IKEv2 VPN "Policy Match error" on Windows 10 Mobile after security mod

  • Question

  • We have an issue with a company VPN. A security audit recently revealed that our default RRAS VPN setup was fairly insecure; we followed Steven Jordan's suggestions in his article on the topic:

    After adding the DWORD value to the registry as suggested (on both the server and client systems), all is happy, EXCEPT:

    ... it is now impossible to get our Windows 10 phone devices (we have several Lumia 950s and 950XLs being used in the field) to connect to the company public or private VPNs. The connection always fails with:

    "Policy match error"

    ...which is to be expected, since the cipher suites no longer match up and IKEv2 cannot properly set up the tunnels.

    Frustratingly, the couple of field devices we have running StrongSwan on Android work just fine, as do other connection devices (we have two off-site routers that make/break temporary VPN connections and some IoT Azure Sphere devices).

    So, what I'm asking:

    Given that there seems to be no way for us to edit the registry on these devices (I tried using WICD provisioning, but that didn't work - although it did allow me to control SPLIT_TUNNELING which was very helpful), how might one go about making the Windows 10 Phones perform the same way that our Windows desktop machines do - i.e., connecting to the VPN as per usual? We need to continue to use these phones until the end of their support lifetime - can't afford to replace them all plus there's Continuum which no other phones seem to be able to match.

    Thanks in advance

    (Repost from Windows 10 IT Pro topic)

    "I'm anispeptic, frasmotic, even compunctual to have caused you such pericombobulation."

    Saturday, December 8, 2018 6:30 AM
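The question attributes the "Policy match error" to the two ends no longer sharing an IKEv2 proposal after the registry change. The following is an added example, not code from the thread or from the article it references: it makes the proposal explicit on both a Windows RRAS server and a Windows desktop client with the RemoteAccess and VpnClient cmdlets (an alternative to the registry DWORD route the thread uses) and reads the effective policy back on each side so a mismatch can be spotted before a phone is blamed. The connection name, the algorithm set and the lifetime values are assumptions chosen for the example; Windows 10 Mobile devices cannot run the client half, which is the gap the question describes.

```powershell
# Added example (not from the thread). Declares one IKEv2/IPsec suite on the RRAS
# server and on a Windows desktop client, then reads both back for comparison.
# Connection name, suite and lifetimes below are assumptions, not thread values.

# --- Server side: run elevated on the RRAS server ---
Import-Module RemoteAccess

# Custom IKEv2 policy: AES-256 / SHA-256, DH group 14 (2048-bit MODP), PFS 2048.
Set-VpnServerIPsecConfiguration -CustomPolicy `
    -EncryptionMethod AES256 `
    -IntegrityCheckMethod SHA256 `
    -CipherTransformConstants AES256 `
    -AuthenticationTransformConstants SHA256128 `
    -DhGroup Group14 `
    -PfsGroup PFS2048 `
    -SaLifeTimeSeconds 28800 `
    -SaDataSizeForRenegotiationKilobytes 102400

# Read back what the server will actually offer during IKE_SA_INIT.
Get-VpnServerIPsecConfiguration

# --- Client side: run on a Windows desktop that holds the VPN profile ---
$name = 'Company-IKEv2'   # assumed connection name

# The client proposal must contain the same suite; otherwise the IKE exchange
# fails and the client reports "Policy match error" (ERROR_IPSEC_IKE_POLICY_MATCH).
Set-VpnConnectionIPsecConfiguration -ConnectionName $name `
    -EncryptionMethod AES256 `
    -IntegrityCheckMethod SHA256 `
    -CipherTransformConstants AES256 `
    -AuthenticationTransformConstants SHA256128 `
    -DHGroup Group14 `
    -PfsGroup PFS2048 `
    -Force

# Read back the client's custom policy and compare it with the server output above.
Get-VpnConnection -Name $name | Select-Object Name, TunnelType -ExpandProperty IPsecCustomPolicy
```

Run the server half first and keep its output next to the client output; every field (encryption, integrity, transform constants, DH group, PFS group) has to agree for the tunnel to come up. A client that cannot be configured this way, such as the phones in the question, will only connect to a server whose offered suite still overlaps with whatever that client ships with, which is why the thread ends up with a separate portal for them.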

All replies

  • Have you found a solution by any chance?
    Thursday, January 31, 2019 1:59 AM
  • Nope. Furthermore, yours was the only reply.

    Ended up working around it by creating a separate RRAS portal just for these phones; the Android phones will use the original portal. The secondary RRAS portal is geo-limited and won't accept incoming connections from anywhere outside the US.

    After December, when the Windows phones go out of support, my company will switch to Android, and we'll shut the Windows Phone RRAS portal down for good.

    Hopefully, someday, MSFT will sell a Surface device with LTE or 5G, small enough to fit in a pocket or to carry on an airplane without taking it out of a briefcase. That would solve our problem. We live and breathe Windows, so Android is kind of second fiddle.

    BTW, if one wants to weaken the Android StrongSwan client to the point where it will connect to an unmodified RRAS portal (we didn't choose that route), one can add the following settings to the StrongSwan VPN Profile:

    IKEv2 Algorithms:

    I tried this, it works.

    "I'm anispeptic, frasmotic, even compunctual to have caused you such pericombobulation."

    Thursday, January 31, 2019 7:58 PM