
Fix ERROR_IPSEC_IKE_ERROR 0x000035F8: Quick Steps

Windows Errors | Intermediate | Jun 11, 2026

IKE error 0x000035F8 usually means a mismatch in VPN security settings or a failed certificate. Here's how to fix it fast.

Quick Overview

I've seen this error pop up on Windows 10 and Server 2016/2019 VPN connections more times than I can count. The error code 0x000035F8 translates to ERROR_IPSEC_IKE_ERROR — a generic IKE (Internet Key Exchange) failure. It usually means your VPN client and server can't agree on how to talk securely.

I know it's frustrating when you're trying to connect and this shows up with no helpful details. Let's cut through the noise and fix it.

Cause 1: Authentication Method Mismatch (Most Common)

This one tripped me up the first time too. Your VPN server expects a certificate, but your client is set to use a pre-shared key (PSK), or vice versa. The error fires because the IKE negotiation fails before it even gets to encryption.

Fix It

  1. Open your VPN connection properties.
  2. Go to the Security tab.
  3. Under Type of VPN, make sure it matches what the server expects (usually IKEv2 or L2TP/IPsec).
  4. Under Data encryption, set it to Require encryption.
  5. Under Authentication, either select Use Extensible Authentication Protocol (EAP) and choose Microsoft: Smart Card or other certificate (if the server uses certificates), or select Allow these protocols and check Challenge Handshake Authentication Protocol (CHAP) (if it uses a PSK).

I prefer certificate-based authentication — it's more secure and less prone to mistakes. But if you're using a PSK, double-check that the key is exactly the same on both ends, including case and spaces.

If you're not sure what the server expects, ask your network admin or check the VPN server logs. On a Windows server, look at the Routing and Remote Access console under Ports for the authentication type.
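The same comparison done from PowerShell, as an added example that is not part of the original article: it reads the connection's client-side settings with Get-VpnConnection, diffs them against what the server is known to expect, and can apply the expected values with Set-VpnConnection. The connection name "Corp VPN" and the values in $Expected are placeholders for your environment.

```powershell
# Added example (not from the original article). Assumed: a VPN profile named "Corp VPN"
# and an $Expected table filled in from what the server admin told you.

$Expected = @{
    TunnelType           = 'Ikev2'               # matches "Type of VPN" on the Security tab
    AuthenticationMethod = 'MachineCertificate'  # certificate auth; use 'MSChapv2'/'Eap' for user auth
    EncryptionLevel      = 'Required'            # matches "Require encryption"
}

function Test-VpnClientSettings {
    param(
        [Parameter(Mandatory)] [string]    $Name,
        [Parameter(Mandatory)] [hashtable] $Expected,
        [switch] $Repair   # apply the expected values instead of only reporting
    )
    # Get-VpnConnection reads the same settings the VPN properties dialog shows.
    # Add -AllUserConnection here and below for profiles created for all users.
    $conn = Get-VpnConnection -Name $Name -ErrorAction Stop

    # Collect every setting where the client differs from the server's expectation
    $mismatches = foreach ($key in $Expected.Keys) {
        $actual = [string]$conn.$key   # AuthenticationMethod comes back as a one-element array
        if ($actual -ne $Expected[$key]) {
            [pscustomobject]@{ Setting = $key; Client = $actual; Server = $Expected[$key] }
        }
    }

    if (-not $mismatches) {
        Write-Host "'$Name': client settings already match the server"
        return
    }
    $mismatches | Format-Table -AutoSize | Out-Host

    if ($Repair) {
        # Splat only the settings that differ; -Force suppresses the confirmation prompt.
        # Note: switching an L2TP profile to PSK also needs -L2tpPsk, which is not set here.
        $params = @{ Name = $Name; Force = $true }
        foreach ($m in $mismatches) { $params[$m.Setting] = $m.Server }
        Set-VpnConnection @params
        Write-Host "'$Name': settings updated, reconnect and retest"
    }
    return $mismatches
}

# Report only; add -Repair once you have confirmed $Expected with the server admin
Test-VpnClientSettings -Name 'Corp VPN' -Expected $Expected
```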

Cause 2: Certificate Issues (Very Common)

If you're using certificates, this error almost always means the client doesn't trust the server's certificate. The most common reason is that the root CA certificate isn't installed in the Trusted Root Certification Authorities store on your machine.

Another scenario: the certificate has expired. I've had users spend hours debugging only to find their certificate was 3 days old.

Fix It

Step 1: Install the root CA certificate.

  1. Get the root CA certificate file (usually a .cer or .crt file) from your network admin.
  2. Right-click the file and select Install Certificate.
  3. Choose Local Machine (this is important — user store won't work for machine-level VPN connections).
  4. Select Place all certificates in the following store, browse, and choose Trusted Root Certification Authorities.
  5. Complete the wizard.

Step 2: Check the certificate date. Open certlm.msc (Certificate Manager for Local Machine), find the certificate under Personal or Trusted Root Certification Authorities, and verify it's still valid.

If the certificate is expired, you'll need a new one from your CA. Don't just renew it manually — use the proper enrollment process.
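Both checks from this section scripted, as an added example that is not from the original article: the first function installs the root CA into the machine Trusted Root store (the Local Machine choice from Step 1), the second walks the machine's Personal store for client-authentication certificates and reports whether each one is expired, about to expire, or fails to chain to a trusted root. The file path and the 30-day warning window are assumptions.

```powershell
# Added example (not from the original article). Assumed: the CA file path passed to
# Install-VpnRootCa and the $WarnDays default. Run from an elevated prompt.

function Install-VpnRootCa {
    param([Parameter(Mandatory)] [string] $Path)   # the .cer/.crt from your network admin
    # Cert:\LocalMachine\Root is the store machine-level IKE authentication consults;
    # Cert:\CurrentUser\Root would not help, as the article's Step 1 point 3 says.
    $ca = Import-Certificate -FilePath $Path -CertStoreLocation 'Cert:\LocalMachine\Root'
    [pscustomobject]@{ Subject = $ca.Subject; Thumbprint = $ca.Thumbprint; NotAfter = $ca.NotAfter }
}

function Test-VpnCertificates {
    param([int] $WarnDays = 30)
    $now = Get-Date
    # The machine certificate used for IKEv2 lives under LocalMachine\My and must carry
    # the Client Authentication EKU (OID 1.3.6.1.5.5.7.3.2); certs without it are skipped.
    $certs = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.2'
    }
    foreach ($c in $certs) {
        # Build the chain against the machine stores; a failure here usually means the
        # issuing root CA is missing from LocalMachine\Root (Cause 2's most common case).
        $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
        $chain.ChainPolicy.RevocationMode = 'NoCheck'   # trust path only; CRL reachability is a separate question
        $trusted = $chain.Build($c)
        $status = if ($c.NotAfter -lt $now)                    { 'EXPIRED' }
                  elseif ($c.NotAfter -lt $now.AddDays($WarnDays)) { "expires within $WarnDays days" }
                  elseif (-not $trusted) { 'UNTRUSTED: ' + ($chain.ChainStatus.StatusInformation -join '; ') }
                  else                                        { 'OK' }
        $chain.Dispose()
        [pscustomobject]@{ Subject = $c.Subject; Issuer = $c.Issuer; NotAfter = $c.NotAfter; Status = $status }
    }
}

# Typical use: install the CA once, then verify every client cert on the box
# Install-VpnRootCa -Path 'C:\temp\corp-root-ca.cer'
Test-VpnCertificates | Format-Table -AutoSize
```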

Cause 3: IPsec Policy Conflicts (Less Common but Nasty)

Sometimes the error comes from a conflicting IPsec policy on your machine. This happens when you have a domain policy (via Group Policy) that overrides your local settings. Or you might have third-party firewall software that blocks IKE ports.

The default IKE ports are UDP 500 and UDP 4500. If those are blocked, you'll get this error every time.

Fix It

  1. Open Group Policy Editor (gpedit.msc) or Local Security Policy (secpol.msc).
  2. Navigate to Security Settings > IP Security Policies on Local Computer.
  3. Right-click any active policy and select Unassign (if you're sure it's not needed).
  4. Restart the IPsec Policy Agent service (ipsecsvc) via services.msc.

For firewall issues, check Windows Defender Firewall or your third-party software. Make sure inbound and outbound rules allow UDP 500 and UDP 4500. Note that Test-NetConnection only tests TCP ports and has no UDP mode, so it can't probe UDP 500; on the Windows Firewall side you can list the rules that cover those ports with a quick command:

# List firewall rules whose port filter covers UDP 500/4500 (inbound uses LocalPort, outbound uses RemotePort)
Get-NetFirewallPortFilter | Where-Object { $_.Protocol -eq 'UDP' -and ($_.LocalPort -match '^(500|4500)$' -or $_.RemotePort -match '^(500|4500)$') } | Get-NetFirewallRule | Select-Object DisplayName, Enabled, Direction, Action

If no enabled Allow rule covers those ports, they are blocked. Add a firewall rule to allow them.
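The whole Cause 3 check as a script, added here and not part of the original article; it goes a step beyond the text by also listing the IPsec connection security rules in the effective (ActiveStore) policy, where a rule tagged GroupPolicy is the domain override the section describes, and by creating the outbound allow rule when none exists. The rule display name is a placeholder.

```powershell
# Added example (not from the original article). Assumed: the rule display name below.
# Run elevated; Add-IkeOutboundRule writes to the local firewall policy.

function Get-IkePortRules {
    # Port filters carry protocol/port; the owning rule carries Enabled, Direction, Action
    # and where the rule came from (Local vs GroupPolicy).
    Get-NetFirewallPortFilter | Where-Object {
        $_.Protocol -eq 'UDP' -and
        ($_.LocalPort -match '^(500|4500)$' -or $_.RemotePort -match '^(500|4500)$')
    } | Get-NetFirewallRule |
        Select-Object DisplayName, Enabled, Direction, Action, PolicyStoreSourceType
}

function Get-EffectiveIpsecRules {
    # ActiveStore is the merged policy actually applied; a rule whose source type is
    # GroupPolicy is the domain policy that overrides local settings (Cause 3).
    Get-NetIPsecRule -PolicyStore ActiveStore | Where-Object { $_.Enabled -eq 'True' } |
        Select-Object DisplayName, Profile, PolicyStoreSourceType, PolicyStoreSource
}

function Add-IkeOutboundRule {
    param([string] $DisplayName = 'Allow IKE and NAT-T outbound (UDP 500,4500)')
    # A VPN client only needs outbound; outbound is allowed by default, so this matters
    # when outbound filtering has been tightened or a third-party product manages rules.
    if (Get-NetFirewallRule -DisplayName $DisplayName -ErrorAction SilentlyContinue) { return }
    New-NetFirewallRule -DisplayName $DisplayName -Direction Outbound -Protocol UDP `
        -RemotePort 500,4500 -Action Allow -Profile Any
}

$rules = Get-IkePortRules
$rules | Format-Table -AutoSize | Out-Host
$allowed = $rules | Where-Object { $_.Enabled -eq 'True' -and $_.Action -eq 'Allow' }
if (-not $allowed) {
    Write-Host 'No enabled Allow rule covers UDP 500/4500; adding an outbound rule'
    Add-IkeOutboundRule
}

Write-Host 'Effective IPsec rules (GroupPolicy entries are the domain override):'
Get-EffectiveIpsecRules | Format-Table -AutoSize
```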

Quick-Reference Summary Table

Cause             | Symptom                                                              | Fix
------------------|----------------------------------------------------------------------|----------------------------------------------------------
Auth mismatch     | Error appears immediately on connection attempt                      | Match VPN security settings to server (cert vs PSK)
Certificate issue | Error appears after entering credentials or with event log cert errors | Install root CA cert, verify expiration
Policy conflict   | Error appears inconsistently or after GPO update                     | Unassign conflicting IPsec policies, check firewall ports

Start with Cause 1 — that's where I see the fix 80% of the time. If you're still stuck after trying all three, check the Windows Event Viewer under Applications and Services Logs > Microsoft > Windows > VPN for more detailed error codes. That'll point you to the exact phase of IKE negotiation that failed.

I wrote this after helping a dozen users on Windows 10 22H2 and Server 2022. The fix is almost always simple once you know where to look.
