Xerox ColorQube 9201 System Administrator Manual page 167

IKE Phase 2 negotiates IP Secs System Administrator to set up the IP Sec tunnel.
1. In the IKE Phase 1 area:
a. For [Key Lifetime] enter length of time that this key will live, either in seconds, minutes or
hours.
b. Select required option from the [DH Group] drop-down menu, choose one of following:
• DH Group 2 - which provides a 1024 bit Modular Exponential (MODP) keying strength.
• DH Group 14, which provides a 2048 bit MODP keying strength. Diffie-Hellman (DH) is a
public-key cryptography scheme that allows two parties to establish a shared secret over
an insecure communications channel. It is also used within IKE to establish session keys.
c. For Hash - Encryption, check the required checkboxes:
• SHA1 (Secure Hash Algorithm 1) and MD5 (Message Digest 5) are one-way hashing
algorithms used to authenticate packet data. Both produce a 128-bit hash. The SHA1
algorithm is generally considered stronger but slower than MD5. Select MD5 for better
encryption speed, and SHA1 for better security.
3DES (Triple-Data Encryption Standard) is a variation on DES that uses a 168-bit key. As
•
a result, 3DES is more secure than DES. It also requires more processing power, resulting
in increased latency and decreased throughput.
• AES (Advanced Encryption Standard) is a more secure method compared to 3DES.
2. In the IKE Phase 2 area:
a. Select from the [IPSec Mode] drop-down menu one of the following:
• Transport Mode: This provides a secure connection between two endpoints as it
encapsulates the IP payload, while Tunnel Mode encapsulates the entire IP packet.
• Tunnel Mode: This provides a virtual 'secure hop' between two gateways. It is used to
form a traditional VPN, where the tunnel generally creates a secure tunnel across an
untrusted Internet.
b. If you select [Tunnel Mode], then select either [Disabled], [IPv4 Address] or [IPv6 Address].
c. If you select IPv4 Address or IPv6 Address, enter IP Address details.
From the [IPsec Security] drop-down menu, select either, Both, ESP or AH.
d.
AH (Authentication Header) and ESP (Encapsulating Security Payload) are the two main
wire-level protocols used by IPsec, and they authenticate (AH) and encrypt and authenticate
(ESP) the data flowing over that connection. They can be used independently or together.
e. For [Key Lifetime] enter length of time that this key will be valid for, either in seconds,
minutes or hours.
f. Select the preferred option from the [Perfect Forward Secrecy] drop-down menu. Default is
'None'.
g. Check the required checkboxes for [Hash] and [Encryption].
Hash refers to the authentication mode, which calculates an Integrity Check Value (ICV) over
the packet's contents. This is built on top of a cryptographic hash (MD5 or SHA1).
Encryption uses a secret key to encrypt the data before transmission. This hides the contents
of the packet from eavesdroppers. Algorithm choices are AES and 3DES.
Encryption will not be shown if [IPsec Security] is set to AH.
Note:
3. Click on the [Save] button to return to the IP Sec - Action page.
Xerox ColorQube™ 9201/9202/9203
System Administrator Guide
Security
159