FortiClient
FortiClient proactively defends against advanced attacks. Its tight integration with the Security Fabric enables policy-based automation to contain threats and control outbreaks. FortiClient is compatible with Fabric-Ready partners to further strengthen enterprises’ security posture.
jintrah_FTNT (Staff)
Article Id 197820

Description

 
This article explains the steps to configure the IPsec dial-up VPN with certificate based authentication.
 
Scope
 
FortiClient.


Solution

 

Requirements:
  • CA certificate.
  • Server certificate.
  • Client certificate.
The following example uses openssl commands to generate the required certificates.

  1. Generate CA Certificate ca.crt:

openssl genrsa -des3 -out ca.key 4096
openssl req -new -x509 -days 365 -key ca.key -out ca.crt
 
  2. Generate Server Certificate server.crt:

openssl genrsa -des3 -out server.key 4096
openssl req -new -key server.key -out server.csr
openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt
 
  3. Generate Client Certificate client.crt and convert it to .p12 format so it can be exported together with its private key:

openssl genrsa -des3 -out client.key 4096
openssl req -new -key client.key -out client.csr
# Each certificate issued by the same CA needs a distinct serial number, so the client gets 02.
openssl x509 -req -days 365 -in client.csr -CA ca.crt -CAkey ca.key -set_serial 02 -out client.crt
openssl pkcs12 -export -in client.crt -inkey client.key -certfile ca.crt -name "test" -out client.p12
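The three certificate steps above, as an added example that is not part of the original article: a non-interactive POSIX shell script that builds the same ca/server/client set with openssl and then runs the checks worth doing before importing anything into FortiGate or FortiClient (chain verification against ca.crt, distinct serial numbers, and that the .p12 carries both the client certificate and the CA). The subject names, passphrases, the 2048-bit key size and the output directory are constructed for this example; the article itself uses 4096-bit keys.

```shell
#!/bin/sh
# Added example (not from the original article): non-interactive version of the
# three-certificate build, plus the verification checks to run before importing
# anything into FortiGate or FortiClient.
# Assumptions (constructed for this example): subject names, passphrases,
# 2048-bit keys for speed (the article uses 4096) and the output directory.
set -eu

CA_PASS="ca-pass-example"       # constructed; keep real passphrases out of scripts
SRV_PASS="server-pass-example"  # constructed
CLI_PASS="client-pass-example"  # constructed
P12_PASS="p12-export-example"   # constructed; FortiClient asks for this on import
DAYS=365
BITS=2048

# Build ca.key/ca.crt, server.key/server.crt, client.key/client.crt/client.p12 in $1.
build_pki() {
    dir="$1"
    mkdir -p "$dir"
    (
    cd "$dir"
    # 1. CA: self-signed; openssl's default config marks it basicConstraints CA:TRUE.
    openssl genrsa -aes256 -passout "pass:$CA_PASS" -out ca.key "$BITS" 2>/dev/null
    openssl req -new -x509 -days "$DAYS" -key ca.key -passin "pass:$CA_PASS" \
        -subj "/CN=Example VPN CA" -out ca.crt
    # 2. Server certificate, serial 01 (what FortiGate presents in IKE).
    openssl genrsa -aes256 -passout "pass:$SRV_PASS" -out server.key "$BITS" 2>/dev/null
    openssl req -new -key server.key -passin "pass:$SRV_PASS" \
        -subj "/CN=vpn.example.invalid" -out server.csr
    openssl x509 -req -days "$DAYS" -in server.csr -CA ca.crt -CAkey ca.key \
        -passin "pass:$CA_PASS" -set_serial 01 -out server.crt 2>/dev/null
    # 3. Client certificate, serial 02 (each certificate from one CA needs its own
    #    serial), then bundled with its key and the CA into a .p12 for FortiClient.
    openssl genrsa -aes256 -passout "pass:$CLI_PASS" -out client.key "$BITS" 2>/dev/null
    openssl req -new -key client.key -passin "pass:$CLI_PASS" \
        -subj "/CN=user1" -out client.csr
    openssl x509 -req -days "$DAYS" -in client.csr -CA ca.crt -CAkey ca.key \
        -passin "pass:$CA_PASS" -set_serial 02 -out client.crt 2>/dev/null
    openssl pkcs12 -export -in client.crt -inkey client.key -passin "pass:$CLI_PASS" \
        -certfile ca.crt -name "user1" -passout "pass:$P12_PASS" -out client.p12
    )
}

# Return 0 if certificate $2 in directory $1 chains to ca.crt; this mirrors the
# check FortiGate makes against the CA named in "set ca" when the peer authenticates.
verify_chain() {
    openssl verify -CAfile "$1/ca.crt" "$1/$2" >/dev/null 2>&1
}

# Print the serial of certificate $2 in directory $1 (e.g. "01") so duplicates show up.
cert_serial() {
    openssl x509 -in "$1/$2" -noout -serial | sed 's/^serial=//'
}

# Return 0 if client.p12 holds exactly two certificates: the client cert and the CA.
p12_has_chain() {
    n=$(openssl pkcs12 -in "$1/client.p12" -passin "pass:$P12_PASS" -nokeys 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE')
    [ "$n" -eq 2 ]
}

OUT=$(mktemp -d)
build_pki "$OUT"
verify_chain "$OUT" server.crt && echo "server.crt chains to ca.crt"
verify_chain "$OUT" client.crt && echo "client.crt chains to ca.crt"
echo "serials: server=$(cert_serial "$OUT" server.crt) client=$(cert_serial "$OUT" client.crt)"
p12_has_chain "$OUT" && echo "client.p12 carries the client certificate and the CA"
echo "files written to $OUT"
```

Run it with sh and it prints the directory holding the six files; ca.crt and server.crt (with server.key) are what step 4 imports on FortiGate, and client.p12 is what FortiClient loads under Certificate management. If the openssl verify line fails for server.crt or client.crt, the FortiGate peer configured with that CA will reject the tunnel for the same reason, so fix the chain before importing.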
 
  4. FortiGate and FortiClient configuration:

  a. Import the CA and server certificates on FortiGate.

(Screenshot 1: importing the CA certificate on FortiGate)

(Screenshot 2: importing the server certificate on FortiGate)

  b. Configure the user peer and the peer user group.

config user peer
    edit user1
        set ca CA_Cert_2
    end

config user peergrp
    edit user_group1
        set member user1
    end
 
  c. FortiGate IPsec configuration.

(Screenshot 3: FortiGate IPsec tunnel settings)

  d. FortiClient configuration.

The CA certificate is imported on the client and placed in the Trusted Root Certification Authorities store (the Windows certificate store, reachable through Internet Explorer's certificate manager).

In the IPsec VPN connection settings, set the Authentication Method to certificate-based authentication.

(Screenshot 4: FortiClient IPsec VPN authentication method)

Load the client certificate (.p12) under File -> Settings -> Certificate management.

(Screenshot 5: FortiClient File -> Settings -> Certificate management)

(Screenshot 6: client certificate loaded in FortiClient)

 

Related articles:

Technical Tip: PKI peer user/usergroup creation for certificate authentication