IKEv2 Policy Match Error on Windows 10 Client



  • Hello,

    Just trying to get IKEv2 working and followed the instructions here:

    https://docs.netgate.com/pfsense/en/latest/vpn/ipsec/configuring-an-ipsec-remote-access-mobile-vpn-using-ikev2-with-eap-mschapv2.html

    and here:

    https://forum.netgate.com/topic/113227/ikev2-vpn-for-windows-10-and-osx-how-to/2

    I then created a VPN adapter in Windows 10 with the following PowerShell command (domain name omitted)

    Add-VpnConnection -Name "IKEv2" -ServerAddress "domain-name" -TunnelType IKEv2 -EncryptionLevel Required -AuthenticationMethod EAP -SplitTunneling -AllUserConnection
    

    When I try to connect it prompts me for my username and password and after it gives me a "policy match error"

    The IPSEC logs show:

    Feb 2 18:07:05	charon		06[CFG] <11> no acceptable DIFFIE_HELLMAN_GROUP found
    Feb 2 18:07:05	charon		06[CFG] <11> selecting proposal:
    Feb 2 18:07:05	charon		06[CFG] <11> no acceptable ENCRYPTION_ALGORITHM found
    Feb 2 18:07:05	charon		06[CFG] <11> selecting proposal:
    Feb 2 18:07:05	charon		06[CFG] <11> no acceptable ENCRYPTION_ALGORITHM found
    Feb 2 18:07:05	charon		06[CFG] <11> selecting proposal:
    Feb 2 18:07:05	charon		06[CFG] <11> no acceptable ENCRYPTION_ALGORITHM found
    Feb 2 18:07:05	charon		06[CFG] <11> selecting proposal:
    Feb 2 18:07:05	charon		06[CFG] <11> no acceptable ENCRYPTION_ALGORITHM found
    Feb 2 18:07:05	charon		06[CFG] <11> selecting proposal:
    Feb 2 18:07:05	charon		06[CFG] <11> no acceptable ENCRYPTION_ALGORITHM found
    Feb 2 18:07:05	charon		06[CFG] <11> selecting proposal:
    Feb 2 18:07:05	charon		06[CFG] <11> no acceptable ENCRYPTION_ALGORITHM found
    Feb 2 18:07:05	charon		06[CFG] <11> received proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:3DES_CBC/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024
    Feb 2 18:07:05	charon		06[CFG] <11> configured proposals: IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_SHA1_96/AES_XCBC_96/AES_CMAC_96/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048, IKE:AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048
    Feb 2 18:07:05	charon		06[CFG] <11> looking for IKEv2 configs for xx.xx.xx.xx...xx.xx.xx.xx
    Feb 2 18:07:05	charon		06[CFG] <11> candidate: %any...%any, prio 24
    Feb 2 18:07:05	charon		06[IKE] <11> remote host is behind NAT
    Feb 2 18:07:05	charon		06[IKE] <11> received proposals unacceptable
    Feb 2 18:07:05	charon		06[ENC] <11> generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
    Feb 2 18:07:05	charon		06[NET] <11> sending packet: from xx.xx.xx.xx[500] to xx.xx.xx.xx[500] (36 bytes)
    Feb 2 18:07:05	charon		06[IKE] <11> IKE_SA (unnamed)[11] state change: CONNECTING => DESTROYING
    

    Why isn't it finding an acceptable DH group and encryption algo?

    Here is my IKEv2 setup:

    https://imgur.com/ETm4JL6

    I've tried a few different changes but I can't get it to connect.
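The two log lines that matter here are "received proposals" (what the Windows client offers) and "configured proposals" (what charon will accept). The connection fails when no single received proposal overlaps a single configured proposal in every transform type. The script below is an added example, not code from the thread or from pfSense/strongSwan: it parses those two charon lines and reports which transform type the peer's proposals cannot satisfy. The sample input is the pair of log lines posted above; the classification of algorithm names into transform types is my own mapping of strongSwan's naming, and the match rule is a simplification of strongSwan's proposal selection (same transform types on both sides, at least one common algorithm per type).

```python
from typing import Dict, List, Optional, Set

# Sample input: the two proposal lines from the charon log posted in the thread.
RECEIVED_LINE = (
    "Feb 2 18:07:05\tcharon\t\t06[CFG] <11> received proposals: "
    "IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, "
    "IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, "
    "IKE:3DES_CBC/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, "
    "IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, "
    "IKE:3DES_CBC/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, "
    "IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024"
)
CONFIGURED_LINE = (
    "Feb 2 18:07:05\tcharon\t\t06[CFG] <11> configured proposals: "
    "IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/CAMELLIA_CBC_128/CAMELLIA_CBC_192/"
    "CAMELLIA_CBC_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/"
    "HMAC_SHA1_96/AES_XCBC_96/AES_CMAC_96/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/"
    "PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA1/ECP_256/ECP_384/"
    "ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/MODP_3072/MODP_4096/"
    "MODP_6144/MODP_8192/MODP_2048, "
    "IKE:AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/AES_GCM_12_128/AES_GCM_12_192/"
    "AES_GCM_12_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/PRF_HMAC_SHA2_256/"
    "PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA1/"
    "ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/MODP_3072/"
    "MODP_4096/MODP_6144/MODP_8192/MODP_2048"
)

# Transform types named the way charon names them in "no acceptable X found".
TRANSFORM_TYPES = ("ENCRYPTION_ALGORITHM", "INTEGRITY_ALGORITHM",
                   "PSEUDO_RANDOM_FUNCTION", "DIFFIE_HELLMAN_GROUP")

Proposal = Dict[str, Set[str]]


def transform_type(alg: str) -> str:
    """Classify a strongSwan algorithm token by its IKEv2 transform type (my mapping)."""
    if alg.startswith("PRF_"):
        return "PSEUDO_RANDOM_FUNCTION"
    if alg.startswith(("HMAC_", "AES_XCBC", "AES_CMAC")):
        return "INTEGRITY_ALGORITHM"
    if alg.startswith(("MODP_", "ECP_", "CURVE_")):
        return "DIFFIE_HELLMAN_GROUP"
    return "ENCRYPTION_ALGORITHM"  # AES_CBC_*, AES_GCM_*, CAMELLIA_*, 3DES_CBC


def parse_proposals(line: str) -> List[Proposal]:
    """Parse the comma-separated proposal list after 'proposals: ' in a charon line."""
    _, _, body = line.partition("proposals: ")
    proposals: List[Proposal] = []
    for item in body.split(", "):
        item = item.strip()
        if not item:
            continue
        _, _, algs = item.partition(":")  # drop the "IKE:" / "ESP:" prefix
        p: Proposal = {}
        for alg in algs.split("/"):
            p.setdefault(transform_type(alg), set()).add(alg)
        proposals.append(p)
    return proposals


def first_mismatch(received: Proposal, configured: Proposal) -> Optional[str]:
    """Return the first transform type with no common algorithm, or None on a match.

    An AEAD proposal (AES_GCM) carries no integrity transform, so it never
    matches a CBC+HMAC proposal; that case shows up as an INTEGRITY mismatch
    unless the encryption transform already differs.
    """
    for ttype in TRANSFORM_TYPES:
        r = received.get(ttype, set())
        c = configured.get(ttype, set())
        if (r or c) and not (r & c):
            return ttype
    return None


def diagnose(received_line: str, configured_line: str) -> dict:
    """Explain a NO_PROPOSAL_CHOSEN: which offered algorithms no configured proposal accepts."""
    received = parse_proposals(received_line)
    configured = parse_proposals(configured_line)
    for r in received:
        for c in configured:
            if first_mismatch(r, c) is None:
                return {"matched": True, "missing": {}}
    # Nothing matched. Per transform type, list the peer's algorithms that appear
    # in none of the configured proposals; an empty dict means every algorithm is
    # accepted somewhere, just never together in one proposal.
    offered: Dict[str, Set[str]] = {}
    for c in configured:
        for ttype, algs in c.items():
            offered.setdefault(ttype, set()).update(algs)
    missing: Dict[str, Set[str]] = {}
    for r in received:
        for ttype, algs in r.items():
            gap = algs - offered.get(ttype, set())
            if gap:
                missing.setdefault(ttype, set()).update(gap)
    return {"matched": False, "missing": missing}


if __name__ == "__main__":
    print(diagnose(RECEIVED_LINE, CONFIGURED_LINE))
```

Run against the thread's log, the result is `{'matched': False, 'missing': {'DIFFIE_HELLMAN_GROUP': {'MODP_1024'}}}`: every proposal the Windows 10 client sends requires MODP_1024 (DH group 2), and none of the server's configured proposals offers it, which is exactly the "no acceptable DIFFIE_HELLMAN_GROUP found" line. The 3DES proposals additionally fail on ENCRYPTION_ALGORITHM against the AES-GCM proposal, which accounts for the repeated "no acceptable ENCRYPTION_ALGORITHM found" lines. Either side can close the gap: add group 2 to the Phase 1 proposal on pfSense (what the thread does), or, preferably from a strength standpoint since 1024-bit MODP is considered weak, raise the client's group with the Windows cmdlet `Set-VpnConnectionIPsecConfiguration` and its `-DHGroup Group14` parameter (a real cmdlet, not one used in the thread) and keep MODP_2048 on the server.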


  • Rebel Alliance Developer Netgate

    What do the proposal lines look like in /var/etc/ipsec/ipsec.conf ?

    I wonder if you have too many options selected and it overran the line buffer. Try removing some of the unnecessary combinations. Like in the configured proposals it has things like Camellia and every possible DH group. That is not likely to be what you'd really want to allow/support.



  • @jimp Hi jimp, thanks for taking the time to look into my issue

    I have now only selected DH group 2 (1024), yet it's still coming up with a bunch of configured proposals that I didn't select. Is there a configuration error causing all those additional proposals to come up? Which one is supported on the Windows 10 1909 client?

    Phase1:
    https://imgur.com/a/MtLqIx8

    Phase 2:
    https://imgur.com/a/cpbojEm

    Here is my ipsec conf:

    # This file is automatically generated. Do not edit
    config setup
            uniqueids = yes
    
    conn bypasslan
            leftsubnet = xx.xx.164.0/22
            rightsubnet = xx.xx.164.0/22
            authby = never
            type = passthrough
            auto = route
    
    conn con-mobile
            fragmentation = yes
            keyexchange = ikev2
            reauth = yes
            forceencaps = no
            mobike = no
    
            rekey = yes
            installpolicy = yes
            type = tunnel
            dpdaction = clear
            dpddelay = 10s
            dpdtimeout = 60s
            auto = add
            left = xx.xx.191.2
            right = %any
            leftid = fqdn:domain ommitted
            ikelifetime = 28800s
            lifetime = 3600s
            rightsourceip = 172.16.10.0/24
            ike = aes256-sha256-modp1024!
            esp = aes256-sha1,aes256-sha256,aes256-sha384,aes256-sha512!
            eap_identity=%any
            leftauth=pubkey
            rightauth=eap-mschapv2
            leftcert=/var/etc/ipsec/ipsec.d/certs/cert-1.crt
            leftsendcert=always
            leftsubnet = xx.xx.164.0/22
    

  • Rebel Alliance Developer Netgate

    What is in that ipsec.conf looks like what you have selected in the GUI (ike is the Phase 1 proposal, and esp is the Phase 2 proposal).

    Are you saying the log still shows all the other entries?

    Maybe try stopping and then starting the ipsec service (do not use the 'restart' button) to see if that changes the behavior.



  • @jimp

    Yep the IPSEC conf file doesn't match what I have configured in Phase 1 & Phase 2 settings.

    I have now tried stopping the IPSEC service and starting it rather than restarting and it's still coming up with the same logs shown below.

    I would like to point out I have 2 sites that I have set this up with recently with identical settings except for the external IP information / domain names and it's happening on both sites.

    Feb 5 09:17:06	charon		01[CFG] <1> received proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:3DES_CBC/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024
    Feb 5 09:17:06	charon		01[CFG] <1> configured proposals: IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_SHA1_96/AES_XCBC_96/AES_CMAC_96/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048, IKE:AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048
    Feb 5 09:17:06	charon		01[IKE] <1> remote host is behind NAT
    Feb 5 09:17:06	charon		01[IKE] <1> received proposals unacceptable
    Feb 5 09:17:06	charon		01[ENC] <1> generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
    Feb 5 09:17:06	charon		01[NET] <1> sending packet: from xx[500] to xx[500] (36 bytes)
    Feb 5 09:17:06	charon		01[IKE] <1> IKE_SA (unnamed)[1] state change: CONNECTING => DESTROYING
    


  • Just an update if others come across this. I have now successfully connected using IKEv2. What I did was change the phase 1 remote gateway from "any" to our public IP address. I noticed in the /var/etc/ipsec/ipsec.conf file that the "left" IP was listening on our internal WAN IP on the WAN interface rather than the public IP address.

    conn con-mobile
    	fragmentation = yes
    	keyexchange = ikev2
    	reauth = yes
    	forceencaps = no
    	mobike = no
    
    	rekey = yes
    	installpolicy = yes
    	type = tunnel
    	dpdaction = clear
    	dpddelay = 10s
    	dpdtimeout = 60s
    	auto = add
    	left = 10.x.x.x
    
