Error 13801

One of the most common errors related to IKEv2 and certificates is 13801, IKE authentication credentials are unacceptable.

When an attempt VPN connection using IKEv2 fails, the Windows Application event log will record an event ID 20227 from the RasClient source. The error message states the following:

The user [username] dialed a connection named [connection name] which has failed. The error code returned on failure is 13801

Possible Cause

Possible causes of Error 13801:

• The machine certificate on the VPN server has expired
• The trusted root certificate to validate the VPN server certificate is absent on the client
• VPN server name as given on the client doesn’t match the subject name of the server certificate
• The machine certificate used for IKEv2 validation on VPN Server does not have Server Authentication as the EKU (Enhanced Key Usage).

Solution

Following solution will be applied for the cause trusted root certificate absent on the client PC.

1. Download following certificate

trusted-letsencrypt-ca.cer

2. Right-click on Start and select Run

3. Type in mmc and click on OK

4. If your PC User Account Control (UAC) enabled, on the User Account Control screen, click on Yes

5. Once the Microsoft Management Console (mmc) opens, click on File and select Add/Remove Snap-in

6. In the left menu, select Certificates and click on Add

7. On the next screen, click the radio button next to Computer account and click on Next

8. Click on Finish

9. Click on OK

10. In the Microsoft Management Console window, click on Certificates (Local Computer) to expand the list

From here onward, you will perform certificate import into 2 locations certificate stores:

• Trusted Root Certification Authorities
• Third-Party Root Certification Authorities

Trusted Root Certification Authorities

11. Expand Trusted Root Certification Authorities in the left pane, right-click on Certificates subfolder and select All Tasks and then Import

12. Click Next in the Certificate Import Wizard

13. Browse to where you saved the CA certificate downloaded earlier and select it. Then click on Open

14. Back to Certificate Import Wizard, click Next

15. In the Certificate Store window, ensure that it says Trusted Root Certification Authorities and click on Next

16. Click on Finish and then OK.

Third-Party Root Certification Authorities

17. Expand Third-Party Root Certification Authorities in the left pane, right-click on Certificates subfolder and select All Tasks and then Import

18. Click Next in the Certificate Import Wizard

19. Browse to where you saved the CA certificate downloaded earlier and select it. Then click on Open

20. Back to Certificate Import Wizard, click Next

21. In the Certificate Store window, ensure that it says Third-Party Root Certification Authorities and click on Next

22. Click on Finish and then OK.

Review

You should have by now successfully import root certificate ISRG Root X1 (Internet Security Research Group) into certificate store:

Trusted Root Certification Authorities

Third-Party Root Certification Authorities

You may close Microsoft Management Console (mmc) and click No

Now you may retry again reconnect your IKEv2 VPN.

==========================================================================================

If you face any difficulties on the setup, please feel free to contact our support team by submitting a ticket on https://247livesupport.biz or emailing out support team at support@247livesupport.biz.