Bhuvanesh
Staff
Article Id 425154
Description: This article describes how to configure a Site-to-Site IPsec VPN using certificate-based authentication on FortiGate firewalls.
Instead of using a pre-shared key (PSK), the VPN peers authenticate each other using X.509 certificates signed by a trusted Root Certificate Authority (CA).
Scope: FortiGate.
Solution

Step 1: Create or obtain the Root CA certificate, then import it under Create/Import -> Remote Certificate.

Step 2: Obtain a child/server/client certificate in .p12 format and import it under Create/Import -> Certificate.

Choose either Certificate + Key, or Certificate with the .p12 format.

Here, the Root CA is tftpFortinet, and the Server/Entity/Client Certificate is FortiGateCert_cert.

The same procedure must be followed on the peer device.

Step 3: Configure the IPsec tunnel on both firewalls and set the authentication method to Signature instead of Pre-Shared Key.

Technical Tip: How to set up IPsec VPN between two FortiGates (Using VPN Setup wizard and custom pro...

Local Firewall:

  1. Choose the Entity Certificate as the imported Server Certificate (the .p12 certificate imported in Step 2).

  2. For the Peer Certificate, create a new PKI user, enter the required name, and select the imported Root CA.

All other configuration remains the same; only the authentication method is changed from Pre-Shared Key to Signature.

The same steps must be followed on the Remote Firewall.
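The CLI equivalent of Steps 2 and 3 on the local firewall, added here as an example and not taken from the article. It assumes the Root CA is present as a CA certificate named tftpFortinet and the imported .p12 as local certificate FortiGateCert_cert (the names used above); the interface port1, the peer address 203.0.113.2, the peer subject, and the object names to_remote and RemoteFGT_peer are placeholders. The remote firewall mirrors this with its own certificate and a PKI user that references the same Root CA.

```fortios
# Peer Certificate: a PKI user bound to the trusted Root CA.
# The peer's certificate must chain to this CA. Pinning the expected
# subject (placeholder below) limits which certificates under that CA
# are accepted for this tunnel.
config user peer
    edit "RemoteFGT_peer"
        set ca "tftpFortinet"
        set subject "CN=remote-fortigate"
    next
end

# Phase 1: Signature authentication replaces "set authmethod psk".
# "certificate" is the Entity Certificate (imported .p12);
# "peer" is the Peer Certificate (the PKI user defined above).
config vpn ipsec phase1-interface
    edit "to_remote"
        set interface "port1"
        set ike-version 2
        set remote-gw 203.0.113.2
        set authmethod signature
        set certificate "FortiGateCert_cert"
        set peertype peer
        set peer "RemoteFGT_peer"
        set proposal aes256-sha256
        set dhgrp 14
    next
end

# Phase 2, static routes and firewall policies are unchanged from a
# pre-shared-key tunnel.
config vpn ipsec phase2-interface
    edit "to_remote_p2"
        set phase1name "to_remote"
        set proposal aes256-sha256
        set dhgrp 14
    next
end

# Verification: the IKE gateway list shows the negotiated
# authentication method and the tunnel summary shows tunnel state.
# diagnose vpn ike gateway list
# get vpn ipsec tunnel summary
```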

Sample Output:

Use the following CLI commands to verify tunnel status:

IPsec using FortiGate default certificates:

Troubleshooting Tip: IPSec tunnel with certificate-based authentication between two FortiGates