Created on 01-06-2023 06:58 AM Edited on 01-09-2023 01:49 AM By Jean-Philippe_P
Description | This article describes how to set up IPsec VPN using the Certificates generated on FortiManager for authentication. |
Scope | FortiManager, IPSEC, Certificate. |
Solution |
1) Create a Certificate template under Provisioning Templates:
Once the template is created, 'right-click' on the template and select 'Generate'.
Select all the devices to generate the certificate.
Once the certificate is generated, an installation is necessary to create the certificates locally on FortiGates.
Since this example focuses on using FortiManager as the CA, the VPNs themselves are created in the usual way on FortiManager:
Create the IPsec phase 1, select 'signature' as the authentication method, and make sure the newly generated certificate is selected from the list:
Create the relevant phase 2, the routing configuration appropriate to the setup (static routing was used in this setup), and the firewall policies that allow the IPsec traffic. Perform an installation.
Once the VPNs are created on the devices, IPsec should come up and start working.
Note: Certificates on the FortiGate are signed by the local CA on the FortiManager.
This certificate can be located under Policy & Objects -> Object Configurations -> Advanced -> CA Certificates.
Note: It may be necessary to enable the 'Advanced' menu under Tools -> Display Options. If this CA is not installed on the FortiGates, the tunnel may fail to come up with the following error:
At the first policy installation, FortiManager installs this certificate to FortiGate as well.
After the root CA is installed on both FortiGates, the VPN debug should no longer display the 'certificate validation failed' message:
Note: Regardless of where the certificate was generated (on FortiManager or externally), the 'certificate validation failed' error in the IKE debug means that the FortiGate is unable to confirm the integrity and validity of the peer's certificate. It can also indicate an expired certificate or a certificate signed by a CA the FortiGate does not trust. |
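The trust check behind the note above, reproduced with OpenSSL as an added example (not Fortinet's code or the article's own): a locally created CA stands in for the FortiManager CA, and a leaf certificate signed by it stands in for the one generated from the certificate template. The subject names, lifetime and file names are assumptions; the same leaf verifies against a peer that holds the CA and fails against one that does not, which is the condition behind 'certificate validation failed'.

```shell
#!/bin/sh
# Added example, not code from the article or from Fortinet: a local CA
# stands in for the FortiManager CA, and a leaf certificate signed by it
# for the certificate the provisioning template generated for a FortiGate.
# Subject names, lifetime and file names are constructed assumptions.
set -e
WORK=$(mktemp -d)

# Issue a self-signed CA, then a leaf certificate signed by that CA.
make_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=FMG-CA" -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=FGT-branch" -keyout "$WORK/fgt.key" -out "$WORK/fgt.csr" >/dev/null 2>&1
    openssl x509 -req -sha256 -days 365 -in "$WORK/fgt.csr" \
        -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
        -out "$WORK/fgt.pem" >/dev/null 2>&1
}

# Peer that has the issuing CA installed: the chain verifies ("ok").
verify_with_ca() {
    if openssl verify -CAfile "$WORK/ca.pem" "$WORK/fgt.pem" >/dev/null 2>&1
    then echo ok; else echo fail; fi
}

# Peer whose trust store lacks the CA (a FortiGate that never received the
# FortiManager CA): the same leaf fails, which is the condition the IKE
# debug reports as 'certificate validation failed'.
verify_without_ca() {
    if openssl verify -no-CAfile -no-CApath "$WORK/fgt.pem" >/dev/null 2>&1
    then echo ok; else echo fail; fi
}

# The other cause named in the article, an expired certificate:
# -checkend 0 exits non-zero once the certificate's notAfter has passed.
check_not_expired() {
    if openssl x509 -noout -checkend 0 -in "$WORK/fgt.pem" >/dev/null 2>&1
    then echo ok; else echo fail; fi
}

make_pki
echo "CA installed on peer:   $(verify_with_ca)"      # ok
echo "CA missing on peer:     $(verify_without_ca)"   # fail
echo "certificate unexpired:  $(check_not_expired)"   # ok
```

Running the same `openssl verify -CAfile` against the CA exported from FortiManager and the certificate installed on a FortiGate confirms the chain before the tunnel is brought up.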
Copyright 2024 Fortinet, Inc. All Rights Reserved.