ipsec board-b2 sm rev0 091109

Upload: rey-creole
Post on 04-Feb-2018

Page 1: IPSec Board-B2 SM Rev0 091109

7/21/2019 IPSec Board-B2 SM Rev0 091109
http://slidepdf.com/reader/full/ipsec-board-b2-sm-rev0-091109 1/52

Security: IPSec Board-B2
Service Manual
September 11, 2009, Revision 0

IPSec Overview
Settings
Installation
Maintenance
Service Mode

Page 2: IPSec Board-B2 SM Rev0 091109

Application

This manual has been issued by Canon Inc. for qualified persons to learn technical theory, installation, maintenance, and repair of products. This manual covers all localities where the products are sold. For this reason, there may be information in this manual that does not apply to your locality.

Corrections

This manual may contain technical inaccuracies or typographical errors due to improvements or changes in products. When changes occur in applicable products or in the contents of this manual, Canon will release technical information as the need arises. In the event of major changes in the contents of this manual over a long or short period, Canon will issue a new edition of this manual.

The following paragraph does not apply to any countries where such provisions are inconsistent with local law.

Trademarks

The product names and company names used in this manual are the registered trademarks of the individual companies.

Copyright

This manual is copyrighted with all rights reserved. Under the copyright laws, this manual may not be copied, reproduced or translated into another language, in whole or in part, without the written consent of Canon Inc.

(C) CANON INC. 2009

Caution

Use of this manual should be strictly supervised to avoid disclosure of confidential information.

Page 3: IPSec Board-B2 SM Rev0 091109

Contents

IPSec Overview
  IPSec Overview ----- 1-2
    What is IPSec? ----- 1-2
    Modes of operation ----- 1-4
    Authentication and encryption protocols ----- 1-4
    Key exchange protocols ----- 1-5
  Specifications ----- 1-6
    Operating Conditions of IPSec ----- 1-6
    Supported Devices ----- 1-6
    Supported Functions ----- 1-6
    Applicable Packets ----- 1-6
    Specifications for Network Port ----- 1-6
    Specifications for Security Policy ----- 1-7
    Menu Items in IPSec Setting Window ----- 1-8
    Other Specifications ----- 1-10
  Restrictions ----- 1-11
    Notification of Deletion of SAD ----- 1-11
    Conflict with Sleep Function ----- 1-11
    Link-Local Address ----- 1-11
    Certificate Method ----- 1-11
    Restrictions when Registering Multiple Policies ----- 1-12
    Internal processing when restricted patterns occur ----- 1-12

Settings
  Settings Window ----- 2-2
    Path to IPSec Settings window ----- 2-2
    IPSec Settings window ----- 2-2
  Registration/Edit Window ----- 2-4
    Path to Registration/Edit Window ----- 2-4
    Policy Name ----- 2-4
    Selector Settings ----- 2-4
    IKE Settings ----- 2-5
    IPSec Settings ----- 2-5
  Selector Settings Window ----- 2-6
    Path to Selector Settings Window ----- 2-6
    Local Address Settings/Remote Address Settings ----- 2-6
    Port Settings ----- 2-7
  IKE Settings ----- 2-8
    Path to IKE Settings Window ----- 2-8
    Mode ----- 2-8
    Authentication Method ----- 2-9
    Auth./Encryption Algorithm ----- 2-9
  IPSec Network Settings ----- 2-10
    Validity ----- 2-10
    PFS ----- 2-10
    Authentication/Encryption Algorithm ----- 2-11
    Connection Mode ----- 2-12

Installation
  Installation/Settings Procedure ----- 3-2
    Flow of installation settings for basic IPSec ----- 3-2
      Review of security policy ----- 3-2
      Security policy settings ----- 3-2
      Operation check ----- 3-2
      Points to note at installation ----- 3-2
  IPSec settings and operation check ----- 3-3
    Setting procedure on device side ----- 3-3
    Setting procedure on PC side ----- 3-4
    Operation check ----- 3-13

Maintenance
  FAQ ----- 4-2
  Troubleshooting ----- 4-2

Service Mode
  IPSec Security Board Status Check Test ----- 5-2
    Procedure for IPSec Security Board Status Check Test ----- 5-2

Page 4: IPSec Board-B2 SM Rev0 091109

  Deletion of All Registered Policies ----- 5-4
    Procedure to Delete All Registered Policies ----- 5-4
  Acquisition of Debug Logs ----- 5-5
    Procedure to Obtain Debug Logs ----- 5-5

Page 5: IPSec Board-B2 SM Rev0 091109

Explanation of Symbols

The following symbols are used throughout this Service Manual.

Symbol     Explanation
[symbol]   Used for general attention, warnings, and notices of a danger that is not specified.
[symbol]   Used to warn of the possibility of electric shock.
[symbol]   Refers to an item described in the copier BASIC series that is needed to understand the content.

The following rules apply throughout this Service Manual:

1. Each chapter contains sections explaining the purpose of specific functions and the relationship between electrical and mechanical systems with reference to the timing of operation.

   In the diagrams, [symbol] represents the path of mechanical drive; where a signal name accompanies the symbol, the arrow indicates the direction of the electric signal.

   The expression "turn on the power" means flipping on the power switch, closing the front door, and closing the delivery unit door, which results in supplying the machine with power.

2. In the digital circuits, '1' is used to indicate that the voltage level of a given signal is "High", while '0' is used to indicate "Low". (The voltage value, however, differs from circuit to circuit.) In addition, the asterisk (*) as in "DRMD*" indicates that the DRMD signal goes on when '0'.

   In practically all cases, the internal mechanisms of a microprocessor cannot be checked in the field. Therefore, the operations of the microprocessors used in the machines are not discussed: they are explained in terms of the path from the sensors to the input of the DC controller PCB and from the output of the DC controller PCB to the loads.

The descriptions in this Service Manual are subject to change without notice for product improvement or other purposes, and major changes will be communicated in the form of Service Information bulletins.

All service persons are expected to have a good understanding of the contents of this Service Manual and all relevant Service Information bulletins and be able to identify and isolate faults in the machine.

Page 6: IPSec Board-B2 SM Rev0 091109

IPSec Overview

  IPSec Overview
  Specifications
  Restrictions

Page 7: IPSec Board-B2 SM Rev0 091109

IPSec Overview

What is IPSec?

IPSec is a function that provides secure IP communication for all packets at the IP level. The IPSec function can be applied to all IP packets, IPv6 and IPv4 alike. Since IPSec is applied to each IP packet, applications do not need to support the function: communication between nodes to which IPSec settings are applied automatically becomes secure communication, without the applications being aware of it.

In IPSec, whether or not to apply encryption and other processing is determined from the data in each communication packet. Specifically, one of the following operations is performed:

- The IPSec settings are applied to a packet that satisfies the conditions (authentication and encryption are performed).
- The IPSec settings are not applied to a packet that does not satisfy the conditions, and the packet is processed normally.
- A packet that does not satisfy the conditions is discarded.

The conditions mentioned above are the start-point (source) address, end-point (destination) address, protocol, and destination port. These condition items, used to sort out communication packets, are generally called "selectors". The concept of the "selector" is close to that of filtering in a router (the selector is called "IP Filter" in Windows), and multiple selectors can be defined.

A selector together with the detailed processing to be applied to the packets it matches is called a "security policy". The security policy also specifies the IPSec protocol (AH, ESP, or IPComp) and the mode (transport mode or tunnel mode).
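The selector and security-policy matching described above, as an added illustration in Python (not Canon's code): policies are kept in priority order, the first selector that matches a packet decides the processing (protect with IPSec, pass unprotected, or discard), and a packet matching no policy is handled by the "Receive Non-policy Packet" setting (Allow/Reject) of the IPSec settings window. The policy list, the addresses (documentation ranges) and the packets are constructed sample data; applying the same default to sent packets is an assumption.

```python
"""Selector / security-policy matching as described in "What is IPSec?".

Added illustration, not Canon's code.  Policies, addresses and packets below
are constructed sample data.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str                     # start-point (source) address
    dst: str                     # end-point (destination) address
    proto: str                   # "tcp", "udp" or "icmp"
    dport: Optional[int] = None  # destination port (None for ICMP)


@dataclass(frozen=True)
class Policy:
    """One security policy: a selector plus the processing applied to matches."""
    name: str
    local: str             # own address: "any", "any4", "any6", a host or a CIDR
    remote: str            # peer address, same forms
    proto: str             # "any", "tcp", "udp" or "icmp"
    port: Optional[int]    # destination port; None means all ports
    action: str            # "ipsec" (protect), "bypass" (plain) or "discard"


def _addr_match(spec: str, addr: str) -> bool:
    """Address selector check; address families are compared, so an IPv6
    packet never matches an IPv4-only selector."""
    ip = ipaddress.ip_address(addr)
    if spec == "any":
        return True
    if spec == "any4":
        return ip.version == 4
    if spec == "any6":
        return ip.version == 6
    return ip in ipaddress.ip_network(spec, strict=False)


def selector_matches(p: Policy, pkt: Packet, direction: str) -> bool:
    """For a received packet the local side is the destination and the remote
    side the source; for a sent packet it is the reverse."""
    local, remote = (pkt.dst, pkt.src) if direction == "in" else (pkt.src, pkt.dst)
    return (_addr_match(p.local, local)
            and _addr_match(p.remote, remote)
            and p.proto in ("any", pkt.proto)
            and (p.port is None or p.port == pkt.dport))


def decide(policies, pkt: Packet, direction: str = "in", non_policy: str = "allow"):
    """Return (action, policy name).  Policies are tried in priority order and
    the first matching selector wins.  A packet that matches no policy follows
    the "Receive Non-policy Packet" setting: "allow" passes it unprotected,
    "reject" discards it (assumed here to apply to sent packets as well)."""
    for p in policies:
        if selector_matches(p, pkt, direction):
            return p.action, p.name
    return ("bypass" if non_policy == "allow" else "discard"), None


# Constructed policies modelled on Case 2: protect Send (SMB) traffic to the
# file server, leave raw-port printing unprotected, and drop ICMP that does not
# come from the management subnet.  192.0.2.0/24 and 2001:db8::/32 are
# documentation ranges, not real hosts.
SAMPLE_POLICIES = [
    Policy("send-to-fileserver", "any4", "192.0.2.10", "tcp", 445, "ipsec"),
    Policy("print-plain", "any4", "any4", "tcp", 9100, "bypass"),
    Policy("icmp-from-mgmt", "any4", "192.0.2.0/24", "icmp", None, "bypass"),
    Policy("icmp-other", "any4", "any4", "icmp", None, "discard"),
]

if __name__ == "__main__":
    samples = [
        ("out", Packet("192.0.2.50", "192.0.2.10", "tcp", 445)),     # SMB send
        ("in", Packet("192.0.2.77", "192.0.2.50", "tcp", 9100)),     # raw print job
        ("in", Packet("203.0.113.9", "192.0.2.50", "icmp")),         # ping from outside
        ("in", Packet("2001:db8::1", "2001:db8::50", "tcp", 9100)),  # IPv6: no policy
    ]
    for direction, pkt in samples:
        print(direction, pkt, "->", decide(SAMPLE_POLICIES, pkt, direction))
```

The last sample packet is the case worth noticing: the IPv4-only selectors do not match an IPv6 print job, so whether it is passed or dropped depends entirely on the Receive Non-policy Packet setting, which is why "Reject" is the safer choice once every intended peer has a policy.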

 Example use cases of this product are provided below.

Case 1) Encrypt all print communications from a host computer with the IPSec settings.

[Figure: Case 1. A host computer with IPSec settings sends print data (print protocols: lpr, raw, ftp, IPP) across the IP network to the device as encrypted data; a host computer without IPSec settings sends the same print data as unencrypted data.]

Case 2) Encrypt Send communications to the file server and host computer, and do not encrypt print communications.

[Figure: Case 2. Scanned documents (Confidentiality1.tif, Confidentiality2.tif) sent with the Send protocols smb and ftp travel to the file server and host computer as encrypted data, while print jobs (print protocols: lpr, raw, ftp, IPP) travel across the IP network as unencrypted data.]

Page 8: IPSec Board-B2 SM Rev0 091109

Case 3) Encrypt Internet FAX and Email transmission.*

[Figure: Case 3. Internet FAX and e-mail transmission of scanned documents (G3FAX.tif, Confidentiality1.tif) between the device, the mail server and the host computer uses the protocol smtp and is shown as encrypted data; a G3 fax of the same document over the PSTN is shown for comparison.]

* In Case 3, it is assumed that IPSec is also functioning between the mail server and the host computer.

Page 9: IPSec Board-B2 SM Rev0 091109

Page 10: IPSec Board-B2 SM Rev0 091109

Key exchange protocols

IPSec has several key exchange protocols for performing authentication and encryption. This product supports IKEv1 (Internet Key Exchange version 1), which exchanges keys based on the standard protocol ISAKMP (Internet Security Association and Key Management Protocol).

IKE has two processing phases: in phase 1 it creates the SA (Security Association) used by IKE itself, and in phase 2 it creates the SA used by IPSec (the IPSec SA).

[Figure: IKE phases. Steps 1 to 6 belong to IKE Phase 1, steps 7 and 8 to IKE Phase 2; encrypted communication through IPSec follows.]

IKE Phase 1 (the ISAKMP SA is generated, and the communication of IKE is encrypted):
1. Proposal and selection of conditions: one end proposes several conditions, including the algorithms and the key lifetime; the other end selects one of them.
2. Determination of the conditions of the SA.
3. Exchange of keys by DH: each end creates and sends a numeric value that is used as a key element.
4. Creation of the key.
5. Authentication between the devices: each end sends its ID, passphrase, etc.
6. Verification that the other end is legitimate.

IKE Phase 2 (the IPSec SA is created, and communication through IPSec is started):
7. Exchange of the conditions and elements used to create the SA: encryption method, hash method, connection conditions such as key lifetime, subnet, host, key element, etc.
8. Determination of the conditions for the SA (accepted).

In this product, either the pre-shared key method or the digital signature method can be used as the IKE authentication method.

When you use the pre-shared key method, you need to decide on a keyword (up to 24 characters), called a pre-shared key, beforehand, and share it between the devices that send and receive data. After setting the pre-shared key of the connection end with which IPSec communication is made on the operation panel of this product, authentication by the pre-shared key method can be performed.

When you use the digital signature method, you need to install the key pair file and CA certificate file created on the PC using the UI, and then register the installed files on the operation panel of this product. Using the CA certificate, authentication is performed mutually with the connection end of the IPSec communication.

The key pair and CA certificate accepted for authentication in the digital signature method are:

- RSA algorithm
- X.509 certificate
- Key pair in PKCS#12 format

Page 11: IPSec Board-B2 SM Rev0 091109

Specifications

Operating Conditions of IPSec

A device needs to satisfy all of the following conditions to use the IPSec function:

- It is a device supported by IPSec.
- The IPSec security board is installed.*
- The IPSec function is enabled in the Local UI or Remote UI. (It is disabled in the initial setting upon shipment from the factory. See the User's Manual or this manual for how to enable the IPSec function.)

* To install the IPSec security board, the PCI Board Expansion Kit, which is available as an option, needs to be installed.

Supported Devices

The devices supported by IPSec are multifunction machines from the imageRUNNER C5180/5185/4580 onward and printers from the LBP3310 onward. The IPSec Security Board, which is an option, needs to be purchased and installed in any of these devices.

Supported Functions

Among the major functions stipulated by IPSec, those supported by this product are shown below:

Function                        Item                             Support
IPsec of IPv4                   -                                Support
IPsec of IPv6                   -                                Support
AH                              NULL                             Support
                                HMAC-SHA-1-96                    Support
                                HMAC-MD5-96                      Support
                                AES-XCBC-MAC-96                  Not Support
ESP                             NULL                             Support
                                DES-CBC                          Not Support
                                3DES-CBC                         Support
                                AES-CBC                          Support
                                AES-CTR                          Not Support
                                Other                            Not Support
Manual SA                       -                                Not Support
IKEv1                           -                                Support
IKEv2                           -                                Not Support
IKEv1 phase 1                   Main Mode                        Support
                                Aggressive Mode                  Support
Authentication Method (IKEv1)   Pre-shared key                   Support
                                Digital signature (RSA)          Support
                                Public key encryption            Not Support
                                Advanced public key encryption   Not Support
DH (IKEv1)                      Group 0 (not in use)             Not Support
                                Group 1                          Support
                                Group 2                          Support
                                Group 5                          Not Support
                                Group 14                         Support
                                Group 15                         Not Support
                                Group 16                         Not Support
                                Group 17                         Not Support
                                Group 18                         Not Support
                                Other                            Not Support
Encryption (IKEv1)              DES-CBC                          Not Support
                                3DES-CBC                         Support
                                AES-CBC                          Support
                                AES-CTR                          Not Support
                                Other                            Not Support
Authentication (IKEv1)          AUTH-HMAC-SHA1-96                Support
                                AUTH-HMAC-MD5-96                 Support
                                AUTH-HMAC-XCBC-96                Not Support

Applicable Packets

The packets to which this product applies IPSec processing are those exchanged via the following protocols:

- TCP
- UDP
- ICMP

Specifications for Network Port

The network port used by the IPSec function is shown below:

Protocol   Port No.   Description
UDP        500        Used to receive and send keys when the ISAKMP protocol exchanges keys.

Page 12: IPSec Board-B2 SM Rev0 091109

Specifications for Security Policy

The specifications for security policy are shown below:

Item                                        Value                         Remarks
Policy name                                 1 to 24 characters in ASCII
Number of policies that can be registered   10                            The table area which controls policies is called the security policy database (SPD).

Page 13: IPSec Board-B2 SM Rev0 091109

Menu Items in IPSec Setting Window

The initial (factory) setting of each choice is marked [initial setting].

Use IPSec
  ON: Enables the IPSec function.
  OFF: Disables the IPSec function. [initial setting]
Receive Non-policy Packet
  Allow: Allows a packet which does not meet any policy. [initial setting]
  Reject: Rejects a packet which does not meet any policy.
Policy On/Off: Enables or disables the selected policy.
Regi.: Registers a new policy.
  Selector Settings: Sets the selector, which works as the filter of IPSec.
    Local Address: Makes the filter setting for the local address in a packet.
      All IP Address: Targets all IP addresses as its own local address. [initial setting]
      All IPv4 Addresses: Targets all IPv4 addresses as its own local address.
      All IPv6 Addresses: Targets all IPv6 addresses as its own local address.
      IPv4 Manual Settings: Targets specified IPv4 addresses as its own local address.
        Single Address: Specifies a single address.
        Range Address: Specifies a range of addresses.
        Subnet Settings: Specifies addresses by subnet.
      IPv6 Manual Settings: Targets specified IPv6 addresses as its own local address.
        Single Address: Specifies a single address.
        Range Address: Specifies a range of addresses.
        Subnet Settings: Specifies addresses by prefix.
    Remote Address: Makes the filter setting for the remote address in a packet.
      All IP Address: Targets all IP addresses as the remote address. [initial setting]
      All IPv4 Addresses: Targets all IPv4 addresses as the remote address.
      All IPv6 Addresses: Targets all IPv6 addresses as the remote address.
      IPv4 Manual Settings: Targets specified IPv4 addresses as the remote address.
        Single Address: Specifies a single address.
        Range Address: Specifies a range of addresses.
        Subnet Settings: Specifies addresses by subnet.
      IPv6 Manual Settings: Targets specified IPv6 addresses as the remote address.
        Single Address: Specifies a single address.
        Range Address: Specifies a range of addresses.
        Subnet Settings: Specifies addresses by subnet.
    Port: Makes the filter setting for the port number in a packet.
      Specify by Port Number: Makes the setting by manually specifying a port.
        Local Port: Specifies local ports.
          All Port: Targets all local ports. [initial setting]
          Single Settings: Specifies a target local port individually.
        Remote Port: Specifies remote ports.
          All Port: Targets all remote ports. [initial setting]
          Single Settings: Specifies a target remote port individually.
      Specify by Service Name: Makes the filter setting by specifying a service name.
        Service On/Off: Specifies On or Off for each of the 7 services "SMTP Receive", "SMTP Send", "HTTP Client", "HTTP Server", "POP3", "LDP", and "RAW".
  IKE Settings: Makes the settings related to IKE (the key exchange protocol) for the security policy.
    IKE Mode: Sets the ISAKMP message exchange protocol.
      Main: Sets the ISAKMP message exchange protocol to Main mode. [initial setting]
      Aggressive: Sets the ISAKMP message exchange protocol to Aggressive mode.
    Authentication Method: Sets the authentication method of IKE.
      Pre-shared Key Method: Sets the authentication method of IKE to the pre-shared key method. [initial setting]
        Shared Key: Sets the shared key which is used as the pre-shared key of IKE.
      Digital Signature Method: Sets the authentication method of IKE to the digital signature method.
        Key and Certificate: Makes the settings related to the digital signature.
          Key Settings: Sets the key which is used for the digital signature.
          Certificate Details: Shows the information about the registered certificate.

Page 14: IPSec Board-B2 SM Rev0 091109

    Authentication/Encryption Algorithm: Sets the authentication and encryption algorithms for IKE.
      Auto: Sets the authentication and encryption algorithms for IKE automatically. [initial setting]
      Manual Settings: Sets the authentication and encryption algorithms for IKE manually.
        Regi.: Registers the authentication and encryption algorithms.
          Authentication: Sets the authentication algorithm.
            SHA 1: Sets the authentication algorithm to SHA 1.
            MD 5: Sets the authentication algorithm to MD 5.
          Encryption: Sets the encryption algorithm.
            3 DES-CBC: Sets the encryption algorithm to 3 DES-CBC. [initial setting]
            AES-CBC: Sets the encryption algorithm to AES-CBC.
          DH Group: Sets the DH algorithm.
            Group1 (762): Sets the DH algorithm to Group 1.
            Group2 (1024): Sets the DH algorithm to Group 2. [initial setting]
            Group3 (2048): Sets the DH algorithm to Group 3.
        Edit: Edits the already registered authentication and encryption algorithms.
        Delete: Deletes the already registered authentication and encryption algorithms.
  IPSec Setting: Sets how to process a packet which satisfies the conditions specified by the selector.
    Validity: Sets the update validity (lifetime) of the SA of IPsec/IKE.
      Time: Sets the update validity of the SA of IPsec/IKE by time. [initial setting: 480]
      Size: Sets the update validity of the SA of IPsec/IKE by the file size. [initial setting: Not available]
    Connection Mode: Sets the connection mode in which IPsec is applied.
      Transport: Sets the connection mode of IPsec to transport mode. [initial setting]
      IPv4 Tunnel: Not supported.
      IPv6 Tunnel: Not supported.
    PFS: Sets Perfect Forward Secrecy (PFS) of IPsec On or Off.
      ON: Sets PFS of IPsec to On.
      OFF: Sets PFS of IPsec to Off. [initial setting]
    Auth./Encryption Algorithm: Sets the authentication and encryption algorithms.
      Auto: Sets the authentication and encryption algorithms automatically.
      Manual Settings: Sets the authentication and encryption algorithms manually.
        Regi.: Registers the authentication and encryption algorithms.
          ESP: Sets ESP as the authentication and encryption algorithm. [initial setting]
          AH: Sets AH as the authentication and encryption algorithm.
Edit: Edits an already registered policy. The items that can be edited are the same as those for registration.
Delete: Deletes an already registered policy.

Page 15: IPSec Board-B2 SM Rev0 091109

Other Specifications

Retry intervals

In the IKE negotiation, when no response is returned from the connection end, a retry is made. The first retry interval can be set in the Service Mode. Each subsequent retry is made at an interval twice as long as the previous one, up to a maximum interval of 10 sec.

Example: Setting values of the retry intervals and actual retry intervals

[Figure: retry timing on a 0 to 35 sec axis. With the first retry interval set to 1 sec, the retries follow at 1, 2, 4, 8 and then 10 sec intervals (each "twice" the previous one; since the maximum interval is 10 sec, retries are made at 10-sec intervals thereafter). With the first retry interval set to 3 sec, the intervals are 3, 6, 10, 10 sec; with 7 sec, they are 7, 10, 10 sec.]
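The retry schedule above as an added worked example in Python (not Canon's code), reconstructing the timeline the figure shows for first intervals of 1, 3 and 7 sec. The number of retries computed (8) is a constructed value; the manual gives only the doubling rule and the 10 sec maximum.

```python
"""IKE negotiation retry timing: first interval from Service Mode, then
doubling, capped at the 10 sec maximum.  Added illustration, not Canon's code;
the number of retries shown (8) is a constructed value."""
from typing import List


MAX_INTERVAL_SEC = 10   # maximum retry interval stated in the manual


def retry_intervals(first_interval: int, attempts: int = 8,
                    max_interval: int = MAX_INTERVAL_SEC) -> List[int]:
    """Seconds between consecutive retries: the first as configured, every
    later one twice the previous, never above max_interval."""
    intervals = []
    interval = first_interval
    for _ in range(attempts):
        interval = min(interval, max_interval)
        intervals.append(interval)
        interval *= 2
    return intervals


def retry_times(first_interval: int, attempts: int = 8,
                max_interval: int = MAX_INTERVAL_SEC) -> List[int]:
    """Time (seconds after the unanswered message) at which each retry is sent,
    i.e. the positions on the figure's time axis."""
    times, elapsed = [], 0
    for interval in retry_intervals(first_interval, attempts, max_interval):
        elapsed += interval
        times.append(elapsed)
    return times


if __name__ == "__main__":
    for first in (1, 3, 7):
        print(f"first retry interval {first} sec:",
              "intervals", retry_intervals(first),
              "retry sent at", retry_times(first))
```

With the first interval at 1 sec, the sixth retry goes out 35 sec after the unanswered message, which is the right-hand end of the figure's axis; a first interval above 10 sec is clamped to 10 sec from the start.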

Page 16: IPSec Board-B2 SM Rev0 091109

Restrictions

Notification of Deletion of SAD

When a Security Association (SA) of IPsec is established between an external device and this device, a Security Association Database (SAD) is established between them. If any of the following operations is performed in this state, the deletion of the policy needs to be notified to the other end:

- One of the devices is shut down (the power is turned Off).
- The policy in question is disabled.
- The policy in question is deleted.
- The IPsec function is turned Off (disabled).

However, this device does not support the policy deletion notification function. If any of the aforementioned operations is performed, the policy needs to be deleted manually from the SAD at the other end.

Conflict with Sleep Function

When the sleep function of the device is enabled and "Use IPSec" in the IPsec settings is set to "On" (enabled), the device does not go into sleep mode (S3 mode). If the IPsec setting is set to "Off" (disabled), it goes into sleep mode.

Link-Local Address

When you make selector settings that include a link-local address, IPsec is not applied to the packets addressed to link-local addresses, and they are discarded. For instance, when "IPv6 Address" is selected in Local Selector Settings, the packets addressed to link-local addresses are discarded. In the case of manually specified addresses, those with the prefix "fe80" are considered link-local addresses.

However, in the models after the iRA C5030/iRA C9075 Series, IPsec can be applied to IPv6 link-local addresses. Note that link-local addresses and global addresses cannot be specified at the same time. For instance, all IPv6 addresses are considered global addresses; therefore fe80::xxxx, ::/0, 1111::xxxx, etc. cannot be assigned to them. If the local address is a link-local address, the remote address also needs to be a link-local address. When "IPv6 Address" is selected in Local Address and "All IPv6 Address" in Remote Address, IPsec is also applied to link-local addresses.

Certificate Method

When you select the certificate method in IKE, the specified key pair needs to be issued by the same root certificate authority that issued the certificate of the other end of the IPsec communication. Thus, a key pair with a self-signed certificate has a different root, and the negotiation fails.

Since the certificate validity period is checked, the devices need to have their time set beforehand, using SNTP etc.

Page 17: IPSec Board-B2 SM Rev0 091109

Restrictions when Registering Multiple Policies

When the Mode Setting of IKEv1 is Main Mode, and multiple policies are registered with the Pre-shared Key Method, the following restrictions apply due to the specification limits of the IKEv1 protocol:

1) The same pre-shared key must be applied to all the policies in which a single address is not specified as the remote address.

2) The policies in which a single address is not specified as the remote address must have lower priority than those in which a single address is specified.

The tables below show the registration patterns.

Pattern 1: Combination in which no restrictions occur

priority  name  local address     local port  remote address    remote port  pre-shared key
1         aaa   All IPv4 Address  All Port    172.24.111.111    All Port     hoge
2         bbb   All IPv4 Address  All Port    172.24.222.222    All Port     hoge2
3         ccc   All IPv4 Address  9100        All IPv4 Address  All Port     hoge3
4         ddd   All IPv6 Address  9100        All IPv6 Address  All Port     hoge3

Pattern 2: Combination which violates the aforementioned restriction 1) (The violating items, shown in blue in the original, are marked with *.)

priority  name  local address     local port  remote address    remote port  pre-shared key
1         aaa   All IPv4 Address  All Port    172.24.111.111    All Port     hoge
2         bbb   All IPv4 Address  All Port    172.24.222.222    All Port     hoge2
3         ccc   All IPv4 Address  9100        All IPv4 Address  All Port     hoge3*
4         ddd   All IPv6 Address  9100        All IPv6 Address  All Port     hoge4*

Although the policies "ccc" and "ddd" do not specify a single address as the remote address, different pre-shared keys are set for them.

Pattern 3: Combination which violates the aforementioned restriction 2) (The violating items, shown in blue in the original, are marked with *.)

priority  name  local address     local port  remote address    remote port  pre-shared key
1         aaa   All IPv4 Address  All Port    172.24.111.111    All Port     hoge
2*        bbb   All IPv4 Address  9100        All IPv4 Address  All Port     hoge2
3*        ccc   All IPv6 Address  9100        All IPv6 Address  All Port     hoge2
4         ddd   All IPv4 Address  All Port    172.24.222.222    All Port     hoge3

Although the policies "bbb" and "ccc" do not specify a single address as the remote address, their priority is higher than that of "ddd".

Pattern 4: Combination which violates the aforementioned restriction 2) (The violating items, shown in blue in the original, are marked with *.)

priority  name  local address     local port  remote address           remote port  pre-shared key
1*        aaa   All IPv4 Address  All Port    172.24.1.1/255.255.0.0   All Port     hoge
2         bbb   All IPv4 Address  9100        172.24.111.111           All Port     hoge2

Although the policy "aaa" does not specify a single address as the remote address, its priority is higher than that of "bbb".

imageRUNNER 3225/3235/3245 JE version internally performs the following processing so that the above restricted patterns cannot be registered.

Processing 1) Insert a policy at an appropriate priority when registering or editing it.

Processing 2) When a policy is registered, if a single address is not specified as the remote address, and the specified pre-shared key is different from the one specified for the group, the policy cannot be registered. (imageRUNNER 3225/3235/3245 FIGS and later models)

Processing 3) When a policy is registered, if a single address is not specified as the remote address, and the specified pre-shared key is different from the one specified for the group, the pre-shared key of the latest policy is applied to all the pre-shared keys. (imageRUNNER 3225/3235/3245 JE)

Processing 4) When the policy priority order is changed, a change of the order which does not meet the restricted specifications cannot be made.

Internal processing when restricted patterns occur

The detailed operations of the aforementioned internal processing (Processing 1 to 4) are explained below.

Automatic insertion of policy (Processing 1)

When a policy is newly registered or edited, the Remote Address setting is checked, and the policy is inserted at an appropriate priority.

For instance, when a new policy (policy name "eee" in the table below) is registered to a device in which several policies have already been registered, it is normally added at the bottom. However, if adding it at the bottom would violate the restrictions because of its remote address setting, it is registered not at the bottom but at an appropriate priority.


List of existing policies

priority  name  local address     local port  remote address          remote port  pre-shared key
1         aaa   All IPv4 Address  All Port    172.24.111.111          All Port     hoge
2         bbb   All IPv4 Address  All Port    172.24.222.222          All Port     hoge2
3         ccc   All IPv6 Address  9100        All IPv4 Address        All Port     hoge3
4         ddd   All IPv4 Address  9100        All IPv6 Address        All Port     hoge3

List of policies after registration

priority  name  local address     local port  remote address          remote port  pre-shared key
1         aaa   All IPv4 Address  All Port    172.24.111.111          All Port     hoge
2         bbb   All IPv4 Address  All Port    172.24.222.222          All Port     hoge2
3         eee   All IPv4 Address  All Port    172.24.133.133          All Port     hoge4
4         ccc   All IPv4 Address  9100        All IPv4 Address        All Port     hoge3
5         ddd   All IPv6 Address  9100        All IPv6 Address        All Port     hoge3

Prohibition of Registration (Processing 2)

When a policy is registered, if "Single Address" is specified in Remote Address, and the specified pre-shared key is different from the one specified for the group, the policy cannot be registered. (imageRUNNER 3225/3235/3245 FIGS or later)

When registering a new policy or editing an existing policy, if any option other than "Single Address" is selected in Remote Address, the policy cannot be registered if the specified pre-shared key is different from the registered one specified for the group.

For example, when you register a new policy with the name "eee" and the pre-shared key "hoge4" to a device with the policies below already registered, the policy violates the restrictions, and the registration fails.

List of existing policies

priority  name  local address     local port  remote address          remote port  pre-shared key
1         aaa   All IPv4 Address  All Port    172.24.111.111          All Port     hoge
2         bbb   All IPv4 Address  All Port    172.24.222.222          All Port     hoge2
3         ccc   All IPv4 Address  9100        All IPv4 Address        All Port     hoge3
4         ddd   All IPv6 Address  9100        All IPv6 Address        All Port     hoge3

Policy that you attempt to newly register

name  local address     local port  remote address          remote port  pre-shared key
eee   All IPv6 Address  80          172.24.133.133          All Port     hoge4

When you attempt to register the above policy, the following message appears: "Check the settings. When Pre-shared Key Method for AUTH Method is set to other than a single address, the shared key characters must be the same when registering multiple policies."

Unification of pre-shared key (Processing 3)

When a policy is registered, if a single address is not specified as the remote address, and the specified pre-shared key is different from the one specified for the group, the pre-shared key of the latest policy is applied to all the pre-shared keys. (imageRUNNER 3225/3235/3245 JE)

When a new policy is registered or an existing policy is edited, if any option other than "Single Address" is specified in Remote Address, a message appears asking whether or not to use the same pre-shared key for all the registered policies. If you agree, the pre-shared key of the last registered policy is applied to all the pre-shared keys of the policies whose remote address is specified by group.

For example, when you register a new policy with the name "eee" and the pre-shared key "hoge4" to a device with the policies below already registered, all the pre-shared keys of the policies whose remote address is not a single address are standardized.

List of existing policies

priority  name  local address     local port  remote address          remote port  pre-shared key
1         aaa   All IPv4 Address  All Port    172.24.111.111          All Port     hoge
2         bbb   All IPv4 Address  All Port    172.24.222.222          All Port     hoge2
3         ccc   All IPv4 Address  9100        All IPv4 Address        All Port     hoge3
4         ddd   All IPv6 Address  9100        All IPv6 Address        All Port     hoge3

List of policies after registration

priority  name  local address     local port  remote address          remote port  pre-shared key
1         aaa   All IPv4 Address  All Port    172.24.111.111          All Port     hoge
2         bbb   All IPv4 Address  All Port    172.24.222.222          All Port     hoge2
3         ccc   All IPv4 Address  9100        All IPv4 Address        All Port     hoge4
4         ddd   All IPv6 Address  9100        All IPv6 Address        All Port     hoge4
5         eee   All IPv6 Address  80          All IPv6 Address        All Port     hoge4


Prohibition of change of the policy order (Processing 4)

When you change the priority order of policies, a change of the order which violates the restricted specifications is prohibited.

For instance, when the policies given in the table below are already registered, if you attempt to move the policy "bbb" to a lower position using "Lower Priority", it violates the restrictions, and the attempt fails.

priority  name  local address     local port  remote address          remote port  pre-shared key
1         aaa   All IPv4 Address  All Port    172.24.111.111          All Port     hoge
2         bbb   All IPv4 Address  All Port    172.24.222.222          All Port     hoge2
3         ccc   All IPv4 Address  9100        All IPv4 Address        All Port     hoge3
4         ddd   All IPv6 Address  9100        All IPv6 Address        All Port     hoge3

On imageRUNNER 3225/3235/3245 FIGS and later devices, if you attempt to change the order of policies against the restrictions, the following message appears: "When Pre-shared Key Method is set for AUTH Method, a policy with a single remote address cannot have a lower priority than other policies."

2 Settings

Settings Window
Registration/Edit Window
Selector Settings Window
IKE Settings
IPSec Network Settings


Settings Window

The IPSec settings are made in the system control window in the operation panel of the

device.

Path to IPSec Settings window

The path to the registration/edit window is shown below:

User Mode (Top) > Preference > Network > TCP/IP Settings > IPSec Settings

IPSec Settings window

In the IPSec Settings window, you can set whether or not to use IPSec, policies to which

IPSec is applied, and their priority, etc.

[Use IPSec]

This item is used to set whether or not to use the IPSec function. The default setting is "Off".

[Receive Non-policy Packets]

This item is used to set whether to allow or reject a packet which does not meet any of the registered policies. The default setting is "Allow".


[Policy List]

With this product, up to 10 policies can be registered in a device. The table area which controls policies in a device is called the Security Policy Database (SPD).

The policy list shows a list of the registered policies.

The specifications for the policy list are given below:

Up to 10 policies can be registered and displayed.

Even when no policy is registered, the priority numbers from 1 to 10 are displayed.

When a policy is registered, it is added at the bottom of the list.

When a packet is received, whether or not to apply each policy is determined in ascending order of priority.

When a registered policy is deleted, the policies of lower priority are moved up.

To set On/Off of a policy, select a policy and press "Policy On/Off".

Although up to 24 characters in ASCII can be set as a policy name, the whole name might not be displayed in the list.

To set the priority order of policies, select a policy and press "Raise Priority" or "Lower Priority".

[Policy On/Off]

This item is used to set the status of the policy selected in the list to "On" or "Off".

[Regi.]

Press this item to create or register a new policy. For information on the policy registration window, see "Registration/Edit Window".

[Edit]

Press this item to edit the policy selected in the list. For information on the policy registration window, see "Registration/Edit Window".

[Delete]

Press this item to delete the policy selected in the list. For information on the policy registration window, see "Registration/Edit Window".

[Print List]

This item is used to print out the settings of the registered policies.

Print sample

********************************* IPSec Policy List *********************************
Priority:1 ON
  Policy Name                  Policy-1
  Selector Settings
    Local Address              All IPv4 Addresses
    Remote Address             All IP Addresses
    Port
      Local Port               All Port
      Remote Port              All Port
  IKE Settings
    IKE Mode                   Main
    Authentication Method      Digital sig. Method
    Auth./Encryption Algorithm Auto
  IPSec Network Settings
    Validity
      Time                     ON  480 min
      Size                     ON  10 MB
    PFS                        OFF
    Auth./Encryption Algorithm Auto
    Connect. Mode              Transport
Priority:2 ON
  Policy Name                  Policy-2
  Selector Settings
    Local Address              All IP addresses

2009 03/16 MON 11:46 iR-ADV C5051 001 .


Registration/Edit Window

In the registration/edit window, the policies used by IPSec are registered or edited.

Path to Registration/Edit Window

The path to the registration/edit window is shown below:

User Mode (Top) > Preference > Network > TCP/IP Settings > IPSec Settings > Regi. or > Edit

("Edit" must be pressed while a policy is selected.)

Policy Name

This item is used to set a policy name.

Selector Settings

This item is used to set a selector. When you press "Selector", the Selector Settings window appears. For more details, see Selector Settings Window.


IKE Settings

In this window, the ISAKMP message exchange protocol (IKE mode) and authentication

method are set. For more details, see IKE Settings.

IPSec Settings

In this window, the IPSec communication settings are made. For more details, see IPSec

Network Settings.


Selector Settings Window

In the Selector Settings window, the conditions which determine the processing applied to a packet are set.

The conditions are the start-point IP address, end-point IP address, protocol, destination port, etc. A communication packet which satisfies these conditions is selected.

Path to Selector Settings Window

The path to the selector edit window is shown below:

User Mode (Top) > Preference > Network > TCP/IP Settings > IPSec Settings > Regi. or > Edit > Selector Settings

Local Address Settings/Remote Address Settings

These items are used to set whether or not to target the start-point address and end-point address in communication packets.

All IP Address

Select this option when you target all local addresses.

All IPv4 Addresses

Select this option when you target the packets which have a local IPv4 address as the start-point address or end-point address.

All IPv6 Addresses

Select this option when you target the packets which have a local IPv6 address as the start-point address or end-point address.

IPv4 Manual Settings

Select this option when you specify a specific IPv4 address or a range of IPv4 addresses. When you press this option, the setting window is opened.

IPv6 Manual Settings

Select this option when you specify a specific IPv6 address or a range of IPv6 addresses. When you press this option, the setting window is opened.


Port Settings

This item is used to set whether or not to apply IPSec to the packets which include a specific port (or service).

Specify by Port Number

Select this option when you specify a specific port number. When you press this item, the setting window is opened.

In Local Port or Remote Port, select "All Ports" or "Specify Port". When you specify a port (Specify Port), enter a port number.

Specify by Service Name

Select this option when you specify packets not by a port number, but by a service name. When you press this item, the setting window is opened.

Set On or Off for each of the seven services, "SMTP Receive", "SMTP Send", "HTTP Client", "HTTP Server", "POP3", "LDP", and "RAW".


IKE Settings

This item is used to make the settings related to Key exchange protocols.

Path to IKE Settings Window

The path to the IKE edit window is shown below:

User Mode (Top) > Preference > Network > TCP/IP Settings > IPSec Settings > Regi. or >

Edit > IKE Settings

Mode

This item is used to specify the mode to exchange ISAKMP messages when IKE SA is

created in the IKE Phase 1.

The available modes are the main mode and aggressive mode.

The differences between the main mode and aggressive mode in the IKE Phase 1 are shown

in the table below.

Mode             Description
Main mode        Phase 1 is finished after three sets of transmission and reception of ISAKMP messages.
                 1st and 2nd messages: negotiation of ISAKMP SA parameters
                 3rd and 4th messages: exchange of parameters for key calculation and execution of key calculation
                 5th and 6th messages: authentication of the IPSec communication end (device)
Aggressive mode  The encryption process upon authentication is omitted, and Phase 1 is finished after one and a half sets of transmission and reception of ISAKMP messages. While this mode can finish Phase 1 faster than the Main mode, restrictions occur on negotiation of SA. On the other hand, it eases the restrictions of the Main mode.

Figure: IKE Phase 1 (Main mode). The ISAKMP SA is generated, and the exchange by IKE is encrypted.

1. Proposal and selection of conditions: proposes several conditions including the algorithm and lifetime of key, etc.
2. Determination of condition of SA: selects one of the conditions.
3. Exchange of key by DH: creates and sends a numeric value which is used as a key element.
4. Creation of key: creates and sends the numeric value which is used as a key element.
5. Authentication between devices: sends the ID and pass phrase, etc.
6. Verification that the other end is legitimate: sends the ID and pass phrase, etc.


Authentication Method

The IPSec function uses two authentication methods for the IKE Phase 1: one is the pre-shared key authentication, and the other is the digital signature authentication.

Pre-shared Key Method

Select this option when you authenticate using a pre-shared key. Input the key to be shared in the input field of Shared Key.

Digital Sig. Method

Select this option when you authenticate not with a pre-shared key but with a digital signature.

Auth./Encryption Algorithm

This item is used to set the authentication and encryption algorithms.

Manual Settings of authentication and encryption algorithms

This option is used to manually set the authentication and encryption algorithms of IKE.

Select one or more authentication algorithms from SHA1 and MD5. You can select both.

Select one or more encryption algorithms from 3DES-CBC and AES-CBC. You can select both.

Select one DH group from Group1 (762), Group2 (1024), and Group3 (2048).

Auto Settings of authentication and encryption algorithms

When you select the Auto settings of the authentication and encryption algorithms for IKE, IKE SA makes negotiations for algorithm patterns in accordance with the priority given below.

Priority  Authentication  Encryption  DH
1         SHA1            AES(128)    2
2         MD5             AES(128)    2
3         SHA1            AES(192)    2
4         MD5             AES(192)    2
5         SHA1            AES(256)    2
6         MD5             AES(256)    2
7         SHA1            3DES        2
8         MD5             3DES        2


IPSec Network Settings

This item is used to make the settings related to the IPSec network.

Validity

This item is used to set the update validity of the Security Association (SA) of IPsec/IKE. The validity specified in this setting is applied both to the update period for the SA of IPsec and to that of IKE.

The validity is specified in minutes or in MB. The settable range is 1 to 65535 minutes or 1 to 65535 MB. In the initial setting, Time is set to 480 minutes (8 hours), and Size is not specified. You cannot specify "0" for Time or Size.

In Validity, either Size or Time needs to be specified. When both are specified, the SA is invalidated by whichever limit is reached first. IPsec communication within the validity can exchange ESP packets without renegotiating the key exchange.

Negotiation of the validity varies according to the setting at the host of the other end. For instance, if a validity shorter than the one set in a host is proposed during the IKE Phase 1, the host may reject negotiations.

Figure: IKE Phase 1 validity negotiation between Host computer A (Initiator) and Host computer B (Responder)

Host A proposes the condition: a validity setting shorter than the validity set in host B is proposed as the condition.
Host B rejects the condition: since the condition proposed by host A is shorter than the validity set in host B, host B rejects negotiations.

In the communication between the devices which support this product, the validity at the

initiator* is used.

* The node which makes IKE communication is called the IKE peer, the side which issues

an IKE request is called the initiator, and the side which receives a request is called the

responder.
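Added example (not Canon's code) of how the Validity setting behaves: the acceptance rules of the setting panel, expiry by whichever of Time or Size is reached first, and a stricter responder of the kind described above that rejects a shorter proposed lifetime. It assumes the bytes an SA protects are counted per SA.

```python
# Validity (SA lifetime) behaviour of the IPSec Network Settings (added
# example, not Canon's code). Assumptions: the bytes carried by an SA are
# counted per SA, and a stricter responder rejects a Phase 1 proposal whose
# lifetime is shorter than its own setting, as the text says it may.
from dataclasses import dataclass
from typing import List, Optional

TIME_RANGE = (1, 65535)  # minutes
SIZE_RANGE = (1, 65535)  # MB


@dataclass(frozen=True)
class Validity:
    time_min: Optional[int] = 480  # initial setting: 480 minutes (8 hours)
    size_mb: Optional[int] = None  # initial setting: Size not specified

    def problems(self) -> List[str]:
        """Settings the panel does not accept: both empty, 0, or out of range."""
        out = []
        if self.time_min is None and self.size_mb is None:
            out.append("either Time or Size must be specified")
        for label, value, (lo, hi) in (("Time", self.time_min, TIME_RANGE),
                                       ("Size", self.size_mb, SIZE_RANGE)):
            if value is not None and not lo <= value <= hi:
                out.append(f"{label} must be {lo}..{hi}, got {value}")
        return out


@dataclass
class SecurityAssociation:
    validity: Validity
    established_at_s: float   # when the SA was set up, in seconds
    bytes_protected: int = 0  # ESP payload bytes carried so far

    def expired(self, now_s: float) -> bool:
        """The SA is invalidated by whichever limit, Time or Size, is reached first."""
        v = self.validity
        if v.time_min is not None and now_s - self.established_at_s >= v.time_min * 60:
            return True
        if v.size_mb is not None and self.bytes_protected >= v.size_mb * 1024 * 1024:
            return True
        return False


def responder_accepts(proposed: Validity, own: Validity) -> bool:
    """Stricter third-party responder (assumption): every limit it has set
    must be proposed as at least as long; a shorter or missing limit is
    rejected and no SA is established."""
    if own.time_min is not None:
        if proposed.time_min is None or proposed.time_min < own.time_min:
            return False
    if own.size_mb is not None:
        if proposed.size_mb is None or proposed.size_mb < own.size_mb:
            return False
    return True
```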

PFS

When a shared key is leaked to a malicious third party, there is a risk that they might be able to forecast the keys to be generated. Enabling Perfect Forward Secrecy (PFS) prevents third parties from forecasting the keys to be generated even if they obtain a shared secret key.

Although the load upon key exchange is increased if PFS is enabled, confidentiality is enhanced.

The initial setting of PFS is "Off".

The same PFS setting must be set on the hosts between which negotiations are made. Therefore, when the PFS setting is set to On, that of the other end must be set to On as well.


Authentication/Encryption Algorithm

This item is used to set the authentication and encryption algorithms in the IPSec network. You can select Auto Settings or Manual Settings.

Manual Settings of Authentication/Encryption Algorithm

This option is used to set the authentication and encryption algorithms manually. First of all, select ESP, which performs authentication and encryption of packets, or AH, which performs only authentication of packets.

1) When ESP is selected

The ESP authentication algorithm and ESP encryption algorithm are set.

Select the authentication algorithm from MD5, SHA1, and NULL. You can select both MD5 and SHA1 at the same time. In the initial setting, SHA1 is selected.

Select the encryption algorithm from 3DES-CBC, AES-CBC, and NULL. You can select both 3DES-CBC and AES-CBC at the same time. In the initial setting, 3DES-CBC is selected.

You cannot set NULL for both ESP authentication and ESP encryption.

2) When AH is selected

Select one or more AH authentication algorithms from SHA1 and MD5. If you do not select either, the OK button is disabled (grayed out), and you cannot finish the setting.


Auto Settings of authentication and encryption algorithms

When you select the Auto settings of the authentication and encryption algorithms for the IPSec Network, IPSec SA makes negotiations for algorithm patterns in accordance with the priority given below. Servers also wait in the same priority.

Priority  AH    ESP authentication  ESP encryption
1         NULL  SHA1                AES (128)
2         NULL  MD5                 AES (128)
3         NULL  SHA1                AES (192)
4         NULL  MD5                 AES (192)
5         NULL  SHA1                AES (256)
6         NULL  MD5                 AES (256)
7         NULL  SHA1                3DES
8         NULL  MD5                 3DES
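The two Auto priority tables (IKE above and the IPSec network here) share the same eight patterns, and the following added example, not Canon's code, works through what they negotiate. The set of patterns a peer accepts is not on the page, so the peers in the checks are constructed; that Manual Settings keep the Auto order is an assumption.

```python
# Proposal order used by the Auto Settings of IKE and of the IPSec network
# (added example, not Canon's code). The eight patterns are the priority
# tables above; the set a peer accepts is not on the page, so any peer
# used with these functions is constructed.
from typing import Iterable, List, Optional, Set, Tuple

Pattern = Tuple[str, str]  # (authentication, encryption)

# Priority 1 .. 8 of the tables above. IKE adds DH group 2 to every
# pattern, and in Auto mode the IPSec table proposes no AH (AH = NULL).
AUTO_PROPOSALS: List[Pattern] = [
    ("SHA1", "AES(128)"), ("MD5", "AES(128)"),
    ("SHA1", "AES(192)"), ("MD5", "AES(192)"),
    ("SHA1", "AES(256)"), ("MD5", "AES(256)"),
    ("SHA1", "3DES"), ("MD5", "3DES"),
]

WEAK = {"MD5", "3DES"}  # still proposed by Auto; a reviewer would flag them


def negotiate(initiator: Iterable[Pattern],
              accepted_by_responder: Set[Pattern]) -> Optional[Pattern]:
    """First pattern in the initiator's order that the responder accepts.
    A responder 'waits in the same priority', so with Auto on both sides
    the initiator's order decides the result."""
    for proposal in initiator:
        if proposal in accepted_by_responder:
            return proposal
    return None  # no common pattern: the negotiation fails


def weak_algorithms(pattern: Pattern) -> List[str]:
    """Algorithms of a negotiated pattern that should raise a review flag."""
    return [algo for algo in pattern if algo in WEAK]


def family(encryption: str) -> str:
    """Map the table names to the Manual Settings names."""
    return "AES-CBC" if encryption.startswith("AES") else "3DES-CBC"


def manual_proposals(auth: Set[str], enc: Set[str]) -> List[Pattern]:
    """Manual Settings: only the patterns built from the chosen algorithms,
    kept in the Auto order (assumption about the order the device uses)."""
    return [(a, e) for a, e in AUTO_PROPOSALS if a in auth and family(e) in enc]
```

With a peer that only accepts 3DES the Auto setting still completes, at the weakest pattern; restricting the Manual Settings to SHA1 and AES-CBC makes that negotiation fail instead of downgrading.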

Connection Mode

This item is used to display the IPSec connection mode.

This function supports the transport mode only, and therefore "Transport" is displayed.

3 Installation

Installation/Settings Procedure
IPSec settings and operation check


Installation/Settings Procedure

Flow of installation settings for basic IPSec

The flow of basic IPSec settings is as follows.

Review of security policy

To install IPSec on the network, review which packets IPSec is to be applied to.

1) Decide between which hosts the IPSec process is applied to communication.

2) Decide to which protocol and which port the IPSec process is applied.

3) Decide how to handle the packets other than the foregoing packets.

4) Decide whether to execute packet authentication only or to execute authentication and encryption.

5) Decide what to use as the authentication method and encryption algorithm.

Etc.

In principle, the users review the security policy on the network of the user site.

Security policy settings

According to the security policy reviewed as above, make the IPSec settings on the device and on the host that will be the device's IPSec communication partner.

Operation check

Establish a communication and check whether or not the specified IPSec function operates properly.

Points to note at installation

When specifying IPSec settings, note that the IPSec peers negotiate with each other to decide how to establish the IPSec communication, including the port number, etc. Thus, the same selector setting should be specified on each host.

Take the case of IPSec communication between a Windows PC and this device, for instance: if remote UI (local port number 80 and remote port all ports) is specified on this device, then on the Windows side the "TCP" protocol must be selected, "From any port" must be specified as the source port, and port number "80" must be specified as the destination port; otherwise, negotiation will fail. (This means negotiation will fail if "From any port" is specified but "all ports" etc. is specified for the destination port.)


IPSec settings and operation check

Make the IPSec settings on the PC that will be the communication partner of the device on which IPSec is specified.

Here, the installation procedure in a simple configuration is outlined.

Example of configuration

IPSec settings are specified for 1 PC and 1 iR device, and the operation is checked.

Figure: a print document is sent from the PC to the iR device as encrypted data.

Setting procedure on device side

The procedure for the device IPSec settings is as follows.

1. Create a security policy.

Create a security policy with the following contents.

1) Enable IPSec and register the policy.

Use IPSec : ON

Receive Non-policy Packets : Allow

2) Register the Policy Name.

3) Selector Settings

Local Address : All IP addresses

Remote Address : All IP addresses

Port > Specify by Port Number : All Ports


4) IKE Settings

IKE Mode : Main

Authentication Method : Pre-shared Key Method

Shared Key : canon (any)

Auth/Encryption Algorithm : Auto

5) IPSec Network Settings

Validity : 480 mins (default), 0MB (default)

PFS : OFF

Auth./Encryption Algorithm : Auto

Connect. Mode : Transport (fixed)

2. Enable the security policy.

Enable the security policy (Policy-1) created in step 1.

Setting procedure on PC side

The PC settings (Windows Server 2003) are as follows.

1. Console registration

1) Select [Run...] from the start menu, input mmc in [Open], and then click the [OK] button.


2) When the console is displayed, select [Add/Remove Snap-in...] from the file menu.

3) Click [Add...] button.

4) Select [IP Security Policy Management] and click [Add] button.

5) Select [Local Computer] and click [Finish] button.


6) Click [Close] button.

7) Make sure that "IP Security Policy on Local Computer" is displayed and click [OK] button.

2. Registration of IP Security Policy

1) Right click [IP Security Policy on Local Computer] on the console and select [Create IP

Security Policy…].

2) When IP Security Policy Wizard is started, click [Next] button.


3) Enter the IP Security Policy name and click [Next] button.

4) Untick [Activate the default response rule..] and click [Next] button.

5) When a wizard is completed, click [Finish] button.

6) When IP Security Policy properties is displayed, click [Add..] button.


7) When Security Rule Wizard is started, click [Next] button.

8) Select [This rule does not specify a tunnel] and click [Next] button.

9) Select [All network connections] and click [Next] button.

10) Select [All IP traffic..] and click [Edit..] button.


11) Give the filter a name and click [Edit..] button.

12) Display the [Addresses] tab and select [Any IP Address] for both [Source address] and [Destination address].

13) Display the [Protocol] tab and select [Any] in [Select a protocol type].

14) Display the [Description] tab, input a comment for identification (arbitrary), and click [OK] button.


15) Click [OK] button.

16) Click [Next] button.

17) Select [Require Security] and click [Next] button.

18) Select [Use this string to protect the key exchange (pre-shared key)], enter the pre-shared key specified on the device side into the entry field, and click [Next] button.


19) Click [Finish] button.

20) Click [OK] button.

21) Click [OK] button.

3. Application of the security policy.

1) Right click the created policy and select [Assign].


MEMO: If the setting of the currently applied policy has been changed, it is necessary to un-assign the policy and assign it again.


Operation check

1. Send a ping from the PC to the device.

If IPSec is enabled, [Negotiating IP Security] is displayed the first time a ping is sent, and there will be a reply from the second time on.

Figure: Example of success

If the key exchange of IPSec has failed, all results are [Negotiating IP Security] (including the case where the receiver does not support IPSec).

Figure: Example of failure

2. Check with network capture software.

Here, the operation check method using the free software [Wireshark] is described.

1) Install Wireshark.

The source of the installer and the installation method are omitted.

2) Start Wireshark.

3) Click the [Show the Capture Options] button.


4) Select the PC network card in [Interface] and click the [Start] button.

5) Establish a communication either by submitting a print instruction from the PC to the device, or by running a ping command or displaying the device's remote UI, etc.

If ESP is displayed in [Protocol], it means the packets have been encrypted with ESP.

4 Maintenance

FAQ
Troubleshooting


Troubleshooting

FAQ

About the connection mode

Q. Does this product support the tunnel mode as a connection mode in which IPSec is applied?

A. No. The tunnel mode is not supported.

This product supports the transport mode only, which provides peer-to-peer IPSec communication.

About IPSec network settings

Q. What does the validity refer to?

A. It refers to the validity period (lifetime) of the IPSec and IKE SAs, after which they are updated.

About protocols

Q. In what environment is unencrypted AH used?

A. It is used in environments where encryption cannot be used.

In some environments, encryption of data is not permitted. In such a case, AH, which authenticates packets without encrypting them, is used.

Conflict with IP filter

Q. What operation is performed when a conflict occurs with the settings of the IP filter, which is the original function?

A. There is a setting with which IPsec discards the packets to which IPsec is not applied. The IP filter, which is the original function, also discards the packets which do not satisfy the filter settings.

Q. When the IPsec settings and IP filter settings overlap, which settings have priority?

A. When both IPSec and the IP filter are set, they are applied in the order IPSec, then IP filter, at the time of reception. At the time of transmission, they are applied in the order IP filter, then IPSec.

Troubleshooting

Q. Negotiation fails.

A. Check that the port setting of the security policy is the same on both devices.

In IPSec, the port setting in the security policy settings must be the same on both sides.

For instance, negotiation fails if Protocol is set to TCP and Port is set to All Port in the settings of this device, whereas Protocol is set to TCP and Port is set to 80 in the settings of the other device.

Q. No debug log file is found.

Although I made the setting to obtain debug logs in the Service Mode, I found no log file when I accessed the specified path.

A. Debug logs are deleted when the device is turned Off and On.


Service Mode


IPSec Security Board Status Check Test

You can execute tests to check the IPSec security board status from the Service Mode.

The following two tests are available:

Interrupt mode test: Creates pseudo packets and tests the chip processing.

Poll mode test: Tests the performance of the chip.

Procedure for IPSec Security Board Status Check Test

The procedure to execute the tests to check the status of the IPSec security board is explained below.

1) Press copier > test > network in the Service Mode (Level 1).

2) Select (press) IPSECINT (Interrupt mode test) or IPSECPOL (Poll mode test) and press the "OK" button.

While the test is being executed, "ACTIVE" blinks on the display.

Be sure to execute both tests. Each test takes approx. 3 minutes.

3) Check the test result when it is displayed.

Normal completion: "OK!"

Failed: "NG"


If either of the tests fails, the IPsec function does not work. When the result of either test is NG (failed), check that the accelerator is connected properly and execute the test again.

If the result of the retry is also NG (failed), the cause is considered to be a chip failure.


Deletion of All Registered Policies

You can delete all the policies registered in a device and initialize it.

This function should be used in emergency cases, such as when there is inconsistency between registered policies.

Procedure to Delete All Registered Policies

1) Press copier > option > body in the Service Mode (Level 2).

2) Input 1 in the SPDALDEL field and press "OK".

3) Restart the device.

When the device is restarted, all the registered policies are deleted, and the device is initialized.

4) Open the IPSec settings window and check that all the registered policies have been deleted.

5) Log in to the Service Mode again and reset the value of SPDALDEL to "0".


Acquisition of Debug Logs

Debug logs are prepared for those who are in charge of product development, and the information in the logs is not disclosed to users.

Acquisition of debug logs is performed at the direction of a support division of a Sales Company or a development division of Canon Inc. when a failure that cannot be dealt with on site occurs.

There is no need for a service person to check and evaluate debug logs at a user site.

Since IPSec operates in a process separate from the bootable process, its log information does not remain in the sub log.

Therefore, the setting to keep the IPSec logs must be made in the Service Mode.

Procedure to Obtain Debug Logs

1) Press copier > option > body in the Service Mode (Level 2).

2) Input the level of logs that you want to obtain in the IPSDEBLV field and press "OK". (The initial setting is "0".)

3) Restart the device.

4) Perform the operation whose log you want to obtain.

5) Connect a PC on which SST is running to the device, and obtain the log file from the following path:

  /APL_LOG/ipsec/ipseclog.txt

6) Restart the device again and check that the IPSDEBLV setting in the Service Mode has returned to the initial value (0).

While the settable range of the log level is 0 to 10, 8 is the highest log level. (9 and 10 are the same level as 8.)

The setting is enabled after the device is restarted. The setting value is automatically returned to 0 by internal processing after the device is restarted again.

When the log acquisition function is enabled, a file with the name ipseclog.txt is created under /APL_LOG/ipsec, and the log information is stored in that file. This file is deleted after the device is turned Off and On.

Log level 1 FATAL level: Displays fatal error information.

Log level 2 FATAL level: Displays fatal error information.

Log level 3 FATAL level: Displays fatal error information.

Log level 4 WARN level: Displays warning information.

Log level 5 WARN level: Displays warning information.

Log level 6 WARN level: Displays warning information.

Log level 7 LOG level: Displays important log information.

Log level 8 INFO level: Displays all logs.

Log level 9: Same as level 8.

Log level 10: Same as level 8.