VPN Remote Tunneling Service (RTS)

What's new?

  • To ensure a separation of tasks, VPN Tunneling offers two user roles:

    • VPN Tunneling Admin - Administer and control the complete tenant, view all logs, and access MindSphere UTS (Usage Transparency Service)

    • VPN Tunneling User - Control connectivity only, read system logs, and access UTS. The scope of action can be limited to specific tunnels.

  • With the IPSec Tunnel Subscription user interface, a VPN connection can easily be installed and configured. Specific MindSphere APIs allow you to start or stop a connection via the VPN tunnel from the platform to an on-site router, and also provide an automatic and secure connection from the on-site device to MindSphere Time Series Store or Integrated Data Lake.

  • Reporting data for VPN Tunneling usage can be tracked using MindSphere UTS. The available information covers the number of onboarded routers, the transferred data volume, and the portion of the transferred data volume that is not covered by the Free Tier. The information is updated daily and displayed on a monthly basis.

System Requirements for VPN Remote Tunneling Service

To have the best possible experience with VPN Remote Tunneling Service (VPN RTS), the following system prerequisites and settings are recommended:

Internet connection:

  • Bandwidth of min 6 Mbps download (minimum of 16 Mbps)

  • Bandwidth of 1 Mbps upload or larger

Browsers:

  • MS Windows 7 SP1: Internet Explorer (version 11 or newer), Google Chrome (version 65 or newer)

  • MS Windows 10: Google Chrome (version 68 or newer)

  • Screen size / resolution: 1280x1024 and 1920x1080 with zoom level 100%

Software Requirements for WebSocket Client and Gateway – Native Variant:

  • OS: MS Windows 10 + .NET 3.5, or Debian 9

Hardware Requirements:

  • Processor: 32-bit or x64-based (Intel or AMD)

  • RAM: 1 GB (minimum), 2 GB or more (recommended)

  • Hard disk space: 20 MB

  • Network Adapter: 100 Mbps

VPN & Remote Service - endpoint information:

  {hostName}?passKey=<PASSKEY>&userName=<USERNAME>&ipAddress=<IPADDRESS>

  • Device proxy settings: 192.168.20.30:3128

  • FTP Server for Secondary Target File Transfer: 10.100.30.40

  • SFTP Server for Secondary Target File Transfer: 10.100.30.112
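The endpoint template above carries the pass key in the query string, so anything that records URLs (proxy access logs, browser history, shell history, support tickets) records the credential as well. The following Python is an added example, not part of the service or its documentation: it builds the URL with proper percent-encoding so a pass key containing "&" or "=" cannot break or extend the query string, validates the ipAddress value up front, and produces a redacted copy for logging. The host name, parameter values and the REDACTED marker are constructed for illustration; the set of parameters treated as sensitive is an assumption you can extend.

```python
"""Build the VPN & Remote Service endpoint URL from its three query
parameters and produce a log-safe copy. Added example; not part of the
service's own tooling. Host name and sample values are constructed."""

import ipaddress
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Query parameters whose values must never reach logs or tickets (assumption:
# only passKey is secret; userName and ipAddress are kept for debugging).
SENSITIVE_PARAMS = {"passKey"}
REDACTED = "REDACTED"


def build_endpoint_url(host_name, pass_key, user_name, ip_address):
    """Compose {hostName}?passKey=...&userName=...&ipAddress=... .

    urlencode percent-encodes '&', '=', spaces and other reserved characters,
    so a pass key containing them can neither break the query string nor
    smuggle in an extra parameter. The IP address is validated here so a
    typo fails locally rather than at the far end of the tunnel."""
    ipaddress.ip_address(ip_address)  # raises ValueError on malformed input
    query = urlencode({"passKey": pass_key,
                       "userName": user_name,
                       "ipAddress": ip_address})
    return f"{host_name}?{query}"


def redact_url(url):
    """Return the URL with every sensitive parameter value replaced, keeping
    the other parameters intact so the line is still useful for debugging."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    safe = [(k, REDACTED if k in SENSITIVE_PARAMS else v) for k, v in pairs]
    return urlunsplit(parts._replace(query=urlencode(safe)))


if __name__ == "__main__":
    # Constructed sample values; the host name is a placeholder, not a real endpoint.
    url = build_endpoint_url("https://rts.example.invalid/connect",
                             "s3cr&t=1", "alice", "192.0.2.10")
    print(url)              # the full URL, only ever sent over the wire
    print(redact_url(url))  # what goes into the log
```

Log the output of redact_url rather than the raw URL, and keep the raw URL out of shell history by reading the pass key from a file or environment variable instead of passing it on the command line.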

IPSec Settings:

The respective environment's VPN endpoint IP has to be used as the gateway. The internal VPN Remote services are NAT'ed to 192.168.20.0/24 and exposed to customers. Currently, VPN & Remote Service supports the following 30 parameter combinations for IPSec Phase 1, Internet Key Exchange (ISAKMP):

  • Encryption: AES-128, Hash: SHA-256, Key Exchange Security: DH-group-14, DH-group-15, DH-group-16, DH-group-20, DH-group-21 or DH-group-24

  • Encryption: AES-192, Hash: SHA-256, Key Exchange Security: DH-group-14, DH-group-15, DH-group-16, DH-group-20, DH-group-21 or DH-group-24

  • Encryption: AES-256, Hash: SHA-256, Key Exchange Security: DH-group-14, DH-group-15, DH-group-16, DH-group-20, DH-group-21 or DH-group-24

  • Encryption: AES-192, Hash: SHA-384, Key Exchange Security: DH-group-14, DH-group-15, DH-group-16, DH-group-20, DH-group-21 or DH-group-24

  • Encryption: AES-256, Hash: SHA-512, Key Exchange Security: DH-group-14, DH-group-15, DH-group-16, DH-group-20, DH-group-21 or DH-group-24
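Because only the combinations above are accepted, an on-site router whose IKE proposal list contains none of them will never complete Phase 1, and the failure shows up only as a negotiation error at the gateway. The following Python pre-flight check is an added example, not the service's own tooling: it encodes the 30 supported combinations as data and reports which of a router's configured proposals the service will negotiate and which it will refuse. It assumes strongSwan-style proposal tokens (aes256-sha512-modp4096 and the like) and the standard DH group numbering (group 14 = modp2048, 15 = modp3072, 16 = modp4096, 20 = ecp384, 21 = ecp521, 24 = modp2048s256); the page does not specify a router vendor or syntax, so adapt the token maps for other products. The sample proposal list is constructed.

```python
"""Pre-flight check of an on-site router's IKE Phase 1 proposals against the
combinations the VPN & Remote Service accepts. Added example; not part of
the service or its documentation."""

from itertools import product

# The 30 supported Phase 1 combinations as listed above: five
# (encryption, hash) families, each with the same six DH groups.
SUPPORTED_DH_GROUPS = (14, 15, 16, 20, 21, 24)
SUPPORTED_FAMILIES = (
    ("AES-128", "SHA-256"),
    ("AES-192", "SHA-256"),
    ("AES-256", "SHA-256"),
    ("AES-192", "SHA-384"),
    ("AES-256", "SHA-512"),
)
SUPPORTED = {
    (enc, hsh, dh)
    for (enc, hsh), dh in product(SUPPORTED_FAMILIES, SUPPORTED_DH_GROUPS)
}

# strongSwan-style proposal tokens (an assumption about the router's
# configuration syntax; other vendors spell these differently).
_ENC = {"aes128": "AES-128", "aes192": "AES-192", "aes256": "AES-256"}
_HASH = {"sha256": "SHA-256", "sha384": "SHA-384", "sha512": "SHA-512"}
_DH = {
    "modp2048": 14, "modp3072": 15, "modp4096": 16,
    "ecp384": 20, "ecp521": 21, "modp2048s256": 24,
}


def parse_proposal(token):
    """Turn 'aes256-sha512-modp4096' into ('AES-256', 'SHA-512', 16).

    Unknown algorithm names (sha1, 3des, modp1024, ...) map to None so they
    are reported as unsupported instead of being silently ignored."""
    parts = token.lower().split("-")
    if len(parts) != 3:
        return (None, None, None)
    enc, hsh, dh = parts
    return (_ENC.get(enc), _HASH.get(hsh), _DH.get(dh))


def check_proposals(tokens):
    """Return (accepted, rejected): the proposals the service will negotiate
    and the ones it will refuse, preserving the router's preference order."""
    accepted, rejected = [], []
    for tok in tokens:
        (accepted if parse_proposal(tok) in SUPPORTED else rejected).append(tok)
    return accepted, rejected


if __name__ == "__main__":
    # Constructed sample: a router still offering legacy proposals first.
    router_proposals = ["aes128-sha1-modp1024", "3des-sha1-modp1024",
                        "aes256-sha512-modp4096", "aes128-sha256-modp2048"]
    ok, bad = check_proposals(router_proposals)
    print("will negotiate:", ok)
    print("will be refused:", bad)
```

Run it against the router's configured proposal list before bringing a tunnel up; an empty accepted list means the configuration cannot connect, and a non-empty rejected list is a prompt to remove legacy proposals so the router only offers what the gateway accepts.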

Endpoint of VPN IPsec infrastructure: https://dedi7nihr5ump.cloudfront.net

IPsec routers in a customer network should leverage https://dedi7nihr5ump.cloudfront.net to access Dynamic DNS servers.

Known issues

  • In the Remote Tunneling Service (RTS) application, the secondary devices behind the IPSec routers are not visible in the Device mega table.

  • The firmware download to MDSP Agent is not supported via IPSec tunnel.

  • If an existing IPSec connection is lost, it can be re-established by opening the IPSec router configuration page and setting the router's state first to "under construction" and then to "complete".

  • When assigning specific access grants to a user, newly assigned grants might not be displayed in user management. In such cases, log out and log in again to display the recently added grants.

  • If the assignment of grants to users via a list of single systems does not work as intended, use attribute-based grant assignment instead.

  • A user's on-site IPSec routers must have a static IP address. If these routers use dynamic IP addresses (e.g. via DHCP or NAT), the tunnels may have to be re-established manually after each address change.

  • Initial provisioning of the RTS application to a customer tenant requires joint configuration with the customer's tenant administrators. MindSphere support will approach the customer accordingly.

For information about the workaround, refer to Remote Tunneling Service (RTS) Setup of IPsec Routers.