FortiGate IPSec VPN User Guide - FirewallShop.com
Authenticating remote peers and clients
Auto Key phase 1 parameters
• You can permit access to remote peers or dialup clients who each have a unique peer ID and a unique preshared key. Each peer or client must have a user account on the FortiGate unit. See “Enabling VPN access using user accounts and pre-shared keys” on page 135.
For authentication of users of the remote peer or dialup client device, see “Using XAuth authentication” on page 141.
Enabling VPN access for specific certificate holders
When a VPN peer or dialup client is configured to authenticate using digital certificates, it sends the DN of its certificate to the FortiGate unit. This DN can be used to allow VPN access for the certificate holder. That is, a FortiGate unit can be configured to deny connections to all remote peers and dialup clients except the one having the specified DN.
Before you begin
The following procedures assume that you already have an existing phase 1 configuration (see “Authenticating the FortiGate unit with digital certificates” on page 129). Follow the procedures below to add certificate-based authentication parameters to the existing configuration.
Before you begin, you must obtain the certificate DN of the remote peer or dialup client. If you are using the FortiClient Host Security application as a dialup client, refer to FortiClient online Help for information about how to view the certificate DN. To view the certificate DN of a FortiGate unit, see “To view server certificate information and obtain the local DN” on page 133.
Afterward, use the config user peer CLI command to load the DN value into the FortiGate configuration. For example, if a remote VPN peer uses server certificates issued by your own organization, you would enter information similar to the following:
config user peer
    edit DN_FG1000
        set cn 192.168.2.160
        set cn-type ipv4
end
The value that you specify to identify the entry (for example, DN_FG1000) is displayed in the Accept this peer certificate only list in the IPSec phase 1 configuration when you return to the web-based manager.
If the remote VPN peer has a CA-issued certificate, which provides a higher level of assurance, you would enter information similar to the following:
config user peer
    edit CA_FG1000
        set ca CA_Cert_1
        set subject FG1000_at_site1
end
The value that you specify to identify the entry (for example, CA_FG1000) is displayed in the Accept this peer certificate only list in the IPSec phase 1 configuration when you return to the web-based manager. For more information about these CLI commands, see the “user” chapter of the FortiGate CLI Reference.
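Added example, not taken from the guide: the CLI counterpart of choosing an entry in the Accept this peer certificate only list, binding the CA_FG1000 peer entry to a phase 1 definition with peertype one, shown beside the permissive peertype any setting that admits any holder of a certificate the FortiGate trusts. The phase 1 name to_site1, the local certificate name FG_local_cert and the use of 192.168.2.160 as the remote gateway address are assumptions.

```fortios
# Peer entry from the guide: accept only a certificate issued by CA_Cert_1
# whose subject contains FG1000_at_site1.
config user peer
    edit "CA_FG1000"
        set ca "CA_Cert_1"
        set subject "FG1000_at_site1"
    next
end

# Permissive phase 1 (the setting to avoid): peertype any accepts every
# certificate that chains to a CA the FortiGate trusts, so any holder of
# such a certificate, not just the intended peer, can bring up the tunnel.
# to_site1, FG_local_cert and the gateway address are assumed values.
config vpn ipsec phase1
    edit "to_site1"
        set type static
        set remote-gw 192.168.2.160
        set authmethod signature
        set certificate "FG_local_cert"
        set peertype any
    next
end

# Restricted phase 1: the same gateway, but only a certificate matching the
# CA_FG1000 entry (issuer CA_Cert_1 and subject FG1000_at_site1) is accepted.
# This is the CLI equivalent of "Accept this peer certificate only".
config vpn ipsec phase1
    edit "to_site1"
        set peertype one
        set peer "CA_FG1000"
    next
end
```

Because CA_FG1000 constrains both the issuing CA and the subject, a certificate for a different host issued by CA_Cert_1, or one with the same subject issued by another trusted CA, is rejected.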
FortiGate IPSec VPN Version 3.0 User Guide
132 01-30005-0065-20070716