Point-To-Site VPN client Connection Manager needs elevated privilege - Policy Match error 13868

Question

Point-To-Site VPN client Connection Manager needs elevated privilege - Policy Match error 13868

Salam ELIAS 302

I have created a Virtual WAN then a hub point-to-site with server configuration using certificate. I downloaded the "Virtual Hub User VPN profile" to my laptop where client certificate is setup, ran VpnClientSetupAmd64.exe then go to VPN settings I see the VPN connection created. I click to connect I get the following 2 messages

User's image

I click on continue I get

User's image

Not really sure how to run this as admin and which policy is erroring. Thanks for your help.

Praveen Bandaru 11,555 Reputation points Microsoft External Staff Moderator

2025-09-16T19:32:07.2833333+00:00
Hello Salam ELIAS
I see that you're experiencing issues connecting to your Point-To-Site VPN, specifically due to a "Policy Match error 13868" and the need for elevated privileges.

Error 13868 (Policy Match Error) occurs when there is a mismatch in IPsec/IKE policies between your client and the Azure VPN gateway while connecting to your Azure Point-to-Site VPN.

As outlined in Microsoft's documentation, Error 13868 (ERROR_IPSEC_IKE_POLICY_MATCH) is triggered if.

The IKE/IPsec policy on your client does not match the one set on the Azure VPN gateway.

Ensure you are running the VPN client as an administrator by right-clicking the shortcut and selecting "Run as administrator."

Please make sure the certificates are installed properly. Verify that AzureClient.pfx is present in Current User/Personal/Certificates and AzureRoot.cer is located in Local Computer/Trusted Root Certification Authorities.

If you are using custom IPsec/IKE policies. Make sure that the encryption, integrity, DH group, and SA lifetimes are configured identically on both Azure and the client. If you are using the default policy, consider removing any custom settings from the client side.

Reinstall the VPN client once you’ve checked the certificate and policy settings. If you’re using IKEv2, make sure your Windows version is compatible and updated as needed.

Check the below public document for more understanding:

Troubleshooting: Azure site-to-site VPN error codes

Troubleshooting: Azure point-to-site connection problems

Hope the above answer helps! Please let us know do you have any further queries.

Please do consider to “up-vote” wherever the information provided helps you, this can be beneficial to other community members.
Salam ELIAS 302 Reputation points

2025-09-16T20:03:14.3233333+00:00

Praveen, you say "Ensure you are running the VPN client as an administrator by right-clicking the shortcut and selecting "Run as administrator." where is this shortcut? I can only see the link to connection in VPN settings with noo possibility to run as admin
Salam ELIAS 302 Reputation points

2025-09-18T08:47:17.12+00:00

This exactly the steps I followed, as I said in the private messages, connection is established but cant connect to anything
Salam ELIAS 302 Reputation points

2025-09-18T08:48:41.62+00:00

Praveen, I followed instructions at the url you indicated https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-certificates-point-to-site when I created the VPN config 2 days ago
Salam ELIAS 302 Reputation points

2025-09-18T08:49:05.6+00:00

Did you see my messages and images in the private zone?
Praveen Bandaru 11,555 Reputation points Microsoft External Staff Moderator

2025-09-18T09:04:39.82+00:00

Hello Salam ELIAS

Please check private messages and use the meeting link to join the call.

Answer accepted by question author

0 additional answers

Your answer

Praveen Bandaru 11,555 Reputation points Microsoft External Staff Moderator

2025-09-16T19:32:07.2833333+00:00

Hello Salam ELIAS
I see that you're experiencing issues connecting to your Point-To-Site VPN, specifically due to a "Policy Match error 13868" and the need for elevated privileges.

Error 13868 (Policy Match Error) occurs when there is a mismatch in IPsec/IKE policies between your client and the Azure VPN gateway while connecting to your Azure Point-to-Site VPN.

As outlined in Microsoft's documentation, Error 13868 (ERROR_IPSEC_IKE_POLICY_MATCH) is triggered if.

The IKE/IPsec policy on your client does not match the one set on the Azure VPN gateway.

Ensure you are running the VPN client as an administrator by right-clicking the shortcut and selecting "Run as administrator."

Please make sure the certificates are installed properly. Verify that AzureClient.pfx is present in Current User/Personal/Certificates and AzureRoot.cer is located in Local Computer/Trusted Root Certification Authorities.

If you are using custom IPsec/IKE policies. Make sure that the encryption, integrity, DH group, and SA lifetimes are configured identically on both Azure and the client. If you are using the default policy, consider removing any custom settings from the client side.

Reinstall the VPN client once you’ve checked the certificate and policy settings. If you’re using IKEv2, make sure your Windows version is compatible and updated as needed.

Check the below public document for more understanding:

Troubleshooting: Azure site-to-site VPN error codes

Troubleshooting: Azure point-to-site connection problems

Hope the above answer helps! Please let us know do you have any further queries.

Please do consider to “up-vote” wherever the information provided helps you, this can be beneficial to other community members.
Salam ELIAS 302 Reputation points

2025-09-16T20:03:14.3233333+00:00

Praveen, you say "Ensure you are running the VPN client as an administrator by right-clicking the shortcut and selecting "Run as administrator." where is this shortcut? I can only see the link to connection in VPN settings with noo possibility to run as admin
Salam ELIAS 302 Reputation points

2025-09-18T08:47:17.12+00:00

This exactly the steps I followed, as I said in the private messages, connection is established but cant connect to anything
Salam ELIAS 302 Reputation points

2025-09-18T08:48:41.62+00:00

Praveen, I followed instructions at the url you indicated https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-certificates-point-to-site when I created the VPN config 2 days ago
Salam ELIAS 302 Reputation points

2025-09-18T08:49:05.6+00:00

Did you see my messages and images in the private zone?
Praveen Bandaru 11,555 Reputation points Microsoft External Staff Moderator

2025-09-18T09:04:39.82+00:00

Hello Salam ELIAS

Please check private messages and use the meeting link to join the call.

Answer 1

Hello Salam ELIAS

If you are using certificate authentication, please ensure the client certificate is properly installed on your local machine and that the root certificate is correctly uploaded in the Azure portal configuration.

For testing, remove the certificate from your local machine, then reinstall the client certificate. Delete the existing VPN client file and the old client certificate from your local machine, download a new VPN client file, install it, and test the setup. Let us know the results.

Additionally, these certificates should be included in the Microsoft trusted CA authority list. Please check the below public document:

https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-certificates-point-to-site

Hope the above answer helps! Please let us know do you have any further queries.

Please do consider accepting answer and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.

Share via

Point-To-Site VPN client Connection Manager needs elevated privilege - Policy Match error 13868

0 additional answers

Your answer