Fix ERROR_IPSEC_IKE_DECRYPT (0X0000362B) - VPN Decrypt Fail
This error pops up when the Windows IKE service cannot decrypt an IKE packet from the VPN peer. On an L2TP/IPsec tunnel that is almost always a preshared key mismatch; stale IPsec state or a NAT device that mangles UDP 500/4500 traffic can produce the same symptom.
When does this error actually show up?
You're trying to connect to a corporate VPN with the built-in Windows client, usually an L2TP/IPsec or IKEv2 connection (third-party clients such as Cisco AnyConnect carry their own IKE implementation and report failures in their own terms, but the causes below apply to the IPsec tunnel underneath them). Right after you enter your credentials, the connection hangs for a few seconds, then fails with ERROR_IPSEC_IKE_DECRYPT, hex code 0X0000362B (decimal 13867), in the event log or client window. It's frustrating because the VPN server is clearly reachable (ping works, DNS resolves), but the tunnel won't form.
What's really going on?
The Internet Key Exchange (IKE) protocol negotiates the keys that protect your VPN tunnel. Each peer derives those keys on its own from the exchange; nothing on the wire lets the receiver check a key before it tries to use it. When Windows says "error decrypting payload," it means your machine received an IKE message it should have been able to decrypt and the result did not verify: the key it derived differs from the key the server used, or the packet was altered in transit. That almost always points to one of three things:
- Wrong preshared key. This is the #1 cause. In L2TP/IPsec (IKEv1 main mode) the PSK feeds into the session key derivation, so a PSK mismatch is not reported as an authentication failure: it surfaces exactly here, when the first encrypted message (the identity payload) arrives and cannot be decrypted. IKEv2 derives its keys from Diffie-Hellman alone and reports a bad PSK as an authentication failure instead.
- Mismatched encryption settings. A plain proposal mismatch (your client offers AES-256/SHA-256, the server only accepts 3DES/SHA-1) is normally rejected before anything is encrypted and produces a policy or "no proposal chosen" error rather than this one. But a NAT or inspection device that rewrites or truncates the UDP 500/4500 packets hands the client a payload that will not decrypt, which is why matching the algorithms and checking the path both belong in the fix list.
- Stale local IPsec state. A main mode security association (SA) left over from a previous failed attempt can be reused with keys the server no longer holds, and every encrypted message from that point fails.
In plain English: the server sent an encrypted IKE payload, your computer tried to unwrap it with a key derived from the wrong secret (or applied it to a packet that had been tampered with on the way), and the integrity check failed. So it threw up its hands and gave you error 0X0000362B.
Step-by-step fix
Step 1: Double-check the preshared key
This is the most common fix. Go into your VPN connection settings and verify the preshared key character by character. It's case-sensitive. One typo—like "MyKey" instead of "mykey"—will kill the connection.
- Open Control Panel > Network and Sharing Center > Change adapter settings.
- Right-click your VPN connection and choose Properties.
- Click the Security tab.
- Click Advanced settings and select Use preshared key for authentication.
- Compare the Key field with the key your network admin gave you, character by character.
- If it's wrong, type the correct key. Click OK, then OK again.
After the second OK you're back at the adapter list. Try the connection again. Watch for leading or trailing spaces pasted in with the key: Windows sends them as part of the secret, so "mykey " is a different key from "mykey".
Step 2: Reset IPsec security associations
Sometimes a cached SA from a previous attempt poisons the next negotiation. Here's how to flush it:
- Open Command Prompt as Administrator. Click Start, type cmd, right-click it, and choose Run as administrator.
- Delete the current main mode and quick mode SAs:
netsh advfirewall monitor delete mmsa all
netsh advfirewall monitor delete qmsa all
- Don't use netsh ipsec static delete all for this: it deletes the local IPsec policies, filter lists and filter actions from the policy store, not cached SAs.
- Restart the keying service. There is no Windows service named "ipsec"; the service that runs IKE is IKEEXT (IKE and AuthIP IPsec Keying Modules):
net stop IKEEXT && net start IKEEXT
- You should see "The IKE and AuthIP IPsec Keying Modules service was stopped successfully." followed by the matching "started successfully" line.
Now attempt the VPN connection again. If the error came from a stale SA, this clears it.
Step 3: Match encryption and integrity settings
If the key is right and the SAs are flushed, check the algorithms. Keep in mind that a genuine proposal mismatch usually fails earlier with a policy error rather than a decrypt error, so if this step fixes it, what you really changed was the IKE version or the tunnel type. You need the client to offer the encryption, integrity and Diffie-Hellman settings the server accepts.
- Go back to the VPN connection's Properties > Security tab.
- Look at Data encryption. Set it to Require encryption (disconnect if server declines)—unless your admin says otherwise.
- Click IPsec Settings.
- In the Type of VPN dropdown, note what's selected: Layer 2 Tunneling Protocol with IPsec (L2TP/IPsec) or IKEv2. The GUI does not expose the cipher or hash choice; Windows negotiates from its built-in proposal list. The only way to pin specific algorithms on a client is the Set-VpnConnectionIPsecConfiguration PowerShell cmdlet, which applies to IKEv2 connections.
- If your server expects IKEv2, change Type of VPN to IKEv2. IKEv2 on the Windows client authenticates with a certificate or EAP rather than a preshared key, so the PSK field no longer applies.
- Click OK, then OK again.
After applying, try connecting. If it still fails, ask your admin for the exact proposal the server accepts: encryption (AES-128 vs AES-256 vs 3DES), integrity (SHA-1 vs SHA-256), Diffie-Hellman group, and IKEv1 vs IKEv2.
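The three steps above, as an added example in PowerShell (this is not code from the original article or from Microsoft; it uses the built-in VpnClient and NetSecurity cmdlets). The connection name Corp-VPN, the server name vpn.example.com, the algorithm set in step 3 and the $ServerIsIkev2 switch are assumptions; take the real values from your VPN admin. Run it in an elevated PowerShell.

```powershell
# Added example (not from the original article): rebuild a built-in Windows VPN
# connection from an elevated PowerShell so the PSK, tunnel type and algorithms
# are set explicitly rather than inherited from the GUI. 'Corp-VPN',
# 'vpn.example.com' and the algorithm set below are assumptions.
$Name   = 'Corp-VPN'
$Server = 'vpn.example.com'

# Step 1: the PSK exactly as issued. Read-Host keeps it out of the script file;
# .Trim() strips the leading/trailing whitespace that copy-paste often adds.
# Everything else stays case-sensitive, because the server compares bytes.
$Psk = (Read-Host -Prompt 'Preshared key').Trim()

Remove-VpnConnection -Name $Name -Force -ErrorAction SilentlyContinue
Add-VpnConnection -Name $Name -ServerAddress $Server -TunnelType L2tp `
    -L2tpPsk $Psk -AuthenticationMethod MSChapv2 -EncryptionLevel Required -Force

# Step 2: drop cached IKE state. The SA cmdlets remove the live main mode and
# quick mode SAs; restarting IKEEXT (there is no service called "ipsec")
# discards anything still held in memory.
Get-NetIPsecMainModeSA  -ErrorAction SilentlyContinue | Remove-NetIPsecMainModeSA
Get-NetIPsecQuickModeSA -ErrorAction SilentlyContinue | Remove-NetIPsecQuickModeSA
Restart-Service -Name IKEEXT -Force

# Step 3 (IKEv2 servers only): Windows lets you pin the proposals on an IKEv2
# connection. Main mode is EncryptionMethod/IntegrityCheckMethod/DHGroup,
# quick mode is CipherTransformConstants/AuthenticationTransformConstants/
# PfsGroup. The values are an assumption; use the set the server accepts.
# IKEv2 on the Windows client does not use the PSK entered above.
$ServerIsIkev2 = $false   # assumption: set to $true if your admin says IKEv2
if ($ServerIsIkev2) {
    Set-VpnConnection -Name $Name -TunnelType Ikev2 -Force
    Set-VpnConnectionIPsecConfiguration -ConnectionName $Name `
        -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 -DHGroup Group14 `
        -CipherTransformConstants AES256 -AuthenticationTransformConstants SHA256128 `
        -PfsGroup PFS2048 -Force
}

# Show what was configured, then dial. A PSK typo on L2TP fails at the first
# encrypted IKE message with 13867 (0x362B); a proposal mismatch on IKEv2
# fails earlier with a policy error, which tells you which step to revisit.
Get-VpnConnection -Name $Name |
    Format-List Name, ServerAddress, TunnelType, AuthenticationMethod, EncryptionLevel
rasdial $Name
```

The script recreates the connection rather than editing it in place so that no leftover setting from an earlier attempt survives; if you would rather keep the existing entry, replace the Remove/Add pair with Set-VpnConnection and re-enter the key with -L2tpPsk.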
Step 4: Check Windows Firewall and third-party antivirus
Some firewalls block the traffic IPsec needs. IKE uses UDP port 500. When either side is behind NAT, IKE switches to UDP 4500 and the ESP data is encapsulated in UDP 4500 as well; without NAT, ESP travels as IP protocol 50. A device that passes UDP 500 but drops UDP 4500 lets the first messages through and then strands the rest, and an inspection device that rewrites IPsec packets hands the client payloads it cannot decrypt.
- Open Windows Defender Firewall with Advanced Security.
- Check both Inbound Rules and Outbound Rules (the client initiates outbound, so an outbound block is the more common culprit on a workstation).
- Look for any rule that blocks UDP port 500, UDP port 4500, or IP protocol 50 (ESP). If you see one, disable or delete it.
- Also check your antivirus's firewall settings. Temporarily disable it to test; if the VPN connects with AV off, you've found the culprit. Re-enable it afterwards and add an exception for the VPN client or the ports above rather than leaving it off.
After changing firewall rules, restart the VPN client or retry the connection.
What if it still fails?
If you've done all four steps and the error persists, there's a deeper issue, and you need evidence to hand to your network admin. Note that netsh wfp show state writes its own output file; redirecting stdout captures nothing. Run this in an admin command prompt:
netsh wfp show state file=wfpstate.xml
That file lists the WFP filters and the current main mode and quick mode SAs, including the algorithms actually negotiated, but it does not contain a per-packet record. For the failing negotiation itself, turn on IPsec auditing with auditpol /set /subcategory:"IPsec Main Mode" /failure:enable, reproduce the failure, and look in the Security event log for events 4652 and 4653 (an IPsec main mode negotiation failed). The Failure Reason and peer address in that event are what your admin needs to compare against the server's IKE policy. Also check the VPN server's own IKE log for the same negotiation; sometimes both sides are misconfigured.
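The evidence collection described above, as an added PowerShell example (not code from the original article or from Microsoft). The event IDs, the auditpol subcategories and the netsh trace scenario are real Windows facilities; the connection name Corp-VPN and the output folder are assumptions. Run it elevated, and expect it to prompt for credentials when rasdial runs if none are saved.

```powershell
# Added example (not from the original article): gather what a VPN admin needs
# when 0x362B persists. Run elevated. Security events 4652/4653 (main mode
# negotiation failed) and 4654 (quick mode failed) are standard Windows
# events; 'Corp-VPN' and the output folder are assumptions.
$Name  = 'Corp-VPN'
$Out   = Join-Path $env:USERPROFILE 'ike-diag'
New-Item -ItemType Directory -Path $Out -Force | Out-Null
$since = Get-Date

# 1. Audit IKE negotiations so every failure writes an event that carries a
#    Failure Reason, the peer address and the SPIs (cookies) of the exchange.
auditpol /set /subcategory:"IPsec Main Mode"  /success:enable /failure:enable
auditpol /set /subcategory:"IPsec Quick Mode" /success:enable /failure:enable

# 2. Capture packets plus WFP/IKE tracing around a single connection attempt.
#    The trace shows whether UDP 500/4500 replies arrive at all and whether
#    they arrive intact, which separates a key mismatch from a mangling NAT.
netsh trace start scenario=VpnClient capture=yes tracefile="$Out\vpn.etl" overwrite=yes
rasdial $Name 2>&1 | Tee-Object -FilePath (Join-Path $Out 'rasdial.txt')
Start-Sleep -Seconds 5
netsh trace stop

# 3. Pull the negotiation-failure events from this attempt. The first line of
#    each message names the failure; the body carries the reason and the peer.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4652, 4653, 4654; StartTime = $since } `
    -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message |
    Out-File (Join-Path $Out 'ike-events.txt')

# RasClient (Application log) records the error code the client surfaced,
# e.g. 13867, together with the connection name.
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'RasClient'; StartTime = $since } `
    -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message |
    Out-File (Join-Path $Out 'rasclient.txt')

# 4. Dump the WFP state (filters and current main/quick mode SAs). The command
#    writes the file itself; redirecting its stdout captures nothing.
netsh wfp show state file="$Out\wfpstate.xml"

# 5. Turn auditing back off unless you want it on permanently, then list
#    the files to send to the admin.
auditpol /set /subcategory:"IPsec Main Mode"  /success:disable /failure:disable
auditpol /set /subcategory:"IPsec Quick Mode" /success:disable /failure:disable
Get-ChildItem $Out
```

Send the whole folder: the .etl trace answers whether the packets reached the client unmodified, the Security events say at which IKE message the negotiation died, and the WFP dump shows the proposals in use, which is enough for the server side to spot a PSK, policy or NAT problem without guessing.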
One last thing: if you're using a third-party VPN client like Cisco AnyConnect or FortiClient, uninstall it completely, reboot, and reinstall the latest version. I've seen corrupted driver files cause this exact error on Windows 10 build 22H2 and Windows 11 23H2.