Article Id 262047
Description This article describes how to configure an IPSec VPN tunnel using a certificate issued by FortiAuthenticator, acting as an external CA, with certificate revocation checking enabled via OCSP.
Scope IPSec tunnels require certificate-based authentication with revocation checking.

To use certificates for IPSec authentication, a FortiGate device requires the following:

  1. Its own device certificate, issued by FortiAuthenticator.

Certificates can be requested manually by generating a CSR on the FortiGate, which is then signed by the FortiAuthenticator; however, using SCEP automates this process.


Certificate enrollment using SCEP can be done directly on a FortiGate device:

Technical Tip: FortiGate Certificate enrollment using SCEP.


Alternatively, certificate enrollment using SCEP can be managed via FortiManager:
Technical Tip: Certificate Template with SCEP enrollment, using FortiAuthenticator as external CA.


     2. The FortiAuthenticator CA certificate.
In FortiAuthenticator, navigate to Certificate Management -> Certificate Authorities -> Local CAs, select the appropriate Certificate ID, and select 'Export Certificate'.


The exported certificate can then be imported to the FortiGate device as a CA certificate (System -> Certificates -> Create/Import).

The certificate can also be imported in bulk when managing devices via FortiManager, using a script run against the Device Database, for example:


config vpn certificate ca
    edit "MY_CA_CERT"
        set ca "-----BEGIN CERTIFICATE-----
<PEM-encoded certificate body exported in step 2>
-----END CERTIFICATE-----"
    next
end


     3. A VPN tunnel configured to use its own certificate to authenticate itself and the CA certificate to authenticate its peer(s).

Example Configuration:

config user peer
    edit "MY_CA_PEER"
        set ca "MY_CA_CERT"        <- CA cert imported in step 2.
    next
end


config vpn ipsec phase1-interface
    edit "vpn1"
        set interface "port1"
        set authmethod signature
        set net-device disable
        set proposal aes256-sha256
        set remote-gw <peer-gateway-address>       <- Remote peer address.
        set certificate "MY_DEVICE_CERT"          <- Device cert installed in step 1.
        set peer "MY_CA_PEER"                     <- Peer definition above.
    next
end


config vpn ipsec phase2-interface
    edit "vpn1"
        set phase1name "vpn1"
        set proposal aes256-sha256
    next
end


Note: Appropriate firewall policies and routing must be configured in addition to the above.


     4. Certificate revocation checking, configured so that peers presenting revoked certificates are not authenticated.

This example uses OCSP, which sends an on-demand request to the OCSP responder (FortiAuthenticator) to confirm a peer certificate's validity.


config vpn certificate ocsp-server
    edit "MY_OCSP_SRV"
        set url "http://<FortiAuthenticator-IP>:2560"     <- FortiAuthenticator IP address (its OCSP responder listens on TCP 2560 by default).
        set cert "MY_CA_CERT"                             <- CA cert imported in step 2.
    next
end


config vpn certificate setting
    set ocsp-status enable
    set ocsp-default-server "MY_OCSP_SRV"
end



Any attempt to connect to a peer with a revoked certificate should then fail, with an 'IPsec phase 1 error' entered in the VPN event log and reason = 'invalid certificate'.


Running a debug should also confirm this:

diagnose debug application fnbamd -1

diagnose debug enable


Example output, showing the certificate status:

fnbamd_verify_ocsp_response-Cert status: REVOKED, reason=4(superseded)
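The following script is an added example and is not part of the Fortinet article or FortiOS itself. It reproduces, end to end, what step 4 relies on: a throw-away openssl CA stands in for the FortiAuthenticator local CA and its OCSP responder, a locally issued "device" certificate stands in for the FortiGate's own certificate, and the client side builds the same kind of OCSP request a VPN peer sends and evaluates the signed response. The responder runs offline (openssl ocsp -reqin/-respout), so nothing listens on a port. The certificate is then revoked with reason "superseded", the same CRL reason code 4 seen in the fnbamd debug line above, and queried again. All file names, the CA subject and the config are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the Fortinet article): lab CA + offline OCSP responder
# built with openssl, used to show what a peer sees before and after revocation.
set -e

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal openssl ca(1) configuration. index.txt is the issued-certificate
# database the OCSP responder answers from (the CA's own records).
cat > ca.cnf <<'EOF'
[ ca ]
default_ca = lab_ca
[ lab_ca ]
dir = .
database = $dir/index.txt
new_certs_dir = $dir/newcerts
certificate = $dir/ca.crt
private_key = $dir/ca.key
serial = $dir/serial
default_md = sha256
default_days = 365
policy = lab_policy
x509_extensions = v3_device
[ lab_policy ]
commonName = supplied
[ v3_device ]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,digitalSignature,keyCertSign,cRLSign
EOF
mkdir newcerts
: > index.txt
echo 1000 > serial

# Lab CA (stand-in for the FortiAuthenticator local CA).
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
    -subj "/CN=Lab-CA" -days 365 -config ca.cnf >/dev/null 2>&1
# Device certificate (stand-in for the FortiGate's SCEP-enrolled certificate).
openssl req -new -newkey rsa:2048 -nodes -keyout dev.key -out dev.csr \
    -subj "/CN=fgt-device" -config ca.cnf >/dev/null 2>&1
openssl ca -batch -config ca.cnf -in dev.csr -out dev.crt -notext >/dev/null 2>&1

# ocsp_status CERT: ask the lab responder about CERT and print the status a
# VPN peer would act on: "good", "unknown", or "revoked <reason>".
ocsp_status() {
    # Client side: build the OCSP request (issuer name/key hash + serial).
    openssl ocsp -issuer ca.crt -cert "$1" -no_nonce -reqout req.der \
        >/dev/null 2>&1 || true
    # Responder side: answer from index.txt, signing the response with the CA key.
    openssl ocsp -index index.txt -CA ca.crt -rsigner ca.crt -rkey ca.key \
        -CAfile ca.crt -reqin req.der -respout resp.der >/dev/null 2>&1 || true
    # Client side again: verify the response signature against the trusted CA
    # and extract the certificate status plus the revocation reason, if any.
    openssl ocsp -issuer ca.crt -cert "$1" -no_nonce -respin resp.der \
        -CAfile ca.crt 2>/dev/null |
        awk -v c="$1:" '$1 == c {s = $2} $1 == "Reason:" {r = $2}
                        END {print (r == "" ? s : s " " r)}'
}

BEFORE_REVOKE="$(ocsp_status dev.crt)"

# Revoke the device certificate with reason "superseded" (CRL reason code 4).
openssl ca -config ca.cnf -revoke dev.crt -crl_reason superseded >/dev/null 2>&1

AFTER_REVOKE="$(ocsp_status dev.crt)"

echo "before revocation: $BEFORE_REVOKE"
echo "after revocation:  $AFTER_REVOKE"
```

To point the same client-side check at a real deployment from an admin workstation, replace the offline -reqin/-respin pair with a single query such as openssl ocsp -issuer <FortiAuthenticator CA cert> -cert <device cert> -url http://<FortiAuthenticator-IP>:2560 -CAfile <FortiAuthenticator CA cert> (2560 is FortiAuthenticator's default OCSP port); a "revoked" answer there is what makes the FortiGate log the 'invalid certificate' phase 1 error.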


Related Articles:

Cookbook: FortiAuthenticator as a certificate authority.

Technical Note: How to generate a CSR from FortiGate.

Technical Note: How to sign a CSR on FortiAuthenticator.