Fortinet black logo

Cookbook

IPsec VPN authenticating a remote FortiGate peer with a certificate

Copy Link
Copy Doc ID fed12558-14f5-11e9-b86b-00505692583a:344213
Download PDF

IPsec VPN authenticating a remote FortiGate peer with a certificate

This is a sample configuration of IPsec VPN authenticating a remote FortiGate peer with a certificate. The certificate on one peer is validated by the presence of the CA certificate installed on the other peer.

To configure IPsec VPN authenticating a remote FortiGate peer with a digital certificate in the GUI:
  1. Import the certificate.
  2. Configure user peers.
  3. Configure the HQ1 FortiGate.
    1. Go to VPN > IPsec Wizard and configure the following settings for VPN Setup:
      1. Enter a VPN name.
      2. For Template Type, select Site to Site.
      3. For Remote Device Type, select FortiGate.
      4. For NAT Configuration, select No NAT Between Sites.
      5. Click Next.
    2. Configure the following settings for Authentication:
      1. For Remote Device, select IP Address.
      2. For the IP address, enter 172.16.202.1.
      3. For Outgoing interface, enter port1.
      4. For Authentication Method, select Signature.
      5. In the Certificate name field, select the imported certificate.
      6. From the Peer Certificate CA dropdown list, select the desired peer CA certificate.
      7. Click Next.
    3. Configure the following settings for Policy & Routing:
      1. From the Local Interface dropdown menu, select the local interface.
      2. Configure the Local Subnets as 10.1.100.0.
      3. Configure the Remote Subnets as 172.16.101.0.
      4. Click Create.
  4. Configure the HQ2 FortiGate.
    1. Go to VPN > IPsec Wizard and configure the following settings for VPN Setup:
      1. Enter a VPN name.
      2. For Template Type, select Site to Site.
      3. For Remote Device Type, select FortiGate.
      4. For NAT Configuration, select No NAT Between Sites.
      5. Click Next.
    2. Configure the following settings for Authentication:
      1. For Remote Device, select IP Address.
      2. For the IP address, enter 172.16.2001.
      3. For Outgoing interface, enter port25.
      4. For Authentication Method, select Signature.
      5. In the Certificate name field, select the imported certificate.
      6. From the Peer Certificate CA dropdown list, select the peer CA certificate.
      7. Click Next.
    3. Configure the following settings for Policy & Routing:
      1. From the Local Interface dropdown menu, select the local interface.
      2. Configure Local Subnets as 172.16.101.0.
      3. Configure the Remote Subnets as 10.1.100.0.
      4. Click Create.
To configure IPsec VPN authenticating a remote FortiGate peer with a digital certificate using the CLI:
  1. Configure the WAN interface and default route. The WAN interface is the interface connected to the ISP. The IPsec tunnel is established over the WAN interface.
    1. Configure HQ1.
      config system interface 
          edit "port1"
              set vdom "root"
              set ip 172.16.200.1 255.255.255.0
          next
      end
      config router static
          edit 1
              set gateway 172.16.200.3
              set device "port1"
          next
      end
    2. Configure HQ2.
      config system interface
          edit "port25"
              set vdom "root"
              set ip 172.16.202.1 255.255.255.0
          next
      end
      config router static
          edit 1
              set gateway 172.16.202.2
              set device "port25"
          next
      end
  2. Configure the internal (protected subnet) interface. The internal interface connects to the corporate internal network. Traffic from this interface routes out the IPsec VPN tunnel.
    1. Configure HQ1.
      config system interface
          edit "dmz"
              set vdom "root"
              set ip 10.1.100.1 255.255.255.0
          next
      end
    2. Configure HQ2.
      config system interface
          edit "port9"
              set vdom "root"
              set ip 172.16.101.1 255.255.255.0
          next
      end 
  3. Configure the import certificate and its CA certificate information. The certificate and its CA certificate must be imported on the remote peer FortiGate and on the primary FortiGate before configuring IPsec VPN tunnels. If the built-in Fortinet_Factory certificate and the Fortinet_CA CA certificate are used for authentication, you can skip this step.
    1. Configure HQ1.
      config vpn certificate local
          edit "test1"
              ...
              set range global
          next
      end
      config vpn certificate ca
          edit "CA_Cert_1"
              ...
              set range global
          next
      end
    2. Configure HQ2.
      config vpn certificate local
          edit "test2"
              ...
              set range global
          next
      end
      config vpn certificate ca
          edit "CA_Cert_1"
              ...
              set range global
          next
      end
