
7. Settings

The information in this chapter is identical to the Help content of the individual menus.

7.1. Interfaces

7.1.1. Ethernet

RipEX2 provides 5 physical Ethernet ports ETH1, ETH2, ETH3, ETH4 and ETH5. The first 4 ETH ports are metallic; the 5th port is an SFP port. An Ethernet bridge – a logical Network interface – can be defined by bridging (joining) multiple physical Ethernet interfaces together. All interfaces bridged together share the same traffic.

The Network interface (technically an Ethernet bridge) is identified by a name. The name always begins with the “LAN-” prefix. Multiple Network interfaces can be defined, and multiple physical Ethernet interfaces can be bridged together by a single Network interface.

When the unit is operating in Bridge mode, the default Network interface bridges together not only the physical Ethernet ports but also the Radio interface. All Ethernet traffic received by those Ethernet ports is transferred to the Radio interface and transmitted over the Radio channel, and vice versa.

When the unit is operating in Router mode, the Radio channel transmits only the traffic which is destined to the Radio interface by the Routing rules.

The radio unit's default setting bridges all Ethernet ports together. New Network interfaces can be defined to split the Ethernet traffic of the individual ports. Any single Ethernet port can be detached from an existing Network interface and added to another Network interface.

Single or multiple Ethernet subnets can be defined within one Network interface. Each subnet is identified by its IP address & mask. Use the optional Note field to keep your network configuration human readable.

Enable / Disable: enables / disables the specific Ethernet subnet

IP address: IP address & mask of the specific Ethernet subnet (in CIDR notation). The IP address represents the Network interface in the Layer 3 Ethernet network.

Note: optional Ethernet subnet description

7.1.2. Radio

a) Radio protocol

  • Radio protocol: type of the radio protocol

    • Transparent (bridge mode), default

    • Base driven (router mode)

  • Transparent (bridge mode)

    Bridge mode with the fully transparent Radio protocol is suitable for all polling (request-response) applications with star network topologies; repeater(s) are possible as well.

    A packet received through any interface is broadcasted to the appropriate interfaces of all units within the network.

    Any unit can be configured as a repeater. A repeater relays all packets it receives through the radio channel. The network implements safety mechanisms which prevent cyclic loops in the radio channel (e.g. when a repeater receives a packet from another repeater) or duplicate packets delivered to the user interface (e.g. when RipEX receives a packet directly and then from a repeater).

    The Transparent protocol does not resolve collisions on the radio channel. There is, however, a CRC check of data integrity, i.e. once a message is delivered, it is 100% error free.

    • Communication mode

      List box {Half Duplex, Full Duplex}, default Half Duplex

      Full duplex operation is available only for Point-to-Point communication.

    • Unit is repeater

      List box {On, Off}, default Off

      Each RipEX2 may work simultaneously as a Repeater (Relay) in addition to the standard Bridge operation mode.

      If “On”, every frame received from the Radio channel is transmitted to the respective user interface (ETH, COM) and to the Radio channel again.

      The Bridge functionality is not affected, i.e. only frames whose recipients belong to the local LAN are transmitted from the ETH interface.

      It is possible to use more than one Repeater within a network. To eliminate the risk of creating a loop, the “Number of repeaters” has to be set in all units in the network, including the Repeater units themselves.

      Warning: when Repeater mode is enabled, “Modulation rate” and “FEC” must be set to the same values throughout the whole network to prevent frame collisions.

    • No of repeaters

      Default = 0

      If there is a repeater (or more of them) in the network, the total number of repeaters within the network MUST be set in all units in the network, including the Repeater units themselves. After transmitting to or receiving from the Radio channel, further transmission (from this RipEX) is blocked for a period calculated to prevent collision with a frame transmitted by a Repeater. Furthermore, a copy of every frame transmitted to or received from the Radio channel is stored (for a period). Whenever a duplicate of a stored frame is received, it is discarded to avoid possible looping. These measures are not taken when the parameter “Number of repeaters” is zero, i.e. in a network without repeaters.

    • Tx delay [B]

      This parameter should be used when all substations (RTU) reply to a broadcast query from the master station. In such a case massive collisions would ensue because all substations (RTU) would reply at nearly the same time. To prevent such collisions, Tx delay should be set individually in each slave RipEX. The length of the responding frame, the length of the Radio protocol overhead and the modulation rate have to be taken into account.

  • Base driven protocol

    Router mode with the Base driven protocol is suitable for a star network topology with up to 256 Remotes under one Base station. Each Remote can work as a Repeater for one or more additional Remotes. This protocol is optimized for TCP/IP traffic and/or ‘hidden’ Remotes in report-by-exception networks, i.e. when a Remote cannot be heard by other Remotes and/or different Rx and Tx frequencies are used.

    All traffic over the Radio channel is managed by the Base station. Radio channel access is granted by a deterministic algorithm resulting in collision free operation regardless of the network load. Uniform distribution of Radio channel capacity among all Remotes creates stable response times with minimum jitter in the network.

    Frame acknowledgement, retransmissions and CRC check guarantee data delivery and integrity even under harsh interference conditions on the Radio channel.

    Note

    There is no need to set any routes in the Routing table(s) for Remote stations located behind a Repeater. Forwarding of frames from the Base station over the Repeater in either direction is serviced transparently by the Base driven protocol.

    Note

    When Remote to Remote communication is required, the respective routes via the Base station have to be set in the Routing tables of the Remotes.

  • Station type

    List box {Base, Remote}, default Base

    • Base

      Only one Base station should be present within one radio coverage when Base driven protocol is used.

    • Remotes

      Radio protocol parameters for every Remote station must be configured in this table.

  • Protocol address

    Protocol address [0 to 255] is the unique address assigned to each Remote and is used only by Base driven protocol. It is set in Remote unit in its Radio protocol settings. The default and recommended setting assigns Protocol address to be equal to the Radio IP last byte (Protocol address mode in Remote unit is then set to Automatic address mode).

    Note

    If you configure any Remote station protocol addresses which are not present in the running network, radio channel access will still be granted to them regularly, resulting in lower total network throughput: every address listed in this table is taken into consideration when scheduling radio channel access. It is possible to prepare the configuration for an additional radio unit in the network if needed; the “Active” parameter (see below) of such a table record can be marked as not active. In this case the record is never granted radio channel access.

  • ACK

    Set value is used in one direction from Base to Remote (Remote to Base direction is configured in Remote unit in its Radio protocol settings). If the Remote station is behind Repeater, set value is used for both radio hops: Base station – Repeater and Repeater – Remote.

  • Retries

    Set value is used in one direction from Base to Remote (Remote to Base direction is configured in Remote unit in its Radio protocol settings). If the Remote station is behind Repeater, set value is used for both radio hops: Base station – Repeater and Repeater – Remote.

b) Radio parameters

  • TX frequency

    Transmitting frequency in Hz. Step 5 kHz (for 25 kHz channel spacing) or 6.25 kHz (for 12.5 or 6.25 kHz channel spacing).

    The value entered must be within the frequency tuning range of the product as follows:

    RipEX2-1A: 135-175 MHz

    RipEX2-3B: 335-400 MHz

    RipEX2-4A: 400-470 MHz

  • RX frequency

    Receiving frequency, the same format and rules apply as for TX frequency.

  • Antenna configuration

    List box {Single (Tx/Rx), Dual (Rx, Tx/Rx)}, default Dual (Rx, Tx/Rx)

    See chapter 1.2.1. Antenna for details

  • RF power PEP

    Setting of RF power in dBm (PEP). For the maximum power of the individual modulations and the relationship between PEP and RMS, see Tab. 9.10 of this manual.

  • Channel spacing [kHz]

    List box {possible values}, default = 25 kHz

  • Occupied bandwidth limit [kHz]

    List box {possible values}, default = 25 kHz

    The occupied bandwidth is limited by the granted radio channel. The standards supported by the individual OBW limits are listed in chapter 7.1.2, Detailed Radio parameters, of this manual.

  • Modulation type

    List box {FSK, QAM}, default = FSK

    • FSK

      Suitable for difficult conditions – longer radio hops, non-line of sight, noise / interferences on Radio channel…

      Note

      FSK belongs to the continuous-phase frequency-shift keying family of non-linear modulations. Compared to QAM (linear modulations), FSK is characterized by narrower bandwidth, a lower symbol rate and higher sensitivity. As a result, the system gain is higher, power efficiency is higher, but spectral efficiency is lower.

    • QAM

      Suitable for normal conditions offering higher data throughput.

      Note

      QAM belongs to the phase shift keying family of linear modulations. Compared to FSK (non-linear modulations), QAM is characterized by wider bandwidth. The spectral efficiency is higher, power efficiency is lower and system gain is typically lower.

  • FEC

    List box {2/3, 3/4, 5/6, Off}, default = Off

    FEC (Forward Error Correction) is a very effective method to minimize radio channel impairments. Basically, the sender inserts some redundant data into its messages. This redundancy allows the receiver to detect and correct errors; a Trellis code with a Viterbi soft-decoder is used. The improvement comes at the expense of the user data rate: the lower the FEC ratio, the better the error correction capability and the lower the user data rate. User data rate = Modulation rate × FEC ratio.

7.1.3. COM

The menu is divided into two parts:

  • COM port parameters

    The settings of Data rate, Data bits, Parity and Stop bits of the COM port and of the connected device must match.

  • Protocol parameters

    Each SCADA protocol used on a serial interface is more or less unique. The COM port protocol module converts it to standard UDP datagrams, which travel across the RipEX2 Radio network.

  • Type

    List box {possible values}, default = RS232

    COM port can be configured to either RS232 or RS485.

  • Baud rate [b/s]

    List box {standard series of rates from 300 to 1152000 b/s}, default = 19200.

    Select Baud rate from the list box: 300 to 1152000 b/s rates are available.

    Serial ports use two-level (binary) signaling, so the data rate in bits per second is equal to the symbol rate in bauds.

  • Data bits

    List box {8, 7}, default = 8

    The number of data bits in each character.

  • Parity

    List box: {None, Odd, Even}, default = none

    Wikipedia: Parity is a method of detecting errors in transmission. When parity is used with a serial port, an extra data bit is sent with each data character, arranged so that the number of 1-bits in each character, including the parity bit, is always odd or always even. If a byte is received with the wrong number of 1-bits, then it must have been corrupted. However, an even number of errors can pass the parity check.

  • Stop bits

    List box: {possible values}, default = 1

    Wikipedia: Stop bits send at the end of every character allow the receiving signal hardware to detect the end of a character and to resynchronize with the character stream.

  • Idle [B]

    Default = 5 [0 – 2000]

    This parameter defines the maximum gap (in bytes) in the received data stream. If the gap exceeds the value set, the link is considered idle, the received frame is closed and forwarded to the network.

  • MRU [B]

    Default = 1600 [1 – 1600]

    MRU (Maximum Reception Unit) — an incoming frame is closed at this size even if the stream of bytes continues. Consequently, a permanent data stream coming to a COM results in a sequence of MRU-sized frames sent over the network.

    Note

    1. Very long frames (>800 B) require good signal conditions on the Radio channel and the probability of a collision increases rapidly with the length of the frames. Hence if your application can work with smaller MTU, it is recommended to use values in 200 – 400 bytes range.

    Note

    2. This MRU and the MTU in Radio settings are independent, however MTU should be greater or equal to MRU.

  • Flow control

    List box: {None, RTS/CTS}, default = none

    RTS/CTS (Request To Send / Clear To Send) hardware flow control (handshake) between the DTE (Data Terminal Equipment) and RipEX2 (DCE – Data Communications Equipment) can be enabled in order to pause and resume the transmission of data. If the RX buffer of RipEX2 is full, CTS goes down.

    Note

    RTS/CTS Flow control requires a 5-wire connection to the COM port.

  • Protocol

    List box: {None, Async Link, DNP3, DF1}, default = DNP3

    Common parameters:

    • Broadcast

      List box: {On, Off}, default = on

      Some Master SCADA units send broadcast messages to all Slave units. The SCADA application typically uses a specific address for such messages. RipEX2 (the Protocol module) converts such a message to a customized IP broadcast and broadcasts it to all RipEX2 units, i.e. to all SCADA units within the network.

  • Address translation

    SCADA protocol address is translated to the IP address using either Mask or Table type of conversion.

  • Mask

    • Base IP / Mask

      Default = IP address of ETH interface

      When the destination IP address of the UDP datagram (in which the serial SCADA message received from COM is encapsulated) is created, this Base IP is taken as the basis and only the part defined by Mask is replaced by the ‘Protocol address’.

      Note

      - all IP addresses used have to be within the same subnet, which is defined by this Mask

      - the same UDP port is used for all the SCADA units, which results in the following limitations:

        • SCADA devices on all sites have to be connected to the same interface

        • only one SCADA device can be connected to one COM port, even if the RS485 interface is used.

    • /Mask

      Default = 24 (i.e. 255.255.255.0)

      A part of Base IP address defined by this Mask is replaced by ‘Protocol address’. The SCADA protocol address is typically 1 byte long, so Mask 24 (255.255.255.0) is most frequently used.

    • Destination (UDP port)

      List box: {COM, TS1-TS5, Manual}

      This UDP port is used as the destination UDP port in UDP datagram in which serial SCADA packet received from COM is encapsulated. Default UDP ports for COM or Terminal servers can be used or UDP port can be set manually. If the destination IP address belongs to a RipEX2 and the UDP port is not assigned to COM or to a Terminal server or to any other special SW module running in the destination RipEX2, the packet is discarded.

  • Table

    The Address translation is defined in a table. There are no limitations such as when the “Mask” translation is used. If there are more SCADA units connected via the RS485 interface, their multiple “Protocol addresses” are translated to the same IP address and UDP port pair.

    Note

    You may add a note to each address with your comments (UTF8 is supported) for your convenience.

  • Protocol address

    This is the address which is used by SCADA protocol.

    The Protocol address is 1 byte long; only for some protocols, e.g. DNP3, can it also be 2 bytes.

  • IP address

    IP address to which Protocol address will be translated. This IP address is used as destination IP address in UDP datagram in which serial SCADA packet received from COM is encapsulated.

  • Destination (UDP port)

    This is UDP port number which is used as destination UDP port in UDP datagram in which the serial SCADA message, received from COM, is encapsulated.
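The Idle [B] and MRU [B] parameters above define when a frame received on the COM port is closed. The following Python model is an added example, not the manual's or the product's own code; it assumes that Idle is counted in byte durations at the configured Baud rate with 10 bits per character (8N1), and the capture it runs on is constructed.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class ComFramer:
    """Cuts the byte stream received on a COM port into frames.

    A frame is closed when the gap since the previous byte exceeds `idle`
    byte-times, or when it reaches `mru` bytes even though bytes keep coming
    (a permanent stream then yields a sequence of MRU-sized frames)."""
    baud: int = 19200          # Baud rate [b/s], default 19200
    idle: int = 5              # Idle [B], default 5, range 0-2000
    mru: int = 1600            # MRU [B], default 1600, range 1-1600
    bits_per_char: int = 10    # assumption: 8N1 = 1 start + 8 data + 1 stop bit
    frames: List[bytes] = field(default_factory=list)
    _buf: bytearray = field(default_factory=bytearray)
    _last_t: Optional[float] = None

    def __post_init__(self) -> None:
        if not 0 <= self.idle <= 2000 or not 1 <= self.mru <= 1600:
            raise ValueError("Idle must be 0-2000 B and MRU 1-1600 B")

    def idle_seconds(self) -> float:
        """Idle gap expressed in seconds at the configured baud rate."""
        return self.idle * self.bits_per_char / self.baud

    def _close(self) -> None:
        if self._buf:
            self.frames.append(bytes(self._buf))
            self._buf = bytearray()

    def feed(self, t: float, b: int) -> None:
        """Process one received byte `b` with arrival timestamp `t` (seconds)."""
        if self._last_t is not None and (t - self._last_t) > self.idle_seconds():
            self._close()          # link was idle: the previous frame is complete
        self._buf.append(b)
        self._last_t = t
        if len(self._buf) >= self.mru:
            self._close()          # MRU reached: close even though the stream continues

    def flush(self) -> List[bytes]:
        """Close the pending frame (end of capture) and return all frames in order."""
        self._close()
        return self.frames


def split_frames(samples: List[Tuple[float, int]], **params) -> List[bytes]:
    """Run a list of (timestamp, byte) samples through a framer and return the frames."""
    framer = ComFramer(**params)
    for t, b in samples:
        framer.feed(t, b)
    return framer.flush()


if __name__ == "__main__":
    # Constructed capture: three bytes back to back, a pause of 9 ms, then two more bytes.
    capture = [(0.0000, 0x41), (0.0005, 0x42), (0.0010, 0x43),
               (0.0100, 0x51), (0.0105, 0x52)]
    print(split_frames(capture))   # [b'ABC', b'QR'] with the default Idle of 5 B at 19200 b/s
```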

Individual parameters

  • Async link

    Async link creates an asynchronous link between two COM ports on different RipEX2 units. Frames received from the COM port or from a Terminal server are sent transparently, without any processing, over the Radio channel to the configured destination IP and UDP port. Frames received from the Radio channel are sent to COM or to a Terminal server according to the Destination (UDP port) parameter.

    • Destination IP

      This is IP address of destination RipEX2, either ETH or Radio interface.

    • Destination (UDP port)

      This is UDP port number, which is used as a destination UDP port in UDP datagram, in which packet received from COM (or TS) is encapsulated.

  • DNP3

    Each frame in the DNP3 protocol contains the source and destination addresses in its header, so there is no difference between Master and Slave in terms of the RipEX2 configuration. The DNP3 allows both Master-Slave polling as well as spontaneous communication from the remote units.

    The common parameters (e.g. address translation) shall be set.

    Note

    Broadcast

    There is not an option to set the Broadcast address, since DNP3 broadcast messages always have addresses in the range 0xFFFD – 0xFFFF. Hence when Broadcast is On, packets with these destinations are handled as broadcasts.

  • DF1

    Each frame in the Allen-Bradley DF1 protocol contains the source and destination addresses in its header, so there is no difference between Master and Slave in the Full duplex mode in terms of RipEX2 configuration.

    • Duplex mode

      List box: {Full duplex, Half duplex}

    • Connected service mode

      List box {Master, Slave}, default=Slave

      SCADA application follows Master-Slave scheme, where the structure of the message is different for Master and Slave SCADA units. Because of that it is necessary to set which type of SCADA unit is connected to the RipEX2.

      Note

      For connected SCADA Master set Master, for connected SCADA Slave set Slave.

    • Block control mode

      List box: {BCC, CRC}, default = BCC

      According to the DF1 specification, either BCC or CRC for Block control mode (data integrity) can be used.

      Note

      Broadcast

      According to the DF1 specification, packets for the destination address 0xFF are considered broadcasts. Hence when Broadcast is On, packets with this destination are handled as broadcasts.
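The Mask and Table address translation described earlier, together with the DNP3 (0xFFFD–0xFFFF) and DF1 (0xFF) broadcast handling above, is modelled in the following Python; it is an added example, not code from the manual or the product. The configuration dictionary keys, the UDP port numbers and the translation table are constructed for the example; the page itself does not state which IP address the customized broadcast uses, so a broadcast result carries no IP here.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Broadcast destination addresses as stated for the two protocols above.
DNP3_BROADCAST = range(0xFFFD, 0xFFFF + 1)
DF1_BROADCAST = 0xFF


@dataclass
class Destination:
    ip: Optional[str]      # None for a broadcast: the unit sends its customized IP broadcast
    udp_port: int
    broadcast: bool = False


def is_broadcast(protocol: str, proto_addr: int) -> bool:
    """True when the SCADA destination address is the protocol's broadcast address."""
    if protocol == "DNP3":
        return proto_addr in DNP3_BROADCAST
    if protocol == "DF1":
        return proto_addr == DF1_BROADCAST
    return False


def mask_translate(proto_addr: int, base_ip: str, mask: int) -> str:
    """Mask mode: the part of Base IP outside the /mask network part is replaced by
    the protocol address, so every resulting address stays in the same subnet."""
    net = ipaddress.ip_network(f"{base_ip}/{mask}", strict=False)
    host_bits = 32 - mask
    if not 0 <= proto_addr < (1 << host_bits):
        raise ValueError(f"protocol address {proto_addr:#x} does not fit into the "
                         f"{host_bits} host bits left by /{mask}")
    return str(ipaddress.ip_address(int(net.network_address) + proto_addr))


def table_translate(proto_addr: int, table: Dict[int, Tuple[str, int]]) -> Tuple[str, int]:
    """Table mode: explicit protocol address -> (IP, UDP port); several protocol
    addresses (e.g. RS485 multidrop) may map to the same pair."""
    try:
        return table[proto_addr]
    except KeyError:
        raise ValueError(f"protocol address {proto_addr:#x} is not in the translation table") from None


def resolve(protocol: str, proto_addr: int, cfg: dict) -> Destination:
    """Destination of the UDP datagram that carries one serial SCADA frame.
    cfg keys (constructed for this example): mode ('mask' | 'table'), broadcast_on,
    udp_port, plus base_ip and mask (mask mode) or table (table mode)."""
    if cfg.get("broadcast_on", True) and is_broadcast(protocol, proto_addr):
        return Destination(None, cfg["udp_port"], broadcast=True)
    if cfg["mode"] == "mask":
        return Destination(mask_translate(proto_addr, cfg["base_ip"], cfg["mask"]), cfg["udp_port"])
    ip, port = table_translate(proto_addr, cfg["table"])
    return Destination(ip, port)


if __name__ == "__main__":
    cfg = {"mode": "mask", "base_ip": "192.168.1.10", "mask": 24, "udp_port": 8881, "broadcast_on": True}
    print(resolve("DNP3", 5, cfg))        # Destination(ip='192.168.1.5', udp_port=8881, broadcast=False)
    print(resolve("DNP3", 0xFFFE, cfg))   # Destination(ip=None, udp_port=8881, broadcast=True)
```

With Broadcast Off, a DNP3 frame addressed to 0xFFFE in Mask mode raises an error, because a 2-byte address cannot fit into the 8 host bits left by /24; this is the limitation the Mask note describes.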

7.1.4. Terminal servers

Generally, a Terminal Server (also referred to as a Serial Server) enables connection of devices with serial interface to a RipEX2 over the local area network (LAN). It is a virtual substitute for devices used as serial-to-TCP(UDP) converters.

In some special cases, the Terminal server can also be used to reduce the network load of applications using TCP. A TCP session can be terminated locally at the Terminal server in RipEX2, the user data extracted from the TCP messages and processed as if it came from a COM port. When the data reaches the destination RipEX2, it can be transferred to the RTU either via a serial interface or via TCP (UDP), using the Terminal server again.

Up to 5 independent Terminal servers can be set up. Each one can be either of TCP or UDP Type. TCP Inactivity is the timeout in seconds for which the TCP socket in RipEX2 is kept active after the last data reception or transmission. The IP address of the RipEX2 ETH interface is used as the source IP address of a Terminal server (or the Local preferred source address, if one exists; see chap. 7.2.1); the Source (my) port can be set as required. The Destination (peer) IP and Destination (peer) port values belong to the locally connected application (e.g. a virtual serial interface). In some cases, applications dynamically change the IP port with each datagram. In such a case set Destination port = 0; RipEX2 will then send replies to the port from which the last response was received. This feature allows the number of simultaneously opened TCP connections between a RipEX2 and the locally connected application to be extended to any value up to 10 on each Terminal server. Protocol follows the same principles as a protocol on the COM interface.

Note

The max. user data length in a single datagram processed by the Terminal server is 8192 bytes.

7.2. Routing

7.2.1. Static

The Routing table is active only when Router mode (Settings/Device/Operating mode) is set. In such a case RipEX2 works as a standard IP router with multiple independent interfaces: Radio interface, Network interfaces (bridging physical Ethernet interfaces), COM ports, Terminal servers, optional Cellular interface etc. Each of the interfaces has its own IP addresses and Masks. IP packets are then processed according to the Routing table.

An unlimited number of subnets can be defined on a Network interface. They are routed independently.

The COM ports are treated in the standard way as router devices: messages can be delivered to them as UDP datagrams to selected UDP port numbers. The destination IP address of a COM port is either the IP of a Network interface (bridging Ethernet interfaces) or the IP of the Radio interface. The source IP address of packets outgoing from COM ports is equal to the IP address of the interface (either Radio or Network interface) through which the packet has been sent. The source address can also be assigned the Local preferred source address value – see the description below. The outgoing interface is determined in the Routing table according to the destination IP.

The IP addressing scheme can be chosen arbitrarily; the only restriction is that 127.0.0.0/8, 192.0.2.233/30 and 192.0.2.228/30 are reserved. Subsequent addresses from the 192.0.2.0/24 subnet (RFC 5737) may also be reserved for internal usage in the future.

  • Active {On / Off}

    Switches the rule on / off

  • Destination IP / mask

    Each IP packet received by RipEX2 through any interface (Radio, ETH, COM, …) has a destination IP address. RipEX2 (router) forwards the received packet either directly to the destination IP address or to the respective Gateway, according to the Routing table. Any Gateway has to be within the network defined by the IP and Mask of one of the interfaces, otherwise the packet is discarded.

    Each item in the routing table defines a Gateway (the route, the next hop) for the network (group of addresses) defined by Destination IP and Mask. When no Gateway for the respective destination IP address is found in the Routing table, the packet is forwarded to the Default gateway; when the Default gateway is not defined, the packet is discarded.

    The network (Destination and Mask) is written in CIDR format, e.g. 10.11.12.13/24.

    Note

    Networks defined by IP and Mask for Radio and other interfaces must not overlap.

  • Mode {Static}

    Used for static IP routing rules. If the next hop on the specific route is over the radio channel, the Radio IP is used as a Gateway. If Base driven protocol is used and the destination Remote is behind a Repeater, the destination Remote Radio IP is used as a Gateway (not the Repeater address).

  • Name: You may add a name to each route with your comments up to 16 characters (UTF8 is supported) for your convenience.

  • Menu ADVANCED / Routing / Static allows an additional parameter to be set:

    Local preferred source address: (Routing_LocalUseSrcAddr) Local IP address used as a source address for packets originating in the local RipEX2 unit being routed by this routing rule. The local source preferred address is not used, if it is set to 0.0.0.0. The IP address has to belong to one of the following existing interfaces: Radio interface, Network interfaces.
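The forwarding rules of this section (direct delivery on an attached subnet, most specific route first, Default gateway fallback, discard when the Gateway lies outside every interface subnet, Local preferred source address, and the reserved and non-overlapping address ranges) are modelled in the following Python. It is an added example, not the product's routing code; the interface names, addresses and routes are constructed, and the reserved range 192.0.2.233/30 is normalised to its network address exactly as written on the page.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Ranges the section reserves for internal use (192.0.2.233/30 kept as written on the page).
RESERVED = [ipaddress.ip_network(s, strict=False)
            for s in ("127.0.0.0/8", "192.0.2.233/30", "192.0.2.228/30")]


@dataclass
class Route:
    destination: str            # Destination IP / mask in CIDR, e.g. "10.20.0.0/16"
    gateway: str                # next hop; the Radio IP when the hop is over the radio channel
    active: bool = True
    name: str = ""
    local_src: str = "0.0.0.0"  # Local preferred source address; 0.0.0.0 = not used

    def network(self) -> ipaddress.IPv4Network:
        return ipaddress.ip_network(self.destination, strict=False)


@dataclass
class Router:
    interfaces: Dict[str, str]  # interface name -> "ip/mask", e.g. {"Radio": "10.10.10.1/24"}
    routes: List[Route]
    default_gateway: Optional[str] = None

    def _ifaces(self) -> Dict[str, ipaddress.IPv4Interface]:
        return {n: ipaddress.ip_interface(a) for n, a in self.interfaces.items()}

    def iface_for(self, ip: str) -> Optional[str]:
        """Name of the interface whose subnet contains `ip`, or None."""
        addr = ipaddress.ip_address(ip)
        for name, iface in self._ifaces().items():
            if addr in iface.network:
                return name
        return None

    def lookup(self, dst: str) -> Optional[Tuple[str, str, str]]:
        """Forwarding decision for a locally originated packet to `dst`:
        (next hop, outgoing interface, source IP), or None when it is discarded."""
        addr = ipaddress.ip_address(dst)
        preferred_src = "0.0.0.0"
        if self.iface_for(dst) is not None:
            next_hop = dst                                   # directly attached subnet
        else:
            hits = [r for r in self.routes if r.active and addr in r.network()]
            if hits:
                best = max(hits, key=lambda r: r.network().prefixlen)  # most specific route
                next_hop, preferred_src = best.gateway, best.local_src
            elif self.default_gateway:
                next_hop = self.default_gateway
            else:
                return None                                  # no route, no default gateway
        out = self.iface_for(next_hop)
        if out is None:
            return None                                      # gateway not on any interface subnet
        own_ips = {str(i.ip) for i in self._ifaces().values()}
        src = preferred_src if preferred_src in own_ips else str(self._ifaces()[out].ip)
        return next_hop, out, src

    def config_issues(self) -> List[str]:
        """Static checks on the constraints this section states."""
        issues: List[str] = []
        ifs = list(self._ifaces().items())
        own_ips = {str(i.ip) for _, i in ifs}
        for idx, (n1, i1) in enumerate(ifs):
            if any(i1.ip in r for r in RESERVED):
                issues.append(f"interface {n1}: {i1.ip} is inside a reserved range")
            for n2, i2 in ifs[idx + 1:]:
                if i1.network.overlaps(i2.network):
                    issues.append(f"interfaces {n1} and {n2} overlap")
        for r in self.routes:
            if self.iface_for(r.gateway) is None:
                issues.append(f"route {r.destination}: gateway {r.gateway} is not inside any interface subnet")
            if r.local_src != "0.0.0.0" and r.local_src not in own_ips:
                issues.append(f"route {r.destination}: local preferred source {r.local_src} is not an interface address")
        return issues
```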

7.3. Firewall

7.3.1. L3

Firewall L3 Active switches the L3 firewall {Off, On}; default is Off.

Each individual firewall rule is described by the following items:

  • Protocol

    List box {All, ICMP, UDP, TCP, GRE, ESP, Other}

  • Source IP/Mask source IP address and mask.

    The rule with the narrower mask has the higher priority; the order of the rules does not affect priority.

  • Source port (from) and (to) interval of source ports

  • Input interface list box {All, Radio, All ETH, ETH1..ETH5, Other}

  • Action list box {Deny, Allow}, default Deny

  • Destination IP/Mask

  • Destination port (from) and (to) interval of destination ports

  • Output interface list box {All, Radio, All ETH, Other}

  • Connection state New list box {Off, On} active only for TCP protocol

    Relates to the first packet when a TCP connection starts (Request from TCP client to TCP server for opening a new TCP connection). Used e.g. for allowing to open TCP only from RipEX2 network to outside.

  • Connection state Established list box {Off, On} active only for TCP protocol

    Relates to an already existing TCP connection. Used e.g. for allowing to get replies for TCP connections created from RipEX2 network to outside.

  • Connection state Related list box {Off, On} active only for TCP protocol

    A connection related to the “Established” one, e.g. FTP typically uses two TCP connections, control and data, where the data connection is created automatically using dynamic ports.

    Note

    L2/L3 firewall settings do not impact local ETH access, i.e. the settings never deny access to a locally connected RipEX2 (web interface, ping, …).

    Note

    Ports 443 and 8889 are used internally for service access (by default; this can be overridden). Exercise caution when making rules which may affect datagrams to/from these ports in the L3 Firewall settings. The management connection to a remote RipEX2 may be lost when another RipEX2 acts as a router along the route of the management packets and port 443 (or 8889) is disabled in the firewall settings of that routing RipEX2 (RipEX2 uses iptables “forward”).

    Note

    L3 Firewall settings do not impact packets received from and redirected to the Radio channel. The problem described in the previous note (NOTE 2) will not happen if the affected RipEX2 router is a radio repeater, i.e. when it uses solely the radio channel for input and output.
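The following Python evaluates forwarded packets against L3 rules the way this section describes them: a match on protocol, interfaces, addresses, ports and (for TCP rules) connection state, with the narrowest Source mask winning regardless of table order, and a check that lists the service ports (443 and 8889 by default) a Deny rule would block in the forward path. It is an added example, not the product's iptables configuration; the rule and packet field names and all addresses are constructed, and when no rule matches it returns None because the section does not state the unit's default.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

NAMED_PROTOCOLS = {"ICMP", "UDP", "TCP", "GRE", "ESP"}
MGMT_PORTS = (443, 8889)          # default service ports named in the notes above


@dataclass
class Rule:
    action: str = "Deny"          # {Deny, Allow}, default Deny
    protocol: str = "All"         # {All, ICMP, UDP, TCP, GRE, ESP, Other}
    src: str = "0.0.0.0/0"        # Source IP/Mask
    sport: Tuple[int, int] = (0, 65535)
    dst: str = "0.0.0.0/0"
    dport: Tuple[int, int] = (0, 65535)
    in_if: str = "All"            # {All, Radio, All ETH, ETH1..ETH5, Other}
    out_if: str = "All"           # {All, Radio, All ETH, Other}
    new: bool = False             # Connection state flags, active for TCP rules only
    established: bool = False
    related: bool = False


@dataclass
class Packet:
    protocol: str
    src: str
    sport: int
    dst: str
    dport: int
    in_if: str
    out_if: str
    state: str = "New"            # New | Established | Related


def _if_match(rule_if: str, pkt_if: str) -> bool:
    if rule_if == "All":
        return True
    if rule_if == "All ETH":
        return pkt_if.startswith("ETH")
    return rule_if == pkt_if


def _proto_match(rule: Rule, pkt: Packet) -> bool:
    if rule.protocol == "All":
        return True
    if rule.protocol == "Other":
        return pkt.protocol not in NAMED_PROTOCOLS
    return rule.protocol == pkt.protocol


def matches(rule: Rule, pkt: Packet) -> bool:
    if not (_proto_match(rule, pkt) and _if_match(rule.in_if, pkt.in_if) and _if_match(rule.out_if, pkt.out_if)):
        return False
    if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(rule.src, strict=False):
        return False
    if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(rule.dst, strict=False):
        return False
    if pkt.protocol in ("TCP", "UDP"):          # ports exist only for TCP/UDP
        if not (rule.sport[0] <= pkt.sport <= rule.sport[1] and rule.dport[0] <= pkt.dport <= rule.dport[1]):
            return False
    if rule.protocol == "TCP":                  # state flags are active for TCP rules only
        wanted = {s for s, on in (("New", rule.new), ("Established", rule.established),
                                  ("Related", rule.related)) if on}
        if wanted and pkt.state not in wanted:
            return False
    return True


def decide(active: bool, rules: List[Rule], pkt: Packet) -> Optional[str]:
    """Action for a forwarded packet. With the firewall Off everything is allowed.
    Among matching rules the one with the narrowest Source mask wins, whatever its
    position in the table; None means no rule matched."""
    if not active:
        return "Allow"
    hits = [r for r in rules if matches(r, pkt)]
    if not hits:
        return None
    return max(hits, key=lambda r: ipaddress.ip_network(r.src, strict=False).prefixlen).action


def management_ports_denied(rules: List[Rule]) -> List[int]:
    """Service ports that some Deny rule would block in the forward path, i.e.
    management of remote units routed through this one could be lost."""
    hit = set()
    for r in rules:
        if r.action == "Deny" and r.protocol in ("All", "TCP"):
            hit.update(p for p in MGMT_PORTS if r.dport[0] <= p <= r.dport[1])
    return sorted(hit)
```

The typical pattern from the Connection state descriptions, allowing TCP sessions to be opened only from one side, is a broad Deny rule plus a narrower Allow rule with New and Established set; the narrower Source mask wins for the permitted hosts while Related traffic still falls to the Deny rule.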

7.3.2. L2

  • Active list box {Off, On}

    If “On” and when in the Router mode, Layer 2 Linux firewall is activated:

  • Filter mode list box {Blacklist, Whitelist}, default Blacklist

    • Blacklist

      The MAC addresses listed in the table are blocked, i.e. all packets to/from them are discarded. The traffic to/from other MAC addresses is allowed.

    • Whitelist

      Only the MAC addresses listed in the table are allowed, i.e. only packets to/from them are allowed. The traffic to/from other MAC addresses is blocked.

  • Interface list box {All, ETH1..ETH5}, default All

  • MAC

    IPv4 MAC address

7.4. VPN

VPN (Virtual Private Network) extends a private network across a public network, and enables users to send and receive data across shared or public networks as if their computing devices were directly connected to the private network. Applications running across the VPN may therefore benefit from the functionality, security, and management of the private network.

7.4.1. Basic Description

Internet Protocol Security (IPsec) is a network protocol suite that authenticates and encrypts the packets of data sent over a network. IPsec includes protocols for establishing mutual authentication between agents at the beginning of the session and negotiation of cryptographic keys for use during the session. IPsec uses cryptographic security services to protect communications over Internet Protocol (IP) networks. IPsec supports network-level peer authentication, data-origin authentication, data integrity, data confidentiality (encryption), and replay protection. IPsec is an end-to-end security scheme operating within the Internet Layer of the Internet Protocol Suite. IPsec is recognized as a secure, standardized and well-proven solution by the professional public.

Although there are 2 modes of operation, RipEX2 only offers Tunnel mode. In Tunnel mode, the entire IP packet is encrypted and authenticated. It is then encapsulated into a new IP packet (ESP – Encapsulating Security Payload) with a new IP header.

Symmetric cryptography is used to encrypt the packets. The symmetric keys must be safely delivered to the peer. In order to maintain a secure connection, the symmetric keys must be regularly exchanged. The protocol used for secure key exchange is IKE (Internet Key Exchange). Both IKE version 1 and the newer version 2 are available in RipEX2.

IKE protocol communication with the peer is established using UDP frames on port 500. However, if NAT-T (NAT Traversal) or MOBIKE (MOBile IKE) are active, the UDP port 4500 is used instead.

Note

NAT-T is automatically recognized by IPsec implementation in RipEX2.

The IPsec tunnel is provided by Security Association (SA). There are 2 types of SA:

  • IKE SA: IKE Security Association providing SA keys exchange with the peer.

  • CHILD SA: IPsec Security Association providing packet encryption.

Every IPsec tunnel contains 1 IKE SA and at least 1 CHILD SA.

Link partner (peer) secure authentication is assured using Pre-Shared Key (PSK) authentication method: Both link partners share the same key (password).

As and when the CHILD SA expires, new keys are generated and exchanged using IKE SA.

As and when the IKE SA version IKEv1 expires – new authentication and key exchange occurs and a new IKE SA is created. Any CHILD SA belonging to this IKE SA is re-created as well.

As and when the IKE SA version IKEv2 expires one of two different scenarios might occur:

  • If the re-authentication is required – the behavior is similar to IKEv1 (see above).

  • If the re-authentication is not required – only new IKE SA keys are generated and exchanged.

  • Configuration

  • Active {On, Off}

    Turns the IPsec system On / Off

  • Make-before-break {On, Off}, default Off

    This parameter applies to all IKE SAs using IKEv2 with re-authentication. Temporary connection breaks during IKE SA re-authentication are suppressed by this parameter. This function may not operate correctly with some IPsec implementations (on the peer side).

  • Peer Address

    Default = 0.0.0.0

    IKE peer IP address.

  • Local ID

    An IP address or FQDN (Fully Qualified Domain Name) used as the local side identification. It must be the same as the “Peer ID” of the IKE peer.

  • Peer ID

    An IP address or FQDN (Fully Qualified Domain Name) used as the IKE peer identification. It must be the same as the “Local ID” of the IKE peer. The “Peer ID” must be unique in the whole table.

  • Add / Edit IPsec associations

    Every item in the table represents one IKE SA. There can be a maximum of 8 active IKE SA (limited by system resources).

    • Start state

      List box {Passive, On demand, Start}, default Passive

    • MOBIKE

      List box {On, Off}, default On

      Enables MOBIKE for IKEv2 supporting mobility or migration of the tunnels. Please note IKE is moved from port 500 to port 4500 when MOBIKE is enabled. The peer configuration must match.

    • Dead Peer Detection

      List box {On, Off}, default = On

      Detects a lost connection with the peer. IKE test packets are sent periodically; when they are not acknowledged after several attempts, the connection is closed and the corresponding actions are initiated. When Detection is not enabled, a connection loss is only discovered when the regular key exchange process is initiated.

    • Phase 1 IKE

      Parameters related to the IKE SA (IKE Security Association), which provides the SA key exchange with the peer.

      • IKE version

        List box {IKEv1, IKEv2}, default = IKEv2

        IKE version selection. The IKE peer must use the same version.

      • Authentication method

        List box {PSK}

        Peer authentication method. Peer configuration must match.

        The “main mode” negotiation is the only option supported. The “aggressive mode” is not supported; it is recognized as unsafe when combined with the PSK type of authentication.

      • Encryption algorithm

        List box {3DES (legacy), AES128, AES192, AES256}, default = AES128

        IKE SA encryption algorithm. The “legacy” marked methods are recognized as unsafe. Peer configuration must match.

      • Authentication algorithm

        List box {MD5 (legacy), SHA1 (legacy), SHA256, SHA384, SHA512}, default = SHA256

        IKE SA integrity algorithm. The “legacy” marked methods are recognized as unsafe. Peer configuration must match.

        The same value as selected for the Integrity algorithm is used for the PRF (Pseudo-Random Function).

      • Diffie-Hellman group (PFS)

        List box {None (legacy), Group 2 (MODP1024, legacy), Group 5 (MODP1536, legacy), Group 14 (MODP2048), Group 15 (MODP3072), Group 25 (ECP192), Group 26 (ECP224), Group 19 (ECP256), Group 20 (ECP384), Group 21 (ECP521), Group 27 (ECP224BP), Group 28 (ECP256BP), Group 29 (ECP384BP), Group 30 (ECP512BP)}, default = Group 15 (MODP3072)

        The PFS (Perfect Forward Secrecy) feature is performed using the Diffie-Hellman group method.

        PFS increases the security of the IKE SA key exchange. The RipEX2 unit load is seriously affected while a key exchange is in progress. The “legacy” marked methods are recognized as unsafe. Peer configuration must match.

        The higher the Diffie-Hellman group, the higher the security but also the higher the network and CPU load.

      • Reauthentication

        List box {On, Off}, default = Off

        This parameter applies when IKEv2 is used. It determines the action taken after the IKE SA has expired. When enabled, a new IKE SA is negotiated, including new peer authentication. When disabled, only new keys are exchanged.

      • SA lifetime [s]

        Default = 14400 s (4 hours). Range [180 – 86400] s

        Time of SA validity. The new key exchange or re-authentication is triggered immediately when the key expires. The true time of expiration is randomly selected within the range of 90-110 % of the configured value, to prevent collisions when the key exchange is triggered from both sides simultaneously.

        Unfortunately, the more frequent the key exchange, the higher the network and CPU load.

    • Phase 2 – IPsec

      The following parameters are shared by all subordinate CHILD SA. The IPsec Security Association (CHILD SA) provides packet encryption (user traffic encryption).

      • Encryption algorithm

        List box {3DES (legacy), AES128, AES192, AES256}, default = AES128

        IKE CHILD SA encryption algorithm. The “legacy” marked methods are recognized as unsafe. Peer configuration must match.

      • Authentication algorithm

        List box {MD5 (legacy), SHA1 (legacy), SHA256, SHA384, SHA512}, default = SHA256

        IKE CHILD SA integrity algorithm. The “legacy” marked methods are recognized as unsafe. Peer configuration must match.

        The same value as selected for the Integrity algorithm is used for the PRF (Pseudo-Random Function).

      • Diffie-Hellman group (PFS)

        List box {None (legacy), Group 2 (MODP1024, legacy), Group 5 (MODP1536, legacy), Group 14 (MODP2048), Group 15 (MODP3072), Group 25 (ECP192), Group 26 (ECP224), Group 19 (ECP256), Group 20 (ECP384), Group 21 (ECP521), Group 27 (ECP224BP), Group 28 (ECP256BP), Group 29 (ECP384BP), Group 30 (ECP512BP)}, default = Group 15 (MODP3072)

        The PFS (Perfect Forward Secrecy) feature is performed using the Diffie-Hellman group method.

        PFS increases the security of the IKE CHILD SA key exchange. The RipEX2 unit load is seriously affected while a key exchange is in progress. The “legacy” marked methods are recognized as unsafe. Peer configuration must match.

        The higher the Diffie-Hellman group, the higher the security but also the higher the network and CPU load.

      • Payload compression

        List box {On, Off}, default = Off

        Enables payload compression, which takes place before encryption. Peer configuration must match.

      • SA lifetime [s]

        Default = 3600 s (1 hour). Range [180 – 86400] s

        Time of CHILD SA validity. The new key exchange or re-authentication is triggered immediately when the key expires. The true time of expiration is randomly selected within the range of 90-110 % of the configured value, to prevent collisions when the key exchange is triggered from both sides simultaneously.

        The SA lifetime of a CHILD SA is normally much shorter than the SA lifetime of the IKE SA, because the CHILD SA normally transfers much more data than the IKE SA (key exchange only). Changing the keys protects against breaking the cipher by analyzing large amounts of data encrypted with the same cipher key.

    • PSK

      PSK (Pre-shared key) authentication is used for IKE SA authentication. The relevant peer is identified using its “Peer ID”. The key must be the same on both the local and the peer side of the IPsec tunnel.

      • Passphrase

        The PSK key is entered as a password. An empty password is not allowed. In the ADVANCED / VPN / IPsec menu, a 256-bit long key can be set instead of the passphrase.

  • Traffic selector

  • Basic rules:

    Each line contains the configuration settings of one CHILD SA and indicates its association with a specific IKE SA.

    There can be a maximum of 16 active CHILD SA (in total over all active IKE SA).

    Every “Active” line must have an equivalent on the peer side with the “Local network” and “Remote network” fields reversed.

    The “Local network” and “Remote network” fields must contain different address ranges and must not overlap the USB service connection (10.9.8.7/28) or the internal connection to the FPGA (192.0.2.233/30).

    Each “Active” traffic selector in the configuration table must be unique.

  • Local network address / Mask

    Source IP address and mask of the packets to be captured and forwarded to the encrypted tunnel.

  • Remote network address / Mask

    Destination IP address and mask of the packets to be captured and forwarded to the encrypted tunnel.

  • Active { On, Off }, default On

    Enables/disables the corresponding CHILD SA.
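Several rules in this section are easy to get wrong when two units are configured by hand: the “legacy” marked algorithms in Phase 1 and Phase 2, the requirement that both ends of a tunnel match (with Local ID and Peer ID swapped), the 8 IKE SA / 16 CHILD SA limits, and the “Basic rules” for traffic selectors (unique, reversed on the peer, no overlap with the 10.9.8.7/28 and 192.0.2.233/30 ranges). The checker below is an added example, not RipEX2 code: it encodes those rules from this section over constructed sample tables so a configuration can be reviewed offline before it is loaded. The `IkeSa` and `Selector` data classes, their field names and the sample values are assumptions of this example.

```python
"""Added example, not RipEX2 code: offline checks of an IPsec associations table and
its traffic selectors against the rules stated in this section. The data classes
and their field names are assumptions of this example."""
import ipaddress
from dataclasses import dataclass
from typing import List

LEGACY = {"3DES", "MD5", "SHA1", "None", "Group 2", "Group 5"}  # marked "(legacy)" above
MAX_IKE_SA, MAX_CHILD_SA = 8, 16
# Ranges a traffic selector must not touch: USB service connection, internal FPGA link.
RESERVED = [ipaddress.ip_network("10.9.8.7/28", strict=False),
            ipaddress.ip_network("192.0.2.233/30", strict=False)]
ALGS = ("p1_enc", "p1_auth", "p1_dh", "p2_enc", "p2_auth", "p2_dh")

@dataclass
class IkeSa:
    """One row of the IPsec associations table (phase 1 = p1_*, phase 2 = p2_*)."""
    local_id: str
    peer_id: str
    psk: str
    ike_version: str = "IKEv2"
    mobike: bool = True
    p1_enc: str = "AES128"
    p1_auth: str = "SHA256"
    p1_dh: str = "Group 15"
    p2_enc: str = "AES128"
    p2_auth: str = "SHA256"
    p2_dh: str = "Group 15"
    active: bool = True

@dataclass
class Selector:
    """One row of the Traffic selector table."""
    local_net: str
    remote_net: str
    active: bool = True

def net(cidr: str):
    return ipaddress.ip_network(cidr, strict=False)

def legacy_findings(sa: IkeSa) -> List[str]:
    """Every phase 1 / phase 2 choice that the manual marks as legacy (unsafe)."""
    return [f"{f}={getattr(sa, f)} is legacy" for f in ALGS if getattr(sa, f) in LEGACY]

def peer_mismatches(local: IkeSa, peer: IkeSa) -> List[str]:
    """The two ends of one tunnel must mirror each other: IDs swapped, the rest equal."""
    out = []
    if local.local_id != peer.peer_id or local.peer_id != peer.local_id:
        out.append("Local ID / Peer ID are not swapped between the two ends")
    out += [f"{f} differs between the two ends"
            for f in ("ike_version", "mobike", "psk") + ALGS
            if getattr(local, f) != getattr(peer, f)]
    if not local.psk or not peer.psk:
        out.append("an empty PSK is not allowed")
    return out

def selector_findings(sas: List[IkeSa], sels: List[Selector]) -> List[str]:
    """Apply the 'Basic rules' of the Traffic selector table to one unit."""
    out, seen = [], set()
    active_sas = [s for s in sas if s.active]
    if len(active_sas) > MAX_IKE_SA:
        out.append(f"{len(active_sas)} active IKE SA exceed the limit of {MAX_IKE_SA}")
    if len({s.peer_id for s in sas}) != len(sas):
        out.append("Peer ID is not unique in the IKE SA table")
    active = [s for s in sels if s.active]
    if len(active) > MAX_CHILD_SA:
        out.append(f"{len(active)} active CHILD SA exceed the limit of {MAX_CHILD_SA}")
    for s in active:
        tag, loc, rem = f"{s.local_net}->{s.remote_net}", net(s.local_net), net(s.remote_net)
        if loc.overlaps(rem):
            out.append(f"{tag}: local and remote ranges overlap")
        out += [f"{tag}: overlaps reserved range {r}" for r in RESERVED
                if loc.overlaps(r) or rem.overlaps(r)]
        if (loc, rem) in seen:
            out.append(f"{tag}: duplicate active traffic selector")
        seen.add((loc, rem))
    return out

def unmirrored(local: List[Selector], peer: List[Selector]) -> List[str]:
    """Every active local line needs a peer line with the two networks reversed."""
    keys = {(net(p.remote_net), net(p.local_net)) for p in peer if p.active}
    return [f"{s.local_net}->{s.remote_net} has no reversed line on the peer"
            for s in local if s.active and (net(s.local_net), net(s.remote_net)) not in keys]

# Constructed sample data: a weak, mismatched pair (WEAK_*) and a clean pair (GOOD_*).
WEAK_A = IkeSa("siteA", "siteB", "s3cret", ike_version="IKEv1",
               p1_enc="3DES", p1_auth="SHA1", p1_dh="Group 2")
WEAK_B = IkeSa("siteB", "siteA", "s3cret", ike_version="IKEv2",
               p1_enc="3DES", p1_auth="SHA1", p1_dh="Group 2")
GOOD_A, GOOD_B = IkeSa("siteA", "siteB", "s3cret"), IkeSa("siteB", "siteA", "s3cret")
SEL_A = [Selector("10.9.8.0/24", "10.20.0.0/24"),   # collides with the USB range
         Selector("10.10.0.0/24", "10.20.0.0/24"),
         Selector("10.10.0.0/24", "10.20.0.0/24")]  # duplicate line
SEL_B = [Selector("10.20.0.0/24", "10.10.0.0/24")]

if __name__ == "__main__":
    for line in (legacy_findings(WEAK_A) + peer_mismatches(WEAK_A, WEAK_B)
                 + selector_findings([WEAK_A], SEL_A) + unmirrored(SEL_A, SEL_B)):
        print("finding:", line)
```

The sample run reports the three legacy Phase 1 choices, the IKE version mismatch between the two ends, the selector that lands in the USB service range, the duplicated selector line, and the local line that has no reversed counterpart on the peer; the clean pair produces no findings.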

Advanced menu

ADVANCED / VPN / IPsec

  • DPD check period [s]

    Default = 30 s. Range [5 – 28800 s]

    Period of the Dead Peer Detection checks.

  • Dead Peer Detection

    List box {Clear, Hold, Restart}, default = Hold

    The action taken automatically when a connection loss is detected:

    • Clear: The connection is closed and waits.

    • Hold: The connection is closed. It is established again when the first packet transmission through the tunnel is attempted.

    • Restart: The connection is established again immediately.
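The difference between the three actions only shows up over time: what happens to the tunnel once the probes stop being answered, and whether user traffic can bring it back. The model below is an added example, not RipEX2 code; it sends one probe per DPD check period, declares the peer dead after a number of unanswered probes (`MAX_MISSED` is an assumption, the chapter only says “several attempts”) and then applies the Clear, Hold or Restart behaviour described above to a constructed outage. The `DpdTunnel` class and the `run` scenario are this example's own.

```python
"""Added example, not RipEX2 code: a model of Dead Peer Detection and the three
actions offered in ADVANCED / VPN / IPsec. MAX_MISSED is an assumption; the
chapter only says the connection is closed after "several attempts"."""
from typing import List, Optional, Tuple

MAX_MISSED = 3  # assumed number of unanswered probes that declares the peer dead


class DpdTunnel:
    """One IKE SA: a probe goes out every `period` seconds; `action` says what
    happens once the peer is declared dead (Clear, Hold or Restart)."""

    def __init__(self, period: int = 30, action: str = "Hold"):
        if not 5 <= period <= 28800:
            raise ValueError("DPD check period must be within 5-28800 s")
        if action not in ("Clear", "Hold", "Restart"):
            raise ValueError("action must be Clear, Hold or Restart")
        self.period, self.action = period, action
        self.up = True          # connection established
        self.missed = 0         # consecutive unanswered probes
        self.log: List[str] = []

    def tick(self, now: int, peer_alive: bool) -> None:
        """One check period elapsed; `peer_alive` is whether the probe was acknowledged."""
        if not self.up:
            return                      # a closed connection sends no probes
        if peer_alive:
            self.missed = 0
            return
        self.missed += 1
        if self.missed < MAX_MISSED:
            return
        self.log.append(f"t={now}: peer dead after {self.missed} probes, action={self.action}")
        self.up, self.missed = False, 0
        if self.action == "Restart":    # Restart: re-establish immediately
            self.up = True
            self.log.append(f"t={now}: connection re-established")

    def send_user_packet(self, now: int) -> bool:
        """User traffic wants the tunnel; returns whether it can be carried."""
        if not self.up and self.action == "Hold":   # Hold: first packet brings it up
            self.up = True
            self.log.append(f"t={now}: connection established on demand")
        return self.up      # Clear: stays closed and waits


def run(action: str, outage: range, period: int = 30, horizon: int = 600,
        traffic_at: int = 420) -> Tuple[bool, Optional[bool], List[str]]:
    """Constructed scenario: the peer stops answering during `outage` (seconds);
    a user packet arrives at `traffic_at`. Returns (up at end, packet carried, log)."""
    t = DpdTunnel(period, action)
    carried = None
    for now in range(period, horizon + 1, period):
        t.tick(now, peer_alive=now not in outage)
        if now == traffic_at:
            carried = t.send_user_packet(now)
    return t.up, carried, t.log


if __name__ == "__main__":
    for action in ("Clear", "Hold", "Restart"):
        up, carried, log = run(action, range(120, 301))
        print(f"{action:8s} up_at_end={up} packet_carried={carried}")
        for line in log:
            print("   ", line)
```

With a 30 s check period the peer is declared dead at t=180 in every case; only Hold carries the packet sent at t=420 after bringing the tunnel back on demand, Restart re-establishes at once (and is declared dead again while the outage lasts), and Clear leaves the tunnel closed.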

7.5. Device

7.5.1. Unit

General settings used by all other settings. This menu should be configured first.

  • Unit name

    This name is used as the real host name of the Linux router, so the allowed characters are strictly limited to:

    _a..zA..Z0..9

  • Mode list box (Bridge, Router)

    Selects the radio channel access mode (Bridge or Router).

7.5.2. Configuration

You can back up the current configuration into a file or load an existing configuration file into the unit.

7.5.3. Firmware

The firmware update has two phases:

  • Upload new firmware into archive

  • Update firmware from archive

Warning

Do not power down the unit while the firmware is being updated.