[strongSwan] StrongSwan Android app, NO_PROPOSAL_CHOSEN error & Digital Ocean's VPN tutorial

Anvar Kuchkartaev anvar at anvartay.com
Mon Nov 20 18:15:49 CET 2017


You can try to remove/comment out the ike= and esp= lines and try to connect to the server (leaving it to use the default strongSwan ciphers).

Anvar Kuchkartaev 
anvar at anvartay.com 
  Original Message  
From: Bugakov, Alexander
Sent: Monday, 20 November 2017 04:30 p.m.
To: users at lists.strongswan.org
Reply To: a at bougakov.com
Subject: [strongSwan] StrongSwan Android app, NO_PROPOSAL_CHOSEN error & Digital Ocean's VPN tutorial


Hello,

I tried to install StrongSwan IKEv2 on DigitalOcean's freshly
configured server using this tutorial -
https://www.digitalocean.com/community/tutorials/how-to-set-up-an-ikev2-vpn-server-with-strongswan-on-ubuntu-16-04

I created a fresh Ubuntu instance, got an IP address 128.199.36.88 and
followed all steps in the guide. I've saved server-root-ca.pem to my
Android phone and installed it. I obtained the StrongSwan client from
Google Play and added a profile, choosing the cert, and specifying my
password and login name.

I am getting the following in charon's log on Android:

Nov 20 17:54:40 00[DMN] Starting IKE charon daemon (strongSwan
5.6.1dr3, Android 7.0 - NRD90M/2017-10-01, MI 5s Plus -
Xiaomi/natrium/Xiaomi, Linux 3.18.31-perf-gb46523a, aarch64)
Nov 20 17:54:40 00[LIB] loaded plugins: androidbridge charon
android-log openssl fips-prf random nonce pubkey chapoly curve25519
pkcs1 pkcs8 pem xcbc hmac socket-default revocation eap-identity
eap-mschapv2 eap-md5 eap-gtc eap-tls x509
Nov 20 17:54:40 00[JOB] spawning 16 worker threads
Nov 20 17:54:40 10[IKE] initiating IKE_SA android[4] to 128.199.36.88
Nov 20 17:54:40 10[ENC] generating IKE_SA_INIT request 0 [ SA KE No
N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Nov 20 17:54:40 10[NET] sending packet: from 10.220.173.129[46526] to
128.199.36.88[500] (704 bytes)
Nov 20 17:54:40 09[NET] received packet: from 128.199.36.88[500] to
10.220.173.129[46526] (36 bytes)
Nov 20 17:54:40 09[ENC] parsed IKE_SA_INIT response 0 [ N(NO_PROP) ]
Nov 20 17:54:40 09[IKE] received NO_PROPOSAL_CHOSEN notify error

Here is the log on the server's side:

Nov 20 14:49:01 vpn charon: 12[NET] received packet: from
31.173.82.18[62259] to 128.199.36.88[500] (704 bytes)
Nov 20 14:49:01 vpn charon: 12[ENC] parsed IKE_SA_INIT request 0 [ SA
KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Nov 20 14:49:01 vpn charon: 12[IKE] 31.173.82.18 is initiating an IKE_SA
Nov 20 14:49:01 vpn charon: 12[IKE] remote host is behind NAT
Nov 20 14:49:01 vpn charon: 12[IKE] received proposals inacceptable
Nov 20 14:49:01 vpn charon: 12[ENC] generating IKE_SA_INIT response 0
[ N(NO_PROP) ]
Nov 20 14:49:01 vpn charon: 12[NET] sending packet: from
128.199.36.88[500] to 31.173.82.18[62259] (36 bytes)
Nov 20 14:54:38 vpn charon: 13[NET] received packet: from
31.173.82.18[56711] to 128.199.36.88[500] (704 bytes)
Nov 20 14:54:38 vpn charon: 13[ENC] parsed IKE_SA_INIT request 0 [ SA
KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Nov 20 14:54:38 vpn charon: 13[IKE] 31.173.82.18 is initiating an IKE_SA
Nov 20 14:54:38 vpn charon: 13[IKE] remote host is behind NAT
Nov 20 14:54:38 vpn charon: 13[IKE] received proposals inacceptable
Nov 20 14:54:38 vpn charon: 13[ENC] generating IKE_SA_INIT response 0
[ N(NO_PROP) ]
Nov 20 14:54:38 vpn charon: 13[NET] sending packet: from
128.199.36.88[500] to 31.173.82.18[56711] (36 bytes)

Here is my /etc/ipsec.conf:

config setup
charondebug="ike 1, knl 1, cfg 0"
uniqueids=no

conn ikev2-vpn
auto=add
compress=no
type=tunnel
keyexchange=ikev2
fragmentation=yes
forceencaps=yes
ike=aes256-sha1-modp1024,3des-sha1-modp1024!
esp=aes256-sha1,3des-sha1!
dpdaction=clear
dpddelay=300s
rekey=no
left=%any
leftid=128.199.36.88
leftcert=/etc/ipsec.d/certs/vpn-server-cert.pem
leftsendcert=always
leftsubnet=0.0.0.0/0
right=%any
rightid=%any
rightauth=eap-mschapv2
rightdns=8.8.8.8,8.8.4.4
rightsourceip=10.10.10.0/24
rightsendcert=never
eap_identity=%identity

My /etc/ipsec.secrets contains:

128.199.36.88 : RSA "/etc/ipsec.d/private/vpn-server-key.pem"
vpnusername %any% : EAP "vpnpasswordredacted"

What might be the issue?

Thank you.

A.
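The exchange above fails at IKE_SA_INIT: the server rejects the client's proposals ("received proposals inacceptable") against a strict (`!`) ike= list that only offers sha1 with modp1024, and answers with N(NO_PROP). The following is an added example, not code from the thread or from the strongSwan project. It parses ipsec.conf-style ike=/esp= values, models IKEv2 proposal selection (every transform type in a proposal must share at least one algorithm on both sides), and scans charon log lines for the mismatch. SERVER_IKE and the log lines are taken from the thread; CLIENT_IKE and RELAXED_SERVER_IKE are constructed for illustration, since the Android app's real proposal list is not shown in the thread.

```python
"""Added example (not from the thread or the strongSwan project): model why
an IKE_SA_INIT exchange ends in NO_PROPOSAL_CHOSEN and flag it in charon logs.

A strongSwan ike= value such as 'aes256-sha1-modp1024,3des-sha1-modp1024!'
is a comma-separated list of proposals; each proposal lists one or more
algorithms per transform type (encryption, integrity/PRF, DH group), and a
trailing '!' makes the list strict so no defaults are appended.
"""
import re
from typing import Dict, List, Optional, Set, Tuple

Proposal = Dict[str, Set[str]]  # transform type -> algorithms offered


def _transform_type(token: str) -> str:
    """Classify a proposal token by its prefix (simplified; not the full
    strongSwan algorithm table)."""
    if token.startswith(("modp", "ecp", "curve25519", "x25519", "x448")):
        return "dh"
    if token.startswith("prf"):
        return "prf"
    if token.startswith(("sha", "md5", "aesxcbc", "aescmac")):
        return "integ"
    return "enc"


def parse_proposals(spec: str) -> Tuple[List[Proposal], bool]:
    """Return (proposals, strict) for an ipsec.conf ike=/esp= value."""
    spec = spec.strip()
    strict = spec.endswith("!")
    proposals: List[Proposal] = []
    for item in spec.rstrip("!").split(","):
        prop: Proposal = {}
        for token in item.strip().split("-"):
            if token:
                prop.setdefault(_transform_type(token), set()).add(token)
        if prop:
            proposals.append(prop)
    return proposals, strict


def _compatible(initiator: Proposal, responder: Proposal) -> bool:
    """A proposal is selectable only if both sides name the same transform
    types and share at least one algorithm in every one of them."""
    if set(initiator) != set(responder):
        return False
    return all(initiator[t] & responder[t] for t in initiator)


def negotiate(initiator_spec: str, responder_spec: str) -> Optional[Tuple[int, int]]:
    """Pick the first responder proposal (in configured order) that the
    initiator also offers; None reproduces the NO_PROPOSAL_CHOSEN outcome."""
    init_props, _ = parse_proposals(initiator_spec)
    resp_props, _ = parse_proposals(responder_spec)
    for ri, r in enumerate(resp_props):
        for ii, i in enumerate(init_props):
            if _compatible(i, r):
                return ii, ri
    return None


def explain(initiator_spec: str, responder_spec: str) -> str:
    """Human-readable verdict for an operator comparing two ike= lines."""
    _, strict = parse_proposals(responder_spec)
    chosen = negotiate(initiator_spec, responder_spec)
    if chosen is None:
        return ("NO_PROPOSAL_CHOSEN: no overlap; responder list is "
                + ("strict ('!'), so nothing else is tried" if strict
                   else "not strict, so appended defaults may still match"))
    return f"match: initiator proposal #{chosen[0]} == responder proposal #{chosen[1]}"


# Charon's own wording for the mismatch on the responder and initiator side.
NO_PROP_RE = re.compile(r"received proposals inacceptable|NO_PROPOSAL_CHOSEN|N\(NO_PROP\)")


def find_no_proposal_events(log_lines: List[str]) -> List[str]:
    """Return the log lines that indicate a proposal mismatch."""
    return [ln for ln in log_lines if NO_PROP_RE.search(ln)]


# Server-side value taken from the ipsec.conf in the thread (strict, modp1024 only).
SERVER_IKE = "aes256-sha1-modp1024,3des-sha1-modp1024!"
# Constructed client list (assumption: a client that offers neither modp1024 nor 3des).
CLIENT_IKE = "aes256-sha256-modp2048,aes128-sha256-modp2048,aes256-sha1-modp2048"
# Constructed relaxed server list standing in for "let the server use defaults".
RELAXED_SERVER_IKE = "aes256-sha256-modp2048,aes256-sha1-modp1024!"

# Log lines copied from the thread (server side, then client side).
SAMPLE_LOG = [
    "Nov 20 14:49:01 vpn charon: 12[IKE] 31.173.82.18 is initiating an IKE_SA",
    "Nov 20 14:49:01 vpn charon: 12[IKE] remote host is behind NAT",
    "Nov 20 14:49:01 vpn charon: 12[IKE] received proposals inacceptable",
    "Nov 20 14:49:01 vpn charon: 12[ENC] generating IKE_SA_INIT response 0 [ N(NO_PROP) ]",
    "Nov 20 17:54:40 09[IKE] received NO_PROPOSAL_CHOSEN notify error",
]

if __name__ == "__main__":
    print(explain(CLIENT_IKE, SERVER_IKE))          # no overlap, strict list
    print(explain(CLIENT_IKE, RELAXED_SERVER_IKE))  # match on proposal #0
    for line in find_no_proposal_events(SAMPLE_LOG):
        print("mismatch:", line)
```

RELAXED_SERVER_IKE only models the effect of the reply's advice (dropping ike=/esp= so the server falls back to its defaults); the actual default proposals depend on the strongSwan version in use, so verify them on the server rather than assuming the list above. The log scan is the piece worth keeping in monitoring: a burst of N(NO_PROP) responses after a config change is the quickest sign that a cipher list and a client population have drifted apart.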