How to debug IPSec failure when using certificate?

  • Question

  • I try to set up end-to-end IPsec transport mode between two Windows Server 2012 R2 VMs. I use a certificate for authentication. It works fine if I use a preshared key.

    The error I am getting (from event log) is IKE failed to find valid machine certificate. Error code is 13806, from netevent.xml.

    I am not able to find the log showing what IKEEXT doesn't like. I captured some WFP traces, but they are in XML format and I can't get much out of them. There is also a wfpdiag.etl file that I cannot translate into text. It may need a wfp.tmf file, but I cannot find such a file for Windows Server 2012 R2.

       <failureErrorCode>13806 (ERROR_IPSEC_IKE_NO_CERT)</failureErrorCode>

    Wednesday, May 4, 2016 5:57 PM

All replies

  • What certificate store have you stored the certificate in? I believe it needs to be in the Local Computer's Personal store, not the Current User's Personal store. Is the certification path of the certificate valid? (double click -> Certification Path).

    If not, you may need to put the root certificates in the Local Computer's Trusted Root Certification Authorities store.

    Thursday, May 12, 2016 8:48 AM
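An added diagnostic (not from this thread) that automates the checks the reply above suggests doing by hand: it walks Cert:\LocalMachine\My, the only store IKE consults for machine certificates, and reports for each certificate whether it has a private key, is inside its validity period, and builds a chain ending in a root that is present in the Local Computer Trusted Root store. The function name is my own; the store paths are the standard PowerShell certificate drive.

```powershell
# Added example: enumerate machine certificates IKEEXT could select and
# list the reasons each one might be rejected (no private key, expired,
# broken chain, root missing from LocalMachine\Root).
function Test-IpsecMachineCertificate {
    param(
        # IKE certificate authentication only uses the machine Personal store.
        [string]$StorePath = 'Cert:\LocalMachine\My'
    )
    $trustedRoots = Get-ChildItem 'Cert:\LocalMachine\Root' | ForEach-Object Thumbprint
    $now = Get-Date

    foreach ($cert in Get-ChildItem $StorePath) {
        $problems = @()

        if (-not $cert.HasPrivateKey) { $problems += 'no private key' }
        if ($cert.NotBefore -gt $now -or $cert.NotAfter -lt $now) {
            $problems += 'outside validity period'
        }

        # Build the chain the same way the Certification Path tab does.
        # Revocation checking is skipped here so an offline CRL does not
        # mask a structural chain problem; re-enable it once the chain builds.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode =
            [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
        if (-not $chain.Build($cert)) {
            $status = $chain.ChainStatus | ForEach-Object { $_.Status }
            $problems += ('chain: ' + ($status -join ','))
        } else {
            $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
            if ($trustedRoots -notcontains $root.Thumbprint) {
                $problems += 'root CA not in LocalMachine\Root'
            }
        }

        [pscustomobject]@{
            Subject    = $cert.Subject
            Issuer     = $cert.Issuer
            Thumbprint = $cert.Thumbprint
            Problems   = if ($problems) { $problems -join '; ' } else { 'none found' }
        }
    }
}

# Run from an elevated PowerShell prompt on the host that logs error 13806.
Test-IpsecMachineCertificate | Format-Table -AutoSize
```

A certificate that shows "none found" on both peers narrows the 13806 cause to the connection security rule itself, for example a root CA selected in the rule that differs from the one the certificate chains to.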
  • I have tried that. The certificate chain is OK, per "certutil". I suspect there is something in the certificate that IKEEXT doesn't like.

    Does anyone know how to get more detailed logging from Windows IKE? So far, I can only get error code 13806, etc.

    Friday, May 13, 2016 6:56 PM