SIMATIC NET. Industrial Remote Communication Remote Networks SCALANCE M-800 Getting Started. Preface. Connecting SCALANCE M- 800 to WAN 1

Size: px

Start display at page:

Download "SIMATIC NET. Industrial Remote Communication Remote Networks SCALANCE M-800 Getting Started. Preface. Connecting SCALANCE M- 800 to WAN 1"

Coral Cannon
6 years ago
Views:

1 Preface Connecting SCALANCE M- 800 to WAN 1 SIMATIC NET Industrial Remote Communication Remote Networks SCALANCE M-800 as DHCP server 2 VPN tunnel between SCALANCE M-800 and S612 VPN tunnel between SCALANCE M-800 and security CPs 3 4 Getting Started VPN tunnel between SCALANCE M87x and SINEMA RC Server 5 VPN tunnel between two M- 800s 6 NETMAP with SCALANCE M Reporting and switching by SMS 8 07/2017 C79000-G8976-C337-05

2 Legal information Warning notice system This manual contains notices you have to observe in order to ensure your personal safety, as well as to prevent damage to property. The notices referring to your personal safety are highlighted in the manual by a safety alert symbol, notices referring only to property damage have no safety alert symbol. These notices shown below are graded according to the degree of danger. DANGER indicates that death or severe personal injury will result if proper precautions are not taken. WARNING indicates that death or severe personal injury may result if proper precautions are not taken. CAUTION indicates that minor personal injury can result if proper precautions are not taken. NOTICE indicates that property damage can result if proper precautions are not taken. If more than one degree of danger is present, the warning notice representing the highest degree of danger will be used. A notice warning of injury to persons with a safety alert symbol may also include a warning relating to property damage. Qualified Personnel The product/system described in this documentation may be operated only by personnel qualified for the specific task in accordance with the relevant documentation, in particular its warning notices and safety instructions. Qualified personnel are those who, based on their training and experience, are capable of identifying risks and avoiding potential hazards when working with these products/systems. Proper use of Siemens products Note the following: Trademarks WARNING Siemens products may only be used for the applications described in the catalog and in the relevant technical documentation. If products and components from other manufacturers are used, these must be recommended or approved by Siemens. Proper transport, storage, installation, assembly, commissioning, operation and maintenance are required to ensure that the products operate safely and without any problems. The permissible ambient conditions must be complied with. The information in the relevant documentation must be observed. All names identified by are registered trademarks of Siemens AG. The remaining trademarks in this publication may be trademarks whose use by third parties for their own purposes could violate the rights of the owner. Disclaimer of Liability We have reviewed the contents of this publication to ensure consistency with the hardware and software described. Since variance cannot be precluded entirely, we cannot guarantee full consistency. However, the information in this publication is reviewed regularly and any necessary corrections are included in subsequent editions. Siemens AG Division Process Industries and Drives Postfach NÜRNBERG GERMANY Document order number: C79000-G8976-C337 P 06/2017 Subject to change Copyright Siemens AG All rights reserved

3 Preface Purpose The configuration of the SCALANCE M is shown based on examples. IP settings for the examples Note The IP settings used in the examples were freely chosen. In a real network, you would need to adapt these IP settings to avoid possible address conflicts. General naming conventions The designation... stands for... SCT PST CP Security Configuration Tool Primary Setup Tool M87x SCALANCE M874-2 CP Advanced GX31, CP Advanced GX30, CP 1628 SCALANCE M874-3 SCALANCE M876-3 SCALANCE M876-4 M874 SCALANCE M874-2 SCALANCE M874-3 M876 SCALANCE M876-3 SCALANCE M876-4 M812 SCALANCE M812-1 M816 SCALANCE M816-1 M81x SCALANCE M812-1 SCALANCE M816-1 M826 SCALANCE M826-2 M-800 SCALANCE M874-2 SCALANCE M874-3 SCALANCE M876-3 SCALANCE M876-4 SCALANCE M812-1 SCALANCE M816-1 SCALANCE M826-2 Getting Started, 07/2017, C79000-G8976-C

4 Preface Further documentation "Industrial Remote Communication Remote Networks - SCALANCE M874" operating instructions This document contains information with which you will be able to install and connect up a device of the SCALANCE M874 product line. The configuration and the integration of the device in a network are not described in these instructions "Industrial Remote Communication Remote Networks - SCALANCE M81x" operating instructions This document contains information with which you will be able to install and connect up a device of the SCALANCE M812, M816 product line. The configuration and the integration of the device in a network are not described in these instructions "Industrial Remote Communication Remote Networks - SCALANCE M-800 Web Based Management" configuration manual This document is intended to provide you with the information you require to install, commission and operate the device. It provides you with the information you require to configure the devices. You will find further information about working with the SCT (Security Configuration Tool) in the "Industrial Ethernet Security - Basics and Application" configuration manual. You will find this document on the Internet under the following entry ID: ( The "SIMATIC NET Industrial Ethernet Network Manual" contains information on other SIMATIC NET products that you can operate along with the devices of this product line in an Industrial Ethernet network. There, you will find among other things optical performance data of the communications partners that you require for the installation. You will find this document on the Internet under the following entry ID: ( SIMATIC NET manuals You will find SIMATIC NET manuals on the Internet pages of Siemens Industry Online Support: using the search function: Link to Siemens Industry Online Support ( Enter the entry ID of the relevant manual as the search item. In the navigation panel on the left hand side in the area "Industrial Communication": Link to the area "Industrial Communication" ( Go to the required product group and make the following settings: tab "Entry list", Entry type "Manuals" Training, Service & Support You will find information on Training, Service & Support in the multi--language document "DC_support_99.pdf" on the data medium supplied with the documentation. 4 Getting Started, 07/2017, C79000-G8976-C337-05

5 Preface SIMATIC NET glossary Explanations of many of the specialist terms used in this documentation can be found in the SIMATIC NET glossary. You will find the SIMATIC NET glossary on the Internet at the following address: ( Security information Siemens provides products and solutions with industrial security functions that support the secure operation of plants, systems, machines and networks. In order to protect plants, systems, machines and networks against cyber threats, it is necessary to implement and continuously maintain a holistic, state-of-the-art industrial security concept. Siemens products and solutions constitute one element of such a concept. Customers are responsible for preventing unauthorized access to their plants, systems, machines and networks. Such systems, machines and components should only be connected to an enterprise network or the internet if and to the extent such a connection is necessary and only when appropriate security measures (e.g. firewalls and/or network segmentation) are in place. For additional information on industrial security measures that may be implemented, please visit Siemens products and solutions undergo continuous development to make them more secure. Siemens strongly recommends that product updates are applied as soon as they are available and that the latest product versions are used. Use of product versions that are no longer supported, and failure to apply the latest updates may increase customer s exposure to cyber threats. To stay informed about product updates, subscribe to the Siemens Industrial Security RSS Feed under Firmware The firmware is signed and encrypted. This ensures that only firmware created by Siemens can be downloaded to the device. Trademarks The following and possibly other names not identified by the registered trademark sign are registered trademarks of Siemens AG: SCALANCE, SINEMA, CP 343-1, CP 443-1, CP 1628 Getting Started, 07/2017, C79000-G8976-C

6 Preface 6 Getting Started, 07/2017, C79000-G8976-C337-05

7 Table of contents Preface Connecting SCALANCE M-800 to WAN Procedure in principle Setting up the SCALANCE M-800 and the network Connecting M826 to SHDSL Adapting IP settings Configuration with the Primary Setup Tool (PST) Configuration with DCP Discovery Starting Web Based Management Logging in to Web Based Management Specifying device information Setting the time Additional configuration steps with the SCALANCE M87x and SCALANCE M81x Configuring access parameters for the SCALANCE M87x Configuring access parameters for the SCALANCE M81x Setting up the DDNS hostname Additional steps in configuration with the SCALANCE M826 in 4-wire operation Configuring SHDSL Additional steps in configuration with the SCALANCE M826 in routing mode Creating IP subnet Configuring routes Allow access SCALANCE M-800 as DHCP server Configuring dynamic IP address assignment Specifying DHCP options Configuring static IP address assignment VPN tunnel between SCALANCE M-800 and S Procedure in principle Secure VPN tunnel with PSK Configuring a VPN tunnel with the SCT V3.x Creating the project and modules Configuring a tunnel connection Configuring the properties of the S Downloading the configuration to the S612 and saving the M-800 configuration Configuring a VPN tunnel with the SCT V4.x Creating the project and modules Getting Started, 07/2017, C79000-G8976-C

8 Table of contents Configuring a tunnel connection Configuring the properties of the S Downloading the configuration to the S612 and saving the M-800 configuration Configuring SCALANCE M Activating VPN Configuring the VPN remote end Configuring a VPN connection Configuring VPN authentication Configuring phase 1 and phase Establishing the VPN connection Secure VPN tunnel with certificates Configuring a VPN tunnel with the SCT V3.x Creating the project and modules Configuring a tunnel connection Configuring the properties of the S Downloading the configuration to the S612 and saving the M-800 configuration Configuring a VPN tunnel with the SCT V4.x Creating the project and modules Configuring a tunnel connection Configuring the properties of the S Downloading the configuration to the S612 and saving the M-800 configuration Configuring SCALANCE M Loading a certificate Configuring the VPN remote end Configuring a VPN connection Configuring VPN authentication Configuring phase 1 and phase Activating VPN Establishing the VPN connection Firewall with a VPN connection Creating firewall rules automatically Creating firewall rules manually VPN tunnel between SCALANCE M-800 and security CPs Procedure in principle Secure VPN tunnel with PSK Configuring a VPN tunnel with the SCT V3.x Creating project and modules with SCT Configuring a tunnel connection Downloading the configuration to the CP and saving the M-800 configuration Configuring a VPN tunnel with the SCT V4.x Creating project and modules with SCT Configuring a tunnel connection Downloading the configuration to the CP and saving the M-800 configuration Configuring SCALANCE M Configuring the VPN remote end Configuring a VPN connection Configuring VPN authentication Configuring phase 1 and phase Activating VPN Establishing the VPN connection Getting Started, 07/2017, C79000-G8976-C337-05

9 Table of contents 4.3 Secure VPN tunnel with certificates Configuring a VPN tunnel with the SCT V3.x Creating project and modules with SCT Configuring a tunnel connection Downloading the configuration to the CP and saving the M-800 configuration Configuring a VPN tunnel with the SCT V4.x Creating project and modules with SCT Configuring a tunnel connection Downloading the configuration to the CP and saving the M-800 configuration Configuring SCALANCE M Loading a certificate Configuring the VPN remote end Configuring a VPN connection Configuring VPN authentication Configuring phase 1 and phase Activating VPN Establishing the VPN connection VPN tunnel between SCALANCE M87x and SINEMA RC Server Procedure in principle Configuring access to the SINEMA RC server Activating IP masquerading Allow access Configuring a remote connection on the SINEMA RC Server Creating node groups Create devices Configure communications relations Configuring a remote connection on the M87x Secure VPN connection with fingerprint Secure VPN connection with CA certificate Loading a certificate Configuring a VPN connection to the SINEMA RC Server VPN tunnel between two M-800s Procedure in principle Configuring a VPN tunnel with the SCT Creating the project and modules Configuring a tunnel connection Configuring VPN parameters Saving the configuration Configuring the SCALANCE M81x (VPN server) Loading a certificate Configuring the VPN remote end Configuring a VPN connection Configuring VPN authentication Configuring phase 1 and phase Activating VPN Establishing the VPN connection Configuring the SCALANCE M87x (VPN client) Getting Started, 07/2017, C79000-G8976-C

10 Table of contents Loading a certificate Configuring the VPN remote end Configuring a VPN connection Configuring VPN authentication Configuring phase 1 and phase Activating VPN Establishing the VPN connection Displaying the status of the VPN connection NETMAP with SCALANCE M NETMAP for the local network Creating a VPN connection Creating NETMAP rules NETMAP for the remote network Creating a VPN connection Creating NETMAP rules NETMAP for the local and remote network Creating a VPN connection Creating NETMAP rules Reporting and switching by SMS Introduction Generating and sending an event SMS message Introduction Configuring an event Configuring the sending of SMS messages Receiving and evaluating a command SMS message Introduction SINEMA RC Server sends a wake-up SMS message Configuring settings on the SINEMA RC Server Configuring receipt of the command SMS message on the M87x Service technician sends a command SMS message Start VPN connection with command SMS message Querying the status of the VPN connection with command SMS message Index Getting Started, 07/2017, C79000-G8976-C337-05

Connecting SCALANCE M-800 to WAN 1 1.1 Procedure in principle This section provides an overview of how a SCALANCE M-800 with the factory settings can be integrated in a network and configured.

