Manual key, Manual key” on – Fortinet 100A User Manual
Page 253
VPN
Phase 2 advanced options
FortiGate-100A Administration Guide
01-28007-0068-20041203
253
Manual key
If required, you can manually define cryptographic keys for establishing an IPSec VPN
tunnel. You would define manual keys in situations where:
• Prior knowledge of the encryption and/or authentication key is required (that is,
one of the VPN peers requires a specific IPSec encryption and/or authentication
key).
• Encryption and authentication needs to be disabled.
You can select either of the following message digests to check the
authenticity of messages during an encrypted session:
•
NULL-Do not use a message digest.
•
MD5-Message Digest 5, the hash algorithm developed by RSA Data
Security.
•
SHA1-Secure Hash Algorithm 1, which produces a 160-bit message
digest.
To specify one combination only, set the Encryption and Authentication
options of the second combination to NULL. To specify a third combination,
use the add button beside the fields for the second combination.
Enable replay
detection
Optionally enable or disable replay detection. Replay attacks occur when an
unauthorized party intercepts a series of IPSec packets and replays them
back into the tunnel.
Enable perfect
forward
secrecy (PFS)
Enable or disable PFS. Perfect forward secrecy (PFS) improves security by
forcing a new Diffie-Hellman exchange whenever keylife expires.
DH Group
Select one Diffie-Hellman group (1, 2, or 5). The remote peer or client must be
configured to use the same group.
Keylife
Select the method for determining when the phase 2 key expires: Seconds,
KBytes, or Both. If you select both, the key expires when either the time has
passed or the number of KB have been processed. The range is from 120 to
172800 seconds, or from 5120 to 2147483648 KB.
Autokey Keep
Alive
Enable the option if you want the tunnel to remain active when no data is
being processed.
DHCP-IPSec
If the FortiGate unit will relay DHCP requests from dialup clients to an external
DHCP server, you can select DHCP-IPsec Enable to enable DHCP over
IPSec services. The DHCP relay parameters must be configured separately.
.
Internet
browsing
If the tunnel will support an Internet-browsing configuration, select the
browsing interface from the list.
Quick Mode
Identities
Enter the method for choosing selectors for IKE negotiations:
•
To choose a selector from a firewall encryption policy, select Use selectors
from policy.
•
To disable selector negotiation, select Use wildcard selectors.
•
To specify the firewall encryption policy source and destination IP
addresses, select Specify a selector and then select the names of the
source and destination addresses from the Source address and Dest
address lists. You may optionally specify source and destination port
numbers and/or a protocol number.