Phobos Wiki - User contributions [en]

RTU client server communication

2019-06-04T11:15:27Z

Igor: /* IEC 101UB Serial */

[[Kasutaja:MarkTomm|MarkTomm]] 25. september 2017, kell 16:05 (EEST)

= Connections =

The IEC 104 TCP was documented on 25.09.2017 when there was an issue with connection. GWM iec 104 server closed the connection every ~20 seconds because it was 101-to-104 with GWMIO and GWMIO was disconnected.

== IEC 104 TCP ==

=== Client log when server disconnects ===
<pre>
2017-09-25 15:48:44.975 [INFO] Gateway.Port16.port - Close connection, connection reset by peer
2017-09-25 15:48:44.977 [DEBUG] Gateway.Port16.link - CommunicationBad
2017-09-25 15:48:44.977 [ERROR] Gateway.Port16.port - Request disconnect, no connection
2017-09-25 15:48:44.977 [ERROR] Gateway.Port16 - Timeout, suppressing following timeout messages!
2017-09-25 15:48:44.997 [DEBUG] Gateway.Port16 - StatusDi: no connection
2017-09-25 15:48:45.000 [ERROR] Gateway.Port16 - Remove from polling
2017-09-25 15:48:45.000 [INFO] Gateway.Port16 - Reset communication
</pre>

=== Client log when it connects ===
<pre>
2017-09-25 15:48:45.980 [INFO] Gateway.Port16.port - Connecting to 10.0.0.173:2404
2017-09-25 15:48:45.982 [INFO] Gateway.Port16.port - Connected to 10.0.0.173:2404
2017-09-25 15:48:45.982 [TRACE] Gateway.Port16.port - Clear communication buffers
2017-09-25 15:48:45.982 [DEBUG] Gateway.Port16 - Port open!
2017-09-25 15:48:45.982 [DEBUG] Gateway.Port16 - Retry/Establish communication
2017-09-25 15:48:45.983 [INFO] Gateway.Port16 - Enable polling
2017-09-25 15:48:45.983 [INFO] Gateway.Port16 - Reset communication done
2017-09-25 15:48:45.983 [TRACE] Gateway.Port16.port.link - Port connected
2017-09-25 15:48:46.003 [DEBUG] Gateway.Port16.port.write.link - UFormat: STARTDT_ACT
2017-09-25 15:48:46.009 [TRACE] Gateway.Port16.port.write - 68 04 07 00 00 00
2017-09-25 15:48:46.011 [TRACE] Gateway.Port16.port.read - 68 04 0B 00 00 00
2017-09-25 15:48:46.012 [DEBUG] Gateway.Port16.port.read.link - UFormat: STARTDT_CON
2017-09-25 15:48:46.012 [DEBUG] Gateway.Port16.link - CommunicationOk
2017-09-25 15:48:46.012 [TRACE] Gateway.Port16 - Status DI needs updating!
2017-09-25 15:48:46.012 [DEBUG] Gateway.Port16 - StatusDi: connected
</pre>

=== Server log when it disconnects ===
<pre>
2017-09-01 15:56:48.669 [DEBUG] Gateway.104port.link - CommunicationBad
2017-09-01 15:56:48.669 [ERROR] Gateway.104port.port - Request disconnect, subdevice removed from polling
2017-09-01 15:56:48.670 [INFO] Gateway.104port.port - Close connection, Force disconnect
2017-09-01 15:56:48.670 [ERROR] Gateway.104port - Timeout, suppressing following timeout messages!
2017-09-01 15:56:49.001 [DEBUG] Gateway.104port.db - Time cn (11) event: 57409 time: 2017-Sep-01 15:56:49.000063, buffered
</pre>

=== Server log when client connects after reset ===
<pre>
2017-09-01 16:09:40.069 [TRACE] Gateway.104port.port - Clear communication buffers
2017-09-01 16:09:40.070 [INFO] Gateway.104port.port - Incoming connection from 10.0.0.231 established.
2017-09-01 16:09:40.070 [TRACE] Gateway.104port.port.link - Port connected
2017-09-01 16:09:40.070 [DEBUG] Gateway.104port - Port open!
2017-09-01 16:09:40.070 [DEBUG] Gateway.104port - Retry/Establish communication
2017-09-01 16:09:40.070 [INFO] Gateway.104port - Enable polling
2017-09-01 16:09:40.070 [INFO] Gateway.104port - Reset communication
2017-09-01 16:09:40.071 [INFO] Gateway.104port - Reset communication done
2017-09-01 16:09:40.097 [TRACE] Gateway.104port.port.read - 68 04 07 00 00 00
2017-09-01 16:09:40.097 [DEBUG] Gateway.104port.port.read.link - UFormat: STARTDT_ACT
2017-09-01 16:09:40.098 [TRACE] Gateway.104port.link - Received U format message with "Start Data Transfer Activation" from master. Reissue "Port connected" to port buffer. This will clear buffers counters and timers.
2017-09-01 16:09:40.098 [TRACE] Gateway.104port.port.link - Port connected
2017-09-01 16:09:40.098 [DEBUG] Gateway.104port.port.write.link - UFormat: STARTDT_CON
2017-09-01 16:09:40.098 [DEBUG] Gateway.104port.link - CommunicationOk
2017-09-01 16:09:40.098 [DEBUG] Gateway.104port - StatusDi: connected
2017-09-01 16:09:40.098 [INFO] Gateway.104port - Connected
2017-09-01 16:09:40.098 [INFO] Gateway.104port - Refresh all values
2017-09-01 16:11:46.093 [TRACE] Gateway.104port.port.write - 68 04 0B 00 00 00
</pre>

=== Server log when client reconnects after sudden disconnect ===
<pre>
2017-09-01 15:56:49.675 [TRACE] Gateway.104port.port - Clear communication buffers
2017-09-01 15:56:49.676 [DEBUG] Gateway.104port - Port open!
2017-09-01 15:56:49.676 [DEBUG] Gateway.104port - Retry/Establish communication
2017-09-01 15:56:49.676 [INFO] Gateway.104port - Enable polling
2017-09-01 15:56:49.676 [INFO] Gateway.104port - Reset communication
2017-09-01 15:56:49.676 [INFO] Gateway.104port - Reset communication done
2017-09-01 15:56:49.676 [TRACE] Gateway.104port.port.link - Port connected
2017-09-01 15:56:49.677 [INFO] Gateway.104port.port - Incoming connection from 10.0.0.231 established.
2017-09-01 15:56:49.703 [TRACE] Gateway.104port.port.read - 68 04 07 00 00 00
2017-09-01 15:56:49.703 [DEBUG] Gateway.104port.port.read.link - UFormat: STARTDT_ACT
2017-09-01 15:56:49.703 [TRACE] Gateway.104port.link - Received U format message with "Start Data Transfer Activation" from master. Reissue "Port connected" to port buffer. This will clear buffers counters and timers.
2017-09-01 15:56:49.703 [TRACE] Gateway.104port.port.link - Port connected
2017-09-01 15:56:49.703 [DEBUG] Gateway.104port.port.write.link - UFormat: STARTDT_CON
2017-09-01 15:56:49.703 [DEBUG] Gateway.104port.link - CommunicationOk
2017-09-01 15:56:49.704 [DEBUG] Gateway.104port - StatusDi: connected
2017-09-01 15:56:49.704 [TRACE] Gateway.104port.port.write - 68 04 0B 00 00 00
</pre>

= Commands =

== IEC 101UB Serial ==

=== IEC 101UB Serial SCADA CMD (Select & Execute) to IEC 101UB IED ===

Port6 - IEC 101UB Scada

DO5T - IED which recv cmd

DI24T - other IED not used in this example

<pre>
2017-09-26 16:15:28.120 [TRACE] telem-gw6e.Port6.port.read - 68 0A 0A 68 73 01 2D
2017-09-26 16:15:28.136 [TRACE] telem-gw6e.Port6.port.read - 01 06 01 00 C9 00 81 F3 16
2017-09-26 16:15:28.137 [TRACE] telem-gw6e.Port6.link - [IEC60870 101 UB Slave Link] RecvVarLenFrame CTRL_FCV(16) CTRL_FCB(32) CTRL_FN(3) LINK_ADDR(1) ADDR_LEN(1)
2017-09-26 16:15:28.137 [TRACE] telem-gw6e.Port6.link - [IEC60870 101 UB Slave Link] SendFixLenFrame CTRL_ACD(0) CTRL_FN(0) LINK_ADDR(1) ADDR_LEN(1)
2017-09-26 16:15:28.137 [INFO] telem-gw6e.Port6.db - DO1 (201) control: 2 flags: Select Command Activation time: 2017-Sep-26 16:15:28.137173, recv
2017-09-26 16:15:28.137 [DEBUG] Gateway.Filter.Update - [DO_5_1_1_filter] DO_1_1_value = 2 flags: Select Activation Select Command Activation time: 2017-Sep-26 13:15:28.137173
2017-09-26 16:15:28.137 [TRACE] Gateway.Filter.AddToBuffer - [DO_5_1_1_filter] DO_1_1_buf << 2 flags: Select Activation Confirmation Select Command Activation time: 2017-Sep-26 13:15:28.137173
2017-09-26 16:15:28.137 [DEBUG] telem-gw6e.Port5.DO5T.db - DO1 (1) event: 2 flags: Select Command Activation time: 2017-Sep-26 16:15:28.137173, buffered
2017-09-26 16:15:28.241 [TRACE] telem-gw6e.Port5.DI24T.link - [IEC60870 101 UB Master Link] SendFixedFrame CTRL_FCV(1) CTRL_FCB(0) CTRL_FN(CTRL_REQUEST_CLASS_2 - 11) LINK_ADDR(1) ADDR_LEN(1)
2017-09-26 16:15:28.241 [TRACE] telem-gw6e.Port5.port.write - 10 5B 01 5C 16
2017-09-26 16:15:28.258 [TRACE] telem-gw6e.Port5.port.read - 10 09 01
2017-09-26 16:15:28.274 [TRACE] telem-gw6e.Port5.port.read - 0A 16
2017-09-26 16:15:28.274 [TRACE] telem-gw6e.Port5.DI24T.link - [IEC60870 101 UB Master Link] RecvFixLenFrame. CTRL_ACD(0) CTRL_FN(CTRL_NO_DATA - 9) LINK_ADDR(1) ADDR_LEN(1)
2017-09-26 16:15:28.274 [INFO] telem-gw6e.Port5.DO5T.db - DO1 (1) control: 2 flags: Select Command Activation time: 2017-Sep-26 16:15:28.137173, sent
2017-09-26 16:15:28.274 [TRACE] IEC.setEvent - [Core -> Prot] (Input Events) add event EVENTCODE_DIGITAL_OUTPUT_COMMAND
2017-09-26 16:15:28.437 [TRACE] telem-gw6e.Port6.port.write - 10 00 01 01 16
2017-09-26 16:15:28.568 [TRACE] telem-gw6e.Port6.port.read - 10 5B 01 5C
2017-09-26 16:15:28.575 [TRACE] telem-gw6e.Port5.ControlStateLogger - register obj_id: 0 arg: 1
2017-09-26 16:15:28.575 [TRACE] telem-gw6e.Port5.ControlStateLogger - SELECT 1
2017-09-26 16:15:28.576 [TRACE] telem-gw6e.Port5.DO5T.link - [IEC60870 101 UB Master Link] SendVarLenFrame CTRL_FCV(1) CTRL_FCB(1) CTRL_FN(CTRL_USER_DATA - 3) LINK_ADDR(3) ADDR_LEN(1)
2017-09-26 16:15:28.576 [TRACE] telem-gw6e.Port5.port.write - 68 0A 0A 68 73 03 2E 01 06 03 00 01 00 82 31 16
2017-09-26 16:15:28.584 [TRACE] telem-gw6e.Port6.port.read - 16
2017-09-26 16:15:28.584 [TRACE] telem-gw6e.Port6 - [IEC60870 101 UB Data] class 2 data available: no
2017-09-26 16:15:28.584 [TRACE] telem-gw6e.Port6.link - [IEC60870 101 UB Slave Link] SendFixLenFrame CTRL_ACD(0) CTRL_FN(9) LINK_ADDR(1) ADDR_LEN(1)
2017-09-26 16:15:28.610 [TRACE] telem-gw6e.Port5.port.read - 10 20 03 23 16
2017-09-26 16:15:28.610 [TRACE] telem-gw6e.Port5.DO5T.link - [IEC60870 101 UB Master Link] RecvFixLenFrame. CTRL_ACD(1) CTRL_FN(CTRL_ACK - 0) LINK_ADDR(3) ADDR_LEN(1)
2017-09-26 16:15:28.884 [TRACE] telem-gw6e.Port6.port.write - 10 09 01 0A 16
2017-09-26 16:15:28.912 [TRACE] telem-gw6e.Port5.DI24T.link - [IEC60870 101 UB Master Link] SendFixedFrame CTRL_FCV(1) CTRL_FCB(1) CTRL_FN(CTRL_REQUEST_CLASS_2 - 11) LINK_ADDR(1) ADDR_LEN(1)
2017-09-26 16:15:28.912 [TRACE] telem-gw6e.Port5.port.write - 10 7B 01 7C 16
2017-09-26 16:15:28.930 [TRACE] telem-gw6e.Port5.port.read - 10 09 01 0A
2017-09-26 16:15:28.946 [TRACE] telem-gw6e.Port5.port.read - 16
2017-09-26 16:15:28.946 [TRACE] telem-gw6e.Port5.DI24T.link - [IEC60870 101 UB Master Link] RecvFixLenFrame. CTRL_ACD(0) CTRL_FN(CTRL_NO_DATA - 9) LINK_ADDR(1) ADDR_LEN(1)
2017-09-26 16:15:29.016 [TRACE] telem-gw6e.Port6.port.read - 68
2017-09-26 16:15:29.032 [TRACE] telem-gw6e.Port6.port.read - 0A 0A 68 73 01 2D 01 06 01 00 C9 00 01 73 16
2017-09-26 16:15:29.032 [TRACE] telem-gw6e.Port6.link - [IEC60870 101 UB Slave Link] RecvVarLenFrame CTRL_FCV(16) CTRL_FCB(32) CTRL_FN(3) LINK_ADDR(1) ADDR_LEN(1)
2017-09-26 16:15:29.032 [TRACE] telem-gw6e.Port6.link - [IEC60870 101 UB Slave Link] SendFixLenFrame CTRL_ACD(0) CTRL_FN(0) LINK_ADDR(1) ADDR_LEN(1)
2017-09-26 16:15:29.032 [INFO] telem-gw6e.Port6.db - DO1 (201) control: 2 flags: Activation time: 2017-Sep-26 16:15:29.032667, recv
2017-09-26 16:15:29.032 [DEBUG] Gateway.Filter.Update - [DO_5_1_1_filter] DO_1_1_value = 2 flags: Execute Activation Activation time: 2017-Sep-26 13:15:29.032667
2017-09-26 16:15:29.032 [TRACE] Gateway.Filter.AddToBuffer - [DO_5_1_1_filter] DO_1_1_buf << 2 flags: Execute Activation Confirmation Activation time: 2017-Sep-26 13:15:29.032667
2017-09-26 16:15:29.032 [DEBUG] telem-gw6e.Port5.DO5T.db - DO1 (1) event: 2 flags: Activation time: 2017-Sep-26 16:15:29.032667, buffered
2017-09-26 16:15:29.248 [INFO] telem-gw6e.Port5.DO5T.db - DO1 (1) control: 2 flags: Activation time: 2017-Sep-26 16:15:29.032667, sent
2017-09-26 16:15:29.248 [TRACE] IEC.setEvent - [Core -> Prot] (Input Events) add event EVENTCODE_DIGITAL_OUTPUT_COMMAND
2017-09-26 16:15:29.250 [TRACE] telem-gw6e.Port5.ControlStateLogger - register obj_id: 0 arg: 1
2017-09-26 16:15:29.250 [TRACE] telem-gw6e.Port5.ControlStateLogger - ACTIVATION 1
2017-09-26 16:15:29.250 [TRACE] telem-gw6e.Port5.ControlStateLogger - register obj_id: 0 arg: 1
2017-09-26 16:15:29.250 [TRACE] telem-gw6e.Port5.ControlStateLogger - RESPONSE 1
2017-09-26 16:15:29.250 [TRACE] telem-gw6e.Port5.DO5T.link - [IEC60870 101 UB Master Link] SendVarLenFrame CTRL_FCV(1) CTRL_FCB(0) CTRL_FN(CTRL_USER_DATA - 3) LINK_ADDR(3) ADDR_LEN(1)
2017-09-26 16:15:29.250 [TRACE] telem-gw6e.Port5.port.write - 68 0A 0A 68 53 03 2E 01 06 03 00 01 00 02 91 16
2017-09-26 16:15:29.281 [TRACE] telem-gw6e.Port5.port.read - 10 20 03 23 16
2017-09-26 16:15:29.281 [TRACE] telem-gw6e.Port5.DO5T.link - [IEC60870 101 UB Master Link] RecvFixLenFrame. CTRL_ACD(1) CTRL_FN(CTRL_ACK - 0) LINK_ADDR(3) ADDR_LEN(1)
2017-09-26 16:15:29.332 [TRACE] telem-gw6e.Port6.port.write - 10 00 01 01 16
2017-09-26 16:15:29.448 [TRACE] telem-gw6e.Port6.port.read - 10 5B 01 5C 16
2017-09-26 16:15:29.448 [TRACE] telem-gw6e.Port6 - [IEC60870 101 UB Data] class 2 data available: no
2017-09-26 16:15:29.448 [TRACE] telem-gw6e.Port6.link - [IEC60870 101 UB Slave Link] SendFixLenFrame CTRL_ACD(0) CTRL_FN(9) LINK_ADDR(1) ADDR_LEN(1)
2017-09-26 16:15:29.584 [TRACE] telem-gw6e.Port5.DI24T.link - [IEC60870 101 UB Master Link] SendFixedFrame CTRL_FCV(1) CTRL_FCB(0) CTRL_FN(CTRL_REQUEST_CLASS_2 - 11) LINK_ADDR(1) ADDR_LEN(1)
2017-09-26 16:15:29.584 [TRACE] telem-gw6e.Port5.port.write - 10 5B 01 5C 16
2017-09-26 16:15:29.602 [TRACE] telem-gw6e.Port5.port.read - 10 09 01 0A
2017-09-26 16:15:29.618 [TRACE] telem-gw6e.Port5.port.read - 16
2017-09-26 16:15:29.618 [TRACE] telem-gw6e.Port5.DI24T.link - [IEC60870 101 UB Master Link] RecvFixLenFrame. CTRL_ACD(0) CTRL_FN(CTRL_NO_DATA - 9) LINK_ADDR(1) ADDR_LEN(1)
2017-09-26 16:15:29.748 [TRACE] telem-gw6e.Port6.port.write - 10 09 01 0A 16
2017-09-26 16:15:29.863 [TRACE] telem-gw6e.Port6.port.read - 10 7B 01 7C 16
2017-09-26 16:15:29.863 [TRACE] telem-gw6e.Port6 - [IEC60870 101 UB Data] class 2 data available: no
2017-09-26 16:15:29.863 [TRACE] telem-gw6e.Port6.link - [IEC60870 101 UB Slave Link] SendFixLenFrame CTRL_ACD(0) CTRL_FN(9) LINK_ADDR(1) ADDR_LEN(1)
2017-09-26 16:15:29.922 [TRACE] telem-gw6e.Port5.DO5T.link - [IEC60870 101 UB Master Link] SendFixedFrame CTRL_FCV(1) CTRL_FCB(1) CTRL_FN(CTRL_REQUEST_CLASS_1 - 10) LINK_ADDR(3) ADDR_LEN(1)
2017-09-26 16:15:29.922 [TRACE] telem-gw6e.Port5.port.write - 10 7A 03 7D 16
2017-09-26 16:15:29.938 [TRACE] telem-gw6e.Port5.port.read - 68
2017-09-26 16:15:29.954 [TRACE] telem-gw6e.Port5.port.read - 0A 0A 68 28 03 2E 01 07 03 00 01 00 82 E7 16
2017-09-26 16:15:29.954 [TRACE] telem-gw6e.Port5.DO5T.link - [IEC60870 101 UB Master Link] RecvVarLenFrame CTRL_PRM(0) CTRL_ACD(1) CTRL_FN(CTRL_DATA - 8) LINK_ADDR(3) ADDR_LEN(1)
2017-09-26 16:15:29.954 [TRACE] telem-gw6e.Port5.ControlStateLogger - found SELECT obj_addr = 1 obj_id = 0
2017-09-26 16:15:29.954 [TRACE] telem-gw6e.Port5.ControlStateLogger - register obj_id: 0 arg: 0
2017-09-26 16:15:29.954 [TRACE] telem-gw6e.Port5.ControlStateLogger - SELECT 0
2017-09-26 16:15:29.954 [INFO] telem-gw6e.Port5.DO5T.db - DO1 (1) response: 2 flags: Activation time: 2017-Sep-26 16:15:29.032667, recv
2017-09-26 16:15:29.954 [TRACE] Gateway.Filter.AddToBuffer - [DO_5_1_1_resp_filter] DO_5_1_1_buf << 2 flags: Execute Activation OK GwTime Activation time: 2017-Sep-26 13:15:29.954604
2017-09-26 16:15:29.954 [DEBUG] telem-gw6e.Port6.db - DO1 (201) event: 2 flags: GwTime Activation time: 2017-Sep-26 16:15:29.954604, buffered
2017-09-26 16:15:30.163 [TRACE] telem-gw6e.Port6.port.write - 10 09 01 0A 16
2017-09-26 16:15:30.257 [TRACE] telem-gw6e.Port5.DI24T.link - [IEC60870 101 UB Master Link] SendFixedFrame CTRL_FCV(1) CTRL_FCB(1) CTRL_FN(CTRL_REQUEST_CLASS_2 - 11) LINK_ADDR(1) ADDR_LEN(1)
2017-09-26 16:15:30.257 [TRACE] telem-gw6e.Port5.port.write - 10 7B 01 7C 16
2017-09-26 16:15:30.273 [TRACE] telem-gw6e.Port5.port.read - 10 09 01
2017-09-26 16:15:30.289 [TRACE] telem-gw6e.Port5.port.read - 0A 16
2017-09-26 16:15:30.289 [TRACE] telem-gw6e.Port5.DI24T.link - [IEC60870 101 UB Master Link] RecvFixLenFrame. CTRL_ACD(0) CTRL_FN(CTRL_NO_DATA - 9) LINK_ADDR(1) ADDR_LEN(1)
2017-09-26 16:15:30.295 [TRACE] telem-gw6e.Port6.port.read - 10 5B 01 5C 16
2017-09-26 16:15:30.295 [TRACE] telem-gw6e.Port6 - [IEC60870 101 UB Data] class 2 data available: no
2017-09-26 16:15:30.295 [TRACE] telem-gw6e.Port6 - [IEC60870 101 UB Data] class 1 data state: digital output response
2017-09-26 16:15:30.295 [TRACE] telem-gw6e.Port6.link - [IEC60870 101 UB Slave Link] SendFixLenFrame CTRL_ACD(1) CTRL_FN(9) LINK_ADDR(1) ADDR_LEN(1)
2017-09-26 16:15:30.593 [TRACE] telem-gw6e.Port5.DO5T.link - [IEC60870 101 UB Master Link] SendFixedFrame CTRL_FCV(1) CTRL_FCB(0) CTRL_FN(CTRL_REQUEST_CLASS_1 - 10) LINK_ADDR(3) ADDR_LEN(1)
2017-09-26 16:15:30.593 [TRACE] telem-gw6e.Port5.port.write - 10 5A 03 5D 16
2017-09-26 16:15:30.595 [TRACE] telem-gw6e.Port6.port.write - 10 29 01 2A 16
2017-09-26 16:15:30.609 [TRACE] telem-gw6e.Port5.port.read - 68
2017-09-26 16:15:30.625 [TRACE] telem-gw6e.Port5.port.read - 0A 0A 68 28 03 2E 01 07 03 00 01 00 02 67 16
2017-09-26 16:15:30.626 [TRACE] telem-gw6e.Port5.DO5T.link - [IEC60870 101 UB Master Link] RecvVarLenFrame CTRL_PRM(0) CTRL_ACD(1) CTRL_FN(CTRL_DATA - 8) LINK_ADDR(3) ADDR_LEN(1)
2017-09-26 16:15:30.626 [TRACE] telem-gw6e.Port5.ControlStateLogger - found ACTIVATION obj_addr = 1 obj_id = 0
2017-09-26 16:15:30.626 [TRACE] telem-gw6e.Port5.ControlStateLogger - register obj_id: 0 arg: 0
2017-09-26 16:15:30.626 [TRACE] telem-gw6e.Port5.ControlStateLogger - ACTIVATION 0
2017-09-26 16:15:30.727 [TRACE] telem-gw6e.Port6.port.read - 10 7A 01 7B
2017-09-26 16:15:30.743 [TRACE] telem-gw6e.Port6.port.read - 16
2017-09-26 16:15:30.744 [TRACE] telem-gw6e.Port6 - [IEC60870 101 UB Data] class 1 data state: digital output response
2017-09-26 16:15:30.744 [TRACE] telem-gw6e.Port6 - [IEC60870 101 UB Data] class 1 data available: yes
2017-09-26 16:15:30.746 [INFO] telem-gw6e.Port6.db - DO1 (201) response: 2 flags: GwTime Activation time: 2017-Sep-26 16:15:29.954604, sent
2017-09-26 16:15:30.746 [TRACE] IEC.setEvent - [Core -> Prot] (Input Events) add event EVENTCODE_DIGITAL_OUTPUT_RESPONSE
2017-09-26 16:15:30.747 [TRACE] telem-gw6e.Port6.link - mSendBuffer.Count() 8 req1:1 req2:0
2017-09-26 16:15:30.747 [TRACE] telem-gw6e.Port6.link - sending mSendBuffer.Count() 8 req1:1 req2:0
2017-09-26 16:15:30.747 [TRACE] telem-gw6e.Port6.link - [IEC60870 101 UB Slave Link] SendVarLenFrame CTRL_ACD(1) CTRL_FN(8) LINK_ADDR(1) ADDR_LEN(1)
2017-09-26 16:15:30.928 [TRACE] telem-gw6e.Port5.DI24T.link - [IEC60870 101 UB Master Link] SendFixedFrame CTRL_FCV(1) CTRL_FCB(0) CTRL_FN(CTRL_REQUEST_CLASS_2 - 11) LINK_ADDR(1) ADDR_LEN(1)
2017-09-26 16:15:30.928 [TRACE] telem-gw6e.Port5.port.write - 10 5B 01 5C 16
2017-09-26 16:15:30.945 [TRACE] telem-gw6e.Port5.port.read - 10 09 01 0A
2017-09-26 16:15:30.961 [TRACE] telem-gw6e.Port5.port.read - 16
2017-09-26 16:15:30.961 [TRACE] telem-gw6e.Port5.DI24T.link - [IEC60870 101 UB Master Link] RecvFixLenFrame. CTRL_ACD(0) CTRL_FN(CTRL_NO_DATA - 9) LINK_ADDR(1) ADDR_LEN(1)
2017-09-26 16:15:31.047 [TRACE] telem-gw6e.Port6.link - mSendBuffer.Count() 0 req1:0 req2:0
2017-09-26 16:15:31.047 [TRACE] telem-gw6e.Port6.port.write - 68 0A 0A 68 28 01 2D 01 07 01 00 C9 00 01 29 16
2017-09-26 16:15:31.191 [TRACE] telem-gw6e.Port6.port.read - 10 5A 01 5B 16
2017-09-26 16:15:31.191 [TRACE] telem-gw6e.Port6 - [IEC60870 101 UB Data] class 1 data available: no
2017-09-26 16:15:31.191 [TRACE] telem-gw6e.Port6.link - [IEC60870 101 UB Slave Link] SendFixLenFrame CTRL_ACD(0) CTRL_FN(9) LINK_ADDR(1) ADDR_LEN(1)
2017-09-26 16:15:31.264 [TRACE] telem-gw6e.Port5.DO5T.link - [IEC60870 101 UB Master Link] SendFixedFrame CTRL_FCV(1) CTRL_FCB(1) CTRL_FN(CTRL_REQUEST_CLASS_1 - 10) LINK_ADDR(3) ADDR_LEN(1)
2017-09-26 16:15:31.264 [TRACE] telem-gw6e.Port5.port.write - 10 7A 03 7D 16
2017-09-26 16:15:31.281 [TRACE] telem-gw6e.Port5.port.read - 68
2017-09-26 16:15:31.297 [TRACE] telem-gw6e.Port5.port.read - 0A 0A 68 28 03 2E 01 0A 03 00 01 00 02 6A 16
2017-09-26 16:15:31.297 [TRACE] telem-gw6e.Port5.DO5T.link - [IEC60870 101 UB Master Link] RecvVarLenFrame CTRL_PRM(0) CTRL_ACD(1) CTRL_FN(CTRL_DATA - 8) LINK_ADDR(3) ADDR_LEN(1)
2017-09-26 16:15:31.297 [TRACE] telem-gw6e.Port5.ControlStateLogger - found RESPONSE obj_addr = 1 obj_id = 0
2017-09-26 16:15:31.297 [TRACE] telem-gw6e.Port5.ControlStateLogger - register obj_id: 0 arg: 0
2017-09-26 16:15:31.297 [TRACE] telem-gw6e.Port5.ControlStateLogger - RESPONSE 0
</pre>

View in VINCI:

[[Image:vincido.png]]

TELEM-GW6 Manual

2019-06-04T11:15:05Z

Igor: /* Introduction */

== Introduction ==
[[Image:Gw6e.jpg|center|thumb|1200px|TELEM-GW6e]]
Data Concentrator TELEM-GW6 (GW6-e) is designed for use in electrical networks as an communication concentrator. 
Main applications of GW6 are: 
*Data acquisition and control of regional and national electricity utilities in SCADA systems for remote control and substation automation.
*Cross-referencing of data exchange protocols
*Creating transparent TCP/IP to serial channels for remote connections to various equipment (for remote handling of various equipment)
*Comprehensive integration of different devices
*Full scale data exchange between substation devices and substation control system including setting values, measurement values, registered fault parameter values, changes of state with associated time markings etc.

