avp (Staff)
March 22, 2026

Technical Tip: Configure IPsec dial-up VPN to connect the Windows native VPN client using IKEv2 and signature authentication instead of a pre-shared key

Description

This article explains how to configure an IPsec dial-up VPN on a FortiGate so that the Windows built-in VPN client can connect using IKEv2 and signature (certificate) authentication instead of a pre-shared key.

Scope

FortiGate.

Solution

Prerequisites:

  1. Root CA certificate:
  • It can be a public or a private CA certificate.
  • It has to be installed as a CA certificate on the FortiGate, and also in the Trusted Root Certification Authorities store under Local Machine on the PC.

  2. VPN gateway server certificate:
  • It has to be signed by the Root CA.
  • The CN and SAN fields should contain the IP/FQDN that the client uses to connect to the VPN.
  • Key Usage should include Digital Signature and Key Encipherment.
  • Extended Key Usage should have Server Authentication enabled.
  • In this example, the certificate CSR was generated on the FortiGate and signed by the Root CA.

  3. Client certificate:
  • It has to be signed by the Root CA.
  • Key Usage must have Digital Signature enabled; Certificate Sign and CRL Sign have to be disabled.
  • Extended Key Usage should have Client Authentication enabled; do not select Server Authentication, Code Signing, Secure Email, etc.
  • After creating it, download the certificate in PKCS12 format, setting a password.
  • Then install the certificate in the PC's Personal certificate store under Local Machine, entering the password that was set before.


On the PC, create the VPN connection through the following steps:

Screenshot 2026-03-18 145048.png

Identify the adapter, open its Properties and, under the Security tab, make the following changes:

Screenshot 2026-03-18 145152.png
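The PC-side steps above, together with the client-certificate checks from the prerequisites, can also be scripted. The following PowerShell is an added example, not part of the article or of Fortinet's documentation: it assumes the placeholder server name vpn.example.com (which must equal the CN/SAN of the FortiGate server certificate), the connection name FortiGate-IKEv2 and an elevated session, and it pins the IKE/ESP parameters to values that appear in the FortiGate phase1/phase2 proposals shown later in this article.

```powershell
# Added example (not from the article): create the Windows IKEv2 connection from
# PowerShell instead of the adapter GUI, after checking that the machine-store
# client certificate meets the prerequisites. Placeholders: vpn.example.com and
# the connection name. Run in an elevated PowerShell session on the client PC.

$Server        = 'vpn.example.com'          # must match CN/SAN of the server cert
$ConnName      = 'FortiGate-IKEv2'
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'        # EKU: Client Authentication

# 1. Find a Local Machine certificate with a private key, the Client
#    Authentication EKU, and a chain that validates against the Trusted Root CA store.
$clientCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and
                   ($_.EnhancedKeyUsageList.ObjectId -contains $ClientAuthOid) -and
                   $_.Verify() } |
    Select-Object -First 1
if (-not $clientCert) {
    throw 'No client certificate in Cert:\LocalMachine\My with a private key, Client Authentication EKU and a trusted chain.'
}

# 2. Key Usage must have Digital Signature and must not have Certificate Sign / CRL Sign.
$kuExt = $clientCert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.15' }
$flags = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]
if (-not $kuExt -or
    -not $kuExt.KeyUsages.HasFlag($flags::DigitalSignature) -or
    $kuExt.KeyUsages.HasFlag($flags::KeyCertSign) -or
    $kuExt.KeyUsages.HasFlag($flags::CrlSign)) {
    throw "Client certificate $($clientCert.Thumbprint) has unsuitable Key Usage: $($kuExt.KeyUsages)"
}

# 3. Create the connection: IKEv2 tunnel, machine-certificate authentication,
#    encryption required. No -SplitTunneling, so the default route goes via the tunnel.
Add-VpnConnection -Name $ConnName -ServerAddress $Server -TunnelType Ikev2 `
    -AuthenticationMethod MachineCertificate -EncryptionLevel Required -Force

# 4. Pin IKE/ESP parameters to entries present in the FortiGate proposals:
#    phase1 aes256-sha256 with dhgrp 2, phase2 aes192-sha1 with PFS disabled.
#    If the FortiGate phase2 proposal is tightened (e.g. aes256-sha256), change the
#    two transform constants to AES256 / SHA256128 so the client still matches.
Set-VpnConnectionIPsecConfiguration -ConnectionName $ConnName `
    -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 -DHGroup Group2 `
    -CipherTransformConstants AES192 -AuthenticationTransformConstants SHA196 `
    -PfsGroup None -Force

# 5. Dial (no credentials are needed with machine certificates) and report status.
rasdial $ConnName | Out-Null
Get-VpnConnection -Name $ConnName | Select-Object Name, TunnelType, ConnectionStatus
```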

 

On the FortiGate, create the peer configuration as follows. The peer name is arbitrary, but it must match the name referenced by "set peer" in the phase1-interface configuration:

config user peer
    edit "vpn-cert-peer"    ---> This can be any name
        set ca <Your-Root-CA>    ---> Go to System -> Certificates and identify the CA certificate that was imported.
    next
end


The following configuration is then set on the FortiGate. In the phase1-interface, "CertVPN" is the VPN gateway server certificate from the prerequisites and "vpn-cert-peer" is the peer created above:

config vpn ipsec phase1-interface
    edit "IKEv2"
        set type dynamic
        set interface "port1"
        set ike-version 2
        set authmethod signature
        set net-device disable
        set mode-cfg enable
        set proposal aes128-sha256 aes256-sha256 aes128gcm-prfsha256 aes256gcm-prfsha384 chacha20poly1305-prfsha256
        set comments "VPN: You (Created by VPN wizard)"
        set dhgrp 2
        set wizard-type dialup-windows
        set certificate "CertVPN"
        set peer "vpn-cert-peer"
        set ipv4-start-ip 10.10.10.100
        set ipv4-end-ip 10.10.10.111
    next
end


config vpn ipsec phase2-interface
    edit "IKEv2"
        set phase1name "IKEv2"
        set proposal aes256-md5 3des-sha1 aes192-sha1
        set pfs disable
        set ipv4-df disable
        set replay enable
        set keepalive disable
        set add-route phase1
        set inbound-dscp-copy phase1
        set auto-discovery-sender phase1
        set auto-discovery-forwarder phase1
        set keylife-type seconds
        set encapsulation tunnel-mode
        set comments "VPN: You (Created by VPN wizard)"
        set initiator-ts-narrow disable
        set diffserv disable
        set protocol 0
        set src-addr-type subnet
        set src-port 0
        set dst-addr-type subnet
        set dst-port 0
        set keylifeseconds 3600
        set src-subnet 0.0.0.0 0.0.0.0
        set dst-subnet 0.0.0.0 0.0.0.0
    next
end


config firewall policy
    edit 13
        set name "Internal Policy"
        set uuid 8d867ff2-16d9-51f1-a161-c8c8026d5b99
        set srcintf "IKEv2"
        set dstintf "Loopback"
        set action accept
        set srcaddr "IKEv2_range"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set comments "VPN: You (Created by VPN wizard)"
    next
    edit 12
        set name "Internet Policy"
        set uuid 3393518e-16e6-51f1-cb53-75e547dfbfb6
        set srcintf "IKEv2"
        set dstintf "port1"
        set action accept
        set srcaddr "IKEv2_range"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end


Now the connection can be verified as follows:

  1. From the PC:

Screenshot 2026-03-18 145516.png

Screenshot 2026-03-18 145549.png

The PC's default route now points via the VPN tunnel IP 10.10.10.100.

Screenshot 2026-03-18 145642.png

Via the tunnel, the PC is able to reach the FortiGate loopback interface configured for testing purposes.

  2. From the FortiGate:

Screenshot 2026-03-18 145741.png

IPsec Monitor shows the connected user.

Screenshot 2026-03-18 145815.png

The FortiGate VPN event logs show the negotiation status as successful.

While pinging 8.8.8.8 from the PC, the following entry appeared in the forward traffic logs (the srcintf and policyname values reflect the wizard name "You" seen in the comments fields above):


date=2026-03-03 time=16:00:52 eventtime=1772533851631372537 tz="+0530" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" srcip=10.10.10.100 identifier=1 srcintf="You" srcintfrole="undefined" dstip=8.8.8.8 dstintf="port1" dstintfrole="undefined" srccountry="Reserved" dstcountry="United States" sessionid=10875999 proto=1 action="accept" policyid=12 policytype="policy" poluuid="3393518e-16e6-51f1-cb53-75e547dfbfb6" policyname="You" service="PING" trandisp="snat" transip=10.5.135.146 transport=0 appcat="unscanned" duration=63 sentbyte=240 rcvdbyte=240 sentpkt=4 rcvdpkt=4 vpntype="ipsecvpn"