Hi
I tried to configure IKEv2 remote access; however, it didn't work from Windows 10, and the error message was 'Policy match error'.
Can anyone help me with this issue? I have no idea how to debug the error, whether in VyOS or in Windows… Are there any debug-like commands in VyOS? Thanks!
I found this connection error in Windows Event Viewer, but no details were provided. I read on the Microsoft website:
It seems that all the IKE/IPsec parameters configured are supported by Windows 10…
The VyOS version I used is VyOS 1.4-rolling-202202150317.
Here are the configurations:
generate pki ca install R1_C3_CA_ROOT
generate pki certificate sign R1_C3_CA_ROOT install R1_RWU_CERT
set vpn ipsec esp-group ESP-RWU compression 'disable'
set vpn ipsec esp-group ESP-RWU lifetime '3600'
set vpn ipsec esp-group ESP-RWU pfs 'disable'
set vpn ipsec esp-group ESP-RWU proposal 10 encryption 'aes128gcm128'
set vpn ipsec esp-group ESP-RWU proposal 10 hash 'sha256'
set vpn ipsec ike-group IKE-RWU key-exchange 'ikev2'
set vpn ipsec ike-group IKE-RWU lifetime '7200'
set vpn ipsec ike-group IKE-RWU mobike 'enable'
set vpn ipsec ike-group IKE-RWU proposal 10 dh-group '14'
set vpn ipsec ike-group IKE-RWU proposal 10 encryption 'aes128gcm128'
set vpn ipsec ike-group IKE-RWU proposal 10 hash 'sha256'
set vpn ipsec remote-access pool ra-rwu-ipv4 name-server '8.8.8.8'
set vpn ipsec remote-access pool ra-rwu-ipv4 prefix '172.16.101.0/24'
set vpn ipsec remote-access connection rwu authentication id '172.16.101.1'
set vpn ipsec remote-access connection rwu authentication server-mode 'x509'
set vpn ipsec remote-access connection rwu authentication x509 ca-certificate 'R1_C3_CA_ROOT'
set vpn ipsec remote-access connection rwu authentication x509 certificate 'R1_RWU_CERT'
set vpn ipsec remote-access connection rwu esp-group 'ESP-RWU'
set vpn ipsec remote-access connection rwu ike-group 'IKE-RWU'
set vpn ipsec remote-access connection rwu local-address '172.16.101.1'
set vpn ipsec remote-access connection rwu pool 'ra-rwu-ipv4'
set vpn ipsec remote-access connection rwu authentication client-mode 'eap-mschapv2'
set vpn ipsec remote-access connection rwu authentication local-users username vyos password 'vyos'
generate ipsec profile windows-remote-access rwu remote "r1.my_domain.com"
==== ====
Add-VpnConnection -Name "VyOS IKEv2 VPN" -ServerAddress "r1.my_domain.com" -TunnelType "Ikev2"
Set-VpnConnectionIPsecConfiguration -ConnectionName "VyOS IKEv2 VPN" -AuthenticationTransformConstants GCMAES128 -CipherTransformConstants GCMAES128 -EncryptionMethod GCMAES128 -IntegrityCheckMethod SHA256 -PfsGroup None -DHGroup "Group14" -PassThru -Force
==== ====
Also, an IPv4-address-to-FQDN entry has been added to the "hosts" file in Windows 10, as recommended in "VyOS Platform Blog - PKI and IPSec IKEv2 remote-access VPN".
I hope that someone can point out what mistake(s) I made in this configuration, thanks!
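A 'Policy match error' on the Windows side is, in general, the client's way of saying that no IKE or ESP proposal offered by the two ends lines up, so a useful first check is to compare the two sides' settings element by element before digging into daemon logs. The script below is an added example, not code from the post, from VyOS or from Microsoft: it parses the VyOS 'set' lines and the Set-VpnConnectionIPsecConfiguration line, translates the Windows names into the VyOS vocabulary, and reports every element that cannot match. The name mappings (GCMAES128 = aes128gcm128, SHA256 = sha256, Group14 = DH group 14, PfsGroup None = pfs 'disable', and so on), the treatment of AEAD ciphers as needing no separate ESP integrity transform, and the VyOS default of pfs 'enable' are assumptions stated in the comments.

```python
"""Cross-check a VyOS IKEv2 remote-access configuration against the Windows
Set-VpnConnectionIPsecConfiguration parameters and list proposal mismatches.

Added example, not VyOS or Microsoft code. The Windows-to-VyOS name tables are
assumptions based on the IKE transforms those Windows names denote.
"""
import re

# Windows cmdlet value -> VyOS proposal value (assumption).
WIN_CIPHER = {"AES128": "aes128", "AES192": "aes192", "AES256": "aes256",
              "GCMAES128": "aes128gcm128", "GCMAES256": "aes256gcm128"}
WIN_HASH = {"SHA196": "sha1", "SHA256": "sha256", "SHA384": "sha384"}
WIN_DH = {"Group2": "2", "Group14": "14", "ECP256": "19", "ECP384": "20", "Group24": "24"}
# AEAD ciphers carry their own integrity, so ESP negotiates no separate hash for them.
AEAD = {"aes128gcm128", "aes256gcm128"}


def parse_vyos(text):
    """Return {'ike-group': {name: {path: value}}, 'esp-group': {...}} from 'set' lines."""
    groups = {"ike-group": {}, "esp-group": {}}
    for raw in text.splitlines():
        tok = raw.strip().replace("'", "").replace('"', "").split()
        if len(tok) < 6 or tok[:3] != ["set", "vpn", "ipsec"] or tok[3] not in groups:
            continue  # remote-access, pool and other lines are not needed for the comparison
        kind, name, path, value = tok[3], tok[4], " ".join(tok[5:-1]), tok[-1]
        groups[kind].setdefault(name, {})[path] = value
    return groups


def proposals(group):
    """Collect 'proposal N key value' entries into a list of dicts ordered by N."""
    by_num = {}
    for path, value in group.items():
        parts = path.split()
        if len(parts) == 3 and parts[0] == "proposal":
            by_num.setdefault(parts[1], {})[parts[2]] = value
    return [by_num[n] for n in sorted(by_num, key=int)]


def parse_windows(cmd):
    """Pull -Parameter value pairs out of a PowerShell command line (switches map to '')."""
    found = re.findall(r'-(\w+)(?:\s+("[^"]*"|[^\s-]\S*))?', cmd)
    return {name: value.strip('"') for name, value in found}


def windows_expectation(params):
    """Translate the Windows parameters into the VyOS values they require."""
    pfs = params.get("PfsGroup", "None")
    return {
        "ike": {"encryption": WIN_CIPHER.get(params.get("EncryptionMethod")),
                "hash": WIN_HASH.get(params.get("IntegrityCheckMethod")),
                "dh-group": WIN_DH.get(params.get("DHGroup"))},
        "esp": {"encryption": WIN_CIPHER.get(params.get("CipherTransformConstants")),
                "hash": WIN_HASH.get(params.get("AuthenticationTransformConstants")),
                "pfs": "disable" if pfs == "None" else "dh-group" + WIN_DH.get(pfs, "?")},
    }


def check(vyos_text, windows_cmd, ike_name="IKE-RWU", esp_name="ESP-RWU"):
    """Return human-readable mismatches; an empty list means the proposals line up."""
    cfg, exp = parse_vyos(vyos_text), windows_expectation(parse_windows(windows_cmd))
    ike, esp = cfg["ike-group"][ike_name], cfg["esp-group"][esp_name]
    problems = []
    if ike.get("key-exchange") != "ikev2":
        problems.append(f"{ike_name}: key-exchange must be ikev2 for a Windows IKEv2 tunnel")
    ike_props = proposals(ike)
    if not any(all(p.get(k) == v for k, v in exp["ike"].items()) for p in ike_props):
        problems.append(f"{ike_name}: no proposal matches Windows IKE settings {exp['ike']}")

    def esp_ok(p):
        if p.get("encryption") != exp["esp"]["encryption"]:
            return False
        # With an AEAD cipher the VyOS 'hash' value is not a separate ESP transform,
        # so it need not match Windows' AuthenticationTransformConstants.
        return exp["esp"]["encryption"] in AEAD or p.get("hash") == exp["esp"]["hash"]
    if not any(esp_ok(p) for p in proposals(esp)):
        problems.append(f"{esp_name}: no proposal matches Windows ESP settings {exp['esp']}")
    # Assumption: VyOS defaults pfs to 'enable', which reuses the IKE DH group.
    vyos_pfs = esp.get("pfs", "enable")
    if vyos_pfs == "enable" and ike_props:
        vyos_pfs = "dh-group" + ike_props[0].get("dh-group", "?")
    if vyos_pfs != exp["esp"]["pfs"]:
        problems.append(f"{esp_name}: pfs is {vyos_pfs!r} but Windows PfsGroup implies {exp['esp']['pfs']!r}")
    return problems


# The group settings from the post above, embedded as sample input.
VYOS_CFG = """
set vpn ipsec esp-group ESP-RWU compression 'disable'
set vpn ipsec esp-group ESP-RWU lifetime '3600'
set vpn ipsec esp-group ESP-RWU pfs 'disable'
set vpn ipsec esp-group ESP-RWU proposal 10 encryption 'aes128gcm128'
set vpn ipsec esp-group ESP-RWU proposal 10 hash 'sha256'
set vpn ipsec ike-group IKE-RWU key-exchange 'ikev2'
set vpn ipsec ike-group IKE-RWU lifetime '7200'
set vpn ipsec ike-group IKE-RWU mobike 'enable'
set vpn ipsec ike-group IKE-RWU proposal 10 dh-group '14'
set vpn ipsec ike-group IKE-RWU proposal 10 encryption 'aes128gcm128'
set vpn ipsec ike-group IKE-RWU proposal 10 hash 'sha256'
"""
WINDOWS_CMD = ('Set-VpnConnectionIPsecConfiguration -ConnectionName "VyOS IKEv2 VPN" '
               '-AuthenticationTransformConstants GCMAES128 -CipherTransformConstants GCMAES128 '
               '-EncryptionMethod GCMAES128 -IntegrityCheckMethod SHA256 -PfsGroup None '
               '-DHGroup "Group14" -PassThru -Force')
# Constructed variant: a client profile still asking for the weaker DH group 2.
MISMATCH_CMD = WINDOWS_CMD.replace('"Group14"', '"Group2"')

if __name__ == "__main__":
    for label, cmd in (("post", WINDOWS_CMD), ("constructed mismatch", MISMATCH_CMD)):
        print(label + ":", check(VYOS_CFG, cmd) or "proposals match")
```

For the settings in the post the script finds nothing to complain about, which is itself useful: it moves the investigation away from the proposal values and toward the parts this comparison cannot see, such as the certificate chain and the EAP exchange, where the strongSwan daemon log on the VyOS side (for example `sudo swanctl --log` while the client connects) shows which step the negotiation actually fails at.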