Chapter 11 IPsec VPN for FortiOS 5.0 : Manual-key configurations : Specify the manual keys for creating a tunnel
  
Specify the manual keys for creating a tunnel
Specify the manual keys for creating a tunnel as follows:
1. Go to VPN > IPsec > Manual Key and select Create New.
2. Include appropriate entries as follows:
Name
Type a name for the VPN tunnel.
Local SPI
Type a hexadecimal number (up to 8 characters, 0-9, a-f) that represents the SA that handles outbound traffic on the local FortiGate unit. The valid range is from 0x100 to 0xffffffff. This value must match the Remote SPI value in the manual key configuration at the remote peer.
Remote SPI
Type a hexadecimal number (up to 8 characters, 0-9, a-f) that represents the SA that handles inbound traffic on the local FortiGate unit. The valid range is from 0x100 to 0xffffffff. This value must match the Local SPI value in the manual key configuration at the remote peer.
Remote Gateway
Type the IP address of the public interface to the remote peer. The address identifies the recipient of ESP datagrams.
Local Interface
Select the name of the physical, aggregate, or VLAN interface to which the IPsec tunnel will be bound. The FortiGate unit obtains the IP address of the interface from System > Network > Interface settings. This is available in NAT mode only.
Encryption Algorithm
Select one of the following symmetric-key encryption algorithms:
DES — Digital Encryption Standard, a 64-bit block algorithm that uses a 56-bit key.
3DES — Triple-DES, in which plain text is encrypted three times by three keys.
AES128 — A 128-bit block algorithm that uses a 128-bit key.
AES192 — A 128-bit block algorithm that uses a 192-bit key.
AES256 — A 128-bit block algorithm that uses a 256-bit key.
Encryption Key (Hex)
If you selected:
DES, type a 16-character hexadecimal number (0-9, a-f).
3DES, type a 48-character hexadecimal number (0-9, a-f) separated into three segments of 16 characters.
AES128, type a 32-character hexadecimal number (0-9, a-f) separated into two segments of 16 characters.
AES192, type a 48-character hexadecimal number (0-9, a-f) separated into three segments of 16 characters.
AES256, type a 64-character hexadecimal number (0-9, a-f) separated into four segments of 16 characters.
Authentication Algorithm
Select one of the following message digests:
MD5 — Message Digest 5 algorithm, which produces a 128-bit message digest.
SHA1 — Secure Hash Algorithm 1, which produces a 160-bit message digest.
Authentication Key (Hex)
If you selected:
MD5, type a 32-character hexadecimal number (0-9, a-f) separated into two segments of 16 characters.
SHA1, type a 40-character hexadecimal number (0-9, a-f) separated into one segment of 16 characters and a second segment of 24 characters.
IPsec Interface Mode
Select to create a route-based VPN. A virtual IPsec interface is created on the Local Interface that you selected. This option is available only in NAT mode.
3. Select OK.
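The procedure above leaves two things to the operator that are easy to get wrong: producing key material of exactly the required length from a proper random source, and mirroring the SPIs between the two peers. The following Python script is an added example, not Fortinet code or part of this guide; it encodes the form constraints stated above (SPI range 0x100 to 0xffffffff, hex-only keys, per-algorithm key lengths, the 16-character segment layout with SHA1's 16 + 24 split), draws fresh keys and SPIs from the operating system CSPRNG, and prints the matching field values for both peers so that one peer's Local SPI is the other's Remote SPI. The interface name "wan1", the tunnel name and the gateway addresses are constructed placeholders, and the rule that a 3DES key's three segments must all differ is this example's own strictness (to avoid a key that collapses to single DES), not a FortiOS requirement.

```python
import re
import secrets

# Field constraints as the Manual Key form describes them (hex characters per key).
ENC_KEY_HEX_LEN = {"DES": 16, "3DES": 48, "AES128": 32, "AES192": 48, "AES256": 64}
AUTH_KEY_HEX_LEN = {"MD5": 32, "SHA1": 40}
SPI_MIN, SPI_MAX = 0x100, 0xFFFFFFFF
HEX_RE = re.compile(r"[0-9a-f]+")


def check_spi(value: str) -> int:
    """Validate an SPI typed as bare hex or '0x'-prefixed hex (1 to 8 digits, 0x100-0xffffffff)."""
    text = value.strip().lower()
    if text.startswith("0x"):
        text = text[2:]
    if not HEX_RE.fullmatch(text) or len(text) > 8:
        raise ValueError(f"SPI {value!r}: use 1 to 8 hex characters (0-9, a-f)")
    spi = int(text, 16)
    if not SPI_MIN <= spi <= SPI_MAX:
        raise ValueError(f"SPI {value!r}: must be between 0x100 and 0xffffffff")
    return spi


def check_key(value: str, algorithm: str, table: dict) -> str:
    """Strip segment separators, then enforce hex-only input and the exact length the algorithm needs."""
    if algorithm not in table:
        raise ValueError(f"unknown algorithm {algorithm!r}")
    text = re.sub(r"[\s:-]", "", value).lower()
    if not HEX_RE.fullmatch(text):
        raise ValueError(f"{algorithm} key: only 0-9 and a-f are accepted")
    if len(text) != table[algorithm]:
        raise ValueError(f"{algorithm} key: need {table[algorithm]} hex characters, got {len(text)}")
    if algorithm == "3DES":
        # Example's own check: equal 64-bit subkeys reduce 3DES to single-DES strength.
        k1, k2, k3 = text[:16], text[16:32], text[32:]
        if len({k1, k2, k3}) < 3:
            raise ValueError("3DES key: the three 16-character segments must all differ")
    return text


def segmented(hexkey: str, algorithm: str) -> str:
    """Render a key in the layout the form describes: 16-char segments, except SHA1 is 16 + 24."""
    widths = [16, 24] if algorithm == "SHA1" else [16] * (len(hexkey) // 16)
    parts, pos = [], 0
    for width in widths:
        parts.append(hexkey[pos:pos + width])
        pos += width
    return " ".join(parts)


def random_spi() -> int:
    """Uniform SPI from the valid range, using the OS CSPRNG."""
    return SPI_MIN + secrets.randbelow(SPI_MAX - SPI_MIN + 1)


def new_tunnel_pair(name, enc_alg, auth_alg, gw_a, gw_b, if_a="wan1", if_b="wan1"):
    """Draw fresh keys and SPIs and return the mirrored form values for peer A and peer B."""
    while True:  # regenerate in the (negligible) case a 3DES key fails the distinct-segment check
        enc_key = secrets.token_hex(ENC_KEY_HEX_LEN[enc_alg] // 2)
        try:
            check_key(enc_key, enc_alg, ENC_KEY_HEX_LEN)
            break
        except ValueError:
            continue
    auth_key = check_key(secrets.token_hex(AUTH_KEY_HEX_LEN[auth_alg] // 2), auth_alg, AUTH_KEY_HEX_LEN)
    spi_a = random_spi()
    spi_b = random_spi()
    while spi_b == spi_a:  # each direction gets its own SA identifier
        spi_b = random_spi()

    def form(local_spi, remote_spi, remote_gw, iface):
        return {
            "Name": name,
            "Local SPI": f"{local_spi:x}",
            "Remote SPI": f"{remote_spi:x}",
            "Remote Gateway": remote_gw,
            "Local Interface": iface,
            "Encryption Algorithm": enc_alg,
            "Encryption Key (Hex)": segmented(enc_key, enc_alg),
            "Authentication Algorithm": auth_alg,
            "Authentication Key (Hex)": segmented(auth_key, auth_alg),
        }

    # Peer A's Local SPI is peer B's Remote SPI (and vice versa); both peers share the same keys.
    return {"peer_a": form(spi_a, spi_b, gw_b, if_a), "peer_b": form(spi_b, spi_a, gw_a, if_b)}


if __name__ == "__main__":
    # Constructed placeholder names and TEST-NET addresses, not values from the guide.
    pair = new_tunnel_pair("branch-to-hq", "AES256", "SHA1", "203.0.113.10", "198.51.100.20")
    for peer, fields in pair.items():
        print(peer)
        for label, value in fields.items():
            print(f"  {label}: {value}")
```

Run it once per tunnel and transcribe each peer's block into that unit's Manual Key form; because the keys are generated rather than typed, the validation functions also serve to check values an operator has already entered by hand (for example, catching a SPI below 0x100 or an AES256 key that is short by one segment) before the mismatch shows up as a tunnel that silently drops traffic.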