Encryption Key Auto Exchange Settings Configuration Flow


To use a certificate to authenticate the transmission partner in encryption key auto exchange settings, a device certificate must be installed.
After configuring IPsec, you can use the "Ping" command to check whether the connection is established correctly. However, you cannot use the "Ping" command when ICMP is excluded from IPsec transmission on the computer side. Also, because the response is slow during the initial key exchange, it may take some time to confirm that transmission has been established.
To change the transmission partner authentication method for encryption key auto exchange settings to "Certificate", you must first install and assign a certificate. For details about creating and installing a device certificate, see the User Guide of your device. For the method of assigning installed certificates to IPsec, see Selecting the certificate for IPsec.
Log in as the network administrator from Web Image Monitor.
For details on how to log in, see the User Guide of your device.
Point to [Device Management], and then click [Configuration].
Click [IPsec] under "Security".
Click [Edit] under "Encryption Key Auto Exchange Settings".
Make encryption key auto exchange settings in [Settings 1].
If you want to make multiple settings, select the settings number and add settings.
Click [OK].
Select [Active] for "IPsec" in "IPsec".
Set "Exclude HTTPS Communication" to [Active] if you do not want to use IPsec for HTTPS transmission.
Click [OK].
"Updating..." appears. Wait for about 1 or 2 minutes, and then click [OK].
If the previous screen does not appear again after you click [OK], wait for a while, and then click the web browser's refresh button.
Log out.
Using Web Image Monitor, select the certificate to be used for IPsec. You must install the certificate before it can be used. For details about creating and installing a device certificate, see the User Guide of your device.
Log in as the network administrator from Web Image Monitor.
For details on how to log in, see the User Guide of your device.
Point to [Device Management], and then click [Configuration].
Click [Device Certificate] under "Security".
Select the certificate to be used for IPsec from the drop-down list box in "IPsec" under "Certification".
Click [OK].
The certificate for IPsec is specified.
"Updating..." appears. Wait for about 1 or 2 minutes, and then click [OK].
If the previous screen does not appear again after you click [OK], wait for a while, and then click the web browser's refresh button.
Log out.
Configure the computer's IPsec SA settings so that they exactly match the security level set on the machine. Setting methods differ according to the computer's operating system. The example procedure shown here uses Windows 10 when the "Authentication and Low Level Encryption" security level is selected on the machine.
Click the [Start] button, and click [Windows System] - [Control Panel] - [System and Security] - [Windows Defender Firewall].
Click [Advanced settings] - [Properties], and select the [IPsec Settings] tab.
Select [Yes] in [IPsec exemptions], and then click [Customize] in [IPsec defaults].
Select [Advanced] in [Key exchange (Main Mode)], and then click [Customize].
Click [Add] in [Security methods] to add a new security method.
Select [SHA-1] for [Integrity algorithm], [3DES] for [Encryption algorithm], and [Diffie-Hellman Group 14] for [Key exchange algorithm].
Set [Minutes] to [300] in [Key lifetimes], select the [Use Diffie-Hellman for enhanced security.] check box in [Key exchange options], and then click [OK].
Select [Advanced] in [Data protection (Quick Mode)], and then click [Customize].
Select the [Require encryption for all connection security rules that use these settings] check box.
Click [Add] in [Data integrity and encryption] to add a new setting.
Select [ESP] for [Protocol], [3DES] for [Encryption algorithm], [SHA-1] for [Integrity algorithm], and set [Key lifetimes] to “5 (minutes)/100,000 (KB)”.
If a combination of [ESP], [3DES], and [SHA-1] has already been registered, a new setting cannot be created. In that case, select the registered setting, click [Edit], and change [Key lifetimes].
Click [OK].
Select [Advanced] in [Authentication method], and then click [Customize].
Click [Add] in [First authentication methods] to add a new authentication method.
Select [Preshared key] as the credential type and enter the key.
Click [OK] three times.
In the [Windows Defender Firewall with Advanced Security] screen, right-click [Connection Security Rules] and click [New Rule].
The [New Connection Security Rule Wizard] appears.
Select [Custom], and then click [Next] twice.
Select [Request authentication for inbound and outbound connections] and click [Next].
Select [Default] and click [Next].
Select [Any] or [TCP] in [Protocol type] and click [Next].
If [TCP] is selected, specify the endpoint port if necessary.
Make sure the [Domain] check box is selected, and click [Next].
Enter a name that you want to use for [Name], enter a [Description] if necessary, and click [Finish].
Right-click the created rule and click [Properties].
In the [Remote Computers] tab, select [These IP addresses] for [Endpoint 1] and [Endpoint 2], and click [Add] to set the IP addresses.
Enter the IP address of the PC for [Endpoint 1] and the IP address of the device for [Endpoint 2].
In the [Authentication] tab, select [Request inbound and outbound] in [Authentication mode] and click [OK].
To enable Perfect Forward Secrecy (PFS), proceed to Step 24.
If PFS will not be used, proceed to Step 27.
Click the [Start] button, and click [Windows PowerShell] - [Windows PowerShell].
Enter “Get-NetIPsecQuickModeCryptoSet” and press the [Enter] key.
Enter “Set-NetIPsecQuickModeCryptoSet” and press the [Enter] key to set “Name” and “PerfectForwardSecrecyGroup”.
For “Name”, enter the value of the name displayed by “Get-NetIPsecQuickModeCryptoSet”.
For “PerfectForwardSecrecyGroup”, specify one of “none”, “DH1”, “DH2”, or “DH14”.
In the [Windows Defender Firewall with Advanced Security] screen, right-click the rule you created and click [Enable Rule].
The IPsec settings on your computer are now enabled.
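The same Windows-side settings expressed with the built-in NetSecurity PowerShell cmdlets, as an added example that is not part of this manual: it creates the main mode, quick mode, and pre-shared key settings from the steps above, the connection security rule between the two endpoints, and then sets PFS with Set-NetIPsecQuickModeCryptoSet. The addresses, key, and display names are placeholders, and instead of editing the IPsec defaults as the GUI does, the main mode set is attached to a main mode rule for the same two endpoints.

```powershell
# Added example (not from the Ricoh manual). Run in an elevated PowerShell session.
# Placeholders: this PC (Endpoint 1), the device (Endpoint 2), and the pre-shared key.
$PcAddress     = '192.0.2.10'
$DeviceAddress = '192.0.2.20'
$PreSharedKey  = 'REPLACE-WITH-THE-KEY-CONFIGURED-ON-THE-DEVICE'

# Main mode (IKE phase 1): SHA-1 / 3DES / DH group 14, 300-minute lifetime,
# "Use Diffie-Hellman for enhanced security" -> -ForceDiffieHellman.
# These values match the device's "Authentication and Low Level Encryption" level.
$mmProposal = New-NetIPsecMainModeCryptoProposal -Encryption DES3 -Hash SHA1 -KeyExchange DH14
$mmSet = New-NetIPsecMainModeCryptoSet -DisplayName 'Device IPsec main mode' `
    -Proposal $mmProposal -MaxMinutes 300 -ForceDiffieHellman $true

# Quick mode (IKE phase 2): ESP with 3DES / SHA-1, lifetime 5 minutes or 100,000 KB.
# Offering only this encrypted ESP proposal is the cmdlet equivalent of the GUI's
# "Require encryption for all connection security rules that use these settings".
$qmProposal = New-NetIPsecQuickModeCryptoProposal -Encapsulation ESP -Encryption DES3 `
    -ESPHash SHA1 -MaxMinutes 5 -MaxKiloBytes 100000
$qmSet = New-NetIPsecQuickModeCryptoSet -DisplayName 'Device IPsec quick mode' `
    -Proposal $qmProposal -PerfectForwardSecrecyGroup None

# Pre-shared key as the first (computer) authentication method.
$authProposal = New-NetIPsecAuthProposal -Machine -PreSharedKey $PreSharedKey
$authSet = New-NetIPsecPhase1AuthSet -DisplayName 'Device IPsec PSK' -Proposal $authProposal

# Main mode rule: applies the main mode set and PSK to negotiations with the device.
New-NetIPsecMainModeRule -DisplayName 'Device IPsec main mode rule' -Profile Domain `
    -LocalAddress $PcAddress -RemoteAddress $DeviceAddress `
    -MainModeCryptoSet $mmSet.Name -Phase1AuthSet $authSet.Name | Out-Null

# Connection security rule: request authentication inbound and outbound, domain
# profile, any protocol, endpoints restricted to the PC and the device, enabled.
New-NetIPsecRule -DisplayName 'IPsec to device' -Profile Domain -Protocol Any `
    -InboundSecurity Request -OutboundSecurity Request `
    -LocalAddress $PcAddress -RemoteAddress $DeviceAddress `
    -Phase1AuthSet $authSet.Name -QuickModeCryptoSet $qmSet.Name -Enabled True | Out-Null

# Optional PFS, the Get-/Set-NetIPsecQuickModeCryptoSet steps above (None, DH1, DH2 or DH14).
Set-NetIPsecQuickModeCryptoSet -Name $qmSet.Name -PerfectForwardSecrecyGroup DH14

# Check the result: the rule, the quick mode set it references, and the PFS group.
Get-NetIPsecRule -DisplayName 'IPsec to device' |
    Format-List DisplayName, Enabled, InboundSecurity, OutboundSecurity, QuickModeCryptoSet
Get-NetIPsecQuickModeCryptoSet -Name $qmSet.Name |
    Format-List Name, PerfectForwardSecrecyGroup
```

After both sides are configured, a successful negotiation shows up under Get-NetIPsecMainModeSA and Get-NetIPsecQuickModeSA on the PC; an empty result there is the first thing to check when the "Ping" test in the note at the top of this page fails.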