FortiGate
pathik_mehta
Staff
Article Id 382721
Description This article describes how to configure an IPsec tunnel that uses certificate-based authentication for IKE.
Scope FortiGate.
Solution

When certificate-based authentication is used for IKE, the FortiGate's built-in default certificate can be used.

[Screenshot: image.png]


In the configuration above, the built-in Fortinet_Factory certificate is used as the entity (local) certificate and the built-in Fortinet_Sub_CA as the CA certificate.

Since the private keys and the CA chain for these built-in certificates are already present on the firewall, there is no need to import additional key files here.

[Screenshot: Screenshot 2025-03-17 160519.png]


Once the configuration is complete on both ends, the phase 1 status comes up, which can be verified with the following command:

LAB # diagnose vpn ike gateway list name S2S
vd: root/0
name: S2S
version: 1
interface: port1 3
addr: 10.5.24.44:500 -> 10.5.27.81:500
tun_id: 2.3.4.5/::2.3.4.5
remote_location: 0.0.0.0
network-id: 0
created: 104s ago
peer-id: C = US, ST = California, L = Sunnyvale, O = Fortinet, OU = FortiGate, CN = FGVM080000031546, emailAddress = support@fortinet.com
peer-id-auth: yes
IKE SA: created 1/2  established 1/2  time 10/15/20 ms
IPsec SA: created 0/1
  id/spi: 4 7f307ee05619b343/e0329706744c1643
  direction: initiator
  status: established 104-104s ago = 20ms
  proposal: aes128-sha256
  key: 9e62ea4eb199660f-2874ee2b8c3f8861
  lifetime/rekey: 86400/85995
  DPD sent/recv: 00000000/00000000
  peer-id: C = US, ST = California, L = Sunnyvale, O = Fortinet, OU = FortiGate, CN = FGVM080000031546, emailAddress = support@fortinet.com
If a third-party CA-signed certificate needs to be used instead, import the certificate file together with its key file as a local certificate.

[Screenshot: Screenshot 2025-03-17 160829.png]


It is also necessary to import the CA certificate that signed the peer's certificate on both VPN endpoints, so that each side can validate the other's certificate chain.
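As an added example (not part of the article, and not taken from a FortiGate export), the CLI equivalent of the phase 1 settings shown in the screenshots. The tunnel name S2S, interface port1, remote gateway and the peer CN are taken from the diagnose output above; the "user peer" object name S2S_peer and the CN pin are assumptions added to restrict which certificates the tunnel accepts.

```text
# Added example, not from the article. Names marked below are assumptions.

# 1. Define which peer certificates are acceptable (object name S2S_peer is assumed).
#    Pinning the CN matters: every FortiGate factory certificate chains to the same
#    built-in CA, so accepting "any certificate signed by Fortinet_Sub_CA" would let
#    any other FortiGate authenticate as this peer.
config user peer
    edit "S2S_peer"
        set ca "Fortinet_Sub_CA"
        set cn "FGVM080000031546"
    next
end

# 2. Phase 1 with signature (certificate) authentication using the built-in
#    Fortinet_Factory entity certificate. For a third-party CA-signed certificate,
#    point "set certificate" at the imported local certificate name instead.
config vpn ipsec phase1-interface
    edit "S2S"
        set interface "port1"
        set ike-version 1
        set remote-gw 10.5.27.81
        set authmethod signature
        set certificate "Fortinet_Factory"
        set peertype peer
        set peer "S2S_peer"
        set proposal aes128-sha256
    next
end

# 3. Verify: "peer-id-auth: yes" confirms the peer's certificate was validated, and
#    "peer-id" should show the pinned subject DN rather than an unexpected one.
diagnose vpn ike gateway list name S2S
```

If the peer presents a certificate whose CN does not match the pin, phase 1 fails to establish and the diagnose output shows no established IKE SA, which is the expected behaviour rather than a misconfiguration.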