11 Connecting SCALANCE M-800 to WAN Procedure in principle This section provides an overview of how a SCALANCE M-800 with the factory settings can be integrated in a network and configured. This can be a mobile wireless network (SCALANCE M87x) or a wired network (SCALANCE M812, SCALANCE M816 or SCALANCE M826). The device is assigned an IP address. Configuration is performed using the Web Based Management (WBM). Structure for SCALANCE M874 and SCALANCE M81x Figure 1-1 Internet access via a mobile wireless network with the SCALANCE M874-3 via ADSL with the SCALANCE M812-1 Required components SCALANCE M-800 Optional if the device is not mounted directly. Standard rail with fittings A power supply 24 VDC or 12 VDC with cable connector and terminal block connector A network cable complying with the IE FC RJ-45 standard for Industrial Ethernet One PC for the configuration Additionally with the SCALANCE M87x A suitable antenna A SIM card of your mobile wireless provider (The required services, for example Internet must be enabled.) Getting Started, 07/2017, C79000-G8976-C

12 Connecting SCALANCE M-800 to WAN 1.1 Procedure in principle Additionally with the SCALANCE M81x Activation for ADSL Steps in configuration The required steps in configuration depend in part on the device you are using. If the SCALANCE M826 is used in 2-wire operation, only the configuration step "Setting up SCALANCE M-800 and the network" is required. After this, the SCALANCE M826 is ready for operation immediately (out of the box). 1. Setting up SCALANCE M-800 and the network. For the SCALANCE M826, note the additional information in the section "Connecting SCALANCE M826 with SHDSL" 2. When necessary configure the device with the Primary Setup Tool (PST) or DCP Discovery 3. If applicable, adapt the IP configuration of the PC. 4. Start Web Based Management. 5. Log in to Web Based Management. 6. Configure the SCALANCE M-800. Specify device information Set the time of day Only with the devices SCALANCE M87x and SCALANCE M81x: Configure access data Only with the devices SCALANCE M87x and SCALANCE M81x: Set up the host name Only with the SCALANCE M826 in 4-wire operation: Configure SHDSL Allow access 12 Getting Started, 07/2017, C79000-G8976-C337-05

13 Connecting SCALANCE M-800 to WAN 1.2 Setting up the SCALANCE M-800 and the network 1.2 Setting up the SCALANCE M-800 and the network Note Note the security instructions in the operating instructions before you commission the device. Procedure 1. Unpack the SCALANCE M-800 and check the device for damage. 2. Only with with the SCALANCE M87x: Insert the SIM card. 3. Connect the power supply. WARNING Use safety extra-low voltage only The SCALANCE M874 is designed for operation with safety extra-low voltage. This means that only safety extra-low voltages (SELV) complying with IEC950/EN60950/ VDE0805 can be connected to the power supply terminals. The power supply unit for the SCALANCE M power supply must meet NEC Class 2, according to the National Electrical Code(r) (ANSI / NFPA 70). 4. Connect the device to the network. This step depends on the device and the type of network: SCALANCE M87x (mobile wireless network): Mount the antenna. SCALANCE M81x (ADSL): Connect the device to the DSL socket on the splitter. SCALANCE M826 (SHDSL): Wire X1 with X2, for detailed information refer to the section "Connecting SCALANCE M826 to SHDSL". 5. Connect an Ethernet port (P1, P2, P3, P4) to the PC. 6. Turn the device on. After connecting up, the fault LED (F) is lit red 7. Now, turn on the PC. Getting Started, 07/2017, C79000-G8976-C

14 Connecting SCALANCE M-800 to WAN 1.3 Connecting M826 to SHDSL 1.3 Connecting M826 to SHDSL The SCALANCE M826 can be operated in two ways: 2-wire operation When supplied, the two SHDSL interfaces are set so that two SCALANCE M826 can be connected via a point-to-point connection. Interface X1 is configured as CO (Central Office) and interface X2 a CPE (Customer Premises Equipment). 4-wire operation Both SHDSL interfaces are put together to form a single connection with a higher transmission rate. The two interfaces X1 and X2 of one device are configured as CO and the two interfaces X1 and X2 of the other device as CPE. When supplied the SCALANCE M826 is configured so that there is no distinction between the internal and external network. The SCALANCE M826 is a transparent bridge and connects network nodes that are in the same IP subnet. 14 Getting Started, 07/2017, C79000-G8976-C337-05

15 Connecting SCALANCE M-800 to WAN 1.3 Connecting M826 to SHDSL 2-wire operation with factory settings (out of the box) Figure 1-2 The admin PCs represent network nodes that are connected to an Ethernet interface of the relevant SCALANCE M826. The SCALANCE M826 are connected together via an in-house 2-wire cable. Settings used Figure 1-3 Factory settings for the devices of the configuration example. Getting Started, 07/2017, C79000-G8976-C

16 Connecting SCALANCE M-800 to WAN 1.3 Connecting M826 to SHDSL 4-wire operation Figure 1-4 The admin PCs represent network nodes that are connected to an Ethernet interface of the relevant SCALANCE M826. The two SCALANCE M826 are connected together via two in-house 2-wire cables. Settings used IP address Subnet mask Central office M Admin PC Station M Admin PC Getting Started, 07/2017, C79000-G8976-C337-05

Connecting SCALANCE M-800 to WAN 1.3 Connecting M826 to SHDSL In routing mode In this example, three different IP subnets will be interconnected via the SCALANCE M826.

17 Connecting SCALANCE M-800 to WAN 1.3 Connecting M826 to SHDSL In routing mode In this example, three different IP subnets will be interconnected via the SCALANCE M826. For this connection, there must be a one SHDSL interface of a device in the role of CO and the other in the role of CPE. Since the SCALANCE M826 devices operate in routing mode, there is a division into external and internal networks. This means that the SHDSL interfaces and the Ethernet interfaces are located in different IP subnets. In this mode, the security functions (IPsec VPN, firewall, NAT/NAPT) are available. Figure 1-5 SCALANCE M826 in routing mode: The network nodes are in different IP subnets. The SHDSL interfaces are connected together via in-house 2-wire cables. Settings used Interface Central M826 SHDSL office (external) Ethernet (internal) Admin PC Ethernet (internal) Station 1 M826 SHDSL (external) Ethernet (internal) Admin PC Ethernet (internal) IP address Vlan Vlan Vlan Vlan Getting Started, 07/2017, C79000-G8976-C

18 Connecting SCALANCE M-800 to WAN 1.4 Adapting IP settings Interface Station 2 M826 SHDSL (external) Ethernet (internal) Admin PC Ethernet (internal) IP address Vlan Vlan Adapting IP settings Introduction To ba able to access a SCALANCE M-800 with the Web Based Management, the device must have an IP address. You have the following options for assigning an IP address to devices the first time or changing already assigned IP addresses. Primary Setup Tool (PST) DCP Discovery (as of firmware version V4.3) SCALANCE M826 The SCALANCE M826 is supplied without a preset IP address, because for this device there are applications that require no further configuration (out of the box). In these cases, no access to the Web Based Management is necessary and therefore no IP address either. The device will, however, attempt to obtain an IP address from a DHCP server if it is available in the network. In all other cases, the device must first be assigned an IP address. SCALANCE M87x and SCALANCE M81x The devices SCALANCE M87x and SCALANCE M81x are supplied with the following factory settings: IP address: Subnet mask: If you enter the IP address " " in the address box of a Web browser on a connected PC (in the examples called "admin PC"), you come directly to the WBM of the device. However, a change to the factory settings may be necessary due to address areas already configured in the existing network. 18 Getting Started, 07/2017, C79000-G8976-C337-05

Connecting SCALANCE M-800 to WAN 1.4 Adapting IP settings 1.4.1 Configuration with the Primary Setup Tool (PST) Introduction The following section describes the procedure when using the PST.

19 Connecting SCALANCE M-800 to WAN 1.4 Adapting IP settings Configuration with the Primary Setup Tool (PST) Introduction The following section describes the procedure when using the PST. Procedure 1. Start the Primary Setter Tool with "Start > SIMATIC > Primary Setup Tool". If several network adapters are installed in the PC, select the network adapter connected to the SCALANCE M-800 in "Settings > Network adapter". 2. Click on the magnifier in the toolbar to start the search. After the search, all devices are listed that can be configured with the PST. 3. Select the entry for the Ethernet interface of the SCALANCE M Select the option button "Assign IP parameters". 5. Enter the required values in the "IP address" und "subnet mask" boxes. Figure 1-6 User interface of the Primary Setup Tool Getting Started, 07/2017, C79000-G8976-C

Connecting SCALANCE M-800 to WAN 1.4 Adapting IP settings Follow the steps below to transfer the parameter assignment to the device: 1. Select the entry for the SCALANCE M-800. 2.

20 Connecting SCALANCE M-800 to WAN 1.4 Adapting IP settings Follow the steps below to transfer the parameter assignment to the device: 1. Select the entry for the SCALANCE M Click on the second button from left ("Download") or select the Module > Download menu command. Figure 1-7 Transfer the parameters with the "Download" button Configuration with DCP Discovery Introduction This section describes the procedure when using DCP Discovery. Requirement Firmware version V4.3 The device to be configured can be found in the plant network of the SCALANCE M-800. Example: The access point to the network is the SCALANCE M87x. The SCALANCE M826 device to be configured can be reached via the interface of the SCALANCE M87x. 20 Getting Started, 07/2017, C79000-G8976-C337-05

Connecting SCALANCE M-800 to WAN 1.5 Starting Web Based Management Procedure 1. Click "System > DCP Discovery" in the navigation area. 2. Click "Discover" button to start the search.

21 Connecting SCALANCE M-800 to WAN 1.5 Starting Web Based Management Procedure 1. Click "System > DCP Discovery" in the navigation area. 2. Click "Discover" button to start the search. After the search, all devices are listed that can be reached via the interface. With the aid of the table you can check the configuration of the devices. The SCALANCE M826 is supplied without a preset IP address, so it currently has the IP address Enter the required values in the "IP Address" und "Subnet Mask" boxes. The assigned IP address must match your network and should be unique within the network. 4. Click on "Set Values". The status of the IP address changes from "Discovered" to "Configured". Getting Started, 07/2017, C79000-G8976-C

22 Connecting SCALANCE M-800 to WAN 1.5 Starting Web Based Management 1.5 Starting Web Based Management Depending on the device and the example shown, the admin PC is assigned the following IP address: SCALANCE M87x and SCALANCE M81x IP address Subnet mask Admin PC SCALANCE M826 IP address Subnet mask Admin PC Admin PC Procedure 1. On the Admin PC, open the Control Panel with the menu command "Start" > "Control Panel". 2. Click "Network and Sharing Center" and select the "Change adapter settings" option in the navigation menu on the left. 3. Right-click on the "LAN Connection" symbol and select the "Properties" menu command. 4. In the "Local Area Connection Properties" dialog, enable the "Internet Protocol Version 4 (TCP/IPv4)" check box. 22 Getting Started, 07/2017, C79000-G8976-C337-05

Connecting SCALANCE M-800 to WAN 1.5 Starting Web Based Management 5. Enter the values assigned to the admin PC from the table in the relevant boxes.

23 Connecting SCALANCE M-800 to WAN 1.5 Starting Web Based Management 5. Enter the values assigned to the admin PC from the table in the relevant boxes. Note The IP address used in the following figure for the standard gateway must be adapted if the factory setting is not used for the IP address of the SCALANCE M Confirm the dialogs with "OK" and close the Control Panel. Getting Started, 07/2017, C79000-G8976-C

Connecting SCALANCE M-800 to WAN 1.5 Starting Web Based Management 7. Enter the IP address "192.168.1.1" in the address box of the Internet browser. Access via HTTPS is enabled as default.

