IKE authentication credentials are unacceptable

The error looks a little bit different from our routers side:

oct/16 10:50:55 ipsec,error identity not found for peer: DER DN: CN=1114XXXXX,C=,ST=,L=,O=,OU=,SN=1114XXXXX

There might be multiple certificates installed to your machine and Windows is unable to select the proper certificate for authentication (If you didn’t install any certificates in your computer the above error is most likely not related to this article. Please follow the original setup of your VPN tutorial to complete this step). But don’t worry this is easy to fix. We can pin a certificate authority (CA) that has signed a certificate to a specific VPN connection.

First we need to have the CA certificate as a file on the clients machine. You can either export the CA-certificate from the computers certificate store (certmgr.exe) or you can download the file from your router or the location you have created the CA-Certificate, server-certificates and user-certificates.

Second step is to pin the CA-certificate to our VPN connection. Open PowerShell (do not open as “Administrator” since we want to set the certificate pinning in user context) and type in the following (please make sure you replace the VPN name and path to CA-certificate):

Set-VpnConnection -Name "My VPN" -MachineCertificateIssuerFilter 'C:\CA-files\my-ca.cer'

After you have completed the above steps your VPN should start working.

Der Beitrag IKEv2 VPN with routerOS and Windows 10/11: IKE authentication credentials are unacceptable erschien zuerst auf MEB-IT | Blog.

MikroTik removed “capsman forwarding” in wifiwave2 package thus the only option to seperate multiple networks from each other is using VLANs and local forwarding.

CAPsManager configuration:

/interface wifiwave2 configuration
add channel.band=2ghz-ax country=Germany datapath.client-isolation=no name=cap-master-2ghz security.authentication-types=wpa2-psk,wpa3-psk  .passphrase="1234567890" ssid=SSID-TEST
    
    
add channel.band=5ghz-ax country=Germany datapath.client-isolation=no name=cap-master-5ghz security.authentication-types=wpa2-psk,wpa3-psk  .passphrase="1234567890" ssid=SSID-TEST
    
    
add datapath.client-isolation=yes .vlan-id=99 name=cap-slave-guest security.authentication-types=wpa2-psk,wpa3-psk .passphrase="0987654321" ssid=SSID-TEST-GUEST
    
    
/interface wifiwave2
add configuration=cap-master-5ghz disabled=no name=cap-wifi1
add configuration=cap-master-2ghz disabled=no name=cap-wifi2
add configuration=cap-slave-guest disabled=no mac-address=4A:A9:8A:5C:B7:88 master-interface=cap-wifi1 name=cap-wifi3
add configuration=cap-slave-guest disabled=no mac-address=4A:A9:8A:5C:B7:89 master-interface=cap-wifi2 name=cap-wifi4


/interface wifiwave2 capsman
set enabled=yes interfaces=switch


/interface wifiwave2 provisioning
add action=create-enabled comment="hap ax2 01 2ghz" master-configuration=cap-master-2ghz radio-mac=48:A9:8A:5C:B7:89 slave-configurations=cap-slave-guest
add action=create-enabled comment="hap ax2 01 5ghz" master-configuration=cap-master-5ghz radio-mac=48:A9:8A:5C:B7:88 slave-configurations=cap-slave-guest
add action=create-disabled comment="create default disabled"

CAP configuration (hap ax²):

/interface wifiwave2
# managed by CAPsMAN
# mode: AP, SSID: SSID-TEST, channel: 5500/ax/Ceee
set [ find default-name=wifi1 ] configuration.manager=capsman datapath.bridge=switch disabled=no
# managed by CAPsMAN
# mode: AP, SSID: SSID-TEST, channel: 2462/ax/eC
set [ find default-name=wifi2 ] configuration.manager=capsman datapath.bridge=switch disabled=no
/interface wifiwave2 cap
set caps-man-addresses=172.16.254.254 certificate=request enabled=yes slaves-datapath=datapath-slave slaves-static=no
/interface wifiwave2 datapath
add bridge=switch name=datapath-slave

The most important part is to configure the CAP to use the bridge for default wifi (via ‘/interface wifiwave2 set 0,1 datapath.bridge=switch’) and CAPsManager config (via ‘/interface wifiwave2 set 0,1 configuration.manager=capsman’).

If you need additional wifi networks, e.g. for guests you also need to specify the datapath bridge (‘/interface wifiwave2 datapath add bridge=switch name=datapath-slave’) and add this datapath to your cap config (‘/interface wifiwave2 cap set caps-man-addresses=172.16.254.254 certificate=request enabled=yes slaves-datapath=datapath-slave slaves-static=no’). The vlan-id will be not visible on the CAP (at time of writing: routerOS 7.7) but is taken from CAPsManager configuration for the slave network(s).

A more detailed blog post is following soon!

Der Beitrag Configuration: MikroTik routerOS 7 wifiwave2 and CAPsMan erschien zuerst auf MEB-IT | Blog.