Should mention that Windows' finicky approach to IPsec may be the heart of the matter. In that vein, I easily found some interesting snippets in a search, for example:
-
By default, the native Windows VPN client does not like the IPsec server to run on a private address behind a NAT.
-
Regarding the certificate - Windows needs the same type of encryption to be used in the certificate and in the Phase 1 / Phase 2 proposals, either both must be RSA or both must be EC. But I'm not sure whether that is the actual reason for that error message - also the certificate purpose may be wrong, it must contain the tls-server bit at least in order that the Windows embedded client would accept it, and if I am not mistaken, the domain name must be in the Subject-Alt-Names list, many IPsec initiators do not look for it in the Common Name field.
-
Picking the right certificate:
IKEv2 Picking the wrong client cert installed on local PC cert store - #2 by akarpas -
Hi, on the MikroTik you can adjust the MSS size for broken PMTUD via mangle rules. For more info:
/ip firewall mangle
# clamp MSS on TCP SYNs arriving through an IPsec policy (traffic coming in from the tunnel)
add chain=forward action=change-mss ipsec-policy=in,ipsec protocol=tcp tcp-flags=syn \
tcp-mss=1301-65535 new-mss=1300
# clamp MSS on TCP SYNs about to be encapsulated by an IPsec policy (traffic going out to the tunnel)
add chain=postrouting action=change-mss ipsec-policy=out,ipsec protocol=tcp \
tcp-flags=syn tcp-mss=1301-65535 new-mss=1300
6.Route internet traffic through ISP, only VPN traffic through IPSEC - #2 by rplant
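As an added example that is not from any of the quoted posts, here is a RouterOS certificate setup that meets the points listed above for the Windows client: tls-server key usage, the VPN host name in Subject Alt Name, and an RSA key paired with rsa-signature IKEv2 authentication. The names vpn-ca, vpn-server, vpn.example.com and ike2-peer are placeholders; the peer itself is assumed to exist already.

```routeros
# Added example (not from the quoted posts): CA + server certificate for the Windows IKEv2 client.
# Placeholders: vpn-ca, vpn-server, vpn.example.com, ike2-peer.
/certificate
# CA template: only certificate- and CRL-signing usage, RSA key (Windows wants cert key type
# and IKE auth method to match, so RSA here goes with auth-method=rsa-signature below).
add name=vpn-ca-template common-name=vpn-ca key-size=2048 days-valid=3650 \
    key-usage=key-cert-sign,crl-sign
sign vpn-ca-template name=vpn-ca
# Server template: host name in subject-alt-name (the CN alone is not enough for many
# initiators) and tls-server in key-usage, which the Windows client requires.
add name=vpn-server-template common-name=vpn.example.com \
    subject-alt-name=DNS:vpn.example.com key-size=2048 days-valid=1095 \
    key-usage=digital-signature,key-encipherment,tls-server
sign vpn-server-template ca=vpn-ca name=vpn-server
# Check the signed result carries the SAN and tls-server usage before handing it to IKE.
print detail where name=vpn-server
# Export the CA certificate; it is what gets imported into the Windows machine's
# Trusted Root Certification Authorities store.
export-certificate vpn-ca
# Bind the RSA server certificate to the IKEv2 peer with the matching RSA auth method.
/ip ipsec identity
add peer=ike2-peer auth-method=rsa-signature certificate=vpn-server
```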