Description
This article describes all needed configuration and how to create the certificates using openSSL to setup dial-up IPsec VPN users with security certificates like an authentication method.
Scope
Download the openSSL software. In this case, it was downloaded in a Windows PC.
Generate in the openSSL the CA certificate (crt) with the commands below:
C:\OpenSSL-Win64\bin>openssl genrsa -des3 -out ca.key 4096
C:\OpenSSL-Win64\bin>openssl req -new -x509 -days 365 -key ca.key -out ca.crt
Generate Server Certificate. Create a CSR in the FortiGate and download it to be signed through the openSSL software using following command:
C:\OpenSSL-Win64\bin>openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out ipsecdialup.crt
Generate client certificate through the following list of commands:
C:\OpenSSL-Win64\bin>openssl genrsa -des3 -out client.key 4096
C:\OpenSSL-Win64\bin>openssl req -new -key client.key -out client.csr
C:\OpenSSL-Win64\bin>openssl x509 -req -days 365 -in client.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out client.crt
C:\OpenSSL-Win64\bin>openssl pkcs12 -export -in client.crt -inkeyclient.key -certfile ca.crt -name "test" -out client.p12
Note:
After entered command "openssl.exe req ...", it might show error "No such file or directory" in the console, we can fix it by input command:
set OPENSSL_CONF=[path-to-OpenSSL-install-dir]\bin\openssl.cnf
For example:
Solution
Import the CA certificate and Server Certificate to the FortiGate:
Go to System -> Certificates -> Import -> Local Certificate and select server certificate.
Go to System -> Certificates -> Import -> CA Certificate and select CA certificate.
Configure user peer and peergrp:
config user peer
edit test1
set ca "" <----- specify the CA certificate already uploaded.
end
config user peergrp
edit user_group1
set member test1
end
Set up IPSEC VPN diaulp:
IKEv1:
Check, if needed, to enable NAT traversal. In this case, it is not required.
Specify the server certificate and peergrp as follows:
At last, specify the user group for XAUTH:
IKEv2:
Import the CA certificate and client certificate (.p12 format including private key) to the user side. After that, verify the import in MMC > Certificate (current user):
- The CA certificate should be presented on Trusted Root Certification Authorities -> Certificates.
- The user certificate should be presented on Personal -> Certificate.
At last, select the authentication method in the FortiClient to X.509 certificate to use the client certificate already previously uploaded.
For example:
As a result, it could connect successfully:
Verification:
Once all described above is finished, attempt connection from FortiClient to FortiGate and open the following debug flow into FortiGate to see all IPsec negotiation:
diagnose debug disable
diagnose debug reset
diagnose debug console time en#diag debug app ike -1
diagnose vpn ike log filter rem-add4 <WAN_IP_of_client>
diagnose debug enable
After connection, test the debug to be disabled with the commands below:
diagnose debug reset
diagnose debug disable
