Ah en Secure VPN Client 107160 en 00
Application note
107160_en_00 © PHOENIX CONTACT 2016-02-19
1 Description
This application note describes how you can establish a
VPN connection from the mGuard Secure VPN Client to a
mobile communication router or ADSL router. This requires
the use of certificates.
You need the following:
| Name | Order No. | Description | Link to item |
|---|---|---|---|
| MGUARD SECURE VPN CLIENT LIC | 2702579 | License for mGuard Secure VPN Client | phoenixcontact.net/product/2702579 |
| PSI MODEM 3G/ROUTER with SIM card and fixed IP address or dynamic name resolution | 2314008 | Industrial 3G (UMTS/HSPA) mobile communication router with integrated firewall and VPN | phoenixcontact.net/product/2314008 |
| Alternative: PSI-MODEM-GSM/ETH with SIM card and fixed IP address or dynamic name resolution | 2313355 | Industrial GPRS/EDGE router with integrated firewall and VPN | phoenixcontact.net/product/2313355 |
| Alternative with ADSL: TC DSL ROUTER X500 A/B with ADSL connection and fixed IP address or dynamic name resolution | 2902710 | Industrial ADSL broadband router | phoenixcontact.net/product/2902710 |
WARNING:
This application note does not replace the device-specific documents.
Please follow the safety notes in the associated package slips, data sheets, and user manuals.
Table of contents
1 Description
2 Certificates
3 Configuring the router
3.1 Mobile communication router
3.2 ADSL router
2 Certificates
Learn how to create certificates in the “Quick Reference
Guide for creating certificates” at
phoenixcontact.com/product/2314008.
Certificates required
For a VPN tunnel in connection with the mGuard Secure
Client, you require three certificates: a private certificate
from each side and a public certificate from the client loaded
in the VPN server.
– Machine certificate.p12#
– Client.p12#
– Client.crt
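The three files listed above can be produced and cross-checked as follows. This is an added example, not taken from the application note or the Quick Reference Guide; it assumes the OpenSSL command line, and the CA, subject names, validity period and password are constructed placeholders.

```shell
#!/bin/sh
# Added example: throwaway PKI producing the three files listed above.
# Assumptions: OpenSSL CLI; CA name, subjects, validity and password are constructed.
set -eu
PASS='change-me'   # placeholder export password

# make_pki DIR: create a CA, then a key pair and PKCS#12 file for each side.
make_pki() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/O=Example/CN=Example VPN CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    for name in "Machine certificate" Client; do
        openssl req -newkey rsa:2048 -nodes -subj "/O=Example/CN=$name" \
            -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null
        openssl x509 -req -in "$dir/$name.csr" -CA "$dir/ca.crt" \
            -CAkey "$dir/ca.key" -CAcreateserial -days 365 \
            -out "$dir/$name.crt" 2>/dev/null
        # "Private certificate": key, certificate and CA in one protected file.
        openssl pkcs12 -export -inkey "$dir/$name.key" -in "$dir/$name.crt" \
            -certfile "$dir/ca.crt" -passout "pass:$PASS" -out "$dir/$name.p12"
    done
    rm -f "$dir"/*.key "$dir"/*.csr   # private keys now live only in the .p12 files
}

# p12_fp FILE: SHA-256 fingerprint of the end-entity certificate in a .p12 file.
p12_fp() {
    openssl pkcs12 -in "$1" -passin "pass:$PASS" -clcerts -nokeys 2>/dev/null |
        openssl x509 -noout -fingerprint -sha256
}

# p12_has_key FILE: succeeds only if the file carries a private key.
p12_has_key() {
    openssl pkcs12 -in "$1" -passin "pass:$PASS" -nocerts -nodes 2>/dev/null |
        grep -q 'PRIVATE KEY'
}

# check_set DIR: checks to run before loading the files into router and client.
check_set() {
    dir=$1
    p12_has_key "$dir/Machine certificate.p12" || { echo "machine key missing"; return 1; }
    p12_has_key "$dir/Client.p12" || { echo "client key missing"; return 1; }
    # The public Client.crt on the router must be the certificate inside Client.p12.
    crt_fp=$(openssl x509 -noout -fingerprint -sha256 -in "$dir/Client.crt")
    [ "$crt_fp" = "$(p12_fp "$dir/Client.p12")" ] || { echo "Client.crt mismatch"; return 1; }
    echo OK
}

d=$(mktemp -d); make_pki "$d"; check_set "$d"; rm -rf "$d"
```

The fingerprint comparison catches the common mistake of loading a public certificate on the router that does not belong to the key pair installed on the client.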
3 Configuring the router
3.1 Mobile communication router
Ensure that access to the mobile communication network is possible. For additional information on mobile communication, visit the mobile communication guide at phoenixcontact.com/product/2314008.
• Connect the mobile communication router to the public Internet access.
• The settings for establishing Internet access can be found in the mobile communication router user manual (refer to phoenixcontact.com/product/2314008).
• Open the web-based management. Log in with your user name and password.
• Switch to the “VPN, IPsec, Certificates” sub-folder.
• Load the previously created certificates into the mobile communication router.
• Confirm with “Apply”.
• Switch to the “VPN, IPsec, Connections” sub-folder.
• Enter a name for the VPN connection.
• Confirm with “Apply”.
• Under the “Settings” main item, click on the “Edit” button.
• Click on “IKE”.
• Take the settings from the figure below.
3.2 ADSL router
• Connect the TC DSL ROUTER X500 A/B to the public ADSL access.
• The settings for establishing Internet access can be found in the ADSL router user manual (refer to phoenixcontact.com/product/2902710).
• Open the web-based management. Log in with your user name and password.
• Switch to the “VPN, IPsec, Certificates” sub-folder.
• Load the previously created certificates into the ADSL router.
• Confirm with “Apply”.
• Switch to the “VPN, IPsec, Connections” sub-folder.
• Enter a name for the VPN connection.
• Confirm with “Apply”.
• Under the “Settings” main item, click on the “Edit” button.
• Click on “IKE”.
• Take the settings from the figure below.
Figure 15 Profiles
• Select the previously uploaded certificate.
• In “Gateway”, enter the fixed public IP or the dynamic name of the remote station.
• Apply the settings for the pre-shared key as shown below:
– ASN1 Distinguished Name
• Apply the IPsec parameters as shown below:
– main mode
– DH-Group 2 (1024 bits)
Figure 19 IPsec Configuration
107160_en_00 PHOENIX CONTACT GmbH & Co. KG • Flachsmarktstraße 8 • 32825 Blomberg • Germany
phoenixcontact.com