The setup is similar to my earlier IKEv2 blogs, but we will use a use group and authenticate the user from the local FortiOS database.
I'm using the macosx and android strongswan clients in this blog.
You can monitor the client logs for statistics and for any errors. The logs are very detail and will show the device challenge and assignments.
On the fortigate a IPSEC-SA will be presented upon a successful establishments.
Once the client has connect in the WebGUI ipsec monitor you will not find any end-user details which is horrible. Also notice each vpn-tunnel session is prepended with the <vpntunnel_name>_<+Number>. You will need to use the diag vpn ike gateway command to id the actual user.
Here's the fortigate configurations
in the android client do NOT select send request to CA, this will generate a lot of wasted IKEv2 messages
The vpn client only needs the server name and identity, here's a a typical Android setup.
Do you not leave the "CA certificate Select Automatically " enable. Uncheck and defined the root CA-cert that signed the server certificate.
If all goes well you should have a connected vpn status, if not download the loads and start reviewing
NSE ( network security expert) and Route/Switching Engineer
kfelix -----a----t---- socpuppets ---dot---com
=( @ @ )=