IS Operations asked:

VPN site-to-site tunnel between Fortigate and Cisco: certificate issues

Hi,
Can someone please help me understand how a certificate works on a firewall: the concept, and how the firewalls authenticate certs.
The scenario is a Fortigate 100D with a Cisco ASA (3rd party), certificate-based VPN.

We have set up a tunnel; however, I don't see many logs, due to the firewall being in a shared datacentre managed externally. They do not support certificate-based VPN tunnels.
We initially set up on a pre-shared key and it was fine, so we know all the other settings are correct.

We have created a CSR on the Fortigate and completed this with a CA, "DigiCert". We have loaded the cert into the firewall (Fortigate, using the web GUI). We have received the Certificate Authority certs (Go Daddy, from the external 3rd party) and installed these; they are now remote_Cert1, 2 etc.
We have set up the VPN tunnel to use the peer certificate and pointed it to one of the Go Daddy Remote-Certs. There is no option on a Fortigate to use 2 certs.

The info we are getting from the Cisco side debug is as follows:

IPSEC An inbound LAN to LAN SA xxx between IP and IP (user==IP has been created
same and outbound LAN to LAN created
AAA retrieved default group policy IP for user =IP
Local remote connection established; then it says an IPSEC inbound/outbound LAN to LAN has been deleted.

The Cisco (3rd party) side have no experience on Fortigate. They are seeing a message saying our certificate has been successfully validated, SN x, subject name CN = company etc.

The tunnel won't come up on the Fortigate. So any info on what is going on here, and an explanation as to how the SSL works on the devices (firewalls), is appreciated.

Does it look at the CA to verify the cert, and we never exchange certs/private keys with the other side? Which is what someone was asking.

Thanks
Pete Long replied:

For Phase 1 to establish, using certificates, BOTH firewalls need to be able to resolve the name on the OTHER certificate to the correct public IP address. AND they each need to trust the CA (and any intermediate CAs) that issued the certificate on the OTHER firewall.

Unlike a computer, the ASA does not come with a host of trusted CA certificates; you have to import them. I suspect the Fortigate will be the same.

Regards,

Pete
IS Operations (asker) replied:
Hi Pete,
So we should be able to resolve the remote certificate CN name, e.g. example.example.com, and vice versa?
So for us, if I have used my company website on the certificate CN, this wouldn't resolve to the firewall IP?
Yes, we uploaded the trusted CA etc. to the Fortigate.
Pete,
Does the certificate need to have the IP in it when creating the CSR? The Fortigate has options for IP, email etc.
When you say resolve the name to the IP, do you mean the IP of the firewall?
Ibrahim Kasabri replied:

Hi,

Regarding your issue, the first step you have to do is import the digital CA to both (FortiGate & Cisco), then proceed to the next step, which is configuring the IPsec tunnel using Signature for authentication.

You can find these steps on the Cisco support doc site & Fortinet cookbook site.
Cisco
https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/110221-asavpnclient-ca.html
Fortigate
https://cookbook.fortinet.com/site-to-site-ipsec-vpn-with-certificate-authentication-56/
IS Operations (asker) replied:

Hi Ibrahim,
Could you explain this bit more?
"Regarding your issue, the first step you have to do is import the digital CA to both (FortiGate & Cisco), then proceed to the next step, which is configuring the IPsec tunnel using Signature for authentication."

Do you mean the Certificate Authorities for my cert and his, on both devices? We have the Go Daddy ones, which are theirs. He has ours, by DigiCert.

Thanks
Ibrahim Kasabri replied:

Hi

The point is to use either the DigiCert or the GoDaddy CA on both ends (FortiGate and Cisco). For instance, if the Fortigate uses the GoDaddy CA, then the Cisco has to use the same CA with the same key to bring the tunnel up.
IS Operations (asker) replied:

Yes, we're using DigiCert and the Cisco has the CA.
We have their CAs.

We don't give them our actual certificate; that stays on our firewall, and they keep their own.
Ibrahim Kasabri replied:

Hi,

I'd like you to go back to the Fortinet Cookbook link that I provided to you, and follow the steps for installing the certificate according to your scenario. If your site is the HQ, do the steps as they are. Otherwise, if your site is a branch, follow the configuration steps and configure the certificate that is used at the HQ site.

Keep me up to date.