Strongswan IKEv2 vpn on Windows 10 client "policy match error"
I have the newest version of Strongswan vpn on my ubuntu server running.
I followed this tutorial here and got it to work on my android and Iphone.
Now I want to get it to work on my windows 10 laptop but when I try to connect via the vpn settings in windows I only get a "policy match error" and the event view gives me the error code "13868".
After much googling I still cant find any working solution.
What can I do?
The problem is most likely that the Windows client proposes a weak Diffie-Hellman (DH) group (1024-bit MODP). That group is not used anymore by strongSwan unless the user configures it explicitly.
You have two options:
- Configure Windows to use a stronger DH group. This can be done either
- via Set-VpnConnectionIPsecConfiguration PowerShell cmdlet, which allows enabling stronger DH groups (e.g. group 14/2048-bit MODP or 384-bit ECP) and even other algorithms (e.g. AES-GCM combined-mode encryption/integrity, which is more efficient, but needs to be enabled explicitly on the server too)
- or via registry by adding the DWORD key
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Rasman\Parameters\NegotiateDH2048_AES256. Set it to1to enable (the other algorithms are still proposed), or2to enforce the use of 256-bit AES-CBC and 2048-bit MODP DH (only these will be proposed).
- Add the proposed, weak DH group (1024-bit MODP) to the IKE proposal on the server (e.g. configure something like
ike=aes256-aes128-sha256-sha1-modp3072-modp2048-modp1024, which adds it at the end so other clients may use stronger DH groups).
Option 1 is definitely preferred.