
SSLVPN Certificate Authentication - PKI Users



I have an issue with the certificate with SSLVPN. I went through the documentation and forum posts but still it is not working. The error is: Unable to establish the VPN connection. The VPN server may be unreachable or your identity certificate is not trusted (-5).


It is a firewall 80D with OSv5.0.11 in the lab environment.

Without the SSL Client Certificate Restrictive settings on the firewall policy the client is able to connect.

The problem is probably with the PKI user configuration. Can someone take a look at where the problem might be and guide me on how to fix it?


The certificate is valid. The CA certificate, the server certificate issued by the CA and the CRL are imported. The CA certificate and client certificate are installed on the client side.


1) I have a PKI user configured "jsmith" from the CLI:

    config user peer
        edit "jsmith"
            set ca "CA_Cert_1"
            set subject ""
        next
    end

(peer user configured as in the Authentication Handbook)


2) This user is added to the Local User Group and this group is assigned to the SSLVPN policy with SSLVPN portal.

---the client is not able to connect.


3) I added the peer user into the peer group (as per the Authentication Handbook it is needed only for IPSec)

    config user peergrp
        edit "peergroup"
            set member "jsmith"
        next
    end

--- the client is still not able to connect.


What did I do wrong?


