Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Summer Badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiADC
- FortiAIOps
- FortiAnalyzer
- FortiAP
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCare Services
- FortiCarrier
- FortiCASB
- FortiConverter
- FortiCNP
- FortiDAST
- FortiData
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDeceptor
- FortiDevice
- FortiDevSec
- FortiDirector
- FortiEdgeCloud
- FortiEDR
- FortiEndpoint
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiGuest
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiPresence
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiSASE Sovereign
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiAppSec Cloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Support Forum
- IPsec IKEv2 Dialup using LDAP Machine Cert authent...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
IPsec IKEv2 Dialup using LDAP Machine Cert authentication
I have been making no progress on this for weeks now. Using FortiClient 7.4.4 I am unable to successfully configure an IPsec IKEv2 remote VPN connection using LDAP machine certificate (not a user certificate) authentication. We have an internal Windows CA. All clients have a Machine certificate issued by our internal CA with an EKU for Client Authentication and the FQDN set in the certs subject name (ex: CN= ComputerName, OU=Computers, DC=domainname, DC=local) in their local computer personal store. All client machines also have our internal CA’s root certificate in their local computer Trusted Toot Certification Authority store. The FortiGate has a server certificate installed that was issued from our internal CA (appears properly in the FG Local Certificate store) and it also has our internal CA’s root certificate (appears properly in the FG Remote Certificate store).
All of the Certificates mentioned above are still valid and not expired.
The machine certs currently work when used to connect to our current SSL VPN and also for our WiFi, further indicating that the machine certificates are valid and should work with the IPsec VPN.
When trying to connect I get a “ CertificateSignFailed” error message in FortiClient.
If I use a user certificate for authentication with the IPsec IKEv2 VPN instead of the machine cert, it connects with out issue. This indicates to me that the other certificates in the chain are valid.
There has got to be a configuration setting that I am missing to get this VPN to work using machine certs, but for the life of me I can not find it. All of the documentation I have come across for IPsec IKEv2 configurations is for user certs.
I also can’t find any known issues related to IPsec LDAP machine certificate authentication. Can anyone post a basic working config that I can try. I would like to use this to enable pre-Windows logon authentication.
Thanks in advance.
Solved! Go to Solution.
Labels:
- Labels:
-
FortiClient
-
FortiGate
1 Solution
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you for all of your help. This does indeed appear to be an issue with FortiClient v. 7.4.4. I installed FortiClient 7.4.3 and was able to connect with the Machine certificate with no other changes.
Unfortunately, the reason I installed 7.4.4 to begin with was to enable the use of FortiToken MFA using ldap user accounts along with requiring certificate authentication. This ability, when using IKEv2, was supposed to be an added feature of 7.4.4. It does work correctly when using a user certificate, but does not seem to currently work when using a machine certificate (which is required to enable VPN before logon).
I guess I'll just have to stick with our SSL VPN a little longer until they get these issues worked out in a future release. sigh....
- « Previous
- Next »
21 REPLIES 21
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you for your help, it is much appreciated. Your config is very similar to the one I was attempting to use. I tried your config just incase the minor variations were causing the issue, but I get the same result. It is able to connect successfully when using a user cert, but fails when attempting to connect using the machine cert.
I'm running FortiOS 7.4.9 on the FG and using FortiClient 7.4.4. I may need to move back down to FC 7.4.3, since you seem to be able to connect with a Machine cert.
Below are my IKE Debugs:
My_FortiGate # ike V=root:0: comes 192.168.1.100:59785->999.999.999.999:4500,ifindex=47,vrf=0,len=626....
