Score:0

Strongswan IKEv2 vpn on Windows 10 client. I'm getting "policy match error"


My log file:

Jan 16 22:10:46 ip-172-26-4-200 charon: 05[CFG] selecting proposal:
Jan 16 22:10:46 ip-172-26-4-200 charon: 05[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Jan 16 22:10:46 ip-172-26-4-200 charon: 05[CFG] received proposals: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256
Jan 16 22:10:46 ip-172-26-4-200 charon: 05[CFG] configured proposals: IKE:AES_GCM_16_128/PRF_HMAC_SHA2_256/ECP_256
Jan 16 22:10:46 ip-172-26-4-200 charon: 05[IKE] local host is behind NAT, sending keep alives
Jan 16 22:10:46 ip-172-26-4-200 charon: 05[IKE] remote host is behind NAT

What should I set with Set-VpnConnectionIPsecConfiguration in Windows 10? I can't figure it out.

Tim
Welcome to Server Fault :) Please edit your question to have more detail, and ideally fix up the formatting (I'll do a little to help). For example: what are you connecting to? How are the source and target currently configured? Which log file is that, client or server?
Score:0

The problem is that the Windows client uses a different proposal when rekeying, which is why so many are having disconnects when the client times out (7.6 hours) and rekeys. I have yet to pin down that proposal.

Score:0

The client is proposing AES in CBC mode with HMAC-SHA2-256 as integrity protection, while the server is configured for AES in GCM mode (AEAD, combined-mode, which includes encryption and integrity protection). Change either of these to make the connection work.

On the client, use VpnConnectionIPsecConfiguration ... -EncryptionMethod GCMAES128 ... to make it use 128-bit AES-GCM for IKEv2.

On the server, you could change the IKE proposals by either adding another one with aes128 and sha256 (AEAD and classic algorithms have to be in separate proposals, e.g. aes128gcm16-prfsha256-ecp256, aes128-sha256-ecp256), so that clients are free to use one or the other, or by replacing aes128gcm16 with aes128-sha256 in the existing proposal.

You might have a similar issue with the ESP proposal, which you can fix similarly (on the Windows client, -CipherTransformConstants GCMAES128 configures AES-GCM for ESP).
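As an added example (not code from any of the posters or from strongSwan), the Python below reproduces charon's proposal matching over the two proposal lines quoted in the question's log, so you can see which transform type is the mismatch and check that the second, classic proposal suggested above makes the Windows client's offer acceptable. Classifying transforms by their strongSwan name prefix is an assumption of this example.

```python
import re

# Constructed sample input: the two proposal lines quoted in the question's charon log.
CHARON_LOG = """\
Jan 16 22:10:46 ip-172-26-4-200 charon: 05[CFG] received proposals: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256
Jan 16 22:10:46 ip-172-26-4-200 charon: 05[CFG] configured proposals: IKE:AES_GCM_16_128/PRF_HMAC_SHA2_256/ECP_256
"""

# Transform types in the order charon checks them; the first failure is the one it logs.
TRANSFORM_TYPES = ("ENCRYPTION_ALGORITHM", "INTEGRITY_ALGORITHM",
                   "PSEUDO_RANDOM_FUNCTION", "DIFFIE_HELLMAN_GROUP")

def transform_type(name):
    """Classify a transform by its strongSwan name prefix (assumption of this example)."""
    if name.startswith("PRF_"):
        return "PSEUDO_RANDOM_FUNCTION"
    if name.startswith(("HMAC_", "AES_XCBC", "AES_CMAC")):
        return "INTEGRITY_ALGORITHM"
    if name.startswith(("MODP_", "ECP_", "CURVE_")):
        return "DIFFIE_HELLMAN_GROUP"
    return "ENCRYPTION_ALGORITHM"  # AES_CBC_*, AES_GCM_*, CHACHA20_POLY1305, ...

def parse_proposal(text):
    """'IKE:AES_CBC_128/HMAC_SHA2_256_128/...' -> {transform type: set of names}."""
    by_type = {}
    for name in text.partition(":")[2].split("/"):
        by_type.setdefault(transform_type(name), set()).add(name)
    return by_type

def select_proposal(received, configured):
    """Return (matched, missing types). A pair matches only when every transform
    type present on either side has a value in common, so an AEAD proposal (no
    INTEGRITY_ALGORITHM) can never match the client's classic AES-CBC/HMAC offer."""
    best = None
    for r in received:
        for c in configured:
            missing = [t for t in TRANSFORM_TYPES
                       if (t in r or t in c) and not (r.get(t, set()) & c.get(t, set()))]
            if not missing:
                return True, []
            if best is None or len(missing) < len(best):
                best = missing
    return False, best or []

def diagnose(log):
    """Read the received/configured lines from charon's log and give its verdict."""
    found = {}
    for m in re.finditer(r"\[CFG\] (received|configured) proposals: (.+)$", log, re.M):
        found[m.group(1)] = [parse_proposal(p) for p in m.group(2).split(", ")]
    return select_proposal(found["received"], found["configured"])
```

On the question's log this reports ENCRYPTION_ALGORITHM as the first missing type, exactly as charon did; appending the aes128-sha256-ecp256 proposal to the configured line turns the verdict into a match.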
