Configuring IP Secure Communications
Original instructions
Introduction to IPsec
The Internet Engineering Task Force (IETF) developed and designed Internet Protocol Security (IPsec) as an open set of protocol standards that make IP communication sessions private and secure. The IPsec authentication and encryption algorithms require user-defined cryptographic keys that process the communications packets in an IPsec session.
NOTE: For more information about IPsec, refer to the Internet Engineering Task Force website (www.IETF.org).
Before You Begin
Configure IPsec manually for each PC that supports IPsec:
NOTE: When IPsec is enabled, the BMENOC0301/11 Ethernet communication module does not support client-initiated communications. In this case, therefore, there is no support for peer-to-peer communications between BMENOC0301/11 modules.
Process Overview
The IPsec configuration includes these stages:
  1. Control Expert DTM configuration
  2. Windows firewall configuration
  3. Confirmation of the IPsec connection
Control Expert DTM Configuration
Configure IPsec in the Control Expert DTM:
  1. Open your Control Expert project.
  2. Open the DTM Browser (Tools → DTM Browser).
  3. In the DTM Browser, double-click the name that you assigned to the BMENOC0301/11 module to open the configuration window.
     NOTE: You can also right-click the module and select Open to open the configuration window.
  4. Select Security in the navigation tree to view the configuration options.
  5. In the IPsec menu, select Enabled.
  6. Select the appropriate check boxes:
       • Enable DH 2048
       • Enable Confidentiality
     Security Level: with the boxes cleared the module gives higher performance; selecting the boxes gives higher security.
  7. In the Pre-Shared Key field, enter the 16-character pre-shared key.
     Valid passwords contain at least one character from each of these categories:
       • uppercase character from the classical Latin alphabet (A ... Z)
       • lowercase character from the classical Latin alphabet (a ... z)
       • base-10 digit (0 ... 9)
       • special character (~, !, @, $, %, ^, &, *, _, +, -, =, `, |, \, (, ), [, ], :, ", ', <, >)
     NOTE:
       • To help ensure cyber security, confirm that you change the password on modules that have firmware V1.05 or later.
       • You cannot reset the module to factory settings if you lose the password.
     NOTE: These characters are not accepted for use in the pre-shared key: { } ; #
  8. Click the Apply button to save the configuration.
  9. Rebuild the project and download the application to apply these settings to the BMENOC0301/11 module.
Windows Firewall Configuration
Configure the IP security policy for the Windows firewall according to the selections you made in the Control Expert DTM.
NOTE:
For each configuration command in the instructions below, the Windows operating system responds according to the validity of the command:
  • correct: When a valid command is accepted, Windows responds with OK.
  • incorrect: When a command is not valid, Windows responds with instructions. In this case, review the structure and syntax of the command.
Instructions:
  1. Open a DOS command prompt with administrator privileges.
     NOTE: These rules are enforced only when the Windows firewall is active (on). Refer to Windows help to enable the firewall.
  2. Run this advanced firewall configuration command:
     netsh advfirewall set global mainmode mmkeylifetime 2879min,0sess
  3. Run this advanced firewall configuration command:
     netsh advfirewall set global mainmode mmsecmethods dh2048_variable
     Edit dh2048_variable in the command according to your Enable DH 2048 selection:
       • unchecked: dhgroup2:aes128-sha256
       • checked: dhgroup14:aes128-sha256
  4. Edit and run this advanced firewall command to match the IP address and subnet of your PC and the IP address, subnet, and IPsec parameters of your BMENOC0301/11 module:
     netsh advfirewall consec add rule name="BMENOC0301_rule_xyz" endpoint1=xxx.xxx.xxx.xxx/xx endpoint2=yyy.yyy.yyy.yyy/yy action=requireinrequireout description="DH2048&confidentiality_state" mode=transport enable=yes profile=public type=static protocol=any auth1=computerpsk auth1psk=YourPskGoesHere qmpfs=none qmsecmethods=confidentiality_variable
     Edit the command:
       • BMENOC0301_rule_xyz: Modify to meet your application needs.
       • xxx.xxx.xxx.xxx/xx: Use the IP address of the Control Expert host (PC or device).
       • yyy.yyy.yyy.yyy/yy: Use the IP address of the BMENOC0301/11 module.
       • DH2048&confidentiality_state: Modify this description to reflect the state of the check boxes (Enable DH 2048, Enable Confidentiality).
       • YourPskGoesHere: Use the pre-shared key that is configured in the DTM.
       • confidentiality_variable: Edit according to your Enable Confidentiality selection:
           • unchecked: ah:sha256+1440min
           • checked: esp:sha256-aes128+1440min
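The following PowerShell script is an added example and is not part of the Schneider Electric documentation. It serves two passages at once: it checks a candidate pre-shared key against the rules given for DTM step 7 (16 characters, one character from each category, none of { } ; #), and it builds the three netsh commands of firewall steps 2 to 4 from the two DTM check boxes, so the main mode and quick mode proposals always match the module. The function names, parameter names, rule name, sample addresses and sample key are this example's own choices, not values from the page.

```powershell
# Added example, not part of the Schneider Electric documentation: validates a
# pre-shared key against the DTM rules and builds the netsh advfirewall commands
# for the BMENOC0301/11 IPsec setup from the two DTM check boxes.

# Special characters the DTM accepts (the page lists " and ' among them).
$script:AllowedSpecial = '~!@$%^&*_+-=`|\()[]:"''<>'.ToCharArray()
# Characters the DTM explicitly rejects in the pre-shared key.
$script:ForbiddenChars = '{};#'.ToCharArray()

function Test-IpsecPsk {
    param([Parameter(Mandatory)][string]$Psk)
    $problems = @()
    $chars = $Psk.ToCharArray()
    if ($Psk.Length -ne 16) { $problems += "length is $($Psk.Length), must be 16" }
    if (-not ($chars | Where-Object { $_ -cmatch '^[A-Z]$' })) { $problems += 'no uppercase letter A-Z' }
    if (-not ($chars | Where-Object { $_ -cmatch '^[a-z]$' })) { $problems += 'no lowercase letter a-z' }
    if (-not ($chars | Where-Object { $_ -match '^[0-9]$' }))  { $problems += 'no digit 0-9' }
    if (-not ($chars | Where-Object { $script:AllowedSpecial -ccontains $_ })) { $problems += 'no special character' }
    $bad = $chars | Where-Object { $script:ForbiddenChars -contains $_ }
    if ($bad) { $problems += "forbidden character(s): $($bad -join ' ')" }
    # Anything outside the four documented categories is rejected as well.
    $other = $chars | Where-Object {
        -not ($_ -cmatch '^[A-Za-z0-9]$' -or $script:AllowedSpecial -ccontains $_) -and
        -not ($script:ForbiddenChars -contains $_)
    }
    if ($other) { $problems += "character(s) outside the allowed set: $($other -join ' ')" }
    ,$problems   # an empty array means the key is acceptable
}

function New-IpsecNetshCommands {
    param(
        [Parameter(Mandatory)][string]$HostCidr,     # Control Expert PC, e.g. 192.168.1.10/32
        [Parameter(Mandatory)][string]$ModuleCidr,   # BMENOC0301/11 module, e.g. 192.168.1.20/32
        [Parameter(Mandatory)][string]$Psk,          # key entered in the DTM Pre-Shared Key field
        [switch]$EnableDh2048,                       # DTM check box "Enable DH 2048"
        [switch]$EnableConfidentiality,              # DTM check box "Enable Confidentiality"
        [string]$RuleName = 'BMENOC0301_rule_example'
    )
    $problems = Test-IpsecPsk -Psk $Psk
    if ($problems.Count -gt 0) { throw "pre-shared key rejected: $($problems -join '; ')" }

    # Main mode proposal follows the Enable DH 2048 box (DH group 14 is the 2048-bit group).
    $mainMode  = if ($EnableDh2048) { 'dhgroup14:aes128-sha256' } else { 'dhgroup2:aes128-sha256' }
    # Quick mode proposal follows the Enable Confidentiality box: AH authenticates only,
    # ESP additionally encrypts the payload with AES-128.
    $quickMode = if ($EnableConfidentiality) { 'esp:sha256-aes128+1440min' } else { 'ah:sha256+1440min' }
    $dhState   = if ($EnableDh2048) { 'on' } else { 'off' }
    $confState = if ($EnableConfidentiality) { 'on' } else { 'off' }
    $desc      = "DH2048_${dhState}&confidentiality_${confState}"   # mirrors the check-box state

    # auth1psk is quoted because several accepted special characters (& | ^ < >) are
    # command-prompt metacharacters; a key containing " would need further escaping.
    @(
        'netsh advfirewall set global mainmode mmkeylifetime 2879min,0sess'
        "netsh advfirewall set global mainmode mmsecmethods $mainMode"
        ("netsh advfirewall consec add rule name=""$RuleName"" endpoint1=$HostCidr endpoint2=$ModuleCidr " +
         "action=requireinrequireout description=""$desc"" mode=transport enable=yes profile=public " +
         "type=static protocol=any auth1=computerpsk auth1psk=""$Psk"" qmpfs=none qmsecmethods=$quickMode")
    )
}

# Constructed sample values: print the commands, review them, then run each one
# in an administrator command prompt.
New-IpsecNetshCommands -HostCidr '192.168.1.10/32' -ModuleCidr '192.168.1.20/32' `
    -Psk 'ExamplePsk_2024!' -EnableDh2048 -EnableConfidentiality
```

The script only emits the commands; it does not change the firewall. Running the printed lines in an elevated prompt produces the same OK responses described in the note above, and a key that fails the DTM rules is rejected before any rule is created, which avoids a policy whose PSK the module would never accept.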
Confirm the IPsec Connection
Confirm the IPsec connection after you configure the DTM and the Windows firewall:
  1. Send a constant ping from the PC to confirm that the IPsec connection is working.
     NOTE: The first few pings may time out while the connection is being established.
  2. Use a network analyzer (like Wireshark) or the Windows Security Console to confirm that the ping requests and replies are secured with IPsec.
  3. Use the standard Windows 7 or Windows 10 IPsec diagnostic tools to troubleshoot IPsec communications. For example, these steps use Microsoft Management Console (MMC) snap-ins:
     NOTE: You cannot reset the values. To refresh the count values, relaunch the Microsoft Management Console.
     a. In Windows 7 or Windows 10, create a Microsoft Management Console that includes the IP Security Monitor snap-in and the Windows Firewall with Advanced Security snap-in.
     b. In the Windows Firewall with Advanced Security snap-in, expand the Monitoring selection, then expand the Security Associations section to view the current Main Mode and Quick Mode connections. You will see entries for each active IPsec connection.
     c. In the IP Security Monitor, expand the Quick Mode selection and click Statistics to view the number of bytes that are received and sent via the secured connections.
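As an added example (not part of the Schneider Electric documentation), the confirmation steps above can be scripted: the function pings the module, then queries the same main mode and quick mode security associations that the Windows Firewall with Advanced Security snap-in lists under Monitoring. Get-NetIPsecMainModeSA and Get-NetIPsecQuickModeSA are cmdlets of the built-in NetSecurity module (Windows 8 / Server 2012 and later, so not Windows 7); the function name, the RemoteEndpoint property filter and the sample address are this example's assumptions.

```powershell
# Added example, not part of the Schneider Electric documentation: scripted
# version of the "Confirm the IPsec Connection" steps for a BMENOC0301/11 module.

function Test-ModuleIpsecSa {
    param(
        [Parameter(Mandatory)][string]$ModuleIp,   # address of the BMENOC0301/11 module
        [int]$PingCount = 10                        # first pings may time out during IKE negotiation
    )
    # -Quiet returns $true if any reply arrives; early losses are expected.
    $reachable = Test-Connection -ComputerName $ModuleIp -Count $PingCount -Quiet

    # Same data the snap-in shows under Monitoring > Security Associations.
    # RemoteEndpoint is assumed to be the peer address string.
    $mainMode  = @(Get-NetIPsecMainModeSA  -ErrorAction SilentlyContinue |
                   Where-Object { $_.RemoteEndpoint -eq $ModuleIp })
    $quickMode = @(Get-NetIPsecQuickModeSA -ErrorAction SilentlyContinue |
                   Where-Object { $_.RemoteEndpoint -eq $ModuleIp })

    [pscustomobject]@{
        ModuleIp       = $ModuleIp
        PingReplied    = $reachable
        MainModeSAs    = $mainMode.Count
        QuickModeSAs   = $quickMode.Count
        # Replies without a quick mode SA mean the traffic is not being protected
        # (or the rule endpoints do not match); both conditions are required.
        IpsecProtected = ($reachable -and $quickMode.Count -gt 0)
    }
}

Test-ModuleIpsecSa -ModuleIp '192.168.1.20'   # constructed sample address
```

Run it from an elevated PowerShell session. A result with PingReplied true but QuickModeSAs 0 points at a rule that does not cover the two endpoints rather than at the module, which narrows the troubleshooting before opening the MMC.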