CXDaniel
New Member
November 3, 2015
Question

IPSEC DialUp with Certificate


Hello,

 

I'd like to create an IPsec DialUp tunnel with FortiClients at the remote site using certificates. I've already created the tunnel and imported the self-signed server certificate and CA certificate on the FortiGate and the self-signed client certificate on the client. Additionally, I added the CA and server certificate to the trusted certificates pool in Windows. This brings me to my first question: is this even necessary?

The DialUp tunnel is working properly with pre-shared keys. I've already run diag debug app ike -1, but this doesn't help me much, since I only see that there is a mismatch with the certificates. In the attached file you can see the output of the debug command. (The localVPN is a site-to-site tunnel.)

 

Thanks in advance!

 

Daniel