We have a number of customers using Server 2019 as a VPN server with the IKEv2 protocol through the Routing and Remote Access (RRAS) service. Suddenly, every single one of them gets the following error on their clients: "IKE credentials are unacceptable". I've checked the common errors, but none of them makes sense, as the certificates haven't changed (which seems to be a common culprit). We have a number of customers with a matching setup but on Server 2016, without any issues. I've tried reinstalling the service, but the issue is the same. I've tried stopping the NPS service to verify whether it was the NPS or RRAS throwing the error, and the error was the same, so I'm certain that the issue is with the RRAS. There has been no change in network or firewall configurations, and no Windows updates or software installations.
I found the issue... It's a stroke of genius timing that the issue has been reported at more or less the same time across the setups. Apparently, if you have "too many" (I have no idea of the real number) certificates available on your RRAS server for server authentication, it doesn't necessarily pick the one for authentication that you've chosen in the service configuration; it uses the default certificate, which is not valid for IKE authentication. Deleting all expired, internally signed and self-signed certificates, leaving only the publicly signed certificate, solved the issue on all setups... I need a drink.
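
A read-only way to see which certificates in the machine store compete for server authentication before deleting anything, as an added example that is not part of the original posts. The function name, the `-SelectedThumbprint` parameter and the placeholder thumbprint are assumptions; only expired and self-signed certificates are flagged, since an internally signed certificate cannot be told apart from a public one by these fields alone.

```powershell
# Added example: inventory only, nothing is deleted or changed.
function Get-ServerAuthCertInventory {
    param(
        # Hypothetical parameter: thumbprint of the certificate chosen
        # in the RRAS service configuration.
        [string]$SelectedThumbprint = ''
    )
    $serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU
    $now = Get-Date

    Get-ChildItem -Path Cert:\LocalMachine\My | ForEach-Object {
        $cert = $_
        # Collect EKU OIDs; the Where-Object guard drops a null list.
        $ekuOids = @($cert.EnhancedKeyUsageList |
            Where-Object { $_ } |
            ForEach-Object { $_.ObjectId })

        # A certificate without an EKU extension is usable for every purpose,
        # so it also counts as a server authentication candidate.
        $isCandidate = ($ekuOids.Count -eq 0) -or ($ekuOids -contains $serverAuthOid)
        if (-not $isCandidate) { return }   # skip to the next certificate

        [pscustomobject]@{
            Thumbprint    = $cert.Thumbprint
            Subject       = $cert.Subject
            NotAfter      = $cert.NotAfter
            Expired       = $cert.NotAfter -lt $now
            SelfSigned    = $cert.Subject -eq $cert.Issuer
            HasPrivateKey = $cert.HasPrivateKey
            Selected      = $cert.Thumbprint -eq $SelectedThumbprint
        }
    }
}

# Placeholder: replace with the thumbprint of the certificate RRAS should use.
$inventory = @(Get-ServerAuthCertInventory -SelectedThumbprint '<THUMBPRINT-OF-CHOSEN-CERT>')
$inventory | Sort-Object Selected, Expired -Descending | Format-Table -AutoSize

# Candidates matching what the answer removed: expired or self-signed, not the chosen one.
$review = @($inventory | Where-Object { -not $_.Selected -and ($_.Expired -or $_.SelfSigned) })
'{0} server authentication candidate(s), {1} expired or self-signed to review' -f $inventory.Count, $review.Count
```

Run it in an elevated session on the RRAS server; exporting a certificate before removing it keeps the change reversible.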