Manual Keying
As an alternative to IKE, you may use manual keying, in which you must specify each phase of the connection. Follow these steps to configure manual keying.

    Procedure 5-4: Using Manual Keying as an Alternative to IKE

    1. When editing the VPN settings, you may select Manual Keying. At that time, the edit menu changes to look like the screen below:

   

    2. Incoming SPI - Enter a Security Parameter Index that the remote host will send to identify the Security Association (SA). This will be the remote host’s outgoing SPI.

    3. Outgoing SPI - Enter a Security Parameter Index that this firewall will send to identify the Security Association (SA). This will be the remote host’s incoming SPI.

    The SPI should be a string of hexadecimal [0-9,a-f] characters, and should not be used in any other Security Association.

    For simplicity or troubleshooting, the incoming and outgoing SPI can be identical.

    4. For Encryption Protocol, select one:

   

    Figure 5-18: VPN encryption options

    a. Null - Fastest, but no security.

    b. DES - The Data Encryption Standard (DES) processes input data that is 64 bits wide, encrypting these values using a 56-bit key. Faster but less secure than 3DES or AES.

    c. 3DES - (Triple DES) achieves a higher level of security by encrypting the data three times using DES with three different, unrelated keys.

    d. AES - 128, 192, or 256. Most secure. Advanced Encryption Standard, a symmetric 128-bit block data encryption technique. It is an iterated block cipher with a variable block length and a variable key length. The block length and the key length can be independently specified to 128, 192 or 256 bits. The U.S. Government adopted the algorithm as its encryption technique in October 2000, replacing the DES encryption it used. AES works at multiple network layers simultaneously.

    e. Enter a hexadecimal encryption key:

    1. For DES, enter 16 hexadecimal [0-9,a-f] characters.

    2. For 3DES, enter 48 hexadecimal [0-9,a-f] characters.

    The encryption key must match exactly the key used by the remote router or host.

    5. Select the Authentication Protocol:

    1. MD5 (default) - 128 bits, faster but less secure.

    2. SHA-1 - 160 bits, slower but more secure.

    6. Enter 32 hexadecimal characters for the Authentication Key. The authentication key must match exactly the key used by the remote router or host.

    7. Click the NetBIOS Enable check box to allow NetBIOS over the VPN tunnel.

    8. Click Apply to enter the SA into the table.
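A pre-flight check for the values entered in steps 2 through 6, as an added example (not NETGEAR's code): it validates SPI and key formats against the lengths given in the procedure and confirms that the two ends of the tunnel mirror each other. The dictionary field names and the AES key lengths are assumptions; the sample values are constructed.

```python
import re

HEX = re.compile(r"[0-9a-fA-F]+")
# Key lengths in hex characters. DES, 3DES and the authentication key use the
# figures from the procedure; the AES lengths are an assumption derived from
# the key size in bits (4 bits per hex character).
ENC_KEY_HEX = {"null": 0, "des": 16, "3des": 48,
               "aes-128": 32, "aes-192": 48, "aes-256": 64}
AUTH_KEY_HEX = 32

def check_sa(sa, spis_in_use=()):
    """Return a list of problems in one manual-keying SA given as a dict."""
    problems = []
    used = {int(s, 16) for s in spis_in_use}
    for field in ("incoming_spi", "outgoing_spi"):
        spi = sa.get(field, "")
        if not HEX.fullmatch(spi):
            problems.append(f"{field} is not hexadecimal")
        elif int(spi, 16) in used:
            problems.append(f"{field} is already used by another SA")
    enc, key = sa.get("encryption", ""), sa.get("encryption_key", "")
    want = ENC_KEY_HEX.get(enc)
    if want is None:
        problems.append(f"unknown encryption protocol {enc!r}")
    elif len(key) != want or (want and not HEX.fullmatch(key)):
        problems.append(f"encryption_key must be {want} hex characters")
    if enc == "null":
        problems.append("null encryption provides no security")
    auth = sa.get("authentication_key", "")
    if len(auth) != AUTH_KEY_HEX or not HEX.fullmatch(auth):
        problems.append(f"authentication_key must be {AUTH_KEY_HEX} hex characters")
    return problems

def check_pair(local, remote):
    """Return mismatches between two SAs that each passed check_sa()."""
    problems = []
    for mine, theirs in (("incoming_spi", "outgoing_spi"),
                         ("outgoing_spi", "incoming_spi")):
        if int(local[mine], 16) != int(remote[theirs], 16):
            problems.append(f"local {mine} does not match remote {theirs}")
    for field in ("encryption", "encryption_key", "authentication",
                  "authentication_key"):
        if local.get(field, "").lower() != remote.get(field, "").lower():
            problems.append(f"{field} differs between the two ends")
    return problems

# Constructed sample values, not real keys.
LOCAL = {"incoming_spi": "1a2b", "outgoing_spi": "3c4d", "encryption": "3des",
         "encryption_key": "0123456789abcdef" * 3, "authentication": "sha-1",
         "authentication_key": "00112233445566778899aabbccddeeff"}
REMOTE = dict(LOCAL, incoming_spi="3C4D", outgoing_spi="1A2B")
```

Run `check_sa()` on each end first, passing the SPIs already present in the SA table, then `check_pair()` on the two validated entries.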

   