On the Windows side, we get our friend "The IKE credentials are unacceptable" with the matching Event Viewer log 13801.
On the router side, everything appears to be connected. Active peer, PH2, installed SAs, dynamic policy template generates static policy. Everything looks normal in the router, nothing connected on the Windows side. I'm having trouble figuring out where to go next, since the whole exchange appears to go off flawlessly from the router side but appears as if there's a key problem on the Windows side.
From RouterOS:
/ip ipsec active-peers print
0 RN CN=user@vpn.ike2.... established 1m3s 1 11.22.33.44 10.0.88.53
/ip ipsec installed-sa print
Flags: H - hw-aead, A - AH, E - ESP
0 HE spi=0xCDCD94D src-address=11.22.33.44:11956 dst-address=44.33.22.11:4500 state=mature auth-algorithm=sha1 enc-algorithm=aes-cbc enc-key-size=256 auth-key="b420b2871a265ab356e50cb038595195c26c7d6c"
enc-key="6e2ab853ce4e37ca05fcda5a4fedf81ef24da9f47c85f10426c3e4b8919f2f93" add-lifetime=6h24m6s/8h8s replay=128
1 HE spi=0x6C180EBE src-address=44.33.22.11:4500 dst-address=11.22.33.44:11956 state=mature auth-algorithm=sha1 enc-algorithm=aes-cbc enc-key-size=256 auth-key="c733dfc43b074faa0fdc61b8fbe21fd256d837b1"
enc-key="d9f6a8599568d6676cad52ea1632d8c1c4a9d1216ba2ee3eeff49c6c3fb8a9c8" add-lifetime=6h24m6s/8h8s replay=128
/ip ipsec policy print
Flags: T - template, B - backup, X - disabled, D - dynamic, I - invalid, A - active, * - default
# PEER TUNNEL SRC-ADDRESS DST-ADDRESS PROTOCOL ACTION LEVEL PH2-COUNT
0 T * ::/0 ::/0 all
1 T 0.0.0.0/0 10.0.88.0/24 all
2 DA peer 68.99.70.68 yes 0.0.0.0/0 10.0.88.59/32 all encrypt unique 1
3 T 172.25.101.0/24 172.25.102.0/24
Auth algorithms are set considerably lower in these screenshots than the initial or hopefully final configuration, as I've changed them several times looking for a set that works.