How to Configure Manual Key VPN

Created On 09/26/18 13:53 PM - Last Modified 06/15/23 21:32 PM


Symptom


  • Manual key VPNs are not the preferred method of establishing VPNs, because the session keys can be compromised when the key material is relayed between the peers.
  • This poses a risk of the data being sniffed if the keys are known.
  • However, in some circumstances manual key VPNs may be required for deployment. For example:
    • When the Palo Alto Networks device is establishing a VPN with a legacy router
    • When you want to reduce the overhead of generating session keys


Environment


  • Palo Alto Firewalls.
  • Supported PAN-OS
  • Manual Key
  • IPsec VPNs


Resolution


The screenshot below shows the mandatory fields (marked in yellow) while configuring the manual key VPNs. A best practice in configuring the tunnel is to include all the details and match them with the settings on the peer.

GUI: Network > IPSec Tunnels > General

manual key.JPG

Specify the Authentication and Encryption algorithms from the respective drop-downs. Enter the keys in hex format and make sure the size of each key matches the selected algorithm. For example, SHA1 requires a 160-bit key, entered as a pattern in xxxxxxxx format (8 hex characters) repeated 5 times with a ' - ' separator between each pattern.

For example, a valid SHA1 key is "12345678-12345678-12345678-12345678-12345678". A valid key for aes128 is "abcdef12-abcdef12-abcdef12-abcdef12".

The local and the remote SPIs are also in hex format. Make sure that their values match between the local device and the remote peer. The example screenshot below shows the local SPI as "0023abcd" and the remote SPI as "1234abcd".

GUI: Network > IPSec Tunnels > General

manual key-2.JPG

Select the interface and the IP address from which the ESP/AH packets will be sourced, and then configure the IP address of the tunnel's remote peer.
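The key and SPI format rules above can be checked before the values are typed into both peers. The following helper is an added example, not part of the article or of PAN-OS: it validates a manual key against the selected algorithm, validates the SPIs, checks that both ends mirror each other, and generates random keys in the required hyphenated hex layout (the algorithm-name table is an assumption based on standard IPsec key sizes).

```python
import re
import secrets

# Key sizes in bits per algorithm. Standard IPsec key lengths; the set of
# algorithm names here is an assumption, not taken from the article.
KEY_BITS = {
    "md5": 128, "sha1": 160, "sha256": 256,
    "3des": 192, "aes128": 128, "aes192": 192, "aes256": 256,
}
# Hex key written as 8-character groups separated by '-'.
KEY_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{8})*$")


def expected_groups(algorithm):
    """Number of 8-hex-character (32-bit) groups the key must have."""
    return KEY_BITS[algorithm] // 32


def validate_manual_key(algorithm, key):
    """True if key is hyphenated 8-char hex groups and its total size
    matches the algorithm (sha1 -> 5 groups, aes128 -> 4 groups)."""
    if not KEY_RE.match(key):
        return False
    return len(key.split("-")) == expected_groups(algorithm)


def validate_spi(spi):
    """An SPI is a 32-bit value, so it must be exactly 8 hex characters."""
    return re.fullmatch(r"[0-9a-fA-F]{8}", spi) is not None


def generate_manual_key(algorithm):
    """Random key in the required format; a static key should carry full
    entropy rather than a repeated pattern such as 12345678-..."""
    raw = secrets.token_hex(KEY_BITS[algorithm] // 8)
    return "-".join(raw[i:i + 8] for i in range(0, len(raw), 8))


def tunnel_matches(local, peer):
    """Both ends must use the same algorithms and keys, and the local SPI
    on one side must equal the remote SPI on the other. Inputs are dicts
    with keys auth_alg, auth_key, enc_alg, enc_key, local_spi, remote_spi."""
    for side in (local, peer):
        if not (validate_manual_key(side["auth_alg"], side["auth_key"])
                and validate_manual_key(side["enc_alg"], side["enc_key"])
                and validate_spi(side["local_spi"])
                and validate_spi(side["remote_spi"])):
            return False
    same_keys = all(local[k] == peer[k]
                    for k in ("auth_alg", "auth_key", "enc_alg", "enc_key"))
    spis_mirror = (local["local_spi"].lower() == peer["remote_spi"].lower()
                   and local["remote_spi"].lower() == peer["local_spi"].lower())
    return same_keys and spis_mirror
```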
