Hello,

I am trying to establish a VPN connection with a FlexVPN setup on a Cisco Router, using the Windows VPN built-in client IKEv2. To set up the router, I followed the instructions described in this example, using openssl to create the certificate chain.
https://www.cisco.com/c/en/us/support/docs/security/flexvpn/115907-config-flexvpn-wcca-00.html

The connection fails with the message 'IKE authentication credentials are unacceptable'.

I enabled the debug console on the router to see what's happening and realized that the local IP is sent as identity. After some research I found a hotfix was released for this symptom, but only for Windows 7.
--> https://mskb.pkisolutions.com/kb/975488

This workaround does not seem to be applicable to Windows 11. Is there a way to prevent Windows 11 from sending the local IP as identity?

=====

SA KE N NOTIFY(IKEV2_FRAGMENTATION_SUPPORTED) NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) VID VID VID VID

*Mar 18 17:11:28.500: IKEv2:(SESSION ID = 2,SA ID = 1):Verify SA init message
*Mar 18 17:11:28.500: IKEv2:(SESSION ID = 2,SA ID = 1):Insert SA
*Mar 18 17:11:28.500: IKEv2:Searching Policy with fvrf 0, local address 87.65.197.86
*Mar 18 17:11:28.500: IKEv2:Found Policy 'windows'
*Mar 18 17:11:28.500: IKEv2:(SESSION ID = 2,SA ID = 1):Processing IKE_SA_INIT message
*Mar 18 17:11:28.501: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieve configured trustpoint(s)
*Mar 18 17:11:28.501: IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s): 'VranaVPN-rrr1' 'VranaVPN' 'SLA-TrustPoint' 'TP-self-signed-3349085815'
*Mar 18 17:11:28.501: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Get Public Key Hashes of trustpoints
*Mar 18 17:11:28.501: IKEv2:(SA ID = 1):[PKI -> IKEv2] Getting of Public Key Hashes of trustpoints PASSED
*Mar 18 17:11:28.502: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Start PKI Session
*Mar 18 17:11:28.502: IKEv2:(SA ID = 1):[PKI -> IKEv2] Starting of PKI Session PASSED
*Mar 18 17:11:28.502: IKEv2:(SESSION ID = 2,SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH public key, DH Group 2
*Mar 18 17:11:28.505: IKEv2:(SESSION ID = 2,SA ID = 1):(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
*Mar 18 17:11:28.505: IKEv2:(SESSION ID = 2,SA ID = 1):Request queued for computation of DH key
*Mar 18 17:11:28.505: IKEv2:(SESSION ID = 2,SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH secret key, DH Group 2
*Mar 18 17:11:28.509: IKEv2:(SESSION ID = 2,SA ID = 1):(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
*Mar 18 17:11:28.509: IKEv2:(SESSION ID = 2,SA ID = 1):Request queued for computation of DH secret
*Mar 18 17:11:28.509: IKEv2:(SESSION ID = 2,SA ID = 1):(SA ID = 1):[IKEv2 -> Crypto Engine] Calculate SKEYSEED and create rekeyed IKEv2 SA
*Mar 18 17:11:28.509: IKEv2:(SESSION ID = 2,SA ID = 1):(SA ID = 1):[Crypto Engine -> IKEv2] SKEYSEED calculation and creation of rekeyed IKEv2 SA PASSED
*Mar 18 17:11:28.509: IKEv2:IKEv2 responder - no config data to send in IKE_SA_INIT exch
*Mar 18 17:11:28.509: IKEv2:(SESSION ID = 2,SA ID = 1):Generating IKE_SA_INIT message
*Mar 18 17:11:28.509: IKEv2:(SESSION ID = 2,SA ID = 1):IKE Proposal: 10, SPI size: 0 (initial negotiation), Num. transforms: 4
 AES-CBC SHA1 SHA96 DH_GROUP_1024_MODP/Group 2
*Mar 18 17:11:28.509: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieve configured trustpoint(s)
*Mar 18 17:11:28.509: IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s): 'VranaVPN-rrr1' 'VranaVPN' 'SLA-TrustPoint' 'TP-self-signed-3349085815'
*Mar 18 17:11:28.510: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Get Public Key Hashes of trustpoints
*Mar 18 17:11:28.510: IKEv2:(SA ID = 1):[PKI -> IKEv2] Getting of Public Key Hashes of trustpoints PASSED
*Mar 18 17:11:28.510: IKEv2:(SESSION ID = 2,SA ID = 1):Sending Packet [To 87.66.194.200:500/From 87.65.197.86:500/VRF i0:f0]
Initiator SPI : 8F52074FC0F0390A - Responder SPI : E0B07AB69D968D12 Message id: 0
IKEv2 IKE_SA_INIT Exchange RESPONSE
Payload contents:
 SA KE N VID VID VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) CERTREQ NOTIFY(HTTP_CERT_LOOKUP_SUPPORTED)
*Mar 18 17:11:28.511: IKEv2:(SESSION ID = 2,SA ID = 1):Completed SA init exchange
*Mar 18 17:11:28.511: IKEv2:(SESSION ID = 2,SA ID = 1):Starting timer (30 sec) to wait for auth message
*Mar 18 17:11:28.534: IKEv2:(SESSION ID = 2,SA ID = 1):Received Packet [From 87.66.194.200:4500/To 87.65.197.86:4500/VRF i0:f0]
Initiator SPI : 8F52074FC0F0390A - Responder SPI : E0B07AB69D968D12 Message id: 1
IKEv2 IKE_AUTH Exchange REQUEST
Payload contents:
 IDi CERTREQ NOTIFY(Unknown - 16396) CFG SA TSi TSr
*Mar 18 17:11:28.535: IKEv2:(SESSION ID = 2,SA ID = 1):Stopping timer to wait for auth message
*Mar 18 17:11:28.535: IKEv2:(SESSION ID = 2,SA ID = 1):Checking NAT discovery
*Mar 18 17:11:28.535: IKEv2:(SESSION ID = 2,SA ID = 1):NAT OUTSIDE found
*Mar 18 17:11:28.536: IKEv2:(SESSION ID = 2,SA ID = 1):NAT detected float to init port 4500, resp port 4500
!!!!!!!!!!!!!!!*Mar 18 17:11:28.536: IKEv2:(SESSION ID = 2,SA ID = 1):Searching policy based on peer's identity '192.168.2.121' of type 'IPv4 address'
!!!!!!!!!!!!!!!*Mar 18 17:11:28.536: IKEv2-ERROR:% IKEv2 profile not found
!!!!!!!!!!!!!!!*Mar 18 17:11:28.536: IKEv2-ERROR:(SESSION ID = 2,SA ID = 1):: Failed to locate an item in the database
*Mar 18 17:11:28.536: IKEv2:(SESSION ID = 2,SA ID = 1):Verification of peer's authentication data FAILED
*Mar 18 17:11:28.536: IKEv2:(SESSION ID = 2,SA ID = 1):Sending authentication failure notify
*Mar 18 17:11:28.536: IKEv2:(SESSION ID = 2,SA ID = 1):Building packet for encryption.
Payload contents:
 NOTIFY(AUTHENTICATION_FAILED)
*Mar 18 17:11:28.536: IKEv2:(SESSION ID = 2,SA ID = 1):Sending Packet [To 87.66.194.200:4500/From 87.65.197.86:4500/VRF i0:f0]
Initiator SPI : 8F52074FC0F0390A - Responder SPI : E0B07AB69D968D12 Message id: 1
IKEv2 IKE_AUTH Exchange RESPONSE
Payload contents:
 ENCR
*Mar 18 17:11:28.537: IKEv2:(SESSION ID = 2,SA ID = 1):Auth exchange failed
*Mar 18 17:11:28.537: IKEv2-ERROR:(SESSION ID = 2,SA ID = 1):: Auth exchange failed
*Mar 18 17:11:28.537: IKEv2:(SESSION ID = 2,SA ID = 1):Abort exchange
*Mar 18 17:11:28.537: IKEv2:(SESSION ID = 2,SA ID = 1):Deleting SA
*Mar 18 17:11:28.537: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Close PKI Session
*Mar 18 17:11:28.537: IKEv2:(SA ID = 1):[PKI -> IKEv2] Closing of PKI Session PASSED
Connection to 192.168.70.1 closed by remote host.
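
Added example, not part of the original post and not Cisco tooling: a small Python triage script that pulls the IKE_AUTH identity lookup out of debug output shaped like the log above and reports whether the peer presented a private IPv4 address from behind NAT and whether a profile matched. `SAMPLE` is constructed from lines of that shape, and `triage` and its field names are hypothetical.

```python
import ipaddress
import re

# Constructed sample, in the shape of the debug lines in the post above.
SAMPLE = """\
*Mar 18 17:11:28.536: IKEv2:(SESSION ID = 2,SA ID = 1):NAT detected float to init port 4500, resp port 4500
!!!!!!!!!!!!!!!*Mar 18 17:11:28.536: IKEv2:(SESSION ID = 2,SA ID = 1):Searching policy based on peer's identity '192.168.2.121' of type 'IPv4 address'
!!!!!!!!!!!!!!!*Mar 18 17:11:28.536: IKEv2-ERROR:% IKEv2 profile not found
*Mar 18 17:11:28.536: IKEv2:(SESSION ID = 2,SA ID = 1):Sending authentication failure notify
"""

SESSION = re.compile(r"SESSION ID = (\d+),SA ID = (\d+)")
IDENT = re.compile(r"peer's identity '([^']*)' of type '([^']*)'")


def triage(log_text):
    """Summarise each IKE_AUTH identity lookup found in IKEv2 debug output."""
    findings, nat_sessions, last = [], set(), None
    for raw in log_text.splitlines():
        line = raw.lstrip("! ")  # drop highlight markers added by hand
        sess = SESSION.search(line)
        key = sess.groups() if sess else None
        if key and "NAT detected" in line:
            nat_sessions.add(key)
        ident = IDENT.search(line)
        if ident:
            value, id_type = ident.groups()
            try:
                private = ipaddress.ip_address(value).is_private
            except ValueError:  # FQDN, e-mail or DN identity
                private = False
            last = {"session": key, "identity": value, "type": id_type,
                    "private_address": private,
                    "behind_nat": key in nat_sessions,
                    "profile_found": True, "auth_failed": False}
            findings.append(last)
        elif last and "IKEv2 profile not found" in line:
            # This error line carries no session ID; attribute it to the most
            # recent lookup (assumes attempts are not interleaved in the log).
            last["profile_found"] = False
        elif (last and key == last["session"]
              and "authentication failure notify" in line):
            last["auth_failed"] = True
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```
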