RouterOS 6.48.6 + IPSEC IKEv2
Posted: Wed Nov 29, 2023 9:31 pm
by m3a2r1
Hello, I'm using an RB4011 with ROS 6.48.6 and IPSEC IKEv2. Certificates are issued on Windows Server and uploaded to the router. It has worked correctly for the last 2 years, but 2 days ago I upgraded my servers from 2012R2 to 2022 and it stopped working. Can anybody help me fix it?
Re: RouterOS 6.48.6 + IPSEC IKEv2
Posted: Wed Nov 29, 2023 9:40 pm
by mkx
Where exactly does it break? Is it the upload phase or the certificate import phase? Describe how exactly you are doing the failing phase.
And a suggestion: upgrade ROS to latest long-term version (6.49.10).
Re: RouterOS 6.48.6 + IPSEC IKEv2
Posted: Wed Nov 29, 2023 10:30 pm
by m3a2r1
I can upload the certificate but the connection can't be established correctly - on the PC I get the message "IKE authentication credentials cannot be accepted", on ROS I see the connection established but with no traffic - it disappears after 2 minutes.
Re: RouterOS 6.48.6 + IPSEC IKEv2
Posted: Wed Nov 29, 2023 10:36 pm
by m3a2r1
When I upgraded Windows Server to 2022, all of the directly connected computers refreshed their certificates, and these computers can't connect to the VPN. All computers which didn't connect and didn't get a new certificate still work.
Re: RouterOS 6.48.6 + IPSEC IKEv2
Posted: Thu Nov 30, 2023 7:52 am
by oskarsk
Enable ipsec debug logging on ROS and you will see why it disappears after 2 minutes.
Use latest ROS version.
Re: RouterOS 6.48.6 + IPSEC IKEv2
Posted: Thu Nov 30, 2023 8:43 am
by m3a2r1
I've updated ROS to 6.49.10. There is nothing readable in log after 2 minutes.
Re: RouterOS 6.48.6 + IPSEC IKEv2
Posted: Thu Nov 30, 2023 11:35 am
by mkx
I can upload the certificate but the connection can't be established correctly ...
I'd say that it has something to do with the key type used in the certificate. ROS v6 is pretty outdated with regard to support of security features (encryption protocols, key types, etc.) and it could be that recent Windows servers deprecated use of older security features while ROS v6 doesn't support the (now) required newer ones.
If you can afford doing it, upgrade your router to v7 (7.12.1 is latest stable at the time being) and see if things improve for you. Beware that upgrade from v6 to v7 can cause some hiccups, so prepare yourself for some (extended) downtime.
Alternatively, you can try to manually enable use of deprecated security features on Windows machines to see if it helps. This probably won't help if the reason for problems is the certificate, generated by Windows, and thus unusable in ROS. Which actually seems to be the case as the only change in VPN clients is use of newer certificates ...
Re: RouterOS 6.48.6 + IPSEC IKEv2
Posted: Thu Nov 30, 2023 9:49 pm
by m3a2r1
I'll try with CHR in a lab, only with IKE2 functionality. When it works, I'll set up CHR only as a VPN server, not a router. I have no time for downtime after upgrading ROS to 7.x.
Re: RouterOS 6.48.6 + IPSEC IKEv2
Posted: Fri Dec 01, 2023 2:06 pm
by m3a2r1
I've tested IKE2 on CHR 7.12.1 - it works with certificates generated by Mikrotik but doesn't work with certificates from Windows.
Re: RouterOS 6.48.6 + IPSEC IKEv2
Posted: Fri Dec 15, 2023 10:18 am
by taksa
Is it possible to tell how you set up the issuance of certificates on the Windows server (with what keys) so that MikroTik (IKEv2) would work with them?