05-6909A01 Rev A

GE MDS Orbit MCR™


Applications Guideline
Via: VPN / IPsec / Port Forwarding / Static (1:1) NAT

GE Technical Information applies to GE MDS products ONLY Page 1


APPLICATION NOTES
The goal of this document is to provide Orbit MCR users with the means to set up networks involving port forwarding or IPsec VPN tunnels. The following examples are meant to assist in setting up these networks and to give insight into the configurations the Orbit MCR can provide. Each example gives a pictorial representation and bulleted information highlighting the parameters that need to be set in order to achieve the setup.

These examples are designed for use via the Cell interface. A properly provisioned SIM card must be purchased from a cellular provider and installed before Cell configuration can be attempted.

Many of these applications use a 2E1S (2 Ethernet, 1 Serial) hardware configuration. Units with a 1E2S (1 Ethernet, 2 Serial) hardware configuration may require an additional external Ethernet switch or the use of Wi-Fi.

For additional support or background on these setups, see:

GEMDS website: http://www.gedigitalenergy.com/Communications/

Application Notes on the Orbit MCR website (GEMDS Orbit Application Notes): topics such as X.509 certificate generation and IPsec VPN with RSA certificates.

Technical Manual on the Orbit MCR website: publication 05-6632A01.

GEMDS Learning and Development YouTube channel.

Contact GEMDS directly:

GE Learning and Development
Email: training.multilin@ge.com
Telephone: 905-927-7070

Technical Support
Email: GEMDS.techsupport@GE.com
Telephone: 1-800-474-0964, Option #3

Internet Protocol Security (IPsec) is a protocol suite for securing Internet Protocol (IP) communications by authenticating and encrypting each IP packet of a communication session. IPsec includes protocols for establishing mutual authentication between agents at the beginning of the session and for negotiating the cryptographic keys to be used during the session. IPsec can protect data flows between a pair of hosts (host-to-host), between a pair of security gateways (network-to-network), or between a security gateway and a host (network-to-host).[1]

IPsec uses cryptographic security services to protect communications over IP networks. It provides network-level peer authentication, data origin authentication, data integrity, data confidentiality (encryption), and replay protection.

IPsec operates in the Internet layer of the Internet Protocol Suite, whereas other widely used security protocols such as Transport Layer Security (TLS) and Secure Shell (SSH) operate above the transport layer. Because IPsec works at the IP layer it can protect any application's traffic without changes to the application, while TLS/SSL must be integrated into, or placed beneath, each application separately. In the configurations in this guide the tunnel is terminated on the Orbit, so traffic is protected between the two gateways (or between the gateway and the PC), not on the LAN segment between the Orbit and the PLC or RTU.

Internet Key Exchange (IKE). Before secured data can be exchanged, a security agreement between the two peers must be established. In this agreement, called a security association (SA), both sides agree on how to exchange and protect information. To build this agreement, the Internet Engineering Task Force (IETF) standardized a method of security association and key exchange negotiation named Internet Key Exchange (IKE), which:
• Centralizes security association management, reducing connection setup time.
• Generates and manages the shared secret keys that are used to secure the information.
IKE protects communication between peers and also protects remote computers that request secure access to a corporate network. The negotiation is performed by the security gateway on behalf of the final destination (endpoint) when that endpoint sits behind the gateway, as the PLC and RTU do in the examples in this guide.
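The replay protection listed above is the one IPsec service that is easy to overlook when reasoning about a tunnel over a lossy cellular link, because packets legitimately arrive out of order. The following is an added example, not code from this guide or from the Orbit firmware: a sliding anti-replay window in the style of RFC 4303 section 3.4.3 for ESP sequence numbers. The window size of 64 and the sample sequence are assumptions chosen for illustration.

```python
"""ESP anti-replay window (RFC 4303 section 3.4.3 scheme), added example.
Tracks the highest sequence number accepted and a bitmap of the `size`
numbers at or below it. Window size and sample traffic are assumptions."""


class AntiReplayWindow:
    def __init__(self, size=64):
        if size < 32:
            raise ValueError("RFC 4303 requires a minimum window of 32")
        self.size = size
        self.highest = 0   # highest sequence number accepted so far (0 = none yet)
        self.bitmap = 0    # bit i set => sequence number (highest - i) was already received

    def check_and_update(self, seq):
        """Return True and record seq if it is new and inside the window, else False.
        A real receiver verifies the ICV before updating the window; here the packet
        is assumed authentic so only the replay logic is shown."""
        if seq == 0:
            return False                      # 0 is never a valid ESP sequence number
        if seq > self.highest:
            shift = seq - self.highest        # slide the window to the right
            if shift < self.size:
                self.bitmap = (self.bitmap << shift) & ((1 << self.size) - 1)
            else:
                self.bitmap = 0               # every previously seen number fell out
            self.bitmap |= 1                  # bit 0 now represents seq itself
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= self.size:
            return False                      # older than the window: reject
        if self.bitmap & (1 << offset):
            return False                      # already received: replay
        self.bitmap |= 1 << offset            # late but new: accept once
        return True


def replay_verdicts(seqs, size=64):
    """Run a sequence of received ESP sequence numbers through one window."""
    window = AntiReplayWindow(size)
    return [window.check_and_update(s) for s in seqs]


if __name__ == "__main__":
    # Constructed arrival order: 5 replayed, 3 late but new, 36 too old after 100, 37 replayed.
    print(replay_verdicts([1, 5, 5, 3, 100, 36, 37, 37, 0]))
```

Reordered packets inside the window (3 after 5) are accepted, while a repeat of an accepted number or anything older than the window is rejected; an attacker who captured and re-injected ESP packets would therefore fail even with a valid integrity check value.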

Port forwarding is the name given to the combined technique of:
1. translating the destination address or port number of a packet to a new destination,
2. possibly accepting such packets in a packet filter (firewall), and
3. forwarding the packet according to the routing table.
The new destination is usually a predetermined port (typically TCP or UDP, though the process is not limited to these) on a host inside a NAT-masqueraded, typically private, network, selected by the port on which the packet arrived at the gateway from the originating host. The technique permits external hosts to reach services provided inside a private local area network. Every forwarded port exposes an internal service to the cell network, so forward only the ports that are actually needed.

Network address translation (NAT) modifies the network address information in IP packet headers while the packets transit a routing device, remapping one IP address space into another. 1:1 (static) NAT maps each address in one range to a fixed counterpart in another range; it lets devices on the same subnet (or overlapping subnets) at both ends of an IPsec tunnel reach each other, because each side is presented inside the tunnel under a non-overlapping translated range. The translation itself provides no confidentiality; the IPsec tunnel does.

A virtual private network (VPN) extends a private network across a public network, such as the Internet. It enables a computer to send and receive data across shared or public networks as if it were directly connected to the private network, while benefiting from the functionality, security and management policies of the private network. A VPN is created by establishing a virtual point-to-point connection through dedicated connections, virtual tunneling protocols, or traffic encryption.

Table of Contents

Orbit to Orbit via Cell with Port Forwarding
Orbit to Orbit via Cell with IPsec (1 Tunnel)
Orbit to Orbit via Cell with IPsec (1 Tunnel) 1 to 1 NAT
PC to Orbit via Cell with IPsec (1 Tunnel) VPN
PLC to Orbit via Cell via Port Forwarding Rules
External Firewall to Orbit via Cell w/IPsec (2 Tunnels)
External Firewall to Orbit via Cell w/IPsec (3 Tunnels)
Orbit to Multiple Orbits via Cell w/Port Forwarding
Orbit to Multiple Orbits via Cell w/IPsec Tunnel(s)

YouTube Channel Videos to reference (with mouse: Ctrl + Click to follow the link)

Orbit™ MCR | Device Management (v1.0)
Orbit™ MCR | Static IP Configuration (v1.2)
Orbit™ MCR 4G | Adding and Deleting Firewall Rules
Orbit™ MCR | Network Address Translation (NAT)
Orbit™ MCR | Cellular Interface Firewall and NAT Verification
Orbit™ MCR | Port Forwarding
Orbit™ MCR | IPsec Windows IKEv2 Video
IPsec Videos (refer to these for the IKE and IPsec steps)
Orbit™ MCR | Static NAT over IPsec VPN


Orbit to Orbit via Cell with Port Forwarding

[Diagram: Orbit-1 with PLC and Management PC, Cell Tower, Orbit-2 with RTU.]

• This configuration allows a PLC connected to Orbit-1 to communicate with the RTU on the "LAN" side of Orbit-2.
• This also allows a Management PC to communicate with Orbit-1, Orbit-2, and the RTU through port forwarding rules.

The following must be configured on both Orbit-1 and Orbit-2:

Orbit to Orbit via Cell w/Port Forwarding

Configuration steps, with the manual section and single-topic YouTube video for each:

• Configure LAN side of Orbit to meet IP address requirements.
  Manual section: Bridging. Video: Orbit™ MCR | Static IP Configuration.
• Configure Firewall Service Rules: it is recommended to modify IN_UNTRUSTED and OUT_UNTRUSTED. Configure LOCAL-NETS: LOCAL-NETS must match the local subnet(s).
  Manual section: Packet Filtering (Firewall). Videos: Orbit™ MCR 4G | Adding and Deleting Firewall Rules; Orbit™ MCR | Cellular Interface Firewall and NAT Verification.
• Configure NAT to change the source address of outgoing Cell traffic.
  Manual section: Source Network Address Translation (NAT). Video: Orbit™ MCR | Network Address Translation (NAT).
• Configure Port Forwarding Rules.
  Manual section: Destination NAT. Video: Orbit™ MCR | Port Forwarding.
• Configure Cell to use the correct Firewall Service Rules for INPUT and OUTPUT and the correct Firewall Service NAT Rules (including the Source Rule and Destination Rule).
  Manual section: Cell. Video: Orbit™ MCR | Cellular Interface Firewall and NAT Verification.
Orbit to Orbit via Cell with IPsec (1 Tunnel)

[Diagram: Orbit-1 with PLC and Management PC, Cell Tower, Orbit-2 with RTU. Key: IPsec Tunnel.]

• This configuration allows a PLC connected to Orbit-1 to communicate with the RTU on the "LAN" side of Orbit-2 through a secure IPsec VPN tunnel.
• This also allows a Management PC to communicate with Orbit-1, Orbit-2, and the RTU through a secure IPsec VPN tunnel.


Orbit to Orbit via Cell w/IPsec (1 Tunnel)

Configuration steps, with the manual section and single-topic YouTube video for each:

• Configure LAN side of Orbit to meet IP address requirements.
  Manual section: Bridging. Video: Orbit™ MCR | Static IP Configuration.
• Configure Firewall Service Rules: it is recommended to modify IN_UNTRUSTED and OUT_UNTRUSTED. Configure LOCAL-NETS and REMOTE-NETS: LOCAL-NETS must match the local subnet(s) and REMOTE-NETS must match the remote subnet(s). Configure IKE: allow IKE destination traffic IN, allow IPsec traffic IN, allow IPsec traffic OUT.
  Manual sections: Packet Filtering (Firewall); VPN. Videos: Orbit™ MCR 4G | Adding and Deleting Firewall Rules; Orbit™ MCR | Cellular Interface Firewall and NAT Verification; refer to the IPsec videos.
• Configure NAT to change the source address of outgoing Cell traffic and to have no effect on IPsec traffic ('not' rule within NAT).
  Manual section: Source Network Address Translation (NAT). Video: Orbit™ MCR | Network Address Translation (NAT).
• Configure Cell to use the correct Firewall Service Rules for INPUT and OUTPUT and the correct Firewall Service NAT Rule.
  Manual section: Cell. Video: Orbit™ MCR | Cellular Interface Verification.
• Configure IPsec Service. Need to configure: IKE Policy, IKE Peer, IPsec Policy, IPsec Connection.
  Manual section: VPN & Certificate Management and 802.1X Authentication. Video: Orbit™ MCR | IPsec Command Line.
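The port-forwarding table and the IPsec table above share three rules that are easy to get subtly wrong: which traffic IN_UNTRUSTED opens on the cell side, how destination NAT hands a forwarded port to a LAN host, and why the source-NAT rule must carry a 'not' clause for REMOTE-NETS. The following is an added example, not code from this guide and not Orbit CLI syntax: a small model of one Orbit's cell-side packet path that makes those three rules testable. All addresses, the forwarded port and the rule layout are assumptions.

```python
"""Model of the firewall/NAT checklist for one Orbit (added example): IN_UNTRUSTED,
source NAT with a 'not REMOTE-NETS' exemption, and destination NAT (port forwarding).
Addresses, ports and rule layouts are constructed and are not Orbit CLI syntax."""
import ipaddress
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str        # "tcp", "udp" or "esp"
    dport: int = 0    # 0 for ESP, which carries no port


# Constructed site plan: this Orbit fronts the RTU LAN; the peer Orbit fronts 192.168.2.0/24.
LOCAL_NETS = [ipaddress.ip_network("192.168.1.0/24")]    # LOCAL-NETS
REMOTE_NETS = [ipaddress.ip_network("192.168.2.0/24")]   # REMOTE-NETS
CELL_IP, PEER_CELL_IP = "203.0.113.10", "203.0.113.20"   # assumed static cell-side addresses
RTU_IP = "192.168.1.50"                                  # LAN host reached by port forwarding

# IN_UNTRUSTED entries: (proto, dport, permitted source network or None for any source).
# Only IKE (UDP 500/4500) and ESP, and only from the configured peer, are opened.
PEER_ONLY = ipaddress.ip_network(PEER_CELL_IP + "/32")
IN_UNTRUSTED = [("udp", 500, PEER_ONLY), ("udp", 4500, PEER_ONLY), ("esp", 0, PEER_ONLY)]

# Destination NAT (port forwarding): (proto, cell-side port) -> (inside host, inside port).
PORT_FORWARD = {("tcp", 20000): (RTU_IP, 502)}   # e.g. Modbus/TCP on the RTU


def in_nets(ip, nets):
    return any(ipaddress.ip_address(ip) in net for net in nets)


def outbound(pkt, snat_exempt_remote=True):
    """LAN -> cell. Returns (verdict, packet as it leaves the Orbit, reason)."""
    if not in_nets(pkt.src, LOCAL_NETS):
        return "drop", pkt, "source not in LOCAL-NETS"
    # Source NAT with the guide's 'not' clause: traffic for REMOTE-NETS keeps its LAN
    # source so the IPsec selector (LOCAL-NETS -> REMOTE-NETS) still matches it.
    if not (snat_exempt_remote and in_nets(pkt.dst, REMOTE_NETS)):
        pkt = replace(pkt, src=CELL_IP)
    if in_nets(pkt.src, LOCAL_NETS) and in_nets(pkt.dst, REMOTE_NETS):
        return "ipsec", pkt, "selector matched: encapsulated in ESP to " + PEER_CELL_IP
    if in_nets(pkt.dst, REMOTE_NETS):
        return "clear", pkt, "for REMOTE-NETS but selector missed after SNAT: leaves outside the tunnel"
    return "forward", pkt, "public traffic, source address changed to the cell address"


def inbound(pkt):
    """cell -> Orbit/LAN. IN_UNTRUSTED is consulted first, then destination NAT."""
    if pkt.dst != CELL_IP:
        return "drop", pkt, "not addressed to this Orbit's cell interface"
    for proto, dport, src_net in IN_UNTRUSTED:
        if pkt.proto == proto and pkt.dport == dport and \
                (src_net is None or ipaddress.ip_address(pkt.src) in src_net):
            return "local", pkt, "IKE/ESP accepted for the IPsec service"
    target = PORT_FORWARD.get((pkt.proto, pkt.dport))
    if target:
        host, port = target
        return "forward", replace(pkt, dst=host, dport=port), "destination NAT (port forward)"
    return "drop", pkt, "no IN_UNTRUSTED rule and no port-forward rule"


if __name__ == "__main__":
    for p in (Packet("192.168.1.10", "192.168.2.20", "tcp", 502),
              Packet("192.168.1.10", "198.51.100.5", "tcp", 443)):
        print("out:", outbound(p))
    print("out, no 'not' rule:", outbound(Packet("192.168.1.10", "192.168.2.20", "tcp", 502), False))
    for p in (Packet(PEER_CELL_IP, CELL_IP, "udp", 500),
              Packet("198.51.100.5", CELL_IP, "tcp", 20000),
              Packet("198.51.100.5", CELL_IP, "tcp", 22)):
        print("in:", inbound(p))
```

Run with `snat_exempt_remote=False` to see the failure mode the table's 'not' rule prevents: the packet for REMOTE-NETS is rewritten to the cell address, no longer matches the selector, and would leave the cell interface outside the tunnel. For the PC-to-Orbit (road-warrior) case the PC's address is not fixed, so the IKE/ESP entries would use `None` instead of `PEER_ONLY`; for fixed site-to-site peers, pinning them to the peer address keeps the IKE responder off the open cellular network.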


Orbit to Orbit via Cell with IPsec (1 Tunnel) 1 to 1 NAT

[Diagram: Orbit-1 with PLC and Management PC, Cell Tower, Orbit-2 with RTU. Key: IPsec Tunnel.]

• This configuration allows a PLC connected to Orbit-1 to communicate with the RTU on the "LAN" side of Orbit-2 through a secure IPsec VPN tunnel.
• This also allows a Management PC to communicate with Orbit-1, Orbit-2, and the RTU through a secure IPsec VPN tunnel.
• This configuration also allows both sides of the tunnel to have overlapping subnets.


Orbit to Orbit via Cell w/IPsec (1 Tunnel) 1 to 1 NAT

Configuration steps, with the manual section and single-topic YouTube video for each:

• Configure LAN side of Orbit to meet IP address requirements.
  Manual section: Bridging. Video: Orbit™ MCR | Static IP Configuration.
• Configure Firewall Service Rules: it is recommended to modify IN_UNTRUSTED and OUT_UNTRUSTED. Configure LOCAL-NETS and REMOTE-NETS: LOCAL-NETS must match the local subnet(s) and REMOTE-NETS must match the remote subnet(s). Configure IKE: allow IKE destination traffic IN, allow IPsec traffic IN, allow IPsec traffic OUT.
  Manual sections: Firewall and NAT; VPN. Videos: Orbit™ MCR 4G | Adding and Deleting Firewall Rules; Orbit™ MCR | Cellular Interface Firewall and NAT Verification; refer to the IPsec videos.
• Configure NAT to change the source address of outgoing Cell traffic and to have no effect on IPsec traffic ('not' rule within NAT).
  Manual section: Source Network Address Translation (NAT). Video: Orbit™ MCR | Network Address Translation (NAT).
• Configure Cell to use the correct Firewall Service Rules for INPUT and OUTPUT and the correct Firewall Service NAT Rule.
  Manual section: Cell. Video: Orbit™ MCR | Cellular Interface Verification.
• Configure IPsec Service. Need to configure: IKE Policy, IKE Peer, IPsec Policy, IPsec Connection.
  Manual section: VPN & Certificate Management and 802.1X Authentication. Video: Orbit™ MCR | IPsec Command Line.
• Configure Static NAT.
  Manual section: Static NAT. Video: Orbit™ MCR | Static NAT over IPsec VPN.
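The point of the static NAT row is that the IPsec selectors on both Orbits are written in terms of translated ranges, so two sites that both use the same LAN subnet no longer produce an ambiguous LOCAL-NETS/REMOTE-NETS pair. The following is an added example, not code from this guide and not the Orbit's static-NAT configuration syntax: a model of both tunnel endpoints with 1:1 NAT applied before the policy lookup, carried through a request and its reply. The LAN subnet 192.168.1.0/24 on both sides and the translated ranges 10.1.1.0/24 and 10.2.2.0/24 are assumptions.

```python
"""Static (1:1) NAT at both ends of an IPsec tunnel between two sites that share
the same LAN subnet (added example). Addresses and translated ranges are constructed."""
import ipaddress
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


class StaticNat:
    """1:1 mapping between a real LAN range and a translated range of the same size;
    the host part is preserved (192.168.1.50 <-> 10.2.2.50)."""

    def __init__(self, real, mapped):
        self.real, self.mapped = ipaddress.ip_network(real), ipaddress.ip_network(mapped)
        if self.real.prefixlen != self.mapped.prefixlen:
            raise ValueError("static NAT ranges must be the same size")

    @staticmethod
    def _shift(ip, src_net, dst_net):
        addr = ipaddress.ip_address(ip)
        if addr not in src_net:
            return ip                                  # outside the mapped range: untouched
        return str(dst_net.network_address + (int(addr) - int(src_net.network_address)))

    def to_mapped(self, ip):
        return self._shift(ip, self.real, self.mapped)

    def to_real(self, ip):
        return self._shift(ip, self.mapped, self.real)


class Orbit:
    """One tunnel endpoint: static NAT plus IPsec selectors (LOCAL-NETS / REMOTE-NETS)
    written in terms of the translated ranges, not the real, overlapping LAN."""

    def __init__(self, name, nat, local_nets, remote_nets):
        self.name, self.nat = name, nat
        self.local_nets = ipaddress.ip_network(local_nets)
        self.remote_nets = ipaddress.ip_network(remote_nets)

    def lan_to_tunnel(self, pkt):
        # Static NAT rewrites the source before the policy lookup, so the selector sees
        # the translated source; the destination is already a translated remote address.
        mapped = replace(pkt, src=self.nat.to_mapped(pkt.src))
        if ipaddress.ip_address(mapped.src) in self.local_nets and \
                ipaddress.ip_address(mapped.dst) in self.remote_nets:
            return mapped
        raise ValueError(f"{self.name}: {mapped} does not match the IPsec selectors")

    def tunnel_to_lan(self, pkt):
        # Decrypted packets must match the reverse selector before the destination is
        # translated back to the real LAN address.
        if not (ipaddress.ip_address(pkt.src) in self.remote_nets and
                ipaddress.ip_address(pkt.dst) in self.local_nets):
            raise ValueError(f"{self.name}: {pkt} arrived through the tunnel outside the selectors")
        return replace(pkt, dst=self.nat.to_real(pkt.dst))


def selectors_overlap(local_nets, remote_nets):
    """True when LOCAL-NETS and REMOTE-NETS overlap: the selector is ambiguous and
    static NAT is required."""
    return ipaddress.ip_network(local_nets).overlaps(ipaddress.ip_network(remote_nets))


def round_trip(orbit1, orbit2, plc_ip, rtu_mapped_ip):
    """PLC behind orbit1 sends to the RTU's translated address behind orbit2. Returns the
    request as delivered on orbit2's LAN and the reply as delivered on orbit1's LAN."""
    request = orbit2.tunnel_to_lan(orbit1.lan_to_tunnel(Packet(plc_ip, rtu_mapped_ip)))
    reply = orbit1.tunnel_to_lan(orbit2.lan_to_tunnel(Packet(request.dst, request.src)))
    return request, reply


# Constructed example: both sites use 192.168.1.0/24; Orbit-1's LAN is presented inside the
# tunnel as 10.1.1.0/24 and Orbit-2's as 10.2.2.0/24.
ORBIT1 = Orbit("Orbit-1", StaticNat("192.168.1.0/24", "10.1.1.0/24"), "10.1.1.0/24", "10.2.2.0/24")
ORBIT2 = Orbit("Orbit-2", StaticNat("192.168.1.0/24", "10.2.2.0/24"), "10.2.2.0/24", "10.1.1.0/24")

if __name__ == "__main__":
    print("overlap without static NAT:", selectors_overlap("192.168.1.0/24", "192.168.1.0/24"))
    print(round_trip(ORBIT1, ORBIT2, "192.168.1.10", "10.2.2.50"))
```

The PLC addresses the RTU as 10.2.2.50, never as 192.168.1.50; a packet sent to the real address stays on the local LAN (or, in the model, fails the selector), which is exactly the ambiguity static NAT exists to remove.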


PC to Orbit via Cell with IPsec (1 Tunnel) VPN

[Diagram: Orbit-1 with RTU, Cell Tower, Internet, Management PC. Key: VPN/IPsec Tunnel.]

• This configuration allows a PC to connect to both the Orbit and any devices on the "LAN" side of the Orbit.
• This can be used in conjunction with other existing IPsec tunnels.


PC to Orbit via Cell w/IPsec (1 Tunnel) VPN

Configuration steps, with the manual section and single-topic YouTube video for each:

• Configure LAN side of Orbit to meet IP address requirements.
  Manual section: Bridging. Video: Orbit™ MCR | Static IP Configuration.
• Configure Firewall Service Rules: it is recommended to modify IN_UNTRUSTED and OUT_UNTRUSTED. Configure LOCAL-NETS and REMOTE-NETS: LOCAL-NETS must match the local subnet(s) and REMOTE-NETS must match the remote subnet(s). Configure IKE: allow IKE destination traffic IN, allow IPsec traffic IN, allow IPsec traffic OUT.
  Manual sections: Packet Filtering (Firewall); VPN. Videos: Orbit™ MCR 4G | Adding and Deleting Firewall Rules; Orbit™ MCR | Cellular Interface Firewall and NAT Verification; refer to the IPsec videos.
• Configure Cell to use the correct Firewall Service Rules for INPUT and OUTPUT and the correct Firewall Service NAT Rule.
  Manual section: Cell. Video: Orbit™ MCR | Cellular Interface Verification.
• Configure IPsec Service. Need to configure: IKE Policy, IKE Peer, IPsec Policy, IPsec Connection.
  Manual section: VPN & Certificate Management and 802.1X Authentication. Video: Orbit™ MCR | IPsec Command Line.
• Install computer certificates on the PC and configure the IKEv2 VPN connection on the PC (Win 7).
  Video: Orbit™ MCR | IPsec Windows IKEv2 Video.


PLC to Orbit via Cell via Port Forwarding Rules

[Diagram: Orbit-1 and Orbit-2, Cell Tower, Internet, Ethernet Switch, Management PC, PLC.]

• This configuration allows a PLC connected to the Internet to communicate with an RTU on the "LAN" side of the Orbit(s) through port forwarding rules.
• This also allows a Management PC to communicate with Orbit-1, Orbit-2, and the RTUs through port forwarding rules.


PLC to Orbit via Cell w/Port Forwarding Rules

Configuration steps, with the manual section and single-topic YouTube video for each:

• Configure LAN side of Orbit to meet IP address requirements.
  Manual section: Bridging. Video: Orbit™ MCR | Static IP Configuration.
• Configure Firewall Service Rules: it is recommended to modify IN_UNTRUSTED and OUT_UNTRUSTED. Configure LOCAL-NETS: LOCAL-NETS must match the local subnet(s).
  Manual section: Packet Filtering (Firewall). Videos: Orbit™ MCR 4G | Adding and Deleting Firewall Rules; Orbit™ MCR | Cellular Interface Firewall and NAT Verification.
• Configure NAT to change the source address of outgoing Cell traffic.
  Manual section: Source Network Address Translation (NAT). Video: Orbit™ MCR | Network Address Translation (NAT).
• Configure Port Forwarding Rules.
  Manual section: Destination NAT. Video: Orbit™ MCR | Port Forwarding.
• Configure Cell to use the correct Firewall Service Rules for INPUT and OUTPUT and the correct Firewall Service NAT Rules (including the Source Rule and Destination Rule).
  Manual section: Cell. Video: Orbit™ MCR | Cellular Interface Verification.

External Firewall to Orbit via Cell w/IPsec (2 Tunnels)

[Diagram: Orbit-1 with RTU and Orbit-2 with RTU, Cell Tower, Internet, External Firewall with Ethernet Switch, Management PC and PLC. Key: IPsec Tunnel 1, IPsec Tunnel 2.]

The following must be configured on both Orbit-1 and Orbit-2:


External Firewall to Orbit via Cell w/IPsec (2 Tunnels)

Configuration steps, with the manual section and single-topic YouTube video for each:

• Configure LAN side of Orbit to meet IP address requirements.
  Manual section: Bridging. Video: Orbit™ MCR | Static IP Configuration.
• Configure Firewall Service Rules: it is recommended to modify IN_UNTRUSTED and OUT_UNTRUSTED. Configure LOCAL-NETS and REMOTE-NETS: LOCAL-NETS must match the local subnet(s) and REMOTE-NETS must match the remote subnet(s). Configure IKE: allow IKE destination traffic IN, allow IPsec traffic IN, allow IPsec traffic OUT.
  Manual sections: Packet Filtering (Firewall); VPN. Videos: Orbit™ MCR 4G | Adding and Deleting Firewall Rules; Orbit™ MCR | Cellular Interface Firewall and NAT Verification; refer to the IPsec videos.
• Configure NAT to change the source address of public traffic and to have no effect on IPsec traffic ('not' rule within NAT).
  Manual section: Source Network Address Translation (NAT). Video: Orbit™ MCR | Network Address Translation (NAT).
• Configure Cell to use the correct Firewall Service Rules for INPUT and OUTPUT and the correct Firewall Service NAT Rule.
  Manual section: Cell. Video: Orbit™ MCR | Cellular Interface Verification.
• Configure IPsec Service. Need to configure: IKE Policy; IKE Peers (2 peers MUST be configured, one per tunnel); IPsec Policy; IPsec Connections (2 connections MUST be configured, one per tunnel).
  Manual section: VPN & Certificate Management and 802.1X Authentication. Video: Orbit™ MCR | IPsec Command Line.

External Firewall to Orbit via Cell w/IPsec (3 Tunnels)

[Diagram: Orbit-1 with PLC and Orbit-2 with RTU, Cell Tower, Internet, External Firewall with Ethernet Switch and Management PC. Key: IPsec Tunnel 1, IPsec Tunnel 2, IPsec Tunnel 3.]



External Firewall to Orbit via Cell w/IPsec (3 Tunnels)

Configuration steps, with the manual section and single-topic YouTube video for each:

• Configure LAN side of Orbit to meet IP address requirements.
  Manual section: Bridging. Video: Orbit™ MCR | Static IP Configuration.
• Configure Firewall Service Rules: it is recommended to modify IN_UNTRUSTED and OUT_UNTRUSTED. Configure LOCAL-NETS and REMOTE-NETS: LOCAL-NETS must match the local subnet(s) and REMOTE-NETS must match the remote subnet(s). Configure IKE: allow IKE destination traffic IN, allow IPsec traffic IN, allow IPsec traffic OUT.
  Manual sections: Packet Filtering (Firewall); VPN. Videos: Orbit™ MCR 4G | Adding and Deleting Firewall Rules; Orbit™ MCR | Cellular Interface Firewall and NAT Verification; refer to the IPsec videos.
• Configure NAT to change the source address of public traffic and to have no effect on IPsec traffic ('not' rule within NAT).
  Manual section: Source Network Address Translation (NAT). Video: Orbit™ MCR | Network Address Translation (NAT).
• Configure Cell to use the correct Firewall Service Rules for INPUT and OUTPUT and the correct Firewall Service NAT Rule.
  Manual section: Cell. Video: Orbit™ MCR | Cellular Interface Verification.
• Configure IPsec Service. Need to configure: IKE Policy; IKE Peers (3 peers MUST be configured, one per tunnel); IPsec Policy; IPsec Connections (3 connections MUST be configured, one per tunnel).
  Manual section: VPN & Certificate Management and 802.1X Authentication. Video: Orbit™ MCR | IPsec Command Line.

Orbit to Multiple Orbits via Cell w/Port Forwarding

[Diagram: Orbit-1 with PLC and Management PC, Cell Tower, Orbit-2 with RTU, Orbit-3 with RTU, Orbit-4 with RTU.]

Orbit to Multiple Orbits via Cell w/Port Forwarding

Configuration steps, with the manual section and single-topic YouTube video for each:

• Configure LAN side of Orbit to meet IP address requirements.
  Manual section: Bridging. Video: Orbit™ MCR | Static IP Configuration.
• Configure Firewall Service Rules: it is recommended to modify IN_UNTRUSTED and OUT_UNTRUSTED. Configure LOCAL-NETS: LOCAL-NETS must match the local subnet(s).
  Manual section: Packet Filtering (Firewall). Videos: Orbit™ MCR 4G | Adding and Deleting Firewall Rules; Orbit™ MCR | Cellular Interface Firewall and NAT Verification.
• Configure NAT to change the source address of outgoing Cell traffic.
  Manual section: Source Network Address Translation (NAT). Video: Orbit™ MCR | Network Address Translation (NAT).
• Configure Port Forwarding Rules.
  Manual section: Destination NAT. Video: Orbit™ MCR | Port Forwarding.
• Configure Cell to use the correct Firewall Service Rules for INPUT and OUTPUT and the correct Firewall Service NAT Rules (including the Source Rule and Destination Rule); these need to be verified for each Orbit.
  Manual section: Cell. Video: Orbit™ MCR | Cellular Interface Verification.

Orbit to Multiple Orbits via Cell w/IPsec Tunnel(s)

[Diagram: Orbit-1 with PLC and Management PC, Cell Tower, Orbit-2 with RTU, Orbit-3 with RTU, Orbit-4 with RTU. Key: IPsec Tunnel 1, IPsec Tunnel 2, IPsec Tunnel 3.]

Orbit to Multiple Orbits via Cell w/IPsec Tunnel(s)

Configuration steps, with the manual section and single-topic YouTube video for each:

• Configure LAN side of Orbit to meet IP address requirements.
  Manual section: Bridging. Video: Orbit™ MCR | Static IP Configuration.
• Configure Firewall Service Rules: it is recommended to modify IN_UNTRUSTED and OUT_UNTRUSTED. Configure LOCAL-NETS and REMOTE-NETS: LOCAL-NETS must match the local subnet(s) and REMOTE-NETS must match the remote subnet(s). Configure IKE: allow IKE destination traffic IN, allow IPsec traffic IN, allow IPsec traffic OUT.
  Manual sections: Packet Filtering (Firewall); VPN. Videos: Orbit™ MCR | Adding and Deleting Firewall Rules; Orbit™ MCR | Cellular Interface Firewall and NAT Verification; refer to the IPsec videos.
• Configure Cell to use the correct Firewall Service Rules for INPUT and OUTPUT and the correct Firewall Service NAT Rule.
  Manual section: Cell. Video: Orbit™ MCR | Cellular Interface Verification.
• Configure IPsec Service. Need to configure: IKE Policy; IKE Peers (1 peer MUST be configured for each tunnel); IPsec Policy; IPsec Connections (1 connection MUST be configured for each tunnel).
  Manual section: VPN & Certificate Management and 802.1X Authentication. Video: Orbit™ MCR | IPsec Command Line.
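The two-tunnel, three-tunnel and multiple-Orbit tables all end with the same requirement, one IKE peer and one IPsec connection per tunnel, and they inherit the firewall and NAT requirements of the single-tunnel case for every tunnel. With three or more tunnels, the mistakes are usually copy-paste ones: a missing peer, a REMOTE-NET that overlaps another tunnel's, a 'not' rule added for the first remote network only. The following is an added example, not code from this guide and not the Orbit's configuration format: a consistency check over a plain dictionary describing the plan for one Orbit. The plan layout, tunnel names and addresses are all assumptions.

```python
"""Consistency check for a multi-tunnel IPsec plan on one Orbit (added example):
one IKE peer and one IPsec connection per tunnel, non-overlapping REMOTE-NETS,
IKE/ESP allowed in, and a source-NAT 'not' rule for every remote network.
The plan dictionary and all addresses are constructed, not Orbit configuration."""
import copy
import ipaddress
from itertools import combinations


def lint_ipsec_plan(plan):
    """Return a list of problems; an empty list means the plan is consistent."""
    problems = []
    tunnels = plan["tunnels"]
    peers = {p["name"] for p in plan["ike_peers"]}
    conns = plan["ipsec_connections"]

    # The guide's rule: one IKE peer and one IPsec connection MUST exist per tunnel.
    if len(peers) != len(tunnels):
        problems.append(f"{len(tunnels)} tunnels but {len(peers)} IKE peers")
    if len(conns) != len(tunnels):
        problems.append(f"{len(tunnels)} tunnels but {len(conns)} IPsec connections")
    for c in conns:
        if c["peer"] not in peers:
            problems.append(f"connection {c['name']} references undefined IKE peer {c['peer']}")
        if c["ike_policy"] not in plan["ike_policies"]:
            problems.append(f"connection {c['name']} references undefined IKE policy {c['ike_policy']}")
        if c["ipsec_policy"] not in plan["ipsec_policies"]:
            problems.append(f"connection {c['name']} references undefined IPsec policy {c['ipsec_policy']}")

    # Two tunnels whose REMOTE-NETS overlap give an ambiguous selector: a packet for
    # the shared range could be sent down either tunnel.
    for a, b in combinations(conns, 2):
        for na in a["remote_nets"]:
            for nb in b["remote_nets"]:
                if ipaddress.ip_network(na).overlaps(ipaddress.ip_network(nb)):
                    problems.append(f"REMOTE-NETS {na} ({a['name']}) overlaps {nb} ({b['name']})")

    # LOCAL-NETS overlapping a REMOTE-NET is only workable with the static (1:1) NAT setup.
    for c in conns:
        for ln in plan["local_nets"]:
            for rn in c["remote_nets"]:
                if ipaddress.ip_network(ln).overlaps(ipaddress.ip_network(rn)) and not plan.get("static_nat"):
                    problems.append(f"LOCAL-NET {ln} overlaps REMOTE-NET {rn} of {c['name']} without static NAT")

    # Firewall: IKE (UDP 500 and 4500) and ESP must be allowed IN on the untrusted side.
    allowed = {(r["proto"], r.get("dport")) for r in plan["in_untrusted"]}
    for proto, dport in (("udp", 500), ("udp", 4500), ("esp", None)):
        if (proto, dport) not in allowed:
            problems.append(f"IN_UNTRUSTED does not allow {proto}" + (f"/{dport}" if dport else ""))

    # Source NAT must have no effect on IPsec traffic: every REMOTE-NET needs a 'not' entry.
    exempt = set(plan["source_nat"].get("not_destinations", []))
    for c in conns:
        for rn in c["remote_nets"]:
            if rn not in exempt:
                problems.append(f"source NAT lacks a 'not' rule for REMOTE-NET {rn} ({c['name']})")
    return problems


def _conn(n):
    return {"name": f"to-orbit-{n}", "peer": f"orbit-{n}", "ike_policy": "ike-pol",
            "ipsec_policy": "esp-pol", "remote_nets": [f"192.168.{n}.0/24"]}


# Constructed three-tunnel plan for Orbit-1 (LAN 192.168.1.0/24) to Orbit-2, -3 and -4.
GOOD_PLAN = {
    "tunnels": ["to-orbit-2", "to-orbit-3", "to-orbit-4"],
    "local_nets": ["192.168.1.0/24"],
    "ike_policies": ["ike-pol"],
    "ipsec_policies": ["esp-pol"],
    "ike_peers": [{"name": f"orbit-{n}", "address": f"203.0.113.{n}0"} for n in (2, 3, 4)],
    "ipsec_connections": [_conn(n) for n in (2, 3, 4)],
    "in_untrusted": [{"proto": "udp", "dport": 500}, {"proto": "udp", "dport": 4500}, {"proto": "esp"}],
    "source_nat": {"to": "cell-address",
                   "not_destinations": ["192.168.2.0/24", "192.168.3.0/24", "192.168.4.0/24"]},
}


def broken_plan():
    """GOOD_PLAN with the copy-paste mistakes a three-tunnel rollout typically has."""
    plan = copy.deepcopy(GOOD_PLAN)
    plan["ike_peers"].pop()                                            # peer for the third tunnel forgotten
    plan["ipsec_connections"][1]["remote_nets"] = ["192.168.2.0/25"]   # overlaps the first tunnel's range
    plan["in_untrusted"].pop()                                         # ESP not opened on the cell side
    return plan


if __name__ == "__main__":
    print("good plan:", lint_ipsec_plan(GOOD_PLAN))
    for problem in lint_ipsec_plan(broken_plan()):
        print("broken plan:", problem)
```

Each finding maps to one row of the tables above, so the output doubles as the verification list for the "Configure Cell to use" step before the tunnels are brought up.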

References:
1. Kent, S.; Atkinson, R. (November 1998). IP Encapsulating Security Payload (ESP). IETF. RFC 2406 (since obsoleted by RFC 4303).

GE MDS, LLC
175 Science Parkway
Rochester NY, 14610
Telephone: +1 585 242-9600
FAX: +1 585 242-9620
www.gemds.com
