[strongSwan] Windows gives error 13868: Policy match error but Linux connect works
Dirk Hartmann
dha at heise.de
Fri May 4 08:47:42 CEST 2018
--On Friday, May 04, 2018 04:53:29 PM +1200 flyingrhino
<flyingrhino at orcon.net.nz> wrote:
> Hi,
>
> Just to keep a complete record of this for other people who may
> search the list archive for this solution:
>
> The solution was to create a windows registry key:
> Path: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Rasman\Parameters
> Key: NegotiateDH2048_AES256
> Type: DWORD 32bit
> Value: 1
>
> If you need to roll this out across multiple machines as I did - once
> you do the first machine, you can select the new key you just edited
> and do: File -> Export , select type reg.
> Then on subsequent machines the user simply double clicks the file
> and it gets imported automatically.
>
> Hope this helps other people who find this post.
To add to the tip: I distribute a PowerShell script to road warriors to
set up the complete VPN connection. Maybe someone would like to use parts of
it:
############
# Enable AES-256 / DH 2048 in RasMan (the registry tweak from the thread)
echo "activate higher encryption"
reg add HKLM\System\CurrentControlSet\Services\Rasman\Parameters /v NegotiateDH2048_AES256 /t REG_DWORD /d 2 /f

# Write the CA certificate (PKCS#7, shortened here) to a temp file and import it
# into the machine's Trusted Root store
echo "import CA"
echo "-----BEGIN PKCS7-----
MII.....
....=
-----END PKCS7-----
" > c:\certtmp.p7b
Import-Certificate -FilePath c:\certtmp.p7b -CertStoreLocation 'Cert:\LocalMachine\Root'
del c:\certtmp.p7b
sleep 1

# Create the IKEv2 connection for all users and disable split tunneling
echo "Make VPN"
Add-VpnConnection -Name "<VPNNAME>" -ServerAddress "<SERVERNAME>" -TunnelType "Ikev2" -AllUserConnection -EncryptionLevel Required
echo "added"
Set-VpnConnection -Name "<VPNNAME>" -AllUserConnection -SplitTunneling $false
echo "split out"

# Pin the IKEv2/IPsec proposal to AES-256 / SHA-256 / DH group 14
# (-AllUserConnection is required because the connection was created in the all-users store)
Set-VpnConnectionIPsecConfiguration -ConnectionName "<VPNNAME>" -AllUserConnection -AuthenticationTransformConstants SHA256128 -CipherTransformConstants AES256 -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 -PfsGroup None -DHGroup Group14 -PassThru -Force
echo "parameter set"
sleep 1
echo "all set"
############
Cheers
Dirk
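A companion check script, added here as an example and not part of the thread or of Dirk's script: it reads back the registry value and the connection's IKEv2 policy and reports anything that does not match what the setup script configures, which is useful when a road warrior still reports error 13868. The connection name placeholder and the property names under Get-VpnConnection's IPsecCustomPolicy object are assumptions.

```powershell
# Added verification script (assumptions: the "<VPNNAME>" placeholder and the
# property names on Get-VpnConnection's IPsecCustomPolicy object).
$VpnName = "<VPNNAME>"
$RegPath = 'HKLM:\System\CurrentControlSet\Services\Rasman\Parameters'

# Expected IKEv2 proposal, mirroring the Set-VpnConnectionIPsecConfiguration call
$Expected = @{
    AuthenticationTransformConstants = 'SHA256128'
    CipherTransformConstants         = 'AES256'
    EncryptionMethod                 = 'AES256'
    IntegrityCheckMethod             = 'SHA256'
    PfsGroup                         = 'None'
    DHGroup                          = 'Group14'
}
$problems = @()

# 1. Registry: the thread sets NegotiateDH2048_AES256 to 1 or 2; if it is absent
#    or 0, RasMan proposes its defaults and strongSwan answers with 13868.
$reg = Get-ItemProperty -Path $RegPath -Name NegotiateDH2048_AES256 -ErrorAction SilentlyContinue
if (-not $reg) {
    $problems += 'NegotiateDH2048_AES256 is not set'
} elseif ($reg.NegotiateDH2048_AES256 -eq 0) {
    $problems += 'NegotiateDH2048_AES256 is 0 (RasMan defaults in effect)'
}

# 2. Connection: it was created with -AllUserConnection, so query that store.
$vpn = Get-VpnConnection -Name $VpnName -AllUserConnection -ErrorAction SilentlyContinue
if (-not $vpn) {
    $problems += "VPN connection '$VpnName' not found in the all-users store"
} else {
    if ($vpn.TunnelType -ne 'Ikev2') { $problems += "TunnelType is '$($vpn.TunnelType)', expected 'Ikev2'" }
    if ($vpn.SplitTunneling)        { $problems += 'Split tunneling is enabled' }
    $policy = $vpn.IPsecCustomPolicy
    if (-not $policy) {
        $problems += 'No custom IPsec policy set (Windows defaults in effect)'
    } else {
        foreach ($k in $Expected.Keys) {
            $actual = [string]$policy.$k
            if ($actual -ne $Expected[$k]) { $problems += "$k is '$actual', expected '$($Expected[$k])'" }
        }
    }
}

if ($problems.Count -eq 0) {
    Write-Output "OK: '$VpnName' matches the expected IKEv2 policy"
} else {
    $problems | ForEach-Object { Write-Output "MISMATCH: $_" }
    exit 1
}
```

Run it in an elevated PowerShell on the client; a non-zero exit code flags a machine that still needs the setup script.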