Pauta
New Member
November 12, 2025
Question

VPN IPSEC IKE (1 or 2) certificate-based authentication does not work with Forticlient VPN

  • November 12, 2025
  • 2 replies
  • 936 views

Hello everyone,

I'm having the following problem: I'm migrating configurations from an ASA with an SSL-based VPN that uses certificates to authenticate users (certificate-based authentication). I've tried to migrate this to a FortiGate 100F running Windows 7.6.4, which uses IPsec with IKE (version 1 or version 2), but I haven't been able to get it to work, even after configuring both the FortiGate and FortiClient VPN (the free version without EMS).

After much trial and error, I concluded that when using FortiClient VPN, the certificate only works for Phase 1 authentication of IPSec, essentially replacing the IPSec secret. However, for EAP or XAUTH (Phase 2), it uses the user's credentials and password, not the certificate provided in Phase 1.

Can anyone tell me if there's a way to perform certificate-based authentication (without the user entering a username or password)? Or is my conclusion (previous paragraph) definitive, and therefore impossible?

THANKS

2 replies

funkylicious
SuperUser
November 12, 2025

Hi,

In the previous thread (below), I posted some working IPsec VPN configurations with machine/client certificate-based authentication.

See if any of them work for you.


https://community.fortinet.com/t5/Support-Forum/IPsec-IKEv2-Dialup-using-LDAP-Machine-Cert-authentication/m-p/417687 

"jack of all trades, master of none"
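For readers who do not want to follow the link, here is what the FortiGate side of a certificate-only IKEv2 dialup phase 1 looks like in FortiOS CLI. This is an added illustration, not a configuration taken from the linked thread, from Fortinet documentation or from either poster. Object names ("VPN-Cert-Users", "Corp-Issuing-CA", "fgt-vpn-server", "wan1") and the address pool are placeholders, and the CA must already be imported under the name used in `set ca`. The point it shows is that the client certificate is matched against a `config user peer` object (issuing CA plus a subject/CN check), and that `xauthtype` (IKEv1) and `eap` (IKEv2) are both disabled, so the gateway asks for no username or password. Whether the free FortiClient will then complete the tunnel without prompting for credentials is exactly what the question above leaves open; this fragment only settles the gateway half.

```text
# FortiOS CLI (added example; all object names are placeholders)

# 1. Who is allowed in: a peer object that pins the issuing CA and
#    requires a particular Common Name in the client certificate.
config user peer
    edit "VPN-Cert-Users"
        set ca "Corp-Issuing-CA"        # CA that issued the client certs (placeholder)
        set cn "vpn.example.corp"       # value matched against the cert subject CN (placeholder)
        set cn-type string
    next
end

# 2. Phase 1: certificate signature authentication, no XAuth, no EAP.
config vpn ipsec phase1-interface
    edit "dialup-cert"
        set type dynamic                 # dialup / road-warrior peers
        set interface "wan1"             # placeholder outside interface
        set ike-version 2
        set peertype peer
        set peer "VPN-Cert-Users"        # accept only certs matching the peer object above
        set authmethod signature         # certificate instead of pre-shared key
        set certificate "fgt-vpn-server" # placeholder: gateway's own server certificate
        set proposal aes256-sha256
        set dhgrp 14
        set mode-cfg enable              # hand out addresses to clients
        set ipv4-start-ip 10.212.134.1   # placeholder pool
        set ipv4-end-ip 10.212.134.250
        set ipv4-netmask 255.255.255.0
        set xauthtype disable            # IKEv1 extended auth off (no username/password)
        set eap disable                  # IKEv2 EAP off (no username/password)
    next
end

# 3. Phase 2 is unchanged by the authentication method.
config vpn ipsec phase2-interface
    edit "dialup-cert-p2"
        set phase1name "dialup-cert"
        set proposal aes256-sha256
        set dhgrp 14
    next
end
```

Two checks worth doing if a client is still prompted: confirm with `diagnose vpn ike log-filter` plus `diagnose debug application ike -1` that the gateway actually sent a CERTREQ and accepted the client certificate in IKE_AUTH rather than falling back to EAP, and verify that the client certificate's subject CN (or whichever field `cn-type` selects) matches the `set cn` value exactly, since a mismatch is reported as a peer-authentication failure rather than an obvious "wrong CN".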
Shyy
New Member
November 12, 2025