manualshive.com logo in svg

ETIC RAS-E, User Manual, Page: 89 / 132

Share
Download
ETIC RAS-E User Manual Download Page 89

ADVANCED SET-UP

 

Machine Access Box RAS 

DOC_DEV_RAS_User guide_A

 

Page 89

 

 

IPSec VPNs set-up 

7.1

 

Overview 

 
An IPSec VPN tunnel allows to connect two networks in a safe and transparent way : Each device of the first 
network can exchange data with any device of the other network. 

 
25 IPSec connections can be set by one ETIC router. 
 

 

Glossary  

The router which initiates the IPSec VPN is called the initiator; the other one is called the responder. 
 

 

Preshared key authentication 

Only one preshared key can be stored in one ETIC router; it is used by all the VPNs and also by the 
L2TP/IPSec remote user connection.  
 

 

Certificate authentication 

The authentication of the two participants to the VPN connection can also be carried-out with certificates. 
Coming from factory , a certificate produced by ETIC TELECOM is registered in the ETIC router. 
Other kinds of X509 certificates can be added. (see the Set-up>Security>X509 certificate). 
The certificate used by each participant to the VPN must be delivered by the same authority. 
 

 

Setting-up an  IPSec tunnel in the case where   the source IP address is modified along the way from the 
initiator to the responder router. 

To provide a strong mutual authentication, each router checks the source IP address of the frames it 
receives is the authentical IP address. 
 

It is why, the IPSec tunnel requires a particular setup when the IP address of the initiator or the responder is 
not fixed and / or when intermediate routers replace the source IP address by their own address (NAT).  
 
It is what happens, in particular, in the case of cellular networks. 
 
Two set-up solutions are possible : 
 
Solution 1 : Use a certificate for authentication  instead of a preshared key 
 
Solution 2 : if the preshared key  authentication method is used, an IKE code (IKE ID) needs to be assigned to 

each router. See the IPSec set-up paragraph hereafter. 
 

 

Summary of Contents for RAS-E

Page 1: ...Machine Access Box RAS DOC_DEV_RAS_User guide_A RAS E RAS EW RAS EC RAS ECW _________________ _________________ USER GUIDE ...

Page 2: ...S_User guide_A Machine Access Box RAS The RAS router is manufactured by ETIC TELECOM 13 Chemin du vieux chêne 38240 MEYLAN FRANCE TEL 33 4 76 04 20 05 FAX 33 4 76 04 20 01 E mail hotline etictelecom com web www etictelecom com ...

Page 3: ...ry network 22 5 2 Use case Nr 2 The machine belongs to the factory network 24 5 3 Use case Nr3 The machine is connected through a cellular network 25 5 4 Use case Nr4 The machine is connected through a Wi Fi network 26 5 5 Use case Nr 5 Connecting the machine through the factory a cellular ntwk 27 5 6 Use case Nr 6 Connecting the machine through the Wi Fi a cellular ntwk 29 PRODUCT INSTALLATION 31...

Page 4: ...r Signet non défini 8 4 Cellular service subscription 42 8 5 Installing the SIM card 42 8 6 Controlling the conformance of the connection 43 PREPARING THE PRODUCT SET UP 45 FIRST SET UP 45 PROTECTING THE ACCESS TO THE ADMINISTRATION WEB SERVER 46 SET UP MODIFICATIONS WITH HTTPS OR THROUGH THE WAN INTERFACE 46 RECOVERING THE FACTORY LAN IP ADDRESS 46 RETOUR À LA CONFIGURATION USINE 46 SETTING UP TH...

Page 5: ...ess point set up 75 2 4 Device list set up 76 2 5 DHCP server menu 77 M2ME_CONNECT CONNECTION SET UP 78 REMOTE ACCESS CONNECTION 79 4 1 Advantages of a remote access connection 79 4 2 Types of remote access connections 81 4 3 HTTPS connection and portal for smartphones tablets or PCs 82 4 3 1 Overview 82 4 3 2 Set up 83 4 3 3 Operation 83 4 4 OpenVPN remote user connection 84 4 5 OpenVPN connectio...

Page 6: ...4 Setting up an ingoing VPN connection 102 IP ROUTING 103 9 1 Basic routing function 103 9 2 Static routes 103 9 3 RIP protocol 105 NETWORK ADDRESS TRANSLATION NAT 106 PORT FORWARDING 106 11 1 Overview 106 11 2 Set up 107 ADVANCED NAT 108 12 1 Overview 108 12 2 Set up 109 DYNDNS OR NOIP SET UP 110 13 1 Overview 110 13 2 Set up 110 FIREWALL SET UP 112 14 1 Overview 112 14 2 Main filter 113 14 2 1 M...

Page 7: ...ateway 119 15 3 RAW TCP gateway 120 15 3 1 Raw client gateway 120 15 3 2 Raw server gateway 121 15 4 RAW UDP gateway 122 15 4 1 Overview 122 15 4 2 Set up 122 USB GATEWAY 123 16 1 Overview 123 16 2 Set up 123 ALARM EMAIL OR A SMS 124 SNMP TRAPS 125 ADDING A CERTIFICATE INTO THE ROUTER 125 MAINTENANCE 127 DIAGNOSTIC MENU 127 1 1 Logs 127 1 2 Network status 128 1 3 Serial gateways status 129 1 4 Pin...

Page 8: ......

Page 9: ...agnetic compatibility and Radio spectrum Matters Part 1 General requirements EN301489 7 Electromagnetic compatibility and Radio spectrum Matters Part 7 Specific conditions for mobile and portable radio and ancillary equipment of digital cellular radio EN61000 6 2 Ed 2001 Immunity EN60100 4 2 Electrostatic Discharge EN60100 4 3 Radiated Immunity EN60100 4 4 EFT Burst Immunity EN60100 4 5 Surge Immu...

