Management Functions
Authentication Functions
LDAP servers that are supported by the machine are Windows Server 2008/Server 2012 Active Directory.
The machine communicates with LDAP servers using LDAPv3.
UTF-8 is the supported character encoding used when the text data is transmitted between the machine and an LDAP server.
Firewall Settings
Up to 16 IP addresses (or ranges of IP addresses) can be specified for both IPv4 and IPv6.
The packet filters described in this section control communications over TCP, UDP, and ICMP.
Up to 32 MAC addresses can be specified.
IPSec
IPSec that is supported by the machine conforms to RFC2401, RFC2402, RFC2406, and RFC4305.
|
Operating system
|
Windows Vista/7/8/Server 2008/Server 2012
|
|
|
Connection mode
|
Transport mode
|
|
|
Key exchange protocol
|
IKEv1 (main mode)
|
|
|
Authentication method
|
Pre-shared key
Digital signature
|
|
|
Hash algorithm
(and key length) |
HMAC-SHA1-96
HMAC-SHA2 (256 bits or 384 bits)
|
|
|
Encryption algorithm
(and key length) |
3DES-CBC
AES-CBC (128 bits, 192 bits, or 256 bits)
|
|
|
Key exchange algorithm/group (and key length)
|
Diffie-Hellman (DH)
Group 1 (768 bits)
Group 2 (1024 bits)
Group 14 (2048 bits)
|
|
|
ESP
|
Hash algorithm
|
HMAC-SHA1-96
|
|
Encryption algorithm
(and key length) |
3DES-CBC
AES-CBC (128 bits, 192 bits, or 256 bits)
|
|
|
Hash algorithm/encryption algorithm (and key length)
|
AES-GCM (128 bits, 192 bits, or 256 bits)
|
|
|
AH
|
Hash algorithm
|
HMAC-SHA1-96
|
 |
|
IPSec supports communication to a unicast address (or a single device).
The machine cannot use both IPSec and DHCPv6 at the same time.
IPSec is unavailable in networks in which NAT or IP masquerade is implemented.
|
Registration of Keys and Certificates
A certificate and key that can be generated by the machine conform to X.509v3. If you install a key or CA certificate from a computer, make sure that they meet the following requirements:
|
Format
|
Key: PKCS#12*1
CA certificate: X.509v1 or X.509v3, DER (encoded binary), PEM
|
|
File extension
|
Key: ".p12" or ".pfx"
CA certificate: ".cer" or ".pem"
|
|
Public key algorithm
(and key length) |
RSA (512 bits, 1024 bits, 2048 bits, or 4096 bits), ECDSA (P256, P384, P521)
|
|
Certificate signature algorithm
|
SHA1-RSA, SHA256-RSA, SHA384-RSA*2, SHA512-RSA*2, MD5-RSA, MD2-RSA, SHA1-ECDSA, SHA256-ECDSA, SHA384-ECDSA, or SHA512-ECDSA
|
|
Certificate thumbprint algorithm
|
SHA1
|
|
*1Requirements for the certificate contained in a key are pursuant to CA certificates.
*2SHA384-RSA and SHA512-RSA are available only when the RSA key length is 1024 bits or more.
|
|
|
|
The machine does not support use of a certificate revocation list (CRL).
|
Definition of "Weak Encryption"
When <Prohibit Use of Weak Encrypt.> is set to <On>, the use of the following algorithms is prohibited.
|
Hash:
|
MD4, MD5, SHA-1
|
|
HMAC:
|
HMAC-MD5
|
|
Common key cryptosystem:
|
RC2, RC4, DES
|
|
Public key cryptosystem:
|
RSA encryption (512 bits/1024 bits), RSA signature (512 bits/1024 bits), DSA (512 bits/1024 bits), DH (512 bits/1024 bits)
|
|
|
|
Even when <Prohibit Weak Encryp. Key/Cert.> is set to <On>, the hash algorithm SHA-1, which is used for signing a root certificate, can be used.
|
Import/Export of the Setting Data
See Setting Menu List.