● IPSec supports communication to a unicast address (or a single device).
● The machine cannot use both IPSec and DHCPv6 at the same time.
● IPSec is unavailable in networks in which NAT or IP masquerade is implemented.
◼ Registration of Keys and Certificates
● A certificate and key that can be generated by the machine conform to X.509v3. If you install a key or CA certificate from a computer, make sure that they meet the following requirements:

Format:
  ● Key: PKCS#12 *1
  ● CA certificate: X.509v1 or X.509v3, DER (encoded binary), PEM
File extension:
  ● Key: ".p12" or ".pfx"
  ● CA certificate: ".cer" or ".pem"
Public key algorithm (and key length): RSA (512 bits, 1024 bits, 2048 bits, or 4096 bits), ECDSA (P256, P384, P521)
Certificate signature algorithm: SHA1-RSA, SHA256-RSA, SHA384-RSA *2, SHA512-RSA *2, MD5-RSA, MD2-RSA, SHA1-ECDSA, SHA256-ECDSA, SHA384-ECDSA, or SHA512-ECDSA
Certificate thumbprint algorithm: SHA1

*1 Requirements for the certificate contained in a key are pursuant to CA certificates.
*2 SHA384-RSA and SHA512-RSA are available only when the RSA key length is 1024 bits or more.

● The machine does not support use of a certificate revocation list (CRL).

◼ Definition of "Weak Encryption"
When <Prohibit Use of Weak Encrypt.> is set to <On>, the use of the following algorithms is prohibited.

Hash: MD4, MD5, SHA-1
HMAC: HMAC-MD5
Common key cryptosystem: RC2, RC4, DES
Public key cryptosystem: RSA encryption (512 bits/1024 bits), RSA signature (512 bits/1024 bits), DSA (512 bits/1024 bits), DH (512 bits/1024 bits)

● Even when <Prohibit Weak Encryp. Key/Cert.> is set to <On>, the hash algorithm SHA-1, which is used for signing a root certificate, can be used.
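A pre-install check built from the certificate requirements and the "Weak Encryption" definition on this page, as an added example that is not part of the manual or the machine's firmware: it reads the text printed by `openssl x509 -noout -text` and reports which install requirements a certificate misses and which weak-encryption entries it would hit. The OpenSSL algorithm names, the self-signed test for "root certificate", and applying footnote *2 to the certificate's own RSA key are assumptions of this example.

```python
import re

# OpenSSL names for the page's signature algorithms (the mapping is an assumption).
SIG_ALGS = {"md2WithRSAEncryption": "MD2", "md5WithRSAEncryption": "MD5",
            "sha1WithRSAEncryption": "SHA-1", "sha256WithRSAEncryption": "SHA-256",
            "sha384WithRSAEncryption": "SHA-384", "sha512WithRSAEncryption": "SHA-512",
            "ecdsa-with-SHA1": "SHA-1", "ecdsa-with-SHA256": "SHA-256",
            "ecdsa-with-SHA384": "SHA-384", "ecdsa-with-SHA512": "SHA-512"}
KEY_BITS = {"rsaEncryption": {512, 1024, 2048, 4096},  # RSA lengths in the table
            "id-ecPublicKey": {256, 384, 521}}         # P256, P384, P521
WEAK_HASHES, WEAK_RSA_BITS = {"MD4", "MD5", "SHA-1"}, {512, 1024}

def field(pattern, text):
    m = re.search(pattern, text, re.MULTILINE)
    return m.group(1).strip() if m else None

def check_certificate(text):
    """Return (install_problems, weak_findings) for one certificate dump."""
    sig = field(r"Signature Algorithm:\s*(\S+)", text)
    key_alg = field(r"Public Key Algorithm:\s*(\S+)", text)
    bits = int(field(r"Public-Key:\s*\((\d+) bit\)", text) or 0)
    # Assumption: issuer == subject (self-signed) marks a root certificate.
    is_root = field(r"^\s*Issuer:\s*(.+)$", text) == field(r"^\s*Subject:\s*(.+)$", text)
    problems, weak = [], []
    if sig not in SIG_ALGS:
        problems.append(f"signature algorithm {sig} not supported")
    if bits not in KEY_BITS.get(key_alg, set()):
        problems.append(f"public key {key_alg} ({bits} bits) not supported")
    # Footnote *2, applied to the certificate's own RSA key (assumption).
    if sig in ("sha384WithRSAEncryption", "sha512WithRSAEncryption") and bits < 1024:
        problems.append(f"{sig} needs an RSA key of 1024 bits or more")
    digest = SIG_ALGS.get(sig)
    if digest in WEAK_HASHES and not (digest == "SHA-1" and is_root):  # root SHA-1 exception
        weak.append(f"{digest} signature hash")
    if key_alg == "rsaEncryption" and bits in WEAK_RSA_BITS:
        weak.append(f"RSA {bits}-bit key")
    return problems, weak

# Constructed sample dumps, trimmed to the fields the parser reads.
LEAF = """Signature Algorithm: sha1WithRSAEncryption
Issuer: CN = Example Issuing CA
Subject: CN = printer.example.test
Public Key Algorithm: rsaEncryption
Public-Key: (1024 bit)"""
ROOT = """Signature Algorithm: sha1WithRSAEncryption
Issuer: CN = Example Root CA
Subject: CN = Example Root CA
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)"""
```

MD2-RSA is not reported as weak here because MD2 does not appear in the page's list of prohibited hashes.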