Page 10: ...0 220 Ethernet interfaces to Internet 1 1 1 M2Me ready User list Remote users firewall Firewall SPI VPN IPSEC OpenVPN Serial gateway Raw TCP et UDP Telnet Modbus Unitelway Ethernet 10 100 BT LAN 1 4 2 RS232 1 RS485 1 USB 1 1 1 Digital input emails SMS 1 1 1 HTTPS HTML SSH configuration Advanced IP router functions NAT port forwarding SNMP DHCP ...

Page 11: ...s to Internet 1 1 Wi Fi interface Access point client M2Me ready User list Remote users firewall Firewall SPI VPN IPSEC OpenVPN Serial gateway Raw TCP et UDP Telnet Modbus Unitelway Ethernet 10 100 BT LAN 4 2 RS232 1 RS485 1 USB 1 1 Digital input emails SMS 1 1 HTTPS HTML SSH configuration Advanced IP router functions NAT port forwarding SNMP DHCP ...

Page 12: ...S 3G GPRS EDGE XY HG LTE 4G UMTS 3G GPRS EDGE XY LE Ethernet interfaces to Internet 1 1 M2Me ready User list Remote users firewall Firewall SPI VPN IPSEC OpenVPN Serial gateway Raw TCP et UDP Telnet Modbus Unitelway Ethernet 10 100 BT LAN 4 2 RS232 1 RS485 1 USB 1 1 Digital input emails SMS 1 1 HTTPS HTML SSH configuration Advanced IP router functions NAT port forwarding SNMP DHCP ...

Page 13: ... XY HG LTE 4G UMTS 3G GPRS EDGE XY LE Ethernet interfaces to Internet 1 1 Wi Fi interface Access point client M2Me ready User list Remote users firewall Firewall SPI VPN IPSEC OpenVPN Serial gateway Raw TCP et UDP Telnet Modbus Unitelway Ethernet 10 100 BT LAN 4 2 RS232 1 RS485 1 USB 1 1 Digital input emails SMS 1 1 HTTPS HTML SSH configuration Advanced IP router functions NAT port forwarding SNMP...

Page 14: ...Supply voltage RAS 3G 1220 10 to 30 VDC 125 mA 24 VDC RAS 3G 1201 10 to 60 VDC 125 mA 24 VDC RAS 3G 1230 10 to 60 VDC 125 mA 24 VDC RAS 3G 1400 10 to 60 VDC 210mA 24 VDC Operating T 20 C 60 C Humidity 5 95 Cellular network Type 4G 3G GPRS EDGE RF connector SMA female Models LE LS LA HG LTE 4G Europe USA Asia UMTS 3G Yes 1 Yes 1 Yes 1 Yes 2 GPRS EDGE Yes 3 Yes 3 Yes 3 Yes 3 1 850 900 1900 2100 MHz ...

Page 15: ...n password Certificate X509 M2Me VPN Compliant with the M2Me_Secure VPN client Compliant with the M2Me_Connect mediation service Alarms 3 inputs emails Asynchronous serial interface Data rate 1200 to 115200 kb s parity N E O Gateway Raw client server Modbus master slave Multicast Telnet Unitelway USB 1 USB host port PPP client over the usb interface IP router Ethernet 10 100 BT 2 or 4 switched por...

Page 16: ...r can exchange any kind of data with each device of the machine network as if his PC was directly connected to the machine network Ethernet or serial devices The machine can consist of one or several devices connected through an Ethernet machine network or connected through a serial RS232 RS485 interface The router RAS can be connected to the Internet through a cellular network a Wi Fi network or ...

Page 17: ...WAN interfaces RAS E RAS EW RAS EC RAS ECW Ethernet Wi Fi Cellular The network connected to the WAN interface is called the WAN network or factory network LAN interface Depending on the model the router RAS provides 1 to 4 switched Ethernet ports to connect the devices of the machine That network is called the machine network 1 serial RS232 and 1 serial RS485 interfaces are provided optionally Fir...

Page 18: ...uter RAS settles a secured VPN connection onto the M2Me Connect cloud service The remote PC is authenticated by the M2Me Cloud service Assuming that the router RAS provides two WAN connections Cellular and Ethernet as an example it settles the best connection Through the Ethernet network if possible to the M2Me cloud service On the other hand the remote user launches its M2Me secure software and s...

Page 19: ...ation Server is delivered with a Wizard which gives an intuitive way of configuring the device Simple Operation M2Me Secure software offers e set of directories for the remote machines One click is enough to be connected Security of customer network Factory or WAN network Router RAS enables the remote operator to have access only to the machine network protecting the factory network from any intru...

Page 20: ...e_A Machine Access Box RAS Use cases There are different ways to connect the router RAS to the Internet and to the machine depending on the situation which is encountered and also on the router RAS model We describe hereafter six typical situations ...

Page 21: ... RAS EC RAS ECW Cellular network The machine is connected to the Internet through a cellular network 4 RAS EW RAS ECW Wi Fi The machine is connected to the Internet through a Wi Fi network 5 RAS EC RAS ECW Factory network cellular network The machine is connected to the Internet through the factory network and if it is not available through a cellular network 6 RAS ECW Wi Fi cellular network The m...

Page 22: ...ed according to the Use case Nr 2 described below Rule 2 The IP domain of the machine network and the IP domain of the remote PC must be different If both IP domains are identical the IP domain of the machine must be modified or the machine network translation option must be selected Examples Remote PC network Factory network Machine network OK 192 168 10 0 192 168 1 0 192 168 12 0 OK 192 168 10 0...

Page 23: ...ces belonging to the factory network towards devices belonging to the machine network Enabled by creating a firewall rule Setting an additional VPN towards a server Sending an email all models or a SMS RAS EC or RAS ECW Security The factory network and the machine network are separated by the router RAS This is why the firewall can operate to filter exchanges between these two networks the machine...

