IPsec

Use this page to configure the IPsec communication settings.

IPsec

Select whether to enable or disable IPsec communications.
If you select "Active", the machine will search from Parameter 1 to Parameter 10 for the IPsec policy that matches the IPsec settings of the destination, and will then begin processing IP packets according to that policy.

Parameter 1 - Parameter 10

Displays the parameters of IPsec policies registered in the machine. You can register up to 10 policies. The machine begins searching for the policy from the top of the list, and selects the first match.
An "IPsec Policy" determines whether or not IP packets are secured by IPsec and which functions are used if they are.

Address Type

Select the address type used for IPsec communications. Selecting Inactive disables all the other settings on this page.

Local Address

Specify the address of the machine. You can enter the address in the format of "base address/mask length", or select one from the drop-down list.
To specify a range, enter the base address, and then enter the mask length. The mask length must be in the range of 0 to 32 for IPv4, or 0 to 128 for IPv6, as shown in the following tables:

IPv4

IP address      Mask    Address range
192.168.1.1     32      192.168.1.1 only
192.168.5.0     24      192.168.5.0 to 192.168.5.255
0.0.0.0         0       All IPv4 addresses

IPv6

IP address             Mask    Address range
2001:1000:0:1234::1    128     2001:1000:0:1234::1 only
2001:1000:0:1234::     80      2001:1000:0:1234:: to 2001:1000:0:1234:ffff:ffff:ffff:ffff
::                     0       All IPv6 addresses

Remote Address

Specify the address of the destination peer. Enter the address in the format of "base address/mask length".
To specify a range of addresses, follow the instructions for Local Address.

Protocol Number

Enter the protocol number to specify the transport protocol. You can enter up to 3 numeric characters. Enter "0" for any arbitrary protocol.

Port Number

If the protocol number is "6" (TCP) or "17" (UDP), you can specify a port number for Local and Remote Addresses respectively. Enter "0" for any arbitrary port.

IPsec Parameter

Security Protocol

Select the security protocol used for IPsec communication.

AH

Provides secure transmission through authentication of packets only, including headers.

ESP

Provides secure transmission through both encryption and authentication. This protocol does not provide header authentication.

ESP+AH

Provides secure transmission through both encryption and authentication. These protocols provide header authentication.

AH Authentication Algorithm

Select an authentication algorithm for AH.

ESP Authentication Algorithm

Select an authentication algorithm for ESP.

ESP Encryption Algorithm

Select an encryption algorithm for ESP.

IPsec Process Method

Specify how the IP packets are processed.

Apply

IPsec is applied, so all transmitted and received IP packets are protected by IPsec.

Bypass

IPsec is not applied, so no transmitted or received IP packets are protected by IPsec.

Discard

All IP packets are discarded.
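
An added example, not part of the device documentation or its firmware: a Python model of the top-down, first-match search over Parameter 1 to Parameter 10, plus a check for policies that an earlier, broader entry makes unreachable. The port-matching rule, the None result when nothing matches, and the sample addresses and port 9100 are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass, replace

@dataclass
class Policy:
    slot: str              # "Parameter 1" .. "Parameter 10"
    local: str             # "base address/mask length"
    remote: str
    protocol: int = 0      # 0 = any protocol
    local_port: int = 0    # 0 = any port
    remote_port: int = 0
    method: str = "Apply"  # "Apply", "Bypass" or "Discard"

def _net(spec):
    return ipaddress.ip_network(spec, strict=False)

def matches(p, local, remote, proto, lport=0, rport=0):
    if (ipaddress.ip_address(local) not in _net(p.local)
            or ipaddress.ip_address(remote) not in _net(p.remote)
            or p.protocol not in (0, proto)):
        return False
    if p.protocol in (6, 17):  # assumption: ports are compared for TCP/UDP only
        return p.local_port in (0, lport) and p.remote_port in (0, rport)
    return True

def first_match(policies, *packet):
    """Search from the top of the list; return the first matching policy or None."""
    return next((p for p in policies[:10] if matches(p, *packet)), None)

def covers(a, b):
    """True if every packet matched by policy b is also matched by policy a."""
    for x, y in ((a.local, b.local), (a.remote, b.remote)):
        x, y = _net(x), _net(y)
        if x.version != y.version or not y.subnet_of(x):
            return False
    if a.protocol != b.protocol:
        return a.protocol == 0
    return a.protocol not in (6, 17) or (
        a.local_port in (0, b.local_port) and a.remote_port in (0, b.remote_port))

def shadowed(policies):
    """(later slot, earlier slot) pairs where the later policy can never be selected."""
    return [(b.slot, a.slot) for i, b in enumerate(policies)
            for a in policies[:i] if covers(a, b)]

# Constructed sample: a catch-all Bypass listed above a specific Apply policy.
BAD = [Policy("Parameter 1", "192.168.1.1/32", "0.0.0.0/0", method="Bypass"),
       Policy("Parameter 2", "192.168.1.1/32", "192.168.5.0/24", 6, 9100, 0, "Apply")]
GOOD = [replace(p, slot=f"Parameter {i}") for i, p in enumerate(reversed(BAD), 1)]
```

Any policy reported by shadowed() is never reached by the top-down search, so a catch-all Bypass or Discard entry belongs below the specific Apply entries.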

IPsec-SA Validity Period

Specify the lifetime of the IPsec SA (Security Association).
Specify it as a time (seconds) or as a traffic volume (KB) between peers.
If you specify both a timed lifetime and a traffic-volume lifetime, the SA expires when the first of these lifetimes is reached, and the newly negotiated SA replaces it.

IKEv1 Parameter

Encryption Algorithm

Select the encryption algorithm type for ISAKMP-SA.

Hash Algorithm

Select the hash algorithm type for ISAKMP-SA.

Authentication Method

Select the method of authenticating the destination peer. If you select PSK, enter the text for PSK Text.

PSK Text

Enter the PSK (Pre-Shared Key) text string used for authenticating the destination peer. You can use up to 32 alphanumeric characters, including spaces.

Apply

You can set or change the PSK text only when this check box is selected.

Confirm PSK Text

Confirm the PSK text string by entering it again in this box.
To create the PSK text string, the text entered here must match that in the PSK Text box.

Diffie-Hellman Group

Select the Diffie-Hellman group number used for IKE encryption key generation.

PFS Group

Specify whether PFS (Perfect Forward Secrecy) is active or inactive. If you want PFS to be active, select a group number.

IPsec Requirement Level

Specify how the machine responds when its IPsec settings do not match those of the destination peer. Select one of the following options:

Always Require

If the IPsec settings of this machine and the peer do not match, communications are disabled.

Use When Possible

If the IPsec settings of this machine and the peer do not match, communications are exchanged in clear text.

Unique

Only the communications using the transport layer protocol specified in Protocol Number are protected by IPsec. If the IPsec settings of this machine and the peer do not match, the communications are disabled. The communications using other transport layer protocols are exchanged in clear text.

ISAKMP-SA Validity Period

Specify the lifetime of the ISAKMP-SA.

Buttons

Refresh

Click to update the currently displayed information.

OK

Click to apply the settings.

Cancel

Click to cancel the settings.

 
