User manual
Industrial mobile phone router with integrated firewall and VPN
2014-10-21
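Designation: UM EN PSI-MODEM-3G/ROUTER
Revision: 02
Software release and Order No.:
PSI-MODEM-3G/ROUTER: software release 1.04.9, Order No. 2314008
PSI-MODEM-3G-US/ROUTER: software release 1.04.9, Order No. 2903394
PSI-MODEM-GSM/ETH: software release 1.04.9, Order No. 2313355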
PHOENIX CONTACT
104672_en_02
This indicates a hazardous situation which, if not avoided, will result in death or serious injury.
WARNING
CAUTION
This symbol together with the signal word NOTE and the accompanying text
alert the reader to a situation which may cause damage or malfunction to the
device, hardware/software, or surrounding property.
This symbol and the accompanying text provide the reader with additional information or refer to detailed sources of information.
How to contact us
Internet
Up-to-date information on Phoenix Contact products and our Terms and Conditions can be
found on the Internet at:
phoenixcontact.com
Make sure you always use the latest documentation.
It can be downloaded at:
phoenixcontact.net/products
Subsidiaries
If there are any problems that cannot be solved using the documentation, please contact
your Phoenix Contact subsidiary.
Subsidiary contact information is available at phoenixcontact.com.
Published by
PHOENIX CONTACT
Table of contents
1
1.1 PSI-MODEM-3G...ROUTER
1.1.1 Ordering data
1.1.2 Technical data
1.1.3 UL notes
1.1.4 Dimensions
1.2 PSI-MODEM-GSM/ETH
1.2.1 Ordering data
1.2.2 Technical data
1.2.3 UL notes
1.2.4 Dimensions
2.1 Intended use
2.2 Safety notes
Installation
3.1
3.2
3.3 Connecting
3.3.1 Ethernet network
3.3.2 Antenna
3.3.3 Inserting the SIM card
3.3.4 Supply voltage
3.3.5 Switching inputs and switching outputs
3.4
4.1
4.2
4.3 Device information
4.3.1 Hardware
4.3.2 Radio status
4.4
4.5
4.6
4.7 VPN
4.7.1 IPsec connections (setup)
4.7.2 IPsec certificates (certificate upload)
4.7.3 IPsec status (VPN connection status)
4.7.4 OpenVPN connections (setup)
4.7.5 OpenVPN certificates (certificate upload)
4.7.6 Static keys (pre-shared secret key authentication)
4.7.7 OpenVPN status (VPN connection status)
4.8 I/O
4.8.1 Inputs (configuration)
4.8.2 Outputs (configuration)
4.8.3 Phonebook
4.8.4 Socket server
4.9 System
4.9.1 System configuration
4.9.2 User (password change)
4.9.3 Log file
4.9.4 E-mail configuration
4.9.5 Configuration up-/download
4.9.6 Date/time
4.9.7 Reboot (router)
4.9.8 Firmware update
5.1 Installing
5.2
5.3 Creating a CA certificate
5.4
5.5
5.6
Technical appendix
A1
A2
A3
A4
Appendixes
B1
B2
Index
Product description
1.1 PSI-MODEM-3G...ROUTER
The 3G routers PSI-MODEM-3G/ROUTER and PSI-MODEM-3G-US/ROUTER are high-performance routers for industrial Ethernet networks. The devices are used to securely transmit sensitive data via mobile phone networks. The integrated firewall and the VPN (Virtual Private Network) support protect your application against unauthorized access.
You can easily integrate remote stations into an IP network via a UMTS/HSPA connection. If UMTS/HSPA is not available, the system automatically switches to GPRS/EDGE.
No matter where your system or controller is located, you can access the process data via a secure VPN connection from any location.
EMC, electrical isolation and surge protection are provided for reliable and secure communication. In addition, the data link and mobile phone network quality are monitored. If required, an appropriate message is sent or the mobile phone connection is re-established.
Six configurable switching inputs allow the user to independently send an SMS or e-mail to one or several recipients.
The four integrated switching outputs can be activated using a password-protected SMS message. This enables you to remotely monitor the system state and switch functions.
Features
GPRS/EDGE quad-band (850 MHz / 900 MHz / 1800 MHz / 1900 MHz)
For PSI-MODEM-3G/ROUTER: UMTS/HSPA tri-band (850 MHz / 1900 MHz / 2100 MHz)
For PSI-MODEM-3G-US/ROUTER: UMTS/HSPA tri-band (850 MHz / 1900 MHz / 1700 MHz ... 2100 MHz AWS)
GPRS (General Packet Radio Service), EDGE (Enhanced Data Rates for GSM Evolution) and UMTS (Universal Mobile Telecommunications System)
Second SIM card holder for backup mobile phone network
Virtual dedicated line to connect networks via mobile phone network
Integrated firewall
IPsec and OpenVPN support
VPN remote start via SMS or call
Configurable inputs and outputs
Alerting via SMS, e-mail or fax directly via integrated switching input
Wide supply voltage range 10 V DC ... 30 V DC
Temperature range -25°C ... +65°C
High-quality electrical isolation (VCC // UMTS // Ethernet // PE)
Integrated surge protection
Easy configuration via web-based management (WBM)
1.1.1 Ordering data
Type: PSI-MODEM-3G/ROUTER
Order No.: 2314008
Description: Industrial UMTS/GSM router (850, 900, 1800, 1900, 2100 MHz) with Ethernet interface. Firewall, NAT, and IPsec VPN support. SMA-F antenna connector. SMS messaging. 6 digital inputs, 4 digital outputs. Configuration via web-based management.
Type: PSI-MODEM-3G-US/ROUTER
Order No.: 2903394
Description: Industrial UMTS/GSM router for the US market (850, 900, 1800, 1900, 1700 ... 2100 MHz) with Ethernet interface. Firewall, NAT, and IPsec VPN support. SMA-F antenna connector. SMS messaging. 6 digital inputs, 4 digital outputs. Configuration via web-based management.
Accessories
Type: PSI-GSM/UMTS-QB-ANT, Order No.: 2313371
Type: PSI-CAB-GSM/UMTS- 5M, Order No.: 2900980
Type: PSI-CAB-GSM/UMTS-10M, Order No.: 2900981
Type: PSI-GSM/UMTS-ANT-OMNI-2-5, Order No.: 2900982
Type: CSMA-LAMBDA/4-2.0-BS-SET, Order No.: 2800491
1.1.2 Technical data
Supply
Supply voltage range
Electrical isolation
Functions
Management
Encryption methods
ESP tunnel
Authentication
X.509v3, PSK
Transmission length
Test voltage
Supported protocols
Secondary protocols
Wireless interface
PSI-MODEM-3G-US/ROUTER
Data rate
Antenna
SIM interface
GPRS
EDGE
Multislot Class 10
UMTS
Network function
HSPA 3GPP R6
4 time slots for receiving data, 4 time slots for sending data. The PIN is saved in
the device. After a voltage interruption, the system automatically logs back into
the network. Integrated TCP/IP stack, firewall and VPN support, automatic connection establishment.
Network check
Transmission power
0.25 W
Input/output
Description of the input
Digital input
Number of inputs
10 V DC ... 30 V DC
Digital output
Number of outputs
50 mA (short-circuit-proof)
General data
Degree of protection
IP20
Dimensions (W/H/D)
45 mm x 99 mm x 114.5 mm
Weight
226 g
Housing material
PA 6.6-FR, green
1m
EN 61000-6-2
Electromagnetic compatibility
Ambient conditions
Ambient temperature (operation)
Altitude
Approvals
Conformance
CE-compliant
UL, USA/Canada
EN 61000-4-2
Electromagnetic HF field
Contact discharge
4 kV (test intensity 3)
Air discharge
8 kV (test intensity 3)
Remark
Criterion B
EN 61000-4-3
Frequency range
Field strength
10 V/m
Remark
Criterion A
EN 61000-4-4
Conducted influence
Input
1 kV (test intensity 3)
Signal
Remark
Criterion B
EN 61000-4-5
Input
1 kV (symmetrical)
2 kV (asymmetrical)
Signal
Remark
Criterion B
EN 61000-4-6
Frequency range
Voltage
10 V
Remark
Criterion A
Criterion A
Criterion B
EN 60950
EC Gazette 1999/519/EC
Wireless communication - effective use of the frequency spectrum and prevention of wireless communication interference
DIN EN 301511
1.1.3 UL notes
1.1.4 Dimensions
Figure 1-1 Dimensions of PSI-MODEM-3G...ROUTER
1.2 PSI-MODEM-GSM/ETH
The EDGE router PSI-MODEM-GSM/ETH is used for industrial Ethernet networks and securely transmits sensitive data via GSM networks. The integrated firewall and the VPN (Virtual Private Network) support protect your application against unauthorized access.
You can easily integrate remote stations into an IP network via a GPRS/EDGE connection. Quad-band technology allows the router to be used globally in all 850, 900, 1800 and 1900 MHz GSM networks.
No matter where your system or controller is located, you can access the process data via a secure VPN connection from any location.
EMC, electrical isolation and surge protection are provided for reliable and safe communication. In addition, the GPRS/EDGE service and GSM network quality are monitored. If required, an appropriate message is sent or the GSM connection is re-established.
Features
1.2.1 Ordering data
Type: PSI-MODEM-GSM/ETH
Order No.: 2313355
Description: Industrial GSM router with GPRS/EDGE for mounting on EN DIN rail. GSM and GPRS/EDGE. 850 + 900 + 1800 + 1900 MHz. Ethernet interface. Firewall and VPN support. 6 alarm inputs and 4 switching outputs. 24 V DC supply voltage.
Accessories
Type: PSI-GSM/UMTS-QB-ANT, Order No.: 2313371
Type: PSI-CAB-GSM/UMTS- 5M, Order No.: 2900980
Type: PSI-CAB-GSM/UMTS-10M, Order No.: 2900981
Type: PSI-GSM/UMTS-ANT-OMNI-2-5, Order No.: 2900982
Type: CSMA-LAMBDA/4-2.0-BS-SET, Order No.: 2800491. Description: Attachment plug with LAMBDA/4 technology as surge protection for coaxial signal interfaces. Connection: SMA connectors (plug/socket)
1.2.2 Technical data
Supply
Supply voltage range
Electrical isolation
Functions
Management
Encryption methods
ESP tunnel
Authentication
X.509v3, PSK
Transmission length
Test voltage
Supported protocols
Secondary protocols
Wireless interface
Description of the interface
Frequency
Data rate
Antenna
SIM interface
GPRS
EDGE
Multislot Class 10
Network function
4 time slots for receiving data, 4 time slots for sending data. The PIN is saved in
the device. After a voltage interruption, the system automatically logs back into
the network. Integrated TCP/IP stack, firewall and VPN support, automatic connection establishment.
Network check
Input/output
Description of the input
Digital input
Number of inputs
10 V DC ... 30 V DC
Digital output
Number of outputs
250 mA (short-circuit-proof)
General data
Degree of protection
IP20
Dimensions (W/H/D)
35 mm x 99 mm x 114.5 mm
Weight
300 g
Housing material
PA 6.6-FR, green
1m
EN 61000-6-2:2005
Electromagnetic compatibility
Ambient conditions
Ambient temperature (operation)
Altitude
Approvals
Conformance
CE-compliant
UL, USA/Canada
EN 61000-4-2
Contact discharge
Electromagnetic HF field
Air discharge
8 kV
Remark
Criterion B
EN 61000-4-3
Frequency range
6 kV
Field strength
10 V/m
Remark
Criterion A
EN 61000-4-4
Conducted influence
Input
1 kV
Signal
1 kV
Remark
Criterion A
EN 61000-4-5
Input
1 kV
2 kV
Remark
Criterion B
EN 61000-4-6
Frequency range
Voltage
10 V
Remark
Criterion A
Criterion A
Criterion B
EN 60950
EC Gazette 1999/519/EC
Wireless communication - effective use of the frequency spectrum and prevention of wireless communication interference
DIN EN 301511
1.2.3 UL notes
1.2.4 Dimensions
Figure 1-2 Dimensions of PSI-MODEM-GSM/ETH
2.1 Intended use
2.2 Safety notes
WARNING: Observe the following safety notes when using the device.
Only qualified specialist personnel may install, start up, and operate the device. National safety and accident prevention regulations must be observed.
Installation should be carried out as described in the installation notes. Access to circuits within the device is not permitted.
The device is maintenance-free. Repairs may only be carried out by the manufacturer.
The device is only intended for operation in the control cabinet and with SELV according to IEC 60950/EN 60950/VDE 0805. The device may only be connected to devices that meet the requirements of EN 60950.
Installation
3.1
3.1.1 PSI-MODEM-3G...ROUTER
Figure labels (front of PSI-MODEM-3G/ROUTER, Ord.-No. 2314008): POWER, VPN, ALR, RESET, LAN, NET, ANT, 3G, PD, SIM1, SIM2
Reset button
Power: Green
VPN: Green
ALR: Red, alarm message
NET: Yellow/green/green
3G: Green
PD: Green
SIM 1: Green
SIM 2: Green
On the back:
3.1.2 PSI-MODEM-GSM/ETH
Figure labels (front of PSI-MODEM-GSM/ETH, Ord.-No. 23 13 355): VCC, RD, TD, ALR, NET, DCD, SIM, ANT, AA, VPN, ACT, LNK, LAN
VCC: Green
RD: Green, n.c.
TD: Yellow, n.c.
ALR: Red, alarm message
NET: Yellow, network reception. On: Very good. On, briefly flashing: Good. Off, briefly flashing: Moderate.
DCD: Yellow
SIM: Red
AA: Yellow, n.c.
VPN: Green
ACT: Yellow
Link: Green
3.2
Figure 3-1
3.3 Connecting
3.3.1 Ethernet network
NOTE: Malfunction
Only use shielded twisted pair cables and corresponding shielded RJ45 connectors.
An Ethernet interface in RJ45 format is located on the front of the device. Only twisted pair cables with an impedance of 100 Ω can be connected to it.
Insert the Ethernet cable with the RJ45 connector into the TP interface until the connector engages audibly. Observe the connector coding.
Figure 3-2 RJ45 interface (pin labels in the figure: n.c., n.c., TD-, n.c., n.c., TD+, RD-, RD+)
3.3.2 Antenna
Figure 3-3
Select an antenna position providing good wireless network conditions. The LED indicators can be used to determine the receive quality.
When using the PSI-GSM/UMTS-QB-ANT antenna (Order No. 2313371), drill a hole measuring 16.5 mm in diameter in the top of the control cabinet.
Observe the following during installation: The antenna has a diameter of 76 mm and is 21 mm high. The cable is 2 m long.
Figure 3-4
3.3.3 Inserting the SIM card
Figure 3-5
Figure 3-6
Insert the SIM card so that the SIM chip remains visible.
Insert the SIM card holder together with the SIM card into the device until it is flush with the device.
PSI-MODEM-GSM/ETH
You must open the housing to access the SIM card slot inside.
Align the contact surface to the PCB and slide the SIM card into the holder. The angled corner must face upwards.
Figure 3-7
3.3.4 Supply voltage
Figure 3-8
3.3.5 Switching inputs and switching outputs
Figure 3-9
Connect the switching inputs and outputs to the respective plug-in screw terminal blocks:
You can connect 10 V DC ... 30 V DC to the switching inputs (I1 ... I6).
The short-circuit-proof switching outputs (O1 ... O4) are designed for max. 50 mA at 10 V DC ... 30 V DC.
You must connect the 0 V potential of the switching inputs and outputs to the 0 V terminal block of the voltage supply connection.
3.4
PSI-MODEM-3G...ROUTER
The 3G routers have a reset button (see "Operating and indication elements" on page 21, item 6) that can be used to temporarily reset the router's IP address and the passwords to the default settings upon delivery.
Disconnect the Ethernet cable from the LAN connection on the router.
Press and hold down the reset button for a further five seconds.
The IP address is now reset to its default address (192.168.0.1).
PSI-MODEM-GSM/ETH
The EDGE router has a covered reset button that can be used to temporarily reset the router's IP address and the passwords to the default settings upon delivery.
You must open the housing to access the reset button inside.
Figure 3-10
Disconnect the Ethernet cable from the LAN connection on the router.
Use a screwdriver to lever up the cover of the LAN connection.
Reconnect the Ethernet cable.
Press and hold down the reset button.
Disconnect the Ethernet cable again from the LAN connection on the router.
Reconnect the Ethernet cable.
Press and hold down the reset button for a further five seconds.
Connection requirements
4.2
Figure 4-1
Login window
This page protects the area in web-based management where router settings are modified.
In order to log in, you need the user name and password.
The user name is admin.
The password is admin.
For security reasons, we recommend you change the password during initial configuration (see User (password change) on page 88).
4.3 Device information
You can also access this page via user login. It displays information concerning the hardware, software and status of the router.
4.3.1 Hardware
Figure 4-2
Address
Internet
Type
Order No.
Serial number
Hardware
Release version
Operating system
Web-based management
Radio engine
Radio firmware
IMEI
4.3.2 Radio status
Current status information regarding the mobile phone network and network connections is displayed here.
Radio
Figure 4-3
Provider
Provider name
Network status
Packet data
SIM #1 IMSI
Cell ID
Figure 4-4
IP address
Netmask
DNS server
RX bytes
TX bytes
IP address
Netmask
Figure 4-5
Routing table
This page displays all entries of the routing table.
Figure 4-6
4.4
4.4.1
The connection from the router to the local Ethernet can be set up here. You can modify the IP configuration, e.g., the IP address, the subnet mask, and the type of address assignment.
Confirm your changes to the IP configuration with Apply. The changes will only take effect after a restart.
Figure 4-7
Subnet mask
Type of IP address assignment
Alias addresses
4.4.2 DHCP server
The Dynamic Host Configuration Protocol (DHCP) can be used to automatically assign the network configuration set here to the devices connected directly to the router.
Figure 4-8
DHCP server
Domain name
Dynamic IP address allocation
Dynamic IP address pool: When the DHCP server and the dynamic IP address pool have been activated, you can specify the network parameters to be used by the client.
Begin of IP range
Start of DHCP area: The start of the address area from which the DHCP server should assign IP addresses to locally connected devices.
End of IP range
End of DHCP area: The end of the address area from which the DHCP server should assign IP addresses to locally connected devices.
Client IP address
Static assignments must not overlap with the dynamic IP address pool.
Do not use one IP address in multiple static assignments, otherwise multiple MAC addresses will be assigned to this IP address.
4.4.3
With local static routes, you can specify alternative routes for data packets from the local network via other gateways in higher-level networks. You can specify up to eight static routes.
If the entries for the network and gateway are logically incorrect, the incorrect entries will be displayed with a red frame.
Figure 4-9
Network
Gateway
4.4.4
The router supports the reading of information via SNMP (Simple Network Management Protocol). SNMP is a network protocol that can be used to monitor and control network elements from a central station. The protocol controls communication between the monitored devices and the central station.
If you do not use SNMP for reasons of security, remove the default password "public" for read access under "Read only". The SNMP service is then stopped on the router.
Figure 4-10
Description
Physical location
Contact
Read only
SNMPv1/v2 community
Trap configuration
In certain cases, the router can send SNMP traps. The traps correspond to SNMPv1 and are part of the standard MIB.
Trap manager IP address
Port
Target community
4.5
4.5.1 Radio setup
Figure 4-11
Frequency
UMTS
freq.1
Backup
SIM2
Decide whether you can use a second SIM card for a backup mobile phone connection.
Provider timeout2
Backup runtime2
Period of time (in hours) after which there will be a switch back to the primary mobile phone network.
With daily login, the router first attempts to register with the primary mobile phone network.
Time
For the PSI-MODEM-3G...ROUTER only. The PSI-MODEM-GSM/ETH EDGE router has only one SIM interface, so that this option is not available.
4.5.2 SIM
All settings for the primary mobile phone connection are made here.
Figure 4-12
Country
Select the country in which the router is dialing into the GSM network. This setting limits the selection of providers.
PIN
In the PIN field, enter the PIN for the SIM card. The PIN cannot be read back; it can only be overwritten.
Roaming
If roaming is activated (default), you can select a specific provider from the Provider pull-down menu.
Enabled: The router can also dial in via external networks. If Auto is set under Provider, the strongest provider is selected. Additional costs may be incurred in this case depending on your contract. Alternatively, you can specify a provider.
Disabled: Roaming is deactivated and only the provider's home network is used. If this network is unavailable, the router cannot establish an Internet connection.
Provider
Select a provider via which the router is to establish the Internet connection. The country selected under Country limits the list of providers.
Auto: The router automatically selects the provider based on the SIM card.
User name for packet data access. You obtain the user name and password from your provider. This field may be left empty if the provider does not require a special input.
Password
APN
Authentication
4.5.3 Backup SIM
The PSI-MODEM-3G...ROUTER devices are provided with a second SIM interface for a backup mobile phone connection. For the backup SIM card, you can set the same options as for the primary SIM card.
The PSI-MODEM-GSM/ETH EDGE router has only one interface; this means that the Backup SIM menu will not be available.
4.5.4
Activate SMS control and enter the SMS password. The password can contain up
to seven alphanumeric characters.
In addition, the device can forward received SMS messages to a recipient via Ethernet.
Open Wireless Network, SMS configuration and activate the SMS forward function.
Enter the recipient IP address and the port with which you would like to communicate.
The default value for the server is port 1432.
The received SMS is forwarded in the following format:
The SMS syntax for switching inputs, outputs and functions includes the following information:
Password
Function command
Additional subcommands
Table 4-1
Function command
Description
SET:<sub_cmd>
CLR:<sub_cmd>
SEND:STATUS
RESET
REBOOT
Table 4-2
Subcommand <sub_cmd>
Description
GPRS
Output
OUTPUT:n
IPSEC
IPSEC:n
Figure 4-13
SMS control
SMS password
SMS forward
Server IP address
Example
Text of SMS message in order to start the IPsec tunnel #2 using the password 1234:
#1234:SET:IPSEC:2
In order to stop this connection, you have to send the following SMS message:
#1234:CLR:IPSEC:2
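The control SMS syntax described above, as an added example (not Phoenix Contact code): a strict parser for checking command strings before they are sent, plus a simple check of the SMS password. The leading "#", the colon separators and the command names come from the tables and the example above; treating "alphanumeric" as A-Z, a-z, 0-9, requiring an index for OUTPUT, and the upper limit for IPsec tunnel numbers are assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

PASSWORD_RE = re.compile(r"[A-Za-z0-9]{1,7}")   # "up to seven alphanumeric characters"
SUBCOMMAND_RE = re.compile(r"(GPRS|OUTPUT|IPSEC)(?::([0-9]+))?")
NUM_OUTPUTS = 4          # switching outputs O1 ... O4
MAX_IPSEC_TUNNEL = 99    # assumption: the page does not state how many tunnels exist


class SmsCommandError(ValueError):
    """Raised when a string does not match the control SMS syntax."""


@dataclass(frozen=True)
class SmsCommand:
    password: str
    function: str            # SET, CLR, SEND, RESET or REBOOT
    target: Optional[str]    # GPRS, OUTPUT, IPSEC, STATUS or None
    index: Optional[int]     # n in OUTPUT:n / IPSEC:n, else None


def parse_sms_command(text: str) -> SmsCommand:
    """Parse '#<password>:<function>[:<sub_cmd>]' and reject everything else."""
    text = text.strip()
    if not text.startswith("#"):
        raise SmsCommandError("missing leading '#'")
    fields = text[1:].split(":")
    if len(fields) < 2:
        raise SmsCommandError("expected '#<password>:<function command>'")
    password, function, rest = fields[0], fields[1], fields[2:]
    if not PASSWORD_RE.fullmatch(password):
        raise SmsCommandError("password must be 1-7 alphanumeric characters")

    if function in ("RESET", "REBOOT"):
        if rest:
            raise SmsCommandError(function + " takes no subcommand")
        return SmsCommand(password, function, None, None)
    if function == "SEND":
        if rest != ["STATUS"]:
            raise SmsCommandError("only SEND:STATUS is defined")
        return SmsCommand(password, function, "STATUS", None)
    if function not in ("SET", "CLR"):
        raise SmsCommandError("unknown function command: " + repr(function))

    match = SUBCOMMAND_RE.fullmatch(":".join(rest))
    if match is None:
        raise SmsCommandError("unknown subcommand")
    target = match.group(1)
    index = int(match.group(2)) if match.group(2) is not None else None
    if target == "GPRS" and index is not None:
        raise SmsCommandError("GPRS takes no index")
    if target == "OUTPUT" and (index is None or not 1 <= index <= NUM_OUTPUTS):
        # Assumption: only the OUTPUT:n form is accepted here.
        raise SmsCommandError("OUTPUT needs an index from 1 to %d" % NUM_OUTPUTS)
    if target == "IPSEC" and index is not None and not 1 <= index <= MAX_IPSEC_TUNNEL:
        raise SmsCommandError("IPsec tunnel number out of range")
    return SmsCommand(password, function, target, index)


def audit_password(password: str) -> List[str]:
    """Return findings for an SMS password; an empty list means none."""
    findings = []
    if len(password) < 7:
        findings.append("short")                 # the device allows up to seven characters
    if password.isdigit():
        findings.append("digits-only")           # 10**len candidates instead of 62**len
    elif password.isalpha() and (password.islower() or password.isupper()):
        findings.append("single-case-letters")
    return findings


if __name__ == "__main__":
    # Constructed sample inputs; the first two are the examples from the manual.
    for sample in ("#1234:SET:IPSEC:2", "#1234:CLR:IPSEC:2", "#1234:SET:OUTPUT:9",
                   "1234:REBOOT", "#12345678:RESET"):
        try:
            cmd = parse_sms_command(sample)
            print(sample, "->", cmd, audit_password(cmd.password))
        except SmsCommandError as err:
            print(sample, "-> rejected:", err)
```

The manual's own example password 1234 is reported as both short and digits-only, which is worth keeping in mind because this password is the only protection for the switching outputs and VPN start commands.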
4.5.5
Figure 4-14
Packet data
If this packet data connection is activated, there is only a virtual permanent connection to the remote peer. This wireless area is not used until data is actually transmitted, such as via VPN tunnel.
Debug mode
Allow compression
Event
DNS server
4.5.6
With static routes, you can specify alternative routes in the mobile phone network for data packets. If the entries for the network and gateway are logically incorrect, the incorrect entries will be displayed with a red frame.
Figure 4-15
Network
Gateway
4.5.7
Each mobile phone router is dynamically assigned an IP address by the provider, meaning that the address changes from session to session.
If the mobile phone router is to be accessed via the Internet, you can specify a fixed host name with the help of a DynDNS provider for the dynamic IP address. The router can then be accessed using this host name (e.g., www.example.com).
Check whether your mobile phone provider supports dynamic DNS in the mobile phone network.
Figure 4-16
Status
DynDNS provider
Select the name of the provider with whom you are registered, e.g., DynDNS.org, TZO.com, dhs.org.
DynDNS username
DynDNS password
DynDNS hostname
Host name specified for this router with the DynDNS service. The router can be accessed via this host name.
4.5.8 Connection check
The connection check enables you to verify whether the packet data connection in the mobile phone network is functional. In addition, the connection check serves as a keep-alive function in order to maintain the packet data connection in the mobile phone network.
Figure 4-17
Status
Host #1 ... #3
IP address or host name of the reference point for the connection check
Source
Local: The IP packets of the connection check are transmitted via the local network interface with the IP address of the local interface (LAN).
Wireless network: The IP packets of the connection check are transmitted via the mobile phone interface with the IP address assigned by the provider.
Check every
Max. retry
4.5.9 Monitoring
Monitoring is used to register mobile phone parameters. You can temporarily use this function for startup or troubleshooting purposes; it is not intended for permanent use. All parameters are saved to a separate logradio.txt log file. After the end of the monitoring period, monitoring needs to be disabled.
Figure 4-18
Monitoring
Log duration
Log interval
Ping host
Clear
View
Save
creg=
Unknown state
Receive level
0
-111 dBm
2...30
31
rssi=
packet=
OFFLINE
ONLINE
GPRS ONLINE
EDGE ONLINE
WCDMA ONLINE
Location
myip=
Reference IP
ping=
4.6
4.6.1 General setup
On this page, you can make the fundamental settings for network security.
Figure 4-19
Firewall
Block outgoing NetBIOS
External web-based management
You can use this option to specify whether the router may be configured via the mobile phone network or the external network using WBM.
Disabled: External configuration via WBM is not possible. Set this option if you want to configure and maintain the router locally (default).
Enabled: The router can be configured externally via WBM. Remote maintenance of the router is therefore possible. The router can be accessed via any external IP address. Access cannot be restricted by using a firewall.
External NAT (Masquerade)
For outgoing data packets, the router can rewrite the specified sender IP addresses from its internal network to its own external address. This method is used if the internal addresses cannot be routed externally, e.g., because a private address area such as 192.168.x.x is used. This method is referred to as IP masquerading.
Disabled: IP masquerading deactivated
Enabled: IP masquerading is activated and communication from a private, local network to the Internet is supported (default).
Device access via SSH
You can use this option to specify whether the router can be accessed via the SSH service.
Disabled: The SSH service is not available. No access to the router via SSH (default).
Enabled: Access to the router is possible via SSH service, from local network or via VPN tunnel.
4.6.2
The device includes a stateful packet inspection firewall. The connection data of an active connection is recorded in a database (connection tracking). Rules can therefore be defined for one direction only; data from the other direction of the relevant connection, and only this data, is automatically allowed through.
The firewall can be enabled and disabled. For example, it can be deactivated for startup. By
default, the firewall is active and blocks incoming data traffic and only permits outgoing data
traffic.
If multiple firewall rules are defined, these are queried starting from the top of the list of
entries until an appropriate rule is found. This rule is then applied.
If the list of rules contains further subsequent rules that could also apply, these rules are
ignored.
The device supports a maximum of 32 rules for incoming data traffic and 32 rules for outgoing data traffic.
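The first-match behavior described above can be checked offline before rules are entered in WBM. The following is an added example, not code from this manual or from the device: it evaluates packets top-down against a rule list and reports rules that can never fire because an earlier rule already covers them. The value names (`accept`, `drop`, `all`) and the sample rules are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

MAX_RULES = 32  # per direction, as stated in the manual


@dataclass(frozen=True)
class Rule:
    protocol: str        # "tcp", "udp", "icmp" or "all" (assumed value names)
    from_ip: str         # source address area in CIDR notation
    to_ip: str           # destination address area in CIDR notation
    action: str          # "accept" or "drop" (assumed value names)
    log: bool = False    # default "No", as in the manual


def _proto_covers(rule_proto, proto):
    """True if a rule written for rule_proto also applies to proto."""
    return rule_proto == "all" or rule_proto == proto


def matches(rule, protocol, src, dst):
    """True if the packet (protocol, src, dst) falls inside the rule."""
    return (_proto_covers(rule.protocol, protocol)
            and ip_address(src) in ip_network(rule.from_ip, strict=False)
            and ip_address(dst) in ip_network(rule.to_ip, strict=False))


def evaluate(rules, protocol, src, dst, default="drop"):
    """Query the list from the top; the first matching rule decides.

    Returns (rule index, action). If nothing matches, returns
    (None, default); "drop" mirrors the blocked-by-default behavior.
    """
    if len(rules) > MAX_RULES:
        raise ValueError(f"more than {MAX_RULES} rules for one direction")
    for index, rule in enumerate(rules):
        if matches(rule, protocol, src, dst):
            return index, rule.action
    return None, default


def covers(earlier, later):
    """True if every packet matching 'later' also matches 'earlier'."""
    return (_proto_covers(earlier.protocol, later.protocol)
            and ip_network(later.from_ip, strict=False).subnet_of(
                ip_network(earlier.from_ip, strict=False))
            and ip_network(later.to_ip, strict=False).subnet_of(
                ip_network(earlier.to_ip, strict=False)))


def shadowed_rules(rules):
    """Find rules that are ignored because an earlier rule covers them.

    Returns tuples (shadowed index, covering index, actions_conflict).
    A conflict means the ignored rule was meant to do the opposite of
    what actually happens, which is the case worth reviewing first.
    """
    findings = []
    for j, later in enumerate(rules):
        for i in range(j):
            if covers(rules[i], later):
                findings.append((j, i, rules[i].action != later.action))
                break
    return findings


# Constructed sample: incoming rules in the order they appear in the list.
SAMPLE_INCOMING = [
    Rule("all", "0.0.0.0/0", "192.168.0.0/24", "drop"),
    Rule("tcp", "203.0.113.0/24", "192.168.0.10/32", "accept", log=True),
    Rule("udp", "198.51.100.7/32", "192.168.1.5/32", "accept"),
]

if __name__ == "__main__":
    print(evaluate(SAMPLE_INCOMING, "tcp", "203.0.113.9", "192.168.0.10"))
    for shadowed, by, conflict in shadowed_rules(SAMPLE_INCOMING):
        print(f"rule {shadowed} is never reached (covered by rule {by}), "
              f"conflicting action: {conflict}")
```

In the sample, the accept rule in row 1 never takes effect because the broader drop rule in row 0 is found first; moving row 1 above row 0 with the arrows changes the result.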
Figure 4-20
Incoming traffic
Lists the firewall rules that have been set up. They apply for incoming data links that have been initiated externally.
Protocol
From IP/To IP
Log
For each individual firewall rule you can specify whether the
event is to be logged if the rule is applied.
Yes: Event will be logged.
No: Event will not be logged (default).
New
The arrows can be used to move the rule one row up or down.
Outgoing traffic
Lists the firewall rules that have been set up. They apply for outgoing data links that have been initiated internally in order to communicate with a remote peer.
Default setting: A rule is defined by default that allows all outgoing connections.
If no rule is defined, all outgoing connections are prohibited (excluding VPN).
Protocol
From IP/To IP
Action
Log
For each individual firewall rule you can specify whether the
event is to be logged if the rule is applied.
Yes: Event will be logged.
No: Event will not be logged (default).
The arrows can be used to move the rule one row up or down.
4.6.3
The NAT table lists the rules established for NAT (Network Address Translation).
The device has one IP address, which can be used to access the device externally. For incoming data packets, the device can convert the specified sender IP addresses to internal
addresses. This process is referred to as NAT (Network Address Translation). Using the
port number, the data packets can be redirected to the ports of internal IP addresses.
The device supports a maximum of 32 rules for port forwarding.
Figure 4-21
Protocol
In Port/To Port
To IP
IP address from the local network, incoming packets are forwarded to this address.
For each individual rule you can specify whether IP masquerading should be used.
Yes: IP masquerading is activated. Incoming packets from the Internet are assigned the IP address of the router, so a response can be sent to the Internet even without a default gateway.
No: A default gateway is required to send a response to the Internet (default).
Log
For each individual rule you can specify whether the event is
to be logged if the rule is applied.
Yes: Event will be logged.
No: Event will not be logged (default).
New
The arrows can be used to move the rule one row up or down.
4.7
VPN
4.7.1
IPsec (Internet Protocol Security) is a secure VPN standard that is used for communication
via IP networks.
Figure 4-22
Monitor DynDNS
Check interval
Enabled
Name
Settings
Click on Edit to specify the settings for IPsec (see page 62).
IKE
Internet Key Exchange protocol provides automatic key management for IPsec.
Click on Edit to specify the settings for IKE (see page 65).
Figure 4-23
Name
VPN
Remote host
The Remote host setting is only used if Initiate has been selected under Remote connection, i.e., if the router establishes the connection.
If Remote connection is set to Accept, the value %any is
set internally for Remote host in order to wait for a connection.
VPN >> IPsec >> Connections >> Settings >> Edit [...]
Authentication
Remote certificate
Local certificate
Remote ID
VPN >> IPsec >> Connections >> Settings >> Edit [...]
Local ID
Address remote
network
Connection NAT
Here, enter the real IP address area for the local network
under which this network is accessed from the remote network
via 1:1 NAT. You can use this function, for example, to access
two machines with the same IP address via a VPN tunnel.
VPN >> IPsec >> Connections >> Settings >> Edit [...]
Remote connection
Figure 4-24
Name
VPN >> IPsec >> Connections >> IKE >> Edit [...]
Phase 1 ISAKMP SA
Key exchange
ISAKMP SA
encryption
Encryption algorithm
Internet Security Association and Key Management Protocol
(ISAKMP) is a protocol for creating Security Associations (SA)
and exchanging keys on the Internet.
AES128 is preset as standard.
Fundamentally, the following applies: the more bits an encryption algorithm has (specified by the appended number), the more secure it is. The relatively new AES-256 method is therefore the most secure; however, it is still not used that widely. The longer the key, the more time-consuming the encryption procedure.
ISAKMP SA hash
Leave this set to all. It will then make no difference whether the remote peer is operating with MD5 or SHA-1.
ISAKMP SA lifetime
(sec.)
The keys of an IPsec connection are renewed at defined intervals in order to increase the difficulty of an attack on an IPsec
connection.
ISAKMP SA lifetime
Lifetime in seconds of the keys agreed for ISAKMP SA.
Default setting: 3600 seconds (1 hour)
The maximum lifetime is 86400 seconds (24 hours).
Phase 2 IPsec SA
In contrast to Phase 1 ISAKMP SA (key exchange), the procedure for data exchange is defined here. It does not necessarily
have to differ from the procedure defined for key exchange.
Data exchange
IPsec SA encryption
IPsec SA hash
IPsec SA lifetime
(sec.)
Perfect forward
secrecy (PFS)
Default setting: 28800 seconds (8 hours). The maximum lifetime is 86400 seconds (24 hours).
Yes: Perfect Forward Secrecy activated
No: Perfect Forward Secrecy deactivated
VPN >> IPsec >> Connections >> IKE >> Edit [...]
DH/PFS group
Key exchange procedure (defined in RFC 3526, "More Modular Exponential (MODP) Diffie-Hellman groups for Internet Key Exchange (IKE)")
Perfect Forward Secrecy (PFS): method for providing increased security during data transmission. With IPsec, the
keys for data exchange are renewed at defined intervals. With
PFS, new random numbers are negotiated with the remote
peer instead of being derived from previously agreed random
numbers.
5/modp1536 2/modp1024
Fundamentally, the following applies: the more bits an encryption algorithm has (specified by the appended number), the
more secure it is. The longer the key, the more time-consuming the encryption procedure.
4.7.2
A certificate that is loaded on the router is used to authenticate the router at the remote peer.
The certificate acts as an ID card for the router, which it shows to the relevant remote peer.
The procedure for creating an X.509 certificate is described in Section 5.5, Creating certificates.
There are various certificate types:
Remote certificates contain the public key used to decode the encrypted data.
Own or machine certificates contain the private key used to encrypt the data. The private key is kept secret. A PKCS#12 file is therefore protected by a password.
The CA certificate or root certificate is the mother of all certificates used. It is used to
check the validity of the certificates.
By importing a PKCS#12 file, the router is provided with a private key and the corresponding
certificate. You can load multiple PKCS#12 files on the router, enabling the router to show
the desired self-signed or a CA-signed machine certificate to the remote peer for various
connections.
To use an installed certificate, the certificate must be assigned under VPN >> IPsec >>
Connections >> Settings >> Edit. Click on Apply to load the certificate onto the router.
Figure 4-25
Load Remote
Certificate (.cer .crt)
Here you can upload certificates, which the router can use for
authentication with the VPN remote peer.
The procedure for creating an X.509 certificate
is described in Section 5.5, Creating certificates.
Under VPN >> IPsec >> Connections >> Settings >> Edit,
one of the certificates listed under Remote certificate or Local certificate can be assigned to each VPN connection.
Load Own PKCS#12
Certificate (.p12)
Upload: Import the certificate you have received from the provider. The file must be in PKCS#12 format. Click on Browse
to select the certificate that is to be imported.
Under VPN >> IPsec >> Connections >> Settings >> Edit,
one of the certificates listed under Remote certificate or
Local certificate can be assigned to each VPN connection.
Password: Password used to protect the private key of the
PKCS#12 file. The password is assigned when the key is exported.
Remote Certificates
Own Certificates
4.7.3
Figure 4-26
Active IPsec
Connections
4.7.4
OpenVPN is a program for creating a virtual, private network (VPN) via an encrypted connection. The device supports two OpenVPN connections.
Figure 4-27
Enabled
Name
Tunnel
Advanced
Click Edit to make extended settings for OpenVPN (see Advanced >> Edit on page 74).
Figure 4-28
Name
VPN
Remote host
Remote port
Port of the remote peer to which the tunnel will be created (default: 1194).
Protocol
LZO compression
Choose whether data transmission for the OpenVPN connection should be compressed.
Disabled: No OpenVPN compression
Adaptive: Adaptive OpenVPN compression
Yes: OpenVPN compression
Redirect default
gateway
Activate this option in order to redirect all network communication to external networks (e.g., requests to the Internet) using
this tunnel. The OpenVPN tunnel is used as the default gateway of the local network.
Authentication
X.509 Certificate - Authentication method: Each VPN device has a private (secret) key in the form of an X.509 certificate, which contains additional information about the certificate's owner and the certification authority (CA).
Pre-shared secret key: Each VPN device knows one shared private key. Load this shared key as a Static key (see page 76).
Local certificate
Check remote
certificate type
Connection NAT
Address local network
Virtual IP address/subnet mask of the local network. This virtual IP address enables the IP addresses for the remote network to be accessed via the VPN tunnel. You must enter the
same settings for a remote network on the remote VPN router.
Here, enter the real IP address area for the local network
under which this network is accessed from the remote network
via 1:1 NAT. You can use this function, for example, to access
two machines with the same IP address via a VPN tunnel.
Encryption
Keep alive
Period of time in seconds after which the connection to the remote peer should be restarted, if there has been no response
to the keep-alive requests.
Default setting: 120 seconds
Figure 4-29
Name
TUN-MTU
Fragment
MSS fix
Renegotiate key
interval
4.7.5
A certificate that is loaded on the router is used to authenticate the router at the remote peer.
The certificate acts as an ID card for the router, which it shows to the relevant remote peer.
Figure 4-30
Password
Own Certificate Name
4.7.6
Static key authentication is based on a symmetrical encryption method where the communication partners first exchange a shared key via a secure channel. All tunnel network traffic
is then encrypted using this key and can be decoded by anyone who has the key.
Figure 4-31
4.7.7
Figure 4-32
Active OpenVPN
Connections
4.8
I/O
The router has six integrated digital switching inputs and four integrated digital switching
outputs for alarms and switching.
4.8.1
Inputs (configuration)
The inputs can be used for SMS or e-mail alerts. Each input can be configured individually.
Please note that inputs that are, for example, used to start a VPN connection, cannot also
be used for alerts.
Figure 4-33
High
Alarm
Activate the ALR LED and set the light duration for the LED in
minutes.
4.8.2
Outputs (configuration)
The outputs can be switched remotely or, alternatively, provide information about the status
of the router. Each output can be configured individually.
Figure 4-34
Function
Autoreset
4.8.3
Phonebook
Figure 4-35
4.8.4
Socket server
The router has a socket server that can accept operating commands via Ethernet interface.
These commands must be sent in XML format.
Basic communication is initiated by a client from the local network. To do this, a TCP connection must be established to the set server port. The socket server responds to the client request and then terminates the TCP connection. For another request, a new TCP connection must be established. Only one request is permitted for each connection.
Figure 4-36
Socket server
Server Port
(default 1432)
In general, each XML file starts with the header <?xml version="1.0"?> or
<?xml version="1.0" encoding="UTF-8"?>, followed by the basic entry. The following basic
entries are available:
<io> ... </io>: I/O system
<info> ... </info>
<cmgs> ... </cmgs>
<cmgr> ... </cmgr>
<cmga> ... </cmga>
<email> ... </email>: Send e-mails
On/off or 0/1 can be output as a value, depending on the settings for XML bool values.
Response from router (shown with line break):
State of output 1
State of output 2
State of input 1
Make sure that the XML data does not contain any line breaks and that the text is
UTF-8-encoded.
The ASCII characters 34dec, 38dec, 39dec, 60dec and 62dec must be entered as &quot;, &amp;, &apos;, &lt; and &gt;.
If the XML data is received correctly, the device answers with the sending status:
The response means that there is currently no received SMS message available. The following error codes are possible:
System error = Problem related to communication with the mobile phone engine
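The framing rules for the socket server (XML header, one basic entry, no line breaks, UTF-8, the five escaped characters, one request per TCP connection) can be enforced in a small client. The following is an added example, not code from this manual or from the device: the child element layout inside `<email>` is an assumption based on the element names in Table A-1, and the host address used for sending is a placeholder.

```python
import re
import socket
from xml.sax.saxutils import escape

XML_HEADER = '<?xml version="1.0" encoding="UTF-8"?>'
BASIC_ENTRIES = {"io", "info", "cmgs", "cmgr", "cmga", "email"}
DEFAULT_PORT = 1432  # default server port from the manual

_NAME_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def escape_text(text):
    """Escape ASCII 34, 38, 39, 60 and 62 as the manual requires."""
    # escape() handles & < > first, then the two quote characters.
    return escape(text, {'"': "&quot;", "'": "&apos;"})


def build_request(entry, fields):
    """Build one single-line, UTF-8 encoded request.

    entry  -- one of the basic entries listed in the manual
    fields -- mapping of child element name to text
              (assumed layout: <entry><name>text</name>...</entry>)
    """
    if entry not in BASIC_ENTRIES:
        raise ValueError(f"unknown basic entry: {entry!r}")
    parts = []
    for name, value in fields.items():
        if not _NAME_RE.match(name):
            raise ValueError(f"invalid element name: {name!r}")
        # The XML data must not contain line breaks; reject them rather
        # than silently changing the operator's text.
        if "\n" in value or "\r" in value:
            raise ValueError(f"line break in field {name!r}")
        parts.append(f"<{name}>{escape_text(value)}</{name}>")
    xml = f"{XML_HEADER}<{entry}>{''.join(parts)}</{entry}>"
    return xml.encode("utf-8")


def send_request(host, payload, port=DEFAULT_PORT, timeout=5.0):
    """Send exactly one request and read until the server closes.

    The socket server terminates the connection after its response,
    so a new connection is opened for every request.
    """
    with socket.create_connection((host, port), timeout=timeout) as conn:
        conn.sendall(payload)
        chunks = []
        while True:
            data = conn.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8")


if __name__ == "__main__":
    # Constructed sample values; 192.0.2.1 is a documentation address.
    request = build_request("email", {
        "to": "ops@example.com",
        "body": 'Pump "A" < 5 & rising',
    })
    print(request.decode("utf-8"))
    # print(send_request("192.0.2.1", request))
```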
4.9
System
4.9.1
System configuration
Enter here the basic options for the router with regard to web-based management and logging. The router can store log files on an external log server via UDP.
Figure 4-37
Web configuration
Server port
Web-based management for the router is accessible using
this port (default: 80).
Log configuration
Server IP address
Server port
(default 514)
4.9.2
Figure 4-38
Admin
User
4.9.3
Log file
With the help of the router log file, you can diagnose different events and operating states.
The log file is a circulating memory where the oldest entries are overwritten first.
Figure 4-39
Clear
View
Save
4.9.4
E-mail configuration
For e-mail alerts, you can configure the mail server via which these alerts are sent. The mail
server must support the SMTP protocol. SMTP stands for Simple Mail Transfer Protocol.
Figure 4-40
SMTP server
Server port
(default 25)
Transport layer
security
Authentication
User name
Password
From
4.9.5
Configuration up-/download
You can save the active configuration to a file and load prepared configurations via WBM.
Figure 4-41
Download
Upload
Reset to factory
defaults
4.9.6
Date/time
Figure 4-42
System time
Here you can set the time manually if no NTP server has been
set up (see below) or the NTP server cannot be reached.
Time synchronization
Time zone
4.9.7
Reboot (router)
Figure 4-43
Reboot NOW!
Daily reboot
Define the days of the week on which the router will be restarted at the specified time.
Following a reboot, another login is made into the mobile
phone network. The provider resets the data link and calculates charges. Regular rebooting provides protection against
the provider aborting and reestablishing the connection at an
unforeseeable point in time.
Time
Event
Choose the digital input with the High signal which will be
used to restart the router if required.
Make sure that following a restart the signal is Low again so
that the router starts up normally.
4.9.8
Figure 4-44
Firmware update
Click on Browse and select the update file with the *.fw
extension.
Click on Apply.
Wait until the update has been performed and the router
restarts automatically.
Do not start the router manually and do not interrupt the power supply during the update process.
5.1
Installing
Start the setup file and follow the on-screen instructions of the setup program.
5.2
Figure 5-1
Figure 5-2
5.3
Assigning a password
Creating a CA certificate
You first create a CA (Certificate Authority) certificate. This root certificate acts as your own
certification body and is used for signing all certificates that are derived from it, thereby
proving the authenticity of these certificates.
Figure 5-3
Enter information about the owner of the root certificate via the Subject tab.
Figure 5-4
Create a key for this certificate. You can retain the preset name, key type and key size.
Figure 5-5
Creating a key
Figure 5-6
Click OK.
The certificate is now created. A new root certificate from which you can derive further machine certificates appears in the overview.
Figure 5-7
CA certificate created
5.4
Creating templates
When using templates, you can create machine certificates quickly and easily.
Switch to the Templates tab and create a new template for an end entity certificate.
Figure 5-8
You can make presettings for certificates that are to be created later using the Subject tab. The names must be assigned in the corresponding certificates. The entry in angle brackets represents a placeholder that will be replaced when using the template.
Figure 5-9
In the Extensions tab, set the certificate type to End Entity, as the template is to be
used for machine certificates.
In this example, the validity of the certificates to be created is 365 days. After expiry of
the end date, the certificates can no longer be used.
Figure 5-10
Click OK.
The template is created. Based on this template, you can now create certificates signed by
the root certificate.
5.5
Creating certificates
Figure 5-11
Creating a certificate
Figure 5-12
Figure 5-13
Click OK.
You have now created a machine certificate signed by the Certificate Authority (CA).
5.6
Exporting certificates
In order to use the machine certificate for a router, it must first be exported.
Select the required certificate from the list and click on Export.
Figure 5-14
The entire certificate including the private key and the CA certificate must be in PKCS #12
with Certificate Chain format. The certificate can then be uploaded to the relevant device
as a machine certificate.
Figure 5-15
Enter the password. You need the password to load the machine certificate to the respective device.
Figure 5-16
In addition, you need to export the remote certificate. This certificate is stored in PEM
format without the private keys.
Figure 5-17
A Technical appendix
A1
Table A-1
Category
XML element
Info
Device group
Info
XML elements
Description
serialno
hardware
firmware
Firmware release
wbm
imei
Radio group
provider
rssi
creg
lac
Location Area Code (LAC), location area of the device in a mobile phone
network (hexadecimal number, maximum of 4 digits)
ci
Cell ID, unique radio cell identification within the LAC (hexadecimal number,
maximum of 8 digits)
Category
Description [...]
Info
packet
simstatus
simselect
Info
Info
Inet group
ip
rx_bytes
tx_bytes
mtu
IO group
gsm
inet
vpn
XML elements
Table A-1
Category
SMS
Description [...]
destaddr
SMS
timestamp
error
SMS
error
IO
E-mail
to
E-mail address
cc
body
IO
Output element
(output)
no
value
A2
You can configure the device using an XML file. XML files can be output and read in by the
device.
A 2.1
In the <entry> element, only the name attribute will be used. This attribute determines how
to store data in the file tree. As defined in the header, all data must be encoded using the
UTF-8 character set.
Line breaks within the data are indicated as escape sequences: .
A 2.2
A 2.3
LAN interface
The elements ./devlist, ./ifname, ./mode and ./type must not be modified. Even when making
settings on the configuration page, they will not be changed.
./ipaddr
./netmask
IPv4 netmask
./proto
./ipalias
This value represents a special list and should only be modified from
the configuration page.
./enable
DHCP server
0 Off
1 On
./domain
./lease
./dynamic
./addr1
./addr2
./hosts
./names
./options
Static routes
./sroute
./device
./description
./location
./contact
./rocommunity
Password for read access. If the password is left blank, the SNMP
service will not be started.
./rouser
User name for read access, not used, should remain blank
./rwcommunity
./rwuser
User name for write access, not used, should remain blank
./trap_addr
./trap_port
./trap_community
./trap_enable
Send traps
0 No
1 Yes
A3
Wireless network
General settings
./band_setup
./sim_backup
./bak_runtime
./mcc
./cpin
./roaming
Roaming allowed
0 No
1 Yes
./provider
./username
./password
./apn
./authrefuse
./sms_control
./sms_password
./sms_forward
./sms_server
./sms_port
Packet data
./enable
./debug
./noccp
./mtu
./restart
./echo-interval
./echo-failure
./event
Static routes
./sroute
List of local static routes. This list should only be modified from the
configuration page.
./enable
./provider
./server
./username
./password
./hostname
Connection check
./enable
./host[n]
./local[n]
./interval
./retry
./event
Action selection
0 None
1 Reboot the device
2 Reconnect the packet data
3 Reconnect to the GSM/UMTS network
Monitoring
./log_enable
Activate monitoring
0 No
1 Yes
./log_duration
./log_interval
./log_ping
A 3.1
Network security
General settings
./fw_enable
./nat_enable
./fw_netbios
./icmp
./masq_enable
Firewall
The values represent a special list and should only be modified from the configuration page.
./fw_in
./fw_out
NAT table
The values represent a special list and should only be modified from the configuration page.
./nat_fw
./nat_vs
A 3.2
VPN
A 3.2.1
IPsec
Higher-level settings
./enableupdate
./autoupdate
./name
Connection description
./enable
Connection active
0 No
1 Yes
./rightallowany
./host
./auth
./remote_cert
Remote certificate
./local_cert
Local certificate
./remote_id
./local_id
Own identification
./remote_addr
./local_addr
./psk
Pre-shared key
./nat
Connection NAT
0 None
1 Local 1:1 NAT
5 Remote masquerading
./local_net
./mode
Connection type
0 Wait for connection
1 Always establish the connection
2 Control via SMS message
3 Control via call
4 ... 9 Control via inputs 1 ... 6
./autoreset
./resettime
IKE settings (1 ... n)
./ike_crypt
./ike_hash
./ike_life
./esp_crypt
./esp_hash
./esp_life
./pfs
./pfsgroup
DH/PFS group
Valid values: modp1024, modp1536, modp2048
./rekey
./dpd
./dpddelay
./dpdtimeout
./keyingtries
./rekeyfuzz
Value in percent
./rekeymargin
Time in seconds
A 3.2.2
Certificates
./cacerts/*
CA certificates
./certs/local/*
Local certificates
./certs/remote/*
Remote certificates
./private/*
Private keys
./ldir/*
A 3.2.3
Open VPN
Connections 1 ... n
./name
Connection description
./enable
Connection active
0 No
1 Yes
./host
./rport
./proto
Protocol
0 UDP
1 TCP
./complzo
./float
./redir
./bind
./lport
Outgoing port
./auth
Authentication
0 X.509 certificates
1 Pre-shared key
./certificate
Certificate name
./nscert
./psk
Pre-shared key
./remote_ifc
./local_ifc
./remote_addr
./nat
Connection NAT
0 None
1 Local 1:1 NAT
./local_masq
./local_addr
./local_net
./cipher
Encryption type
Valid values: BF-CBC, AES-128-CBC, AES-192-CBC, AES-256-CBC, DES-CBC, DES-EDE-CBC, DES-EDE3-CBC, DESX-CBC, CAST5-CBC, RC2-40-CBC, RC2-64-CBC, RC2-CBC, none
./keepalive
./ping
./restart
Further connection settings (1 ... n)
./tun_mtu
./frag_enable
./float
./frag_size
./mssfix_enable
mssfix option
0 No
1 Yes
./mssfix_size
./reneg_sec
Certificates
./cacerts/*
CA certificates
./certs/
Certificates
./private/
Private keys
./ldir/*
Static keys
./keys/*
Static keys
Diffie-Hellman parameters
./dh1024.pem
./dh2048.pem
A 3.3
Inputs 1 ... 6
./in_[n]/0/*
./in_[n]/1/*
./enable
./action
./sms/phonebook
./sms/message
SMS text
./email/to
Recipient of message
./email/cc
./email/subject
Subject line
./email/message
Text message
./alarm_enable
Activate alarm
0 No
1 Yes
./alarm_time
Outputs 1 ... 4
./out_[n]
./function
./autoreset
./time
Phonebook
./n[xx]
./sock_enable
Socket server
0 Off
1 On
./sock_port
./sock_xml_nl
./sock_xml_io
A 3.4
System
./httpport
./logremote
./logserver
./logport
./lognvm
User authentication
By default, the passwords for the users admin and user are stored in plain text. When a new password is assigned, only the hash values are stored.
E-mail configuration (SMTP)
./server
./port
./auth
Authentication to server
0 None
1 STARTTLS
2 Encrypted password
./tls
./gsm/at1cmd
./gsm/at2cmd
./gprs/at1cmd
./gprs/dialup
./newtime
./ntpenable
./ntpserver
./ntpiface
./daylight
./timezone
./ntplocal
Reboot
./rebootenable
./reboottime
./rebootevent
A4
IP netmasks and CIDR are methods of notation that combine several IP addresses to create
an address area. An area comprising consecutive addresses is handled like a network.
To specify an area of IP addresses for the router, e.g., when configuring the firewall, it may
be necessary to specify the address area in CIDR format. In the table below, the left-hand
column shows the IP netmask, while the far right-hand column shows the corresponding
CIDR notation.
IP netmask binary
CIDR
B Appendixes
B1
List of figures
Figure 1-1:
Figure 1-2:
Figure 3-1:
Figure 3-2:
Figure 3-3:
Figure 3-4:
Figure 3-5:
Figure 3-6:
Figure 3-7:
Figure 3-8:
Figure 3-9:
Figure 3-10:
Opening the housing and pressing the reset button (1) ...................... 30
Figure 4-1:
Figure 4-2:
Figure 4-3:
Figure 4-4:
Figure 4-5:
Figure 4-6:
Figure 4-7:
Figure 4-8:
Figure 4-9:
Figure 4-10:
Figure 4-11:
Figure 4-12:
Figure 4-13:
Figure 4-14:
Figure 4-15:
Figure 4-16:
Figure 4-17:
Figure 4-18:
Figure 4-19:
Figure 4-20:
Figure 4-21:
Figure 4-22:
Figure 4-23:
VPN >> IPsec >> Connections >> Settings >> Edit ............................ 62
Figure 4-24:
VPN >> IPsec >> Connections >> IKE >> Edit .................................... 65
Figure 4-25:
Figure 4-26:
Figure 4-27:
Figure 4-28:
VPN >> OpenVPN >> Connections >> Tunnel >> Edit ....................... 72
Figure 4-29:
VPN >> OpenVPN >> Connections >> Advanced >> Edit .................. 74
Figure 4-30:
Figure 4-31:
Figure 4-32:
Figure 4-33:
Figure 4-34:
Figure 4-35:
Figure 4-36:
Figure 4-37:
Figure 4-38:
Figure 4-39:
Figure 4-40:
Figure 4-41:
Figure 4-42:
Figure 4-43:
Figure 4-44:
Figure 5-1:
Figure 5-2:
Figure 5-3:
Figure 5-4:
Figure 5-5:
Figure 5-6:
Figure 5-7:
Figure 5-8:
Figure 5-9:
Figure 5-10:
Creating a template - specifying the certificate validity and type ....... 102
Figure 5-11:
Figure 5-12:
Figure 5-13:
Figure 5-14:
Figure 5-15:
Figure 5-16:
Figure 5-17:
B2
Index
A
Accessories
PSI-MODEM-3G...ROUTER ................................. 10
PSI-MODEM-GSM/ETH ........................................ 15
Alarm alert
E-mail .............................................................. 78, 90
SMS ...................................................................... 78
Antenna ...................................................................... 25
Approvals
PSI-MODEM-3G...ROUTER ................................. 12
PSI-MODEM-GSM/ETH ........................................ 16
Dimensions
PSI-MODEM-3G...ROUTER .................................
PSI-MODEM-GSM/ETH........................................
DIN rail ........................................................................
DPD (Dead Peer Detection) ........................................
DynDNS (Dynamic DNS) ............................................
13
18
23
67
49
E
Electrical connection............................................. 24, 28
E-mail configuration .................................................... 90
F
B
Backup mobile phone connection ............................... 41
Backup SIM card......................................................... 44
Firewall ....................................................................... 56
Firmware update ......................................................... 95
I
C
CA certificate............................................................... 98
Certificate.................................................................... 68
Creating............................................................... 103
Exporting ............................................................. 105
Template ............................................................. 101
Class A........................................................................ 19
Configuration download
See Configuration up-/download
Configuration up-/download ........................................ 91
Configuration upload
See Configuration up-/download
Configuring via web-based management.................... 31
Connecting
Antenna................................................................. 25
Ethernet network ................................................... 24
Supply voltage................................................. 24, 28
Switching input ...................................................... 29
Switching output .................................................... 29
Connection check ....................................................... 50
D
Data packet redirection
See Redirecting data packets
Date/time .................................................................... 92
Device information ...................................................... 32
DHCP server ............................................................... 38
I/O status.....................................................................
IKE (Internet Key Exchange).......................................
Input............................................................................
See Switching input
Installing......................................................................
Intended use ...............................................................
IP configuration ...........................................................
IPsec certificate...........................................................
IPsec connection ........................................................
IPsec status ................................................................
36
65
78
24
19
37
68
61
70
K
Key
See Static key
L
Local network.............................................................. 37
See Local network
Local static route
See Static route
Log file ........................................................................ 89
Structure................................................................ 53
M
Mobile phone settings
See Wireless network
N
NAT (Network Address Translation) ........................... 58
NAT table .................................................................... 58
Network connection .................................................... 35
Network security ......................................................... 54
O
OpenVPN certificate ................................................... 75
OpenVPN connection ................................................. 71
OpenVPN status ......................................................... 77
OpenVPN tunnel
See VPN tunnel
Operating and indication elements
PSI-MODEM-3G...ROUTER ................................. 21
PSI-MODEM-GSM/ETH ........................................ 22
Ordering data
PSI-MODEM-3G...ROUTER ................................. 10
PSI-MODEM-GSM/ETH ........................................ 15
Output ......................................................................... 80
See Switching output
P
Packet data setup ....................................................... 47
Password .............................................................. 31, 88
Phonebook.................................................................. 81
Port forwarding
See NAT table
Power supply
See Supply voltage
Pre-shared secret key
See Static key
Product description
PSI-MODEM-3G...ROUTER ................................... 9
PSI-MODEM-GSM/ETH ........................................ 14
R
Radio setup................................................................. 41
Radio status ................................................................ 33
Reboot ........................................................................ 94
Redirecting data packets ............................................ 39
Reset
PSI-MODEM-3G...ROUTER ................................. 30
PSI-MODEM-GSM/ETH........................................ 30
Resetting to default upon delivery
See Reset
Restart
See Reboot
RJ45 interface............................................................. 24
Root certificate
See CA certificate
Routing table............................................................... 36
S
Safety notes ................................................................ 19
Security settings
See Network security
SIM ............................................................................. 43
SIM card insertion
PSI-MODEM-3G...ROUTER ................................. 26
PSI-MODEM-GSM/ETH........................................ 27
Size
See Dimensions
SMS settings............................................................... 45
SNMP configuration .................................................... 40
Socket server .............................................................. 82
Stateful packet inspection firewall
See Firewall
Static key .................................................................... 76
Static key authentication
See Static key
Static route.................................................................. 39
Subcommand ............................................................. 45
Supply voltage ............................................................ 28
Switching input
Configuring............................................................ 78
Connecting............................................................ 29
Switching output
Configuring............................................................ 80
Connecting............................................................ 29
Synchronization .......................................................... 92
System configuration .................................................. 87
T
Technical data
PSI-MODEM-3G...ROUTER ................................. 10
PSI-MODEM-GSM/ETH........................................ 15
Tunnel
See VPN Tunnel
Twisted pair cable ....................................................... 24
U
UL notes
PSI-MODEM-3G...ROUTER ................................. 13
PSI-MODEM-GSM/ETH ........................................ 18
Update
See Firmware update
User ............................................................................ 88
User level .................................................................... 32
User name .................................................................. 31
V
VPN (Virtual Private Network) ..................................... 60
VPN tunnel .................................................................. 72
W
Web-based management
Logging in.............................................................. 31
Starting.................................................................. 31
Wireless network......................................................... 41
Wireless static route.................................................... 48
X
X.509 certificate .................................................... 68, 97
XCA ............................................................................ 97