Issue with connecting several remote Windows 10 clients to strongSwan with Let's Encrypt certificates (IKEv2-EAP)

I set up a strongSwan server for VPN clients to access the internal network (EAP-IKEv2). I have successfully configured it using Let's Encrypt server certificates, and it works for clients using Mac OS X, iOS, Windows 7 and Windows 10.

Everything was working fine for a year.

But a few weeks ago, several remote clients using Windows 10 started getting an error during the connection.

Server: strongSwan version 5.8.2 on FreeBSD 11.2-RELEASE-p15

Client: Mac OS X (several versions) / iOS (several versions) / Windows 7 (several versions) / Windows 10 (several versions)

Windows 10 VPN error 13801: "IKE authentication credentials are unacceptable"

At the same time, other remote clients, including those using Windows 10 with the same build number, work fine.

The saddest thing is that the error does not correlate with the build number of Windows 10.

Of course, the certificate is extended and valid.

You can find all the details below.

Thank you for your time. I would be grateful for any help

ipsec.conf

    config setup
      strictcrlpolicy=no
      charondebug="ike 1, knl 1, cfg 0"
      uniqueids=no

    conn ikev2-vpn
      auto=add
      compress=no
      type=transport
      keyexchange=ikev2
      fragmentation=yes
      forceencaps=yes

      ike=aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha2
      esp=aes128gcm16-ecp256,aes256gcm16-ecp384,aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1

      dpdaction=clear
      dpddelay=300s
      rekey=no

      left=%any
      [email protected]
      leftcert=fullchain.pem
      leftsendcert=always
      leftsubnet=0.0.0.0/0

      right=%any
      rightid=%any
      rightauth=eap-mschapv2
      rightsourceip=192.168.20.2-192.168.20.50
      rightdns=192.168.70.253,192.168.70.254

      eap_identity=%identity

Final part of charon.log:

Jun 23 09:12:17 11[MGR] <ikev2-vpn|10> checkin IKE_SA ikev2-vpn[10]
Jun 23 09:12:17 03[NET] sending packet: from *serverip*[4500] to *clientip*[4500]
Jun 23 09:12:17 11[MGR] <ikev2-vpn|10> checkin of IKE_SA successful
Jun 23 09:12:17 03[NET] sending packet: from *serverip*[4500] to *clientip*[4500]
Jun 23 09:12:46 06[NET] waiting for data on sockets
Jun 23 09:12:46 01[JOB] got event, queuing job for execution
Jun 23 09:12:46 01[JOB] next event in 628ms, waiting
Jun 23 09:12:46 11[MGR] checkout IKEv2 SA with SPIs 688d0386698d3362_i b3e60629dc447607_r
Jun 23 09:12:46 11[MGR] IKE_SA checkout not successful
Jun 23 09:12:47 01[JOB] got event, queuing job for execution
Jun 23 09:12:47 01[JOB] next event in 98s 38ms, waiting
Jun 23 09:12:47 11[MGR] checkout IKEv2 SA with SPIs ef71603dd0f2ce38_i 6e86dbaeb491d377_r
Jun 23 09:12:47 11[MGR] IKE_SA ikev2-vpn[10] successfully checked out
Jun 23 09:12:47 11[JOB] <ikev2-vpn|10> deleting half open IKE_SA with *clientip* after timeout
Jun 23 09:12:47 11[MGR] <ikev2-vpn|10> checkin and destroy IKE_SA ikev2-vpn[10]
Jun 23 09:12:47 11[IKE] <ikev2-vpn|10> IKE_SA ikev2-vpn[10] state change: CONNECTING => DESTROYING
Jun 23 09:12:47 11[MGR] checkin and destroy of IKE_SA successful

I had the same issue, resolved by adding the latest Let's Encrypt root CA cert into the Local Machine cert store.

Can't guarantee this was the same problem as you had, but it fixed it for me. I did also add the PEM version of the same certificate into the /etc/ipsec/cacerts dir on the VPN server, which by itself didn't resolve the issue.

Here's a PowerShell script to install the root cert into your local Windows certificate store:

    # Download the ISRG Root X1 certificate (DER) from Let's Encrypt and import it into the
    # Local Machine "Trusted Root Certification Authorities" store. Run from an elevated
    # PowerShell session; Import-Certificate comes from the PKI module shipped with Windows.
    Write-Host " Fetching Lets Encrypt root CA Cert..." -ForegroundColor Cyan
    $output = "isrgrootx1.der"
    $configUrl = "https://letsencrypt.org/certs/isrgrootx1.der"
    Invoke-WebRequest -Uri $configUrl -OutFile $output
    # The -Verbose switch must be separated from the store path by a space.
    Import-Certificate -FilePath "$output" -CertStoreLocation 'Cert:\LocalMachine\Root' -Verbose
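The fix above works because a Windows IKEv2 client builds a certificate chain for the server certificate it receives during IKE_AUTH and reports 13801 when that chain does not end at a root in the Local Machine trusted store (or when the certificate lacks the Server Authentication EKU or the name the client dials). The following PowerShell script is an added diagnostic, not code from this thread or from the strongSwan project; it assumes you have copied the server's `fullchain.pem` to the client at `C:\temp\fullchain.pem` and that `vpn.example.com` is a placeholder for the name used as `leftid`. It shows, before touching the cert store, whether this particular machine would reject the chain and why.

```powershell
# Added example: check whether this Windows client can build a trusted chain for the
# strongSwan server certificate. Not part of the original thread.
# Assumptions (placeholders): fullchain.pem copied from the server to C:\temp, and
# vpn.example.com standing in for the leftid / server name the client connects to.
param(
    [string]$FullChainPath = 'C:\temp\fullchain.pem',
    [string]$VpnHostName   = 'vpn.example.com'
)

# Parse every PEM certificate block in the file (leaf first, then intermediates).
function Get-PemCertificates {
    param([string]$Path)
    $text = Get-Content -Path $Path -Raw
    $pattern = '-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----'
    foreach ($m in [regex]::Matches($text, $pattern, 'Singleline')) {
        $der = [Convert]::FromBase64String(($m.Groups[1].Value -replace '\s', ''))
        [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
    }
}

$certs = @(Get-PemCertificates -Path $FullChainPath)
if ($certs.Count -eq 0) { throw "No certificates found in $FullChainPath" }
$leaf = $certs[0]

# Build the chain the way Windows does: intermediates from the file go into ExtraStore,
# the root must come from the machine's own trusted store. Revocation is skipped so the
# check runs offline; switch it to Online if you also want to surface CRL/OCSP problems.
$chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
foreach ($c in ($certs | Select-Object -Skip 1)) { [void]$chain.ChainPolicy.ExtraStore.Add($c) }
$built = $chain.Build($leaf)

Write-Host "Leaf subject : $($leaf.Subject)"
Write-Host "Valid until  : $($leaf.NotAfter)"
Write-Host "Chain builds : $built"
foreach ($element in $chain.ChainElements) { Write-Host "  -> $($element.Certificate.Subject)" }
foreach ($status in $chain.ChainStatus) {
    # UntrustedRoot or PartialChain here is what the VPN client reports as error 13801.
    Write-Warning "$($status.Status): $($status.StatusInformation.Trim())"
}

# The last element is the highest certificate Windows could find. If the chain is
# partial it is an intermediate rather than a root, and it will not be in the Root store.
$top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
$topInStore = Get-ChildItem -Path 'Cert:\LocalMachine\Root' |
    Where-Object { $_.Thumbprint -eq $top.Thumbprint }
if ($topInStore) {
    Write-Host "Top of chain '$($top.Subject)' is a trusted root on this machine." -ForegroundColor Green
} else {
    Write-Warning "Top of chain '$($top.Subject)' is not in Cert:\LocalMachine\Root; import the issuing root CA."
}

# Windows IKEv2 clients also require the Server Authentication EKU on the server
# certificate and expect the name they dial to appear in the certificate's SAN.
$serverAuthOid = '1.3.6.1.5.5.7.3.1'
$eku = $leaf.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
$hasServerAuth = ($null -ne $eku) -and
    (@($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $serverAuthOid }).Count -gt 0)
# DnsNameList is a property PowerShell adds to X509Certificate2 objects (SAN DNS entries).
$sanNames = @($leaf.DnsNameList | ForEach-Object { $_.Unicode })
Write-Host ("Server Authentication EKU : " + $(if ($hasServerAuth) { 'present' } else { 'MISSING' }))
Write-Host ("SAN covers $VpnHostName  : " + $(if ($sanNames -contains $VpnHostName) { 'yes' } else { "no (SAN: $($sanNames -join ', '))" }))
```

Run it on one of the failing clients and on one of the working ones: a `PartialChain` or `UntrustedRoot` status on the failing machine only, with the same `fullchain.pem`, confirms that the difference is the client's root store rather than the server configuration, which is the situation the answer above describes.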