I am testing this option on 6.44 but I can't get it to work with the Windows integrated IKEv2 client. I guess there are just two viable options for IKEv2 road warrior authentication methods:
- rsa signature
- eap radius
The basic problem of rsa signature with Windows clients is that you have to set Windows client authentication to "Use machine certificates". And then it picks one (I don't know how it decides). As long as you have only one personal certificate in the machine store, you are OK. If you have more, you are in trouble. Another problem of using machine certificates on Windows is that you can't set the server identity. This makes it impossible to use two different identities with the server (my) identity set as fqdn. The following works fine with the strongSwan client on Android. I have two profiles and one puts me into the pool set by one mode-config and the other into the one set by the other mode-config.
/ip ipsec identity
add auth-method=rsa-signature certificate=guestvpn.xxxxxx.yy generate-policy=port-strict mode-config=\
ikev2rw-guests my-id=fqdn:guestvpn.xxxxxx.yy peer=ikev2rw policy-template-group=ikev2rw-guests
add auth-method=rsa-signature certificate=vpn.xxxxxx.yy generate-policy=port-strict mode-config=ikev2rw \
my-id=fqdn:vpn.xxxxxx.yy peer=ikev2rw policy-template-group=ikev2rw
But on Windows (with only one certificate imported in machine store) I get "IKE authentication credentials are unacceptable" message. And in router log I get ipsec error "identity not found for peer: DER DN: mycert.vpn.xxxxxx.yy".
If I disable one identity and set my-id to auto then Windows connects.
If I set the my-id of the disabled identity to auto and try to enable it I get the error "Couldn't change IPsec Identity <ikev2rw> - a matching identity already exists".
The problem of using RADIUS and multiple identities is even less understandable to me because you actually have only one set of conditions to validate a user. But I admit I am not very experienced in working with RADIUS and maybe I am totally missing something.
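The following is an added illustration, not code from the poster or from RouterOS: a small Python model of how an IKEv2 responder with several identities on one peer has to choose between them. What the model takes from the protocol is that RFC 7296 lets the initiator omit the IDr payload in IKE_AUTH, which is the case for a Windows machine-certificate client that cannot set a server identity; the exact selection and duplicate-detection rules below, the identity names, and the `example.test` host names are assumptions and constructed placeholders, and the log strings only mirror the wording quoted in the post.

```python
"""
Constructed model of IKEv2 responder identity selection.  Not RouterOS code:
the selection and duplicate rules are assumptions.  Grounded in the protocol:
RFC 7296 lets the initiator omit IDr in IKE_AUTH, so a responder holding
several identities for one peer must pick one from IDi/IDr alone.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Identity:
    """One identity entry (only the fields that matter for matching)."""
    name: str
    peer: str
    my_id: str                 # "auto" or "fqdn:<name>"
    mode_config: str
    disabled: bool = False


@dataclass(frozen=True)
class IkeAuthRequest:
    """What the responder learns from the initiator's IKE_AUTH."""
    peer: str
    idi: str                   # initiator identity, e.g. "DER DN: <client cert subject>"
    idr: Optional[str] = None  # requested server FQDN; None if the client cannot set one


class DuplicateIdentity(Exception):
    pass


def add_identity(table: List[Identity], new: Identity) -> List[Identity]:
    """Assumed rule: two enabled identities on one peer must be distinguishable by
    my-id; my-id=auto matches any requested name, so it clashes with any other entry."""
    for existing in table:
        if existing.disabled or existing.peer != new.peer:
            continue
        if "auto" in (existing.my_id, new.my_id) or existing.my_id == new.my_id:
            raise DuplicateIdentity(
                f"Couldn't change IPsec Identity <{new.peer}> - a matching identity already exists")
    return table + [new]


def select_identity(table: List[Identity], req: IkeAuthRequest) -> Optional[Identity]:
    """Return the identity the responder would authenticate with, or None."""
    candidates = [i for i in table if not i.disabled and i.peer == req.peer]
    if not candidates:
        return None
    if req.idr is not None:
        # An exact FQDN match wins; an 'auto' entry accepts any requested name.
        exact = [i for i in candidates if i.my_id == f"fqdn:{req.idr}"]
        if exact:
            return exact[0]
        auto = [i for i in candidates if i.my_id == "auto"]
        return auto[0] if auto else None
    # No IDr sent: only unambiguous with a single candidate or a single 'auto' entry.
    if len(candidates) == 1:
        return candidates[0]
    auto = [i for i in candidates if i.my_id == "auto"]
    return auto[0] if len(auto) == 1 else None


def responder_log(table: List[Identity], req: IkeAuthRequest) -> str:
    """Log line in the style quoted in the post (constructed wording)."""
    chosen = select_identity(table, req)
    if chosen is None:
        return f"identity not found for peer: {req.idi}"
    return f"peer {req.peer} matched identity {chosen.name}, mode-config {chosen.mode_config}"


# Constructed table mirroring the two-identity setup in the post (placeholder domain).
GUEST = Identity("guests", "ikev2rw", "fqdn:guestvpn.example.test", "ikev2rw-guests")
STAFF = Identity("staff", "ikev2rw", "fqdn:vpn.example.test", "ikev2rw")
TABLE = add_identity(add_identity([], GUEST), STAFF)

# strongSwan on Android sets the server identity per profile, so IDr is present.
ANDROID_GUEST = IkeAuthRequest("ikev2rw", "DER DN: phone.example.test", idr="guestvpn.example.test")
# Windows with machine certificates cannot set a server identity: no IDr.
WINDOWS = IkeAuthRequest("ikev2rw", "DER DN: mycert.vpn.example.test")

if __name__ == "__main__":
    print(responder_log(TABLE, ANDROID_GUEST))
    print(responder_log(TABLE, WINDOWS))
    # Workaround described in the post: one identity left, with my-id=auto.
    print(responder_log([Identity("staff", "ikev2rw", "auto", "ikev2rw")], WINDOWS))
```

Run as a script it prints the Android request matching the guest identity, the Windows request producing the "identity not found for peer" line, and the single-identity workaround succeeding; trying `add_identity` with a second `auto` entry on the same peer raises the "matching identity already exists" error modelled from the post.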