Moxa EDR-810-VPN-2GSFP [122/139] Overview

Moxa EDR-810-2GSFP [122/139] Overview
Industrial Secure Router User's Manual Virtual Private Network (VPN)
Overview
This section describes how to use the Industrial Secure Router to build a secure remote automation network with the VPN (Virtual Private Network) feature. A VPN provides a highly cost-effective way to establish secure tunnels, so that data can be exchanged in a secure manner.
There are two common applications for secure remote communication in an industrial automation network:
IPSec (Internet Protocol Security) VPN for LAN-to-LAN security: Data communication only in a pre-defined IP range between two different LANs.
L2TP (Layer 2 Tunnel Protocol) VPN for remote roaming users: Secure data communication for remote roaming users with dynamic IP addresses. L2TP is a popular choice for remote roaming users because the L2TP VPN protocol is already built into the Microsoft Windows operating system.
IPSec uses the IKE (Internet Key Exchange) protocol for authentication and key exchange, and provides a way for the VPN gateway data to be protected by different encryption methods.
IKE negotiates the IPSec connection between two VPN gateways in two phases:
Key Exchange (IPSec Phase 1): The two VPN gateways negotiate how IKE should be protected. Phase 1 also authenticates the two VPN gateways by a matching Pre-Shared Key or X.509 certificate.
Data Exchange (IPSec Phase 2): The VPN gateways negotiate the additional IPSec connection details, which include the data encryption algorithm.
IPSec Configuration
IPSec configuration includes 5 parts:
Global Setting: Enable or disable all IPSec tunnels and the NAT-Traversal function
Tunnel Setting: Set up the VPN connection type and VPN network plan
Key Exchange: Authentication for the 2 VPN gateways
Data Exchange: Data encryption between the VPN gateways
Dead Peer Detection: The mechanism for VPN tunnel maintenance
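The following added example is not part of the Moxa manual or the router's firmware. It audits a planned tunnel against the parts listed above before the values are entered on the device. The dictionary keys, the weak-algorithm sets and the minimum key length are assumptions of this example, and Global Setting is left out because it is only an on/off switch.

```python
import ipaddress

# Audit policy assumed by this example: algorithms widely deprecated for IKE/IPsec.
WEAK_ENC = {"DES", "3DES"}
WEAK_HASH = {"MD5"}
WEAK_DH = {1, 2, 5}
MIN_PSK_LEN = 20  # assumed minimum pre-shared key length

def audit_tunnel(cfg):
    """Return (part, finding) tuples for one tunnel; all keys are hypothetical."""
    out = []
    # Tunnel Setting: LAN-to-LAN traffic should stay in pre-defined ranges.
    for side in ("local_subnet", "remote_subnet"):
        net = ipaddress.ip_network(cfg["tunnel"][side], strict=False)
        if net.prefixlen == 0:
            out.append(("tunnel", side + " matches every address"))
    # Key Exchange (Phase 1): gateway authentication and DH group.
    p1 = cfg["key_exchange"]
    if p1["auth"] == "psk" and len(p1.get("psk", "")) < MIN_PSK_LEN:
        out.append(("key_exchange", "pre-shared key shorter than policy minimum"))
    if p1["dh_group"] in WEAK_DH:
        out.append(("key_exchange", "weak DH group %d" % p1["dh_group"]))
    # Both phases negotiate an encryption and a hash algorithm.
    for part in ("key_exchange", "data_exchange"):
        if cfg[part]["encryption"] in WEAK_ENC:
            out.append((part, "weak encryption " + cfg[part]["encryption"]))
        if cfg[part]["hash"] in WEAK_HASH:
            out.append((part, "weak hash " + cfg[part]["hash"]))
    if not cfg["dpd"]["enabled"]:  # Dead Peer Detection maintains the tunnel
        out.append(("dpd", "dead peer detection is disabled"))
    return out

# Constructed sample configurations (not taken from a real device).
WEAK = {
    "tunnel": {"local_subnet": "0.0.0.0/0", "remote_subnet": "10.10.0.0/24"},
    "key_exchange": {"auth": "psk", "psk": "changeme", "encryption": "DES",
                     "hash": "MD5", "dh_group": 2},
    "data_exchange": {"encryption": "3DES", "hash": "MD5"},
    "dpd": {"enabled": False},
}
HARDENED = {
    "tunnel": {"local_subnet": "192.168.127.0/24", "remote_subnet": "10.10.0.0/24"},
    "key_exchange": {"auth": "x509", "encryption": "AES-256", "hash": "SHA-256",
                     "dh_group": 14},
    "data_exchange": {"encryption": "AES-256", "hash": "SHA-256"},
    "dpd": {"enabled": True},
}

if __name__ == "__main__":
    print(audit_tunnel(WEAK), audit_tunnel(HARDENED))
```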
