beautypg.com

Manual key, Manual key” on – Fortinet 100A User Manual

Page 253

background image

VPN

Phase 2 advanced options

FortiGate-100A Administration Guide

01-28007-0068-20041203

253

Manual key

If required, you can manually define cryptographic keys for establishing an IPSec VPN
tunnel. You would define manual keys in situations where:

• Prior knowledge of the encryption and/or authentication key is required (that is,

one of the VPN peers requires a specific IPSec encryption and/or authentication
key).

• Encryption and authentication needs to be disabled.

You can select either of the following message digests to check the

authenticity of messages during an encrypted session:

NULL-Do not use a message digest.

MD5-Message Digest 5, the hash algorithm developed by RSA Data
Security.

SHA1-Secure Hash Algorithm 1, which produces a 160-bit message
digest.

To specify one combination only, set the Encryption and Authentication

options of the second combination to NULL. To specify a third combination,

use the add button beside the fields for the second combination.

Enable replay
detection

Optionally enable or disable replay detection. Replay attacks occur when an

unauthorized party intercepts a series of IPSec packets and replays them

back into the tunnel.

Enable perfect
forward
secrecy (PFS)

Enable or disable PFS. Perfect forward secrecy (PFS) improves security by

forcing a new Diffie-Hellman exchange whenever keylife expires.

DH Group

Select one Diffie-Hellman group (1, 2, or 5). The remote peer or client must be

configured to use the same group.

Keylife

Select the method for determining when the phase 2 key expires: Seconds,

KBytes, or Both. If you select both, the key expires when either the time has

passed or the number of KB have been processed. The range is from 120 to

172800 seconds, or from 5120 to 2147483648 KB.

Autokey Keep
Alive

Enable the option if you want the tunnel to remain active when no data is

being processed.

DHCP-IPSec

If the FortiGate unit will relay DHCP requests from dialup clients to an external

DHCP server, you can select DHCP-IPsec Enable to enable DHCP over

IPSec services. The DHCP relay parameters must be configured separately.

For more information, see

“System DHCP” on page 73

.

Internet
browsing

If the tunnel will support an Internet-browsing configuration, select the

browsing interface from the list.

Quick Mode
Identities

Enter the method for choosing selectors for IKE negotiations:

To choose a selector from a firewall encryption policy, select Use selectors
from policy.

To disable selector negotiation, select Use wildcard selectors.

To specify the firewall encryption policy source and destination IP
addresses, select Specify a selector and then select the names of the
source and destination addresses from the Source address and Dest
address lists. You may optionally specify source and destination port
numbers and/or a protocol number.