A: After completing a VPN-Setup Sheet you need to create a certificate on each site.
Give your certificate a self-explanatory name. If you have a static IP address, enter it under ‘Common Name’. If you do not have a static IP address, use instead a domain name that can be resolved over the Internet.
Download the certificate of the certification authority (CA). In this example it is the ‘Fortinet_CA_SSL’.
After you have created and downloaded the certificates on both gateways, import the CA certificate of each gateway into the other one (and vice versa) under System>Certificates>Create/Import>CA Certificate.
After importing the CA certificate, you should see it under Remote CA Certificate.
Configuring the tunnel:
Enter the remote gateway's IP address and the outgoing interface.
Change the mode from Pre-shared Key to Signature, and under Certificate Name select the certificate you created on this gateway (in this example ‘Site2’).
In the next step, create a PKI user under Peer Certificate and select the CA certificate you imported from the remote gateway.
For Phase 1 select the Encryption and Authentication you agreed upon as well as the Diffie-Hellman Group and the Key Lifetime.
For Phase 2, enter the local and remote address space. It is best practice to use an address object for the local and the remote address space.
Under Advanced options you can select the Encryption and Authentication method you agreed upon as well as the Diffie-Hellman Group and the Key Lifetime.
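As an added example (not part of the original answer), this is the equivalent FortiOS CLI configuration for the ‘Site2’ gateway described above. The interface ‘wan1’, the remote address 203.0.113.10, the peer Common Name, the proposal/lifetime values and the address objects LAN_Site1/LAN_Site2 are assumptions; the phase 1 lines authmethod, certificate and peer correspond to the Signature mode, Certificate Name and PKI user steps.

```text
# Assumed: CA certificate of the remote gateway already imported as "Fortinet_CA_SSL_Site1",
# local certificate "Site2" already created, address objects LAN_Site1/LAN_Site2 already exist.

# PKI user: pins the remote peer to its CA and to the Common Name of its certificate
# (default cn-type is an exact string match; the CN must be the remote IP or resolvable FQDN)
config user peer
    edit "Site1_peer"
        set ca "Fortinet_CA_SSL_Site1"
        set cn "vpn.site1.example.com"
    next
end

# Phase 1: certificate (signature) authentication instead of a pre-shared key
config vpn ipsec phase1-interface
    edit "Site1"
        set interface "wan1"
        set ike-version 2
        set remote-gw 203.0.113.10
        set authmethod signature
        set certificate "Site2"
        set peertype peer
        set peer "Site1_peer"
        set proposal aes256-sha256
        set dhgrp 14
        set keylife 28800
    next
end

# Phase 2: local/remote address space as address objects (best practice from the answer)
config vpn ipsec phase2-interface
    edit "Site1_p2"
        set phase1name "Site1"
        set proposal aes256-sha256
        set dhgrp 14
        set keylifeseconds 3600
        set src-addr-type name
        set src-name "LAN_Site2"
        set dst-addr-type name
        set dst-name "LAN_Site1"
    next
end

# Check: phase 1 status, including the peer identity verified against the CA
diagnose vpn ike gateway list name Site1
```

The same configuration is applied on the other gateway with the names, certificate, peer CA and address objects swapped.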