Page 24: ...work must be different If both IP domains are identical it is possible to select the machine network translation option see the wizard configuration menu for detailed information the IP domain of the devices of the machine is virtually modified for the remote PC Available functions Connecting the remote PC to each device of the machine network through M2Me Individual rights for each the remote use...

Page 25: ...ine must be modified or the machine network translation option must be selected see the wizard configuration menu for detailed information Available functions Connecting the remote PC to each device of the machine network through M2Me Individual rights for each the remote user Setting an additional VPN towards a server Sending an email all models or a SMS RAS EC or RAS ECW Security The remote user...

Page 26: ... are identical the IP domain of the machine must be modified or the machine network translation option must be selected see the wizard configuration menu for detailed information Available functions Connecting the remote PC to each device of the machine network through M2Me Individual rights for each the remote user Setting an additional VPN towards a server Sending an email RAS EW or a SMS RAS EC...

Page 27: ...machine network and the IP domain of the factory network must be different If both domains are identical the IP domain of the machine must be modified or he RAS must be used according to the use case Nr 2 described above Rule 2 The IP domain of the machine network and the IP domain of the remote PC must be different If both IP domains are identical the IP domain of the machine must be modified or ...

Page 28: ...longing to the factory network Communication initiated by devices belonging to the factory network towards devices belonging to the machine network Enabled by creating a firewall rule Setting an additional VPN towards a server Sending an email or a SMS Security The remote user can only communicate with the authorized devices The availability and the quality of a cellular network is sometimes lower...

Page 29: ...low Rule 2 The IP domain of the machine network and the IP domain of the remote PC must be different If both IP domains are identical the IP domain of the machine must be modified or the machine network translation option must be selected Examples Remote PC network Factory network Machine network OK 192 168 10 0 192 168 1 0 192 168 12 0 OK 192 168 10 0 192 168 10 0 192 168 12 0 The IP domain of th...

Page 30: ...longing to the factory network Communication initiated by devices belonging to the factory network towards devices belonging to the machine network Enabled by creating a firewall rule Setting an additional VPN towards a server Sending an email or a SMS Security The remote user can only communicate with the authorized devices The availability and the quality of a cellular network is sometimes lower...

Page 31: ...Machine Access Box RAS DOC_DEV_RAS_User guide_A Page 31 PRODUCT INSTALLATION Product description 1 1 Dimensions ...

Page 32: ...ds 3 flashes The hotline of ETICTELECOM is authorised to connect remotely to the router administration server within a 1 hour delay During 10 seconds 5 flashes A remote user is authorised to connect remotely to the router administration server within a 10 mn delay without entering the login r password 1 3 Connectors Supply voltage connector C1 or C2 Position Signal Fonction 1 Power 1 Supply voltag...

Page 33: ...ction RJ45 1 DTR 108 OUT Data terminal ready 2 TD 103 OUT Data Emission 3 RD 104 IN Data Reception 4 DSR 107 IN Data set ready 5 SG 102 Ground 6 Inutilisé OUT 7 CTS 106 IN Clear to send 8 RTS 105 OUT Request to send Out Signal provided by the router RJ45 RS232 DTE interface Pos Signal Fonction RJ45 1 CD 109 OUT Carrier detect 2 RD 104 OUT Data Reception 3 TD 103 IN Data Emission 4 DTR 108 IN Data ...

Page 34: ...en The unit is ready Flashing red Hardware default Ethernet WAN M2Me Off M2Me_Connect not selected Flashing M2Me_Connect connection in progress Green The unit is connected to the M2Me_Connect service Ethernet WAN Off Ethernet interface not connected Green Ethernet interface connected Ethernet LAN Off Ethernet interface not connected Green Ethernet interface connected ...

Page 35: ...INSTALLATION Machine Access Box RAS DOC_DEV_RAS_User guide_A Page 35 1 5 RAS E or RAS EW Wi Fi option RAS E 400 RAS EW 400 RAS E 220 RAS EW 220 ...

Page 36: ...thernet interface not connected Green Ethernet interface connected Wi Fi connection Wi Fi Off Wi Fi Interface not enabled Green Wi Fi Interface enabled Wi Fi Signal quality Wi Fi Off Wi Fi not enabled or enabled as an access point 1 flash Faint not sufficient signal 2 flashes Sufficient signal 3 flashes Strong signal Ethernet LAN 1 to 4 Off Ethernet interface not connected Green Ethernet interface...

Page 37: ...INSTALLATION Machine Access Box RAS DOC_DEV_RAS_User guide_A Page 37 1 6 Cellular router RAS EC ou RAS ECW Wi Fi option RAS EC 400 RAS ECW 400 RAS EC 220 RAS ECW220 ...

Page 38: ... flashes Strong signal See detail below Ethernet WAN M2Me Off Not connected to M2Me_Connect Flashing Connection in progress Green Connected Ethernet WAN Voyant inférieur Off Ethernet interface not connected Green Ethernet interface connected Wi Fi Connection Wi Fi Off Wi Fi Interface not enabled Green Wi Fi Interface enabled Wi Fi signal level Wi Fi Off Wi Fi not enabled or enabled as an access po...

Page 39: ...DIN rail Removing the unit from the DIN rail Cooling To avoid obstructing the airflow around the unit the spacing must be at least 25 mm above and below and 10 mm left and right Supply voltage RAS E 400 RAS EW 400 RAS EC 400 RAS ECW 400 Vmin 10 V DC Vmax 60 V DC RAS E 220 RAS EW 220 RAS ECW 220 Vmin 10 V DC Vmax 30 V DC The power is lower than 7W ...

Page 40: ...connector RS485 connection The RS485 serial interface is provided on the front panel 2 positions screw block It is not isolated Long RS485 line or high data rate if the RS485 line is longer than10 meters or if the data rate is greater than 19200 b s it is necessary to connect one 120 Ohm matching resistor at each end of the line and two 390 Ohm polarisation resistors at one of the two extremities ...

