This is a sample configuration of IPsec VPN authenticating a remote FortiGate peer with a certificate. The certificate on one peer is validated by the presence of the CA certificate installed on the other peer.
To configure IPsec VPN authenticating a remote FortiGate peer with a digital certificate in the GUI:
- Import the certificate.
- Configure user peers.
- Configure the HQ1 FortiGate.
- Go to VPN > IPsec Wizard and configure the following settings for VPN Setup:
- Enter a VPN name.
- For Template Type, select Site to Site.
- For Remote Device Type, select FortiGate.
- For NAT Configuration, select No NAT Between Sites.
- Click Next.
- Configure the following settings for Authentication:
- For Remote Device, select IP Address.
- For the IP address, enter 172.16.202.1.
- For Outgoing interface, enter port1.
- For Authentication Method, select Signature.
- In the Certificate name field, select the imported certificate.
- From the Peer Certificate CA dropdown list, select the desired peer CA certificate.
- Click Next.
- Configure the following settings for Policy & Routing:
- From the Local Interface dropdown menu, select the local interface.
- Configure the Local Subnets as 10.1.100.0.
- Configure the Remote Subnets as 172.16.101.0.
- Click Create.
- Go to VPN > IPsec Wizard and configure the following settings for VPN Setup:
- Configure the HQ2 FortiGate.
- Go to VPN > IPsec Wizard and configure the following settings for VPN Setup:
- Enter a VPN name.
- For Template Type, select Site to Site.
- For Remote Device Type, select FortiGate.
- For NAT Configuration, select No NAT Between Sites.
- Click Next.
- Configure the following settings for Authentication:
- For Remote Device, select IP Address.
- For the IP address, enter 172.16.2001.
- For Outgoing interface, enter port25.
- For Authentication Method, select Signature.
- In the Certificate name field, select the imported certificate.
- From the Peer Certificate CA dropdown list, select the peer CA certificate.
- Click Next.
- Configure the following settings for Policy & Routing:
- From the Local Interface dropdown menu, select the local interface.
- Configure Local Subnets as 172.16.101.0.
- Configure the Remote Subnets as 10.1.100.0.
- Click Create.
- Go to VPN > IPsec Wizard and configure the following settings for VPN Setup:
To configure IPsec VPN authenticating a remote FortiGate peer with a digital certificate using the CLI:
- Configure the WAN interface and default route. The WAN interface is the interface connected to the ISP. The IPsec tunnel is established over the WAN interface.
- Configure HQ1.
config system interface edit "port1" set vdom "root" set ip 172.16.200.1 255.255.255.0 next end config router static edit 1 set gateway 172.16.200.3 set device "port1" next end - Configure HQ2.
config system interface edit "port25" set vdom "root" set ip 172.16.202.1 255.255.255.0 next end config router static edit 1 set gateway 172.16.202.2 set device "port25" next end
- Configure HQ1.
- Configure the internal (protected subnet) interface. The internal interface connects to the corporate internal network. Traffic from this interface routes out the IPsec VPN tunnel.
- Configure HQ1.
config system interface edit "dmz" set vdom "root" set ip 10.1.100.1 255.255.255.0 next end - Configure HQ2.
config system interface edit "port9" set vdom "root" set ip 172.16.101.1 255.255.255.0 next end
- Configure HQ1.
- Configure the import certificate and its CA certificate information. The certificate and its CA certificate must be imported on the remote peer FortiGate and on the primary FortiGate before configuring IPsec VPN tunnels. If the built-in Fortinet_Factory certificate and the Fortinet_CA CA certificate are used for authentication, you can skip this step.
- Configure HQ1.
config vpn certificate local edit "test1" ... set range global next end config vpn certificate ca edit "CA_Cert_1" ... set range global next end - Configure HQ2.
config vpn certificate local edit "test2" ... set range global next end config vpn certificate ca edit "CA_Cert_1" ... set range global next end
- Configure HQ1.
- Configure the peer user. The peer user is used in the IPsec VPN tunnel peer setting to authenticate the remote peer FortiGate.
- If not using the built-in Fortinet_Factory certificate and Fortinet_CA CA certificate, do the following:
- Configure HQ1.
config user peer edit "peer1" set ca "CA_Cert_1" next end - Configure HQ2.
config user peer edit "peer2" set ca "CA_Cert_1" next end
- Configure HQ1.
- If the built-in Fortinet_Factory certificate and Fortinet_CA CA certificate are used for authentication, the peer user must be configured based on Fortinet_CA.
- Configure HQ1.
config user peer edit "peer1" set ca "Fortinet_CA" next end - Configure HQ2.
config user peer edit "peer2" set ca "Fortinet_CA" next end
- Configure HQ1.
- If not using the built-in Fortinet_Factory certificate and Fortinet_CA CA certificate, do the following:
- Configure the IPsec phase1-interface.
- Configure HQ1.
config vpn ipsec phase1-interface edit "to_HQ2" set interface "port1" set authmethod signature set net-device enable set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1 set remote-gw 172.16.202.1 set certificate "test1" set peer "peer1" next end - Configure HQ2.
config vpn ipsec phase1-interface edit "to_HQ1" set interface "port25" set authmethod signature set net-device enable set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1 set remote-gw 172.16.200.1 set certificate "test2" set peer "peer2" next end
- Configure HQ1.
