mmontes
Staff
July 5, 2017

Technical Tip: Dial-up IPsec VPN users with security certificates (authentication method)


Description


This article describes the configuration required, and how to create the certificates with OpenSSL, to set up dial-up IPsec VPN users with security certificates as the authentication method.

 

Scope

 

Download OpenSSL. In this case, it was installed on a Windows PC.
Generate the CA private key and the CA certificate (.crt) in OpenSSL with the commands below:

 

C:\OpenSSL-Win64\bin>openssl genrsa -des3 -out ca.key 4096
C:\OpenSSL-Win64\bin>openssl req -new -x509 -days 365 -key ca.key -out ca.crt

 

Generate the server certificate. Create a CSR on the FortiGate (server.csr), download it, and sign it with the CA in OpenSSL using the following command:

 

C:\OpenSSL-Win64\bin>openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out ipsecdialup.crt

 

Generate a client certificate with the following commands. Note that the client certificate is signed with serial 02: every certificate issued by the same CA must carry a unique serial number, and reusing 01 from the server certificate would produce two certificates with the same issuer and serial, which violates X.509 and can cause the certificate to be rejected.

 

C:\OpenSSL-Win64\bin>openssl genrsa -des3 -out client.key 4096
C:\OpenSSL-Win64\bin>openssl req -new -key client.key -out client.csr
C:\OpenSSL-Win64\bin>openssl x509 -req -days 365 -in client.csr -CA ca.crt -CAkey ca.key -set_serial 02 -out client.crt
C:\OpenSSL-Win64\bin>openssl pkcs12 -export -in client.crt -inkey client.key -certfile ca.crt -name "test" -out client.p12

 

Note:

After entering the command 'openssl.exe req ...', the console may show the error 'No such file or directory' because OpenSSL cannot find its configuration file. It can be fixed by setting the OPENSSL_CONF environment variable with the following command:

 

set OPENSSL_CONF=[path-to-OpenSSL-install-dir]\bin\openssl.cnf 

 

For example:

 

[Screenshot: Screenshot.png]
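The same CA, server and client certificate workflow as an added, scriptable example (not from the original article), written for a POSIX shell with OpenSSL on PATH. It assumes the server CSR is generated locally instead of on the FortiGate, uses constructed placeholder passphrases, and checks that both leaf certificates verify against the CA, carry distinct serial numbers, and that the .p12 bundle opens correctly.

```shell
#!/bin/sh
# Added example (not from the original article): builds the article's CA / server /
# client chain with OpenSSL in a scratch directory, with distinct serial numbers,
# then verifies that both leaf certificates chain to the CA.
# Assumptions: openssl is on PATH; the FortiGate-generated server.csr is replaced
# by a locally generated CSR; the passphrases are constructed placeholders.
set -eu

WORK="${WORK:-$(mktemp -d)}"
CA_PASS="pass:ca-passphrase-placeholder"          # constructed placeholder
CLIENT_PASS="pass:client-passphrase-placeholder"  # constructed placeholder

build_pki() {
  cd "$WORK"
  # CA key (encrypted, as in the article) and self-signed CA certificate
  openssl genrsa -aes256 -passout "$CA_PASS" -out ca.key 4096 2>/dev/null
  openssl req -new -x509 -days 365 -key ca.key -passin "$CA_PASS" \
    -subj "/CN=Dialup-Test-CA" -out ca.crt
  # Server CSR (on a FortiGate this is generated on the box and downloaded)
  openssl req -new -newkey rsa:2048 -nodes -keyout server.key \
    -subj "/CN=ipsecdialup.example" -out server.csr 2>/dev/null
  openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key \
    -passin "$CA_PASS" -set_serial 01 -out ipsecdialup.crt 2>/dev/null
  # Client key, CSR and certificate; serial 02, never reuse a serial under one CA
  openssl genrsa -aes256 -passout "$CLIENT_PASS" -out client.key 4096 2>/dev/null
  openssl req -new -key client.key -passin "$CLIENT_PASS" \
    -subj "/CN=test-user" -out client.csr
  openssl x509 -req -days 365 -in client.csr -CA ca.crt -CAkey ca.key \
    -passin "$CA_PASS" -set_serial 02 -out client.crt 2>/dev/null
  # PKCS#12 bundle (cert + key + CA) for import on the Windows client
  openssl pkcs12 -export -in client.crt -inkey client.key -passin "$CLIENT_PASS" \
    -certfile ca.crt -name "test" -passout "$CLIENT_PASS" -out client.p12
}

# Returns 0 only if both leaf certs verify against ca.crt, their serials differ,
# and the .p12 opens with its passphrase and contains the client certificate.
verify_pki() {
  cd "$WORK"
  openssl verify -CAfile ca.crt ipsecdialup.crt client.crt >/dev/null || return 1
  s1=$(openssl x509 -in ipsecdialup.crt -noout -serial)
  s2=$(openssl x509 -in client.crt -noout -serial)
  [ "$s1" != "$s2" ] || return 1
  openssl pkcs12 -in client.p12 -passin "$CLIENT_PASS" -nokeys 2>/dev/null \
    | openssl x509 -noout -subject | grep -q "test-user"
}
```

Run `build_pki` and then `verify_pki`; the resulting ca.crt, ipsecdialup.crt and client.p12 in the scratch directory correspond to the files the article imports on the FortiGate and the client.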


Solution


Import the CA certificate and Server Certificate to the FortiGate:
Go to System -> Certificates -> Import -> Local Certificate and select the server certificate.
Go to System -> Certificates -> Import -> CA Certificate and select the CA certificate.

Configure the user peer and peer group (peergrp):

 

config user peer
    edit test1
        set ca ""                 <----- Specify the name of the CA certificate imported above.
end

config user peergrp
    edit user_group1
        set member test1
end

Note that a peer defined only by its CA accepts any certificate issued by that CA; to restrict which client certificates match, also set the expected subject or common name on the peer (set subject / set cn).

 

Set up IPsec VPN dial-up:

 

IKEv1:
Enable NAT traversal if needed; in this case, it is not required.

 

[Screenshot: IPSEC VPN 1.PNG]
 
Specify the server certificate and the peer group as follows:
 
[Screenshot: IPSEC VPN 2.PNG]
 
Finally, specify the user group for XAUTH:
 
[Screenshot: IPSEC VPN 3.PNG]
 
IKEv2:
 
[Screenshot: 1.png]
 
[Screenshot: 2.png]
 
For the firewall policy, no user group is needed, as authentication is handled by the certificate itself:
 
[Screenshot: Screenshot 2025-12-04 112224.png]
 
 
Import the CA certificate and the client certificate (.p12 format, which includes the private key) on the user's side. After that, verify the import in MMC -> Certificates (Current User):
  • The CA certificate should appear under Trusted Root Certification Authorities -> Certificates.
  • The user certificate should appear under Personal -> Certificates.

 

[Screenshot: Screenshot3.png]

 

Finally, select the authentication method in FortiClient to use the X.509 certificate that was previously imported.
For example:
 
[Screenshot: 3.png]

 

As a result, the client connects successfully:
 
[Screenshot: Screenshot4.png]

 

Verification:

Once everything described above is done, attempt a connection from FortiClient to the FortiGate and run the following debug commands on the FortiGate to see the full IPsec negotiation:
 
diagnose debug disable
diagnose debug reset
diagnose debug console time en
diagnose debug app ike -1
diagnose vpn ike log filter rem-add4 <WAN_IP_of_client>
diagnose debug enable
 
After the connection test, disable the debug with the commands below:
 
diagnose debug reset
diagnose debug disable