Registering a Security Policy

This section describes the procedure for registering a new security policy.


Remarks
  • You can register up to 10 security policies. The registered security policies are displayed in order of their priority.

  1. On the TCP/IP Settings screen, press [IPSec Settings] → select [On] for <Use IPSec>.

  • If you set <Use IPv4> to 'On', the machine will not enter the Sleep mode completely.
  1. In <Receive Non-policy Packets>, specify the following settings → press [Register].

[Allow]: Allows the sending/receiving of packets that are not encrypted because they do not correspond to the security policy set on the IPSec Settings screen, in plain text.

[Reject]: Rejects the sending/receiving of packets that do not correspond to the security policy set on the IPSec Settings screen.

  1. Enter the security policy name to register in [Policy Name] → press [Selector Settings].

  1. On the Selector Settings screen, specify the local IP address to apply the registered security policy to.

When receiving IP packets, the registered security policy is applied if the destination IP address in the packets matches the local IP address specified in this procedure. When sending IP packets, the registered security policy is applied if the source IP address in the packets matches the local IP address specified in this procedure.

  • IPSec is not applied for link local addresses included when the following are selected. IPSec packets sent to link local addresses are discarded.
  • [All IP addresses] for <Local Address>
  • [IPv6 Address] for <Local Address>
  • [IPv6 Manual Settings] for <Local Address>

  • Select [All IP addresses] for <Local Address>.


  • Select [IPv4 Address] for <Local Address>.

  • Select [IPv6 Address] for <Local Address>.

  • Select [IPv4 Manual Settings] for <Local Address> → specify a single IPv4 address or range of IPv4 addresses. Also specify the subnet.


  • Select [IPv6 Manual Settings] for <Local Address> → specify a single IPv6 address or range of IPv6 addresses. Also specify the IPv6 address and prefix length.

  1. On the Selector Settings screen, specify the remote IP address to apply the registered security policy to.

When receiving IP packets, the registered security policy is applied if the source IP address in the packets matches the remote IP address specified in this procedure. When sending IP packets, the registered security policy is applied if the destination IP address in the packets matches the remote IP address specified in this procedure.


  • Select [All IP addresses] for <Remote Address>.

  • Select [All IPv4 addresses] for <Remote Address>.

  • Select [All IPv6 addresses] for <Remote Address>.

  • Select [IPv4 Manual Settings] for <Remote Address> → specify a single IPv4 address or range of IPv4 addresses. Also specify the subnet.

  • Select [IPv6 Manual Settings] for <Remote Address> → specify a single IPv6 address or range of IPv6 addresses. Also specify the IPv6 address and prefix length.
  1. On the Selector Settings screen, specify the destination port to apply the registered security policy to.

When receiving IP packets, the registered security policy is applied if the destination port in the packets matches the port number specified in this procedure. When sending IP packets, the registered security policy is applied if the source port in the packets matches the port number specified in this procedure.


  • Select [Specify by Port Number] for <Port>.
  • On the Specify by Port Number screen, set the local port and remote port.

[All ports]: Select to specify all the local ports or all the remote ports.

[Specify Port]: Select to specify a single local port or remote port according to the port number.


  • Select [Specify by Service Name] for <Port>.
  • On the Specify by Service Name screen, select a displayed service name → press [Service On/Off].

  1. On the Register screen, press [IKE Settings] → select the mode to use for IKE phase 1.

[Main]: Select to set the Main mode. This mode has strong security because the IKE session itself is encrypted.

[Aggressive]: Select to set the Aggressive mode. This mode speeds up IKE sessions because they are not encrypted.

  1. On the IKE Settings screen, specify the authentication method to use for IKE phase 1.

If you want to select the pre-shared key method, prepare a pre-shared key. To select the digital signature method, it is necessary to install a key pair file and CA certificate file created on a PC in advance using the Remote UI.


  • Press [Pre-shared Key Method] → [Shared Key] for <Authentication Method> → enter the pre-shared key.


  • Press [Digital sig. Method] → [Key and Certificate] for <Authentication Method>, select the key pair you want to use → press [Set as the Default Key] to register the key pair to use for IPSec.

You cannot set to use "Device Signature Key" or "AMS" (key pair for access restrictions). The key pair used for SSL can also be used as the key for IPSec.

  • The key pair used for this product and the root CA certificate used in the device to communicate with must be issued from the same root certificate authority.
  • It is necessary to use the Remote UI to delete a key pair registered for IPSec.(See "Remote UI.")
  • You can check the content of a certificate by selecting a key pair on the Key and Certificate screen, and pressing [Certificate Details]. On the Certificate Details screen, you can press [Certificate Verification] to verify the certificate.
  • You can check what a key pair is being used for by selecting a key pair with 'Using' displayed for <Used> on the Key and Certificate screen, and pressing [Display Use Location].
  1. On the IKE Settings screen, select the algorithm for the authentication and encryption to use for IKE phase 1.

