Manual Key; Creating A New Manual Key Configuration - Fortinet FortiGate Series Administration Manual

Manual Key

Creating a new manual key configuration

622
If required, you can manually define cryptographic keys for establishing an IPSec VPN tunnel. You would define manual keys in situations where:
- You require prior knowledge of the encryption or authentication key (that is, one of the VPN peers requires a specific IPSec encryption or authentication key).
- You need to disable encryption and authentication.
In both cases, you do not specify IPSec phase 1 and phase 2 parameters; you define manual keys by going to VPN > IPSEC > Manual Key instead.
Note: You should use manual keys only if it is unavoidable. There are potential difficulties in keeping keys confidential and in propagating changed keys to remote VPN peers securely.
For general information about how to configure an IPSec VPN, see the VPN User Guide.
Figure 382: Manual Key list

Create New: Create a new manual key configuration. See "Creating a new manual key configuration" on page 622.
Tunnel Name: The names of existing manual key configurations.
Remote Gateway: The IP addresses of remote peers or dialup clients.
Encryption Algorithm: The names of the encryption algorithms specified in the manual key configurations.
Authentication Algorithm: The names of the authentication algorithms specified in the manual key configurations.
Delete and Edit icons: Delete or edit a manual key configuration.
If one of the VPN devices is manually keyed, the other VPN device must also be manually
keyed with the identical authentication and encryption keys. In addition, it is essential that
both VPN devices be configured with complementary Security Parameter Index (SPI)
settings. The administrators of the devices need to cooperate to achieve this.
Each SPI identifies a Security Association (SA). The value is placed in ESP datagrams to
link the datagrams to the SA. When an ESP datagram is received, the recipient refers to
the SPI to determine which SA applies to the datagram. You must manually specify an SPI
for each SA. There is an SA for each direction, so for each VPN you must specify two
SPIs, a local SPI and a remote SPI, to cover bidirectional communications between two
VPN devices.
Caution: If you are not familiar with the security policies, SAs, selectors, and SA databases
for your particular installation, do not attempt the following procedure without qualified
assistance.
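The SPI pairing and the receiver's SA selection described above, as an added example that is not part of the Fortinet guide: two peers' manual key entries are checked for identical keys and algorithms and for complementary SPIs, and the SPI is read from an ESP header to decide whether a received datagram matches the inbound SA. The class, function names, addresses, SPIs and key bytes are constructed for illustration.

```python
import struct
from dataclasses import dataclass

@dataclass(frozen=True)
class ManualKeyConfig:
    # One peer's manual key entry: tunnel name, remote gateway, algorithms, keys, SPIs.
    tunnel_name: str
    remote_gateway: str
    encryption_algorithm: str
    authentication_algorithm: str
    local_spi: int
    remote_spi: int
    encryption_key: bytes
    authentication_key: bytes

def check_complementary(a: ManualKeyConfig, b: ManualKeyConfig) -> list:
    """Mismatches that keep two manually keyed peers from interoperating: keys and
    algorithms must be identical, and the SPIs complementary (the SPI one side
    calls local is the SPI the other side calls remote)."""
    problems = []
    for name in ("encryption_algorithm", "authentication_algorithm",
                 "encryption_key", "authentication_key"):
        if getattr(a, name) != getattr(b, name):
            problems.append(f"{name} differs")
    if a.local_spi != b.remote_spi:
        problems.append(f"{a.tunnel_name} local SPI {a.local_spi:#x} != "
                        f"{b.tunnel_name} remote SPI {b.remote_spi:#x}")
    if a.remote_spi != b.local_spi:
        problems.append(f"{a.tunnel_name} remote SPI {a.remote_spi:#x} != "
                        f"{b.tunnel_name} local SPI {b.local_spi:#x}")
    return problems

def select_inbound_sa(cfg: ManualKeyConfig, esp_datagram: bytes):
    """The receiver reads the SPI from the ESP header (RFC 4303: 4-byte SPI, then
    4-byte sequence number, network byte order) and accepts the datagram only if
    the SPI names its inbound SA, i.e. the local SPI of its own configuration."""
    if len(esp_datagram) < 8:
        return None  # too short to carry an ESP header
    spi, _seq = struct.unpack("!II", esp_datagram[:8])
    return cfg if spi == cfg.local_spi else None

# Constructed sample: keys, addresses and SPIs are placeholders, not real values.
SHARED = dict(encryption_algorithm="3DES", authentication_algorithm="SHA1",
              encryption_key=b"\x11" * 24, authentication_key=b"\x22" * 20)
SITE_A = ManualKeyConfig("to_B", "192.0.2.2", local_spi=0x1000, remote_spi=0x2000, **SHARED)
SITE_B = ManualKeyConfig("to_A", "192.0.2.1", local_spi=0x2000, remote_spi=0x1000, **SHARED)
# Peer B again, with its SPIs entered the wrong way round (not complementary).
SITE_B_SWAPPED = ManualKeyConfig("to_A", "192.0.2.1", local_spi=0x1000, remote_spi=0x2000, **SHARED)
# An ESP datagram A sends to B carries A's remote SPI, which is B's local SPI.
ESP_FROM_A = struct.pack("!II", SITE_A.remote_spi, 1) + b"<encrypted payload>"
```

Running check_complementary on both sides' entries before bringing the tunnel up catches the swapped-SPI case, which otherwise fails silently because neither receiver finds an inbound SA for the SPI it sees.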
FortiGate Version 4.0 MR1 Administration Guide
http://docs.fortinet.com/
IPSec VPN
FortiGate IPSec
01-410-89802-20090903