Manual Key - Fortinet FortiGate FortiGate-1000 Administration Manual

VPN

Manual key

DH Group
Select one Diffie-Hellman group (1, 2, or 5) to propose for Phase 2 of the
IPSec VPN connection. The remote peer must be configured to use the same DH
group.

Keylife
Select either Seconds or KBytes for the keylife, or select Both.
The keylife causes the IPSec key to expire after a specified amount of time,
after a specified number of kbytes of data have been processed by the VPN
tunnel, or both. If you select Both, the key does not expire until both the
time has passed and the number of kbytes have been processed.
When the key expires, a new key is generated without interrupting service.
The Phase 2 proposal keylife can be from 120 to 172800 seconds or from 5120
to 2147483648 kbytes.

Autokey Keep Alive
Enable autokey keep alive to keep the VPN connection open even if no data is
being transferred.

DHCP-IPSec
If the tunnel will service remote dialup clients that broadcast a DHCP request
when connecting to the tunnel, select DHCP-IPSec. The FortiGate unit can relay
the request to an external DHCP server. For more information, see "System
DHCP" on page 73.

Internet browsing
Select the interface through which remote VPN users can connect to the
Internet. The Internet browsing interface becomes the virtual source interface
from which VPN users can connect through the firewall to browse the Internet.
In most configurations, the Internet browsing interface would be the internal
interface, and VPN users would be able to browse the Internet using the same
firewall policies as users on the internal network (for example, internal ->
external policies). For more information, see "Internet browsing through a VPN
tunnel" on page 283.

Quick Mode Identities
Use selectors from policy. Select this option for policy-based VPNs. A
policy-based VPN uses an encrypt policy to select which VPN tunnel to use for
the connection. In this configuration, the VPN tunnel is referenced directly
from the encrypt policy. You must select this option if both VPN peers are
FortiGate units.
Use wildcard selectors. Select this option for routing-based VPNs. A
routing-based VPN uses routing information to select which VPN tunnel to use
for the connection. In this configuration, the tunnel is referenced indirectly
by a route that points to a tunnel interface. You must select this option if
the remote VPN peer is a non-FortiGate unit that has been configured to
operate in tunnel interface mode.
Configure a manual key tunnel to create an IPSec VPN tunnel between the FortiGate
unit and a remote VPN peer that uses a manual key. The FortiGate unit must be
configured to use the same encryption and authentication algorithms used by the
remote peer.
A manual key VPN tunnel consists of a name for the tunnel, the IP address of the VPN
gateway or client at the opposite end of the tunnel, selection of the encryption and
authentication algorithms, and the keys in hexadecimal format.
To configure a manual key VPN
1. Go to VPN > IPSEC > Manual Key and add a VPN tunnel.
2. Add the source address, destination address, and a firewall policy.
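The procedure above leaves the hard part to the administrator: producing keys of exactly the length the chosen algorithms require, entering them as hex on both peers, and keeping the SPIs consistent. The following script is an added example, not code from the FortiGate-1000 Administration Guide or from Fortinet. It generates key material for a manual key tunnel, checks that a hand-entered hex key has the right length for its algorithm, and prints the configuration for both ends with the local and remote SPIs mirrored. The CLI text it prints uses the `config vpn ipsec manualkey` syntax of later FortiOS releases, which is an assumption here: this guide documents only the web UI, and older releases may name the fields differently. Because a manual key tunnel never rekeys, the keys stay in use until you replace them by hand, so guard them like any long-lived secret and prefer AES with SHA1 over DES and MD5.

```python
"""Key material and peer configuration for a FortiGate manual-key IPsec tunnel.

Added example; not from the FortiGate-1000 Administration Guide or Fortinet.
The emitted `config vpn ipsec manualkey` syntax is assumed from later FortiOS
releases; addresses and interface names below are constructed.
"""
import re
import secrets

# Exact key sizes in bytes. A manual-key tunnel takes the raw key (no
# passphrase derivation), so a key of the wrong length is useless.
ENC_KEY_BYTES = {"des": 8, "3des": 24, "aes128": 16, "aes192": 24, "aes256": 32}
AUTH_KEY_BYTES = {"md5": 16, "sha1": 20}

# SPI values 0-255 are reserved (RFC 4303); FortiGate accepts 0x100-0xffffffff.
SPI_MIN, SPI_MAX = 0x100, 0xFFFFFFFF


def fix_des_parity(key: bytes) -> bytes:
    """Force odd parity on every DES/3DES key byte (low bit is the parity bit)."""
    out = bytearray()
    for b in key:
        ones = bin(b >> 1).count("1")
        out.append((b & 0xFE) | (0 if ones % 2 == 1 else 1))
    return bytes(out)


def validate_hex_key(hex_key: str, algorithm: str, table: dict) -> bytes:
    """Check a hand-entered key: hex digits only, exactly the length the
    algorithm needs. Returns the key bytes or raises ValueError."""
    if algorithm not in table:
        raise ValueError(f"unsupported algorithm {algorithm!r}")
    if not re.fullmatch(r"[0-9a-fA-F]+", hex_key):
        raise ValueError("key must be hexadecimal")
    need = table[algorithm] * 2
    if len(hex_key) != need:
        raise ValueError(f"{algorithm} needs {need} hex digits, got {len(hex_key)}")
    return bytes.fromhex(hex_key)


def generate_material(encryption: str, authentication: str) -> dict:
    """Fresh random keys plus a distinct SPI for each direction of the tunnel."""
    enc = secrets.token_bytes(ENC_KEY_BYTES[encryption])
    if encryption in ("des", "3des"):
        enc = fix_des_parity(enc)
    auth = secrets.token_bytes(AUTH_KEY_BYTES[authentication])
    span = SPI_MAX - SPI_MIN + 1
    spi_a = secrets.randbelow(span) + SPI_MIN
    spi_b = secrets.randbelow(span) + SPI_MIN
    while spi_b == spi_a:
        spi_b = secrets.randbelow(span) + SPI_MIN
    return {"encryption": encryption, "enckey": enc.hex(),
            "authentication": authentication, "authkey": auth.hex(),
            "spi_a": spi_a, "spi_b": spi_b}


def peer_config(name, interface, remote_gw, local_spi, remote_spi, m) -> str:
    """CLI for one peer (assumed `config vpn ipsec manualkey` syntax)."""
    return "\n".join([
        "config vpn ipsec manualkey",
        f'    edit "{name}"',
        f'        set interface "{interface}"',
        f"        set remote-gw {remote_gw}",
        f"        set local-spi {local_spi:08x}",
        f"        set remote-spi {remote_spi:08x}",
        f"        set encryption {m['encryption']}",
        f"        set enckey {m['enckey']}",
        f"        set authentication {m['authentication']}",
        f"        set authkey {m['authkey']}",
        "    next",
        "end",
    ])


def tunnel_pair(name, iface_a, gw_a, iface_b, gw_b, m) -> tuple:
    """Both ends of one tunnel: identical algorithms and keys, SPIs mirrored
    (peer A's local SPI is peer B's remote SPI and vice versa)."""
    cfg_a = peer_config(name, iface_a, gw_b, m["spi_a"], m["spi_b"], m)
    cfg_b = peer_config(name, iface_b, gw_a, m["spi_b"], m["spi_a"], m)
    return cfg_a, cfg_b


if __name__ == "__main__":
    material = generate_material("aes256", "sha1")
    side_a, side_b = tunnel_pair("to_branch", "external", "192.0.2.1",
                                 "wan1", "198.51.100.1", material)
    print(side_a, side_b, sep="\n\n")
```

Paste each printed block into the corresponding peer; the only values that differ between the two are the interface, the remote gateway, and the swapped SPIs, which is exactly the symmetry the guide's "same encryption and authentication algorithms" requirement demands.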