24 Connecting SCALANCE M-800 to WAN 1.5 Starting Web Based Management 7. Enter the IP address " " in the address box of the Internet browser. Access via HTTPS is enabled as default. If you access the device via HTTP, the address is automatically redirected to HTTPS. A message relating to the security certificate appears. Acknowledge this message and continue loading the page. Note Information on the security certificate Because the device can only be administered using encrypted access, it is delivered with a self-signed certificate. If certificates with signatures that the operating system does not know are used, a security message is displayed. You can display the certificate. 8. If there is a problem-free connection to the device, the logon page of Web Based Management (WBM)is displayed. 24 Getting Started, 07/2017, C79000-G8976-C337-05

Connecting SCALANCE M-800 to WAN 1.6 Logging in to Web Based Management 1.6 Logging in to Web Based Management Procedure 1. Log in with the user name "admin" and the password "admin".

25 Connecting SCALANCE M-800 to WAN 1.6 Logging in to Web Based Management 1.6 Logging in to Web Based Management Procedure 1. Log in with the user name "admin" and the password "admin". You will be prompted to change the password. 2. Confirm the dialog. The "Account Passwords" WBM page is opened automatically. 3. Enter the default password "admin" in "Current User Password". 4. For "New Password", enter the new password. The new password must be at least 8 characters long and contain upper case letters, lower case letters, numbers and special characters. 5. Repeat the new password in "Password Confirmation" as confirmation. The entries must match. Getting Started, 07/2017, C79000-G8976-C

Connecting SCALANCE M-800 to WAN 1.7 Specifying device information 6. Click the "Set Values" button. 7. The Basic Wizard starts to support you when configuring the device parameters.

26 Connecting SCALANCE M-800 to WAN 1.7 Specifying device information 6. Click the "Set Values" button. 7. The Basic Wizard starts to support you when configuring the device parameters. Result The password for the "admin" user is changed. The changes take immediate effect. 1.7 Specifying device information To allow better identification of the SCALANCE M-800, specify general device information. Procedure 1. In the navigation area click on "System > General" and in the content area on the "Device" tab. 2. In "System Name", enter a name for the device. 3. Enter the contact person responsible for the device in "System Contact". 4. Enter the identifier for the location at which the device is installed in "System Location", for example the room number. 5. Click the "Set Values" button. Result The general device information for the SCALANCE M-800 has been specified. 26 Getting Started, 07/2017, C79000-G8976-C337-05

27 Connecting SCALANCE M-800 to WAN 1.8 Setting the time 1.8 Setting the time The date and time are kept on the SCALANCE M-800 to check the validity (time) of certificates and for the time stamps of log entries. You can set the system time yourself manually or have it synchronized automatically with a time server. There are a number of time servers on the Internet that can be used to obtain the current time precisely. For this example, the time server is configured using NTP. Note Manual time setting - reaction after interrupting the power supply Note that the time is reset to the factory setting if the power supply is interrupted. On return of the power, you need to set the system time again. As result, certificates can lose their validity. Synchronization using a time server Synchronization of the system time using a public time server creates additional data traffic on the connection. This may result in additional costs, depending on your subscriber contract. Requirement The NTP server is reachable. The IP address of the NTP server is known. For this example, a time server (e.g ) of the Physikalisch-Technischen Bundesanstalt (PTB) in Braunschweig is used (Federal Institute of Physical and Technical Affairs - metrology institute). As an alternative the Fully Qualified Domain Name (FQDN) can be specified, for example "pool.ntp.org". Procedure 1. In the navigation area click on "System > System Time" and in the content area on the "NTP Client" tab. Getting Started, 07/2017, C79000-G8976-C

Connecting SCALANCE M-800 to WAN 1.9 Additional configuration steps with the SCALANCE M87x and SCALANCE M81x 2. In "Time zone", enter the local time difference to world time (UTC).

28 Connecting SCALANCE M-800 to WAN 1.9 Additional configuration steps with the SCALANCE M87x and SCALANCE M81x 2. In "Time zone", enter the local time difference to world time (UTC). For Central European Summer time (CEST) +02: Click "Create". A new entry is created in the table. 4. In "NTP Server Address", enter the IP address If necessary, change the port in "NTP Server Port". As default, 123 is set. 6. In "Poll Interval", enter the interval for synchronization. As default, 64 is set. 7. Enable "NTP Client". 8. Click on "Set Values". Result System time using NTP is set. Click "Refresh" to refresh the WBM page. 28 Getting Started, 07/2017, C79000-G8976-C337-05

29 Connecting SCALANCE M-800 to WAN 1.9 Additional configuration steps with the SCALANCE M87x and SCALANCE M81x 1.9 Additional configuration steps with the SCALANCE M87x and SCALANCE M81x Configuring access parameters for the SCALANCE M87x Requirement The services are enabled, e.g. Internet. The following data is available: PIN number APN User name and password for the APN Enter the PIN number 1. In the navigation area click on "Interfaces" > "Mobile" and in the content area on the "SIM" tab. 2. In "PIN", enter the PIN number. 3. Activate the mobile network interface. 4. Click on "Set Values". Getting Started, 07/2017, C79000-G8976-C

Connecting SCALANCE M-800 to WAN 1.9 Additional configuration steps with the SCALANCE M87x and SCALANCE M81x Configure APN 1. Click on the "Operator" tab in the content area. 2.

30 Connecting SCALANCE M-800 to WAN 1.9 Additional configuration steps with the SCALANCE M87x and SCALANCE M81x Configure APN 1. Click on the "Operator" tab in the content area. 2. Specify the access data for the APN. If your mobile wireless provider is included in the table, no further configuration is necessary. or In "Country List", select the country in which the device will be used. In "Provider List" select the appropriate mobile wireless provider. If a mobile wireless provider is listed more than once for a country, select the entry with the PLMNID that matches the SIM. or If your mobile wireless provider is not included in the table and not in the list of providers, enable the entry "Manual". When the "Manual" entry is enabled, all other entries are automatically ignored. Complete the boxes PLMNID, Operator Name, APN, User Name (optional), Password (optional) and Password Confirmation (optional) manually. To adopt the entry click on "Create" and "Set Values". 30 Getting Started, 07/2017, C79000-G8976-C337-05

Connecting SCALANCE M-800 to WAN 1.9 Additional configuration steps with the SCALANCE M87x and SCALANCE M81x Result The PIN number and the APN are configured.

31 Connecting SCALANCE M-800 to WAN 1.9 Additional configuration steps with the SCALANCE M87x and SCALANCE M81x Result The PIN number and the APN are configured. The M87x4 connects to the mobile wireless network after approximately 30 seconds. You can check whether or not the connection is established in "Inforrmation > Mobile > Overview". There the name of your mobile wireless provider should appear in "Provider". For a functioning connection, the signal strength should be higher than 104 dbm. Note This page provides the option of automatic updating. Click on the symbol with the two arrows in the upper display area to enable this function Configuring access parameters for the SCALANCE M81x Requirement The services are enabled, e.g. Internet. The following access data is known from your DSL provider: User name and password for ADSL access DSL parameter Getting Started, 07/2017, C79000-G8976-C

Connecting SCALANCE M-800 to WAN 1.9 Additional configuration steps with the SCALANCE M87x and SCALANCE M81x Configuring ADSL 1. Click "Interfaces" > "DSL" in the navigation area 2.

32 Connecting SCALANCE M-800 to WAN 1.9 Additional configuration steps with the SCALANCE M87x and SCALANCE M81x Configuring ADSL 1. Click "Interfaces" > "DSL" in the navigation area 2. Enable the DSL interface. 3. Disable PPPoE passthrough to set up the access data for the SCALANCE M81x. The connected devices can use this DSL connection. If "Enable PPPoE Passthrough" is selected, the access data cannot be configured. In this case the SCALANCE M81x is used as a modem. Each individual connected device sends its access data to the SCALANCE M81x and establishes its own Internet connection. 4. Enter the user name and the password for the ADSL access. 5. Enter the settings for VCI / VPI. You will receive the settings from your DSL provider. 6. In "Encapsulation" select the required protocol. 7. Click on "Set Values". 32 Getting Started, 07/2017, C79000-G8976-C337-05

Connecting SCALANCE M-800 to WAN 1.9 Additional configuration steps with the SCALANCE M87x and SCALANCE M81x Result The DSL connection is set up.

33 Connecting SCALANCE M-800 to WAN 1.9 Additional configuration steps with the SCALANCE M87x and SCALANCE M81x Result The DSL connection is set up. The device connects to the Internet after approximately 30 seconds. You can check whether or not the connection is established in "Information" > "Start Page". Getting Started, 07/2017, C79000-G8976-C

Connecting SCALANCE M-800 to WAN 1.9 Additional configuration steps with the SCALANCE M87x and SCALANCE M81x You will find more detailed information on the connection in "Information" > "DSL". 1.9.3 Setting up the DDNS hostname DDNS stands for "dynamic domain name system".

34 Connecting SCALANCE M-800 to WAN 1.9 Additional configuration steps with the SCALANCE M87x and SCALANCE M81x You will find more detailed information on the connection in "Information" > "DSL" Setting up the DDNS hostname DDNS stands for "dynamic domain name system". If you log the SCALANCE M-800 on to a DDNS service, the device can be reached from the external network under a hostname, e.g. "example.no-ip.com". The DNS server of the DDNS service manages the assignment of IP address to hostname. The client informs the DNS server of its currently assigned IP address. The DNS name server registers the current hostname - IP address assignment and passes this on to other domain name servers in the Internet. This means that the SCALANCE M-800 can always be reached using its hostname. Requirement User name and password that give you the right to use the DDNS service. Registered hostname, e.g. example.no-ip.com Procedure 1. Click on "System > "DNS" in the navigation area and on the "DDNS Client" tab in the content area In "Host", enter the hostname that you have agreed with your DDNS provider for the device, e.g. example.no-ip.com. 4. For "User name", enter the user data and for "Password / Password Confirmation" the password that allows you to use the DDNS service. Your DDNS provider will give you this information. 34 Getting Started, 07/2017, C79000-G8976-C337-05

35 Connecting SCALANCE M-800 to WAN 1.10 Additional steps in configuration with the SCALANCE M826 in 4-wire operation 5. Select the appropriate check box in the "enabled" column for one of the two services "No- IP" or "DynDNS". 6. Click on "Set Values". Result The DDNS client is activated. The DDNS client on the SCALANCE M-800 synchronizes the assigned IP address with the hostname registered in the DDNS service Additional steps in configuration with the SCALANCE M826 in 4- wire operation Configuring SHDSL Procedure 1. In the navigation area click "Interfaces" > "SHDSL" > "Configuration". 2. For "Port-Type" leave "Switch-Port VLAN Hybrid" enabled. 3. Specify the role of the interfaces. The two interfaces need to have the same role on both devices. M826 in the master station M826 in the station X1 X2 X1 X2 Central Office (CO) Central Office (CO) Customer Premises Equipment (CPE) Customer Premises Equipment (CPE) 4. For "Predefined Profile", select "Reliability". The following parameters are set automatically. Getting Started, 07/2017, C79000-G8976-C

In the navigation area click "Interfaces" > "SHDSL" > "Overview". 7. Enable the PME aggregation function.

36 Connecting SCALANCE M-800 to WAN 1.10 Additional steps in configuration with the SCALANCE M826 in 4-wire operation 5. Click on "Set Values". 6. In the navigation area click "Interfaces" > "SHDSL" > "Overview". 7. Enable the PME aggregation function. When enabled, the SHDSL interfaces or the 2-wire cables are put together to form a single connection with a higher transmission rate. 8. Click on "Set Values". 36 Getting Started, 07/2017, C79000-G8976-C337-05

Connecting SCALANCE M-800 to WAN 1.11 Additional steps in configuration with the SCALANCE M826 in routing mode Result The SHDSL connection is set up. The devices negotiate the connection parameters.

37 Connecting SCALANCE M-800 to WAN 1.11 Additional steps in configuration with the SCALANCE M826 in routing mode Result The SHDSL connection is set up. The devices negotiate the connection parameters. This means that the devices use the transmission rate at which the data can be sent and received reliably Additional steps in configuration with the SCALANCE M826 in routing mode Creating IP subnet In routing mode, the interfaces are handled differently. Ethernet interface: Connection of the internal IP subnet (vlan 1) SHDSL interface: Connection of the external IP subnet (vlan 2) The Ethernet interface or internal IP subnet has already been configured with the PST. For this configuration example, only the IP subnet for the SHDSL interface or for the external IP subnet needs to be configured. The same steps need to be taken on all devices. Procedure 1. Click on "Layer 3 > Subnetsin the navigation area and on the "Configuration" tab in the content area. 2. For "Interface (Name)" select the entry "vlan2". 3. For "Interface Name" you can enter a name. 4. Enter the value assigned to the M826 from the "Settings used (Page 14)" table. 5. Click on "Set Values". Getting Started, 07/2017, C79000-G8976-C

Connecting SCALANCE M-800 to WAN 1.11 Additional steps in configuration with the SCALANCE M826 in routing mode Result The IP subnets have been created.

