Configuring IP Secure Communications
Introduction to IPsec
The Internet Engineering Task Force (IETF) developed and designed Internet Protocol Security (IPsec) as an open set of protocol standards that make IP communication sessions private and secure. The IPsec functionality of the BMENOP0300 module supports the data integrity and origin authentication of IP packets.
Follow the steps below to create a specific IPsec configuration on a Windows 7 PC. For more information about IPsec, refer to the Internet Engineering Task Force website (www.IETF.org).
Client-initiated communications are not supported from the BMENOP0300 module when IPsec is enabled. For example, peer-to-peer (BMENOP0300-to-BMENOP0300) communications are not supported when IPsec is enabled.
NOTE: You cannot enable the IPsec protocol and the IP Forwarding service at the same time. (You cannot build a Control Expert project when both are enabled. Refer to the table for using different services and protocols.)
Process Overview
Configure IPsec communications in these stages:

Stage 1: Policy
Stage 2: Rule
  • IP filter 1:
    • address: IP address of the first BMENOP0300 module
    • protocol: Any
    • description: BMENOP0300 module 1
  • IP filter 2:
    • address: IP address of the second BMENOP0300 module
    • protocol: Any
    • description: BMENOP0300 module 2
  NOTE: Repeat these steps for each BMENOP0300 module in your configuration.
  • action: block, permit, negotiate
  • method: SHA-1 (no encryption)
  • key expiration: 86400 seconds
  • authentication method: pre-shared key
Stage 3: General Properties
  • security policy name and description
  • policy change timeout
  • key exchange settings:
    • PFS
    • authentication timeout (2879 min.)
    • Internet Key Exchange (IKE) security methods:
      • key exchange encryption: 3DES
      • integrity: SHA1
      • Diffie-Hellman group: 1024 - medium (2)
Stage 4: Enable/Disable
Stage 5: Configuration Tool: configure the pre-shared key.
Before You Begin
Configure IPsec manually for each PC that supports IPsec:
IP Security Policy
Create an IPsec policy to define the rules for secure communications within the IPsec protocol:
1. On a Windows 7 PC, open the Administrative Tools from the Control Panel.
   NOTE: Consult your Windows 7 documentation to access the Administrative Tools.
2. Double-click Local Security Policy to open the Local Security Policy window.
3. In the left pane, expand Security Settings and double-click IP Security Policies on Local Computer.
4. In the right pane, right-click and select Create IP Security Policy... to open the IP Security Policy Wizard.
5. In the IP Security Policy Wizard, select Next, then:
   a. Assign a name to the new security policy in the Name field.
   b. Provide a description of the new policy in the Description field. (This step is optional.)
6. Select Next to proceed to the Requests for Secure Communication window.
7. De-select the Activate the default ... check box and select Next to open the Completing the IP Security Policy Wizard window.
8. De-select the Edit properties check box and select Finish.
NOTE: The new security policy appears in the right pane of the IP Security Policies on Local Computer window. You can double-click the security policy at any time to access its Properties window.
IP Security Rule
Configure an IPsec rule so that the IPsec configuration can monitor traffic between the application layer and the network layer:

1. In Windows 7, double-click the policy to open the Properties window.
2. Select the Rules tab.
3. Select Add... to open the Create IP Security Rule Wizard.
4. Select Next to configure the Tunnel Endpoint.
5. Select This rule does not specify a tunnel to use the transport mode of the IPsec protocol.
6. Select Next to configure the Network Type.
7. Select the All network connections option button to apply the policy to local and remote connections.
8. Select Next to access the IP Filter List configuration.
NOTE: The IP Filter List identifies the traffic that is processed through the IPsec rule.
IP Filter List
IPsec uses packet filters to evaluate communication packets according to the services they connect to. Packet filters sit between the endpoints of a peer-to-peer connection and verify that the packets adhere to the established administrative rules for communications.
Every IP filter in a single IP filter list has the same source IP address (the PC that sends the communication packets); the destination IP addresses (the BMENOP0300 modules) differ from filter to filter.
Create a filter list that contains the IP addresses for the BMENOP0300 modules that can communicate with the source (PC):
1. In Windows 7, in the IP filter lists table of the Security Rule Wizard, click Add to create a new IP filter list:
   a. Assign a name to the new filter list in the Name field.
   b. Provide a description of the new filter list in the Description field. (This step is optional.)
2. Select Add to open the IP Filter Wizard and select Next.
3. Provide an optional description of the new IP filter in the Description field.
4. Select the Mirrored check box to communicate in both directions (source and destination).
5. Select Next to configure the IP Traffic Source.
6. Select My IP Address to designate the PC as one endpoint of the secure communications.
7. Select Next to configure the IP Traffic Destination.
8. Select A specific IP Address or Subnet and enter the IP address of the BMENOP0300 module in your configuration. (The BMENOP0300 module is the only destination for this traffic.)
9. Select Next to configure the IP Protocol Type and select Any to allow all traffic from the trusted IP address.
10. Select Next to view the Completing the IP Filter Wizard window.
11. De-select the Edit properties check box, and select Finish to return to the IP Filter List.
12. Select OK to exit the IP Filter List.
IP Filter Actions
Configure filter actions:

1. In Windows 7, in the Name column of the IP Filter List, select the option button for the newly created IP filter list and click Next to configure the Filter Action.
2. Select the Use Add Wizard check box.
3. Select Add to open the Filter Action Wizard.
4. Select Next to configure the Filter Action Name:
   a. Enter a name for the filter action in the Name field.
   b. Provide an optional description of the new filter action in the Description field, and select Next.
5. Select Negotiate security and Next.
   NOTE: The source and destination addresses agree on a method for secure communication before packets are sent.
6. Select Do not allow unsecure communication, and select Next.
7. Select Custom in the IP Traffic Security window, and select Settings to customize the settings:
   a. Select Data and Address integrity without encryption, and select SHA1 in the list to use Secure Hash Algorithm 1.
   b. De-select the Data integrity with encryption check box to disable the Encapsulating Security Payload (ESP).
   c. Select the Generate a new key every check box, and enter 86400 in the seconds field so that the key negotiated by IKE expires after 86400 seconds (24 hours).
   d. Select OK to return to the IP Traffic Security configuration.
8. Select Next.
9. Select the Edit properties check box, and select Finish.
10. Do not select the Use session key perfect forward secrecy (PFS) check box.
11. Select OK.
Authentication Method
Source and destination devices can agree on a secret text string before communications begin. Such a string is called a pre-shared key.
Configure the authentication method to use a pre-shared key:

1. In Windows 7, in the Name column of the Filter Actions, select the option button for the newly created filter action, and click Next to configure the Authentication Method.
2. Select the Use this string to protect the key exchange (preshared key) check box.
3. In the text field, enter any 16 ASCII characters to create a case-sensitive pre-shared key.
   NOTE: At the end of this process, you will configure an identical pre-shared key on the BMENOP0300 module so that the connection between the specific IP address and the module can be established.
4. Select Next.
5. De-select the Edit properties check box, and select Finish.
IP Security Policy General Properties
Configure the general properties:

1. In Windows 7, in the Properties window, select the General tab.
2. Click Settings to open the Key Exchange Settings window.
3. Do not select the Master key perfect forward secrecy (PFS) check box.
4. In the minutes field, enter 2879 to set the key lifetime to 2879 minutes (47 hours and 59 minutes).
5. Click Methods... to open the Key Exchange Security Methods window.
6. Click Edit to open the IKE Security Algorithms window.
7. In the three lists, make these selections:
   • Integrity algorithm: SHA1 (Secure Hash Algorithm 1)
   • Encryption algorithm: 3DES (Triple Data Encryption Algorithm)
   • Diffie-Hellman group: Medium (2) (generates 1024 bits of master key material)
8. Select OK to return to the Key Exchange Security Methods window.
9. Select OK to return to the Key Exchange Settings window.
10. Select OK to return to the Properties window.
11. Select OK to close the Properties window.
Enable and Disable the Policy
Assign or un-assign a local security policy to enable or disable secure communications:

1. In Windows 7, open Local Security Policy in Administrative Tools.
2. Right-click the name of the new local security policy in the Name column and make a selection:
   • Assign: Assign the local security policy to enable communications to the IPsec-enabled PC.
   • Un-assign: Un-assign the local security policy to disable communications to the PC.

The IPsec policy agent is not running if you see the message "The service cannot be started." In that case, configure the service to start automatically:

1. In Windows 7, expand (+) Administrative Tools.
2. Double-click Services to access the local services.
3. Double-click IPsec Policy Agent to open its properties.
4. Select the General tab.
5. In the Startup type list, select Automatic.
6. Under Service status, select Start.
   NOTE: When Start is grayed out, the service is already running.
7. Select OK to apply the changes and close the window.
NOTE: When you enable IPsec, the Ethernet backplane port of the BMENOP0300 module is disabled. This isolates the IPsec network (control room network) from the device network. (Refer to the table for using different services and protocols.)
Configure IPsec in the Configuration Tool
Enable IPsec and set the pre-shared key:

1. Open your Control Expert project.
2. In the configuration tool, double-click the name that you assigned to the BMENOP0300 module to open the configuration window.
   NOTE: You can also right-click the module and select Open to open the configuration window.
3. Select Security to view the configuration options.
4. In the IPsec menu, select Enabled.
5. In the Pre-Shared Key field, enter the 16-character pre-shared key.
   NOTE: The ASCII characters in the case-sensitive pre-shared key must match the 16-character pre-shared key that you defined earlier in Windows.
6. Select the Apply button to save the configuration.
7. Rebuild the project and download the application to apply these settings to the BMENOP0300 module.
Troubleshooting IPsec Communications
Use the standard Windows 7 IPsec diagnostic tools to troubleshoot IPsec communications. For example, these steps use the IP Security Monitor snap-in of the Microsoft Management Console (MMC):

1. In Windows 7, create a console that includes an IP Security Monitor.
2. Click a server name.
3. Double-click Quick Mode.
4. Double-click Statistics to see the number of authenticated bytes that are sent and received.
NOTE:
  • You cannot reset the values. To refresh the count values, relaunch the Microsoft Management Console.
  • Disable IP Forwarding before you enable IPsec. IPsec applies to a single IP address.
Use a Wireshark network analyzer to confirm that IPsec communications have started for an established IKE session. Once the IKE negotiation completes, protected packets carry an IPsec Authentication Header (IP protocol 51) in place of the normal upper-layer protocol header after the IP header. This table shows an example of a network trace of a successful IKE session that was established by a ping request between a Windows 7 PC (source, 192.168.20.201) and a BMENOP0300 module (destination, 192.168.20.1):

Number | Time     | Source         | Destination    | Protocol | Length | Information
1      | 0        | 192.168.20.201 | 192.168.20.1   | ISAKMP   | 342    | Identity Protection (Main Mode)
2      | 0.00477  | 192.168.20.1   | 192.168.20.201 | ISAKMP   | 126    | Identity Protection (Main Mode)
3      | 0.012426 | 192.168.20.201 | 192.168.20.1   | ISAKMP   | 254    | Identity Protection (Main Mode)
4      | 1.594495 | 192.168.20.1   | 192.168.20.201 | ISAKMP   | 270    | Identity Protection (Main Mode)
5      | 1.598533 | 192.168.20.201 | 192.168.20.1   | ISAKMP   | 110    | Identity Protection (Main Mode)
6      | 1.603296 | 192.168.20.1   | 192.168.20.201 | ISAKMP   | 110    | Identity Protection (Main Mode)
7      | 1.612634 | 192.168.20.201 | 192.168.20.1   | ISAKMP   | 366    | Quick Mode
8      | 3.202976 | 192.168.20.1   | 192.168.20.201 | ISAKMP   | 374    | Quick Mode
9      | 3.207794 | 192.168.20.201 | 192.168.20.1   | ISAKMP   | 102    | Quick Mode
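To read such a trace programmatically rather than by eye, here is an added Python example (not Schneider Electric code) that classifies raw IPv4 packets the way the Information column above does: UDP/500 traffic is ISAKMP, decoded to Main Mode or Quick Mode from the exchange-type byte, and IP protocol 51 is the Authentication Header. It assumes packets without a link-layer header; the sample packets are constructed, with only the addresses taken from the trace.

```python
import struct

ISAKMP_PORT, IP_PROTO_UDP, IP_PROTO_AH = 500, 17, 51
# ISAKMP exchange types (RFC 2408): the text Wireshark shows in the Information column
EXCHANGE_TYPES = {2: "Identity Protection (Main Mode)", 32: "Quick Mode"}

def classify(pkt: bytes) -> dict:
    """Return {src, dst, kind, info} for one raw IPv4 packet (no link-layer header)."""
    body = pkt[(pkt[0] & 0x0F) * 4:]              # skip IHL*4 header bytes
    proto = pkt[9]
    src, dst = (".".join(map(str, pkt[i:i + 4])) for i in (12, 16))
    if proto == IP_PROTO_UDP:
        sport, dport = struct.unpack("!HH", body[:4])
        if ISAKMP_PORT in (sport, dport):
            # After the 8-byte UDP header: 8 init SPI, 8 resp SPI, next payload, version, exchange type
            exch = body[8 + 18]
            return dict(src=src, dst=dst, kind="ISAKMP",
                        info=EXCHANGE_TYPES.get(exch, f"exchange type {exch}"))
        return dict(src=src, dst=dst, kind="UDP", info=f"port {dport}, not IKE")
    if proto == IP_PROTO_AH:
        # AH header (RFC 4302): next header, payload len, reserved, SPI, sequence, then ICV
        next_hdr, plen, _, spi, seq = struct.unpack("!BBHII", body[:12])
        ah_len = (plen + 2) * 4                   # payload len is in 32-bit words minus 2
        return dict(src=src, dst=dst, kind="AH",
                    info=f"SPI 0x{spi:08x} seq {seq} protects IP proto {next_hdr} ({ah_len}-byte AH)")
    return dict(src=src, dst=dst, kind=f"proto {proto}", info="no IPsec protection")

def ipv4(proto: int, src: str, dst: str, payload: bytes) -> bytes:
    """Minimal IPv4 header for the constructed samples (checksum left zero)."""
    def addr(a): return bytes(int(o) for o in a.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, addr(src), addr(dst)) + payload

def isakmp(src: str, dst: str, exchange_type: int) -> bytes:
    """Constructed IKEv1 packet: bare 28-byte ISAKMP header over UDP 500 -> 500."""
    hdr = struct.pack("!8s8sBBBBII", b"\x11" * 8, b"\x22" * 8, 1, 0x10, exchange_type, 0, 0, 28)
    return ipv4(IP_PROTO_UDP, src, dst, struct.pack("!HHHH", 500, 500, 8 + len(hdr), 0) + hdr)

# Constructed samples: addresses follow the trace above; the bytes are not real capture data
PC, MODULE = "192.168.20.201", "192.168.20.1"
ICMP_ECHO = b"\x08\x00" + b"\x00" * 6
SAMPLES = [
    isakmp(PC, MODULE, 2),                                          # Main Mode
    isakmp(MODULE, PC, 32),                                         # Quick Mode
    ipv4(IP_PROTO_AH, PC, MODULE,                                   # AH-protected ping (12-byte ICV)
         struct.pack("!BBHII", 1, 4, 0, 0x1234ABCD, 7) + b"\x00" * 12 + ICMP_ECHO),
    ipv4(1, PC, MODULE, ICMP_ECHO),                                 # plain ping: IPsec not active
]

def summarize(packets=SAMPLES) -> list:
    return [f"{p['src']} -> {p['dst']} {p['kind']}: {p['info']}" for p in map(classify, packets)]
```

A plain ping that shows up as `proto 1: no IPsec protection` after the Quick Mode exchange means the policy is not applied to that traffic; an `AH` line with an advancing sequence number means the security association is in use.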
Use these solutions to facilitate communications when IPsec is enabled:

Behavior: There is no communication with the BMENOP0300 when IPsec is enabled on the Windows PC.
  • Explanation: The IPsec policy agent is not running. Solution: Configure IPsec to start automatically.
  • Explanation: IPsec is not enabled on the BMENOP0300. Solution: Enable IPsec on the Security tab of the configuration tool.
  • Explanation: IPsec is not configured properly in Windows. Solution: See NOTE 1 (below).
Behavior: Control Expert cannot connect to the BMENOP0300 via Ethernet.
  • Explanation: IPsec is not enabled on both the BMENOP0300 and the Windows PC. Solution: See NOTE 2 (below).
  • Explanation: IPsec is not configured properly in Windows. Solution: See NOTE 1 (below).
  • Explanation: The power to the BMENOP0300 module was recently cycled. Solution: See NOTE 3 (below).
Behavior: The firmware update tool is not able to connect to the BMENOP0300 via Ethernet.
  • Explanation: IPsec is not enabled on both the BMENOP0300 and the Windows PC. Solution: See NOTE 2 (below).
  • Explanation: IPsec is not configured properly in Windows. Solution: See NOTE 1 (below).
  • Explanation: The power to the BMENOP0300 was recently cycled. Solution: See NOTE 3 (below).
  • Explanation: The IKE and IPsec ports may be blocked by a firewall or another program associated with antivirus applications. Solution: See NOTE 4 (below).
NOTE 1: Confirm that the parameters in the Windows configuration match those in the IPsec implementation:
  • Double-check the pre-shared key.
  • Double-check the IP address of the BMENOP0300 module in the configuration tool.
  • Disable Perfect Forward Secrecy for both communication endpoints in Windows.
NOTE 2: Verify that IPsec is enabled both in the configuration tool and in the Local Security Policy.
NOTE 3: Choose a solution:
  • Wait 5 minutes for the Windows security associations to time out.
  • Un-assign and then re-assign the local security policy in Windows to force the security associations to be reset.
NOTE 4: Verify that the IKE port (UDP 500) and IPsec Authentication Header traffic (IP protocol 51) are allowed through any firewall between the PC application and the PAC, including the firewalls associated with antivirus applications (like McAfee or Symantec).