yzayani
Staff
May 20, 2026

Troubleshooting Tip: IKEv2 Gateway Validation Failure with Multiple OU Fields


Description


This article describes an issue where IKEv2 VPN negotiation fails with the error 'gw validation failed' when certificate-based authentication is used together with EAP and the peer certificate subject contains multiple OU fields.


Scope


FortiGate.



Solution


Remote users may be unable to establish the VPN tunnel.


The following behavior may be observed:

  1. IKE_SA_INIT completes successfully.

  2. NAT-T detection succeeds.

  3. AUTH fragments are received and reassembled.

  4. The tunnel fails during authentication.

  5. No LDAP lookup is performed.

  6. Some users may connect successfully while others fail.


IKE debug logs (diagnose debug application ike -1) may show:


received peer identifier DER_ASN1_DN: ...
re-validate gw ID
gw validation failed
schedule delete of IKE SA


Additional logs may include:

responder received AUTH msg
re-validate gw ID
gw validation failed
connection expiring due to phase1 down

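The log fragments above identify the failing SA but not which peers share the subject shape the title points to. The following script is an added example, not part of the article or of FortiOS: it groups IKE debug lines by SA, pulls the DER_ASN1_DN peer identifier, and lists the SAs that logged 'gw validation failed' with a subject carrying more than one OU. The sample debug output is constructed, and the line prefix (ike 0:<gateway>:<sa>:) and the quoted RFC 4514-style DN string are assumptions about the debug format, not taken from the article.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of IKE debug output (not from the article). The prefix
# layout and the quoted DN string are assumptions about the debug format.
SAMPLE_DEBUG = """\
ike 0:VPN_IPsecDialUp:123: responder received AUTH msg
ike 0:VPN_IPsecDialUp:123: received peer identifier DER_ASN1_DN 'C = US, O = Example Corp, OU = Engineering, OU = VPN Users, CN = alice'
ike 0:VPN_IPsecDialUp:123: re-validate gw ID
ike 0:VPN_IPsecDialUp:123: gw validation failed
ike 0:VPN_IPsecDialUp:123: schedule delete of IKE SA
ike 0:VPN_IPsecDialUp:124: responder received AUTH msg
ike 0:VPN_IPsecDialUp:124: received peer identifier DER_ASN1_DN 'C = US, O = Example Corp, OU = Engineering, CN = bob'
ike 0:VPN_IPsecDialUp:124: re-validate gw ID
"""

SA_RE = re.compile(r"^ike \d+:(?P<gw>[^:]+):(?P<sa>\d+): (?P<msg>.*)$")
DN_RE = re.compile(r"received peer identifier DER_ASN1_DN '(?P<dn>[^']*)'")


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split an RFC 4514-style DN string into (attribute, value) pairs.

    Splits only on commas that are not escaped with a backslash, so a value
    such as "Smith\\, John" stays intact; the escape is removed from the value.
    """
    pairs = []
    for rdn in re.split(r"(?<!\\),", dn):
        rdn = rdn.strip()
        if not rdn:
            continue
        attr, _, value = rdn.partition("=")
        pairs.append((attr.strip().upper(), value.strip().replace("\\,", ",")))
    return pairs


def ou_values(dn: str) -> List[str]:
    """All OU values in the DN, in order; more than one means a multi-OU subject."""
    return [value for attr, value in parse_dn(dn) if attr == "OU"]


def triage(debug_output: str) -> Dict[str, dict]:
    """Group debug lines by IKE SA id, recording the peer DN and whether
    gateway validation failed for that SA."""
    sas: Dict[str, dict] = {}
    for line in debug_output.splitlines():
        m = SA_RE.match(line)
        if not m:
            continue
        entry = sas.setdefault(
            m["sa"], {"gateway": m["gw"], "peer_dn": None, "gw_validation_failed": False}
        )
        d = DN_RE.search(m["msg"])
        if d:
            entry["peer_dn"] = d["dn"]
        if "gw validation failed" in m["msg"]:
            entry["gw_validation_failed"] = True
    return sas


def suspects(debug_output: str) -> List[str]:
    """SA ids that failed gateway validation and presented a subject with more
    than one OU, the combination the article's title describes."""
    return [
        sa
        for sa, entry in triage(debug_output).items()
        if entry["gw_validation_failed"]
        and entry["peer_dn"] is not None
        and len(ou_values(entry["peer_dn"])) > 1
    ]


if __name__ == "__main__":
    for sa in suspects(SAMPLE_DEBUG):
        entry = triage(SAMPLE_DEBUG)[sa]
        print(f"SA {sa} on {entry['gateway']}: OU={ou_values(entry['peer_dn'])}")
```

Run it against captured debug output instead of SAMPLE_DEBUG to confirm that the failing users are the ones whose certificates carry several OU attributes while the users who connect have a single OU; that correlation supports the diagnosis before applying a workaround.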

This issue is resolved in FortiOS v7.4.12 and FortiOS v7.6.7.


Workaround:

If upgrading is not immediately possible, one of the following workarounds may help. Both relax the certificate subject check enforced by the peer entry, so authentication then rests on CA trust (the certificate must still chain to a trusted CA) plus the EAP credentials. Treat them as temporary and revert after upgrading.


Workaround 1: remove the subject constraint from the user peer entry.

config user peer
    edit "LDAP-Peer"
        unset subject
    next
end


Workaround 2: accept any certificate peer on the phase1 interface.

config vpn ipsec phase1-interface
    edit "VPN_IPsecDialUp"
        set peertype any
    next
end