...
Actions

Use actions to manage more specifically how IPsec controls dependent protocols. Two actions are predefined, and you can create custom actions. The following actions are predefined:
• Pass: This action allows unencrypted traffic.
• Block: This action blocks unencrypted traffic.

Creating a New Action

Use the Actions page to create and manage actions. Use the New Action Step 1 of 2 page to name an action and select the keying method.
1. Click Actions at the top of the IPsec page.
2. Click Add New Action.
3. For IP Action Details, in the Name field, type a name for the action.
4. In the Description field, type a description for the action, if needed.
5. For Keying Method, select an option:
   • Internet Key Exchange (IKEv1)
   • Manual Keying
   Note: If client devices are not configured for or do not support IKE, select Manual Keying.
6. If you selected IKE, select an authentication mode:
   • Pre-shared Key: This option instructs the device to authenticate with a pre-shared key. For this method of authentication, each peer device needs to be configured with the same key. Type the key in the Pre-shared Key field.
     Note: For improved security, use a complex and long key. To meet updated security requirements, the minimum key length is 14 bytes, for example 14 ASCII characters. The maximum key length is 248 bytes. You can enter characters from the Latin-1 or UTF-8 character sets. Both limits are measured in bytes, not characters: a character outside ASCII occupies more than one byte in UTF-8, so a key of fewer than 14 characters can satisfy the minimum, and a key of fewer than 248 characters can exceed the maximum.
   • Digital Certificates: This option instructs the device to authenticate with digital certificates. For this method of authentication, each peer device obtains a unique digital identity certificate from a Certificate Authority (CA). The CA issues a digital certificate that contains the public key of the applicant and other identification information, and makes its own public key available through the CA certificate. The recipient of the IKE message uses the public key from the CA certificate to verify the digital identity certificate of the peer device: to confirm that the certificate was issued by that CA, the printer verifies the CA signature on the certificate.
     Important: To authenticate each other successfully, each peer device in the IPsec connection must possess a device certificate signed by a CA that the other peer device trusts.
     Note: Before you can configure the IPsec action, install the certificates for IKE digital authentication through the Security Certificates page.
     When the required certificates are installed, do the following:
     a. For Device Authentication Certificate, select a certificate from the list.
     b. For Server Validation Certificate, select a certificate from the list.
     Before you save the configuration, to view certificates, do the following:
     a. To view the Xerox Device Certificate, click View Xerox Device Certificates.
     b. At the View/Save Certificates page, to export the certificate, click Export (Base-64 Encoded - PEM).
     c. To exit the View/Save Certificates page, click Close.
     d. To view a Server Validation Certificate, click View Server Certificates. Repeat steps b and c, as needed.
7. Click Next.

Configuring Internet Key Exchange Settings

Use the Step 2 of 2 (IKEv1 Settings) page to configure Internet Key Exchange settings.

Internet Key Exchange (IKE) is a keying protocol that provides automatic negotiation and authentication, anti-replay services, and Certificate Authority support. IKE can also rekey during an IPsec session, and it is used as part of virtual private networking. IKE Phase 1 authenticates the IPsec peers and sets up a secure channel between them for the IKE exchanges. IKE Phase 2 negotiates the IPsec Security Associations that set up the IPsec tunnel.

The device supports the following IKE Phase 1 values by default:
• DH Groups: DH Group 20 (EC P-384), DH Group 19 (EC P-256), DH Group 14 (2048-bit MODP)
• Hashes: SHA-384, SHA-256
• Encryptions: AES-CBC-256, AES-CBC-128
Note: The System Administrator cannot configure the IKE Phase 1 default values. A peer whose Phase 1 proposals use none of these groups, hashes, and ciphers cannot complete Phase 1 with the device; in that case, change the proposal on the peer.

1. In the IKE Phase 1 area, for Key Lifetime, type the length of time until the key expires, in Seconds, Minutes, or Hours. When a key reaches this lifetime, the Security Association is renegotiated and the key is regenerated or refreshed.
2. In the IKE Phase 2 area, for IPsec Mode, select an option:
   • Transport Mode: This option protects the IP payload only; the original IP header is sent in the clear.
   • Tunnel Mode: This option protects both the IP header and the IP payload.
   Note: Tunnel mode places the entire original IP packet inside the Authentication Header (AH) or Encapsulating Security Payload (ESP) of a new outer packet, which provides protection for the entire original packet.
3. If you selected Tunnel Mode, for Enable Security End Point Address, select an address type. Options are Disabled, IPv4 Address, or IPv6 Address.
4. For IPsec Security, select ESP, AH, or BOTH.
5. For Perfect Forward Secrecy (PFS), select an option. Options are Group 20 (EC P-384), Group 19 (EC P-256), Group 14 (2048-bit MODP), or None.
   Note: If FIPS 140 is enabled, you cannot select None for PFS.
6. For Hash, select an option. Options are SHA-256, SHA-1, or None. Selecting None leaves the traffic without integrity protection.
7. If you selected ESP or BOTH for the IPsec Security type, for Encryption, select AES-CBC-128/256 or None.
   Note: If FIPS 140 is enabled, you cannot select None for Encryption.
8. For Key Lifetime, type the length of time until the key expires, in Seconds, Minutes, or Hours. When a key reaches this lifetime, the Security Association is renegotiated and the key is regenerated or refreshed.
9. Click Save.

Configuring Manual Keying Settings

Use the Step 2 of 2 (Manual Settings) page to configure manual keys. Use Manual Keying when client systems either do not support Internet Key Exchange (IKE) or are not configured for IKE. Manually keyed Security Associations are never rekeyed automatically and provide no Perfect Forward Secrecy, so change the keys on a schedule and prefer IKE wherever the peer supports it.
1. In the Mode Selections area, for IPsec Mode, select an option:
   • Transport Mode: This option protects the IP payload only; the original IP header is sent in the clear.
   • Tunnel Mode: This option protects both the IP header and the IP payload.
   Note: Tunnel mode places the entire original IP packet inside the Authentication Header (AH) or Encapsulating Security Payload (ESP) of a new outer packet, which provides protection for the entire original packet.
2. If you selected Tunnel Mode, for Enable Security End Point Address, select the address type. Options are Disabled, IPv4 Address, or IPv6 Address.
3. In the Security Selections area, for IPsec Security, select ESP, AH, or BOTH.
4. Depending on the IPsec Security setting, do the following:
   • To define the inbound Security Association, enter the Security Parameter Index (SPI) inbound value for ESP or AH, or both. For ESP Security Parameter Index: IN or AH Security Parameter Index: IN, type a 32-bit number greater than or equal to 256.
   • To define the outbound Security Association, enter the Security Parameter Index (SPI) outbound value for ESP or AH, or both. For ESP Security Parameter Index: OUT or AH Security Parameter Index: OUT, type a 32-bit number greater than or equal to 256.
   Note: SPI values 0 through 255 are reserved (1 through 255 by IANA, 0 for local implementation use), which is why the page does not accept them. Security Associations are one-directional: the inbound SPI and keys on this device must equal the outbound SPI and keys configured on the peer, and vice versa.
5. For Hash, select an option. Options are SHA-256, SHA-1, or None.
6. For Enter Keys as, select ASCII format or Hexadecimal number.
7. For Hash Key: IN and Hash Key: OUT, type keys in the appropriate format. Ensure that string lengths meet the requirements detailed on the page.
8. If you selected ESP or BOTH for the IPsec Security type, for Encryption, select an option. Options are AES-CBC-128/256, or None.
   Note: If FIPS 140 is enabled, you cannot select None for Encryption.
9. For Encryption Key: IN and Encryption Key: OUT, type keys in the appropriate format. Ensure that string lengths meet the requirements detailed on the page.
10. Click Save.

Editing or Deleting an Action

To edit or delete an action, select the action from the list, then click Edit or Delete.
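Worked example for the Configuring Internet Key Exchange Settings section: because the device's IKE Phase 1 defaults cannot be changed, Phase 1 completes only if the peer proposes at least one combination of DH group, hash, and cipher that the device accepts, so the peer is the side to adjust. The Python below is an added illustration written for this page, not device or Xerox code. It models only the three Phase 1 attributes listed above (IKEv1 also negotiates the authentication method and lifetime, which are left out), and it checks an IKE Phase 2 selection against the FIPS 140 rules stated in the steps. The peer proposal lists MODERN_PEER and LEGACY_PEER and the short group names such as DH14 are constructed for the example.

```python
"""Added illustration: matching a peer's IKEv1 Phase 1 proposals against the
device's fixed defaults, plus a Phase 2 selection check. Not Xerox code."""
from itertools import product
from typing import List, Optional, NamedTuple


class Proposal(NamedTuple):
    encryption: str
    hash: str
    dh_group: str


# Phase 1 defaults from the page; the System Administrator cannot change them.
DEVICE_ENCRYPTIONS = ("AES-CBC-256", "AES-CBC-128")
DEVICE_HASHES = ("SHA-384", "SHA-256")
DEVICE_DH_GROUPS = ("DH20", "DH19", "DH14")   # EC P-384, EC P-256, 2048-bit MODP
DEVICE_ACCEPTS = frozenset(
    Proposal(e, h, g)
    for e, h, g in product(DEVICE_ENCRYPTIONS, DEVICE_HASHES, DEVICE_DH_GROUPS)
)

# Constructed peer configurations (not from the page). LEGACY_PEER is the kind
# of list an older VPN gateway or operating-system default still offers.
MODERN_PEER = [
    Proposal("AES-CBC-256", "SHA-256", "DH14"),
    Proposal("AES-CBC-128", "SHA-256", "DH14"),
]
LEGACY_PEER = [
    Proposal("3DES", "SHA-1", "DH2"),
    Proposal("AES-CBC-128", "SHA-1", "DH2"),
]


def negotiate_phase1(peer_proposals: List[Proposal]) -> Optional[Proposal]:
    """Return the first proposal, in the peer's order of preference, that the
    device also accepts, or None when Phase 1 cannot complete."""
    for p in peer_proposals:
        if p in DEVICE_ACCEPTS:
            return p
    return None


def explain_phase1_failure(peer_proposals):
    """For each peer proposal, list the attributes the device never offers;
    these are what must change on the peer, since the device side is fixed."""
    report = {}
    for p in peer_proposals:
        missing = []
        if p.encryption not in DEVICE_ENCRYPTIONS:
            missing.append(f"encryption {p.encryption}")
        if p.hash not in DEVICE_HASHES:
            missing.append(f"hash {p.hash}")
        if p.dh_group not in DEVICE_DH_GROUPS:
            missing.append(f"DH group {p.dh_group}")
        report[p] = missing
    return report


# Phase 2 choices as the page lists them (group names shortened).
PFS_OPTIONS = ("Group 20", "Group 19", "Group 14", "None")
HASH_OPTIONS = ("SHA-256", "SHA-1", "None")
ENC_OPTIONS = ("AES-CBC-128/256", "None")


def check_phase2(ipsec_security, pfs, hash_alg, encryption=None, fips_enabled=False):
    """Check an IKE Phase 2 selection against the rules the page states.
    Returns a list of problems; an empty list means the selection can be saved."""
    problems = []
    if ipsec_security not in ("ESP", "AH", "BOTH"):
        problems.append(f"IPsec Security {ipsec_security!r} is not ESP, AH or BOTH")
    if pfs not in PFS_OPTIONS:
        problems.append(f"PFS {pfs!r} is not one of {PFS_OPTIONS}")
    elif fips_enabled and pfs == "None":
        problems.append("FIPS 140 is enabled: PFS cannot be None")
    if hash_alg not in HASH_OPTIONS:
        problems.append(f"Hash {hash_alg!r} is not one of {HASH_OPTIONS}")
    if ipsec_security in ("ESP", "BOTH"):
        # The Encryption selector only appears for ESP or BOTH.
        if encryption not in ENC_OPTIONS:
            problems.append(f"Encryption {encryption!r} is not one of {ENC_OPTIONS}")
        elif fips_enabled and encryption == "None":
            problems.append("FIPS 140 is enabled: Encryption cannot be None")
    elif encryption is not None:
        problems.append("Encryption is only selected when IPsec Security is ESP or BOTH")
    return problems


if __name__ == "__main__":
    print("modern peer:", negotiate_phase1(MODERN_PEER))
    print("legacy peer:", negotiate_phase1(LEGACY_PEER))
    for p, missing in explain_phase1_failure(LEGACY_PEER).items():
        print("  ", p, "->", ", ".join(missing))
    print(check_phase2("ESP", "None", "SHA-256", "None", fips_enabled=True))
```

Run stand-alone, the script shows the legacy peer failing on every proposal and names the hash and group to change on that peer; the Phase 2 call reports both FIPS violations at once rather than stopping at the first, which is how you would want a pre-save check to behave.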
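Worked example for the Configuring Manual Keying Settings section and for the pre-shared key note under Creating a New Action: offline checks of the values before they are typed into the page. This is an added example, not Xerox code. The SPI rule (32-bit, at least 256) and the pre-shared key limits (14 to 248 bytes) come from the page. The per-algorithm key sizes in KEY_BYTES are an assumption: they are the standard IPsec sizes (16 or 32 bytes for AES-CBC-128/256, 20 bytes for HMAC-SHA-1, 32 bytes for HMAC-SHA-256), whereas the page says only that lengths must meet the requirements shown on the page itself. "ASCII format" is taken to mean the UTF-8 bytes of the typed string, and the SAMPLE_FORM values are constructed.

```python
"""Added example: validating Manual Settings fields and an IKE pre-shared key
before entering them on the device page. Not Xerox code."""

SPI_MIN, SPI_MAX = 256, 0xFFFFFFFF          # page: 32-bit number >= 256
PSK_MIN_BYTES, PSK_MAX_BYTES = 14, 248      # page: 14..248 bytes

# ASSUMED standard IPsec key sizes in bytes (AES-CBC per RFC 3602, HMAC-SHA-1-96
# per RFC 2404, HMAC-SHA-256-128 per RFC 4868). The device page states the
# lengths it actually enforces; adjust this table to match it.
KEY_BYTES = {"AES-CBC-128": 16, "AES-CBC-256": 32, "SHA-1": 20, "SHA-256": 32}


def check_spi(value):
    """Return None if value is a usable SPI (32-bit, >= 256), else a message.
    SPIs 1..255 are reserved by IANA and 0 for local use, hence the page's limit."""
    if not isinstance(value, int) or not SPI_MIN <= value <= SPI_MAX:
        return f"SPI {value!r} must be an integer in {SPI_MIN}..{SPI_MAX}"
    return None


def key_bytes(text, fmt):
    """Turn a key typed into the form into raw bytes.

    fmt is the page's 'Enter Keys as' choice: 'ASCII format' (assumed here to
    mean the UTF-8 bytes of the string) or 'Hexadecimal number'."""
    if fmt == "ASCII format":
        return text.encode("utf-8")
    if fmt == "Hexadecimal number":
        digits = text.strip().lower()
        if digits.startswith("0x"):
            digits = digits[2:]
        return bytes.fromhex(digits)      # ValueError on odd length or bad digits
    raise ValueError(f"unknown key format {fmt!r}")


def check_key(text, fmt, algorithm):
    """Return None if the key has exactly the length algorithm needs, else a message."""
    want = KEY_BYTES[algorithm]
    try:
        got = len(key_bytes(text, fmt))
    except ValueError as exc:
        return f"{algorithm}: key is not valid {fmt}: {exc}"
    if got != want:
        return f"{algorithm}: key is {got} bytes, needs exactly {want}"
    return None


def check_psk(text):
    """Validate an IKE pre-shared key against the page's limits.

    The limits are in bytes of the encoded key, not characters: seven copies
    of 'ä' already give 14 UTF-8 bytes, and 125 copies exceed 248."""
    n = len(text.encode("utf-8"))
    if not PSK_MIN_BYTES <= n <= PSK_MAX_BYTES:
        return f"pre-shared key is {n} bytes; allowed {PSK_MIN_BYTES}..{PSK_MAX_BYTES}"
    return None


def check_manual_settings(form):
    """Validate the fields of one Manual Settings action.

    form mirrors the page: 'security' (ESP/AH/BOTH), 'format', per-protocol
    'spi' in/out values, 'hash' with 'hash_key_in'/'hash_key_out', and for
    ESP/BOTH 'encryption' with 'enc_key_in'/'enc_key_out'.
    Returns a list of problems; an empty list means the form is consistent."""
    problems = []
    protos = {"ESP": ["ESP"], "AH": ["AH"], "BOTH": ["ESP", "AH"]}[form["security"]]
    for proto in protos:
        for direction in ("in", "out"):
            msg = check_spi(form["spi"][proto][direction])
            if msg:
                problems.append(f"{proto} SPI {direction.upper()}: {msg}")
    if form["hash"] == "None":
        problems.append("warning: Hash None leaves the traffic without an integrity check")
    else:
        for direction in ("in", "out"):
            msg = check_key(form[f"hash_key_{direction}"], form["format"], form["hash"])
            if msg:
                problems.append(f"Hash Key {direction.upper()}: {msg}")
    if "ESP" in protos and form["encryption"] != "None":
        for direction in ("in", "out"):
            msg = check_key(form[f"enc_key_{direction}"], form["format"], form["encryption"])
            if msg:
                problems.append(f"Encryption Key {direction.upper()}: {msg}")
    return problems


# Constructed sample form: ESP and AH, SHA-256 integrity, AES-CBC-256, hex keys.
SAMPLE_FORM = {
    "security": "BOTH",
    "format": "Hexadecimal number",
    "spi": {"ESP": {"in": 0x1000, "out": 0x1001}, "AH": {"in": 0x2000, "out": 0x2001}},
    "hash": "SHA-256",
    "hash_key_in": "11" * 32,
    "hash_key_out": "22" * 32,
    "encryption": "AES-CBC-256",
    "enc_key_in": "33" * 32,
    "enc_key_out": "44" * 32,
}

if __name__ == "__main__":
    for line in check_manual_settings(SAMPLE_FORM) or ["manual settings consistent"]:
        print(line)
    print(check_psk("ä" * 7), check_psk("ä" * 125))
```

Remember that the keys entered here must match the peer's keys byte for byte, so agree with the peer's administrator on the format (ASCII or hexadecimal) as well as the value; a hexadecimal key is the unambiguous choice when the peer's tooling counts bytes rather than characters.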