182 Fortinet Inc.
Manual Keys IPSec VPN
Key management
There are three basic elements in any encryption system:
an algorithm which changes information into code,
a cryptographic key which serves as a secret starting point for the algorithm,
a management system to control the key.
IPSec provides two ways to handle key exchange and management: manual keying
and IKE for automated key management.
Manual Keys
Automatic Internet Key Exchange (AutoIKE) with pre-shared keys or certificates

Manual Keys

When manual keys are employed, matching security parameters must be entered at
both ends of the tunnel. These settings, which include both the encryption and
authentication keys, must be kept secret so that unauthorized parties cannot decrypt
the data, even if they know which encryption algorithm is being used.

Automatic Internet Key Exchange (AutoIKE) with pre-shared keys or certificates

To facilitate deployment of multiple tunnels, an automated system of key management
is required. IPSec supports the automated generation and negotiation of keys using
the Internet Key Exchange protocol. This method of key management is typically
referred to as AutoIKE. Fortinet supports AutoIKE with pre-shared keys and AutoIKE
with certificates.

AutoIKE with pre-shared keys

When both peers in a session have been configured with the same pre-shared key,
they can use it to authenticate themselves to each other. The peers do not actually
send the key to each other. Instead, as part of the security negotiation process, they
use it in combination with a Diffie-Hellman group to create a session key. The session
key is used for encryption and authentication purposes, and is automatically
regenerated during the communication session by IKE.
Pre-shared keys are similar to the manual keys in that they require the network
administrator to distribute and manage matching information at the VPN peer sites.
Whenever a pre-shared key changes, the administrator must update both sites.

AutoIKE with certificates

This method of key management involves the participation of a trusted third party, the
certificate authority (CA). Each peer in a VPN is first required to generate a set of
keys, known as a public/private key pair. The CA signs the public key for each peer,
creating a signed digital certificate. The peer then contacts the CA to retrieve their own
certificates, plus that of the CA itself. Once the certificates have been uploaded to the
FortiGate units and appropriate IPSec tunnels and policies have been configured, the
peers are ready to start communicating. As they do, IKE manages the exchange of
certificates, transmitting signed digital certificates from one peer to another. The
signed digital certificates are validated by the presence of the CA certificate at each
end. With authentication complete, the IPSec tunnel is then established.
In some respects, certificates are simpler to manage than manual keys or pre-shared
keys. For this reason, certificates are best suited to large network deployments.