EWON 2101, 4101, 2005, 4005 VPN router, eCatcher, eSync Connect User guide
Below you will find brief information for VPN router eWON 2101, VPN router eWON 4101, VPN router eWON 2005, VPN router eWON 4005. These eWON routers offer a secure way to connect remote devices to your network using a virtual private network (VPN). You can establish a VPN connection and access devices on the network, such as PLCs, remotely using eCatcher software and a VPN server. The VPN server is managed through the eSync Connect application, allowing you to create a secure VPN environment for your devices.
eWON-VPN - User Guide
Virtual Private Network by eWONs
VPN: what is it?
A virtual private network (VPN) is a private communications network usually used within a company, or by several different companies or organizations, to communicate over a public network with secured communications.
A good compromise is to use the Internet as the communication link with a tunnelling protocol (encapsulating the encrypted data).
This network is called virtual because it links two physical networks (LANs) over an untrusted link (the Internet).
This network is called private because only the computers (or devices) connected to this VPN can understand the encrypted data.
In brief, a VPN provides you with a global secured link at low cost.
Figure 1: VPN draft (labels: unsecured link, Internet, VPN server, VPN secured, VPN client, private LAN)
Main advantages of VPN are:
• low cost, as opposed to a real Wide Area Network based on expensive leased lines.
• the scalability: it is easy to add/remove a computer from the VPN.
Main disadvantages of VPN are:
• VPNs require an in-depth understanding of public network security issues and taking proper precautions in VPN deployment.
• The availability and performance of an organization's wide-area VPN (over the Internet in particular) depends on factors largely outside of their control.
• VPN technologies from different vendors may not work well together due to immature standards.
• VPNs need to accommodate protocols other than IP and existing ("legacy") internal network technology.
The purpose of this document is to show you how to set up your VPN (Virtual Private Network) with eWONs.
© ACT'L 2006 Page 2/21
eWONs as VPN routers
To build your VPN, all participants need to speak the same encrypted language. If they are computers, it is feasible to install VPN software to handle a VPN layer. In the case of old computers or Ethernet devices like PLCs, it is impossible to put the VPN inside the devices.
You need to build your Network in a way completely transparent for the participants.
That job is done by VPN Routers.
Not all eWONs are able to be VPN Routers, only the eWON2101, eWON4101, eWON2005 and eWON4005.
Industrial VPN Routers
These eWONs allow you to put Ethernet devices on your VPN by a Dial-up connection (PSTN, ISDN, GSM or GPRS).
eWON2101
• Remote Maintenance
• Alarms
eWON4101
• Remote Maintenance
• Alarms
• datalogging
• viewON
Industrial Broadband VPN Routers
These eWONs allow you to put Ethernet devices on your VPN from a broadband connection (like ADSL) or by a Dial-up connection (PSTN, ISDN, GSM or GPRS).
eWON2005
• Remote Maintenance
• Alarms
eWON4005
• Remote Maintenance
• Alarms
• datalogging
• viewON
On the computer side, you have two software companions:
• eCatcher: the eWON connection tool
• eSync Connect: the VPN Server application
Technologies
Today, there are many VPN technologies available; ACT'L chose to build its VPN on the OpenVPN standard (see http://openvpn.net).
eSync Connect needs web server, database and server-side technologies; ACT'L chose to use Apache (see http://www.apache.org), MySQL (see http://www.mysql.com) and PHP (see http://www.php.net).
VPN: general topology
Figure 2: VPN general topology (points labelled A to H around the VPN)
With a VPN, you generally want to build a network like the one in Figure 2.
All the devices in the yellow zone are on the same Virtual Private Network.
Every device on the VPN can connect to every other.
The devices on G and H can access the Internet but have no access to the VPN.
A) VPN server
To build a VPN, you need a server playing the role of master of VPN communications.
Every device must contact the Server to enter the VPN.
ACT'L has developed the eSync application to make the installation, configuration and daily use of the VPN easier.
The installation of eSync is very simple (follow the installer); eSync will install on your computer:
● An Apache web server listening on port 80. If you already have a web server running on your computer, eSync will use port 81.
● A MySQL database listening on port 3306. If you already have another one running on your computer, MySQL will use port 3307.
● An OpenVPN layer composed of a few services listening on UDP port 1194. If you already have another OpenVPN running on your computer, eSync will use port 1195.
And you are ready to play secured.
You can view your VPN interface in your Network Connections window (renamed here to VPN connection).
Figure 3: Network connections
With the eSync application, you manage your VPN by opening a secure communication tunnel between each VPN actor and the Server.
The standard setup of eSync will build a VPN where all actors receive an IP address in the range 10.8.x.x.
Figure 4: eSync VPN settings
These addresses can be assigned statically or dynamically.
By default, the IP address range is divided in two, one half for the static IPs and the other for DHCP IPs.
You can also define the Base Address of all devices placed on the LAN side of eWON-VPN.
address beginning by 10.9.x.x. to be accessible on the VPN.
After the installation, you configure eSync with your browser: just connect to the LAN IP address of the server (and use the right port if necessary).
The Admin account of eSync is by default:
login: adm
password: adm
If your Server is accessible on your LAN, you can access eSync from every computer.
Server requirements:
● The Server must be accessible from the Internet, generally by a fixed IP address.
● Port TCP 80 must be open for the HTTP traffic (or 81 if eSync was installed on 81).
● Port UDP 1194 must be open on the Server.
B) Local User connection and Remote (F)
If you want to go on the VPN from a computer, you need to use the VPN Client eCatcher. You can download it freely from the www.ewon.biz website. The installation requires no parameters.
Now, you need a VPN account.
Go to eSync Configuration, select Users Setup and click on the Create New User link.
Fill in all the information and create the User Certificate with the Create link.
Figure 5: Create new user
Figure 6: User Setup
You should see the following display when the Certificate is generated.
Figure 7: User Certificate generated
Now, you need to export this Certificate to your local computer.
Figure 8: Export User Certificate
For that, select the User you want to export and click the Export Selected User link.
You will be prompted to give the location and name for this XML file.
This file is a key to enter your VPN!
Store it in a secure place or destroy it after use; you can re-export it if you need it again.
In eCatcher, click on the Add an eSync Server link and use your User Certificate file to create your VPN link.
If you double-click on the new eSync Server connection, you will enter the VPN.
Now, your computer has access to all the devices connected to the VPN.
For example, you can connect to eSync through the VPN connection if you go to http://10.8.0.1:81 (my installation is on port 81).
Point (F): On a laptop at a remote location, the communications will pass through your modem to reach the Server. The address of the Server needs to be public.
C) eWON dial-up on VPN
To connect your eWON to the VPN, you need to create an account for it.
Go to eSync Configuration, select eWONs Setup and click on the Add an eWON link.
Fill in all the information.
Figure 9: Create eWON VPN
Figure 10: eWON setup
Use the Suggest link to choose a free Fixed IP Address.
Don't forget to create the Certificate!
Now, you need to export this Certificate to your local computer.
Figure 11: Export eWON Certificate
For that, select the eWON you want to export and click the Export Selected eWON link.
You will be prompted to give the location of the file.
This file is a key to enter your VPN!
Store it in a secure place or destroy it after use; you can re-export it if you need it again.
Notice that the proposed filename is “eWON_001_comcfg.txt”; the VPN parameters are formatted in the file so that it can be uploaded by FTP to configure the eWON.
Just rename the file to “comcfg.txt” and send it to the eWON by FTP.
Now, your eWON has the VPN configuration in place.
VPNCnxType:2
VPNKeyType:1
VPNSecretKey:-----BEGIN RSA PRIVATE KEY-----
MIICXA.......
-----END RSA PRIVATE KEY-----
VPNSecretCert:-----BEGIN CERTIFICATE-----
MIIDKj.......
-----END CERTIFICATE-----
VPNCACert:-----BEGIN CERTIFICATE-----
MIIDGT.......
-----END CERTIFICATE-----
VPNPortOut:1194
VPNAlive:40
VPNSrv1:support.ewon.be
VPNSrv2:
VPNP2PIpMode:0
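Because the exported file carries the eWON's RSA private key next to ordinary settings, a copy often needs the key removed before it is attached to a ticket or mail. The following is an added example, not part of the original guide or of eSync: it parses the name:value layout shown above (assuming a PEM value runs until its -----END line) and returns a copy with the private key replaced by a short hash tag. The sample input is constructed and the function names are hypothetical.

```python
import hashlib
import re

# Constructed sample in the layout shown above; PEM bodies and server name are placeholders.
SAMPLE = """\
VPNCnxType:2
VPNSecretKey:-----BEGIN RSA PRIVATE KEY-----
PLACEHOLDERKEYBODY
-----END RSA PRIVATE KEY-----
VPNCACert:-----BEGIN CERTIFICATE-----
PLACEHOLDERCABODY
-----END CERTIFICATE-----
VPNPortOut:1194
VPNSrv1:vpn.example.invalid
VPNSrv2:
"""

FIELD = re.compile(r"^([A-Za-z0-9_]+):(.*)$")

def parse_comcfg(text):
    """Return {name: value}; a PEM value keeps all of its lines."""
    fields, open_pem = {}, None
    for line in text.splitlines():
        if open_pem is not None:               # continuation of a PEM block
            fields[open_pem] += "\n" + line
            if line.startswith("-----END "):
                open_pem = None
            continue
        match = FIELD.match(line)
        if match:
            name, value = match.groups()
            fields[name] = value
            if value.startswith("-----BEGIN "):
                open_pem = name
    if open_pem is not None:                   # truncated export: refuse to guess
        raise ValueError(f"unterminated PEM block in {open_pem}")
    return fields

def secret_fields(fields):
    """Names of fields that carry private-key material."""
    return [n for n, v in fields.items() if "PRIVATE KEY-----" in v]

def redact(fields):
    """Copy of fields with private keys replaced by a short SHA-256 tag."""
    out = dict(fields)
    for name in secret_fields(fields):
        tag = hashlib.sha256(fields[name].encode()).hexdigest()[:12]
        out[name] = f"<private key removed, sha256:{tag}>"
    return out
```

The tag lets two redacted copies be compared to see whether they came from the same key without exposing it.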
Every time this eWON connects to the Internet, it will set up the VPN tunnel with the server.
For example, you can configure your eWON-pstn to use the Callback sequence to connect to the Internet and the VPN.
Once the eWON is on the VPN, the eSync main page shows you the connected eWON by displaying its IP address.
Figure 12: eSync shows eWON connected
If you open another Internet browser and use this address (http://10.8.128.29), you will be connected to your eWON through the VPN.
Figure 13: on eWON by VPN
through the VPN (the WAN address provided by the ISP will not answer).
Figure 14: WAN Protection
If you have a PLC connected to this eWON and you want to access it with the corresponding software, simply use this VPN IP address.
D) eWON GPRS as VPN Gateway
The configuration of an eWON acting as VPN Gateway is the same as in the point “eWON dial-up on VPN”.
The only things that change in this configuration are:
• eWON is used as Gateway to other Ethernet devices
• eWON uses the built-in GPRS modem to be connected (permanently) to the Internet
Once you create the eWON in eSync, configure the LAN settings parameters (use the Suggest link).
Figure 15: create eWON with a LAN
Then, all devices (and eWON) must have an IP address in this 10.9.9.x range to be part of the VPN.
If eWON has the 10.9.9.1 address, don't forget to set this address as Gateway in other devices.
If your eWON is a GPRS one, you can check the GPRS connection Type. This option will send the KeepAlive frames more slowly (in GPRS, you pay for the traffic, not for the time connected).
Once the Certificate is in the eWON, you may configure the eWON to play the Gateway behavior you want.
The Gateway function is always activated in eWON-VPN; you don't have the “Enable IP Gateway” checkbox like in eWON with firmware 4.x.
Go to the eWON Routing page, and set the option you need.
Figure 16: eWON Routing page
Usually, you need to set the NAT and TF (Transparent Forwarding) on WAN. This configuration allows your Ethernet devices to use both interfaces (WAN and VPN) to go outside.
The WAN will be used if your device sends an eMail to the ISP.
The VPN connection will be used when the device needs to access another VPN participant or when it replies to a request coming from the VPN.
As you are in GPRS, you can stay connected permanently to the Internet: check the Maintain Connection checkbox.
Figure 17: Maintain Connection parameter
Be aware that eWON and eSync will send small packets (ping) to keep the connection open (KeepAlive). This permanent connection will therefore cost some money (even if there is no useful traffic).
Once connected on GPRS, the eWON will establish its VPN connection and be accessible by other VPN participants.
Figure 18: eWON-Gateway connected
The eWON is accessible at the address 10.8.128.33 (address on the VPN) or at the address 10.9.9.1 (address on the eWON LAN).
The devices placed on the LAN of the eWON are accessible by their address 10.9.9.x directly from your computer.
If you display the IP Routes of your computer (command ROUTE PRINT in a DOS box), you will see that the VPN has automatically added a Route to 10.9.0.0 (the Base Address of eWONs LAN pools in the eSync Setup).
Figure 19: IP Routes
E) eWON2005 as Broadband VPN router
In this configuration, you want to pass through an ADSL router because you need to transmit a lot of data.
With an ADSL router, you must use an eWON2005 or eWON4005. These devices have two Ethernet interfaces, one for the WAN (connected to the ADSL router) and one for the LAN (connected to your devices).
The setup of this eWON is very close to those of points C and D.
The only thing that differs from point D is:
• eWON uses its WAN interface to connect to the Internet.
Once you create the eWON in eSync, configure the LAN parameters as follows.
Figure 20: setup eWON2005 in eSync
Then, all devices must have an IP address in the 10.9.6.x range to be part of the VPN.
On the eWON2005, you have two Ethernet interfaces to configure, the LAN and the WAN.
Figure 21: eWON2005 LAN setup
Then, if your eWON2005 has the 10.9.6.1 LAN IP address, don't forget to set this address as Gateway in the devices you want to access.
And the WAN Ethernet interface must be configured with parameters compatible with your ADSL device.
Figure 22: eWON2005 WAN setup
Here, you can see that we have an ADSL router on the 10.1.0.1 (eWON default gateway).
The IP addresses of your Remote Site will be as shown on the right.
Figure 23: eWON2005 remote site IP addresses
There is no MODEM configuration to set. You can disable the Modem Outgoing Connection.
Figure 24: eWON2005 Outgoing connection disable
The VPN configuration is always the same. Put the certificate generated by eSync in the eWON.
Figure 25: eWON2005 VPN certificate setup
In the Networking Config branch, the Internet Connection must be set on the WAN interface.
Figure 26: eWON2005 Internet Connection
If you need a permanent access to Internet, use the Maintain Connection checkbox (as shown).
VPN Connection must be enabled.
Figure 27: eWON2005 VPN connection
Set the Routing configuration if you need to allow devices on LAN to go outside.
Set the Security you need.
Figure 28: eWON2005 Routing
Figure 29: eWON2005 Security
With a WAN Protection Level set to “Allow All”, your eWON also accepts traffic coming from the “unsecured” world (not VPN).
With this configuration, you can access your eWON2005-VPN through the ADSL.
Figure 30: eWON2005 connected in eSync
The eWON2005 is accessible at this VPN address 10.8.128.17 and at this LAN address 10.9.6.1 (eSync knows that all addresses belonging to 10.9.6.x must be routed to this eWON2005).
You can PING your eWON at 10.9.6.1 and your LAN device at 10.9.6.8.
Figure 31: ping through VPN
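The addressing plan used throughout this guide decides which destinations travel inside the tunnel and which eWON forwards them. The following is an added example, not part of the original guide or of eSync, that models it with the addresses quoted above; the /16 and /24 masks are assumptions read from the 10.8.x.x, 10.9.x.x and 10.9.9.x notation, and the function names are hypothetical.

```python
import ipaddress

# Assumed masks: 10.8.x.x and 10.9.x.x are taken as /16, 10.9.9.x and 10.9.6.x as /24.
VPN_POOL = ipaddress.ip_network("10.8.0.0/16")   # addresses handed to VPN participants
LAN_BASE = ipaddress.ip_network("10.9.0.0/16")   # Base Address of the eWON LAN pools

# eWON registrations quoted in this guide: LAN subnet -> VPN address of the eWON.
EWON_LANS = {
    ipaddress.ip_network("10.9.9.0/24"): ipaddress.ip_address("10.8.128.33"),
    ipaddress.ip_network("10.9.6.0/24"): ipaddress.ip_address("10.8.128.17"),
}

def next_hop(dest):
    """Return (kind, via) describing how a VPN client reaches dest."""
    ip = ipaddress.ip_address(dest)
    if ip in VPN_POOL:
        return ("vpn-participant", ip)
    for lan, gateway in EWON_LANS.items():
        if ip in lan:
            return ("ewon-lan", gateway)
    if ip in LAN_BASE:
        return ("unassigned-lan", None)   # sent into the tunnel, but no eWON owns it
    return ("outside-vpn", None)          # not carried by the VPN at all

def check_new_lan(cidr):
    """Return a list of problems with registering cidr as a new eWON LAN."""
    lan = ipaddress.ip_network(cidr)
    problems = []
    if not lan.subnet_of(LAN_BASE):
        problems.append(f"{lan} is outside the LAN base {LAN_BASE}")
    problems += [f"{lan} overlaps {used}" for used in EWON_LANS if lan.overlaps(used)]
    return problems
```

Running check_new_lan before adding an eWON catches a LAN range that would collide with one already routed to another eWON.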
Appendix eWON at C configuration
Key Features
- Secure VPN connection
- Remote access for devices
- eCatcher software for remote connection
- eSync Connect application for VPN server management
- Supports various dial-up & broadband connections