Forum Discussion
AlwaysOnVPN Device Tunnel (IKE) Certificate selection problem
We are using AlwaysOnVPN and configuring device tunnel at Windows 10/11 clients.
(not to be confused with user tunnel)
On the server side we are using EKU filtering (CertificateEKUsToAccept parameter).
Everything works well until clients have 2 or more device certificates. Windows randomly takes the first one and in most cases it is not valid without the correct EKU. So authentication failed: “Verifying username and password... IKE authentication credentials are unacceptable”
At first sight, this problem could be solved by adding a section to the client’s config:
<NativeProtocolType>IKEv2</NativeProtocolType>
<Authentication>
    <MachineMethod>Certificate</MachineMethod>
    <Certificate>
        <EKU>1.3.6.1.5.5.7.3.7</EKU>
    </Certificate>
</Authentication>
and there is a section at VPNv2 CSP:
Device/{ProfileName}/NativeProfile/Authentication/Certificate/Eku
But it says “Reserved for future use.” And there are no Allowed Values listed.
Without much hope, I wanted to ask the community: are there any ways to choose the right device certificate on the client side?
And I hope MS will enable this feature as well.
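An added diagnostic script (not from the original post or from Microsoft) that inventories the machine certificate store on a client and flags which certificates actually carry the EKU the server's CertificateEKUsToAccept filter expects. It assumes the required EKU is the IP security IKE intermediate OID 1.3.6.1.5.5.7.3.7 quoted above; run it on an affected client to see how many certificates the device tunnel could pick from and how many of them would pass the server-side filter.

```powershell
# Added example: list LocalMachine\My certificates and mark the ones usable
# as an IKEv2 device-tunnel credential under an EKU filter.
param(
    # Assumed: the OID the VPN server accepts (IP security IKE intermediate).
    [string]$RequiredEku = '1.3.6.1.5.5.7.3.7'
)

$now = Get-Date
$results = foreach ($cert in Get-ChildItem -Path Cert:\LocalMachine\My) {
    # Pull the EKU OIDs out of the Enhanced Key Usage extension, if present.
    $ekus = @()
    foreach ($ext in $cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            $ekus += @($ext.EnhancedKeyUsages | ForEach-Object { $_.Value })
        }
    }
    # A certificate only passes the server filter and can sign the IKE
    # exchange if it has the EKU, a private key, and is currently valid.
    $timeValid = ($cert.NotBefore -le $now) -and ($cert.NotAfter -gt $now)
    $candidate = ($ekus -contains $RequiredEku) -and $cert.HasPrivateKey -and $timeValid
    [pscustomobject]@{
        Subject       = $cert.Subject
        Thumbprint    = $cert.Thumbprint
        NotAfter      = $cert.NotAfter
        HasPrivateKey = $cert.HasPrivateKey
        Ekus          = ($ekus -join ', ')
        Candidate     = $candidate
    }
}

$results | Sort-Object Candidate -Descending | Format-Table -AutoSize

$all        = @($results)
$candidates = @($results | Where-Object { $_.Candidate })

if ($candidates.Count -eq 0) {
    Write-Warning "No certificate in LocalMachine\My carries EKU $RequiredEku with a private key; IKE authentication will be rejected."
}
elseif ($all.Count -gt $candidates.Count) {
    # This is the situation described in the post: extra machine certificates
    # without the EKU that the client may select ahead of the right one.
    Write-Warning "$($all.Count) machine certificates present but only $($candidates.Count) carry EKU $RequiredEku; the client may select one the server will reject."
}
else {
    Write-Host "All $($all.Count) machine certificate(s) carry EKU $RequiredEku; selection cannot pick a non-matching certificate."
}
```

Run it in an elevated PowerShell session, since reading private-key presence for LocalMachine certificates requires administrator rights.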