ychia (Staff)
Article Id 253151
Description

This article explains an issue where the IPsec tunnel is unable to be established with a 'certificate validation failed' error.

Error message in the IKE debug logs:

2023-04-18 10:43:20.098727 ike 1:Tunnel:10194: fnbam cert group matching failed
2023-04-18 10:43:20.098733 ike 1:Tunnel10194: certificate validation failed

Scope

FortiGate.
Solution

During a regular system upgrade from v6.4.x to v7.0.x, the user peer definition is converted as follows:

Before upgrade (v6.4.x):

# config user peer
    edit "peer"
        set ca "G_CA_Cert_1"
        set subject "example.fortinet.com"
    next
end

After upgrade (v7.0.x):

# config user peer
    edit "peer"
        set ca "G_CA_Cert_1"
        set subject "CN=example.fortinet.com"
    next
end


Since FortiOS v7.0.x, the subject in user.peer must be a single RDN or multiple RDNs (for example "CN=example.fortinet.com" rather than the bare "example.fortinet.com"). If the subject was not converted during the upgrade, the user.peer entry can be changed manually to the RDN form.
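As an added example (not Fortinet's code), the following Python script audits a "config user peer" block and reports peers whose subject is still a bare value instead of one or more RDNs, printing the corrected "set subject" line. The sample configuration is constructed, and the suggested fix assumes the bare value was meant as the certificate CN, as in the conversion shown above; quoted values and escaped commas inside a DN are not handled.

```python
import re

# Constructed sample of a FortiOS 6.4-style "config user peer" block (not a real device export).
SAMPLE_CONFIG = """\
config user peer
    edit "peer"
        set ca "G_CA_Cert_1"
        set subject "example.fortinet.com"
    next
    edit "peer-rdn"
        set ca "G_CA_Cert_1"
        set subject "CN=vpn.example.com, O=Example"
    next
    edit "peer-nosubject"
        set ca "G_CA_Cert_1"
    next
end
"""

# One RDN is attribute=value; several RDNs are separated by commas
# (quoted values and escaped commas are not handled here).
RDN_RE = re.compile(r'^\s*[A-Za-z][A-Za-z0-9.]*\s*=\s*[^,=]+(\s*,\s*[A-Za-z][A-Za-z0-9.]*\s*=\s*[^,=]+)*\s*$')

def parse_user_peers(config_text):
    """Return {peer_name: subject_or_None} parsed from a 'config user peer' block."""
    peers = {}
    current = None
    for line in config_text.splitlines():
        m = re.match(r'\s*edit\s+"([^"]+)"', line)
        if m:
            current = m.group(1)
            peers[current] = None
            continue
        m = re.match(r'\s*set\s+subject\s+"([^"]*)"', line)
        if m and current is not None:
            peers[current] = m.group(1)
    return peers

def is_rdn_subject(subject):
    """True if the subject is in the RDN form FortiOS 7.0.x requires."""
    return bool(RDN_RE.match(subject))

def audit_user_peers(config_text):
    """List (peer, old_subject, suggested_subject) for peers whose subject is not RDN form.
    The suggestion assumes the bare value is the certificate CN (assumption, per this article)."""
    findings = []
    for name, subject in parse_user_peers(config_text).items():
        if subject and not is_rdn_subject(subject):
            findings.append((name, subject, f"CN={subject}"))
    return findings
```

Run audit_user_peers() over a "show user peer" export taken before the upgrade to see which entries need a manual "set subject" change afterwards.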
