A virtual private network (VPN) is mostly used to protect a user’s privacy in the online world and skit their physical location. While most of the time these perform well, there are some occasions when the user can encounter errors, crashes, or different connection issues with their VPN program. When your VPN is not working, not connecting, or has been blocked, there are some quick fixes you can try to get it solved. Though there are many possible errors that a user can encounter with VPNs, there are a few who gain more eminence than others; one such error code is VPN Error 13801.
VPN Error 13801 on Windows 10
Error 13801 expresses the message – IKE authentication credentials are unacceptable.
This Internet Key Exchange version 2 (IKEv2) errors are related to problems with the server authentication certificate. Basically, the machine certificate required for authentication is either invalid or doesn’t exist on your client computer, on the server, or both.
IKE authentication credentials are unacceptable
Here’s a quick breakup of the possible causes of Error 13801:
- The machine certificate on the RAS server has expired
- The trusted root certificate to validate the RAS server certificate is absent on the client
- VPN server name as given on the client doesn’t match the subject name of the server certificate
- The machine certificate used for IKEv2 validation on RAS Server does not have “Server Authentication” as the EKU (Enhanced Key Usage).
Since the users do not have any control over the server, there’s very little that can be done to fix this issue. And in most cases, the user might have to the VPN provider’s help desk and get them to repair the error 13801.
VPN error 13801 clearly references the protocols being used by the VPN service, so you don’t have to waste time figuring out what IKEv2 for VPN error 1380 is. Look for the correct IKEv2 certificate in the documentation provided by the VPN admin. There are a few ways in which you can confirm this issue:
- The certificate does not have the required Enhanced Key Usage (EKU) values assigned
- The machine certificate on the RAS server has expired.
- The trusted root for the certificate is not present on the client.
- The subject name of the certificate does not match the remote computer
Let’s look at these options in detail:
The certificate does not have the required Enhanced Key Usage (EKU) values assigned
You can check it by the following steps:
1] On the VPN server, run mmc, add snap-in ‘certificates.’
2] Expand certificates-personal-certificates, double click the certificate installed
3] Click detail for ‘enhanced key usage’, verify if there is ‘server authentication’ below
The machine certificate on the RAS server has expired.
If the issue is caused by this reason, connect the CA administrator and enroll a new certificate that doesn’t expire.
The trusted root for the certificate is not present on the client.
If the client and server are domain members, the root certificate will be installed automatically in ‘trusted root certification authorities.’ You can check if the certificate is present on the client here.
The subject name of the certificate does not match the remote computer
You can verify using the below steps:
1] On client, open ‘VPN connection properties’, click ‘General.’
2] In ‘host name or IP address of destination’ you will need to enter the ‘subject name’ of the certificate used by the VPN server instead of the IP address of the VPN server.
Note: The subject name of the server’s certificate is usually configured as the FQDN of the VPN server.
When to call your VPN Server administrator
Having to deal with VPN errors can be extremely frustrating, and when you cannot troubleshoot them independently, the frustration is even more. That’s exactly the case with VPN Error 13801, so waste no time and contact your VPN administrator to make sure the correct certificate is configured on your PC, which is validated by the remote server.