FortiGate
akanibek (Staff)
Article Id 412459
Description

This article explains the default certificate matching behavior for SSL-VPN and IPsec VPN tunnels on FortiGate.

Scope

FortiGate v7.0, v7.2, v7.4, v7.6.
Solution

According to the internal engineering documentation, FortiGate performs certificate verification in different daemons depending on the tunnel type. For SSL VPN and for IPsec tunnels of type 'static', certificate verification is performed by the FNBAMD daemon. When the IPsec connection type is 'dynamic' (dial-up), certificate verification is performed by the IKE daemon first. Therefore the vpn.certificate settings (subject-match / cn-match) apply only to SSL VPN and static-type IPsec connections.

 

This article has three separate parts; the VPN tunnel configuration itself is skipped:

  • Configuration and debug outputs for an SSL VPN certificate-based connection.
  • Configuration and debug outputs of a failed IPsec dial-up certificate-based authentication.
  • Configuration and debug outputs of a successful IPsec dial-up certificate-based authentication.

 

Configuration and debug outputs for an SSL VPN certificate-based connection:

 

config user peer
    edit "pki01"
        set ca "G_CA_Cert_1"
        set cn "fortinet.lab"
    next
end

 

config vpn certificate setting
    show full-configuration | grep match
        set subject-match substring
        set cn-match substring               <----- These settings stay the same in all three parts.

 

Debug outputs of the SSL VPN connection (only the fnbamd debug output is relevant here):

 

2025-09-25 03:39:00 [500] fnbamd_cert_verify-Following cert chain depth 0
2025-09-25 03:39:00 [573] fnbamd_cert_verify-Issuer found: G_CA_Cert_1 (SSL_DPI opt 1)
2025-09-25 03:39:00 [500] fnbamd_cert_verify-Following cert chain depth 1
2025-09-25 03:39:00 [675] fnbamd_cert_check_group_list-checking group with name 'group_sdu'
2025-09-25 03:39:00 [490] __check_add_peer-check 'pki01'
2025-09-25 03:39:00 [366] peer_subject_cn_check-Cert subject 'C = DE, CN = pki01@fortinet.lab, emailAddress = pki01@fortinet.lab'
2025-09-25 03:39:00 [294] __RDN_match-Checking 'CN' val 'fortinet.lab' -- match.
2025-09-25 03:39:00 [404] peer_subject_cn_check-CN is good.
2025-09-25 03:39:00 [497] __check_add_peer-'pki01' check ret:good

 

Configuration and debug outputs of a failed IPsec dial-up certificate-based authentication (the vpn.certificate setting is unchanged):

 

config user peer
    edit "pki01"
        set ca "G_CA_Cert_1"
        set cn "fortinet.lab"
    next
end

config vpn ipsec phase1-interface
    edit "FGT-dialup"
        set type dynamic
        set interface "port3"
        set ike-version 2
        set authmethod signature
        set net-device disable
        set mode-cfg enable
        set proposal aes128-sha256 aes256-sha256 aes128gcm-prfsha256 aes256gcm-prfsha384 chacha20poly1305-prfsha256
        set comments "VPN: FGT-dialup (Created by VPN wizard)"
        set dhgrp 14
        set certificate "fgt01.fortinet.lab"
        set peer "pki01"
        set ipv4-start-ip 172.11.10.10
        set ipv4-end-ip 172.11.10.20
        set dns-mode auto
        set ipv4-split-include "FGT-dialup_split"
        set save-password enable
        set client-auto-negotiate enable
        set client-keep-alive enable
    next
end

 

Debug logs of a failed attempt:

 

2025-09-25 03:51:57.464871 ike 0:FGT-dialup:41994: received FCT-UID = 528A41E2FEE845A48081F455EF908644
2025-09-25 03:51:57.466154 ike 0:FGT-dialup:41994: received EMS SN :
2025-09-25 03:51:57.467026 ike 0:FGT-dialup:41994: received EMS tenant ID :
2025-09-25 03:51:57.468072 ike 0:FGT-dialup:41994: received peer identifier DER_ASN1_DN 'C = DE, CN = pki01@fortinet.lab, emailAddress = pki01@fortinet.lab'
2025-09-25 03:51:57.469979 ike 0:FGT-dialup:41994: re-validate gw ID
2025-09-25 03:51:57.470892 ike 0:FGT-dialup:41994: gw validation failed
2025-09-25 03:51:57.471860 ike 0:FGT-dialup:41994: schedule delete of IKE SA 8ad7c4ba34254700/66bb15e988d4c1e8
2025-09-25 03:51:57.473242 ike 0:FGT-dialup:41994: scheduled delete of IKE SA 8ad7c4ba34254700/66bb15e988d4c1e8
2025-09-25 03:51:57.474682 ike 0:FGT-dialup: connection expiring due to phase1 down
2025-09-25 03:51:57.475768 ike 0:FGT-dialup: deleting
2025-09-25 03:51:57.476646 ike 0:FGT-dialup: deleted

 

Configuration and debug outputs of a successful IPsec dial-up certificate-based authentication:

 

The user peer entry has been adjusted so that 'cn' carries the full CN value of the peer certificate:

 

config user peer
    edit "pki01"
        set ca "G_CA_Cert_1"
        set cn "pki01@fortinet.lab"
    next
end

 

Debugs:

 

2025-09-25 03:54:31.399403 ike 0:FGT-dialup:42010: received FCT-UID = 528A41E2FEE845A48081F455EF908644
2025-09-25 03:54:31.400502 ike 0:FGT-dialup:42010: received EMS SN :
2025-09-25 03:54:31.401288 ike 0:FGT-dialup:42010: received EMS tenant ID :
2025-09-25 03:54:31.402258 ike 0:FGT-dialup:42010: received peer identifier DER_ASN1_DN 'C = DE, CN = pki01@fortinet.lab, emailAddress = pki01@fortinet.lab'
2025-09-25 03:54:31.405393 ike 0:FGT-dialup:42010: re-validate gw ID
2025-09-25 03:54:31.406262 ike 0:FGT-dialup:42010: gw validation OK
2025-09-25 03:54:31.407199 ike 0:FGT-dialup:42010: Validating X.509 certificate
2025-09-25 03:54:31.408399 ike 0:FGT-dialup:42010: peer cert, subject='pki01@fortinet.lab', issuer='ca01.fortinet.lab'
2025-09-25 03:54:31.409691 ike 0:FGT-dialup:42010: peer ID verified
2025-09-25 03:54:31.410621 ike 0:FGT-dialup:42010: building fnbam peer candidate list
2025-09-25 03:54:31.411663 ike 0:FGT-dialup:42010: FNBAM_GROUP_NAME candidate 'pki01'
2025-09-25 03:54:31.661516 ike 0:FGT-dialup_0: HA send IKEv2 message ID update send/recv=0/2
2025-09-25 03:54:31.662556 ike 0:FGT-dialup_0:42010:FGT-dialup:28020: sending SNMP tunnel UP trap

 

Note:

The SSL VPN certificate matching leverages the vpn.certificate settings (subject-match / cn-match) via the FNBAMD daemon, whereas IPsec dial-up tunnels rely on the IKE daemon, which requires an exact CN match from the peer certificate.
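The following script is an added example (not Fortinet code and not part of the original article) that models the two matching paths described in the Solution and in the Note above. It parses the peer subject DN shown in the debug output, evaluates a 'config user peer' cn value the way fnbamd does (cn-match substring) and the way the IKE daemon does (exact CN comparison), and also pulls the peer DN and 'gw validation' result out of IKE debug lines so the configured cn can be checked against what the daemon actually decided. The DN parsing assumes the OpenSSL-style 'K = V, K = V' form seen in the debug output with no commas inside values; the function names, the sample debug lines (copied from this article) and the treatment of cn-match substring as a plain substring test are the example's own assumptions.

```python
"""Model of FortiGate's two CN-matching paths (added example, not Fortinet code).

Assumptions: DN strings are in the OpenSSL-style 'K = V, K = V' form shown in the
debug output, values contain no commas, and 'cn-match substring' behaves as a plain
substring test. 'fnbamd' stands for SSL VPN / static IPsec, 'ike' for dynamic dial-up.
"""
import re
from typing import Dict, List, Optional

# Subject DN copied from the article's debug output.
PEER_SUBJECT_DN = "C = DE, CN = pki01@fortinet.lab, emailAddress = pki01@fortinet.lab"

# Constructed sample input: the relevant IKE debug lines from the article's two attempts.
IKE_DEBUG_FAILED = [
    "2025-09-25 03:51:57.468072 ike 0:FGT-dialup:41994: received peer identifier DER_ASN1_DN 'C = DE, CN = pki01@fortinet.lab, emailAddress = pki01@fortinet.lab'",
    "2025-09-25 03:51:57.469979 ike 0:FGT-dialup:41994: re-validate gw ID",
    "2025-09-25 03:51:57.470892 ike 0:FGT-dialup:41994: gw validation failed",
]
IKE_DEBUG_OK = [
    "2025-09-25 03:54:31.402258 ike 0:FGT-dialup:42010: received peer identifier DER_ASN1_DN 'C = DE, CN = pki01@fortinet.lab, emailAddress = pki01@fortinet.lab'",
    "2025-09-25 03:54:31.405393 ike 0:FGT-dialup:42010: re-validate gw ID",
    "2025-09-25 03:54:31.406262 ike 0:FGT-dialup:42010: gw validation OK",
]


def parse_dn(dn: str) -> Dict[str, str]:
    """Split 'C = DE, CN = x, emailAddress = y' into {'C': 'DE', 'CN': 'x', 'emailAddress': 'y'}."""
    attrs: Dict[str, str] = {}
    for rdn in dn.split(","):
        key, _, value = rdn.partition("=")
        attrs[key.strip()] = value.strip()
    return attrs


def cn_matches(configured_cn: str, cert_cn: str, mode: str) -> bool:
    """'substring' models vpn.certificate cn-match substring; 'exact' models the IKE daemon."""
    if mode == "substring":
        return configured_cn in cert_cn
    if mode == "exact":
        return configured_cn == cert_cn
    raise ValueError(f"unknown cn-match mode: {mode}")


def check_user_peer(configured_cn: str, subject_dn: str, daemon: str) -> bool:
    """Evaluate a 'config user peer' cn value the way the given daemon does.

    fnbamd (SSL VPN, static IPsec) honours cn-match substring; ike (dynamic IPsec
    dial-up) compares the whole CN, so only the full value passes there.
    """
    cert_cn = parse_dn(subject_dn).get("CN", "")
    mode = {"fnbamd": "substring", "ike": "exact"}[daemon]
    return cn_matches(configured_cn, cert_cn, mode)


_PEER_ID_RE = re.compile(r"received peer identifier DER_ASN1_DN '([^']*)'")
_GW_RESULT_RE = re.compile(r"gw validation (failed|OK)")


def explain_ike_attempt(lines: List[str], configured_cn: str) -> Dict[str, Optional[object]]:
    """Extract the peer DN and 'gw validation' result from IKE debug lines and report
    whether an exact CN comparison against configured_cn reproduces that result."""
    peer_dn: Optional[str] = None
    result: Optional[str] = None
    for line in lines:
        m = _PEER_ID_RE.search(line)
        if m:
            peer_dn = m.group(1)
        m = _GW_RESULT_RE.search(line)
        if m:
            result = m.group(1)
    predicted = check_user_peer(configured_cn, peer_dn, "ike") if peer_dn else None
    return {
        "peer_dn": peer_dn,
        "gw_validation": result,
        "exact_cn_match": predicted,
        # True when the exact-match model agrees with what the daemon logged.
        "consistent": predicted is not None and predicted == (result == "OK"),
    }


if __name__ == "__main__":
    for cn in ("fortinet.lab", "pki01@fortinet.lab"):
        print(f"cn={cn!r}: fnbamd={check_user_peer(cn, PEER_SUBJECT_DN, 'fnbamd')} "
              f"ike={check_user_peer(cn, PEER_SUBJECT_DN, 'ike')}")
    print(explain_ike_attempt(IKE_DEBUG_FAILED, "fortinet.lab"))
    print(explain_ike_attempt(IKE_DEBUG_OK, "pki01@fortinet.lab"))
```

Running it reproduces the article's outcome: 'fortinet.lab' passes the fnbamd substring check but fails the IKE exact check, and only 'pki01@fortinet.lab' passes both, which is why the dial-up tunnel came up after the user peer was changed to the full CN.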

 

Related articles:

Technical Tip: Understanding the ikev2 debugs SA_INIT and IKE_AUTH

SSL VPN with certificate authentication - FortiGate administration guide