Search

IKEv2 Settings for an IPsec Template

Option Description
Template Name Type a name for the template (up to 16 characters).
Use Prefixed Template Select Custom, IKEv2 High Security, or IKEv2 Medium Security. The setting items are different depending on the selected template.
Internet Key Exchange (IKE)

IKE is a communication protocol that is used to exchange encryption keys in order to carry out encrypted communication using IPsec. To carry out encrypted communication for that time only, the encryption algorithm that is necessary for IPsec is determined and the encryption keys are shared. For IKE, the encryption keys are exchanged using the Diffie-Hellman key exchange method, and encrypted communication that is limited to IKE is carried out.

If you selected Custom in Use Prefixed Template, select IKEv2.
Authentication Type
  • Diffie-Hellman Group

    This key exchange method allows secret keys to be securely exchanged over an unprotected network. The Diffie-Hellman key exchange method uses a discrete logarithm problem, not the secret key, to send and receive open information that was generated using a random number and the secret key.

    Select Group1, Group2, Group5, or Group14.

  • Encryption
    Select DES, 3DES, AES-CBC 128, or AES-CBC 256.
  • Hash
    Select MD5, SHA1, SHA256, SHA384 or SHA512.
  • SA Lifetime

    Specify the IKE SA lifetime.

    Type the time (seconds) and number of kilobytes (KByte).

Encapsulating Security
  • Protocol
    Select ESP.
    image
    ESP is a protocol for carrying out encrypted communication using IPsec. ESP encrypts the payload (communicated contents) and adds additional information. The IP packet comprises the header and the encrypted payload, which follows the header. In addition to the encrypted data, the IP packet also includes information regarding the encryption method and encryption key, the authentication data, and so on.
  • Encryption
    Select DES, 3DES, AES-CBC 128, or AES-CBC 256.
  • Hash
    Select MD5, SHA1, SHA256, SHA384, or SHA512.
  • SA Lifetime

    Specify the IKE SA lifetime.

    Type the time (seconds) and number of kilobytes (KByte).

  • Encapsulation Mode
    Select Transport or Tunnel.
  • Remote Router IP-Address

    Type the IP address (IPv4 or IPv6) of the remote router. Enter this information only when the Tunnel mode is selected.

    image
    SA (Security Association) is an encrypted communication method using IPsec or IPv6 that exchanges and shares information, such as the encryption method and encryption key, in order to establish a secure communication channel before communication begins. SA may also refer to a virtual encrypted communication channel that has been established. The SA used for IPsec establishes the encryption method, exchanges the keys, and carries out mutual authentication according to the IKE (Internet Key Exchange) standard procedure. In addition, the SA is updated periodically.
Perfect Forward Secrecy (PFS)

PFS does not derive keys from previous keys that were used to encrypt messages. In addition, if a key that is used to encrypt a message was derived from a parent key, that parent key is not used to derive other keys. Therefore, even if a key is compromised, the damage will be limited only to the messages that were encrypted using that key.

Select Enabled or Disabled.

Authentication method.

Select the authentication method. Select Pre-Shared Key, Certificates, EAP - MD5, or EAP - MS-CHAPv2.

image

EAP is an authentication protocol that is an extension of PPP. By using EAP with IEEE802.1x, a different key is used for user authentication during each session.

The following settings are necessary only when EAP - MD5 or EAP - MS-CHAPv2 is selected in Authentication method.:

  • Mode

    Select Server-Mode or Client-Mode.

  • Certificate

    Select the certificate.

  • User Name

    Type the user name (up to 32 characters).

  • Password

    Type the password (up to 32 characters). The password must be entered two times for confirmation.

Pre-Shared Key

When encrypting communication, the encryption key is exchanged and shared beforehand using another channel.

If you selected Pre-Shared Key for the Authentication method., type the Pre-Shared Key (up to 32 characters).

  • Local/ID Type/ID

    Select the sender's ID type, and then type the ID.

    Select IPv4 Address, IPv6 Address, FQDN, E-mail Address, or Certificate for the type.

    If you select Certificate, type the common name of the certificate in the ID field.

  • Remote/ID Type/ID

    Select the recipient's ID type, and then type the ID.

    Select IPv4 Address, IPv6 Address, FQDN, E-mail Address, or Certificate for the type.

    If you select Certificate, type the common name of the certificate in the ID field.

Certificate If you selected Certificates for Authentication method., select the certificate.
image

You can select only the certificates that were created using the Certificate page of Web Based Management's Security configuration screen.

Did you find the information you needed?