Strongswan IKEv2 vpn on Windows 10 client. I'm getting "policy match error"

my log file:

Jan 16 22:10:46 ip-172-26-4-200 charon: 05[CFG] selecting proposal:
Jan 16 22:10:46 ip-172-26-4-200 charon: 05[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Jan 16 22:10:46 ip-172-26-4-200 charon: 05[CFG] received proposals: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256
Jan 16 22:10:46 ip-172-26-4-200 charon: 05[CFG] configured proposals: IKE:AES_GCM_16_128/PRF_HMAC_SHA2_256/ECP_256
Jan 16 22:10:46 ip-172-26-4-200 charon: 05[IKE] local host is behind NAT, sending keep alives
Jan 16 22:10:46 ip-172-26-4-200 charon: 05[IKE] remote host is behind NAT

What should I set by Set-VpnConnectionIPsecConfiguration in windows10? I can't figure out.

Problem is Windows client uses a different Proposal when rekeying. Which is why so many are having disconnects when the client timeouts (7.6 hours) and rekeys. I have yet to pin down that proposal.

The client is proposing AES in CBC mode with HMAC-SHA2-256 as integrity protection, while the server is configured for AES in GCM mode (AEAD, combined-mode, which includes encryption and integrity protection). Change either of these to make the connection work.

On the client, use VpnConnectionIPsecConfiguration ... -EncryptionMethod GCMAES128 ... to make it use 128-bit AES-GCM for IKEv2.

On the server, you could change the IKE proposals by either adding another one with aes128 and sha256 (AEAD and classic algorithms have to be in separate proposals, e.g. aes128gcm16-prfsha256-ecp256, aes128-sha256-ecp256), clients are then free to use one or the other, or replace aes128gcm16 with aes128-sha256 in the existing proposal.

You might have a similar issue with the ESP proposal, which you can fix similarly (on the Windows client, -CipherTransformConstants GCMAES128 configures AES-GCM for ESP).