- Configure the IPsec phase2-interface.
- Configure HQ1.
config vpn ipsec phase2-interface edit "to_HQ2" set phase1name "to_HQ2" set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305 set auto-negotiate enable next end - Configure HQ2.
config vpn ipsec phase2-interface edit "to_HQ2" set phase1name "to_HQ1" set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305 set auto-negotiate enable next end
- Configure HQ1.
- Configure the static routes. Two static routes are added to reach the remote protected subnet. The blackhole route is important to ensure that IPsec traffic does not match the default route when the IPsec tunnel is down.
- Configure HQ1.
config router static edit 2 set dst 172.16.101.0 255.255.255.0 set device "to_HQ2" next edit 3 set dst 172.16.101.0 255.255.255.0 set blackhole enable set distance 254 next end - Configure HQ2.
config router static edit 2 set dst 10.1.100.0 255.255.255.0 set device "to_HQ1" next edit 3 set dst 10.1.100.0 255.255.255.0 set blackhole enable set distance 254 next end
- Configure HQ1.
- Configure two firewall policies to allow bidirectional IPsec traffic flow over the IPsec VPN tunnel.
- Configure HQ1.
config firewall policy edit 1 set name "inbound" set srcintf "to_HQ2" set dstintf "dmz" set srcaddr "172.16.101.0" set dstaddr "10.1.100.0" set action accept set schedule "always" set service "ALL" next edit 2 set name "outbound" set srcintf "dmz" set dstintf "to_HQ2" set srcaddr "10.1.100.0" set dstaddr "172.16.101.0" set action accept set schedule "always" set service "ALL" next end - Configure HQ2.
config firewall policy edit 1 set name "inbound" set srcintf "to_HQ1" set dstintf "port9" set srcaddr "10.1.100.0" set dstaddr "172.16.101.0" set action accept set schedule "always" set service "ALL" next edit 2 set name "outbound" set srcintf "port9" set dstintf "to_HQ1" set srcaddr "172.16.101.0" set dstaddr "10.1.100.0" set action accept set schedule "always" set service "ALL" next end
- Configure HQ1.
- Run
diagnosecommands. Thediagnose debug application ike -1command is the key to troubleshoot why the IPsec tunnel failed to establish. If the remote FortiGate certificate cannot be validated, the following error shows up in the debug output:ike 0: to_HQ2:15314: certificate validation failed
The following commands are useful to check IPsec phase1/phase2 interface status.
- Run the
diagnose vpn ike gateway listcommand on HQ1. The system should return the following:vd: root/0 name: to_HQ2 version: 1 interface: port1 11 addr: 172.16.200.1:500 -> 172.16.202.1:500 created: 7s ago peer-id: C = CA, ST = BC, L = Burnaby, O = Fortinet, OU = QA, CN = test2 peer-id-auth: yes IKE SA: created 1/1 established 1/1 time 70/70/70 ms IPsec SA: created 1/1 established 1/1 time 80/80/80 ms id/spi: 15326 295be407fbddfc13/7a5a52afa56adf14 direction: initiator status: established 7-7s ago = 70ms proposal: aes128-sha256 key: 4aa06dbee359a4c7-43570710864bcf7b lifetime/rekey: 86400/86092 DPD sent/recv: 00000000/00000000 peer-id: C = CA, ST = BC, L = Burnaby, O = Fortinet, OU = QA, CN = test2
- Run the
diagnose vpn tunnel listcommand on HQ1. The system should return the following:list all ipsec tunnel in vd 0 name=to_HQ2 ver=1 serial=1 172.16.200.1:0->172.16.202.1:0 bound_if=11 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/528 options[0210]=create_dev frag-rfcaccept_traffic=1 proxyid_num=1 child_num=0 refcnt=14 ilast=19 olast=179 ad=/0 stat: rxp=0 txp=0 rxb=0 txb=0 dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=0 natt: mode=none draft=0 interval=0 remote_port=0 proxyid=vpn-f proto=0 sa=1 ref=2 serial=1 auto-negotiate src: 0:0.0.0.0/0.0.0.0:0 dst: 0:0.0.0.0/0.0.0.0:0 SA: ref=3 options=18227 type=00 soft=0 mtu=1438 expire=42717/0B replaywin=2048 seqno=1 esn=0 replaywin_lastseq=00000000 itn=0 life: type=01 bytes=0/0 timeout=42897/43200 dec: spi=72e87de7 esp=aes key=16 8b2b93e0c149d6f22b1c0b96ea450e6c ah=sha1 key=20 facc655e5f33beb7c2b12e718a6d55413ce3efa2 enc: spi=5c52c865 esp=aes key=16 8d0c4e4adbf2338beed569b2b3205ece ah=sha1 key=20 553331628612480ab6d7d563a00e2a967ebabcdd dec:pkts/bytes=0/0, enc:pkts/bytes=0/0
- Run the