38 Connecting SCALANCE M-800 to WAN 1.11 Additional steps in configuration with the SCALANCE M826 in routing mode Result The IP subnets have been created. The IP subnets are displayed in the "Overview" tab Configuring routes The master station and the stations are in different IP subnets. To allow the master station to communicate with the stations, the appropriate routes need to be created on the M826. M826 in the master station: Configuring routes 1. Click "Layer 3 > Static Routes" in the navigation area. 2. Configure the routes with the following settings: Route to station 1 Destination Network Subnet Mask Gateway external IP address of the M826 in station 1 Administrative Distance -1 Route to station 2 Destination Network Subnet Mask Gateway external IP address of the M826 in station 2 Administrative Distance Getting Started, 07/2017, C79000-G8976-C337-05

Connecting SCALANCE M-800 to WAN 1.12 Allow access 3. When you have entered the values, click "Create". 4. To update the display, click "Refresh". M826 in the stations: Configuring routes 1.

39 Connecting SCALANCE M-800 to WAN 1.12 Allow access 3. When you have entered the values, click "Create". 4. To update the display, click "Refresh". M826 in the stations: Configuring routes 1. Click "Layer 3 > Static Routes" in the navigation area. 2. Configure the route to the master station with the following settings: Destination Network Subnet Mask Gateway Administrative Distance When you have entered the values, click "Create". 4. To update the display, click "Refresh". external IP address of the M826 in the master station Result The routes have been created. The SCALANCE M826 in the master station can communicate with the stations. Using the ping function, the communications connection can be tested. For example, can the Admin PC in station 1 be reached by the Admin PC in the master station? Getting Started, 07/2017, C79000-G8976-C

40 Connecting SCALANCE M-800 to WAN 1.12 Allow access 1.12 Allow access The firewall is enabled as default. The following access is nor allowed: Access from internal to external. Access from external to internal. Data exchange between different internal VLANs. Data exchange with the device from different zones. You have the following options for allowing access: Allow globally The predefined firewall rules specify which of the zones (VLAN1, VLAN2,... or PPP) may access which services of the SCALANCE M-800. With predefined rules it is possible to permit data exchange between the zones (internal VLAN1 to external PPP0). The firewall rule for the opposite direction is permitted by stateful packet inspection. Allow certain services Here, you define firewall rules that allow individual services for a single node or all services for the node for access to the station or network. In this example, configure the firewall rules that only allow the device with IP address access to the entire Internet. For the access, the services HTTP (TCP port 80) and DNS (UDP port 53) are required. Predefined rules 1. Click on "Security > Firewall" in the navigation area and on the "Predefined IPv4" tab in the content area. 2. Click on "Set Values". Allow Internet access for a certain device and a certain service (HTTP) Create HTTP and DNS services 1. Click on "Security" > "Firewall" in the navigation area and on the "IP Services" tab in the content area. 2. As the service name, enter e.g. "HTTP" and click "Create". A new entry is created in the table. 40 Getting Started, 07/2017, C79000-G8976-C337-05

Connecting SCALANCE M-800 to WAN 1.12 Allow access 3. Configure HTTP with the following settings: Transportation TCP Destination Port (Range) 80 (standard port) 4. Click on "Set Values". 5.

41 Connecting SCALANCE M-800 to WAN 1.12 Allow access 3. Configure HTTP with the following settings: Transportation TCP Destination Port (Range) 80 (standard port) 4. Click on "Set Values". 5. A new entry is created in the table. 6. As the service name, enter e.g. "DNS" and click "Create". A new entry is created in the table. 7. Configure DNS with the following settings: Transportation UDP Destination Port (Range) 53 (standard port) 8. Click on "Set Values". Only allow the IP service for a specific device 1. Click on "Security" > "Firewall" in the navigation area and on the "IP Rules" tab in the content area. 2. Click "Create". A new entry is created in the table. 3. Configure the firewall rule for HTTP with the following settings: Action From To Source (Range) Destination (Range) Service Accept vlan1 (INT) ppp0 or usb (the required device) /0 (all addresses) HTTP 4. Click on "Set Values". Getting Started, 07/2017, C79000-G8976-C

42 Connecting SCALANCE M-800 to WAN 1.12 Allow access 5. Click "Create". A new entry is created in the table. 6. Configure the firewall rule for DNS with the following settings: Action From To Source (Range) Destination (Range) Service Accept vlan1 (INT) ppp0 or usb (the required device) /0 (all addresses) DNS 7. Click on "Set Values". Allow an internal node access to the Internet 1. Click on "Security" > "Firewall" in the navigation area and on the "IP Rules" tab in the content area. 2. Click "Create". A new entry is created in the table. 3. Configure the firewall rule for HTTP with the following settings: Action From To Source (Range) Destination (Range) Service Accept vlan1 (INT) ppp0 or usb0 (depending on the device) /0 (all addresses) /0 (all addresses) all 4. Click on "Set Values". 42 Getting Started, 07/2017, C79000-G8976-C337-05

43 SCALANCE M-800 as DHCP server 2 If you want to use the device to manage the network configuration, you can use the device as a DHCP server. This allows IP addresses to be assigned automatically to the devices connected to the internal network. In this example, both static and dynamic IP address assignments are configured. Note DHCP client and DHCP server The device can either be only a DHCP client or only a DHCP server. SCALANCE M-800 as DHCP server Required devices/components SCALANCE M-800 as DHCP server 1 x M874, 1 x M812 or M816 (optionally also: a suitably installed standard rail with fittings) 1 x 24 V power supply with cable connector and terminal block plug 1 x PC with which the SCALANCE M-800 is connected. The required network cable, TP cable (twisted pair) complying with the IE FC RJ-45 standard for Industrial Ethernet Getting Started, 07/2017, C79000-G8976-C

SCALANCE M-800 as DHCP server 2.1 Configuring dynamic IP address assignment Setting used In the configuration example, the SCALANCE M-800 has the following IP address setting: IP address 192.168.100.

44 SCALANCE M-800 as DHCP server 2.1 Configuring dynamic IP address assignment Setting used In the configuration example, the SCALANCE M-800 has the following IP address setting: IP address Subnet mask: Requirement The SCALANCE M-800 can be reached via the admin PC and you are logged in to the WBM as "admin". Steps in configuration 1. Configuring dynamic IP address assignment (Page 44) 2. Specifying DHCP options (Page 45) 3. Configuring static IP address assignment (Page 47) 2.1 Configuring dynamic IP address assignment The devices whose MAC address or whose client ID was not specified specifically, are assigned a random IP address from a specified address range. Procedure 1. Click on "System" > "DHCP" in the navigation area and on the "DHCP Server" tab in the content area. 2. Click "Create". A new row with a unique number (pool ID) is created in the table. 3. Enter the network address range in "Subnet". Since the device being used is operating both as a gateway and a DNS relay, the IP address must be in the network address range. In this example the network address: /24 (= / ) is used. 44 Getting Started, 07/2017, C79000-G8976-C337-05

SCALANCE M-800 as DHCP server 2.2 Specifying DHCP options 4. In "Lower IP Address", enter the IP address 192.168.100.

45 SCALANCE M-800 as DHCP server 2.2 Specifying DHCP options 4. In "Lower IP Address", enter the IP address that specifies the start of the dynamic address band and that is located within the network address range. 5. In "Upper IP Address", enter the IP address that specifies the end of the dynamic address band and that is located within the network address range. 6. Click on "Set Values". 7. To activate the DHCP server, select "DHCP Server". 8. Enable "Probe address with ICMP echo before offer" to enable the ping function. With this ping, the DHCP server checks whether or not the IP address has already been assigned. 9. To enable the configured DHCP pool, select the check box in the "Enable" column. 10.Click on "Set Values". Result The DHCP server can assign up to 100 IP addresses from a set address band. This is only possible if the connected devices are configured so that they obtain the IP address from a DHCP server. 2.2 Specifying DHCP options Further information can be transferred to the DHCP client using DHCP options. The various DHCP options are defined in RFC The DHCP options 1, 3, 6, 66 and 67 are created automatically when the IPv4 address band is created. With the exception of option 1, the options can be deleted. Getting Started, 07/2017, C79000-G8976-C

46 SCALANCE M-800 as DHCP server 2.2 Specifying DHCP options In this example, the following DHCP options are created. DHCP option Information contained 1 Netmask The subnet mask to match the IP address For this example the subnet mask is: Default gateway IP address of the default gateway Without this information, the DHCP client is only assigned an IP address by the DHCP server and it can only communicate with the nodes in the internal network. 6 DNS server IP address of the DNS server Without this information, the DHCP client is not automatically assigned a DNS server. To allow name resolution, a DNS server must be known to the DHCP client. This can also be configured manually. 66 TFTP server TFTP Server Address This informs the DHCP client of the TFTP server to which it will connect. 67 Bootfile Name The DHCP client uses this file when it boots. Procedure 1. Click on "System > "DHCP" in the navigation area and on the "DHCP Options" tab in the content area. 2. Enable "Use Interface IP" for the DHCP options 3 and 6. Click on "Set Values". The IP address of the device is entered automatically as the value. 3. Enter "42" in "Option Code". 4. Click "Create". A new row is created in the table. 5. In "Value", enter the IP address of the NTP server. 6. Click on "Set Values". 46 Getting Started, 07/2017, C79000-G8976-C337-05

47 SCALANCE M-800 as DHCP server 2.3 Configuring static IP address assignment Result The DHCP options are configured. If a DHCP client requests an IP address, in addition to the host IP address, it also receives the information entered in the DHCP options. See also Configuring static IP address assignment (Page 47) 2.3 Configuring static IP address assignment For nodes in permanent operation, static IP address assignment should be preferred, for example for a local NTP server. The IP address of the NTP server is used in the DHCP option. As long as the NTP server can be reached at the same IP address, the DHCP option will work correctly. If the IP address changes, the DHCP option contains incorrect information. For the example, the IP address is assigned to the MAC address of the NTP server. This means that the NTP server always has the same IP address. In this configuration example, the NTP server can be reached with the following IP address setting: IP address Subnet mask Requirement The NTP server obtains the IP address from a DHCP server and identification is based on the MAC address. Getting Started, 07/2017, C79000-G8976-C

SCALANCE M-800 as DHCP server 2.3 Configuring static IP address assignment Procedure 1. Click on "System > "DHCP" in the navigation area and on the "Static Leases" tab in the content area. 2. For "Pool ID", select "1".

48 SCALANCE M-800 as DHCP server 2.3 Configuring static IP address assignment Procedure 1. Click on "System > "DHCP" in the navigation area and on the "Static Leases" tab in the content area. 2. For "Pool ID", select "1". 3. For "Identification Method" select the entry "Ethernet MAC". 4. In "Value", enter the MAC address of the NTP server. 5. Click "Create". A new row is created in the table. 6. In "IP Address", enter the IP address of the NTP server. 7. Click on "Set Values". Result The NTP server always has the IP address Getting Started, 07/2017, C79000-G8976-C337-05

VPN tunnel between SCALANCE M-800 3 and S612 3.1 Procedure in principle In these examples, a secure VPN tunnel is configured between a SCALANCE M-800 and a SCALANCE S.

