Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
arie12092
New Contributor III

Using Same Certificate for IPSec VPN Authentication

Hi,

I know this is not best practice to use same certificate on all FortiGate for IPSec VPN Authentication.

But I'm wondering, let say I deployed Hub and Spoke with 10 branches connect to DC as hub.

Can all FortiGate use same certificate for IPSec VPN authentication? Does FortiGate can authenticate each other?

 

Thanks

Ari

1 Solution
gfleming

Oh I'm sorry I mis-read you original question. I thought you were using the certificates for IPSec remote access for clients. This is site-to-site IPSec VPN?

 

If so yes fairly certain it will work if you use the same certificates everywhere. Just note this provides almost exactly the same security as PSK. If one certificate is compromised you have to reset every node and reconfigure the certificates.

Cheers,
Graham

View solution in original post

5 REPLIES 5
Anthony_E
Community Manager
Community Manager

Hello Ari,

 

Thank you for using the Community Forum.

I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.


Regards,

Anthony-Fortinet Community Team.
gfleming
Staff
Staff

You can do it but it will be hard to make it a trusted certificate for all of your clients. It will need SANs or wildcard CN so that each FortiGate that is presenting it will be verified accordingly. Otherwise users will get untrusted certificate warnings. 

 

Why not just have one central FortiGate as your VPN gateway? 

Cheers,
Graham
arie12092
New Contributor III

Hi,

So, technically it's possible to use same certificate on the FortiGate branches to connect to the FortiGate DC in IPSec VPN, but it requires to different in SAN or wildcard CN, is it correct?

What will happen when the certificate doesn't have SAN or wildcard CN? Will the IPSec VPN authentication between FortiGate branch and FortiGate DC fail?

 

Thanks

Arie

gfleming

Oh I'm sorry I mis-read you original question. I thought you were using the certificates for IPSec remote access for clients. This is site-to-site IPSec VPN?

 

If so yes fairly certain it will work if you use the same certificates everywhere. Just note this provides almost exactly the same security as PSK. If one certificate is compromised you have to reset every node and reconfigure the certificates.

Cheers,
Graham
arie12092
New Contributor III

Hi,

 

Yes, it's for site-to-site IPSec VPN.

Thanks for your insight.

Labels
Top Kudoed Authors