IPsec VPN problems with AES128 and strongSwan VPN Client

  • So I have been playing with IPsec VPN to make sure it will be all good when we buy pfSense boxes for work.

    I have followed this guide: https://doc.pfsense.org/index.php/IKEv2_with_EAP-MSCHAPv2

    Setting it to AES 256 works just fine, but 128 does not work. I just get a "Policy match error" from the Windows client, but I have set AES 128 in both Phase 1 and 2 (also tried with auto on Phase 2).
    Is AES-128 not supported using this method?

    Also, is https://play.google.com/store/apps/details?id=org.strongswan.android not working with this? Again, I followed the guide, but just get "Failed to establish VPN: User authentication failed."

    Looking at the logs I get this on the Android app:

    Phase 1 Hash Algorithm Mismatch

    charon: 10[ENC] parsed INFORMATIONAL_V1 request 2774552374 [ N(NO_PROP) ]
    charon: 10[IKE] received NO_PROPOSAL_CHOSEN error notify

    Am I missing something?

    Running 2.4.2-RELEASE-p1

  • I was struggling with the same issue. If you haven't solved it yet, my suggestion:

    At the VPN configuration -> Mobile Client try editing "Phase 1" -> "Phase 1 Proposal (Algorithms)" -> choose "DH Group" = 14 (2048 bits)

    If you have already done so, change logging level under "VPN" -> "IPSec" -> "Advanced Settings" to "Control". Afterwards you will probably find out the error in the system logs -> IPsec.

    Good luck and have fun!


  • For the details of the Windows VPN Client settings have a look here:

