New Member

Solved

IPsec IKEv2 Dialup using LDAP Machine Cert authentication

Forum|Forum|7 months ago
October 31, 2025
4 replies
4702 views

I have been making no progress on this for weeks now. Using FortiClient 7.4.4 I am unable to successfully configure an IPsec IKEv2 remote VPN connection using LDAP machine certificate (not a user certificate) authentication. We have an internal Windows CA. All clients have a Machine certificate issued by our internal CA with an EKU for Client Authentication and the FQDN set in the certs subject name (ex: CN= ComputerName, OU=Computers, DC=domainname, DC=local) in their local computer personal store. All client machines also have our internal CA’s root certificate in their local computer Trusted Toot Certification Authority store. The FortiGate has a server certificate installed that was issued from our internal CA (appears properly in the FG Local Certificate store) and it also has our internal CA’s root certificate (appears properly in the FG Remote Certificate store).

All of the Certificates mentioned above are still valid and not expired.

The machine certs currently work when used to connect to our current SSL VPN and also for our WiFi, further indicating that the machine certificates are valid and should work with the IPsec VPN.

When trying to connect I get a “ CertificateSignFailed” error message in FortiClient.

If I use a user certificate for authentication with the IPsec IKEv2 VPN instead of the machine cert, it connects with out issue. This indicates to me that the other certificates in the chain are valid.

There has got to be a configuration setting that I am missing to get this VPN to work using machine certs, but for the life of me I can not find it. All of the documentation I have come across for IPsec IKEv2 configurations is for user certs.

I also can’t find any known issues related to IPsec LDAP machine certificate authentication. Can anyone post a basic working config that I can try. I would like to use this to enable pre-Windows logon authentication.

Thanks in advance.

Best answer by FortiNet_Newb

@funkylicious,

Thank you for all of your help. This does indeed appear to be an issue with FortiClient v. 7.4.4. I installed FortiClient 7.4.3 and was able to connect with the Machine certificate with no other changes.

Unfortunately, the reason I installed 7.4.4 to begin with was to enable the use of FortiToken MFA using ldap user accounts along with requiring certificate authentication. This ability, when using IKEv2, was supposed to be an added feature of 7.4.4. It does work correctly when using a user certificate, but does not seem to currently work when using a machine certificate (which is required to enable VPN before logon).

I guess I'll just have to stick with our SSL VPN a little longer until they get these issues worked out in a future release. sigh....

funkylicious

SuperUser

hi,

have you gone through

https://community.fortinet.com/t5/FortiGate/Technical-Tip-IKEv2-dial-up-VPN-with-LDAP-and-Certificate-as/ta-p/406277

https://docs.fortinet.com/document/fortigate/7.6.3/administration-guide/432323/cross-validation-for-ipsec-vpn

https://docs.fortinet.com/document/fortigate/7.6.3/administration-guide/298520/ipsec-ikev2-vpn-2fa-with-eap-and-certificate-authentication

"jack of all trades, master of none"

FortiNet_NewbAuthor

New Member

@funkylicious,

Yes, I've gone through each and have am still unsuccessful. To make it easy, my computer certs include their User Principal Name in the SAN field of the certificate, as that seems to be what the FG expects as a default. I've also tried configuring the FG to compare with the dns name or the cn names instead and get the same result.

funkylicious

SuperUser

hi,

this is my working IPsec IKEv2 with LDAP user and client cert I tested

LAB-IT (root) # show user ldap     edit "LAB-AD-LDAPS"         set server "192.168.200.201"         set server-identity-check disable         set cnid "sAMAccountName"         set dn "dc=lab"         set type regular         set username "LAB\\labadmin"         set password <>         set secure ldaps         set ca-cert "root-LAB"         set port 636     next end  LAB-IT (root) # show user peer config user peer     edit "LAB-pki"         set ca "root-LAB"         set mfa-mode subject-identity         set mfa-server "LAB-AD-LDAPS"     next end  LAB-IT (root) # show user peergrp config user peergrp     edit "LAB-pki-grp"         set member "LAB-pki"     next end   LAB-IT (root) # show vpn ipsec phase1-interface config vpn ipsec phase1-interface     edit "RA-cert"         set type dynamic         set interface "wan1"         set ike-version 2         set authmethod signature         set peertype peergrp         set net-device disable         set mode-cfg enable         set proposal aes128-sha256 aes256-sha256         set dpd on-idle         set dhgrp 14         set eap enable         set eap-identity send-request         set eap-cert-auth enable         set network-overlay enable         set network-id 1         set certificate "LAB-FGT"         set peergrp "LAB-pki-grp"         set assign-ip-from name         set ipv4-split-include "DialUP_split"         set ipv4-name "IPsec-cert_range"         set save-password enable         set dpd-retryinterval 60     next end

After connecting:

LAB-IT (root) # diagnose vpn ike gateway list  vd: root/0 name: RA-cert_0 version: 2 interface: wan1 17 addr: IPsec-WAN:4500 -> USER-WAN:64917 tun_id: 10.0.2.50/::10.0.0.18 remote_location: 0.0.0.0 network-id: 1 transport: UDP created: 18s ago eap-user: myname groups:   RA-cert-grp 6 peer-id: DC = lab, OU = LAB-Users, CN = My Name peer-id-auth: yes FortiClient UID: 3FC3FE2517A34882BA1BABB6C9B5C50D assigned IPv4 address: 10.0.2.50/255.255.255.255 nat: peer IKE SA: created 1/1  established 1/1  time 90/90/90 ms IPsec SA: created 1/1  established 1/1  time 0/0/0 ms    id/spi: 112 ba34d2c8c634f3f9/ee39ce955c3482be   direction: responder   status: established 18-18s ago = 90ms   proposal: aes128-sha256   lifetime/rekey: 86400/86111   DPD sent/recv: 00000000/00000000   peer-id: DC = lab, OU = LAB-Users, CN = My Name   peer-group: LAB-pki-grp

I am using EMS 7.4.4 and FCT 7.4.3 IKEv2 w/ EAP-TTLS and network id ( i have another IKEv2 tunnel configured, to diff them ) but I think IKEv1 will also work.

My cert configured and signed by the CA is installed in Personal ( if you generate it somewhere else and import it you must also have the private key - pfx file ) and on the FGT i've created a CSR and signed it by the same CA ( root-LAB ) then imported it ( LAB-FGT ).

Hope it helps.

L.E. computer certificate also works, if you unset mfa-mode / mfa-server otherwise, it will fail with :

ike V=root:0:RA-cert:149: fnbam cert group matching failed
ike V=root:0:RA-cert:149: certificate validation failed
ike V=root:0:RA-cert:149: certificate validation before eap failed
ike V=root:0:RA-cert:149: auth verify done
ike V=root:0:RA-cert:149: responder AUTH continuation
ike V=root:0:RA-cert:149: authentication failed

"jack of all trades, master of none"

FortiNet_NewbAuthor

New Member

@funkylicious,

Thank you for your help, it is much appreciated. Your config is very similar to the one I was attempting to use. I tried your config just incase the minor variations were causing the issue, but I get the same result. It is able to connect successfully when using a user cert, but fails when attempting to connect using the machine cert.

I'm running FortiOS 7.4.9 on the FG and using FortiClient 7.4.4. I may need to move back down to FC 7.4.3, since you seem to be able to connect with a Machine cert.

Below are my IKE Debugs:

My_FortiGate # ike V=root:0: comes 192.168.1.100:59785->999.999.999.999:4500,ifindex=47,vrf=0,len=626....

ike V=root:0: IKEv2 exchange=SA_INIT id=4e4531924d116d66/0000000000000000 len=622

ike 0: in 4E4531924D116D66000000000000000021202208000000000000026E2200008C0200004401010007030000080300000C0300000C0100000C800E0080030000080400000E03000008020000050300000802000006030000080200000700000008020000020000004402010007030000080300000C0300000C0100000C800E0100030000080400000E030000080200000503000008020000060300000802000007000000080200000228000108000E000098E83F52D……

ike V=root:0:4e4531924d116d66/0000000000000000:286: responder received SA_INIT msg

ike V=root:0:4e4531924d116d66/0000000000000000:286: VID forticlient connect license 4C53427B6D465D1B337BB755A37A7FEF58E4BA13F67F0000

ike V=root:0:4e4531924d116d66/0000000000000000:286: VID Fortinet Endpoint Control B4F01CA951E9DA8D0BAFBBD34AD3044E78E4BA13F67F0000

ike V=root:0:4e4531924d116d66/0000000000000000:286: VID Forticlient EAP Extension C1DC4350476B98A429B91781914CA43E28EB3A1A32000000

ike V=root:0:4e4531924d116d66/0000000000000000:286: received notify type NAT_DETECTION_SOURCE_IP

ike V=root:0:4e4531924d116d66/0000000000000000:286: received notify type NAT_DETECTION_DESTINATION_IP

ike V=root:0:4e4531924d116d66/0000000000000000:286: received notify type SIGNATURE_HASH_ALGORITHMS

ike V=root:0:4e4531924d116d66/0000000000000000:286: incoming proposal:

ike V=root:0:4e4531924d116d66/0000000000000000:286: proposal id = 1:

ike V=root:0:4e4531924d116d66/0000000000000000:286: protocol = IKEv2:

ike V=root:0:4e4531924d116d66/0000000000000000:286: encapsulation = IKEv2/none

ike V=root:0:4e4531924d116d66/0000000000000000:286: type=ENCR, val=AES_CBC (key_len = 128)

ike V=root:0:4e4531924d116d66/0000000000000000:286: type=INTEGR, val=AUTH_HMAC_SHA2_256_128

ike V=root:0:4e4531924d116d66/0000000000000000:286: type=PRF, val=PRF_HMAC_SHA

ike V=root:0:4e4531924d116d66/0000000000000000:286: type=PRF, val=PRF_HMAC_SHA2_512

ike V=root:0:4e4531924d116d66/0000000000000000:286: type=PRF, val=PRF_HMAC_SHA2_384

ike V=root:0:4e4531924d116d66/0000000000000000:286: type=PRF, val=PRF_HMAC_SHA2_256

ike V=root:0:4e4531924d116d66/0000000000000000:286: type=DH_GROUP, val=MODP2048.

ike V=root:0:4e4531924d116d66/0000000000000000:286: proposal id = 2:

ike V=root:0:4e4531924d116d66/0000000000000000:286: protocol = IKEv2:

ike V=root:0:4e4531924d116d66/0000000000000000:286: encapsulation = IKEv2/none

ike V=root:0:4e4531924d116d66/0000000000000000:286: type=ENCR, val=AES_CBC (key_len = 256)

ike V=root:0:4e4531924d116d66/0000000000000000:286: type=INTEGR, val=AUTH_HMAC_SHA2_256_128

ike V=root:0:4e4531924d116d66/0000000000000000:286: type=PRF, val=PRF_HMAC_SHA

ike V=root:0:4e4531924d116d66/0000000000000000:286: type=PRF, val=PRF_HMAC_SHA2_512

ike V=root:0:4e4531924d116d66/0000000000000000:286: type=PRF, val=PRF_HMAC_SHA2_384

ike V=root:0:4e4531924d116d66/0000000000000000:286: type=PRF, val=PRF_HMAC_SHA2_256

ike V=root:0:4e4531924d116d66/0000000000000000:286: type=DH_GROUP, val=MODP2048.

ike V=root:0:4e4531924d116d66/0000000000000000:286: matched proposal id 1

ike V=root:0:4e4531924d116d66/0000000000000000:286: proposal id = 1:

ike V=root:0:4e4531924d116d66/0000000000000000:286: protocol = IKEv2:

ike V=root:0:4e4531924d116d66/0000000000000000:286: encapsulation = IKEv2/none

ike V=root:0:4e4531924d116d66/0000000000000000:286: type=ENCR, val=AES_CBC (key_len = 128)

ike V=root:0:4e4531924d116d66/0000000000000000:286: type=INTEGR, val=AUTH_HMAC_SHA2_256_128

ike V=root:0:4e4531924d116d66/0000000000000000:286: type=PRF, val=PRF_HMAC_SHA2_256

ike V=root:0:4e4531924d116d66/0000000000000000:286: type=DH_GROUP, val=MODP2048.

ike V=root:0:4e4531924d116d66/0000000000000000:286: lifetime=86400

ike V=root:0:4e4531924d116d66/0000000000000000:286: SA proposal chosen, matched gateway My-IPsec-VPN

ike V=root:0:My-IPsec-VPN:My-IPsec-VPN: created connection: 0x5561008c30 47 999.999.999.999->192.168.1.100:59785.

ike V=root:0:My-IPsec-VPN:286: processing notify type NAT_DETECTION_SOURCE_IP

ike V=root:0:My-IPsec-VPN:286: processing NAT-D payload

ike V=root:0:My-IPsec-VPN:286: NAT detected: PEER

ike V=root:0:My-IPsec-VPN:286: process NAT-D

ike V=root:0:My-IPsec-VPN:286: processing notify type NAT_DETECTION_DESTINATION_IP

