IKEv2 error 13868

Always On VPN IKEv2 Policy Mismatch Error

The Internet Key Exchange version 2 (IKEv2) VPN protocol is the protocol of choice for Windows 10 Always On VPN deployments where the highest levels of security and assurance are required. However, as I’ve written about in the past, often the default IKEv2 security settings are less than desirable. Before using IKEv2 VPN in a production environment the administrator will need to update these security settings accordingly.

Connection Failure

When configuring Windows Server Routing and Remote Access Service (RRAS) or a third-party VPN appliance to support IKEv2 using custom security policies, the administrator may encounter a scenario in which a connection cannot be established due to a policy mismatch error. When the connection attempt fails, an error will be recorded in the Windows Application event log from the RasClient source with Event ID 20227. The error message states the following:

“The user [username] dialed a connection named [connection name] which has failed. The error code returned on failure is 13868.”


Error Code 13868

Error code 13868 translates to ERROR_IPSEC_IKE_POLICY_MATCH. Essentially this error indicates that the IKEv2 security policy on the client did not match the configuration on the server.

Server Configuration

To view the current IKEv2 IPsec policy configuration, open an elevated PowerShell command window and run the following command.

Get-VpnServerIPsecConfiguration


Client Configuration

To ensure interoperability, the VPN client must be configured to use the same IKEv2 security policy as defined on the server. To view a VPN client’s currently configured IKEv2 security policy, open an elevated PowerShell command window and run the following command.

Get-VpnConnection -Name [connection name] | Select-Object -ExpandProperty IPsecCustomPolicy


Note: If this PowerShell command returns no output, the VPN connection is not using a custom IKEv2 IPsec security policy.
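The two cmdlets above are usually run by hand on each side and compared by eye. The following script is an added example (not code from the original article or from Microsoft) that automates the comparison: on the RRAS server it writes the effective IKEv2 policy fields to a JSON file, and on the client it reads that file and reports every field where the connection's IPsecCustomPolicy differs. The JSON path and the connection name are placeholders chosen for this example; the cmdlets and property names are the ones the article itself uses.

```powershell
# Added example, not code from the original article. Exports the RRAS
# server's IKEv2 IPsec policy to JSON and compares a client connection's
# IPsecCustomPolicy against it field by field.
# Placeholder values: the JSON file path and the connection name.

$PolicyFields = @(
    'AuthenticationTransformConstants',
    'CipherTransformConstants',
    'DHGroup',
    'EncryptionMethod',
    'IntegrityCheckMethod',
    'PfsGroup'
)

# Run on the RRAS server in an elevated PowerShell window.
function Export-ServerIkev2Policy {
    param([string]$Path = 'C:\Temp\ikev2-server-policy.json')   # placeholder path
    $server = Get-VpnServerIPsecConfiguration
    $policy = [ordered]@{}
    foreach ($field in $PolicyFields) {
        # Store the display name (AES256, SHA256, Group14, ...) so the file
        # compares cleanly whatever the underlying property type is.
        $policy[$field] = [string]$server.$field
    }
    $policy | ConvertTo-Json | Set-Content -Path $Path -Encoding UTF8
    return $policy
}

# Run on the client in an elevated PowerShell window, with the JSON file copied over.
function Compare-Ikev2Policy {
    param(
        [Parameter(Mandatory)] [string]$ConnectionName,
        [string]$ServerPolicyPath = 'C:\Temp\ikev2-server-policy.json'   # placeholder path
    )
    $server = Get-Content -Path $ServerPolicyPath -Raw | ConvertFrom-Json
    $client = (Get-VpnConnection -Name $ConnectionName).IPsecCustomPolicy

    if ($null -eq $client) {
        # No custom policy: the client offers the Windows default proposals,
        # which a server running a hardened custom policy rejects (error 13868).
        Write-Warning "'$ConnectionName' has no IPsecCustomPolicy; it negotiates the default IKEv2 proposals."
        return $false
    }

    $allMatch = $true
    foreach ($field in $PolicyFields) {
        $s = [string]$server.$field
        $c = [string]$client.$field
        if ($s -ne $c) {
            $allMatch = $false
            Write-Host ('{0,-34} server={1,-12} client={2}' -f $field, $s, $c)
        }
    }
    if ($allMatch) { Write-Host "IKEv2 policy for '$ConnectionName' matches the server." }
    return $allMatch
}
```

Run `Export-ServerIkev2Policy` on the server, copy the JSON to the client, then run `Compare-Ikev2Policy -ConnectionName '<connection name>'`. Each mismatched line is a field to correct on the client with Set-VpnConnectionIPsecConfiguration (or on the server with Set-VpnServerIPsecConfiguration) before the next connection attempt.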

Updating Settings

Guidance for configuring IKEv2 security policies on Windows Server RRAS and Windows 10 can be found here.

NPS Policy

Another common cause of IKEv2 policy mismatch errors is a misconfigured Network Policy Server (NPS) network policy. Specifically, administrators may disable Basic and Strong encryption for MPPE in an attempt to improve security.


The NPS policy for Always On VPN must include Strong encryption at a minimum. Basic and No encryption can be safely disabled.


Summary

IKEv2 policy mismatch errors are resolved by ensuring that both the VPN server and the client are configured to use the same IPsec security policies. Use the PowerShell commands referenced above to validate the settings and make changes when necessary.

Additional Information

Windows 10 Always On VPN IKEv2 Security Configuration

Windows 10 Always On VPN IKEv2 Features and Limitations

Show-VpnConnectionIPsecConfiguration PowerShell script on Github

Set-IKEv2SecurityBaseline PowerShell script on Github

Prologue:
I read all the IPsec manuals for the DFL.
Then I read all the IPsec manuals for other devices that I could find.
I tried various combinations.

Setup: there is a DFL-260 with a static public address and a workgroup LAN behind it. I want to connect to this LAN through an IPsec tunnel over a mobile connection, from anywhere. That is, I will often have to connect from a dynamic private (NAT) address.

I tried to connect:
1. with the built-in Win7 tools (L2TP IPsec VPN, IKEv2) (NAT);
2. with the built-in Android tools (L2TP/IPSec PSK, IPSec Xauth PSK) (mobile internet, NAT);
3. with the built-in iOS tools (IKEv2, IPSec, L2TP) (mobile internet, NAT).

All without result.

1. When trying to connect from Win7 over L2TP IPsec VPN, error 788 is shown: The L2TP connection attempt failed because the security layer could not negotiate parameters with the remote computer.
The DFL logs show the following:

Code:

2018-08-15 12:27:15  Info    IPSEC  1800904  ike_sa_created
ipsec_if=dynamic_ipsec local_ip=<ВНЕШНИЙ IP DFL> local_port=4500 remote_iface=wan remote_ip=<ВНЕШНИЙ IP компа> remote_port=57944 local_id=<ВНЕШНИЙ IP DFL> remote_id=<ЛОКАЛЬНЫЙ IP компа в его локальной сети> local_ike_spi=0xa1f871a70951d192 remote_ike_spi=0x53bc392752c1ec0c initiator=FALSE algorithms=aes256-cbc/hmac-sha1-96/hmac-sha1/MODP_2048 mode=Main lifetime=28800 ikeversion=1 local_behind_nat=TRUE remote_behind_nat=TRUE initial_contact=FALSE

2018-08-15 12:27:15  Info    IPSEC  1802023  ike_sa_statistics
done=183 success=19 failed=164

2018-08-15 12:27:15  Info    IPSEC  1802049  ipsec_sa_failed
ipsec_sa_disabled
statusmsg="No proposal chosen" reason="Peer IP address mismatch. Local Traffic Selector mismatch." local_peer="<ВНЕШНИЙ IP DFL>:4500 ID <ВНЕШНИЙ IP DFL>" remote_peer="<ВНЕШНИЙ IP компа>:57944 ID <ЛОКАЛЬНЫЙ IP компа в его локальной сети>" ike_spi_i=0x53bc392752c1ec0c ike_spi_r=0xa1f871a70951d192

2018-08-15 12:27:15  Notice  IPSEC  1800105  ike_delete_notification
local_ip=<ВНЕШНИЙ IP DFL> remote_ip=<ВНЕШНИЙ IP компа> cookies=0x53bc392752c1ec0ca1f871a70951d192 reason="Received delete notification"

2018-08-15 12:27:15  Info    IPSEC  1800906  ike_sa_deleted
ipsec_if=dynamic_ipsec local_ip=<ВНЕШНИЙ IP DFL> local_port=4500 remote_iface=wan remote_ip=<ВНЕШНИЙ IP компа> remote_port=57944 local_id=<ВНЕШНИЙ IP DFL> remote_id=<ЛОКАЛЬНЫЙ IP компа в его локальной сети> local_ike_spi=0xa1f871a70951d192 remote_ike_spi=0x53bc392752c1ec0c peer_dead=FALSE

As I understand it, the first phase (IKE) completes normally, and the second (IPsec) is aborted because the external IP does not match the "id" of the tunnel initiator. If I am right, what should I do about it?

When trying to connect over IKEv2, Win7 shows error 13868: Group policy match error.
The DFL logs show the following:

Code:

2018-08-15 12:40:56  Error    IPSEC  1802221  no_matching_tunnel_found
packet_will_be_discarded
localaddr=<ВНЕШНИЙ IP DFL> remoteaddr=<ВНЕШНИЙ IP компа> srcif=wan

2018-08-15 12:40:56  Warning  IPSEC  1802022  ike_sa_failed
no_ike_sa
statusmsg="No proposal chosen" reason="" local_peer="<ВНЕШНИЙ IP DFL>:500 ID (null)" remote_peer="<ВНЕШНИЙ IP компа>:500 ID (null)" spi_i=0x1960bcb26ab80e2c spi_r=0x6460b7a0d3e77fc4 initiator=FALSE

2018-08-15 12:40:56  Info     IPSEC  1802023  ike_sa_statistics
done=204 success=19 failed=185

2. When trying to connect from Android over L2TP/IPSec PSK, the connection sits in the "connecting" state and then, after about 30 seconds, shows "failed".
The DFL logs show the following:

Code:

2018-08-15 12:44:57  Error    IPSEC  1802221  no_matching_tunnel_found
packet_will_be_discarded
localaddr=<ВНЕШНИЙ IP DFL> remoteaddr=<ВНЕШНИЙ IP Android> srcif=wan

2018-08-15 12:44:57  Warning  IPSEC  1800107  ike_invalid_proposal
local_ip=<ВНЕШНИЙ IP DFL> remote_ip=<ВНЕШНИЙ IP Android> cookies=0xd473938d4b3cf3eb5230d23d5b24cf6d reason="Could not find acceptable proposal"

2018-08-15 12:44:57  Warning  IPSEC  1802022  ike_sa_failed
no_ike_sa
statusmsg="No proposal chosen" reason="" local_peer="<ВНЕШНИЙ IP DFL>:500 ID (null)" remote_peer="<ВНЕШНИЙ IP Android>:500 ID (null)" spi_i=0xd473938d4b3cf3eb spi_r=0x5230d23d5b24cf6d initiator=FALSE

2018-08-15 12:44:57  Info     IPSEC  1802023  ike_sa_statistics
done=211 success=19 failed=192

Here, as I understand it, I got the phase 1 algorithm set wrong. How should they be changed?

When trying to connect from Android over IPSec Xauth PSK, the connection sits in the "connecting" state and then, after about 30 seconds, shows "failed".
The DFL logs show the same thing. (Although, with some other parameters, the log showed something like an IP/ID mismatch.)

3. When trying to connect from iOS over IKEv2 and IPSec, the log content is identical to the situation where the phase 1 algorithms are chosen incorrectly.
When trying to connect over L2TP: IP and ID mismatch.

What should I do, where should I dig? Is it possible at all to bring up a tunnel under these conditions?

IPsec settings:

Attachment: IPsec settings 1 (IPSec_01.jpg)

Attachment: IPsec settings 2 (IPSec_02.jpg)

Attachment: IPsec settings 3 (IPSec_03.jpg)

Last edited by aNGEl0 on Wed Aug 15, 2018 13:01; edited 1 time in total.
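The post above shows three different failure shapes in the DFL log: a phase 1 failure where no IKE proposal is accepted (ike_invalid_proposal / ike_sa_failed with "No proposal chosen"), a phase 2 failure where the IKE SA comes up but the IPsec SA is refused because the peer ID or traffic selector does not match (ipsec_sa_failed), and packets that match no configured tunnel at all (no_matching_tunnel_found). Telling these apart is the first step before touching any settings. The script below is an added example, not code from the thread or from D-Link; it assumes the single-line "date time severity IPSEC id event key=value ..." layout seen in the post, and the log lines it contains are constructed from the shapes above with documentation addresses (203.0.113.1 as the DFL, 198.51.100.x as remote peers) in place of the redacted ones.

```powershell
# Added example, not from the forum thread. Classifies DFL-style IPsec log
# lines into phase 1 proposal, phase 2 ID/selector, or no-tunnel failures.
# Sample lines are constructed; addresses are RFC 5737 documentation ranges.

$SampleLog = @'
2018-08-15 12:27:15 Info IPSEC 1800904 ike_sa_created local_ip=203.0.113.1 remote_ip=198.51.100.7 local_id=203.0.113.1 remote_id=192.168.1.20 algorithms=aes256-cbc/hmac-sha1-96/hmac-sha1/MODP_2048 mode=Main ikeversion=1 local_behind_nat=TRUE remote_behind_nat=TRUE
2018-08-15 12:27:15 Info IPSEC 1802049 ipsec_sa_failed ipsec_sa_disabled statusmsg="No proposal chosen" reason="Peer IP address mismatch. Local Traffic Selector mismatch." local_peer="203.0.113.1:4500 ID 203.0.113.1" remote_peer="198.51.100.7:57944 ID 192.168.1.20"
2018-08-15 12:40:56 Error IPSEC 1802221 no_matching_tunnel_found packet_will_be_discarded localaddr=203.0.113.1 remoteaddr=198.51.100.7 srcif=wan
2018-08-15 12:40:56 Warning IPSEC 1802022 ike_sa_failed no_ike_sa statusmsg="No proposal chosen" reason="" local_peer="203.0.113.1:500 ID (null)" remote_peer="198.51.100.7:500 ID (null)"
2018-08-15 12:44:57 Warning IPSEC 1800107 ike_invalid_proposal local_ip=203.0.113.1 remote_ip=198.51.100.9 reason="Could not find acceptable proposal"
'@

function Get-IpsecFailureClass {
    param([Parameter(Mandatory)] [string]$Line)

    # Assumed layout: <date> <time> <severity> IPSEC <event id> <event name> key=value ...
    if ($Line -notmatch '^\S+ \S+ (?<sev>\S+) IPSEC (?<id>\d+) (?<event>\S+)') { return $null }
    $event = $Matches.event

    $reason = ''
    if ($Line -match 'reason="(?<r>[^"]*)"') { $reason = $Matches.r }
    $status = ''
    if ($Line -match 'statusmsg="(?<s>[^"]*)"') { $status = $Matches.s }

    # The remote address is keyed differently depending on the event.
    $remote = '?'
    if ($Line -match 'remote(?:_ip|addr)=(?<ip>\S+)') { $remote = $Matches.ip } elseif ($Line -match 'remote_peer="(?<ip>[^:"]+):') { $remote = $Matches.ip }

    $class = $null
    switch ($event) {
        'ike_invalid_proposal'     { $class = 'phase1-proposal' }
        'ike_sa_failed'            { $class = if ($status -eq 'No proposal chosen') { 'phase1-proposal' } else { 'phase1-other' } }
        'ipsec_sa_failed'          { $class = if ($reason -match 'Traffic Selector|IP address mismatch') { 'phase2-id-or-selector' } else { 'phase2-other' } }
        'no_matching_tunnel_found' { $class = 'no-tunnel-for-peer' }
    }
    if ($null -eq $class) { return $null }   # informational events (ike_sa_created, statistics) are skipped

    $detail = if ($reason) { $reason } else { $status }
    [pscustomobject]@{
        Remote = $remote
        Event  = $event
        Class  = $class
        Detail = $detail
    }
}

$SampleLog -split "`r?`n" |
    ForEach-Object { Get-IpsecFailureClass -Line $_ } |
    Where-Object { $null -ne $_ } |
    Format-Table -AutoSize
```

Feed the script a real exported log instead of $SampleLog (for example `Get-Content dfl.log | ForEach-Object { Get-IpsecFailureClass -Line $_ }`) and group on the Class column: a run of phase1-proposal entries means the IKE algorithm set or IKE version offered by the client is not in the tunnel's proposal list, while phase2-id-or-selector entries mean phase 1 succeeded and the tunnel's remote endpoint or local/remote network definitions rejected the peer, as the post's own L2TP log shows.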

Error code: 13868

This error can occur when using the IKEv2 protocol and the IKEv2 security settings configured on the client don’t match the settings configured on the server.

What is VPN connection error 13868?

Error code 13868 translates to ERROR_IPSEC_IKE_POLICY_MATCH. Essentially this error indicates that the IKEv2 security policy on the client did not match the configuration on the server.

What are the error codes for always on VPN?

Always On VPN administrators will be familiar with error codes such as 809, 691 and 812, 853, 858, and even 13801, 13806, and 13868.

What is 13806 always on VPN?

Error code: 13806

Contact your network security administrator about installing a valid certificate in the appropriate certificate store. Possible cause: this error typically occurs when no machine certificate or root machine certificate is present on the VPN server.

Why is my always on VPN not connecting?

If the AOVPN setup doesn’t connect clients to your internal network, the cause is likely an invalid VPN certificate, incorrect NPS policies, issues that affect the client deployment scripts, or issues that occur in Routing and Remote Access.

Always On VPN Deployment Guide

How do I make my VPN always connected?

  1. If you haven’t already, add a VPN.
  2. Open your phone’s Settings app.
  3. Tap Network & internet. VPN. …
  4. Next to the VPN you want to change, tap Settings .
  5. Turn Always-on VPN on or off. If you’ve set up a VPN through an app, you won’t have the always-on option.
  6. If needed, tap Save.

How do I stop VPN from blocking my internet?

When your VPN gets blocked, a manual VPN connection might be your best solution. You can try setting up a VPN connection manually on your device (for example, it’s possible on Windows 10) via inbuilt VPN functionality or an app like OpenVPN Connect or strongSwan.

Should you always have VPN turned on?

You should use a Virtual Private Network (VPN) whenever you’re online. By doing so, you make sure that your data and privacy are protected. Without a VPN, your every action online may be monitored and taken advantage of. A VPN encrypts all of your data, effectively hiding any information about you from prying eyes.

Is it safe to always on VPN?

Security: Always On VPN has new, advanced security capabilities to restrict the type of traffic, which applications can use the VPN connection, and which authentication methods you can use to initiate the connection. When the connection is active most of the time, it is especially important to secure the connection.

Is it good to always have VPN on?

Always keeping a VPN on is necessary to ensure that your device and personal information are protected. For instance, a VPN (Virtual Private Network) that is always on can protect you from cyberthreats on public Wi-Fi.

How do I fix VPN error?

How to Fix VPN Not Connecting

  1. Change your VPN server. If something is wrong with that particular node, switching to a different one will help. …
  2. Reboot the device (and the router). …
  3. Temporarily disable firewalls/antivirus/anti-spyware. …
  4. Connect using a different protocol. …
  5. Reinstall & reboot. …
  6. Switch networks.

What is error code 13801 on always on VPN?

Certificate Chain

A 13801 error will occur if the client does not trust the certificate installed on the VPN server. Ensure the client has all the necessary root and intermediate certification authority (CA) certificates installed in their respective certificate stores.

What is always on VPN 13899?

Error code: 13899

If the VPN server is configured to assign IP addresses from a static pool, check if all available addresses have been allocated. If so, add additional IP address space to the pool.

How to reset VPN?

In the portal, go to the virtual network gateway that you want to reset. On the Virtual network gateway page, in the left pane, scroll down to the Support + Troubleshooting section and select Reset. On the Reset page, click Reset.

How do I fix VPN on Chrome?

5 Ways to Fix VPN Connection Issues in Google Chrome

  1. Clear browsing data.
  2. Disable proxy server.
  3. Disable Chrome extensions.
  4. Flush DNS cache.
  5. Check firewall settings.
  6. Use updated VPN app.
  7. Disable network lock in VPN app.

How to setup VPN in network security?

How to Set up a VPN on Your Router

  1. Type your router’s internet protocol (IP) address and password to log into your admin panel.
  2. Find the VPN option in the settings.
  3. Select the option for VPN client, not VPN server.
  4. Enter the correct settings. …
  5. Complete any additional steps your router may request.

What does always on VPN mean?

Always On VPN is Microsoft’s technology for Windows 10 clients that replaces DirectAccess and provides secure remote access for clients. Unlike the older DirectAccess, the VPN connection is “always on”: once established, it stays securely connected to the internet.

Is VPN needed for home Wi-Fi?

Most people won’t need to log into a VPN service when accessing the internet from home, whether from an Android phone, a Windows computer, or other connected device. That doesn’t mean, though, that VPNs aren’t important online privacy tools, particularly when you’re accessing the internet on the go.

Why would you turn off VPN?

While it’s recommended to use a VPN at all times, there are a few scenarios when you might want to disable it for a short while. Situations in which you may wish to disconnect a VPN include: troubleshooting network issues; setting up an internet connection for the first time.

Why should I disable VPN?

Turning off your VPN reveals your IP address, identity, and data to interested parties, including snoopers and cybercrooks. You’ll also lose secure access to your favorite content on certain networks. We recommend you always keep your VPN on and only disconnect if absolutely necessary.

Should VPN be on or off on my phone?

Should I Run a VPN on My iPhone or Android Smartphone? Yes, You Should! A VPN (virtual private network) is a service that provides a secure Internet connection by using private servers in remote locations. All data traveling between your computer, smartphone or tablet and the VPN server is securely encrypted.

Can VPN block my Wi-Fi?

The flow of traffic to and from a VPN server is managed by VPN ports. Just like VPN protocols, some ports might also get blocked, causing no internet access when connected to VPN.

Can Wi-Fi block you from using a VPN?

Yes, public Wi-Fi networks can block you from accessing them with a VPN. Whoever is hosting the connection gets to choose the terms of use, so occasionally, they will block them. However, anybody who intentionally blocks you from using a VPN is generally only doing it so they can track your online activity.

Can my internet provider block me from using VPN?

Yes, an ISP can block a VPN by blocking IP addresses associated with a certain VPN provider or disabling communication ports. If you’re unable to connect to the internet when using a VPN, your ISP might be restricting the access. You can solve this problem by switching to a different server, port, or protocol.

How does always on VPN know when to connect?

When deploying Windows 10 Always On VPN, administrators can configure Trusted Network Detection (TND) which enables clients to detect when they are on the internal network. With this option set, the client will only automatically establish a VPN connection when it is outside the trusted network.

I don't know where to find the Windows logs, but I can post the server logs.

Mar  9 06:33:04 Babee charon: 14[NET] received packet: from MYIP[18168] to 45.32.243.173[500] (376 bytes)
Mar  9 06:33:04 Babee charon: 14[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V V V V ]
Mar  9 06:33:04 Babee charon: 14[IKE] received MS NT5 ISAKMPOAKLEY v9 vendor ID
Mar  9 06:33:04 Babee charon: 14[IKE] received MS-Negotiation Discovery Capable vendor ID
Mar  9 06:33:04 Babee charon: 14[IKE] received Vid-Initial-Contact vendor ID
Mar  9 06:33:04 Babee charon: 14[ENC] received unknown vendor ID: 01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:02
Mar  9 06:33:04 Babee charon: 14[IKE] MYIP is initiating an IKE_SA
Mar  9 06:33:04 Babee charon: 14[IKE] remote host is behind NAT
Mar  9 06:33:04 Babee charon: 14[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
Mar  9 06:33:04 Babee charon: 14[NET] sending packet: from 45.32.243.173[500] to MYIP[18168] (272 bytes)

I still get the Policy Match Error

EDIT: Found the client logs:

MY NAME dialed a connection named MYDOMAIN which has failed. The error code returned on failure is 13868.
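The client-side record the poster eventually found is the RasClient event 20227 in the Application log, which carries the error code in its message text. The following script is an added example, not code from the thread or from strongSwan; on a Windows client it lists recent 20227 events, extracts the connection name and error code from each message, and annotates the codes that the articles on this page describe, so that a failure can be lined up by time with the matching charon entries on the server. Nothing in it is specific to strongSwan; the message shape it parses is the one quoted above.

```powershell
# Added example, not from the thread. Lists RasClient 20227 events on a
# Windows client and parses the connection name and error code from them.
# Meanings are limited to the codes described on this page.

$KnownCodes = @{
    13868 = 'ERROR_IPSEC_IKE_POLICY_MATCH: client and server IKEv2 policy differ'
    13801 = 'client does not trust the VPN server certificate (missing root/intermediate CA)'
    13806 = 'no machine certificate or root certificate present on the VPN server'
    13899 = 'static address pool on the VPN server exhausted'
}

function ConvertFrom-RasClientMessage {
    param([Parameter(Mandatory)] [string]$Message)
    # Message shape: "<user> dialed a connection named <name> which has failed.
    # The error code returned on failure is <code>."
    $conn = '?'
    if ($Message -match 'dialed a connection named (?<c>.+?) which has failed') { $conn = $Matches.c }
    $code = $null
    if ($Message -match 'error code returned on failure is (?<e>\d+)') { $code = [int]$Matches.e }
    $meaning = ''
    if ($null -ne $code -and $KnownCodes.ContainsKey($code)) { $meaning = $KnownCodes[$code] }
    [pscustomobject]@{ Connection = $conn; ErrorCode = $code; Meaning = $meaning }
}

function Get-RasClientFailure {
    param([int]$MaxEvents = 20)
    $filter = @{ LogName = 'Application'; ProviderName = 'RasClient'; Id = 20227 }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $parsed = ConvertFrom-RasClientMessage -Message $_.Message
            [pscustomobject]@{
                Time       = $_.TimeCreated
                Connection = $parsed.Connection
                ErrorCode  = $parsed.ErrorCode
                Meaning    = $parsed.Meaning
            }
        }
}

# Check the parser against a constructed message in the shape the post quotes.
ConvertFrom-RasClientMessage -Message 'MY NAME dialed a connection named MYDOMAIN which has failed. The error code returned on failure is 13868.'

# Live query of the local Application log (empty if there are no 20227 events).
Get-RasClientFailure | Format-Table -AutoSize
```

Run it in an elevated PowerShell window on the client. The Time column of a 13868 row is what to search for in /var/log/strongswan.log once the charon file logger from the reply below is enabled: the IKE_SA_INIT exchange shown in the server log above completes, so the mismatch will appear in the entries that follow it.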

To find out what is the problem you should, as a first step, turn on logging and see what happens during the connection process. Here is the example config I use on my server.

/etc/strongswan.d/charon-logging.conf

charon {
    # Section to define file loggers, see LOGGER CONFIGURATION in
    # strongswan.conf(5).
    filelog {
        # <filename> is the full path to the log file.
        /var/log/strongswan.log {

            # Loglevel for a specific subsystem.
            # <subsystem> = <default>

            # If this option is enabled log entries are appended to the existing
            # file.
            append = yes

            # Default loglevel.
            default = 2

            # Enabling this option disables block buffering and enables line
            # buffering.
            # flush_line = no

            # Prefix each log entry with the connection name and a unique
            # numerical identifier for each IKE_SA.
            ike_name = yes

            # Adds the milliseconds within the current second after the
            # timestamp (separated by a dot, so time_format should end with %S
            # or %T).
            # time_add_ms = no

            # Prefix each log entry with a timestamp. The option accepts a
            # format string as passed to strftime(3).
            # time_format =
        }
    }
}

You can use it and analyze the log file to discover the issue. If you are not able to figure it out, post a connection log here and I will try to help you.
