Chapter 11 IPsec VPN for FortiOS 5.0 : IPsec VPN in the web-based manager : Manual Key : Manual key configuration settings
  
Manual key configuration settings
If one of the VPN devices is manually keyed, the other VPN device must also be manually keyed with the identical authentication and encryption keys. In addition, it is essential that both VPN devices be configured with complementary Security Parameter Index (SPI) settings. The administrators of the devices need to cooperate to achieve this.
If you are not familiar with the security policies, SAs, selectors, and SA databases for your particular installation, do not attempt these procedures without qualified assistance.
Each SPI identifies a Security Association (SA). The value is placed in ESP datagrams to link the datagrams to the SA. When an ESP datagram is received, the recipient refers to the SPI to determine which SA applies to the datagram. You must manually specify an SPI for each SA. There is an SA for each direction, so for each VPN you must specify two SPIs, a local SPI and a remote SPI, to cover bidirectional communications between two VPN devices.
To use manual keys, you must first enable the feature. To do this, go to System > Admin > Settings and select IPSec Manual Key from the Display Options on GUI section.
 
Name
Type a name for the VPN tunnel. The maximum name length is 15 characters for an interface mode VPN, 35 characters for a policy-based VPN.
Local SPI
Type a hexadecimal number (up to 8 characters, 0-9, a-f) that represents the SA that handles outbound traffic on the local FortiGate unit. The valid range is from 0x100 to 0xffffffff. This value must match the Remote SPI value in the manual key configuration at the remote peer.
Remote SPI
Type a hexadecimal number (up to 8 characters, 0-9, a-f) that represents the SA that handles inbound traffic on the local FortiGate unit. The valid range is from 0x100 to 0xffffffff. This value must match the Local SPI value in the manual key configuration at the remote peer.
Remote Gateway
Enter the IP address of the public interface to the remote peer. The address identifies the recipient of ESP datagrams.
Local Interface
This option is available in NAT mode only. Select the name of the interface to which the IPsec tunnel will be bound. The FortiGate unit obtains the IP address of the interface from the network interface settings.
Encryption Algorithm
Select one of the following symmetric-key encryption algorithms:
NULL — Do not use an encryption algorithm.
DES — Data Encryption Standard, a 64-bit block algorithm that uses a 56-bit key.
3DES — Triple-DES, where plain text is encrypted three times by three keys.
AES128 — a 128-bit block Cipher Block Chaining algorithm that uses a 128-bit key.
AES192 — a 128-bit block Cipher Block Chaining algorithm that uses a 192-bit key.
AES256 — a 128-bit block Cipher Block Chaining algorithm that uses a 256-bit key.
Note: The algorithms for encryption and authentication cannot both be NULL.
Authentication Algorithm
Select one of the following message digests:
NULL — Do not use a message digest.
MD5 — Message Digest 5 algorithm, which produces a 128-bit message digest.
SHA1 — Secure Hash Algorithm 1, which produces a 160-bit message digest.
SHA256 — Secure Hash Algorithm 2, which produces a 256-bit message digest.
SHA384 — Secure Hash Algorithm 2, which produces a 384-bit message digest.
SHA512 — Secure Hash Algorithm 2, which produces a 512-bit message digest.
Note: The algorithms for encryption and authentication cannot both be NULL.
IPsec Interface Mode
Create a virtual interface for the local end of the VPN tunnel. Select this check box to create a route-based VPN, clear it to create a policy-based VPN.
This is available only in NAT mode.
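As an added example that is not part of the FortiOS documentation, the following Python script checks a manual-key tunnel definition against the rules stated on this page (SPI format and 0x100 to 0xffffffff range, the permitted algorithm names, the rule that encryption and authentication cannot both be NULL, and the 15 or 35 character name limit by mode) and then derives the complementary settings the remote peer must use, with local and remote SPI swapped. The field names, helper functions and sample addresses are the script's own assumptions, not FortiOS CLI syntax.

```python
# Added example, not Fortinet code: field names and sample values are this script's own.
from dataclasses import dataclass, replace

ENC_ALGS = {"NULL", "DES", "3DES", "AES128", "AES192", "AES256"}
AUTH_ALGS = {"NULL", "MD5", "SHA1", "SHA256", "SHA384", "SHA512"}
SPI_MIN, SPI_MAX = 0x100, 0xFFFFFFFF   # valid SPI range stated on the page

@dataclass(frozen=True)
class ManualKeyTunnel:
    name: str
    local_spi: str        # hex digits only (0-9, a-f), up to 8 characters
    remote_spi: str
    remote_gateway: str   # public IP of the remote peer
    encryption: str
    authentication: str
    interface_mode: bool = False   # True = route-based (virtual interface)

def check_spi(spi: str) -> int:
    """Return the SPI as an integer; raise ValueError if it is malformed or out of range."""
    if not 1 <= len(spi) <= 8 or any(c not in "0123456789abcdef" for c in spi.lower()):
        raise ValueError(f"SPI {spi!r} must be 1-8 hex characters (0-9, a-f)")
    value = int(spi, 16)
    if not SPI_MIN <= value <= SPI_MAX:
        raise ValueError(f"SPI {spi!r} is outside 0x100-0xffffffff")
    return value

def validate(t: ManualKeyTunnel) -> list:
    """Return every rule violation found in one tunnel definition (empty list means OK)."""
    problems = []
    limit = 15 if t.interface_mode else 35   # name length differs by VPN mode
    if not 1 <= len(t.name) <= limit:
        problems.append(f"name must be 1-{limit} characters for this mode")
    for side, spi in (("local", t.local_spi), ("remote", t.remote_spi)):
        try:
            check_spi(spi)
        except ValueError as err:
            problems.append(f"{side} SPI: {err}")
    if t.encryption not in ENC_ALGS:
        problems.append(f"unknown encryption algorithm {t.encryption!r}")
    if t.authentication not in AUTH_ALGS:
        problems.append(f"unknown authentication algorithm {t.authentication!r}")
    if t.encryption == "NULL" and t.authentication == "NULL":
        problems.append("encryption and authentication cannot both be NULL")
    return problems

def peer_settings(t: ManualKeyTunnel, peer_gateway: str) -> ManualKeyTunnel:
    """Derive the other device's configuration: SPIs swapped, algorithms identical,
    Remote Gateway pointing back at this device's public address (peer_gateway)."""
    return replace(t, local_spi=t.remote_spi, remote_spi=t.local_spi, remote_gateway=peer_gateway)
```

Running `validate` on both the local definition and the output of `peer_settings` before the two administrators commit their settings catches a mismatched SPI pair or a NULL/NULL selection without bringing the tunnel up.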