IKEv1 phase 2 fails with NO_PROPOSAL_CHOSEN but ESP proposal is correct. What else could cause this to fail?

vpn ubuntu-18.04 strongswan ikev1

Solution 1:

You haven't configured a remote traffic selector (rightsubnet). So it will default to the peer's IP address. That might not be what it expects (for IKEv1 the traffic selectors have to match exactly).

For roadwarrior connections, which the other settings indicate (e.g. the virtual IP address and XAuth authentication), everything is usually tunneled. So the correct setting would be rightsubnet=0.0.0.0/0.

The error notify sent by the responder (NO_PROPOSAL_CHOSEN) is wrong for such a traffic selector mismatch, it should have sent INVALID_ID_INFORMATION (RFC 2409, section 5.5).

Related

How to NOT print items in an Ansible loop error without no_log
Understand if email error is due to sender or recipient server
Nginx reverse proxy with dynamic port forwarding
Can't install additional VM with virt-install
Why is this bash script triggering so many false positives for monitoring memory usage?
AWS: Serve up website from private subnet?
SSH into newly deployed Container on GCP Compute Engine
I want to set the status code of a specific path to "404" GCP Load Balancer
Troubleshooting SATA/SAS reverse breakout cable
How to block port 80 in Google AppEngine
GitLab always Redirects to HTTPS
Hping showing -400% packet loss