[strongSwan] StrongSwan Android app, NO_PROPOSAL_CHOSEN error & Digital Ocean's VPN tutorial

Bugakov, Alexander a at bougakov.com
Mon Nov 20 18:25:47 CET 2017


Sorry for wasting your time; I instead used a recipe provided at
https://github.com/jawj/IKEv2-setup and it configured StrongSwan for
me flawlessly - now works with Android and Windows 10 clients.

Works like a charm, much faster and better than commercial VPN providers.

On Mon, Nov 20, 2017 at 8:15 PM, Anvar Kuchkartaev <anvar at anvartay.com> wrote:
>
> You can try to remove/comment out lines of ike= and esp= and try to connect to server (leaving it to use default strongswan ciphers).
>
> Anvar Kuchkartaev
> anvar at anvartay.com
>   Original Message
> From: Bugakov, Alexander
> Sent: lunes, 20 de noviembre de 2017 04:30 p.m.
> To: users at lists.strongswan.org
> Reply To: a at bougakov.com
> Subject: [strongSwan] StrongSwan Android app, NO_PROPOSAL_CHOSEN error & Digital Ocean's VPN tutorial
>
>
> Hello,
>
> I tried to install StrongSwan IKEv2 on DigitalOcean's freshly
> configured server using this tutorial -
> https://www.digitalocean.com/community/tutorials/how-to-set-up-an-ikev2-vpn-server-with-strongswan-on-ubuntu-16-04
>
> I created a fresh Ubuntu instance, got the IP address 128.199.36.88 and
> followed all steps in the guide. I've saved server-root-ca.pem to my
> Android phone and installed it. I obtained the StrongSwan client from
> Google Play and added a profile, choosing the cert, and specifying my
> password and login name.
>
> I am getting the following in the charon's log on Android:
>
> Nov 20 17:54:40 00[DMN] Starting IKE charon daemon (strongSwan
> 5.6.1dr3, Android 7.0 - NRD90M/2017-10-01, MI 5s Plus -
> Xiaomi/natrium/Xiaomi, Linux 3.18.31-perf-gb46523a, aarch64)
> Nov 20 17:54:40 00[LIB] loaded plugins: androidbridge charon
> android-log openssl fips-prf random nonce pubkey chapoly curve25519
> pkcs1 pkcs8 pem xcbc hmac socket-default revocation eap-identity
> eap-mschapv2 eap-md5 eap-gtc eap-tls x509
> Nov 20 17:54:40 00[JOB] spawning 16 worker threads
> Nov 20 17:54:40 10[IKE] initiating IKE_SA android[4] to 128.199.36.88
> Nov 20 17:54:40 10[ENC] generating IKE_SA_INIT request 0 [ SA KE No
> N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
> Nov 20 17:54:40 10[NET] sending packet: from 10.220.173.129[46526] to
> 128.199.36.88[500] (704 bytes)
> Nov 20 17:54:40 09[NET] received packet: from 128.199.36.88[500] to
> 10.220.173.129[46526] (36 bytes)
> Nov 20 17:54:40 09[ENC] parsed IKE_SA_INIT response 0 [ N(NO_PROP) ]
> Nov 20 17:54:40 09[IKE] received NO_PROPOSAL_CHOSEN notify error
>
> Here is the log on the server's side:
>
> Nov 20 14:49:01 vpn charon: 12[NET] received packet: from
> 31.173.82.18[62259] to 128.199.36.88[500] (704 bytes)
> Nov 20 14:49:01 vpn charon: 12[ENC] parsed IKE_SA_INIT request 0 [ SA
> KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
> Nov 20 14:49:01 vpn charon: 12[IKE] 31.173.82.18 is initiating an IKE_SA
> Nov 20 14:49:01 vpn charon: 12[IKE] remote host is behind NAT
> Nov 20 14:49:01 vpn charon: 12[IKE] received proposals inacceptable
> Nov 20 14:49:01 vpn charon: 12[ENC] generating IKE_SA_INIT response 0
> [ N(NO_PROP) ]
> Nov 20 14:49:01 vpn charon: 12[NET] sending packet: from
> 128.199.36.88[500] to 31.173.82.18[62259] (36 bytes)
> Nov 20 14:54:38 vpn charon: 13[NET] received packet: from
> 31.173.82.18[56711] to 128.199.36.88[500] (704 bytes)
> Nov 20 14:54:38 vpn charon: 13[ENC] parsed IKE_SA_INIT request 0 [ SA
> KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
> Nov 20 14:54:38 vpn charon: 13[IKE] 31.173.82.18 is initiating an IKE_SA
> Nov 20 14:54:38 vpn charon: 13[IKE] remote host is behind NAT
> Nov 20 14:54:38 vpn charon: 13[IKE] received proposals inacceptable
> Nov 20 14:54:38 vpn charon: 13[ENC] generating IKE_SA_INIT response 0
> [ N(NO_PROP) ]
> Nov 20 14:54:38 vpn charon: 13[NET] sending packet: from
> 128.199.36.88[500] to 31.173.82.18[56711] (36 bytes)
>
> Here is my /etc/ipsec.conf:
>
> config setup
>     charondebug="ike 1, knl 1, cfg 0"
>     uniqueids=no
>
> conn ikev2-vpn
>     auto=add
>     compress=no
>     type=tunnel
>     keyexchange=ikev2
>     fragmentation=yes
>     forceencaps=yes
>     ike=aes256-sha1-modp1024,3des-sha1-modp1024!
>     esp=aes256-sha1,3des-sha1!
>     dpdaction=clear
>     dpddelay=300s
>     rekey=no
>     left=%any
>     leftid=128.199.36.88
>     leftcert=/etc/ipsec.d/certs/vpn-server-cert.pem
>     leftsendcert=always
>     leftsubnet=0.0.0.0/0
>     right=%any
>     rightid=%any
>     rightauth=eap-mschapv2
>     rightdns=8.8.8.8,8.8.4.4
>     rightsourceip=10.10.10.0/24
>     rightsendcert=never
>     eap_identity=%identity
>
> My /etc/ipsec.secrets contains:
>
> 128.199.36.88 : RSA "/etc/ipsec.d/private/vpn-server-key.pem"
> vpnusername %any% : EAP "vpnpasswordredacted"
>
> What might be the issue?
>
> Thank you.
>
> A.
>
>

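As an added illustration (not code from strongSwan or from anyone in this thread), the Python below models the IKE_SA_INIT proposal selection behind the server's "received proposals inacceptable" line: the responder keeps a proposal only if the initiator offered at least one matching encryption, integrity and DH transform, and the trailing `!` on `ike=` makes that list strict. The client offer in it is constructed for illustration and is not what the Android app actually sends; the algorithm-name classification covers only the non-AEAD algorithms used in this thread.

```python
"""Added example (not strongSwan's code): IKEv2 proposal matching for
strongSwan-style ike= strings, and how a strict list ('!') yields NO_PROPOSAL_CHOSEN."""


def classify(name):
    # Transform type by name prefix; assumption: only non-AEAD algorithms appear.
    if name.startswith(("aes", "3des", "camellia")):
        return "enc"
    if name.startswith(("sha", "md5")):
        return "integ"
    if name.startswith(("modp", "ecp", "curve")):
        return "dh"
    raise ValueError(f"unknown transform {name!r}")


def parse_proposal(spec):
    """'aes256-sha1-modp1024' -> {'enc': {'aes256'}, 'integ': {'sha1'}, 'dh': {'modp1024'}}.
    Several algorithms of one type inside a single proposal are all offered."""
    prop = {"enc": set(), "integ": set(), "dh": set()}
    for name in spec.split("-"):
        prop[classify(name)].add(name)
    if not all(prop.values()):
        raise ValueError(f"proposal {spec!r} lacks a transform type")
    return prop


def parse_ike_line(value):
    """Value of an ipsec.conf ike= line. A trailing '!' means only the listed
    proposals are acceptable (charon's appended defaults are not modelled here)."""
    strict = value.endswith("!")
    specs = [s.strip() for s in value.rstrip("!").split(",") if s.strip()]
    return [parse_proposal(s) for s in specs], strict


def select_proposal(responder_cfg, initiator_offer):
    """First responder proposal for which the initiator offered an algorithm of
    every transform type; None corresponds to NO_PROPOSAL_CHOSEN. One algorithm
    per type is picked deterministically (real code follows its preference order)."""
    for r in responder_cfg:
        for i in initiator_offer:
            common = {t: r[t] & i[t] for t in r}
            if all(common.values()):
                return {t: min(algs) for t, algs in common.items()}
    return None


SERVER_IKE = "aes256-sha1-modp1024,3des-sha1-modp1024!"  # ike= line from the thread
# Constructed client offer for illustration: strong ciphers, but no modp1024.
CLIENT_OFFER = "aes256-aes128-sha256-sha1-modp2048-ecp256"


def negotiate(server_line, client_line):
    server, _strict = parse_ike_line(server_line)
    client, _ = parse_ike_line(client_line)
    return select_proposal(server, client)
```

With the thread's strict `ike=` line, `negotiate(SERVER_IKE, CLIENT_OFFER)` returns `None`, while a line such as `aes256-sha256-modp2048` matches the same client.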
