Registering a Security Policy |
This section describes the procedure for registering a new security policy. |
Remarks |
|
||||||
|
[Allow]: Allows the sending/receiving of packets that are not encrypted because they do not correspond to the security policy set on the IPSec Settings screen, in plain text. [Reject]: Rejects the sending/receiving of packets that do not correspond to the security policy set on the IPSec Settings screen. |
|
When receiving IP packets, the registered security policy is applied if the destination IP address in the packets matches the local IP address specified in this procedure. When sending IP packets, the registered security policy is applied if the source IP address in the packets matches the local IP address specified in this procedure.
|
|
|
|
|
|
When receiving IP packets, the registered security policy is applied if the source IP address in the packets matches the remote IP address specified in this procedure. When sending IP packets, the registered security policy is applied if the destination IP address in the packets matches the remote IP address specified in this procedure. |
|
|
|
|
|
When receiving IP packets, the registered security policy is applied if the destination port in the packets matches the port number specified in this procedure. When sending IP packets, the registered security policy is applied if the source port in the packets matches the port number specified in this procedure. |
[All ports]: Select to specify all the local ports or all the remote ports. [Specify Port]: Select to specify a single local port or remote port according to the port number. |
|
[Main]: Select to set the Main mode. This mode has strong security because the IKE session itself is encrypted. [Aggressive]: Select to set the Aggressive mode. This mode speeds up IKE sessions because they are not encrypted. |
If you want to select the pre-shared key method, prepare a pre-shared key. To select the digital signature method, it is necessary to install a key pair file and CA certificate file created on a PC in advance using the Remote UI. |
|
You cannot set to use "Device Signature Key" or "AMS" (key pair for access restrictions). The key pair used for SSL can also be used as the key for IPSec.
|
|
[SHA1] for <Authentication>: Select to set SHA1 (Secure Hash Algorithm 1) for the authentication algorithm. 160-bit hash values are supported. [MD5] for <Authentication>: Select to set MD5 (Message Digest Algorithm 5) for the authentication algorithm. 128-bit hash values are supported. [3DES-CBC] for <Encryption>: Select to set 3DES (Triple Data Encryption Standard) for the encryption algorithm, and CBC (Cipher Block Chaining) for the encryption mode. 3DES takes longer to process because it performs DES three times, but enables increased encryption strength. CBC links the encryption result of the previous block with the next block to make it harder to decipher the encryption. [AES-CBC] for <Encryption>: Select to set AES (Advanced Encryption Standard) for the encryption algorithm, and CBC for the encryption mode. AES supports encryption keys with a key length of 128, 192, or 256 bits. As the supported key lengths are long, it enables increased encryption strength. CBC links the encryption result of the previous block with the next block to make it harder to decipher the encryption. [Group1(762)] for <DH Group>: Select to set Group 1 for the DH (Diffie-Hellman) key exchange method. In Group 1, 762-bit MODP (Modular Exponentiation) is supported. [Group2(1024)] for <DH Group>: Select to set Group 2 for the DH key exchange method. In Group 2, 1024-bit MODP is supported. [Group14(2048)] for <DH Group>: Select to set Group 14 for the DH key exchange method. In Group 14, 2048-bit MODP is supported. |
The priority for the authentication and encryption algorithms is indicated below.
|
[Time] and [Size] for <Validity>: Specify the validation period for the generated IKE SA and IPSec SA. In IPSec communications to which a valid security policy is applied, packets can be sent and received without conducting key exchange negotiations. Make sure to set either [Time] and [Size]. If you set both, the SA becomes invalid when the value set for either [Time] or [Size] is reached. [On] for <PFS>: If you enable the PFS function, you can increase the confidentiality because even if one encryption key is exposed to a third party, the problem does not spread to other encryption keys. [Off] for <PFS>: If you disable the PFS function, if one encryption key is exposed to a third party, other encryption keys may be able to be guessed. If you set <PFS> to 'On', the destination for PFS communication must also have PFS enabled. |
|
[SHA1] for <ESP Auth.>: Select to set SHA1 as the algorithm for the ESP authentication method. 160-bit hash values are supported. [MD5] for <ESP Auth.>: Select to set MD5 as the algorithm for the ESP authentication method. 128-bit hash values are supported. [NULL] for <ESP Auth.>: Select to not set the algorithm for the ESP authentication method. [3DES-CBC] for <ESP Encryption>: Select to set 3DES for the ESP encryption algorithm, and CBC for the encryption mode. 3DES takes longer to process because it performs DES three times, but enables increased encryption strength. CBC links the encryption result of the previous block with the next block to make it harder to decipher the encryption. [AES-CBC] for <ESP Encryption>: Select to set AES for the ESP encryption algorithm, and CBC for the encryption mode. AES supports encryption keys with a key length of 128, 192, or 256 bits. As the supported key lengths are long, it enables increased encryption strength. CBC links the encryption result of the previous block with the next block to make it harder to decipher the encryption. [NULL] for <ESP Encryption>: Select to not set the algorithm for the ESP encryption method. [SHA1] for <AH Auth.>: Select to set SHA1 as the algorithm for the AH authentication method. 160-bit hash values are supported. [MD5] for <AH Auth.>: Select to set MD5 as the algorithm for the AH authentication method. 128-bit hash values are supported. |
The ESP authentication/encryption methods are set. The priority for the authentication and encryption algorithms is indicated below.
|