FortiClient proactively defends against advanced attacks. Its tight integration with the Security Fabric enables policy-based automation to contain threats and control outbreaks. FortiClient is compatible with Fabric-Ready partners to further strengthen enterprises’ security posture.
Article Id 197921
This article describes all needed configuration and how to create the certificates using openSSL to setup dial-up IPsec VPN users with security certificates like an authentication method.
Expectations, Requirements
Download the openSSL software. In this case, it was downloaded in a Windows PC.
Generate in the openSSL the CA certificate (crt) with the commands below:
C:\OpenSSL-Win64\bin>openssl genrsa -des3 -out ca.key 4096
C:\OpenSSL-Win64\bin>openssl req -new -x509 -days 365 -key ca.key -out ca.crt
Generate Server Certificate
Create a CSR in the FortiGate and download it to be signed through the openSSL software using following command:

C:\OpenSSL-Win64\bin>openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out ipsecdialup.crt
Finally generate client certificate through the following list of commands:
C:\OpenSSL-Win64\bin>openssl genrsa -des3 -out client.key 4096
C:\OpenSSL-Win64\bin>openssl req -new -key client.key -out client.csr
C:\OpenSSL-Win64\bin>openssl x509 -req -days 365 -in client.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out client.crt
C:\OpenSSL-Win64\bin>openssl pkcs12 -export -in client.crt -inkeyclient.key -certfile ca.crt -name "test" -out client.p12

Import the CA certificate and Server Certificate to the FortiGate:

Go to System -> Certificates -> Import -> Local Certificate and select server certificate.
Go to System -> Certificates -> Import -> CA Certificate and select CA certificate.

Configure user peer and peergrp:
#config user peer
edit test1
set ca ""                 <----- specify the CA certificate already uploaded.

#config user peergrp
edit user_group1
set member test1
Set up IPSEC VPN diaulp:

1) Check, if needed, to enable NAT traversal. In this case it is not required.

2) Specify the server certificate and peergrp as follow:


3) At last, specify the user group for XAUTH:


Import the CA certificate and client certificate to the user side:

1) Import CA certificate in the IE to Trusted Root Certification Authorities in the PC running FortiClient.

2) Import the client certificate to the FortiClient:

FortiClient 2.PNG

3) At last, select the authentication method in the FortiClient to X.509 certificate to use the client certificate already uploaded previously.

FortiClient 1.PNG

Once all described above is finished, attempt connection from FortiClient to FortiGate and open following debug flow into FortiGate to see all IPsec negotiation:
#diag debug disable
#diag debug reset
#diag debug appl ike -1
#diag debug enable
After connection, test the debug to be disabled with the commands below:
#diag debug reset
#diag debug disable