49 VPN tunnel between SCALANCE M and S Procedure in principle In these examples, a secure VPN tunnel is configured between a SCALANCE M-800 and a SCALANCE S. Example 1: Secure VPN tunnel with pre-shared keys (PSK) Example 2: Secure VPN tunnel with certificates Structure Internal network 1 - connection to SCALANCE M-800 In the test setup, in the internal network, a network node is implemented by an Admin PC connected to an Ethernet interface of the SCALANCE M-800. Admin PC: Represents a node in the internal network M-800: SCALANCE M module for protection of the internal network Connection to the external, public network: Wireless via the antenna of the M874 to the mobile wireless network. Wired via the RJ-45 jack of the M81x to ADSL. Getting Started, 07/2017, C79000-G8976-C

50 VPN tunnel between SCALANCE M-800 and S Procedure in principle Internal network 2 - attachment to an internal port of the SCALANCE S In the test setup, in the internal network, each network node is implemented by one PC connected to the internal port of the security module. PC: Represents a node in the internal network S612: Security module for protection of the internal network Connection to the external, public network via DSL router Access to the Internet is via a DSL modem or a DSL router connected to the external port of the security module. Required devices/components Use the following components for setup: Connection to the mobile wireless network 1 x M874 (additional option: a suitably installed standard rail with fittings) 1 x 24 V power supply with cable connector and terminal block plug 1 x suitable antenna 1 x SIM card of your mobile wireless provider. Suitable services are enabled, e.g. Internet. Connecting to ADSL 1 x M812 or 1 x M816 (optionally also: a suitably installed standard rail with fittings) 1 x 24 V power supply with cable connector and terminal block plug ADSL access is enabled 1 x SCALANCE S612, (additional option: a suitably installed DIN rail with fittings) 1 x 24 V power supply with cable connector and terminal block plug 1 x PC with which the SCALANCE M-800 is connected. 1 x PC with which the SCALANCE S612 is connected and on which the "Security Configuration Tool" is installed. 1 x DSL modem or DSL router The required network cable, TP cable (twisted pair) complying with the IE FC RJ-45 standard for Industrial Ethernet 50 Getting Started, 07/2017, C79000-G8976-C337-05

51 VPN tunnel between SCALANCE M-800 and S Procedure in principle Settings used For the configuration example, the devices are given the following IP address settings Internal network 1 Internal network 2 Internal address M Admin PC DSL router S612 Internal port PC External address Fixed IP address, e.g Provider dependent As an alternative, the DDNS hostname can also be used. Fixed IP address (WAN IP address), e.g External port Requirement SCALANCE S612 is connected to the Internet via the DSL router. On the DSL router, the PORT forwarding must be set so that the UDP packets from the Internet addressed to ports 500 and 4500 of the router are sent to ports 500 and 4500 of the connected SCALANCE S612 (passive module). The SCALANCE M-800 is connected to the WAN, refer to "Connecting SCALANCE M- 800 to the WAN (Page 11)". The SCALANCE M-800 can be reached via the Admin PC and you are logged in to the WBM as "admin". Steps in configuration Example 1: Secure VPN tunnel with PSK Configuring a VPN tunnel with the SCT V3.x 1. Creating the project and modules (Page 53) 2. Configuring a tunnel connection (Page 55) 3. Configuring the properties of the S612 (Page 57) 4. Downloading the configuration to the S612 and saving the M-800 configuration (Page 58) Configuring a VPN tunnel with the SCT V4.x 1. Creating the project and modules (Page 60) 2. Configuring a tunnel connection (Page 63) 3. Configuring the properties of the S612 (Page 64) 4. Downloading the configuration to the S612 and saving the M-800 configuration (Page 65) Getting Started, 07/2017, C79000-G8976-C

52 VPN tunnel between SCALANCE M-800 and S Procedure in principle Configuring the SCALANCE M Activating VPN (Page 66) 2. Configuring the VPN remote end (Page 66) 3. Configuring a VPN connection (Page 67) 4. Configuring VPN authentication (Page 68) 5. Configuring phase 1 and phase 2 (Page 68) 6. Establishing the VPN connection (Page 70) Example 2: Secure VPN tunnel with certificates Configuring a VPN tunnel with the SCT V3.x 1. Creating the project and modules (Page 71) 2. Configuring a tunnel connection (Page 73) 3. Configuring the properties of the S612 (Page 75) 4. Downloading the configuration to the S612 and saving the M-800 configuration (Page 76) Configuring a VPN tunnel with the SCT V4.x 1. Creating the project and modules (Page 78) 2. Configuring a tunnel connection (Page 81) 3. Configuring the properties of the S612 (Page 82) 4. Downloading the configuration to the S612 and saving the M-800 configuration (Page 83) Configuring the SCALANCE M Loading a certificate (Page 84) 2. Activating VPN (Page 90) 3. Configuring the VPN remote end (Page 86) 4. Configuring a VPN connection (Page 87) 5. Configuring VPN authentication (Page 88) 6. Configuring phase 1 and phase 2 (Page 88) 7. Establishing the VPN connection (Page 90) 52 Getting Started, 07/2017, C79000-G8976-C337-05

53 VPN tunnel between SCALANCE M-800 and S Secure VPN tunnel with PSK 3.2 Secure VPN tunnel with PSK Configuring a VPN tunnel with the SCT V3.x Creating the project and modules Procedure 1. Start the Security Configuration Tool V3.x on the PC. 2. Select the menu command "Project" > "New". 3. In the dialog that follows, create a new user with a user name and the corresponding password. The "administrator" role is assigned to the user automatically. 4. Confirm the dialog with "OK". A new project has been created and the "Selection of a module or software configuration" dialog is open. Getting Started, 07/2017, C79000-G8976-C

54 VPN tunnel between SCALANCE M-800 and S Secure VPN tunnel with PSK 5. Enter the values assigned to the S612 from the "Settings used (Page 49)" table. In addition to this, enter the MAC address printed on the front of the security module 6. Close the dialog with "OK". 7. Generate a second module with the "Insert" > "Module" menu command 54 Getting Started, 07/2017, C79000-G8976-C337-05

55 VPN tunnel between SCALANCE M-800 and S Secure VPN tunnel with PSK 8. Enter the values assigned to the M-800 from the "Settings used (Page 49)" table. 9. Close the dialog with "OK". Result The security module S612 and the SCALANCE M-800 will then be displayed in the list of configured modules Configuring a tunnel connection A VPN tunnel for secure communication can only be established if the SCALANCE M-800 and the S612 are assigned to the same VPN group. Getting Started, 07/2017, C79000-G8976-C

56 VPN tunnel between SCALANCE M-800 and S Secure VPN tunnel with PSK Procedure 1. Select "VPN groups" in the navigation area and create a new group with the menu command "Insert" > "Group". The group is automatically given the name "Group1". 2. Select the "All modules" entry in the navigation area. 3. Select the M-800 and the S612 in the content area. Drag the modules to "Group1". Both modules are now assigned to "Group1". 4. Change to advanced mode with the menu command "View" > "Advanced mode". 5. Open the group properties of Group1 by selecting the "Properties..." shortcut menu. 6. For this configuration example, configure the group properties with the following settings. If you use different parameter settings, it is possible that the two tunnel partners will not be able to set up a VPN connection between them. Result The configuration of the tunnel connection is complete. 56 Getting Started, 07/2017, C79000-G8976-C337-05

57 VPN tunnel between SCALANCE M-800 and S Secure VPN tunnel with PSK Configuring the properties of the S612 Since the S612 is connected to the Internet via a DSL router, the properties of the S612 must be configured accordingly. Procedure 1. Select the "S612" in the content area. 2. Select the menu command "Edit" > "Properties". Click the "Routing" tab. 3. For "Default router", enter the internal IP address of the default router " ". Click "Apply" 4. Click the "VPN" tab. 5. For "Permission to initiate connection establishment", select the "Wait for partner (responder)" entry. 6. Enter the WAN IP address of the DSL router, e.g Click "Apply" and close the dialog with "OK". 8. Select the "Project" > "Save" menu command. Save the security project under the required name. Getting Started, 07/2017, C79000-G8976-C

VPN tunnel between SCALANCE M-800 and S612 3.2 Secure VPN tunnel with PSK Result The security project is configured. The settings are saved in the configuration file: 3.2.1.4 Downloading the configuration to the S612 and saving the M-800 configuration Downloading the configuration to the S612 1.

58 VPN tunnel between SCALANCE M-800 and S Secure VPN tunnel with PSK Result The security project is configured. The settings are saved in the configuration file: Downloading the configuration to the S612 and saving the M-800 configuration Downloading the configuration to the S In the content area, select the "S612" security module and select the menu command "Transfer" > "To module(s) ". The following dialog opens. 2. Click the "Start" button to start the download. If the download was completed free of errors, the security module is restarted automatically and the new configuration activated. Saving the SCALANCE M-800 configuration 1. In the content area, select the "M-800" and select the menu command "Transfer" > "To module(s) ". 2. Save the configuration file "Projectname.M-800.txt" in your project directory. Result The following file will be saved in the project directory: Configuration file: projectname.m-800.txt The configuration file contains the exported configuration information for the SCALANCE M Configuration file IPsec VPN > Connections > VPN Standard Mode - Edit Settings Address of the remote site's VPN gateway: Authentication method: Pre Shared Key Settings in WBM Security > IPsec VPN > Remote End > Remote Mode: Standard Security > IPsec VPN > Remote End > Remote Address: /32 Security > IPsec VPN > Authentication > Authentication: PSK 58 Getting Started, 07/2017, C79000-G8976-C337-05

59 VPN tunnel between SCALANCE M-800 and S Secure VPN tunnel with PSK Configuration file Pre Shared Key: Remote ID: Local ID: Remote net address: Remote subnet mask: Local net address: Local subnet mask: Settings in WBM Security > IPsec VPN > Authentication > PSK and PSK Confirmation: Security > IPSec VPN > Authentication > Remote ID: not required. The external IP address of the S612 is entered in the WBM. In this example, this is Security > IPSec VPN > Authentication > Local ID not required. The entry remains empty in the WBM. Security > IPSec VPN > Remote End > Remote Subnet: /24 Security > IPSec VPN > Connections > Local Subnet: /24 IPsec VPN > Connections > Edit IKE Security > IPsec VPN > Connections > Keying Protocol: IKEv1 Phase 1 - ISAKMP SA -- ISAKMP-SA encryption: 3DES-168 Security > IPsec VPN > Phase 1 > Encryption: 3DES ISAKMP-SA hash: SHA-1 Security > IPsec VPN > Phase 1 > Authentication: SHA-1 ISAKMP-SA mode: Main mode -- ISAKMP-SA lifetime (seconds): Security > IPsec VPN > Phase 1 > Lifetime [min]: 1440 The value is specified in seconds in the text file. In the WBM, the value must be entered in minutes. Phase 2 - IPSec SA -- IPsec SA encryption: 3DES-168 Security > IPsec VPN > Phase 2 > Encryption: 3DES IPsec SA hash: SHA-1 Security > IPsec VPN > Phase 2 > Authentication: SHA-1 IPsec SA lifetime (seconds): Security > IPsec VPN > Phase 2 > Life Time [min]: 1440 The value is specified in seconds in the text file. In the WBM, the value must be entered in minutes. Perfect Forward Secrecy (PFS): Nein -- DH/PFS group: DH Security > IPsec VPN > Phase 1 > Key Derivation: DH group 2 Security > IPsec VPN > Phase 2 > Key Derivation: DH group 2 NAT-T: On -- DPD delay (seconds): DPD timeout (seconds): 60 Security > IPsec VPN > Phase 1 > DPD Timeout [sec]: 60 DPD maximum failures: 5 -- Getting Started, 07/2017, C79000-G8976-C

60 VPN tunnel between SCALANCE M-800 and S Secure VPN tunnel with PSK Configuring a VPN tunnel with the SCT V4.x Creating the project and modules Procedure 1. Start the Security Configuration Tool V4.x on the PC. 2. Select the menu command "Project" > "New". 3. In the dialog that follows, create a new user with a user name and the corresponding password. The "administrator" role is assigned to the user automatically. 4. Confirm the dialog with "OK". A new project has been created and the "Selection of a module or software configuration" dialog is open. 60 Getting Started, 07/2017, C79000-G8976-C337-05

61 VPN tunnel between SCALANCE M-800 and S Secure VPN tunnel with PSK 5. Enter the values assigned to the S612 from the "Settings used (Page 49)" table. In addition to this, enter the MAC address printed on the front of the security module 6. Close the dialog with "OK". 7. Generate a second module with the "Insert" > "Module" menu command Getting Started, 07/2017, C79000-G8976-C

62 VPN tunnel between SCALANCE M-800 and S Secure VPN tunnel with PSK 8. Enter the values assigned to the M-800 from the "Settings used (Page 49)" table. 9. Close the dialog with "OK". Result The security module S612 and the SCALANCE M-800 will then be displayed in the list of configured modules. 62 Getting Started, 07/2017, C79000-G8976-C337-05

