1
00:00:02,040 --> 00:00:05,060
The next error I want to take a look at is the error 13801.

2
00:00:05,060 --> 00:00:08,220
And this is specific to IKEv2 connections.

3
00:00:08,220 --> 00:00:11,790
In this scenario, it's almost always a certificate issue,

4
00:00:11,790 --> 00:00:14,530
but it might not always be what you expect.

5
00:00:14,530 --> 00:00:19,240
Let's generate a connection, and let's see this failure in action.

6
00:00:19,240 --> 00:00:21,940
And so you'll see simply it just returns IKE

7
00:00:21,940 --> 00:00:25,240
authentication credentials are unacceptable.

8
00:00:25,240 --> 00:00:29,360
The most common cause of a 13801 error is a misconfiguration of

9
00:00:29,360 --> 00:00:31,720
the server certificate on the VPN server.

10
00:00:31,720 --> 00:00:33,670
So here we are on our VPN server,

11
00:00:33,670 --> 00:00:38,040
and I'm going to open up the local computer certificate store.

12
00:00:38,040 --> 00:00:44,410
And here I want to take a look at the certificate that I use for my VPN server.

13
00:00:44,410 --> 00:00:46,750
This is my public server certificate.

14
00:00:46,750 --> 00:00:48,940
This is a remote desktop certificate.

15
00:00:48,940 --> 00:00:52,940
This is the certificate that I'm using for IKEv2. And if I double‑click on

16
00:00:52,940 --> 00:00:56,710
this, one of the things that you'll notice is that it is issued to the

17
00:00:56,710 --> 00:01:00,580
server's host name and not the public host name.

18
00:01:00,580 --> 00:01:03,120
So the public host name is just simply vpn.richardhicks.net

19
00:01:03,120 --> 00:01:06,320
in our examples. And here the certificate,

20
00:01:06,320 --> 00:01:08,680
although it's valid and trusted and configured

21
00:01:08,680 --> 00:01:11,530
correctly, has the wrong host name.

22
00:01:11,530 --> 00:01:15,560
So this is essentially a host name mismatch of sorts, but it manifests

23
00:01:15,560 --> 00:01:19,890
itself fundamentally as an IKE authentication error. And this can also

24
00:01:19,890 --> 00:01:21,650
happen in a couple of other scenarios.

25
00:01:21,650 --> 00:01:22,550
For example,

26
00:01:22,550 --> 00:01:27,000
you could just simply be using the wrong host name in your VPN configuration on

27
00:01:27,000 --> 00:01:30,320
the client, and so that can also lead to the same problem.

28
00:01:30,320 --> 00:01:32,410
So now I've corrected the certificate issue.

29
00:01:32,410 --> 00:01:35,420
Now you'll see that the certificate has the correct host

30
00:01:35,420 --> 00:01:38,070
name. But also understand that there are some other things

31
00:01:38,070 --> 00:01:40,740
that can cause the 13801 as well.

32
00:01:40,740 --> 00:01:45,410
It's not uncommon for there to be certificate chain issues on the server.

33
00:01:45,410 --> 00:01:49,560
If any of the root or intermediate certificates are missing from the VPN server,

34
00:01:49,560 --> 00:01:53,410
that can cause a 13801. It's also possible that the root

35
00:01:53,410 --> 00:01:55,900
or intermediate certificates are not in the appropriate

36
00:01:55,900 --> 00:01:57,920
stores on the endpoint as well.

37
00:01:57,920 --> 00:02:01,450
So be sure to check the client configuration there.

38
00:02:01,450 --> 00:02:02,370
Also,

39
00:02:02,370 --> 00:02:05,360
the one last thing I want to make mention of here is that

40
00:02:05,360 --> 00:02:15,000
certificate revocation lists, or CRLs, if they have expired, those certainly can cause 13801 messages too.