Operating system | Windows XP/Vista/7/8/Server 2003/Server 2008/Server 2012
Connection mode | Transport mode
Key exchange protocol | IKEv1 (main mode)
Authentication method | Pre-shared key; Digital signature
Hash algorithm (and key length) | HMAC-SHA1-96; HMAC-SHA2 (256 bits or 384 bits)
Encryption algorithm (and key length) | 3DES-CBC; AES-CBC (128 bits, 192 bits, or 256 bits)
Key exchange algorithm/group (and key length) | Diffie-Hellman (DH): Group 1 (768 bits), Group 2 (1024 bits), Group 14 (2048 bits)
ESP | Hash algorithm | HMAC-SHA1-96
ESP | Encryption algorithm (and key length) | 3DES-CBC; AES-CBC (128 bits, 192 bits, or 256 bits)
ESP | Hash algorithm/encryption algorithm (and key length) | AES-GCM (128 bits, 192 bits, or 256 bits)
AH | Hash algorithm | HMAC-SHA1-96

NOTE

IPSec functional restrictions
IPSec supports communication to a unicast address (or a single device).
The machine cannot use both IPSec and DHCPv6 at the same time.
IPSec is unavailable in networks in which NAT or IP masquerade is implemented.

Using IPSec with IP address filter
IP address filter settings are applied before the IPSec policies.

1 | In the [Policy Name] text box, enter up to 24 alphanumeric characters for a name that is used for identifying the policy.
2 | Select the [Enable Policy] check box.

[All IP Addresses] | Select to use IPSec for all IP packets.
[IPv4 Address] | Select to use IPSec for all IP packets that are sent to or from the IPv4 address of the machine.
[IPv6 Address] | Select to use IPSec for all IP packets that are sent to or from an IPv6 address of the machine.

[All IP Addresses] | Select to use IPSec for all IP packets.
[All IPv4 Addresses] | Select to use IPSec for all IP packets that are sent to or from IPv4 addresses of the other devices.
[All IPv6 Addresses] | Select to use IPSec for all IP packets that are sent to or from IPv6 addresses of the other devices.
[IPv4 Manual Settings] | Select to specify a single IPv4 address or a range of IPv4 addresses to apply IPSec. Enter the IPv4 address (or the range) in the [Addresses to Set Manually:] text box.
[IPv6 Manual Settings] | Select to specify a single IPv6 address or a range of IPv6 addresses to apply IPSec. Enter the IPv6 address (or the range) in the [Addresses to Set Manually:] text box.

Entry type | Description | Example
Entering a single address | IPv4: Delimit numbers with periods. | 192.168.0.10
Entering a single address | IPv6: Delimit alphanumeric characters with colons. | fe80::10
Specifying a range of addresses | Insert a hyphen between the addresses. | 192.168.0.10-192.168.0.20
Specifying a range of addresses with a prefix (IPv6 only) | Enter the address, followed by a slash and a number indicating the prefix length. | fe80::1234/64

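To check which peers a manually entered address actually covers before relying on the policy, the three entry formats above can be parsed and tested against a host list. This is an added example, not code from the manual or the device vendor; the function names and the sample peer list are constructed, and accepting hyphen ranges for IPv6 is an assumption based on the [IPv6 Manual Settings] description.

```python
import ipaddress

def parse_selector(text):
    """Return the (first, last) address covered by one manual address entry."""
    text = text.strip()
    if "/" in text:
        # Prefix form. strict=False accepts host bits, as in fe80::1234/64.
        net = ipaddress.ip_network(text, strict=False)
        if net.version != 6:
            raise ValueError("prefix notation is IPv6 only: " + text)
        return net.network_address, net.broadcast_address
    if "-" in text:
        # Range form: two addresses joined by a hyphen.
        lo, hi = (ipaddress.ip_address(p.strip()) for p in text.split("-", 1))
        if lo.version != hi.version:
            raise ValueError("range mixes IPv4 and IPv6: " + text)
        if lo > hi:
            raise ValueError("range start is above its end: " + text)
        return lo, hi
    addr = ipaddress.ip_address(text)  # single address
    return addr, addr

def covers(selector, peer):
    """True if peer falls inside the selector."""
    first, last = parse_selector(selector)
    peer = ipaddress.ip_address(peer)
    return peer.version == first.version and first <= peer <= last

def uncovered(selector, peers):
    """Peers the selector does not match, so this policy does not apply to them."""
    return [p for p in peers if not covers(selector, p)]

if __name__ == "__main__":
    # Constructed sample: hosts expected to reach the machine over IPSec.
    peers = ["192.168.0.10", "192.168.0.15", "192.168.0.21"]
    print(uncovered("192.168.0.10-192.168.0.20", peers))
```

Any host returned by `uncovered` falls outside the entry, so its traffic is not handled by this policy.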
[Authentication:] | Select the hash algorithm.
[Encryption:] | Select the encryption algorithm.
[DH Group:] | Select the Diffie-Hellman group, which determines the key strength.

1 | Click the [Pre-Shared Key Method:] radio button for [Authentication Method:] and then click [Shared Key Settings...].
2 | Enter up to 24 alphanumeric characters for the pre-shared key and click [OK].
3 | Specify the [Valid for:] and [Authentication:]/[Encryption:]/[DH Group:] settings.

1 | Click the [Digital Signature Method:] radio button for [Authentication Method:] and then click [Key and Certificate...].
2 | Click [Register Default Key] on the right of a key pair you want to use.
NOTE: Viewing details of a key pair or certificate
You can check the details of the certificate or verify the certificate by clicking the corresponding text link under [Key Name], or the certificate icon. See "Verifying Key Pairs and Digital Certificates".
3 | Specify the [Valid for:] and [Authentication:]/[Encryption:]/[DH Group:] settings.

[Specify by Time] | Enter a time in minutes to specify how long a session lasts.
[Specify by Size] | Enter a size in megabytes to specify how much data can be transported in a session.

[ESP Authentication:] | To enable the ESP authentication, select [SHA1] for the hash algorithm. Select [Do Not Use] if you want to disable the ESP authentication.
[ESP Encryption:] | Select the encryption algorithm for ESP. You can select [NULL] if you do not want to specify the algorithm, or select [Do Not Use] if you want to disable the ESP encryption.