63 VPN tunnel between SCALANCE M-800 and S Secure VPN tunnel with PSK Configuring a tunnel connection A VPN tunnel for secure communication can only be established if the M-800 and the S612 are assigned to the same VPN group. Procedure 1. Select "VPN groups" in the navigation area and create a new group with the menu command "Insert" > "Group". The group is automatically given the name "Group1". 2. Select the "All modules" entry in the navigation panel. 3. Select the SCALANCE M-800 and the S612 in the content area. Drag the modules to "Group1". Both modules are now assigned to "Group1". 4. Change to advanced mode with the menu command "View" > "Advanced mode". 5. Open the group properties of Group1 by selecting the "Properties..." shortcut menu. 6. For this configuration example, configure the group properties with the following settings. If you use different parameter settings, it is possible that the two tunnel partners will not be able to set up a VPN connection between them. Getting Started, 07/2017, C79000-G8976-C

64 VPN tunnel between SCALANCE M-800 and S Secure VPN tunnel with PSK Result The configuration of the tunnel connection is complete Configuring the properties of the S612 Since the S612 is connected to the Internet via a DSL router, the properties of the S612 must be configured accordingly. Procedure 1. Select the "S612" in the content area. 2. Select the menu command "Edit" > "Properties". Click the "Routing" tab. 3. For "Default router", enter the internal IP address of the default router " ". Click "Apply" 4. Click the "VPN" tab. 5. For "Permission to initiate connection establishment", select the "Wait for partner (responder)" entry. 6. Enter the WAN IP address of the DSL router, e.g Getting Started, 07/2017, C79000-G8976-C337-05

65 VPN tunnel between SCALANCE M-800 and S Secure VPN tunnel with PSK 7. Click "Apply" and close the dialog with "OK". 8. Select the menu command "Project" > "Save". Save the security project under the required name. Result The security project is configured. The settings are saved in the configuration file Downloading the configuration to the S612 and saving the M-800 configuration Downloading the configuration to the S In the content area, select the "S612" security module and select the menu command "Transfer" > "To module(s) ". The following dialog opens. 2. Click the "Start" button to start the download. If the download was completed free of errors, the security module is restarted automatically and the new configuration activated. Saving the SCALANCE M-800 configuration 1. In the content area, select the SCALANCE M-800 and select the menu command "Transfer" > "To module(s) ". 2. Save the configuration file "Projectname.M-800.txt" in your project directory. Result The following file will be saved in the project directory: Configuration file: projectname.m-800.txt The configuration file contains the exported configuration information for the SCALANCE M Follow the instructions in the configuration file. Getting Started, 07/2017, C79000-G8976-C

66 VPN tunnel between SCALANCE M-800 and S Secure VPN tunnel with PSK Configuring SCALANCE M Activating VPN Procedure 1. Click on "Security" > "IPsec VPN" in the navigation area and on the "General" tab in the content area. 2. Enable the "IPsec VPN" setting. 3. Click on "Set Values" Configuring the VPN remote end M81x in the master station: Configuring the VPN remote end 1. Click on "Security" > "IPsec VPN" in the navigation area and on the "Remote End" tab in the content area. 2. Enter the name of the VPN partner (tunnel endpoint) in "Remote End Name", e.g. S Click "Create". A new row is created in the table. 4. Configure the VPN remote end with the following settings from the configuration file: Remote Mode Standard Remote Type Manual Remote Address /32 WAN IP address of the DSL router Remote Subnet /24 66 Getting Started, 07/2017, C79000-G8976-C337-05

67 VPN tunnel between SCALANCE M-800 and S Secure VPN tunnel with PSK 5. Click on "Set Values" Configuring a VPN connection Requirement The VPN remote end has been created. Procedure 1. Click on "Security" > "IPsec VPN" in the navigation area and on the "Connections" tab in the content area. 2. In "Connection Name" enter a name for the VPN connection. 3. Click "Create". A new row is created in the table. 4. Configure the VPN connection with the following settings: Operation Disabled Keying Protocol IKEv1 Remote End S612 Name of the VPN remote station Local Subnet /24 The local subnet 1 in CIDR notation. 5. Click on "Set Values". Getting Started, 07/2017, C79000-G8976-C

68 VPN tunnel between SCALANCE M-800 and S Secure VPN tunnel with PSK Configuring VPN authentication Procedure 1. Click on "Security" > "IPsec VPN" in the navigation area and on the "Authentication" tab in the content area. 2. Configure the VPN authentication with the following settings: Authentication PSK Local ID no entry necessary Remote ID External IP address of the S612, e.g PSK / PSK Confirmation The key that you configured in the SCT. 3. Click on "Set Values" Configuring phase 1 and phase 2 Configuring phase 1 1. Click on "Security" > "IPsec VPN" in the navigation area and on the "Phase 1" tab in the content area. 2. Deselect the "Default Ciphers" check box. 3. Select the "DPD" check box. 4. Configure phase 1 with the following settings from the configuration file: Encryption 3DES Authentication SHA1 Key Derivation DH group 2 Lifetime [min]: 1440 DPD Period [sec] 60 Aggressive Mode no 68 Getting Started, 07/2017, C79000-G8976-C337-05

69 VPN tunnel between SCALANCE M-800 and S Secure VPN tunnel with PSK 5. Click on "Set Values". Configuring phase 2 1. Click the "Phase 2" tab. 2. Deselect the "Default Ciphers" check box. 3. Configure phase 2 with the following settings from the configuration file: Encryption 3DES Authentication SHA1 Key Derivation (DFS) DH group 2 Lifetime [min]: Click on "Set Values". Getting Started, 07/2017, C79000-G8976-C

70 VPN tunnel between SCALANCE M-800 and S Secure VPN tunnel with PSK Establishing the VPN connection Procedure 1. Click on "Security" > "IPsec VPN" in the navigation area and on the "Connections" tab in the content area. 2. As "Operation", select "Start" and click "Set Values". Result The M-800 establishes the VPN tunnel to the S612. If the VPN tunnel is established, the LED is lit green on the device. You will find more detailed information in "Information" > "IPsec VPN". In the online view of the SCT, you can see the communications status on the S Getting Started, 07/2017, C79000-G8976-C337-05

VPN tunnel between SCALANCE M-800 and S612 3.3 Secure VPN tunnel with certificates 3.3 Secure VPN tunnel with certificates 3.3.1 Configuring a VPN tunnel with the SCT V3.x 3.3.1.1 Creating the project and modules Procedure 1.

71 VPN tunnel between SCALANCE M-800 and S Secure VPN tunnel with certificates 3.3 Secure VPN tunnel with certificates Configuring a VPN tunnel with the SCT V3.x Creating the project and modules Procedure 1. Start the Security Configuration Tool V3.x on the PC. 2. Select the menu command "Project" > "New". 3. In the dialog that follows, create a new user with a user name and the corresponding password. The "administrator" role is assigned to the user automatically. 4. Confirm the dialog with "OK". A new project has been created and the "Selection of a module or software configuration" dialog is open. Getting Started, 07/2017, C79000-G8976-C

VPN tunnel between SCALANCE M-800 and S612 3.3 Secure VPN tunnel with certificates 5. Enter the values assigned to the S612 from the "Settings used (Page 49)" table.

72 VPN tunnel between SCALANCE M-800 and S Secure VPN tunnel with certificates 5. Enter the values assigned to the S612 from the "Settings used (Page 49)" table. In addition to this, enter the MAC address printed on the front of the security module 6. Close the dialog with "OK". 7. Generate a second module with the "Insert" > "Module" menu command 72 Getting Started, 07/2017, C79000-G8976-C337-05

73 VPN tunnel between SCALANCE M-800 and S Secure VPN tunnel with certificates 8. Enter the values assigned to the M-800 from the "Settings used (Page 49)" table. 9. Close the dialog with "OK". Result The security module S612 and the SCALANCE M-800 will then be displayed in the list of configured modules Configuring a tunnel connection A VPN tunnel for secure communication can only be established if the SCALANCE M-800 and the S612 are assigned to the same group. Getting Started, 07/2017, C79000-G8976-C

74 VPN tunnel between SCALANCE M-800 and S Secure VPN tunnel with certificates Procedure 1. Select "VPN groups" in the navigation area and create a new group with the menu command "Insert" > "Group". The group is automatically given the name "Group1". 2. Select the "All modules" entry in the navigation area. 3. Select the SCALANCE M-800 and the S612 in the content area. Drag the modules to "Group1". Both modules are now assigned to "Group1". 4. Change to advanced mode with the menu command "View" > "Advanced mode". 5. Open the group properties of Group1 by selecting the "Properties..." shortcut menu. 6. For this configuration example, configure the group properties with the following settings. If you use different parameter settings, it is possible that the two tunnel partners will not be able to set up a VPN connection between them. Result The configuration of the tunnel connection is complete. 74 Getting Started, 07/2017, C79000-G8976-C337-05

VPN tunnel between SCALANCE M-800 and S612

3 Configuring the properties of the S612 Since the S612 is connected to the Internet via a DSL router, the properties of the S612 must be configured accordingly. Procedure 1.

75 VPN tunnel between SCALANCE M-800 and S Secure VPN tunnel with certificates Configuring the properties of the S612 Since the S612 is connected to the Internet via a DSL router, the properties of the S612 must be configured accordingly. Procedure 1. Select the "S612" in the content area. 2. Select the menu command "Edit" > "Properties". Click the "Routing" tab. 3. For "Default router", enter the internal IP address of the default router " ". Click "Apply" 4. Click the "VPN" tab. 5. For "Permission to initiate connection establishment", select the "Wait for partner (responder)" entry. 6. Enter the WAN IP address of the DSL router, e.g Click "Apply" and close the dialog with "OK". 8. Select the "Project" > "Save" menu command. Save the security project under the required name. Getting Started, 07/2017, C79000-G8976-C

VPN tunnel between SCALANCE M-800 and S612 3.3 Secure VPN tunnel with certificates Result The security project is configured. The settings are saved in the configuration file: 3.3.1.4 Downloading the configuration to the S612 and saving the M-800 configuration Downloading the configuration to the S612 1.

76 VPN tunnel between SCALANCE M-800 and S Secure VPN tunnel with certificates Result The security project is configured. The settings are saved in the configuration file: Downloading the configuration to the S612 and saving the M-800 configuration Downloading the configuration to the S In the content area, select the "S612" security module and select the menu command "Transfer" > "To module(s) ". The following dialog opens. 2. Click the "Start" button to start the download. If the download was completed free of errors, the security module is restarted automatically and the new configuration activated. Saving the SCALANCE M-800 configuration 1. In the content area, select the "M-800" and select the menu command "Transfer" > "To module(s) ". 2. Save the configuration file "Projectname.M-800.txt" in your project folder and assign a password for the private key of the certificate, e.g. Di1S+Xo?. Result The following files will be saved in the project directory: Configuration file: projectname.m-800.txt PKCS12 file: projectname.string.m-800.p12 Remote certificate: Projectname.group1.S612.cer 76 Getting Started, 07/2017, C79000-G8976-C337-05

77 VPN tunnel between SCALANCE M-800 and S Secure VPN tunnel with certificates The configuration file contains the exported configuration information for the SCALANCE M- 800 including information on the additionally generated certificates. Configuration file IPsec VPN > Certificates Upload Remote Site Certificate: Configuration- 1.group1.S612.cer Upload PKCS12 File (.p12): Configuration- Settings in WBM System > Load&Save > HTTP > X509Cert : Download IPsec VPN > Connections > VPN Standard Mode - Edit Settings Address of the remote site's VPN gateway: Authentication method: X.509 remote certificate Security > IPsec VPN > Remote End > Remote Mode: Standard Security > IPsec VPN > Remote End > Remote Address: /32 Security > IPsec VPN > Authentication > Authentication: Remote Cert Remote Certificate: Configuration-1.group1.S612.cer Security > IPsec VPN > Authentication > Remote Certificate: Configuration-1.group1.CP.cer Remote ID: U5A634732@GC4D8 Security > IPsec VPN > Authentication > Remote ID: U5A634732@GC4D8 Remote net address: Security > IPsec VPN > Remote End > Remote Subnet: Remote subnet mask: /24 Local net address: Security > IPsec VPN > Connections > Local Subnet: Local subnet mask: /24 IPsec VPN > Connections > Edit IKE Security > IPsec VPN > Connections > Keying Protocol: IKEv1 Phase 1 - ISAKMP SA -- ISAKMP-SA encryption: 3DES-168 Security > IPsec VPN > Phase 1 > Encryption: 3DES ISAKMP-SA hash: SHA-1 Security > IPsec VPN > Phase 1 > Authentication: SHA-1 ISAKMP-SA mode: Main mode -- ISAKMP-SA lifetime (seconds): Security > IPsec VPN > Phase 1 > Lifetime [min]: 1440 The value is specified in seconds in the text file. In the WBM, the value must be entered in minutes. Phase 2 - IPsec SA -- IPsec SA encryption: 3DES-168 Security > IPsec VPN > Phase 2 > Encryption: 3DES IPsec SA hash: SHA-1 Security > IPsec VPN > Phase 2 > Authentication: SHA-1 IPsec SA lifetime (seconds): Security > IPsec VPN > Phase 2 > Lifetime [min]: 1440 The value is specified in seconds in the text file. In the WBM, the value must be entered in minutes. Perfect Forward Secrecy (PFS): No -- DH/PFS group: DH Security > IPsec VPN > Phase 1 > Key Derivation: DH group 2 Security > IPsec VPN > Phase 2 > Key Derivation: DH group 2 NAT-T: On -- DPD delay (seconds): Getting Started, 07/2017, C79000-G8976-C

