[strongSwan] configuring android StrongSwan VPN Client 2.2.1
David H. Durgee
dhdurgee at verizon.net
Tue Jan 7 17:31:50 CET 2020
I followed this recipe to install StrongSwan on my Linux server:

How to Set Up an IKEv2 VPN Server with StrongSwan on Ubuntu 16.04
<https://www.digitalocean.com/community/tutorials/how-to-set-up-an-ikev2-vpn-server-with-strongswan-on-ubuntu-16-04>

This is working fine with a Windows client, so I know it is configured
properly.

After this success I attempted to install the above client on my Android
Nougat phone. Unfortunately this is not working with the default
options on the client. Here are the log entries from the Linux server
attempting to open the VPN connection:

Dec 26 18:07:11 DG41TY charon: 09[NET] received packet: from 108.31.28.59[1024] to 192.168.80.11[500] (716 bytes)
Dec 26 18:07:11 DG41TY charon: 09[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Dec 26 18:07:11 DG41TY charon: 09[CFG] looking for an ike config for 192.168.80.11...108.31.28.59
Dec 26 18:07:11 DG41TY charon: 09[CFG] candidate: %any...%any, prio 28
Dec 26 18:07:11 DG41TY charon: 09[CFG] found matching ike config: %any...%any with prio 28
Dec 26 18:07:11 DG41TY charon: 09[IKE] 108.31.28.59 is initiating an IKE_SA
Dec 26 18:07:11 DG41TY charon: 09[IKE] IKE_SA (unnamed)[15] state change: CREATED => CONNECTING
Dec 26 18:07:11 DG41TY charon: 09[CFG] selecting proposal:
Dec 26 18:07:11 DG41TY charon: 09[CFG] no acceptable DIFFIE_HELLMAN_GROUP found
Dec 26 18:07:11 DG41TY charon: 09[CFG] selecting proposal:
Dec 26 18:07:11 DG41TY charon: 09[CFG] no acceptable ENCRYPTION_ALGORITHM found
Dec 26 18:07:11 DG41TY charon: 09[CFG] selecting proposal:
Dec 26 18:07:11 DG41TY charon: 09[CFG] no acceptable DIFFIE_HELLMAN_GROUP found
Dec 26 18:07:11 DG41TY charon: 09[CFG] selecting proposal:
Dec 26 18:07:11 DG41TY charon: 09[CFG] no acceptable ENCRYPTION_ALGORITHM found
Dec 26 18:07:11 DG41TY charon: 09[CFG] received proposals: IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_SHA1_96/AES_XCBC_96/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/(31)/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048, IKE:AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/CHACHA20_POLY1305/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/(31)/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048
Dec 26 18:07:11 DG41TY charon: 09[CFG] configured proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Dec 26 18:07:11 DG41TY charon: 09[IKE] local host is behind NAT, sending keep alives
Dec 26 18:07:11 DG41TY charon: 09[IKE] remote host is behind NAT
Dec 26 18:07:11 DG41TY charon: 09[IKE] received proposals inacceptable
Dec 26 18:07:11 DG41TY charon: 09[ENC] generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
Dec 26 18:07:11 DG41TY charon: 09[NET] sending packet: from 192.168.80.11[500] to 108.31.28.59[1024] (36 bytes)
Dec 26 18:07:11 DG41TY charon: 09[IKE] IKE_SA (unnamed)[15] state change: CONNECTING => DESTROYING

What do I need to change in the Android client configuration? I would
prefer not to touch the Linux server as it is working with Windows
clients, but will do so if absolutely necessary. Thank you for your
assistance in this matter.

Dave
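
Added example, not part of the original post and not strongSwan code: a short Python sketch that reads the "received proposals" and "configured proposals" entries of a charon log like the one above and reports, for each pairing, the first transform type with no algorithm in common. The function names, the prefix-based classification and the shortened sample are assumptions of this example, and it expects each log entry on a single line.

```python
import re
# Constructed sample: the two proposal log entries from the post, unwrapped,
# with the client's (received) lists shortened to a few transforms each.
SAMPLE_LOG = (
    "charon: 09[CFG] received proposals: IKE:AES_CBC_128/AES_CBC_256/3DES_CBC/HMAC_SHA2_256_128/"
    "HMAC_SHA1_96/PRF_HMAC_SHA2_256/PRF_HMAC_SHA1/ECP_256/(31)/MODP_3072/MODP_2048, "
    "IKE:AES_GCM_16_128/AES_GCM_16_256/CHACHA20_POLY1305/PRF_HMAC_SHA2_256/PRF_HMAC_SHA1/"
    "ECP_256/(31)/MODP_3072/MODP_2048\n"
    "charon: 09[CFG] configured proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, "
    "IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024\n"
)

# IKEv2 transform types in type-number order (RFC 7296), named as in the log.
ORDER = ["ENCRYPTION_ALGORITHM", "PSEUDO_RANDOM_FUNCTION",
         "INTEGRITY_ALGORITHM", "DIFFIE_HELLMAN_GROUP"]

def transform_type(name):
    # Prefix classification is an assumption of this sketch (common names only).
    if name.startswith("("):
        return None  # numeric ID the logging daemon has no name for; skipped
    if name.startswith("PRF_"):
        return ORDER[1]
    if name.startswith("HMAC_") or name in ("AES_XCBC_96", "AES_CMAC_96"):
        return ORDER[2]
    return ORDER[3] if name.startswith(("MODP_", "ECP_", "CURVE_")) else ORDER[0]

def parse_proposals(log, kind):
    """Return one {transform type: set of names} dict per proposal of `kind`."""
    m = re.search(kind + r" proposals:\s*(.+)", log)
    props = []
    for prop in (m.group(1).split(",") if m else []):
        algs = {}
        for name in prop.strip().split(":", 1)[-1].split("/"):
            if transform_type(name):
                algs.setdefault(transform_type(name), set()).add(name)
        props.append(algs)
    return props

def first_mismatch(cfg, rcv):
    """First transform type that one side uses but the two have no name in common."""
    for t in ORDER:
        mine, theirs = cfg.get(t, set()), rcv.get(t, set())
        if (mine or theirs) and not (mine & theirs):
            return t
    return None

def explain(log):
    # (configured index, received index, blocking transform type) per pairing
    return [(i, j, first_mismatch(c, r))
            for i, c in enumerate(parse_proposals(log, "configured"))
            for j, r in enumerate(parse_proposals(log, "received"))]
```

On the sample, explain(SAMPLE_LOG) gives the same sequence as the "no acceptable ... found" lines in the log: DIFFIE_HELLMAN_GROUP, ENCRYPTION_ALGORITHM, DIFFIE_HELLMAN_GROUP, ENCRYPTION_ALGORITHM.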