I’ve got a Mikrotik router configured as VPN server (IKEv2 with certificate) and connect form Windows clients without problems.
However: the certificates used were all generated on the Mikrotik router (Issuing CA, server (Mikrotik router) and client (Windows machine)) and two of them (Client and Issuing CA) were imported in the “My” (Personal) and “Root” (Trusted Root Certification Authorities) folders of the client machine’s certificate store respectively.
This implies that anyone working on that machine can use them to create a VPN connection to the Mikrotik router (if they also know a few other parameters).
Can a user authentication be added so that different users working on the same Windows client can be distinguished by the Mikrotik router?