Page 41: ...evel information parameters or diagnostic menu To carry out that control use mandatorily a SIM card subscribed with the mobile service provider selected for the router RAS Remark The router RAS itself provides the reception level information in two ways A reception level led indicator The diagnostic menu of the administration web server of the router 8 2 Cellular antenna We provide a complete cata...

Page 42: ...l take care to subscribe to a service authorizing the right volume of data per month MB month and to check the price of the MB exceeding the limit of the subscription plan if it exists The subscription must be preferably signed in the country where the machine is supposed to be installed to avoid roaming costs 8 5 Installing the SIM card The router provides two SIM card holders If you use only one...

Page 43: ...e an answer Network response delay to a PING request The response delay must be better than 500 ms If the delay is longer than one second it means the network is overloaded or that the signal level is weak If the connection is not conform change the position of the antenna or select an alternative service like UMTS instead of LTE for instance Cellular network reception level Led Reception level dB...

Page 44: ......

Page 45: ... to 4 of the router RAS Coming from factory the IP address of the router is 192 168 0 128 Step 1 Create or modify the PC IP connection Assign to the PC an IP in accordance with the router RAS IP address For the first configuration assign for instance 192 168 0 127 to the PC Step 2 Connect the PC directly to the LAN interface of the router RAS Step 3 Launch the HTML browser http 192 168 0 128 ...

Page 46: ...ou wish to access to the administration web server through the WAN interface Remark the port Nr used to access to the administration web server with HTTPS is 4433 Exemple https 192 168 38 191 4433 Recovering the factory LAN IP address Press the front panel push button The OPERATION led indicator will flash The factory IP address 192 168 0 128 will be restored but the current configuration remains ...

Page 47: ...server and click the Wizard button Use case 1 set up Le routeur RAS est connecté à un réseau d usine ou d entreprise par son interface Ethernet WAN Use case router RAS models Internet access Internet interface 1 All router RAS models Factory network Ethernet WAN STEP 1 USE CASE SELECTION Select the use case 1 STEP 2 M2Me CONNECTION The Ethernet WAN page is displayed Obtain an IP address automatica...

Page 48: ...er the IP addresses of the DNS primary and secondary servers Click Next The proxy server page is displayed Direct access to the Internet no proxy check box Leave that box not selected if no Proxy server exists on the WAN network Otherwise select that checkbox and enter the type of the proxy server HTTP SOCKS5 the proxy IP address and port number the type of required authentication None basic NTLM ...

Page 49: ...92 168 10 0 192 168 10 0 192 168 12 0 The IP domain of the machine ntwk and of the factory ntwk are the same The machine IP domain must be modified or the RAS must be used according to the use case 2 192 168 10 0 192 168 1 0 192 168 1 0 The IP domain of the machine ntwk and of the remote PC ntwk are the same The machine IP domain must be modified or the address translation option must be selected ...

Page 50: ...ccess to all the devices of the machine network it is not useful to complete the devices list Click next STEP 4 REMOTE USERS The Remote user page is displayed That page enables to store the authorized remote users list Remark Coming from factory the ID and password of the remote users are checked but not the certificate To add a remote user click the add button and enter the parameters of the remo...

Page 51: ...s Box RAS DOC_DEV_RAS_User guide_A Page 51 The Access rights page is displayed The table of the access rights is displayed To assign a new right to a user click the Add button select a user in the list select a device in the list Click the Apply button ...

Page 52: ...AN page is displayed IP address network mask Default gateway Primary DNS server Primary DNS server parameters Enter the IP address assigned to the router over the LAN interface That IP address will have to be entered to display the administration server of the router Enter the DNS servers IP addresses and the defaukt gateway IP address gateway to the Internet Are machine IP network LAN and remote ...

Page 53: ... Click next STEP 4 REMOTE USERS The Remote user page is displayed That page enables to store the authorized remote users list Remark Coming from factory the ID and password of the remote users are checked but not the certificate To add a remote user click the add button and enter the parameters of the remote user Full name company name Email address telephone number Remote user name password Remar...

Page 54: ...code Click Next STEP 3 MACHINE NETWORK The machine network page is displayed Remark The IP domain of the machine network must also be different form the IP domain of the remote PC Otherwise the translation option described hereafter must be selected Examples Remote PC network Machine network OK 192 168 10 0 192 168 12 0 The IP domain of the machine ntwk and of the remote PC ntwk are the same The m...

Page 55: ...ll the devices of the machine network it is not useful to complete the devices list Click next STEP 4 REMOTE USERS The Remote user page is displayed That page enables to store the authorized remote users list Remark Coming from factory the ID and password of the remote users are checked but not the certificate To add a remote user click the add button and enter the parameters of the remote user Fu...

Page 56: ...int Shared key parameter Enter the WEP or WPA key of the access point Click Next STEP 3 MACHINE NETWORK The machine network page is displayed Remark The IP domain of the machine network must also be different form the IP domain of the remote PC Otherwise the translation option described hereafter must be selected Examples Remote PC network Machine network OK 192 168 10 0 192 168 12 0 The IP domain...

Page 57: ...ll the devices of the machine network it is not useful to complete the devices list Click next STEP 4 REMOTE USERS The Remote user page is displayed That page enables to store the authorized remote users list Remark Coming from factory the ID and password of the remote users are checked but not the certificate To add a remote user click the add button and enter the parameters of the remote user Fu...

Page 58: ...he Main WAN page is displayed Obtain an IP address automatically checkbox Set that checkbox if the IP address is assigned automatically to the router RAS by a DHCP server Otherwise unselect the check box and enter The IP address assigned to the WAN interface of the router RAS The IP address of the default gateway on that IP network Obtain DNS IP addresses automatically checkbox Set that checkbox i...