== Main features ==
*Transparent TCP/IP connections via Ethernet and serial ports
*Various data exchange protocols via Ethernet and serial ports
*Cross-referencing of data exchange protocols
*Automatic protocol conversion from IEC 60870-5-101 to IEC 60870-5-104 without description of data objects.
*Firewall functionality
*OpenVPN, IPsec, L2TP and SSH connections
*SNMP (Simple Network Management Protocol)
*SDN (Software Defined Networking), DPI (Deep Packet Inspection)
*Syslog
*Graphic Web Server
*A user-friendly configuration tool similar to Microsoft® Windows™
*Configurable remotely over communication line
*Configuration export to ASCII, CSV format files
*TELEM RTU devices can be remotely configured via TELEM-GW6
*Logical operations between digital and analog signals can be described
*PLC logic support, configuration tool with integrated PLC editor in compliance with IEC-61131-3 standard
*Data sending with time and quality stamp
*Console port
*Several time synchronization options (possible to synchronize from multiple control centers. GW6 is used to synchronize substation devices by protocol): 
:*GPS input
:*NTP client and server
:*IEC 60870-5-101
:*IEC 60870-5-104
:*IEC 60870-5-103
*All ports are galvanically isolated from case and power circuit (except C1 and console port from power circuit)
*1-wire sensor port (up to 10 sensors) e.g. for temperature
*Real-time clock with back-up capacitor
*Internal fault relay contact (missing in card L version)

== Technical Data ==
Data communication protocols 
To higher level systems: 
*IEC 60870-5-104
*IEC 60870-5-101 unbalanced and balanced,
To lower level devices: 
*IEC 61850,
*IEC 60870-5-104,
*IEC 60870-5-103,
*IEC 60870-5-101 Unbalanced,
*Modbus-RTU,
*Modbus-TCP,
*IEC 62056-21 (IEC 1107),
*SPA-Bus

'''Communication ports '''
Communication ports may be freely configured for upper or lower level communication 
'''Base board''' 
*3 x Ethernet connection with RJ45 port
*1 x RS-232 serial connection with 4P4C port
*1 x Console mini USB port
'''Expansion card 1''' 
'''Card R''' 
*1 x RS-422, RS-485 (2-wire) or RS-485 (4-wire) serial connection, galvanically isolated + time sync pulse out
*1 x Fiber-optic connection with ST or Versatile link connectors
*1 x GPS Fiber-optical connection with ST or Versatile link connectors
*1 x RS-485 (2-wire) serial connection, galvanically isolated
*1 x Internal fault relay contact
'''Card L''' 
*1 x RS-422, RS-485 (2-wire) or RS-485 (4-wire) serial connection, galvanically isolated + time sync pulse out
*1 x GPS Fiber-optical connection with ST or Versatile link connectors, data and pulse
*2 x Optical LAN

'''Expansion card 2''' 
*8 x RS-232 serial connections with RJ45 connectors with surge protection
*Secondary power supply

'''Data communication parameters:''' 
*1 start bit
*Odd, even or no parity
*Communication rates from 300 to 115200 bit/sec
'''Electrical characteristics of isolated input''' 
*Dielectric withstand IEC 60255-5
*Withstand to static discharge IEC 61000-4-2, 15kV
*Withstand to surges, bursts IEC 61000-4-4, 61000-4-5, 2,5kV AC, 4kV DC
'''Mechanical parameters''' 
*Degree of protection IP 31
*Dimensions (W x H x D) 108 x 114 x 166 (190 with protruding parts ) mm
*Ambient temperature in operation –30°C…+55°C
*Weight 1100 g
*Mounting DIN rail
'''Radio frequency compatibility''' 
*RF emission IEC 55022 Class A
*Immunity to RF fields IEC 61000-4-3, 61000-4-6
'''Power supply''' 
*Supply voltage range 12 to 72 V DC
*Power consumption < 8 VA, < 25 VA with card L

== Communication cables ==
[[Image:Kaablid1.jpg|600px|thumb|center|Communication cables]]
[[Image:Kaablid2.jpg|600px|thumb|center|Communication cables]]

== Firmware update ==
NB! Before updating to new firmware read the setup from your device, and make a backup. 
'''Loading firmware via SSH''' 
*Copy the compressed (*.7z) firmware update file (provided by Martem AS) to your computer
*Set up SSH connection with GW6 if you have not done this before in this session or changed users. Login as martem. If you have not changed the password then default password is provided by Martem AS
*Press the “Upd.” button next to SSH settings
*Press the pick button and select the copied update file (file will be automatically unpacked to temporary folder)
*Press the “Update” button, the update process starts
*Wait until the device resumes to its normal operation state (“Run” LED will start slow blinking again)
*Firmware update is complete. Check if firmware update was successful.

'''Checking results of the firmware update operation:''' 
*Press “Get Result” button
*Check the state of installed files at the last part of the file. If the state of update files is OK - firmware update was successful.

'''Loading firmware through Secure Digital (SD) Memory Card slot:''' 
*Connect Secure Digital (SD) Memory Card to your computer
*Extract the compressed firmware update file (provided by Martem AS) to your SD Memory Card
*Disconnect the card from your computer
*Insert the card to TELEM-GW6 SD Memory Card slot
:* SD Memory Card slot is located at the back of the device
*Perform reset operation to TELEM-GW6 device
*Wait until the device resumes to it’s normal operation state
*Firmware update is complete. Remove the SD Memory Card and check if firmware update was successful

'''Checking results of the firmware update operation:''' 
*Connect the SD Memory Card to your computer
*Open the folder you extracted earlier
*Check if the file “res.txt” is present and open it
*Check the state of installed files at the last part of the file
:*If the state of update files is OK - firmware update was successful

== Default setup, indication ==
'''RESET:''' Switch RESET to ON state and then back to OFF state for Reset operation 
'''DFT. SET:''' To apply default setup: 
# Switch DFT. SET to ON state
:*Alert indication LED starts blinking within 5 seconds
:*Alert indication LED will blink for 2 seconds
# Switch DFT. SET back to OFF state when the alert indication LED is blinking to apply default setup
If DFT. SET is switched back to OFF state when the alert indication LED is not blinking, default setup will NOT be applied

'''For operation''' 
Green LED – Blinking green indicates that the program is running 
Red LED – Failure 

'''For communication''' 
Green LED at GPS port – blinking indicates the existence of GPS time synchronization.

== Notes ==
If not stated otherwise on the individual pages of this document, AS Martem reserves the right to make modifications. 
Although the contents of this publication have been checked for conformity with the hardware and software described, we cannot guarantee complete conformity since errors cannot be excluded. 
The information provided in this manual is checked at regular intervals and any corrections that might become necessary are included in the next releases. 
Any suggestions for improvement are welcome. 
The contents of this manual are subject to change without prior notice. 
Latest firmware, software and updates can be downloaded from: phobos.martem.ee/shr 
More information about Martem devices can be found at phobos.martem.ee/wiki/Esileht

== Block diagram ==
[[Media:Telem-GW6.pdf|TELEM-GW6]] 

== Order code ==
TELEM GW6 has many hardware versions, versions are described with an order code. 
User friendly configurator can be found:[http://phobos.martem.ee/order/ phobos.martem.ee/order/] 

GW6-eXXXX-XXXX-CX 
(e.g. GW6-e1112-R211-C0) 

'''Licence'''
*0 – NO IEC61850
*1 – IEC61850
'''Processor'''
*1 – Base model
*2 – Custom model
'''Port C1'''
*1 – COM1 or GPS
*2 – ONE-wire input
'''GPS sync'''
*1 – From Port C1
*2 – GPS optical input
'''Expansion card 1'''
*R – Card R
*L – Card L
'''Port C2 conf.'''
*1 – 4-wire RS485
*2 – 2-wire RS485
*3 – RS422
'''GPS optics'''
*1 – VL (plastic)
*2 – ST (glass)
*X – None (with card L)
'''Port C3 optics'''
*1 – VL (plastic)
*2 – ST (glass)
*X – None (with card L)
'''Secondary power'''
*0 – Not Supported
*1 – Supported

== Revision history ==
Rev 1/2014 New version of manual (separate manuals for GW6 and GWS)

Rev 2/2015 Some errors corrected

== Open-source software information ==
This device produced by Martem Ltd. includes open-source components. The most up to date info of exact software used by Martem’s build system and licensing info of used software can be found from http://phobos.martem.ee/shr/br-sources/

TELEM-GW6 Manual

2019-06-04T11:14:47Z

Igor: /* Block diagram */

== Introduction ==
[[image:Gw6e.jpg|center|thumb|1200px|TELEM-GW6e]]
Data Concentrator TELEM-GW6 (GW6-e) is designed for use in electrical networks as an communication concentrator. 
Main applications of GW6 are: 
*Data acquisition and control of regional and national electricity utilities in SCADA systems for remote control and substation automation.
*Cross-referencing of data exchange protocols
*Creating transparent TCP/IP to serial channels for remote connections to various equipment (for remote handling of various equipment)
*Comprehensive integration of different devices
*Full scale data exchange between substation devices and substation control system including setting values, measurement values, registered fault parameter values, changes of state with associated time markings etc.

== Main features ==
*Transparent TCP/IP connections via Ethernet and serial ports
*Various data exchange protocols via Ethernet and serial ports
*Cross-referencing of data exchange protocols
*Automatic protocol conversion from IEC 60870-5-101 to IEC 60870-5-104 without description of data objects.
*Firewall functionality
*OpenVPN, IPsec, L2TP and SSH connections
*SNMP (Simple Network Management Protocol)
*SDN (Software Defined Networking), DPI (Deep Packet Inspection)
*Syslog
*Graphic Web Server
*A user-friendly configuration tool similar to Microsoft® Windows™
*Configurable remotely over communication line
*Configuration export to ASCII, CSV format files
*TELEM RTU devices can be remotely configured via TELEM-GW6
*Logical operations between digital and analog signals can be described
*PLC logic support, configuration tool with integrated PLC editor in compliance with IEC-61131-3 standard
*Data sending with time and quality stamp
*Console port
*Several time synchronization options (possible to synchronize from multiple control centers. GW6 is used to synchronize substation devices by protocol): 
:*GPS input
:*NTP client and server
:*IEC 60870-5-101
:*IEC 60870-5-104
:*IEC 60870-5-103
*All ports are galvanically isolated from case and power circuit (except C1 and console port from power circuit)
*1-wire sensor port (up to 10 sensors) e.g. for temperature
*Real-time clock with back-up capacitor
*Internal fault relay contact (missing in card L version)

== Technical Data ==
Data communication protocols 
To higher level systems: 
*IEC 60870-5-104
*IEC 60870-5-101 unbalanced and balanced,
To lower level devices: 
*IEC 61850,
*IEC 60870-5-104,
*IEC 60870-5-103,
*IEC 60870-5-101 Unbalanced,
*Modbus-RTU,
*Modbus-TCP,
*IEC 62056-21 (IEC 1107),
*SPA-Bus

'''Communication ports '''
Communication ports may be freely configured for upper or lower level communication 
'''Base board''' 
*3 x Ethernet connection with RJ45 port
*1 x RS-232 serial connection with 4P4C port
*1 x Console mini USB port
'''Expansion card 1''' 
'''Card R''' 
*1 x RS-422, RS-485 (2-wire) or RS-485 (4-wire) serial connection, galvanically isolated + time sync pulse out
*1 x Fiber-optic connection with ST or Versatile link connectors
*1 x GPS Fiber-optical connection with ST or Versatile link connectors
*1 x RS-485 (2-wire) serial connection, galvanically isolated
*1 x Internal fault relay contact
'''Card L''' 
*1 x RS-422, RS-485 (2-wire) or RS-485 (4-wire) serial connection, galvanically isolated + time sync pulse out
*1 x GPS Fiber-optical connection with ST or Versatile link connectors, data and pulse
*2 x Optical LAN

'''Expansion card 2''' 
*8 x RS-232 serial connections with RJ45 connectors with surge protection
*Secondary power supply

'''Data communication parameters:''' 
*1 start bit
*Odd, even or no parity
*Communication rates from 300 to 115200 bit/sec
'''Electrical characteristics of isolated input''' 
*Dielectric withstand IEC 60255-5
*Withstand to static discharge IEC 61000-4-2, 15kV
*Withstand to surges, bursts IEC 61000-4-4, 61000-4-5, 2,5kV AC, 4kV DC
'''Mechanical parameters''' 
*Degree of protection IP 31
*Dimensions (W x H x D) 108 x 114 x 166 (190 with protruding parts ) mm
*Ambient temperature in operation –30°C…+55°C
*Weight 1100 g
*Mounting DIN rail
'''Radio frequency compatibility''' 
*RF emission IEC 55022 Class A
*Immunity to RF fields IEC 61000-4-3, 61000-4-6
'''Power supply''' 
*Supply voltage range 12 to 72 V DC
*Power consumption < 8 VA, < 25 VA with card L

== Communication cables ==
[[Image:Kaablid1.jpg|600px|thumb|center|Communication cables]]
[[Image:Kaablid2.jpg|600px|thumb|center|Communication cables]]

== Firmware update ==
NB! Before updating to new firmware read the setup from your device, and make a backup. 
'''Loading firmware via SSH''' 
*Copy the compressed (*.7z) firmware update file (provided by Martem AS) to your computer
*Set up SSH connection with GW6 if you have not done this before in this session or changed users. Login as martem. If you have not changed the password then default password is provided by Martem AS
*Press the “Upd.” button next to SSH settings
*Press the pick button and select the copied update file (file will be automatically unpacked to temporary folder)
*Press the “Update” button, the update process starts
*Wait until the device resumes to its normal operation state (“Run” LED will start slow blinking again)
*Firmware update is complete. Check if firmware update was successful.

'''Checking results of the firmware update operation:''' 
*Press “Get Result” button
*Check the state of installed files at the last part of the file. If the state of update files is OK - firmware update was successful.

'''Loading firmware through Secure Digital (SD) Memory Card slot:''' 
*Connect Secure Digital (SD) Memory Card to your computer
*Extract the compressed firmware update file (provided by Martem AS) to your SD Memory Card
*Disconnect the card from your computer
*Insert the card to TELEM-GW6 SD Memory Card slot
:* SD Memory Card slot is located at the back of the device
*Perform reset operation to TELEM-GW6 device
*Wait until the device resumes to it’s normal operation state
*Firmware update is complete. Remove the SD Memory Card and check if firmware update was successful

'''Checking results of the firmware update operation:''' 
*Connect the SD Memory Card to your computer
*Open the folder you extracted earlier
*Check if the file “res.txt” is present and open it
*Check the state of installed files at the last part of the file
:*If the state of update files is OK - firmware update was successful

== Default setup, indication ==
'''RESET:''' Switch RESET to ON state and then back to OFF state for Reset operation 
'''DFT. SET:''' To apply default setup: 
# Switch DFT. SET to ON state
:*Alert indication LED starts blinking within 5 seconds
:*Alert indication LED will blink for 2 seconds
# Switch DFT. SET back to OFF state when the alert indication LED is blinking to apply default setup
If DFT. SET is switched back to OFF state when the alert indication LED is not blinking, default setup will NOT be applied

'''For operation''' 
Green LED – Blinking green indicates that the program is running 
Red LED – Failure 

'''For communication''' 
Green LED at GPS port – blinking indicates the existence of GPS time synchronization.

== Notes ==
If not stated otherwise on the individual pages of this document, AS Martem reserves the right to make modifications. 
Although the contents of this publication have been checked for conformity with the hardware and software described, we cannot guarantee complete conformity since errors cannot be excluded. 
The information provided in this manual is checked at regular intervals and any corrections that might become necessary are included in the next releases. 
Any suggestions for improvement are welcome. 
The contents of this manual are subject to change without prior notice. 
Latest firmware, software and updates can be downloaded from: phobos.martem.ee/shr 
More information about Martem devices can be found at phobos.martem.ee/wiki/Esileht

== Block diagram ==
[[Media:Telem-GW6.pdf|TELEM-GW6]] 

== Order code ==
TELEM GW6 has many hardware versions, versions are described with an order code. 
User friendly configurator can be found:[http://phobos.martem.ee/order/ phobos.martem.ee/order/] 

GW6-eXXXX-XXXX-CX 
(e.g. GW6-e1112-R211-C0) 

'''Licence'''
*0 – NO IEC61850
*1 – IEC61850
'''Processor'''
*1 – Base model
*2 – Custom model
'''Port C1'''
*1 – COM1 or GPS
*2 – ONE-wire input
'''GPS sync'''
*1 – From Port C1
*2 – GPS optical input
'''Expansion card 1'''
*R – Card R
*L – Card L
'''Port C2 conf.'''
*1 – 4-wire RS485
*2 – 2-wire RS485
*3 – RS422
'''GPS optics'''
*1 – VL (plastic)
*2 – ST (glass)
*X – None (with card L)
'''Port C3 optics'''
*1 – VL (plastic)
*2 – ST (glass)
*X – None (with card L)
'''Secondary power'''
*0 – Not Supported
*1 – Supported

== Revision history ==
Rev 1/2014 New version of manual (separate manuals for GW6 and GWS)

Rev 2/2015 Some errors corrected

== Open-source software information ==
This device produced by Martem Ltd. includes open-source components. The most up to date info of exact software used by Martem’s build system and licensing info of used software can be found from http://phobos.martem.ee/shr/br-sources/

TELEM-GW6 Manual

2019-06-04T11:14:17Z

Igor:

== Introduction ==
[[image:Gw6e.jpg|center|thumb|1200px|TELEM-GW6e]]
Data Concentrator TELEM-GW6 (GW6-e) is designed for use in electrical networks as an communication concentrator. 
Main applications of GW6 are: 
*Data acquisition and control of regional and national electricity utilities in SCADA systems for remote control and substation automation.
*Cross-referencing of data exchange protocols
*Creating transparent TCP/IP to serial channels for remote connections to various equipment (for remote handling of various equipment)
*Comprehensive integration of different devices
*Full scale data exchange between substation devices and substation control system including setting values, measurement values, registered fault parameter values, changes of state with associated time markings etc.

== Main features ==
*Transparent TCP/IP connections via Ethernet and serial ports
*Various data exchange protocols via Ethernet and serial ports
*Cross-referencing of data exchange protocols
*Automatic protocol conversion from IEC 60870-5-101 to IEC 60870-5-104 without description of data objects.
*Firewall functionality
*OpenVPN, IPsec, L2TP and SSH connections
*SNMP (Simple Network Management Protocol)
*SDN (Software Defined Networking), DPI (Deep Packet Inspection)
*Syslog
*Graphic Web Server
*A user-friendly configuration tool similar to Microsoft® Windows™
*Configurable remotely over communication line
*Configuration export to ASCII, CSV format files
*TELEM RTU devices can be remotely configured via TELEM-GW6
*Logical operations between digital and analog signals can be described
*PLC logic support, configuration tool with integrated PLC editor in compliance with IEC-61131-3 standard
*Data sending with time and quality stamp
*Console port
*Several time synchronization options (possible to synchronize from multiple control centers. GW6 is used to synchronize substation devices by protocol): 
:*GPS input
:*NTP client and server
:*IEC 60870-5-101
:*IEC 60870-5-104
:*IEC 60870-5-103
*All ports are galvanically isolated from case and power circuit (except C1 and console port from power circuit)
*1-wire sensor port (up to 10 sensors) e.g. for temperature
*Real-time clock with back-up capacitor
*Internal fault relay contact (missing in card L version)

== Technical Data ==
Data communication protocols 
To higher level systems: 
*IEC 60870-5-104
*IEC 60870-5-101 unbalanced and balanced,
To lower level devices: 
*IEC 61850,
*IEC 60870-5-104,
*IEC 60870-5-103,
*IEC 60870-5-101 Unbalanced,
*Modbus-RTU,
*Modbus-TCP,
*IEC 62056-21 (IEC 1107),
*SPA-Bus

'''Communication ports '''
Communication ports may be freely configured for upper or lower level communication 
'''Base board''' 
*3 x Ethernet connection with RJ45 port
*1 x RS-232 serial connection with 4P4C port
*1 x Console mini USB port
'''Expansion card 1''' 
'''Card R''' 
*1 x RS-422, RS-485 (2-wire) or RS-485 (4-wire) serial connection, galvanically isolated + time sync pulse out
*1 x Fiber-optic connection with ST or Versatile link connectors
*1 x GPS Fiber-optical connection with ST or Versatile link connectors
*1 x RS-485 (2-wire) serial connection, galvanically isolated
*1 x Internal fault relay contact
'''Card L''' 
*1 x RS-422, RS-485 (2-wire) or RS-485 (4-wire) serial connection, galvanically isolated + time sync pulse out
*1 x GPS Fiber-optical connection with ST or Versatile link connectors, data and pulse
*2 x Optical LAN

'''Expansion card 2''' 
*8 x RS-232 serial connections with RJ45 connectors with surge protection
*Secondary power supply

'''Data communication parameters:''' 
*1 start bit
*Odd, even or no parity
*Communication rates from 300 to 115200 bit/sec
'''Electrical characteristics of isolated input''' 
*Dielectric withstand IEC 60255-5
*Withstand to static discharge IEC 61000-4-2, 15kV
*Withstand to surges, bursts IEC 61000-4-4, 61000-4-5, 2,5kV AC, 4kV DC
'''Mechanical parameters''' 
*Degree of protection IP 31
*Dimensions (W x H x D) 108 x 114 x 166 (190 with protruding parts ) mm
*Ambient temperature in operation –30°C…+55°C
*Weight 1100 g
*Mounting DIN rail
'''Radio frequency compatibility''' 
*RF emission IEC 55022 Class A
*Immunity to RF fields IEC 61000-4-3, 61000-4-6
'''Power supply''' 
*Supply voltage range 12 to 72 V DC
*Power consumption < 8 VA, < 25 VA with card L

== Communication cables ==
[[Image:Kaablid1.jpg|600px|thumb|center|Communication cables]]
[[Image:Kaablid2.jpg|600px|thumb|center|Communication cables]]

== Firmware update ==
NB! Before updating to new firmware read the setup from your device, and make a backup. 
'''Loading firmware via SSH''' 
*Copy the compressed (*.7z) firmware update file (provided by Martem AS) to your computer
*Set up SSH connection with GW6 if you have not done this before in this session or changed users. Login as martem. If you have not changed the password then default password is provided by Martem AS
*Press the “Upd.” button next to SSH settings
*Press the pick button and select the copied update file (file will be automatically unpacked to temporary folder)
*Press the “Update” button, the update process starts
*Wait until the device resumes to its normal operation state (“Run” LED will start slow blinking again)
*Firmware update is complete. Check if firmware update was successful.

