Based on another solution by @funkylicious, we created an FQDN that was addressable from the internet. We also created a certificate with the FQDN in the Common Name and the IP address in the Subject Alternative Name. When FortiClient tries to connect to the FQDN, the web browser states the connection is not private and lists that the Cert Common Name is Invalid.
I notice in the address field that instead of the FQDN being listed, it is showing the IP address. I thought that having the IP address in the SAN would address this. Our security policies do not allow users to continue if there is a security certificate mismatch, so I am trying to figure out why the IP address is showing up when connecting to the VPN instead of the FQDN. Do I need to make another certificate that explicitly names the IP address instead of the FQDN?
Created on ‎09-09-2025 08:53 AM Edited on ‎09-09-2025 08:54 AM
Ok, so I don't know where the fault lies with this. In FortiClient we manually changed the Remote Gateway from the IP address to the FQDN. Nothing was working, as stated above. We ran Wireshark and noticed that when we were trying to connect using FortiClient, it was still reaching out to the IP address and not the FQDN.
So we manually created a new profile in FortiClient and set the remote gateway to the FQDN. Once we hit connect in FortiClient, Wireshark showed the DNS query for the IP address using the FQDN, and the certificate works since now the FQDN is being used to access the site.
So we are wondering if standard users are not allowed to change certain settings in FortiClient due to permissions, but the app doesn't let the user know that the changes didn't take effect, while visually in the FortiClient app it looks like they have.
Additionally, we looked in the registry at HKLM\SOFTWARE\Fortinet\Forticlient\IPSEC\Tunnels\{VPN Name}\P1 and noticed the following entries for the VPN Name that was a problem:
When we look at the registry settings for the new tunnel, it shows the following.
So I don't know if FortiClient is actually using the 'RemoteGWSorted' entry in the registry after the first connection is made and will continue using that entry no matter what. So I'm not sure if this is a bug with the software or a permission issue, but if this is a permission issue the app should let the user know that changing the name of the Remote Gateway is not allowed and to contact IT, or make the field non-editable and force the creation of a new VPN Name if the Remote Gateway is changed.
I will leave this marked as unsolved for a little bit to give people time to read and comment.
The common name should be the same as the one your client is configured to connect to.
If the CN is an IP address, then configure your client to connect to your IP address. And if the CN is an FQDN, then configure your client to connect to the FQDN.
Also, I have already found some situations where the CN must be duplicated in the SAN in order to work properly. So since that time I always duplicate the CN in the SAN.
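The thread above turns on two name-matching rules: a client connecting to an IP literal is only satisfied by an `IP Address` entry in the SAN (the CN is never consulted for IPs), and once a certificate carries any SAN, clients ignore the CN entirely, which is why the advice to duplicate the CN in the SAN matters. The following checker, added here as an illustration and not code from the original thread or from Fortinet, encodes those rules (RFC 6125 style, with the CN fallback only when no SAN is present) and runs them over constructed certificates in the dictionary layout Python's `ssl.SSLSocket.getpeercert()` returns. The certificate contents, hostnames and addresses are made-up sample values.

```python
import ipaddress
from typing import List, Optional, Tuple

# Certificates are represented the way ssl.SSLSocket.getpeercert() returns them:
#   {"subject": ((("commonName", "vpn.example.com"),),),
#    "subjectAltName": (("DNS", "vpn.example.com"), ("IP Address", "203.0.113.10"))}


def _san_entries(cert: dict) -> List[Tuple[str, str]]:
    """All (type, value) pairs from the subjectAltName extension, if any."""
    return list(cert.get("subjectAltName", ()))


def _common_name(cert: dict) -> Optional[str]:
    """First commonName attribute in the subject, or None."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def _dns_match(pattern: str, host: str) -> bool:
    """Case-insensitive DNS name match; a wildcard may only be the whole
    leftmost label and matches exactly one label (no '*.com' style names)."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels = pattern.split(".")
    h_labels = host.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def explain_match(cert: dict, target: str) -> Tuple[bool, str]:
    """Return (matches, reason) for a client that dialed `target`, which is
    either a hostname or an IP literal, and was presented `cert`."""
    sans = _san_entries(cert)
    cn = _common_name(cert)
    try:
        target_ip = ipaddress.ip_address(target)
    except ValueError:
        target_ip = None

    if target_ip is not None:
        # IP literals are matched only against SAN iPAddress entries.
        for kind, value in sans:
            if kind != "IP Address":
                continue
            try:
                if ipaddress.ip_address(value) == target_ip:
                    return True, f"IP {target} found in SAN"
            except ValueError:
                continue  # malformed entry, skip it
        return False, f"IP {target} not present as a SAN 'IP Address' entry (CN is never used for IPs)"

    # Hostnames are matched against SAN dNSName entries first.
    for pattern in (v for k, v in sans if k == "DNS"):
        if _dns_match(pattern, target):
            return True, f"hostname {target} matches SAN DNS entry {pattern}"
    if sans:
        return False, f"hostname {target} not in SAN; CN '{cn}' is ignored because a SAN is present"
    # Legacy fallback: CN is only consulted when the certificate has no SAN at all.
    if cn and _dns_match(cn, target):
        return True, f"hostname {target} matches CN (legacy fallback, no SAN present)"
    return False, f"hostname {target} matches neither SAN nor CN"


# Constructed sample certificates (not real certificates).
CERT_CN_FQDN_SAN_IP = {  # the shape described in the question: CN=FQDN, SAN=IP only
    "subject": ((("commonName", "vpn.example.com"),),),
    "subjectAltName": (("IP Address", "203.0.113.10"),),
}
CERT_CN_DUPLICATED_IN_SAN = {  # the reply's recommendation: CN also listed as a SAN DNS entry
    "subject": ((("commonName", "vpn.example.com"),),),
    "subjectAltName": (("DNS", "vpn.example.com"), ("IP Address", "203.0.113.10")),
}
CERT_NO_SAN = {  # CN only, no SAN extension at all
    "subject": ((("commonName", "vpn.example.com"),),),
}

if __name__ == "__main__":
    for name, cert in (("CN=FQDN, SAN=IP", CERT_CN_FQDN_SAN_IP),
                       ("CN duplicated in SAN", CERT_CN_DUPLICATED_IN_SAN),
                       ("no SAN", CERT_NO_SAN)):
        for target in ("vpn.example.com", "203.0.113.10"):
            ok, why = explain_match(cert, target)
            print(f"{name:22} -> {target:16} {'OK ' if ok else 'FAIL'}: {why}")
```

Running it shows the asymmetry the thread describes: the first certificate validates when the client dials the IP but not when it dials the FQDN, because its only SAN entry is the IP and the CN is then ignored; once the FQDN is duplicated as a DNS SAN entry, both the FQDN and the IP validate, so whichever gateway string FortiClient actually uses (the page's Wireshark observation shows it may not be the one displayed) the certificate still matches.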
Copyright 2025 Fortinet, Inc. All Rights Reserved.