[IPsec] Setting IPsec
Article ID: ART139674 | Date published: 05/13/2015 | Date last updated: 08/17/2015
 

Description

[IPsec] Setting IPsec

Solution


(1) [IPsec] - Key settings for use with IPsec can be selected as [Auto Key Exchange] or [Manual].

(1) [IPsec SA Encryption Algorithm] - Set the IPsec SA encryption algorithm to [AES->3DES], [AES->3DES->DES] or [AES->3DES->DES->NULL].

The algorithms in the selected list are checked from left to right until an applicable encryption algorithm is found.

(2) [IPsec SA Authentication Algorithm] - Set the IPsec SA authentication algorithm to [HMAC_SHA1_96] or [HMAC_SHA1_96->HMAC_MD5_96].

The algorithms in the selected list are checked from left to right until an applicable authentication algorithm is found.

(3) [IPsec SA Validity Period (min)] - Set the duration of validity for IPsec SA (factory default setting is [480]).

(4) [ISAKMP SA Encryption Algorithm] - Set the SA encryption algorithm for use with auto key exchange protocol IKE to [AES->3DES] or [AES->3DES->DES].

(5) [ISAKMP SA Authentication Algorithm] - Set the SA authentication algorithm for use with auto key exchange protocol IKE to [SHA1] or [SHA1->MD5].

(6) [DH Group] - Select [Group 2] or [Group 2->Group 1] for the key generation information that will be used in the DH algorithm for key exchange via auto key exchange protocol IKE.

(7) [ISAKMP SA Validity Period (min)] - Set the duration of validity for ISAKMP SA (factory default setting is [480]).

 

IPsec Set (Auto Key Exchange)

IPsec Sets 1 to 5 are available, and you can specify IPsec settings for one communication device for each IPsec Set.

(1) [IPsec Set] - Set IPsec Set to [Disable], [Enable in IPv4] or [Enable in IPv6].

(2) [IPsec Mode] - Set IPsec mode to [Tunnel Mode] or [Transport Mode].

(3) [Destination IPv4 Address], [Destination IPv6 Address] - Enter the IP address of the connection destination.

(4) [Source IPv4 Address], [Source IPv6 Address] - Enter the IP address of the source.

(5) [Security Protocol] - Set the IPsec protocol to [ESP], [AH] or [ESP and AH]. If [ESP] is selected, enter only the setting items relating to ESP. If [AH] is selected, enter only the setting items relating to AH. If [ESP and AH] is selected, enter all setting items.

(6) [Security Gateway IPv4 Address], [Security Gateway IPv6 Address] - If IPsec mode is set to [Tunnel Mode] in (2), set the IP address of the security gateway.

(7) [Destination Subnet Mask Length] (IPv4), [Destination Prefix Length] (IPv6) - This setting is required only if IPsec mode is set to [Tunnel Mode] in (2). If IPv6 is used, enter a desired prefix length for the connection destination in the range of 16 to 128. If IPv4 is used, enter a desired length in the range of 1 to 32.

(8) [IKE Pre-Shared Key] - Enter the pre-shared key for IKE (auto key exchange) (up to 127 characters).

Important

If the camera is rebooted during auto key exchange communication, a connection error may result after rebooting. In this case, connect again.

Note

If auto key exchange is used, it will take approximately 5 to 10 seconds before communication with the camera starts.

 

IPsec Set (Manual)

IPsec Sets 1 to 5 are available, and you can specify IPsec settings for one communication device for each IPsec Set.

(1) [IPsec Set] - Set IPsec Set to [Disable], [Enable in IPv4] or [Enable in IPv6].

(2) [IPsec Mode] - Set IPsec mode to [Tunnel Mode] or [Transport Mode].

(3) [Destination IPv4 Address], [Destination IPv6 Address] - Enter the IP address of the connection destination.

(4) [Source IPv4 Address], [Source IPv6 Address] - Enter the IP address of the source.

(5) [Security Protocol] - Set the IPsec protocol to [ESP], [AH] or [ESP and AH]. If [ESP] is selected, enter only the setting items relating to ESP. If [AH] is selected, enter only the setting items relating to AH. If [ESP and AH] is selected, enter all setting items.

(6) [Security Gateway IPv4 Address], [Security Gateway IPv6 Address] - If [IPsec Mode] is set to [Tunnel Mode] in (2), set the IP address of the security gateway.

(7) [Destination Subnet Mask Length] (IPv4), [Destination Prefix Length] (IPv6) - This setting is required only if [IPsec Mode] is set to [Tunnel Mode] in (2). If IPv6 is used, enter a desired prefix length for the connection destination in the range of 16 to 128. If IPv4 is used, enter a desired length in the range of 1 to 32.

  • If [Security Protocol] is set to [ESP] or [ESP and AH] in (5), (8) [SA ESP Encryption Algorithm] to (15) [SA ESP SPI (inbound)] must be set.

(8) [SA ESP Encryption Algorithm] - Set the ESP encryption algorithm to [AES], [3DES], [DES] or [NULL] according to the encryption algorithm supported by the device to connect to. Normally [AES] or [3DES] is recommended.

(9) [SA ESP Authentication Algorithm] - Set the ESP authentication algorithm to [HMAC_SHA1_96], [HMAC_MD5_96] or [No Authentication] according to the authentication algorithm supported by the device to connect to. If [ESP] is used alone, [No Authentication] cannot be selected.

(10) [SA ESP Encryption Key (outbound)] - Set the SA encryption key for outbound. If [AES], [3DES] or [DES] was selected in (8), set a 128-bit, 192-bit or 64-bit hexadecimal, respectively. This item need not be set if [NULL] was selected.

(11) [SA ESP Authentication Key (outbound)] - Set the SA authentication key for outbound. If [HMAC_SHA1_96] or [HMAC_MD5_96] was selected in (9), set a 160-bit or 128-bit hexadecimal, respectively. This item need not be set if [No Authentication] was selected.

(12) [SA ESP SPI (outbound)] - Set the SA SPI value for outbound. Set a desired value in the range of 256 to 4294967295.

(13) [SA ESP Encryption Key (inbound)] - Set the SA encryption key for inbound. If [AES], [3DES] or [DES] was selected in (8), set a 128-bit, 192-bit or 64-bit hexadecimal, respectively. This item need not be set if [NULL] was selected.

(14) [SA ESP Authentication Key (inbound)] - Set the SA authentication key for inbound. If [HMAC_SHA1_96] or [HMAC_MD5_96] was selected in (9), set a 160-bit or 128-bit hexadecimal, respectively. This item need not be set if [No Authentication] was selected.

(15) [SA ESP SPI (inbound)] - Set the SA SPI value for inbound. Set a desired value in the range of 256 to 4294967295. Since this setting is used as an ID for identifying the SA, be careful not to specify an inbound SPI whose value is already used in the SPI for another ESP.

  • If [Security Protocol] was set to [AH] or [ESP and AH] in (5), (16) [SA AH Authentication Algorithm] to (20) [SA AH SPI (inbound)] must be set.

(16) [SA AH Authentication Algorithm] - Set the AH authentication algorithm to [HMAC_SHA1_96] or [HMAC_MD5_96] according to the authentication algorithm supported by the device to connect to.

(17) [SA AH Authentication Key (outbound)] - Set the SA authentication key for outbound. If [HMAC_SHA1_96] or [HMAC_MD5_96] was selected in (16), set a 160-bit or 128-bit hexadecimal, respectively.

(18) [SA AH SPI (outbound)] - Set the SA SPI value for outbound. Set a desired value in the range of 256 to 4294967295.

(19) [SA AH Authentication Key (inbound)] - Set the SA authentication key for inbound. If [HMAC_SHA1_96] or [HMAC_MD5_96] was selected in (16), set a 160-bit or 128-bit hexadecimal, respectively.

(20) [SA AH SPI (inbound)] - Set the SA SPI value for inbound. Set a desired value in the range of 256 to 4294967295. Since this setting is used as an ID for identifying the SA, be careful not to specify an inbound SPI whose value is already used in the SPI for another AH.
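The manual ESP rules in (8) to (15) can be checked before the values are typed into the camera and the peer device. The following is an added example, not Canon code: the dictionary field names (`enc_alg`, `spi_in`, and so on) and the function names are hypothetical, and the sample sets are constructed.

```python
import secrets
import string

# Key sizes in bits as stated in items (10)/(13) and (11)/(14); 0 = no key needed.
ENC_BITS = {"AES": 128, "3DES": 192, "DES": 64, "NULL": 0}
AUTH_BITS = {"HMAC_SHA1_96": 160, "HMAC_MD5_96": 128, "No Authentication": 0}
SPI_MIN, SPI_MAX = 256, 4294967295  # range given in items (12) and (15)

def new_hex_key(bits):
    """Generate a random key of the given size as a hexadecimal string."""
    return secrets.token_hex(bits // 8)

def is_hex_key(value, bits):
    """True if value is a hexadecimal string of exactly `bits` bits."""
    return (isinstance(value, str) and len(value) * 4 == bits
            and all(c in string.hexdigits for c in value))

def validate_esp(cfg, protocol="ESP", other_inbound_spis=()):
    """Return a list of rule violations for one manual ESP setting (hypothetical layout)."""
    enc_bits = ENC_BITS.get(cfg["enc_alg"])
    auth_bits = AUTH_BITS.get(cfg["auth_alg"])
    if enc_bits is None or auth_bits is None:
        return ["unknown algorithm name"]
    errors = []
    if protocol == "ESP" and cfg["auth_alg"] == "No Authentication":
        errors.append("auth_alg: [No Authentication] cannot be selected if ESP is used alone")
    for d in ("out", "in"):
        if enc_bits and not is_hex_key(cfg.get(f"enc_key_{d}"), enc_bits):
            errors.append(f"enc_key_{d}: need a {enc_bits}-bit hexadecimal")
        if auth_bits and not is_hex_key(cfg.get(f"auth_key_{d}"), auth_bits):
            errors.append(f"auth_key_{d}: need a {auth_bits}-bit hexadecimal")
        spi = cfg.get(f"spi_{d}")
        if not (isinstance(spi, int) and SPI_MIN <= spi <= SPI_MAX):
            errors.append(f"spi_{d}: must be in the range {SPI_MIN} to {SPI_MAX}")
    if cfg.get("spi_in") in other_inbound_spis:
        errors.append("spi_in: already used as the inbound SPI of another ESP")
    return errors

# Constructed sample: AES with HMAC_SHA1_96 and freshly generated keys.
GOOD = {
    "enc_alg": "AES", "auth_alg": "HMAC_SHA1_96",
    "enc_key_out": new_hex_key(128), "auth_key_out": new_hex_key(160), "spi_out": 4096,
    "enc_key_in": new_hex_key(128), "auth_key_in": new_hex_key(160), "spi_in": 4097,
}
# Constructed faulty sample: 128-bit keys under 3DES, no authentication, SPI below 256.
BAD = dict(GOOD, enc_alg="3DES", auth_alg="No Authentication", spi_out=255)

if __name__ == "__main__":
    print(validate_esp(GOOD))
    for err in validate_esp(BAD, other_inbound_spis={4097}):
        print(err)
```

The same key values must be entered on the peer device with the directions swapped: the camera's outbound key and SPI are the peer's inbound ones.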

Important

  • To run this camera with IPsec, the communicating devices and network must be set beforehand. Contact your System Administrator for these settings.

  • When connecting with IPsec, set the camera IP address manually. For IPv4 addresses, use addresses set with [Network] > [IPv4 Address Setting Method] > [Manual]. For IPv6 addresses, use addresses set with [Network] > [IPv6 Address (Manual)].

  • If any setting is changed from the [IPsec] menu, the camera may become inaccessible from the active web browser. Check beforehand the precautions in "Important" in "[Reboot Item] Setting Items Requiring Rebooting".

Note

If IPsec is used, video transmission performance drops.