Solution: IKEv2 Policy Match Error on Windows

r/nordvpn - Policy Match Error

Solution 1

Please try this solution to fix the “Policy match” error:

  1. Right-click on the Windows icon at the bottom left corner and select Windows PowerShell (Admin).

  2. Enter the following command. Just make sure to change “Your VPN Name” variable to your exact manual VPN connection name:

Set-VpnConnectionIPsecConfiguration -ConnectionName “Your VPN Name” -AuthenticationTransformConstants SHA256128 -CipherTransformConstants AES128 -DHGroup Group14 -EncryptionMethod AES128 -IntegrityCheckMethod SHA256 -PFSgroup PFS2048 -Force

3. Press Enter and attempt to reconnect with the manual IKEv2 connection method again.

Solution 2

How to fix a “Policy match error”

If you are prevented from connecting by a Policy match error:

1. Search for the Registry Editor app and Open it.

Open Registry Editor
2. Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Parameters → right-click on any area of white space → New → DWORD (32-bit) Value.

Create a new DWORD (32-bit) Value

3. Name the newly created value NegotiateDH2048_AES256, then right-click on it → Modify…

Modify the value
4. Enter a Value data of 2 and click OK.

Enter a Value data of 24. The registry entry should now look as follows. Close the Registry Editor and try connecting again.

Try connecting again

Solution 3

Solution 4: Policy match error on Windows 10 using Strongswan (IKEv2)

The problem is most likely that the Windows client proposes a weak Diffie-Hellman (DH) group (1024-bit MODP). That group is not used anymore by strongSwan unless the user configures it explicitly.

You have two options:

  1. Configure Windows to use a stronger DH group. This can be done either
    • via Set-VpnConnectionIPsecConfiguration PowerShell cmdlet, which allows enabling stronger DH groups (e.g. group 14/2048-bit MODP or 384-bit ECP) and even other algorithms (e.g. AES-GCM combined-mode encryption/integrity, which is more efficient, but needs to be enabled explicitly on the server too)
    • or via registry by adding the DWORD key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Rasman\Parameters\NegotiateDH2048_AES256. Set it to 1 to enable (the other algorithms are still proposed), or 2 to enforce the use of 256-bit AES-CBC and 2048-bit MODP DH (only these will be proposed).
  2. Add the proposed, weak DH group (1024-bit MODP) to the IKE proposal on the server (e.g. configure something like ike=aes256-aes128-sha256-sha1-modp3072-modp2048-modp1024, which adds it at the end so other clients may use stronger DH groups).
5/53526 oy

Emre Tosunkaya

Kendini İnternete adamış bir tekno kişi. Teknoloji ve İnternet adına; WordPress, Webmaster, Android, Google, mobil, oyun, yazılım hakkında insanlara yararlı makaleler yazar.

  • İndirim Kuponları
  • Uzman Diyetisyen Semiye Tosunkaya
  • Güzel Hosting, 2008'den beri kaliteli ve ekonomik paylaşımlı hosting, kiralık sunucu, sanal sunucu ve co-location hizmetleri sağlamaktadır.
  • Turhost: Türkiye'nin Lider Hosting ve Domain Servis Sağlayıcısı
  • - Alışverişin Uğurlu Adresi
  • En Trend Ürünler Türkiye'nin Online Alışveriş Sitesi Amazon'da İndirim Kuponları Binance %10 Komisyon İndirimi TRBinance %10 Komisyon İndirimi Amazon Amazon 50₺ indirim kodu Trendyol Güncel İndirim Kodları