ERROR_IPSEC_IKE_INVALID_KEY_USAGE - 13818 (0x35FA)

Invalid certificate key usage.

Updated: Feb 21, 2026

Technical Background

The ERROR_IPSEC_IKE_INVALID_KEY_USAGE error code is a specific error encountered in the Windows implementation of Internet Key Exchange (IKE) for IPsec. This error indicates that there was an issue with the key usage specified in a certificate used during the IKE negotiation process.

Error Details

  • Error Name: ERROR_IPSEC_IKE_INVALID_KEY_USAGE
  • Numeric Code: 13818 (0x35FA)
  • Short Description: Invalid certificate key usage for IPsec IKE operations.

This error typically occurs when the certificate used in an IPsec IKE negotiation does not have the correct key usage attributes set, which are essential for establishing secure connections. Key usage is carried in an X.509 certificate extension that defines what types of cryptographic operations can be performed with the associated public key.

Common Causes

  • Invalid Key Usage Attributes: The certificate used in the IKE negotiation does not have the correct key usage attributes set, such as digitalSignature, keyEncipherment, or dataEncipherment.
  • Incorrect Certificate Selection: The wrong certificate was selected for use in the IPsec IKE negotiation process.

Real-World Context

In a typical scenario, when establishing an IPsec connection, the system expects certain key usage attributes to be present in the certificate. If these attributes are missing or incorrect, the system will generate this error code and fail to establish the secure connection.

Is This Error Critical?

The criticality of this error depends on the specific context in which it occurs. In a corporate environment, failing to establish an IPsec connection can result in network isolation or reduced security. However, in a less critical scenario, such as a development or testing environment, the impact might be minimal.

How to Diagnose

  1. Review Certificate Attributes: Verify that the certificate used for IPsec IKE negotiations has the correct key usage attributes set. Use tools like certutil or Microsoft Management Console (MMC) with the Certificates snap-in to inspect the certificate details.
  2. Check Certificate Selection: Ensure that the correct certificate is being selected for use in the IPsec negotiation process. Misconfiguration of certificate policies can lead to incorrect certificates being used.
  3. IKE Negotiation Logs: Review IKE negotiation logs for additional context and error messages. These logs can provide more detailed information about why the key usage was considered invalid.
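
The certificate review in step 1 can be scripted instead of clicking through the Certificates snap-in. The PowerShell below is an added example, not code from the original page or from Microsoft. It lists each certificate in the local machine's Personal store with its Key Usage and Enhanced Key Usage values and flags those missing a required bit. The store path and the choice of DigitalSignature as the required usage are assumptions; set them to match your own IPsec policy.

```powershell
# Added example: audit Key Usage on certificates that IKE could select.
# Assumptions: certificates live in Cert:\LocalMachine\My and the policy
# requires the DigitalSignature bit. Adjust both to your deployment.
param(
    [string]$StorePath = 'Cert:\LocalMachine\My',
    [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]
    $Required = 'DigitalSignature'
)

$kuType  = [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension]
$ekuType = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]

Get-ChildItem -Path $StorePath | ForEach-Object {
    $cert = $_
    # A certificate carries at most one extension of each type.
    $ku  = $cert.Extensions | Where-Object { $_ -is $kuType }
    $eku = $cert.Extensions | Where-Object { $_ -is $ekuType }

    # Three distinct outcomes: no Key Usage extension at all, required
    # bits present, or extension present without the required bits.
    $status = if (-not $ku) {
        'NoKeyUsageExtension'
    } elseif ($ku.KeyUsages.HasFlag($Required)) {
        'OK'
    } else {
        'MissingRequiredUsage'
    }

    # Prefer the friendly EKU name, fall back to the raw OID.
    $ekuNames = if ($eku) {
        ($eku.EnhancedKeyUsages | ForEach-Object {
            if ($_.FriendlyName) { $_.FriendlyName } else { $_.Value }
        }) -join ', '
    } else { '' }

    [pscustomobject]@{
        Status           = $status
        Subject          = $cert.Subject
        Thumbprint       = $cert.Thumbprint
        NotAfter         = $cert.NotAfter
        HasPrivateKey    = $cert.HasPrivateKey
        KeyUsage         = if ($ku) { $ku.KeyUsages } else { $null }
        KeyUsageCritical = if ($ku) { $ku.Critical } else { $null }
        EnhancedKeyUsage = $ekuNames
    }
} | Sort-Object Status, Subject | Format-List
```

Rows marked MissingRequiredUsage are the candidates for reissue. Where several certificates share a subject, compare their Status values to see whether the wrong one could be selected (step 2).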

How to Resolve

  1. Correct Certificate Attributes: Modify the certificate to ensure it has the correct key usage attributes set. This may involve reissuing the certificate from a certification authority (CA) with the appropriate attributes.
  2. Reconfigure Certificate Policies: Ensure that the certificate policies are correctly configured to select the appropriate certificate for IPsec IKE negotiations. Use Group Policy or Local Security Settings to configure these settings.
  3. Retest Connection: After making changes, attempt to reestablish the IPsec connection and verify that the error no longer occurs.

Developer Notes

Developers should ensure that certificates used in IPsec IKE operations have the correct key usage attributes set during certificate issuance or management. Additionally, proper configuration of certificate policies is crucial to avoid this error.

Related Errors

  • ERROR_IPSEC_IKE_CERT_INVALID: Indicates an invalid certificate for IPsec IKE operations.
  • ERROR_IPSEC_IKE_PROCESSING_AUTHENTICATION_FAILED: Authentication failed during the IPsec IKE negotiation process.

FAQ

Q: What does ERROR_IPSEC_IKE_INVALID_KEY_USAGE mean?

A: This error indicates that a certificate used in an IPsec IKE negotiation does not have the correct key usage attributes set, preventing the establishment of a secure connection.

Q: How can I resolve this issue?

A: Ensure that the certificate has the correct key usage attributes and that it is correctly selected for use in the IPsec negotiation process. Review IKE negotiation logs for additional context.

Summary

The ERROR_IPSEC_IKE_INVALID_KEY_USAGE error code indicates a problem with the key usage specified in a certificate used during an IPsec IKE negotiation. This error can be resolved by ensuring that the correct certificate attributes are set and that the certificate is properly configured for use in the negotiation process.