[strongSwan] Windows gives error 13868: Policy match error but Linux connect works

Dirk Hartmann dha at heise.de
Fri May 4 08:47:42 CEST 2018

--On Friday, May 04, 2018 04:53:29 PM +1200 flyingrhino 
<flyingrhino at orcon.net.nz> wrote:

> Hi,
> Just to keep a complete record of this for other people who may
> search the list archive for this solution:
> The solution was to create a windows registry key:
> Path:
> HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Rasman\Parameter
> s  Key: NegotiateDH2048_AES256
> Type: DWORD 32bit
> Value: 1
> If you need to roll this out across multiple machines as I did - once
> you do the first machine, you can select the new key you just edited
> and do: File -> Export  , select type reg.
> Then on subsequent machines the user simply double clicks the file
> and it gets imported automatically.
> Hope this helps other people who find this post.

to add to the tip I distribute a powershell script to roadwarriors to 
setup the complete VPN-Connection. Maybe someone likes to use parts of 

echo "activate higher encryption"
reg add HKLM\System\CurrentControlSet\Services\Rasman\Parameters /v 
NegotiateDH2048_AES256 /t REG_DWORD /d 2 /f

echo "import CA"
echo "-----BEGIN PKCS7-----
-----END PKCS7-----
" > c:\certtmp.p7b

import-certificate -FilePath c:\certtmp.p7b -CertStoreLocation 

del c:\certtmp.p7b

sleep 1

echo "Make VPN"
Add-VpnConnection -Name "<VPNNAME>" -ServerAddress <SERVERNAME> 
-TunnelType "Ikev2" -AllUserConnection -EncryptionLevel Required

echo "added"

Set-VPNConnection -Name "<VPNNAME>" -AllUserConnection -SplitTunneling 0

echo "split out"

Set-VPNConnectionIPsecConfiguration -ConnectionName "<VPNNAME>" 
-AuthenticationTransformConstants SHA256128 -CipherTransformConstants 
AES256 -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 -PfsGroup 
None -DHGroup Group14 -PassThru-Force

echo "parameter set"

sleep 1

echo "all set"


More information about the Users mailing list