Site-to-site VPN with digital certificate
This is a sample configuration of an IPsec VPN in which a FortiGate authenticates a remote FortiGate peer with a certificate. During IKE, each peer signs the exchange with its own certificate, and the receiving peer accepts that signature only if the certificate chains to a CA certificate installed locally. The user peer configured below binds the tunnel to that CA and, optionally, to a specific certificate subject or CN; without that restriction, any certificate issued by the same CA could authenticate as the remote site.
To configure IPsec VPN authenticating a remote FortiGate peer with a digital certificate in the GUI:
- Import the certificate.
- Configure user peers.
- Configure the HQ1 FortiGate.
  - Go to VPN > IPsec Wizard and configure the following settings for VPN Setup:
    - Enter a VPN name.
    - For Template Type, select Site to Site.
    - For Remote Device Type, select FortiGate.
    - For NAT Configuration, select No NAT Between Sites.
    - Click Next.
  - Configure the following settings for Authentication:
    - For Remote Device, select IP Address.
    - For the IP address, enter 172.16.202.1.
    - For Outgoing interface, select port1.
    - For Authentication Method, select Signature.
    - In the Certificate name field, select the imported certificate.
    - From the Peer Certificate CA dropdown list, select the desired peer CA certificate.
    - Click Next.
  - Configure the following settings for Policy & Routing:
    - From the Local Interface dropdown menu, select the local interface.
    - Configure the Local Subnets as 10.1.100.0.
    - Conf
- Go to VPN > IPsec Wizard and configure the following settings for VPN Setup: