Skip to main content
Brenden
Brenden
Explorer
February 27, 2026
Question

Windows IKEv2 Native VPN

  • February 27, 2026
  • 1 reply
  • 419 views

I'm trying to set up a dial-up IKEv2 IPsec VPN using the Windows Native VPN client for a "user-based" certificate authentication setup.

 

Specifically, there is no RADIUS or third-party client involved in this setup. The authentication should be handled locally on the FortiGate using the certificate handshake between the client and the firewall.

 

Are there any official or community-validated docs that show this specific configuration? I am specifically interested in the requirements for:

 

  1. The FortiGate Server Certificate: Are there specific SAN or EKU requirements for Windows Native to trust the gateway?

  2. The User Certificate: What is the correct way to present these to the FortiGate when using the Windows Native client?

  3. Local Authentication: How to properly map the user certificate to a PKI User or User Peer on the FortiGate side to avoid needing an external authentication server.

Any CLI snippets or pointers to specific technical tips for the "Mutual Trust" between these two devices would be greatly appreciated!

1 reply

funkylicious
SuperUser
funkylicious
SuperUser
February 28, 2026

maybe this will help, https://docs.fortinet.com/document/fortigate/7.6.6/administration-guide/726232/windows-ikev2-native-vpn-with-user-certificate 

"jack of all trades, master of none"
Terms & ConditionsAccessibility statement