Page 59: ...2 168 1 0 192 168 1 0 The IP domain of the machine ntwk and of the remote PC ntwk are the same The machine IP domain must be modified or the address translation option must be selected see the wizard menu 192 168 10 0 192 168 1 0 192 168 10 0 IP address Netmask parameters Enter the IP address assigned to the router over the LAN interface That IP address will have to be entered to display the admin...

Page 60: ...e To add a remote user click the add button and enter the parameters of the remote user Full name company name Email address telephone number Remote user name password Remark the email address and telephone number of the remote user are useful if the alarm SMS or mail function is required Click next The Access rights page is displayed The table of the access rights is displayed To assign a new rig...

Page 61: ...ernet Internet interface 6 RAS EC RAS ECW Wi Fi network Wi Fi antenna Cellular network Cellular antenna STEP 1 USE CASE SELECTION Select the use case 6 STEP 2 M2Me CONNECTION The Wi Fi connection Main WAN page is displayed SSID Parameter Enter the label of the access point Shared key parameter Enter the WEP or WPA key of the access point Click Next The cellular network Backup WAN page is displayed...

Page 62: ...92 168 10 0 192 168 10 0 192 168 12 0 The IP domain of the machine ntwk and of the factory ntwk are the same The machine IP domain must be modified or the RAS must be used according to the use case 2 192 168 10 0 192 168 1 0 192 168 1 0 The IP domain of the machine ntwk and of the remote PC ntwk are the same The machine IP domain must be modified or the address translation option must be selected ...

Page 63: ...STEP 4 REMOTE USERS The Remote user page is displayed That page enables to store the authorized remote users list Remark Coming from factory the ID and password of the remote users are checked but not the certificate To add a remote user click the add button and enter the parameters of the remote user Full name company name Email address telephone number Remote user name password Remark the email ...

Page 64: ......

Page 65: ...ete IP setup of the router RAS LAN interface The IP adrresses of the devices of the machine LAN Interface Remote access set up The M2Me connection The remote users Their access rights Remote access IP routing VPNs Static routes RIP Address translation Port forwarding DynDNS or NoIP Network Filtering the data flow between the LAN interface on one hand and the WAN and VPN interfaces on the other han...

Page 66: ...t Speed Duplex parameter Select 10 or 100 Mb s full or half duplex IP set up of the Ethernet WAN port Connection type list The Ethernet choice is the usual choice to set a connection to the Internet The PPPOE choice must be selected only in a particular situation It If it it selected the router RAS sets a PPP connection over Ethernet towards a service provider for instance It is useful when a mode...

Page 67: ...rface is assigned by a DHCP server Otherwise unselect that checkbox and enter the IP address the netwmask and the default gateway address Obtain the DNS server IP address automatically checkbox Leave that checkbox selected if the DNS servers IP address are assigned by a DHCP server Otherwise unselect that checkbox and enter the IP addresses of the DNS servers NAT checkbox If that option is selecte...

Page 68: ... the highest priority the other interface will be used as a backup path SIM card parameter It is possible to select the SIM card Nr1 or the SIM card Nr2 or both SIM card parameter Value SIM1 The SIM 1 is selected default value SIM2 The SIM 2 is selected default value SIM 1 backup to SIM2 The SIM 1 is used first the SIM 2 is used as backup 1 3 1 SIM 1 or SIM 2 set up Setting up the SIM card 1 or th...

Page 69: ...f the DNS servers NAT checkbox If that option is selected the source IP address of any IP frame coming from a device connected to the LAN interface and routed to the WAN interface is replaced by the router WAN IP address Remark Select that checkbox if a device of the LAN interface needs to set a connection with a device connected to the Internet FTP server 1 3 2 Using the SIM cards 1 and 2 Each SI...

Page 70: ...r infrastructure router However with particular mobile service providers or in particular situations that PPP connection is declared active while the data transmission service is not provided by the mobile service provider It is why the router RAS is able to ping a particular server to check if the data service is really provided If it is not the PPP connection is reset That function must be enabl...

Page 71: ...he access point set up Wi Fi WAN IP set up Wi Fi WAN priority parameter Saisir la valeur 10 Obtain an IP address automatically checkbox Leave that checkbox selected if the IP address on the WAN interface is assigned by a DHCP server Otherwise unselect that checkbox and enter the IP address the netwmask and the default gateway address Obtain the DNS server IP address automatically checkbox Leave th...

Page 72: ...d to other devices of the LAN network Example IP address Remark LAN network 192 168 12 0 24 From 192 168 12 1 to 192 168 12 254 Netmask 255 255 255 0 Router RAS IP addr 192 168 12 1 Remote users IP pool start 192 168 12 2 Two remote users can simultaneously connect to the LAN network one will receive the IP address 192 168 12 2 and the other 192 168 12 3 Remote users IP pool end 192 168 12 3 IP ad...

Page 73: ...LAN ports behaves like a hub LAN network IP address netsmask parameters Enter the IP address assigned to the router over the LAN interface That IP address is also the IP address of the administration server of the router Default gateway parameter If another router is connected to the LAN network giving access to other networks and acting as the default gateway for the router RAS enter the address ...

Page 74: ...ers checkbox If that checkbox is selected the router RAS allocates automatically an unused IP address of the LAN network to a remote user when he connects Unselect that checkbox to set up the pool of fixed IP addresses which can be allocated to the remote users That IP addresses must belong to the LAN domain Advanced parameters ...

Page 75: ...ey at least 8 characters Country code parameter The RF channels allocated to the Wi Fi service are not the same in all the countries It is why the country code has to be entered carefully Click the help menu to display the list of the country codes Wi Fi Mode parameter Select one of the possible Wi Fi modes Mode 802 11a 5 GHz OFDM Mode 802 11 b 2 4 GHz DSSS Mode 802 11 g 2 4 GHz OFDM Remark the se...

