FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Article Id 278825

This article describes how to configure FortiGate to accept connection when using Windows native VPN with a machine certificate, the guide does not cover how to generate a machine certificate and it would be necessary to refer to Microsoft documentation.

Scope FortiGate.

Generate and sign a CSR and import the signed certificate to the FortiGate:

  1. On the FortiGate go to System -> Certificates and select Create/Import -> Generate CSR.
  2. Configure the CSR: (below is just an example, change according to reflect the environment).

Certificate Name


ID Type

Domain Name

Domain Name


Subject Alternative Name



  1. Configure the remaining settings as required, then select OK.
  2. Download the CSR to a location that is accessible to the CA server, in this example: C:\CSR\
  3. Sign the CSR with local CA server:
    1. Open the command prompt as an administrator and enter the following:

certreq -submit -attrib 'CertificateTemplate:WebServer' C:\CSR\vpn.lab.local.csr

The Certification Authority List window opens.

2. Select the CA and select OK.

3. Save the signed certificate with a .cer file extension to a location that is accessible from the FortiGate.

  1. Import the signed certificate to the FortiGate:
    1. On the FortiGate, go to System -> Certificates and select Create/Import -> Certificate.
    2. Select Import Certificate.
    3. Set Type to Local Certificate.
    4. Select Upload and locate and select the signed certificate
    5. Select Create then select 'OK'.


Then import local root CA certificate into Fortiate:

Technical Tip: How to export root CA from Certificate Authority Server and import to FortiGate


Once certificates have been imported, it is necessary to enable PKI peer setting in Fortigate so that machine certificates can be verified against root CA.


config user peer

    edit <name>

        set ca "CA_Cert_1” <----- Refer to the above KB article.



Proceed with VPN configuration in the FortiGate CLI:


VPN Phase 1 setting:


config vpn ipsec phase1-interface

    edit <name>

        set type dynamic

        set interface "port10" <----- Replace with the WAN interface of the choice.

        set ike-version 2

        set authmethod signature

        set net-device disable

        set mode-cfg enable

        set ipv4-dns-server1 xx.xx.xx.xx <----- Point to AD server DNS.

        set proposal aes128-sha256 aes256-sha256 aes128-sha1

        set localid "vpn.syd.fortilabapac.lab" <----- Set according to FQDN of the VPN.

        set dpd on-idle

        set dhgrp 14 5 2

        set certificate "vpn.syd.fortilabapac.lab" <----- Replace with certificate generated by CSR.

        set peer "NativeDialup_peer" <----- Replace with user peer name configure previously.

        set ipv4-start-ip

        set ipv4-end-ip

        set ipv4-split-include "LAN"

        set dpd-retryinterval 60




VPN Phase 2 setting:


config vpn ipsec phase2-interface

    edit <name>

        set phase1name <phase1 name>

        set proposal aes128-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305

        set pfs disable

        set keepalive enable




Client VPN configuration (Windows 10):


Select Start, then select Settings -> Network & Internet -> VPN, and select  Add a VPN connection to start configuration.




Follow the below configuration, and ensure to use FQDN in the Server name or address or there will be an error during connection.




After saving the setting, select the Change adapter option to change the connection to use the machine certificate.




Right-click on VPN connection, and select Properties -> Security. Select Use machine certificate and press OK.




Go back to Settings -> Network & Internet -> VPN  to test the VPN connection.



In case there is an issue with the connection, run the below debug command to check.


diagnose debug application ike -1

diagnose debug enable


Below sample output on the certificate verification:


ike 0:dialup_cert:10: Validating X.509 certificate

ike 0:dialup_cert:10: peer cert, subject='Computers', issuer='syd-FORTILABAPAC-AD-CA-2'

ike 0:dialup_cert:10: peer ID verified

ike 0:dialup_cert:10: building fnbam peer candidate list

ike 0:dialup_cert:10: FNBAM_GROUP_NAME candidate 'NativeDialup_peer'

ike 0:dialup_cert:10: certificate validation pending

ike 0:dialup_cert:10: fnbam reply 'NativeDialup_peer'

ike 0:dialup_cert:10: fnbam matched peer 'NativeDialup_peer'

ike 0:dialup_cert:10: certificate validation complete

ike 0:dialup_cert:10: certificate validation succeeded

ike 0:dialup_cert:10: signature verification succeeded

ike 0:dialup_cert:10: auth verify done

ike 0:dialup_cert:10: responder AUTH continuation

ike 0:dialup_cert:10: authentication succeeded