Fortinet Cookbook
Doc ID: 664e9f16-22ad-11eb-96b9-00505692583a:560886
Pre-shared key vs digital certificates

A FortiGate can authenticate itself to remote peers or dialup clients using either a pre-shared key or a digital certificate.

Pre-shared key

Using a pre-shared key is less secure than using certificates, especially if it is used alone, without requiring peer IDs or extended authentication (XAuth). The key must also be distributed to every peer over a secure, out-of-band channel: anyone who obtains it can impersonate a peer, and with IKEv1 aggressive mode a passive attacker can capture the PSK-based authentication hash from the unencrypted exchange and attempt an offline dictionary attack against it, which is why the key must be long and random.

If you use pre-shared key authentication alone, all remote peers and dialup clients must be configured with the same pre-shared key, so a compromise of any one of them exposes every tunnel that uses it. Optionally, you can configure remote peers and dialup clients with unique pre-shared keys. On the FortiGate, these are configured in user accounts, not in the phase 1 settings.

The pre-shared key must contain at least six printable characters and should be known only by network administrators. For optimum protection against currently known attacks, the key must consist of a minimum of 16 randomly chosen alphanumeric characters. The limit is 128 characters.

If you authenticate the FortiGate using a pre-shared key, you can additionally require remote peers or dialup clients to present a peer ID, but not a client certificate.

To authenticate the FortiGate using a pre-shared key:
  1. Go to VPN > IPsec Tunnels and create a new tunnel, or edit an existing one.
  2. Configure or edit the Network section as needed.
  3. Configure or edit the Authentication settings as follows:

    Method: Pre-shared Key
    Pre-shared Key: <string> (at least 16 randomly chosen alphanumeric characters, up to 128)
    IKE Version: 1 or 2
    Mode: Aggressive or Main (IKEv1 only; IKEv2 has no mode setting)
    Peer Options: Select an Accept Type and the corresponding peer. Options vary based on the Remote Gateway and Authentication Method settings in the Network section. Peer Options are only available in Aggressive mode.

  4. For the Phase 1 Proposal section, keep the default settings unless changes are needed to meet your requirements.
  5. Optionally, for dialup clients, define XAUTH parameters so that clients must also authenticate with user credentials from a user group, in addition to the pre-shared key.
  6. Click OK.
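The CLI equivalent of the GUI procedure above, as an added example that is not part of the original Fortinet page. It shows the two pre-shared key shapes the text describes: a static site-to-site tunnel with one shared key, and a dialup tunnel that additionally requires a specific peer ID and XAuth. The tunnel names, interface, remote gateway address, peer ID and user group (hq-to-branch, dialup-psk, wan1, 203.0.113.10, branch-office-1, vpn-users) are assumptions; replace them with your own values.

```fortios
# Added example, not from the original Fortinet page. Names, interface,
# address, peer ID and user group below are assumptions.

# 1) Static site-to-site tunnel, IKEv2, one pre-shared key held by both peers.
config vpn ipsec phase1-interface
    edit "hq-to-branch"
        set type static
        set interface "wan1"
        set ike-version 2
        set authmethod psk
        set peertype any
        set remote-gw 203.0.113.10
        # Phase 1 proposal: keep the defaults unless you need something else;
        # shown explicitly here so the review is self-contained.
        set proposal aes256-sha256
        set dhgrp 14
        # At least 16 randomly chosen alphanumeric characters (max 128).
        # Generate it with a CSPRNG, hand it over out of band, and do not
        # reuse it between tunnels.
        set psksecret <random key>
    next
end

# 2) Dialup tunnel, IKEv1 aggressive mode: the remote side must present the
#    expected peer ID (Accept Type: specific peer ID) and dialup users must
#    also pass XAuth against a local user group.
config vpn ipsec phase1-interface
    edit "dialup-psk"
        set type dynamic
        set interface "wan1"
        set ike-version 1
        set mode aggressive
        set authmethod psk
        set peertype one
        set peerid "branch-office-1"
        set xauthtype auto
        set authusrgrp "vpn-users"
        set psksecret <random key>
    next
end
```

After committing, `show vpn ipsec phase1-interface` displays the key only in its stored `ENC` form, and `diagnose vpn ike gateway list` shows whether the peer completed phase 1 and, for the dialup tunnel, which peer ID it presented.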

Digital certificates

To authenticate the FortiGate using digital certificates, you must have the required certificates installed on the remote peer and on the FortiGate: each peer needs its own signed certificate with the matching private key, plus the CA (root) certificate that issued the other peer's certificate. The certificate one peer presents is validated against that CA certificate installed on the other peer, so no secret ever has to be shared between the peers. If you use certificates to authenticate the FortiGate, you can also require the remote peers or dialup clients to authenticate using certificates. See Site-to-site VPN with digital certificate for a detailed example.

To authenticate the FortiGate using a digital certificate:
  1. Go to VPN > IPsec Tunnels and create a new tunnel, or edit an existing one.
  2. Configure or edit the Network section as needed.
  3. Configure or edit the Authentication settings as follows:

    Method: Signature
    Certificate Name: Select the certificate used to identify this FortiGate. If there are no imported certificates, use Fortinet_Factory.
    IKE Version: 1 or 2
    Mode: Aggressive is recommended (IKEv1 only; IKEv2 has no mode setting)
    Peer Options: For Accept Type, select Peer certificate and select the peer and the CA certificate used to authenticate the peer. If the other end is using the Fortinet_Factory certificate, then use the Fortinet_CA certificate here. Because Fortinet_CA issues the factory certificate of every Fortinet device, trusting that CA alone would accept any FortiGate as a peer; the peer entry you select should pin the subject of the remote certificate, and production deployments should import certificates from your own PKI rather than rely on the factory certificate.

  4. For the Phase 1 Proposal section, keep the default settings unless changes are needed to meet your requirements.
  5. Optionally, for dialup clients, define XAUTH parameters so that clients must also authenticate with user credentials from a user group.
  6. Click OK.
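The CLI equivalent of the certificate procedure above, as an added example that is not part of the original Fortinet page. It defines the remote peer (which CA must have issued its certificate and which subject CN it must carry) and then a phase 1 that presents this FortiGate's certificate and accepts only that peer. The tunnel name, interface, remote gateway address, peer entry name and peer CN (hq-to-branch-cert, wan1, 203.0.113.10, branch-peer, FGT-BRANCH-1) are assumptions; use the subject of the certificate the remote peer actually presents.

```fortios
# Added example, not from the original Fortinet page. Names, interface,
# address and the peer CN below are assumptions.

# Describe the remote peer: certificate must chain to this CA and carry this
# subject CN. Pinning the CN is what prevents any other device holding a
# certificate from the same CA (here, every FortiGate's Fortinet_Factory
# certificate) from being accepted.
config user peer
    edit "branch-peer"
        set ca "Fortinet_CA"
        set cn "FGT-BRANCH-1"
        set cn-type string
    next
end

config vpn ipsec phase1-interface
    edit "hq-to-branch-cert"
        set type static
        set interface "wan1"
        set ike-version 1
        # Aggressive mode as the page recommends; omit "set mode" with IKEv2.
        set mode aggressive
        set authmethod signature
        # Certificate this FortiGate presents to identify itself.
        set certificate "Fortinet_Factory"
        # Accept Type: Peer certificate -> only the peer defined above.
        set peertype peer
        set peer "branch-peer"
        set remote-gw 203.0.113.10
        set proposal aes256-sha256
        set dhgrp 14
    next
end
```

If the remote side uses a certificate from your own PKI instead of Fortinet_Factory, import that PKI's CA certificate first and reference it in `set ca` in place of Fortinet_CA; the peer CN pin stays the same.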
