Encryption Key Auto Exchange Settings (Settings 1 to 4)
Device Management >Configuration > Security > IPsec > Encryption Key Auto Exchange Settings (Settings 1 to 4)

Use this page to configure the settings for automatic exchange of the IPsec encryption key. Settings 1 to 4 are the IPsec settings for communicating with specific peers.

Address Type

Select the address type used for IPsec communications. Selecting Inactive disables all the other settings on this page.

Local Address

Specify the address of the machine. You can enter the address in the format of "base address/mask length", or select one from the drop-down list.
To specify a range, click the option button, enter the base address, and then enter the mask length. The mask length must be in the range of 0 to 32 for IPv4, or 0 to 128 for IPv6, as shown in the following tables:

IPv4

IP address Mask Address range
192.168.1.1 32 192.168.1.1 only
192.168.5.0 24 192.168.5.0 to 192.168.5.255
0.0.0.0 0 All IPv4 addresses

IPv6

IP address Mask Address range
2001:1000:0:1234::1 128 2001:1000:0:1234::1 only
2001:1000:0:1234:: 80 2001:1000:0:1234:: to 2001:1000:0:1234:ffff:ffff:ffff:ffff
:: 0 All IPv6 addresses

Remote Address

Specify the address of the destination peer. Enter the address in the format of "base address/mask length".
To specify a range of addresses, follow the instructions for Local Address.

Security Level

Select one of the following security levels for IPsec communications. You can specify a set of values at once simply by selecting the security level that you require. When you select a security level, its corresponding values are displayed in the Security Details area. Only PSK Text requires manual configuration. If you want to change the settings under Security Details manually, select User Settings in the Security Level list.

Authentication Only

This level authenticates the destination peer and prevents packet tampering without applying packet encryption.

Authentication and Low Level Encryption

This level authenticates the destination peer and encrypts packets to protect them from tampering. This level is slightly more vulnerable to cryptanalysis than Authentication and High Level Encryption.

Authentication and High Level Encryption

This level authenticates the destination peer and encrypts packets to protect them from tampering. This level is more resistant to cryptanalysis than Authentication and Low Level Encryption. However, processing speed is significantly reduced due to the complex calculations involved in encryption/decryption.

User Settings

If you select User Settings, you can change the settings in the Security Details area manually.

Security Details

To Top of the Page

Security Policy

Select an option to specify how to manage IPsec.

Encapsulation Mode

Select one of the following encapsulation modes:

Transport

This mode protects the payload of IP packets. Select this mode for communication between IPsec hosts.

Tunnel

This mode protects entire IP packets. Select this mode for communication between security gateways (VPN devices, for example).

Note

Tunnel End Point

If you select Tunnel for Encapsulation Mode, you must also specify the IPsec coverage (i.e. the start and end of the tunnel end point).

Note

  • You must specify an IP address that is consistent with the specified Address Type.
  • For the start of the tunnel end point, enter the Local Address.
  • If you are using IPv6 addresses, you cannot specify link-local or site-local addresses.

IPsec Requirement Level

Specify how the machine responds when its IPsec settings do not match those of the destination peer. Select one of the following options:

Use When Possible

If the IPsec settings of this machine and the peer do not match, communications are exchanged in clear text; at all other times, communications are protected by IPsec.

Always Require

If the IPsec settings of this machine and the peer do not match, communications are disabled; at all other times, communications are protected by IPsec.

Authentication Method

Select the method of authenticating the destination peer. If you select PSK, enter the text for PSK Text.

PSK Text

The current status of the PSK (Pre-Shared Key) is displayed. If the message Not Set is displayed, click Change, and then enter the PSK text.

For details about PSK Text page

Phase 1

Hash Algorithm

Select the hash algorithm type for Phase 1.

Encryption Algorithm

Select the encryption algorithm type for Phase 1.

Diffie-Hellman Group

Select the Diffie-Hellman Group type for Phase 1.

Validity Period

Specify how long the communication channel for Phase 1 remains valid. You can enter a value between 300 and 172800 (seconds).

Phase 2

Security Protocol

Select the security protocol used for Phase 2. If you select AH, the Encryption Algorithm Permissions option is unavailable.

Authentication Algorithm

Select the authentication algorithm type for Phase 2.

Encryption Algorithm Permissions

Select the encryption algorithm type for Phase 2. You can select one or more types.

PFS

Specify whether to enable or disable the PFS group for Phase 2. To enable it, select a group type.

Validity Period

Specify how long the communication channel for Phase 2 remains valid. You can enter a value between 300 and 172800 (seconds).

Buttons

To Top of the Page

OK

Click to send the settings to the machine. To apply the settings, click OK on the IPsec page.

Cancel

Click to cancel the settings.

 

To Top of the Page