Danny
Contributor

HowTo: Setup up VPN certificates via WebUI

Hello Fortinet Community,

Q: How to set up a certificate-based VPN between FortiGate appliances via WebUI on recent FortiOS 7.x?

MarEng
New Contributor II

A: After completing a VPN-Setup Sheet you need to create a certificate on each site.

System > Certificates > Create/Import > Certificate

Give your certificate a self-explanatory name. If you have a static IP address, enter this under ‘common name’. If you do not have a static IP address, you should use a domain name instead which can be resolved over the Internet.

Download the certificate of the certification authority (CA). In this case it is the ‘Fortinet_CA_SSL’.

After you are done creating and downloading the certificates on both gateways, you have to import the CA certificate from one gateway to the other gateway and vice versa under System > Certificates > Create/Import > CA Certificate.

After importing the CA certificate you should see it under Remote CA Certificate.
Configuring the tunnel:

Enter the Remote Gateway's IP address and the outgoing interface.

Change mode from Pre-shared Key to Signature, and select the certificate under Certificate Name which you created on this gateway (in this example ‘Site2’).

In the next step you have to create a PKI User under Peer Certificate and use your imported CA certificate from your remote gateway.


For Phase 1 select the Encryption and Authentication you agreed upon as well as the Diffie-Hellman Group and the Key Lifetime.

For Phase 2 enter the Local and Remote Address space. It would be best practice to use an Address Object for your Local and Remote Address space.

Under Advanced options you can select the Encryption and Authentication method you agreed upon as well as the Diffie-Hellman Group and the Key Lifetime.

stekue
New Contributor II

Add a static route for your remote subnet pointing to the VPN tunnel interface, as well as another static route pointing to the Blackhole interface.

Network > Static Routes > Create New

The last step is to add firewall policies to allow the VPN traffic to pass through.
Add new policies under Policy & Objects > Firewall Policy > Create New

In this case you don’t need any NAT rules. You can restrict the access from the tunnel according to your needs by only selecting services you really need to share.

After that, monitor your VPN tunnel. To check your VPN tunnel health you have to add a new dashboard widget called IPsec.

Dashboard > Status > Add Widget

Now you are able to check Phase 1 and Phase 2 status.

You can then test the connection with a simple ping. Phase 2 should be brought up automatically, provided Phase 1 has been brought up properly.
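The same steps in FortiOS CLI form, as an added example that is not part of either reply, so the GUI configuration can be reviewed or scripted. Assumed placeholders: the local certificate ‘Site2’ from the reply above, the remote CA imported as "Site1_CA", interfaces wan1/internal, address objects "Site2_LAN"/"Site1_LAN", and documentation addresses 203.0.113.1 and 10.1.0.0/16.

```fortios
config user peer
    edit "Site1_peer"
        set ca "Site1_CA"           # PKI user bound to the imported remote CA (assumed name)
    next
end
config vpn ipsec phase1-interface
    edit "to_Site1"
        set interface "wan1"
        set remote-gw 203.0.113.1   # remote gateway IP (placeholder)
        set authmethod signature    # Signature instead of Pre-shared Key
        set certificate "Site2"     # certificate created on this gateway
        set peertype peer
        set peer "Site1_peer"       # only accept peers whose cert chains to the remote CA
        set proposal aes256-sha256
        set dhgrp 14
    next
end
config vpn ipsec phase2-interface
    edit "to_Site1_p2"
        set phase1name "to_Site1"
        set src-addr-type name
        set src-name "Site2_LAN"    # address objects for local and remote space
        set dst-addr-type name
        set dst-name "Site1_LAN"
        set proposal aes256-sha256
    next
end
config router static
    edit 0
        set dst 10.1.0.0 255.255.0.0
        set device "to_Site1"       # remote subnet via the tunnel interface
    next
    edit 0
        set dst 10.1.0.0 255.255.0.0
        set blackhole enable        # drops remote-subnet traffic while the tunnel is down
        set distance 254            # higher distance than the tunnel route
    next
end
config firewall policy
    edit 0
        set srcintf "internal"
        set dstintf "to_Site1"
        set srcaddr "Site2_LAN"
        set dstaddr "Site1_LAN"
        set action accept
        set schedule "always"
        set service "PING" "HTTPS"  # only the services you really need to share
        set nat disable             # no NAT needed across the tunnel
    next
end
```

A matching policy with source and destination swapped is needed for traffic initiated from the remote site.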
Danny

Wow, thanks for describing the steps so visually!

Could you please add how to set up a cert-based VPN between FortiGate and a 3rd party VPN gateway (e.g. Check Point)?
