VPN / Manual key
FortiGate-5000 series Administration Guide, 01-28008-0013-20050204, page 263
Manual key
If required, you can manually define cryptographic keys for establishing an IPSec VPN tunnel. You would define manual keys in situations where:
• Prior knowledge of the encryption and/or authentication key is required (that is, one of the VPN peers requires a specific IPSec encryption and/or authentication key).
• Encryption and authentication need to be disabled.
In both cases, you do not specify IPSec phase 1 and phase 2 parameters; you define manual keys on the VPN > IPSEC > Manual Key tab instead.
If one of the VPN peers uses specific authentication and encryption keys to establish a tunnel, both VPN peers must be configured to use the same encryption and authentication algorithms and keys.
Enable replay detection: Optionally enable or disable replay detection. Replay attacks occur when an unauthorized party intercepts a series of IPSec packets and replays them back into the tunnel.
Enable perfect forward secrecy (PFS): Enable or disable PFS. Perfect forward secrecy (PFS) improves security by forcing a new Diffie-Hellman exchange whenever keylife expires.
DH Group: Select one Diffie-Hellman group (1, 2, or 5). The remote peer or client must be configured to use the same group.
Keylife: Select the method for determining when the phase 2 key expires: Seconds, KBytes, or Both. If you select Both, the key expires when either the time has passed or the number of KB has been processed. The range is from 120 to 172800 seconds, or from 5120 to 2147483648 KB.
Autokey Keep Alive: Enable the option if you want the tunnel to remain active when no data is being processed.
DHCP-IPSec: If the FortiGate unit will relay DHCP requests from dialup clients to an external DHCP server, you can select DHCP-IPsec Enable to enable DHCP over IPSec services. The DHCP relay parameters must be configured separately. For more information, see “System DHCP” on page 79.
Internet browsing: If the tunnel will support an Internet-browsing configuration, select the browsing interface from the list.
Quick Mode Identities: Enter the method for choosing selectors for IKE negotiations:
• To choose a selector from a firewall encryption policy, select Use selectors from policy.
• To disable selector negotiation, select Use wildcard selectors.
• To specify the firewall encryption policy source and destination IP addresses, select Specify a selector and then select the names of the source and destination addresses from the Source address and Dest address lists. You may optionally specify source and destination port numbers and/or a protocol number.
Note: It may not be safe or practical to define manual keys because network administrators must be trusted to keep the keys confidential, and propagating changes to remote VPN peers in a secure manner may be difficult.
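As an added example (not from the guide), the check an auditor could run over an exported FortiGate configuration to flag the phase 2 and manual key settings this page describes: replay detection or PFS disabled, DH group 1, a keylife outside the documented range, or a tunnel that relies on manual keys. The FortiOS-style CLI option names (pfs, replay, dhgrp, keylife-type, keylifeseconds, keylifekbs, vpn ipsec manualkey) and the sample configuration are assumptions made for the example.

```python
# Valid keylife ranges from the guide: 120-172800 seconds, 5120-2147483648 KB.
KEYLIFE = {"keylifeseconds": ("seconds", 120, 172800),
           "keylifekbs": ("kbs", 5120, 2147483648)}
# Phase 2 options described in the guide, with the value that deserves a finding.
WEAK = {("pfs", "disable"): "PFS disabled",
        ("replay", "disable"): "replay detection disabled",
        ("dhgrp", "1"): "DH group 1 is the weakest of groups 1, 2 and 5"}
# Constructed sample in FortiOS-style CLI syntax; the option names are assumed.
SAMPLE_CONFIG = """\
config vpn ipsec phase2
    edit "branch_p2"
        set pfs disable
        set dhgrp 1
        set replay disable
        set keylife-type both
        set keylifeseconds 60
        set keylifekbs 5120
    next
end
config vpn ipsec manualkey
    edit "legacy_manual"
    next
end
"""
def parse_sections(text):
    """Map (table, entry name) -> {option: value} for every 'edit' block."""
    out, table, name = {}, None, None
    for s in (line.strip() for line in text.splitlines()):
        if s.startswith("config "):
            table = s[7:]
        elif s.startswith("edit "):
            name = s[5:].strip('"')
            out[(table, name)] = {}
        elif s.startswith("set ") and name is not None:
            key, _, val = s[4:].partition(" ")
            out[(table, name)][key] = val.strip('"')
    return out
def audit_phase2(text):
    """Return (entry, finding) pairs for the settings the guide warns about."""
    findings = []
    for (table, name), kv in parse_sections(text).items():
        if table == "vpn ipsec manualkey":  # see the guide's note on manual keys
            findings.append((name, "manual key tunnel: keys must be distributed by hand"))
            continue
        findings += [(name, msg) for (opt, bad), msg in WEAK.items() if kv.get(opt) == bad]
        kt = kv.get("keylife-type", "seconds")  # "both": either limit expires the key
        for opt, (mode, lo, hi) in KEYLIFE.items():
            if kt in (mode, "both") and not lo <= int(kv.get(opt, "0")) <= hi:
                findings.append((name, f"{opt} {kv.get(opt, '0')} outside {lo}-{hi}"))
    return findings
```

Running audit_phase2(SAMPLE_CONFIG) reports the disabled PFS and replay detection, the DH group, and the 60-second keylife for branch_p2, plus the manual key tunnel; the 5120 KB limit sits exactly on the lower bound and is accepted.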