Sorry for wasting your time; I instead used a recipe provided at https://github.com/jawj/IKEv2-setup and it configured StrongSwan for me flawlessly - now works with Android and Windows 10 clients.
Works like a charm, much faster and better than commercial VPN providers.

On Mon, Nov 20, 2017 at 8:15 PM, Anvar Kuchkartaev <an...@anvartay.com> wrote:
>
> You can try to remove/comment out lines of ike= and esp= and try to connect
> to server (leaving it to use default strongswan ciphers).
>
> Anvar Kuchkartaev
> an...@anvartay.com
> Original Message
> From: Bugakov, Alexander
> Sent: Monday, November 20, 2017 04:30 p.m.
> To: users@lists.strongswan.org
> Reply To: a...@bougakov.com
> Subject: [strongSwan] StrongSwan Android app, NO_PROPOSAL_CHOSEN error &
> Digital Ocean's VPN tutorial
>
>
> Hello,
>
> I tried to install StrongSwan IKEv2 on DigitalOcean's freshly
> configured server using this tutorial -
> https://www.digitalocean.com/community/tutorials/how-to-set-up-an-ikev2-vpn-server-with-strongswan-on-ubuntu-16-04
>
> I created fresh Ubuntu instance, got an IP address 128.199.36.88 and
> followed all steps in the guide. I've saved server-root-ca.pem to my
> Android phone and installed it. I obtained StrongSwan client from
> Google Play and added profile, choosing the cert, and specifying my
> password and login name.
>
> I am getting the following in the charon's log on Android:
>
> Nov 20 17:54:40 00[DMN] Starting IKE charon daemon (strongSwan
> 5.6.1dr3, Android 7.0 - NRD90M/2017-10-01, MI 5s Plus -
> Xiaomi/natrium/Xiaomi, Linux 3.18.31-perf-gb46523a, aarch64)
> Nov 20 17:54:40 00[LIB] loaded plugins: androidbridge charon
> android-log openssl fips-prf random nonce pubkey chapoly curve25519
> pkcs1 pkcs8 pem xcbc hmac socket-default revocation eap-identity
> eap-mschapv2 eap-md5 eap-gtc eap-tls x509
> Nov 20 17:54:40 00[JOB] spawning 16 worker threads
> Nov 20 17:54:40 10[IKE] initiating IKE_SA android[4] to 128.199.36.88
> Nov 20 17:54:40 10[ENC] generating IKE_SA_INIT request 0 [ SA KE No
> N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
> Nov 20 17:54:40 10[NET] sending packet: from 10.220.173.129[46526] to
> 128.199.36.88[500] (704 bytes)
> Nov 20 17:54:40 09[NET] received packet: from 128.199.36.88[500] to
> 10.220.173.129[46526] (36 bytes)
> Nov 20 17:54:40 09[ENC] parsed IKE_SA_INIT response 0 [ N(NO_PROP) ]
> Nov 20 17:54:40 09[IKE] received NO_PROPOSAL_CHOSEN notify error
>
> Here is the log on the server's side:
>
> Nov 20 14:49:01 vpn charon: 12[NET] received packet: from
> 31.173.82.18[62259] to 128.199.36.88[500] (704 bytes)
> Nov 20 14:49:01 vpn charon: 12[ENC] parsed IKE_SA_INIT request 0 [ SA
> KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
> Nov 20 14:49:01 vpn charon: 12[IKE] 31.173.82.18 is initiating an IKE_SA
> Nov 20 14:49:01 vpn charon: 12[IKE] remote host is behind NAT
> Nov 20 14:49:01 vpn charon: 12[IKE] received proposals inacceptable
> Nov 20 14:49:01 vpn charon: 12[ENC] generating IKE_SA_INIT response 0
> [ N(NO_PROP) ]
> Nov 20 14:49:01 vpn charon: 12[NET] sending packet: from
> 128.199.36.88[500] to 31.173.82.18[62259] (36 bytes)
> Nov 20 14:54:38 vpn charon: 13[NET] received packet: from
> 31.173.82.18[56711] to 128.199.36.88[500] (704 bytes)
> Nov 20 14:54:38 vpn charon: 13[ENC] parsed IKE_SA_INIT request 0 [ SA
> KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
> Nov 20 14:54:38 vpn charon: 13[IKE] 31.173.82.18 is initiating an IKE_SA
> Nov 20 14:54:38 vpn charon: 13[IKE] remote host is behind NAT
> Nov 20 14:54:38 vpn charon: 13[IKE] received proposals inacceptable
> Nov 20 14:54:38 vpn charon: 13[ENC] generating IKE_SA_INIT response 0
> [ N(NO_PROP) ]
> Nov 20 14:54:38 vpn charon: 13[NET] sending packet: from
> 128.199.36.88[500] to 31.173.82.18[56711] (36 bytes)
> N
>
> Here is my /etc/ipsec.conf:
>
> config setup
>     charondebug="ike 1, knl 1, cfg 0"
>     uniqueids=no
>
> conn ikev2-vpn
>     auto=add
>     compress=no
>     type=tunnel
>     keyexchange=ikev2
>     fragmentation=yes
>     forceencaps=yes
>     ike=aes256-sha1-modp1024,3des-sha1-modp1024!
>     esp=aes256-sha1,3des-sha1!
>     dpdaction=clear
>     dpddelay=300s
>     rekey=no
>     left=%any
>     leftid=128.199.36.88
>     leftcert=/etc/ipsec.d/certs/vpn-server-cert.pem
>     leftsendcert=always
>     leftsubnet=0.0.0.0/0
>     right=%any
>     rightid=%any
>     rightauth=eap-mschapv2
>     rightdns=8.8.8.8,8.8.4.4
>     rightsourceip=10.10.10.0/24
>     rightsendcert=never
>     eap_identity=%identity
>
> My /etc/ipsec.secrets contains:
>
> 128.199.36.88 : RSA "/etc/ipsec.d/private/vpn-server-key.pem"
> vpnusername %any% : EAP "vpnpasswordredacted"
>
> What might be the issue?
>
> Thank you.
>
> A.
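
Added example (not part of the thread and not strongSwan code): a Python check that reads the ike=/esp= lines of an ipsec.conf, reports whether the strict flag (!) is set, and lists the legacy algorithms each proposal depends on. The LEGACY set, the function name and the embedded sample are assumptions of this example; the sample reuses the proposal lines from the ipsec.conf quoted above.

```python
import re

# Algorithms this example treats as legacy (an assumption, not a strongSwan list).
LEGACY = {"des", "3des", "md5", "sha1", "modp768", "modp1024"}

# Constructed sample: the proposal lines from the ipsec.conf quoted above.
SAMPLE_CONF = """\
config setup
    charondebug="ike 1, knl 1, cfg 0"

conn ikev2-vpn
    keyexchange=ikev2
    ike=aes256-sha1-modp1024,3des-sha1-modp1024!
    esp=aes256-sha1,3des-sha1!
"""

def audit_proposals(conf_text):
    """Return one finding per ike=/esp= line of an ipsec.conf text."""
    findings, section = [], None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and indentation
        header = re.match(r"(config|conn|ca)\s+(\S+)$", line)
        if header:
            section = header.group(2)
            continue
        key, sep, value = line.partition("=")
        key = key.strip()
        if not sep or key not in ("ike", "esp"):
            continue
        value = value.strip().strip('"')
        strict = value.endswith("!")             # "!" = accept only these proposals
        proposals = [p.strip() for p in value.rstrip("!").split(",") if p.strip()]
        legacy = sorted({a for p in proposals for a in p.split("-") if a in LEGACY})
        # Strict and every proposal needs a legacy algorithm: a peer that no
        # longer offers those has nothing to match and gets NO_PROPOSAL_CHOSEN.
        legacy_only = (strict and bool(proposals)
                       and all(set(p.split("-")) & LEGACY for p in proposals))
        findings.append({"conn": section, "key": key, "strict": strict,
                         "proposals": proposals, "legacy": legacy,
                         "legacy_only": legacy_only})
    return findings

if __name__ == "__main__":
    for finding in audit_proposals(SAMPLE_CONF):
        print(finding)
```

A finding with legacy_only set to True marks a conn where removing or widening the ike=/esp= line, as suggested in the reply above, changes which peers can negotiate.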