Windows Event ID 4960 – Microsoft-Windows-Security-Auditing: IPsec Main Mode Authentication Failed

Event ID 4960 indicates IPsec Main Mode authentication failed during IKE negotiation. This security audit event fires when Windows cannot establish secure IPsec tunnels due to authentication issues.

Emanuel DE ALMEIDA
18 March 2026, 12 min read

What This Event Means

Windows Event ID 4960 represents a security audit event generated by the Microsoft-Windows-Security-Auditing provider when IPsec Main Mode authentication fails. This event occurs during the initial phase of IPsec tunnel establishment, specifically when two peers attempt to authenticate each other using Internet Key Exchange (IKE) protocol.

The Main Mode authentication process involves several steps: identity verification, certificate validation (if using certificates), pre-shared key verification (if using PSK), or Kerberos authentication (in domain environments). When any of these steps fail, Windows logs Event ID 4960 with specific details about the failure reason, authentication method attempted, and network endpoints involved.

This event is particularly important in enterprise environments where IPsec policies enforce secure communications between systems. Failed authentication attempts could indicate misconfigured policies, expired certificates, network attacks, or legitimate systems with incorrect credentials. The event provides forensic value for security investigations and helps administrators maintain IPsec infrastructure health.

In Windows Server 2025 and Windows 11 24H2, enhanced logging provides additional context about certificate chain validation failures and improved error codes for troubleshooting. The event integrates with Windows Defender Advanced Threat Protection (ATP) for automated threat detection when unusual patterns of authentication failures occur.

Applies to

Windows 10, Windows 11, Windows Server 2019/2022/2025


Possible Causes

  • Certificate validation failures due to expired, revoked, or untrusted certificates
  • Pre-shared key mismatches between IPsec peers
  • Kerberos authentication failures in domain-joined environments
  • IPsec policy configuration mismatches between endpoints
  • Network connectivity issues preventing proper IKE negotiation
  • Firewall blocking required IPsec ports (UDP 500, UDP 4500)
  • Time synchronization issues affecting certificate validity
  • Certificate Authority (CA) unavailability for certificate validation
  • Incorrect authentication method configuration in IPsec policies
  • DNS resolution problems preventing peer identification

Troubleshooting Steps

01. Check Event Details and Basic IPsec Status

Start by examining the event details and verifying basic IPsec functionality:

  1. Open Event Viewer → Windows Logs → Security
  2. Filter for Event ID 4960 using this PowerShell command:
     Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4960} -MaxEvents 20 | Format-Table TimeCreated, Id, LevelDisplayName, Message -Wrap
  3. Examine the event details for source/destination IPs and failure reason
  4. Check current IPsec status:
     netsh ipsec static show all
     Get-NetIPsecMainModeSA
     Get-NetIPsecQuickModeSA
  5. Verify IPsec services are running:
     Get-Service -Name PolicyAgent, IKEEXT | Format-Table Name, Status, StartType

Pro tip: Event 4960 often occurs in pairs; check both source and destination systems for complete troubleshooting context.
02. Verify Certificate Configuration and Validity

Certificate-related authentication failures are common causes of Event ID 4960:

  1. Check computer certificates used for IPsec authentication:
     Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {$_.EnhancedKeyUsageList -like '*IP security*'} | Format-List Subject, NotAfter, Thumbprint
  2. Verify certificate chain and trust (replace YourComputerName with the subject of the IPsec certificate; Select-Object -First 1 prevents several matching certificates from being passed to Build, and a failed build prints the reason from ChainStatus):
     $cert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {$_.Subject -like '*YourComputerName*'} | Select-Object -First 1
     $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
     $chain.ChainPolicy.RevocationMode = 'Online'   # also exercise CRL/OCSP checking, as IKE does
     if (-not $chain.Build($cert)) { $chain.ChainStatus | Format-Table Status, StatusInformation -Wrap }
  3. Check Certificate Revocation List (CRL) accessibility:
     certlm.msc
  4. Navigate to Personal → Certificates, double-click the IPsec certificate
  5. Go to Details tab → CRL Distribution Points and verify URLs are accessible
  6. Test that the CA's web endpoints (CRL/AIA distribution points) are reachable:
     Test-NetConnection -ComputerName your-ca-server -Port 80
     Test-NetConnection -ComputerName your-ca-server -Port 443
Warning: Expired or revoked certificates will cause consistent authentication failures. Always check certificate validity dates and revocation status.
03. Analyze IPsec Policy Configuration

Examine IPsec policies for configuration mismatches that cause authentication failures:

  1. Display current IPsec policies:
     Get-NetIPsecMainModeRule | Format-Table DisplayName, Enabled, PrimaryStatus
     Get-NetIPsecRule | Format-Table DisplayName, Enabled, Direction
  2. Check authentication methods configured (Get-NetIPsecAuthProposal takes a phase 1 authentication set, not a main mode rule, so the rule is resolved to its set first):
     Get-NetIPsecMainModeRule | Get-NetIPsecPhase1AuthSet | Get-NetIPsecAuthProposal | Format-Table
  3. Verify pre-shared keys (if used) match between peers:
     netsh ipsec static show policy name="YourPolicyName"
  4. Open Windows Defender Firewall with Advanced Security
  5. Navigate to Connection Security Rules and verify authentication settings
  6. Check for conflicting policies:
     Get-NetIPsecRule | Where-Object {$_.Enabled -eq $true} | Group-Object Direction | Format-Table Count, Name
  7. Export current IPsec configuration for analysis:
     netsh ipsec static exportpolicy file="C:\temp\ipsec_policy.ipsec"
Pro tip: Use Group Policy Management Console to verify domain-level IPsec policies aren't conflicting with local configurations.
04. Enable Advanced IPsec Logging and Network Tracing

Enable detailed logging to capture comprehensive IPsec negotiation data:

  1. Enable IPsec audit logging:
     auditpol /set /subcategory:"IPsec Main Mode" /success:enable /failure:enable
     auditpol /set /subcategory:"IPsec Quick Mode" /success:enable /failure:enable
     auditpol /set /subcategory:"IPsec Extended Mode" /success:enable /failure:enable
  2. Enable IKE/AuthIP logging:
     netsh wfp set options keywords=IKEV1+IKEV2+AUTHIP
  3. Start network packet capture for detailed analysis:
     netsh trace start capture=yes provider=Microsoft-Windows-WFP tracefile=C:\temp\ipsec_trace.etl
  4. Reproduce the authentication failure, then stop tracing:
     netsh trace stop
  5. Analyze IPsec logs in Event Viewer: navigate to Applications and Services Logs → Microsoft → Windows → WFP
  6. Check for additional events: 4650, 4651, 4962, 4963
  7. Open the .etl file directly in Microsoft Network Monitor, or convert it to text for review. netsh trace convert writes TXT, XML or EVTX output, not a packet capture, so a separate converter such as etl2pcapng is needed to produce a file Wireshark can open:
     netsh trace convert input=C:\temp\ipsec_trace.etl output=C:\temp\ipsec_trace.txt
Warning: Advanced logging generates significant data. Disable detailed logging after troubleshooting to prevent performance impact.
05. Troubleshoot Network Connectivity and Time Synchronization

Address underlying network issues that prevent successful IPsec authentication:

  1. Test basic connectivity to the IPsec peer. Test-NetConnection -Port performs a TCP probe only, so a failure shows the host is unreachable or filtering, but success does not prove that UDP 500/4500 are open:
     Test-NetConnection -ComputerName target-server -Port 500
     Test-NetConnection -ComputerName target-server -Port 4500
  2. Verify time synchronization (critical for certificate validation):
     w32tm /query /status
     w32tm /resync /force
  3. Check DNS resolution for peer identification:
     nslookup target-server
     Resolve-DnsName target-server -Type A
  4. Test certificate authority accessibility:
     Test-NetConnection -ComputerName your-ca-server -Port 135
     certutil -ping your-ca-server
  5. Verify Windows Firewall isn't blocking IPsec traffic:
     Get-NetFirewallRule | Where-Object {$_.DisplayName -like '*IPsec*' -or $_.DisplayName -like '*IKE*'} | Format-Table DisplayName, Enabled, Direction
  6. Check for NAT-T (Network Address Translation Traversal) issues:
     netsh interface ipv4 show global
  7. Reset IPsec policies if configuration corruption is suspected. netsh ipsec static has no "restore policy" verb; importpolicy loads a previously exported policy file, and advfirewall reset returns firewall and connection security rules to their defaults, so take an export first (see Method 03):
     netsh ipsec static importpolicy file="C:\Windows\System32\ipsecpols.bak"
     netsh advfirewall reset
Pro tip: Time skew greater than 5 minutes between peers will cause certificate validation failures. Always verify time synchronization first.

Overview

Event ID 4960 fires when IPsec Main Mode authentication fails during Internet Key Exchange (IKE) negotiations. This security audit event appears in the Security log whenever Windows attempts to establish an IPsec connection but cannot complete the authentication phase. The event occurs during the first phase of IPsec tunnel establishment, where peers authenticate each other before negotiating security associations.

This event is critical for network security monitoring as it indicates potential configuration issues, certificate problems, or unauthorized connection attempts. Windows generates this event on both client and server systems participating in IPsec communications. The event contains detailed information about the failed authentication attempt, including source and destination IP addresses, authentication methods attempted, and failure reasons.

IPsec Main Mode authentication can fail due to certificate validation issues, pre-shared key mismatches, Kerberos authentication problems, or network connectivity issues. Understanding this event helps administrators troubleshoot VPN connections, site-to-site tunnels, and DirectAccess implementations that rely on IPsec for secure communications.

Frequently Asked Questions

What does Event ID 4960 mean and when does it occur?
Event ID 4960 indicates that IPsec Main Mode authentication failed during IKE (Internet Key Exchange) negotiation. This event occurs when two systems attempt to establish a secure IPsec tunnel but cannot successfully authenticate each other during the first phase of the connection process. The event appears in the Security log on both systems involved in the failed authentication attempt and provides details about the failure reason, authentication method used, and network endpoints involved.
How do I determine why IPsec Main Mode authentication is failing?
To determine the cause of authentication failures, examine the Event ID 4960 details for specific error codes and failure reasons. Common causes include certificate validation failures (check certificate expiration and trust chain), pre-shared key mismatches (verify PSK configuration on both peers), Kerberos authentication issues (check domain trust and time synchronization), and network connectivity problems (test UDP ports 500 and 4500). Use the PowerShell command 'Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4960}' to retrieve recent events and analyze the failure patterns.
Can Event ID 4960 indicate a security attack or just configuration issues?
Event ID 4960 can indicate both legitimate configuration issues and potential security attacks. Legitimate causes include misconfigured IPsec policies, expired certificates, or network connectivity problems. However, repeated authentication failures from unknown IP addresses, attempts using invalid certificates, or patterns suggesting brute-force attacks should be investigated as potential security threats. Monitor for unusual frequency of these events, authentication attempts from unexpected sources, or failures occurring outside normal business hours to identify potential attacks.
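As an added example (not code from the article), the following PowerShell script builds on the Get-WinEvent filter from Method 01 and the monitoring advice in this answer: it flattens each 4960 event's EventData fields, summarises failures per peer with first/last seen and the most frequent failure reason, and warns when one peer exceeds a threshold inside a time window. The EventData field names RemoteAddress and FailureReason are assumptions; the script prints the field names it actually finds so the real ones can be passed as parameters.

```powershell
# Added example, not from the original article: triage Event ID 4960 by peer.
# EventData field names vary; the defaults below are assumptions. Run once, read
# the "Fields found" line, and pass the real names via -PeerField/-ReasonField.
param(
    [int]$MaxEvents = 500,          # how many recent 4960 events to pull
    [int]$WindowMinutes = 10,       # burst detection window
    [int]$Threshold = 20,           # failures per peer inside the window that trigger a warning
    [string]$PeerField = 'RemoteAddress',   # assumed EventData field holding the peer address
    [string]$ReasonField = 'FailureReason'  # assumed EventData field holding the failure text
)

$events = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4960} `
    -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
if (-not $events) { Write-Host 'No Event ID 4960 entries found.'; return }

# Flatten each event's <EventData><Data Name="...">value</Data> elements into one object.
$rows = foreach ($e in $events) {
    $xml = [xml]$e.ToXml()
    $props = [ordered]@{ TimeCreated = $e.TimeCreated }
    foreach ($d in $xml.Event.EventData.Data) {
        if ($d.Name) { $props[$d.Name] = $d.'#text' }
    }
    [pscustomobject]$props
}
Write-Host ('Fields found: ' + (($rows | Select-Object -First 1).PSObject.Properties.Name -join ', '))

# Per-peer summary: count, first/last seen, most frequent failure reason.
$summary = $rows | Group-Object -Property $PeerField | ForEach-Object {
    $sorted = @($_.Group | Sort-Object TimeCreated)
    $topReason = $_.Group | Group-Object -Property $ReasonField |
        Sort-Object Count -Descending | Select-Object -First 1
    [pscustomobject]@{
        Peer      = $_.Name
        Failures  = $_.Count
        FirstSeen = $sorted[0].TimeCreated
        LastSeen  = $sorted[-1].TimeCreated
        TopReason = $topReason.Name
    }
} | Sort-Object Failures -Descending
$summary | Format-Table -AutoSize

# Burst check: one peer failing more than $Threshold times inside the last $WindowMinutes
# points at a misconfigured peer retrying in a loop or at an unexpected source to investigate.
$cutoff = (Get-Date).AddMinutes(-$WindowMinutes)
$rows | Where-Object { $_.TimeCreated -ge $cutoff } |
    Group-Object -Property $PeerField |
    Where-Object { $_.Count -gt $Threshold } |
    ForEach-Object {
        Write-Warning ('{0} Main Mode authentication failures from "{1}" in the last {2} minutes' -f $_.Count, $_.Name, $WindowMinutes)
    }
```

Run it from an elevated PowerShell session, since reading the Security log requires administrative rights; for fleet-wide monitoring, forward the Security log to a collector and run the same grouping there.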
How do I fix certificate-related IPsec authentication failures?
To resolve certificate-related failures, first verify certificate validity using 'Get-ChildItem -Path Cert:\LocalMachine\My' to check expiration dates and enhanced key usage. Ensure certificates have the 'IP security IKE intermediate' enhanced key usage. Check certificate trust chains and verify the Certificate Authority (CA) is accessible for validation. Test CRL (Certificate Revocation List) accessibility and ensure time synchronization between peers is within 5 minutes. If using auto-enrollment, verify Group Policy settings and certificate templates. Replace expired or revoked certificates and ensure both peers trust each other's certificate authorities.
What IPsec logs should I check alongside Event ID 4960 for complete troubleshooting?
For comprehensive IPsec troubleshooting, check multiple related events: Event ID 4650 (IPsec Main Mode established), 4651 (IPsec Main Mode ended), 4962 (IPsec tunnel mode established), and 4963 (IPsec tunnel mode ended). Also examine the WFP (Windows Filtering Platform) logs under Applications and Services Logs → Microsoft → Windows → WFP for detailed negotiation information. Enable IKE/AuthIP logging using 'netsh wfp set options keywords=IKEV1+IKEV2+AUTHIP' for advanced troubleshooting. Check System log for related service failures and Application log for certificate validation errors from the Certificate Services Client.
Written by Emanuel DE ALMEIDA, Senior IT Journalist & Cloud Architect

Microsoft MCSA-certified Cloud Architect | Fortinet-focused. I modernize cloud, hybrid & on-prem infrastructure for reliability, security, performance and cost control - sharing field-tested ops & troubleshooting.
