I used the transport mode and NAT-T environment to negotiate SAs, and the method to authenticate the peer is PSK.

When I use Main Mode, IKE negotiation can be completed normally, the logs of PSK is:

Jan  6 01:24:06 09[CFG] <1> looking for pre-shared key peer configs matching 192.168.163.130...10.1.1.10[10.1.1.10]
Jan  6 01:24:06 09[CFG] <1>   candidate "trap-a", match: 1/20/3100 (me/other/ike)
Jan  6 01:24:06 09[CFG] <1> selected peer config "trap-a"

But when I use Aggressive Mode, strongswan prompts errors when processing the first received message:

Jan  6 01:45:38 05[CFG] <1> looking for pre-shared key peer configs matching 192.168.163.130...10.1.1.10[10.1.1.10]
Jan  6 01:45:38 05[IKE] <1> no peer config found

I checked the initialization log, it looks no problem, because the IDs is loaded as:

Jan  6 01:23:45 00[CFG] loading secrets from '/etc/strongswan/ipsec.secrets'
Jan  6 01:23:45 00[CFG]   loaded IKE secret for %any
Jan  6 01:23:45 00[CFG]   loaded IKE secret for %any
Jan  6 01:23:45 00[CFG]   loaded IKE secret for 10.1.1.10

My config is as blow:

ipsec.conf

conn %default
    ikelifetime=6m
    keylife=5m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev1
    ike=aes256-sha256-modp1024
    esp=aes256-sha256-modp1024
    authby=psk
    type=transport
    auto=route
    fragmentation=no
    rekey=no
    forceencaps=yes

conn trap-a
    aggressive=yes # it will set to  aggressive=no  when using main mode
    left=192.168.163.130
    leftsubnet=192.168.163.0/24
    right=10.1.1.10
    rightsubnet=10.1.1.0/24
    auto=add

ipsec.secrets

: PSK "123456"
%any : PSK "123456"
10.1.1.10 : PSK "123456"

strongswan.conf

charon {
        load_modular = yes
        i_dont_care_about_security_and_use_aggressive_mode_psk = yes
        plugins {
                include strongswan.d/charon/*.conf
        }
        install_routes = no

        filelog {
                charon {
                        path = /etc/strongswan/logs/strongswan.log
                        time_format = %b %e %T
                        ike_name = yes
                        append = no
                        default = 2
                        flush_line = yes
                }
                stderr {
                        ike = 4
                        knl = 4
                }
        }
}

include strongswan.d/*.conf

Is there any wrong with my configs?

And the network topology diagram is like:

Public network initiator --- Public network NAT --- Intranet responder
10.1.1.10-----------------10.1.1.11--192.168.163.1------192.168.163.130                                           

Thanks for help!

l2tpd configuration file :

remote access vpn configuration conn L2TP-PSK authby=psk pfs=no rekey=no keyingtries=3 keyexchange=ikev1 forceencaps=yes leftfirewall=yes leftnexthop=%defaultroute type=transport

    # ----------------------------------------------------------
    # The VPN server.
    #
    # Allow incoming connections on the external network interface.
    # If you want to use a different interface or if there is no
    # defaultroute, you can use:   left=your.ip.addr.ess
    #
left=10.102.222.125
    #
leftprotoport=17/1701
    # If you insist on supporting non-updated Windows clients,
    # you can use:    leftprotoport=17/%any
    #
    # ----------------------------------------------------------
    # The remote user(s).
    #
    # Allow incoming connections only from this IP address.
right=%any
    # If you want to allow multiple connections from any IP address,
    # you can use:    right=%any
    #
rightprotoport=17/%any
    #
    # ----------------------------------------------------------
    # Change 'ignore' to 'add' to enable this configuration.
    #
rightsubnetwithin=0.0.0.0/0
auto=add

Client was able to connect to server without any preshared key at client side instead it was able to L2TP/Ipsec with Certificate .

how to block connection with L2tp/Ipsec with certificate at server side and allow only L2tp/Ipsec with pre shared key

Strongswan version 5.7 , windows os [client]: 10

For testing purposes, I want to setup an ipsec tunnel using IKEv1 or v2 (preferably v2) that does not require any authentication - so just using the protocol to agree on the secret-keys of the ipsec tunnel and skipping the authentication. Is such an option even supported by the IKEv1 or v2 protocol? If so, how can I enable that in strongswan (what value do I need to set for leftauth and rightauth to enable this?)

Trying to troubleshoot an IPSec/IKEv1 VPN connection with Strongswan that is failing to complete phase 2 with NO_PROPOSAL_CHOSEN.

I know the solution for this error is nearly always "double-check your phase 2 proposal", but I am 100% sure that the ESP proposal is correct - it's working on a Windows box using NCP Secure Entry Client (see screenshot below).

