1
00:00:02,140 --> 00:00:04,960
The next error message we'll investigate is the 13806.

2
00:00:04,960 --> 00:00:12,190
And much like the 13801, this is exclusive to IPsec and specifically IKEv2.

3
00:00:12,190 --> 00:00:14,960
Now this could be caused by any number of things.

4
00:00:14,960 --> 00:00:18,450
The most common is a certificate missing on the

5
00:00:18,450 --> 00:00:20,860
endpoint for device tunnel connections.

6
00:00:20,860 --> 00:00:24,140
If there's not a certificate in the local computer certificate store for the

7
00:00:24,140 --> 00:00:28,300
device, then obviously that authentication is going to fail.

8
00:00:28,300 --> 00:00:34,540
We can validate this by opening the local computer certificate store

9
00:00:34,540 --> 00:00:38,810
and ensuring that we have a certificate that was issued to the device

10
00:00:38,810 --> 00:00:42,470
that includes the client authentication EKU.

11
00:00:42,470 --> 00:00:45,170
It's also possible that the certificate could simply be

12
00:00:45,170 --> 00:00:49,640
missing from the VPN server itself.

13
00:00:49,640 --> 00:00:50,090
So here,

14
00:00:50,090 --> 00:00:54,030
once again, we want to make sure that we have our IPsec certificate

15
00:00:54,030 --> 00:00:57,600
issued to the VPN server, and we also want to make sure that it is

16
00:00:57,600 --> 00:00:59,670
valid and trusted. And once again,

17
00:00:59,670 --> 00:01:03,040
much like the previous scenario with the 13801, if

18
00:01:03,040 --> 00:01:05,110
there's issues with certificate revocation,

19
00:01:05,110 --> 00:01:08,610
if there's issues with the certification path, and any of these

20
00:01:08,610 --> 00:01:12,500
certificates are missing, that can be problematic as well.

21
00:01:12,500 --> 00:01:15,800
The last point I want to make about this is that there's a security

22
00:01:15,800 --> 00:01:19,870
option that you can enable, and we did this in an earlier lab where you

23
00:01:19,870 --> 00:01:24,380
can restrict which certificates are used or trusted for IPsec

24
00:01:24,380 --> 00:01:28,840
connections with IKEv2. The command to view that and set it is

25
00:01:28,840 --> 00:01:34,330
Get-VpnAuthProtocol. And here you'll see we've defined the value of

26
00:01:34,330 --> 00:01:39,330
RootCertificateNameToAccept. And in this scenario, I have configured the

27
00:01:39,330 --> 00:01:40,670
incorrect certificate.

28
00:01:40,670 --> 00:01:46,220
I have defined a global or a public CA as the root of

29
00:01:46,220 --> 00:01:49,430
trust for my IPsec connections, which is incorrect.

30
00:01:49,430 --> 00:01:54,280
I'm issuing certificates to my endpoints for IPsec from my internal private CA.

31
00:01:54,280 --> 00:02:02,000
So this is actually incorrect. So this would result in the 13806 failure as well.