FortiClient
FortiClient proactively defends against advanced attacks. Its tight integration with the Security Fabric enables policy-based automation to contain threats and control outbreaks. FortiClient is compatible with Fabric-Ready partners to further strengthen enterprises’ security posture.
jintrah_FTNT
Staff
Article Id 197820
Description
This article explains how to configure an IPsec dialup VPN with certificate-based authentication.

Solution
Requirements:
  • CA certificate
  • Server certificate
  • Client certificate
The following example uses openssl commands to generate the required certificates.

1) Generate CA Certificate ca.crt :
>openssl genrsa -des3 -out ca.key 4096
>openssl req -new -x509 -days 365 -key ca.key -out ca.crt

2) Generate Server Certificate server.crt :
>openssl genrsa -des3 -out server.key 4096
>openssl req -new -key server.key -out server.csr
>openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt

3) Generate Client Certificate client.crt (with a serial number different from the server certificate's, since both are issued by the same CA) and convert it to .p12 format for exporting with the private key:
>openssl genrsa -des3 -out client.key 4096
>openssl req -new -key client.key -out client.csr
>openssl x509 -req -days 365 -in client.csr -CA ca.crt -CAkey ca.key -set_serial 02 -out client.crt
>openssl pkcs12 -export -in client.crt -inkey client.key -certfile ca.crt -name "test" -out client.p12
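
The three openssl steps above as one unattended script, followed by the checks worth running before anything is imported into FortiGate or FortiClient. This is an added example, not part of the original article; the function names, subject names, the `PKI_PASS` passphrase variable and the use of AES-256 instead of `-des3` are assumptions.

```shell
#!/bin/sh
# Added example (not from the article). Constructed values: subject names,
# default passphrase, file layout. Keys are encrypted with AES-256, not -des3.
export PKI_PASS="${PKI_PASS:-constructed-example-passphrase}"

# make_leaf DIR NAME SERIAL BITS: key, CSR and certificate signed by DIR/ca.crt
make_leaf() {
    openssl genrsa -aes256 -passout env:PKI_PASS -out "$1/$2.key" "$4" 2>/dev/null &&
    openssl req -new -key "$1/$2.key" -passin env:PKI_PASS \
        -subj "/O=Example/CN=$2.example.test" -out "$1/$2.csr" &&
    openssl x509 -req -days 365 -in "$1/$2.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -passin env:PKI_PASS -set_serial "$3" -out "$1/$2.crt" 2>/dev/null
}

# build_pki DIR [BITS]: steps 1-3 of the article, run unattended
build_pki() {
    dir=$1; bits=${2:-4096}
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    openssl genrsa -aes256 -passout env:PKI_PASS -out "$dir/ca.key" "$bits" 2>/dev/null &&
    openssl req -new -x509 -days 365 -key "$dir/ca.key" -passin env:PKI_PASS \
        -subj "/O=Example/CN=Example VPN CA" -out "$dir/ca.crt" &&
    make_leaf "$dir" server 01 "$bits" &&
    make_leaf "$dir" client 02 "$bits" &&
    openssl pkcs12 -export -in "$dir/client.crt" -inkey "$dir/client.key" \
        -passin env:PKI_PASS -certfile "$dir/ca.crt" -name "test" \
        -passout env:PKI_PASS -out "$dir/client.p12"
}

# fp: SHA-256 fingerprint of the first PEM certificate read from stdin
fp() { openssl x509 -noout -fingerprint -sha256; }

# check_pki DIR: 0 if the files are consistent, otherwise the failed check's number
check_pki() {
    dir=$1
    # 1: both certificates must chain to the CA imported on the FortiGate
    openssl verify -CAfile "$dir/ca.crt" "$dir/server.crt" "$dir/client.crt" \
        >/dev/null 2>&1 || return 1
    # 2: one CA must not issue two certificates with the same serial number
    [ "$(openssl x509 -noout -serial -in "$dir/server.crt")" != \
      "$(openssl x509 -noout -serial -in "$dir/client.crt")" ] || return 2
    # 3: client.p12 must carry the client certificate that was just signed
    [ "$(openssl pkcs12 -in "$dir/client.p12" -passin env:PKI_PASS \
          -clcerts -nokeys 2>/dev/null | fp)" = "$(fp < "$dir/client.crt")" ] || return 3
}
```

The passphrase is read from the environment (`env:PKI_PASS`) so it does not appear in the process list.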

4) FortiGate and FortiClient Configuration:

a) Import CA and Server certificates on FortiGate.


b) Configure user peer and peer usergroup.
#config user peer
#edit user1
#set ca CA_Cert_2
#end

#config user peergrp
#edit user_group1
#set member user1
#end

c) FortiGate IPSec config.


d) FortiClient config.

Import the CA certificate into the Trusted Root Certification Authorities store of IE.

Select Authentication Method in the IPSec VPN connection settings.


Load the client certificate (.p12) under File > settings > Certificate management.
