- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- IPsec dialup VPN with certificate authentication
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
IPsec dialup VPN with certificate authentication
Hi All,
we are trying to establish an IPsec dialup connection between a router and a FGT 100EF with certificate authentication. Only for your information: The VPN configuration we already have is functional with PSK authentication, so the VPN IPsec config on both sides is OK. When we change the authentication from PSK to certificate, we get an issue. We generated a ca certificate and signed with it a server and a client certificate with openssl. We installed the ca and server certificate on the FGT 100EF, and on the other router we installed the ca and client certificate. When the router tries to establish a connection to the FGT 100EF we get an authentication error:
[style="background-color: #ffff99;"]ike 6:S2S_MSB099:95562: received peer identifier DER_ASN1_DN 'C = DE, ST = NRW, O = KomMITT, CN = 10.226.15.66'[/style] [style="background-color: #ffff99;"]ike 6:S2S_MSB099:95562: re-validate gw ID[/style] [style="background-color: #ffff99;"]ike 6:S2S_MSB099:95562: gw validate okay[/style] [style="background-color: #ffff99;"]ike 6:S2S_MSB099:95562: Validating X.509 certificate[/style] [style="background-color: #ffff99;"]ike 6:S2S_MSB099:95562: peer cert, subject='10.226.15.66', issuer='10.226.15.66'[/style] [style="background-color: #ffff99;"]ike 6:S2S_MSB099:95562: peer ID verified[/style] [style="background-color: #ffff99;"]ike 6:S2S_MSB099:95562: building fnbam peer candidate list[/style] [style="background-color: #ffff99;"]ike 6:S2S_MSB099:95562: FNBAM_GROUP_NAME candidate '10.226.15.66'[/style] [style="background-color: #ffff99;"]ike 6:S2S_MSB099:95562: certificate validation pending[/style] [style="background-color: #ffff99;"]ike 6:S2S_MSB099:95562: certificate validation failed[/style]
[style="background-color: #ff9900;"]config vpn ipsec phase1-interface[/style]
[style="background-color: #ff9900;"] edit "S2S_MSB099"[/style] [style="background-color: #ff9900;"] set type dynamic[/style] [style="background-color: #ff9900;"] set interface "vlink_MSB1"[/style] [style="background-color: #ff9900;"] set ip-version 4[/style] [style="background-color: #ff9900;"] set ike-version 1[/style] [style="background-color: #ff9900;"] set local-gw 0.0.0.0[/style] [style="background-color: #ff9900;"] set keylife 86400[/style] [style="background-color: #ff9900;"] set authmethod signature[/style] [style="background-color: #ff9900;"] set mode main[/style] [style="background-color: #ff9900;"] set peertype peer[/style] [style="background-color: #ff9900;"] set exchange-interface-ip disable[/style] [style="background-color: #ff9900;"] set mode-cfg disable[/style] [style="background-color: #ff9900;"] set proposal aes256-sha1[/style] [style="background-color: #ff9900;"] set add-route enable[/style] [style="background-color: #ff9900;"] set localid "CN=10.226.15.66"[/style] [style="background-color: #ff9900;"] set localid-type auto[/style] [style="background-color: #ff9900;"] set negotiate-timeout 30[/style] [style="background-color: #ff9900;"] set fragmentation enable[/style] [style="background-color: #ff9900;"] set dpd on-demand[/style] [style="background-color: #ff9900;"] set forticlient-enforcement disable[/style] [style="background-color: #ff9900;"] set comments ''[/style] [style="background-color: #ff9900;"] set npu-offload enable[/style] [style="background-color: #ff9900;"] set send-cert-chain enable[/style] [style="background-color: #ff9900;"] set dhgrp 5[/style] [style="background-color: #ff9900;"] set suite-b disable[/style] [style="background-color: #ff9900;"] set wizard-type custom[/style] [style="background-color: #ff9900;"] set xauthtype disable[/style] [style="background-color: #ff9900;"] set idle-timeout disable[/style] [style="background-color: #ff9900;"] set ha-sync-esp-seqno enable[/style] [style="background-color: #ff9900;"] set auto-discovery-sender disable[/style] [style="background-color: #ff9900;"] set auto-discovery-receiver disable[/style] [style="background-color: #ff9900;"] set auto-discovery-forwarder disable[/style] [style="background-color: #ff9900;"] set nattraversal enable[/style] [style="background-color: #ff9900;"] set rekey enable[/style] [style="background-color: #ff9900;"] set enforce-unique-id disable[/style] [style="background-color: #ff9900;"] set certificate "server"[/style] [style="background-color: #ff9900;"] set default-gw 0.0.0.0[/style] [style="background-color: #ff9900;"] set default-gw-priority 0[/style] [style="background-color: #ff9900;"] set peer "10.226.15.66"[/style] [style="background-color: #ff9900;"] set net-device disable[/style] [style="background-color: #ff9900;"] set tunnel-search selectors[/style] [style="background-color: #ff9900;"] set keepalive 10[/style] [style="background-color: #ff9900;"] set distance 15[/style] [style="background-color: #ff9900;"] set priority 0[/style] [style="background-color: #ff9900;"] set dpd-retrycount 3[/style] [style="background-color: #ff9900;"] set dpd-retryinterval 20[/style] [style="background-color: #ff9900;"] next[/style]
