Please try this solution to fix the “Policy match” error:
Right-click on the Windows icon at the bottom left corner and select Windows PowerShell (Admin).
Enter the following command. Just make sure to change “Your VPN Name” variable to your exact manual VPN connection name:
Set-VpnConnectionIPsecConfiguration -ConnectionName “Your VPN Name” -AuthenticationTransformConstants SHA256128 -CipherTransformConstants AES128 -DHGroup Group14 -EncryptionMethod AES128 -IntegrityCheckMethod SHA256 -PFSgroup PFS2048 -Force
3. Press Enter and attempt to reconnect with the manual IKEv2 connection method again.
How to fix a “Policy match error”
If you are prevented from connecting by a Policy match error:
1. Search for the Registry Editor app and Open it.
2. Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Parameters → right-click on any area of white space → New → DWORD (32-bit) Value.
3. Name the newly created value NegotiateDH2048_AES256, then right-click on it → Modify…
4. Enter a Value data of 2 and click OK.
4. The registry entry should now look as follows. Close the Registry Editor and try connecting again.
Solution 4: Policy match error on Windows 10 using Strongswan (IKEv2)
The problem is most likely that the Windows client proposes a weak Diffie-Hellman (DH) group (1024-bit MODP). That group is not used anymore by strongSwan unless the user configures it explicitly.
You have two options:
- Configure Windows to use a stronger DH group. This can be done either
- via Set-VpnConnectionIPsecConfiguration PowerShell cmdlet, which allows enabling stronger DH groups (e.g. group 14/2048-bit MODP or 384-bit ECP) and even other algorithms (e.g. AES-GCM combined-mode encryption/integrity, which is more efficient, but needs to be enabled explicitly on the server too)
- or via registry by adding the DWORD key
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Rasman\Parameters\NegotiateDH2048_AES256. Set it to
1to enable (the other algorithms are still proposed), or
2to enforce the use of 256-bit AES-CBC and 2048-bit MODP DH (only these will be proposed).
- Add the proposed, weak DH group (1024-bit MODP) to the IKE proposal on the server (e.g. configure something like
ike=aes256-aes128-sha256-sha1-modp3072-modp2048-modp1024, which adds it at the end so other clients may use stronger DH groups).