ocgltd
Member Candidate
Topic Author
Posts: 112
Joined: Sun Sep 02, 2012 12:53 am
Location: Ontario, Canada

Win10 IKE VPN authentication "credentials are unacceptable"

Wed Feb 16, 2022 4:25 am

I have a Mikrotik set up as an IKE VPN server as described below. Testing with an Android phone as client (using StrongSwan) succeeds and works great, but using the exact same config & certs on a Win10 machine yields a "Credentials are unacceptable" error on the client. With limited access to an external network at work, I'm trying to diagnose this from the Win10 side exclusively tonight at home. My Win10 uses MS client / IKE / Certificate authentication / UN & PW blank.

My server (DNS name vpn.mydomain.com) contains certs for:
1. "mydomain CA" (certificate authority), LT, since I run my own CA
2. "vpn-client-group-1", KT, this is the cert the client is connecting with (with Key on this end)
3. "vpn.mydomain.com", KT, this cert has Alt name DNS:vpn.mydomain.com (and includes key)

My client contains certs for:
1. "mydomain CA" (certificate authority), LT, since I run my own CA
2. "vpn-client-group-1", KT, for connecting (with key on this end)
3. No other local/user certs installed

Since an Android client connects with the exact same parameters, this seems to be something on the Win10 end. I found one post suggesting I create a cert for each machine with subjectAltName = WINDOWS_MACHINE_NAME. (viewtopic.php?p=746523) Yet others say that isn't necessary, and I already have my and remote ID set to auto for the IPsec identity. My Win10 computer has only a single cert added (vpn-client-group-1), aside from my CA cert, and only a single IPsec VPN setup.

I found this doc: https://help.mikrotik.com/docs/display/ ... figuration so I ensured my Proposal includes the required auth & encr algorithms. I also ensured my root CA and client cert are installed in the local machine store as suggested.

Is there a definitive guide on how to set up a Win10 client for certificate authentication to a Mikrotik IKEv2?
 
ocgltd
Member Candidate
Topic Author
Posts: 112
Joined: Sun Sep 02, 2012 12:53 am
Location: Ontario, Canada

Re: Win10 IKE VPN authentication "credentials are unacceptable" [SOLVED]

Wed Feb 23, 2022 11:02 pm

For anyone else trying to solve this...

Under Win10 you set up your whole VPN connection using the Network & Internet Settings > VPN page.

However, once you are done, go back to Network & Internet Settings and right click the IKE interface created by your VPN connection. In there you must change the setting to "machine certificate". If you don't do this it won't work.
 
Znevna
Forum Guru
Posts: 1352
Joined: Mon Sep 23, 2019 1:04 pm

Re: Win10 IKE VPN authentication "credentials are unacceptable"

Wed Feb 23, 2022 11:06 pm

2nd screenshot / 2nd row from the link you posted, "Windows Client Configuration" captures exactly that, "use machine cert" checked.
Even in writing:
"You can now proceed to Network and Internet settings -> VPN and add a new configuration. Fill in the Connection name, Server name, or address parameters. Select IKEv2 under VPN type. When it is done, it is necessary to select "Use machine certificates". This can be done in Network and Sharing Center by clicking the Properties menu for the VPN connection. The setting is located under the Security tab."
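
The fix described in the posts above, as an added PowerShell example that is not part of the original thread: it checks that the CA and client certificates sit in the local machine store and switches the IKEv2 connection to machine-certificate authentication. The connection name is hypothetical, and matching the thread's certificate names against the subject CN is an assumption.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell session.
$ConnName = 'MikroTik IKEv2'       # hypothetical connection name
$Server   = 'vpn.mydomain.com'     # server DNS name used in the thread
$ClientCN = 'vpn-client-group-1'   # client cert name from the thread (assumed to be the CN)
$CaCN     = 'mydomain CA'          # CA cert name from the thread (assumed to be the CN)

# 1. The client certificate must be in the Local Machine "Personal" store
#    and must carry its private key; a copy in the Current User store is
#    not used for machine-certificate authentication.
$client = @(Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "*CN=$ClientCN*" })
if ($client.Count -eq 0) {
    Write-Warning "No '$ClientCN' certificate in LocalMachine\My"
} elseif (@($client | Where-Object HasPrivateKey).Count -eq 0) {
    Write-Warning "'$ClientCN' is present but has no private key"
} else {
    $client | Format-List Subject, NotAfter, HasPrivateKey, Thumbprint
}

# 2. The private CA must be trusted at machine level as well.
$ca = @(Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -like "*CN=$CaCN*" })
if ($ca.Count -eq 0) {
    Write-Warning "CA '$CaCN' is not in LocalMachine\Root"
}

# 3. Create the connection with machine-certificate authentication, or
#    correct an existing one that was created through the Settings page.
$vpn = Get-VpnConnection -Name $ConnName -ErrorAction SilentlyContinue
if (-not $vpn) {
    Add-VpnConnection -Name $ConnName -ServerAddress $Server `
        -TunnelType Ikev2 -AuthenticationMethod MachineCertificate `
        -EncryptionLevel Required
} elseif ($vpn.AuthenticationMethod -notcontains 'MachineCertificate') {
    Set-VpnConnection -Name $ConnName -AuthenticationMethod MachineCertificate
}

# 4. Confirm the resulting settings.
Get-VpnConnection -Name $ConnName |
    Format-List Name, ServerAddress, TunnelType, AuthenticationMethod
```

After it runs, the last command should list `MachineCertificate` as the authentication method, which corresponds to the "Use machine certificates" option on the connection's Security tab.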
 
ocgltd
Member Candidate
Topic Author
Posts: 112
Joined: Sun Sep 02, 2012 12:53 am
Location: Ontario, Canada

Re: Win10 IKE VPN authentication "credentials are unacceptable"

Thu Feb 24, 2022 12:37 am

Is this in the Wiki? If so, is it in the right place? (Or are there multiple right places?)

Somehow I didn't find that.
