Manual Key - Fortinet FortiGate FortiGate-60M Administration Manual

VPN

Manual key

FortiGate-60M Administration Guide
You can select either of the following message digests to check the
authenticity of messages during an encrypted session:
• NULL-Do not use a message digest.
• MD5-Message Digest 5, the hash algorithm developed by RSA Data
Security.
• SHA1-Secure Hash Algorithm 1, which produces a 160-bit message
digest.
To specify one combination only, set the Encryption and Authentication
options of the second combination to NULL. To specify a third combination,
use the add button beside the fields for the second combination.
Enable replay Optionally enable or disable replay detection. Replay attacks occur when an
unauthorized party intercepts a series of IPSec packets and replays them
detection
back into the tunnel.
Enable perfect Enable or disable PFS. Perfect forward secrecy (PFS) improves security by
forcing a new Diffie-Hellman exchange whenever keylife expires.
forward
secrecy (PFS)
DH Group Select one Diffie-Hellman group (1, 2, or 5). The remote peer or client must be
configured to use the same group.
Keylife Select the method for determining when the phase 2 key expires: Seconds,
KBytes, or Both. If you select both, the key expires when either the time has
passed or the number of KB have been processed. The range is from 120 to
172800 seconds, or from 5120 to 2147483648 KB.
Autokey Keep Enable the option if you want the tunnel to remain active when no data is
being processed.
Alive
DHCP-IPSec If the FortiGate unit will relay DHCP requests from dialup clients to an external
DHCP server, you can select DHCP-IPsec Enable to enable DHCP over
IPSec services. The DHCP relay parameters must be configured separately.
For more information, see
Internet If the tunnel will support an Internet-browsing configuration, select the
browsing interface from the list.
browsing
Quick Mode Enter the method for choosing selectors for IKE negotiations:
Identities
• To choose a selector from a firewall encryption policy, select Use selectors
from policy.
• To disable selector negotiation, select Use wildcard selectors.
• To specify the firewall encryption policy source and destination IP
addresses, select Specify a selector and then select the names of the
source and destination addresses from the Source address and Dest
address lists. You may optionally specify source and destination port
numbers and/or a protocol number.
If required, you can manually define cryptographic keys for establishing an IPSec VPN
tunnel. You would define manual keys in situations where:
• Prior knowledge of the encryption and/or authentication key is required (that is,
one of the VPN peers requires a specific IPSec encryption and/or authentication
key).
• Encryption and authentication needs to be disabled.
01-28007-0144-20041217
"System DHCP" on page
Manual key
75.
255