Using IPsec communication

Configure the setting if your environment requires IPsec.

The IPsec technology prevents the falsification or leakage of data on the IP packet basis by using encryption technology. As IPsec encrypts data in the network layer, secure communication is ensured even if you use protocols in an upper layer or applications that do not support encryption.

  1. In the administrator mode, select [Network] - [TCP/IP Setting] - [IPsec] - [IPsec Setting], then click [OK].

  2. Click [Edit] from [IKEv1] or [IKEv2] in [IPsec Setting], then configure the following settings.

    Settings

    Description

    [Encryption Algorithm]

    Select the encryption algorithm to create a common key used for communication.

    [Authentication Algorithm]

    Select the authentication algorithm to create a common key used for communication.

    [Encryption Key Validity Period]

    Specify the validity period of a common key to securely create a common key used to encrypt communications.

    When this period has expired, a new key is created. This can secure the communication.

    [Diffie-Hellman Group]

    Select the Diffie-Hellman group.

    [Negotiation Mode]

    Select the method to securely create a common key used to encrypt communications.

  3. From [SA] in [IPsec Setting], click [Create] and register the Security Association (SA).

    supplementary explanationUp to 10 groups can be registered for the SA.

    Settings

    Description

    [Name]

    Enter the SA name (using 1 to 10 characters, excluding ").

    [Encapsulation Mode]

    Select an IPsec operation mode.

    [Security Protocol]

    Select a security protocol.

    [Key Exchange Method]

    Select the key replacement method to securely create a common key used to encrypt communications.

    [Tunnel End Point]

    Enter the IP address of the peer's IPsec gateway.

    This is required when [Tunnel] is selected in [Encapsulation Mode].

    [Lifetime After Establishing SA]

    Enter the lifetime of a common key used to encrypt communications.

    [IKE Setting]

    Configure IKE settings used for this SA.

    This is required when [IKEv1] or [IKEv2] is selected in [Key Exchange Method].

    [Authentication Method]

    Select an authentication method.

    [Local Authentication Method]

    Select the authentication method of this machine when [IKEv2] is selected in [Key Exchange Method].

    [Peer Authentication Method]

    Select the peer authentication method when [IKEv2] is selected in [Key Exchange Method].

    [ESP Encryption Algorithm]

    If you select [ESP] for [Security Protocol], configure the ESP encryption algorithm.

    [ESP Authentication Algorithm]

    If you select [ESP] for [Security Protocol], configure the ESP authentication algorithm.

    [AH Authentication Algorithm]

    If you select [AH] for [Security Protocol], configure the AH authentication algorithm.

    [Perfect ForwardSecrecy]

    Select this check box if you wish to increase the IKE strength.

    Selecting this check box increases the time spent for communication.

    [Diffie-Hellman Group(IKEv1)]/[Diffie-Hellman Group(IKEv2)]

    Select the Diffie-Hellman group.

    [Manual Key Settings]

    When using a device that does not support automatic key exchange using IKE, configure each parameter manually.

    This is required when [Manual Key] is selected in [Key Exchange Method].

    [Encryption Algorithm]

    Select the algorithm to be used for encryption.

    [Authentication Algorithm]

    Select the algorithm to be used for authentication.

    [SA Index]

    Specify the SA Security Parameter Index to be added to the IPsec header.

    [Common Key Encryption]

    Specify the common key used for encryption.

    You can specify different common keys respectively for send and receive.

    [Common Key Authentication]

    Specify the common key used for authentication.

    You can specify different common keys respectively for send and receive.

  4. From [Peer] in [IPsec Setting], click [Create] and register peers of this machine.

    supplementary explanationUp to 10 peers can be registered.

    Settings

    Description

    [Name]

    Enter the peer name (using 1 to 10 characters, excluding ").

    [Set IP Address]

    Specify the IP address of the peer.

    [Pre-Shared Key Text]

    Enter the Pre-Shared Key text to be shared with the peer.

    • [ASCII]: Enter the Pre-Shared Key text using ASCII characters (up to 128).

    • [HEX]: Enter the Pre-Shared Key text using hexadecimal characters (up to 256).

    Specify the same text as that for the peer.

    [Key-ID String]

    Enter the Key-ID to be specified for the Pre-Shared Key (using up to 128 characters).

