Site-to-site IPsec VPN with certificate authentication


In this recipe, you create a route-based IPsec VPN tunnel to allow transparent communication between two networks that are located behind different FortiGates. The VPN will be created on both FortiGates using the VPN Wizard’s Site to Site – FortiGate template. However, instead of using a pre-shared key for authentication, the FortiGates will use a certificate.

In this example, one FortiGate will be referred to as HQ and the other as Branch.

1. Enabling certificate management

On both FortiGates, go to System > Feature Visibility and make sure that Certificates is enabled.  

2. Obtaining necessary certificates

This recipe requires the following files:

  • Client certificate for HQ and its matching private key
  • Client certificate for Branch and its matching private key
  • CA certificate that issued HQ’s certificate
  • CA certificate that issued Branch’s certificate

3. Installing the client certificates

The client certificate is used for authentication and represents the individual identity of each FortiGate.

On HQ, go to System > Certificates and select Import > Local Certificate.

Set Type to Certificate, choose the Certificate file and the Key file for HQ, and enter the Password for the key file, if applicable. You can also change the Certificate Name.


HQ’s client certificate now appears in the list of Certificates on HQ.


On Branch, go to System > Certificates and select Import > Local Certificate.

Set Type to Certificate, choose the Certificate file and the Key file for Branch, and enter the Password for the key file, if applicable. You can also change the Certificate Name.


Branch’s client certificate now appears in the list of Certificates on Branch.


4. Installing the CA certificates

The CA certificate is used to verify the identity presented in the remote FortiGate’s client certificate (the certificate that was imported on the remote device in step 3).

On HQ, go to System > Certificates and select Import > CA Certificate.

Set Type to File, and upload the CA certificate that issued HQ’s certificate.


Still on HQ, go to System > Certificates and select Import > CA Certificate again.

Set Type to File, and upload the CA certificate that issued Branch’s certificate.


The CA certificates now appear in HQ’s list of External CA Certificates with the automatically generated names CA_Cert_1 and CA_Cert_2. 


Repeat this step exactly the same way on Branch.
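The script below is an added example, not part of the Fortinet recipe. It is a POSIX shell script built on the openssl command line that creates a throwaway PKI mirroring the recipe (a constructed CA named CA_Cert_1 issuing FortiGate-HQ’s certificate and a second constructed CA named CA_Cert_2 issuing FortiGate-Branch’s), then runs the checks worth doing on the files from step 2 before anything is imported: that each private key matches its client certificate (step 3) and which CA actually issued which certificate (step 4). It also produces a PKCS#12 bundle, the form the PKCS #12 Certificate import type expects. The certificate subjects, curve, lifetimes and the export password are constructed for the demo, and the helper names key_matches_cert, issued_by and make_pkcs12 are this example’s own.

```shell
#!/bin/sh
# Added example, not part of the Fortinet recipe. Builds a throwaway PKI that
# mirrors the recipe (CA_Cert_1 issues FortiGate-HQ, CA_Cert_2 issues
# FortiGate-Branch) and runs the checks worth doing before importing the files:
#   1. the private key matches the client certificate (step 3 imports both),
#   2. the CA certificate really issued that client certificate (step 4),
#   3. optionally bundle certificate + key into a PKCS#12 file.
# Subjects, curve, lifetimes and the export password are constructed for the demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Self-signed demo CA. In a real deployment this is a public CA, a
# FortiAuthenticator or a Windows domain CA, as the recipe notes.
make_ca() {   # $1 = CA name
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$1.key" -out "$1.crt" -subj "/CN=$1" -days 365 >/dev/null 2>&1
}

# Issue a client certificate for one FortiGate from the given CA.
issue_client() {   # $1 = CA name, $2 = device name
    openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$2.key" -out "$2.csr" -subj "/CN=$2" >/dev/null 2>&1
    openssl x509 -req -in "$2.csr" -CA "$1.crt" -CAkey "$1.key" -CAcreateserial \
        -out "$2.crt" -days 365 >/dev/null 2>&1
}

# Check 1: does the private key belong to the certificate? The public key derived
# from the key file must equal the public key embedded in the certificate.
key_matches_cert() {   # $1 = key file, $2 = certificate file
    [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = \
      "$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null)" ]
}

# Check 2: did this CA issue the certificate? openssl verify validates the
# signature, validity period and basic constraints against only that CA.
issued_by() {   # $1 = CA certificate, $2 = client certificate
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Optional: combine certificate and key into one PKCS#12 file, the form the
# "PKCS #12 Certificate" import type expects.
make_pkcs12() {   # $1 = device name, $2 = export password
    openssl pkcs12 -export -in "$1.crt" -inkey "$1.key" -out "$1.p12" -passout "pass:$2"
}

make_ca CA_Cert_1
make_ca CA_Cert_2
issue_client CA_Cert_1 FortiGate-HQ
issue_client CA_Cert_2 FortiGate-Branch
make_pkcs12 FortiGate-HQ demo-password

key_matches_cert FortiGate-HQ.key FortiGate-HQ.crt \
    && echo "FortiGate-HQ: key matches certificate"
issued_by CA_Cert_1.crt FortiGate-HQ.crt \
    && echo "FortiGate-HQ was issued by CA_Cert_1 (Branch must pick it as Peer Certificate CA)"
issued_by CA_Cert_2.crt FortiGate-HQ.crt \
    || echo "FortiGate-HQ was NOT issued by CA_Cert_2 (picking it on Branch fails authentication)"
```

Run the same two checks against the real files before importing them. A key that does not match its certificate, or a CA that did not issue the peer’s certificate, only shows up later as a tunnel that will not come up, which is slower to diagnose from the IPsec Monitor. On the FortiGate side the counterpart of issued_by is the Peer Certificate CA choice in steps 5 and 6: HQ must select the CA that issued Branch’s certificate, not the CA that issued its own.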

5. Configuring the IPsec VPN on HQ

On HQ, go to VPN > IPsec Wizard and create a new tunnel.

In the VPN Setup step, set Template Type to Site to Site and Remote Device Type to FortiGate.


In the Authentication step, set IP Address to the public IP address of the Branch FortiGate (in the example, 172.25.177.46).

After you enter the IP address, an available interface will be assigned as the Outgoing Interface. If you want to use a different interface, select it from the drop-down menu.


Select Signature for the Authentication Method.

For the Certificate Name, we select the client certificate we imported in step 3 (in the example, FortiGate-HQ).

For the Peer Certificate CA, we select the CA certificate for Branch that we imported in step 4 (in the example, CA_Cert_2).

In the Policy & Routing step, set Local Interface to LAN. The local subnet is added automatically. Set Remote Subnets to Branch’s local subnet (in the example, 192.168.13.0/24).


A summary page shows the configuration created by the wizard, including firewall addresses, static routes, and security policies.


6. Configuring the IPsec VPN on Branch

On Branch, go to VPN > IPsec Wizard and create a new tunnel.

In the VPN Setup step, set Template Type to Site to Site and Remote Device Type to FortiGate.


In the Authentication step, set IP Address to the public IP address of the HQ FortiGate (in the example, 172.25.176.142).

After you enter the IP address, an available interface will be assigned as the Outgoing Interface. If you want to use a different interface, select it from the drop-down menu.


Select Signature for the Authentication Method.

For the Certificate Name, we select the client certificate we imported in step 3 (in the example, FortiGate-Branch).

For the Peer Certificate CA, we select the CA certificate for HQ that we imported in step 4 (in the example, CA_Cert_1).

In the Policy & Routing step, set Local Interface to LAN. The local subnet is added automatically. Set Remote Subnets to HQ’s local subnet (in the example, 192.168.37.0/24).


A summary page shows the configuration created by the wizard, including firewall addresses, static routes, and security policies.


Results

On either FortiGate, go to Monitor > IPsec Monitor to verify the status of the VPN tunnel. If the tunnel is showing down, right-click under Status and select Bring Up.


A user on either of the office networks should be able to connect to any address on the other office network transparently.

If you need to generate traffic to test the connection, ping Branch’s LAN interface from a device on HQ’s internal network.


Notes

  • A server certificate will also work in place of the client certificate.
  • The CA that issues the certificate can be a public CA, such as DigiCert, or a private CA, such as a FortiAuthenticator or your Windows Domain Controller.
  • Sometimes the certificate and key are combined into a single PKCS#12 file. If that is the case, set Type to PKCS #12 Certificate instead when importing the local certificate.
  • Take note of which CA certificate was assigned which name (CA_Cert_1 and CA_Cert_2). These names are referenced in the Peer Certificate CA setting in steps 5 and 6.

John Headley

Technical Support Engineer at Fortinet
John Headley works in Dallas as part of Fortinet's technical support team. He is proudly Fortinet NSE8 certified.