IKEv1 phase 2 fails with NO_PROPOSAL_CHOSEN but ESP proposal is correct. What else could cause this to fail?

Solution 1:

You haven't configured a remote traffic selector (rightsubnet). So it will default to the peer's IP address. That might not be what it expects (for IKEv1 the traffic selectors have to match exactly).

For roadwarrior connections, which the other settings indicate (e.g. the virtual IP address and XAuth authentication), everything is usually tunneled. So the correct setting would be rightsubnet=0.0.0.0/0.

The error notify sent by the responder (NO_PROPOSAL_CHOSEN) is wrong for such a traffic selector mismatch; it should have sent INVALID_ID_INFORMATION (RFC 2409, section 5.5).
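
A small pre-flight check for the mismatch described in this answer, added here as an example and not part of the original answer or of strongSwan. It models only the remote selector: it defaults to the peer's address when rightsubnet is absent and must equal the responder's selector exactly. The conn name, the address 203.0.113.10 and the helper names are assumptions made for illustration.

```python
import ipaddress

# Constructed sample: a roadwarrior conn without rightsubnet (all values are assumptions).
SAMPLE_CONN = """
conn roadwarrior
    keyexchange=ikev1
    right=203.0.113.10
    leftsourceip=%config
    leftauth=psk
    leftauth2=xauth
"""

def parse_conn(text):
    """Return the key=value options of a single ipsec.conf-style conn section."""
    opts = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and indentation
        if "=" in line:
            key, value = line.split("=", 1)
            opts[key.strip()] = value.strip()
    return opts

def remote_selector(opts):
    """Remote traffic selector proposed in phase 2: rightsubnet, else the peer's address."""
    if "rightsubnet" in opts:
        return ipaddress.ip_network(opts["rightsubnet"], strict=False)
    return ipaddress.ip_network(opts["right"])  # host network, /32 for IPv4

def check_phase2(opts, responder_expects):
    """IKEv1 needs an exact match; a selector inside the expected range still fails."""
    proposed = remote_selector(opts)
    expected = ipaddress.ip_network(responder_expects)
    if proposed == expected:
        return "match"
    return f"mismatch: proposing {proposed}, responder expects {expected}"

if __name__ == "__main__":
    opts = parse_conn(SAMPLE_CONN)
    print(check_phase2(opts, "0.0.0.0/0"))   # default selector is the peer's /32
    opts["rightsubnet"] = "0.0.0.0/0"        # the setting suggested in the answer
    print(check_phase2(opts, "0.0.0.0/0"))
```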