Using IPsec communication
Configure the setting if your environment requires IPsec.
The IPsec technology prevents the falsification or leakage of data on the IP packet basis by using encryption technology. As IPsec encrypts data in the network layer, secure communication is ensured even if you use protocols in an upper layer or applications that do not support encryption.
Select [Network] - [TCP/IP Setting] - [IPsec] - [IPsec Setting] in administrator mode of Web Connection (or in [Utility] - [Administrator] of this machine), and click [OK].
Click [Edit] from [IKEv1] or [IKEv2] in [IPsec Setting], then configure the following settings.
Setting
Description
[Encryption Algorithm]
Select the encryption algorithm to create a common key used for communication.
[Authentication Algorithm]
Select the authentication algorithm to create a common key used for communication.
[Encryption Key Validity Period]
Specify the validity period of a common key to securely create a common key used to encrypt communications (default: [28800] sec.).
When this period has expired, a new key is created. This can secure the communication.
[Diffie-Hellman Group]
Select the Diffie-Hellman group (default: [Group 2]).
[Negotiation Mode]
Select the negotiation mode (default: [Main Mode]). This option is not available in [IKEv2].
From [SA] in [IPsec Setting], click [Registration] and register the Security Association (SA).
Up to 10 groups can be registered for the SA.
Setting
Description
[Name]
Enter the SA name (using 1 to 10 characters, excluding ").
[Encapsulation Mode]
Select the IPsec operation mode (default: [Transport]).
[Security Protocol]
Select a security protocol.
[Key Exchange Method]
Select the key replacement method to securely create a common key used to encrypt communications (default: [IKEv1]).
[Tunnel End Point]
If [Tunnel] is selected in [Encapsulation Mode], enter the IP address of the IPsec gateway that is used as a peer.
[Lifetime After Establishing SA]
Enter the lifetime of a common key used to encrypt communications (default: [3600] sec.).
[IKE Setting]
Configure IKE settings used for this SA. This is required when [IKEv1] or [IKEv2] is selected in [Key Exchange Method].
[Authentication Method]: Select the authentication method.
[Local Authentication Method]: Select the authentication method of this machine when [IKEv2] is selected in [Key Exchange Method].
[Peer Authentication Method]: Select the peer authentication method when [IKEv2] is selected in [Key Exchange Method].
[ESN]: When applying the 64-bit extended sequence number, set this option to ON.
[Replay Detection]: When enabling replay defense, set this option to ON.
[ESP Encryption Algorithm]: If you select [ESP] for [Security Protocol], configure the ESP encryption algorithm.
[ESP Authentication Algorithm]: If you select [ESP] for [Security Protocol], configure the ESP authentication algorithm.
[AH Authentication Algorithm]: If you select [AH] for [Security Protocol], configure the AH authentication algorithm.
[Perfect Forward-Secrecy]: When increasing the IKE intensity, set this option to ON. Setting to ON increases the time spent for communication.
From [Peer] in [IPsec Setting], click [Registration] and register peers of this machine.
Up to 10 peers can be registered.
Setting
Description
[Peer]
When registering a peer, set this option to ON (default: OFF).
[Name]
Enter the peer name (using 1 to 10 characters, excluding ").
[Set IP Address]
Select the method to specify the peer address. Specify the IP address of the peer depending on the selected method.
[Pre-Shared Key Text]
Enter the Pre-Shared Key text to be shared with a peer using up to 128 ASCII characters or up to 256 hexadecimal characters.
Specify the same text as that for the peer.
[Key-ID String]
Enter the Key-ID to be specified for the Pre-Shared Key (using up to 128 bytes).
From [Protocol Setting] in [IPsec Setting], click [Registration] and specify the protocol used for IPsec communication.
Up to 10 protocols can be specified.
Setting
Description
[Protocol Setting]
When registering the protocol setting, set this option to ON (default: OFF).
[Name]
Enter the group name with the protocol specified (using 1 to 10 characters, excluding ").
[Protocol Identification Setting]
Select a protocol used for IPsec communication (default: [No Selection]).
[Port No.]
If [TCP] or [UDP] has been selected in [Protocol Identification Setting], specify the port number used for IPsec communication.
[ICMP Message Type]
Specify the ICMP message type when [ICMP] is selected in [Protocol Identification Setting].
[ICMPv6 Message Type]
Specify the ICMP message type when [ICMPv6] is selected in [Protocol Identification Setting].
Select [Network] - [TCP/IP Setting] - [IPsec] - [Enable IPsec] in administrator mode of Web Connection (or in [Utility] - [Administrator] of this machine), and click [OK].
In [Enable IPsec], configure the following settings.
Setting
Description
[IPsec]
When using IPsec, set this option to ON (default: OFF).
[Dead Peer Detection]
If no response can be confirmed from the peer in a certain period, the SA with the peer is deleted. Select a time that elapses before sending survival confirmation information to the peer how has not responded (default: [15] sec.).
[Cookies]
Select whether to enable the defense using Cookies against denial-of-service attacks (default: [Disable]).
[ICMP Pass]
Select whether to apply IPsec to the Internet Control Message Protocol (ICMP) (default: [Disable]). Select [Enable] to allow the ICMP packets to pass without applying IPsec to the ICMP.
[ICMPv6 Pass]
Select whether to apply IPsec to the Internet Control Message Protocol for IPv6 (ICMPv6) (default: [Disable]). Select [Enable] to allow the ICMPv6 packets to pass without applying IPsec to the ICMPv6.
[Default Action]
Select an action to be taken if no settings meet the [IPsec Policy] while IPsec communication is enabled (default: [Allow]). Select [Deny] to discard IP packets that do not meet the [IPsec Policy] settings.
[Certificate Verification Level Settings]
To verify the certificate, select items to be verified.
[Expiration Date]: Confirm whether the certificate is within the validity period (default: ON).
[Key Usage]: Confirm whether the certificate is used according to the intended purpose approved by the certificate issuer (default: OFF).
[Chain]: Confirm whether there is a problem in the certificate chain (certificate path) (default: OFF). The chain is validated by referencing the external certificates managed on this machine.
[Expiration Date Confirmation]: Confirm whether the certificate has expired (default: OFF). The expiration date confirmation is performed in the order of OCSP (Online Certificate Status Protocol) service, and CRL (Certificate Revocation List).
From [IPsec Policy] in [Enable IPsec], click [Registeration], then configure the following settings.
IP packet conditions can be specified to pass or allow the IP packets that meet each of the conditions.
Setting
Description
[IPsec Policy]
Select whether to use the IPsec policy (default: [OFF]).
[Name]
Enter the IPsec policy name (using 1 to 10 characters, excluding ").
[Peer]
Select a peer setting. Select the setting from those registered in [Peer] in [IPsec Setting].
[Protocol Setting]
Select a protocol. Select the setting from those registered in [Protocol Setting] in [IPsec Setting].
[IPsec Setting]
Select an SA setting. Select the setting from those registered in [SA] in [IPsec Setting].
[Communication Type]
Select a direction of IPsec communication.
[Action]
Select the operation for the IP packet that matches the specified condition.
[Protected]: Protect the IP packets that met the conditions.
[Allow]: Do not protect the IP packets that met the conditions.
[Deny]: Discard the IP packets that met the conditions.
[Cancel]: Refuse the IP packets that met the conditions.
Select [IPsec] - [Communication Check], then check that a connection with a peer can be established normally by the configured setting.
Enter the peer's IP address into [IP Address], then click [Check Connection].