IPsec Settings
IPsec settings for this machine can be made on Web Image Monitor. The following table explains individual setting items.
IPsec settings items

| Setting | Description | Setting value |
|---|---|---|
| IPsec | Specify whether to enable or disable IPsec. | Active, Inactive |
| Exclude HTTPS Communication | Specify whether to enable IPsec for HTTPS transmission. Specify "Active" if you do not want to use IPsec for HTTPS transmission. | Active, Inactive |
The IPsec setting can also be configured from the control panel.
Encryption key auto exchange security level
When you select a security level, certain security settings are automatically configured. The following table explains security level features.
| Security level | Security level features |
|---|---|
| Authentication Only | Select this level if you want to authenticate the transmission partner and prevent unauthorized data tampering, but not perform data packet encryption. Since the data is sent in cleartext, data packets are vulnerable to eavesdropping attacks. Do not select this if you are exchanging sensitive information. |
| Authentication and Low Level Encryption | Select this level if you want to encrypt the data packets as well as authenticate the transmission partner and prevent unauthorized packet tampering. Packet encryption helps prevent eavesdropping attacks. This level provides less security than "Authentication and High Level Encryption". |
| Authentication and High Level Encryption | Select this level if you want to encrypt the data packets as well as authenticate the transmission partner and prevent unauthorized packet tampering. Packet encryption helps prevent eavesdropping attacks. This level provides higher security than "Authentication and Low Level Encryption". |
The following table lists the settings that are automatically configured according to the security level.
| Setting | Authentication Only | Authentication and Low Level Encryption | Authentication and High Level Encryption |
|---|---|---|---|
| Security Policy | Apply | Apply | Apply |
| Encapsulation Mode | Transport | Transport | Transport |
| IPsec Requirement Level | Use When Possible | Use When Possible | Always Require |
| Authentication Method | PSK | PSK | PSK |
| Phase 1 Hash Algorithm | MD5 | SHA1 | SHA256 |
| Phase 1 Encryption Algorithm | DES | 3DES | AES-128-CBC |
| Phase 1 Diffie-Hellman Group | 2 | 2 | 2 |
| Phase 2 Security Protocol | AH | ESP | ESP |
| Phase 2 Authentication Algorithm | HMAC-SHA1-96/HMAC-SHA256-128/HMAC-SHA384-192/HMAC-SHA512-256 | HMAC-SHA1-96/HMAC-SHA256-128/HMAC-SHA384-192/HMAC-SHA512-256 | HMAC-SHA256-128/HMAC-SHA384-192/HMAC-SHA512-256 |
| Phase 2 Encryption Algorithm Permissions | Cleartext (NULL encryption) | 3DES/AES-128/AES-192/AES-256 | AES-128/AES-192/AES-256 |
| Phase 2 PFS | Inactive | Inactive | 2 |
Encryption key auto exchange settings items
When you specify a security level, the corresponding security settings are automatically configured, but other settings, such as address type, local address, and remote address, must still be configured manually.
After you specify a security level, you can still make changes to the auto configured settings. When you change an auto configured setting, the security level switches automatically to "User Setting".
| Setting | Description | Setting value |
|---|---|---|
| Address Type | Specify the address type for which IPsec transmission is used. | Inactive, IPv4, IPv6, IPv4/IPv6 (Default Settings only) |
| Local Address | Specify the machine's address. If you are using multiple addresses in IPv6, you can also specify an address range. | The machine's IPv4 or IPv6 address. If you are not setting an address range, enter 32 after an IPv4 address, or enter 128 after an IPv6 address. |
| Remote Address | Specify the address of the IPsec transmission partner. You can also specify an address range. | The IPsec transmission partner's IPv4 or IPv6 address. If you are not setting an address range, enter 32 after an IPv4 address, or enter 128 after an IPv6 address. |
| Security Policy | Specify how IPsec is handled. | Apply, Bypass, Discard |
| Encapsulation Mode | Specify the encapsulation mode. If you specify "Tunnel", you must then specify the "Tunnel End Point", which is the beginning and ending IP addresses. Set the same address for the beginning point as you set in "Local Address". | (auto setting), Transport, Tunnel |
| IPsec Requirement Level | Specify whether to only transmit using IPsec or to allow cleartext transmission when IPsec cannot be established. | (auto setting), Use When Possible, Always Require |
| Authentication Method | Specify the method for authenticating transmission partners. If you specify "PSK", you must then set the PSK text: a password of up to 32 ASCII characters. If you specify "Certificate", the certificate for IPsec must be installed and specified before it can be used. | (auto setting), PSK, Certificate |
| PSK Text | Specify the pre-shared key for PSK authentication. | Enter the pre-shared key required for PSK authentication. |
| Remote ID | Specify the remote ID for certificate authentication. When you select "Certificate" for Authentication Method, enter the subject Distinguished Name (DN). | You can enter the subject Distinguished Name (DN) using up to 191 ASCII characters. |
| Phase 1 Hash Algorithm | Specify the hash algorithm to be used in phase 1. | (auto setting), MD5, SHA1, SHA256, SHA384, SHA512 |
| Phase 1 Encryption Algorithm | Specify the encryption algorithm to be used in phase 1. | (auto setting), DES, 3DES, AES-128-CBC, AES-192-CBC, AES-256-CBC |
| Phase 1 Diffie-Hellman Group | Select the Diffie-Hellman group number used for IKE encryption key generation. | (auto setting), 1, 2, 14 |
| Phase 1 Validity Period | Specify the time period for which the SA settings in phase 1 are valid. | Set in seconds from 300 sec. (5 min.) to 172800 sec. (48 hrs.). |
| Phase 2 Security Protocol | Specify the security protocol to be used in phase 2. To apply both encryption and authentication to sent data, specify "ESP" or "ESP+AH". To apply authentication only to sent data, specify "AH". | (auto setting), ESP, AH, ESP+AH |
| Phase 2 Authentication Algorithm | Specify the authentication algorithm to be used in phase 2. | (auto setting), HMAC-MD5-96, HMAC-SHA1-96, HMAC-SHA256-128, HMAC-SHA384-192, HMAC-SHA512-256 |
| Phase 2 Encryption Algorithm Permissions | Specify the encryption algorithm to be used in phase 2. | (auto setting), Cleartext (NULL encryption), DES, 3DES, AES-128, AES-192, AES-256 |
| Phase 2 PFS | Specify whether to activate PFS. If PFS is activated, select the Diffie-Hellman group. | (auto setting), Inactive, 1, 2, 14 |
| Phase 2 Validity Period | Specify the time period for which the SA settings in phase 2 are valid. | Specify a period (in seconds) from 300 (5 min.) to 172800 (48 hrs.). |
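As an added example (not the machine's firmware or Web Image Monitor code), the following Python script applies the security-level table above, models the switch to "User Setting" that the page describes for any manual override, and audits a proposed policy against the PSK length, single-address prefix and validity-period rules from the settings table. The set of legacy algorithms it flags is this example's own assumption, not something the page states.

```python
import ipaddress

# Settings the machine auto-configures for each security level (from this page's table).
AUTO_SETTINGS = {
    "Authentication Only": {
        "IPsec Requirement Level": "Use When Possible", "Phase 1 Hash Algorithm": "MD5",
        "Phase 1 Encryption Algorithm": "DES", "Phase 1 Diffie-Hellman Group": "2",
        "Phase 2 Security Protocol": "AH", "Phase 2 PFS": "Inactive",
        "Phase 2 Encryption Algorithm Permissions": "Cleartext (NULL encryption)"},
    "Authentication and Low Level Encryption": {
        "IPsec Requirement Level": "Use When Possible", "Phase 1 Hash Algorithm": "SHA1",
        "Phase 1 Encryption Algorithm": "3DES", "Phase 1 Diffie-Hellman Group": "2",
        "Phase 2 Security Protocol": "ESP", "Phase 2 PFS": "Inactive",
        "Phase 2 Encryption Algorithm Permissions": "3DES/AES-128/AES-192/AES-256"},
    "Authentication and High Level Encryption": {
        "IPsec Requirement Level": "Always Require", "Phase 1 Hash Algorithm": "SHA256",
        "Phase 1 Encryption Algorithm": "AES-128-CBC", "Phase 1 Diffie-Hellman Group": "2",
        "Phase 2 Security Protocol": "ESP", "Phase 2 PFS": "2",
        "Phase 2 Encryption Algorithm Permissions": "AES-128/AES-192/AES-256"},
}
# Values a reviewer would question (this example's assumption, not from the page):
# MD5, SHA1, DES, 3DES, NULL encryption and DH groups 1/2 (768/1024-bit) are legacy choices.
LEGACY = {"MD5", "SHA1", "DES", "3DES", "Cleartext (NULL encryption)", "1", "2"}

def effective_settings(level, overrides=None):
    """Apply a security level, then user overrides; any change flips the level to "User Setting"."""
    settings = dict(AUTO_SETTINGS[level])
    settings.update(overrides or {})
    return ("User Setting" if settings != AUTO_SETTINGS[level] else level), settings

def address_entry(addr):
    """Format a single host the way the page requires: 32 after an IPv4 address, 128 after IPv6."""
    ip = ipaddress.ip_address(addr)
    return f"{ip}/{32 if ip.version == 4 else 128}"

def audit(level, psk, lifetime_sec, overrides=None):
    """Return (effective level, findings) for a proposed policy; an empty list means no concerns."""
    level, s = effective_settings(level, overrides)
    findings = []
    if not (psk.isascii() and 1 <= len(psk) <= 32):
        findings.append("PSK text must be 1 to 32 ASCII characters")
    if not 300 <= lifetime_sec <= 172800:
        findings.append("validity period must be 300 to 172800 seconds")
    if s["IPsec Requirement Level"] == "Use When Possible":
        findings.append("'Use When Possible' falls back to cleartext when IPsec cannot be established")
    if s["Phase 2 Security Protocol"] == "AH":
        findings.append("AH authenticates only; the payload is sent in cleartext")
    for item, value in s.items():
        findings += [f"{item}: {alg} is legacy" for alg in value.split("/") if alg in LEGACY]
    return level, findings
```

Running `audit("Authentication and High Level Encryption", "<constructed psk>", 28800)` shows that even the highest preset still pins Diffie-Hellman group 2 for both phase 1 and PFS, which is the kind of detail worth confirming before rolling the preset out.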