Kyocera Command Center RX User Manual

Network Settings

70

Embedded Web Server

Prefix Length: When IPv6 is selected for IP Version, this specifies the prefix
length of the hosts or network with which the print system is connecting via IPSec.
If this field is blank, the specified addresses are considered to be host addresses.
Remote Peer Address: If Tunnel is selected in Encapsulation Mode, assign an
IP address that is remotely controlled.

3. Authentication: Configures the local side authentication when IKEv1 is selected

as Key Management Type. To set a character string as the shared key and use it
for communication, select Pre-shared Key and enter the string of the pre-shared
key in the text box. To use the CA-issued Device Certification or Root Certificate,
select the Certificates. When Certificates is selected, the availability of the
device certificate is shown. To make advanced settings, click Settings button and
select a certificate. Configure the device certificate on the Certificates page of
Security Settings.
Configures the local side and remote side authentication when IKEv2 is selected
as Key Management Type. Configure Authentication Type, Local ID Type,
Local ID, Devoce Certificate and Pre-shared Key on Local Side, and Authenti-
cation Type, Remote ID Type, Remote ID and Pre-shared Key on Remote Side.

4. Key Exchange (IKE phase1): When using IKE phase1, a secure connection with

the other end is established by generating ISAKMP SAs. Configure the following
items so that they meet the requirement of the other end.
Mode: Configures this item when IKEv1 is selected as Key Management Type.
Main Mode protects identifications but requires more messages to be exchanged
with the other end. Aggressive Mode requires fewer messages to be exchanged
with the other end than Main Mode but restricts identification protection and nar-
rows the extent of the parameter negotiations. When Aggressive Mode is
selected and Pre-shared Key is selected for Authentication Type, only host
addresses can be specified for IP addresses of the rule.
Hash: Selects the hash algorithm.
Encryption: Selects the encryption algorithm.
Diffie-Hellman Group: The Diffie-Hellman key-sharing algorithm allows two hosts
on an unsecured network to share a private key securely. Select the Diffie-Hellman
group to use for key sharing.
Lifetime (Time): Specifies the lifetime of an ISAKMP SA in seconds.

5. Data Protection (IKE phase2)

In IKE phase2, IPSec SAs such as ESP or AH are established by using SAs estab-
lished in IKE phase1. Configure the following items so that they meet the require-
ment of the other end.
Protocol: Select ESP or AH for the protocol. ESP protects the privacy and integ-
rity of the packet contents. Select the hash algorithm and encryption algorithm
below. AH protects the integrity of the packet contents using encryption checksum.
When you select AH as Protocols, you cannot use the AES-GCM-128, 192, or
256. Select the hash algorithm below.
Hash: Selects the hash algorithm. When you select AES-GCM-128, 192, or 256
on Encryption, you have to select the AES-GCM-128, 192, or 256 or the AES-
GMAC-128, 192, or 256 corresponding to the same bit.
Encryption: Selects the encryption algorithm. (When ESP is selected under Pro-
tocol.) When you select the AES-GCM-128, 192, or 256 on Hash, you have to
select the AES-GCM-128, 192, or 256 corresponding to the same bit. When you
select the AES-GMAC-128, 192, or 256 on Hash, you have to select the AES-
GCM-128, 192, or 256 corresponding to the same bit. If you do not select any
algorithm, the machine authenticates without encryption.
PFS: When PFS is turned On (enabled), even if a key is decrypted, the decrypted
key cannot be used to decrypt the other keys generated after the decryption. This
improves the safety, but imposes a heavy burden because of more key-generation
processes.
Diffie-Hekkman Group: When PFS is turned On (enabled), select the Diffie-Hekk-
man Group to use.
Lifetime Measurement: Select Time or Time & Data Size.