Cybersecurity Forum

miblo69
New Contributor

SCEP for IPSec Site-to-Site VPN with FGT, FortiAuth as CA

Hi,

I am looking for someone with experience from setting this up. I have Googled tons of documentation on how to configure this, but have no conclusive answers. Using FAC 4.0 and FOS 5.2.latest.

Basically I have two issues: 1) I'm not 100% sure how SCEP is intended to work. 2) Configuration of the FAC seems non-trivial.

For my first test I just wanted to generate a CA Cert on the FAC, import the Cert in the FGT, and *manually* create an IPSec tunnel on the FGT. But the imported Cert is not available in the drop-down box in the P1 configuration. What did I do wrong?

Secondly, I attempted to enable SCEP on the tunnel, generate an enrollment from the FGT to the FAC - and see the request as 'Pending' in the FAC. Authorize it in the FAC - and then nothing happens? The Cert is never deployed to the FGT. What have I missed?

Any pointers or tips are greatly appreciated!

~Mike

Robby_FTNT
Staff

Mike,

Regarding the manual setup:
Do you expect the CA cert to show up in the P1 config?
This is not correct. You should see the device cert in the drop-down box.

Basic steps are (when using FAC):
1. Sync the time on both FGTs so they can verify the validity of the certificates
2. On the FAC, create a "user" certificate for each FGT
3. Export the "user" certificates as PKCS#12
4. Export the FAC CA cert (the one used when signing the user certificates)
5. Import the "user" certificate on the relevant FGT as a "local" cert (type PKCS#12)
6. Import the CA cert on both FGTs

Under "system -> certificates -> external CA certificates" you should see the CA certificate on each FGT

Under "system -> certificates -> certificates" you should see the "user" certificate (a different one on each FGT).
This is also the cert that should be used in your P1 config.

Regards
Robby
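
As an added example (not from this thread or from Fortinet's documentation), the following openssl script rehearses steps 2 to 6 above locally: it builds a stand-in CA, issues one "user" certificate, exports it as PKCS#12 and then checks that the certificate inside the bundle chains to the CA certificate before either file is imported on a FortiGate. All names, subjects, the work directory and the password are constructed placeholders, and openssl is assumed to be installed.

```shell
#!/bin/sh
# Added example, not from the thread: rehearse steps 2-6 with openssl so the
# "user" (device) certificate and CA certificate can be checked before they are
# imported on the FortiGate. Every name, subject and password here is constructed.
set -eu

WORK="${WORK:-$(mktemp -d)}"
P12_PASS="example-export-pass"   # constructed PKCS#12 export password

# Step 2/4 stand-in for the FAC: a self-signed CA key pair, written as $1.key/$1.crt.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# Step 2: one "user" certificate per FGT ($1), signed by the CA named in $2.
make_device_cert() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.crt" -CAkey "$WORK/$2.key" \
        -CAcreateserial -days 90 -out "$WORK/$1.crt" >/dev/null 2>&1
}

# Step 3/5: bundle key and certificate as PKCS#12, the format the FGT imports
# under System -> Certificates as a "local" certificate.
export_p12() {
    openssl pkcs12 -export -inkey "$WORK/$1.key" -in "$WORK/$1.crt" -name "$1" \
        -passout "pass:$P12_PASS" -out "$WORK/$1.p12" 2>/dev/null
}

# Pre-import check for step 6: the certificate inside bundle $1 must chain to the
# CA certificate $2 that will be imported as the external CA, and must be inside
# its validity window (which is why step 1, time sync, matters).
# Returns 0 when the chain verifies, non-zero otherwise.
verify_p12_against_ca() {
    openssl pkcs12 -in "$WORK/$1.p12" -passin "pass:$P12_PASS" -nokeys -clcerts \
        -out "$WORK/$1.leaf.crt" 2>/dev/null
    openssl verify -CAfile "$WORK/$2.crt" "$WORK/$1.leaf.crt" >/dev/null 2>&1
}

# Subject of the certificate the P1 drop-down would list: the device cert, not the CA.
p12_subject() {
    openssl x509 -in "$WORK/$1.leaf.crt" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

# Stand-alone run with constructed names: one CA and one device cert for FGT "fgt-a".
make_ca fac-ca
make_device_cert fgt-a fac-ca
export_p12 fgt-a
verify_p12_against_ca fgt-a fac-ca && echo "fgt-a.p12 chains to fac-ca.crt: OK"
```

A bundle that verifies against a different CA file fails the same check, which is the situation produced by importing the wrong CA certificate in step 6.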

miblo69

Brilliant,

Many thanks for explaining! I will test this and get back with results as soon as I have them. Once I get the manual way to work, I'll have a look into SCEP and see if I can get it to work as well.

Regards,

~Mike

miblo69

So, I finally got the chance to get this to work - both manually and via SCEP.

However, a question arose during the PoC with the prospect:

Is it possible to manually trigger a renewal request via the Fortigate CLI? I searched the CLI, Admin Guides, Google and what not, but to no avail.

The problem is that if the tunnel is down, the auto-renewal will fail. But remote access to the device is still possible. So either a manual CSR/signing/import would work, but it would be much nicer if it were possible to execute a renewal via CLI.

Thanks

jmandziara

Be sure to enable "Certificates" under "Feature Select --> Certificates".
