7. Settings

The information in this chapter is identical to the content of the Help pages for the individual menus, which will gradually be added to all screens.

7.1. Interfaces

7.1.1. Ethernet

RipEX2 provides 5 physical Ethernet ports: ETH1, ETH2, ETH3, ETH4 and ETH5. The first 4 ETH ports are metallic, the 5th is an SFP port. An Ethernet bridge, i.e. a logical Network interface, can be defined by bridging (joining) multiple physical Ethernet interfaces together. All interfaces bridged together share the same traffic.

The Network interface (technically an Ethernet bridge) is identified by a name, which always begins with the “LAN-” prefix. Multiple Network interfaces can be defined, and multiple physical Ethernet interfaces can be bridged together in a single Network interface.

When the unit operates in Bridge mode, the default Network interface bridges together not only the physical Ethernet ports but also the Radio interface. All Ethernet traffic received on those Ethernet ports is passed to the Radio interface and transmitted over the Radio channel, and vice versa.

When the unit operates in Router mode, the Radio channel carries only the traffic that is directed to the Radio interface by the Routing rules.

The default setting bridges all Ethernet ports together. New Network interfaces can be defined to separate the Ethernet traffic of individual ports. Any single Ethernet port can be detached from an existing Network interface and added to another one.

One or more Ethernet subnets can be defined within one Network interface. Each subnet is identified by its IP address and mask. Use the optional Note field to keep your network configuration human-readable.

Enable / Disable: enables / disables the specific Ethernet subnet

IP address: IP address and mask of the specific Ethernet subnet (in CIDR notation). The IP address represents the Network interface in the Layer 3 network.

Note: optional Ethernet subnet description

[Note]Note

VLAN (IEEE 802.1Q) settings are accessible via the ADVANCED menu only in the current FW version.

7.1.2. Radio

A. Radio parameters overview

  • TX frequency

    Transmitting frequency in Hz. Step 5 kHz (for 25 kHz channel spacing) or 6.25 kHz (for 12.5 or 6.25 kHz channel spacing).

    The value entered must be within the frequency tuning range of the product as follows:

    RipEX2-1A: 135-175 MHz

    RipEX2-3B: 335-400 MHz

    RipEX2-4A: 400-470 MHz

  • RX frequency

    Receiving frequency, the same format and rules apply as for TX frequency.

  • Antenna configuration

    List box {Single (Tx/Rx), Dual (Rx, Tx/Rx)}, default Dual (Rx, Tx/Rx)

    See chapter 1.2.1. Antenna for details

  • RF power PEP

    RF output power in dBm (PEP). For the maximum power for individual modulations and the relationship between PEP and RMS see Table 9.2, “Maximal power for individual modulations” of this manual.

  • Channel spacing [kHz]

    List box {possible values}, default = 25 kHz

  • Occupied bandwidth limit [kHz]

    List box {possible values}, default = 25 kHz

    Occupied bandwidth is limited by the granted radio channel. The standards supported by the individual OBW limits are listed in Section 9.1, “Detailed Radio parameters” of this manual.

  • Modulation type

    List box {FSK, QAM}, default = FSK

    • FSK

      Suitable for difficult conditions: longer radio hops, non-line-of-sight paths, noise or interference on the Radio channel.

      [Note]Note

      FSK belongs to the continuous-phase frequency-shift keying family of non-linear modulations. Compared to QAM (linear modulations), FSK is characterized by narrower bandwidth, a lower symbol rate and higher sensitivity. As a result, the system gain is higher, power efficiency is higher, but spectral efficiency is lower.

    • QAM

      Suitable for normal conditions offering higher data throughput.

      [Note]Note

      QAM belongs to the phase shift keying family of linear modulations. Compared to FSK (non-linear modulations), QAM is characterized by wider bandwidth. The spectral efficiency is higher, power efficiency is lower and system gain is typically lower.

  • Modulation

  • FEC

    List box {2/3, 3/4, 5/6, Off}, default = Off

    FEC (Forward Error Correction) is a very effective method of mitigating radio channel impairments. The sender inserts redundant data into its messages; this redundancy allows the receiver to detect and correct errors. A Trellis code with a Viterbi soft-decision decoder is used. The improvement comes at the expense of the user data rate: the lower the FEC ratio, the better the error-correction capability and the lower the user data rate. User data rate = Modulation rate × FEC ratio.

B. Transparent protocol (bridge mode)

Bridge mode with the fully transparent Radio protocol is suitable for all polling (request-response) applications with a star network topology; repeater(s) are possible as well.

A packet received through any interface is broadcast to the appropriate interfaces of all units within the network.

Any unit can be configured as a repeater. A repeater relays all packets it receives through the radio channel. The network implements safety mechanisms which prevent cyclic loops in the radio channel (e.g. when a repeater receives a packet from another repeater) or duplicate packets being delivered to the user interface (e.g. when a RipEX2 receives a packet directly and then again from a repeater).

The Transparent protocol does not resolve collisions on the radio channel. Data integrity is protected by a CRC check, so a frame that fails the check is not delivered and a delivered message is error free within the detection capability of the CRC.

  • Radio protocol

    List box {Transparent, Base driven}, default Transparent

  • Communication mode

    List box {Half Duplex, Full Duplex}, default Half Duplex

    Full duplex mode is intended mainly for point-to-point communication. Full duplex operation is not possible in networks with repeaters.

  • Unit is repeater

    List box {On, Off}, default Off

    Each RipEX2 may work simultaneously as a Repeater (Relay) in addition to the standard Bridge operation mode.

    If “On”, every frame received from the Radio channel is transmitted to the respective user interface (ETH, COM) and to the Radio channel again.

    The Bridge functionality is not affected, i.e. only frames whose recipients belong to the local LAN are sent out of the ETH interface.

    More than one Repeater may be used within a network. To eliminate the risk of creating a loop, the “Number of repeaters” has to be set in all units in the network, including the Repeater units themselves.

    Warning: when Repeater mode is enabled, “Modulation rate” and “FEC” must be set to the same value throughout the whole network to prevent frame collisions.

  • No of repeaters

    Default = 0

    If there are one or more repeaters in the network, the total number of repeaters within the network MUST be set in all units, including the Repeater units themselves. After transmitting to or receiving from the Radio channel, further transmission (from this RipEX2) is blocked for a period calculated to prevent a collision with the frame retransmitted by a Repeater. Furthermore, a copy of every frame transmitted to or received from the Radio channel is stored for a period; whenever a duplicate of a stored frame is received, it is discarded to avoid looping. These measures are not taken when “Number of repeaters” is zero, i.e. in a network without repeaters.

  • Tx delay [B]

    This parameter should be used when all substations (RTUs) reply to a broadcast query from the master station. In such a case massive collisions would ensue, because all substations would reply at nearly the same time. To prevent this, TX delay should be set individually in each slave RipEX2. The length of the responding frame, the Radio protocol overhead and the modulation rate have to be taken into account.
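The following is an added example, not code from the RipEX2 manual or from RACOM: it plans the per-slave “Tx delay [B]” values for the broadcast-poll case described above and checks that the resulting reply windows do not overlap on the channel. It uses the relation User data rate = Modulation rate × FEC ratio from the FEC parameter description. The modulation rate, reply length and protocol overhead used in the sample run are assumed values, not figures from the manual.

```python
"""Added example: stagger slave replies to a broadcast poll with Tx delay [B]."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class ReplySlot:
    slave: int
    tx_delay_bytes: int   # value to enter as "Tx delay [B]" on this slave
    start_ms: float       # reply window on the channel, relative to the end of the poll
    end_ms: float


def user_data_rate_bps(modulation_rate_bps: int, fec_ratio: Optional[float]) -> float:
    """User data rate = Modulation rate x FEC ratio; FEC Off means a ratio of 1."""
    if fec_ratio is not None and not 0 < fec_ratio <= 1:
        raise ValueError("FEC ratio must be in (0, 1]")
    return modulation_rate_bps * (fec_ratio if fec_ratio is not None else 1.0)


def byte_time_ms(user_rate_bps: float) -> float:
    """Time needed to send one byte of user data at the given user data rate."""
    return 8 * 1000.0 / user_rate_bps


def plan_tx_delays(n_slaves: int, reply_len_b: int, overhead_b: int,
                   modulation_rate_bps: int, fec_ratio: Optional[float] = None,
                   guard_b: int = 0) -> List[ReplySlot]:
    """Give slave i a delay of i slots, one slot being reply + radio protocol
    overhead + optional guard (all in bytes), so the replies follow each other."""
    slot_b = reply_len_b + overhead_b + guard_b
    bt = byte_time_ms(user_data_rate_bps(modulation_rate_bps, fec_ratio))
    plan = []
    for i in range(n_slaves):
        delay_b = i * slot_b
        start = delay_b * bt
        plan.append(ReplySlot(i + 1, delay_b, start, start + (reply_len_b + overhead_b) * bt))
    return plan


def has_overlap(plan: List[ReplySlot]) -> bool:
    """True if any two reply windows overlap on the channel, i.e. would collide."""
    ordered = sorted(plan, key=lambda s: s.start_ms)
    return any(a.end_ms > b.start_ms for a, b in zip(ordered, ordered[1:]))


def longest_reply_end_ms(plan: List[ReplySlot]) -> float:
    """Earliest time the master may consider the poll round complete."""
    return max(s.end_ms for s in plan)


if __name__ == "__main__":
    # assumed sample values: 4 RTUs, 100-byte replies, 20 B overhead, 80 kb/s, FEC 3/4
    p = plan_tx_delays(4, 100, 20, 80_000, fec_ratio=3 / 4)
    for s in p:
        print(f"slave {s.slave}: Tx delay {s.tx_delay_bytes} B, on air {s.start_ms:.1f}-{s.end_ms:.1f} ms")
    print("collision-free:", not has_overlap(p), "round ends at", f"{longest_reply_end_ms(p):.1f} ms")
```

A negative guard (or an overhead estimate that is too low) makes has_overlap report a collision, which is the situation the Tx delay parameter is meant to avoid.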

C. Base driven protocol (router mode)

Router mode with the Base driven protocol is suitable for a star network topology with up to 256 Remotes under one Base station. Each Remote can work as a Repeater for one or more additional Remotes. This protocol is optimized for TCP/IP traffic and/or ‘hidden’ Remotes in report-by-exception networks, where a Remote cannot be heard by other Remotes and/or different Rx and Tx frequencies are used.

All traffic over the Radio channel is managed by the Base station. Radio channel access is granted by a deterministic algorithm resulting in collision free operation regardless of the network load. Uniform distribution of Radio channel capacity among all Remotes creates stable response times with minimum jitter in the network.

Frame acknowledgement, retransmissions and CRC check guarantee data delivery and integrity even under harsh interference conditions on the Radio channel.

[Note]Note

There is no need to set any routes in the Routing table(s) for Remote stations located behind a Repeater. Forwarding of frames from the Base station over the Repeater in either direction is handled transparently by the Base driven protocol.

[Note]Note

When Remote-to-Remote communication is required, the respective routes via the Base station have to be set in the Routing tables of the Remotes.

a. Radio protocol – Base

  • Station type

    List box {Base, Remote}, default Base

    • Base

      Only one Base station may be present within one radio coverage area when the Base driven protocol is used.

  • IP / Mask

    Notes

b. Radio parameters – Base

  • Modulation type

    List box {FSK, QAM}, default FSK

  • Modulation

    List box {2CPFSK, 4CPFSK}, default 2CPFSK

  • FEC

    List box {Off, 5/6, 3/4, 2/3}, default Off

c. Base driven remotes

  • BDP address (from)

    Notes

  • BDP address (to)

    Notes

  • Modulation type

    List box {2CPFSK, 4CPFSK, DPSK, pi/4DQPSK, D8PSK, 16DEQAM, 64QAM, 256QAM}, default 2CPFSK

  • FEC

    List box {Off, 2/3, 3/4, 5/6}, default Off

  • ACK

    List box {On, Off}, default On

  • Retries

    Notes

  • CTS Retries

    Notes

  • Connection

    List box {Direct, Direct & Repeater, Behind repeater}, default Direct

d. Radio protocol – Remote

  • IP / Mask

    Notes

  • Automatic address mode

    List box {On, Off}, default On

  • BDP address

  • ACK

    List box {On, Off}, default On

  • Retries

    Notes

e. Radio parameters – Remote

  • Modulation type

    List box {FSK, QAM}, default FSK

7.1.3. COM

Data arriving at the RipEX2 unit from the COM port are received by the Protocol module, whose behaviour depends on the selected Protocol. With the Transparent protocol (available in Bridge mode only) the data are transmitted transparently to the RipEX2 network and sent out through all COM ports with the Transparent protocol selected. With any other protocol, the incoming frame from the COM port is processed by the Protocol module, translated into a UDP datagram, forwarded to the RipEX2 router module and further processed according to the routing rules. UDP datagrams received by the RipEX2 unit from the RipEX2 network (matched by the unit IP address and the UDP port of the Protocol module) are translated back into the original frame format by the Protocol module and sent out through the COM port.

The menu is divided into the following parts:

A. COM port parameters

The Data rate, Data bits, Parity and Stop bits settings of the COM port and of the connected device must match.

  • Type

    List box {possible values}, default = RS232

    COM port can be configured to either RS232 or RS485.

  • Baud rate [b/s]

    List box {standard series of rates from 300 to 1152000 b/s}, default = 19200.

    Serial ports use two-level (binary) signaling, so the data rate in bits per second is equal to the symbol rate in bauds.

  • Data bits

    List box {8, 7}, default = 8

    The number of data bits in each character.

  • Parity

    List box: {None, Odd, Even}, default = None

    Wikipedia: Parity is a method of detecting errors in transmission. When parity is used with a serial port, an extra data bit is sent with each data character, arranged so that the number of 1-bits in each character, including the parity bit, is always odd or always even. If a byte is received with the wrong number of 1-bits, then it must have been corrupted. However, an even number of errors can pass the parity check.

  • Stop bits

    List box: {possible values}, default = 1

    Wikipedia: Stop bits send at the end of every character allow the receiving signal hardware to detect the end of a character and to resynchronize with the character stream.

  • Idle [B]

    Default = 5 [0 – 2000]

    This parameter defines the maximum gap (expressed in bytes at the configured Baud rate) in the received data stream. If the gap exceeds the value set, the link is considered idle, the received frame is closed and forwarded to the network.

  • MRU [B]

    Default = 1600 [1 – 1600]

    MRU (Maximum Reception Unit): an incoming frame is closed at this size even if the stream of bytes continues. Consequently, a continuous data stream arriving at a COM port results in a sequence of MRU-sized frames sent over the network.

    [Note]Note

    1. Very long frames (>800 B) require good signal conditions on the Radio channel, and the probability of a collision increases rapidly with the length of the frames. Hence if your application can work with a smaller MTU, it is recommended to use values in the 200 – 400 byte range.

    [Note]Note

    2. This MRU and the MTU in the Radio settings are independent; however, the MTU should be greater than or equal to the MRU.

  • Flow control

    List box: {None, RTS/CTS}, default = None

    RTS/CTS (Request To Send / Clear To Send) hardware flow control (handshake) between the DTE (Data Terminal Equipment) and RipEX2 (DCE – Data Communications Equipment) can be enabled in order to pause and resume the transmission of data. When the RX buffer of RipEX2 is full, CTS is deasserted.

    [Note]Note

    RTS/CTS Flow control requires a 5-wire connection to the COM port.
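The following is an added example, not code from the RipEX2 manual or from RACOM. It shows how the Idle [B] and MRU [B] parameters above cut a serial byte stream into the frames that are forwarded to the network: a frame is closed when the silence on the line exceeds Idle character times, or when it reaches MRU bytes even though data keep arriving. The timing model (Idle counted in character times at the configured Baud rate) and the byte stream itself are constructed for the example.

```python
"""Added example: frame assembly from a COM byte stream by Idle [B] and MRU [B]."""
from typing import Iterable, List, Tuple


def char_time_s(baud: int, data_bits: int = 8, parity: bool = False, stop_bits: int = 1) -> float:
    """Duration of one character on the line: start bit + data bits + parity + stop bits."""
    return (1 + data_bits + (1 if parity else 0) + stop_bits) / baud


def frame_stream(events: Iterable[Tuple[float, int]], baud: int,
                 idle_b: int = 5, mru_b: int = 1600,
                 data_bits: int = 8, parity: bool = False, stop_bits: int = 1) -> List[bytes]:
    """Group (timestamp_s, byte) events into frames.

    A frame is closed when the gap since the previous byte exceeds Idle [B]
    character times, or as soon as it holds MRU [B] bytes even if the stream
    continues. Parameter ranges follow the manual (Idle 0-2000, MRU 1-1600)."""
    if not 0 <= idle_b <= 2000:
        raise ValueError("Idle must be within 0-2000")
    if not 1 <= mru_b <= 1600:
        raise ValueError("MRU must be within 1-1600")
    idle_s = idle_b * char_time_s(baud, data_bits, parity, stop_bits)
    frames: List[bytes] = []
    cur = bytearray()
    last_t = None
    for t, b in events:
        if cur and last_t is not None and (t - last_t) > idle_s:
            frames.append(bytes(cur))       # link went idle: close and forward
            cur = bytearray()
        cur.append(b)
        last_t = t
        if len(cur) >= mru_b:
            frames.append(bytes(cur))       # MRU reached: close even mid-stream
            cur = bytearray()
    if cur:
        frames.append(bytes(cur))           # end of the capture
    return frames


def constructed_events(baud: int) -> List[Tuple[float, int]]:
    """Constructed sample input: two 8-byte polls separated by 20 character times of
    silence, then a continuous 3500-byte burst that only stops at the end."""
    ct = char_time_s(baud)
    events: List[Tuple[float, int]] = []
    t = 0.0
    for chunk in (bytes(range(8)), bytes(range(8, 16)), bytes(i & 0xFF for i in range(3500))):
        for b in chunk:
            events.append((t, b))
            t += ct
        t += 20 * ct                        # silence between the chunks
    return events


if __name__ == "__main__":
    for mru in (1600, 400):
        sizes = [len(f) for f in frame_stream(constructed_events(19200), 19200, mru_b=mru)]
        print(f"MRU {mru}: frame sizes {sizes}")
```

With the default MRU the burst becomes 1600 + 1600 + 300 byte frames; with MRU 400 it becomes eight 400-byte frames and a 300-byte tail, which is the 200 – 400 byte range recommended in the note above.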

B. Common Protocol parameters

Each SCADA protocol used on a serial interface is more or less unique. The COM port protocol module converts it to standard UDP datagrams which travel across the RipEX2 Radio network.

  • Protocol

    List box: {None, Transparent, Async Link, DNP3, DF1, IEC101}, default = None

    The Transparent protocol can be used only when the unit operates in Bridge mode. All traffic is bridged transparently to the RipEX2 network.

  • Broadcast

    List box: {On, Off}, default = On

    Some Master SCADA units send broadcast messages to all Slave units; the SCADA application typically uses a specific address for such messages. RipEX2 (the Protocol module) converts such a message into a customized IP broadcast and broadcasts it to all RipEX2 units, i.e. to all SCADA units within the network.

  • Address translation

    List box: {Mask, Table}, default = Mask

    The SCADA protocol address is translated to the IP address using either the Mask (common rule for all addresses) or the Table (specific rule per address) type of conversion.

    • Mask

      [Note]Note

      − all IP addresses used have to be within the same subnet, which is defined by this Mask

      − the same UDP port is used for all the SCADA units, which results in the following limitations:

        − SCADA devices on all sites have to be connected to the same interface

        − only one SCADA device can be connected to one COM port, even if the RS485 interface is used.

    • Base IP / Mask

      The part of the Base IP address defined by this Mask is replaced by the ‘Protocol address’. The SCADA protocol address is typically 1 byte long, so Mask 24 (255.255.255.0) is the most frequently used.

    • Destination UDP port

      list box {Manual, COM1 .. COM3, TS1 .. TS5}, default COM1

      The same UDP port is used for all destinations. It is the destination UDP port of the UDP datagram in which the serial SCADA packet received from the COM port is encapsulated. Either the default UDP port of a COM port or Terminal server can be used, or the UDP port can be set manually. If the destination IP address belongs to a RipEX2 and the UDP port is not assigned to a COM port, a Terminal server or any other special SW module running in the destination RipEX2, the packet is discarded.

    • Table

      The Address translation is defined in a table. There are no limitations such as those of the “Mask” translation. If several SCADA units are connected via the RS485 interface, their multiple “Protocol addresses” are translated to the same IP address and UDP port pair.

      [Note]Note

      You may add a note to each address with your comments (UTF8 is supported) for your convenience.

    • Protocol address (from)

      This is the address which is used by SCADA protocol.

      The typical Protocol address length is 1 Byte. Some protocols, e.g. DNP3 are using 2 Bytes long addresses.

    • Protocol address (to)

      Several consecutive SCADA addresses can be translated using one rule.

    • IP address (base)

      The IP address to which the Protocol address is translated. It is used as the destination IP address of the UDP datagram in which the serial SCADA packet received from the COM port is encapsulated. When several addresses are covered by the rule, this is the first IP address; each following address gets +1.

    • Destination (UDP port)

      {MANUAL, COM1 .. COM3, TS1 .. TS5}, default COM1

      The UDP port number used as the destination UDP port of the UDP datagram in which the serial SCADA message received from the COM port is encapsulated. Different Destination UDP ports can be used in different rules.

C. Individual protocol parameters

  • None

    The None protocol switches the COM port off. All incoming data are discarded and no data are sent to the COM interface.

  • Async link

    Async link creates an asynchronous link between two COM ports on different RipEX2 units. Frames received from the COM port or from a Terminal server are sent transparently, without any processing, over the Radio channel to the configured destination IP address and UDP port. Frames received from the Radio channel are sent to the COM port or Terminal server according to the Destination (UDP port) parameter.

    • Destination IP

      The IP address of the destination RipEX2, either its ETH or Radio interface.

    • Transmit as broadcasts

      List box: {On, Off}, default Off

      Allows sending the packets incoming from the COM port as broadcasts.

    • Accept broadcasts

      List box: {On, Off}, default Off

      On: broadcast packets from the radio channel are sent to the COM port.

      Off: only unicast packets are sent to the COM port.

  • DNP3

    Each frame in the DNP3 protocol contains the source and destination addresses in its header, so there is no difference between Master and Slave in terms of the RipEX2 configuration. The DNP3 allows both Master-Slave polling as well as spontaneous communication from the remote units.

    The common parameters (e.g. address translation) have to be set.

    • Broadcast

      List box: {On, Off}, default = On

      [Note]Note

      Broadcast

      There is no option to set the Broadcast address, since DNP3 broadcast messages always use destination addresses in the range 0xFFFD – 0xFFFF. Hence when Broadcast is On, packets with these destination addresses are handled as broadcasts.

  • DF1

    Each frame in the Allen-Bradley DF1 protocol contains the source and destination addresses in its header, so in Full duplex mode there is no difference between Master and Slave in terms of the RipEX2 configuration.

    • Duplex mode

      List box: {Full duplex, Half duplex}

      Notes

    • Connected service mode

      List box {Master, Slave}, default=Slave

      The SCADA application follows a Master-Slave scheme in which the structure of the message differs for Master and Slave SCADA units. It is therefore necessary to set which type of SCADA unit is connected to the RipEX2.

      [Note]Note

      For a connected SCADA Master set Master, for a connected SCADA Slave set Slave.

    • Block control mode

      List box: {BCC, CRC}, default = BCC

      According to the DF1 specification, either BCC or CRC can be used as the Block control mode (data integrity check).

      [Note]Note

      Broadcast

      According to the DF1 specification, packets for destination address 0xFF are broadcasts. Hence when Broadcast is On, packets with this destination address are handled as broadcasts.

  • IEC101

    • ComProt_IECMode

      List box: {Primary, Secondary, Combined}, default = Primary

    • ComProt_IECAddrMode

      List box: {8 bit, 16 bit, 8 bit w/o ctrl byte, 8 bit swp ctrl byte, No addr}, default = 8 bit

    • Broadcast

      List box: {On, Off}, default = On
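The following is an added example, not code from the RipEX2 manual or from RACOM. It models the address translation described under “Common Protocol parameters” (Mask: the host part of Base IP is replaced by the protocol address; Table: a [from, to] range of protocol addresses maps to consecutive IP addresses and one UDP port) and the broadcast addresses named for DNP3 (0xFFFD – 0xFFFF) and DF1 (0xFF). The UDP port numbers and the rule table are constructed sample values, not RipEX2 defaults.

```python
"""Added example: SCADA protocol address -> destination IP / UDP port translation."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Protocol broadcast destination addresses as stated in the individual protocol notes.
BROADCAST_ADDRESSES = {
    "DNP3": range(0xFFFD, 0x10000),
    "DF1": range(0xFF, 0x100),
}


def is_broadcast(protocol: str, proto_addr: int, broadcast_on: bool = True) -> bool:
    """Broadcast handling applies only when the Broadcast parameter is On."""
    return broadcast_on and proto_addr in BROADCAST_ADDRESSES.get(protocol, range(0))


def mask_translate(base_ip: str, mask: int, proto_addr: int) -> str:
    """Mask method: bits of Base IP outside /mask are replaced by the protocol address,
    e.g. Base IP 10.0.0.0/24 and protocol address 5 give 10.0.0.5."""
    if not 0 <= mask <= 32:
        raise ValueError("mask out of range")
    if proto_addr >= (1 << (32 - mask)):
        raise ValueError(f"protocol address {proto_addr} does not fit into the /{mask} host part")
    net = ipaddress.ip_network(f"{base_ip}/{mask}", strict=False)
    return str(net.network_address + proto_addr)


@dataclass(frozen=True)
class TableRule:
    addr_from: int     # Protocol address (from)
    addr_to: int       # Protocol address (to), inclusive
    ip_base: str       # IP address (base): first address, +1 for each following protocol address
    udp_port: int      # Destination (UDP port); constructed value in the samples below


def table_translate(rules: List[TableRule], proto_addr: int) -> Optional[Tuple[str, int]]:
    """Table method: the first rule whose range contains the address gives IP and port."""
    for r in rules:
        if r.addr_from <= proto_addr <= r.addr_to:
            ip = ipaddress.ip_address(r.ip_base) + (proto_addr - r.addr_from)
            return str(ip), r.udp_port
    return None


def resolve_destination(protocol: str, proto_addr: int, *, mode: str,
                        base_ip: str = "0.0.0.0", mask: int = 24, udp_port: int = 0,
                        rules: Tuple[TableRule, ...] = (), broadcast_on: bool = True):
    """('broadcast', None, None), ('unicast', ip, port), or None when no rule applies."""
    if is_broadcast(protocol, proto_addr, broadcast_on):
        return ("broadcast", None, None)
    if mode == "Mask":
        return ("unicast", mask_translate(base_ip, mask, proto_addr), udp_port)
    if mode == "Table":
        hit = table_translate(list(rules), proto_addr)
        return None if hit is None else ("unicast", hit[0], hit[1])
    raise ValueError("mode must be Mask or Table")


# Constructed sample table: addresses 1-10 to individual units, and two RS485 devices
# (addresses 20 and 21) plus a third (22) sharing one RipEX2 IP/port pair.
SAMPLE_RULES = (
    TableRule(1, 10, "10.1.0.1", 8882),
    TableRule(20, 21, "10.1.0.50", 8883),
    TableRule(22, 22, "10.1.0.50", 8883),
)

if __name__ == "__main__":
    print(mask_translate("10.0.0.0", 24, 5))
    print(resolve_destination("DNP3", 7, mode="Table", rules=SAMPLE_RULES))
    print(resolve_destination("DNP3", 0xFFFF, mode="Table", rules=SAMPLE_RULES))
```

The ValueError raised by mask_translate is the practical consequence of the “all IP addresses used have to be within the same subnet” limitation: a 2-byte DNP3 address cannot be placed into a /24 host part, so such networks need a wider Mask or the Table method.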

7.1.4. Terminal servers

Generally, a Terminal Server (also referred to as a Serial Server) enables devices with a serial interface to connect to a RipEX2 over the local area network (LAN). It is a virtual substitute for devices used as serial-to-TCP (UDP) converters.

In some special cases the Terminal server can also be used to reduce the network load of applications using TCP. A TCP session can be terminated locally at the Terminal server in RipEX2, the user data extracted from the TCP messages and processed as if they came from a COM port. When the data reach the destination RipEX2, they can be passed to the RTU either via a serial interface or via TCP (UDP), using the Terminal server again.

Up to 5 independent Terminal servers can be set up. Each one can be either of TCP or UDP Type. TCP Inactivity is the timeout in seconds for which the TCP socket in RipEX2 is kept active after the last data reception or transmission. The IP address of the RipEX2 ETH interface (or the Local preferred source address if one exists, see chap. 7.2.1) is used as the source IP address of a Terminal server; Source (my) port can be set as required. Destination (peer) IP and Destination (peer) port belong to the locally connected application (e.g. a virtual serial interface). Some applications dynamically change the IP port with each datagram; in such a case set Destination port = 0. RipEX2 then sends replies to the port from which the last response was received. This feature allows the number of simultaneously open TCP connections between a RipEX2 and the locally connected application to be extended to any value up to 10 on each Terminal server. Protocol follows the same principles as a protocol on the COM interface.

[Note]Note

Max. user data length in a single datagram processed by the Terminal server is 8192 bytes.

7.2. Routing

7.2.1. Static

The Routing table is active only when Router mode (Settings/Device/Operating mode) is set. In that case RipEX2 works as a standard IP router with multiple independent interfaces: Radio interface, Network interfaces (bridging physical Ethernet interfaces), COM ports, Terminal servers, optional Cellular interface etc. Each interface has its own IP address(es) and Mask(s). IP packets are then processed according to the Routing table.

An unlimited number of subnets can be defined on a Network interface. They are routed independently.

The COM ports are treated in the standard way as router devices; messages can be delivered to them as UDP datagrams to selected UDP port numbers. The destination IP address of a COM port is either the IP of a Network interface (bridging Ethernet interfaces) or the IP of the Radio interface. The source IP address of packets outgoing from COM ports is the IP address of the interface (either Radio or Network interface) through which the packet has been sent; the source address can also be set to the Local preferred source address value, see the description below. The outgoing interface is determined from the Routing table according to the destination IP.

The IP addressing scheme can be chosen arbitrarily; only 127.0.0.0/8, 192.0.2.233/30 and 192.0.2.228/30 are restricted. Further addresses from the 192.0.2.0/24 subnet (RFC 5737) may also be reserved for internal use in the future.

  • Active {On / Off}

    Switches the rule on / off

  • Destination IP / mask

    Each IP packet received by RipEX2 through any interface (Radio, ETH, COM, …) has a destination IP address. RipEX2 (router) forwards the received packet either directly to the destination IP address or to the respective Gateway, according to the Routing table. Any Gateway has to be within the network defined by the IP and Mask of one of the interfaces, otherwise the packet is discarded.

    Each item in the routing table defines a Gateway (the route, the next hop) for the network (group of addresses) defined by Destination IP and Mask. When no Gateway for the respective destination IP address is found in the Routing table, the packet is forwarded to the Default gateway; when no Default gateway (0.0.0.0/0) is defined, the packet is discarded.

    The network (Destination and Mask) is written in CIDR format, e.g. 10.11.12.13/24.

    [Note]Note

    Networks defined by IP and Mask for Radio and other interfaces must not overlap.

  • Mode {Static}

    Used for static IP routing rules. If the next hop of the route is over the radio channel, the Radio IP is used as the Gateway. If the Base driven protocol is used and the destination Remote is behind a Repeater, the Radio IP of the destination Remote is used as the Gateway (not the Repeater address).

  • Name: You may add a name to each route with your comments up to 16 characters (UTF8 is supported) for your convenience.

  • The menu ADVANCED / Routing / Static allows an additional parameter to be set:

    Local preferred source address (Routing_LocalUseSrcAddr): local IP address used as the source address of packets originating in the local RipEX2 unit (for example from the COM port or the Terminal Server) that are routed by this routing rule. If set to 0.0.0.0 it is not considered active. The IP address has to belong to one of the following interfaces: Radio interface, Network interfaces.
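The following is an added example, not code from the RipEX2 manual or from RACOM. It applies the rules stated in this section to a static Routing table before it is deployed: a Gateway must lie inside the subnet of one of the interfaces, interface networks must not overlap, 127.0.0.0/8 and the two 192.0.2.x/30 blocks are restricted, the most specific route wins, and 0.0.0.0/0 is used only when nothing else matches. The interfaces and routes are constructed sample values.

```python
"""Added example: consistency checks and lookup for a RipEX2-style static Routing table."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Restricted ranges as listed on the page; "192.0.2.233/30" is taken as written
# there (strict=False makes ipaddress treat it as the 192.0.2.232/30 block).
RESERVED = [ipaddress.ip_network(n, strict=False)
            for n in ("127.0.0.0/8", "192.0.2.233/30", "192.0.2.228/30")]


@dataclass(frozen=True)
class Route:
    active: bool
    destination: str      # Destination IP / mask in CIDR notation; 0.0.0.0/0 = Default gateway
    gateway: str          # next hop; the peer's Radio IP when the hop is over the radio channel
    name: str = ""


def validate_interfaces(interfaces: Dict[str, str]) -> List[str]:
    """interfaces maps interface name -> 'ip/mask'. Returns a list of problems (empty = OK)."""
    problems: List[str] = []
    itfs = {n: ipaddress.ip_interface(a) for n, a in interfaces.items()}
    for name, itf in itfs.items():
        if any(itf.ip in r for r in RESERVED):
            problems.append(f"{name}: {itf.ip} lies in a restricted range")
    names = list(itfs)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if itfs[a].network.overlaps(itfs[b].network):   # Radio and other nets must not overlap
                problems.append(f"{a} and {b}: subnets overlap")
    return problems


def validate_routes(routes: List[Route], interfaces: Dict[str, str]) -> List[str]:
    """Every active Gateway must lie inside the subnet of one of the interfaces."""
    nets = [ipaddress.ip_interface(a).network for a in interfaces.values()]
    problems: List[str] = []
    for r in routes:
        if not r.active:
            continue
        gw = ipaddress.ip_address(r.gateway)
        if not any(gw in n for n in nets):
            problems.append(f"route {r.destination} ({r.name}): gateway {gw} is not inside any interface subnet")
    return problems


def lookup(routes: List[Route], interfaces: Dict[str, str], dst: str) -> Optional[Tuple[str, str]]:
    """('direct', interface) for an attached subnet, ('gateway', ip) for the most
    specific active route, 0.0.0.0/0 only as a last resort, None = packet discarded."""
    ip = ipaddress.ip_address(dst)
    for name, a in interfaces.items():
        if ip in ipaddress.ip_interface(a).network:
            return ("direct", name)
    best: Optional[Tuple[int, str]] = None
    for r in routes:
        if not r.active:
            continue
        net = ipaddress.ip_network(r.destination, strict=False)
        if ip in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, r.gateway)
    return None if best is None else ("gateway", best[1])


SAMPLE_INTERFACES = {"Radio": "10.10.10.1/24", "LAN-1": "192.168.1.1/24"}   # constructed
SAMPLE_ROUTES = [                                                            # constructed
    Route(True, "192.168.2.0/24", "10.10.10.2", "site 2 over radio"),
    Route(True, "192.168.0.0/16", "10.10.10.3", "all other sites over radio"),
    Route(True, "0.0.0.0/0", "192.168.1.254", "default to the LAN router"),
    Route(False, "192.168.2.0/24", "10.10.10.9", "old site 2 route, disabled"),
]

if __name__ == "__main__":
    print(validate_interfaces(SAMPLE_INTERFACES), validate_routes(SAMPLE_ROUTES, SAMPLE_INTERFACES))
    for d in ("192.168.2.7", "192.168.5.7", "8.8.8.8", "192.168.1.50"):
        print(d, "->", lookup(SAMPLE_ROUTES, SAMPLE_INTERFACES, d))
```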

7.3. Firewall

7.3.1. L2

  • Filter mode list box {Blacklist, Whitelist}, default Blacklist

    • Blacklist

      The MAC addresses listed in the table are blocked, i.e. all packets to/from them are discarded. The traffic to/from other MAC addresses is allowed.

    • Whitelist

      Only the MAC addresses listed in the table are allowed, i.e. only packets to/from them are allowed. The traffic to/from other MAC addresses is blocked.

  • Active list box {Off, On}, default On

    If “On” and the unit is in Router mode, the Layer 2 Linux firewall is activated.

  • Interface list box {All, ETH1..ETH5}, default All

  • MAC: the MAC address to be blocked (Blacklist) or allowed (Whitelist)

7.3.2. L3

  • Active list box {Off, On}, default Off

    Switches the L3 firewall Off / On.

Each individual firewall rule is described by the following items:

  • Protocol

    List box {All, ICMP, UDP, TCP, GRE, ESP, Other}, default All

  • Source IP/Mask: source IP address and mask.

    The rule with narrower mask has higher priority. The rule’s order does not affect priority.

  • Source port (from) and (to): interval of source ports

  • Input interface list box {All, Radio, All ETH, ETH1..ETH5, Other}, default All

  • Action list box {Deny, Allow}, default Deny

  • Destination IP/Mask

  • Destination port (from) and (to): interval of destination ports

  • Output interface list box {All, Radio, All ETH, Other}, default All

  • Connection state New list box {Off, On}, default Off – active only for TCP protocol

    Relates to the first packet when a TCP connection starts (Request from TCP client to TCP server for opening a new TCP connection). Used e.g. for allowing to open TCP only from RipEX2 network to outside.

  • Connection state Established list box {Off, On}, default Off – active only for TCP protocol

    Relates to an already existing TCP connection. Used e.g. for allowing to get replies for TCP connections created from RipEX2 network to outside.

  • Connection state Related list box {Off, On}, default Off – active only for TCP protocol

    A connection related to an “Established” one, e.g. FTP typically uses two TCP connections, control and data, where the data connection is created automatically using dynamic ports.

    [Note]Note

    L2/L3 firewall settings do not affect local ETH access, i.e. the settings never deny access to a locally connected RipEX2 (web interface, ping, …).

    [Note]Note

    Ports 443 and 8889 are used internally for service access (by default; they can be overridden). Exercise caution when making L3 Firewall rules which may affect datagrams to/from these ports. The management connection to a remote RipEX2 may be lost when another RipEX2 acts as a router along the path of the management packets and port 443 (or 8889) is blocked in the firewall settings of that routing RipEX2 (RipEX2 units filter forwarded traffic with the iptables FORWARD chain).

    [Note]Note

    L3 Firewall settings do not affect packets received from and forwarded back to the Radio channel. The problem described in the previous Note therefore does not occur if the affected RipEX2 router is a radio repeater, i.e. when it uses solely the radio channel for input and output.
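The following is an added example, not code from the RipEX2 manual or from RACOM. It models the L3 rule matching described above, where the rule with the narrower Source mask wins regardless of its position in the table, and adds the check a practitioner wants before saving a rule set on a unit that routes management traffic for other units: which Deny rules could catch forwarded TCP traffic to port 443 or 8889. The tie-break between rules with equally narrow Source masks, the reading of the Connection state flags as restricting a rule to the selected states, and the policy applied when no rule matches are assumptions of this example; the rule set is constructed.

```python
"""Added example: L3 firewall rule evaluation with a management-port lockout check."""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

MANAGEMENT_PORTS = (443, 8889)     # defaults named on the page; overridable on the unit


@dataclass(frozen=True)
class Rule:
    action: str                         # "Allow" or "Deny"
    protocol: str = "All"               # All, ICMP, UDP, TCP, GRE, ESP, Other
    src: str = "0.0.0.0/0"              # Source IP/Mask
    dst: str = "0.0.0.0/0"              # Destination IP/Mask
    sport: Tuple[int, int] = (0, 65535)
    dport: Tuple[int, int] = (0, 65535)
    in_if: str = "All"                  # All, Radio, All ETH, ETH1..ETH5, Other
    out_if: str = "All"                 # All, Radio, All ETH, Other
    state_new: bool = False             # Connection state flags, TCP only
    state_established: bool = False
    state_related: bool = False


@dataclass(frozen=True)
class Packet:
    protocol: str
    src: str
    dst: str
    sport: int
    dport: int
    in_if: str
    out_if: str
    tcp_state: str = "NEW"              # NEW, ESTABLISHED or RELATED (TCP only)


def _iface_matches(rule_if: str, pkt_if: str) -> bool:
    if rule_if == "All":
        return True
    if rule_if == "All ETH":
        return pkt_if.startswith("ETH")
    return rule_if == pkt_if


def matches(rule: Rule, pkt: Packet) -> bool:
    """All fields of the rule must match the packet."""
    if rule.protocol != "All" and rule.protocol != pkt.protocol:
        return False
    if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(rule.src, strict=False):
        return False
    if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(rule.dst, strict=False):
        return False
    if not (rule.sport[0] <= pkt.sport <= rule.sport[1] and rule.dport[0] <= pkt.dport <= rule.dport[1]):
        return False
    if not (_iface_matches(rule.in_if, pkt.in_if) and _iface_matches(rule.out_if, pkt.out_if)):
        return False
    if pkt.protocol == "TCP":
        wanted = {s for s, on in (("NEW", rule.state_new), ("ESTABLISHED", rule.state_established),
                                  ("RELATED", rule.state_related)) if on}
        if wanted and pkt.tcp_state not in wanted:   # assumption: flags restrict the rule to those states
            return False
    return True


def decide(rules: List[Rule], pkt: Packet, active: bool = True, no_match_policy: str = "Allow") -> str:
    """Narrowest Source mask wins and rule order is irrelevant (as on the page).
    Ties go to the narrower Destination mask; no_match_policy is an assumption."""
    if not active:
        return "Allow"
    hits = [r for r in rules if matches(r, pkt)]
    if not hits:
        return no_match_policy
    best = max(hits, key=lambda r: (ipaddress.ip_network(r.src, strict=False).prefixlen,
                                    ipaddress.ip_network(r.dst, strict=False).prefixlen))
    return best.action


def management_lockout_risks(rules: List[Rule]) -> List[Rule]:
    """Deny rules that can catch forwarded TCP traffic to a management port."""
    return [r for r in rules
            if r.action == "Deny" and r.protocol in ("All", "TCP")
            and any(r.dport[0] <= p <= r.dport[1] for p in MANAGEMENT_PORTS)]


RULES = [  # constructed sample rule set
    Rule("Deny", "TCP", dst="10.0.0.0/8", dport=(443, 443)),                       # no HTTPS into the radio network...
    Rule("Allow", "TCP", src="10.1.0.0/16", dst="10.0.0.0/8", dport=(443, 443)),  # ...except from the NOC subnet
    Rule("Allow", "TCP", src="10.0.0.0/8", state_new=True, out_if="ETH1"),        # radio-side clients may open sessions out
]

if __name__ == "__main__":
    noc = Packet("TCP", "10.1.2.3", "10.0.0.5", 51000, 443, "ETH1", "Radio")
    print("NOC to remote unit:", decide(RULES, noc))
    print("rules that can lock out remote management:", management_lockout_risks(RULES))
```

The first rule is reported by management_lockout_risks: it is what the note above warns about, since on a unit forwarding for other units it silently cuts the web-interface path to every RipEX2 behind it except for the NOC exception.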

7.4. VPN

VPN (Virtual Private Network) extends a private network across a public network, and enables users to send and receive data across shared or public networks as if their computing devices were directly connected to the private network. Applications running across the VPN may therefore benefit from the functionality, security, and management of the private network.

7.4.1. IPsec

Internet Protocol Security (IPsec) is a network protocol suite that authenticates and encrypts the packets of data sent over a network. IPsec includes protocols for establishing mutual authentication between agents at the beginning of the session and negotiation of cryptographic keys for use during the session. IPsec uses cryptographic security services to protect communications over Internet Protocol (IP) networks. IPsec supports network-level peer authentication, data-origin authentication, data integrity, data confidentiality (encryption), and replay protection. IPsec is an end-to-end security scheme operating within the Internet Layer of the Internet Protocol Suite. IPsec is recognized as a secure, standardized and well-proven solution by the professional public.

Although there are two modes of operation, RipEX2 offers only Tunnel mode. In Tunnel mode the entire IP packet is encrypted and authenticated, then encapsulated into a new IP packet (ESP – Encapsulating Security Payload) with a new IP header.

Symmetric cryptography is used to encrypt the packets. The symmetric keys must be safely delivered to the peer, and in order to maintain a secure connection they must be regularly renewed. The protocol used for secure key exchange is IKE (Internet Key Exchange). Both IKE version 1 and the newer version 2 are available in RipEX2.

IKE communication with the peer uses UDP port 500. However, if NAT-T (NAT Traversal) or MOBIKE (MOBile IKE) is active, UDP port 4500 is used instead.

[Note]Note

NAT-T is automatically recognized by the IPsec implementation in RipEX2.

The IPsec tunnel is provided by Security Association (SA). There are 2 types of SA:

  • IKE SA: IKE Security Association, used for exchanging SA keys with the peer.

  • CHILD SA: IPsec Security Association, used for packet encryption.

Every IPsec tunnel contains 1 IKE SA and at least 1 CHILD SA.

Link partner (peer) secure authentication is assured using Pre-Shared Key (PSK) authentication method: Both link partners share the same key (password).

As and when the CHILD SA expires, new keys are generated and exchanged using IKE SA.

As and when the IKE SA version IKEv1 expires – new authentication and key exchange occurs and a new IKE SA is created. Any CHILD SA belonging to this IKE SA is re-created as well.

As and when the IKE SA version IKEv2 expires one of two different scenarios might occur:

  • If the re-authentication is required – the behavior is similar to IKEv1 (see above).

  • If the re-authentication is not required – only new IKE SA keys are generated and exchanged.

  • Configuration

    Active {On, Off}

    IPsec system turning On/Off

  • Make-before-break {On, Off}, default Off

    This parameter is valid for all IKE SA using IKEv2 with re-authentication. The temporary connection break during IKE SA re-authentication is suppressed by this parameter. This function may not operate correctly with some IPsec implementations (on the peer side).

  • Peer Address

    Default = 0.0.0.0

    IKE peer IP address.

  • Local ID

    IP address or FQDN (Fully Qualified Domain Name) is used as the Local side identification. It must be the same as “Peer ID” of the IKE peer.

  • Peer ID

    IP address or FQDN (Fully Qualified Domain Name) is used as the IKE peer identification. It must be the same as “Local ID” of the IKE peer. The “Peer ID” must be unique in the whole table.

  • Add / Edit IPsec associations

    Every item in the table represents one IKE SA. There can be a maximum of 8 active IKE SA (limited by system resources).

    • Start state

      List box {Passive, On demand, Start}, default Passive

    • MOBIKE

      List box {On, Off}, default On

      Enables MOBIKE for IKEv2 supporting mobility or migration of the tunnels. Please note IKE is moved from port 500 to port 4500 when MOBIKE is enabled. The peer configuration must match.

    • Dead Peer Detection

      List box {On, Off}, default = On

      Detection of a lost connection with the peer. IKE test packets are sent periodically. When the packets are not acknowledged after several attempts, the connection is closed (and the corresponding actions are initiated). When Detection is not enabled, a connection loss is only discovered when the regular key exchange process is initiated.

    • Phase 1 IKE

      Parameters of the IKE SA (IKE Security Association), which provides the SA key exchange with the peer.

      • IKE version

        List box {IKEv1, IKEv2}, default = IKEv2

        IKE version selection. The IKE peer must use the same version.

      • Authentication method

        List box {PSK}

        Peer authentication method. Peer configuration must match.

        The “main mode” negotiation is the only option supported. The “aggressive mode” is not supported; it is recognized as unsafe when combined with the PSK type of authentication.

      • Encryption algorithm

        List box {3DES (legacy), AES128, AES192, AES256}, default = AES128

        IKE SA encryption algorithm. The “legacy” marked methods are recognized as unsafe. Peer configuration must match.

      • Authentication algorithm

        List box {MD5 (legacy), SHA1 (legacy), SHA256, SHA384, SHA512}, default = SHA256

        IKE SA integrity algorithm. The “legacy” marked methods are recognized as unsafe. Peer configuration must match.

        The same value as selected for the Integrity algorithm is used for the PRF (Pseudo-Random Function).

      • Diffie-Hellman group (PFS)

        List box {None (legacy), Group 2 (MODP1024, legacy), Group 5 (MODP1536, legacy), Group 14 (MODP2048), Group 15 (MODP3072), Group 25 (ECP192), Group 26 (ECP224), Group 19 (ECP256), Group 20 (ECP384), Group 21 (ECP521), Group 27 (ECP224BP), Group 28 (ECP256BP), Group 29 (ECP384BP), Group 30 (ECP512BP)}, default = Group 15 (MODP3072)

        The PFS (Perfect Forward Secrecy) feature is performed using the Diffie-Hellman group method.

        PFS increases IKE SA key exchange security. The RipEX2 unit load is seriously affected when key exchange is in process. The “legacy” marked methods are recognized as unsafe. Peer configuration must match.

        The higher the Diffie-Hellman group, the higher the security but also the higher the network and CPU load.

      • Reauthentication

        List box {On, Off}, default = Off

        This parameter is valid if IKEv2 is used. It determines the next action after IKE SA has expired. When enabled: the new IKE SA is negotiated including new peer authentication. When disabled: only the new keys are exchanged.

      • SA lifetime [s]

        Default = 14400 s (4 hours). Range [180 – 86400] s

        Time of SA validity. The new key exchange or re-authentication is triggered immediately when the key expires. The true time of expiration is randomly selected within the range of 90-110%, to prevent a collision when the key exchange is triggered from both sides simultaneously.

        Unfortunately, the more frequent the key exchange, the higher the network and CPU load.

    • Phase 2 – IPsec

      Certain parameters are shared by all subordinate CHILD SA. IPsec Security Association provides packet encryption (user traffic encryption).

      • Encryption algorithm

        List box {3DES (legacy), AES128, AES192, AES256}, default = AES128

        IKE CHILD SA encryption algorithm. The “legacy” marked methods are recognized as unsafe. Peer configuration must match.

      • Authentication algorithm

        List box {MD5 (legacy), SHA1 (legacy), SHA256, SHA384, SHA512}, default = SHA256

        IKE CHILD SA integrity algorithm. The “legacy” marked methods are recognized as unsafe. Peer configuration must match.

        The same value as selected for the Integrity algorithm is used for the PRF (Pseudo-Random Function).

      • Diffie-Hellman group (PFS)

        List box {None (legacy), Group 2 (MODP1024, legacy), Group 5 (MODP1536, legacy), Group 14 (MODP2048), Group 15 (MODP3072), Group 25 (ECP192), Group 26 (ECP224), Group 19 (ECP256), Group 20 (ECP384), Group 21 (ECP521), Group 27 (ECP224BP), Group 28 (ECP256BP), Group 29 (ECP384BP), Group 30 (ECP512BP)}, default = Group 15 (MODP3072)

        The PFS (Perfect Forward Secrecy) feature is performed using the Diffie-Hellman group method.

        PFS increases IKE CHILD SA key exchange security. The RipEX2 unit load is seriously affected when key exchange is in process. The “legacy” marked methods are recognized as unsafe. Peer configuration must match.

        The higher the Diffie-Hellman group, the higher the security but also the higher the network and CPU load.

      • Payload compression

        List box {On, Off}, default = Off

        This parameter enables payload compression. Compression takes place before encryption. Peer configuration must match.

      • SA lifetime [s]

        Default = 3600 s (1 hour). Range [180 – 86400] s

        Time of CHILD SA validity. The new key exchange or re-authentication is triggered immediately when the key expires. The true time of expiration is randomly selected within the range of 90-110%, to prevent a collision when the key exchange is triggered from both sides simultaneously.

        The SA lifetime for a CHILD SA is normally much shorter than the SA lifetime for the IKE SA, because the CHILD SA normally transfers much more data than the IKE SA (key exchange only). Changing the keys serves as protection against breaking the cipher by analyzing big amounts of data encrypted with the same key.

    • PSK

      PSK (Pre-shared key) authentication is used for IKE SA authentication. The relevant peer is identified using its “Peer ID”. The key must be the same for both the local and the peer side of the IPsec tunnel.

      • Passphrase

        The PSK key is entered as a password. Empty password is not allowed. It is possible to set 256 bits long Key instead of Passphrase in the ADVANCED / VPN / IPsec menu.
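The rules above (mirrored Local ID / Peer ID, matching version, algorithms, PFS group, MOBIKE and PSK, no “legacy” methods, SA lifetime within range and the 90-110% expiry window) can be checked offline before two RipEX2 units are paired. The following is an added example, not RipEX2 code or any vendor tool; the field names, the hypothetical `hub.example` / `remote.example` identities and the PSK placeholder are assumptions.

```python
# Added example (not RipEX2 code): checks that two IKE SA definitions, one per peer,
# satisfy the mutual constraints from the table above. Field names are assumed.
LEGACY = {"3DES", "MD5", "SHA1", "None", "Group 2", "Group 5"}  # marked "legacy" on the page
MUST_MATCH = ("ike_version", "encryption", "integrity", "dh_group", "mobike", "psk")


def ike_udp_port(sa):
    """IKE uses UDP 500; with MOBIKE (as with NAT-T) it moves to UDP 4500."""
    return 4500 if sa["mobike"] else 500


def rekey_window(lifetime_s):
    """Valid SA lifetime is [180, 86400] s; the real expiry is drawn from 90-110 % of it."""
    if not 180 <= lifetime_s <= 86400:
        raise ValueError(f"SA lifetime {lifetime_s} s is outside 180-86400 s")
    return 0.9 * lifetime_s, 1.1 * lifetime_s


def check_ike_pair(local, peer):
    """Return a list of problems; an empty list means both sides can negotiate."""
    problems = []
    # Local ID and Peer ID must be swapped between the two sides.
    if local["local_id"] != peer["peer_id"] or local["peer_id"] != peer["local_id"]:
        problems.append("Local ID / Peer ID are not mirrored between the sides")
    # "Peer configuration must match" for version, algorithms, PFS group, MOBIKE and PSK.
    for key in MUST_MATCH:
        if local[key] != peer[key]:
            problems.append(f"{key} differs: {local[key]!r} vs {peer[key]!r}")
    for sa in (local, peer):
        if sa["mobike"] and sa["ike_version"] != "IKEv2":
            problems.append(f"{sa['local_id']}: MOBIKE is only available with IKEv2")
        for key in ("encryption", "integrity", "dh_group"):
            if sa[key] in LEGACY:
                problems.append(f"{sa['local_id']}: {key} {sa[key]} is a legacy method")
        try:
            rekey_window(sa["lifetime"])
        except ValueError as exc:
            problems.append(f"{sa['local_id']}: {exc}")
    return problems


# Constructed sample: a hub definition and the mirrored definition its remote peer needs.
HUB = {"local_id": "hub.example", "peer_id": "remote.example", "ike_version": "IKEv2",
       "encryption": "AES256", "integrity": "SHA256", "dh_group": "Group 15",
       "mobike": True, "psk": "PSK-PLACEHOLDER", "lifetime": 14400}
REMOTE = dict(HUB, local_id="remote.example", peer_id="hub.example")

if __name__ == "__main__":
    print("problems:", check_ike_pair(HUB, REMOTE))  # expect []
```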

  • Traffic selector

    “Traffic selector” defines which traffic is forwarded to the IPsec tunnel. The rule that defines this selection matches an incoming packet to “Local network …” and “Remote network …” address ranges.

  • Basic rules:

    • Each line contains the configuration settings of one CHILD SA and indicates its association to a specific IKE SA.

    • There can be a maximum of 16 active CHILD SA (in total over all Active IKE SA).

    • Every “Active” line must have an equivalent on the peer side with reversed “Local network…” and “Remote network…” fields.

    • “Local network…” and “Remote network…” fields must contain different address ranges and must not interfere with the USB service connection (10.9.8.7/28) or the internal connection to the FPGA (192.0.2.233/30).

    • Each “Active” Traffic selector in the configuration table must be unique.

  • Local network address / Mask

    Source IP address and mask of the packets to be captured and forwarded to the encrypted tunnel.

  • Remote network address / Mask

    Destination IP address and mask of the packets to be captured and forwarded to the encrypted tunnel.

  • Active {On, Off}, default On

    Relevant CHILD SA can be enabled/disabled.
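The Traffic selector rules above (at most 16 active CHILD SA, distinct local/remote ranges, no overlap with the 10.9.8.7/28 USB service range or the 192.0.2.233/30 FPGA range, unique active lines, and a mirrored table on the peer) can be validated before the table is entered. This is an added example written for this page, not RipEX2 code; the row keys and the sample networks are constructed.

```python
import ipaddress

# Added example (not RipEX2 code): validates a Traffic selector table against the
# "Basic rules" above and derives the table the peer side must carry. Row keys are assumed.
RESERVED = (ipaddress.ip_network("10.9.8.7/28", strict=False),    # USB service connection
            ipaddress.ip_network("192.0.2.233/30", strict=False))  # internal FPGA connection
MAX_CHILD_SA = 16


def check_traffic_selectors(rows):
    """rows: dicts with 'ike' (IKE SA name), 'local', 'remote' (CIDR) and 'active'.
    Returns the list of rule violations; an empty list means the table is acceptable."""
    errors = []
    active = [r for r in rows if r["active"]]
    if len(active) > MAX_CHILD_SA:
        errors.append(f"{len(active)} active CHILD SA exceed the limit of {MAX_CHILD_SA}")
    seen = set()
    for r in active:
        local = ipaddress.ip_network(r["local"], strict=False)
        remote = ipaddress.ip_network(r["remote"], strict=False)
        if local == remote:
            errors.append(f"{r['ike']}: local and remote ranges are identical ({local})")
        for net in (local, remote):
            for res in RESERVED:
                if net.overlaps(res):
                    errors.append(f"{r['ike']}: {net} overlaps reserved range {res}")
        if (local, remote) in seen:  # every "Active" selector must be unique
            errors.append(f"{r['ike']}: duplicate active selector {local} -> {remote}")
        seen.add((local, remote))
    return errors


def peer_side(rows):
    """The peer needs the same lines with 'Local network' and 'Remote network' swapped."""
    return [dict(r, local=r["remote"], remote=r["local"]) for r in rows]


# Constructed sample table: one valid line, one duplicate and one hitting a reserved range.
SAMPLE = [
    {"ike": "SA1", "local": "192.168.1.0/24", "remote": "192.168.2.0/24", "active": True},
    {"ike": "SA1", "local": "192.168.1.0/24", "remote": "192.168.2.0/24", "active": True},
    {"ike": "SA2", "local": "10.9.8.0/24", "remote": "172.16.0.0/16", "active": True},
    {"ike": "SA3", "local": "172.16.5.0/24", "remote": "172.16.5.0/24", "active": False},
]

if __name__ == "__main__":
    for problem in check_traffic_selectors(SAMPLE):
        print(problem)
```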

Advanced menu

Several additional parameters are available in menu: ADVANCED / VPN / IPsec

  • DPD check period [s]

    Default = 30 s. Range [5 – 28800 s]

    Dead Peer Detection check period

  • Dead Peer Detection

    List box {Clear, Hold, Restart}, default = Hold

    One of three connection states automatically activated when connection loss is detected:

    • Clear: Connection is closed and waiting

    • Hold: Connection is closed. Connection is established when first packet transmission through tunnel is attempted

    • Restart: Connection is established immediately

7.4.2. GRE L2

The GRE L2 tunnel is attached to the bridge (LAN interface) as one of the bridge’s ports: it captures the Ethernet frames of the bridge and sends them to the other end of the tunnel. This makes it possible to build a bridge across a complex network and combine separate local networks into one network.

  • GRE L2 Enable – switches all L2 tunnels On or Off

Individual L2 tunnels:

  • Enable – enables actual L2 tunnel

  • Note – Informational note

  • Peer address – IP address of the equipment with the second end of the tunnel. This address is the expected source address of incoming GRE packets from the peer.

  • Network interface name – has to be set to the name of an existing bridge from SETTING/Interfaces/Ethernet/Network interface Name

  • Key enabled – enables using key identification of the tunnel from/to the same peer

  • Key – identification number of the tunnel

    Number [0 to 4,294,967,295], default 0

  • MTU – MTU of the L2 tunnel.

    Number of Bytes [74 to 1500], default 1462

    Overhead of the L2 tunnel is 38 B, so it should be GRE MTU = Path MTU – 38.

7.4.3. GRE L3

The GRE L3 tunnel works as an additional interface of the unit with its own IP address (and mask). Routing rules are used to send packets to this interface. It bridges part of the network, so the user traffic sees it as a single hop.

  • GRE L3 Enable – switches all L3 tunnels On or Off

Individual L3 tunnels:

  • Enable – enables actual L3 tunnel

  • Note – Informational note

  • Peer address – IP address of the equipment with the second end of the tunnel. This address is the expected source address of incoming GRE packets from the peer.

  • Tunnel address / Mask – IP address and mask of the GRE tunnel interface

  • Key enabled – enables using key identification of the tunnel from/to the same peer

  • Key – identification number of the tunnel

    [0 to 4,294,967,295], default 0

  • MTU – MTU of the L3 tunnel.

    [70 to 1476], default 1476

    Overhead of the L3 tunnel is 24 B, so it should be GRE MTU = Path MTU – 24. If the MTU is bigger than is allowed along the route, the GRE packets will be discarded and an ICMP report will be sent back to the source of the original packet (Path MTU discovery).

7.5. Device

7.5.1. Unit

General

The general settings affecting the whole unit.

  • Unit name

    This name is used as a real name of the Linux router, so the allowed characters are strictly limited to:

    _a..zA..Z0..9

  • Unit note

    Longer unit name without special character restrictions.

  • Mode list box {Bridge, Router}, default Bridge

    Selecting Bridge or Router mode affects many other parameters across the unit. See Section 5.1, “Bridge mode” and Section 5.2, “Router mode” for detailed description.

Time

7.5.2. Configuration

You can back up the actual unit configuration into a file or restore a backed-up configuration from the file.

7.5.3. Firmware

The firmware update has two phases:

  • Upload new firmware into archive

  • Update firmware from archive

Warning: Do not shut down the unit during the firmware update process. It may permanently damage the unit.