Configuring IPSec Settings

Internet Protocol Security (IPSec or IPsec) is a protocol suite for encrypting data transported over a network, including Internet networks. While TLS only encrypts data used on a specific application, such as a Web browser or an e-mail application, IPSec encrypts either whole IP packets or the payloads of IP packets, offering a more versatile security system. The IPSec of the machine works in transport mode, in which the payloads of IP packets are encrypted. With this feature, the machine can connect directly to a computer that is in the same virtual private network (VPN). Check the system requirements and set the necessary configuration on the computer before you configure the machine.
System Requirements
IPSec functional restrictions
IPSec supports communication to a unicast address (or a single device).
IPSec is unavailable in networks in which NAT or IP masquerade is implemented.
Using IPSec with IP address filter
IP address filter settings are applied before the IPSec policies.

Configuring IPSec Settings

Before using IPSec for encrypted communication, you need to register security policies (SP). A security policy consists of the groups of settings described below. Up to 10 policies can be registered. After registering policies, specify the order in which they are applied.
Selector
Selector defines conditions for IP packets to apply IPSec communication. Selectable conditions include IP addresses and port numbers of the machine and the devices to communicate with.
IKE
IKE configures the IKEv1 that is used for key exchange protocol. Note that instructions vary depending on the authentication method selected.
[Pre-Shared Key Method]
A key of up to 24 alphanumeric characters can be shared with the other devices. Enable TLS for the Remote UI before specifying this authentication method (Enabling TLS Encrypted Communication for the Remote UI).
[Digital Signature Method]
The machine and the other devices authenticate each other by mutually verifying their digital signatures. Generate or install the key pair beforehand (Configuring Settings for Key Pairs and Digital Certificates).
AH/ESP
Specify the settings for AH/ESP, which is added to packets during IPSec communication. AH and ESP can be used at the same time. You can also select whether or not to enable PFS for tighter security.
1
Start the Remote UI and log on in System Manager Mode. Starting Remote UI
2
Click [Settings/Registration].
3
Click [Security Settings]  [IPSec Settings].
4
Click [Edit...].
5
Select the [Use IPSec] check box and click [OK].
If you want the machine to only receive packets that match one of the security policies that you define in the steps below, clear the [Receive Non-Policy Packets] check box.
6
Click [Register New Policy...].
7
Specify the Policy Settings.
1
In the [Policy Name] text box, enter up to 24 alphanumeric characters for a name that is used for identifying the policy.
2
Select the [Enable Policy] check box.
8
Specify the Selector Settings.
 
[Local Address]
Click the radio button for the type of IP address of the machine to apply the policy.
[All IP Addresses]
Select to use IPSec for all IP packets.
[IPv4 Address]
Select to use IPSec for all IP packets that are sent to or from the IPv4 address of the machine.
[IPv6 Address]
Select to use IPSec for all IP packets that are sent to or from an IPv6 address of the machine.
 
[Remote Address]
Click the radio button for the type of IP address of the other devices to apply the policy.
[All IP Addresses]
Select to use IPSec for all IP packets.
[All IPv4 Addresses]
Select to use IPSec for all IP packets that are sent to or from IPv4 addresses of the other devices.
[All IPv6 Addresses]
Select to use IPSec for all IP packets that are sent to or from IPv6 addresses of the other devices.
[IPv4 Manual Settings]
Select to specify a single IPv4 address or a range of IPv4 addresses to apply IPSec. Enter the IPv4 address (or the range) in the [Addresses to Set Manually] text box.
[IPv6 Manual Settings]
Select to specify a single IPv6 address or a range of IPv6 addresses to apply IPSec. Enter the IPv6 address (or the range) in the [Addresses to Set Manually] text box.
 
[Addresses to Set Manually]
If [IPv4 Manual Settings] or [IPv6 Manual Settings] is selected for [Remote Address], enter the IP address to apply the policy. You can also enter a range of addresses by inserting a hyphen between the addresses.

Entering IP addresses
Description
Example
Entering a single address
IPv4:
Delimit numbers with periods.
192.168.0.10
IPv6:
Delimit alphanumeric characters with colons.
fe80::10
Specifying a range of addresses
Insert a hyphen between the addresses.
192.168.0.10-192.168.0.20
Specifying a range of addresses with a prefix (IPv6 only)
Enter a number indicating the prefix length.
64
 
[Subnet Settings]
When manually specifying IPv4 address, you can express the range by using the subnet mask. Enter the subnet mask using periods to delimit numbers (example:"255.255.255.240").
[Prefix Length]
To specify a range of IPv6 addresses manually, you can also use Prefix Length to specify the range. Specify a range from 0 to 128 for Prefix Length (example: "64").
[Local Port]/[Remote Port]
If you want to create separate policies for each protocol, such as HTTP or SMTP, enter the appropriate port number for the protocol to determine whether to use IPSec.

