In this recipe, you create a route-based IPsec VPN tunnel to allow transparent communication between two networks that are located behind different FortiGates. The VPN will be created on both FortiGates using the VPN Wizard’s Site to Site – FortiGate template. However, instead of using a pre-shared key for authentication, the FortiGates will use a certificate.
In this example, one FortiGate will be referred to as HQ and the other as Branch.
1. Enabling certificate management |
|
| On both FortiGates, go to System > Feature Visibility and make sure that Certificates is enabled. |  |
2. Obtaining necessary certificates |
|
|
|
|
|
This recipe requires the following files:
|
|
3. Installing the client certificates |
|
|
The client certificate is used for authentication and represents the individual identity of each FortiGate. |
|
|
On HQ, go to System > Certificates and select Import > Local Certificate. Set Type to Certificate, choose the Certificate file and the Key file for HQ, and enter the Password for the key file, if applicable. You can also change the Certificate Name. |
 |
|
HQ’s client certificate now appears in the list of Certificates on HQ. |
 |
|
On Branch, go to System > Certificates and select Import > Local Certificate. Set Type to Certificate, choose the Certificate file and the Key file for Branch, and enter the Password for the key file, if applicable. You can also change the Certificate Name. |
 |
|
Branch’s client certificate now appears in the list of Certificates on Branch. |
 |
4. Installing the CA certificates |
|
|
The CA certificate is used for verifying the identity of the remote FortiGate’s client certificate, which we imported in step 3. |
|
|
On HQ, go to System > Certificates and select Import > CA Certificate. Set Type to File, and upload the CA certificate that issued HQ’s certificate. |
 |
|
On HQ, go to System > Certificates and select Import > CA Certificate. Set Type to File, and upload the CA certificate that issued Branch’s certificate. . |
 |
|
The CA certificates now appear in HQ’s list of External CA Certificates with the automatically generated names CA_Cert_1 and CA_Cert_2. |
 |
|
Repeat this step exactly the same way on Branch. |
|
5. Configuring the IPsec VPN on HQ |
|
|
On HQ, go to VPN > IPsec Wizard and create a new tunnel. In the VPN Setup step, set Template Type to Site to Site and Remote Device Type to FortiGate. |
 |
|
In the Authentication step, set IP Address to the public IP address of the Branch FortiGate (in the example, 172.25.177.46). After you enter the IP address, an available interface will be assigned as the Outgoing Interface. If you want to use a different interface, select it from the drop-down menu. |
 |
|
Select Signature for the Authentication Method. For the Certificate Name, we select the client certificate we imported in step 3 (in the example, FortiGate-HQ). For the Peer Certificate CA, we select the CA certificate for Branch that we imported in step 4 (in the example, CA_Cert_2). |
|
|
In the Policy & Routing step, set Local Interface to LAN. The local subnet is added automatically. Set Remote Subnets to Branch’s local subnet (in the example, 192.168.13.0/24). |
 |
|
A summary page shows the configuration created by the wizard, including firewall addresses, static routes, and security policies. |
 |
6. Configuring the IPsec VPN on Branch |
|
|
On Branch, go to VPN > IPsec Wizard and create a new tunnel. In the VPN Setup step, set Template Type to Site to Site and Remote Device Type to FortiGate. |
 |
|
In the Authentication step, set IP Address to the public IP address of the HQ FortiGate (in the example, 172.25.176.142). After you enter the IP address, an available interface will be assigned as the Outgoing Interface. If you want to use a different interface, select it from the drop-down menu.
|
 |
|
Select Signature for the Authentication Method. For the Certificate Name, we select the client certificate we imported in step 3 (in the example, FortiGate-Branch). For the Peer Certificate CA, we select the CA certificate for HQ that we imported in step 4 (in the example, CA_Cert_1). |
|
|
In the Policy & Routing step, set Local Interface to LAN. The local subnet is added automatically. Set Remote Subnets to HQ’s local subnet (in the example, 192.168.37.0/24). |
 |
|
A summary page shows the configuration created by the wizard, including firewall addresses, static routes, and security policies. |
 |
Results |
|
|
On either FortiGate, go to Monitor > IPsec Monitor to verify the status of the VPN tunnel. If the tunnel is showing down, right-click under Status and select Bring Up. |
|
|
A user on either of the office networks should be able to connect to any address on the other office network transparently. If you need to generate traffic to test the connection, ping Branch’s LAN interface from a device on HQ’s internal network. |
|
The post Site-to-site IPsec VPN with certificate authentication appeared first on Fortinet Cookbook.