I cannot connect to VPN using strongswan or ovpn on linux

My server is a Sophos Firewall XG125 (SFOS 17.5.16 MR-16-Build830). Sophos Connect works perfectly, but the .ovpn file downloaded (via the user interface) will not connect. I also used the details from the .tgb to build a config file for strongSwan, but it didn't work. What can I do to establish a connection?

My OVPN file

client
dev tun
proto udp
explicit-exit-notify
verify-x509-name "C=NG, ST=FCT, L=AB, O=ANA, OU=OU, CN=SophosApplianceCertificate_C1A0CATH7TQ9RD3, emailAddress=adminemail@mail.com"
resolv-retry infinite
nobind
persist-key
persist-tun
<ca>
-----BEGIN CERTIFICATE-----
(Insert your CA Certificate here)
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
(Insert your Client Certificate here)
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
(Insert your Private Key here)
-----END PRIVATE KEY-----
</key>
# Ensure credentials are provided
auth-user-pass
cipher AES-128-CBC
data-ciphers AES-256-GCM:AES-128-GCM
auth SHA256
comp-lzo yes
auth-nocache
route-delay 4
verb 5
reneg-sec 86400
remote ServerIP 8443
remote 10.255.255.1 8443
remote 10.255.0.1 8443

  • my ipsec.conf

    conn rmcnx6
        keyexchange=ikev2
        left=%any
        leftid=<your_local_id>
        leftauth=psk
        right=197.159.66.165
        rightauth=psk
        # Phase 1 proposal
        ike=aes256-sha256-modp2048
        # Phase 2 proposal
        esp=aes256-sha256-modp2048
        dpdaction=restart
        dpddelay=60s
        dpdtimeout=90s
        auto=start
        rightsubnet=0.0.0.0/0
        leftsourceip=%config

    ipsec.secrets
    : PSK "<your_preshared_key>"


    error I get

    parsed IKE_SA_INIT response 0 [ N(NO_PROP) ]
    received NO_PROPOSAL_CHOSEN notify error
    establishing connection 'rmcnx6' failed

  • Hello,

    Seems like policy mismatch. You may refer to the below KBA to troubleshoot it further:

     Sophos Firewall: Troubleshooting site to site IPsec VPN issues 

    While connecting the VPN, you can log in to the advanced shell of the firewall. Add the strongswan service in debug and later collect strongswan.log while attempting to connect the VPN.

    Mayur Makvana
    Technical Account Manager | Global Customer Experience

    Sophos Support Videos | Knowledge Base  |  @SophosSupport | Sign up for SMS Alerts |
    If a post solves your question please use the 'Verify Answer' button.
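    The reply above points at a proposal (policy) mismatch and at strongswan.log on the firewall. As an added example that is not part of the thread, the script below parses the "received proposals" / "configured proposals" lines charon writes at cfg log level and reports which transform of the initiator's offer the responder has not configured; the sample log lines are constructed, and the responder's aes128-sha1-modp1024 policy is an assumption.

```python
import re
# Constructed sample log (not from the thread): the Linux side offers the poster's
# aes256-sha256-modp2048 policy; the responder is assumed to allow only aes128-sha1-modp1024.
SAMPLE_LOG = """\
05[CFG] received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
05[CFG] configured proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
05[IKE] no matching proposal found, sending NO_PROPOSAL_CHOSEN
"""
LINE_RE = re.compile(r"(received|configured) proposals: (.+)$")
PROP_RE = re.compile(r"(?:IKE|ESP):([A-Z0-9_/]+)")
def kind(alg):
    """Bucket a strongSwan algorithm name by transform type (enc/integ/prf/dh/esn)."""
    if alg.startswith("PRF_"):
        return "prf"
    if alg.startswith(("HMAC_", "AUTH_", "AES_XCBC", "AES_CMAC")):
        return "integrity"
    if alg.startswith(("MODP_", "ECP_", "CURVE_")):
        return "dh"
    return "esn" if alg.endswith("EXT_SEQ") else "encryption"

def by_type(prop):
    groups = {}  # {transform type: set of algorithm names} for one proposal
    for alg in prop:
        groups.setdefault(kind(alg), set()).add(alg)
    return groups

def parse_proposals(log_text):
    """Collect proposal sets from 'received proposals:' / 'configured proposals:' lines."""
    found = {"received": [], "configured": []}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            found[m.group(1)] += [set(p.split("/")) for p in PROP_RE.findall(m.group(2))]
    return found

def diagnose(log_text):
    """match=True if a received proposal overlaps a configured one in every transform type; else list what the responder lacks per type."""
    p = parse_proposals(log_text)
    for r in p["received"]:
        for c in p["configured"]:
            rt, ct = by_type(r), by_type(c)
            if all(rt[t] & ct.get(t, set()) for t in rt):
                return {"match": True, "unmatched": {}}
    cfg_all = by_type(set().union(*p["configured"])) if p["configured"] else {}
    unmatched = {}
    for r in p["received"]:
        for t, algs in by_type(r).items():
            if not algs & cfg_all.get(t, set()):
                unmatched.setdefault(t, set()).update(algs)
    return {"match": False, "unmatched": {t: sorted(a) for t, a in unmatched.items()}}
```

    Run it against the firewall's strongswan.log (the responder side logs both lines); every entry under "unmatched" is a transform the firewall's IPsec policy has to include, or the Linux ike=/esp= line has to drop, before IKE_SA_INIT can succeed.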

  • Do I need to configure SSL VPN (site-to-site) for it to work?

  • Hello,

    No, the KBA is for reference for collecting the logs. The logs for remote access and IPsec site-to-site are the same.

    Mayur Makvana
    Technical Account Manager | Global Customer Experience


  • Hi @Omotola Adeb, what is your exact requirement? Is it IPsec RA or SSL VPN RA? What client are you using, Linux or Windows? And what remote access client are you using? Based on this, I will get back with a suggestion.

  • I just want to have successful access to the VPN via my openhead Linux (access via SSH).

    On Windows with Sophos Connect it connects successfully.
    On Windows, OpenVPN is not successful.
    On Linux, I used OpenVPN with the .ovpn file downloaded from the user side; it was not successful.
    I also used strongSwan, not successfully.

  • * On Windows, use OpenVPN Connect (downloadable from the Internet). After configuring the SSL VPN RA on SFOS, download the .ovpn file from the VPN portal (by the way, you are on a very, very old SFOS with no support; it is recommended to upgrade to v20.0 GA or the latest MRs on v20) and use this file in the OpenVPN Connect application.

    * On Linux, whether it is UI based or CLI based, you can follow the same procedure mentioned above.

    * On Linux, download strongSwan and build/install it.

    One example as below:

    /etc/strongswan.conf

    charon {
        reuse_ikesa = no
        threads = 32

        plugins {
            load-tester {
                # enable the plugin
                enable = yes
                initiators = 1
                iterations = 1
                delay = 250
                mode = tunnel
                version = 1
                initiator = <Linux ip>
                responder = <SFOS wan ip where ipsec ra configured>
                responder_id = <SFOS wan ip>
                # IKE-proposal to use
                proposal = aes128-sha1-modp1024
                # ESP-proposal to use
                esp = aes256-sha2_256-modp1024
                initiator_auth = psk
                responder_auth = psk
                preshared_key = abcdef
                authby = psk
                # disable IKE_SA rekeying (default)
                ike_rekey = 0
                initiator_tsr = <local subnet of Linux node>
                # rekey the CHILD_SA every 3200s
                child_rekey = 3200
                # do not delete the IKE_SA after it has been established (default)
                delete_after_established = no
                # do not shut down the daemon if all IKE_SAs established
                shutdown_when_complete = no
            }
        }
    }

    Configure the above given IPsec phase1, phase2 proposals, psk on SFOS.

    ipsec start   # command on the Linux node to initiate the tunnel

  • Thank you for your response. I configured strongSwan as suggested above.

    I deleted /etc/ipsec.conf and got the error below:

    root@v844776628:~# sudo rm /etc/ipsec.conf
    root@v844776628:~# sudo ipsec restart
    Stopping strongSwan IPsec...
    Starting strongSwan 5.9.5 IPsec [starter]...
    no files found matching '/etc/ipsec.conf'
    failed to open config file '/etc/ipsec.conf'
    unable to start strongSwan -- fatal errors in config

    I added it back with a few lines, then ran the command:

    config setup
    uniqueids=yes
    charondebug="ike 2, knl 2, cfg 2"


    root@v844776628:~# sudo ipsec restart
    Stopping strongSwan IPsec...
    Starting strongSwan 5.9.5 IPsec [starter]...

    root@v844776628:~# sudo ipsec start
    Starting strongSwan 5.9.5 IPsec [starter]...
    charon is already running (/var/run/charon.pid exists) -- skipping daemon start
    starter is already running (/var/run/starter.charon.pid exists) -- no fork done

    root@v844776628:~# sudo ipsec statusall
    Status of IKE charon daemon (strongSwan 5.9.5, Linux 5.15.0-122-generic, x86_64):
    uptime: 11 seconds, since Oct 08 23:40:42 2024
    malloc: sbrk 1622016, mmap 0, used 512944, free 1109072
    worker threads: 27 of 32 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 0
    loaded plugins: charon aesni aes rc2 sha2 sha1 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm drbg attr kernel-netlink resolve socket-default bypass-lan connmark stroke updown eap-mschapv2 xauth-generic counters
    Listening IP addresses:
    37.1.210.216
    Connections:
    Shunted Connections:
    Bypass LAN ::1/128: ::1/128 === ::1/128 PASS
    Bypass LAN fe80::/64: fe80::/64 === fe80::/64 PASS
    Security Associations (0 up, 0 connecting):
    none


    With this response, no successful connection was made.



  • Hi Omotola Adeb,

    I noticed that your firmware version is really old and is already end of life. Consider updating the firmware, as some issues could have been resolved through a firmware update.