Description
This article describes the configuration needed, and how to create the certificates with OpenSSL, to set up dial-up IPsec VPN users that authenticate with security certificates.
Scope
Download the OpenSSL software. In this case, it was installed on a Windows PC.
Generate the CA certificate (crt) in OpenSSL with the commands below:
C:\OpenSSL-Win64\bin>openssl genrsa -des3 -out ca.key 4096
C:\OpenSSL-Win64\bin>openssl req -new -x509 -days 365 -key ca.key -out ca.crt
Generate the server certificate. Create a CSR on the FortiGate, download it, and sign it with the CA through OpenSSL using the following command:
C:\OpenSSL-Win64\bin>openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out ipsecdialup.crt
Generate the client certificate with the following commands. The client certificate is signed by the same CA as the server certificate, so it must receive a different serial number (a CA must never issue two certificates with the same serial):
C:\OpenSSL-Win64\bin>openssl genrsa -des3 -out client.key 4096
C:\OpenSSL-Win64\bin>openssl req -new -key client.key -out client.csr
C:\OpenSSL-Win64\bin>openssl x509 -req -days 365 -in client.csr -CA ca.crt -CAkey ca.key -set_serial 02 -out client.crt
C:\OpenSSL-Win64\bin>openssl pkcs12 -export -in client.crt -inkey client.key -certfile ca.crt -name "test" -out client.p12
Note:
After entering the command "openssl.exe req ...", the console might show the error "No such file or directory". It can be fixed by running:
set OPENSSL_CONF=[path-to-OpenSSL-install-dir]\bin\openssl.cnf
For example:
set OPENSSL_CONF=C:\OpenSSL-Win64\bin\openssl.cnf
Solution
Import the CA certificate and the server certificate into the FortiGate:
Go to System -> Certificates -> Import -> Local Certificate and select the server certificate (ipsecdialup.crt).
Go to System -> Certificates -> Import -> CA Certificate and select the CA certificate (ca.crt).
Configure the user peer and peer group (peergrp):
config user peer
    edit test1
        set ca "" <----- Specify the name of the CA certificate already uploaded.
    end
config user peergrp
    edit user_group1
        set member test1
    end
Set up the IPsec VPN dial-up tunnel:
IKEv1:
Enable NAT traversal if it is needed. In this case, it is not required.
Verification:
Copyright 2025 Fortinet, Inc. All Rights Reserved.