
Industrial mobile phone router with integrated firewall and VPN

User manual

2014-10-21

Designation: UM EN PSI-MODEM-3G/ROUTER

Revision: 02

This user manual is valid for:

| Designation | Software release | Order No. |
| --- | --- | --- |
| PSI MODEM 3G/ROUTER | 1.04.9 | 2314008 |
| PSI-MODEM-3G-US/ROUTER | 1.04.9 | 2903394 |
| PSI-MODEM-GSM/ETH | 1.04.9 | 2313355 |

PHOENIX CONTACT

104672_en_02

Please observe the following notes


User group of this manual

The use of products described in this manual is oriented exclusively to:
- Qualified electricians or persons instructed by them, who are familiar with applicable standards and other regulations regarding electrical engineering and, in particular, the relevant safety concepts.
- Qualified application programmers and software engineers, who are familiar with the safety concepts of automation technology and applicable standards.

Explanation of symbols used and signal words

This is the safety alert symbol. It is used to alert you to potential personal injury hazards. Obey all safety measures that follow this symbol to avoid possible injury or death.
There are three different categories of personal injury that are indicated with a signal word.

DANGER: This indicates a hazardous situation which, if not avoided, will result in death or serious injury.

WARNING: This indicates a hazardous situation which, if not avoided, could result in death or serious injury.

CAUTION: This indicates a hazardous situation which, if not avoided, could result in minor or moderate injury.

This symbol together with the signal word NOTE and the accompanying text alert the reader to a situation which may cause damage or malfunction to the device, hardware/software, or surrounding property.

This symbol and the accompanying text provide the reader with additional information or refer to detailed sources of information.
How to contact us
Internet

Up-to-date information on Phoenix Contact products and our Terms and Conditions can be
found on the Internet at:
phoenixcontact.com
Make sure you always use the latest documentation.
It can be downloaded at:
phoenixcontact.net/products

Subsidiaries

If there are any problems that cannot be solved using the documentation, please contact
your Phoenix Contact subsidiary.
Subsidiary contact information is available at phoenixcontact.com.

Published by

PHOENIX CONTACT GmbH & Co. KG


Flachsmarktstraße 8
32825 Blomberg
GERMANY
Should you have any suggestions or recommendations for improvement of the contents and
layout of our manuals, please send your comments to:
tecdoc@phoenixcontact.com


General terms and conditions of use for technical documentation


Phoenix Contact reserves the right to alter, correct, and/or improve the technical documentation and the products described in the technical documentation at its own discretion and
without giving prior notice, insofar as this is reasonable for the user. The same applies to any
technical changes that serve the purpose of technical progress.
The receipt of technical documentation (in particular user documentation) does not constitute any further duty on the part of Phoenix Contact to furnish information on modifications
to products and/or technical documentation. You are responsible to verify the suitability and
intended use of the products in your specific application, in particular with regard to observing the applicable standards and regulations. All information made available in the technical
data is supplied without any accompanying guarantee, whether expressly mentioned, implied or tacitly assumed.
In general, the provisions of the current standard Terms and Conditions of Phoenix Contact
apply exclusively, in particular as concerns any warranty liability.
This manual, including all illustrations contained herein, is copyright protected. Any
changes to the contents or the publication of extracts of this document is prohibited.
Phoenix Contact reserves the right to register its own intellectual property rights for the
product identifications of Phoenix Contact products that are used here. Registration of such
intellectual property rights by third parties is prohibited.
Other product identifications may be afforded legal protection, even where they may not be
indicated as such.

Table of contents

1 Product description
  1.1 PSI-MODEM-3G...ROUTER
    1.1.1 Ordering data
    1.1.2 Technical data
    1.1.3 UL notes
    1.1.4 Dimensions
  1.2 PSI-MODEM-GSM/ETH
    1.2.1 Ordering data
    1.2.2 Technical data
    1.2.3 UL notes
    1.2.4 Dimensions

2 For your safety
  2.1 Intended use
  2.2 Safety notes

3 Installation
  3.1 Operating and indication elements
    3.1.1 PSI-MODEM-3G...ROUTER
    3.1.2 PSI-MODEM-GSM/ETH
  3.2 Mounting the device on a DIN rail
  3.3 Connecting
    3.3.1 Ethernet network
    3.3.2 Antenna
    3.3.3 Inserting the SIM card
    3.3.4 Supply voltage
    3.3.5 Switching inputs and switching outputs
  3.4 Resetting the device

4 Configuration via web-based management
  4.1 Connection requirements
  4.2 Starting web-based management (WBM)
  4.3 Device information
    4.3.1 Hardware
    4.3.2 Radio status
  4.4 Local network (setup)
    4.4.1 IP configuration (connection setup)
    4.4.2 DHCP server
    4.4.3 Static routes (redirection of data packets)
    4.4.4 SNMP configuration (router monitoring)
  4.5 Wireless network (mobile phone settings)
    4.5.1 Radio setup
    4.5.2 SIM
    4.5.3 Backup SIM
    4.5.4 SMS configuration (SMS settings)
    4.5.5 Packet data setup
    4.5.6 Wireless static routes (redirection of data packets)
    4.5.7 DynDNS (address management via dynamic DNS)
    4.5.8 Connection check
    4.5.9 Monitoring
  4.6 Network security (security settings)
    4.6.1 General setup
    4.6.2 Firewall (definition of firewall rules)
    4.6.3 NAT table (port forwarding setup)
  4.7 VPN
    4.7.1 IPsec connections (setup)
    4.7.2 IPsec certificates (certificate upload)
    4.7.3 IPsec status (VPN connection status)
    4.7.4 OpenVPN connections (setup)
    4.7.5 OpenVPN certificates (certificate upload)
    4.7.6 Static keys (pre-shared secret key authentication)
    4.7.7 OpenVPN status (VPN connection status)
  4.8 I/O
    4.8.1 Inputs (configuration)
    4.8.2 Outputs (configuration)
    4.8.3 Phonebook
    4.8.4 Socket server
  4.9 System
    4.9.1 System configuration
    4.9.2 User (password change)
    4.9.3 Log file
    4.9.4 E-mail configuration
    4.9.5 Configuration up-/download
    4.9.6 Date/time
    4.9.7 Reboot (router)
    4.9.8 Firmware update

5 Creating X.509 certificates
  5.1 Installing
  5.2 Creating a new database
  5.3 Creating a CA certificate
  5.4 Creating templates
  5.5 Creating certificates
  5.6 Exporting certificates

A Technical appendix
  A1 XML elements
  A2 Structure of the XML configuration file
    A 2.1 XML file format
    A 2.2 Reference to the <entry> element
    A 2.3 Local network settings
  A3 Wireless network
    A 3.1 Network security
    A 3.2 VPN
    A 3.3 Inputs and outputs
    A 3.4 System
  A4 CIDR (Classless Inter-Domain Routing)

B Appendixes
  B1 List of figures
  B2 Index

1 Product description

1.1 PSI-MODEM-3G...ROUTER

The 3G routers PSI MODEM 3G/ROUTER and PSI-MODEM-3G-US/ROUTER are high-performance routers for industrial Ethernet networks. The devices are used to securely transmit sensitive data via mobile phone networks. The integrated firewall and the VPN (Virtual Private Network) support protect your application against unauthorized access.
You can easily integrate remote stations into an IP network via a UMTS/HSPA connection. If UMTS/HSPA is not available, the system automatically switches to GPRS/EDGE.
No matter where your system or controller is located, you can access the process data via a secure VPN connection from any location.
EMC, electrical isolation and surge protection are provided for reliable and secure communication. In addition, the data link and mobile phone network quality are monitored. If required, an appropriate message is sent or the mobile phone connection is reestablished.
Six configurable switching inputs allow the user to independently send an SMS or e-mail to one or several recipients.
The four integrated switching outputs can be activated using a password-protected SMS message. This allows you to remotely monitor the system state and switch functions.
Features

- GPRS/EDGE quad-band (850 MHz / 900 MHz / 1800 MHz / 1900 MHz)
- For PSI MODEM 3G/ROUTER: UMTS/HSPA tri-band (850 MHz / 1900 MHz / 2100 MHz)
- For PSI-MODEM-3G-US/ROUTER: UMTS/HSPA tri-band (850 MHz / 1900 MHz / 1700 MHz ... 2100 MHz AWS)
- GPRS (General Packet Radio Service), EDGE (Enhanced Data Rates for GSM Evolution) and UMTS (Universal Mobile Telecommunications System)
- Second SIM card holder for backup mobile phone network
- Virtual dedicated line to connect networks via mobile phone network
- Integrated firewall
- IPsec and OpenVPN support
- VPN remote start via SMS or call
- Configurable inputs and outputs
- Alerting via SMS, e-mail or fax directly via integrated switching input
- Wide supply voltage range 10 V DC ... 30 V DC
- Temperature range -25°C ... +65°C
- High-quality electrical isolation (VCC // UMTS // Ethernet // PE)
- Integrated surge protection
- Easy configuration via web-based management (WBM)

1.1.1 Ordering data

| Description | Type | Order No. | Pcs. / Pkt. |
| --- | --- | --- | --- |
| Industrial UMTS/GSM router (850, 900, 1800, 1900, 2100 MHz) with Ethernet interface. Firewall, NAT, and IPsec VPN support. SMA-F antenna connector. SMS messaging. 6 digital inputs, 4 digital outputs. Configuration via web-based management. | PSI MODEM 3G/ROUTER | 2314008 | |
| Industrial UMTS/GSM router for the US market (850, 900, 1800, 1900, 1700 ... 2100 MHz) with Ethernet interface. Firewall, NAT, and IPsec VPN support. SMA-F antenna connector. SMS messaging. 6 digital inputs, 4 digital outputs. Configuration via web-based management. | PSI-MODEM-3G-US/ROUTER | 2903394 | |

| Accessories | Type | Order No. | Pcs. / Pkt. |
| --- | --- | --- | --- |
| GSM/UMTS antenna, with omnidirectional characteristic, 2 m antenna cable with SMA round connector | PSI-GSM/UMTS-QB-ANT | 2313371 | |
| GSM/UMTS antenna cable, 5 m long; SMA (male) -> SMA (female), 50 Ohm impedance | PSI-CAB-GSM/UMTS- 5M | 2900980 | |
| GSM/UMTS antenna cable, 10 m long; SMA (male) -> SMA (female), 50 Ohm impedance | PSI-CAB-GSM/UMTS-10M | 2900981 | |
| GSM/UMTS omnidirectional antenna, 2 dBi gain, 5 m antenna cable with SMA round connector | PSI-GSM/UMTS-ANT-OMNI-2-5 | 2900982 | |
| Attachment plug with LAMBDA/4 technology as surge protection for coaxial signal interfaces. Connection: SMA connectors (plug/socket) | CSMA-LAMBDA/4-2.0-BS-SET | 2800491 | |

1.1.2 Technical data

Supply

| Parameter | Value |
| --- | --- |
| Supply voltage range | 10 V DC ... 30 V DC (via plug-in COMBICON screw terminal block) |
| Typical current consumption | < 200 mA (24 V DC); < 90 mA (standby) |
| Maximum current consumption | < 800 mA (at 10 V DC (incl. 4 x 50 mA for the outputs)) |
| Electrical isolation | VCC // UMTS // Ethernet // PE |
| Test voltage data interface/power supply | 1 kV (50 Hz, 1 min.) |

Functions

| Parameter | Value |
| --- | --- |
| Management | Web-based management, SNMP |
| Encryption methods | 3DES, AES-128, -192, -256 |
| Internet protocol security (IPsec) mode | ESP tunnel |
| Authentication | X.509v3, PSK |

Ethernet interface, 10/100 BASE-T(X) according to IEEE 802.3u

| Parameter | Value |
| --- | --- |
| Connection method | RJ45 socket, shielded |
| Conductor cross section | 0.2 mm² ... 2.5 mm² (24 AWG ... 14 AWG) |
| Serial transmission speed | 10/100 Mbps, autonegotiation |
| Transmission length | 100 m (twisted pair, shielded) |
| Test voltage | 1 kV (50 Hz, 1 min.) |
| Supported protocols | TCP/IP, UDP/IP, FTP, HTTP |
| Secondary protocols | ARP, DHCP, PING (ICMP), SNMP V1, SMTP |

Wireless interface

| Parameter | Value |
| --- | --- |
| Description of the interface | GSM / GPRS / EDGE / UMTS |
| Frequency (PSI MODEM 3G/ROUTER) | 850 MHz (2 W (EGSM)); 900 MHz (2 W (EGSM)); 1800 MHz (1 W (EGSM)); 1900 MHz (1 W (EGSM)); 850 MHz (0.25 W (UMTS)); 1900 MHz (0.25 W (UMTS)); 2100 MHz (0.25 W (UMTS)) |
| Frequency (PSI-MODEM-3G-US/ROUTER) | 850 MHz (2 W (EGSM)); 900 MHz (2 W (EGSM)); 1800 MHz (1 W (EGSM)); 1900 MHz (1 W (EGSM)); 850 MHz (0.25 W (UMTS)); 1900 MHz (0.25 W (UMTS)); 1700 MHz ... 2100 MHz (AWS 0.25 W (UMTS)) |
| Data rate | 7.2 Mbps (HSDPA); 5.7 Mbps (HSUPA) |
| Antenna | 50 Ω impedance SMA female antenna connector |
| SIM interface | 1.8 volt, 3 volt |
| GPRS | Class 12, Class B; CS1 ... CS4 |
| EDGE | Multislot Class 10 |
| UMTS | HSPA 3GPP R6 |
| Network function | 4 time slots for receiving data, 4 time slots for sending data. The PIN is saved in the device. After a voltage interruption, the system automatically logs back into the network. Integrated TCP/IP stack, firewall and VPN support, automatic connection establishment. |
| Network check | LED bar graph to display receive quality |
| Transmission power | 0.25 W |

Input/output

| Parameter | Value |
| --- | --- |
| Description of the input | Digital input |
| Number of inputs | |
| Input signal, voltage | 10 V DC ... 30 V DC |
| Description of the output | Digital output |
| Number of outputs | |
| Output signal, voltage | 10 V DC ... 30 V DC (depending on the operating voltage) |
| Output signal, current | 50 mA (short-circuit-proof) |

General data

| Parameter | Value |
| --- | --- |
| Degree of protection | IP20 |
| Dimensions (W/H/D) | 45 mm x 99 mm x 114.5 mm |
| Weight | 226 g |
| Housing material | PA 6.6-FR, green |
| Free fall according to IEC 60068-2-32 | 1 m |
| Shock according to EN 60068-2-27/IEC 60068-2-27 | Operation: 15g, 11 ms period, half-sine shock pulse |
| Shock according to EN 60068-2-27/IEC 60068-2-27 | Storage: 30g, 11 ms period, half-sine shock pulse |
| Vibration resistance according to EN 60068-2-6/IEC 60068-2-6 | 5g, 150 Hz, 2.5 h, in XYZ direction |
| Noise immunity according to | EN 61000-6-2 |
| Electromagnetic compatibility | Conformance with R&TTE Directive 1999/5/EC |

Ambient conditions

| Parameter | Value |
| --- | --- |
| Ambient temperature (operation) | -25°C ... 65°C (not aligned) |
| Ambient temperature (storage/transport) | -40°C ... 85°C |
| Permissible humidity (operation) | 30% ... 95% (non-condensing) |
| Permissible humidity (storage/transport) | 30% ... 95% (non-condensing) |
| Altitude | 5000 m (for restrictions see manufacturer's declaration) |

Approvals

| Parameter | Value |
| --- | --- |
| Conformance | CE-compliant |
| UL, USA/Canada | cULus listed UL 508 |

Conformance with R&TTE Directive 1999/5/EC

Noise immunity according to EN 61000-6-2

| Test | Standard | Parameter | Value |
| --- | --- | --- | --- |
| Electrostatic discharge | EN 61000-4-2 | Contact discharge | 4 kV (test intensity 3) |
| | | Air discharge | 8 kV (test intensity 3) |
| | | Remark | Criterion B |
| Electromagnetic HF field | EN 61000-4-3 | Frequency range | 80 MHz ... 3 GHz (test intensity 3) |
| | | Field strength | 10 V/m |
| | | Remark | Criterion A |
| Fast transients (burst) | EN 61000-4-4 | Input | 1 kV (test intensity 3) |
| | | Signal | 1 kV (Ethernet and antenna) |
| | | Remark | Criterion B |
| Surge current loads (surge) | EN 61000-4-5 | Input | 1 kV (symmetrical); 2 kV (asymmetrical) |
| | | Signal | 1 kV (data line, asymmetrical); 1 kV (antenna) |
| | | Remark | Criterion B |
| Conducted influence | EN 61000-4-6 | Frequency range | 0.15 MHz ... 80 MHz |
| | | Voltage | 10 V |
| | | Remark | Criterion A |

Noise emission according to EN 61000-6-4

| Parameter | Value |
| --- | --- |
| Radio interference voltage according to EN 55011 | EN 55011 (EN 55022) Class B, industrial and residential applications |
| Emitted radio interference according to EN 55011 | EN 55011 (EN 55022) Class B, industrial and residential applications |

Criterion A: Normal operating behavior within the specified limits

Criterion B: Temporary impairment to operating behavior that is corrected by the device itself

R&TTE Directive 1999/5/EC

| Requirement | Standard | Remark |
| --- | --- | --- |
| EMC - immunity to interference (electromagnetic compatibility of wireless systems) | EN 61000-6-2 | Generic standard for the industrial sector |
| Safety - protection of personnel with regard to electrical safety | EN 60950 | |
| Health - limitation of exposure of the population to electromagnetic fields | EC Gazette 1999/519/EC | Recommendation of the Council of the European Community from July 12, 1999 |
| Wireless communication - effective use of the frequency spectrum and prevention of wireless communication interference | DIN EN 301511 | |

1.1.3 UL notes

1.1.4 Dimensions

Figure 1-1 Dimensions of PSI-MODEM-3G...ROUTER (dimension drawing; labeled dimensions: 45, 99, 114.5)

1.2 PSI-MODEM-GSM/ETH

The EDGE router PSI-MODEM-GSM/ETH is used for industrial Ethernet networks and securely transmits sensitive data via GSM networks. The integrated firewall and the VPN (Virtual Private Network) support protect your application against unauthorized access.
You can easily integrate remote stations into an IP network via a GPRS/EDGE connection. Quad-band technology allows the router to be used globally in all 850, 900, 1800 and 1900 MHz GSM networks.
No matter where your system or controller is located, you can access the process data via a secure VPN connection from any location.
EMC, electrical isolation and surge protection are provided for reliable and safe communication. In addition, the GPRS/EDGE service and GSM network quality are monitored. If required, an appropriate message is sent or the GSM connection is reestablished.
Features

- Quad-band (850 MHz / 900 MHz / 1800 MHz / 1900 MHz)
- GPRS (General Packet Radio Service) and EDGE (Enhanced Data Rates for GSM Evolution)
- Integrated TCP/IP stack
- Virtual dedicated line to connect networks using mobile communication
- Integrated firewall
- IPsec and OpenVPN support
- VPN remote start via SMS or call
- Configurable inputs and outputs
- Alerting via SMS, e-mail or fax directly via integrated switching input
- Wide supply voltage range 10 V DC ... 30 V DC
- Temperature range -25°C ... +60°C
- High-quality electrical isolation (VCC // Ethernet // Mobile communication // PE)
- Integrated surge protection
- Easy configuration via web-based management (WBM)

1.2.1 Ordering data

| Description | Type | Order No. | Pcs. / Pkt. |
| --- | --- | --- | --- |
| Industrial GSM router with GPRS/EDGE for mounting on EN DIN rail. GSM and GPRS/EDGE. 850 + 900 + 1800 + 1900 MHz. Ethernet interface. Firewall and VPN support. 6 alarm inputs and 4 switching outputs. 24 V DC supply voltage. | PSI-MODEM-GSM/ETH | 2313355 | |

| Accessories | Type | Order No. | Pcs. / Pkt. |
| --- | --- | --- | --- |
| GSM/UMTS antenna, with omnidirectional characteristic, 2 m antenna cable with SMA round connector | PSI-GSM/UMTS-QB-ANT | 2313371 | |
| GSM/UMTS antenna cable, 5 m long; SMA (male) -> SMA (female), 50 Ohm impedance | PSI-CAB-GSM/UMTS- 5M | 2900980 | |
| GSM/UMTS antenna cable, 10 m long; SMA (male) -> SMA (female), 50 Ohm impedance | PSI-CAB-GSM/UMTS-10M | 2900981 | |
| GSM/UMTS omnidirectional antenna, 2 dBi gain, 5 m antenna cable with SMA round connector | PSI-GSM/UMTS-ANT-OMNI-2-5 | 2900982 | |
| Attachment plug with LAMBDA/4 technology as surge protection for coaxial signal interfaces. Connection: SMA connectors (plug/socket) | CSMA-LAMBDA/4-2.0-BS-SET | 2800491 | |

1.2.2 Technical data

Supply

| Parameter | Value |
| --- | --- |
| Supply voltage range | 10 V DC ... 30 V DC (via plug-in COMBICON screw terminal block) |
| Nominal supply voltage | 24 V DC ±5% (alternative or redundant, via backplane bus contact and system power supply) |
| Typical current consumption | < 360 mA (24 V DC); < 90 mA (Standby) |
| Electrical isolation | VCC // GSM // Ethernet // PE |
| Test voltage data interface/power supply | 500 V (50 Hz, 1 min.) |

Functions

| Parameter | Value |
| --- | --- |
| Management | Web-based management, SNMP |
| Encryption methods | 3DES, AES-128, -192, -256 |
| Internet protocol security (IPsec) mode | ESP tunnel |
| Authentication | X.509v3, PSK |

Ethernet interface, 10/100 BASE-T(X) according to IEEE 802.3u

| Parameter | Value |
| --- | --- |
| Connection method | RJ45 socket, shielded |
| Serial transmission speed | 10/100 Mbps, autonegotiation |
| Transmission length | 100 m (twisted pair, shielded) |
| Test voltage | 500 V (50 Hz, 1 min.) |
| Supported protocols | TCP/IP, UDP/IP, FTP, HTTP |
| Secondary protocols | ARP, DHCP, PING (ICMP), SNMP V1, SMTP |

Wireless interface

| Parameter | Value |
| --- | --- |
| Description of the interface | GSM / GPRS / EDGE |
| Frequency | 850 MHz (2 W (EGSM)); 900 MHz (2 W (EGSM)); 1800 MHz (1 W (EGSM)); 1900 MHz (1 W (EGSM)) |
| Data rate | 210 kbps (EDGE) |
| Antenna | 50 Ω impedance SMA female antenna connector |
| SIM interface | 1.8 volt, 3 volt |
| GPRS | Class 12, Class B; CS1 ... CS4 |
| EDGE | Multislot Class 10 |
| Network function | 4 time slots for receiving data, 4 time slots for sending data. The PIN is saved in the device. After a voltage interruption, the system automatically logs back into the network. Integrated TCP/IP stack, firewall and VPN support, automatic connection establishment. |
| Network check | LED to display receive quality |

Input/output

| Parameter | Value |
| --- | --- |
| Description of the input | Digital input |
| Number of inputs | |
| Input signal, voltage | 10 V DC ... 30 V DC |
| Description of the output | Digital output |
| Number of outputs | |
| Output signal, voltage | 10 V DC ... 30 V DC (depending on the operating voltage) |
| Output signal, current | 250 mA (short-circuit-proof) |

General data

| Parameter | Value |
| --- | --- |
| Degree of protection | IP20 |
| Dimensions (W/H/D) | 35 mm x 99 mm x 114.5 mm |
| Weight | 300 g |
| Housing material | PA 6.6-FR, green |
| Free fall according to IEC 60068-2-32 | 1 m |
| Vibration resistance according to EN 60068-2-6/IEC 60068-2-6 | 5g, 150 Hz, 1.5 h, in XYZ direction |
| Shock according to EN 60068-2-27/IEC 60068-2-27 | Operation: 15g, 11 ms period, half-sine shock pulse |
| Shock according to EN 60068-2-27/IEC 60068-2-27 | Storage: 30g, 11 ms period, half-sine shock pulse |
| Noise immunity according to | EN 61000-6-2:2005 |
| Electromagnetic compatibility | Conformance with R&TTE Directive 1999/5/EC |

Ambient conditions

| Parameter | Value |
| --- | --- |
| Ambient temperature (operation) | -25°C ... 60°C |
| Ambient temperature (storage/transport) | -40°C ... 75°C |
| Permissible humidity (operation) | 30% ... 95% (non-condensing) |
| Permissible humidity (storage/transport) | 30% ... 95% (non-condensing) |
| Altitude | 5000 m (for restrictions see manufacturer's declaration) |

Approvals

| Parameter | Value |
| --- | --- |
| Conformance | CE-compliant |
| UL, USA/Canada | cULus listed UL 508 |

Conformance with R&TTE Directive 1999/5/EC

Noise immunity according to EN 61000-6-2

| Test | Standard | Parameter | Value |
| --- | --- | --- | --- |
| Electrostatic discharge | EN 61000-4-2 | Contact discharge | 6 kV |
| | | Air discharge | 8 kV |
| | | Remark | Criterion B |
| Electromagnetic HF field | EN 61000-4-3 | Frequency range | 80 MHz ... 3 GHz |
| | | Field strength | 10 V/m |
| | | Remark | Criterion A |
| Fast transients (burst) | EN 61000-4-4 | Input | 1 kV |
| | | Signal | 1 kV |
| | | Remark | Criterion A |
| Surge current loads (surge) | EN 61000-4-5 | Input | 1 kV; 2 kV |
| | | Remark | Criterion B |
| Conducted influence | EN 61000-4-6 | Frequency range | 0.15 MHz ... 80 MHz |
| | | Voltage | 10 V |
| | | Remark | Criterion A |

Noise emission according to EN 61000-6-4

| Parameter | Value |
| --- | --- |
| Radio interference voltage according to EN 55011 | EN 55011 Class A industrial area of application |

Criterion A: Normal operating behavior within the specified limits

Criterion B: Temporary impairment to operating behavior that is corrected by the device itself

R&TTE Directive 1999/5/EC

| Requirement | Standard | Remark |
| --- | --- | --- |
| EMC - immunity to interference (electromagnetic compatibility of wireless systems) | EN 61000-6-2 | Generic standard for the industrial sector |
| Safety - protection of personnel with regard to electrical safety | EN 60950 | |
| Health - limitation of exposure of the population to electromagnetic fields | EC Gazette 1999/519/EC | Recommendation of the Council of the European Community from July 12, 1999 |
| Wireless communication - effective use of the frequency spectrum and prevention of wireless communication interference | DIN EN 301511 | |

1.2.3 UL notes

1.2.4 Dimensions

Figure 1-2 Dimensions of PSI-MODEM-GSM/ETH (dimension drawing; labeled dimensions: 35, 120, 99)

For your safety

For your safety


Please read this manual before starting up the devices. Keep this manual in a place where
it is accessible to all users.

2.1 Intended use

This device is designed for use in industrial environments.

PSI-MODEM-GSM/ETH only:
The device is Class A equipment and may cause radio interference in residential areas. In this case, the operator may be required to implement appropriate measures and to pay the costs incurred as a result.

2.2 Safety notes

WARNING:
Observe the following safety notes when using the device.

Only qualified specialist personnel may install, start up, and operate the device. National safety and accident prevention regulations must be observed.
Installation should be carried out as described in the installation notes. Access to circuits within the device is not permitted.
The device is maintenance-free. Repairs may only be carried out by the manufacturer.
The device is only intended for operation in the control cabinet and with SELV according to IEC 60950/EN 60950/VDE 0805. The device may only be connected to devices that meet the requirements of EN 60950.

Installation
3.1 Operating and indication elements

3.1.1 PSI-MODEM-3G...ROUTER

Figure: front of PSI-MODEM-3G/ROUTER, Ord.-No. 2314008 (labels shown: POWER, VPN, ALR, RESET, LAN, NET, ANT, 3G, PD, SIM1, SIM2)

Connection terminal block power supply +24 V/0 V
6 switching inputs, digital
SMA female antenna connector
4 switching outputs, digital
RJ45, Ethernet interface (TP port)
Reset button

Status and diagnostics indicators
Power (green): Supply voltage present
VPN (green): VPN tunnel active
ALR (red): Alarm message
NET (yellow/green/green): Display of reception quality as bar graph
3G (green): UMTS/HSPA connection active
PD (green): Packet data connection active
SIM 1 (green): On: SIM card 1 active; Flashing: No PIN entered
SIM 2 (green): On: SIM card 2 active; Flashing: No PIN entered

On the back: SIM card holder

3.1.2 PSI-MODEM-GSM/ETH

Figure: front of PSI-MODEM-GSM/ETH, Ord.-No. 23 13 355 (labels shown: VCC, RD, TD, ALR, NET, DCD, SIM, ANT, AA, VPN, ACT, LNK, LAN)

Connection terminal block power supply +24 V/0 V
6 switching inputs, digital
4 switching outputs, digital
SMA female antenna connector
RJ45, Ethernet interface (TP port)

Status and diagnostics indicators
VCC (green): Supply voltage present
RD (green): n.c.
TD (yellow): n.c.
ALR (red): Alarm message
NET (yellow): Network reception
  On: Very good
  On, briefly flashing: Good
  Off, briefly flashing: Moderate
DCD (yellow): Packet data connection active
SIM (red): On: No SIM card; Flashing: No PIN entered
AA (yellow): n.c.
VPN (green): VPN tunnel active
ACT (yellow): Ethernet data transmission
Link (green): Ethernet link established

Beneath the cover: SIM card slot

3.2 Mounting the device on a DIN rail

NOTE: Device damage
Only mount and remove devices when the power supply is disconnected.

NOTE: Malfunction
Connect the DIN rail to protective earth ground using a grounding terminal block. The devices are grounded when they are snapped onto the DIN rail (installation according to PELV). This ensures that the shielding is effective. Connect protective earth ground with low impedance.

Snap the device onto a 35 mm DIN rail according to EN 60715.

Figure 3-1 Mounting on the DIN rail

3.3 Connecting

WARNING: Incorrect connection may result in serious personal injury and/or damage to equipment.
The electrical connection, startup, and operation of this device may only be performed by qualified personnel. According to the safety instructions in this text, qualified personnel are persons who are authorized to start up, to ground, and to mark devices, systems, and equipment according to the standards of safety technology. In addition, these persons must be familiar with all warning instructions and maintenance measures provided in this document.
Disregarding these instructions may result in damage to equipment and/or serious personal injury.

CAUTION: Electrical voltage
The device is only intended for operation in the control cabinet and with SELV according to IEC 60950/EN 60950/VDE 0805. The device may only be connected to devices that meet the requirements of EN 60950.

3.3.1 Ethernet network

NOTE: Malfunction
Only use shielded twisted pair cables and corresponding shielded RJ45 connectors.

An Ethernet interface in RJ45 format is located on the front of the device, to which only twisted pair cables with an impedance of 100 Ω can be connected.

Insert the Ethernet cable with the RJ45 connector into the TP interface until the connector engages audibly. Observe the connector coding.

Figure 3-2 RJ45 interface (signal labels shown in the figure: n.c., n.c., TD-, n.c., n.c., TD+, RD-, RD+)

3.3.2 Antenna

Figure 3-3 Connecting the antenna

Connect a suitable antenna to the antenna connection.
If the device indicates good or very good reception, secure the antenna.

Installing the antenna

Select an antenna position providing good wireless network conditions. The LED indicators can be used to determine the receive quality.
When using the PSI-GSM/UMTS-QB-ANT antenna (Order No. 2313371), drill a hole measuring 16.5 mm in diameter in the top of the control cabinet.
Observe the following during installation: The antenna has a diameter of 76 mm and is 21 mm high. The cable is 2 m long.
Secure the antenna using the washer and nut provided.

Figure 3-4 Installing the PSI-GSM/UMTS-QB-ANT antenna

3.3.3 Inserting the SIM card

NOTE: Electrostatic discharge
The device contains components that can be damaged or destroyed by electrostatic discharge. When handling the device, observe the necessary safety precautions against electrostatic discharge (ESD) according to EN 61340-5-1 and IEC 61340-5-1.

NOTE: Malfunction
The device only supports 1.8 V and 3 V SIM cards. If you have an older SIM card, please contact your GSM service provider.

You receive a SIM card from the GSM provider, on which all data and services for your connection are stored. The SIM card can be protected with a 4 or 5-digit PIN code. We recommend entering the PIN code as described in "User (password change)" on page 88.
For the core functions (VPN router), you need a packet data connection using the mobile phone network. Select a corresponding SIM card.

PSI-MODEM-3G...ROUTER

Figure 3-5 Removing the SIM card holder - PSI-MODEM-3G...ROUTER

Push the yellow release button with a pointed object.
Remove the SIM card holder.

Figure 3-6 Inserting the SIM card - PSI-MODEM-3G...ROUTER

Insert the SIM card so that the SIM chip remains visible.
Insert the SIM card holder together with the SIM card into the device until it ends flush with the device.

PSI-MODEM-GSM/ETH
You must open the housing to access the SIM card slot inside.

Use a screwdriver to lever up the cover of the LAN connection.
Align the contact surface to the PCB and slide the SIM card into the holder. The angled corner must face upwards.

Figure 3-7 Opening the housing and inserting the SIM card - PSI-MODEM-GSM/ETH

3.3.4 Supply voltage

CAUTION: Electrical voltage
The device is only intended for operation in the control cabinet and with SELV according to IEC 60950/EN 60950/VDE 0805. The device may only be connected to devices that meet the requirements of EN 60950.

Figure 3-8 Connecting the supply voltage

The supply voltage should be 10 V DC ... 30 V DC.
Connect the supply voltage to 24 V and 0 V on the plug-in screw terminal block. Observe the polarity.
The device is ready for operation as soon as the green LED for the supply voltage lights up.

3.3.5 Switching inputs and switching outputs

Figure 3-9 Wiring the inputs (terminal labels shown in the figure: 24V, 0V, I1, I2)

Connect the switching inputs and outputs to the respective plug-in screw terminal blocks:
To the switching inputs (I1 ... I6) you can connect 10 V DC ... 30 V DC.
The short-circuit-proof switching outputs (O1 ... O4) are designed for max. 50 mA at 10 V DC ... 30 V DC.
You must connect the 0 V potential of the switching inputs and outputs to the 0 V terminal block of the voltage supply connection.

3.4 Resetting the device

PSI-MODEM-3G...ROUTER
The 3G routers have a reset button (see "Operating and indication elements" on page 21, item 6) that can be used to temporarily reset the router's IP address and the passwords to the default settings upon delivery.

Press and hold down the reset button.
Disconnect the Ethernet cable from the LAN connection on the router.
Reconnect the Ethernet cable.
Press and hold down the reset button for a further five seconds.

The IP address is now reset to its default address (192.168.0.1).

PSI-MODEM-GSM/ETH
The EDGE router has a covered reset button that can be used to temporarily reset the router's IP address and the passwords to the default settings upon delivery.
You must open the housing to access the reset button inside.

Figure 3-10 Opening the housing and pressing the reset button (1)

Disconnect the Ethernet cable from the LAN connection on the router.
Use a screwdriver to lever up the cover of the LAN connection.
Reconnect the Ethernet cable.
Press and hold down the reset button.
Disconnect the Ethernet cable again from the LAN connection on the router.
Reconnect the Ethernet cable.
Press and hold down the reset button for a further five seconds.

The IP address is now reset to its default address (192.168.0.1).

Configuration via web-based management


4.1 Connection requirements

The device must be connected to the power supply.
The computer that is to be used for configuration must be connected to the LAN socket on the router.
A browser (e.g., Mozilla Firefox, Microsoft Internet Explorer or Apple Safari) must be installed on the configuration computer.

4.2 Starting web-based management (WBM)

The router is configured via web-based management (WBM).

Establish an Ethernet connection from the device to a PC.
Set the IP address of your PC to the network of the router.
Open a browser on the PC.
Enter the IP address 192.168.0.1 in the address field of your browser.

The following page opens in the browser.

Figure 4-1 Login window

This page protects the area in web-based management where router settings are modified.
In order to log in, you need the user name and password.
The user name is admin.
The password is admin.
For security reasons, we recommend you change the password during initial configuration (see "User (password change)" on page 88).

There are two user levels:
User: Read-only access to the Device information menu item
Admin: Full access to all areas

To configure the router, make the desired settings on the individual pages of the router user interface. Click Apply to accept the settings.

4.3 Device information

You can also access this page via user login. It displays information concerning the hardware, software and status of the router.

4.3.1 Hardware

Figure 4-2 Device information >> Hardware

Device information >> Hardware
Hardware information
Address: Address of the manufacturer
Internet: Internet address of the manufacturer
Type: Router order designation
Order No.: Router order number
Serial number: Router serial number
Hardware: Router hardware version
Release version: Router software release version
Operating system: Operating system version
Web-based management: Web-based management version
MAC address: MAC address for unique identification of an Ethernet device in a computer network
Radio engine: Type of mobile phone engine used
Radio firmware: Mobile phone engine firmware version
IMEI: IMEI = International Mobile Station Equipment Identity, 15-digit serial number that can be used to clearly identify each GSM or UMTS termination device

4.3.2 Radio status

Current status information regarding the mobile phone network and network connections is displayed here.

Radio

Figure 4-3 Device Information >> Status >> Radio

Device Information >> Status >> Radio
Radio status
Provider: Provider name
Network status: Status of the mobile phone network
  Registered home: Logged into the provider's home network
  Roaming: Dial-in via an external mobile phone network
  Waiting for PIN: PIN must be entered
  Waiting for PUK: SIM card locked because the PIN was entered incorrectly three times, PUK entry required
  Wrong PIN: Wrong PIN stored in device
  No SIM card: SIM card not inserted
  Power off: Mobile phone engine not yet started
Signal level: Signal strength as a dBm value and bar
Packet data:
  Offline: No packet data connection in the mobile phone network
  GPRS online: Active packet data connection in the mobile phone network via GPRS. GPRS is a GSM service, which provides packet-based wireless access for mobile GSM users.
  EDGE online: Active packet data connection in the mobile phone network via EDGE. EDGE is a further development of the GPRS data service with a higher data transmission rate.
  UMTS online: Active high-speed packet data connection in the 3G mobile phone network via UMTS
  HSDPA/UPA online: Active high-speed packet data connection in the 3G mobile phone network via HSDPA/UPA. HSDPA/UPA is a further development of the UMTS network with a higher data transmission rate.
SIM #1 IMSI: SIM card or IMSI number used. IMSI = International Mobile Subscriber Identity, number for unique identification of network devices
Local area code: Area code within mobile phone network
Cell ID: Unique mobile phone cell ID


Network connections
This page displays status information about the local Ethernet interface and the packet data interface in the mobile phone network.

Figure 4-4 Device information >> Status >> Network connections

Device information >> Status >> Network connections
Network connections
Wireless network
  Link:
    TCP/IP connected: Active packet data connection in the mobile phone network, data can be transmitted via TCP/IP
    VPN connected: Active VPN connection in the mobile phone network, encrypted data can be transmitted
    Not connected: No packet data connection in the mobile phone network, no data transmission
  IP address: IP address assigned by the provider
  Netmask: Netmask assigned by the provider
  DNS server: IP address of the DNS server
  Sec. DNS server: IP address of the alternative DNS server
  RX bytes: Sum of data received since last login to mobile phone network
  TX bytes: Sum of data sent since last login to mobile phone network
Local network
  Link:
    Connected: Local Ethernet connected
    Not connected: Local Ethernet not connected
  IP address: Current Ethernet IP address
  Netmask: Netmask of the local Ethernet network


I/O status
This page displays current status information and the configuration of inputs and outputs.

Figure 4-5 Device information >> Status >> I/O status

Routing table
This page displays all entries of the routing table.

Figure 4-6 Device information >> Status >> Routing table

4.4 Local network (setup)

4.4.1 IP configuration (connection setup)

The connection from the router to the local Ethernet can be set up here. You can modify the IP configuration, e.g., the IP address, the subnet mask, and the type of address assignment.
Confirm your changes to the IP configuration with Apply. The changes will only take effect after a restart.

Figure 4-7 Local network >> IP configuration

Local network >> IP configuration
IP configuration
Current addresses
  IP address: Current IP address of the router. Computers connected to the LAN interface can access the router using this address. You can use the reset button to reset the IP address to the default address 192.168.0.1 (see "Resetting the device" on page 30).
  Subnet mask: Subnet mask for current IP address
  Type of IP address assignment:
    Static (default): The IP address is assigned permanently (fixed IP).
    DHCP: When the router is started, the IP address and the subnet mask are assigned dynamically by a DHCP server.
Alias addresses: Using alias addresses, up to eight additional IP addresses can be assigned to the router. This means that the router can be accessed from various subnetworks. Click on New and enter the desired IP address and subnet mask.

4.4.2 DHCP server

The Dynamic Host Configuration Protocol (DHCP) can be used to automatically assign the network configuration set here to the devices connected directly to the router.

Figure 4-8 Local network >> DHCP server

Local network >> DHCP server
DHCP server
DHCP server: Enabled: Router operates as DHCP server
Domain name: Domain name distributed via DHCP
Lease time (d,h,m,s): Time for which the network configuration assigned to the client is valid. The client should renew its assigned configuration shortly before this time expires. Otherwise it may be assigned to other computers.
Dynamic IP address allocation: Dynamic IP address pool: When the DHCP server and the dynamic IP address pool have been activated, you can specify the network parameters to be used by the client.
Begin of IP range: Start of DHCP area: The start of the address area from which the DHCP server should assign IP addresses to locally connected devices.
End of IP range: End of DHCP area: The end of the address area from which the DHCP server should assign IP addresses to locally connected devices.
Static IP address allocation: Static assignment based on the MAC address: The static IP of the client to which the MAC address should be assigned.
Client MAC address: MAC address of the client with hyphens
Client IP address: Client IP address
Static assignments must not overlap with the dynamic IP address pool.
Do not use one IP address in multiple static assignments, otherwise multiple MAC addresses will be assigned to this IP address.
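
The two rules above (static assignments outside the dynamic pool, no IP address used twice) can be checked on a planned address list before it is typed into the WBM. The following Python sketch is an added example, not part of the manual or the router software; the function name check_dhcp_plan and the sample addresses are constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# The WBM expects the client MAC address "with hyphens", e.g. 00-A0-45-00-00-01.
MAC_WITH_HYPHENS = re.compile(r"(?:[0-9A-Fa-f]{2}-){5}[0-9A-Fa-f]{2}")


def check_dhcp_plan(pool_begin, pool_end, static_assignments):
    """Return a list of findings for a planned DHCP server configuration.

    pool_begin, pool_end: "Begin of IP range" and "End of IP range".
    static_assignments: list of (client MAC address, client IP address) pairs.
    """
    findings = []
    begin = ipaddress.IPv4Address(pool_begin)
    end = ipaddress.IPv4Address(pool_end)
    if begin > end:
        findings.append(f"pool: begin {begin} is above end {end}")
        begin, end = end, begin  # keep checking against the intended range

    macs_by_ip = defaultdict(set)
    for mac, ip_text in static_assignments:
        if not MAC_WITH_HYPHENS.fullmatch(mac):
            findings.append(f"{mac}: MAC address is not in hyphen notation")
        try:
            ip = ipaddress.IPv4Address(ip_text)
        except ipaddress.AddressValueError:
            findings.append(f"{mac}: {ip_text!r} is not an IPv4 address")
            continue
        # Rule 1: static assignments must not overlap with the dynamic pool.
        if begin <= ip <= end:
            findings.append(
                f"{mac}: static address {ip} lies inside the dynamic pool {begin}-{end}"
            )
        macs_by_ip[ip].add(mac.upper())

    # Rule 2: one IP address must not appear in several static assignments.
    for ip in sorted(macs_by_ip):
        macs = sorted(macs_by_ip[ip])
        if len(macs) > 1:
            findings.append(f"{ip}: assigned to several MAC addresses: {', '.join(macs)}")
    return findings


# Constructed sample plan (not taken from a real installation).
SAMPLE_POOL = ("192.168.0.100", "192.168.0.150")
SAMPLE_STATIC = [
    ("00-A0-45-00-00-01", "192.168.0.10"),   # fine
    ("00-A0-45-00-00-02", "192.168.0.120"),  # inside the dynamic pool
    ("00-A0-45-00-00-03", "192.168.0.20"),
    ("00-A0-45-00-00-04", "192.168.0.20"),   # same IP as the previous entry
    ("00:A0:45:00:00:05", "192.168.0.30"),   # colons instead of hyphens
]

if __name__ == "__main__":
    for finding in check_dhcp_plan(*SAMPLE_POOL, SAMPLE_STATIC):
        print(finding)
```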

4.4.3 Static routes (redirection of data packets)

With local static routes, you can specify alternative routes for data packets from the local network via other gateways in higher-level networks. You can specify up to eight static routes.
If the entries for the network and gateway are logically incorrect, the incorrect entries will be displayed with a red frame.

Figure 4-9 Local network >> Static routes

Local network >> Static routes
Local static routes
Network: Network in CIDR format, see "CIDR (Classless Inter-Domain Routing)" on page 131
Gateway: Gateway via which this network can be accessed

4.4.4 SNMP configuration (router monitoring)

The router supports the reading of information via SNMP (Simple Network Management Protocol). SNMP is a network protocol that can be used to monitor and control network elements from a central station. The protocol controls communication between the monitored devices and the central station.
If, for reasons of security, you do not use SNMP, remove the default password "public" for read access under "Read only". The SNMP service is then stopped on the router.

Figure 4-10 Local network >> SNMP configuration

Local network >> SNMP configuration
SNMP configuration
System information
  Name of device: Name for management purposes, freely assignable
  Description: Description of the router
  Physical location: Designation for the installation location, freely assignable
  Contact: Contact person responsible for the router
SNMPv1/v2 community
  Read only: Password for read access via SNMP
  Read and write: Password for read/write access via SNMP
Trap configuration: In certain cases, the router can send SNMP traps. The traps correspond to SNMPv1 and are part of the standard MIB.
  Trap manager IP address: IP address to which the trap should be sent
  Port: Port to which the trap should be sent
  Target community: Name of the SNMP community to which the trap is assigned
  Sending traps:
    Disabled: It is not possible to send traps to the IP address of the trap manager.
    Enabled: The sending of traps to the IP address of the trap manager has been activated.

4.5 Wireless network (mobile phone settings)

Remote stations can be integrated into an IP network via a UMTS/HSPA or GPRS/EDGE connection. The mobile phone connection can be configured here.

4.5.1 Radio setup

Figure 4-11 Wireless network >> Radio setup

Wireless network >> Radio setup
Radio setup
Frequency: Frequency range in which the router should work
UMTS freq. (1): UMTS frequency range in which the router should work. In addition, you can deactivate the UMTS with UMTS off.
Backup SIM (2): Decide whether you can use a second SIM card for a backup mobile phone connection.
Provider timeout (2): Period of time (in minutes) following the failure of the primary mobile phone network, at which the switch will be made to the backup SIM card.
Backup runtime (2): Period of time (in hours) after which there will be a switch back to the primary mobile phone network.
Daily relogin:
  Disabled: Daily login deactivated
  Enabled: Daily login activated
  With daily login, the router first attempts to register with the primary mobile phone network.
Time: Time at which the router logs out under controlled conditions and logs in again. During re-login, the router first attempts to register with the primary mobile phone network.

(1) For the PSI-MODEM-3G...ROUTER only
(2) For the PSI-MODEM-3G...ROUTER only. The PSI-MODEM-GSM/ETH EDGE router has only one SIM interface, so that this option is not available.

4.5.2 SIM

This is where all the settings for the primary mobile phone connection are.

Figure 4-12 Wireless network >> SIM

Wireless network >> SIM
SIM
Country: Select the country in which the router is dialing into the GSM network. This setting limits the selection of providers.
PIN: In the PIN field, enter the PIN for the SIM card. The PIN cannot be read back, it can only be overwritten.
Roaming: If roaming is activated (default), you can select a specific provider from the Provider pull-down menu.
  Enabled: The router can also dial in via external networks. If Auto is set under Provider, the strongest provider is selected. Additional costs may be incurred in this case depending on your contract. Alternatively, you can specify a provider.
  Disabled: Roaming is deactivated and only the provider's home network is used. If this network is unavailable, the router cannot establish an Internet connection.
Provider: Select a provider via which the router is to establish the Internet connection. The country selected under Country limits the list of providers.
  Auto: The router automatically selects the provider based on the SIM card.
User name: User name for packet data access. You obtain the user name and password from your provider. This field may be left empty if the provider does not require a special input.
Password: Password for packet data access. This field may be left empty if the provider does not require a password.
APN: You can obtain the APN from your provider. The APN (Access Point Name) is the name of a terminal point in a packet data network, which enables access to an external data network. At the same time, the APN specifies which network is to be used to establish a connection. With a public APN, the connection is usually established to the Internet. The device supports public and private APNs.
Authentication: Select the protocols for registration with the provider:
  All protocols: All protocols offered by the provider will be accepted.
  Refuse MSCHAP: MSCHAP will not be accepted.
  CHAP only: Only CHAP will be accepted.
  PAP only: Only PAP will be accepted.

4.5.3 Backup SIM

The PSI-MODEM-3G...ROUTER devices are provided with a second SIM interface for a backup mobile phone connection. For the backup SIM card, you can set the same options as for the primary SIM card.
The PSI-MODEM-GSM/ETH EDGE router has only one interface, which means that the Backup SIM menu will not be available.

4.5.4 SMS configuration (SMS settings)

You can remotely operate the device via SMS messages.
Activate SMS control and enter the SMS password. The password can contain up to seven alphanumeric characters.

In addition, the device can forward received SMS messages to a recipient via Ethernet.
Open Wireless Network, SMS configuration and activate the SMS forward function.
Enter the recipient IP address and the port with which you would like to communicate. The default value for the server is port 1432.

The received SMS is forwarded in the following format:

origaddr = Sender telephone number
timestamp = Service Center time stamp in GSM-03.40 format

The SMS syntax for switching inputs, outputs and functions includes the following information:
Password
Function command
Additional subcommands

Table 4-1 Supported function commands

Function command    Description
SET:<sub_cmd>       General command for starting functions (ON), subcommand must be added
CLR:<sub_cmd>       General command for stopping functions (OFF), subcommand must be added
SEND:STATUS         Request the status of the mobile phone router
RESET               Reset the alarms
REBOOT              Restart the mobile phone router

Table 4-2 Subcommands <sub_cmd> for the function commands SET and CLR

Subcommand <sub_cmd>    Description
GPRS                    Start or stop the packet data connection
Output                  Switch output 1: ON/OFF
OUTPUT:n                Switch output n: ON/OFF, n={1...4}
IPSEC                   Start or stop IPsec VPN 1: ON/OFF
IPSEC:n                 Start or stop IPsec VPN n: ON/OFF, n={1...3}

Figure 4-13 Wireless network >> SMS configuration

Wireless network >> SMS configuration
SMS configuration
SMS control:
  Disabled: Remote operation of router via SMS not possible
  Enabled: Remote operation of router via SMS activated
SMS password: SMS password for remote operation
SMS forward:
  Disabled: Not possible to forward SMS messages via Ethernet
  Enabled: Forwarding of SMS messages via Ethernet activated
Server IP address: IP address to which the SMS message should be forwarded
Server port (default 1432): Port to which the SMS message should be forwarded

Example
Text of SMS message in order to start the IPsec tunnel #2 using the password 1234:
#1234:SET:IPSEC:2
In order to stop this connection, you have to send the following SMS message:
#1234:CLR:IPSEC:2
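
The command syntax from Tables 4-1 and 4-2 can be checked mechanically before a control SMS is sent or when a forwarded message is logged. The following Python parser is an added example, not part of the manual or the router firmware; the names parse_sms_command, SmsCommand and audit are hypothetical, the leading "#" and the ":" separators are taken from the two example messages above, and matching keywords case-insensitively is an assumption.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Grammar as read from Tables 4-1 and 4-2 and the two example messages:
#   #<password>:<function>[:<sub_cmd>[:<n>]]
PASSWORD = re.compile(r"[A-Za-z0-9]{1,7}")  # "up to seven alphanumeric characters"
INDEXED = {"OUTPUT": range(1, 5), "IPSEC": range(1, 4)}  # n={1...4} and n={1...3}


@dataclass(frozen=True)
class SmsCommand:
    password: str
    function: str                  # SET, CLR, SEND, RESET or REBOOT
    target: Optional[str] = None   # GPRS, OUTPUT, IPSEC or STATUS
    index: Optional[int] = None    # output or IPsec tunnel number

    def render(self, hide_password: bool = False) -> str:
        """Canonical message text; hide_password gives a form that is safe to log."""
        parts = ["<password>" if hide_password else self.password, self.function]
        if self.target:
            parts.append(self.target)
        if self.index is not None:
            parts.append(str(self.index))
        return "#" + ":".join(parts)


def parse_sms_command(text: str) -> SmsCommand:
    """Parse one control SMS; raise ValueError if it does not fit the grammar."""
    text = text.strip()
    if not text.startswith("#"):
        raise ValueError("message does not start with '#'")
    fields = text[1:].split(":")
    if len(fields) < 2:
        raise ValueError("expected #<password>:<function>")
    password = fields[0]
    # Assumption: keywords are matched case-insensitively (the manual does not say).
    function, args = fields[1].upper(), [a.upper() for a in fields[2:]]
    if not PASSWORD.fullmatch(password):
        raise ValueError("password is not 1 to 7 alphanumeric characters")

    if function in ("RESET", "REBOOT"):
        if args:
            raise ValueError(f"{function} takes no subcommand")
        return SmsCommand(password, function)
    if function == "SEND":
        if args != ["STATUS"]:
            raise ValueError("SEND supports only STATUS")
        return SmsCommand(password, function, "STATUS")
    if function not in ("SET", "CLR"):
        raise ValueError(f"unknown function command {function!r}")
    if not args:
        raise ValueError(f"{function} needs a subcommand")

    target, rest = args[0], args[1:]
    if target == "GPRS" and not rest:
        return SmsCommand(password, function, target)
    if target in INDEXED and len(rest) <= 1:
        number = rest[0] if rest else "1"  # bare OUTPUT / IPSEC means number 1
        if re.fullmatch(r"[0-9]+", number) and int(number) in INDEXED[target]:
            return SmsCommand(password, function, target, int(number))
        raise ValueError(f"{target} number {number!r} is out of range")
    joined = ":".join(args)
    raise ValueError(f"unsupported subcommand {joined!r}")


# Constructed sample messages (not captured traffic).
SAMPLE_MESSAGES = [
    "#1234:SET:IPSEC:2",   # example from the manual
    "#1234:CLR:OUTPUT",    # bare OUTPUT means output 1
    "#1234:SET:IPSEC:4",   # only IPsec VPN 1 to 3 exist
    "#12345678:REBOOT",    # password longer than seven characters
]


def audit(messages):
    """Return (accepted, detail) per message; accepted commands are shown redacted."""
    report = []
    for text in messages:
        try:
            report.append((True, parse_sms_command(text).render(hide_password=True)))
        except ValueError as err:
            report.append((False, str(err)))
    return report


if __name__ == "__main__":
    for accepted, detail in audit(SAMPLE_MESSAGES):
        print("ok " if accepted else "bad", detail)
```

Because the SMS password is part of the message text, the redacted form from render(hide_password=True) is the one to write to logs.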


4.5.5 Packet data setup

Figure 4-14 Wireless network >> Packet data setup

Wireless network >> Packet data setup
Packet data setup
Packet data:
  Disabled: Packet data connection deactivated
  Enabled: Access permitted to UMTS/HSPA/GPRS/EDGE
  If this packet data connection is activated, there is only a virtual permanent connection to the remote peer. This wireless area is not used until data is actually transmitted, such as via VPN tunnel.
Debug mode: When debug mode is activated, detailed information on the packet data connection is saved in the log file for diagnostic purposes.
Allow compression:
  Enabled: Data compression of packet data connection activated (default)
  Disabled: Data compression of packet data connection deactivated
MTU (default 1500): Maximum Transmission Unit (MTU), maximum packet size in bytes in the mobile phone network
Event: Event that starts the packet data connection:
  Initiate: Automatic start after router boot process
  Initiate on Input #1 ... #6: Manual start per switching input
  Initiate on SMS: Manual start via SMS message
Manual DNS:
  Disabled: Manual DNS setting deactivated. The DNS settings are received automatically from the provider.
  Enabled: Manual DNS setting permitted
DNS server: IP address of the primary DNS server in the mobile phone network
Sec. DNS server: IP address of the alternative DNS server in the mobile phone network

4.5.6 Wireless static routes (redirection of data packets)

With static routes, you can specify alternative routes in the mobile phone network for data packets. If the entries for the network and gateway are logically incorrect, the incorrect entries will be displayed with a red frame.

Figure 4-15 Wireless network >> Wireless static routes

Wireless network >> Wireless static routes
Wireless static routes
Network: Network in CIDR format, see "CIDR (Classless Inter-Domain Routing)" on page 131
Gateway: Gateway via which this network can be accessed

4.5.7 DynDNS (address management via dynamic DNS)

Each mobile phone router is dynamically assigned an IP address by the provider, meaning that the address changes from session to session.
If the mobile phone router is to be accessed via the Internet, you can specify a fixed host name with the help of a DynDNS provider for the dynamic IP address. The router can then be accessed using this host name (e.g., www.example.com).
Check whether your mobile phone provider supports dynamic DNS in the mobile phone network.

Figure 4-16 Wireless network >> DynDNS setup

Wireless network >> DynDNS setup
DynDNS setup
Status:
  Disabled: DynDNS client deactivated
  Enabled: DynDNS client activated
DynDNS provider: Select the name of the provider with whom you are registered, e.g., DynDNS.org, TZO.com, dhs.org.
DynDNS username: User name of your DynDNS account
DynDNS password: Password of your DynDNS account
DynDNS hostname: Host name specified for this router with the DynDNS service. The router can be accessed via this host name.

4.5.8

Connection check

The connection check enables you to verify whether the packet data connection in the mobile phone network is functional. In addition, the connection check serves as a keep-alive
function in order to maintain the packet data connection in the mobile phone network.

Figure 4-17: Wireless network >> Connection check

Wireless network >> Connection check

Connection check

Status
    Disabled: Packet data connection check deactivated (default)
    Enabled: Packet data connection check activated

Host #1 ... #3
    IP address or host name of the reference point for the connection check

Source
    Local: The IP packets of the connection check are transmitted via the local network interface with the IP address of the local interface (LAN).
    Wireless network: The IP packets of the connection check are transmitted via the mobile phone interface with the IP address assigned by the provider.

Check every
    Check interval in minutes

Max. retry
    Number of times to retry until the configured action is performed

Activity
    Reboot: Restart the router
    Reconnect: Reestablish the packet data connection
    Relogin: Shutdown and restart of the mobile phone interface with new login to the mobile phone network
    None: No action
    As an option, you can configure status information regarding the connection check via a switching output.

4.5.9 Monitoring

Monitoring is used to register mobile phone parameters. You can use this function temporarily for startup or troubleshooting purposes; it is not intended for permanent use. All parameters are saved to a separate logradio.txt log file. After the end of the monitoring period, monitoring needs to be disabled.

Figure 4-18: Wireless network >> Monitoring

Wireless network >> Monitoring

Monitoring

Monitoring
    Disabled: Mobile phone monitoring deactivated (default)
    Enabled: Mobile phone monitoring activated

Log duration
    Monitoring time in hours, we recommend a maximum of 30 hours

Log interval
    Monitoring interval in minutes (for at least one minute)

Ping host
    IP address or host name of the reference point for monitoring

Clear
    Delete the log file in the router for renewed monitoring

View
    Display current log file

Save
    Save log file on the local computer


Structure of the logradio.txt log file:

Date and time

Network status (creg=)
    Not logged in, no network search
    Logged in, home network
    Not logged in, network search
    Not logged in, login rejected
    Unknown state
    Logged in, foreign network

Receive level (rssi=)
    0: -113 dBm or worse
    1: -111 dBm
    2...30: -109 dBm ... -53 dBm
    31: -51 dBm or better

Packet data connection (packet=)
    OFFLINE
    ONLINE
    GPRS ONLINE
    EDGE ONLINE
    WCDMA ONLINE
    WCDMA HSDPA ONLINE
    WCDMA HSUPA ONLINE
    WCDMA HSDPA+HSUPA ONLINE

Location
    lac= Location area code
    ci= Mobile phone cell ID

Current own IP address (myip=)

Reference IP (ping=)

Ping times in ms
    round-trip min/avg/max= (minimum/average/maximum)

4.6 Network security (security settings)

4.6.1 General setup

On this page, you can make the fundamental settings for network security.

Figure 4-19: Network security >> General setup

Network security >> General setup

Network security setup

Firewall
    Disabled: Integrated stateful packet inspection firewall deactivated, data packets are not filtered
    Enabled: Integrated stateful packet inspection firewall activated (default)

Port forwarding via NAT table
    Disabled: Port forwarding from the mobile phone network to the local network deactivated (default)
    Enabled: Port forwarding from the mobile phone network to the local network activated

Block outgoing NetBIOS
    If Windows-based systems are installed in the local network, NetBIOS requests can result in data traffic and its associated costs, where applicable.
    Disabled: Outgoing NetBIOS requests are permitted.
    Enabled: Outgoing NetBIOS requests are blocked (default).

External ping (ICMP)
    You can use a ping to check whether a device in an IP network can be accessed. During normal operation, responding to external ping requests results in data traffic and its associated costs, where applicable.
    Disabled: If a ping request is sent from the external IP network to the router, it is ignored (default).
    Enabled: If a ping request is sent from the external IP network to the router, it is sent back.

External web-based management
    You can use this option to specify whether the router may be configured via the mobile phone network or the external network using WBM.
    Disabled: External configuration via WBM is not possible. Set this option if you want to configure and maintain the router locally (default).
    Enabled: The router can be configured externally via WBM. Remote maintenance of the router is therefore possible. The router can be accessed via any external IP address. Access cannot be restricted by using a firewall.

External NAT (Masquerade)
    For outgoing data packets, the router can rewrite the specified sender IP addresses from its internal network to its own external address. This method is used if the internal addresses cannot be routed externally, e.g., because a private address area such as 192.168.x.x is used. This method is referred to as IP masquerading.
    Disabled: IP masquerading deactivated
    Enabled: IP masquerading is activated and communication from a private, local network to the Internet is supported (default).

Device access via SSH
    You can use this option to specify whether the router can be accessed via the SSH service.
    Disabled: The SSH service is not available. No access to the router via SSH (default).
    Enabled: Access to the router is possible via SSH service, from local network or via VPN tunnel.

4.6.2 Firewall (definition of firewall rules)

The device includes a stateful packet inspection firewall. The connection data of an active
connection is recorded in a database (connection tracking). Rules therefore only have to be
defined for one direction: data from the other direction of the relevant connection,
and only this data, is automatically allowed through.
The firewall can be enabled and disabled. For example, it can be deactivated for startup. By
default, the firewall is active and blocks incoming data traffic and only permits outgoing data
traffic.
If multiple firewall rules are defined, these are queried starting from the top of the list of
entries until an appropriate rule is found. This rule is then applied.
If the list of rules contains further subsequent rules that could also apply, these rules are
ignored.
The device supports a maximum of 32 rules for incoming data traffic and 32 rules for outgoing data traffic.

Figure 4-20: Network security >> Firewall

Network security >> Firewall

Firewall

Incoming traffic
    Lists the firewall rules that have been set up. They apply for incoming data links that have been initiated externally.

    Protocol
        TCP, UDP, ICMP, all

    From IP/To IP
        0.0.0.0/0 means all IP addresses. To specify an address area, use CIDR format (see CIDR (Classless Inter-Domain Routing) on page 131).

    From Port/To Port
        (Only evaluated for TCP and UDP protocols.)
        Any: Any port
        Startport-endport: Port area (e.g., 110 ... 120)

    Action
        Accept: Data packets may pass through.
        Reject: Data packets are sent back, so the sender is informed of their rejection.
        Drop: Data packets may not pass through. They are discarded, which means that the sender is not informed of their whereabouts.

    Log
        For each individual firewall rule you can specify whether the event is to be logged if the rule is applied.
        Yes: Event will be logged.
        No: Event will not be logged (default).

    New
        New: Add new firewall rule below last rule.
        Delete: Delete rule from the table.
        The arrows can be used to move the rule one row up or down.

Outgoing traffic
    Lists the firewall rules that have been set up. They apply for outgoing data links that have been initiated internally in order to communicate with a remote peer.
    Default setting: A rule is defined by default that allows all outgoing connections.
    If no rule is defined, all outgoing connections are prohibited (excluding VPN).

    Protocol
        TCP, UDP, ICMP, all

    From IP/To IP
        0.0.0.0/0 means all IP addresses. To specify an address area, use CIDR format (see CIDR (Classless Inter-Domain Routing) on page 131).

    From Port/To Port
        (Only evaluated for TCP and UDP protocols.)
        Any: Any port
        Startport-endport: Port area (e.g., 110 ... 120)

    Action
        Accept: Data packets may pass through.
        Reject: Data packets are sent back, so the sender is informed of their rejection.
        Drop: Data packets may not pass through. They are discarded, which means that the sender is not informed of their whereabouts.

    Log
        For each individual firewall rule you can specify whether the event is to be logged if the rule is applied.
        Yes: Event will be logged.
        No: Event will not be logged (default).

    New
        New: Add new firewall rule below last rule.
        Delete: Delete rule from the table.
        The arrows can be used to move the rule one row up or down.
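
The top-down, first-match evaluation described in this section can be modelled offline to find rules that can never be applied because an earlier, broader rule always matches first. This is an added example, not code from the manual or the device; the rule encoding, the (0, 65535) range for "Any", the Drop default when no rule matches, the port check for "all" rules on TCP/UDP packets and the sample addresses are assumptions.

```python
import ipaddress
from dataclasses import dataclass

ANY_PORT = (0, 65535)  # assumed encoding of the "Any" port setting


@dataclass(frozen=True)
class Rule:
    """One row of the incoming or outgoing rule list (field names follow the manual)."""
    protocol: str                 # "TCP", "UDP", "ICMP" or "all"
    from_ip: str                  # CIDR; 0.0.0.0/0 means all IP addresses
    to_ip: str
    from_port: tuple = ANY_PORT   # (startport, endport)
    to_port: tuple = ANY_PORT
    action: str = "Drop"          # "Accept", "Reject" or "Drop"
    log: bool = False


def net(cidr):
    return ipaddress.ip_network(cidr, strict=False)


def matches(rule, protocol, src, dst, sport=0, dport=0):
    """True if the packet falls inside every field of the rule."""
    if rule.protocol not in ("all", protocol):
        return False
    if ipaddress.ip_address(src) not in net(rule.from_ip):
        return False
    if ipaddress.ip_address(dst) not in net(rule.to_ip):
        return False
    if protocol in ("TCP", "UDP"):  # ports are only evaluated for TCP and UDP
        if not rule.from_port[0] <= sport <= rule.from_port[1]:
            return False
        if not rule.to_port[0] <= dport <= rule.to_port[1]:
            return False
    return True


def evaluate(rules, protocol, src, dst, sport=0, dport=0, default="Drop"):
    """Query the list from the top; the first matching rule decides.

    Returns (rule_number, action). rule_number is None when no rule matched
    and the assumed default action applies.
    """
    for number, rule in enumerate(rules, start=1):
        if matches(rule, protocol, src, dst, sport, dport):
            return number, rule.action
    return None, default


def covers(outer, inner):
    """True if every packet that `inner` can match is already matched by `outer`."""
    if outer.protocol not in ("all", inner.protocol):
        return False
    if not net(inner.from_ip).subnet_of(net(outer.from_ip)):
        return False
    if not net(inner.to_ip).subnet_of(net(outer.to_ip)):
        return False
    if inner.protocol == "ICMP":  # no ports to compare
        return True
    return all(o[0] <= i[0] and i[1] <= o[1]
               for o, i in ((outer.from_port, inner.from_port),
                            (outer.to_port, inner.to_port)))


def shadowed_rules(rules):
    """Return (rule_number, shadowing_rule_number) for rules that are never applied."""
    findings = []
    for j, later in enumerate(rules):
        for i, earlier in enumerate(rules[:j]):
            if covers(earlier, later):
                findings.append((j + 1, i + 1))
                break
    return findings


# Constructed incoming rule list (documentation address ranges, not from the manual).
SAMPLE_INCOMING = [
    Rule("TCP", "0.0.0.0/0", "192.168.0.0/24", to_port=(110, 120), action="Drop", log=True),
    Rule("TCP", "198.51.100.0/24", "192.168.0.10/32", to_port=(115, 115), action="Accept"),
    Rule("TCP", "203.0.113.0/24", "192.168.0.10/32", to_port=(443, 443), action="Accept"),
]

if __name__ == "__main__":
    print(evaluate(SAMPLE_INCOMING, "TCP", "198.51.100.7", "192.168.0.10", 40000, 115))
    print(shadowed_rules(SAMPLE_INCOMING))
```

In the sample list the Accept rule in row 2 is never reached because row 1 already drops the same traffic; moving row 2 above row 1 with the arrows changes the result.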

4.6.3 NAT table (port forwarding setup)

The NAT table lists the rules established for NAT (Network Address Translation).
The device has one IP address, which can be used to access the device externally. For incoming data packets, the device can convert the specified sender IP addresses to internal
addresses. This process is referred to as NAT (Network Address Translation). Using the
port number, the data packets can be redirected to the ports of internal IP addresses.
The device supports a maximum of 32 rules for port forwarding.

Figure 4-21: Network security >> NAT table

Network security >> NAT table

Protocol
    TCP, UDP, ICMP

In Port/To Port
    Only evaluated for TCP and UDP protocols.
    Any: Any port
    Startport-endport: Port area (e.g., 110 ... 120)

To IP
    IP address from the local network, incoming packets are forwarded to this address.

Masq
    For each individual rule you can specify whether IP masquerading should be used.
    Yes: IP masquerading activated, incoming packets from the Internet are assigned the IP address of the router, possibility of sending a response to the Internet, even without default gateway
    No: Default gateway required to send a response to the Internet (default)

Log
    For each individual rule you can specify whether the event is to be logged if the rule is applied.
    Yes: Event will be logged.
    No: Event will not be logged (default).

New
    New: Add new firewall rule below last rule.
    Delete: Delete rule from the table.
    The arrows can be used to move the rule one row up or down.

4.7 VPN

Requirements for a VPN connection

A general requirement for a VPN connection is that the IP addresses of the VPN peers are
known and can be accessed. The device supports up to three IPsec connections and up to
two OpenVPN connections. If the VPN LED of the device is illuminated, the VPN connection
is active.

In order to successfully establish an IPsec connection, the VPN remote peer must support
IPsec with the following configuration:
- Authentication via X.509 certificates or pre-shared secret key (PSK)
- Diffie-Hellman group 2 or 5
- 3DES or AES encryption
- MD5 or SHA-1 hash algorithms
- Tunnel mode
- Quick mode
- Main mode
- SA lifetime (1 second to 24 hours)

With regard to OpenVPN connections, the following functions are supported:
- OpenVPN client
- TUN device
- Authentication via X.509 certificates or pre-shared secret key (PSK)
- Static keys
- TCP and UDP transmission protocol
- Keep Alive

4.7.1 IPsec connections (setup)

IPsec (Internet Protocol Security) is a secure VPN standard that is used for communication
via IP networks.

Figure 4-22: VPN >> IPsec >> Connections

VPN >> IPsec >> Connections

IPsec connections

Monitor DynDNS
    Activate this function in order to check accessibility:
    - If the VPN remote peer does not have a fixed IP address and
    - If a DynDNS name is used as the Remote host.

Check interval
    Enter a check interval in seconds.

Enabled
    Yes: Entire VPN connection activated
    No: Entire VPN connection deactivated

Name
    Assign a descriptive name to each VPN connection. The VPN connection can be freely named or renamed.

Settings
    Click on Edit to specify the settings for IPsec (see page 62).

IKE
    Internet Key Exchange protocol provides automatic key management for IPsec.
    Click on Edit to specify the settings for IKE (see page 65).


Settings >> Edit

Figure 4-23: VPN >> IPsec >> Connections >> Settings >> Edit

VPN >> IPsec >> Connections >> Settings >> Edit

IPsec connection settings

Name
    Name of the VPN connection entered under IPsec connections

VPN
    Yes: Entire VPN connection activated
    No: Entire VPN connection deactivated

Remote host
    IP address or URL of the remote peer to which (or from which) the tunnel will be created.
    The Remote host setting is only used if Initiate has been selected under Remote connection, i.e., if the router establishes the connection.
    If Remote connection is set to Accept, the value %any is set internally for Remote host in order to wait for a connection.

Authentication
    X.509 remote certificate - X.509 certificate authentication method
    With the X.509 certificate option, each VPN device has a private (secret) key and a public key in the form of an X.509 certificate, which contains additional information about the certificate's owner and the certification authority (CA).
    The procedure for creating an X.509 certificate is described in Section Creating certificates on page 103.
    Pre-shared secret key (PSK) - Authentication method
    With a pre-shared secret key, each VPN device knows one shared private key, one password. Enter this shared key in the Pre-Shared Secret Key field.

Remote certificate
    Certificate used by the router to authenticate the VPN remote peer (remote certificate, .pem).
    The selection list contains the certificates that have been loaded on the router (see IPsec certificates (certificate upload) on page 68).

Local certificate
    Certificate used by the router to authenticate itself to the VPN remote peer (machine certificate, PKCS#12).
    The selection list contains the certificates that have been loaded on the router (see IPsec certificates (certificate upload) on page 68).

Remote ID
    Default: Empty field
    The Remote ID can be used to specify the name the router uses to identify itself to the remote peer. The name must match the data in the router certificate. If you leave the field empty, the data from the certificate is used.
    Valid values:
    - Empty, i.e., no entry (default). The Subject entry (previously Distinguished Name) in the certificate is then used.
    - The Subject entry in the certificate
    - One of the Subject Alternative Names, if listed in the certificate. If the certificate contains Subject Alternative Names, these are specified under Valid values. For example, these can include IP addresses, host names with @ prefix or e-mail addresses.

Local ID
    Default: Empty field
    The local ID can be used to specify the name the router uses to identify itself to the remote peer.
    For a more detailed explanation, see Remote ID.

Address remote network
    IP address/subnet mask of the remote network to which the VPN connection is to be established.

Address local network
    IP address/subnet mask of the local network
    Here, specify the address of the network or computer, which is connected locally to the router.
    NAT to local network set to None (default):
        Actual IP address/subnet mask of the local network. Here, specify the address of the network, which is connected locally to the router.
    With activation of Local 1:1 NAT and Remote masquerading:
        This virtual IP address/subnet mask enables the IP addresses for the remote network to be accessed via the VPN tunnel. You must enter the same settings for a remote network on the remote VPN router.

Connection NAT
    None: No NAT within the VPN tunnel (default)
    Local 1:1 NAT: Virtual IP addresses are used for communication via the VPN tunnel. These addresses are linked to the real IP addresses for the set network that has been connected. The subnet mask remains unchanged.
    Remote masquerading: Virtual addresses are used for communication via the VPN tunnel (as with Local 1:1 NAT). In addition, the sender IP address (source IP) of all incoming packets using the VPN tunnel is replaced with the router IP address. In this way, devices that cannot use a default gateway can be accessed in the local network through the VPN tunnel.

NAT to local network
    Here, enter the real IP address area for the local network under which this network is accessed from the remote network via 1:1 NAT. You can use this function, for example, to access two machines with the same IP address via a VPN tunnel.

Remote connection
    Side from which the connection can be established
    Initiate: VPN connection is started by the router.
    Accept: VPN connection is initiated by the remote peer.
    Additional settings:
    Initiate on Input...: VPN tunnel is started or stopped via a digital input.
    Initiate on SMS: VPN tunnel is started via SMS. You must also determine after how many minutes the VPN tunnel will be stopped using the autoreset function.
    Initiate on Call: VPN is started via a call. You must also determine after how many minutes the VPN tunnel will be stopped using the autoreset function.

IKE >> Edit

Figure 4-24: VPN >> IPsec >> Connections >> IKE >> Edit

VPN >> IPsec >> Connections >> IKE >> Edit

IPsec - Internet key exchange settings

Name
    Name of the VPN connection entered under IPsec connections

Phase 1 ISAKMP SA
Key exchange

ISAKMP SA encryption
    Encryption algorithm
    Internet Security Association and Key Management Protocol (ISAKMP) is a protocol for creating Security Associations (SA) and exchanging keys on the Internet.
    AES128 is preset as standard.
    Fundamentally, the following applies: the more bits an encryption algorithm has (specified by the appended number), the more secure it is. The relatively new AES-256 method is therefore the most secure; however, it is still not used that widely. The longer the key, the more time-consuming the encryption procedure.

ISAKMP SA hash
    Leave this set to all. It then will not make a difference whether the remote peer is operating with MD5 or SHA-1.

ISAKMP SA lifetime (sec.)
    The keys of an IPsec connection are renewed at defined intervals in order to increase the difficulty of an attack on an IPsec connection.
    ISAKMP SA lifetime: Lifetime in seconds of the keys agreed for ISAKMP SA.
    Default setting: 3600 seconds (1 hour)
    The maximum lifetime is 86400 seconds (24 hours).

Phase 2 IPsec SA
Data exchange
    In contrast to Phase 1 ISAKMP SA (key exchange), the procedure for data exchange is defined here. It does not necessarily have to differ from the procedure defined for key exchange.

IPsec SA encryption
    See ISAKMP SA encryption.

IPsec SA hash
    See ISAKMP SA encryption.

IPsec SA lifetime (sec.)
    Lifetime in seconds of the keys agreed for IPsec SA
    Default setting: 28800 seconds (8 hours). The maximum lifetime is 86400 seconds (24 hours).

Perfect forward secrecy (PFS)
    Yes: Perfect Forward Secrecy activated
    No: Perfect Forward Secrecy deactivated

DH/PFS group
    Key exchange procedure (defined in RFC 3526 More Modular Exponential (MODP) Diffie-Hellman groups for Internet Key Exchange (IKE))
    Perfect Forward Secrecy (PFS): method for providing increased security during data transmission. With IPsec, the keys for data exchange are renewed at defined intervals. With PFS, new random numbers are negotiated with the remote peer instead of being derived from previously agreed random numbers.
    5/modp1536
    2/modp1024
    Fundamentally, the following applies: the more bits an encryption algorithm has (specified by the appended number), the more secure it is. The longer the key, the more time-consuming the encryption procedure.

Dead peer detection
    If the remote peer supports the Dead Peer Detection (DPD) protocol, the relevant peers can detect whether the IPsec connection is still valid or whether it needs to be established again.
    Behavior in the event that the IPsec connection is aborted:
    Off: No Dead Peer Detection
    On: Dead Peer Detection activated
        In Restart mode with VPN Initiate
        In Clear mode with VPN Accept

DPD delay (sec.)
    Delay between requests for a sign of life
    Period of time in seconds after which DPD keep-alive requests should be sent. These requests test whether the remote peer is still available.
    Default setting: 30 seconds

DPD timeout (sec.)
    Period of time after which the connection to the remote peer should be declared dead, if there has been no response to the keep-alive requests.
    Default setting: 120 seconds
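
For each IKE setting above where the manual lists two alternatives (3DES or AES, MD5 or SHA-1, group 2 or 5, PFS Yes or No), the following added example flags a connection that uses the weaker one and checks the lifetime limits. It is not code from the manual or the device; the dictionary keys mirror the WBM field names, while the value spellings and both sample profiles are constructed assumptions.

```python
# Weaker option -> stronger option that the manual lists for the same field.
STRONGER_OPTION = {
    "encryption": {"3DES": "AES"},
    "hash": {"MD5": "SHA-1"},
    "DH/PFS group": {"2/modp1024": "5/modp1536"},
}
MAX_LIFETIME = 86400  # seconds (24 hours), the maximum lifetime the manual states


def accepted_hashes(setting):
    """'all' accepts whichever hash the peer operates with, so MD5 stays possible."""
    return ["MD5", "SHA-1"] if setting == "all" else [setting]


def audit(conn):
    """Return a list of (field, value, advice) tuples for one IPsec connection."""
    findings = []
    for phase in ("ISAKMP SA", "IPsec SA"):
        enc = conn[phase + " encryption"]
        if enc in STRONGER_OPTION["encryption"]:
            findings.append((phase + " encryption", enc,
                             "use " + STRONGER_OPTION["encryption"][enc]))
        hash_setting = conn[phase + " hash"]
        if any(h in STRONGER_OPTION["hash"] for h in accepted_hashes(hash_setting)):
            findings.append((phase + " hash", hash_setting,
                             "select SHA-1 so that MD5 is not accepted"))
        lifetime = conn[phase + " lifetime"]
        if not 1 <= lifetime <= MAX_LIFETIME:
            findings.append((phase + " lifetime", lifetime,
                             "must be between 1 and 86400 seconds"))
    group = conn["DH/PFS group"]
    if group in STRONGER_OPTION["DH/PFS group"]:
        findings.append(("DH/PFS group", group,
                         "use " + STRONGER_OPTION["DH/PFS group"][group]))
    pfs = conn["Perfect forward secrecy (PFS)"]
    if pfs != "Yes":
        findings.append(("Perfect forward secrecy (PFS)", pfs,
                         "set to Yes so that new random numbers are negotiated"))
    return findings


# Constructed profile that uses the weaker choice in every field.
LEGACY = {
    "ISAKMP SA encryption": "3DES", "ISAKMP SA hash": "all", "ISAKMP SA lifetime": 3600,
    "IPsec SA encryption": "3DES", "IPsec SA hash": "MD5", "IPsec SA lifetime": 28800,
    "DH/PFS group": "2/modp1024", "Perfect forward secrecy (PFS)": "No",
}

# Constructed profile that uses the stronger choice in every field.
HARDENED = {
    "ISAKMP SA encryption": "AES-256", "ISAKMP SA hash": "SHA-1", "ISAKMP SA lifetime": 3600,
    "IPsec SA encryption": "AES-256", "IPsec SA hash": "SHA-1", "IPsec SA lifetime": 28800,
    "DH/PFS group": "5/modp1536", "Perfect forward secrecy (PFS)": "Yes",
}

if __name__ == "__main__":
    for field, value, advice in audit(LEGACY):
        print(f"{field} = {value}: {advice}")
    print("hardened findings:", audit(HARDENED))
```

Both peers must be configured with the same choices, so a change flagged here has to be made on the remote peer as well.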

4.7.2 IPsec certificates (certificate upload)

A certificate that is loaded on the router is used to authenticate the router at the remote peer.
The certificate acts as an ID card for the router, which it shows to the relevant remote peer.
The procedure for creating an X.509 certificate is described in Section 5.5, Creating certificates.
There are various certificate types:
- Remote certificates contain the public key used to decode the encrypted data.
- Own or machine certificates contain the private key used to encrypt the data. The private key is kept secret. A PKCS#12 file is therefore protected by a password.
- The CA certificate or root certificate is the mother of all certificates used. It is used to check the validity of the certificates.
By importing a PKCS#12 file, the router is provided with a private key and the corresponding
certificate. You can load multiple PKCS#12 files on the router, enabling the router to show
the desired self-signed or a CA-signed machine certificate to the remote peer for various
connections.
To use an installed certificate, the certificate must be assigned under VPN >> IPsec >>
Connections >> Settings >> Edit. Click on Apply to load the certificate onto the router.

Figure 4-25: VPN >> IPsec >> Certificates

VPN >> IPsec >> Certificates

IPsec certificates

Load Remote Certificate (.cer .crt)
    Here you can upload certificates, which the router can use for authentication with the VPN remote peer.
    The procedure for creating an X.509 certificate is described in Section 5.5, Creating certificates.
    Upload: Import the certificate. Click on Browse to select the certificate that is to be imported.
    Under VPN >> IPsec >> Connections >> Settings >> Edit, one of the certificates listed under Remote certificate or Local certificate can be assigned to each VPN connection.

Load Own PKCS#12 Certificate (.p12)
    Upload: Import the certificate you have received from the provider. The file must be in PKCS#12 format. Click on Browse to select the certificate that is to be imported.
    Under VPN >> IPsec >> Connections >> Settings >> Edit, one of the certificates listed under Remote certificate or Local certificate can be assigned to each VPN connection.
    Password: Password used to protect the private key of the PKCS#12 file. The password is assigned when the key is exported.

Remote Certificates
    Overview of the imported .cer/.crt certificates of the remote peers
    Click on Delete to delete a certificate.

Own Certificates
    Overview of the imported own PKCS#12 certificates
    Click on Delete to delete a certificate.
    The symbols indicate whether the PKCS#12 file contains a CA certificate, a machine certificate or a private key (green = present).

4.7.3 IPsec status (VPN connection status)

Figure 4-26: VPN >> IPsec >> Status

VPN >> IPsec >> Status

IPsec status

Active IPsec Connections
    Status of the active VPN connection

4.7.4 OpenVPN connections (setup)

OpenVPN is a program for creating a virtual, private network (VPN) via an encrypted connection. The device supports two OpenVPN connections.

Figure 4-27: VPN >> OpenVPN >> Connections

VPN >> OpenVPN >> Connections

OpenVPN connections

Enabled
    Yes: Defined VPN connection active
    No: Defined VPN connection not active

Name
    Assign a descriptive name to each VPN connection. The VPN connection can be freely named or renamed.

Tunnel
    Click Edit to specify the settings for OpenVPN (see Tunnel >> Edit on page 72).

Advanced
    Click Edit to make extended settings for OpenVPN (see Advanced >> Edit on page 74).


Tunnel >> Edit

Figure 4-28: VPN >> OpenVPN >> Connections >> Tunnel >> Edit

VPN >> OpenVPN >> Connections >> Tunnel >> Edit

OpenVPN tunnel

Name
    Assign a descriptive name to each VPN connection. The VPN connection can be freely named or renamed.

VPN
    Yes: Entire VPN connection activated
    No: Entire VPN connection deactivated

Remote host
    IP address or URL of the remote peer to which the tunnel will be created.

Remote port
    Port of the remote peer to which the tunnel will be created (default: 1194).

Protocol
    Choose whether UDP or TCP should be used for transport.

LZO compression
    Choose whether data transmission for the OpenVPN connection should be compressed.
    Disabled: No OpenVPN compression
    Adaptive: Adaptive OpenVPN compression
    Yes: OpenVPN compression

Allow remote float
    Activate this option in order to accept authenticated packets from each IP address for the OpenVPN connection. This option is recommended when dynamic IP addresses are used for communication.

Redirect default gateway
    Activate this option in order to redirect all network communication to external networks (e.g., requests to the Internet) using this tunnel. The OpenVPN tunnel is used as the default gateway of the local network.

Local port
    Local port from which the tunnel is created (default: 1194).

Authentication
    X.509 Certificate - Authentication method: Each VPN device has a private (secret) key in the form of an X.509 certificate, which contains additional information about the certificate's owner and the certification authority (CA).
    Pre-shared secret key: Each VPN device knows one shared private key. Load this shared key as a Static key (see page 76).

Local certificate
    Certificate used by the router to authenticate itself to the VPN remote peer

Check remote certificate type
    Activate this option to check the OpenVPN connection certificates.

Connection NAT
    None: No NAT within the VPN tunnel (default)
    Local 1:1 NAT: Virtual addresses are used for communication via the VPN tunnel. The virtual addresses are linked to the real IP addresses for the set network that has been connected. The subnet mask remains unchanged.

Address local network (1)
    Virtual IP address/subnet mask of the local network. This virtual IP address enables the IP addresses for the remote network to be accessed via the VPN tunnel. You must enter the same settings for a remote network on the remote VPN router.

NAT to local network (1)
    Here, enter the real IP address area for the local network under which this network is accessed from the remote network via 1:1 NAT. You can use this function, for example, to access two machines with the same IP address via a VPN tunnel.

Encryption
    Choose the encryption algorithm for the OpenVPN connection.

Keep alive
    Period of time in seconds after which keep-alive requests should be sent. These requests test whether the remote peer is still available.
    Default setting: 30 seconds

Restart
    Period of time in seconds after which the connection to the remote peer should be restarted, if there has been no response to the keep-alive requests.
    Default setting: 120 seconds

(1) Only if Local 1:1 NAT is activated.
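
The Local 1:1 NAT setting described for both the IPsec and the OpenVPN tunnel links each real address to a virtual address with the same host part. The following added example (not code from the manual or the device) computes that mapping for two sites that use the same real network and checks that their virtual networks do not overlap; the class, the site names and all addresses are constructed assumptions.

```python
import ipaddress


class OneToOneNat:
    """Maps a real local network onto a virtual network of the same size."""

    def __init__(self, real_net, virtual_net):
        self.real = ipaddress.ip_network(real_net)
        self.virtual = ipaddress.ip_network(virtual_net)
        # The manual states that the subnet mask remains unchanged.
        if self.real.prefixlen != self.virtual.prefixlen:
            raise ValueError("real and virtual network must use the same subnet mask")
        self._offset = int(self.virtual.network_address) - int(self.real.network_address)

    def to_virtual(self, real_ip):
        """Address under which a local device is reached through the tunnel."""
        ip = ipaddress.ip_address(real_ip)
        if ip not in self.real:
            raise ValueError(f"{ip} is not in {self.real}")
        return str(ipaddress.ip_address(int(ip) + self._offset))

    def to_real(self, virtual_ip):
        """Real local address behind a virtual tunnel address."""
        ip = ipaddress.ip_address(virtual_ip)
        if ip not in self.virtual:
            raise ValueError(f"{ip} is not in {self.virtual}")
        return str(ipaddress.ip_address(int(ip) - self._offset))


def conflicting_sites(sites):
    """Return pairs of site names whose virtual networks overlap.

    Overlapping virtual networks would make two sites indistinguishable
    from the remote side of the tunnels.
    """
    names = sorted(sites)
    return [(a, b)
            for i, a in enumerate(names)
            for b in names[i + 1:]
            if sites[a].virtual.overlaps(sites[b].virtual)]


# Constructed example: two machines shipped with the identical real network.
SITES = {
    "machine_a": OneToOneNat("192.168.0.0/24", "10.1.1.0/24"),
    "machine_b": OneToOneNat("192.168.0.0/24", "10.1.2.0/24"),
}

if __name__ == "__main__":
    for name, nat in SITES.items():
        print(name, "192.168.0.50 ->", nat.to_virtual("192.168.0.50"))
    print("conflicts:", conflicting_sites(SITES))
```

The virtual network of each site is the value that has to be entered as the remote network on the remote VPN router.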



Advanced >> Edit

Figure 4-29: VPN >> OpenVPN >> Connections >> Advanced >> Edit

VPN >> OpenVPN >> Connections >> Advanced >> Edit

OpenVPN tunnel advanced

Name
    Name of the VPN connection entered under OpenVPN connections.

TUN-MTU
    Maximum IP packet size that can be used for the OpenVPN connection. Default setting: 1500
    MTU = Maximum Transfer Unit

Fragment
    Maximum size for unencrypted UDP packets to be sent through the tunnel. Larger packets are transmitted in fragments. Default setting: 1450
    Fragment is deactivated if the box is unchecked (default).

MSS fix
    Maximum size for TCP packets to be sent via a UDP tunnel. The maximum packet size in bytes is used for TCP connection via the OpenVPN tunnel.
    MSS fix is deactivated if the box is unchecked (default).
    If both Fragment and MSS fix are activated, the value for MSS fix is set automatically and cannot be changed manually.

Renegotiate key interval
    Lifetime in seconds of the agreed keys
    Default setting: 3600 seconds (1 hour)
    The keys of an OpenVPN connection are renewed at defined intervals in order to increase the difficulty of an attack on an OpenVPN connection.

4.7.5 OpenVPN certificates (certificate upload)

A certificate that is loaded on the router is used to authenticate the router at the remote peer.
The certificate acts as an ID card for the router, which it shows to the relevant remote peer.

Figure 4-30: VPN >> OpenVPN >> Certificates

VPN >> OpenVPN >> Certificates

OpenVPN certificates

Load own PKCS#12 certificate (.p12)

    Upload
        Certificate you have received from your provider
        The file must be in PKCS#12 format. Click on Browse to select the certificate that is to be imported.
        Under VPN >> OpenVPN >> Connections >> Tunnel >> Edit, one of the certificates listed under Local Certificate can be assigned to each VPN connection.

    Password
        Password used to protect the private key of the PKCS#12 file. The password is assigned when the key is exported.

Own Certificate

    Name
        Overview of the imported PKCS#12 certificates
        Click on Delete to delete a certificate.
        The symbols indicate whether a CA certificate, a machine certificate or a private key was found in the PKCS#12 file (green = present).

4.7.6 Static keys (pre-shared secret key authentication)

Static key authentication is based on a symmetrical encryption method where the communication partners first exchange a shared key via a secure channel. All tunnel network traffic
is then encrypted using this key and can be decoded by anyone who has the key.

Figure 4-31: VPN >> OpenVPN >> Static keys

VPN >> OpenVPN >> Static keys

Status

Generate static key
    Generates a key for the OpenVPN connection. This key can be saved locally on the computer.

Load static key
    Loads the key on the mobile phone router

Static keys > Name
    Names of the keys that are saved in the router

4.7.7 OpenVPN status (VPN connection status)

Figure 4-32: VPN >> OpenVPN >> Status

VPN >> OpenVPN >> Status

OpenVPN status

Active OpenVPN Connections
    Status of the active VPN connection

4.8 I/O

The router has six integrated digital switching inputs and four integrated digital switching
outputs for alarms and switching.

4.8.1 Inputs (configuration)

The inputs can be used for SMS or e-mail alerts. Each input can be configured individually.
Please note that inputs that are, for example, used to start a VPN connection, cannot also
be used for alerts.

Figure 4-33

I/O >> Inputs

I/O >> Inputs


Inputs

High

Activate High when a message should be sent at a High input level. Click on Apply and choose whether you want to be alerted by SMS or e-mail.
Click on Edit.
For an SMS message, enter the following:
Recipient from the telephone book
Message text
For an e-mail alert, enter the following:
To: Recipient
Cc: Copy recipient
Subject: Subject
Message text


Low

Activate Low when a message should be sent at a Low input level. Click on Apply and choose whether you want to be alerted by SMS or e-mail.
Click on Edit.
For an SMS message, enter the following:
Recipient from the telephone book
Message text
For an e-mail alert, enter the following:
To: Recipient
Cc: Copy recipient
Subject: Subject
Message text

Alarm

Activate the ALR LED and set the light duration for the LED in minutes.

4.8.2

Outputs (configuration)

The outputs can be switched remotely or, alternatively, provide information about the status
of the router. Each output can be configured individually.

Figure 4-34

I/O >> Outputs

I/O >> Outputs


Outputs

Function

Manual: Manual switching of the output via WBM


Remote controlled: Remote switching via SMS or socket
server. Automatic reset of the output can be used as an option.
Activate Auto reset and set the time duration in minutes.
Radio network: The output is switched when the router is
logged into a mobile phone network.
Packet service: The output is switched when the router has
established a packet data connection and received a valid IP
address from the provider.
VPN service: The output is switched if the router has established a VPN connection.
Incoming call: The output is switched when the router is
called by a call number entered into the phone book.
Connection lost: The output is switched when the router connection check does not reach the configured reference address.

Autoreset

Period of time in minutes until the output is reset automatically

4.8.3

Phonebook

Enter here the call numbers:


For the recipients of SMS alarm messages
For those entitled to switch outputs

Figure 4-35

I/O >> Phonebook

4.8.4

Socket server

The router has a socket server that can accept operating commands via Ethernet interface.
These commands must be sent in XML format.
Basic communication is initiated by a client from the local network. A TCP connection must
therefore be established to the set server port. The socket server responds to the client request and then terminates the TCP connection. For another request, a new TCP connection
must be established. Only one request is permitted for each connection.

Figure 4-36

I/O >> Socket server

I/O >> Socket server


Socket configuration

Socket server

Disabled: Operation via Ethernet interface not possible


Enabled: Operation via Ethernet interface possible

Server Port
(default 1432)

Socket server port (default: 1432)


Please note that port 80 cannot be used for the socket server.
To use the router, a TCP socket connection must be established to the configured port. The data format must conform to
XML Version 1.0.

XML newline char

Character to insert a line break in an XML file


LF: Line feed, line break after 0x0A (hex)
CR: Carriage return, line break after 0x0D (hex)
CR+LF: Line break after carriage return, followed by line feed


XML bool values

Format to respond to requests using XML


Verbose: Response in words (e.g., on/off)
Numeric: Short numerical response (e.g., 1/0)

In general, each XML file starts with the header <?xml version="1.0"?> or
<?xml version="1.0" encoding="UTF-8"?>, followed by the basic entry. The following basic
entries are available:
<io> ... </io>          I/O system
<info> ... </info>      Request general device information
<cmgs> ... </cmgs>      Send SMS messages
<cmgr> </cmgr>          Receive SMS messages
<cmga> ... </cmga>      Confirm receipt of SMS
<email> ... </email>    Send e-mails

I/O system (switching outputs and requesting input states)


Outputs can be set or inputs read using XML socket servers. The outputs used must previously be configured to Remote Controlled.
Make sure that the XML files do not contain any line breaks.

Request state of output 1


Enable output 2
Request state of input 1

On/off or 0/1 can be output as a value, depending on the settings for XML bool values.
Response from router (shown with line break):

State of output 1
State of output 2
State of input 1


Requesting general device information
You can read status information from the device:

Request device data


Data regarding the mobile phone connection (mobile
phone devices only)
Request data regarding the Internet connection
Logical states regarding the connections
Response from router (shown with line break):


You can use the Select attribute in order to read an individual value. The following example
shows the request of an RSSI value:

Sending SMS messages


Send XML data with the following structure via Ethernet to the device IP address:

Make sure that the XML data does not contain any line breaks and that the text is
UTF-8-encoded.
The ASCII characters 34dec, 38dec, 39dec, 60dec and 62dec must be entered as &quot;,
&amp;, &apos;, &lt; and &gt;, respectively.
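The constraints above (no line breaks, UTF-8, the five reserved characters written as entities) and the one-request-per-connection rule can be enforced in a small client. This is an added example, not code from the manual: placing destaddr as an attribute of <cmgs> with the message as element content is an assumption based on Table A-1, and the function names and the sample phone number are made up.

```python
import socket
from xml.sax.saxutils import escape

XML_HEADER = '<?xml version="1.0" encoding="UTF-8"?>'
DEFAULT_PORT = 1432  # socket server default port given in the manual

# escape() already rewrites & < >; add the two quote characters so that all
# five characters named in the manual (34, 38, 39, 60, 62 decimal) become entities.
_QUOTES = {'"': "&quot;", "'": "&apos;"}


def xml_text(value: str) -> str:
    """Entity-escape a value and refuse line breaks, which the server forbids."""
    if "\r" in value or "\n" in value:
        raise ValueError("request data must not contain line breaks")
    return escape(value, _QUOTES)


def build_cmgs(destaddr: str, text: str) -> bytes:
    """Build a single-line, UTF-8 encoded <cmgs> request.

    Assumed layout (the request itself is not shown on the page): destaddr is
    an attribute of <cmgs>, the message text is the element content.
    """
    if not 1 <= len(destaddr) <= 160:  # Table A-1: 160 characters, maximum
        raise ValueError("destaddr must be 1 to 160 characters long")
    request = (
        f'{XML_HEADER}<cmgs destaddr="{xml_text(destaddr)}">'
        f"{xml_text(text)}</cmgs>"
    )
    return request.encode("utf-8")


def send_request(host: str, payload: bytes, port: int = DEFAULT_PORT,
                 timeout: float = 5.0) -> bytes:
    """Send one request and read the reply until the router closes the socket.

    The server permits only one request per TCP connection, so every call
    opens a fresh connection.
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(payload)
        chunks = []
        while True:
            chunk = sock.recv(4096)
            if not chunk:
                break
            chunks.append(chunk)
    return b"".join(chunks)


if __name__ == "__main__":
    # Constructed sample values; the request is printed, not sent.
    print(build_cmgs("+00 000 0000000", 'Pump "P1" <5% & falling').decode("utf-8"))
```

Escaping both the attribute and the content means that alarm text taken from operators or sensors cannot break out of the element and add markup to the request.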
If the XML data is received correctly, the device answers with the sending status:

Receiving SMS messages


In order to receive SMS messages via Ethernet, enter the following:

Response from router (shown with line break):

The response means that there is currently no received SMS message available. The following error codes are possible:

Empty = No SMS message received

Busy = Busy, try again later

System error = Problem related to communication with the mobile phone engine


If the router has received an SMS message and this message is available, the following
message is issued:

Confirming receipt of SMS


In order to confirm that the SMS has been received correctly via Ethernet, the following command must be used:

Response from router (shown with line break):

The SMS message is then marked as read in the router.


Sending e-mails
Send XML data with the following structure via Ethernet to the device IP address:

Response from router (shown with line break):

Router response in the event of an error:

4.9

System

4.9.1

System configuration

Enter here the basic options for the router with regard to web-based management and logging. The router can store log files on an external log server via UDP.

Figure 4-37

System >> System configuration

System >> System configuration


System configuration

Web configuration

Server port
Web-based management for the router is accessible using
this port (default: 80).

Log configuration

Remote UDP logging


Disabled: No external logging
Enabled: Logging on external server activated

Server IP address

IP address of the log server

Server port
(default 514)

Port of the log server (default: 514)

4.9.2

User (password change)

Figure 4-38

System >> User

System >> User


User setup

Admin

Unrestricted access to all areas


Old password
New password
Retype new password: Enter new password again

User

Restricted access (read-only)


Default setting: public
Old password
New password
Retype new password: Enter new password again

4.9.3

Log file

With the help of the router log file, you can diagnose different events and operating states.
The log file is a circulating memory where the oldest entries are overwritten first.

Figure 4-39

System >> Log file

System >> Log file


Log file

Clear

Delete all entries in the log file.

View

Show the log file in the browser window.

Save

Save the log file as a text file on the local computer.

4.9.4

E-mail configuration

For e-mail alerts, you can configure the mail server via which these alerts are sent. The mail
server must support the SMTP protocol. SMTP stands for Simple Mail Transfer Protocol.

Figure 4-40

System >> E-mail configuration

System >> E-mail configuration


E-mail configuration

SMTP server

Host name or IP address of the mail server

Server port
(default 25)

Mail server port (default: 25)

Transport layer security

None: Unencrypted connection to mail server
STARTTLS: Encrypted connection to mail server using STARTTLS
SSL/TLS: Encrypted connection to mail server using SSL/TLS

Authentication

No authentication: No authentication required
Plain password: Authentication with user name and password. User name and password are transmitted in unencrypted form.
Encrypted password: Authentication with user name and password. User name and password are transmitted in encrypted form.

User name

User name for login to mail server

Password

Corresponding password for login to mail server

From

E-mail address of sender

4.9.5

Configuration up-/download

You can save the active configuration to a file and load prepared configurations via WBM.

Figure 4-41

System >> Configuration up-/download

System >> Configuration up-/download


Configuration up-/download

Download

Click on Save to save the active configuration locally to a file.


Activate the XML format option to save the router configuration as an editable XML structure.

Upload

Import a saved configuration. Click on Browse to select the configuration to be imported. Click on Apply to load the selected configuration (cfg format or XML format).

Reset to factory defaults

Click on Apply to reset the router to the default settings. This will reset all settings, including IP settings. Imported certificates remain unaltered.

4.9.6

Date/time

Figure 4-42

System >> Date/time

System >> Date/time


Date/time

System time

Here you can set the time manually if no NTP server has been
set up (see below) or the NTP server cannot be reached.

Time synchronization

Enabled: The router synchronizes the time and date with a time server. Initial time synchronization can take up to 15 minutes. During this time, the router continuously compares the time data of the external time server and that of its own clock so that this can be adjusted as accurately as possible. Only then can the router act as the NTP server for the devices connected to its LAN interface. The router provides the system time.


NTP server

NTP = Network Time Protocol


The router can act as the NTP server for devices that are connected to the LAN interface. In this case, you have to configure
the devices so that the local address of the router is specified
as the NTP server address. For the router to act as the NTP
server, it must obtain the current date and the current time
from an NTP server (time server). You must therefore specify
the address of a time server. In addition, NTP synchronization must be set to Enabled.
If the time has been synchronized successfully with the time
server, a green symbol with a checkmark will be displayed.
Local: The specified NTP server can be accessed with the IP
address of the local interface (LAN). Activate this option if the
NTP server can be reached in the local LAN or via the VPN
tunnel.
Wireless network: Activate this option if the NTP server is on
the Internet (default).

Time zone

Select the time zone.

Daylight saving time

Enabled: Daylight savings is taken into account.


Disabled: Daylight savings is not taken into account.

4.9.7

Reboot (router)

Figure 4-43

System >> Reboot

System >> Reboot


Reboot

Reboot NOW!

Reboot the router.


Any active data transmissions will be aborted.
Do not trigger a reboot while data transmission
is active.

Daily reboot

Define the days of the week on which the router will be restarted at the specified time.
Following a reboot, another login is made into the mobile
phone network. The provider resets the data link and calculates charges. Regular rebooting provides protection against
the provider aborting and reestablishing the connection at an
unforeseeable point in time.

Time

Time specified in Hours:Minutes

Event

Choose the digital input with the High signal which will be
used to restart the router if required.
Make sure that following a restart the signal is Low again so
that the router starts up normally.

4.9.8

Firmware update

Figure 4-44

System >> Firmware update

System >> Firmware update


Firmware update modem
Update web-based management

Updates ensure that you can benefit from function extensions and product updates.
Updates can be downloaded at phoenixcontact.net/products.
To install updates:

Click on Browse and select the update file with the *.fw
extension.

Click on Apply.

Wait until the update has been performed and the router
restarts automatically.
Do not start the router manually and do not interrupt the power supply during the update process.

Creating X.509 certificates


You need certificates for a secure VPN connection. Certificates can be acquired from certification authorities or you can create them using the appropriate software. The following example shows how to create X.509 certificates using Version 0.9.3 of the XCA program.
The XCA program can be downloaded at http://xca.sourceforge.net.

5.1

Installing

Start the setup file and follow the on-screen instructions of the setup program.

5.2

Creating a new database

Start the XCA program.
Create a new database via File, New Database.

Figure 5-1

Creating a new database

Assign a password to encrypt the database.

Figure 5-2

Assigning a password

5.3

Creating a CA certificate

You first create a CA (Certificate Authority) certificate. This root certificate acts as your own
certification body and is used for signing all certificates that are derived from it, thereby
proving the authenticity of these certificates.

Switch to the Certificate tab and create a new certificate.


In the program window shown, there is already a preset self-signed certificate with the signature algorithm SHA-1.

Figure 5-3

Creating a new CA certificate

Enter information about the owner of the root certificate via the Subject tab.

Figure 5-4

Entering information with regard to the owner

Create a key for this certificate. You can retain the preset name, key type and key size.

Figure 5-5

Creating a key


The period of validity of the certificate is specified on the Extensions tab. The root certificate should have a longer period of validity than the machine certificates that are to be created later. In this example, the period of validity is set to 10 years.

Set the certificate type to Certification Authority.

Activate all the options as shown in Figure 5-6.

Figure 5-6

Setting the CA certificate validity and type

Click OK.

The certificate is now created. A new root certificate from which you can derive further machine certificates appears in the overview.

Figure 5-7

CA certificate created

5.4

Creating templates

When using templates, you can create machine certificates quickly and easily.

Switch to the Templates tab and create a new template for an end entity certificate.

When prompted for the Preset template values, select Nothing.

Figure 5-8

Creating a new template

You can make presettings for certificates that are to be created later using the Subject tab. The names must be assigned in the corresponding certificates. The entry in angle brackets represents a placeholder that will be replaced when using the template.

Figure 5-9

Creating a template - entering information with regard to the owner

In the Extensions tab, set the certificate type to End Entity, as the template is to be
used for machine certificates.
In this example, the validity of the certificates to be created is 365 days. After expiry of
the end date, the certificates can no longer be used.

Figure 5-10

Creating a template - specifying the certificate validity and type

Click OK.

The template is created. Based on this template, you can now create certificates signed by
the root certificate.

5.5

Creating certificates

Switch to the Certificates tab to create certificates based on the template.


Create a new certificate.
A program window opens. The root certificate that is to be used for signing is specified on the Source tab. In addition, you can select one of the existing templates. Click on
Apply all to read in the data.

Figure 5-11

Creating a certificate


The fields on the Subject tab will now either be empty or contain the presettings
from the loaded template. When making entries on this tab, please note that
the certificates must at least have different names (internal name and common name). For
example, you can use the equipment identification of the machine or the location as the
name.

Figure 5-12

Creating a certificate - subject

Create a new private key for this certificate.

Figure 5-13

Creating a key for the certificate

Click OK.

You have now created a machine certificate signed by the Certificate Authority (CA).

5.6

Exporting certificates

In order to use the machine certificate for a router, it must first be exported.

Select the required certificate from the list and click on Export.

Figure 5-14

Selecting the certificate to be exported

The entire certificate including the private key and the CA certificate must be in PKCS #12
with Certificate Chain format. The certificate can then be uploaded to the relevant device
as a machine certificate.

Figure 5-15

Exporting the certificate


For security reasons, the machine certificate is protected by using a freely selectable password.

Enter the password. You need the password to load the machine certificate to the respective device.

Figure 5-16

Entering the password

In addition, you need to export the remote certificate. This certificate is stored in PEM
format without the private keys.

Figure 5-17

Exporting the remote certificate

A Technical appendix

A1

XML elements

Table A-1

Data definition of the XML elements used

Category

XML element

Description

Info

Device group

serialno

Device serial number

hardware

Device hardware revision

firmware

Firmware release

wbm

Web-based management version

imei

SIM card IMEI

Radio group

provider

Provider name (text)

rssi

Receive field strength (decimal number 0 ... 99)


0 -113 dBm or less
1 -111 dBm
2 ... 30 -109 dBm ... -53 dBm
31 -51 dBm or more
99 Not yet measured or cannot be determined

creg

Status of mobile phone network registration (decimal number 0 ... 5)


0 Not registered, no network search
1 Registered in the home network
2 Not yet registered, network search
3 Registration rejected
4 Not used
5 Registered in a different network (roaming)

lac

Location Area Code (LAC), location area of the device in a mobile phone
network (hexadecimal number, maximum of 4 digits)

ci

Cell ID, unique radio cell identification within the LAC (hexadecimal number,
maximum of 8 digits)

packet

Packet data status (decimal number 0 ... 8)


0 Offline (no Internet connection)
1 Online (Internet connection)
2 GPRS online
3 EDGE online
4 UMTS online
5 HSDPA online
6 HSUPA online
7 HSDPA + HSUPA online
8 LTE online

simstatus

SIM card status (decimal number 0 ... 5)


0 Unknown
1 No SIM card
2 Waiting for PIN
3 Incorrect PIN entered
4 Waiting for PUK
5 Ready

simselect

SIM card selection (decimal number 0 ... 2)


0 Unknown/none
1 SIM card in slot 1
2 SIM card in slot 2

Info

Inet group

ip

IP address of packet data connection to the Internet

rx_bytes

Number of data bytes received so far (decimal number 0 ... 4294967295)

tx_bytes

Number of data bytes sent so far (decimal number 0 ... 4294967295)

mtu

Maximum Transmission Unit (MTU), maximum packet size, in bytes, in the packet data network (decimal number 128 ... 1500)

IO group

Data type returned depending on the server configuration


Verbose Response in words (e.g., on/off)
Numeric Short numerical response (e.g., 1/0)

gsm

Binary state of the GSM/UMTS connection

inet

Binary state of the Internet connection (packet data connection)

vpn

Binary state of the VPN tunnel

SMS

Send SMS (cmgs)

destaddr

National or international phone number of the recipient (160 characters, maximum)

The UTF-8-encoded text is entered in the content area of the element. The text may consist of characters that are specified in the GSM 03.38 6.2.1 default alphabet. However, UTF-8 encoding is required following the XML rules.

SMS

Receive SMS (cmgr, UTF-8 text)

origaddr

National or international phone number of the sender

timestamp

Time specification for SMS transmission

error

Error type (decimal number 1 ... 3)


1 Empty = No SMS message received
2 Busy = Busy, try again later
3 System error = Problem related to communication with the mobile phone engine

SMS

Confirm SMS receipt (cmga, text)

If communication is possible with the GSM/UMTS control program, an ok will always be sent back.

error

Error type (decimal number 8)

Only returned in the event of an error. In this case, the system error error text will be returned in the cmga element.

E-Mail

E-mail

to

E-mail address

cc

E-mail subject, UTF-8-encoded text

body

E-mail message, UTF-8-encoded text

IO

Input element (input)

no

Decimal number 1 ... 6

Output element (output)

no

Decimal number 1 ... 6

value

Data type returned depending on the server configuration. In order to set or reset the outputs, both variants are detected:
Verbose Response in words (e.g., on/off)
Numeric Short numerical response (e.g., 1/0)

A2

Structure of the XML configuration file

You can configure the device using an XML file. XML files can be output and read in by the
device.

A 2.1

XML file format

A valid XML file contains:


A header characterizing this file as an XML file
A root element <config>
Only the <entry> element is placed below the <config> element, in order to specify settings:

In the <entry> element, only the name attribute will be used. This attribute determines how
to store data in the file tree. As defined in the header, all data must be encoded using the
UTF-8 character set.
Line breaks within the data are indicated as escape sequences: &#10;.

A 2.2

Reference to the <entry> element

The reference described is valid as of release 1.04.8.

A 2.3

Local network settings

LAN interface

The elements ./devlist, ./ifname, ./mode and ./type must not be modified. Even when making
settings on the configuration page, they will not be changed.

./ipaddr

IPv4 address of the device

./netmask

IPv4 netmask

./proto

Type of address assignment: static or dhcp

./ipalias

This value represents a special list and should only be modified from
the configuration page.


DHCP server

./enable

DHCP server
0 Off
1 On

./domain

Local domain name, maximum of 64 characters

./lease

Time after which the IP address will be regenerated automatically

./dynamic

Dynamic address assignment in the specified area


0 Off
1 On

./addr1

Dynamic address assignment area

./addr2

Dynamic address assignment area

./hosts

Static MAC list for IP assignments

./names

Not in use at present, must not be changed

./options

Not in use at present, must not be changed

This list should only be modified from the configuration page.

Static routes

./sroute

List of local static routes


This list should only be modified from the configuration page.


SNMP

./device

Text descriptions of the same name with a maximum of 250 characters each

./description

Text descriptions of the same name with a maximum of 250 characters each

./location

Text descriptions of the same name with a maximum of 250 characters each

./contact

Text descriptions of the same name with a maximum of 250 characters each

./rocommunity

Password for read access. If the password is left blank, the SNMP
service will not be started.

./rouser

User name for read access, not used, should remain blank

./rwcommunity

Password for write access

./rwuser

User name for write access, not used, should remain blank

./trap_addr

IPv4 trap manager address

./trap_port

IPv4 trap manager port

./trap_community

Password for traps

./trap_enable

Send traps
0 No
1 Yes

A3

Wireless network

General settings

./band_setup

Bit mask to select the band for the GSM/UMTS engine

./sim_backup

Selection field regarding the secondary SIM card function


0 Secondary SIM card will not be used.
1 Secondary SIM card will be used as backup SIM card.
2 Only the secondary SIM card will be used.

3 ... 8 Use of secondary SIM card controlled via inputs 1 ... 6


./sim_timeout

Provider timeout in minutes

./bak_runtime

Maximum runtime in hours of backup SIM card

Primary SIM card

./mcc

Code for country selection

./cpin

SIM card PIN

./roaming

Roaming allowed
0 No
1 Yes

./provider

Code of selected provider


0 Auto

./username

User name for packet data network access

./password

Password for packet data network access

./apn

APN of the provider

./authrefuse

Bit mask of access protocols that are not permitted


Secondary SIM card (backup)

Explanation: see Primary SIM card above


SMS configuration

./sms_control

Control the device via SMS


0 No
1 Yes

./sms_password

Password used for control

./sms_forward

Forward the received SMS message to a server


0 No
1 Yes

./sms_server

IP address of the SMS server

./sms_port

SMS server port

Packet data

./enable

Activate packet data


0 No
1 Yes

./debug

Activate debug mode for PPP connection establishment


0 No
1 Yes

./noccp

Allow data compression


0 No
1 Yes

./mtu

Selected MTU on PPP interface

./restart

Restart interval in seconds

./echo-interval

Echo interval in seconds

./echo-failure

Number of missing echo responses after which the connection will be terminated

./event

Selection for starting the packet data connection


0 Immediate start
1 Control via SMS message
2 Reserved (do not use)
3 ... 8 Control via inputs 1 ... 6

Static routes

./sroute

List of local static routes. This list should only be modified from the
configuration page.


DynDNS

./enable

Activate DynDNS client


0 No
1 Yes

./provider

Selection list of supported providers


0 DynDNS.org
1 TZO.com
2 dhs.org
3 selfHOST.de
4 custom DynDNS

./server

Server URL for custom-DynDNS server

./username

User name for DynDNS service

./password

Password for DynDNS service

./hostname

Own host name registered at the DynDNS service

Connection check

./enable

Activate connection check


0 No
1 Yes

./host[n]

URL or IP address of the host which should respond to the echo request

./local[n]

Wireless network or local network as sending interface


0 Wireless
1 Local

./interval

Transmission interval in minutes

./retry

Maximum number of missing responses after which an action will be triggered

./event

Action selection
0 None
1 Reboot the device
2 Reconnect the packet data
3 Reconnect to the GSM/UMTS network

Monitoring

./log_enable

Activate monitoring
0 No
1 Yes

./log_duration

Monitoring duration in hours

./log_interval

Time between echo requests

./log_ping

URL or IP address of a host which should respond to echo requests

A 3.1

Network security

General settings

./fw_enable

State of the entire firewall function


0 Off
1 On

./nat_enable

State of the NAT table (port forwarding)


0 Off
1 On

./fw_netbios

Block outgoing NetBIOS broadcasts


0 No
1 Yes

./icmp

Respond to echo requests on the external interface


0 No
1 Yes

./masq_enable

Masquerading on the external interface


0 No
1 Yes

Firewall

The values represent a special list and should only be modified from the configuration page.
./fw_in

List of firewall rules for incoming data

./fw_out

List of firewall rules for outgoing data

NAT table

The values represent a special list and should only be modified from the configuration page.

./nat_fw

List of firewall rules for the NAT table (port forwarding)

./nat_vs

List of forwarding rules for the NAT table (port forwarding)

A 3.2

VPN

A 3.2.1

IPsec

Higher-level settings

./enableupdate

Monitor changes of IP addresses


0 Off
1 On

./autoupdate

Monitoring interval in seconds

Connection settings 1 ... n

./name

Connection description

./enable

Connection active
0 No
1 Yes

./rightallowany

Accept connection with any remote peer


0 No
1 Yes

./host

URL or IP address of remote peer

./auth

Selected authentication method


0 X.509 certificates
1 Pre-shared key

./remote_cert

Remote certificate

./local_cert

Local certificate

./remote_id

Remote peer identification

./local_id

Own identification

./remote_addr

Remote tunnel end

./local_addr

Local tunnel end

./psk

Pre-shared key

./nat

Connection NAT
0 None
1 Local 1:1 NAT
5 Remote masquerading

./local_net

Local NAT destination

./mode

Connection type
0 Wait for connection
1 Always establish the connection
2 Control via SMS message
3 Control via call
4 ... 9 Control via inputs 1 ... 6

./autoreset

Automatic connection termination


0 No
1 Yes

./resettime

Time in minutes after which the connection is reestablished

IKE settings (1 ... n)

./ike_crypt

Phase 1 ISAKMP encryption


Valid values: 3des, aes128, aes192, aes256

./ike_hash

Phase 1 ISAKMP hash


0 All
1 MD5
2 SHA-1

./ike_life

Time in seconds after which the key will be renegotiated

./esp_crypt

Phase 2 IPsec SA encryption


Valid values: 3des, aes128, aes192, aes256

./esp_hash

Phase 2 IPsec SA hash


0 All
1 MD5
2 SHA-1

./esp_life

Time in seconds after which the key will be renegotiated

./pfs

Perfect forward secrecy


0 No
1 Yes

./pfsgroup

DH/PFS group
Valid values: modp1024, modp1536, modp2048

./rekey

Renew the key


0 No
1 Yes

./dpd

Dead peer detection (DPD)


0 No
1 Yes

./dpddelay

Time in seconds between requests

./dpdtimeout

Time in seconds after which the connection is considered to be interrupted

./keyingtries

Number of attempts made for connection establishment


0 Unrestricted

./rekeyfuzz

Value in percent

./rekeymargin

Time in seconds

A 3.2.2 Certificates

./cacerts/*

CA certificates

./certs/local/*

Local certificates

./certs/remote/*

Remote certificates

./private/*

Private keys

./ldir/*

Bit mask for certificate validity

A 3.2.3 OpenVPN

Connections 1 ... n

./name

Connection description

./enable

Connection active
0 No
1 Yes

./host

URL or IP address of remote peer

./rport

Port used by remote peer

./proto

Protocol
0 UDP
1 TCP

./complzo

Data compression settings


0 Disabled
1 Adaptive compression
2 No compression active
3 Compression active
4 Compression allowed

./float

Remote peer may change its IP address


0 No
1 Yes

./redir

The entire data traffic should be directed through the tunnel.


0 No
1 Yes

./bind

Specify outgoing port


0 No
1 Yes

./lport

Outgoing port

./auth

Authentication
0 X.509 certificates
1 Pre-shared key

./certificate

Certificate name

./nscert

Check remote certificate type


0 No
1 Yes

./psk

Pre-shared key

./remote_ifc

Remote tunnel end

./local_ifc

Local tunnel end

./remote_addr

Tunnel network at remote peer

./nat

Connection NAT
0 None
1 Local 1:1 NAT

./local_masq

Reserved, must be set to 0

./local_addr

Local tunnel network

./local_net

Local NAT destination

./cipher

Encryption type
Valid values: BF-CBC, AES-128-CBC, AES-192-CBC, AES-256-CBC, DES-CBC, DES-EDE-CBC, DES-EDE3-CBC, DESX-CBC,
CAST5-CBC, RC2-40-CBC, RC2-64-CBC, RC2-CBC, none

./keepalive

Send keep-alive packets


0 No
1 Yes

./ping

Time in seconds between packets

./restart

Time in minutes after which the connection is reestablished

Further connection settings (1 ... n)

./tun_mtu

MTU for the TUN device

./frag_enable

Data packet fragmentation


0 No
1 Yes

./float

Remote peer may change its IP address


0 No
1 Yes

./frag_size

Size of fragmented packets

./mssfix_enable

mssfix option
0 No
1 Yes

./mssfix_size

Packet size using mssfix

./reneg_sec

Time in seconds for key renewal

Certificates

./cacerts/*

CA certificates

./certs/

Certificates

./private/

Private keys

./ldir/*

Bit mask for certificate validity

Static keys

./keys/*

Static keys

Diffie-Hellman parameters

./dh1024.pem

DH parameters, 1024 bits

./dh2048.pem

DH parameters, 2048 bits

A 3.3 Inputs and outputs

Inputs 1 ... 6

./in_[n]/0/*

Refers to input [n], falling edge

./in_[n]/1/*

Refers to input [n], rising edge

./enable

Enable action for the input


0 No
1 Yes

./action

Action triggered by the event


0 No action
1 Send SMS message
3 Send e-mail

./sms/phonebook

Bit mask for phonebook selection

./sms/message

SMS text

./email/to

Recipient of message

./email/cc

Recipient of copy of the message

./email/subject

Subject line

./email/message

Text message

./alarm_enable

Activate alarm
0 No
1 Yes

./alarm_time

Time in minutes for automatic alarm resetting

Outputs 1 ... 4

./out_[n]

Refers to output [n]

./function

Function tied to the alarm


0 Manual
1 Remote controlled
2 Radio network
3 Packet service
4 VPN service
5 Incoming call
6 Connection lost
9 Alarm

./autoreset

Reset alarm automatically


0 No
1 Yes

./time

Time in minutes for alarm resetting

Phonebook

./n[xx]

Phone number in national or international format

Socket server

./sock_enable

Socket server
0 Off
1 On

./sock_port

Server listener port

./sock_xml_nl

Character used to generate a line break in an XML file


0 None
1 Line feed
2 Carriage return
3 Carriage return + line feed

./sock_xml_io

Representation of Boolean values


0 Text
1 Numeric

A 3.4 System

General system configuration

./httpport

Port used for the web server

./logremote

Send log data to a log server


0 No
1 Yes

./logserver

IP address of the log server

./logport

Log server port

./lognvm

Reserved, must be set to 0

User authentication

By default, the passwords for the users admin and user are stored in plain text. When a new password is assigned, only its hash value is stored.

E-mail configuration (SMTP)

./server

SMTP server address

./port

SMTP server port

./auth

Authentication to server
0 None
1 STARTTLS
2 Encrypted password

./tls

Reserved, must be set to 0

AT commands (default settings)

./gsm/at1cmd

Commands before entering the PIN (without a preceding AT)

./gsm/at2cmd

Commands after entering the PIN (without a preceding AT)

./gprs/at1cmd

Commands before PPP dial-in (without a preceding AT)

./gprs/dialup

Dial-up number used to access the packet data network

Date and time

./newtime

Time in seconds on device startup, since January 1, 1970 00:00 (UNIX time)

./ntpenable

Synchronize with a time server


0 No
1 Yes

./ntpserver

URL or IP address of an Internet time server

./ntpiface

Wireless network or local network as sending interface


0 Wireless
1 Local

./daylight

Consider daylight saving time


0 No
1 Yes

./timezone

Select time zone

./ntplocal

Make the device's own time available to the local network


0 No
1 Yes

Reboot

./rebootenable

Bit mask of weekdays on which a reboot should be executed

./reboottime

Time for a reboot

./rebootevent

Selected event for a reboot


0 None

1 ... 6 Triggered by the respective input

A4 CIDR (Classless Inter-Domain Routing)

IP netmasks and CIDR are notations that combine several IP addresses into an address range. A range comprising consecutive addresses is handled like a network.

To specify a range of IP addresses for the router, e.g., when configuring the firewall, it may be necessary to specify the address range in CIDR format. In the table below, the left-hand column shows the IP netmask, while the far right-hand column shows the corresponding CIDR notation.

IP netmask    binary    CIDR

Example: 192.168.1.0/255.255.255.0 corresponds to CIDR: 192.168.1.0/24
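The conversion described above, as an added example that is not part of the original manual: it turns an address/netmask pair into CIDR notation and rejects the two mistakes that most often end up in firewall rules, a non-contiguous netmask and a network address with host bits set. All function names are assumptions made for this example, and `table_rows()` computes the netmask, binary and CIDR columns from the arithmetic rather than copying the manual's table.

```python
"""Netmask <-> CIDR conversion with validation (added example, not vendor code)."""

FULL = 0xFFFFFFFF  # 32 one-bits


def _parse_ipv4(text):
    """Return a dotted-decimal IPv4 string as a 32-bit integer."""
    parts = text.strip().split(".")
    if len(parts) != 4:
        raise ValueError(f"expected four octets: {text!r}")
    value = 0
    for part in parts:
        if not (part.isascii() and part.isdigit()) or int(part) > 255:
            raise ValueError(f"invalid octet {part!r} in {text!r}")
        value = (value << 8) | int(part)
    return value


def _format_ipv4(value):
    """Return a 32-bit integer as a dotted-decimal IPv4 string."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def netmask_to_prefix(netmask):
    """'255.255.255.0' -> 24. Rejects masks such as 255.0.255.0."""
    inverted = _parse_ipv4(netmask) ^ FULL
    # A valid mask is ones followed by zeros, so the inverted mask must be
    # of the form 2**k - 1 (zeros followed by ones).
    if inverted & (inverted + 1):
        raise ValueError(f"non-contiguous netmask: {netmask}")
    return 32 - inverted.bit_length()


def prefix_to_netmask(prefix):
    """24 -> '255.255.255.0'."""
    if not 0 <= prefix <= 32:
        raise ValueError(f"prefix length out of range: {prefix}")
    return _format_ipv4((FULL << (32 - prefix)) & FULL)


def to_cidr(spec):
    """Normalize 'address/netmask' or 'address/prefix' to 'address/prefix'.

    Raises ValueError if the address has bits set outside the network part,
    because such a rule usually does not match what the author intended.
    """
    address, sep, suffix = spec.strip().partition("/")
    if not sep:
        raise ValueError(f"missing '/': {spec!r}")
    prefix = int(suffix) if suffix.isdigit() else netmask_to_prefix(suffix)
    mask = _parse_ipv4(prefix_to_netmask(prefix))
    addr = _parse_ipv4(address)
    if addr & ~mask & FULL:
        raise ValueError(f"host bits set in {spec!r}")
    return f"{_format_ipv4(addr)}/{prefix}"


def table_rows():
    """Return (netmask, binary, prefix) for every prefix length, 32 down to 0."""
    rows = []
    for prefix in range(32, -1, -1):
        netmask = prefix_to_netmask(prefix)
        binary = " ".join(f"{int(octet):08b}" for octet in netmask.split("."))
        rows.append((netmask, binary, prefix))
    return rows


if __name__ == "__main__":
    print(to_cidr("192.168.1.0/255.255.255.0"))
    for netmask, binary, prefix in table_rows():
        print(f"{netmask:<16} {binary}  /{prefix}")
```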

B Appendixes

B1 List of figures

Figure 1-1: Dimensions of PSI-MODEM-3G...ROUTER
Figure 1-2: Dimensions of PSI-MODEM-GSM/ETH
Figure 3-1: Mounting on the DIN rail
Figure 3-2: RJ45 interface
Figure 3-3: Connecting the antenna
Figure 3-4: Installing the PSI-GSM/UMTS-QB-ANT antenna
Figure 3-5: Removing the SIM card holder - PSI-MODEM-3G...ROUTER
Figure 3-6: Inserting the SIM card - PSI-MODEM-3G...ROUTER
Figure 3-7: Opening the housing and inserting the SIM card - PSI-MODEM-GSM/ETH
Figure 3-8: Connecting the supply voltage
Figure 3-9: Wiring the inputs
Figure 3-10: Opening the housing and pressing the reset button (1)
Figure 4-1: Login window
Figure 4-2: Device information >> Hardware
Figure 4-3: Device Information >> Status >> Radio
Figure 4-4: Device information >> Status >> Network connections
Figure 4-5: Device information >> Status >> I/O status
Figure 4-6: Device information >> Status >> Routing table
Figure 4-7: Local network >> IP configuration
Figure 4-8: Local network >> DHCP server
Figure 4-9: Local network >> Static routes
Figure 4-10: Local network >> SNMP configuration
Figure 4-11: Wireless network >> Radio setup
Figure 4-12: Wireless network >> SIM
Figure 4-13: Wireless network >> SMS configuration
Figure 4-14: Wireless network >> Packet data setup
Figure 4-15: Wireless network >> Wireless static routes
Figure 4-16: Wireless network >> DynDNS setup
Figure 4-17: Wireless network >> Connection check
Figure 4-18: Wireless network >> Monitoring
Figure 4-19: Network security >> General setup
Figure 4-20: Network security >> Firewall

Figure 4-21: Network security >> NAT table
Figure 4-22: VPN >> IPsec >> Connections
Figure 4-23: VPN >> IPsec >> Connections >> Settings >> Edit
Figure 4-24: VPN >> IPsec >> Connections >> IKE >> Edit
Figure 4-25: VPN >> IPsec >> Certificates
Figure 4-26: VPN >> IPsec >> Status
Figure 4-27: VPN >> OpenVPN >> Connections
Figure 4-28: VPN >> OpenVPN >> Connections >> Tunnel >> Edit
Figure 4-29: VPN >> OpenVPN >> Connections >> Advanced >> Edit
Figure 4-30: VPN >> OpenVPN >> Certificates
Figure 4-31: VPN >> OpenVPN >> Static keys
Figure 4-32: VPN >> OpenVPN >> Status
Figure 4-33: I/O >> Inputs
Figure 4-34: I/O >> Outputs
Figure 4-35: I/O >> Phonebook
Figure 4-36: I/O >> Socket server
Figure 4-37: System >> System configuration
Figure 4-38: System >> User
Figure 4-39: System >> Log file
Figure 4-40: System >> E-mail configuration
Figure 4-41: System >> Configuration up-/download
Figure 4-42: System >> Date/time
Figure 4-43: System >> Reboot
Figure 4-44: System >> Firmware update
Figure 5-1: Creating a new database
Figure 5-2: Assigning a password
Figure 5-3: Creating a new CA certificate
Figure 5-4: Entering information with regard to the owner
Figure 5-5: Creating a key
Figure 5-6: Setting the CA certificate validity and type
Figure 5-7: CA certificate created
Figure 5-8: Creating a new template
Figure 5-9: Creating a template - entering information with regard to the owner
Figure 5-10: Creating a template - specifying the certificate validity and type
Figure 5-11: Creating a certificate
Figure 5-12: Creating a certificate - subject
Figure 5-13: Creating a key for the certificate

Figure 5-14: Selecting the certificate to be exported
Figure 5-15: Exporting the certificate
Figure 5-16: Entering the password
Figure 5-17: Exporting the remote certificate
