Algo: Ubuntu 16.04.3
Client: Windows 10 X64
2.2.0.0
requirements.txt:
msrestazure: 0.4.18
setuptools: 38.2.3
dopy: 0.3.5
boto: 2.48.0
boto3: 1.4.8
azure: 2.0.0rc5
msrest: 0.4.1
apache-libcloud: 2.2.1
six: 1.11.0
pyopenssl: 17.5.0
jinja2: 2.8
I have an issue where Algo has stopped working after another VPN service called TunnelBear was installed on the Windows 10 machines. Once this VPN was installed, it is now impossible to connect to my Algo server without getting a Policy Match Error. This issue persists after both completely removing the Algo VPN and user certificates and attempting to reinstall. In addition, this issue does not go away if I make a new Algo server and ensure that I enable weaker ciphers so that it works with Windows 10. I have tested this now on 3 different Windows machines and they all immediately stop working after that VPN solution is installed. I cannot seem to figure out what may have changed that would persist even after fully removing everything and starting fresh.
Set up Algo VPN connection on Windows
Install TunnelBear
Cloud
Algo VPN should connect
Algo VPN no longer connects
Sorry, I don't know how to debug this! I don't use TunnelBear.
Same here. Removing TunnelBear doesn't help :(
Same problem here, except I installed TunnelBear before running the Algo script. I tried uninstalling TunnelBear, deleting the VPN, and running the script again, but I get the same Policy Match Error. I don't know if the problem is related to TunnelBear or not.
I tried using the PowerShell script on another Windows machine that is updated to the Windows 2018 Spring Creators Update and it ran fine. This makes me think that TunnelBear is indeed causing an issue that is not reversed after uninstalling it.
Other people had this issue without TunnelBear. The worst part is I can't figure out how to find logs for VPN in Win10.
If it helps anyone, here are my log results:
```
CoId={0FA22D74-4330-42AF-A381-DA0FE0335A4E}: The user Tim-PC\Tim has started dialing a VPN connection using a per-user connection profile named Algo VPN IKEv2. The connection settings are:
Dial-in User =
VpnStrategy = IKEv2
DataEncryption = Require
PrerequisiteEntry =
AutoLogon = No
UseRasCredentials = Yes
Authentication Type = Machine Certificate
Ipv4DefaultGateway = Yes
Ipv4AddressAssignment = By Server
Ipv4DNSServerAssignment = By Server
Ipv6DefaultGateway = Yes
Ipv6AddressAssignment = By Server
Ipv6DNSServerAssignment = By Server
IpDnsFlags =
IpNBTEnabled = Yes
UseFlags = Private Connection
ConnectOnWinlogon = No
Mobility enabled for IKEv2 = Yes.
CoId={0FA22D74-4330-42AF-A381-DA0FE0335A4E}: The user Tim-PC\Tim is trying to establish a link to the Remote Access Server for the connection named Algo VPN IKEv2 using the following device:
Server address/Phone Number = ###.###.###.###
Device = WAN Miniport (IKEv2)
Port = VPN2-1
MediaType = VPN.
CoId={0FA22D74-4330-42AF-A381-DA0FE0335A4E}: The user Tim-PC\Tim has successfully established a link to the Remote Access Server using the following device:
Server address/Phone Number = ###.###.###.###
Device = WAN Miniport (IKEv2)
Port = VPN2-1
MediaType = VPN.
CoId={0FA22D74-4330-42AF-A381-DA0FE0335A4E}: The link to the Remote Access Server has been established by user Tim-PC\Tim.
CoId={0FA22D74-4330-42AF-A381-DA0FE0335A4E}: The user Tim-PC\Tim dialed a connection named Algo VPN IKEv2 which has failed. The error code returned on failure is 13868.
CoId={0FA22D74-4330-42AF-A381-DA0FE0335A4E}: The user Tim-PC\Tim dialed a connection named Algo VPN IKEv2 which has terminated. The reason code returned on termination is 631.
```
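For readers asking where these messages come from, the following is an added example and not part of the original thread or of Algo. It assumes the messages are written to the Application event log by the `RasClient` provider; the function name `Get-RasDialFailure` is hypothetical. It pulls the failure and termination codes for one connection profile, so the 13868 (Win32 `ERROR_IPSEC_IKE_POLICY_MATCH`, "Policy match error") seen above can be found without scrolling through Event Viewer.

```powershell
# Added example: summarise failed dial attempts logged by the Windows VPN client.
# Assumption: events come from the "RasClient" provider in the Application log.
$KnownCodes = @{
    13868 = 'ERROR_IPSEC_IKE_POLICY_MATCH (policy match error)'
}

function Get-RasDialFailure {
    param(
        [string]$ConnectionName = 'Algo VPN IKEv2',  # profile name from the log above
        [int]$MaxEvents = 200
    )
    $filter = @{ LogName = 'Application'; ProviderName = 'RasClient' }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match [regex]::Escape($ConnectionName) } |
        ForEach-Object {
            # Each dial attempt shares one CoId, which ties the messages together.
            $coId = if ($_.Message -match 'CoId=\{([0-9A-Fa-f-]+)\}') { $Matches[1] }
            # Matches "error code returned on failure is N" and
            # "reason code returned on termination is N".
            $code = if ($_.Message -match '(?:error|reason) code returned on \w+ is (\d+)') {
                [int]$Matches[1]
            }
            if ($null -ne $code) {
                [pscustomobject]@{
                    TimeCreated = $_.TimeCreated
                    CoId        = $coId
                    Code        = $code
                    Meaning     = $KnownCodes[$code]   # empty for codes not listed
                }
            }
        }
}

Get-RasDialFailure | Sort-Object TimeCreated | Format-Table -AutoSize
```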
I solved the problem!
Open the “Run” window while pressing Windows button+R on your keyboard at the same time. Type in regedit. Then, navigate to this directory:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Parameter
Right-click on the parameter named NegotiateDH2048_AES256 and set the value to 0.
Note that changing this value may result in other VPN services ceasing to work, so you might want to write down the value before changing it.
@tharri this is awesome!!
Thank you!
I have been setting it to 2, thinking it needs a stronger encryption, but 0 did it.
@jackivanov, @dguido guys, can this be mentioned in the Install Instructions?
Deleting the parameter altogether works too. I'm not sure if there is any functional difference.
I found articles suggesting to add it in case of VPN issues. I already had mine there, but it was set to 1.
I checked two other Windows 10 computers that I successfully connect to my Algo VPN with and neither of them had the NegotiateDH2048_AES256 parameter at all. That's what gave me the idea to try deleting it or changing it to zero.
That's where I got it:
http://www.stevenjordan.net/2016/09/secure-ikev2-win-10.html
@dialbat Thank you. Your article seems to confirm that both deleting the parameter (none) and setting it to zero do the same thing; they make the computer use its default weak encryption.
The next logical question is whether Algo can be altered to use stronger encryption with Windows 10.
And I kept thinking Algo had stronger encryption :)
Should be added to client_windows.ps1
It seems to me the instruction "Windows client manual setup" is incorrect.
Parameters:
```powershell
$setVpnParams = @{
    ConnectionName = $VpnName
    AuthenticationTransformConstants = "GCMAES256"
    CipherTransformConstants = "GCMAES256"
    EncryptionMethod = "AES256"
    IntegrityCheckMethod = "SHA384"
    DHGroup = "ECP384"
    PfsGroup = "ECP384"
    Force = $true
}
```
are too strong for Windows 10.
The auto-generated file windows_{user}.ps1 for Windows 10 has these settings:
```powershell
$setVpnParams = @{
    ConnectionName = $VpnName
    AuthenticationTransformConstants = "GCMAES128"
    CipherTransformConstants = "GCMAES128"
    EncryptionMethod = "AES128"
    IntegrityCheckMethod = "SHA384"
    DHGroup = "ECP256"
    PfsGroup = "ECP256"
    Force = $true
}
```
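The registry fix and the cipher settings discussed above can be checked together. This is an added example, not code from Algo or from any commenter. It assumes the profile name from the log earlier in the thread and uses the hypothetical function names `Get-IkeClientState` and `Set-NegotiateDH2048`; note that on Windows the registry key is spelled `RasMan\Parameters`. It reports the `NegotiateDH2048_AES256` value next to the connection's IPsec custom policy, and exports the key before changing anything so the previous value can be restored.

```powershell
# Added example. Expected values are the ones quoted from the generated
# windows_{user}.ps1 above; "0 or <not set>" reflects what commenters reported working.
$RasManKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\RasMan\Parameters'
$Expected = [ordered]@{
    AuthenticationTransformConstants = 'GCMAES128'
    CipherTransformConstants         = 'GCMAES128'
    EncryptionMethod                 = 'AES128'
    IntegrityCheckMethod             = 'SHA384'
    DHGroup                          = 'ECP256'
    PfsGroup                         = 'ECP256'
}

function Get-IkeClientState {
    param([string]$ConnectionName = 'Algo VPN IKEv2')  # assumed profile name
    # Machine-wide override left behind by other VPN software or manual tweaks.
    $reg = Get-ItemProperty -Path $RasManKey -Name NegotiateDH2048_AES256 -ErrorAction SilentlyContinue
    $override = if ($reg) { $reg.NegotiateDH2048_AES256 } else { '<not set>' }
    [pscustomobject]@{ Setting = 'NegotiateDH2048_AES256'; Actual = $override; Expected = '0 or <not set>' }

    # Per-connection proposal as stored by Set-VpnConnectionIPsecConfiguration.
    $vpn = Get-VpnConnection -Name $ConnectionName -ErrorAction Stop
    $policy = $vpn.IPSecCustomPolicy
    foreach ($name in $Expected.Keys) {
        $actual = if ($policy) { [string]$policy.$name } else { '<no custom policy>' }
        [pscustomobject]@{ Setting = $name; Actual = $actual; Expected = $Expected[$name] }
    }
}

function Set-NegotiateDH2048 {
    param([int]$Value = 0, [string]$BackupFile = "$env:TEMP\RasMan-Parameters.reg")
    # Export first so the previous state can be restored with: reg.exe import <file>
    reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Services\RasMan\Parameters' $BackupFile /y | Out-Null
    Set-ItemProperty -Path $RasManKey -Name NegotiateDH2048_AES256 -Value $Value -Type DWord
    "Previous state saved to $BackupFile"
}

Get-IkeClientState | Format-Table -AutoSize
# Set-NegotiateDH2048 -Value 0    # run elevated, only after reviewing the table
```

Rows where Actual differs from Expected show which side of the IKEv2 proposal to look at before touching the registry.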
Hello.
I have the same problem on Windows. I tried every solution listed above but none of them worked.
Has anyone solved this problem?
Me too.
I tried to delete it or change it to zero.
It doesn't work.
Please help.