Solution 1
Please try this solution to fix the “Policy match” error:
-
Right-click on the Windows icon at the bottom left corner and select Windows PowerShell (Admin).
-
Enter the following command. Just make sure to change “Your VPN Name” variable to your exact manual VPN connection name:
Set-VpnConnectionIPsecConfiguration -ConnectionName “Your VPN Name” -AuthenticationTransformConstants SHA256128 -CipherTransformConstants AES128 -DHGroup Group14 -EncryptionMethod AES128 -IntegrityCheckMethod SHA256 -PFSgroup PFS2048 -Force
3. Press Enter and attempt to reconnect with the manual IKEv2 connection method again.
Solution 2
https://protonvpn.com/support/windows-10-ikev2-vpn-setup/
How to fix a “Policy match error”
If you are prevented from connecting by a Policy match error:
1. Search for the Registry Editor app and Open it.
2. Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Parameters → right-click on any area of white space → New → DWORD (32-bit) Value.
3. Name the newly created value NegotiateDH2048_AES256, then right-click on it → Modify…
4. Enter a Value data of 2 and click OK.
4. The registry entry should now look as follows. Close the Registry Editor and try connecting again.
Solution 3
https://support.nordvpn.com/Connectivity/Windows/1047410092/How-to-connect-to-NordVPN-with-IKEv2-IPSec-on-Windows-10.htm
Solution 4: Policy match error on Windows 10 using Strongswan (IKEv2)
The problem is most likely that the Windows client proposes a weak Diffie-Hellman (DH) group (1024-bit MODP). That group is not used anymore by strongSwan unless the user configures it explicitly.
You have two options:
- Configure Windows to use a stronger DH group. This can be done either
- via Set-VpnConnectionIPsecConfiguration PowerShell cmdlet, which allows enabling stronger DH groups (e.g. group 14/2048-bit MODP or 384-bit ECP) and even other algorithms (e.g. AES-GCM combined-mode encryption/integrity, which is more efficient, but needs to be enabled explicitly on the server too)
- or via registry by adding the DWORD key
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Rasman\Parameters\NegotiateDH2048_AES256
. Set it to1
to enable (the other algorithms are still proposed), or2
to enforce the use of 256-bit AES-CBC and 2048-bit MODP DH (only these will be proposed).
- Add the proposed, weak DH group (1024-bit MODP) to the IKE proposal on the server (e.g. configure something like
ike=aes256-aes128-sha256-sha1-modp3072-modp2048-modp1024
, which adds it at the end so other clients may use stronger DH groups).