Certificates - Fortinet FortiGate FortiGate-1000 Administration Manual

8 Add the following registry value to this key:
Value Name: ProhibitIPSec
Data Type: REG_DWORD
Value: 1
9 Save your changes and restart the computer for the changes to take effect.
You must add the ProhibitIPSec registry value to each Windows XP-based endpoint
computer of an L2TP or IPSec connection to prevent the automatic filter for L2TP and
IPSec traffic from being created. When the ProhibitIPSec registry value is set to 1,
your Windows XP-based computer does not create the automatic filter that uses CA
authentication. Instead, it checks for a local or Active Directory IPSec policy, so a
policy covering the L2TP traffic must exist; without one, the L2TP connection is not
protected by IPSec.
To connect to the L2TP VPN
1 Connect to your ISP.
2 Start the VPN connection that you configured in the previous procedure.
3 Enter your L2TP VPN User Name and Password.
4 Select Connect.
5 In the connect window, enter the User Name and Password that you use to connect to
your dialup network connection.
This user name and password are not the same as your VPN user name and password.
Certificates

Digital certificates are downloadable files that you can install on the FortiGate unit
and its remote peers to authenticate IPSec VPN peers. A digital certificate consists of
a public key and identifying information about its owner, digitally signed by a
trusted third party known as a certificate authority (CA). The matching private key is
not part of the certificate: it is generated and kept on the device that owns the
certificate. Because CAs can be trusted, the certificates issued by a CA are deemed
trustworthy, and any peer that holds the CA's root certificate can verify them.
To obtain a personal or site certificate, you must send a request to a CA that provides
digital certificates that adhere to the X.509 standard. The FortiGate unit generates
the key pair and the request for you. The request contains the new public key together
with identifying information such as the FortiGate unit's public static IP address,
domain name, or email address; the private key stays on the unit and is never sent to
the CA. The CA verifies the information and issues a digital certificate that binds it
to the public key and carries a serial number, an expiration date, and the CA's
signature. The CA then sends the certificate to you to install on the FortiGate unit.
You must also obtain and install the CA's root certificate on the FortiGate unit,
because that is what the unit uses to verify the certificates presented by its peers.
After the required personal or site certificates and root certificates have been
installed on the VPN peers, they identify themselves during phase 1 negotiations using
certificates. Each peer sends its certificate and proves that it holds the matching
private key by signing the phase 1 exchange; the other peer verifies the signature with
the public key in the certificate and checks that the certificate has not expired and
was issued by a CA whose root certificate it has installed. The private key never
leaves the unit that owns it. The keys that encrypt VPN traffic are negotiated
separately during the exchange, so the certificate key pair authenticates the peers
rather than encrypting the traffic.
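The request, issuance and verification steps above, as an added example that is not
part of the FortiGate manual: a throwaway X.509 PKI built with the openssl command-line
tool. The script plays both the requesting unit and the CA (in practice the request goes
to an external CA), and the organisation, hostname, address and CA names are all
constructed for the demo. It generates a root CA, builds a request that carries only the
public key and identity, issues a certificate, then performs the check a peer performs in
phase 1: the certificate verifies against the installed root, fails against an unrelated
root, contains no private key, and matches the key kept on the unit.

```shell
#!/bin/sh
# Added example, not from the FortiGate manual: a throwaway X.509 PKI built
# with the openssl CLI that walks through the certificate workflow described
# above. Every name, address and the CA itself are constructed for the demo;
# in a real deployment the request goes to an external CA.
set -u

WORK=$(mktemp -d)                 # scratch directory for keys and certificates
trap 'rm -rf "$WORK"' EXIT

# Minimal req config so the run does not depend on the system openssl.cnf.
# The v3_ca section is applied only when a self-signed root is generated.
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions    = v3_ca
prompt             = no
[dn]
O = Example Corp
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
EOF

# CA side: a root CA is a self-signed certificate plus the private key that
# issued it. The FortiGate unit needs only <name>.crt, never <name>.key.
make_root_ca() {                  # $1 = file basename, $2 = CA common name
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -config "$WORK/req.cnf" -subj "/O=Example Corp/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# FortiGate side: generate a key pair and a PKCS#10 request. The request
# carries the public key and identity only; fg.key stays on the unit.
make_csr() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$WORK/req.cnf" \
    -subj "/C=US/O=Example Corp/CN=fortigate.example.com/emailAddress=admin@example.com" \
    -keyout "$WORK/fg.key" -out "$WORK/fg.csr" >/dev/null 2>&1
}

# CA side: issue the certificate (serial number, validity period, CA
# signature). The SAN binds it to the unit's hostname and static IP address.
sign_csr() {
  printf 'subjectAltName=DNS:fortigate.example.com,IP:203.0.113.10\n' > "$WORK/san.cnf"
  openssl x509 -req -in "$WORK/fg.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 365 -sha256 -extfile "$WORK/san.cnf" \
    -out "$WORK/fg.crt" >/dev/null 2>&1
}

# What a VPN peer checks in phase 1: does the presented certificate chain to
# a root it has installed? Prints OK or FAIL; a cert from another CA must FAIL.
verify_peer_cert() {              # $1 = trusted CA file, $2 = peer certificate
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo OK; else echo FAIL; fi
}

# The issued certificate must not contain the private key ...
cert_has_private_key() {          # $1 = certificate file; prints yes/no
  if grep -q 'PRIVATE KEY' "$1"; then echo yes; else echo no; fi
}

# ... but its public key must be the one derived from the unit's private key.
key_matches_cert() {              # $1 = private key, $2 = certificate; prints yes/no
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null)
  c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)
  if [ -n "$k" ] && [ "$k" = "$c" ]; then echo yes; else echo no; fi
}

build_pki() {
  make_root_ca ca "Example Root CA" && make_root_ca rogue "Unrelated CA" \
    && make_csr && sign_csr
}

build_pki || { echo "openssl step failed" >&2; exit 1; }
openssl x509 -in "$WORK/fg.crt" -noout -subject -serial -enddate
echo "verified against installed root : $(verify_peer_cert "$WORK/ca.crt" "$WORK/fg.crt")"
echo "verified against unrelated root : $(verify_peer_cert "$WORK/rogue.crt" "$WORK/fg.crt")"
echo "private key inside certificate  : $(cert_has_private_key "$WORK/fg.crt")"
echo "public key matches fg.key       : $(key_matches_cert "$WORK/fg.key" "$WORK/fg.crt")"
```

The "Unrelated CA" run is the case to keep in mind when a tunnel fails phase 1: a
certificate that is perfectly valid but issued by a CA whose root is not installed on
the peer is rejected, which is why the root certificate must be installed on both ends
before the peer certificates are of any use.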
01-28006-0009-20041105
VPN
Fortinet Inc.
