FortiGate Administration Guide - FirewallShop.com

VPN IPSEC
Manual Key

Encryption Algorithm        The names of the encryption algorithms specified in the manual key configurations.
Authentication Algorithm    The names of the authentication algorithms specified in the manual key configurations.
Delete and Edit icons       Delete or edit a manual key configuration.

Creating a new manual key configuration

If one of the VPN devices uses specific authentication and/or encryption keys to establish a tunnel, both VPN devices must be configured to use identical authentication and/or encryption keys. In addition, it is essential that both VPN devices be configured with complementary Security Parameter Index (SPI) settings.

Each SPI identifies a Security Association (SA). The value is placed in ESP datagrams to link the datagrams to the SA. When an ESP datagram is received, the recipient refers to the SPI to determine which SA applies to the datagram. An SPI must be specified manually for each SA. Because an SA applies to communication in one direction only, you must specify two SPIs per configuration (a local SPI and a remote SPI) to cover bidirectional communications between two VPN devices.

Caution: If you are not familiar with the security policies, SAs, selectors, and SA databases for your particular installation, do not attempt the following procedure without qualified assistance.

To specify manual keys for creating a tunnel, go to VPN > IPSEC > Manual Key and select Create New.

Figure 228: New Manual Key

Name        Type a name for the VPN tunnel. The maximum name length is 15 characters for an interface mode VPN, 35 characters for a policy-based VPN.
Local SPI   Type a hexadecimal number (up to 8 characters, 0-9, a-f) that represents the SA that handles outbound traffic on the local FortiGate unit. The valid range is from 0x100 to 0xffffffff. This value must match the Remote SPI value in the manual key configuration at the remote peer.
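Because a manual-key tunnel has no key exchange to negotiate the SAs, the two peers only come up if their configurations are exact mirrors: each side's Local SPI equals the other side's Remote SPI, every SPI is a valid hexadecimal value in the 0x100 to 0xffffffff range, and the algorithm names and keys are identical on both ends. The following Python script is an added example, not part of this guide and not FortiGate code; it represents each peer's manual key settings as a constructed dictionary (not FortiGate CLI syntax) and applies the field rules stated above, so an administrator can catch a mismatched pair before committing it. The algorithm names, key strings, and tunnel name in the sample records are constructed placeholders.

```python
"""Consistency checks for a pair of IPsec manual-key configurations.

Added example: the records below are a constructed dictionary form of the
fields described in the guide (Name, Local SPI, Remote SPI, algorithms,
keys), not FortiGate CLI syntax.
"""

SPI_MIN = 0x100          # lower bound stated in the guide
SPI_MAX = 0xFFFFFFFF     # upper bound stated in the guide
NAME_LIMITS = {"interface": 15, "policy": 35}  # max tunnel name length per mode


def validate_spi(value):
    """Return the integer SPI if `value` is a valid manual-key SPI string.

    Rule from the guide: hexadecimal, up to 8 characters from 0-9/a-f, and
    within 0x100..0xffffffff. An optional "0x" prefix is accepted here for
    convenience (assumption, not a rule from the guide). Raises ValueError.
    """
    text = value.strip().lower()
    if text.startswith("0x"):
        text = text[2:]
    if not text or len(text) > 8 or any(c not in "0123456789abcdef" for c in text):
        raise ValueError(f"SPI {value!r} is not 1-8 hexadecimal digits")
    spi = int(text, 16)
    if not SPI_MIN <= spi <= SPI_MAX:
        raise ValueError(f"SPI {value!r} is outside 0x100-0xffffffff")
    return spi


def validate_name(name, mode):
    """Enforce the tunnel name length limit for the given VPN mode."""
    limit = NAME_LIMITS[mode]
    if not name or len(name) > limit:
        raise ValueError(f"name {name!r} exceeds {limit} characters for {mode} mode VPN")
    return name


def check_peer_pair(local, remote):
    """Return a list of problems found between two peers' manual-key configs.

    An empty list means the pair is complementary: each side's Local SPI is
    the other side's Remote SPI, and algorithms and keys are identical.
    """
    problems = []
    for side, cfg in (("local", local), ("remote", remote)):
        try:
            validate_name(cfg["name"], cfg["mode"])
            validate_spi(cfg["local_spi"])
            validate_spi(cfg["remote_spi"])
        except ValueError as exc:
            problems.append(f"{side}: {exc}")
    if problems:
        return problems  # field errors first; SPI comparison needs valid values
    if validate_spi(local["local_spi"]) != validate_spi(remote["remote_spi"]):
        problems.append("local peer's Local SPI does not match remote peer's Remote SPI")
    if validate_spi(local["remote_spi"]) != validate_spi(remote["local_spi"]):
        problems.append("local peer's Remote SPI does not match remote peer's Local SPI")
    for field in ("encryption", "authentication", "enc_key", "auth_key"):
        if local[field] != remote[field]:
            problems.append(f"{field} differs between peers")
    return problems


# Constructed sample records (placeholder names, algorithms and key strings).
PEER_A = {
    "name": "branch_to_hq", "mode": "interface",
    "local_spi": "0x1001", "remote_spi": "0x1002",
    "encryption": "sample-enc-alg", "authentication": "sample-auth-alg",
    "enc_key": "PLACEHOLDER_ENC_KEY", "auth_key": "PLACEHOLDER_AUTH_KEY",
}
# The mirror image: A's Local SPI is B's Remote SPI and vice versa.
PEER_B = dict(PEER_A, name="hq_to_branch", local_spi="0x1002", remote_spi="0x1001")
# A misconfigured peer whose Remote SPI does not mirror A's Local SPI.
PEER_B_MISMATCH = dict(PEER_B, remote_spi="0x1003")

if __name__ == "__main__":
    print("A <-> B:", check_peer_pair(PEER_A, PEER_B) or "complementary")
    print("A <-> B (mismatch):", check_peer_pair(PEER_A, PEER_B_MISMATCH))
```

Running the script reports the A/B pair as complementary and lists the single SPI mismatch for the faulty peer; a production version would read the values from each unit's exported configuration rather than from inline dictionaries.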

FortiGate Version 3.0 MR5 Administration Guide
01-30005-0203-20070830 355
