Communication mode
This machine only supports transport mode for IPSec communication. As a result, authentication and encryption are applied only to the data portions of IP packets.
Key exchange protocol
This machine supports Internet Key Exchange version 1 (IKEv1) for exchanging keys, based on the Internet Security Association and Key Management Protocol (ISAKMP). For the authentication method, set either the pre-shared key method or the digital signature method.
When setting the pre-shared key method, you need to decide on a passphrase (pre-shared key) in advance, which is used between the machine and the IPSec communication peer.
When setting the digital signature method, use a CA certificate and a PKCS#12 format key and certificate to perform mutual authentication between the machine and the IPSec communication peer. For more information on registering new CA certificates or keys/certificates, see Registering a Key and Certificate for Network Communication. Note that SNTP must be configured on the machine before it uses this method (see Making SNTP Settings).
Regardless of the setting of <Format Encryption Method to FIPS 140-2> for IPSec communication, an encryption module that has already obtained FIPS 140-2 certification is used.
In order to make IPSec communication comply with FIPS 140-2, you must set the key length of both DH and RSA for IPSec communication to 2048-bit or longer in the network environment that the machine belongs to.
Only the key length for DH can be specified from the machine.
Take note when configuring your environment, as there are no settings for RSA in the machine.
You can register up to 10 security policies.
1. Press <Selector Settings>.
2. Specify the IP address to apply the IPSec policy to.
Specify the IP address of this machine in <Local Address>, and specify the IP address of the communication peer in <Remote Address>.
3. Specify the port to apply IPSec to.
Press <Specify by Port Number> to use port numbers when specifying the ports that IPSec applies to. Select <All Ports> to apply IPSec to all port numbers. To apply IPSec to a specific port number, press <Single Port> and enter the port number. After specifying the ports, press <OK>. Specify the port of this machine in <Local Port>, and specify the port of the communication peer in <Remote Port>.
Press <Specify by Service Name> to use service names when specifying the ports that IPSec applies to. Select the service in the list, press <Service On/Off> to set it to <On>, and press <OK>.
4. Press <OK>.
1. Press <IKE Settings>.
2. Configure the necessary settings.
<IKE Mode>
Select the operation mode for the key exchange protocol. Security is enhanced if you select <Main> because the IKE session itself is encrypted, but the session is slower than with <Aggressive>, which does not encrypt the entire session.
<Authentication Method>
Select one of the authentication methods described below.
<Authentication/Encryption Algorithm>
Select either <Auto> or <Manual Settings> to set how the authentication and encryption algorithm for IKE phase 1 is specified. If you select <Auto>, an algorithm that can be used by both this machine and the communication peer is set automatically. If you want to specify a particular algorithm, select <Manual Settings> and configure the settings below.
3. Press <OK>.
When <IKE Mode> is set to <Main> on the <IKE Settings> screen and <Authentication Method> is set to <Pre-Shared Key Method>, the following restrictions apply when registering multiple security policies.
Pre-shared key: when a security policy is applied to multiple remote IP addresses, the same pre-shared key is used for all of those addresses (this does not apply when a single address is specified).
Priority: when a security policy is applied to multiple remote IP addresses, that security policy has lower priority than security policies for which a single address is specified.
1. Press <IPSec Network Settings>.
2. Configure the necessary settings.
<Validity>
Set a period of validity for the generated IKE SA and IPSec SA. Make sure to set either <Time> or <Size>. If you set both, the period of validity ends when either value is reached.
<PFS>
If you set the Perfect Forward Secrecy (PFS) function to <On>, the secrecy of the encryption key is increased, but the communication speed is slower. In addition, the PFS function must be enabled on the communication peer device.
<Authentication/Encryption Algorithm>
Select either <Auto> or <Manual Settings> to set how the authentication and encryption algorithm for IKE phase 2 is specified. If you select <Auto>, the ESP authentication and encryption algorithm is set automatically. If you want to specify a particular authentication method, press <Manual Settings> and select one of the authentication methods below.
3. Press <OK> <OK>.
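As an added illustration (not the machine's firmware or any Canon code), the following Python model applies the selector matching from the <Selector Settings> steps, the priority restriction for multi-address pre-shared-key policies in <Main> mode, and the <Validity> rule that an SA ends when either <Time> or <Size> is reached; all addresses, ports, policy names and keys are constructed sample data.

```python
# Model of the IPSec policy-selection rules described on this page (added
# illustration, not the machine's firmware; all names and sample data are constructed).
from dataclasses import dataclass
from typing import Iterable, Optional

@dataclass
class Policy:
    name: str
    local_addr: str
    remote_addrs: frozenset            # one address, or several (multi-address policy)
    local_port: Optional[int] = None   # None stands for <All Ports>
    remote_port: Optional[int] = None
    ike_mode: str = "Main"             # <Main> or <Aggressive>
    auth: str = "Pre-Shared Key Method"
    psk: Optional[str] = None          # one key per policy, so all remote addresses share it
    enabled: bool = True               # <Policy On/Off>

    def matches(self, laddr: str, raddr: str, lport: int, rport: int) -> bool:
        """True when the packet falls inside this policy's selector."""
        return (self.enabled and laddr == self.local_addr and raddr in self.remote_addrs
                and self.local_port in (None, lport) and self.remote_port in (None, rport))

def demoted(p: Policy) -> bool:
    """Main-mode PSK policies with several remote addresses rank below single-address ones."""
    return p.ike_mode == "Main" and p.auth == "Pre-Shared Key Method" and len(p.remote_addrs) > 1

def select_policy(policies: Iterable[Policy], laddr, raddr, lport, rport) -> Optional[Policy]:
    """First matching policy in registration order, with demoted policies considered last."""
    for p in sorted(policies, key=demoted):  # stable sort keeps registration order per group
        if p.matches(laddr, raddr, lport, rport):
            return p
    return None

def sa_expired(elapsed_s: int, bytes_carried: int,
               time_limit_s: Optional[int] = None, size_limit: Optional[int] = None) -> bool:
    """<Validity>: the SA ends when either <Time> or <Size> is reached; one of them must be set."""
    if time_limit_s is None and size_limit is None:
        raise ValueError("set <Time> or <Size>")
    return ((time_limit_s is not None and elapsed_s >= time_limit_s)
            or (size_limit is not None and bytes_carried >= size_limit))

PRINTER = "192.0.2.10"  # constructed addresses from the documentation range
SAMPLE_POLICIES = [     # registered on the machine in this order
    Policy("branch-hosts", PRINTER, frozenset({"192.0.2.20", "192.0.2.21"}), psk="k1"),
    Policy("single-ipp", PRINTER, frozenset({"192.0.2.20"}), local_port=631, psk="k2"),
]
```

A packet from 192.0.2.20 to the machine's port 631 is handled by "single-ipp" even though "branch-hosts" was registered first, because the multi-address Main-mode PSK policy ranks below the single-address one.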
Managing IPSec policies
You can edit policies on the screen displayed in step 3.
To edit the details of a policy, select the policy in the list and press <Edit>.
To disable a policy, select the policy in the list and press <Policy On/Off>.
To delete a policy, select the policy in the list and press <Delete> <Yes>.