VPN IKEv2 multiple WAN - policy match error


Occasional Visitor
I have an AX86u running Merlin 386.5. It has two WANs on load balance (mostly using Primary with one device hard coded to use the secondary). The secondary WAN gets issued a private IP address (but does have onward internet access through NAT etc.).

I am trying to run an IKEv2 VPN server on the router and I only need to connect to it from the Secondary WAN (although both would be a bonus!)

I can connect using Windows 10 to the public IP address of the Primary WAN (or the DDNS hostname). So I have installed the certificate etc. correctly.

Using the same computer but with the IP address of the Secondary WAN, it doesn't work.

Both show the same behaviour irrespective of whether I am internal to my network or external.

The error in Windows 10 GUI is:

Policy match error

The error I get in the Windows Event Viewer is:
The user xxxxxxxxxxxxxxxxx dialed a connection named Home which has failed. The error code returned on failure is 13868.

The error in the ASUS-Merlin log is:

Mar 20 15:15:59 05[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(FRAG_SUP) N(NATD_S_IP) N(NATD_D_IP) V V V V ]
Mar 20 15:15:59 05[IKE] no IKE config found for, sending NO_PROPOSAL_CHOSEN
Mar 20 15:15:59 05[ENC] generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
Mar 20 15:15:59 05[NET] sending packet: from [2ndWANIP][500] to [InternalIP][500] (36 bytes)
Mar 20 15:21:32 05[KNL] [2ndWANIP] disappeared from eth0

My theory is that IKEv2 uses certificates and that the certificate is hard-coded to the DDNS domain name which only resolves to the Primary WAN IP address.

Is there any way to add a second server IP address to the certificate file which is created in the IKEv2 setup?

Thanks in advance


Occasional Visitor
I have resolved this.

My understanding is that the primary WAN IP address was listed in /etc/ipsec.conf and if this did not match what the client was using then this policy match error occurred. The issue wasn't related to certificates.


Therefore I created the following script file to remove this line from my configuration, which seems to enable connection from either the primary or secondary WAN IP address.


#!/bin/sh
# Merlin postconf script: Merlin passes the path of the generated config as $1
CONFIG=$1
source /usr/sbin/helper.sh

# Drop the "left=<primary WAN IP>" line so the responder is not pinned to one address
pc_delete "left=" "$CONFIG"

This seems to be working for me and hope it works for someone else.
I can't see any major implications from this change?
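As an added illustration (not the poster's script and not Merlin's helper.sh), here is a portable shell version of the same change run against a constructed ipsec.conf excerpt: it reports what `left=` currently pins the responder to, falling back to strongSwan's default of `%any` when the line is absent, and then removes the line while leaving `leftid=` and the rest of the conn intact. The address and identity in the sample are placeholders.

```shell
#!/bin/sh
# Write a constructed strongSwan ipsec.conf excerpt to the path in $1.
# 203.0.113.10 and vpn.example.invalid are placeholders, not values from the thread.
make_sample_conf() {
  cat > "$1" <<'EOF'
config setup

conn ikev2-vpn
    keyexchange=ikev2
    left=203.0.113.10
    leftid=@vpn.example.invalid
    leftauth=pubkey
    leftsubnet=0.0.0.0/0
    right=%any
    auto=add
EOF
}

# Print the first left= value in the file; when the key is missing, print %any,
# which is what strongSwan assumes, so the responder matches any local address.
# Only "left=" itself matches: leftid=, leftauth= and leftsubnet= are ignored.
left_value() {
  v=$(sed -n 's/^[[:space:]]*left=\(.*\)$/\1/p' "$1" | head -n 1)
  if [ -n "$v" ]; then
    printf '%s\n' "$v"
  else
    printf '%%any\n'
  fi
}

# Remove every "left=" line, the same effect as pc_delete "left=" in the thread,
# written with plain sed and a temp file so it also works outside Merlin.
unpin_left() {
  tmp="$1.tmp"
  sed '/^[[:space:]]*left=/d' "$1" > "$tmp" && mv "$tmp" "$1"
}
```

Before the change `left_value` reports the pinned WAN address; after `unpin_left` it reports `%any`, and a client arriving on either WAN address will find an IKE config instead of getting NO_PROPOSAL_CHOSEN.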
