Site-to-site VPN with digital certificate

This is a sample configuration of an IPsec VPN that authenticates a remote FortiGate peer with a certificate. Each peer validates the certificate presented by the other peer against the CA certificate installed locally, so the CA certificate must be present on both sides.

To configure IPsec VPN authenticating a remote FortiGate peer with a digital certificate in the GUI:
  1. Import the certificate.
  2. Configure user peers.
  3. Configure the HQ1 FortiGate.
    1. Go to VPN > IPsec Wizard and configure the following settings for VPN Setup:
      1. Enter a VPN name.
      2. For Template Type, select Site to Site.
      3. For Remote Device Type, select FortiGate.
      4. For NAT Configuration, select No NAT Between Sites.
      5. Click Next.
    2. Configure the following settings for Authentication:
      1. For Remote Device, select IP Address.
      2. For the IP address, enter 172.16.202.1.
      3. For Outgoing interface, enter port1.
      4. For Authentication Method, select Signature.
      5. In the Certificate name field, select the imported certificate.
      6. From the Peer Certificate CA dropdown list, select the desired peer CA certificate.
      7. Click Next.
    3. Configure the following settings for Policy & Routing:
      1. From the Local Interface dropdown menu, select the local interface.
      2. Configure the Local Subnets as 10.1.100.0.
      3. Conf
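For reference, the same wizard settings expressed as a FortiOS CLI configuration. This is an added example, not part of this page; the object names (HQ2_CA, HQ2_peer, HQ1_cert, to_HQ2), the /24 mask on 10.1.100.0, and the remote subnet 10.2.100.0/24 are assumptions.

```text
# Constructed example; object names and both subnet masks are assumptions.
# Peer object: the remote FortiGate is accepted only if its certificate
# chains to this CA (the CA certificate must already be imported).
config user peer
    edit "HQ2_peer"
        set ca "HQ2_CA"
    next
end

# Phase 1: signature authentication with the local certificate,
# restricted to the peer object above rather than any certificate.
config vpn ipsec phase1-interface
    edit "to_HQ2"
        set interface "port1"
        set ike-version 2
        set peertype peer
        set authmethod signature
        set certificate "HQ1_cert"
        set peer "HQ2_peer"
        set remote-gw 172.16.202.1
    next
end

# Phase 2: local subnet from the wizard; the remote subnet is assumed.
config vpn ipsec phase2-interface
    edit "to_HQ2"
        set phase1name "to_HQ2"
        set src-subnet 10.1.100.0 255.255.255.0
        set dst-subnet 10.2.100.0 255.255.255.0
    next
end
```

Once both peers are configured, `diagnose vpn ike gateway list` shows whether phase 1 is established and which peer object matched.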