
I'm attempting to set up both L2TP (for use on my Android phone) and IKEv2 (for use on my Mac) on the same server with strongSwan.

I'm getting the following error when connecting over L2TP, while IKEv2 works fine:

Apr  4 06:41:41 server charon: 16[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V V V V V ]
Apr  4 06:41:41 server charon: 16[IKE] no IKE config found for IP...IPb, sending NO_PROPOSAL_CHOSEN
Apr  4 06:41:41 server charon: 16[ENC] generating INFORMATIONAL_V1 request 3379933903 [ N(NO_PROP) ]
Apr  4 06:41:41 server charon: 16[NET] sending packet: from IP[500] to IPb[60789] (40 bytes)
Apr  4 06:41:44 server charon: 08[NET] received packet: from IPb[60789] to IP[500] (788 bytes)
Apr  4 06:41:44 server charon: 08[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V V V V V ]
Apr  4 06:41:44 server charon: 08[IKE] no IKE config found for IP...IPb, sending NO_PROPOSAL_CHOSEN
Apr  4 06:41:44 server charon: 08[ENC] generating INFORMATIONAL_V1 request 586602282 [ N(NO_PROP) ]
Apr  4 06:41:44 server charon: 08[NET] sending packet: from IP[500] to IPb[60789] (40 bytes)

This is my config file:

# Global IPsec configuration; applies to every conn section below.
# Logging levels for charon (the IKE daemon).
config setup
    # Per-subsystem log levels. cfg is set to 0 here, so the config-lookup
    # detail behind a "no IKE config found" message is suppressed; raising it
    # while debugging would presumably show which conn entries were considered.
    charondebug="ike 1, knl 1, cfg 0"
    # uniqueids=no: a new IKE_SA does not replace an existing one that uses the
    # same identity, so one credential can be connected from several devices
    # at once. Convenient for phone + laptop, but it also means a leaked
    # credential can be used in parallel without displacing the owner's session.
    uniqueids=no

#define new ipsec connection

# L2TP/IPsec responder entry: IPsec transport mode protecting UDP/1701,
# authenticated with a pre-shared key.
# No keyexchange= is set here. The client in the log speaks IKEv1
# (ID_PROT / INFORMATIONAL_V1); whether this entry accepts IKEv1 depends on
# the keyexchange default of the installed strongSwan version - verify.
conn L2TP-PSK-noNAT
    dpdaction=clear
    # Pre-shared key authentication: every client of this conn shares the same
    # secret from ipsec.secrets, so it should be long and random and rotated
    # whenever a device that knew it is lost.
    authby=secret
    auto=add
    keyingtries=3
    ikelifetime=8h
    keylife=1h
    # No DH group is named and there is no trailing "!", so these are not the
    # only proposals offered: strongSwan appends its default proposals.
    # 3des and sha1 are legacy algorithms, kept presumably for older L2TP
    # clients; drop them if every client can negotiate something stronger.
    # No esp= line is given, so the ESP proposals are the built-in defaults.
    ike=aes256-sha1,aes128-sha1,3des-sha1
    # Transport mode: IPsec only protects the L2TP packets; L2TP/PPP provides
    # the actual tunnel and user authentication.
    type=transport
    # The local address must match the address the IKE packet arrives on for
    # this conn to be selected. "no IKE config found for IP...IPb" means no
    # conn matched the address pair and IKE version; if the server sits behind
    # NAT its interface address differs from the public IP - confirm, or omit
    # left= as the first comment on the question suggests.
    left=IP
    # Protocol 17 is UDP; 1701 is the L2TP port.
    leftprotoport=17/1701
    right=%any
    # Accept any client-side UDP source port.
    rightprotoport=17/%any


