7/21/2019 IPSec Board-B2 SM Rev0 091109
http://slidepdf.com/reader/full/ipsec-board-b2-sm-rev0-091109 1/52
Security: IPSec Board-B2
Service Manual
September 11, 2009 Revision 0
IPSec Overview
Settings
Installation
Maintenance
Service Mode
Application
This manual has been issued by Canon Inc. for qualified persons to learn technical theory,
installation, maintenance, and repair of products. This manual covers all localities where the
products are sold. For this reason, there may be information in this manual that does not
apply to your locality.
Corrections
This manual may contain technical inaccuracies or typographical errors due to improvements
or changes in products. When changes occur in applicable products or in the contents of
this manual, Canon will release technical information as the need arises. In the event of major
changes in the contents of this manual over a long or short period, Canon will issue a new
edition of this manual.
The following paragraph does not apply to any countries where such provisions are
inconsistent with local law.
Trademarks
The product names and company names used in this manual are the registered trademarks
of the individual companies.
Copyright
This manual is copyrighted with all rights reserved. Under the copyright laws, this manual may
not be copied, reproduced or translated into another language, in whole or in part, without the
written consent of Canon Inc.
(C) CANON INC. 2009
Caution
Use of this manual should be strictly supervised to avoid disclosure of confidential
information.
Contents
IPSec Overview
IPSec Overview ------------------------------------------------------ 1-2
What is IPSec? ------------------------------------------------------ 1-2
Modes of operation -------------------------------------------------- 1-4
Protocol of authentication and cryptographic ------------------------ 1-4
Key exchange protocols ---------------------------------------------- 1-5
Specifications ------------------------------------------------------ 1-6
Operating Conditions of IPSec --------------------------------------- 1-6
Supported Devices --------------------------------------------------- 1-6
Supported Functions ------------------------------------------------- 1-6
Applicable Packets -------------------------------------------------- 1-6
Specifications for Network Port ------------------------------------- 1-6
Specifications for Security Policy ---------------------------------- 1-7
Menu Items in IPSec Setting Window ---------------------------------- 1-8
Other Specifications ------------------------------------------------ 1-10
Restrictions -------------------------------------------------------- 1-11
Notification of Deletion of SAD ------------------------------------- 1-11
Conflict with Sleep Function ---------------------------------------- 1-11
Link-Local Address -------------------------------------------------- 1-11
Certificate Method -------------------------------------------------- 1-11
Restrictions when Registering Multiple Policies --------------------- 1-12
Internal processing when restricted patterns occur ------------------ 1-12
Settings
Settings Window --------------------------------------------------------------2-2
Path to IPSec Settings window ------------------------------------------------ 2-2
IPSec Settings window ---------------------------------------------------------- 2-2
Registration/Edit Window --------------------------------------------------2-4
Path to Registration/Edit Window --------------------------------------------- 2-4
Policy Name ------------------------------------------------------------------------- 2-4
Selector Settings ------------------------------------------------------------------- 2-4
IKE Settings ------------------------------------------------------------------------- 2-5
IPSec Settings ---------------------------------------------------------------------- 2-5
Selector Settings Window --------------------------------------------------2-6
Path to Selector Settings Window --------------------------------------------- 2-6
Local Address Settings/Remote Address Settings ------------------------ 2-6
Port Settings ------------------------------------------------------------------------ 2-7
IKE Settings --------------------------------------------------------------------2-8
Path to IKE Settings Window -------------------------------------------------- 2-8
Mode ---------------------------------------------------------------------------------- 2-8
Authentication Method ------------------------------------------------------------ 2-9
Auth./Encryption Algorithm ------------------------------------------------------ 2-9
IPSec Network Settings --------------------------------------------------- 2-10
Validity -------------------------------------------------------------------------------2-10
PFS -----------------------------------------------------------------------------------2-10
Authentication/Encryption Algorithm ---------------------------------------- 2-11
Connection Mode -------------------------------------------------------------------------- 2-12
Installation
Installation/Settings Procedure --------------------------------------------3-2
Flow of installation settings for basic IPSec --------------------------------- 3-2
Review of security policy------------------------------------------------------------------ 3-2
Security policy settings -------------------------------------------------------------------- 3-2
Operation check----------------------------------------------------------------------------- 3-2
Points to note at installation -------------------------------------------------------------- 3-2
IPSec settings and operation check --------------------------------------3-3
Setting procedure on device side ---------------------------------------------- 3-3
Setting procedure on PC side -------------------------------------------------- 3-4
Operation check -------------------------------------------------------------------3-13
Maintenance
FAQ -------------------------------------------------------------------------------4-2
Troubleshooting ---------------------------------------------------------------4-2
Service Mode
IPSec Security Board Status Check Test -------------------------------5-2
Procedure for IPSec Security Board Status Check Test ----------------- 5-2
Deletion of All Registered Policies ----------------------------------------5-4
Procedure to Delete All Registered Policies -------------------------------- 5-4
Acquisition of Debug Logs --------------------------------------------------5-5
Procedure to Obtain Debug Logs ---------------------------------------------- 5-5
Explanation of Symbols
The following symbols are used throughout this Service Manual (the symbol images themselves are not reproduced here; only their explanations survive).
Symbol 1: General attention, a warning, or a notice of a danger that is not otherwise specified.
Symbol 2: Notice of the possibility of electric shock; take care.
Symbol 3: Refers to an item described in the copier BASIC series; consult that description to understand the contents.
The following rules apply throughout this Service Manual:
1. Each chapter contains sections explaining the purpose of specific functions and the
relationship between electrical and mechanical systems with reference to the timing of
operation.
In the diagrams, the symbol represents the path of mechanical drive; where a signal name
accompanies the symbol, the arrow indicates the direction of the electric signal.
The expression "turn on the power" means flipping on the power switch, closing the front
door, and closing the delivery unit door, which results in supplying the machine with power.
2. In the digital circuits, '1' is used to indicate that the voltage level of a given signal is "High",
while '0' is used to indicate "Low". (The voltage value, however, differs from circuit to
circuit.) In addition, the asterisk (*) as in "DRMD*" indicates that the DRMD signal goes on
when '0'.
In practically all cases, the internal mechanisms of a microprocessor cannot be checked in
the field. Therefore, the operations of the microprocessors used in the machines are not
discussed: they are explained in terms of the path from the sensors to the input of the DC controller
PCB and from the output of the DC controller PCB to the loads.
The descriptions in this Service Manual are subject to change without notice for product
improvement or other purposes, and major changes will be communicated in the form of
Service Information bulletins.
All service persons are expected to have a good understanding of the contents of this Service
Manual and all relevant Service Information bulletins and be able to identify and isolate faults
in the machine.
IPSec Overview
IPSec Overview
Specifications
Restrictions
IPSec Overview
What is IPSec?
IPSec is a function that provides secure IP communication for all packets at the IP level.
The IPSec function can be applied to all IP packets, whether IPv6 or IPv4.
Since the IPSec function is applied to each IP packet, applications do not need to support the
function. Communication between the nodes to which IPSec settings are applied automatically
becomes secure communication without the applications being aware of it.
In IPSec, whether or not to apply encryption and other processing is determined according
to the data in each communication packet. Specifically, one of the following operations is
performed:
• The IPSec settings are applied to a packet which satisfies the conditions. (Authentication
and encryption are performed.)
• The IPSec settings are not applied to a packet which does not satisfy the conditions, and
the normal operation is performed.
• A packet which does not satisfy the conditions is discarded.
The conditions mentioned above are the start-point addresses, end-point addresses, protocol,
and destination port. These condition items used to sort out communication packets
are generally called "selectors". The concept of the "selector" is close to that of filtering in a
router (the selector is called "IP Filter" in Windows), and multiple selectors can be defined.
A selector together with the detailed processing that is actually applied to matching packets is called a "security
policy". A security policy also includes the IPSec protocol (AH, ESP, or IPComp) and the mode
(transport mode or tunnel mode).
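The three outcomes listed above, as an added example that is not part of the manual: a small Python model of how a security policy database (SPD) is walked in priority order, using the selector forms the Settings chapter lists (All IP Address, All IPv4/IPv6 Addresses, Single Address, Range Address, Subnet Settings, All Port or a single port) and the "Receive Non-policy Packet" Allow/Reject setting. The Policy and Packet classes, the evaluate function and the sample SPD are assumptions of this example, not the board's firmware.

```python
import ipaddress
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional, Tuple

# Hypothetical model (not the board's firmware) of the selector matching the
# manual describes.  Address selectors take the forms the Settings chapter lists:
#   "All IP Address", "All IPv4 Addresses", "All IPv6 Addresses",
#   a single address ("172.24.111.111"), a range ("172.24.0.1-172.24.0.50"),
#   or a subnet in CIDR form ("172.24.0.0/16").
# Port selectors are "All Port" or a single port number given as a string.


class Action(Enum):
    APPLY = "apply IPSec (authentication/encryption)"
    BYPASS = "normal (unprotected) processing"
    DISCARD = "discard"


def addr_matches(selector: str, addr: str) -> bool:
    """True if addr falls inside the address selector."""
    ip = ipaddress.ip_address(addr)
    if selector == "All IP Address":
        return True
    if selector == "All IPv4 Addresses":
        return ip.version == 4
    if selector == "All IPv6 Addresses":
        return ip.version == 6
    if "-" in selector:                                   # Range Address
        start, end = (ipaddress.ip_address(s) for s in selector.split("-", 1))
        return start.version == ip.version and start <= ip <= end
    if "/" in selector:                                   # Subnet Settings
        net = ipaddress.ip_network(selector, strict=False)
        return net.version == ip.version and ip in net
    return ip == ipaddress.ip_address(selector)           # Single Address


def port_matches(selector: str, port: int) -> bool:
    """True if port falls inside the port selector."""
    return selector == "All Port" or int(selector) == port


@dataclass
class Policy:
    name: str
    local_addr: str
    local_port: str
    remote_addr: str
    remote_port: str
    enabled: bool = True          # "Policy On/Off"


@dataclass
class Packet:
    local: str                    # this device's address in the packet
    remote: str                   # the peer's address in the packet
    proto: str                    # "TCP", "UDP" or "ICMP" (the protocols IPSec covers)
    local_port: int = 0           # 0 for ICMP, which has no ports
    remote_port: int = 0


def evaluate(spd: List[Policy], pkt: Packet,
             receive_non_policy_allow: bool = True) -> Tuple[Action, Optional[str]]:
    """Walk the SPD in priority order; the first enabled policy whose selector
    matches wins.  A packet no policy matches is passed or discarded according
    to the "Receive Non-policy Packet" setting (Allow / Reject)."""
    if pkt.proto not in ("TCP", "UDP", "ICMP"):
        return Action.BYPASS, None            # other protocols are outside IPSec
    for pol in spd:
        if not pol.enabled:
            continue
        if (addr_matches(pol.local_addr, pkt.local)
                and addr_matches(pol.remote_addr, pkt.remote)
                and port_matches(pol.local_port, pkt.local_port)
                and port_matches(pol.remote_port, pkt.remote_port)):
            return Action.APPLY, pol.name
    if receive_non_policy_allow:
        return Action.BYPASS, None
    return Action.DISCARD, None


# Constructed sample SPD in the shape of the manual's policy tables (the
# addresses are the manual's example values; the range selector is invented).
SAMPLE_SPD = [
    Policy("aaa", "All IPv4 Addresses", "All Port", "172.24.111.111", "All Port"),
    Policy("bbb", "All IPv4 Addresses", "All Port", "172.24.0.1-172.24.0.50", "All Port"),
    Policy("ccc", "All IPv4 Addresses", "9100", "All IPv4 Addresses", "All Port"),
]
```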
Example use cases of this product are provided below.
Case 1) Encrypt all print communications from a host computer with the IPSec settings.
[Figure: over one IP network, a host computer with IPSec settings sends encrypted data to the device, while a host computer without IPSec settings sends unencrypted data. Print protocols: lpr, raw, ftp, IPP.]
Case 2) Encrypt Send communications to the file server and host computer, and not encrypt
print communications.
[Figure: Send (scan) traffic to the host computer and the file server (send protocols: smb, ftp; files Confidentiality1.tif and Confidentiality2.tif) is encrypted; Print traffic from the host computer (print protocols: lpr, raw, ftp, IPP) is unencrypted.]
Case 3) Encrypt Internet FAX and Email transmission.*
[Figure: scanned data (Confidentiality1) sent to the mail server by SMTP, and from the mail server to the host computer by SMTP, is encrypted; G3 FAX transmission (G3FAX.tif) goes over the PSTN.]
* In Case 3, it is assumed that IPSec is also functioning between the mail server and the host
computer.
Key exchange protocols
IPSec relies on a key exchange protocol to carry out authentication and encryption. This
product supports IKEv1 (Internet Key Exchange version 1), which exchanges keys based on
the standard protocol ISAKMP (Internet Security Association and Key Management Protocol).
IKE has two processing phases: in phase 1 it creates the SA (Security Association) used by IKE itself,
and in phase 2 it creates the SA (IPSec SA) used by IPSec.
[Figure: IKE message flow between the two devices, summarised below.]
IKE Phase 1 (the ISAKMP SA is generated, and the communication of IKE is encrypted):
1. Proposal and selection of conditions: one side proposes several conditions (including the algorithm and the lifetime of the key, etc.), and the other side selects one of them.
2. Determination of the conditions of the SA.
3. Exchange of key by DH: each side creates and sends a numeric value which is used as a key element.
4. Creation of the key.
5. Authentication between devices: each side sends its ID and pass phrase, etc.
6. Verification that the other end is legitimate.
IKE Phase 2 (the IPSec SA is created, and communication through IPSec is started):
7. Exchange of conditions and elements to create the SA: encryption method, hash method, connection conditions such as lifetime of key, subnet, host, key element, etc.
8. Determination of the conditions for the SA (the proposal is accepted).
After phase 2, encrypted communication through IPSec begins.
In this product, either the pre-shared key method or the digital signature method can be used
as the authentication method of IKE.
When you use the pre-shared key method, you need to decide beforehand on a keyword (up to 24
characters) called a pre-shared key, which is shared with the devices sending
and receiving data. After setting, in the operation panel of this product, the pre-shared key of the connection end with which IPSec
communication is made, authentication can be performed with the pre-shared key method.
When you use a key in the electronic signature method, you need to install the key pair file
and CA Certificate file created on the PC using the UI, and then register the installed files in the
operation panel of this product.
Using the CA certificate, authentication is performed mutually with the connection end of the
IPSec communication.
The accepted key pair and CA certificate for authentication in the electronic signature
method are shown below:
• RSA algorithm
• X.509 Certificate
• Key pair in PKCS#12 format
Specifications
Operating Conditions of IPSec
A device needs to satisfy all of the following conditions to use the IPSec function.
• It is a device supported by IPSec.
• The IPSec security board is installed.*
• The IPSec function is enabled in the Local UI or Remote UI. (It is disabled in the initial
setting upon shipment from the factory. See the Users Manual or this manual regarding how to
enable the IPSec function.)
* To install the IPSec security board, the PCI Board Expansion Kit, which is available as an
option, needs to be installed.
Supported Devices
The devices supported by IPSec are multifunction machines after imageRUNNER
C5180/5185/4580 and printers after LBP3310.
IPSec Security Board, which is an option, needs to be purchased and installed in any of these
devices.
Supported Functions
Among the major functions stipulated by IPSec, those supported by this product are shown
below:
Function                                                      Support
IPsec of IPv4                                                 Support
IPsec of IPv6                                                 Support
AH: NULL                                                      Support
AH: HMAC-SHA-1-96                                             Support
AH: HMAC-MD5-96                                               Support
AH: AES-XCBC-MAC-96                                           Not Support
ESP: NULL                                                     Support
ESP: DES-CBC                                                  Not Support
ESP: 3DES-CBC                                                 Support
ESP: AES-CBC                                                  Support
ESP: AES-CTR                                                  Not Support
ESP: Other                                                    Not Support
Manual SA                                                     Not Support
IKEv1                                                         Support
IKEv2                                                         Not Support
IKEv1 phase 1: Main Mode                                      Support
IKEv1 phase 1: Aggressive Mode                                Support
Authentication Method (IKEv1): Pre-shared key                 Support
Authentication Method (IKEv1): Digital signature (RSA)        Support
Authentication Method (IKEv1): Public key encryption          Not Support
Authentication Method (IKEv1): Advanced public key encryption Not Support
DH (IKEv1): Group 0 (not in use)                              Not Support
DH (IKEv1): Group 1                                           Support
DH (IKEv1): Group 2                                           Support
DH (IKEv1): Group 5                                           Not Support
DH (IKEv1): Group 14                                          Support
DH (IKEv1): Group 15                                          Not Support
DH (IKEv1): Group 16                                          Not Support
DH (IKEv1): Group 17                                          Not Support
DH (IKEv1): Group 18                                          Not Support
DH (IKEv1): Other                                             Not Support
Encryption (IKEv1): DES-CBC                                   Not Support
Encryption (IKEv1): 3DES-CBC                                  Support
Encryption (IKEv1): AES-CBC                                   Support
Encryption (IKEv1): AES-CTR                                   Not Support
Encryption (IKEv1): Other                                     Not Support
Authentication (IKEv1): AUTH-HMAC-SHA1-96                     Support
Authentication (IKEv1): AUTH-HMAC-MD5-96                      Support
Authentication (IKEv1): AUTH-HMAC-XCBC-96                     Not Support
Applicable Packets
The packets to which this product applies the IPSec processing are those exchanged via the
following protocols.
TCP
UDP
ICMP
Specifications for Network Port
The network port used by the IPSec function is shown below:
Protocol  Port No.  Description
UDP       500       Used to receive and send keys when the ISAKMP protocol exchanges keys.
Specifications for Security Policy
The specifications for security policy are shown below:
Item                                     Value                       Remarks
Policy name                              1 to 24 characters in ASCII
Number of policies that can be registered  10                        The table area which controls policies is called the security policy database (SPD).
Menu Items in IPSec Setting Window
(Menu name / item name: remarks. Indentation shows the menu hierarchy; "[initial]" marks the initial setting.)
Use IPSec
  ON: Enables the IPSec function.
  OFF: Disables the IPSec function. [initial]
Receive Non-policy Packet
  Allow: Allows the packet which does not meet the policy. [initial]
  Reject: Rejects the packet which does not meet the policy.
Policy On/Off: Enables or disables the selected policy.
Regi.: Registers a new policy.
  Selector Settings: Sets the selector which works as a filter of IPSec.
    Local Address: Makes the filter setting of a packet when a local address exists in the packet.
      All IP Address: Targets IP addresses for all local addresses. [initial]
      All IPv4 Addresses: Targets all IPv4 addresses for its own local address.
      All IPv6 Addresses: Targets all IPv6 addresses for its own local address.
      IPv4 Manual Settings: Targets specified IPv4 addresses for its own local address.
        Single Address: Specifies a single address.
        Range Address: Specifies the range of addresses.
        Subnet Settings: Specifies addresses by the subnet.
      IPv6 Manual Settings: Targets specified IPv6 addresses for its own local address.
        Single Address: Specifies a single address.
        Range Address: Specifies the range of addresses.
        Subnet Settings: Specifies a prefix of addresses.
    Remote Address: Makes the filter setting of a packet when a remote address exists in the packet.
      All IP Address: Targets IP addresses for all remote addresses. [initial]
      All IPv4 Addresses: Targets all IPv4 addresses for its own remote address.
      All IPv6 Addresses: Targets all IPv6 addresses for its own remote address.
      IPv4 Manual Settings: Targets specified IPv4 addresses for its own remote address.
        Single Address: Specifies a single address.
        Range Address: Specifies the range of addresses.
        Subnet Settings: Specifies addresses by the subnet.
      IPv6 Manual Settings: Targets specified IPv6 addresses for its own remote address.
        Single Address: Specifies a single address.
        Range Address: Specifies the range of addresses.
        Subnet Settings: Specifies addresses by the subnet.
    Port: Makes the filter setting of a packet when a port number exists in the packet.
      Specify by Port Number: Makes the setting by manually specifying a port.
        Local Port: Specifies local ports.
          All Port: Targets all local ports. [initial]
          Single Settings: Specifies a target local port individually.
        Remote Port: Specifies remote ports.
          All Port: Targets all remote ports. [initial]
          Single Settings: Specifies a target remote port individually.
      Specify by Service Name: Makes the filter setting of a packet by specifying a service name.
        Service On/Off: Specifies On or Off for the 7 services "SMTP Receive", "SMTP Send", "HTTP Client", "HTTP Server", "POP3", "LDP", and "RAW".
  IKE Settings: Makes the settings related to IKE (key exchange protocol) of the security policy.
    IKE Mode: Sets the ISAKMP message exchange protocol.
      Main: Sets the ISAKMP message exchange protocol to the Main mode. [initial]
      Aggressive: Sets the ISAKMP message exchange protocol to the Aggressive mode.
    Authentication Method: Sets the authentication method of IKE.
      Pre-shared Key Method: Sets the authentication method of IKE to the pre-shared key method. [initial]
        Shared Key: Sets the shared key which is used as the pre-shared key of IKE.
      Digital Signature Method: Sets the authentication method of IKE to the digital signature method.
        Key and Certificate: Makes the settings related to digital signature.
          Key Settings: Sets the key which is used for digital signature.
          Certificate Details: Checks the information about the registered certificate.
    Authentication/Encryption Algorithm: Sets the authentication and encryption algorithms for IKE.
      Auto: Sets the authentication and encryption algorithms for IKE automatically. [initial]
      Manual Settings: Sets the authentication and encryption algorithms for IKE manually.
        Regi.: Registers the authentication and encryption algorithms.
          Authentication: Sets the authentication algorithm.
            SHA 1: Sets the authentication algorithm to SHA 1.
            MD 5: Sets the authentication algorithm to MD 5.
          Encryption: Sets the encryption algorithm.
            3 DES-CBC: Sets the encryption algorithm to 3 DES-CBC. [initial]
            AES-CBC: Sets the encryption algorithm to AES-CBC.
          DH Group: Sets the DH algorithm.
            Group1 (762): Sets the DH algorithm to Group 1.
            Group2 (1024): Sets the DH algorithm to Group 2. [initial]
            Group3 (2048): Sets the DH algorithm to Group 3.
        Edit: Edits the already registered authentication and encryption algorithms.
        Delete: Deletes the already registered authentication and encryption algorithms.
  IPSec Setting: Sets how to process the packet which satisfies the conditions specified by the selector.
    Validity: Sets the update validity of the SA of IPsec/IKE.
      Time: Sets the update validity of the SA of IPsec/IKE by time. [initial: 480]
      Size: Sets the update validity of the SA of IPsec/IKE by the file size. [initial: Not available]
    Connection Mode: Sets the connection mode in which IPsec is applied.
      Transport: Sets the connection mode of IPsec to the transport mode. [initial]
      IPv4 Tunnel: Not supported.
      IPv6 Tunnel: Not supported.
    PFS: Sets On/Off of Perfect Forward Secrecy (PFS) of IPsec.
      ON: Sets PFS of IPsec to On.
      OFF: Sets PFS of IPsec to Off. [initial]
    Auth./Encryption Algorithm: Sets the authentication and encryption algorithms.
      Auto: Sets the authentication and encryption algorithms automatically.
      Manual Settings: Sets the authentication and encryption algorithms manually.
        Regi.: Registers the authentication and encryption algorithms.
          ESP: Sets ESP as the authentication and encryption algorithm. [initial]
          AH: Sets AH as the authentication and encryption algorithm.
Edit: Edits the already registered policies. The items that can be edited are the same as those for registration.
Delete: Deletes the already registered policies.
Other Specications
Retry intervals
In the IKE negotiation, when no response is returned from the connection end, a retry is
made. The first retry interval can be set in the Service Mode. The second and later retries are
made at the intervals twice as long as the previous retry interval. The maximum interval is 10
sec.
Example: Setting values of the retry intervals and actual retry intervals
[Figure: retry timing over 0 to 35 sec for three settings of the first retry interval.
When the first retry interval is set to 1 sec, retries follow at intervals of 1, 2, 4, 8, 10, 10 ... sec (each interval twice as long as the previous one).
When it is set to 3 sec: 3, 6, 10, 10 ... sec.
When it is set to 7 sec: 7, 10, 10 ... sec.
Since the maximum interval is 10 sec, retries are made at 10-sec intervals hereafter.]
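The retry schedule above, as an added example that is not from the manual: a Python model of the doubling rule with the 10 sec cap, giving the intervals and the absolute retry times for any first-retry-interval setting. The function names and the `deadline` parameter are assumptions of this example.

```python
MAX_INTERVAL = 10   # sec: the maximum retry interval stated in the manual


def retry_intervals(first, count):
    """Intervals between successive IKE retries: the configured first interval,
    then twice the previous interval each time, capped at MAX_INTERVAL."""
    out, gap = [], first
    for _ in range(count):
        out.append(min(gap, MAX_INTERVAL))
        gap = min(gap * 2, MAX_INTERVAL)
    return out


def retry_times(first, count):
    """Absolute times (seconds after the original message) at which each retry is sent."""
    out, t = [], 0
    for gap in retry_intervals(first, count):
        t += gap
        out.append(t)
    return out


def retries_before(first, deadline):
    """How many retries are sent within `deadline` seconds of the original message
    (useful for estimating how long an unanswered negotiation keeps retrying)."""
    n, t, gap = 0, 0, first
    while True:
        t += min(gap, MAX_INTERVAL)
        if t > deadline:
            return n
        n += 1
        gap = min(gap * 2, MAX_INTERVAL)
```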
Restrictions
Notification of Deletion of SAD
When a Security Association (SA) of IPsec is established between an external device and this
device, a Security Association Database (SAD) is established between them.
If any of the following operations is performed in this state, the deletion of the policy needs to be
notified to the other end.
• One of the devices is shut down (the power is turned Off).
• The policy in question is disabled.
• The policy in question is deleted.
• The IPsec function is turned Off (disabled).
However, this device does not support this policy deletion notification function. If any of the
aforementioned operations is performed, the policy needs to be manually deleted from the SAD
at the other end.
Conflict with Sleep Function
When the sleep function of the device is enabled, if "Use IPSec" in the IPsec settings is set to
"On" (enabled), the device does not go into the sleep mode (S3 mode).
If the IPsec setting is set to "Off" (disabled), it goes into the sleep mode.
Link-Local Address
When you make selector settings that include a link-local address, IPsec is not applied to the
packets addressed to link-local addresses, and they are discarded. For instance, when "IPv6
Address" is selected in Local Selector Settings, the packets addressed to link-local addresses
are discarded.
In the case of manually specified addresses, those with the prefix "fe80" are considered
link-local addresses.
However, in the models after the iRA C5030/iRA C9075 Series, IPsec can be applied to IPv6 link-local
addresses.
Note that link-local addresses and global addresses cannot be specified at the same time.
For instance, all IPv6 addresses are considered global addresses; therefore fe80::xxxx,
::/0, 1111::xxxx, etc. cannot be assigned to them. If the local address is a link-local address,
the remote address also needs to be a link-local address.
When "IPv6 Address" is selected in Local Address, and "All IPv6 Address" in Remote
Address, IPsec is also applied to link-local addresses.
Certificate Method
When you select the certificate method in IKE, the specified key pair needs to be issued by
the same root certificate authority that issued the certificate of the other end of the IPsec
communication. Thus a key pair with a self-signed certificate has a different root, and the
negotiation fails.
Since the certificate validity period is checked, the devices need to have the time set beforehand using SNTP, etc.
Restrictions when Registering Multiple Policies
When the Mode Setting of IKEv1 is Main Mode, and multiple policies are registered with the
Pre-shared Key Method, the following restrictions apply due to the specification limits of
the IKEv1 protocol.
1) The same pre-shared key must be applied to all the policies in which a single address is
not specified as the remote address.
2) The policies in which a single address is not specified as the remote address must have
lower priority than those in which a single address is specified.
The tables below show the registration patterns.
Pattern 1: Combination in which no restrictions occur
priority  name  local address     local port  remote address    remote port  pre-shared key
1         aaa   All IPv4 Address  All Port    172.24.111.111    All Port     hoge
2         bbb   All IPv4 Address  All Port    172.24.222.222    All Port     hoge2
3         ccc   All IPv4 Address  9100        All IPv4 Address  All Port     hoge3
4         ddd   All IPv6 Address  9100        All IPv6 Address  All Port     hoge3
Pattern 2: Combination which violates the aforementioned restriction 1) (The items in blue are
violations.)
priority  name  local address     local port  remote address    remote port  pre-shared key
1         aaa   All IPv4 Address  All Port    172.24.111.111    All Port     hoge
2         bbb   All IPv4 Address  All Port    172.24.222.222    All Port     hoge2
3         ccc   All IPv4 Address  9100        All IPv4 Address  All Port     hoge3
4         ddd   All IPv6 Address  9100        All IPv6 Address  All Port     hoge4
Although the policies "ccc" and "ddd" do not specify a single address as the remote
address, different pre-shared keys are set for them.
Pattern 3: Combination which violates the aforementioned restriction 2) (The items in blue
are violations.)
priority  name  local address     local port  remote address    remote port  pre-shared key
1         aaa   All IPv4 Address  All Port    172.24.111.111    All Port     hoge
2         bbb   All IPv4 Address  9100        All IPv4 Address  All Port     hoge2
3         ccc   All IPv6 Address  9100        All IPv6 Address  All Port     hoge2
4         ddd   All IPv4 Address  All Port    172.24.222.222    All Port     hoge3
Although the policies "bbb" and "ccc" do not specify a single address as the remote
address, their priority is higher than that of "ddd".
Pattern 4: Combination which violates the aforementioned restriction 2) (The items in blue
are violations.)
priority  name  local address     local port  remote address          remote port  pre-shared key
1         aaa   All IPv4 Address  All Port    172.24.1.1/255.255.0.0  All Port     hoge
2         bbb   All IPv4 Address  9100        172.24.111.111          All Port     hoge2
Although the policy "aaa" does not specify a single address as the remote address (it specifies a subnet), its priority
is higher than that of "bbb".
The imageRUNNER 3225/3235/3245 JE version internally performs the following processing so
that the above restricted patterns cannot be registered.
Processing 1) Insert a policy at an appropriate priority when registering or editing it.
Processing 2) When a policy is registered, if a single address is not specified as the remote
address, and the specified pre-shared key is different from the one specified for the group,
the policy cannot be registered.
(imageRUNNER 3225/3235/3245 FIGS and later models)
Processing 3) When a policy is registered, if a single address is not specified as the remote
address, and the specified pre-shared key is different from the one specified for the group,
the pre-shared key of the latest policy is applied to all the pre-shared keys.
(imageRUNNER 3225/3235/3245 JE)
Processing 4) When the policy priority order is changed, a change of the order which does
not meet the restricted specifications cannot be made.
Internal processing when restricted patterns occur
The detailed operations of the aforementioned internal processing (Processing 1 to 4) are
explained below.
Automatic insertion of policy (Processing 1)
When a policy is newly registered or edited, the Remote Address setting is checked, and the
policy is inserted at an appropriate priority.
For instance, when a new policy (policy name "eee" in the table below) is registered on a
device in which several policies have already been registered, it is normally added at the
bottom. However, if adding it at the bottom would violate the restrictions because of its remote address setting, it is registered not at
the bottom but at an appropriate priority.
List of existing policies
policy priority  policy name  local address     local port  remote address    remote port  pre-shared key
1                aaa          All IPv4 Address  All Port    172.24.111.111    All Port     hoge
2                bbb          All IPv4 Address  All Port    172.24.222.222    All Port     hoge2
3                ccc          All IPv6 Address  9100        All IPv4 Address  All Port     hoge3
4                ddd          All IPv4 Address  9100        All IPv6 Address  All Port     hoge3
List of policies after registration
policy priority  policy name  local address     local port  remote address    remote port  pre-shared key
1                aaa          All IPv4 Address  All Port    172.24.111.111    All Port     hoge
2                bbb          All IPv4 Address  All Port    172.24.222.222    All Port     hoge2
3                eee          All IPv4 Address  All Port    172.24.133.133    All Port     hoge4
4                ccc          All IPv4 Address  9100        All IPv4 Address  All Port     hoge3
5                ddd          All IPv6 Address  9100        All IPv6 Address  All Port     hoge3
Prohibition of Registration (Processing 2)
When a policy is registered, if "Single Address" is specified in Remote Address, and the specified pre-shared key is different from the one specified for the group, the policy cannot be registered. (imageRUNNER 3225/3235/3245 FIGS or later)
When registering a new policy or editing an existing policy, if any option other than "Single Address" is selected in Remote Address, the policy cannot be registered if the specified pre-shared key is different from the one already registered for the group.
For example, when you register a new policy with the name "eee" and the pre-shared key "hoge4" to a device with the policies below, the policy violates the restrictions, and the registration fails.
List of existing policies
policy priority  policy name  local address     local port  remote address    remote port  pre-shared key
1                aaa          All IPv4 Address  All Port    172.24.111.111    All Port     hoge
2                bbb          All IPv4 Address  All Port    172.24.222.222    All Port     hoge2
3                ccc          All IPv4 Address  9100        All IPv4 Address  All Port     hoge3
4                ddd          All IPv6 Address  9100        All IPv6 Address  All Port     hoge3
Policy that you attempt to newly register
policy name  local address     local port  remote address  remote port  pre-shared key
eee          All IPv6 Address  80          172.24.133.133  All Port     hoge4
When you attempt to register the above policy, the following message appears: "Check the settings. When Pre-shared Key Method for AUTH Method is set to other than a single address, the shared key characters must be the same when registering multiple policies."
Unification of pre-shared key (Processing 3)
When a policy is registered, if a single address is not specified as the remote address, and the specified pre-shared key is different from the one specified for the group, the pre-shared key of the latest policy is applied to all the pre-shared keys. (imageRUNNER 3225/3235/3245 JE)
When a new policy is registered or an existing policy is edited, if any option other than "Single Address" is specified in Remote Address, a message appears asking whether or not to use the same pre-shared key for all the registered policies. If you agree, the pre-shared key of the last registered policy is applied to all the pre-shared keys of the policies whose remote address is specified by group.
For example, when you register a new policy with the name "eee" and the pre-shared key "hoge4" to a device with the policies below, all the pre-shared keys of the policies whose remote address is not a single address are unified.
List of existing policies
policy priority  policy name  local address     local port  remote address    remote port  pre-shared key
1                aaa          All IPv4 Address  All Port    172.24.111.111    All Port     hoge
2                bbb          All IPv4 Address  All Port    172.24.222.222    All Port     hoge2
3                ccc          All IPv4 Address  9100        All IPv4 Address  All Port     hoge3
4                ddd          All IPv6 Address  9100        All IPv6 Address  All Port     hoge3
List of policies after registration
policy priority  policy name  local address     local port  remote address    remote port  pre-shared key
1                aaa          All IPv4 Address  All Port    172.24.111.111    All Port     hoge
2                bbb          All IPv4 Address  All Port    172.24.222.222    All Port     hoge2
3                ccc          All IPv4 Address  9100        All IPv4 Address  All Port     hoge4
4                ddd          All IPv6 Address  9100        All IPv6 Address  All Port     hoge4
5                eee          All IPv6 Address  80          All IPv6 Address  All Port     hoge4
Prohibition of change of the policy order (Processing 4)
When you change the priority order of policies, a change of order that violates the restricted specifications is prohibited.
For instance, when the policies given in the table below are already registered, if you attempt to move the policy "bbb" to a lower position using "Lower Priority", it violates the restrictions, and the attempt fails.
policy priority  policy name  local address     local port  remote address    remote port  pre-shared key
1                aaa          All IPv4 Address  All Port    172.24.111.111    All Port     hoge
2                bbb          All IPv4 Address  All Port    172.24.222.222    All Port     hoge2
3                ccc          All IPv4 Address  9100        All IPv4 Address  All Port     hoge3
4                ddd          All IPv6 Address  9100        All IPv6 Address  All Port     hoge3
On imageRUNNER 3225/3235/3245 FIGS and later devices, if you attempt to change the order of policies against the restrictions, the following message appears: "When Pre-shared Key Method is set for AUTH Method, a policy with a single remote address cannot a lower priority than other policies."
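As an added example (not Canon's firmware), the following Python models the four processing rules above on the manual's sample policy list: a single remote address is a plain host address, anything else counts as a group; group-address policies must share one pre-shared key and sit below every single-address policy. The `model` switch ("FIGS" rejects, "JE" unifies), the class and function names and the exception texts are this example's own.

```python
"""Model of the policy-list (SPD) restrictions for pre-shared key policies.

Added example, not Canon firmware. It assumes a remote address is "single"
when it is a plain host address and a "group" when it is "All ..." or a
range/mask; group-address policies must share one pre-shared key and must
sit below every single-address policy. Sample policies mirror the manual.
"""
from dataclasses import dataclass, replace
from typing import Callable, List, Optional

MAX_POLICIES = 10  # the SPD holds at most 10 policies


@dataclass(frozen=True)
class Policy:
    name: str
    local_addr: str
    local_port: str
    remote_addr: str
    remote_port: str
    psk: str

    def single_remote(self) -> bool:
        """True for a plain host address; "All ..." selectors and masks/ranges are groups."""
        a = self.remote_addr
        return not a.startswith("All ") and "/" not in a and "-" not in a


class PolicyError(Exception):
    pass


def group_psk(policies: List[Policy]) -> Optional[str]:
    """Pre-shared key used by the group-address policies (None if there are none)."""
    return next((p.psk for p in policies if not p.single_remote()), None)


def order_is_valid(policies: List[Policy]) -> bool:
    """Restriction: a single-address policy may never sit below a group-address policy."""
    seen_group = False
    for p in policies:
        if p.single_remote() and seen_group:
            return False
        seen_group = seen_group or not p.single_remote()
    return True


def register(policies: List[Policy], new: Policy, model: str = "FIGS",
             agree_to_unify: Callable[[], bool] = lambda: True) -> List[Policy]:
    """Processing 1-3: insert at the right priority and enforce the group PSK rule."""
    if len(policies) >= MAX_POLICIES:
        raise PolicyError("up to 10 policies can be registered")
    if new.single_remote():
        # Processing 1: a single-address policy is inserted just above the first
        # group-address policy instead of at the bottom of the list.
        idx = next((i for i, p in enumerate(policies) if not p.single_remote()), len(policies))
        return policies[:idx] + [new] + policies[idx:]
    current = group_psk(policies)
    if current is not None and current != new.psk:
        if model == "FIGS":
            # Processing 2 (FIGS and later): registration is refused.
            raise PolicyError("pre-shared key differs from the key of the existing group policies")
        if not agree_to_unify():
            raise PolicyError("registration cancelled by the operator")
        # Processing 3 (JE): the latest policy's key replaces every group-address key.
        policies = [p if p.single_remote() else replace(p, psk=new.psk) for p in policies]
    return policies + [new]


def lower_priority(policies: List[Policy], name: str) -> List[Policy]:
    """Processing 4: "Lower Priority" swaps a policy with the one below it,
    unless the resulting order would break the restriction."""
    i = next(i for i, p in enumerate(policies) if p.name == name)
    if i == len(policies) - 1:
        return policies  # already at the bottom
    swapped = policies[:]
    swapped[i], swapped[i + 1] = swapped[i + 1], swapped[i]
    if not order_is_valid(swapped):
        raise PolicyError("a single-remote-address policy cannot be placed below a group policy")
    return swapped


# Existing policies, as in the manual's "List of existing policies" tables.
EXISTING = [
    Policy("aaa", "All IPv4 Address", "All Port", "172.24.111.111", "All Port", "hoge"),
    Policy("bbb", "All IPv4 Address", "All Port", "172.24.222.222", "All Port", "hoge2"),
    Policy("ccc", "All IPv4 Address", "9100", "All IPv4 Address", "All Port", "hoge3"),
    Policy("ddd", "All IPv6 Address", "9100", "All IPv6 Address", "All Port", "hoge3"),
]
# Constructed new policies: one with a single remote address, one with a group and a new key.
EEE_SINGLE = Policy("eee", "All IPv4 Address", "All Port", "172.24.133.133", "All Port", "hoge4")
EEE_GROUP = Policy("eee", "All IPv6 Address", "80", "All IPv6 Address", "All Port", "hoge4")


def names(policies: List[Policy]) -> List[str]:
    return [p.name for p in policies]


if __name__ == "__main__":
    print(names(register(EXISTING, EEE_SINGLE)))  # eee lands at priority 3
    print([p.psk for p in register(EXISTING, EEE_GROUP, model="JE")])  # ccc/ddd take hoge4
    for action in (lambda: register(EXISTING, EEE_GROUP), lambda: lower_priority(EXISTING, "bbb")):
        try:
            action()
        except PolicyError as e:
            print("rejected:", e)
```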
Settings
Settings Window
Registration/Edit Window
Selector Settings Window
IKE Settings
IPSec Network Settings
Settings Window
The IPSec settings are made in the system control window on the operation panel of the device.
Path to IPSec Settings window
The path to the IPSec Settings window is shown below:
User Mode (Top) > Preference > Network > TCP/IP Settings > IPSec Settings
IPSec Settings window
In the IPSec Settings window, you can set whether or not to use IPSec, the policies to which IPSec is applied, their priority, etc.
[Use IPSec]
This item is used to set whether or not to use the IPSec function. The default setting is "Off".
[Receive Non-policy Packets]
This item is used to set whether to allow or reject a packet which does not match any of the registered policies. The default setting is "Allow".
[Policy List]
With this product, up to 10 policies can be registered in a device. The table area which manages the policies in a device is called the Security Policy Database (SPD).
The policy list shows the registered policies.
The specifications for the policy list are given below:
• Up to 10 policies can be registered and displayed.
• Even when no policy is registered, the priority numbers from 1 to 10 are displayed.
• When a policy is registered, it is added at the bottom of the list.
• When a packet is received, the policies are checked in ascending order of priority to determine whether one applies.
• When a registered policy is deleted, the policies with lower priority are moved up.
• To set a policy On/Off, select the policy and press "Policy On/Off".
• Although up to 24 ASCII characters can be set as a policy name, the whole name might not be displayed in the list.
• To set the priority order of policies, select a policy and press "Raise Priority" or "Lower Priority".
[Policy On/Off]
This item is used to set "On" or "Off" to the status of the policy selected in the list.
[Regi.]
Press this item to create or register a new policy.
For information on the policy registration window, see "Registration/Edit Window. "
[Edit]
Press this item to edit the policy selected in the list.
For information on the policy registration window, see "Registration/Edit Window. "
[Delete]
Press this item to delete the policy selected in the list.
For information on the policy registration window, see "Registration/Edit Window. "
[Print List]
This item is used to print out the settings of a registered policy.
Print sample
********************************* IPSec Policy List *********************************
Priority:1 ON
Policy Name Policy-1
Selector Settings
  Local Address All IPv4 Addresses
  Remote Address All IP Addresses
Port
  Local Port All Port
  Remote Port All Port
IKE Settings
  IKE Mode Main
  Authentication Method Digital sig. Method
  Auth./Encryption Algorithm Auto
IPSec Network Settings
  Validity Time ON 480 min  Size ON 10 MB
  PFS OFF
  Auth./Encryption Algorithm Auto
  Connect. Mode Transport
Priority:2 ON
Policy Name Policy-2
Selector Settings
  Local Address All IP addresses
2009 03/16 MON 11:46 iR-ADV C5051 001
Registration/Edit Window
In the registration/edit window, the policies used by IPSec are registered or edited.
Path to Registration/Edit Window
The path to the registration/edit window is shown below:
User Mode (Top) > Preference > Network > TCP/IP Settings > IPSec Settings > Regi. or > Edit
("Edit" must be pressed while a policy is selected.)
Policy Name
This item is used to set a policy name.
Selector Settings
This item is used to set a selector.
When you press "Selector", the Selector Settings window appears. For more details, see Selector Settings Window.
IKE Settings
In this window, the ISAKMP message exchange protocol (IKE mode) and authentication
method are set. For more details, see IKE Settings.
IPSec Settings
In this window, the IPSec communication settings are made. For more details, see IPSec
Network Settings.
Selector Settings Window
In the Selector Settings window, the conditions that determine the processing applied to a packet are set.
The conditions are the start-point IP address, end-point IP address, protocol, destination port, etc. A communication packet which satisfies these conditions is selected.
Path to Selector Settings Window
The path to the selector edit window is shown below:
User Mode (Top) > Preference > Network > TCP/IP Settings > IPSec Settings > Regi. or > Edit > Selector Settings
Local Address Settings/Remote Address Settings
These items are used to set whether or not to target the start-point address and end-point address in communication packets.
All IP Address
Select this option when you target all local addresses.
All IPv4 Addresses
Select this option when you target the packets which have a local IPv4 address as the start-point address or end-point address.
All IPv6 Addresses
Select this option when you target the packets which have a local IPv6 address as the start-point address or end-point address.
IPv4 Manual Settings
Select this option when you specify a specific IPv4 address or a range of IPv4 addresses. When you press this option, the setting window opens.
IPv6 Manual Settings
Select this option when you specify a specific IPv6 address or a range of IPv6 addresses. When you press this option, the setting window opens.
Port Settings
This item is used to set whether or not to apply IPSec to the packets which include a specific port (or service).
Specify by Port Number
Select this option when you specify a specific port number. When you press this item, the setting window opens.
In Local Port or Remote Port, select "All Ports" or "Specify Port".
When you specify a port (Specify Port), enter a port number.
Specify by Service Name
Select this option when you specify packets not by a port number but by a service name. When you press this item, the setting window opens.
Set On or Off for each of the seven services: "SMTP Receive", "SMTP Send", "HTTP Client", "HTTP Server", "POP3", "LDP", and "RAW".
IKE Settings
This item is used to make the settings related to key exchange protocols.
Path to IKE Settings Window
The path to the IKE edit window is shown below:
User Mode (Top) > Preference > Network > TCP/IP Settings > IPSec Settings > Regi. or > Edit > IKE Settings
Mode
This item is used to specify the mode used to exchange ISAKMP messages when the IKE SA is created in IKE Phase 1.
The available modes are main mode and aggressive mode.
The differences between main mode and aggressive mode in IKE Phase 1 are shown in the table below.
Mode             Description
Main mode        Phase 1 is finished after three sets of transmission and reception of ISAKMP messages.
                 1st and 2nd messages: negotiation of ISAKMP SA parameters
                 3rd and 4th messages: exchange of parameters for key calculation, and execution of key calculation
                 5th and 6th messages: authentication of the IPSec communication end (device)
Aggressive mode  The encryption process upon authentication is omitted, and Phase 1 is finished after one and a half sets of transmission and reception of ISAKMP messages. While this mode can finish Phase 1 faster than main mode, restrictions occur on negotiation of the SA. On the other hand, it eases the restrictions of main mode.
[Figure: IKE Phase 1 (main mode). The ISAKMP SA is generated, and the exchange by IKE is encrypted.]
1. Proposal and selection of conditions: the initiator proposes several conditions, including the algorithm and the lifetime of the key.
2. Determination of the SA condition: the responder selects one of the conditions.
3. Exchange of key by DH: each side creates and sends a numeric value which is used as a key element.
4. Creation of key.
5. Authentication between devices: each side sends its ID and pass phrase, etc.
6. Verification that the other end is legitimate.
Authentication Method
The IPSec function uses two authentication methods for IKE Phase 1: one is pre-shared key authentication, and the other is digital signature authentication.
Pre-shared Key Method
Select this option when you authenticate using a pre-shared key. Input the key to be shared in the Shared Key input field.
Digital Sig. Method
Select this option when you authenticate not with a pre-shared key but with a digital signature.
Auth./Encryption Algorithm
This item is used to set the authentication and encryption algorithms.
Manual Settings of authentication and encryption algorithms
This option is used to manually set the authentication and encryption algorithms of IKE.
Select one or more authentication algorithms from SHA1 and MD5. You can select both.
Select one or more encryption algorithms from 3DES-CBC and AES-CBC. You can select both.
Select one DH group from Group1 (762), Group2 (1024), and Group3 (2048).
Auto Settings of authentication and encryption algorithms
When you select the Auto settings of the authentication and encryption algorithms for IKE, the IKE SA negotiates algorithm patterns in accordance with the priority given below.
Priority  Authentication  Encryption  DH
1         SHA1            AES(128)    2
2         MD5             AES(128)    2
3         SHA1            AES(192)    2
4         MD5             AES(192)    2
5         SHA1            AES(256)    2
6         MD5             AES(256)    2
7         SHA1            3DES        2
8         MD5             3DES        2
IPSec Network Settings
This item is used to make the settings related to the IPSec network.
Validity
This item is used to set the update validity (lifetime) of the Security Association (SA) of IPsec/IKE.
The validity specified in this setting is applied both to the update period of the IPsec SA and to that of the IKE SA.
The validity is specified in minutes or in MB. The settable range is 1 to 65535 minutes or 1 to 65535 MB. In the initial setting, Time is set to 480 minutes (8 hours), and Size is not specified.
You cannot specify "0" for Time or Size.
In Validity, either Size or Time needs to be specified.
When both are specified, the SA is invalidated as soon as either limit is reached. IPsec communication within the validity can exchange ESP packets without a new key exchange negotiation.
Negotiation of the validity varies according to the setting at the host of the other end. For instance, if a validity shorter than the one set in a host is proposed during IKE Phase 1, the host may reject the negotiation.
[Figure: IKE Phase 1 between Host computer A (Initiator) and Host computer B (Responder). Host A proposes, as the condition, a validity setting shorter than the validity set in host B; since the proposed condition is shorter than the validity set in host B, host B rejects the negotiation.]
In communication between devices which support this product, the validity at the initiator* is used.
* A node which performs IKE communication is called an IKE peer; the side which issues an IKE request is called the initiator, and the side which receives the request is called the responder.
PFS
When a shared key is leaked to a malicious third party, there is a risk that they might be able to predict the keys to be generated. Enabling Perfect Forward Secrecy (PFS) prevents third parties from predicting the keys to be generated even if they obtain a shared secret key.
Although the load upon key exchange increases if PFS is enabled, confidentiality is enhanced.
The initial setting of PFS is "Off".
The same PFS setting must be set on the hosts between which negotiations are made.
Therefore, when the PFS setting is set to On, that of the other end must be set to On as well.
Authentication/Encryption Algorithm
This item is used to set the authentication and encryption algorithms in the IPSec network.
You can select Auto Settings or Manual Settings.
Manual Settings of Authentication/Encryption Algorithm
This option is used to set the authentication and encryption algorithms manually.
First of all, select ESP, which performs authentication and encryption of packets, or AH, which performs only authentication of packets.
1) When ESP is selected
The ESP authentication algorithm and ESP encryption algorithm are set.
Select the authentication algorithm from MD5, SHA1, and NULL. You can select both MD5 and SHA1 at the same time. In the initial setting, SHA1 is selected.
Select the encryption algorithm from 3DES-CBC, AES-CBC, and NULL. You can select both 3DES-CBC and AES-CBC at the same time. In the initial setting, 3DES-CBC is selected.
You cannot set NULL for both ESP authentication and ESP encryption.
2) When AH is selected
Select one or more AH authentication algorithms from SHA1 and MD5. If you do not select either, the OK button is disabled (grayed out), and you cannot finish the setting.
Auto Settings of authentication and encryption algorithms
When you select the Auto settings of the authentication and encryption algorithms for the IPSec Network, the IPSec SA negotiates algorithm patterns in accordance with the priority given below. Servers (responders) also wait in the same priority order.
Priority  AH    ESP authentication  ESP encryption
1         NULL  SHA1                AES (128)
2         NULL  MD5                 AES (128)
3         NULL  SHA1                AES (192)
4         NULL  MD5                 AES (192)
5         NULL  SHA1                AES (256)
6         NULL  MD5                 AES (256)
7         NULL  SHA1                3DES
8         NULL  MD5                 3DES
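The two Auto priority tables (IKE Phase 1 above under IKE Settings, and the IPSec SA table just shown) imply which pattern two peers end up with when one side is on Auto and the other on Manual settings. The following Python is an added example, not Canon's implementation: it walks each table in priority order and stops at the first pattern the peer's Manual selection accepts, so a peer fixed to DH Group1, or to AH, never matches because Auto offers only DH group 2 and AH = NULL. The peer-model functions and the `ENC_COVERS` mapping are this example's own.

```python
"""Negotiation order implied by the two Auto-setting priority tables.

Added example, not Canon's implementation. It assumes the initiator offers
the Auto patterns in table order and the peer accepts the first one it also
supports. The peer models are constructed from the Manual-setting choices the
manual lists (SHA1/MD5, 3DES-CBC/AES-CBC, DH Group1/2/3; ESP or AH).
"""
from typing import Callable, Iterable, List, Optional, Sequence, Set, Tuple

# IKE Phase 1 Auto patterns in priority order: (authentication, encryption, DH group)
IKE_AUTO: List[Tuple[str, str, int]] = [
    ("SHA1", "AES(128)", 2), ("MD5", "AES(128)", 2),
    ("SHA1", "AES(192)", 2), ("MD5", "AES(192)", 2),
    ("SHA1", "AES(256)", 2), ("MD5", "AES(256)", 2),
    ("SHA1", "3DES", 2),     ("MD5", "3DES", 2),
]

# IPSec (Phase 2) Auto patterns in priority order: (AH, ESP authentication, ESP encryption)
IPSEC_AUTO: List[Tuple[str, str, str]] = [
    ("NULL", "SHA1", "AES(128)"), ("NULL", "MD5", "AES(128)"),
    ("NULL", "SHA1", "AES(192)"), ("NULL", "MD5", "AES(192)"),
    ("NULL", "SHA1", "AES(256)"), ("NULL", "MD5", "AES(256)"),
    ("NULL", "SHA1", "3DES"),     ("NULL", "MD5", "3DES"),
]

# A Manual-setting encryption choice covers these Auto-table entries (assumed mapping).
ENC_COVERS = {"AES-CBC": {"AES(128)", "AES(192)", "AES(256)"}, "3DES-CBC": {"3DES"}, "NULL": {"NULL"}}


def negotiate(proposals: Sequence[tuple],
              peer_accepts: Callable[[tuple], bool]) -> Optional[Tuple[int, tuple]]:
    """Walk the Auto list in priority order; return (priority, pattern) of the
    first pattern the peer accepts, or None when no SA can be agreed."""
    for prio, pat in enumerate(proposals, start=1):
        if peer_accepts(pat):
            return prio, pat
    return None


def enc_set(choices: Iterable[str]) -> Set[str]:
    return set().union(*(ENC_COVERS[c] for c in choices))


def ike_manual_peer(auth: Set[str], enc: Set[str], dh_groups: Set[int]) -> Callable[[tuple], bool]:
    """Peer with Manual IKE settings: a pattern is acceptable only if its
    authentication, encryption and DH group are all enabled on that peer."""
    allowed = enc_set(enc)
    return lambda p: p[0] in auth and p[1] in allowed and p[2] in dh_groups


def ipsec_manual_peer(use_esp: bool, auth: Set[str], enc: Set[str]) -> Callable[[tuple], bool]:
    """Peer with Manual IPSec settings. The Auto table proposes ESP only
    (AH is NULL in every row), so an AH-only peer can never match."""
    if not use_esp:
        return lambda p: False
    allowed = enc_set(enc)
    return lambda p: p[0] == "NULL" and p[1] in auth and p[2] in allowed


if __name__ == "__main__":
    # Peer restricted to SHA1 + 3DES-CBC + Group2 settles on the 7th IKE pattern.
    print(negotiate(IKE_AUTO, ike_manual_peer({"SHA1"}, {"3DES-CBC"}, {2})))
    # Peer fixed to DH Group1 never matches: Auto proposes Group2 only.
    print(negotiate(IKE_AUTO, ike_manual_peer({"SHA1", "MD5"}, {"AES-CBC", "3DES-CBC"}, {1})))
    # Phase 2: MD5-only peer with AES-CBC lands on the 2nd pattern.
    print(negotiate(IPSEC_AUTO, ipsec_manual_peer(True, {"MD5"}, {"AES-CBC"})))
```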
Connection Mode
This item is used to display the IPSec connection mode.
This function supports the transport mode only, and therefore "Transport" is displayed.
Installation
Installation/Settings Procedure
IPSec settings and operation check
Installation/Settings Procedure
Flow of installation settings for basic IPSec
The flow of basic IPSec settings is as follows.
Review of security policy
To install IPSec on the network, review which packets IPSec is to be applied to.
1) Decide between which hosts the IPSec process is applied to the communication.
2) Decide which protocols and ports the IPSec process is applied to.
3) Decide how to handle the packets other than the foregoing packets.
4) Decide whether to execute packet authentication only, or both authentication and encryption.
5) Decide which authentication method and encryption algorithm to use.
Etc.
In principle, the user reviews the security policy for the network at the user site.
Security policy settings
According to the security policy reviewed above, make the IPSec settings on the device and on the host that will be the device's IPSec communication partner.
Operation check
Establish a communication and check whether the specified IPSec function operates properly.
Points to note at installation
When specifying IPSec settings, note that the IPSec peers negotiate with each other to decide how to establish the IPSec communication (port number, etc.). Thus, a common selector setting should be specified on each host.
Take the case of IPSec communication between a Windows PC and this device: if the remote UI (local port 80, remote port all ports) is specified on this device, then on the Windows side the "TCP" protocol must be selected, "From any port" must be specified as the source port, and port "80" must be specified as the destination port; otherwise, negotiation fails. (Negotiation fails even if "From any port" is specified, when "all ports" etc. is specified as the destination port.)
IPSec settings and operation check
Make the IPSec settings on the PC that will be the communication partner of the device on which IPSec is specified.
Here, the installation procedure for a simple configuration is outlined.
Example of configuration
IPSec settings are specified for 1 PC and 1 iR device, and the operation is checked.
[Figure: the PC sends a print document to the iR device as encrypted data.]
Setting procedure on device side
The procedure for the device IPSec settings is as follows.
1. Create a security policy.
Create a security policy with the following contents.
1) Enable IPSec and register the policy.
Use IPSec : ON
Receive Non-policy Packets : Allow
2) Register the Policy Name.
3) Selector Settings
Local Address : All IP addresses
Remote Address : All IP addresses
Port > Specify by Port Number : All Ports
4) IKE Settings
IKE Mode : Main
Authentication Method : Pre-shared Key Method
Shared Key : canon (any)
Auth./Encryption Algorithm : Auto
5) IPSec Network Settings
Validity : 480 min (default)
         : 0 MB (default)
PFS : OFF
Auth./Encryption Algorithm : Auto
Connect. Mode : Transport (fixed)
2. Enable the security policy.
Enable the security policy (Policy-1) created in step 1.
Setting procedure on PC side
The PC settings (Windows Server 2003) are as follows.
1. Console registration
1) Select [Run...] from the Start menu, input mmc in [Open], and then click the [OK] button.
2) When the console is displayed, select [Add/Remove Snap-in...] from the File menu.
3) Click the [Add...] button.
4) Select [IP Security Policy Management] and click the [Add] button.
5) Select [Local Computer] and click the [Finish] button.
6) Click [Close] button.
7) Make sure that "IP Security Policy on Local Computer" is displayed and click [OK] button.
2. Registration of IP Security Policy
1) Right click [IP Security Policy on Local Computer] on the console and select [Create IP
Security Policy…].
2) When IP Security Policy Wizard is started, click [Next] button.
3) Enter the IP Security Policy name and click [Next] button.
4) Untick [Activate the default response rule..] and click [Next] button.
5) When a wizard is completed, click [Finish] button.
6) When IP Security Policy properties is displayed, click [Add..] button.
7) When the Security Rule Wizard is started, click the [Next] button.
8) Select [This rule does not specify a tunnel] and click the [Next] button.
9) Select [All network connections] and click the [Next] button.
10) Select [All IP traffic..] and click the [Edit..] button.
11) Give the filter a name and click the [Edit..] button.
12) Display the [Addresses] tab and select [Any IP Address] for both [Source address] and [Destination address].
13) Display the [Protocol] tab and select [Any] in [Select a protocol type].
14) Display the [Description] tab, input a comment for identification (arbitrary), and click the [OK] button.
15) Click the [OK] button.
16) Click the [Next] button.
17) Select [Require Security] and click the [Next] button.
18) Select [Use this string to protect the key exchange (pre-shared key)], enter the pre-shared key specified on the device side into the entry field, and click the [Next] button.
19) Click [Finish] button.
20) Click [OK] button.
21) Click [OK] button.
3. Application of the security policy.
1) Right click the created policy and select [Assign].
MEMO: If the settings of the currently assigned policy have been changed, it is necessary to un-assign the policy and assign it again.
Operation check
1. Send a ping from a PC to a device.
If IPSec is enabled, [Negotiating IP Security] is displayed the first time a ping is sent, and there is a reply the second time or later.
[Screenshot: example of success]
If the IPSec key exchange has failed, all results are [Negotiating IP Security] (including the case where the receiver does not support IPSec).
[Screenshot: example of failure]
2. Check with network capture software.
Here, the operation check method using the free software [Wireshark] is described.
1) Install Wireshark.
The source of the installer and the installation method are omitted.
2) Start Wireshark.
3) Click the [Show the Capture Options] button.
4) Select the PC network card in [Interface] and click the [Start] button.
5) Establish a communication, either by sending a print job from the PC to the device, by sending a ping, or by displaying the device's remote UI, etc.
If ESP is displayed in [Protocol], the packets have been encrypted with ESP.
Maintenance
FAQ
Troubleshooting
FAQ
About the connection mode
Q. Does this product support the tunnel mode as a connection mode in which IPSec is
applied?
A. No. The tunnel mode is not supported.
This product supports the transport mode only, which makes peer-to-peer IPSec
communication.
About IPSec network settings
Q. What does the validity refer to?
A. It refers to the update validity of SA of IPSec and IKE.
About protocols
Q. In what environment is unencrypted AH used?
A. It is used in the environment where encryption cannot be used.
In some environments, encryption of data is not permitted. In such a case, AH is used.
Conflict with IP filter
Q. What operation is performed when a conflict occurs with the settings of the IP filter, which is a built-in function of the device?
A. IPsec has a setting that discards the packets to which IPsec is not applied. The IP filter, which is a built-in function of the device, also discards the packets which do not satisfy the filter settings.
Q. When the IPsec settings and IP filter settings overlap, which settings have priority?
A. When both IPSec and the IP filter are set, at reception they are applied in the order IPSec, then IP filter. At transmission they are applied in the order IP filter, then IPSec.
Troubleshooting
Q. Negotiation fails.
A. Check that the port setting of the security policy is the same on both devices.
In IPSec, the port setting in the security policy settings must be the same on both sides.
For instance, negotiation fails if Protocol is set to TCP and Port is set to All Port in the settings of this device, whereas Protocol is set to TCP and Port is set to 80 in the settings of the other device.
Q. No debug log file is found.
Although I made the setting to obtain debug logs in the Service Mode, I found no log file when I accessed the specified path.
A. Debug logs are deleted when the device is turned Off and On.
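The "Points to note at installation" section and the FAQ answer above both come down to one check: the two peers' selectors must be mirror images of each other, and a wildcard port on one side does not cover a specific port on the other. As an added example (not Canon's code), the following Python performs that check on selectors constructed from the manual's Remote UI case (device local port 80, Windows "From any port" to port 80); the `Selector` class, the wildcard spellings and the field labels are this example's own.

```python
"""Mirror check for IPSec selector settings between two peers.

Added example, not Canon's code. Each selector is written from its owner's
point of view (local/remote address and port). Peer B's local side must equal
peer A's remote side and vice versa; a wildcard ("All Port", "From any port")
does not cover a specific port on the other side. The sample selectors are
constructed from the manual's Remote UI example.
"""
from dataclasses import dataclass
from typing import List

# Spellings the two user interfaces use for "anything"; all normalised to "*".
WILDCARDS = {"all ip address", "all ip addresses", "any ip address", "any",
             "all port", "all ports", "from any port", "to any port"}


def norm(value: str) -> str:
    v = value.strip().lower()
    return "*" if v in WILDCARDS else v


@dataclass(frozen=True)
class Selector:
    protocol: str
    local_addr: str
    local_port: str
    remote_addr: str
    remote_port: str


def mirror_mismatches(a: Selector, b: Selector) -> List[str]:
    """Fields that keep a and b from being mirror images of each other.
    An empty list means the selectors can be negotiated."""
    pairs = [
        ("protocol", a.protocol, b.protocol),
        ("a.local_addr vs b.remote_addr", a.local_addr, b.remote_addr),
        ("a.local_port vs b.remote_port", a.local_port, b.remote_port),
        ("a.remote_addr vs b.local_addr", a.remote_addr, b.local_addr),
        ("a.remote_port vs b.local_port", a.remote_port, b.local_port),
    ]
    # Exact equality after normalisation: "*" on one side and "80" on the
    # other is a mismatch, which is exactly the manual's failing case.
    return [f"{label}: {x!r} != {y!r}" for label, x, y in pairs if norm(x) != norm(y)]


# Device side: Remote UI policy, local port 80, remote port all ports.
DEVICE_REMOTE_UI = Selector("TCP", "All IP Address", "80", "All IP Address", "All Port")
# Windows filter as the PC sees it: source (local) any port, destination (remote) port 80.
WINDOWS_OK = Selector("TCP", "Any IP Address", "From any port", "Any IP Address", "80")
# Same filter with "to any port" as destination: negotiation fails.
WINDOWS_BAD = Selector("TCP", "Any IP Address", "From any port", "Any IP Address", "To any port")

if __name__ == "__main__":
    print(mirror_mismatches(DEVICE_REMOTE_UI, WINDOWS_OK))   # []
    print(mirror_mismatches(DEVICE_REMOTE_UI, WINDOWS_BAD))  # one port mismatch
```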
Service Mode
IPSec Security Board Status Check Test
Deletion of All Registered Policies
Acquisition of Debug Logs
IPSec Security Board Status Check Test
You can execute tests to check the IPSec security board status from the Service Mode.
The following two tests are available:
• Interrupt mode test: Creates pseudo packets and tests the chip processing.
• Poll mode test: Tests the performance of the chip.
Procedure for IPSec Security Board Status Check Test
The procedure to execute the tests to check the status of the IPSec security board is explained below.
1) Press copier > test > network in the Service Mode (Level 1).
2) Select (press) IPSECINT (Interrupt mode test) or IPSECPOL (Poll mode test) and press the "OK" button.
• While the test is being executed, "ACTIVE" blinks on the display.
• Be sure to execute both tests. Each test takes approx. 3 minutes.
3) Check the test result when it is displayed.
Normal completion: "OK!"
Failed: "NG"
If either of the tests fails, the IPsec function does not work. When the result of either test is
NG (failed), check if the accelerator is connected properly, and execute the test again.
If the result of the retry is also NG (failed), it is considered as a chip failure.
Deletion of All Registered Policies
You can delete all the policies registered in a device and initialize it.
This function should be used only in emergency cases, such as when there is an inconsistency
between registered policies.
Procedure to Delete All Registered Policies
1) Press copier > option > body in the Service Mode (Level 2).
2) Input 1 in the SPDALDEL field and press "OK".
3) Restart the device.
When the device is restarted, all the registered policies are deleted, and the device is
initialized.
4) Open the IPSec settings window and check that all the registered policies have been deleted.
5) Log in to the Service Mode again and reset the value of SPDALDEL to "0".
Acquisition of Debug Logs
Debug logs are prepared for those who are in charge of product development, and the
information on the logs is not disclosed to the users.
Acquisition of debug logs is made at the direction of a support division of Sales Companies
or a development division of Canon Inc. when a failure which cannot be dealt with on site
occurs.
A service person does not need to check or evaluate debug logs at a user site.
Since IPSec runs in a process separate from the boot process, its log information
is not kept in the sub log.
Therefore, the setting to keep the IPSec logs must be made in the Service Mode.
Procedure to Obtain Debug Logs
1) Press copier > option > body in the Service Mode (Level 2).
2) Input the level of logs that you want to obtain in the IPSDEBLV field and press "OK". (The
initial setting is "0".)
3) Restart the device.
4) Perform the operation whose log you want to obtain.
5) Connect a PC on which SST is activated to the device, and obtain the log file from the
following path:
/APL_LOG/ipsec/ipseclog.txt
6) Restart the device again and check that the IPSDEBLV setting in the Service Mode has
returned to the initial value (0).
Although the settable range of the log level is 0 to 10, 8 is the highest log level (9 and 10 are
the same level as 8).
The setting is enabled after the device is restarted. The setting value is automatically returned
to 0 by internal processing after the device is restarted again.
When the log acquisition function is enabled, a file with the name ipseclog.txt is created
under /APL_LOG/ipsec, and the log information is stored in that file. This file is deleted after
the device is turned Off and On.
Log level 1: FATAL level. Displays fatal error information.
Log level 2: FATAL level. Displays fatal error information.
Log level 3: FATAL level. Displays fatal error information.
Log level 4: WARN level. Displays warning information.
Log level 5: WARN level. Displays warning information.
Log level 6: WARN level. Displays warning information.
Log level 7: LOG level. Displays important log information.
Log level 8: INFO level. Displays all logs.
Log level 9: Same as level 8.
Log level 10: Same as level 8.