Solution: IKEv2 Policy Match Error on Windows

9 July 2022

Solution 1

Please try this solution to fix the “Policy match” error:

Right-click on the Windows icon at the bottom left corner and select Windows PowerShell (Admin).
Enter the following command. Just make sure to change “Your VPN Name” variable to your exact manual VPN connection name:

Set-VpnConnectionIPsecConfiguration -ConnectionName “Your VPN Name” -AuthenticationTransformConstants SHA256128 -CipherTransformConstants AES128 -DHGroup Group14 -EncryptionMethod AES128 -IntegrityCheckMethod SHA256 -PFSgroup PFS2048 -Force

3. Press Enter and attempt to reconnect with the manual IKEv2 connection method again.

Solution 2

https://protonvpn.com/support/windows-10-ikev2-vpn-setup/

How to fix a “Policy match error”

If you are prevented from connecting by a Policy match error:

1. Search for the Registry Editor app and Open it.

Open Registry Editor
2. Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Parameters → right-click on any area of white space → New → DWORD (32-bit) Value.

Create a new DWORD (32-bit) Value

3. Name the newly created value NegotiateDH2048_AES256, then right-click on it → Modify…

Modify the value
4. Enter a Value data of 2 and click OK.

Enter a Value data of 2 4. The registry entry should now look as follows. Close the Registry Editor and try connecting again.

Try connecting again

Solution 3

https://support.nordvpn.com/Connectivity/Windows/1047410092/How-to-connect-to-NordVPN-with-IKEv2-IPSec-on-Windows-10.htm

Solution 4: Policy match error on Windows 10 using Strongswan (IKEv2)

The problem is most likely that the Windows client proposes a weak Diffie-Hellman (DH) group (1024-bit MODP). That group is not used anymore by strongSwan unless the user configures it explicitly.

You have two options:

Configure Windows to use a stronger DH group. This can be done either
- via Set-VpnConnectionIPsecConfiguration PowerShell cmdlet, which allows enabling stronger DH groups (e.g. group 14/2048-bit MODP or 384-bit ECP) and even other algorithms (e.g. AES-GCM combined-mode encryption/integrity, which is more efficient, but needs to be enabled explicitly on the server too)
- or via registry by adding the DWORD key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Rasman\Parameters\NegotiateDH2048_AES256. Set it to 1 to enable (the other algorithms are still proposed), or 2 to enforce the use of 256-bit AES-CBC and 2048-bit MODP DH (only these will be proposed).
Add the proposed, weak DH group (1024-bit MODP) to the IKE proposal on the server (e.g. configure something like ike=aes256-aes128-sha256-sha1-modp3072-modp2048-modp1024, which adds it at the end so other clients may use stronger DH groups).

AMD Ryzen fTPM Random Stuttering Problem

Browser Extensions to Enhance Your YouTube Experience

Use Emoji & SVG Instead Of Font Awesome to increase website speed

Enable Shortcodes In Divi Fields [Contact Form etc]

DNS Based Adblocker on iOS DNS Configuration Profiles (NextDNS/AdGuard)

Why is my Instagram posting my videos as reels?

Add JS to on Specific Pages via functions.php in WordPress [Example: For Adsense]

How to Disable Laptop’s Keyboard on Windows 10/11 and Only Use External Keyboard?

Emre Tosunkaya