Question
FortiClient - IPsec IKEv2 VPN (X.509) works on local account but not on Entra ID / Intune-managed device

  • April 22, 2026

Hi,

I’m having an issue with FortiClient IPsec VPN (IKEv2) using X.509 certificate authentication.

I get a timeout when connecting.

Setup:

  • Windows 11
  • Device Entra ID joined and enrolled in Intune
  • FortiClient VPN (free) 7.4.3.4726
  • IPsec VPN, IKEv2, certificate (X.509)
  • Encapsulation: Auto
  • Ports open: UDP 500, TCP 443

Issue:

  • ✅ VPN connects successfully when I sign in to Windows using a local account
  • ❌ VPN fails when I sign in using a work account (Microsoft Entra ID)
  • No changes were made to the VPN configuration, certificates, or FortiGate
  • The same VPN profile works on devices not enrolled in Intune

This strongly suggests a conflict related to the Intune / Entra ID device context, not the gateway or the certificate itself. I should add that there are no policies in Intune that could restrict VPN functionality.

Question:

  • Are there known issues or limitations with IPsec IKEv2 + X.509 certificates on Intune-managed, Entra ID-joined devices?
  • Is a device certificate required instead of a user certificate in this scenario?

Any insights would be appreciated. Thanks!


    funkylicious
    SuperUser
    April 22, 2026

    hi,

    When the work account is used, does it have access to read/use the installed certificate?

    Maybe this helps: https://docs.fortinet.com/document/forticlient/7.4.6/administration-guide/421362/access-to-certificates-in-windows-certificates-stores

    "jack of all trades, master of none"
    Ause (Author)
    New Member
    April 27, 2026

    Thanks for the tip. I managed to resolve the issue; it turned out I needed one more certificate, which I had to install in the “Trusted Root Certification Authorities” store.
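
The two things the thread turns on, whether the signed-in account can actually use the client certificate's private key and whether the certificate chains to a trusted root in that account's context, can be checked from PowerShell before touching the FortiGate. The script below is an added example, not code from the original posts or from Fortinet; it assumes the VPN client certificate was issued by a CA whose subject contains the substring `VPN-CA` (a placeholder, adjust `$IssuerMatch`) and that it lives in either the `CurrentUser\My` or `LocalMachine\My` store. Run it while signed in as the account that fails (the Entra ID work account), because `Cert:\CurrentUser` is per-profile and a certificate enrolled under the local account is simply not there for a different user.

```powershell
# Added example (not part of the original thread). Assumption: the VPN client
# certificate's issuer subject contains 'VPN-CA'; change this to match your CA.
$IssuerMatch = 'VPN-CA'

function Test-VpnClientCert {
    param([string]$Issuer = $IssuerMatch)

    $stores = 'Cert:\CurrentUser\My', 'Cert:\LocalMachine\My'
    $found = foreach ($s in $stores) {
        Get-ChildItem -Path $s | Where-Object { $_.Issuer -like "*$Issuer*" } |
            ForEach-Object { [pscustomobject]@{ Store = $s; Cert = $_ } }
    }
    if (-not $found) {
        Write-Warning "No certificate issued by '*$Issuer*' visible to $env:USERNAME in $($stores -join ', ')"
        return
    }

    foreach ($entry in $found) {
        $c = $entry.Cert
        Write-Host "`n$($entry.Store)  $($c.Subject)  (thumbprint $($c.Thumbprint))"

        # 1. Is the private key present AND readable by the *current* sign-in account?
        #    A certificate in LocalMachine\My is visible to everyone, but the key's
        #    ACL may still deny a non-admin Entra ID user; opening the key exposes that.
        if (-not $c.HasPrivateKey) {
            Write-Warning 'Private key not present (public certificate only)'
        } else {
            try {
                $key = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($c)
                if (-not $key) {
                    $key = [System.Security.Cryptography.X509Certificates.ECDsaCertificateExtensions]::GetECDsaPrivateKey($c)
                }
                if ($key) { Write-Host 'Private key: readable by this account' }
                else      { Write-Warning 'Private key present but of an unsupported algorithm' }
            } catch {
                Write-Warning "Private key present but NOT accessible: $($_.Exception.Message)"
            }
        }

        # 2. Does the chain build to a trusted root as seen by this account?
        #    A missing issuing/root CA in 'Trusted Root Certification Authorities'
        #    shows up here as PartialChain or UntrustedRoot.
        $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
        $chain.ChainPolicy.RevocationMode = 'NoCheck'   # offline check; switch to 'Online' if the CRL/OCSP endpoint is reachable
        if ($chain.Build($c)) {
            $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
            Write-Host "Chain: OK ($($chain.ChainElements.Count) elements, root = $($root.Subject))"
        } else {
            $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
            Write-Warning "Chain does NOT build: $status"
        }
        $chain.Dispose()
    }
}

Test-VpnClientCert
```

If the script reports the certificate only under `Cert:\CurrentUser\My` when run as the local account and nothing when run as the work account, the certificate needs to be enrolled for the work account or placed in `LocalMachine\My` with the key ACL granting that user read access (the Fortinet page linked above covers which stores FortiClient reads). If the chain fails with `PartialChain` or `UntrustedRoot`, the fix is the one the author found: import the missing CA certificate into Trusted Root Certification Authorities (and any intermediate CA into Intermediate Certification Authorities) for the machine, not just for one user's profile.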