This option displays all the Protocol Groups saved and the details of each Protocol Group.
1. From the IP Sec page, click on the [Protocol Groups] tab under IPsec heading.
2. Protocol Groups can be deleted by highlighting a Protocol Group in the IP Protocol Groups area and clicking on the [Delete] button. If the Protocol Group selected is not being used by a security policy, then click on the [OK] button.
3. To add or edit a Protocol Group in the IP Protocol Groups area click on either the [Add New Protocol Group] button or highlight a Protocol Group and click on the [Edit] button.
Note: If you change the name of a Protocol Group that is being used in a security policy, the updated protocol group name will also be reflected in the security policy entry.
a. In the IP Protocol Group Details area, enter the name of the protocol group in the [Group Name] field.
b. Enter a description for this protocol group in the [Description] field.
c. Check the required services checkboxes for this protocol group under [Service Name].
4. In the Custom Protocol area:
a. Check the corresponding checkboxes to select or deselect a custom protocol. Enter details in the [Service Name] field.
b. From the [Protocol] drop-down menu select the protocol type.
c. Enter the port number in the [Port] field.
d. From the [Device is] drop-down menu, select either [Server] or [Client].
Note: The Service Name, Protocol Type, Port Number and Device is fields for a Custom Protocol will be disabled when its associated checkbox is unchecked.
5. Click on the [Save] button to return to the IPSec page.
Actions
This option displays the list of actions associated with the IPsec security policies. You can view and manage IP actions that can be used in the security policies.
1. From the IP Sec page, click on the [Actions] tab under IPsec heading.
2. To delete an Action, highlight an Action in the IP Actions area and click on the [Delete] button. If the Action selected is not being used by a security policy, then click on the [OK] button.
3. To add or edit an Action, in the IP Protocol Group area:
a. Click either on the [Add New Action] button to add a new Action or highlight an Action and click on the [Edit] button to edit details of an Action.
Note: If you change the name of an Action that is being used in a security policy, the updated action name will also change in the security policy entry.
4. Step 1 of 2 page displays, in the IP Action Details area:
a. Enter a name for this IP Action in the [Action Name] field.
b. Enter a description for this IP Action in the [Description] field.
5. In the Keying Method area:
a. Select a Keying Method. This will specify the type of authentication used in an IP Sec policy.
Select one of the following:
• Manual Keying - this method is used if client devices are not configured for, or do not support, IKE.
• Internet Key Exchange (IKE) - this is a keying protocol that works on top of IPsec. IKE offers a number of benefits including: automatic negotiation and authentication; anti-replay services; certification authority (CA) support; and the ability to change encryption keys during an IPsec session. Generally, IKE is used as part of virtual private networking.
• X.509 Certificate (Local Certificate) - this is a public key certificate.
• Trusted Root Certificate.
• Pre-shared Key Passphrase - the use of pre-shared key authentication is not recommended because it is a relatively weak authentication method.
b. If you select [Internet Key Exchange (IKE)], enter the pre-shared key passphrase in the [Pre-shared Key Passphrase] field.
Note: Only one Action may be created when selecting the Internet Key Exchange (IKE) Keying Method.
6. Click on the [Next] button to display the Step 2 of 2 screen.
If you Selected Manual Keying as the Keying Method:
1. In the Mode Selections area, select one of the [IPsec Mode] options from the drop-down menu:
• Transport Mode - this is the default Mode for IP Sec. This only encrypts the IP payload.
• Tunnel Mode - this mode encrypts the IP header and the payload. It provides protection on an entire IP packet by treating it as an AH (Authentication Header) or ESP (Encapsulating Security Payload) payload. When this mode is selected, you have the option of specifying a host IP Address.
2. In the Security Selections area, select the preferred option and enter the required information.
3. Click on the [Save] button to return to the IP Sec - Action page.
If you Selected Internet Key Exchange (IKE) as the Keying Method:
IKE Phase 1 authenticates the IPSec peers and sets up a secure channel between the peers to enable IKE exchanges.
IKE Phase 2 negotiates the IPsec security associations (SAs) used to set up the IPsec tunnel.
1. In the IKE Phase 1 area:
a. For [Key Lifetime], enter the length of time that this key will live, either in seconds, minutes or hours.
b. Select the required option from the [DH Group] drop-down menu. Choose one of the following:
• DH Group 2 - which provides a 1024 bit Modular Exponential (MODP) keying strength.
• DH Group 14 - which provides a 2048 bit MODP keying strength. Diffie-Hellman (DH) is a public-key cryptography scheme that allows two parties to establish a shared secret over an insecure communications channel. It is also used within IKE to establish session keys.
c. For Hash - Encryption, check the required checkboxes:
• SHA1 (Secure Hash Algorithm 1) and MD5 (Message Digest 5) are one-way hashing algorithms used to authenticate packet data. Both produce a 128-bit hash. The SHA1 algorithm is generally considered stronger but slower than MD5. Select MD5 for better encryption speed, and SHA1 for better security.
• 3DES (Triple-Data Encryption Standard) is a variation on DES that uses a 168-bit key. As a result, 3DES is more secure than DES. It also requires more processing power, resulting in increased latency and decreased throughput.
• AES (Advanced Encryption Standard) is a more secure method compared to 3DES.
2. In the IKE Phase 2 area:
a. Select from the [IPSec Mode] drop-down menu one of the following:
• Transport Mode - this provides a secure connection between two endpoints as it encapsulates the IP payload, while Tunnel Mode encapsulates the entire IP packet.
• Tunnel Mode - this provides a virtual ‘secure hop’ between two gateways. It is used to form a traditional VPN, where the tunnel generally creates a secure tunnel across an untrusted Internet.
b. If you select [Tunnel Mode], then select either [Disabled], [IPv4 Address] or [IPv6 Address].
c. If you select IPv4 Address or IPv6 Address, enter IP Address details.
d. From the [IPsec Security] drop-down menu, select either, Both, ESP or AH.
AH (Authentication Header) and ESP (Encapsulating Security Payload) are the two main wire-level protocols used by IPsec, and they authenticate (AH) and encrypt and authenticate (ESP) the data flowing over that connection. They can be used independently or together.
e. For [Key Lifetime], enter the length of time that this key will be valid for, either in seconds, minutes or hours.
f. Select the preferred option from the [Perfect Forward Secrecy] drop-down menu. The default is ‘None’.
g. Check the required checkboxes for [Hash] and [Encryption].
Hash refers to the authentication mode, which calculates an Integrity Check Value (ICV) over the packet's contents. This is built on top of a cryptographic hash (MD5 or SHA1).
Encryption uses a secret key to encrypt the data before transmission. This hides the contents of the packet from eavesdroppers. Algorithm choices are AES and 3DES.
Note: Encryption will not be shown if [IPsec Security] is set to AH.
3. Click on the [Save] button to return to the IPSec - Action page.
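As an added example (not part of the manual or the device's own software), the following script models an IP Action with the Phase 1 and Phase 2 fields described above and audits it for the choices the manual itself flags as weaker: MD5 over SHA1, 3DES over AES, DH Group 2 over DH Group 14, AH-only (no encryption), Manual Keying, and Perfect Forward Secrecy left at its default of None. The field names, the `IpAction` class and the 24-hour lifetime threshold are assumptions of this example, not values from the device.

```python
# Added example: audit an IPsec Action as configured on the Actions tab.
# Field names mirror the manual's UI labels; the checks and thresholds are
# this example's own assumptions, not settings enforced by the device.
from dataclasses import dataclass, field

LIFETIME_UNITS = {"seconds": 1, "minutes": 60, "hours": 3600}


@dataclass
class IpAction:
    name: str
    keying_method: str                 # "Manual Keying" or "Internet Key Exchange (IKE)"
    dh_group: int = 14                 # Phase 1 [DH Group]: 2 or 14
    phase1_hash: set = field(default_factory=set)        # subset of {"SHA1", "MD5"}
    phase1_encryption: set = field(default_factory=set)  # subset of {"AES", "3DES"}
    ipsec_security: str = "ESP"        # Phase 2 [IPsec Security]: "Both", "ESP" or "AH"
    pfs: str = "None"                  # Phase 2 [Perfect Forward Secrecy], default None
    phase2_hash: set = field(default_factory=set)
    phase2_encryption: set = field(default_factory=set)
    key_lifetime: int = 8              # [Key Lifetime] value ...
    key_lifetime_unit: str = "hours"   # ... and its unit (seconds, minutes or hours)


def lifetime_seconds(action: IpAction) -> int:
    """Normalise the [Key Lifetime] value and unit to seconds."""
    return action.key_lifetime * LIFETIME_UNITS[action.key_lifetime_unit]


def audit_action(action: IpAction) -> list:
    """Return a list of findings; an empty list means nothing weak was selected."""
    findings = []
    if action.keying_method == "Manual Keying":
        findings.append("Manual Keying: no automatic rekeying or anti-replay from IKE")
    if action.dh_group == 2:
        findings.append("DH Group 2 (1024-bit MODP) selected; prefer DH Group 14")
    if "MD5" in action.phase1_hash | action.phase2_hash:
        findings.append("MD5 enabled; the manual recommends SHA1 for better security")
    if "3DES" in action.phase1_encryption | action.phase2_encryption:
        findings.append("3DES enabled; AES is the more secure option")
    if action.ipsec_security == "AH":
        findings.append("AH only: packets are authenticated but not encrypted")
    if action.keying_method != "Manual Keying" and action.pfs == "None":
        findings.append("Perfect Forward Secrecy is None (the default)")
    if lifetime_seconds(action) > 24 * 3600:   # assumed threshold for this example
        findings.append("key lifetime exceeds 24 hours")
    return findings
```

Feed it the values shown on the Step 2 of 2 screen for each Action to get a quick list of which of the manual's weaker options are still selected.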