Irrespective of whether the FortiGate server certificate is directly issued by a Root CA or by an Intermediate CA, the Root CA is always sent to the IPsec VPN client in the CERT payload of the IKE_AUTH response. This doesn't make any sense, since no peer is going to trust a self-signed certificate received via an untrusted channel. Omitting the unnecessary Root CA certificate would help to reduce the number of IKEv2 fragments needed to transmit the huge IKE_AUTH response.
Hi strongX509,
For better or worse(?), this is a consistent pattern in TLS as done by FortiGates.
You will see the same behaviour with admin GUI, SSL-VPN, captive portals, HTTPS-type server-load-balancing VIPs, ...
It doesn't technically break anything, which is, I assume, the reason why this has never been addressed.
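The point raised in the thread, shown as a constructed example (added here; not code from the original posts or from Fortinet): a throwaway Root CA, Intermediate CA and server leaf are generated with openssl, and a small filter drops any self-signed certificate from the bundle a responder would send in the CERT payload (or in a TLS Certificate message), since the peer can only ever trust that root from its own store. `openssl verify` then confirms the trimmed chain still validates when the verifier holds the root locally. The subjects, file names and the `WORK` scratch directory are assumptions for the demonstration.

```sh
#!/bin/sh
# Added example, not code from the thread or from Fortinet.
# Builds a constructed Root CA -> Intermediate CA -> server leaf chain with
# throwaway keys, then strips the self-signed root from the chain that a
# responder (standing in for the IKE_AUTH / TLS server side) would send.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # assumption: scratch directory for keys and certs

# make_chain: generate the three constructed certificates under $WORK.
make_chain() {
    # CA extensions shared by root and intermediate so 'openssl verify' accepts them as issuers.
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$WORK/ca.ext"

    # Self-signed root (subject == issuer): the trust anchor the peer must already hold.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Root CA" \
        -keyout "$WORK/root.key" -out "$WORK/root.csr" >/dev/null 2>&1
    openssl x509 -req -days 30 -in "$WORK/root.csr" -signkey "$WORK/root.key" \
        -extfile "$WORK/ca.ext" -out "$WORK/root.pem" >/dev/null 2>&1

    # Intermediate CA, signed by the root.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Intermediate CA" \
        -keyout "$WORK/inter.key" -out "$WORK/inter.csr" >/dev/null 2>&1
    openssl x509 -req -days 30 -in "$WORK/inter.csr" \
        -CA "$WORK/root.pem" -CAkey "$WORK/root.key" -CAcreateserial \
        -extfile "$WORK/ca.ext" -out "$WORK/inter.pem" >/dev/null 2>&1

    # Server leaf (the VPN gateway's certificate), signed by the intermediate.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=vpn.example.test" \
        -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1
    openssl x509 -req -days 30 -in "$WORK/leaf.csr" \
        -CA "$WORK/inter.pem" -CAkey "$WORK/inter.key" -CAcreateserial \
        -out "$WORK/leaf.pem" >/dev/null 2>&1

    # The behaviour described in the thread: leaf, intermediate AND the self-signed root.
    cat "$WORK/leaf.pem" "$WORK/inter.pem" "$WORK/root.pem" > "$WORK/full_chain.pem"
}

# count_certs FILE: number of PEM certificates in a bundle.
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# strip_self_signed BUNDLE: print every certificate whose issuer differs from
# its subject, i.e. drop self-signed roots, preserving the original order.
strip_self_signed() {
    split="$(mktemp -d)"
    awk -v dir="$split" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/%02d.pem", dir, n) }
        f != "" { print > f }' "$1"
    for cert in "$split"/*.pem; do
        subj="$(openssl x509 -in "$cert" -noout -subject)"
        iss="$(openssl x509 -in "$cert" -noout -issuer)"
        # Compare the two Names after removing the "subject=" / "issuer=" labels.
        if [ "${subj#subject=}" != "${iss#issuer=}" ]; then
            cat "$cert"
        fi
    done
    rm -rf "$split"
}

make_chain
strip_self_signed "$WORK/full_chain.pem" > "$WORK/sent_chain.pem"
echo "full chain: $(count_certs "$WORK/full_chain.pem") certs," \
     "trimmed chain: $(count_certs "$WORK/sent_chain.pem") certs"
# The trimmed chain still validates when the verifier holds the root in its own store.
openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/sent_chain.pem" "$WORK/leaf.pem"
```

The filter keeps the end-entity certificate first, as the receiver expects, and only removes certificates that are self-signed; a cross-signed or non-root intermediate is left in place because the peer may genuinely need it to build the path.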