Hi,
I know this is not best practice to use same certificate on all FortiGate for IPSec VPN Authentication.
But I'm wondering, let say I deployed Hub and Spoke with 10 branches connect to DC as hub.
Can all FortiGate use same certificate for IPSec VPN authentication? Does FortiGate can authenticate each other?
Thanks
Ari
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Oh I'm sorry I mis-read you original question. I thought you were using the certificates for IPSec remote access for clients. This is site-to-site IPSec VPN?
If so yes fairly certain it will work if you use the same certificates everywhere. Just note this provides almost exactly the same security as PSK. If one certificate is compromised you have to reset every node and reconfigure the certificates.
Hello Ari,
Thank you for using the Community Forum.
I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.
Regards,
You can do it but it will be hard to make it a trusted certificate for all of your clients. It will need SANs or wildcard CN so that each FortiGate that is presenting it will be verified accordingly. Otherwise users will get untrusted certificate warnings.
Why not just have one central FortiGate as your VPN gateway?
Hi,
So, technically it's possible to use same certificate on the FortiGate branches to connect to the FortiGate DC in IPSec VPN, but it requires to different in SAN or wildcard CN, is it correct?
What will happen when the certificate doesn't have SAN or wildcard CN? Will the IPSec VPN authentication between FortiGate branch and FortiGate DC fail?
Thanks
Arie
Oh I'm sorry I mis-read you original question. I thought you were using the certificates for IPSec remote access for clients. This is site-to-site IPSec VPN?
If so yes fairly certain it will work if you use the same certificates everywhere. Just note this provides almost exactly the same security as PSK. If one certificate is compromised you have to reset every node and reconfigure the certificates.
Hi,
Yes, it's for site-to-site IPSec VPN.
Thanks for your insight.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1733 | |
1106 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.