From here I see that this error can result from mismatched encryption, auth, PFS or occasionally lifetime proposals. But mine are correct. Is there anything else that can result in NO_PROPOSAL_CHOSEN? (I have sadly no access to the responder so can't check logs or change config there).

ipsec.conf:

config setup
conn VDI
        left=%any
        leftauth=psk
        leftauth2=xauth
        leftid=userfqdn:VDI
        leftsourceip=%config
        right=163.x.y.z
        rightauth=psk
        aggressive=yes
        auto=add
        dpdaction=restart
        dpddelay=20s
        keyexchange=ikev1
        lifetime=8h
        ikelifetime=8h
        modeconfig=pull
        xauth_identity=DR400
        ike=aes256-sha1-modp2048
        esp=aes256-sha2_256-modp2048

ipsec.secrets:

: PSK "zzzzzzzzzzzzzz"
DR400 : XAUTH "xxxxxxxxxx"

charon output:

~$ sudo ipsec up VDI
initiating Aggressive Mode IKE_SA VDI[1] to 163.x.y.z
generating AGGRESSIVE request 0 [ SA KE No ID V V V V V ]
sending packet: from 192.168.1.214[500] to 163.x.y.z[500] (547 bytes)
received packet: from 163.x.y.z[500] to 192.168.1.214[500] (556 bytes)
parsed AGGRESSIVE response 0 [ SA KE No ID V V NAT-D NAT-D V V HASH ]
received DPD vendor ID
received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
received XAuth vendor ID
received unknown vendor ID: bf:c2:2e:98:56:ba:99:36:11:c1:1e:48:a6:d2:08:07:a9:5b:ed:b3:93:02:6a:49:e6:0f:ac:32:7b:b9:60:1b:56:6b:34:39:4d:54:49:75:4e:53:34:79:49:45:4a:4f:50:54:59:77:4f:54:59:79:4f:41:3d:3d
local host is behind NAT, sending keep alives
generating AGGRESSIVE request 0 [ HASH NAT-D NAT-D ]
sending packet: from 192.168.1.214[4500] to 163.x.y.z[4500] (108 bytes)
received packet: from 163.x.y.z[4500] to 192.168.1.214[4500] (124 bytes)
parsed TRANSACTION request 3540227287 [ HASH CPRQ(X_USER X_PWD X_MSG) ]
XAuth message: Please Enter Your User Name and Password :
generating TRANSACTION response 3540227287 [ HASH CPRP(X_USER X_PWD) ]
sending packet: from 192.168.1.214[4500] to 163.x.y.z[4500] (92 bytes)
received packet: from 163.x.y.z[4500] to 192.168.1.214[4500] (124 bytes)
parsed TRANSACTION request 3540227287 [ HASH CPS(ADDR MASK DNS DNS U_DEFDOM X_STATUS) ]
XAuth authentication of 'DR400' (myself) successful
IKE_SA VDI[1] established between 192.168.1.214[VDI]...163.x.y.z[163.x.y.z]
scheduling reauthentication in 27760s
maximum IKE_SA lifetime 28300s
generating TRANSACTION response 3540227287 [ HASH CPA(X_STATUS) ]
sending packet: from 192.168.1.214[4500] to 163.x.y.z[4500] (76 bytes)
generating TRANSACTION request 4217090559 [ HASH CPRQ(ADDR DNS) ]
sending packet: from 192.168.1.214[4500] to 163.x.y.z[4500] (76 bytes)
received packet: from 163.x.y.z[4500] to 192.168.1.214[4500] (92 bytes)
parsed TRANSACTION response 4217090559 [ HASH CPRP(ADDR DNS DNS) ]
installing DNS server 10.132.0.10 via resolvconf
installing DNS server 10.132.0.11 via resolvconf
installing new virtual IP 192.168.246.61
generating QUICK_MODE request 167394241 [ HASH SA No KE ID ID ]
sending packet: from 192.168.1.214[4500] to 163.x.y.z[4500] (444 bytes)
received packet: from 163.x.y.z[4500] to 192.168.1.214[4500] (92 bytes)
parsed INFORMATIONAL_V1 request 3483337871 [ HASH N(NO_PROP) ]
received NO_PROPOSAL_CHOSEN error notify
establishing connection 'VDI' failed

working windows connection:

I have tried various other ESP propsals with the same result, including:

• no esp= line
• esp=aes256-sha2_256-modp2048!
• esp=aes256-sha2_256
• esp=aes256-sha2_256!
• esp=aes256-sha1-modp2048

I've also tried setting sha256_96 = yes in ipsec.conf but again it makes no difference.

