Manual Key Configuration

Manual key configuration is one of two methods to negotiate the encryption keys for an IPsec SA. The other method is IKE.

Advantages

  • Does not depend on the IKE protocol, so less processing is used initially to negotiate the SA (Security Association).

  • You do not need to open UDP 500 (ISAKMP) in the firewall.

  • It is your only option when configuring an IPsec VPN for ICMP (Internet Control Message Protocol) echo or timestamp traffic only.

Disadvantages

  • Lengthy keys can be mistyped.

  • Keys can be leaked.

  • Keys can be difficult to manage with multiple remote sites.

  • Cannot be used to create a site-to-site IPsec VPN with the HP ProCurve Secure Router 7000dl series.

  • Cannot be used to configure a client-to-site VPN with multiple clients.

  • Cannot be used with IKE mode config.


How to Configure

Configure the manual keys in Step 2 of 4 of the Add IPsec Policy window (VPN > IPsec > IPsec Policies) by following these instructions:

  1. For Key Exchange Method, select Manual.

  2. For Local Gateway, select one of the following:

      • IP Address — Type the IP address of the local gateway. This IP address must already be configured in the SELF zone.

      • Use VLAN IP Address — Select the TMS VLAN that contains the Threat Management Services zl Module's VPN gateway interface.

  3. For Remote Gateway IP Address, type the IP address of the remote VPN gateway.

  4. ESP (Encapsulating Security Payload) or AH (Authentication Header) Keys — The IPsec proposal that you selected in Step 1 of 4 determines which fields populate this section.

      • For SPI (Security Parameters Index) Number, type a number between 256 and 2147483647 in decimal format. (In the log messages, the SPI may be shown in hexadecimal.)

      • For the inbound and outbound encryption keys (ESP only), type a key with the following number of characters:

          • 3DES (Triple Data Encryption Standard) — 24

          • AES (Advanced Encryption Standard)-128 — 16

          • AES-192 — 24

          • AES-256 — 32

      • For the inbound and outbound authentication keys, type a key with the following number of characters:

          • MD5 (Message Digest algorithm 5) — 16

          • SHA-1 (Secure Hash Algorithm 1) — 20

          • AES-XCBC (eXtended Cipher Block Chaining) — 16


The inbound key on the module must be identical to the outbound key on the remote endpoint, and the outbound key on the module must be identical to the inbound key on the remote endpoint.
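Because mistyped or mismatched keys are the main failure mode of manual keying, the following added example (not the module's own code) checks a policy against the constraints listed above: the SPI range and its hexadecimal form as seen in log messages, the per-algorithm key lengths, and the inbound/outbound mirroring between the two endpoints. The endpoint dictionaries and key values are constructed for illustration.

```python
# Added example: validate manual-key IPsec policy entries before applying them.
SPI_MIN, SPI_MAX = 256, 2147483647

# Required key length in characters, as listed in the configuration steps.
ENC_KEY_LEN = {"3des": 24, "aes-128": 16, "aes-192": 24, "aes-256": 32}
AUTH_KEY_LEN = {"md5": 16, "sha-1": 20, "aes-xcbc": 16}


def check_spi(spi):
    """Return the SPI as the hex string log messages use, or raise if out of range."""
    if not SPI_MIN <= spi <= SPI_MAX:
        raise ValueError(f"SPI {spi} outside {SPI_MIN}..{SPI_MAX}")
    return f"0x{spi:x}"


def check_key(key, algorithm, table):
    """Raise unless the key has exactly the length required for the algorithm."""
    expected = table[algorithm.lower()]
    if len(key) != expected:
        raise ValueError(f"{algorithm} key must be {expected} characters, got {len(key)}")
    return True


def check_endpoint(ep, proposal):
    """ep: dict with spi, in_enc, out_enc, in_auth, out_auth (constructed layout).
    proposal: ("esp", enc_alg, auth_alg) or ("ah", None, auth_alg)."""
    mode, enc, auth = proposal
    check_spi(ep["spi"])
    if mode == "esp":  # AH carries no encryption keys
        check_key(ep["in_enc"], enc, ENC_KEY_LEN)
        check_key(ep["out_enc"], enc, ENC_KEY_LEN)
    check_key(ep["in_auth"], auth, AUTH_KEY_LEN)
    check_key(ep["out_auth"], auth, AUTH_KEY_LEN)
    return True


def keys_mirror(local, remote, proposal):
    """Inbound on one side must equal outbound on the other, for every key."""
    pairs = [("in_auth", "out_auth"), ("out_auth", "in_auth")]
    if proposal[0] == "esp":
        pairs += [("in_enc", "out_enc"), ("out_enc", "in_enc")]
    return all(local[a] == remote[b] for a, b in pairs)


# Constructed sample: ESP with AES-128 and SHA-1, keys correctly mirrored.
PROPOSAL = ("esp", "aes-128", "sha-1")
LOCAL = {"spi": 4096, "in_enc": "0123456789abcdef", "out_enc": "fedcba9876543210",
         "in_auth": "abcdefghijklmnopqrst", "out_auth": "tsrqponmlkjihgfedcba"}
REMOTE = {"spi": 4096, "in_enc": "fedcba9876543210", "out_enc": "0123456789abcdef",
          "in_auth": "tsrqponmlkjihgfedcba", "out_auth": "abcdefghijklmnopqrst"}
```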