Hi,
I’m trying to set up IKEv2 on a router which doesn’t have a DNS name, only an IP.
But I keep getting “identity not found for peer: ADDR4: xx.xx.xx.xx”
At the same time, Windows 10 shows “IKE authentication credentials are unacceptable”.
I have already tried putting both the client certificate and the CA in the Personal and Trusted Root Certificate stores, both for the user account only and for the whole machine.
Is my certificate CN name wrong, or is it some other problem?
Below are the config and logs.
If any more info needs to be reviewed, please tell me. Thank you.
What you must do is install the client certificate, including its private key, and the certificates of all the CAs in its chain of trust on the Windows side, so that the Windows client can use it to both identify and authenticate itself to the responder (the Mikrotik). The client certificate must be installed as a machine one, not a user one (so far; gents in Riga are working on it). You also have to configure the IKEv2 client to use the machine certificate (I hazily remember they call it the “chip card” authentication method, but I may be wrong; try all the options one by one if this one fails).
Without the certificate, the Windows client sends its private IP address as its ID-I, which doesn’t match the remote-id of any /ip ipsec identity row linked to the peer on the Mikrotik side, so the Mikrotik cannot choose its own certificate to send to the client, and thus Windows reports an error as well.
You also have to import the client certificate (its private key is not necessary in this case) into the Mikrotik’s certificate store and link the /ip ipsec identity row to it (using the remote-certificate field), as Windows will send the certificate itself as ID-I.
If both the client certificate and the Mikrotik certificate are signed by the same CA, it will start working once you install the client certificate on both devices and tell the VPN client to use it. If the signing CA for the Mikrotik differs from the one for the Windows client, you have to import the complete chain of trust of the Mikrotik’s certificate into Windows, and you have to import the complete chain of trust of the client certificate into the Mikrotik’s certificate store.
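The Windows side of the procedure in the reply above, written out as an added PowerShell example (this is not code from the thread or from Mikrotik). It assumes placeholder paths `C:\certs\client.pfx` (client certificate with its private key) and `C:\certs\ca.crt` (the CA that signed it), a placeholder router address `203.0.113.10` standing in for the real public IP, and a constructed connection name; the `MachineCertificate` authentication method is what the Windows GUI labels “Use machine certificates”. Run it from an elevated PowerShell prompt, then dial the connection and watch the Mikrotik log for the “identity not found” message to disappear.

```powershell
# Added example, not from the forum thread: Windows 10 client side of the IKEv2 fix.
# Placeholders: adjust the router IP and certificate paths to your own environment.
$RouterIp  = "203.0.113.10"          # placeholder for the Mikrotik's public IPv4 address
$ClientPfx = "C:\certs\client.pfx"   # placeholder: client certificate WITH private key
$CaCert    = "C:\certs\ca.crt"       # placeholder: CA that signed the client certificate
$ConnName  = "Mikrotik-IKEv2"        # constructed connection name

# 1. Machine store, not user store: the IKEv2 client only picks up machine certificates,
#    so the PFX goes into Cert:\LocalMachine\My.
$pfxPassword = Read-Host -Prompt "PFX password" -AsSecureString
Import-PfxCertificate -FilePath $ClientPfx -CertStoreLocation Cert:\LocalMachine\My -Password $pfxPassword

# 2. The complete chain of trust goes into the machine stores as well: root CA into Root,
#    any intermediates into CA. If the Mikrotik's certificate is signed by a different CA,
#    import that chain here too, as the reply explains.
Import-Certificate -FilePath $CaCert -CertStoreLocation Cert:\LocalMachine\Root

# 3. Create the IKEv2 connection for all users and tell it to authenticate with the
#    machine certificate (GUI: "Use machine certificates").
Add-VpnConnection -Name $ConnName -ServerAddress $RouterIp -TunnelType Ikev2 `
    -AuthenticationMethod MachineCertificate -AllUserConnection -Force

# 4. Sanity checks: a certificate with a private key is present in the machine store
#    and it chains to a trusted root. If Verify() is False, the chain import is incomplete.
$clientCert = Get-ChildItem Cert:\LocalMachine\My |
              Where-Object { $_.HasPrivateKey } |
              Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $clientCert) { Write-Warning "No certificate with a private key found in LocalMachine\My" }
else {
    "Client cert : $($clientCert.Subject)"
    "Chain valid : $($clientCert.Verify())"
}

# 5. Dial the connection; errors here map to the "IKE authentication credentials are
#    unacceptable" message seen in the original question.
rasdial $ConnName
```

The Mikrotik side still needs the client certificate (public part only) imported and referenced in the `remote-certificate` field of the `/ip ipsec identity` row, exactly as the reply describes; the checks in step 4 are the quickest way to tell whether the Windows failure is a missing private key (certificate in the wrong store) or an incomplete chain (CA not imported to the machine's Root store).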