USER MANUAL - GWR-I industrial cellular router

Contents

1. Remote Security Group Type: IP; IP Address: 192.168.10.1
   [Figure 78: IPSEC configuration page I for GWR-I Router 1]
   IPSec Setup: Key Exchange Mode: IKE with Preshared key; Mode: main; Phase 1 DH Group: Group2 (1024); Phase 1 Encryption: 3DES; Phase 1 Authentication: MD5; Phase 1 SA Life Time: 28800 sec; Perfect Forward Secrecy; Phase 2 DH Group: Group2 (1024); Phase 2 Encryption: 3DES; Phase 2 Authentication: MD5; Phase 2 SA Life Time: 3600 sec; Preshared Key: 1234567890
   Failover: Enable IKE Failover; IKE SA Retry; Restart PPP After IKE SA Retry Exceeds Specified Limit; Enable Tunnel Failover; Ping IP Or Hostname; Ping Interval; Packet Size; Advanced Ping Interval; Advanced Ping Wait For A Response; Maximum Number Of Failed Packets
   [Figure 79: IPSEC configuration page II for GWR-I Router 1]
   Advanced: NAT Traversal; Send Initial Contact; Compress (Support IP Payload Compression Protocol (IPComp)); Dead Peer Detection (DPD): 20 sec
   [Figure 80: IPSEC configuration page III for GWR-I Router 1]
   NOTE: Firmware version used in this scenario also provides options for Connection mode of IPSec tunnel. If connection mode Connect is selected that indicates si
2. [Figure 73: IPSEC configuration page I for GWR-I Router 2]
   IPSec Setup: Key Exchange Mode: IKE with Preshared key; Mode: aggressive; Phase 1 DH Group: Group2 (1024); Phase 1 Encryption: 3DES; Phase 1 Authentication: MD5; Phase 1 SA Life Time: 8800 sec; Perfect Forward Secrecy; Phase 2 DH Group: Group2 (1024); Phase 2 Encryption: 3DES; Phase 2 Authentication; Phase 2 SA Life Time: 600 sec; Preshared Key: 1234567890
   [Figure 74: IPSec configuration page II for GWR-I Router 2]
   NOTE: Options NAT Traversal and Send Initial Contact are predefined.
   Failover: Enable IKE Failover; IKE SA Retry; Restart PPP After IKE SA Retry Exceeds Specified Limit; Enable Tunnel Failover; Ping IP Or Hostname; Ping Interval; Packet Size; Advanced Ping Interval; Advanced Ping Wait For A Response; Maximum Number Of Failed Packets
   Advanced: Compress (Support IP Payload Compression Protocol (IPComp)); Dead Peer Detection (DPD), sec; NAT Traversal; Send Initial Contact
   [Figure 75: IPSec configuration page III for GWR-I Router 2]
   Click Start button on Internet Protocol Security page to initiate IPSEC tunnel.
   NOTE: Firmware version used in this scenario also provides options for Connection mode of IPSec tunnel. If connection mode Connect is selected that indicates side of IPSec tunnel which sends requests for establ
3. Primary Local DNS; Secondary Local DNS; Local Gateway
   Caution: Changes to IP address, subnet mask and local DNS require a reboot to take effect.
   Caution: Use local gateway option carefully. Router becomes unreachable from local subnet when this option is enabled.
   [Figure 88: Network configuration page for GWR-I Router]
   • Click WAN Settings Tab to configure parameters necessary for GSM/UMTS connection. All parameters necessary for connection configuration should be obtained from the mobile operator.
   • Check the status of GSM/UMTS connection (WAN Settings Tab). If disconnected, please click Connect button.
   • Click VPN Settings > IPSEC to configure IPSEC tunnel parameters. Click Add New Tunnel button to create new IPSec tunnel. Tunnel parameters are:
   Add New Tunnel
     Tunnel Name: IPsec tunnel; Enable: true
   Local Group Setup
     Local Security Gateway Type: SIM card; Local ID Type: IP Address; IP Address From: SIM 1 (WAN connection is established over SIM 1); Local Security Group Type: Subnet; IP Address: 192.168.10.0; Subnet Mask: 255.255.255.0
   Remote Group Setup
     Remote Security Gateway Type: IP Only; IP Address: 150.160.170.1; Remote ID Type: IP Address; Remote Security Group Type: Subnet; IP Address: 10.10.10.0; Subnet Mask: 255.255.255.0
   IPSec Setup
     Keying Mode: IKE
4. Carefully review settings before applying changes. Incorrect settings can make the router inaccessible from the network.
   [Figure 23: Firewall configuration page]
   Settings - Firewall - MAC Filtering
   MAC filtering can be used to restrict which Ethernet devices can send packets to the router. If MAC filtering is enabled, only Ethernet packets with a source MAC address that is configured in the MAC Filter table will be allowed. If the source MAC address is not in the MAC Filter table, the packet will be dropped.
   MAC Filtering Settings (Label: Description)
   • Enable MAC Filtering: This field specifies if MAC Filtering is enabled at the router.
   • Enable: Enable MAC filtering for a specific MAC address.
   • Name: Field shows the Rule Name that is given to the MAC filtering rule.
   • MAC address: The Ethernet MAC source address to allow.
   • Reload: Click Reload to discard any changes and reload previous settings.
   • Save: Click Save to save changes back to the GWR router.
5. [Figure 109: Policies from trust to untrust zone]
   OpenVPN tunnel between GWR-I router and OpenVPN server
   Overview
   OpenVPN site-to-site allows connecting two remote networks via a point-to-point encrypted tunnel. The OpenVPN implementation offers a cost-effective, easily configurable alternative to other VPN technologies. OpenVPN allows peers to authenticate each other using a pre-shared secret key, certificates, or username/password. When used in a multiclient-server configuration, it allows the server to release an authentication certificate for every client, using signature and Certificate authority. It uses the OpenSSL encryption library extensively, as well as the SSLv3/TLSv1 protocol, and contains many security and control features. The server and client have almost the same configuration. The difference in the client configuration is the remote endpoint IP or hostname field. Also, the client can set up the keepalive settings. For successful tunnel creation a static key must be generated on one side and the same key must be uploaded on the opposite side.
   OpenVPN configuration
   OpenVPN is established between one central location and three remote locations, with the Geneko router configured in TCP client mode. Authentication used is pre-shared key.
6. 381 11 3340 591, 3340 178; Fax: 381 11 3224 437; office@geneko.rs; www.geneko.rs
   Device Configuration
   There are two methods which can be used to configure the GWR-I Router. Administrator can use the following methods to access the router:
   • Web browser
   • Command line interface
   The default access method is the web interface. This method provides the administrator a full set of privileges for configuring and monitoring the router. Configuration, administration and monitoring of the GWR-I Router can be performed through the web interface. The default IP address of the router is 192.168.1.1. The other method is the command line interface. This method has limited options for configuring the GWR-I Router but is still a very powerful tool for router setup and monitoring. Another document deals with CLI commands and instructions.
   Device configuration using web application
   The GWR-I Router's web-based utility allows you to set up the Router and perform advanced configuration and troubleshooting. This chapter will explain all of the functions in this utility. For local access to the GWR-I Router's web-based utility, launch your web browser and enter the Router's default IP address, 192.168.1.1, in the address field. A login screen prompts you for your User name and Password. Default administration credentials are admin/admin. If you want to use web interface for router ad
7. List of figures (excerpt)
   • Figure 55: GRE tunnel between two GWR-I Routers
   • Figure 56: Network configuration page for GWR-I Router 1
   • Figure 57: GRE configuration page for GWR-I Router 1
   • Figure 58: Routing configuration page for GWR-I Router
   • Figure 59: Network configuration page for GWR-I Router 2
   • Figure 60: GRE configuration page for GWR-I Router
   • Figure 61: Routing configuration page for GWR-I Router 2
   • Figure 62: GRE tunnel between Cisco router and GWR-I Router
   • Figure 66: IPSec tunnel between two GWR-I Routers
   • Figure 67: Network configuration page for GWR-I Router 1
   • Figure 68: IPSEC configuration page I for GWR-I Router
   • Figure 69: IPSec configuration page II for GWR-I Router 1
   • Figure 70: IPSec configuration page III for GWR-I Router
   • Figure 71: IPSec start/stop page for GWR
   • Figure 72: Network configuration page for GWR-I Router 2
   • Figure 73: IPSEC configuration page I for GWR-I Router 2
8. The first step is STANDARD ping proofing. This ping periodically checks if the link is alive. Standard ping has 4 packets which are sent over the link, and if all 4 are returned, keep-alive remains in standard ping proofing mode. If two or more of the 4 packets are dropped, keep-alive activates ADVANCED ping proofing.
   ADVANCED ping proofing is the second step in link quality detection. Advanced ping proofing sends 5 ping packets in a short period of time and reports how many packets are dropped (for example, if 4 packets are dropped, ping loss is 80%). If this value is defined as 100%, for example, the action (switch SIM or PPP restart) is performed only if all packets are dropped. The value entered here depends on how many lost packets can be tolerated on the link. For example, if value 60% is entered and 2 packets of 5 (40%) are lost, keep-alive returns to step one (standard ping proofing) with no action performed. If PPP should be restarted only when all packets are dropped, the defined value should be 100%.
   In the following example keepalive is enabled on both SIM cards. The action defined is SWITCH SIM, so the router will change SIM card when link failure is detected. Settings are the following:
   SIM1: Ping target: 8.8.8.8; Ping interval: 120; Advanced ping interval: 10; Advanced ping wait for response: 5; Maximum number of failed packets: 80; Keepalive action: switch SIM
   SIM2: Ping target: 212.62.32.1; Ping interval: 120; Advanced ping interval: 10; A
9. IP Address From: SIM 1 (WAN connection is established over SIM 1); Local Security Group Type: Subnet; IP Address: 10.0.10.0; Subnet Mask: 255.255.255.0
   Remote Group Setup
     Remote Security Gateway Type: IP Only; IP Address: 172.29.8.5; Remote ID Type: IP Address; Remote Security Group Type: IP; IP Address: 192.168.10.1
   IPSec Setup
     Key Exchange Mode: IKE with Preshared key; Mode: aggressive; Phase 1 DH group: Group 2; Phase 1 Encryption: 3DES; Phase 1 Authentication: MD5; Phase 1 SA Life Time: 28800; Perfect Forward Secrecy: true; Phase 2 DH group: Group 2; Phase 2 Encryption: 3DES; Phase 2 Authentication: MD5; Phase 2 SA Life Time: 3600; Preshared Key: 1234567890
   Failover
     Enable Tunnel Failover: false
   Advanced
     Compress (Support IP Payload Compression Protocol (IPComp)): false; Dead Peer Detection (DPD): false; NAT Traversal: true; Send Initial Contact: true
   [Screenshot: Device 2 Device Tunnel, Add New Tunnel page]
10. USER MANUAL, GWR-I Industrial Cellular Router Series. Device firmware version: 3.0. Document version: 3.3. Date: May 2014.
   Content (excerpt)
   • DESCRIPTION OF THE GWR-I INDUSTRIAL CELLULAR ROUTER SERIES
   • DEVICE CONFIGURATION
   • DEVICE CONFIGURATION USING WEB APPLICATION
   • Add/Remove/Update manipulation in tables
   • Status - Network Information
   • Settings - Dynamic Routing Protocol
11. 15. Allow SNMP on ppp_0: SNMP requests are allowed to be sent to the router over WAN interface.
   16. Allow MODBUS on ppp_0: MODBUS conversion over default port UDP 502 is permitted.
   17. REJECT all other traffic: All packets which are not stated as ACCEPT in previous rules are denied. If this rule is not enabled, all packets which are not stated as DROP/REJECT are permitted.
   In the following example 8 traffic flows are defined under firewall rules. In the picture, permitted packets are marked in green and blocked packets in red.
   [Figure 124: Firewall example]
   Firewall is enabled in the SETTINGS > FIREWALL page. The page for firewall configuration is presented in the following picture.
   [Figure 125: Initial firewall configuration on GWR]
   First, the firewall should be enabled; that is done by selecting Firewall General Settings > Enable. The firewall can be configured by enabling or editing existing predefined rules or by adding new ones. The firewall is configured in the following way:
   1. Telnet traffic is denied Sel
12. [Figure 123: Settings for virtual COM port]
   • IP address: not used in server mode
   • Port: 1234
   • Server Port: 1234
   • Port Name: COM10 (random selected)
   After Create COM is activated, if everything is all right, the log will show a message that port COM10 is created, as in the picture above. For communication with the remote serial device, COM10 should be selected on the workstation.
   Firewall example
   The firewall implemented in GWR routers has numerous options for matching interesting traffic. Traffic flow through the router is controlled with three actions triggered by the firewall:
   1. ACCEPT: traffic is passed through the router without any changes implemented.
   2. REJECT: traffic is blocked with ICMP error messages.
   3. DROP: traffic is blocked without any error messages; connection is retried until the threshold for retransmission is exceeded.
   By default all traffic is PERMITTED. To block all the traffic not defined under stated rules last entry in fire
13. Phase 1 SA Life Time: 28800; Perfect Forward Secrecy: true; Phase 2 DH group: Group 2; Phase 2 Encryption: 3DES; Phase 2 Authentication: MD5; Phase 2 SA Life Time: 3600; Preshared Key: 1234567890
   • Local Group Setup
     Local Security Gateway Type: SIM card; Local ID Type: IP Address; IP Address From: SIM 1 (WAN connection is established over SIM 1); Local Security Group Type: Subnet; IP Address: 10.0.10.0; Subnet Mask: 255.255.255.0
   • Remote Group Setup
     Remote Security Gateway Type: IP Only; IP Address: 172.29.8.5; Remote ID Type: IP Address; Remote Security Group Type: IP; IP Address: 192.168.10.1
   • Failover
     Enable IKE failover: false; Enable Tunnel Failover: false
   • Advanced
     Compress (Support IP Payload Compression Protocol (IPComp)): false; Dead Peer Detection (DPD): false; NAT Traversal: true; Send Initial Contact: true
   [Screenshot: Device 2 Device Tunnel, Add New Tunnel page]
14. Reject with icmp port unreachable
   Configuration should be as in the picture below.
   [Figure 127: Filtering of ICMP traffic (Firewall Rules page; rule name "Deny PING to ppp_0 interface", chain INPUT, protocol ICMP, ICMP type echo request, source address Single IP 212.62.38.196, packet state NEW, policy REJECT, reject with icmp port unreachable)]
   After configuration is finished, the SAVE button should be selected and the user is returned to the main configuration page. Priority of a rule is changed by selecting a number in the drop-down menu. In this example number 4 is selected.
   3. ICMP traffic is allowed from single IP addresses
   With the firewall rule configuration shown above, the IP address stated in the Source address field is excluded from the REJECT policy, but in order to allow ping from that IP address it has to be matched with another rule. Configuration of approp
15. Tunnel Name: IPsec tunnel; Enable: true
   • IPSec Setup
     Keying Mode: IKE with Preshared key; Mode: aggressive; Phase 1 DH group: Group 2; Phase 1 Encryption: 3DES; Phase 1 Authentication: SHA1; Phase 1 SA Life Time: 28800; Perfect Forward Secrecy: true; Phase 2 DH group: Group 2; Phase 2 Encryption: 3DES; Phase 2 Authentication: SHA1; Phase 2 SA Life Time: 3600; Preshared Key: 1234567890
   • Local Group Setup
     Local Security Gateway Type: IP Only; Local ID Type: Custom; Custom Peer ID: 172.30.147.96; IP Address: SIM 1; Local Security Group Type: Subnet; IP Address: 192.168.10.0; Subnet Mask: 255.255.255.0
   • Remote Group Setup
     Remote Security Gateway Type: IP Only; IP Address: 150.160.170.1; Remote ID Type: IP Address; Remote Security Group Type: Subnet; IP Address: 10.10.10.0; Subnet Mask: 255.255.255.0
   • Advanced
     Compress (Support IP Payload Compression Protocol (IPComp)): false; Dead Peer Detection (DPD): false; NAT Traversal: true
   Press Save to accept the changes.
   [Screenshot: Device 2 Device Tunnel, Add New Tunnel page]
16. an address such as 10.0.0.1; this is normal, as it is the GSM/UMTS provider's network default gateway.
   • Click WAN Settings Tab to configure parameters necessary for GSM/UMTS connection. All parameters necessary for connection configuration should be provided by your mobile operator.
   • Check the status of GSM/UMTS connection (WAN Settings Tab). If disconnected, please click Connect button.
   • Check Routing Tab to see if there is a default route (should be there by default).
   • Router will automatically add default route via ppp0 interface.
   • Optionally configure IP Filtering and TCP service port settings to block any unwanted incoming traffic.
   • Configure the GWR-I Router LAN address (10.1.1.1) as a default gateway address on your PCs. Configure valid DNS address on your PCs.
   GRE Tunnel configuration between two GWR-I Routers
   A GRE tunnel is a type of VPN tunnel, but it isn't a secure tunneling method. A simple network with two GWR-I Routers is illustrated on the diagram below (Figure 55). The idea is to create a GRE tunnel for LAN-to-LAN (site-to-site) connectivity.
   [Figure 55: GRE tunnel between two GWR-I Routers]
   The GWR-I Routers requirements:
   • Static IP WAN address for tunnel source and tunnel destination address
   • So
17. site to site connectivity
   [Figure 62: GRE tunnel between Cisco router and GWR-I Router; diagram labels: Static WAN 172.29.8.5, Private APN, WAN 172.29.8.4, HQ Site]
   The GRE tunnel is created between a Cisco router with GRE functionality on the HQ Site and the GWR-I Router on the Remote Network. In this example it is necessary for both routers to create a tunnel interface (virtual interface). This new tunnel interface is its own network. To each of the routers it appears that it has two paths to the remote: the physical interface and the tunnel interface (running through the tunnel). This tunnel could then transmit unroutable traffic such as NetBIOS or AppleTalk.
   The GWR-I Router uses Network Address Translation (NAT), where only the mobile IP address is visible to the outside. All outgoing traffic uses the GWR-I Router WAN/VPN mobile IP address. The HQ Cisco router acts as a gateway to the remote network for users in the corporate LAN. It also performs the function of GRE server for termination of the GRE tunnel. The GWR-I Router acts as default gateway for the Remote Network and GRE server for the tunnel.
   1. HQ router requirements:
   • HQ router requires a static IP WAN address
   • Router or VPN appliance has to support GRE protocol
   • Tunnel peer address will be the GWR-I Router WAN's mobile IP address. For this reason a static mobile IP address is
18. [Figure 10: Firewall Information (Firewall Active Rules listing for the INPUT, FORWARD and OUTPUT chains, with Reset INPUT, Reset FORWARD and Reset OUTPUT buttons)]
   Settings - Network
   Click Network Tab to open the LAN network screen. Use this screen to configure LAN TCP/IP settings. Network Tab Parame
19. • Add: Click Add to insert a new item in the table to the GWR-I Router.
   • Remove: Click Remove to delete the selected item from the table.
   • Reload: Click Reload to discard any changes and reload previous settings.
   • Save: Click Save to save your changes back to the GWR-I Router. After pressing the Save button it may take more than 10 seconds for the router to save parameters and become operational again.
   Table 8: Routing parameters
   Port translation
   For incoming data, the GWR-I Router forwards IP traffic destined for a specific port, port range or GRE/IPsec protocol from the cellular interface to a private IP address on the Ethernet side of the GWR-I Router.
   Settings - Dynamic Routing Protocol
   Dynamic routing performs the same function as static routing except it is more robust. Static routing allows routing tables in specific routers to be set up in a static manner, so network routes for packets are set. If a router on the route goes down, the destination may become unreachable. Dynamic routing allows routing tables in routers to change as the possible routes change.
   Routing Information Protocol (RIP)
   The Routing Infor
20. [Figure 95: IPSEC configuration page I for GWR-I Router]
   [Figure 96: IPSec configuration page II for GWR-I Router]
   [Figure 97: IPSec configuration page III for GWR-I Router]
   Click Start button on Internet Protocol Security page to initiate IPSEC tunnel.
   Click Start button and after that Connect button on Internet Protocol Security pag
21. Digital output can be controlled via SMS messages in the following way:
   • DIGITAL OUTPUT HIGH or LOW: In order to set digital output state, user should send SMS containing this command.
   • DIGITAL STATUS: In order to read digital output state, user should send SMS containing this command.
   After the command is executed, the router sends one of the following status reports to the user:
   • DIGITAL OUTPUT STATUS HIGH or LOW (depends on output pin state)
   Output voltage level on GPIO Output can be from 12V to 48V DC and it depends on the type of consumer device attached to the output. Precisely, if the attached device needs input voltage in the range from 12 to 48 V DC, it will work with the appropriate input voltage level. Output voltage level on GPIO output does not depend on the input voltage of the router's powering. The following picture shows how a device should be connected to the router.
   [Figure 35: Digital output]
   Maintenance
   The GWR-I Router provides administration utilities via web interface. Administrator can set up the router's basic parameters, perform network diagnostics, update software or restore factory default settings.
   Maintenance - Device Identity Settings
   Within Device Identity Settings Tab there is an option to define name, location of device and description
22. List of figures (excerpt)
   • Figure 74: IPSec configuration page II for GWR-I Router 2
   • Figure 75: IPSec configuration page III for GWR-I Router 2
   • Figure 76: IPSec start/stop page for GWR
   • Figure 77: Network configuration page for GWR-I Router 1
   • Figure 78: IPSEC configuration page I for GWR-I Router 1
   • Figure 79: IPSEC configuration page II for GWR-I Router 1
   • Figure 80: IPSEC configuration page III for GWR-I Router 1
   • Figure 81: IPSec start/stop page for GWR-I Router 1
   • Figure 82: Network configuration page for GWR-I Router 2
   • Figure 83: IPSEC configuration page I for GWR-I Router 2
   • Figure 84: IPSEC configuration page II for GWR-I Router 2
   • Figure 85: IPSEC configuration page III for GWR-I Router 2
   • Figure 86: IPSec start/stop page for GWR-I Router
   • Figure 87: IPSec tunnel between GWR-I Router and Cisco Router
   • Figure 88: Network configuration page for GWR-I Router
   • Figure 89: IPSEC configuration page I for GWR-I Router
   • Figure 90: IPSec configuration page II for GWR-I Router
   • Figure 91: IPSec configuration page III for GWR-I Router
   • Figure 92: IPSec start/stop page for GWR-I Router
   • Figure 93: IPSec tunnel between GWR-I Router and Cisco Router
   • Figure 94: Network configuration page for GWR-I Router
   • Figure 95: IPSEC configuration page I f
23. Configuration: manual configuration; Local Interface IP Address: 2.2.2.2; Remote Interface IP Address: 2.2.2.1
   [Figure 112: OpenVPN GWR-I settings]
   The pre-shared secret is pasted from the key.txt file, which you generate on the OpenVPN server. In the routing table, a static IP route to the local OpenVPN server network (in this case 192.168.2.0/24) should be entered.
   [Figure 113: Static routes on GWR]
   The TUN1 interface isn't available before you start the OpenVPN tunnel, so you must start it first. That completes the configuration of the GWR regarding establishing the OpenVPN tunnel and routing through it.
   Implementation
   You start the OpenVPN tunnel on the server side by right-clicking the icon in the notification bar. You choose OpenVPN tunnel Server1 and click Connect. Repeat the same procedure for Server2 and Server3.
   [Figure 114: Starting OpenVPN application]
   When the OpenVPN tunnel is up on the OpenVPN server, you should get the following notification:
   [Figure 115: OpenVPN status on PC (notification "Server1 is now connected")]
   On the GWR side, the status of the OpenVPN tunnel should be established.
   [Figure 116: OpenVPN status on GWR]
   Portforwarding examp
24. ERROR if something went wrong during the execution of the command.
   The remote control configuration page is presented in the following figure. In order to use this feature, the user must enable SMS remote control and specify the list of SIM card numbers that will be used for SMS remote control. The SIM card number should be entered in the following format: Country Code, Mobile Operator Prefix, Phone Number (for example 38164111222). The SMS service centre number can be obtained automatically (option Use default SMSC is enabled) or manually by entering the number in the field Custom SMSC.
   As presented on the Figure 31, configuration should be performed separately for both SIM cards. After the configuration is entered, the user must click the SAVE button in order to save the configuration.
   [Figure 32: SMS remote control configuration (Short Message Service page; SIM1 Settings and SIM2 Settings, each with Enable Remote Control, Use default SMSC, Custom SMSC and Phone Number 1 to 5; phone number example 38164111222)]
   Settings - Send SMS
   SMS send feature allows users to send SMS message from WEB interface I
25. Forward Secrecy; Phase 2 Encryption: 3DES; Phase 2 Authentication: SHA1; Phase 2 SA Life Time: 3600 sec; Preshared Key: 1234567890. Figure 90: IPSec configuration page II for GWR-I Router. Failover: Enable IKE Failover; IKE SA Retry; Restart PPP After IKE SA Retry Exceeds Specified Limit; Enable Tunnel Failover; Ping IP Or Hostname; Ping Interval; Packet Size; Advanced Ping Interval; Advanced Ping Wait For A Response; Maximum Number Of Failed Packets. Advanced: Compress (Support IP Payload Compression Protocol (IPComp)); Dead Peer Detection (DPD): 20 sec; NAT Traversal; Send Initial Contact. Figure 91: IPSec configuration page III for GWR-I Router. Click the Start button on the Internet Protocol Security page to initiate the IPSEC tunnel. Click the Start button and after that the Connect button on the Internet Protocol Security page to initiate the IPSEC tunnel. Internet Protocol Security summary: Tunnels used: 1; Maximum number of tunnels: 5; Enc: 3DES; Auth: SHA1; Grp: 2; Mode: aggressive; Local Group: 192.168.10.0; Remote Group: 10.10.10.0. Reducing the MTU size on the client side can help eliminate some connectivity problems occurring at the protocol level. Recommended MTU size on client side is 1300. Tunnel
26. NETWORK screen. Use this screen to configure LAN TCP/IP settings. Configure IP address and Netmask: IP Address: 192.168.10.1; Subnet Mask: 255.255.255.0. Press Save to accept the changes. Caution: Changes to IP address, subnet mask and local DNS require a reboot to take effect. Caution: Use the local gateway option carefully. The router becomes unreachable from the local subnet when this option is enabled. Figure 72: Network configuration page for GWR-I Router 2. • Use a SIM card with a static IP address obtained from the Mobile Operator. • Click the WAN Settings tab to configure the parameters necessary for the GSM/UMTS connection. All parameters necessary for connection configuration should be requested from the mobile operator. • Check the status of the GSM/UMTS connection (WAN Settings tab). If disconnected, please click the Connect button. • Click VPN Settings > IPSEC to configure IPSEC tunnel parameters. Click the Add New Tunnel button to create a new IPSec tunnel. Tunnel parameters are: Add New Tunnel: Tunnel Name: IPsec tunnel; Enable: true. Local Group Setup: Local Security Gateway Type: SIM card; Local ID Type: IP Address; IP Address From: SIM 1 (WAN connectio
27. Power on, Status LED, GSM link activity, Signal quality, Reset. Environmental: Operating temperature: -25°C to 70°C (-13°F to 158°F); Storage temperature: -40°C to 75°C (-40°F to 167°F); Relative humidity: 5% to 95%, non-condensing. Dimensions and weight: Width 50 mm, Length 104 mm, Height 135 mm, Weight 500. Housing and mounting options: Robust metal housing, DIN rail mounting kit. Table 1: Technical parameters. Protocols and features (short description). Network: Routing: Static. DHCP Server: Static lease reservation; Address exclusions. RIP: The Routing Information Protocol is a dynamic routing protocol used in local and wide area networks. Port forwarding: IP, TCP, UDP packets from WAN to LAN. DMZ support: DMZ, or Demilitarized Zone, is a physical or logical subnetwork that contains and exposes an organization's external services to a larger untrusted network, usually the Internet. SNMPv1/2c: Simple Network Management Protocol is used in network management systems to monitor network-attached devices for conditions that warrant administrative attention. NTP (RFC 1305): The Network Time Protocol is a protocol for synchronizing the clocks of router. DynDNS: Dynamic DNS (DDNS) is a domain name service allowing to link dynamic IP addresses to a static hostname. To start usin
29. Service protocol. Service port: User defined or Default (514). Figure 53: Syslog configuration page. The GWR-I Router supports this protocol and can send its activity logs to an external server. Syslog Settings: Mark this option in order to disable the Syslog feature. Mark this option in order to enable logging on a remote machine. Remote/local syslog. Start logging facility locally. Remote Syslog: The GWR-I Router can send a detailed log to an external Syslog server. The Router's Syslog captures all log activities and includes this information about all data transmissions: every connection source and destination IP address, IP service, and number of bytes transferred. Service Server IP: Enter the Syslog server name or IP address. Service Port: Sets the port to which Syslog data is sent. The default is 514. You can specify the port by marking User defined and entering the port to which you want Syslog data to be sent. User defined: Set the port number manually. Default: Use the standard port number for this service (514). Local: Syslog file is stored locally on the router. USB Flash: Syslog file is stored on flash memory attached to the USB interface. Syslog file size: Set the log size to one of the six predefined values (10, 20, 50, 100, 200, 500 kb). Choose which events are to be stored: you can store System events, IPsec events, or both. Event log
30. Time; Preshared Key; Remote Security Gateway Type. Figure 68: IPSEC configuration page I for GWR-I Router 1 (Tunnel Name: IPsec tunnel; Enable; Local Group Setup; Local Security Gateway Type; values shown in order: SIM Card, IP Address, SIM 1, Subnet, 10.0.10.0, 255.255.255.0, IP Only, IP Address, IP, 192.168.10.1). Figure 69: IPSec configuration page II for GWR-I Router 1 (values shown in order: IKE with Preshared key, aggressive, Group2 (1024), 3DES, MD5, 28800 sec, Group2 (1024), 3DES, MD5, 3600 sec, 1234567890). NOTE: Options NAT Traversal and Send Initial Contact are predefined. Failover: IKE SA Retry; Restart PPP After IKE SA Retry Exceeds Specified Limit; Enable Tunnel Failover; Ping IP Or Hostname; Ping Interval (sec); Packet Size; Advanced Ping Interval (sec); Advanced Ping Wait For A Response (sec); Maximum Number Of Failed Packets. Advanced: Compress (Support IP Payload Compression Protocol (IPComp)); Dead Peer Detection (DPD) (sec); NAT Traversal; Send Initial Contact. Figure 70: IPSec configuration page III for GWR-I Router 1. Click Start button on Internet Protocol Security page to initiat
31. Zone; Proxy ID; Local IP/Netmask: 10.10.10.0; Remote IP/Netmask; VPN Group: None. Figure 106: AutoKey IKE advanced parameters. Step 4 - Routing: • Click the Destination tab on the Routing menu. • Click the New button. Routing parameters are: IP Address: 192.168.10.0/24; Gateway: tunnel.3 (tunnel interface from step 1). Click OK. Figure 107: Routing parameters (Network > Routing > Routing Entries > Configuration; Virtual Router Name: trust-vr; Gateway Interface: tunnel.3; Metric: 1; Preference: 20). Step 5 - Policies: • Click Policies in the main menu. • Click the New button, from Untrust to Trust zone: Source Address: 192.168.10.0/24; Destination Address: 10.10.10.0/24; Services: Any. • Click OK. Figure 108: Policies from untrust to trust zone. • Click Policies in the main menu. • Click the New button, from Trust to Untrust zone: Source Address: 10.10.10.0/24; Destination Address: 192.168.10.0/24; Services: Any. • Click OK.
32. a given task by entering a command. The system waits for the user to conclude the submitting of the text command by pressing the Enter or Return key. A command line interpreter then receives, parses, and executes the requested user command. On the router's Web interface, in the Management menu, click the Command Line Interface tab to open the Command Line Interface settings screen. Use this screen to configure CLI parameters (Figure 42). Command Line Interface, CLI Settings: Enable; View Mode Username; View Mode Password; Confirm Password: Confirm password for View mode; View Mode Timeout: Inactivity timeout for View mode, in seconds. After timeout, the user will be put in Main mode; Edit Mode Timeout: Inactivity timeout for Edit mode, in seconds. Note that the Username and Password for Edit mode are the same as the Web interface login parameters. After timeout, the user will be put in Main mode; Console Type: Windows, other. Click Save to save your changes back to the GWR-I Router. Click Reload to discard any changes and reload previous settings. Table 23: Command Line Interface parameters. Figure 45: Command Line Interface (values shown: Telnet, admin). Detailed instructions related to CLI are located in other document Command_Line_Interface
33. a static IP address obtained from the Mobile Operator. (Note: the default gateway may show, or change to, an address such as 10.0.0.1; this is normal, as it is the GSM/UMTS provider's network default gateway.) • Click the WAN Settings tab to configure the parameters necessary for the GSM/UMTS connection. All parameters necessary for connection configuration should be requested from the mobile operator. • Check the status of the GSM/UMTS connection (WAN Settings tab). If disconnected, please click the Connect button. • Click VPN Settings > GRE to configure GRE tunnel parameters. VPN - Generic Routing Encapsulation (GRE) Tunneling: Enable: yes; Local Tunnel Address: 10.10.10.2; Local Tunnel Netmask: 255.255.255.252 (unchangeable, always 255.255.255.252); Tunnel Source: 10.251.49.3 (select HOST from the drop-down menu if you want to use a host name as peer identifier); Tunnel Destination: 10.251.49.2 (select HOST from the drop-down menu if you want to use a host name as peer identifier); KeepAlive enable: no; Period: (none); Retries: (none). Press ADD to put the GRE tunnel rule into the GRE table. Press Save to accept the changes. Local Tunnel Address: IP Address of virtual tunnel interface. Local Tunnel Netmask: Unchangeable, alw
34. check box allows you to activate/deactivate VPN/GRE traffic. Local Tunnel Address: This field specifies the IP address of the virtual tunnel interface. Local Tunnel Netmask: This field specifies the IP netmask address of the virtual tunnel. This field is unchangeable, always 255.255.255.252. Tunnel Source: This field specifies the IP address or hostname of the tunnel source. Tunnel Destination: This field specifies the IP address or hostname of the tunnel destination. Interface: This field specifies the GRE interface. Its value is provided by the GWR-I Router. KeepAlive Enable: Check to enable keepalive. Period: Defines the time interval (in seconds) between transmitted keepalive packets. Enter a number from 3 to 60 seconds. Retries: Defines the number of retries when failed keepalives are detected before determining that the tunnel endpoint is down. Enter a number from 1 to 10 times. Add: Click Add to insert a new item in the table. Click Remove to delete the selected item from the table. Click Reload to discard any changes and reload previous settings. Click Save to save your changes back to the GWR-I Router. Table 10: GRE parameters. Generic Routing Encapsulation (GRE) Settings: Enable, Local Tunnel Address, Local Tunnel Netmask, Tunnel Destination, KeepAlive Enable, Period, Retries, Action. Local Tunnel Address: IP Addres
35. configuration. Click the Network tab to open the LAN NETWORK screen. Use this screen to configure LAN TCP/IP settings. Configure IP address and Netmask: IP Address: 10.0.10.1; Subnet Mask: 255.255.255.0. Press Save to accept the changes. Caution: Changes to IP address, subnet mask and local DNS require a reboot to take effect. Caution: Use the local gateway option carefully. The router becomes unreachable from the local subnet when this option is enabled. Figure 77: Network configuration page for GWR-I Router 1. • Use a SIM card with a static IP address obtained from the Mobile Operator. • Click the WAN Settings tab to configure the parameters necessary for the GSM/UMTS connection. All parameters necessary for connection configuration should be requested from the mobile operator. • Check the status of the GSM/UMTS connection (WAN Settings tab). If disconnected, please click the Connect button. • Click VPN Settings > IPSEC to configure IPSEC tunnel parameters. Click the Add New Tunnel button to create a new IPSec tunnel. Tunnel parameters are: • Add New Tunnel: Tunnel Name: IPsec tunnel; Enable: true. • IPSec Setup: Keying Mode: IKE with Preshared key; Mode: main; Phase 1 DH group: Group 2; Phase 1 Encryption: 3DES; Phase 1 Authentication: MD5
36. detection on the network and setup of the PC-to-device communication. Thanks to this utility, the user can simply connect the router to the local network without previous setup of the router. The Connection Wizard will detect the device and allow you to configure some basic functions of the router. Connection Manager is enabled by default on the router, and if you do not want to use it you can simply disable it (Figure 44). Figure 47: Connection Manager (Enable Connection Manager; Connection Manager Status: started). Getting started with the Connection Wizard: The Connection Wizard is installed in a few very simple steps and is available immediately after installation. After starting the wizard, you can choose between two available options for configuration: • GWR-I Router's Ethernet port: With this option you can define the LAN interface IP address and subnet mask. • GWR-I router's Ethernet port and GPRS/EDGE/HSPA network connection: Selecting this option, you can configure parameters for the LAN and WAN interfaces. Figure 48: Connection Wizard, Initial Step. Select one of the options and click Next. On the next scr
37. down menu. In this example, number 9 is selected. In addition to these 11 rules, two more rules are enabled: Allow already established traffic (priority number 2) and Reject all other traffic (priority number 22). After all rules are configured and saved, the APPLY RULES button in the bottom right corner should be selected to activate traffic filtering. When all 13 rules from this example are configured, the firewall should look like this: Figure 132: Complete firewall configuration. SMS management example: GWR routers can be managed over SMS messages. Commands from the SMS are executed on the router, with a status report sent back to the sender. The picture below shows the settings for SMS management where three mobile phone numbers are allowed to send commands to the router over the first SIM card. In this example, management over SIM2 is not enabled. Please have in mind that router ca
39. from one interface to another originated outside the router. Predefined list of well-known ports and Custom option for user-defined services. Type of protocol: TCP, UDP, UDPLITE, AH, SCTP, ESP, ICMP, Custom. Number of port: four options are available: FULL/UNDEF (all port numbers), Port RANGE (for a range of ports), CSV multiport (for defining more than one non-continuous port number), CUSTOM (for a single port). ICMP type (ICMP protocol is selected): A list of ICMP packet types is displayed. ICMP is filtered in general or by specific type. Protocol number (Custom protocol is selected): Protocol number is chosen between 1 and 255. Input Interface: Selection of firewall input inspection interface; when OUTPUT chain is selected, this field cannot be chosen. Output Interface: Selection of firewall output inspection interface; when INPUT chain is selected, this field cannot be chosen. Source address: This field specifies packets with the source IP address on which the firewall rule is applied. Destination address: This field specifies packets with the destination IP address on which the firewall rule is applied. For a defined IP address in Source or Destination IP address, inverts the logic of the filter: instead of applying the firewall rule to the defined IP addresses, all IP addresses EXCEPT the defined ones are covered by the firewall rule. Packet state: Selection of traffic by packet state. INVALID is for unrecognized packet state traffic. Policy: Options for firewall rule action ACC
40. group: Group 2; Phase 2 Encryption: 3DES; Phase 2 Authentication: MD5; Phase 2 SA Life Time: 3600; Preshared Key: 1234567890. • Local Group Setup: Local Security Gateway Type: SIM card; Local ID Type: IP Address; IP Address From: SIM 1 (WAN connection is established over SIM 1); Local Security Group Type: IP; IP Address: 192.168.10.1. • Remote Group Setup: Remote Security Gateway Type: IP Only; IP Address: 172.29.8.4; Remote ID Type: IP Address; Remote Security Group Type: Subnet; IP Address: 10.0.10.0; Subnet: 255.255.255.0. • Failover: Enable IKE failover: false; Enable Tunnel Failover: false. • Advanced: Compress (Support IP Payload Compression Protocol (IPComp)): false; Dead Peer Detection (DPD): false; NAT Traversal: true; Send Initial Contact: true. Press Save to accept the changes.
41. is selected, that indicates the side of the IPSec tunnel which sends requests for establishing the IPSec tunnel. If connection mode Wait is selected, that indicates the side of the IPSec tunnel which listens and responds to IPSec establishing requests from the Connect side. Internet Protocol Security summary: Tunnels used: 1; Maximum number of tunnels: 5; Enc: 3DES; Auth: MD5; Grp: 2; Mode: main; Local Group: 10.0.10.0. Reducing the MTU size on the client side can help eliminate some connectivity problems occurring at the protocol level. Recommended MTU size on client side is 1300. Tunnel status description: started: ipsec is running; stopped: ipsec is not running or tunnel is not enabled; connecting: ipsec is trying to establish connection; waiting for connection: ipsec is waiting for other end to connect; established: tunnel is up. Figure 86: IPSec start/stop page for GWR-I Router 1. Click the Start button and after that the Wait button on the Internet Protocol Security page to initiate the IPSEC tunnel. • On the device connected to GWR-I router 2, set the default gateway to 192.168.10.1. IPSec Tunnel configuration between GWR-I Router and Cisco Router: IPSec tunnel is a type of a VPN tunnel
42. method. A simple network with two GWR-I Routers is illustrated in the diagram below (Figure 66). The idea is to create an IPSec tunnel for LAN-to-LAN (site-to-site) connectivity. Figure 66: IPSec tunnel between two GWR-I Routers. The GWR-I Routers requirements: • Static IP WAN address for tunnel source and tunnel destination address. • Dynamic IP WAN address must be mapped to a hostname with the DynDNS service (for synchronization with the DynDNS server, the SIM card must have internet access). GSM/UMTS APN Type: For GSM/UMTS networks, GWR-I Router connections may require a Custom APN. A Custom APN allows for various IP addressing options, particularly static IP addresses, which are needed for most VPN connections. A custom APN should also support mobile-terminated data that may be required in most site-to-site VPNs. For the purpose of a detailed explanation of IPSec tunnel configuration, two scenarios will be examined, and the network illustrated in Figure 63 will be used for both scenarios. Scenario 1: Router 1 and Router 2, presented in Figure 64, have a firmware version that provides two modes of negotiation in the IPSec tunnel configuration process: • Aggressive • Main. In this scenario, aggressive mode will be used. Configurations for Router 1 and Router 2 are listed below. The GWR-I Router 1 configura
43. of device function. These data are kept in the device's permanent memory. The Device Identity Settings window is shown in Figure 36. Device Identity Settings: This field specifies the name of the GWR-I Router. This field specifies the description of the GWR-I Router (for information purposes only). This field specifies the location of the GWR-I Router (for information purposes only). Click the Save button to save your changes back to the GWR-I Router. Click Reload to discard any changes and reload previous settings. Table 20: Device Identity parameters. Figure 36: Device Identity Settings configuration page (Name, Description, Location). Maintenance - Router Management: On the Administrator Password tab, it is possible to activate and deactivate the device access system through the Username and Password mechanism. Changing the authorization data (Username, Password) is also done within this menu. The Administer Password Tab window is shown in Figure 37. NOTE: The password cannot be recovered if it is lost or forgotten. If the password is lost or forgotten, you have to reset the Router to its factory default settings; this will remove all of your configuration changes. Router Management: Router Password; Enable Password Authentication; User Name: admin; Old Pa
44. packets to initiate a connection until a valid LCP packet is received from the peer, as for the passive option with ancient versions of pppd (Silent Mode). Append domain name: Append the domain name d to the local host name for authentication purposes. Show PAP password in log: When logging the contents of PAP packets, this option causes pppd to show the password string in the log message. Compression Control Protocol negotiation. Time to wait before re-initiating the link (sec): Specifies how many seconds to wait before re-initiating the link after it terminates. The holdoff period is not applied if the link was terminated because it was idle. LCP Echo Failure: If this option is given, pppd will presume the peer to be dead if n LCP echo requests are sent without receiving a valid LCP echo reply. If this happens, pppd will terminate the connection. This option can be used to enable pppd to terminate after the physical connection has been broken (e.g. the modem has hung up) in situations where no hardware modem control lines are available. LCP Echo Interval: If this option is given, pppd will send an LCP echo request frame to the peer every n seconds. Normally the peer should respond to the echo request by sending an echo reply. This option can be used with the lcp-echo-failure option to detect that the peer is no longer connected. Roaming Mode: By enabling t
45. pdf file on the CD that goes with the router. You will find detailed specifications of all commands you can use to configure the router and monitor the router's performance. Management - Remote Management: The Remote Management Utility is a standalone Windows application with many useful options for configuration and monitoring of GWR-I routers. More information about this utility can be found in the other document, Remote_Management.pdf. In order to use this utility, the user has to enable Remote Management on the router (Figure 43). Figure 46: Remote Management (Remote Management Settings: Enable Remote Management, Protocol, Bind to, TCP port, Username, Password; Remote Management Status). Command Line Interface. Enable Remote Management: Enable or disable Remote Management. Protocol: Choose between Geneko and Sarian protocol. Bind to: Specify the interface. TCP port: Specify the TCP port. Username: Specify the username. Password: Specify the password. Click Save to save your changes back to the GWR-I Router. Click Reload to discard any changes and reload previous settings. Table 24: Remote Management parameters. Management - Connection Manager: Enabling Connection Manager will allow the Connection Wizard (located on the setup CD that goes with the router) to guide you step by step through the process of device
46. to Pre-shared Secret. Export the PSK. Max Fragment Size: If you select UDP protocol, whether in connect or wait mode, you must specify Max Fragment Size; the default is 1300 bytes. If you prefer to keep fragmentation disabled, enter 0. DH Group: Choose the DH Group from the following: 786 bits, 1024 bits, 1536 bits, 2048 bits. Remote Host or IP: Specify server IP address or hostname. Redirect Gateway: This option allows usage of the OpenVPN tunnel as a default route. Tunnel Interface Configuration: Pull tunnel interface configuration from server side, or Manual configuration. Specify the IP address of the local VPN tunnel endpoint. Save: Click Save to save your changes back to the GWR Router. After that, the router automatically goes back, and negotiation of the tunnels begins by clicking on the Start button. Table 13: OpenVPN parameters. OpenVPN, Add New Tunnel: Tunnel Number; Tunnel Name; Enable. OpenVPN Settings: Interface Type: TUN; Authenticate Mode: pre-shared secret; Encryption Cipher: BF-CBC (128 bit); Hash Algorithm: RSA-SHA1 (160 bit); Protocol: UDP; Port: 1194; LZO Compression; NAT Rules; Keep Alive; Max Fragment Size: 1300 bytes; Generate PSK; Pre-shared Secret; Paste PSK. Figure 21: OpenVPN configuration page. Local Remote Gro
47. to upgrade its firmware. During this process, do not power off the Router or press the Reset button. Update Firmware - Caution: 1. Upgrading firmware will take a few minutes; please wait and do not turn off the power or press the reset button. 2. Please don't close the window or disconnect the link during the upgrade process. 3. In order to activate the new firmware version, it is necessary that the user performs a system reboot. 4. Clear the browser cache after the firmware update. Figure 40: Update Firmware page (Current firmware version; Select firmware; Reset to factory default after firmware upgrade; Upload). In order to activate the new firmware version, it is necessary that the user performs a system reset. During a firmware version change, the configuration parameters are not changed, and afterwards the system continues to operate with the previous values. Maintenance - Settings Backup: This feature allows you to make a backup file of the complete configuration, or of some part of the configuration, on the GWR-I Router. In order to back up the configuration, you should select the part of the configuration you would like to back up. The list of available options is presented on the image 35. To use the backup file, you need to import the configuration file that you previously exported. Settings Backup: Import Configuration File
48. with Preshared key; Mode: aggressive; Phase 1 DH group: Group 2; Phase 1 Encryption: 3DES; Phase 1 Authentication: SHA1; Phase 1 SA Life Time: 28800; Phase 2 Encryption: 3DES; Phase 2 Authentication: SHA1; Phase 2 SA Life Time: 3600; Preshared Key: 1234567890. Failover: Enable Tunnel Failover: false. Advanced: Compress (Support IP Payload Compression Protocol (IPComp)): false; Dead Peer Detection (DPD): false; NAT Traversal: true; Send Initial Contact Notification: true. Press Save to accept the changes. Figure 89: IPSEC configuration page I for GWR-I Router. Add New Tunnel: Tunnel Number; Tunnel Name: IPsec tunnel; Enable. Local Group Setup: Local Security Gateway Type: SIM Card; Local ID Type: IP Address; IP Address From: SIM 1; Local Security Group Type: Subnet; IP Address: 192.168.10.0; Subnet Mask: 255.255.255.0. Remote Group Setup: Remote Security Gateway Type: IP Only; IP Address: 150.160.170.1; Remote ID Type: IP Address; Remote Security Group Type: Subnet; IP Address: 10.10.10.0; Subnet Mask: 255.255.255.0. IPSec Setup: Key Exchange Mode: IKE with Preshared key; Mode; Phase 1 DH Group: Group2 (1024); Phase 1 Encryption: 3DES; Phase 1 Authentication: SHA1; Phase 1 SA Life Time: 20800 sec; Perfect
49. Figure 110: Multipoint OpenVPN topology. Configuration: 1. The OpenVPN server is in TCP listening mode, and it is reachable from the internet over the static public IP address 134.45.22.1 and TCP port 1194 (the default OpenVPN port). 2. The configuration file on the OpenVPN server is applied in the following way: a. Open any text editor application and make a configuration .txt file. In this example the configuration file looks like this: proto tcp-server (TCP server protocol mode); dev tun (dev tun mode of the OpenVPN server); ifconfig 2.2.2.1 2.2.2.2 (local and remote IP address of the OpenVPN tunnel; both addresses must be within a 255.255.255.252 subnet); dev-node adap1 (selection of the virtual network adapter named adap1); secret key.txt (implementing the file with the pre-shared secret, named key.txt); ping 10 (keepalive); comp-lzo (LZO compression enabled); disable-occ (disable option consistency). b. Save the configuration file in C:\Program Files\OpenVPN\config as a name.ovpn file. This is the OpenVPN configuration file directory, and you can reach it directly through Start menu > OpenVPN, where you get the options: OpenVPN GUI; Uninstall OpenVPN; Add a new TAP-Win32 virtual ethernet adapter; Delete ALL TAP-Win32 virtual ethernet adapters; Generate a static OpenVPN key; OpenVPN configuration file directory; OpenVPN GUI ReadMe; OpenVP
50. Settings Firewall IP Filtering; Settings Firewall MAC Filtering; Settings Serial Port; Settings SMS Remote Control; Maintenance Device Identity Settings; Maintenance Router Management; Maintenance Date Time Settings; Maintenance Update Firmware; Maintenance Settings Backup; Maintenance Default Settings; Maintenance System Reboot; Management Command Line Interface; Management Remote Management; Management Connection Manager; Management Simple Management Protocol (SNMP); GWR-I Router as Internet Router; GRE Tunnel configuration between two GWR-I Routers; GRE Tunnel configuration between GWR I
51. Declaration of conformity. GeneralEkonomik, Hardware Software Engineering. DECLARATION OF CONFORMITY. We hereby declare that following product: COMMUNICATION EQUIPMENT, WIRELESS ROUTER. Model/Type reference: GWR202 XXXXXX, GWR252 XXXXXX, GWR302 XXXXXX, GWR352 XXXXXX, GWR 1202 XXXXXX, GWR 1252 XXXXXX, GWR 1352 XXXXXX (where x can be any combination of numbers or characters and represents non-safety-relevant information). Trade Mark: GENEKO GWR ROUTER. Ratings: Input for GWR routers: 9-12 V, 1A; Input for GWR-I routers: 12-48 V, 1A. Are in conformity with standards harmonised with directives: LVD: IEC 60950-1:2005 (Second Edition) + Am 1:2009; Test report No. T223 0258 11. EMC: EN 301 489-1 V1.8.1 (2008-04), EN 301 489-7 V1.3.1 (2005-11); Test report No. T251 0689 11. R&TTE: Article 10.5 and Annex IV of R&TTE Directive 1999/5/EC; EN 60950-1:2006 + A11:2009, EN 301 489-1 V1.8.1, EN 301 489-7 V1.3.1, EN 301 511 V9.0.2, EN 301 908-1 V3.2.1, EN 301 908-2 V3.2.1; Statement of Opinion No. 1304 R&TTE C251 0119 11. RoHS: EU Directive 2002/95/EC; EU Commission Decision 2005/618/EC, 2005/717/EC, 2005/747/EC, 2006/310/EC, 2006/690/EC, 2006/691/EC and 2006/692/EC; Test report No. T211 0129 08 ER. Year of affixing of CE mark: 2008. Director: Borisav. Place and date: Belgrade, August 08, 2012. GeneralEkonomik, Bul. Despota Stefana 59a, 11000 Belgrade, Serbia. Phone
52. Click on this button to refresh the Status field in the Summary table. Table 11: IPSec Summary. To create a tunnel, click Add New Tunnel button. Depending on your selection, the Local Group Setup and Remote Group Setup settings will differ. Proceed to the appropriate instructions for your selection. [Screenshot: Device 2 Device Tunnel, Add New Tunnel page, with sections Local Group Setup, Remote Group Setup, IPSec Setup and Failover]
53. EPT: forward traffic; REJECT: deny traffic with ICMP error returned; DROP: drop traffic. Reject with: Select the reject type of the rule. The default error message is to send a port unreachable to the host. This field is visible only if selected policy is REJECT. Inverted destination address rule logic. Distributed DoS: This box enables Distributed DoS. Maximum average matching rate: Maximum average matching rate, specified as a number with an optional time unit (second, minute, hour or day); the default is 3/hour. Maximum initial number of packets to match: Maximum initial number of packets to match; this number gets recharged by one every time the limit specified above is not reached, up to this number; the default is 5. Back: Click Back to return on firewall home page. Reload: Click Reload to discard any changes and reload previous settings. Save: Click Save to save your changes back to the GWR Router. Table 14: IP filtering parameters. New rule to firewall table is added. Save changes to table of firewall rules. [Screenshot: Firewall General Settings, Firewall Rules, Add New Rule]
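The two Distributed DoS fields above describe a token bucket: the initial number of packets is the starting credit, and the average rate is how fast credit is recharged. The sketch below is an added example, not code from the manual or the router firmware; it simulates that behaviour for the documented defaults (3/hour, 5 packets). The class and function names are hypothetical, and treating a rate with no unit as per-second is an assumption.

```python
from fractions import Fraction

# Seconds per unit accepted by the "Maximum average matching rate" field.
UNIT_SECONDS = {"second": 1, "minute": 60, "hour": 3600, "day": 86400}


def parse_rate(text):
    """Return the average matching rate in packets per second.

    Accepts "N" or "N/unit". Treating a bare number as per-second is an
    assumption; the manual only says that the time unit is optional.
    """
    number, _, unit = text.strip().partition("/")
    unit = unit.strip().lower() or "second"
    if unit not in UNIT_SECONDS:
        raise ValueError(f"unknown time unit: {unit!r}")
    count = int(number)
    if count <= 0:
        raise ValueError("rate must be a positive integer")
    return Fraction(count, UNIT_SECONDS[unit])


class RateLimitedRule:
    """Token bucket: `burst` is both the initial and the maximum credit."""

    def __init__(self, rate="3/hour", burst=5):
        self.rate = parse_rate(rate)
        self.burst = Fraction(burst)
        self.credit = Fraction(burst)
        self.last_seen = None

    def matches(self, timestamp):
        """Return True if a packet arriving at `timestamp` (seconds) matches."""
        if self.last_seen is not None:
            elapsed = max(timestamp - self.last_seen, 0)
            # Credit recharges at `rate` per second, never above `burst`.
            self.credit = min(self.burst, self.credit + elapsed * self.rate)
        self.last_seen = timestamp
        if self.credit >= 1:
            self.credit -= 1      # a matching packet spends one credit
            return True
        return False              # no credit: the rule does not apply


def simulate(arrivals, rate="3/hour", burst=5):
    """Return one True/False per arrival time (seconds, ascending)."""
    rule = RateLimitedRule(rate, burst)
    return [rule.matches(t) for t in arrivals]


if __name__ == "__main__":
    # Constructed input: one packet per second for an hour (a flood).
    flood = range(3600)
    matched = [t for t, ok in zip(flood, simulate(flood)) if ok]
    print("matching packets at seconds:", matched)
```

With the defaults, a sustained flood gets five matches up front and then one every 20 minutes, so an ACCEPT rule with this option passes at most a handful of new packets per hour and everything else falls through to the remaining rules.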
54. Enable SIM1 SIM2 keepalive: Make some traffic periodically in order to maintain connection active. You can set keepalive interval value in minutes. Ping target: This field specifies the target IP address for periodical traffic generated using ping in order to maintain the connection active. Ping interval: This field specifies ping interval for keepalive option. Advanced ping interval: This field specifies the time interval of advanced ping proofing. Advanced ping wait for a response. Maximum number of failed packets: This field specifies maximum number of failed packets in percent before keepalive action is performed. This menu provides a choice between two possible keepalive actions in case maximum number of failed packets is exceeded. If Switch SIM option is selected, router will try to establish the connection using the other SIM card after the maximum number of failed packets is exceeded. If Current SIM option is selected, router will only restart the PPP connection. Enable SIM1 SIM2 data limit: Enable traffic data limit per SIM. Defines maximum data amount transferred over SIM card. When traffic limit is reached, SIM card can no longer be used for network connection. Traffic limit can be defined in units of KB (from 1 to 1024), MB (from 1 to 1024) or GB (from 1 to 1024). In case of reaching defined data traffic limit, one of two possible actions will be performed. Enable network locking. Persistent connection: This field specifies the timeout fo
55. Figure 11: Network parameters configuration page. Settings: DHCP Server. The GWR-I Router can be used as a DHCP (Dynamic Host Configuration Protocol) server on your network. A DHCP server automatically assigns available IP addresses to computers on your network. If you choose to enable the DHCP server option, all of the computers on your LAN must be set to obtain an IP address automatically from a DHCP server. (By default, Windows computers are set to obtain an IP automatically.) To use the GWR-I Router as your network's DHCP server, click DHCP Server Tab for DHCP Server setup. The GWR-I Router has built-in DHCP server capability that assigns IP addresses and DNS servers to systems that support DHCP client capability. DHCP Server Parameters: DHCP (Dynamic Host Configuration Protocol) allows individual clients (workstations) to obtain TCP/IP configuration at startup from a server. When configured as a server, the GWR Router provides TCP/IP configuration for the clients. To activate DHCP server, click check box Enable DHCP Server. To set up DHCP server, fill in the IP Starting Address and IP Ending Address fields. Uncheck Enable DHCP Server check box to stop the GWR Router from acting as a DHCP server. When unchecked, you must have another DHCP server on your LAN, or else the computers must be manually configured. IP Starting Address: This field specifies the first of the contiguous addresses
56. GE COLLECT
    router no timers basic
Configure interface for RIP protocol:
    router interface greX
    router ip rip send version VERSION
    router ip rip receive version VERSION
Disable rip authentication at all interface:
    Router interface no ip rip authentication mode md5 text
Debug commands:
    router debug rip
    router debug rip events
    router debug rip packet
    router terminal monitor
Settings: VPN Settings. Virtual private network (VPN) is a communications network tunneled through another network and dedicated to a specific network. One common application of VPN is secure communication through the public Internet, but a VPN need not have explicit security features, such as authentication or content encryption. VPNs, for example, can be used to separate the traffic of different user communities over an underlying network with strong security features. A VPN may have best-effort performance, or may have a defined Service Level Agreement (SLA) between the VPN customer and the VPN service provider. Generally, a VPN has a topology more complex than point-to-point. The distinguishing characteristics of VPNs are not security or performance, but that they overlay other network(s) to provide a certain functionality that is meaningful to a user community. Generic Routing Encapsulation (GRE): Originally developed by Cisco, generic routing encapsulation (GRE) is now a st
57. N log file directory; OpenVPN Manual Page; OpenVPN Sample Configuration Files; OpenVPN Web Site; OpenVPN Win32 README. Figure 111: OpenVPN application settings.
c. Generate a static OpenVPN key from the menu above. The file will be automatically saved in the Open VPN configuration file directory. Configuration file and pre-shared key must be in the same directory.
d. If you have more remote locations, every location has to have its own configuration file with a different remote interface IP address and virtual network adapter. You can create a second virtual network adapter by selecting Add a new TAP-Win32 virtual ethernet adapter. The same way you can create the third virtual adapter. Name virtual adapters as adap1, adap2 and adap3. For example, the configuration file for the second remote location can be:
    proto tcp-server
    dev tun
    ifconfig 2.2.2.5 2.2.2.6
    dev-node adap2
    secret key.txt
    ping 10
    comp-lzo
    disable-occ
The only difference to the previous configuration is 2.2.2.5 2.2.2.6 (IP address of local and remote interface) and dev-node adap2. The configuration file for the third remote location is:
    proto tcp-server
    dev tun
    ifconfig 2.2.2.9 2.2.2.10
    dev-node adap3
    secret key.txt
    ping 10
    comp-lzo
    disable-occ
All three configuration files (e.g. Server1.ovpn, Server2.ovpn, Server3.ovpn) have to be saved in the same directory, C:\Program Files\OpenVPN\config. Name of configur
58. Number of retry: 6; Establish connection. Figure 51: Connection Wizard, WAN Settings. After entering the configuration parameters, if you mark option Establish connection, router will start with connection establishment immediately when you press Finish button. If not, you have to start connection establishment manually on the router's web interface. Management: Simple Management Protocol (SNMP). SNMP, or Simple Network Management Protocol, is a network protocol that provides network administrators with the ability to monitor the status of the Router and receive notification of any critical events as they occur on the network. The Router supports SNMP v1/v2c and all relevant Management Information Base II (MIB-II) groups. The appliance replies to SNMP Get commands for MIB-II via any interface and supports a custom MIB for generating trap messages. [Figure 52: SNMP configuration page; fields: Enable SNMP, Get Community, Service Port (User Defined, Default 161), Service Access, SNMP Status] SNMP Settings. Enable SNMP: SNMP is enabled by default. To disable the SNMP agent, click this option to unmark. Get Community: Create the name for a group or community of administrators who can view SNMP data. The default is public. It s
59. [Figure 30: Modbus gateway configuration page; fields: P accept port, Connection timeout; Modbus Serial Settings: Transmission mode, Response timeout, Maximum number of retries; Log Settings: Log level; Status]
Settings: Serial Port 2. Most of the settings related to Serial Port 2 are equivalent to the Serial Port 1 settings. The only difference is in type of connector and serial port standard. Namely, serial port 2 supports RS232 and RS485 4W/RS422 standards; RS485 2W is not supported. Please find the PINOUT of the Serial Port 2 presented on the following image:
    Pin   RS-232 Mode   RS-485 4 Wires Mode
    1     Not Used      Not Used
    2     Not Used      TX
    3     TX output     TX
    4     GND           GND
    5     GND           GND
    6     RX input      RX
    7     Not Used      RX
    8     Not Used      Not Used
Figure 31: Serial Port Settings 2, PINOUT.
Settings: SMS Remote Control. SMS remote control feature allows users to execute a short list of predefined commands by sending SMS messages to the router. GWR-I router series implement following predefined commands: 1. In order to establish PPP connection, user should send SMS containing following string: PPP CONNECT. After the command is executed, router sends a confirmation SMS with OK if the command is executed without errors, or ERROR if something went wrong during the execution of the command. 2. In ord
60. Select EDIT of the rule; Enable: selected; SAVE and exit. 9. WEB traffic is permitted only to 212.62.38.210 from LAN. This rule is an example of traffic filtering in direction from inside to outside. New rule should be added by selecting ADD NEW RULE button. Policy should be configured in following way: Rule name: Allow HTTP from LAN; Enable: selected; Chain: FORWARD; Service: HTTP; Protocol: TCP; Port: 80; Input interface: eth0; Output interface: ppp_0; Source address: Any; Destination address: Any; Packet state: NEW; Policy: ACCEPT. Configuration is shown in following picture. [Figure 131: Outbound rule for WEB access] After configuration is finished, SAVE button should be selected and user is returned to main configuration page. Priority of rule is changed by selecting number in drop
61. [Figure 34: GPIO settings page; each action (Action 1, Action 2) has SMS Settings with SMS header (Hostname, IP address, Date/time) and SMS text] GPIO settings. Enable digital input: Enable or disable digital input on the GWR-I. Low (Action1, Action2): Setup required action when router detects low level on digital input. It is possible to define two separate actions for this event. User can choose between sending an SMS alert on input change to LOW or setting up the digital output HIGH or LOW. High (Action1, Action2): Setup required action when router detects high level on digital input. It is possible to define two separate actions for this event. User can choose between sending an SMS alert on input change to HIGH or setting up the digital output HIGH or LOW. Destination phone 1-3: Specify up to three mobile phone numbers that will receive SMS alert. SMS header: Define the content of SMS header. Following three options are available: Host name (name of the router defined in Device Identity Settings), IP address (IP address of the router) and Date/Time. SMS text: Custom text of SMS message. Save: Click Save button to save your changes back to the GWR-I Router. Reload: Click Reload to discard any changes and reload previous settings. Table 19: GPIO parameters.
62. Figure 21: OpenVPN configuration; Figure 22: OpenVPN network; Figure 24: MAC filtering; Figure 30: Modbus gateway configuration page; Figure 36: Device Identity Settings configuration page; Figure 37: Router Management configuration page; Figure 38: Date/Time Settings configuration page; Figure 41: Export/Import the configuration on the router; Figure 44: System Reboot
63. Select file. Export Configuration File: the item to backup: Network, DHCP, WAN Settings, Route, OpenVPN, IP Filtering, DynDNS, Serial Port, Administrator Password, Date/Time. Figure 41: Export/Import the configuration on the router. Import Configuration File: To import a configuration file, first specify where your backup configuration file is located. Click Browse and then select the appropriate configuration file. After you select the file, click Import. This process may take up to a minute. Restart the Router for the changes to take effect. Export Configuration File: To export the Router's current configuration file, select the part of the configuration you would like to backup and click Export. [Figure 42: File download; browser dialog for opening or saving confFile.bkg] Select the location where you want to store your backup configuration file. By default this file will be called confFile.bkg, but you may rename it if you wish. This process may take up to a minute. Maintenance: Default Settings. Use this feature to clear all o
64. [Figure 26: DynDNS settings; fields: Service, Custom server IP, Custom server port, Hostname, Username, Password, Update cycle, Number of tries, Timeout, Period, Status. Click the Save button to start DynDNS synchronizing.] DynDNS parameters. Enable DynDNS Client: Enable DynDNS Client. Service: The type of service that you are using; try one of: no-ip, dhs, pgpow, dyndns, dyndns-static, dyndns-custom, ods, easydns, dyns, justlinux and zoneedit. Custom Server IP: The server IP to connect to. Custom Server port: The server port to connect to. String to send as host parameter. Defines interval between updates of the DynDNS client. Default and minimum value for all DynDNS services except No-IP service is 86400 seconds. Update cycle value for No-IP service is represented in minutes and minimum is 1 minute. Number of tries (default 1) if network problem. The amount of time to wait on I/O network problem. Time between update retry attempts; default value is 1800. Click Reload to discard any changes and reload previous settings. Click Save to save your changes back to the GWR-I Router. Table 16: DynDNS parameters. Settings: Serial Port 1. Using the router's serial port it is possible to perform serial to ethernet convers
65. Settings: Log level: level 1. When serial port is configured, button SAVE should be selected and STATUS of the service should change to started, like on the picture above. 2. Application settings: In this example the application HW Virtual Serial Port is used, which is installed on a workstation on the central location. When the application is started, on Settings tab the option "HW VSP works as the TCP Server only" should be enabled. [Figure 122: Virtual COM port application; HW Virtual Serial Port, Settings tab] In Virtual Serial Port tab, settings should be following: [Screenshot: HW Virtual Serial Port, Virtual Serial Port tab]
66. WAN Information. Mobile Information: Modem Manufacturer: huawei; Modem Model: EM770W; Modem Serial Number: 357030021311291; Revision: 11.126.07.02.00. Mobile Connection: Operator: YU MOBTEL; Cell ID: AF79; Signal Strength: 51dBm. Mobile Statistics: Protocol: Point-Point Protocol; Activity Time: 05:24:44; WAN Address: 10.110.89.241; PPP Address: 10.64.64.64; Primary DNS Address: 217.65.192.101; Second DNS Address: 217.65.192.102; Data Received: 1912; Data Transmitted: 74934; TX Packets: 1248; also listed: RX Packets, RX Error Packets, RX Dropped Packets, TX Error Packets, TX Dropped Packets. Figure 9: WAN Information. The primary and secondary DNS shown are always the DNS servers assigned by the provider. They are not necessarily used by the router: if Local DNS is configured, it has priority over those DNS servers. Status: Firewall. Firewall Information Tab provides information about active firewall rules divided in three groups: INPUT, FORWARD and OUTPUT chain. Each of these groups has a packet counter which can be cleared with one of three displayed buttons: Reset INPUT, Reset FORWARD and Reset OUTPUT.
Firewall D pkts bytes target prot opt in out source destination 19 1218 ACCEPT o etho 0 0 0 0 0 0 0 0 0 0 state NEW 40 5600 ACCEPT o 2 0 0 0 0 0 0 0 0 0 0 state RELATED ESTABLISHED o 0 ACCEPT tcp pppo 0 0 0
67. WR router. If you cannot use IP address as a peer identifier at one side of the tunnel (private IP subnet), aggressive mode has to be utilized. IPSec Summary and IPSec Settings are briefly displayed in following figures and tables. [Screenshot: Internet Protocol Security, Summary: Tunnels used: 1; Maximum number of tunnels: 5; Add New Tunnel; Log level control. Tunnel 1: Ph1 3DES MD5 2 main, Ph2 3DES MD5 2; Local Group 192.168.1.0 / 255.255.255.0; Remote Group 192.168.2.0. Buttons: Start, Stop, Refresh. Connect: ipsec is trying to establish connection. Wait: ipsec is waiting for other end to connect. Note: Reducing the MTU size on the client side can help eliminate some connectivity problems occurring at the protocol level.] VPN Settings: IPSec Summary. Tunnels used: This is the number of defined IPSec tunnels. Maximum number of tunnels: This is the maximum number of tunnels which can be defined. This field indicates the number of the IPSec tunnel. Name: Field shows the Tunnel Name that you gave to the IPSec tunnel. Enabled: This field shows if tunnel is enabled or disabled. After clicking on Start button, only enabled tunnels will be started. Field indicates status of the IPSec tunnel. Click on Refresh button to see current
68. able syslog saver: Save logs periodically on filesystem. Save log every: Set time duration between two saves. Reload: Click Reload to discard any changes and reload previous settings. Save: Click Save button to save your changes back to the GWR-I Router and enable/disable Syslog. Table 26: Syslog parameters. Logout: The Logout tab is located in the lower left-hand corner of the screen. Click this tab to exit the web-based utility. If you exit the web-based utility, you will need to re-enter your User Name and Password to log in and then manage the Router. Configuration Examples. GWR-I Router as Internet Router: The GWR-I Routers can be used as Internet router for a single user or for a group of users (entire LAN). NAT function is enabled by default on the GWR-I Router. The GWR-I Router uses Network Address Translation (NAT), where only the mobile IP address is visible to the outside world. All outgoing traffic uses the GWR-I Router mobile IP address. [Figure 54: GWR-I Router as Internet router]
- Click Network Tab to open the LAN NETWORK screen. Use this screen to configure LAN TCP/IP settings. Configure IP address and Netmask: IP address: 10.1.1.1; Netmask: 255.255.255.0.
- Press Save to accept the changes.
- Use SIM card with a dynamic/static IP address obtained from Mobile Operator. Note: the default gateway may show or change to
69. al Parameters. Directive 2004/108/EC (EMC): EN 301 489-1 V1.6.1 (2005-09); EN 60950-1:2001 1st Ed. and/or EN 60950-1:2001. Complies with standards: Directive 1999/05/EC (R&TTE): ETSI EN 301 511 V9.0.2, EN 301 908-1 & EN 301 908-2 v2.2.1. Directive 2002/95/EC (RoHS): EU Commission 2005/618/EC, 2005/717/EC, 2005/747/EC, 2006/310/EC, 2006/690/EC, 2006/691/EC and 2006/692/EC. Ethernet interface: Connector: RJ-45; Standard: IEEE 802.3; Physical layer: 10/100Base-T; Speed: 10/100Mbps; Mode: full or half duplex. Other interfaces: 1 x RS-232C, RS485 4W, RS422 (RJ45), 15KV ESD protection; 1 x RS-232C, RS485 4W, RS422, RS485 2W (DB9), 15KV ESD protection; 1 x digital input 0-48VDC, 1.5KV isolation; 1 x digital output 700mA, 60VDC, 1.5KV isolation. RF characteristics: GWR I202 (GPRS): Tri-band 900/1800/1900; GPRS multi-slot class 10, mobile station class B; GPRS DL 85.6Kbps, UL 42.8Kbps. GWR I252 (GPRS, EDGE): Quad band GSM 850/900/1800/1900MHz; GPRS/EDGE multi-slot class 12, mobile station class B; EDGE DL 236.8Kbps, UL 236.8Kbps; GPRS DL 85.6Kbps, UL 85.6Kbps. GWR I352: UMTS/HSDPA/HSUPA Quad band 850/900/1900/2100MHz; GSM/GPRS/EDGE Quad band 850/900/1800/1900MHz; GPRS/EDGE multi-slot class 12, mobile station class B; HSUPA DL 7.2Mbps, HSDPA UL 5.76Mbps; UMTS DL 384Kbps, UL 384Kbps; EDGE DL 236.8Kbps, UL 236.8Kbps; GPRS DL 85.6Kbps, UL 85.6Kbps. RF Connector: SMA, 50Ω. Ethernet activity network traffic
70. andard defined in RFC 1701, RFC 1702 and RFC 2784. GRE is a tunneling protocol used to transport packets from one network through another network. If this sounds like a virtual private network (VPN) to you, that's because it theoretically is. Technically, a GRE tunnel is a type of a VPN, but it isn't a secure tunneling method. However, you can encrypt GRE with an encryption protocol such as IPSec to form a secure VPN. In fact, the point-to-point tunneling protocol (PPTP) actually uses GRE to create VPN tunnels. For example, if you configure Microsoft VPN tunnels, by default you use PPTP, which uses GRE. Solutions where you can use the GRE protocol:
- You need to encrypt multicast traffic. GRE tunnels can carry multicast packets just like real network interfaces, as opposed to using IPSec by itself, which can't encrypt multicast traffic. Some examples of multicast traffic are OSPF and EIGRP. Also, a number of video, VoIP and streaming music applications use multicast.
- You have a protocol that isn't routable, such as NetBIOS, or non-IP traffic over an IP network. You could use GRE to tunnel IPX/AppleTalk through an IP network.
- You need to connect two similar networks connected by a different network with different IP addressing.
Click VPN Settings Tab to open the VPN configuration screen. In Figure 16 you can see a screenshot of the GRE Tab configuration menu. VPN Settings: GRE Tunneling Parameters. Label / Description: Enable: This
71. ation file is name of your OpenVPN tunnel.
e. Workstation where OpenVPN server is installed should have an IP route to the subnet which is on the other end of the OpenVPN tunnel. This subnet is reachable over the remote OpenVPN interface, which is in this case 2.2.2.2. Enter following commands in the command prompt:
    route -p add 192.168.11.0 mask 255.255.255.0 2.2.2.2     (first remote location)
    route -p add 192.168.12.0 mask 255.255.255.0 2.2.2.6     (second remote location)
    route -p add 192.168.13.0 mask 255.255.255.0 2.2.2.10    (third remote location)
2. GWR-I router is configured with SIM card which has internet access. Configuration of OpenVPN is following: Add New Tunnel: Tunnel Number: 1; Tunnel Name: Test; Enable. OpenVPN Settings: Interface Type: TUN; Authenticate Mode: pre-shared secret; Encryption Cipher: BF-CBC (128 bit); Hash Algorithm: RSA-SHA1 (160 bit); Protocol: UDP connect; UDP Port: 1194; LZO Compression; NAT Rules; Keep Alive; Ping Interval: 30 sec; Ping Timeout: 60 sec; Max Fragment Size: 1300 bytes; Generate PSK; Pre-shared Secret; Paste PSK. Caution: On some GSM/UMTS networks recommended time for Keepalive Ping Interval is greater than 10 seconds. Local/Remote Group Settings: Remote Host or IP Address: 134.55.22.1; Redirect Gateway; Tunnel Interface
72. ays 255.255.255.252. Tunnel Source: IP address of tunnel source. Tunnel Destination: IP address of tunnel destination. Period: valid values 3-60. Retries: valid values 1-10. Figure 60: GRE configuration page for GWR-I Router 2.
- Configure GRE Route. Click Routing on Settings Tab. Parameters for this example are: Destination Network: 192.168.4.0; Netmask: 255.255.255.0. [Figure 61: Routing configuration page for GWR-I Router 2; Routing Table Settings, current static routes]
- Optionally configure IP Filtering and TCP service port settings to block any unwanted incoming traffic.
- On the device connected on GWR-I router 2, set up default gateway 192.168.2.1.
GRE Tunnel configuration between GWR-I Router and third party router. GRE tunnel is a type of a VPN tunnel, but it isn't a secure tunneling method. However, you can encrypt GRE packets with an encryption protocol such as IPSec to form a secure VPN. On the diagram below (Figure 62) a simple network with two sites is illustrated. Idea is to create GRE tunnel for LAN to LAN
73. cellent. Signal quality is not known or not detectable: running LED. Signal strength LED will blink when GPRS/EDGE/HSPA/HSPA+/LTE connection is not active. When connection is active, Signal strength LED is on. Reset condition will be indicated by blinks of the first and last Signal strength LED. When signal quality is not known or not detectable, there will be running LED indication. Figure 2: GWR-I Router front panel. Top Panel: On the top panel following connectors are located:
- SMA connector for connection of the GSM/UMTS antenna
- Grounding connector
- 1 x digital input 0-48VDC, 1.5KV isolation
- 1 x digital output 700mA, 60VDC, 1.5KV isolation
- Detachable screw terminal for 9-48VDC power supply
- Reset button
The Reset button can be used for a warm reset or a reset to factory defaults. Warm reset: If the GWR-I Router is having problem connecting to the Internet, press and hold the reset button for a second using the tip of a pen. Reset to Factory Defaults: To restore the default settings of the GWR-I Router, hold the RESET button pressed for a few seconds. Restoration of the default configuration will be signaled by blinks of the first and last signal strength LED on the top panel. This will restore the factory defaults and clear all custom settings of the GWR-I Router. You can also reset the GWR-I Router to factory defaults using the Maintenance g
74. coming packets When PPPO interface is selected Destination IP and Netmask are predefined to WAN IP and subnet 32 and cannot be changed On the following picture are marked traffic flows stated above USER MANUAL 112 GWR I Industrial Cellular Router Series WEB to authentication server 192 168 1 5 SSH access to 192 168 1 2 Q 192 168 1 2 22 WEB access to 192 168 1 3 192 168 1 3 80 el Access to 192 168 1 4 192 168 1 4 y zad Figure 117 Portforwarding example Portforwarding is configured on the ROUTING page selected from the main menu Configuration of the examples described above is presented in the following picture D Forwarding Enable Network Address Translation NAT Forward TCP UDP connections from external networks to the following internal devices Enable Protocol Source Netmask Destination IP Destination Netmask Destination Port Forward to IP Forward to port Acti Source IP TCP 172 27 234 0 255 255 255 0 TCP TCP ei 192 168 1 5 255 255 255 255 0 0 0 0 0 0 0 0 5022 192 168 1 2 192 168 1 3 8060 300 400 192 168 1 4 212 62 49 109 TCP amp Destination Port can also be defined as a range e g 2025 2027 which means destination ports are 2025 2026 and 2027 Figure 118 GWR
75. d IKE Phase 2 negotiation will generate new key material for IP traffic encryption and authentication, so hackers using brute force to break encryption keys will not be able to obtain future IPSec keys. Both ends of the IPSec tunnel must enable this option in order to use the function Perfect Forward Secrecy. If the Perfect Forward Secrecy feature is disabled, then no new keys will be generated, so you do not need to set the Phase 2 DH Group. There are three groups of different prime key lengths: Group 1 is 768 bits, Group 2 is 1024 bits, and Group 5 is 1536 bits long. If network speed is preferred, select Group 1. If network security is preferred, select Group 5. You do not have to use the same DH Group that you used for Phase 1, but both ends of the IPSec tunnel must use the same Phase 2 DH Group. Phase 2 is used to create one or more IPSec SAs, which are then used to key IPSec sessions. Select a method of encryption: NULL, DES (56-bit), 3DES (168-bit), or AES-128 (128-bit). It determines the length of the key used to encrypt or decrypt ESP packets. AES-128 is recommended because it is the most secure. Both ends of the IPSec tunnel must use the same Phase 2 Encryption setting. NOTE: If you select a NULL method of encryption, the next Phase 2 Authentication method cannot be NULL, and vice versa. Select a method of authentication: NULL, MD5, or SHA1. The authentication method determines how the ESP packets are validated. MD5 is a one way hash
76. d to IP_ Forward to port Interface Action Toes 0 1 J1 1 J ew my aa Figure 14 Routing configuration page USER MANUAL 29 E eneko GWR I Industrial Cellular Router Series Use this menu to setup all routing parameters Administrator can perform following operations e Create Edit Remove routes including default route e Port translation Reroute TCP and UPD packets to desired destination inside the network Routing Settings Label Description Routing Table Enable This check box allows you to activate deactivate this static route Source IP address from which portforwarding is allowed all other traffic is denied Subnet mask for allowed IP subnet This parameter specifies the IP network address of the final destination Routing is always based on network number If you need to specify a route to a single host use a subnet mask of 255 255 255 255 in the subnet mask field to force the network number to be identical to the host ID This parameter specifies the IP netmask address of the final destination This is the IP address of the gateway The gateway is a router or switch next hope on the same network segment as the device s LAN or WAN port The gateway helps forward packets to their final destinations For every routing rule enter the IP address of the gateway Please notice that ppp0 interface has only one default gateway provided by Mobi
77. de of IPSec tunnel which sends requests for establishing of the IPSec tunnel If connection mode Wait is selected that indicates side of IPSec tunnel which listens and responses to IPSec establishing requests from Connect side Internet Protocol Security 7 Help Summary Tunnels used Maximum number of tunnels Add New Tunnel Log level control Mol Name Enabled Status _Enc Auth Grp Local Group Remote Group 1 IPsec tunnel stopped Ph1 3DES MD5 2 Ph2 3DES MD5 2 main 10 0 10 0 Ni EE Bee eee Delete Connect wai Reducing the MTU size on the clientside can help eliminate some connectivity problems occurring at the protocol level Start Stop Refresh Recommended MTU size on client side is 1300 Tunnel status description started stopped connecting waiting for connection established ipsec is running ipsec is not running or tunnel is not enabled ipsec is trying to establish connection ipsec is waiting for other end to connect tunnel is up Figure 81 IPSec start stop page for GWR I Router 1 USER MANUAL 89 5 senexo GWR I Industrial Cellular Router Series Click Start button and after that Connect button on Internet Protocol Security page to initiate IPSEC tunnel e On the device connected on GWR I router 1 setup default gateway 10 0 10 1 The GWR I Router 2 configuration e Click Network Tab to open the LAN NETWORK screen Use this screen to confi
78. dkey 1234567890 Local ID 150 160 170 1 VPNs gt AutoKey Advanced gt Gateway gt Edit SSG140RBGE H Gateway Name TestGWR Security Level standard O Compatible O Basic Custom Remote Gateway Type Static IP Address IP Address Hostname Dynamic IP Address Peer ID 172 30 147 96 SE le A Group None v Use As Seed CL Local 10 optional Outgoing Interface ethernet0 2 EE EA RW B e e L S CR B e e e i Figure 102 Gateway parameters e Click Advanced button Security level User Defined custom Phase 1 proposal pre g2 3des sha Mode Agressive must be aggressive because of NAT Nat Traversal enabled Click Return and OK VPNs gt AutoKey Advanced gt Gateway gt Edit SSG140RBGE al Ge Juniper SSG 140 Predefined standard Compatible Basic User Defined Custom Phase 1 Proposal s a pre g2 3des sha v None K T None None t Mode Initiator main ID Protection Aggressive V Enable NAT Traversal UDP Checksum CJ Keepalive Frequency Seconds 0 300 Sec Peer Status Detection Oea Hello 0 Seconds 1 3600 0 disable Reconnect Seconds 60 9999 Sec Threshold 5 H C SE Interval Seconds 3 28800 0 disable E Retry 5 1 128 R Always Send _ E Preferred Certificate optional F Local Cert None a Peer CA None v E Peer typ
79. dvanced ping wait for response 5 Maximum number of failed packets 40 more restrictive condition compared to SIM1 Keepalive action switch SIM Connection settings rennen conmectan Rehant after failed connections Enable SiM 1 keepakye Hem Lord HEHE He internal Tell Advanced ping interval 10 seg Advanced ping ait for a response 5 Ser Maximum number of failed packets ag S keepalme action mareh GM sp Ml Enable Sihi 3 keapative Pang target ALEATE EA Ping interval 120 Ahani piriy interval 10 Get Zeche mmm wail for a sponsi PH Minimum number of Ierd packels 10 B Keenalteg atian eaitch Sih M Enable EM 1 data liri Cl Enable SIM 2 data Ermi SM 1 cormection type Auo k SM 2 connection type Aua bk Figure 134 Configuration page for GSM keepalive USER MANUAL 126 E Geneko GWR I Industrial Cellular Router Series Apendix A How to Achieve Maximum Signal Strength with GWR I Router The best throughput comes from placing the device in an area with the greatest Received Signal Strength Indicator RSSI RSSI is a measurement of the Radio Frequency RF signal strength between the base station and the mobile device expressed in dBm The better the signal strength the less data retransmission and therefore better throughput RSSI information is available from several sources e The LEDs on the device give a general indication e Via the GWR I Router local user interface Signal strength LED indicator e 101 o
80. e DNS server or other machine on network. Click Diagnostic tab to provide basic diagnostic tool for testing network connectivity. Insert valid IP address in Hostname box and click Ping. Every time you click Ping, router sends four ICMP packets to destination address. Before using this tool, make sure you know the device or host's IP address. [Figure 39: Diagnostic page] Maintenance: Update Firmware. You can use this feature to upgrade the GWR-I Router firmware to the latest version. If you need to download the latest version of the GWR-I Router firmware, please visit Geneko support site. Follow the on-screen instructions to access the download page for the GWR-I Router. If you have already downloaded the firmware onto your computer, click Browse button on Update firmware Tab to look for the firmware file. After selection of new firmware version through Browse button mechanism, the process of data transfer from firmware to device itself should be started. This is done by Upload button. The process of firmware transfer to the GWR-I device takes a few minutes, and when it is finished the user is informed about transfer process success. NOTE: The Router will take a few minutes
81. e IPSEC tunnel NOTE Firmware version used in this scenario also provides options for Connection mode of IPSec tunnel If connection mode Connect is selected that indicates side of IPSec tunnel which sends requests for establishing of the IPSec tunnel If connection mode Wait is selected that indicates side of IPSec tunnel which listens and responses to IPSec establishing requests from Connect side Internet Protocol Security Summary Tunnels used 1 Maximum number of tunnels 5 Add New Tunnel Log level control v Nal Name Enabled Status _Enc Auth Grp Local Group Remote Group Remote Gateway Action 1 Connection mode _ Ph1 3DES MD5 2 aggressive 10 0 10 0 Reducing the MTU size on the clientside can help eliminate some connectivity problems occurring at the protocol level Start Stop Refresh Recommended MTU size on client side is 1300 Tunnel status description started ipsec is running stopped ipsec is not running or tunnel is not enabled connecting ipsec is trying to establish connection waiting for connection ipsec is waiting for other end to connect established tunnel is up Figure 71 IPSec start stop page for GWR I Router 1 Click Start button and after that Connect button on Internet Protocol Security page to initiate IPSEC tunnel e On the device connected on GWR I router 1 setup default gateway 10 0 10 1 The GWR I Router 2 configuration e Click Network Tab to open the LAN
82. e X509 SIG ze It C use Distinguished Name for Peer ID File kel ieee Sa l Organization d Location B S State Country dk 1 E GE e di E Figure 103 Gateway advanced parameters USER MANUAL 103 E Geneko GWR I Industrial Cellular Router Series Step 3 Create AutoKey IKE e Click VPNs in main menu Click AutoKey IKE e Click New button VPNs gt AutoKey IKE SSG140RBGE H List 20 7 rer page SSG 140 z Dialup ew on m TestGWR TestGWR Custom off Edit Remove VPNtoUSSD GW VPNtoUSSD Custom off Edit Remove Figure 104 AutoKey IKE AutoKey IKE parameters are VPNname TestGWR Security level Custom Remote Gateway Predefined Choose VPN Gateway from step 2 ee Juniper SSG 140 Figure 105 AutoKey IKE parameters e Click Advanced button Security level User defined custom Phase 2 proposal pre g2 3des sha Bind to Tunnel interface tunnel 3 from step 1 Proxy ID Enabled LocalIP netmask 10 10 10 0 24 USER MANUAL 104 E Geneko GWR I Industrial Cellular Router Series RemoteIP netmask 192 168 10 0 24 Click Return and OK VPNs gt AutoKey IKE gt Edit SSG140RBGE Security Level Predefined standard Compatible Basic User Defined Custom Phase 2 Proposal g2 esp 3des sha E None None v None v Replay Protection Transport Mode _ For L2TP over IPSec only Bind to O None Tunnel Interface O Tunnel
83. e telnet protocol on the port to set up telnet parameters Enable local echo Enable the local echo feature Enable timeout After defined period of inactivity port is closed default is 1 hour mj vy g gt S wd a T S 3 S L bad _ S CG gt sl 3 2 h o S O h Check TCP connection Enable connection checking Keepalive idle time Set keepalive idle time in seconds Keepalive interval Set time period between checking EE USER MANUAL 50 E Geneko GWR I Industrial Cellular Router Series Log level Set importance level of log messages Click Reload to discard any changes and reload previous settings Gane Click Save button to save your changes back to the GWR I Router and activate deactivate serial to Ethernet converter Table 17 Ser2IP parameters Click Serial Port Tab to open the Serial Port Configuration screen Use this screen to configure the GWR I Router serial port parameters Serial Port 1 Serial Port 1 Settings General Settings Disable all 5 Serial port over TCP UDP settings Modbus gateway settings Serial Port 1 Settings Standard RS 232 v Bits per second 115200 Data bits 8 v Parity none v Stop bits 1 v Flow control none Protocol TCP k Mode client vj Server IP address Connect to TCP port Type of socket raw s CI Enable local echo CI Enable timeout sec Kee
84. e to initiate IPSEC tunnel Internet Protocol Security Summary Tunnels used Maximum number of tunnels Add New Tunnel Log level control v Mo Name Enabled Status 1 Enc Auth Grp Local Group Soe etree Ge e Gene Phi SDES SHA1 2 aggressive 192 168 10 0 10 10 10 F SS DEER Reducing the MTU size on the client side can help eliminate some connectivity problems occurring atthe protocol level Stop Recommended MTU size on client side is 1300 Tunnel status description started ipsec is running stopped ipsec is not running or tunnel is not enabled connecting ipsec is trying to establish connection waiting for connection ipsec is waiting for other end to connect established tunnel is up Figure 98 IPSec start stop page for GWR I Router e On the device connected on GWR router setup default gateway 192 168 10 1 The Juniper SSG firewall configuration Step1 Create New Tunnel Interface e Click Interfaces on Network Tab Network gt Interfaces List SSG140RBGE al List 20 V per page List ALL 14 Interfaces Tunnell e ethernet0 0 10 0 0 250 24 Trust Layer3 Edit E ethernet0 1 Layer3 Edit ethernet0 2 Untrust Layer3 Edit ethernet0 3 10 0 10 254 24 Trust Layer3 Up Edit ethernet0 4 0 0 0 0 0 Null Unused Dovm Edit ethernet0 5 0 0 0 0 0 Null Unused Dovm Edit ethernet0 6 0 0 0 0 0 Null Unused D
85. ec initiators show crypto ipsec sa Displays the IPsec SAs which have been set up between the IPsec initiators debug crypto isakmp Displays messages about Internet Key Exchange IKE events debug crypto ipsec Displays IPsec events debug crypto engine Displays crypto engine events IPSec Tunnel configuration between GWR I Router and Juniper SSG firewall IPSec tunnel is a type of a VPN tunnels with a secure tunneling method On the diagram below Figure 90 is illustrated simple network with GWR I Router and Cisco Router Idea is to create IPSec tunnel for LAN to LAN site to site connectivity USER MANUAL 97 E Geneko GWR I Industrial Cellular Router Series Private Static WAN Public Static WAN 172 30 147 96 antes 150 160 170 1 fiket Juniper 55G firewall nitatoa VPN terminator LAN 192 168 10 1 LAWN 10 10 10 1 LAN 192 168 10 x LAN 10 10 10 x Gateway 192 168 10 1 Gateway 10 10 10 1 Figure 93 IPSec tunnel between GWE I Router and Cisco Router The GWR I Routers requirements e Static IP WAN address for tunnel source and tunnel destination address e Source tunnel address should have static WAN IP address e Destination tunnel address should have static WAN IP address GSM UMTS APN Type For GSM UMTS networks GWR I Router connections may require a Custom APN A Custom APN allows for various IP addressing options particularly static IP addresses which are needed for
86. ect predefined rule number 3. Configuration page like on picture below is shown. [Figure 126: Filtering of Telnet traffic. Firewall Rules form for the rule "Deny TELNET on ppp_0": Chain INPUT, Service TELNET, Protocol TCP, Port 23, Source address Any, Destination address Any, Packet state NEW, Policy REJECT, Reject with icmp port unreachable.] ENABLE option should be selected to have this rule active. To deny Telnet traffic, POLICY should be changed from ACCEPT to REJECT. ICMP error message type can be selected when policy reject is selected. After that, SAVE button should be pressed and user is returned to main configuration page. 2. ICMP traffic is denied from all IP addresses except 212.62.38.196. New rule should be added by selecting ADD NEW RULE button. Policy should be configured in following way: Rule name: Deny PING to ppp_0 interface; Enable: selected; Chain: INPUT; Service: Custom; Protocol: ICMP; ICMP Type: echo request; Input interface: ppp_0; Source address: Single IP 212.62.38.196; Inverted source address rule logic: selected; Destination address: Any; Packet state: NEW; Policy: REJECT
87. een after Connection Wizard inspects the network whole broadcast domain you ll see a list of routers present in the network with following information Serial number Model USER MANUAL 66 5 cenexo Ethernet IP Firmware version GWR I Industrial Cellular Router Series Pingable if Ethernet IP address of the router is in the same IP subnet as PC interface then this field will be SE i e you can access router over web interface Connectic g4 GW Geneko Wireless Router Connection Wizard Seral Mo Model Firmware version 3570300274637 GWR352 192 168 10 1 2 152923 F452 raz 357030027461397 192 168 5 116 21929 23 35 raz 7 mmm Figure 49 Connection Wizard Router Detection When you select one of the routers from the list and click Next you will get to the following screen USER MANUAL 67 E Geneko GWR I Industrial Cellular Router Series Geneko Wireless Router Connection Wizard IP address 192 168 10 1 Subnet mask 255 755 755 0 gt cenexo Figure 50 Connection Wizard LAN Settings If you selected to configure LAN and WAN interface click upon entering LAN information click Next and you will be able to setup WAN interface 4 GWR Connection Wizard a a l a_i el eS Geneko Wireless Router Connection Wizard WAN Settings V Enabled Provider Telekom Authentication PAP CHAP Usemame mts 064 Dial string ATD 99 1 Initial string at cgdcont 1 IP genekogwr
88. er The DHCP server will ignore an exclusion that does not meet this requirement Figure 12 DHCP Server configuration page USER MANUAL 24 E Geneko GWR I Industrial Cellular Router Series Settings WAN Setting Click WAN Settings Tab to open the Wireless screen Use this screen to configure the GWR I Router GPRS EDGE HSPA HSPA LTE parameters Figure 13 WAN Settings am 11 Samu Enabled Enabled Provider telenor Provider telenor Authentication PAP Authentication PAP Username geneko Username geneko Password geneko Password geneko APN internet APN internet Dial string ATD 991 Dial string ATD 99 14 Number of retry 6 Number of retry 6 LIPIN enabled LIPIN enabled CJ Enable network locking C Enable network locking C Enable failover after hs mins Connection settings Persistent connection Cl Reboot after failed connections CJ Enable SIM 1 keepalive Cl Enable SIM 2 keepalive CJ Enable SIM 1 data limit Cl Enable SIM 2 data limit SIM 1 connection type Only GSM v SIM 2 connection type Only GSM v Mobile status Mobile device Mobile provider ENT7OW EDGE Atached elei Current SIM card SIM 1 Current WAN address 172 27 234 26 Connection up time 01 04 25 Connection status connected Figure 13 WAN Settings configuration page WAN Settings This field specifies name of GSM UMTS ISP You can setup any name for Provider provider This field s
89. er functionalities by SMS Remote management and monitoring software Additional software for management and control of large number of remote GWR GWER I routers Detailed system log Advanced monitoring and diagnostics of the device Default reset Reset the router to a factory default settings Firmware upload Upgrade the firmware version on the router Configuration Export Import Partial or Full Export Import of router configuration Table 2 GWR I Router features USER MANUAL 12 E Geneko GWR I Industrial Cellular Router Series Product Overview Front panel On the front panel Figure 2 the following connectors are located e one RJ45 connector Ethernet port for connection into local computer network e one RJ45 connector for RS232 serial communication e one DB9 connector for RS232 422 485 serial communication e reset button Ethernet connector LED e ACT yellow on Network traffic detected off when no traffic detected e Network Link green LED on Ethernet activity or access point engaged LED Indicator Description 1 Reset red LED on the GWR I Router reset state 2 Power status green LED on Power supply Power status LED will blink when the GWR Router is in initializing state 3 Link red LED will blink when connection is active 4 Signal strength LED indicator e 107 to 98 dBm Weak LED I e 98 to 80 dBm Moderate LED II e 80 or better dBm Ex
90. er to disconnect the router from PPP, user should send SMS containing following string: PPP DISCONNECT. After the command is executed, router sends a confirmation SMS with OK if the command is executed without errors, or ERROR if something went wrong during the execution of the command. 3. In order to reestablish (reconnect) the router's PPP connection, user should send SMS containing following string: PPP RECONNECT. After the command is executed, router sends a confirmation SMS with OK if the command is executed without errors, or ERROR if something went wrong during the execution of the command. 4. In order to obtain the current router status, user should send SMS containing following string: PPP STATUS. After the command is executed, router sends one of the following status reports to the user: CONNECTING, CONNECTED WAN_IP WAN IP address of the router, DISCONNECTING, DISCONNECTED. 5. In order to establish PPP connection over the other SIM card, user should send SMS containing following string: SWITCH SIM. After the command is executed, router sends a confirmation SMS with OK if the command is executed without errors, or ERROR if something went wrong during the execution of the command. 6. In order to restart whole router, user should send SMS containing following string: REBOOT. After the command is executed, router sends a confirmation SMS with OK if the command is executed without errors or
91. ers necessary for GSM UMTS connection All parameters necessary for connection configuration should be required from mobile operator e Check the status of GSM UMTS connection WAN Settings Tab If disconnected please click Connect button e Click VPN Settings gt GRE to configure GRE tunnel parameters Enable yes Local Tunnel Address 10 10 10 1 Local Tunnel Netmask 255 255 255 252 Unchangeable always 255 255 255 252 Tunnel Source 10 251 49 2 select HOST from drop down menu if you want to use host name as peer identifier Tunnel Destination 10 251 49 3 select HOST from drop down menu if you want to use host name as peer identifier KeepAlive enable no Period none Retries none Press ADD to put GRE tunnel rule into GRE table Press Save to accept the changes VPN Settings GRE Generic Routing Encapsulation GRE Tunneling Enable Local Tunnel Address Local Tunnel Netmask KeepAlive Enable Retries Action 10 10 10 255 255 255 252 10 251 49 2 mm los Oo Rem e e tual tunnel interface Local Tunnel Netmask Unchangeable always 255 255 255 252 Reload Save unne ource a T T Period Valid values 3 60 Retries Valid values 1 10 Figure 57 GRE configuration page for GWR I Router 1 e Click Routing on Settings Tab to configure GRE Route Parameters for this example are Destina
92. f your configuration information and restore the GWR-I Router to its factory default settings. Only use this feature if you wish to discard all the settings and preferences that you have configured. Click Default Setting to have the GWR-I Router with default parameters. Keep network settings check box allows user to keep all network settings after factory default reset. System will be reset after pressing Restore button. [Figure 43: Default Settings page. On-screen warning: be careful when restoring factory default settings; the factory settings will clear all current settings and reboot the system.] Maintenance: System Reboot. If you need to restart the Router, Geneko recommends that you use the Reboot tool on this screen. Click Reboot to have the GWR-I Router reboot. This does not affect the router's configuration. [Figure 44: System Reboot page. On-screen text: click reboot button if you want to reboot the system; the reboot process needs about 1 minute to complete.] Management: Command Line Interface. CLI (command line interface) is a user text-only interface to a computer's operating system or an application, in which the user responds to a visual prompt by typing in a command on a specified line and then receives a response back from the system. In other words, it is a method of instructing a computer to perform
93. following IPSec modes can be chosen: MAIN or AGGRESSIVE. Phase 1 is used to create the SA. DH (Diffie-Hellman) is a key exchange protocol used during Phase 1 of the authentication process to establish pre-shared keys. There are three groups of different prime key lengths: Group 1 is 768 bits, Group 2 is 1024 bits, and Group 5 is 1536 bits long. If network speed is preferred, select Group 1. If network security is preferred, select Group 5. Select a method of encryption: DES (56-bit), 3DES (168-bit), or AES-128 (128-bit). The method determines the length of the key used to encrypt or decrypt ESP packets. AES-128 is recommended because it is the most secure. Make sure both ends of the IPSec tunnel use the same encryption method. Phase 1 Authentication: select a method of authentication, MD5 or SHA1. The authentication method determines how the ESP packets are validated. MD5 is a one-way hashing algorithm that produces a 128-bit digest. SHA1 is a one-way hashing algorithm that produces a 160-bit digest. SHA1 is recommended because it is more secure. Make sure both ends of the IPSec tunnel use the same authentication method. Configure the length of time IPSec tunnel is active in Phase 1. The default value is 28800 seconds. Both ends of the IPSec tunnel must use the same Phase 1 SA Life Time setting. If the Perfect Forward Secrecy (PFS) feature is enable
94. g this feature firstly you should register to DDNS service provider Firewall e NAT e PAT e IP filtering IP address Network filtering Serial to IP Modbus RTU to TCP gateway Modbus to Ethernet converter Serial to Ethernet converter GRE Keepalive Generic Routing Encapsulation is a tunneling protocol that can encapsulate a wide variety of network layer protocol packet types inside IP tunnels Keepalive for GRE tunnels IPSec pass through ESP tunnels IPsec Internet Protocol Security is a suite of protocols for securing IP communications by authenticating and encrypting each IP packet of a data stream OpenVPN OpenVPN site to site graphical user interface GUI implementation allows connecting two remote networks via USER MANUAL 11 G Geneko GWR I Industrial Cellular Router Series point to point encrypted tunnel OpenVPN implementation offers a cost effective simply configurable alternative to other VPN technologies IPSec IKE failover Feature that allows a user to specify number of unsuccessful retries to establish PPP connection before routers switches to another SIM IPSec tunnel failover Quality control mechanism of IPSec tunnel Management WEB Application HTTP based Command Line Interface Serial console telnet and SSH GWR connection wizard Initial setup utility SMS Control Control the basic rout
95. gure LAN TCP IP settings Configure IP address and Netmask IP Address 192 168 10 1 Subnet Mask 255 255 255 0 Press Save to accept the changes Network Network Settings IP Address Subnet Mask Primary Local DNS Secondary Local DNS Local Gateway Use the following IP address 192 168 10 1 255 255 255 0 C C aution Changes to IP address subnet mask and local DNS require a reboot to take effect efully Router becomes unreachable from local subnet when this option is enabled Reload Save ut aution Use local gateway option car Figure 82 Network configuration page for GWR I Router 2 e Use SIM card with a static IP address obtained from Mobile Operator e Click WAN Settings Tab to configure parameters necessary for GSM UMTS connection All parameters necessary for connection configuration should be required from mobile operator e Check the status of GSM UMTS connection WAN Settings Tab If disconnected please click Connect button e Click VPN Settings gt IPSEC to configure IPSEC tunnel parameters Click Add New Tunnel button to create new IPSec tunnel Tunnel parameters are e Add New Tunnel Tunnel Name IPsec tunnel Enable true e IPSec Setup Keying Mode IKE with Preshared key Mode main Phase 1 DH group Group 2 Phase 1 Encryption 3DES Phase 1 Authentication MD5 Phase 1 SA Life Time 28800 Perfect Forward Secrecy true Phase 2 DH
96. h SIM try to establish the connection using the other SIM card Click Refresh to see updated mobile network status Click Connect Disconnect to connect or disconnect from mobile network Table 6 WAN parameters Figure 13 shows screenshot of GSM UMTS tab configuration menu GSM UMTS menu is divided into two parts e Upper part provides all parameters for configuration GSM UMTS connection These parameters can be obtained from Mobile Operator Please use exact parameters given from Mobile Operator e Bottom part is used for monitoring status of GSM UMTS connection create maintain destroy GSM UMTS connection Status line show real time status connected disconnected If your SIM Card credit is too low the GWR I Router will performed periodically connect disconnect actions WAN Settings advanced abel This field specifies if Advanced WAN settings is enabled at the GWR I Router Accept Local IP With this option pppd will accept the peer s idea of our local IP address even if Address the local IP address was specified in an option Accept Remote IP With this option pppd will accept the peer s idea of its remote IP address even Address if the remote IP address was specified in an option Idle time before Specifies that pppd should disconnect if the link is idle for n seconds The link is disconnect sec idle when no data packets are being sent or received Refuse PAP With this option pppd will not agree to authenticate itse
97. his option router will be able to connect to roaming network Reset Location By enabling this option router will erase LOCI Elementary File in SIM card This Information will cause SIM card to scan all available networks when registering Table 7 Advanced WAN Settings Settings Routing The static routing function determines the path that data follows over your network before and after it passes through the GWR I Router You can use static routing to allow different IP domain users to access the Internet through the GWR I Router Static routing is a powerful feature that should be used by advanced users only In many cases it is better to use dynamic routing because it enables the GWR I Router to automatically adjust to physical changes in the network s layout The GWR I Router is a fully functional router with static routing capability Figure 14 shows screenshot of Routing page Routing Routing Table Settings Current static routes aoe 192 168 1 0 255 255 255 0 meen GER cone ce Apply the following static routes to the routing table Enable _ Dest Network _Netmask___ _Gateway_ _Metric_ Interface Action C C vee 0 en E Forwarding Enable Network Address Translation NAT Forward TCP UDP connections from external networks to the following internal devices Enable Protocol SourceIP Source Netmask Destination IP Destination Netmask Destination Pom Forwar
98. in the IP address pool. IP Ending Address (To): This field specifies the last of the contiguous addresses in the IP address pool. This field specifies DHCP session duration time. This field specifies IP addresses of the DNS server that will be assigned to systems that support DHCP client capability. Select None to stop the DHCP Server from assigning a DNS server IP address. When you select None, computers must be manually configured with the proper DNS IP address. Select Used by ISP to have the GWR Router assign the DNS IP address to DHCP clients. The DNS address is provided by the ISP (automatically obtained from the WAN side). This option is available only if the GSM connection is active. Please establish the GSM connection first and then choose this option. Select User Defined to have the GWR Router assign the DNS IP address to DHCP clients. The DNS address is manually configured by the user. Enable DHCP Server. Static Lease Reservation: This field specifies IP addresses that will be dedicated to a specific DHCP client based on MAC address. The DHCP server will always assign the same IP address to the appropriate client. Address Exclusions: This field specifies IP addresses that will be excluded from the pool of DHCP IP addresses. The DHCP server will not assign these IP addresses to DHCP clients. Click Add to insert a new item in the table to the GWR Router. Click Remove to delete the selected item from the table. Click Save to save your changes back to the GWR Router. Click Reload to discard any cha
99. ing algorithm that produces a 128-bit digest. SHA1 is a one-way hashing algorithm that produces a 160-bit digest. SHA1 is recommended because it is more secure. Both ends of the IPSec tunnel must use the same Phase 2 Authentication setting. NOTE: If you select a NULL method of authentication, the previous Phase 2 Encryption method cannot be NULL. Phase 2 SA Life Time: Configure the length of time an IPSec tunnel is active in Phase 2. The default is 3600 seconds. Both ends of the IPSec tunnel must use the same Phase 2 SA Life Time setting. Preshared Key: This specifies the pre-shared key used to authenticate the remote IKE peer. Enter a key of keyboard and hexadecimal characters, e.g. Ay_ 4222 or 345fa929b8c3e. This field allows a maximum of 1023 characters and/or hexadecimal values. Both ends of the IPSec tunnel must use the same Preshared Key. NOTE: It is strongly recommended that you periodically change the Preshared Key to maximize security of the IPSec tunnels. Enable IKE failover: Enables the IKE failover option, which tries periodically to re-establish the security association. IKE SA retry: Number of IKE retries before failover. Restart PPP After IKE SA Retry Exceeds: With this option enabled, the PPP connection is restarted when IKE SA retry reaches the defined number of failed attempts. After restart, SIM1 is used for connection. Enable tunnel failover: If there is more than one tu
100. ion: Serial port over TCP/UDP and Modbus RTU to TCP conversion (Modbus gateway). The initial Serial Port Settings page is shown in the figure below. By default, the features described above are disabled. Selecting one of the two possible applications of the serial port opens up additional options available for configuration. [Figure 27 - Serial Port Settings initial menu] The following image shows the PINOUT of Serial Port 1. RS-232 Mode: 1 Not Used, 2 TX (output), 3 RX (input), 4 DSR (input), 5 GND, 6 DTR (output), 7 CTS (input), 8 RTS (output), 9 Not Used. RS-485 4-Wires Mode: 1 Not Used, 2 TX, 3 RX, 4 Not Used, 5 GND, 6 Not Used, 7 RX, 8 TX, 9 Not Used. RS-485 2-Wires Mode: 1 Not Used, 2 DATA, 3 Not Used, 4 Not Used, 5 GND, 6 Not Used, 7 Not Used, 8 DATA, 9 Not Used. [Figure 28 - Serial Port Settings 1 PINOUT] Serial port over TCP/UDP settings: The GWR-I Router provides a way for a user to connect from a network connection to a serial port. It provides all the serial port setup, a configuration file to configure the ports, a control login for modifying port parameters, mon
101. ishing of the IPSec tunnel. If connection mode Wait is selected, that indicates the side of the IPSec tunnel which listens and responds to IPSec establishing requests from the Connect side. [Figure 76 - IPSec start/stop page for GWR-I Router 2. Text shown on the page: Reducing the MTU size on the client side can help eliminate some connectivity problems occurring at the protocol level. Recommended MTU size on client side is 1300. Tunnel status description: started - ipsec is running; stopped - ipsec is not running or tunnel is not enabled; connecting - ipsec is trying to establish connection; waiting for connection - ipsec is waiting for other end to connect; established - tunnel is up.] Click the Start button and after that the Wait button on the Internet Protocol Security page to initiate the IPSec tunnel. On the device connected to GWR-I Router 2, set up default gateway 192.168.10.1. Scenario 2: Router 1 and Router 2 presented in Figure 64 are configured with an IPSec tunnel in Main mode. Configurations for Router 1 and Router 2 are listed below. The GWR-I Router 1
102. itoring ports and controlling ports. The GWR-I Router supports RFC 2217 (remote control of serial port parameters). Serial Port over TCP/UDP Settings: Indicates the standard for serial connection (RS232, RS485 2W, RS485 4W). The unit and attached serial device, such as a modem, must agree on a speed or baud rate to use for the serial connection. Valid baud rates are 300, 1200, 2400, 4800, 9600, 19200, 38400, 57600 or 115200. Indicates the number of bits in a transmitted data package. Checks for the parity bit. None is the default. Stop bits: The stop bit follows the data and parity bits in serial communication. It indicates the end of transmission. The default is 1. Flow control manages data flow between devices in a network to ensure it is processed efficiently. Too much data arriving before a device is prepared to manage it causes lost or retransmitted data. None is the default. Choose which protocol to use (TCP/UDP). Select server mode in order to listen for an incoming connection, or client mode to establish one. Number of the TCP/UDP port to accept connections for this device. Only on server side. Server IP address: Specify server IP address. Only on client side. Connect to TCP/UDP port: Number of the TCP/UDP port to accept connections from this device. Only on client side. Either raw or telnet. Raw enables the port and transfers all data like between the port and the log. Telnet enables the port and runs th
103. le Portforwarding feature enables access to workstations behind the router and redirecting traffic in both traffic flow directions, inbound and outbound. Direction is selected by interface: PPP0 for inbound (WAN -> ETH0) and ETH0 for outbound traffic (ETH0 -> WAN). In the following example there are three types of access to the LAN network enabled, every workstation with a different service allowed from the outside. The LAN is accessed through the WAN IP of the router. The second and fourth rules have an additional limitation per source IP address of the incoming packets. The fourth defined access flow is redirecting all WEB traffic from the local workstation to one outside IP address (a web authentication server, for example). Implemented rules are the following: 1. Traffic destined to WAN IP by port 5022 is forwarded to workstation 192.168.1.2 and port 22. Result: SSH is accessible from the outside to the first workstation. 2. Traffic destined to WAN IP by port 8080 is forwarded to workstation 192.168.1.3 and port 80. Result: WEB is accessible from the outside to the second workstation. This rule is limited only to traffic coming from the 172.16.234.0/24 subnet. 3. Traffic destined to WAN IP from port range 300-400 is forwarded to workstation 192.168.1.4 to port 12345. 4. WEB traffic from the workstation 192.168.1.5 is forwarded to one outside IP address (212.62.49.109, for example). If Source IP and Source Netmask fields are empty, stated entry is applied to all in
104. le operator, and because of that there is no option for gateway when you choose the ppp0 interface. Metric represents the cost of transmission for routing purposes. IP routing uses hop count as the measurement of cost, with a minimum of 1 for directly connected networks. Enter a number that approximates the cost for this link. The number need not be precise, but it must be between 1 and 15. In practice, 2 or 3 is usually a good number. Interface represents the exit of transmission for routing purposes. In this case Eth0 represents the LAN interface and ppp0 represents the GSM/UMTS mobile interface of the GWR-I Router. TCP/UDP Traffic forwarding. Enable: This check box allows you to activate/deactivate this static port translation. Choose between TCP and UDP protocol. This field specifies the IP address of the incoming traffic. This is the TCP/UDP port of the application. This field specifies the IP address where packets should be forwarded. Specify the TCP/UDP port on which the traffic is going to be forwarded. Select the interface where portforwarding is done. Portforwarding from outside (WAN) interface to inside (LAN) interface is done on PPP and in reverse
105. lf to the peer using PAP. Require PAP: Require the peer to authenticate using PAP (Password Authentication Protocol) authentication. Refuse CHAP: With this option, pppd will not agree to authenticate itself to the peer using CHAP. Require CHAP: Require the peer to authenticate using CHAP (Challenge Handshake Authentication Protocol) authentication. Set the maximum number of CHAP challenge transmissions to n (default 10). CHAP restart interval (sec): Set the CHAP restart interval (retransmission timeout for challenges) to n seconds (default 3). Refuse MS-CHAP: With this option, pppd will not agree to authenticate itself to the peer using MS-CHAP. Refuse MS-CHAPv2: With this option, pppd will not agree to authenticate itself to the peer using MS-CHAPv2. Refuse EAP: With this option, pppd will not agree to authenticate itself to the peer using EAP. Connection debugging: Enables connection debugging facilities. If this option is selected, pppd will log the contents of all control packets sent or received in a readable form. Set the MTU (Maximum Transmit Unit) value to n. Unless the peer requests a smaller value via MRU negotiation, pppd will request that the kernel networking code send data packets of no more than n bytes through the PPP network. Set the MRU (Maximum Receive Unit) value to n. Pppd will ask the peer to send packets of no more tha
106.
    set isakmp-profile L2L
    !
    ! Crypto map only references instances of the previous dynamic crypto map
    !
    crypto map GWR 10 ipsec-isakmp dynamic dynGWR
    !
    interface FastEthernet0/0
     description WAN INTERFACE
     ip address 150.160.170.1 255.255.255.252
     ip nat outside
     no ip route-cache
     no ip mroute-cache
     duplex auto
     speed auto
     crypto map GWR
    !
    interface FastEthernet0/1
     description LAN INTERFACE
     ip address 10.10.10.1 255.255.255.0
     ip nat inside
     no ip route-cache
     no ip mroute-cache
     duplex auto
     speed auto
    !
    ip route 0.0.0.0 0.0.0.0 150.160.170.2
    ip http server
    no ip http secure-server
    ip nat inside source list nat_list interface FastEthernet0/0 overload
    !
    ip access-list extended nat_list
     deny ip 10.10.10.0 0.0.0.255 192.168.10.0 0.0.0.255
     permit ip 10.10.10.0 0.0.0.255 any
    !
    access-list 23 permit any
    !
    line con 0
    line aux 0
    line vty 0 4
     access-class 23 in
     privilege level 15
     login local
     transport input telnet ssh
    line vty 5 15
     access-class 23 in
     privilege level 15
     login local
     transport input telnet ssh
    !
    end
Use this section to confirm that your configuration works properly. Debug commands that run on the Cisco router can confirm that the correct parameters are matched for the remote connections. show ip interface: Displays the IP address assignment to the spoke router. show crypto isakmp sa detail: Displays the IKE SAs which have been set up between the IPs
107. mation Protocol (RIP) is a dynamic routing protocol used in local and wide area networks. As such, it is classified as an interior gateway protocol (IGP) using the distance-vector routing algorithm. The Routing Information Protocol provides great network stability, guaranteeing that if one network connection goes down, the network can quickly adapt to send packets through another connection. Click RIP Tab to open the Routing Information Protocol screen. Use this screen to configure the GWR-I Router RIP parameters (Figure 15). [Figure 15 - RIP configuration page. Fields shown: Routing Manager (Hostname: Router, Password: zebra, Enable log, Port to bind at: User defined / Default 2601); RIPD (Hostname: ripd, Password: zebra, Port to bind at: User defined / Default 2602); Routing Information Protocol Status: stopped.] RIP Settings: Click Save to save your changes back to the GWR-I Router. Click Reload to discard any changes and reload previous settings. Table 9 - RIP parameters. RIP routing engine for the GWR-I Router: Use telnet to enter global configuration mode: telnet 192.168.1.1 2602 (telnet to eth0 at TCP port 2602). To enable RIP, use the following commands beginning in global co
108. ministration, please enter the IP address of the router into a web browser. Please disable the Proxy server in the web browser before proceeding. [Figure 5 - User authentication] After successfully finishing the authentication process with Username/Password, you can access the Main Configuration Menu. You can set all parameters of the GWR-I Router using the web application. All functionalities and parameters are organized within a few main tabs (windows). NOTE: Add/Remove/Update manipulation in tables. To Add a new row (new rule or new parameter) in the table, please do the following: enter data in the fields at the bottom row of the table (separated with a line); after entering data in all fields, click the Add link. To Update a row in the table: change data directly in the fields you want to change. To Remove a row from the table: click the Remove link to remove the selected row from the table. Save/Reload changes: To save all the changes in the form, press the Save button. By clicking Save, data are checked for validity. If they are not valid, an error message will be displayed. To discard changes, press the Reload button. By clicking Reload, previous settings will be loaded in the form. Status Information: The GWR-I Router's Status menu
109. most VPN connections. A custom APN should also support mobile-terminated data that may be required in most site-to-site VPNs. The GWR-I Router configuration: Click Network Tab to open the LAN NETWORK screen. Use this screen to configure LAN TCP/IP settings. Configure IP address and Netmask: IP Address: 192.168.10.1, Subnet Mask: 255.255.255.0. Press Save to accept the changes. [Figure 94 - Network configuration page for GWR-I Router. Cautions shown on the page: Changes to IP address, subnet mask and local DNS require a reboot to take effect. Use the local gateway option carefully. The router becomes unreachable from the local subnet when this option is enabled.] Use a SIM card with a static IP address obtained from the Mobile Operator. Click WAN Settings Tab to configure parameters necessary for the GSM/UMTS connection. All parameters necessary for connection configuration should be obtained from the mobile operator. Check the status of the GSM/UMTS connection (WAN Settings Tab). If disconnected, please click the Connect button. Click VPN Settings > IPSEC to configure IPSEC tunnel parameters. Click the Add New Tunnel button to create a new IPSec tunnel. Tunnel parameters are: Add New Tunnel
110. n following picture is the page from where SMS can be sent. There are two required fields on this page: Phone number and Message. [Figure 33 - Send SMS] SMS Gateway is used for sending SMS with a GET query. The command format is the following: 192.168.1.1/cgi/send_exec.lua?group=sms&phone=%2B38164112233&message=hello world&auth=YWRtaW46YWRtaW4 Fields marked in red are changeable. The first field is the phone number to which the SMS is sent. The second field is the message itself. The third field is the authorization (username:password) encoded in BASE64. A link for online BASE64 encoding is the following: http://www.base64encode.org. Username and password have to be written in the format username:password. Settings - GPIO: The GWR-I router series implements one digital input and one digital output. Numerous telemetry and data acquisition applications imply using digital input and output for providing simple control over certain system functionalities. The GPIO (General Purpose Input Output) settings page is displayed on the image below. [Screenshot residue: General Purpose Input Output page, Digital Input Settings]
111. n is established over SIM 1. Local Security Group Type: IP; IP Address: 192.168.10.1. Remote Group Setup: Remote Security Gateway Type: IP Only; IP Address: 172.29.8.4; Remote ID Type: IP Address; Remote Security Group Type: Subnet; IP Address: 10.0.10.0; Subnet: 255.255.255.0. IPSec Setup: Keying Mode: IKE with Preshared key; Mode: aggressive; Phase 1 DH group: Group 2; Phase 1 Encryption: 3DES; Phase 1 Authentication: MD5; Phase 1 SA Life Time: 28800; Perfect Forward Secrecy: true; Phase 2 DH group: Group 2; Phase 2 Encryption: 3DES; Phase 2 Authentication: MD5; Phase 2 SA Life Time: 3600; Preshared Key: 1234567890. Failover: Enable Tunnel Failover: false. Advanced: Compress (Support IP Payload Compression Protocol (IPComp)): false; Dead Peer Detection (DPD): false; NAT Traversal: true; Send Initial Contact: true. Press Save to accept the changes. [Screenshot residue: Add New Tunnel page showing the Local Group Setup and Remote Group Setup values listed above]
112. n n bytes. The value of n must be between 128 and 16384; the default is 1500. VJ Compression: Disable Van Jacobson style TCP/IP header compression in both directions. VJ Connection ID Compression: Disable the connection-ID compression option in Van Jacobson style TCP/IP header compression. With this option, pppd will not omit the connection-ID byte from Van Jacobson compressed TCP/IP headers. Protocol Field Compression: Disable protocol field compression negotiation in both directions. Address Control Compression: Disable Address/Control compression in both directions. Predictor-1 Compression: Disable or enable (accept or agree to) Predictor-1 compression. BSD Compression: Disable or enable BSD-Compress compression. Deflate Compression: Disable or enable Deflate compression. Disable CCP (Compression Control Protocol) negotiation. This option should only be required if the peer is buggy and gets confused by requests from pppd for CCP negotiation. Magic Number negotiation: Disable magic number negotiation. With this option, pppd cannot detect a looped-back line. This option should only be needed if the peer is buggy. Passive Mode: Enables the passive option in the LCP. With this option, pppd will attempt to initiate a connection; if no reply is received from the peer, pppd will then just wait passively for a valid LCP packet from the peer, instead of exiting, as it would without this option. With this option pppd will not transmit LCP
113. n receive messages only on the SIM card which is currently selected. This information is displayed in the WAN settings page: Mobile Status, Current SIM card. The SMS service center number is automatically obtained. [Figure 133 - Configuration page for SMS management] Settings are the following: Enable Remote Control: Enabled; Use default SMSC: Enabled; Phone Number 1, 2, ... 5: Allowed phone number. From the mobile phone, the user can send 6 different commands for router management. Commands are the following: 1. PPP CONNECT; 2. PPP DISCONNECT; 3. PPP RECONNECT; 4. PPP STATUS (the reply to this command is one of four possible states: CONNECTING; CONNECTED, WAN_IP: WAN IP address; DISCONNECTING; DISCONNECTED); 5. SWITCH SIM, for changing SIM slot; 6. REBOOT, for router reboot. After every SMS sent to the router, a reply is sent back with status information about the SMS received by the router. Defining keepalive functionality: The keep-alive mechanism works through two simple steps
114. nd Network Information. [Figure 7 - Network Information] Status - DHCP: The DHCP Information Tab provides information about DHCP clients with IP addresses gained from the DHCP server, MAC addresses, expiration period and lease status. [Figure 8 - DHCP Information] Status - WAN Information: The WAN Information Tab provides information about the GPRS/EDGE/HSPA/HSPA+/LTE connection and traffic statistics. The WAN information menu has three submenus which provide information about: the GPRS/EDGE/HSPA/HSPA+/LTE mobile module (manufacturer and model); Mobile operator and signal quality; Mobile traffic statistics (in bytes). A screenshot of WAN information from the router is shown in Error! Reference source not found.
115. nfiguration Export/Import and remote management and monitoring software provide a wide range of management functionalities. All those features and tools empower a user with full control over GWR-I routers. Typical application. Data collection and system supervision: Extra-high-voltage equipment monitoring; Running water, gas pipeline supervision; Centralized heating system supervision; Environment protection data collection; Flood control data collection; Alert system supervision; Weather station data collection; Power Grid; Oilfield; Light Supervision; Solar PV Power Solutions. Financial and department store: Connection of ATM machines to central site; Vehicle-based bank service; POS; Vending machine; Bank office supervision. Security: Traffic control; Video Surveillance Solutions. Other: Remote Office Solution; Remote Access Solution. There are numerous variations of each and every one of the applications listed above. Therefore GENEKO formed a highly dedicated, top-rated support team that can help you analyze your requirements and existing system, choose the right topology for your new system, perform initial configuration and tests, and monitor the complete system after installation. Enhance your system performance and speed up the ROI with high-quality cellular routers and all relevant knowledge of the GWR support team behind you. Technic
116. nfiguration mode: router router rip. To associate a network with a RIP routing process, use the following commands: router network A.B.C.D/Mask. By default, the GWR-I Router receives RIP version 1 and version 2 packets. You can configure the GWR-I Router to receive and send only version 1. Alternatively, you can configure the GWR-I Router to receive and send only version 2 packets. To configure the GWR-I Router to send and receive packets from only one version, use the following command: router rip version 1 2 (same as other router). Enable route redistribution: router redistribute kernel (redistribute routes defined on the WEB interface); router redistribute static (redistribute routes defined locally in RIP configuration); router redistribute connected (redistribute directly connected routes). Disable RIP update (optional): router passive-interface ppp_0; router no passive-interface ppp_0. RIP is commonly used over the Ethernet interface, and the PPP interface should be set up as passive. Routing protocols use several timers that determine such variables as the frequency of routing updates, the length of time before a route becomes invalid, and other parameters. You can adjust these timers to tune routing protocol performance to better suit your internetwork needs. Use the following command to set up RIP timers: router timers basic UPDATE INTERVAL INVALID TIMEOUT GARBA
117. nges and reload previous settings. Table 5 - DHCP Server parameters. [Screenshot residue: DHCP Server Settings page, with the sections IP Address range, Primary DNS / Secondary DNS (None, Used by ISP, User defined), Static Lease Reservations, Address Exclusions and Status] The IP address pool must specify addresses that are in the subnetwork of the GWR Router. The DHCP server will not operate if this configuration does not meet this requirement. A reservation IP address must not be the same as the IP address of the DHCP server itself. It must be a valid IP address in the subnetwork of the DHCP server. The DHCP server will ignore a reservation that does not meet these requirements. An IP address exclusion range must specify valid IP addresses in the subnetwork of the DHCP serv
118. nnel defined, this option will failover to the other tunnel in case the selected one fails to establish a connection. Ping IP or Hostname: IP address/Hostname at the remote side of the tunnel which will be pinged in order to determine current state. Ping interval: Specify the time period in seconds between two pings. Specify packet size for ping message. Advanced Ping Interval: Time interval between advanced ping packets. Advanced Ping Wait For A Response: Advanced ping proofing timeout. Maximum number of failed packets: Set percentage of failed packets until failover action is performed. Compress (IP Payload Compression Protocol): IP Payload Compression is a protocol that reduces the size of IP datagrams. Select this option if you want the Router to propose compression when it initiates a connection. Dead Peer Detection (DPD): When DPD is enabled, the Router will send periodic HELLO/ACK messages to check the status of the IPSec tunnel (this feature can be used only when both peers or IPSec devices of the IPSec tunnel use the DPD mechanism). Once a dead peer has been detected, the Router will disconnect the tunnel so the connection can be re-established. Specify the interval between HELLO/ACK messages (how often you want the messages to be sent). The default interval is 20 seconds. Both the IPSec initiator and responder must support the mechanism for detecting the NAT router in the path and changing to a new port a
119. [Figure 18 - IPSec Settings] VPN Settings - IPSec Settings. Tunnel Number: This number will be generated automatically and it represents the tunnel number. Tunnel Name: Enter a name for the IPSec tunnel. This allows you to identify multiple tunnels and does not have to match the name used at the other end of the tunnel. Enable: Check this box to enable the IPSec tunnel. Local Security Gateway Type: When SIM Card is selected, the WAN (or Internet) IP address of the Router automatically appears. If the Router is not yet connected to the GSM/UMTS network, this field is without IP address. Local ID Type: Authentication identity for one of the participants. Can be an IP address or fully qualified domain name preceded by IP Address From: Select the SIM card over which the tunnel is established. Local Security Group Type: Select the local LAN user(s) behind the Router that can use this IPSec tunnel. Select the type you want to use: IP or Subnet. NOTE: The Local Security Group Type you select should match the Remote Security Group Type selected on the IPSec device at the other end of the tunnel. IP Address: Only the computer with a specific IP address will be able to acce
120. Description of the GWR-I Industrial Cellular Router Series: The GWR-I Industrial Cellular Router Series represents a group of industrial-grade routers specially designed for expansion of existing industrial networks, remote telemetry and data acquisition in harsh environments. Low transmission delay and very high data rates offered by existing cellular networks completely eliminate the need for very complex installation of wired infrastructure in industrial environments. Easy to install, reliable and high-performance router models from the GWR-I series introduce a completely new dimension into the industrial networking area. [Figure 1 - GWR-I Industrial Cellular Router] The complete series inherited the basic concept of the GWR cellular router series: RELIABILITY COMES FIRST. Therefore all router models have dual SIM card support. The form factor of the router is adjusted to industrial environments, and a DIN rail mounting kit is part of the standard equipment for the GWR-I series. Many useful features make GWR-I cellular routers a perfect solution for a wide variety of industrial applications. Dual SIM card support increases the reliability of the router and provides a solution for those ap
121. on [Figure 64 - GRE configuration page. Help text shown on the page: Local Tunnel Address: IP address of virtual tunnel interface. Local Tunnel Netmask: Unchangeable, always 255.255.255.252. Tunnel Source: IP address of tunnel source. Tunnel Destination: IP address of tunnel destination. Period: Valid values 3-60. Retries: Valid values 1-10.] Configure GRE Route: Click Routing on Settings Tab. Parameters for this example are: Destination Network: 10.2.2.0, Netmask: 255.255.255.0. [Figure 65 - Routing configuration page] Optionally configure IP Filtering and TCP service port settings to block any unwanted incoming traffic. A user from the remote LAN should be able to communicate with the HQ LAN. IPSec Tunnel configuration between two GWR-I Routers: IPSec tunnel is a type of VPN tunnel with a secure tunneling
122. on. Valid stop bits are 1 and 2. The default is 1.
Flow control manages data flow between devices in a network to ensure it is processed efficiently. Too much data arriving before a device is prepared to manage it causes lost or retransmitted data. None is the default.
This field determines the TCP port number that the serial server will listen for connections on. The value entered should be a valid TCP port number. The default Modbus TCP port number is 502.
Connection timeout: When this field is set to a value greater than 0, the serial server will close connections that have had no network receive activity for longer than the specified period.
Transmission mode: Select RTU, based on the Modbus slave equipment attached to the port.
This is the timeout (in milliseconds) to wait for a response from a serial slave device before retrying the request or returning an error to the Modbus master.
Should no valid response be received from a Modbus slave, the value in this field determines the number of times the serial server will retransmit request.
Table 18: Modbus gateway parameters
Serial Port Settings page. General Settings: Disable all; Serial port over TCP/UDP settings; Modbus gateway settings. Serial Port Settings: Bits per second, Data bits, Parity, Stop bits, Flow control. Modbus Gateway Settings: TC
123. or error during establishing openVPN tunnel
Figure 20: OpenVPN Summary screen
OpenVPN IP Filtering
Tunnel Number: Automatically assigned number of the tunnel.
Tunnel Name: This field specifies tunnel name.
Check this setting in order to enable OpenVPN tunnel.
Allow access from the following devices
Interface Type: There are two modes of OpenVPN tunnel, routed and bridged mode. For routed mode select option TUN and for bridged TAP.
Authenticate Mode: Choose one of the following options:
• none: Select this option if you do not want to use any kind of authentication.
• pre-shared secret: Select this option if you want to use PSK as an authentication method.
• username/password: Select this option if you want to use username/password along with CA Certificate as an authentication method.
• X.509 cert. (client): Select this option if you want to use X.509 certificates as an authentication method in client mode.
• X.509 cert. (server): Select this option if you want to use X.509 certificates as an authentication method in server mode.
Encrypt packets with cipher algorithm. The default is BF-CBC, an abbreviation for Blowfish in Cipher Block Chaining mode. Blowfish has the advantages of being fast, very secure, and allowing key sizes of up to 448 bits. Blowfish is designed to be used in situations where keys are changed infrequently. OpenVPN suppor
124. or GWR-I Router
Figure 96: IPSec configuration page II for GWR-I Router
Figure 97: IPSec configuration page II for GWR-I Router
Figure 98: IPSec start/stop page for GWR
Figure 99: Network Interfaces
Figure 100: Network Interfaces
Figure 101: AutoKey Advanced
Figure 103: Gateway advanced
Figure 108: Policies from untrust
Figure 110: Multipoint OpenVPN topology
Figure 114: Starting OpenVPN application
Figure 118: GWR portforwarding configuration
Figure 119: Transparent serial connection
Figure 121: GWR settings for Serial to IP conversion
Figure 122: Virtual COM port
Figure 125: Settings for virtual COM
Figure T25 Initial
125. Figure 99: Network Interfaces list
• Bind the new tunnel interface to the Untrust interface (outside interface with public IP address).
• Use the unnumbered option for IP address configuration.
Figure 100: Network Interfaces edit
Step 2: Create New VPN IPSEC tunnel
• Click VPNs in the main menu. To create a new gateway, click Gateway on the AutoKey Advanced tab.
Figure 101: AutoKey Advanced Gateway
• Click the New button. Enter gateway parameters:
Gateway name: TestGWR
Security level: Custom
Remote Gateway type: Dynamic IP address (because your GWR-I routers are hidden behind the mobile operator router's firewall NAT)
Peer ID: 172.30.147.96
Preshare
126. palive Settings: Check TCP connection, Kepalive idle time (sec), Kepalive interval (sec). Log Settings: Log level (level 1). Status: stopped.
Figure 29: Serial port configuration page
Modbus Gateway settings
The serial server will perform conversion from Modbus TCP to Modbus RTU, allowing polling by a Modbus TCP master. The Modbus Gateway carries out translation between Modbus TCP and Modbus RTU. This means that Modbus serial slaves can be directly attached to the unit's serial ports without any external protocol converters.
Click Serial Port Tab to open the Modbus Gateway configuration screen. Choose Modbus Gateway options to configure Modbus. In Figure 28 you can see a screenshot of the Modbus Gateway configuration menu.
Modbus Gateway Parameters
Standard: Indicates the standard for serial connection: RS232, RS485 2W, RS485 4W.
Bits per second: The unit and attached serial device, such as a modem, must agree on a speed or baud rate to use for the serial connection. Valid baud rates are 300, 1200, 2400, 4800, 9600, 19200, 38400, 57600 or 115200.
Data bits: Indicates the number of bits in a transmitted data package. Valid data bits are 8 and 7.
Parity: Checks for the parity bit. Valid parity are none, even and odd. None is the default.
The stop bit follows the data and parity bits in serial communication. It indicates the end of transmissi
127. pecifies password authentication protocol. Select the appropriate Authentication protocol from the drop-down list: PAP, CHAP, PAP-CHAP.
Username: This field specifies Username for client authentication at GSM/UMTS network. Mobile provider will assign you specific username for each SIM card.
Password: This field specifies Password for client authentication at GSM/UMTS network. Mobile provider will assign you specific password for each SIM card.
This field specifies APN.
Dial String: This field specifies Dial String for GSM/UMTS modem connection initialization. In most cases you have to change only APN field, based on parameters obtained from Mobile Provider. This field cannot be altered.
Enable Failover: Check this field in order to enable failover feature. This feature is used when both SIM are enabled. You specify the amount of time after which Failover feature brings down current WAN connection (SIM2) and brings up previous WAN connection (SIM1).
Option that allows a user to lock a SIM card for a desired operator by specifying PLMN id of the operator. This option is very useful in border areas since you can avoid roaming expenses.
Keep connection alive after
Do not exit after a connection is terminated. Instead try to reopen the connection.
Reboot after n consecutive failed connection attempts connections
128. plications where failure of one mobile network must not result in system downtime. The automatic failover feature will detect the failure of the primary connection and automatically switch to the alternative connection. When connectivity over the primary connection is restored, the GWR router will perform switchover to the primary connection.
• The whole set of advanced WAN settings allows a user to specify desired parameters in order to meet the requirements of a specific cellular network. GWR-I routers have proved themselves to be reliable and high-performance devices in many countries around the world. All advanced parameters included represent the result of detailed analysis of a large number of different cellular networks. In a few simple steps it is possible to optimize the performance of the router on almost any cellular network.
• VPN (GRE, IPsec and OpenVPN) tunnel support provides powerful options for network expansion and secure data transfer over the cellular network.
• With the Serial to IP feature it is possible to connect, control and perform data acquisition from almost any device with a serial RS232 port. In addition to this feature, the GWR-I router series implements ModbusRTU to ModbusTCP functionality designed to support expansion of Modbus SCADA networks over cellular networks.
• Easy to use web interface, extended CLI (Command Line Interface), detailed log, SMS control feature, partial and full co
129. portforwarding configuration
Serial port example
For connecting serial devices from remote locations to a central location, serial transparent conversion can be used. Serial communication is encapsulated in a TCP/IP header and on the central location is recognized by the Virtual COM port application. This way serial communication is enabled between two distant locations. In the picture below, serial communication is achieved over a GWR router in client mode on the remote location and a Virtual COM port application on the central side. On the GWR router RS-232 is used. As the application is in server mode, the IP address of the workstation has to be accessible from the router. In this example that is IP address 96.34.56.2. GWR routers support both server and client mode, so GWR routers can be used on both sides of the communication link, one in server and one in client mode.
Figure 119: Transparent serial connection (diagram labels: Server, Virtual COM port application, GWR client, RS232 serial)
1. Settings on GWR router
From the main menu on the left side of the web interface, option SERIAL PORT should be selected and the following page is displayed.
Figure 120 GWR Serial por
130. preferred on the GWR-I Router WAN GPRS side.
• Remote Subnet is remote LAN network address and Remote Subnet Mask is subnet of remote LAN.
2. The GWR-I Router requirements:
• Static IP WAN address.
• Peer Tunnel Address will be the HQ router WAN IP address (static IP address).
• Remote Subnet is HQ LAN IP address and Remote Subnet Mask is subnet mask of HQ LAN.
GSM/UMTS APN Type: For GSM/UMTS networks GWR-I Router connections may require a Custom APN. A Custom APN allows for various IP addressing options, particularly static IP addresses, which are needed for most VPN connections. A custom APN should also support mobile terminated data that may be required in most site-to-site VPNs.
Cisco router sample Configuration:
interface FastEthernet0/1
 ip address 10 22 2261 2594295429920
 description LAN interface
interface FastEthernet0/0
 ip address E Ten 2556255225520
 description WAN interface
interface Tunnel
 ip address 101010 2 20940932990
 tunnel source FastEthernet0/0
 tunnel destination 1172 29 34
ip route 10 14140 25522959 25540 tunnel
The GWR-I Router Sample Configuration
• Click Network Tab to open the LAN NETWORK screen. Use this screen to configure LAN TCP/IP settings. Configure IP address and Netmask:
IP Address: 10.1.1.1
Subnet Mask: 255.255.255.0
Press Save to accept the changes.
Network Settings page: Use the following IP add
131. provides general information about the router as well as real-time network information. Status information is divided into the following categories: General Information, Network Information (LAN), WAN Information.
Status - General
The General Information Tab provides general information about device type, device firmware version, kernel version, CPU vendor, Up Time since last reboot, hardware resources utilization and MAC address of LAN port. A screenshot of General Router information is shown in Figure 6. Data in the Status menu are read only and cannot be changed by the user. If you want to refresh screen data, press the Refresh button. SIM Card detection is performed only at system boot time, and you can see the status of the SIM slot by checking the Enable SIM Card Detection option.
Figure 6: General router information. Values shown: Model GWR 1352 i; Firmware Version 3 0 0_352_ind; Kernel Version 2 6 21 5 r geneko_w4; CPU Vendor CirrusLogic ARM9 EP9302A 200MHz; Up Time 01 27 20; Total Memory 94680K; Used Memory 30376K; Free Memory 64304K; MAC Address 00 1e 5c 00 29 63.
Status - Network Information
The Network Information Tab provides information about the Ethernet port and Ethernet traffic statistics in bytes. A screenshot of Network Router information is shown in Error Reference source not fou
132. Table 15: MAC filtering parameters
Figure 24: MAC filtering configuration page (fields: Enable MAC filtering, Rule Name, MAC Address, MAC Address format; buttons: Reload, Save). Caution shown on the page: Carefully review settings before applying changes. Incorrect settings can make the inaccessible from the local network.
DMZ Host
Demilitarized Zone (DMZ) allows one IP Address to be exposed to the Internet. Because some applications require multiple TCP/IP ports to be open, DMZ provides this function by forwarding all the ports to one computer at the same time. In other words, this setting allows one local user to be exposed to the Internet to use special-purpose services such as Internet gaming, video conferencing, etc. It is recommended that you set your computer with a static IP if you want to use this function.
Figure 25: DMZ Host configuration page (fields: Enable, IP address from LAN)
Settings - DynDNS
Dynamic DNS is a domain name service that allows dynamic IP addresses to be linked to a static hostname. To start using this feature, you should first register with a DDNS service provider. The section of the web interface where you can set up DynDNS parameters is shown in Figure 25.
Dynamic DNS, DynDNS Settings: Enable DynDNS Client
133. r advanced ping proofing traffic limit has been reached to another SIM card.
2. Disconnect: disconnects the network connection over the SIM card on which the data traffic limit has been reached.
Displays the amount of traffic that has been transferred over the SIM card from the moment of enabling the SIM data limit option. In order to refresh the displayed value in the Current traffic field, please click on the Refresh button.
Reset current traffic: Clicking the Reset button resets the value of the current traffic to zero.
Reset current traffic value on specified day of the month: Every month on the specified day, the value of the current traffic will be reset to zero. The day of reset is specified by ordinal number.
Connection type: Specifies the type of connection the router will try to establish. There are three available options: only GSM, only UMTS and AUTO. For example, if you select the Only GSM option, the router will not try to connect to UMTS; instead the router will automatically try to connect to GSM. By selecting the AUTO option, the router will first try to establish a UMTS connection and, if it fails, the router will go for a GSM connection.
Mobile status: Displays data related to the mobile connection (current WAN address, uptime, connection status).
Click Reload to discard any changes and reload previous settings. Click Save to save your changes back to the GWR-I Router. Click Switc
134. r less dBm: Unacceptable (running LED)
• -100 to -91 dBm: Weak (1 LED)
• -90 to -81 dBm: Moderate (2 LED)
• -80 to -75 dBm: Good (3 LED)
• -74 or better dBm: Excellent (4 LED)
• 0 is not known or not detectable (running LED)
Antenna placement
Placement can drastically increase the signal strength of a cellular connection. Often just moving the router closer to an exterior window or to another location within the facility can result in optimum reception. Another way of increasing throughput is by physically placing the device on the roof of the building in an environmentally safe enclosure with proper moisture and lightning protection.
• Simply install the GWR-I Router outside the building and run an RJ-45 Ethernet cable to your switch located in the building.
• Keep the antenna cable away from interferers (AC wiring).
Antenna Options
Once optimum placement is achieved, if signal strength is still not desirable, you can experiment with different antenna options. Assuming you have tried a standard antenna, next consider:
• Check your antenna connection to ensure it is properly attached.
• High gain antenna, which has higher dBm gain and a longer antenna. Many cabled antennas require a metal ground plane for maximum performance. The ground plane typically should have a diameter roughly twice the length of the antenna.
NOTE: Another way of optimizing throughput is by sending non-encrypted data through the device. Application layer encr
135. ress: IP Address 10.1.1.1, Subnet Mask 255.255.255.0, Primary Local DNS, Secondary Local DNS, Local Gateway. Caution: Changes to IP address, subnet mask and local DNS require a reboot to take effect. Caution: Use the local gateway option carefully. The router becomes unreachable from the local subnet when this option is enabled.
Figure 63: Network configuration page
• Use a SIM card with a dynamic/static IP address obtained from the Mobile Operator. (Note: the default gateway may show, or change to, an address such as 10.0.0.1; this is normal, as it is the GSM/UMTS provider's network default gateway.)
• Click WAN Settings Tab to configure parameters necessary for GSM/UMTS connection. All parameters necessary for connection configuration should be requested from the mobile operator.
• Check the status of the GSM/UMTS connection (WAN Settings Tab). If disconnected, please click the Connect button.
• Click VPN Settings > GRE Tunneling to configure new VPN tunnel parameters:
Enable: yes
Local Tunnel Address: 10.10.10.1
Local Tunnel Netmask: 255.255.255.252 (unchangeable, always 255.255.255.252)
Tunnel Source: 172.29.8.5
Tunnel Destination: 172.29.8.4
KeepAlive enable: no
Period: none
Retries: none
Press ADD to put the GRE tunnel rule into the VPN table. Press Save to accept the changes.
VPN Settings, GRE: Generic Routing Encapsulati
136. riate rule for allowing ping traffic originating from precise IP address is shown below.
Figure 128: Allowing ICMP traffic (Firewall Rules page; fields: Rule name, Enable, Chain, Service, Protocol, Port, Input interface, Output interface, Source address, Inverted source address rule logic, Destination address, Inverted destination address rule logic, Packet state, Policy, Distributed Denial Of Service: Enable, Maximum average matching rate, Maximum initial number of packets to match; values shown: ICMP type echo request, 212.62.38.196)
After configuration is finished, the SAVE button should be selected and the user is returned to the main configuration page. Priority of the rule is changed by selecting a number in the drop-down menu. In this example number 5 is selected.
4. Establishing of IPSec tunnel is allowed
The firewall has to allow IKE and ESP protocol for IPSec tunnel establishment. If NAT traversal is used, one additional port has to be allowed. All these rules are predefined and they have priorities 10, 11 and 12 in the default firewall configuration. They are named as Allow IPSec tunnels on ppp_0 protocol IKE and NATO. As these rules are already configured, it is enough just to enable them to have IPSec passed through the firewall.
137. s defined in RFC 3947. NOTE: NAT-T function is enabled by default and cannot be disabled. The default interval for keep-alive packets is 20 seconds. (NAT Traversal)
The initial contact status message may be used when one side wishes to inform the other that this is the first SA being established with the remote system. The receiver of this Notification Message might then elect to delete any existing SAs it has for the sending system, under the assumption that the sending system has rebooted and no longer has access to the original SAs and their associated keying material. NOTE: Send initial contact function is enabled by default and cannot be disabled.
Click Back to return to the IPSec Summary screen. Click Reload to discard any changes and reload previous settings. Click Save to save your changes back to the GWR Router. After that the router automatically goes back and begins negotiations of the tunnels by clicking on the
Table 12: IPSec Parameters
OpenVPN
OpenVPN site to site allows connecting two remote networks via a point-to-point encrypted tunnel. The OpenVPN implementation offers a cost-effective, simply configurable alternative to other VPN technologies. OpenVPN allows peers to authenticate each other using a pre-shared secret key, certificates or username/password. When used in a multiclient-server configuration, it allows the server to release an authentication certifica
138. s of virtual tunnel interface. Local Tunnel Netmask: unchangeable, always 255.255.255.252. Tunnel Source: IP address of tunnel source. Tunnel Destination: IP address of tunnel destination. Period: valid values 3-60. Retries: valid values 1-10.
Figure 16: GRE tunnel parameters configuration page
GRE Keepalive
GRE tunnels can use periodic status messages, known as keepalives, to verify the integrity of the tunnel from end to end. By default, GRE tunnel keepalives are disabled. Use the keepalive check box to enable this feature. Keepalives do not have to be configured on both ends of the tunnel in order to work; a tunnel is not aware of incoming keepalive packets. You should define the time interval (in seconds) between transmitted keepalive packets. Enter a number from 1 to 60 seconds, and the number of times to retry after failed keepalives before determining that the tunnel endpoint is down. Enter a number from 1 to 10 times.
Internet Protocol Security (IPSec)
Internet Protocol Security (IPSec) is a protocol suite for securing Internet Protocol communication by authenticating and encrypting each IP packet of a data stream. Click VPN Settings > IPSec to open the VPN configuration screen. In Figure 17, IPSec Summary screen, you can see the IPSec Summary. This screen gathers information about the settings of all defined IPSec tunnels. Up to 5 IPSec tunnels can be defined on G
139. s with a secure tunneling method. The diagram below illustrates a simple network with a GWR-I Router and a Cisco Router. The idea is to create an IPSec tunnel for LAN to LAN (site to site) connectivity.
Figure 87: IPSec tunnel between GWR-I Router and Cisco Router (diagram labels: Private Static WAN; Public Static WAN; 172.30.147.96; GWR, Initiator; Cisco 1841, VPN terminator; LAN 192.168.10.1, LAN 192.168.10.x, Gateway 192.168.10.1; LAN 10.10.10.1, LAN 10.10.10.x, Gateway 10.10.10.1)
The GWR-I Router requirements:
• Static IP WAN address for tunnel source and tunnel destination address.
• Dynamic IP WAN address must be mapped to a hostname with the DynDNS service (for synchronization with the DynDNS server, the SIM card must have internet access).
GSM/UMTS APN Type: For GSM/UMTS networks GWR-I Router connections may require a Custom APN. A Custom APN allows for various IP addressing options, particularly static IP addresses, which are needed for most VPN connections. A custom APN should also support mobile terminated data that may be required in most site-to-site VPNs.
The GWR-I Router configuration
• Click Network Tab to open the LAN NETWORK screen. Use this screen to configure LAN TCP/IP settings. Configure IP address and Netmask:
IP Address: 192.168.10.1
Subnet Mask: 255.255.255.0
Press Save to accept the changes.
Network Settings page: Use the following IP address: IP Address 192.168.10.1, Subnet Mask 255.255.255.0
140. sk: Subnet, 10.0.10.0, 255.255.255.0
Figure 83: IPSEC configuration page I for GWR-I Router 2
IPSec Setup: Key Exchange Mode: IKE with Preshared key; Mode; Phase 1 DH Group: Group2 (1024); Phase 1 Encryption: 3DES; Phase 1 Authentication: MD5; Phase 1 SA Life Time: 28800 sec; Perfect Forward Secrecy; Phase 2 DH Group: Group2 (1024); Phase 2 Encryption: 3DES; Phase 2 Authentication: MD5; Phase 2 SA Life Time: 3600 sec; Preshared Key: 1234567890.
Failover: Enable IKE Failover (IKE SA Retry; Restart PPP After IKE SA Retry Exceeds Specified Limit); Enable Tunnel Failover (Ping IP Or Hostname, Ping Interval, Packet Size, Advanced Ping Interval, Advanced Ping Wait For A Response, Maximum Number Of Failed Packets).
Figure 84: IPSEC configuration page II for GWR-I Router 2
Advanced: Compress (Support IP Payload Compression Protocol, IPComp); Dead Peer Detection (DPD): 2 sec; NAT Traversal; Send Initial Contact.
Figure 85: IPSEC configuration page III for GWR-I Router 2
NOTE: Firmware version used in this scenario also provides options for Connection mode of IPSec tunnel. If connection mode Connect
141. ss the tunnel.
Subnet Mask: Enter the subnet mask.
Remote Security Gateway Type: Select the remote IP address behind the Router at the other end that can use this IPSec tunnel. Select the type you want to use: IP or Subnet.
IP Address: Only the computer with a specific IP address will be able to access the tunnel.
Remote ID Type: Authentication identity for one of the participants. Can be an IP address or fully qualified domain name preceded by
Remote Security Group: Select the remote IP address (hostname) behind the Router at the other end that can use this IPSec tunnel. Select the type you want to use: IP Only or hostname. NOTE: The Remote Security Group Type you select should match the Local Security Group Type selected on the IPSec device at the other end of the tunnel.
IP Address: Only the computer with a specific IP address will be able to access the tunnel.
Subnet Mask: Enter the subnet mask.
In order to establish an encrypted tunnel, the two ends of an IPSec tunnel must agree on the methods of encryption, decryption and authentication. This is done by sharing a key to the encryption code. For key management, the Router uses only IKE with Preshared Key mode.
IKE with Preshared Key: IKE is an Internet Key Exchange protocol used to negotiate key material for Security Association (SA). IKE uses the Preshared Key to authenticate the remote IKE peer. Both ends of the IPSec tunnel must use the same mode of key management.
Mode sis One of
142. ssword, New Password, Confirm Password. WEB Access: HTTP (WEB GUI port), HTTPS (WEB GUI port 443), HTTP/HTTPS; WEB GUI timeout (min).
Figure 37: Router Management configuration page
Administrator Password (Label, Description):
By this check box you can activate or deactivate the function for authentication when you access the web console application.
This field specifies the Username for user (administrator) login purpose.
Enter the old password. The default is admin when you first power up the GWR-I Router.
Enter a new password for the GWR Router. Your password must have 20 or fewer characters and cannot contain any space.
Click the Save button to save your changes back to the GWR Router. Click Reload to discard any changes and reload previous settings.
Table 21: Router Management
Maintenance - Date/Time Settings
To set the local time, select Date/Time Settings, using the Network Time Protocol (NTP) automatically or setting the local time manually. Date and time settings on the GWR-I Router are done through the Date/Time Settings window.
Date/Time Settings page: Current Date and Time (Date 2012 10 03); Date and Time Setup: Update router date and time Manually or From time server; Time protocol NTP (RFC 1305); Time server address 195.176.208.1; Time zone GMT 1 00 hours CET Cen
143. status description: started: ipsec is running; stopped: ipsec is not running or tunnel is not enabled; connecting: ipsec is trying to establish connection; waiting for connection: ipsec is waiting for other end to connect; established: tunnel is up.
Figure 92: IPSec start/stop page for GWR-I Router
• On the device connected to the GWR router, set the default gateway to 192.168.10.1.
The Cisco Router configuration:
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Cisco-Router
!
boot-start-marker
boot-end-marker
!
username admin password 7 eerste nnes hes
!
enable secret 5 KKEKKKKKKKKKKKEKKKKKKEKE
!
no aaa new-model
!
no ip domain lookup
!
!
! Keyring that defines wildcard pre-shared key
!
crypto keyring remote
 pre-shared-key address 0.0.0.0 0.0.0.0 key 1234567890
!
! ISAKMP policy
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
 lifetime 28800
!
! Profile for LAN to LAN connection that references the wildcard pre-shared key and a wildcard identity
!
crypto isakmp profile L2L
 description LAN to LAN vpn connection
 keyring remote
 match identity address 0.0.0.0
!
!
crypto ipsec transform-set testGWR esp-3des esp-sha-hmac
!
! Instances of the dynamic crypto map reference previous IPsec profile
!
crypto dynamic-map dynGWR 5
 set transform-set testGWR
144. status of defined IPSec tunnels. (Status)
Enc/Auth/Grp: This field shows both Phase 1 and Phase 2 details: Encryption method (DES, 3DES, AES), Authentication method (MD5, SHA1) and DH Group number (1, 2, 5) that you have defined in the IPSec Setup section.
Advanced: Field shows the chosen mode of IPSec and options from the IPSec Advanced section by displaying the first letters of enabled options.
Local Group: Field shows the IP address and subnet mask of the Local Group.
Remote Group: Field displays the IP address and subnet mask of the Remote Group.
Remote Gateway: Field shows the IP address of the Remote Device.
Action - Edit: This link opens a screen where you can change the tunnel's settings.
Action - Delete: Click on this link to delete the tunnel and all settings for that particular tunnel.
Connection mode: Field displays connection mode of the current tunnel. Connect: IPSec tunnel initiating side in negotiation process. Wait: IPSec tunnel responding side in negotiation process.
Set IPSec log level.
Add New Tunnel: Click on this button to add a new Device to Device IPSec tunnel. After you have added the tunnel, you will see it listed in the Summary table.
This button starts the IPSec negotiations between all defined and enabled tunnels. If the IPSec is already started, the Start button is replaced with the Restart button.
This button will stop all IPSec started negotiations
145. t Default Settings screen
Figure 3: GWR-I Router top panel side (panel labels: DIGITAL IN, DIGITAL OUT, 12-48 VDC, MAIN ANTENNA)
Putting Into Operation
Before putting the GWR-I Router in operation it is necessary to connect all components needed for the operation:
• GSM antenna,
• Ethernet cable, and
• SIM card must be inserted.
And finally, the device should have a powered-up external power supply. Power consumption of the unit depends on input voltage, according to the following table.
Table 3: Power consumption (columns: Voltage (V), Idle mode (mA), Burst mode (mA))
NOTE: Since the router is dedicated for operation in rough environments, SIM card slots are located within the router chassis. In order to insert the SIM card, please remove the screws pointed on the following image. SIM slots are located directly on the PCB of the router. After the SIM cards are inserted and before the router is put in the operation, make sure that the router box is properly sealed.
In order to open the router chassis please remove pointed screws.
Figure 4: Inserting the SIM card
SIM card must not be changed, installed or taken out while the device operates. This procedure is performed when the power supply is not connected.
146. t settings. Option SERIAL PORT OVER TCP/UDP SETTINGS is used for configuration of transparent serial communication. Configuration parameters are presented in the picture below. Figure 121. GWR settings for Serial to IP conversion. General Settings: Serial port over TCP/UDP settings. Serial port settings: Standard RS-232; Bits per second 57600; Data bits 8; Parity none; Stop bits 1; Flow control none. TCP/UDP Settings: Protocol TCP; Mode client; Server IP address 96.34.56.2 (IP address of server); Connect to TCP port 1234; Type of socket raw; Enable local echo Disabled; Enable timeout 3600 sec. Keepalive Settings: Check TCP connection Enable; Keepalive idle time 120 sec; Keepalive interval 60 sec. Log
147. te for every client using signature and Certificate authority. It uses the OpenSSL encryption library extensively, as well as the SSLv3/TLSv1 protocol, and contains many security and control features. The server and client have almost the same configuration. The difference in the client configuration is the remote endpoint IP or hostname field. Also, the client can set up the keepalive settings. For successful tunnel creation a static key must be generated on one side and the same key must be uploaded on the opposite side. Figure 19. OpenVPN example. Click VPN Settings > OpenVPN to open the VPN configuration screen. At the Figure 17 IPSec Summary screen you can see the OpenVPN Summary. This screen gathers information about settings of all defined OpenVPN tunnels. Up to 5 OpenVPN tunnels can be defined on the GWR router. OpenVPN Summary and OpenVPN Settings are briefly displayed in the following figures and tables. OpenVPN Summary. Tunnels used: 1. Maximum number of tunnels: 5. Tunnel status description: started: OpenVPN is running; stopped: OpenVPN is not running or the tunnel is not enabled; connecting: OpenVPN is trying to establish a connection; established: tunnel is up; err
148. ters abe Use the following IP address: Choose this option if you want to manually configure TCP/IP parameters of the Ethernet port. IP Address: Type the IP address of your GWR Router in dotted decimal notation. 192.168.1.1 is the factory default IP address. The subnet mask specifies the network number portion of an IP address. The GWR Router supports subnetting. You must specify the subnet mask for your LAN TCP/IP settings. Primary Local DNS: IP address of your primary local DNS server. Secondary local DNS: IP address of your secondary local DNS server. Local Gateway: All incoming packets are forwarded to the IP address defined in this field. Reload: Click Reload to discard any changes and reload previous settings. Save: Click the Save button to save your changes back to the GWR Router. Whether you make changes or not, the router will reboot every time you click Save. Table 4. Network parameters. You can see a screenshot of the Network Tab configuration menu. Caution: Changes to IP address, subnet mask and local DNS require a reboot to take effect. Caution: Use the local gateway option carefully. The router becomes unreachable from the local subnet when this option is enabled.
149. tion Click the Network Tab to open the LAN NETWORK screen. Use this screen to configure LAN TCP/IP settings. Configure IP address and Netmask: IP Address 10.0.10.1, Subnet Mask 255.255.255.0. Press Save to accept the changes. Caution: Changes to IP address, subnet mask and local DNS require a reboot to take effect. Caution: Use the local gateway option carefully. The router becomes unreachable from the local subnet when this option is enabled. Figure 67. Network configuration page for GWR-I Router 1. Use a SIM card with a static IP address obtained from the Mobile Operator. Click the WAN Settings Tab to configure parameters necessary for the GSM/UMTS connection. All parameters necessary for connection configuration should be requested from the mobile operator. Check the status of the GSM/UMTS connection (WAN Settings Tab). If disconnected, please click the Connect button. Click VPN Settings > IPSEC to configure IPSEC tunnel parameters. Click the Add New Tunnel button to create a new IPSec tunnel. Tunnel parameters are: Add New Tunnel: Tunnel Name: IPsec tunnel; Enable: true. Local Group Setup: Local Security Gateway Type: SIM card; Local ID Type: IP Address
150. tion Network 192.168.2.0, Netmask 255.255.255.0, Interface gre_x. Figure 58. Routing configuration page for GWR-I Router 1. Optionally configure IP Filtering and TCP service port settings to block any unwanted incoming traffic. On the device connected to GWR-I Router 1, set up default gateway 192.168.4.1. The GWR-I Router 2 configuration: Click the Network Tab to open the LAN NETWORK screen. Use this screen to configure LAN TCP/IP settings. Configure IP address and Netmask: IP Address 192.168.2.1, Subnet Mask 255.255.255.0. Press Save to accept the changes. Figure 59. Network configuration page for GWR-I Router 2. Use SIM card with
151. Figure 38. Date/Time Settings configuration page. Date/Time Settings (Label: Description). Sets date and time manually as you specify it. Sets the local time using the Network Time Protocol (NTP) automatically. This field specifies Date and Time information. You can change date and time by changing parameters. Sync Clock With Client: Date and time setting on the basis of the PC calendar. Time Protocol: Choose the time protocol. Time Server Address: Time server IP address. Select your time zone. Automatically: Set up automatic synchronization with the time server. Update time every: Time interval for automatic synchronization. Click the Save button to save your changes back to the GWR-I Router. Click Reload to discard any changes and reload previous settings. Table 22. Date/time parameters. Maintenance: Diagnostics. The GWR-I Router provides a built-in tool which is used for troubleshooting network problems. The ping test bounces a packet off a machine on the Internet back to the sender. This test shows if the GWR-I Router is able to connect to the remote host. If users on the LAN are having problems accessing a service on the Internet, try to ping th
152. ts the CBC cipher mode. Hash Algorithm: Authenticate packets with HMAC using a message digest algorithm. The default is SHA1. HMAC is a commonly used message authentication algorithm (MAC) that uses a data string, a secure hash algorithm, and a key to produce a digital signature. OpenVPN's usage of HMAC is to first encrypt a packet, then HMAC the resulting ciphertext. In TLS mode, the HMAC key is dynamically generated and shared between peers via the TLS control channel. If OpenVPN receives a packet with a bad HMAC it will drop the packet. HMAC usually adds 16 or 20 bytes per packet. Set none to disable authentication. NOTE: Depending on the options selected in the previous steps, some of the following options will be available for configuration. Protocol: Selection between TCP in server or client mode and UDP protocol in connect or wait mode. TCP/UDP port: Depending on the selected protocol, the port number should be specified. LZO Compression: Check the box to enable fast adaptive LZO compression. NAT Rules: Enables NAT through the tunnel. Keep Alive: Check the box if you want to use keepalive. Ping Interval: This field specifies the target IP address for periodical traffic generated using ping in order to maintain the connection active. Ping Timeout: This field specifies ping interval for keepalive option. Generate or Paste the Pre-shared Secret. You have an additional option
153. Figure 22. OpenVPN network topology. Settings - Firewall - IP Filtering. TCP/IP traffic flow is controlled over IP address and port number through the router's interfaces in both directions. With firewall options it is possible to create a rule which exactly matches traffic of interest. Traffic can be blocked or forwarded depending on the action selected. When working with firewall rules, it is important to keep in mind that traffic for router management should always be allowed, to avoid the problem of an unreachable router. Firewall rules are checked by priority from the first to the last. Rules which come after the matching rule are skipped. Firewall General Settings. Enable: This field specifies if the Firewall is enabled at the router. Add New Rule. Applies configured rules to the router. Firewall rules: Firewall rules are evaluated from the top down. The first rule to match is executed immediately and the rest are skipped. Name: Description of the applied rule. Enabled: This field specifies if the rule is enabled in the firewall. Priority. There are three options available in this section: INPUT for traffic going to the interface, OUTGOING for traffic originated at the router going out of the interface, and FORWARD for traffic routed
154. upports up to 64 alphanumeric characters. Sets the port on which SNMP data has been sent. The default is 161. You can specify the port by marking user defined and specifying the port you want SNMP data to be sent on. Sets the interface enabled for SNMP traps. The default is Both. Click Reload to discard any changes and reload previous settings. Click the Save button to save your changes back to the GWR-I Router and enable/disable SNMP. Table 25. SNMP parameters. Syslog is a standard for forwarding log messages in an IP network. The term syslog is often used for both the actual syslog protocol as well as the application or library sending syslog messages. Syslog is a client/server protocol: the syslog sender sends a small (less than 1 KB) textual message to the syslog receiver. Syslog is typically used for computer system management and security auditing. While it has a number of shortcomings, syslog is supported by a wide variety of devices and receivers across multiple platforms. Because of this, syslog can be used to integrate log data from many different types of systems into a central repository. System Logger: Syslog Status; Disable; Local syslog; Remote local syslog; Status stopped; Local Syslog; Log to; Syslog file size KB; Event log; Enable syslog saver; Save log every hours; Remote Syslog; Service server IP
155. urce tunnel address should have a static WAN IP address. Destination tunnel address should have a static WAN IP address. GSM/UMTS APN Type: For GSM/UMTS networks, GWR-I Router connections may require a Custom APN. A Custom APN allows for various IP addressing options, particularly static IP addresses, which are needed for most VPN connections. A custom APN should also support mobile terminated data that may be required in most site-to-site VPNs. The GWR-I Router 1 configuration: Click the Network Tab to open the LAN NETWORK screen. Use this screen to configure LAN TCP/IP settings. Configure IP address and Netmask: IP Address 192.168.4.1, Subnet Mask 255.255.255.0. Press Save to accept the changes. Figure 56. Network configuration page for GWR-I Router 1. Use a SIM card with a static IP address obtained from the Mobile Operator. Note: the default gateway may show or change to an address such as 10.0.0.1; this is normal, as it is the GSM/UMTS provider's network default gateway. Click the WAN Settings Tab to configure paramet
156. Figure 130. Allowing WEB access. After configuration is finished, the SAVE button should be selected and the user is returned to the main configuration page. 7. FTP traffic is allowed. A new rule should be added by selecting the ADD NEW RULE button. Policy should be configured in the following way: Rule name: Allow FTP; Enable: selected; Chain: INPUT; Service: FTP; Protocol: TCP; Port: 21; Input interface: ppp_0; Source address: Any; Destination address: Any; Packet state: NEW; Policy: ACCEPT. After configuration is finished, the SAVE button should be selected and the user is returned to the main configuration page. Priority of the rule is changed by selecting a number in the drop-down menu. In this example number 8 is selected. 8. Access from LAN to router is allowed. This is the first rule in the predefined firewall settings: Allow ALL from local LAN. It is recommended to have this rule enabled to allow access to the management interfaces of the router. As this rule is already configured, it is enough just to enable it to have access to the router from the LAN.
157. wall table should be DROP ALL. Rule priority defines the order by which the router matches inspected packets. After the first match between a rule and a packet, no other rule is compared against the matched traffic. The firewall has 17 predefined rules for the most common usage. These 17 rules are the following: 1. Allow ALL from local LAN: All traffic originating from the local subnet is allowed to access the router's Ethernet interface. It is important to keep this rule enabled to prevent losing the local management interface. 2. Allow already established traffic: For inbound TCP only. Allows TCP traffic to pass if the packet is a response to an outbound initiated session. 3. Allow TELNET on ppp_0: Accepts telnet connections from the outside to the router's WAN interface for management over the CLI interface. 4. Allow HTTP on ppp_0: Accepts WEB traffic from the outside to the router's WAN interface for management over the WEB interface. 5. Allow PING on ppp_0 with DDoS filter: ICMP traffic to the WAN interface of the router is allowed, with prevention of Distributed Denial of Service attack. Allow RIP protocol: 6. Allow RIP on ppp_0; 7. Allow RIP on ppp_0 route. Allow GRE protocol: 8. Allow GRE tunnels on ppp_0; 9. Allow GRE Keepalive on ppp_0. Allow IPSec protocol: 10. Allow IPSec tunnels on ppp_0 protocol; 11. Allow IPSec tunnels on ppp_0 IKE; 12. Allow IPSec tunnel on ppp_0 IKE_NATt. Allow OpenVPN protocol: 13. Allow OpenVPN tunnels on ppp_0 UDP; 14. Allow OpenVPN tunnels on ppp_0 TCP
158. Figure 129. IPSec firewall rules. These three rules are enabled in the following way: select EDIT of the rule; Enable: selected; SAVE and exit. 5. SSH access is allowed from IP range 212.62.38.210-220. A new rule should be added by selecting the ADD NEW RULE button. Policy should be configured in the following way: Rule name: Allow SSH; Enable: selected; Chain: INPUT; Service: Custom; Protocol: TCP; Port: Custom 22; Input interface: ppp_0; Source address: Range 212.62.38.210 - 212.62.38.220; Destination address: Any; Packet state: NEW; Policy: ACCEPT. After configuration is finished, the SAVE button should be selected and the user is returned to the main configuration page. Priority of the rule is changed by selecting a number in the drop-down menu. In this example number 6 is selected. 6. WEB access is allowed from the 212.62.38.210 IP address. In the default firewall configuration, the rule for allowing WEB traffic is the predefined rule with priority 4 named Allow HTTP on ppp_0. This rule can be used in the example with an additional restriction of the source IP address to 212.62.38.210. Policy should be configured in the following way: Enable: selected; Source address: Single IP 212.62.38.210. All other settings should remain the same, as in the picture below.
159. yption or VPN put a heavy toll on bandwidth utilization. For example, IPsec ESP headers and trailers can add 20-30% or more overhead. GENEKO, Bul. Despota Stefana 59a, 11000 Belgrade, Serbia. Phone: 381 11 3340 591, 3340 178. Fax: 381 11 3224 437. E-mail: gwrsupport@geneko.rs. www.geneko.rs. UM GWR-I Rev A May 14
