Hello Stuart,

Thanks for also giving it a try - I was the one bothering Tobias earlier today with this use case of a Windows 10 (21H2) client trying to connect to an iked server whose CA certificate wasn't self-signed, but signed by a root CA.

> For Windows this works provided that ISRG Root X1 is already in the
> computer trust store. It seems this is present on some but not other
> Windows installations - if you get "IKE authentication credentials
> are unacceptable" this is the likely failure.

Windows initiates the connection as long as, as you note, the root CA is in the computer trust store - along with the iked CA, otherwise I get the "IKE authentication credentials are unacceptable" error you were referring to.

On the other hand I initially (OpenBSD 7.1 release) got on the iked side (iked -dv) the following "errors":

ikev2_pld_cert: multiple cert payloads not supported
ikev2_resp_recv: failed to parse message

leading to a timeout (sa_free: SA_INIT timeout) notified on both ends.

I did try with a "consolidated" /etc/iked/ca/ca.crt (iked cert + the one from the signing CA) as well as with a "lone" one (iked cert

> Or you can check in
> MMC > certificates (local computer) > trusted root CAs. If you don't
> have ISRG Root X1 shown there then open a browser (I have had
> success with Internet Explorer and Chrome but not Edge, YMMV) and
> open https://valid-isrgrootsx1.letsencrypt.org/, which will silently
> add the new root CA to the store, at which point the VPN should work.
>
>>
>> It would be nice if we could get someone to test if it works with
>> Windows.
>
>
> I have connected successfully with Windows 20H2.

I got the same "error" after having applied Tobias' updated diff. It's therefore likely that I did something different (wrong?) from you on the Windows and/or iked side...

Loïc
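As an added example (not code from this thread or from iked), the script below builds a throwaway root -> intermediate "iked CA" -> server certificate chain with openssl and shows why a "lone" ca.crt (intermediate only) cannot validate the server certificate while a "consolidated" one (intermediate + root) can; every name and path in it is constructed for the demonstration.

```sh
#!/bin/sh
# Added example: a constructed PKI mirroring the thread's setup. The root CA stands in
# for ISRG Root X1, "ikedca" is the intermediate that signs the server certificate.
set -e
WORK=$(mktemp -d)

# Issue an RSA key + cert. $1=name $2=CN $3=extension file; $4/$5 = issuer cert/key
# (omit them for a self-signed root).
issue() {
  name=$1; cn=$2; ext=$3; icert=$4; ikey=$5
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/$name.key" \
    -out "$WORK/$name.csr" -subj "/CN=$cn" 2>/dev/null
  if [ -z "$icert" ]; then
    openssl x509 -req -in "$WORK/$name.csr" -signkey "$WORK/$name.key" \
      -out "$WORK/$name.crt" -days 1 -extfile "$ext" 2>/dev/null
  else
    openssl x509 -req -in "$WORK/$name.csr" -CA "$icert" -CAkey "$ikey" \
      -CAcreateserial -out "$WORK/$name.crt" -days 1 -extfile "$ext" 2>/dev/null
  fi
}

printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\n' > "$WORK/ee.ext"

issue root   "Test Root CA" "$WORK/ca.ext"
issue ikedca "Test iked CA" "$WORK/ca.ext" "$WORK/root.crt"   "$WORK/root.key"
issue server "vpn.example"  "$WORK/ee.ext" "$WORK/ikedca.crt" "$WORK/ikedca.key"

# The two /etc/iked/ca/ca.crt variants mentioned in the thread (constructed here).
cp "$WORK/ikedca.crt" "$WORK/ca-lone.crt"
cat "$WORK/ikedca.crt" "$WORK/root.crt" > "$WORK/ca-consolidated.crt"

# Number of PEM certificates in a bundle.
count_certs() { grep -c 'BEGIN CERTIFICATE' "$1"; }

# Exit 0 if cert $2 chains to a trust anchor found in bundle $1, non-zero otherwise.
chain_ok() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

for bundle in ca-lone ca-consolidated; do
  if chain_ok "$WORK/$bundle.crt" "$WORK/server.crt"; then r=OK; else r=FAIL; fi
  echo "$bundle.crt ($(count_certs "$WORK/$bundle.crt") cert(s)): $r"
done
```

The same `openssl verify` call run against the real /etc/iked/ca/ca.crt and server certificate tells you whether the file you hand to iked actually closes the chain to the root.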
