I set up a vdom-link between 2 vdoms( custA and root )
We use get a CAcert for our signing at Getacert . The rootCA was installed into the firewall also
100k foot view
Okay, so the 1st time that typically happens is the mechanism is used for generation of the CSR from the fortigate. In real life, your CA would be a public or private PKI.
https://www.getacert.com
On each FGT, you would craft a CSR. I like to keep the subject line small and with only a CN value.
This makes it very easy to diagnose the solution. So in this example, we are using. CN=root and CN=custA
e.g ( a very basic CSR )
Now, when you have the CSR signed, you can import it back into the FGT and you can verify the subject line.
e.g
openssl x509 -in fgt-2019-09-23-031604.cer -noout -subject
Okay brilliant, a simple subject line. Now we will define the peer match statements that would check the rootCA and the CN string type
#vdom=custA
config user peer
edit "root"
set ca "CA_Cert_2"
set cn "root"
next
end
#vdom=root
config user peer
edit "root"
set ca "CA_Cert_2"
set cn "custA"
next
end
Okay let's apply the configurations for phase1 and phase2
( 1st fw )
(root) # show vpn ipsec phase1-interface vpn1
config vpn ipsec phase1-interface
edit "vpn1"
set interface "vlink10"
set authmethod signature
set mode aggressive
set proposal aes128-sha256
set dhgrp 5
set remote-gw 10.19.199.2
set certificate "root"
set peer "custA"
next
end
(root) # show vpn ipsec phase2-interface vpn1-2
config vpn ipsec phase2-interface
edit "vpn1-2"
set phase1name "vpn1"
set auto-negotiate enable
next
end
( 2nd fw is a reverse of the 1st ) The other firewall have the following details;
config vpn ipsec phase1-interface
edit "vpn2"
set interface "vlink11"
set authmethod signature
set mode aggressive
set proposal aes128-sha256
set dhgrp 5
set remote-gw 10.19.199.1
set certificate "custA"
set peer "root"
next
end
(custA) #
(custA) # show vpn ipsec phase2-interface
config vpn ipsec phase2-interface
edit "vpn2-2"
set phase1name "vpn2"
set auto-negotiate enable
next
end
In the fortiOS cfg you have to call up the local certificate and the peer string for validating the peer. The root CA and end-point needs to be imported into the fortigate.
Diagnostics cmds "diag vpn ike gateway" and "diag vpn tunnel list"
notice the peer-id is the certificate CN name.
So always double-check the proposal and CN values in your config if you have issues setting up ipsec site2site with rsa signatures.
NSE ( network security expert) and Route/Switching Engineer
kfelix -----a----t---- socpuppets ---dot---com
^ ^
=( @ @ )=
o
/ \