Fix STATUS_FWP_INCOMPATIBLE_AUTH_CONFIG (0xC0220038)
An IPsec authentication configuration that the Windows Filtering Platform rejects stops the connection security rule from taking effect, and the traffic that rule was meant to protect fails. Check the Windows Firewall connection security rules for authentication settings that do not fit the method they name, then fix or delete the offending rule so every rule carries a consistent, supported combination.
Quick answer
Find the connection security rule whose authentication settings do not fit the authentication method it names (a certificate method with no CA, a preshared key with an empty key, a preshared key paired with a second authentication, a computer Kerberos or preshared key used as the second authentication) and fix or delete it. Run netsh advfirewall consec show rule name=all verbose to list every rule with its Auth1 and Auth2 settings.
Why this happens
This status means the Windows Filtering Platform rejected an IPsec connection security rule because the details of one of its authentication proposals do not fit the authentication method the proposal names. The combinations to look for are the ones the firewall console and netsh refuse to create but a policy import or a third-party product can still write into the store: a certificate method (computercert or its ECDSA variants) with no certificate authority behind it, a preshared key with an empty key, a preshared key as the first authentication together with any second authentication (preshared keys are IKEv1-only, while second authentication needs AuthIP), or a computer Kerberos, computer NTLM or preshared key proposal placed in the second authentication, where AuthIP permits only user methods and computer certificates. Two overlapping rules that demand different methods for the same traffic, preshared key in one and machine certificate in the other, give you the same broken connections and are found the same way. I've seen this most often on Windows Server 2019 after someone bulk-imports firewall rules from a different system. It also pops up on Windows 10/11 when someone uses third-party VPN software that creates conflicting IPsec rules.
The code itself belongs to the Windows Filtering Platform (WFP): it is the NTSTATUS form (0xC022xxxx) of the WFP error family that user-mode callers see as FWP_E_ HRESULTs (0x8032xxxx), and its message text reads "The IPsec authentication configuration is not compatible with the authentication type." WFP validates each IPsec policy when the policy is built and provisioned, not at the moment a peer connects. A rule that fails validation is not applied, so the traffic it was supposed to secure either fails outright or falls through to whatever other rule matches. The connection failure you notice is the symptom; the rejected rule is the cause.
Fix steps
Step 1: Identify the bad rule
Open an elevated PowerShell or Command Prompt and run:
```
netsh advfirewall consec show rule name=all verbose
```

Read each rule's Auth1 and Auth2 lines together with its CA lines (Auth1CAName, Auth2CAName) and its MainModeSecMethods and QuickModeSecMethods lines. The suspect is a rule carrying a combination the firewall console would not let you build: a certificate method with no CA name, a preshared key in Auth1 alongside any Auth2 method, a computer Kerberos, computer NTLM or preshared key method in Auth2, or a security method you do not recognise from the console. That rule is your problem.
Here's a quick mapping of the netsh authentication keywords and where each is valid:
| Keyword | Meaning | Valid in |
|---|---|---|
| computerkerb | Computer (Kerberos V5) | Auth1 |
| computercert, computercertecdsap256, computercertecdsap384 | Computer certificate (RSA, ECDSA P-256, ECDSA P-384); needs a CA (auth1ca / auth2ca) | Auth1, Auth2 |
| computerpsk | Preshared key (IKEv1 only; cannot be combined with Auth2) | Auth1 |
| computerntlm | Computer (NTLMv2), AuthIP only | Auth1 |
| userkerb, usercert, userntlm | User (Kerberos V5, certificate, NTLMv2), AuthIP only | Auth2 |
| anonymous | No authentication | Auth1, Auth2 |
| none | No second authentication | Auth2 |
Step 2: Fix the rule
You've got three options:
- Delete the rule if it's not needed:

```
netsh advfirewall consec delete rule name="Your Rule Name"
```

- Reset the rule's authentication to a method whose settings are complete. For example, to set the first authentication to computer Kerberos:

```
netsh advfirewall consec set rule name="Your Rule Name" new auth1=computerkerb
```

If you choose a certificate method instead, supply the CA with auth1ca in the same command; a preshared key needs auth1psk and cannot be combined with auth2.
- Disable the rule temporarily while you work out what it should be:

```
netsh advfirewall consec set rule name="Your Rule Name" new enable=no
```
Step 3: Verify the fix
Run the same verbose command again and confirm the rule's Auth1, Auth2 and CA settings are now a combination the console itself would accept. Then confirm the rule is actually active with netsh advfirewall monitor show consec, which lists only the connection security rules currently in force; a rule that fails validation never appears there. If the rule is listed and your connection works, you're good. If not, move to the alternative fixes. The Windows Firewall With Advanced Security ConnectionSecurity log under Applications and Services Logs in Event Viewer records rule and IPsec negotiation failures and is the quickest way to tell which rule is being rejected.
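The three steps above, as one script. This is an added example, not code from the original article: it walks every connection security rule, resolves the Phase 1 and Phase 2 authentication sets behind it with the NetSecurity cmdlets, flags the combinations the console would refuse (user method or CA-less certificate in the first authentication, empty preshared key, preshared key paired with a second authentication, computer Kerberos/NTLM or preshared key in the second authentication, a set the rule points at that no longer exists), and then repairs one rule by giving it a single Kerberos proposal. The rule name "Domain Isolation" and the auth set name "Kerberos-Only" are hypothetical; the AuthenticationMethod values it matches on (MachineKerberos, MachineCert, PreSharedKey, User*) are the names Get-NetIPsecAuthProposal reports, and the CA property is read as AuthorityName with Authority as a fallback.

```powershell
# Added example, not code from the original article: audit every connection security
# rule for authentication settings the firewall cannot provision, then repair one.
# Hypothetical names: rule "Domain Isolation", new auth set "Kerberos-Only".
# Needs an elevated PowerShell with the NetSecurity module (Windows 8 / Server 2012 or later).

function Get-IPsecAuthFinding {
    [CmdletBinding()]
    param(
        # ActiveStore includes rules delivered by Group Policy; PersistentStore is local only.
        [ValidateSet('ActiveStore', 'PersistentStore')]
        [string]$PolicyStore = 'ActiveStore'
    )

    foreach ($rule in Get-NetIPsecRule -PolicyStore $PolicyStore) {
        $problems = @()
        $p1 = @(); $p2 = @()

        # Resolve the proposals behind the rule's first (Phase 1) and second (Phase 2) auth sets.
        if ($rule.Phase1AuthSet) {
            $set = Get-NetIPsecPhase1AuthSet -Name $rule.Phase1AuthSet -PolicyStore $PolicyStore -ErrorAction SilentlyContinue
            if ($set) { $p1 = @($set | Get-NetIPsecAuthProposal) }
            else { $problems += "Phase1AuthSet '$($rule.Phase1AuthSet)' cannot be resolved" }
        }
        if ($rule.Phase2AuthSet) {
            $set = Get-NetIPsecPhase2AuthSet -Name $rule.Phase2AuthSet -PolicyStore $PolicyStore -ErrorAction SilentlyContinue
            if ($set) { $p2 = @($set | Get-NetIPsecAuthProposal) }
        }

        # First authentication: computer methods only; certificates need a CA, preshared keys need a key.
        foreach ($p in $p1) {
            $m = [string]$p.AuthenticationMethod
            if ($m -like 'User*') { $problems += "first authentication uses a user method ($m)" }
            if ($m -like '*Cert*' -and -not ($p.AuthorityName -or $p.Authority)) {
                $problems += "certificate method $m has no certificate authority"
            }
            if ($m -like 'PreShared*' -and -not $p.PreSharedKey) { $problems += 'preshared key is empty' }
        }
        # Second authentication runs over AuthIP only: user methods or a computer certificate.
        foreach ($p in $p2) {
            $m = [string]$p.AuthenticationMethod
            if ($m -like 'PreShared*' -or ($m -like 'Machine*' -and $m -notlike '*Cert*')) {
                $problems += "second authentication uses $m, which AuthIP does not allow there"
            }
        }
        # A preshared key is IKEv1-only and cannot be paired with a second authentication.
        $hasPsk = $p1 | Where-Object { [string]$_.AuthenticationMethod -like 'PreShared*' }
        if ($hasPsk -and $p2.Count -gt 0) {
            $problems += 'preshared key combined with a second authentication'
        }

        if ($problems.Count -gt 0) {
            [pscustomobject]@{
                Rule          = $rule.DisplayName
                Phase1AuthSet = $rule.Phase1AuthSet
                Phase2AuthSet = $rule.Phase2AuthSet
                Problems      = ($problems -join '; ')
            }
        }
    }
}

function Repair-IPsecRuleAuth {
    # Step 2 in cmdlet form: give the rule a fresh Phase 1 set holding one Kerberos proposal.
    param(
        [Parameter(Mandatory)][string]$RuleDisplayName,
        [string]$AuthSetDisplayName = 'Kerberos-Only'   # hypothetical name
    )
    $kerb = New-NetIPsecAuthProposal -Machine -Kerberos
    $set  = New-NetIPsecPhase1AuthSet -DisplayName $AuthSetDisplayName -Proposal $kerb
    Set-NetIPsecRule -DisplayName $RuleDisplayName -Phase1AuthSet $set.Name
    # Any second authentication set on the rule is left as it was; clear it with
    # netsh advfirewall consec set rule name="<rule>" new auth2=none if it is not wanted.
}

# Audit first; repair only the rule the audit names.
Get-IPsecAuthFinding | Format-Table -AutoSize
# Repair-IPsecRuleAuth -RuleDisplayName 'Domain Isolation'
```

Run the audit against ActiveStore when the machine takes firewall policy from Group Policy, because a rule rejected on this host may have been authored on a different build and will not be in the local PersistentStore at all; in that case the fix belongs in the GPO, not on the host.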
Alternative fixes if step 2 fails
Check for duplicate rules
Use PowerShell to list every rule with its authentication sets, sorted so rules that point at different sets for the same traffic sit next to each other:

```powershell
Get-NetIPsecRule | Sort-Object Phase1AuthSet, DisplayName |
    Format-Table DisplayName, Mode, InboundSecurity, OutboundSecurity, Phase1AuthSet, Phase2AuthSet -AutoSize
```

Two rules sharing one Phase1AuthSet is normal and harmless. The conflict is two rules that cover the same endpoints but name different Phase1AuthSet values, for example a preshared-key set in one and a certificate set in the other; the imported or third-party rule is usually the one to drop. Remove it with Remove-NetIPsecRule -DisplayName "Your Rule Name".
Reset Windows Firewall (last resort)
If nothing else works, reset the firewall to its defaults:

```
netsh advfirewall reset
```

Be careful: this removes every custom rule, connection security rules included. Back the rule set up first with netsh advfirewall export "C:\backup.wfw". Then re-create only the rules you need rather than importing the whole file back with netsh advfirewall import, or the rule that caused the error comes straight back with it.
Prevention tip
Never mix authentication types in the same rule group. If you use Kerberos on your domain-joined machines, stick with it. Don't add a preshared key rule for the same subnet unless you disable the old one. I always create separate connection security rule groups for different auth methods—one for Kerberos, one for certificates, one for preshared keys. Label them clearly in the firewall console so the next admin doesn't curse your name.