IKEv2 mobile VPN - Policy Match Error
Hello, I'm trying to connect a Win Server 2019 machine to a Firebox VPN using IKEv2. The Firebox is an XTM25. I've tried with the default IKEv2 VPN settings as well as with many edits to the config (mostly security settings) to try and get this going, but I still consistently encounter the same two errors: "Policy match error" and/or "Unknown error occurred". Extensive searches online have turned up many results, but none that have been able to help me so far. I've tried many solutions that relate to Win10 (including creating a reg key to force the system to use higher DH groups), but this proved fruitless, as expected.
I am using the client profile downloaded from the Firebox to add the VPN connection to the server. I have also tried adding it manually with identical results.
If it helps, I was able to successfully create and connect an SSL VPN using the same machine and Firebox.
I've verified the user account created for this connection is a member of the IKEv2 users group on the Firebox. I've verified the external address wasn't mistyped. I've tried reverting the security settings back to defaults (I have other Fireboxes to review settings on for this) as well as matching the settings to an existing, fully functional IKEv2 VPN we have working on a different Firebox (a different model as well, however).
I've probably missed a few details; hopefully I can find some help here, and I'm more than willing to retry things I've already tried on the off chance I missed a minor detail.
Thank you
Comments
Have you reviewed this?
Configure Windows Devices for Mobile VPN with IKEv2
https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/mvpn/ikev2/mvpn_ikev2_windows_client.html
Yes, this is one of the guides I followed to initially set this up. This along with the WG guide on configuring an IkeV2 mobile VPN on the Firebox.
Then consider opening a support incident to get WG help in getting this working.
Also, you can turn on diagnostic logging for IKE, which may show something to help:
In WSM Policy Manager: Setup -> Logging -> Diagnostic Log Level -> VPN -> IKE
In the Web UI: System -> Diagnostic Log
Set the slider to Information or higher
I'll likely end up going that route, thanks.
One thing I've noticed as I review these instructions is that on the client machine, when running the client profile install, I get a single cmd window instead of the two PowerShell windows mentioned. Any thoughts on this?
None.
I've never tried this.
I have only used the Shrew client for an IPSec connection
Solved - we had an IKEv2 BOVPN tunnel routing to the same location that this mobile VPN wanted to connect to. Disabling that tunnel is allowing the VPN to work while this server is still on site with us. Through testing we've determined we can re-add our BOVPN once the server is shipped to its permanent location. Adding this reply in case it helps anyone else in the future.