kaosmonk
just joined
Topic Author
Posts: 5
Joined: Sun Jan 06, 2019 7:14 pm

IKEv2 multiple clients

Sun Jan 06, 2019 8:13 pm

Hi guys,

I am not that well versed in networks and I might be missing something obvious, but I would really appreciate some assistance with my IKEv2 setup. If I fail to provide any information, do not hesitate to ask for it, since I have already spent days trying to troubleshoot this and, as I have said, it seems like I am missing some pretty basic stuff, but I am lost and thus I'd appreciate some assistance.

What I am trying to set up is a Road Warrior VPN setup based on IKEv2 RSA auth, basically what's been portrayed [here](https://wiki.mikrotik.com/wiki/Manual:I ... entication).

On my RB750Gr3 I am running ROS 6.42.6.

My setup looks like this atm:

    [ multiple clients ] ------ [ Internet ] ------ [ ISP router box ] ------ [ RB750Gr3 ]

To elaborate on this setup a bit. I want to be able to connect to my home network and reach the resources I am running in there via multiple clients when on the run. Multiple clients are different macbook laptops, android/iphone mobile phones, etc. My *Home router box* needs to stay there and it gets the public IP address from my ISP. From there I am doing NAT for all the required ports to my mikrotik router in order to establish VPN. So my VPN server is behind NAT. Clients on the other hand may or may not be behind the same NAT, but I believe that's not important right now (but it's worth mentioning since I read that clients sharing the same public IP (being behind the same NAT) can't establish VPN at the same time, because it's not supported by the protocols... but that should only apply to l2tp, right?).

So I have followed the aforementioned manual and, with some struggle here and there, I was able to establish the VPN connection between my Mac and the mikrotik. Then I decided to try the same with my other macbook laptop, and what I did is that I only replicated the steps for creating, signing and trusting the new certs, which I successfully exported and then imported and fully trusted on my second macbook, and then I also created a new Ipsec Peer config for this second macbook. I tried to connect by following the same setup as with the previous macbook, but all I got is the error message in the mikrotik logs saying:

    RSASIG verification failed
    peer failed to authorize...

and on the macbook end I received "User authentication failed". I thought that might be because my first macbook was still connected to the VPN when I tried connecting with the second one, so I disconnected the first, then tried connecting again with my second macbook, but got the same error message.

Then I started reading, trying out options, etc. etc... At some point I generated, signed and trusted a completely new set of certs for my second macbook, imported and trusted them on that second macbook, tried to establish a VPN and voila! I was able to run it with success.

But then I tried establishing the VPN with my first Mac and received the aforementioned error log msg... And that's the current state of things.

I am not sure what's the problem here but it seems like I can't run more than one VPN tunnel at the same time? It's worth mentioning that I have tried establishing VPN connections when my macbooks were behind the same NAT and on completely different networks to no avail. I can't seem to be able to pass beyond that RSASIG error message.

This should signal that something related to my certs does not work, but I am not able to figure it out on my own. Here's the important part of my config that might share some more insights into how I have configured this:

/ip ipsec policy group
add name=ikev2
/ip ipsec proposal
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc name=ikev2-proposal pfs-group=none
/ip pool
add name=ikev2-pool ranges=192.168.63.10-192.168.63.20
/ip ipsec mode-config
add address-pool=ikev2-pool address-prefix-length=32 name=ikev2-cfg split-include=192.168.63.0/24 static-dns=8.8.8.8 system-dns=no
/ip ipsec peer
add address=0.0.0.0/0 auth-method=rsa-signature certificate=my.domain.com dh-group=modp2048 dpd-interval=1h enc-algorithm=aes-256 exchange-mode=ike2 generate-policy=port-strict \
    hash-algorithm=sha256 lifetime=1h mode-config=ikev2-cfg my-id=fqdn:my.domain.com passive=yes remote-certificate=client1 send-initial-contact=no
add address=0.0.0.0/0 auth-method=rsa-signature certificate=my.domain.com dh-group=modp2048 dpd-interval=1h enc-algorithm=aes-256 exchange-mode=ike2 generate-policy=port-strict \
    hash-algorithm=sha256 lifetime=1h mode-config=ikev2-cfg my-id=fqdn:my.domain.com passive=yes policy-template-group=ikev2 remote-certificate=client2 send-initial-contact=no
/ip ipsec policy
add comment=IKEv2 dst-address=192.168.63.0/24 group=ikev2 proposal=ikev2-proposal src-address=0.0.0.0/0 template=yes

So there's a separate dhcp pool for clients coming from the VPN, and each has its own ipsec peer defined.

Could it be that I cannot generate multiple policies from the same template? Because 2 policies can't have the 0.0.0.0/0 set for the source address? Or that all the clients are sharing the same mode-config?

I have switched on some ipsec logging but that does not tell me much...

tl;dr I would like to be able to connect multiple clients (sitting somewhere in the public and when I am on the go) to my home network via VPN. If there's a certain limitation on the protocol level that won't allow me to run multiple clients that are sitting behind the same NAT, I would even be satisfied with a solution where I would be able to have at least one client connected to my home network (that's usually sufficient), but when I disconnect that client I'd like to be able to connect to the VPN with some other device/client (something that I am not able to do with my current setup, since I am receiving that err msg).

I am open to any leads, insights/rtfm's, suggestions, anything that would allow me to run this setup in any of the desired and explained scenarios.

Thank you guys in advance!
 
kaosmonk
just joined
Topic Author
Posts: 5
Joined: Sun Jan 06, 2019 7:14 pm

Re: IKEv2 multiple clients

Tue Jan 08, 2019 1:59 pm

I do not get it. I can't make it work with multiple devices. At the moment I am only able to connect with one device, and if I try with any other I get that RSASIG error msg.

Like it caches the cert of the client that managed to connect once and then it won't let any other client with a different cert connect. Either that or I do not get where the issue is.

At this point I'd be satisfied to enable multiple clients to connect to the IKEv2 VPN with their own RSA certs one at a time. I am not even looking at having multiple simultaneous VPN connections, but just an option to enable whatever device to connect to the VPN if it has the correct cert.
 
eworm
Forum Guru
Posts: 1071
Joined: Wed Oct 22, 2014 9:23 am
Location: Oberhausen, Germany

Re: IKEv2 multiple clients  [SOLVED]

Tue Jan 08, 2019 2:07 pm

I think your problem is that you have two peers, and only the first is matched. Try:

    /ip ipsec peer remove [ find where remote-certificate=client1 ];
    /ip ipsec peer set remote-certificate="" [ find ];
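For reference, this is the posted configuration with the suggested fix applied, as an added example (not from either poster): one catch-all peer with remote-certificate=none, so the router authenticates any client whose certificate chains to the CA it trusts, and the peer's policy-template-group set to match the template policy's group=ikev2. Names (ikev2, my.domain.com, ikev2-cfg) are taken from the thread.

```routeros
# In RouterOS 6.42 incoming IKEv2 connections are matched against the peer
# list by address. Both posted peers had address=0.0.0.0/0, so only the first
# was ever selected and its remote-certificate=client1 rejected every other
# client with "RSASIG verification failed". One peer is therefore enough.
/ip ipsec policy group
add name=ikev2
/ip ipsec proposal
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc name=ikev2-proposal pfs-group=none
/ip pool
add name=ikev2-pool ranges=192.168.63.10-192.168.63.20
/ip ipsec mode-config
add address-pool=ikev2-pool address-prefix-length=32 name=ikev2-cfg split-include=192.168.63.0/24 static-dns=8.8.8.8 system-dns=no
/ip ipsec peer
# remote-certificate=none: the client is still authenticated by its RSA
# signature, and its certificate must be issued by a CA trusted on the
# router. A certificate signed by any other CA is refused (as confirmed
# later in the thread), so no per-client peer entry is needed.
# policy-template-group=ikev2 is required so that generate-policy finds the
# template below, which belongs to group ikev2 rather than the default group.
add address=0.0.0.0/0 auth-method=rsa-signature certificate=my.domain.com dh-group=modp2048 dpd-interval=1h enc-algorithm=aes-256 exchange-mode=ike2 generate-policy=port-strict hash-algorithm=sha256 lifetime=1h mode-config=ikev2-cfg my-id=fqdn:my.domain.com passive=yes policy-template-group=ikev2 remote-certificate=none send-initial-contact=no
/ip ipsec policy
add comment=IKEv2 dst-address=192.168.63.0/24 group=ikev2 proposal=ikev2-proposal src-address=0.0.0.0/0 template=yes
```

Revoking a client's certificate on the router's CA is then the way to lock a single device out, since the CA, not the peer entry, decides which clients are accepted.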
 
kaosmonk
just joined
Topic Author
Posts: 5
Joined: Sun Jan 06, 2019 7:14 pm

Re: IKEv2 multiple clients

Tue Jan 08, 2019 2:24 pm

@eworm, thanks for the suggestion! I really appreciate that you ran through my post, which might be all upside down...

I am on the move unfortunately, but will be able to try this out in an hour from now.

But let me ask you one thing... if I do what you have suggested... then how will the peer identify/auth itself if I do not specify a `remote-cert`? I might be going completely bonkers here, but I thought I should have a `peer` entry for each client that I would like to let into my home network? Or I might be wrong?
 
eworm
Forum Guru
Posts: 1071
Joined: Wed Oct 22, 2014 9:23 am
Location: Oberhausen, Germany

Re: IKEv2 multiple clients

Tue Jan 08, 2019 2:28 pm

The peer certificate is issued by a CA on your device, which only accepts trusted certificates it issued itself.
 
kaosmonk
just joined
Topic Author
Posts: 5
Joined: Sun Jan 06, 2019 7:14 pm

Re: IKEv2 multiple clients

Wed Jan 09, 2019 6:20 pm

@eworm, your suggestion was spot on!

As soon as I removed the `remote-certificate` (set it to `none`) and removed the second peer, I was able to connect to the VPN with any imaginable client, as long as that client authenticated itself with a client cert signed by the mikrotik CA!

I tried connecting using a cert not signed by the mikrotik CA and I was not let in. I believe the same would apply if I revoked the cert in mikrotik: the client using it would then fail to connect to the VPN? (I am just going to try this.)

But I believe I am on the right track for now thanks to you, and that I can move forward now and experiment with different setups.

Thanks a lot, highly appreciated!
 
bekax5
Member Candidate
Posts: 110
Joined: Thu Apr 30, 2015 11:27 pm

Re: IKEv2 multiple clients

Sun Feb 03, 2019 5:24 pm

Hi!
I am running the exact same setup and was dealing with the same issue, and by assigning none to the remote certificate it now accepts all clients. :) Thanks!

However, would it be possible to distinguish peers only by the remote certificate?
Assuming I'd just like to have different mode-configs for different clients.

My issue is that my 4G clients all have dynamic IPs and I have to use src address 0.0.0.0/0 for all of them.
 
kaosmonk
just joined
Topic Author
Posts: 5
Joined: Sun Jan 06, 2019 7:14 pm

Re: IKEv2 multiple clients

Sun Feb 03, 2019 5:44 pm

The way I understand it is that an incoming request is checked and matched against the first peer rule. Like it won't propagate through the list of peer rules if you have several of them.
I guess the only way would be to create distinct VPN subnets/policy/mode-config for each of your clients, but I will let more experienced forum members weigh in here.
Even though I was able to resolve this issue by implementing the suggested solution, it would be great to auth each client by its own cert nevertheless.
