After successfully establishing a VPN connection from my Windows 7 laptop to my Windows Server 2008 R2 using PPTP, SSTP and L2TP, I decided to try IKEv2 using EAP-MSCHAP-v2.
The progress dialog shows "verifying user name and password...", and then "Error 1381: IKE authentication credentials are unacceptable". This fails whether I try to connect from an external WAN, or from the local LAN itself.
I am using EAP to authenticate the client. I assumed certs are not the issue, as SSTP works fine. However, I re-checked and made sure that the server's root cert is installed on my Win7 laptop, that the subject name matches the host name I specified for the IKEv2 client, that the cert is valid, and that it supports server and client authentication in its EKU.
I also tried the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Parameters\DisableIKENameEkuCheck registry hack. I get a dialogue with the message:
Radius Server: mail.lavie.org
Root CA: Starfield Class 2 Certification Authority
The server "vpn.conteso.com" presented a valid certificate issued by "Starfield Class 2 Certification Authority", but "Starfield Class 2 Certification Authority" is not configured as a valid trust anchor for this profile. Further, the server "vpn.conteso.com" is not configured as a valid NPS server to connect to for this profile.
Please note that my VPN server is using a cert from a recognized CA ("Certificates for Exchange" a/k/a "Starfield"), as it is also my web and Exchange Server. So my Windows domain CA is not the CA for the RRAS' cert.
I have done my best to research this (so as to avoid another shameless RTFM like I posted a few days ago about L2TP). I've looked at all the troubleshooting and "How to" pages I could find.
TIA,
mlavie