Return to Overview

To "Settings/Registration Table"

This section describes the procedure for registering a new security policy.

• You can register up to 10 security policies. The registered security policies are displayed in order of their priority.

1. On the TCP/IP Settings screen, press [IPSec Settings] → select [On] for <Use IPSec>.

• If you set <Use IPSec> to 'On', the machine will not enter a complete Sleep mode.

2. In <Receive Non-Policy Packets>, specify the following settings → press [Reg.].

[Allow]: Allows the sending/receiving of packets that are not encrypted because they do not correspond to the security policy set on the IPSec Settings screen, in plain text.

[Reject]: Rejects the sending/receiving of packets that do not correspond to the security policy set on the IPSec Settings screen.

3. Enter the security policy name to register in [Policy Name] → press [Selector Settings].

4. On the Selector Settings screen, specify the local IP address to apply the registered security policy to.

When receiving IP packets, the registered security policy is applied if the destination IP address in the packets matches the local IP address specified in this procedure. When sending IP packets, the registered security policy is applied if the source IP address in the packets matches the local IP address specified in this procedure.

• If the link local address is set to a local IP address in this procedure for IPSec communication, the remote IP address set in step 5 should be a link local address.

• Applying a Security Policy to All Sent and Received IP Packets:

• Applying a Security Policy to the IP Packets Received from and Sent to the IPv4 Address Held By the Machine:

• Applying a Security Policy to the IP Packets Received from and Sent to the IPv6 Address Held By the Machine:

• Applying a Security Policy to the IP Packets Received from and Sent to the Specified IPv4 Address or IPv4 Network Address:

• Applying a Security Policy to the IP Packets Received from and Sent to the Specified IPv6 Address or IPv6 Network Address:

• Applying a Security Policy to All Sent and Received IP Packets:

• Select [All IP Addresses] for <Local Address>.

• Applying a Security Policy to the IP Packets Received from and Sent to the IPv4 Address Held By the Machine:

• Select [IPv4 Address] for <Local Address>.

• Applying a Security Policy to the IP Packets Received from and Sent to the IPv6 Address Held By the Machine:

• Select [IPv6 Address] for <Local Address>.

• Applying a Security Policy to the IP Packets Received from and Sent to the Specified IPv4 Address or IPv4 Network Address:

• Select [IPv4 Manual Settings] for <Local Address> → specify a single IPv4 address or range of IPv4 addresses. Also specify the subnet.

• Applying a Security Policy to the IP Packets Received from and Sent to the Specified IPv6 Address or IPv6 Network Address:

• Select [IPv6 Manual Settings] for <Local Address> → specify a single IPv6 address or range of IPv6 addresses. Also specify the IPv6 address and prefix length.

5. On the Selector Settings screen, specify the remote IP address to apply the registered security policy to.

When receiving IP packets, the registered security policy is applied if the source IP address in the packets matches the remote IP address specified in this procedure. When sending IP packets, the registered security policy is applied if the destination IP address in the packets matches the remote IP address specified in this procedure.

• If the remote IP address is set to a local IP address in this procedure for IPSec communication, the local IP address set in step 4 must be a link local address.

• Applying a Security Policy to All Sent and Received IP Packets:

• Applying a Security Policy to the IP Packets Received from and Sent to All IPv4 Addresses Held By the Machine:

• Applying a Security Policy to the IP Packets Received from and Sent to All IPv6 Addresses Held By the Machine:

• Applying a Security Policy to the IP Packets Received from and Sent to the Specified IPv4 Address or IPv4 Network Address:

• Applying a Security Policy to the IP Packets Received from and Sent to the Specified IPv6 Address or IPv6 Network Address:

• Applying a Security Policy to All Sent and Received IP Packets:

• Select [All IP Addresses] for <Remote Address>.

• Applying a Security Policy to the IP Packets Received from and Sent to All IPv4 Addresses Held By the Machine:

• Select [All IPv4 Addresses] for <Remote Address>.

