sfrati
Staff
January 21, 2026

Troubleshooting Tip: IKEv2 remote access VPN certificate validation issue 'peer id does not match cert'

Description

This article describes a common issue encountered when deploying a new IPsec IKEv2 remote access VPN that uses certificate-based client authentication: the tunnel fails to establish with the error message 'peer id does not match cert'. This article provides a step-by-step guide to resolving the issue.

Scope

FortiGate 7.4.5+.
Solution

To resolve the IKEv2 Remote Access VPN certificate validation issue, follow these steps:

  1. Make sure the certificate is properly configured and that the subject alternative name (SAN) field contains the correct principal name.
  2. Check the IKEv2 settings on the client side to ensure that the ID type is set to ASN1DN, so that the subject of the certificate is sent as the IKE ID.
  3. If the steps above do not resolve the issue, disable the cert-id-validation parameter on the FortiGate. By default, 'cert-id-validation' is enabled under 'config vpn ipsec phase1-interface'.

To disable it, run the following commands, replacing VPN_Interface with the name of the phase1 interface:

config vpn ipsec phase1-interface
    edit VPN_Interface
        set cert-id-validation disable
    next
end

  4. Alternatively, the administrator can create a new client certificate that includes the RFC822 name in the subject alternative name field.
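The identity checks behind the steps above (which Subject DN the client will send with ID type ASN1DN, and whether the SAN carries the expected RFC822 name) can be rehearsed offline before changing anything on the FortiGate. The script below is an added example and not part of the original article; it assumes the openssl CLI (1.1.1 or later) is installed, and the certificate path and e-mail address are placeholders supplied by the caller.

```shell
#!/bin/sh
# Added example, not from the original article: inspect a client certificate
# the way the FortiGate's cert-id-validation check will see it. With ID type
# ASN1DN the client sends its certificate Subject DN as the IKE ID; with an
# e-mail style ID the RFC822 name must be present in the SAN. Assumes the
# openssl CLI (1.1.1 or later); certificate and e-mail values are placeholders.

# cert_subject CERT_PEM -> prints the Subject DN in RFC 2253 form
cert_subject() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject=//'
}

# san_has_email CERT_PEM EMAIL -> exit 0 if the SAN carries email:EMAIL
san_has_email() {
    openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null \
        | tr ',' '\n' \
        | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' \
        | grep -qx "email:$2"
}

# make_test_cert OUT_PEM EMAIL -> self-signed test certificate (constructed
# data for trying the checks offline; not a certificate from the article)
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout /dev/null -out "$1" \
        -days 1 -subj "/CN=vpnuser/O=Example" \
        -addext "subjectAltName=email:$2" >/dev/null 2>&1
}

# Usage: sh check_cert_id.sh client.pem user@example.com
if [ "$#" -eq 2 ]; then
    echo "Subject DN sent as IKE ID with ASN1DN: $(cert_subject "$1")"
    if san_has_email "$1" "$2"; then
        echo "SAN contains email:$2"
    else
        echo "SAN does not contain email:$2 (reissue the certificate or adjust the IKE ID)"
        exit 1
    fi
fi
```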

Related articles:

  • Technical Tip: Certificate authentication for IKEv2 VPN with RADIUS or LDAP user authentication
  • Technical Tip: Certificate Authentication for FortiClient remote access dialup IPsec clients with SAML user authentication
  • IPsec IKEv2 VPN 2FA with EAP and certificate authentication | FortiOS Administration Guide