IPsec VPN authenticating a remote FortiGate peer with a certificate

IPsec VPN authenticating a remote FortiGate peer with a certificate

This recipe provides sample configuration of IPsec VPN authenticating a remote FortiGate peer with a certificate. The certificate on one peer is validated by the presence of the CA certificate installed on the other peer.

The following shows the sample network topology for this recipe:

You can configure IPsec VPN authenticating a remote FortiGate peer with a pre-shared key using the FortiOSGUI or CLI.

To configure IPsec VPN authenticating a remote FortiGate peer with a pre-shared key on the FortiOS GUI:

  1. Import the certificate. 2. Configure user peers.
  2. Configure the HQ1 FortiGate:
  3. In FortiOS, go to VPN > IPsec Wizard and configure the following settings for VPN Setup:
    1. Enter a proper VPN name.
    2. For Template Type, choose Site to Site. For Remote Device Type, select FortiGate. iv. For NAT Configuration, select No NAT Between Sites.
    3. Click Next.
  4. Configure the following settings for Authentication:
    1. For Remote Device, select IP Address. For the IP address, enter 172.16.202.1. iii. For Outgoing interface, enter port1.
  5. For Authentication Method, select Signature.
  6. In the Certificate name field, select the imported certificate.
  7. From the PeerCertificate CA dropdown list, select the desired peer CA certificate.
  • Click Next.
  1. Configure the following settings for Policy & Routing:
  2. From the Local Interface dropdown menu, select the proper local interface.
  3. Configure the Local Subnets as 1.100.0. iii. Configure the Remote Subnets as 172.16.101.0.
  4. Click Create.
  5. Configure the HQ2 FortiGate:
  6. In FortiOS, go to VPN > IPsec Wizard and configure the following settings for VPN Setup:
    1. Enter a proper VPN name.
    2. For Template Type, choose Site to Site. For Remote Device Type, select FortiGate. iv. For NAT Configuration, select No NAT Between Sites.
    3. Click Next.
  7. Configure the following settings for Authentication:
    1. For Remote Device, select IP Address. For the IP address, enter 172.16.2001. iii. For Outgoing interface, enter port25.
    2. For Authentication Method, select Signature.
    3. In the Certificate name field, select the imported certificate.
    4. From the PeerCertificate CA dropdown list, select the desired peer CA certificate.
  • Click Next.
  1. Configure the following settings for Policy & Routing:
    1. From the Local Interface dropdown menu, select the proper local interface.
    2. Configure Local Subnets as 16.101.0. iii. Configure the Remote Subnets as 10.1.100.0. iv. Click Create.

To configure IPsec VPN authenticating a remote FortiGate peer with a pre-shared key using the FortiOS CLI:

  1. Configure the WAN interface and default route. The WAN interface is the interface connected to the ISP. The IPsec tunnel is established over the WAN interface: a. Configure HQ1:

config system interface edit “port1” set vdom “root”

set ip 172.16.200.1 255.255.255.0

next

end

config router static edit 1

 

gateway 172.16.200.3 device “port1”

next

end

  1. Configure HQ2:

config system interface edit “port25” set vdom “root”

set ip 172.16.202.1 255.255.255.0

next

end

config router static edit 1 set gateway 172.16.202.2 set device “port25”

next

end

  1. Configure the internal (protected subnet) interface. The internal interface connects to the corporate internal network. Traffic from this interface routes out the IPsec VPN tunnel: Configure HQ1:

config system interface edit “dmz” set vdom “root”

set ip 10.1.100.1 255.255.255.0

next

end

  1. Configure HQ2:

config system interface edit “port9” set vdom “root”

set ip 172.16.101.1 255.255.255.0

next

end

  1. Configure the import certificate and its CA certificate information. The certificate and its CA certificate must be imported on the remote peer FortiGate and on the primary FortiGate before configuring IPsec VPN tunnels. If the built-in Fortinet_Factory certificate and the Fortinet_CA CA certificate are used for authentication, you can skip this step:
  2. Configure HQ1:

config vpn certificate local edit “test1” …

set range global

next

end

config vpn certificate ca edit “CA_Cert_1” …

set range global

next end

  1. Configure HQ2:

config vpn certificate local edit “test2” …

set range global

next

end

config vpn certificate ca edit “CA_Cert_1” …

set range global

next

end

  1. Configure the peer user. The peer user is used in the IPsec VPN tunnel peer setting to authenticate the remote peer FortiGate.
    1. If not using the built-in Fortinet_Factory certificate and Fortinet_CA CA certificate, do the following: Configure HQ1:

config user peer edit “peer1” set ca “CA_Cert_1”

next

end

  1. Configure HQ2:

config user peer edit “peer2” set ca “CA_Cert_1”

next

end

  1. If the built-in Fortinet_Factory certificate and Fortinet_CA CA certificate are used for authentication, the peer user must be configured based on Fortinet_CA:
    1. Configure HQ1:

config user peer edit “peer1” set ca “Fortinet_CA”

next

end

  1. Configure HQ2:

config user peer edit “peer2” set ca “Fortinet_CA”

next

end

  1. Configure the IPsec phase1-interface:
    1. Configure HQ1:

config vpn ipsec phase1-interface edit “to_HQ2” set interface “port1” set authmethod signature net-device enable

proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1

set remote-gw 172.16.202.1 set certificate “test1” set peer “peer1”

