...
Internet Protocol Security (IPsec) is a group of protocols used to secure Internet Protocol (IP) communications by authenticating and encrypting each IP data packet. It allows you to control IP communication by creating protocol groups, policies, and actions. IPsec is designed to provide the following security services:

- Traffic encryption: This service prevents unintended recipients from reading private communications.
- Integrity validation: This service ensures that traffic has not been modified along its path.
- Peer authentication: This service ensures that traffic is coming from a trusted source.
- Anti-replay: This service protects against replay of the secure session.

Note: When FIPS mode is enabled on the device, it is possible to configure IPsec with FIPS compliant options only.

IPsec Configuration Components

To configure IPsec, perform the following tasks:

1. Configure IPsec on the Xerox device.
2. Configure and define the components of IPsec security policies.
3. Configure IPsec on the remote host.
4. Send data over a secure connection.

Managing Security Policies

IPsec security policies are sets of conditions, configuration options, and security settings that enable two systems to agree on how to secure traffic between them. You can have multiple policies active at the same time; however, the scope and the policy list order determine the overall policy behavior. The policy list order is important. The policies are applied in order of priority. Traffic that meets the criteria of a higher priority policy is handled according to that policy, ignoring any lower priority policy that governs the same traffic.

Caution: Ensure that the IPsec security selections for your device match precisely those on the IPsec security end-point client devices. Mismatches result in communication failures.

Defining a Security Policy

1. To access the IPsec page, in the Embedded Web Server, click Properties > Security > IPsec.
2. Click Security Policies at the top of the IPsec page.
3. For Define Policy, select a Host Group from the menu.
4. Select a Protocol Group from the menu.
5. Select an Action from the menu.
6. Click Add Policy.

Prioritizing a Security Policy

To prioritize policies, under Saved Policies, select the policy you want to move, then click the Promote or Demote buttons.

Editing or Deleting a Security Policy

To delete a policy, under Saved Policies, select the policy and click Delete.

Managing Host Groups

Host groups are groupings of computers, servers, or other devices that you want to control using security policies. A host group is a set of addresses over which to apply the policy.

Note: The host groups Any and Local Subnet are preconfigured.

Creating a New Host Group

1. Click Host Groups at the top of the IPsec page.
2. Click Add New Host Group.
3. Type a Name and a Description for the group.
4. Under Address List, select IPv4 or IPv6.
5. Select an Address Type. Options are Specific, All, or Subnet.
6. Type the appropriately formatted IP address.
7. To continue to add addresses to the group, click Add.
8. To delete addresses, next to any address, click Delete.
9. Click Save to apply the new settings or Undo to retain the previous settings.

Editing or Deleting a Host Group

To edit or delete a host group, select the host group from the list, and click Edit or Delete.

Managing Protocol Groups

Protocol groups are logical groupings of selected protocols. To apply specific security policies for selected protocols, create a Protocol Group. Protocol groups define the upper layer protocols destined to become part of the security policy. The upper layer protocols include All, FTP, HTTP, SMTP, IPP, and other protocols. You can configure custom protocols. The following protocol groups are predefined:

- All: This group includes all protocols.
- System Services: This group includes all protocols necessary to start and configure the Xerox device, except ISAKMP, the IPsec port.
- Non-System Services: This group includes all protocols that are not included in System Services, except ISAKMP.

Creating a Protocol Group

1. On the IPsec page, click Protocol Groups.
2. Click Add New Protocol Group.
3. Type a Name and a Description for the group.
4. For App Name, select the protocols that you want to add to the group.
5. To control an app that is not listed, in the Custom Protocols area, for Service Name, select the check box, then type a name for the app.
6. For Protocol, select TCP or UDP.
7. Type the port number, and specify if the printer is the server or the client.
8. To apply the new settings, click Save. To retain the previous settings, click Undo. To return to the previous page, click Cancel.

Editing or Deleting a Protocol Group

To edit or delete a protocol group, select the protocol group from the list, and click Edit or Delete.

Managing Actions

Use actions to more specifically manage how IPsec controls dependent protocols. Two actions are predefined. You can also create your own actions. The following actions are predefined:

- Pass: This action allows unencrypted traffic.
- Block: This action blocks unencrypted traffic.

Creating a New Action

Use the Actions page to create and manage actions. Use the New Action Step 1 of 2 page to name an action and select the keying method.

1. Click Actions at the top of the IPsec page.
2. Click Add New Action.
3. For IP Action Details, in the Name field, type a name for the action.
4. In the Description field, type a description for the action, if needed.
5. For Keying Method, select an option:
   - Internet Key Exchange (IKEv1)
   - Manual Keying
   Note: If client devices are not configured for or do not support IKE, select Manual Keying.
6. If you selected IKE, select an authentication mode:
   - Pre-shared Key: This option instructs the device to authenticate with a pre-shared key. For this method of authentication, each peer device needs to be configured with the same key. Type the key in the Pre-shared Key field.
     Note: For improved security, use a complex and long key. To meet updated security requirements, the minimum key length required is 14 bytes, for example, 14 ASCII characters. The key can have a maximum length of 248 bytes. You can enter characters from the Latin-1 or UTF-8 character sets.
   - Digital Certificates: This option instructs the device to authenticate with digital certificates. For this method of authentication, each peer device obtains a unique digital identity certificate from a Certificate Authority (CA) for authentication. The CA issues a digital certificate that contains the public key of the applicant and other identification information. The CA makes its own public key available through the CA certificate. The recipient of the IKE message uses the public key from the CA to verify the digital identity certificate of the peer device. To verify that the digital identity certificate of the peer device is the one issued by the CA, the printer verifies the signature of the certificate.
     Important: To authenticate each other successfully, each peer device in the IPsec connection must possess a device certificate signed by a CA that the other peer device trusts.
     When the required certificates are installed, do the following:
     a. For Device Authentication Certificate, select a certificate from the list.
     b. For Server Validation Certificate, select a certificate from the list.
     Note: Before you can configure the IPsec Action, install the certificates for IKE digital authentication through the Security Certificates page.
     Before you save the configuration, to view certificates, do the following:
     a. To view the Xerox Device Certificate, click View Xerox Device Certificates.
     b. At the View/Save Certificates page, to export the certificate, click Export (Base-64 Encoded - PEM).
     c. To exit the View/Save Certificates page, click Close.
     d. To view a Server Validation Certificate, click View Server Certificates. Repeat steps b and c, as needed.
7. Click Next.

Configuring Internet Key Exchange Settings

Use the Step 2 of 2 (IKEv1 Settings) page to configure Internet Key Exchange settings. Internet Key Exchange (IKE) is a keying protocol that allows automatic negotiation and authentication, anti-replay services, and Certificate Authority support. IKE can change encryption keys during an IPsec session. IKE is also used as part of virtual private networking. IKE Phase 1 authenticates the IPsec peers and sets up a secure channel between the peers to enable IKE exchanges. IKE Phase 2 negotiates IPsec Security Associations to set up the IPsec tunnel.

The device supports the following IKE Phase 1 values by default:

- DH Groups: DH Group 20 (EC P-384), DH Group 19 (EC P-256), DH Group 14 (2048-bit MODP)
- Hashes: SHA-384, SHA-256
- Encryptions: AES-CBC-256, AES-CBC-128

Note: The System Administrator cannot configure the IKE Phase 1 default values.

1. In the IKE Phase 1 area, for Key Lifetime, type the length of time until the key expires, in Seconds, Minutes, or Hours. When a key reaches this lifetime, the Security Association is renegotiated and the key is regenerated or refreshed.
2. In the IKE Phase 2 area, for IPsec Mode, select an option.
   - Transport Mode: This option encrypts the IP payload only.
   - Tunnel Mode: This option encrypts the IP header and the IP payload.
   Note: Tunnel mode treats the entire IP packet as an Authentication Header (AH) or Encapsulating Security Payload (ESP), which provides protection for the entire packet.
3. If you selected Tunnel Mode, for Enable Security End Point Address, select an address type. Options are Disabled, IPv4 Address, or IPv6 Address.
4. For IPsec Security, select ESP, AH, or BOTH.
5. For Perfect Forward Secrecy (PFS), select an option. Options are Group 20 (EC P-384), Group 19 (EC P-256), Group 14 (2048-bit MODP), or None.
   Note: If FIPS is enabled, you cannot select None for PFS.
6. For Hash, select an option. Options are SHA-256, SHA-1, or None.
7. If you selected ESP or BOTH for the IPsec Security type, for Encryption, select AES-CBC-128/256 or None.
   Note: If FIPS is enabled, you cannot select None for Encryption.
8. For Key Lifetime, type the length of time until the key expires, in Seconds, Minutes, or Hours. When a key reaches this lifetime, the Security Association is renegotiated and the key is regenerated or refreshed.
9. Click Save.

Configuring Manual Keying Settings

Use the Step 2 of 2 (Manual Settings) page to configure manual keys. Use Manual Keying when client systems either do not support Internet Key Exchange (IKE) or are not configured for IKE.

1. In the Mode Selections area, for IPsec Mode, select an option.
   - Transport Mode: This option encrypts the IP payload only.
   - Tunnel Mode: This option encrypts the IP header and the IP payload.
   Note: Tunnel mode treats the entire IP packet as an Authentication Header (AH) or Encapsulating Security Payload (ESP), which provides protection for the entire packet.
2. If you selected Tunnel Mode, for Enable Security End Point Address, select the address type. Options are Disabled, IPv4 Address, or IPv6 Address.
3. In the Security Selections area, for IPsec Security, select ESP, AH, or BOTH.
4. Depending on the IPsec Security setting, do the following:
   - To define the inbound Security Association, enter the Security Parameter Index (SPI) inbound value for ESP or AH, or both. For ESP Security Parameter Index: IN or AH Security Parameter Index: IN, type a 32-bit number greater than or equal to 256.
   - To define the outbound Security Association, enter the Security Parameter Index (SPI) outbound value for ESP or AH, or both. For ESP Security Parameter Index: OUT or AH Security Parameter Index: OUT, type a 32-bit number greater than or equal to 256.
5. For Hash, select an option. Options are SHA-256, SHA-1, or None.
6. For Enter Keys as, select ASCII format or Hexadecimal number.
7. For Hash Key: IN and Hash Key: OUT, type keys in the appropriate format. Ensure that string lengths meet the requirements detailed on the page.
8. If you selected ESP or BOTH for the IPsec Security type, for Encryption, select an option. Options are AES-CBC-128/256, or None.
   Note: If FIPS is enabled, you cannot select None for Encryption.
9. For Encryption Key: IN and Encryption Key: OUT, type keys in the appropriate format. Ensure that string lengths meet the requirements detailed on the page.
10. Click Save.

Editing or Deleting an Action

To edit or delete an action, select the action from the list, then click Edit or Delete.

Enabling IPsec

1. In the Embedded Web Server, click Properties > Security.
2. Click IPsec.
3. For Enablement, select Enabled.
4. To save the new settings, click Apply. To retain the previous settings, click Undo.

Disabling IPsec at the Control Panel

1. At the control panel touch screen, touch Device, then touch Tools.
2. Touch Security Settings > IPsec.
3. Touch Disable IPsec.

Note: IPsec can be enabled only in the Embedded Web Server.
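The priority rule described under Managing Security Policies (the first policy in the Saved Policies order whose host group and protocol group cover a packet decides its action, and lower policies for the same traffic are ignored) is modelled below as an added Python example. This is not Xerox code and not the device's own matching logic; the host group entries, the "Web UI" protocol group, the sample addresses (RFC 5737 documentation ranges) and the ports are constructed for the demonstration. It shows why Promote and Demote change behaviour: the same two policies give a different answer for the same packet once their order is swapped.

```python
"""Priority-ordered IPsec policy matching (added example, not Xerox code).

Models the documented rule: policies are applied in Saved Policies order
and the first policy whose Host Group and Protocol Group both match decides
the action. All sample data below is constructed.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple
import ipaddress


@dataclass
class HostGroup:
    name: str
    # Each entry mirrors the Address Type choices on the Host Groups page:
    # ("All", None), ("Subnet", "192.0.2.0/24") or ("Specific", "192.0.2.7")
    entries: List[Tuple[str, Optional[str]]] = field(default_factory=list)

    def matches(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        for kind, value in self.entries:
            if kind == "All":
                return True
            if kind == "Subnet" and addr in ipaddress.ip_network(value, strict=False):
                return True
            if kind == "Specific" and addr == ipaddress.ip_address(value):
                return True
        return False


@dataclass
class ProtocolGroup:
    name: str
    # (transport, port) pairs; None stands for the predefined "All" group
    services: Optional[List[Tuple[str, int]]] = None

    def matches(self, transport: str, port: int) -> bool:
        return self.services is None or (transport, port) in self.services


@dataclass
class Policy:
    hosts: HostGroup
    protocols: ProtocolGroup
    action: str  # "Pass", "Block", or the name of a custom action


def evaluate(policies: List[Policy], src_ip: str, transport: str, port: int) -> Optional[str]:
    """Return the action of the highest-priority (earliest) matching policy,
    or None when no saved policy covers the traffic."""
    for p in policies:
        if p.hosts.matches(src_ip) and p.protocols.matches(transport, port):
            return p.action
    return None


def promote(policies: List[Policy], index: int) -> List[Policy]:
    """Move the policy at `index` one place up, like the Promote button."""
    if index > 0:
        policies[index - 1], policies[index] = policies[index], policies[index - 1]
    return policies


# Constructed sample data. "Local Subnet" is preconfigured on the device; its
# real range depends on the device's address, so a documentation subnet is assumed.
ANY = HostGroup("Any", [("All", None)])
LOCAL_SUBNET = HostGroup("Local Subnet", [("Subnet", "192.0.2.0/24")])
ALL = ProtocolGroup("All", None)
WEB_UI = ProtocolGroup("Web UI", [("TCP", 80), ("TCP", 443)])  # constructed custom group

policies = [
    Policy(ANY, ALL, "Block"),          # priority 1: block all unencrypted traffic
    Policy(LOCAL_SUBNET, WEB_UI, "Pass"),  # priority 2: shadowed for LAN web traffic
]

if __name__ == "__main__":
    print("LAN web before promote:", evaluate(policies, "192.0.2.10", "TCP", 80))
    promote(policies, 1)
    print("LAN web after promote: ", evaluate(policies, "192.0.2.10", "TCP", 80))
    print("Remote web:            ", evaluate(policies, "203.0.113.5", "TCP", 80))
```

With the Block-everything policy first, a web request from the local subnet is blocked even though a Pass policy for exactly that traffic exists further down; promoting the narrower policy above it is what makes the Pass take effect, while traffic from outside the subnet is still caught by the broad policy.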
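The limits stated on the action pages (a pre-shared key of 14 to 248 bytes, SPI values that are 32-bit numbers of at least 256, and the FIPS rule that neither PFS nor Encryption may be None) are easy to get wrong when settings are prepared off the device, especially because the key limit is in bytes rather than characters. The following added Python example, which is not Xerox code, re-states those checks so values can be validated before they are typed into the Embedded Web Server. The dictionary field names and the sample manual-keying settings are constructed; the expected hash and AES key sizes are assumed from the algorithm definitions (HMAC-SHA-256 32 bytes, HMAC-SHA-1 20 bytes, AES-CBC 16 or 32 bytes) and are not stated on the page, whose own length requirements take precedence.

```python
"""Pre-flight checks for IPsec action settings (added example, not Xerox code).

Re-states the limits given on the New Action, IKEv1 Settings and Manual
Settings pages. Field names and sample values are constructed.
"""
from typing import Dict, List

PSK_MIN_BYTES, PSK_MAX_BYTES = 14, 248   # stated on the page
SPI_MIN, SPI_MAX = 256, 2 ** 32 - 1      # "32-bit number greater than or equal to 256"

# Assumed from the algorithms, not from the page (the device's own stated
# length requirements take precedence over these values).
HASH_KEY_BYTES = {"SHA-256": 32, "SHA-1": 20}
AES_KEY_BYTES = (16, 32)                 # AES-CBC-128 / AES-CBC-256


def psk_problems(key: str) -> List[str]:
    """The pre-shared key limits are in bytes: a UTF-8 key with non-ASCII
    characters has fewer characters than bytes, so count after encoding."""
    n = len(key.encode("utf-8"))
    if n < PSK_MIN_BYTES:
        return [f"pre-shared key is {n} bytes; minimum is {PSK_MIN_BYTES}"]
    if n > PSK_MAX_BYTES:
        return [f"pre-shared key is {n} bytes; maximum is {PSK_MAX_BYTES}"]
    return []


def spi_problems(label: str, spi: int) -> List[str]:
    if not SPI_MIN <= spi <= SPI_MAX:
        return [f"{label} SPI {spi} must be a 32-bit value >= {SPI_MIN}"]
    return []


def decode_key(value: str, fmt: str) -> bytes:
    """'Enter Keys as' offers ASCII format or Hexadecimal number."""
    if fmt == "Hexadecimal number":
        return bytes.fromhex(value)          # ValueError on odd length or bad digits
    return value.encode("ascii")             # UnicodeEncodeError (a ValueError) on non-ASCII


def ike_problems(s: Dict, fips: bool) -> List[str]:
    """Checks for the Step 2 of 2 (IKEv1 Settings) page."""
    problems: List[str] = []
    if s.get("authentication") == "Pre-shared Key":
        problems += psk_problems(s.get("psk", ""))
    if fips and s.get("pfs") == "None":
        problems.append("FIPS mode: PFS cannot be None")
    if fips and s.get("ipsec_security") in ("ESP", "BOTH") and s.get("encryption") == "None":
        problems.append("FIPS mode: Encryption cannot be None")
    return problems


def _key_problems(s: Dict, prefix: str, label: str, expected: tuple) -> List[str]:
    """Decode the IN and OUT keys named by `prefix` and check their byte length."""
    problems: List[str] = []
    for direction in ("in", "out"):
        try:
            k = decode_key(s[f"{prefix}_{direction}"], s["key_format"])
        except ValueError:
            problems.append(f"{label} key {direction.upper()} is not valid {s['key_format']}")
            continue
        if len(k) not in expected:
            problems.append(f"{label} key {direction.upper()} is {len(k)} bytes; expected {sorted(expected)}")
    return problems


def manual_keying_problems(s: Dict, fips: bool) -> List[str]:
    """Checks for the Step 2 of 2 (Manual Settings) page."""
    problems: List[str] = []
    sec = s["ipsec_security"]                # ESP, AH or BOTH
    for proto in ("ESP", "AH"):
        if sec in (proto, "BOTH"):
            for direction in ("in", "out"):
                problems += spi_problems(f"{proto} {direction.upper()}", s[f"{proto.lower()}_spi_{direction}"])
    if s["hash"] != "None":
        problems += _key_problems(s, "hash_key", "hash", (HASH_KEY_BYTES[s["hash"]],))
    if sec in ("ESP", "BOTH"):
        if s["encryption"] == "None":
            if fips:
                problems.append("FIPS mode: Encryption cannot be None")
        else:
            problems += _key_problems(s, "encryption_key", "encryption", AES_KEY_BYTES)
    return problems


# Constructed sample: ESP only, SHA-256 integrity, AES-CBC-128, keys entered as hex.
SAMPLE_MANUAL = {
    "ipsec_security": "ESP",
    "hash": "SHA-256",
    "encryption": "AES-CBC-128/256",
    "key_format": "Hexadecimal number",
    "esp_spi_in": 0x1000, "esp_spi_out": 0x1001,
    "hash_key_in": "0123456789abcdef" * 4, "hash_key_out": "fedcba9876543210" * 4,
    "encryption_key_in": "00112233445566778899aabbccddeeff",
    "encryption_key_out": "ffeeddccbbaa99887766554433221100",
}
```

Run the checks on both peers' intended settings before enabling the policy: the page's Caution notes that any mismatch between the device and the end-point client results in communication failures, and a key that is the wrong length or an SPI below 256 is rejected by the device but may not be by the peer's tooling.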