I have got two MikroTiks running RouterOS 6.44.1. On each of them an IKE2 VPN is configured. A sample configuration of ike2 is here: http://forum.mikrotik.com/t/ike2-rsa-signature-identity-not-found-for-peer-der-dn/128793/1
Certificate creation on Mikrotik1:
/certificate
add common-name=ca name=CA1 days-valid=3650
sign CA1 ca-crl-host=Mikrotik1SN.sn.mynetname.net
add common-name=Mikrotik1SN.sn.mynetname.net subject-alt-name=DNS:Mikrotik1SN.sn.mynetname.net key-usage=tls-server name=server1
sign server1 ca=CA1
add common-name=client1_win10cert key-usage=tls-client name=client1_win10cert
sign client1_win10cert ca=CA1
Certificate creation on Mikrotik2:
/certificate
add common-name=ca name=CA2 days-valid=3650
sign CA2 ca-crl-host=Mikrotik2SN.sn.mynetname.net
add common-name=Mikrotik2SN.sn.mynetname.net subject-alt-name=DNS:Mikrotik2SN.sn.mynetname.net key-usage=tls-server name=server2
sign server2 ca=CA2
add common-name=client2_win10cert key-usage=tls-client name=client2_win10cert
sign client2_win10cert ca=CA2
When I import the certificate from Mikrotik1 to WIN10, it works fine. I can connect (create a VPN connection) to Mikrotik1.
After that, when I import the certificate from Mikrotik2 to WIN10, it works fine too if I want to connect (create a VPN connection) to Mikrotik2, BUT I cannot connect to Mikrotik1 then.
It seems to me that WIN10 is trying to use the certificate for Mikrotik2 for authentication, and not the certificate for Mikrotik1, when I want to connect to Mikrotik1.
When I try connection to Mikrotik1:
Win error: IKE authentication credentials are unacceptable
Mikrotik log error: ipsec,error identity not found for peer: DER DN: client2_win10cert
My question is: should I create the client certificate with some more information in it so that WIN10 would choose the right certificate for authentication?
I know that this is more of a WIN10 question, but maybe somebody here has the knowledge of what exactly the client certificate should contain for that situation/scenario.
Thanks
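The post describes Windows 10 presenting client2_win10cert to Mikrotik1 once two machine certificates with the Client Authentication EKU are installed. The following PowerShell script is an added example, not from the post or the thread: it lists the candidate machine certificates, then pins each VPN connection to the CA that issued the certificate it must present, using the `-MachineCertificateIssuerFilter` and `-MachineCertificateEKUFilter` parameters of `Set-VpnConnection`. Assumptions: both client certificates (with private keys) were imported into `Cert:\LocalMachine\My`, both CA certificates into `Cert:\LocalMachine\Root`, the connections use machine-certificate authentication and are named `ToMikrotik1` and `ToMikrotik2` (hypothetical names), and the thumbprint values are placeholders to be filled from the listing. Note that both CAs in the post were created with `common-name=ca`, so they share the subject `CN=ca`; the script therefore selects each CA by thumbprint, not by name. Whether an issuer filter resolves this particular case is not established by the thread; what it does is make the certificate choice explicit on the client instead of leaving it to whichever eligible certificate Windows picks.

```powershell
# Added example, not from the forum post. Assumes: both client certificates
# (with private keys) are in Cert:\LocalMachine\My, both CA certificates are in
# Cert:\LocalMachine\Root, and the VPN connections 'ToMikrotik1' and
# 'ToMikrotik2' (hypothetical names) already exist with machine-certificate
# authentication. Run from an elevated PowerShell prompt.

$ClientAuthEku = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth, what RouterOS key-usage=tls-client sets

# Every machine certificate carrying the Client Authentication EKU is a
# candidate for IKEv2 machine-certificate authentication. With both
# client1_win10cert and client2_win10cert imported, this returns two entries.
function Get-ClientAuthCertificate {
    Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {
        $ext = $_.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        $ext -and ($ext.EnhancedKeyUsages | Where-Object { $_.Value -eq $ClientAuthEku })
    }
}

Get-ClientAuthCertificate |
    Select-Object Subject, Issuer, NotAfter, Thumbprint | Format-Table -AutoSize

# Both CAs from the post have the same subject (CN=ca), so the only reliable
# way to tell them apart in the Root store is the thumbprint.
Get-ChildItem -Path Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -eq 'CN=ca' } |
    Select-Object Subject, NotAfter, Thumbprint | Format-Table -AutoSize

# Placeholders: replace with the thumbprints printed by the listing above.
$Ca1Thumbprint = '<THUMBPRINT-OF-CA1>'
$Ca2Thumbprint = '<THUMBPRINT-OF-CA2>'

# Pin a connection to one issuing CA and restrict the candidate set to
# certificates that carry the Client Authentication EKU.
function Set-VpnIssuerPin {
    param(
        [Parameter(Mandatory)] [string] $ConnectionName,
        [Parameter(Mandatory)] [string] $IssuerThumbprint
    )
    $issuer = Get-Item -Path ("Cert:\LocalMachine\Root\" + $IssuerThumbprint)
    Set-VpnConnection -Name $ConnectionName `
        -MachineCertificateIssuerFilter $issuer `
        -MachineCertificateEKUFilter $ClientAuthEku `
        -PassThru
}

Set-VpnIssuerPin -ConnectionName 'ToMikrotik1' -IssuerThumbprint $Ca1Thumbprint
Set-VpnIssuerPin -ConnectionName 'ToMikrotik2' -IssuerThumbprint $Ca2Thumbprint

# Confirm the filters were stored on each connection.
Get-VpnConnection -Name 'ToMikrotik1', 'ToMikrotik2' |
    Select-Object Name, TunnelType, AuthenticationMethod, MachineCertificateIssuerFilter
```

After the filters are set, reconnecting to Mikrotik1 should make the RouterOS log show the expected client DN (client1_win10cert) rather than client2_win10cert; if the log still reports the wrong DN, the selection problem lies elsewhere than the client-side certificate choice.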