FortiGate
sagha
Staff
Article Id 204523
Description: This article describes a case where certificate validation fails for an IPsec tunnel after upgrading FortiGate from v6.0 to v6.2, and how to resolve it.
Scope

FortiGate v6.0 and v6.2.

Solution

Hub config:

config vpn ipsec phase1-interface
    edit "Test_HUB"
        set type dynamic
        set interface "wan1"
        set ike-version 2
        set local-gw x.x.x.x
        set authmethod signature
        set proposal aes256-sha256
        set dpd on-idle
        set dhgrp 5
        set certificate "TEST_VPN"
        set peer "user_1"
        set net-device enable
        set distance 254
        set dpd-retryinterval 60
    next
end

config user peer
    edit "user_1"
        set ca "CA_Cert_1"
        set subject "CN = 10.255.10.1"
    next
end


Spoke config:

config vpn ipsec phase1-interface
    edit "Test_Spoke"
        set interface "wan1"
        set ike-version 2
        set authmethod signature
        set net-device enable
        set proposal aes256-sha256
        set dhgrp 5
        set remote-gw x.x.x.x
        set certificate "spoke_VPN"
        set peer "TEST"
    next
end

config user peer
    edit "TEST"
        set ca "CA_Cert_1"
        set subject "CN = 10.255.255.2"
    next
end


When the tunnel is brought up, it does not come up. Collect the following debugs on both the Spoke and the Hub (xxx is the phase1-interface name):

diag debug reset
diag debug console timestamp en
diag vpn ike log-filter name xxx
diag debug application ike -1
diag debug application fnbamd -1
diag debug en


The debug shows the following output on the Spoke:

[246] fnbamd_chain_build-Chain discovery, opt 0x7, cur total 2
[262] fnbamd_chain_build-Following depth 1
[773] subject_issuer_name-S: 'DC = local, DC = thisgrp, CN = SubCA-DC1'
[774] subject_issuer_name-I: 'CN = Root Certificate Authority'
[291] fnbamd_chain_build-Extend chain by system trust store. (no luck)
[313] fnbamd_chain_build-Extend chain by remote CA cache. (no luck)
[86] fnbamd_cert_check_issued-X509_check_issued returns 29
[325] fnbamd_chain_build-Extend chain by peer-provided certs. (no luck)
[804] __fnbamd_cert_verify-Following cert chain depth 0
[872] __fnbamd_cert_verify-Issuer found: Name_CA (SSL_DPI opt 1)
[804] __fnbamd_cert_verify-Following cert chain depth 1
[1750] cert_check_group_list-checking group type 1 group name 'TEST'
[1529] quick_check_peer-ca name 'CA_Cert_1' doesn't match
[1625] check_add_peer-check peer user 'TEST' in group '(null)', result is 1
[1781] cert_check_group_list-all groups failed
[1885] fnbamd_auth_cert_check_status-res=1
[181] fnbamd_comm_send_result-Sending result 1 (error 8, nid 672) for req 217889088
ike 0:Test_Spoke:140157: certificate validation failed

The certificate validation fails because the Spoke FortiGate cannot build the certificate chain up to the Root CA: only the Sub-CA was imported to the Spoke FortiGate, so the chain builder stops at depth 1 (issuer 'CN = Root Certificate Authority' is found in neither the system trust store, the remote CA cache, nor the peer-provided certificates) and the peer entry 'TEST' with CA 'CA_Cert_1' cannot match.

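To triage this failure from a saved debug rather than by eye, the following added Python script (not part of the article or of FortiOS) parses the spoke-side fnbamd/ike lines quoted above and reports where the chain builder stopped, which stores it searched for the missing issuer, and which CA the peer entry expected. The sample input is a constructed, abbreviated copy of that output, and the line patterns are assumed from the output shown on this page.

```python
import re

# Constructed sample: the spoke-side fnbamd/ike debug quoted in the article, abbreviated.
SAMPLE_DEBUG = """\
[246] fnbamd_chain_build-Chain discovery, opt 0x7, cur total 2
[262] fnbamd_chain_build-Following depth 1
[773] subject_issuer_name-S: 'DC = local, DC = thisgrp, CN = SubCA-DC1'
[774] subject_issuer_name-I: 'CN = Root Certificate Authority'
[291] fnbamd_chain_build-Extend chain by system trust store. (no luck)
[313] fnbamd_chain_build-Extend chain by remote CA cache. (no luck)
[325] fnbamd_chain_build-Extend chain by peer-provided certs. (no luck)
[1529] quick_check_peer-ca name 'CA_Cert_1' doesn't match
[1625] check_add_peer-check peer user 'TEST' in group '(null)', result is 1
ike 0:Test_Spoke:140157: certificate validation failed
"""

# One pattern per debug line of interest (assumed from the page); "[nnn]" is an fnbamd source line.
PATTERNS = {
    "tunnel": re.compile(r"^ike \d+:([^:]+):\d+: certificate validation failed"),
    "stopped_at": re.compile(r"subject_issuer_name-S: '(.*)'"),
    "missing_issuer": re.compile(r"subject_issuer_name-I: '(.*)'"),
    "searched": re.compile(r"fnbamd_chain_build-Extend chain by (.+?)\. \(no luck\)"),
    "expected_ca": re.compile(r"quick_check_peer-ca name '(.*)' doesn't match"),
    "peer_user": re.compile(r"check peer user '(.*)' in group .* result is \d+"),
}

def triage_cert_failure(debug_text):
    """Summarise where fnbamd's chain builder stopped and which peer/CA check failed."""
    r = {"tunnel": None, "stopped_at": None, "missing_issuer": None, "searched": [],
         "peer_user": None, "expected_ca": None, "verdict": "no failure seen"}
    for line in debug_text.splitlines():
        for field, rx in PATTERNS.items():
            m = rx.search(line)
            if not m:
                continue
            if field == "searched":   # every store fnbamd tried for the missing issuer, in order
                r["searched"].append(m.group(1))
            else:                     # later matches win: the last S/I pair is the deepest cert reached
                r[field] = m.group(1)
    if r["missing_issuer"] and r["searched"]:
        r["verdict"] = ("chain incomplete: issuer '%s' of '%s' not found in %s; import that CA"
                        % (r["missing_issuer"], r["stopped_at"], ", ".join(r["searched"])))
    elif r["expected_ca"]:
        r["verdict"] = "chain built, but peer '%s' expects CA '%s'" % (r["peer_user"], r["expected_ca"])
    return r
```

Feed it the output of `diag debug application fnbamd -1` and `diag debug application ike -1` captured on the spoke; the verdict names the CA certificate that still has to be imported.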
Note

When multiple CA certificates are in use, make sure that FortiManager pushes only the correct CA certificate to all the spokes, that is, the CA that can validate the certificate the FortiGate presents when connecting to its peer devices.

Import the Root CA to the Spoke FortiGate as well to fix the issue.

Related documents:

IPsec VPN authenticating a remote FortiGate peer with a certificate v6.2.0 

Technical Tip: IPsec Tunnel with certificate authentication fails after upgrade to FortiOS v7.0.x