Configuring IP Secure Communications
Original instructions
Introduction to IPsec
The Internet Engineering Task Force (IETF) developed and designed Internet Protocol Security (IPsec) as an open set of protocol standards that make IP communication sessions private and secure. The IPsec functionality of the BMENOC0321 module supports the data integrity and origin authentication of IP packets.
Follow the steps below to create a specific IPsec configuration on a Windows 7 PC. For more information about IPsec, refer to the Internet Engineering Task Force website (www.IETF.org).
Client-initiated communications are not supported from the BMENOC0321 Ethernet communication module when IPsec is enabled. For example, peer-to-peer (BMENOC0321-to-BMENOC0321) communications are not supported when IPsec is enabled.
NOTE:
  • You cannot enable the IPsec protocol and the IP Forwarding service at the same time. (You cannot build a Control Expert project when both are enabled. Refer to the table for using different services and protocols.)
  • Use Unity Pro 11.1 with DTM v3.6.x (and later) to run IPsec.
Process Overview
Configure IPsec communications in these stages:
Stage 1: Policy
Stage 2: Rule
  • IP filter 1:
    • address: IP address of the first BMENOC0321 module.
    • protocol: Any
    • description: BMENOC0321 module 1
  • IP filter 2:
    • address: IP address of the second BMENOC0321 module.
    • protocol: Any
    • description: BMENOC0321 module 2
  NOTE: Repeat these steps for each BMENOC0321 module in your configuration.
  • action: block, permit, negotiate
  • method: SHA-1 (no encryption)
  • key expiration: 86400 (seconds)
  • authentication method: pre-shared key
Stage 3: General properties
  • security policy name and description
  • policy change timeout
  • key exchange settings:
    • PFS
    • authentication timeout (2879 min.)
    • Internet Key Exchange (IKE) security methods
      • key exchange encryption: 3DES
      • integrity: SHA1
      • Diffie-Hellman group: 1024 - medium (2)
Stage 4: Enable/Disable
Stage 5: DTM
  • Configure the pre-shared key in the Control Expert DTM.
Before You Begin
Configure IPsec manually for each PC that supports IPsec:
IP Security Policy
Create an IPsec policy to define the rules for secure communications within the IPsec protocol:
1. On a Windows 7 PC, open the Administrative Tools from the Control Panel.
   NOTE: Consult your Windows 7 documentation to access the Administrative Tools.
2. Double-click Local Security Policy to open the Local Security Policy window.
3. In the left pane, expand Security Settings and double-click IP Security Policies on Local Computer.
4. In the right pane, right-click and scroll to Create IP Security Policy ... to open the Policy Wizard.
5. In the IP Security Policy Wizard, press the Next button:
   a. Assign a name to the new security policy in the Name field.
   b. Provide a description of the new policy in the Description field (this step is optional).
6. Press the Next button to proceed to the Requests for Secure Communication window.
7. Uncheck the check box (Activate the default ...) and press Next to open the Completing the IP Security Policy Wizard window.
8. Uncheck the Edit properties check box and press Finish.
NOTE: The new security policy appears in the right pane of the IP Security Policies on Local Computer window. You can double-click the security policy at any time to access its Properties window.
IP Security Rule
Configure an IPsec rule so that the IPsec policy monitors traffic between the application layer and the network layer:
1. In Windows 7, double-click the policy to open the Properties window.
2. Select the Rules tab.
3. Press Add... to open the Create IP Security Rule Wizard.
4. Press Next to configure the Tunnel Endpoint.
5. Select This rule does not specify a tunnel to use transport mode within the IPsec protocol.
6. Press Next to configure the Network Type.
7. Select the All network connections option button to apply the policy to local and remote connections.
8. Press Next to access the IP Filter List configuration.
NOTE: The IP Filter List identifies the traffic that is processed through the IPsec rule.
IP Filter List
IPsec uses packet filters to evaluate communication packets according to their connections to various services. Packet filters are located between the endpoints of a peer-to-peer connection to verify that the packets adhere to the established administrative rules for communications.
Every IP filter in a single IP filter list shares the same source IP address (the PC that sends the communications packets). The destination IP addresses (the BMENOC0321 modules) differ from filter to filter.
Create a filter list that contains the IP addresses for the BMENOC0321 modules that can communicate with the source (PC):
1. In Windows 7, in the IP filter lists table of the Security Rule Wizard, click Add to create a new IP filter list:
   a. Assign a name to the new filter list in the Name field.
   b. Provide a description of the new filter list in the Description field (this step is optional).
2. Press Add to open the IP Filter Wizard and press Next.
3. Provide an optional description of the new IP filter in the Description field.
4. Check the Mirrored check box to communicate in both directions (source and destination).
5. Press Next to configure the IP Traffic Source.
6. Scroll to My IP Address to designate the PC as one endpoint of the secure communications.
7. Press Next to configure the IP Traffic Destination.
8. Scroll to A specific IP Address or Subnet and enter the IP address of a BMENOC0321 module in your configuration. (The BMENOC0321 module is the only destination for this traffic.)
9. Press Next to configure the IP Protocol Type and select Any to allow traffic from the trusted IP address.
10. Press Next to view the Completing the IP Filter Wizard window.
11. Uncheck the Edit properties check box and press Finish to return to the IP Filter List.
12. Press OK to exit the IP Filter List.
IP Filter Actions
Configure filter actions:
1. In Windows 7, in the Name column of the IP Filter List, select the option button for the newly created IP filter list and click Next to configure the Filter Action.
2. Check the Use Add Wizard check box.
3. Press Add to open the Filter Action Wizard.
4. Press Next to configure the Filter Action Name:
   a. Enter a name for the Filter Action in the Name field.
   b. Provide an optional description of the new Filter Action in the Description field and press Next.
5. Select Negotiate security and press Next.
   NOTE: The source and destination addresses agree on a method for secure communication before packets are sent.
6. Select Do not allow unsecure communication and press Next.
7. Select Custom in the IP Traffic Security window and press Settings to customize the settings:
   a. Select Data and Address integrity without encryption and select SHA1 in the pull-down menu to use Secure Hash Algorithm 1.
   b. De-select Data integrity with encryption to disable the Encapsulating Security Payload (ESP).
   c. Check the Generate a new key every check box and enter 86400 in the seconds field so that a new session key is generated every 86400 seconds.
   d. Press OK to return to the IP Traffic Security configuration.
8. Press Next.
9. Check the Edit properties check box and press Finish.
10. Do not check the Use session key perfect forward secrecy (PFS) check box.
11. Press OK.
Authentication Method
Source and destination devices can agree to use a secret text string before communications begin. In this case, the string is called a pre-shared key.
Configure the authentication method to use a pre-shared key:
1. In Windows 7, in the Name column of the Filter Actions list, select the option button for the newly created filter action and click Next to configure the Authentication Method.
2. Check the Use this string to protect the key exchange (preshared key) check box.
3. In the text field, enter a case-sensitive pre-shared key of 16 ASCII characters.
   NOTE: At the end of this process, you configure an identical pre-shared key in the Control Expert DTM to create a connection between a specific IP address and the BMENOC0321 module.
4. Press Next.
5. Uncheck the Edit properties check box and press Finish.
IP Security Policy General Properties
Configure the general properties:
1. In Windows 7, in the Properties window, select the General tab.
2. Click Settings to open the Key Exchange Settings window.
3. Do not check the Master key perfect forward secrecy (PFS) check box.
4. In the minutes field, enter 2879 to set the key lifetime to 2879 minutes (47 hours and 59 minutes).
5. Click Methods... to open the Key Exchange Security Methods window.
6. Click Edit to open the IKE Security Algorithms window.
7. In the three pull-down menus, make these selections:
   • Integrity algorithm: SHA1 (Secure Hash Algorithm 1)
   • Encryption algorithm: 3DES (Triple Data Encryption Algorithm)
   • Diffie-Hellman group: Medium (2) (generates 1024 bits of master key material)
8. Press OK to return to the Key Exchange Security Methods window.
9. Press OK to return to the Key Exchange Settings window.
10. Press OK to return to the Properties window.
11. Press OK to close the Properties window.
Enable and Disable the Policy
Assign or un-assign a local security policy to enable and disable secure communications:
1. In Windows 7, open Local Security Policy in Administrative Tools.
2. Right-click the name of the new local security policy in the Name column and make a selection:
   • Assign: Assign the local security policy to enable communications to the IPsec-enabled PC.
   • Un-assign: Un-assign the local security policy to disable communications to the PC.
The IPsec policy agent does not run if you see this message: "The service cannot be started ...." In that case, configure the service to start automatically:
1. In Windows 7, expand (+) Administrative Tools.
2. Double-click Services to access the local services.
3. Double-click IPsec Policy Agent to open its properties.
4. Select the General tab.
5. In the Startup type pull-down menu, scroll to Automatic.
6. In the Service status, press Start.
   NOTE: When Start is grayed out, the service is already running.
7. Press OK to apply the changes and close the window.
NOTE: When you enable IPsec, the DTM automatically disables the backplane Ethernet port on the BMENOC0321. This isolates the IPsec network (control room network) from the device network. (Refer to the table for using different services and protocols.)
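The Windows part of the procedure (stages 1 to 4 above) can also be applied as a script. The following is an added example written for this page, not Schneider's or Microsoft's code. It uses the netsh ipsec static context, which manages the same IP Security Policies on Local Computer store that the wizard writes to, and sets the values the steps above select: no default response rule, an AH/SHA1 filter action without ESP, no session-key or master-key PFS, an 86400-second session key lifetime, a 2879-minute IKE key lifetime, and 3DES/SHA1/Diffie-Hellman group 2. The policy, filter list, filter action and rule names and the module addresses are assumptions; the kilobyte key lifetime is an assumption too, because netsh takes both lifetime values where the wizard asks only for seconds.

```powershell
<#
  Added example (editor's code, not Schneider's or Microsoft's): builds the local
  IPsec policy that the Windows 7 GUI steps produce, via "netsh ipsec static".
  Run from an elevated PowerShell prompt on the Windows 7 PC, for example:
      .\Set-BmenocIpsec.ps1 -PreSharedKey (Read-Host "Pre-shared key")
  Object names and module addresses below are assumptions / constructed values.
#>
param(
    # One entry per BMENOC0321 module (constructed sample addresses).
    [string[]] $ModuleAddresses = @("192.168.20.1", "192.168.20.2"),
    # 16 ASCII characters, case-sensitive, identical to the value entered in the DTM.
    [Parameter(Mandatory = $true)] [string] $PreSharedKey
)
$ErrorActionPreference = "Stop"

if ($PreSharedKey -notmatch '^[\x20-\x7E]{16}$') {
    throw "The pre-shared key must be exactly 16 printable ASCII characters."
}

# Object names are assumptions; any unique names work.
$Policy       = "BMENOC0321-IPsec"
$FilterList   = "BMENOC0321-Filters"
$FilterAction = "BMENOC0321-AH-SHA1"
$Rule         = "BMENOC0321-Rule"

function Invoke-Netsh {
    # Runs one netsh command and echoes it (pre-shared key masked) so that a
    # transcript records exactly what was applied.
    param([string[]] $NetshArgs)
    $shown = $NetshArgs | ForEach-Object { if ($_ -like "psk=*") { "psk=****" } else { $_ } }
    Write-Host ("netsh " + ($shown -join " "))
    & netsh.exe @NetshArgs
    if ($LASTEXITCODE -ne 0) { throw "netsh returned exit code $LASTEXITCODE" }
}

# Stage 1 (policy) and stage 3 (general properties): no default response rule,
# no master-key PFS, 2879-minute key lifetime, IKE methods 3DES / SHA1 / DH group 2 (1024 bits).
Invoke-Netsh @("ipsec", "static", "add", "policy", "name=$Policy",
    "description=Secure communications with BMENOC0321 modules",
    "activatedefaultrule=no", "mmpfs=no", "mmlifetime=2879", "mmsecmethods=3DES-SHA1-2")

# Stage 2, IP filter list: one mirrored filter per module, source = this PC, any protocol.
Invoke-Netsh @("ipsec", "static", "add", "filterlist", "name=$FilterList",
    "description=BMENOC0321 modules reachable from this PC")
$n = 0
foreach ($addr in $ModuleAddresses) {
    $n++
    Invoke-Netsh @("ipsec", "static", "add", "filter", "filterlist=$FilterList",
        "srcaddr=me", "dstaddr=$addr", "protocol=ANY", "mirrored=yes",
        "description=BMENOC0321 module $n")
}

# Stage 2, filter action: negotiate AH with SHA-1 (no ESP), no fall-back to clear
# text, no session-key PFS, new key every 86400 s.  The kilobyte lifetime
# (100000k) is an assumption: the GUI steps set only the seconds value.
Invoke-Netsh @("ipsec", "static", "add", "filteraction", "name=$FilterAction",
    "action=negotiate", "qmsecmethods=AH[SHA1]:100000k/86400s",
    "inpass=no", "soft=no", "qmpfs=no")

# Stage 2, rule: no tunnel endpoint (transport mode), all network connections,
# pre-shared key authentication only.
Invoke-Netsh @("ipsec", "static", "add", "rule", "name=$Rule", "policy=$Policy",
    "filterlist=$FilterList", "filteraction=$FilterAction", "conntype=all",
    "kerberos=no", "psk=$PreSharedKey")

# Stage 4: the IPsec Policy Agent must start automatically and be running before
# the policy is assigned (assign=no un-assigns it again, as in the GUI).
Set-Service -Name PolicyAgent -StartupType Automatic
if ((Get-Service -Name PolicyAgent).Status -ne "Running") { Start-Service -Name PolicyAgent }
Invoke-Netsh @("ipsec", "static", "set", "policy", "name=$Policy", "assign=yes")

# Show the resulting local policies, including the Assigned state.
& netsh.exe ipsec static show policy all
```

The pre-shared key is taken as a parameter and masked in the echoed commands so that it does not end up in a transcript or shell history; keep it out of the script file itself. After running the script, the new policy appears in the IP Security Policies on Local Computer window exactly as after the wizard steps, and the same pre-shared key still has to be entered in the Control Expert DTM (stage 5).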
Configure IPsec in the Control Expert DTM
Enable IPsec and set the pre-shared key in the Control Expert DTM:
1. Open your Control Expert project.
2. Open the DTM Browser (Tools → DTM Browser).
3. In the DTM Browser, double-click the name that you assigned to the BMENOC0321 module to open the configuration window.
   NOTE: You can also right-click the module and select Open to open the configuration window.
4. Select Security in the navigation tree to view the configuration options.
5. In the IPsec menu, select Enabled.
6. In the Pre-Shared Key field, enter the 16-character pre-shared key.
   NOTE: The ASCII characters in the case-sensitive pre-shared key must match the 16-character pre-shared key that you defined earlier.
7. Press the Apply button to save the configuration.
8. Rebuild the project and download the application to apply these settings to the BMENOC0321 module.
Troubleshooting IPsec Communications
Use the standard Windows 7 IPsec diagnostic tools to troubleshoot IPsec communications. For example, these steps use the IP Security Monitor snap-in of the Microsoft Management Console (MMC):
1. In Windows 7, create a console that includes an IP Security Monitor.
2. Click a server name.
3. Double-click Quick Mode.
4. Double-click Statistics to see the number of authenticated bytes that are sent and received.
NOTE:
  • You cannot reset the values. To refresh the count values, relaunch the Microsoft Management Console.
  • Disable IP Forwarding before you enable IPsec. IPsec applies to a single IP address.
Use a Wireshark network analyzer to confirm that IPsec communications have started for an established IKE session. IPsec packets have an authentication header instead of the normal protocol header. This table shows an example of a network trace of a successful IKE session that was established by a ping request between a Windows 7 PC (source) and BMENOC0321 module (destination):
Number  Time      Source          Destination     Protocol  Length  Information
1       0         192.168.20.201  192.168.20.1    ISAKMP    342     Identity Protection (Main Mode)
2       0.00477   192.168.20.1    192.168.20.201  ISAKMP    126     Identity Protection (Main Mode)
3       0.012426  192.168.20.201  192.168.20.1    ISAKMP    254     Identity Protection (Main Mode)
4       1.594495  192.168.20.1    192.168.20.201  ISAKMP    270     Identity Protection (Main Mode)
5       1.598533  192.168.20.201  192.168.20.1    ISAKMP    110     Identity Protection (Main Mode)
6       1.603296  192.168.20.1    192.168.20.201  ISAKMP    110     Identity Protection (Main Mode)
7       1.612634  192.168.20.201  192.168.20.1    ISAKMP    366     Quick Mode
8       3.202976  192.168.20.1    192.168.20.201  ISAKMP    374     Quick Mode
9       3.207794  192.168.20.201  192.168.20.1    ISAKMP    102     Quick Mode
Use these solutions to facilitate communications when IPsec is enabled:
Behavior: There is no communication with the BMENOC0321 when IPsec is enabled on the Windows PC.
  • Explanation: The IPsec policy agent is not running.
  • Explanation: IPsec is not enabled on the BMENOC0321.
    Solution: Enable IPsec on the Security tab of the BMENOC0321 DTM.
  • Explanation: IPsec is not configured properly in Windows.
    Solution: See NOTE 1 (below).
Behavior: Control Expert cannot connect to the BMENOC0321 via Ethernet.
  • Explanation: IPsec is not enabled on both the BMENOC0321 and the Windows PC.
    Solution: See NOTE 2 (below).
  • Explanation: IPsec is not configured properly in Windows.
    Solution: See NOTE 1 (below).
  • Explanation: The power to the BMENOC0321 was recently cycled.
    Solution: See NOTE 3 (below).
Behavior: The firmware update tool is not able to connect to the BMENOC0321 via Ethernet.
  • Explanation: IPsec is not enabled on both the BMENOC0321 and the Windows PC.
    Solution: See NOTE 2 (below).
  • Explanation: IPsec is not configured properly in Windows.
    Solution: See NOTE 1 (below).
  • Explanation: The power to the BMENOC0321 was recently cycled.
    Solution: See NOTE 3 (below).
  • Explanation: The IKE and IPsec ports may be blocked by a firewall or another program associated with antivirus applications.
    Solution: See NOTE 4 (below).
NOTE 1: Confirm that the parameters in the Windows configuration match those in the IPsec implementation:
NOTE 2: Verify that the DTM configuration and the Windows Local Security Policy are enabled for IPsec.
NOTE 3: Choose a solution:
  • Wait 5 minutes for the Windows security associations to timeout.
  • Unassign then reassign the local security policy in Windows to force the security associations to be reset.
NOTE 4: Verify that the IKE port (UDP 500) and the IPsec Authentication Header protocol (IP protocol number 51) are open on any firewall between the PC application and the PAC, including the firewalls associated with antivirus applications (like McAfee or Symantec).
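The checks behind the behavior table and NOTES 1 to 4 above, as a script to run on the Windows 7 PC. This is an added example written for this page, not Schneider's code. It reports the policy agent state, whether a local policy is assigned, and whether an IKE main mode and an IPsec quick mode security association exist with the module after a ping, and maps each failure to the table's explanation. The module address is a constructed sample value; the registry value used as the "policy assigned" indicator (ActivePolicy under the local IPsec policy store key) is the location as I know it and is labelled as an assumption in the code; the SA listings are matched only on the address string, so the exact layout of the netsh output does not matter.

```powershell
<#
  Added example (editor's code, not Schneider's): diagnostic pass for the
  behavior table.  Run from an elevated PowerShell prompt on the Windows 7 PC:
      .\Test-BmenocIpsec.ps1 -ModuleAddress 192.168.20.1
  The address is a constructed sample value.
#>
param([string] $ModuleAddress = "192.168.20.1")

function Test-BmenocIpsec {
    param([string] $Address)
    $findings = @()

    # Enable/Disable section: the IPsec Policy Agent service must be running.
    $agent = Get-Service -Name PolicyAgent
    if ($agent.Status -ne "Running") {
        $findings += "IPsec Policy Agent is $($agent.Status): set its Startup type to Automatic and start it."
    }

    # NOTE 2: a local policy must be assigned.  Assumption: the local policy store
    # records the assigned policy in ActivePolicy, empty or absent when none is assigned.
    $store  = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local"
    $active = (Get-ItemProperty -Path $store -Name ActivePolicy -ErrorAction SilentlyContinue).ActivePolicy
    if (-not $active) {
        $findings += "No local IPsec policy is assigned: assign it in Local Security Policy (NOTE 2)."
    }

    # Generate traffic that matches the filter (the trace above uses a ping) so that
    # IKE negotiates, then look for a main-mode and a quick-mode SA with the module.
    $reachable = Test-Connection -ComputerName $Address -Count 4 -Quiet -ErrorAction SilentlyContinue
    $hasMm = [bool](netsh ipsec dynamic show mmsas all | Select-String -SimpleMatch -Quiet $Address)
    $hasQm = [bool](netsh ipsec dynamic show qmsas all | Select-String -SimpleMatch -Quiet $Address)

    if (-not $hasMm) {
        $findings += "No IKE main-mode SA with ${Address}: IPsec not enabled in the DTM, pre-shared key or IKE parameters mismatched (NOTE 1), or UDP 500 blocked (NOTE 4)."
    } elseif (-not $hasQm) {
        $findings += "Main mode completed but no quick-mode SA with ${Address}: check the filter action (AH/SHA1, no ESP) and that IP protocol 51 is not blocked (NOTE 4)."
    } elseif (-not $reachable) {
        $findings += "Quick-mode SA exists but $Address does not answer: stale SA after a power cycle; wait 5 minutes or un-assign and re-assign the policy (NOTE 3)."
    }
    return $findings
}

$result = @(Test-BmenocIpsec -Address $ModuleAddress)
if ($result.Count -eq 0) {
    "IPsec communication with $ModuleAddress looks healthy; IPsec counters follow:"
    netsh ipsec dynamic show stats type=ipsec
} else {
    $result | ForEach-Object { "FINDING: $_" }
}
```

The order of the checks mirrors the table: without a running policy agent and an assigned policy nothing is negotiated, without a main-mode SA the fault is on the IKE side (UDP 500, pre-shared key, IKE algorithms), and a main-mode SA without a quick-mode SA points at the filter action or at protocol 51 being blocked. The statistics shown in the healthy case are the same counters the IP Security Monitor snap-in displays under Quick Mode → Statistics.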