Description
This article explains how to configure a dial-up (client-to-site) IPsec VPN with RSA certificate authentication. The following certificates are required:
- Server Certificate.
- CA certificate.
- User certificate.
Scope
FortiGate.
Solution
The following steps can be used to configure certificate-based authentication for dial-up VPN.
On the FortiGate, add the server certificate under Local Certificates.
Add the CA certificate under CA Certificates.
Create PKI users.
config user peer
edit "ssluser1"
set ca "CA_Cert_1"
set subject "ssluser1" <- Subject should match the user certificate.
next
end
Repeat this for every other user, one PKI user per user certificate.
Add the PKI users to PKI groups.
config user peergrp
edit "peergrp"
set member "ssluser1"
next
end
In the dial-up IPsec VPN tunnel configuration, set the authentication method to certificate, select the server certificate, and select the peer group created above.
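As an added example (not part of the original article), the FortiGate side of the steps above expressed as one CLI configuration, including the dial-up phase 1 that binds the server certificate and the peer group to RSA signature authentication. The tunnel name "Dialup_RSA", interface "wan1", certificate name "Server_Cert", second user "ssluser2" and the 10.10.10.0/24 client address pool are assumed values; replace them with your own.

```fortios
# One PKI user per client certificate. The subject must match the subject
# of the user certificate issued by CA_Cert_1, otherwise IKE authentication fails.
config user peer
    edit "ssluser1"
        set ca "CA_Cert_1"
        set subject "ssluser1"
    next
    edit "ssluser2"
        set ca "CA_Cert_1"
        set subject "ssluser2"
    next
end

# Group the PKI users so the tunnel can reference them together.
config user peergrp
    edit "peergrp"
        set member "ssluser1" "ssluser2"
    next
end

# Dial-up phase 1 using RSA signature authentication.
# "Dialup_RSA", "wan1", "Server_Cert" and the address pool are assumed values.
config vpn ipsec phase1-interface
    edit "Dialup_RSA"
        set type dynamic
        set interface "wan1"
        set ike-version 2
        set peertype peergrp
        set authmethod signature
        set mode-cfg enable
        set proposal aes256-sha256
        set certificate "Server_Cert"
        set peergrp "peergrp"
        set ipv4-start-ip 10.10.10.1
        set ipv4-end-ip 10.10.10.254
        set ipv4-netmask 255.255.255.0
    next
end

# Matching phase 2 for the dial-up tunnel.
config vpn ipsec phase2-interface
    edit "Dialup_RSA_p2"
        set phase1name "Dialup_RSA"
        set proposal aes256-sha256
    next
end
```

A client whose certificate subject does not match any peer in "peergrp", or that was not issued by "CA_Cert_1", is rejected during IKE authentication and shows up in the IKE debug output described in the Troubleshooting section.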
On the Client's PC:
Add the user certificate on FortiClient.
Go to File -> Settings -> Certificate Management, enable 'Use Local Certificate Uploads (IPsec only)' and import the user certificate.
Select the User certificate on the VPN profile.
The user will now be able to connect to the VPN successfully.
Troubleshooting:
If the VPN still fails to establish, collect IKE debug output with the following commands.
diagnose vpn ike log-filter dst-addr4 x.x.x.x
diagnose debug application ike -1
diagnose debug enable
Here, x.x.x.x is the IP address of the client PC from which the VPN connection is initiated.
To stop the debugs, run the following commands:
diagnose debug disable
diagnose debug reset
Note:
Starting from v7.4.1, the 'diagnose vpn ike log-filter dst-addr4' command has been changed to 'diagnose vpn ike log filter rem-addr4'.