Remote Services: Optional Capabilities
This chapter describes functionality that is rarely used and has therefore been deactivated. If you would like to use it, please contact your Remote Services (RS) sales representative or product manager.
- IPsec is a special kind of VPN that entails the complex network setup typical of VPNs, such as address space sharing. It is recommended to rely on Remote Services' native WebSocket Secure tunnels and to use routers of any kind transparently, so that IPsec routers do not have to be registered with RS.
- Web versions of RDP, VNC and SSH have the advantage of providing remote login without running a Service Endpoint on service personnel's PCs. However, this approach connects the browser to Remote Services over standard HTTPS instead of a more secure tunnel. It is recommended to use native RDP, VNC or SSH instead.
Onboarding of IPsec Routers in Remote Services
Example: Administrator Onboards IPsec Router in Primary Device Network
Instead of using a downloadable Device Endpoint as gateway on a PC-type or Industrial Edge-type Device, it is also possible to use a hardware router. This example outlines how to onboard such a hardware IPsec router to a primary Device Network, so that Devices located in site-internal secondary Device Networks can be reached via the router's public interface.
In this section we use RS V2 to set up the router. Select our exemplary target site Munich from the device menu, which is available under the blue hexagon in the top left corner of the screen. Then choose "Create Device" at the top right corner of the screen.
The device creation screen pops up. Enter all required information, such as the router name Router m01, and press "Save".
The newly created router Router m01 is now available in the RS device manager. Press "Add Configuration" to switch to the configuration of the router's public interface.
Now enter the configuration of the router's public communication interface, such as the pre-shared key and IP address. Next, assign an internal network to the router by clicking "Add Remote Network".
Provide the required internal network address and network mask, then press "Save".
The router is now connected to both a public and an internal secondary network and is ready for onboarding devices to the secondary network, as outlined in the next example.
Note
Observe the additional IPsec settings and router configuration hints given further down in this chapter. When using IPsec routers, also consider the network and firewall settings described in the section Appendix for Experts.
Example: Administrator Onboards Devices in Secondary Device Network to IPsec Router
Select our exemplary Router m01 in the RS device tree (or open its device information page) and press "Create New Device" on the bottom right side to register a device that is physically connected to the site-internal interface of the router.
Provide all information for this new device, named IPC m02. Note that the selected Router m01 is already displayed as the pre-assigned gateway. Press "Save" when done.
The router's information page now displays the previously created device IPC m02 in the list of assigned devices on the right.
You may select device IPC m02 from the device tree; its device information page should now display it as "connected". Press "Assign Protocol Application" to assign a pre-configured protocol to this device.
Here we assigned the previously created protocol application VNC login Europe to IPC m02.
Note
Instead of onboarding endpoint-less devices in secondary networks to IPsec routers, it is also possible to onboard Devices running a Device Endpoint. This allows UI-based file transfer to or from that particular device. However, endpoints on such devices must not be configured as gateways.
Network and Router Setup for IPsec
This section outlines the preconditions and configuration steps for setting up IPsec routers that are not transparent to RS but registered with RS.
Network Settings on Devices Connected to an IPsec Router
General settings:
- Service Asset proxy settings: 192.168.20.30:3128c
- Additional configuration via Siemens Asset Manager for another Agent residing on the same device (Service Device)
- Assign the above proxy settings to the asset's HTTP proxy and port, and set its proxy authentication type to 'basic'
- Set the DNS entry to the same IP address as the HTTP proxy IP (without any port information)
Settings for Connecting IPsec Routers to Remote Services
Router settings:
- Public IPsec endpoint for RS: 54.93.65.172
- The IPsec router connected to RS must be configured as gateway for the Service Assets connected to this router. RS' IPsec endpoint exposes the CIDR range 192.168.20.0/24 to the connected routers.
- RS on Xclerator uses an internal DNS endpoint for receiving notifications of changed IP addresses of connected IPsec routers. Routers must therefore use the following URL to send notifications of their changed IP addresses:
https://dyndns.eu1.vpnrts.mindsphere.io/<HOSTNAME>?passKey=<PASSKEY>&userName=<USERNAME>&ipAddress=<IPADDRESS>
- Still supported, but subject to upcoming End-of-Life:
https://dedi7nihr5ump.cloudfront.net/<HOSTNAME>?passKey=<PASSKEY>&userName=<USERNAME>&ipAddress=<IPADDRESS>
- The parameters of the internal DNS endpoint are:
- <HOSTNAME>: host name of the connected IPsec router; for instance, "myipsecrouter" from "myipsecrouter.mydomain.org", where "mydomain.org" is set in the ITS application
- <USERNAME>: specified in the ITS application for authentication of the administrative user who may update the IP addresses of connected IPsec routers
- <PASSKEY>: password associated with <USERNAME>
- <IPADDRESS>: changed IP address of the connected IPsec router
- RS' IPsec endpoint supports the following combinations of encryption algorithm, hash algorithm and Diffie-Hellman (DH) group for Internet Key Exchange (ISAKMP) in IPsec phase 1; each encryption/hash pair may be combined with any of the listed DH groups:
Encryption | Hash | Key Exchange Security (DH groups) |
---|---|---|
AES-128 | SHA-256 | DH-group-14, 15, 16, 20, 21, 24 |
AES-192 | SHA-256 | DH-group-14, 15, 16, 20, 21, 24 |
AES-256 | SHA-256 | DH-group-14, 15, 16, 20, 21, 24 |
AES-192 | SHA-384 | DH-group-14, 15, 16, 20, 21, 24 |
AES-256 | SHA-512 | DH-group-14, 15, 16, 20, 21, 24 |
Configuring an IPsec Router as Gateway into Secondary Device Network
This section provides additional information for IT personnel on how to configure the individual network parameters of an IPsec router within a Device Network.
For IPsec connections, the following ports and IP protocols must be open to allow IPsec traffic:
Port | Protocol |
---|---|
500 | UDP |
4500 | UDP |
all | IP protocol 50 (ESP, Encapsulating Security Payload) |
all | IP protocol 51 (AH, Authentication Header) |
Configuring such a router comprises the following steps, each of which is outlined below:
- DDNS configuration
- ISAKMP policy configuration
- Transform-set configuration
- Crypto Map configuration and application to interface
- Configure a route to RS backend
- Define an access-list to allow internal traffic
Note
The IP address of the public IPsec endpoint used by RS can be obtained from release notes.
Example: DDNS Configuration
This section applies if the public IP of an IPsec router in a primary Device Network is dynamic, for instance because your router does not have its own IP address space but relies on an Internet Service Provider (ISP) that assigns dynamic IP addresses to your router.
ip ddns update method LabDynDNS
 HTTP
  add https://{DDNS server access}/{Dynamic Domain Name}?passKey={Dynamic DNS Password}&userName={Dynamic Domain Name}&ipAddress=<a>
 interval maximum 0 0 3 0
!
interface GigabitEthernet1
 ip ddns update LabDynDNS
Additional information:
- Information on "DDNS server access" can be found in the RS-specific release notes
- "Dynamic Domain Name" is a unique RS-internal name that you specify in the RS user interface for managing a set of devices connected to this router, e.g. "company_name_location_Munich.com"
- "Dynamic DNS Password" is a user-specified password for accessing this domain
- "userName" is an RS-internal name and must be the same as the "Dynamic Domain Name"
Note
Cisco routers use the "<a>" placeholder in the update URL, which the router replaces with its current ISP-provided dynamic IP address
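To make the notification format concrete, here is an added Python example (not part of the Remote Services product or of this documentation) that builds the DDNS notification URL in the form given above and applies the checks a receiving DNS endpoint should perform on it: the hostname is a single label rather than an FQDN, every parameter is present, and the reported address is a public IPv4 address. The endpoint URL is the one named in this chapter; the hostname, user name, pass key and IP address are constructed placeholders.

```python
import ipaddress
import re
from urllib.parse import parse_qs, quote, urlsplit

DDNS_ENDPOINT = "https://dyndns.eu1.vpnrts.mindsphere.io"  # endpoint named on this page
LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")   # one DNS label, no dots

def build_update_url(hostname, passkey, username, ip_address, endpoint=DDNS_ENDPOINT):
    """Build the notification URL in the documented form. passKey and userName are
    percent-encoded so characters such as '&' or '#' in a password cannot break the query."""
    return (f"{endpoint}/{quote(hostname, safe='')}?passKey={quote(passkey, safe='')}"
            f"&userName={quote(username, safe='')}&ipAddress={quote(ip_address, safe='')}")

def parse_update_url(url):
    """Split a notification URL into (hostname, {param: value}); blank values are kept."""
    parts = urlsplit(url)
    params = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    return parts.path.lstrip("/"), params

def validate_update_url(url):
    """Receiver-side sanity checks for one notification; returns findings (empty list = accept):
    hostname must be a single label (not an FQDN), all parameters must be present, and
    ipAddress must be a globally routable IPv4 address (a router behind NAT reporting its
    private address would otherwise publish an unreachable endpoint)."""
    hostname, params = parse_update_url(url)
    findings = []
    if not LABEL_RE.match(hostname):
        findings.append("hostname must be a single DNS label such as 'myipsecrouter'")
    for key in ("passKey", "userName", "ipAddress"):
        if not params.get(key):
            findings.append(f"missing parameter {key}")
    ip = params.get("ipAddress", "")
    try:
        if ip and not ipaddress.IPv4Address(ip).is_global:
            findings.append(f"ipAddress {ip} is not a public IPv4 address")
    except ValueError:
        findings.append(f"ipAddress {ip!r} is not a valid IPv4 address")
    return findings

# Constructed sample values (placeholders, not real credentials or addresses).
SAMPLE_URL = build_update_url("myipsecrouter", "p&ss#1", "rs-admin", "1.2.3.4")
```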
Example: ISAKMP Policy Configuration
!
crypto isakmp policy 1
 encr aes 256
 hash sha256
 authentication pre-share
 group 15
crypto isakmp key {........} address {........}
crypto isakmp keepalive 30 5 periodic
!
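As an added example (not from this documentation or from the router vendor), the following Python script parses the crypto isakmp policy blocks of an IOS configuration and checks each one against the phase-1 encryption/hash/DH-group combinations listed in the section Settings for Connecting IPsec Routers to Remote Services, so that a proposal the RS endpoint will reject is caught before the tunnel is brought up. The IOS defaults assumed for omitted sub-commands (DES, SHA-1, DH group 1) come from IOS documentation, not from this page, and the sample configuration is constructed.

```python
import re
# Supported IKE phase-1 combinations per the Remote Services documentation: each
# (encryption, hash) pair below may be used with any of the listed DH groups.
SUPPORTED_DH_GROUPS = {14, 15, 16, 20, 21, 24}
SUPPORTED_ENCR_HASH = {("aes-128", "sha256"), ("aes-192", "sha256"), ("aes-256", "sha256"),
                       ("aes-192", "sha384"), ("aes-256", "sha512")}
IOS_DEFAULTS = {"encr": "des", "hash": "sha", "group": 1}  # IOS values when a sub-command is omitted

def parse_isakmp_policies(config_text):
    """Return {policy_number: {"encr", "hash", "group"}} parsed from IOS running-config text."""
    policies, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        header = re.fullmatch(r"crypto isakmp policy (\d+)", line)
        if header:
            current = int(header.group(1))
            policies[current] = dict(IOS_DEFAULTS)
            continue
        if current is None:
            continue
        if line == "!" or re.match(r"(crypto|interface|ip) ", line):  # policy block ended
            current = None
            continue
        m = re.fullmatch(r"encr(?:yption)? (des|3des|aes)(?: (128|192|256))?", line)
        if m:  # plain 'encr aes' means AES-128 on IOS
            policies[current]["encr"] = f"aes-{m.group(2) or '128'}" if m.group(1) == "aes" else m.group(1)
        m = re.fullmatch(r"hash (md5|sha(?:256|384|512)?)", line)
        if m:
            policies[current]["hash"] = m.group(1)
        m = re.fullmatch(r"group (\d+)", line)
        if m:
            policies[current]["group"] = int(m.group(1))
    return policies

def check_policy(policy):
    """Return findings for one policy; an empty list means the RS endpoint accepts it."""
    findings = []
    if (policy["encr"], policy["hash"]) not in SUPPORTED_ENCR_HASH:
        findings.append(f"unsupported encryption/hash pair {policy['encr']}/{policy['hash']}")
    if policy["group"] not in SUPPORTED_DH_GROUPS:
        findings.append(f"unsupported DH group {policy['group']}")
    return findings

def lint(config_text):
    """Map every policy number in the configuration to its findings."""
    return {n: check_policy(p) for n, p in parse_isakmp_policies(config_text).items()}

# Constructed sample: policy 1 mirrors the page's example, policy 2 is deliberately weak.
SAMPLE_CONFIG = ("crypto isakmp policy 1\n encr aes 256\n hash sha256\n authentication pre-share\n"
                 " group 15\n!\ncrypto isakmp policy 2\n encr aes\n hash sha\n group 5\n!\n")
```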
Example: Transform-Set Configuration
!
crypto ipsec transform-set EA6EHS esp-aes 256 esp-sha256-hmac
 mode tunnel
!
Example: Configuring the Crypto Map and Applying the Crypto Map to Your Interface
!
crypto map CmapTu01 1 ipsec-isakmp
 set peer {IP address}
 set transform-set EA6EHS
 set pfs group15
 match address aclTu01
!
!
interface GigabitEthernet1
 crypto map CmapTu01
Example: Defining a Route for Traffic from Device Network to RS
ip route 192.168.20.0 255.255.255.0 {next-hop IP address or outbound interface}
!
Example: Defining Firewall Access-List to Allow Traffic to RS
ip access-list extended aclTu01
 permit ip 10.10.10.0 0.0.0.127 192.168.20.0 0.0.0.255
!
Additional information:
- "10.10.10.0 0.0.0.127" is an example of your internal Device Network's address range, in which the devices connected to the router reside
- "192.168.20.0 0.0.0.255" is the static RS-internal network, which must be connected via IPsec to the Device Network side in order to use RS
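Added example, not from this documentation: a Python checker that converts the wildcard masks of an access-list like the one above into prefixes and verifies that the crypto-map ACL only permits traffic from the Device Network to the static RS network 192.168.20.0/24, flagging over-broad entries such as 'permit ip any any' that would pull unrelated traffic into the tunnel. The sample ACL is constructed from the page's example, and the Device Network 10.10.10.0/25 follows from the wildcard 0.0.0.127.

```python
import ipaddress

# Static RS-internal network that the crypto-map ACL must reach, as given on this page.
RS_NETWORK = ipaddress.IPv4Network("192.168.20.0/24")

def wildcard_to_network(address, wildcard):
    """Convert an IOS 'address wildcard' pair into a network; the wildcard is the inverted mask."""
    mask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard)))
    return ipaddress.IPv4Network((address, str(mask)), strict=False)

def _take_operand(tokens):
    """Consume one ACE address operand from the token list: 'any', 'host A', or 'A WILDCARD'."""
    first = tokens.pop(0)
    if first == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if first == "host":
        return ipaddress.IPv4Network(tokens.pop(0) + "/32")
    return wildcard_to_network(first, tokens.pop(0))

def parse_extended_acl(config_text, acl_name):
    """Return [(action, source_net, dest_net)] for the 'permit/deny ip' entries of one named ACL."""
    entries, inside = [], False
    for raw in config_text.splitlines():
        tokens = raw.split()
        if not tokens:
            continue
        if tokens[:3] == ["ip", "access-list", "extended"]:
            inside = tokens[3:4] == [acl_name]
        elif tokens[0] == "!":
            inside = False  # '!' terminates the ACL block
        elif inside and tokens[0] in ("permit", "deny") and tokens[1:2] == ["ip"]:
            rest = tokens[2:]
            src = _take_operand(rest)
            entries.append((tokens[0], src, _take_operand(rest)))
    return entries

def check_crypto_acl(entries, device_network):
    """Findings for the crypto-map ACL (empty list = OK): there must be a permit from the Device
    Network to the RS network, and no permit may reach beyond those two networks."""
    findings = []
    if ("permit", device_network, RS_NETWORK) not in entries:
        findings.append(f"no permit from {device_network} to {RS_NETWORK}")
    for action, src, dst in entries:
        if action == "permit" and not (src.subnet_of(device_network) and dst.subnet_of(RS_NETWORK)):
            findings.append(f"over-broad permit {src} -> {dst}")
    return findings

# Constructed sample mirroring the page's example ACL and Device Network.
SAMPLE_ACL = ("ip access-list extended aclTu01\n"
              " permit ip 10.10.10.0 0.0.0.127 192.168.20.0 0.0.0.255\n!\n")
DEVICE_NETWORK = wildcard_to_network("10.10.10.0", "0.0.0.127")  # 10.10.10.0/25
```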
Hints for Configuring a Siemens SCALANCE Router
This section gives hints for configuring a Siemens SCALANCE router for IPsec connections to a Device Network via SCALANCE Web Management.
- menu System → cRSP/SRS: WAN_IP is a keyword that the router replaces with the current external IP address of the device when contacting the destination server
- menu Security → IPsec VPN → tab Connections: enter a connection name and configure it with
  - Keying Protocol: IKEv1
  - Remote End: select the value from step 5 above
  - Local Subnet: {target network}
- menu Security → IPsec VPN → tab Authentication: enter the following values in the respective fields:
  - Remote Address: {public IPsec endpoint of RS}
  - Remote Subnet: {192.168.20.0/24}
  - Authentication: PSK
  - Remote ID: {public IPsec endpoint of RS}
  - PSK: {freely generated} [must match the value of the pre-shared secret in the Remote Services app]
  - PSK Confirmation: repeat the PSK value
- Switch to tab Phase 1: uncheck the Default Ciphers checkbox and enter the following values:
  - Encryption: select the same value as in the Remote Services app
  - Authentication: select the same value as in the Remote Services app
  - Key Derivation: select the same value as in the Remote Services app
  - Lifetime (in seconds): 86400
- Switch to tab Phase 2: uncheck the Default Ciphers checkbox and enter the following values in the respective fields:
  - Encryption: select the same value as in the Remote Services app
  - Authentication: select the same value as in the Remote Services app
  - Key Derivation: select the same value as in the Remote Services app
  - Lifetime: 60
  - Check the Auto Firewall Rules checkbox.
- Switch to the Connections tab and select "wait" from the Operation dropdown.
Troubleshooting IPsec Router Issues
In case of connectivity issues with IPsec routers registered (!) to Remote Services, consider the following:
- If IPsec routers are used, the RS public IPsec endpoint must be reachable through the firewall; obtain its IP address from the section on Advanced Connections.
- If an IPsec tunnel is not established with your tunnel configuration, check whether your router's IPsec parameters match those configured in RS. Also check whether the phase 1 lifetime value is set to 1440 hours. If all these parameters match, check whether the outbound ports/protocols UDP 500, UDP 4500 and IP protocol 50 are open on the Internet access/firewall.
- If an IPsec tunnel is established but only the counter for sent messages increases and not the one for received messages, check whether a route or gateway pointing to the router is configured on your target system. If so, also check whether the TCP/UDP port in use is enabled in the firewall rules of the target device.
- In case of handshake failures after configuring your DDNS update, you might have to import and use valid certificates.
- If registered devices in a secondary Device Network are not displayed in the device table, expand the IPsec router node to view them.
- If an existing IPsec connection is lost, it can be re-established by opening the IPsec router configuration page and setting the router's state first to "under construction" and then to "complete".
- IPsec routers in Device Networks must have a static IP address. If these routers use dynamic IP addresses (e.g. via DHCP or NAT), the tunnels might have to be re-established manually after each address change.