FortiManager
ssener (Staff)
Article Id 242241
Description: This article describes how to set up an IPsec VPN that uses certificates generated on FortiManager for authentication.
Scope: FortiManager, IPsec, certificates.
Solution

1) Create a Certificate template under Provisioning Templates:
Once the template is created, 'right-click' on the template and select 'Generate'.
Select all the devices for which the certificate should be generated.
Once the certificate has been generated, perform an installation so that the certificates are created locally on the FortiGates.
Since this example focuses on using FortiManager as the CA, the VPNs themselves are created on FortiManager in the usual way:

Create the IPsec phase 1, set the authentication method to 'Signature', and make sure the newly generated certificate is selected from the certificate list.

Create the matching phase 2, the routing configuration (static routing was used in this setup), and the firewall policies that allow the IPsec traffic.

Perform an installation.

Once the VPNs are installed on the devices, IPsec should come up and start working.
Note:

Certificates on the FortiGate are signed by the local CA on the FortiManager.

This CA certificate can be found under Policy & Objects -> Object Configurations -> Advanced -> CA Certificates.
Note:

It may be necessary to enable the 'Advanced' menu in Tools -> Display Options.

If this CA is not installed on the FortiGates, the tunnel may fail to come up, and the IKE debug shows a 'certificate validation failed' error.
At the first policy installation, FortiManager installs this CA certificate on the FortiGate as well.

After the root CA is installed on both FortiGates, the VPN debug should no longer display the 'certificate validation failed' message.

Note: Regardless of where the certificate is generated (on FortiManager or externally), a 'certificate validation failed' error in the IKE debug means that the FortiGate is unable to confirm the integrity and validity of the peer's certificate. Typical causes are an expired certificate or a certificate signed by a CA that the FortiGate does not trust.
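The check behind both notes (the CA that must be present on the FortiGate, and the expired or untrusted-CA causes of 'certificate validation failed') can be reproduced outside the firewall with openssl. The script below is an added example, not part of this article and not Fortinet code: it builds a constructed throw-away PKI in a temporary directory (placeholder names FMG-Test-CA, Other-CA and fgt-branch, standing in for the FortiManager CA, a CA the peer was never given, and a device certificate from the template) and runs check_chain, a helper defined here, for the working case, the missing-CA case and the expired case.

```shell
#!/bin/sh
# Added example, not part of the Fortinet article: a throw-away PKI built with
# openssl that reproduces the outcomes behind the IKE 'certificate validation
# failed' message. Names (FMG-Test-CA, Other-CA, fgt-branch) are placeholders.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Constructed test PKI:
#   ca.crt       stands in for the FortiManager local CA
#   other-ca.crt a CA the peer has NOT been given (untrusted issuer case)
#   fgt.crt      a device certificate issued by ca.crt, like the template output
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
  -subj "/CN=FMG-Test-CA" -keyout ca.key -out ca.crt 2>/dev/null
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
  -subj "/CN=Other-CA" -keyout other-ca.key -out other-ca.crt 2>/dev/null
openssl req -newkey rsa:2048 -nodes -sha256 \
  -subj "/CN=fgt-branch" -keyout fgt.key -out fgt.csr 2>/dev/null
openssl x509 -req -in fgt.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
  -days 365 -sha256 -out fgt.crt 2>/dev/null

# check_chain TRUSTED_CA_FILE DEVICE_CERT [EPOCH_SECONDS]
# Validates DEVICE_CERT against TRUSTED_CA_FILE the way a VPN peer would,
# optionally at a chosen point in time, and reduces the verdict to one word.
check_chain() {
  ca="$1"; cert="$2"; at="${3:-}"
  if [ -n "$at" ]; then
    out="$(openssl verify -attime "$at" -CAfile "$ca" "$cert" 2>&1 || true)"
  else
    out="$(openssl verify -CAfile "$ca" "$cert" 2>&1 || true)"
  fi
  case "$out" in
    *"has expired"*)                            echo expired ;;
    *"unable to get local issuer certificate"*) echo untrusted-ca ;;
    *": OK"*)                                   echo ok ;;
    *)                                          echo "other: $out" ;;
  esac
}

# Stand-alone run: the three situations the article's notes describe.
echo "trusted CA, within validity:     $(check_chain ca.crt fgt.crt)"
echo "CA not installed on the peer:    $(check_chain other-ca.crt fgt.crt)"
echo "same CA, checked in year 2100:   $(check_chain ca.crt fgt.crt 4102444800)"
```

On a FortiGate, the file passed as the trusted CA corresponds to the entry under CA Certificates; when the FortiManager CA has not been pushed to the device, the second outcome is what the IKE debug reports as 'certificate validation failed', and the third outcome is what an expired device certificate produces even with the right CA installed.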