Troubleshooting Tip: IPsec VPN error 'certificate validation before eap failed' with IKEv2
| Description | This article describes how to troubleshoot the error 'certificate validation before EAP failed' when connecting to a dial-up IPsec VPN after switching from signature to pre-shared key authentication. |
| Scope | FortiGate. |
| Solution | When switching from signature authentication to the pre-shared key (PSK) method combined with EAP in IKEv2, VPN clients may experience connection failure with the error 'certificate validation before eap failed'. Collect the IKE debug output with the following commands:
diagnose debug reset
diagnose debug application ike -1
diagnose debug enable
Stop the debug processes after collecting the output by using the following commands:
diagnose debug disable
diagnose debug reset
This issue can happen if the 'set eap-cert-auth enable' command was used before changing the authentication method from 'set authmethod signature' to 'set authmethod psk'. When switching to PSK using the command 'set authmethod psk', the 'set eap-cert-auth enable' option becomes hidden, but it still remains active in Phase1. To avoid problems, disable 'set eap-cert-auth' before changing the authentication method to PSK.
After disabling 'set eap-cert-auth', try to reconnect the VPN and confirm the connection. |
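The leftover-setting condition described above can be checked across many tunnels with a short script. This is an added example, not Fortinet code: it assumes the exported configuration text still lists the `eap-cert-auth` line for the affected Phase1, and the sample configuration and tunnel names are constructed.

```python
# Constructed sample config text (not from the article); tunnel names are made up.
SAMPLE_CONFIG = """
config vpn ipsec phase1-interface
    edit "dialup-a"
        set ike-version 2
        set authmethod psk
        set eap-cert-auth enable
        config ipv4-exclude-range
            edit 1
            next
        end
    next
    edit "dialup-b"
        set ike-version 2
        set authmethod signature
        set eap-cert-auth enable
    next
    edit "dialup-c"
        set ike-version 2
    next
end
"""

def parse_phase1(text):
    """Return {tunnel name: {option: value}} for phase1-interface entries."""
    tunnels, current, depth = {}, None, 0  # depth 1 = the table, >1 = nested config
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            if depth or line == "config vpn ipsec phase1-interface":
                depth += 1
        elif line == "end" and depth:
            depth -= 1
        elif depth == 1 and line.startswith("edit "):
            current = tunnels.setdefault(line[5:].strip('" '), {})
        elif depth == 1 and line == "next":
            current = None
        elif depth == 1 and current is not None and line.startswith("set "):
            key, _, value = line[4:].partition(" ")
            current[key] = value.strip('" ')
    return tunnels

def stale_eap_cert_auth(text):
    """IKEv2 tunnels with eap-cert-auth enabled but not using signature auth."""
    # Assumption: a missing authmethod line means the default, taken here to be psk.
    return sorted(name for name, opts in parse_phase1(text).items()
                  if opts.get("ike-version") == "2"
                  and opts.get("eap-cert-auth") == "enable"
                  and opts.get("authmethod", "psk") != "signature")
```

Calling `stale_eap_cert_auth()` on exported configuration text returns the Phase1 names to review; for the constructed sample it returns only `dialup-a`.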


