Hi,

I'm trying to configure our Fortigate v7.4 to provide dialup IPSec VPN to FortiClient on Windows. The VPN works fine with user certificate but if I want to use computer certificate instead, or enable VPN before login, the VPN failed. I tried to give user access to the certificate key of the machine certificate without success.

Any advices are much appreciated.

Here is an abstract of the FG config:

config vpn ipsec phase1-interface
  edit "Staff VPN"
    set type dynamic
    set interface "portn"
    set ike-version 2
    set authmethod signature
    set peertype peergrp
    set net-device disable
    set mode-cfg enable
    set ipv4-dns-server1 x.x.x.x
    set proposal aes128-sha256 aes256-sha256 aes128gcm-prfsha256 aes256gcm-prfsha384 chacha20poly1305-   prfsha256
    set localid "StaffVPN"
    set comments "VPN: Staff VPN (Created by VPN wizard)"
    set ems-sn-check enable
    set certificate "xxx.localhost"
    set peergrp "pki-ldap"
    set ipv4-start-ip x.x.x.x
    set ipv4-end-ip x.x.x.x
    set ipv4-split-include "Staff VPN_split"
    next
  end

config user peergrp
  edit "pki-ldap"
    set member "Staff VPN_peer" "Computer VPN_peer"
    next
  end

config user peer
  edit "Staff VPN_peer"
    set ca "CA_Cert_1"
    set cn-type email
    set mfa-mode subject-identity
    set mfa-server "LDAP_SRV"
    next
  edit "Computer VPN_peer"
    set ca "CA_Cert_1"
    set cn-type FQDN
    set mfa-mode subject-identity
    set mfa-server "LDAP_SRV"
    next
  end

And here is the FortiClient config:

<ipsecvpn>
<options>
<use_win_current_user_cert>0</use_win_current_user_cert>
<show_auth_cert_only>1</show_auth_cert_only>
<check_for_cert_private_key>0</check_for_cert_private_key>
<beep_if_error>0</beep_if_error>
<enable_udp_checksum>0</enable_udp_checksum>
<no_dns_registration>2</no_dns_registration>
<usewincert>1</usewincert>
<uselocalcert>0</uselocalcert>
<usesmcardcert>1</usesmcardcert>
<enhanced_key_usage_mandatory>1</enhanced_key_usage_mandatory>
<enabled>1</enabled>
<disable_default_route>0</disable_default_route>
<use_win_local_computer_cert>1</use_win_local_computer_cert>
<block_ipv6>1</block_ipv6>
<disallow_invalid_server_certificate>1</disallow_invalid_server_certificate>
</options>
<connections>
<connection>
<name>Staff IPSEC</name>
<uid>xxxxxxxx</uid>
<machine>1</machine>
<keep_running>1</keep_running>
<disclaimer_msg/>
<single_user_mode>0</single_user_mode>
<type>manual</type>
<ui>
<show_remember_password>0</show_remember_password>
<show_alwaysup>0</show_alwaysup>
<show_autoconnect>0</show_autoconnect>
<show_passcode>0</show_passcode>
<save_username>0</save_username>
</ui>
<redundant_sort_method>0</redundant_sort_method>
<tags>
<allowed/>
<prohibited/>
</tags>
<host_check_fail_warning/>
<ike_settings>
<server>fg.hostname.local</server>
<authentication_method>System Store X509 Certificate</authentication_method>
<fgt>1</fgt>
<prompt_certificate>0</prompt_certificate>
<xauth>
<use_otp>0</use_otp>
<enabled>0</enabled>
<prompt_username>0</prompt_username>
<username/>
</xauth>
<version>2</version>
<mode>aggressive</mode>
<key_life>86400</key_life>
<localid/>
<implied_SPDO>0</implied_SPDO>
<implied_SPDO_timeout>0</implied_SPDO_timeout>
<nat_traversal>1</nat_traversal>
<enable_local_lan>1</enable_local_lan>
<enable_ike_fragmentation>1</enable_ike_fragmentation>
<mode_config>1</mode_config>
<dpd>1</dpd>
<dpd_retry_count>3</dpd_retry_count>
<dpd_retry_interval>5</dpd_retry_interval>
<run_fcauth_system>1</run_fcauth_system>
<nat_alive_freq>5</nat_alive_freq>
<sso_enabled>0</sso_enabled>
<networkid>0</networkid>
<use_external_browser>0</use_external_browser>
<transport_mode>2</transport_mode>
<tcp_port>443</tcp_port>
<udp_port>500</udp_port>
<ike_saml_port>0</ike_saml_port>
<dhgroup>5</dhgroup>
<proposals>
<proposal>AES128|SHA1</proposal>
<proposal>AES256|SHA256</proposal>
</proposals>
<auth_data/>
</ike_settings>
<ipsec_settings>
<remote_networks>
<network>
<addr>172.16.0.0</addr>
<mask>255.255.0.0</mask>
</network>
<network>
<addr>n.n.0.0</addr>
<mask>n.n.0.0</mask>
</network>
<network>
<addr>n.n.n.n</addr>
<mask>n.n.0.0</mask>
</network>
</remote_networks>
<dhgroup>5</dhgroup>
<key_life_type>seconds</key_life_type>
<key_life_seconds>43200</key_life_seconds>
<key_life_Kbytes>5200</key_life_Kbytes>
<replay_detection>1</replay_detection>
<pfs>1</pfs>
<use_vip>1</use_vip>
<virtualip>
<type>modeconfig</type>
<ip>0.0.0.0</ip>
<mask>0.0.0.0</mask>
<dnsserver>0.0.0.0</dnsserver>
<winserver>0.0.0.0</winserver>
</virtualip>
<proposals>
<proposal>AES128|SHA1</proposal>
<proposal>AES256|SHA256</proposal>
</proposals>
</ipsec_settings>
<warn_invalid_server_certificate>1</warn_invalid_server_certificate>
<android_cert_path/>
</connection>
</connections>
</ipsecvpn>