What is IPSec and how to configure this data encryption feature

Overview

This article summarizes the Internet Protocol Security (IPSec) configuration procedure. IPSec provides authentication and encryption at the network layer (Layer 3) of the OSI model. It allows for the connection of up to five hosts using IPv4 or IPv6.

IPSec provides data confidentiality via encryption of all data sent via the upper layer protocols. This encrypted data travels across the network, for example, from an MFP to a SMTP server or FTP server, and then down to a workstation.

NOTE: This form of data encryption can have performance consequences.

Before you begin

You will need to obtain the printer's IP address. You will also need to obtain the following security information:

• -IP addresses of computers (hosts) requiring access to the printer.
• -Case-sensitive pre-shared key value if AES - PSK is being implemented.
• -TCP/IP address or subnet information of computers utilizing Certificate Authentication.
• -Encryption type - DES, 3DES, and AES - supported.
• -Authentication type - MD5 or SHA1 - supported.
• -Proper DH group - modp768, 1024, 1536 and 2048 - supported.

Lastly, make sure certificates are downloaded and installed on the printer.

How to configure IPSec

1. Access the printer's web page. To do this, enterthe printer's TCP/IP address into the web address bar (i.e. http://printer_IP_address using the IP address of the printer).



2. Click on Configuration.



3. Click on Security.



4. Click on IPSec.



5. Enter the values obtained above.



6. Click on Submit. Click here for one example illustration.

NOTE: After a printer is configured for IPSec with a host, IPSec is required for any IP communications to take place.

Supported authentication types

Shared Key Authentication

This authenticates any ASCII phrase shared among all participating host computers. It is the easiest configuration method when only a few host computers on the network use IPSec.

Certificate Authentication

This authenticates any host computer or subnet of hosts for IPSec. Each host computer must have a public/private key pair.

Note:  The Validate Peer Certificate setting is enabled by default, requiring each host to have an installed signed authority certificate and an identifier in the Subject Alternate Name field of the signed certificate.

Still need help?

Please contact Lexmark Technical Support for additional assistance. NOTE: When calling for support, you will need to know the printer model type and serial number of your printer. Please call from near the printer and computer in case the technician asks you to perform a task involving one of these devices.

LEGACY ID: HO3292

• IP Sec Enable - Turns security protocol On or Off.
• Connections - TCP/IP address of remote authenticated members (domain server address or client) using Pre-Shared Key (PSK) authenticated connections or certificate authenticated connections. Settings include:
• DH Group - Named after Diffie & Hellman cryptographic protocol: modp* 1, 2, 5, and 14 are supported.
• Encryption - Data Encryption Standard (DES), Triple Data Encryption Standard (3DES), and Advanced Encryption Standard (AES) are supported.
• Authentication - Message Digest Algorithm (MD5, uses 128-bit hash) and Secure Hash Algorithm (SHA1, uses 160-bit hash) are supported.
• Validate Peer Certificate - Turns certificate validation On and Off. * - More modular exponential DH groups.

• Is IPSec turned on?
• Confirm that IPSec is working on the rest of the network.
• Confirm proper case-sensitive entry of key or passphrase if using PSK.
• Verify AES is being used and not EAP (Extensible Authentication Protocol). EAP/802.1X will require 802.1X configuration.
• If the customer is not using a certificate, make sure validate peer certificate does not have a checkmark. The default On setting may be the problem.