Technical Tip: Configuring certificate based IPSec tunnels with certificates issued by FortiAuthenticator

scollins · ‎06-30-2023

Description

This article describes how to configure an IPSec VPN tunnel, using a certificate issued by FortiAuthenticator acting as an External CA with Certificate Revocation checking enabled (via OCSP)

Scope

IPSec tunnels require certificate-based authentication with revocation checking.

Solution

In order to use certificates for IPSec authentication a FortiGate device requires the following:

Its own device certificate was issued from FortiAuthenticator.

Certificates can be manually requested by generating a CSR from the FortiGate which is then signed by the FortiAuthenticator, however using SCEP automates this process.

Certificate enrollment using SCEP can be done directly on a Fortigate device:

Technical Tip: FortiGate Certificate enrollment using SCEP.

Or Certificate enrollment using SCEP can be managed via FortiManager:
Technical Tip: Certificate Template with SCEP enrollment, using FortiAuthenticator as external CA.

2. The FortiAuthenticator CA certificate.
In FortiAuthenticator navigate to Certificate Management -> Certificate Authorities -> Local CA's, select the appropriate Certificate ID, and select 'Export Certificate'.

The exported certificate can then be imported to the FortiGate device as a CA certificate (System -> Certificates -> Create/Import).

The certificate can also be imported in bulk if managing devices via FortiManager, using a script run against the Device Database, example below:

config vpn certificate ca
edit "MY_CA_CERT"
set ca "-----BEGIN CERTIFICATE-----

MIIEFzCCAv+gAwIBAgIIXHL2M/nzy+cwDQYJKoZIhvcNAQELBQAwYDELMAkGA1UE

h00DnkhFZuHp2SwKIEH8FbQ77d2iWEJM8qxpFEP31BB+MsfrgkCHCkcbA==

-----END CERTIFICATE-----"
next
end

3. VPN Tunnel configured to use its own certificate to authenticate itself and the CA certificate to authenticate its peer(s).

Example Configuration:

config user peer
edit "MY_CA_PEER"
set ca "MY_CA_CERT" <- CA cert imported in step 2.
next
end

config vpn ipsec phase1-interface
edit "vpn1"
set interface "port1"
set authmethod signature
set net-device disable
set proposal aes256-sha256
set remote-gw 192.168.0.1
set certificate "MY_DEVICE_CERT" <- Device cert installed in step 1.
set peer "MY_CA_PEER"
next
end

config vpn ipsec phase2-interface
edit "vpn1"
set phase1name "vpn1"
set proposal aes256-sha256
next
end

Note: Appropriate firewall policies and routing must be configured in addition to the above.

4. Certificate revocation checking configured to ensure peers with revoked certificates are not authenticated.

This example uses OCSP, which sends on-demand requests to the OCSP server (FortiAuthenticator) to confirm a certificate's validity.

config vpn certificate ocsp-server
edit "MY_OCSP_SRV"
set url "http://192.168.0.254:2560" <- FortiAuthenticator IP address.
set cert "MY_CA_CERT" <- CA cert imported in step 2.
next
end

config vpn certificate setting
set ocsp-status enable
set ocsp-default-server "MY_OCSP_SRV"
end

Notes:

Any attempt to connect to a peer that has a revoked certificate should fail, with an 'IPsec phase 1 error' entered into the VPN event log, with reason = 'invalid certificate'.

Running a debug should also confirm this:

diagnose debug application fnbamd -1

diagnose debug enable

Example output, showing the certificate status:

fnbamd_verify_ocsp_response-Cert status: REVOKED, reason=4(superseded)

Related Articles:

Cookbook: FortiAuthenticator as a certificate authority.

Technical Note: How to generate a CSR from FortiGate.

Technical Note: How to sign a CSR on FortiAuthenticator.