Ipsec association – Rockwell Automation 1756-EN2TSC EtherNet/IP Secure Communication User Manual User Manual
Page 13

Rockwell Automation Publication ENET-UM003B-EN-P - September 2013
13
Secure Communication Architecture
Chapter 1
As part of establishing the secure tunnel, both endpoints must authenticate with
each other and exchange information to ensure secure data transfer. When
security is enabled, the module is able to connect only with the following:
• Upper level systems and user workstations with Windows 7 operating
systems
• Cisco ASA security appliances
• Other 1756-EN2TSC modules
IPsec Association
Once the IPsec association is established, data between the two endpoints is fully
encrypted (except for produced/consumed tags) or optionally sent unencrypted,
but with a cryptographic message integrity code.
As long as the IPsec traffic is received, the connection is considered alive. Your
VPN connection can recover without having to re-authenticate if you lose your
connection for a very short period of time (few seconds). However, if the time
since the last received packet is greater than the timeout interval, the connection
times out. This interval is common to all IPsec connections and is not
configurable. The default keepalive-timeout is 30 seconds.
Capability
Description
Authentication Method
Pre-shared key (PSK). Configure a secret key on each of the endpoints.
Header Format
Encapsulating Security Payload (ESP)
Mode
Tunnel mode, default
Transport mode if the module cannot negotiate tunnel mode (such as a Microsoft Windows 7 client)
Internet Key Exchange
• IKE version 1
• IKE version 2
Lifetime(s)
IKE and IPsec lifetimes user-configurable
PFS Group
None
DH Key Group
Group 2 = modp1024, default
Groups 5,14,15,16,17, and 18 supported
IKE Encryption Algorithm
• AES(128 bit)
• AES(192 bit)
• AES(256 bit)
IKE Authentication Algorithm
SHA-1
IPsec Encryption Algorithm
• AES(128 bit)
• AES(192 bit)
• AES(256 bit)
• None
IPsec Authentication Algorithm
SHA-1