'''Checking results of the firmware update operation:''' 
*Press “Get Result” button
*Check the state of installed files at the last part of the file. If the state of update files is OK - firmware update was successful.

'''Loading firmware through Secure Digital (SD) Memory Card slot:''' 
*Connect Secure Digital (SD) Memory Card to your computer
*Extract the compressed firmware update file (provided by Martem AS) to your SD Memory Card
*Disconnect the card from your computer
*Insert the card to TELEM-GW6 SD Memory Card slot
:* SD Memory Card slot is located at the back of the device
*Perform reset operation to TELEM-GW6 device
*Wait until the device resumes to it’s normal operation state
*Firmware update is complete. Remove the SD Memory Card and check if firmware update was successful

'''Checking results of the firmware update operation:''' 
*Connect the SD Memory Card to your computer
*Open the folder you extracted earlier
*Check if the file “res.txt” is present and open it
*Check the state of installed files at the last part of the file
:*If the state of update files is OK - firmware update was successful

== Default setup, indication ==
'''RESET:''' Switch RESET to ON state and then back to OFF state for Reset operation 
'''DFT. SET:''' To apply default setup: 
# Switch DFT. SET to ON state
:*Alert indication LED starts blinking within 5 seconds
:*Alert indication LED will blink for 2 seconds
# Switch DFT. SET back to OFF state when the alert indication LED is blinking to apply default setup
If DFT. SET is switched back to OFF state when the alert indication LED is not blinking, default setup will NOT be applied

'''For operation''' 
Green LED – Blinking green indicates that the program is running 
Red LED – Failure 

'''For communication''' 
Green LED at GPS port – blinking indicates the existence of GPS time synchronization.

== Notes ==
If not stated otherwise on the individual pages of this document, AS Martem reserves the right to make modifications. 
Although the contents of this publication have been checked for conformity with the hardware and software described, we cannot guarantee complete conformity since errors cannot be excluded. 
The information provided in this manual is checked at regular intervals and any corrections that might become necessary are included in the next releases. 
Any suggestions for improvement are welcome. 
The contents of this manual are subject to change without prior notice. 
Latest firmware, software and updates can be downloaded from: phobos.martem.ee/shr 
More information about Martem devices can be found at phobos.martem.ee/wiki/Esileht

== Block diagram ==
[[Image:Telem-GW6.pdf|TELEM-GW6]] 

== Order code ==
TELEM GW6 has many hardware versions, versions are described with an order code. 
User friendly configurator can be found:[http://phobos.martem.ee/order/ phobos.martem.ee/order/] 

GW6-eXXXX-XXXX-CX 
(e.g. GW6-e1112-R211-C0) 

'''Licence'''
*0 – NO IEC61850
*1 – IEC61850
'''Processor'''
*1 – Base model
*2 – Custom model
'''Port C1'''
*1 – COM1 or GPS
*2 – ONE-wire input
'''GPS sync'''
*1 – From Port C1
*2 – GPS optical input
'''Expansion card 1'''
*R – Card R
*L – Card L
'''Port C2 conf.'''
*1 – 4-wire RS485
*2 – 2-wire RS485
*3 – RS422
'''GPS optics'''
*1 – VL (plastic)
*2 – ST (glass)
*X – None (with card L)
'''Port C3 optics'''
*1 – VL (plastic)
*2 – ST (glass)
*X – None (with card L)
'''Secondary power'''
*0 – Not Supported
*1 – Supported

== Revision history ==
Rev 1/2014 New version of manual (separate manuals for GW6 and GWS)

Rev 2/2015 Some errors corrected

== Open-source software information ==
This device produced by Martem Ltd. includes open-source components. The most up to date info of exact software used by Martem’s build system and licensing info of used software can be found from http://phobos.martem.ee/shr/br-sources/

IEC104 parameters

2019-06-04T11:13:42Z

Igor:

[[Image:GWS_IEC104.png]]

Redundant connections

2019-06-04T11:13:34Z

Igor:

Define redundant connections. 
Connections use the same event buffer, event will be sent to only one channel. When one channel closes, automatically redundant channel is used. 
Used for networks where SCADA system is reserved with many servers, event will be sent to only one server. Maximum number of ports in one reduntunt connection is 4 

Choose ports to work as redundant. 

'''D:''' Delete 

[[Image:redundant.png]]

Comtrade

2019-06-04T11:13:23Z

Igor:

TELEM-GW6 supports automatically downloading and saving comtrade files from IED-s, using IEC61850 file I/O. 
It is possible to upload files to remote server or save them in TELEM-GW6 internal memory or save on SD card. 
TELEM-GW6 can be used for comtrade saving only as an addition to already working RTU. It could be convenient upgrade to an already working substation. 
If '''ICD/SCD''' file is imported to the configuration, then automatically comtrade file list is created, user has to check the devices needed for comtrade saving. '''Local folder''' name can be modified.
If files are saved to GW6 internal memory, '''COMTRADE''' folder containing '''Local folders''' defined by user, is created to '''root''' directory. It is accessible using FTP client (e.g. WinSCP) using username and password, default provided by Martem AS.

[[Image:Comtrade.png]]

GWS templates

2019-06-04T11:13:13Z

Igor:

Starting from GWS version ..., GWS supports creating device templates to simplify the configuration process of Martem RTU-s. 
There are built-in templates included in GWS, and also there is an option to create user specific templates.
A template may contain Port settings, Device settings, Object list and Formulas.
Templates can be included to the setup (and created) from the Devices tab. Note the dropdown sign next to the + button (for creating a new device).
[[Image:Templates1.jpg]]

Once a template device is selected from the list of available templates, a new device will be generated to the setup. Verify all the settings of the generated port, device, objects and formulas (if any).

In order to create user specific templates, create the user specific configuration: port settings, device settings, object list and formulas (if any). Navigate to the Devices tab and click on the dropdown sign next to "New device" button (+ button). Select "create template". Note that this option is only visible, if a device exists in the setup.

[[Image:Templates2.jpg]]

The new template is now visible from the templates list. In the PC, the template is stored in the folder named "templates" that is located in the same directory as GWS.exe. The templates are stored in a csv format.

It is also possible to create a template from a slave port. Note that this option is only visible, if a slave port exists in the setup.
In this case, the template will contain all the objects of the specified port, that are configured in the setup (including object list, formulas and device physical I/O). The slave port template is useful for gathering all the objects from one Martem RTU to another Martem RTU (i.e slave port template is created in one RTU, but used in a setup of another RTU).

Tansparent Connections

2019-06-04T11:12:55Z

Igor:

Transparent Connections is a feature to transfer raw data between two ports. Hence the term "transparent connection". 
For example, transparent connections may be used as a serial-to-ethernet converter for devices with serial communication interface. This way, the device could be remotely configured via serial-to-ethernet connection.

Transparent connections enables transferring data in the following configurations:
#serial to serial
#serial to TCP/IP and TCP/IP to serial
#TCP/IP to TCP/IP (i.e port forwarding)

Here is an example configuration of Transparent connections:
[[Image:Transparent.jpg]] 

There is a configuration for serial to TCP/IP transparent connection. (Serial-to-Ethernet converter). 
Port5 is configured as TCP/IP port of the transparent connection. 
Note the parameter "Transp. con. group" (in this case, it is 10). This parameter is used to identify the two transparent ports that belong to the same connection group. If another pair of transparent connections is needed, create two more transparent ports and pair them together with the "Transp. con. group" parameter. Obviously, the second pair of transparent connections requires another value for the "Transp. con. group" parameter (in this case, some value other than 10). 
Incoming TCP/IP connection is accepted from TCP port 23. 
Access is limited to client IP 192.168.0.200 
If this limitation is not needed, configure the "Other side address" as 0.0.0.0 

In this example, all the data that is sent to server @ 192.168.0.111, tcp port 23 by client 192.168.0.200 is sent to serial line (Port1) @ 9600 baud, 8N1

Asdu transfer

2019-06-04T11:12:43Z

Igor:

Asdu transfer is a feature to transfer data from multiple IEC101 master channels to one IEC101 slave channel. 
The feature supports both IEC101 unbalanced and IEC101 balanced transmission. 

In the slave channel, different devices can be polled from a single IEC101 channel by polling different ASDU-s within the channel. 
The link address for all devices will remain as configured in the uplink port (IEC101 slave port). In this example, it is 100 

Here is an example configuration of the IEC101 ports in GWS 

[[Image:Asdu transfer ports.png]]

The uplink (slave channel) is configured to Port4 with link address 100 and ASDU address 100. 

For the lower level devices, three ports are configured: Port1, Port2 and Port3. 

Note that the lower level devices may have different baudrate, parity etc. It is not necessary for these settings to match parameters of the slave channel. 

"Devices" configuration for the lower level RTU-s 
[[Image:Asdu transfer devices.jpg]]

*IEC101 traffic of lower level devices is transferred to Port4 uplink. The parameter to configure this is called ASDU transfer in "Devices" tab. For every device, Port4 has been configured as the asdu transfer uplink port in this example. 

*The ASDU addresses of every device used in the "ASDU transfer" feature must be different. 
*No information objects should be configured for devices in the "ASDU transfer" feature. The data is transferred directly without object database. 
*The link addresses of configured devices may be different for every device, but it may also be equal for every device. 
*Length of link addres, ASDU address, object address and COT may vary. It is not important for these parameters to match the uplink port settings or settings of other lower level devices.
*In this example:
**The controlling station will connect to Port4 using IEC101, link address 100. 
**When the controlling station polls for {link address 100; ASDU address 10}, then the query is only forwarded to Port1, because Device1 has ASDU address 10. 
**Similarily, when the controlling station polls for {link address 100; ASDU address 300}, then the query is only forwarded to Port3, because Device3 has ASDU address 300. 
**When the controlling station polls for {link address 100; ASDU address 100}, then the query is addressed to the Martem RTU itself. The RTU will respond with all the objects configured in the database (all objects in "Objects" tab, plus the physical I/O-s, plus objects from "Formulas")

Direct IEC-101 to IEC-104 Translation

2019-06-04T11:12:31Z

Igor:

Determine groups of ports (up to 2 ports in each group) for direct protocol translation
(without intermediate database) from IEC 60870-5-101 to IEC 60870-5-104 and vice
versa. Lower lewel device still has to be configured in GWS to determine communication
parameters: address, address length etc.

[[Image:IEC101-104_direct.png]] 

In this example, lower level device is configured to Port1 (serial master), using IEC101 protocol.
The uplink is configured to Port14 (TCP/IP slave), using IEC 104 protocol.
By pairing the two ports together in GWS (Common->Direct IEC-101 to IEC104), the IEC101 protocol is translated to IEC104 protocol.
Objects of Device1 are not defined in GWS "Objects" tab.All the data is directly translated to IEC104 channel without intermediate database.

Note: Direct IEC-101 to IEC-104 Translation feature should not be used together with "Redundant Connections" feature.

Configuring IEC-61850 Client via GWS

2019-06-04T11:12:18Z

Igor:

Latest GWS is available from http://phobos.martem.ee/shr/gws

1. Save .icd or .scd file from IED 

2. Run the latest GWS.exe and select GW6e from "Device" menu 

3. Press the icd/scd button 

[[Image:3.icd_scd.png]] 

4. Press the Add/Remove buttons to add/remove .icd/.scd files from RTU config. Select "Create devices and objects" to automatically create ports, devices and objects list for every IED. 

[[Image:4.Load_icd.png]] 

5. Verify the port and device settings that GWS created. It is recommended to add comments (i.e feeder name) to the ports/devices.
6. It is recommended to configure the BRCB options (Select BRCB-s and Datasets that the RTU should connect to). In the following example, BRCB1 and Dataset1 of a WIMO device are selected.
*If BRCB config is empty, then the RTU will use all BRCB-s in the IED.
*"Create first dataset" is for creating a dynamic dataset into the IED. Usually not used (assuming that the IED is reasonably configured). 

[[Image:6.BRCB.png]] 

7. View the objects list generated by GWS. By default, all objects from all datasets have been generated. 

8. If the object list contains objects from too many datasets, then:
* specify the options by clicking the "Load XML" button in "Devices" tab.
* select the proper .icd/.scd file and IED name* select "create objects" to recreate the object list. A new button "Adv" appears for advanced configuration (press it).
* select the required datasets by checking/unchecking them from the DS list
* Press OK 

[[Image:8.objects.png]] 

9. Now the object list has been recreated with the specified options. Verify the objects in the "Objects" tab. Note the colours:
* Red - object is about to be removed from the object list
* Yellow - object already existed in object list or appears in multiple datasets
* Green - object has been added (generated) to the object list. If you accept the changes, press "Confirm" button. Red objects will be removed. 

[[Image:9.confirm.png]] 

10. It is now possible to compare the RTU config with .icd/.scd file. Navigate back to "Devices" tab and press "Load XML" and then "Compare" button. 

[[Image:10.compare.png]] 

Select the .icd/.scd that you wish to compare the RTU config to. Differences are marked red. In the following example it appears that the RTU config contains 2 objects from DS3 and no objects from DS1 

[[Image:10.compare2.png]]

ReservLülitusAutomaatika

2019-06-04T11:11:36Z

Igor:

== RTA-A´s koostatud RLA loogika seletus:==

[[Media:RTA_valemite_seletused.pdf]]

== Katsestendi projekt:==

[[Media:RLA_KatseStend_Martem.pdf]]

=== RLA katsestend===
[[Image:RLA_Katsestend.jpg]]

[[Kasutaja:Vitali Burzak|Vitali Burzak]] 16. märts 2013, kell 17:08 (EET)

Actaris ACE6000

2019-06-04T11:09:00Z

Igor: /* Aims Pro */

=GWS=
==Ports tab==
===Communication parameters===
* Parity: '''EVEN'''
* Stop bits: '''1'''
* Data bits: '''7'''
===Polling delay===
* One device per channel: '''0'''ms - unlimited
* 2 or more devices per channel: '''2000'''ms - unlimited
===Query timeout===
More than '''1500'''ms
==Objects tab==
Enter the object's address to column named "61850 v"

Address for '''Reactive energy import''' is '''3.8.0'''
Address for '''Energy rate 02''' is '''1.8.2'''
Address could even be '''C.55.6''' or '''FF.FF.2'''

You can see the address in the picture under the column '''code'''.

=Aims Pro=
Display tab in ACE6000 configuration program

[[Image:ACE6000_Aims_Pro_Display_page.jpg]]

=Pealtkuulamine=
17:06:31.640: /?0!
17:06:31.640: [CR][LF]
17:06:31.897: /ACE5\2ACE6000_R3[CR][LF]
17:06:32.005: [ACK]050[CR][LF]
17:06:32.247: [STX]0.9.2(9.17.10,5)[CR][LF]
17:06:32.279: 0.9.1(16:7:47:255)[CR][LF]
17:06:32.311: 1.8.1(0*kWh)[CR][LF]
17:06:32.326: 1.8.2(0*kWh)[CR][LF]
17:06:32.361: 2.8.1(0*kWh)[CR][LF]
17:06:32.376: 2.8.2(0*kWh)[CR][LF]
17:06:32.410: 3.8.0(0*kvarh)[CR][LF]
17:06:32.442: 4.8.0(0*kvarh)[CR][LF]
17:06:32.474: 1.6.1(0.0*kW)(0100917070000)[CR][LF]
17:06:32.522: 1.6.2(0.0*kW)(0100917160000)[CR][LF]
17:06:32.550: 13.7(1.0000)[CR][LF]
17:06:32.586: 1.7(0*W)[CR][LF]
17:06:32.602: 2.7(0*W)[CR][LF]
17:06:32.617: 3.7(0*var)[CR][LF]
17:06:32.650: 4.7(0*var)[CR][LF]
17:06:32.666: 9.7(0*VA)[CR][LF]
17:06:32.681: 10.7(0*VA)[CR][LF]
17:06:32.710: 32.7(0.77*V)[CR][LF]
17:06:32.730: 52.7(0.87*V)[CR][LF]
17:06:32.762: 72.7(227.41*V)[CR][LF]
17:06:32.777: 31.7(0.00*A)[CR][LF]
17:06:32.810: 51.7(0.00*A)[CR][LF]
17:06:32.825: 71.7(0.00*A)[CR][LF]
17:06:32.842: 14.7(50.0*Hz)[CR][LF]
17:06:32.874: C.53.1(0)[CR][LF]
17:06:32.890: C.53.2(0*s)[CR][LF]
17:06:32.922: C.55.1(0)[CR][LF]
17:06:32.938: C.55.2(0*h)[CR][LF]
17:06:32.953: C.55.3(0)[CR][LF]
17:06:32.984: C.55.4(0*h)[CR][LF]
17:06:33.000: C.55.5(1)[CR][LF]
17:06:33.015: C.55.6(432*h)[CR][LF]
17:06:33.046: F.F.1(00000000)[CR][LF]
17:06:33.066: F.F.2(0000001000000011000000010100000001000000)[CR][LF]
17:06:33.129: 7.0(28*0C)[CR][LF]
17:06:33.153: 0.2.0(123[ ][ ][ ][ ][ ])[CR][LF]
17:06:33.164: !
17:06:33.164: [CR][LF]
17:06:33.164: [ETX]@

Seadmete tarkvara testimine

2019-06-04T11:08:36Z

Igor:

==TELEM-DO5-T ja TELEM-DI24-T==
#Ettevalmistus
##Ühenda esimese pordi kaudu seade Telem-DO5-T TELEM2000-ega.
##Muuda seadme aadressiks 1 (0001).
##Lae seadmesse vaikesätted (default setup: RST-ON -> DFT-ON -> RST-OFF -> DFT-OFF).
#Side testimine
##Veendu et side toimib vaikesätetel (9600 no parity).
##Testi side toimimist kõige aeglasemal võimalikul kiirusel "even parity"-ga. NB! kiirus 200 ei tööta läbi USB.
##Testi side toimimist kõige kiiremal võimalikul kiirusel "odd parity"-ga.
#Objekti baasaadress
##Muuda objekti baasaadress 2-meks. Kontrolli et juhtmiste aadressid on nihkunud 2-he võrra( 3=1,4=2 jne.).(kuna eelnevalt sai tehtud default setup tuleb eelnevalt määrata, et juhtimised oleks kasutuses - "2-In use")
==Ainult TELEM-DO5-T==
#Tee seadmele reset 3(vaikesätte laadimine).
#Lae seadmesse järgmine konfiguratsioon: [[Image:Testkonf.png|left|thumb|500px]] 
#Antud konfiguratsiooni abil on võimalik tuvastada kas on töökorras järgmised seadistuse variandid: In use- sees/väljas, Direct execute- lubatud või mitte, Lühikese impulsi pikkuse ja arvu määramine ja pika impulsi piukkuse ja arvu määramine.
==Ainult TELEM-DI24-T==
#Tee seadmele reset 3(vaikesätte laadimine).
#Lae seadmesse järgmine konfiguratsioon: [[Image:Testkonfdi.png|left|thumb|500px]] 
#Antud konfiguratsiooni abil on võimalik tuvastada kas on töökorras järgmised seadistuse variandid: In use- sees/väljas, tüübid- single/double/counter/counter(double), ajamärgi lisamine, debouncing filter ja chatter filter(ajad piisavalt pikad käsitsi testimiseks) ja Counter( vajalik signaalide arv sündmuse tekitamiseks.

Failide süstematiseerimine

2019-06-04T11:07:54Z

Igor:

See on kunagine ettepanek (mis ei jõudnudki tutvustamisele) selle kohta , kuidas Martemi serveris korda luua. Ehk keegi viitsib vaadata ja kommenteerida !

[[Image:filesTree.swf]]

4x-FO-3

2019-06-04T11:07:04Z

Igor:

== TESTIMISJUHEND==

Pressi nuppu Telem-4xFO-3 kui oled avanud lehe:

[http://www.martem.ee/ylo SIIN TA ON ! (TA=JUHEND)]
[[Image:VirtualTest.png]]

== Telem-4xFO rev.3 testimine ==

Testimisel tuleb pöörata tähelepanu kõigi skeemiosade vähemalt ühekordsele ülekontrollimisele
Üldstruktuur:

[[Image:4x-FO-3-structure.png]]

== 1. Põhireziim (vaikimisi) - kasutusel aimult üks 4x-FO-3 seade ==

"Master" = RS232
[[Image:RS232master-default.png]]

== 2. Kasutusel aimult üks 4x-FO-3 seade ("Master" ühendada RS232 DB9 või 1. RJ12 ) ==

"Master" = RS232
[[Image:RS232master-1standardRxOutput.png]]

== 3. "Master" = RS422 ==

[[Image:RS422master.png]]

== 4. Põhireziim mitme 4x-FO-3 seadme kasutamisel ==

kogu side = RS232
[[Image:2x-4x-FO-3-default.png]]

== 5. Erireziimid mitme 4x-FO-3 seadme kasutamisel ==
Saade Tx seadmte vahel = RS422
Vastuvõtt Rx seadmte vahel = RS232
[[Image:2x-4x-FO-3-special-Rx.png]]

== 6. 1x- Optical Loop ==

Anda optiline Tx-signaal opt. sisenditesse 1
Jälgida selle signaali jõudmist optilistesse väljunditesse

[[Image:1x-optical-loop.png]]

== 7. 2x- Optical Loop ==

Anda optiline Tx-signaal kordamööda opt. sisenditesse 1 ja 2
Jälgida selle signaali jõudmist optilistesse väljunditesse
[[Image:2x-optical-loop.png]]

== 8. 2x loop kasutamisel lisaindikatsioonid: ==

8.1 "Slave"- seadme 4xFO-le
Rx1 puudumise indikaator
Rx2 puudumise indikaator
8.1 "Master"- seadme 4xFO-le
Rx1 & Rx2 erinevuse indikaator

[[Image:2x-4x-FO-3-special-functions.png]]

Telem-DI24-T

2019-06-04T11:05:57Z

Igor:

{| border="0" cellspacing="0" cellpadding="5" align="right" style="background-color:#FFFFCC"
! <h3 align="left">Kasutusjuhend:</h3>
|-
|[[Media:Telem-DI24-T_usermanual.pdf|User Manual]]
|-
|[[Media:Telem-DI24-T_data_sheet.pdf|Data Sheet]]
|-
| <h3 align="left">I/O moodulid:</h3>
|-
| [[Telem-AI12G]]
|-
| [[Telem-AI12-T]]
|-
| [[Telem-DI20G]]
|-
| [[Telem-DI24-T]]
|-
| [[Telem-DO8G]]
|-
| [[Telem-DO5-T]]
|-
| [[Image:DI24T.jpg|center|thumb|250px|TELEM-DI24-T]]
|}

Graafik reaalajas

2019-06-04T11:04:59Z

Igor:

See on kasutusel VKG-s
[[Image:koguvoim-flashTrend.png]]
[[Image:koguvoim-clientTrend.png]]

Telem-DO8G

2019-06-04T10:58:52Z

Igor:

{| border="0" cellspacing="0" cellpadding="5" align="right" style="background-color:#FFFFCC"
! <h3 align="left">Kasutusjuhend:</h3>
|-
|[[Media:Telem-DO8G_usermanual.pdf|User Manual]] | [[:File:Telem-DO8G_usermanual.pdf|Faili ajalugu]]
|-
| <h3 align="left">I/O moodulid:</h3>
|-
| [[Telem-AI12G]]
|-
| [[Telem-AI12-T]]
|-
| [[Telem-DI20G]]
|-
| [[Telem-DI24-T]]
|-
| [[Telem-DO8G]]
|-
| [[Telem-DO5-T]]
|}

Telem-DO5-T

2019-06-04T10:58:06Z

Igor:

{| border="0" cellspacing="0" cellpadding="5" align="right" style="background-color:#FFFFCC"
! <h3 align="left">Kasutusjuhend:</h3>
|-
|[[Media:Telem-DO5-T_usermanual.pdf|User Manual]] | [[:File:Telem-DO5-T_usermanual.pdf|Faili ajalugu]]
|-
|[[Media:Telem-DO5-T_data_sheet.pdf|Data Sheet]] | [[:File:Telem-DO5-T_data_sheet.pdf|Faili ajalugu]]
|-
| <h3 align="left">I/O moodulid:</h3>
|-
| [[Telem-AI12G]]
|-
| [[Telem-AI12-T]]
|-
| [[Telem-DI20G]]
|-
| [[Telem-DI24-T]]
|-
| [[Telem-DO8G]]
|-
| [[Telem-DO5-T]]
|-
| [[image:DO5T.jpg|center|thumb|250px|TELEM-DO5-T]]
|}

Telem-AI12-T

2019-06-04T10:56:47Z

Igor:

{| border="0" cellspacing="0" cellpadding="5" align="right" style="background-color:#FFFFCC"
! <h3 align="left">Kasutusjuhend:</h3>
|-
|[[Media:Telem-AI12-T_usermanual.pdf|User Manual]] | [[:File:Telem-AI12-T_usermanual.pdf|Faili ajalugu]]
|-
|[[Media:Telem-AI12-T_data_sheet.pdf|Data Sheet]] | [[:File:Telem-AI12-T_data_sheet.pdf|Faili ajalugu]]
|-
| <h3 align="left">I/O moodulid:</h3>
|-
| [[Telem-AI12G]]
|-
| [[Telem-AI12-T]]
|-
| [[Telem-DI20G]]
|-
| [[Telem-DI24-T]]
|-
| [[Telem-DO8G]]
|-
| [[Telem-DO5-T]]
|-
| [[Image:AI12T.jpg|center|thumb|250px|TELEM-AI12-T]]
|}

[[IEC101 Objects]]

GWS ja BDE installeerimine

2019-06-04T10:54:06Z

Igor:

{| border="0" cellspacing="0" cellpadding="5" align="right" style="background-color:#FFFFCC"
! <h3 align="left">GWS Setup</h3>
|-
|[[Media:GWS_Setup.zip]] | [[:File:GWS_Setup.zip|Faili ajalugu]]
|-
|}

Just start the GWS.EXE, if you don't need to configure the Telem RTU modules
(menu item "Device/RTU modules").

If you wish to configure also the Telem RTU modules with GWS.EXE and you
haven't installed our Telem Data concentrator software (Telem-2000),
then you need to follow the items below.

