Encryption Key Auto Exchange Settings (Settings 1 to 4)
Device Management >Configuration > Security >
IPsec > Encryption Key Auto Exchange Settings (Settings 1 to 4)
Use this page to configure the settings for automatic exchange of the IPsec encryption key. Settings 1 to 4 are the IPsec settings for communicating with specific peers.
Address Type
Select the address type used for IPsec communications. Selecting Inactive disables all the other settings on this page.
Local Address
Specify the address of the machine.
You can enter the address in the format of "base address/mask length", or select one from the drop-down list.
To specify a range, click the option button, enter the base address, and then enter the mask length.
The mask length must be in the range of 0 to 32 for IPv4, or 0 to 128 for IPv6, as shown in the following tables:
IPv4
| IP address | Mask | Address range |
|---|---|---|
| 192.168.1.1 | 32 | 192.168.1.1 only |
| 192.168.5.0 | 24 | 192.168.5.0 to 192.168.5.255 |
| 0.0.0.0 | 0 | All IPv4 addresses |
IPv6
| IP address | Mask | Address range |
|---|---|---|
| 2001:1000:0:1234::1 | 128 | 2001:1000:0:1234::1 only |
| 2001:1000:0:1234:: | 80 | 2001:1000:0:1234:: to 2001:1000:0:1234:ffff:ffff:ffff:ffff |
| :: | 0 | All IPv6 addresses |
Remote Address
Specify the address of the destination peer. Enter the address in the format of "base address/mask length".
To specify a range of addresses, follow the instructions for Local Address.
Security Level
Select one of the following security levels for IPsec communications. You can specify a set of values at once simply by selecting the security level that you require. When you select a security level, its corresponding values are displayed in the Security Details area. Only PSK Text requires manual configuration. If you want to change the settings under Security Details manually, select User Settings in the Security Level list.
Authentication Only
This level authenticates the destination peer and prevents packet tampering without applying packet encryption.
Authentication and Low Level Encryption
This level authenticates the destination peer and encrypts packets to protect them from tampering. This level is slightly more vulnerable to cryptanalysis than Authentication and High Level Encryption.
Authentication and High Level Encryption
This level authenticates the destination peer and encrypts packets to protect them from tampering. This level is more resistant to cryptanalysis than Authentication and Low Level Encryption. However, processing speed is significantly reduced due to the complex calculations involved in encryption/decryption.
User Settings
If you select User Settings, you can change the settings in the Security Details area manually.
Security Details
Security Policy
Select an option to specify how to manage IPsec.
Encapsulation Mode
Select one of the following encapsulation modes:
Transport
This mode protects the payload of IP packets. Select this mode for communication between IPsec hosts.
Tunnel
This mode protects entire IP packets. Select this mode for communication between security gateways (VPN devices, for example).
Note
- If you select Transport, the Tunnel End Point option is unavailable.
Tunnel End Point
If you select Tunnel for Encapsulation Mode, you must also specify the IPsec coverage (i.e. the start and end of the tunnel end point).
Note
- You must specify an IP address that is consistent with the specified Address Type.
- For the start of the tunnel end point, enter the Local Address.
- If you are using IPv6 addresses, you cannot specify link-local or site-local addresses.
IPsec Requirement Level
Specify how the machine responds when its IPsec settings do not match those of the destination peer. Select one of the following options:
Use When Possible
If the IPsec settings of this machine and the peer do not match, communications are exchanged in clear text; at all other times, communications are protected by IPsec.
Always Require
If the IPsec settings of this machine and the peer do not match, communications are disabled; at all other times, communications are protected by IPsec.
Authentication Method
Select the method of authenticating the destination peer. If you select PSK, enter the text for PSK Text.
PSK Text
The current status of the PSK (Pre-Shared Key) is displayed. If the message Not Set is displayed, click Change, and then enter the PSK text.
For details about PSK Text pagePhase 1
Hash Algorithm
Select the hash algorithm type for Phase 1.
Encryption Algorithm
Select the encryption algorithm type for Phase 1.
Diffie-Hellman Group
Select the Diffie-Hellman Group type for Phase 1.
Validity Period
Specify how long the communication channel for Phase 1 remains valid. You can enter a value between 300 and 172800 (seconds).
Phase 2
Security Protocol
Select the security protocol used for Phase 2. If you select AH, the Encryption Algorithm Permissions option is unavailable.
Authentication Algorithm
Select the authentication algorithm type for Phase 2.
Encryption Algorithm Permissions
Select the encryption algorithm type for Phase 2. You can select one or more types.
PFS
Specify whether to enable or disable the PFS group for Phase 2. To enable it, select a group type.
Validity Period
Specify how long the communication channel for Phase 2 remains valid. You can enter a value between 300 and 172800 (seconds).
Buttons
OK
Click to send the settings to the machine. To apply the settings, click OK on the IPsec page.
Cancel
Click to cancel the settings.