IPsec/SSL VPN

Back to discussions
Expand all | Collapse all

SCEP for IPSec Site-to-Site VPN with FGT, FortiAuth as CA

  • 1.  SCEP for IPSec Site-to-Site VPN with FGT, FortiAuth as CA

    Posted Feb 17, 2016 10:32 PM

    Hi,

    I am looking for someone with experience from setting this up. I have Googled tons of doumentation om how to configure this, but have no conclusive answers. Using FAC 4.0 and FOS 5.2.latest.

    Basically I have two issues: 1) I'm not 100% sure how SCEP is intended to work. 2) Configuration of the FAC seems non-trivial.

    For my first test I just wanted to generate a CA Cert on the FAC import the Cert in the FGT, and *manually* create an IPSec tunnel on the FGT. But the imported Cert is not available in the drop-down box in the P1 configuration. What did I do wrong?

    Secondly, attempted to enable SCEP on the tunnel, generate an enrollment form the FGT to the FAC - and see the request as 'Pending' in the FAC. Authorize it in the FAC - and then nothing happens? The Cert is never deployed to the FGT. What have I missed?

    Any pointers or tips are greatly appreciated!

    ~Mike



  • 2.  RE: SCEP for IPSec Site-to-Site VPN with FGT, FortiAuth as CA

    Posted Feb 18, 2016 08:56 AM

    Mike,

    Regarding the manually setup:
    Do you expect the CA cert to show up in the P1 config?
    This is not correct. You should see the device cert in the drop-down box.

    Basic steps are (when using FAC):
    1 Sync the time on both FGT so they can verify the validity of the certificates
    2 on the FAC, create a "user" certificate for each FGT
    3 export the "user" certificates as PKCS#12
    4 export the FAC CA cert (the one used when signing the user certificates)
    5 import the "user" certificate on the relevant FGT as a "local" cert (type PKCS#12)
    6 import the CA cert on both FGT

    Under "system -> certificates -> external CA certificates" you should see the CA certificate on each FGT

    Under "system -> certificates -> certificates you should see the "user" certificate (different one on each FGT)
    This is also the cert that should be used in your P1 config.

    Regards
    Robby



  • 3.  RE: SCEP for IPSec Site-to-Site VPN with FGT, FortiAuth as CA

    Posted Feb 24, 2016 11:42 PM

    Brilliant,

    Many thanks for explainning! I will test this and get back with results as soon as I have them. Once I get the manual way to work, I'll have a look into SCEP and see if I can get it to work as well.

    Regards,

    ~Mike



  • 4.  RE: SCEP for IPSec Site-to-Site VPN with FGT, FortiAuth as CA

    Posted Mar 11, 2016 03:01 AM

    So, I finally got the chance to get this to work - both manually and via SCEP.

    However, a question arose during the PoC with the prospect:

    Is it possible to manually trigger a renewal request via the Fortigate CLI? I searched the CLI, Admin Guides, Google and what not, but to no avail.

    The problem is that if the tunnel is down, the auto-renewal will fail. But remote access to the device is still possible . So either a manual CSR/signing/import would work, but it would be much nicer if it were possible execute a renewal via CLI.

    Thanks



  • 5.  RE: SCEP for IPSec Site-to-Site VPN with FGT, FortiAuth as CA

    Posted Jan 30, 2017 12:04 PM

    Be sure to enable "Certificates" under "Feature Select --> Certificates".