1) Start GWS_&_RTU_Modules.BAT which copies the files to your C disk

2) If the BDE is not installed to your computer (Check the presence of "BDE Administrator" on the Control Panel) then:
- Start the Setup.exe in BDE32_Setup folder

- If the BDE Administrator does not appear on the Control Panel, then restart the computer

- If you have the Windows Vista, then follow the instructions in "Configuring the BDE for Vista.pdf"

3) Add to BDE the needed database descriptions:
- Open the BDE Administrator from the Control Panel
- Choose from menu "Object/Merge configuration" and merge the C:\BDE32_Setup\Add_to_IDAPI32.CFG

GWS ja BDE installeerimine

2019-06-04T10:53:53Z

Igor:

{| border="0" cellspacing="0" cellpadding="5" align="right" style="background-color:#FFFFCC"
! <h3 align="left">GWS Setup</h3>
|-
|[[Media:GWS_Setup.zip]] | [[:File:GWS_Setup.zip|Faili ajalugu]
|-
|}

Just start the GWS.EXE, if you don't need to configure the Telem RTU modules
(menu item "Device/RTU modules").

If you wish to configure also the Telem RTU modules with GWS.EXE and you
haven't installed our Telem Data concentrator software (Telem-2000),
then you need to follow the items below.

1) Start GWS_&_RTU_Modules.BAT which copies the files to your C disk

2) If the BDE is not installed to your computer (Check the presence of "BDE Administrator" on the Control Panel) then:
- Start the Setup.exe in BDE32_Setup folder

- If the BDE Administrator does not appear on the Control Panel, then restart the computer

- If you have the Windows Vista, then follow the instructions in "Configuring the BDE for Vista.pdf"

3) Add to BDE the needed database descriptions:
- Open the BDE Administrator from the Control Panel
- Choose from menu "Object/Merge configuration" and merge the C:\BDE32_Setup\Add_to_IDAPI32.CFG

Homework 2

2019-06-04T10:52:54Z

Igor:

Elementary knowledge of GIT, BASH, C++ will be tested.

Task may be completed on any Linux distribution (recommended debian/ubuntu)

== GIT ==
* Save work progress in a repository
** For example [https://github.com/ github.com]
* Use branches ([http://nvie.com/posts/a-successful-git-branching-model/ help])
** One branch for implementing bash script and another branch for c++
** commit often, total number of commits should be 10+
** when checking out a random revision, it should compile.
** Branches start from master and must be merged back into master

== BASH ==
=== Script 1 - Show memory usage ===

Script has 1 optional argument, path to meminfo file (contains current memory status).
If it's not provided use '''/proc/meminfo'''

Use standard unix tools like '''awk''', '''grep''', '''sed''' to parse the input file.

Example of input file

cat /proc/meminfo
MemTotal: 7969612 kB
MemFree: 4582768 kB
Buffers: 707368 kB
Cached: 1122984 kB
SwapCached: 0 kB
Active: 1742408 kB
Inactive: 1203472 kB
[ ... ]

output:
./script1.sh /proc/meminfo
RAM: 4582 MB used / 7969 MB total ( 3387 MB free)

=== Script 2 - compile c++ application ===

Compiles the C++ application
Probably only has 1 useful line, g++ with some linker options.

example:
./script2.sh
Compilation started
Compilation finished

== C++ ==
=== Parse log file for invalid time stamps ===
Write a program that parses the provided example log file, [[Media:Ex_log.gz]] and checks for anomalies in time stamps (if the newer log line has an older time stamp). The normal behavior is that the time increases with each line downwards as shown below

<pre>
2015-02-19 17:33:08.584 [INFO] Gateway.port9.db - (122) event: 2 flags: GwTime GI time: 2015-Feb-19 17:33:08.583703, received
2015-02-19 17:33:08.585 [INFO] Gateway.port6.db - (41) event: 2 flags: GwTime GI time: 2015-Feb-19 17:33:08.585024, received
2015-02-19 17:33:08.586 [INFO] Gateway.port6.db - (42) event: 2 flags: GwTime GI time: 2015-Feb-19 17:33:08.585943, received
2015-02-19 17:33:08.598 [INFO] Gateway.Port15.db - (40) event: 1 flags: GwTime GI time: 2015-Feb-19 17:33:08.551947, sent
2015-02-19 17:33:08.599 [INFO] Gateway.Port15.db - (120) event: 2 flags: GwTime GI time: 2015-Feb-19 17:33:08.528113, sent
2015-02-19 17:33:08.604 [INFO] Gateway.port9.db - (123) event: 1 flags: GwTime GI time: 2015-Feb-19 17:33:08.603814, received
2015-02-19 17:33:08.606 [INFO] Gateway.port6.db - (43) event: 2 flags: GwTime GI time: 2015-Feb-19 17:33:08.586459, received
2015-02-19 17:33:08.607 [INFO] Gateway.port6.db - (44) event: 2 flags: GwTime GI time: 2015-Feb-19 17:33:08.606645, received
2015-02-19 17:33:08.607 [INFO] Gateway.port6.db - (45) event: 2 flags: GwTime GI time: 2015-Feb-19 17:33:08.607344, received
</pre>

An erroneous log would look like the next short example

<pre>
2015-02-19 17:33:08.790 [INFO] Gateway.port10.db - (128) event: 1 time: 2015-Feb-19 17:31:58.520000, received
2015-02-19 17:33:08.792 [INFO] Gateway.WebServer.db - (128) event: 1 time: 2015-Feb-19 17:31:58.520000, sent
2015-02-19 11:23:08.808 [INFO] Gateway.Port15.db - (128) event: 1 time: 2015-Feb-19 17:31:58.520000, sent
2015-02-19 11:23:08.812 [INFO] Gateway.port10.db - (129) event: 1 time: 2015-Feb-19 17:31:58.855000, received
2015-02-19 11:23:08.814 [INFO] Gateway.WebServer.db - (129) event: 1 time: 2015-Feb-19 17:31:58.855000, sent
2015-02-19 11:23:08.815 [INFO] Gateway.port10.db - (130) event: 1 time: 2015-Feb-19 17:31:58.176000, received
2015-02-19 11:23:08.817 [INFO] Gateway.WebServer.db - (130) event: 1 time: 2015-Feb-19 17:31:58.176000, sent
2015-02-19 17:33:08.817 [INFO] Gateway.port10.db - (131) event: 1 time: 2015-Feb-19 17:31:58.091000, received
2015-02-19 17:33:08.837 [INFO] Gateway.Port15.db - (129) event: 1 time: 2015-Feb-19 17:31:58.855000, sent
</pre>

Note that year-month-day could also be 'wrong'.

<pre>
2015-02-19 17:33:08.895 [INFO] Gateway.port7.db - (54) event: -0.058075 flags: GwTime GI Normalized time: 2015-Feb-19 17:33:08.895493, received
2015-02-19 17:33:08.897 [INFO] Gateway.port8.db - (81) event: 0.771538 flags: GwTime GI Normalized time: 2015-Feb-19 17:33:08.896834, received
2015-02-19 17:33:08.898 [INFO] Gateway.port8.db - (82) event: 0.541642 flags: GwTime GI Normalized time: 2015-Feb-19 17:33:08.897743, received
2012-01-15 17:33:08.898 [INFO] Gateway.port8.db - (83) event: -0.523254 flags: GwTime GI Normalized time: 2015-Feb-19 17:33:08.898286, received
2012-01-15 17:33:08.899 [INFO] Gateway.port8.db - (84) event: -0.142151 flags: GwTime GI Normalized time: 2015-Feb-19 17:33:08.898931, received
2012-01-15 17:33:08.899 [INFO] Gateway.port8.db - (85) event: 0.0126041 flags: GwTime GI Normalized time: 2015-Feb-19 17:33:08.899393, received
2015-02-19 17:33:08.900 [INFO] Gateway.port8.db - (86) event: 0.0643635 flags: GwTime GI Normalized time: 2015-Feb-19 17:33:08.899999, received
2015-02-19 17:33:08.900 [INFO] Gateway.port8.db - (87) event: -0.507019 flags: GwTime GI Normalized time: 2015-Feb-19 17:33:08.900444, received
</pre>

Or both...

Program accepts one out of three '''optional''' arguments: stats, list or all. Examples

<pre>
./a.out filename --stats
./a.out filename
./a.out filename --all
</pre>

<pre>
--stats
Outputs statistical information about time stamp anomalies.

--list
Outputs lines with erroneous time stamps along with line numbers.

--all
Outputs lines with erroneous time stamps along with line numbers
and statistical information about time stamp anomalies
</pre>

==== Examples ====

A short example log file

<pre>
2015-02-19 13:28:33.778 [INFO] Gateway.Port15.db - (35) event: 2 time: 2015-Feb-19 17:32:02.013000, sent
2015-02-19 13:28:33.778 [INFO] Gateway.Port15.db - (133) event: 2 time: 2015-Feb-19 17:31:52.336000, sent
2015-02-19 13:28:33.788 [INFO] Gateway.WebServer.db - (36) event: 1 time: 2015-Feb-19 17:32:01.386000, sent
2015-02-19 13:28:33.791 [INFO] Gateway.WebServer.db - (134) event: 2 time: 2015-Feb-19 17:31:52.030000, sent
2015-02-19 13:28:33.797 [INFO] Gateway.port10.db - (135) event: 2 time: 2015-Feb-19 17:31:52.035000, received
2015-02-19 13:28:33.795 [INFO] Gateway.port6.db - (37) event: 2 time: 2015-Feb-19 17:32:01.157000, received
2015-02-19 13:28:33.804 [INFO] Gateway.WebServer.db - (135) event: 2 time: 2015-Feb-19 17:31:52.035000, sent
2015-02-19 11:28:33.805 [INFO] Gateway.port10.db - (136) event: 1 time: 2015-Feb-19 17:31:52.090000, received
2015-02-19 11:28:33.806 [INFO] Gateway.WebServer.db - (37) event: 2 time: 2015-Feb-19 17:32:01.157000, sent
2015-02-19 11:28:33.807 [INFO] Gateway.Port15.db - (36) event: 1 time: 2015-Feb-19 17:32:01.386000, sent
2015-02-19 11:28:33.807 [INFO] Gateway.Port15.db - (134) event: 2 time: 2015-Feb-19 17:31:52.030000, sent
2015-02-19 13:28:33.808 [INFO] Gateway.Port15.db - (135) event: 2 time: 2015-Feb-19 17:31:52.035000, sent
2015-02-19 13:28:33.810 [INFO] Gateway.port6.db - (38) event: 2 time: 2015-Feb-19 17:32:01.744000, received
2015-02-19 13:28:33.813 [INFO] Gateway.WebServer.db - (38) event: 2 time: 2015-Feb-19 17:32:01.744000, sent
2015-02-19 13:28:33.814 [INFO] Gateway.WebServer.db - (136) event: 1 time: 2015-Feb-19 17:31:52.090000, sent
2015-01-19 13:18:33.819 [INFO] Gateway.Port15.db - (37) event: 2 time: 2015-Feb-19 17:32:01.157000, sent
2015-01-19 13:18:33.819 [INFO] Gateway.Port15.db - (38) event: 2 time: 2015-Feb-19 17:32:01.744000, sent
2015-01-19 13:18:33.820 [INFO] Gateway.Port15.db - (136) event: 1 time: 2015-Feb-19 17:31:52.090000, sent
2015-02-19 13:28:33.821 [INFO] Gateway.port10.db - (137) event: 2 time: 2015-Feb-19 17:31:52.637000, received
2015-02-19 13:28:33.823 [INFO] Gateway.WebServer.db - (137) event: 2 time: 2015-Feb-19 17:31:52.637000, sent
2015-02-19 13:28:33.824 [INFO] Gateway.port6.db - (39) event: 2 time: 2015-Feb-19 17:32:02.451000, received
2015-02-19 13:28:33.826 [INFO] Gateway.WebServer.db - (39) event: 2 time: 2015-Feb-19 17:32:02.451000, sent
</pre>

<pre>
$ ./a.out example_log --stats
Number of lines:
22
Invalid time stamps at line(s):
6
8-11
16-18
</pre>

<pre>
$ ./a.out example_log --list
Lines with invalid time stamps:
[7] 2015-02-19 13:28:33.804 [INFO] Gateway.WebServer.db - (135) event: 2 time: 2015-Feb-19 17:31:52.035000, sent
[8] 2015-02-19 11:28:33.805 [INFO] Gateway.port10.db - (136) event: 1 time: 2015-Feb-19 17:31:52.090000, received
[9] 2015-02-19 11:28:33.806 [INFO] Gateway.WebServer.db - (37) event: 2 time: 2015-Feb-19 17:32:01.157000, sent
[10] 2015-02-19 11:28:33.807 [INFO] Gateway.Port15.db - (36) event: 1 time: 2015-Feb-19 17:32:01.386000, sent
[11] 2015-02-19 11:28:33.807 [INFO] Gateway.Port15.db - (134) event: 2 time: 2015-Feb-19 17:31:52.030000, sent
[12] 2015-02-19 13:28:33.808 [INFO] Gateway.Port15.db - (135) event: 2 time: 2015-Feb-19 17:31:52.035000, sent
---
[15] 2015-02-19 13:28:33.814 [INFO] Gateway.WebServer.db - (136) event: 1 time: 2015-Feb-19 17:31:52.090000, sent
[16] 2015-01-19 13:18:33.819 [INFO] Gateway.Port15.db - (37) event: 2 time: 2015-Feb-19 17:32:01.157000, sent
[17] 2015-01-19 13:18:33.819 [INFO] Gateway.Port15.db - (38) event: 2 time: 2015-Feb-19 17:32:01.744000, sent
[18] 2015-01-19 13:18:33.820 [INFO] Gateway.Port15.db - (136) event: 1 time: 2015-Feb-19 17:31:52.090000, sent
[19] 2015-02-19 13:28:33.821 [INFO] Gateway.port10.db - (137) event: 2 time: 2015-Feb-19 17:31:52.637000, received
</pre>

<pre>
$ ./a.out example_log --all
Number of lines:
22
Invalid time stamps at line(s):
8-11
16-18

Lines with invalid time stamps:
[7] 2015-02-19 13:28:33.804 [INFO] Gateway.WebServer.db - (135) event: 2 time: 2015-Feb-19 17:31:52.035000, sent
[8] 2015-02-19 11:28:33.805 [INFO] Gateway.port10.db - (136) event: 1 time: 2015-Feb-19 17:31:52.090000, received
[9] 2015-02-19 11:28:33.806 [INFO] Gateway.WebServer.db - (37) event: 2 time: 2015-Feb-19 17:32:01.157000, sent
[10] 2015-02-19 11:28:33.807 [INFO] Gateway.Port15.db - (36) event: 1 time: 2015-Feb-19 17:32:01.386000, sent
[11] 2015-02-19 11:28:33.807 [INFO] Gateway.Port15.db - (134) event: 2 time: 2015-Feb-19 17:31:52.030000, sent
[12] 2015-02-19 13:28:33.808 [INFO] Gateway.Port15.db - (135) event: 2 time: 2015-Feb-19 17:31:52.035000, sent
---
[15] 2015-02-19 13:28:33.814 [INFO] Gateway.WebServer.db - (136) event: 1 time: 2015-Feb-19 17:31:52.090000, sent
[16] 2015-01-19 13:18:33.819 [INFO] Gateway.Port15.db - (37) event: 2 time: 2015-Feb-19 17:32:01.157000, sent
[17] 2015-01-19 13:18:33.819 [INFO] Gateway.Port15.db - (38) event: 2 time: 2015-Feb-19 17:32:01.744000, sent
[18] 2015-01-19 13:18:33.820 [INFO] Gateway.Port15.db - (136) event: 1 time: 2015-Feb-19 17:31:52.090000, sent
[19] 2015-02-19 13:28:33.821 [INFO] Gateway.port10.db - (137) event: 2 time: 2015-Feb-19 17:31:52.637000, received
</pre>

If no arguments a given, output an error message: 'Input file missing'.

If no optional arguments are given, output is same as with stats argument.

Note that with list argument one line before and after the invalid time stamp is also output (look closer at the example outputs).

Program is output to 'standard output'.

Use [http://www.boost.org/ boost] libraries: [http://www.boost.org/doc/libs/1_53_0/libs/format/doc/format.html format], [http://www.boost.org/doc/libs/1_53_0/doc/html/date_time.html date_time], [http://www.boost.org/doc/libs/1_53_0/libs/filesystem/doc/index.htm filesystem].

[[Kasutaja:MarkTomm|MarkTomm]] 15. juuli 2015, kell 16:10 (EEST)

Telem-DI20G

2019-06-04T10:45:14Z

Igor:

{| border="0" cellspacing="0" cellpadding="5" align="right" style="background-color:#FFFFCC"
! <h3 align="left">Kasutusjuhend:</h3>
|-
|[[Media:Telem-DI20G_usermanual.pdf|User Manual]] | [[:File:Telem-DI20G_usermanual.pdf|Faili ajalugu]]
|-
| <h3 align="left">I/O moodulid:</h3>
|-
| [[Telem-AI12G]]
|-
| [[Telem-AI12-T]]
|-
| [[Telem-DI20G]]
|-
| [[Telem-DI24-T]]
|-
| [[Telem-DO8G]]
|-
| [[Telem-DO5-T]]
|}

Telem-AI12G

2019-06-04T10:44:14Z

Igor:

{| border="0" cellspacing="0" cellpadding="5" align="right" style="background-color:#FFFFCC"
! <h3 align="left">Kasutusjuhend:</h3>
|-
|[[Media:Telem-AI12G_usermanual.pdf|User Manual]] | [[:File:Telem-AI12G_usermanual.pdf|Faili ajalugu]]
|-
| <h3 align="left">I/O moodulid:</h3>
|-
| [[Telem-AI12G]]
|-
| [[Telem-AI12-T]]
|-
| [[Telem-DI20G]]
|-
| [[Telem-DI24-T]]
|-
| [[Telem-DO8G]]
|-
| [[Telem-DO5-T]]
|}

Telem-RTA

2019-06-04T10:43:29Z

Igor:

{| border="0" cellspacing="0" cellpadding="5" align="right" style="background-color:#FFFFCC"
! <h3 align="left">Kasutusjuhend:</h3>
|-
|[[Media:Telem-RTA_usermanual.pdf|User Manual]] | [[:File:Telem-RTA_usermanual.pdf|Faili ajalugu]]
|}

Telem-RTA

2019-06-04T10:43:10Z

Igor:

{| border="0" cellspacing="0" cellpadding="5" align="right" style="background-color:#FFFFCC"
! <h3 align="left">Kasutusjuhend:</h3>
|-
|[[Media:Telem-RTA_usermanual.pdf]] | [[:File:Telem-RTA_usermanual.pdf|faili ajalugu]]
|}

TELEM-GW6e

2019-06-04T10:40:10Z

Igor:

{| border="0" width="500" cellspacing="0" cellpadding="5" align="right" style="background-color:#FFFFCC"
! <h3 align="left">User manual</h3>
|-
|[[Media:Telem-GW6e_usermanual_rev_11_2013Q3_RC2_.pdf|User Manual]] | [[:File:Telem-GW6e_usermanual_rev_11_2013Q3_RC2_.pdf|Faili ajalugu]]
|}
[[Image:Gw6e.jpg|right|thumb|500px|TELEM-GW6e]]
==General==
*[[GwLin Changelog |Firmware changelog]]
*[[GW6Lin software upgrade|Firmware upgrade]]
*[[Telem-RTC firmware upgrade| Telem-RTC Firmware upgrade]]
*[[GW6Lin reading log files|Reading log files]]
*[[GW6Lin configuration through FTP |Configuration through FTP]]
*[[Connect to GW6 over SSH]]
*[[GW6 web schema]]
*[[Gw XML setup]]
*[[Which GWS should I use with my GW6 |Which GWS to use?]]
*[[Telem-GW6e CPU frequency]]
*[[Account Management]]

==Base board==
*[[Telem-GW6Lin]]
==Add-on boards==
* [[TELEM-COM8]]
* [[TELEM-RTC]]

=Using Other Manufacturers Devices with GW6e=
*[[Actaris ACE6000]]
*[[Kuidas konfigureerida IEC61850 serverit GW6e jaoks?]]
*[[VPN(Virtual_Private_Networking)]]
*[[Advanced Networking]] (for GW6 old models that use setup version 3)
*[[Advanced Networking: OpenVPN]] (for GW6 old models that use setup version 3)

=Testing=
*[[IEC61850]]
*[[TELEM-GW6_testing_manual | test procedure]]

=Other=
*[[ GW6e Conformance Test ]] IEC 101
*[[Flashing PXA27M bootloader]]
*[[Bootstrapping PXA27M modules]]
*[[Telem-GW6Lin-build-qtcreator|Qt Creator setup for GW6e]]
*[[Git help]]

TELEM-GW5

2019-06-04T10:39:26Z

Igor:

{| border="0" cellspacing="0" cellpadding="5" align="right" style="background-color:#FFFFCC"
! <h3 align="left">Kasutusjuhend:</h3>
|-
|[[Media:Telem-GW5_usermanual.pdf|User Manual]] | [[:File:Telem-GW5_usermanual.pdf|Faili ajalugu]]
|}

==Error codes==
'''[[GW5 error codes]]'''

TELEM-GW6

2019-06-04T10:38:55Z

Igor:

{| border="0" width="500" cellspacing="0" cellpadding="5" align="right" style="background-color:#FFFFCC"
! <h3 align="left">User manual</h3>
|-
|[[Media:Telem-GW6_usermanual.pdf|User Manual]] | [[:File:Telem-GW6_usermanual.pdf|Faili ajalugu]]
|}
[[Image:GW6.jpg|right|thumb|500px|TELEM-GW6]]
==General==
*[[GwLin Changelog |Firmware changelog]]
*[[GW6Lin software upgrade|Firmware upgrade]]
*[[Telem-RTC firmware upgrade| Telem-RTC Firmware upgrade]]
*[[GW6Lin reading log files|Reading log files]]
*[[GW6Lin configuration through FTP |Configuration through FTP]]
*[[Connect to GW6 over SSH]]
*[[GW6 web schema]]
*[[Gw XML setup]]
*[[Which GWS should I use with my GW6 |Which GWS to use?]]
*[[Telem-GW6 CPU frequency]]
*[[Account Management]]

==Base board==
*[[Telem-GW6Lin]]
==Add-on boards==
* [[TELEM-COM8]]
* [[TELEM-RTC]]

=Using Other Manufacturers Devices with GW6=
*[[Actaris ACE6000]]
*[[Kuidas konfigureerida IEC61850 serverit GW6 jaoks?]]
*[[Advanced Networking]]
*[[Advanced Networking: OpenVPN]]

=Testing=
*[[IEC61850]]
*[[TELEM-GW6_testing_manual | test procedure]]

=Other=
*[[Flashing PXA27M bootloader]]
*[[Bootstrapping PXA27M modules]]
*[[Telem-GW6Lin-build-qtcreator|Qt Creator setup for GW6]]
*[[Git help]]

TELEM-GW5

2019-06-04T10:35:35Z

Igor:

{| border="0" cellspacing="0" cellpadding="5" align="right" style="background-color:#FFFFCC"
! <h3 align="left">Kasutusjuhend:</h3>
|-
|[[Media:Telem-GW5_usermanual.pdf|User Manual]] | [[File:Telem-GW5_usermanual.pdf|Faili ajalugu]]
|}

==Error codes==
'''[[GW5 error codes]]'''

TELEM-GW5

2019-06-04T10:35:27Z

Igor:

{| border="0" cellspacing="0" cellpadding="5" align="right" style="background-color:#FFFFCC"
! <h3 align="left">Kasutusjuhend:</h3>
|-
|[[Media:Telem-GW5_usermanual.pdf|User Manual]] | [[File:Telem-GW5_usermanual.pdf|Faili ajalugu]
|}

==Error codes==
'''[[GW5 error codes]]'''

TELEM-GW6

2019-06-04T10:35:14Z

Igor:

{| border="0" width="500" cellspacing="0" cellpadding="5" align="right" style="background-color:#FFFFCC"
! <h3 align="left">User manual</h3>
|-
|[[Media:Telem-GW6_usermanual.pdf|User Manual]] | [[File:Telem-GW6_usermanual.pdf|Faili ajalugu]]
|}
[[Image:GW6.jpg|right|thumb|500px|TELEM-GW6]]
==General==
*[[GwLin Changelog |Firmware changelog]]
*[[GW6Lin software upgrade|Firmware upgrade]]
*[[Telem-RTC firmware upgrade| Telem-RTC Firmware upgrade]]
*[[GW6Lin reading log files|Reading log files]]
*[[GW6Lin configuration through FTP |Configuration through FTP]]
*[[Connect to GW6 over SSH]]
*[[GW6 web schema]]
*[[Gw XML setup]]
*[[Which GWS should I use with my GW6 |Which GWS to use?]]
*[[Telem-GW6 CPU frequency]]
*[[Account Management]]

==Base board==
*[[Telem-GW6Lin]]
==Add-on boards==
* [[TELEM-COM8]]
* [[TELEM-RTC]]

=Using Other Manufacturers Devices with GW6=
*[[Actaris ACE6000]]
*[[Kuidas konfigureerida IEC61850 serverit GW6 jaoks?]]
*[[Advanced Networking]]
*[[Advanced Networking: OpenVPN]]

=Testing=
*[[IEC61850]]
*[[TELEM-GW6_testing_manual | test procedure]]

=Other=
*[[Flashing PXA27M bootloader]]
*[[Bootstrapping PXA27M modules]]
*[[Telem-GW6Lin-build-qtcreator|Qt Creator setup for GW6]]
*[[Git help]]

Gw5 kasutusjuhend

2019-06-04T10:33:01Z

Igor:

[[Media:kasutusjuhend.pdf|Kasutusjuhend]]

Gw5 kasutusjuhend

2019-06-04T10:32:43Z

Igor:

[[Media:kasutusjuhend.pdf]]

TELEM-GW6

2019-06-04T10:32:27Z

Igor:

{| border="0" width="500" cellspacing="0" cellpadding="5" align="right" style="background-color:#FFFFCC"
! <h3 align="left">User manual</h3>
|-
|[[Media:Telem-GW6_usermanual.pdf|User Manual]] | [[Media:Telem-GW6_usermanual.pdf |Faili ajalugu]]
|}
[[Image:GW6.jpg|right|thumb|500px|TELEM-GW6]]
==General==
*[[GwLin Changelog |Firmware changelog]]
*[[GW6Lin software upgrade|Firmware upgrade]]
*[[Telem-RTC firmware upgrade| Telem-RTC Firmware upgrade]]
*[[GW6Lin reading log files|Reading log files]]
*[[GW6Lin configuration through FTP |Configuration through FTP]]
*[[Connect to GW6 over SSH]]
*[[GW6 web schema]]
*[[Gw XML setup]]
*[[Which GWS should I use with my GW6 |Which GWS to use?]]
*[[Telem-GW6 CPU frequency]]
*[[Account Management]]

==Base board==
*[[Telem-GW6Lin]]
==Add-on boards==
* [[TELEM-COM8]]
* [[TELEM-RTC]]

=Using Other Manufacturers Devices with GW6=
*[[Actaris ACE6000]]
*[[Kuidas konfigureerida IEC61850 serverit GW6 jaoks?]]
*[[Advanced Networking]]
*[[Advanced Networking: OpenVPN]]

=Testing=
*[[IEC61850]]
*[[TELEM-GW6_testing_manual | test procedure]]

=Other=
*[[Flashing PXA27M bootloader]]
*[[Bootstrapping PXA27M modules]]
*[[Telem-GW6Lin-build-qtcreator|Qt Creator setup for GW6]]
*[[Git help]]

Custom Web Page for TELEM-GWM

2019-05-31T12:29:12Z

Igor: /* What Features to Enable? */

This is a basic guideline for developing custom web pages for TELEM-GWM. It is assumed that reader is familiar with TELEM-GWM configuration software gws.exe and understands how to secure the device. Securing the device is described in [[Basic Security]]. An example of custom developement can be found here [[GW6 web schema]].

