sagha
Staff
Article Id 204523
Description

This article describes why certificate validation may fail after upgrading a FortiGate from version 6.0 to version 6.2.
Scope

FortiGate v6.0 and v6.2

Details

Hub config:

 

# config vpn ipsec phase1-interface
   # edit "Test_HUB"
        # set type dynamic
        # set interface "wan1"
        # set ike-version 2
        # set local-gw x.x.x.x
        # set authmethod signature
        # set proposal aes256-sha256
        # set dpd on-idle
        # set dhgrp 5
        # set certificate "TEST_VPN"
        # set peer "user_1"
        # set net-device enable
        # set distance 254
        # set dpd-retryinterval 60
    # next


# config user peer
    # edit "user_1"
        # set ca "CA_Cert_1"
        # set subject "CN = 10.255.10.1"
    # next

 

Spoke config:

 

# config vpn ipsec phase1-interface
    # edit "Test_Spoke"
        # set interface "wan1"
        # set ike-version 2
        # set authmethod signature
        # set net-device enable
        # set proposal aes256-sha256
        # set dhgrp 5
        # set remote-gw x.x.x.x
        # set certificate "spoke_VPN"
        # set peer "TEST"
    # next
# end

 

# config user peer
    # edit "TEST"
        # set ca "CA_Cert_1"
        # set subject "CN = 10.255.255.2"
    # next

 

When trying to set up the VPN, it does not come up.

 

The following debugs must be collected on both the Spoke and the Hub:

 

# diag debug reset

# diag debug console timestamp en

# diag vpn ike log-filter name xxx

# diag debug application ike -1

# diag debug application fnbamd -1

# diag debug en

 

The debugs show the following output on the Spoke:

 

[246] fnbamd_chain_build-Chain discovery, opt 0x7, cur total 2
[262] fnbamd_chain_build-Following depth 1
[773] subject_issuer_name-S: 'DC = local, DC = thisgrp, CN = SubCA-DC1'
[774] subject_issuer_name-I: 'CN = Root Certificate Authority'
[291] fnbamd_chain_build-Extend chain by system trust store. (no luck)
[313] fnbamd_chain_build-Extend chain by remote CA cache. (no luck)
[86] fnbamd_cert_check_issued-X509_check_issued returns 29
[325] fnbamd_chain_build-Extend chain by peer-provided certs. (no luck)
[804] __fnbamd_cert_verify-Following cert chain depth 0
[872] __fnbamd_cert_verify-Issuer found: Name_CA (SSL_DPI opt 1)
[804] __fnbamd_cert_verify-Following cert chain depth 1
[1750] cert_check_group_list-checking group type 1 group name 'TEST'
[1529] quick_check_peer-ca name 'CA_Cert_1' doesn't match
[1625] check_add_peer-check peer user 'TEST' in group '(null)', result is 1
[1781] cert_check_group_list-all groups failed
[1885] fnbamd_auth_cert_check_status-res=1
[181] fnbamd_comm_send_result-Sending result 1 (error 8, nid 672) for req 217889088
ike 0:Test_Spoke:140157: certificate validation failed

 

The certificate validation fails because the Spoke FortiGate cannot build the certificate chain up to the Root CA: only the Sub-CA was imported on the Spoke FortiGate, so fnbamd finds the issuer of the Sub-CA in neither the system trust store, the remote CA cache, nor the peer-provided certificates, and the peer's CA check therefore never matches.
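To spot this chain-building failure quickly in collected debugs, here is an added Python example (it is not part of the article and not a Fortinet tool) that parses the fnbamd/ike output shown above and reports which issuer is missing from the local CA store. The sample log text is copied from the debug output above; the regular expressions and the report fields are this example's own assumptions about the message format.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: the fnbamd/ike debug lines from the article, as printed
# on the Spoke while the chain build fails.
SAMPLE_DEBUG = """\
[246] fnbamd_chain_build-Chain discovery, opt 0x7, cur total 2
[262] fnbamd_chain_build-Following depth 1
[773] subject_issuer_name-S: 'DC = local, DC = thisgrp, CN = SubCA-DC1'
[774] subject_issuer_name-I: 'CN = Root Certificate Authority'
[291] fnbamd_chain_build-Extend chain by system trust store. (no luck)
[313] fnbamd_chain_build-Extend chain by remote CA cache. (no luck)
[86] fnbamd_cert_check_issued-X509_check_issued returns 29
[325] fnbamd_chain_build-Extend chain by peer-provided certs. (no luck)
[804] __fnbamd_cert_verify-Following cert chain depth 0
[872] __fnbamd_cert_verify-Issuer found: Name_CA (SSL_DPI opt 1)
[804] __fnbamd_cert_verify-Following cert chain depth 1
[1750] cert_check_group_list-checking group type 1 group name 'TEST'
[1529] quick_check_peer-ca name 'CA_Cert_1' doesn't match
[1625] check_add_peer-check peer user 'TEST' in group '(null)', result is 1
[1781] cert_check_group_list-all groups failed
[1885] fnbamd_auth_cert_check_status-res=1
[181] fnbamd_comm_send_result-Sending result 1 (error 8, nid 672) for req 217889088
ike 0:Test_Spoke:140157: certificate validation failed
"""

# Patterns for the messages we care about (assumed from the sample above).
SUBJECT_RE = re.compile(r"subject_issuer_name-S: '(?P<dn>.+)'")
ISSUER_RE = re.compile(r"subject_issuer_name-I: '(?P<dn>.+)'")
EXTEND_RE = re.compile(
    r"fnbamd_chain_build-Extend chain by (?P<source>.+?)\. \((?P<result>[^)]+)\)")
PEER_CA_RE = re.compile(r"quick_check_peer-ca name '(?P<ca>[^']+)' doesn't match")
FAILED_RE = re.compile(r"ike \d+:(?P<tunnel>[^:]+):\d+: certificate validation failed")


def analyze_fnbamd_debug(text: str) -> Dict[str, object]:
    """Walk the debug output and summarize the chain-building attempt."""
    report: Dict[str, object] = {
        "last_subject": None,       # deepest certificate fnbamd could follow
        "missing_issuer": None,     # issuer it then looked for (the gap in the chain)
        "extend_attempts": [],      # (source, result) for each chain-extension try
        "chain_complete": True,     # flipped to False when every extension fails
        "peer_ca_mismatch": None,   # CA named in 'config user peer' that did not match
        "failed_tunnels": [],       # phase1 names that reported validation failure
    }
    attempts: List[Tuple[str, str]] = report["extend_attempts"]  # type: ignore[assignment]
    tunnels: List[str] = report["failed_tunnels"]  # type: ignore[assignment]
    for line in text.splitlines():
        if m := SUBJECT_RE.search(line):
            report["last_subject"] = m.group("dn")
        elif m := ISSUER_RE.search(line):
            report["missing_issuer"] = m.group("dn")
        elif m := EXTEND_RE.search(line):
            attempts.append((m.group("source"), m.group("result")))
        elif m := PEER_CA_RE.search(line):
            report["peer_ca_mismatch"] = m.group("ca")
        elif m := FAILED_RE.search(line):
            tunnels.append(m.group("tunnel"))
    # The chain is only broken when fnbamd tried to extend it and every source failed.
    if attempts and all(result == "no luck" for _, result in attempts):
        report["chain_complete"] = False
    return report


def diagnose(report: Dict[str, object]) -> str:
    """Turn the summary into an actionable finding for the operator."""
    if not report["chain_complete"] and report["missing_issuer"]:
        return (f"chain broken: issuer '{report['missing_issuer']}' of "
                f"'{report['last_subject']}' is not in the local CA store; "
                f"import that CA certificate on this FortiGate")
    if report["peer_ca_mismatch"]:
        return f"peer CA '{report['peer_ca_mismatch']}' did not match the presented chain"
    if report["failed_tunnels"]:
        return "certificate validation failed; check the debug output for the cause"
    return "no certificate problem detected"


if __name__ == "__main__":
    result = analyze_fnbamd_debug(SAMPLE_DEBUG)
    for tunnel in result["failed_tunnels"]:  # type: ignore[union-attr]
        print(f"tunnel {tunnel}: {diagnose(result)}")
```

Run it against a saved copy of the `diag debug application fnbamd -1` output; the chain-broken finding is reported before the peer-CA mismatch because, as the article explains, the mismatch is only a consequence of the incomplete chain.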

Solution

Import the Root CA on the Spoke FortiGate as well to fix the issue.

 
