StrongSwan ipsec ubuntu "ignoring informational payload, type NO_PROPOSAL_CHOSEN"

I have StrongSwan running on an Ubuntu server and I'm trying to create an IPsec encrypted VPN tunnel with a Cisco 2821 router. The connection is not working and I cannot figure out why. It appears to complete phase 1, but fails at phase 2. Can anyone provide suggestions? I'm stumped. BTW, my server is in the Amazon cloud.

Here is my config:

conn my-conn
        type=tunnel
        authby=secret
        auth=esp
        ikelifetime=86400s
        keylife=3600s
        esp=3des-sha1
        ike=3des-sha1-modp1024
        keyexchange=ike
        pfs=no
        forceencaps=yes
        # Left security gateway, subnet behind it, nexthop toward right.
        left=10.0.0.4
        leftsubnet=10.0.0.4/32
        leftnexthop=%defaultroute
        # Right security gateway, subnet behind it, nexthop toward left.
        right=1.2.3.4
        rightsubnet=1.2.3.5/32
        rightnexthop=%defaultroute
        # Load and start this connection automatically when the daemon starts.
        auto=start

Here is the output from the logs:

Dec 28 18:02:19 myserver pluto[15753]: "my-conn" #330: initiating Main Mode
Dec 28 18:02:19 myserver pluto[15753]: "my-conn" #330: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
Dec 28 18:02:19 myserver pluto[15753]: "my-conn" #330: enabling possible NAT-traversal with method RFC 3947
Dec 28 18:02:20 myserver pluto[15753]: "my-conn" #330: ignoring Vendor ID payload [Cisco-Unity]
Dec 28 18:02:20 myserver pluto[15753]: "my-conn" #330: received Vendor ID payload [Dead Peer Detection]
Dec 28 18:02:20 myserver pluto[15753]: "my-conn" #330: ignoring Vendor ID payload [883f3a4fb4782a3ae88bf05cdfe38ae0]
Dec 28 18:02:20 myserver pluto[15753]: "my-conn" #330: received Vendor ID payload [XAUTH]
Dec 28 18:02:20 myserver pluto[15753]: "my-conn" #330: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: i am NATed
Dec 28 18:02:20 myserver pluto[15753]: | protocol/port in Phase 1 ID Payload is 17/0. accepted with port_floating NAT-T
Dec 28 18:02:20 myserver pluto[15753]: "my-conn" #330: Peer ID is ID_IPV4_ADDR: '1.2.3.4'
Dec 28 18:02:20 myserver pluto[15753]: "my-conn" #330: ISAKMP SA established
Dec 28 18:02:20 myserver pluto[15753]: "my-conn" #331: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP {using isakmp#330}
Dec 28 18:02:20 myserver pluto[15753]: "my-conn" #330: ignoring informational payload, type NO_PROPOSAL_CHOSEN
Dec 28 18:02:20 myserver pluto[15753]: "my-conn" #330: ignoring informational payload, type IPSEC_RESPONDER_LIFETIME

The config given to me to connect to the cisco router was:

Key Management: IKE
Diffie-Hellman Group: Group 2
Encryption Algorithm: 3DES (rec.)
Hash Algorithm: SHA-1 (rec.)
Authentication Method: Preshared
Pre-Shared Secret Key: TBC
Life Time: 86400s (24h)

Encryption Phase 2 (IPSec):

Encapsulation: ESP
Encryption Algorithm used: 3DES (rec.)
Hash Algorithm: SHA-1 (rec.)
Perfect Forward Secrecy: Group 2
Aggressive Mode: NO
Life Time: 3600s (1h)

Solution 1:

If I remember correctly, Amazon EC2 uses some NAT to make your instance reachable from the Internet.

While NAT-friendly applications will work seamlessly (think HTTP or SSH), some protocols were designed at a time when end-to-end communication was the rule, and NAT will break these protocols.

FTP or SIP (RTP actually) use dynamically chosen ports, but helpers were designed, STUN for VoIP for example.

In the case of IPsec, phase 1 is successful. This is NAT detection. So your server says in the logs: "i am NATed".

However, phase 2, which is the NAT traversal decision, fails. You may have to enable what Cisco calls 'IPSec NAT Transparency' on both sides. The IPsec payload is then not carried at layer 3 (IP), but at layer 4, in UDP.

This is somewhat similar to what OpenVPN does, but with SSL instead of IPsec.

Have a look at Cisco's site regarding NAT traversal. While Cisco-centric, it will help you set up your tunnel.

Solution 2:

I received this error with StrongSwan 5.6.1 on CentOS 7 while connecting to a Windows server. The error is due to the remote server using weak ciphers that are considered deprecated by StrongSwan.

  • Enabling the following weak ciphers allows the ipsec connection to complete:

    • Phase1 Algorithms : aes128-sha1-modp2048,3des-sha1-modp1536,3des-sha1-modp1024
    • Phase2 Algorithms : aes128-sha1,3des-sha1


See the known issues for network-manager-l2tp.

I found the Arch Linux L2TP wiki helpful, and its instructions, although written for OpenSwan, also work on StrongSwan:

  • Run ipsec verify first to configure your environment.

  • Run xl2tpd -D (debug mode) - to confirm your settings are sane.

  • Give the VPN the same name in the NetworkManager applet that you give the conn setting in /etc/ipsec.conf

  • The network-manager-l2tp plugin seems to establish the matching L2TP connection via the lns ip address in /etc/xl2tpd/xl2tpd.conf. The name you give the [lac vpn-name] setting does not seem to matter to the plugin.

  • These notes also apply to setting up L2TP with ipsec under Arch Linux. Use Libreswan (Strongswan ipsec does not work in Arch Linux) with the network-manager-l2tp plugin & place your ipsec connection details under /etc/ipsec.d/*.conf. The filename can be anything as the plugin searches for a conn string in the config files that matches the VPN name in NetworkManager.
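Both answers above come down to Phase 2 proposal negotiation: Solution 1 points at the NAT-T decision, Solution 2 at algorithms the peer insists on that strongSwan no longer proposes by default. The following script is an added example (not code from the question, the answers, or strongSwan): it parses the conn section and the Cisco-side sheet quoted in the question, lists every Phase 1/Phase 2 mismatch that would earn a NO_PROPOSAL_CHOSEN, flags the weak algorithms the peer forces, and reads the pluto log to tell a Phase 2 rejection from a Phase 1 one. CONN, PEER, LOG, WEAK and all function names are constructed for this example.

```python
"""Compare a legacy ipsec.conf conn with the peer's stated requirements and
classify the pluto log. Added example; names and sample data are constructed."""
import re

# Constructed from the conn and the Cisco-side sheet quoted in the question.
CONN = """conn my-conn
        esp=3des-sha1
        ike=3des-sha1-modp1024
        pfs=no
"""
PEER = {"ike": {"3des", "sha1", "modp1024"}, "esp": {"3des", "sha1"},
        "pfs_group": "modp1024"}       # "Perfect Forward Secrecy: Group 2"
# Algorithms absent from a current strongSwan's default proposals (Solution 2):
# to talk to a peer that requires them they must be listed in ike=/esp= explicitly.
WEAK = {"3des", "sha1", "md5", "modp768", "modp1024", "modp1536"}

def parse_conn(text):
    """key=value lines of the conn section -> dict (the 'conn NAME' line has no '=')."""
    return dict(re.findall(r"^\s*(\w+)\s*=\s*(\S+)", text, re.M))

def proposals(spec):
    """'3des-sha1-modp1024,aes128-sha1' -> [{'3des','sha1','modp1024'}, {'aes128','sha1'}]"""
    return [set(p.split("-")) for p in spec.split(",") if p]

def check(opts, peer):
    """Return (mismatches that make the peer reject our proposal, weak algorithms
    the peer requires). A proposal matches when it contains everything the peer wants."""
    problems = []
    for phase, key in (("phase1", "ike"), ("phase2", "esp")):
        if not any(peer[key] <= p for p in proposals(opts.get(key, ""))):
            problems.append(f"{phase}: no {key}= proposal matches the peer")
    if peer["pfs_group"] and opts.get("pfs", "yes") == "no":   # pluto defaults pfs=yes
        problems.append(f"phase2: peer requires PFS {peer['pfs_group']} but pfs=no")
    weak = sorted((peer["ike"] | peer["esp"] | {peer["pfs_group"]}) & WEAK)
    return problems, weak

LOG = [  # constructed from the pluto lines quoted in the question
    '"my-conn" #330: ISAKMP SA established',
    '"my-conn" #331: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP {using isakmp#330}',
    '"my-conn" #330: ignoring informational payload, type NO_PROPOSAL_CHOSEN',
]

def failing_phase(lines):
    """NO_PROPOSAL_CHOSEN after the ISAKMP SA is up and Quick Mode was initiated
    means the peer rejected the Phase 2 (IPsec SA) proposal, not the Phase 1 one."""
    phase1 = quick = False
    for line in lines:
        if "ISAKMP SA established" in line:
            phase1 = True
        elif "initiating Quick Mode" in line:
            quick = True
        elif "NO_PROPOSAL_CHOSEN" in line:
            return "phase2" if phase1 and quick else "phase1"
    return None
```

Run against the question's data it reports a Phase 2 rejection and exactly one mismatch, the pfs=no against the peer's "Perfect Forward Secrecy: Group 2"; the weak list is what Solution 2 had to enable by hand.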