mmontes
Staff
Article Id 197921
Purpose
This article describes the configuration needed, and how to create the certificates with OpenSSL, to set up dial-up IPsec VPN users with certificates as the authentication method.
Expectations, Requirements
Download the OpenSSL software. In this case it was installed on a Windows PC.
Generate the CA private key and CA certificate (.crt) with OpenSSL using the commands below:
C:\OpenSSL-Win64\bin>openssl genrsa -des3 -out ca.key 4096
C:\OpenSSL-Win64\bin>openssl req -new -x509 -days 365 -key ca.key -out ca.crt
Generate Server Certificate
Create a CSR on the FortiGate, download it (server.csr below), and sign it with the CA through OpenSSL using the following command:

C:\OpenSSL-Win64\bin>openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out ipsecdialup.crt
Finally, generate the client certificate with the following commands (the key, a CSR, the CA-signed certificate, and a PKCS#12 bundle for import into FortiClient):
C:\OpenSSL-Win64\bin>openssl genrsa -des3 -out client.key 4096
C:\OpenSSL-Win64\bin>openssl req -new -key client.key -out client.csr
C:\OpenSSL-Win64\bin>openssl x509 -req -days 365 -in client.csr -CA ca.crt -CAkey ca.key -set_serial 02 -out client.crt
C:\OpenSSL-Win64\bin>openssl pkcs12 -export -in client.crt -inkey client.key -certfile ca.crt -name "test" -out client.p12
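The same certificate chain built end to end as a non-interactive script, added here as an example and not part of the original article. It assumes openssl is in PATH, stands in for the FortiGate CSR with a locally generated server key, and uses constructed passphrases and subject names; it also gives each certificate its own serial and verifies the chain and the PKCS#12 bundle before anything is imported.

```shell
#!/bin/sh
# Constructed demo PKI for certificate-based dial-up IPsec (example code, not Fortinet's).
# Assumptions: openssl in PATH; the FortiGate CSR is simulated by a local server key;
# passphrases and subject names below are placeholders chosen for this demo.
set -eu

WORK="${WORK:-$(mktemp -d)}"
BITS="${BITS:-2048}"                  # the article uses 4096; 2048 keeps the demo fast
CA_PASS="pass:ca-demo-passphrase"     # constructed; protects ca.key like -des3 does
P12_PASS="pass:p12-demo-passphrase"   # constructed; FortiClient asks for it on import

# 1) CA: encrypted private key plus a self-signed certificate valid for 365 days.
make_ca() {
  openssl genrsa -aes256 -passout "$CA_PASS" -out "$WORK/ca.key" "$BITS" 2>/dev/null
  openssl req -new -x509 -days 365 -key "$WORK/ca.key" -passin "$CA_PASS" \
    -subj "/CN=Demo VPN CA/O=Example" -out "$WORK/ca.crt"
}

# 2) Sign a CSR with the CA. Every certificate under one CA needs a distinct serial:
#    reusing -set_serial 01 for server and client yields two certificates with the
#    same issuer and serial, which X.509 forbids and some clients reject.
sign_csr() {  # $1 = CSR, $2 = output certificate, $3 = serial
  openssl x509 -req -days 365 -in "$1" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -passin "$CA_PASS" -set_serial "$3" -out "$2" 2>/dev/null
}

# 3) Server: stands in for the CSR exported from the FortiGate.
make_server() {
  openssl genrsa -out "$WORK/server.key" "$BITS" 2>/dev/null
  openssl req -new -key "$WORK/server.key" -subj "/CN=vpn.example.test" -out "$WORK/server.csr"
  sign_csr "$WORK/server.csr" "$WORK/ipsecdialup.crt" 01
}

# 4) Client: key, CSR, CA-signed certificate, then a PKCS#12 bundle carrying the CA too.
make_client() {
  openssl genrsa -out "$WORK/client.key" "$BITS" 2>/dev/null
  openssl req -new -key "$WORK/client.key" -subj "/CN=vpnuser1/O=Example" -out "$WORK/client.csr"
  sign_csr "$WORK/client.csr" "$WORK/client.crt" 02
  openssl pkcs12 -export -in "$WORK/client.crt" -inkey "$WORK/client.key" \
    -certfile "$WORK/ca.crt" -name "vpnuser1" -passout "$P12_PASS" -out "$WORK/client.p12"
}

# Checks worth running before importing anything into the FortiGate or FortiClient.
verify_chain() { openssl verify -CAfile "$WORK/ca.crt" "$WORK/ipsecdialup.crt" "$WORK/client.crt" >/dev/null; }
serial_of()    { openssl x509 -noout -serial -in "$1" | cut -d= -f2; }
check_p12()    { openssl pkcs12 -in "$WORK/client.p12" -passin "$P12_PASS" -noout; }
```

Run `make_ca; make_server; make_client; verify_chain` and the files land in `$WORK`, ready for the import steps below.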

Configuration
Import the CA certificate and Server Certificate to the FortiGate:

Go to System -> Certificates -> Import -> Local Certificate and select the server certificate.
Go to System -> Certificates -> Import -> CA Certificate and select the CA certificate.

Configure user peer and peergrp:
#config user peer
edit test1
set ca "<CA certificate name>"                 <----- specify the name of the CA certificate already uploaded.
end

#config user peergrp
edit user_group1
set member test1
end
Set up the IPsec VPN dial-up tunnel:

1) Enable NAT traversal if needed. In this case it is not required.

[Screenshot: IPSEC VPN 1.PNG]

2) Specify the server certificate and peergrp as follows:

[Screenshot: IPSEC VPN 2.PNG]

3) Finally, specify the user group for XAUTH:

[Screenshot: IPSEC VPN 3.PNG]

Import the CA certificate and client certificate on the user side:

1) Import the CA certificate through Internet Explorer into Trusted Root Certification Authorities on the PC running FortiClient.

2) Import the client certificate into FortiClient:

[Screenshot: FortiClient 2.PNG]

3) Finally, set the authentication method in FortiClient to X.509 certificate so that the client certificate imported in the previous step is used.

[Screenshot: FortiClient 1.PNG]

Verification
Once the steps above are complete, attempt a connection from FortiClient to the FortiGate and run the following debug commands on the FortiGate to see the whole IPsec negotiation:
#diag debug disable
#diag debug reset
#diag debug appl ike -1
#diag debug enable
After the connection test, disable the debug with the commands below:
#diag debug reset
#diag debug disable