ike V=root:0: IKEv2 exchange=SA_INIT id=4e4531924d116d66/0000000000000000 len=622
ike 0: in 4E4531924D116D66000000000000000021202208000000000000026E2200008C0200004401010007030000080300000C0300000C0100000C800E0080030000080400000E03000008020000050300000802000006030000080200000700000008020000020000004402010007030000080300000C0300000C0100000C800E0100030000080400000E030000080200000503000008020000060300000802000007000000080200000228000108000E000098E83F52D……
ike V=root:0:4e4531924d116d66/0000000000000000:286: responder received SA_INIT msg
ike V=root:0:4e4531924d116d66/0000000000000000:286: VID forticlient connect license 4C53427B6D465D1B337BB755A37A7FEF58E4BA13F67F0000
ike V=root:0:4e4531924d116d66/0000000000000000:286: VID Fortinet Endpoint Control B4F01CA951E9DA8D0BAFBBD34AD3044E78E4BA13F67F0000
ike V=root:0:4e4531924d116d66/0000000000000000:286: VID Forticlient EAP Extension C1DC4350476B98A429B91781914CA43E28EB3A1A32000000
ike V=root:0:4e4531924d116d66/0000000000000000:286: received notify type NAT_DETECTION_SOURCE_IP
ike V=root:0:4e4531924d116d66/0000000000000000:286: received notify type NAT_DETECTION_DESTINATION_IP
ike V=root:0:4e4531924d116d66/0000000000000000:286: received notify type SIGNATURE_HASH_ALGORITHMS
ike V=root:0:4e4531924d116d66/0000000000000000:286: incoming proposal:
ike V=root:0:4e4531924d116d66/0000000000000000:286: proposal id = 1:
ike V=root:0:4e4531924d116d66/0000000000000000:286: protocol = IKEv2:
ike V=root:0:4e4531924d116d66/0000000000000000:286: encapsulation = IKEv2/none
ike V=root:0:4e4531924d116d66/0000000000000000:286: type=ENCR, val=AES_CBC (key_len = 128)
ike V=root:0:4e4531924d116d66/0000000000000000:286: type=INTEGR, val=AUTH_HMAC_SHA2_256_128
ike V=root:0:4e4531924d116d66/0000000000000000:286: type=PRF, val=PRF_HMAC_SHA
ike V=root:0:4e4531924d116d66/0000000000000000:286: type=PRF, val=PRF_HMAC_SHA2_512
ike V=root:0:4e4531924d116d66/0000000000000000:286: type=PRF, val=PRF_HMAC_SHA2_384
ike V=root:0:4e4531924d116d66/0000000000000000:286: type=PRF, val=PRF_HMAC_SHA2_256
ike V=root:0:4e4531924d116d66/0000000000000000:286: type=DH_GROUP, val=MODP2048.
ike V=root:0:4e4531924d116d66/0000000000000000:286: proposal id = 2:
ike V=root:0:4e4531924d116d66/0000000000000000:286: protocol = IKEv2:
ike V=root:0:4e4531924d116d66/0000000000000000:286: encapsulation = IKEv2/none
ike V=root:0:4e4531924d116d66/0000000000000000:286: type=ENCR, val=AES_CBC (key_len = 256)
ike V=root:0:4e4531924d116d66/0000000000000000:286: type=INTEGR, val=AUTH_HMAC_SHA2_256_128
ike V=root:0:4e4531924d116d66/0000000000000000:286: type=PRF, val=PRF_HMAC_SHA
ike V=root:0:4e4531924d116d66/0000000000000000:286: type=PRF, val=PRF_HMAC_SHA2_512
ike V=root:0:4e4531924d116d66/0000000000000000:286: type=PRF, val=PRF_HMAC_SHA2_384
ike V=root:0:4e4531924d116d66/0000000000000000:286: type=PRF, val=PRF_HMAC_SHA2_256
ike V=root:0:4e4531924d116d66/0000000000000000:286: type=DH_GROUP, val=MODP2048.
ike V=root:0:4e4531924d116d66/0000000000000000:286: matched proposal id 1
ike V=root:0:4e4531924d116d66/0000000000000000:286: proposal id = 1:
ike V=root:0:4e4531924d116d66/0000000000000000:286: protocol = IKEv2:
ike V=root:0:4e4531924d116d66/0000000000000000:286: encapsulation = IKEv2/none
ike V=root:0:4e4531924d116d66/0000000000000000:286: type=ENCR, val=AES_CBC (key_len = 128)
ike V=root:0:4e4531924d116d66/0000000000000000:286: type=INTEGR, val=AUTH_HMAC_SHA2_256_128
ike V=root:0:4e4531924d116d66/0000000000000000:286: type=PRF, val=PRF_HMAC_SHA2_256
ike V=root:0:4e4531924d116d66/0000000000000000:286: type=DH_GROUP, val=MODP2048.
ike V=root:0:4e4531924d116d66/0000000000000000:286: lifetime=86400
ike V=root:0:4e4531924d116d66/0000000000000000:286: SA proposal chosen, matched gateway My-IPsec-VPN
ike V=root:0:My-IPsec-VPN:My-IPsec-VPN: created connection: 0x5561008c30 47 999.999.999.999->192.168.1.100:59785.