# IKEv2 remote-access responder: the server authenticates with a certificate,
# clients authenticate through EAP relayed to a RADIUS server, and each client
# gets a virtual IP from 10.15.1.0/24.
conn ike-server
    auto=add
    compress=no
    type=tunnel
    # IKEv2 only; this entry cannot answer the IKEv1 request shown in the log.
    keyexchange=ikev2
    # The trailing "!" makes this list strict: only these IKE proposals are
    # accepted. The list still contains modp1024, sha1 and 3des combinations;
    # a client that offers them will get them, so prune the weak entries once
    # the supported clients are known to negotiate modp2048/ecp256 or better.
    ike=aes128-sha1-modp1024,aes128-sha1-modp1536,aes128-sha1-modp2048,aes128-sha256-ecp256,aes128-sha256-modp1024,aes128-sha256-modp1536,aes128-sha256-modp2048,aes256-aes128-sha256-sha1-modp2048-modp4096-modp1024,aes256-sha1-modp1024,aes256-sha256-modp1024,aes256-sha256-modp1536,aes256-sha256-modp2048,aes256-sha256-modp4096,aes256-sha384-ecp384,aes256-sha384-modp1024,aes256-sha384-modp1536,aes256-sha384-modp2048,aes256-sha384-modp4096,aes256gcm16-aes256gcm12-aes128gcm16-aes128gcm12-sha256-sha1-modp2048-modp4096-modp1024,3des-sha1-modp1024!
    # Strict ESP proposal list (trailing "!"). Same caveat as ike=: 3des-sha1
    # and the sha1/modp1024 entries are legacy and only worth keeping for
    # clients that cannot do better.
    esp=aes128-aes256-sha1-sha256-modp2048-modp4096-modp1024,aes128-sha1,aes128-sha1-modp1024,aes128-sha1-modp1536,aes128-sha1-modp2048,aes128-sha256,aes128-sha256-ecp256,aes128-sha256-modp1024,aes128-sha256-modp1536,aes128-sha256-modp2048,aes128gcm12-aes128gcm16-aes256gcm12-aes256gcm16-modp2048-modp4096-modp1024,aes128gcm16,aes128gcm16-ecp256,aes256-sha1,aes256-sha256,aes256-sha256-modp1024,aes256-sha256-modp1536,aes256-sha256-modp2048,aes256-sha256-modp4096,aes256-sha384,aes256-sha384-ecp384,aes256-sha384-modp1024,aes256-sha384-modp1536,aes256-sha384-modp2048,aes256-sha384-modp4096,aes256gcm16,aes256gcm16-ecp384,3des-sha1!
    fragmentation=yes
    # Force UDP encapsulation of ESP even when no NAT is detected.
    forceencaps=yes
    dpdaction=clear
    dpddelay=300s
    # The server does not initiate rekeying of its own accord.
    rekey=no
    # Any local address, unlike the L2TP conn above which pins left=IP.
    left=%any
    leftid=@hostname
    # Server certificate, always sent to the client. The file name suggests a
    # full chain (leaf plus intermediates) - confirm how it is loaded.
    leftcert=fullchain.pem
    leftsendcert=always
    # Full tunnel: all client traffic is selected for the VPN.
    leftsubnet=0.0.0.0/0
    right=%any
    rightid=%any
    # Client authentication is delegated to a RADIUS server over EAP, so
    # account lockout and password policy live on the RADIUS side.
    rightauth=eap-radius
    # Virtual IP pool and DNS servers handed to clients.
    rightsourceip=10.15.1.0/24
    rightdns=1.1.1.1,1.0.0.1
    # Clients are not asked for a certificate; they are identified by EAP only.
    rightsendcert=never
    # Ask the client for its EAP identity rather than reusing the IKE identity.
    eap_identity=%identity
Keanu
    It's possible that the IP you configured in _left_ doesn't match (you don't have to set that option anyway). But why not use strongSwan's [IKEv2 Android app](https://wiki.strongswan.org/projects/strongswan/wiki/AndroidVPNClient)? – ecdsa Apr 04 '19 at 07:21
  • It is failing with the IKE proposals. I would try a different ike= line, you might also want to provide a esp= proposals line. – Douglas Kosovic Apr 04 '19 at 22:52

0 Answers0