Affected versions: Windows Server 2022


Table of contents
  1. Symptom & Impact
  2. Environment & Reproduction
  3. Root Cause Analysis
  4. Quick Triage
  5. Step-by-Step Diagnosis
  6. Solution — Primary Fix
  7. Solution — Alternative Approaches
  8. Verification & Acceptance Criteria
  9. Rollback Plan
  10. Prevention & Hardening
  11. Related Errors & Cross-Refs
  12. References & Further Reading

Symptom & Impact

The IKEv2 site-to-site interface never reaches the Connected state (or drops immediately after connecting), so branch workloads cannot reach central services until the tunnel is up.

Environment & Reproduction

Windows Server 2022 build 20348 RRAS endpoint with custom IPsec settings.

Get-VpnS2SInterface
Get-NetIPsecMainModeSA
Get-NetIPsecQuickModeSA

Root Cause Analysis

The peer offers a different encryption algorithm, integrity/PRF algorithm, Diffie-Hellman group or PFS group than the RRAS interface policy, so no IKE SA (phase 1) or child SA (phase 2) proposal is common to both sides. On the RRAS side this typically surfaces as a policy match error on the interface; in the peer's IKEv2 logs it appears as NO_PROPOSAL_CHOSEN.

Quick Triage

Confirm the peer is reachable and that UDP 500 (IKE) and UDP 4500 (NAT-T) are not filtered on the path. Test-NetConnection -Port probes TCP only, so it cannot validate the UDP path; use it for ICMP reachability and confirm the UDP ports with the peer's firewall logs or a packet capture on both ends. IKE negotiation failures are recorded in the Security log (4653 main mode, 4654 quick mode, only when the IPsec audit subcategories are enabled) and RRAS interface events in the System log, not in the Application log.

Test-NetConnection -ComputerName <PeerPublicIP>   # ICMP reachability only; fill in the peer address
# Test-NetConnection -Port tests TCP, so "-Port 500" / "-Port 4500" says nothing about the UDP path IKE uses
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4653, 4654 } -MaxEvents 60
Get-WinEvent -LogName System -MaxEvents 60 | Where-Object { $_.ProviderName -match 'RemoteAccess|RasMan' }

Step-by-Step Diagnosis

Capture the IKEv2 proposal the RRAS interface actually offers and compare it field by field with the remote firewall configuration: cipher, integrity/PRF and DH group for the IKE SA, then ESP cipher, ESP integrity and PFS group for the child SA. Note that the Get-NetIPsec*CryptoSet cmdlets show Windows Defender Firewall connection security rule policy, which does not govern an RRAS site-to-site interface; what the peer sees is the interface's own custom policy, or the server-wide RRAS IPsec configuration when no custom policy is set.

Get-VpnS2SInterface -Name BranchA | Format-List EncryptionMethod, IntegrityCheckMethod, DHGroup, CipherTransformConstants, AuthenticationTransformConstants, PfsGroup
Get-VpnServerIPsecConfiguration   # server-wide defaults used by interfaces without a custom policy
Get-NetIPsecMainModeCryptoSet     # firewall connection security rule sets, listed only to rule out confusion with the RRAS policy
Get-NetIPsecQuickModeCryptoSet
[Screenshot placeholder: RRAS VPN and IKE diagnostics in PowerShell (illustrative mockup)]
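The comparison described above, written out as a script. This is an added example and not code from the original page: it compares the proposal the RRAS interface offers with the proposal the peer administrator reports (the `$peerProposal` values are a constructed sample), then summarises recent IKE negotiation failures. It assumes an interface named BranchA, that the VpnS2SInterface object exposes the policy under the same names as the Set-VpnS2SInterface parameters (confirm with `Get-VpnS2SInterface | Format-List *` on your build), and that the 4653/4654 event text uses the English "Failure Point:" / "Failure Reason:" layout.

```powershell
# Added example, not part of the original page. Assumes interface 'BranchA' and that
# VpnS2SInterface property names mirror the Set-VpnS2SInterface parameter names.
Import-Module RemoteAccess

$InterfaceName = 'BranchA'

# Peer proposal as transcribed from the remote firewall (constructed sample values).
$peerProposal = [ordered]@{
    EncryptionMethod                 = 'AES256'     # IKE SA cipher
    IntegrityCheckMethod             = 'SHA256'     # IKE SA integrity / PRF
    DHGroup                          = 'Group14'    # IKE SA Diffie-Hellman group
    CipherTransformConstants         = 'AES256'     # ESP cipher (child SA)
    AuthenticationTransformConstants = 'SHA256128'  # ESP integrity (child SA)
    PfsGroup                         = 'PFS2048'    # PFS group for child SA rekeys
}

function Compare-S2SProposal {
    param([string]$Name, [System.Collections.IDictionary]$Peer)
    $iface = Get-VpnS2SInterface -Name $Name -ErrorAction Stop
    foreach ($key in $Peer.Keys) {
        $local = [string]$iface.$key      # dynamic property lookup; empty string when not set
        [pscustomobject]@{
            Parameter = $key
            Local     = $local
            Peer      = $Peer[$key]
            Match     = ($local -eq [string]$Peer[$key])
        }
    }
}

function Get-IkeFailureSummary {
    param([int]$Last = 20)
    # 4653 = main mode (IKE SA) failed, 4654 = quick mode (child SA) failed. These are written
    # only when the 'IPsec Main Mode' / 'IPsec Quick Mode' audit subcategories are enabled.
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4653, 4654 } `
                           -MaxEvents $Last -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # Assumes the English event layout; the fields are pulled from the message text.
        $point  = if ($e.Message -match 'Failure Point:\s*(.+)')  { $Matches[1].Trim() } else { '?' }
        $reason = if ($e.Message -match 'Failure Reason:\s*(.+)') { $Matches[1].Trim() } else { '(see message)' }
        [pscustomobject]@{ Time = $e.TimeCreated; Id = $e.Id; FailurePoint = $point; Reason = $reason }
    }
}

$rows = Compare-S2SProposal -Name $InterfaceName -Peer $peerProposal
$rows | Format-Table -AutoSize

if ($rows | Where-Object { -not $_.Match }) {
    Write-Warning 'Proposal mismatch in the rows above; the peer answers NO_PROPOSAL_CHOSEN until both sides agree.'
}
if ($rows | Where-Object { $_.Local -eq '' }) {
    # Empty local values are taken to mean no per-interface custom policy, so the server-wide defaults apply.
    Write-Warning 'No per-interface policy values found; compare the peer against the server-wide configuration:'
    Get-VpnServerIPsecConfiguration | Format-List
}

Get-IkeFailureSummary | Format-Table -AutoSize
```

Run it in an elevated PowerShell session on the RRAS server (reading the Security log requires administrator rights). Any row with Match = False is a candidate cause; fix all of them, since IKEv2 needs a full proposal to match, not just the cipher.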

Solution — Primary Fix

Align the IKEv2 proposal on the RRAS interface with the peer (same cipher, integrity and DH group for the IKE SA; same ESP transforms and PFS group for the child SA) and then bounce the interface so a fresh negotiation uses the new policy. The per-interface policy is set with Set-VpnS2SInterface -CustomPolicy; the firewall crypto-set cmdlets do not apply to RRAS tunnels.

# Replace the PSK placeholder; do not leave the real secret in scripts or shell history
Set-VpnS2SInterface -Name BranchA -Protocol IKEv2 -AuthenticationMethod PSKOnly -SharedSecret 'UseSecureSecretHere' `
    -CustomPolicy -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 -DHGroup ECP256 `
    -CipherTransformConstants AES256 -AuthenticationTransformConstants SHA256128 -PfsGroup ECP256
Disconnect-VpnS2SInterface -Name BranchA -Force
Connect-VpnS2SInterface -Name BranchA
[Screenshot placeholder: IKE negotiation failure events in Event Viewer (illustrative mockup)]

Solution — Alternative Approaches

When the peer cannot be configured to the primary set, fall back to the strongest proposal both sides support. AES256 with SHA1 integrity and DH Group14 (2048-bit MODP; PFS2048 for the child SA) is accepted by nearly every IKEv2 implementation, but SHA1 is a compatibility concession, not a stronger baseline: prefer SHA256 wherever the peer offers it and record the exception for the peer that needs it.

Set-VpnS2SInterface -Name BranchA -CustomPolicy -EncryptionMethod AES256 -IntegrityCheckMethod SHA1 -DHGroup Group14 `
    -CipherTransformConstants AES256 -AuthenticationTransformConstants SHA196 -PfsGroup PFS2048
Disconnect-VpnS2SInterface -Name BranchA -Force; Connect-VpnS2SInterface -Name BranchA

Verification & Acceptance Criteria

The interface should report ConnectionState Connected, the live IKE SA should show the intended algorithms (a tunnel can be "connected" on an old SA that was negotiated with weaker parameters before the change), and branch prefixes should be reachable through the tunnel.

Get-VpnS2SInterface -Name BranchA
ping 10.40.1.10
Get-NetRoute -DestinationPrefix 10.40.0.0/16
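The acceptance checks above, combined into one function that returns a pass/fail object. This is an added example, not code from the original page. It assumes the BranchA interface, branch host 10.40.1.10 and prefix 10.40.0.0/16 used on this page, that the VpnS2SInterface object exposes ConnectionState and Destination, and that the live IKE SA is visible through Get-NetIPsecMainModeSA with RemoteEndpoint, CipherAlgorithm and HashAlgorithm properties (confirm with `Get-NetIPsecMainModeSA | Format-List *` on your build).

```powershell
# Added example, not part of the original page. Property names on the SA object are assumed
# as noted in the lead-in; adjust them if Format-List * shows different names.
Import-Module RemoteAccess
Import-Module NetSecurity

function Test-S2STunnel {
    param(
        [string]$InterfaceName  = 'BranchA',
        [string]$BranchHost     = '10.40.1.10',
        [string]$BranchPrefix   = '10.40.0.0/16',
        # Algorithms the tunnel is expected to have negotiated after the fix.
        [string]$ExpectedCipher = 'AES256',
        [string]$ExpectedHash   = 'SHA256'
    )
    $iface     = Get-VpnS2SInterface -Name $InterfaceName -ErrorAction Stop
    $connected = ($iface.ConnectionState -eq 'Connected')

    # Find the IKE SA for this peer by remote endpoint and read what was actually negotiated;
    # "Connected" alone does not prove the new policy is in effect.
    $peerIp = [string]($iface.Destination | Select-Object -First 1)
    $sa = Get-NetIPsecMainModeSA -ErrorAction SilentlyContinue |
          Where-Object { $_.RemoteEndpoint -eq $peerIp } |
          Select-Object -First 1

    $reachable = Test-Connection -ComputerName $BranchHost -Count 2 -Quiet -ErrorAction SilentlyContinue
    $route     = Get-NetRoute -DestinationPrefix $BranchPrefix -ErrorAction SilentlyContinue

    $algorithmsOk = ($null -ne $sa -and
                     $sa.CipherAlgorithm -eq $ExpectedCipher -and
                     $sa.HashAlgorithm   -eq $ExpectedHash)

    [pscustomobject]@{
        Interface            = $InterfaceName
        Connected            = $connected
        IkeSaPresent         = ($null -ne $sa)
        NegotiatedCipher     = $sa.CipherAlgorithm
        NegotiatedHash       = $sa.HashAlgorithm
        AlgorithmsAsExpected = $algorithmsOk
        RoutePresent         = ($null -ne $route)
        HostReachable        = [bool]$reachable
        Pass                 = ($connected -and $algorithmsOk -and ($null -ne $route) -and [bool]$reachable)
    }
}

Test-S2STunnel | Format-List
```

Treat Pass = True as the acceptance criterion. If Connected is True but AlgorithmsAsExpected is False, the interface is still running on an SA negotiated before the policy change; disconnect and reconnect it and re-run the check.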

Rollback Plan

If the new policy breaks interoperability (for example because the peer accepted the old set and not the new one), reapply the values recorded before the change and bounce the interface. A per-interface custom policy only affects that peer; other tunnels are impacted only if the server-wide Set-VpnServerIPsecConfiguration was changed instead. The line below restores the previous example values from this page (AES128/SHA1/Group14); substitute the ESP transforms and PFS group you recorded.

Set-VpnS2SInterface -Name BranchA -CustomPolicy -EncryptionMethod AES128 -IntegrityCheckMethod SHA1 -DHGroup Group14 -PfsGroup PFS2048
Disconnect-VpnS2SInterface -Name BranchA -Force; Connect-VpnS2SInterface -Name BranchA

Prevention & Hardening

Document the agreed IKEv2 policy per peer (IKE SA cipher, integrity and DH group; ESP transforms; PFS group; lifetimes) and re-validate every tunnel after firmware or OS upgrades on either end, since vendors periodically drop legacy algorithms or change defaults. Keep the pre-shared key out of the exported record.

Get-VpnS2SInterface | Export-Csv C:\Temp\vpn-s2s.csv -NoTypeInformation
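One way to make the "validate after upgrades" step repeatable: save the per-peer policy as a JSON baseline while the tunnels are known good, then diff the live configuration against it after a firmware or Windows update. This is an added example and not code from the original page. It assumes C:\Temp exists, that the PSK is not among the exported properties (it is deliberately left out of the list), and that the VpnS2SInterface object exposes the policy properties named in $PolicyProps.

```powershell
# Added example, not part of the original page. Assumes C:\Temp exists and the property names
# below are present on VpnS2SInterface (confirm with Get-VpnS2SInterface | Format-List *).
Import-Module RemoteAccess

$BaselinePath = 'C:\Temp\s2s-ipsec-baseline.json'
# Policy-relevant properties only; the shared secret is intentionally not part of the baseline.
$PolicyProps  = 'Name', 'Destination', 'Protocol', 'AuthenticationMethod',
                'EncryptionMethod', 'IntegrityCheckMethod', 'DHGroup',
                'CipherTransformConstants', 'AuthenticationTransformConstants', 'PfsGroup'

function Get-S2SPolicySnapshot {
    # One flat record per interface; array-valued properties (Destination) are joined for stable comparison.
    Get-VpnS2SInterface | ForEach-Object {
        $row = [ordered]@{}
        foreach ($p in $PolicyProps) {
            $v = $_.$p
            $row[$p] = if ($v -is [array]) { $v -join ',' } else { [string]$v }
        }
        [pscustomobject]$row
    }
}

function Save-S2SPolicyBaseline {
    # Run once while every tunnel is in a known-good state.
    Get-S2SPolicySnapshot | ConvertTo-Json -Depth 3 | Set-Content -Path $BaselinePath -Encoding UTF8
}

function Test-S2SPolicyDrift {
    # Returns one object per (interface, property) that differs from the baseline; no output means no drift.
    $baseline = Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json
    $live     = Get-S2SPolicySnapshot
    foreach ($b in @($baseline)) {
        $l = $live | Where-Object Name -eq $b.Name
        if (-not $l) {
            [pscustomobject]@{ Interface = $b.Name; Property = '(interface)'; Baseline = 'present'; Live = 'missing' }
            continue
        }
        foreach ($p in $PolicyProps) {
            if ([string]$b.$p -ne [string]$l.$p) {
                [pscustomobject]@{ Interface = $b.Name; Property = $p; Baseline = $b.$p; Live = $l.$p }
            }
        }
    }
}

# Usage:
#   Save-S2SPolicyBaseline                          # after the tunnels are verified good
#   Test-S2SPolicyDrift | Format-Table -AutoSize    # after an upgrade on either end
```

Drift on the RRAS side shows up here; drift on the peer side does not, so pair this with the acceptance check from the Verification section after each upgrade and keep the peer's exported configuration alongside the JSON file.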

Related Errors & Cross-Refs

Failure modes with similar symptoms: NAT-T (UDP 4500) not passing through an intermediate NAT, MTU and fragmentation problems that let IKE complete but break ESP traffic, and certificate chain failures when the peer uses certificate rather than PSK authentication.


References & Further Reading

Microsoft Learn RRAS site-to-site VPN and IPsec cryptographic suite planning.
