Windows 10 IKEv2 clients send an incorrect user certificate to the server
This post was last edited by 角色 on 2022-6-13 10:51
If you have multiple IKEv2 clients installed on Windows 10, the system will send an incorrect client certificate to the remote IKEv2 server. The following can be used to resolve this issue:
If you find the serial number of the CA, for instance:
1234567890
Now, if you have more than one IKEv2 RSA VPN created, you should specify which certificate Windows should use, because Windows is stupid and can't automatically determine the right certificate for each VPN profile.
1. Open PowerShell and enter certlm.msc to open the Local Machine Certificates tool
2. Under Trusted Root Certification.., find your certificate and open it with a double click
3. Select Details and copy the Serial number
4. Go back to PowerShell and create a new variable with the specified serial number
$ca = Get-ChildItem Cert:\LocalMachine\Root\ | ? SerialNumber -EQ <serial number>
5. Check whether the variable has found your certificate; it should return something
$ca
6. Add the certificate to the VPN profile you created
Set-VpnConnection -Name <your VPN profile name> -MachineCertificateIssuerFilter $ca
$ca = Get-ChildItem Cert:\LocalMachine\Root\ | ? SerialNumber -EQ 1234567890
 
If you created a VPN profile named "IKEv2 abc":
Set-VpnConnection -Name "IKEv2 abc" -MachineCertificateIssuerFilter $ca
 
How to invoke PowerShell?
Type powershell in the Windows "Type here to search" box
 
1. Please note that the VPN profile name must not contain a period (full stop) character.
2. One CA has only one client private key. If there is more than one client key, the last user's key is used. Put simply, whichever of the two IKEv2 clients you click, the last installed client certificate is always used.
3. The above method maps one CA to one client private key. That is why we only select the CA that corresponds to the client's private key.
 
 Reference:
 https://forum.mikrotik.com/viewt ... mp;p=878614#p878614
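The procedure above as one script, added here as an example and not code from the original post or the MikroTik thread. It assumes the placeholder serial number 1234567890 and the profile name "IKEv2 abc" from the post; the checks it adds (stripping the spaces that certlm.msc puts between the serial-number bytes, refusing to continue unless exactly one root certificate matches, and listing which client certificate with a private key was issued by that CA) are additions, not steps the post describes.

```powershell
# Pin-VpnIssuer.ps1 (added example, not from the original post)
# Run from an elevated PowerShell so the machine certificate stores are readable.
param(
    [string]$CaSerial   = '1234567890',  # placeholder: serial shown on the CA's Details tab
    [string]$VpnProfile = 'IKEv2 abc'    # placeholder: existing VPN profile (no period in the name)
)

# certlm.msc displays the serial number as "12 34 56 ..." with spaces between bytes,
# while the SerialNumber property is the same hex string without spaces.
$serial = ($CaSerial -replace '\s', '').ToUpperInvariant()

# Look the CA up in the machine Trusted Root store (Cert:\LocalMachine\Root).
$caMatches = @(Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.SerialNumber -eq $serial })

# A serial number is only unique per issuer, so two unrelated CAs can share one
# (self-signed CAs with serial 01 are common). Insist on exactly one hit.
if ($caMatches.Count -ne 1) {
    throw "Expected exactly one root certificate with serial $serial, found $($caMatches.Count)"
}
$ca = $caMatches[0]
"Selected CA: $($ca.Subject)  thumbprint=$($ca.Thumbprint)"

# Show which client certificate the profile will end up presenting: a certificate in the
# machine personal store that has a private key and was issued by the selected CA.
# Certificates without an EKU extension are valid for any purpose, so they are kept too.
$clientAuthEku = '1.3.6.1.5.5.7.3.2'
$clients = @(Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and
    $_.Issuer -eq $ca.Subject -and
    ((-not $_.EnhancedKeyUsageList) -or ($_.EnhancedKeyUsageList.ObjectId -contains $clientAuthEku))
})
if ($clients.Count -eq 0) {
    throw "No client-authentication certificate with a private key issued by $($ca.Subject)"
}
"Client certificate(s) issued by this CA:"
$clients | Select-Object Subject, NotAfter, Thumbprint | Format-Table -AutoSize

# Pin the issuer on the profile. Without the filter Windows chooses a certificate on its own.
# If the profile was created with -AllUserConnection, add that switch here and below.
Set-VpnConnection -Name $VpnProfile -MachineCertificateIssuerFilter $ca -ErrorAction Stop

# Read the profile back so the change can be confirmed before connecting.
Get-VpnConnection -Name $VpnProfile | Format-List *
```

Run it once per VPN profile, each time with the serial number of the CA that issued that profile's client certificate; the issuer listing makes it obvious when two profiles are being pointed at the same CA, which is the situation the post's notes 2 and 3 warn about. Matching on the thumbprint instead of the serial number is stricter, since a thumbprint identifies one certificate rather than one certificate per issuer.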