Authenticating IPsec VPN users with security certificates

Authenticating IPsec VPN users with security certificates

To require VPN peers to authenticate by means of a certificate, the FortiGate unit must offer a certificate to authenticate itself to the peer.

To enable the FortiGate unit to authenticate itself with a certificate:

  1. Install a signed server certificate on the FortiGate unit.

See To install or import the signed server certificate – web-based manager on page 118.

  1. Install the corresponding CA root certificate on the remote peer or client. If the remote peer is a FortiGate unit, see To install a CA root certificate on page 119.
  2. Install the certificate revocation list (CRL) from the issuing CA on the remote peer or client. If the remote peer is a FortiGate unit, see To import a certificate revocation list on page 119.
  3. In the VPN phase 1 configuration, set Authentication Method to Signature and from the Certificate Name list select the certificate that you installed in Step 1.

To authenticate a VPN peer using a certificate, you must install a signed server certificate on the peer. Then, on the FortiGate unit, the configuration depends on whether there is only one VPN peer or if this is a dialup VPN that can be multiple peers.

To configure certificate authentication of a single peer

  1. Install the CA root certificate and CRL.
  2. Create a PKI user to represent the peer. Specify the text string that appears in the Subject field of the user’s certificate and then select the corresponding CA certificate.
  3. In the VPN phase 1 Peer Options, select peer certificate for Accept Types field and select the PKI user that you created in the Peer certificate

To configure certificate authentication of multiple peers (dialup VPN)

  1. Install the corresponding CA root certificate and CRL.
  2. Create a PKI user for each remote VPN peer. For each user, specify the text string that appears in the Subject field of the user’s certificate and then select the corresponding CA certificate.
  3. Use the config user peergrp CLI command to create a peer user group. Add to this group all of the PKI users who will use the IPsec VPN.

In the VPN phase 1 Peer Options, select peer certificate group for Accept Types field and select the PKI user group that you created in the Peer certificate group field.


Having trouble configuring your Fortinet hardware or have some questions you need answered? Ask your questions in the comments below!!! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

Don't Forget To Buy Your Fortinet Hardware From The Fortinet GURU