Eurogard ServiceRouter V2, Configuration Manual

Page 1: ... eurogard ServiceRouter V2 1 23 eurogard GmbH Kaiserstraße 100 D 52134 Herzogenrath T 49 2407 9516 0 F 49 2407 9516 23 www eurogard de eurogard ServiceRouter V2 Configuration Guide Version 4 0 eurogard GmbH January 2011 ...

Page 2: ...ore point to the configuration level Before use a restore point has to be saved in the Router The Status LED signalizes the VPN status OFF VPN terminated FLASHING VPN initializing ON VPN connection established The Error LED signalizes the status of the processor ON Error FLASHING Router initializing OFF Router in operation UMTS P Modem module supplied with voltage UMTS L Modem module logged into m...

Page 3: ...Since the public IP of our customers is normally dynamic the public IP of the ServiceRouters is also dynamic For external access to the ServiceRouter the local IP must be updated through the provider DynDNS com In order to do this the Router must be able to communicate via Port 80 The Router requires access to an NTP server in order to update its system clock If an internal NTP is not available Po...

Page 4: ...cessed via a static IP in the Internet Account My Services opens the page shown on the left The screen is self explanatory and allows for two free entries Access data saved here subsequently has to be entered into the Router In case you want to use the proxy functions for visualization purposes the wildcard function is required available with the commercial DynDNS Pro Version Router configuration ...

Page 5: ...lient is included as part of the scope of delivery Updates can be downloaded via http openvpn net howto html The key generated by the Router along with the certificate has to be saved in the directory config of the OpenVPN installation For an example please refer to the appendix The eurogard TeleService Software SRconnect eurogard provides the VPN connection tool ServiceRouter Connect free of char...

Page 6: ...ver list under Geräte Webweiterleitung As a standard communication with the WAN side of the Router takes place via a secure SSL connection chosen in the browser by entering https This is followed either by an IP number e g 192 168 10 100 as local WAN IP or the DynDNS name under which the Router can be accessed in the Internet After connection set up the user interface of the Router is displayed In...

Page 7: ...P of the Router In the User Area Shared Documents all registered users can share documents Set up and use a Proxy Server Before the user can use the proxy it has to be set up by the administrator in the admin area The menu item Geräte Devices Webweiterleitungen Web forwarding takes you to the device list of the proxy Here all required network subscribers in the LAN of the Router should be entered ...

Page 8: ...ation menu in in the order described below Please change the password see Access Creating User and Admin accounts at a later point in time The following parameters are set as default on initial power up WAN Internet Connection Ethernet DHCP Client waiting for IP from the customer network LAN DHCP Server on As soon as you connect a PC to the LAN side via ETHERNET the Router attempts to allocate an ...

Page 9: ...g your own specific user and administrator accounts As a general rule the following applies for any data entered in the http interface of the Router 1 enter parameter 2 press button Speichern Save 3 then start page functions eg Zertifikat generieren generate certificate Some functions eg the generation of the Router certificate will take up to 10 minutes Please do not enter any data during this pr...

Page 10: ...e Server is given the host name and the domain name as registered at dynDNS This entry is also required for the generation of the certificates If the Router is supposed to allocate IP addresses in your PLC network please activate the DCP server of the Router In this case please enter the available IP number range It must not overlap with the number range of the VPN network Router configuration WAN...

Page 11: ...nd configure the corresponding Server before setting up the UMTS clients Router configuration Time Setting the time update Prior to creating the server certificate and for validity checks during operations the Router requires the current time date We recommend the use of an NTP time server in the Internet Port 123 The default configuration already includes a choice of different time servers You ca...

Page 12: ... In this case please add pro DynDNS to your DynDNS account and activate the Wildcard function in the account Choose DynDNS on the Router and enter the account user name and the registered password for this Router After a short time lapse you can check in the Status Log area if the account has been updated Router configuration Certificates Creating the Server certificate ServiceRouters operated as ...

Page 13: ...son there is the possibility to personalize your certificates Enter the data which is then transferred into the certificate Additionally the name of the Router and the domain are automatically transferred for personalization Furthermore you can set the validity in days and the length of the key Please note that the server will no longer accept client connections after expiry of validity The certif...

Page 14: ...tting the Multi NAT Function The Router supports Multi NAT Normally the address range of the VPN connection is to be found in the same subnet as the LAN area of the Router Where the VPN is to use a different address range please enter the range in the VPN DHCP fields This opens the bridge from the VPN network to the LAN and the Router converts all telegrams from the VPN one to one into the LAN add...

Page 15: ...S to nicht benutzt not in use Router configuration certificates Please do not enter data in the heading Zertifikate Certificates the Router does not require a server certificate Router configuration OpenVPN Please select Client mode After loading the client certificate user server vpn tar Datei created by the Server and pressing the button Speichern Save the VPN system of the Client boots up and c...

Page 16: ... of the Router Here the personal certificate is also stored as tar This certificate can then be downloaded from the Router on the user level with the pre set password without having to enter the admin area See example SIMATIC at the back of this manual The field Online Status shows the connection status for each client Router configuration WLAN Parameterization of the WLAN Option If the WLAN optio...

Page 17: ...of the Firewall The Firewall has been pre set to ensure maximum security It only allows pre set access for the following services HTTPS eg TCP 443 VPN eg UDP 1194 SSH eg TCP 22 With the exception of the VPN function these can also be blocked by closing the corresponding ports in this menu at a later point in time Furthermore you can block any LAN and VPN network access to the WAN side of the Route...

Page 18: ... of the current WAN connections 1 Verification of the IP allocated in the target network 2 Verification of date and time Status Logs DHCP Display of the LAN addresses allocated by the Router With DHCP service activated a list of addresses allocated by the Router can be found on this screen Status Logs OpenVPN Control of connections in the VPN network Connections to all clients are displayed here A...

Page 19: ...n this screen the update of the public Router IP via the DynDNS Client can be checked When the entries for the last IP transmitted and the current IP are identical and the forwarding in your target network is enabled the ServiceRouter can be accessed via Internet Status Logs Diagnosis Connection test with PING and NSLOOKUP Using Ping and NSLOOKUP availability and access of the Router to the Intern...

Page 20: ...er upload restore points to the Router Once a restore point has been set it can also be activated by pressing the SETUP button approx 3 seconds The recessed RESET button resets the Router to the delivery status All settings and certificates are deleted and the flash drive is re formatted Please use this function with particular care This button has to be pressed for at least 3 seconds Firmware upd...

Page 21: ... a virtual network card TAP Win32 Adapter is set up After connection the DHC Server of the ServiceRouter allocates an IP to this virtual card corresponding to the IP range of the LAN side of the Router Standard 192 168 155 1xx access to the remote PLC network is established Access from the local target network to the PLC network The ServiceRouter blocks the PLC network on its LAN side safely again...

Page 22: ...nVPN connection All systems go All online functions are at your disposal NOTE With some Ethernet participants the function available participants can not be used All other functions are available In the case of MultiNAT connections the PLC s Ethernet address has to be set to the subnet of the VPN network in the hardware configurator Caution when transmitting system data Should this take place usin...

Page 23: ...cribed in this manual only apply to the current version The online documentation regarding the Router is intended for technically qualified personnel either those project planning personnel familiar with security concepts in the area of automation and network technology or those trained as operating personnel dealing with automation equipment and network technology and familiar with the terms used...