To run IPSEC on a PC that hosts either the Control Expert configuration software or an OPC UA client (e.g. SCADA), you need to add a network configuration to the host firewall. For each IPSEC rule configured on the web pages, an associated script (named IPSecWindowsConf.bat) can be downloaded using the gear wheel icon. Run this script to put the host firewall into the proper configuration.
IKE/IPSEC in transport mode for the data flows that are local to the BMENUA0100.
IKE/IPSEC in tunnel mode for the data flows that are forwarded to the Ethernet backplane.
Passthrough rules for HTTPS, secured OPC UA and some other protocols for which the IPSEC use setting is false.
The following examples present Windows firewall configuration scripts with and without IPSEC confidentiality.
In each script example, you need to provide actual values for the following variables:
endpoint1: the remote IP address value in the IPSEC configuration.
endpoint2: the BMENUA0100 control port IP address.
Auth1psk: the PSK setting in the IPSEC configuration.
Windows Firewall Script With Confidentiality
qmsecmethods=esp:sha256-aes128
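REM Windows Firewall IPsec configuration for a PC communicating with the BMENUA0100
REM (variant WITH confidentiality: ESP integrity sha256 + AES-128 encryption).
REM Run from an elevated (Administrator) command prompt. Each netsh command must
REM stay on a single line; the line-wrapped form seen in some renderings of this
REM script does not run as a .bat file.
REM Example values to replace before use:
REM   endpoint1 (192.169.1.100) - the remote IP address value in the IPSEC
REM                               configuration; the same address is reused as
REM                               localtunnelendpoint in the tunnel rule
REM   endpoint2 (192.169.1.50)  - the BMENUA0100 control port IP address; reused
REM                               as remotetunnelendpoint in the tunnel rule
REM   auth1psk                  - the PSK setting in the IPSEC configuration
REM The PSK is stored in clear text in this file and is visible in the resulting
REM rule configuration, so restrict read access to the script.

REM Restores the Windows Firewall defaults: ALL existing rules and settings on
REM this host are discarded before the IPsec rules are added. Remove this line
REM if other rules on the host must be kept.
netsh advfirewall reset

REM Main-mode (IKE) SA lifetime: re-key after 2879 minutes. The 0sess part
REM presumably disables the per-session re-key limit - confirm against the
REM netsh advfirewall reference.
netsh advfirewall set global mainmode mmkeylifetime 2879min,0sess

REM Main-mode proposals, strongest first. dhgroup2 (1024-bit MODP) is only a
REM compatibility fallback; drop it if the BMENUA0100 negotiates dhgroup14.
netsh advfirewall set global mainmode mmsecmethods dhgroup14:aes128-sha256,dhgroup2:aes128-sha256

REM Remove earlier copies of the four rules so the script can be re-run
REM (on a fresh host netsh reports that no rule matches and the script continues).
netsh advfirewall consec delete rule name="IPSECtunnel"
netsh advfirewall consec delete rule name="IPSECtransport"
netsh advfirewall consec delete rule name="IPSECpassthroughOPCUA"
netsh advfirewall consec delete rule name="IPSECpassthroughHTTPS"

REM Transport mode for the flows local to the module: IPsec is required in both
REM directions (requireinrequireout), authenticated with the pre-shared key.
REM profile=public: the rule is inactive on an adapter classified Private or
REM Domain, so set profile= to the profile of the adapter facing the module.
REM Quick-mode SA: esp:sha256-aes128, re-keyed every 1440 minutes, no PFS (qmpfs=none).
netsh advfirewall consec add rule name="IPSECtransport" endpoint1=192.169.1.100 endpoint2=192.169.1.50 action=requireinrequireout description="IPSECtransport" mode=transport enable=yes profile=public type=static protocol=any auth1=computerpsk auth1psk= b936789cb3626d83aaaf1e3ddb84984b qmpfs=none qmsecmethods=esp:sha256-aes128+1440min

REM Passthrough (action=noauthentication) for TCP/4840 (OPC UA) and TCP/443
REM (HTTPS) on the module: these flows are exempted from IPsec and rely on
REM their own application-layer security (secured OPC UA, HTTPS).
netsh advfirewall consec add rule name="IPSECpassthroughOPCUA" endpoint1=192.169.1.100 endpoint2=192.169.1.50 action=noauthentication description="IPSECpassthroughOPCUA" mode=transport enable=yes profile=public type=static protocol=tcp port2=4840
netsh advfirewall consec add rule name="IPSECpassthroughHTTPS" endpoint1=192.169.1.100 endpoint2=192.169.1.50 action=noauthentication description="IPSECpassthroughHTTPS" mode=transport enable=yes profile=public type=static protocol=tcp port2=443

REM Tunnel mode for the flows forwarded to the Ethernet backplane: traffic
REM between 192.169.0.0/16 and 192.168.0.0/16 is tunnelled between this PC
REM (localtunnelendpoint) and the module (remotetunnelendpoint), with the same
REM PSK authentication and quick-mode settings as the transport rule.
netsh advfirewall consec add rule name="IPSECtunnel" endpoint1=192.169.0.0/16 endpoint2=192.168.0.0/16 localtunnelendpoint=192.169.1.100 remotetunnelendpoint=192.169.1.50 action=requireinrequireout description="IPSECtunnel" mode=tunnel enable=yes profile=public type=static protocol=any auth1=computerpsk auth1psk= b936789cb3626d83aaaf1e3ddb84984b qmpfs=none qmsecmethods=esp:sha256-aes128+1440min

REM Print the resulting rules for verification, then wait so the output can be read.
netsh advfirewall consec show rule name=all verbose
pause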
Windows Firewall Script Without Confidentiality
qmsecmethods=esp:sha256-None
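REM Windows Firewall IPsec configuration for a PC communicating with the BMENUA0100
REM (variant WITHOUT confidentiality: ESP integrity sha256 only, no encryption -
REM traffic is authenticated but remains readable on the wire).
REM Run from an elevated (Administrator) command prompt. Each netsh command must
REM stay on a single line; the line-wrapped form seen in some renderings of this
REM script does not run as a .bat file.
REM Example values to replace before use:
REM   endpoint1 (192.169.1.100) - the remote IP address value in the IPSEC
REM                               configuration; the same address is reused as
REM                               localtunnelendpoint in the tunnel rule
REM   endpoint2 (192.169.1.50)  - the BMENUA0100 control port IP address; reused
REM                               as remotetunnelendpoint in the tunnel rule
REM   auth1psk                  - the PSK setting in the IPSEC configuration
REM The PSK is stored in clear text in this file and is visible in the resulting
REM rule configuration, so restrict read access to the script.

REM Restores the Windows Firewall defaults: ALL existing rules and settings on
REM this host are discarded before the IPsec rules are added. Remove this line
REM if other rules on the host must be kept.
netsh advfirewall reset

REM Main-mode (IKE) SA lifetime: re-key after 2879 minutes. The 0sess part
REM presumably disables the per-session re-key limit - confirm against the
REM netsh advfirewall reference.
netsh advfirewall set global mainmode mmkeylifetime 2879min,0sess

REM Main-mode proposals, strongest first. dhgroup2 (1024-bit MODP) is only a
REM compatibility fallback; drop it if the BMENUA0100 negotiates dhgroup14.
netsh advfirewall set global mainmode mmsecmethods dhgroup14:aes128-sha256,dhgroup2:aes128-sha256

REM Remove earlier copies of the four rules so the script can be re-run
REM (on a fresh host netsh reports that no rule matches and the script continues).
netsh advfirewall consec delete rule name="IPSECtunnel"
netsh advfirewall consec delete rule name="IPSECtransport"
netsh advfirewall consec delete rule name="IPSECpassthroughOPCUA"
netsh advfirewall consec delete rule name="IPSECpassthroughHTTPS"

REM Transport mode for the flows local to the module: IPsec is required in both
REM directions (requireinrequireout), authenticated with the pre-shared key.
REM profile=public: the rule is inactive on an adapter classified Private or
REM Domain, so set profile= to the profile of the adapter facing the module.
REM Quick-mode SA: esp:sha256-None (integrity only), re-keyed every 1440
REM minutes, no PFS (qmpfs=none).
netsh advfirewall consec add rule name="IPSECtransport" endpoint1=192.169.1.100 endpoint2=192.169.1.50 action=requireinrequireout description="IPSECtransport" mode=transport enable=yes profile=public type=static protocol=any auth1=computerpsk auth1psk= b936789cb3626d83aaaf1e3ddb84984b qmpfs=none qmsecmethods=esp:sha256-None+1440min

REM Passthrough (action=noauthentication) for TCP/4840 (OPC UA) and TCP/443
REM (HTTPS) on the module: these flows are exempted from IPsec and rely on
REM their own application-layer security (secured OPC UA, HTTPS).
netsh advfirewall consec add rule name="IPSECpassthroughOPCUA" endpoint1=192.169.1.100 endpoint2=192.169.1.50 action=noauthentication description="IPSECpassthroughOPCUA" mode=transport enable=yes profile=public type=static protocol=tcp port2=4840
netsh advfirewall consec add rule name="IPSECpassthroughHTTPS" endpoint1=192.169.1.100 endpoint2=192.169.1.50 action=noauthentication description="IPSECpassthroughHTTPS" mode=transport enable=yes profile=public type=static protocol=tcp port2=443

REM Tunnel mode for the flows forwarded to the Ethernet backplane: traffic
REM between 192.169.0.0/16 and 192.168.0.0/16 is tunnelled between this PC
REM (localtunnelendpoint) and the module (remotetunnelendpoint), with the same
REM PSK authentication and quick-mode settings as the transport rule.
netsh advfirewall consec add rule name="IPSECtunnel" endpoint1=192.169.0.0/16 endpoint2=192.168.0.0/16 localtunnelendpoint=192.169.1.100 remotetunnelendpoint=192.169.1.50 action=requireinrequireout description="IPSECtunnel" mode=tunnel enable=yes profile=public type=static protocol=any auth1=computerpsk auth1psk= b936789cb3626d83aaaf1e3ddb84984b qmpfs=none qmsecmethods=esp:sha256-None+1440min

REM Print the resulting rules for verification, then wait so the output can be read.
netsh advfirewall consec show rule name=all verbose
pause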