IKEv2 Errors 13801, 13806, 13868 and 809 on Windows: Fixes
These error codes come from Windows’ built-in IKEv2 VPN client, the one you configure under Settings → Network & Internet → VPN. If you set up VPNBaron manually with IKEv2, this page decodes what Windows is trying to tell you. Codes covered: 13801, 13806, 13868, 809.
Using the VPNBaron app instead?
The native app doesn’t use the Windows IKEv2 client, so these errors don’t apply to it. If a manual setup keeps fighting you, the app is the two-minute fix: Baron Pathfinder also switches protocols automatically on networks where IKEv2 itself is blocked.
Error 13801: “IKE authentication credentials are unacceptable”
Windows rejected the authentication exchange. In a username/password (EAP) setup this almost always means one of:
Wrong VPN credentials. Use the VPN username and password from your Servers page (top card, copy/reveal buttons). They are separate from your website login.
Server address vs certificate mismatch. The Server name and Remote ID in your VPN profile must be the exact hostname from the Servers page IKEv2 tab, not an IP address and not a hostname from an old guide.
Stale profile. Delete the VPN profile and recreate it fresh; edited-in-place profiles sometimes keep old values in the background.
Error 13806: “IKE failed to find valid machine certificate”
Windows is trying to authenticate with a machine certificate that doesn’t exist. This is a configuration-type problem, not a server problem:
Open your VPN profile’s settings (Network & Internet → VPN → your profile → Advanced options, or rasphone.exe → Properties → Security).
Set Authentication to EAP / Use Extensible Authentication Protocol (secured username + password), not “Use machine certificates”.
Save and reconnect with your VPN credentials.
Error 13868: “Policy match error”
The encryption settings proposed by Windows and the server didn’t overlap. Two fixes, try in order:
Recreate the profile with defaults. Custom IPsec settings are the usual cause; a fresh profile with automatic settings negotiates cleanly.
Enable stronger negotiation via registry (classic fix for older Windows builds). In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Parameters, create a DWORD named NegotiateDH2048_AES256 with value 2, then reboot. This lets the built-in client offer modern AES-256 / DH-2048 combinations.
Error 809: “The network connection between your computer and the VPN server could not be established”
The server never answered. IKEv2 runs on UDP ports 500 and 4500, and something between you and the server is eating them:
The network blocks UDP 500/4500. Common on hotel, campus and office Wi-Fi. Test on another network (phone hotspot): if it connects there, the network is the problem, and no IKEv2 setting will fix it. You need a protocol that doesn’t look like a VPN: the app’s stealth protocols exist for exactly this.
You’re behind NAT and Windows is being cautious. Classic fix: in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent, create a DWORD named AssumeUDPEncapsulationContextOnSendRule with value 2, then reboot. This allows IKEv2/IPsec to negotiate through NAT.
Local firewall/antivirus. Temporarily disable third-party firewalls to test; if that’s it, allow UDP 500/4500 outbound.
Still stuck?
Try a different server from the Servers page; if one location misbehaves, another usually doesn’t.
The native app sidesteps the entire Windows IKEv2 client, drivers, registry and all.
Open a support ticket with the exact error code and the network you’re on; a human answers.