ike V=root:0:My-IPsec-VPN:286: processing NAT-D payload

ike V=root:0:My-IPsec-VPN:286: NAT detected: ME PEER

ike V=root:0:My-IPsec-VPN:286: process NAT-D

ike V=root:0:My-IPsec-VPN:286: processing notify type SIGNATURE_HASH_ALGORITHMS

ike V=root:0:My-IPsec-VPN:286: FEC vendor ID received FEC but IP not set

ike 0:My-IPsec-VPN:286: FCT EAP 2FA extension vendor ID received

ike V=root:0:My-IPsec-VPN:286: responder preparing SA_INIT msg

ike V=root:0:My-IPsec-VPN:286: create NAT-D hash local 999.999.999.999/4500 remote 192.168.1.100/59785

ike V=root:0:My-IPsec-VPN:286: sending CERTREQ payload (len=21)

ike V=root:0:My-IPsec-VPN:286: certreq[0]: 'DE611F4514795A658F3A617E24A17292045C506A'

ike 0:My-IPsec-VPN:286: out 4E4531924D116D6636CC22DE3413CF572120222000000000000001B9220000300000002C010100040300000C0100000C800E00800300000802000005030000080300000C000000080400000E28000108000E000084E1D1ECDF56AF02AEA3C210056CB29FEDD9FFB34DE933E5AFD700EB0C8AF4F30FA2752F3BB9B4DA346A9BD46FCAFD55A07A9AF567F5FE2D…….

ike V=root:0:My-IPsec-VPN:286: sent IKE msg (SA_INIT_RESPONSE): 999.999.999.999:4500->192.168.1.100:59785, len=441, vrf=0, id=4e4531924d116d66/36cc22de3413cf57, oif=47

ike 0:My-IPsec-VPN:286: IKE SA 4e4531924d116d66/36cc22de3413cf57 SK_ei 16:687B168C0DB8F362141B198B41F88128

ike 0:My-IPsec-VPN:286: IKE SA 4e4531924d116d66/36cc22de3413cf57 SK_er 16:F629E19F00F928EC2B7973AE6DB01C42

ike 0:My-IPsec-VPN:286: IKE SA 4e4531924d116d66/36cc22de3413cf57 SK_ai 32:9E571000676274B06B6C379E9F0DA1DF26D250D395A6AC8115FBADDD107F7775

ike 0:My-IPsec-VPN:286: IKE SA 4e4531924d116d66/36cc22de3413cf57 SK_ar 32:53E8113A27AD1A2C0794B335518D1231C9E9DD961CEE7AC9BCD41554D8B092AA <-- Machine Cert Connection attempt dies right here, and throws a "CertificateSignFailed" error in FortiClient

If I use a User Cert instead the connection attempt is able to continue on from that point with -->

ike V=root:0: comes 192.168.1.100:53295->999.999.999.999:4500,ifindex=47,vrf=0,len=2532....

ike V=root:0: IKEv2 exchange=AUTH id=1853c55dacb84fb9/50e180db3dc23c56:00000001 len=2528

ike 0: in 1853C55DACB84FB950E180DB3DC23C562E20230800000001000009E0230009C48705F9A97DED98540153D251971283E8BC137805CB626A96EF657878BBD3205555CE735777DAB207C98E416223F0B8E5B16E323A7C22C8B7641D276FA7CAE0C320FBEC5DB8E881F8….. and connect successfully

FortiNet_NewbAuthorAnswer

New Member

@funkylicious,

Thank you for all of your help. This does indeed appear to be an issue with FortiClient v. 7.4.4. I installed FortiClient 7.4.3 and was able to connect with the Machine certificate with no other changes.

Unfortunately, the reason I installed 7.4.4 to begin with was to enable the use of FortiToken MFA using ldap user accounts along with requiring certificate authentication. This ability, when using IKEv2, was supposed to be an added feature of 7.4.4. It does work correctly when using a user certificate, but does not seem to currently work when using a machine certificate (which is required to enable VPN before logon).

I guess I'll just have to stick with our SSL VPN a little longer until they get these issues worked out in a future release. sigh....

iulian

Visitor III

You need to allow forticlient user to use the machine certs. This setting is not available in the forticlient GUI, so you would need to backup the config file, make changes and upload it into forticlient. Or just use EMS and make all the changes.

How to use certificates from Local machin... - Fortinet Community

FortiNet_NewbAuthor

New Member

Trust me, the option to allow non-administrator accounts to use machine cert option was enabled in the IPsec settings. This was not the issue.

Regardless, I am happy to report that the recently released FortiClient v7.4.5 resolved all of the issues. I am now able to successfully connect using IPsec IKEv2 (over TCP or UDP), while using FortiToken MFA mobile push (using LDAP accounts), and machine certs (user certs still work too).

Looks like I can finally start to move away from SSL VPN.

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded