IPsec Settings
IPsec settings for this machine can be configured from a networked computer using a web browser (via Web Image Monitor, which is installed on this machine). The following table explains the individual setting items.
IPsec settings items
Setting | Description | Setting value |
---|---|---|
IPsec | Specify whether to enable or disable IPsec. | |
Exclude HTTPS Communication | Specify whether to enable IPsec for HTTPS transmission. | Specify "Active" if you do not want to use IPsec for HTTPS transmission. |
The IPsec setting can also be configured from the control panel.
Encryption key auto exchange security level
When you select a security level, certain security settings are automatically configured. The following table explains security level features.
Security level | Security level features |
---|---|
Authentication Only | Select this level if you want to authenticate the transmission partner and prevent unauthorized data tampering, but not encrypt the data packets. Since the data is sent in cleartext, the packets are vulnerable to eavesdropping. Do not select this level if you are exchanging sensitive information. |
Authentication and Low Level Encryption | Select this level if you want to encrypt the data packets as well as authenticate the transmission partner and prevent unauthorized packet tampering. Packet encryption helps prevent eavesdropping attacks. This level provides less security than "Authentication and High Level Encryption". |
Authentication and High Level Encryption | Select this level if you want to encrypt the data packets as well as authenticate the transmission partner and prevent unauthorized packet tampering. Packet encryption helps prevent eavesdropping attacks. This level provides higher security than "Authentication and Low Level Encryption". |
The following table lists the settings that are automatically configured according to the security level.
Setting | Authentication Only | Authentication and Low Level Encryption | Authentication and High Level Encryption |
---|---|---|---|
Security Policy | Apply | Apply | Apply |
Encapsulation Mode | Transport | Transport | Transport |
IPsec Requirement Level | Use When Possible | Use When Possible | Always Require |
Authentication Method | PSK | PSK | PSK |
Phase 1 Hash Algorithm | MD5 | SHA1 | SHA256 |
Phase 1 Encryption Algorithm | DES | 3DES | AES-128-CBC |
Phase 1 Diffie-Hellman Group | 2 | 2 | 2 |
Phase 2 Security Protocol | AH | ESP | ESP |
Phase 2 Authentication Algorithm | HMAC-SHA1-96/HMAC-SHA256-128/HMAC-SHA384-192/HMAC-SHA512-256 | HMAC-SHA1-96/HMAC-SHA256-128/HMAC-SHA384-192/HMAC-SHA512-256 | HMAC-SHA256-128/HMAC-SHA384-192/HMAC-SHA512-256 |
Phase 2 Encryption Algorithm Permissions | Cleartext (NULL encryption) | 3DES/AES-128/AES-192/AES-256 | AES-128/AES-192/AES-256 |
Phase 2 PFS | Inactive | Inactive | 2 |
Encryption key auto exchange settings items
When you specify a security level, the corresponding security settings are configured automatically, but other settings, such as address type, local address, and remote address, must still be configured manually.
After you specify a security level, you can still change the auto-configured settings. When you change an auto-configured setting, the security level switches automatically to "User Setting".
Setting | Description | Setting value |
---|---|---|
Address Type | Specify the address type for which IPsec transmission is used. | |
Local Address | Specify the machine's address. If you are using multiple addresses in IPv6, you can also specify an address range. | The machine's IPv4 or IPv6 address. If you are not setting an address range, enter 32 after an IPv4 address, or enter 128 after an IPv6 address. |
Remote Address | Specify the address of the IPsec transmission partner. You can also specify an address range. | The IPsec transmission partner's IPv4 or IPv6 address. If you are not setting an address range, enter 32 after an IPv4 address, or enter 128 after an IPv6 address. |
Security Policy | Specify how IPsec is handled. | |
Encapsulation Mode | Specify the encapsulation mode. (auto setting) | If you specify "Tunnel", you must then specify the "Tunnel End Point", i.e. the beginning and ending IP addresses. Set the same address for the beginning point as you set in "Local Address". |
IPsec Requirement Level | Specify whether to transmit only using IPsec or to allow cleartext transmission when IPsec cannot be established. (auto setting) | |
Authentication Method | Specify the method for authenticating transmission partners. (auto setting) | If you specify "PSK", you must then set the PSK text: a pre-shared key of up to 32 ASCII characters. If you specify "Certificate", the certificate for IPsec must be installed and specified before it can be used. |
PSK Text | Specify the pre-shared key for PSK authentication. | Enter the pre-shared key required for PSK authentication. |
Phase 1 Hash Algorithm | Specify the hash algorithm to be used in phase 1. (auto setting) | |
Phase 1 Encryption Algorithm | Specify the encryption algorithm to be used in phase 1. (auto setting) | |
Phase 1 Diffie-Hellman Group | Select the Diffie-Hellman group number used for IKE encryption key generation. (auto setting) | |
Phase 1 Validity Period | Specify the time period for which the SA settings in phase 1 are valid. | Set in seconds, from 300 sec. (5 min.) to 172800 sec. (48 hrs.). |
Phase 2 Security Protocol | Specify the security protocol to be used in phase 2. To apply both encryption and authentication to sent data, specify "ESP" or "ESP+AH". To apply authentication only, specify "AH". (auto setting) | |
Phase 2 Authentication Algorithm | Specify the authentication algorithm to be used in phase 2. (auto setting) | |
Phase 2 Encryption Algorithm Permissions | Specify the encryption algorithm to be used in phase 2. (auto setting) | |
Phase 2 PFS | Specify whether to activate PFS. If PFS is activated, also select the Diffie-Hellman group. (auto setting) | |
Phase 2 Validity Period | Specify the time period for which the SA settings in phase 2 are valid. | Specify a period in seconds, from 300 (5 min.) to 172800 (48 hrs.). |
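As an added worked example (not part of this manual or the machine's firmware), the following Python models the security-level presets from the tables above and checks a configuration against the limits those tables state: address notation, PSK length, validity periods, the tunnel end point rule, and the cleartext or legacy-algorithm choices of the lower levels. The key names and the sample configuration are this example's own assumptions.

```python
import ipaddress

# Auto-configured values per security level, transcribed from the tables above.
# Key names are this example's own, not the machine's.
PRESETS = {
    "Authentication Only": {"req_level": "Use When Possible", "p1_hash": "MD5",
                            "p1_enc": "DES", "p2_proto": "AH", "p2_pfs": "Inactive"},
    "Authentication and Low Level Encryption": {"req_level": "Use When Possible",
                            "p1_hash": "SHA1", "p1_enc": "3DES", "p2_proto": "ESP", "p2_pfs": "Inactive"},
    "Authentication and High Level Encryption": {"req_level": "Always Require",
                            "p1_hash": "SHA256", "p1_enc": "AES-128-CBC", "p2_proto": "ESP", "p2_pfs": "2"},
}

def effective_level(settings):
    """Name the preset whose auto-configured values all match, else 'User Setting'."""
    for name, preset in PRESETS.items():
        if all(settings.get(k) == v for k, v in preset.items()):
            return name
    return "User Setting"

def validate(settings):
    """Return findings for one configuration, using the limits stated in the tables."""
    findings = []
    for key in ("local_address", "remote_address"):
        try:  # host addresses carry /32 or /128; a shorter prefix denotes a range
            ipaddress.ip_network(settings.get(key, ""), strict=False)
        except ValueError:
            findings.append(f"{key}: expected an address with /32 (IPv4), /128 (IPv6) or a range")
    if settings.get("auth_method") == "PSK":
        psk = settings.get("psk_text", "")
        if not (1 <= len(psk) <= 32 and psk.isascii()):
            findings.append("psk_text: must be 1 to 32 ASCII characters")
    for key in ("p1_lifetime", "p2_lifetime"):
        if not 300 <= settings.get(key, 0) <= 172800:
            findings.append(f"{key}: must be 300 to 172800 seconds")
    if settings.get("encap_mode") == "Tunnel" and settings.get("tunnel_start") != settings.get("local_address"):
        findings.append("tunnel_start: must be the same address as local_address")
    if settings.get("p2_proto") == "AH":
        findings.append("p2_proto: AH authenticates only; payload travels in cleartext")
    if settings.get("p1_hash") == "MD5" or settings.get("p1_enc") in ("DES", "3DES"):
        findings.append("phase 1: legacy hash/cipher; prefer the High Level Encryption preset")
    if settings.get("req_level") != "Always Require":
        findings.append("req_level: cleartext fallback allowed when IPsec cannot be established")
    return findings

SAMPLE = {  # constructed sample, not taken from the page
    "local_address": "192.0.2.10/32", "remote_address": "192.0.2.0/24", "encap_mode": "Transport",
    "auth_method": "PSK", "psk_text": "replace-this-psk", "p1_lifetime": 28800, "p2_lifetime": 3600,
    **PRESETS["Authentication and High Level Encryption"],
}
```

Changing any preset value in SAMPLE (for example Phase 2 PFS) makes `effective_level` report "User Setting", mirroring the behaviour described above.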