IPsec VPN problems with AES128 and strongSwan VPN Client

vooze

So I have been playing with IPsec VPN to make sure it will be all good when we buy pfSense boxes for work.

I have followed this guide: https://doc.pfsense.org/index.php/IKEv2_with_EAP-MSCHAPv2

Setting it to AES 256 works just fine, but 128 does not work. I just get a "Policy match error" from the windows client, but I have set AES 128 in both Phase 1 and 2 (also tried with auto on Phase 2)
Is AES-128 not supported using this method?

Also is https://play.google.com/store/apps/details?id=org.strongswan.android not working with this? again I followed the guide, but just get "Failed to establish VPN: User authentication failed."

Looking at the logs I get this on the Android app:

Phase 1 Hash Algorithm Mismatch
Initiator

charon: 10[ENC] parsed INFORMATIONAL_V1 request 2774552374 [ N(NO_PROP) ]
charon: 10[IKE] received NO_PROPOSAL_CHOSEN error notify

Am I missing something?

Running 2.4.2-RELEASE-p1

pasco

I was struggling with the same issue. If you haven't solved it yet, my suggestion:

At the VPN configuration -> Mobile Client try editing "Phase 1" -> "Phase 1 Proposal (Algorithms)" -> choose "DH Group" = 14 (2048 bits)

If you already have so, change logging level under "VPN" -> "IPSec" -> "Advanced Settings" to "Control". Afterwards you will probably find out the error in the system logs -> IPsec.

Good luck and have fun!

Cheers
Pasco

lst_hoe

For the details of the Windows VPN Client settings have a look here:
https://wiki.strongswan.org/projects/strongswan/wiki/Windows7