The Internet Key Exchange version 2 (IKEv2) VPN protocol is the protocol of choice for Windows 10 Always On VPN deployments where the highest levels of security and assurance are required. However, as I’ve written about in the past, often the default IKEv2 security settings are less than desirable. Before using IKEv2 VPN in a production environment the administrator will need to update these security settings accordingly.
Connection Failure
When configuring Windows Server Routing and Remote Access Service (RRAS) or a third-party VPN appliance to support IKEv2 using custom security policies, the administrator may encounter a scenario in which a connection cannot be established due to a policy mismatch error. When the connection attempt fails, an error will be recorded in the Windows Application event log from the RasClient source with Event ID 20227. The error message states the following:
“The user [username] dialed a connection named [connection name] which has failed. The error code returned on failure is 13868.”
Error Code 13868
Error code 13868 translates to ERROR_IPSEC_IKE_POLICY_MATCH. Essentially this error indicates that the IKEv2 security policy on the client did not match the configuration on the server.
Server Configuration
To view the current IKEv2 IPsec policy configuration, open an elevated PowerShell command window and run the following command.
Get-VpnServerIPsecConfiguration
Client Configuration
To ensure interoperability, the VPN client must be configured to use the same IKEv2 security policy as defined on the sever. To view a VPN client’s currently configured IKEv2 security policy, open an elevated PowerShell command window and run the following command.
Get-VpnConnection -Name [connection name] | Select-Object -ExpandProperty IPsecCustomPolicy
Note: If this PowerShell command returns no output, the VPN connection is not using a custom IKEv2 IPsec security policy.
Updating Settings
Guidance for configuring IKEv2 security policies on Windows Server RRAS and Windows 10 can be found here.
Summary
IKEv2 policy mismatch errors can be resolved easily by ensuring both the VPN server and client are configured to use the same IPsec security policies. Use the PowerShell commands in the above referenced above to validate settings and make changes when necessary.
Additional Information
Windows 10 Always On VPN IKEv2 Security Configuration
Windows 10 Always On VPN IKEv2 Features and Limitations
Show-VpnConnectionIPsecConfiguration PowerShell script on Github
Recently I wrote about 
When deploying Windows 10 Always On VPN using Microsoft Intune, administrators have two choices for configuring VPN profiles. They can use the native Intune user interface (UI) or create and upload a custom ProfileXML. The method chosen will depend on which features and settings are required.
Recently I wrote about 
I’m pleased announce that Kemp has released their 
The 
When an Always On VPN connection is provisioned to a Windows 10 client, there’s nothing to prevent a user from disconnecting or even deleting the connection. Some administrators have expressed concern about this, fearful that users may disable the VPN to improve performance or circumvent access controls when force tunneling is enabled. Also, administrators may wish to prevent users from accidentally or purposefully making changes to the configuration, or even deleting the connection entirely.
The Internet Key Exchange version 2 (IKEv2) is the protocol of choice for Always On VPN deployments where the highest level of security is required. Implementing Always On VPN at scale often requires multiple VPN servers to provide sufficient capacity and to provide redundancy. Commonly an Application Delivery Controller (ADC) or load balancer is configured in front of the VPN servers to provide scalability and high availability for Always On VPN.
The IKEv2 protocol is a popular choice when designing an Always On VPN solution. When 
