Troubleshooting StrongSwan “NO_PROPOSAL_CHOSEN” Error with Cisco ASA IKEv1 VPN Connection



When working with StrongSwan (version 5.5.1-4+deb9u1) on Debian Linux trying to establish an IKEv1 VPN connection to a Cisco ASA firewall, many administrators encounter the frustrating "NO_PROPOSAL_CHOSEN" error. The issue typically occurs during the Quick Mode phase after successful XAuth authentication.

The debug output shows several important details:

received packet: from ASA_IP_ADDRESS[4500] to 192.168.7.117[4500] (84 bytes)
parsed INFORMATIONAL_V1 request 3744028568 [ HASH D ]
received DELETE for IKE_SA asavpn[1]
deleting IKE_SA asavpn[1] between 192.168.7.117[PRZ]...ASA_IP_ADDRESS[ASA_IP_ADDRESS]
establishing connection 'asavpn' failed

The current StrongSwan configuration uses:

conn asavpn
    aggressive=yes
    ike=3des-sha1-modp1024!
    esp=3des-sha1!
    xauth=client
    keyexchange=ikev1

While the ASA seems to accept these parameters during IKE negotiation, the connection fails during IPsec SA establishment.

Phase 1 (IKE) Parameters

The ike-scan output reveals the ASA's supported parameters:

Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800

Ensure your StrongSwan configuration matches exactly:

ike=3des-sha1-modp1024!
ikelifetime=28800s

Phase 2 (IPsec) Parameters

The most common cause of NO_PROPOSAL_CHOSEN is ESP proposal mismatch. Add explicit ESP proposals:

esp=3des-sha1,3des-sha256,aes128-sha1,aes256-sha1!
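As an added illustration (not from the original post and not strongSwan's own code), the following Python script applies the matching rule from the Phase 1 and Phase 2 sections mechanically: it parses the ike-scan SA line and an ASA transform-set line into one common form and lists which of the configured ike=/esp= proposals the peer would accept; an empty list is exactly the situation that yields NO_PROPOSAL_CHOSEN. The transform-set line is a constructed sample, and the algorithm tables cover only the ciphers used on this page plus a few common ones.

```python
import re

# strongSwan ike=/esp= tokens -> normalized (enc, keylen) / integrity / DH group.
# Only the algorithms used on this page plus a few common ones; extend as needed.
ENC = {"3des": ("3DES", None), "aes128": ("AES", 128), "aes256": ("AES", 256)}
INTEG = {"md5": "MD5", "sha1": "SHA1", "sha256": "SHA256"}
DH = {"modp1024": 2, "modp1536": 5, "modp2048": 14}
# Cisco transform-set keywords -> the same normalized values.
CISCO_ENC = {"esp-3des": ("3DES", None), "esp-aes": ("AES", 128),
             "esp-aes-256": ("AES", 256)}
CISCO_INTEG = {"esp-md5-hmac": "MD5", "esp-sha-hmac": "SHA1",
               "esp-sha256-hmac": "SHA256"}

def parse_strongswan(spec):
    """'3des-sha1-modp1024!' -> [(enc, keylen, integ, group), ...]; group is None
    for ESP proposals without PFS, and the trailing '!' only marks the list strict."""
    props = []
    for item in spec.rstrip("!").split(","):
        parts = item.split("-")
        enc, keylen = ENC[parts[0]]
        group = DH[parts[2]] if len(parts) > 2 else None
        props.append((enc, keylen, INTEG[parts[1]], group))
    return props

def parse_ike_scan_sa(line):
    """Phase 1 offer from ike-scan's 'SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 ...)'.
    Assumes AES key sizes show up as a KeyLength=... attribute."""
    attrs = dict(re.findall(r"(\w+)=([\w:]+)", line))
    keylen = int(attrs["KeyLength"]) if "KeyLength" in attrs else None
    return (attrs["Enc"], keylen, attrs["Hash"], int(attrs["Group"].split(":")[0]))

def parse_cisco_transform_set(line):
    """'crypto ipsec transform-set NAME esp-3des esp-sha-hmac' -> (enc, keylen, integ)."""
    enc = keylen = integ = None
    for tok in line.split():
        if tok in CISCO_ENC:
            enc, keylen = CISCO_ENC[tok]
        elif tok in CISCO_INTEG:
            integ = CISCO_INTEG[tok]
    return (enc, keylen, integ)

def matching_proposals(client_spec, peer):
    """Client proposals the peer accepts; an empty list means NO_PROPOSAL_CHOSEN.
    A peer tuple without a DH group (ESP, no PFS) is compared on enc/keylen/integ only."""
    return [p for p in parse_strongswan(client_spec) if p[:len(peer)] == peer]

if __name__ == "__main__":
    asa_sa = "SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800)"
    print("IKE:", matching_proposals("3des-sha1-modp1024!", parse_ike_scan_sa(asa_sa)))
    ts = "crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac"  # constructed sample
    print("ESP:", matching_proposals("3des-sha1!", parse_cisco_transform_set(ts)))
```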

NAT-Traversal Considerations

Since the logs indicate NAT is involved:

local host is behind NAT, sending keep alives

Ensure proper NAT-T configuration:

forceencaps=yes
dpddelay=30s
dpdtimeout=150s
dpdaction=restart

Here's a verified working configuration:

conn asavpn
    # Basic parameters
    left=%defaultroute
    leftauth=psk
    leftauth2=xauth
    leftid=PRZ
    right=ASA_IP_ADDRESS
    rightid=@ASA_IP_ADDRESS
    rightauth=psk
    auto=add
    
    # IKEv1 parameters
    keyexchange=ikev1
    aggressive=yes
    ike=3des-sha1-modp1024!
    ikelifetime=28800s
    
    # ESP parameters
    esp=3des-sha1!
    
    # XAuth parameters
    xauth=client
    xauth_identity="vpn-user123"
    
    # NAT-T parameters
    forceencaps=yes
    dpddelay=30s
    dpdtimeout=150s
    dpdaction=restart
    
    # Network parameters
    leftsourceip=%config
    leftsubnet=192.168.7.0/24
    rightsubnet=0.0.0.0/0
    leftdns=172.51.2.47,172.51.2.50

Enable detailed logging:

charondebug="ike 4, knl 4, cfg 4, enc 4, net 4"

Verify IKE proposals with:

sudo ike-scan -v -v ASA_IP_ADDRESS

Check for mismatched authentication methods or incorrect PSK formats in ipsec.secrets:

# pre-shared key for the IKE SA
PRZ@%any ASA_IP_ADDRESS : PSK "correct_psk_here"
# XAuth credentials for the user given as xauth_identity
vpn-user123 : XAUTH "xauth_password_here"

If the issue persists, try these additional steps:

1. Capture network traffic:

sudo tcpdump -i eth0 -n -s0 -w vpn.pcap host ASA_IP_ADDRESS

2. Verify the ASA's transform set configuration matches your StrongSwan ESP proposal.

3. Check for any ACLs or firewall rules that might be blocking traffic on UDP 500/4500.

4. Test with different ESP encryption algorithms if the ASA administrator can modify the transform set.


When attempting to establish an IKEv1 VPN connection between StrongSwan (v5.5.1) and Cisco ASA, you might encounter the dreaded NO_PROPOSAL_CHOSEN error. The key indicators from your logs show successful XAuth authentication but failure during Quick Mode (Phase 2), i.e. after Phase 1 has already completed.

First, verify the ASA's supported proposals:

$ ike-scan -v -v ASA_IP_ADDRESS
DEBUG: pkt len=336 bytes, bandwidth=56000 bps, int=52000 us
ASA_IP_ADDRESS Main Mode Handshake returned 
HDR=(CKY-R=79f5d28631ffd07f) 
SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800)

Your current StrongSwan configuration shows:

conn asavpn
    leftauth=psk
    leftauth2=xauth
    aggressive=yes
    ike=3des-sha1-modp1024!
    esp=3des-sha1!
    xauth=client
    keyexchange=ikev1
    rightsubnet=0.0.0.0/0
    rightauth=psk

The most common causes and solutions:

1. Phase 2 Proposal Mismatch

Add explicit Phase 2 proposals matching ASA's defaults:

conn asavpn
    ...
    esp=aes256-sha1,3des-sha1!
    ikelifetime=28800s
    lifetime=3600s
    rekeymargin=540s

2. NAT-T Compatibility

Force NAT-T when behind NAT:

conn asavpn
    ...
    # strongSwan detects NAT itself; forceencaps makes UDP encapsulation unconditional.
    # (nat-ikev1-method is a Libreswan keyword and is not understood by strongSwan.)
    forceencaps=yes

3. Perfect Forward Secrecy

Ensure the PFS group matches the ASA's crypto map. In strongSwan 5.x the pfs= and pfsgroup= keywords are obsolete; the PFS group is appended to the esp= proposal instead:

conn asavpn
    ...
    esp=aes256-sha1-modp1024,3des-sha1-modp1024!

Increase logging verbosity:

config setup
    charondebug="ike 4, knl 4, cfg 4, enc 4, net 4"

Check for these critical log entries:

  • Successful Phase 1 completion
  • Received DELETE notification
  • Phase 2 proposal comparisons
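As an added illustration (not from the original post), the following Python snippet runs these checks over a constructed charon log excerpt: it flags which stages were reached and, where both the received and the configured Phase 2 proposals were logged, lists the algorithms that differ between the two sides. The log wording is modelled on strongSwan's messages and on the debug output quoted at the top of this page, but the excerpt itself is constructed, not a real capture.

```python
import re

# Constructed charon log excerpt (not a real capture); the DELETE lines mirror
# the debug output quoted at the top of this page.
SAMPLE_LOG = """\
12[IKE] IKE_SA asavpn[1] established between 192.168.7.117[PRZ]...ASA_IP_ADDRESS[ASA_IP_ADDRESS]
12[IKE] local host is behind NAT, sending keep alives
12[IKE] XAuth authentication of 'vpn-user123' successful
12[CFG] received proposals: ESP:AES_CBC_256/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ
12[CFG] configured proposals: ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ
12[IKE] no matching proposal found, sending NO_PROPOSAL_CHOSEN
12[IKE] received DELETE for IKE_SA asavpn[1]
12[IKE] deleting IKE_SA asavpn[1] between 192.168.7.117[PRZ]...ASA_IP_ADDRESS[ASA_IP_ADDRESS]
"""

# The stages this page says to look for, in negotiation order.
STAGES = [
    ("phase1_established", r"IKE_SA \S+ established"),
    ("behind_nat", r"local host is behind NAT"),
    ("xauth_ok", r"XAuth authentication of .* successful"),
    ("no_proposal_chosen", r"NO_PROPOSAL_CHOSEN"),
    ("delete_received", r"received DELETE for IKE_SA"),
]

def proposal_algs(line):
    """'... proposals: ESP:AES_CBC_256/HMAC_SHA1_96/...' -> set of algorithm names."""
    body = line.split("proposals:", 1)[1]
    return {alg for prop in body.split(",")
            for alg in prop.strip().split(":", 1)[1].split("/")}

def triage(log):
    """Report reached stages, the side-by-side proposal difference if both sides'
    proposals were logged, and the phase in which the negotiation died."""
    report = {name: False for name, _ in STAGES}
    received = configured = None
    for line in log.splitlines():
        for name, pattern in STAGES:
            if re.search(pattern, line):
                report[name] = True
        if "received proposals:" in line:
            received = proposal_algs(line)
        elif "configured proposals:" in line:
            configured = proposal_algs(line)
    if received and configured:
        report["peer_only"] = sorted(received - configured)   # offered by ASA, missing locally
        report["local_only"] = sorted(configured - received)  # configured locally, not offered
    if not report["phase1_established"]:
        report["failed_in"] = "Phase 1"
    elif report["no_proposal_chosen"] or report["delete_received"]:
        report["failed_in"] = "Phase 2 (Quick Mode)"
    else:
        report["failed_in"] = None
    return report
```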

Here's a verified working config:

conn asavpn
    auto=add
    aggressive=yes
    leftauth=psk
    leftauth2=xauth
    rightauth=psk
    left=%any
    leftsourceip=%config
    right=ASA_IP_ADDRESS
    rightsubnet=0.0.0.0/0
    ike=3des-sha1-modp1024!
    # PFS: in strongSwan 5.x the DH group is part of the esp= proposal
    # (pfs= and pfsgroup= are obsolete)
    esp=aes256-sha1-modp1024,3des-sha1-modp1024!
    keyexchange=ikev1
    xauth=client
    xauth_identity="vpn-user123"
    ikelifetime=28800s
    lifetime=3600s
    rekey=yes
    rekeymargin=540s
    fragmentation=yes
    forceencaps=yes
    dpddelay=30s
    dpdtimeout=150s
    dpdaction=restart