sfrati
Staff
Article Id 427412
Description This article describes a common issue encountered when deploying a new IKEv2 remote access VPN that uses certificate-based client authentication: the tunnel fails to establish and the FortiGate reports the error 'peer id does not match cert'. The FortiGate raises this error when the IKE ID presented by the client does not match the subject or a subject alternative name (SAN) entry of the certificate the client authenticates with. This article provides a step-by-step guide to resolve the issue.
Scope FortiGate 7.4.5 and later.
Solution

To resolve the IKEv2 Remote Access VPN certificate validation issue, follow these steps:

  1. Make sure the client certificate is properly configured and that its subject alternative name (SAN) field contains the identity the client sends as its IKE ID (for example the user principal name). If the ID the client sends is not present in the certificate, the FortiGate rejects the peer.
  2. Check the IKEv2 settings on the client side and set the ID type to ASN1DN, so that the subject (DN) of the certificate is sent as the IKE ID and therefore always matches the certificate.
  3. If the steps above do not resolve the issue, disable the cert-id-validation parameter on the FortiGate for the affected phase1-interface. The client certificate is still validated against the trusted CA, but the IKE ID it presents is no longer required to match the certificate's subject or SAN, so treat this as a workaround and prefer fixing the certificate or the client ID type. The setting is changed with the following command:
config vpn ipsec phase1-interface
    edit VPN_Interface
        set cert-id-validation disable
    next
end
  4. Alternatively, the administrator can issue a new client certificate that includes the identity the client sends, such as the RFC822 name (e-mail address), in the subject alternative name field, and keep cert-id-validation enabled.
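The following script is an added example and is not part of the original article or of Fortinet's own tooling. It shows how an administrator can check, before touching cert-id-validation, whether the ID a client will send is actually present in its certificate: it builds a throwaway self-signed client certificate whose SAN carries both an RFC822 name and a UPN otherName (the two SAN forms discussed in steps 1 and 4), then tests candidate IKE IDs against the certificate's SAN and subject DN. The identities, file names and the test certificate are all constructed for illustration; in practice point it at the real client certificate.

```shell
#!/bin/sh
# Added example, not from the original article or from Fortinet.
# Requires the openssl command-line tool. All identities are hypothetical.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CRT="$WORK/client.crt"

# Hypothetical client identity; replace with the real values.
CLIENT_EMAIL="alice@example.com"
CLIENT_UPN="alice@corp.example"
# Subject DN in RFC 2253 order, as 'openssl x509 -subject -nameopt RFC2253' prints it.
CLIENT_DN="CN=alice,OU=VPN Users,O=Example Corp,C=US"

# Generate a self-signed client certificate into $CRT with a SAN that holds
# both the RFC822 name (email:) and the UPN otherName (OID 1.3.6.1.4.1.311.20.2.3).
make_client_cert() {
  cat > "$WORK/client.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = ext
prompt = no
[dn]
C = US
O = Example Corp
OU = VPN Users
CN = alice
[ext]
subjectAltName = email:${CLIENT_EMAIL},otherName:1.3.6.1.4.1.311.20.2.3;UTF8:${CLIENT_UPN}
extendedKeyUsage = clientAuth
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -keyout "$WORK/client.key" -out "$CRT" \
    -config "$WORK/client.cnf" >/dev/null 2>&1
}

# Print the SAN entries of a certificate (empty if the extension is absent).
# Note: OpenSSL before 3.0 prints the UPN otherName as '<unsupported>', so the
# UPN can only be recognised by this check on OpenSSL 3.0 and later.
cert_san() {
  openssl x509 -in "$1" -noout -text | sed -n '/Subject Alternative Name/{n;p;}'
}

# Print the subject DN in RFC 2253 form without the 'subject=' prefix.
cert_subject() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

# Return 0 if the IKE ID a client would send appears in the certificate's SAN
# (substring match on the printed SAN line) or equals its subject DN, else 1.
# A 1 here is what the FortiGate reports as 'peer id does not match cert'
# while cert-id-validation is enabled.
cert_has_ike_id() {
  cert="$1"; ike_id="$2"
  case "$(cert_san "$cert")" in *"$ike_id"*) return 0 ;; esac
  [ "$(cert_subject "$cert")" = "$ike_id" ] && return 0
  return 1
}

# Stand-alone demo: build the test certificate and try each candidate IKE ID,
# including one (bob@example.com) that is deliberately absent.
make_client_cert
for id in "$CLIENT_EMAIL" "$CLIENT_UPN" "$CLIENT_DN" "bob@example.com"; do
  if cert_has_ike_id "$CRT" "$id"; then
    echo "OK        $id"
  else
    echo "MISMATCH  $id  (FortiGate would log: peer id does not match cert)"
  fi
done
```

Run it against a real client certificate by replacing the generated `$CRT` with the exported certificate file and the three identity variables with the values the client is configured to send; an ID that prints MISMATCH is the one to add to the SAN (step 4) or to replace with the ASN1DN subject (step 2), which keeps cert-id-validation enabled instead of disabling it (step 3).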
For more information, refer to the FortiGate documentation.
