FortiGate
Divya_N
Staff
Article Id 384739
Description: This article describes IPsec dial-up certificate authentication with LDAP integration.
Scope: FortiGate.
Solution

Requirements:

  • A client certificate.
  • A server certificate.
  • LDAP integration on the FortiGate.

 

FortiAuthenticator, acting as the local CA, signs both the client certificate (the user certificate) and the server certificate (the certificate presented by the FortiGate).

The client certificate, along with the CA certificate, will be installed on the dial-up client.

 

User certificate on the CA, showing the SAN field:

 

[Screenshot: usercert details.png]

 

The certificate's SAN must match the user's logon name on the LDAP server. The server certificate and the CA certificate generated on the FortiAuthenticator are installed on the FortiGate:

 

[Screenshot: cert details.png]

 

LDAP settings on the FortiGate:

 

config user ldap
    edit "LDAP"
        set server "10.52.5.6"
        set cnid "cn"
        set dn "dc=fortilab,dc=net"
        set type regular
        set username "FORTILAB\\Administrator"
        set password ENC MTAwND/6lPb0SpIjm74sPzMp5U6cw5pmg6t/xMYfvy35UJla/DqmXuonwCdcZk/c2/xQX+HsYNUogSvN3NFOnG2CPxmWipItA0yCyNsinUeLCIjSNeNY1puAOQVIqAW1vaEwUdVpjBhwgnwBgT/+H3iuZyHQifgM1HgWT/j9Ods8cWUxiv2OdioMHkQNwV4lojAYtFlmMjY3dkVA
    next
end

 

On the FortiGate, configure a peer user that references the CA certificate and the LDAP server, then add it to a peer group:

 

config user peer
    edit "ldapcert"
        set ca "CA_Cert_1"
        set mfa-mode subject-identity
        set mfa-server "LDAP"
    next
end

 

config user peergrp
    edit "ldapgrp"
        set member "ldapcert"
    next
end

 

Configure the IPsec dial-up tunnel:

In the tunnel's phase 1 settings, change Accept Types to peer certificate group and select the peer group created above.

 

[Screenshot: ipsec.png]

 

Create a firewall policy that allows traffic from the IPsec tunnel interface to the local resources:

 

config firewall policy
    edit 2
        set name "vpn_Test_remote_0"
        set uuid f696b02e-0966-51f0-eb8f-970a2d02eb94
        set srcintf "Test"
        set dstintf "port3"
        set action accept
        set srcaddr "Test_range"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end

 

On the FortiClient machine, configure the VPN connection:

  • Configure the remote gateway.
  • Set the authentication method to X.509 Certificate.
  • Save the connection and select Connect.

 

[Screenshot: client.png]

 

[Screenshot: vpn.png]

 

Debugging:

diagnose debug disable
diagnose debug reset
diagnose vpn ike log-filter dst-addr4 <ip.of.remote.peer>
diagnose debug application ike -1
diagnose debug enable

 

Note:

If IKEv2 is used for the dial-up connection, ensure that the EAP authentication setting is disabled under the phase 1 tunnel settings; otherwise certificate authentication will not work.

 

LDAP-based user authentication is designed to work with XAUTH and IPsec IKEv1.
Starting from FortiClient v7.4.3, EAP-TTLS is now supported with IKEv2 authentication: EAP-TTLS support for IPsec VPN v7.4.3


In earlier versions of FortiClient, EAP-MSCHAPv2 was the method used for username and password authentication, and it did not work with LDAP. EAP-TTLS now works with LDAP authentication. For dial-up tunnels, there are two scenarios:

 

If the initial gateway lookup (based on SA_INIT_req) matches a phase1 with EAP enabled:

  1. FortiOS expects the peer to authenticate with EAP; otherwise, the negotiation fails.
  2. The ID of the initiator is ignored: any ID is accepted, acting as if the phase1 is configured with 'set peertype any'.

If the initial gateway lookup (based on SA_INIT_req) matches a phase1 without EAP:

  1. FortiOS expects the peer to authenticate with PSK/CERT authentication; otherwise, the negotiation fails.
  2. The ID is used to perform gateway revalidation, but only among non-EAP phase1 entries.
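The two scenarios above can be modelled as a small decision procedure. The following Python is an added example, not FortiOS code or anything from this article: it encodes the rules as stated (an EAP phase1 demands EAP and ignores the initiator ID; a non-EAP phase1 rejects EAP and revalidates the gateway by ID among non-EAP phase1 entries only). The phase1 names, the field names, the requirement that the authentication method also match during revalidation, and the order in which candidates are tried (initially matched phase1 first, then configuration order) are modelling assumptions, not documented FortiOS behaviour.

```python
"""Toy model of IKEv2 dial-up gateway selection for EAP vs. non-EAP phase1.

Added example; names, fields and the revalidation order are assumptions.
"""
from dataclasses import dataclass
from typing import Sequence, Tuple


@dataclass(frozen=True)
class Phase1:
    """A phase1-interface entry (hypothetical subset of its settings)."""
    name: str
    eap: bool                                  # modelled 'set eap enable'
    authmethod: str                            # 'psk' or 'signature' (certificate)
    peertype: str = "any"                      # 'any' or 'peergrp'
    accepted_ids: frozenset = frozenset()      # IDs accepted when peertype == 'peergrp'

    def accepts_id(self, peer_id: str) -> bool:
        return self.peertype == "any" or peer_id in self.accepted_ids


@dataclass(frozen=True)
class IkeAuth:
    """What the initiator presents in IKE_AUTH (constructed, not a packet parser)."""
    peer_id: str
    authmethod: str                            # 'eap', 'psk' or 'signature'


def negotiate(phase1s: Sequence[Phase1], initial_match: str, req: IkeAuth) -> Tuple[bool, str]:
    """Return (success, selected phase1 name or failure reason).

    initial_match is the phase1 picked at SA_INIT; how that pick is made
    depends on parameters the article does not cover, so it is an input here.
    """
    by_name = {p.name: p for p in phase1s}
    initial = by_name[initial_match]

    if initial.eap:
        # Scenario 1: EAP phase1 matched. The peer must authenticate with EAP,
        # and its ID is ignored, as if the phase1 had 'set peertype any'.
        if req.authmethod != "eap":
            return False, f"{initial.name}: EAP expected, got {req.authmethod}"
        return True, initial.name

    # Scenario 2: non-EAP phase1 matched. EAP is rejected outright.
    if req.authmethod == "eap":
        return False, f"{initial.name}: PSK/CERT expected, got EAP"

    # The ID revalidates the gateway, but only among non-EAP phase1 entries.
    # Assumption: the initially matched phase1 is tried first, then the rest in
    # configuration order, and the authentication method must match as well.
    candidates = [initial] + [p for p in phase1s if not p.eap and p is not initial]
    for p in candidates:
        if p.authmethod == req.authmethod and p.accepts_id(req.peer_id):
            return True, p.name
    return False, f"gw validation failed for ID {req.peer_id!r}"


# Constructed sample configuration: one EAP dial-up, one certificate dial-up
# restricted to a peer group, one PSK dial-up accepting any ID.
USER1 = "CN=user1,DC=fortilab,DC=net"
PHASE1S = (
    Phase1("eap_dialup", eap=True, authmethod="signature"),
    Phase1("cert_dialup", eap=False, authmethod="signature",
           peertype="peergrp", accepted_ids=frozenset({USER1})),
    Phase1("psk_dialup", eap=False, authmethod="psk"),
)


if __name__ == "__main__":
    cases = [
        ("eap_dialup", IkeAuth("anything", "eap")),          # EAP phase1, EAP auth: ok
        ("eap_dialup", IkeAuth(USER1, "signature")),         # EAP phase1, cert auth: fails
        ("cert_dialup", IkeAuth(USER1, "eap")),              # cert phase1, EAP auth: fails
        ("cert_dialup", IkeAuth(USER1, "signature")),        # cert phase1, known ID: ok
        ("cert_dialup", IkeAuth("CN=unknown", "signature")), # cert phase1, unknown ID: fails
        ("cert_dialup", IkeAuth("any-id", "psk")),           # revalidates onto psk_dialup
    ]
    for initial, req in cases:
        print(f"{initial:12s} {req.authmethod:9s} {req.peer_id:28s} -> {negotiate(PHASE1S, initial, req)}")
```

The last case is the one that surprises people in practice: the SA_INIT match and the phase1 finally selected after ID revalidation can differ, which is why a 'gw validation failed' message can point at a phase1 other than the one you expected.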

 

Starting from FortiOS v7.4.1, the 'diagnose vpn ike log-filter dst-addr4' command has been replaced by 'diagnose vpn ike log filter rem-addr4'.

 

Related articles:

Troubleshooting Tip: IPsec Tunnel (debugging IKE) 

Technical Tip: No bytes are received when connected to IPsec dialup VPN using FortiClient

Technical Tip: LDAP user and groups cannot be used in IPSEC VPN 

Technical Tip: 'gw validation failed' for VPN Ikev2 tunnel with certificates