Fix ERROR_IPSEC_IKE_ATTRIB_FAIL (0X000035EA) in Windows
The IKE security attributes mismatch between your VPN client and server. Here's how to fix it fast.
Quick answer: Open regedit, go to HKLM\SYSTEM\CurrentControlSet\Services\RasMan\Parameters, create a DWORD named NegotiateDH2048_AES256 and set it to 1 (adds AES-256 and DH group 14 to the client's IKE proposals) or 2 (proposes only that combination), then reboot. With the value absent or 0, Windows never offers the stronger set, which is exactly why a hardened server rejects the handshake. This clears the most common cause; if it doesn't, work through the alternatives below.
This error pops up when your Windows machine tries to connect to a remote VPN server (usually L2TP/IPsec) and the two sides can't agree on which encryption algorithms to use. Had a client last month whose entire remote workforce couldn't connect after the IT guy updated the VPN server to require AES-256 with DH group 14. Old Windows 10 machines with default settings only offered AES-128 and DH group 2. The server rejected the handshake, and boom: 0x000035EA (decimal 13802, ERROR_IPSEC_IKE_ATTRIB_FAIL, "IKE security attributes are unacceptable"). The fix isn't to reinstall the VPN client or rebuild the network stack. It's almost always a registry tweak that lets the client propose what the server demands.
Why This Happens
IPsec IKE (Internet Key Exchange) is a negotiation between two parties. Your Windows client says, "I can do 3DES or AES-128 with SHA-1 and DH group 2." The server says, "I only accept AES-256 with DH group 14." If the two proposal lists don't overlap, IKE phase 1 fails and Windows reports this error. Common triggers:
- Server admin hardened the VPN to require stronger encryption (e.g., FIPS compliance).
- A Windows update changed IPsec behaviour. The January 2022 cumulative update KB5009543 is the best-known case: it broke L2TP/IPsec connections on many Windows 10 machines until Microsoft shipped an out-of-band fix.
- Third-party VPN software left junk in the registry that overrides Windows defaults.
- A NAT router with broken IPsec passthrough or blocked UDP 500/4500 (rare for this particular code; it more often shows up as error 789 or 809, but worth ruling out).
Step-by-Step Fix
- Check the server's required settings. Ask your VPN admin which encryption algorithm (3DES, AES-128, AES-256), integrity algorithm (SHA-1, SHA-256) and DH group (2, 14, 19) the server accepts for IKE phase 1. If they don't know, assume AES-256 with DH group 14; it's the most common hardened setup, and it's exactly what the registry value below enables. Note that the value changes only the encryption algorithm and DH group the client proposes; the integrity algorithm Windows offers for L2TP is not affected.
- Open regedit (Win+R, type regedit, hit Enter). Back up the key first: right-click HKLM\SYSTEM\CurrentControlSet\Services\RasMan\Parameters and export it.
- Create the DWORD. Right-click in the right pane, New > DWORD (32-bit) Value, and name it NegotiateDH2048_AES256. The data means: 0 (same as the value being absent) is the Windows default and AES-256 with DH group 14 is never proposed; 1 adds AES-256 with DH group 14 to the normal proposals, which is the safe choice because servers that only know the older set still see it; 2 proposes only AES-256 with DH group 14, for when you want the client to stop negotiating the weaker set altogether. Set 1 for the scenario described above. Setting 0 only makes sense if someone previously set 1 or 2 and the server accepts nothing but the old defaults.
- Apply the change. On a client, reboot; a running Remote Access Connection Manager (RasMan) does not reliably pick up the new value. If the same key is being set on a Windows RRAS server, restart Routing and Remote Access from an admin Command Prompt: net stop RemoteAccess && net start RemoteAccess.
- Try connecting again. If it still fails, move to the alternative fixes.
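The whole procedure above as one script, added here as an example rather than taken from the article: run it in an elevated PowerShell and it decodes the error number, backs up the key, shows the current value, writes the new one and reminds you to reboot. The backup location under %TEMP% and the default mode of 1 are assumptions for the example.

```powershell
# Added example, not from the original article. Sets the L2TP/IPsec client's
# NegotiateDH2048_AES256 value with a backup, instead of clicking through regedit.
# Run in an elevated PowerShell.
#   -Mode 1 : add AES-256 / DH group 14 to the default proposals (default here)
#   -Mode 2 : propose only AES-256 / DH group 14
#   -Mode 0 : Windows default, stronger set never proposed
param(
    [ValidateSet(0, 1, 2)]
    [int]$Mode = 1
)

$key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\RasMan\Parameters'
$name = 'NegotiateDH2048_AES256'

# Decode 0x35EA straight from the Win32 error table so there is no guessing.
$err = [System.ComponentModel.Win32Exception]::new(0x35EA)
Write-Host ("0x{0:X} ({0}) = {1}" -f 0x35EA, $err.Message)

# Back up the key before touching it (same as File > Export in regedit).
# Path is an assumption for the example; put it wherever you keep backups.
$backup = Join-Path $env:TEMP ("RasMan-Parameters-{0:yyyyMMdd-HHmmss}.reg" -f (Get-Date))
reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Services\RasMan\Parameters' $backup /y | Out-Null
Write-Host "Backed up key to $backup"

# Report the current state. A missing value behaves like 0.
$current = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
if ($null -eq $current) { $current = '(absent, behaves as 0)' }
Write-Host "Current $name = $current"

# Write the new value as REG_DWORD; -Force overwrites an existing value.
New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value $Mode -Force | Out-Null
Write-Host "Set $name = $Mode"

# Existing RasMan/IKE state does not pick this up reliably; reboot before testing.
Write-Warning 'Reboot before testing the VPN connection again.'
```

If you need to roll back, double-click the exported .reg file and reboot; it restores the key exactly as it was, including the absence of the value if it did not exist before.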
If That Doesn't Work: Alternative Fixes
1. Use IKEv2 Instead of L2TP/IPsec (IKEv1)
L2TP/IPsec always negotiates with IKEv1. If the server also offers IKEv2 (RFC 7296), switching the connection to the IKEv2 tunnel type is often the cleaner path, because Windows lets you pin the exact IKEv2 proposals per connection with Set-VpnConnectionIPsecConfiguration instead of relying on the global registry toggle. To convert an existing connection, run this in PowerShell as admin:
Set-VpnConnection -Name "YourVPNName" -TunnelType Ikev2 -AuthenticationMethod Eap -Force
The -L2tpPsk switch only applies to L2TP connections; IKEv2 authenticates the server with a certificate and the client with EAP credentials or a machine certificate, so ask your admin which the server expects. If you'd rather rebuild the connection by hand: right-click the network icon, Network & Internet settings, VPN, Add VPN, and choose IKEv2 as the VPN type.
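Added example, not from the original article: create an IKEv2 connection and pin its proposals to a server that requires AES-256, SHA-256 and DH group 14, which is the IKEv2 counterpart of the registry fix for L2TP. The connection name Corp-IKEv2, the server vpn.example.com and the specific algorithm set are assumptions; replace them with what your VPN admin gives you.

```powershell
# Added example, not from the original article. Run in an elevated PowerShell.
# Connection name, server and algorithms below are assumptions for the example.
$name   = 'Corp-IKEv2'
$server = 'vpn.example.com'

# IKEv2 is its own tunnel type. L2TP always runs over IKEv1, so "forcing IKEv2"
# means changing TunnelType, not adding switches to an L2TP connection.
if (Get-VpnConnection -Name $name -ErrorAction SilentlyContinue) {
    Remove-VpnConnection -Name $name -Force
}
Add-VpnConnection -Name $name -ServerAddress $server -TunnelType Ikev2 `
    -AuthenticationMethod Eap -RememberCredential -Force

# Match the server's policy exactly. Windows' built-in IKEv2 defaults are weaker
# than this set, which is the same kind of mismatch that produces 0x35EA on L2TP.
$ipsec = @{
    ConnectionName                   = $name
    EncryptionMethod                 = 'AES256'     # IKE SA encryption
    IntegrityCheckMethod             = 'SHA256'     # IKE SA integrity
    DHGroup                          = 'Group14'    # IKE SA key exchange, 2048-bit MODP
    CipherTransformConstants         = 'AES256'     # ESP (child SA) encryption
    AuthenticationTransformConstants = 'SHA256128'  # ESP integrity, HMAC-SHA-256-128
    PfsGroup                         = 'PFS2048'    # child SA rekey PFS, 2048-bit MODP
}
Set-VpnConnectionIPsecConfiguration @ipsec -Force

# Verify what will actually be proposed; this is what to compare against the
# server admin's configuration when the handshake still fails.
Get-VpnConnection -Name $name | Select-Object Name, TunnelType, AuthenticationMethod
(Get-VpnConnection -Name $name).IPsecCustomPolicy
```

Every value in the hashtable has to appear in the server's IKEv2 policy or you trade one attribute mismatch for another; if the server uses AES-GCM for ESP, use the GCMAES256 constants for the two transform parameters instead. The server must also reach the client over UDP 500 and 4500, the same ports L2TP/IPsec uses.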
2. Disable IPsec Offload
Some NIC drivers mishandle offloaded IPsec or checksum work, so the server receives corrupted packets. Open Device Manager, find your network adapter, Properties > Advanced tab. Look for "IPsec Offload" and "TCP Checksum Offload (IPv4)". Set both to Disabled. Reboot. Had a Dell Latitude last week that only connected after turning this off.
3. Check for Conflicting Software
Third-party firewalls (McAfee, Norton, ZoneAlarm) often filter or inspect the UDP 500/4500 traffic IKE depends on. Disable them temporarily, or uninstall them, to test. Windows Defender Firewall is fine; its default outbound rules let IPsec through. Also remove any old VPN software like Cisco AnyConnect or OpenVPN that may have left drivers behind. Run pnputil /enum-drivers and look for anything with "VPN" or "TAP" in the name, then remove it via Device Manager.
4. Update or Reinstall the VPN Adapter
Right-click Start, Device Manager, expand Network adapters. Find "WAN Miniport (L2TP)" and "WAN Miniport (IKEv2)"; the IPsec side rides under these two. Right-click > Uninstall device. Then Action > Scan for hardware changes to reinstall. This forces Windows to reload the drivers from scratch.
Prevention Tip
If you're the admin managing a VPN server, push NegotiateDH2048_AES256 to your domain machines with a Group Policy Preferences registry item: Computer Configuration > Preferences > Windows Settings > Registry, new Registry Item, hive HKEY_LOCAL_MACHINE, key path SYSTEM\CurrentControlSet\Services\RasMan\Parameters, value name NegotiateDH2048_AES256, type REG_DWORD, data 1 (or 2 if the server accepts only AES-256 with DH group 14). There is no Administrative Template for this value, so the preference item is the way to deliver it. That way, new machines hit the ground running and you don't get that middle-of-the-night call from a sales guy who can't log in. For standalone machines, save a .reg file on the desktop:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Parameters]
"NegotiateDH2048_AES256"=dword:00000001
Double-click it once, confirm the import, reboot, and forget about it.
One more thing: if you're using a pre-shared key and it contains special characters (like $ or %), Windows might be mangling it in the registry. Delete the VPN connection, re-add it, and type the key manually instead of pasting. I've seen that fix more than a few weird IPsec errors.