78 VPN tunnel between SCALANCE M-800 and S Secure VPN tunnel with certificates Configuration file Settings in WBM DPD timeout (seconds): 60 Security > IPsec VPN > Phase 1 > DPD Timeout [sec]: 60 DPD maximum failures: Configuring a VPN tunnel with the SCT V4.x Creating the project and modules Procedure 1. Start the Security Configuration Tool V4.x on the PC. 2. Select the menu command "Project" > "New". 3. In the dialog that follows, create a new user with a user name and the corresponding password. The "administrator" role is assigned to the user automatically. 4. Confirm the dialog with "OK". A new project has been created and the "Selection of a module or software configuration" dialog is open. 78 Getting Started, 07/2017, C79000-G8976-C337-05

79 VPN tunnel between SCALANCE M-800 and S Secure VPN tunnel with certificates 5. Enter the values assigned to the S612 from the "Settings used (Page 49)" table. In addition to this, enter the MAC address printed on the front of the security module 6. Close the dialog with "OK". 7. Generate a second module with the "Insert" > "Module" menu command Getting Started, 07/2017, C79000-G8976-C

80 VPN tunnel between SCALANCE M-800 and S Secure VPN tunnel with certificates 8. Enter the values assigned to the M-800 from the "Settings used (Page 49)" table. 9. Close the dialog with "OK". Result The security module S612 and the SCALANCE M-800 will then be displayed in the list of configured modules. 80 Getting Started, 07/2017, C79000-G8976-C337-05

81 VPN tunnel between SCALANCE M-800 and S Secure VPN tunnel with certificates Configuring a tunnel connection A VPN tunnel for secure communication can only be established if the SCALANCE M and the S612 are assigned to the same group. Procedure 1. Select "VPN groups" in the navigation area and create a new group with the menu command "Insert" > "Group". The group is automatically given the name "Group1". 2. Select the "All modules" entry in the navigation area. 3. Select the SCALANCE M and the S612 in the content area. Drag the modules to "Group1". Both modules are now assigned to "Group1". 4. Change to advanced mode with the menu command "View" > "Advanced mode". 5. Open the group properties of Group1 by selecting the "Properties..." shortcut menu. 6. For this configuration example, configure the group properties with the following settings. If you use different parameter settings, it is possible that the two tunnel partners will not be able to set up a VPN connection between them. Getting Started, 07/2017, C79000-G8976-C

82 VPN tunnel between SCALANCE M-800 and S Secure VPN tunnel with certificates Result The configuration of the tunnel connection is complete Configuring the properties of the S612 Since the S612 is connected to the Internet via a DSL router, the properties of the S612 must be configured accordingly. Procedure 1. Select the "S612" in the content area. 2. Select the menu command "Edit" > "Properties". Click the "Routing" tab. 3. For "Default router", enter the internal IP address of the default router " ". Click "Apply" 4. Click the "VPN" tab. 5. For "Permission to initiate connection establishment", select the "Wait for partner (responder)" entry. 6. Enter the WAN IP address of the DSL router, e.g Getting Started, 07/2017, C79000-G8976-C337-05

83 VPN tunnel between SCALANCE M-800 and S Secure VPN tunnel with certificates 7. Click "Apply" and close the dialog with "OK". 8. Select the menu command "Project" > "Save". Save the security project under the required name. Result The security project is configured. The settings are saved in the configuration file Downloading the configuration to the S612 and saving the M-800 configuration Downloading the configuration to the S In the content area, select the "S612" security module and select the menu command "Transfer" > "To module(s) ". The following dialog opens. 2. Click the "Start" button to start the download. If the download was completed free of errors, the security module is restarted automatically and the new configuration activated. Saving the SCALANCE M-800 configuration 1. In the content area, select the "M-800" and select the menu command "Transfer" > "To module(s) ". 2. Save the configuration file "Projectname.M-800.txt" in your project folder and assign a password for the private key of the certificate, e.g. Di1S+Xo?. Getting Started, 07/2017, C79000-G8976-C

84 VPN tunnel between SCALANCE M-800 and S Secure VPN tunnel with certificates Result The following files will be saved in the project directory: Configuration file: projectname.m-800.txt PKCS12 file: projectname.string.m-800.p12 Remote certificate: Projectname.group1.S612.cer The configuration file contains the exported configuration information for the SCALANCE M- 800 including information on the additionally generated certificates. Follow the instructions in the configuration file Configuring SCALANCE M Loading a certificate Requirement The correct time is set on the SCALANCE M-800, refer to the section Setting the time (Page 27). Certificates are available. You saved the required certificates on the PC in the last section and assigned a password for the private key. Transfer the certificates for the SCALANCE M-800 to the Admin PC. Procedure 1. Click on "System" > "Load&Save" in the navigation area and on the "Passwords"" tab in the content area. 2. In the line "X509Cert" enter the password that you specified for the PKCS12 file in "Password" and "Password confirmation". 3. Enable the password 84 Getting Started, 07/2017, C79000-G8976-C337-05

85 VPN tunnel between SCALANCE M-800 and S Secure VPN tunnel with certificates 4. Click on "Set Values". 5. Click on the "HTTP" tab in the content area. 6. For "X509Cert" click the "Loading" button. The dialog for loading a file is opened. Navigate to the remote certificate. Getting Started, 07/2017, C79000-G8976-C

86 VPN tunnel between SCALANCE M-800 and S Secure VPN tunnel with certificates 7. Click the "Open" button in the dialog. The file is now loaded on the device. After loading successfully, confirm the next dialog with "OK". 8. Repeat steps 5 and 6 for the PKCS12 file. Result Certificates are loaded and are displayed in "Security" > "Certificates". The loaded certificates must have the status "Valid" Configuring the VPN remote end M81x in the master station: Configuring the VPN remote end 1. Click on "Security" > "IPsec VPN" in the navigation area and on the "Remote End" tab in the content area. 2. Enter the name of the VPN partner (tunnel endpoint) in "Remote End Name", e.g. S Click "Create". A new row is created in the table. 4. Configure the VPN remote end with the following settings from the configuration file: Remote Mode Standard Remote Type Manual Remote Address /32 WAN IP address of the DSL router Remote Subnet /24 86 Getting Started, 07/2017, C79000-G8976-C337-05

VPN tunnel between SCALANCE M-800 and S612 3.3 Secure VPN tunnel with certificates 5. Click on "Set Values". 3.3.3.3 Configuring a VPN connection Requirement The VPN remote end has been created.

87 VPN tunnel between SCALANCE M-800 and S Secure VPN tunnel with certificates 5. Click on "Set Values" Configuring a VPN connection Requirement The VPN remote end has been created. Procedure 1. Click on "Security" > "IPsec VPN" in the navigation area and on the "Connections" tab in the content area. 2. In "Connection Name" enter a name for the VPN connection. 3. Click "Create". A new row is created in the table. 4. Configure the VPN connection with the following settings: Operation Disabled Keying Protocol IKEv1 Remote End S612 Name of the VPN remote station Local Subnet /24 The local subnet 1 in CIDR notation. 5. Click on "Set Values". Getting Started, 07/2017, C79000-G8976-C

88 VPN tunnel between SCALANCE M-800 and S Secure VPN tunnel with certificates Configuring VPN authentication M81x in the master station: Configuring VPN authentication 1. Click on "Security" > "IPsec VPN" in the navigation area and on the "Authentication" tab in the content area. 2. Configure the VPN authentication with the following settings from the configuration file: Authentication Local certificate Remote Certificate Remote ID Remote Cert projectname.string.m-800.p12 Projectname.group1.S612.cer Remote ID from the configuration file 3. Click on "Set Values" Configuring phase 1 and phase 2 Configuring phase 1 1. Click on "Security" > "IPsec VPN" in the navigation area and on the "Phase 1" tab in the content area. 2. Deselect the "Default Ciphers" check box. 3. Select the "DPD" check box. 4. Configure phase 1 with the following settings from the configuration file: Encryption 3DES Authentication SHA1 Key Derivation DH group 2 Lifetime [min]: 1440 DPD Period [sec] 60 Aggressive Mode no 88 Getting Started, 07/2017, C79000-G8976-C337-05

89 VPN tunnel between SCALANCE M-800 and S Secure VPN tunnel with certificates 5. Click on "Set Values". Configuring phase 2 1. Click the "Phase 2" tab. 2. Deselect the "Default Ciphers" check box. 3. Configure phase 2 with the following settings from the configuration file: Encryption 3DES Authentication SHA1 Key Derivation (DFS) DH group 2 Lifetime [min]: Click on "Set Values". Getting Started, 07/2017, C79000-G8976-C

90 VPN tunnel between SCALANCE M-800 and S Secure VPN tunnel with certificates Activating VPN Procedure 1. Click on "Security" > "IPsec VPN" in the navigation area and on the "General" tab in the content area. 2. Enable the "IPsec VPN" setting. 3. Click on "Set Values" Establishing the VPN connection Procedure 1. Click on "Security" > "IPsec VPN" in the navigation area and on the "Connections" tab in the content area. 2. As "Operation", select "Start" and click "Set Values". Result The SCALANCE M-800 establishes the VPN tunnel to the S612. If the VPN tunnel is established, the LED is lit green on the device. 90 Getting Started, 07/2017, C79000-G8976-C337-05

VPN tunnel between SCALANCE M-800 and S612 3.4 Firewall with a VPN connection You will find more detailed information in "Information" > "IPsec VPN".

91 VPN tunnel between SCALANCE M-800 and S Firewall with a VPN connection You will find more detailed information in "Information" > "IPsec VPN". You can also see the status of the tunnel connection in the online view of the SCT. 3.4 Firewall with a VPN connection You can create firewall rules for IPsec in the following ways: Automatic Here, the firewall rules are created automatically for the specified VPN connection. Manual Here, you define your own firewall rules for the specified VPN connection. Getting Started, 07/2017, C79000-G8976-C

92 VPN tunnel between SCALANCE M-800 and S Firewall with a VPN connection Creating firewall rules automatically For the example, the VPN tunnel described in the section "Secure VPN tunnel with certificates (Page 113)" is used. The devices have the following IP address setting: Internal address Local area network SCALANCE M Remote network S612 internal port Procedure 1. Click on "Security" > "IPsec VPN" in the navigation area and on the "Phase 2" tab in the content area. The setting "Auto Firewall Rules" is enabled as default. Result If "Auto Firewall Rules" is enabled, the following firewall rules are active. Action From / to Permitted protocols For Source IP addresses Dest. IP addresses Allow Internal network (VLAN1) / remote network (IPsec tunnel x) All services all ports or all ICMP packet types / /24 Allow Remote network (IPsec tunnel x) / internal network (VLAN1) All services all ports or all ICMP packet types / /24 These firewall rules make data exchange between the internal network and the remote network possible, however it is not possible for remote clients to reach the modem although they also belong to the tunnel subnet. Apart from ICMP Echo Request no access to the remote VPN partner. See also Creating firewall rules manually (Page 93) 92 Getting Started, 07/2017, C79000-G8976-C337-05

93 VPN tunnel between SCALANCE M-800 and S Firewall with a VPN connection Creating firewall rules manually Requirement The IP service HTTP has been created, see the section "Allow access (Page 40)". Allow all nodes from the remote subnet HTTP-based access to the SCALANCE M-800. In the following example an additional firewall rules is specified, that applies in addition to the automatic firewall rules. 1. Click on "Security" > "Firewall" in the navigation area and on the "IP Rules" tab in the content area. 2. Configure the firewall rule for HTTP with the following settings: Action Accept From IPsec VPN-1 To Device Source (Range) /24 (all devices of the remote internal network 2) Destination (Range) (to the required device) Service HTTP 3. Click on "Set Values". The SCALANCE M can be reached through the VPN tunnel and can be configured with WBM. Allow HTTP-based access through the VPN tunnel for a specific device In the following example, a firewall rule is specified manually, the automatic firewall rules are deactivated. 1. Click on "Security" > "Firewall" in the navigation area and on the "IP Services" tab in the content area. 2. As "Service Name", enter "TCP all" and click "Create". A new entry is created in the table. 3. Configure the service with the following setting: Transportation TCP Getting Started, 07/2017, C79000-G8976-C

VPN tunnel between SCALANCE M-800 and S612 3.4 Firewall with a VPN connection 4. Click on "Set Values". 5.

