
September 11, 2009

Revision 0

Security: IPSec Board-B2


Service Manual

IPSec Overview
Settings
Installation
Maintenance
Service Mode

Application
This manual has been issued by Canon Inc. for qualified persons to learn technical theory, installation, maintenance, and repair of products. This manual covers all localities where the products are sold. For this reason, there may be information in this manual that does not apply to your locality.

The following paragraph does not apply to any countries where such provisions are inconsistent with local law.

Corrections
This manual may contain technical inaccuracies or typographical errors due to improvements or changes in products. When changes occur in applicable products or in the contents of this manual, Canon will release technical information as the need arises. In the event of major changes in the contents of this manual over a long or short period, Canon will issue a new edition of this manual.

Trademarks
The product names and company names used in this manual are the registered trademarks of the individual companies.

Copyright
This manual is copyrighted with all rights reserved. Under the copyright laws, this manual may not be copied, reproduced or translated into another language, in whole or in part, without the written consent of Canon Inc.
(C) CANON INC. 2009

Caution
Use of this manual should be strictly supervised to avoid disclosure of confidential information.


Contents

IPSec Overview
  IPSec Overview ---------------------------------------------- 1-2
    What is IPSec? -------------------------------------------- 1-2
    Modes of operation ---------------------------------------- 1-4
    Protocol of authentication and cryptographic -------------- 1-4
    Key exchange protocols ------------------------------------ 1-5
  Specifications ---------------------------------------------- 1-6
    Operating Conditions of IPSec ----------------------------- 1-6
      Supported Devices --------------------------------------- 1-6
      Supported Functions ------------------------------------- 1-6
      Applicable Packets -------------------------------------- 1-6
      Specifications for Network Port ------------------------- 1-6
    Specifications for Security Policy ------------------------ 1-7
    Menu Items in IPSec Setting Window ------------------------ 1-8
    Other Specifications -------------------------------------- 1-10
  Restrictions ------------------------------------------------ 1-11
    Notification of Deletion of SAD --------------------------- 1-11
    Confliction with Sleep Function --------------------------- 1-11
    Link-Local Address ---------------------------------------- 1-11
    Certificate Method ---------------------------------------- 1-11
    Restrictions when Registering Multiple Policies ----------- 1-12
      Internal processing when restricted patterns occur ----- 1-12

Settings
  Settings Window --------------------------------------------- 2-2
    Path to IPSec Settings window ----------------------------- 2-2
    IPSec Settings window ------------------------------------- 2-2
  Registration/Edit Window ------------------------------------ 2-4
    Path to Registration/Edit Window -------------------------- 2-4
    Policy Name ----------------------------------------------- 2-4
    Selector Settings ----------------------------------------- 2-4
    IKE Settings ---------------------------------------------- 2-5
    IPSec Settings -------------------------------------------- 2-5
  Selector Settings Window ------------------------------------ 2-6
    Path to Selector Settings Window -------------------------- 2-6
    Local Address Settings/Remote Address Settings ------------ 2-6
    Port Settings --------------------------------------------- 2-7
  IKE Settings ------------------------------------------------ 2-8
    Path to IKE Settings Window ------------------------------- 2-8
    Mode ------------------------------------------------------ 2-8
    Authentication Method ------------------------------------- 2-9
    Auth./Encryption Algorithm -------------------------------- 2-9
  IPSec Network Settings -------------------------------------- 2-10
    Validity -------------------------------------------------- 2-10
    PFS ------------------------------------------------------- 2-10
    Authentication/Encryption Algorithm ----------------------- 2-11
    Connection Mode ------------------------------------------- 2-12

Installation
  Installation/Settings Procedure ----------------------------- 3-2
    Flow of installation settings for basic IPSec ------------- 3-2
      Review of security policy ------------------------------- 3-2
      Security policy settings -------------------------------- 3-2
      Operation check ----------------------------------------- 3-2
      Points to note at installation -------------------------- 3-2
  IPSec settings and operation check -------------------------- 3-3
    Setting procedure on device side -------------------------- 3-3
    Setting procedure on PC side ------------------------------ 3-4
    Operation check ------------------------------------------- 3-13

Maintenance
  FAQ --------------------------------------------------------- 4-2
  Troubleshooting --------------------------------------------- 4-2

Service Mode
  IPSec Security Board Status Check Test ---------------------- 5-2
    Procedure for IPSec Security Board Status Check Test ------ 5-2
  Deletion of All Registered Policies ------------------------- 5-4
    Procedure to Delete All Registered Policies --------------- 5-4
  Acquisition of Debug Logs ----------------------------------- 5-5
    Procedure to Obtain Debug Logs ---------------------------- 5-5


The following rules apply throughout this Service Manual:

1. Each chapter contains sections explaining the purpose of specific functions and the relationship between electrical and mechanical systems with reference to the timing of operation.
   In the diagrams, the drive symbol represents the path of mechanical drive; where a signal name accompanies the symbol, the arrow indicates the direction of the electric signal.
   The expression "turn on the power" means flipping on the power switch, closing the front door, and closing the delivery unit door, which results in supplying the machine with power.

2. In the digital circuits, '1' is used to indicate that the voltage level of a given signal is "High", while '0' is used to indicate "Low". (The voltage value, however, differs from circuit to circuit.) In addition, the asterisk (*) as in "DRMD*" indicates that the DRMD signal goes on when '0'.
   In practically all cases, the internal mechanisms of a microprocessor cannot be checked in the field. Therefore, the operations of the microprocessors used in the machines are not discussed: they are explained in terms of the path from the sensors to the input of the DC controller PCB and from the output of the DC controller PCB to the loads.

The descriptions in this Service Manual are subject to change without notice for product improvement or other purposes, and major changes will be communicated in the form of Service Information bulletins.
All service persons are expected to have a good understanding of the contents of this Service Manual and all relevant Service Information bulletins and be able to identify and isolate faults in the machine.

Explanation of Symbols
The following symbols are used throughout this Service Manual.

Symbol (general caution): Used for general attention, warnings, or a notice of a danger that is not otherwise specified.
Symbol (electric shock): Used to give notice of the possibility of electric shock.
Symbol (reference): Refers to an item written in the copier BASIC series which should be read to understand the contents.


IPSec Overview
  IPSec Overview
  Specifications
  Restrictions

IPSec Overview

What is IPSec?
IPSec is a function to provide secure IP communication to all packets at the IP level. The IPSec function can be applied to all IP packets regardless of IPv6 and IPv4. Since the IPSec function is applied to each IP packet, applications do not need to support the function. Communication between the nodes to which IPSec settings are applied automatically becomes secure communication while the applications are not aware of it.

In IPSec, whether or not to apply encryption and other processing is determined according to the data in each communication packet. To be specific, one of the following operations is performed:
- The IPSec settings are applied to a packet which satisfies the conditions. (Authentication and encryption are performed.)
- The IPSec settings are not applied to a packet which does not satisfy the conditions, and the normal operation is performed.
- A packet which does not satisfy the conditions is discarded.

As the conditions mentioned above, the start-point addresses, end-point addresses, protocol, and destination port are used. These condition items used to sort out communication packets are generally called "selectors." The concept of the "selector" is close to that of filtering in a router (the selector is called "IP Filter" in Windows), and multiple selectors can be defined. A selector including the detailed processing to be actually applied is called a "security policy." The security policy also includes the details of the IPSec protocol (AH, ESP, or IPComp) and the mode (transport mode or tunnel mode).

Example use cases of this product are provided below.

Case 1) Encrypt all print communications from a host computer with the IPSec settings.
(Figure: A host computer with IPSec settings sends its print data (print protocol: lpr, raw, ftp, IPP) as encrypted data over the IP network to the device. A host computer without IPSec settings sends its print data as unencrypted data.)

Case 2) Encrypt Send communications to the file server and host computer, and not encrypt print communications.
(Figure: The scanned documents Confidentiality1.tif and Confidentiality2.tif are sent (send protocol: smb, ftp) as encrypted data over the IP network to the file server and to the host computer. The print job Print1 from the host computer (print protocol: lpr, raw, ftp, IPP) is sent as unencrypted data.)

Case 3) Encrypt Internet FAX and Email transmission.*
(Figure: A G3 fax (G3FAX.tif) received over the PSTN as unencrypted data and a scanned document (Confidentiality1) are transmitted (protocol: smtp) as encrypted data over the IP network to the mail server and on to the host computer.)
* In Case 3, it is assumed that IPSec is also functioning between the mail server and host computer.

Modes of operation
IPSec has two modes of operation: the transport mode and the tunnel mode.

Overview of transport mode
In the transport mode, a 1-to-1 relationship is established between terminals, and only the data section excluding the IP header is authenticated and encrypted.
(Figure: IP header + data section, encryption, IP header + encrypted data section, decryption, IP header + data section. Only the data section is encrypted.)

Overview of tunnel mode
In the tunnel mode, a whole packet exchanged on the LAN including the IP header is encrypted and encapsulated. This mode is often used to establish a VPN.
(Figure: LAN, VPN router, Internet, VPN router, LAN. The VPN router encrypts the whole packet including the IP header and adds a new IP header; the VPN router at the other end decrypts it.)

The operation mode of IPSec supported by this product is the transport mode only.

Protocol of authentication and cryptographic
IPSec has two authentication and cryptographic protocols, ESP and AH.

AH (Authentication Header)
This is a protocol to guarantee authentication by detecting falsification of the communication data including the IP header. The communication data is not encrypted.
(Figure: IP header | AH | Data section. The scope of authentication covers the IP header, AH, and data section.)

ESP (Encapsulating Security Payload)
This is a protocol to guarantee integrity and authentication of only the payload section of the communication data and to provide confidentiality through encryption.
(Figure: IP header | ESP header | Data section | ESP trailer | ESP authentication data. The scope of encryption covers the data section and ESP trailer; the scope of authentication covers the ESP header through the ESP trailer.)

While ESP provides the encryption, sender authentication, and falsification detection features, AH does not have the encryption feature. In this product, you need to specify either ESP or AH; you cannot specify both protocols at the same time.
Key exchange protocols
IPSec has some key exchange protocols to execute authentication and encryption. This product supports IKEv1 (Internet Key Exchange version 1), which exchanges keys based on the standard protocol ISAKMP (Internet Security Association and Key Management Protocol). IKE has two processing phases: it creates the SA (Security Association) used by IKE in phase 1, and creates the SA (IPSec SA) used by IPSec in phase 2.

(Figure: IKE exchange between the two devices)
IKE Phase 1
  1. Proposal and selection of conditions: one side proposes several conditions including the algorithm and lifetime of the key, etc.
  2. Determination of the condition of the SA: the other side selects one of the conditions.
  3. Exchange of key by DH: each side creates and sends a numeric value which is used as a key element.
  4. Creation of key
  5. Authentication between devices: each side sends the ID and pass phrase, etc.
  6. Verification that the other end is legitimate
  Phase 1: The ISAKMP SA is generated, and the communication of IKE is encrypted.
IKE Phase 2
  7. Exchange of conditions and elements to create the SA: encryption method, hash method, connection conditions such as lifetime of the key, subnet, host, key element, etc.
  8. Determination of conditions for the SA: accepted.
  Phase 2: The IPSec SA is created, and communication through IPSec is started.
Encrypted communication through IPSec

In this product, as an authentication method of IKE, either the pre-shared key method or the digital signature method can be used.

When you use the pre-shared key method, you need to determine a keyword (up to 24 characters) called a pre-shared key beforehand, which is shared with the devices sending and receiving data. After setting the pre-shared key of the connection end with which IPSec communication is made in the operation panel of this product, you can make authentication in the pre-shared key method.

When you use a key in the electronic signature method, you need to install the key pair file and CA Certificate file created in the PC using UI, and then register the installed files in the operation panel of this product. Using the CA certificate, authentication is mutually performed with the connection end of the IPSec communication.
The accepted key pair and CA certificate for the authentication in the electronic signature method are shown below:
- RSA algorithm
- X.509 Certificate
- Key pair in PKCS#12 format

Specifications

Operating Conditions of IPSec
A device needs to satisfy all the following conditions to use the IPSec function.
- It is a supported device of IPSec.
- The IPSec security board is installed.*
- The IPSec function is enabled in the Local UI or Remote UI. (It is disabled in the initial setting upon shipment from the factory. See the Users Manual or this manual regarding how to enable the IPSec function.)
* To install the IPSec security board, the PCI Board Expansion Kit, which is available as an option, needs to be installed.

Supported Devices
The devices supported by IPSec are multifunction machines after imageRUNNER C5180/5185/4580 and printers after LBP3310.
The IPSec Security Board, which is an option, needs to be purchased and installed in any of these devices.

Supported Functions
Among the major functions stipulated by IPSec, those supported by this product are shown below:

Function                                   Support         Remarks
IPsec of IPv4                              Support
IPsec of IPv6                              Support
AH      NULL                               Support
        HMAC-SHA-1-96                      Support
        HMAC-MD5-96                        Support
        AES-XCBC-MAC-96                    Not Support
ESP     NULL                               Support
        DES-CBC                            Not Support
        3DES-CBC                           Support
        AES-CBC                            Support
        AES-CTR                            Not Support
        Other                              Not Support
Manual SA                                  Not Support
IKEv1                                      Support
IKEv2                                      Not Support
IKEv1 phase 1          Main Mode           Support
                       Aggressive Mode     Support
Authentication Method  Pre-shared key      Support
(IKEv1)                Digital signature (RSA)  Support
                       Public key encryption    Not Support
                       Advanced public key encryption  Not Support
DH (IKEv1)             Group 0 (not in use)  Not Support
                       Group 1             Support
                       Group 2             Support
                       Group 5             Not Support
                       Group 14            Support
                       Group 15            Not Support
                       Group 16            Not Support
                       Group 17            Not Support
                       Group 18            Not Support
                       Other               Not Support
Encryption (IKEv1)     DES-CBC             Not Support
                       3DES-CBC            Support
                       AES-CBC             Support
                       AES-CTR             Not Support
                       Other               Not Support
Authentication (IKEv1) AUTH-HMAC-SHA1-96   Support
                       AUTH-HMAC-MD5-96    Support
                       AUTH-HMAC-XCBC-96   Not Support

Applicable Packets
The packets to which this product applies the IPSec processing are those exchanged via the following protocols.
- TCP
- UDP
- ICMP

Specifications for Network Port
The network port used by the IPSec function is shown below:

Protocol   Port No.   Description
UDP        500        Used to receive and send keys when the ISAKMP protocol exchanges keys.

Specifications for Security Policy
The specifications for security policy are shown below:

Item                                       Value                       Remarks
Policy name                                1 to 24 characters in ASCII
Number of policies that can be registered  10                          The table area which controls policies is called the security policy database (SPD).

Menu Items in IPSec Setting Window
The menu and item names are listed below with their remarks; "(initial setting)" marks the value selected upon shipment.

Use IPSec
  ON: Enables the IPSec function.
  OFF: Disables the IPSec function. (initial setting)
Receive Non-policy Packet
  Allow: Allows the packet which does not meet the policy. (initial setting)
  Reject: Rejects the packet which does not meet the policy.
Policy On/Off: Enables or disables the selected policy.
Regi.: Registers a new policy.
  Selector Settings: Sets the selector which works as a filter of IPSec.
    Local Address: Makes the filter setting of a packet according to the local address in the packet.
      All IP Address: Targets all IP addresses as the local address. (initial setting)
      All IPv4 Addresses: Targets all IPv4 addresses for its own local address.
      All IPv6 Addresses: Targets all IPv6 addresses for its own local address.
      IPv4 Manual Settings: Targets specified IPv4 addresses for its own local address.
        Single Address: Specifies a single address.
        Range Address: Specifies the range of addresses.
        Subnet Settings: Specifies addresses by the subnet.
      IPv6 Manual Settings: Targets specified IPv6 addresses for its own local address.
        Single Address: Specifies a single address.
        Range Address: Specifies the range of addresses.
        Subnet Settings: Specifies a prefix of addresses.
    Remote Address: Makes the filter setting of a packet according to the remote address in the packet.
      All IP Address: Targets all IP addresses as the remote address. (initial setting)
      All IPv4 Addresses: Targets all IPv4 addresses for its own remote address.
      All IPv6 Addresses: Targets all IPv6 addresses for its own remote address.
      IPv4 Manual Settings: Targets specified IPv4 addresses for its own remote address.
        Single Address: Specifies a single address.
        Range Address: Specifies the range of addresses.
        Subnet Settings: Specifies addresses by the subnet.
      IPv6 Manual Settings: Targets specified IPv6 addresses for its own remote address.
        Single Address: Specifies a single address.
        Range Address: Specifies the range of addresses.
        Subnet Settings: Specifies addresses by the subnet.
    Port: Makes the filter setting of a packet according to the port number in the packet.
      Specify by Port Number: Makes the setting by manually specifying a port.
        Local Port: Specifies local ports.
          All Port: Targets all local ports. (initial setting)
          Single Settings: Specifies a target local port individually.
        Remote Port: Specifies remote ports.
          All Port: Targets all remote ports. (initial setting)
          Single Settings: Specifies a target remote port individually.
      Specify by Service Name: Makes the filter setting of a packet by specifying a service name.
        Service On/Off: Specifies On or Off for the 7 services "SMTP Receive", "SMTP Send", "HTTP Client", "HTTP Server", "POP3", "LPD", and "RAW".
  IKE Settings: Makes the settings related to IKE (key exchange protocol) of the security policy.
    IKE Mode: Sets the ISAKMP message exchange protocol.
      Main: Sets the ISAKMP message exchange protocol to the Main mode. (initial setting)
      Aggressive: Sets the ISAKMP message exchange protocol to the Aggressive mode.
    Authentication Method: Sets the authentication method of IKE.
      Pre-shared Key Method: Sets the authentication method of IKE to the pre-shared key method. (initial setting)
        Shared Key: Sets the shared key which is used as the pre-shared key of IKE.
      Digital Signature Method: Sets the authentication method of IKE to the digital signature method.
        Key and Certificate: Makes the settings related to digital signature.
          Key Settings: Sets the key which is used for digital signature.
          Certificate Details: Checks the information about the registered certificate.
    Authentication/Encryption Algorithm: Sets the authentication and encryption algorithms for IKE.
      Auto: Sets the authentication and encryption algorithms for IKE automatically.
      Manual Settings: Sets the authentication and encryption algorithms for IKE manually.
        Regi.: Registers the authentication and encryption algorithms.
          Authentication: Sets the authentication algorithm.
            SHA 1: Sets the authentication algorithm to SHA 1.
            MD 5: Sets the authentication algorithm to MD 5.
          Encryption: Sets the encryption algorithm.
            3 DES-CBC: Sets the encryption algorithm to 3 DES-CBC.
            AES-CBC: Sets the encryption algorithm to AES-CBC.
          DH Group: Sets the DH algorithm.
            Group1 (762): Sets the DH algorithm to Group 1.
            Group2 (1024): Sets the DH algorithm to Group 2.
            Group3 (2048): Sets the DH algorithm to Group 3.
        Edit: Edits the already registered authentication and encryption algorithms.
        Delete: Deletes the already registered authentication and encryption algorithms.
  IPSec Setting: Sets how to process the packet which satisfies the conditions specified by the selector.
    Validity: Sets the update validity of the SA of IPsec/IKE.
      Time: Sets the update validity of the SA of IPsec/IKE by time. (initial setting: 480)
      Size: Sets the update validity of the SA of IPsec/IKE by the data size.
    Connection Mode: Sets the connection mode in which IPsec is applied.
      Transport: Sets the connection mode of IPsec to the transport mode. (initial setting)
      IPv4 Tunnel: Not supported.
      IPv6 Tunnel: Not supported.
    PFS: Sets On/Off of Perfect Forward Secrecy (PFS) of IPsec.
      ON: Sets PFS of IPsec to On.
      OFF: Sets PFS of IPsec to Off.
    Auth./Encryption Algorithm: Sets the authentication and encryption algorithms.
      Auto: Sets the authentication and encryption algorithms automatically.
      Manual Settings: Sets the authentication and encryption algorithms manually.
        Regi.: Registers the authentication and encryption algorithms.
          ESP: Sets ESP as the authentication and encryption algorithm.
          AH: Sets AH as the authentication and encryption algorithm.
Edit: Edits the already registered policies. The items that can be edited are the same as those for registration.
Delete: Deletes the already registered policies.

Other Specifications

Retry intervals
In the IKE negotiation, when no response is returned from the connection end, a retry is made. The first retry interval can be set in the Service Mode. The second and later retries are made at intervals twice as long as the previous retry interval. The maximum interval is 10 sec.

Example: Setting values of the retry intervals and actual retry intervals
(Figure: time axis 0, 5, 10, 15, 20, 25, 30, 35 sec)
- Retry timing when the first retry interval is set to 1 sec: 1 sec, 2 sec, 4 sec, 8 sec, 10 sec, 10 sec ... (retries at 1, 3, 7, 15, 25, 35 sec). Each retry is made at an interval twice as long as the previous interval; since the maximum interval is 10 sec, retries are made at 10 sec intervals hereafter.
- Retry timing when the first retry interval is set to 3 sec: 3 sec, 6 sec, 10 sec, 10 sec ...
- Retry timing when the first retry interval is set to 7 sec: 7 sec, 10 sec, 10 sec ...
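The retry timing above, modelled as an added example (not code from the Canon manual): the first interval is the Service Mode value, each later interval is doubled, and the interval is capped at 10 sec. The function names are assumptions.

```python
# Added example, not from the Canon manual: models the IKE retry timing the
# manual describes (first interval set in Service Mode, later intervals doubled,
# capped at MAX_INTERVAL_SEC).
MAX_INTERVAL_SEC = 10


def retry_intervals(first_interval_sec, retries):
    """Return the interval (seconds) before each of `retries` retries."""
    if first_interval_sec < 1 or retries < 0:
        raise ValueError("first interval must be >= 1 sec and retries >= 0")
    intervals = []
    interval = min(first_interval_sec, MAX_INTERVAL_SEC)
    for _ in range(retries):
        intervals.append(interval)
        # next interval is twice the previous one, but never above the cap
        interval = min(interval * 2, MAX_INTERVAL_SEC)
    return intervals


def retry_times(first_interval_sec, retries):
    """Elapsed time (seconds from the initial send) at which each retry fires."""
    times, elapsed = [], 0
    for interval in retry_intervals(first_interval_sec, retries):
        elapsed += interval
        times.append(elapsed)
    return times


def retries_within(first_interval_sec, window_sec):
    """Number of retries sent before window_sec elapses when the peer never answers."""
    count, elapsed = 0, 0
    interval = min(first_interval_sec, MAX_INTERVAL_SEC)
    while elapsed + interval <= window_sec:
        elapsed += interval
        count += 1
        interval = min(interval * 2, MAX_INTERVAL_SEC)
    return count


if __name__ == "__main__":
    # the three settings shown in the manual's chart
    for first in (1, 3, 7):
        print(first, "sec:", retry_intervals(first, 6), "->", retry_times(first, 6))
```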

Restrictions

Notification of Deletion of SAD
When a Security Association (SA) of IPsec is established between an external device and this device, a Security Association Database (SAD) is established between them. If any of the following operations is performed in this state, there is a need to notify deletion of the policy to the other end.
- One of the devices is shut down (the power is turned Off).
- The policy in question is disabled.
- The policy in question is deleted.
- The IPsec function is turned Off (disabled).
However, this device does not support this policy deletion notification function. If any of the aforementioned operations is performed, the policy needs to be manually deleted from the SAD in the other end.

Certificate Method
When you select the certificate method in IKE, the specified key pair needs to be issued by the same root certificate authority which issued the certificate of the other end of the IPsec communication. Thus, a key pair with a self-signed certificate has a different root, and the negotiation fails.
Since the certificate validity is checked, the devices need to preset the time using SNTP, etc.

Confliction with Sleep Function
When the sleep function of the device is enabled and "Use IPSec" in the IPsec settings is set to "On" (enabled), the device does not go into the sleep mode (S3 mode). If the IPsec setting is set to "Off" (disabled), it goes into the sleep mode.

Link-Local Address
When you make selector settings that include a link-local address, IPsec is not applied to the packets addressed to link-local addresses, and they are discarded. For instance, when "IPv6 Address" is selected in Local Selector Settings, the packets addressed to link-local addresses are discarded.
In the case of manually specified addresses, those with the prefix "fe80" are considered as link-local addresses.
However, in the models after the iRA C5030/iRA C9075 Series, IPsec can be applied to IPv6 link-local addresses.
Note that link-local addresses and global addresses cannot be specified at the same time. For instance, all IPv6 addresses are considered as global addresses. Therefore, fe80::xxxx, ::/0, and 1111::xxxx, etc. cannot be assigned to them. If the local address is a link-local address, the remote address also needs to be a link-local address.
When "IPv6 Address" is selected in Local Address, and "All IPv6 Address" in Remote Address, IPsec is also applied to link-local addresses.

Restrictions when Registering Multiple Policies


When the Mode Settings of IEKv1 is Main Mode, and multiple policies are registered with the
Pre-shared Key Method, there are the following restrictions due to the specification limits of
the IEKv1 protocol.
1) A same pre-shared key must be applied to all the policies in which a single address is
not specified as the remote address.
2) The policies in which a single address is not specified as a remote address must have
lower priority than those in which a single address is specified.

1
2
3
4

aaa
bbb
ccc
ddd

All IPv4 Address


All IPv4 Address
All IPv4 Address
All IPv6 Address

local port
All Port
All Port
9100
9100

policy policy
priority name
1
2

aaa
bbb

local address

local
port

All IPv4 Address


All IPv4 Address

All Port
9100

remote address

remote port pre-shared


key

172.24.1.1/255.255.0.0 All Port


172.24.111.111
All Port

hoge
hoge2

Although the policy name "aaa" specifies a single address as the remote address, its priority
is higher than "bbb. "

that the above restricted patterns cannot be registered.

Pattern 1: Combination in which no restrictions occur


local address

are violations.)

imageRUNNER 3225/3235/3245 JE version internally performs the following processing so

The table below shows the registration patterns.


policy policy
priority name

Pattern 4: Combination which violates the aforementioned restriction 2). (The items in blue

remote address remote port pre-shared


key
172.24.111.111
172.24.222.222
All IPv4 Address
All IPv6 Address

All Port
All Port
All Port
All Port

hoge
hoge2
hoge3
hoge3

Processing 1) Insert a policy at an appropriate priority when registering or editing it.


Processing 2) When a policy is registered, if a single address is not specified as the remote
address, and the specified pre-shared key is different from the one specified to the group,
the policy cannot be registered.
(imageRUNNER 3225/3235/3245 FIGS and later models)

Processing 3) When a policy is registered, if a single address is not specified as the remote
address, and the specified pre-shared key is different from the one specified to the group,

Pattern 2: Combination which violates the aforementioned restriction 1) (The items in blue are

the pre-shared key of the latest policy is applied to all the pre-shared keys.

violations.)

(imageRUNNER 3225/3235/3245 JE)

policy policy
priority name
1
2
3
4

aaa
bbb
ccc
ddd

local address
All IPv4 Address
All IPv4 Address
All IPv4 Address
All IPv6 Address

local port
All Port
All Port
9100
9100

remote address remote port pre-shared


key
172.24.111.111
172.24.222.222
All IPv4 Address
All IPv6 Address

All Port
All Port
All Port
All Port

hoge
hoge2
hoge3
hoge4

Although the policy names "ccc" and "ddd" do not specify a single address as the remote
address, different pre-shared keys are set.
Pattern 3: Combination which violates the aforementioned restriction 2). (The items in blue
are violations.)

policy priority | policy name | local address    | local port | remote address   | remote port | pre-shared key
1               | aaa         | All IPv4 Address | All Port   | 172.24.111.111   | All Port    | hoge
2               | bbb         | All IPv4 Address | 9100       | All IPv4 Address | All Port    | hoge2
3               | ccc         | All IPv6 Address | 9100       | All IPv6 Address | All Port    | hoge2
4               | ddd         | All IPv4 Address | All Port   | 172.24.222.222   | All Port    | hoge3

Although the policy names "bbb" and "ccc" do not specify a single address as the remote
address, their priority is higher than "ddd."

Processing 4) When the policy priority order is changed, a change of the order which does
not meet the restricted specifications cannot be made.

Internal processing when restricted patterns occur
The detailed operations of the aforementioned internal processing (Processing 1 to 4) are
explained below.

Automatic insertion of policy (Processing 1)
When a policy is newly registered or edited, the Remote Address setting is checked, and the
policy is inserted at an appropriate priority.
For instance, when a new policy (policy name "eee" in the table below) is registered to a
device in which several policies have already been registered, it is normally added at the
bottom. However, if the remote address setting violates the restrictions, it is registered not at
the bottom but at an appropriate priority.

1-12

1-13
List of existing policies

policy priority | policy name | local address    | local port | remote address   | remote port | pre-shared key
1               | aaa         | All IPv4 Address | All Port   | 172.24.111.111   | All Port    | hoge
2               | bbb         | All IPv4 Address | All Port   | 172.24.222.222   | All Port    | hoge2
3               | ccc         | All IPv4 Address | 9100       | All IPv4 Address | All Port    | hoge3
4               | ddd         | All IPv6 Address | 9100       | All IPv6 Address | All Port    | hoge3

Policy that you attempt to newly register

policy name | local address    | local port | remote address | remote port | pre-shared key
eee         | All IPv4 Address | All Port   | 172.24.133.133 | All Port    | hoge4

List of policies after registration

policy priority | policy name | local address    | local port | remote address   | remote port | pre-shared key
1               | aaa         | All IPv4 Address | All Port   | 172.24.111.111   | All Port    | hoge
2               | bbb         | All IPv4 Address | All Port   | 172.24.222.222   | All Port    | hoge2
3               | eee         | All IPv4 Address | All Port   | 172.24.133.133   | All Port    | hoge4
4               | ccc         | All IPv4 Address | 9100       | All IPv4 Address | All Port    | hoge3
5               | ddd         | All IPv6 Address | 9100       | All IPv6 Address | All Port    | hoge3

Prohibition of Registration (Processing 2)
When a policy is registered, if any option other than "Single Address" is specified in Remote
Address, and the specified pre-shared key is different from the one specified to the group, the
policy cannot be registered. (imageRUNNER 3225/3235/3245 FIGS or later)
When registering a new policy or editing an existing policy, if any option other than "Single
Address" is selected in Remote Address, the policy cannot be registered if the specified
pre-shared key is different from the registered one specified to the group.
For example, when you register a new policy with the name "eee" and the pre-shared key
"hoge4" to a registered device, the policy violates the restrictions, and the registration fails.

List of existing policies

policy priority | policy name | local address    | local port | remote address   | remote port | pre-shared key
1               | aaa         | All IPv4 Address | All Port   | 172.24.111.111   | All Port    | hoge
2               | bbb         | All IPv4 Address | All Port   | 172.24.222.222   | All Port    | hoge2
3               | ccc         | All IPv4 Address | 9100       | All IPv4 Address | All Port    | hoge3
4               | ddd         | All IPv6 Address | 9100       | All IPv6 Address | All Port    | hoge3

Policy that you attempt to newly register

policy name | local address    | local port | remote address   | remote port | pre-shared key
eee         | All IPv6 Address | 80         | All IPv6 Address | All Port    | hoge4

When you attempt to register the above policy, the following message appears: "Check
the settings. When Pre-shared Key Method for AUTH Method is set to other than a single
address, the shared key characters must be the same when registering multiple policies."

Unification of pre-shared key (Processing 3)
When a policy is registered, if a single address is not specified as the remote address, and
the specified pre-shared key is different from the one specified to the group, the pre-shared
key of the latest policy is applied to all the pre-shared keys.
(imageRUNNER 3225/3235/3245 JE)
When a new policy is registered or an existing policy is edited, if any option other than "Single
Address" is specified in Remote Address, a message to ask whether or not to use the same
pre-shared key for all the registered policies appears. If you agree, the pre-shared key of
the last registered policy is applied to all the pre-shared keys of the policies of which remote
address is specified by group.
For example, when you register a new policy with the name "eee" and the pre-shared key
"hoge4" to a registered device, all the pre-shared keys of the policies of which remote
address is not a single address are standardized.

List of existing policies

policy priority | policy name | local address    | local port | remote address   | remote port | pre-shared key
1               | aaa         | All IPv4 Address | All Port   | 172.24.111.111   | All Port    | hoge
2               | bbb         | All IPv4 Address | All Port   | 172.24.222.222   | All Port    | hoge2
3               | ccc         | All IPv4 Address | 9100       | All IPv4 Address | All Port    | hoge3
4               | ddd         | All IPv6 Address | 9100       | All IPv6 Address | All Port    | hoge3

Policy that you attempt to newly register

policy name | local address    | local port | remote address   | remote port | pre-shared key
eee         | All IPv6 Address | 80         | All IPv6 Address | All Port    | hoge4

List of policies after registration

policy priority | policy name | local address    | local port | remote address   | remote port | pre-shared key
1               | aaa         | All IPv4 Address | All Port   | 172.24.111.111   | All Port    | hoge
2               | bbb         | All IPv4 Address | All Port   | 172.24.222.222   | All Port    | hoge2
3               | ccc         | All IPv4 Address | 9100       | All IPv4 Address | All Port    | hoge4
4               | ddd         | All IPv6 Address | 9100       | All IPv6 Address | All Port    | hoge4
5               | eee         | All IPv6 Address | 80         | All IPv6 Address | All Port    | hoge4

1-14
Prohibition of change of the policy order (Processing 4)
When you change the priority order of policies, a change of the order which violates the
restricted specifications is prohibited.
For instance, when the policies given in the table below are already registered, if you
attempt to move the policy "bbb" to the lower position using "Lower Priority," it violates the
restrictions, and the attempt fails.

policy priority | policy name | local address    | local port | remote address   | remote port | pre-shared key
1               | aaa         | All IPv4 Address | All Port   | 172.24.111.111   | All Port    | hoge
2               | bbb         | All IPv4 Address | All Port   | 172.24.222.222   | All Port    | hoge2
3               | ccc         | All IPv4 Address | 9100       | All IPv4 Address | All Port    | hoge3
4               | ddd         | All IPv6 Address | 9100       | All IPv6 Address | All Port    | hoge3

On imageRUNNER 3225/3235/3245 FIGS and later devices, if you attempt to change the
order of policies against the restrictions, the following message appears: "When Pre-shared
Key Method is set for AUTH Method, a policy with a single remote address cannot a lower
priority than other policies."
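As an added illustration (example code written for this manual, not Canon firmware), the following Python models the Security Policy Database under restrictions 1) and 2) and Processing 1 to 4, using the policies from the tables above. The class and function names are assumptions, as is the "FIGS"/"JE" switch that selects refusal (Processing 2) or key unification (Processing 3).

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Policy:
    name: str
    local_address: str
    local_port: str
    remote_address: str   # a single IP, or a group such as "All IPv4 Address"
    remote_port: str
    pre_shared_key: str

    def has_single_remote(self) -> bool:
        # "Single Address" means anything other than the group selections.
        return not self.remote_address.startswith("All ")


class RestrictionError(Exception):
    """Raised when a registration would violate restriction 1) or 2)."""


class SPD:
    """Security Policy Database: an ordered list, index 0 = priority 1."""

    def __init__(self, mode: str = "FIGS") -> None:
        # "FIGS": Processing 2, a group policy with a different key is refused.
        # "JE":   Processing 3, the group keys are unified to the newest key.
        if mode not in ("FIGS", "JE"):
            raise ValueError("mode must be 'FIGS' or 'JE'")
        self.mode = mode
        self.policies: List[Policy] = []

    def _group_key(self) -> Optional[str]:
        """Pre-shared key used by the group (non-single remote) policies, if any."""
        for p in self.policies:
            if not p.has_single_remote():
                return p.pre_shared_key
        return None

    @staticmethod
    def _ordering_ok(order: List[Policy]) -> bool:
        """Restriction 1): no single-address policy may follow a group policy."""
        seen_group = False
        for p in order:
            if p.has_single_remote() and seen_group:
                return False
            seen_group = seen_group or not p.has_single_remote()
        return True

    def register(self, new: Policy) -> int:
        """Register a policy; returns its 1-based priority (Processing 1 to 3)."""
        if len(self.policies) >= 10:              # the list holds up to 10 policies
            raise RestrictionError("policy list is full")
        if not new.has_single_remote():
            group_key = self._group_key()
            if group_key is not None and group_key != new.pre_shared_key:
                if self.mode == "FIGS":           # Processing 2: refuse registration
                    raise RestrictionError("shared key characters must be the same "
                                           "when registering multiple group policies")
                for p in self.policies:           # Processing 3: unify to newest key
                    if not p.has_single_remote():
                        p.pre_shared_key = new.pre_shared_key
        # Processing 1: a single-address policy goes just above the first group
        # policy instead of at the bottom; a group policy goes to the bottom.
        index = len(self.policies)
        if new.has_single_remote():
            for i, p in enumerate(self.policies):
                if not p.has_single_remote():
                    index = i
                    break
        self.policies.insert(index, new)
        return index + 1

    def move(self, name: str, direction: str) -> bool:
        """'raise' / 'lower' the priority by one; Processing 4 refuses a bad order."""
        i = [p.name for p in self.policies].index(name)
        j = i - 1 if direction == "raise" else i + 1
        if j < 0 or j >= len(self.policies):
            return False
        candidate = list(self.policies)
        candidate[i], candidate[j] = candidate[j], candidate[i]
        if not self._ordering_ok(candidate):
            return False
        self.policies = candidate
        return True


def load_existing(mode: str) -> SPD:
    """Build the "list of existing policies" used in the Processing 1 to 4 tables."""
    spd = SPD(mode)
    for p in [
        Policy("aaa", "All IPv4 Address", "All Port", "172.24.111.111", "All Port", "hoge"),
        Policy("bbb", "All IPv4 Address", "All Port", "172.24.222.222", "All Port", "hoge2"),
        Policy("ccc", "All IPv4 Address", "9100", "All IPv4 Address", "All Port", "hoge3"),
        Policy("ddd", "All IPv6 Address", "9100", "All IPv6 Address", "All Port", "hoge3"),
    ]:
        spd.register(p)
    return spd
```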


Settings
Settings Window
Registration/Edit Window
Selector Settings Window
IKE Settings
IPSec Network Settings

2-2

Settings Window
The IPSec settings are made in the system control window in the operation panel of the
device.

IPSec Settings window


In the IPSec Settings window, you can set whether or not to use IPSec, policies to which
IPSec is applied, and their priority, etc.

Path to IPSec Settings window
The path to the IPSec Settings window is shown below:
User Mode (Top) > Preference > Network > TCP/IP Settings > IPSec Settings

[Use IPSec]
This item is used to set whether or not to use the IPSec function. The default setting is "Off."

[Receive Non-policy Packets]
This item is used to set whether to allow or reject a packet which does not meet any of the
registered policies. The default setting is "Allow."

2-3
[Policy List]
The policy list shows a list of the registered policies.
With this product, up to 10-pattern policies can be registered in a device. The table area
which controls policies in a device is called Security Policy Database (SPD).
The specifications for the policy list are given below:
Up to 10 policies can be registered and displayed.
Even when no policy is registered, the priority numbers from 1 to 10 are displayed.
When a policy is registered, it is added at the bottom of the list.
When a packet is received, whether or not to apply a policy is determined in the ascending
order of priority.
When a registered policy is deleted, the policies in the lower priority are moved up.
To set On/Off of a policy, select a policy and press "Policy On/Off."
To set the priority order of policies, select a policy and press "Raise Priority" or "Lower
Priority."
Although up to 24 characters in ASCII can be set as a policy name, a whole name might
not be displayed in the list.

[Policy On/Off]
This item is used to set "On" or "Off" to the status of the policy selected in the list.

[Regi.]
Press this item to create or register a new policy.
For information on the policy registration window, see "Registration/Edit Window."

[Edit]
Press this item to edit the policy selected in the list.
For information on the policy registration window, see "Registration/Edit Window."

[Delete]
Press this item to delete the policy selected in the list.

[Print List]
This item is used to print out the settings of a registered policy.

Print sample

2009 03/16 MON 11:46                    iR-ADV C5051                    001

          ******************************
          ***   IPSec Policy List    ***
          ******************************

Priority1                         ON
  Policy Name                     Policy-1
  Selector Settings
    Local Address                 All IPv4 Addresss
    Remote Address                All IP Addresses
    Port
      Local Port                  All Port
      Remote Port                 All Port
  IKE Settings
    IKE Mode                      Main
    Authentication Method         Digital sig. Method
    Auth./Encryption Algorithm    Auto
  IPSec Network Settings
    Validity
      Time                        ON    480 min
      Size                        ON    10 MB
    PFS                           OFF
    Auth./Encryption Algorithm    Auto
    Connect. Mode                 Transport

Priority2                         ON
  Policy Name                     Policy-2
  Selector Settings
    Local Address                 All IP addresses


2-4
Registration/Edit Window
In the registration/edit window, policies used by IPSec are registered or edited.

Path to Registration/Edit Window
The path to the registration/edit window is shown below:
User Mode (Top) > Preference > Network > TCP/IP Settings > IPSec Settings > Regi. or > Edit
("Edit" must be pressed while a policy is selected.)

Policy Name
This item is used to set a policy name.

Selector Settings
This item is used to set a selector.
When you press "Selector," the Selector Settings window appears. For more details, see
Selector Settings Window.

2-5
IKE Settings
In this window, the ISAKMP message exchange protocol (IKE mode) and authentication
method are set. For more details, see IKE Settings.

IPSec Settings
In this window, the IPSec communication settings are made. For more details, see IPSec
Network Settings.


2-6
Selector Settings Window
In the Selector Settings window, the settings of the conditions to determine the processing
applied to a packet are made.
The conditions are Start-point IP Address, End-point IP Address, protocol, and destination
port, etc. A communication packet which satisfies these conditions is selected.

Path to Selector Settings Window
The path to the selector edit window is shown below:
User Mode (Top) > Preference > Network > TCP/IP Settings > IPSec Settings > Regi. or >
Edit > Selector Settings

Local Address Settings/Remote Address Settings
These items are used to set whether or not to target the start-point address and end-point
address in communication packets.

All IP Address
Select this option when you target all local addresses.

All IPv4 Addresses
Select this option when you target the packets which have a local IPv4 address at the
start-point address or end-point address.

All IPv6 Addresses
Select this option when you target the packets which have a local IPv6 address at the
start-point address or end-point address.

IPv4 Manual Settings
Select this option when you specify a specific IPv4 address or specify the range of IPv4
addresses. When you press this option, the setting window is opened.

IPv6 Manual Settings
Select this option when you specify a specific IPv6 address or specify the range of IPv6
addresses. When you press this option, the setting window is opened.


2-7

Port Settings
This item is used to set whether or not to apply IPSec to the packets which include a specific
port (or service).

Specify by Port Number
Select this option when you specify a specific port number. When you press this item, the
setting window is opened.
In Local Port or Remote Port, select "All Ports" or "Specify Port."
When you specify a port (Specify Port), enter a port number.

Specify by Service Name
Select this option when you specify packets not by a port number, but by a service name.
When you press this item, the setting window is opened.
Set On or Off to the seven services, "SMTP Receive", "SMTP Send", "HTTP Client", "HTTP
Server", "POP3", "LDP", and "RAW".
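An added illustration, written for this manual and not Canon firmware code, of how a received packet is matched against the policy list: the policies are tried in ascending priority, the first switched-on policy whose selector (Local/Remote Address and Local/Remote Port, using the options of the Selector Settings window) matches is applied, and a packet matching no policy is handled by [Receive Non-policy Packets]. The AddressSpec, PortSpec and Packet structures, the function names and the sample policies are assumptions constructed for the example.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Address options of the Selector Settings window, used for Local and Remote Address.
GROUP_KINDS = ("All IP Address", "All IPv4 Addresses", "All IPv6 Addresses")
MANUAL_KINDS = ("IPv4 Manual Settings", "IPv6 Manual Settings")


@dataclass
class AddressSpec:
    kind: str                     # one of GROUP_KINDS or MANUAL_KINDS
    start: Optional[str] = None   # manual: the address, or the start of a range
    end: Optional[str] = None     # manual: end of the range (None = single address)

    def matches(self, addr: str) -> bool:
        ip = ipaddress.ip_address(addr)
        if self.kind == "All IP Address":
            return True
        if self.kind == "All IPv4 Addresses":
            return ip.version == 4
        if self.kind == "All IPv6 Addresses":
            return ip.version == 6
        if self.kind not in MANUAL_KINDS:
            raise ValueError(f"unknown address option: {self.kind}")
        if ip.version != (4 if self.kind == "IPv4 Manual Settings" else 6):
            return False
        lo = ipaddress.ip_address(self.start)
        hi = ipaddress.ip_address(self.end) if self.end else lo
        return lo <= ip <= hi


@dataclass
class PortSpec:
    value: str = "All Ports"      # "All Ports" or a port number as entered

    def matches(self, port: int) -> bool:
        return self.value == "All Ports" or int(self.value) == port


@dataclass
class Policy:
    name: str
    on: bool                      # the [Policy On/Off] status shown in the list
    local: AddressSpec
    remote: AddressSpec
    local_port: PortSpec = field(default_factory=PortSpec)
    remote_port: PortSpec = field(default_factory=PortSpec)


@dataclass
class Packet:
    """A received packet as seen by the device: local = destination, remote = source."""
    local_addr: str
    remote_addr: str
    local_port: int
    remote_port: int


def lookup(spd: List[Policy], pkt: Packet,
           receive_non_policy: str) -> Tuple[str, Optional[str]]:
    """Walk the list in ascending priority (list order) and return ("IPSec", name)
    for the first On policy whose selector matches; otherwise ("Allow"/"Reject", None)
    according to the [Receive Non-policy Packets] setting."""
    if receive_non_policy not in ("Allow", "Reject"):
        raise ValueError("Receive Non-policy Packets must be 'Allow' or 'Reject'")
    for policy in spd:
        if not policy.on:
            continue
        if (policy.local.matches(pkt.local_addr)
                and policy.remote.matches(pkt.remote_addr)
                and policy.local_port.matches(pkt.local_port)
                and policy.remote_port.matches(pkt.remote_port)):
            return ("IPSec", policy.name)
    return (receive_non_policy, None)


def sample_spd() -> List[Policy]:
    """Constructed sample list: remote UI (port 80) from one IPv4 range, RAW print
    (port 9100) from any IPv4 host, and a switched-off IPv6 policy."""
    return [
        Policy("ui", True, AddressSpec("All IPv4 Addresses"),
               AddressSpec("IPv4 Manual Settings", "172.24.0.1", "172.24.0.254"),
               PortSpec("80"), PortSpec("All Ports")),
        Policy("raw", True, AddressSpec("All IPv4 Addresses"),
               AddressSpec("All IPv4 Addresses"), PortSpec("9100")),
        Policy("v6", False, AddressSpec("All IPv6 Addresses"),
               AddressSpec("All IPv6 Addresses")),
    ]
```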
2-8

IKE Settings
This item is used to make the settings related to key exchange protocols.

Path to IKE Settings Window
The path to the IKE edit window is shown below:
User Mode (Top) > Preference > Network > TCP/IP Settings > IPSec Settings > Regi. or >
Edit > IKE Settings

Mode
This item is used to specify the mode to exchange ISAKMP messages when IKE SA is
created in the IKE Phase 1.
The available modes are the main mode and aggressive mode.
The differences between the main mode and aggressive mode in the IKE Phase 1 are shown
in the table below.

Mode            | Description
Main mode       | The Phase 1 is finished after three sets of transmission and reception of
                | ISAKMP messages.
                | 1st and 2nd messages (Negotiation of ISAKMP SA parameters)
                | 3rd and 4th messages (Exchange of parameters for key calculation and
                | execution of key calculation)
                | 5th and 6th messages (Authentication of IPSec communication end (device))
Aggressive mode | The encryption process upon authentication is omitted, and the Phase 1 is
                | finished after one and a half sets of transmission and reception of ISAKMP
                | messages. While this mode can finish the Phase 1 faster than the Main
                | mode, restrictions occur on negotiation of SA. On the other hand, it eases
                | the restrictions on the Main mode.

IKE Phase 1

Step                                             | Initiator                                  | Responder
1. Proposal and selection of conditions          | Proposes several conditions including the  | Selects one of the conditions.
                                                 | algorithm and lifetime of key, etc.        |
2. Determination of condition of SA              |                                            |
3. Exchange of key by DH                         | Creates and sends a numeric value which is | Creates and sends the numeric value which
                                                 | used as a key element.                     | is used as a key element.
4. Creation of key                               |                                            |
5. Authentication between devices                | Sends the ID and pass phrase, etc.         | Sends the ID and pass phrase, etc.
6. Verification that the other end is legitimate |                                            |

Phase 1 ISAKMP SA is generated, and exchange by IKE is encrypted.

2-9

Authentication Method
The IPSec function uses two authentication methods for the IKE Phase 1: one is the
pre-shared key authentication, and the other is the digital signature authentication.

Pre-shared Key Method
Select this option when you make authentication using a pre-shared key. Input a key to be
shared in the input field of Shared Key.

Digital Sig. Method
Select this option when you make authentication not using a pre-shared key but using a
digital signature.

Select one DH group from Group1 (762), Group2 (1024), and Group3 (2048).

Auth./Encryption Algorithm
This item is used to set the authentication and encryption algorithms.

Auto Settings of authentication and encryption algorithms
When you select the Auto settings of the authentication and encryption algorithms for IKE,
IKE SA makes negotiations for algorithm patterns in accordance with the priority given below.

Priority | Authentication | Encryption | DH
1        | SHA1           | AES(128)   | 2
2        | MD5            | AES(128)   | 2
3        | SHA1           | AES(192)   | 2
4        | MD5            | AES(192)   | 2
5        | SHA1           | AES(256)   | 2
6        | MD5            | AES(256)   | 2
7        | SHA1           | 3DES       | 2
8        | MD5            | 3DES       | 2

Manual Settings of authentication and encryption algorithms
This option is used to manually set the authentication and encryption algorithms of IKE.
Select one or more authentication algorithms from SHA1 and MD5. You can select both.
Select one or more encryption algorithms from 3DES-CBC and AES-CBC. You can select
both.
2-10

IPSec Network Settings
This item is used to make the settings related to the IPSec network.

Validity
This item is used to set the update validity of the Security Association (SA) of IPsec/IKE.
The validity specified in this setting is applied both to the update period for SA of IPsec and
that of IKE.
The validity is specified in minutes or in MB. The settable range is 1 to 65535 minutes or 1 to
65535MB. In the initial setting, Time is set to 480 minutes (8 hours), and Size is not specified.
You cannot specify "0" to Time and Size.
In Validity, either Size or Time needs to be specified.
When both are specified, SA is invalidated by whichever reaches the validity first. The IPsec
communication within the validity can exchange ESP packets without negotiations of key
exchange.
Negotiations of the validity vary according to the setting at the host of the other end. For
instance, if a validity shorter than the one set in a host is proposed during the IKE Phase 1,
the host may reject negotiations.

Host computer A (Initiator)                          | Host computer B (Responder)
IKE Phase 1: A validity setting shorter than the     |
validity set in the host B is proposed as the        |
condition.                                           |
Proposes the condition. ->                           | Since the condition proposed by the host A is
                                                     | shorter than the validity set in the host B, the
                                                     | host B rejects negotiations.
                                                     | <- Rejects the condition.

In the communication between the devices which support this product, the validity at the
initiator* is used.
* The node which makes IKE communication is called the IKE peer, the side which issues
an IKE request is called the initiator, and the side which receives a request is called the
responder.

PFS
When a shared key is leaked to any malicious third parties, there is a risk that they might be
able to forecast the keys to be generated. Enabling Perfect Forward Secrecy (PFS) prevents
third parties from forecasting the keys to be generated even if they obtain a shared secret
key.
Although the load upon key exchange is increased if PFS is enabled, the confidentiality is
enhanced.
The initial setting of PFS is "Off".
The same PFS setting must be set to the hosts between which negotiations are made.
Therefore, when the PFS setting is set to On, that of the other end must be set to On as well.

2-11

Authentication/Encryption Algorithm
This item is used to set the authentication and encryption algorithms in the IPSec network.
You can select Auto Settings or Manual Settings.

Manual Settings of Authentication/Encryption Algorithm
This option is used to set the authentication and encryption algorithms.
First of all, select ESP which performs authentication and encryption of packets or AH which
performs only authentication of packets.

1) When ESP is selected
The ESP authentication algorithm and ESP encryption algorithm are set.
Select the authentication algorithm from MD5, SHA1, and NULL. You can select both MD5
and SHA1 at the same time. In the initial setting, SHA1 is selected.
Select the encryption algorithm from 3DES-CBC, AES-CBC, and NULL. You can select both
3DES-CBC and AES-CBC at the same time. In the initial setting, 3DES-CBC is selected.
You cannot set NULL to both ESP authentication and ESP encryption.

2) When AH is selected
Select one or more AH authentication algorithms from SHA1 and MD5. If you do not select
either, the OK button is disabled (grayed out), and you cannot finish the setting.


2-12
Auto Settings of authentication and encryption algorithms
When you select the Auto settings of the authentication and encryption algorithms for the
IPSec Network, IPSec SA makes negotiations for algorithm patterns in accordance with the
priority given below. Servers also wait in the same priority.

Priority | AH   | ESP authentication | ESP encryption
1        | NULL | SHA1               | AES (128)
2        | NULL | MD5                | AES (128)
3        | NULL | SHA1               | AES (192)
4        | NULL | MD5                | AES (192)
5        | NULL | SHA1               | AES (256)
6        | NULL | MD5                | AES (256)
7        | NULL | SHA1               | 3DES
8        | NULL | MD5                | 3DES

Connection Mode
This item is used to display the IPSec connection mode.
This function supports the transport mode only, and therefore "Transport" is displayed.
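An added example (written for this manual, not Canon code) that walks the two Auto priority tables above as the initiator's proposal list against a responder's Manual selection, applies the Manual-setting rules (NULL not on both ESP sides, at least one AH algorithm, the Validity range) and the rejection of a shorter proposed validity shown in the IKE Phase 1 diagram under IPSec Network Settings. It models the negotiation outcome only and does not implement IKE; the Peer structure, function names and the rejects_shorter_validity switch are assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# IKE Auto settings: (authentication, encryption, DH group) in proposal priority order.
IKE_AUTO: List[Tuple[str, str, int]] = [
    ("SHA1", "AES(128)", 2), ("MD5", "AES(128)", 2),
    ("SHA1", "AES(192)", 2), ("MD5", "AES(192)", 2),
    ("SHA1", "AES(256)", 2), ("MD5", "AES(256)", 2),
    ("SHA1", "3DES", 2),     ("MD5", "3DES", 2),
]

# IPSec Auto settings: (AH, ESP authentication, ESP encryption) in priority order.
IPSEC_AUTO: List[Tuple[str, str, str]] = [
    ("NULL", "SHA1", "AES (128)"), ("NULL", "MD5", "AES (128)"),
    ("NULL", "SHA1", "AES (192)"), ("NULL", "MD5", "AES (192)"),
    ("NULL", "SHA1", "AES (256)"), ("NULL", "MD5", "AES (256)"),
    ("NULL", "SHA1", "3DES"),      ("NULL", "MD5", "3DES"),
]

# Manual settings select algorithm families (3DES-CBC / AES-CBC); map each Auto entry.
FAMILY = {"3DES": "3DES-CBC"}
FAMILY.update({k: "AES-CBC" for k in ("AES(128)", "AES(192)", "AES(256)",
                                       "AES (128)", "AES (192)", "AES (256)")})


@dataclass
class Peer:
    """The responder side: its Manual algorithm selection and its Validity (Time)."""
    auth: Set[str]                          # chosen from {"SHA1", "MD5"}
    enc: Set[str]                           # chosen from {"3DES-CBC", "AES-CBC"}
    validity_min: int                       # 1 to 65535 minutes
    rejects_shorter_validity: bool = True   # behaviour shown in the diagram (assumed switch)


def check_validity(time_min: Optional[int], size_mb: Optional[int]) -> None:
    """Either Size or Time must be given, each in 1..65535; "0" is not allowed."""
    if time_min is None and size_mb is None:
        raise ValueError("either Size or Time needs to be specified")
    for v in (time_min, size_mb):
        if v is not None and not 1 <= v <= 65535:
            raise ValueError("validity must be 1 to 65535")


def check_manual_esp(auth: Set[str], enc: Set[str]) -> None:
    """ESP Manual settings: NULL is allowed for one of the two, never for both."""
    if auth <= {"NULL"} and enc <= {"NULL"}:
        raise ValueError("NULL cannot be set to both ESP authentication and encryption")


def check_manual_ah(auth: Set[str]) -> None:
    """AH Manual settings: the OK button stays disabled unless SHA1 or MD5 is chosen."""
    if not auth & {"SHA1", "MD5"}:
        raise ValueError("select one or more AH authentication algorithms")


def negotiate_ike(initiator_validity_min: int, peer: Peer) -> Optional[Tuple[str, str, int]]:
    """Phase 1 with Auto on the initiator: the first proposal the peer accepts, or None.
    A proposed validity shorter than the responder's own setting is rejected first."""
    if peer.rejects_shorter_validity and initiator_validity_min < peer.validity_min:
        return None
    for auth, enc, dh in IKE_AUTO:
        # A peer restricted to SHA1 / AES-CBC never ends up on the MD5 or 3DES rows.
        if auth in peer.auth and FAMILY[enc] in peer.enc:
            return (auth, enc, dh)
    return None


def negotiate_ipsec(peer: Peer) -> Optional[Tuple[str, str, str]]:
    """Phase 2 with Auto (ESP proposals, AH = NULL): the first proposal the peer accepts."""
    for ah, esp_auth, esp_enc in IPSEC_AUTO:
        if esp_auth in peer.auth and FAMILY[esp_enc] in peer.enc:
            return (ah, esp_auth, esp_enc)
    return None
```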


Installation
Installation/Settings
Procedure
IPSec settings and
operation check

3-2

Installation/Settings Procedure

Flow of installation settings for basic IPSec
Following is the flow of basic IPSec settings.

Review of security policy
To install IPSec on the network, review which packets IPSec should be applied to.
1) Decide between which host and which host the IPSec process is applied to the
communication.
2) Decide to which protocol and which port the IPSec process is applied.
3) Decide how to handle the packets other than the foregoing packets.
4) Decide whether to execute packet authentication only or execute authentication and
encryption.
5) Decide what to use as an authentication method and encryption algorithm.
Etc.
In principle, users review the security policy on the network of the user site.

Security policy settings
According to the security policy reviewed as above, make the IPSec settings on the device
and the host that will be the device's IPSec communication partner.

Operation check
Establish a communication and check whether the specified IPSec function operates properly
or not.

Points to note at installation
When specifying IPSec settings, note that the IPSec peers negotiate with each other to decide
how to establish the IPSec communication, such as the port number etc. Thus, the common
selector setting should be specified to each host.
Take the case of IPSec communication between a Windows PC and this device for instance:
if remote UI (local port is number 80 and remote port is all port) is specified on this device,
on the Windows side, "TCP" protocol must be selected and also "From any port" must be
specified as transmission port and number "80" must be specified as address port; otherwise,
negotiation will fail. (This means negotiation will fail even when "From any port" is specified,
if "all port" etc. is specified for address port.)
3-3
IPSec settings and operation check
Make the IPSec settings on the PC that will be the communication partner of the device with
IPSec specified.
At this time, the installation procedure in the simple configuration is outlined.

Example of configuration
IPSec settings are specified for 1 PC and 1 iR device, and the operation is checked.
[Figure: the PC sends a print document to the iR device as encrypted data]

Setting procedure on device side
Following is the procedure of device IPSec settings.
1. Create a security policy.
Create a security policy with the following contents.
1) Enable IPSec and register the policy.
   Use IPSec                 : ON
   Receive Non-policy Packets: Allow
2) Register the Policy Name.
3) Selector Settings
   Local Address : All IP addresses
   Remote Address: All IP addresses
   Port > Specify by Port Number: All Ports

3-4
4) IKE Settings
   IKE Mode                 : Main
   Authentication Method    : Pre-shared Key Method
   Shared Key               : canon (any)
   Auth/Encryption Algorithm: Auto
5) IPSec Network Settings
   Validity                  : 480 m
   Validity                  : 480 mins (default)
                             : 0MB (default)
   PFS                       : OFF
   Auth./Encryption Algorithm: Auto
   Connect. Mode             : Transport (fixed)
2. Enable the security policy.
Enable the security policy (Policy-1) created in step 1.

Setting procedure on PC side
Following are the PC settings (Windows Server 2003).
1. Console registration
1) Select [Run...] from the start menu and input mmc in [Open] and then, click [OK] button.


3-5
2) When the console is displayed, select [Add/Remove Snap-in...] from the file menu.
3) Click [Add...] button.
4) Select [IP Security Policy Management] and click [Add] button.
5) Select [Local Computer] and click [Finish] button.

3-6
6) Click [Close] button.
7) Make sure that "IP Security Policy on Local Computer" is displayed and click [OK] button.

2. Registration of IP Security Policy
1) Right click [IP Security Policy on Local Computer] on the console and select [Create IP
Security Policy].
2) When IP Security Policy Wizard is started, click [Next] button.

3-7
3) Enter the IP Security Policy name and click [Next] button.
4) Untick [Activate the default response rule..] and click [Next] button.
5) When the wizard is completed, click [Finish] button.
6) When IP Security Policy properties is displayed, click [Add..] button.

3-8
7) When Security Rule Wizard is started, click [Next] button.
8) Select [This rule does not specify a tunnel] and click [Next] button.
9) Select [All network connections] and click [Next] button.
10) Select [All IP traffic..] and click [Edit..] button.

3-9
11) Put a name to the filter and click [Edit..] button.
12) Display [Addresses] tab and select [Any IP Address] for both [Source address] and
[Destination address].
13) Display [Protocol] tab and select [Any] in [Select a protocol type].
14) Display [Description] tab and input a comment for identification (arbitrary), and click [OK]
button.

3-10
15) Click [OK] button.
16) Click [Next] button.
17) Select [Require Security] and click [Next] button.
18) Select [Use this string to protect the key exchange (pre-shared key)] and enter the
pre-shared key specified on the device side into the entry field, and click [Next] button.

3-11
19) Click [Finish] button.
20) Click [OK] button.
21) Click [OK] button.

3. Application of the security policy.
1) Right click the created policy and select [Assign].

3-12
MEMO
If the setting of the currently applied policy has been changed, it is necessary to un-assign
the policy and assign it again.


3-13
Operation check
1. Send ping from a PC to a device.
If IPSec is enabled, [Negotiating IP Security] is displayed at the first time of sending a ping
and there will be a reply at the second time or later.
Example of success
If the key exchange of IPSec has failed, all results are [Negotiating IP Security] (including
the case that the receiver does not support IPSec).
Example of failure

2. Check with a network capture software.
Here, the operation check method using the free software [Wireshark] is described.
1) Install Wireshark.
The source of the installer and the installation method are omitted.
2) Start Wireshark.
3) Click [Show the Capture Options] button.

3-14
4) Select the PC network card on [Interface] and click [Start] button.
5) Establish a communication by either submitting a print instruction from the PC to the device or
by running a ping command or displaying the device's remote UI etc.
If ESP is displayed on [Protocol], it means the encrypted packet has been transferred in ESP.


Maintenance

FAQ
Troubleshooting

4-2

FAQ

About the connection mode
Q. Does this product support the tunnel mode as a connection mode in which IPSec is
applied?
A. No. The tunnel mode is not supported.
This product supports the transport mode only, which makes peer-to-peer IPSec
communication.

About IPSec network settings
Q. What does the validity refer to?
A. It refers to the update validity of SA of IPSec and IKE.

About protocols
Q. In what environment is unencrypted AH used?
A. It is used in the environment where encryption cannot be used.
In some environments, encryption of data is not permitted. In such a case, AH is used.

Conflict with IP filter
Q. What operation is performed when a conflict with the settings of the IP filter, which is the
original function, occurs?
A. There is a setting that IPsec discards the packets to which IPsec is not applied. The IP
filter, which is the original function, also discards the packets which do not satisfy the filter
settings.
Q. When the IPsec settings and IP filter settings overlap, which settings have priority?
A. When both IPSec and the IP filter are set, they are applied in the order IPSec, then IP filter
at the time of reception. At the time of transmission, they are applied in the order IP filter, then
IPSec.

Troubleshooting

Q. Negotiation fails.
A. Check if the port setting of the security policy is the same in both devices.
In IPSec, the port setting in the security policy settings must be the same.
For instance, negotiation fails if Protocol is set to TCP, and Port is set to All Port in the
settings of this device, whereas Protocol is set to TCP, and Port is set to 80 in the settings of
the other device.

Q. No debug log file is found.
Although I made the setting to obtain debug logs in the Service Mode, I found no log file when
I accessed the specified path.
A. Debug logs are deleted when the device is turned Off and On.
Service Mode

IPSec Security Board Status Check Test
Deletion of All Registered Policies
Acquisition of Debug Logs

Troubleshooting > Procedure for IPSec Security Board Status Check Test

5-2

IPSec Security Board Status Check Test
You can execute the tests to check the IPSec security board status from the Service Mode.
The following two tests are available:
Interrupt mode test: Creates pseudo packets and tests the chip processing.
Poll mode test: Tests the performance of the chip.

Procedure for IPSec Security Board Status Check Test
The procedure to execute the tests to check the status of the IPSec security board is
explained below.
1) Press copier > test > network in the Service Mode (Level 1).
2) Select (press) IPSECINT (Interrupt mode test) or IPSECPOL (Poll mode test) and press the
"OK" button.
While the test is being executed, "ACTIVE" is blinking on the display.
Be sure to execute both tests. Each test takes approx. 3 minutes.
3) Check the test result when it is displayed.
Normal completion: "OK!"
Failed: "NG"

5-3
If either of the tests fails, the IPsec function does not work. When the result of either test is
NG (failed), check if the accelerator is connected properly, and execute the test again.
If the result of the retry is also NG (failed), it is considered as a chip failure.

Troubleshooting > Procedure to Delete All Registered Policies

5-4

Deletion of All Registered Policies
You can delete all the policies registered in a device and initialize it.
This function should be used in emergency cases, such as when there is inconsistency
between registered policies.

Procedure to Delete All Registered Policies
1) Press copier > option > body in the Service Mode (Level 2).
2) Input 1 in the SPDALDEL field and press "OK".
3) Restart the device.
When the device is restarted, all the registered policies are deleted, and the device is
initialized.
4) Open the IPSec settings window and check that all the registered policies are deleted.
5) Log in to the Service Mode again and reset the value of SPDALDEL to "0".

Troubleshooting > Procedure to Obtain Debug Logs

5-5

Acquisition of Debug Logs
Debug logs are prepared for those who are in charge of product development, and the
information on the logs is not disclosed to the users.
Acquisition of debug logs is made at the direction of a support division of Sales Companies
or a development division of Canon Inc. when a failure which cannot be dealt with on site
occurs.
There is no need that a service person should check and evaluate debug logs at a user site.
Since IPSec operates in a process separately from a bootable process, its log information
does not remain in the sub log.
Therefore, there is a need to make the setting in the Service Mode to keep the logs of IPSec.
While the settable range of the log level is 0 to 10, 8 is the highest log level. (9 and 10 are the
same level as 8.)
The setting is enabled after the device is restarted. The setting value is automatically returned
to 0 by internal processing after the device is restarted again.
When the log acquisition function is enabled, a file with the name of ipseclog.txt is created
under /APL_LOG/ipsec, and the log information is stored in the file. This file is deleted after
the device is turned Off and On.
Log level 1 FATAL level: Displays fatal error information.
Log level 2 FATAL level: Displays fatal error information.
Log level 3 FATAL level: Displays fatal error information.
Log level 4 WARN level: Displays warning information.
Log level 5 WARN level: Displays warning information.
Log level 6 WARN level: Displays warning information.
Log level 7 LOG level: Displays important log information.
Log level 8 INFO level: Displays all logs.
Log level 9: Same as level 8.
Log level 10: Same as level 8.

Procedure to Obtain Debug Logs
1) Press copier > option > body in the Service Mode (Level 2).
2) Input the level of logs that you want to obtain in the IPSDEBLV field and press "OK". (The
initial setting is "0".)
3) Restart the device.
4) Perform the operation of which log you want to obtain.
5) Connect a PC on which SST is activated to the device, and obtain the log file in the
following path:
/APL_LOG/ipsec/ipseclog.txt
6) Restart the device again and check if the IPSDEBLV setting in the Service Mode is
returned to the initial value (0).