IKEv2 Windows 13801 error

  • pfSense 2.2.6-Release:

    Followed the https://doc.pfsense.org/index.php/IKEv2_with_EAP-MSCHAPv2 guide to create IKEv2 VPN with pfSense.  Stuck at the Windows 13801 error.

    I created the CA in pfSense and created a Server Certificate.

    For my cert:  CN = vpn.domain.com
    SAN: DNS Name = vpn.domain.com
            IP Address = x.x.x.x

    My Phase 1 configuration is V2, IPv4, WAN, EAP-MSCHAPv2.  My Identifier is Distinguished name = vpn.domain.com
    Phase 1 encryption is AES 256, SHA256, DH key group 2.

    Imported the cert into the local computer Trusted Root CA using MMC.exe then adding Certificate for Computer account->Local computer.

    With 13801, I know something is wrong with my cert, but I can't figure out what, because it is installed in the correct spot and has the correct hostname in CN and SAN.

    In my Win7 VPN Client, I'm connecting to vpn.domain.com.  The only places where vpn.domain.com is defined are my local hosts file and the cert.  The IP address for vpn.domain.com is the WAN address of the pfSense box.

    Getting Windows 13801 with and without the registry DWORD added.

    Any other information helpful for troubleshooting this?

  • Have you consulted your logs on pfSense to see what might be going wrong?

    Do you get this error?

    Verifying user name and password...
    Error 13801: IKE authentication credentials are unacceptable

    Have you seen this? https://technet.microsoft.com/en-us/library/dd941612%28v=ws.10%29.aspx

  • Found out the trouble when another poster had a similar problem.  My error was that I had imported the server cert and not the CA cert.  Imported the CA cert into Trusted CA store and now progressing with authentication.
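
An added example, not part of the thread: a PowerShell check for the mistake described in the last post, a server certificate sitting in the Local Computer Trusted Root store where the CA certificate should be. `Get-CertRole` is a hypothetical helper name, and the classification rule (basicConstraints plus subject/issuer comparison) is this example's own heuristic.

```powershell
# Added example (not from the thread). Get-CertRole is a hypothetical helper.
# Flags entries in the Local Computer "Trusted Root Certification Authorities"
# store that do not look like CA certificates. Avoids PowerShell 3.0+ syntax
# so it also runs on the PowerShell 2.0 that ships with Windows 7.
function Get-CertRole {
    param(
        [Parameter(Mandatory = $true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert
    )
    $hasBc = $false   # basicConstraints extension present
    $isCa  = $false   # basicConstraints says CA:TRUE
    $ekus  = @()      # extended key usage OIDs, if any
    foreach ($ext in $Cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]) {
            $hasBc = $true
            $isCa  = $ext.CertificateAuthority
        }
        elseif ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            $ekus = @($ext.EnhancedKeyUsages | ForEach-Object { $_.Value })
        }
    }
    # Name comparison only; it does not verify the signature.
    $selfSigned = ($Cert.Subject -eq $Cert.Issuer)

    if ($hasBc -and $isCa) {
        $role = 'CA'
    }
    elseif ($hasBc -or -not $selfSigned) {
        # CA:FALSE, or issued by a different name: an end-entity certificate.
        $role = 'Leaf'
    }
    else {
        # Old self-signed roots often carry no basicConstraints at all.
        $role = 'Legacy root (no basicConstraints)'
    }
    New-Object PSObject -Property @{
        Subject       = $Cert.Subject
        Issuer        = $Cert.Issuer
        Thumbprint    = $Cert.Thumbprint
        Role          = $role
        ServerAuthEku = ($ekus -contains '1.3.6.1.5.5.7.3.1')  # id-kp-serverAuth
    }
}

Get-ChildItem Cert:\LocalMachine\Root |
    ForEach-Object { Get-CertRole -Cert $_ } |
    Where-Object { $_.Role -eq 'Leaf' } |
    Format-List Subject, Issuer, Thumbprint, ServerAuthEku
```

An entry listed here whose subject is the VPN hostname is the server certificate; the store should instead hold the certificate of the CA that issued it.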
