Manual Settings for an IPsec Template

Option Description
Template Name

Type a name for the template (up to 16 characters).

Use Prefixed Template

Select Custom.

Internet Key Exchange (IKE)

IKE is a communication protocol used to exchange the encryption keys needed for encrypted communication using IPsec. The encryption algorithm required for IPsec is determined and the encryption keys are shared so that they apply to that session only. IKE exchanges the encryption keys using the Diffie-Hellman key exchange method, and the exchange itself takes place over encrypted communication that is limited to IKE.

Select Manual.

Authentication Key (ESP, AH)

Type the In/Out values.

These settings are necessary when Custom is selected for Use Prefixed Template, Manual is selected for Internet Key Exchange (IKE), and a setting other than None is selected for Hash in the Encapsulating Security section.

The number of characters you can set differs depending on the setting you chose for Hash in the Encapsulating Security section.

If the length of the specified authentication key does not match the length required by the selected hash algorithm, an error will occur.

  • MD5: 128 bits (16 bytes)
  • SHA1: 160 bits (20 bytes)
  • SHA256: 256 bits (32 bytes)
  • SHA384: 384 bits (48 bytes)
  • SHA512: 512 bits (64 bytes)

When you specify the key in ASCII Code, enclose the characters in double quotation marks (").

Code key (ESP)

Type the In/Out values.

These settings are necessary when Custom is selected in Use Prefixed Template, Manual is selected in Internet Key Exchange (IKE), and ESP is selected in Protocol in Encapsulating Security.

The number of characters you can set differs depending on the setting you chose for Encryption in the Encapsulating Security section.

If the length of the specified code key does not match the length required by the selected encryption algorithm, an error will occur.

  • DES: 64 bits (8 bytes)
  • 3DES: 192 bits (24 bytes)
  • AES-CBC 128: 128 bits (16 bytes)
  • AES-CBC 256: 256 bits (32 bytes)

When you specify the key in ASCII Code, enclose the characters in double quotation marks (").
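
The length rules for the Authentication Key and Code key above can be checked, and correctly sized random keys generated, before the values are typed into the form. This is an added example, not code from the original page or the device vendor; the function names are hypothetical, and treating an unquoted value as hexadecimal is an assumption.

```python
import secrets

# Required key lengths in bytes, taken from the two lists on this page.
HASH_KEY_BYTES = {"MD5": 16, "SHA1": 20, "SHA256": 32, "SHA384": 48, "SHA512": 64}
ENC_KEY_BYTES = {"DES": 8, "3DES": 24, "AES-CBC 128": 16, "AES-CBC 256": 32}


def parse_key(value):
    """Return the raw key bytes for a value as it would be typed into the form.

    A value in double quotation marks is an ASCII key (as the page states).
    Anything else is treated as hexadecimal, which is an assumption.
    """
    if len(value) >= 2 and value.startswith('"') and value.endswith('"'):
        text = value[1:-1]
        if not text.isascii():
            raise ValueError("quoted key contains non-ASCII characters")
        return text.encode("ascii")
    try:
        return bytes.fromhex(value)
    except ValueError:
        raise ValueError("unquoted key is not valid hexadecimal") from None


def check_key(value, algorithm, table):
    """Return (ok, message) for one In or Out key against the chosen algorithm."""
    need = table[algorithm]
    try:
        got = len(parse_key(value))
    except ValueError as exc:
        return False, str(exc)
    if got != need:
        return False, f"{algorithm} needs {need} bytes, got {got}"
    return True, "ok"


def new_hex_key(algorithm, table):
    """Generate a random key of the required length, hex-encoded."""
    return secrets.token_hex(table[algorithm])


if __name__ == "__main__":
    # Constructed sample inputs, not real keys.
    print(check_key('"0123456789abcdef"', "MD5", HASH_KEY_BYTES))
    print(check_key('"0123456789abcdef"', "SHA1", HASH_KEY_BYTES))
    fresh = new_hex_key("AES-CBC 256", ENC_KEY_BYTES)
    print(check_key(fresh, "AES-CBC 256", ENC_KEY_BYTES))
```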

SPI

These parameters are used to identify security information. Generally, a host has multiple Security Associations (SAs) for several types of IPsec communication. Therefore, it is necessary to identify the applicable SA when an IPsec packet is received. The SPI parameter, which identifies the SA, is included in the Authentication Header (AH) and Encapsulating Security Payload (ESP) header.

These settings are necessary when Custom is selected for Use Prefixed Template, and Manual is selected for Internet Key Exchange (IKE).

Enter the In/Out values. (3-10 characters)

Encapsulating Security
  • Protocol
    Select ESP or AH.
    • ESP is a protocol for carrying out encrypted communication using IPsec. ESP encrypts the payload (communicated contents) and adds additional information. The IP packet comprises the header and the encrypted payload, which follows the header. In addition to the encrypted data, the IP packet also includes information regarding the encryption method and encryption key, the authentication data, and so on.
    • AH is the part of the IPsec protocol that authenticates the sender and prevents manipulation of the data (ensures the integrity of the data). In the IP packet, the data is inserted immediately after the header. In addition, the packets include hash values, which are calculated using an equation from the communicated contents, secret key, and so on, in order to prevent the falsification of the sender and manipulation of the data. Unlike ESP, the communicated contents are not encrypted, and the data is sent and received as plain text.
  • Encryption (Not available for the AH option.)
    Select DES, 3DES, AES-CBC 128, or AES-CBC 256.
  • Hash
    Select None, MD5, SHA1, SHA256, SHA384, or SHA512.

    None can be selected only when ESP is selected in Protocol.

    When AH+ESP is selected in Protocol, select each protocol for Hash(ESP) and Hash(AH).

  • SA Lifetime

    Specify the IKE SA lifetime.

    Type the time (seconds) and number of kilobytes (KByte).

  • Encapsulation Mode
    Select Transport or Tunnel.
  • Remote Router IP-Address

    Type the IP address (IPv4 or IPv6) of the remote router. Enter this information only when the Tunnel mode is selected.

    SA (Security Association) is an encrypted communication method using IPsec or IPv6 that exchanges and shares information, such as the encryption method and encryption key, in order to establish a secure communication channel before communication begins. SA may also refer to a virtual encrypted communication channel that has been established. The SA used for IPsec establishes the encryption method, exchanges the keys, and carries out mutual authentication according to the IKE (Internet Key Exchange) standard procedure. In addition, the SA is updated periodically.