Authentication for FortiOS 5.0, Chapter 3: Certificate-based authentication
Authenticating IPsec VPN users with security certificates
To require VPN peers to authenticate by means of a certificate, the FortiGate unit must offer a certificate to authenticate itself to the peer.
To enable the FortiGate unit to authenticate itself with a certificate:
1. Install a signed server certificate on the FortiGate unit.
See “To install or import the signed server certificate - web-based manager”.
2. Install the corresponding CA root certificate on the remote peer or client. If the remote peer is a FortiGate unit, see “To install a CA root certificate”.
3. Install the certificate revocation list (CRL) from the issuing CA on the remote peer or client. If the remote peer is a FortiGate unit, see “To import a certificate revocation list”.
4. In the VPN phase 1 configuration, set Authentication Method to RSA Signature and from the Certificate Name list select the certificate that you installed in Step 1.
To authenticate a VPN peer using a certificate, you must install a signed server certificate on the peer. Then, on the FortiGate unit, the configuration depends on whether there is only one VPN peer or whether this is a dialup VPN that can have multiple peers.
To configure certificate authentication of a single peer
1. Install the CA root certificate and CRL.
2. Create a PKI user to represent the peer. Specify the text string that appears in the Subject field of the user’s certificate and then select the corresponding CA certificate.
3. In the VPN phase 1 Peer Options, select Accept this peer certificate only and select the PKI user that you created.
To configure certificate authentication of multiple peers (dialup VPN)
1. Install the corresponding CA root certificate and CRL.
2. Create a PKI user for each remote VPN peer. For each user, specify the text string that appears in the Subject field of the user’s certificate and then select the corresponding CA certificate.
3. Use the config user peergrp CLI command to create a peer user group. Add to this group all of the PKI users who will use the IPsec VPN.
4. In the VPN phase 1 Peer Options, select Accept this peer certificate group only and select the peer group that you created.
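The following CLI transcript is an added example, not taken from the Fortinet documentation, that carries out the single-peer and the dialup (multiple-peer) procedures above from the FortiGate command line. The page itself names only the config user peergrp command; the other command and attribute names (config user peer, set ca, set subject, config vpn ipsec phase1-interface, set authmethod, set certificate, set peertype, set peer, set peergrp, set type dynamic) are assumed from the FortiOS 5.0 CLI and should be checked against the CLI reference for your firmware. All object names (FGT_Server_Cert, CA_Cert_1, the peer and tunnel names and the subject strings) are constructed placeholders.

```fortios
# --- Step 1 of both procedures: the FortiGate's own identity ---
# Assumes a signed server certificate named FGT_Server_Cert and the issuing
# CA's root certificate named CA_Cert_1 have already been imported (the page
# describes doing this in the web-based manager). The CRL is imported the
# same way so revoked peer certificates are rejected during IKE negotiation.

# --- Single peer: one PKI user matched by its certificate Subject ---
config user peer
    edit "branch_fw_peer"                      # constructed PKI user name
        set ca "CA_Cert_1"                     # CA that must have signed the peer cert
        set subject "CN=branch-fw.example.com" # must appear in the peer cert Subject
    next
end

config vpn ipsec phase1-interface
    edit "to_branch"                           # constructed tunnel name
        set interface "wan1"
        set remote-gw 203.0.113.10             # documentation range address
        set authmethod signature               # "RSA Signature" in the GUI
        set certificate "FGT_Server_Cert"      # certificate installed in Step 1
        set peertype peer                      # "Accept this peer certificate only"
        set peer "branch_fw_peer"
    next
end

# --- Dialup VPN: several PKI users collected in a peer group ---
config user peer
    edit "remote_user_alice"
        set ca "CA_Cert_1"
        set subject "CN=alice"
    next
    edit "remote_user_bob"
        set ca "CA_Cert_1"
        set subject "CN=bob"
    next
end

config user peergrp                            # the command the page names
    edit "dialup_pki_users"
        set member "remote_user_alice" "remote_user_bob"
    next
end

config vpn ipsec phase1-interface
    edit "dialup_cert"
        set type dynamic                       # dialup: peers connect from any address
        set interface "wan1"
        set authmethod signature
        set certificate "FGT_Server_Cert"
        set peertype peergrp                   # "Accept this peer certificate group only"
        set peergrp "dialup_pki_users"
    next
end
```

Two points worth checking after applying a configuration like this: the set subject string is compared against the Subject field of the certificate the peer presents, so read that field from the actual issued certificate rather than from the CSR you think was used; and a peer whose certificate chains to CA_Cert_1 but is not listed in the peer group is still refused, which is the property that distinguishes "Accept this peer certificate group only" from accepting any certificate from the CA.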