FortiGate supports Windows Native Client IPSEC connections using IKEv2. FortiGate can use certificate-based authentication to allow the endpoint to connect successfully.

This article assumes that the FortiGate VPN wizard has already been utilized to create an IKEv2 Native VPN tunnel, and the endpoints are correctly configured with the IKEv2 Native VPN settings.

In some cases, it's possible to run into the following error:

Error:
'IKE authentication credentials are unacceptable'


This error usually occurs when the Windows Device does not trust the IPSEC server certificate due to a missing Certificate Authority in the Windows Store.

To resolve this issue, check for the configured IPSEC server certificate under: FortiGate GUI -> VPN -> VPN Tunnels -> Select the desired tunnel and take note of the configured 'signature' name.



After verifying the configured IPSEC certificate, navigate to the FortiGate certificate store under: FortiGate GUI -> System -> Certificates > Select the IPSEC server certificate and take note of the 'Issuer' (CA) field.

After confirming the CA for the IPSEC server certificate, obtain the CA file and upload the CA file to the Microsoft certificate store on the Windows Endpoint:


Once the CA certificate has been uploaded to the Trusted Root Certificate Authorities store, restart the endpoint and attempt the connection again. The connection should succeed after making these changes.


Related document:
Windows IKEv2 native VPN with user certificate | FortiGate / FortiOS 7.6.2 | Fortinet Document Libra...