The send-cert-chain attribute set to enable by default in the vpn ipsec phase1 configuration does not cause the CA certificate chain (unnecessary Root CA certificate plus Issuing SubCA certificate) to be included anymore in the IKE_AUTH response by the FortiGate 100F VPN gateway after upgrading to FortiOS v7.4.3. Before the upgrade everything was working fine. Is this an unintended regression introduced by the firmware upgrade?
We upgraded from FortiOS 7.4.1 so the send-cert-chain bug could already have been introduced with version 7.4.2.
No reaction at all from Fortinet on the apparent send-cert-chain bug?
Hi,
- Have you tried to take ike debug for the IPSEC negotiation along with the debug for fnbamd process as well?
- I have not heard of a reported issue regarding this. Collecting the debugs will help us if we can see any issues with the negosiation.
Regards,
Shiva
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1737 | |
1108 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.