=== What Features to Enable? ===
On figure 1 there are features than can be configured for web server. Under “IP settings” you can select firewall settings. On which interface the web server should be enabled and if there is a IP address that should have the exclusive access to the web page. Then the TCP port selection.
 
 
Under http one can disable dynamic server features. “Forbid output control” if checked disables control operations through web server. “Enable GW application logs ..” if checked instructs the web server to send content from log files. “Enable syslog” if checked permits sending of /var/log/messages to the web client. “Enable general information ..” if checked permits sending of firmware revision and some additional info about the device to the web client. “Enable configuration ...” if checked permits sending of the configuration file of the main application to the web client. “Enable events ..” if checked permits sending of events to the web client. Events are encoded in XML.
 
 
Under “User” and “Password” an authorization can be enabled. TELEM-GWM uses digest access authentication.
 
 
Under “Custom” a custom web content can be selected. You have to select folder. All content from that folder is sent to the TELEM-GWM to be displayed to the web client.
 
 
Under “SSL” secure socket layer can be enabled. There are two options to use: in device generated keys or, user generated keys.
[[Image:WebServerSettings.png|283px|thumb|center|Figure 1: Web Server Settings]]

=== Caveats ===
==== Three Password Attempts ====
Server uses session ID's to keep track of authenticated accesses to the server. Sessions timeout within 60 seconds. If you connect to server and set password wrongly for three times the used IP gets banned by firewall. Note this IP gets panned not only from web page but from the whole device.
 
 
If user forgets the password he can look it up from setup as it is in plain text. Alternative is to close the browser after two attempts and then retry. However server supports only 200 sessions and 50 connections per IP address(4 clients with 50 sessions each). Per client count can be further minimised by manually configuring the firewall. Note firewall state count differs from server IP count. That is if you remove the restrictions from firewall, web server will only support 50 connections per IP address and total of 200 sessions.
 
 
All in all it means that only dummy users hitting 4 times the OK button in loging popup are rejected. Scripts like this work ok:
<syntaxhighlight lang="bash">
#!/bin/bash

echo "Get TELEM-GW content!"

array=( pass 12345 54321 martem123456 password qwerty kjhgfd )

for i in "${array[@]}"
do
echo "Trying $i"

rm index.html
curl -s -S --user martem:$i --digest http://10.0.0.29 -o index.html

status=`diff -s -q index.html error.html`

if [ "$status" = "Files index.html and error.html differ" ]; then
echo "Found, password=$i"
exit 0
fi

done

echo "Done, no password match"

exit -1

</syntaxhighlight>
And the output:
<pre>
$ date ; ./telem-gw.sh ; date
Fri Aug 16 13:43:36 EEST 2013
Get TELEM-GW content!
Trying pass
rm: cannot remove `index.html': No such file or directory
Trying 12345
Trying 54321
Trying martem123456
Trying password
Trying qwerty
Trying kjhgfd
Trying martem
Found, password=martem
Fri Aug 16 13:43:53 EEST 2013
$

</pre>

==== No Automatic index.html from Subfolder(s) ====
Web server will not load automatically index.html or index.htm from subfolder(s).
==== No HTTP to HTTPS Redirection ====
You need to know which protocol is used. Don't worry the browser remembers the url's.

TELEM-GW6e

2019-05-31T12:20:06Z

Igor:

{| border="0" width="500" cellspacing="0" cellpadding="5" align="right" style="background-color:#FFFFCC"
! <h3 align="left">User manual</h3>
|-
|[[Media:Telem-GW6e_usermanual_rev_11_2013Q3_RC2_.pdf|User Manual]] | [[Media:Telem-GW6e_usermanual_rev_11_2013Q3_RC2_.pdf|Faili ajalugu]]
|}
[[Image:Gw6e.jpg|right|thumb|500px|TELEM-GW6e]]
==General==
*[[GwLin Changelog |Firmware changelog]]
*[[GW6Lin software upgrade|Firmware upgrade]]
*[[Telem-RTC firmware upgrade| Telem-RTC Firmware upgrade]]
*[[GW6Lin reading log files|Reading log files]]
*[[GW6Lin configuration through FTP |Configuration through FTP]]
*[[Connect to GW6 over SSH]]
*[[GW6 web schema]]
*[[Gw XML setup]]
*[[Which GWS should I use with my GW6 |Which GWS to use?]]
*[[Telem-GW6e CPU frequency]]
*[[Account Management]]

==Base board==
*[[Telem-GW6Lin]]
==Add-on boards==
* [[TELEM-COM8]]
* [[TELEM-RTC]]

=Using Other Manufacturers Devices with GW6e=
*[[Actaris ACE6000]]
*[[Kuidas konfigureerida IEC61850 serverit GW6e jaoks?]]
*[[VPN(Virtual_Private_Networking)]]
*[[Advanced Networking]] (for GW6 old models that use setup version 3)
*[[Advanced Networking: OpenVPN]] (for GW6 old models that use setup version 3)

=Testing=
*[[IEC61850]]
*[[TELEM-GW6_testing_manual | test procedure]]

=Other=
*[[ GW6e Conformance Test ]] IEC 101
*[[Flashing PXA27M bootloader]]
*[[Bootstrapping PXA27M modules]]
*[[Telem-GW6Lin-build-qtcreator|Qt Creator setup for GW6e]]
*[[Git help]]

VPN(Virtual Private Networking)

2019-05-31T10:06:28Z

Igor: /* VPN Setups */

This page is not a tutorial on OpenVPN or on IPsec. It gives general overview of different setups and shows options found from configuration software gws.exe. It is assumed that reader is familiar with TELEM-GWM configuration software gws.exe and understands how to secure the device. Securing the device is described in [[Basic Security]].

=== VPN Setups ===
We have two typical configuration possibilities: site to site and remote access. Site to site is more suited when persistent connectivity is needed. For instance from RTU to Network Control Center(NCC). Remote access is provided for cases when non persistent access is needed or when persistent tunnel is not needed. For example remote management(configuration changes or etc) from different locations with dynamic IP address. Figure 1 illustrates this general concept.
[[File:vpn.png|629px|thumb|center|Figure 1: General Model for VPN Deploiments]]

=== Site to Site With OpenVPN ===

In order to configure site to site VPN with OpenVPN open Common → OpenVPN. From opened dialog box click on Add. “Server address” and “Server port” are the WAN address and UDP port of the server. That means that we support OpenVPN's mode tls-client over UDP. Click on buttons “CA cert”, “Cert” and “Key” in order to select certificates for client. By default routes are pulled from server. This is needed in order the device knows what to send to VPN tunnels and what IP address to use for tunnel interface. “Fragment” 0 means that default setting for OpenVPN is used.
[[File:OpenVPN-Default.png|342px|thumb|center|Figure 2: Default OpenVPN Client Configuration Dialog]]
Figure 2 shows default configuration dialog box. Note that pink fields are mandatory and that default “Server address”, “Local IP” and “Remote IP ” are probably not suitable for your needs. Figure 3 shows production configuration where WAN IP and port and certificates are selected and configured.
[[File:OpenVPN-NonDefault.png|342px|thumb|center|Figure 3: Configuration for interface tun0]]

More info OpenVPN can be found here [http://openvpn.net/index.php/open-source/documentation/howto.html]

=== Site to Site With IPsec ===
In order to configure site to site VPN with IPSec open Common → IPSec and click on Add. From drop down menus select Encryption, Authentication and other parameters for phase 1 and 2 to suit your needs. Parameter Local select which local networks to tunnel over IPSec. “Remote networks” selects “Remote Peers” local networks to tunnel over IPSec. Figure 4 shows default configuration dialog for IPsec and figure 5 setup used in testing.

NB! Remote network & subnet has to match the real remote configuration (LAN network?), otherwise PHASE 2 fails. If you see the following error messages, then this may be the case.
<pre>
ERROR: failed to pre-process ph2 packet (side: 1, status: 1)
ERROR: failed to get sainfo.
</pre>

[[File:IPSec-Default.png|395px|thumb|center|Figure 4: Default IPsec Tunnel Configuration Dialog]]
[[File:IPSec-NonDefault.png|420px|thumb|center|Figure 5: IPSec Minimum Configuration]]

In order to view if tunnel is up issue “setkey -D” or use racoonctl. For instance "racoonctl -l show-sa isakmp" for phase 1 and "racoonctl -l show-sa ipsec" for phase 2. Here is an example output form “setkey -D”, which shows an open tunnel between 10.0.0.111(Telem-GWM) and 10.0.0.86:
<pre>
root@telem-gwm /home/martem $ setkey -D
10.0.0.111 10.0.0.86
esp mode=tunnel spi=30607459(0x01d30863) reqid=16384(0x00004000)
E: blowfish-cbc 72dce7f9 a84cb8bf 8a8d2e68 53779039 781eb0c9
A: hmac-sha1 bc848381 1b957927 615d9700 689dc79e a17ca699
seq=0x00000000 replay=4 flags=0x00000000 state=dying
created: Apr 25 10:16:40 2013 current: Apr 25 11:14:45 2013
diff: 3485(s) hard: 3600(s) soft: 2880(s)
last: hard: 0(s) soft: 0(s)
current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 0 hard: 0 soft: 0
sadb_seq=1 pid=17474 refcnt=0
10.0.0.86 10.0.0.111
esp mode=tunnel spi=137118544(0x082c4350) reqid=16385(0x00004001)
E: blowfish-cbc c322fad3 5d74cfb9 929123fc beafbd64 0975acd6
A: hmac-sha1 2d8bb180 68e67033 be2f2e52 608c4a45 939bde84
seq=0x00000000 replay=4 flags=0x00000000 state=dying
created: Apr 25 10:16:40 2013 current: Apr 25 11:14:45 2013
diff: 3485(s) hard: 3600(s) soft: 2880(s)
last: hard: 0(s) soft: 0(s)
current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 0 hard: 0 soft: 0
sadb_seq=0 pid=17474 refcnt=0
root@telem-gwm /home/martem $
</pre>
Here is the syslog output showing racoon setting this tunnel up:
<pre>
root@telem-gwm /home/martem $ cat /var/log/messages | grep racoon | more
Apr 25 09:08:55 telem-gwm user.notice root: IPSec: racoon needs to be started
Apr 25 09:08:55 telem-gwm user.notice root: IPSec: racoon error, restarting
Apr 25 09:08:55 telem-gwm daemon.info racoon: INFO: @(#)ipsec-tools 0.8.0 (http://ipsec-tools.sourceforge.net)
Apr 25 09:08:55 telem-gwm daemon.info racoon: INFO: @(#)This product linked OpenSSL 1.0.1e 11 Feb 2013 (http://www.openssl.org/)
Apr 25 09:08:55 telem-gwm daemon.info racoon: INFO: Reading configuration from "/etc/racoon/racoon.conf"
Apr 25 09:08:57 telem-gwm daemon.info racoon: INFO: 192.168.2.111[500] used for NAT-T
Apr 25 09:08:57 telem-gwm daemon.info racoon: INFO: 192.168.2.111[500] used as isakmp port (fd=8)
Apr 25 09:08:57 telem-gwm daemon.info racoon: INFO: 192.168.2.111[4500] used for NAT-T
Apr 25 09:08:57 telem-gwm daemon.info racoon: INFO: 192.168.2.111[4500] used as isakmp port (fd=9)
Apr 25 09:08:57 telem-gwm daemon.info racoon: INFO: 10.0.0.111[500] used for NAT-T
Apr 25 09:08:57 telem-gwm daemon.info racoon: INFO: 10.0.0.111[500] used as isakmp port (fd=10)
Apr 25 09:08:57 telem-gwm daemon.info racoon: INFO: 10.0.0.111[4500] used for NAT-T
Apr 25 09:08:57 telem-gwm daemon.info racoon: INFO: 10.0.0.111[4500] used as isakmp port (fd=11)
Apr 25 09:08:57 telem-gwm daemon.info racoon: INFO: 192.168.1.111[500] used for NAT-T
Apr 25 09:08:57 telem-gwm daemon.info racoon: INFO: 192.168.1.111[500] used as isakmp port (fd=12)
Apr 25 09:08:57 telem-gwm daemon.info racoon: INFO: 192.168.1.111[4500] used for NAT-T
Apr 25 09:08:57 telem-gwm daemon.info racoon: INFO: 192.168.1.111[4500] used as isakmp port (fd=13)
Apr 25 09:08:57 telem-gwm daemon.info racoon: INFO: 127.0.0.1[500] used for NAT-T
Apr 25 09:08:57 telem-gwm daemon.info racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=14)
Apr 25 09:08:57 telem-gwm daemon.info racoon: INFO: 127.0.0.1[4500] used for NAT-T
Apr 25 09:08:57 telem-gwm daemon.info racoon: INFO: 127.0.0.1[4500] used as isakmp port (fd=15)
Apr 25 09:08:57 telem-gwm daemon.info racoon: INFO: 127.0.0.0[500] used for NAT-T
Apr 25 09:08:57 telem-gwm daemon.info racoon: INFO: 127.0.0.0[500] used as isakmp port (fd=16)
Apr 25 09:08:57 telem-gwm daemon.info racoon: INFO: 127.0.0.0[4500] used for NAT-T
Apr 25 09:08:57 telem-gwm daemon.info racoon: INFO: 127.0.0.0[4500] used as isakmp port (fd=17)
Apr 25 09:08:57 telem-gwm daemon.info racoon: INFO: fe80::20d:15ff:fe00:af98%eth0[500] used as isakmp port (fd=18)
Apr 25 09:08:57 telem-gwm daemon.info racoon: INFO: fe80::20d:15ff:fe00:af98%eth0[4500] used as isakmp port (fd=19)
Apr 25 09:08:57 telem-gwm daemon.info racoon: INFO: fe80::250:b6ff:fe0d:66e1%eth1[500] used as isakmp port (fd=20)
Apr 25 09:08:57 telem-gwm daemon.info racoon: INFO: fe80::250:b6ff:fe0d:66e1%eth1[4500] used as isakmp port (fd=21)
Apr 25 09:08:57 telem-gwm daemon.info racoon: INFO: fe80::250:b6ff:fe0d:66e6%eth2[500] used as isakmp port (fd=22)
Apr 25 09:08:57 telem-gwm daemon.info racoon: INFO: fe80::250:b6ff:fe0d:66e6%eth2[4500] used as isakmp port (fd=23)
Apr 25 09:28:38 telem-gwm daemon.info racoon: INFO: respond new phase 1 negotiation: 10.0.0.111[500]<=>10.0.0.86[500]
Apr 25 09:28:38 telem-gwm daemon.info racoon: INFO: begin Identity Protection mode.
Apr 25 09:28:38 telem-gwm daemon.info racoon: INFO: received Vendor ID: RFC 3947
Apr 25 09:28:38 telem-gwm daemon.info racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Apr 25 09:28:38 telem-gwm daemon.info racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Apr 25 09:28:38 telem-gwm daemon.info racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-00
Apr 25 09:28:38 telem-gwm daemon.info racoon: INFO: received broken Microsoft ID: FRAGMENTATION
Apr 25 09:28:38 telem-gwm daemon.info racoon: INFO: received Vendor ID: DPD
Apr 25 09:28:38 telem-gwm daemon.info racoon: [10.0.0.86] INFO: Selected NAT-T version: RFC 3947
Apr 25 09:28:38 telem-gwm daemon.info racoon: [10.0.0.111] INFO: Hashing 10.0.0.111[500] with algo #2
Apr 25 09:28:38 telem-gwm daemon.info racoon: INFO: NAT-D payload #0 verified
Apr 25 09:28:38 telem-gwm daemon.info racoon: [10.0.0.86] INFO: Hashing 10.0.0.86[500] with algo #2
Apr 25 09:28:38 telem-gwm daemon.info racoon: INFO: NAT-D payload #1 verified
Apr 25 09:28:38 telem-gwm daemon.info racoon: INFO: NAT not detected
Apr 25 09:28:38 telem-gwm daemon.info racoon: [10.0.0.86] INFO: Hashing 10.0.0.86[500] with algo #2
Apr 25 09:28:38 telem-gwm daemon.info racoon: [10.0.0.111] INFO: Hashing 10.0.0.111[500] with algo #2
Apr 25 09:28:38 telem-gwm daemon.info racoon: INFO: Adding remote and local NAT-D payloads.
Apr 25 09:28:38 telem-gwm daemon.info racoon: INFO: ISAKMP-SA established 10.0.0.111[500]-10.0.0.86[500] spi:842249519def9f59:ff13cdb628283bc3
Apr 25 09:28:38 telem-gwm daemon.info racoon: [10.0.0.86] INFO: received INITIAL-CONTACT
Apr 25 09:28:39 telem-gwm daemon.info racoon: INFO: respond new phase 2 negotiation: 10.0.0.111[500]<=>10.0.0.86[500]
Apr 25 09:28:39 telem-gwm daemon.info racoon: INFO: IPsec-SA established: ESP/Tunnel 10.0.0.111[500]->10.0.0.86[500] spi=179131318(0xaad53b6)
Apr 25 09:28:39 telem-gwm daemon.info racoon: INFO: IPsec-SA established: ESP/Tunnel 10.0.0.111[500]->10.0.0.86[500] spi=193541716(0xb893654)
Apr 25 10:16:39 telem-gwm daemon.info racoon: INFO: IPsec-SA expired: ESP/Tunnel 10.0.0.86[500]->10.0.0.111[500] spi=179131318(0xaad53b6)
Apr 25 10:16:39 telem-gwm daemon.info racoon: INFO: IPsec-SA expired: ESP/Tunnel 10.0.0.111[500]->10.0.0.86[500] spi=193541716(0xb893654)
</pre>
For troubleshooting use command “tail -f /var/log/messages | grep racoon”. This shows real time racoon messages. Here is the example output:
<pre>
root@telem-gwm /home/martem $ tail -f /var/log/messages | grep racoon
Apr 25 11:04:40 telem-gwm daemon.info racoon: INFO: IPsec-SA expired: ESP/Tunnel 10.0.0.111[500]->10.0.0.86[500] spi=30607459(0x1d30863)
Apr 25 11:16:40 telem-gwm daemon.info racoon: INFO: IPsec-SA expired: ESP/Tunnel 10.0.0.86[500]->10.0.0.111[500] spi=137118544(0x82c4350)
Apr 25 11:16:40 telem-gwm daemon.info racoon: INFO: IPsec-SA expired: ESP/Tunnel 10.0.0.111[500]->10.0.0.86[500] spi=30607459(0x1d30863)
Apr 25 11:22:58 telem-gwm daemon.info racoon: INFO: respond new phase 2 negotiation: 10.0.0.111[500]<=>10.0.0.86[500]
Apr 25 11:22:58 telem-gwm daemon.info racoon: INFO: IPsec-SA established: ESP/Tunnel 10.0.0.111[500]->10.0.0.86[500] spi=165979047(0x9e4a3a7)
Apr 25 11:22:58 telem-gwm daemon.info racoon: INFO: IPsec-SA established: ESP/Tunnel 10.0.0.111[500]->10.0.0.86[500] spi=20748511(0x13c98df)
</pre>

More info about racoon, racoonctl and setkey can be found here [http://ipsec-tools.sourceforge.net/]

=== Remote Access with L2TP/IPSec ===
In order to configure L2TP/IPSec open Common → L2TP, check “LNS Enable” check box and turn on IPSec protection for L2TP by checking the IPSec check box.
[[File:L2TP-IPSec-Default.png|497px|thumb|center|Figure 6: L2TP/IPSec Default Settings]]
[[File:L2TP-IPSec-NonDefault.png|494px|thumb|center|Figure 7: Minimal L2TP/IPSec Settings]]
Figure 6 shows default settings and figure 7 minimal settings. Note the IP column and selection under Users. This is needed in order to limit access with firewall. If IP is not selected then device assigns an IP from pool that starts with “Remote Start IP” and ends with “Remote Stop IP”. As this assignment is dynamic it is not possible to configure firewall by username. This means that users without assigned IP cannot access the TELEM-GWM but can probably access other resources on the local LAN. Needless to say that systems on production networks should not have an account with “Password” pass and “IPSec pre-shared key” pass.

=== Set up Remote Access with L2TP/IPSec in Windows. ===

Got to "Control Panel" -> "Network and Internet" -> "Network and Sharing Center" and open "Set up a new connection or network" under "Change your networking settings"

[[File:Nasc.jpg|629px|thumb|center|]]

In the "Set Up a Connection or Netwrok" window choose "Connect to a workplace" -> "Use my Interent connection (VPN)"

Type GWM's exteranl IP address in the "Internet address" field and click Next

Type in your L2TP user and password and proceed

'''Windows will try to establish a connection rigth away. Click "Skip" for now'''

Go back to "Network and Sharing Center" and open "Change Adapter Settings"

[[File:Nasc_adapter.jpg|629px|thumb|center|]]

Click on VPN connection with the right mouse button and choose "Properties" in the drop-down menu

[[File:Nasc_adapter_VPN.jpg|629px|thumb|center|]]

In the upcoming menu open the "Security" tab and set the "Type of VPN:" to "Layer 2 Tunneling Protocol with IPsec(L2TP/IPSec)"

[[File:VPN_sectab.jpg|300px|thumb|center|]]

Open "Advanced settings" in the same tab. Pick "Use preshared key for authentication" and enter the IPSec pre-shared key in the "Key:" field

[[File:WIN_VPN_secadv.jpg|300px|thumb|center|]]

Click "OK" to save changes and close "Advanced Settings" window. Click "OK" to close the current "VPN Conection Properties" window.
Now the newly created VPN point should be visible in "Network Connections" window

[[File:Network_connections.jpg|thumb|center|]]

=== Known Working Client or Server Software ===
This is the list of know third party software that is compatible with TELEM-GWM.
 
OpenVPN:
* pfSense 2.0.1-RELEASE [http://www.pfsense.org/]
 
IPsec:
* Ubuntu 12.04 LTS with ipsec-tools, with direct configuration not using any of the GUI software. Hint: use gws.exe to get racoon and setkey configurations.
* pfSense 2.0.3-RELEASE [http://www.pfsense.org/]
* Cisco SR520-FE with IOS 12.4(20)T6. A good reference for racoon with third party software can be found here: [http://www.admin-magazine.com/Articles/Cross-Vendor-IPsec]

 
L2TP/IPSec:
* Windows 7
* Mac OS 10.4
* Android 4.1.2 on Nexus 7(Asus tablet), Android 4.0.3 on HTC phone
* Ubuntu 12.04 LTS with ipsec-tools and xl2tpd with direct configuration not using any of the GUI software. Hint: use gws.exe to get racoon, setkey and xl2tpd configurations.

=== Caveats ===
Here is a list of some of the known caveats with different VPN setups.
 
* As OpenVPN uses certificates it is essential that device has correct time. It means that at least NTP client needs to be configured for device that uses OpenVPN. This can be done under Common → Time Settings.
* IPSec is probably only usable with fixed IP addresses. If TELEM-GWM has dynamic IP use OpenVPN or L2TP.
* L2TP works only with one LAC(client) behind network address translation device.
* LNS accounts with fixed IP for LAC are usable only by one instance. If two sessions are established all traffic is sent to only one session.

VPN(Virtual Private Networking)

2019-05-31T10:06:17Z

Igor: /* Site to Site With OpenVPN */

This page is not a tutorial on OpenVPN or on IPsec. It gives general overview of different setups and shows options found from configuration software gws.exe. It is assumed that reader is familiar with TELEM-GWM configuration software gws.exe and understands how to secure the device. Securing the device is described in [[Basic Security]].

=== VPN Setups ===
We have two typical configuration possibilities: site to site and remote access. Site to site is more suited when persistent connectivity is needed. For instance from RTU to Network Control Center(NCC). Remote access is provided for cases when non persistent access is needed or when persistent tunnel is not needed. For example remote management(configuration changes or etc) from different locations with dynamic IP address. Figure 1 illustrates this general concept.
[[Pilt:vpn.png|629px|thumb|center|Figure 1: General Model for VPN Deploiments]]

=== Site to Site With OpenVPN ===

In order to configure site to site VPN with OpenVPN open Common → OpenVPN. From opened dialog box click on Add. “Server address” and “Server port” are the WAN address and UDP port of the server. That means that we support OpenVPN's mode tls-client over UDP. Click on buttons “CA cert”, “Cert” and “Key” in order to select certificates for client. By default routes are pulled from server. This is needed in order the device knows what to send to VPN tunnels and what IP address to use for tunnel interface. “Fragment” 0 means that default setting for OpenVPN is used.
[[File:OpenVPN-Default.png|342px|thumb|center|Figure 2: Default OpenVPN Client Configuration Dialog]]
Figure 2 shows default configuration dialog box. Note that pink fields are mandatory and that default “Server address”, “Local IP” and “Remote IP ” are probably not suitable for your needs. Figure 3 shows production configuration where WAN IP and port and certificates are selected and configured.
[[File:OpenVPN-NonDefault.png|342px|thumb|center|Figure 3: Configuration for interface tun0]]

More info OpenVPN can be found here [http://openvpn.net/index.php/open-source/documentation/howto.html]

=== Site to Site With IPsec ===
In order to configure site to site VPN with IPSec open Common → IPSec and click on Add. From drop down menus select Encryption, Authentication and other parameters for phase 1 and 2 to suit your needs. Parameter Local select which local networks to tunnel over IPSec. “Remote networks” selects “Remote Peers” local networks to tunnel over IPSec. Figure 4 shows default configuration dialog for IPsec and figure 5 setup used in testing.

