Summary of Contents for Siemens SINAUT MD741-1
SIMATIC NET EGPRS/GPRS-Router SINAUT MD741-1, System manual, C79000-G8976-C236-05, Release 01/2013. Contents: Preface; Applications and functions; Setup; Configuration; Local interface; External interface; Security functions; VPN connection; Remote access; Status, log and diagnosis; Additional functions; Technical Data; Applied Standards and Approvals; Glossary.
Note the following: Warning Siemens products may only be used for the applications described in the catalog and in the relevant technical documentation. If products and components from other manufacturers are used, these must be recommended or approved by Siemens. Proper transport, storage, installation, assembly, commissioning, operation and maintenance are required to ensure that the products operate safely and without any problems.
The power supply unit supplying the SINAUT MD741-1 must comply with the requirements for a Limited Power Source according to IEC/EN 60950-1, and must comply with NEC Class 2 circuits as outlined in the National Electrical Code ® (ANSI/NFPA 70).
VDE 0855 (DIN EN 60728-11) in case there is no lightning protection. This work must be carried out by qualified personnel only. Requirements for compliance to Safety, Telecom, EMC and other standards. Caution: Observe the regulations listed in chapter 12 before putting the SINAUT MD741-1 into operation.
Firmware with Open Source GPL/LGPL. The firmware of the SINAUT MD741-1 includes Open Source Software under the terms of the GPL/LGPL. According to section 3b of the GPL and section 6b of the LGPL, we provide you with the source code.
Firmware with OpenBSD The firmware of SINAUT MD741-1 contains sections from the OpenBSD software. The use of OpenBSD software is subject to the following copyright notice * Copyright (c) 1982, 1986, 1990, 1991, 1993 * The Regents of the University of California. All rights reserved.
Purpose of this documentation This documentation will support you on your way to successful application of GSM/GPRS modem SINAUT MD741-1. It will introduce you to the topic in clear and straightforward steps and provide you with an overview of the hardware of the SINAUT MD741-1 GSM/GPRS modem.
SITRAIN With over 300 different courses, SITRAIN covers the entire Siemens product and system spectrum in the field of automation and drive technology. Advanced training tailored to your needs is also available. In addition to our classic range of courses, we also offer a combination of various training media and sequences.
You will find the latest version of this documentation under the entry ID 22550242. Alternatively you will find the SIMATIC NET manuals on the Internet pages of Siemens Customer Support for automation: http://support.automation.siemens.com/WW/view/en/10805878 Browse to the designated product group and set the following filter settings: "Entry list" → Entry type "Manuals"...
Software Update 126
Technical Data 128
Applied Standards and Approvals 131
12.1 EU Declaration of Conformance 131
12.2 Compliance to FM, UL and CSA 134
12.3 Compliance to FCC 135
Glossary 137
Applications and functions The SINAUT MD741-1 provides a wireless connection to the Internet or to a private network. The SINAUT MD741-1 can provide this connection in any location where a GSM network (Global System for Mobile Communication = mobile phone network) is available which provides the services EGPRS (Enhanced General Packet Radio Service = EDGE) or GPRS (General Packet Radio Service).
1 Applications and functions
Application examples of the SINAUT MD741-1
Figure 1-1 Connection between CPU and Central Station (diagram: S7-300 with MD741-1, VPN tunnel over (E-)GPRS and the INTERNET to a DSL modem and VPN router at the Central Station running ST7cc; the logical connection is shown between the two ends)
● Authentication by pre-shared key (PSK), X.509v3 certificate and CA
● Dead peer detection (DPD)
Firewall functions
The SINAUT MD741-1 provides the following firewall functions in order to protect the local network and itself from external attacks:
● Stateful inspection firewall
● Anti-spoofing
...
1 Applications and functions
Additional functions
The SINAUT MD741-1 provides the following additional functions:
● DNS cache
● DHCP server
● Remote logging
● In Port
● Web user interface for configuration
● Sending alarm SMS
● SSH console for configuration
...
When used in hazardous environments corresponding to Class I, Division 2 or Class I, Zone 2, the device must be installed in a cabinet or a suitable enclosure. To comply with EU Directive 94/9 (ATEX95), this enclosure must meet the requirements of at least IP54 in compliance with EN 60529.
Connect a PC with a Web browser (Admin PC) to the local interface (X2) of the SINAUT MD741-1. Using the Web user interface of the SINAUT MD741-1, enter the PIN (Personal Identification Number) of the SIM card. Disconnect the SINAUT MD741-1 from the power supply.
2 Setup Preconditions for operation In order to operate the SINAUT MD741-1, the following information must be on hand and the following preconditions must be fulfilled: Antenna An antenna, adapted to the frequency bands of the GSM network operator you have chosen: 850 MHz, 900 MHz, 1800 MHz or 1900 MHz.
Operating elements. Service button (SET): On the front side of the SINAUT MD741-1 there is a small hole (see B) which is marked SET and has a button behind it. Use a pointed object, e.g. a straightened-out paperclip, to press this button.
Ethernet connection established to the local application / the local network
No Ethernet connection to the local application / the local network
ON with brief interruptions: data transfer via the Ethernet connection
VPN connection active
Ethernet interface for remote monitoring, or a notebook or desktop PC. To set up the SINAUT MD741-1, connect the Admin PC with Web browser here. The interface supports autonegotiation. It is thus detected automatically whether a transmission speed of 10 Mbit/s or 100 Mbit/s is used on the Ethernet.
Power supply. Figure 2-2 Screw terminals. The SINAUT MD741-1 operates with direct current from DC 12 V to 30 V, nominally DC 24 V. This power supply is connected at the screw terminals on the left-hand side of the device. Connect the positive supply voltage to one or both screw terminals marked 24V and the negative supply voltage to one or both screw terminals marked 0V.
4. Then push the drawer with the SIM card completely into the housing. Notice: Do not under any circumstances insert or remove the SIM card during operation. Doing so could damage the SIM card and the SINAUT MD741-1.
2 Setup Top rail mounting The SINAUT MD741-1 is suitable for top-hat rail mounting on DIN EN 50022 rails. A corresponding bracket can be found at the rear of the device. Figure 2-4 Top rail mounting Installation 1. Fit the upper part of the locking mechanism of the device on to the DIN rail.
● either connected directly to the Ethernet jack of the SINAUT MD741-1 via a network cable or it must have direct access to the SINAUT MD741-1 via the local network. The network adapter of the computer (Admin PC) that you use to carry out ●...
Help function for LAN Connection or Properties of Internet Protocol (TCP/IP). Figure 3-1 Properties of Windows Internet Protocol. Enter the following values in order to get to the Web user interface of the SINAUT MD741-1:
IP address: 192.168.1.2
Subnet mask: 255.255.255.0
You can define the following as the domain name server:
● The DNS address of the network operator,
● The local IP address of the SINAUT MD741-1, as long as it is configured for resolving host names into IP addresses (see Chapter 4.3;...
Options..., tab Connections: Under Dial-up and VPN Settings, make sure that Never dial a connection is activated. Calling up the start page of the SINAUT MD741-1 1. In the address line of the browser, enter the address of the SINAUT MD741-1 in full. In the factory settings this is: https://192.168.1.1 Result: A security message appears.
You can display the certificate. It must be clear from the certificate that it was issued for SIEMENS AG. Because the Web user interface is addressed via an IP address and not via a name, the address entered in the browser does not match the name specified in the security certificate, and the browser reports this mismatch as a warning.
Under the Windows menu Start, Connect To ..., Show All Connections… , under LAN or High-Speed Internet right-click on the connection concerned and select Deactivate in the pop-up menu. Enter the address of the SINAUT MD741-1 with a slash: ● https://192.168.1.1/...
3 Configuration Start page of the Web user interface After the Web user interface of the SINAUT MD741-1 is called up and the user name and password are entered, an overview of the current operating state of the SINAUT MD741-1 appears.
3 Configuration Assigned IP address Shows the IP address at which the SINAUT MD741-1 can be reached in EGPRS or GPRS. This IP address is assigned to the SINAUT MD741-1 by EGPRS or GPRS. Connection Shows if a wireless connection exists, and which one: EDGE connection (IP connection via EGPRS) ●...
Symbol: Access is permitted. Symbol: Access is not permitted.
Remote access SSH: Shows whether remote access to the SSH console of the SINAUT MD741-1 via the wireless network is permitted. Symbol: Access is allowed. Symbol: Access is not allowed. (The status symbols are not reproduced in this excerpt.)
(Cell ID). Number of WAN connection attempts (24 h) This counter shows how often the SINAUT MD741-1 attempted to establish a connection to the mobile wireless network in the last 24 hours. Bytes sent and bytes received on this connection These entries show the number of bytes that have been sent or received during the current connection to the mobile wireless network.
Firmware version: This shows the version number of the currently installed firmware of the SINAUT MD741-1. Language selection: The Web user interface of the SINAUT MD741-1 supports English and German. Figure 3-5 Language selection. Automatic: The SINAUT MD741-1 selects the language of the Web user interface in...
Figure 3-6 Configuration Note Depending on how you configure the SINAUT MD741-1, you may then have to adapt the network interface of the locally connected computer or network accordingly. When entering IP addresses, always enter the IP address component numbers without leading zeros, e.g.: 192.168.0.8.
3 Configuration Figure 3-7 Indication of invalid entries Configuration Profiles The settings of the SINAUT MD741-1 can be saved in configuration profiles (files) and re-loaded at any time. Figure 3-8 Maintenance > Configurations Profiles Upload Profile Loads to the SINAUT MD741-1 a configuration profile that was created before and saved on the Admin PC.
List of saved configuration profiles: This list displays all the configuration profiles stored on the SINAUT MD741-1. The three buttons next to the profiles have the following functions: "Activate" button ...
3 Configuration
Figure 3-9 Access > Password
Access password (factory settings)
The factory settings for the SINAUT MD741-1 are:
● User name: admin (cannot be changed)
● Password: sinaut
Notice: Change the factory-set password immediately. Change the password immediately after initial start-up. The factory settings are generally known and do not provide sufficient protection.
3 Configuration Reboot Although the SINAUT MD741-1 is designed for continuous operation, in such a complex system faults may occur, often triggered by external influences. A reboot can rectify these faults. The reboot resets the functions of the SINAUT MD741-1. Current settings according to the configuration profile do not change.
3 Configuration 3.10 Load factory settings The factory settings of the SINAUT MD741-1 can be restored by the following means: Figure 3-11 Maintenance > Factory Reset Reset to factory settings A click on the push button Reset loads the factory settings, resets the passwords and deletes the stored certificates, the configuration profiles and the archived log files.
If you do not want to delete created configuration profiles, certificates and log files, instead of resetting to factory settings, you also have the alternative of resetting the device to the standard configuration. For information on this, refer to section 3.7.
Local interface. The local interface is the interface of the SINAUT MD741-1 for connecting the local network. The interface is labeled X2 on the device. This is an Ethernet interface with a data rate of 10 Mbit/s or 100 Mbit/s. The local network is the network connected to the local interface of the SINAUT MD741-1.
Admin PC Figure 4-2 Local interface You can define additional addresses at which the SINAUT MD741-1 can be reached by local applications. This is useful, for example, when the local network is subdivided into subnetworks. Then multiple local applications from different subnetworks can reach the SINAUT MD741-1 under various addresses.
Figure 4-3 DHCP function on local interface. Figure 4-4 Local Network > Basic Settings > DHCP. Start DHCP server: Yes switches on the DHCP server of the SINAUT MD741-1; No switches it off.
Here enter the DNS server that should be assigned to the local applications. Enable dynamic IP address pool: With Yes, the IP addresses that the DHCP server of the SINAUT MD741-1 assigns are drawn from a dynamic address pool. With No, the IP addresses must be assigned to the MAC addresses of the local applications under Static Leases.
The SINAUT MD741-1 provides a domain name server (DNS) to the local network. If you enter the IP address of the SINAUT MD741-1 in your local application as the domain name server (DNS), then the SINAUT MD741-1 answers the DNS queries from its cache.
Figure 4-6 Local Network > Basic Settings > DNS Selected nameserver Select which domain name server (DNS) the SINAUT MD741-1 should query. Provider-defined When a connection is established to EGPRS or GPRS the network operator automatically communicates one or more DNS addresses. These are then used.
The SINAUT MD741-1 can also be addressed from the local network using a host name. To do this, define a host name, e.g. MD741. The SINAUT MD741-1 can then be called up, for example from a Web browser as MD741.
4 Local interface System Time/NTP You can set the system time of the SINAUT MD741-1 yourself manually or have it synchronized automatically with a time server. Figure 4-8 System > System Time/NTP Current system time This entry shows the currently set date and time.
To activate this function select Yes. The NTP time server in the SINAUT MD741-1 can be reached via the local IP address set for the SINAUT MD741-1, see Chapter 4.1. Factory settings...
IP address of the gateway via which the subnet is connected.
You can define any desired number of internal routes. To delete an internal route, click on Delete.
Factory settings
The factory settings for the SINAUT MD741-1 are as follows:
Additional internal routes, default for new routes: Network: 192.168.2.0/24, Gateway: 192.168.0.254
External interface The external interface of the SINAUT MD741-1 connects the SINAUT MD741-1 to the external network. EGPRS, GPRS or GSM are used for the communication at this interface. External networks are the Internet or a private intranet. External remote stations are network components in an external network, e.g. Web servers on the Internet, routers on an intranet, a central company server, an Admin PC, and much more.
Enter the PIN for your SIM card here. You will receive the PIN from your network operator. The SINAUT MD741-1 also works with SIM cards that have no PIN; in this case enter NONE. In this case the input box is left empty.
PAP.
CHAP: Transfer of user name and password using the Challenge Handshake Authentication Protocol (CHAP). The password itself is not sent over the link; the client answers a challenge from the network with a hash computed from the challenge and the password.
PAP: Unencrypted transfer of user name and password using the Password Authentication Protocol (PAP).
(MCC) and (MNC). You will find the Net-ID in the documentation provided by your GSM/GPRS network provider or on the provider's Internet pages. The Net-ID is stored on the SIM card. The SINAUT MD741-1 reads the Net-ID from the SIM card and selects the corresponding GPRS access data from the list of providers.
In this case enter guest in the corresponding box. Factory settings The factory settings of the SINAUT MD741-1 are as follows: Provider selection mode Manual Provider selection mode - manual...
Note: Reboot when enabling and disabling. If you enable or disable the "Installation mode" function, when you click the "Save" button, the device automatically goes through a reboot. Figure 5-2 External Network > Installation mode
ID of the wireless cell ID for the wireless cell in the mobile wireless network LAC (Location Area Code) ID for the current location of the SINAUT MD741-1 within the mobile wireless network ARFCN (Absolute Radio Frequency Channel Number) Based on the ARFCN, the uplink and downlink frequencies can be calculated.
The current data volume of the particular month and the upper limit are displayed on the "System - Status" page opened under the "Overview" entry. The SINAUT MD741-1 can send SMS messages automatically as soon as 80% and 100% of the specified data volume are reached.
In the factory settings, the value is set to 1,000,000 bytes. Send SMS when 80% of the max. data volume is reached If you want the SINAUT MD741-1 to send a warning SMS message as soon as 80 % of the data volume has been reached, make the following settings: 1.
EGPRS or GPRS and to the connected external networks, such as the Internet or an intranet. To do this, the SINAUT MD741-1 sends ping packets (ICMPs) to up to four remote stations (target hosts) at regular intervals. This takes place independently of the user data connections.
External Network > Advanced Settings > Checking the connection. Enable connection check: Yes activates the function. Destination Hosts – Host name: Select up to four remote stations that the SINAUT MD741-1 can ping. The remote stations must be available continuously and must answer pings.
The SINAUT MD741-1 re-establishes the connection to EGPRS or GPRS if the ping packets sent were not answered. Reboot MD741-1 The SINAUT MD741-1 carries out a reboot if the ping packets sent were not answered. Factory settings The factory settings for the SINAUT MD741-1 are as follows:...
Internet under a hostname (e.g. myHost.org), even if these applications do not have a fixed IP address and the hostname is not registered. If you log the SINAUT MD741-1 on to a DynDNS service, you also can reach the SINAUT MD741-1 from external network under a hostname, e.g.
To use the services, additional service agreements are necessary and certain constraints must be kept to. If you are interested in the Siemens Remote Service, speak to your local Siemens contact. If the Siemens Remote Service is activated, the SINAUT MD741-1 transfers its external IP address assigned by the EDGE/GPRS service to a selectable destination server.
Use Siemens Remote Service Select Yes if you want to use Siemens Remote Service. If you do not want to use the Siemens Remote Service, select No. Interval for updating (seconds) Enter the interval in seconds at which the assigned IP address of the SINAUT MD741-1 is transferred to the selected destination server.
5 External interface
Factory settings
The factory settings of the SINAUT MD741-1 are as follows:
● Use Siemens Remote Service: No (turned off)
● Interval of updating: 900 seconds
● Destination address: 0.0.0.0
● Group: group
● User name: user
● Password: pass
NAT - Network Address Translation
With NAT, for outgoing frames, the device can change the specified sender IP addresses from its internal network to its own external address.
In the input box, enter the networks for which NAT will be used. Enter an address range in the CIDR notation. Factory settings: Use NAT for the external network: Yes (turned on). IP address range (CIDR notation): 0.0.0.0/0
● It is different for a SINAUT MD741-1 with a stateful inspection firewall. Here a firewall rule is only created for the query direction from the source to the destination.
(e.g. the Internet) via EGPRS or GPRS. The source is the sender of this IP packet. The destination is the local applications on the SINAUT MD741-1. In the factory settings, no incoming firewall rule is set initially, i.e. no IP packets can go through.
Enter the IP address of the local application that is allowed to send IP packets to the external network. Do this by specifying the IP address or an IP range for the local application. 0.0.0.0/0 means all addresses. To specify a range, use the CIDR notation - see the Glossary.
The log is kept in the firewall log, see Chapter 6.4. Log entries for unknown outgoing connection attempts: This logs all connection attempts that are not covered by the defined rules. Factory settings: The factory settings for the SINAUT MD741-1 are as follows:
Outgoing firewall
Firewall Rules, outgoing - (Everything blocked)
● Protocol:
● From IP address: 0.0.0.0/0
● From port:
● To IP address: 0.0.0.0/0
● To port:
● Action: Accept
● Log: No (switched off)
● Log entries for unknown outgoing connection attempts: No (switched off)
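The rule matching that the incoming and outgoing rule tables describe (first matching rule wins, address ranges in CIDR notation, 0.0.0.0/0 meaning all addresses, and the factory behaviour that with no incoming rule nothing gets through) can be exercised offline. The following Python is an added example written for this page; it is not Siemens code and was not taken from the device. The Rule and Packet classes, the "all" protocol keyword, the "lo:hi" port-range spelling and the sample addresses and rules are assumptions made for the illustration.

```python
"""Firewall rule matching in the style of the MD741-1 rule tables (added example,
not device code). Rule fields mirror the Web UI columns: Protocol, From IP address,
From port, To IP address, To port, Action, Log. All sample data is constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    protocol: str             # "tcp", "udp", "icmp" or "all" (assumed keyword)
    from_net: str             # CIDR notation; "0.0.0.0/0" means all addresses
    from_port: Optional[str]  # None = any port; "502" or a range "1024:65535"
    to_net: str
    to_port: Optional[str]
    action: str               # "accept" or "drop"
    log: bool = False         # write a firewall-log entry when this rule fires


@dataclass(frozen=True)
class Packet:
    protocol: str
    src: str
    sport: Optional[int]      # None for protocols without ports (ICMP)
    dst: str
    dport: Optional[int]


def port_matches(spec: Optional[str], port: Optional[int]) -> bool:
    """A spec of None matches any port; a port-less packet never matches a port spec."""
    if spec is None:
        return True
    if port is None:
        return False
    if ":" in spec:
        lo, hi = (int(x) for x in spec.split(":", 1))
        return lo <= port <= hi
    return port == int(spec)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """Protocol, both CIDR ranges and both port specs must all match."""
    if rule.protocol != "all" and rule.protocol != pkt.protocol:
        return False
    if ip_address(pkt.src) not in ip_network(rule.from_net, strict=False):
        return False
    if ip_address(pkt.dst) not in ip_network(rule.to_net, strict=False):
        return False
    return port_matches(rule.from_port, pkt.sport) and port_matches(rule.to_port, pkt.dport)


def evaluate(rules: List[Rule], pkt: Packet, log_unknown: bool = False) -> Tuple[str, bool]:
    """First matching rule wins. With no match the packet is dropped, which is the
    factory behaviour for the incoming direction (no rule = nothing gets through).
    log_unknown models the "Log entries for unknown ... connection attempts" switch."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action, rule.log
    return "drop", log_unknown


# Constructed sample rule set: allow Modbus/TCP from anywhere to one local PLC and log it.
INCOMING_RULES = [Rule("tcp", "0.0.0.0/0", None, "192.168.1.10/32", "502", "accept", log=True)]
# Factory-style outgoing rule: everything from the local network may leave.
OUTGOING_RULES = [Rule("all", "0.0.0.0/0", None, "0.0.0.0/0", None, "accept")]

if __name__ == "__main__":
    modbus = Packet("tcp", "203.0.113.7", 40000, "192.168.1.10", 502)
    http = Packet("tcp", "203.0.113.7", 40001, "192.168.1.10", 80)
    print("modbus in:", evaluate(INCOMING_RULES, modbus))   # accepted and logged
    print("http in:  ", evaluate(INCOMING_RULES, http, log_unknown=True))  # dropped, logged as unknown
    print("no rules: ", evaluate([], modbus))               # factory incoming: dropped
```

The rule set is evaluated once per new connection, which is what the stateful inspection firewall described in section 6.1 does: only the query direction needs a rule, and the reply packets belong to the state the first match created.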
If a rule has been created for port forwarding, then data packets received at a defined IP port of the SINAUT MD741-1 from the external network will be forwarded. The incoming data packets are then forwarded to a specified IP address and port number in the local network.
- set Log to No (factory settings). The log is kept in the firewall log, see Chapter 6.4. Factory settings: The factory settings for the SINAUT MD741-1 are as follows: Forwarding Rules: Protocol; Arrives at port; Is forwarded to IP address 127.0.0.1...
External ICMP to the SINAUT MD741-1 You can use this option to affect the response when ICMP packets are received that are sent from the external network in the direction of the SINAUT MD741-1. You have the following options: Drop: All ICMP packets to the SINAUT MD741-1 are discarded.
6 Security functions
Factory settings
The factory settings for the SINAUT MD741-1 are as follows:
● Maximum number of new incoming TCP connections per second
● Maximum number of new outgoing TCP connections per second
● Maximum number of new incoming ping packets per second
...
The application of individual firewall rules is recorded in the firewall log. To do this, the LOG function must be activated for the various firewall functions. Figure 6-4 Security > Firewall Log. Note: The firewall log is lost in the event of a reboot. If entries must be kept, send them to an external system with the remote logging function, since the device itself does not retain the firewall log across a reboot.
Explanation of VPN connections. The IPsec protocol suite. The SINAUT MD741-1 uses IPsec in tunnel mode for the VPN tunnel. Here, the IP packets to be transferred are encrypted in their entirety and provided with a new outer header before they are sent to the VPN gateway of the partner. The packets received by the partner are decrypted and forwarded to the recipient.
The two methods differ in the exchange of the public key. With X.509 certificate, the key and the key file are exchanged between the SINAUT MD741-1 and the VPN gateway manually, for example using a CD-ROM or e-mail. You will find more information on loading the certificate in section 7.4.
When a VPN tunnel is being established, a special variant of the NAT is used with the SINAUT MD741-1, the 1:1 NAT, also known as bidirectional NAT. This variant allows connection establishment both from the local network to the external network and from the external network to the local network.
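How 1:1 NAT keeps the host part of an address and swaps only the network part, in both directions, can be shown in a few lines of Python. This is an added example for this page, not code from Siemens or from the device; the class name OneToOneNat and the two sample networks are constructed for the illustration.

```python
"""1:1 (bidirectional) NAT between a local network and the address range the remote
VPN network sees, as described for the MD741-1 VPN tunnel. Added example, not device
code; the network addresses used below are constructed sample values."""
from ipaddress import IPv4Address, IPv4Network


class OneToOneNat:
    """Maps every host of `local_net` to the host with the same host bits in `nat_net`
    and back again, so a connection can be opened from either side of the tunnel."""

    def __init__(self, local_net: str, nat_net: str) -> None:
        self.local = IPv4Network(local_net, strict=True)
        self.nat = IPv4Network(nat_net, strict=True)
        if self.local.prefixlen != self.nat.prefixlen:
            raise ValueError("1:1 NAT needs two networks of equal size")

    @staticmethod
    def _translate(addr: str, src: IPv4Network, dst: IPv4Network) -> str:
        ip = IPv4Address(addr)
        if ip not in src:
            raise ValueError(f"{addr} is not in {src}")
        host_bits = int(ip) - int(src.network_address)   # host part is preserved
        return str(IPv4Address(int(dst.network_address) + host_bits))

    def to_external(self, local_addr: str) -> str:
        """Packet leaving into the tunnel: rewrite the local source address."""
        return self._translate(local_addr, self.local, self.nat)

    def to_local(self, nat_addr: str) -> str:
        """Packet arriving from the tunnel: rewrite the NAT destination address."""
        return self._translate(nat_addr, self.nat, self.local)


if __name__ == "__main__":
    # Constructed: local network 192.168.1.0/24 appears to the remote side as 10.20.30.0/24
    nat = OneToOneNat("192.168.1.0/24", "10.20.30.0/24")
    print(nat.to_external("192.168.1.10"))   # 10.20.30.10
    print(nat.to_local("10.20.30.10"))       # 192.168.1.10
```

Applying the same mapping in both directions is what allows connection establishment from either side: a remote station addresses 10.20.30.10, the device rewrites it to 192.168.1.10 on the way in, and the reply from 192.168.1.10 is rewritten back to 10.20.30.10 on the way out. Because each site can be given its own NAT range, two sites that both use the same local network range can be reached through one VPN gateway without renumbering either of them.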
NAT-T There may be a NAT router between the SINAUT MD741-1 and the VPN gateway of the remote network. Not all NAT routers allow IPsec frames to pass through. This means that it may be necessary to encapsulate the IPsec frames in UDP packets to be able to pass through the NAT router.
IP address or the hostname of the remote station. Figure 7-1 IPsec VPN > Connections. Set the SINAUT MD741-1 up in accordance with what has been agreed with the system administrator of the remote station.
CA certificate. X.509 partner certificate: Specifies an X.509 partner certificate loaded on the SINAUT MD741-1 as the authentication method; you select the certificate from the following drop-down list. See also section 7.4. Pre-shared key: With this option, you enter the pre-shared key that needs to be known by the communications partner.
IPSec-VPN > Connections > Roadwarrior Mode > IKE-settings > Edit
ISAKMP-SA encryption, IPsec-SA encryption
Agree with the administrator of the remote station which encryption method will be used for the ISAKMP-SA and the IPsec-SA. The SINAUT MD741-1 supports the following methods:
● 3DES-168
...
It may therefore be necessary to encapsulate the IPsec data packets in UDP packets so that they can go through the NAT router. If the SINAUT MD741-1 detects a NAT router that does not let the IPsec data packets through, then UDP encapsulation is started automatically.
GPRS. This can lead to increased costs. Dead peer detection is switched on: Independently of the transmission of user data, the SINAUT MD741-1 detects if the connection is lost, in which case it waits for the connection to be re-established by the remote station.
7 VPN connection
Factory settings
The factory settings for the SINAUT MD741-1 are as follows:
● Name:
● Enabled: No (switched off)
● Authentication method: CA certificate
● Remote ID: NONE
● Local ID: NONE
● Remote certificate:
● ISAKMP-SA encryption: 3DES-168
● IPsec-SA encryption: 3DES-168
● ISAKMP-SA hash:
...
IP address.
Figure 7-5 Address of the remote host (diagram: local network with Admin PC and local application connected to the MD741-1; VPN tunnel across (E-)GPRS and the INTERNET to the VPN gateway; remote network with the address of the Admin PC and the external remote stations)
If you have loaded the certificate of a SCALANCE S device on the SINAUT MD741-1, you can read out the remote ID from the certificate by clicking the "ID from Scalance S" button. The value read out is then automatically adopted as the remote ID.
See the input box below. Address for local 1:1 NAT in local network: In the input box, enter a network address for frames that are received from the remote network.
7 VPN connection
Wait for remote connection
Select one of the following two options from the drop-down list:
● Yes: The SINAUT MD741-1 waits for the VPN gateway of the remote network to initiate establishment of the VPN connection.
● No: The SINAUT MD741-1 initiates the connection establishment itself.
7 VPN connection
ISAKMP-SA encryption, IPsec-SA encryption
Agree with the administrator of the remote station which encryption method will be used for the ISAKMP-SA and the IPsec-SA. The SINAUT MD741-1 supports the following methods:
● 3DES-168
● AES-128
● AES-192
...
● NAT-T There may be a NAT router between the SINAUT MD741-1 and the VPN gateway of the remote network. Not all NAT routers allow IPsec data packets to go through. It may therefore be necessary to encapsulate the IPsec data packets in UDP packets so that they can go through the NAT router.
Select one of the two options from the drop-down list: Yes: Dead peer detection is enabled. Regardless of whether user data is being transmitted, the SINAUT MD741-1 recognizes loss of the connection. In this case, the device waits for the connection to be re-established by the remote stations.
● IPsec-SA hash:
● DH/PFS group: DH-2 1024
● ISAKMP-SA mode: Main
● ISAKMP-SA lifetime (seconds): 86400
● IPsec-SA lifetime (seconds): 86400
● NAT-T:
● Enable Dead Peer Detection:
● Delay after DPD query (seconds):
● Timeout after DPD query (seconds):
● DPD: maximum number of unsuccessful attempts:
Note: 3DES-168 and DH group 2 (1024-bit MODP) are regarded as weak by current cryptographic standards. Where the remote station supports it, agree on AES (AES-128 or stronger) for both SAs and on a larger DH/PFS group instead of keeping these defaults.
Here load key files (*.pem, *.cer or *.crt) with remote certificates and public key from remote stations into the SINAUT MD741-1. To do this, the files must be saved on the Admin PC. A remote certificate is only required for the authentication method with X.509 certificate.
The user interface for setting up the firewall rules for VPN tunnels can be found under IPsec VPN > Connections: Figure 7-8 IPsec-VPN > Connections > VPN connections in standard mode > Connections settings > Edit > Firewall rules for VPN tunnel
(see Chapter 6.1). However, the rules defined here apply only to the specific VPN connection. Factory settings The factory settings for the SINAUT MD741-1 are as follows: Firewall rules for VPN tunnel No limitations...
(target hosts). This is done independently of payload data. Separate supervision can be configured for each VPN connection. If the SINAUT MD741-1 receives an answer to the ping packet from at least one addressed remote station, the VPN connection is still operational.
If no remote station answers the ping packet, transmission of the ping packet is repeated several times after a configurable delay. If all repetitions end without success, the VPN client in the SINAUT MD741-1 is restarted. This causes a reconnection of all existing VPN connections.
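Both the WAN connection check (Chapter 5: up to four target hosts, then re-establish the EGPRS/GPRS connection or reboot) and the VPN connection supervision described above follow the same pattern: ping a small set of target hosts, treat the link as up while at least one of them answers, and take the configured action only after the first failed round plus the configured repetitions have all failed. The Python below models that decision logic as an added example for this page; it is not device code. The probe is injected instead of sending ICMP so the logic runs offline, and the class name PingSupervisor, the host names and the action strings are constructed for the illustration.

```python
"""Ping-based link supervision as used for the MD741-1 WAN connection check and the
VPN tunnel check (added example, not device code). The probe callable stands in for
ICMP echo so the logic can be run and tested offline; all hosts are constructed."""
from typing import Callable, Iterable, List, Optional

Probe = Callable[[str], bool]  # probe(host) -> True if the host answered the ping


class PingSupervisor:
    MAX_TARGETS = 4  # the device allows up to four destination hosts per check

    def __init__(self, targets: Iterable[str], retries: int, on_failure: str) -> None:
        self.targets: List[str] = list(targets)
        if not 1 <= len(self.targets) <= self.MAX_TARGETS:
            raise ValueError("between one and four target hosts are required")
        if retries < 0:
            raise ValueError("retries must be >= 0")
        self.retries = retries        # repetitions after the first failed round
        self.on_failure = on_failure  # e.g. "reconnect", "reboot", "restart_vpn"
        self.failed_rounds = 0        # consecutive rounds in which nobody answered

    def round_ok(self, probe: Probe) -> bool:
        """One round: the link counts as up if at least one target answers."""
        return any(probe(host) for host in self.targets)

    def check(self, probe: Probe) -> Optional[str]:
        """Run one round (the caller waits the configured delay between rounds).
        Returns None while the link is considered up, or the configured action once
        the first round and all `retries` repetitions have failed in a row."""
        if self.round_ok(probe):
            self.failed_rounds = 0
            return None
        self.failed_rounds += 1
        if self.failed_rounds > self.retries:
            self.failed_rounds = 0    # action is taken; start counting afresh
            return self.on_failure
        return None


def make_probe(reachable: Iterable[str]) -> Probe:
    """Constructed stand-in for ICMP echo: only hosts in `reachable` answer."""
    up = set(reachable)
    return lambda host: host in up


if __name__ == "__main__":
    # Constructed WAN check: two targets, two repetitions, then reconnect.
    wan = PingSupervisor(["ntp.example.net", "gw.example.net"], retries=2, on_failure="reconnect")
    print(wan.check(make_probe(["gw.example.net"])))  # None: one host answered
    nobody = make_probe([])
    print([wan.check(nobody) for _ in range(3)])      # [None, None, 'reconnect']
```

The WAN check and the VPN check differ only in the targets, the number of repetitions and the action string; the same object models either one. Note that the supervision decides on the whole round, so a single unreachable target host does not trigger an action as long as another target still answers.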
If NAT-T is enabled, then keepalive data packets will be sent periodically by the SINAUT MD741-1 through the VPN connection. The purpose of this is to prevent a NAT router between the SINAUT MD741-1 and the remote station from interrupting the connection during idle periods without data traffic.
7 VPN connection Phase 1 timeout (seconds) The Phase 1 timeout determines how long the SINAUT MD741-1 waits for completion of an authentication process of the ISAKMP-SA. If the set timeout is exceeded, the authentication will be aborted and restarted.
7 VPN connection Restart of the VPN client with DPD If the SINAUT MD741-1 does not receive any reply to its DPD queries from the remote station, the IPsec connection is considered to be interrupted after a number of permitted unsuccessful attempts. You can specify whether or not the SINAUT MD741-1 is rebooted in such a situation.
This entry shows how often in the last 24 hours there was an attempt to establish a VPN connection. Download VPN protocol: This function can be used to download the VPN protocol file to the Admin PC.
HTTPS remote access The HTTPS remote access (= HyperText Transfer Protocol Secure) allows secure access to the Web user interface of the SINAUT MD741-1 from an external network via EGPRS, GPRS or CSD. Configuration of the SINAUT MD741-1 via the HTTPS remote access then takes place exactly like configuration via a Web browser via the local interface (see chapter 3).
IP address when specifying the address. Example: If this SINAUT MD741-1 can be accessed via the Internet using the address 192.144.112.5, and if port number 442 has been defined for the remote access, then the following must be specified in the Web browser at the external remote station: https://192.144.112.5:442...
The SSH remote access (= Secured SHell) allows secure access to the file system of the SINAUT MD741-1 from an external network via EGPRS, GPRS or CSD. To do this, a connection must be established using an SSH-capable program from the external remote station to the SINAUT MD741-1.
Page 110
8 Remote access Enable SSH remote access: Yes: Access to the file system of the SINAUT MD741-1 from the external network via SSH is allowed. No: Access via SSH is not allowed. Port for SSH remote access: Default: 22 (factory settings). You can define a different port. However, if you have defined a different port, then the external remote station conducting the remote access must specify the port number defined here after the IP address when specifying the address.
SINAUT MD741-1 via a dial-in data connection (CSD = Circuit Switched Data). To do this, call the SINAUT MD741-1 at the data call number using an analogue modem, or at the voice or data call number of its SIM card using a GSM modem.
Page 112
The telephone connection must support Calling Line Identification Presentation (CLIP), and this function must be activated. The call number entered in the SINAUT MD741-1 must be exactly the same as the call number reported, and may also have to include the country code and prefix, e.g.
Page 113
Factory settings The factory settings for the SINAUT MD741-1 are as follows: Enable CSD dial-in: No (switched off); PPP user name: service; PPP password: service; Permitted call numbers: (none)
● and operating messages ● The log is saved to the log archive of the SINAUT MD741-1 when a file size of 1 MByte is reached, but after 24 hours at the latest. Download current log: Download - the current log is loaded to the Admin PC. You can select the directory to save the file to, and can view the file there.
Page 115
STAT = --- = Function not activated yet
STAT = 1 = Logged in to home network
STAT = 2 = Not logged in; searching for network
STAT = 3 = Login rejected
STAT = 5 = Logged in to third-party network (roaming)
Page 116
Additional information on the plain text report, such as:
● Cell ID (identification number of the active GSM cell)
● Software version
● TXS, RXS (IP packets transmitted in the current connection)
● TX, RX (IP packets transmitted since the last factory settings reboot)
10 Status, log and diagnosis Remote logging The SINAUT MD741-1 can transfer the system log once per day via FTP (= File Transfer Protocol) to an FTP server. The current system log and the system log files in the archive are transferred. After successful transfer the transferred logs are deleted in the SINAUT MD741-1.
The service snapshot downloads important log files and current device settings that could be important for fault diagnosis and saves them in a file. If you contact our Hotline in the event of a problem with the SINAUT MD741-1, in many cases they will ask you for the snapshot file.
Page 119
Note When advanced diagnosis is active, the frequent write access to the non-volatile memory of the SINAUT MD741-1 can lead to a reduction of its service life. Factory settings The factory settings for the SINAUT MD741-1 are as follows:...
Maintenance > Hardware info Software information Shows important information for software identification. This information is often needed in the event of queries to our Hotline. Planned updates are additionally shown. See also Chapter 10.4. Figure 9-5 Maintenance > Software info
Additional functions 10.1 Service Center The SINAUT MD741-1 also uses the Short Message Service (SMS) of the GSM network. You can specify a special SMS center. Figure 10-1 SMS Center (SMSC) Call number of the SMSC To ensure that the SMS function works reliably, enter the call number of the service center (SMSC) here.
Page 122
Text: Enter here the text that will be sent as an alarm message. Factory settings The factory settings of the SINAUT MD741-1 are as follows: SMS service center call number: (none); Alarm SMS for event 1 (no GPRS connection): No (turned off)
SINAUT MD741-1 via the local interface. Via this TCP/IP connection, the application transfers the text of the SMS to the SINAUT MD741-1 that packs the text in an SMS message and sends it. Frame format for the SMS message The text must be transferred in a frame via the TCP/IP connection to the SINAUT MD741-1.
Page 124
User name that must be included in the frame before the text is sent using SMS (see above: "Frame format"). Maximum of 10 characters. Password Password that must be included in the frame before the text is sent using SMS (see above: "Frame format"). Maximum of 10 characters.
10 Additional functions Port number TCP/IP port on which the SINAUT MD741-1 accepts the TCP/IP connection for sending SMS messages. Firewall Rules To allow the TCP/IP connection to be established for sending SMS messages, a firewall rule must be set up on the SINAUT MD741-1.
After that the actual update process begins, which is indicated by the LEDs lighting up in sequence. The settings of the SINAUT MD741-1 will be accepted insofar as the settings still have the same effect in the new software version as they did before the update.
Page 127
Use Browse to select the file that contains the new operating software, for example: MD741_v1.024-v1.027.tgz. Load the firmware to the device with Open. Submit: With Submit the operating software is either activated immediately or activated at the specified time.
GPRS Multislot Class 12 (4 Tx slots) to GPRS Multislot Class 8 (1 Tx); from GPRS Multislot Class 10 (2 Tx slots) to GPRS Multislot Class 8 (1 Tx). CSD / MTC: V.110, RLP, non-transparent, 2.4, 4.8, 9.6, 14.4 kbps. SMS (TX): point to point, MO (outgoing).
Page 129
4.0 W typical at 24 V; 4.5 W typical at 30 V. Current consumption: see table below. [Figure: input current characteristic, current [mA] over time [ms] at 12 V and at 24 V, 4.62 ms burst repeat rate]
Page 130
Operating mode [mA] [mA] [mA] [mA] GSM-CSD 1000 EGPRS / GPRS 1260 Measured at GSM900 Power Level 5 (33 dBm transmitting power) Measured at GSM900 Power Level 10 (23 dBm transmitting power) USB port not used
● Directive 94/9/EC (ATEX) of the European Parliament and the Council of 23 March 1994 on the approximation of the laws of the Member States concerning equipment and protective systems intended for use in potentially explosive atmospheres.
Page 132
● EN55024:1998 + A1:2001 + A2:2003
● EN61000-6-2:2001
Warning The SINAUT MD741-1 is a Class A device. This device can cause radio interference in residential areas; in this case the user may be required to take appropriate measures.
Page 133
T4, Ambient temperature range: -20°C … +60°C Specific Conditions of Use: 1. The SINAUT MD741-1 shall be installed in an Enclosure which maintains an ingress protection rating of IP54; meets the enclosure requirements of EN60079-0 and is only accessible with the use of a tool.
Class I, Zone 2, Group IIC, 135°C maximum surface temperature, Ambient temperature range: -20°C … +60°C. You can download the FM marking by following the link: http://support.automation.siemens.com/WW/view/en/35029750 UL/CSA Certification Marking Applied standards: UL 60950, 1st edition; CSA C22.2 No.60950
12 Applied Standards and Approvals 12.3 Compliance to FCC Marking SINAUT MD741-1 FCC ID: LYHMD741-1 contains MC75 FCC ID: QIPMC75 Applied standards:
● FCC Part 15
● FCC Part 15.19
● FCC Part 15.21
Mandatory user information FCC Part 15 This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to Part 15 of the FCC Rules.
Page 136
You may only use the SINAUT MD741-1 with an antenna of the SINAUT MD741-1 accessory program. The installation of the SINAUT MD741-1 and the antenna as well as servicing is to be performed by qualified technical personnel only. When servicing the antenna, or working at distances closer than those listed below, ensure the transmitter has been disabled.
APN to indicate which network it wants to be connected to: the Internet or a private company network that is connected via a dedicated line. The APN designates the transfer point to the other network. It is communicated to the user by the network operator.
Page 138
Netmask: 255.255.255.0 Additional internal routes Network A is connected to the SINAUT MD741-1 and via it to a remote network. Additional internal routes show the path to additional networks (networks B, C), which are connected to each other via gateways (routers). For the SINAUT MD741-1, in the example shown networks B and C can both be reached via gateway 192.168.11.2 and...
Page 139
Asymmetrical encryption methods such as RSA are, however, slow and vulnerable to certain attacks, which is why they are often combined with a symmetrical method (see symmetrical encryption). On the other hand, concepts are also possible which avoid the complex administration of symmetrical keys.
Page 140
This method is described in RFC 1518. In order to specify a range of IP addresses to the SINAUT MD741-1, or when configuring the firewall, it may be necessary to specify the address space in the CIDR notation.
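As an added illustration of both the CIDR notation described here and the additional internal routes example from the glossary (networks B and C reached via gateway 192.168.11.2), the following Python snippet converts CIDR prefixes to netmasks and back, and performs a longest-prefix route lookup against a small routing table. This is example code written for this page, not code from the manual or from the SINAUT MD741-1 firmware; apart from the gateway address 192.168.11.2, all network prefixes and addresses are constructed sample values.

```python
"""CIDR notation and route lookup as used for firewall rules and additional
internal routes. Added example, not code from the SINAUT MD741-1 manual.
All prefixes except gateway 192.168.11.2 are constructed sample values."""
import ipaddress
from typing import List, Optional, Tuple


def cidr_to_netmask(cidr: str) -> Tuple[str, str]:
    """Return (network address, dotted netmask) for e.g. '192.168.11.0/24'.
    strict=False tolerates host bits set in the input (192.168.11.37/24)."""
    net = ipaddress.ip_network(cidr, strict=False)
    return str(net.network_address), str(net.netmask)


def prefix_to_netmask(prefix_len: int) -> str:
    """Compute the dotted netmask directly: the prefix length is the number of
    leading one bits in the 32-bit mask."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be 0..32")
    mask = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    return ".".join(str((mask >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def netmask_to_prefix(netmask: str) -> int:
    """Inverse conversion; rejects non-contiguous masks such as 255.0.255.0,
    which a firewall or router would otherwise silently misinterpret."""
    value = int(ipaddress.IPv4Address(netmask))
    ones = bin(value).count("1")
    if value != ((0xFFFFFFFF << (32 - ones)) & 0xFFFFFFFF):
        raise ValueError(f"non-contiguous netmask {netmask}")
    return ones


# Constructed routing table modelled on the manual's example: network A is
# attached locally, networks B and C are reached via gateway 192.168.11.2.
ROUTES: List[Tuple[str, Optional[str]]] = [
    ("192.168.11.0/24", None),            # network A, directly connected
    ("192.168.12.0/24", "192.168.11.2"),  # network B via gateway (constructed prefix)
    ("192.168.13.0/24", "192.168.11.2"),  # network C via gateway (constructed prefix)
    ("0.0.0.0/0", "10.0.0.1"),            # default route (constructed)
]


def lookup_route(dst: str, routes=ROUTES) -> Optional[Tuple[str, Optional[str]]]:
    """Longest-prefix match: the most specific matching network wins.
    Returns (matched network, gateway or None if directly connected)."""
    addr = ipaddress.ip_address(dst)
    best = None
    for cidr, gateway in routes:
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gateway)
    if best is None:
        return None
    return str(best[0]), best[1]


if __name__ == "__main__":
    print(cidr_to_netmask("192.168.11.0/24"))   # ('192.168.11.0', '255.255.255.0')
    print(lookup_route("192.168.12.7"))          # ('192.168.12.0/24', '192.168.11.2')
```

The netmask_to_prefix check matters when translating legacy dotted-mask rules into CIDR form: a mask with a gap in its one bits has no CIDR equivalent, and it is better to reject it than to let a firewall rule cover a different address range than intended.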
Page 141
CSQ values correspond to the received field strength RSSI (= Received Signal Strength Indication):
CSQ      RSSI
< 6      < -101 dBm
6…10     -101…-93 dBm
11…18    -91…-77 dBm
> 18     > -75 dBm
Not logged in
Page 142
(DNS) and gets back the associated IP address. Only then does the sender address its data to this IP address.
Page 143
EDGE, GPRS is expanded to become EGPRS (Enhanced GPRS), and HSCSD is expanded to become ECSD. EGPRS EGPRS stands for "Enhanced General Packet Radio Service", which describes a packet-oriented data service based on GPRS, which is accelerated by means of EDGE technology.
Page 144
65,536 hosts (2 bytes of address space: 256 x 256). There can be 32 x 256 x 256 Class C networks, each of which can contain up to 256 hosts (1 byte of address space).
Page 145
Using the table the NAT box exchanges the destination IP address and the destination port and forwards the datagram to the internal network.
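To make the table lookup described in this glossary entry concrete, the following Python snippet simulates a minimal NAT box: an outbound datagram from the internal network creates a table entry, and a reply arriving at the public address is matched against that table and has its destination IP address and port rewritten to the internal host. It is an added example written for this page, not code from the manual or the SINAUT MD741-1 firmware; the public IP, internal addresses and ports are constructed sample values.

```python
"""Minimal NAT table simulation (added example; not code from the manual).
Outbound datagrams create a mapping (internal IP, port) -> public port; a
reply to the public IP is looked up in the table and its destination is
rewritten to the internal host. Addresses and ports are constructed."""
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple

PUBLIC_IP = "203.0.113.10"   # constructed sample public address


@dataclass(frozen=True)
class Datagram:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    protocol: str = "tcp"


class NatBox:
    def __init__(self, public_ip: str = PUBLIC_IP, first_port: int = 40000):
        self.public_ip = public_ip
        self.next_port = first_port
        # (protocol, public port) -> (internal ip, internal port)
        self.table: Dict[Tuple[str, int], Tuple[str, int]] = {}
        # (protocol, internal ip, internal port) -> public port, to reuse mappings
        self.reverse: Dict[Tuple[str, str, int], int] = {}

    def outbound(self, dg: Datagram) -> Datagram:
        """Translate the source of an internal->external datagram and record
        the mapping so the reply can be routed back."""
        key = (dg.protocol, dg.src_ip, dg.src_port)
        public_port = self.reverse.get(key)
        if public_port is None:
            public_port = self.next_port
            self.next_port += 1
            self.reverse[key] = public_port
            self.table[(dg.protocol, public_port)] = (dg.src_ip, dg.src_port)
        return replace(dg, src_ip=self.public_ip, src_port=public_port)

    def inbound(self, dg: Datagram) -> Optional[Datagram]:
        """Rewrite the destination of an external->internal datagram using the
        table. Datagrams with no matching entry are dropped (None): the NAT
        table implicitly blocks unsolicited inbound connections."""
        if dg.dst_ip != self.public_ip:
            return None
        entry = self.table.get((dg.protocol, dg.dst_port))
        if entry is None:
            return None
        internal_ip, internal_port = entry
        return replace(dg, dst_ip=internal_ip, dst_port=internal_port)


def demo() -> Tuple[Datagram, Optional[Datagram], Optional[Datagram]]:
    """Walk one outbound request, its reply, and an unsolicited inbound datagram."""
    nat = NatBox()
    request = Datagram("192.168.11.5", 51000, "198.51.100.7", 443)   # constructed
    out = nat.outbound(request)
    reply = Datagram("198.51.100.7", 443, out.src_ip, out.src_port)
    back = nat.inbound(reply)
    unsolicited = nat.inbound(Datagram("198.51.100.9", 1234, PUBLIC_IP, 22))
    return out, back, unsolicited


if __name__ == "__main__":
    for dg in demo():
        print(dg)
```

The third return value of demo() is None: an inbound datagram for a port with no table entry has nowhere to go and is discarded. This is why hosts behind NAT are not directly reachable from outside unless an explicit forwarding entry (such as the SINAUT MD741-1 port forwarding or remote access settings) is configured, and why such entries deserve the same review as firewall rules.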
Page 146
DSL, Wireless LAN or cable modem. PPTP Acronym for Point-to-Point Tunneling Protocol. This protocol was developed by Microsoft, U.S. Robotics and others in order to transmit data securely between two VPN nodes (see VPN) over a public network.
Page 147
The forged Internet address is used to pose as an authorised user. Anti-spoofing means mechanisms to reveal or prevent spoofing. SSH (Secure Shell) is a protocol that enables secure, encrypted data exchange between computers. Secure SHell is used for remote access to the input console from LINUX-based machines.
Page 148
Symmetrical encryption With symmetrical encryption the data are encrypted and decrypted using the same key. Examples of symmetrical encryption algorithms are DES and AES. These are fast, but require complex administration as the number of users increases.
Page 149
(subnets) via a public network, e.g. the Internet, to form a shared network. Confidentiality and authenticity are ensured by using cryptographic protocols. A VPN therefore provides an inexpensive alternative to dedicated lines when it comes to setting up a supraregional corporate network.
Page 150
Involving certification authorities means that not every key owner needs to know the other one, but only the certification authority used. The additional key information also simplifies the administrability of the key. X.509 certificates are employed, e.g. in e-mail encryption, using S/MIME or IPsec.