ERROR_IPSEC_IKE_CERT_CHAIN_POLICY_MISMATCH - 13887 (0x363F)

Certificate doesn't chain to a trusted root in IPsec policy.

Updated: Feb 21, 2026

Technical Background

ERROR_IPSEC_IKE_CERT_CHAIN_POLICY_MISMATCH is a Windows system error code (13887, 0x363F in winerror.h) raised by the IKE and AuthIP keying modules of the Windows IPsec implementation. It is returned when certificate-based authentication fails because the chain built for the certificate used in the negotiation (normally the peer's) does not end in a root certification authority (CA) that the active IPsec policy trusts.

Error Details

When this error occurs, the certificate presented during IKE authentication could not be chained to a root CA that the IPsec policy accepts. The check is stricter than generic certificate validation: Windows builds the chain against the Local Computer certificate stores (IKE runs as the computer, so the user's stores are not consulted) and then requires the root of that chain to be one of the CAs named in the connection security rule's authentication method. A certificate that is otherwise valid but issued under a different root fails with this code. It applies to any IPsec negotiation that uses certificate authentication, whether IKEv1, IKEv2 or AuthIP.

Common Causes

  • Incomplete chain: the peer did not send its intermediate CA certificates and they are not in the Local Computer Intermediate Certification Authorities store, so chain building stops short of a root.
  • Policy names a different CA: the connection security rule or VPN profile is configured for a specific root (or intermediate) CA, and the certificate presented was issued under another one. Such a chain can validate cleanly in certutil and still not satisfy the policy.
  • Root not trusted by the computer: the issuing root is absent from the Local Computer Trusted Root Certification Authorities store, or was imported only into the current user's store, which IKE does not use.

Real-World Context

This error is common in environments that rely on machine-certificate authentication for IPsec: IKEv2 VPN connections between clients and a VPN server, site-to-site tunnels, and domain isolation or server isolation deployed through Windows Defender Firewall connection security rules. It often appears right after a PKI change, such as a new issuing CA, a root rollover or a re-issued machine certificate.

Is This Error Critical?

Operationally it is a hard failure: IKE refuses the security association, so the traffic the rule protects is dropped, or passes in clear text only where the rule merely requests rather than requires IPsec. From a security standpoint the error is the system working as intended. It means the peer's identity could not be tied to a CA you trust, which may be an ordinary misconfiguration or a peer presenting a certificate from an unexpected issuer. Treat it as an authentication failure to be understood, not a check to be relaxed; importing an unverified root to make the error disappear converts a fail-closed condition into a trust-anyone condition.

How to Diagnose

To diagnose this issue, follow these steps:

  1. Identify which certificate failed. Enable auditing of IPsec Main Mode (and Extended Mode for AuthIP) so negotiation failures are written to the Security log, and check whether the mismatch was logged on the local computer or on the peer; each side validates the other's certificate. `netsh advfirewall monitor show mmsa` shows which main mode SAs did get established.
  2. Review the IPsec policy. Read the connection security rule's authentication method (or the VPN profile) for the CA it requires, and compare that CA's subject name with the issuer chain of the certificate being presented.
  3. Verify the Local Computer stores. The root CA must be in Trusted Root Certification Authorities and any intermediates in Intermediate Certification Authorities, both under Local Computer, not under the current user.
  4. Validate the chain. `certutil -verify -urlfetch <cert.cer>` builds the chain and reports which element is missing or untrusted; compare the thumbprint of the chain's root with the CA the policy names.
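The steps above, combined into one script, as an added example that is not part of the original page and not a Microsoft-supplied tool. It assumes the failing machine certificate is in Cert:\LocalMachine\My and is identified by the hypothetical thumbprint below, and that the built-in PKI and NetSecurity PowerShell modules are available (Windows 8 / Server 2012 and later). Run it in an elevated session on the computer that logged the failure.

```powershell
# Added diagnostic script (not from the original page). Assumption: the
# certificate under test is identified by this hypothetical thumbprint.
$MachineCertThumbprint = 'AABBCCDDEEFF00112233445566778899AABBCCDD'

$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Thumbprint -eq $MachineCertThumbprint }
if (-not $cert) {
    throw "Certificate $MachineCertThumbprint not found in Cert:\LocalMachine\My"
}

# 1. Build the chain as the local computer sees it. Revocation is deliberately
#    not checked here: a revocation failure is a different IKE error, and
#    disabling it isolates chain building from CRL/OCSP reachability.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode =
    [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$built = $chain.Build($cert)

Write-Output "Chain built successfully: $built"
foreach ($status in $chain.ChainStatus) {
    # PartialChain usually means a missing intermediate; UntrustedRoot means the
    # top of the chain is not in the Local Computer Trusted Root store.
    Write-Output ("  status: {0} - {1}" -f $status.Status, $status.StatusInformation.Trim())
}
$i = 0
foreach ($element in $chain.ChainElements) {
    Write-Output ("  [{0}] {1}  thumbprint={2}" -f $i,
        $element.Certificate.Subject, $element.Certificate.Thumbprint)
    $i++
}

# 2. Is the top of the chain present in the Local Computer Trusted Root store?
#    IKE runs as the computer, so Cert:\CurrentUser\Root does not count.
if ($chain.ChainElements.Count -gt 0) {
    $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    $rootInStore = Get-ChildItem Cert:\LocalMachine\Root |
        Where-Object { $_.Thumbprint -eq $top.Thumbprint }
    Write-Output ("Top of chain '{0}' present in LocalMachine\Root: {1}" -f
        $top.Subject, [bool]$rootInStore)
}

# 3. Which CAs do the active IPsec rules actually accept? A chain can be
#    perfectly valid and still fail with 13887 if it does not end in one of
#    these authorities. Compare Authority with the issuer subjects printed above.
Get-NetIPsecPhase1AuthSet -PolicyStore ActiveStore | ForEach-Object {
    Write-Output "Phase 1 authentication set: $($_.DisplayName)"
    $_ | Get-NetIPsecAuthProposal |
        Format-List AuthenticationMethod, Authority, AuthorityType
}
```

Read the three outputs together: a PartialChain status points at step 1 of the resolution below (missing intermediates), an UntrustedRoot status at the Local Computer root store, and a clean chain whose root subject does not appear as an Authority in any Phase 1 authentication set points at the policy itself.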

How to Resolve

To resolve this issue, consider these practical steps:

  1. Complete the chain. Install the missing intermediate CA certificates into the Local Computer Intermediate Certification Authorities store on the side that fails, or fix the issuing CA's deployment so machine certificates are issued with the chain available to the computer.
  2. Trust the right root, deliberately. If the root CA is genuinely missing, obtain its certificate from the PKI owner and verify its thumbprint through an out-of-band channel before importing it into Local Computer Trusted Root Certification Authorities (certutil -addstore Root, Import-Certificate, or Group Policy). Do not import whatever root the failing peer happens to present.
  3. Align the policy with the PKI. Update the connection security rule or VPN profile so the authentication method names the CA that actually issues the machine certificates, then re-test the negotiation.
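The three resolution steps as one script, added here as an example; it is not part of the original page and not a vendor-supplied procedure. It assumes the root and intermediate CA certificates were exported to the hypothetical files below, that the root's expected thumbprint was obtained out of band (from the PKI team, not from the file), and that a connection security rule with the hypothetical display name exists. Run it elevated; the cmdlets come from the built-in PKI and NetSecurity modules.

```powershell
# Added example (not from the original page). All paths, names and the
# thumbprint below are hypothetical placeholders.
$RootFile       = 'C:\pki\ContosoRootCA.cer'
$IntermedFile   = 'C:\pki\ContosoIssuingCA1.cer'
$ExpectedRootTp = '0123456789ABCDEF0123456789ABCDEF01234567'   # verified out of band
$RuleName       = 'Server-to-Server IPsec'                     # existing connection security rule

# 1. Pin the root before trusting it. Importing an unverified root "fixes" the
#    error by trusting whatever CA the peer presents, which is the wrong fix.
$rootCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $RootFile
if ($rootCert.Thumbprint -ne $ExpectedRootTp) {
    throw "Root thumbprint $($rootCert.Thumbprint) does not match the expected value; refusing to import"
}
Import-Certificate -FilePath $RootFile -CertStoreLocation Cert:\LocalMachine\Root | Out-Null

# 2. Intermediates belong in the Intermediate Certification Authorities store
#    (Cert:\LocalMachine\CA), not in Root; placing them in Root would make the
#    intermediate itself a trust anchor.
$intermedCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $IntermedFile
Import-Certificate -FilePath $IntermedFile -CertStoreLocation Cert:\LocalMachine\CA | Out-Null

# 3. Make the IPsec policy name that root explicitly: accept only machine
#    certificates whose chain ends at this CA. Authority takes the CA's
#    subject name; AuthorityType Root ties the match to the chain's root.
$proposal = New-NetIPsecAuthProposal -Machine -Cert `
    -Authority $rootCert.Subject -AuthorityType Root
$authSet = New-NetIPsecPhase1AuthSet `
    -DisplayName 'Machine certificate from Contoso Root CA' -Proposal $proposal
Set-NetIPsecRule -DisplayName $RuleName -Phase1AuthSet $authSet.Name

# 4. Re-validate a machine certificate issued by that intermediate the way the
#    computer will see it before re-testing the tunnel. Test-Certificate
#    returns $false and writes the reason if the chain still does not build.
$machineCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Issuer -eq $intermedCert.Subject } |
    Select-Object -First 1
if (-not $machineCert) {
    Write-Warning "No certificate issued by '$($intermedCert.Subject)' found in LocalMachine\My; enrol one before testing"
} else {
    $ok = Test-Certificate -Cert $machineCert -Policy Base -ErrorAction Continue
    Write-Output "Machine certificate $($machineCert.Thumbprint) chains cleanly: $ok"
}
```

The thumbprint comparison in step 1 is the part most often skipped in practice; it is what keeps this procedure from being a trust-store bypass.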

Developer Notes

For code that drives IPsec through the Windows Filtering Platform or that deploys connection security rules, treat this code as an authentication failure of the peer, not a transient error: do not retry with a broader set of accepted CAs, and do not silently fall back to a weaker authentication method. Log the subject, issuer and thumbprint of the certificate that failed together with the CA the policy expected, since that pairing is what an administrator needs to tell a missing intermediate apart from a policy that names the wrong root.

Related Errors

  • ERROR_IPSEC_IKE_NO_CERT: IKE could not find a valid machine certificate in the local store to authenticate with.
  • ERROR_IPSEC_IKE_NO_PEER_CERT: The peer did not send a valid machine certificate.
  • ERROR_IPSEC_IKE_CRL_FAILED: The chain built, but the certificate revocation check failed.

FAQ

Q: What does the ERROR_IPSEC_IKE_CERT_CHAIN_POLICY_MISMATCH error mean?

A: The certificate presented during IKE authentication could not be chained to a root CA that the IPsec policy on the validating computer accepts. Either the chain could not be built from the Local Computer stores, or it ends at a root other than the one the connection security rule or VPN profile names.

Q: How can I prevent this error from occurring?

A: Issue machine certificates from a CA that the IPsec policy on both peers names, make sure each computer holds the issuing chain (root in Trusted Root Certification Authorities, intermediates in Intermediate Certification Authorities, both under Local Computer), and whenever you add or rotate a CA, update the connection security rules or VPN profiles in the same change.

Summary

ERROR_IPSEC_IKE_CERT_CHAIN_POLICY_MISMATCH is IPsec failing closed: the certificate offered during IKE authentication could not be chained to a root the policy trusts. Distinguishing a missing intermediate, an absent root and a policy that names the wrong CA, and fixing the actual cause rather than widening the trust store, keeps the secured channel both working and meaningful.