Tag Archives: VPN Connectivity

The resulting benefits of a VPN can, depending on the VPN protocol used, be supplemented by encryption that enables tap-proof and manipulation-proof communication between the VPN partners.

Credential or ssl vpn configuration is wrong

FortiClient Error: Credential or ssl vpn configuration is wrong (-7200)

When starting an SSL VPN connection with FortiClient on Windows 10, Windows Server 2016 or 2019, the error message “Credential or ssl vpn configuration is wrong (-7200)” may appear. The connection to the endpoint is dropped during initialization because of the encryption settings, which are found in the Internet Options.

Another symptom may occur: the SSL-VPN connection and authentication are established successfully, but remote devices cannot be reached, and ICMP replies are missing and result in a timeout.

How to solve ssl vpn failure

According to Fortinet support, the settings are taken from the Internet options. The Internet Options of the Control Panel can be opened via Internet Explorer (IE), or by calling inetcpl.cpl directly.

Press the Win+R keys, enter inetcpl.cpl and click OK.

Select the Advanced tab

Click the Reset… button. If the Reset Internet Explorer settings button does not appear, go to the next step.

Click the Delete personal settings option

Click Reset

Open Internet Options again.

Go back to Advanced tab

Disable use TLS 1.0 (no longer supported)

Add website to Trusted sites

Add the SSL-VPN gateway URL to the Trusted sites. Usually, the SSL VPN gateway is the FortiGate on the endpoint side.

Go to the Security tab in Internet Options, choose Trusted sites, then click the Sites button. Enter the SSL-VPN gateway URL under Add this website to the zone and click Add; https://sslvpn_gateway:10443 is used here as a placeholder.

Note: The default Fortinet certificate for SSL VPN was used here, but using a validated certificate won’t make a difference.

Furthermore, the SSL state must be reset: go to the Content tab and, under Certificates, click the Clear SSL state button.

The SSL VPN connection should now be possible with FortiClient version 6 or later, on Windows Server 2016 or later and on Windows 10.

No success yet?

If you haven’t had any success up to this point, don’t despair; there is more help available, and the following may be the case.

Credentials or SSLVPN configuration is wrong

If you use FortiClient 7 on Windows 10 or Windows 11, create a new local user on the FortiGate and add it to the SSL-VPN group.

Add the user to the SSLVPN group assigned in the SSL VPN settings.

Try to verify the credentials using web mode; for this, Web Mode must be enabled in SSL-VPN Portals.

Note that the group with the affected user is assigned under SSL-VPN Settings at Authentication/Portal Mapping.

Try to authenticate the VPN connection with this user.

It worked here with this attempt, but I haven’t yet been able to successfully carry out the authentication via LDAP server.

If your attempt was more successful and you know more, please let us know and post your comment!

Issue using FortiClient on Windows 11

FortiClient SSL-VPN connects successfully on Windows 10 but not on Windows 11. An article posted by Fortinet staff in the Fortinet community describes a potential cause for why SSL-VPN connections may fail on Windows 11 yet work correctly on Windows 10.

SSL-VPN tunnel-mode connections via FortiClient fail at 48% on Windows 11 with the message: Credential or SSLVPN configuration is wrong (-7200). Recall that tunnel-mode connections worked fine on Windows 10.

Users are unable to authenticate if they are in a User Group that is configured in an SSL-VPN Authentication/Portal Mapping (also known as authentication-rule in the CLI), but they can successfully authenticate when using the All Other Users/Groups catch-all authentication rule.

Windows 11 uses TLS 1.3 by default for outbound TLS connections, whereas Windows 10 appears to use TLS 1.2 by default.

If TLS-AES-256-GCM-SHA384 is removed from the list, Windows 11/FortiClient will still be able to establish a TLS 1.3 connection using one of the alternative TLS Cipher Suites available. This will appear as a successful TLS connection in a packet capture tool such as Wireshark.

Windows 11 may be unable to connect to the SSL-VPN if the ciphersuite setting on the FortiGate has been modified to remove TLS-AES-256-GCM-SHA384, and an SSL-VPN authentication-rule has been created for a given User Group that has the cipher setting set to high (which it is by default).

The following command in the FortiGate CLI should solve the issue:

config vpn ssl settings
  unset ciphersuite
end

or possibly with the next command:

config vpn ssl settings
  append ciphersuite TLS-AES-256-GCM-SHA384
end

Note: see Microsoft Learn on TLS Cipher Suites in Windows 11.
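To find out which authentication rules fall under the condition described above before changing anything, the SSL-VPN settings can be checked offline. The following Python sketch is an added example, not Fortinet's or the original article's code; the sample configuration, group names and function names are constructed for illustration, and a rule without an explicit cipher line is treated as high, as the article states for the default.

```python
import shlex

REQUIRED = "TLS-AES-256-GCM-SHA384"
# Constructed sample in the style of `show vpn ssl settings` (not from a real device).
SAMPLE = """\
config vpn ssl settings
    set ciphersuite TLS-AES-128-GCM-SHA256 TLS-CHACHA20-POLY1305-SHA256
    config authentication-rule
        edit 1
            set groups "SSLVPN-Users"
            set portal "full-access"
        next
        edit 2
            set groups "Contractors"
            set cipher any
        next
    end
end
"""

def parse_ssl_settings(text):
    """Return (ciphersuite list, or None when unset; {rule id: {option: values}})."""
    suites, rules, rule, in_rules = None, {}, None, False
    for line in text.splitlines():
        tok = shlex.split(line) or [""]
        if tok[:2] == ["config", "authentication-rule"]:
            in_rules = True
        elif tok[0] == "end":
            in_rules = False
        elif tok[0] == "edit" and in_rules:
            rule = rules.setdefault(tok[1], {})
        elif tok[0] == "next":
            rule = None
        elif tok[0] == "set" and len(tok) > 1:
            if rule is not None:
                rule[tok[1]] = tok[2:]      # option inside an authentication rule
            elif tok[1] == "ciphersuite":
                suites = tok[2:]            # global TLS 1.3 suite list
    return suites, rules

def affected_rules(text):
    """List (rule id, groups) that match the failure condition described above."""
    suites, rules = parse_ssl_settings(text)
    if suites is None or REQUIRED in suites:
        return []  # ciphersuite unset (defaults) or the suite is still offered
    # A rule without `set cipher` is treated as high, the default per the article.
    return [(rid, r.get("groups", [])) for rid, r in rules.items()
            if r.get("cipher", ["high"]) == ["high"]]
```

An empty result means neither of the two CLI fixes above is needed for this configuration.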

How to Install OpenVPN Client

Setting up and customizing the OpenVPN client on Windows, macOS and Linux

VPN (Virtual Private Network) is becoming more and more widely used. OpenVPN is a free application for building a virtual private network over an encrypted TLS connection. The increasingly popular OpenVPN client enables VPN connections for accessing your data from anywhere, for example when working in the home office, or with a private cloud.

This article shows the client deployment and use of OpenVPN. OpenVPN is available for free for many operating systems; in addition to Windows there are clients for macOS, iOS, Linux and Android devices.

How to do it


OpenVPN client install on Windows

The OpenVPN client can be deployed from the Windows Package Manager using winget, run from the command prompt.

C:\> winget install --id OpenVPNTechnologies.OpenVPN

OpenVPN for Windows can also be downloaded from the community website; on Windows 10, double-click OpenVPN-2.5.0-I601-amd64.msi to start the setup.

Choose Customize to go through the setup wizard; because only the client components are needed here, select just those.

Continue installing OpenVPN.

The OpenVPN installation is completed.

Start OpenVPN.

A glance at the taskbar now shows the OpenVPN icon.

OVPN configuration import at the client

The OpenVPN Access Server is available for Windows, Linux and FreeBSD, and an increasing number of devices can be used as OpenVPN servers, such as pfSense, OPNsense or OpenWrt, as well as products from commercial manufacturers like Sophos (formerly Astaro), Synology NAS and many more.

The file with the client configuration, such as openvpn.zip, which was previously exported on the VPN server or router, needs to be unpacked; the files ca.crt, README.txt and VPNConfig.ovpn are usually extracted.

The configuration file, VPNConfig.ovpn in this example, may have a different file name. Hint: if you change the file name, e.g. to office-davos.ovpn, this name appears in the context menu when connecting.

The file VPNConfig.ovpn usually has to be opened in an editor; for this I use Notepad and change YOUR_SERVER_IP to the public IP address of the VPN gateway, or of the firewall that holds the NAT mapping to the VPN termination device.


After saving VPNConfig.ovpn, the configuration is imported.
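The edit and the unpacked files can be checked before the import. The following Python sketch is an added example, not part of the original article or of OpenVPN; the sample profile is constructed, the function names are hypothetical, and it only looks at the remote and ca directives and the YOUR_SERVER_IP placeholder mentioned above.

```python
import ipaddress

PLACEHOLDER = "YOUR_SERVER_IP"

# Constructed sample profile, modelled on the files named in the article.
SAMPLE_OVPN = """\
dev tun
tls-client
remote YOUR_SERVER_IP 1194
# redirect-gateway def1
proto udp
ca ca.crt
auth-user-pass
"""

def directives(text):
    """Yield (name, args) for every active line; comment lines (# or ;) are skipped."""
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in "#;":
            name, *args = line.split()
            yield name, args

def set_gateway(text, gateway):
    """Replace the placeholder with the gateway address after validating it."""
    addr = ipaddress.ip_address(gateway)  # raises ValueError if not an IP address
    return text.replace(PLACEHOLDER, str(addr))

def check_profile(text, files_present):
    """Return the problems that would keep the imported profile from connecting."""
    problems = []
    remotes = [args for name, args in directives(text) if name == "remote"]
    if not remotes:
        problems.append("no remote directive")
    if any(PLACEHOLDER in args for args in remotes):
        problems.append("remote still contains " + PLACEHOLDER)
    for name, args in directives(text):
        # The CA file must sit next to the profile, as unpacked from the archive.
        if name == "ca" and args and args[0] not in files_present:
            problems.append("missing CA file " + args[0])
    return problems
```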

Right-clicking the icon in the system tray opens the context menu, from which you choose Import file.

Figure: Importing OpenVPN Connection

Tip! If you rename the file VPNConfig.ovpn, e.g. to Home-Office.ovpn, the corresponding name appears as the target in the Connect context menu.

Connecting from the context menu prompts for the user and password, which is the user on the VPN router or, when LDAP authentication is used, the user on the server.

Figure: OpenVPN Connection

If the connection is successful, the OpenVPN icon will appear green.


OpenVPN client setup on macOS

OpenVPN Connect v3 Client for macOS is a complete installation program for macOS. After the installation, the ovpn file can be imported for an OpenVPN connection to an access server. If the downloaded OpenVPN Connect v3 for macOS is installed on a Mac on which OpenVPN Connect v3 is already installed and configured, it will be updated to the new version with all settings retained.

Figure: OVPN file import on macOS Catalina.

Deploy OpenVPN client on Linux

With a standard installation, OpenVPN is usually already installed together with the network management tools; in this case you can go directly to Import OVPN configuration file below. The easiest way to deploy the OpenVPN client using the package management system is to run the following commands as root on a Red Hat based Linux distribution such as Fedora or CentOS:

[sam@fedora ~]$ sudo su -
[sudo] password for sam
[root@fedora ~]# dnf install openvpn

Install OpenVPN on Debian and Ubuntu based distributions as follows:

[sam@debian ~]$ sudo su -
[sudo] password for sam
[root@debian ~]# apt-get install openvpn

Run the OpenVPN client with the downloaded configuration file, using the --config argument to pass the configuration file:

openvpn --config VPNConfig.ovpn

The connection can also be established via a GUI client. To install the OpenVPN GUI from the shell:

sudo apt-get install network-manager-openvpn-gnome

Import OVPN configuration file

Now you can call the Connection Manager by clicking on the network icon – VPN Connections – Configuring VPN.

Illustration: OpenVPN GUI Ubuntu

Click Add – Import Saved VPN Configuration – Create a new VPN connection. The next step is to import the previously downloaded VPNConfig.ovpn file. The connection can now be started from the taskbar.

For Linux Mint with the Cinnamon desktop, click on the network icon in the taskbar and go to network settings.

Click + to create a new network connection.


Import saved VPN configuration from the VPNConfig.ovpn file. After entering the user and password, the saved connection can be started in the taskbar.

Import the OVPN file via the Network Manager of Linux Mint and Cinnamon Desktop.