  • Select [Manual Settings] for <Auth./Encryption Algorithm> → specify the authentication and encryption algorithm to apply to the IKE SA.

[SHA1] for <Authentication>: Select to set SHA1 (Secure Hash Algorithm 1) for the authentication algorithm. 160-bit hash values are supported.

[MD5] for <Authentication>: Select to set MD5 (Message Digest Algorithm 5) for the authentication algorithm. 128-bit hash values are supported.

[3DES-CBC] for <Encryption>: Select to set 3DES (Triple Data Encryption Standard) for the encryption algorithm, and CBC (Cipher Block Chaining) for the encryption mode. 3DES takes longer to process because it performs DES three times, but enables increased encryption strength. CBC links the encryption result of the previous block with the next block to make it harder to decipher the encryption.

[AES-CBC] for <Encryption>: Select to set AES (Advanced Encryption Standard) for the encryption algorithm, and CBC for the encryption mode. AES supports encryption keys with a key length of 128, 192, or 256 bits. As the supported key lengths are long, it enables increased encryption strength. CBC links the encryption result of the previous block with the next block to make it harder to decipher the encryption.

[Group1(762)] for <DH Group>: Select to set Group 1 for the DH (Diffie-Hellman) key exchange method. In Group 1, 762-bit MODP (Modular Exponentiation) is supported.

[Group2(1024)] for <DH Group>: Select to set Group 2 for the DH key exchange method. In Group 2, 1024-bit MODP is supported.

[Group14(2048)] for <DH Group>: Select to set Group 14 for the DH key exchange method. In Group 14, 2048-bit MODP is supported.


  • Select [Auto] for <Auth./Encryption Algorithm>.

The priority for the authentication and encryption algorithms is indicated below.

Priority Authentication Algorithm Encryption Algorithm DH Key Exchange Method
1 SHA1 AES (128-bit) Group 2
2 MD5
3 SHA1 AES (192-bit)
4 MD5
5 SHA1 AES (256-bit)
6 MD5
7 SHA1 3DES
8 MD5
  1. On the Register screen, press [IPSec Network Settings] → specify the SA validation time and validation type, and PFS (Perfect Forward Security).

[Time] and [Size] for <Validity>: Specify the validation period for the generated IKE SA and IPSec SA. In IPSec communications to which a valid security policy is applied, packets can be sent and received without conducting key exchange negotiations. Make sure to set either [Time] and [Size]. If you set both, the SA becomes invalid when the value set for either [Time] or [Size] is reached.

[On] for <PFS>: If you enable the PFS function, you can increase the confidentiality because even if one encryption key is exposed to a third party, the problem does not spread to other encryption keys.

[Off] for <PFS>: If you disable the PFS function, if one encryption key is exposed to a third party, other encryption keys may be able to be guessed. If you set <PFS> to 'On', the destination for PFS communication must also have PFS enabled.

  1. On the IPSec Network Settings screen, select the algorithm for the authentication and encryption to use for IKE phase 2.

  • Select [Manual Settings] for <Auth./Encryption Algorithm>.
  • Set the ESP authentication/encryption method, or the algorithm for the AH authentication method.

[SHA1] for <ESP Auth.>: Select to set SHA1 as the algorithm for the ESP authentication method. 160-bit hash values are supported.

[MD5] for <ESP Auth.>: Select to set MD5 as the algorithm for the ESP authentication method. 128-bit hash values are supported.

[NULL] for <ESP Auth.>: Select to not set the algorithm for the ESP authentication method.

[3DES-CBC] for <ESP Encryption>: Select to set 3DES for the ESP encryption algorithm, and CBC for the encryption mode. 3DES takes longer to process because it performs DES three times, but enables increased encryption strength. CBC links the encryption result of the previous block with the next block to make it harder to decipher the encryption.

[AES-CBC] for <ESP Encryption>: Select to set AES for the ESP encryption algorithm, and CBC for the encryption mode. AES supports encryption keys with a key length of 128, 192, or 256 bits. As the supported key lengths are long, it enables increased encryption strength. CBC links the encryption result of the previous block with the next block to make it harder to decipher the encryption.

[NULL] for <ESP Encryption>: Select to not set the algorithm for the ESP encryption method.

[SHA1] for <AH Auth.>: Select to set SHA1 as the algorithm for the AH authentication method. 160-bit hash values are supported.

[MD5] for <AH Auth.>: Select to set MD5 as the algorithm for the AH authentication method. 128-bit hash values are supported.


  • Select [Auto] for <Auth./Encryption Algorithm>.

The ESP authentication/encryption methods are set. The priority for the authentication and encryption algorithms is indicated below.

Priority Algorithm for ESP Authentication Method Algorithm for ESP Encryption Method
1 SHA1 AES (128-bit)
2 MD5
3 SHA1 AES (192-bit)
4 MD5
5 SHA1 AES (256-bit)
6 MD5
7 SHA1 3DES
8 MD5