Revision 0
IPSec Overview
Settings
Installation
Maintenance
Service Mode
Application
This manual has been issued by Canon Inc. for qualified persons to learn technical theory, installation, maintenance, and repair of products. This manual covers all localities where the products are sold. For this reason, there may be information in this manual that does not apply to your locality.
The following paragraph does not apply to any countries where such provisions are
Corrections
This manual may contain technical inaccuracies or typographical errors due to improvements or changes in products. When changes occur in applicable products or in the contents of this manual, Canon will release technical information as the need arises. In the event of major changes in the contents of this manual over a long or short period, Canon will issue a new
Trademarks
The product names and company names used in this manual are the registered trademarks
Copyright
This manual is copyrighted with all rights reserved. Under the copyright laws, this manual may not be copied, reproduced or translated into another language, in whole or in part, without the
Caution
Use of this manual should be strictly supervised to avoid disclosure of confidential information.
Contents
IPSec Overview
  IPSec Overview ---- 1-2
    What is IPSec? ---- 1-2
    Modes of operation ---- 1-4
    Protocol of authentication and cryptographic ---- 1-4
    Key exchange protocols ---- 1-5
  Specifications ---- 1-6
  Restrictions ---- 1-11
    Notification of Deletion of SAD ---- 1-11
    Confliction with Sleep Function ---- 1-11
    Link-Local Address ---- 1-11
    Certificate Method ---- 1-11
    Restrictions when Registering Multiple Policies ---- 1-12
    Internal processing when restricted patterns occur ---- 1-12
Settings
  Settings Window ---- 2-2
  Registration/Edit Window ---- 2-4
    IKE Settings ---- 2-5
    IPSec Settings ---- 2-5
  Selector Settings Window ---- 2-6
  IKE Settings ---- 2-8
    Mode ---- 2-8
    Authentication Method ---- 2-9
    Auth./Encryption Algorithm ---- 2-9
  IPSec Network Settings ---- 2-10
    Validity ---- 2-10
    PFS ---- 2-10
    Authentication/Encryption Algorithm ---- 2-11
    Connection Mode ---- 2-12
Installation
  Installation/Settings Procedure ---- 3-2
    Flow of installation settings for basic IPSec ---- 3-2
    Review of security policy ---- 3-2
    Security policy settings ---- 3-2
    Operation check ---- 3-2
    Points to note at installation ---- 3-2
Maintenance
  FAQ ---- 4-2
  Troubleshooting ---- 4-2
Service Mode
  IPSec Security Board Status Check Test ---- 5-2
    Procedure for IPSec Security Board Status Check Test ---- 5-2
  Deletion of All Registered Policies ---- 5-4
    Procedure to Delete All Registered Policies ---- 5-4
Explanation of Symbols
The following symbols are used throughout this Service Manual.
Symbols | Explanation
[symbol] | Used for general attention, warnings, and notices of danger that are not otherwise specified.
The following rules apply throughout this Service Manual:
1. Each chapter contains sections explaining the purpose of specific functions and the relationship between electrical and mechanical systems with reference to the timing of operation.
In the diagrams, [symbol] marks items that are described in the copier BASIC series manuals; refer to those manuals to understand the contents.
The expression "turn on the power" means flipping on the power switch, closing the front door, and closing the delivery unit door, which results in supplying the machine with power.
2. In the digital circuits, '1' is used to indicate that the voltage level of a given signal is "High", while '0' is used to indicate "Low". (The voltage value, however, differs from circuit to circuit.) In addition, the asterisk (*) as in "DRMD*" indicates that the DRMD signal goes on when '0'.
In practically all cases, the internal mechanisms of a microprocessor cannot be checked in the field. Therefore, the operations of the microprocessors used in the machines are not discussed: they are explained in terms of the path from the sensors to the input of the DC controller PCB and from the output of the DC controller PCB to the loads.
The descriptions in this Service Manual are subject to change without notice for product improvement or other purposes, and major changes will be communicated in the form of Service Information bulletins.
All service persons are expected to have a good understanding of the contents of this Service Manual and all relevant Service Information bulletins and be able to identify and isolate faults in the machine.
IPSec Overview
What is IPSec?
Communication between the nodes to which IPSec settings are applied automatically becomes secure communication while the applications are not aware of it.
In IPSec, whether or not to apply encryption and other processing is determined according to the data in each communication packet. To be specific, one of the following operations is performed:
- The IPSec settings are applied to a packet which satisfies the conditions. (Authentication
- The IPSec settings are not applied to a packet which does not satisfy the conditions, and
Case 1) [Figure: over the IP network, the host computer with IPSec settings sends encrypted print data to the device, while the host computer without IPSec settings sends unencrypted print data. Print protocol: lpr, raw, ftp, IPP.]
Case 2) Encrypt Send communications to the file server and host computer, and do not encrypt print communications.
[Figure: scanned documents (Confidentiality1.tif, Confidentiality2.tif) are sent as encrypted data to the file server and to the host computer (Send protocol: smb, ftp); print data (Print1) from the host computer is unencrypted (Print protocol: lpr, raw, ftp, IPP).]
Case 3) Encrypt Internet FAX and Email transmission.*
[Figure: a scanned document (Confidentiality1) is sent as encrypted data over the IP network to the mail server and on to the host computer (Protocol: smtp); a G3 FAX (G3FAX.tif) over the PSTN is unencrypted data.]
* In Case 3, it is assumed that IPSec is also functioning between the mail server and the host computer.
Case 3) Encrypt Internet FAX and Email transmission.*
PSTN
Confidentiality1
Scan
Fax
G3FAX.tif
Fax
IP Network
Encrypted data
Encrypted
data
Encrypted data
Encrypted
data
Protocol: smtp
Protocol: smtp
G3FAX.tif
Confidentiality1
Unencrypted data
G3Fax.tif
G3Fax.tif
Host computer
Mail Server
* In Case 3, it is assumed that IPSec is also functioning between the main server and host
computer.
Modes of operation
IPSec has two modes of operation: one is the transport mode, and the other is the tunnel mode.
Overview of transport mode
In the transport mode, a 1-to-1 relationship is established between terminals, and only the data section excluding the IP header is authenticated and encrypted.
[Figure: transport mode between two terminals. Encryption at the sender and decryption at the receiver cover the data section; the scope of authentication is shown over the IP header and data section, with the AH or ESP header inserted between them.]
[Figure: tunnel mode between two VPN routers over the Internet. Encryption, scope of authentication and decryption are shown over the IP header and data section.]
AH (Authentication Header)
This is a protocol to guarantee authentication by detecting falsification of communication data
ESP
This is a protocol to guarantee consistency and authentication of only the payload section of communication data and provide confidentiality through encryption.
The operation mode of IPSec supported by this product is the transport mode only.
Key exchange protocols
IPSec has several key exchange protocols to execute authentication and encryption. This product supports IKEv1 (Internet Key Exchange version 1), which exchanges keys based on the standard protocol ISAKMP (Internet Security Association and Key Management Protocol).
IKE has two processing phases: it creates the SA (Security Association) used by IKE in phase 1, and creates the SA (IPSec SA) used by IPSec in phase 2.
[Figure: IKE Phase 1 (proposes several conditions including the algorithm and lifetime of key, etc.; creates and sends a numeric value which is used as a key element; sends the ID and pass phrase, etc.; 3. Exchange of key by DH; 4. Creation of key). IKE Phase 2 (encryption method, hash method, connection conditions such as lifetime of key, subnet, host, key element, etc.; 8. Determination of conditions for SA; Accepted). Phase 2: IPSec SA is created, and communication through IPSec is started. Encrypted communication through IPSec.]
In this product, as an authentication method of IKE, either the pre-shared key method or the
When you use the pre-shared key method, you need to determine a keyword (up to 24 characters) called a pre-shared key beforehand, which is shared with the devices sending and receiving data. After setting the pre-shared key of the connection end with which IPSec communication is made in the operation panel of this product, you can make authentication in
When you use a key in the electronic signature method, you need to install the key pair file and CA Certificate file created in the PC using the UI, and then register the installed files in the operation panel of this product. Using the CA certificate, authentication is mutually performed with the connection end of the IPSec communication.
The accepted key pair and CA certificate for the authentication in the electronic signature method are shown below:
- RSA algorithm
- X.509 Certificate
- Key pair in PKCS#12 format
Specifications
Function
Supported Devices
The devices supported by IPSec are multifunction machines after imageRUNNER C5180/5185/4580 and printers after LBP3310.
IPSec Security Board, which is an option, needs to be purchased and installed in any of these devices.
Supported Functions
Among major functions stipulated by IPSec, those supported by this product are shown below:
Function | Support | Remarks
IPsec of IPv4 | Support |
IPsec of IPv6 | Support |
AH: NULL | Not Support |
AH: HMAC-SHA-1-96 | Support |
AH: HMAC-MD5-96 | Support |
AH: AES-XCBC-MAC-96 | Not Support |
ESP: NULL | Support |
ESP: DES-CBC | Not Support |
ESP: 3DES-CBC | Support |
ESP: AES-CBC | Support |
ESP: AES-CTR | Not Support |
Other: Manual SA | Not Support |
Other: IKEv1 | Support |
Other: IKEv2 | Not Support |

Function | Support | Remarks
IKEv1 phase 1: Main Mode | Support |
IKEv1 phase 1: Aggressive Mode | Support |
Authentication Method (IKEv1): Pre-shared key | Support |
Authentication Method (IKEv1): Digital signature (RSA) | Support |
Authentication Method (IKEv1): Public key encryption | Not Support |
Authentication Method (IKEv1): Advanced public key encryption | Not Support |
DH (IKEv1): Group 0 (not in use) | Not Support |
DH (IKEv1): Group 1 | Support |
DH (IKEv1): Group 2 | Support |
DH (IKEv1): Group 5 | Not Support |
DH (IKEv1): Group 14 | Support |
DH (IKEv1): Group 15 | Not Support |
DH (IKEv1): Group 16 | Not Support |
DH (IKEv1): Group 17 | Not Support |
DH (IKEv1): Group 18 | Not Support |
DH (IKEv1): Other | Not Support |
Encryption (IKEv1): DES-CBC | Not Support |
Encryption (IKEv1): 3DES-CBC | Support |
Encryption (IKEv1): AES-CBC | Support |
Encryption (IKEv1): AES-CTR | Not Support |
Encryption (IKEv1): Other | Not Support |
Authentication (IKEv1): AUTH-HMAC-SHA1-96 | Support |
Authentication (IKEv1): AUTH-HMAC-MD5-96 | Support |
Authentication (IKEv1): AUTH-HMAC-XCBC-96 | Not Support |
Applicable Packets
The packets to which this product applies the IPSec processing are those exchanged via the following protocols: TCP, UDP, ICMP.
Port No. | Description
500 | Used to receive and send keys when the ISAKMP protocol exchanges keys.
Item | Value | Remarks
Policy name | 1 to 24 characters in ASCII |
Number of policies that can be registered | 10 | The table area which controls policies is called security policy database (SPD).
Item | Remarks
Port | Makes the filter setting of a packet when a port number exists in the packet.
Specify by Port Number | Makes the setting by manually specifying a port.
Local Port | Specifies local ports.
All Port | Targets all local ports.
Single Settings | Specifies a target local port individually.
Remote Port | Specifies remote ports.
All Port | Targets all remote ports.
Single Settings | Specifies a target remote port individually.
Specify by Service Name | Makes the filter setting of a packet by specifying a service name.
Service On/Off | Specifies On or Off for 7 services of "SMTP Receive", "SMTP Send", "HTTP Client", "HTTP Server", "POP3", "LDP", and "RAW".
IKE Settings | Makes the settings related to IKE (key exchange protocol) of security policy.
IKE Mode | Sets the ISAKMP message exchange protocol.
Main | Sets the ISAKMP message exchange protocol to the Main mode.
Aggressive | Sets the ISAKMP message exchange protocol to the Aggressive mode.
Authentication Method | Sets the authentication method of IKE.
Pre-shared Key Method | Sets the authentication method of IKE to the pre-shared key method.
Shared Key | Sets the shared key which is used as the pre-shared key of IKE.
Digital Signature Method | Sets the authentication method of IKE to the digital signature method.
Key and Certificate | Makes the settings related to digital signature.
Key Settings | Sets the key which is used for digital signature.
Certificate Details | Checks the information about the registered certificate.
Authentication/Encryption Algorithm | Sets the authentication and encryption algorithms to IKE.
Auto | Sets the authentication and encryption algorithms to IKE automatically.
Manual Settings | Sets the authentication and encryption algorithms to IKE manually.
Regi. | Registers the authentication and encryption algorithms.
Authentication | Sets the authentication algorithm.
SHA 1 | Sets the authentication algorithm to SHA 1.
MD 5 | Sets the authentication algorithm to MD 5.
Encryption | Sets the encryption algorithm.
3 DES-CBC | Sets the encryption algorithm to 3 DES-CBC.
AES-CBC | Sets the encryption algorithm to AES-CBC.
DH Group | Sets the DH algorithm.
Group1 (762) | Sets the DH algorithm to Group 1.
Group2 (1024) | Sets the DH algorithm to Group 2.
Group3 (2048) | Sets the DH algorithm to Group 3.
Other Specifications
Retry intervals
In the IKE negotiation, when no response is returned from the connection end, a retry is made. The first retry interval can be set in the Service Mode. The second and later retries are made at intervals twice as long as the previous retry interval. The maximum interval is 10 sec.
Example: Setting values of the retry intervals and actual retry intervals
[Figure: retry timing when the first retry interval is set to 1 sec, on a time axis from 0 to 35 sec. The retries follow at intervals of 1 sec, 2 sec (twice the previous), 4 sec (twice), 8 sec (twice), then 10 sec; since the maximum interval is 10 sec, retries are made at 10 sec intervals hereafter. Further rows show first intervals of 6 sec and 7 sec, whose later retries are all at the 10 sec maximum.]
1-11
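The retry schedule above (a configurable first interval, doubling on every later retry, capped at 10 sec) is short enough to compute exactly. The following Python is an added example, not code from the Canon manual or the device: it derives the per-retry waits and their offsets from the first request, and counts how many retries a peer will see within a given window, which is what you need when sizing the negotiation timeout on the other side. The 10 sec cap and the doubling rule are from the text; the lower bound of 1 sec on the setting and all function names are this example's assumptions.

```python
# Added example (not from the Canon manual): the IKE retry schedule described
# above, computed from the configurable first retry interval. Doubling and the
# 10 sec cap are from the text; the 1 sec lower bound is an assumption.

MAX_RETRY_INTERVAL_SEC = 10  # "The maximum interval is 10 sec."


def retry_intervals(first_interval_sec, retries):
    """Seconds to wait before each of `retries` retries.

    The first wait is the configured value; each later wait is twice the
    previous one until the c
    ap is reached, after which every wait is the cap.
    """
    if first_interval_sec < 1:
        raise ValueError("first retry interval must be at least 1 second (assumed)")
    intervals = []
    wait = first_interval_sec
    for _ in range(retries):
        wait = min(wait, MAX_RETRY_INTERVAL_SEC)
        intervals.append(wait)
        wait *= 2
    return intervals


def retry_times(first_interval_sec, retries):
    """Offsets (seconds after the initial request) at which each retry is sent."""
    times, elapsed = [], 0
    for wait in retry_intervals(first_interval_sec, retries):
        elapsed += wait
        times.append(elapsed)
    return times


def retries_within(first_interval_sec, window_sec):
    """Number of retries that fall within `window_sec` of the first request.

    Useful when choosing how long the responder side should keep a half-open
    negotiation before giving up.
    """
    count, elapsed, wait = 0, 0, first_interval_sec
    while True:
        wait = min(wait, MAX_RETRY_INTERVAL_SEC)
        if elapsed + wait > window_sec:
            return count
        elapsed += wait
        count += 1
        wait *= 2


if __name__ == "__main__":
    for first in (1, 6):
        print(f"first={first}s intervals={retry_intervals(first, 6)} "
              f"times={retry_times(first, 6)}")
```

With the manual's 1 sec example the retries fall at 1, 3, 7, 15, 25 and 35 sec, which matches the tick marks of the figure; with a first interval of 6 sec the cap is already reached on the second retry.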
Restrictions
Notification of Deletion of SAD
When Security Association (SA) of IPsec is established between an external device and this
If any of the following operations is performed in this state, there is a need to notify deletion of
However, this device does not support this policy deletion notification function; if any of the aforementioned operations is performed, the policy needs to be manually deleted from the SAD at the other end.
Certificate Method
When you select the certificate method in IKE, the specified key pair needs to be issued by the same root certificate authority which issued the certificate of the other end of the IPsec communication. Thus, a key pair with a self-signed certificate has a different root, and the negotiation fails.
Since the certificate validity is checked, the devices need to preset the time using SNTP, etc.
Link-Local Address
When you make the selector settings including Link-Local Address, IPsec is not applied to the packets addressed to link-local addresses, and they are discarded. For instance, when "IPv6 Address" is selected in Local Selector Settings, the packets addressed to link-local addresses are discarded.
In the case of manually specified addresses, those with the prefix "fe80" are considered as link-local addresses.
However, in the models after iRA C5030/iRA C9075 Series, IPsec can be applied to IPv6 link-local addresses.
Note that link-local addresses and global addresses cannot be specified at the same time. For instance, all IPv6 addresses are considered as global addresses. Therefore, fe80::xxxx, ::/0, 1111::xxxx, etc. cannot be assigned to them. If a local address is a link-local address, the remote address also needs to be a link-local address.
When "IPv6 Address" is selected in Local Address, and "All IPv6 Address" in Remote Address, IPsec is also applied to link-local addresses.
Restrictions when Registering Multiple Policies
When Pre-shared Key Method is set for AUTH Method, the following restrictions apply to the combination of policies registered in one device:
1) Policies whose Remote Address is set to other than "Single Address" must all use the same pre-shared key (the shared key characters must be the same).
2) A policy whose Remote Address is a single address cannot have a lower priority than a policy whose Remote Address is not a single address.

policy priority | policy name | local port | pre-shared key
1 | aaa | All Port | hoge
2 | bbb | 9100 | hoge2
Although the policy name "aaa" specifies a single address as the remote address, its priority is higher than "bbb."

Pattern 2: Combination which violates the aforementioned restriction 1). (The items in blue are violations.)
policy priority | policy name | local address | local port | remote port | pre-shared key
1 | aaa | All IPv4 Address | All Port | All Port | hoge
2 | bbb | All IPv4 Address | All Port | All Port | hoge2
3 | ccc | All IPv4 Address | 9100 | All Port | hoge3
4 | ddd | All IPv6 Address | 9100 | All Port | hoge4
Although the policy names "ccc" and "ddd" do not specify a single address as the remote address, different pre-shared keys are set.

Pattern 3: Combination which violates the aforementioned restriction 2). (The items in blue are violations.)
policy priority | policy name | local address | local port | remote port | pre-shared key
1 | aaa | All IPv4 Address | All Port | All Port | hoge
2 | bbb | All IPv4 Address | 9100 | All Port | hoge2
3 | ccc | All IPv6 Address | 9100 | All Port | hoge2
4 | ddd | All IPv4 Address | All Port | All Port | hoge3
Although the policy names "bbb" and "ccc" do not specify a single address as the remote address, their priority is higher than "ddd."

Pattern 4: Combination which violates the aforementioned restriction 2). (The items in blue are violations.)
policy priority | policy name | local port | remote port | pre-shared key
1 | aaa | All Port | All Port | hoge
2 | bbb | All Port | All Port | hoge2
3 | ccc | 9100 | All Port | hoge3
4 | ddd | 9100 | All Port | hoge3

Internal processing when restricted patterns occur
Processing 3) When a policy is registered, if a single address is not specified as the remote address, and the specified pre-shared key is different from the one specified to the group, the pre-shared key of the latest policy is applied to all the pre-shared keys.
For example, when you register a new policy with the name "eee" and the pre-shared key "hoge4" to a device with the policies below, all the pre-shared keys of the policies whose remote address is not a single address are standardized.
List of existing policies
policy priority | policy name | local address | local port | remote port | pre-shared key
1 | aaa | All IPv4 Address | All Port | All Port | hoge
2 | bbb | All IPv4 Address | All Port | All Port | hoge2
3 | ccc | All IPv4 Address | 9100 | All Port | hoge3
4 | ddd | All IPv6 Address | 9100 | All Port | hoge3
After registration of "eee"
policy priority | policy name | local address | local port | remote port | pre-shared key
1 | aaa | All IPv4 Address | All Port | All Port | hoge
2 | bbb | All IPv4 Address | All Port | All Port | hoge2
3 | ccc | All IPv4 Address | 9100 | All Port | hoge4
4 | ddd | All IPv6 Address | 9100 | All Port | hoge4
5 | eee | All IPv6 Address | 80 | All Port | hoge4

When registering a new policy or editing an existing policy, if any option other than "Single Address" is selected in Remote Address, the policy cannot be registered if the specified pre-shared key is different from the registered one specified to the group.
For example, when you register a new policy with the name "eee" and the pre-shared key "hoge4" to a device with the policies below, the policy violates the restrictions, and the registration fails.
policy priority | policy name | local port | remote address | remote port | pre-shared key
1 | aaa | All Port | 172.24.133.133 | All Port | hoge
2 | bbb | All Port | 172.24.111.111 | All Port | hoge2
3 | ccc | 9100 | 172.24.222.222 | All Port | hoge3
4 | ddd | 9100 | All IPv4 Address | All Port | hoge3
(new) | eee | 80 | All IPv6 Address | All Port | hoge4
When you attempt to register the above policy, the following message appears: "Check the settings. When Pre-shared Key Method for AUTH Method is set to other than a single address, the shared key characters must be the same when registering multiple policies."

Registration position of a new policy
When a new policy (policy name "eee" in the table below) is registered to a device in which several policies have already been registered, it is normally added at the bottom. However, if the remote address setting would violate the restrictions, it is registered not at the bottom but at an appropriate priority.
List of existing policies
policy priority | policy name | local port | pre-shared key
1 | aaa | All Port | hoge
2 | bbb | All Port | hoge2
3 | ccc | 9100 | hoge3
4 | ddd | 9100 | hoge3
After registration of "eee"
policy priority | policy name | local port | remote port | pre-shared key
1 | aaa | All Port | All Port | hoge
2 | bbb | All Port | All Port | hoge2
3 | eee | All Port | All Port | hoge4
4 | ccc | 9100 | All Port | hoge3
5 | ddd | 9100 | All Port | hoge3

Processing 4) When the policy priority order is changed, a change of the order which does not meet the restricted specifications cannot be made.
Prohibition of change of the policy order (Processing 4)
When you change the priority order of policies, a change of the order which violates the restricted specifications is prohibited.
For instance, when the policies given in the table below are already registered, if you attempt to move the policy "bbb" to the lower position using "Lower Priority," it violates the restrictions, and the attempt fails.
policy priority | policy name | local address | local port | remote port | pre-shared key
1 | aaa | All IPv4 Address | All Port | All Port | hoge
2 | bbb | All IPv4 Address | All Port | All Port | hoge2
3 | ccc | All IPv4 Address | 9100 | All Port | hoge3
4 | ddd | All IPv6 Address | 9100 | All Port | hoge3
On imageRUNNER 3225/3235/3245 FIGS and later devices, if you attempt to change the order of policies against the restrictions, the following message appears: "When Pre-shared Key Method is set for AUTH Method, a policy with a single remote address cannot a lower priority than other policies."
1-14
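The two restrictions and the internal processing described above amount to a small set of invariants on the security policy database. The following Python is an added example, not code from the Canon manual or the device firmware: it models a policy by its remote-address kind and pre-shared key only, enforces restriction 1 either by standardizing the group key (Processing 3) or by refusing the registration, inserts a single-address policy above the first group policy so restriction 2 holds, and refuses a "Lower Priority" move that would break it (Processing 4). The class names and the flag that selects between the two device behaviours are this example's own; the sample list aaa to ddd follows the manual's tables, with the assumption that aaa and bbb are the single-address policies.

```python
# Added example (not from the Canon manual): a model of the policy-registration
# restrictions and internal processing described above. Which policies have a
# single remote address in the sample list is an assumption made from their keys.
from dataclasses import dataclass
from typing import List, Optional

MAX_POLICIES = 10  # "up to 10-pattern policies can be registered"

# Messages quoted from the manual's description of the operation panel.
REJECT_MSG = ("Check the settings. When Pre-shared Key Method for AUTH Method is "
              "set to other than a single address, the shared key characters "
              "must be the same when registering multiple policies.")
REORDER_MSG = ("When Pre-shared Key Method is set for AUTH Method, a policy with "
               "a single remote address cannot a lower priority than other policies.")


@dataclass
class Policy:
    name: str
    remote_single: bool  # Remote Address set to "Single Address"?
    psk: str             # pre-shared key (Pre-shared Key Method assumed)


class SPD:
    """Security policy database kept in priority order (index 0 = priority 1)."""

    def __init__(self, standardize_keys: bool = False):
        self.policies: List[Policy] = []
        # True models Processing 3 (the latest key is applied to the group);
        # False models the devices that refuse the registration with REJECT_MSG.
        self.standardize_keys = standardize_keys

    def group_psk(self) -> Optional[str]:
        """Key shared by the policies whose remote address is not single."""
        keys = {p.psk for p in self.policies if not p.remote_single}
        return keys.pop() if len(keys) == 1 else None

    def register(self, policy: Policy) -> str:
        if len(self.policies) >= MAX_POLICIES:
            return "rejected: policy limit reached"
        if not policy.remote_single:                      # restriction 1
            group = self.group_psk()
            if group is not None and group != policy.psk:
                if not self.standardize_keys:
                    return "rejected: " + REJECT_MSG
                for p in self.policies:                  # Processing 3
                    if not p.remote_single:
                        p.psk = policy.psk
        # Restriction 2: a new policy normally goes to the bottom, but a
        # single-address policy is inserted just above the first group policy.
        position = len(self.policies)
        if policy.remote_single:
            for i, p in enumerate(self.policies):
                if not p.remote_single:
                    position = i
                    break
        self.policies.insert(position, policy)
        return f"registered at priority {position + 1}"

    def lower_priority(self, name: str) -> str:
        """Processing 4: refuse an order change that breaks restriction 2."""
        idx = self.names().index(name)
        if idx == len(self.policies) - 1:
            return "unchanged: already lowest priority"
        below = self.policies[idx + 1]
        if self.policies[idx].remote_single and not below.remote_single:
            return "rejected: " + REORDER_MSG
        self.policies[idx], self.policies[idx + 1] = below, self.policies[idx]
        return "moved"

    def names(self) -> List[str]:
        return [p.name for p in self.policies]

    def psks(self) -> List[str]:
        return [p.psk for p in self.policies]


def example_spd(standardize_keys: bool = False) -> SPD:
    """The four-policy list aaa..ddd used in the manual's examples."""
    spd = SPD(standardize_keys)
    for name, single, psk in (("aaa", True, "hoge"), ("bbb", True, "hoge2"),
                              ("ccc", False, "hoge3"), ("ddd", False, "hoge3")):
        spd.register(Policy(name, single, psk))
    return spd


if __name__ == "__main__":
    spd = example_spd(standardize_keys=True)
    print(spd.register(Policy("eee", False, "hoge4")), spd.psks())
    spd = example_spd()
    print(spd.register(Policy("eee", True, "hoge4")), spd.names())
    print(spd.lower_priority("bbb"))
```

Run stand-alone, the script reproduces the three situations the manual tabulates: registering a group policy "eee" with key hoge4 rewrites ccc and ddd to hoge4, registering a single-address "eee" lands at priority 3 rather than the bottom, and lowering "bbb" below the group is refused.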
Settings
Settings Window
The IPSec settings are made in the system control window in the operation panel of the device.
[Use IPSec]
This item is used to set whether or not to use the IPSec function. The default setting is "Off."
[Policy List]
The policy list shows a list of the registered policies.
The specifications for the policy list are given below:
- With this product, up to 10-pattern policies can be registered in a device. The table area which controls policies is called the security policy database (SPD).
- When a registered policy is deleted, the policies in the lower priority are moved up.
- To set On/Off of a policy, select a policy and press "Policy On/Off."
- Although up to 24 characters in ASCII can be set as a policy name, a whole name might not be displayed in the list.
- To set the priority order of policies, select a policy and press "Raise Priority" or "Lower Priority."
[Regi.]
For information on the policy registration window, see "Registration/Edit Window."
[Delete]
[Policy On/Off]
This item is used to set "On" or "Off" to the status of the policy selected in the list.
[Print List]
This item is used to print out the settings of a registered policy.
Print sample
  iR-ADV C5051                                   001
  ******************************
  *** IPSec Policy List ***
  ******************************
  Priority1
    Policy Name                    ON   Policy-1
    Selector Settings
      Local Address                All IPv4 Addresss
      Remote Address               All IP Addresses
      Port
        Local Port                 All Port
        Remote Port                All Port
    IKE Settings
      IKE Mode                     Main
      Authentication Method        Digital sig. Method
      Auth./Encryption Algorithm   Auto
    IPSec Network Settings
      Validity
        Time                       ON   480 min
        Size                       ON   10 MB
      PFS                          OFF
      Auth./Encryption Algorithm   Auto
      Connect. Mode                Transport
  Priority2
    Policy Name                    ON   Policy-2
    Selector Settings
      Local Address                All IP addresses
Registration/Edit Window
In the registration/edit window, policies used by IPSec are registered or edited.
Policy Name
This item is used to set a policy name.
Selector Settings
This item is used to set a selector.
When you press "Selector," the Selector Settings window appears. For more details, see Selector Settings Window.
IKE Settings
In this window, the ISAKMP message exchange protocol (IKE mode) and the authentication method are set. For more details, see IKE Settings.
IPSec Settings
In this window, the IPSec communication settings are made. For more details, see IPSec Network Settings.
Selector Settings Window
The conditions are Start-point IP Address, End-point IP Address, protocol, and destination port, etc. A communication packet which satisfies these conditions is selected.
All IP Address
Select this option when you target all local addresses.
Port Settings
This item is used to set whether or not to apply IPSec to the packets which include a specific port (or service).
Specify by Port Number
Select this option when you specify a specific port number. When you press this item, the setting window is opened.
In Local Port or Remote Port, select "All Ports" or "Specify Port."
When you specify a port (Specify Port), enter a port number.
2-8
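The selector described above is what decides whether a given packet receives IPSec processing. The following Python is an added example, not code from the Canon manual or the device firmware: it models the selector kinds named on this page ("All IPv4 Address", "All IPv6 Address" or a single address for each side, a protocol, and "All Port" or a port number for each side), then walks the policies in priority order and returns the first enabled match, the packet otherwise going out without IPSec. The class and field names and the sample policies and packets are this example's own constructions; a port setting only matches when the packet actually carries a port number, as the settings table states.

```python
# Added example (not from the Canon manual): matching packets against selector
# settings of the kinds described above. Class/field names and sample data are
# this example's own constructions.
import ipaddress
from dataclasses import dataclass
from typing import Optional, Sequence

ALL_IPV4 = "All IPv4 Address"
ALL_IPV6 = "All IPv6 Address"
ALL_PORT = "All Port"


@dataclass(frozen=True)
class Selector:
    local_address: str           # ALL_IPV4, ALL_IPV6 or a single address string
    remote_address: str
    protocol: Optional[str]      # "TCP", "UDP", "ICMP" or None for any
    local_port: object = ALL_PORT    # ALL_PORT or an int
    remote_port: object = ALL_PORT


@dataclass(frozen=True)
class Policy:
    name: str
    selector: Selector
    enabled: bool = True         # "Policy On/Off"


@dataclass(frozen=True)
class Packet:
    local_address: str
    remote_address: str
    protocol: str
    local_port: Optional[int] = None   # None when the packet has no port (ICMP)
    remote_port: Optional[int] = None


def address_matches(setting: str, address: str) -> bool:
    addr = ipaddress.ip_address(address)
    if setting == ALL_IPV4:
        return addr.version == 4
    if setting == ALL_IPV6:
        return addr.version == 6
    return ipaddress.ip_address(setting) == addr   # single address


def port_matches(setting, port: Optional[int]) -> bool:
    # A port filter applies only "when a port number exists in the packet".
    if setting == ALL_PORT:
        return True
    return port is not None and int(setting) == port


def selector_matches(sel: Selector, pkt: Packet) -> bool:
    return (address_matches(sel.local_address, pkt.local_address)
            and address_matches(sel.remote_address, pkt.remote_address)
            and (sel.protocol is None or sel.protocol == pkt.protocol)
            and port_matches(sel.local_port, pkt.local_port)
            and port_matches(sel.remote_port, pkt.remote_port))


def lookup(policies: Sequence[Policy], pkt: Packet) -> Optional[str]:
    """Name of the highest-priority enabled policy whose selector matches.

    None means no policy applies and the packet is sent without IPSec.
    """
    for policy in policies:
        if policy.enabled and selector_matches(policy.selector, pkt):
            return policy.name
    return None


# Constructed sample SPD: a single print host on port 9100 takes priority
# over a catch-all IPv4 policy; the IPv6 policy is switched off.
SAMPLE_POLICIES = [
    Policy("print-host", Selector(ALL_IPV4, "192.0.2.10", "TCP", local_port=9100)),
    Policy("all-v4", Selector(ALL_IPV4, ALL_IPV4, None)),
    Policy("v6-off", Selector(ALL_IPV6, ALL_IPV6, None), enabled=False),
]

if __name__ == "__main__":
    pkt = Packet("192.0.2.1", "192.0.2.10", "TCP", 9100, 51000)
    print(lookup(SAMPLE_POLICIES, pkt))
```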
IKE Settings
This item is used to make the settings related to key exchange protocols.
User Mode (Top) > Preference > Network > TCP/IP Settings > IPSec Settings > Regi. or Edit > IKE Settings
Mode
This item is used to specify the mode to exchange ISAKMP messages when the IKE SA is created in IKE Phase 1.
The available modes are the main mode and the aggressive mode.
The differences between the main mode and the aggressive mode in IKE Phase 1 are shown in the table below.
Mode | Description
Main mode | Phase 1 is finished after three sets of transmission and reception of ISAKMP messages: 1st and 2nd messages (negotiation of ISAKMP SA parameters); 3rd and 4th messages (exchange of parameters for key calculation and execution of key calculation); 5th and 6th messages (authentication of the IPSec communication end (device)).
Aggressive mode |
IKE Phase 1
1. Proposal and selection of conditions (proposes several conditions including the algorithm and lifetime of key, etc.)
2. Determination of condition of SA
3. Exchange of key by DH (creates and sends a numeric value which is used as a key element)
4. Creation of key
5. Authentication between devices (sends the ID and pass phrase, etc.)
Authentication Method
The IPSec function uses two authentication methods for IKE Phase 1: one is the pre-shared key authentication, and the other is the digital signature authentication.
Auth./Encryption Algorithm
This item is used to set the authentication and encryption algorithms.
No. | Authentication | Encryption | DH
1 | SHA1 | AES(128) | 2
2 | MD5 | AES(128) | 2
3 | SHA1 | AES(192) | 2
4 | MD5 | AES(192) | 2
5 | SHA1 | AES(256) | 2
6 | MD5 | AES(256) | 2
7 | SHA1 | 3DES | 2
8 | MD5 | 3DES | 2
DH Group
Select one DH group from Group1 (762), Group2 (1024), and Group3 (2048).
Validity
This item is used to set the update validity of the Security Association (SA) of IPsec/IKE.
The validity specified in this setting is applied both to the update period for the SA of IPsec and to that of IKE.
The validity is specified in minutes or in MB. The settable range is 1 to 65535 minutes or 1 to 65535 MB. In the initial setting, Time is set to 480 minutes (8 hours), and Size is not specified. You cannot specify "0" for Time or Size.
When both are specified, the SA is invalidated by whichever validity is reached first. IPsec communication within the validity can exchange ESP packets without negotiations of key exchange.
Negotiations of the validity vary according to the setting at the host of the other end. For instance, if a validity shorter than the one set in a host is proposed during IKE Phase 1, the host may reject the negotiation.
[Figure: Host computer A (Initiator) and Host computer B (Responder) in IKE Phase 1. A validity setting shorter than the validity set in host B is proposed as the condition.]
In the communication between the devices which support this product, the validity at the initiator* is used.
* The node which makes IKE communication is called the IKE peer, the side which issues an IKE request is called the initiator, and the side which receives a request is called the responder.
PFS
When a shared key is leaked to any malicious third parties, there is a risk that they might be able to forecast the keys to be generated. Enabling Perfect Forward Secrecy (PFS) prevents third parties from forecasting the keys to be generated even if they obtain a shared secret key.
Although the load upon key exchange is increased if PFS is enabled, the confidentiality is enhanced.
The initial setting of PFS is "Off".
The same PFS setting must be set on the hosts between which negotiations are made. Therefore, when the PFS setting is set to On, that of the other end must be set to On as well.
2-11
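The Validity rules above (1 to 65535 minutes or MB, 0 not permitted, 480 minutes as the default, expiry on whichever limit is reached first) are easy to get subtly wrong when a policy is created by a management script rather than at the panel. The following Python is an added example, not code from the Canon manual or the device: it validates a Time/Size pair the way the page describes and decides whether an SA has reached its validity. The function names are this example's own; the page does not say whether both limits may be left unspecified, so this example treats that as an error, which is an assumption.

```python
# Added example (not from the Canon manual): validating the Validity (SA
# lifetime) setting and applying the "whichever is reached first" rule.
# Ranges, the 480-minute default and the ban on 0 are from the text; the
# requirement that at least one limit be set is an assumption.
from typing import Optional

MIN_VALIDITY, MAX_VALIDITY = 1, 65535
DEFAULT_TIME_MIN = 480      # initial setting: 480 minutes (8 hours)
DEFAULT_SIZE_MB = None      # initial setting: Size not specified


def validity_error(time_min: Optional[int], size_mb: Optional[int]) -> Optional[str]:
    """Return a reason the pair would be refused, or None if it is acceptable.

    None for a limit means "not specified". A specified limit must lie in
    1..65535, so 0 is refused, as the panel refuses it.
    """
    if time_min is None and size_mb is None:
        return "at least one of Time and Size must be specified (assumed)"
    for label, value in (("Time", time_min), ("Size", size_mb)):
        if value is not None and not (MIN_VALIDITY <= value <= MAX_VALIDITY):
            return f"{label} must be {MIN_VALIDITY}..{MAX_VALIDITY}, got {value}"
    return None


def sa_expired(elapsed_min: float, sent_mb: float,
               time_min: Optional[int] = DEFAULT_TIME_MIN,
               size_mb: Optional[int] = DEFAULT_SIZE_MB) -> bool:
    """True once either configured limit is reached ("whichever first")."""
    problem = validity_error(time_min, size_mb)
    if problem:
        raise ValueError(problem)
    by_time = time_min is not None and elapsed_min >= time_min
    by_size = size_mb is not None and sent_mb >= size_mb
    return by_time or by_size


if __name__ == "__main__":
    print(validity_error(0, None))          # refused: 0 is not allowed
    print(sa_expired(10, 10, 480, 10))      # True: size limit reached first
```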
Authentication/Encryption Algorithm
This item is used to set the authentication and encryption algorithms in the IPSec network.
You can select Auto Settings or Manual Settings.
First of all, select ESP, which performs authentication and encryption of packets, or AH, which performs only authentication of packets.
1) When ESP is selected
Select the authentication algorithm from MD5, SHA1, and NULL. You can select both MD5 and SHA1 at the same time. In the initial setting, SHA1 is selected.
Select the encryption algorithm from 3DES-CBC, AES-CBC, and NULL. You can select both 3DES-CBC and AES-CBC at the same time. In the initial setting, 3DES-CBC is selected.
You cannot set NULL for both ESP authentication and ESP encryption.
2) When AH is selected
Select one or more AH authentication algorithms from SHA1 and MD5. If you do not select either, the OK button is disabled (grayed out), and you cannot finish the setting.
Auto Settings of authentication and encryption algorithms
When you select the Auto settings of the authentication and encryption algorithms for the IPSec Network, IPSec SA makes negotiations for algorithm patterns in accordance with the priority given below. Servers also wait in the same priority.
Priority | AH | ESP authentication | ESP encryption
1 | NULL | SHA1 | AES (128)
2 | NULL | MD5 | AES (128)
3 | NULL | SHA1 | AES (192)
4 | NULL | MD5 | AES (192)
5 | NULL | SHA1 | AES (256)
6 | NULL | MD5 | AES (256)
7 | NULL | SHA1 | 3DES
8 | NULL | MD5 | 3DES
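The Auto Settings table above is an ordered proposal list, and the IKE Phase 1 table in the IKE Settings section is another. The following Python is an added example, not code from the Canon manual or the device: it encodes both lists in the page's order, selects the first proposal in the proposing side's priority that the peer also accepts, builds the ESP proposal list for Manual Settings under the page's rule that NULL may not be chosen for both authentication and encryption, and flags the MD5 and 3DES entries, which are legacy algorithms a reviewer would want moved out of a policy. The peer's accepted set is constructed sample input; the ordering of manual combinations and all function names are this example's assumptions.

```python
# Added example (not from the Canon manual): proposal selection over the Auto
# Settings order above and the IKE Phase 1 list. Peer configurations are
# constructed sample input; function names and the manual-settings ordering
# are this example's assumptions.
from typing import Iterable, List, Optional, Tuple

# IPSec SA, Auto Settings, priority 1 first: (AH, ESP authentication, ESP encryption)
IPSEC_AUTO_PROPOSALS: List[Tuple[str, str, str]] = [
    ("NULL", "SHA1", "AES (128)"),
    ("NULL", "MD5", "AES (128)"),
    ("NULL", "SHA1", "AES (192)"),
    ("NULL", "MD5", "AES (192)"),
    ("NULL", "SHA1", "AES (256)"),
    ("NULL", "MD5", "AES (256)"),
    ("NULL", "SHA1", "3DES"),
    ("NULL", "MD5", "3DES"),
]

# IKE Phase 1 table: (authentication, encryption, DH group)
IKE_PROPOSALS: List[Tuple[str, str, int]] = [
    ("SHA1", "AES(128)", 2), ("MD5", "AES(128)", 2),
    ("SHA1", "AES(192)", 2), ("MD5", "AES(192)", 2),
    ("SHA1", "AES(256)", 2), ("MD5", "AES(256)", 2),
    ("SHA1", "3DES", 2), ("MD5", "3DES", 2),
]

LEGACY_ALGORITHMS = {"MD5", "3DES"}   # widely deprecated; prefer SHA1 and AES


def negotiate(proposals: Iterable[tuple], peer_accepts: Iterable[tuple]) -> Optional[tuple]:
    """First proposal, in the proposer's priority order, that the peer accepts.

    None means there is no common proposal and the negotiation fails.
    """
    accepted = set(peer_accepts)
    for proposal in proposals:
        if proposal in accepted:
            return proposal
    return None


def manual_esp_proposals(auth_choices: Iterable[str],
                         enc_choices: Iterable[str]) -> List[Tuple[str, str, str]]:
    """ESP proposal list for Manual Settings.

    Several algorithms may be selected at once; NULL may not be selected for
    both authentication and encryption. The relative order of the resulting
    combinations is this example's assumption: it keeps the Auto order
    (encryption-major, SHA1 before MD5, AES before 3DES) with NULL last.
    """
    auth = [a for a in ("SHA1", "MD5", "NULL") if a in set(auth_choices)]
    enc = [e for e in ("AES-CBC", "3DES-CBC", "NULL") if e in set(enc_choices)]
    if not auth or not enc:
        raise ValueError("select at least one authentication and one encryption algorithm")
    if "NULL" in auth and "NULL" in enc:
        raise ValueError("NULL cannot be set for both ESP authentication and ESP encryption")
    return [("NULL", a, e) for e in enc for a in auth]


def flag_legacy(proposal: tuple) -> List[str]:
    """Algorithms in a proposal that a policy review should call out."""
    return [alg for alg in proposal if alg in LEGACY_ALGORITHMS]


if __name__ == "__main__":
    peer = {("NULL", "SHA1", "3DES"), ("NULL", "MD5", "AES (256)")}
    chosen = negotiate(IPSEC_AUTO_PROPOSALS, peer)
    print(chosen, "legacy:", flag_legacy(chosen))
```

With a peer that accepts only priorities 6 and 7, the device's order picks priority 6 (MD5 with AES (256)) even though the peer also offers SHA1, which is why the proposal order, not just the set of enabled algorithms, belongs in a policy review.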
Connection Mode
This item is used to display the IPSec connection mode.
This function supports the transport mode only, and therefore "Transport" is displayed.
2-12
Installation
Installation/Settings
Procedure
IPSec settings and
operation check
3-2
Installation/Settings Procedure
negotiation will fail. (This means negotiation will fail even if "From any port" is specified, "all
port" etc. is specified for address port.)
Operation check
Establish a communication and check whether the specified IPSec function operates properly
or not.
3-2
3
3-3
2) Register the Policy Name.
Example of configuration
IPSec settings are specified for 1 PC and 1 iR device, and check the operation.
Encrypted data
Encrypted
data
Document
3)Selector Settings
Local Address
: All IP addresses
Remote Address
: All IP addresses
: ON
3-3
3-4
4) IKE Settings
IKE Mode              : Main
Authentication Method : Shared Key
Shared Key            : canon (any)
Validity              : 0MB (default)
PFS                   : OFF
Connect. Mode         : Transport (fixed)
2) When the console is displayed, select [Add/Remove Snap-in...] from the [File] menu.
6) Click [Close] button.
3) Enter the IP Security Policy name and click [Next] button.
4) Untick [Activate the default response rule..] and click [Next] button.
7) When Security Rule Wizard is started, click [Next] button.
8) Select [This rule does not specify a tunnel] and click [Next] button.
11) Enter a name for the filter and click [Edit...] button.
12) Display [Addresses] tab and select [Any IP Address] for both [Source address] and
[Destination address].
13) Display [Protocol] tab and select [Any] in [Select a protocol type].
14) Display [Description] tab and input a comment for identification (arbitrary), and click [OK]
button.
15) Click [OK] button.
18) Select [Use this string to protect the key exchange (pre-shared key)], enter the pre-shared key specified on the device side into the entry field, and click [Next] button.
19) Click [Finish] button.
MEMO
If the settings of the currently applied policy have been changed, it is necessary to un-assign
the policy and assign it again.
Operation check
2) Start Wireshark.
If the IPSec key exchange has failed, all results are [Negotiating IP Security] (including
4) Select a PC network card on [Interface] and click [Start] button.
Maintenance
FAQ
Troubleshooting
Q. Negotiation fails.
A. Check if the port setting of the security policy is the same in both devices.
In IPSec, the port setting in the security policy settings must be the same on both sides.
For instance, negotiation fails if Protocol is set to TCP and Port is set to All Port in the
settings of this device, whereas Protocol is set to TCP and Port is set to 80 in the settings of
Q. Does this product support the tunnel mode as a connection mode in which IPSec is
applied?
A. This product supports the transport mode only, which makes peer-to-peer IPSec
communication.
Although I made the setting to obtain debug logs in the Service Mode, I found no log file when
About protocols
Q. In what environment is unencrypted AH used?
A. It is used in the environment where encryption cannot be used.
In some environments, encryption of data is not permitted. In such a case, AH is used.
Conflict with IP filter
Q. What happens when the IPSec settings conflict with the settings of the IP filter, which is the
original function?
A. There is a setting by which IPsec discards the packets to which IPsec is not applied. The IP
filter, which is the original function, also discards the packets which do not satisfy the filter
settings.
Q. When the IPsec settings and the IP filter settings overlap, which settings have priority?
A. When both IPSec and the IP filter are set, they are applied in the order IPSec, then IP filter,
at reception. At transmission, they are applied in the order IP filter, then IPSec.
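The following is an added example and not Canon's code. It covers two of the FAQ answers above: a selector-compatibility check for the "Negotiation fails" case (TCP/All Port on the device against TCP/80 on the PC), and a model of the order in which IPSec and the IP filter are applied on reception and on transmission, so that the stage that discards a packet, and therefore the reason a log would show, can be predicted. The `Selector`, `DeviceConfig` and packet structures, the `protected` flag marking a packet to which IPsec has been applied, and the function names are assumptions made for this example.

```python
"""Selector compatibility and IPSec / IP-filter processing order (added example)."""
from dataclasses import dataclass, field
from typing import List, Optional, Union

ALL_PORT = "All Port"


@dataclass(frozen=True)
class Selector:
    protocol: str              # "TCP", "UDP" or "Any"
    port: Union[int, str]      # a port number or ALL_PORT


def selectors_compatible(device: Selector, peer: Selector) -> bool:
    """Both peers must describe the same traffic; any difference in the
    protocol or the port setting makes negotiation fail."""
    return device.protocol == peer.protocol and device.port == peer.port


def selector_matches(sel: Selector, pkt: dict) -> bool:
    """True when a packet falls under the selector (constructed packet dict)."""
    if sel.protocol != "Any" and sel.protocol != pkt["protocol"]:
        return False
    return sel.port == ALL_PORT or sel.port == pkt["port"]


@dataclass
class DeviceConfig:
    discard_non_ipsec: bool                 # "discard packets to which IPsec is not applied"
    ip_filter_allow: List[Selector] = field(default_factory=list)


def ipsec_stage(cfg: DeviceConfig, pkt: dict) -> Optional[str]:
    """Return None to let the packet through, or the discard reason."""
    if pkt["protected"]:
        return None
    if cfg.discard_non_ipsec:
        return "ipsec: discarded (IPsec not applied)"
    return None


def ip_filter_stage(cfg: DeviceConfig, pkt: dict) -> Optional[str]:
    """The IP filter discards packets that match none of its allow rules."""
    if any(selector_matches(s, pkt) for s in cfg.ip_filter_allow):
        return None
    return "ip filter: discarded (no matching rule)"


def process(cfg: DeviceConfig, pkt: dict, direction: str) -> str:
    """Apply the stages in the order the FAQ gives: IPSec then IP filter on
    reception, IP filter then IPSec on transmission. The first stage that
    discards decides the reason."""
    if direction == "receive":
        stages = (ipsec_stage, ip_filter_stage)
    elif direction == "transmit":
        stages = (ip_filter_stage, ipsec_stage)
    else:
        raise ValueError("direction must be 'receive' or 'transmit'")
    for stage in stages:
        reason = stage(cfg, pkt)
        if reason is not None:
            return reason
    return "pass"


if __name__ == "__main__":
    # Constructed configuration: discard non-IPsec traffic, IP filter allows TCP/80 only.
    cfg = DeviceConfig(discard_non_ipsec=True, ip_filter_allow=[Selector("TCP", 80)])
    unprotected_443 = {"protocol": "TCP", "port": 443, "protected": False}
    print(process(cfg, unprotected_443, "receive"))    # IPSec discards first
    print(process(cfg, unprotected_443, "transmit"))   # IP filter discards first
    print(selectors_compatible(Selector("TCP", ALL_PORT), Selector("TCP", 80)))
```

The same unprotected packet is discarded in both directions, but by a different function in each, which is why the stage named in a log entry depends on whether the packet was received or sent.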
Service Mode
Troubleshooting
Troubleshooting > Procedure for IPSec Security Board Status Check Test
You can execute tests to check the IPSec security board status from the Service Mode.
The following two tests are available: IPSECINT (Interrupt mode test) and IPSECPOL (Poll
mode test).
Be sure to execute both tests. Each test takes approx. 3 minutes.
2) Select (press) IPSECINT (Interrupt mode test) or IPSECPOL (Poll mode test) and press the
"OK" button.
3)
Failed: "NG"
If either of the tests fails, the IPsec function does not work. When the result of either test is
NG (failed), check if the accelerator is connected properly, and execute the test again.
If the result of the retry is also NG (failed), the chip is considered to have failed.
You can delete all the policies registered in a device and initialize it.
This function should be used in emergency cases, such as when there is inconsistency
between registered policies.
4) Open the IPSec settings window and check that all the registered policies are deleted.
Debug logs are prepared for those who are in charge of product development, and the
or a development division of Canon Inc. when a failure which cannot be dealt with on site
occurs.
There is no need for a service person to check and evaluate debug logs at a user site.
Since IPSec operates in a process separately from a bootable process, its log information
While the settable range of the log level is 0 to 10, 8 is the highest log level. (9 and 10 are the
same level as 8.)
The setting is enabled after the device is restarted. The setting value is automatically returned
2) Input the level of logs that you want to obtain in the IPSDEBLV field and press "OK". (The
initial setting is "0".)
5) Connect a PC on which SST is activated to the device, and obtain the log file in the
following path:
/APL_LOG/ipsec/ipseclog.txt
6) Restart the device again and check if the IPSDEBLV setting in the Service Mode is