SINAUT MD740-1 User Manual File 3172AD001_V1_1_060206.doc File saved 06.02.2006 File printed 06.02.
! Safety precautions General: The product SINAUT MD740-1 complies with European standard EN60950, 05.2003, Safety of Information Technology Equipment. Read the installation instructions carefully before using the device. Keep the device away from children, especially small children. The device must not be installed or operated outdoors or at damp locations. Do not operate the device if the connecting leads or the device itself are damaged.
Antenna: Use only the antenna of the SINAUT TELECONTROL accessory program released for the SINAUT MD740-1. Other antennas may cause damage and the device will lose official approvals like FCC. Installing antennas: The emission limits as recommended by the Commission on Radiological Protection (13/14 September 2001) must be observed. Installing an external antenna: When installing an antenna outdoors it is essential that the antenna is fitted correctly by a qualified person.
Installation by qualified personnel only You may only use the SINAUT MD720-3 with an antenna of the SINAUT MD720-3 accessory program. The installation of the SINAUT MD720-3 and the antenna as well as servicing is to be performed by qualified technical personnel only. When servicing the antenna, or working at distances closer than those listed below, ensure the transmitter has been disabled.
Contents
1 Introduction
1.1 To be able to use the SINAUT MD740-1...
1.2 IP address of the remote site
2 The LEDs of the SINAUT MD740-1
S (Status), Q (Quality), C (Connect)
Session Statistics and Total Statistics pages
PPP layer (PPP - Point-to-Point-Protocol)
IP layer (IP - Internet Protocol)
Status Information page
Firmware update via the integrated FTP server
Glossary
AES
Introduction 1 Introduction The SINAUT MD740-1 serves the following purpose: The device establishes secure IP data connections by radio • via the GPRS (General Packet Radio Service) of a GSM network (Global System for Mobile Communication = mobile radio network).
Introduction Scenario 1: Dedicated line to GPRS or Internet (with fixed, known IP address) [Figure labels: Application, TAINY, GMOD-V2-IO, IPSec tunnel, GPRS, Internet, Router with Firewall, Firewall, LAN, Server in company network] The application is connected locally and directly to the SINAUT MD740-1: e.g. statement printer, notebook or PC. This application uses the SINAUT MD740-1 in order to have secure access to a remote LAN as if it were connected directly to the LAN. The remote site is a computer in a corporate network.
Introduction 1.1 To be able to use the SINAUT MD740-1... you require... 1.2 • a subscriber contract with a GSM network operator (e.g.
The LEDs of the SINAUT MD740-1 2 The LEDs of the SINAUT MD740-1 LEDs Power Status LAN VPN LEDs S (Status) Q (Quality) C (Connect) S (Status), Q (Quality), C (Connect) LED S, Q, C in sequence S (Status) Q (Quality) C (Connect) Status Fast lighting in sequence Slowly lighting in sequence Synchronous fast blinking Blinks slowly Blinks fast OFF ON Blinks slowly 1 x intermittent blinking 2 x intermittent blinking 3 x intermittent blinking ON always OFF OFF ON Meaning Boot procedure Update* Error Device w
The LEDs of the SINAUT MD740-1 of signal, but not the signal quality. The field strength is then requested in a next check, 15 seconds later.
Putting the device into operation 3 Putting the device into operation To put the device into operation, perform the following steps in the order given:
1. Connect the device
2. Configure the PIN
3. Insert or change the SIM card
4. Perform further configuration
! First tell the device the PIN of the SIM card. Then insert the SIM card. ! The device also supports SIM cards without a PIN. If your SIM card has no PIN you can also insert the SIM card before performing configuration.
Putting the device into operation Switching the device on/off The SINAUT MD740-1 switches on as soon as the operating voltage is supplied (see Connecting the device, page 12). The device switches off when disconnected from the supply voltage. When switching on When the device is switched on the POWER LED comes on first. If the device has a valid configuration and the SIM card is inserted the device automatically logs into the GPRS network.
Putting the device into operation 3.2 Configuring the PIN In order for the SINAUT MD740-1 to be able to communicate via the GPRS network of your network operator you must tell the device the PIN (Personal Identification Number) of the SIM card. Then you can insert the SIM card into the device. The device also supports SIM cards without a PIN. If your SIM card has no PIN it is not necessary to configure the PIN. You can then insert the SIM card immediately. To configure the PIN, proceed as follows: 1.
Putting the device into operation 3.3 Inserting or changing the SIM card ! SINAUT MD740-1 must be switched off when you insert or change the SIM card. ! A plug-in SIM card (3 Volt) is used. 1. Make sure that the device is disconnected from the supply voltage. 2. The SINAUT MD740-1 must be opened to insert the SIM card. The housing is fastened with clamps, two each on top of the housing and on the bottom side. 3. Release the two clamps on the housing part with antenna socket.
Putting the device into operation 5. The SIM card holder is visible on the motherboard. SIM card holder 6. With a suitable object open the flap of the SIM card holder by moving it cautiously about 2mm to the left – in the direction of the arrow (see red arrow in the illustration) so that it can be raised. 7. Raise the flap of the SIM card holder so that you can insert the SIM card. In the illustration below, the compartment into which you can insert the SIM card is emphasized in white.
Putting the device into operation 8. Slide the SIM card into the flap of the SIM card holder, with the gold-coloured microchip pointing down. The flap has a groove for this purpose. The notched corner of the SIM card has to point towards the front of the device (see illustration). 9. Slide the SIM card down into the flap as far as possible. 10. Lower the flap paying attention to the notched corner of the SIM card (see illustration).
Putting the device into operation 11. With your fingernail or a suitable object move the flap about 2 mm to the right (in the direction of the arrow) until you can feel it click into place. 12. Now the SIM card holder is locked into position. 13. Check the connection of the internal IO connection cable. Finally re-attach both housing parts: Slide the motherboard into the rails on top and bottom inside the rear section of the housing.
Configuration 4 Configuration Remote configuration ! Remote configuration is possible only if the SINAUT MD740-1 is configured for remote access (see page 64). In this case, proceed exactly as described as from section Establish configuration connection, page 20.
Configuration 2. Enter the following: IP address: 192.168.1.2 Subnet mask: 255.255.255.0 Default gateway: 192.168.1.1 Preferred DNS server: address of the Domain Name Server …under Windows 2000 ! Preferred DNS server Establish configuration connection Under Windows 2000, proceed accordingly. If you call up addresses via a domain name (e.g. www.neuhaus.de), a Domain Name Server (DNS) has to look up which IP address belongs to the name.
Configuration ! In case the Administrator website does not appear... If the browser still tells you after several attempts that the page cannot be displayed, try the following: • Check the hardware connection. To do so on a Windows computer, enter the following command via the DOS prompt (menu Start, Programs, Tools, Command Prompt): ping 192.168.1.1 If there is no message about the reception of the 4 sent packets within the prescribed time, check the cable, the connections and the network card.
Configuration When the connection is successfully established... 4. Following the successful establishment of the connection the following security alert appears: Explanation: As the device can only be administered via encrypted accesses it is supplied with a self-signed certificate. Acknowledge the security alert with Yes. 5. You are prompted to enter the user name and the password. The default setting is: User name: admin Password: tainy Start page of the Administrator website 6.
Configuration To perform the configuration, proceed as follows: Perform configuration 1. Call up the required setting area via the menu. 2. Make the required entries on the page concerned. 3. Confirm with OK or Apply, so that the settings are accepted by the device. If a page is not up to date when next displayed because the browser is loading it from the cache, refresh the page display. To do so, click on the Refresh icon in the browser's icon bar.
Configuration 4.1 Network menu Network # Local Internal IPs An internal IP is the IP address at which the SINAUT MD740-1 can be accessed by devices of the locally connected network. The default setting for the IP address is as follows: IP address: 192.168.1.1 Local netmask: 255.255.255.0 (Local IP address of the SINAUT MD740-1 according to default setting: 192.168.1.1) You can determine further addresses at which the SINAUT MD740-1 can be accessed by devices of the locally connected network.
Configuration Network # GPRS User (user name) Password When the SINAUT MD740-1 logs into the GPRS network it is generally asked for the user name and the password before it is given access to the network. Some GSM/GPRS network operators dispense with access control via user name and/or password. In this case, enter visitor in the appropriate field. INFO: Documentation from your network operator. ! Enter the password identically in both fields.
Configuration When putting the device into operation: 1. Tell the device the PIN of the SIM card 2. Insert the SIM card PIN of the SIM card inserted in the device In order for the SINAUT MD740-1 to be able to operate with the SIM card of your network operator you must tell the device the PIN (Personal Identification Number) of the SIM card, provided that the SIM card has a PIN. Only after this should you insert the SIM card into the switched off(!) device. To do so, enter the PIN and click on OK or Apply.
Configuration 4.2 Firewall menu The SINAUT MD740-1 comes with a Stateful Packet Inspection Firewall. The connection data of an active connection are collected in a database (connection tracking). This means that rules are only to be defined for one direction, while data from the other direction of a connection, and only these, are allowed through automatically.
Configuration Setting a new rule If you want to set a new rule, click on New. Set the required rule (see below), then click on OK or Apply. You receive a system message as confirmation. You can make the following possible entries: Protocol: All means: TCP, UDP, ICMP and others. IP address: 0.0.0.0/0 means all addresses. To denote a range, use CIDR syntax - see CIDR (Classless InterDomain Routing), page 79. Port: (is evaluated only with TCP and UDP protocols) any means any port. startport:endport (e.g.
Configuration Firewall # Outgoing This lists the fixed firewall rules. These apply to outgoing data packets which belong to GPRS connections initiated by the SINAUT MD740-1 to communicate with a remote site. ! If no rule is set, all outgoing connections are prohibited (except VPN). ! Default setting: outgoing connections prohibited (except VPN and connections to the integrated website which provides information about devices and connection data).
Configuration sender is informed of the refusal. Reject means that data packets are not allowed to pass. They are swallowed so that the sender is not informed of their whereabouts. Log: For each individual firewall rule you can determine whether, when the rule is applied, - the event is to be logged - set Log to Yes - or not - set Log to No (default setting) Log entries for unknown connection attempts: This logs all connection attempts which are not recorded by the prevalent rules.
Configuration If you want to set a new rule, click on New. Set the required rule (see below), then click on OK or Apply. Protocol Here you enter the protocol to which the rule is to apply. Incoming on IP Here you enter the external IP address (or one of the external IP addresses) of the SINAUT MD740-1. OR Should a dynamic change of the external IP address of the SINAUT MD740-1 take place, so that it cannot be given, use the following variable: %extern.
Configuration Firewall # NAT This lists the fixed rules for NAT (Network Address Translation) and allows rules to be set or deleted. For outgoing data packets the device can translate the given sender IP addresses from its internal network to its own external address, a technique known as NAT (Network Address Translation). This method is used when the internal addresses cannot or should not be routed, e.g. because a private address range such as 192.168.x.
Configuration Firewall # Extended Settings These settings determine the basic behaviour of the firewall. Standard settings All Modes Maximum number ... These 5 entries determine upper limits. They are selected in such a way that they are never reached in normal practical operation. In the event of attacks, however, they can easily be reached, therefore the limitation represents built-in, additional protection. Should special requirements exist in your operating environment, you can increase the values.
Configuration connection to the server for data transmission. In order for the additional connections to be allowed through by the firewall, Enable "FTP" NAT/Connection Tracking support must be set to Yes (standard). Enable "IRC" NAT/Connection Tracking support Similar to FTP: when chatting on the Internet via IRC, incoming connections must be allowed following the active establishment of a connection if chatting is to work smoothly.
Configuration Firewall # Logs Display only: If the logging of events (Log = Yes) has been determined during the setting of firewall rules you can then view the log of all logged events here. The format corresponds to that commonly used under Linux. There are special evaluation programs which present the information from the logged data in a more easily legible format.
Configuration 4.3 VPN menu The general prerequisite for a VPN connection is that the IP addresses of the VPN partners are known and accessible. See IP address of the remote site, page 9. • In order for an IPSec connection to be established successfully the VPN remote site must support IPsec with the following configuration: - Authentication via Pre-Shared Key (PSK) or X.
Configuration VPN # Connections This lists the VPN connections already set up. ! You can enable (Enabled = Yes) or disable (Enabled = No) each individual connection. Deleting a VPN connection Click on Delete next to the entry concerned. Then click on OK or Apply. Setting up a new VPN connection Click on New. Give the connection a name and click on Edit. Perform the desired or necessary settings (see below). Then click on OK or Apply.
Configuration A descriptive name for the connection You can name or rename the connection as you wish. Enabled Determine whether the connection is to be enabled (= Yes) or not (= No).
Configuration Address of the remote site's VPN gateway • This denotes the address of the gateway to the private network in which the remote communication partner is located - see illustration below. Devices and addresses of remote site GPRS Internet IPsec tunnel SINAUT MD740-1 Remote VPN gateway address • Router with firewall LAN Tunnel: the address of the opposite network (can also be individual computer.
Configuration Connection type There are four options:
• Tunnel (network ↔ network)
• Transport (host ↔ host)
• Transport (L2TP Microsoft Windows)
• Transport (L2TP SSH Sentinel)
Tunnel (network ↔ network) This connection type is suitable in every case and it is also the safest. In this mode the IP datagrams to be transferred are completely encrypted and sent with a new header to the remote site's VPN gateway, the "end of the tunnel".
Configuration Transport (L2TP SSH Sentinel) If this connection is enabled on the remote computer, you should also set the SINAUT MD740-1 to Transport (L2TP SSH Sentinel). The SINAUT MD740-1 will then work accordingly. The L2TP/PPP protocol creates a tunnel within the IPsec Transport connection. The locally connected L2TP computer is assigned its IP address dynamically by the SINAUT MD740-1. Also enable the L2TP server.
Configuration X.509 Certificate This method is supported by most newer IPSec implementations. The SINAUT MD740-1 encrypts the authentication datagrams that it sends to the remote site - the "end of the tunnel" - with the remote site's public key (file name *.cer or *.pem). (You received this *.cer or *.pem file from the operator of the remote site, e.g. on a disk or by email). To make this public key available to the SINAUT MD740-1, proceed as follows: Prerequisite: You have stored the *.cer or *.
Configuration Consequence: the screen illustrated below appears: 2. Enter the agreed sequence of characters in the field PreShared Secret Key (PSK). To obtain security comparable to 3DES, the sequence of characters should consist of approx. 30 randomly selected lower and upper case characters and numerals. 3. Click on Back. ! Pre-Shared Secret Key cannot be used with dynamic (%any) IP addresses; only fixed IP addresses or hostnames on both sides are supported.
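The PSK guidance above, worked through as an added example (not part of the manual or the device software): it generates a 30-character key from a CSPRNG, shows why about 30 characters from a 62-symbol alphabet covers the 168-bit nominal key of three-key 3DES, and checks a planned connection against the %any restriction. The helper names and the thresholds min_len and min_distinct are assumptions made for this illustration.

```python
import math
import secrets
import string

# Alphabet the manual recommends: lower case, upper case and numerals (62 symbols).
ALPHABET = string.ascii_lowercase + string.ascii_uppercase + string.digits


def bits_per_char(alphabet=ALPHABET):
    """Entropy per character when every character is drawn uniformly at random."""
    return math.log2(len(set(alphabet)))


def min_length(target_bits, alphabet=ALPHABET):
    """Shortest uniformly random string that reaches target_bits of entropy."""
    return math.ceil(target_bits / bits_per_char(alphabet))


def generate_psk(length=30):
    """Draw the key from the operating system's CSPRNG via the secrets module."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def check_psk_connection(remote_gateway, psk, min_len=30, min_distinct=10):
    """Return a list of problems with a planned PSK connection (hypothetical helper)."""
    problems = []
    # The manual states that PSK works only with fixed IP addresses or hostnames.
    if remote_gateway.strip().lower() == "%any":
        problems.append("PSK cannot be combined with a dynamic (%any) remote address")
    if len(psk) < min_len:
        problems.append(f"PSK has {len(psk)} characters, fewer than {min_len}")
    # A crude randomness smell test (assumed threshold): words and repeated
    # patterns use few distinct symbols, a random 30-character key uses many.
    if len(set(psk)) < min_distinct:
        problems.append("PSK uses very few distinct characters and is probably not random")
    return problems


if __name__ == "__main__":
    print(f"entropy per character: {bits_per_char():.2f} bits")
    print(f"30 random characters:  {30 * bits_per_char():.1f} bits")
    print(f"characters needed for 168 bits: {min_length(168)}")
    key = generate_psk()
    print("generated PSK:", key)
    print("fixed gateway:", check_psk_connection("vpn.example.com", key))
    print("dynamic gateway:", check_psk_connection("%any", key))
```

The entropy figures hold only for keys drawn uniformly at random; a memorable phrase of the same length carries far less.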
Configuration for data exchange is determined here. This may differ from that of the Key Exchange, but not necessarily. Encryption algorithm See above. Checksum algorithm/Hash See above. Perfect Forward Secrecy (PFS) A method for the additional improvement of security during data transfer. With IPsec, the keys for data exchange are renewed at certain intervals. With PFS, new random numbers are negotiated with the remote site instead of deriving them from previously agreed random numbers.
Configuration [Figure: Local devices and addresses. Tunnel: the address of the local network (can also be an individual computer). Labels: LAN, SINAUT MD740-1, IPsec tunnel, GPRS, Internet, to the remote site.] [Figure: Devices and addresses of remote site. Tunnel: the address of the opposite network (can also be an individual computer). Labels: SINAUT MD740-1, IPsec tunnel, GPRS, Internet, Remote VPN gateway address, Router w. firewall, LAN.]
Configuration Remote network address The appropriate netmask With these two entries you give the address of the network in which the remote communication partner is located. This address can also be that of a computer which is connected directly to the VPN gateway. Firewall incoming, Firewall outgoing While the settings performed under the menu item Firewall apply only to non-VPN connections (see above under Firewall # Incoming, page 27), the settings here apply only to the VPN connection defined here.
Configuration Port: (is evaluated only with TCP and UDP protocols) any means any port. startport:endport (e.g. 110:120) denotes the port area. Individual ports can be entered either with the port number or with the corresponding service name (e.g. 110 for pop3 or pop3 for 110). Action: Accept means that the data packets may pass. Refuse means that the data packets are turned away so that the sender is informed of the refusal. Reject means that data packets are not allowed to pass.
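How the rule fields described here and under "Setting a new rule" combine when a packet is checked, as an added example (not the device's firmware): it parses the Protocol, IP address and Port syntax, evaluates packets against a rule list, and flags over-broad Accept rules for review. First-match ordering, the "Prohibited" label for unmatched traffic, the service table beyond pop3 and all sample rules and addresses are assumptions constructed for this illustration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed service-name table; the manual's own example is pop3 = 110.
SERVICES = {"pop3": 110, "smtp": 25, "http": 80, "https": 443, "ssh": 22}
ANY_PORT = (0, 65535)
ACTIONS = {"Accept", "Refuse", "Reject"}


def parse_port(spec):
    """Turn 'any', '110', 'pop3' or '110:120' into an inclusive (low, high) range."""
    spec = str(spec).strip().lower()
    if spec == "any":
        return ANY_PORT
    if ":" in spec:
        low, high = (int(part) for part in spec.split(":", 1))
    elif spec.isdigit():
        low = high = int(spec)
    elif spec in SERVICES:
        low = high = SERVICES[spec]
    else:
        raise ValueError(f"unknown port or service name: {spec!r}")
    if not 0 <= low <= high <= 65535:
        raise ValueError(f"invalid port range: {spec!r}")
    return (low, high)


@dataclass(frozen=True)
class Rule:
    protocol: str                 # ALL, TCP, UDP or ICMP
    src: ipaddress.IPv4Network
    src_ports: tuple
    dst: ipaddress.IPv4Network
    dst_ports: tuple
    action: str                   # Accept, Refuse or Reject
    log: bool


def make_rule(protocol, from_ip, from_port, to_ip, to_port, action, log="No"):
    """Build a rule from the values as they would be typed into the rule form."""
    if action not in ACTIONS:
        raise ValueError(f"unknown action: {action!r}")
    return Rule(protocol.upper(), ipaddress.ip_network(from_ip), parse_port(from_port),
                ipaddress.ip_network(to_ip), parse_port(to_port), action, log == "Yes")


def matches(rule, proto, src_ip, src_port, dst_ip, dst_port):
    proto = proto.upper()
    if rule.protocol not in ("ALL", proto):
        return False
    if ipaddress.ip_address(src_ip) not in rule.src:
        return False
    if ipaddress.ip_address(dst_ip) not in rule.dst:
        return False
    if proto in ("TCP", "UDP"):   # ports are evaluated only for TCP and UDP
        if not rule.src_ports[0] <= src_port <= rule.src_ports[1]:
            return False
        if not rule.dst_ports[0] <= dst_port <= rule.dst_ports[1]:
            return False
    return True


def evaluate(rules, proto, src_ip, src_port, dst_ip, dst_port):
    """Return (action, rule index). Assumption: the first matching rule decides."""
    for index, rule in enumerate(rules):
        if matches(rule, proto, src_ip, src_port, dst_ip, dst_port):
            return rule.action, index
    return "Prohibited", None     # no rule set or none matched: connection prohibited


def audit(rules):
    """Indexes of Accept rules open to every source address on every port."""
    return [i for i, r in enumerate(rules)
            if r.action == "Accept" and r.src.prefixlen == 0 and r.dst_ports == ANY_PORT]


# Constructed sample rule list (not taken from the manual).
SAMPLE_RULES = [
    make_rule("TCP", "192.168.1.0/24", "any", "0.0.0.0/0", "pop3", "Accept"),
    make_rule("UDP", "192.168.1.0/24", "any", "0.0.0.0/0", "110:120", "Refuse", "Yes"),
    make_rule("All", "0.0.0.0/0", "any", "0.0.0.0/0", "any", "Accept"),
]

if __name__ == "__main__":
    print(evaluate(SAMPLE_RULES, "tcp", "192.168.1.20", 40000, "203.0.113.5", 110))
    print(evaluate(SAMPLE_RULES, "tcp", "192.168.1.20", 40000, "203.0.113.5", 25))
    print("rules to review:", audit(SAMPLE_RULES))
```

In the sample list the catch-all third rule accepts everything the first two do not handle, which is the kind of entry the audit function is meant to surface.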
Configuration VPN # Machine Certificate Certificate This denotes the currently imported X.509 certificate with which the SINAUT MD740-1 identifies itself to other VPN gateways. After a certificate has been imported the following information is displayed: subject The owner to whom the certificate has been issued. issuer The certification office which has signed the certificate.
Configuration The imported certificate file (filename extension *.p12 or *.pfx) contains the information given above, as well as the two keys: the public key for encryption, the private key for decryption. The appropriate public key can be assigned any number of connection partners, enabling them to send encrypted data. In agreement with the remote site, the certificate must be made available to the operator of the remote site as a .cer or .pem file, e.g. handed over personally or by e-mail.
Configuration VPN # L2TP Start L2TP Server for IPsec/L2TP? Yes / No If you want to enable an L2TP connection, set this switch to Yes. Within the IPsec transport connection the L2TP in turn contains a PPP connection. Consequently, a kind of tunnel is created between 2 networks. The SINAUT MD740-1 informs the remote site via PPP as to which addresses are being used: for itself and the remote site.
Configuration VPN # IPsec Status Display only: Provides information on the status of the IPSec connections. The names of the VPN connections are on the left, their current status on the right. GATEWAY denotes the communicating VPN gateways TRAFFIC denotes computers or networks communicating via the VPN gateways. ID denotes the Distinguished Name (DN) of an X.509 certificate.
Configuration ISAKMP SA established, IPsec State: WAITING means: Authentication was successful, but the other parameters were not correct. Does the connection type (tunnel, transport) correspond? If tunnel was selected, do the network areas on both sides correspond? The message IPsec State: IPsec SA established means: The VPN has been successfully established and can be used. However, if this is not the case, then there are problems with the remote site's VPN gateway.
Configuration VPN # VPN Logs Display only: This lists all VPN events. The format corresponds to that commonly used under Linux. There are special evaluation programs which present the information from the logged data in a more easily legible format.
Configuration 4.4 Services menu Services # DNS If the SINAUT MD740-1 is to establish a connection to a remote site (e.g. VPN gateway or NTP server), it must know the IP address of the remote site in question. If it is given the address in the form of a domain address (i.e. www.abc.xyz.de), then the device must consult a Domain Name Server (DNS) to see which IP address is behind the domain address.
Configuration Makes it easier for the user to enter a domain name: if the user enters the domain name in abbreviated form, the SINAUT MD740-1 supplements his entry with the given domain suffix which is fixed here under domain search path. Servers to query Possibilities: DNS Root Servers / Provider defined / User defined DNS Root Servers Queries are directed to the DNS root servers on the Internet whose IP addresses are stored in the SINAUT MD740-1. These addresses rarely change.
Configuration Services # DynDNS Monitoring Watch hostname of remote VPN Gateways? Yes / No If the address of the remote VPN Gateway has been given to the SINAUT MD740-1 as a hostname (see VPN # Connections, page 37), and if this Domain Name has been issued by a DynDNS service, then the SINAUT MD740-1 can check regularly whether any changes have been made to the DynDNS concerned. If so, the VPN connection is established to the new IP address.
Configuration Standard: 420 (sec). Whenever the IP address of the device's own Internet connection is or has been changed, the SINAUT MD740-1 informs the DynDNS service of the new IP address. For reliability reasons this message is also sent at the time intervals fixed here. DynDNS Provider The selectable providers support the same protocol that is also supported by the SINAUT MD740-1. Enter the name of the provider with whom you are registered, e.g. DynDNS.
Configuration Start DHCP Server Set this switch to Yes if you want to enable this function. Enable dynamic IP address pool Set this switch to Yes if you want to use the IP address pool selected by DHCP range start and DHCP range end. Set this switch to No if only static assignments based on the MAC address are to be performed (see below).
Configuration Client IP address The static IP that is to be assigned to the client's MAC address. ! The static assignments take priority over the dynamic IP address pool. ! Static assignments must not overlap with the dynamic IP address pool. ! An IP must not be used in several static assignments, otherwise this IP will be assigned to several MAC addresses. ! ! Only one DHCP server per subnet must be used.
Configuration Displays the current system time in Universal Time Coordinates (UTC). If NTP time synchronization is not yet enabled (see below) and Time stamps in file system are disabled, the clock begins with 1 January 2000. Current system time (local) If the possibly deviating current local time is to be displayed you must make the corresponding entry under Time zone in POSIX.1 Notation... (see below).
Configuration automatic switching to summer or winter time, enter: CET-1CEST,M3.5.0,M10.5.0/3 Time stamp in file system (2h granularity): Yes / No If this switch is set to Yes, the SINAUT MD740-1 writes the current system time into its memory every 2 hours. Consequence: If the SINAUT MD740-1 is switched off and then back on, after being switched on a time in this 2-hour time window will be displayed and not a time on 1 January 2000.
Configuration 4.5 Access menu Access # Passwords The SINAUT MD740-1 offers 3 levels of user rights. To log in at a particular level the user must enter the password which is allocated to the privilege level in question. Privilege level Root Provides extended rights for the parameters of the SINAUT MD740-1. ! With SSH access at this privilege level it is possible to misconfigure the device in such a way that it has to be sent in for servicing. In this case, please contact your dealer or distributor.
Configuration If you want to use this option, determine a user password in the corresponding entry field. Root Password Default setting: root If you want to change the root password, enter the old password in the field Old Password, then enter the new password in the two fields below. (unalterable user name: admin) Administrator Password (Account: admin) Default setting: tainy (unalterable user name: admin) Enable User Password: Yes / No User password protection is switched off as default.
Configuration Access # HTTPS When HTTPS remote access is switched on, the SINAUT MD740-1 can be configured via its web-based administrator interface from a remote computer. This means that the browser on the remote computer is used to configure the local SINAUT MD740-1. This option is switched off as default. ! N.B.: When you enable remote access, make sure that a secure root and administrator password have been determined.
Configuration following must be entered at the remote site in the web browser: 192.144.112.5:442 Firewall rules to accept HTTPS access This lists the fixed firewall rules. They apply to the incoming data packet of a HTTPS remote access. Delete rule ! Click on Delete next to the entry concerned. Set new rule ! If you want to set a new rule, click on New. Set the required new rule (see below) and click on OK or Apply.
Configuration Access # SSH When SSH remote access is switched on, the SINAUT MD740-1 can be configured from a remote computer. To do so, a connection must first be established from the remote site to the SINAUT MD740-1 using an SSH-capable program. To perform settings in the SINAUT MD740-1 enter the command "gaiconfig" via the SSH console. This option is switched off as default. ! N.B.: When you enable remote access, make sure that a secure root and administrator password have been determined. ! N.B.
Configuration If this SINAUT MD740-1 can be reached via the Internet using the address 192.144.112.5, and if a different port number has been set for remote access, then this number must be entered at the remote site in the SSH client (e.g. web browser), e.g. ssh -p 22222 192.144.112.5 Firewall rules to accept SSH access This lists the fixed firewall rules. These apply to the incoming data packets of an SSH remote access. Delete rule ! Click on Delete next to the entry concerned.
Configuration 4.6 Features menu Features # Install Update Prerequisite: you have either • stored a current software package locally on your configuration computer OR • been provided with a current software package via a remote server. Ask your dealer or distributor whether and how you can obtain a software update. ! Under no circumstances should you disconnect the power supply of the SINAUT MD740-1 during the update. The device could be damaged and can only be reactivated by the manufacturer.
Configuration 2. Click on Install Package Set to load it into the device. Depending on the size of the update, this procedure can take several minutes. If a reboot should be necessary following the system update, a corresponding message will appear. Features # Update Server If you are provided with a software update (Features # Install Update, page 68) for the SINAUT MD740-1 on a remote server, enter the server's address here. The address must always be preceded by the protocol used. Examples: http://123.456.789.
Configuration Features # Software Information Display only: This lists the software modules contained in the device. These are described as packets. Serves update purposes: compare the displayed version numbers with the current version numbers of the appropriate packets. To do so, please contact your distributor. Should new versions be available you can update the software in the device. See Features # Install Update, page 68.
Configuration Features # Hardware Information Display only: For experienced system administrators / support.
Configuration 4.7 Support menu Support # Snapshot This function serves support purposes. It creates a compressed file (in tar format) containing all the current configuration settings and log entries which could be relevant for a fault diagnosis. (This file contains no private information such as the private machine certificate or the passwords. However, any used Pre-Shared Keys from VPN connections are contained in the snapshots.) To create a snapshot, proceed as follows: 1. Click on Download. 2.
Configuration Support # Status Display only: Displays a summary of different status information for support purposes: Network mode Operating mode of the SINAUT MD740-1: modem External IP The IP address of the SINAUT MD740-1 at its connection for the external network (WAN or Internet). Default gateway via external IP The external IP address of the SINAUT MD740-1.
Configuration trying : the SINAUT MD740-1 is trying to connect to the DynDNS server. HTTPS remote access Possibilities: no / yes SSH remote access Possibilities: no / yes NTP state Possibilities: synchronized / not synchronized synchronized : the SINAUT MD740-1 is receiving the current time (Greenwich Mean Time) from a time server via the Network Time Protocol. not synchronized : the SINAUT MD740-1 is not connected to a time server and therefore cannot provide the current time.
4.8 System menu

System → Configuration Profiles

You can save the settings of the SINAUT MD740-1 as a configuration profile under any name in the SINAUT MD740-1. You can create several such configuration profiles. You can then activate whichever configuration profile you require when using the SINAUT MD740-1 in different operating environments. Furthermore, you can save configuration profiles as files on the hard disk of the configuration computer.
Display / activate / delete a configuration profile saved in the SINAUT MD740-1

[Figure: names of configuration profiles created (examples)]

Prerequisite: At least one configuration profile has been created and saved in the SINAUT MD740-1 (see above).

Display configuration profile
  Click on the name of the configuration profile.
Activate configuration profile
  Click on the Restore button to the right of the configuration profile concerned.
Upload configuration profile from hard disk to the SINAUT MD740-1

Prerequisite: Following the procedure described above, you have saved a configuration profile as a file on the hard disk of the configuration computer.

1. In the field Name for the new profile, enter the name for the configuration profile to be uploaded.
2. Click on the Browse button and then select the file.
3. Click on the button Upload Configuration to Profile.
System → Logs

Display only: Displays all recorded log entries (total log). The format corresponds to that commonly used under Linux. There are special evaluation programs which present the information from the logged data in a more easily legible format. You can transfer the log entries to an external server. See Services → Remote Logging, page 61.

! Following a reboot of the device, entries are already made in the log file before the device can synchronize the system time.
4.9 CIDR (Classless InterDomain Routing)

IP netmasks and CIDR are notations which aggregate several IP addresses to form one address range. A range of consecutive addresses is treated as a network. The CIDR scheme reduces, for example, the routing tables stored in routers by means of a postfix in the IP address. With this postfix, a network and the networks lying below it can be denoted in a summarized form. The method is described in RFC 1518.
IP netmask        binary                                 CIDR
255.255.255.255   11111111 11111111 11111111 11111111    32
255.255.255.254   11111111 11111111 11111111 11111110    31
255.255.255.252   11111111 11111111 11111111 11111100    30
255.255.255.248   11111111 11111111 11111111 11111000    29
255.255.255.240   11111111 11111111 11111111 11110000    28
255.255.255.224   11111111 11111111 11111111 11100000    27
255.255.255.192   11111111 11111111 11111111 11000000    26
255.255.255.128   11111111 11111111 11111111 10000000    25
255.255.255.0
255.255.
4.10 Network example diagram

The following diagram shows how the IP addresses could be distributed in a local network with subnets, which network addresses result and what the specification of an additional internal route could be in the SINAUT MD740-1.

[Diagram labels:]
GPRS/Internet
  Address from outside: 80.81.192.37 (allocated by Provider)
TAINY GMOD-V2-IO
  Internal address: 192.168.11.1
Net A
  Netw. address: 192.168.11.0/24
  Network mask: 255.255.255.0
Router
  External IP: 192.168.11.2
  Internal IP: 192.168.
Additional internal routes

Network A

Computer   IP address      Network mask
A1         192.168.11.3    255.255.255.0
A2         192.168.11.4    255.255.255.0
A3         192.168.11.5    255.255.255.0
A4         192.168.11.6    255.255.255.0
A5         192.168.11.7    255.255.255.0

Computer   IP address      Network mask
B1         192.168.15.2    255.255.255.0
B2         192.168.15.3    255.255.255.0
B3         192.168.15.4    255.255.255.0
B4         192.168.15.5    255.255.255.0

Computer   IP address
C1         192.168.27.1
C2         192.168.27.2
C3         192.168.27.3
C4         192.168.
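The netmask table in 4.9 and the address plan in 4.10, worked through as an added Python example that is not part of the original manual: it converts a dotted netmask to its binary form and CIDR prefix, rejects masks that have no CIDR equivalent, and lists the networks from the example that lie outside the device's internal network and therefore need an additional internal route. The function names are illustrative, and the mask 255.255.255.0 for the C hosts is an assumption, since the page does not show it.

```python
import ipaddress

def mask_to_prefix(mask):
    """CIDR prefix length of a dotted netmask; ValueError if it has none."""
    bits = f"{int(ipaddress.IPv4Address(mask)):032b}"
    if "01" in bits:  # a 1 after a 0: not a contiguous run of network bits
        raise ValueError(f"netmask {mask} is not contiguous, no CIDR form")
    return bits.count("1")

def mask_to_binary(mask):
    """Binary column of the netmask table, one group of 8 bits per octet."""
    return " ".join(f"{int(octet):08b}" for octet in mask.split("."))

def network_of(ip, mask):
    """Network that a host address belongs to under the given netmask."""
    return ipaddress.ip_network(f"{ip}/{mask_to_prefix(mask)}", strict=False)

# Values from the network example in 4.10.
DEVICE_INTERNAL = ("192.168.11.1", "255.255.255.0")
HOSTS = {
    "A1": ("192.168.11.3", "255.255.255.0"),
    "A5": ("192.168.11.7", "255.255.255.0"),
    "B1": ("192.168.15.2", "255.255.255.0"),
    "B4": ("192.168.15.5", "255.255.255.0"),
    # Assumption: the page does not show the mask for the C hosts.
    "C1": ("192.168.27.1", "255.255.255.0"),
    "C3": ("192.168.27.3", "255.255.255.0"),
}

def networks_needing_route(device, hosts):
    """Networks holding hosts that the device cannot reach directly."""
    local = network_of(*device)
    remote = {network_of(ip, mask) for ip, mask in hosts.values()
              if ipaddress.ip_address(ip) not in local}
    return sorted(remote)

if __name__ == "__main__":
    for mask in ("255.255.255.255", "255.255.255.248", "255.255.255.128"):
        print(mask, mask_to_binary(mask), mask_to_prefix(mask))
    for net in networks_needing_route(DEVICE_INTERNAL, HOSTS):
        print("additional internal route needed for", net)
```

Hosts in network A share 192.168.11.0/24 with the device's internal address and need no extra route; only the B and C networks are reported.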
5 Integrated website showing device and connection data

The SINAUT MD740-1 has an integrated Web server. The Web server provides a website with information on device and connection data.
Specify that you will select the modem yourself, i.e. that automatic recognition does not take place. When choosing the modem, select the file TAINY_GMODService.inf. This is located in the Drivers folder on the data carrier supplied.

! If this dialogue box is displayed... Click on Continue Anyway.
Windows XP:

1. Click on Start - Control Panel: in classic view, double-click on Network and Internet connections, then click on Create a New Connection to launch the New Connections Wizard.
2. Select Connect to the Internet, Set up my connection manually, Connect using a dial-up modem. Follow the instructions in the dialogue boxes. Make sure that no area codes or local access numbers are entered.

1.
5.2 Accessing the Web server locally via the application interface (10/100 BASE-T connector)

Prerequisites
• A GPRS connection must be active, i.e. the LED C of the SINAUT MD740-1 is lit and indicates that an IP address has been assigned by the GPRS network.
• NAT must take place for the address of the locally connected computer that is to access the internal website (see Firewall → NAT, page 27).
5.3 Accessing the Web Server of the SINAUT MD740-1 from a remote computer via the GPRS network

Prerequisites
• Access is dependent on the configuration of the GPRS network and on how your LAN is linked to the GPRS.
• A GPRS connection to the remote SINAUT MD740-1 must be active, i.e. the LED C of the SINAUT MD740-1 is lit and indicates that an IP address has been assigned by the GPRS network.

1. Start your Web browser, e.g. MS Internet Explorer.
5.4 The website of the SINAUT MD740-1

To be able to view the website of the SINAUT MD740-1 with a Web browser, the appropriate preparatory measures must be taken, depending on whether you want to access the website with your Web browser
• locally via the service interface (see page 83)
• locally via the application interface (10/100 BASE-T connector) (see page 86)
• or from a remote computer via the GPRS network (network-dependent) (see page 87).
Device Information page

If you wish to view this page, click on the Device Information hyperlink on the start page.
Session Statistics and Total Statistics pages

If you wish to view these pages, click on the Session Statistics or Total Statistics hyperlink on the start page. Then perform the Refresh command in the browser to load the current data. Information on the PPP layer is displayed on the left, for the IP layer on the right.
IP layer (IP - Internet Protocol)

Packets:
  Received: Number of IP frames received
  Sent: Number of IP frames sent
  Total: Sum total of all IP packets sent and received during the online connection
  Invalid: Number of incorrect (invalid) IP frames
Bytes:
  Received: Number of data bytes received within an IP frame
  Sent: Number of bytes sent in an IP frame
  Total: Sum total of all bytes sent and received at IP level during the online connection
  Invalid: Number
Status Information page

If you wish to view this page, click on the Status Information hyperlink on the start page. This page provides information on the GSM network and the network operator.

Explanation of terms:

GSM information:
  Cell ID: The Cell ID is a unique identification number for a cell.
  APN: Access Point Name. A logical, defined interface on the GGSN which establishes a connection to the desired service (e.g.
6 Firmware update via the integrated FTP server

The SINAUT MD740-1 has an integrated FTP server (FTP = File Transfer Protocol). This can be used to load an update - if available - of the communication software into the SINAUT MD740-1. We recommend using an FTP program (downloadable as Freeware from the Internet) to establish a connection with the FTP server of the SINAUT MD740-1.
7 Glossary

AES

The NIST (National Institute of Standards and Technology) has been developing the AES encryption standard jointly with industrial companies for years. This → symmetrical encryption is designed to replace the previous DES standard. The AES standard specifies three different key sizes with 128, 192 and 256 bits. In 1997, the NIST launched the AES initiative and announced its conditions for the algorithm.
Asymmetrical encryption

In asymmetrical encryption, data are encrypted with one key and decrypted with a second key. Both keys are suitable for encryption and decryption. One of the keys is kept secret by its owner (Private Key), the other is issued to the public (Public Key), i.e. possible communication partners. A message encrypted with a Public Key can only be decrypted and read by the recipient who has the corresponding Private Key.
address. This establishes a connection to the responsible DNS (Domain Name Server), where a scan is made for the IP address which is currently allocated to this hostname. The IP address is transferred back to the remote computer which now uses it as the destination address. This now leads to exactly the desired local computer. Basically, all Internet addresses are based on this system: first, a connection is established to the DNS in order to ascertain the IP address assigned to this hostname.
Protocol, transmission protocol

Devices which communicate with one another must use the same rules for this communication. They must "speak the same language". Such rules and standards are collectively referred to as a protocol or transmission protocol. Frequently used protocols are, for example, IP, TCP, PPP, HTTP or SMTP. TCP/IP is the generic term for all protocols based on IP.
DES / 3DES

The symmetrical encryption algorithm (→ symmetrical encryption) DES, originally developed by IBM and checked by the NSA, was determined in 1977 by the American National Bureau of Standards, the predecessor of today's National Institute of Standards and Technology (NIST), as the standard for American government institutions. As this was the first standardized encryption algorithm of all, it quickly established itself in industry and hence outside the USA.
NAT (Network Address Translation)

In Network Address Translation (NAT) - often also referred to as IP Masquerading - an entire network is "hidden" behind a single device, the NAT router. This device is usually a router. The internal computers in the local network remain hidden with their IP addresses when they communicate to the outside via the NAT router. For the external communication partners only the NAT router with its own IP address appears.
IPSec

IP Security (IPSec) is a standard that makes it possible to ensure the authenticity of the sender, the confidentiality and the integrity of the data in IP datagrams by means of encryption. The components of IPSec are the Authentication Header (AH), the Encapsulating Security Payload (ESP), the Security Association (SA), the Security Parameter Index (SPI) and the Internet Key Exchange (IKE). When communication starts, the computers involved clarify the method used and its implications, e.g.
IP address

Each host or router on the Internet / Intranet has a unique IP address (IP = Internet Protocol). The IP address is 32 bits (= 4 bytes) long and is written as 4 numbers (each in the range from 0 to 255) separated by dots. An IP address consists of 2 parts: the network address and the host address.

[Figure: Network address | Host address]

All hosts in a network have the same network address, but different host addresses.
Such a huge network makes little sense. It becomes necessary to form subnets. The subnet mask serves this purpose. Like an IP address, this is a field 4 bytes long. The value 255 is assigned to each of the bytes representing the network address. This serves mainly to "borrow" a part from the host address area in order to use it to address subnets.
8 Technical Data

Application Interface
  10/100 Base-T (RJ45 plug)
  Ethernet IEEE802
  10/100 Mbit/s
Service Interface
  DSUB-9 plug, PIN assignment RS232
Virtual Private Network
  Protocol: IPSec (tunnel and transport mode)
  Encryption: 3DES, AES, DES
  Packet authentication: MD5, SHA-1
  Internet Key Exchange (IKE), authentication: Pre-Shared Key (PSK), X.
Pin assignment interface Service

SUB-D9 socket, Pin assignment RS232

Pin    Signal   Signal direction DTE
Pin1   DCD      Output
Pin2   RXD      Output
Pin3   TXD      Input
Pin4   DTR      Input
Pin5   GND      Signal ground
Pin6   DSR      Output
Pin7   RTS      Input
Pin8   CTS      Output
Pin9   RI       Output

Pin assignment interface 10/100 BASE-T

RJ45 socket - Ethernet

Pin    Signal (Signal direction DTE)
Pin1   RD+
Pin2   RD-
Pin3   TD+
Pin4   Not connected
Pin5   Not connected
Pin6   TD-
Pin7   Not connected
Pin8   Not connected
Copyright Statement

The information contained in this publication is protected by copyright. Translations, reproduction, copying and storage in data processing systems require the explicit approval of SIEMENS AG.

© 2005 SIEMENS AG. All rights reserved.

SIEMENS Automation and Drives
www.siemens.de

Specifications are subject to change without notice.
Product no. 3172
Doc. no. 3172AD001
Rev. 1.1