Windows 10 ikev2 13801: IKE authentication credentials are unacceptable error

I am loosing my mind trying to do a certificate authentication between a Mkt server and a windows 10 client using ikev2.

I can log in to the Mkt server from an iPhone, however, I got the dreaded error from Windows saying: “IKE authentication credentials are unacceptable”.

I am also lost how to find any relevant data in windows log, as the only thing I was able to find in the event viewer was the failed connection and the error 13801 associated with it.

From an internet search, common causes for this issue are:

The machine certificate, which is used for IKEv2 validation on the RAS Server, does not have Server Authentication as the EKU (Enhanced Key Usage).
The machine certificate on RAS server has expired.
The root certificate to validate the RAS server certificate is not present on the client
The VPN Server Name, provided on the client, does not match with the subjectName of the server certificate.

I have checked that the server certificate has the proper Server Authentication and IP security Intermediate IKE EKU, in addition to Digital Signature and Key Encipherment.
The CN has the fqdn and the SAN has also the DNS fqdn.
I have tried with the root certificate and intermediate certificate in both the local and machine certificate store in the Windows Client.
I have tried to add to the mikrotik identity setting the certificate both the intermediate and root certificate in addition to the server one.

The Mikrotik log shows that during the ESP phase, after negotiating a match proposal, the windows client did not send its identity, but only its ID_I (ADDR4) ip address and the server show an error as identity not found as no certificate was sent.


My question is two folds:
Does someone knows how to increase/create/find a verbose log for the VPN connection on Windows 10?
Do you have any clue what could be my problem?

The possible reasons you’ve googled may be related both to Windows acting as server and to Windows acting as client so not all of them may be relevant.

Unless Windows need something specific, the normal requirements are the following:

1. to be able to prove its own identity to the remote party, each local party needs to have the private key for its own certificate.
2. to be able to check the authenticity of the remote party, each local party needs to have access to public certificates of the complete chain of trust of the other party’s public certificate - the public certificate of the ultimate root CA in the issuing chain as well as the public certificates of any intermediate CAs, and the root CA’s public certificate must be marked as trusted root CA (stored in the appropriate certificate store) locally.

So if you have generated the machine certificate for the Windows client elsewhere, make sure you have exported it including the private key. If you have created and exported the certificate for the Windows client on the Mikrotik itself, it means that you have to enter the passphrase for the key when exporting it, otherwise the private key is silently not exported (and the Windows don’t ask for the passphrase when importing the certificate).

To allow Windows to verify authenticity of the server’s (Mikrotik’s) certificate, you have to export (this time without the private key) the certificate of the issuing CA and any intermediate CAs for the Mikrotik’s certificate and import them to Windows, where the certificate of the root CA in the server’s chain of trust must be stored in the “trusted root CA” store.

Failure in one of the points above is the most likely explanation why the Windows’ VPN client doesn’t send its own certificate.

Similarly, to allow the Mikrotik to verify authenticity of the client’s certificate (once the Windows VPN client sends it after all), you have to install the public certificate of the root CA and all the intermediate CAs in the chain of trust of the client’s certificate on the Mikrotik. Only if you want to use the client certificate itself as as a selector value to the /ip ipsec identity, you need to store the client’s public certificate itself on the Mikrotik. If you’ve generated the certificate on the Mikroik itself, these requirements are automatically met.

Thanks,
I had all the chain of trust of the CA in both the client and server.
The client certificate had its key too.

I am really surprised not to find any information how to get a better error log on the windows vpn client… That would point me into the right direction instead of playing half blind with only the Mikrotik side.

If you have more than one certificate installed in Local Computer Personal certificate store that might be used for client authentication, you might need to specify one to be used by MachineCertificateIssuerFilter parameter of a VPN connection.

PowerShell command for this is:

Set-VpnConnection -Name VPN_connection_name -MachineCertificateIssuerFilter "path_to_CA.cer_file"

I had selected the option to have windows asking me which client certificate to use each time. And indeed I have a dropdown box letting me chose at the connection time.

If you have dropdown box you are using wrong auth method, it should be Use machine certificates.

I believe that I tried with machine certificate before without success also and eventually reading that both could be used as long as the certificates and chain were in the proper stores (user or machine).
But to make sure I tried again. I even put all the certificates in both chain. Still the same error message.

EAP auth with cert doesn’t work with Mikrotik as an IKEv2 server, it doesn’t see client cert at all, as you found, nor recognize auth method.

What error message do you see in your Mikrotik’s log with Use machine certificates selected on the client ?
Isn’t it hh:mm:ss ipsec,error can’t verify peer’s certificate from store ?

