Hello Fortinet Community,
Q: How to set up a certificate-based VPN between FortiGate appliances via WebUI on recent FortiOS 7.x?
A: After completing a VPN-Setup Sheet, you need to create a certificate on each site.
System>Certificates>Create/Import>Certificate
Give your certificate a self-explanatory name. If you have a static IP address, enter it under ‘common name’. If you do not have a static IP address, you should use a domain name instead that can be resolved over the Internet.
Download the certificate of the certification authority (CA). In this case it is ‘Fortinet_CA_SSL’.
After you are done creating and downloading the certificates on both gateways, you have to import the CA certificate from one gateway to the other gateway and vice versa under System>Certificates>Create/Import>CA Certificate.
After importing the CA certificate, you should see it under Remote CA Certificate.
Configuring the tunnel:
Enter the remote gateway's IP address and the outgoing interface.
Change the mode from Pre-shared Key to Signature, and under Certificate Name select the certificate you created on this gateway (in this example ‘Site2’).
In the next step you have to create a PKI user under Peer Certificate and use the CA certificate imported from your remote gateway.
For Phase 1, select the encryption and authentication you agreed upon, as well as the Diffie-Hellman group and the key lifetime.
For Phase 2, enter the local and remote address space. It is best practice to use an address object for your local and remote address space.
Under Advanced options, you can select the encryption and authentication method you agreed upon, as well as the Diffie-Hellman group and the key lifetime.
Add a static route for your remote subnet pointing to the VPN tunnel interface, as well as another static route pointing to the Blackhole interface.
Network > Static Routes > Create New
The last step is to add firewall policies to allow the VPN traffic to pass through.
Add a new policy: Policy & Objects > Firewall Policy > Create New
In this case you don’t need any NAT rules. You can restrict access from the tunnel according to your needs by selecting only the services you really need to share.
After that, monitor your VPN tunnel. To check your VPN tunnel's health, you have to add a new dashboard widget called IPsec:
Dashboard > Status > Add Widget
Now, you are able to check Phase 1 and Phase 2 status.
You can then test the connection with a simple ping. Phase 2 should be brought up automatically, provided Phase 1 has been brought up properly.
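The same setup entered through the FortiOS CLI instead of the WebUI, as an added example that is not part of the original post: the tunnel, peer, CA and address-object names (ToSite1, Site1-peer, Site1_CA, Site1_LAN), the interface wan1, the subnets and the remote address 203.0.113.2 are assumed placeholders, and the `#` comments are explanation only and must be stripped before pasting into the CLI.

```text
config user peer
    edit "Site1-peer"
        set ca "Site1_CA"              # remote CA imported under Remote CA Certificate
    next
end
config vpn ipsec phase1-interface
    edit "ToSite1"
        set interface "wan1"
        set remote-gw 203.0.113.2      # Site 1 public address (placeholder)
        set authmethod signature       # certificate instead of pre-shared key
        set certificate "Site2"        # local certificate created on this gateway
        set peertype peer
        set peer "Site1-peer"
        set proposal aes256-sha256
        set dhgrp 14
    next
end
config vpn ipsec phase2-interface
    edit "ToSite1-p2"
        set phase1name "ToSite1"
        set proposal aes256-sha256
        set dhgrp 14
        set src-subnet 10.2.0.0 255.255.255.0
        set dst-subnet 10.1.0.0 255.255.255.0
    next
end
config router static
    edit 0
        set dst 10.1.0.0 255.255.255.0
        set device "ToSite1"           # remote subnet via the tunnel interface
    next
    edit 0
        set dst 10.1.0.0 255.255.255.0
        set blackhole enable
        set distance 254               # drops traffic only while the tunnel is down
    next
end
config firewall policy
    edit 0
        set name "LAN-to-Site1"
        set srcintf "internal"
        set dstintf "ToSite1"
        set srcaddr "all"
        set dstaddr "Site1_LAN"        # address object for 10.1.0.0/24, created beforehand
        set action accept
        set schedule "always"
        set service "PING" "HTTPS"     # only the services that must cross the tunnel
        set nat disable
    next
end
```

Adding `set cn` under the peer entry restricts the tunnel to the certificate whose common name matches, instead of accepting any certificate signed by that CA.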
Wow, thanks for describing the steps so visually!
Could you please add how to set up a cert-based VPN between FortiGate and a third-party VPN gateway (e.g. Check Point)?
Copyright 2024 Fortinet, Inc. All Rights Reserved.