dwickramasinghe1
Article Id 389226
Description: This article describes how to handle the 'The peer's certificate is not verified' error on FortiClient with IPsec signature-based (certificate) authentication.
Scope: FortiGate, FortiClient, IPsec, Windows.
Solution

FortiClient can form a dial-up IPsec connection with FortiGate using signature-based authentication (certificates).

In some cases, the FortiGate IKE debug output gives little indication of why an IPsec tunnel is not coming up: the FortiGate only sees that the client abandoned the exchange, while the actual decision (rejecting the server certificate) is made on the endpoint. For these scenarios, it is worth checking the FortiClient logs to see whether the endpoint trusts the FortiGate's IPsec server certificate.

This article assumes that the initial IPsec configuration has been completed on both the FortiGate and FortiClient.

See Dialup IPsec VPN with certificate authentication | FortiGate / FortiOS 7.6.2 | Fortinet Document Lib....

To verify whether FortiClient is failing to trust the IPsec server certificate, check the IKE logs in the following location on Windows (the 'x' in the file name is a numeric index; there may be several rotated files):

C:\Program Files\Fortinet\FortiClient\logs\trace\FortiIKE_x.log

Changing the FortiClient log level to debug is required for this step, and the connection attempt must be repeated after the change so the failure is captured: see Technical Tip: How to enable debug log in FortiClient.

In the FortiIKE_x.log file, check whether the following error appears:

Error:
the peer's certificate is not verified

 

This error indicates that FortiClient could not build a trust chain for the certificate the FortiGate presented during IKE: the CA that issued the FortiGate's IPsec server certificate is not present in the endpoint's trusted root certificate store (on Windows, the Local Machine 'Trusted Root Certification Authorities' store). This check is what protects the client from connecting to an impostor gateway, so it should be satisfied rather than bypassed.

To resolve the issue, do one of the following:

1. Install the CA certificate that issued the FortiGate's server certificate into the trusted root store of the affected endpoint. Obtain the CA certificate out of band (for example, exported from the FortiGate under System -> Certificates), not from the failing connection itself.

2. Change the tunnel to use a server certificate issued by a CA the endpoint already trusts (for example, a publicly trusted vendor):

FortiGate GUI -> VPN -> IPsec Tunnels -> *Select the desired tunnel* -> under Authentication, set Method to Signature and change the Certificate to the trusted one.

Note that a trusted chain is only the first requirement: the certificate's subject and peer ID must also match what the tunnel expects (see the related article on certificates and peer IDs below).
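The endpoint-side checks and the fix above, as an added PowerShell example for a Windows endpoint (this is not code from the original article or from Fortinet). It assumes the CA certificate and the FortiGate's server certificate have been exported out of band to C:\temp\vpn-ca.cer and C:\temp\vpn-server.cer (both paths are assumptions), and that the shell is elevated, since writing to the Local Machine root store requires administrator rights.

```powershell
# Added example, not from the original article. Triage and fix the
# "peer's certificate is not verified" error on a Windows FortiClient endpoint.
# Assumed paths (not from the article): the CA cert that issued the FortiGate's
# IPsec server certificate, and that server certificate, exported as .cer files.
# Run from an elevated PowerShell session.

$LogDir      = 'C:\Program Files\Fortinet\FortiClient\logs\trace'
$CaCertFile  = 'C:\temp\vpn-ca.cer'       # assumed path
$SrvCertFile = 'C:\temp\vpn-server.cer'   # assumed path

# 1. Confirm the symptom: search every rotated FortiIKE_*.log for the error.
#    Requires FortiClient logging set to debug before the failing attempt.
$hits = Get-ChildItem -Path $LogDir -Filter 'FortiIKE_*.log' |
        Select-String -Pattern "peer's certificate is not verified" -SimpleMatch
if (-not $hits) {
    Write-Host 'Error string not found; certificate trust is probably not the cause.'
    return
}
$hits | Select-Object -Last 3 | ForEach-Object { "$($_.Filename): $($_.Line)" }

# 2. Check whether the issuing CA is already in the machine's trusted root store.
$ca = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CaCertFile
$installed = Get-ChildItem Cert:\LocalMachine\Root | Where-Object Thumbprint -eq $ca.Thumbprint
if ($installed) {
    "CA '$($ca.Subject)' is already trusted ($($ca.Thumbprint))"
} else {
    # Only import a CA obtained out of band from the FortiGate administrator,
    # never one captured from the failing handshake itself.
    Import-Certificate -FilePath $CaCertFile -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
    "Imported CA '$($ca.Subject)' ($($ca.Thumbprint)) into LocalMachine\Root"
}

# 3. Verify that the FortiGate's server certificate now chains to a trusted root.
#    Revocation checking is disabled here so the check works offline; FortiClient
#    itself may still apply revocation checks during the real handshake.
$srv   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $SrvCertFile
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'
if ($chain.Build($srv)) {
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    "OK: '$($srv.Subject)' chains to trusted root '$($root.Subject)'"
} else {
    $reasons = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
    "FAIL: '$($srv.Subject)' does not chain to a trusted root: $reasons"
}
```

If step 3 still fails after the import, the server certificate was issued by a different CA (or an intermediate is missing) and the FortiGate's tunnel configuration should be checked for which certificate it actually presents; a chain failure at this point is not something to resolve by relaxing validation on the client.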

Related articles:

Technical Tip: Using IPsec VPN certificates and peer IDs for remote users

Dialup IPsec VPN with certificate authentication | FortiGate / FortiOS 7.6.2 | Fortinet Document Lib...

Technical Tip: How to enable debug log in FortiClient