IPSec VPN: Manual Key
FortiGate Version 4.0 MR1 Administration Guide, page 622 (01-410-89802-20090903)
http://docs.fortinet.com/Feedback
Manual Key

If required, you can manually define cryptographic keys for establishing an IPSec VPN tunnel. You would define manual keys in situations where:

- You require prior knowledge of the encryption or authentication key (that is, one of the VPN peers requires a specific IPSec encryption or authentication key).
- You need to disable encryption and authentication.

In both cases, you do not specify IPSec phase 1 and phase 2 parameters; you define manual keys by going to VPN > IPSEC > Manual Key instead.

For general information about how to configure an IPSec VPN, see the FortiGate IPSec VPN User Guide.
Figure 382: Manual Key list

Create New                 Create a new manual key configuration. See "Creating a new manual key configuration" on page 622.
Tunnel Name                The names of existing manual key configurations.
Remote Gateway             The IP addresses of remote peers or dialup clients.
Encryption Algorithm       The names of the encryption algorithms specified in the manual key configurations.
Authentication Algorithm   The names of the authentication algorithms specified in the manual key configurations.
Delete and Edit icons      Delete or edit a manual key configuration.

Creating a new manual key configuration

If one of the VPN devices is manually keyed, the other VPN device must also be manually keyed with the identical authentication and encryption keys. In addition, it is essential that both VPN devices be configured with complementary Security Parameter Index (SPI) settings. The administrators of the devices need to cooperate to achieve this.

Each SPI identifies a Security Association (SA). The value is placed in ESP datagrams to link the datagrams to the SA. When an ESP datagram is received, the recipient refers to the SPI to determine which SA applies to the datagram. You must manually specify an SPI for each SA. There is an SA for each direction, so for each VPN you must specify two SPIs, a local SPI and a remote SPI, to cover bidirectional communications between two VPN devices.

Note: You should use manual keys only if it is unavoidable. There are potential difficulties in keeping keys confidential and in propagating changed keys to remote VPN peers securely.
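The complementary-SPI and identical-key requirement described above, as an added checking script that is not part of the Fortinet guide: it compares the manual key settings the two administrators intend to enter on their peers and reports anything that would keep the two SAs from matching. The ManualKeySA field names, the per-algorithm key lengths (taken from the ESP algorithm RFCs rather than from this page) and the sample values are all assumptions constructed for the example.

```python
from dataclasses import dataclass
# Key sizes in bytes that each ESP algorithm expects (DES 64-bit, 3DES 192-bit,
# AES by key length; HMAC-MD5-96 and HMAC-SHA1-96 keys per RFC 2403 / RFC 2404).
ENC_KEY_LEN = {"null": 0, "des": 8, "3des": 24, "aes128": 16, "aes192": 24, "aes256": 32}
AUTH_KEY_LEN = {"null": 0, "md5": 16, "sha1": 20}

@dataclass
class ManualKeySA:  # one peer's manual key tunnel settings (hypothetical field names)
    local_spi: int
    remote_spi: int
    encryption: str
    enc_key: bytes
    authentication: str
    auth_key: bytes

def check_peer(sa):
    """Problems visible in a single peer's settings on their own."""
    problems = []
    for spi, side in ((sa.local_spi, "local"), (sa.remote_spi, "remote")):
        # SPI is a 32-bit field; values 0-255 are reserved (RFC 4303).
        if not 256 <= spi <= 0xFFFFFFFF:
            problems.append(f"{side} SPI {spi:#x} is outside the usable range 0x100-0xffffffff")
    if sa.local_spi == sa.remote_spi:
        problems.append("local and remote SPI must differ: there is one SA per direction")
    for kind, table, alg, key in (("encryption", ENC_KEY_LEN, sa.encryption, sa.enc_key),
                                  ("authentication", AUTH_KEY_LEN, sa.authentication, sa.auth_key)):
        want = table.get(alg)
        if want is None:
            problems.append(f"unknown {kind} algorithm {alg!r}")
        elif len(key) != want:
            problems.append(f"{alg} needs a {want}-byte key, got {len(key)}")
    return problems

def check_pair(a, b):
    """Problems that only show when the two peers' settings are compared side by side."""
    problems = check_peer(a) + check_peer(b)
    if a.local_spi != b.remote_spi or a.remote_spi != b.local_spi:
        problems.append("SPIs are not complementary: A's local SPI must be B's remote SPI and vice versa")
    if (a.encryption, a.enc_key) != (b.encryption, b.enc_key):
        problems.append("encryption algorithm or key differs between the peers")
    if (a.authentication, a.auth_key) != (b.authentication, b.auth_key):
        problems.append("authentication algorithm or key differs between the peers")
    return problems

# Constructed sample: what the two administrators agreed to enter on each device.
ENC_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")   # 16 bytes for AES-128
AUTH_KEY = bytes(range(20))                                    # 20 bytes for HMAC-SHA1
PEER_A = ManualKeySA(0x1000, 0x2000, "aes128", ENC_KEY, "sha1", AUTH_KEY)
PEER_B = ManualKeySA(0x2000, 0x1000, "aes128", ENC_KEY, "sha1", AUTH_KEY)
```

Running check_pair(PEER_A, PEER_B) on the sample returns an empty list; entering PEER_A's values unchanged on both devices is the classic mistake the SPI check catches.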
Caution: If you are not familiar with the security policies, SAs, selectors, and SA databases for your particular installation, do not attempt the following procedure without qualified assistance.