ike V=root:0:My-IPsec-VPN:286: processing notify type NAT_DETECTION_SOURCE_IP
ike V=root:0:My-IPsec-VPN:286: processing NAT-D payload
ike V=root:0:My-IPsec-VPN:286: NAT detected: PEER
ike V=root:0:My-IPsec-VPN:286: process NAT-D
ike V=root:0:My-IPsec-VPN:286: processing notify type NAT_DETECTION_DESTINATION_IP
ike V=root:0:My-IPsec-VPN:286: processing NAT-D payload
ike V=root:0:My-IPsec-VPN:286: NAT detected: ME PEER
ike V=root:0:My-IPsec-VPN:286: process NAT-D
ike V=root:0:My-IPsec-VPN:286: processing notify type SIGNATURE_HASH_ALGORITHMS
ike V=root:0:My-IPsec-VPN:286: FEC vendor ID received FEC but IP not set
ike 0:My-IPsec-VPN:286: FCT EAP 2FA extension vendor ID received
ike V=root:0:My-IPsec-VPN:286: responder preparing SA_INIT msg
ike V=root:0:My-IPsec-VPN:286: create NAT-D hash local 999.999.999.999/4500 remote 192.168.1.100/59785
ike V=root:0:My-IPsec-VPN:286: sending CERTREQ payload (len=21)
ike V=root:0:My-IPsec-VPN:286: certreq[0]: 'DE611F4514795A658F3A617E24A17292045C506A'
ike 0:My-IPsec-VPN:286: out 4E4531924D116D6636CC22DE3413CF572120222000000000000001B9220000300000002C010100040300000C0100000C800E00800300000802000005030000080300000C000000080400000E28000108000E000084E1D1ECDF56AF02AEA3C210056CB29FEDD9FFB34DE933E5AFD700EB0C8AF4F30FA2752F3BB9B4DA346A9BD46FCAFD55A07A9AF567F5FE2D…….
ike V=root:0:My-IPsec-VPN:286: sent IKE msg (SA_INIT_RESPONSE): 999.999.999.999:4500->192.168.1.100:59785, len=441, vrf=0, id=4e4531924d116d66/36cc22de3413cf57, oif=47
ike 0:My-IPsec-VPN:286: IKE SA 4e4531924d116d66/36cc22de3413cf57 SK_ei 16:687B168C0DB8F362141B198B41F88128
ike 0:My-IPsec-VPN:286: IKE SA 4e4531924d116d66/36cc22de3413cf57 SK_er 16:F629E19F00F928EC2B7973AE6DB01C42
ike 0:My-IPsec-VPN:286: IKE SA 4e4531924d116d66/36cc22de3413cf57 SK_ai 32:9E571000676274B06B6C379E9F0DA1DF26D250D395A6AC8115FBADDD107F7775
ike 0:My-IPsec-VPN:286: IKE SA 4e4531924d116d66/36cc22de3413cf57 SK_ar 32:53E8113A27AD1A2C0794B335518D1231C9E9DD961CEE7AC9BCD41554D8B092AA <-- Machine Cert Connection attempt dies right here, and throws a "CertificateSignFailed" error in FortiClient
If I use a User Cert instead the connection attempt is able to continue on from that point with -->
ike V=root:0: comes 192.168.1.100:53295->999.999.999.999:4500,ifindex=47,vrf=0,len=2532....
ike V=root:0: IKEv2 exchange=AUTH id=1853c55dacb84fb9/50e180db3dc23c56:00000001 len=2528
ike 0: in 1853C55DACB84FB950E180DB3DC23C562E20230800000001000009E0230009C48705F9A97DED98540153D251971283E8BC137805CB626A96EF657878BBD3205555CE735777DAB207C98E416223F0B8E5B16E323A7C22C8B7641D276FA7CAE0C320FBEC5DB8E881F8….. and connect successfully
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you for all of your help. This does indeed appear to be an issue with FortiClient v. 7.4.4. I installed FortiClient 7.4.3 and was able to connect with the Machine certificate with no other changes.
Unfortunately, the reason I installed 7.4.4 to begin with was to enable the use of FortiToken MFA using ldap user accounts along with requiring certificate authentication. This ability, when using IKEv2, was supposed to be an added feature of 7.4.4. It does work correctly when using a user certificate, but does not seem to currently work when using a machine certificate (which is required to enable VPN before logon).
I guess I'll just have to stick with our SSL VPN a little longer until they get these issues worked out in a future release. sigh....