  4. Configure the peer user. The peer user is used in the IPsec VPN tunnel peer setting to authenticate the remote peer FortiGate.
    1. If not using the built-in Fortinet_Factory certificate and Fortinet_CA CA certificate, do the following:
      1. Configure HQ1.
        config user peer
            edit "peer1"
                set ca "CA_Cert_1"
            next
        end
      2. Configure HQ2.
        config user peer
            edit "peer2"
                set ca "CA_Cert_1"
            next
        end
    2. If the built-in Fortinet_Factory certificate and Fortinet_CA CA certificate are used for authentication, the peer user must be configured based on Fortinet_CA.
      1. Configure HQ1.
        config user peer
            edit "peer1"
                set ca "Fortinet_CA"
            next
        end
      2. Configure HQ2.
        config user peer
            edit "peer2"
                set ca "Fortinet_CA"
            next
        end
  5. Configure the IPsec phase1-interface.
    1. Configure HQ1.
      config vpn ipsec phase1-interface
          edit "to_HQ2"
              set interface "port1"
              set authmethod signature
              set net-device enable
              set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
              set remote-gw 172.16.202.1
              set certificate "test1"
              set peer "peer1"
          next
      end
    2. Configure HQ2.
      config vpn ipsec phase1-interface
          edit "to_HQ1" 
              set interface "port25"
              set authmethod signature
              set net-device enable
              set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
              set remote-gw 172.16.200.1
              set certificate "test2"
              set peer "peer2"
          next
      end
  6. Configure the IPsec phase2-interface.
    1. Configure HQ1.
      config vpn ipsec phase2-interface
          edit "to_HQ2"
              set phase1name "to_HQ2"
              set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
              set auto-negotiate enable
          next
      end
    2. Configure HQ2.
      config vpn ipsec phase2-interface
          edit "to_HQ2"
              set phase1name "to_HQ1"
              set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
              set auto-negotiate enable
          next
      end
  7. Configure the static routes. Two static routes are added to reach the remote protected subnet. The blackhole route is important to ensure that IPsec traffic does not match the default route when the IPsec tunnel is down.
    1. Configure HQ1.
      config router static
          edit 2
              set dst 172.16.101.0 255.255.255.0
              set device "to_HQ2"
          next
          edit 3
              set dst 172.16.101.0 255.255.255.0
              set blackhole enable
              set distance 254
          next
      end
    2. Configure HQ2.
      config router static
          edit 2
              set dst 10.1.100.0 255.255.255.0
              set device "to_HQ1"
          next
          edit 3
              set dst 10.1.100.0 255.255.255.0
              set blackhole enable
              set distance 254
           next
      end
  8. Configure two firewall policies to allow bidirectional IPsec traffic flow over the IPsec VPN tunnel.
    1. Configure HQ1.
      config firewall policy
          edit 1
              set name "inbound"
              set srcintf "to_HQ2"
              set dstintf "dmz"
              set srcaddr "172.16.101.0"
              set dstaddr "10.1.100.0"
              set action accept
              set schedule "always"
              set service "ALL"
          next
          edit 2
              set name "outbound"
              set srcintf "dmz"
              set dstintf "to_HQ2"
              set srcaddr "10.1.100.0"
              set dstaddr "172.16.101.0"
              set action accept
              set schedule "always"
              set service "ALL"
          next
      end
    2. Configure HQ2.
      config firewall policy
          edit 1
              set name "inbound"
              set srcintf "to_HQ1"
              set dstintf "port9"
              set srcaddr "10.1.100.0"
              set dstaddr "172.16.101.0"
              set action accept
              set schedule "always"
              set service "ALL"
          next
          edit 2
              set name "outbound"
              set srcintf "port9"
              set dstintf "to_HQ1"
              set srcaddr "172.16.101.0"
              set dstaddr "10.1.100.0"
              set action accept
              set schedule "always"
              set service "ALL"
          next
      end
  9. Run diagnose commands. The diagnose debug application ike -1 command is the key to troubleshoot why the IPsec tunnel failed to establish. If the remote FortiGate certificate cannot be validated, the following error shows up in the debug output:
    ike 0: to_HQ2:15314: certificate validation failed
    

    The following commands are useful to check IPsec phase1/phase2 interface status.

