Technical Tip - Troubleshooting An IPsec Signature-... - Fortinet Community
dwickramasinghe1 Staff
Article Id 389226
Technical Tip: Troubleshooting an IPsec signature-based tunnel not coming
up with a 'The peer's certificate is not verified' FortiClient error
Description This article describes how to handle the 'The peer's certificate is not verified' error on
FortiClient with IPsec signature-based authentication.
Scope FortiGate, FortiClient, IPsec, Windows.
1 de 4 29/04/2025, 13:41
Technical Tip: Troubleshooting an IPsec signature-... - Fortinet Community https://community.fortinet.com/t5/tkb/articleprintpage/tkb-id/TKB20/artic...
Solution FortiClient can form a dial-up IPsec connection with FortiGate using signature-based
authentication (certificates).
In some cases, the FortiGate IKE debugs give minimal information as to why an IPsec
tunnel is not coming up. For these scenarios, it is beneficial to verify the
FortiClient logs and check whether the FortiGate IPsec server certificate is trusted by the
endpoint.
This article assumes that the initial IPsec configuration has been completed on both the
FortiGate and FortiClient.
See Dialup IPsec VPN with certificate authentication | FortiGate / FortiOS 7.6.2 | Fortinet
Document Lib....
To verify if FortiClient is encountering issues with trusting the IPsec server certificate,
check the IKE logs in the following location in Windows:
C:\Program Files\Fortinet\FortiClient\logs\trace\FortiIKE_x.log
Changing the FortiClient log level to debug is required for this step: see Technical Tip:
How to enable debug log in FortiClient.
After opening the FortiIKE_x.log file, check whether the following error shows up:
Error:
the peer's certificate is not verified
This error indicates that the FortiGate IPsec server certificate is not trusted by the
endpoint's certificate authority store.
To resolve this issue, either upload the CA certificate that issued the FortiGate IPsec
server certificate onto the affected endpoint, or use a certificate from a trusted vendor in
the FortiGate IPsec settings:
FortiGate GUI -> VPN -> VPN Tunnels -> *Select the desired tunnel* -> *Change the
Signature certificate to a trusted one*.
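The two checks above (searching FortiIKE_x.log for the error, then confirming whether the FortiGate server certificate chains to a CA the endpoint trusts) can be run together from PowerShell on the affected Windows endpoint. The script below is an added example, not part of the Fortinet article or of FortiClient. The log directory is the one named above; the `-ServerCertPath` parameter is a hypothetical DER or PEM export of the FortiGate IPsec server certificate that you supply yourself.

```powershell
# Added example (not Fortinet's code): locate the FortiClient IKE trust error and
# test the FortiGate server certificate against the Windows certificate stores.
param(
    # Default path taken from the article; FortiIKE_x.log rotates, so match all of them.
    [string]$LogDir = 'C:\Program Files\Fortinet\FortiClient\logs\trace',
    # Hypothetical export (DER or PEM) of the FortiGate IPsec server certificate.
    [string]$ServerCertPath
)

$pattern = "the peer's certificate is not verified"

# 1. Search every FortiIKE_*.log for the error (FortiClient log level must be debug).
$hits = Get-ChildItem -Path $LogDir -Filter 'FortiIKE_*.log' -ErrorAction Stop |
    Select-String -SimpleMatch -Pattern $pattern

if (-not $hits) {
    Write-Host "No '$pattern' entries in $LogDir (is the FortiClient log level set to debug?)"
} else {
    Write-Host "Found $(@($hits).Count) matching line(s); most recent:"
    $hits | Select-Object -Last 3 | ForEach-Object {
        "  $($_.Filename):$($_.LineNumber) $($_.Line.Trim())"
    }
}

# 2. Reproduce the endpoint's trust decision: build a chain for the server certificate
#    using the local Root/CA stores, the same stores FortiClient relies on.
if ($ServerCertPath) {
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $ServerCertPath
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Revocation is not the question here; only whether the chain ends in a trusted root.
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $ok = $chain.Build($cert)

    Write-Host "Server certificate : $($cert.Subject)"
    Write-Host "  Issuer           : $($cert.Issuer)"
    Write-Host "  Valid until      : $($cert.NotAfter)"
    Write-Host "  Chains to trusted root: $ok"

    if (-not $ok) {
        # UntrustedRoot or PartialChain here corresponds to the FortiClient error above.
        $chain.ChainStatus | ForEach-Object {
            "  Status: $($_.Status) - $($_.StatusInformation.Trim())"
        }
        # Is the issuing CA already present in any Root or intermediate CA store?
        $issuerInStore = Get-ChildItem Cert:\LocalMachine\Root, Cert:\LocalMachine\CA,
                                       Cert:\CurrentUser\Root, Cert:\CurrentUser\CA |
            Where-Object { $_.Subject -eq $cert.Issuer }
        if ($issuerInStore) {
            "  Issuer is installed; check intermediate CAs, expiry and that the correct CA was imported"
        } else {
            "  Issuer not found in the Root or CA stores: import the CA certificate on this endpoint"
        }
    }
}
```

Run it as `.\Check-FortiIKECert.ps1 -ServerCertPath .\fortigate-vpn.cer` from an elevated prompt (the trace directory under Program Files is not readable by every user). A `False` chain result with `UntrustedRoot` or `PartialChain` confirms the article's diagnosis before you import the CA certificate or switch the tunnel to a certificate from a trusted vendor.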
Related articles:
Technical Tip: Using IPsec VPN certificates and peer IDs for remote users
Dialup IPsec VPN with certificate authentication | FortiGate / FortiOS 7.6.2 | Fortinet
Document Lib...
Technical Tip: How to enable debug log in FortiClient