
IPsec VPN site-to-site using digital certificate

Hello,

Site (A): headquarters (HQ), FortiGate

Site (B): branch office (BO), Sophos XG 430, latest update

I built a site-to-site VPN using a preshared key between the two sites and it works fine,

but when I change the authentication type to digital certificate the tunnel goes down.

What should I do to solve the certificate problem?

Hint: I uploaded the root and intermediate certificates to Certificate Authorities, then uploaded the FortiGate branch office certificate to Certificates and chose the FortiGate branch office certificate as the local certificate and the FortiGate root certificate as the remote certificate.

Any help about the cert files and which I should use?

Should I send the Sophos certificate to the FortiGate?

Thanks a lot



  • Hello,

    this question led to a small learning session with our apprentice this morning, which gave us the diagram I am copying here for a better understanding of that setup:

    When using certificates in a VPN Site-to-Site configuration, you always need BOTH certificates on BOTH sides to verify you are talking to the right partner.

    And of course you need them to be trusted by your firewall system.

    So the main task when setting this up is: "How do I transfer the certificates from one site to the other?"

    With kind regards, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

    If a post solves your question please use the 'Verify Answer' button.

  • Thanks, my friend.

    I will test your solution.

  • Forgot to say:

    at the Sophos device, "Remote certificate" has to be the certificate of the FortiGate device.

    At the other side (the FortiGate screenshot), at point "2." you have to put the Sophos certificate after importing it to the FortiGate.

    Best regards from Germany,

    Philipp Rusch

  • OK,

    as shown in the diagram,

    from both sites: 1- Generate Self Signed Certificate, 2- download default (root certificate)

    Sophos site: use FortiGate branch certificate as local certificate, use FortiGate root certificate as remote certificate

    FortiGate site: use Sophos root certificate in step 1 (certificate name), use Sophos self-signed certificate in step 2 (peer certificate)

    Is it true?

    Thank you

  • No, you completely mixed it up:

    Sophos side:

    S-1. You use your locally generated certificate FROM THE SOPHOS itself as "local certificate".

    S-2. You export the FortiGate client certificate (you call it "branch certificate") ON THE FORTIGATE.

    S-3. You export the FortiGate signing CA certificate that was used to sign the "branch certificate" on the FORTIGATE as above.

    S-4. You then transfer both certs from the FortiGate site to the Sophos site (use the .PEM format).

    S-5. In the Sophos menu "System/Certificates" you import the FortiGate CA cert into the Sophos as "Certificate Authorities (CA)". This is mandatory for the client certificate of the FortiGate to become a "trusted" certificate.

    S-6. Now you import the FortiGate client certificate ("your branch cert") into the Sophos as a normal "Certificate".

    S-7. Now you use the FortiGate client certificate (from step S-6) as the "remote certificate" in your VPN configuration.

    FortiGate side:

    F-1. You use the SAME FortiGate client certificate (your "branch certificate") as the "local certificate" (here called "Signature" in the VPN configuration).

    F-2. You export the "Sophos VPN signing CA" and the Sophos client certificate you used as "local certificate" in step S-1.

    F-3. You then transfer both certs from the Sophos site to the FortiGate site (use the .PEM format, as before).

    F-4. In the FortiGate menu "System/Certificates" you first import the "Sophos VPN signing CA-cert" as a "CA-Certificate". Note that you cannot give the certs a name; it is automatically named "CA_Cert_1" by the FortiGate.

    F-5. Then you import the Sophos client certificate as "Remote Certificate"; this gets the name "Remote_Cert_1".

    F-6. You can now use this Sophos client "Remote_Cert_1" as your "Peer certificate" in the VPN configuration of the FortiGate (screenshot point 2.).

    Hope this clarifies things.

    Best regards from Germany,

    Philipp Rusch
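    As an added illustration (not code from the thread or from either vendor), this Go snippet models the trust decision behind steps S-5 to S-7 and F-4 to F-6: a peer's "remote certificate" is only accepted when the CA that signed it has already been imported into the local trust store, so importing the wrong CA (or none) is exactly what leaves the tunnel down. The two CAs, peer names and keys are constructed placeholders, not real devices.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newCert returns a self-signed CA when parent is nil, otherwise a peer certificate signed by parent.
func newCert(cn string, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(1, 0, 0),
		BasicConstraintsValid: true, IsCA: parent == nil, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if parent == nil { // a CA signs itself and may sign peer certificates
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// PeerTrusted mirrors the firewall's import check: a peer is accepted only if it chains to a CA already in the trust store (step S-5 / F-4).
func PeerTrusted(peer, ca *x509.Certificate) bool {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := peer.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err == nil
}

// BuildSites builds constructed sample PKIs for both firewalls (placeholder names, not real devices).
func BuildSites() (fortiCA, fortiPeer, sophosCA, sophosPeer *x509.Certificate) {
	fortiCA, fortiKey := newCert("FortiGate HQ CA", nil, nil)
	fortiPeer, _ = newCert("fortigate-hq", fortiCA, fortiKey)
	sophosCA, sophosKey := newCert("Sophos VPN signing CA", nil, nil)
	sophosPeer, _ = newCert("sophos-bo", sophosCA, sophosKey)
	return fortiCA, fortiPeer, sophosCA, sophosPeer
}

func main() {
	fca, fpeer, sca, _ := BuildSites()
	fmt.Println(PeerTrusted(fpeer, fca), PeerTrusted(fpeer, sca)) // true false: only the issuing CA makes the peer trusted
}
```

    BuildSites stands in for the exports from each firewall; PeerTrusted(fortiPeer, fortiCA) succeeds while PeerTrusted(fortiPeer, sophosCA) fails, which is the mix-up the answer above corrects.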

  • Hi Sir,

    is it possible for the FortiGate to issue the certificate for both sides?

    If it is OK,

    what must we do?

  • Every Sophos already HAS at least one certificate, so why do you want to do that?

    Best regards from Germany,

    Philipp Rusch

  • But to answer your question: yes, you could use any certificate that you want.

    Best regards from Germany,

    Philipp Rusch