    1. Run the diagnose vpn ike gateway list command on HQ1. The system should return the following:
      vd: root/0
      name: to_HQ2
      version: 1
      interface: port1 11
      addr: 172.16.200.1:500 -> 172.16.202.1:500
      created: 7s ago
      peer-id: C = CA, ST = BC, L = Burnaby, O = Fortinet, OU = QA, CN = test2
      peer-id-auth: yes
      IKE SA: created 1/1 established 1/1 time 70/70/70 ms
      IPsec SA: created 1/1 established 1/1 time 80/80/80 ms
      id/spi: 15326 295be407fbddfc13/7a5a52afa56adf14 direction: initiator status: established 7-7s ago = 70ms proposal: aes128-sha256 key: 4aa06dbee359a4c7-43570710864bcf7b lifetime/rekey: 86400/86092 DPD sent/recv: 00000000/00000000 peer-id: C = CA, ST = BC, L = Burnaby, O = Fortinet, OU = QA, CN = test2
    2. Run the diagnose vpn tunnel list command on HQ1. The system should return the following:
      list all ipsec tunnel in vd 0
      name=to_HQ2 ver=1 serial=1 172.16.200.1:0->172.16.202.1:0
      bound_if=11 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/528 options[0210]=create_dev frag-rfcaccept_traffic=1
      proxyid_num=1 child_num=0 refcnt=14 ilast=19 olast=179 ad=/0
      stat: rxp=0 txp=0 rxb=0 txb=0
      dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=0
      natt: mode=none draft=0 interval=0 remote_port=0
      proxyid=vpn-f proto=0 sa=1 ref=2 serial=1 auto-negotiate
      src: 0:0.0.0.0/0.0.0.0:0
      dst: 0:0.0.0.0/0.0.0.0:0
      SA: ref=3 options=18227 type=00 soft=0 mtu=1438 expire=42717/0B replaywin=2048 seqno=1 esn=0 replaywin_lastseq=00000000 itn=0
      life: type=01 bytes=0/0 timeout=42897/43200
      dec: spi=72e87de7 esp=aes key=16 8b2b93e0c149d6f22b1c0b96ea450e6c
      ah=sha1 key=20 facc655e5f33beb7c2b12e718a6d55413ce3efa2
      enc: spi=5c52c865 esp=aes key=16 8d0c4e4adbf2338beed569b2b3205ece
      ah=sha1 key=20 553331628612480ab6d7d563a00e2a967ebabcdd
      dec:pkts/bytes=0/0, enc:pkts/bytes=0/0
      

IPsec VPN authenticating a remote FortiGate peer with a certificate

This is a sample configuration of IPsec VPN authenticating a remote FortiGate peer with a certificate. The certificate on one peer is validated by the presence of the CA certificate installed on the other peer.