With the same series of certificate:
When I successfully connect from an Iphone:

aug/22 16:05:54 ipsec ike auth: respond 
aug/22 16:05:54 ipsec processing payload: ID_I 
aug/22 16:05:54 ipsec ID_I (FQDN): My_Client_Cert 
aug/22 16:05:54 ipsec processing payload: ID_R 
aug/22 16:05:54 ipsec ID_R (FQDN): my.server.com 
aug/22 16:05:54 ipsec processing payload: AUTH 
aug/22 16:05:54 ipsec processing payload: CERT 
aug/22 16:05:54 ipsec got CERT: CN=My_Client_Cert,OU=My_Client_Cert 
aug/22 16:05:54 ipsec requested server id: my.server.com
[...]
aug/22 16:05:54 ipsec IKE Protocol: ESP 
[...]
aug/22 16:05:54 ipsec ike auth: finish 
aug/22 16:05:54 ipsec ID_R (FQDN): my.server.com 
aug/22 16:05:54 ipsec processing payload: NONCE 
aug/22 16:05:54 ipsec cert: CN=my.server.com 
aug/22 16:05:54 ipsec adding payload: CERT 
aug/22 16:05:54 ipsec cert: CN=intermediateCA.my.server.com 
aug/22 16:05:54 ipsec adding payload: CERT 
aug/22 16:05:54 ipsec cert: CN=rootCA 
aug/22 16:05:54 ipsec adding payload: CERT 
aug/22 16:05:54 ipsec adding payload: ID_R 
aug/22 16:05:54 ipsec adding payload: AUTH

When I attempt to connect from Windows with a machine certificate:

03:52:29 ipsec ike auth: respond 
03:52:29 ipsec processing payload: ID_I 
03:52:29 ipsec ID_I (DER DN): CN=My_Client_Cert,OU=My_Client_Cert 
03:52:29 ipsec processing payload: ID_R (not found) 
03:52:29 ipsec processing payload: AUTH 
03:52:29 ipsec processing payload: CERT 
03:52:29 ipsec got CERT: CN=My_Client_Cert,OU=My_Client_Cert 
03:52:29 ipsec,error identity not found for peer: DER DN: CN=My_Client_Cert,OU=My_Client_Cert 
03:52:29 ipsec reply notify: AUTHENTICATION_FAILED

When I attempt to connect with a local certificate from Windows:

03:53:43 ipsec ike auth: respond 
03:53:43 ipsec processing payload: ID_I 
03:53:43 ipsec ID_I (ADDR4): 192.168.123.100 
03:53:43 ipsec processing payload: ID_R (not found) 
03:53:43 ipsec processing payload: AUTH (not found) 
03:53:43 ipsec,error identity not found for peer: ADDR4: 192.168.123.100 
03:53:43 ipsec,error identity not found for peer: ADDR4: 192.168.123.100 
03:53:43 ipsec reply notify: AUTHENTICATION_FAILED 
03:53:43 ipsec adding notify: AUTHENTICATION_FAILED

So it appears that at least with a machine certificate a proper certificate is presented while it is not with a local certificate as McSee indicated.

However, the main difference I see between the iPhone and Windows is that the iphone present:
ipsec ID_I (FQDN): My_Client_Cert
ipsec ID_R (FQDN): my.server.com

while Windows does not seem to send the ID_R as I got ID_R (not found).

Looks like you explicitly set my-id for an identity instead of leaving it at auto (it’s My ID type in WinBox).
So it should match to ID_R that a client presents.
If that’s the case try to set it to auto .

I have set up as follow:
remote id type= auto
match by=certificate


I also tried with match by id with all the different remote id type

I’m afraid @McSee might have in mind the own ID at Mikrotik side, which it uses to match the ID-R received from the initiator. So double-check that you have my-id in the identity row set to auto. I’ve tested here and I have no issue although the log shows that the Windows client sends, like in your case, no ID-R at all and ID-I as DER DN:

14:34:35 ipsec payload seen: ID_I
14:34:35 ipsec payload seen: CERT
14:34:35 ipsec payload seen: CERTREQ
14:34:35 ipsec payload seen: AUTH
14:34:35 ipsec payload seen: NOTIFY
14:34:35 ipsec payload seen: CONFIG
14:34:35 ipsec payload seen: SA
14:34:35 ipsec payload seen: TS_I
14:34:35 ipsec payload seen: TS_R
14:34:35 ipsec ike auth: respond
14:34:35 ipsec processing payload: ID_I
14:34:35 ipsec ID_I (DER DN): CN=w10-nb,C=tv,ST=,L=here,O=me,OU=mikrotik,SN=
14:34:35 ipsec processing payload: ID_R (not found)
14:34:35 ipsec processing payload: AUTH
14:34:35 ipsec processing payload: CERT
14:34:35 ipsec got CERT: CN=w10-nb,C=tv,ST=,L=here,O=me,OU=mikrotik,SN=

Unlike in your case, there are no complaints on inability to find the identity. However, on his machine I’m running 6.44.3, so it is not excluded that there is some regression in newer versions. There is also a similar topic from March/6.44.1 which is marked as SOLVED but continues by an open end.

