IKEv2 Policy Match Error on Windows 10 Client
-
Hello,
Just trying to get IKEv2 working and followed the instructions here:
https://docs.netgate.com/pfsense/en/latest/vpn/ipsec/configuring-an-ipsec-remote-access-mobile-vpn-using-ikev2-with-eap-mschapv2.html
and here:
https://forum.netgate.com/topic/113227/ikev2-vpn-for-windows-10-and-osx-how-to/2
I then created a VPN adapter in Windows 10 with the following PowerShell command (domain name omitted):
Add-VpnConnection -Name "IKEv2" -ServerAddress "domain-name" -TunnelType IKEv2 -EncryptionLevel Required -AuthenticationMethod EAP -SplitTunneling -AllUserConnection
When I try to connect, it prompts me for my username and password, and after that it gives me a "policy match error".
The IPSEC logs show:
Feb 2 18:07:05 charon 06[CFG] <11> no acceptable DIFFIE_HELLMAN_GROUP found
Feb 2 18:07:05 charon 06[CFG] <11> selecting proposal:
Feb 2 18:07:05 charon 06[CFG] <11> no acceptable ENCRYPTION_ALGORITHM found
Feb 2 18:07:05 charon 06[CFG] <11> selecting proposal:
Feb 2 18:07:05 charon 06[CFG] <11> no acceptable ENCRYPTION_ALGORITHM found
Feb 2 18:07:05 charon 06[CFG] <11> selecting proposal:
Feb 2 18:07:05 charon 06[CFG] <11> no acceptable ENCRYPTION_ALGORITHM found
Feb 2 18:07:05 charon 06[CFG] <11> selecting proposal:
Feb 2 18:07:05 charon 06[CFG] <11> no acceptable ENCRYPTION_ALGORITHM found
Feb 2 18:07:05 charon 06[CFG] <11> selecting proposal:
Feb 2 18:07:05 charon 06[CFG] <11> no acceptable ENCRYPTION_ALGORITHM found
Feb 2 18:07:05 charon 06[CFG] <11> selecting proposal:
Feb 2 18:07:05 charon 06[CFG] <11> no acceptable ENCRYPTION_ALGORITHM found
Feb 2 18:07:05 charon 06[CFG] <11> received proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:3DES_CBC/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024
Feb 2 18:07:05 charon 06[CFG] <11> configured proposals: IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_SHA1_96/AES_XCBC_96/AES_CMAC_96/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048, IKE:AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048
Feb 2 18:07:05 charon 06[CFG] <11> looking for IKEv2 configs for xx.xx.xx.xx...xx.xx.xx.xx
Feb 2 18:07:05 charon 06[CFG] <11> candidate: %any...%any, prio 24
Feb 2 18:07:05 charon 06[IKE] <11> remote host is behind NAT
Feb 2 18:07:05 charon 06[IKE] <11> received proposals unacceptable
Feb 2 18:07:05 charon 06[ENC] <11> generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
Feb 2 18:07:05 charon 06[NET] <11> sending packet: from xx.xx.xx.xx[500] to xx.xx.xx.xx[500] (36 bytes)
Feb 2 18:07:05 charon 06[IKE] <11> IKE_SA (unnamed)[11] state change: CONNECTING => DESTROYING
Why isn't it finding an acceptable DH group and encryption algo?
Here is my IKEv2 setup:
https://imgur.com/ETm4JL6
I've tried a few different changes but I can't get it to connect.
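To pin down which transform type is rejecting the client, here is an added Python helper (not from this thread, pfSense or strongSwan) that parses charon's "received proposals" and "configured proposals" lines and reports, for each client proposal, the first transform type that has no algorithm in common with each server proposal. The check order, the name-prefix classification of transforms, and the sample log (two lines from the post above, trimmed to a few transforms) are assumptions.

```python
# Added example: score a client's IKE proposals against the server's, roughly as charon does.
TYPE_ORDER = ("ENCRYPTION_ALGORITHM", "INTEGRITY_ALGORITHM", "PRF", "DIFFIE_HELLMAN_GROUP")

# Constructed sample: the two charon lines from the post, trimmed to a few transforms.
SAMPLE_LOG = """\
Feb 2 18:07:05 charon 06[CFG] <11> received proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
Feb 2 18:07:05 charon 06[CFG] <11> configured proposals: IKE:AES_CBC_128/AES_CBC_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA1_96/PRF_HMAC_SHA2_256/PRF_HMAC_SHA1/ECP_256/MODP_3072/MODP_2048, IKE:AES_GCM_16_128/PRF_HMAC_SHA2_256/ECP_256/MODP_2048
"""

def classify(transform):
    """Map a strongSwan transform name to its IKEv2 transform type (assumed prefixes)."""
    if transform.startswith("PRF_"):
        return "PRF"
    if transform.startswith(("HMAC_", "AES_XCBC", "AES_CMAC")):
        return "INTEGRITY_ALGORITHM"
    if transform.startswith(("MODP_", "ECP_", "CURVE_")):
        return "DIFFIE_HELLMAN_GROUP"
    return "ENCRYPTION_ALGORITHM"   # AES_CBC_*, AES_GCM_*, 3DES_CBC, CAMELLIA_* ...

def parse_proposals(line):
    """'... proposals: IKE:A/B/C, IKE:D/E' -> [(text, {type: {transforms}}), ...]."""
    out = []
    for prop in line.split("proposals:", 1)[1].split(","):
        prop = prop.strip()
        if prop.startswith("IKE:"):
            by_type = {}
            for t in prop[4:].split("/"):
                by_type.setdefault(classify(t), set()).add(t)
            out.append((prop[4:], by_type))
    return out

def first_mismatch(received, configured):
    """First transform type with nothing in common, or None on a full match (AEAD vs non-AEAD counts)."""
    for kind in TYPE_ORDER:
        theirs, ours = received.get(kind, set()), configured.get(kind, set())
        if (theirs or ours) and not (theirs & ours):
            return kind
    return None

def diagnose(log_text):
    """For each client proposal, the mismatch reason per server proposal (None = acceptable)."""
    received, configured = [], []
    for line in log_text.splitlines():
        if "received proposals:" in line:
            received = parse_proposals(line)
        elif "configured proposals:" in line:
            configured = parse_proposals(line)
    return [(text, [first_mismatch(r, c) for _, c in configured]) for text, r in received]
```

Run against the sample, every client proposal fails the CBC server proposal on DIFFIE_HELLMAN_GROUP (the server offers no MODP_1024) and the GCM one on ENCRYPTION_ALGORITHM, which is exactly the pair of messages in the log above.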
-
What do the proposal lines look like in /var/etc/ipsec/ipsec.conf?
I wonder if you have too many options selected and it overran the line buffer. Try removing some of the unnecessary combinations. Like in the configured proposals it has things like Camellia and every possible DH group. That is not likely to be what you'd really want to allow/support.
-
@jimp Hi jimp, thanks for taking the time to look into my issue
I have now only selected DH group 2 (1024), yet it's still coming up with a bunch of configured proposals that I didn't select. Is there a configuration error causing all those additional proposals to come up? Which one is supported on the Windows 10 1909 client?
Phase 1:
https://imgur.com/a/MtLqIx8
Phase 2:
https://imgur.com/a/cpbojEm
Here is my ipsec conf:
# This file is automatically generated. Do not edit
config setup
	uniqueids = yes

conn bypasslan
	leftsubnet = xx.xx.164.0/22
	rightsubnet = xx.xx.164.0/22
	authby = never
	type = passthrough
	auto = route

conn con-mobile
	fragmentation = yes
	keyexchange = ikev2
	reauth = yes
	forceencaps = no
	mobike = no
	rekey = yes
	installpolicy = yes
	type = tunnel
	dpdaction = clear
	dpddelay = 10s
	dpdtimeout = 60s
	auto = add
	left = xx.xx.191.2
	right = %any
	leftid = fqdn:domain ommitted
	ikelifetime = 28800s
	lifetime = 3600s
	rightsourceip = 172.16.10.0/24
	ike = aes256-sha256-modp1024!
	esp = aes256-sha1,aes256-sha256,aes256-sha384,aes256-sha512!
	eap_identity=%any
	leftauth=pubkey
	rightauth=eap-mschapv2
	leftcert=/var/etc/ipsec/ipsec.d/certs/cert-1.crt
	leftsendcert=always
	leftsubnet = xx.xx.164.0/22
-
What is in that ipsec.conf looks like what you have selected in the GUI (ike is the Phase 1 proposal, and esp is the Phase 2 proposal). Are you saying the log still shows all the other entries?
Maybe try stopping and then starting the ipsec service (do not use the 'restart' button) to see if that changes the behavior.
-
Yep, the IPSEC conf file doesn't match what I have configured in the Phase 1 & Phase 2 settings.
I have now tried stopping the IPSEC service and starting it rather than restarting, and it's still coming up with the same logs shown below.
I would like to point out I have 2 sites that I have set this up with recently with identical settings except for the external IP information / domain names and it's happening on both sites.
Feb 5 09:17:06 charon 01[CFG] <1> received proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:3DES_CBC/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024
Feb 5 09:17:06 charon 01[CFG] <1> configured proposals: IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_SHA1_96/AES_XCBC_96/AES_CMAC_96/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048, IKE:AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048
Feb 5 09:17:06 charon 01[IKE] <1> remote host is behind NAT
Feb 5 09:17:06 charon 01[IKE] <1> received proposals unacceptable
Feb 5 09:17:06 charon 01[ENC] <1> generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
Feb 5 09:17:06 charon 01[NET] <1> sending packet: from xx[500] to xx[500] (36 bytes)
Feb 5 09:17:06 charon 01[IKE] <1> IKE_SA (unnamed)[1] state change: CONNECTING => DESTROYING
-
Just an update if others come across this. I have now successfully connected using IKEv2. What I did was change the phase 1 remote gateway from "any" to our public IP address. I noticed in the /var/etc/ipsec/ipsec.conf file that the "left" IP was listening on our internal WAN IP on the WAN interface rather than the public IP address.
conn con-mobile
	fragmentation = yes
	keyexchange = ikev2
	reauth = yes
	forceencaps = no
	mobike = no
	rekey = yes
	installpolicy = yes
	type = tunnel
	dpdaction = clear
	dpddelay = 10s
	dpdtimeout = 60s
	auto = add
	left = 10.x.x.x