IKEv2 works on Android but not in Windows 10

Hi there,

I'm using IKEv2 as my VPN system. When I set up everything on my smartphone (Android) it works with no problems.
But when I do the same on Windows 10 I always get "IKE credentials are unacceptable".

But even after getting this error I can see there is an active connection. Windows 10 doesn't connect, though.

16:01:43 ipsec -> ike2 request, exchange: SA_INIT:0 XXX.XXX.XXX.XXX[500] e77480df359d282d:0000000000000000 
16:01:43 ipsec ike2 respond 
16:01:43 ipsec payload seen: SA 
16:01:43 ipsec payload seen: KE 
16:01:43 ipsec payload seen: NONCE 
16:01:43 ipsec payload seen: NOTIFY 
16:01:43 ipsec payload seen: NOTIFY 
16:01:43 ipsec payload seen: NOTIFY 
16:01:43 ipsec payload seen: VID 
16:01:43 ipsec payload seen: VID 
16:01:43 ipsec payload seen: VID 
16:01:43 ipsec payload seen: VID 
16:01:43 ipsec processing payload: NONCE 
16:01:43 ipsec processing payload: SA 
16:01:43 ipsec IKE Protocol: IKE 
16:01:43 ipsec  proposal #1 
16:01:43 ipsec   enc: 3des-cbc 
16:01:43 ipsec   prf: hmac-sha1 
16:01:43 ipsec   auth: sha1 
16:01:43 ipsec   dh: modp1024 
16:01:43 ipsec  proposal #2 
16:01:43 ipsec   enc: 3des-cbc 
16:01:43 ipsec   prf: hmac-sha256 
16:01:43 ipsec   auth: sha256 
16:01:43 ipsec   dh: modp1024 
16:01:43 ipsec  proposal #3 
16:01:43 ipsec   enc: 3des-cbc 
16:01:43 ipsec   prf: hmac-sha384 
16:01:43 ipsec   auth: sha384 
16:01:43 ipsec   dh: modp1024 
16:01:43 ipsec  proposal #4 
16:01:43 ipsec   enc: aes128-cbc 
16:01:43 ipsec   prf: hmac-sha1 
16:01:43 ipsec   auth: sha1 
16:01:43 ipsec   dh: modp1024 
16:01:43 ipsec  proposal #5 
16:01:43 ipsec   enc: aes128-cbc 
16:01:43 ipsec   prf: hmac-sha256 
16:01:43 ipsec   auth: sha256 
16:01:43 ipsec   dh: modp1024 
16:01:43 ipsec  proposal #6 
16:01:43 ipsec   enc: aes128-cbc 
16:01:43 ipsec   prf: hmac-sha384 
16:01:43 ipsec   auth: sha384 
16:01:43 ipsec   dh: modp1024 
16:01:43 ipsec  proposal #7 
16:01:43 ipsec   enc: aes192-cbc 
16:01:43 ipsec   prf: hmac-sha1 
16:01:43 ipsec   auth: sha1 
16:01:43 ipsec   dh: modp1024 
16:01:43 ipsec  proposal #8 
16:01:43 ipsec   enc: aes192-cbc 
16:01:43 ipsec   prf: hmac-sha256 
16:01:43 ipsec   auth: sha256 
16:01:43 ipsec   dh: modp1024 
16:01:43 ipsec  proposal #9 
16:01:43 ipsec   enc: aes192-cbc 
16:01:43 ipsec   prf: hmac-sha384 
16:01:43 ipsec   auth: sha384 
16:01:43 ipsec   dh: modp1024 
16:01:43 ipsec  proposal #10 
16:01:43 ipsec   enc: aes256-cbc 
16:01:43 ipsec   prf: hmac-sha1 
16:01:43 ipsec   auth: sha1 
16:01:43 ipsec   dh: modp1024 
16:01:43 ipsec  proposal #11 
16:01:43 ipsec   enc: aes256-cbc 
16:01:43 ipsec   prf: hmac-sha256 
16:01:43 ipsec   auth: sha256 
16:01:43 ipsec   dh: modp1024 
16:01:43 ipsec  proposal #12 
16:01:43 ipsec   enc: aes256-cbc 
16:01:43 ipsec   prf: hmac-sha384 
16:01:43 ipsec   auth: sha384 
16:01:43 ipsec   dh: modp1024 
16:01:43 ipsec  proposal #13 
16:01:43 ipsec   enc: aes128-gcm 
16:01:43 ipsec   prf: hmac-sha1 
16:01:43 ipsec   dh: modp1024 
16:01:43 ipsec  proposal #14 
16:01:43 ipsec   enc: aes128-gcm 
16:01:43 ipsec   prf: hmac-sha256 
16:01:43 ipsec   dh: modp1024 
16:01:43 ipsec  proposal #15 
16:01:43 ipsec   enc: aes128-gcm 
16:01:43 ipsec   prf: hmac-sha384 
16:01:43 ipsec   dh: modp1024 
16:01:43 ipsec  proposal #16 
16:01:43 ipsec   enc: aes256-gcm 
16:01:43 ipsec   prf: hmac-sha1 
16:01:43 ipsec   dh: modp1024 
16:01:43 ipsec  proposal #17 
16:01:43 ipsec   enc: aes256-gcm 
16:01:43 ipsec   prf: hmac-sha256 
16:01:43 ipsec   dh: modp1024 
16:01:43 ipsec  proposal #18 
16:01:43 ipsec   enc: aes256-gcm 
16:01:43 ipsec   prf: hmac-sha384 
16:01:43 ipsec   dh: modp1024 
16:01:43 ipsec matched proposal: 
16:01:43 ipsec  proposal #1 
16:01:43 ipsec   enc: 3des-cbc 
16:01:43 ipsec   prf: hmac-sha1 
16:01:43 ipsec   auth: sha1 
16:01:43 ipsec   dh: modp1024 
16:01:43 ipsec processing payload: KE 
16:01:43 ipsec adding payload: SA 
16:01:43 ipsec adding payload: KE 
16:01:43 ipsec adding payload: NONCE 
16:01:43 ipsec adding notify: NAT_DETECTION_SOURCE_IP 
16:01:43 ipsec adding notify: NAT_DETECTION_DESTINATION_IP 
16:01:43 ipsec adding notify: IKEV2_FRAGMENTATION_SUPPORTED 
16:01:43 ipsec adding payload: CERTREQ 
16:01:43 ipsec <- ike2 reply, exchange: SA_INIT:0 XXX.XXX.XXX.XXX[500] e77480df359d282d:ba85c5f02986a7f0 
16:01:43 ipsec,info new ike2 SA (R): YYY.YYY.YYY.YYY[500]-XXX.XXX.XXX.XXX[500] spi:ba85c5f02986a7f0:e77480df359d282d 
16:01:43 ipsec processing payloads: VID 
16:01:43 ipsec peer is MS Windows (ISAKMPOAKLEY 9) 
16:01:43 ipsec processing payloads: NOTIFY 
16:01:43 ipsec   notify: IKEV2_FRAGMENTATION_SUPPORTED 
16:01:43 ipsec   notify: NAT_DETECTION_SOURCE_IP 
16:01:43 ipsec   notify: NAT_DETECTION_DESTINATION_IP 
16:01:43 ipsec (NAT-T) REMOTE  
16:01:43 ipsec KA list add: YYY.YYY.YYY.YYY[4500]->XXX.XXX.XXX.XXX[4500] 
16:01:43 ipsec fragmentation negotiated 
16:01:43 ipsec -> ike2 request, exchange: AUTH:1 XXX.XXX.XXX.XXX[4500] e77480df359d282d:ba85c5f02986a7f0 
16:01:43 ipsec payload seen: SKF 
16:01:43 ipsec processing payload: ENC (not found) 
16:01:43 ipsec processing payload: SKF 
16:01:43 ipsec -> ike2 request, exchange: AUTH:1 XXX.XXX.XXX.XXX[4500] e77480df359d282d:ba85c5f02986a7f0 
16:01:43 ipsec payload seen: SKF 
16:01:43 ipsec processing payload: ENC (not found) 
16:01:43 ipsec processing payload: SKF 
16:01:43 ipsec -> ike2 request, exchange: AUTH:1 XXX.XXX.XXX.XXX[4500] e77480df359d282d:ba85c5f02986a7f0 
16:01:43 ipsec payload seen: SKF 
16:01:43 ipsec processing payload: ENC (not found) 
16:01:43 ipsec processing payload: SKF 
16:01:43 ipsec -> ike2 request, exchange: AUTH:1 XXX.XXX.XXX.XXX[4500] e77480df359d282d:ba85c5f02986a7f0 
16:01:43 ipsec payload seen: SKF 
16:01:43 ipsec processing payload: ENC (not found) 
16:01:43 ipsec processing payload: SKF 
16:01:43 ipsec -> ike2 request, exchange: AUTH:1 XXX.XXX.XXX.XXX[4500] e77480df359d282d:ba85c5f02986a7f0 
16:01:43 ipsec payload seen: SKF 
16:01:43 ipsec processing payload: ENC (not found) 
16:01:43 ipsec processing payload: SKF 
16:01:43 ipsec -> ike2 request, exchange: AUTH:1 XXX.XXX.XXX.XXX[4500] e77480df359d282d:ba85c5f02986a7f0 
16:01:43 ipsec payload seen: SKF 
16:01:43 ipsec processing payload: ENC (not found) 
16:01:43 ipsec processing payload: SKF 
16:01:43 ipsec -> ike2 request, exchange: AUTH:1 XXX.XXX.XXX.XXX[4500] e77480df359d282d:ba85c5f02986a7f0 
16:01:43 ipsec payload seen: SKF 
16:01:43 ipsec processing payload: ENC (not found) 
16:01:43 ipsec processing payload: SKF 
16:01:43 ipsec payload seen: ID_I 
16:01:43 ipsec payload seen: CERT 
16:01:43 ipsec payload seen: CERTREQ 
16:01:43 ipsec payload seen: AUTH 
16:01:43 ipsec payload seen: NOTIFY 
16:01:43 ipsec payload seen: CONFIG 
16:01:43 ipsec payload seen: SA 
16:01:43 ipsec payload seen: TS_I 
16:01:43 ipsec payload seen: TS_R 
16:01:43 ipsec processing payloads: NOTIFY 
16:01:43 ipsec   notify: MOBIKE_SUPPORTED 
16:01:43 ipsec ike auth: respond 
16:01:43 ipsec processing payload: ID_I 
16:01:43 ipsec ID_I (DER DN): CN=RW-USER,C=ES,ST=MU,L=NOWHERE,O=COMPANY,OU=,SN= 
16:01:43 ipsec processing payload: ID_R (not found) 
16:01:43 ipsec processing payload: AUTH 
16:01:43 ipsec processing payload: CERT 
16:01:43 ipsec got CERT: CN=RW-USER,C=ES,ST=MU,L=NOWHERE,O=COMPANY,OU=,SN= 
16:01:43 ipsec processing payloads: NOTIFY 
16:01:43 ipsec   notify: MOBIKE_SUPPORTED 
16:01:43 ipsec processing payload: AUTH 
16:01:43 ipsec requested auth method: RSA 
16:01:43 ipsec,info,account peer authorized: YYY.YYY.YYY.YYY[4500]-XXX.XXX.XXX.XXX[4500] spi:ba85c5f02986a7f0:e77480df359d282d 
16:01:43 ipsec processing payloads: NOTIFY 
16:01:43 ipsec   notify: MOBIKE_SUPPORTED 
16:01:43 ipsec peer wants tunnel mode 
16:01:43 ipsec processing payload: CONFIG 
16:01:43 ipsec   attribute: internal IPv4 address 
16:01:43 ipsec   attribute: internal IPv4 DNS 
16:01:43 ipsec   attribute: internal IPv4 NBNS 
16:01:43 ipsec   attribute: MS internal IPv4 server 
16:01:43 ipsec   attribute: internal IPv6 address 
16:01:43 ipsec   attribute: internal IPv6 DNS 
16:01:43 ipsec   attribute: MS internal IPv6 server 
16:01:43 ipsec,info acquired 10.0.10.22 address for XXX.XXX.XXX.XXX, CN=RW-USER,C=ES,ST=MU,L=NOWHERE,O=COMPANY,OU=,SN= 
16:01:43 ipsec processing payload: SA 
16:01:43 ipsec IKE Protocol: ESP 
16:01:43 ipsec  proposal #1 
16:01:43 ipsec   enc: aes256-cbc 
16:01:43 ipsec   auth: sha1 
16:01:43 ipsec  proposal #2 
16:01:43 ipsec   enc: aes128-cbc 
16:01:43 ipsec   auth: sha1 
16:01:43 ipsec  proposal #3 
16:01:43 ipsec   enc: 3des-cbc 
16:01:43 ipsec   auth: sha1 
16:01:43 ipsec  proposal #4 
16:01:43 ipsec   enc: des-cbc 
16:01:43 ipsec   auth: sha1 
16:01:43 ipsec  proposal #5 
16:01:43 ipsec   enc: null 
16:01:43 ipsec   auth: sha1 
16:01:43 ipsec processing payload: TS_I 
16:01:43 ipsec 0.0.0.0/0 
16:01:43 ipsec [::/0] 
16:01:43 ipsec processing payload: TS_R 
16:01:43 ipsec 0.0.0.0/0 
16:01:43 ipsec [::/0] 
16:01:43 ipsec TSi in tunnel mode replaced with config address: 10.0.10.22 
16:01:43 ipsec candidate selectors: 0.0.0.0/0 <=> 10.0.10.22 
16:01:43 ipsec candidate selectors: [::/0] <=> [::/0] 
16:01:43 ipsec searching for policy for selector: 0.0.0.0/0 <=> 10.0.10.22 
16:01:43 ipsec generating policy 
16:01:43 ipsec matched proposal: 
16:01:43 ipsec  proposal #1 
16:01:43 ipsec   enc: aes256-cbc 
16:01:43 ipsec   auth: sha1 
16:01:43 ipsec ike auth: finish 
16:01:43 ipsec ID_R (FQDN): vpn.domain.com 
16:01:43 ipsec cert: CN=YYY.YYY.YYY.YYY,C=ES,ST=MU,L=NOWHERE,O=COMPANY,OU=DATACENTER,SN= 
16:01:43 ipsec adding payload: CERT 
16:01:43 ipsec adding payload: ID_R 
16:01:43 ipsec adding payload: AUTH 
16:01:43 ipsec preparing internal IPv4 address 
16:01:43 ipsec preparing internal IPv4 netmask 
16:01:43 ipsec preparing internal IPv4 DNS 
16:01:43 ipsec preparing internal IPv4 DNS 
16:01:43 ipsec adding payload: CONFIG 
16:01:43 ipsec initiator selector: 10.0.10.22  
16:01:43 ipsec adding payload: TS_I 
16:01:43 ipsec responder selector: 0.0.0.0/0  
16:01:43 ipsec adding payload: TS_R 
16:01:43 ipsec adding payload: SA 
16:01:43 ipsec <- ike2 reply, exchange: AUTH:1 XXX.XXX.XXX.XXX[4500] e77480df359d282d:ba85c5f02986a7f0 
16:01:43 ipsec fragmenting into 2 chunks 
16:01:43 ipsec adding payload: SKF 
16:01:43 ipsec adding payload: SKF 
16:01:43 ipsec IPsec-SA established: XXX.XXX.XXX.XXX[4500]->YYY.YYY.YYY.YYY[4500] spi=0x4e91c62 
16:01:43 ipsec IPsec-SA established: YYY.YYY.YYY.YYY[4500]->XXX.XXX.XXX.XXX[4500] spi=0xbe59abce 
16:01:52 system,info,account user admin logged in from XXX.XXX.XXX.XXX via telnet 
16:01:54 ipsec sending dpd packet 
16:01:54 ipsec <- ike2 request, exchange: INFORMATIONAL:2 XXX.XXX.XXX.XXX[47831] 8981bdc63a4d01d9:19e0b034a6d53ba4 
16:01:55 ipsec -> ike2 reply, exchange: INFORMATIONAL:2 XXX.XXX.XXX.XXX[47831] 8981bdc63a4d01d9:19e0b034a6d53ba4

Thank you.

What is the Auth Method of your server?
You have to choose the P1/P2 correctly to suit your config.

If it's digital certificate (RSA):

# Create the connection with machine-certificate (RSA) authentication
Add-VpnConnection -Name "IKEv2" -ServerAddress "vpn.domain.tld" -TunnelType "ikev2" -AuthenticationMethod "MachineCertificate"
Set-VpnConnection -Name "IKEv2" -RememberCredential $True -SplitTunneling $False
# Replace the proposal your log shows being matched (3des-cbc / sha1 / modp1024) with AES256 / SHA256 / Group14
Set-VpnConnectionIPsecConfiguration -ConnectionName "IKEv2" -AuthenticationTransformConstants SHA256128 -CipherTransformConstants AES256 -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 -PfsGroup None -DHGroup Group14 -PassThru -Force
# Pin the CA that issued the server certificate and require encryption (one command, one line)
Set-VpnConnection -Name "IKEv2" -MachineCertificateIssuerFilter 'C:\VPN\Certs\ca-ike.vpn.domain.tld.crt' -EncryptionLevel "Required" -RememberCredential $True -AuthenticationMethod "MachineCertificate"

https://docs.microsoft.com/en-us/powershell/module/vpnclient/set-vpnconnectionipsecconfiguration?view=win10-ps

ecp256 Group 19 (256 bit ECP)
ecp384 Group 20 (384 bit ECP)
ecp521 Group 21 (521 bit ECP)
modp1024 Group 2 (1024 bit modulus) Avoid
modp1024s160 Group 22 (1024 bit modulus, 160 bit POS)
modp1536 Group 5 (1536 bit modulus) Avoid
modp2048 Group 14 (2048 bit modulus) Avoid if possible
modp2048s224 Group 23 (2048 bit modulus, 224 bit POS)
modp2048s256 Group 24 (2048 bit modulus, 256 bit POS) Avoid
modp3072 Group 15 (3072 bit modulus)
modp4096 Group 16 (4096 bit modulus)
modp6144 Group 17 (6144 bit modulus)
modp768 Group 1 (768 bit modulus) Avoid
modp8192 Group 18 (8192 bit modulus)
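The log in the first post shows the router matching proposal #1 (3des-cbc / sha1 / modp1024), a DH group the table above says to avoid. The following script is an added example (not from the thread or from MikroTik) that parses RouterOS ipsec proposal lines and flags the components marked "Avoid" above plus DES/3DES/null encryption; the sample log is constructed and abbreviated from the one posted.

```python
import re
# Constructed sample, abbreviated from the thread's RouterOS log: Windows offers its
# proposals in default order and the router takes the first acceptable one.
SAMPLE_LOG = """\
16:01:43 ipsec IKE Protocol: IKE
16:01:43 ipsec  proposal #1
16:01:43 ipsec   enc: 3des-cbc
16:01:43 ipsec   auth: sha1
16:01:43 ipsec   dh: modp1024
16:01:43 ipsec  proposal #11
16:01:43 ipsec   enc: aes256-cbc
16:01:43 ipsec   auth: sha256
16:01:43 ipsec   dh: modp1024
16:01:43 ipsec matched proposal:
16:01:43 ipsec  proposal #1
16:01:43 ipsec   enc: 3des-cbc
16:01:43 ipsec   auth: sha1
16:01:43 ipsec   dh: modp1024
"""
# DH groups the table above marks "Avoid", plus ciphers that are weak on their own.
WEAK = {"dh": {"modp768", "modp1024", "modp1536", "modp2048s256"},
        "enc": {"des-cbc", "3des-cbc", "null"}}
LINE = re.compile(r"^\S+ ipsec\s+(.*?)\s*$")
ATTRS = ("enc", "prf", "auth", "dh")

def parse_proposals(log):
    """Return (offered, matched): proposal dicts such as {'id': '1', 'proto': 'IKE', 'dh': 'modp1024'}."""
    offered, matched, current, proto, in_matched = [], [], None, None, False
    for raw in log.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        text = m.group(1)
        if text.startswith("IKE Protocol:"):        # start of a new SA (IKE or ESP) listing
            proto, in_matched = text.split(":", 1)[1].strip(), False
        elif text.startswith("matched proposal"):
            in_matched = True
        elif text.startswith("proposal #"):
            current = {"id": text.split("#", 1)[1], "proto": proto}
            (matched if in_matched else offered).append(current)
        elif current is not None and text.split(":", 1)[0] in ATTRS:
            key, val = text.split(":", 1)
            current[key] = val.strip()
    return offered, matched

def weak_parts(proposal):
    """Weak components of one proposal, e.g. ['dh=modp1024', 'enc=3des-cbc']."""
    return sorted(f"{k}={proposal[k]}" for k in WEAK if proposal.get(k) in WEAK[k])

if __name__ == "__main__":
    for p in parse_proposals(SAMPLE_LOG)[1]:
        print(f"{p['proto']} matched proposal #{p['id']}: weak -> {weak_parts(p) or 'none'}")
```

Feed it the full log (including the ESP section) and the matched ESP proposal is reported too, since each "IKE Protocol:" line starts a new listing.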

Does the certificate your /ip ipsec identity row refers to have something in the subject-alt-name field? If yes, does it match the address of the server you’ve set in the Windows client configuration, i.e. IP:xxx.xxx.xxx.xxx if you’ve set an IP address there and DNS:vpn.domain.com if you’ve set a domain name?
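The check described above, as an added example that is not part of the thread: given the address typed into the Windows client and the certificate's SAN entries, decide whether Windows will find a matching entry of the right type. The IP 203.0.113.10 and the function names are constructed; san_from_pem assumes the third-party cryptography package and is only there to pull the SAN from a real certificate file.

```python
from __future__ import annotations
import ipaddress

def san_matches(server_address: str, san_dns: list[str], san_ip: list[str]) -> bool:
    """True when the SAN carries the entry type Windows looks for: ServerAddress typed
    as an IP literal needs an IP:<addr> entry, a host name needs a DNS:<name> entry
    (compared case-insensitively and exactly; wildcards are not handled here)."""
    try:
        wanted_ip = ipaddress.ip_address(server_address)
    except ValueError:
        wanted_ip = None
    if wanted_ip is not None:
        return any(ipaddress.ip_address(a) == wanted_ip for a in san_ip)
    host = server_address.lower().rstrip(".")
    return any(n.lower().rstrip(".") == host for n in san_dns)

def san_from_pem(pem: bytes) -> tuple[list[str], list[str]]:
    """Read DNS and IP SAN entries from a PEM certificate. Needs the third-party
    'cryptography' package (pip install cryptography); the demo below does not call it."""
    from cryptography import x509
    cert = x509.load_pem_x509_certificate(pem)
    san = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
    return (list(san.get_values_for_type(x509.DNSName)),
            [str(a) for a in san.get_values_for_type(x509.IPAddress)])

def explain(server_address: str, san_dns: list[str], san_ip: list[str]) -> str:
    if san_matches(server_address, san_dns, san_ip):
        return f"{server_address}: OK, SAN matches"
    return (f"{server_address}: no matching SAN entry (DNS={san_dns}, IP={san_ip}); "
            "the Windows client will report 'IKE credentials are unacceptable'")

if __name__ == "__main__":
    # Constructed values; 203.0.113.10 stands in for the thread's redacted YYY.YYY.YYY.YYY.
    old_cert = ([], ["203.0.113.10"])                  # SAN held only the IP, as in the thread
    new_cert = (["vpn.domain.com"], ["203.0.113.10"])  # SAN covers both ways of naming the server
    print(explain("vpn.domain.com", *old_cert))   # mismatch: client was configured with the name
    print(explain("vpn.domain.com", *new_cert))   # OK
    print(explain("203.0.113.10", *old_cert))     # OK: the IP in the client would also have worked
```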

That's it, I used the IP instead of the DNS name (vpn.domain.com).

It works!

Thank you.