IPsec Settings

IPsec settings for this machine can be made on Web Image Monitor. The following table explains individual setting items.

Encryption Key Auto Exchange / Manual Settings - Shared Settings

Setting

Description

Setting Value

IPsec

Specify whether to enable or disable IPsec.

  • Active

  • Inactive

Exclude HTTPS Transmission

Specify whether to enable IPsec for HTTPS transmission.

  • Active

  • Inactive

Specify "Active" if you do not want to use IPsec for HTTPS transmission.

Encryption Key Manual Settings

Specify whether to enable Encryption Key Manual Settings, or use Encryption Key Auto Exchange Settings only.

  • Active

  • Inactive

Specify "Active" if you want to use "Encryption Key Manual Exchange Settings".

Encryption Key Auto Exchange Security Level

When you select a security level, certain security settings are automatically configured. The following table explains security level features.

Security Level

Security Level Features

Authentication Only

Select this level if you want to authenticate the transmission partner and prevent unauthorized data tampering, but not perform data packet encryption.

Since the data is sent in cleartext, data packets are vulnerable to eavesdropping attacks. Do not select this if you are exchanging sensitive information.

Authentication and Low Level Encryption

Select this level if you want to encrypt the data packets as well as authenticate the transmission partner and prevent unauthorized packet tampering. Packet encryption helps prevent eavesdropping attacks. This level provides less security than "Authentication and High Level Encryption".

Authentication and High Level Encryption

Select this level if you want to encrypt the data packets as well as authenticate the transmission partner and prevent unauthorized packet tampering. Packet encryption helps prevent eavesdropping attacks. This level provides higher security than "Authentication and Low Level Encryption".

The following table lists the settings that are automatically configured according to the security level.

| Setting | Authentication Only | Authentication and Low Level Encryption | Authentication and High Level Encryption |
|---|---|---|---|
| Security Policy | Apply | Apply | Apply |
| Encapsulation Mode | Transport | Transport | Transport |
| IPsec Requirement Level | Use When Possible | Use When Possible | Always Require |
| Authentication Method | PSK | PSK | PSK |
| Phase 1 Hash Algorithm | MD5 | SHA1 | SHA1 |
| Phase 1 Encryption Algorithm | DES | 3DES | 3DES |
| Phase 1 Diffie-Hellman Group | 2 | 2 | 2 |
| Phase 2 Security Protocol | AH | ESP | ESP |
| Phase 2 Authentication Algorithm | HMAC-MD5-96/HMAC-SHA1-96 | HMAC-MD5-96/HMAC-SHA1-96 | HMAC-SHA1-96 |
| Phase 2 Encryption Algorithm | Cleartext (NULL encryption) | DES/3DES/AES-128/AES-192/AES-256 | 3DES/AES-128/AES-192/AES-256 |
| Phase 2 PFS | Inactive | Inactive | 2 |
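
The preset columns above can be compared mechanically. The following Python sketch is an added example, not part of the manual or the device firmware: it encodes the three columns and flags settings that general cryptographic guidance considers weak. It assumes that slash-separated cells are the set of algorithms the machine will accept, and `HARDENED` is a hypothetical "User Setting" built from the strongest values in this page's option lists.

```python
# Preset values are copied from the security-level table; the findings are
# general cryptographic guidance, not statements from the manual.
def preset(req, p1_hash, p1_enc, proto, auth, p2_enc, pfs):
    return dict(requirement=req, p1_hash=p1_hash, p1_enc=p1_enc, p1_dh=2,
                p2_proto=proto, p2_auth=auth, p2_enc=p2_enc, p2_pfs=pfs)

BOTH_MACS = ["HMAC-MD5-96", "HMAC-SHA1-96"]
AES = ["AES-128", "AES-192", "AES-256"]
PRESETS = {
    "Authentication Only": preset(
        "Use When Possible", "MD5", "DES", "AH", BOTH_MACS, ["NULL"], None),
    "Authentication and Low Level Encryption": preset(
        "Use When Possible", "SHA1", "3DES", "ESP", BOTH_MACS,
        ["DES", "3DES"] + AES, None),
    "Authentication and High Level Encryption": preset(
        "Always Require", "SHA1", "3DES", "ESP", ["HMAC-SHA1-96"],
        ["3DES"] + AES, 2),
}
# Hypothetical "User Setting": the strongest value each option list offers.
HARDENED = preset("Always Require", "SHA1", "3DES", "ESP",
                  ["HMAC-SHA1-96"], ["AES-256"], 14)

def audit(s):
    """Return a list of weaknesses for one settings dict."""
    found = []
    if s["requirement"] != "Always Require":
        found.append("cleartext fallback when IPsec cannot be established")
    if s["p1_hash"] == "MD5":
        found.append("phase 1 hash MD5")
    if s["p1_enc"] == "DES":
        found.append("phase 1 single DES (56-bit key)")
    if s["p1_dh"] < 14:
        found.append("phase 1 DH group %d (1024-bit or smaller)" % s["p1_dh"])
    if s["p2_proto"] == "AH" or "NULL" in s["p2_enc"]:
        found.append("phase 2 payload not encrypted")
    if "DES" in s["p2_enc"]:
        found.append("phase 2 proposal accepts single DES")
    if "HMAC-MD5-96" in s["p2_auth"]:
        found.append("phase 2 proposal accepts HMAC-MD5-96")
    if s["p2_pfs"] is None:
        found.append("PFS inactive")
    elif s["p2_pfs"] < 14:
        found.append("PFS DH group %d (1024-bit or smaller)" % s["p2_pfs"])
    return found

if __name__ == "__main__":
    for name, s in {**PRESETS, "User Setting (hardened)": HARDENED}.items():
        print(name, "->", audit(s) or "no findings")
```

Even the hardened profile keeps one finding, because the phase 1 Diffie-Hellman list on this page offers only groups 1 and 2.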

Encryption Key Auto Exchange Setting Items

When you specify a security level, the corresponding security settings are automatically configured, but other settings, such as address type, local address, and remote address must still be configured manually.

After you specify a security level, you can still make changes to the auto configured settings. When you change an auto configured setting, the security level switches automatically to "User Setting".

Setting

Description

Setting Value

Address Type

Specify the address type for which IPsec transmission is used.

  • Inactive

  • IPv4

  • IPv6

  • IPv4/IPv6 (Default Settings only)

Local Address

Specify the machine's address. If you are using multiple addresses in IPv6, you can also specify an address range.

The machine's IPv4 or IPv6 address.

If you are not setting an address range, enter 32 after an IPv4 address, or enter 128 after an IPv6 address.

Remote Address

Specify the address of the IPsec transmission partner. You can also specify an address range.

The IPsec transmission partner's IPv4 or IPv6 address.

If you are not setting an address range, enter 32 after an IPv4 address, or enter 128 after an IPv6 address.

Encapsulation Mode

Specify the encapsulation mode.

(auto setting)

  • Transport

  • Tunnel

(Tunnel beginning address - Tunnel ending address)

If you specify "Tunnel", you must then specify the "Tunnel End Points", which are the beginning and ending IP addresses. Set the same address for the beginning point as you set in "Local Address".

IPsec Requirement Level

Specify whether to only transmit using IPsec, or to allow cleartext transmission when IPsec cannot be established.

(auto setting)

  • Use When Possible

  • Always Require

Authentication Method

Specify the method for authenticating transmission partners.

(auto setting)

  • PSK

  • Certificate

If you specify PSK, you must then set the PSK text (using ASCII characters).

If you specify Certificate, the certificate for IPsec must be installed and specified before it can be used.

Phase 1 HASH Algorithm

Specify the HASH algorithm to be used in phase 1.

(auto setting)

  • MD5

  • SHA1

Phase 1 Encryption Algorithm

Specify the encryption algorithm to be used in phase 1.

(auto setting)

  • DES

  • 3DES

Phase 1 Diffie-Hellman Group

Specify the Diffie-Hellman group number.

(auto setting)

  • 1

  • 2

Phase 1 Validity Period

Specify the time period for which the SA settings in phase 1 are valid.

Set in seconds from 300 sec. (5 min.) to 172800 sec. (48 hrs.).

Phase 2 Security Protocol

Specify the security protocol to be used in Phase 2.

(auto setting)

  • ESP

  • AH

  • ESP+AH

Phase 2 Authentication Algorithm

Specify the authentication algorithm to be used in phase 2.

(auto setting)

  • HMAC-MD5-96

  • HMAC-SHA1-96

Phase 2 Encryption Algorithm

Specify the encryption algorithm to be used in phase 2.

(auto setting)

  • Cleartext (NULL encryption)

  • DES

  • 3DES

  • AES-128

  • AES-192

  • AES-256

Phase 2 PFS

Specify whether to activate PFS. Then, if PFS is activated, select the Diffie-Hellman group.

(auto setting)

  • Inactive

  • 1

  • 2

  • 14

Phase 2 Validity Period

Specify the time period for which the SA settings in phase 2 are valid.

Specify a period (in seconds) from 300 (5 min.) to 172800 (48 hrs.).

Encryption Key Manual Settings Items

Setting

Description

Setting Value

Address Type

Specify the address type for which IPsec transmission is used.

  • Inactive

  • IPv4

  • IPv6

  • IPv4/IPv6 (Default Settings only)

Local Address

Specify the machine's address. If you are using multiple IPv6 addresses, you can also specify an address range.

The machine's IPv4 or IPv6 address.

If you are not setting an address range, enter 32 after an IPv4 address, or enter 128 after an IPv6 address.

Remote Address

Specify the address of the IPsec transmission partner. You can also specify an address range.

The IPsec transmission partner's IPv4 or IPv6 address.

If you are not setting an address range, enter 32 after an IPv4 address, or enter 128 after an IPv6 address.

Encapsulation Mode

Select the encapsulation mode.

  • Transport

  • Tunnel

(Tunnel beginning address - Tunnel ending address)

If you select "Tunnel", set the "Tunnel End Point" (the beginning and ending IP addresses). In "Tunnel End Point", set the same address for the beginning point as you set in "Local Address".

SPI (Output)

Specify the same value as your transmission partner's SPI input value.

Any number between 256 and 4095

SPI (Input)

Specify the same value as your transmission partner's SPI output value.

Any number between 256 and 4095

Security Protocol

To use encryption and authentication data, specify ESP.

To use authentication data only, specify AH.

  • ESP

  • AH

Authentication Algorithm

Specify the authentication algorithm.

  • HMAC-MD5-96

  • HMAC-SHA1-96

Authentication Key

Specify the key for the authentication algorithm.

Specify a value within the ranges shown below, according to the authentication algorithm.

hexadecimal value

0-9, a-f, A-F

  • If HMAC-MD5-96, set 32 digits

  • If HMAC-SHA1-96, set 40 digits

ASCII

  • If HMAC-MD5-96, set 16 characters

  • If HMAC-SHA1-96, set 20 characters

Encryption Algorithm

Specify the encryption algorithm.

  • Cleartext (NULL encryption)

  • DES

  • 3DES

  • AES-128

  • AES-192

  • AES-256

Encryption Key

Specify the key for the encryption algorithm.

Specify a value within the ranges shown below, according to the encryption algorithm.

hexadecimal value

0-9, a-f, A-F

  • DES, set 16 digits

  • 3DES, set 48 digits

  • AES-128, set 32 digits

  • AES-192, set 48 digits

  • AES-256, set 64 digits

ASCII

  • DES, set 8 characters

  • 3DES, set 24 characters

  • AES-128, set 16 characters

  • AES-192, set 24 characters

  • AES-256, set 32 characters
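
Manual keying depends on both ends entering keys of exactly the right length and mirrored SPI values. The following Python helper is an added example, not part of the manual: it checks a key against the digit and character counts listed above, checks the SPI range and mirroring rule, and generates hex keys from the operating system's random source. The function names are hypothetical, and the ASCII check only rejects non-ASCII characters because the page does not say which ASCII characters the machine accepts.

```python
import secrets
import string

# Key sizes in bytes, derived from the digit/character counts in the tables
# above (2 hex digits or 1 ASCII character per byte).
KEY_BYTES = {"HMAC-MD5-96": 16, "HMAC-SHA1-96": 20, "DES": 8, "3DES": 24,
             "AES-128": 16, "AES-192": 24, "AES-256": 32}
HEX = set(string.hexdigits)  # 0-9, a-f, A-F

def check_key(algorithm, value, fmt):
    """Return None if value fits the manual's length rule, else an error."""
    n = KEY_BYTES[algorithm]
    if fmt == "hex":
        if len(value) != 2 * n:
            return "%s needs %d hex digits, got %d" % (
                algorithm, 2 * n, len(value))
        if not set(value) <= HEX:
            return "non-hexadecimal character in key"
    elif fmt == "ascii":
        if len(value) != n:
            return "%s needs %d ASCII characters, got %d" % (
                algorithm, n, len(value))
        if not value.isascii():  # assumption: any ASCII character is allowed
            return "non-ASCII character in key"
    else:
        raise ValueError("fmt must be 'hex' or 'ascii'")
    return None

def check_spi(local_out, local_in, peer_out, peer_in):
    """Return a list of problems with the SPI values of both ends."""
    errs = ["%s=%d is outside 256-4095" % (k, v)
            for k, v in [("local output", local_out), ("local input", local_in),
                         ("peer output", peer_out), ("peer input", peer_in)]
            if not 256 <= v <= 4095]
    if local_out != peer_in:
        errs.append("SPI (Output) must equal the partner's SPI (Input)")
    if local_in != peer_out:
        errs.append("SPI (Input) must equal the partner's SPI (Output)")
    return errs

def new_hex_key(algorithm):
    """Generate a key of the right size with the OS CSPRNG, as hex digits."""
    return secrets.token_hex(KEY_BYTES[algorithm])

if __name__ == "__main__":
    print(check_key("AES-256", new_hex_key("AES-256"), "hex"))
    print(check_spi(300, 301, 301, 300))
```

Hex entry can express every byte value, whereas a key typed as printable ASCII is limited to 95 values per character, so a 16-character key carries at most about 105 bits instead of 128.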