To configure IPsec VPN authenticating a remote FortiGate peer with a digital certificate in the GUI:
  1. Import the certificate.
  2. Configure user peers.
  3. Configure the HQ1 FortiGate.
    1. Go to VPN > IPsec Wizard and configure the following settings for VPN Setup:
      1. Enter a VPN name.
      2. For Template Type, select Site to Site.
      3. For Remote Device Type, select FortiGate.
      4. For NAT Configuration, select No NAT Between Sites.
      5. Click Next.
    2. Configure the following settings for Authentication:
      1. For Remote Device, select IP Address.
      2. For the IP address, enter 172.16.202.1.
      3. For Outgoing interface, enter port1.
      4. For Authentication Method, select Signature.
      5. In the Certificate name field, select the imported certificate.
      6. From the Peer Certificate CA dropdown list, select the desired peer CA certificate.
      7. Click Next.
    3. Configure the following settings for Policy & Routing:
      1. From the Local Interface dropdown menu, select the local interface.
      2. Configure the Local Subnets as 10.1.100.0.
      3. Configure the Remote Subnets as 172.16.101.0.
      4. Click Create.
  4. Configure the HQ2 FortiGate.
    1. Go to VPN > IPsec Wizard and configure the following settings for VPN Setup:
      1. Enter a VPN name.
      2. For Template Type, select Site to Site.
      3. For Remote Device Type, select FortiGate.
      4. For NAT Configuration, select No NAT Between Sites.
      5. Click Next.
    2. Configure the following settings for Authentication:
      1. For Remote Device, select IP Address.
      2. For the IP address, enter 172.16.2001.
      3. For Outgoing interface, enter port25.
      4. For Authentication Method, select Signature.
      5. In the Certificate name field, select the imported certificate.
      6. From the Peer Certificate CA dropdown list, select the peer CA certificate.
      7. Click Next.
    3. Configure the following settings for Policy & Routing:
      1. From the Local Interface dropdown menu, select the local interface.
      2. Configure Local Subnets as 172.16.101.0.
      3. Configure the Remote Subnets as 10.1.100.0.
      4. Click Create.
To configure IPsec VPN authenticating a remote FortiGate peer with a digital certificate using the CLI:
  1. Configure the WAN interface and default route. The WAN interface is the interface connected to the ISP. The IPsec tunnel is established over the WAN interface.
    1. Configure HQ1.
      config system interface 
          edit "port1"
              set vdom "root"
              set ip 172.16.200.1 255.255.255.0
          next
      end
      config router static
          edit 1
              set gateway 172.16.200.3
              set device "port1"
          next
      end
    2. Configure HQ2.
      config system interface
          edit "port25"
              set vdom "root"
              set ip 172.16.202.1 255.255.255.0
          next
      end
      config router static
          edit 1
              set gateway 172.16.202.2
              set device "port25"
          next
      end
  2. Configure the internal (protected subnet) interface. The internal interface connects to the corporate internal network. Traffic from this interface routes out the IPsec VPN tunnel.
    1. Configure HQ1.
      config system interface
          edit "dmz"
              set vdom "root"
              set ip 10.1.100.1 255.255.255.0
          next
      end
    2. Configure HQ2.
      config system interface
          edit "port9"
              set vdom "root"
              set ip 172.16.101.1 255.255.255.0
          next
      end 
  3. Configure the import certificate and its CA certificate information. The certificate and its CA certificate must be imported on the remote peer FortiGate and on the primary FortiGate before configuring IPsec VPN tunnels. If the built-in Fortinet_Factory certificate and the Fortinet_CA CA certificate are used for authentication, you can skip this step.
    1. Configure HQ1.
      config vpn certificate local
          edit "test1"
              ...
              set range global
          next
      end
      config vpn certificate ca
          edit "CA_Cert_1"
              ...
              set range global
          next
      end
    2. Configure HQ2.
      config vpn certificate local
          edit "test2"
              ...
              set range global
          next
      end
      config vpn certificate ca
          edit "CA_Cert_1"
              ...
              set range global
          next
      end
  4. Configure the peer user. The peer user is used in the IPsec VPN tunnel peer setting to authenticate the remote peer FortiGate.
    1. If not using the built-in Fortinet_Factory certificate and Fortinet_CA CA certificate, do the following:
      1. Configure HQ1.
        config user peer
            edit "peer1"
                set ca "CA_Cert_1"
            next
        end
      2. Configure HQ2.
        config user peer
            edit "peer2"
                set ca "CA_Cert_1"
            next
        end
    2. If the built-in Fortinet_Factory certificate and Fortinet_CA CA certificate are used for authentication, the peer user must be configured based on Fortinet_CA.
      1. Configure HQ1.
        config user peer
            edit "peer1"
                set ca "Fortinet_CA"
            next
        end
      2. Configure HQ2.
        config user peer
            edit "peer2"
                set ca "Fortinet_CA"
            next
        end
  5. Configure the IPsec phase1-interface.
    1. Configure HQ1.
      config vpn ipsec phase1-interface
          edit "to_HQ2"
              set interface "port1"
              set authmethod signature
              set net-device enable
              set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
              set remote-gw 172.16.202.1
              set certificate "test1"
              set peer "peer1"
          next
      end
    2. Configure HQ2.
      config vpn ipsec phase1-interface
          edit "to_HQ1" 
              set interface "port25"
              set authmethod signature
              set net-device enable
              set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
              set remote-gw 172.16.200.1
              set certificate "test2"
              set peer "peer2"
          next
      end
  6. Configure the IPsec phase2-interface.
    1. Configure HQ1.
      config vpn ipsec phase2-interface
          edit "to_HQ2"
              set phase1name "to_HQ2"
              set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
              set auto-negotiate enable
          next
      end
    2. Configure HQ2.
      config vpn ipsec phase2-interface
          edit "to_HQ2"
              set phase1name "to_HQ1"
              set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
              set auto-negotiate enable
          next
      end
  7. Configure the static routes. Two static routes are added to reach the remote protected subnet. The blackhole route is important to ensure that IPsec traffic does not match the default route when the IPsec tunnel is down.
    1. Configure HQ1.
      config router static
          edit 2
              set dst 172.16.101.0 255.255.255.0
              set device "to_HQ2"
          next
          edit 3
              set dst 172.16.101.0 255.255.255.0
              set blackhole enable
              set distance 254
          next
      end
    2. Configure HQ2.
      config router static
          edit 2
              set dst 10.1.100.0 255.255.255.0
              set device "to_HQ1"
          next
          edit 3
              set dst 10.1.100.0 255.255.255.0
              set blackhole enable
              set distance 254
           next
      end
  8. Configure two firewall policies to allow bidirectional IPsec traffic flow over the IPsec VPN tunnel.
    1. Configure HQ1.
      config firewall policy
          edit 1
              set name "inbound"
              set srcintf "to_HQ2"
              set dstintf "dmz"
              set srcaddr "172.16.101.0"
              set dstaddr "10.1.100.0"
              set action accept
              set schedule "always"
              set service "ALL"
          next
          edit 2
              set name "outbound"
              set srcintf "dmz"
              set dstintf "to_HQ2"
              set srcaddr "10.1.100.0"
              set dstaddr "172.16.101.0"
              set action accept
              set schedule "always"
              set service "ALL"
          next
      end
    2. Configure HQ2.
      config firewall policy
          edit 1
              set name "inbound"
              set srcintf "to_HQ1"
              set dstintf "port9"
              set srcaddr "10.1.100.0"
              set dstaddr "172.16.101.0"
              set action accept
              set schedule "always"
              set service "ALL"
          next
          edit 2
              set name "outbound"
              set srcintf "port9"
              set dstintf "to_HQ1"
              set srcaddr "172.16.101.0"
              set dstaddr "10.1.100.0"
              set action accept
              set schedule "always"
              set service "ALL"
          next
      end
  9. Run diagnose commands. The diagnose debug application ike -1 command is the key to troubleshoot why the IPsec tunnel failed to establish. If the remote FortiGate certificate cannot be validated, the following error shows up in the debug output:
    ike 0: to_HQ2:15314: certificate validation failed
    

