Kyocera TASKalfa Pro 15000c Command Center RX User Guide - Page 55

Key Exchange IKE phase1, Data Protection IKE phase2

Page 55 highlights

Network Settings

Local ID, Device Certificate and Pre-shared Key on Local Side, and Authentication Type, Remote ID Type, Remote ID and Pre-shared Key on Remote Side.

4. Key Exchange (IKE phase1): When using IKE phase1, a secure connection with the other end is established by generating ISAKMP SAs. Configure the following items so that they meet the requirements of the other end.

Mode: Configure this item when IKEv1 is selected as Key Management Type. Main Mode protects identities but requires more messages to be exchanged with the other end. Aggressive Mode requires fewer messages to be exchanged with the other end than Main Mode, but restricts identity protection and narrows the extent of the parameter negotiation. When Aggressive Mode is selected and Pre-shared Key is selected for Authentication Type, only host addresses can be specified for the IP addresses of the rule.

Hash: Selects the hash algorithm.

Encryption: Selects the encryption algorithm.

Diffie-Hellman Group: The Diffie-Hellman key-agreement algorithm allows two hosts on an unsecured network to establish a shared secret key securely. Select the Diffie-Hellman group to use for key sharing.

Lifetime (Time): Specifies the lifetime of an ISAKMP SA in seconds.

5. Data Protection (IKE phase2): In IKE phase2, IPSec SAs such as ESP or AH are established by using the SAs established in IKE phase1. Configure the following items so that they meet the requirements of the other end.

Protocol: Select ESP or AH for the protocol. ESP protects the privacy and integrity of the packet contents; select the hash algorithm and encryption algorithm below. AH protects the integrity of the packet contents using a cryptographic checksum. When you select AH as Protocol, you cannot use AES-GCM-128, 192, or 256; select the hash algorithm below.

Hash: Selects the hash algorithm. When you select AES-GCM-128, 192, or 256 on Encryption, you have to select the AES-GCM-128, 192, or 256 or the AES-GMAC-128, 192, or 256 of the same bit length.

Encryption: Selects the encryption algorithm (when ESP is selected under Protocol). When you select AES-GCM-128, 192, or 256 on Hash, you have to select the AES-GCM-128, 192, or 256 of the same bit length. When you select AES-GMAC-128, 192, or 256 on Hash, you have to select the AES-GCM-128, 192, or 256 of the same bit length. If you do not select any algorithm, the machine authenticates without encryption.

PFS: When PFS is turned On (enabled), even if one key is compromised, it cannot be used to recover the other keys generated after it. This improves security, but imposes a heavier load because of the additional key-generation processing.

Diffie-Hellman Group: When PFS is turned On (enabled), select the Diffie-Hellman Group to use.

Lifetime Measurement: Select Time or Time & Data Size.

Lifetime (Time): Configure the lifetime of an IPSec SA in seconds.

Lifetime (Data Size): Configure this item when Time & Data Size is selected as Lifetime Measurement. Configure the lifetime (data size) of an IPSec SA in kilobytes.

Extended Sequence Number: Determines whether IPSec extends the sequence number to 64 bits. To enable it, select On.

6. Manual: If Key Management Type is set to Manual, configure: Protocol, Hash, Encryption, SPI Format, SPI for Inbound, SPI for Outbound, Key Format, Authentication Key for Inbound, Authentication Key for Outbound, Encryption Key for Inbound, Encryption Key for Outbound. Click the Submit button to finalize the settings.

3. Click the Submit button.

User Guide 51
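As an added example (not code from the Kyocera guide or the device), a Python checker that enforces the rule constraints described in steps 4 and 5 above before a rule is submitted: the Aggressive Mode with Pre-shared Key address restriction, the AH and AES-GCM/AES-GMAC pairing rules, PFS requiring a Diffie-Hellman Group, and Lifetime (Data Size) being required with Time & Data Size. The dictionary layout, key names and sample rules are assumptions made for this example; the option labels follow the guide's.

```python
import re

# Matches the guide's AES-GCM-/AES-GMAC-{128,192,256} labels; returns (kind, bits).
_AEAD = re.compile(r"^AES-G(CM|MAC)-(128|192|256)$")

def _aead(alg):
    m = _AEAD.match(alg or "")
    return (m.group(1), m.group(2)) if m else (None, None)

def check_rule(rule):
    """Return the list of constraint violations; an empty list means consistent."""
    findings = []
    p1, p2 = rule["phase1"], rule["phase2"]
    # Phase1: Aggressive Mode with Pre-shared Key allows host addresses only
    # (a '/' in the address denotes a subnet in this constructed layout).
    if (p1.get("key_management") == "IKEv1" and p1.get("mode") == "Aggressive"
            and rule.get("authentication_type") == "Pre-shared Key"
            and "/" in rule.get("remote_address", "")):
        findings.append("Aggressive Mode with Pre-shared Key allows host addresses only")
    hk, hb = _aead(p2.get("hash"))
    ek, eb = _aead(p2.get("encryption"))
    if p2["protocol"] == "AH":
        if hk == "CM":
            findings.append("AH cannot use AES-GCM-128, 192, or 256")
    else:  # ESP
        if not p2.get("encryption"):
            findings.append("no Encryption algorithm: ESP would authenticate without encryption")
        # AES-GCM on Encryption needs AES-GCM or AES-GMAC of the same bit length on Hash
        if ek == "CM" and hb != eb:
            findings.append(f"AES-GCM-{eb} on Encryption needs AES-GCM-{eb} or AES-GMAC-{eb} on Hash")
        # AES-GCM or AES-GMAC on Hash needs AES-GCM of the same bit length on Encryption
        if hk and (ek != "CM" or eb != hb):
            findings.append(f"AES-G{hk}-{hb} on Hash needs AES-GCM-{hb} on Encryption")
    if p2.get("pfs") == "On" and not p2.get("dh_group"):
        findings.append("PFS is On but no Diffie-Hellman Group is selected")
    if p2.get("lifetime_measurement") == "Time & Data Size" and not p2.get("lifetime_kb"):
        findings.append("Lifetime (Data Size) is required with Time & Data Size")
    return findings

# Constructed sample rules (not taken from any real device configuration).
GOOD = {"authentication_type": "Pre-shared Key", "remote_address": "192.0.2.10",
        "phase1": {"key_management": "IKEv1", "mode": "Main"},
        "phase2": {"protocol": "ESP", "hash": "AES-GMAC-256", "encryption": "AES-GCM-256",
                   "pfs": "On", "dh_group": "14", "lifetime_measurement": "Time"}}
BAD = {"authentication_type": "Pre-shared Key", "remote_address": "192.0.2.0/24",
       "phase1": {"key_management": "IKEv1", "mode": "Aggressive"},
       "phase2": {"protocol": "ESP", "hash": "SHA-256", "encryption": "AES-GCM-128",
                  "pfs": "On", "dh_group": "", "lifetime_measurement": "Time & Data Size"}}
```

Running `check_rule(BAD)` reports four findings (the address restriction, the unmatched AES-GCM-128, the missing Diffie-Hellman Group and the missing Lifetime (Data Size)), while `check_rule(GOOD)` returns an empty list.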

