Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
jiisla
New Contributor

IPsec VPN Fails with "cert type not supported 7" Upon Receiving CRL – FortiGate-VM64 v7.4.8

We are configuring a site-to-site IPsec VPN with a remote peer (Cisco device, managed by Madrid Digital). The VPN negotiation fails during IKE exchange with the following error:

ike V=root:0:VPN-MadridDigit:3600: cert type not supported 7

We understand from RFC 2408, page 34 that type 7 refers to a Certificate Revocation List (CRL). The remote peer sends a CRL object as part of the certificate payload, which appears to trigger the failure on our FortiGate.

Our FortiGate environment:

Model: FortiGate-VM64-KVM

Firmware: v7.4.8 build2795 (GA.M)

Serial number: FGVMMLTM25010920

Mode: NAT

HA: Standalone

License valid until: 2026-06-23

Steps already taken (without success):

The local certificate and remote CA (CA_Cert_1) are correctly imported and marked as valid.

We confirmed that CA_Cert_1 does not contain:

crl-url

crl-check

auto-update

We attempted to disable CRL checking with:

config vpn certificate setting
set check-revocation disable

But the command fails with:

command parse error before 'check-revocation'
Return code -61

Similarly, we tried:

config vpn certificate ca
edit CA_Cert_1
set crl-check disable

But the command is not supported either.

Request:

Since other FortiGate models and FortiOS versions (according to community documentation and KBs) gracefully ignore unsupported certificate types like 7 (CRL), we would like to request:

Confirmation whether FortiGate-VM64 on FortiOS v7.4.8 should ignore CRL certificate type (7) during IKE negotiation by default.

If this behavior is unexpected, is there a hotfix, patch, or workaround to suppress the failure?

Is it possible to enable check-revocation through hidden configuration or under a specific context?

Any recommendations to prevent FortiGate from failing when receiving certificate type 7 in the IKE payload, even if we do not use or validate CRLs.

Available for support (on request):

Wireshark capture of the IKE exchange showing the CRL (type 7) received

Full IPsec Phase 1 and Phase 2 configuration

Debug logs with diagnose debug application ike -1

Let me know if you need the capture file or a remote session to replicate.

Thank you in advance.
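As an added diagnostic example (not from the post, and not Fortinet code), the parser below walks the payload chain of one decoded, unencrypted IKE message, such as the bytes exported from the Wireshark capture mentioned above, and reports the certificate-encoding byte of every CERT payload so that the presence of encoding 7 (CRL, per RFC 2408) can be confirmed independently of the FortiGate debug output. The sample message is constructed and its certificate bodies are placeholders, not real DER objects.

```python
import struct

# Certificate-encoding values shared by IKEv1 (RFC 2408 section 3.9) and IKEv2
# (RFC 7296 section 3.6); 7 is the CRL the FortiGate debug line rejects.
CERT_ENCODINGS = {
    1: "PKCS #7 wrapped X.509 certificate", 2: "PGP certificate",
    3: "DNS signed key", 4: "X.509 certificate - signature",
    5: "X.509 certificate - key exchange", 6: "Kerberos tokens",
    7: "Certificate Revocation List (CRL)", 8: "Authority Revocation List (ARL)",
    9: "SPKI certificate", 10: "X.509 certificate - attribute",
}
CERT_PAYLOAD = {1: 6, 2: 37}  # CERT payload type number, keyed by IKE major version

def walk_payloads(first_type, body):
    """Yield (payload_type, payload_body) over a chain of generic payload headers:
    next-payload (1 byte), reserved/critical (1), length incl. header (2)."""
    ptype, offset = first_type, 0
    while ptype != 0:  # 0 = no next payload
        if offset + 4 > len(body):
            raise ValueError("truncated payload header at offset %d" % offset)
        next_type, _flags, length = struct.unpack_from("!BBH", body, offset)
        if length < 4 or offset + length > len(body):
            raise ValueError("bad payload length %d at offset %d" % (length, offset))
        yield ptype, body[offset + 4:offset + length]
        ptype, offset = next_type, offset + length

def cert_encodings_in_message(msg):
    """Return [(encoding, name)] for every CERT payload in one unencrypted IKE message."""
    if len(msg) < 28:
        raise ValueError("short IKE header")
    next_payload, major = msg[16], msg[17] >> 4  # header bytes 16-17 (RFC 2408 s3.1)
    total_len = struct.unpack_from("!I", msg, 24)[0]
    cert_type = CERT_PAYLOAD.get(major, 6)
    return [(p[0], CERT_ENCODINGS.get(p[0], "unknown"))
            for t, p in walk_payloads(next_payload, msg[28:total_len])
            if t == cert_type and p]

def build_cert_payload(next_type, encoding, data):
    return struct.pack("!BBH", next_type, 0, 5 + len(data)) + bytes([encoding]) + data

def build_sample_message():
    """Constructed IKEv1 (main mode) message: an X.509 signature certificate (4)
    followed by a CRL (7). The DER bodies are placeholders, not real objects."""
    body = (build_cert_payload(6, 4, b"\x30\x82\x00\x00") +
            build_cert_payload(0, 7, b"\x30\x82\x00\x00"))
    header = struct.pack("!8s8sBBBBII", b"\x11" * 8, b"\x22" * 8,
                         6, 0x10, 2, 0, 0, 28 + len(body))
    return header + body
```

Feed `cert_encodings_in_message` the raw bytes of the peer's decrypted IKE message and any entry with encoding 7 is the CRL object the debug line refers to; running it on the constructed sample returns encodings 4 and 7.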

0 REPLIES