Cert-based VPN IPsec IKEv2 connection issue

Hi All,

I set up a VPN server using IPsec IKEv2.

As I have multiple certificates, I used the following command to select the correct certificate for authentication:

Set-VpnConnection -Name "IKEV2" -MachineCertificateIssuerFilter 'C:\temp\Mikrotik-CA.crt'

On the client side I see a “Policy mismatch error” in Event Viewer:

XXXX dialed a connection named IKEV2 which has failed. The error code returned on failure is 13868.

Mikrotik Config:

/interface bridge
add admin-mac=16:C5:39:E5:FC:8D auto-mac=no name=LAN
add name=VPN
/interface ethernet
set [ find default-name=ether1 ] name=WAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec policy group
add name=Group-ikev2
/ip ipsec profile
add enc-algorithm=aes-256 hash-algorithm=sha256 name=Profile-ikev2
/ip ipsec peer
add exchange-mode=ike2 name=peer-ikev2 passive=yes profile=Profile-ikev2
/ip ipsec proposal
set [ find default=yes ] disabled=yes
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc name=proposal-ikev2 pfs-group=none
/ip pool
add name=VPN-IP-Pool ranges=192.168.77.1-192.168.77.200
add name=dhcp_pool1 ranges=192.168.76.10-192.168.76.200
/ip ipsec mode-config
add address-pool=VPN-IP-Pool address-prefix-length=32 name=cfg-ikev2 split-include=0.0.0.0/0
/interface bridge port
add bridge=LAN interface=ether2
add bridge=LAN interface=ether3
add bridge=LAN interface=ether4
add bridge=LAN interface=ether5
/ipv6 settings
set disable-ipv6=yes
/ip address
add address=192.168.76.254/24 interface=LAN network=192.168.76.0
add address=192.168.77.254/24 interface=VPN network=192.168.77.0
/ip dhcp-client
add default-route-tables=main interface=WAN
/ip dhcp-server
add address-pool=dhcp_pool1 interface=LAN name=dhcp1
/ip dhcp-server network
add address=192.168.76.0/24 dns-server=1.1.1.1,8.8.8.8 gateway=192.168.76.254
/ip ipsec identity
add auth-method=digital-signature certificate=Mikrotik-CA generate-policy=port-strict match-by=certificate mode-config=cfg-ikev2 peer=peer-ikev2 policy-template-group=Group-ikev2 remote-certificate=Client1@mikrotik.local remote-id=\
    fqdn:Client1@mikrotik.local
/ip ipsec policy
set 0 disabled=yes dst-address=0.0.0.0/0 proposal=*2 src-address=0.0.0.0/0
add dst-address=192.168.77.0/24 group=Group-ikev2 proposal=proposal-ikev2 src-address=0.0.0.0/0 template=yes
/system clock
set time-zone-autodetect=no time-zone-name=Europe/Budapest
/system ntp client
set enabled=yes
/system ntp client servers
add address=0.hu.pool.ntp.org
add address=1.hu.pool.ntp.org

In the MikroTik log I see it is connected for a while:

2026-02-02 15:37:22 ipsec,info new ike2 SA (R): peer-ikev2 XXXX
2026-02-02 15:37:22 ipsec,info,account peer authorized: peer-ikev2 XXXXX
2026-02-02 15:37:22 ipsec,info acquired 192.168.77.198 address for XXXXX CN=Client1@mikrotik.local
2026-02-02 15:37:22 ipsec,error no proposal chosen
2026-02-02 15:37:22 ipsec,info releasing address 192.168.77.198

I am sure there is a small mistake, but I cannot find it at all.

All the certs are in the right place under the machine store.

It seems the problem is not the certificate, but that the proposal is unacceptable to the client.

Definitely yes,

I modified the proposal as follows:

/ip ipsec profile
set [ find default=yes ] dh-group=modp1024 enc-algorithm=3des
add dh-group=modp1024 enc-algorithm=3des name=Profile-ikev2

/ip ipsec proposal
set [ find default=yes ] disabled=yes
add enc-algorithms=3des name=proposal-ikev2 pfs-group=none

The “no proposal chosen” error disappeared.

In the log:

2026-02-03 07:50:31 ipsec,info new ike2 SA (R): peer-ikev2 X.X.X.x[500]-10.36.7.119[500]
2026-02-03 07:50:31 ipsec,info,account peer authorized: peer-ikev2 X.X.X.X[4500]-X.X.X.X[4500] 3549bdedff03b84b:de798f5429e1cc56
2026-02-03 07:50:31 ipsec,info acquired 192.168.77.199 address for X.X.X.X, CN=Client1@mikrotik.local
2026-02-03 07:51:04 ipsec,info killing ike2 SA: peer-ikev2 X.X.X.X[4500]-X.X.X.X[4500] 3549bdedff03b84b:de798f5429e1cc56
2026-02-03 07:51:04 ipsec,info releasing address 192.168.77.199

On Win 11 side:

The user XXXXXX dialed a connection named IKEV2 which has failed. The error code returned on failure is 13801.

IKE authentication credentials unacceptable

It seems to me that I am close to the solution. I just need to find the next step ;-)
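The 3DES/modp1024 change above makes the MikroTik accept the client's built-in proposal set; the other direction is to tell the Windows client which algorithms to offer, so the server can keep AES-256/SHA-256. The following PowerShell is an added example, not code from this thread or from MikroTik: it assumes a connection named IKEV2, a placeholder server name vpn.example.com, the CA file path from the first post, and that the RasClient provider writes event 20227 to the Application log with the "error code returned on failure is N" text quoted in the posts. It pins the issuer filter, sets the IKE and ESP algorithms (with the matching RouterOS values in comments), lists the machine certificates that could satisfy the filter, and decodes the failure codes seen in the thread.

```powershell
# Added example, not from the original thread. Run in an elevated PowerShell on the
# Windows 11 client. Placeholder values are marked as such.
$Name   = 'IKEV2'
$Server = 'vpn.example.com'          # placeholder, not from the thread
$CaFile = 'C:\temp\Mikrotik-CA.crt'  # CA file path as used in the first post

# 1. Create the connection with machine-certificate authentication if it does not exist yet.
if (-not (Get-VpnConnection -Name $Name -ErrorAction SilentlyContinue)) {
    Add-VpnConnection -Name $Name -ServerAddress $Server -TunnelType IKEv2 `
        -AuthenticationMethod MachineCertificate -EncryptionLevel Required
}

# 2. With several machine certificates installed, pin the one issued by the MikroTik CA.
Set-VpnConnection -Name $Name -MachineCertificateIssuerFilter $CaFile

# 3. Replace the client's default IKEv2 proposals with explicit ones. Mapping to RouterOS:
#    IKE SA   : EncryptionMethod AES256, IntegrityCheckMethod SHA256, DHGroup Group14
#               -> /ip ipsec profile enc-algorithm=aes-256 hash-algorithm=sha256 dh-group=modp2048
#    Child SA : CipherTransformConstants AES256, AuthenticationTransformConstants SHA256128, PfsGroup None
#               -> /ip ipsec proposal enc-algorithms=aes-256-cbc auth-algorithms=sha256 pfs-group=none
Set-VpnConnectionIPsecConfiguration -ConnectionName $Name `
    -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 -DHGroup Group14 `
    -CipherTransformConstants AES256 -AuthenticationTransformConstants SHA256128 `
    -PfsGroup None -Force

# 4. Show the policy that will actually be offered (EncryptionLevel becomes Custom).
(Get-VpnConnection -Name $Name).IPsecCustomPolicy

# 5. List machine certificates that can satisfy the issuer filter: issued by the CA,
#    private key present, Client Authentication EKU (1.3.6.1.5.5.7.3.2).
function Get-ClientCertCandidates {
    param([string]$IssuerFile = $CaFile)
    $ca = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $IssuerFile
    Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $_.Issuer -eq $ca.Subject -and $_.HasPrivateKey -and
        ($_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.2')
    } | Select-Object Subject, NotAfter, Thumbprint
}

# 6. Decode the most recent dial failures for this connection from the RasClient events.
#    The two codes from the thread are listed; other codes fall back to the Win32 message text.
function Get-VpnDialFailure {
    param([string]$ConnectionName = $Name, [int]$Newest = 5)
    $known = @{
        13801 = 'ERROR_IPSEC_IKE_AUTH_FAIL: IKE authentication credentials unacceptable (check the cert chain, EKU and which cert the server presents)'
        13868 = 'ERROR_IPSEC_IKE_POLICY_MATCH: policy mismatch (no overlapping IKE/ESP proposal)'
    }
    Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'RasClient'; Id = 20227 } `
        -MaxEvents $Newest -ErrorAction SilentlyContinue |
      Where-Object { $_.Message -like "*named $ConnectionName*" } |
      ForEach-Object {
        if ($_.Message -match 'error code returned on failure is (\d+)') {
            $code = [int]$Matches[1]
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Code    = $code
                Meaning = $(if ($known.ContainsKey($code)) { $known[$code] }
                            else { (New-Object System.ComponentModel.Win32Exception $code).Message })
            }
        }
      }
}

Get-ClientCertCandidates
Get-VpnDialFailure
```

Apply the IPsec configuration before dialing: once both ends offer AES-256/SHA-256/modp2048, the RouterOS profile and proposal from the first post can stay as they were, and a 13868 afterwards points at a genuine algorithm mismatch rather than at the client's defaults. If Get-ClientCertCandidates returns nothing, the issuer filter cannot select a certificate and the failure will be on the credential side, which is the 13801 case.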

OK, that is easy to google…

You probably used a self-signed certificate or set up your own certificate authority that is not installed on the client.

CA and client cert are installed. The connection is established, just dropped. As you said before, it can be something with the proposal.
The test client contains more certs; maybe I will install a brand new machine for testing.

You already solved the proposal problem but now it is something with the certificate.

Well, I never managed to get IKEv2 working on Windows either. Now, I was using PSK, not cert, but there were never-ending issues that are difficult to debug, and I ended up using L2TP/IPsec (IKEv1). I.e., continue using that.

On Android it is the other way around and it works using IKEv2 while L2TP/IPsec is “deprecated”.

Your ideas are worth their weight in gold.

I had a deeper look in the config and the problem was in the identity certificate setting. I set the CA instead of the server cert.

All fine, now connected.

Thanks @pe1chl