VPN IPSEC Manual Key
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102 297
Creating a new manual key configuration
If one of the VPN devices uses specific authentication and/or encryption keys to
establish a tunnel, both VPN devices must be configured to use identical
authentication and/or encryption keys. In addition, it is essential that both VPN
devices be configured with complementary Security Parameter Index (SPI)
settings.
Each SPI identifies a Security Association (SA). The value is placed in ESP
datagrams to link the datagrams to the SA. When an ESP datagram is received,
the recipient refers to the SPI to determine which SA applies to the datagram. An
SPI must be specified manually for each SA. Because an SA applies to
communication in one direction only, you must specify two SPIs per configuration
(a local SPI and a remote SPI) to cover bidirectional communications between two
VPN devices.
To specify manual keys for creating a tunnel, go to VPN > IPSEC > Manual Key
and select Create New.
Figure 181: New Manual Key
Authentication Algorithm The names of the authentication algorithms specified in the manual key configurations.
Delete and Edit icons Delete or edit a manual key configuration.
Caution: If you are not familiar with the security policies, SAs, selectors, and SA databases for your particular installation, do not attempt the following procedure without qualified assistance.
Name Type a name for the VPN tunnel. The maximum name length is 15 characters for an interface mode VPN, 35 characters for a policy-based VPN.
Local SPI Type a hexadecimal number (up to 8 characters, 0-9, a-f) that represents the SA that handles outbound traffic on the local FortiGate unit. The valid range is from 0x100 to 0xffffffff. This value must match the Remote SPI value in the manual key configuration at the remote peer.
Remote SPI Type a hexadecimal number (up to 8 characters, 0-9, a-f) that represents the SA that handles inbound traffic on the local FortiGate unit. The valid range is from 0x100 to 0xffffffff. This value must match the Local SPI value in the manual key configuration at the remote peer.