FortiGate
Kush_Patel
Staff
Article Id 407210
Description

This article describes a failure that occurs when connecting to a dial-up IKEv2 tunnel as a local user without MFA (Multi-Factor Authentication): the connection is rejected and the debug output shows the error 'Not enough buffer for EAP message'.

Scope
FortiGate 7.4 and above.
Solution

Run the following CLI commands to collect IKE, fnbamd and EAP proxy debug output while the dial-up IKEv2 tunnel is being negotiated:


diagnose debug reset
diagnose debug console timestamp enable
diagnose debug application ike -1
diagnose debug application fnbamd -1
diagnose debug application eap_proxy -1
diagnose debug enable


The following error sequence is then seen in the output: fnbamd fails to hand the EAP message over, reports result 10 for the request, and the IKE daemon treats this as an EAP timeout and tears the connection down:


2025-08-07 13:03:34 [1503] fnbamd_rad_process-Challenged: 0, FTK_Challenge: 0, CHG_PWD: 0, Invaid_Digest: 0, No_Message_Authenticator_Attr: 0, State_Len: 0
2025-08-07 13:03:34 [2804] fnbamd_rad_result-Error (10) for req 13499276255236
2025-08-07 13:03:34 [133] fnbamd_comm_send_result-Not enough buffer for EAP message
2025-08-07 13:03:34 [239] fnbamd_comm_send_result-Sending result 10 (nid 0) for req 13499276255236, len=6688
2025-08-07 13:03:34.339776 ike V=root:0:ike2-fct:11 EAP 13499276255236 result FNBAM_TIMEOUT
2025-08-07 13:03:34.345554 ike V=root:0:ike2-fct: EAP failed for user "user"
2025-08-07 13:03:34.353568 ike V=root:0:ike2-fct: EAP response is empty
2025-08-07 13:03:34 2025-08-07 13:03:34.358568 ike V=root:0:ike2-fct: connection expiring due to EAP failure
2025-08-07 13:03:34.368264 ike V=root:0:ike2-fct: going to be deleted


To resolve this issue, first check whether a certificate is assigned to 'wifi-certificate' under 'config system global' (the two settings are shown empty below, which is the case that triggers the error):


config system global

(global) # get | grep wifi
wifi-ca-certificate : 
wifi-certificate : 


If a certificate is already assigned, confirm that the same certificate exists under 'config vpn certificate local' using the following commands, replacing 'certificate_name' with the name shown in the previous output:


config vpn certificate local

(local) # get | grep 'certificate_name'


If no certificate is assigned, assign one as shown below (the built-in Fortinet_Factory certificate and Fortinet_CA are used here as an example):


config system global

(global) # set wifi-certificate Fortinet_Factory

(global) # set wifi-ca-certificate Fortinet_CA

(global) # end


After that, the local user can connect to the VPN tunnel successfully. IKEv2 EAP authentication uses the same EAP proxy (the eap_proxy daemon enabled in the debug commands above) that was originally implemented for Wi-Fi, which is why 'wifi-certificate' must be set even though no wireless client is involved.
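When this signature has to be recognised in saved debug output rather than on a live console, the fnbamd and ike lines can be correlated by request id. The following script is an added example written for this article, not Fortinet code; the sample lines are copied from the output quoted above, and the field names and the hint text are assumptions chosen for the example.

```python
import re

# Constructed sample: the fnbamd/ike debug lines quoted in this article (not a live capture).
SAMPLE_DEBUG = """\
2025-08-07 13:03:34 [2804] fnbamd_rad_result-Error (10) for req 13499276255236
2025-08-07 13:03:34 [133] fnbamd_comm_send_result-Not enough buffer for EAP message
2025-08-07 13:03:34 [239] fnbamd_comm_send_result-Sending result 10 (nid 0) for req 13499276255236, len=6688
2025-08-07 13:03:34.339776 ike V=root:0:ike2-fct:11 EAP 13499276255236 result FNBAM_TIMEOUT
2025-08-07 13:03:34.345554 ike V=root:0:ike2-fct: EAP failed for user "user"
2025-08-07 13:03:34.353568 ike V=root:0:ike2-fct: EAP response is empty
"""

BUFFER_ERROR = "Not enough buffer for EAP message"
RE_SEND = re.compile(
    r"fnbamd_comm_send_result-Sending result (?P<code>\d+) .*?for req (?P<req>\d+), len=(?P<len>\d+)")
RE_IKE_EAP = re.compile(
    r"ike V=(?P<vdom>\w+):\d+:(?P<tunnel>[^:]+):\d+ EAP (?P<req>\d+) result (?P<result>\w+)")
RE_FAILED = re.compile(r"ike V=\w+:\d+:(?P<tunnel>[^:]+): EAP failed for user \"(?P<user>[^\"]+)\"")

def analyze_eap_debug(text):
    """Correlate fnbamd and ike debug lines by request id and return one dict per
    request whose fnbamd result was preceded by the 'Not enough buffer' message."""
    reqs = {}               # req id -> collected fields
    tunnel_req = {}         # tunnel name -> most recent req id seen on the ike side
    pending_buffer_err = False
    for line in text.splitlines():
        if BUFFER_ERROR in line:
            pending_buffer_err = True        # applies to the next 'Sending result' line
            continue
        if m := RE_SEND.search(line):
            r = reqs.setdefault(m["req"], {"req": m["req"], "buffer_error": False})
            r.update(fnbamd_code=int(m["code"]), eap_len=int(m["len"]),
                     buffer_error=pending_buffer_err)
            pending_buffer_err = False
        elif m := RE_IKE_EAP.search(line):
            r = reqs.setdefault(m["req"], {"req": m["req"], "buffer_error": False})
            r.update(vdom=m["vdom"], tunnel=m["tunnel"], ike_result=m["result"])
            tunnel_req[m["tunnel"]] = m["req"]
        elif m := RE_FAILED.search(line):
            req = tunnel_req.get(m["tunnel"])  # the 'EAP failed' line carries no req id
            if req in reqs:
                reqs[req]["user"] = m["user"]
    findings = []
    for r in reqs.values():
        if r["buffer_error"]:
            r["hint"] = ("EAP proxy buffer error: check 'wifi-certificate' and "
                         "'wifi-ca-certificate' under 'config system global'")
            findings.append(r)
    return findings
```

Calling analyze_eap_debug(SAMPLE_DEBUG) returns a single finding for request 13499276255236 carrying the tunnel name, user, fnbamd result code, EAP payload length and the IKE result FNBAM_TIMEOUT.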