NB! Remote network & subnet has to match the real remote configuration (LAN network?), otherwise PHASE 2 fails. If you see the following error messages, then this may be the case.
<pre>
ERROR: failed to pre-process ph2 packet (side: 1, status: 1)
ERROR: failed to get sainfo.
</pre>

[[File:IPSec-Default.png|395px|thumb|center|Figure 4: Default IPsec Tunnel Configuration Dialog]]
[[File:IPSec-NonDefault.png|420px|thumb|center|Figure 5: IPSec Minimum Configuration]]

In order to view if tunnel is up issue “setkey -D” or use racoonctl. For instance "racoonctl -l show-sa isakmp" for phase 1 and "racoonctl -l show-sa ipsec" for phase 2. Here is an example output form “setkey -D”, which shows an open tunnel between 10.0.0.111(Telem-GWM) and 10.0.0.86:
<pre>
root@telem-gwm /home/martem $ setkey -D
10.0.0.111 10.0.0.86
esp mode=tunnel spi=30607459(0x01d30863) reqid=16384(0x00004000)
E: blowfish-cbc 72dce7f9 a84cb8bf 8a8d2e68 53779039 781eb0c9
A: hmac-sha1 bc848381 1b957927 615d9700 689dc79e a17ca699
seq=0x00000000 replay=4 flags=0x00000000 state=dying
created: Apr 25 10:16:40 2013 current: Apr 25 11:14:45 2013
diff: 3485(s) hard: 3600(s) soft: 2880(s)
last: hard: 0(s) soft: 0(s)
current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 0 hard: 0 soft: 0
sadb_seq=1 pid=17474 refcnt=0
10.0.0.86 10.0.0.111
esp mode=tunnel spi=137118544(0x082c4350) reqid=16385(0x00004001)
E: blowfish-cbc c322fad3 5d74cfb9 929123fc beafbd64 0975acd6
A: hmac-sha1 2d8bb180 68e67033 be2f2e52 608c4a45 939bde84
seq=0x00000000 replay=4 flags=0x00000000 state=dying
created: Apr 25 10:16:40 2013 current: Apr 25 11:14:45 2013
diff: 3485(s) hard: 3600(s) soft: 2880(s)
last: hard: 0(s) soft: 0(s)
current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 0 hard: 0 soft: 0
sadb_seq=0 pid=17474 refcnt=0
root@telem-gwm /home/martem $
</pre>
Here is the syslog output showing racoon setting this tunnel up:
<pre>
root@telem-gwm /home/martem $ cat /var/log/messages | grep racoon | more
Apr 25 09:08:55 telem-gwm user.notice root: IPSec: racoon needs to be started
Apr 25 09:08:55 telem-gwm user.notice root: IPSec: racoon error, restarting
Apr 25 09:08:55 telem-gwm daemon.info racoon: INFO: @(#)ipsec-tools 0.8.0 (http://ipsec-tools.sourceforge.net)
Apr 25 09:08:55 telem-gwm daemon.info racoon: INFO: @(#)This product linked OpenSSL 1.0.1e 11 Feb 2013 (http://www.openssl.org/)
Apr 25 09:08:55 telem-gwm daemon.info racoon: INFO: Reading configuration from "/etc/racoon/racoon.conf"
Apr 25 09:08:57 telem-gwm daemon.info racoon: INFO: 192.168.2.111[500] used for NAT-T
Apr 25 09:08:57 telem-gwm daemon.info racoon: INFO: 192.168.2.111[500] used as isakmp port (fd=8)
Apr 25 09:08:57 telem-gwm daemon.info racoon: INFO: 192.168.2.111[4500] used for NAT-T
Apr 25 09:08:57 telem-gwm daemon.info racoon: INFO: 192.168.2.111[4500] used as isakmp port (fd=9)
Apr 25 09:08:57 telem-gwm daemon.info racoon: INFO: 10.0.0.111[500] used for NAT-T
Apr 25 09:08:57 telem-gwm daemon.info racoon: INFO: 10.0.0.111[500] used as isakmp port (fd=10)
Apr 25 09:08:57 telem-gwm daemon.info racoon: INFO: 10.0.0.111[4500] used for NAT-T
Apr 25 09:08:57 telem-gwm daemon.info racoon: INFO: 10.0.0.111[4500] used as isakmp port (fd=11)
Apr 25 09:08:57 telem-gwm daemon.info racoon: INFO: 192.168.1.111[500] used for NAT-T
Apr 25 09:08:57 telem-gwm daemon.info racoon: INFO: 192.168.1.111[500] used as isakmp port (fd=12)
Apr 25 09:08:57 telem-gwm daemon.info racoon: INFO: 192.168.1.111[4500] used for NAT-T
Apr 25 09:08:57 telem-gwm daemon.info racoon: INFO: 192.168.1.111[4500] used as isakmp port (fd=13)
Apr 25 09:08:57 telem-gwm daemon.info racoon: INFO: 127.0.0.1[500] used for NAT-T
Apr 25 09:08:57 telem-gwm daemon.info racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=14)
Apr 25 09:08:57 telem-gwm daemon.info racoon: INFO: 127.0.0.1[4500] used for NAT-T
Apr 25 09:08:57 telem-gwm daemon.info racoon: INFO: 127.0.0.1[4500] used as isakmp port (fd=15)
Apr 25 09:08:57 telem-gwm daemon.info racoon: INFO: 127.0.0.0[500] used for NAT-T
Apr 25 09:08:57 telem-gwm daemon.info racoon: INFO: 127.0.0.0[500] used as isakmp port (fd=16)
Apr 25 09:08:57 telem-gwm daemon.info racoon: INFO: 127.0.0.0[4500] used for NAT-T
Apr 25 09:08:57 telem-gwm daemon.info racoon: INFO: 127.0.0.0[4500] used as isakmp port (fd=17)
Apr 25 09:08:57 telem-gwm daemon.info racoon: INFO: fe80::20d:15ff:fe00:af98%eth0[500] used as isakmp port (fd=18)
Apr 25 09:08:57 telem-gwm daemon.info racoon: INFO: fe80::20d:15ff:fe00:af98%eth0[4500] used as isakmp port (fd=19)
Apr 25 09:08:57 telem-gwm daemon.info racoon: INFO: fe80::250:b6ff:fe0d:66e1%eth1[500] used as isakmp port (fd=20)
Apr 25 09:08:57 telem-gwm daemon.info racoon: INFO: fe80::250:b6ff:fe0d:66e1%eth1[4500] used as isakmp port (fd=21)
Apr 25 09:08:57 telem-gwm daemon.info racoon: INFO: fe80::250:b6ff:fe0d:66e6%eth2[500] used as isakmp port (fd=22)
Apr 25 09:08:57 telem-gwm daemon.info racoon: INFO: fe80::250:b6ff:fe0d:66e6%eth2[4500] used as isakmp port (fd=23)
Apr 25 09:28:38 telem-gwm daemon.info racoon: INFO: respond new phase 1 negotiation: 10.0.0.111[500]<=>10.0.0.86[500]
Apr 25 09:28:38 telem-gwm daemon.info racoon: INFO: begin Identity Protection mode.
Apr 25 09:28:38 telem-gwm daemon.info racoon: INFO: received Vendor ID: RFC 3947
Apr 25 09:28:38 telem-gwm daemon.info racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Apr 25 09:28:38 telem-gwm daemon.info racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Apr 25 09:28:38 telem-gwm daemon.info racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-00
Apr 25 09:28:38 telem-gwm daemon.info racoon: INFO: received broken Microsoft ID: FRAGMENTATION
Apr 25 09:28:38 telem-gwm daemon.info racoon: INFO: received Vendor ID: DPD
Apr 25 09:28:38 telem-gwm daemon.info racoon: [10.0.0.86] INFO: Selected NAT-T version: RFC 3947
Apr 25 09:28:38 telem-gwm daemon.info racoon: [10.0.0.111] INFO: Hashing 10.0.0.111[500] with algo #2
Apr 25 09:28:38 telem-gwm daemon.info racoon: INFO: NAT-D payload #0 verified
Apr 25 09:28:38 telem-gwm daemon.info racoon: [10.0.0.86] INFO: Hashing 10.0.0.86[500] with algo #2
Apr 25 09:28:38 telem-gwm daemon.info racoon: INFO: NAT-D payload #1 verified
Apr 25 09:28:38 telem-gwm daemon.info racoon: INFO: NAT not detected
Apr 25 09:28:38 telem-gwm daemon.info racoon: [10.0.0.86] INFO: Hashing 10.0.0.86[500] with algo #2
Apr 25 09:28:38 telem-gwm daemon.info racoon: [10.0.0.111] INFO: Hashing 10.0.0.111[500] with algo #2
Apr 25 09:28:38 telem-gwm daemon.info racoon: INFO: Adding remote and local NAT-D payloads.
Apr 25 09:28:38 telem-gwm daemon.info racoon: INFO: ISAKMP-SA established 10.0.0.111[500]-10.0.0.86[500] spi:842249519def9f59:ff13cdb628283bc3
Apr 25 09:28:38 telem-gwm daemon.info racoon: [10.0.0.86] INFO: received INITIAL-CONTACT
Apr 25 09:28:39 telem-gwm daemon.info racoon: INFO: respond new phase 2 negotiation: 10.0.0.111[500]<=>10.0.0.86[500]
Apr 25 09:28:39 telem-gwm daemon.info racoon: INFO: IPsec-SA established: ESP/Tunnel 10.0.0.111[500]->10.0.0.86[500] spi=179131318(0xaad53b6)
Apr 25 09:28:39 telem-gwm daemon.info racoon: INFO: IPsec-SA established: ESP/Tunnel 10.0.0.111[500]->10.0.0.86[500] spi=193541716(0xb893654)
Apr 25 10:16:39 telem-gwm daemon.info racoon: INFO: IPsec-SA expired: ESP/Tunnel 10.0.0.86[500]->10.0.0.111[500] spi=179131318(0xaad53b6)
Apr 25 10:16:39 telem-gwm daemon.info racoon: INFO: IPsec-SA expired: ESP/Tunnel 10.0.0.111[500]->10.0.0.86[500] spi=193541716(0xb893654)
</pre>
For troubleshooting use command “tail -f /var/log/messages | grep racoon”. This shows real time racoon messages. Here is the example output:
<pre>
root@telem-gwm /home/martem $ tail -f /var/log/messages | grep racoon
Apr 25 11:04:40 telem-gwm daemon.info racoon: INFO: IPsec-SA expired: ESP/Tunnel 10.0.0.111[500]->10.0.0.86[500] spi=30607459(0x1d30863)
Apr 25 11:16:40 telem-gwm daemon.info racoon: INFO: IPsec-SA expired: ESP/Tunnel 10.0.0.86[500]->10.0.0.111[500] spi=137118544(0x82c4350)
Apr 25 11:16:40 telem-gwm daemon.info racoon: INFO: IPsec-SA expired: ESP/Tunnel 10.0.0.111[500]->10.0.0.86[500] spi=30607459(0x1d30863)
Apr 25 11:22:58 telem-gwm daemon.info racoon: INFO: respond new phase 2 negotiation: 10.0.0.111[500]<=>10.0.0.86[500]
Apr 25 11:22:58 telem-gwm daemon.info racoon: INFO: IPsec-SA established: ESP/Tunnel 10.0.0.111[500]->10.0.0.86[500] spi=165979047(0x9e4a3a7)
Apr 25 11:22:58 telem-gwm daemon.info racoon: INFO: IPsec-SA established: ESP/Tunnel 10.0.0.111[500]->10.0.0.86[500] spi=20748511(0x13c98df)
</pre>

More info about racoon, racoonctl and setkey can be found here [http://ipsec-tools.sourceforge.net/]

=== Remote Access with L2TP/IPSec ===
In order to configure L2TP/IPSec open Common → L2TP, check “LNS Enable” check box and turn on IPSec protection for L2TP by checking the IPSec check box.
[[File:L2TP-IPSec-Default.png|497px|thumb|center|Figure 6: L2TP/IPSec Default Settings]]
[[File:L2TP-IPSec-NonDefault.png|494px|thumb|center|Figure 7: Minimal L2TP/IPSec Settings]]
Figure 6 shows default settings and figure 7 minimal settings. Note the IP column and selection under Users. This is needed in order to limit access with firewall. If IP is not selected then device assigns an IP from pool that starts with “Remote Start IP” and ends with “Remote Stop IP”. As this assignment is dynamic it is not possible to configure firewall by username. This means that users without assigned IP cannot access the TELEM-GWM but can probably access other resources on the local LAN. Needless to say that systems on production networks should not have an account with “Password” pass and “IPSec pre-shared key” pass.

=== Set up Remote Access with L2TP/IPSec in Windows. ===

Got to "Control Panel" -> "Network and Internet" -> "Network and Sharing Center" and open "Set up a new connection or network" under "Change your networking settings"

[[File:Nasc.jpg|629px|thumb|center|]]

In the "Set Up a Connection or Netwrok" window choose "Connect to a workplace" -> "Use my Interent connection (VPN)"

Type GWM's exteranl IP address in the "Internet address" field and click Next

Type in your L2TP user and password and proceed

'''Windows will try to establish a connection rigth away. Click "Skip" for now'''

Go back to "Network and Sharing Center" and open "Change Adapter Settings"

[[File:Nasc_adapter.jpg|629px|thumb|center|]]

Click on VPN connection with the right mouse button and choose "Properties" in the drop-down menu

[[File:Nasc_adapter_VPN.jpg|629px|thumb|center|]]

In the upcoming menu open the "Security" tab and set the "Type of VPN:" to "Layer 2 Tunneling Protocol with IPsec(L2TP/IPSec)"

[[File:VPN_sectab.jpg|300px|thumb|center|]]

Open "Advanced settings" in the same tab. Pick "Use preshared key for authentication" and enter the IPSec pre-shared key in the "Key:" field

[[File:WIN_VPN_secadv.jpg|300px|thumb|center|]]

Click "OK" to save changes and close "Advanced Settings" window. Click "OK" to close the current "VPN Conection Properties" window.
Now the newly created VPN point should be visible in "Network Connections" window

[[File:Network_connections.jpg|thumb|center|]]

=== Known Working Client or Server Software ===
This is the list of know third party software that is compatible with TELEM-GWM.
 
OpenVPN:
* pfSense 2.0.1-RELEASE [http://www.pfsense.org/]
 
IPsec:
* Ubuntu 12.04 LTS with ipsec-tools, with direct configuration not using any of the GUI software. Hint: use gws.exe to get racoon and setkey configurations.
* pfSense 2.0.3-RELEASE [http://www.pfsense.org/]
* Cisco SR520-FE with IOS 12.4(20)T6. A good reference for racoon with third party software can be found here: [http://www.admin-magazine.com/Articles/Cross-Vendor-IPsec]

 
L2TP/IPSec:
* Windows 7
* Mac OS 10.4
* Android 4.1.2 on Nexus 7(Asus tablet), Android 4.0.3 on HTC phone
* Ubuntu 12.04 LTS with ipsec-tools and xl2tpd with direct configuration not using any of the GUI software. Hint: use gws.exe to get racoon, setkey and xl2tpd configurations.

=== Caveats ===
Here is a list of some of the known caveats with different VPN setups.
 
* As OpenVPN uses certificates it is essential that device has correct time. It means that at least NTP client needs to be configured for device that uses OpenVPN. This can be done under Common → Time Settings.
* IPSec is probably only usable with fixed IP addresses. If TELEM-GWM has dynamic IP use OpenVPN or L2TP.
* L2TP works only with one LAC(client) behind network address translation device.
* LNS accounts with fixed IP for LAC are usable only by one instance. If two sessions are established all traffic is sent to only one session.

VPN(Virtual Private Networking)

2019-05-31T10:06:02Z

Igor: /* Site to Site With IPsec */

This page is not a tutorial on OpenVPN or on IPsec. It gives general overview of different setups and shows options found from configuration software gws.exe. It is assumed that reader is familiar with TELEM-GWM configuration software gws.exe and understands how to secure the device. Securing the device is described in [[Basic Security]].

=== VPN Setups ===
We have two typical configuration possibilities: site to site and remote access. Site to site is more suited when persistent connectivity is needed. For instance from RTU to Network Control Center(NCC). Remote access is provided for cases when non persistent access is needed or when persistent tunnel is not needed. For example remote management(configuration changes or etc) from different locations with dynamic IP address. Figure 1 illustrates this general concept.
[[Pilt:vpn.png|629px|thumb|center|Figure 1: General Model for VPN Deploiments]]

=== Site to Site With OpenVPN ===

In order to configure site to site VPN with OpenVPN open Common → OpenVPN. From opened dialog box click on Add. “Server address” and “Server port” are the WAN address and UDP port of the server. That means that we support OpenVPN's mode tls-client over UDP. Click on buttons “CA cert”, “Cert” and “Key” in order to select certificates for client. By default routes are pulled from server. This is needed in order the device knows what to send to VPN tunnels and what IP address to use for tunnel interface. “Fragment” 0 means that default setting for OpenVPN is used.
[[Pilt:OpenVPN-Default.png|342px|thumb|center|Figure 2: Default OpenVPN Client Configuration Dialog]]
Figure 2 shows default configuration dialog box. Note that pink fields are mandatory and that default “Server address”, “Local IP” and “Remote IP ” are probably not suitable for your needs. Figure 3 shows production configuration where WAN IP and port and certificates are selected and configured.
[[Pilt:OpenVPN-NonDefault.png|342px|thumb|center|Figure 3: Configuration for interface tun0]]

More info OpenVPN can be found here [http://openvpn.net/index.php/open-source/documentation/howto.html]

=== Site to Site With IPsec ===
In order to configure site to site VPN with IPSec open Common → IPSec and click on Add. From drop down menus select Encryption, Authentication and other parameters for phase 1 and 2 to suit your needs. Parameter Local select which local networks to tunnel over IPSec. “Remote networks” selects “Remote Peers” local networks to tunnel over IPSec. Figure 4 shows default configuration dialog for IPsec and figure 5 setup used in testing.

NB! Remote network & subnet has to match the real remote configuration (LAN network?), otherwise PHASE 2 fails. If you see the following error messages, then this may be the case.
<pre>
ERROR: failed to pre-process ph2 packet (side: 1, status: 1)
ERROR: failed to get sainfo.
</pre>

[[File:IPSec-Default.png|395px|thumb|center|Figure 4: Default IPsec Tunnel Configuration Dialog]]
[[File:IPSec-NonDefault.png|420px|thumb|center|Figure 5: IPSec Minimum Configuration]]

In order to view if tunnel is up issue “setkey -D” or use racoonctl. For instance "racoonctl -l show-sa isakmp" for phase 1 and "racoonctl -l show-sa ipsec" for phase 2. Here is an example output form “setkey -D”, which shows an open tunnel between 10.0.0.111(Telem-GWM) and 10.0.0.86:
<pre>
root@telem-gwm /home/martem $ setkey -D
10.0.0.111 10.0.0.86
esp mode=tunnel spi=30607459(0x01d30863) reqid=16384(0x00004000)
E: blowfish-cbc 72dce7f9 a84cb8bf 8a8d2e68 53779039 781eb0c9
A: hmac-sha1 bc848381 1b957927 615d9700 689dc79e a17ca699
seq=0x00000000 replay=4 flags=0x00000000 state=dying
created: Apr 25 10:16:40 2013 current: Apr 25 11:14:45 2013
diff: 3485(s) hard: 3600(s) soft: 2880(s)
last: hard: 0(s) soft: 0(s)
current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 0 hard: 0 soft: 0
sadb_seq=1 pid=17474 refcnt=0
10.0.0.86 10.0.0.111
esp mode=tunnel spi=137118544(0x082c4350) reqid=16385(0x00004001)
E: blowfish-cbc c322fad3 5d74cfb9 929123fc beafbd64 0975acd6
A: hmac-sha1 2d8bb180 68e67033 be2f2e52 608c4a45 939bde84
seq=0x00000000 replay=4 flags=0x00000000 state=dying
created: Apr 25 10:16:40 2013 current: Apr 25 11:14:45 2013
diff: 3485(s) hard: 3600(s) soft: 2880(s)
last: hard: 0(s) soft: 0(s)
current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 0 hard: 0 soft: 0
sadb_seq=0 pid=17474 refcnt=0
root@telem-gwm /home/martem $
</pre>
Here is the syslog output showing racoon setting this tunnel up:
<pre>
root@telem-gwm /home/martem $ cat /var/log/messages | grep racoon | more
Apr 25 09:08:55 telem-gwm user.notice root: IPSec: racoon needs to be started
Apr 25 09:08:55 telem-gwm user.notice root: IPSec: racoon error, restarting
Apr 25 09:08:55 telem-gwm daemon.info racoon: INFO: @(#)ipsec-tools 0.8.0 (http://ipsec-tools.sourceforge.net)
Apr 25 09:08:55 telem-gwm daemon.info racoon: INFO: @(#)This product linked OpenSSL 1.0.1e 11 Feb 2013 (http://www.openssl.org/)
Apr 25 09:08:55 telem-gwm daemon.info racoon: INFO: Reading configuration from "/etc/racoon/racoon.conf"
Apr 25 09:08:57 telem-gwm daemon.info racoon: INFO: 192.168.2.111[500] used for NAT-T
Apr 25 09:08:57 telem-gwm daemon.info racoon: INFO: 192.168.2.111[500] used as isakmp port (fd=8)
Apr 25 09:08:57 telem-gwm daemon.info racoon: INFO: 192.168.2.111[4500] used for NAT-T
Apr 25 09:08:57 telem-gwm daemon.info racoon: INFO: 192.168.2.111[4500] used as isakmp port (fd=9)
Apr 25 09:08:57 telem-gwm daemon.info racoon: INFO: 10.0.0.111[500] used for NAT-T
Apr 25 09:08:57 telem-gwm daemon.info racoon: INFO: 10.0.0.111[500] used as isakmp port (fd=10)
Apr 25 09:08:57 telem-gwm daemon.info racoon: INFO: 10.0.0.111[4500] used for NAT-T
Apr 25 09:08:57 telem-gwm daemon.info racoon: INFO: 10.0.0.111[4500] used as isakmp port (fd=11)
Apr 25 09:08:57 telem-gwm daemon.info racoon: INFO: 192.168.1.111[500] used for NAT-T
Apr 25 09:08:57 telem-gwm daemon.info racoon: INFO: 192.168.1.111[500] used as isakmp port (fd=12)
Apr 25 09:08:57 telem-gwm daemon.info racoon: INFO: 192.168.1.111[4500] used for NAT-T
Apr 25 09:08:57 telem-gwm daemon.info racoon: INFO: 192.168.1.111[4500] used as isakmp port (fd=13)
Apr 25 09:08:57 telem-gwm daemon.info racoon: INFO: 127.0.0.1[500] used for NAT-T
Apr 25 09:08:57 telem-gwm daemon.info racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=14)
Apr 25 09:08:57 telem-gwm daemon.info racoon: INFO: 127.0.0.1[4500] used for NAT-T
Apr 25 09:08:57 telem-gwm daemon.info racoon: INFO: 127.0.0.1[4500] used as isakmp port (fd=15)
Apr 25 09:08:57 telem-gwm daemon.info racoon: INFO: 127.0.0.0[500] used for NAT-T
Apr 25 09:08:57 telem-gwm daemon.info racoon: INFO: 127.0.0.0[500] used as isakmp port (fd=16)
Apr 25 09:08:57 telem-gwm daemon.info racoon: INFO: 127.0.0.0[4500] used for NAT-T
Apr 25 09:08:57 telem-gwm daemon.info racoon: INFO: 127.0.0.0[4500] used as isakmp port (fd=17)
Apr 25 09:08:57 telem-gwm daemon.info racoon: INFO: fe80::20d:15ff:fe00:af98%eth0[500] used as isakmp port (fd=18)
Apr 25 09:08:57 telem-gwm daemon.info racoon: INFO: fe80::20d:15ff:fe00:af98%eth0[4500] used as isakmp port (fd=19)
Apr 25 09:08:57 telem-gwm daemon.info racoon: INFO: fe80::250:b6ff:fe0d:66e1%eth1[500] used as isakmp port (fd=20)
Apr 25 09:08:57 telem-gwm daemon.info racoon: INFO: fe80::250:b6ff:fe0d:66e1%eth1[4500] used as isakmp port (fd=21)
Apr 25 09:08:57 telem-gwm daemon.info racoon: INFO: fe80::250:b6ff:fe0d:66e6%eth2[500] used as isakmp port (fd=22)
Apr 25 09:08:57 telem-gwm daemon.info racoon: INFO: fe80::250:b6ff:fe0d:66e6%eth2[4500] used as isakmp port (fd=23)
Apr 25 09:28:38 telem-gwm daemon.info racoon: INFO: respond new phase 1 negotiation: 10.0.0.111[500]<=>10.0.0.86[500]
Apr 25 09:28:38 telem-gwm daemon.info racoon: INFO: begin Identity Protection mode.
Apr 25 09:28:38 telem-gwm daemon.info racoon: INFO: received Vendor ID: RFC 3947
Apr 25 09:28:38 telem-gwm daemon.info racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Apr 25 09:28:38 telem-gwm daemon.info racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Apr 25 09:28:38 telem-gwm daemon.info racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-00
Apr 25 09:28:38 telem-gwm daemon.info racoon: INFO: received broken Microsoft ID: FRAGMENTATION
Apr 25 09:28:38 telem-gwm daemon.info racoon: INFO: received Vendor ID: DPD
Apr 25 09:28:38 telem-gwm daemon.info racoon: [10.0.0.86] INFO: Selected NAT-T version: RFC 3947
Apr 25 09:28:38 telem-gwm daemon.info racoon: [10.0.0.111] INFO: Hashing 10.0.0.111[500] with algo #2
Apr 25 09:28:38 telem-gwm daemon.info racoon: INFO: NAT-D payload #0 verified
Apr 25 09:28:38 telem-gwm daemon.info racoon: [10.0.0.86] INFO: Hashing 10.0.0.86[500] with algo #2
Apr 25 09:28:38 telem-gwm daemon.info racoon: INFO: NAT-D payload #1 verified
Apr 25 09:28:38 telem-gwm daemon.info racoon: INFO: NAT not detected
Apr 25 09:28:38 telem-gwm daemon.info racoon: [10.0.0.86] INFO: Hashing 10.0.0.86[500] with algo #2
Apr 25 09:28:38 telem-gwm daemon.info racoon: [10.0.0.111] INFO: Hashing 10.0.0.111[500] with algo #2
Apr 25 09:28:38 telem-gwm daemon.info racoon: INFO: Adding remote and local NAT-D payloads.
Apr 25 09:28:38 telem-gwm daemon.info racoon: INFO: ISAKMP-SA established 10.0.0.111[500]-10.0.0.86[500] spi:842249519def9f59:ff13cdb628283bc3
Apr 25 09:28:38 telem-gwm daemon.info racoon: [10.0.0.86] INFO: received INITIAL-CONTACT
Apr 25 09:28:39 telem-gwm daemon.info racoon: INFO: respond new phase 2 negotiation: 10.0.0.111[500]<=>10.0.0.86[500]
Apr 25 09:28:39 telem-gwm daemon.info racoon: INFO: IPsec-SA established: ESP/Tunnel 10.0.0.111[500]->10.0.0.86[500] spi=179131318(0xaad53b6)
Apr 25 09:28:39 telem-gwm daemon.info racoon: INFO: IPsec-SA established: ESP/Tunnel 10.0.0.111[500]->10.0.0.86[500] spi=193541716(0xb893654)
Apr 25 10:16:39 telem-gwm daemon.info racoon: INFO: IPsec-SA expired: ESP/Tunnel 10.0.0.86[500]->10.0.0.111[500] spi=179131318(0xaad53b6)
Apr 25 10:16:39 telem-gwm daemon.info racoon: INFO: IPsec-SA expired: ESP/Tunnel 10.0.0.111[500]->10.0.0.86[500] spi=193541716(0xb893654)
</pre>
For troubleshooting use command “tail -f /var/log/messages | grep racoon”. This shows real time racoon messages. Here is the example output:
<pre>
root@telem-gwm /home/martem $ tail -f /var/log/messages | grep racoon
Apr 25 11:04:40 telem-gwm daemon.info racoon: INFO: IPsec-SA expired: ESP/Tunnel 10.0.0.111[500]->10.0.0.86[500] spi=30607459(0x1d30863)
Apr 25 11:16:40 telem-gwm daemon.info racoon: INFO: IPsec-SA expired: ESP/Tunnel 10.0.0.86[500]->10.0.0.111[500] spi=137118544(0x82c4350)
Apr 25 11:16:40 telem-gwm daemon.info racoon: INFO: IPsec-SA expired: ESP/Tunnel 10.0.0.111[500]->10.0.0.86[500] spi=30607459(0x1d30863)
Apr 25 11:22:58 telem-gwm daemon.info racoon: INFO: respond new phase 2 negotiation: 10.0.0.111[500]<=>10.0.0.86[500]
Apr 25 11:22:58 telem-gwm daemon.info racoon: INFO: IPsec-SA established: ESP/Tunnel 10.0.0.111[500]->10.0.0.86[500] spi=165979047(0x9e4a3a7)
Apr 25 11:22:58 telem-gwm daemon.info racoon: INFO: IPsec-SA established: ESP/Tunnel 10.0.0.111[500]->10.0.0.86[500] spi=20748511(0x13c98df)
</pre>

