SIMATIC NET SINAUT MD741-1 EGPRS/GPRS-Router
System manual C79000-G8976-C212, Release 4/2008
Chapters: Preface, Contents; Applications and functions; Setup; Configuration; Local interface; External interface; Security functions; Remote access; Status, log and diagnosis; Additional functions; Technical Data; Applied Standards and Approvals; Glossary
Safety Guidelines This manual contains notices you have to observe in order to ensure your personal safety, as well as to prevent damage to property. The notices referring to your personal safety are highlighted in the manual by a safety alert symbol, notices referring only to property damage have no safety alert symbol. These notices shown below are graded according to the degree of danger.
General The product MD741-1 complies with European standard EN60950, 05.2003, Safety of Information Technology Equipment. Read the installation instructions carefully before using the device. Keep the device away from children, especially small children. The device must not be installed or operated outdoors or at damp locations. Do not operate the device if the connecting leads or the device itself are damaged. External power supply Use only an external power supply which also complies with EN60950.
Failure to observe the bending radius of the antenna cable degrades the transmission and reception properties of the system. The minimum static bending radius is 5 times the cable diameter; the minimum dynamic bending radius is 15 times the cable diameter. Radio device. Warning: Never use the device in places where the operation of radio devices is prohibited.
Requirements for compliance to Safety, Telecom, EMC and other standards. Caution: Observe the regulations listed in chapter 12 before putting the SINAUT MD741-1 into operation. Operating costs. Caution, GPRS costs: Note that the data packets exchanged for setting up connections, reconnecting, connection attempts (e.g. server switched off, wrong destination address) and keeping the connection alive are also charged by the network operator.
Firmware with Open Source GPL/LGPL. The firmware of the SINAUT MD741-1 includes Open Source Software under the terms of the GPL/LGPL. According to section 3b of the GPL and section 6b of the LGPL we provide you with the source code. Please write to s_opsource@gmx.net or s_opsource@gmx.de and enter 'Open Source MD741' as the subject of your e-mail so that we can filter your e-mail more easily. Firmware with OpenBSD. The firmware of the SINAUT MD741-1 contains sections from the OpenBSD software.
Preface Purpose of this documentation This documentation will support you on your way to successful application of GSM/GPRS modem SINAUT MD741-1. It will introduce you to the topic in clear and straightforward steps and provide you with an overview of the hardware of the SINAUT MD741-1 GSM/GPRS modem. This documentation will help you during installation and commissioning of SINAUT GSM/GPRS modem and explains the diagnostics and service options available.
You will find the latest version of this documentation under the entry ID 22550242. Do you still have questions relating to the use of the products described in the manual? If so, then please talk to your local Siemens contact. You will find the addresses in the following sources: • On the Internet at: http://www.siemens.com/automation/partner • On the Internet at http://www.siemens.
Contents
1 Applications and functions (page 11)
2 Setup (page 15)
2.1 Step by step (page 15)
2.2 Preconditions for operation (page 16)
2.
7.1 VPN Roadwarrior Mode (page 69)
7.2 VPN IPsec Standard Mode (page 76)
7.3 Loading VPN certificates (page 85)
7.4 Firewall rules for VPN tunnel
7.5
7.6
Applications and functions 1 The SINAUT MD741-1 provides a wireless connection to the Internet or to a private network. The SINAUT MD741-1 can provide this connection in any location where a GSM network (Global System for Mobile Communication = mobile phone network) is available which provides the services EGPRS (Enhanced General Packet Radio Service = EDGE) or GPRS (General Packet Radio Service). A precondition for this is a SIM card of a GSM network operator with the appropriate services activated.
Application examples of the SINAUT MD741-1. Figure 1-1 Connection between CPU and Central Station: S7-300 CPU with TIM and MD741-1, via (E-)GPRS and the APN into the Internet, VPN tunnel to the DSL modem/VPN router of the central station with ST7cc. Figure 1-2 Connection between two CPUs: CPU, TIM and MD741-1 on each side, (E-)GPRS, APN and Internet in between, VPN tunnels to the DSL modem/VPN router of the central station (ST7cc), logical connection between the two CPUs. Configuration The device can be configured via a Web user interface that can simply be
Figure 1-3 Configuration access: a PC with Web browser reaches the MD741-1 via GSM-CSD or via (E-)GPRS. Firewall functions The SINAUT MD741-1 provides the following firewall functions in order to protect the local network and itself from external attacks: ● Stateful inspection firewall ● Anti-spoofing ● Port forwarding ● NAT Additional functions The SINAUT MD741-1 provides the following additional functions: ● DNS cache ● DHCP
2 Setup
2.1 Step by step
Set up the SINAUT MD741-1 in the following steps:
1. First familiarise yourself with the preconditions for operation of the SINAUT MD741-1.
2. Read the safety instructions and other instructions at the beginning of this document very carefully, and be sure to follow them.
3. Familiarise yourself with the control elements, connections and operating state indicators of the SINAUT MD741-1.
4.
Setup 2.2 Preconditions for operation In order to operate the SINAUT MD741-1, the following information must be on hand and the following preconditions must be fulfilled: Antenna An antenna, adapted to the frequency bands of the GSM network operator you have chosen: 850 MHz, 900 MHz, 1800 MHz or 1900 MHz. Use only antennas from the accessories for the SINAUT MD741-1. See Chapter 2.6. Power supply A power supply with a voltage between 12 VDC and 30 VDC that can provide sufficient current. See Chapter 2.
2.3 Device front
Figure 2-1 Device front. Definitions of terms frequently used in this manual:
A – Connection terminals for the power supply
B – Set button
C – Antenna jack, type SMA
D – Operating state indicators
E, F, G, H – S, Q, X1 (Service; USB): without function; connection terminals for the gate inputs and outputs
2.
Setup 2.5 Operating state indicators The SINAUT MD741-1 has 7 indicator lamps (LEDs) to indicate the operating state.
2.6 Connections. X2 (10/100 Base-T): The local network is connected at the 10/100 Base-T connection, e.g. a programmable controller, a machine with an Ethernet interface for remote monitoring, or a notebook or desktop PC. To set up the SINAUT MD741-1, connect the Admin PC with Web browser here. The interface supports autonegotiation: whether 10 Mbit/s or 100 Mbit/s is used on the Ethernet is detected automatically.
Warning: When the antenna is installed outdoors it must be earthed for lightning protection. The shield of the outdoor antenna must be reliably connected to protective earth. The installation shall be carried out according to the national installation codes (for the US this is the National Electric Code NFPA 70, article 810). This work must be carried out by qualified personnel only.
Field wiring instruction: Use copper wires only. Solid wire: 0.5...3 mm2 (AWG 20...18). Stranded wire: 0.5...2.5 mm2. Torque of screw clamps: 0.6...0.8 Nm.
2.7 Inserting the SIM card
Caution: Before inserting the SIM card, enter the PIN of the SIM card in the SINAUT MD741-1 via the Web user interface. See Chapter 5.1.
Figure 2-3 Inserting the SIM card
1. After you have entered the PIN of the SIM card, disconnect the SINAUT MD741-1 completely from the power supply.
2.
Setup Caution: Do not under any circumstances insert or remove the SIM card during operation. Doing so could damage the SIM card and the SINAUT MD741-1. 2.8 Top rail mounting The SINAUT MD741-1 is suitable for top-hat rail mounting on DIN EN 50022 rails. A corresponding bracket can be found at the rear of the device.
Configuration 3 Configuration of the router and firewall functions is carried out locally or remotely via the Web-based administration interface of the SINAUT MD741-1. Remote configuration Remote configuration via HTTPS or CSD access is only possible if the SINAUT MD741-1 is configured for remote access. In this case proceed exactly as described in Chapter 8.
Configuration 3.1 TCP/IP configuration of the network adapter in Windows XP Configure the LAN connection Click on Start, Connect To ..., Show All Connections… Then click on LAN Connection. In the dialog box Properties of LAN Connection, click on the General tab and select there the entry Internet Protocol (TCP/IP). Open Properties by clicking on the corresponding button. The window Properties of Internet Protocol (TCP/IP) appears (see illustration below).
Configuration Enter the following values in order to get to the Web user interface of the SINAUT MD741-1: IP address: 192.168.1.2 Subnet mask: 255.255.255.0 In addition, enter the following values if you want to use the Admin PC to access the external network via the SINAUT MD741-1: Standard gateway: 192.168.1.1 Preferred DNS server: 192.168.1.1 Preferred DNS server If you call up addresses via a domain name (e.g. www.neuhaus.
Calling up the start page of the SINAUT MD741-1. 3. In the address line of the browser, enter the address of the SINAUT MD741-1 in full. In the factory settings this is: https://192.168.1.1 Result: The browser shows a security message; in Internet Explorer 7, for example, the one in Figure 3-2. Figure 3-2 Confirming the security message. 4.
Figure 3-3 Enter user name and password. The factory setting is: User name: admin Password: sinaut. Note: You should change the password in any event. The factory setting is general knowledge and does not provide sufficient protection: anyone who can reach the Web user interface, locally or remotely once remote access has been enabled, can otherwise log on with it and take over the device. Chapter 3.7 describes how to change the password.
Configuration If a return receipt message for the 4 packets that were sent out does not appear within the specified time period, check the cable, the connections and the network card. ● Make sure that the browser does not use a proxy server. In MS Internet Explorer (Version 7.0), make this setting as follows: Menu Tools, Internet Options..., tab Connections: Under LAN Settings, click on the Settings...
Configuration Current system time Shows the current system time of the SINAUT MD741-1 in the format: Year – Month – Day, Hours – Minutes Connection Shows if a wireless connection exists, and which one: ● EDGE connection (IP connection via EGPRS) ● GPRS connection (IP connection via GPRS) ● CSD connection (service connection via CSD) External hostname Shows the hostname (e.g. md741.mydns.org) of the SINAUT MD741-1, if a DynDNS service is being used.
Remote HTTPS: Shows whether remote access to the Web user interface of the SINAUT MD741-1 via EGPRS, GPRS or CSD is permitted (see Chapter 8.1). ● White check mark on green dot: access is allowed. ● White cross on red dot: access is not allowed. Remote SSH: Shows whether remote access to the SSH console of the SINAUT MD741-1 via EGPRS, GPRS or CSD is permitted (see Chapter 8.2), with the same indicators. Both should show "not allowed" unless remote administration is actually needed: when enabled, the Web and SSH logins are reachable from the external network and are protected only by the access password (Chapter 3.7).
Configuration 3.4 Language selection The Web user interface of the SINAUT MD741-1 supports English and German language. Figure 3-5 Language selection Automatic The SINAUT MD741-1 selects the language of the Web user interface in accordance to the selected language of the used Web browser: ● German, if the Web browser uses the German language, ● English, in all other cases. Deutsch The SINAUT MD741-1 uses the German language, irrespective of the Web browser setting.
Configuration 3.5 Configuration procedure The procedure for configuration is as follows: Carrying out configuration 1. Use the menu to call up the desired settings area 2. Make the desired entries on the page concerned or use Reset to delete the current entry which has not been saved. 3. Use Save to confirm the entries so that they are accepted by the device.
Configuration 3.6 Configuration Profiles The settings of the SINAUT MD741-1 can be saved in configuration profiles (files) and re-loaded at any time. Figure 3-8 Maintenance > Configurations Profiles Upload Profile Loads to the SINAUT MD741-1 a configuration profile that was created before and saved on the Admin PC. Files with configuration profiles have the file extension *.epr.
Configuration Download Loads the profile to the Admin PC. Activate The SINAUT MD741-1 accepts the settings from the selected configuration profile and continues to work using them. Delete The configuration profile is deleted. The profile Default configuration contains the factory settings, and cannot be deleted. 3.7 Changing the password Access to the SINAUT MD741-1 is protected by an access password.
Access password (factory setting). The factory setting for the SINAUT MD741-1 is: ● Password: sinaut ● User name: admin (cannot be changed). Note: Change the password immediately after initial start-up. The factory setting is general knowledge and does not provide sufficient protection. Note: The user name for SSH access differs from the user name for the Web interface: User name: root (cannot be changed). The password for SSH access is the same as for the Web interface. The access password therefore also protects a root shell on the device, which is one more reason to choose a long one and to leave Remote SSH disabled unless it is needed (Chapter 8.2).
Configuration Figure 3-10 Maintenance > Reboot Enable daily reboot The reboot is carried out automatically once a day if you switch the function on with Yes. Specify the Time of the daily reboot. The reboot will be carried out at the specified system time. Existing connections will be interrupted.
Configuration 3.9 Load factory settings The factory settings of the SINAUT MD741-1 can be restored by the following means: Figure 3-11 Maintenance > Factory Reset Reset to factory settings A click on the push button Reset loads the factory settings, resets the passwords and deletes the stored certificates, the configuration profiles and the archived log files. Service button (SET) The load of the factory settings can also be activated by pushing the service button (see chapter 2.4).
4 Local interface. The local interface is the interface of the SINAUT MD741-1 for connecting the local network. The interface is labeled X2 on the device. It is an Ethernet interface with a data rate of 10 Mbit/s or 100 Mbit/s. The local network is the network connected to the local interface of the SINAUT MD741-1. The local network contains at least one local application.
Local interface The factory settings for the SINAUT MD741-1 are as follows: IP 192.168.1.1 Netmask 255.255.255.0 These factory-set IP addresses and netmasks can be changed freely, but should follow the applicable recommendations (RFC 1918). Local application Local application Local application MD741-1 Admin PC Figure 4-2 Local IP and netmask Local interface You can define additional addresses at which the SINAUT MD741-1 can be reached by local applications.
4.2 DHCP server to local network. The SINAUT MD741-1 contains a DHCP server (DHCP = Dynamic Host Configuration Protocol). If the DHCP server is switched on, it automatically assigns the IP addresses, netmasks, the gateway and the DNS server to the applications that are connected to the local interface of the SINAUT MD741-1. This is only possible if the local applications are set to obtain their IP address and configuration parameters automatically via DHCP.
Local netmask: Enter the local netmask that should be assigned to the local applications. Default gateway: Enter the default gateway that should be assigned to the local applications. DNS server: Enter the DNS server that should be assigned to the local applications. Enable dynamic IP address pool: With Yes the IP addresses that the DHCP server of the SINAUT MD741-1 assigns are drawn from a dynamic address pool.
Factory setting. The factory settings for the SINAUT MD741-1 are as follows:
Start DHCP server: No
Local netmask: 255.255.255.0
Default gateway: 192.168.1.1
DNS server: 192.168.1.1
Enable dynamic IP address pool: No
DHCP range start: 192.168.1.100
DHCP range end: 192.168.1.199
4.3 DNS to local network. The SINAUT MD741-1 provides a domain name server (DNS) to the local network.
Local interface The external domain name server (DNS) used can be a server of the network operator, a server on the Internet, or a server in a private external network. Figure 4-6 Local Network > Basic Settings > DNS Selected nameserver Select which domain name server (DNS) the SINAUT MD741-1 should query. Provider Defined When a connection is established to EGPRS or GPRS the network operator automatically communicates one or more DNS addresses. These are then used.
Factory setting. The factory settings for the SINAUT MD741-1 are as follows:
Selected nameserver: Provider Defined
User defined nameserver (preset for a new entry): 0.0.0.0
4.4 Local hostname. The SINAUT MD741-1 can also be addressed from the local network using a host name. To do this, define a host name, e.g. MD741. Figure 4-7 Local Network > Basic Settings > DNS. The SINAUT MD741-1 can then be called up, for example from a Web browser, as MD741.
Local interface 4.5 System Time/NTP This is where you set the system time for the SINAUT MD741-1. This system time is: ● used as a time stamp for all log entries, and ● serves as a time basis for all time-controlled functions. Select the year, month, day, hour and minute. Figure 4-8 System > System Time/NTP Activate NTP synchronization The SINAUT MD741-1 can also obtain the system time from a time server via NTP (= Network Time Protocol).
NTP server: Click on New to add an NTP server and enter the IP address of that NTP server, or use the NTP server preset at the factory. You can specify multiple NTP servers at the same time. The NTP server cannot be entered as a hostname (e.g. timeserver.org); only an IP address is accepted. Since the system time stamps every log entry and drives the time-controlled functions, and the NTP setting offers no authentication option, prefer a time server in your own network or your operator's network to an arbitrary public one. Poll interval: The time synchronization is carried out cyclically. The interval at which synchronization is performed is determined by the SINAUT MD741-1 automatically.
Local interface 4.6 Additional Internal Routes If the local network is subdivided into subnetworks, you can define additional routes. See also the Glossary. To define an additional route to a subnetwork, click on New. Specify the following: ● the IP address of the subnetwork (network), and also ● the IP address of the gateway via which the subnet is connected. You can define any desired number of internal routes. To delete an internal route, click on Delete.
5 External interface The external interface of the SINAUT MD741-1 connects the SINAUT MD741-1 to the external network. EGPRS, GPRS or GSM are used for the communication at this interface. External networks are the Internet or a private intranet. External remote stations are network components in an external network, e.g. Web servers on the Internet, routers on an intranet, a central company server, an Admin PC, and much more.
External interface The PIN protects the SIM card against unauthorised use. The user name and password protect the access to EGPRS and GPRS and the APN (Access Point Name) defines the transition from EGPRS or GPRS to additional connected IP networks, for example a public APN to the Internet or a private APN to a virtual private network (VPN). Figure 5-2 External Network > EDGE/GPRS PIN Enter the PIN for your SIM card here. You will receive the PIN from your network operator.
APN: Enter the name of the transition from EGPRS and GPRS to other networks here. You can find the APN in your GSM/GPRS network operator's documentation, on your operator's Website, or ask your operator's hotline. Factory setting. The factory settings for the SINAUT MD741-1 are as follows: 5.
External interface Warning Sending ping packets (ICMPs) increases the amount of data sent and received via EGPRS or GPRS. This can lead to increased costs. Figure 5-4 External Network > Connection Check Enable connection check Yes activates the function. Ping Targets – Hostname Select up to four remote stations that the SINAUT MD741-1 can ping. The remote stations must be available continuously and must answer pings. Note Make sure that the selected remote stations will not be disturbed.
Allowable number of failures: Specifies how many times it is tolerated that none of the (up to four) pinged remote stations answers within an interval before the specified action is carried out. Activity on faulty connection: Renew Connection: The SINAUT MD741-1 re-establishes the connection to EGPRS or GPRS if the ping packets sent were not answered. Reboot MD741: The SINAUT MD741-1 carries out a reboot if the ping packets sent were not answered.
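The decision logic of the connection check described above, as an added worked example that is not the device's firmware: the class below keeps the page's parameters (up to four ping targets, an allowed number of failed intervals, the action Renew Connection or Reboot) and is driven by a constructed sequence of interval results. Two details are my reading of the text rather than statements on the page: an interval with at least one answer clears the failure count, and the action fires once the allowed number has been exceeded. The traffic estimate at the end uses the common 84-byte ping packet size and an interval I chose, because the page warns that these packets are charged but gives no figures.

```python
from typing import Dict, List, Optional

ACTIONS = ("renew_connection", "reboot")


class ConnectionCheck:
    """Connection check as on the External Network > Connection Check page:
    up to four ping targets, an allowed number of failed intervals, and an
    action (renew the EGPRS/GPRS connection, or reboot the device)."""

    def __init__(self, targets: List[str], allowed_failures: int, action: str) -> None:
        if not 1 <= len(targets) <= 4:
            raise ValueError("the page allows up to four ping targets")
        if action not in ACTIONS:
            raise ValueError(f"unknown action {action!r}")
        self.targets = targets
        self.allowed_failures = allowed_failures
        self.action = action
        self.failed_intervals = 0

    def interval(self, replies: Dict[str, bool]) -> Optional[str]:
        """Feed one interval's results (target -> answered?).

        An interval counts as failed only if none of the targets answered.
        Returns the action to perform now, or None."""
        if any(replies.get(t, False) for t in self.targets):
            self.failed_intervals = 0          # assumption: any answer clears the count
            return None
        self.failed_intervals += 1
        if self.failed_intervals > self.allowed_failures:
            self.failed_intervals = 0          # start over after acting
            return self.action
        return None


def simulate(check: ConnectionCheck, intervals: List[Dict[str, bool]]) -> List[Optional[str]]:
    """Run a sequence of intervals and collect the action (or None) for each."""
    return [check.interval(r) for r in intervals]


def ping_bytes_per_day(targets: int, interval_s: int, packet_bytes: int = 84) -> int:
    """Rough daily IP traffic caused by the check itself (request plus reply per
    target), excluding link-layer overhead. 84 bytes = 20 IP + 8 ICMP + 56 data,
    the usual default ping size; the interval is an input, not a value from the page."""
    per_interval = targets * 2 * packet_bytes
    return per_interval * (86400 // interval_s)


if __name__ == "__main__":
    chk = ConnectionCheck(["203.0.113.10", "203.0.113.11"], allowed_failures=2,
                          action="renew_connection")
    # Constructed results: one target dies, then both fail for three intervals.
    seq = [{"203.0.113.10": True, "203.0.113.11": False},
           {"203.0.113.10": False, "203.0.113.11": False},
           {"203.0.113.10": False, "203.0.113.11": False},
           {"203.0.113.10": False, "203.0.113.11": False}]
    print(simulate(chk, seq))          # [None, None, None, 'renew_connection']
    print(ping_bytes_per_day(4, 300))  # four targets every 5 minutes: 193536
```

With Reboot as the action, every tunnel and every local connection through the device is cut each time the counter overflows, so the allowed number of failures should be large enough to ride out a short outage of the ping targets themselves.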
Figure 5-5 DynDNS function: the MD741-1 reports its current IP address together with its hostname to the DynDNS server in the external network; a station that wants to reach the MD741-1 asks the DynDNS server for the IP address of that hostname, receives it, and opens the user data connection through the Internet, (E-)GPRS and the APN (router/firewall in between). Figure 5-6 External Network > DynDNS. Log this SINAUT MD741-1 on to a DynDNS server: Select Yes if you want to use a DynDNS service. DynDNS provider: The SINAUT MD741-1 is compatible with dyndns.org.
External interface DynDNS hostname Here enter the hostname that you have agreed with your DynDNS provider for the SINAUT MD741-1, e.g. myMD741.dyndns.org. Factory setting The factory settings for the SINAUT MD741-1 are as follows: Log the MD741-1 on to DynDNS server No (switched off) DynDNS username guest DynDNS password guest DynDNS hostname myname.dyndns.
6 Security functions
6.1 Packet Filter
The SINAUT MD741-1 contains a stateful inspection firewall. A stateful inspection firewall is a packet filter that additionally tracks the state of connections: packets belonging to a connection that a rule has already permitted are let through, whereas any other IP packet is only let through if a firewall rule has been defined for it beforehand.
Figure 6-1 Security > Packet Filter. Firewall Rules (Incoming): The Firewall Rules (Incoming) define how to handle IP packets that are received from external networks (e.g. the Internet) via EGPRS or GPRS. The source is the sender of such an IP packet; the destination is the local applications behind the SINAUT MD741-1. In the factory setting no incoming firewall rule is set, i.e. no IP packets from the external network can go through.
To IP: Enter the IP address in the local network to which IP packets may be sent, either a single IP address or an IP range of the application in the local network. 0.0.0.0/0 means all addresses. To specify a range, use CIDR notation (see the Glossary). To port: Enter the port to which the external remote station is allowed to send IP packets.
From port: Enter the port from which the local network is allowed to send IP packets, as a port number (only evaluated for the protocols TCP and UDP). To IP: Enter the IP address in the external network to which IP packets may be sent, either a single IP address or an IP range. 0.0.0.0/0 means all addresses. To specify a range, use CIDR notation (see the Glossary).
Factory setting. The factory settings for the SINAUT MD741-1 are as follows:
Incoming firewall. Firewall Rules (Incoming): none (everything blocked). Presets for a new rule: Protocol All; From IP 0.0.0.0/0; From port Any; To IP 0.0.0.0/0; To port Any; Action Accept; Log No (switched off). Log Unknown Connection Attempts: No (switched off).
Outgoing firewall. Firewall Rules (Outgoing): none (everything blocked). Presets for a new rule: Protocol All; From IP 0.0.0.0/0; From port Any; To IP 0.0.0.
Note that a rule saved with the presets unchanged accepts every protocol from every address to every address; narrow Protocol, addresses and ports before saving.
6.2 Port Forwarding. If a rule has been created for port forwarding, data packets received from the external network at a defined IP port of the SINAUT MD741-1 are forwarded to a specified IP address and port number in the local network. Port forwarding can be configured for TCP or UDP.
Destination port: Specify here the port number (e.g. 80) at which the data packets to be forwarded arrive from the external network. Forward to IP: Specify here the IP address in the local network to which the incoming data packets should be forwarded. Forward to port: Specify here the port number on that local IP address to which the incoming data packets should be forwarded.
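The rule semantics of Sections 6.1 and 6.2 (CIDR ranges with 0.0.0.0/0 meaning "any", ports evaluated only for TCP and UDP, "no rule means blocked", per-rule logging and the Log Unknown Connection Attempts switch, and port forwarding as a rewrite of the destination) are illustrated by the following Python model. It is an added example written for this edition, not Siemens code and not the firewall implementation of the MD741-1. The Packet, Rule and Forward classes, the sample addresses, and the assumption that a forwarded packet is afterwards checked against the incoming rules with its rewritten destination are mine; the page does not say in which order the device applies the two tables.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp", "udp" or "icmp"
    src: str              # source address
    sport: Optional[int]  # None for ICMP
    dst: str
    dport: Optional[int]


@dataclass(frozen=True)
class Rule:
    """One row of Firewall Rules (Incoming/Outgoing); fields as on the page."""
    proto: str = "all"           # All / TCP / UDP / ICMP
    from_ip: str = "0.0.0.0/0"   # CIDR, 0.0.0.0/0 = all addresses
    from_port: str = "any"       # "any" or a port number as text
    to_ip: str = "0.0.0.0/0"
    to_port: str = "any"
    action: str = "accept"       # accept / drop
    log: bool = False


@dataclass(frozen=True)
class Forward:
    """One Port Forwarding row: external destination port -> local IP:port."""
    proto: str
    dest_port: int
    to_ip: str
    to_port: int


def _port_ok(spec: str, port: Optional[int]) -> bool:
    return spec == "any" or (port is not None and int(spec) == port)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "all" and rule.proto != pkt.proto:
        return False
    if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(rule.from_ip, strict=False):
        return False
    if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(rule.to_ip, strict=False):
        return False
    # Port fields are only evaluated for TCP and UDP, as the page states.
    if pkt.proto in ("tcp", "udp"):
        return _port_ok(rule.from_port, pkt.sport) and _port_ok(rule.to_port, pkt.dport)
    return True


def apply_forwarding(forwards: List[Forward], pkt: Packet) -> Tuple[Packet, bool]:
    """Rewrite the destination of a packet that arrives at a forwarded port (DNAT)."""
    for f in forwards:
        if f.proto == pkt.proto and pkt.dport == f.dest_port:
            return Packet(pkt.proto, pkt.src, pkt.sport, f.to_ip, f.to_port), True
    return pkt, False


def filter_packet(rules: List[Rule], pkt: Packet, log: List[str],
                  log_unknown: bool = False) -> str:
    """The first matching rule decides. With no matching rule the packet is
    dropped; an empty rule table is the factory state ('everything blocked')."""
    flow = f"{pkt.proto} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}"
    for n, rule in enumerate(rules, start=1):
        if rule_matches(rule, pkt):
            if rule.log:
                log.append(f"rule {n} {rule.action}: {flow}")
            return rule.action
    if log_unknown:
        log.append(f"unknown connection attempt dropped: {flow}")
    return "drop"


def handle_incoming(rules: List[Rule], forwards: List[Forward], pkt: Packet,
                    log: List[str], log_unknown: bool = False) -> Tuple[str, Packet]:
    """Assumed order (not stated on the page): port forwarding rewrites the
    destination first, then the incoming rules are checked against the result."""
    pkt, _ = apply_forwarding(forwards, pkt)
    return filter_packet(rules, pkt, log, log_unknown), pkt


if __name__ == "__main__":
    # Constructed policy: a central station may reach Modbus/TCP (502) on one PLC,
    # and external port 80 is forwarded to a local web server on 8080.
    rules = [Rule(proto="tcp", from_ip="203.0.113.0/24", to_ip="192.168.1.10/32",
                  to_port="502", log=True),
             Rule(proto="tcp", to_ip="192.168.1.10/32", to_port="8080")]
    forwards = [Forward("tcp", 80, "192.168.1.10", 8080)]
    log: List[str] = []
    print(handle_incoming(rules, forwards, Packet("tcp", "203.0.113.5", 40000, "192.168.1.10", 502), log))
    print(handle_incoming(rules, forwards, Packet("tcp", "198.51.100.7", 40000, "192.168.1.10", 502), log, True))
    print(handle_incoming(rules, forwards, Packet("tcp", "198.51.100.7", 5000, "192.0.2.1", 80), log))
    print(*log, sep="\n")
```

Run against the constructed packets, the model shows why an incoming rule with From IP left at 0.0.0.0/0 opens the forwarded service to the whole external network, and why Log Unknown Connection Attempts is the cheapest way to see who is probing the device before any rule is written.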
Security functions 6.3 Advanced security functions The advanced security functions serve to protect the SINAUT MD741-1 and the local applications against attacks. For protective purposes it is assumed that only a certain number of connections or received PING packets are permissible and desirable in normal operation, and that a sudden burst represents an attack.
Security functions External ICMP to the SINAUT MD741-1 You can use this option to affect the response when ICMP packets are received that are sent from the external network in the direction of the SINAUT MD741-1. You have the following options: ● Drop: All ICMP packets to the SINAUT MD741-1 are discarded. ● Allow Ping: Only ping packets (ICMP type 8) to the SINAUT MD741-1 are accepted. ● Accept: All types of ICMP packets to the SINAUT MD741-1 are accepted.
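The two ideas of Section 6.3, a cap on the number of new connections or pings that counts as normal and the three choices for ICMP addressed to the device, are sketched below in Python. This is an added illustration, not the device's code: the limit, the window length and the decision to drop the excess are constructed values, because the page does not give the MD741-1's actual thresholds or algorithm, and the three policy names are mine for the options Drop, Allow Ping and Accept.

```python
from collections import deque
from typing import Deque, Iterable, List, Tuple

ICMP_ECHO_REPLY = 0
ICMP_DEST_UNREACHABLE = 3
ICMP_ECHO_REQUEST = 8

# The three settings of "External ICMP to the SINAUT MD741-1" on the page.
ICMP_POLICIES = ("drop", "allow_ping", "accept")


def icmp_to_device_allowed(policy: str, icmp_type: int) -> bool:
    """Decide whether an ICMP packet addressed to the device itself is accepted."""
    if policy not in ICMP_POLICIES:
        raise ValueError(f"unknown ICMP policy {policy!r}")
    if policy == "accept":
        return True
    if policy == "allow_ping":
        return icmp_type == ICMP_ECHO_REQUEST   # only ICMP type 8
    return False                                # "drop": nothing gets through


class BurstLimiter:
    """Sliding-window counter: at most `limit` events per `window` seconds.

    Models the assumption of Section 6.3 that a normal sender produces only a
    certain number of new connections or pings and that a sudden burst is an
    attack. Limit and window are constructed values, not the device's."""

    def __init__(self, limit: int, window: float) -> None:
        self.limit = limit
        self.window = window
        self.events: Deque[float] = deque()

    def allow(self, now: float) -> bool:
        # Forget events that have fallen out of the window.
        while self.events and now - self.events[0] >= self.window:
            self.events.popleft()
        if len(self.events) >= self.limit:
            return False                        # excess: treated as attack, dropped
        self.events.append(now)
        return True


def filter_pings(policy: str, limiter: BurstLimiter,
                 arrivals: Iterable[Tuple[float, int]]) -> List[str]:
    """Apply the ICMP policy first, then the burst limit, to (time, type) pairs.
    Returns 'accept', 'policy-drop' or 'rate-drop' per packet."""
    verdicts = []
    for t, icmp_type in arrivals:
        if not icmp_to_device_allowed(policy, icmp_type):
            verdicts.append("policy-drop")
        elif not limiter.allow(t):
            verdicts.append("rate-drop")
        else:
            verdicts.append("accept")
    return verdicts


if __name__ == "__main__":
    # Constructed burst: six echo requests within 0.5 s, then one a second later.
    arrivals = [(0.1 * i, ICMP_ECHO_REQUEST) for i in range(6)] + [(1.6, ICMP_ECHO_REQUEST)]
    print(filter_pings("allow_ping", BurstLimiter(limit=3, window=1.0), arrivals))
```

One caveat worth keeping in mind when choosing Drop: it also discards ICMP type 3 (destination unreachable) messages to the device, including the "fragmentation needed" variant that path MTU discovery relies on, which can silently break large packets on a GPRS link carrying IPsec. Allow Ping keeps the device answerable for the connection check of other stations while still refusing everything else.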
6.4 Firewall Log. The application of individual firewall rules is recorded in the firewall log. For this, the Log function must be activated for the individual firewall rules. Figure 6-4 Security > Firewall Log. Caution: The firewall log is lost in the event of a reboot, including the daily reboot of Chapter 3.8 if that is enabled, so anything needed for later analysis must be collected before a reboot.
7 VPN connection The SINAUT MD741-1 can connect the local network to a friendly remote network via a VPN tunnel. The IP data packets that are exchanged between the two networks are encrypted, and are protected against unauthorised tampering by the VPN tunnel. This means that even unprotected public networks like the Internet can be used to transfer data without endangering the confidentiality or integrity of the data.
VPN connection For the VPN tunnel, the SINAUT MD741-1 uses the IPsec method in tunnel mode. In this method the IP data packets to be transmitted are completely encrypted and provided with a new header before they are sent to the remote station's VPN gateway. There the data packets are received, decrypted, and used to reconstruct the original data packets. These are then forwarded to their destination in the remote network.
VPN connection If the remote station is a computer running under Windows 2000, then the Microsoft Windows 2000 High Encryption Pack or at least Service Pack 2 must also be installed. If the remote station is on the other side of a NAT router, then the remote station must support NAT-T. Or else the NAT router must know the IPsec protocol (IPsec/VPN passthrough). 7.
VPN connection Roadwarrior Mode Edit Settings Figure 7-4 IPsec VPN > Connection Settings Function Set the SINAUT MD741-1 up in accordance with what has been agreed with the system administrator of the remote station. Authentication method Select the authentication method in accordance with what you have agreed with the system administrator of the remote station. The SINAUT MD741-1 supports three methods: ● X.509 certificate ● CA certificate ● Pre-shared key X.
The CA creates a certificate file (PKCS12) with the file extension *.p12 for each of the two remote stations. This certificate file contains the public and private keys of the own station, the certificate signed by the CA, and the public key of the CA. Because it contains the private key, the *.p12 file and its password must be kept confidential: anyone holding them can authenticate as that station. For the authentication method X.509 there is additionally a key file (*.pem, *.cer or *.crt) for each of the two remote stations with the public key of the own station. X.509 certificate The public keys (files with extension *.pem, *.cer or *.
VPN connection For authentication with pre-shared secret key (PSK): ● In Roadwarrior Mode the Remote ID must be entered manually. The Remote ID must have the format of a hostname (e.g. RemoteStation.de) or the format of an e-mail address (remote@station.de), and must be the same as the Local ID of the remote station. The Local ID can be left on NONE. In this case the IP address is used as the local IP address. If you enter a Local ID; then it must have the format of a hostname (e.g. RemoteStation.
ISAKMP-SA encryption, IPsec-SA encryption: Agree with the administrator of the remote station which encryption method will be used for the ISAKMP-SA and the IPsec-SA. The SINAUT MD741-1 supports the following methods: ● 3DES-168 ● AES-128 ● AES-192 ● AES-256. 3DES-168 is a widely supported method and is therefore set as the default; where the remote station supports it, AES should be preferred, since 3DES offers only about 112 bits of effective strength and uses 64-bit blocks. The method can be defined differently for ISAKMP-SA and IPsec-SA.
Note: When the authentication method Pre-Shared Key is used, Aggressive mode must be set in Roadwarrior mode. In Aggressive mode the identities are exchanged unencrypted and the authentication hash derived from the pre-shared key can be captured and attacked offline, so use a long, random pre-shared key or, better, certificates. ISAKMP-SA lifetime, IPsec-SA lifetime: The keys for an IPsec connection are renewed at certain intervals in order to increase the effort required to attack an IPsec connection. Specify the lifetime (in seconds) of the keys agreed on for the ISAKMP-SA and IPsec-SA. The lifetime can be defined differently for ISAKMP-SA and IPsec-SA.
VPN connection Dead peer detection is switched on. Independently of the transmission of user data, the SINAUT MD741-1 detects if the connection is lost, in which case it waits for the connection to be re-established by the remote stations. No Dead peer detection is switched off. DPD - delay (seconds) Time period in seconds after which DPD requests will be sent. These requests test whether the remote station is still available.
VPN connection 7.2 IPsec-SA lifetime (seconds) 86400 NAT-T On Enable dead peer detection Yes DPD - delay (seconds) 150 DPD – timeout (seconds) 60 DPD – maximum failures 5 VPN IPsec Standard Mode The VPN connections already created are shown. You can enable (Enabled = Yes) or disable (Enabled = No) each individual connection. You can use New to add additional VPN connections, Edit Settings and Advanced Settings to set them up, and Delete to remove a connection.
VPN connection VPN Standard Mode - Edit Settings Figure 7-7 IPsec VPN > Connection Settings Connection name Give the new connection a connection name here. Remote host Specify the address of the remote station here, either as a hostname (e.g. myadress.com) or as an IP address.
VPN connection Local network Remote network Admin PC Address of the remote network MD741-1 Admin PC VPN gateway Local application INTERNET (E-)GPRS External remote stations APN Local application VPN tunnel Figure 7-8 Address of the remote host X.509 certificate, CA certificate In the authentication methods X.509 certificate and CA certificate, the keys used for authentication have first been signed by a Certification Authority (CA). This method is considered especially secure.
VPN connection Remote ID, Local ID The Local ID and the Remote ID are used by IPsec to identify the remote stations uniquely when establishing the VPN connection. For authentication with X.509 certificate or CA certificate: ● If you keep the factory setting NONE, then the Distinguished Names from the own certificate and from the certificate communicated by the remote station are automatically applied and used as the Local ID and Remote ID.
Remote net address: Here enter the IP address (e.g. 123.123.123.123) of the remote network. The remote network can also be only a single computer.
Figure 7-9 Remote net address (figure: address of the local network with Admin PC, MD741-1 VPN gateway and local application; VPN tunnel via (E-)GPRS, APN and the Internet to the remote network with its address, Admin PC, local application and external remote stations)
Remote subnet mask: Here enter the subnet mask (e.g. 255.255.255.
Figure 7-10 IPsec > IKE Settings
ISAKMP-SA encryption, IPsec-SA encryption: Agree with the administrator of the remote station which encryption method will be used for the ISAKMP-SA and the IPsec-SA. The SINAUT MD741-1 supports the following methods:
● 3DES-168
● AES-128
● AES-192
● AES-256
3DES-168 is a commonly used method and is therefore set as the default. The method can be defined differently for ISAKMP-SA and IPsec-SA.
Note: The more bits in the encryption algorithm - indicated by the appended number - the more secure it is. The method AES-256 is therefore considered the most secure. However, the longer the key, the more time the encryption process takes and the more computing power is required.
ISAKMP-SA hash, IPsec-SA hash: Agree with the administrator of the remote station which method will be used for computing checksums/hashes during the ISAKMP phase and the IPsec phase.
NAT-T: There may be a NAT router between the SINAUT MD741-1 and the VPN gateway of the remote network. Not all NAT routers allow IPsec data packets to go through. It may therefore be necessary to encapsulate the IPsec data packets in UDP packets so that they can go through the NAT router.
On: If the SINAUT MD741-1 detects a NAT router that does not let the IPsec data packets through, then UDP encapsulation is started automatically.
DPD - timeout (seconds): Time period in seconds after which the connection to the remote station will be declared dead if no response has been made to the DPD requests.
DPD - maximum failures: Number of failed attempts permitted before the IPsec connection is considered to be interrupted.
Enable dead peer detection Yes
DPD - delay (seconds) 150
DPD - timeout (seconds) 60
DPD - maximum failures 5

7.3 Loading VPN certificates
Loading and administering certificates and keys.
Figure 7-11 IPsec > Certificates
Upload remote certificate: Here load key files (*.pem, *.cer or *.crt) with remote certificates and public keys from remote stations into the SINAUT MD741-1. To do this, the files must be saved on the Admin PC.
Caution: If there is already a certificate file in the device, then it must be deleted before loading a new file.
Password: The certificate file (PKCS12 file) is password-protected. Here enter the password that you received with the certificate file.
Remote certificates (*.pem, *.cer, *.crt): A list with all of the loaded remote certificates is shown here. You can use Delete to remove a remote certificate that is no longer needed.
Device certificates (.
Function: The IPsec VPN connection is viewed as fundamentally secure. Thus data traffic over this connection is not limited by default. It is possible, however, to create firewall rules for the VPN connection.
To set up firewall rules for the VPN connection, proceed in the same way as for setting up the packet filter function of the general firewall (see Chapter 6.1). However, the rules defined here apply only to the specific VPN connection.
Phase 1 timeout (seconds): The Phase 1 timeout determines how long the SINAUT MD741-1 waits for completion of an authentication process of the ISAKMP-SA. If the set timeout is exceeded, the authentication will be aborted and restarted. Here you change the timeout.
Phase 2 timeout (seconds): The Phase 2 timeout determines how long the SINAUT MD741-1 waits for completion of an authentication process of the IPsec-SA.
7.6 Status of the VPN connections
Indicates the status of the enabled VPN connections and the option for loading a protocol file to the Admin PC.
Figure 7-15 IPsec > Status
Enabled VPN Connections: A white check mark on a green dot indicates that the specific Security Association (SA) has been successfully established. A white cross on a red dot indicates that the Security Association does not exist.
8 Remote access
8.1 HTTPS remote access
The HTTPS remote access (= HyperText Transfer Protocol Secure) allows secure access to the Web user interface of the SINAUT MD741-1 from an external network via EGPRS, GPRS or CSD. Configuration of the SINAUT MD741-1 via the HTTPS remote access then takes place exactly like configuration via a Web browser via the local interface (see Chapter 3).
HTTPS remote access port: Default: 443 (factory setting). You can define a different port. However, if you have defined a different port, then the external remote station conducting the remote access must specify the port number after the IP address when specifying the address.
Example: If this SINAUT MD741-1 can be accessed via the Internet using the address 192.144.112.
Factory setting: The factory settings for the SINAUT MD741-1 are as follows:
Enable HTTPS remote access No (switched off)
HTTPS remote access port 443
Default for new rules:
From IP (External) 0.0.0.0/0
Action Accept
Log No (switched off)

8.2 SSH remote access
The SSH remote access (= Secure Shell) allows secure access to the file system of the SINAUT MD741-1 from an external network via EGPRS, GPRS or CSD.
Enable SSH remote access
Yes: Access to the file system of the SINAUT MD741-1 from the external network via SSH is allowed.
No: Access via SSH is not allowed.
SSH remote access port: Default: 22 (factory setting). You can define a different port. However, if you have defined a different port, then the external remote station conducting the remote access must specify the port number defined here in front of the IP address when specifying the address.
Reject means that the data packets are rejected, and the sender receives a message about the rejection.
Drop means that the data packets are not allowed through. They are discarded without the sender receiving any information about where they went.
Log: For each individual firewall rule you can define whether the event should be logged when the rule takes effect (set Log to Yes) or not (set Log to No, the factory setting). The log is kept in the firewall log, see Chapter 6.4.
Figure 8-3 Access > CSD Dial-In
Enable CSD dial-in
Yes: Access to the Web user interface of the SINAUT MD741-1 from a dial-in data connection is allowed.
No: Access via dial-in data connection is not allowed.
PPP username / password: Select a username and a password that must be used by a PPP client (e.g. a Windows dial-up connection) to log on to the SINAUT MD741-1. The same username and the same password must be entered in the PPP client.
Note: Firewall rules entered for HTTPS and SSH access also apply for CSD access. The source IP address ("From IP") for CSD access is defined as 10.99.99.2.
New: Adds a new approved call number for CSD remote access that you can then fill out.
Delete: Removes a firewall rule for CSD remote access.
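How the remote-access rules above combine in practice, as an added example (not Siemens' code): first matching "From IP" rule decides, Accept/Reject/Drop differ in what the sender learns, Log = Yes writes an entry, and the CSD dial-in source 10.99.99.2 is checked against the same HTTPS/SSH rules. The rule sets, the administration network 198.51.100.0/24 and the external address are constructed, and the behaviour when no rule matches is an assumption.

```python
# Added example, not Siemens' code: first-match evaluation of the remote-access
# firewall rules (From IP, Action Accept/Reject/Drop, Log Yes/No) from the manual.
import ipaddress
from dataclasses import dataclass

# Fixed source address the device uses for CSD dial-in access (manual, Chapter 8).
CSD_SOURCE_IP = "10.99.99.2"

# Sender feedback per action as the manual explains it: Reject answers the
# sender, Drop discards silently, Accept lets the packet through.
SENDER_IS_NOTIFIED = {"Accept": False, "Reject": True, "Drop": False}


@dataclass(frozen=True)
class Rule:
    from_ip: str       # "From IP (External)" in CIDR notation, e.g. "0.0.0.0/0"
    action: str        # "Accept", "Reject" or "Drop"
    log: bool = False  # "Log" = Yes / No


# Factory default for new rules as stated in the manual: every source accepted, not logged.
FACTORY_DEFAULT_RULES = [Rule("0.0.0.0/0", "Accept", log=False)]

# Constructed hardened rule set: one administration network and the CSD dial-in
# source are accepted and logged; everything else is dropped and logged.
HARDENED_RULES = [
    Rule("198.51.100.0/24", "Accept", log=True),
    Rule(CSD_SOURCE_IP + "/32", "Accept", log=True),
    Rule("0.0.0.0/0", "Drop", log=True),
]


def evaluate(rules, source_ip, log):
    """Return the Action of the first rule whose From IP contains source_ip.

    A log line is appended to `log` when that rule has Log = Yes. If no rule
    matches, the packet is treated as dropped (assumption, not from the manual).
    """
    src = ipaddress.ip_address(source_ip)
    for rule in rules:
        if src in ipaddress.ip_network(rule.from_ip, strict=False):
            if rule.log:
                log.append(f"{src} matched From IP {rule.from_ip}: {rule.action}")
            return rule.action
    return "Drop"


def remote_access_decision(rules, source_ip, log):
    """(Action, whether the sender is told about it) for one access attempt."""
    action = evaluate(rules, source_ip, log)
    return action, SENDER_IS_NOTIFIED[action]


def csd_dial_in_allowed(rules):
    """The HTTPS/SSH rules also govern CSD access, whose From IP is always 10.99.99.2."""
    return evaluate(rules, CSD_SOURCE_IP, []) == "Accept"


if __name__ == "__main__":
    for rules in (FACTORY_DEFAULT_RULES, HARDENED_RULES):
        entries = []
        print(remote_access_decision(rules, "203.0.113.7", entries), entries,
              "CSD allowed:", csd_dial_in_allowed(rules))
```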
9 Status, log and diagnosis
9.1 System status display
The System Status gives an overview of the current operating status of the SINAUT MD741-1.
Figure 9-1 System > Status
Note: Use the Refresh function of the Web browser to update the displayed values.
Current system time: Shows the current system time of the SINAUT MD741-1 in the format: Year - Month - Day, Hours - Minutes
Connection: Shows if a wireless connection exists, and which one:
● EDGE connection (IP connection via EGPRS)
● GPRS connection (IP connection via GPRS)
● CSD connection (service connection via CSD)
Note: It may occur that an EDGE (EGPRS) or GPRS connection and an assigned IP address are both shown, but the connection quality is still not good enough to t
Assigned IP address: Shows the IP address at which the SINAUT MD741-1 can be reached in EGPRS or GPRS. This IP address is assigned to the SINAUT MD741-1 by the EGPRS or GPRS service.
Signal (CSQ level): Indicates the strength of the GSM signal as a CSQ value.
● CSQ < 6: Poor signal strength
● CSQ = 6..
Bytes sent / Bytes received since initial operation: Shows the number of bytes that have been sent or received via GPRS since the last time the factory settings were loaded. The counter is reset when the factory settings are loaded.
Remote HTTPS: Shows whether remote access to the Web user interface of the SINAUT MD741-1 via EGPRS or GPRS is permitted.
● White check mark at green dot: Access is allowed.
● White cross at red dot: Access is not allowed.
9.2 Log
Figure 9-2 System > Log
Logfile: Important events in the operation of the SINAUT MD741-1 are saved in the log:
● Reboot
● Changes to the configuration
● Establishing of connections
● Interruption of connections
● Signal strength
● and operating messages
The log is saved to the log archive of the SINAUT MD741-1 when a file size of 1 MByte is reached, but after 24 hours at the latest.
Example: Entries in log
Column A: Time stamp
Column B: Product number
Column C: Signal quality (CSQ value)
Column D: GSM login status
STAT = --- = Function not activated yet
STAT = 1 = Logged in to home network
STAT = 2 = Not logged in; searching for network
STAT = 3 = Login rejected
STAT = 5 = Logged in to third-party network (roaming)
Column E: Indication of the network operator identification with the 3-digit country code (MCC) and the 2-3-digit network operator code (MNC).
Example: 26201 (262 = country code / 01 = network operator code)
Column F: Coded operating status (for Hotline)
Column G: Category of the log report (for Hotline)
Column H: Internal source of the log report (for Hotline)
Column I: Internal report number (for Hotline)
Column J: Log report in plain text
Columns K-P: Additional information on the plain text report, such as:
9.
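A parser for log entries in the column layout A to P described above, as an added example (not Siemens' code, and not the device's real output format): it decodes the STAT value, splits column E into MCC and MNC, and flags rejected logins, roaming and poor signal for monitoring. The ";" separator, the PRODUCT-NO placeholder and the sample lines are constructed; the STAT meanings and the CSQ < 6 threshold are taken from the manual.

```python
# Added example, not Siemens' code: parses log entries laid out in columns A..P
# as the manual describes them and flags the GSM states worth monitoring.

# Column D (GSM login status) as listed in the manual.
STAT_TEXT = {
    "---": "Function not activated yet",
    "1": "Logged in to home network",
    "2": "Not logged in; searching for network",
    "3": "Login rejected",
    "5": "Logged in to third-party network (roaming)",
}

# Columns A..J in order; K..P carry free-form additional information.
COLUMNS = ["time", "product", "csq", "stat", "plmn", "op_status",
           "category", "source", "report_no", "text"]

# Constructed sample log (not real device output). Separator ";" is an assumption;
# the time format follows the manual's Year-Month-Day, Hours-Minutes.
SAMPLE_LOG = """\
2008-04-15 10:21;PRODUCT-NO;18;1;26201;0;I;GSM;1001;GPRS connection established
2008-04-15 10:35;PRODUCT-NO;4;1;26201;0;W;GSM;1002;Signal strength;low
2008-04-15 11:02;PRODUCT-NO;12;5;20416;0;I;GSM;1003;Logged in;roaming
2008-04-15 11:40;PRODUCT-NO;9;3;26202;0;E;GSM;1004;Login rejected
"""


def split_plmn(plmn):
    """Column E: 3-digit country code (MCC) followed by the 2-3 digit MNC,
    e.g. '26201' -> ('262', '01')."""
    if not plmn.isdigit() or len(plmn) not in (5, 6):
        raise ValueError(f"bad network operator identification: {plmn!r}")
    return plmn[:3], plmn[3:]


def parse_entry(line, sep=";"):
    """Turn one log line into a dict keyed by column name."""
    fields = line.rstrip("\n").split(sep)
    if len(fields) < len(COLUMNS):
        raise ValueError(f"expected at least {len(COLUMNS)} columns: {line!r}")
    entry = dict(zip(COLUMNS, fields))
    entry["extra"] = fields[len(COLUMNS):]            # columns K-P
    # Column C: CSQ value; non-numeric when the modem has not reported one.
    entry["csq"] = int(entry["csq"]) if entry["csq"].isdigit() else None
    entry["stat_text"] = STAT_TEXT.get(entry["stat"], "unknown STAT value")
    entry["mcc"], entry["mnc"] = split_plmn(entry["plmn"])
    # Manual: CSQ < 6 means poor signal strength.
    entry["signal_poor"] = entry["csq"] is not None and entry["csq"] < 6
    return entry


def parse_log(text, sep=";"):
    return [parse_entry(line, sep) for line in text.splitlines() if line.strip()]


def flag_entries(entries):
    """(report_no, flag) pairs for states an operator should watch: rejected
    logins, roaming (extra charges, see the GPRS cost caution) and poor signal."""
    flags = []
    for e in entries:
        if e["stat"] == "3":
            flags.append((e["report_no"], "login_rejected"))
        if e["stat"] == "5":
            flags.append((e["report_no"], "roaming"))
        if e["signal_poor"]:
            flags.append((e["report_no"], "poor_signal"))
    return flags


if __name__ == "__main__":
    for report_no, flag in flag_entries(parse_log(SAMPLE_LOG)):
        print(report_no, flag)
```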
Figure 9-3 Maintenance > Remote Logging
Enable remote logging (FTP upload): Yes activates the function.
Time
FTP Server: Specifies the address of the FTP server to which the log files are to be transferred. The address can be specified as a hostname (e.g. ftp.server.de) or as an IP address.
Username: Specifies the username for logging in to the FTP server.
Password: Specifies the password for logging in to the FTP server.
Factory setting: The factory settings for the SINAUT MD741-1 are as follows:
Enable remote logging (FTP upload) No (switched off)
Time 00:00
FTP Server NONE
Username guest
Password guest

9.4 Snapshot
This function is used for support purposes. The service snapshot downloads important log files and current device settings that could be important for fault diagnosis and saves them in a file.
If you contact our Hotline in the event of a problem with the SINAUT MD741-1, in many cases they will ask you for the snapshot file.
Note: This file contains the access parameters for EGPRS and GPRS and the addresses of the remote station. It does not contain the username and password for access to the SINAUT MD741-1.
9.5 Hardware information
Shows important information for hardware identification. This information is often needed in the event of queries to our Hotline.
9.6 Software information
Shows important information for software identification. This information is often needed in the event of queries to our Hotline. Planned updates are additionally shown. See also Chapter 10.2.
10 Additional functions
10.1 Alarm SMS
The SINAUT MD741-1 can transmit short alarm messages via the SMS (= Short Message Service) of the GSM network. Two events can trigger transmission of an alarm message via SMS:
● Event 1: No GPRS connection
A separate call number for sending the alarm message to can be specified for each of these two events. The text of the alarm message can also be freely defined.
SMS service center call number: So that the SMS function will work reliably, enter the call number of the service center here. Without an entry in this location the default SMS service center of your network operator will be used.
Settings
Enable: With Yes the alarm message is sent when the event occurs, with No it is not.
Call number: Here enter the call number of the end device to which the alarm message is to be sent via SMS.
Figure 10-2 Maintenance > Update
Define the update time
No: Immediate update - The new operating software is activated immediately after you load the software and click on Submit.
Yes: Time-controlled update - The new operating software is activated at the defined update time. The software must have been loaded already.
Define the update time: If you want to have the update carried out with time control, specify the time when the new operating software is to be activated.
Submit: With Submit the operating software is either activated immediately or activated at the specified time.
11 Technical Data
Interfaces
Application interface: 10/100 Base-T (RJ45 plug) Ethernet IEEE802 10/100 Mbit/s
Service interface: USB-A (reserved for later applications)
Wireless connection: EDGE / GPRS
Security functions: Stateful inspection firewall, Anti-spoofing, Port forwarding
Additional functions: DNS cache, DHCP server, NTP, remote logging, connection monitoring, alarm-SMS
Management: Web-based administration user interface, ssh console
Coding schemes: EDGE Multislot class 12 / EDGE Multislot class 12
Ambient conditions
Housing
DE
Power supply
Max. transmitting power (acc.
Class 4 (+33dBm ±2dB) for EGSM850
Current consumption (3)
Operating mode | Input voltage [V] | Connected, no data transfer [mA] | Continuous data transfer with low signal quality (1) [mA] | Continuous data transfer with medium signal quality (2) [mA] | Burst [mA]
GSM-CSD | 12 | 174 | 315 | 263 | 1000
GSM-CSD | 24 | 97 | 168 | 137 | 450
GSM-CSD | 30 | 82 | 137 | 116 | 360
EGPRS / GPRS | 12 | 174 | 365 | 282 | 1260
EGPRS / GPRS | 24 | 97 | 182 | 147 | 550
EGPRS / GPRS | 30 | 82 | 150 | 121 | 420
(1) Measured at GSM900 Power Level 5 (33dBm transmitting power)
(2) Measured at GSM900 Power Level
12 Applied Standards and Approvals
12.1 Equipment
Product name SINAUT MD741-1
Manufacturer Siemens Aktiengesellschaft, Industry Automation
Intended purpose (E-)GPRS-VPN-Router for industrial application
12.
● Directive 1999/5/EC (R&TTE) of the European Parliament and of the Council of 9 March 1999 on radio equipment and telecommunications terminal equipment and the mutual recognition of their conformity,
● Directive 2006/95/EC (LVD) of the European Parliament and of the Council of 12 December 2006 on the harmonization of the laws of Member States relating to electrical equipment designed for use within certain voltage limits,
● Directive 2004/108/EC (EMC) of the European P
Warning: The SINAUT MD741-1 is a Class A device. This device can cause radio interference in residential areas; in this case the user may be required to take appropriate measures.
UL/CSA Certification
Marking
Applied standards
• UL 60950, 1st edition
• CSA C22.2 No.60950
12.4 Compliance to FCC
Approval pending - applied for approval
Marking: SINAUT MD741-1 FCC ID: LYHMD741-1 contains MC75 FCC ID: QIPMC75
Applied standards
● FCC Part 15
● FCC Part 15.19
● FCC Part 15.
● Reorient or relocate the receiving antenna.
● Increase the separation between the equipment and receiver.
● Connect the equipment into an outlet on a circuit different from that to which the receiver is connected.
● Consult the dealer / installer or an experienced radio/TV technician for help.
FCC Part 15.19
This device complies with Part 15 of the FCC Rules. Operation is subject to the following two conditions:
1.
Contains FCC ID: QIPMC75
This device contains GSM, GPRS Class12 and EGPRS Class 10 functions in the 900 and 1800 MHz Band which are not operational in U.S. Territories. This device is to be used only for mobile and fixed applications. The antenna(s) used for this transmitter must be installed to provide a separation distance of at least 20cm from all persons and must not be co-located or operating in conjunction with any other antenna or transmitter.
Glossary
AES: Advanced Encryption Standard. The NIST (National Institute of Standards and Technology) has been developing the AES encryption standard jointly with industrial companies for years. This (→ symmetrical encryption) is designed to replace the previous DES standard. The AES standard specifies three different key sizes with 128, 192 and 256 bits. In 1997, the NIST launched the AES initiative and announced its conditions for the algorithm.
Additional Internal Routes: The following sketch shows how the IP addresses could be distributed in a local network with subnetworks, what network addresses result from this, and what the specification for an additional internal route could look like.
MD741-1 external address (assigned by provider): e.g. 80.81.192.37
MD741-1 internal address: 192.168.11.1
(E-)GPRS, APN, Switch
Network A: Network address 192.168.11.0 / 24, Netmask 255.255.255.0
Router IP external: 192.168.11.
Network A
Computer A1: IP address 192.168.11.3, Network mask 255.255.255.0
A2: 192.168.11.4, 255.255.255.0
A3: 192.168.11.5, 255.255.255.0
A4: 192.168.11.6, 255.255.255.0
A5: 192.168.11.7, 255.255.255.0
Network B
Computer B1: IP address 192.168.15.3, Network mask 255.255.255.0
B2: 192.168.15.4, 255.255.255.0
B3: 192.168.15.5, 255.255.255.0
B4: 192.168.15.6, 255.255.255.0
Network C
Computer C1: IP address 192.168.27.3, Network mask 255.255.255.0
C2: 192.168.27.4, 255.255.255.0
C3: 192.168.27.5, 255.255.255.
IP netmask | binary | CIDR
255.255.255.255 | 11111111 11111111 11111111 11111111 | 32
255.255.255.254 | 11111111 11111111 11111111 11111110 | 31
255.255.255.252 | 11111111 11111111 11111111 11111100 | 30
255.255.255.248 | 11111111 11111111 11111111 11111000 | 29
255.255.255.240 | 11111111 11111111 11111111 11110000 | 28
255.255.255.224 | 11111111 11111111 11111111 11100000 | 27
255.255.255.192 | 11111111 11111111 11111111 11000000 | 26
255.255.255.128 | 11111111 11111111 11111111 10000000 | 25
255.255.255.0 255.255.254.
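The conversion behind the netmask/CIDR table, together with a route lookup over the "Additional Internal Routes" sketch (networks A, B and C), as an added example that is not Siemens' code: it computes the binary form and prefix length of a netmask, rejects non-contiguous masks, and resolves which destinations are local and which need the additional internal route. The router address 192.168.11.254 is a constructed placeholder for the sketch's router, and the "vpn/external" default is an assumption.

```python
# Added example, not Siemens' code: netmask <-> CIDR conversion as in the
# glossary table, plus longest-prefix route lookup over the glossary's sketch.
import ipaddress


def netmask_binary(mask):
    """Dotted netmask -> its four binary octets, as shown in the glossary table."""
    octets = mask.split(".")
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        raise ValueError(f"not a dotted netmask: {mask!r}")
    return " ".join(f"{int(o):08b}" for o in octets)


def netmask_to_cidr(mask):
    """Count the leading ones; a valid netmask has no 1 bit after the first 0."""
    bits = netmask_binary(mask).replace(" ", "")
    prefix = len(bits) - len(bits.lstrip("1"))
    if "1" in bits[prefix:]:
        raise ValueError(f"non-contiguous netmask: {mask}")
    return prefix


def cidr_to_netmask(prefix):
    """Prefix length -> dotted netmask, e.g. 26 -> 255.255.255.192."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix length must be 0..32")
    value = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def network_address(ip, mask):
    """Network a host belongs to, e.g. 192.168.15.3 / 255.255.255.0 -> 192.168.15.0/24."""
    return str(ipaddress.ip_network(f"{ip}/{netmask_to_cidr(mask)}", strict=False))


# Route table for the sketch: network A is directly attached to the MD741-1's
# internal address 192.168.11.1; B and C are reached through the additional
# internal route via the router (constructed address 192.168.11.254).
ROUTES = [
    ("192.168.11.0/24", "direct"),
    ("192.168.15.0/24", "192.168.11.254"),
    ("192.168.27.0/24", "192.168.11.254"),
    ("0.0.0.0/0", "vpn/external"),   # assumption: everything else leaves via the MD741-1
]


def route_lookup(destination, routes=ROUTES):
    """Longest-prefix match: the most specific matching route wins."""
    dst = ipaddress.ip_address(destination)
    best = None
    for net_str, next_hop in routes:
        net = ipaddress.ip_network(net_str)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1]


if __name__ == "__main__":
    for mask in ("255.255.255.255", "255.255.255.248", "255.255.255.0"):
        print(mask, netmask_binary(mask), netmask_to_cidr(mask))
    for host in ("192.168.11.3", "192.168.15.4", "192.168.27.5", "80.81.192.37"):
        print(host, "->", route_lookup(host))
```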
CSD 9600: CSD (9600) stands for Circuit Switched Data or dial-in data connection. Here a connection is created between two users (end points of the connection), similar to a telephone call over a public telephone network. User 1 dials the telephone number of user 2. The network signals to user 2 that there is a call, user 2 accepts the call and the network establishes the connection until one of the users terminates the connection again.
DES/3DES: The symmetrical encryption algorithm (→ symmetrical encryption) DES, originally developed by IBM and checked by the NSA, was determined in 1977 by the American National Bureau of Standards, the predecessor of today's National Institute of Standards and Technology (NIST), as the standard for American government institutions. As this was the first standardized encryption algorithm of all, it quickly established itself in industry and hence outside the USA.
... local computer which is registered with the DynamicDNS provider, the external computer uses the hostname of the local computer as the address. In this way a connection is established with the responsible DNS (Domain Name Server) in order to look up there the IP address which is currently assigned to this hostname. The IP address is transmitted back to the external computer, and then used by it as the destination address. This now leads precisely to the desired local computer.
... distinction is made between networks of Class A, B and C - the two address components may be of different sizes:
Class A: 1st byte = Netw. addr.; 2nd, 3rd and 4th byte = Host addr.
Class B: 1st and 2nd byte = Netw. addr.; 3rd and 4th byte = Host addr.
Class C: 1st, 2nd and 3rd byte = Netw. addr.; 4th byte = Host addr.
It can be seen from the first byte of the IP address whether the IP address designates a network of Class A, B or C.
NAT (Network Address Translation): In Network Address Translation (NAT) - often also referred to as IP Masquerading - an entire network is "hidden" behind a single device, the NAT router. This device is usually a router. The internal computers in the local network remain hidden with their IP addresses when they communicate to the outside via the NAT router. For the external communication partners only the NAT router with its own IP address appears.
PPPoE: Acronym for Point-to-Point Protocol over Ethernet. It is based on the standards PPP and Ethernet. PPPoE is a specification for connecting users to the Internet via Ethernet using a jointly used broadband medium such as DSL, Wireless LAN or cable modem.
PPTP: Acronym for Point-to-Point Tunneling Protocol. This protocol was developed by Microsoft, U.S. Robotics and others in order to transmit data securely between two VPN nodes (→ VPN) over a public network.
Stateful inspection firewall: A stateful inspection firewall is a packet filtering method. Packet filters only let IP packets through if this has been defined previously using firewall rules.
TCP/IP (Transmission Control Protocol/Internet Protocol): Network protocol that is used to connect two computers on the Internet. IP is the basic protocol. UDP builds on IP, and sends individual packets. These can arrive at the recipient in a different sequence from the one they were sent in, or they can even get lost. TCP serves to secure the connection, and ensures, for example, that the data packets are forwarded to the application in the right sequence.
X.509: A kind of "seal" which proves the authenticity of a Public Key (→ asymmetrical encryption) and associated data. So that the user of the public key for encryption can be certain that the public key conveyed to him really does come from its issuer and hence from the entity that is to receive the data to be sent, certification can be used.