    The following commands are useful to check IPsec phase1/phase2 interface status.

    1. Run the diagnose vpn ike gateway list command on HQ1. The system should return the following:
      vd: root/0
      name: to_HQ2
      version: 1
      interface: port1 11
      addr: 172.16.200.1:500 -> 172.16.202.1:500
      created: 7s ago
      peer-id: C = CA, ST = BC, L = Burnaby, O = Fortinet, OU = QA, CN = test2
      peer-id-auth: yes
      IKE SA: created 1/1 established 1/1 time 70/70/70 ms
      IPsec SA: created 1/1 established 1/1 time 80/80/80 ms
      id/spi: 15326 295be407fbddfc13/7a5a52afa56adf14 direction: initiator status: established 7-7s ago = 70ms proposal: aes128-sha256 key: 4aa06dbee359a4c7-43570710864bcf7b lifetime/rekey: 86400/86092 DPD sent/recv: 00000000/00000000 peer-id: C = CA, ST = BC, L = Burnaby, O = Fortinet, OU = QA, CN = test2
    2. Run the diagnose vpn tunnel list command on HQ1. The system should return the following:
      list all ipsec tunnel in vd 0
      name=to_HQ2 ver=1 serial=1 172.16.200.1:0->172.16.202.1:0
      bound_if=11 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/528 options[0210]=create_dev frag-rfcaccept_traffic=1
      proxyid_num=1 child_num=0 refcnt=14 ilast=19 olast=179 ad=/0
      stat: rxp=0 txp=0 rxb=0 txb=0
      dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=0
      natt: mode=none draft=0 interval=0 remote_port=0
      proxyid=vpn-f proto=0 sa=1 ref=2 serial=1 auto-negotiate
      src: 0:0.0.0.0/0.0.0.0:0
      dst: 0:0.0.0.0/0.0.0.0:0
      SA: ref=3 options=18227 type=00 soft=0 mtu=1438 expire=42717/0B replaywin=2048 seqno=1 esn=0 replaywin_lastseq=00000000 itn=0
      life: type=01 bytes=0/0 timeout=42897/43200
      dec: spi=72e87de7 esp=aes key=16 8b2b93e0c149d6f22b1c0b96ea450e6c
      ah=sha1 key=20 facc655e5f33beb7c2b12e718a6d55413ce3efa2
      enc: spi=5c52c865 esp=aes key=16 8d0c4e4adbf2338beed569b2b3205ece
      ah=sha1 key=20 553331628612480ab6d7d563a00e2a967ebabcdd
      dec:pkts/bytes=0/0, enc:pkts/bytes=0/0