Authenticating remote peers and clients
Certificates or pre-shared keys restrict who can access the VPN tunnel, but they do not identify or authenticate the remote peers or dialup clients. You have the following options for authentication:
Methods of authenticating remote VPN peers
| Certificates or Pre-shared key | Local ID | User account pre-shared keys | Reference |
| --- | --- | --- | --- |
| Certificates | | | See Enabling VPN access for specific certificate holders on page 53. |
| Either | X | | See Enabling VPN access by peer identifier on page 55. |
| Pre-shared key | | X | See Enabling VPN access with user accounts and pre-shared keys on page 56. |
| Pre-shared key | X | X | See Enabling VPN access with user accounts and pre-shared keys on page 56. |
Repeated authentication in Internet Key Exchange (IKEv2) protocol
This feature provides the option to control whether a device requires its peer to re-authenticate or whether re-key is sufficient. It does not influence the re-authentication or re-key behavior of the device itself, which is controlled by the peer (with the default being to re-key).
This feature follows RFC 4478 (Repeated Authentication in IKEv2). Its purpose is to limit the time that security associations (SAs) remain usable by a third party who has gained control of the IPsec peer.
CLI syntax:
config vpn ipsec phase1-interface
    edit p1
        set reauth [enable | disable]
    next
end

disable: Disable IKE SA re-authentication.
enable: Enable IKE SA re-authentication.
Enabling VPN access for specific certificate holders
When a VPN peer or dialup client is configured to authenticate using digital certificates, it sends the Distinguished Name (DN) of its certificate to the FortiGate unit. This DN can be used to allow VPN access for the certificate holder. That is, a FortiGate unit can be configured to deny connections to all remote peers and dialup clients except the one having the specified DN.
Before you begin
The following procedures assume that you already have an existing Phase 1 configuration (see Authenticating remote peers and clients on page 52). Follow the procedures below to add certificate-based authentication parameters to the existing configuration.
Before you begin, you must obtain the certificate DN of the remote peer or dialup client. If you are using the FortiClient application as a dialup client, refer to FortiClient online help for information about how to view the certificate DN. To view the certificate DN of a FortiGate unit, see Viewing server certificate information and obtaining the local DN on page 54.
Use the config user peer CLI command to load the DN value into the FortiGate configuration. For example, if a remote VPN peer uses server certificates issued by your own organization, you would enter information similar to the following:
config user peer
    edit DN_FG1000
        set cn 192.168.2.160
        set cn-type ipv4
end
The value that you specify to identify the entry (for example, DN_FG1000) is displayed in the Accept this peer certificate only list in the IPsec Phase 1 configuration when you return to the web-based manager.
If the remote VPN peer has a CA-issued certificate to support a higher level of credibility, you would enter information similar to the following in the CLI:
config user peer
    edit CA_FG1000
        set ca CA_Cert_1
        set subject FG1000_at_site1
end
The value that you specify to identify the entry (for example, CA_FG1000) is displayed in the Accept this peer certificate only list in the IPsec Phase 1 configuration when you return to the web-based manager. For more information about these CLI commands, see the “user” chapter of the FortiGate CLI Reference.
A group of certificate holders can be created based on existing user accounts for dialup clients. To create the user accounts for dialup clients, see the “User” chapter of the FortiGate Administration Guide. To create the certificate group afterward, use the config user peergrp CLI command. See the “user” chapter of the FortiGate CLI Reference.
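The security point of the two config user peer entries above is that the certificate signature authenticates the peer, and the peer entry then decides which authenticated certificate holders are authorized. The following added Python example (illustrative model, not FortiOS code or Fortinet's implementation) walks through that authorization step for a cn/cn-type entry, a ca/subject entry, and a peergrp; the peer names, sample DNs, CA name, the group name and the exact-CN treatment of set subject are assumptions.

```python
import ipaddress

# Constructed sample data modelling the two kinds of "config user peer" entry from
# the page plus one "config user peergrp". Illustrative only; not FortiOS internals.
PEERS = {
    "DN_FG1000": {"cn": "192.168.2.160", "cn_type": "ipv4"},
    "CA_FG1000": {"ca": "CA_Cert_1", "subject": "FG1000_at_site1"},
}
PEER_GROUPS = {"site1_peers": ["DN_FG1000", "CA_FG1000"]}  # assumed group name


def parse_dn(dn):
    """Split 'CN=foo, O=bar' into {'CN': 'foo', 'O': 'bar'} (attribute types upper-cased)."""
    rdns = {}
    for part in dn.split(","):
        key, _, value = part.strip().partition("=")
        rdns[key.strip().upper()] = value.strip()
    return rdns


def cn_matches(cn_type, configured, presented):
    """Compare the configured CN with the CN carried in the presented certificate."""
    if cn_type == "ipv4":
        # Compare as addresses, so textual variants of the same address still match
        try:
            return ipaddress.IPv4Address(configured) == ipaddress.IPv4Address(presented)
        except ValueError:
            return False
    if cn_type in ("email", "fqdn"):
        return configured.lower() == presented.lower()  # names are case-insensitive
    return configured == presented  # cn-type string: exact match


def peer_accepts(entry, subject_dn, issuer_ca):
    """Authorization applied only after the certificate signature has already verified."""
    rdns = parse_dn(subject_dn)
    if "cn" in entry:
        return cn_matches(entry["cn_type"], entry["cn"], rdns.get("CN", ""))
    # ca/subject entry: the certificate must chain to the named CA and (assumption:
    # modelled as an exact CN match) carry the configured subject.
    return issuer_ca == entry["ca"] and rdns.get("CN") == entry["subject"]


def authorize(peer_or_group, subject_dn, issuer_ca):
    """Accept if the named peer, or any member of the named peergrp, accepts the holder."""
    names = PEER_GROUPS.get(peer_or_group, [peer_or_group])
    return any(peer_accepts(PEERS[n], subject_dn, issuer_ca) for n in names if n in PEERS)
```

A holder whose certificate verifies but whose DN matches no configured entry is rejected, which is the "deny all except the specified DN" behavior described above.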
Viewing server certificate information and obtaining the local DN
- Go to System > Certificates.
- Note the CN value in the Subject field (for example, CN = 172.16.10.125, CN = info@fortinet.com, or CN = www.example.com).
Viewing CA root certificate information and obtaining the CA certificate name
- Go to System > Certificates > CA Certificates.
- Note the value in the Name column (for example, CA_Cert_1).
Configuring certificate authentication for a VPN
With peer certificates loaded and peer users and peer groups defined, you can configure your VPN to authenticate users by certificate.
Enabling access for a specific certificate holder or a group of certificate holders
- At the FortiGate VPN server, go to VPN > IPsec Tunnels and create the new custom tunnel or edit an existing tunnel.
- Edit the Phase 1 Proposal (if it is not available, you may need to click the Convert to Custom Tunnel button).
- From the Authentication Method list, select RSA Signature.
- From the Certificate Name list, select the name of the server certificate that the FortiGate unit will use to authenticate itself to the remote peer or dialup client.
- Under Peer Options, select one of these options:
- To accept a specific certificate holder, select Accept this peer certificate only and select the name of the certificate that belongs to the remote peer or dialup client. The certificate DN must be added to the FortiGate configuration through CLI commands before it can be selected here. See Before you begin on page 53.
- To accept dialup clients who are members of a certificate group, select Accept this peer certificate group only and select the name of the group. The group must be added to the FortiGate configuration through CLI commands before it can be selected here. See Before you begin on page 53.
- If you want the FortiGate VPN server to supply the DN of a local server certificate for authentication purposes, select Advanced and then from the Local ID list, select the DN of the certificate that the FortiGate VPN server is to use.
- Select OK.