We are configuring a site-to-site IPsec VPN with a remote peer (Cisco device, managed by Madrid Digital). The VPN negotiation fails during IKE exchange with the following error:
ike V=root:0:VPN-MadridDigit:3600: cert type not supported 7
We understand from RFC 2408, page 34 that type 7 refers to a Certificate Revocation List (CRL). The remote peer sends a CRL object as part of the certificate payload, which appears to trigger the failure on our FortiGate.
Our FortiGate environment:
Model: FortiGate-VM64-KVM
Firmware: v7.4.8 build2795 (GA.M)
Serial number: FGVMMLTM25010920
Mode: NAT
HA: Standalone
License valid until: 2026-06-23
Steps already taken (without success):
The local certificate and remote CA (CA_Cert_1) are correctly imported and marked as valid.
We confirmed that CA_Cert_1 does not contain:
crl-url
crl-check
auto-update
We attempted to disable CRL checking with:
config vpn certificate setting
set check-revocation disable
But the command fails with:
command parse error before 'check-revocation'
Return code -61
Similarly, we tried:
config vpn certificate ca
edit CA_Cert_1
set crl-check disable
But the command is not supported either.
Request:
Since other FortiGate models and FortiOS versions (according to community documentation and KBs) gracefully ignore unsupported certificate types like 7 (CRL), we would like to request:
Confirmation whether FortiGate-VM64 on FortiOS v7.4.8 should ignore CRL certificate type (7) during IKE negotiation by default.
If this behavior is unexpected, is there a hotfix, patch, or workaround to suppress the failure?
Is it possible to enable check-revocation through hidden configuration or under a specific context?
Any recommendations to prevent FortiGate from failing when receiving certificate type 7 in the IKE payload, even if we do not use or validate CRLs.
Available for support (on request):
Wireshark capture of the IKE exchange showing the CRL (type 7) received
Full IPsec Phase 1 and Phase 2 configuration
Debug logs with diagnose debug application ike -1
Let me know if you need the capture file or a remote session to replicate.
Thank you in advance.
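To check exactly which certificate encodings the peer is sending before opening a ticket, it helps to decode the IKE Certificate payload chain yourself rather than rely on the single "cert type not supported 7" line. The following script is an added example, not part of the original post or of any Fortinet tooling: it walks a chain of ISAKMP/IKE payloads (4-byte generic header: next payload, reserved, length), picks out the Certificate payloads (type 6 in IKEv1 per RFC 2408, type 37 in IKEv2 per RFC 7296), and reports the Cert Encoding byte of each using the RFC 2408 section 3.9 value table, where 7 is a CRL. The sample bytes are constructed for the example; the function names and the "accepted encodings" list are this example's own choices.

```python
import struct

# Certificate Encoding values from RFC 2408 section 3.9 (values 1-10);
# IKEv2 (RFC 7296 section 3.6) keeps the same numbers and adds 11-13.
CERT_ENCODINGS = {
    1: "PKCS #7 wrapped X.509 certificate",
    2: "PGP certificate",
    3: "DNS signed key",
    4: "X.509 certificate - signature",
    5: "X.509 certificate - key exchange",
    6: "Kerberos token",
    7: "Certificate Revocation List (CRL)",
    8: "Authority Revocation List (ARL)",
    9: "SPKI certificate",
    10: "X.509 certificate - attribute",
    11: "Raw RSA key",
    12: "Hash and URL of X.509 certificate",
    13: "Hash and URL of X.509 bundle",
}

# Payload type numbers of the Certificate payload in each IKE version.
CERT_PAYLOAD_IKEV1 = 6    # ISAKMP, RFC 2408 section 3.1
CERT_PAYLOAD_IKEV2 = 37   # IKEv2, RFC 7296 section 3.2


def parse_payloads(data, first_payload_type):
    """Walk a chain of IKE payloads. `first_payload_type` is the Next Payload
    byte of the ISAKMP header (or of the enclosing Encrypted payload).
    Returns a list of (payload_type, body_bytes) without the 4-byte headers."""
    payloads = []
    ptype = first_payload_type
    offset = 0
    while ptype != 0:                      # 0 = NONE terminates the chain
        if offset + 4 > len(data):
            raise ValueError("truncated payload header at offset %d" % offset)
        next_type, _reserved, length = struct.unpack("!BBH", data[offset:offset + 4])
        if length < 4 or offset + length > len(data):
            raise ValueError("bad payload length %d at offset %d" % (length, offset))
        payloads.append((ptype, data[offset + 4:offset + length]))
        offset += length
        ptype = next_type
    if offset != len(data):
        raise ValueError("%d trailing bytes after last payload" % (len(data) - offset))
    return payloads


def cert_encodings(payloads, ikev2=False):
    """List (encoding, name, cert_data_length) for every Certificate payload."""
    cert_type = CERT_PAYLOAD_IKEV2 if ikev2 else CERT_PAYLOAD_IKEV1
    found = []
    for ptype, body in payloads:
        if ptype != cert_type:
            continue
        if not body:
            raise ValueError("empty Certificate payload")
        enc = body[0]                      # first body byte is Cert Encoding
        found.append((enc, CERT_ENCODINGS.get(enc, "unknown"), len(body) - 1))
    return found


def unexpected_encodings(payloads, accepted=(4,), ikev2=False):
    """Certificate payloads whose encoding is not in `accepted` (example
    default: only plain X.509 signature certificates, value 4)."""
    return [e for e in cert_encodings(payloads, ikev2) if e[0] not in accepted]


# Constructed sample: a CERT payload carrying encoding 4 (X.509 signature
# cert, 5 dummy bytes) followed by a CERT payload carrying encoding 7 (CRL,
# 3 dummy bytes). The certificate bodies are placeholders, not real DER.
SAMPLE_CHAIN = bytes([
    0x06, 0x00, 0x00, 0x0A, 0x04, 0x30, 0x03, 0x02, 0x01, 0x01,   # next=CERT, len=10
    0x00, 0x00, 0x00, 0x08, 0x07, 0x30, 0x01, 0x00,               # next=NONE, len=8
])

if __name__ == "__main__":
    chain = parse_payloads(SAMPLE_CHAIN, CERT_PAYLOAD_IKEV1)
    for enc, name, size in cert_encodings(chain):
        print("CERT payload: encoding %d (%s), %d bytes of data" % (enc, name, size))
    for enc, name, _ in unexpected_encodings(chain):
        print("peer sent an encoding we do not consume: %d (%s)" % (enc, name))
```

To apply this to a real exchange, take the payload bytes that follow the 28-byte ISAKMP header and pass the header's Next Payload byte as `first_payload_type`. Keep in mind that in IKEv1 Main Mode the Certificate payload travels in the encrypted messages 5 and 6, and in IKEv2 inside the Encrypted payload, so the bytes usually have to come from decrypted debug output rather than straight from the wire; Aggressive Mode is the case where they appear in clear.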