Hi,
We're trying to set up cert based authentication via forticlient in our environment. We're running 5.6.6 and we have a working ipsec with local user /pw setup. However we now want to move to a cert based authentication.
We're not really getting past phase 1, and we have a really hard time debugging this to see what the issue is.
I've looked at these guides and examples:
https://docs.fortinet.com/document/forticlient/6.0.5/xml-reference-guide/673310/ipsec-vpn
and
https://cookbook.fortinet.com/ipsec-vpn-with-forticlient-56/
To clear out the obvious:
And this is the same on the forticlient settings.
Are you using FortiClient EMS or a standalone client?
The reason I ask is because the tunnel will not even try to connect if you have two Diffie-Hellman groups in the FortiClient configuration, since the tunnel will not even build if the FortiClient profile is propagated from EMS. The client acts as if it is trying to connect, but it is not.
I have dozens of certificate authenticating clients right now that are working with both xauth and MFA right now.
I hope this helps.
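As an added illustration of the reply above (not part of the original thread, and not the poster's configuration), this is what a FortiGate dial-up phase 1 for certificate authentication with XAuth looks like on the CLI, with a single Diffie-Hellman group so that the FortiClient side has exactly one group to match. The interface, certificate, peer and user-group names are placeholders.

```text
config vpn ipsec phase1-interface
    edit "forticlient-cert"
        set type dynamic
        set interface "wan1"              # placeholder: your WAN interface
        set ike-version 1
        set mode aggressive
        set proposal aes256-sha256
        set dhgrp 14                      # one DH group only; match it on the client
        set authmethod signature          # certificate instead of pre-shared key
        set certificate "fgt-vpn-cert"    # placeholder: server cert installed on the FortiGate
        set peertype peer
        set peer "client-ca"              # placeholder: 'config user peer' entry holding the client CA
        set xauthtype auto                # keep XAuth on top of the certificate
        set authusrgrp "vpn-users"        # placeholder: local or remote user group
    next
end
```

If phase 1 still fails, `diagnose debug application ike -1` on the FortiGate shows which proposal or certificate check the peer rejects.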