next

end

  1. Configure HQ2:

config vpn ipsec phase1-interface edit “to_HQ1” set interface “port25” set authmethod signature set net-device enable

set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1 set remote-gw 172.16.200.1 set certificate “test2” set peer “peer2”

next

end

  1. Configure the IPsec phase2-interface:
    1. Configure HQ1:

config vpn ipsec phase2-interface edit “to_HQ2” set phase1name “to_HQ2”

set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm

aes256gcm chacha20poly1305 set auto-negotiate enable

next

end

  1. Configure HQ2:

config vpn ipsec phase2-interface edit “to_HQ2” set phase1name “to_HQ1”

set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm

aes256gcm chacha20poly1305 set auto-negotiate enable

next

end

  1. Configure the static routes. Two static routes are added to reach the remote protected subnet. The blackhole route is important to ensure that IPsec traffic does not match the default route when the IPsec tunnel is down: Configure HQ1:

config router static edit 2 set dst 172.16.101.0 255.255.255.0 set device “to_HQ2”

next edit 3 set dst 172.16.101.0 255.255.255.0 set blackhole enable set distance 254

next

end

  1. Configure HQ2:

config router static edit 2 set dst 10.1.100.0 255.255.255.0 set device “to_HQ1”

next edit 3 set dst 10.1.100.0 255.255.255.0 set blackhole enable set distance 254

next

end

  1. Configure two firewall policies to allow bidirectional IPsec traffic flow over the IPsec VPN tunnel:
  2. Configure HQ1:

config firewall policy edit 1 set name “inbound” set srcintf “to_HQ2” set dstintf “dmz” set srcaddr “172.16.101.0” set dstaddr “10.1.100.0” set action accept set schedule “always” set service “ALL”

next edit 2 set name “outbound” set srcintf “dmz” set dstintf “to_HQ2” set srcaddr “10.1.100.0” set dstaddr “172.16.101.0” set action accept set schedule “always” set service “ALL”

next

end

  1. Configure HQ2:

config firewall policy edit 1 set name “inbound” set srcintf “to_HQ1” set dstintf “port9” set srcaddr “10.1.1.00.0” set dstaddr “172.16.101.0” set action accept set schedule “always” set service “ALL”

next edit 2 set name “outbound” srcintf “port9” dstintf “to_HQ1”

set srcaddr “172.16.101.0” set dstaddr “10.1.100.0” set action accept set schedule “always” set service “ALL”

next

end

  1. Run diagnose commands. The diagnose debug application ike -1 command is the key to figure out why the IPsec tunnel failed to establish. If the remote FortiGate certificate cannot be validated, the following error shows up in the debug output:

ike 0: to_HQ2:15314: certificate validation failed

The following commands are useful to check IPsec phase1/phase2 interface status.

  1. Run the diagnose vpn ike gateway list command on HQ1. The system should return the following:

vd: root/0 name: to_HQ2 version: 1 interface: port1 11 addr: 172.16.200.1:500 -> 172.16.202.1:500 created: 7s ago peer-id: C = CA, ST = BC, L = Burnaby, O = Fortinet, OU = QA, CN = test2

peer-id-auth: yes

IKE SA: created 1/1 established 1/1 time 70/70/70 ms IPsec SA: created 1/1 established 1/1 time 80/80/80 ms

id/spi: 15326 295be407fbddfc13/7a5a52afa56adf14 direction: initiator status: established 7-7s ago = 70ms proposal: aes128-sha256 key: 4aa06dbee359a4c7-

43570710864bcf7b lifetime/rekey: 86400/86092 DPD sent/recv: 00000000/00000000 peer-id: C = CA, ST = BC, L = Burnaby, O = Fortinet, OU = QA, CN = test2

  1. Run the diagnose vpn tunnel list command on HQ1. The system should return the following:

list all ipsec tunnel in vd 0 name=to_HQ2 ver=1 serial=1 172.16.200.1:0->172.16.202.1:0

bound_if=11 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/528 options[0210]=create_ dev frag-rfcaccept_traffic=1 proxyid_num=1 child_num=0 refcnt=14 ilast=19 olast=179 ad=/0 stat: rxp=0 txp=0 rxb=0 txb=0

dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=0 natt: mode=none draft=0 interval=0 remote_port=0 proxyid=vpn-f proto=0 sa=1 ref=2 serial=1 auto-negotiate src: 0:0.0.0.0/0.0.0.0:0 dst: 0:0.0.0.0/0.0.0.0:0

SA: ref=3 options=18227 type=00 soft=0 mtu=1438 expire=42717/0B replaywin=2048 seqno=1 esn=0 replaywin_lastseq=00000000 itn=0

life: type=01 bytes=0/0 timeout=42897/43200 dec: spi=72e87de7 esp=aes key=16 8b2b93e0c149d6f22b1c0b96ea450e6c

ah=sha1 key=20 facc655e5f33beb7c2b12e718a6d55413ce3efa2 enc: spi=5c52c865 esp=aes key=16 8d0c4e4adbf2338beed569b2b3205ece

ah=sha1 key=20 553331628612480ab6d7d563a00e2a967ebabcdd dec:pkts/bytes=0/0, enc:pkts/bytes=0/0

This entry was posted in Administration Guides, FortiGate, FortiOS 6.2 on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.