ColorQube 8880 Help
IPsec Actions Help

This page enables you to create, modify, and delete IPsec Actions. Once an IPsec Action is configured, it is available for selection on the IPsec Policies page in CentreWare IS. For more information about IPsec, see the IPsec Policies Help.

IPsec Actions enable you to do the following:

  • Pass: Permit network traffic to pass through (unencrypted) to a protocol and address. This default action cannot be deleted.
  • Block: Drop network traffic and stop communication with a protocol and address. This default action cannot be deleted.
  • Authenticate: Require IPsec authentication for the selected network traffic.
  • Encrypt: Require IPsec authentication and encryption for the selected network traffic.

Note: In order to use X.509 certificates for IPsec authentication, you must install the certificates from the Manage Certificates page in CentreWare IS before configuring IPsec. Select Security > Certificates in the left navigation panel to configure certificates. For more information about certificates, see the Manage Certificates Help.

Note: You must click Apply at the bottom of the page before you exit to save any changes and commit them to the IPsec Policy database.

Creating IPsec Actions

To create a new action, click Create Action at the bottom of the page. A series of pages displays to guide you through creating an action; each page shows your previous entries to make configuration easier. A maximum of 100 actions can be configured. After you have configured the list of IPsec Actions, and before you exit the page, click Apply at the bottom of the page to save the new actions and commit them to the IPsec Policy database.

First choose the Keying Method, either Manual Keying or Internet Key Exchange (IKE), and assign a unique Name and Description to the action. IKE is the protocol used to set up a security association (SA) in the IPsec protocol suite. Name can be at most 64 characters and Description at most 256 characters. Name is required, and neither Name nor Description can contain the following special characters:
" ' & ? + = < > / \

Manual Keying

If Manual Keying is selected, configure the following:
  1. IPsec Mode - Select Tunnel or Transport. The default setting is Transport.
    • In Tunnel Mode, the entire IP packet (header and payload) is encrypted. Tunnel Mode provides portal-to-portal security, in which a single node protects the packet traffic of multiple machines. If Tunnel Mode is selected, enter the Remote Tunnel Address in the provided field. Remote Tunnel Address can be at most 40 characters.
    • In Transport Mode, only the payload (message) of the IP packet is encrypted. Transport Mode provides end-to-end security of packet traffic in which the end point computers do the security processing.
  2. IPsec Proposal Protocol - Select Encapsulating Security Payload + Authentication Header (ESP+AH), ESP, or AH. ESP provides confidentiality for the IP packet payload so that its contents cannot be read in transit. AH verifies that a packet came from the stated source and has not been modified in transit. A protocol other than None must be selected.
    • For ESP+AH, select IPsec Encryption Algorithms to provide confidentiality and Hash Algorithms for authentication and integrity. Encryption Algorithms you can select include Advanced Encryption Standard CBC (AES-CBC), Triple Data Encryption Standard (3DES), and Data Encryption Standard (DES). Hash Algorithms you can select include SHA1 and MD5. At least one encryption algorithm and at least one hash algorithm are required. One pair of Inbound and Outbound SPIs is used for ESP, and another pair is used for AH.
    • For ESP, in addition to the algorithms supported for ESP+AH, you can select Null Encryption Algorithm and None for Hash Algorithm. At least one encryption algorithm and at least one hash algorithm are required, and the combination of Null and None is not valid. For ESP, only one pair of Inbound and Outbound SPIs is used.
    • For AH, Hash Algorithms you can select include SHA1 and MD5. At least one hash algorithm is required. For AH, only one pair of Inbound and Outbound SPIs is used.
  3. Inbound SPI number, Inbound Decryption Key and Inbound Authentication Key - The Inbound SPI default is 0. Change the SPI number to any unsigned 32-bit integer. A key is a secret value used by the cryptographic algorithms. The Decryption Key and Authentication Key fields accept hexadecimal values. Decryption Key must be an exact length for these algorithms:
    • AES-CBC - 32 hexadecimal characters.
    • 3DES - 48 hexadecimal characters.
    • DES - 16 hexadecimal characters.
    Authentication Key must be an exact length for these algorithms:
    • SHA1 - 40 hexadecimal characters.
    • MD5 - 32 hexadecimal characters.
  4. Outbound SPI number, Outbound Encryption Key, Outbound Encryption IV and Outbound Authentication Key - The Outbound SPI default is 0. Change the SPI number to any unsigned 32-bit integer. The Encryption Key, Encryption IV, and Authentication Key fields accept hexadecimal values. Encryption Key must be an exact length for these algorithms:
    • AES-CBC - 32 hexadecimal characters.
    • 3DES - 48 hexadecimal characters.
    • DES - 16 hexadecimal characters.
    Encryption IV is optional. If used, it must be an exact length for these algorithms:
    • AES-CBC - 32 hexadecimal characters.
    • 3DES - 16 hexadecimal characters.
    • DES - 16 hexadecimal characters.
    Authentication Key must be an exact length for these algorithms:
    • SHA1 - 40 hexadecimal characters.
    • MD5 - 32 hexadecimal characters.
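As an added example that is not part of this help page or of Xerox's software, the following Python check applies the Name/Description rules above and the manual-keying field rules (exact key and IV hex lengths, the unsigned 32-bit SPI range, the invalid Null/None combination) to one direction of an SA. The function names, message texts and the legacy-algorithm warning are assumptions of this example.

```python
import re

# Characters this page forbids in an action Name or Description.
NAME_FORBIDDEN = set('"\'&?+=<>/\\')
# Exact hexadecimal lengths this page requires for manual-keying fields.
ENC_KEY_HEX = {"AES-CBC": 32, "3DES": 48, "DES": 16}  # 128-, 192-, 64-bit keys
IV_HEX = {"AES-CBC": 32, "3DES": 16, "DES": 16}       # one cipher block each
AUTH_KEY_HEX = {"SHA1": 40, "MD5": 32}                # 160- and 128-bit keys
HEX_RE = re.compile(r"[0-9A-Fa-f]+")


def validate_name(name, description=""):
    """Problems with an action Name/Description; an empty list means valid."""
    problems = []
    if not name:
        problems.append("Name is required")
    if len(name) > 64:
        problems.append("Name exceeds 64 characters")
    if len(description) > 256:
        problems.append("Description exceeds 256 characters")
    bad = sorted({c for c in name + description if c in NAME_FORBIDDEN})
    if bad:
        problems.append("forbidden characters: " + "".join(bad))
    return problems


def _bad_hex(value, want):
    """True unless value is exactly `want` hexadecimal characters."""
    return value is None or len(value) != want or not HEX_RE.fullmatch(value)


def validate_manual_sa(enc_alg, enc_key, auth_alg, auth_key, spi, iv=None):
    """Check one direction of a manually keyed SA (enc_alg=None for AH only).
    ESP+AH uses one SPI pair for ESP and another for AH: call once per SA."""
    problems = []
    if not 0 <= spi <= 0xFFFFFFFF:
        problems.append("SPI must be an unsigned 32-bit integer")
    if enc_alg == "Null" and auth_alg == "None":
        problems.append("Null encryption with no hash is not valid")
    if enc_alg in ENC_KEY_HEX:
        if _bad_hex(enc_key, ENC_KEY_HEX[enc_alg]):
            problems.append(f"{enc_alg} key must be {ENC_KEY_HEX[enc_alg]} hex chars")
        if iv is not None and _bad_hex(iv, IV_HEX[enc_alg]):  # IV is optional
            problems.append(f"{enc_alg} IV must be {IV_HEX[enc_alg]} hex chars")
    if auth_alg in AUTH_KEY_HEX and _bad_hex(auth_key, AUTH_KEY_HEX[auth_alg]):
        problems.append(f"{auth_alg} key must be {AUTH_KEY_HEX[auth_alg]} hex chars")
    legacy = [a for a in (enc_alg, auth_alg) if a in ("DES", "MD5")]
    if legacy:  # DES and MD5 are deprecated; accept them only knowingly
        problems.append("warning: legacy algorithm(s): " + ", ".join(legacy))
    return problems
```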

IKE

If IKE is selected, configure the following:
  1. IKE Phase 1 Configuration Part 1 - Select the authentication method: X.509 Certificate based authentication, defined by selecting certificates, or a Pre-shared Key.
    • For X.509 Certificate, select the Local Device Certificate and Remote Certificate Trust Point from the list of certificates stored on the device. Certificates that have not been previously configured may need to be set up for use with IPsec.
    • If Pre-shared Key is selected, the pass phrase entered can be at most 128 characters, cannot be blank, and cannot contain the following special characters:
      " ' & ? + = < > ;
  2. IKE Phase 1 Configuration Part 2
    • Select IPsec encryption/hash Authentication Transforms for use during IPsec protocol negotiation. A transform describes a security protocol with its corresponding algorithms. At least one transform is required.
    • The DH Group displays the default, Group 2 (1024-bit MODP). This setting cannot be modified.
    • Specify the Key Lifetime. The default setting is 28800 seconds (8 hours). Key Lifetime can be specified in kilobytes (KB) or seconds: a lifetime in kilobytes expires after that amount of network traffic has been sent under the policy, and a lifetime in seconds expires that long after the policy is first connected to. Key Lifetime must be at least 12 seconds or 2560 KB.
  3. IKE Phase 2 Configuration
    • IPsec Mode - Select Tunnel or Transport. The default setting is Transport. If Tunnel Mode is selected, enter the Remote Tunnel Address in the provided field. Remote Tunnel Address can be at most 40 characters.
    • Select the IPsec encryption/hash pair SA Proposal Protocols for use during IPsec protocol negotiation. Choose None, ESP+AH, ESP, or AH. A proposal is a hashing and encryption method that this device offers to another device connecting to it during the setup of an encrypted session. At least one of these proposals must match a proposal of the device that is attempting to connect, or no connection will be made. The default setting is None. At least one proposal is required.
      • For ESP+AH, select IPsec Encryption Algorithms to provide confidentiality and Hash Algorithms for authentication and integrity. Encryption Algorithms you can select include Advanced Encryption Standard CBC (AES-CBC, 128-bit), Triple Data Encryption Standard (3DES), and Data Encryption Standard (DES). Hash Algorithms you can select include SHA1 and MD5. At least one encryption algorithm and at least one hash algorithm are required.
      • For ESP, in addition to the algorithms supported for ESP+AH, you can select Null Encryption Algorithm and None for Hash Algorithm. At least one encryption algorithm and at least one hash algorithm are required, and the combination of Null and None is not valid.
      • For AH, Hash Algorithms you can select include SHA1 and MD5. At least one hash algorithm is required.
    • Select the DH Group. Choose None or Group 2 (1024-bit MODP). Diffie-Hellman (DH) groups determine the length of the prime modulus used during the key exchange. The cryptographic strength of any derived key depends, in part, on the strength of the DH Group on which that prime is based. Group 2 provides 1024 bits of keying strength.
    • Specify the Key Lifetime. The default setting is 3600 seconds (1 hour). Key Lifetime must be at least 12 seconds or 2560 KB.
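The following Python check is an added example, not part of this help page or of the device firmware. It applies the IKE rules above (Pre-shared Key length and characters, Key Lifetime minimums, the per-protocol Phase 2 algorithm rules) and computes which Phase 2 proposals two peers have in common, which is what decides whether a connection is made. The (protocol, encryption, hash) tuple representation and the function names are assumptions of this example.

```python
PSK_FORBIDDEN = set('"\'&?+=<>;')           # this page's pass-phrase rule
MIN_LIFETIME = {"seconds": 12, "KB": 2560}  # this page's Key Lifetime minimums
ENC_ALGS = {"AES-CBC", "3DES", "DES"}
HASH_ALGS = {"SHA1", "MD5"}

def validate_psk(psk):
    """Problems with a Pre-shared Key; an empty list means valid."""
    problems = []
    if not psk:
        problems.append("Pre-shared Key cannot be blank")
    if len(psk) > 128:
        problems.append("Pre-shared Key exceeds 128 characters")
    bad = sorted({c for c in psk if c in PSK_FORBIDDEN})
    if bad:
        problems.append("forbidden characters: " + "".join(bad))
    return problems

def validate_lifetime(value, unit):
    """Key Lifetime must be at least 12 seconds or 2560 KB."""
    if unit not in MIN_LIFETIME:
        return [f"unknown unit {unit!r}"]
    if value < MIN_LIFETIME[unit]:
        return [f"Key Lifetime must be at least {MIN_LIFETIME[unit]} {unit}"]
    return []

def validate_proposal(protocol, enc, hash_alg):
    """Check one (protocol, encryption, hash) proposal against the page's rules."""
    problems = []
    if protocol == "AH":  # AH authenticates only; no encryption algorithm
        if enc is not None:
            problems.append("AH takes no encryption algorithm")
        if hash_alg not in HASH_ALGS:
            problems.append("AH needs SHA1 or MD5")
    elif protocol == "ESP":  # ESP additionally allows Null/None, but not both
        if enc not in ENC_ALGS | {"Null"} or hash_alg not in HASH_ALGS | {"None"}:
            problems.append("unsupported ESP algorithm")
        if enc == "Null" and hash_alg == "None":
            problems.append("Null encryption with no hash is not valid")
    elif protocol == "ESP+AH":
        if enc not in ENC_ALGS or hash_alg not in HASH_ALGS:
            problems.append("ESP+AH needs AES-CBC/3DES/DES and SHA1/MD5")
    else:
        problems.append(f"unknown protocol {protocol!r}")
    return problems

def matching_proposals(local, peer):
    """Proposals both peers offer, in local order; empty means no SA is possible."""
    peer_set = set(peer)
    return [p for p in local if p in peer_set]
```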

Modifying IPsec Actions

To view or modify an action, click the Name of the action. You can sort the list of actions by Name or Description by clicking the column titles.

Deleting IPsec Actions

To delete an action, select the check box next to the action you want to delete, and then click Delete Action at the bottom of the page. Any action that is being used in an IPsec Policy cannot be deleted.

10 actions display per page. Navigate through multiple pages to locate an action by clicking the left or right arrows, or click the drop-down box to select a particular page to display.

Note: Access to the IPsec configuration pages in CentreWare IS can be restricted by the passwords and feature authorization settings on the Administrative Security Settings page. See the Administrative Security Settings Help for more information.

COPYRIGHT © 2014 Xerox Corporation. All Rights Reserved.