Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.

HowTo: Setup up VPN certificates via WebUI

Hello Fortinet Community,

Q: How to set up a certificate-based VPN between FortiGate appliances via WebUI on recent FortiOS 7.x?

New Contributor II

A: After completing a VPN-Setup Sheet you need to create a certificate on each site. 


Give your certificate a self-explanatory name. If you have a static IP-address enter this under ‘common name’. If you do not have a static IP-address you should use a domain name instead which can be resolved over the Internet.

Download the certificate of the certification authority (CA). In this case it is the ‘Fortinet_CA_SSL’.

After you are done creating and downloading the certificates on both gateways you have to import the CA-Certificate from one gateway to the other gateway and vice versa under System>Certificates>Create/Import>CA Certificate

After importing the CA-Certificate you should see it under Remote CA Certificate 

Configuring the tunnel:

Enter the Remote Gateways IP Address and the outgoing interface.

Change mode from Pre-shared Key to Signature. And select the certificate under Certificate Name which you created on this gateway (in this example ‘Site2’).

In the next step you have to create a PKI User under Peer certificate and use your Imported CA-Certificate from your Remote gateway.

For Phase 1 select the Encryption and Authentication you agreed upon as well as the Diffie-Hellman Group and the Key Lifetime.

For Phase 2 enter the Local and Remote Address space. It would be Best Practice to use an Address Object for your Local and Remote Address space.

Under Advanced options you can select the Encryption and Authentication method you agreed upon as well as the Diffie-Hellman Group and the Key Lifetime.


New Contributor II

Add a static route for your remote subnet pointing to the VPN-Tunnel Interface as well as another static Route pointing to the Blackhole interface.

Network > Static Routes > Create New




Last step is to add Firewall Policies to allow the VPN traffic to pass through.
Add a New Policies Policy & Objects > Firewall Policy > Create New


In this case you don’t need any NAT-Rules. You can restrict the access from the tunnel according to your needs by only selecting Services you really need to share.



After that, monitor your VPN-tunnel. To check your VPN tunnel health you have to add a new Dashboard-Widget called IPsec

Dashboard > Status > Add Widget



Now, you are able to check Phase 1 and Phase 2 status.




You can then test the connection with a simple ping. Phase 2 should be brought up automatically, provided Phase 1 has been brought up properly.



Wow, thanks for describing the steps so visually!

Could you please add how to set up a cert-based VPN between FortiGate and a 3rd party VPN gateway (e.g. Check Point)?


Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Top Kudoed Authors