 20 17:54:40 10[IKE] initiating IKE_SA android[4] to 128.199.36.88
> Nov 20 17:54:40 10[ENC] generating IKE_SA_INIT request 0 [ SA KE No
> N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
> Nov 20 17:54:40 10[NET] sending packet: from 10.220.173.129[46526] to
> 128.199.36.88[500] (704 bytes)
> Nov 20 17:54:40 09[NET] received packet: from 128.199.36.88[500] to
> 10.220.173.129[46526] (36 bytes)
> Nov 20 17:54:40 09[ENC] parsed IKE_SA_INIT response 0 [ N(NO_PROP) ]
> Nov 20 17:54:40 09[IKE] received NO_PROPOSAL_CHOSEN notify error
> 
> Here is the log on the server's side:
> 
> Nov 20 14:49:01 vpn charon: 12[NET] received packet: from
> 31.173.82.18[62259] to 128.199.36.88[500] (704 bytes)
> Nov 20 14:49:01 vpn charon: 12[ENC] parsed IKE_SA_INIT request 0 [ SA
> KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
> Nov 20 14:49:01 vpn charon: 12[IKE] 31.173.82.18 is initiating an IKE_SA
> Nov 20 14:49:01 vpn charon: 12[IKE] remote host is behind NAT
> Nov 20 14:49:01 vpn charon: 12[IKE] received proposals inacceptable
> Nov 20 14:49:01 vpn charon: 12[ENC] generating IKE_SA_INIT response 0
> [ N(NO_PROP) ]
> Nov 20 14:49:01 vpn charon: 12[NET] sending packet: from
> 128.199.36.88[500] to 31.173.82.18[62259] (36 bytes)
> Nov 20 14:54:38 vpn charon: 13[NET] received packet: from
> 31.173.82.18[56711] to 128.199.36.88[500] (704 bytes)
> Nov 20 14:54:38 vpn charon: 13[ENC] parsed IKE_SA_INIT request 0 [ SA
> KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
> Nov 20 14:54:38 vpn charon: 13[IKE] 31.173.82.18 is initiating an IKE_SA
> Nov 20 14:54:38 vpn charon: 13[IKE] remote host is behind NAT
> Nov 20 14:54:38 vpn charon: 13[IKE] received proposals inacceptable
> Nov 20 14:54:38 vpn charon: 13[ENC] generating IKE_SA_INIT response 0
> [ N(NO_PROP) ]
> Nov 20 14:54:38 vpn charon: 13[NET] sending packet: from
> 128.199.36.88[500] to 31.173.82.18[56711] (36 bytes)
> 
> Here is my /etc/ipsec.conf:
> 
> config setup
>     charondebug="ike 1, knl 1, cfg 0"
>     uniqueids=no
> 
> conn ikev2-vpn
>     auto=add
>     compress=no
>     type=tunnel
>     keyexchange=ikev2
>     fragmentation=yes
>     forceencaps=yes
>     ike=aes256-sha1-modp1024,3des-sha1-modp1024!
>     esp=aes256-sha1,3des-sha1!
>     dpdaction=clear
>     dpddelay=300s
>     rekey=no
>     left=%any
>     leftid=128.199.36.88
>     leftcert=/etc/ipsec.d/certs/vpn-server-cert.pem
>     leftsendcert=always
>     leftsubnet=0.0.0.0/0
>     right=%any
>     rightid=%any
>     rightauth=eap-mschapv2
>     rightdns=8.8.8.8,8.8.4.4
>     rightsourceip=10.10.10.0/24
>     rightsendcert=never
>     eap_identity=%identity
> 
> My /etc/ipsec.secrets contains:
> 
> 128.199.36.88 : RSA "/etc/ipsec.d/private/vpn-server-key.pem"
> vpnusername %any% : EAP "vpnpasswordredacted"
> 
> What might be the issue?
> 
> Thank you.
> 
> A.
> 

-- 
======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Open Source VPN Solution!          www.strongswan.org
Institute for Networked Solutions
HSR University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[INS-HSR]==
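Added example (not from this thread or the strongSwan project): a small Python diagnostic that parses the `ike=` line quoted above, mimics the responder's proposal selection against an assumed client offer (the real offer is what `cfg 2` logging would reveal), and counts the `received proposals inacceptable` rejections per peer in the server log. The `CLIENT` list is a constructed assumption, not the Android app's actual proposal set.

```python
import re
from collections import Counter

# Server-side lines copied from the thread's quoted log (a constructed excerpt).
SERVER_LOG = """
Nov 20 14:49:01 vpn charon: 12[IKE] 31.173.82.18 is initiating an IKE_SA
Nov 20 14:49:01 vpn charon: 12[IKE] received proposals inacceptable
Nov 20 14:54:38 vpn charon: 13[IKE] 31.173.82.18 is initiating an IKE_SA
Nov 20 14:54:38 vpn charon: 13[IKE] received proposals inacceptable
"""
SERVER_IKE = "aes256-sha1-modp1024,3des-sha1-modp1024!"  # ike= from the thread
# Assumed client offer for illustration only; not the Android app's real list.
CLIENT = [("aes256", "sha256", "modp2048"), ("aes128", "sha256", "ecp256")]

def parse_proposals(spec):
    """Parse ike=/esp= "enc-integ-dh,..."; trailing "!" means strict list."""
    strict = spec.endswith("!")
    props = [tuple(p.strip().split("-")) for p in spec.rstrip("!").split(",")]
    return props, strict

def select_proposal(server_spec, client_props):
    """First client proposal the server also has; None => NO_PROPOSAL_CHOSEN."""
    server_props, _ = parse_proposals(server_spec)
    return next((c for c in client_props if c in server_props), None)

def explain_mismatch(server_spec, client_props):
    """Per slot (enc, integ, dh): client tokens with no match in server config."""
    server_props, strict = parse_proposals(server_spec)
    missing = {}
    for i, slot in enumerate(("enc", "integ", "dh")):
        offered = {p[i] for p in client_props if len(p) > i}
        configured = {p[i] for p in server_props if len(p) > i}
        if not offered & configured:
            missing[slot] = sorted(offered)
    return strict, missing

def count_rejections(log):
    """Count 'received proposals inacceptable' per peer, pairing each with the
    'is initiating an IKE_SA' line logged by the same charon worker thread."""
    peer, hits = {}, Counter()
    for line in log.splitlines():
        m = re.search(r"(\d+)\[IKE\] (.*)$", line)
        if not m:
            continue
        thread, msg = m.groups()
        if msg.endswith("is initiating an IKE_SA"):
            peer[thread] = msg.split()[0]
        elif msg == "received proposals inacceptable":
            hits[peer.get(thread, "unknown")] += 1
    return dict(hits)
```

With the strict (`!`) list above, any client that does not offer SHA-1 and MODP-1024 exactly is rejected at IKE_SA_INIT; `explain_mismatch` reports which slot has no overlap so the server or client proposal set can be widened deliberately.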