IPSec is not applied to the following packets
Loopback, multicast, and broadcast packets
IKE packets (using UDP on port 500)
ICMPv6 neighbor solicitation and neighbor advertisement packets
9
Specify the IKE Settings.
[IKE Mode]
The mode used for the key exchange protocol is displayed. The machine supports the main mode, not the aggressive mode.
[Authentication Method]
Select [Pre-Shared Key Method] or [Digital Signature Method] for the method used when authenticating the machine. You need to enable TLS for the Remote UI before selecting [Pre-Shared Key Method] (Enabling TLS Encrypted Communication for the Remote UI). You need to generate or install a key pair before selecting [Digital Signature Method] (Configuring Settings for Key Pairs and Digital Certificates).
[Valid for]
Specify how long a session lasts for IKE SA (ISAKMP SA). Enter the time in minutes.
[Authentication]/[Encryption]/[DH Group]
Select an algorithm from the drop-down list. Each algorithm is used in the key exchange.
[Authentication]
Select the hash algorithm.
[Encryption]
Select the encryption algorithm.
[DH Group]
Select the Diffie-Hellman group, which determines the key strength.
 Using a pre-shared key for authentication
1
Click the [Pre-Shared Key Method] radio button for [Authentication Method] and then click [Shared Key Settings...].
2
Enter up to 24 alphanumeric characters for the pre-shared key and click [OK].
3
Specify the [Valid for] and [Authentication]/[Encryption]/[DH Group] settings.
 Using a key pair and preinstalled CA certificates for authentication
1
Click the [Digital Signature Method] radio button for [Authentication Method] and then click [Key and Certificate...].
2
Click [Register Default Key] on the right of a key pair you want to use.

Viewing details of a key pair or certificate
You can check the details of the certificate or verify the certificate by clicking the corresponding text link under [Key Name], or the certificate icon. Verifying Key Pairs, Device Signature Keys, and Certificates
3
Specify the [Valid for] and [Authentication]/[Encryption]/[DH Group] settings.
10
Specify the IPSec Network Settings.
[Use PFS]
Select the check box to enable Perfect Forward Secrecy (PFS) for IPSec session keys. Enabling PFS enhances the security while increasing the load on the communication. Make sure that PFS is also enabled for the other devices.
[Specify by Time]/[Specify by Size]
Set the conditions for terminating a session for IPSec SA. IPSec SA is used as a communication tunnel. Select either or both of the check boxes as necessary. If both check boxes are selected, the IPSec SA session is terminated when either of the conditions has been satisfied.
[Specify by Time]
Enter a time in minutes to specify how long a session lasts.
[Specify by Size]
Enter a size in megabytes to specify how much data can be transported in a session.
[Select Algorithm]
Select the [ESP], [ESP (AES-GCM)], or [AH (SHA1)] check box(es) depending on the IPSec header and the algorithm used. AES-GCM is an algorithm for both authentication and encryption. If [ESP] is selected, also select algorithms for authentication and encryption from the [ESP Authentication] and [ESP Encryption] drop-down lists.
[ESP Authentication]
To enable the ESP authentication, select [SHA1] for the hash algorithm. Select [Do Not Use] if you want to disable the ESP authentication.
[ESP Encryption]
Select the encryption algorithm for ESP. You can select [NULL] if you do not want to specify the algorithm, or select [Do Not Use] if you want to disable the ESP encryption.
[Connection Mode]
The connection mode of IPSec is displayed. The machine supports transport mode, in which the payloads of IP packets are encrypted. Tunnel mode, in which whole IP packets (headers and payloads) are encapsulated is not available.
11
Click [OK].
If you need to register an additional security policy, return to step 6.
12
Arrange the order of policies listed under [Registered IPSec Policies].
Policies are applied from one at the highest position to the lowest. Click [Up] or [Down] to move a policy up or down the order.

Editing a policy
Click the corresponding text link under [Policy Name] for the edit screen.
Deleting a policy
Click [Delete] on the right of the policy name you want to delete  click [OK].
13
Restart the machine.
Turn OFF the machine, wait for at least 10 seconds, and turn it back ON.
You can enable or disable the IPSec communication from <Menu>. Use IPSec
14E7-08W