Encryption Key Auto Exchange Settings (Default Settings)

Use this page to configure the settings for automatic exchange of the IPsec encryption key. The Default Settings are the IPsec settings for communicating with peers not specified on the Settings 1 to Settings 4 pages.

Address Type

Select the address type used for IPsec communications. Selecting Inactive disables all the other settings on this page.

Security Level

Select one of the following security levels for IPsec communications. You can specify a set of values at once simply by selecting the security level that you require. When you select a security level, its corresponding values are displayed in the Security Details area. Only PSK Text requires manual configuration. If you want to change the settings under Security Details manually, select User Settings in the Security Level list.

Authentication Only

This level authenticates the destination peer and prevents packet tampering without applying packet encryption.

Authentication and Low Level Encryption

This level authenticates the destination peer and encrypts packets to protect them from tampering. This level is slightly more vulnerable to cryptanalysis than Authentication and High Level Encryption.

Authentication and High Level Encryption

This level authenticates the destination peer and encrypts packets to protect them from tampering. This level is more resistant to cryptanalysis than Authentication and Low Level Encryption. However, processing speed is significantly reduced due to the complex calculations involved in encryption/decryption.

User Settings

If you select User Settings, you can change the settings in the Security Details area manually.

Security Details

Security Policy

Select an option to specify how to manage IPsec.

Encapsulation Mode

Select one of the following encapsulation modes:

Transport

This mode protects the payload of IP packets. Select this mode for communications between IPsec hosts.

Tunnel

This mode protects entire IP packets. Select this mode for communications between security gateways (VPN devices, for example).

Note

Tunnel Address Type

Select the tunnel address type that you require.

Tunnel End Point

If you select Tunnel for Encapsulation Mode, you must also specify the IPsec coverage (i.e. the start and end of the tunnel end point).

Note

  • You must specify an IP address that is consistent with the specified Address Type.
  • For the start of the tunnel end point, enter the Local Address.
  • If you are using IPv6 addresses, you cannot specify link-local or site-local addresses.

IPsec Requirement Level

Specify how the machine responds when its IPsec settings do not match those of the destination peer. Select one of the following responses:

Use When Possible

If the IPsec settings are inconsistent with the peer, communication is performed in clear text; at all other times, communication is protected by IPsec.

Always Require

If the IPsec settings are inconsistent with the peer, communication is disabled; at all other times, communication is protected by IPsec.

Authentication Method

Select the method of authenticating the destination peer. If you select PSK, you must enter a text string for PSK Text.

PSK Text

The current status of the PSK (Pre-Shared Key) is displayed. If the message Not Set is displayed, click Change, and then enter the PSK text string.

For details about the PSK Text page

Phase 1

Hash Algorithm

Select the hash algorithm type for Phase 1.

Encryption Algorithm

Select the encryption algorithm type for Phase 1.

Diffie-Hellman Group

Select the Diffie-Hellman Group type for Phase 1.

Validity Period

Specify how long the communication channel for Phase 1 remains valid. You can enter a value between 300 and 172800 (seconds).

Phase 2

Security Protocol

Select the security protocol for Phase 2. If you select AH, the Encryption Algorithm Permissions option is unavailable.

Authentication Algorithm

Select the authentication algorithm type for Phase 2.

Encryption Algorithm Permissions

Select the encryption algorithm type for Phase 2. You can select one or more types.

PFS

Select whether to enable or disable the PFS group for Phase 2. If you want to enable it, select a group type.

Validity Period

Specify how long the communication channel for Phase 2 remains valid. You can enter a value between 300 and 172800 (seconds).
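
The constraints described on this page can be checked before the settings are entered. The following is an added example, not code from the device or its vendor: it audits one set of values against the rules stated above. The dictionary keys, the Address Type values IPv4 and IPv6, and the sample values are assumptions made for illustration.

```python
import ipaddress

MIN_S, MAX_S = 300, 172800  # Validity Period bounds stated on this page (seconds)

def audit(s):
    """Return (severity, message) findings for one settings dict (hypothetical keys)."""
    if s.get("address_type") == "Inactive":
        return [("info", "Address Type is Inactive: all other settings are disabled")]
    out = []
    p2 = s.get("phase2", {})
    for name in ("phase1", "phase2"):
        v = s.get(name, {}).get("validity_period")
        if not isinstance(v, int) or not MIN_S <= v <= MAX_S:
            out.append(("error", f"{name}: Validity Period {v!r} not in {MIN_S}-{MAX_S} s"))
    if s.get("authentication_method") == "PSK" and not s.get("psk_text_set"):
        out.append(("error", "PSK selected but PSK Text is Not Set"))
    if p2.get("security_protocol") == "AH" and p2.get("encryption_algorithms"):
        out.append(("error", "AH selected: Encryption Algorithm Permissions does not apply"))
    if s.get("encapsulation_mode") == "Tunnel":
        want = 6 if s.get("address_type") == "IPv6" else 4  # assumed Address Type values
        for end in ("tunnel_start", "tunnel_end"):
            try:
                ip = ipaddress.ip_address(s.get(end) or "")
            except ValueError:
                out.append(("error", f"{end}: missing or not an IP address"))
                continue
            if ip.version != want:
                out.append(("error", f"{end}: {ip} is inconsistent with Address Type"))
            elif ip.version == 6 and (ip.is_link_local or ip.is_site_local):
                out.append(("error", f"{end}: {ip} is link-local or site-local"))
    if s.get("requirement_level") == "Use When Possible":
        out.append(("warn", "mismatch with peer falls back to clear text; consider Always Require"))
    return out

# Constructed sample, not exported from a real device.
SAMPLE = {
    "address_type": "IPv6",
    "encapsulation_mode": "Tunnel",
    "tunnel_start": "2001:db8::10",
    "tunnel_end": "fe80::1",
    "requirement_level": "Use When Possible",
    "authentication_method": "PSK",
    "psk_text_set": False,
    "phase1": {"validity_period": 86400},
    "phase2": {"security_protocol": "AH", "encryption_algorithms": ["AES"],
               "validity_period": 120},
}

if __name__ == "__main__":
    for severity, message in audit(SAMPLE):
        print(f"[{severity}] {message}")
```

For the constructed sample, the audit reports four errors (Phase 2 Validity Period, PSK Text, AH with encryption algorithms, link-local tunnel end) and one warning for the clear-text fallback.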

Buttons

OK

Click to send the settings to the machine. To apply the settings, click OK on the IPsec page.

Cancel

Click to cancel the settings.