FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
ssteo
Staff
Article Id 412577
Description This article describes how to use a specific source IP for certificate communication.
Scope FortiGate.
Solution

In some scenarios, certificate validation traffic crosses an IPsec tunnel and the remote side only allows certain source IPs to pass through.

If no source IP is specified, the FortiGate uses the IPsec interface IP as the source of the outgoing traffic.

In this case, it is possible to specify the source IP with the configuration below:

config vpn certificate setting
    set source-ip x.x.x.x
end

It is possible to run a packet sniffer to verify the communication.

Below is a sample capture taken before the source IP was specified. Here the FortiGate uses the IPsec tunnel IP 10.10.10.1 to communicate with the certificate server 192.168.10.20.

FortiGate-Spoke # diagnose sniffer packet any "host 192.168.10.20 and port 80" 4 0
Using Original Sniffing Mode
interfaces=[any]
filters=[host 192.168.10.20 and port 80]
14.839389 ipsec1 out 10.10.10.1.23244 -> 192.168.10.20.80: syn 1555689492
17.996293 ipsec1 out 10.10.10.1.23244 -> 192.168.10.20.80: syn 1555689492


Below is a sample capture taken after the source IP was specified. Here the FortiGate uses the loopback IP 10.20.10.254 to communicate with the certificate server.


FortiGate-Spoke # diagnose sniffer packet any "host 192.168.10.20 and port 80" 4 0
Using Original Sniffing Mode
interfaces=[any]
filters=[host 192.168.10.20 and port 80]
205.291447 ipsec1 out 10.20.10.254.23258 -> 192.168.10.20.80: syn 2173764965
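The sniffer check above is easy to eyeball for two packets, but on a busy tunnel it helps to parse the capture and confirm that every outbound packet to the certificate server carries the expected source IP. The following is an added example (not part of the Fortinet article and not a FortiOS feature): it parses verbose-level-4 lines of the form shown above and reports any outbound packet whose source differs from the configured source-ip. The two captures are the article's own sample output embedded as strings; the function and variable names are my own.

```python
"""Verify 'diagnose sniffer packet ... 4 0' output against an expected source IP.

Added example, not from the Fortinet article. The capture strings below are
the article's sample output; helper names are this example's own.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Verbose level 4 lines look like:
#   14.839389 ipsec1 out 10.10.10.1.23244 -> 192.168.10.20.80: syn 1555689492
# The prompt line and the "Using Original Sniffing Mode" / "interfaces=" /
# "filters=" header lines do not match this pattern and are skipped.
SNIFFER_LINE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<iface>\S+)\s+(?P<direction>in|out)\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+):\s*(?P<info>.*)$"
)


@dataclass(frozen=True)
class Packet:
    ts: float
    iface: str
    direction: str
    src: str
    sport: int
    dst: str
    dport: int
    info: str


def parse_sniffer(text: str) -> List[Packet]:
    """Return one Packet per capture line; non-packet lines are ignored."""
    packets = []
    for line in text.splitlines():
        m = SNIFFER_LINE.match(line.strip())
        if not m:
            continue
        packets.append(Packet(
            ts=float(m["ts"]), iface=m["iface"], direction=m["direction"],
            src=m["src"], sport=int(m["sport"]),
            dst=m["dst"], dport=int(m["dport"]), info=m["info"],
        ))
    return packets


def wrong_source_packets(packets: List[Packet], cert_server: str,
                         expected_src: str) -> List[Packet]:
    """Outbound packets to cert_server whose source IP is not expected_src."""
    return [p for p in packets
            if p.direction == "out" and p.dst == cert_server
            and p.src != expected_src]


def verify(capture: str, cert_server: str = "192.168.10.20",
           expected_src: str = "10.20.10.254") -> Dict[str, object]:
    """Summarise a capture: packet count and the set of offending source IPs."""
    pkts = parse_sniffer(capture)
    bad = wrong_source_packets(pkts, cert_server, expected_src)
    return {"packets": len(pkts), "wrong_source": sorted({p.src for p in bad})}


# Capture from the article, taken before 'set source-ip' was configured.
BEFORE = """FortiGate-Spoke # diagnose sniffer packet any "host 192.168.10.20 and port 80" 4 0
Using Original Sniffing Mode
interfaces=[any]
filters=[host 192.168.10.20 and port 80]
14.839389 ipsec1 out 10.10.10.1.23244 -> 192.168.10.20.80: syn 1555689492
17.996293 ipsec1 out 10.10.10.1.23244 -> 192.168.10.20.80: syn 1555689492
"""

# Capture from the article, taken after 'set source-ip 10.20.10.254'.
AFTER = """FortiGate-Spoke # diagnose sniffer packet any "host 192.168.10.20 and port 80" 4 0
Using Original Sniffing Mode
interfaces=[any]
filters=[host 192.168.10.20 and port 80]
205.291447 ipsec1 out 10.20.10.254.23258 -> 192.168.10.20.80: syn 2173764965
"""

if __name__ == "__main__":
    print("before:", verify(BEFORE))  # source 10.10.10.1 flagged
    print("after: ", verify(AFTER))   # no offending packets
```

Paste the output of the sniffer command into the capture string (or read it from a file) and call `verify()` with the certificate server address and the value you set under `config vpn certificate setting`; an empty `wrong_source` list means every outbound packet to that server used the configured source IP.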