Page 76: ... set up To set up the device list Select the Set up LAN interface device list menu To add a device to the list Click the Add button Assign a name and an IP address to the device Remark it is possible to enter a subnet and only a device Example 192 168 38 8 29 192 168 38 8 to 192 168 38 15 ...

Page 77: ...ices Remark Many Wi Fi office devices like tablets or smartphones do not support a fixed IP address Select the Set up LAN interface DHCP server IP address pool start IP addresses pool end parameters Enter the first and the last IP address reserved to the DHCP server IP address netsmask parameters Enter the IP address assigned to the router over the LAN interface That IP address is also the IP addr...

Page 78: ...eters the type of the proxy server HTTP SOCKS5 the proxy IP address and port number the type of required authentication None basic NTLM if the proxy is http Test the M2Me connection Pour commander la connexion du routeur au service M2Me_Connect cliquer le bouton Connecter maintenant Pour vérifier que la connexion s effectue normalement sélectionner le menu Diagnostic puis Etat réseau puis M2Me Lor...

Page 79: ...d password are registered in the user list When he connects the login and password of the remote user and optionaly the certificate of his PC are checked The certificate can be delivered by ETIC TELECOM or by another authority Selective access rights Individual access rights can be assigned to each remote user according to his identity Transparent connection Once the remote connection has been lau...

Page 80: ...ADVANCED SET UP Page 80 DOC_DEV_RAS_User guide_A Machine Access Box RAS Select Set up Remote access Remote access servers ...

Page 81: ...ptionally a certificate Yes PPTP Login PWD Yes L2TP IPSec Login PWD and Preshared Key or certificate Yes HTTPS Login PWD Yes That four types of connection can be implemented in PCs tablets or smartphones They can be active at the same time The HTTPS connection is mainly dedicated to secure remote access to HTML pages embedded in supervision PCs HMIs or PLCs for instance When a remote user sets a r...

Page 82: ...teway to give a secure remote access to HTML HHTP pages embedded in devices It means that a simple HTML HTTP unsecure server can be used remotely through the internet in a safe way When a remote user connects to the ETIC router using an HTTPS secure connection the portal displays the list of the html servers to which he has the right to access That list can include as well HTTPS native servers or ...

Page 83: ...e administration server and to the HTTPS portal from the LAN or from the WAN are organised according to the table below From the Internet From the LAN HTTPS web portal https Internet IP address LAN IP address Administration web server https Internet IP address 4433 LAN IP address or https adr IP Internet 4433 4 3 3 Operation To access to the HTTPS internet portal from the Internet Launch the brows...

Page 84: ...In that case the certificate of the remote PC must be stored in the ETIC router see the table at the top of the page Encryption Algorithm Message digest allgorithm Leave the default values Blowfish et MD5 4 5 OpenVPN connection for smartphones It is possible to differentiate a remote user connection intended for PCs and another remote user connection intended for smartphones The protocol TCP or UD...

Page 85: ...uthentification parameter Select the Login password value or the Login password certificate value if the certificate of the remote PC must be checked In that case the certificate of the remote PC must be stored in the ETIC router see the table at the top of the User list page Encryption Algorithm Message digest allgorithm parameters Leave the default values 3DES MD5 Authentication method parameter...

Page 86: ... The users list is able to register 25 authorised remote users forms Each user form stores the identity of the user Login and password his email address to send alarm emails and his mobile telephone number to send alarm SMS to him To display the user list select the Set up Remote access User list menu Remark Coming from factory the user list is empty ...

Page 87: ...ccess Box RAS DOC_DEV_RAS_User guide_A Page 87 To register a remote user in the user list Click the ADD button located under the user list Enter the identity of the user Login and password his email address to send alarm emails ...

Page 88: ...of the LAN network must have been registered previously LAN interface menu To grant access rights to a remote user Select the set up remote access access rights menu Click the Add button Select a remote user in the list Select a device in the list to authorise the remote user to access to that device Remark A device ca be a subnet or an IP address refer to the Set up LAN interface Device list ...

Page 89: ...e ETIC router Other kinds of X509 certificates can be added see the Set up Security X509 certificate The certificate used by each participant to the VPN must be delivered by the same authority Setting up an IPSec tunnel in the case where the source IP address is modified along the way from the initiator to the responder router To provide a strong mutual authentication each router checks the source...

Page 90: ...ADVANCED SET UP Page 90 DOC_DEV_RAS_User guide_A Machine Access Box RAS 7 2 IPSec VPN connection set up Select the Set up Network IPSec VPN menu The IPSec VPN home page is displayed ...

Page 91: ...ADVANCED SET UP Machine Access Box RAS DOC_DEV_RAS_User guide_A Page 91 To add an IPSec VPN connection click Add The set up page of the new VPN connection is displayed ...

Page 92: ...ectAltName value of the active certificate of the current router If the active certificate is an ETIC TELECOM certificate that field is the email field Remote SubjectAlt name parameter Enter the SubjectAltName value of the active certificate of the remote router If the active certificate is an ETIC TELECOM certificate that field is the email field Authentication section Case 2 Use of a preshared k...

Page 93: ...hange Mode parameter Select Main or Agressive The Agressive mode is simpler and faster than the Main mode Encryption algorithm parameter Recommended value Auto Authentification algorithm parameter The Auto choice is advised SHA1 provides a better security than MD5 DH group parameter only if the advanced parameters option has been selected Recommended value group 2 The same value must be selected f...

Page 94: ...IKE negotiation In phase 2 of the IKE negotiation encryption and authentication session keys will be extracted from this initial keying material By using PFS Perfect Forwarding Secrecy completely new keying material will always be created upon re key Should one key be compromised no other key can be derived using that information DH group parameter only if the PFS option is enabled Recommended val...

