
Fix ERROR_IPSEC_IKE_NO_POLICY (0X00003601) on Windows

Windows Errors | Intermediate | May 28, 2026

This error means the IPsec policy is missing or corrupt. Here's how to fix it fast without wasting time on resets.

You've got ERROR_IPSEC_IKE_NO_POLICY (0X00003601) staring you in the face. I know it's annoying—especially when you're in the middle of a VPN setup and it just won't connect. Let's cut the fluff and get this fixed. Nine times out of ten, it's a missing or corrupt IPsec policy. Here's the exact fix I've used for clients on Windows 10 Pro, Server 2016, and Server 2019.

Step-by-Step Fix

1. Check if the IPsec Service is Running

Open Services.msc (Win+R, type services.msc, hit Enter). Look for IPsec Policy Agent. If it's not running, right-click and start it. Set startup type to Automatic. This sounds basic, but I had a client last month whose IT guy disabled this service as a "security hardening" move—took down all their site-to-site VPNs.

2. Reset IPsec Policies with netsh

Open an elevated Command Prompt (right-click CMD, Run as Administrator). Run these commands in order:

netsh ipsec static delete policy name=all
netsh ipsec static set policy name="MyIPsecPolicy" assign=n

Then re-assign it:

netsh ipsec static set policy name="MyIPsecPolicy" assign=y

If you don't have a policy defined yet, create one with:

netsh ipsec static add policy name="DefaultIPsec" description="Auto-created policy" mmlifetime=480 qmperMM=0

Then assign it:

netsh ipsec static set policy name="DefaultIPsec" assign=y

3. Verify Group Policy IPsec Rules

If you're on a domain, the real culprit is often a missing Group Policy object. Run gpresult /h c:\gpresult.html and open the HTML file. Under Computer Configuration -> Windows Settings -> Security Settings -> IPsec Policies, check if any policy is assigned. If it's blank, that's your problem. Contact your domain admin—they need to link a GPO with IPsec rules. I've seen this happen when new servers are added to a domain but don't inherit the right policies.

4. Repair Windows Security Settings

Sometimes the IPsec database itself gets corrupt. Run:

secedit /configure /cfg %windir%\inf\defltbase.inf /db defltbase.sdb /verbose

This rebuilds the local security database. Yes, it's safe. I've done this on dozens of machines with no side effects.
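Before you run the delete in step 2, this PowerShell pre-check (an added example, not from the original post) does the step 1 service check, takes the policy export from the prevention tips below so the delete is reversible, lists what the local store currently has assigned, and pulls the most recent event ID 4654 entries. It assumes the service short name PolicyAgent, the backup path C:\ipsecbackup.ipsec, and that the output of netsh "show policy" contains an "Assigned" line.

```powershell
# Added example (not from the original post): read-only IPsec pre-check for the
# ERROR_IPSEC_IKE_NO_POLICY (0x00003601) steps above. Run from an elevated PowerShell.
# Assumptions: service short name PolicyAgent (display name "IPsec Policy Agent"),
# backup path C:\ipsecbackup.ipsec, and an "Assigned : YES/NO" line in netsh output.
#Requires -RunAsAdministrator

$BackupPath = 'C:\ipsecbackup.ipsec'

# Step 1: the IPsec Policy Agent must be running and start automatically.
$svc = Get-Service -Name PolicyAgent
Write-Host "IPsec Policy Agent: Status=$($svc.Status) StartType=$($svc.StartType)"
if ($svc.StartType -ne 'Automatic') {
    Set-Service -Name PolicyAgent -StartupType Automatic
    Write-Host 'Startup type set to Automatic.'
}
if ($svc.Status -ne 'Running') {
    Start-Service -Name PolicyAgent
    Write-Host 'Started IPsec Policy Agent.'
}

# Prevention tip: export the policy store BEFORE any "delete policy" call, because
# "netsh ipsec static delete" removes every policy in the store, not only the broken one.
netsh ipsec static exportpolicy file=$BackupPath | Out-Null
if (Test-Path $BackupPath) {
    Write-Host "Policy store exported to $BackupPath"
} else {
    Write-Warning 'Export failed; do not run the delete until you have a backup.'
}

# Steps 2 and 3: list what the stack can see. No assigned policy is exactly the
# condition that produces 0x00003601; on a domain member, check the GPO next.
$policyText = netsh ipsec static show policy all
$assigned   = $policyText | Select-String -Pattern 'Assigned\s*:\s*YES'   # assumed output format
if ($assigned) {
    Write-Host 'Assigned local IPsec policy found:'
    $policyText | Select-String -Pattern 'Policy Name' | ForEach-Object { Write-Host "  $_" }
} else {
    Write-Warning 'No assigned IPsec policy in the local store (see step 2, or step 3 if domain-joined).'
}

# Prevention tip: show the latest event ID 4654 entries so you can confirm whether
# the failure is still occurring after the fix.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4654 } -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message |
    Format-List
```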

Why This Works

The 0X00003601 error is the IPsec stack saying, "I don't know what rules to use." It's not a network problem—it's a configuration problem. The netsh commands flush the old, broken policy and assign a fresh one. The secedit command ensures the underlying database isn't corrupt. Most people waste hours fiddling with firewall rules or reinstalling VPN clients, but this is a policy issue at the OS level.

Less Common Variations

VPN Client Specific

If you're using a third-party VPN client (like Cisco AnyConnect or Palo Alto GlobalProtect), remove it completely with a vendor-specific uninstaller, reboot, and reinstall. These clients often override IPsec policies and leave garbage behind. I've seen this happen after a failed update on a client's Dell laptop running Windows 10 22H2.

Site-to-Site VPN with Server 2019

On a Routing and Remote Access (RRAS) server, the error can appear in the event log when the server's IPsec policy doesn't match the peer's. Double-check the preshared key and encryption settings (like AES vs. 3DES). Use this PowerShell to view the current RRAS IPsec settings:

Get-VpnS2SInterface | Select-Object -Property Name, *IPsec*, *Authentication*

If the AuthenticationMethod is blank, set it with:

Set-VpnS2SInterface -Name "YourConnection" -AuthenticationMethod PSKOnly -SharedSecret "YourSharedSecret"

Azure Point-to-Site VPN

For Azure VPN clients, the 0X00003601 often comes after a certificate renewal. Re-run the Azure VPN client configuration download and reimport the profile. Don't just change the certificate—the whole profile needs to be refreshed.

Prevention Tips

  • Backup IPsec policies. After you get it working, export them with: netsh ipsec static exportpolicy c:\ipsecbackup.ipsec
  • Use a script for domain machines. If you manage multiple servers, run the netsh commands as a startup script via GPO. This prevents the error from appearing after a domain join.
  • Monitor event ID 4654. In Event Viewer, under Windows Logs -> Security, event ID 4654 logs IPsec policy changes. If you see 0x00003601 there, investigate within 24 hours.
  • Keep Windows updated. Microsoft has patched several IPsec-related bugs in cumulative updates for Windows 10 and Server 2022. Running an outdated build (pre-2022) is asking for trouble.

That's it. You're not going to need to reinstall Windows or buy new hardware. The fix is in the policy layer. Go get it done.