Trying to use Strongswan to connect to a work VPN and getting "selected peer config inacceptable" errors in the logs which I haven't been able to find any info on in Google:

~$ sudo ipsec up VDI
initiating Aggressive Mode IKE_SA VDI[1] to 163.x.y.z
generating AGGRESSIVE request 0 [ SA KE No ID V V V V V ]
sending packet: from 192.168.1.214[500] to 163.x.y.z[500] (547 bytes)
received packet: from 163.x.y.z[500] to 192.168.1.214[500] (556 bytes)
parsed AGGRESSIVE response 0 [ SA KE No ID V V NAT-D NAT-D V V HASH ]
received DPD vendor ID
received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
received XAuth vendor ID
received unknown vendor ID: bf:c2:2e:98:56:ba:99:36:11:c1:1e:48:a6:d2:08:07:a9:5b:ed:b3:93:02:6a:49:e6:0f:ac:32:7b:b9:60:1b:56:6b:34:39:4d:54:49:75:4e:53:34:79:49:45:4a:4f:50:54:59:77:4f:54:59:79:4f:41:3d:3d
local host is behind NAT, sending keep alives
generating AGGRESSIVE request 0 [ HASH NAT-D NAT-D ]
sending packet: from 192.168.1.214[4500] to 163.x.y.z[4500] (108 bytes)
received packet: from 163.x.y.z[4500] to 192.168.1.214[4500] (124 bytes)
parsed TRANSACTION request 3165206765 [ HASH CPRQ(X_USER X_PWD X_MSG) ]
XAuth message: Please Enter Your User Name and Password :
generating TRANSACTION response 3165206765 [ HASH CPRP(X_USER X_PWD) ]
sending packet: from 192.168.1.214[4500] to 163.x.y.z[4500] (92 bytes)
received packet: from 163.x.y.z[4500] to 192.168.1.214[4500] (124 bytes)
parsed TRANSACTION request 3165206765 [ HASH CPS(ADDR MASK DNS DNS U_DEFDOM X_STATUS) ]
selected peer config 'VDI' inacceptable
no alternative config found
XAuth authentication of 'DR400' (myself) failed
IKE_SA VDI[1] established between 192.168.1.214[VDI]...163.x.y.z[163.x.y.z]
scheduling reauthentication in 28180s
maximum IKE_SA lifetime 28720s
generating TRANSACTION response 3165206765 [ HASH CPA(X_STATUS) ]
sending packet: from 192.168.1.214[4500] to 163.x.y.z[4500] (76 bytes)
generating TRANSACTION request 2622082016 [ HASH CPRQ(ADDR DNS) ]
sending packet: from 192.168.1.214[4500] to 163.x.y.z[4500] (76 bytes)
received packet: from 163.x.y.z[4500] to 192.168.1.214[4500] (92 bytes)
parsed TRANSACTION response 2622082016 [ HASH CPRP(ADDR DNS DNS) ]
installing DNS server 10.132.0.10 via resolvconf
installing DNS server 10.132.0.11 via resolvconf
installing new virtual IP 192.168.246.108
generating QUICK_MODE request 1906245246 [ HASH SA No KE ID ID ]
sending packet: from 192.168.1.214[4500] to 163.x.y.z[4500] (444 bytes)
received packet: from 163.x.y.z[4500] to 192.168.1.214[4500] (92 bytes)
parsed INFORMATIONAL_V1 request 3184934143 [ HASH N(NO_PROP) ]
received NO_PROPOSAL_CHOSEN error notify
establishing connection 'VDI' failed

ipsec.conf:

config setup
conn VDI
        left=%any
        leftauth=psk
        leftauth2=xauth
        leftid=userfqdn:VDI
        leftsourceip=%config
        right=163.x.y.z
        rightauth=psk
        rightauth2=xauth
        aggressive=yes
        auto=add
        dpdaction=restart
        dpddelay=20s
        keyexchange=ikev1
        lifetime=8h
        ikelifetime=8h
        modeconfig=pull
        xauth_identity=DR400
        ike=aes256-sha1-modp2048
        esp=aes256-sha2_256-modp2048

ipsec.secret:

: PSK "zzzzzzzzzzzzzz"
DR400 : XAUTH "xxxxxxxxxx"

It looks to me like phase 1 is successful, but then I can't see why I get NO_PROPOSAL_CHOSEN at phase 2. I am 100% sure the esp propsal and lifetimes are correct (they work from a different VPN client on a Windows machine).

But I don't really understand the lines:

selected peer config 'VDI' inacceptable
no alternative config found
XAuth authentication of 'DR400' (myself) failed

If the XAuth password is actually wrong the responder sends XAuth message: User Authentication Failed ! Try Again. What could be causing "selected peer config inacceptable" and this early XAuth failure?