IKEv2 VPN with routerOS and Windows 10/11: IKE authentication credentials are unacceptable

If you have encountered a problem with an IKEv2 connection on Windows 10 or Windows 11 and the error message states:

IKE authentication credentials are unacceptable

The error looks a little different from the router's side:

oct/16 10:50:55 ipsec,error identity not found for peer: DER DN: CN=1114XXXXX,C=,ST=,L=,O=,OU=,SN=1114XXXXX

There might be multiple certificates installed on your machine, and Windows is unable to select the proper certificate for authentication. (If you didn't install any certificates on your computer, the above error is most likely not related to this article; please follow your original VPN setup tutorial to complete that step.) But don't worry, this is easy to fix: we can pin the certificate authority (CA) that signed the certificate to a specific VPN connection.

First, we need the CA certificate as a file on the client machine. You can either export the CA certificate from the computer's certificate store (certmgr.exe), or download the file from your router or from wherever you created the CA certificate, server certificates and user certificates.

The second step is to pin the CA certificate to the VPN connection. Open PowerShell (do not run it as "Administrator", since we want to set the certificate pinning in the user context) and type the following (make sure you replace the VPN name and the path to the CA certificate):

Set-VpnConnection -Name "My VPN" -MachineCertificateIssuerFilter 'C:\CA-files\my-ca.cer'
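The two steps above carried through in one script, as an added example that is not part of the original article: it locates the CA in the current user's certificate store, exports it to a .cer file, lists the client certificates that chain to it (the ambiguity Windows cannot resolve on its own), pins the issuer on the connection and reads the setting back. The connection name "My VPN", the CA subject "CN=My VPN CA" and the path C:\CA-files\my-ca.cer are placeholders to replace with your own values.

```powershell
# Added example (not from the original article): pin the CA that signed the
# client certificate to a user-context IKEv2 VPN connection, then verify it.
# Placeholders to replace: connection name, CA subject, export path.
$VpnName   = 'My VPN'
$CaSubject = 'CN=My VPN CA'
$CaFile    = 'C:\CA-files\my-ca.cer'

# Run this in a normal (non-elevated) PowerShell window: Set-VpnConnection
# without -AllUserConnection modifies the current user's own connection.

# 1. Find the CA certificate in the user's store. The signing CA may sit in
#    either the Trusted Root or the Intermediate CA store, so check both.
$ca = Get-ChildItem -Path Cert:\CurrentUser\Root, Cert:\CurrentUser\CA |
      Where-Object { $_.Subject -eq $CaSubject } |
      Select-Object -First 1
if (-not $ca) {
    throw "CA certificate '$CaSubject' not found in the current user's certificate store."
}

# 2. Export it as a DER-encoded .cer file (Export-Certificate writes DER by
#    default), so the same file can be reused on other clients.
New-Item -ItemType Directory -Path (Split-Path $CaFile) -Force | Out-Null
Export-Certificate -Cert $ca -FilePath $CaFile | Out-Null

# 3. Show which certificates with a private key in the user's Personal store
#    were issued by this CA. If more than one unrelated CA is present,
#    this is where Windows picks the wrong one without a filter.
Get-ChildItem -Path Cert:\CurrentUser\My |
    Where-Object { $_.Issuer -eq $ca.Subject -and $_.HasPrivateKey } |
    Select-Object Subject, NotAfter, Thumbprint |
    Format-Table -AutoSize

# 4. Pin the issuer on the VPN connection. The parameter takes an
#    X509Certificate2 object; the article passes a file path instead,
#    which PowerShell converts to the same type.
Set-VpnConnection -Name $VpnName -MachineCertificateIssuerFilter $ca

# 5. Read the connection back to confirm the filter was stored.
Get-VpnConnection -Name $VpnName |
    Select-Object Name, AuthenticationMethod, MachineCertificateIssuerFilter
```

If step 3 lists no certificate, the client certificate was not issued by the CA you pinned, and the router-side "identity not found for peer" error will persist; in that case re-check which CA signed the user certificate before pinning.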

After you have completed the above steps your VPN should start working.
