Description
This article explains how to configure a client-to-site (dial-up) IPsec VPN with RSA certificate authentication.
The following certificates are required to configure a dial-up VPN using RSA:
- Server Certificate.
- CA certificate.
- User certificate.
Scope
FortiOS 5.0 and 5.2.
Solution
The following steps configure certificate-based authentication for a dial-up VPN.
1) On the FortiGate, add the server certificate under Local Certificates.
2) Add the CA certificate under CA Certificates.
3) Create PKI users.
config user peer
    edit "ssluser1"
        set ca "CA_Cert_1"
        set subject "ssluser1"
    next
end
The subject value must match the subject of the user certificate. Repeat this for every user.
4) Add the PKI users to PKI groups.
config user peergrp
    edit "peergrp"
        set member "ssluser1"
    next
end
5) On the dial-up VPN profile, select the server certificate and the peer group.
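Steps 3 and 4 above depend on the "set subject" value matching the subject of each user certificate, and on every user certificate actually chaining to the CA that is loaded under CA Certificates. The following Go program is an added example, not Fortinet code or FortiOS functionality: it verifies each user certificate against the CA (chain, validity period, client-authentication usage), takes the subject from the certificate itself so the two cannot drift apart, and renders the "config user peer" / "config user peergrp" CLI shown in this article. The certificates it uses are generated in memory as constructed test data; the names "CA_Cert_1", "peergrp" and "ssluserN" come from the article, and matching on the certificate Common Name is an assumption of the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// makeCert issues a constructed test certificate for common name cn, valid until notAfter.
// When parent is nil the certificate is a self-signed CA; otherwise it is an end-entity
// certificate signed by parent (this stands in for the real user certificates).
func makeCert(cn string, notAfter time.Time, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn, Organization: []string{"Example Corp"}},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              notAfter,
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
	}
	if parent == nil { // self-signed CA
		tmpl.IsCA = true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	} else { // end-entity certificate used by the VPN client
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// validateUserCert checks that cert chains to caCert, is valid at now and is usable for
// client authentication; it returns the subject CN that "set subject" must match.
func validateUserCert(cert, caCert *x509.Certificate, now time.Time) (string, error) {
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	opts := x509.VerifyOptions{
		Roots:       roots,
		CurrentTime: now,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if _, err := cert.Verify(opts); err != nil {
		return "", err
	}
	return cert.Subject.CommonName, nil
}

// buildPeerConfig validates every user certificate and renders the FortiOS
// "config user peer" and "config user peergrp" CLI for the ones that pass.
// Certificates that fail are returned in rejected, keyed by their CN, with the reason.
func buildPeerConfig(caName, groupName string, caCert *x509.Certificate, users []*x509.Certificate, now time.Time) (string, map[string]error) {
	rejected := map[string]error{}
	var accepted []string
	var b strings.Builder
	b.WriteString("config user peer\n")
	for _, u := range users {
		subject, err := validateUserCert(u, caCert, now)
		if err != nil {
			rejected[u.Subject.CommonName] = err
			continue
		}
		accepted = append(accepted, fmt.Sprintf("%q", subject))
		fmt.Fprintf(&b, "    edit %q\n        set ca %q\n        set subject %q\n    next\n", subject, caName, subject)
	}
	b.WriteString("end\n")
	if len(accepted) > 0 {
		fmt.Fprintf(&b, "config user peergrp\n    edit %q\n        set member %s\n    next\nend\n",
			groupName, strings.Join(accepted, " "))
	}
	return b.String(), rejected
}

func main() {
	now := time.Now()
	caCert, caKey := makeCert("Example Corp Root CA", now.Add(24*time.Hour), nil, nil)
	rogueCA, rogueKey := makeCert("Untrusted CA", now.Add(24*time.Hour), nil, nil)
	users := []*x509.Certificate{}
	for _, cn := range []string{"ssluser1", "ssluser2"} { // good users
		c, _ := makeCert(cn, now.Add(24*time.Hour), caCert, caKey)
		users = append(users, c)
	}
	expired, _ := makeCert("ssluser3", now.Add(-30*time.Minute), caCert, caKey) // expired
	wrongCA, _ := makeCert("ssluser4", now.Add(24*time.Hour), rogueCA, rogueKey) // not our CA
	users = append(users, expired, wrongCA)

	cfg, rejected := buildPeerConfig("CA_Cert_1", "peergrp", caCert, users, now)
	fmt.Print(cfg)
	for cn, err := range rejected {
		fmt.Printf("rejected %s: %v\n", cn, err)
	}
}
```

Running it prints the peer and peer-group configuration for ssluser1 and ssluser2 only; the expired certificate and the one issued by a different CA are reported as rejected instead of being turned into peer entries, which is the same outcome the FortiGate would reach at IKE time but caught before the user is enrolled.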
On the Client PC
1) Add the user certificate to FortiClient.
Go to File > Settings > Certificate Management, enable "Use Local Certificate Uploads (IPsec only)" and import the user certificate.
2) Select the user certificate in the VPN profile.
The user will now be able to connect to the VPN successfully.
Troubleshooting
If the VPN still fails to establish, debug the IKE negotiation with the following commands.
    diagnose vpn ike log-filter dst-addr4 x.x.x.x
    diagnose debug application ike -1
    diagnose debug enable
where x.x.x.x is the IP address of the PC from which the VPN is being established.