IPSec IKEv2 Road Warrior Authentication Error

Hi,

Recently I cannot log into my IKEv2 road warrior VPN and keep getting the error “IKE authentication credentials are unacceptable” on Windows 11.

I don’t know what the cause of this problem is. Previously I was able to log into the VPN without any problem. If the same problem occurs, it is due to the LetsEncrypt certificate being renewed, and I have to manually update the certificate in the IPSec Identities section.

But even after I updated the LetsEncrypt certificate, including the root certificate, I still cannot log in and get the error mentioned above. Please help.

Just a shot in the dark: effective July 1st or so, Let’s Encrypt has changed their intermediate certificate from R3 to R10. To allow the server to present the complete certificate chain to the client, the R10 certificate has to be imported into the MikroTik.

Let’s Encrypt has changed their intermediate certificate from R3 to R10

That’s not the whole story. There are actually two new RSA intermediate CAs, R10 and R11. Which intermediate CA is chosen is random. I tested it on a CHR.
So that really sucks, because you need to correct the trust chain every time the certificate is renewed.

https://i.ibb.co/89FbKbS/asdasdasd.png

I see. No wonder. I need to upload and import the new intermediate CA then. Just realized this. I think they have already been using their new CAs since March.

Correct. I had to upload and import multiple of their CAs (R10, R11, E5 and E6) into the MikroTik, as they are using different CAs when renewing the LE certificate. Good Lord.

Actually not, at least if the initiator is the embedded Windows VPN client, as it doesn’t mind if it gets an unrelated certificate. So it doesn’t matter whether your Let’s Encrypt certificate gets signed using R10 or R11 on renewal - it is enough to add both to the certificate list on the /ip/ipsec/identity row along with the one issued for the router, and the initiator sorts that out on its own.
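As an added illustration of the point made in this thread (not code from the thread, MikroTik or Let's Encrypt): a Go check that tells you, after a renewal, whether the intermediate that actually signed the new leaf is among the CAs you have imported, using a real signature check rather than a name match. The root, the intermediates named R10 and R11 and the leaf vpn.example.com are all constructed locally for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// makeCert issues a constructed test certificate for cn; parent == nil means self-signed.
func makeCert(cn string, isCA bool, parent *x509.Certificate, pk *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(90 * 24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true}
	if parent == nil { // self-signed: the template is its own issuer
		parent, pk = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, pk)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// signerOf returns the CN of the imported CA whose key actually signed leaf (a real
// signature check, not a name match), or "" when none did: then the identity's
// certificate list cannot present a complete chain and the client rejects it.
func signerOf(leaf *x509.Certificate, imported []*x509.Certificate) string {
	for _, ca := range imported {
		if leaf.CheckSignatureFrom(ca) == nil {
			return ca.Subject.CommonName
		}
	}
	return ""
}

// Demo builds a constructed PKI (not real Let's Encrypt certificates): the renewal was
// signed by R11. It checks the leaf against an identity that imported only R10, then one
// that imported both R10 and R11, and returns the matching signer for each case.
func Demo() (onlyR10, both string) {
	root, rootKey := makeCert("Constructed Root", true, nil, nil)
	r10, _ := makeCert("R10", true, root, rootKey)
	r11, r11Key := makeCert("R11", true, root, rootKey)
	leaf, _ := makeCert("vpn.example.com", false, r11, r11Key)
	return signerOf(leaf, []*x509.Certificate{r10}), signerOf(leaf, []*x509.Certificate{r10, r11})
}
```

With only R10 imported the check returns an empty string (chain incomplete); with both imported it returns "R11", which is why importing every current intermediate is the robust fix.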