You’re right. With the own ID to auto it does connect…
Thanks

Now I need to figure out why this difference behavior between iOS and Windows.
Also, I still need to fix the routing issue as windows does not get any gateway set up.

If you mean the difference at Tik side, it is because iOS does send ID-R while Windows don’t.

Have you specified any list of networks in split-include of the mode-config to which the identity row points? Beware - for Windows, the split-include may contain several subnets, but iOS reportedly only accepts the first one, and it cannot be 0.0.0.0/0.

Yes I am aware of the split include limitation on Windows.

My issue was from my firewall rules. I had the VPN issue an IP from a dhcp pool that was managed by bridge rules, but obviously the ipsec connection is not an interface and not attached to a bridge. I had to add a new rule for the IP subnet.

Yes, the payload packets coming via an IPsec SA are seen by the firewall as coming from the same interface through which the SA’s transport packets carrying them came in. So in order to let the DHCPINFORM reach the DHCP server process, a permissive rule for protocol=udp dst-port=67 must match on src-address and/or on in-interface(-list) together with ipsec-policy=in,ipsec.

I now have another problem with Windows. When attempting to use a second VPN connection to another Mikrotik with a different intermediate CA, I have the known problem of WIndows presenting the wrong certificate (the one of the first vpn connection) and refusing the authentication.

To avoid this issue, I am supposed in Power Shell to add to the VPN settings, which issuing authority certificate should be use for the connection by using the command (in my case the client certificate is issued by the intermediate CA):

Set-VpnConnection -Name "VPN_connection_name" -MachineCertificateIssuerFilter "path_to_intermediateCA.cer_file"

I checked in the Windows log that the indeed, the intermediate CA certificate thumbprint was added to the filter of the vpn connection.
The client certificate, intermediate certificate and root certificate are in the machine certificate store.

However, when I attempt to connect, Windows does not even try to reach the server and return the error:
“Can’t connect: an array that must contain at least one element is zero length.”

Any suggestions?

I do it !
Windows 10 clients and iOS 13 clients can connect at the same time.
Thanks all for suggestions.
Special thanks to this man: https://directaccess.richardhicks.com/2018/12/10/always-on-vpn-ikev2-security-configuration/

My settings:
Certificates:
3650 days, key usage: all with ‘ipsec’ in name,
CA is self signed certificate with IP address in subjectAltName
server certificate with CN and subjectAltName as DNS:some.host.com, signed by CA
iOS remote certificate with CN and subjectAltName as some email, signed by CA
Windows10 remote certificate with CN and subjectAltName as WINDOWS_COMPUTER_NAME, signed by CA

Mikrotik side:
Policy: default
Proposals: default with Auth.alg. selected sha1,sha256, Encr. Alg. selected 3des,aes256, PFS: modp1024
Peers: default with “Passive” checked and “IKE2” exchange mode selected
Identities:
Iphone: default peer selected, auth method digital signature, server certificate with CN and subjectAltName as DNS:some.host.com, remote certificate with CN and subjectAltName as some email, My ID and remote ID type = auto, match by: certificate, generate policy: port strict
Windows10: default peer selected, auth method digital signature, server certificate with CN and subjectAltName as DNS:some.host.com, remote certificate with CN and subjectAltName as WINDOWS_COMPUTER_NAME, My ID and remote ID type = auto, match by: certificate, generate policy: port strict
Profiles: default with Hash sha256, Encr.alg 3des,aes128,aes256, DH group modp1024,modp2048, proposal check: obey, nat traversal checked
Mode configs: default with “Responder” checked, some address pool selected, and static DNS selected with IP address of router.

iOS side:
both CA and user certificates must be installed
VPN type: IKEv2
Server: ip or dns name of server
Remote ID: dns name of VPN server (i have one; you can enter IP address here but in this case you must re-create server certificate with IP address as subjectAltName)
Local ID: not needed
User Auth: none
Use certificate: yes
Certificate: select client certificate with email as subjectAltName
Proxy: off

Windows10side:
CA cert must be installed as trusted root certificate (i have installed in local machine store and in user store also)
Windows10 client certificate with CN and subjectAltName = WINDOWS_MACHINE_NAME must me installed in local machine cert store (not the user store).
Type of VPN: IKEv2
Data encryption: require
Auth: use machine certificate

Hi. Did anyone find solution for the “An array that must contain at least one element is zero length.” when you try to connect ?

So, do I need to import both the CA cert and the client cert?