[style="background-color: #ff9900;"]config vpn ipsec phase2-interface[/style]
[style="background-color: #ff9900;"]edit "S2S_MSB099"[/style] [style="background-color: #ff9900;"] set phase1name "S2S_MSB099"[/style] [style="background-color: #ff9900;"] set proposal aes256-sha1[/style] [style="background-color: #ff9900;"] set pfs enable[/style] [style="background-color: #ff9900;"] set dhgrp 5[/style] [style="background-color: #ff9900;"] set replay enable[/style] [style="background-color: #ff9900;"] set add-route phase1[/style] [style="background-color: #ff9900;"] set auto-discovery-sender phase1[/style] [style="background-color: #ff9900;"] set auto-discovery-forwarder phase1[/style] [style="background-color: #ff9900;"] set keylife-type seconds[/style] [style="background-color: #ff9900;"] set single-source disable[/style] [style="background-color: #ff9900;"] set route-overlap use-new[/style] [style="background-color: #ff9900;"] set encapsulation tunnel-mode[/style] [style="background-color: #ff9900;"] set comments ''[/style] [style="background-color: #ff9900;"] set protocol 0[/style] [style="background-color: #ff9900;"] set src-addr-type subnet[/style] [style="background-color: #ff9900;"] set src-port 0[/style] [style="background-color: #ff9900;"] set dst-addr-type subnet[/style] [style="background-color: #ff9900;"] set dst-port 0[/style] [style="background-color: #ff9900;"] set dhcp-ipsec disable[/style] [style="background-color: #ff9900;"] set keylifeseconds 3600[/style] [style="background-color: #ff9900;"] set src-subnet 192.168.100.0 255.255.255.0[/style] [style="background-color: #ff9900;"] set dst-subnet 10.26.245.0 255.255.255.0[/style] [style="background-color: #ff9900;"] next[/style]
[style="background-color: #ff9900;"]end[/style]
Does somebody has an idea what's the issue? Many Thanks in Advance.
1 REPLY 1
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I had the exact same issue. The solution for me was to add the CA certificate on the spoke side. It wasn't added when generating the cert from the FortiManager.
(Please mark the post as Answered if you feel it does so..)
-- Bjørn Tore
-- Bjørn Tore
Related Posts
- Multiples SSIDs with Radius FortiAuthenticator +... 169 Views
- SSLVPN client certs and radius 184 Views
- User Getting The server you want... 243 Views
- 802.1x authentication for wifi users 234 Views
- Fortclient VPN Client Linux - IPSEC... 379 Views
Labels
-
FortiGate
6,524 -
FortiClient
1,301 -
5.2
801 -
5.4
639 -
FortiManager
563 -
6.0
416 -
FortiAnalyzer
414 -
5.6
362 -
FortiAP
333 -
FortiSwitch
332 -
FortiClient EMS
262 -
6.2
251 -
FortiMail
241 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
150 -
6.4
128 -
FortiNAC
106 -
FortiGuard
102 -
FortiSIEM
88 -
FortiGateCloud
87 -
FortiCloud Products
83 -
IPsec
73 -
FortiToken
69 -
Customer Service
69 -
4.0MR3
64 -
SSL-VPN
58 -
Wireless Controller
58 -
FortiProxy
44 -
FortiADC
42 -
Fortivoice
41 -
FortiEDR
39 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
31 -
FortiSandbox
31 -
FortiSwitch v6.4
28 -
SD-WAN
24 -
FortiConnect
23 -
FortiWAN
22 -
Firewall policy
22 -
FortiConverter
21 -
High Availability
20 -
VLAN
19 -
FortiPortal
18 -
ZTNA
16 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiMonitor
14 -
Certificate
14 -
DNS
13 -
FortiDDoS
13 -
SAML
12 -
BGP
12 -
Routing
12 -
FortiCASB
12 -
FortiAuthenticator
11 -
Interface
11 -
Logging
11 -
FortiGate v5.0
10 -
LDAP
10 -
FortiRecorder
10 -
VDOM
10 -
FortiWeb v5.0
9 -
FortiManager v5.0
9 -
Virtual IP
9 -
NAT
9 -
4.0MR2
9 -
RADIUS
8 -
Traffic shaping
8 -
SSID
7 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
SSL SSH inspection
6 -
Security profile
6 -
Authentication
6 -
Fortigate Cloud
6 -
IP address management - IPAM
6 -
Traffic shaping policy
5 -
FortiBridge
5 -
SNMP
5 -
SSO
5 -
Application control
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
WAN optimization
4 -
Web application firewall profile
4 -
DNS Filter
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Proxy policy
4 -
IPS signature
3 -
packet capture
3 -
FortiToken Cloud
3 -
FortiAP profile
3 -
Intrusion prevention
3 -
Automation
3 -
DoS policy
3 -
Port policy
3 -
FortiDB
3 -
FortiDeceptor
2 -
FortiInsight
2 -
NAC policy
2 -
VoIP profile
2 -
Antivirus profile
2 -
Web profile
2 -
Traffic shaping profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
Fortinet Engage Partner Program
2 -
trunk
2 -
SDN connector
1 -
4.0MR1
1 -
Users
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
Web rating
1 -
FortiPAM
1 -
Application signature
1 -
Multicast routing
1 -
Authentication rule and scheme
1 -
Zone
1 -
FortiManager-VM
1 -
Internet Service Database
1 -
System settings
1 -
Explicit proxy
1 -
TACACS
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.