More info about racoon, racoonctl and setkey can be found here [http://ipsec-tools.sourceforge.net/]

=== Remote Access with L2TP/IPSec ===
In order to configure L2TP/IPSec open Common → L2TP, check “LNS Enable” check box and turn on IPSec protection for L2TP by checking the IPSec check box.
[[File:L2TP-IPSec-Default.png|497px|thumb|center|Figure 6: L2TP/IPSec Default Settings]]
[[File:L2TP-IPSec-NonDefault.png|494px|thumb|center|Figure 7: Minimal L2TP/IPSec Settings]]
Figure 6 shows default settings and figure 7 minimal settings. Note the IP column and selection under Users. This is needed in order to limit access with firewall. If IP is not selected then device assigns an IP from pool that starts with “Remote Start IP” and ends with “Remote Stop IP”. As this assignment is dynamic it is not possible to configure firewall by username. This means that users without assigned IP cannot access the TELEM-GWM but can probably access other resources on the local LAN. Needless to say that systems on production networks should not have an account with “Password” pass and “IPSec pre-shared key” pass.

=== Set up Remote Access with L2TP/IPSec in Windows. ===

Got to "Control Panel" -> "Network and Internet" -> "Network and Sharing Center" and open "Set up a new connection or network" under "Change your networking settings"

[[File:Nasc.jpg|629px|thumb|center|]]

In the "Set Up a Connection or Netwrok" window choose "Connect to a workplace" -> "Use my Interent connection (VPN)"

Type GWM's exteranl IP address in the "Internet address" field and click Next

Type in your L2TP user and password and proceed

'''Windows will try to establish a connection rigth away. Click "Skip" for now'''

Go back to "Network and Sharing Center" and open "Change Adapter Settings"

[[File:Nasc_adapter.jpg|629px|thumb|center|]]

Click on VPN connection with the right mouse button and choose "Properties" in the drop-down menu

[[File:Nasc_adapter_VPN.jpg|629px|thumb|center|]]

In the upcoming menu open the "Security" tab and set the "Type of VPN:" to "Layer 2 Tunneling Protocol with IPsec(L2TP/IPSec)"

[[File:VPN_sectab.jpg|300px|thumb|center|]]

Open "Advanced settings" in the same tab. Pick "Use preshared key for authentication" and enter the IPSec pre-shared key in the "Key:" field

[[File:WIN_VPN_secadv.jpg|300px|thumb|center|]]

Click "OK" to save changes and close "Advanced Settings" window. Click "OK" to close the current "VPN Conection Properties" window.
Now the newly created VPN point should be visible in "Network Connections" window

[[File:Network_connections.jpg|thumb|center|]]

=== Known Working Client or Server Software ===
This is the list of know third party software that is compatible with TELEM-GWM.
 
OpenVPN:
* pfSense 2.0.1-RELEASE [http://www.pfsense.org/]
 
IPsec:
* Ubuntu 12.04 LTS with ipsec-tools, with direct configuration not using any of the GUI software. Hint: use gws.exe to get racoon and setkey configurations.
* pfSense 2.0.3-RELEASE [http://www.pfsense.org/]
* Cisco SR520-FE with IOS 12.4(20)T6. A good reference for racoon with third party software can be found here: [http://www.admin-magazine.com/Articles/Cross-Vendor-IPsec]

 
L2TP/IPSec:
* Windows 7
* Mac OS 10.4
* Android 4.1.2 on Nexus 7(Asus tablet), Android 4.0.3 on HTC phone
* Ubuntu 12.04 LTS with ipsec-tools and xl2tpd with direct configuration not using any of the GUI software. Hint: use gws.exe to get racoon, setkey and xl2tpd configurations.

=== Caveats ===
Here is a list of some of the known caveats with different VPN setups.
 
* As OpenVPN uses certificates it is essential that device has correct time. It means that at least NTP client needs to be configured for device that uses OpenVPN. This can be done under Common → Time Settings.
* IPSec is probably only usable with fixed IP addresses. If TELEM-GWM has dynamic IP use OpenVPN or L2TP.
* L2TP works only with one LAC(client) behind network address translation device.
* LNS accounts with fixed IP for LAC are usable only by one instance. If two sessions are established all traffic is sent to only one session.

VPN(Virtual Private Networking)

2019-05-31T10:05:47Z

Igor: /* Remote Access with L2TP/IPSec */

This page is not a tutorial on OpenVPN or on IPsec. It gives general overview of different setups and shows options found from configuration software gws.exe. It is assumed that reader is familiar with TELEM-GWM configuration software gws.exe and understands how to secure the device. Securing the device is described in [[Basic Security]].

=== VPN Setups ===
We have two typical configuration possibilities: site to site and remote access. Site to site is more suited when persistent connectivity is needed. For instance from RTU to Network Control Center(NCC). Remote access is provided for cases when non persistent access is needed or when persistent tunnel is not needed. For example remote management(configuration changes or etc) from different locations with dynamic IP address. Figure 1 illustrates this general concept.
[[Pilt:vpn.png|629px|thumb|center|Figure 1: General Model for VPN Deploiments]]

=== Site to Site With OpenVPN ===

In order to configure site to site VPN with OpenVPN open Common → OpenVPN. From opened dialog box click on Add. “Server address” and “Server port” are the WAN address and UDP port of the server. That means that we support OpenVPN's mode tls-client over UDP. Click on buttons “CA cert”, “Cert” and “Key” in order to select certificates for client. By default routes are pulled from server. This is needed in order the device knows what to send to VPN tunnels and what IP address to use for tunnel interface. “Fragment” 0 means that default setting for OpenVPN is used.
[[Pilt:OpenVPN-Default.png|342px|thumb|center|Figure 2: Default OpenVPN Client Configuration Dialog]]
Figure 2 shows default configuration dialog box. Note that pink fields are mandatory and that default “Server address”, “Local IP” and “Remote IP ” are probably not suitable for your needs. Figure 3 shows production configuration where WAN IP and port and certificates are selected and configured.
[[Pilt:OpenVPN-NonDefault.png|342px|thumb|center|Figure 3: Configuration for interface tun0]]

More info OpenVPN can be found here [http://openvpn.net/index.php/open-source/documentation/howto.html]

=== Site to Site With IPsec ===
In order to configure site to site VPN with IPSec open Common → IPSec and click on Add. From drop down menus select Encryption, Authentication and other parameters for phase 1 and 2 to suit your needs. Parameter Local select which local networks to tunnel over IPSec. “Remote networks” selects “Remote Peers” local networks to tunnel over IPSec. Figure 4 shows default configuration dialog for IPsec and figure 5 setup used in testing.

NB! Remote network & subnet has to match the real remote configuration (LAN network?), otherwise PHASE 2 fails. If you see the following error messages, then this may be the case.
<pre>
ERROR: failed to pre-process ph2 packet (side: 1, status: 1)
ERROR: failed to get sainfo.
</pre>

[[Pilt:IPSec-Default.png|395px|thumb|center|Figure 4: Default IPsec Tunnel Configuration Dialog]]
[[Pilt:IPSec-NonDefault.png|420px|thumb|center|Figure 5: IPSec Minimum Configuration]]

In order to view if tunnel is up issue “setkey -D” or use racoonctl. For instance "racoonctl -l show-sa isakmp" for phase 1 and "racoonctl -l show-sa ipsec" for phase 2. Here is an example output form “setkey -D”, which shows an open tunnel between 10.0.0.111(Telem-GWM) and 10.0.0.86:
<pre>
root@telem-gwm /home/martem $ setkey -D
10.0.0.111 10.0.0.86
esp mode=tunnel spi=30607459(0x01d30863) reqid=16384(0x00004000)
E: blowfish-cbc 72dce7f9 a84cb8bf 8a8d2e68 53779039 781eb0c9
A: hmac-sha1 bc848381 1b957927 615d9700 689dc79e a17ca699
seq=0x00000000 replay=4 flags=0x00000000 state=dying
created: Apr 25 10:16:40 2013 current: Apr 25 11:14:45 2013
diff: 3485(s) hard: 3600(s) soft: 2880(s)
last: hard: 0(s) soft: 0(s)
current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 0 hard: 0 soft: 0
sadb_seq=1 pid=17474 refcnt=0
10.0.0.86 10.0.0.111
esp mode=tunnel spi=137118544(0x082c4350) reqid=16385(0x00004001)
E: blowfish-cbc c322fad3 5d74cfb9 929123fc beafbd64 0975acd6
A: hmac-sha1 2d8bb180 68e67033 be2f2e52 608c4a45 939bde84
seq=0x00000000 replay=4 flags=0x00000000 state=dying
created: Apr 25 10:16:40 2013 current: Apr 25 11:14:45 2013
diff: 3485(s) hard: 3600(s) soft: 2880(s)
last: hard: 0(s) soft: 0(s)
current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 0 hard: 0 soft: 0
sadb_seq=0 pid=17474 refcnt=0
root@telem-gwm /home/martem $
</pre>
Here is the syslog output showing racoon setting this tunnel up:
<pre>
root@telem-gwm /home/martem $ cat /var/log/messages | grep racoon | more
Apr 25 09:08:55 telem-gwm user.notice root: IPSec: racoon needs to be started
Apr 25 09:08:55 telem-gwm user.notice root: IPSec: racoon error, restarting
Apr 25 09:08:55 telem-gwm daemon.info racoon: INFO: @(#)ipsec-tools 0.8.0 (http://ipsec-tools.sourceforge.net)
Apr 25 09:08:55 telem-gwm daemon.info racoon: INFO: @(#)This product linked OpenSSL 1.0.1e 11 Feb 2013 (http://www.openssl.org/)
Apr 25 09:08:55 telem-gwm daemon.info racoon: INFO: Reading configuration from "/etc/racoon/racoon.conf"
Apr 25 09:08:57 telem-gwm daemon.info racoon: INFO: 192.168.2.111[500] used for NAT-T
Apr 25 09:08:57 telem-gwm daemon.info racoon: INFO: 192.168.2.111[500] used as isakmp port (fd=8)
Apr 25 09:08:57 telem-gwm daemon.info racoon: INFO: 192.168.2.111[4500] used for NAT-T
Apr 25 09:08:57 telem-gwm daemon.info racoon: INFO: 192.168.2.111[4500] used as isakmp port (fd=9)
Apr 25 09:08:57 telem-gwm daemon.info racoon: INFO: 10.0.0.111[500] used for NAT-T
Apr 25 09:08:57 telem-gwm daemon.info racoon: INFO: 10.0.0.111[500] used as isakmp port (fd=10)
Apr 25 09:08:57 telem-gwm daemon.info racoon: INFO: 10.0.0.111[4500] used for NAT-T
Apr 25 09:08:57 telem-gwm daemon.info racoon: INFO: 10.0.0.111[4500] used as isakmp port (fd=11)
Apr 25 09:08:57 telem-gwm daemon.info racoon: INFO: 192.168.1.111[500] used for NAT-T
Apr 25 09:08:57 telem-gwm daemon.info racoon: INFO: 192.168.1.111[500] used as isakmp port (fd=12)
Apr 25 09:08:57 telem-gwm daemon.info racoon: INFO: 192.168.1.111[4500] used for NAT-T
Apr 25 09:08:57 telem-gwm daemon.info racoon: INFO: 192.168.1.111[4500] used as isakmp port (fd=13)
Apr 25 09:08:57 telem-gwm daemon.info racoon: INFO: 127.0.0.1[500] used for NAT-T
Apr 25 09:08:57 telem-gwm daemon.info racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=14)
Apr 25 09:08:57 telem-gwm daemon.info racoon: INFO: 127.0.0.1[4500] used for NAT-T
Apr 25 09:08:57 telem-gwm daemon.info racoon: INFO: 127.0.0.1[4500] used as isakmp port (fd=15)
Apr 25 09:08:57 telem-gwm daemon.info racoon: INFO: 127.0.0.0[500] used for NAT-T
Apr 25 09:08:57 telem-gwm daemon.info racoon: INFO: 127.0.0.0[500] used as isakmp port (fd=16)
Apr 25 09:08:57 telem-gwm daemon.info racoon: INFO: 127.0.0.0[4500] used for NAT-T
Apr 25 09:08:57 telem-gwm daemon.info racoon: INFO: 127.0.0.0[4500] used as isakmp port (fd=17)
Apr 25 09:08:57 telem-gwm daemon.info racoon: INFO: fe80::20d:15ff:fe00:af98%eth0[500] used as isakmp port (fd=18)
Apr 25 09:08:57 telem-gwm daemon.info racoon: INFO: fe80::20d:15ff:fe00:af98%eth0[4500] used as isakmp port (fd=19)
Apr 25 09:08:57 telem-gwm daemon.info racoon: INFO: fe80::250:b6ff:fe0d:66e1%eth1[500] used as isakmp port (fd=20)
Apr 25 09:08:57 telem-gwm daemon.info racoon: INFO: fe80::250:b6ff:fe0d:66e1%eth1[4500] used as isakmp port (fd=21)
Apr 25 09:08:57 telem-gwm daemon.info racoon: INFO: fe80::250:b6ff:fe0d:66e6%eth2[500] used as isakmp port (fd=22)
Apr 25 09:08:57 telem-gwm daemon.info racoon: INFO: fe80::250:b6ff:fe0d:66e6%eth2[4500] used as isakmp port (fd=23)
Apr 25 09:28:38 telem-gwm daemon.info racoon: INFO: respond new phase 1 negotiation: 10.0.0.111[500]<=>10.0.0.86[500]
Apr 25 09:28:38 telem-gwm daemon.info racoon: INFO: begin Identity Protection mode.
Apr 25 09:28:38 telem-gwm daemon.info racoon: INFO: received Vendor ID: RFC 3947
Apr 25 09:28:38 telem-gwm daemon.info racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Apr 25 09:28:38 telem-gwm daemon.info racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Apr 25 09:28:38 telem-gwm daemon.info racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-00
Apr 25 09:28:38 telem-gwm daemon.info racoon: INFO: received broken Microsoft ID: FRAGMENTATION
Apr 25 09:28:38 telem-gwm daemon.info racoon: INFO: received Vendor ID: DPD
Apr 25 09:28:38 telem-gwm daemon.info racoon: [10.0.0.86] INFO: Selected NAT-T version: RFC 3947
Apr 25 09:28:38 telem-gwm daemon.info racoon: [10.0.0.111] INFO: Hashing 10.0.0.111[500] with algo #2
Apr 25 09:28:38 telem-gwm daemon.info racoon: INFO: NAT-D payload #0 verified
Apr 25 09:28:38 telem-gwm daemon.info racoon: [10.0.0.86] INFO: Hashing 10.0.0.86[500] with algo #2
Apr 25 09:28:38 telem-gwm daemon.info racoon: INFO: NAT-D payload #1 verified
Apr 25 09:28:38 telem-gwm daemon.info racoon: INFO: NAT not detected
Apr 25 09:28:38 telem-gwm daemon.info racoon: [10.0.0.86] INFO: Hashing 10.0.0.86[500] with algo #2
Apr 25 09:28:38 telem-gwm daemon.info racoon: [10.0.0.111] INFO: Hashing 10.0.0.111[500] with algo #2
Apr 25 09:28:38 telem-gwm daemon.info racoon: INFO: Adding remote and local NAT-D payloads.
Apr 25 09:28:38 telem-gwm daemon.info racoon: INFO: ISAKMP-SA established 10.0.0.111[500]-10.0.0.86[500] spi:842249519def9f59:ff13cdb628283bc3
Apr 25 09:28:38 telem-gwm daemon.info racoon: [10.0.0.86] INFO: received INITIAL-CONTACT
Apr 25 09:28:39 telem-gwm daemon.info racoon: INFO: respond new phase 2 negotiation: 10.0.0.111[500]<=>10.0.0.86[500]
Apr 25 09:28:39 telem-gwm daemon.info racoon: INFO: IPsec-SA established: ESP/Tunnel 10.0.0.111[500]->10.0.0.86[500] spi=179131318(0xaad53b6)
Apr 25 09:28:39 telem-gwm daemon.info racoon: INFO: IPsec-SA established: ESP/Tunnel 10.0.0.111[500]->10.0.0.86[500] spi=193541716(0xb893654)
Apr 25 10:16:39 telem-gwm daemon.info racoon: INFO: IPsec-SA expired: ESP/Tunnel 10.0.0.86[500]->10.0.0.111[500] spi=179131318(0xaad53b6)
Apr 25 10:16:39 telem-gwm daemon.info racoon: INFO: IPsec-SA expired: ESP/Tunnel 10.0.0.111[500]->10.0.0.86[500] spi=193541716(0xb893654)
</pre>
For troubleshooting use command “tail -f /var/log/messages | grep racoon”. This shows real time racoon messages. Here is the example output:
<pre>
root@telem-gwm /home/martem $ tail -f /var/log/messages | grep racoon
Apr 25 11:04:40 telem-gwm daemon.info racoon: INFO: IPsec-SA expired: ESP/Tunnel 10.0.0.111[500]->10.0.0.86[500] spi=30607459(0x1d30863)
Apr 25 11:16:40 telem-gwm daemon.info racoon: INFO: IPsec-SA expired: ESP/Tunnel 10.0.0.86[500]->10.0.0.111[500] spi=137118544(0x82c4350)
Apr 25 11:16:40 telem-gwm daemon.info racoon: INFO: IPsec-SA expired: ESP/Tunnel 10.0.0.111[500]->10.0.0.86[500] spi=30607459(0x1d30863)
Apr 25 11:22:58 telem-gwm daemon.info racoon: INFO: respond new phase 2 negotiation: 10.0.0.111[500]<=>10.0.0.86[500]
Apr 25 11:22:58 telem-gwm daemon.info racoon: INFO: IPsec-SA established: ESP/Tunnel 10.0.0.111[500]->10.0.0.86[500] spi=165979047(0x9e4a3a7)
Apr 25 11:22:58 telem-gwm daemon.info racoon: INFO: IPsec-SA established: ESP/Tunnel 10.0.0.111[500]->10.0.0.86[500] spi=20748511(0x13c98df)
</pre>

More info about racoon, racoonctl and setkey can be found here [http://ipsec-tools.sourceforge.net/]

=== Remote Access with L2TP/IPSec ===
In order to configure L2TP/IPSec open Common → L2TP, check “LNS Enable” check box and turn on IPSec protection for L2TP by checking the IPSec check box.
[[File:L2TP-IPSec-Default.png|497px|thumb|center|Figure 6: L2TP/IPSec Default Settings]]
[[File:L2TP-IPSec-NonDefault.png|494px|thumb|center|Figure 7: Minimal L2TP/IPSec Settings]]
Figure 6 shows default settings and figure 7 minimal settings. Note the IP column and selection under Users. This is needed in order to limit access with firewall. If IP is not selected then device assigns an IP from pool that starts with “Remote Start IP” and ends with “Remote Stop IP”. As this assignment is dynamic it is not possible to configure firewall by username. This means that users without assigned IP cannot access the TELEM-GWM but can probably access other resources on the local LAN. Needless to say that systems on production networks should not have an account with “Password” pass and “IPSec pre-shared key” pass.

=== Set up Remote Access with L2TP/IPSec in Windows. ===

Got to "Control Panel" -> "Network and Internet" -> "Network and Sharing Center" and open "Set up a new connection or network" under "Change your networking settings"

[[File:Nasc.jpg|629px|thumb|center|]]

In the "Set Up a Connection or Netwrok" window choose "Connect to a workplace" -> "Use my Interent connection (VPN)"

Type GWM's exteranl IP address in the "Internet address" field and click Next

Type in your L2TP user and password and proceed

'''Windows will try to establish a connection rigth away. Click "Skip" for now'''

Go back to "Network and Sharing Center" and open "Change Adapter Settings"

[[File:Nasc_adapter.jpg|629px|thumb|center|]]

Click on VPN connection with the right mouse button and choose "Properties" in the drop-down menu

[[File:Nasc_adapter_VPN.jpg|629px|thumb|center|]]

In the upcoming menu open the "Security" tab and set the "Type of VPN:" to "Layer 2 Tunneling Protocol with IPsec(L2TP/IPSec)"

[[File:VPN_sectab.jpg|300px|thumb|center|]]

Open "Advanced settings" in the same tab. Pick "Use preshared key for authentication" and enter the IPSec pre-shared key in the "Key:" field

[[File:WIN_VPN_secadv.jpg|300px|thumb|center|]]

Click "OK" to save changes and close "Advanced Settings" window. Click "OK" to close the current "VPN Conection Properties" window.
Now the newly created VPN point should be visible in "Network Connections" window

[[File:Network_connections.jpg|thumb|center|]]

=== Known Working Client or Server Software ===
This is the list of know third party software that is compatible with TELEM-GWM.
 
OpenVPN:
* pfSense 2.0.1-RELEASE [http://www.pfsense.org/]
 
IPsec:
* Ubuntu 12.04 LTS with ipsec-tools, with direct configuration not using any of the GUI software. Hint: use gws.exe to get racoon and setkey configurations.
* pfSense 2.0.3-RELEASE [http://www.pfsense.org/]
* Cisco SR520-FE with IOS 12.4(20)T6. A good reference for racoon with third party software can be found here: [http://www.admin-magazine.com/Articles/Cross-Vendor-IPsec]

 
L2TP/IPSec:
* Windows 7
* Mac OS 10.4
* Android 4.1.2 on Nexus 7(Asus tablet), Android 4.0.3 on HTC phone
* Ubuntu 12.04 LTS with ipsec-tools and xl2tpd with direct configuration not using any of the GUI software. Hint: use gws.exe to get racoon, setkey and xl2tpd configurations.

=== Caveats ===
Here is a list of some of the known caveats with different VPN setups.
 
* As OpenVPN uses certificates it is essential that device has correct time. It means that at least NTP client needs to be configured for device that uses OpenVPN. This can be done under Common → Time Settings.
* IPSec is probably only usable with fixed IP addresses. If TELEM-GWM has dynamic IP use OpenVPN or L2TP.
* L2TP works only with one LAC(client) behind network address translation device.
* LNS accounts with fixed IP for LAC are usable only by one instance. If two sessions are established all traffic is sent to only one session.

VPN(Virtual Private Networking)

2019-05-31T10:05:23Z

Igor: /* Set up Remote Access with L2TP/IPSec in Windows. */

This page is not a tutorial on OpenVPN or on IPsec. It gives general overview of different setups and shows options found from configuration software gws.exe. It is assumed that reader is familiar with TELEM-GWM configuration software gws.exe and understands how to secure the device. Securing the device is described in [[Basic Security]].