Page 95: ...ts to the VPN connection can also be carried out using certificates in addition to a Login and password Coming from factory a certificate produced by ETIC TELECOM is registered in the ETIC router Other kinds of X509 certificates can be added see the Set up Security X509 certificate The certificate used by each participant to the VPN must be delivered by the same authority NAT translation insensiti...

Page 96: ...ADVANCED SET UP Page 96 DOC_DEV_RAS_User guide_A Machine Access Box RAS ...

Page 97: ...n accept up to 25 ingoing connections from VPN clients VPN client set up If the ETIC router behaves only like a VPN client the set up consists only of configuring the outgoing connection one or several Set up rules Common parameters The following parameters are common for the server and for all the clients supposed to set a VPN to that server Transport protocol UDP or TCP and port number Encryptio...

Page 98: ...f time a VPN connection will stay established before being cleared if no response to the VPN control message is received from the remote router Remark The value of this parameter must be selected carefully If the VPN has been cleared for any reason the router will wait during that period of time before lauching the VPN again Packet retransmit time out parameter This parameters sets the amount of t...

Page 99: ...cast to all the VPN clients the route to each of them In that way each device of the network can exchange data with each other device Programming static routes is not necessary If that option is not selected a device connected to a VPN client ETIC router can exchange data with a device connected to the LAN network of the VPN server but not with a device connected to one other VPN client ETIC route...

Page 100: ...uter will have to use to authenticate Remark That login password must be registered in the ingoing connection VPN server IP address parameter Enter the IP address of the VPN server That address can be a public IP address or a domain name or a DynDNS or NoIP address Backup VPN server IP address parameter The client VPN ETIC router is able to set a backup VPN if the main VPN fails Port number protoc...

Page 101: ... the main WAN interface of a ETIC router for instance the cellular interface in the case of cellular router like IPL C or RAS EC However it can be useful to attach the VPN to one other interface of the ETIC router Select the interface to which the VPN must be attached Start on event checkbox The VPN is usually established at power up However it can e useful to establish the VPN when a particular e...

Page 102: ...ction table Select the Enable option and assign a name to the connection Login Password parameter Enter the login and password of the remote router Remote LAN IP address Remote LAN netmask parameters Enter the IP address and netmask of the remote LAN Ex 192 168 2 0 255 255 255 0 Common name parameter Enter the value of the field SubjectAltName of the active certificate of the remote ETIC router If...

Page 103: ...N transfer Remark 2 A default gateway address must be entered in each device of the different networks 9 2 Static routes However the router R2 is not able to route frames between a device like L1 belonging to the LAN network and a device connected to network 6 see the drawing hereafter In that case it is necessary to enter the route to that hidden network 6 that route is called a static route A st...

Page 104: ...o the remote LAN network that routes have been automatically created by the router respectively when the WAN IP address has been entered and when the VPN has been configured The same type of static routes must be entered in the other routers To set a static route Select the Configuration menu the network menu the Routing menu and then Static routes click the Add a route button Destination IP addre...

Page 105: ...ng table Each router holds a routing table Each entry of the table consists in the destination subnet address and the adjacent router address leading to that subnet Routing table broadcasting Each router broadcasts its table Routing table update Each router updates its own table using the tables received from the other ones To enable RIP select the Setup Network Routing RIP menu Select the Enable ...

Page 106: ...ded for the IP router WAN interface to a particular device of the LAN interface using the destination port number The transfer criteria is the port number the port number is used as an additional destination address field Example Let us suppose the PC named W1 connected to the WAN network has to send frames to the device PLC1 connected to one Ethernet port of the ETIC router If routing tables cann...

Page 107: ...192 168 0 17 80 11 2 Set up To set up a port forwarding rule Select Network Routing Port forwarding menu Click the Add button Enter the characteristics of the frames which must be forwarded Source IP address Port number destination Enter the characteristics of the device to which that IP frames must be forwarded Destination IP address Port number destination ...

Page 108: ...ned in a remote user connections One brings out the DNAT function which consists in replacing the destination port and IP address the SNAT function which consists in replacing the source IP address Because the DNAT and SNAT functions modify the IP addresses of the IP packets processed by the RAS 3G router and because the firewall filters that frames it is very important to understand in which orde...

Page 109: ...tics of the IP frames which must be modified by the DNAT rule Source IP address Destination IP address Protocol TCP UDP Source port Destination port Enter the new destination port number and IP address To create a new SNAT rule click Add a SNAT rule Select Yes to enable the rule Enter the characteristics of the IP frames which must be modified by the SNAT rule Source Destination IP address and tra...

Page 110: ...machine dyndns org Step 2 Router set up Select the Set up Network DynDNS menu Select the Enable option Dynamic DNS service provider parameter Select DynDNS or NoIP DNS account login parameter Enter the login assigned by dyndns DNS account password parameter Enter the password assigned by dyndns Hostname parameter Enter the DynDNS domain name for instance mymachine dyndns org Remark If the IP addre...

Page 111: ...ess Box RAS DOC_DEV_RAS_User guide_A Page 111 Enable checkbox Select that checkbox When you wish to set a connection toward the RAS 3G PPTP TLS VPN enter the DynDNS host name instead of the antenna IP address of the RAS 3G router ...

Page 112: ... IP packets whether carried inside one of the VPNs or outside a VPN The main filter checks source and destination IP addresses and the source and destination ports The main filter does not check the IP packets included in a remote user connection That packets are checked by the remote users filter The main filter does not check the IP packets defined in the Port forwarding table That packed are di...

Page 113: ...site for a packet coming from the WAN or coming from the LAN WAN to LAN The default policy can be Accept or drop LAN to WAN The default policy can also be Accept or drop For instance if the default policy assigned the WAN to LAN traffic is drop it means that an IP packet which does not match any of the rules of the main filter will be rejected Main filter table The main filter is a table each line...

