Examples of IPsec setup on connection pattern

Setup examples of IPsec (Transport/Tunnel mode)

The instructions provided here explain the setup conditions for each IPsec connection pattern (Transport/Tunnel mode) on IPv4 and IPv6, and show examples of IPsec setup on the opposite equipment (VPN router, PC and camera).

They also explain the setup procedure on a PC (Windows XP) for encrypted communication.

Relation between IPsec connection (Transport/Tunnel mode) and opposite equipment, by environment

Environment   Connection pattern   Opposite equipment for IPsec (PC and router)   Setup Example
IPv4                               Windows XP
                                   Yamaha RTX1000
                                   Netscreen-5XT
                                   NEC IX1000/IX2000 series
                                   Fujitsu Si-R150
                                   Allied Telesis AR450S
                                   FURUKAWA ELECTRIC FITELnet-F100
                                   IIJ SEIL neu/2FE
IPv6          ---                  ---
                                   NEC IX1000/IX2000 series
                                   IIJ SEIL neu/2FE                               ---
  • Connection pattern: the network diagram for each connection pattern in the LAN.
  • Setup Example: the IPsec setup on the opposite equipment (router, PC and camera).

IPsec Transport mode (IPv4)

Items to be set on the opposite equipment for IPsec/IKE

IKE phase 1
Key Exchange mode: Main mode
Pre-shared Key: camera-sample
Cipher Algorithm: 3DES-CBC
Message-Digest Algorithm: HMAC-SHA-1
MODP Diffie-Hellman Group: Group2 (1,024 bits)
Lifetime: 28800 seconds

IKE phase 2
Applied protocol: ESP
Cipher Algorithm: 3DES-CBC
Message-Digest Algorithm: HMAC-SHA-1-96
PFS: Choose (D-H Group2)
Lifetime: 28800 seconds

Applied traffic for IPsec (IPsec policy)
Origin IP address: 100.0.0.1
Destination IP address: 200.0.0.253
Protocol: TCP
Origin Port No.: ANY
Destination Port No.: 80

IPsec Tunnel mode (IPv4)

Items to be set on the opposite equipment for IPsec/IKE

IKE phase 1
Key Exchange mode: Main mode
Pre-shared Key: camera-sample
Cipher Algorithm: 3DES-CBC
Message-Digest Algorithm: HMAC-SHA-1
MODP Diffie-Hellman Group: Group2 (1,024 bits)
Lifetime: 28800 seconds

IKE phase 2
Applied protocol: ESP
Cipher Algorithm: 3DES-CBC
Message-Digest Algorithm: HMAC-SHA-1-96
PFS: Choose (D-H Group2)
Lifetime: 28800 seconds

Applied traffic for IPsec (IPsec policy)
Origin Network: 100.1.0.0/24
Destination Network: 200.0.0.253/32
Origin IP address: 100.0.0.1
Destination IP address: 200.0.0.253
Protocol: ANY

Setup example on Yamaha RTX1000 for IPsec

ip route 200.0.0.253 gateway tunnel 1 filter 1 2 100
tunnel select 1
ipsec tunnel 101
ipsec sa policy 101 1 esp 3des-cbc sha-hmac
ipsec ike duration ipsec-sa 1 28800
ipsec ike duration isakmp-sa 1 28800
ipsec ike encryption 1 3des-cbc
ipsec ike group 1 modp1024
ipsec ike hash 1 sha
ipsec ike local address 1 100.0.0.1
ipsec ike local id 1 100.1.0.0/24
ipsec ike negotiate-strictly 1 off
ipsec ike pfs 1 on
ipsec ike pre-shared-key 1 text camera-sample
ipsec ike remote address 1 200.0.0.253
ipsec ike remote id 1 200.0.0.253/32
tunnel enable 1
ip filter 1 reject * * udp * 500
ip filter 2 reject * * esp
ip filter 100 pass * *
ipsec auto refresh on
-------------------------------------------------------------

Note:
IPsec communication is not available with the Yamaha RTX1000 over IPv6.

Setup example on Netscreen-5XT for IPsec
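As an added example (not part of this page and not a Yamaha tool), a Python checker that parses the RTX1000 lines above and compares them with the camera's phase 1 / phase 2 requirements from the tables on this page; the keyword-to-setting mapping and the embedded PAGE_CONFIG excerpt are assumptions transcribed from this page.

```python
import re

# Camera-side IKE/IPsec requirements, transcribed from the phase 1 / phase 2
# tables on this page (written in Yamaha RTX keyword spelling; an assumption).
REQUIRED = {
    "ike_encryption": "3des-cbc", "ike_hash": "sha", "ike_group": "modp1024",
    "isakmp_lifetime": 28800, "ipsec_lifetime": 28800,
    "sa_protocol": "esp", "sa_cipher": "3des-cbc", "sa_auth": "sha-hmac",
    "pfs": "on", "remote_address": "200.0.0.253",
}
IKE_KEYS = {"encryption": "ike_encryption", "hash": "ike_hash", "group": "ike_group",
            "pfs": "pfs", "remote address": "remote_address",
            "local address": "local_address", "pre-shared-key": "psk"}
DURATION_KEYS = {"ipsec-sa": "ipsec_lifetime", "isakmp-sa": "isakmp_lifetime"}
IKE_RE = re.compile(r"ipsec ike (" + "|".join(map(re.escape, IKE_KEYS)) + r") \d+ (.+)")

def parse_yamaha(config: str) -> dict:
    """Collect the SA policy, IKE durations and IKE settings from RTX-style config text."""
    found = {}
    for line in (l.strip() for l in config.splitlines()):
        m = re.match(r"ipsec sa policy \d+ \d+ (\S+) (\S+) (\S+)$", line)
        if m:
            found["sa_protocol"], found["sa_cipher"], found["sa_auth"] = m.groups()
            continue
        m = re.match(r"ipsec ike duration (ipsec-sa|isakmp-sa) \d+ (\d+)$", line)
        if m:
            found[DURATION_KEYS[m.group(1)]] = int(m.group(2))
            continue
        m = IKE_RE.match(line)
        if m:
            key, value = IKE_KEYS[m.group(1)], m.group(2)
            if key == "psk":                 # "text camera-sample": keep only the key text
                value = value.split(maxsplit=1)[-1]
            found[key] = value
    return found

def mismatches(found: dict) -> list:
    """Return (setting, required, configured) for every requirement not met."""
    return [(k, v, found.get(k)) for k, v in REQUIRED.items() if found.get(k) != v]

# Excerpt of the RTX1000 example from this page, embedded so the checker runs offline.
PAGE_CONFIG = """
ipsec sa policy 101 1 esp 3des-cbc sha-hmac
ipsec ike duration ipsec-sa 1 28800
ipsec ike duration isakmp-sa 1 28800
ipsec ike encryption 1 3des-cbc
ipsec ike group 1 modp1024
ipsec ike hash 1 sha
ipsec ike local address 1 100.0.0.1
ipsec ike pfs 1 on
ipsec ike pre-shared-key 1 text camera-sample
ipsec ike remote address 1 200.0.0.253
"""

if __name__ == "__main__":
    print(mismatches(parse_yamaha(PAGE_CONFIG)))   # [] when every requirement matches
```

A non-empty result names the setting, the value the camera expects, and what the router actually has (None when the line is missing), which is the usual reason a phase 1 or phase 2 negotiation fails silently.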

[VPNs] -> [AutoKey Advanced] -> [P1 Proposal]
Name : IKEP01
Authentication Method: Preshare
DH Group : Group 2
Encryption Algorithm : 3DES-CBC
Hash Algorithm : SHA-1
Lifetime : 28800sec

[VPNs] -> [AutoKey Advanced] -> [P2 Proposal]
Name : SAP01
Perfect Forward Secrecy : DH Group 2
Encapsulation : Encryption (ESP)
Encryption Algorithm : 3DES-CBC
Authentication Algorithm: SHA-1
Lifetime
In Time : 28800sec
In Kbytes : 0Kbytes

[VPNs] -> [AutoKey Advanced] -> [Gateway]
Gateway Name : Camera
Security Level : Custom
Remote Gateway Type : Static IP Address
IP Address/Hostname: 200.0.0.253
Preshared Key : camera-sample
Local ID : 100.0.0.1
Outgoing Interface : untrust

[Advanced]
Security Level : Custom
Phase 1 Proposal: IKEP01
Mode (Initiator) : Main (ID Protection)

[VPNs] -> [Autokey IKE]
VPN Name : Camera
Security Level: Custom
Remote Gateway: Predefined
Predefined : Camera

[Advanced]
Security Level : Custom
Phase 2 Proposal: SAP01

[Objects] -> [Addresses] -> [List]
Address Name : Netscreen
IP Address/Domain Name: 100.1.0.0 / 255.255.255.0
Zone : Trust

[Objects] -> [Addresses] -> [List]
Addresses Name : Camera
IP Address/Domain Name: 200.0.0.253 / 255.255.255.255
Zone : Untrust

[Policies]
From: Trust, To: Untrust
Source Address
Address Book : Netscreen
Destination Address
Address Book : Camera
Service : ANY
Action : Tunnel
Tunnel
VPN : Camera
Modify matching bidirectional VPN policy: Enable
-------------------------------------------------------------

Note:
This setup example uses the GUI. IPsec communication is not available with the Netscreen-5XT over IPv6.

Setup example on NEC IX1000/IX2000 series for IPsec

ike proposal IKEP01 encryption 3des hash sha group 1024-bit lifetime 28800
ipsec autokey-proposal SAP01 esp-3des esp-sha lifetime time 28800
ip access-list LIST permit ip src 100.1.0.0/24 dest 200.0.0.253/32
ike policy PEER peer 200.0.0.253 key camera-sample mode main IKEP01
ike local-id PEER address 100.0.0.1
ike remote-id PEER address 200.0.0.253
ipsec autokey-map TUN LIST peer 200.0.0.253 pfs 1024-bit esp-level require SAP01
ipsec local-id TUN 100.1.0.0/24
ipsec remote-id TUN 200.0.0.253/32
interface Ethernet0.0
ip ufs-cache enable
ipsec policy tunnel TUN
-------------------------------------------------------------

Setup example on Fujitsu Si-R150 for IPsec

ipsec 0 range 100.1.0.0/24 200.0.0.253/32
ipsec 0 path ike 100.0.0.1 200.0.0.253
ipsec 0 encrypt 3des-cbc
ipsec 0 auth hmac-sha1
ipsec 0 pfs modp1024
ipsec 0 lifetime 28800s
ipsec 1 range 200.0.0.253/32 100.1.0.0/24
ipsec 1 path ike 200.0.0.253 100.0.0.1
ipsec 1 encrypt 3des-cbc
ipsec 1 auth hmac-sha1
ipsec 1 pfs modp1024
ipsec 1 lifetime 28800s
ike remote 0 address 200.0.0.253
ike remote 0 shared key text "camera-sample"
ike remote 0 proposal 0 encrypt 3des-cbc
ike remote 0 proposal 0 hash hmac-sha1
ike remote 0 proposal 0 pfs modp1024
ike remote 0 proposal 0 lifetime 28800s
-------------------------------------------------------------

Note:
IPsec communication is not available with the Si-R150 over IPv6.

Setup example on Allied Telesis AR450S for IPsec

add user=secoff password=secoff privilege=securityofficer
login secoff
create enco key=1 type=general value="camera-sample"
create isakmp policy="ISAKMPSA" peer=200.0.0.253 authtype=preshared key=1 encalg=des hashalg=sha expirysec=28800 mode=main group=2 localid=100.0.0.1 remoteid=200.0.0.253 senddel=true sendnotify=true sendid=true
create ipsec saspec=1 key=isakmp protocol=esp mode=tunnel encalg=des hashalg=sha
create ipsec saspec=2 key=isakmp protocol=esp mode=tunnel encalg=des hashalg=md5
create ipsec bundlespec=1 key=isakmp string="1 or 2" expirysec=10000
create ipsec policy="ISAKMP" int=eth0 action=permit transport=udp lport=500 rport=500
create ipsec policy="SP" int=eth0 action=ipsec key=isakmp bundle=1 peer=200.0.0.253 laddr=100.1.0.0/24 lmask=255.255.255.0 lport=any raddr=200.0.0.253 rmask=255.255.255.255 rport=any transport=any group=2 usepfskey=true
enable ipsec
enable isakmp
enable system security_mode

Note:
IPsec communication is not available with the Allied Telesis AR450S over IPv6.

Note:
The Phase 2 lifetime (unit: seconds) should be set to a value other than 28,800 (expirysec=10000 in the setup above).

Setup example on FURUKAWA ELECTRIC FITELnet-F100 for IPsec

enable
configure terminal
vpn enable
crypto isakmp policy 1
authentication prekey
key ascii camera-sample
encryption 3des
hash sha
negotiation-mode main
group 2
lifetime 28800
my-identity 100.0.0.1
peer-identity address 200.0.0.253
exit
ipsec transform-set Transform01 esp-3des esp-sha-hmac
ipsec access-list 1 ipsec ip 100.1.0.0/24 0.0.0.255 200.0.0.253 0.0.0.0
crypto map Camera 1
match address 1
set peer address 200.0.0.253
set transform-set Transform01
set pfs group2
set security-association lifetime seconds 28800
set security-association ipsec-src-id 100.1.0.0/24 0.0.0.255
exit
interface ewan 1
crypto map Camera
exit
end
-------------------------------------------------------------

Note:
IPsec communication is not available with the FITELnet-F100 over IPv6. (The setup is done with the GUI.)

Setup example on IIJ SEIL neu/2FE for IPsec

ike proposal add IKEP01 authentication preshared-key encryption 3des hash sha1 dh-group modp1024 lifetime-of-time 28800s

ike peer add PEER exchange-mode main proposals IKEP01 address 200.0.0.253 check-level obey my-identifier address peers-identifier address

ike preshared-key add 200.0.0.253 camera-sample

ipsec security-association proposal add SAP01 authentication-algorithm hmac-sha1 encryption-algorithm 3des lifetime-of-time 28800s pfs-group modp1024 my-identifier address

ipsec security-association add TUN-SA tunnel 100.0.0.1 200.0.0.253 ike SAP01 esp enable

ipsec security-policy add TUN-SP security-association TUN-SA src 100.1.0.0/24 dst 200.0.0.253/32 protocol any srcport any dstport any enable

Note:
The setup is done with the GUI.

IPsec Transport mode (IPv6)

Items to be set on the opposite equipment for IPsec/IKE

IKE phase 1
Key Exchange mode: Main mode
Pre-shared Key: camera-sample
Cipher Algorithm: 3DES-CBC
Message-Digest Algorithm: HMAC-SHA-1
MODP Diffie-Hellman Group: Group2 (1,024 bits)
Lifetime: 28800 seconds

IKE phase 2
Applied protocol: ESP
Cipher Algorithm: 3DES-CBC
Message-Digest Algorithm: HMAC-SHA-1-96
PFS: Choose (D-H Group2)
Lifetime: 28800 seconds

Applied traffic for IPsec (IPsec policy)
Origin IP address: 2001:1:2:3::1
Destination IP address: 2001:4:5:6::1
Protocol: TCP
Origin Port No.: ANY
Destination Port No.: 80

IPsec Tunnel mode (IPv6)

Items to be set on the opposite equipment for IPsec/IKE

IKE phase 1
Key Exchange mode: Main mode
Pre-shared Key: camera-sample
Cipher Algorithm: 3DES-CBC
Message-Digest Algorithm: HMAC-SHA-1
MODP Diffie-Hellman Group: Group2 (1,024 bits)
Lifetime: 28800 seconds

IKE phase 2
Applied protocol: ESP
Cipher Algorithm: 3DES-CBC
Message-Digest Algorithm: HMAC-SHA-1-96
PFS: Choose (D-H Group2)
Lifetime: 28800 seconds

Applied traffic for IPsec (IPsec policy)
Origin Network: 2001:1:2:3::/64
Destination Network: 2001:4:5:6::1/128
Origin IP address: 2001:1:2:3::1
Destination IP address: 2001:4:5:6::1
Protocol: TCP
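As an added example (not from this page or the camera vendor), a Python evaluator for the four "Applied traffic" selector tables above: it reports which policy, if any, would protect a given flow, which makes the difference between the host/port-scoped transport policies and the network-scoped tunnel policies concrete. The POLICIES table is an assumption transcribed from this page's selector rows.

```python
import ipaddress
from typing import Optional

# Selector tables from this page. Transport mode covers one host pair on TCP/80;
# tunnel mode covers the whole LAN prefix toward the camera host (protocol as listed
# on the page: ANY for IPv4 tunnel, TCP for IPv6 tunnel).
POLICIES = {
    "transport-v4": {"src": "100.0.0.1/32", "dst": "200.0.0.253/32", "proto": "tcp", "dport": 80},
    "tunnel-v4":    {"src": "100.1.0.0/24", "dst": "200.0.0.253/32", "proto": "any", "dport": None},
    "transport-v6": {"src": "2001:1:2:3::1/128", "dst": "2001:4:5:6::1/128", "proto": "tcp", "dport": 80},
    "tunnel-v6":    {"src": "2001:1:2:3::/64", "dst": "2001:4:5:6::1/128", "proto": "tcp", "dport": None},
}

def matching_policy(src: str, dst: str, proto: str, dport: int) -> Optional[str]:
    """Return the name of the first selector that covers the flow, or None if it is unprotected."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for name, p in POLICIES.items():
        # ip_address in ip_network is False across IPv4/IPv6, so families never cross-match.
        if s not in ipaddress.ip_network(p["src"]) or d not in ipaddress.ip_network(p["dst"]):
            continue
        if p["proto"] != "any" and p["proto"] != proto:
            continue
        if p["dport"] is not None and p["dport"] != dport:
            continue
        return name
    return None

def unprotected(flows: list) -> list:
    """Filter a list of (src, dst, proto, dport) flows down to those no policy covers."""
    return [f for f in flows if matching_policy(*f) is None]

if __name__ == "__main__":
    # Constructed flows: HTTP from the PC, HTTP from another LAN host, and a non-HTTP port.
    for flow in [("100.0.0.1", "200.0.0.253", "tcp", 80),
                 ("100.1.0.10", "200.0.0.253", "tcp", 80),
                 ("100.0.0.1", "200.0.0.253", "tcp", 554)]:
        print(flow, "->", matching_policy(*flow))
```

The third flow shows the practical caveat of the transport-mode selector: only TCP/80 between the listed hosts is encrypted, so anything else to the camera from that PC travels in the clear unless a broader policy covers it.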
  • Microsoft and Windows XP are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.