  5. From [Protocol Setting] in [IPsec Setting], click [Create] and specify the protocol used for IPsec communication.

    supplementary explanationUp to 10 protocols can be specified.

    Settings

    Description

    [Name]

    Enter the protocol name (using 1 to 10 characters, excluding ").

    [Protocol Identification Setting]

    Select a protocol used for IPsec communication.

    [Port Number]

    If [TCP] or [UDP] has been selected in [Protocol Identification Setting], specify the port number used for IPsec communication.

    [ICMP Message Type]

    Select the ICMP message type when [ICMP] is selected in [Protocol Identification Setting].

    • [Echo Request/Reply]: Specify an ICMP message for echo request or response.

    • [No Selection]: You do not specify the ICMP message type.

    [ICMPv6 Message Type]

    Select the ICMP message type when [ICMPv6] is selected in [Protocol Identification Setting].

    • [Echo Request/Reply]: Specify an ICMP message for echo request or response.

    • [No Selection]: You do not specify the ICMP message type.

  6. In the administrator mode, select [Network] - [TCP/IP Setting] - [IPsec] - [Enable IPsec], then click [OK].

  7. In [Enable IPsec], configure the following settings.

    Settings

    Description

    [IPsec]

    Select [ON] to use the IPsec.

    [Dead Peer Detection]

    If no response can be confirmed from the peer in a certain period, the SA with the peer is deleted.

    Select a time that elapses before sending survival confirmation information to the peer how has not responded.

    [Cookies]

    Select whether to enable the defense using Cookies against denial-of-service attacks.

    [ICMP Pass]

    Select whether to apply IPsec to the Internet Control Message Protocol (ICMP).

    Select [Enable] to allow the ICMP packets to pass without applying IPsec to the ICMP.

    [ICMPv6 Pass]

    Select whether to apply IPsec to the Internet Control Message Protocol for IPv6 (ICMPv6).

    Select [Enable] to allow the ICMPv6 packets to pass without applying IPsec to the ICMPv6.

    [Default Action]

    Select an action to be taken if no settings meet the [IPsec Policy] while IPsec communication is enabled.

    Select [Deny] to discard IP packets that do not meet the [IPsec Policy] settings.

    [Certificate Verification Level Settings]

    To verify the certificate, select items to be verified.

    If you select [Confirm] at each item, the certificate is verified for each item.

    [Validity Period]

    Confirm whether the certificate is still valid.

    [Confirm] is specified by default.

    [Key Usage]

    Confirm whether the certificate is used according to the intended purpose approved by the certificate issuer.

    [Do Not Confirm] is specified by default.

    [Chain]

    Confirm whether there is a problem in the certificate chain (certificate path).

    The chain is validated by referencing the external certificates managed on this machine.

    [Do Not Confirm] is specified by default.

    [Expiration Date Confirmation]

    Confirm whether the certificate has expired.

    Confirm for expiration of the certificate in the following order.

    • OCSP (Online Certificate Status Protocol) service

    • CRL (Certificate Revocation List)

    [Do Not Confirm] is specified by default.

  8. From [IPsec Policy] in [Enable IPsec], click [Create], then configure the following settings.

    supplementary explanationIP packet conditions can be specified to pass or allow the IP packets that meet each of the conditions.

    Settings

    Description

    [Name]

    Enter the IPsec policy name (using 1 to 10 characters, excluding ").

    [Peer]

    Select a peer setting.

    Select the setting from those registered in [Peer] in [IPsec Setting].

    [Protocol Setting]

    Select a protocol.

    Select the setting from those registered in [Protocol Setting] in [IPsec Setting].

    [IPsec Setting]

    Select a peer setting.

    Select the setting from those registered in [SA] in [IPsec Setting].

    [Communication Type]

    Select a direction of IPsec communication.

    [Action]

    Select an action to be taken for the IP packets that met [Peer], [Protocol Setting], and [Communication Type].

    • [Protected]: Protect the IP packets that met the conditions.

    • [Allow]: Do not protect the IP packets that met the conditions.

    • [Deny]: Discard the IP packets that met the conditions.

    • [Cancel]: Refuse the IP packets that met the conditions.

  9. In the administrator mode, select [Network] - [TCP/IP Setting] - [IPsec] - [Communication Check], then check that a connection with a peer can be established normally by the specified setting.

    supplementary explanationEnter the peer's IP address into [IP Address], then click [Check Connection].