0X000032D2

Fix ERROR_IPSEC_MM_AUTH_EXISTS (0X000032D2) in 3 Steps

Windows Errors Beginner 👁 0 views 📅 Jun 9, 2026

IPsec main mode authentication list already exists when trying to create a new one. Quick cleanup fixes it.

What's This Error Really Mean?

You're trying to create an IPsec main mode authentication list—probably through the Windows Firewall with Advanced Security console or a script—and Windows tells you it already exists. The exact code is 0X000032D2, and it translates to ERROR_IPSEC_MM_AUTH_EXISTS. Happens most often when you're applying a Group Policy or a PowerShell script that tries to create a rule that's already there. Had a client last month whose whole VPN tunnel died because a duplicate authentication list was blocking the new one from being applied.

The fix is simple: either delete the existing list or rename your new one so it doesn't clash. I'll walk you through both.

Step 1: The 30-Second Fix – Delete the Duplicate via PowerShell

Open PowerShell as Administrator. Seriously, don't skip that. Then run this:

Remove-NetIPsecMainModeAuthSet -Name "YourAuthListName"

Replace YourAuthListName with the actual name of the authentication list that's giving you trouble. If you're not sure what it's called, run this first to see all your main mode auth sets:

Get-NetIPsecMainModeAuthSet | Format-List Name, DisplayName

Find the one that matches what you're trying to create, note its Name (it's usually a GUID-looking string or the friendly name), and then delete it with the first command.

That's it. Try your operation again. If the error's gone, you're done. If not—or if you can't find the list—move to Step 2.

Step 2: The 5-Minute Fix – Use Netsh to Clear the Policy

PowerShell didn't cut it? Sometimes the IPsec policy is stored in the old-school way via netsh. This is especially common on Windows Server 2012 R2 or older boxes that got upgraded. Let's flush it manually.

Open a Command Prompt as Administrator. Then run:

netsh ipsec static show all

This dumps every IPsec policy, filter, and authentication list on the machine. Look for the section labeled Main Mode Authentication Lists. You'll see entries like this:

Main Mode Authentication Lists
-------------------------------
Name                           : MyAuthList
Description                    :
Authentication Methods         : Preshared key: abc123

Note the exact Name. Then delete it:

netsh ipsec static delete authenticationlist name="MyAuthList"

If you get "The system cannot find the file specified", you might have a typo in the name. Use quotes around the name if it has spaces. After deletion, re-run your script or console operation. Should work now.

Heads up: Netsh commands are case-insensitive, but the name must match exactly. If you're still stuck, the list might be hidden inside a Group Policy. Move to Step 3.

Step 3: The 15+ Minute Fix – Hunt Down Group Policy or Registry Conflicts

If the first two steps didn't resolve it, the authentication list is probably being pushed by a domain Group Policy, or it's corrupted in the registry. Let's check both.

Check for Group Policy

Open Group Policy Management Console (GPMC) on a domain controller (or gpedit.msc if it's a local policy). Navigate to:

Computer Configuration > Policies > Windows Settings > Security Settings > IP Security Policies on Active Directory

Look for any policy that contains a rule using your authentication list name. If you find one, you have two options:

  • Remove the policy from the GPO if you control it.
  • Override it by creating a new policy with a different name and higher precedence.

If you're not the domain admin, you'll need to ask them to disable or modify that GPO. This happened to a call center I worked with—their VPN rule was baked into the Default Domain Policy. Took a change request and a reboot to fix.

Registry Cleanup (Last Resort)

IPsec policies are stored in the registry under:

HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\IPSecPolicy\

Open Regedit as Administrator, back up that key first (right-click > Export), then look for subkeys matching your authentication list name. Delete the offending key. Warning: Messing with this can break all your IPsec rules, so only do this if you know exactly what you're deleting and have a backup.

After the registry delete, reboot the machine. Then try creating your authentication list again. 9 times out of 10, this nukes the conflict.

Prevention – Don't Let This Happen Again

Next time you're writing a script to create IPsec rules, always check for existing lists before creating. Use this PowerShell snippet first:

$existing = Get-NetIPsecMainModeAuthSet -DisplayName "YourAuthList" -ErrorAction SilentlyContinue
if ($existing) {
    Write-Host "Auth list already exists, deleting..."
    Remove-NetIPsecMainModeAuthSet -DisplayName "YourAuthList"
}
# Then create your new one

This avoids the collision entirely. I now put this in every deployment script after spending an hour on a client's server cleaning up duplicate rules.

If you're still stuck after all three steps, check if you have multiple policies with the same name but different GUIDs—that's a rare GPO replication issue. Force a gpupdate /force and try again.

Was this solution helpful?

ERROR_IPSEC_MM_AUTH_EXISTS 0X000032D2 IPsec main mode authentication list Windows IPsec policy netsh ipsec remove duplicate IPsec policy IPsec authentication list already exists Windows Server IPsec error fix IPsec policy conflict netsh command IPsec delete IPsec main mode rule