Security: IPSec Board-B2 Service Manual
September 11, 2009 Revision 0
downloads.canon.com/isg_public/iradvanceC09075/IPSec_Board-B2_…

0-2

Application
This manual has been issued by Canon Inc. for qualified persons to learn technical theory, installation, maintenance, and repair of products. This manual covers all localities where the products are sold. For this reason, there may be information in this manual that does not apply to your locality.

Corrections
This manual may contain technical inaccuracies or typographical errors due to improvements or changes in products. When changes occur in applicable products or in the contents of this manual, Canon will release technical information as the need arises. In the event of major changes in the contents of this manual over a long or short period, Canon will issue a new edition of this manual.

The following paragraph does not apply to any countries where such provisions are inconsistent with local law.

Trademarks
The product names and company names used in this manual are the registered trademarks of the individual companies.

Copyright
This manual is copyrighted with all rights reserved. Under the copyright laws, this manual may not be copied, reproduced or translated into another language, in whole or in part, without the written consent of Canon Inc.

(C) CANON INC. 2009

Caution
Use of this manual should be strictly supervised to avoid disclosure of confidential information.

0-3

Contents

Chapter 1 IPSec Overview
  IPSec Overview ------------------------------------------------ 1-2
    What is IPSec? ---------------------------------------------- 1-2
    Modes of operation ------------------------------------------ 1-4
    Protocol of authentication and cryptography ----------------- 1-4
    Key exchange protocols -------------------------------------- 1-5
  Specifications ------------------------------------------------ 1-6
    Operating Conditions of IPSec ------------------------------- 1-6
      Supported Devices ----------------------------------------- 1-6
      Supported Functions --------------------------------------- 1-6
      Applicable Packets ---------------------------------------- 1-6
      Specifications for Network Port --------------------------- 1-6
    Specifications for Security Policy -------------------------- 1-7
    Menu Items in IPSec Setting Window -------------------------- 1-8
    Other Specifications ---------------------------------------- 1-10
  Restrictions -------------------------------------------------- 1-11
    Notification of Deletion of SAD ----------------------------- 1-11
    Conflict with Sleep Function -------------------------------- 1-11
    Link-Local Address ------------------------------------------ 1-11
    Certificate Method ------------------------------------------ 1-11
    Restrictions when Registering Multiple Policies ------------- 1-12
      Internal processing when restricted patterns occur -------- 1-12

Chapter 2 Settings
  Settings Window ----------------------------------------------- 2-2
    Path to IPSec Settings window ------------------------------- 2-2
    IPSec Settings window --------------------------------------- 2-2
  Registration/Edit Window -------------------------------------- 2-4
    Path to Registration/Edit Window ---------------------------- 2-4
    Policy Name ------------------------------------------------- 2-4
    Selector Settings ------------------------------------------- 2-4
    IKE Settings ------------------------------------------------ 2-5
    IPSec Settings ---------------------------------------------- 2-5
  Selector Settings Window -------------------------------------- 2-6
    Path to Selector Settings Window ---------------------------- 2-6
    Local Address Settings/Remote Address Settings -------------- 2-6
    Port Settings ----------------------------------------------- 2-7
  IKE Settings -------------------------------------------------- 2-8
    Path to IKE Settings Window --------------------------------- 2-8
    Mode -------------------------------------------------------- 2-8
    Authentication Method --------------------------------------- 2-9
    Auth./Encryption Algorithm ---------------------------------- 2-9
  IPSec Network Settings ---------------------------------------- 2-10
    Validity ---------------------------------------------------- 2-10
    PFS --------------------------------------------------------- 2-10
    Authentication/Encryption Algorithm ------------------------- 2-11
    Connection Mode --------------------------------------------- 2-12

Chapter 3 Installation
  Installation/Settings Procedure ------------------------------- 3-2
    Flow of installation settings for basic IPSec --------------- 3-2
      Review of security policy --------------------------------- 3-2
      Security policy settings ---------------------------------- 3-2
      Operation check ------------------------------------------- 3-2
      Points to note at installation ---------------------------- 3-2
    IPSec settings and operation check -------------------------- 3-3
      Setting procedure on device side -------------------------- 3-3
      Setting procedure on PC side ------------------------------ 3-4
      Operation check ------------------------------------------- 3-13

Chapter 4 Maintenance
  FAQ ----------------------------------------------------------- 4-2
  Troubleshooting ----------------------------------------------- 4-2

Chapter 5 Service Mode
  IPSec Security Board Status Check Test ------------------------ 5-2
    Procedure for IPSec Security Board Status Check Test -------- 5-2
  Deletion of All Registered Policies --------------------------- 5-4
    Procedure to Delete All Registered Policies ----------------- 5-4
  Acquisition of Debug Logs ------------------------------------- 5-5
    Procedure to Obtain Debug Logs ------------------------------ 5-5

0-5

Explanation of Symbols
The following symbols are used throughout this Service Manual (the symbol glyphs are not reproduced here).

Symbol | Explanation
(attention) | General attention, warning, or notice of an unspecified danger.
(electric shock) | Notice to take care because of the possibility of electric shock.
(reference) | Refers to an item described in the copier BASIC series; read that item to understand the contents.

The following rules apply throughout this Service Manual:

1. Each chapter contains sections explaining the purpose of specific functions and the relationship between electrical and mechanical systems with reference to the timing of operation. In the diagrams, an arrow represents the path of mechanical drive; where a signal name accompanies the symbol, the arrow indicates the direction of the electric signal. The expression "turn on the power" means flipping on the power switch, closing the front door, and closing the delivery unit door, which results in supplying the machine with power.

2. In the digital circuits, '1' indicates that the voltage level of a given signal is "High", while '0' indicates "Low". (The voltage value, however, differs from circuit to circuit.) In addition, an asterisk (*) as in "DRMD*" indicates that the DRMD signal is active when '0'.

In practically all cases, the internal mechanisms of a microprocessor cannot be checked in the field. Therefore, the operations of the microprocessors used in the machines are not discussed: they are explained in terms of the path from the sensors to the input of the DC controller PCB and from the output of the DC controller PCB to the loads.

The descriptions in this Service Manual are subject to change without notice for product improvement or other purposes, and major changes will be communicated in the form of Service Information bulletins. All service persons are expected to have a good understanding of the contents of this Service Manual and all relevant Service Information bulletins and be able to identify and isolate faults in the machine.

1 IPSec Overview
■ IPSec Overview
■ Specifications
■ Restrictions

1-2

IPSec Overview

What is IPSec?
IPsec is a function that provides secure IP communication for all packets at the IP level. It can be applied to any IP packet, IPv4 or IPv6. Because IPsec is applied to each IP packet, applications do not need to support it: communication between nodes to which IPsec settings are applied becomes secure automatically, without the applications being aware of it. In IPsec, whether encryption and the other processing are applied is decided from the data in each communication packet. Specifically, one of the following operations is performed on a packet:
• A packet which satisfies the conditions has the IPsec settings applied to it (authentication and encryption are performed).
• A packet which does not satisfy the conditions has no IPsec settings applied and is handled as normal, unprotected traffic.
• A packet which does not satisfy the conditions is discarded.
(Which of the last two happens to a received packet that matches no policy is chosen by the "Receive Non-policy Packet" setting described under Menu Items.)

The conditions are the start-point (source) address, end-point (destination) address, protocol and port. These condition items used to sort communication packets are generally called "selectors". The concept of a selector is close to that of filtering in a router (a selector is called an "IP Filter" in Windows), and multiple selectors can be defined. A selector together with the detailed processing actually applied to the matching packets is called a "security policy". The security policy also includes the IPsec protocol (AH, ESP, or IPComp) and the mode (transport mode or tunnel mode).
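The selector lookup described above, written out as an added example (illustration only, not Canon's code): policies are walked in priority order, the first one whose local/remote address and port selectors match is applied, and a packet that matches nothing is either passed through or discarded. The address forms ("all", "all-ipv4", "all-ipv6", a single address, a range "lo-hi", a subnet "net/prefix"), the 10-policy limit and the TCP/UDP/ICMP restriction come from the Specifications section later on this page; the class and field names, and the choice to apply "Receive Non-policy Packet" to inbound traffic only, are assumptions.

```python
"""Security policy (selector) lookup: first matching policy in priority order,
otherwise pass through or discard. Added illustration with hypothetical names."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

MAX_POLICIES = 10                            # limit from the Specifications section
IPSEC_PROTOCOLS = {"tcp", "udp", "icmp"}     # the only protocols IPsec is applied to


def addr_matches(spec: str, addr: str) -> bool:
    """spec: "all", "all-ipv4", "all-ipv6", a single address, "lo-hi" or "net/prefix"."""
    ip = ipaddress.ip_address(addr)
    if spec == "all":
        return True
    if spec == "all-ipv4":
        return ip.version == 4
    if spec == "all-ipv6":
        return ip.version == 6
    if "-" in spec:
        lo, hi = (ipaddress.ip_address(s) for s in spec.split("-", 1))
        return lo.version == ip.version and lo <= ip <= hi
    if "/" in spec:
        net = ipaddress.ip_network(spec, strict=False)
        return net.version == ip.version and ip in net
    return ip == ipaddress.ip_address(spec)


def port_matches(spec: Optional[int], port: Optional[int]) -> bool:
    """None in the selector means "All Port"; otherwise a single port number."""
    return spec is None or spec == port


@dataclass
class Policy:
    name: str
    local_addr: str
    remote_addr: str
    local_port: Optional[int] = None
    remote_port: Optional[int] = None
    protocol: str = "ESP"                    # ESP (initial setting) or AH
    enabled: bool = True


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                               # "tcp", "udp", "icmp", ...
    sport: Optional[int] = None              # None for ICMP
    dport: Optional[int] = None


@dataclass
class Device:
    policies: List[Policy] = field(default_factory=list)   # in priority order
    use_ipsec: bool = True
    receive_non_policy: str = "allow"        # "allow" (initial setting) or "reject"

    def add_policy(self, policy: Policy) -> None:
        if len(self.policies) >= MAX_POLICIES:
            raise ValueError("SPD full: at most %d policies" % MAX_POLICIES)
        self.policies.append(policy)

    def decide(self, pkt: Packet, inbound: bool) -> Tuple[str, Optional[str]]:
        """Return ("protect", policy name), ("bypass", None) or ("discard", None)."""
        if not self.use_ipsec or pkt.proto not in IPSEC_PROTOCOLS:
            return ("bypass", None)
        # Selectors are stated from the device's point of view (local/remote).
        if inbound:
            local, remote, lport, rport = pkt.dst, pkt.src, pkt.dport, pkt.sport
        else:
            local, remote, lport, rport = pkt.src, pkt.dst, pkt.sport, pkt.dport
        for pol in self.policies:            # first match in priority order wins
            if (pol.enabled
                    and addr_matches(pol.local_addr, local)
                    and addr_matches(pol.remote_addr, remote)
                    and port_matches(pol.local_port, lport)
                    and port_matches(pol.remote_port, rport)):
                return ("protect", pol.name)
        # No policy matched: "Receive Non-policy Packet" decides for received
        # traffic; outbound traffic that matches nothing is sent as normal (assumption).
        if inbound and self.receive_non_policy == "reject":
            return ("discard", None)
        return ("bypass", None)


def demo_device() -> Device:
    """Constructed sample: protect all traffic with one host, plus raw-port (9100)
    printing from any IPv4 host, in that priority order."""
    dev = Device(receive_non_policy="allow")
    dev.add_policy(Policy("host-A", "all-ipv4", "172.24.111.111"))
    dev.add_policy(Policy("raw-print", "all-ipv4", "all-ipv4", local_port=9100))
    return dev
```

With the sample device, a connection from 172.24.111.111 hits "host-A" whatever its port, a port-9100 connection from any other IPv4 host hits "raw-print", and anything else falls through to the "Receive Non-policy Packet" choice; switching that to "reject" is what turns an unprotected printer into one that only talks IPsec.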

Example use cases of this product are provided below.

Case 1) Encrypt all print communications from a host computer with the IPSec settings.
[Figure: a host computer with IPSec settings and a host computer without IPSec settings both print to the device over the IP network (print protocols: lpr, raw, ftp, IPP). Print data from the host with IPSec settings travels as encrypted data; print data from the host without IPSec settings travels as unencrypted data.]

Case 2) Encrypt Send communications to the file server and host computer, and do not encrypt print communications.
[Figure: scanned documents (Confidentiality1.tif, Confidentiality2.tif) sent from the device to a host computer and to a file server (send protocols: smb, ftp) travel as encrypted data; print data from the host computers to the device (print protocols: lpr, raw, ftp, IPP) travels as unencrypted data.]

1-3

Case 3) Encrypt Internet FAX and Email transmission.*
[Figure: a scanned document (Confidentiality1.tif) sent as Internet FAX or e-mail (protocol: smtp) travels as encrypted data from the device to the mail server and on to the host computer; a G3 fax (G3FAX.tif) sent over the PSTN is outside IPsec and travels as unencrypted data.]

* In Case 3, it is assumed that IPsec is also functioning between the mail server and the host computer.

1-4

Modes of operation
IPsec has two modes of operation: transport mode and tunnel mode.

Overview of transport mode
In transport mode a 1-to-1 relationship is established between the end hosts, and only the data section following the IP header is encrypted; the original IP header stays in the clear and is used for routing. The authentication check covers the data section and, with AH, also the non-mutable fields of the IP header (see "Protocol of authentication and cryptography" below).
[Figure: IP header | Data section, encryption, IP header | encrypted Data section, decryption, IP header | Data section. Only the data section is encrypted.]

Overview of tunnel mode
In tunnel mode the whole packet exchanged on the LAN, including its IP header, is encrypted and encapsulated behind a new IP header. This mode is typically used between VPN routers to establish a VPN over the Internet.
[Figure: VPN router (encryption), Internet, VPN router (decryption). IP header | Data section becomes New IP header | encrypted (IP header | Data section); the whole packet including the IP header is encrypted.]

The operation mode of IPsec supported by this product is transport mode only.

Protocol of authentication and cryptography
IPsec has two authentication and cryptographic protocols, ESP and AH. ESP provides encryption, sender authentication and falsification (tampering) detection; AH has no encryption feature. On this product you specify either ESP or AH for a policy; the two protocols cannot be specified at the same time.

AH (Authentication Header)
A protocol that guarantees authentication by detecting falsification of the communication data together with the IP header. The communication data is not encrypted.
[Figure: IP header | AH | Data section. Scope of authentication: the whole packet (IP header, AH and data section).]

ESP (Encapsulating Security Payload)
A protocol that guarantees integrity and authentication of the payload section only of the communication data, and provides confidentiality through encryption.
[Figure: IP header | ESP header | Data section | ESP trailer | ESP authentication data. Scope of encryption: data section and ESP trailer. Scope of authentication: ESP header, data section and ESP trailer; the IP header is not covered.]

Note that ESP with the NULL encryption algorithm (listed as supported under Specifications) provides the integrity check only: the data section is carried unencrypted, so a policy that is meant to give confidentiality must select 3DES-CBC or AES-CBC as the ESP encryption algorithm.
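The ESP layout described above, as an added example (illustration only, not Canon's code) using two algorithms the Specifications list as supported: ESP with the NULL encryption algorithm and HMAC-SHA-1-96. Building the packet shows exactly which bytes the ICV covers (everything from the SPI to the Next Header byte, never the IP header) and that with NULL encryption the payload is readable on the wire; the receive side performs the checks in the order ESP prescribes (SPI, anti-replay window, ICV, then trailer removal). The SPI, key and fake TCP segment are constructed values.

```python
"""ESP transport mode with NULL encryption and HMAC-SHA-1-96 (RFC 4303 layout).
Added illustration; the SA values below are constructed, not from the manual."""
import hashlib
import hmac
import struct

ICV_LEN = 12           # HMAC-SHA-1-96 truncates the 20-byte HMAC to 96 bits
NULL_BLOCK = 4         # NULL "cipher": the trailer is aligned to 4 octets
TCP = 6                # Next Header value for a TCP payload


def esp_encapsulate(auth_key: bytes, spi: int, seq: int, payload: bytes,
                    next_header: int = TCP) -> bytes:
    """Return SPI | Sequence | payload | padding | pad length | next header | ICV.
    With NULL encryption the payload is sent exactly as given."""
    pad_len = (-(len(payload) + 2)) % NULL_BLOCK
    padding = bytes(range(1, pad_len + 1))            # default padding 1, 2, 3, ...
    esp_header = struct.pack("!II", spi, seq)
    body = esp_header + payload + padding + bytes([pad_len, next_header])
    icv = hmac.new(auth_key, body, hashlib.sha1).digest()[:ICV_LEN]
    return body + icv


class EspReceiver:
    """Inbound SA state: SPI, authentication key, 64-packet anti-replay window."""

    def __init__(self, auth_key: bytes, spi: int, window: int = 64):
        self.auth_key, self.spi, self.window = auth_key, spi, window
        self.highest = 0     # highest sequence number accepted so far
        self.bitmap = 0      # bit k set => sequence (highest - k) already accepted

    def _is_replay(self, seq: int) -> bool:
        if seq == 0:
            return True
        if seq > self.highest:
            return False
        back = self.highest - seq
        return back >= self.window or bool((self.bitmap >> back) & 1)

    def _mark(self, seq: int) -> None:
        if seq > self.highest:
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.window) - 1)
            self.highest = seq
        else:
            self.bitmap |= 1 << (self.highest - seq)

    def receive(self, pkt: bytes):
        """Return (next_header, payload) or raise ValueError. Order of checks:
        SPI lookup, replay window, ICV, then trailer removal; the window is
        only advanced after the ICV verified, so forged packets cannot move it."""
        if len(pkt) < 8 + 2 + ICV_LEN:
            raise ValueError("packet too short for ESP")
        spi, seq = struct.unpack("!II", pkt[:8])
        if spi != self.spi:
            raise ValueError("unknown SPI 0x%08x" % spi)
        if self._is_replay(seq):
            raise ValueError("replayed or stale sequence number %d" % seq)
        body, icv = pkt[:-ICV_LEN], pkt[-ICV_LEN:]
        expected = hmac.new(self.auth_key, body, hashlib.sha1).digest()[:ICV_LEN]
        if not hmac.compare_digest(expected, icv):
            raise ValueError("ICV mismatch: packet modified in transit")
        self._mark(seq)
        pad_len, next_header = body[-2], body[-1]
        payload = body[8:len(body) - 2 - pad_len]
        return next_header, payload


# Constructed sample SA and payload (hypothetical values)
SAMPLE_KEY = bytes.fromhex("0badc0de" * 5)                 # 20-byte HMAC-SHA-1 key
SAMPLE_SPI = 0x1000A5A5
SAMPLE_PAYLOAD = b"\x01\xbb\x23\x8c\x00\x00\x00\x01GET /printers HTTP/1.1\r\n"


def demo() -> bytes:
    """Encapsulate one segment and show NULL encryption leaves it readable."""
    pkt = esp_encapsulate(SAMPLE_KEY, SAMPLE_SPI, 1, SAMPLE_PAYLOAD)
    if SAMPLE_PAYLOAD not in pkt:           # integrity only, no confidentiality
        raise AssertionError("NULL encryption should not hide the payload")
    return pkt
```

The same framing applies with 3DES-CBC or AES-CBC selected: only the bytes between the ESP header and the ICV (payload, padding, pad length, next header) are encrypted, and the ICV is computed over the ciphertext, which is why the receiver can reject a tampered packet before attempting to decrypt it.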

1-5

Key exchange protocols
IPsec has several key exchange protocols to set up authentication and encryption. This product supports IKEv1 (Internet Key Exchange version 1), which exchanges keys based on the standard protocol ISAKMP (Internet Security Association and Key Management Protocol). IKE has two processing phases: phase 1 creates the SA (Security Association) used by IKE itself, and phase 2 creates the SA used by IPsec (IPsec SA).

[Figure: IKE phase 1 and phase 2 message flow between the two devices, reproduced as a list.]

IKE Phase 1 (the ISAKMP SA is generated, and the IKE communication is encrypted)
1. Proposal of conditions: one side proposes several conditions including the algorithms and the lifetime of the key.
2. Determination of the SA conditions: the other side selects one of the proposed conditions.
3. Key exchange by DH: each side creates and sends a numeric value which is used as a key element.
4. Creation of the key: each side derives the shared key from the exchanged values.
5. Authentication between the devices: each side sends its ID and authentication data (pass phrase, etc.).
6. Verification that the other end is legitimate.

IKE Phase 2 (the IPsec SA is created, and communication through IPsec is started)
7. Exchange of the conditions and elements used to create the SA: encryption method, hash method, connection conditions such as the lifetime of the key, subnet or host, key element, etc.
8. Determination of the conditions for the SA: the other side accepts, and the IPsec SA is established.

Encrypted communication through IPsec then starts.

On this product, either the pre-shared key method or the digital signature method can be used as the IKE authentication method.

When you use the pre-shared key method, you need to decide beforehand on a keyword of up to 24 characters, called the pre-shared key, which is shared by the devices sending and receiving data. After setting the pre-shared key of the connection end with which IPsec communication is made in the operation panel of this product, authentication by the pre-shared key method can be performed. Because the key is at most 24 characters, choose a randomly generated one rather than a word or phrase.

When you use the digital signature method, you need to install the key pair file and CA certificate file created on a PC using the remote UI, and then register the installed files in the operation panel of this product. Using the CA certificate, the two ends of the IPsec communication authenticate each other. The key pair and CA certificate accepted for authentication in the digital signature method are:
• RSA algorithm
• X.509 certificate
• Key pair in PKCS#12 format
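Steps 3 to 6 of phase 1 with the pre-shared key method, as an added example (illustration only, not Canon's code): both ends compute SKEYID from the PSK and the two nonces, the DH shared secret over group 2 (the product's default), the derived keys SKEYID_d/a/e and the authentication hashes HASH_I/HASH_R, following RFC 2409 with HMAC-SHA-1 as the PRF. The second function shows why Main mode is the mode to keep: in Aggressive mode HASH_R and every one of its inputs except the PSK are sent unencrypted, so a captured exchange lets an attacker test PSK guesses offline, and a 24-character maximum makes a dictionary key a real risk. The group 2 prime is transcribed from RFC 2409; the SA payload body and identities are constructed placeholders.

```python
"""IKEv1 phase 1 key material with the pre-shared key method (RFC 2409,
HMAC-SHA-1 PRF, DH group 2), and the offline PSK check Aggressive mode permits.
Added illustration; SA body and identities are constructed placeholders."""
import hashlib
import hmac
import os
import secrets

# 1024-bit MODP prime of DH group 2, transcribed from RFC 2409 section 6.2
# (the demo's logic does not depend on the transcription being exact).
GROUP2_P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
GROUP2_G = 2
PUB_LEN = 128                        # octets in a group 2 public value

SAI_B = b"\x00\x00\x00\x01SA-proposal-body(constructed placeholder)"


def prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha1).digest()


def dh_keypair():
    x = secrets.randbelow(GROUP2_P - 2) + 1
    return x, pow(GROUP2_G, x, GROUP2_P).to_bytes(PUB_LEN, "big")


def dh_shared(x: int, peer_pub: bytes) -> bytes:
    return pow(int.from_bytes(peer_pub, "big"), x, GROUP2_P).to_bytes(PUB_LEN, "big")


def skeyid_psk(psk: bytes, ni: bytes, nr: bytes) -> bytes:
    return prf(psk, ni + nr)                       # SKEYID = prf(PSK, Ni_b | Nr_b)


def derive_keys(skeyid, gxy, cky_i, cky_r):
    d = prf(skeyid, gxy + cky_i + cky_r + b"\x00")           # SKEYID_d (IPsec keys)
    a = prf(skeyid, d + gxy + cky_i + cky_r + b"\x01")       # SKEYID_a (IKE auth)
    e = prf(skeyid, a + gxy + cky_i + cky_r + b"\x02")       # SKEYID_e (IKE encryption)
    return d, a, e


def hash_i(skeyid, gxi, gxr, cky_i, cky_r, sai_b, idii_b):
    return prf(skeyid, gxi + gxr + cky_i + cky_r + sai_b + idii_b)


def hash_r(skeyid, gxi, gxr, cky_i, cky_r, sai_b, idir_b):
    return prf(skeyid, gxr + gxi + cky_r + cky_i + sai_b + idir_b)


def phase1(psk: bytes, id_i: bytes = b"printer.example", id_r: bytes = b"host.example"):
    """Run both ends. Returns (mutual authentication ok, (SKEYID_d, _a, _e),
    values an eavesdropper sees on the wire in Aggressive mode)."""
    xi, gxi = dh_keypair()
    xr, gxr = dh_keypair()
    ni, nr = os.urandom(16), os.urandom(16)
    cky_i, cky_r = os.urandom(8), os.urandom(8)
    sk_i = skeyid_psk(psk, ni, nr)                 # initiator
    gxy_i = dh_shared(xi, gxr)
    h_i = hash_i(sk_i, gxi, gxr, cky_i, cky_r, SAI_B, id_i)
    sk_r = skeyid_psk(psk, ni, nr)                 # responder, same PSK configured
    gxy_r = dh_shared(xr, gxi)
    h_r = hash_r(sk_r, gxi, gxr, cky_i, cky_r, SAI_B, id_r)
    ok = (gxy_i == gxy_r
          and hmac.compare_digest(h_i, hash_i(sk_r, gxi, gxr, cky_i, cky_r, SAI_B, id_i))
          and hmac.compare_digest(h_r, hash_r(sk_i, gxi, gxr, cky_i, cky_r, SAI_B, id_r)))
    wire = dict(gxi=gxi, gxr=gxr, ni=ni, nr=nr, cky_i=cky_i, cky_r=cky_r,
                id_r=id_r, hash_r=h_r)
    return ok, derive_keys(sk_i, gxy_i, cky_i, cky_r), wire


def crack_psk_aggressive(wire: dict, candidates):
    """Aggressive mode: message 1 carries SA, g^xi, Ni and the cookies and message 2
    carries g^xr, Nr, ID_r and HASH_R, all unencrypted, so HASH_R can be recomputed
    for each PSK guess. Main mode sends HASH_I/HASH_R only after the exchange is
    encrypted under SKEYID_e, which blocks this test."""
    for guess in candidates:
        sk = skeyid_psk(guess, wire["ni"], wire["nr"])
        h = hash_r(sk, wire["gxi"], wire["gxr"], wire["cky_i"], wire["cky_r"],
                   SAI_B, wire["id_r"])
        if hmac.compare_digest(h, wire["hash_r"]):
            return guess
    return None
```

DH group 2 is used here because it is the product's initial setting; a 1024-bit MODP group is considered weak today, and the Supported Functions table lists group 14 (2048-bit), which is the one to select when the peer supports it.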

1-6

Specifications

Operating Conditions of IPSec
A device needs to satisfy all of the following conditions to use the IPSec function.
• It is a device supported by IPSec.
• The IPSec security board is installed.*
• The IPSec function is enabled in the Local UI or Remote UI. (It is disabled in the initial setting upon shipment from the factory. See the Users Manual or this manual regarding how to enable the IPSec function.)

* To install the IPSec security board, the PCI Board Expansion Kit, which is available as an option, needs to be installed.

Supported Devices
The devices supported by IPSec are the imageRUNNER C5180/5185/4580 and later multifunction machines, and the LBP3310 and later printers. The optional IPSec Security Board needs to be purchased and installed in any of these devices.

Supported Functions
Among the major functions stipulated by IPsec, those supported by this product are shown below.

Function                                   Support
IPsec of IPv4                              Supported
IPsec of IPv6                              Supported
AH   NULL                                  Supported
     HMAC-SHA-1-96                         Supported
     HMAC-MD5-96                           Supported
     AES-XCBC-MAC-96                       Not supported
ESP  NULL                                  Supported
     DES-CBC                               Not supported
     3DES-CBC                              Supported
     AES-CBC                               Supported
     AES-CTR                               Not supported
     Other                                 Not supported
Manual SA                                  Not supported
IKEv1                                      Supported
IKEv2                                      Not supported
IKEv1 phase 1   Main Mode                  Supported
                Aggressive Mode            Supported
Authentication Method (IKEv1)
     Pre-shared key                        Supported
     Digital signature (RSA)               Supported
     Public key encryption                 Not supported
     Advanced public key encryption        Not supported
DH (IKEv1)
     Group 0 (not in use)                  Not supported
     Group 1                               Supported
     Group 2                               Supported
     Group 5                               Not supported
     Group 14                              Supported
     Group 15                              Not supported
     Group 16                              Not supported
     Group 17                              Not supported
     Group 18                              Not supported
     Other                                 Not supported
Encryption (IKEv1)
     DES-CBC                               Not supported
     3DES-CBC                              Supported
     AES-CBC                               Supported
     AES-CTR                               Not supported
     Other                                 Not supported
Authentication (IKEv1)
     AUTH-HMAC-SHA1-96                     Supported
     AUTH-HMAC-MD5-96                      Supported
     AUTH-HMAC-XCBC-96                     Not supported

Of the supported choices, HMAC-SHA-1-96, AES-CBC and DH group 14 are the ones to select where the peer allows it; MD5, 3DES and the 768/1024-bit DH groups 1 and 2 remain for compatibility and are considered weak by current standards.

Applicable Packets
The packets to which this product applies IPSec processing are those exchanged via the following protocols:
• TCP
• UDP
• ICMP

Specifications for Network Port
The network port used by the IPSec function is shown below:

Protocol   Port No.   Description
UDP        500        Used to send and receive keys when the ISAKMP protocol (IKE) exchanges keys.

Any firewall between the peers must also pass the protected packets themselves, i.e. IP protocol 50 (ESP) or 51 (AH), not only UDP port 500.

1-7

Specifications for Security Policy
The specifications for the security policy are shown below:

Item                                        Value                      Remarks
Policy name                                 1 to 24 characters in ASCII
Number of policies that can be registered   10                         The table area which holds the policies is called the security policy database (SPD).

1-8

Menu Items in IPSec Setting Window
The initial (factory) setting of each item is marked "initial setting".

Use IPSec
  ON        Enables the IPSec function.
  OFF       Disables the IPSec function. (initial setting)
Receive Non-policy Packet
  Allow     Allows a received packet which does not match any policy. (initial setting)
  Reject    Rejects a received packet which does not match any policy.
Policy
  On/Off    Enables or disables the selected policy.
  Regi.     Registers a new policy.
  Edit      Edits an already registered policy. The items that can be edited are the same as those for registration.
  Delete    Deletes an already registered policy.

Selector Settings    Sets the selector, which works as the filter of IPSec.
  Local Address      Filters a packet by the local address in the packet.
    All IP Address           Targets all local IP addresses. (initial setting)
    All IPv4 Addresses       Targets all IPv4 addresses as the local address.
    All IPv6 Addresses       Targets all IPv6 addresses as the local address.
    IPv4 Manual Settings     Targets the specified IPv4 addresses as the local address.
      Single Address         Specifies a single address.
      Range Address          Specifies a range of addresses.
      Subnet Settings        Specifies addresses by subnet.
    IPv6 Manual Settings     Targets the specified IPv6 addresses as the local address.
      Single Address         Specifies a single address.
      Range Address          Specifies a range of addresses.
      Subnet Settings        Specifies addresses by prefix.
  Remote Address     Filters a packet by the remote address in the packet. The choices are the same as for Local Address: All IP Address (initial setting), All IPv4 Addresses, All IPv6 Addresses, IPv4 Manual Settings and IPv6 Manual Settings, each with Single Address, Range Address and Subnet Settings.
  Port               Filters a packet by the port number in the packet.
    Specify by Port Number   Makes the setting by manually specifying a port.
      Local Port             All Port (initial setting) targets all local ports; Single Settings specifies one local port.
      Remote Port            All Port (initial setting) targets all remote ports; Single Settings specifies one remote port.
    Specify by Service Name  Makes the filter setting by specifying a service name.
      Service On/Off         Sets On or Off for each of the 7 services "SMTP Receive", "SMTP Send", "HTTP Client", "HTTP Server", "POP3", "LPD" and "RAW".

IKE Settings    Makes the settings related to IKE (the key exchange protocol) of the security policy.
  IKE Mode      Sets the ISAKMP message exchange mode.
    Main        Main mode. (initial setting)
    Aggressive  Aggressive mode. With the pre-shared key method, Aggressive mode sends the identities and the PSK-derived authentication hash unencrypted, so a captured exchange allows offline guessing of the pre-shared key; keep Main mode unless the peer requires Aggressive mode.
  Authentication Method    Sets the authentication method of IKE.
    Pre-shared Key Method  Uses the pre-shared key method. (initial setting)
      Shared Key           Sets the pre-shared key of IKE.
    Digital Signature Method   Uses the digital signature method.
      Key and Certificate  Makes the settings related to the digital signature.
        Key Settings       Sets the key used for the digital signature.
        Certificate Details   Shows the information about the registered certificate.
  Authentication/Encryption Algorithm   Sets the authentication and encryption algorithms of IKE.
    Auto               Sets the algorithms automatically. (initial setting)
    Manual Settings    Sets the algorithms manually.
      Regi.            Registers a set of algorithms.
        Authentication   SHA 1 (initial setting) / MD 5
        Encryption       3DES-CBC (initial setting) / AES-CBC
        DH Group         Group1 (768) / Group2 (1024) (initial setting) / Group3 (2048)
                         (DH group 1 is the 768-bit MODP group. The 2048-bit MODP group is DH group 14 in the Supported Functions table; "Group3" is the label shown on this page.)
      Edit             Edits an already registered set of algorithms.
      Delete           Deletes an already registered set of algorithms.

IPSec Setting    Sets how a packet that matches the selector is processed.
  Validity       Sets the lifetime after which the IPsec/IKE SA is renewed.
    Time         Lifetime by time. (initial setting: 480)
    Size         Lifetime by the amount of data transferred. (Not available)
  Connection Mode   Sets the mode in which IPsec is applied.
    Transport    Transport mode. (initial setting)
    IPv4 Tunnel  Not supported.
    IPv6 Tunnel  Not supported.
  PFS            Sets Perfect Forward Secrecy (PFS) of IPsec On or Off.
    ON           PFS on: a fresh DH exchange is run for each IPsec SA.
    OFF          PFS off. (initial setting) The IPsec SA keys are then derived from the phase 1 secret only, so compromise of the IKE SA exposes the IPsec SAs created under it; enable PFS where the peer supports it.
  Auth./Encryption Algorithm   Sets the authentication and encryption algorithms of IPsec.
    Auto             Sets the algorithms automatically.
    Manual Settings  Sets the algorithms manually.
      Regi.          Registers the algorithms.
        ESP          Uses ESP. (initial setting)
        AH           Uses AH.

1-10

Other Specifications

Retry intervals
In the IKE negotiation, when no response is returned from the connection end, a retry is made. The first retry interval can be set in the Service Mode. Each subsequent retry is made at an interval twice as long as the previous one, up to a maximum interval of 10 sec; once that maximum is reached, retries continue every 10 sec.

Example: setting values of the first retry interval and the resulting retry timing (figure reproduced as a table; each interval is measured from the previous attempt)
First retry interval 1 sec: intervals 1, 2, 4, 8, 10, 10, 10 ... sec (retries at 1, 3, 7, 15, 25, 35 ... sec after the first attempt)
First retry interval 3 sec: intervals 3, 6, 10, 10 ... sec (retries at 3, 9, 19, 29 ... sec)
First retry interval 7 sec: intervals 7, 10, 10 ... sec (retries at 7, 17, 27 ... sec)

1-11

Restrictions

Notification of Deletion of SAD
When an IPsec Security Association (SA) is established between an external device and this device, the SA is held in the Security Association Database (SAD) on both ends. If any of the following operations is performed in this state, the other end has to be notified that the SA is deleted:
• One of the devices is shut down (the power is turned off).
• The policy in question is disabled.
• The policy in question is deleted.
• The IPsec function is turned off (disabled).

This device, however, does not send the deletion notification (the ISAKMP Delete payload). If any of the above operations is performed, the stale SA must be deleted manually from the SAD of the other end; until then the other end keeps using the old SA, and that traffic is not accepted by this device.

Conflict with Sleep Function
When the sleep function of the device is enabled and "Use IPSec" in the IPsec settings is set to "On" (enabled), the device does not enter sleep mode (S3 mode). When the IPsec setting is "Off" (disabled), it enters sleep mode.

Link-Local Address
• When a selector includes link-local addresses, IPsec is not applied to packets addressed to link-local addresses and those packets are discarded. For instance, when "IPv6 Address" is selected in the local selector settings, packets addressed to link-local addresses are discarded. Among manually specified addresses, those with the prefix fe80 are treated as link-local.
• In the iRA C5030/iRA C9075 series and later models, however, IPsec can be applied to IPv6 link-local addresses. For these models note the following:
• Link-local addresses and global addresses cannot be specified in the same policy. All IPv6 addresses other than link-local ones are treated as global, so fe80::xxxx cannot be combined with ::/0, 1111::xxxx, etc.
• If the local address is a link-local address, the remote address must also be a link-local address.
• When "IPv6 Address" is selected in Local Address and "All IPv6 Address" in Remote Address, IPsec is also applied to link-local addresses.

Certificate Method
When the certificate (digital signature) method is selected for IKE, the key pair registered on this device must be certified by the same root certificate authority that issued the certificate of the other end of the IPsec communication. A key pair with a self-signed certificate therefore has a different root, and the negotiation fails.

Because the certificate validity period is checked, the clock of each device must be set beforehand, for example via SNTP; a device whose clock is wrong rejects a valid certificate as not yet valid or expired.

1-12

Restrictions when Registering Multiple PoliciesWhen the Mode Settings of IEKv1 is Main Mode, and multiple policies are registered with the Pre-shared Key Method, there are the following restrictions due to the specification limits of the IEKv1 protocol.

1) The same pre-shared key must be applied to all policies in which a single address is not specified as the remote address.

2) Policies in which a single address is not specified as the remote address must have lower priority than those in which a single address is specified.

The tables below show the registration patterns.

Pattern 1: Combination in which no restrictions occur

Priority  Policy name  Local address     Local port  Remote address    Remote port  Pre-shared key
1         aaa          All IPv4 Address  All Port    172.24.111.111    All Port     hoge
2         bbb          All IPv4 Address  All Port    172.24.222.222    All Port     hoge2
3         ccc          All IPv4 Address  9100        All IPv4 Address  All Port     hoge3
4         ddd          All IPv6 Address  9100        All IPv6 Address  All Port     hoge3

Pattern 2: Combination which violates restriction 1) above (the items marked with * are violations)

Priority  Policy name  Local address     Local port  Remote address    Remote port  Pre-shared key
1         aaa          All IPv4 Address  All Port    172.24.111.111    All Port     hoge
2         bbb          All IPv4 Address  All Port    172.24.222.222    All Port     hoge2
3         ccc          All IPv4 Address  9100        All IPv4 Address  All Port     hoge3
4         ddd          All IPv6 Address  9100        All IPv6 Address  All Port     hoge4 *

Although the policies "ccc" and "ddd" do not specify a single address as the remote address, different pre-shared keys are set for them.

Pattern 3: Combination which violates restriction 2) above (the items marked with * are violations)

Priority  Policy name  Local address     Local port  Remote address    Remote port  Pre-shared key
1         aaa          All IPv4 Address  All Port    172.24.111.111    All Port     hoge
2 *       bbb          All IPv4 Address  9100        All IPv4 Address  All Port     hoge2
3 *       ccc          All IPv6 Address  9100        All IPv6 Address  All Port     hoge2
4         ddd          All IPv4 Address  All Port    172.24.222.222    All Port     hoge3

Although the policies "bbb" and "ccc" do not specify a single address as the remote address, their priority is higher than that of "ddd".

Pattern 4: Combination which violates restriction 2) above (the items marked with * are violations)

Priority  Policy name  Local address     Local port  Remote address          Remote port  Pre-shared key
1 *       aaa          All IPv4 Address  All Port    172.24.1.1/255.255.0.0  All Port     hoge
2         bbb          All IPv4 Address  9100        172.24.111.111          All Port     hoge2

Although the policy "aaa" does not specify a single address as the remote address (it specifies an address range), its priority is higher than that of "bbb", which specifies a single address.

The imageRUNNER 3225/3235/3245 JE version internally performs the following processing so that the restricted patterns above cannot be registered.

Processing 1) Insert a policy at an appropriate priority when registering or editing it.
Processing 2) When a policy is registered, if a single address is not specified as the remote address and the specified pre-shared key differs from the one specified for the group, the policy cannot be registered. (imageRUNNER 3225/3235/3245 FIGS and later models)
Processing 3) When a policy is registered, if a single address is not specified as the remote address and the specified pre-shared key differs from the one specified for the group, the pre-shared key of the latest policy is applied to all the pre-shared keys. (imageRUNNER 3225/3235/3245 JE)
Processing 4) When the policy priority order is changed, a change of order that does not meet the restricted specifications cannot be made.

Internal processing when restricted patterns occur
The detailed operations of the internal processing described above (Processing 1 to 4) are explained below.

Automatic insertion of policy (Processing 1)
When a policy is newly registered or edited, the Remote Address setting is checked and the policy is inserted at an appropriate priority.

For instance, when a new policy (policy name "eee" in the tables below) is registered on a device on which several policies are already registered, it is normally added at the bottom. However, if adding it at the bottom would violate the restrictions because of its remote address setting, it is registered at an appropriate priority instead.


List of existing policies

Priority  Policy name  Local address     Local port  Remote address    Remote port  Pre-shared key
1         aaa          All IPv4 Address  All Port    172.24.111.111    All Port     hoge
2         bbb          All IPv4 Address  All Port    172.24.222.222    All Port     hoge2
3         ccc          All IPv6 Address  9100        All IPv4 Address  All Port     hoge3
4         ddd          All IPv4 Address  9100        All IPv6 Address  All Port     hoge3

List of policies after registration

Priority  Policy name  Local address     Local port  Remote address    Remote port  Pre-shared key
1         aaa          All IPv4 Address  All Port    172.24.111.111    All Port     hoge
2         bbb          All IPv4 Address  All Port    172.24.222.222    All Port     hoge2
3         eee          All IPv4 Address  All Port    172.24.133.133    All Port     hoge4
4         ccc          All IPv4 Address  9100        All IPv4 Address  All Port     hoge3
5         ddd          All IPv6 Address  9100        All IPv6 Address  All Port     hoge3

Prohibition of Registration (Processing 2)
When a policy is registered, if a single address is not specified in Remote Address and the specified pre-shared key differs from the one specified for the group, the policy cannot be registered. (imageRUNNER 3225/3235/3245 FIGS or later)

When registering a new policy or editing an existing policy, if any option other than "Single Address" is selected in Remote Address, the policy cannot be registered if the specified pre-shared key differs from the one already registered for the group.

For example, when you register a new policy with the name "eee" and the pre-shared key "hoge4" on a device with the policies below registered, the policy violates the restrictions and the registration fails.

List of existing policies

Priority  Policy name  Local address     Local port  Remote address    Remote port  Pre-shared key
1         aaa          All IPv4 Address  All Port    172.24.111.111    All Port     hoge
2         bbb          All IPv4 Address  All Port    172.24.222.222    All Port     hoge2
3         ccc          All IPv4 Address  9100        All IPv4 Address  All Port     hoge3
4         ddd          All IPv6 Address  9100        All IPv6 Address  All Port     hoge3

Policy that you attempt to newly register

Policy name  Local address     Local port  Remote address    Remote port  Pre-shared key
eee          All IPv6 Address  80          172.24.133.133    All Port     hoge4

When you attempt to register the above policy, the following message appears: "Check the settings. When Pre-shared Key Method for AUTH Method is set to other than a single address, the shared key characters must be the same when registering multiple policies."

Unification of pre-shared key (Processing 3)
When a policy is registered, if a single address is not specified as the remote address and the specified pre-shared key differs from the one specified for the group, the pre-shared key of the latest policy is applied to all the pre-shared keys. (imageRUNNER 3225/3235/3245 JE)

When a new policy is registered or an existing policy is edited, if any option other than "Single Address" is specified in Remote Address, a message appears asking whether or not to use the same pre-shared key for all the registered policies. If you agree, the pre-shared key of the last registered policy is applied to the pre-shared keys of all policies whose remote address is specified as a group. For example, when you register a new policy with the name "eee" and the pre-shared key "hoge4" on a device with the policies below registered, the pre-shared keys of all policies whose remote address is not a single address are unified.

List of existing policies

Priority  Policy name  Local address     Local port  Remote address    Remote port  Pre-shared key
1         aaa          All IPv4 Address  All Port    172.24.111.111    All Port     hoge
2         bbb          All IPv4 Address  All Port    172.24.222.222    All Port     hoge2
3         ccc          All IPv4 Address  9100        All IPv4 Address  All Port     hoge3
4         ddd          All IPv6 Address  9100        All IPv6 Address  All Port     hoge3

List of policies after registration

Priority  Policy name  Local address     Local port  Remote address    Remote port  Pre-shared key
1         aaa          All IPv4 Address  All Port    172.24.111.111    All Port     hoge
2         bbb          All IPv4 Address  All Port    172.24.222.222    All Port     hoge2
3         ccc          All IPv4 Address  9100        All IPv4 Address  All Port     hoge4
4         ddd          All IPv6 Address  9100        All IPv6 Address  All Port     hoge4
5         eee          All IPv6 Address  80          All IPv6 Address  All Port     hoge4


Prohibition of change of the policy order (Processing 4)
When you change the priority order of policies, a change of order that violates the restricted specifications is prohibited.

For instance, when the policies in the table below are already registered, if you attempt to move the policy "bbb" to a lower position using "Lower Priority", it violates the restrictions and the attempt fails.

Priority  Policy name  Local address     Local port  Remote address    Remote port  Pre-shared key
1         aaa          All IPv4 Address  All Port    172.24.111.111    All Port     hoge
2         bbb          All IPv4 Address  All Port    172.24.222.222    All Port     hoge2
3         ccc          All IPv4 Address  9100        All IPv4 Address  All Port     hoge3
4         ddd          All IPv6 Address  9100        All IPv6 Address  All Port     hoge3

On imageRUNNER 3225/3235/3245 FIGS and later devices, if you attempt to change the order of policies against the restrictions, the following message appears: "When Pre-shared Key Method is set for AUTH Method, a policy with a single remote address cannot have a lower priority than other policies."
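The two restrictions and Processing 1 to 4 can be modelled as checks on the ordered policy list. The following is an added example, not Canon firmware code; the Policy fields mirror the table columns, the rows are the manual's Pattern 1 and Pattern 4, and the "group" test treats anything that is not one host address (the "All ... Address" options and address/mask ranges) as a non-single remote address.

```python
"""Model of the IKEv1 main-mode pre-shared-key restrictions and of
Processing 1 to 4.  Added illustration, not Canon firmware code; the sample
policies are the manual's Pattern 1 and Pattern 4 rows."""
import ipaddress
from dataclasses import dataclass, replace
from typing import List, Optional

@dataclass(frozen=True)
class Policy:
    name: str
    local_addr: str
    local_port: str
    remote_addr: str
    remote_port: str
    psk: str

def is_single_address(addr: str) -> bool:
    """True for exactly one host address.  "All IPv4 Address" and
    address/mask ranges such as 172.24.1.1/255.255.0.0 are group settings."""
    try:
        ipaddress.ip_address(addr)
        return True
    except ValueError:
        return False

def group_psk(policies: List[Policy]) -> Optional[str]:
    """Pre-shared key already used by the group (non-single) policies."""
    for p in policies:
        if not is_single_address(p.remote_addr):
            return p.psk
    return None

def check_restrictions(policies: List[Policy]) -> List[str]:
    """Return the restriction 1) and 2) violations found in the priority list."""
    violations = []
    group = [p for p in policies if not is_single_address(p.remote_addr)]
    # Restriction 1: all group policies must share one pre-shared key.
    if len({p.psk for p in group}) > 1:
        names = ", ".join(p.name for p in group)
        violations.append(f"restriction 1: {names} use different pre-shared keys")
    # Restriction 2: no group policy may sit above a single-address policy.
    below_group = False
    for p in policies:
        if not is_single_address(p.remote_addr):
            below_group = True
        elif below_group:
            violations.append(f"restriction 2: single-address policy {p.name} is below a group policy")
    return violations

def insert_at_priority(policies: List[Policy], new: Policy) -> List[Policy]:
    """Processing 1: a single-address policy goes just above the first group
    policy; a group policy goes to the bottom."""
    if is_single_address(new.remote_addr):
        for i, p in enumerate(policies):
            if not is_single_address(p.remote_addr):
                return policies[:i] + [new] + policies[i:]
    return policies + [new]

class RegistrationError(ValueError):
    """Raised where the device shows a "Check the settings" message."""

def register(policies: List[Policy], new: Policy, unify_keys: bool = False) -> List[Policy]:
    """Processing 2 (unify_keys=False, FIGS and later: refuse) or
    Processing 3 (unify_keys=True, JE: apply the new key to the whole group)."""
    if not is_single_address(new.remote_addr):
        current = group_psk(policies)
        if current is not None and current != new.psk:
            if not unify_keys:
                raise RegistrationError("pre-shared key differs from the group's key")
            policies = [replace(p, psk=new.psk) if not is_single_address(p.remote_addr) else p
                        for p in policies]
    return insert_at_priority(policies, new)

def lower_priority(policies: List[Policy], name: str) -> List[Policy]:
    """Processing 4: swap the policy with the next one, refusing the move
    when the result would break restriction 2."""
    i = [p.name for p in policies].index(name)
    if i == len(policies) - 1:
        return policies
    swapped = policies[:i] + [policies[i + 1], policies[i]] + policies[i + 2:]
    if any(v.startswith("restriction 2") for v in check_restrictions(swapped)):
        raise RegistrationError("a policy with a single remote address cannot have "
                                "a lower priority than other policies")
    return swapped

# Sample data from the manual: Pattern 1 (valid) and Pattern 4 (violates restriction 2).
PATTERN_1 = [
    Policy("aaa", "All IPv4 Address", "All Port", "172.24.111.111", "All Port", "hoge"),
    Policy("bbb", "All IPv4 Address", "All Port", "172.24.222.222", "All Port", "hoge2"),
    Policy("ccc", "All IPv4 Address", "9100", "All IPv4 Address", "All Port", "hoge3"),
    Policy("ddd", "All IPv6 Address", "9100", "All IPv6 Address", "All Port", "hoge3"),
]
PATTERN_4 = [
    Policy("aaa", "All IPv4 Address", "All Port", "172.24.1.1/255.255.0.0", "All Port", "hoge"),
    Policy("bbb", "All IPv4 Address", "9100", "172.24.111.111", "All Port", "hoge2"),
]
```

Registering the single-address policy "eee" with register(PATTERN_1, ...) places it at priority 3 as in the Processing 1 tables, and register(PATTERN_1, eee_group, unify_keys=True) reproduces the Processing 3 result where ccc, ddd and eee all carry hoge4.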


2 Settings
  Settings Window
  Registration/Edit Window
  Selector Settings Window
  IKE Settings
  IPSec Network Settings


Settings Window
The IPSec settings are made in the system control window on the operation panel of the device.

Path to IPSec Settings window
The path to the IPSec Settings window is shown below:
User Mode (Top) > Preference > Network > TCP/IP Settings > IPSec Settings

IPSec Settings window
In the IPSec Settings window, you can set whether or not to use IPSec, the policies to which IPSec is applied, their priority, etc.

[Use IPSec]
This item sets whether or not to use the IPSec function. The default setting is "Off".

[Receive Non-policy Packets]
This item sets whether to allow or reject a packet that does not match any of the registered policies. The default setting is "Allow".


[Policy List]
With this product, up to 10 policies can be registered on a device. The table area that controls the policies on a device is called the Security Policy Database (SPD).

The policy list shows the registered policies. The specifications for the policy list are given below:

• Up to 10 policies can be registered and displayed.
• Even when no policy is registered, the priority numbers from 1 to 10 are displayed.
• When a policy is registered, it is added at the bottom of the list.
• When a packet is received, whether or not to apply the policies is determined in ascending order of priority.
• When a registered policy is deleted, the policies of lower priority are moved up.
• To set a policy On/Off, select the policy and press "Policy On/Off".
• Although up to 24 ASCII characters can be set as a policy name, the whole name might not be displayed in the list.
• To set the priority order of policies, select a policy and press "Raise Priority" or "Lower Priority".

[Policy On/Off]
This item sets the status of the policy selected in the list to "On" or "Off".

[Regi.]
Press this item to create and register a new policy. For information on the policy registration window, see "Registration/Edit Window".

[Edit]
Press this item to edit the policy selected in the list. For information on the policy registration window, see "Registration/Edit Window".


[Delete]
Press this item to delete the policy selected in the list. For information on the policy registration window, see "Registration/Edit Window".

[Print List]
This item prints out the settings of the registered policies.

Print sample

*********************************  IPSec Policy List  *********************************

Priority:1 ON
  Policy Name                  Policy-1
  Selector Settings
    Local Address              All IPv4 Addresses
    Remote Address             All IP Addresses
    Port
      Local Port               All Port
      Remote Port              All Port
  IKE Settings
    IKE Mode                   Main
    Authentication Method      Digital sig. Method
    Auth./Encryption Algorithm Auto
  IPSec Network Settings
    Validity                   Time ON 480 min
                               Size ON 10 MB
    PFS                        OFF
    Auth./Encryption Algorithm Auto
    Connect. Mode              Transport

Priority:2 ON
  Policy Name                  Policy-2
  Selector Settings
    Local Address              All IP addresses

2009 03/16 MON 11:46 iR-ADV C5051 001 .


Registration/Edit Window
In the registration/edit window, the policies used by IPSec are registered or edited.

Path to Registration/Edit Window
The path to the registration/edit window is shown below:
User Mode (Top) > Preference > Network > TCP/IP Settings > IPSec Settings > Regi. or > Edit ("Edit" must be pressed while a policy is selected.)

Policy Name
This item is used to set a policy name.

Selector Settings
This item is used to set a selector. When you press "Selector", the Selector Settings window appears. For more details, see Selector Settings Window.


IKE Settings
In this window, the ISAKMP message exchange protocol (IKE mode) and the authentication method are set. For more details, see IKE Settings.

IPSec Settings
In this window, the IPSec communication settings are made. For more details, see IPSec Network Settings.


Selector Settings Window
In the Selector Settings window, the conditions that determine the processing applied to a packet are set. The conditions are the start-point IP address, end-point IP address, protocol, destination port, etc. A communication packet that satisfies these conditions is selected.

Path to Selector Settings Window
The path to the selector edit window is shown below:

User Mode (Top) > Preference > Network > TCP/IP Settings > IPSec Settings > Regi. or > Edit > Selector Settings

Local Address Settings/Remote Address Settings
These items set whether or not to target the start-point address and end-point address of communication packets.

All IP Address
Select this option when you target all local addresses.

All IPv4 Addresses
Select this option when you target packets that have a local IPv4 address as the start-point address or end-point address.

All IPv6 Addresses
Select this option when you target packets that have a local IPv6 address as the start-point address or end-point address.

IPv4 Manual Settings
Select this option when you specify a specific IPv4 address or a range of IPv4 addresses. When you press this option, the setting window opens.

IPv6 Manual Settings
Select this option when you specify a specific IPv6 address or a range of IPv6 addresses. When you press this option, the setting window opens.


Port Settings
This item sets whether or not to apply IPSec to packets that include a specific port (or service).

Specify by Port Number
Select this option when you specify a specific port number. When you press this item, the setting window opens. In Local Port or Remote Port, select "All Ports" or "Specify Port". When you specify a port (Specify Port), enter the port number.

Specify by Service Name
Select this option when you specify packets not by port number but by service name. When you press this item, the setting window opens. Set On or Off for the seven services "SMTP Receive", "SMTP Send", "HTTP Client", "HTTP Server", "POP3", "LPD", and "RAW".


IKE Settings
This item is used to make the settings related to the key exchange protocol.

Path to IKE Settings Window
The path to the IKE edit window is shown below:
User Mode (Top) > Preference > Network > TCP/IP Settings > IPSec Settings > Regi. or > Edit > IKE Settings

Mode
This item specifies the mode used to exchange ISAKMP messages when the IKE SA is created in IKE Phase 1. The available modes are main mode and aggressive mode.

The differences between the main mode and aggressive mode in the IKE Phase 1 are shown in the table below.

Mode             Description
Main mode        Phase 1 is finished after three sets of transmission and reception of ISAKMP messages.
                 1st and 2nd messages: negotiation of ISAKMP SA parameters
                 3rd and 4th messages: exchange of parameters for key calculation and execution of the key calculation
                 5th and 6th messages: authentication of the IPSec communication end (device)
Aggressive mode  The encryption process upon authentication is omitted, and Phase 1 is finished after one and a half sets of transmission and reception of ISAKMP messages. While this mode can finish Phase 1 faster than main mode, restrictions occur on the negotiation of the SA. On the other hand, it eases the restrictions of main mode.

Figure: IKE Phase 1 (main mode) message sequence
1. Proposal and selection of conditions: proposes several conditions including the algorithm, the lifetime of the key, etc.
2. Determination of the condition of the SA: selects one of the conditions.
3. Exchange of key by DH: creates and sends a numeric value that is used as a key element.
4. Creation of key: creates and sends the numeric value that is used as a key element.
5. Authentication between devices: sends the ID, passphrase, etc.
6. Verification that the other end is legitimate: sends the ID, passphrase, etc.
After Phase 1, the ISAKMP SA is generated, and the subsequent exchange by IKE is encrypted.


Authentication Method
The IPSec function supports two authentication methods for IKE Phase 1: one is pre-shared key authentication, and the other is digital signature authentication.

Pre-shared Key Method
Select this option to authenticate using a pre-shared key. Enter the key to be shared in the Shared Key input field.

Digital Sig. Method
Select this option to authenticate using a digital signature instead of a pre-shared key.

Auth./Encryption Algorithm
This item sets the authentication and encryption algorithms.

Manual Settings of authentication and encryption algorithms
This option manually sets the authentication and encryption algorithms of IKE.

Select one or more authentication algorithms from SHA1 and MD5. You can select both. Select one or more encryption algorithms from 3DES-CBC and AES-CBC. You can select both.

Select one DH group from Group1 (762), Group2 (1024), and Group3 (2048).

Auto Settings of authentication and encryption algorithms
When you select Auto for the IKE authentication and encryption algorithms, the IKE SA is negotiated using the algorithm patterns in the priority order given below.

Priority  Authentication  Encryption  DH
1         SHA1            AES(128)    2
2         MD5             AES(128)    2
3         SHA1            AES(192)    2
4         MD5             AES(192)    2
5         SHA1            AES(256)    2
6         MD5             AES(256)    2
7         SHA1            3DES        2
8         MD5             3DES        2


IPSec Network Settings
This item is used to make the settings related to the IPSec network.

Validity
This item sets the update validity (lifetime) of the Security Association (SA) of IPsec/IKE. The validity specified here applies both to the update period of the IPsec SA and to that of the IKE SA. The validity is specified in minutes or in MB. The settable range is 1 to 65535 minutes or 1 to 65535 MB. In the initial setting, Time is set to 480 minutes (8 hours) and Size is not specified. You cannot specify "0" for Time or Size.

In Validity, either Size or Time must be specified. When both are specified, the SA is invalidated by whichever limit is reached first. Within the validity period, IPsec communication can exchange ESP packets without renegotiating the key exchange. Negotiation of the validity depends on the setting of the host at the other end. For instance, if a validity shorter than the one set on a host is proposed during IKE Phase 1, that host may reject the negotiation.

Figure: Validity negotiation in IKE Phase 1 between Host computer A (Initiator) and Host computer B (Responder)
Host A -> Host B: proposes the condition (a validity setting shorter than the validity set in host B is proposed as the condition).
Host B -> Host A: rejects the condition (since the condition proposed by host A is shorter than the validity set in host B, host B rejects the negotiation).

In communication between devices that support this product, the validity of the initiator* is used.
* The node that performs IKE communication is called the IKE peer; the side that issues an IKE request is called the initiator, and the side that receives the request is called the responder.

PFS
If a shared key is leaked to a malicious third party, there is a risk that they could derive the keys generated from it. Enabling Perfect Forward Secrecy (PFS) prevents third parties from deriving the keys to be generated even if they obtain the shared secret key. Although the load of key exchange increases when PFS is enabled, confidentiality is enhanced. The initial setting of PFS is "Off". The same PFS setting must be set on the hosts between which negotiation takes place; therefore, when PFS is set to On, it must also be set to On at the other end.


Authentication/Encryption Algorithm
This item sets the authentication and encryption algorithms in the IPSec network. You can select Auto Settings or Manual Settings.

Manual Settings of Authentication/Encryption Algorithm
This option is used to set the authentication and encryption algorithms manually.

First, select either ESP, which performs authentication and encryption of packets, or AH, which performs only authentication of packets.

1) When ESP is selected
The ESP authentication algorithm and the ESP encryption algorithm are set.

Select the authentication algorithm from MD5, SHA1, and NULL. You can select both MD5 and SHA1 at the same time. In the initial setting, SHA1 is selected. Select the encryption algorithm from 3DES-CBC, AES-CBC, and NULL. You can select both 3DES-CBC and AES-CBC at the same time. In the initial setting, 3DES-CBC is selected. You cannot set NULL for both ESP authentication and ESP encryption.

2) When AH is selected
Select one or more AH authentication algorithms from SHA1 and MD5. If you select neither, the OK button is disabled (grayed out) and you cannot finish the setting.


Auto Settings of authentication and encryption algorithms
When you select Auto for the IPSec network authentication and encryption algorithms, the IPSec SA is negotiated using the algorithm patterns in the priority order given below. When waiting as the responder, the device also accepts proposals in the same priority order.

Priority  AH    ESP authentication  ESP encryption
1         NULL  SHA1                AES (128)
2         NULL  MD5                 AES (128)
3         NULL  SHA1                AES (192)
4         NULL  MD5                 AES (192)
5         NULL  SHA1                AES (256)
6         NULL  MD5                 AES (256)
7         NULL  SHA1                3DES
8         NULL  MD5                 3DES

Connection Mode
This item displays the IPSec connection mode. This function supports transport mode only, so "Transport" is displayed.
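How the Auto priority tables for the IKE SA and the IPSec SA, the validity rule (a proposal shorter than the responder's setting may be rejected) and the PFS rule (both ends must match) combine can be seen in the following added example. It is an illustration, not Canon's negotiation code: the Responder values are constructed, and the manual-setting checks encode the rules given for ESP (NULL not allowed for both) and AH (at least one algorithm).

```python
"""Proposal selection under the Auto setting for IKE Phase 1 and the IPSec
SA, with the validity and PFS rules from IPSec Network Settings.  Added
illustration, not Canon's code; the responder's accepted sets are constructed."""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

@dataclass(frozen=True)
class IkeProposal:
    auth: str
    enc: str
    dh_group: int  # every Auto pattern in the IKE table uses DH Group2

@dataclass(frozen=True)
class IpsecProposal:
    ah: Optional[str]  # None stands for NULL in the IPSec table
    esp_auth: str
    esp_enc: str

# Auto priority for the IKE SA (Phase 1), in the order the device proposes.
IKE_AUTO: List[IkeProposal] = [
    IkeProposal(a, e, 2)
    for e in ("AES(128)", "AES(192)", "AES(256)", "3DES")
    for a in ("SHA1", "MD5")
]
# Auto priority for the IPSec SA (Phase 2): AH is NULL throughout.
IPSEC_AUTO: List[IpsecProposal] = [
    IpsecProposal(None, a, e)
    for e in ("AES (128)", "AES (192)", "AES (256)", "3DES")
    for a in ("SHA1", "MD5")
]

@dataclass
class Responder:
    """What the peer host accepts (constructed example values)."""
    ike_auth: Set[str]
    ike_enc: Set[str]
    dh_groups: Set[int]
    esp_auth: Set[str]
    esp_enc: Set[str]
    validity_min: int  # the peer's own validity (lifetime) setting
    pfs: bool

def negotiate_phase1(validity_min: int, peer: Responder) -> Tuple[Optional[IkeProposal], str]:
    """Walk the IKE Auto table from priority 1 and return the first pattern
    the responder accepts, after the validity check."""
    # A validity shorter than the one set on the responder may be rejected.
    if validity_min < peer.validity_min:
        return None, "validity shorter than the responder's setting"
    for p in IKE_AUTO:
        if p.auth in peer.ike_auth and p.enc in peer.ike_enc and p.dh_group in peer.dh_groups:
            return p, "ok"
    return None, "no common IKE algorithm pattern"

def negotiate_phase2(pfs: bool, peer: Responder) -> Tuple[Optional[IpsecProposal], str]:
    """Same walk over the IPSec Auto table; PFS must match on both ends."""
    if pfs != peer.pfs:
        return None, "PFS setting mismatch"
    for p in IPSEC_AUTO:
        if p.esp_auth in peer.esp_auth and p.esp_enc in peer.esp_enc:
            return p, "ok"
    return None, "no common ESP algorithm pattern"

def validate_manual_esp(auth: Set[str], enc: Set[str]) -> bool:
    """Manual ESP setting: NULL may be chosen for authentication or for
    encryption, but not for both (assumed to mean both sets are only NULL)."""
    return bool(auth) and bool(enc) and not (auth == {"NULL"} and enc == {"NULL"})

def validate_manual_ah(auth: Set[str]) -> bool:
    """Manual AH setting: at least one of SHA1/MD5 must be selected."""
    return bool(auth & {"SHA1", "MD5"})
```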


3 Installation
  Installation/Settings Procedure
  IPSec settings and operation check


Installation/Settings Procedure

Flow of installation settings for basic IPSec
The flow of basic IPSec settings is as follows.

Review of security policy
To install IPSec on the network, review and decide which packets IPSec is to be applied to.

1) Decide between which hosts IPSec processing is applied to the communication.
2) Decide which protocol and which port IPSec processing is applied to.
3) Decide how to handle packets other than the foregoing.
4) Decide whether to perform packet authentication only, or authentication and encryption.
5) Decide which authentication method and encryption algorithm to use.
etc.
In principle, the user reviews the security policy for the network at the user site.

Security policy settings
According to the security policy reviewed above, make the IPSec settings on the device and on the host that will be the device's IPSec communication partner.

Operation check
Establish communication and check whether the specified IPSec function operates properly.

Points to note at installation
When specifying IPSec settings, note that the IPSec peers negotiate with each other to decide how to establish the IPSec communication, such as the port number. Thus, a matching selector setting should be specified on each host.

Take IPSec communication between a Windows PC and this device for instance: if the remote UI (local port 80, remote port all ports) is specified on this device, then on the Windows side the "TCP" protocol must be selected, "From any port" must be specified as the source port, and port "80" must be specified as the destination port; otherwise, negotiation will fail. (This means negotiation fails even if "From any port" is specified for the source port but "all ports" etc. is specified for the destination port.)


IPSec settings and operation check
Make the IPSec settings on the PC that will be the communication partner of the device with IPSec specified. The installation procedure for a simple configuration is outlined here.

Example of configuration
IPSec settings are specified for one PC and one iR device, and the operation is checked.

Figure: the PC sends the print document to the iR device as encrypted data, and the device prints it.

Setting procedure on device side
The procedure for the device IPSec settings is as follows.
1. Create a security policy with the following contents.
1) Enable IPSec and register the policy.
   Use IPSec: ON
   Receive Non-policy Packets: Allow

2) Register the Policy Name.

3) Selector Settings
   Local Address: All IP addresses
   Remote Address: All IP addresses
   Port > Specify by Port Number: All Ports


4) IKE Settings
   IKE Mode: Main
   Authentication Method: Pre-shared Key Method
   Shared Key: canon (any)
   Auth./Encryption Algorithm: Auto

5) IPSec Network Settings
   Validity: 480 mins (default) / 0 MB (default)
   PFS: OFF
   Auth./Encryption Algorithm: Auto
   Connect. Mode: Transport (fixed)

2. Enable the security policy (Policy-1) created in step 1.

Setting procedure on PC side
The PC settings (Windows Server 2003) are as follows.
1. Console registration
1) Select [Run...] from the Start menu, enter mmc in [Open], and click the [OK] button.


2) When the console is displayed, select [Add/Remove Snap-in...] from the File menu.

3) Click [Add...] button.

4) Select [IP Security Policy Management] and click [Add] button.

5) Select [Local Computer] and click [Finish] button.


6) Click [Close] button.

7) Make sure that "IP Security Policy on Local Computer" is displayed and click [OK] button.

2. Registration of IP Security Policy
1) Right-click [IP Security Policy on Local Computer] in the console and select [Create IP Security Policy…].

2) When IP Security Policy Wizard is started, click [Next] button.


3) Enter the IP Security Policy name and click [Next] button.

4) Untick [Activate the default response rule..] and click [Next] button.

5) When a wizard is completed, click [Finish] button.

6) When IP Security Policy properties is displayed, click [Add..] button.


7) When Security Rule Wizard is started, click [Next] button.

8) Select [This rule does not specify a tunnel] and click [Next] button.

9) Select [All network connections] and click [Next] button.

10) Select [All IP traffic..] and click [Edit..] button.


11) Enter a name for the filter and click [Edit..] button.

12) Display the [Addresses] tab and select [Any IP Address] for both [Source address] and [Destination address].

13) Display the [Protocol] tab and select [Any] in [Select a protocol type].

14) Display the [Description] tab, enter a comment for identification (arbitrary), and click [OK] button.


15) Click [OK] button.

16) Click [Next] button.

17) Select [Require Security] and click [Next] button.

18) Select [Use this string to protect the key exchange (pre-shared key)], enter the pre-shared key specified on the device side into the entry field, and click [Next] button.

19) Click [Finish] button.

20) Click [OK] button.

21) Click [OK] button.

3. Application of the security policy

1) Right-click the created policy and select [Assign].

MEMO: If the settings of the currently applied policy have been changed, it is necessary to un-assign the policy and assign it again; the changes do not take effect while it stays assigned.

Operation check

1. Send a ping from a PC to the device. If IPSec is enabled, [Negotiating IP Security] is displayed for the first ping while the SA is being established, and replies are received from the second ping onward.

Example of success

If the IPSec key exchange has failed, every result is [Negotiating IP Security] (this includes the case where the receiver does not support IPSec).

Example of failure

2. Check with network capture software. The operation check method using the free software [Wireshark] is described here.

1) Install Wireshark. The source of the installer and the installation method are omitted.

2) Start Wireshark.

3) Click [Show the Capture Options] button.

4) Select a PC network card on [Interface] and click [Start] button.

5) Establish communication, either by submitting a print job from the PC to the device, or by running a ping command, displaying the device's Remote UI, etc. If ESP is displayed in the [Protocol] column, the traffic is being carried in encrypted ESP packets.
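The check above relies on reading Wireshark's Protocol column by eye. The following script, added here as an example and not part of the Canon manual or any Canon software, performs the same classification on raw IPv4 packets: it reports ESP (protocol 50), AH (protocol 51), IKE (UDP port 500, or 4500 for NAT traversal) or plaintext traffic, and for ESP it extracts the SPI and sequence number, the only ESP fields that are visible in clear. The packet bytes in sample_capture() are constructed for the example; the addresses 192.168.0.10 (PC) and 192.168.0.20 (device) are assumptions.

```python
import struct

# Protocol numbers from the IPv4 "Protocol" field and the UDP ports IKE uses.
IPPROTO_ICMP, IPPROTO_TCP, IPPROTO_UDP = 1, 6, 17
IPPROTO_ESP, IPPROTO_AH = 50, 51
IKE_PORTS = {500, 4500}  # ISAKMP, and UDP 4500 for IPsec NAT traversal


def build_ipv4(proto, src, dst, payload):
    """Constructed test input: a minimal IPv4 header (no options, zero checksum) + payload."""
    def to_bytes(addr):
        return bytes(int(o) for o in addr.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0x4000,
                      64, proto, 0, to_bytes(src), to_bytes(dst))
    return hdr + payload


def classify(packet):
    """Classify one raw IPv4 packet; returns (label, info) like Wireshark's Protocol column."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "non-ipv4", {}
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    info = {"src": ".".join(map(str, packet[12:16])),
            "dst": ".".join(map(str, packet[16:20]))}
    body = packet[ihl:]
    if proto == IPPROTO_ESP:
        if len(body) < 8:
            return "malformed-esp", info
        # SPI and sequence number are the only ESP fields sent in clear;
        # everything after them is the encrypted payload.
        info["spi"], info["seq"] = struct.unpack("!II", body[:8])
        return "ESP", info
    if proto == IPPROTO_AH:
        if len(body) < 12:
            return "malformed-ah", info
        # AH: next header, payload length, reserved, SPI, sequence number, then the ICV.
        info["next_header"] = body[0]
        info["spi"], info["seq"] = struct.unpack("!II", body[4:12])
        return "AH", info
    if proto == IPPROTO_UDP and len(body) >= 8:
        info["sport"], info["dport"] = struct.unpack("!HH", body[:4])
        if info["sport"] in IKE_PORTS or info["dport"] in IKE_PORTS:
            return "IKE", info  # key exchange: expected before the first ESP packet
        return "UDP-plain", info
    if proto == IPPROTO_TCP:
        return "TCP-plain", info
    if proto == IPPROTO_ICMP:
        return "ICMP-plain", info
    return "other-plain", info


def summarize(packets):
    """Count labels and flag ESP sequence numbers that do not increase per (src, dst, SPI)."""
    counts, last_seq, problems = {}, {}, []
    for pkt in packets:
        label, info = classify(pkt)
        counts[label] = counts.get(label, 0) + 1
        if label == "ESP":
            key = (info["src"], info["dst"], info["spi"])
            if key in last_seq and info["seq"] <= last_seq[key]:
                problems.append("non-increasing ESP seq %d for SPI %#x" % (info["seq"], info["spi"]))
            last_seq[key] = info["seq"]
    return counts, problems


def sample_capture():
    """Constructed sample capture: IKE exchange, ESP traffic both ways, then one plaintext ping."""
    pc, dev = "192.168.0.10", "192.168.0.20"  # assumed addresses
    ike = struct.pack("!HHHH", 500, 500, 8 + 28, 0) + bytes(28)  # UDP header + ISAKMP-sized filler

    def esp(seq):
        return struct.pack("!II", 0x1234ABCD, seq) + bytes(32)  # SPI, seq, opaque ciphertext

    return [
        build_ipv4(IPPROTO_UDP, pc, dev, ike),
        build_ipv4(IPPROTO_UDP, dev, pc, ike),
        build_ipv4(IPPROTO_ESP, pc, dev, esp(1)),
        build_ipv4(IPPROTO_ESP, dev, pc, esp(1)),
        build_ipv4(IPPROTO_ESP, pc, dev, esp(2)),
        build_ipv4(IPPROTO_ICMP, pc, dev, bytes(8)),  # plaintext echo: no IPSec policy applied to it
    ]


if __name__ == "__main__":
    counts, problems = summarize(sample_capture())
    print(counts, problems)
```

On a real capture, feed classify() the IPv4 payload of each Ethernet frame. A healthy run looks like the sample: a few IKE packets, then only ESP (or AH) between the PC and the device, with sequence numbers rising per SPI; plaintext ICMP or TCP to the device after the handshake means the policy is not being applied to that traffic.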

4 Maintenance

FAQ
Troubleshooting

FAQ

About the connection mode

Q. Does this product support tunnel mode as a connection mode in which IPSec is applied?

A. No. Tunnel mode is not supported. This product supports transport mode only, which provides peer-to-peer IPSec communication.

About IPSec network settings

Q. What does the validity refer to?

A. It refers to the validity (renewal) period of the IPSec and IKE SAs.

About protocols

Q. In what environment is unencrypted AH used?

A. It is used in environments where encryption cannot be used. In some environments, encryption of data is not permitted; in such a case, AH is used.

Conflict with the IP filter

Q. What happens when a conflict with the settings of the IP filter, which is the device's original function, occurs?

A. IPSec has a setting that discards packets to which IPSec is not applied. The IP filter, which is the device's original function, also discards packets that do not satisfy the filter settings.

Q. When the IPSec settings and IP filter settings overlap, which settings have priority?

A. When both IPSec and the IP filter are set, they are applied in the order IPSec, then IP filter, at reception. At transmission, they are applied in the order IP filter, then IPSec.
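The two FAQ items above fix the order in which the discard setting of IPSec and the IP filter act on a packet. The following model, added here as an example and not Canon's code, encodes only those two statements (reception: IPSec, then IP filter; transmission: IP filter, then IPSec) and lets you trace what happens to a given packet. The policy, the address allow-list that stands in for the IP filter, and the addresses are all constructed for the example; a real device policy has more selectors than an address range.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class Packet:
    src: str
    dst: str
    protected: bool = False  # True once the packet is carried inside ESP/AH


class IpsecPolicy:
    """IPSec part of the model: which peers are covered and whether unprotected packets are discarded."""

    def __init__(self, peers, discard_unprotected):
        self.peers = [ip_network(p) for p in peers]
        # The FAQ's "setting that IPsec discards the packets to which IPsec is not applied".
        self.discard_unprotected = discard_unprotected

    def covers(self, addr):
        return any(ip_address(addr) in n for n in self.peers)

    def inbound(self, pkt):
        if pkt.protected:
            return "pass", "authenticated/decrypted by IPSec"  # assumes a matching SA exists
        if self.discard_unprotected:
            return "drop", "unprotected packet discarded by IPSec"
        return "pass", "plaintext accepted (discard setting off)"

    def outbound(self, pkt):
        if self.covers(pkt.dst):
            pkt.protected = True
            return "pass", "protected with ESP/AH for covered peer"
        return "pass", "sent in clear (no policy for peer)"


class IpFilter:
    """IP filter part of the model: a plain address allow-list (constructed stand-in)."""

    def __init__(self, allowed):
        self.allowed = [ip_network(a) for a in allowed]

    def check(self, addr):
        ok = any(ip_address(addr) in n for n in self.allowed)
        return ("pass" if ok else "drop"), ("address allowed" if ok else "address not in filter")


def receive(pkt, policy, ipfilter):
    """Reception order from the FAQ: IPSec first, then the IP filter. Returns (verdict, trace)."""
    trace = []
    verdict, why = policy.inbound(pkt)
    trace.append(("IPSec", verdict, why))
    if verdict == "drop":
        return "drop", trace  # the IP filter never sees the packet
    verdict, why = ipfilter.check(pkt.src)
    trace.append(("IP filter", verdict, why))
    return verdict, trace


def transmit(pkt, policy, ipfilter):
    """Transmission order from the FAQ: IP filter first, then IPSec. Returns (verdict, trace)."""
    trace = []
    verdict, why = ipfilter.check(pkt.dst)
    trace.append(("IP filter", verdict, why))
    if verdict == "drop":
        return "drop", trace  # IPSec never wraps a packet the filter rejected
    verdict, why = policy.outbound(pkt)
    trace.append(("IPSec", verdict, why))
    return verdict, trace


def demo():
    """Constructed scenario: device at 192.168.0.20, IPSec required for the 192.168.0.0/24 peers."""
    policy = IpsecPolicy(peers=["192.168.0.0/24"], discard_unprotected=True)
    ipfilter = IpFilter(allowed=["192.168.0.0/24"])
    return {
        "rx_plain_allowed_host": receive(Packet("192.168.0.10", "192.168.0.20"), policy, ipfilter),
        "rx_esp_allowed_host": receive(Packet("192.168.0.10", "192.168.0.20", protected=True), policy, ipfilter),
        "rx_esp_filtered_host": receive(Packet("10.0.0.5", "192.168.0.20", protected=True), policy, ipfilter),
        "tx_filtered_host": transmit(Packet("192.168.0.20", "10.0.0.5"), policy, ipfilter),
        "tx_allowed_host": transmit(Packet("192.168.0.20", "192.168.0.10"), policy, ipfilter),
    }


if __name__ == "__main__":
    for name, (verdict, trace) in demo().items():
        print(name, verdict, trace)
```

The trace shows the practical consequence of the ordering: a plaintext packet from a host the IP filter allows is still dropped at reception, because IPSec judges it first, while an outbound packet to a host the IP filter rejects is dropped before IPSec gets the chance to protect it.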

Troubleshooting

Q. Negotiation fails.

A. Check that the port setting of the security policy is the same on both devices. In IPSec, the port setting in the security policy settings must match. For instance, negotiation fails if Protocol is set to TCP and Port is set to All Ports in the settings of this device, whereas Protocol is set to TCP and Port is set to 80 in the settings of the other device.

Q. No debug log file is found. Although I made the setting to obtain debug logs in Service Mode, I found no log file when I accessed the specified path.

A. Debug logs are deleted when the device is turned off and on.

5 Troubleshooting

Service Mode
IPSec Security Board Status Check Test
Deletion of All Registered Policies
Acquisition of Debug Logs

Troubleshooting > Procedure for IPSec Security Board Status Check Test

IPSec Security Board Status Check Test

You can execute tests to check the IPSec security board status from Service Mode. The following two tests are available:

Interrupt mode test: Creates pseudo packets and tests the chip processing.
Poll mode test: Tests the performance of the chip.

Procedure for IPSec Security Board Status Check Test

The procedure to execute the tests that check the status of the IPSec security board is explained below.

1) Press copier > test > network in Service Mode (Level 1).

2) Select (press) IPSECINT (Interrupt mode test) or IPSECPOL (Poll mode test) and press the "OK" button.

• While the test is being executed, "ACTIVE" blinks on the display.
• Be sure to execute both tests. Each test takes approx. 3 minutes.

3) Check the test result when it is displayed. Normal completion: "OK!" Failed: "NG"

If either of the tests fails, the IPSec function does not work. When the result of either test is NG (failed), check whether the accelerator is connected properly and execute the test again. If the result of the retry is also NG (failed), it is considered a chip failure.

Troubleshooting > Procedure to Delete All Registered Policies

Deletion of All Registered Policies

You can delete all the policies registered in a device and initialize it. This function should be used only in emergency cases, such as when there is an inconsistency between registered policies.

Procedure to Delete All Registered Policies

1) Press copier > option > body in Service Mode (Level 2).

2) Input 1 in the SPDALDEL field and press "OK".

3) Restart the device. When the device restarts, all the registered policies are deleted and the device is initialized.

4) Open the IPSec settings window and check that all the registered policies have been deleted.

5) Log in to Service Mode again and reset the value of SPDALDEL to "0".

Troubleshooting > Procedure to Obtain Debug Logs

Acquisition of Debug Logs

Debug logs are prepared for those in charge of product development, and the information in the logs is not disclosed to users. Debug logs are acquired at the direction of a support division of a Sales Company or a development division of Canon Inc. when a failure occurs that cannot be dealt with on site. A service person does not need to check or evaluate debug logs at a user site.

Since IPSec runs in a process separate from the bootable process, its log information is not kept in the sub log. Therefore, the setting to keep IPSec logs must be made in Service Mode.

Procedure to Obtain Debug Logs

1) Press copier > option > body in Service Mode (Level 2).

2) Input the level of logs that you want to obtain in the IPSDEBLV field and press "OK". (The initial setting is "0".)

3) Restart the device.

4) Perform the operation whose log you want to obtain.

5) Connect a PC on which SST is running to the device, and obtain the log file from the following path: /APL_LOG/ipsec/ipseclog.txt

6) Restart the device again and check that the IPSDEBLV setting in Service Mode has returned to the initial value (0).

Although the settable range of the log level is 0 to 10, 8 is the highest log level (9 and 10 are the same level as 8). The setting takes effect after the device is restarted. The setting value is automatically returned to 0 by internal processing after the device is restarted again.

When the log acquisition function is enabled, a file named ipseclog.txt is created under /APL_LOG/ipsec, and the log information is stored in that file. This file is deleted when the device is turned off and on.

Log level 1: FATAL level: Displays fatal error information.
Log level 2: FATAL level: Displays fatal error information.
Log level 3: FATAL level: Displays fatal error information.
Log level 4: WARN level: Displays warning information.
Log level 5: WARN level: Displays warning information.
Log level 6: WARN level: Displays warning information.
Log level 7: LOG level: Displays important log information.
Log level 8: INFO level: Displays all logs.
Log level 9: Same as level 8.
Log level 10: Same as level 8.