Examples of IPsec setup on connection pattern
Setup example of IPsec Tunnel mode
*These instructions explain the setup conditions for each IPsec connection pattern (Transport/Tunnel mode) on IPv4 and IPv6, and show examples of IPsec setup on the opposite equipment (VPN router, PC and camera).
These instructions also explain the setup procedure on the PC (Windows XP) for encrypted communication.
Relationship between IPsec connection (Transport/Tunnel mode), opposite equipment and environment
| Environment | Connection pattern | Opposite equipment for IPsec (PC and router) | Setup Example |
|---|---|---|---|
| IPv4 | | Windows XP | |
| | | Yamaha RTX1000 | |
| | | Netscreen-5XT | |
| | | NEC IX1000/IX2000 series | |
| | | Fujitsu Si-R150 | |
| | | Allied Telesis AR450S | |
| | | FURUKAWA ELECTRIC FITELnet-F100 | |
| | | IIJ SEIL neu/2FE | |
| IPv6 | --- | --- | |
| | | NEC IX1000/IX2000 series | |
| | | IIJ SEIL neu/2FE | --- |
- * Connection pattern - A figure shows the setup for each connection pattern on the LAN.
- * Setup Example - The IPsec setup is shown for the opposite equipment (router, PC and camera).
IPsec Transport mode (IPv4)

Items to set on the opposite equipment for IPsec/IKE

| IKE phase 1 | |
|---|---|
| Key Exchange mode | Main mode |
| Pre-shared Key | camera-sample |
| Cipher Algorithm | 3DES-CBC |
| Message-Digest Algorithm | HMAC-SHA-1 |
| MODP Diffie-Hellman Group | Group2 (1,024 bits) |
| Lifetime | 28800 seconds |

| IKE phase 2 | |
|---|---|
| Applied protocol | ESP |
| Cipher Algorithm | 3DES-CBC |
| Message-Digest Algorithm | HMAC-SHA-1-96 |
| PFS | Choose (D-H Group2) |
| Lifetime | 28800 seconds |

| Applied traffic for IPsec (IPsec policy) | |
|---|---|
| Origin IP address | 100.0.0.1 |
| Destination IP address | 200.0.0.253 |
| Protocol | TCP |
| Origin Port No. | ANY |
| Destination Port No. | 80 |

IPsec Tunnel mode (IPv4)

Items to set on the opposite equipment for IPsec/IKE

| IKE phase 1 | |
|---|---|
| Key Exchange mode | Main mode |
| Pre-shared Key | camera-sample |
| Cipher Algorithm | 3DES-CBC |
| Message-Digest Algorithm | HMAC-SHA-1 |
| MODP Diffie-Hellman Group | Group2 (1,024 bits) |
| Lifetime | 28800 seconds |

| IKE phase 2 | |
|---|---|
| Applied protocol | ESP |
| Cipher Algorithm | 3DES-CBC |
| Message-Digest Algorithm | HMAC-SHA-1-96 |
| PFS | Choose (D-H Group2) |
| Lifetime | 28800 seconds |

| Applied traffic for IPsec (IPsec policy) | |
|---|---|
| Origin Network | 100.1.0.0/24 |
| Destination Network | 200.0.0.253/32 |
| Origin IP address | 100.0.0.1 |
| Destination IP address | 200.0.0.253 |
| Protocol | ANY |

IPsec setup example on Yamaha RTX1000
ip route 200.0.0.253 gateway tunnel 1 filter 1 2 100
tunnel select 1
ipsec tunnel 101
ipsec sa policy 101 1 esp 3des-cbc sha-hmac
ipsec ike duration ipsec-sa 1 28800
ipsec ike duration isakmp-sa 1 28800
ipsec ike encryption 1 3des-cbc
ipsec ike group 1 modp1024
ipsec ike hash 1 sha
ipsec ike local address 1 100.0.0.1
ipsec ike local id 1 100.1.0.0/24
ipsec ike negotiate-strictly 1 off
ipsec ike pfs 1 on
ipsec ike pre-shared-key 1 text camera-sample
ipsec ike remote address 1 200.0.0.253
ipsec ike remote id 1 200.0.0.253/32
tunnel enable 1
ip filter 1 reject * * udp * 500
ip filter 2 reject * * esp
ip filter 100 pass * *
ipsec auto refresh on
-------------------------------------------------------------
Note:
IPsec communication over IPv6 is not available with the Yamaha RTX1000.
IPsec setup example on Netscreen-5XT
[VPNs] -> [AutoKey Advanced] -> [P1 Proposal]
Name : IKEP01
Authentication Method: Preshare
DH Group : Group 2
Encryption Algorithm : 3DES-CBC
Hash Algorithm : SHA-1
Lifetime : 28800sec
[VPNs] -> [AutoKey Advanced] -> [P2 Proposal]
Name : SAP01
Perfect Forward Secrecy : DH Group 2
Encapsulation : Encryption (ESP)
Encryption Algorithm : 3DES-CBC
Authentication Algorithm: SHA-1
Lifetime
In Time : 28800sec
In Kbytes : 0Kbytes
[VPNs] -> [AutoKey Advanced] -> [Gateway]
Gateway Name : Camera
Security Level : Custom
Remote Gateway Type : Static IP Address
IP Address/Hostname: 200.0.0.253
Preshared Key : camera-sample
Local ID : 100.0.0.1
Outgoing Interface : untrust
[Advanced]
Security Level : Custom
Phase 1 Proposal: IKEP01
Mode (Initiator) : Main (ID Protection)
[VPNs] -> [Autokey IKE]
VPN Name : Camera
Security Level: Custom
Remote Gateway: Predefined
Predefined : Camera
[Advanced]
Security Level : Custom
Phase 2 Proposal: SAP01
[Objects] -> [Addresses] -> [List]
Address Name : Netscreen
IP Address/Domain Name: 100.1.0.0 / 255.255.255.0
Zone : Trust
[Objects] -> [Addresses] -> [List]
Addresses Name : Camera
IP Address/Domain Name: 200.0.0.253 / 255.255.255.255
Zone : Untrust
[Policies]
From: Trust, To: Untrust
Source Address
Address Book : Netscreen
Destination Book
Address Book : Camera
Service : ANY
Action : Tunnel
Tunnel
VPN : Camera
Modify matching bidirectional VPN policy: Enable
-------------------------------------------------------------
Note:
This is a setup example for the GUI. IPsec communication over IPv6 is not available with the Netscreen-5XT.
IPsec setup example on NEC IX1000/IX2000 series
ike proposal IKEP01 encryption 3des hash sha group 1024-bit lifetime 28800
ipsec autokey-proposal SAP01 esp-3des esp-sha lifetime time 28800
ip access-list LIST permit ip src 100.1.0.0/24 dest 200.0.0.253/32
ike policy PEER peer 200.0.0.253 key camera-sample mode main IKEP01
ike local-id PEER address 100.0.0.1
ike remote-id PEER address 200.0.0.253
ipsec autokey-map TUN LIST peer 200.0.0.253 pfs 1024-bit esp-level require SAP01
ipsec local-id TUN 100.1.0.0/24
ipsec remote-id TUN 200.0.0.253/32
interface Ethernet0.0
ip ufs-cache enable
ipsec policy tunnel TUN
-------------------------------------------------------------
IPsec setup example on Fujitsu Si-R150
ipsec 0 range 100.1.0.0/24 200.0.0.253/32
ipsec 0 path ike 100.0.0.1 200.0.0.253
ipsec 0 encrypt 3des-cbc
ipsec 0 auth hmac-sha1
ipsec 0 pfs modp1024
ipsec 0 lifetime 28800s
ipsec 1 range 200.0.0.253/32 100.1.0.0/24
ipsec 1 path ike 200.0.0.253 100.0.0.1
ipsec 1 encrypt 3des-cbc
ipsec 1 auth hmac-sha1
ipsec 1 pfs modp1024
ipsec 1 lifetime 28800s
ike remote 0 address 200.0.0.253
ike remote 0 shared key text "camera-sample"
ike remote 0 proposal 0 encrypt 3des-cbc
ike remote 0 proposal 0 hash hmac-sha1
ike remote 0 proposal 0 pfs modp1024
ike remote 0 proposal 0 lifetime 28800s
-------------------------------------------------------------
Note:
IPsec communication over IPv6 is not available with the Si-R150.
IPsec setup example on Allied Telesis AR450S
add user=secoff password=secoff privilege=securityofficer
login secoff
create enco key=1 type=general value="camera-sample"
create isakmp policy="ISAKMPSA" peer=200.0.0.253 authtype=preshared key=1 encalg=des hashalg=sha expirysec=28800 mode=main group=2 localid=100.0.0.1 remoteid=200.0.0.253 senddel=true sendnotify=true sendid=true
create ipsec saspec=1 key=isakmp protocol=esp mode=tunnel encalg=des hashalg=sha
create ipsec saspec=2 key=isakmp protocol=esp mode=tunnel encalg=des hashalg=md5
create ipsec bundlespec=1 key=isakmp string="1 or 2" expirysec=10000
create ipsec policy="ISAKMP" int=eth0 action=permit transport=udp lport=500 rport=500
create ipsec policy="SP" int=eth0 action=ipsec key=isakmp bundle=1 peer=200.0.0.253 laddr=100.1.0.0/24 lmask=255.255.255.0 lport=any raddr=200.0.0.253 rmask=255.255.255.255 rport=any transport=any group=2 usepfskey=true
enable ipsec
enable isakmp
enable system security_mode
Note:
IPsec communication over IPv6 is not available with the Allied Telesis AR450.
Note:
The Phase 2 lifetime (in seconds) should be set to a value other than 28,800 (expirysec=10000 in the above setup).
IPsec setup example on FURUKAWA ELECTRIC FITELnet-F100
enable
configure terminal
vpn enable
crypto isakmp policy 1
authentication prekey
key ascii camera-sample
encryption 3des
hash sha
negotiation-mode main
group 2
lifetime 28800
my-identity 100.0.0.1
peer-identity address 200.0.0.253
exit
ipsec transform-set Transform01 esp-3des esp-sha-hmac
ipsec access-list 1 ipsec ip 100.1.0.0/24 0.0.0.255 200.0.0.253 0.0.0.0
crypto map Camera 1
match address 1
set peer address 200.0.0.253
set transform-set Transform01
set pfs group2
set security-association lifetime seconds 28800
set security-association ipsec-src-id 100.1.0.0/24 0.0.0.255
exit
interface ewan 1
crypto map Camera
exit
end
-------------------------------------------------------------
Note:
IPsec communication over IPv6 is not available with the FITELnet-F100. (The setup is done with the GUI.)
IPsec setup example on IIJ SEIL neu/2FE
ike proposal add IKEP01 authentication preshared-key encryption 3des hash sha1 dh-group modp1024 lifetime-of-time 28800s
ike peer add PEER exchange-mode main proposals IKEP01 address 200.0.0.253 check-level obey my-identifier address peers-identifier address
ike preshared-key add 200.0.0.253 camera-sample
ipsec security-association proposal add SAP01 authentication-algorithm hmac-sha1 encryption-algorithm 3des lifetime-of-time 28800s pfs-group modp1024 my-identifier address
ipsec security-association add TUN-SA tunnel 100.0.0.1 200.0.0.253 ike SAP01 esp enable
ipsec security-policy add TUN-SP security-association TUN-SA src 100.1.0.0/24 dst 200.0.0.253/32 protocol any srcport any dstport any enable
Note:
The setup is done with the GUI.
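A check a reviewer can run over a peer configuration before deployment, given here as an added example that is not part of the original page or any vendor tool: it extracts the cipher and hash tokens in the vendor spellings used in the setup examples above and reports every line that differs from the 3DES-CBC / HMAC-SHA-1 values in the parameter tables. The function name `audit` and the `SAMPLE` excerpt (lines copied from the examples above) are assumptions of this sketch.

```python
import re

# Algorithms the parameter tables on this page specify for both IKE phases.
EXPECTED = {"cipher": "3des", "hash": "sha1"}

# Token patterns for the spellings seen in the setup examples (3des-cbc,
# esp-3des, encalg=des, sha, sha-hmac, hmac-sha1, esp-sha, md5). The
# look-arounds stop "des" matching inside "3des", "dest" or "address" and
# "sha" matching inside "pre-shared-key" or "hashalg".
CIPHER_RE = re.compile(r"(?<![0-9a-z])(3des|des)(?![0-9a-z])", re.I)
HASH_RE = re.compile(r"(?<![0-9a-z])(sha1?|md5)(?![0-9a-z])", re.I)


def audit(config_text):
    """Return (line_no, kind, found) for each algorithm that differs."""
    findings = []
    for no, line in enumerate(config_text.splitlines(), 1):
        for kind, rx in (("cipher", CIPHER_RE), ("hash", HASH_RE)):
            for tok in rx.findall(line):
                found = "sha1" if tok.lower() == "sha" else tok.lower()
                if found != EXPECTED[kind]:
                    findings.append((no, kind, found))
    return findings


# Excerpt assembled from the Yamaha, NEC, Fujitsu and Allied Telesis examples.
SAMPLE = """\
ipsec sa policy 101 1 esp 3des-cbc sha-hmac
ike proposal IKEP01 encryption 3des hash sha group 1024-bit lifetime 28800
ipsec 0 auth hmac-sha1
create ipsec saspec=1 key=isakmp protocol=esp mode=tunnel encalg=des hashalg=sha
create ipsec saspec=2 key=isakmp protocol=esp mode=tunnel encalg=des hashalg=md5
"""

if __name__ == "__main__":
    for no, kind, found in audit(SAMPLE):
        print(f"line {no}: {kind} is {found}, table says {EXPECTED[kind]}")
```

On this excerpt only the two AR450S `saspec` lines are reported: both request `encalg=des`, and the second also offers `hashalg=md5`.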
IPsec Transport mode (IPv6)

Items to set on the opposite equipment for IPsec/IKE

| IKE phase 1 | |
|---|---|
| Key Exchange mode | Main mode |
| Pre-shared Key | camera-sample |
| Cipher Algorithm | 3DES-CBC |
| Message-Digest Algorithm | HMAC-SHA-1 |
| MODP Diffie-Hellman Group | Group2 (1,024 bits) |
| Lifetime | 28800 seconds |

| IKE phase 2 | |
|---|---|
| Applied protocol | ESP |
| Cipher Algorithm | 3DES-CBC |
| Message-Digest Algorithm | HMAC-SHA-1-96 |
| PFS | Choose (D-H Group2) |
| Lifetime | 28800 seconds |

| Applied traffic for IPsec (IPsec policy) | |
|---|---|
| Origin IP address | 2001:1:2:3::1 |
| Destination IP address | 2001:4:5:6::1 |
| Protocol | TCP |
| Origin Port No. | ANY |
| Destination Port No. | 80 |

IPsec Tunnel mode (IPv6)

Items to set on the opposite equipment for IPsec/IKE

| IKE phase 1 | |
|---|---|
| Key Exchange mode | Main mode |
| Pre-shared Key | camera-sample |
| Cipher Algorithm | 3DES-CBC |
| Message-Digest Algorithm | HMAC-SHA-1 |
| MODP Diffie-Hellman Group | Group2 (1,024 bits) |
| Lifetime | 28800 seconds |

| IKE phase 2 | |
|---|---|
| Applied protocol | ESP |
| Cipher Algorithm | 3DES-CBC |
| Message-Digest Algorithm | HMAC-SHA-1-96 |
| PFS | Choose (D-H Group2) |
| Lifetime | 28800 seconds |

| Applied traffic for IPsec (IPsec policy) | |
|---|---|
| Origin Network | 2001:1:2:3::/64 |
| Destination Network | 2001:4:5:6::1/128 |
| Origin IP address | 2001:1:2:3::1 |
| Destination IP address | 2001:4:5:6::1 |
| Protocol | TCP |
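The "Applied traffic for IPsec" tables decide which flows towards the camera are covered by ESP and which are not. The following added example (not part of the original page) encodes the four policies and tests constructed flows against them; the function names, the sample flows and the reading of the IPv6 tunnel table as "any port" are assumptions.

```python
import ipaddress

# Traffic selectors copied from the four "Applied traffic for IPsec" tables:
# (source, destination, protocol, destination port). Port None = any port,
# protocol "any" = any protocol. The IPv6 tunnel table lists no port, so it
# is treated as any port (assumption).
POLICIES = {
    "transport-v4": ("100.0.0.1/32", "200.0.0.253/32", "tcp", 80),
    "tunnel-v4": ("100.1.0.0/24", "200.0.0.253/32", "any", None),
    "transport-v6": ("2001:1:2:3::1/128", "2001:4:5:6::1/128", "tcp", 80),
    "tunnel-v6": ("2001:1:2:3::/64", "2001:4:5:6::1/128", "tcp", None),
}


def is_protected(policy, src, dst, proto, dport):
    """True if a flow towards the camera matches the policy's selectors."""
    p_src, p_dst, p_proto, p_dport = POLICIES[policy]
    return (
        ipaddress.ip_address(src) in ipaddress.ip_network(p_src)
        and ipaddress.ip_address(dst) in ipaddress.ip_network(p_dst)
        and p_proto in ("any", proto)
        and p_dport in (None, dport)
    )


def uncovered_flows(policy, flows):
    """Return the flows that fall outside the policy, so ESP is not applied."""
    return [f for f in flows if not is_protected(policy, *f)]


# Constructed sample flows: (source, destination, protocol, destination port).
SAMPLE_FLOWS = [
    ("100.0.0.1", "200.0.0.253", "tcp", 80),
    ("100.0.0.1", "200.0.0.253", "tcp", 554),
    ("100.0.0.1", "200.0.0.253", "udp", 161),
    ("100.1.0.20", "200.0.0.253", "tcp", 80),
]

if __name__ == "__main__":
    for name in ("transport-v4", "tunnel-v4"):
        print(name, "does not cover:", uncovered_flows(name, SAMPLE_FLOWS))
```

With the IPv4 transport-mode policy only the TCP port 80 flow from 100.0.0.1 is covered; with the IPv4 tunnel-mode policy only traffic sourced inside 100.1.0.0/24 is covered, so flows sourced from 100.0.0.1 itself fall outside it.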
- Microsoft and Windows XP are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

