Netgate Discussion Forum
    IKEv2 Policy Match Error on Windows 10 Client
    7 Posts 3 Posters 4.3k Views
      VioSpeed (last edited by VioSpeed)

      Hello,

      Just trying to get IKEv2 working and followed the instructions here:

      https://docs.netgate.com/pfsense/en/latest/vpn/ipsec/configuring-an-ipsec-remote-access-mobile-vpn-using-ikev2-with-eap-mschapv2.html

      and here:

      https://forum.netgate.com/topic/113227/ikev2-vpn-for-windows-10-and-osx-how-to/2

      I then created a VPN adapter in Windows 10 with the following PowerShell command (domain name omitted):

      Add-VpnConnection -Name "IKEv2" -ServerAddress "domain-name" -TunnelType IKEv2 -EncryptionLevel Required -AuthenticationMethod EAP -SplitTunneling -AllUserConnection
      

      When I try to connect, it prompts me for my username and password, and after that it gives me a "policy match error".

      The IPSEC logs show:

      Feb 2 18:07:05	charon		06[CFG] <11> no acceptable DIFFIE_HELLMAN_GROUP found
      Feb 2 18:07:05	charon		06[CFG] <11> selecting proposal:
      Feb 2 18:07:05	charon		06[CFG] <11> no acceptable ENCRYPTION_ALGORITHM found
      Feb 2 18:07:05	charon		06[CFG] <11> selecting proposal:
      Feb 2 18:07:05	charon		06[CFG] <11> no acceptable ENCRYPTION_ALGORITHM found
      Feb 2 18:07:05	charon		06[CFG] <11> selecting proposal:
      Feb 2 18:07:05	charon		06[CFG] <11> no acceptable ENCRYPTION_ALGORITHM found
      Feb 2 18:07:05	charon		06[CFG] <11> selecting proposal:
      Feb 2 18:07:05	charon		06[CFG] <11> no acceptable ENCRYPTION_ALGORITHM found
      Feb 2 18:07:05	charon		06[CFG] <11> selecting proposal:
      Feb 2 18:07:05	charon		06[CFG] <11> no acceptable ENCRYPTION_ALGORITHM found
      Feb 2 18:07:05	charon		06[CFG] <11> selecting proposal:
      Feb 2 18:07:05	charon		06[CFG] <11> no acceptable ENCRYPTION_ALGORITHM found
      Feb 2 18:07:05	charon		06[CFG] <11> received proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:3DES_CBC/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024
      Feb 2 18:07:05	charon		06[CFG] <11> configured proposals: IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_SHA1_96/AES_XCBC_96/AES_CMAC_96/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048, IKE:AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048
      Feb 2 18:07:05	charon		06[CFG] <11> looking for IKEv2 configs for xx.xx.xx.xx...xx.xx.xx.xx
      Feb 2 18:07:05	charon		06[CFG] <11> candidate: %any...%any, prio 24
      Feb 2 18:07:05	charon		06[IKE] <11> remote host is behind NAT
      Feb 2 18:07:05	charon		06[IKE] <11> received proposals unacceptable
      Feb 2 18:07:05	charon		06[ENC] <11> generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
      Feb 2 18:07:05	charon		06[NET] <11> sending packet: from xx.xx.xx.xx[500] to xx.xx.xx.xx[500] (36 bytes)
      Feb 2 18:07:05	charon		06[IKE] <11> IKE_SA (unnamed)[11] state change: CONNECTING => DESTROYING
      

      Why isn't it finding an acceptable DH group and encryption algo?

      Here is my IKEv2 setup:

      https://imgur.com/ETm4JL6

      I've tried a few different changes but I can't get it to connect.

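An added example, not from this thread or from pfSense/strongSwan: it reproduces charon's proposal selection over the two log lines above to show which transform type has no value in common. The "received proposals" line is retyped from the log as a constructed sample, the "configured proposals" line is trimmed to the transforms that matter, and FIXED is the Phase 1 the poster later sets (ike = aes256-sha256-modp1024!).

```python
import re
# Constructed sample: the received line is the one from the charon log above; the
# configured line is trimmed to the transforms that matter for the comparison.
LOG = """\
Feb 2 18:07:05 charon 06[CFG] <11> received proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:3DES_CBC/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024
Feb 2 18:07:05 charon 06[CFG] <11> configured proposals: IKE:AES_CBC_128/AES_CBC_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA1_96/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA1/ECP_256/CURVE_25519/MODP_2048, IKE:AES_GCM_16_256/PRF_HMAC_SHA2_256/ECP_256/MODP_2048
"""
# The Phase 1 the poster later set in pfSense: ike = aes256-sha256-modp1024!
FIXED = "IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024"
LOG_RE = re.compile(r"(received|configured) proposals: (.*)$")


def classify(name):
    """Map a strongSwan transform name to its IKE transform type."""
    if name.startswith("PRF_"):
        return "prf"
    if name.startswith(("MODP_", "ECP_", "CURVE_")):
        return "dh"
    if name.startswith(("HMAC_", "AES_XCBC", "AES_CMAC")):
        return "integ"
    return "enc"  # AES_CBC, AES_GCM, 3DES_CBC, CAMELLIA_CBC, ...


def parse_proposals(text):
    """Turn 'IKE:a/b/c, IKE:d/e' into a list of {type: set(transforms)}."""
    proposals = []
    for chunk in text.split(","):
        prop = {}
        for t in chunk.strip().split(":", 1)[-1].split("/"):
            prop.setdefault(classify(t), set()).add(t)
        proposals.append(prop)
    return proposals


def match(received, configured):
    """Like charon: first client proposal overlapping a configured one on every
    transform type wins; on failure, report client transforms no config offers."""
    missing = {}
    for r in received:
        for c in configured:
            if r.keys() == c.keys() and all(r[t] & c[t] for t in r):
                return True, {t: r[t] & c[t] for t in r}
        for t, wanted in r.items():
            offered = set().union(*(c.get(t, set()) for c in configured))
            if not wanted & offered:
                missing.setdefault(t, set()).update(wanted)
    return False, missing


def diagnose(log_text):
    """Pull both proposal lines out of a charon log excerpt and compare them."""
    found = {m.group(1): parse_proposals(m.group(2))
             for m in map(LOG_RE.search, log_text.splitlines()) if m}
    return match(found["received"], found["configured"])
```

Running diagnose(LOG) returns (False, {"dh": {"MODP_1024"}}): every client proposal insists on MODP_1024 and the server offers none, which is the "no acceptable DIFFIE_HELLMAN_GROUP found" line. Matching the client with modp1024 on the server makes the negotiation succeed but keeps a 1024-bit group; raising the Windows client's proposal (the pfSense docs' script does that) is the stronger fix.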
        jimp (Rebel Alliance Developer, Netgate)

        What do the proposal lines look like in /var/etc/ipsec/ipsec.conf ?

        I wonder if you have too many options selected and it overran the line buffer. Try removing some of the unnecessary combinations. Like in the configured proposals it has things like Camellia and every possible DH group. That is not likely to be what you'd really want to allow/support.

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

          VioSpeed @jimp (last edited by VioSpeed)

          @jimp Hi jimp, thanks for taking the time to look into my issue.

          I have now only selected DH group 2 (1024), yet it's still coming up with a bunch of configured proposals that I didn't select. Is there a configuration error causing all those additional proposals to come up? Which one is supported on the Windows 10 1909 client?

          Phase1:
          https://imgur.com/a/MtLqIx8

          Phase 2:
          https://imgur.com/a/cpbojEm

          Here is my ipsec conf:

          # This file is automatically generated. Do not edit
          config setup
                  uniqueids = yes
          
          conn bypasslan
                  leftsubnet = xx.xx.164.0/22
                  rightsubnet = xx.xx.164.0/22
                  authby = never
                  type = passthrough
                  auto = route
          
          conn con-mobile
                  fragmentation = yes
                  keyexchange = ikev2
                  reauth = yes
                  forceencaps = no
                  mobike = no
          
                  rekey = yes
                  installpolicy = yes
                  type = tunnel
                  dpdaction = clear
                  dpddelay = 10s
                  dpdtimeout = 60s
                  auto = add
                  left = xx.xx.191.2
                  right = %any
                  leftid = fqdn:domain ommitted
                  ikelifetime = 28800s
                  lifetime = 3600s
                  rightsourceip = 172.16.10.0/24
                  ike = aes256-sha256-modp1024!
                  esp = aes256-sha1,aes256-sha256,aes256-sha384,aes256-sha512!
                  eap_identity=%any
                  leftauth=pubkey
                  rightauth=eap-mschapv2
                  leftcert=/var/etc/ipsec/ipsec.d/certs/cert-1.crt
                  leftsendcert=always
                  leftsubnet = xx.xx.164.0/22
          
            jimp (Rebel Alliance Developer, Netgate)

            What is in that ipsec.conf looks like what you have selected in the GUI (ike is the Phase 1 proposal, and esp is the Phase 2 proposal).

            Are you saying the log still shows all the other entries?

            Maybe try stopping and then starting the ipsec service (do not use the 'restart' button) to see if that changes the behavior.


              VioSpeed @jimp

              @jimp

              Yep, the IPSEC conf file doesn't match what I have configured in the Phase 1 & Phase 2 settings.

              I have now tried stopping the IPSEC service and starting it rather than restarting and it's still coming up with the same logs shown below.

              I would like to point out that I have 2 sites where I have set this up recently with identical settings, except for the external IP information / domain names, and it's happening on both sites.

              Feb 5 09:17:06	charon		01[CFG] <1> received proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:3DES_CBC/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024
              Feb 5 09:17:06	charon		01[CFG] <1> configured proposals: IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_SHA1_96/AES_XCBC_96/AES_CMAC_96/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048, IKE:AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048
              Feb 5 09:17:06	charon		01[IKE] <1> remote host is behind NAT
              Feb 5 09:17:06	charon		01[IKE] <1> received proposals unacceptable
              Feb 5 09:17:06	charon		01[ENC] <1> generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
              Feb 5 09:17:06	charon		01[NET] <1> sending packet: from xx[500] to xx[500] (36 bytes)
              Feb 5 09:17:06	charon		01[IKE] <1> IKE_SA (unnamed)[1] state change: CONNECTING => DESTROYING
              
                VioSpeed (last edited by VioSpeed)

                Just an update if others come across this. I have now successfully connected using IKEv2. What I did was change the phase 1 remote gateway from "any" to our public IP address. I noticed in the /var/etc/ipsec/ipsec.conf file that the "left" IP was listening on our internal WAN IP on the WAN interface rather than the public IP address.

                conn con-mobile
                	fragmentation = yes
                	keyexchange = ikev2
                	reauth = yes
                	forceencaps = no
                	mobike = no
                
                	rekey = yes
                	installpolicy = yes
                	type = tunnel
                	dpdaction = clear
                	dpddelay = 10s
                	dpdtimeout = 60s
                	auto = add
                	left = 10.x.x.x
                
                  SteveITS (Galactic Empire) @VioSpeed

                  I know this is an old topic, but I got here from searching the error message. In our case the person adding the VPN didn't use the .ps1 file from pfSense to do it, and Windows 11 24H2 still apparently uses weak algos by default.

                  Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
                  When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
                  Upvote 👍 helpful posts!

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.