Using IPSec

Use IP Security Protocol (IPSec) to prevent eavesdropping on, and tampering with, the IP packets the machine sends and receives over an IP network. IPSec authenticates and encrypts at the IP layer, so every protocol the machine speaks (printing, Remote UI, and so on) is protected without each application or network service needing its own security configuration.

IPSec Applicable Conditions and Supported Modes

Packets to which IPSec does not apply
Packets specifying a loopback, multicast, or broadcast address
IKE packets sent from UDP port 500 (the key exchange itself travels unprotected, since it is what sets up the protection)
ICMPv6 Neighbor Solicitation and Neighbor Advertisement packets
Operation mode of key exchange protocol (IKE mode)
The machine supports only main mode, in which the identity payloads are exchanged encrypted after the Diffie-Hellman exchange. Aggressive mode, which sends the identities in the clear, is not supported.
Communication mode
The machine supports only transport mode, which protects the IP payload and leaves the original IP header in the clear. Tunnel mode, which protects the entire original IP packet by encapsulating it in a new one, is not supported.
Using IPSec together with IP address filtering
The IP address filter settings are applied first; a packet blocked by the filter never reaches IPSec policy evaluation. Setting the Firewall

IPSec Policy Configuration

To perform IPSec communication on the machine, you must create an IPSec policy that includes the applicable range and algorithms for authentication and encryption. The policy is mainly made up of the following items.
Selector
Specify which IP packets IPSec is applied to. In addition to the IP addresses of the machine and of the communicating device, you can also specify their port numbers.
IKE
The key exchange protocol supports Internet Key Exchange Version 1 (IKEv1). For the authentication method, select the pre-shared key method or digital signature method.
Pre-shared Key Method
This method authenticates both sides with a shared secret string, called the Shared Key, that is configured identically on the machine and on the communicating device.
Digital Signature Method
The machine and the other device authenticate each other by mutually verifying digital signatures made with their respective keys and certificates.
ESP/AH
Specify the settings for ESP/AH, the protocols that protect IPSec packets: ESP can provide both encryption and authentication, while AH provides authentication only. ESP and AH can be used at the same time. Enable Perfect Forward Secrecy (PFS) so that each IPSec SA key is derived from a fresh Diffie-Hellman exchange rather than from the IKE SA key alone.

Setting IPSec

Enable the use of IPSec, and then create and register the IPSec policy. If multiple policies have been created, specify the order in which they are applied.
This section describes how to configure the settings using Remote UI from a computer.
The setting can also be reached from the control panel (select [Menu] in the [Home] screen, and then [Preferences]), but the control panel can only enable or disable IPSec; policies must be created in Remote UI. [Use IPSec]
Administrator privileges are required. The machine must be restarted to apply the settings.
Required Preparations
Connect the machine directly to a computer on the same virtual private network (VPN) as the machine. Confirm the operating conditions (see IPSec Applicable Conditions and Supported Modes above), and finish the matching IPSec settings on the computer in advance.
Prepare the following according to the IKE authentication method:
When using the pre-shared key method, enable TLS for Remote UI communication; the shared key is entered through Remote UI, and TLS keeps it from crossing the network in the clear. Using TLS
When using the digital signature method, prepare the key and certificate to use. Managing and Verifying a Key and Certificate
When using PFS, check that PFS is enabled on the communicating device.
1
Log in to Remote UI in System Manager Mode. Starting Remote UI
2
On the Portal page of Remote UI, click [Settings/Registration]. Portal Page of Remote UI
3
Click [Network Settings] > [IPSec Settings] > [Edit].
The [Edit IPSec Settings] screen is displayed.
4
Select the [Use IPSec] checkbox, and click [OK].
To receive only packets that meet a policy, clear the [Receive Non-Policy Packets] checkbox. While it is selected, inbound packets that match no policy are accepted in the clear; clear it once every legitimate peer is covered by a policy and has been confirmed to negotiate successfully, otherwise you may also lock out your own management traffic.
5
Click [Register New Policy].
The [Register New IPSec Policy] screen is displayed.
6
In [Policy Settings], enter the policy name, and select the [Enable Policy] checkbox.
For the policy name, enter a name to identify the policy using single-byte alphanumeric characters.
7
In [Selector Settings], set the selector.
[Local Address Settings]
Select the type of IP address of the machine to which the policy is applied.
To apply IPSec to all IP packets, select [All IP Addresses].
To apply IPSec to IP packets sent and received using an IPv4 or IPv6 address, select [IPv4 Address] or [IPv6 Address].
[Remote Address Settings]
Select the type of IP address of the communicating device to which the policy is applied.
To apply IPSec to all IP packets, select [All IP Addresses].
To apply IPSec to IP packets sent and received using an IPv4 or IPv6 address, select [All IPv4 Addresses] or [All IPv6 Addresses].
To specify an IPv4 or IPv6 address to which IPSec is applied, select [IPv4 Manual Settings] or [IPv6 Manual Settings].
[Addresses to Set Manually]
When [IPv4 Manual Settings] or [IPv6 Manual Settings] is selected, enter the IP address. You can also specify a range of IP addresses by placing a hyphen (-) between the first and last address.
Input example:
One IPv4 address
192.168.0.10
One IPv6 address
fe80::10
Range specification
192.168.0.10-192.168.0.20
[Subnet Settings]
When [IPv4 Manual Settings] is selected, you can use a subnet mask to specify the range of IPv4 addresses.
Input example:
255.255.255.240
[Prefix Length]
When [IPv6 Manual Settings] is selected, you can use a prefix length to specify the range of IPv6 addresses. Enter the prefix length with a range of 0 to 128.
[Port Settings]
Set the port to which IPSec is applied in [Local Port] on the machine and [Remote Port] on the communicating device.
To apply IPSec to all port numbers, select [All Ports].
To apply IPSec to a specific protocol such as HTTP or WSD, select [Single Port], and enter the port number of the protocol.
8
In [IKE Settings], set IKE.
[IKE Mode]
The machine only supports the main mode.
[Authentication Method]
Select the authentication method of the machine.
When [Pre-Shared Key Method] is selected, click [Shared Key Settings], enter the string to use as the shared key using single-byte alphanumeric characters, and click [OK]. Use a long, randomly generated string; the same key must be configured on the communicating device.
When [Digital Signature Method] is selected, click [Key and Certificate], and then click [Register Default Key] to the right of the key and certificate to use.
[Validity]
Enter the validity period, in minutes, of the IKE SA (ISAKMP SA), the control channel over which the IPSec SAs are negotiated.
[Authentication/Encryption Algorithm]
Select the authentication and encryption algorithms used to protect the IKE key exchange.
9
In [IPSec Network Settings], configure the IPSec network settings.
[Use PFS]
Select this checkbox to enable PFS, so that each IPSec SA session key comes from a fresh Diffie-Hellman exchange and cannot be recovered from the IKE SA keys. Both sides must have PFS enabled, or negotiation fails.
[Validity]
Specify the validity period of the IPSec SA, the data channel, by time, by traffic volume, or both.
When the [Specify by Time] checkbox is selected, enter the validity period in minutes.
When the [Specify by Size] checkbox is selected, enter the amount of traffic in megabytes after which the SA expires.
When both are selected, the SA expires and is renegotiated as soon as either limit is reached.
[Authentication/Encryption Algorithm]
Select the checkbox for the IPSec header to use, [ESP] and/or [AH], and choose its algorithm.
[ESP Authentication]
When [ESP] is selected, select the integrity (authentication) algorithm. To authenticate ESP packets, select [SHA1]. [Do Not Use] sends ESP packets without an integrity check; choose it only when AH is also enabled, because encryption without authentication leaves the packets open to undetected modification.
[ESP Encryption]
When [ESP] is selected, select the encryption algorithm. If you do not want to specify the algorithm, select [NULL]; note that NULL is the ESP null encryption algorithm, which provides no confidentiality, so the payload travels in the clear and ESP then gives integrity protection only. To disable encryption, select [Do Not Use].
[Connection Mode]
The machine only supports the transport mode.
10
Click [OK].
The newly registered policy is added to [Registered IPSec Policies] on the [IPSec Settings] screen.
When multiple policies are registered
Click [Up] or [Down] to the right of a policy name to change its priority. Policies nearer the top of the list are checked first, and the first policy whose selector matches a packet is the one applied.
11
Restart the machine. Restarting the Machine
The settings are applied.
Editing Registered Policies
To edit the registered information, click the policy name you want to edit in [Registered IPSec Policies] on the [IPSec Settings] screen.
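The following is an added example, not code from the Canon manual or the machine's firmware, that models how the ordered list in [Registered IPSec Policies] is matched against a packet: the selector fields from step 7 (address type, manual address or range, subnet mask, prefix length, ports), the priority order from step 10, the [Receive Non-Policy Packets] checkbox from step 4, and the exemptions listed under "Packets to which IPSec does not apply". All policy names, addresses and ports are constructed for illustration; the first-match rule, the treatment of exemptions before any policy, and modelling "broadcast" as the limited broadcast address only are assumptions of the example.

```python
# Added example (not the Canon manual's code): evaluate an ordered IPSec policy
# list against a packet the way the machine's settings describe. Names, addresses
# and ports are constructed. Assumptions: first enabled matching policy wins
# (list order = [Up]/[Down] priority); exemptions are checked before policies;
# "broadcast" is modelled as 255.255.255.255 only (directed broadcasts would
# need knowledge of the subnet).
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

IKE_PORT = 500                     # IKE travels on UDP 500 and is never protected
ICMPV6_NS, ICMPV6_NA = 135, 136    # Neighbor Solicitation / Neighbor Advertisement


@dataclass
class AddressSelector:
    """[Local/Remote Address Settings]: kind is "all", "ipv4", "ipv6" or "manual".
    For "manual", text is one address or a "first-last" range; subnet_mask
    ([Subnet Settings], IPv4) or prefix_length ([Prefix Length], IPv6) widens a
    single address to a network."""
    kind: str = "all"
    text: Optional[str] = None
    subnet_mask: Optional[str] = None
    prefix_length: Optional[int] = None

    def matches(self, addr_text: str) -> bool:
        addr = ipaddress.ip_address(addr_text)
        if self.kind == "all":
            return True
        if self.kind in ("ipv4", "ipv6"):
            return addr.version == (4 if self.kind == "ipv4" else 6)
        if "-" in self.text:                       # range, e.g. 192.168.0.10-192.168.0.20
            lo, hi = (ipaddress.ip_address(p) for p in self.text.split("-", 1))
            return lo.version == addr.version and lo <= addr <= hi
        base = ipaddress.ip_address(self.text)
        if base.version != addr.version:
            return False
        mask = self.subnet_mask if addr.version == 4 else self.prefix_length
        if mask is None:
            return addr == base
        return addr in ipaddress.ip_network(f"{base}/{mask}", strict=False)


@dataclass
class Packet:
    """A packet seen from the machine's side: local_* is the machine itself."""
    local_addr: str
    remote_addr: str
    proto: str                          # "tcp", "udp" or "icmpv6"
    local_port: Optional[int] = None
    remote_port: Optional[int] = None
    icmp_type: Optional[int] = None
    inbound: bool = False


@dataclass
class Policy:
    """One entry of [Registered IPSec Policies]; a port of None means [All Ports]."""
    name: str
    enabled: bool = True
    local: AddressSelector = field(default_factory=AddressSelector)
    remote: AddressSelector = field(default_factory=AddressSelector)
    local_port: Optional[int] = None
    remote_port: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        return (self.local.matches(pkt.local_addr)
                and self.remote.matches(pkt.remote_addr)
                and self.local_port in (None, pkt.local_port)
                and self.remote_port in (None, pkt.remote_port))


def exemption(pkt: Packet) -> Optional[str]:
    """Return why IPSec does not apply to this packet at all, or None."""
    for a in (ipaddress.ip_address(pkt.local_addr), ipaddress.ip_address(pkt.remote_addr)):
        if a.is_loopback:
            return "loopback"
        if a.is_multicast:
            return "multicast"
        if a == ipaddress.IPv4Address("255.255.255.255"):
            return "broadcast"
    if pkt.proto == "udp" and IKE_PORT in (pkt.local_port, pkt.remote_port):
        return "ike"
    if pkt.proto == "icmpv6" and pkt.icmp_type in (ICMPV6_NS, ICMPV6_NA):
        return "ndp"
    return None


def decide(policies, pkt: Packet, receive_non_policy: bool = True):
    """Return ("bypass", reason), ("ipsec", policy name), ("clear", None) or
    ("discard", None). receive_non_policy models [Receive Non-Policy Packets]."""
    reason = exemption(pkt)
    if reason:
        return ("bypass", reason)
    for pol in policies:                # top of the list is tried first
        if pol.enabled and pol.matches(pkt):
            return ("ipsec", pol.name)
    if pkt.inbound and not receive_non_policy:
        return ("discard", None)        # checkbox cleared: unprotected inbound is dropped
    return ("clear", None)


MACHINE = "192.168.0.5"
# Constructed policy list in priority order: HTTPS management from a range of admin
# hosts, then everything else on the IPv4 LAN, then the IPv6 link; a disabled entry
# shows that [Enable Policy] must be set for a policy to count.
SAMPLE_POLICIES = [
    Policy("admin-https", local_port=443,
           remote=AddressSelector("manual", "192.168.0.10-192.168.0.20")),
    Policy("lan-v4",
           remote=AddressSelector("manual", "192.168.0.0", subnet_mask="255.255.255.0")),
    Policy("link-v6", local=AddressSelector("ipv6"),
           remote=AddressSelector("manual", "fe80::", prefix_length=64)),
    Policy("disabled-catch-all", enabled=False),
]

if __name__ == "__main__":
    for p in (Packet(MACHINE, "192.168.0.15", "tcp", 443, 51000, inbound=True),
              Packet(MACHINE, "192.168.0.15", "tcp", 80, 51001, inbound=True),
              Packet(MACHINE, "10.0.0.9", "tcp", 80, 51002, inbound=True),
              Packet(MACHINE, "192.168.0.15", "udp", 500, 500),
              Packet("fe80::5", "fe80::1", "icmpv6", icmp_type=ICMPV6_NS)):
        print(p.remote_addr, p.proto, decide(SAMPLE_POLICIES, p, receive_non_policy=False))
```

Running the script with [Receive Non-Policy Packets] modelled as cleared shows the point of step 4: the packet from 10.0.0.9 is discarded rather than accepted in the clear, while the IKE and Neighbor Discovery packets bypass policy evaluation entirely, which is why those exemptions cannot lock the machine out of the network.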
965L-082