Ipsec association – Rockwell Automation 1756-EN2TSC EtherNet/IP Secure Communication User Manual User Manual

Rockwell Automation Publication ENET-UM003B-EN-P - September 2013

13

Secure Communication Architecture

Chapter 1

As part of establishing the secure tunnel, both endpoints must authenticate with
each other and exchange information to ensure secure data transfer. When
security is enabled, the module is able to connect only with the following:

• Upper level systems and user workstations with Windows 7 operating

systems

• Cisco ASA security appliances
• Other 1756-EN2TSC modules

IPsec Association

Once the IPsec association is established, data between the two endpoints is fully
encrypted (except for produced/consumed tags) or optionally sent unencrypted,
but with a cryptographic message integrity code.

As long as the IPsec traffic is received, the connection is considered alive. Your
VPN connection can recover without having to re-authenticate if you lose your
connection for a very short period of time (few seconds). However, if the time
since the last received packet is greater than the timeout interval, the connection
times out. This interval is common to all IPsec connections and is not
configurable. The default keepalive-timeout is 30 seconds.

Capability

Description

Authentication Method

Pre-shared key (PSK). Configure a secret key on each of the endpoints.

Header Format

Encapsulating Security Payload (ESP)

Mode

Tunnel mode, default
Transport mode if the module cannot negotiate tunnel mode (such as a Microsoft Windows 7 client)

Internet Key Exchange

• IKE version 1
• IKE version 2

Lifetime(s)

IKE and IPsec lifetimes user-configurable

PFS Group

None

DH Key Group

Group 2 = modp1024, default
Groups 5,14,15,16,17, and 18 supported

IKE Encryption Algorithm

• AES(128 bit)
• AES(192 bit)
• AES(256 bit)

IKE Authentication Algorithm

SHA-1

IPsec Encryption Algorithm

• AES(128 bit)
• AES(192 bit)
• AES(256 bit)
• None

IPsec Authentication Algorithm

SHA-1