=== VPN Setups ===
We have two typical configuration possibilities: site to site and remote access. Site to site is more suited when persistent connectivity is needed. For instance from RTU to Network Control Center(NCC). Remote access is provided for cases when non persistent access is needed or when persistent tunnel is not needed. For example remote management(configuration changes or etc) from different locations with dynamic IP address. Figure 1 illustrates this general concept.
[[Pilt:vpn.png|629px|thumb|center|Figure 1: General Model for VPN Deploiments]]

=== Site to Site With OpenVPN ===

In order to configure site to site VPN with OpenVPN open Common → OpenVPN. From opened dialog box click on Add. “Server address” and “Server port” are the WAN address and UDP port of the server. That means that we support OpenVPN's mode tls-client over UDP. Click on buttons “CA cert”, “Cert” and “Key” in order to select certificates for client. By default routes are pulled from server. This is needed in order the device knows what to send to VPN tunnels and what IP address to use for tunnel interface. “Fragment” 0 means that default setting for OpenVPN is used.
[[Pilt:OpenVPN-Default.png|342px|thumb|center|Figure 2: Default OpenVPN Client Configuration Dialog]]
Figure 2 shows default configuration dialog box. Note that pink fields are mandatory and that default “Server address”, “Local IP” and “Remote IP ” are probably not suitable for your needs. Figure 3 shows production configuration where WAN IP and port and certificates are selected and configured.
[[Pilt:OpenVPN-NonDefault.png|342px|thumb|center|Figure 3: Configuration for interface tun0]]

More info OpenVPN can be found here [http://openvpn.net/index.php/open-source/documentation/howto.html]

=== Site to Site With IPsec ===
In order to configure site to site VPN with IPSec open Common → IPSec and click on Add. From drop down menus select Encryption, Authentication and other parameters for phase 1 and 2 to suit your needs. Parameter Local select which local networks to tunnel over IPSec. “Remote networks” selects “Remote Peers” local networks to tunnel over IPSec. Figure 4 shows default configuration dialog for IPsec and figure 5 setup used in testing.

NB! Remote network & subnet has to match the real remote configuration (LAN network?), otherwise PHASE 2 fails. If you see the following error messages, then this may be the case.
<pre>
ERROR: failed to pre-process ph2 packet (side: 1, status: 1)
ERROR: failed to get sainfo.
</pre>

[[Pilt:IPSec-Default.png|395px|thumb|center|Figure 4: Default IPsec Tunnel Configuration Dialog]]
[[Pilt:IPSec-NonDefault.png|420px|thumb|center|Figure 5: IPSec Minimum Configuration]]

In order to view if tunnel is up issue “setkey -D” or use racoonctl. For instance "racoonctl -l show-sa isakmp" for phase 1 and "racoonctl -l show-sa ipsec" for phase 2. Here is an example output form “setkey -D”, which shows an open tunnel between 10.0.0.111(Telem-GWM) and 10.0.0.86:
<pre>
root@telem-gwm /home/martem $ setkey -D
10.0.0.111 10.0.0.86
esp mode=tunnel spi=30607459(0x01d30863) reqid=16384(0x00004000)
E: blowfish-cbc 72dce7f9 a84cb8bf 8a8d2e68 53779039 781eb0c9
A: hmac-sha1 bc848381 1b957927 615d9700 689dc79e a17ca699
seq=0x00000000 replay=4 flags=0x00000000 state=dying
created: Apr 25 10:16:40 2013 current: Apr 25 11:14:45 2013
diff: 3485(s) hard: 3600(s) soft: 2880(s)
last: hard: 0(s) soft: 0(s)
current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 0 hard: 0 soft: 0
sadb_seq=1 pid=17474 refcnt=0
10.0.0.86 10.0.0.111
esp mode=tunnel spi=137118544(0x082c4350) reqid=16385(0x00004001)
E: blowfish-cbc c322fad3 5d74cfb9 929123fc beafbd64 0975acd6
A: hmac-sha1 2d8bb180 68e67033 be2f2e52 608c4a45 939bde84
seq=0x00000000 replay=4 flags=0x00000000 state=dying
created: Apr 25 10:16:40 2013 current: Apr 25 11:14:45 2013
diff: 3485(s) hard: 3600(s) soft: 2880(s)
last: hard: 0(s) soft: 0(s)
current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 0 hard: 0 soft: 0
sadb_seq=0 pid=17474 refcnt=0
root@telem-gwm /home/martem $
</pre>
Here is the syslog output showing racoon setting this tunnel up:
<pre>
root@telem-gwm /home/martem $ cat /var/log/messages | grep racoon | more
Apr 25 09:08:55 telem-gwm user.notice root: IPSec: racoon needs to be started
Apr 25 09:08:55 telem-gwm user.notice root: IPSec: racoon error, restarting
Apr 25 09:08:55 telem-gwm daemon.info racoon: INFO: @(#)ipsec-tools 0.8.0 (http://ipsec-tools.sourceforge.net)
Apr 25 09:08:55 telem-gwm daemon.info racoon: INFO: @(#)This product linked OpenSSL 1.0.1e 11 Feb 2013 (http://www.openssl.org/)
Apr 25 09:08:55 telem-gwm daemon.info racoon: INFO: Reading configuration from "/etc/racoon/racoon.conf"
Apr 25 09:08:57 telem-gwm daemon.info racoon: INFO: 192.168.2.111[500] used for NAT-T
Apr 25 09:08:57 telem-gwm daemon.info racoon: INFO: 192.168.2.111[500] used as isakmp port (fd=8)
Apr 25 09:08:57 telem-gwm daemon.info racoon: INFO: 192.168.2.111[4500] used for NAT-T
Apr 25 09:08:57 telem-gwm daemon.info racoon: INFO: 192.168.2.111[4500] used as isakmp port (fd=9)
Apr 25 09:08:57 telem-gwm daemon.info racoon: INFO: 10.0.0.111[500] used for NAT-T
Apr 25 09:08:57 telem-gwm daemon.info racoon: INFO: 10.0.0.111[500] used as isakmp port (fd=10)
Apr 25 09:08:57 telem-gwm daemon.info racoon: INFO: 10.0.0.111[4500] used for NAT-T
Apr 25 09:08:57 telem-gwm daemon.info racoon: INFO: 10.0.0.111[4500] used as isakmp port (fd=11)
Apr 25 09:08:57 telem-gwm daemon.info racoon: INFO: 192.168.1.111[500] used for NAT-T
Apr 25 09:08:57 telem-gwm daemon.info racoon: INFO: 192.168.1.111[500] used as isakmp port (fd=12)
Apr 25 09:08:57 telem-gwm daemon.info racoon: INFO: 192.168.1.111[4500] used for NAT-T
Apr 25 09:08:57 telem-gwm daemon.info racoon: INFO: 192.168.1.111[4500] used as isakmp port (fd=13)
Apr 25 09:08:57 telem-gwm daemon.info racoon: INFO: 127.0.0.1[500] used for NAT-T
Apr 25 09:08:57 telem-gwm daemon.info racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=14)
Apr 25 09:08:57 telem-gwm daemon.info racoon: INFO: 127.0.0.1[4500] used for NAT-T
Apr 25 09:08:57 telem-gwm daemon.info racoon: INFO: 127.0.0.1[4500] used as isakmp port (fd=15)
Apr 25 09:08:57 telem-gwm daemon.info racoon: INFO: 127.0.0.0[500] used for NAT-T
Apr 25 09:08:57 telem-gwm daemon.info racoon: INFO: 127.0.0.0[500] used as isakmp port (fd=16)
Apr 25 09:08:57 telem-gwm daemon.info racoon: INFO: 127.0.0.0[4500] used for NAT-T
Apr 25 09:08:57 telem-gwm daemon.info racoon: INFO: 127.0.0.0[4500] used as isakmp port (fd=17)
Apr 25 09:08:57 telem-gwm daemon.info racoon: INFO: fe80::20d:15ff:fe00:af98%eth0[500] used as isakmp port (fd=18)
Apr 25 09:08:57 telem-gwm daemon.info racoon: INFO: fe80::20d:15ff:fe00:af98%eth0[4500] used as isakmp port (fd=19)
Apr 25 09:08:57 telem-gwm daemon.info racoon: INFO: fe80::250:b6ff:fe0d:66e1%eth1[500] used as isakmp port (fd=20)
Apr 25 09:08:57 telem-gwm daemon.info racoon: INFO: fe80::250:b6ff:fe0d:66e1%eth1[4500] used as isakmp port (fd=21)
Apr 25 09:08:57 telem-gwm daemon.info racoon: INFO: fe80::250:b6ff:fe0d:66e6%eth2[500] used as isakmp port (fd=22)
Apr 25 09:08:57 telem-gwm daemon.info racoon: INFO: fe80::250:b6ff:fe0d:66e6%eth2[4500] used as isakmp port (fd=23)
Apr 25 09:28:38 telem-gwm daemon.info racoon: INFO: respond new phase 1 negotiation: 10.0.0.111[500]<=>10.0.0.86[500]
Apr 25 09:28:38 telem-gwm daemon.info racoon: INFO: begin Identity Protection mode.
Apr 25 09:28:38 telem-gwm daemon.info racoon: INFO: received Vendor ID: RFC 3947
Apr 25 09:28:38 telem-gwm daemon.info racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Apr 25 09:28:38 telem-gwm daemon.info racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Apr 25 09:28:38 telem-gwm daemon.info racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-00
Apr 25 09:28:38 telem-gwm daemon.info racoon: INFO: received broken Microsoft ID: FRAGMENTATION
Apr 25 09:28:38 telem-gwm daemon.info racoon: INFO: received Vendor ID: DPD
Apr 25 09:28:38 telem-gwm daemon.info racoon: [10.0.0.86] INFO: Selected NAT-T version: RFC 3947
Apr 25 09:28:38 telem-gwm daemon.info racoon: [10.0.0.111] INFO: Hashing 10.0.0.111[500] with algo #2
Apr 25 09:28:38 telem-gwm daemon.info racoon: INFO: NAT-D payload #0 verified
Apr 25 09:28:38 telem-gwm daemon.info racoon: [10.0.0.86] INFO: Hashing 10.0.0.86[500] with algo #2
Apr 25 09:28:38 telem-gwm daemon.info racoon: INFO: NAT-D payload #1 verified
Apr 25 09:28:38 telem-gwm daemon.info racoon: INFO: NAT not detected
Apr 25 09:28:38 telem-gwm daemon.info racoon: [10.0.0.86] INFO: Hashing 10.0.0.86[500] with algo #2
Apr 25 09:28:38 telem-gwm daemon.info racoon: [10.0.0.111] INFO: Hashing 10.0.0.111[500] with algo #2
Apr 25 09:28:38 telem-gwm daemon.info racoon: INFO: Adding remote and local NAT-D payloads.
Apr 25 09:28:38 telem-gwm daemon.info racoon: INFO: ISAKMP-SA established 10.0.0.111[500]-10.0.0.86[500] spi:842249519def9f59:ff13cdb628283bc3
Apr 25 09:28:38 telem-gwm daemon.info racoon: [10.0.0.86] INFO: received INITIAL-CONTACT
Apr 25 09:28:39 telem-gwm daemon.info racoon: INFO: respond new phase 2 negotiation: 10.0.0.111[500]<=>10.0.0.86[500]
Apr 25 09:28:39 telem-gwm daemon.info racoon: INFO: IPsec-SA established: ESP/Tunnel 10.0.0.111[500]->10.0.0.86[500] spi=179131318(0xaad53b6)
Apr 25 09:28:39 telem-gwm daemon.info racoon: INFO: IPsec-SA established: ESP/Tunnel 10.0.0.111[500]->10.0.0.86[500] spi=193541716(0xb893654)
Apr 25 10:16:39 telem-gwm daemon.info racoon: INFO: IPsec-SA expired: ESP/Tunnel 10.0.0.86[500]->10.0.0.111[500] spi=179131318(0xaad53b6)
Apr 25 10:16:39 telem-gwm daemon.info racoon: INFO: IPsec-SA expired: ESP/Tunnel 10.0.0.111[500]->10.0.0.86[500] spi=193541716(0xb893654)
</pre>
For troubleshooting use command “tail -f /var/log/messages | grep racoon”. This shows real time racoon messages. Here is the example output:
<pre>
root@telem-gwm /home/martem $ tail -f /var/log/messages | grep racoon
Apr 25 11:04:40 telem-gwm daemon.info racoon: INFO: IPsec-SA expired: ESP/Tunnel 10.0.0.111[500]->10.0.0.86[500] spi=30607459(0x1d30863)
Apr 25 11:16:40 telem-gwm daemon.info racoon: INFO: IPsec-SA expired: ESP/Tunnel 10.0.0.86[500]->10.0.0.111[500] spi=137118544(0x82c4350)
Apr 25 11:16:40 telem-gwm daemon.info racoon: INFO: IPsec-SA expired: ESP/Tunnel 10.0.0.111[500]->10.0.0.86[500] spi=30607459(0x1d30863)
Apr 25 11:22:58 telem-gwm daemon.info racoon: INFO: respond new phase 2 negotiation: 10.0.0.111[500]<=>10.0.0.86[500]
Apr 25 11:22:58 telem-gwm daemon.info racoon: INFO: IPsec-SA established: ESP/Tunnel 10.0.0.111[500]->10.0.0.86[500] spi=165979047(0x9e4a3a7)
Apr 25 11:22:58 telem-gwm daemon.info racoon: INFO: IPsec-SA established: ESP/Tunnel 10.0.0.111[500]->10.0.0.86[500] spi=20748511(0x13c98df)
</pre>

More info about racoon, racoonctl and setkey can be found here [http://ipsec-tools.sourceforge.net/]

=== Remote Access with L2TP/IPSec ===
In order to configure L2TP/IPSec open Common → L2TP, check “LNS Enable” check box and turn on IPSec protection for L2TP by checking the IPSec check box.
[[Pilt:L2TP-IPSec-Default.png|497px|thumb|center|Figure 6: L2TP/IPSec Default Settings]]
[[Pilt:L2TP-IPSec-NonDefault.png|494px|thumb|center|Figure 7: Minimal L2TP/IPSec Settings]]
Figure 6 shows default settings and figure 7 minimal settings. Note the IP column and selection under Users. This is needed in order to limit access with firewall. If IP is not selected then device assigns an IP from pool that starts with “Remote Start IP” and ends with “Remote Stop IP”. As this assignment is dynamic it is not possible to configure firewall by username. This means that users without assigned IP cannot access the TELEM-GWM but can probably access other resources on the local LAN. Needless to say that systems on production networks should not have an account with “Password” pass and “IPSec pre-shared key” pass.

=== Set up Remote Access with L2TP/IPSec in Windows. ===

Got to "Control Panel" -> "Network and Internet" -> "Network and Sharing Center" and open "Set up a new connection or network" under "Change your networking settings"

[[File:Nasc.jpg|629px|thumb|center|]]

In the "Set Up a Connection or Netwrok" window choose "Connect to a workplace" -> "Use my Interent connection (VPN)"

Type GWM's exteranl IP address in the "Internet address" field and click Next

Type in your L2TP user and password and proceed

'''Windows will try to establish a connection rigth away. Click "Skip" for now'''

Go back to "Network and Sharing Center" and open "Change Adapter Settings"

[[File:Nasc_adapter.jpg|629px|thumb|center|]]

Click on VPN connection with the right mouse button and choose "Properties" in the drop-down menu

[[File:Nasc_adapter_VPN.jpg|629px|thumb|center|]]

In the upcoming menu open the "Security" tab and set the "Type of VPN:" to "Layer 2 Tunneling Protocol with IPsec(L2TP/IPSec)"

[[File:VPN_sectab.jpg|300px|thumb|center|]]

Open "Advanced settings" in the same tab. Pick "Use preshared key for authentication" and enter the IPSec pre-shared key in the "Key:" field

[[File:WIN_VPN_secadv.jpg|300px|thumb|center|]]

Click "OK" to save changes and close "Advanced Settings" window. Click "OK" to close the current "VPN Conection Properties" window.
Now the newly created VPN point should be visible in "Network Connections" window

[[File:Network_connections.jpg|thumb|center|]]

=== Known Working Client or Server Software ===
This is the list of know third party software that is compatible with TELEM-GWM.
 
OpenVPN:
* pfSense 2.0.1-RELEASE [http://www.pfsense.org/]
 
IPsec:
* Ubuntu 12.04 LTS with ipsec-tools, with direct configuration not using any of the GUI software. Hint: use gws.exe to get racoon and setkey configurations.
* pfSense 2.0.3-RELEASE [http://www.pfsense.org/]
* Cisco SR520-FE with IOS 12.4(20)T6. A good reference for racoon with third party software can be found here: [http://www.admin-magazine.com/Articles/Cross-Vendor-IPsec]

 
L2TP/IPSec:
* Windows 7
* Mac OS 10.4
* Android 4.1.2 on Nexus 7(Asus tablet), Android 4.0.3 on HTC phone
* Ubuntu 12.04 LTS with ipsec-tools and xl2tpd with direct configuration not using any of the GUI software. Hint: use gws.exe to get racoon, setkey and xl2tpd configurations.

=== Caveats ===
Here is a list of some of the known caveats with different VPN setups.
 
* As OpenVPN uses certificates it is essential that device has correct time. It means that at least NTP client needs to be configured for device that uses OpenVPN. This can be done under Common → Time Settings.
* IPSec is probably only usable with fixed IP addresses. If TELEM-GWM has dynamic IP use OpenVPN or L2TP.
* L2TP works only with one LAC(client) behind network address translation device.
* LNS accounts with fixed IP for LAC are usable only by one instance. If two sessions are established all traffic is sent to only one session.

Kontakt

2019-02-13T13:40:44Z

Igor:

{| border="1" cellpadding="5" class="sortable"
|+ Telefoni numbrid, e-mailid
! Nimi !! class="unsortable" | Telefon !! class="unsortable" | e-mail !! Amet !! Märkmed
|-
| Peter Nobel || +372 5119694 || [mailto:peter@martem.ee töö]
|-
| Jaan Eilart || +372 55654090 || [mailto:jaan.eilart@martem.ee töö]
|-
| Talvi Mäeunt || +372 6397979 || [mailto:martem@martem.ee töö]
|-
| Ülo Proode || +372 55691543 || [mailto:ylo@martem.ee töö] [mailto:ylo.proode@mail.ee isiklik]
|-
| Janek Sarjas || +372 53446127 || [mailto:janek@martem.ee töö]
|-
| Alfred Liin || +372 56959795 || [mailto:alfred.liin@martem.ee töö]
|-
| Harri Trampärk || +372 5083780 || [mailto:harri@martem.ee töö]
|-
| Mark Tomm || +372 58426909 || [mailto:mark.tomm@martem.ee töö]
|-
| Kermo Basov || +372 56925894 || [mailto:kermo.basov@martem.ee töö]
|-
| Igor Nehoroshev || +375 58310622 || [mailto:igor.nehoroshev@martem.ee töö]
|-
| Aleksandr Koskin || +372 58131851 || [mailto:aleksandr.koskin@martem.ee töö]
|-
| Hannes Metsalu || +372 59816818 || [mailto:hannes.metsalu@martem.ee töö]
|-
| Robert Putnik || +372 56095670 || [mailto:robert.putnik@martem.ee töö]
|-
| Kristjan Kruuser || +372 56902884 || [mailto:kristjan.kruuser@martem.ee töö]
|}

<!-- Uue rea lisamiseks tabelisse kopeeri ja muuda järgnevad 2 rida.
|-
| Sinu nimi || telefoni number || [mailto:sinumeiliaadress@martem.ee kirjeldus-töö/kodu/vms]
--!>

Kontakt

2019-02-13T13:35:11Z

Igor:

{| border="1" cellpadding="5" class="sortable"
|+ Telefoni numbrid, e-mailid
! Nimi !! class="unsortable" | Telefon !! class="unsortable" | e-mail !! Amet !! Märkmed
|-
| Peter Nobel || +372 5119694 || [mailto:peter@martem.ee töö]
|-
| Ülo Proode || +372 55691543 || [mailto:ylo@martem.ee töö] [mailto:ylo.proode@mail.ee isiklik]
|-
| Janek Sarjas || +372 53446127 || [mailto:janek@martem.ee töö]
|-
| Alfred Liin || +372 56959795 || [mailto:alfred.liin@martem.ee töö]
|-
| Harri Trampärk || +372 5083780 || [mailto:harri@martem.ee töö]
|-
| Mark Tomm || +372 58426909 || [mailto:mark.tomm@martem.ee töö]
|-
| Kermo Basov || +372 56925894 || [mailto:kermo.basov@martem.ee töö]
|-
| Igor Nehoroshev || +375 58310622 || [mailto:igor.nehoroshev@martem.ee töö]
|-
| Aleksandr Koskin || +372 58131851 || [mailto:aleksandr.koskin@martem.ee töö]
|-
| Hannes Metsalu || +372 59816818 || [mailto:hannes.metsalu@martem.ee töö]
|-
| Robert Putnik || +372 56095670 || [mailto:robert.putnik@martem.ee töö]
|-
| Kristjan Kruuser || +372 56902884 || [mailto:kristjan.kruuser@martem.ee töö]
|}

<!-- Uue rea lisamiseks tabelisse kopeeri ja muuda järgnevad 2 rida.
|-
| Sinu nimi || telefoni number || [mailto:sinumeiliaadress@martem.ee kirjeldus-töö/kodu/vms]
--!>

Kontakt

2018-12-07T15:33:10Z

Igor: Remove data of person who no longer works at Martem

{| border="1" cellpadding="5" class="sortable"
|+ Telefoni numbrid, e-mailid
! Nimi !! class="unsortable" | Telefon !! class="unsortable" | e-mail !! Amet !! Märkmed
|-
| Peter Nobel || +372 5119694 || [mailto:peter@martem.ee töö]
|-
| Ülo Proode || +372 55691543 || [mailto:ylo@martem.ee töö] [mailto:ylo.proode@mail.ee isiklik]
|-
| Aldur Järvalt || +372 5077430 || [mailto:aldur.jarvalt@martem.ee töö]
|-
| Janek Sarjas || +372 53446127 || [mailto:janek@martem.ee töö]
|-
| Alfred Liin || +372 56959795 || [mailto:alfred.liin@martem.ee töö]
|-
| Harri Trampärk || +372 5083780 || [mailto:harri@martem.ee töö]
|-
| Mark Tomm || +372 58426909 || [mailto:mark.tomm@martem.ee töö]
|-
| Kermo Basov || +372 56925894 || [mailto:kermo.basov@martem.ee töö]
|-
| Igor Nehoroshev || +375 58310622 || [mailto:igor.nehoroshev@martem.ee töö]
|-
| Aleksandr Koskin || +372 58131851 || [mailto:aleksandr.koskin@martem.ee töö]
|}

<!-- Uue rea lisamiseks tabelisse kopeeri ja muuda järgnevad 2 rida.
|-
| Sinu nimi || telefoni number || [mailto:sinumeiliaadress@martem.ee kirjeldus-töö/kodu/vms]
--!>

Kontakt

2018-09-19T13:56:23Z

Igor:

{| border="1" cellpadding="5" class="sortable"
|+ Telefoni numbrid, e-mailid
! Nimi !! class="unsortable" | Telefon !! class="unsortable" | e-mail !! Amet !! Märkmed
|-
| Peter Nobel || +372 5119694 || [mailto:peter@martem.ee töö]
|-
| Ülo Proode || +372 55691543 || [mailto:ylo@martem.ee töö] [mailto:ylo.proode@mail.ee isiklik]
|-
| Aldur Järvalt || +372 5077430 || [mailto:aldur.jarvalt@martem.ee töö]
|-
| Janek Sarjas || +372 53446127 || [mailto:janek@martem.ee töö]
|-
| Alfred Liin || +372 56959795 || [mailto:alfred.liin@martem.ee töö]
|-
| Harri Trampärk || +372 5083780 || [mailto:harri@martem.ee töö]
|-
| Andrus Kaljumäe || +372 56213684 || [mailto:andrus.kaljumae@martem.ee töö]
|-
| Mark Tomm || +372 58426909 || [mailto:mark.tomm@martem.ee töö]
|-
| Kermo Basov || +372 56925894 || [mailto:kermo.basov@martem.ee töö]
|-
| Igor Nehoroshev || +375 58310622 || [mailto:igor.nehoroshev@martem.ee töö]
|-
| Aleksandr Koskin || +372 58131851 || [mailto:aleksandr.koskin@martem.ee töö]
|}

<!-- Uue rea lisamiseks tabelisse kopeeri ja muuda järgnevad 2 rida.
|-
| Sinu nimi || telefoni number || [mailto:sinumeiliaadress@martem.ee kirjeldus-töö/kodu/vms]
--!>

Kontakt

2018-09-19T13:56:09Z

Igor:

{| border="1" cellpadding="5" class="sortable"
|+ Telefoni numbrid, e-mailid
! Nimi !! class="unsortable" | Telefon !! class="unsortable" | e-mail !! Amet !! Märkmed
|-
| Peter Nobel || +372 5119694 || [mailto:peter@martem.ee töö]
|-
| Ülo Proode || +372 55691543 || [mailto:ylo@martem.ee töö] [mailto:ylo.proode@mail.ee isiklik]
|-
| Aldur Järvalt || +372 5077430 || [mailto:aldur.jarvalt@martem.ee töö]
|-
| Janek Sarjas || +372 53446127 || [mailto:janek@martem.ee töö]
|-
| Alfred Liin || +372 56959795 || [mailto:alfred.liin@martem.ee töö]
|-
| Harri Trampärk || +372 5083780 || [mailto:harri@martem.ee töö]
|-
| Andrus Kaljumäe || +372 56213684 || [mailto:andrus.kaljumae@martem.ee töö]
|-
| Mark Tomm || +372 58426909 || [mailto:mark.tomm@martem.ee töö]
|-
| Kermo Basov || +372 56925894 || [mailto:kermo.basov@martem.ee töö]
|-
| Igor Nehoroshev || +375 58310622 || [mailto:igor.nehoroshev@martem.ee töö]
|-
| Priit Reinmets || +375 5115209 || [mailto:priit.reinmets@martem.ee töö]
|-
| Aleksandr Koskin || +372 58131851 || [mailto:aleksandr.koskin@martem.ee töö]
|}

<!-- Uue rea lisamiseks tabelisse kopeeri ja muuda järgnevad 2 rida.
|-
| Sinu nimi || telefoni number || [mailto:sinumeiliaadress@martem.ee kirjeldus-töö/kodu/vms]
--!>