Community discussions

Search found 9 matches

by krwi
Sat Oct 28, 2017 7:07 pm
Forum: General
Topic: IPSec: CRL has expired
Replies: 3
Views: 2960

Re: IPSec: CRL has expired

Strange, I imported one of the clients' certificates on MikroTik and the VPN started working again! Even after I deleted this certificate and restarted the router, I can still connect. Even more strange is that all of the clients can now connect, not only the one with the previously uploaded certificate! But in ipsec log...

by krwi
Thu Oct 26, 2017 10:08 pm
Forum: General
Topic: IPSec: CRL has expired
Replies: 3
Views: 2960

Re: IPSec: CRL has expired

Thanks for the reply, the CRL has already been renewed, as you can see on the screenshot from the previous post: CRL is valid until 25 Nov.
Clock is synchronized by NTP. But MikroTik is still rejecting connections. I have no idea what could be wrong, maybe a bug in RoS?

by krwi
Thu Oct 26, 2017 10:01 pm
Forum: Beginner Basics
Topic: dstnat and local (from router) packet
Replies: 2
Views: 1148

Re: dstnat and local (from router) packet

Thanks for the explanation, looks like the MikroTik firewall is quite different from Linux iptables, where OUTPUT traffic passes through the NAT table and changing the dst ip address in packets generated on localhost is easy (e.g. when pinging 1.1.1.1, packets go to 2.2.2.2). Another example, how force local traffic t...

by krwi
Thu Oct 26, 2017 6:18 pm
Forum: General
Topic: IPSec: CRL has expired
Replies: 3
Views: 2960

IPSec: CRL has expired

I have an IPSec VPN IKEv2 setup for Roadwarrior clients with cert auth, and for a few months this worked quite well. But now MikroTik started refusing connections, in the logs there are "CRL has expired(12) at depth:0" and "can't verify peer's certificate from store". CRL URL from my CA c...

by krwi
Sun Oct 22, 2017 8:03 pm
Forum: Beginner Basics
Topic: dstnat and local (from router) packet
Replies: 2
Views: 1148

dstnat and local (from router) packet

I need to change the dst address in some outgoing connections originated from the router itself (e.g. fetch command): chain=dstnat action=dst-nat to-addresses=some_ip protocol=tcp dst-address=some_ip src-address-type=local dst-port=80 log=no log-prefix="" but it is not working, any packets hitting this ...

by krwi
Fri Aug 25, 2017 8:36 pm
Forum: General
Topic: IPSec ignoring CRL
Replies: 1
Views: 784

Re: IPSec ignoring CRL

I have the latest RouterOS v6.40.2.

by krwi
Fri Aug 25, 2017 8:34 pm
Forum: General
Topic: IPSec ignoring CRL
Replies: 1
Views: 784

IPSec ignoring CRL

I have an IPSec VPN setup with IKEv2 and RSA sign. auth. method, PKI infrastructure was on a different Linux host. I have imported the CA cert on MikroTik and added the CRL URL. All works fine except CRL: revoked certificates can still connect. Is it a bug or did I miss something? On Certificates->CRL WinBox window ...

by krwi
Fri Aug 25, 2017 6:18 pm
Forum: General
Topic: IKEv2 with Windows: Required to import user cert to local computer (instead of user cert store)?
Replies: 1
Views: 1436

Re: IKEv2 with Windows: Required to import user cert to local computer (instead of user cert store)?

EAP with RADIUS is implemented and working only with the cert installed in the User Store (in this mode Windows searches for the certificate only in the user store).

by krwi
Mon Aug 21, 2017 3:52 pm
Forum: Beginner Basics
Topic: Routing mark and packet sniffer issue
Replies: 2
Views: 1525

Re: Routing mark and packet sniffer issue

I have a similar issue, did you manage to solve it?