Part 1 went over basic certificates needed for this setup as well as the VPN configuration required on the Fortigate to get this to work.
For Windows, you need to make sure the ROOT CA and client certificate are installed on the device.
The ROOT CA needs to be installed in the “Trusted Root Authorities” folder and the client certificate needs to be installed in the “Personal” certificates folder.
These need to be installed in the “Local Machine” certificates, not the user certificates:

Next, go to your “VPN Settings” and “Add a VPN”. Settings should look something like this:

Click Save.
Then press Win + R and run ncpa.cpl.

This will bring up all network adapters on Windows. Find the one associated with the VPN configuration you just created, right-click it and select “Properties”.

Go to the Security tab and choose “Use Local Machine certificates”.

Click “OK” to save.
Attempt to connect to the VPN.
The built-in Windows 10/11 VPN client is frequently broken, depending on which Windows build you are running. If it doesn’t work, run these two commands in PowerShell started as an administrator:
REG ADD HKLM\SYSTEM\CurrentControlSet\Services\PolicyAgent /v AssumeUDPEncapsulationContextOnSendRule /t REG_DWORD /d 0x2 /f
REG ADD HKLM\SYSTEM\CurrentControlSet\Services\RasMan\Parameters /v ProhibitIpSec /t REG_DWORD /d 0x0 /f
Restart your computer and try to connect again. You should be connected!
If you are still having issues and believe they are due to a certificate authentication failure, you can use this command so the host does not verify the subject alternative names (it turns off the name and EKU check on the VPN server’s certificate, so use it for troubleshooting rather than as a permanent setting):
reg add HKLM\SYSTEM\CurrentControlSet\Services\RasMan\Parameters /v DisableIKENameEkuCheck /t REG_DWORD /d 1 /f
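The whole procedure above as a single PowerShell script (an added example, not part of the original post or of any Fortinet tooling): it verifies the certificate prerequisites in the Local Machine stores, creates the IKEv2 connection with machine-certificate authentication, applies the two registry fixes, and warns if the server-certificate name/EKU check was left disabled. The Root CA subject match, the VPN server address and the connection name are placeholders you must change.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell.
# Assumptions: the Root CA subject contains "FortiGate-Root-CA" and the VPN
# server is "vpn.example.com"; both are placeholders to replace.
#Requires -RunAsAdministrator
$RootCaSubjectMatch = '*FortiGate-Root-CA*'   # placeholder: match your Root CA subject
$VpnServer          = 'vpn.example.com'       # placeholder: your FortiGate VPN address
$VpnName            = 'FortiGate IKEv2'       # placeholder: connection name

# 1. Root CA must be in the Local Machine "Trusted Root Certification Authorities" store.
$rootCa = Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object Subject -like $RootCaSubjectMatch | Select-Object -First 1
if (-not $rootCa) { throw "Root CA not found in Cert:\LocalMachine\Root (the user store does not count)." }

# 2. Client certificate must be in the Local Machine "Personal" store, have a private key,
#    be issued directly by that Root CA, be unexpired, and carry the Client Authentication EKU.
$clientCert = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and
    $_.Issuer -eq $rootCa.Subject -and
    ($_.EnhancedKeyUsageList.FriendlyName -contains 'Client Authentication') -and
    $_.NotAfter -gt (Get-Date)
} | Select-Object -First 1
if (-not $clientCert) { throw "No usable client certificate found in Cert:\LocalMachine\My." }
Write-Host "Using client certificate: $($clientCert.Subject) (expires $($clientCert.NotAfter))"

# 3. Create the VPN as an all-user connection. -AuthenticationMethod MachineCertificate is
#    the cmdlet equivalent of choosing machine certificates on the adapter's Security tab.
if (-not (Get-VpnConnection -Name $VpnName -AllUserConnection -ErrorAction SilentlyContinue)) {
    Add-VpnConnection -Name $VpnName -ServerAddress $VpnServer -TunnelType IKEv2 `
        -AuthenticationMethod MachineCertificate -AllUserConnection -EncryptionLevel Required
}

# 4. The two registry values from the post: allow IKE/IPsec NAT-T when the client (or both
#    ends) sits behind NAT, and make sure RasMan is not prohibited from using IPsec.
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent' `
    -Name AssumeUDPEncapsulationContextOnSendRule -Value 2 -Type DWord
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\RasMan\Parameters' `
    -Name ProhibitIpSec -Value 0 -Type DWord

# 5. Warn if the server certificate name/EKU check was left disabled by earlier troubleshooting.
$ras = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\RasMan\Parameters'
if ($ras.DisableIKENameEkuCheck -eq 1) {
    Write-Warning 'DisableIKENameEkuCheck=1: the VPN server certificate name/EKU is not being verified.'
}
Write-Host "Done. Reboot if the registry values were newly set, then connect with: rasdial `"$VpnName`""
```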