VPN IKEv2 multiple WAN - policy match error

I have an AX86u running Merlin 386.5. It has two WANs on load balance (mostly using Primary with one device hard coded to use the secondary). The secondary WAN gets issued a private IP address (but does have onward internet access through NAT etc.).

I am trying to run an IKEv2 VPN server on the router and I only need to connect to it from the Secondary WAN (although both would be a bonus!).

I can connect using Windows 10 to the public IP address of the Primary WAN (or the DDNS hostname). So I have installed the certificate etc. correctly.

Using the same computer with the IP address of the Secondary WAN, it doesn't work.

Both show the same behaviour irrespective of whether I am internal to my network or external.

The error in Windows 10 GUI is:

Policy match error

The error I get in the Windows Event Viewer is:
The user xxxxxxxxxxxxxxxxx dialed a connection named Home which has failed. The error code returned on failure is 13868.

The error in the ASUS-Merlin log is:

Mar 20 15:15:59 05[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(FRAG_SUP) N(NATD_S_IP) N(NATD_D_IP) V V V V ]
Mar 20 15:15:59 05[IKE] no IKE config found for, sending NO_PROPOSAL_CHOSEN
Mar 20 15:15:59 05[ENC] generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
Mar 20 15:15:59 05[NET] sending packet: from [2ndWANIP][500] to [InternalIP][500] (36 bytes)
Mar 20 15:21:32 05[KNL] [2ndWANIP] disappeared from eth0

My theory is that IKEv2 uses certificates and that the certificate is hard-coded to the DDNS domain name which only resolves to the Primary WAN IP address.

Is there any way to add a second server IP address to the certificate file which is created in the IKEv2 setup?

Thanks in advance

I have resolved this.

My understanding is that the primary WAN IP address was listed in /etc/ipsec.conf and if this did not match what the client was using then this policy match error occurred. The issue wasn't related to certificates.


Therefore I created the following script file to remove this line from my configuration, which seems to enable connection from either the primary or secondary WAN IP address:


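#!/bin/sh
CONFIG=$1   # path of the generated config file, passed to postconf scripts by the firmware
source /usr/sbin/helper.sh

# Remove the left= line so the connection is no longer tied to the primary WAN address
pc_delete "left=" "$CONFIG"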

This seems to be working for me and I hope it works for someone else.
I can't see any major implications from this change?
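
The check behind the resolution above, as an added example that is not part of the original posts: a POSIX shell function that lists each conn in an ipsec.conf-style file with its effective left= value and says whether an IKE_SA_INIT addressed to a given local IP would find a matching config. The function names, the sample config and its documentation addresses are constructed; only an exact IP, %any or an unset left= (which strongSwan treats as %any) are evaluated, and conn %default is assumed to come before the conns that inherit from it.

```shell
#!/bin/sh
# Added example (not from the thread): audit left= per conn in ipsec.conf.
# Output per conn: <name> <effective left> <match|no-match>
# "match" with %any also means the conn answers on every local address.

audit_left() {  # usage: audit_left <config-file> <local-ip>
    awk -v ip="$2" '
        function report(name, val) {
            if (name == "" || name == "%default") return
            if (val == "") val = dflt          # inherit from conn %default
            if (val == "") val = "%any"        # unset left= defaults to %any
            verdict = (val == "%any" || val == ip) ? "match" : "no-match"
            print name, val, verdict
        }
        /^[ \t]*#/    { next }                                  # comments
        /^conn[ \t]+/ { report(cur, left); cur = $2; left = ""; next }
        /^[^ \t]/     { report(cur, left); cur = ""; left = ""; next }  # other sections
        /^[ \t]+left[ \t]*=/ {                                  # left= only, not leftid= etc.
            v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]+$/, "", v)
            if (cur == "%default") dflt = v
            else if (cur != "") left = v
        }
        END { report(cur, left) }
    ' "$1"
}

# Constructed sample config (documentation addresses), not the router's real file.
sample_conf() {
    cat <<'EOF'
config setup
conn %default
    keyexchange=ikev2
conn pinned
    left=203.0.113.10
    leftid=@vpn.example.net
conn unpinned
    leftid=@vpn.example.net
EOF
}

# Demo: a request arriving on a constructed secondary-WAN address.
tmp=$(mktemp)
sample_conf > "$tmp"
audit_left "$tmp" 192.168.100.2
rm -f "$tmp"
```

On the router the same function can be pointed at /etc/ipsec.conf with the secondary WAN address as the second argument, before and after the left= line is removed.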
