Fortinet FortiGate 4000 Switch User Manual
IPSec VPN Configuring encrypt policies
FortiGate-4000 Installation and Configuration Guide 249
Obtaining CA certificates
For the VPN peers to authenticate themselves to each other, they must both obtain a
CA certificate from the same certificate authority. The CA certificate provides the VPN
peers with a means to validate the digital certificates that they receive from other
devices.
The FortiGate unit obtains the CA certificate to validate the digital certificate that it
receives from the remote VPN peer. The remote VPN peer obtains the CA certificate
to validate the digital certificate that it receives from the FortiGate unit.
Importing CA certificates
Import the CA certificate from the management computer to the FortiGate unit.
To import the CA certificate
1 Go to VPN > Certificates > CA Certificates.
2 Select Import.
3 Enter the path or browse to locate the CA certificate on the management computer.
4 Select OK.
The CA is displayed on the CA Certificates list.
The system assigns a unique name to each CA certificate. The names are numbered
consecutively (CA_Cert_1, CA_Cert_2, CA_Cert_3, and so on).
Configuring encrypt policies
A VPN connects the local, internal network to a remote, external network. The
principal role of the encrypt policy is to define (and limit) which addresses on these
networks can use the VPN.
A VPN requires only one encrypt policy to control both inbound and outbound
connections. Depending on how you configure it, the policy controls whether users on
your internal network can establish a tunnel to the remote network (the outbound
connection), and whether users on the remote network can establish a tunnel to your
internal network (the inbound connection). This flexibility allows one encrypt policy to
perform the same function as two regular firewall policies.
Although the encrypt policy controls both incoming and outgoing connections, it must
always be configured as an outgoing policy. An outgoing policy has a source address
on an internal network and a destination address on an external network. The source
address identifies the addresses on the internal network that are part of the VPN. The
destination address identifies the addresses on the remote network that are part of the
VPN.
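The following is an added illustration, not configuration from the manual or Fortinet code: a small model of how one encrypt policy, defined in the outgoing orientation (source on the internal network, destination on the remote network), is matched for outbound traffic as written and for inbound traffic with the addresses reversed, plus a check that a policy really is oriented outgoing. The networks, tunnel name and policy fields are constructed assumptions.

```python
"""Model of a single encrypt policy governing both VPN directions (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class EncryptPolicy:
    # Defined as an outgoing policy: src on the internal network, dst on the remote network.
    src_net: str            # internal addresses that are part of the VPN
    dst_net: str            # remote addresses that are part of the VPN
    tunnel: str             # IPSec tunnel the policy applies to (constructed name)
    outbound: bool = True   # internal users may establish the tunnel
    inbound: bool = True    # remote users may establish the tunnel


def match_direction(policy: EncryptPolicy, src: str, dst: str) -> Optional[str]:
    """Return 'outbound', 'inbound' or None for a packet from src to dst.

    Outbound: src inside the policy's internal network and dst inside the remote
    network.  Inbound: the same single policy matched with the addresses swapped.
    A direction only matches when it is enabled on the policy.
    """
    s, d = ip_address(src), ip_address(dst)
    internal, remote = ip_network(policy.src_net), ip_network(policy.dst_net)
    if policy.outbound and s in internal and d in remote:
        return "outbound"
    if policy.inbound and s in remote and d in internal:
        return "inbound"
    return None


def is_outgoing_policy(policy: EncryptPolicy, internal_nets: List[str]) -> bool:
    """Check the rule from the text: src must be internal, dst must be external."""
    nets = [ip_network(n) for n in internal_nets]
    src_internal = any(ip_network(policy.src_net).subnet_of(n) for n in nets)
    dst_internal = any(ip_network(policy.dst_net).subnet_of(n) for n in nets)
    return src_internal and not dst_internal


if __name__ == "__main__":
    # Constructed sample: head office LAN 192.168.10.0/24, branch LAN 10.20.0.0/16.
    policy = EncryptPolicy("192.168.10.0/24", "10.20.0.0/16", "to_branch")
    print(is_outgoing_policy(policy, ["192.168.0.0/16"]))          # True
    print(match_direction(policy, "192.168.10.5", "10.20.1.9"))    # outbound
    print(match_direction(policy, "10.20.1.9", "192.168.10.5"))    # inbound
    print(match_direction(policy, "192.168.10.5", "203.0.113.7"))  # None
```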
Note: The CA certificate must adhere to the X.509 standard.