dwickramasinghe1
Article Id 382297
Description This article describes how to troubleshoot the 'IKE authentication credentials are unacceptable' error on the Windows Native VPN Client when attempting to connect to an IKEv2 IPsec tunnel on FortiGate.
Scope FortiGate, FortiOS, IPsec, Windows Native VPN Client.
Solution

FortiGate supports Windows Native Client IPsec connections using IKEv2. FortiGate can use certificate-based authentication to allow the endpoint to connect successfully.

This article assumes that the FortiGate VPN wizard has already been utilized to create an IKEv2 Native VPN tunnel, and the endpoints are correctly configured with the IKEv2 Native VPN settings.

In some cases, it's possible to run into the following error:

   Error:
   'IKE authentication credentials are unacceptable'


This error usually occurs when the Windows device does not trust the IPsec gateway certificate, for one of the reasons below:

  1. The CA certificate used to sign the IPsec gateway certificate is missing from the Windows certificate store when a private CA is used.
  2. The intermediate CA certificate is missing on the FortiGate when the IPsec gateway certificate is signed by a public CA.
  3. The FQDN/IP configured on the Windows client does not match the IPsec gateway certificate.


Solution 1 - IPsec gateway certificate signed by a private CA.

Check for the configured IPsec gateway certificate under: FortiGate GUI -> VPN -> VPN Tunnels -> Select the desired tunnel and take note of the configured 'signature' name.


After verifying the configured IPsec certificate, navigate to the FortiGate certificate store under: FortiGate GUI -> System -> Certificates -> select the IPsec gateway certificate and take note of the 'Issuer' (CA) field.

After confirming the CA for the IPsec gateway certificate, obtain the CA file and upload the CA file to the Microsoft certificate store on the Windows Endpoint:

Once the CA certificate has been uploaded to the Trusted Root Certificate Authorities store, restart the endpoint and attempt the connection again. The connection should succeed after making these changes.



Solution 2 - IPsec gateway certificate signed by a public CA.

In most cases, a certificate bought from a public CA is signed by an intermediate CA rather than directly by the root. During the connection, the Windows client first attempts to validate the certificate presented by the IPsec gateway, and it expects to receive the full certificate trust chain. FortiGates include many root CA certificates from well-known certificate authorities, just as most modern operating systems like Windows and macOS do; however, they do not include intermediate CA certificates. If any certificate in the trust chain is missing, validation fails and the error 'IKE authentication credentials are unacceptable' appears.


Below is an example using a certificate signed by DigiCert.
The best way to view the full certificate trust chain is to download the certificate onto a PC: in the FortiGate GUI, navigate to System -> Certificates, highlight the relevant certificate, and select 'Download'.



Once downloaded, open the certificate and check the Certification Path section to see all intermediate CAs in the trust chain.



In this case, the issue was resolved by importing the intermediate CA certificate 'DigiCert EV RSA CA G2' onto the FortiGate.

To import a CA certificate, follow the steps described in the Administration Guide: CA certificate | Fortinet Document Library.

Normally, the full certificate chain is provided as part of the certificate bundle when acquiring a certificate from a public CA. If it is not included, the Certificate Authority’s website will typically have a download section where all required intermediate and root CA certificates can be downloaded.


Solution 3 - FQDN/IP in the VPN configuration on the Windows client does not match the certificate.

When configuring the VPN connection on the client side, it is important to use an FQDN in the 'Server name or address' field that matches the CN or one of the SAN entries on the certificate presented by the IPsec gateway.
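The three failure modes above can be reproduced offline. The following Go program is an added example, not code from this article or from Fortinet: it builds a constructed private PKI (root CA, issuing CA, and a gateway certificate for the assumed FQDN vpn.example.com) and validates the gateway certificate the way the client does, with the root pool standing in for the Windows Trusted Root store and the intermediate pool for what the gateway presents. Note that Go's verifier matches the FQDN against SAN entries only, whereas Windows also accepts the CN.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// mkCert issues a constructed test certificate signed by parent; a nil parent yields a self-signed root.
func mkCert(cn string, ku x509.KeyUsage, dns []string, parent *x509.Certificate, pkey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), DNSNames: dns,
		IsCA: ku&x509.KeyUsageCertSign != 0, BasicConstraintsValid: true, KeyUsage: ku}
	if parent == nil {
		parent, pkey = tmpl, key // self-signed: the template is its own issuer
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, pkey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// verifyGateway validates the leaf as the client does: roots = Windows Trusted Root store, inters = what the gateway presents.
func verifyGateway(leaf *x509.Certificate, inters, roots []*x509.Certificate, host string) error {
	rp, ip := x509.NewCertPool(), x509.NewCertPool() // empty pools trust nothing
	for _, c := range roots {
		rp.AddCert(c)
	}
	for _, c := range inters {
		ip.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: rp, Intermediates: ip})
	return err
}

func main() {
	root, rootKey := mkCert("Corp Root CA", x509.KeyUsageCertSign, nil, nil, nil)
	inter, interKey := mkCert("Corp Issuing CA", x509.KeyUsageCertSign, nil, root, rootKey)
	leaf, _ := mkCert("vpn.example.com", x509.KeyUsageDigitalSignature, []string{"vpn.example.com"}, inter, interKey)
	chain, store := []*x509.Certificate{inter}, []*x509.Certificate{root}
	fmt.Println("complete chain, FQDN matches:", verifyGateway(leaf, chain, store, "vpn.example.com"))
	fmt.Println("1 private root not in store: ", verifyGateway(leaf, chain, nil, "vpn.example.com"))
	fmt.Println("2 intermediate not presented:", verifyGateway(leaf, nil, store, "vpn.example.com"))
	fmt.Println("3 client FQDN not in cert:   ", verifyGateway(leaf, chain, store, "fw.example.com"))
}
```

The first line prints `<nil>`; the other three print the verifier's error, showing that each of the three conditions on its own is enough to make the client reject the gateway.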



Related document:
Windows IKEv2 native VPN with user certificate | FortiGate / FortiOS 7.6.2 | Fortinet Document Libra...