Copyright © 2013 Weidmüller Interface GmbH & Co. KG

85 / 103

All rights reserved. Reproduction without permission is prohibited.

B. Application scenarios (Use cases) for VPN (Virtual private networks)

B1 - OpenVPN based remote access application via “Meeting Point”

Description of a remote access application that allows communication between protected, not directly accessible machine networks and remote Service PCs by using a public OpenVPN server as “Meeting Point”.

 

Please download this technical note from the Weidmüller website using the following path:

1. Open http://www.weidmueller.com/IE
2. Select section „Industrial Ethernet“, then „Documents“
3. Scroll down to section „Technical Notes“
4. Download the file „TechNote-RemoteAccess_via_Router_and_MeetingPoint_V1_??.pdf“

 
B2 - Configuring an OpenVPN remote access scenario using a Weidmüller Router as OpenVPN-Server

 

 

Please download this technical note from the Weidmüller website using the following path:

1. Open http://www.weidmueller.com/IE
2. Select section „Industrial Ethernet“, then „Documents“
3. Scroll down to section „Technical Notes“
4. Download the file „TechNote-RemoteAccess_via_Router_as_OpenVPN_Server_V1_??.pdf“

 
B3 - Configuring an IPsec scenario between 2 Routers (Client and Server)

 

This document is currently in preparation. Please check if this technical note is available from the Weidmüller website using the following path:

1. Open http://www.weidmueller.com/IE
2. Select section „Industrial Ethernet“, then „Documents“
3. Scroll down to section „Technical Notes“