IPSec VPN | Manual key IPSec VPNs |
|
|
Manual key IPSec VPNs
When using manual keys, complementary security parameters must be entered at both ends of the tunnel. In addition to encryption and authentication algorithms and keys, the security parameter index (SPI) is required. The SPI is an arbitrary value that defines the structure of the communication between the peers. With other methods, the SPI is generated automatically but with the manual key configuration it must be entered as part of the VPN setup.
The encryption and authentication keys must match on the local and remote peers, that is, the SPI values must be mirror images of each other. After you enter these values, the VPN tunnel can start without a need for the authentication and encryption algorithms to be negotiated. Provided you entered correct, complementary values, the tunnels are established between the peers. This means that the tunnel already exists between the peers. As a result, when traffic matches a policy requiring the tunnel, it can be authenticated and encrypted immediately.
•General configuration steps for a manual key VPN
•Adding a manual key VPN tunnel
General configuration steps for a manual key VPN
A manual key VPN configuration consists of a manual key VPN tunnel, the source and destination addresses for both ends of the tunnel, and an encrypt policy to control access to the VPN tunnel.
To create a manual key VPN configuration
1Add a manual key VPN tunnel. See “Adding a manual key VPN tunnel” on page 181.
2Configure an encrypt policy that includes the tunnel, source address, and destination address for both ends of the tunnel. See “Configuring encrypt policies” on page 193.
Adding a manual key VPN tunnel
Configure a manual key tunnel to create an IPSec VPN tunnel between the FortiGate unit and a remote IPSec VPN client or gateway that is also using manual key.
To add a manual key VPN tunnel
1Go to VPN > IPSec > Manual Key.
2Select New to add a new manual key VPN tunnel.
3Type a VPN Tunnel Name.
The name can contain numbers
4Enter the Local SPI.
The Local Security Parameter Index is a hexadecimal number of up to eight digits (digits can be 0 to 9, a to f) in the range bb8 to FFFFFFF. This number must be added to the Remote SPI at the opposite end of the tunnel.
5Enter the Remote SPI.
The Remote Security Parameter Index is a hexadecimal number of up to eight digits (digits can be 0 to 9, a to f) in the range bb8 to FFFFFFF. This number must be added to the Local SPI at the opposite end of the tunnel.
181 |