Page 114: ...to the packet Allow or Deny Remark Coming from factory the main filter is set up as follows The traffic carried inside the VPNs is authorized The traffic carried outside the VPNs is authorized when it is initiated by a device belonging to the LAN network The traffic carried outside the VPNs is denied when it is initiated by a device belonging to the WAN network ...

Page 115: ...ial gateway makes possible to use the IP network to transport serial data between two or several serial devices or directly with devices connected to the Ethernet network Communication between serial devices Communication between a serial deice and a COM port emulation software Communication between serial devices and a PC software application able to encapsulate the serial data into UDP or TCP li...

Page 116: ...l modbus master to an IP modbus server RAW TCP server or client To connect 2 serial devices through an IP network Telnet To connect a Telnet terminal to the IPL RAW UDP To exchange serial data between several serial and IP devices through an IP network using a table of IP addresses Unitelway slave To connect a serial unitelway master to an IP network Remark If the same type of gateway is assigned ...

Page 117: ...e Modbus TCP server A Modbus TCP server is a device connected to the Ethernet network and able to reply to Modbus requests to a coming from Modbus TCP client devices A TCP server can reply to several TCP clients A Modbus master device is a device connected to a serial asynchronous link and able to send requests to a Modbus slave device connected to the same serial network A Modbus slave device is ...

Page 118: ... timeout the gateway has to wait for the answer of the modbus slave answer Local retry parameter Set up the number of times the gateway will repeat a request before declaring a failure Inter character gap parameter Set up the maximum delay the gateway will have to wait between a received character of a modbus answer packet and the following character of the same packet Modbus slave address paramet...

Page 119: ...ateway will have to wait between a received character of a modbus answer packet and the following character of the same packet TCP inactivity Timeout parameter Set the time the gateway will wait before disconnecting the TCP link if no characters are detected TCP port number parameter Set the TCP port number the gateway has to use IP address parameter The modbus client gateway allows to transmit mo...

Page 120: ...ring the gateway will store before transmitting it to the IP network Timeout of RS232 485 end of packet parameter Set up the delay the gateway will wait before declaring complete a string received from the asynchronous device Once declared complete the gateway will transmit the string to the IP network TCP inactivity Timeout parameter Set the time the gateway will wait before disconnecting the TCP...

Page 121: ...aximum length of an asynchronous string the gateway will store before transmitting it to the IP network Timeout of RS232 485 end of frame parameter Set up the delay the gateway will wait before declaring complete a string received from the asynchronous device Once declared complete the gateway will transmit the string to the IP network TCP inactivity Timeout parameter Set up the time the gateway w...

Page 122: ...red in the table 15 4 2 Set up Select the gateway menu and then the Transparent menu and then click RAW UDP Select the Activate option Serial input buffer size parameter value 1 to 1024 Sets the maximum size of an UDP datagram End of frame time out parameter value 10 ms to 5 sec Sets the delay the gateway will wait before sending the UDP datagram towards the IP network when no characters are recei...

Page 123: ...e the LAN IP address of the RAS 3G router 16 2 Set up Select the Setup menu and then the USB menu Activate checkbox Select the Activate checkbox Use a specific IP address checkbox If modbus TCP traffic only has to be forwarded to the USB device that checkbox must not be selected If other kinds of traffic have to be forwarded that checkbox has to be selected Specific IP address parameter If modbus ...

Page 124: ...Phone number parameter SMS choice Enter the mobile telephone number Email sender parameter email choice Enter the sender email address Email Destination parameter email choice Enter the email destination address Subject parameter email choice Enter the subjectof the alarm mail Text parameter Enter the alarm text SMTP client section Use the M2Mail service parameter email choice ETIC TELECOM provide...

Page 125: ... TELECOM acting as a certification authority That certificate can be used to set a VPN between two routers An ETIC router can set a VPN with another one only if the certificates of both routers have been provided by the same authority Additional X509 certificates provided by ETIC TEECOM or not can be registered into the ETIC router To import a new certificate the file extension can be PKCS 12 with...

Page 126: ......

Page 127: ...rd status WAN interface connection disconnection VPNs connection disconnection Remote users connection disconnection Router power up or reset OpenVPN IPSec Logs These logs registers the detail of the VPN connections Advanced logs That logs registers details about the following events Cellular events M2Me RIP DHCP VRRP Telnet gateway Alarm emails Filter checkbox make easier to use the information ...

Page 128: ...us IP address and remote IP address Reception level Cellular network information Wi Fi interface Wi Fi mode client or base station Connection status SSID RF Frequency To display the M2Me page Select The Diagnostic Network status M2Me menu The M2Me page summarizes the current status of the M2Me connection and also displays the M2Me logs To display the remote users page Select The Diagnostic Network...

Page 129: ...ate etc number of characters received or sent Number of TCP frames or UDP datagrams received or sent Number of TCP connections enabled The View link displays a window which shows the hexadecimal received and transmitted traffic over each serial COM port It can be a great help for trouble shooting 1 4 Ping tool Select the Diagnostic Tool Ping menu Enter the PING destination IP address 1 5 Wi Fi sca...

Page 130: ...ons table Assign a name for the current set of parameters configuration name field and click the Save button The updated Configurations table is displayed with an additional line To save a stored set of parameters as an editable file Select the set of parameters name in the Configurations table Click the Export to the PC button The set_of_parameters txt file is created To import an editable txt fi...

Page 131: ...ceed for instance if the connection fails the ETIC router restarts with the current firmware Once the firmware update has been carried out the ETIC router restores the previous current set of parameters To update the firmware Select Maintenance Firmware update menu Click the Select the firmware file button Click Upgrade now When the firmware is updated the product automatically reboots ...

Page 132: ...ETIC TELECOM 13 chemin du vieux Chêne 38240 Meylan France contact etictelecom com ...

Reviews:

No comments