- « Previous
- Next »
Labels
-
FortiGate
10,818 -
FortiClient
2,214 -
FortiManager
906 -
FortiAnalyzer
691 -
5.2
687 -
5.4
638 -
FortiSwitch
599 -
FortiClient EMS
586 -
FortiAP
569 -
IPsec
446 -
6.0
416 -
SSL-VPN
394 -
FortiMail
381 -
5.6
362 -
FortiNAC
301 -
FortiWeb
259 -
6.2
251 -
FortiAuthenticator v5.5
234 -
SD-WAN
208 -
FortiAuthenticator
187 -
FortiGuard
161 -
5.0
152 -
Firewall policy
150 -
FortiGate-VM
141 -
6.4
128 -
FortiCloud Products
121 -
FortiToken
115 -
FortiSIEM
113 -
FortiGateCloud
112 -
Wireless Controller
96 -
High Availability
94 -
Customer Service
88 -
ZTNA
80 -
FortiProxy
79 -
SAML
79 -
Routing
79 -
BGP
74 -
Fortivoice
73 -
DNS
73 -
VLAN
73 -
FortiEDR
71 -
Authentication
71 -
Certificate
71 -
FortiADC
69 -
LDAP
65 -
RADIUS
63 -
FortiLink
59 -
SSO
58 -
NAT
57 -
FortiSandbox
55 -
FortiExtender
52 -
Interface
50 -
VDOM
50 -
4.0MR3
49 -
Application control
49 -
Virtual IP
45 -
FortiDNS
43 -
Logging
43 -
SSL SSH inspection
39 -
FortiGate v5.4
38 -
FortiSwitch v6.4
38 -
FortiPAM
37 -
Web profile
36 -
FortiConnect
35 -
Automation
35 -
FortiWAN
31 -
FortiConverter
31 -
API
31 -
FortiGate v5.2
28 -
Fortigate Cloud
27 -
Traffic shaping
26 -
Static route
26 -
SNMP
25 -
SSID
25 -
FortiSwitch v6.2
23 -
FortiPortal
23 -
System settings
22 -
WAN optimization
22 -
FortiMonitor
21 -
OSPF
21 -
Security profile
19 -
Web application firewall profile
19 -
Web rating
19 -
IP address management - IPAM
19 -
FortiSOAR
18 -
FortiAP profile
17 -
FortiGate v5.0
16 -
FortiDDoS
16 -
Explicit proxy
16 -
Admin
15 -
IPS signature
15 -
Proxy policy
15 -
Intrusion prevention
15 -
FortiManager v4.0
14 -
FortiCASB
14 -
NAC policy
14 -
DNS filter
13 -
Users
13 -
FortiManager v5.0
12 -
FortiDeceptor
12 -
Traffic shaping policy
12 -
Fabric connector
12 -
Port policy
12 -
FortiBridge
11 -
FortiRecorder
11 -
Trunk
11 -
Authentication rule and scheme
11 -
FortiAnalyzer v5.0
10 -
FortiWeb v5.0
10 -
Traffic shaping profile
10 -
Fortinet Engage Partner Program
10 -
FortiGate v4.0 MR3
9 -
RMA Information and Announcements
9 -
Antivirus profile
9 -
FortiCache
8 -
FortiToken Cloud
8 -
Application signature
8 -
4.0
7 -
4.0MR2
7 -
Packet capture
7 -
VoIP profile
7 -
Vulnerability Management
7 -
FortiScan
6 -
FortiNDR
6 -
DoS policy
6 -
FortiCarrier
5 -
FortiTester
5 -
DLP profile
5 -
DLP sensor
5 -
Email filter profile
5 -
Protocol option
5 -
TACACS
5 -
Cloud Management Security
5 -
3.6
4 -
FortiDirector
4 -
Internet service database
4 -
DLP Dictionary
4 -
Netflow
4 -
Replacement messages
4 -
SDN connector
4 -
Service
4 -
Multicast routing
4 -
FortiDB
3 -
FortiHypervisor
3 -
FortiAI
3 -
Kerberos
3 -
File filter
3 -
Multicast policy
3 -
FortiEdge Cloud
3 -
FortiInsight
2 -
Video Filter
2 -
Schedule
2 -
ICAP profile
2 -
Zone
2 -
Lacework
2 -
FortiGuest
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
FortiSASE
1 -
Virtual wire pair
1 -
FortiEdge
1 -
FortiAIOps
1
Top Kudoed Authors
| User | Count |
|---|---|
| 2735 | |
| 1417 | |
| 812 | |
| 739 | |
| 455 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2025 Fortinet, Inc. All Rights Reserved.