Matt_B
Staff & Editor
Article Id 414298
Description

This article demonstrates the FortiGate configuration for combining client certificate authentication with RADIUS or LDAP user authentication for IPsec VPN.
Scope

FortiOS v7.4.2 and later, FortiClient v7.2. For LDAP authentication with IKEv2, FortiClient v7.4.3 and later.

Solution

Similar to SSL VPN, FortiOS IKEv2 IPsec VPN supports client authentication using a certificate in conjunction with username/password-based authentication: the client certificate is validated against a user peer, and the username and password are verified over EAP against RADIUS, LDAP or local users.

Related configuration articles:

 

Configuration:

Import the certificate of the CA that signs the user certificates into the FortiGate as a new remote CA certificate. The imported CA certificate receives an automatically generated name; renaming it after import is recommended for ease of administration.

config vpn certificate ca
    rename CA_Cert_1 to "root-g1.users.example.com"
end

Configure a user peer referencing the remote CA. Optionally add a subject match to search the user certificate's common name for a particular string.

config user peer
    edit "peer_admin-ou"
        set ca "root-g1.users.example.com"
        set subject "OU=ADMIN" <-- optional
    next
end

Import a trusted local certificate to the FortiGate. If the firewall already has a trusted SSL certificate, for example one used for the SSL VPN server, this step can be skipped and the existing certificate applied to the IPsec VPN.

The certificate is named automatically when created but can be renamed. The name is for administrative purposes only and does not affect certificate operation.

config vpn certificate local
    rename vpn.sitea.example.com_1 to 2025_vpn.sitea.example.com
end

Configure an IKEv2 dialup tunnel referencing the local certificate.

config vpn ipsec phase1-interface
    edit "RA_VPN_ADMIN"
        set type dynamic
        set interface "port1"
        set ike-version 2
        set authmethod signature
        set peertype peer
        set net-device disable
        set mode-cfg enable
        set proposal aes256-sha256
        set ip-fragmentation pre-encapsulation
        set dpd on-idle
        set dhgrp 20 14 5
        set eap enable
        set eap-identity send-request
        set eap-cert-auth enable
        set authusrgrp '' <----- if configuring a user group here, do not set one on the firewall policies later.
        set certificate "2025_vpn.sitea.example.com"
        set peer "peer_admin-ou"
        set ipv4-start-ip 10.253.0.100
        set ipv4-end-ip 10.253.0.200
        set dns-mode auto
        set ipv4-split-include "Admin Split Tunnel Addresses" <----- address or address group containing all IP ranges VPN users require.
        set dpd-retryinterval 60
    next
end

config vpn ipsec phase2-interface
    edit "p2_RA_VPN_ADMIN"
        set phase1name "RA_VPN_ADMIN"
        set proposal aes256-sha256
        set dhgrp 20 14 5
    next
end

Configure users and user group(s) based on the user authentication method.

RADIUS users:

RADIUS and LDAP user groups should not be configured on the same VPN tunnel.

config user radius
    edit "RADIUS"
        set server "10.250.0.21"
        set secret <radius shared secret>
        set source-ip "10.250.0.1"
        set require-message-authenticator {enable | disable} <----- See Troubleshooting Tip: RADIUS authentication failure after the firmware upgrade to v7.2.10/v7.4.5/v7.6...
    next
end

config user group
    edit "VPN User Group"
        set member "RADIUS"
        config match <-- optional. By default checks Vendor 12356, VSA 26.
            edit 1
                set server-name "FAC"
                set group-name "General Access Group"
            next
        end
    next
end
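The group match above compares group-name with the Fortinet-Group-Name vendor-specific attribute (vendor 12356 inside attribute 26) that the RADIUS server returns in its Access-Accept. The Python below is an added example, not code from this article or from Fortinet: it builds a constructed Access-Accept locally, verifies the Response Authenticator and the Message-Authenticator against the shared secret (the latter is the check that require-message-authenticator is assumed to enforce on the FortiGate), and extracts the group names from the Fortinet VSAs. Two things are assumptions rather than facts from the page: vendor sub-type 1 for Fortinet-Group-Name, and the match semantics (any returned group equal to the configured group-name passes).

```python
"""Added example: parse a RADIUS Access-Accept, verify its authenticators with the
shared secret, and extract the Fortinet-Group-Name VSA that 'config match' compares
against group-name. All packets are constructed locally; no RADIUS server is used."""
import hashlib
import hmac
import struct

FORTINET_VENDOR_ID = 12356       # Fortinet vendor id, as stated in the article
ATTR_VENDOR_SPECIFIC = 26        # RFC 2865 Vendor-Specific attribute, as stated in the article
ATTR_MESSAGE_AUTHENTICATOR = 80  # RFC 2869 Message-Authenticator (HMAC-MD5 with the secret)
FORTINET_GROUP_NAME = 1          # ASSUMED vendor sub-type for Fortinet-Group-Name
CODE_ACCESS_ACCEPT = 2


def build_attr(attr_type: int, data: bytes) -> bytes:
    """One RADIUS attribute as Type, Length (header included), Value."""
    return struct.pack("!BB", attr_type, len(data) + 2) + data


def build_vsa(vendor_id: int, vendor_type: int, data: bytes) -> bytes:
    """Vendor-Specific attribute: 4-byte vendor id followed by a vendor TLV."""
    inner = struct.pack("!BB", vendor_type, len(data) + 2) + data
    return build_attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + inner)


def build_response(code: int, identifier: int, attrs: bytes,
                   request_auth: bytes, secret: bytes) -> bytes:
    """Build a RADIUS response carrying a Message-Authenticator (constructed test data)."""
    # Message-Authenticator = HMAC-MD5 over the packet with its own value zeroed and the
    # Request Authenticator of the matching Access-Request in the authenticator field.
    zeroed = attrs + build_attr(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    header = struct.pack("!BBH", code, identifier, 20 + len(zeroed))
    msg_auth = hmac.new(secret, header + request_auth + zeroed, hashlib.md5).digest()
    final_attrs = zeroed[:-16] + msg_auth
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret).
    resp_auth = hashlib.md5(header + request_auth + final_attrs + secret).digest()
    return header + resp_auth + final_attrs


def parse_attrs(packet: bytes) -> list:
    """Return [(type, value), ...], rejecting malformed packet or attribute lengths."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    length = struct.unpack("!H", packet[2:4])[0]
    if length != len(packet):
        raise ValueError("length field does not match packet size")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("bad attribute length")
        attrs.append((a_type, packet[pos + 2:pos + a_len]))
        pos += a_len
    return attrs


def authenticators_valid(packet: bytes, request_auth: bytes, secret: bytes,
                         require_message_authenticator: bool = True) -> bool:
    """Verify the Response Authenticator, then the Message-Authenticator if present.
    With require_message_authenticator=True a response lacking the attribute is rejected
    (assumed to be what 'set require-message-authenticator enable' selects)."""
    parse_attrs(packet)  # structural validation first, so the scan below is safe
    header, resp_auth, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_auth + attrs + secret).digest()
    if not hmac.compare_digest(expected, resp_auth):
        return False
    pos = 0
    while pos < len(attrs):
        a_type, a_len = attrs[pos], attrs[pos + 1]
        if a_type == ATTR_MESSAGE_AUTHENTICATOR and a_len == 18:
            zeroed = attrs[:pos + 2] + b"\x00" * 16 + attrs[pos + 18:]
            calc = hmac.new(secret, header + request_auth + zeroed, hashlib.md5).digest()
            return hmac.compare_digest(calc, attrs[pos + 2:pos + 18])
        pos += a_len
    return not require_message_authenticator


def fortinet_group_names(packet: bytes) -> list:
    """Collect every Fortinet-Group-Name carried in vendor-12356 VSAs."""
    groups = []
    for a_type, value in parse_attrs(packet):
        if a_type != ATTR_VENDOR_SPECIFIC or len(value) < 6:
            continue
        if struct.unpack("!I", value[:4])[0] != FORTINET_VENDOR_ID:
            continue  # another vendor's VSA is ignored
        pos = 4
        while pos + 2 <= len(value):
            v_type, v_len = value[pos], value[pos + 1]
            if v_len < 2 or pos + v_len > len(value):
                raise ValueError("bad vendor attribute length")
            if v_type == FORTINET_GROUP_NAME:
                groups.append(value[pos + 2:pos + v_len].decode("utf-8", "replace"))
            pos += v_len
    return groups


def user_allowed(packet: bytes, request_auth: bytes, secret: bytes, configured_group: str) -> bool:
    """Model of 'config match': a valid Access-Accept whose groups include configured_group."""
    if not authenticators_valid(packet, request_auth, secret):
        return False
    return packet[0] == CODE_ACCESS_ACCEPT and configured_group in fortinet_group_names(packet)
```

Before relying on the sub-type value, confirm it against the Fortinet dictionary shipped with the RADIUS server in use; the parser deliberately skips VSAs from other vendors rather than failing on them, so a server that also returns other vendors' attributes does not break the match.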


LDAP users:

config user ldap
    edit "LDAP"
        set server "10.250.0.21"
        set cnid "cn"
        set dn "dc=example,dc=com"
        set type regular
        set username "cn=example-fgt.service,ou=it,dc=example,dc=com"
        set password <password for LDAP user example-fgt.service>
    next
end

config user group
    edit "VPN User Group"
        set member "LDAP"
        config match <-- optional
            edit 1
                set server-name "LDAP"
                set group-name "cn=General Access Group,ou=test_users,dc=example,dc=com"
            next
        end
    next
end

Note:

Using LDAP with IKEv2 IPsec VPN requires FortiClient v7.4.3 or later, as well as advanced FortiClient configuration. See the article Technical Tip: How to enable EAP-TTLS for IPSec IKEv2 tunnels in VPN-only (unlicenced) FortiClient.

 

Local users:

config user local
    edit "jsmorth"
        set type password
        set passwd <password>
    next
    edit "mdijk"
        set type password
        set passwd <password>
    next
end

config user group
    edit "VPN User Group"
        set member "jsmorth" "mdijk"
    next
end

Configure one or more firewall policies referencing the IPsec tunnel interface and a user group.

config firewall policy
    edit <index>
        set name "RA_VPN_ADMIN General Access"
        set srcintf "RA_VPN_ADMIN"
        set dstintf "port2"
        set action accept
        set srcaddr "IPsec VPN Admin Clients" <-- address object containing the 'ipv4-start-ip' to 'ipv4-end-ip' range configured on the phase1-interface.
        set dstaddr "Admin General Access"
        set schedule "always"
        set service "PING" "HTTPS"
        set logtraffic all
        set groups "VPN User Group"
    next
end


Multiple firewall policies can be configured, and multiple user groups can be used. However, configuring both LDAP and RADIUS groups on the same IPsec dial-up tunnel is not supported.

Provision certificates on the VPN client.

For domain-joined endpoints, this may be done automatically via GPO. For an example of how to manually import a certificate using Windows, see Importing user certificate into Windows 10.

The endpoint must also trust the certificate configured on the FortiOS phase1-interface.

config vpn ipsec phase1-interface
    edit "RA_VPN_ADMIN"
        set certificate "2025_vpn.sitea.example.com"
    next
end

 

  • If the FortiGate’s server certificate is signed by a private CA, ensure this private CA is imported to the workstation certificate store. For an example using GPO, see Technical Tip: How to distribute a Fortinet CA SSL certificate on a local domain on a Windows Server
  • For FortiClient macOS endpoints, ensure the root CA and any intermediate CA certificates signing the FortiGate's server certificate are installed in the endpoint's keychain. Both the root and any intermediate CA certificates are required. See Apple Support | Add certificates to a keychain using Keychain Access on Mac
  • For FortiClient Linux endpoints, ensure the root CA and any intermediate CA certificates signing the FortiGate's server certificate are installed in the CA certificate store. Both the root and any intermediate CA certificates are required. To add the certificates, refer to the appropriate third-party documentation for the Linux version in use.

 

Configure the FortiClient Remote Access connection.

[Screenshot: FortiClient.PNG, FortiClient Remote Access connection settings]

It is strongly recommended to configure the remote gateway using an FQDN resolving to the FortiGate's external IP address and to enable cert_subjcheck in the XML configuration (see IKE settings). Without this configuration, FortiClient will accept any trusted publicly signed certificate as valid for the Remote Gateway, regardless of the CN or SAN of the certificate.
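The difference between the two settings is the name check that cert_subjcheck adds after chain validation. The Python below is an added example, not FortiClient's code or anything from this article: it models that decision with certificate names supplied inline as constructed data (a real client reads them from the certificate's SAN and subject CN). The matching rules follow RFC 6125 (dNSName SANs take precedence over the CN, a single leftmost wildcard label, IP-literal gateways must appear as iPAddress SANs); how closely FortiClient's own implementation follows these rules is an assumption.

```python
"""Added example: the decision cert_subjcheck adds on top of chain validation, modelled
in plain Python. Certificate names are constructed inline; in a real client they would
be read from the certificate's SAN extension and subject CN."""
import ipaddress


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 style presented-identifier match: case-insensitive exact match, or a
    single '*' as the entire leftmost label matching exactly one label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) != len(h_labels):
        return False
    if len(p_labels) < 3:
        return False  # refuse wildcards such as '*.com'
    return p_labels[1:] == h_labels[1:]


def gateway_name_matches(remote_gateway: str, san_dns: list, san_ip: list, cn) -> bool:
    """Does the certificate name the configured Remote Gateway?

    An IP-literal gateway must appear as an iPAddress SAN; a DNS name is matched against
    dNSName SANs, and against the subject CN only when the certificate carries no
    dNSName SAN at all (RFC 6125 section 6.4.4)."""
    try:
        gateway_ip = ipaddress.ip_address(remote_gateway)
    except ValueError:
        gateway_ip = None
    if gateway_ip is not None:
        return any(ipaddress.ip_address(entry) == gateway_ip for entry in san_ip)
    if san_dns:
        return any(dns_name_matches(entry, remote_gateway) for entry in san_dns)
    return cn is not None and dns_name_matches(cn, remote_gateway)


def accept_gateway_certificate(remote_gateway: str, cert: dict,
                               chain_trusted: bool, cert_subjcheck: bool) -> bool:
    """Assumed model of the client decision: the chain must be trusted, and the name
    check is applied only when cert_subjcheck is enabled."""
    if not chain_trusted:
        return False
    if not cert_subjcheck:
        return True  # any trusted certificate passes, whatever name it carries
    return gateway_name_matches(remote_gateway, cert.get("san_dns", []),
                                cert.get("san_ip", []), cert.get("cn"))
```

With cert_subjcheck disabled, accept_gateway_certificate returns True for a trusted certificate issued to an unrelated hostname, which is exactly the gap the recommendation above closes; with it enabled, only a certificate naming the configured FQDN (or IP, via an iPAddress SAN) is accepted.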

 

Related documents:

IPsec IKEv2 VPN 2FA with EAP and certificate authentication

Using single or multiple user groups for user authentication