• Applying a Security Policy to the IP Packets Received from and Sent to All IPv6 Addresses Held By the Machine:

• Select [All IPv6 Addresses] for <Remote Address>.

• Applying a Security Policy to the IP Packets Received from and Sent to the Specified IPv4 Address or IPv4 Network Address:

• Select [IPv4 Manual Settings] for <Remote Address> → specify a single IPv4 address or range of IPv4 addresses. Also specify the subnet.

• Applying a Security Policy to the IP Packets Received from and Sent to the Specified IPv6 Address or IPv6 Network Address:

• Select [IPv6 Manual Settings] for <Remote Address> → specify a single IPv6 address or range of IPv6 addresses. Also specify the IPv6 address and prefix length.

6. On the Selector Settings screen, specify the destination port to apply the registered security policy to.

When receiving IP packets, the registered security policy is applied if the destination port in the packets matches the port number specified in this procedure. When sending IP packets, the registered security policy is applied if the source port in the packets matches the port number specified in this procedure.

• Applying a Security Policy to the IP Packets Received from and Sent to the Local Port and Remote Port Specified By Port Number:

• Applying a Security Policy to the IP Packets Received from and Sent to the Port Specified By Assigned Application:

• Applying a Security Policy to the IP Packets Received from and Sent to the Local Port and Remote Port Specified By Port Number:

• Select [Specify by Port Number] for <Port>.

• On the Specify by Port Number screen, set the local port and remote port.

[All Ports]: Select to specify all the local ports or all the remote ports.

[Single Port]: Select to specify a single local port or remote port according to the port number.

• Applying a Security Policy to the IP Packets Received from and Sent to the Port Specified By Assigned Application:

• Select [Specify by Service Name] for <Port>.

• On the Specify by Service Name screen, select a displayed service name → press [Service On/Off].

7. On the Register screen, press [IKE Settings] → select the mode to use for IKE phase 1.

[Main]: Select to set the Main mode. This mode has strong security because the IKE session itself is encrypted.

[Aggressive]: Select to set the Aggressive mode. This mode speeds up IKE sessions because they are not encrypted.

8. On the IKE Settings screen, specify the authentication method to use for IKE phase 1.

If you want to select the pre-shared key method, prepare a pre-shared key. To select a digital signature method, register the CA certificate in advance (see "Registering a CA Certificate File Installed from a Computer."), and install the key pair file and certificate file (see "Remote UI.").

• Setting the Pre-Shared Key Method:

• Setting the Digital Signature Method:

• Setting the Pre-Shared Key Method:

• Press [Pre-Shared Key Method] → [Shared Key] for <Authentication Method> → enter the pre-shared key.

• Setting the Digital Signature Method:

• Press [Digital Sig. Method] → [Key and Certificate] for <Authentication Method>, select the key pair you want to use → press [Set as the Default Key] to register the key pair to use for IPSec.

You cannot set to use "Device Signature Key" or "AMS" (key pair for access restrictions).

• If you select a key pair that is using the RSA-MD5 or RSA-MD2 signature algorithm, policies with this key pair set are disabled when you set IPSec communication to comply with FIPS (Federal Information Processing Standards) 140-2. (See "Using an Encryption Method That Complies with FIPS 140-2.")

• You can check the content of a certificate by selecting a key pair on the Key and Certificate screen, and pressing [Certificate Details]. On the Certificate Details screen, you can press [Certificate] to verify the certificate.

• You can check what a key pair is being used for by selecting a key pair with 'Used' displayed for <Status> on the Key and Certificate screen, and pressing [Display Use Location].

9. On the IKE Settings screen, select the algorithm for the authentication and encryption to use for IKE phase 1.

• Specifying the Authentication and Encryption Algorithm:

• Automatically Setting the Authentication and Encryption Algorithm:

• Specifying the Authentication and Encryption Algorithm:

• Select [Manual Settings] for <Auth./Encryption Algorithm> → specify the authentication and encryption algorithm to apply to the IKE SA.

