FortiGate
abalachandran
Article Id 331815


Description: This article describes FortiGate support for certificate-based authentication on L2TP over IPsec tunnels, and explains why an L2TP tunnel configured with certificate authentication fails to establish.
Scope: FortiGate.
Solution

The sample topology for the setup is as follows:

                                                               ----------- AD/LDAP/CA
                                                               |
Client Machine (e.g. Windows) <---------> Internet <---------> FGT
                              <-------- (L2TP tunnel over IPsec) -------->


In this scenario, certificate-based authentication has been configured for the L2TP tunnel on the FortiGate: a user certificate signed by the root CA is installed on the endpoint, and the server certificate and the CA certificate have been imported on the FortiGate.

When the connection is attempted, however, the tunnel fails to establish, even though the required certificates are present on both the client and the FortiGate, and the PKI user is a member of the user group referenced in the VPN L2TP configuration.

This is because the FortiGate currently does not support certificate-based authentication for L2TP tunnels. User authentication for L2TP on the FortiGate is password-based (PAP/CHAP/MS-CHAP carried over PPP inside the tunnel), so the user group referenced by the L2TP configuration must contain password-authenticated users (for example local users, or users from the AD/LDAP server shown in the topology) rather than PKI users, and the IPsec phase1 that carries the L2TP traffic must not rely on certificate (signature) authentication.


Sample (non-working) configuration on the FortiGate:

# L2TP server settings. The referenced user group contains a PKI user,
# which cannot satisfy the password-based L2TP user authentication.
config vpn l2tp
    set status enable
    set eip 192.168.1.100
    set sip 192.168.1.1
    set usrgrp "PKI_User_Group"
end

# Dynamic phase1 for the L2TP clients, using certificate (signature)
# authentication, which is not supported for L2TP on the FortiGate.
config vpn ipsec phase1-interface
    edit "L2TP_Tunnel"
        set type dynamic
        set interface "wan1"
        set authmethod signature
        set net-device disable
        # Proposal list as in the original sample: aes256-md5 and 3des-sha1 are legacy
        # algorithms and should not be kept in a production configuration.
        set proposal aes256-md5 3des-sha1 aes192-sha1
        set dhgrp 2
        set certificate "L2TP"
        set peer "L2TP_Tunnel_peer"
    next
end

# Phase2 in transport mode with L2TP enabled, as required for L2TP over IPsec.
config vpn ipsec phase2-interface
    edit "L2TP_Tunnel"
        set phase1name "L2TP_Tunnel"
        set proposal aes256-md5 3des-sha1 aes192-sha1
        set pfs disable
        set encapsulation transport-mode
        set l2tp enable
        set keylifeseconds 3600
    next
end
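For comparison, the following is a supported L2TP over IPsec configuration for the same topology. It is added here as an example and is not taken from the original article: phase1 authenticates with a pre-shared key instead of a certificate, and the L2TP user group holds password-authenticated users from the AD/LDAP server. The interface name, address ranges, LDAP server details, group and policy names, proposals and the secrets are placeholder assumptions and must be replaced with the values for the actual deployment.

```fortios
# LDAP server (assumed values: address, base DN and bind account are placeholders).
config user ldap
    edit "AD_LDAP"
        set server "10.0.0.10"
        set cnid "sAMAccountName"
        set dn "dc=example,dc=com"
        set type regular
        set username "cn=svc-fgt,cn=Users,dc=example,dc=com"
        set password "ReplaceWithBindPassword"
    next
end

# Password-authenticated user group for L2TP; no PKI users here.
config user group
    edit "L2TP_Users"
        set member "AD_LDAP"
    next
end

# L2TP server: same address pool as the sample, but referencing the LDAP group.
# enforce-ipsec rejects L2TP sessions that do not arrive inside the IPsec SA.
config vpn l2tp
    set status enable
    set eip 192.168.1.100
    set sip 192.168.1.1
    set usrgrp "L2TP_Users"
    set enforce-ipsec enable
end

# Dynamic phase1 with pre-shared key authentication (assumed proposals and DH groups
# chosen to match current Windows L2TP/IPsec clients; PSK value is a placeholder).
config vpn ipsec phase1-interface
    edit "L2TP_Tunnel"
        set type dynamic
        set interface "wan1"
        set ike-version 1
        set authmethod psk
        set net-device disable
        set proposal aes256-sha256 aes256-sha1
        set dhgrp 14 2
        set psksecret "ReplaceWithStrongPSK"
    next
end

# Phase2 in transport mode with L2TP enabled, as in the sample.
config vpn ipsec phase2-interface
    edit "L2TP_Tunnel"
        set phase1name "L2TP_Tunnel"
        set proposal aes256-sha256 aes256-sha1
        set pfs disable
        set encapsulation transport-mode
        set l2tp enable
        set keylifeseconds 3600
    next
end

# Firewall policy from the L2TP clients to the LAN (assumed interface name "internal").
config firewall policy
    edit 0
        set name "L2TP_to_LAN"
        set srcintf "L2TP_Tunnel"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

To confirm which stage fails when a client connects, enable the IKE and L2TP debug output on the FortiGate with `diagnose debug application ike -1`, `diagnose debug application l2tp -1` and `diagnose debug enable`, then attempt the connection: a phase1 or phase2 failure appears in the IKE output, while a PPP/user authentication failure appears in the L2TP output. Disable debugging afterwards with `diagnose debug disable` and `diagnose debug reset`.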