IKE2 RSA signature - identity not found for peer: DER DN:

RouterOS General
1

I have configured IKE2. RouterOS 6.44.1

If I have just one ipsec identity, then it works fine. When I have two identities configured like below It doesnt work and end it up with error
"ipsec,error identity not found for peer: DER DN: client_win10cer

Certificaion creation:

/certificate
add common-name=ca name=CA days-valid=3650
sign CA ca-crl-host=MYSN.sn.mynetname.net

add common-name=MYSN.sn.mynetname.net subject-alt-name=DNS:MYSN.sn.mynetname.net key-usage=tls-server name=server1
sign server1 ca=CA

add common-name=client_win10cert key-usage=tls-client name=client_win10cert
sign client_win10cert ca=CA

add common-name=Client_AndroidPhoneCert key-usage=tls-client name=Client_AndroidPhoneCert
sign Client_AndroidPhoneCert ca=CA

Ipsec IKE2 conf:

/ip ipsec profile
add name=ike2-profile

/ip ipsec proposal
add name=ikev2-proposal pfs-group=none
/ip pool
add name=ikev2_dhcp_pool ranges=192.168.103.100-192.168.103.200

/ip ipsec mode-config
add address-pool=ikev2_dhcp_pool name=ikev2_mode_cfg1 system-dns=yes address-prefix-length=32

/ip ipsec policy group
add name=ikev2-policies

/ip ipsec policy
add dst-address=192.168.103.0/24 group=ikev2-policies proposal=ikev2-proposal src-address=0.0.0.0/0 template=yes

/ip ipsec peer
add exchange-mode=ike2 name=all_peers passive=yes profile=ike2-profile

/ip ipsec identity
add auth-method=rsa-signature certificate=server1 generate-policy=port-strict match-by=certificate \
mode-config=ikev2_mode_cfg1 peer=all_peers policy-template-group=ikev2-policies remote-certificate=client_win10cert

/ip ipsec identity
add auth-method=rsa-signature certificate=server1 generate-policy=port-strict match-by=certificate \
mode-config=ikev2_mode_cfg1 peer=all_peers policy-template-group=ikev2-policies remote-certificate=Client_AndroidPhoneCert

Any ideal please? Do i have anything wrongly configured?
Thanks

IKE2 RSA signature - two Mikrotiks as servers, win10 as client - certificate choosing problem
Windows 10 ikev2 13801: IKE authentication credentials are unacceptable error
2

Try disabling and re-enabling the second identity (or both) and see whether it starts working then.

Setting up IKEv2 VPN Server behind NAT
3

I tried it as you recommended (re-enabling both identities) and now it works fine. Problem solved then. Thanks!

4

OK, thanks for reporting. We will fix the issue in next releases of RouterOS so disabling and enabling is not necessary.

5

Same here, disabling doesn’t help.

The strange thing is, it works on iOS fine, but the windows client doesn’t. Current RouterOS from today on CCR

6

I had also problems of different behavior between Windows and IOS.
You can see what worked eventually for me here:http://forum.mikrotik.com/t/windows-10-ikev2-13801-ike-authentication-credentials-are-unacceptable-error/132454/1