Trying to set up an IKEv2 client-certificate-based IPsec connection from
a FortiClient 7.4.4 to a FortiGate VPN Gateway results in the following
error in the FortiGate log when evaluating the received IKE_AUTH
request: ike V=root:0:IPSec-Client:176: c...
The send-cert-chain attribute set to enable by default in the vpn ipsec
phase1 configuration does not cause the CA certificate chain
(unnecessary Root CA certificate plus Issuing SubCA certificate) to be
included anymore in the IKE_AUTH response by t...
Irrespective whether the FortiGate server certificate is directly issued
by a Root CA or by an Intermediate CA, the Root CA is always sent to the
IPsec VPN client in the CERT payload of the IKE_AUTH response. This
doesn't make any sense since no peer...
I'm enabling IKEv2 digital signatures with rsa-pss on a FortiGate VPN
Gateway: config vpn ipsec phase1-interface edit "xyz" ... set
digital-signature-auth enable set signature-hash-alg sha1 sha2-256
sha2-384 set rsa-signature-format pss next end When t...
An essential element of the IKEv2 Digital Signature authentication as
defined by RFC 4724 is the SIGNATURE_HASH_ALGORITHMS notification
exchanged between the IPsec peers that defines which signature hash
algorithms can be used. On the FortiGate side ...
I analyzed the failed 3072 bit RSA signature in the previous post by
decrypting it with the client certificate's public
key: 3498BF31CDB5D249FCEBDAF2FF2312987EE2030D4B8E4EE9452AF51BC629990690FFD4D998E0DD6B531C5EE780263B2670C363D3996F84E2C71CEDE137428C2...
Today I installed the latest FortiClient Release v7.4.5 but
unfortunately the IKEv2 Digital Signature bug persists as the following
IKE_AUTH request parsing of the AUTH payload for an ecdsa-with-sha256
Digital Signature shows: 2F Next Payload: 47 - CP0...
The reason that you don't have to specify a destination subnet with the
Fortinet Windows client is that Fortinet by default uses interface- or
route-based IPsec tunnels whereas strongSwan uses policy-based ones.