Created on 11-22-2005 12:00 AM Edited on 04-28-2023 01:02 AM By Jean-Philippe_P
Description
This article describes how to use IPSec VPN certificates and peer IDs for remote users.

Scope
- All FortiGate units running FortiOS v2.80 MR11.
- FortiClient 2.0.

Solution
When using certificates to authenticate remote VPN IPSec users, it is possible to configure the FortiGate unit to only authenticate certain certificates based on information in the Subject ('Issued Common Name') field.
Note: This article assumes that the reader is already familiar with the basic FortiGate and FortiClient VPN certificate configuration requirements.
To configure the FortiGate unit:
1) Go to VPN -> IPSec -> Phase 1.
2) Select Accept this peer ID.
The 'Subject' field of the certificate will be the Peer ID value that the FortiGate unit uses to authenticate.
In the example above, the Subject is simply the Common Name with an email address, but it could be a full Distinguished Name containing Country (C), Organization (O), Organizational Unit (OU), and Common Name (CN) information.
Peer ID authentication can then be based on the entire Subject field, or on just part of it.
If there are multiple remote VPN users with certificates, each of these users must be defined on the FortiGate unit. Place them in a 'peer certificate group', and then authenticate against this group.
This allows a single Phase 1 configuration to serve all the remote users. It can also be used to control precisely which FortiClient (certificate) can or cannot authenticate, as long as each one has unique Subject information.
This feature can only be configured via CLI commands. See the example below:
# config user peer
The 'ca' information is obtained from the web-based manager by going to VPN -> Certificates -> CA Certificates, and using the Name from the list.
It is also possible to obtain the information using the CLI command execute vpn cert ca list. After the user peer and user peergrp entries have been configured, they are displayed, and can be edited, in the web-based manager.
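The following is an added example of the CLI configuration described above, not a snippet from the original article: two remote users defined as user peers, collected into a peer certificate group, and bound to the dialup Phase 1 with set peertype peergrp (the CLI counterpart of selecting the group in Phase 1). The CA name "CA_Cert_1", the peer and group names, the Subject values and the Phase 1 name "Remote_Users" are assumed placeholders; use the CA Name shown under VPN -> Certificates -> CA Certificates and the Subject exactly as the FortiGate displays it for each certificate.

```fortios
# Added example (assumed names). Each remote user is identified by the CA
# that issued its certificate ("set ca") and by its certificate Subject.
config user peer
    edit "user1_peer"
        set ca "CA_Cert_1"
        # Full Subject match: only a certificate with this exact Subject
        # (and issued by CA_Cert_1) is accepted.
        set subject "C=US, O=Example Corp, OU=Sales, CN=user1@example.com"
    next
    edit "user2_peer"
        set ca "CA_Cert_1"
        # Partial Subject match: only the CN portion of the Subject is checked.
        # Keep the constraint specific enough that no other certificate
        # from the same CA can satisfy it.
        set subject "CN=user2@example.com"
    next
end

# Collect the peers into a peer certificate group so that one Phase 1
# serves all remote users.
config user peergrp
    edit "Remote_Users_Grp"
        set member "user1_peer" "user2_peer"
    next
end

# Bind the group to the dialup Phase 1. Only certificates matching one of
# the group members (CA plus Subject) are allowed to authenticate.
config vpn ipsec phase1
    edit "Remote_Users"
        set peertype peergrp
        set peergrp "Remote_Users_Grp"
    next
end
```

Removing a user's entry from the group is what revokes that client's ability to authenticate on this Phase 1, so keep one peer entry per certificate rather than a single broad Subject constraint.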
An authenticated remote FortiClient user will be displayed as follows in the FortiGate unit's IPSec Monitor.