[SHA1] for <Authentication>: Select to set SHA1 (Secure Hash Algorithm 1) for the authentication algorithm. 160-bit hash values are supported.

[SHA2] for <Authentication>: Select to set SHA2 (Secure Hash Algorithm 2) for the authentication algorithm. 256-bit or 384-bit hash values are supported.

[3DES-CBC] for <Encryption>: Select to set 3DES (Triple Data Encryption Standard) for the encryption algorithm, and CBC (Cipher Block Chaining) for the encryption mode. 3DES takes longer to process because it performs DES three times, but enables increased encryption strength. CBC links the encryption result of the previous block with the next block to make it harder to decipher the encryption.

[AES-CBC] for <Encryption>: Select to set AES (Advanced Encryption Standard) for the encryption algorithm, and CBC for the encryption mode. AES supports encryption keys with a key length of 128, 192, or 256 bits. As the supported key lengths are long, it enables increased encryption strength. CBC links the encryption result of the previous block with the next block to make it harder to decipher the encryption.

[Group1(762)] for <DH Group>: Select to set Group 1 for the DH (Diffie-Hellman) key exchange method. In Group 1, 762-bit MODP (Modular Exponentiation) is supported.

[Group2(1024)] for <DH Group>: Select to set Group 2 for the DH key exchange method. In Group 2, 1024-bit MODP is supported.

[Group14(2048)] for <DH Group>: Select to set Group 14 for the DH key exchange method. In Group 14, 2048-bit MODP is supported.

[ECDH P-256] for <DH Group>: Select to set the ECDH (Elliptic Curve Diffie Hellman) key exchange method with a 256-bit key length.

[ECDH P-384] for <DH Group>: Select to set the ECDH key exchange method with a 384-bit key length.

• Automatically Setting the Authentication and Encryption Algorithm:

• Select [Auto] for <Auth./Encryption Algorithm>.

The priority for the authentication and encryption algorithms is indicated below.

10. On the Register screen, press [IPSec Network Settings] → specify the SA validation time and validation type, and PFS (Perfect Forward Security).

[Time] and [Size] for <Validity>: Specify the validation period for the generated IKE SA and IPSec SA. In IPSec communications to which a valid security policy is applied, packets can be sent and received without conducting key exchange negotiations. Make sure to set either [Time] or [Size]. If you set both, the SA becomes invalid when the value set for either [Time] or [Size] is reached.

[On] for <PFS>: If you enable the PFS function, you can increase the confidentiality because even if one encryption key is exposed to a third party, the problem does not spread to other encryption keys.

[Off] for <PFS>: If you disable the PFS function, if one encryption key is exposed to a third party, other encryption keys may be able to be guessed. If you set <PFS> to 'On', the destination for PFS communication must also have PFS enabled.

11. On the IPSec Network Settings screen, select the algorithm for the authentication and encryption to use for IKE phase 2.

• Specifying the Authentication and Encryption Algorithm:

• Automatically Setting the Authentication and Encryption Algorithm:

• Specifying the Authentication and Encryption Algorithm:

• Select [Manual Settings] for <Auth./Encryption Algorithm>.

• Set the algorithm for the authentication method.

The authentication and encryption algorithms you can set are indicated below.

• If you set IPSec communication to comply with FIPS 140-2, policies with [ESP(AES-GCM)] set for the authentication method are disabled. At the same time, the authentication algorithm for this policy is automatically changed to SHA1 and the encryption algorithm for this policy is automatically changed to 3DES-CBC. (See "Using an Encryption Method That Complies with FIPS 140-2.")

• Automatically Setting the Authentication and Encryption Algorithm:

• Select [Auto] for <Auth./Encryption Algorithm>.

The ESP authentication/encryption methods are set. The priority for the authentication and encryption algorithms is indicated below.

• Back To Top