Fix ERROR_IPSEC_IKE_NEG_STATUS_BEGIN 0X000035E8
This error means IPsec negotiation started but failed. It's a generic start marker for IKE errors during VPN setup.
Quick answer
Run netsh advfirewall reset and net start IKEEXT from an admin command prompt, then restart the VPN connection.
What this error means
The error ERROR_IPSEC_IKE_NEG_STATUS_BEGIN (0X000035E8) isn't a failure on its own—it's the starting flag for the list of IKE error codes. But when you see it in logs, it means the IPsec negotiation process kicked off, hit a wall, and never completed. This usually happens in three real-world scenarios:
- You're trying to connect to a corporate VPN that uses IPsec/L2TP or IKEv2.
- Windows Firewall or the IPsec Policy Agent service is disabled or hung.
- Your router or firewall on the other end isn't responding to IKE packets.
I've seen this on Windows 10 and Server 2019 after a Windows update borks the IPsec driver or after someone turns off the Windows Firewall service to "fix" something else. The real fix is nearly always a service restart or a policy reset.
Step-by-step fix
- Open an admin command prompt. Press the Windows key, type cmd, right-click "Command Prompt", and pick "Run as administrator".
- Stop the IPsec services. Type these one at a time, hitting Enter after each:
    net stop IKEEXT
    net stop PolicyAgent
    net stop BFE
  After each stop, you should see a message like "The service was stopped successfully." If you get "Access denied," you're not running as admin.
- Reset the Windows Firewall rules. Type:
    netsh advfirewall reset
  You'll see "Ok." This wipes out custom firewall rules—you'll need to re-add any you actually use for other apps.
- Start the services back up, in this order:
    net start BFE
    net start PolicyAgent
    net start IKEEXT
  Each should say "The service started successfully." Watch for error 5 or 577—those mean a driver is corrupted (see alternative fixes).
- Flush the IPsec security associations. Type:
    netsh ipsec static delete all
  Then:
    ipsec reset
  You won't see output for the second command, but it works.
- Restart your VPN connection. Go to Network & Internet settings, find your VPN, and click "Connect". Test whether the error goes away.
After these steps, check Event Viewer under Applications and Services Logs > Microsoft > Windows > IKE. You should see event IDs like 4650 or 4651 indicating negotiation started correctly.
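The same stop / reset / start sequence as an added PowerShell script (example code, not from the original article), which additionally exports the firewall rule set before the reset and brings back any services that stopping BFE took down with it. It assumes an elevated PowerShell session; the backup path and the choice of the Security log for events 4650/4651 are my assumptions, not the article's.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original article: scripts the stop / reset / start sequence above,
# backs up the firewall rule set before the reset, and then checks for the negotiation events.

$backup = Join-Path $env:TEMP 'firewall-before-reset.wfw'   # placeholder path; change as needed

# 'netsh advfirewall reset' discards custom rules, so export them first.
# Restore later with: netsh advfirewall import "$backup"
netsh advfirewall export "$backup" | Out-Null
Write-Host "Firewall rules backed up to $backup"

# Stopping BFE also stops everything that depends on it (Windows Defender Firewall included),
# so remember which dependents were running so they can be brought back afterwards.
$dependents = @((Get-Service -Name BFE).DependentServices |
    Where-Object { $_.Status -eq 'Running' } | Select-Object -ExpandProperty Name)

# Stop the IPsec services in the order the article gives; -Force stops dependents first.
foreach ($svc in 'IKEEXT', 'PolicyAgent', 'BFE') {
    Stop-Service -Name $svc -Force -ErrorAction Stop
    Write-Host "$svc stopped"
}

netsh advfirewall reset | Out-Null

# Make sure the IPsec Policy Agent comes back after a reboot, then start BFE -> PolicyAgent -> IKEEXT,
# followed by any other dependents (firewall service etc.) that were running before.
Set-Service -Name PolicyAgent -StartupType Automatic
foreach ($svc in (@('BFE', 'PolicyAgent', 'IKEEXT') + $dependents | Select-Object -Unique)) {
    try {
        Start-Service -Name $svc -ErrorAction Stop
        Write-Host ("{0}: {1}" -f $svc, (Get-Service -Name $svc).Status)
    } catch {
        # A start failure here is the article's cue for sfc /scannow and DISM.
        Write-Warning "$svc failed to start: $($_.Exception.Message)"
    }
}

# After the VPN is reconnected, look for the Main Mode SA events the article mentions (4650 / 4651).
# Assumption: IPsec Main Mode auditing writes them to the Security log; change LogName if yours differs.
$since = Get-Date
Read-Host 'Reconnect the VPN now, then press Enter to check for IKE events' | Out-Null
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4650, 4651; StartTime = $since } `
    -MaxEvents 5 -ErrorAction SilentlyContinue
if ($events) {
    $events | Select-Object TimeCreated, Id, Message | Format-List
} else {
    Write-Host "No 4650/4651 events since $since; negotiation has not completed."
}
```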
Alternative fixes if the main one fails
Repair the IPsec driver
If you saw error 577 when starting IKEEXT, the driver file ipsec.sys might be corrupt. Run these from an admin command prompt:
    sfc /scannow
    dism /online /cleanup-image /restorehealth
Reboot after each. This takes 10-20 minutes.
Check the remote VPN server firewall
Tell your network admin to verify that the remote server allows UDP ports 500 (ISAKMP) and 4500 (IPsec NAT-T). If you manage the server, check Windows Firewall inbound rules for "Routing and Remote Access" and "IKE" rules. I've seen admins forget to open port 4500 for clients behind NAT—happens more than you'd think.
Use the built-in Windows VPN troubleshooter
Go to Settings > Update & Security > Troubleshoot > Additional troubleshooters > Network Adapter. Run it, let it restart services. This won't fix everything, but it's worth a try if you're stuck.
Re-enable the IPsec Policy Agent through services.msc
Press Win + R, type services.msc, find "IPsec Policy Agent". Right-click, Properties. Make sure Startup type is "Automatic" and the service is Running. If it's disabled, change it, hit Apply, then Start.
Prevention tip
Don't disable Windows Firewall or the Base Filtering Engine service—they're required for IPsec to work. If you need to run a third-party firewall, make sure it supports IPsec passthrough and doesn't override the Windows IPsec stack. Also, after every major Windows feature update (like 22H2 to 23H2), reboot twice and run an IPsec test connection before relying on VPN for work. That update can reset the IPsec driver or policy store without telling you.