IKEv2 mobile VPN - Policy Match Error

Hello, I'm trying to connect a Win Server 2019 machine to a Firebox VPN using IKEv2. The Firebox is an XTM25. I've tried with the default IKEv2 VPN settings as well as with many edits to the config (mostly security settings) to try and get this going, but I still consistently encounter the same 2 errors: "Policy match error" and/or "Unknown error occurred". Extensive searches online have turned up many results, but none that have been able to help me so far. I've tried many solutions that relate to Win10 (including creating a reg key to force the system to use higher DH groups), but this proved fruitless as expected.
I am using the client profile downloaded from the Firebox to add the VPN connection to the server. I have also tried adding it manually with identical results.
If it helps: I was able to successfully create and connect an SSL VPN using the same machine and Firebox.
I've verified the user account created for this connection is a member of the IKEv2 users groups on the Firebox. I've verified the external address wasn't mistyped. I've tried reverting the security settings back to defaults (I have other Fireboxes to review settings on for this) as well as matching the settings to an existing, fully functional IKEv2 VPN we have working on a different Firebox (different model as well, however).
I've probably missed a few details; hopefully I can find some help here, and I'm more than willing to retry things I've already tried on the off chance I missed a minor detail.
Thank you


  • Options

    Yes, this is one of the guides I followed to initially set this up. This along with the WG guide on configuring an IKEv2 mobile VPN on the Firebox.

  • Options

    Then consider opening a support incident to get WG help in getting this working.

    Also, you can turn on diagnostic logging for IKE which may show something to help:
    In WSM Policy Manager: Setup -> Logging -> Diagnostic Log Level -> VPN -> IKE
    In the Web UI: System -> Diagnostic Log
    Set the slider to Information or higher

  • Options

    I'll likely end up going that route, thanks.

    One thing I've noticed as I review these instructions is that on the client machine, when running the client profile install, I get a single cmd window instead of the mentioned two PowerShell windows. Any thoughts on this?

  • Options

    I've never tried this.
    I have only used the Shrew client for an IPSec connection.

  • Options

    Solved - we had an IKEv2 BOVPN tunnel routing to the same location that this mobile VPN wanted to connect to. Disabling that tunnel is allowing the VPN to work while this server is still on site with us. Through testing we've determined we can re-add our BOVPN once the server is shipped to its permanent location. Adding this reply in case it helps anyone else in the future.
