ipsec manualkey
Use this command to configure manual keys for IPSec tunnel-mode VPN tunnels. You configure a manual key tunnel to create an IPSec tunnel-mode VPN tunnel between the FortiGate unit and a remote IPSec VPN client or gateway that is also configured with a manual key.
A manual key VPN tunnel consists of a name for the tunnel, the IP address of the VPN gateway or client at the opposite end of the tunnel, and the encryption and authentication algorithms to use for the tunnel. Because the keys are entered when you configure the tunnel, no negotiation is required for the VPN tunnel to start. However, the VPN gateway or client that connects to this tunnel must use the same encryption and authentication algorithms and must have the same encryption and authentication keys.
Syntax
config vpn ipsec manualkey
    edit <tunnel_name>
        set authentication <authentication_algorithm>
        set authkey <authentication_key>
        set encryption <method>
        set enckey <encryption_key>
        set interface <interface_name>
        set localspi <local_spi_number>
        set local-gw <address_ipv4>
        set npu-offload {enable | disable}
        set remote-gw <address_ipv4>
        set remotespi <remote_spi_number>
end
The authentication, encryption, interface, remote-gw, localspi, and remotespi fields are required. All other fields are optional.
Variables

edit <tunnel_name>
Enter a name for the tunnel.
Default: no default.

authentication <authentication_algorithm>
Enter one of the following authentication algorithms: md5, null, sha1, sha256, sha384, sha512.
Make sure you use the same algorithm at both ends of the tunnel.
Note: encryption and authentication cannot both be null.
Default: null

authkey <authentication_key>
This field is available when authentication is set to md5, sha1, or sha256.
Enter the key in 16-digit (8-byte) hexadecimal segments separated by hyphens. For example (MD5):
0102030405060708-090a0b0c0d0e0f10
For a SHA1 key, the final segment is only 8 digits (4 bytes).
If authentication is md5, enter a 32-digit (16-byte) hexadecimal number.
If authentication is sha1, enter a 40-digit (20-byte) hexadecimal number.
If authentication is sha256, enter a 64-digit (32-byte) hexadecimal number.
Digits can be 0 to 9 and a to f.
Use the same authentication key at both ends of the tunnel.
Default: no default.

encryption <method>
Enter one of the following encryption algorithms: 3des, aes128, aes192, aes256, aria128, aria192, aria256, des, seed, null.
The ARIA and SEED algorithms are not available on some models.
Make sure you use the same algorithm at both ends of the tunnel.
Note: encryption and authentication cannot both be null.
Default: null

enckey <encryption_key>
This field is available when encryption is set to 3des, aes128, aes192, aes256, or des. Enter the associated encryption key:
If encryption is des, enter a 16-digit (8-byte) hexadecimal number.
If encryption is 3des, enter a 48-digit (24-byte) hexadecimal number.
If encryption is aes128, enter a 32-digit (16-byte) hexadecimal number.
If encryption is aes192, enter a 48-digit (24-byte) hexadecimal number.
If encryption is aes256, enter a 64-digit (32-byte) hexadecimal number.
Digits can be 0 to 9 and a to f.
For all of the above, separate each 16-digit (8-byte) hexadecimal segment with a hyphen.
Use the same encryption key at both ends of the tunnel.
Default: no default.

interface <interface_name>
Enter the name of the physical, aggregate, or VLAN interface to which the IPSec tunnel will be bound. The FortiGate unit obtains the IP address of the interface from the system interface settings (see "interface").
You cannot change interface if a firewall policy references this VPN.
Default: null

local-gw <address_ipv4>
Optionally, specify a secondary IP address of the interface selected in interface to use for the local end of the VPN tunnel. If you do not specify an IP address here, the FortiGate unit obtains the IP address of the interface from the system interface settings (see "interface").
Default: 0.0.0.0

localspi <local_spi_number>
Local Security Parameter Index. Enter a hexadecimal number of up to eight digits (digits can be 0 to 9 and a to f) in the range 0x100 to FFFFFFF. The peer at the opposite end of the tunnel must enter this value as its Remote SPI.
Default: 0x100

npu-offload {enable | disable}
Enable or disable offloading the VPN session to the NPU.
Default: enable

remote-gw <address_ipv4>
The IP address of the external interface of the remote gateway.
Default: 0.0.0.0

remotespi <remote_spi_number>
Remote Security Parameter Index. Enter a hexadecimal number of up to eight digits in the range 0x100 to FFFFFFF. The peer at the opposite end of the tunnel must enter this value as its Local SPI.
Default: 0x100
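As an added example (not part of the Fortinet documentation), the Python checker below applies the key-format, SPI-range and both-ends-must-match rules described above to a constructed manualkey entry; the interface name, gateway address and key values in the sample are hypothetical.

```python
import re

# Key lengths (hex digits) and SPI range as the page gives them; the sample entry is constructed, with hypothetical values.
AUTH_KEY_DIGITS = {"md5": 32, "sha1": 40, "sha256": 64}
ENC_KEY_DIGITS = {"des": 16, "3des": 48, "aes128": 32, "aes192": 48, "aes256": 64}
SPI_MIN, SPI_MAX = 0x100, 0xFFFFFFF
LOCAL_END = """
    set authentication md5
    set authkey 0102030405060708-090a0b0c0d0e0f10
    set encryption aes128
    set enckey 0011223344556677-8899aabbccddeeff
    set interface port1
    set localspi 0x100
    set remote-gw 203.0.113.10
    set remotespi 0x101
"""

def parse_manualkey(text):
    """Collect the 'set <field> <value>' lines of one manualkey entry into a dict."""
    return dict(re.findall(r"^\s*set\s+(\S+)\s+(.+?)\s*$", text, re.MULTILINE))

def valid_key(key, digits):
    """Exactly `digits` hex digits in 16-digit hyphen-separated segments; only the last
    segment may be shorter (the 8-digit tail of a SHA1 key, for example)."""
    segs = key.split("-")
    if not re.fullmatch(r"[0-9a-f]{%d}" % digits, "".join(segs)):
        return False
    return all(len(s) == 16 for s in segs[:-1]) and 0 < len(segs[-1]) <= 16

def valid_spi(value):
    """Hex SPI of up to eight digits (optional 0x prefix) inside the documented range."""
    return bool(re.fullmatch(r"(0x)?[0-9a-f]{1,8}", value)) and SPI_MIN <= int(value, 16) <= SPI_MAX

def validate(cfg):
    """Return the problems found in one manualkey entry (an empty list means OK)."""
    errors = []
    auth, enc = cfg.get("authentication", "null"), cfg.get("encryption", "null")
    if auth == "null" and enc == "null":
        errors.append("encryption and authentication cannot both be null")
    for field, algo, table in (("authkey", auth, AUTH_KEY_DIGITS), ("enckey", enc, ENC_KEY_DIGITS)):
        if algo in table and not valid_key(cfg.get(field, ""), table[algo]):
            errors.append(f"{field} must be {table[algo]} hex digits for {algo}")
    errors += [f"{f} is out of range" for f in ("localspi", "remotespi") if not valid_spi(cfg.get(f, ""))]
    errors += [f"{f} is required" for f in ("interface", "remote-gw") if f not in cfg]
    return errors

def peers_match(a, b):
    """Both ends share algorithms and keys, and each end's local SPI is the other's remote SPI."""
    same = all(a.get(k) == b.get(k) for k in ("authentication", "authkey", "encryption", "enckey"))
    return same and a.get("localspi") == b.get("remotespi") and a.get("remotespi") == b.get("localspi")
```

Run `validate(parse_manualkey(text))` on each end's entry, then `peers_match` on the two results, to catch a mistyped key segment or a non-mirrored SPI before the tunnel silently fails to pass traffic.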