Ah en Secure VPN Client 107160 en 00


SECURE VPN CLIENT

VPN connection to the mobile communication router or the ADSL router

Application note
107160_en_00 © PHOENIX CONTACT 2016-02-19

1 Description
This application note describes how you can establish a
VPN connection from the mGuard Secure VPN Client to a
mobile communication router or ADSL router. This requires
the use of certificates.
You need the following:
| Name | Order No. | Description | Link to item |
| --- | --- | --- | --- |
| MGUARD SECURE VPN CLIENT LIC | 2702579 | License for mGuard Secure VPN Client | phoenixcontact.net/product/2702579 |
| PSI MODEM 3G/ROUTER with SIM card and fixed IP address or dynamic name resolution | 2314008 | Industrial 3G (UMTS/HSPA) mobile communication router with integrated firewall and VPN | phoenixcontact.net/product/2314008 |
| Alternative: PSI-MODEM-GSM/ETH with SIM card and fixed IP address or dynamic name resolution | 2313355 | Industrial GPRS/EDGE router with integrated firewall and VPN | phoenixcontact.net/product/2313355 |
| Alternative with ADSL: TC DSL ROUTER X500 A/B with ADSL connection and fixed IP address or dynamic name resolution | 2902710 | Industrial ADSL broadband router | phoenixcontact.net/product/2902710 |

WARNING:
This application note does not replace the device-specific documents.
Please follow the safety notes in the associated package slips, data sheets, and user manuals.

Make sure you always use the latest documentation. It can be downloaded at phoenixcontact.net/products.

Table of contents
1 Description
2 Certificates
3 Configuring the router
3.1 Mobile communication router
3.2 ADSL router
4 Configuring the mGuard Secure Client
4.1 Installation
4.2 Uploading a certificate
4.3 Creating a profile
4.4 Testing the connection


2 Certificates
Learn how to create certificates in the “Quick Reference Guide for creating certificates” at phoenixcontact.com/product/2314008.

Certificates required
For a VPN tunnel in connection with the mGuard Secure Client, you require three certificates: a private certificate for each side and the public certificate of the client, which is loaded in the VPN server.
– Machine certificate.p12#
– Client.p12#
– Client.crt

3 Configuring the router


If you are using an ADSL router, you can skip the next section. Read more in Section 3.2, “ADSL router”.

3.1 Mobile communication router

Figure 1 System overview with mobile communication router

Ensure that access to the mobile communication network is possible. For additional information on mobile communication, visit the mobile communication guide at phoenixcontact.com/product/2314008.


• Connect the mobile communication router to the public Internet access.
• The settings for establishing Internet access can be found in the mobile communication router user manual (refer to phoenixcontact.com/product/2314008).
• Open the web-based management. Log in with your user name and password.
• Switch to the “VPN, IPsec, Certificates” sub-folder.
• Load the previously created certificates into the mobile communication router.
• Confirm with “Apply”.

Figure 2 IPsec certificates

• Switch to the “VPN, IPsec, Connections” sub-folder.
• Enter a name for the VPN connection.
• Confirm with “Apply”.
• Under the “Settings” main item, click on the “Edit” button.

Figure 3 IPsec connections

• Activate the VPN tunnel.
• Select the certificates.
• Enter the network area of the local network. Enter the fixed IP address of the client. The example shows the network area 192.168.2.0/24 and for the client 192.168.9.1/32.
• Confirm with “Apply”.

Figure 4 IPsec connection settings


• Click on “IKE”.
• Take the settings from the figure below.

Figure 5 IPsec - Internet key exchange settings


The settings for the mobile communication router are now complete.
• In the “Status” VPN sub-folder, you can monitor the status of the VPN tunnel. In addition, the mobile communication router has a VPN LED for diagnostics.

Figure 6 IPsec status

If you are using a mobile communication router, you can skip the next section. Read more in Section 4, “Configuring the mGuard Secure Client”.

3.2 ADSL router

Figure 7 System overview with ADSL router


• Connect the TC DSL ROUTER X500 A/B to the public ADSL access.
• The settings for establishing Internet access can be found in the ADSL router user manual (refer to phoenixcontact.com/product/2902710).
• Open the web-based management. Log in with your user name and password.
• Switch to the “VPN, IPsec, Certificates” sub-folder.
• Load the previously created certificates into the ADSL router.
• Confirm with “Apply”.

Figure 8 IPsec certificates

• Switch to the “VPN, IPsec, Connections” sub-folder.
• Enter a name for the VPN connection.
• Confirm with “Apply”.
• Under the “Settings” main item, click on the “Edit” button.

Figure 9 IPsec connections

• Activate the VPN tunnel.
• Select the certificates.
• Enter the network area of the local network. Enter the fixed IP address of the client. The example shows the network area 192.168.2.0/24 and for the client 192.168.9.1/32.
• Confirm with “Apply”.

Figure 10 IPsec connection settings


• Click on “IKE”.
• Take the settings from the figure below.

Figure 11 IPsec - Internet key exchange settings

The settings for the ADSL router are now complete.
• In the “Status” VPN sub-folder, you can monitor the status of the VPN tunnel. In addition, the ADSL router has a VPN LED for diagnostics.

Figure 12 IPsec status


4 Configuring the mGuard Secure Client


4.1 Installation
• Install the mGuard Secure Client as described in the corresponding data sheet (see phoenixcontact.com/product/2702579).

4.2 Uploading a certificate
• Start the software.

Figure 13 Certificate configuration

• Click on “Configuration” and then “Certificates”.
• Enter a name.
• In the “User Certificate” tab, select the “from PKCS#12 file” option.
• Upload the previously created certificate.

Figure 14 User Certificate

4.3 Creating a profile
• In the main menu, select “Configuration”.
• Select “Profiles”.
• Add a new profile.

Figure 15 Profiles

• Select the manual configuration.
• Enter a profile name.

Figure 16 Profile Name


• Select the previously uploaded certificate.

Figure 17 Certificate Configuration

• In “Gateway”, enter the fixed public IP or the dynamic name of the remote station.

Figure 18 Gateway (Tunnel Endpoint)

• Apply the IPsec parameters as shown below:
– main mode
– DH-Group 2 (1024 bits)

Figure 19 IPsec Configuration

• Apply the settings for the pre-shared key as shown below:
– ASN1 Distinguished Name

Figure 20 Pre-Shared Key


• Enter the client IP address. In the example in the system overview, the IP address is 192.168.9.1.
NOTE: Malfunction
The logical network on the PC and on the remote station must be located in different network areas. Otherwise problems may arise when routing.
– Select different network areas.
• Enter the network area of the remote station. In the example in the system overview, the network area is 192.168.2.0/24.
• Close the wizard with “Finish”.

Figure 21 IPsec Configuration - IP Addresses, Client

Figure 22 IPsec Configuration - IP Addresses, remote station network area
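
The NOTE above (PC and remote station in different network areas) and the “DH-Group 2 (1024 bits)” IPsec parameter can both be checked before a profile is rolled out. The following Python audit is an added example, not Phoenix Contact code: the function name, the PC LAN ranges and the 2048-bit policy floor are assumptions, while 192.168.9.1/32, 192.168.2.0/24 and DH group 2 are the values used in this note.

```python
import ipaddress

# IKE MODP groups and their sizes (RFC 2409, RFC 3526). RFC 8247 (IKEv2
# guidance) rates 1024-bit group 2 SHOULD NOT and 2048-bit group 14 MUST.
MODP_BITS = {1: 768, 2: 1024, 5: 1536, 14: 2048, 15: 3072, 16: 4096}
MIN_MODP_BITS = 2048  # assumption: local policy floor, not a value from the page


def audit_profile(pc_networks, client_ip, remote_network, dh_group):
    """Return a list of findings for one client profile (empty list = clean)."""
    findings = []
    client = ipaddress.ip_interface(client_ip)
    remote = ipaddress.ip_network(remote_network, strict=True)
    # strict=False lets the caller pass adapter addresses such as 10.20.3.7/16
    pc_nets = [ipaddress.ip_network(n, strict=False) for n in pc_networks]

    # Routing check from the NOTE: if a PC-side network overlaps the remote
    # network, the PC delivers those addresses to its own LAN, not the tunnel.
    for net in pc_nets:
        if net.overlaps(remote):
            findings.append(f"routing: PC network {net} overlaps remote {remote}")
        if client.ip in net:
            findings.append(f"routing: client IP {client.ip} lies inside PC network {net}")
    if client.ip in remote:
        findings.append(f"routing: client IP {client.ip} lies inside remote {remote}")

    # Key-exchange strength check for the configured DH group.
    bits = MODP_BITS.get(dh_group)
    if bits is None:
        findings.append(f"ike: unknown DH group {dh_group}")
    elif bits < MIN_MODP_BITS:
        findings.append(f"ike: DH group {dh_group} is {bits}-bit MODP, below {MIN_MODP_BITS}")
    return findings


# Values taken from this application note.
PAGE_EXAMPLE = dict(client_ip="192.168.9.1/32",
                    remote_network="192.168.2.0/24", dh_group=2)

if __name__ == "__main__":
    # Constructed sample: two hypothetical PC LANs, one of which collides.
    for lan in ("10.20.0.0/16", "192.168.2.0/24"):
        for finding in audit_profile([lan], **PAGE_EXAMPLE):
            print(f"{lan}: {finding}")
```
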


4.4 Testing the connection


• In the main menu, select your profile. Activate the connection.

Figure 23 Gateway, testing the connection

• If you have used a password when creating the certificates, enter this here.

Figure 24 Entering the password

The connection is established. If no data traffic takes place within the timeout time set, the VPN tunnel is aborted.

Figure 25 Connection established

PHOENIX CONTACT GmbH & Co. KG • Flachsmarktstraße 8 • 32825 Blomberg • Germany
phoenixcontact.com
