
SPRECON-E SECURITY EDITOR

USER MANUAL

94.2.912.45 en
Issue B
Version v2.0 SP0
11.04.2018
Build: 4/4/2019;5:35 PM
© Sprecher Automation GmbH 2018. Sprecher Automation, SPRECON®, the Sprecher Automation logo and any alternative version thereof are trademarks and service marks of Sprecher Automation. Other names mentioned, registered or not, are the property of their respective companies. The reproduction, transmission or use of this document or its contents is not permitted without express written authority. Offenders will be liable for damages. All rights, including rights created by patent grant or registration of a utility model or design, are reserved.
Chapter Preface

PREFACE
Purpose of this document
This user manual describes the handling of the SPRECON-E Security Editor.

Applicability
This manual applies exclusively to the SPRECON-E Security Editor.

Target Audience
Personnel concerned with planning, adjustment, checking, commissioning and service of substation and remote control facilities.

Exclusion of Liability
The documentation contains instructions for installation, commissioning and operation of devices of the SPRECON-E series. However, the manual cannot cover all conceivable circumstances or include detailed information on all topics. In the event of questions or specific problems, do not take any action without proper authorization. Contact Sprecher Automation GmbH and request the necessary information.
Any agreements, commitments, and legal relationships and any obligations on the part of Sprecher Automation GmbH, including settlement of warranties, result solely from the applicable purchase contract, which is not affected by the contents of the documentation.
Sprecher Automation GmbH has checked the text of this manual for conformity with the hardware and software described. However, since deviations cannot be ruled out entirely, Sprecher Automation does not accept liability for complete conformity or for any errors or omissions.
The information in this manual is checked periodically, and necessary corrections will be included in future editions. Sprecher Automation appreciates any suggestions for improvement. Please direct them to [email protected].
Sprecher Automation GmbH reserves the right to make technical improvements.

Copyright
© Sprecher Automation GmbH 2018. Sprecher Automation, SPRECON®, the Sprecher Automation logo and any alternative version thereof are trademarks and service marks of Sprecher Automation. Other names mentioned, registered or not, are the property of their respective companies. The reproduction, transmission or use of this document or its contents is not permitted without express written authority. Offenders will be liable for damages. All rights, including rights created by patent grant or registration of a utility model or design, are reserved.

- SPRECON-E Security Editor - - III -


Chapter Contact address

CONTACT ADDRESS

Sprecher Automation GmbH


Customer service
A-4020 Linz / Franckstraße 51

24 hours service hotline


Tel: +43/(0)732/6908-358

Fax: +43/(0)732/6908-278

[email protected]

www.sprecher-automation.com

- IV - 94.2.912.45 en - Issue B
Chapter Contents

CONTENTS
Preface III
Contact address IV
Contents V

1 - General 1
2 - Menu 3
2.1 - File 3
2.2 - Tunnel 3
2.3 - Help 4
3 - Settings 5
3.1 - Overview 5
3.1.1 - Target 5
3.1.2 - Overview page 6
3.2 - Certificates 7
3.3 - IPsec settings 8
3.3.1 - General IPsec settings 8
3.3.2 - Debug 9
3.4 - Tunnel settings 10
3.4.1 - "Use IP addresses as IDs" 10
3.4.2 - Remote connection 11
3.4.3 - Own connection 12
3.4.4 - IPsec IKE/ESP Settings 13
3.4.5 - Authentication settings 15
3.4.6 - Time/DPD Settings 16
3.4.7 - IPsec Expertmode 17
4 - OpenVPN 19
4.1 - Overview OpenVPN settings 19
4.2 - Tunnel settings 20
4.2.1 - "Use IP addresses as IDs" 20
4.2.2 - "Description" and "Remote IP" 20
4.2.3 - Area "Authentication" 21
4.2.4 - Area "Security" 21
4.2.5 - Area "General Settings" 22
4.2.6 - Configuration example Server – Client 24
5 - Application 27
5.1 - Create and save configuration file 27
5.2 - Integrate configuration (up to vers. 5.77 SP18) 28
5.3 - Integrate configuration (from Vers. 5.77 SP21) 31
5.4 - Process data list 32
5.5 - Analysis via Webserver 33
5.5.1 - IPsec status 34
5.5.2 - OpenVPN status 35



Chapter 1 - General

1 - GENERAL
IPsec is an extension of the Internet Protocol (IP) with encryption and authentication mechanisms. With it, IP packets can be transferred across networks in cryptographically secured form.
The SPRECON-E Security Editor is used to configure the complex IPsec settings conveniently. It generates a compiled ipsec.cfg file that contains the defined parameters. This file can then be loaded to the system together with the process data list.
Figure 1 shows the program interface of the SPRECON-E Security Editor. The menus and the different settings are described in the following chapters.

Figure 1: Program interface



Chapter 2 - Menu

2 - MENU
2.1 - FILE

Figure 2: Menu File

- Open File...
  Opens an already existing IPsec configuration file (ipsec.cfg).
- Save
  Saves the file.
- Save as...
  Saves the file under a specified file name.
- Export as HTML
  Saves a summary of the configuration as an HTML file.
- Exit
  Closes the SPRECON-E Security Editor.

2.2 - TUNNEL

Figure 3: Menu Tunnel

- Add tunnel
  Adds another tab for a further IPsec or OpenVPN tunnel configuration (max. four IPsec and one OpenVPN tunnel configuration possible).
- Delete tunnel
  Deletes the selected tunnel configuration. The last tunnel configuration cannot be deleted; one has to be available at all times.
- Activate IPsec Expertmode
  Deletes the current IPsec configuration and switches to Expertmode.


2.3 - HELP

Figure 4: Menu Help

- Language
  Switches between German and English.
- About
  Shows the version information of the SPRECON-E Security Editor.



Chapter 3 - Settings

3 - SETTINGS
3.1 - OVERVIEW
3.1.1 - Target

Figure 5: Target settings

- Target node host name
  Device name or node name
- Description
  Description of the host name
- Platform
  Specifies the hardware platform of the system. The CPU module in use must be selected here.
- Version
  Specifies the firmware of the system. The version in use must be selected here.

The available range of functions depends on the selected platform and version.


3.1.2 - Overview page

Figure 6: General overview

- Add tunnel (IPsec / OpenVPN)
  For IPsec up to four tunnels can be added, for OpenVPN one tunnel.
- Add certificate
  Adds a new certificate, which is then held in the certificate store. It can be chosen for IPsec or OpenVPN.


3.2 - CERTIFICATES

Figure 7: Certificate settings

- Add certificate...
  Depending on the certificate store, the certificates can be added here: the own certificate, the counterpart certificate, the private key and the CA certificate. The certificate is then available in the tunnel settings.

  Note: Always consider the validity period of the certificates. This also applies to the start date, because a system fresh from production starts with the year 2000.

- Delete certificate
  Depending on the certificate store, the appropriate certificate is deleted.
- View certificate
  Shows the meta information of the certificate.
- Use OCSP
  Activates the Online Certificate Status Protocol, which is used for checking the validity of the certificates. The use of this technique must be clarified beforehand, because it directly affects the communication.
  - OCSP-URL:
    Entry of the URL for the OCSP query
  - CRL verification intervals
    Declaration of how often the check shall be done (in seconds)

Certificate format:
OpenVPN: X.509 certificates in PEM format (ASCII, readable) (file extension e.g. pem, crt, key)
IPsec: X.509 certificates in DER format (binary) or PEM format (file extension e.g. der). The private key must be in PEM format.

In either case the three required files (CA, certificate, key) can be packed into a PKCS#12 archive file (p12) and loaded from there.


3.3 - IPSEC SETTINGS


3.3.1 - General IPsec settings

Figure 8: IPsec settings

- Client Polling
  This option forces the connection to be established. Basically, an IPsec connection is only established when needed. For typical "road warrior" constellations this option is recommended.
- Systime-Fix
  When an IPsec connection is established via certificates, an incorrect system time (year 2000) can cause connection problems while booting.
  With this option enabled, the certificate lifetime check is disabled temporarily while booting. Thereby the connection can be established despite an incorrect system time.
  After the system time has been corrected (e.g. via NTP), a lifetime check is carried out. A time frame can be set for this (default 600 s). If no valid system time is available after this time frame, the connection is cut.

  Note:
  The Systime-Fix option is especially important if the system time is set via external sources (NTP servers) and this NTP communication to the SPRECON is realized through an IPsec tunnel!

- Deactivate certificate lifetime check (local)
  The local lifetime check is disabled permanently.
  To deactivate the certificate lifetime check generally between two connection partners, this option has to be enabled on both sides.


3.3.2 - Debug

Figure 9: Debug settings

- Level:
  There are different levels, which differ in the depth of analysis possible for the user. This setting is not relevant for the operation of IPsec; it is used only for analysis.
  - SILENT
    Almost no analysis; the log file is not filled with too many entries.
  - BASIC
    Very little analysis; the log file is not filled with too many entries.
  - STANDARD
    Good analysis, but the log file is filled with many entries.
  - DEBUGGING
    Detailed analysis, but the log file is filled with many entries.
  - RAWDUMPS
    This log level includes additional raw values for deeper analysis of protocols.
  - SENSITIVE
    This log level includes additional sensitive files in the log and should be handled with care.


3.4 - TUNNEL SETTINGS


In this section all settings for the tunnel configurations are made.

Figure 10: Tunnel settings

- Tunnel name
  The name of the tunnel is set by the system and cannot be changed.
- Description
  Entry of a description text for the tunnel

3.4.1 - "Use IP addresses as IDs"

With this option the behavior of the ID field changes: the ID is then always resolved as an IP address. When using an IP address as ID, the ID has to be forwarded as IP address or as string, depending on the counterpart.


3.4.2 - Remote connection


In this section the counterpart of the IPsec connection is defined. The settings must be equal on both sides. If a parameter (e.g. the tunnel network) is configured wrongly on one side, the connection cannot be established.

Figure 11: Remote connection settings

- Address for IPsec tunnel
  IP address of the VPN gateway of the particular region. This address is not mandatory for pure server operation.
- Use remote certificate ID (1)
  - ID
    The ID of the tunnel, if it is used. When using certificates, the appropriate certificate ID can be selected.
  - Tunnel network (1)
    The IP network address of the particular region must be entered here. Because a connection via the IP network segment has to be possible out to all networks, this parameter has to be defined as 0.0.0.0/0.
    For host IPsec this setting is not necessary.
- Restrict traffic selector to single protocol and port
  Allows the use of connection protocols and ports that differ from the default.
  - Port
    Port of the restricted connection
  - Protocol
    Protocol of the restricted connection

(1) Input mandatory


3.4.3 - Own connection


In this section the own IPsec connection is defined. The settings must be equal on both sides. If a parameter (e.g. the tunnel network) is configured wrongly on one side, the connection cannot be established.

Figure 12: Own connection settings

- Address for IPsec tunnel
  Typically, the tunnel is not bound to a certain network interface. A binding can be forced with this address.
  Note: For IPsec a further network adapter with the name dummy0 is available. It can be used for a dynamic connection into a GPRS network if a static network has to be connected. For IEC104 a static network is mandatory, and it can be realized this way without using the LAN adapter.
- Use own certificate ID (1)
  - ID
    The ID of the tunnel, if it is used. When using certificates, the appropriate certificate ID can be selected.
  - Tunnel network (1)
    The IP network address of the particular region must be entered here. Because a connection via the IP network segment has to be possible out to all networks, this parameter has to be defined as 0.0.0.0/0. For host IPsec this setting is not necessary.
- Restrict traffic selector to single protocol and port
  Allows the use of connection protocols and ports that differ from the default.
  - Port
    Port of the restricted connection
  - Protocol
    Protocol of the restricted connection

(1) Input mandatory


3.4.4 - IPsec IKE/ESP Settings


A connection always consists of cryptographic parameters for the connection establishment and cryptographic parameters for the data exchange. These are set in this section. The more elaborate the cipher method, the more secure the connection.

Figure 13: IKE/ESP settings

- IKE Version
  In this menu the version of the protocol for the security association and for the exchange of authenticated keys has to be chosen. IKEv1 and IKEv2 are supported.
- Enable Aggressive Mode
  This option activates the Aggressive Mode in Phase 1 and should not be used due to security issues.
- Type of IPsec Tunnel
  - Transport
    Typically used for peer-to-peer (host-to-host) communication.
  - Tunnel
    Typically used for tunneling between two networks.
  - Drop
    In this mode the data of the entered tunnel networks is discarded.
  - Passthrough
    In this mode the data of the entered tunnel networks is not processed by IPsec.
- Force encapsulation
  Forces UDP encapsulation of ESP packets, even if no NAT situation has been detected.
- Compress
  User data is compressed (IPComp).


- Key Parameter IKE
  These parameters are used for the connection establishment.
  - Encryption Algorithm
    The information is encrypted with the PSK using the selected block cipher (e.g. AES-256).
  - Integrity Algorithm
    With the PSK, the selected algorithm generates a hash that cannot be reversed. During communication it is computed by both sides and must match.
  - Diffie-Hellman Groups
    A security measure that changes the hash at every query.
- Key Parameter IPsec (ESP)
  These parameters are used for the data exchange.
  - Encryption Algorithm
    The information is encrypted with the PSK using the selected block cipher (e.g. AES-256).
  - Integrity Algorithm
    With the PSK, the selected algorithm generates a hash that cannot be reversed. During communication it is computed by both sides and must match.
  - Diffie-Hellman Groups (PFS)
    A security measure that changes the hash at every query.

Note: It is recommended to use at least AES128, SHA256 and DH5.

Yellow coloured algorithms support legacy systems and are not recommended.


3.4.5 - Authentication settings


These settings contribute to the security of the whole system.

Figure 14: Auth settings

- Certificate
  Trust model in which certificates are accepted/signed manually or automatically.
  - Own
    If certificates were imported, they can be selected here for the respective tunnel.
  - Remote
    If certificates were imported, they can be selected here for the respective tunnel.
- Pre-Shared Key (PSK)
  The authentication is done via a pre-shared key.
- Enable XAuth
  In addition to the PSK, a user name and a password can be defined.
  - User
    User name for XAuth
  - Password
    Password for XAuth


3.4.6 - Time/DPD Settings


The timing parameters control the periodic connection establishment and clearing. In addition, the Dead Peer Detection is defined.

Figure 15: Time/DPD Settings

- IKE Lifetime (s)
  Time after which an established connection phase expires and must be established again.
- Lifetime (s)
  Time after which an established data exchange phase expires and must be established again.
- Margin time (s)
  Time span before the IKE lifetime and the lifetime expire within which the key exchange has to be started.
- Activate DPD
  Activates DPD (Dead Peer Detection). Its use is recommended in order to recognize problems in the communication and to re-establish the tunnel in case of error.
  - DPD Delay (s)
    Time that must elapse since the last telegram received via the IPsec connection until a DPD telegram is sent by the SPRECON.
  - DPD Timeout (s)
    Time that must elapse since the last received DPD query/acknowledgement until the SPRECON assumes that the tunnel is closed (connection loss) and initiates the necessary actions.


3.4.7 - IPsec Expertmode

Table 1: IPsec Expertmode

The IPsec Expertmode is intended for experienced users. It allows loading an own IPsec configuration.
The three configuration files have to be specified exactly, as there is no parameter check.
By clicking on "Download" the chosen file can be saved locally.
If the IPsec Expertmode is deactivated, unsaved files will be deleted.

Note:
For a data point query of an IPsec connection, the connection must be named "ipscon1". Multiple connections have to be numbered consecutively (e.g. "ipscon2").



Chapter 4 - OpenVPN

4 - OPENVPN
4.1 - OVERVIEW OPENVPN SETTINGS

Figure 16: Overview OpenVPN settings


4.2 - TUNNEL SETTINGS


In this section all settings for the tunnel configurations are made.

Figure 17: Tunnel settings

- Tunnel name
  The name of the tunnel is set by the system and cannot be changed.
- Description
  Entry of a description text for the tunnel

4.2.1 - "Use IP addresses as IDs"

With this option the behavior of the ID field changes: the ID is then always resolved as an IP address. When using an IP address as ID, the ID has to be forwarded as IP address or as string, depending on the counterpart.

4.2.2 - "Description" and "Remote IP"

- Description: This field can contain information about the device.
- Remote IP: This field contains the remote IP of the OpenVPN connection.


4.2.3 - Area "Authentication"


- Type
  There are three types of authentication:
  - Certificates
    User certificate, CA certificate and private key must be imported and chosen in the appropriate field.
  - Password
    The authentication is implemented via user name and password. Additionally, a CA certificate has to be imported and set.

    Remark:
    The remote IP (server) must verify the password. For this purpose the server setting must be "--client-cert-not-required" or "--verify-client-cert none" (from OpenVPN 2.4).
    A script performs the check of password and user name. It must be defined at "--auth-user-pass-verify". This method is not as safe as using certificates.
  - Password with certificates
    Authentication is done via user name, password and certificate.
    A script performs the check of password and user name. It must be defined at "--auth-user-pass-verify" (at the server).

4.2.4 - Area "Security"


- Cipher
  Data channel encryption algorithm
- HMAC Authentication
  Authentication algorithm for the data
- TLS-Version min.
  Minimum TLS version that is accepted (default: 1.2)
- TLS-Crypt
  Additionally encrypts the TLS control channel; available in OpenVPN from version 2.4.
  The key file (.key) must be set at server and client.
- Use option "remote-cert-tls server"
  Check of the server certificate; protects from "man-in-the-middle" attacks.
  Requirement is that the server certificate is signed.


- Use custom "TLS-Cipher-List" (optional)
  The use of a custom "TLS-Cipher-List" is possible, which can increase security but requires high expertise. Otherwise its use may cause connection problems!
  The default setting is the "DEFAULT" cipher list of OpenVPN.
  In the "Expertmode" a custom "TLS-Cipher-String" can be set.

Note:
Yellow coloured algorithms (Cipher, HMAC) support legacy systems and are not recommended.

4.2.5 - Area "General Settings"


- Mode
  The OpenVPN service runs in "Client" mode; options pushed by the server are accepted (--pull option).
- Use customised port
  TCP/UDP port number (default: 1194)
- Use data compression
  - lzo: usual compression method, downward compatible
  - lz4: faster compression algorithm, available from OpenVPN 2.4
  - lz4-v2: optimised LZ4 algorithm (recommended)
- Use a TAP device
  - Standard: TUN
  - Dynamic device: a requested TUN device can be defined (tun0 to tun3)
  Note:
  - "TUN devices" tunnel IPv4 or IPv6 (OSI Layer 3).
  - "TAP devices" tunnel Ethernet 802.3 (OSI Layer 2).
- Use a TCP connection
  Standard: UDP (recommended)
- Use adapted Maximum Transmission Unit (MTU)
  - Maximum size of a data packet in bytes that can be sent via the network without fragmentation
  - Standard: 1500
- Fragment Size
  - Maximum internal data packet fragmentation
  - Standard: 1450
- Restrict Tunnel Maximum Segment Size (MSS)
  Restricts the size of TCP packets that run through the OpenVPN tunnel; this option should be used together with "Fragment Size".
  Note:
  Setting for connection problems: "Fragment Size" 1300, MSS enabled


- Keepalive
  - ping-interval: interval at which a ping packet is sent to the counterpart.
  - timeout-restart: triggers a restart if no packet is received within the defined time.
  For detecting connection problems with UDP, a ping interval must be set.
  Values for ping and ping-restart pushed by the server have higher priority than local values.
- Logging
  If a webserver is configured, the logging value can be adapted during operation (only with the appropriate permission). After a restart the value is reset to the configured value.
  - Standard 1; adjustable values:
    - SILENT (0): only reporting of fatal errors
    - DEFAULT (1): primarily reporting of errors
    - BASIC (3): standard information and reporting of errors
    - DEBUG_RW (5): output of read and write packets
    - DEBUG (6): e.g. additional TUN/TAP driver information
    - DEBUG_SENSITIV (7): e.g. encryption keys
    - DEBUG_ALL (11): recommended only for experts
- Nobind
  No binding to local address and port.
- Renegotiate Interval
  Renegotiation of the data channel keys (in seconds)
  Standard: 3600 s
- Float
  Permission for the counterpart to change its IP address and/or port number.
  Useful with DHCP or mobile connections.
- Use Notify on Exit
  A message is sent if the tunnel was restarted or the connection was disrupted.
- Redirect-Gateway (def1)
  Forces outgoing IP data to be routed through the tunnel.
  This can also be set at the server: push "redirect-gateway def1"
  The advantage is that changes can be reverted more easily.
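The following lint is an added example, not part of the SPRECON-E tooling or the manual: it checks an OpenVPN server or client configuration against the points of sections 4.2.3 to 4.2.5 (minimum TLS version, legacy cipher/HMAC, TLS-Crypt, "remote-cert-tls server", password-only authentication, script-security for via-env, compression method). The legacy algorithm sets and both sample configurations are assumptions constructed for this example.

```python
# Algorithms the manual marks yellow (legacy, not recommended) are not named on
# the page; these sets are an assumption based on what OpenVPN itself retired.
# "" covers a missing directive, where OpenVPN's own weak default would apply.
LEGACY_CIPHERS = {"", "NONE", "BF-CBC", "DES-CBC", "DES-EDE3-CBC", "RC2-CBC", "CAST5-CBC"}
LEGACY_HMACS = {"", "NONE", "MD5", "SHA1"}


def parse_config(text):
    """Split an OpenVPN config into (directive, args) pairs; '#' and ';' start comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if line:
            parts = line.split()
            entries.append((parts[0], parts[1:]))
    return entries


def _version(s):
    """'1.2' -> (1, 2); anything unparsable ranks below every real version."""
    try:
        return tuple(int(p) for p in s.split("."))
    except ValueError:
        return (0,)


def lint_openvpn(text, role):
    """Check a config (role 'server' or 'client'); returns a list of (code, message)."""
    cfg = parse_config(text)
    present = {d for d, _ in cfg}
    last = {d: a for d, a in cfg}            # last occurrence of a directive wins
    findings = []

    # 4.2.4: minimum accepted TLS version (the editor's default is 1.2)
    tls_min = last.get("tls-version-min")
    if not tls_min or _version(tls_min[0]) < (1, 2):
        findings.append(("tls-version-min", "set 'tls-version-min 1.2' or higher"))

    # 4.2.4: data-channel cipher and HMAC; yellow/legacy algorithms are not recommended
    cipher = (last.get("cipher") or [""])[0].upper()
    if cipher in LEGACY_CIPHERS:
        findings.append(("legacy-cipher", "cipher %r is legacy or unset; use e.g. AES-256-CBC" % cipher))
    mac = (last.get("auth") or [""])[0].upper()
    if mac in LEGACY_HMACS:
        findings.append(("legacy-hmac", "auth %r is legacy or unset; use e.g. SHA256" % mac))

    # 4.2.4: TLS-Crypt additionally protects the control channel (OpenVPN >= 2.4)
    if "tls-crypt" not in present:
        findings.append(("tls-crypt", "add 'tls-crypt <keyfile>' on server and client"))

    if role == "client":
        # 4.2.4: without 'remote-cert-tls server' a client accepts any peer certificate
        if last.get("remote-cert-tls") != ["server"]:
            findings.append(("remote-cert-tls", "add 'remote-cert-tls server' (man-in-the-middle protection)"))
    else:
        # 4.2.3: password-only authentication is less safe than certificates
        if "client-cert-not-required" in present or last.get("verify-client-cert") == ["none"]:
            findings.append(("password-only", "client certificates not required; password-only auth is less safe"))
        # 4.2.3/4.2.6: via-env hands the password to the script only with script-security 3
        if "via-env" in (last.get("auth-user-pass-verify") or []):
            if int((last.get("script-security") or ["1"])[0]) < 3:
                findings.append(("script-security", "'auth-user-pass-verify ... via-env' requires 'script-security 3'"))

    # 4.2.5: lz4-v2 is the recommended compression method
    if "comp-lzo" in present:
        findings.append(("compression", "comp-lzo is the old LZO method; the manual recommends lz4-v2"))
    elif last.get("compress") and last["compress"][0] != "lz4-v2":
        findings.append(("compression", "compress %s: the manual recommends lz4-v2" % last["compress"][0]))
    return findings


# Constructed sample configs (not taken from the manual). The weak server has the
# commented-out options of the manual's server example switched on.
WEAK_SERVER = """\
port 1194
cipher BF-CBC
auth SHA1
script-security 2
auth-user-pass-verify verify.bat via-env   # password check script
client-cert-not-required                   # password only, no client certificate
comp-lzo
"""

HARDENED_CLIENT = """\
client
remote 203.0.113.10 1194    # constructed documentation address
cipher AES-256-CBC
auth SHA256
tls-version-min 1.2
tls-crypt mystatic.key
remote-cert-tls server
ca ca.crt
cert client.crt
key client.key
"""
```

lint_openvpn(WEAK_SERVER, "server") returns seven findings, one per point above, while lint_openvpn(HARDENED_CLIENT, "client") returns an empty list.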


4.2.6 - Configuration example Server – Client


Server:
#####################################################################
# Sample OpenVPN 2.0 config file for                                #
# multi-client server.                                              #
#                                                                   #
# This file is for the server side                                  #
# of a many-clients <-> one-server OpenVPN configuration.           #
#                                                                   #
# Comments are preceded with '#' or ';'                             #
#####################################################################
port 1194
server 192.168.4.0 255.255.255.0
dev tun
proto udp
fragment 1300
mssfix
keepalive 10 120
max-clients 5
persist-key
persist-tun
# ------------------------------ Certificates ------------------------------ #
dh server_keys\\dh.pem
ca server_keys\\ca.crt
cert server_keys\\ovpn3_server.crt
key server_keys\\ovpn3_server.key
# -------------------------------------------------------------------------- #
script-security 3 # needed for password, auth-user-pass-verify
auth-user-pass-verify verify.bat via-env # verification of the client password via the verify.bat script
# -------------------------------------------------------------------------- #
cipher AES-256-CBC
auth SHA256
tls-version-min 1.2
# -------------------------------------------------------------------------- #
comp-lzo
verb 3
#askpass server_keys\\certPass.pass # used only if the certificate is password-protected
#client-cert-not-required # ignore client cert and key, use only password and ca
#push "redirect-gateway def1" # routes the IP traffic from the client to the server
#tls-crypt mystatic.key

Example:

verify.bat – verification script for Windows (simple example):

@echo off
REM With "auth-user-pass-verify ... via-env" OpenVPN passes the client
REM credentials in the environment variables username and password.
REM Exit code 0 accepts the client, any other exit code rejects it.
IF "%username%" == "User1" IF "%password%" == "User1Pwd!" (
EXIT 0
)
EXIT 1
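As an added example (not the manual's verify.bat), the same auth-user-pass-verify check in via-env mode, written so that the server stores only PBKDF2 hashes of the passwords and compares them in constant time; the credential file format, its path and the CRED_FILE variable are assumptions, and the sample store reuses the manual's example user.

```python
"""auth-user-pass-verify script (via-env mode) with hashed credentials."""
import base64
import hashlib
import hmac
import os
import sys

ITERATIONS = 100_000          # PBKDF2 work factor; raise it on fast hardware
SCHEME = "pbkdf2_sha256"


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return a self-describing hash string: scheme$iterations$salt$digest."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join((SCHEME, str(iterations),
                     base64.b64encode(salt).decode("ascii"),
                     base64.b64encode(digest).decode("ascii")))


def check_password(password, stored):
    """Recompute the hash and compare in constant time; malformed entries fail closed."""
    try:
        scheme, iterations, salt_b64, digest_b64 = stored.split("$")
        if scheme != SCHEME:
            return False
        salt, expected = base64.b64decode(salt_b64), base64.b64decode(digest_b64)
        actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    except (ValueError, TypeError):
        return False
    return hmac.compare_digest(actual, expected)


def load_credentials(text):
    """Parse 'username:hash' lines; blank lines and '#' comments are ignored."""
    creds = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            user, _, stored = line.partition(":")
            creds[user.strip()] = stored.strip()
    return creds


# Constructed sample store using the manual's example user; hashed at import
# time so that the sample always matches ITERATIONS.
SAMPLE_STORE = "# user:hash\nUser1:" + hash_password("User1Pwd!") + "\n"
# Checked for unknown users so that their rejection takes about as long as a
# wrong password (no user enumeration through response timing).
DUMMY_HASH = hash_password("not-a-real-password")


def verify(username, password, creds):
    """True only for a known user whose password matches the stored hash."""
    stored = creds.get(username)
    if stored is None:
        check_password(password, DUMMY_HASH)
        return False
    return check_password(password, stored)


def main():
    # OpenVPN (script-security 3, via-env) passes the client's credentials in
    # the environment variables 'username' and 'password'. CRED_FILE is an
    # assumed variable naming the credential store on the server.
    path = os.environ.get("CRED_FILE", "users.pbkdf2")
    with open(path, encoding="utf-8") as fh:
        creds = load_credentials(fh.read())
    ok = verify(os.environ.get("username", ""), os.environ.get("password", ""), creds)
    sys.exit(0 if ok else 1)     # 0 accepts the client, anything else rejects it


if __name__ == "__main__":
    main()
```

Entries for the credential file are produced with hash_password(), so the clear-text password never has to be stored on the server.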


Adapted client:

Figure 18: Configuration OpenVPN

Notes:
- Certificates can be generated e.g. with the OpenVPN program "EasyRSA".
- A static key for "TLS-Crypt" can be generated with the following command: "openvpn --secret mystatic.key --genkey"



Chapter 5 - Application

5 - APPLICATION
5.1 - CREATE AND SAVE CONFIGURATION FILE
After successful configuration, the parameter file has to be saved to the parameter storage path of the SPRECON-E Engineering Center (example: folder "des" -> folder "S01*"). "S01" stands for the system number used in the project.

Figure 19: Saving the configuration file

The configuration file must always be saved as "ipsec.cfg".


5.2 - INTEGRATE CONFIGURATION (UP TO VERS. 5.77 SP18)


This method applies up to version SPRECON-E Designer 5.77 SP18.
After the IPsec connection has been configured and saved, it must be loaded to the system.
For this, the SPRECON-E Designer has to be started from the SPRECON-E Engineering Center. Regardless of the IPsec connection, both tools are necessary for the system configuration.

Figure 20: Start SPRECON-E Designer

Afterwards the context menu has to be opened by right-clicking the wanted component in the system configuration, and the settings must be opened in the process data list.

Figure 21: Open settings


The "ipsec.cfg" has to be added to the configuration files as follows:

- Open the search dialog
- Select the "ipsec.cfg" and apply with the button "Open"
- Afterwards the "ipsec.cfg" is added to the configuration files. The setting must be applied via the button "OK".


5.3 - INTEGRATE CONFIGURATION (FROM VERS. 5.77 SP21)


This method applies from version SPRECON-E Designer 5.77 SP21.
With these newer SPRECON-E Designer versions the "ipsec.cfg" file has to be added in the system configuration menu (via the yellow flash symbol, see Figure 22). After this a process data list can be generated (see chapter 5.4).

Figure 22: Adding the "ipsec.cfg" file


5.4 - PROCESS DATA LIST


By selecting the component and subsequently clicking the button "Generate Process data list", the process data list of the system is generated.

Figure 23: Generate process data list

Figure 24: Process data list generated

Afterwards it must be loaded into the system via the SPRECON-E Service Program. After successful startup and activation, all configuration actions for operation with IPsec on the SPRECON-E system are finished.

Figure 25: Starting SPRECON-E Service Program

The IPsec configuration file is deleted with the same procedure as it was added. By generating and loading the process data list again without "ipsec.cfg", the IPsec function is deactivated.


5.5 - ANALYSIS VIA WEBSERVER


The webserver is suitable for a clear network analysis via the browser. For this purpose the IP address of the system has to be entered as URL in the browser.

Figure 26: Webserver login

After successful login, the state of the IPsec connection can be found under Network -> IPsec.


5.5.1 - IPsec status


The status of the IPsec connection is shown in the SPRECON-E Webserver:

Figure 27: IPsec status in SPRECON-E Webserver

The following states are possible:

- IPsec function runs and the connection is established.
- IPsec function runs, but not all connections are established.
- IPsec function is disabled.


5.5.2 - OpenVPN status


Analogous to IPsec, the status of the OpenVPN connection is displayed.
The logging value can be adapted during operation (only with the appropriate permission). The value is reset to the configured value at restart.

Tunnel parameters (tun/tap interface, IP address) are shown in "Network / Interfaces".

Figure 28: OpenVPN status display



SPRECON-E Security Editor

94.2.912.45 en
Issue B
Version v2.0 SP0
11.04.2018

HEADQUARTERS
Sprecher Automation GmbH
Franckstraße 51
4020 Linz
Austria
T: +43 732 6908-0
F: +43 732 6908-278
[email protected]

LOCATIONS
AUSTRIA: Sprecher Automation GmbH (Linz, Wien)
POLAND: Sprecher Automation Polska Sp z o.o. (Łódź, Świdnica)
GERMANY: Sprecher Automation Deutschland GmbH (Berlin, Erfurt, Dortmund, München)
SWITZERLAND: Sprecher Automation Schweiz AG (Aarau)
NETHERLANDS: Sprecher Automation Nederland B.V. (Oud Gastel)
SLOVAKIA: Sprecher Automation spol. s r.o. (Bratislava)

© Sprecher Automation GmbH 2018


Sprecher Automation, the Sprecher Automation logo and any alternative version thereof are trademarks and service marks of
Sprecher Automation. Other names mentioned, either registered or not, are the property of their respective companies

Any liability regarding the correctness and completeness of any information and/or specifications in the brochure is excluded. All rights are reserved
to alter specifications, make modifications, or terminate models without prior notice. The specifications of a model may vary from country to country.
