Manual SAs require no negotiation; all values, including the keys, are static and specified in the configuration. As a result, each peer must have the same configured options for communication to take place.
To configure a manual IPSec security association, include statements at the [edit services ipsec-vpn rule rule-name term term-name then manual] hierarchy level:
direction (inbound | outbound | bidirectional) {
    authentication {
        algorithm (hmac-md5-96 | hmac-sha1-96);
        key (ascii-text key | hexadecimal key);
    }
    auxiliary-spi auxiliary-spi-value;
    encryption {
        algorithm algorithm;
        key (ascii-text key | hexadecimal key);
    }
    protocol (ah | esp | bundle);
    spi spi-value;
}
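Because manual SAs are never negotiated, a mismatch between peers produces no negotiation error to point at it. The following check is an added example, not part of the original documentation: it parses the manual statements from two peers and lists the options that differ without returning key values. It assumes an inbound SA on one peer pairs with the outbound SA on the other; the function names, SPI, and key are constructed for illustration.

```python
# Constructed sample: the manual SA as configured on peer A, in the statement
# syntax shown above. The key is a made-up placeholder, not real key material.
PEER_A = """
direction outbound {
    protocol ah;
    spi 400;
    authentication {
        algorithm hmac-sha1-96;
        key hexadecimal 00112233445566778899aabbccddeeff00112233;
    }
}
"""
# Constructed peer B: the mirrored direction, but with a different algorithm.
PEER_B = PEER_A.replace("outbound", "inbound").replace("hmac-sha1-96", "hmac-md5-96")

MIRROR = {"inbound": "outbound", "outbound": "inbound", "bidirectional": "bidirectional"}

def parse_manual(text):
    """Flatten 'direction X { ... }' blocks into {direction: {option path: value}}."""
    sas, stack = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("{"):
            stack.append(line[:-1].strip())
        elif line == "}":
            stack.pop()
        else:
            name, _, value = line.rstrip(";").partition(" ")
            direction = stack[0].split()[1]      # 'direction outbound' -> 'outbound'
            path = " ".join(stack[1:] + [name])  # e.g. 'authentication algorithm'
            sas.setdefault(direction, {})[path] = value
    return sas

def mismatches(local, remote):
    """List option paths that differ from the peer's mirrored SA (values are not returned)."""
    a, b = parse_manual(local), parse_manual(remote)
    diffs = []
    for direction, opts in a.items():
        peer = b.get(MIRROR[direction])
        if peer is None:
            diffs.append(f"{direction}: no {MIRROR[direction]} SA on peer")
            continue
        for path in sorted(set(opts) | set(peer)):
            if opts.get(path) != peer.get(path):
                diffs.append(f"{direction}: {path}")
    return diffs

print(mismatches(PEER_A, PEER_B))
```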
To configure manual SA statements, do the following: