IPSec Tunnel Subscription (ITS)

What's new?

Improved handling of devices and user grants.

The app now identifies itself as "IPSec Tunnel" on the MindSphere Launchpad.

System Requirements for IPSec Tunnel Subscription (ITS)

Browser-based access to MindSphere IPSec Tunnel Subscription App

  • Microsoft Windows® 10 version 1909: Google Chrome™ (version 68 or newer)

  • screen resolution: 1280x1024 or 1920x1080, recommended zoom level 100%

Network Settings on connected Service Assets

  • Service Asset proxy settings: 192.168.20.30:3128

  • additional configuration via MindSphere Asset Manager for a MindSphere Agent residing on the same Service Asset:

    • assign the above proxy settings as the asset's HTTP proxy address and port, and set its proxy authentication type to 'basic'

    • set the DNS entry to the same IP address as the HTTP proxy (192.168.20.30, without any port information)

Settings for connecting IPSec routers to MindSphere ITS

  • MindSphere IPsec endpoint: 54.93.65.172

  • The IPSec router connected to MindSphere must be configured as the gateway for the Service Assets connected to this router. The MindSphere IPSec endpoint exposes the CIDR range 192.168.20.0/24 (which contains the proxy and DNS address above) to the connected routers; the Service Assets reach this range only through the router.

  • MindSphere uses an internal DNS endpoint to receive notifications about changed IP addresses of connected IPSec routers. Routers must therefore send notifications about their changed IP addresses to the following URL:

    • https://dyndns.eu1.vpnrts.mindsphere.io/<HOSTNAME>?passKey=<PASSKEY>&userName=<USERNAME>&ipAddress=<IPADDRESS>

    • still supported, but subject to upcoming End-of-Life: https://dedi7nihr5ump.cloudfront.net/<HOSTNAME>?passKey=<PASSKEY>&userName=<USERNAME>&ipAddress=<IPADDRESS>

  • The parameters needed for the internal DNS endpoint are:

    • <HOSTNAME>: host name of the connected IPSec router; for instance, "myipsecrouter" from "myipsecrouter.mydomain.org", where "mydomain.org" is set in the ITS application

    • <USERNAME>: user name specified in the ITS application for authentication of the administrative user who may update the IP addresses of connected IPSec routers

    • <PASSKEY>: password associated with <USERNAME>. It is sent as a query parameter, so it appears in any HTTP access, proxy or debug log that records full URLs; keep such logs out of reach and do not paste the full URL into tickets.

    • <IPADDRESS>: changed IP address of the connected IPSec router

  • The MindSphere IPSec endpoint accepts the following Internet Key Exchange (ISAKMP) phase 1 proposals. Every listed encryption/hash combination is offered with each of the Diffie-Hellman (DH) groups 14, 15, 16, 20, 21 and 24; combinations not listed here (for example AES-128 with SHA-512, or any DH group below 14) are not accepted:

    • Encryption: AES-128, Hash: SHA-256, Key Exchange Security: DH group 14, 15, 16, 20, 21 or 24

    • Encryption: AES-192, Hash: SHA-256, Key Exchange Security: DH group 14, 15, 16, 20, 21 or 24

    • Encryption: AES-256, Hash: SHA-256, Key Exchange Security: DH group 14, 15, 16, 20, 21 or 24

    • Encryption: AES-192, Hash: SHA-384, Key Exchange Security: DH group 14, 15, 16, 20, 21 or 24

    • Encryption: AES-256, Hash: SHA-512, Key Exchange Security: DH group 14, 15, 16, 20, 21 or 24
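The IP-change notification described above, as an added example that is not Siemens or MindSphere code: a small Python client that builds the documented URL with correct percent-encoding of the pass key, validates the reported address, sends the update only when the address actually changed, and masks the pass key before the URL is logged. The page does not document the endpoint's response body, so the client only returns the HTTP status; the host name, user name, pass key and addresses below are constructed sample values.

```python
"""Dynamic-DNS update client for the ITS notification URL (added example, not vendor code)."""
import ipaddress
import urllib.parse
import urllib.request
import warnings

ITS_DYNDNS_BASE = "https://dyndns.eu1.vpnrts.mindsphere.io"
LEGACY_DYNDNS_BASE = "https://dedi7nihr5ump.cloudfront.net"  # still accepted, but marked End-of-Life


def build_update_url(hostname: str, username: str, passkey: str, ip_address: str,
                     base: str = ITS_DYNDNS_BASE) -> str:
    """Compose <base>/<HOSTNAME>?passKey=..&userName=..&ipAddress=.. exactly as documented.

    urlencode() percent-encodes '&', '=', '#' and similar characters in the pass key,
    which a naive string concatenation would silently break.
    """
    if base == LEGACY_DYNDNS_BASE:
        warnings.warn("cloudfront.net endpoint is subject to End-of-Life; switch to ITS_DYNDNS_BASE")
    # <HOSTNAME> is the bare label; the domain part is configured in the ITS application.
    if not hostname or "." in hostname or "/" in hostname:
        raise ValueError("hostname must be the bare label, e.g. 'myipsecrouter' for myipsecrouter.mydomain.org")
    ip = ipaddress.ip_address(ip_address)  # raises ValueError on anything that is not an address
    if ip.version != 4 or ip.is_loopback or ip.is_link_local or ip.is_multicast or ip.is_unspecified:
        raise ValueError(f"{ip_address} is not a usable IPv4 router address")
    query = urllib.parse.urlencode([("passKey", passkey), ("userName", username), ("ipAddress", str(ip))])
    return f"{base}/{urllib.parse.quote(hostname, safe='')}?{query}"


def redact_url(url: str) -> str:
    """Replace the passKey value so the URL can safely appear in logs or tickets."""
    parts = urllib.parse.urlsplit(url)
    pairs = urllib.parse.parse_qsl(parts.query, keep_blank_values=True)
    masked = [(k, "REDACTED" if k == "passKey" else v) for k, v in pairs]
    return urllib.parse.urlunsplit(parts._replace(query=urllib.parse.urlencode(masked)))


def send_update(url: str, timeout: float = 10.0) -> int:
    """GET the update URL over HTTPS (urllib verifies the server certificate by default)."""
    req = urllib.request.Request(url, headers={"User-Agent": "its-dyndns-client/0.1"})  # constructed UA string
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status


def notify_if_changed(last_ip, current_ip: str, hostname: str, username: str, passkey: str, send=send_update):
    """Send an update only when the address changed; return the redacted URL that was sent, else None.

    `last_ip` is whatever the caller persisted from the previous run (None on first run).
    `send` is injectable so the logic can be exercised without network access.
    """
    if last_ip is not None and ipaddress.ip_address(last_ip) == ipaddress.ip_address(current_ip):
        return None
    url = build_update_url(hostname, username, passkey, current_ip)
    send(url)
    return redact_url(url)  # never return or log the unredacted URL


if __name__ == "__main__":
    # Constructed sample run; 203.0.113.0/24 is documentation address space (RFC 5737).
    print(notify_if_changed("203.0.113.7", "203.0.113.8", "myipsecrouter", "dnsadmin",
                            "p@ss&key=1", send=lambda u: print("would GET", redact_url(u))))
```

On a router that offers a "custom DynDNS URL" field, the same URL template applies; put the pass key in the router's dedicated password field rather than typing it into the URL, and check that the router's log viewer does not echo the full query string.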
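How the proposal list above maps onto an on-site router, as an added example that is not part of the original page or of any MindSphere documentation: a strongSwan swanctl.conf fragment restricted to the strongest combinations the endpoint accepts. The numeric DH groups translate to strongSwan names as 14 = modp2048, 15 = modp3072, 16 = modp4096, 20 = ecp384, 21 = ecp521 and 24 = modp2048s256. The router's own address, the LAN behind it, the use of pre-shared-key authentication, the phase 2 (ESP) proposals and the IKE version are assumptions, marked as such, because the page does not state them.

```conf
connections {
    mindsphere-its {
        version = 1                      # ASSUMPTION: "ISAKMP phase 1" on the page read as IKEv1
        remote_addrs = 54.93.65.172      # MindSphere IPsec endpoint from the page
        local_addrs  = 198.51.100.10     # ASSUMPTION: the router's static public address (RFC 5737 sample)

        # Phase 1: only combinations the endpoint lists, strongest first.
        # aes256-sha512 with DH group 21 (ecp521), then group 16 (modp4096), then group 14 (modp2048).
        proposals = aes256-sha512-ecp521,aes256-sha512-modp4096,aes256-sha512-modp2048

        local {
            auth = psk                   # ASSUMPTION: authentication method is not stated on the page
        }
        remote {
            auth = psk
        }
        children {
            service-assets {
                local_ts  = 10.10.0.0/24     # ASSUMPTION: LAN where the Service Assets sit, routed via this router
                remote_ts = 192.168.20.0/24  # range the MindSphere endpoint exposes (proxy/DNS live here)
                esp_proposals = aes256-sha512  # ASSUMPTION: phase 2 proposals are not listed on this page
                start_action = start
            }
        }
    }
}

secrets {
    ike-its {
        id = 54.93.65.172
        secret = "REPLACE-WITH-PRE-SHARED-KEY"   # placeholder, never commit a real key
    }
}
```

Load it with `swanctl --load-all` and confirm with `swanctl --list-sas` that the established IKE_SA shows one of the listed proposals; if negotiation fails with "no proposal chosen", the router offered a combination outside the table above (a common cause is a default proposal containing DH group 2 or 5).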

Known issues

  • Firmware download to a MindSphere (MDSP) Agent is not supported via the IPSec Tunnel.

  • If an existing IPSec connection is lost, it can be re-established by opening the IPSec router configuration page and setting the router's state first to "under construction" and then to "complete".

  • A user's on-site IPSec routers must have a static IP address. If these routers use dynamic IP addresses (e.g. via DHCP or NAT), the tunnels may have to be re-established manually after each address change.