94 VPN tunnel between SCALANCE M-800 and S Firewall with a VPN connection 4. Click on "Set Values". 5. Click on "Security" > "Firewall" in the navigation area and on the "IP Rules" tab in the content area. 6. Click "Create". A new entry is created in the table. 7. Configure the firewall rule with the following settings: Action From To Accept vlan1 (INT) IPsec VPN-1 Source (Range) Destination (Range) Service (only this device is allowed to communicate from internal network 1 through the VPN tunnel with TCP) /0 (to all addresses) TCP 8. Click "Create". A new entry is created in the table. 9. Click on "Set Values". 94 Getting Started, 07/2017, C79000-G8976-C337-05

VPN tunnel between SCALANCE M-800 4 and security CPs 4.1 Procedure in principle In these examples, a secure VPN tunnel is configured between a SCALANCE M-800 and the CP 1628.

95 VPN tunnel between SCALANCE M and security CPs 4.1 Procedure in principle In these examples, a secure VPN tunnel is configured between a SCALANCE M-800 and the CP Example 1: Secure VPN tunnel with pre-shared keys (PSK) Example 2: Secure VPN tunnel with certificates Instead of the CP 1628, a CP Advanced or CP Advanced can be used. Structure Internal network 1 - connection to SCALANCE M-800 In the test setup, in the internal network, a network node is implemented by an Admin PC connected to an Ethernet interface of the SCALANCE M. Admin PC: Represents a node in the internal network M-800: SCALANCE M module for protection of the internal network Connection to the external, public network. Wireless via the antenna of the M874 to the mobile wireless network. Wired via the RJ-45 jack of the M81x to ADSL. Getting Started, 07/2017, C79000-G8976-C

96 VPN tunnel between SCALANCE M-800 and security CPs 4.1 Procedure in principle Internal network 2 - attachment to a port of the CP 1628 In the test setup, in the internal network, each network node is implemented by one PC connected to the internal port of the security module. PC1 with security module 1: PC with CP 1628 for protection of the internal network PC2: PC with the Security Configuration Tool and STEP 7 The PC represents a node in the internal network. Connection to the external, public network via DSL router Access to the Internet is via a DSL modem or a DSL router connected to one of the ports of the security module. Required devices/components Use the following components for setup: Connection to the mobile wireless network 1 x M874 (additional option: a suitably installed standard rail with fittings) 1 x 24 V power supply with cable connector and terminal block plug 1 x suitable antenna 1 x SIM card of your mobile wireless provider. Suitable services are enabled, e.g. Internet. Connecting to ADSL 1 x M812 or 1 x M816 (optionally also: a suitably installed standard rail with fittings) 1 x 24 V power supply with cable connector and terminal block plug ADSL access is enabled 1 x PC with CP x PC with the Security Configuration Tool and STEP 7. 1 x DSL modem or DSL router The required network cable, TP cable (twisted pair) complying with the IE FC RJ-45 standard for Industrial Ethernet Settings used For the configuration example, the devices are given the following IP address settings Internal network 1 Internal address M Admin PC External address Fixed IP address, e.g Provider dependent As an alternative, the DDNS hostname can also be used. 96 Getting Started, 07/2017, C79000-G8976-C337-05

97 VPN tunnel between SCALANCE M-800 and security CPs 4.1 Procedure in principle Internal network 2 Internal address DSL router PC1 with CP 1628 For CP 1628: The IP address of the NDIS interface, e.g (is configured on PC1) For CP Advanced or CP Advanced: The IP address of the PROFINET interface. PC External address Fixed IP address (WAN IP address), e.g For CP 1628: The IP address of the Industrial Ethernet interface, e.g For CP Advanced or CP Advanced: The IP address of the Gbit interface. Requirement The CP 1628 is connected to the Internet via the DSL router. In the properties of the CP, the internal IP address of the DSL router is configured as a default gateway. the SCALANCE M-800 is connected to the WAN, refer to "Connecting SCALANCE M- 800 to the WAN (Page 11)". The SCALANCE M-800 can be reached via the Admin PC and you are logged in to the WBM as "admin". Steps in configuration Example 1: Secure VPN tunnel with PSK Configuring a VPN tunnel with the SCT V3.x 1. Creating project and modules with SCT (Page 98) 2. Configuring a tunnel connection (Page 100) 3. Downloading the configuration to the CP and saving the M-800 configuration (Page 101) Configuring a VPN tunnel with the SCT V4.x 1. Creating project and modules with SCT (Page 103) 2. Configuring a tunnel connection (Page 105) 3. Downloading the configuration to the CP and saving the M-800 configuration (Page 107) Configuring SCALANCE M Activating VPN (Page 112) 2. Configuring the VPN remote end (Page 108) 3. Configuring a VPN connection (Page 108) 4. Configuring VPN authentication (Page 110) Getting Started, 07/2017, C79000-G8976-C

98 VPN tunnel between SCALANCE M-800 and security CPs 4.2 Secure VPN tunnel with PSK 5. Configuring phase 1 and phase 2 (Page 110) 6. Establishing the VPN connection (Page 112) Example 2: Secure VPN tunnel with certificates Configuring a VPN tunnel with the SCT V3.x 1. Creating project and modules with SCT (Page 113) 2. Configuring a tunnel connection (Page 114) 3. Downloading the configuration to the CP and saving the M-800 configuration (Page 116) Configuring a VPN tunnel with the SCT V3.x 1. Creating project and modules with SCT (Page 118) 2. Configuring a tunnel connection (Page 120) 3. Downloading the configuration to the CP and saving the M-800 configuration (Page 121) Configuring SCALANCE M Loading a certificate (Page 122) 2. Activating VPN (Page 127) 3. Configuring the VPN remote end (Page 124) 4. Configuring a VPN connection (Page 124) 5. Configuring VPN authentication (Page 125) 6. Configuring phase 1 and phase 2 (Page 126) 7. Establishing the VPN connection (Page 128) 4.2 Secure VPN tunnel with PSK Configuring a VPN tunnel with the SCT V3.x Creating project and modules with SCT Procedure 1. On the "Security" tab of the object properties of the CP 1628, select the "Enable security" check box. 2. In the dialog that follows, create a new user with a user name and the corresponding password. The "administrator" role is assigned to the user automatically. 3. Confirm the dialog with "OK". A new project is created. 98 Getting Started, 07/2017, C79000-G8976-C337-05

99 VPN tunnel between SCALANCE M-800 and security CPs 4.2 Secure VPN tunnel with PSK 4. In HW Config, open the Security Configuration Tool with the "Edit" > "Security Configuration Tool" menu command. The created CP is displayed in the list of configured modules. 5. Generate a second module with the "Insert" > "Module" menu command. 6. Enter the values assigned to the SCALANCE M-800 from the "Settings used (Page 95)" table. 7. Confirm the dialog with "OK". Result The CP and the SCALANCE M-800 will then be displayed in the list of configured modules. Getting Started, 07/2017, C79000-G8976-C

VPN tunnel between SCALANCE M-800 and security CPs 4.2 Secure VPN tunnel with PSK 4.2.1.

100 VPN tunnel between SCALANCE M-800 and security CPs 4.2 Secure VPN tunnel with PSK Configuring a tunnel connection Procedure A VPN tunnel for secure communication can only be established if the SCALANCE M-800 and the CP are assigned to the same VPN group. 1. Select "VPN groups" in the navigation area and create a new group with the menu command "Insert" > "Group". The group is automatically given the name "Group1". 2. Select the "All modules" entry in the navigation area. 3. Select the SCALANCE M-800 and the CP in the content area. Drag the modules to "Group1". Both modules are now assigned to "Group1". 4. Change to advanced mode with the menu command "View" > "Advanced mode". 5. Open the group properties of Group1 by selecting the "Properties..." shortcut menu 6. For this configuration example, configure the group properties with the following settings. If you use different parameter settings, it is possible that the two tunnel partners will not be able to set up a VPN connection between them. 7. Save the project with the "Project" > "Save" menu command. 100 Getting Started, 07/2017, C79000-G8976-C337-05

101 VPN tunnel between SCALANCE M-800 and security CPs 4.2 Secure VPN tunnel with PSK Result The configuration of the tunnel connection is complete. The settings are saved in the configuration file Downloading the configuration to the CP and saving the M-800 configuration Downloading the configuration to the CP 1. Close the Security Configuration Tool. 2. In HW Config, select the "Station" > "Save and Compile" menu. 3. Download the new configuration to the security module using the "PLC" > "Download to Module " menu. For CP 1628: If the download was completed free of errors, the security module restarts automatically and the new configuration is activated. For CP Advanced or CP Advanced: Restart the S7 CPU following the download, to activate the new configuration Saving the SCALANCE M-800 configuration 1. In STEP 7, open the Security Configuration Tool with the "Edit" > "Security Configuration Tool" menu command. 2. In the content area, select the "M-800" and select the menu command "Transfer" > "To module(s) ". 3. Save the configuration file "Projectname.M-800.txt" in your project directory. Result The following file will be saved in the project directory: Configuration file: projectname.m-800.txt The configuration file contains the exported configuration information for the SCALANCE M Configuration file IPsec VPN > Connections > VPN Standard Mode - Edit Settings Address of the remote site's VPN gateway: Authentication method: Pre Shared Key Pre Shared Key: Remote ID: U @GEA32 Settings in WBM Security > IPsec VPN > Remote End > Remote Mode: Standard Security > IPsec VPN > Remote End > Remote Address: /32 Security > IPsec VPN > Authentication > Authentication: PSK Security > IPsec VPN > Authentication > PSK and PSK Confirmation: Security > IPSec VPN > Authentication > Remote ID: not required. The external IP address of the S612 is entered in the WBM. In this example, this is Getting Started, 07/2017, C79000-G8976-C

102 VPN tunnel between SCALANCE M-800 and security CPs 4.2 Secure VPN tunnel with PSK Configuration file Local ID: Remote net address: Remote subnet mask: Local net address: Local subnet mask: Settings in WBM Security > IPSec VPN > Authentication > Local ID not required. The entry remains empty in the WBM. Security > IPSec VPN > Remote End > Remote Subnet: /24 Security > IPSec VPN > Connections > Local Subnet: /24 IPSec VPN > Connections > Edit IKE Security > IPsec VPN > Connections > Keying Protocol: IKEv1 Phase 1 - ISAKMP SA -- ISAKMP-SA encryption: 3DES-168 Security > IPsec VPN > Phase 1 > Encryption: 3DES ISAKMP-SA hash: SHA-1 Security > IPsec VPN > Phase 1 > Authentication: SHA-1 ISAKMP-SA mode: Main mode -- ISAKMP-SA lifetime (seconds): Security > IPsec VPN > Phase 1 > Lifetime [min]: 1440 The value is specified in seconds in the text file. In the WBM, the value must be entered in minutes. Phase 2 - IPSec SA -- IPsec SA encryption: 3DES-168 Security > IPsec VPN > Phase 2 > Encryption: 3DES IPSec SA hash: SHA-1 Security > IPsec VPN > Phase 2 > Authentication: SHA-1 IPSec SA lifetime (seconds): Security > IPsec VPN > Phase 2 > Lifetime [min]: 1440 The value is specified in seconds in the text file. In the WBM, the value must be entered in minutes. Perfect Forward Secrecy (PFS): Nein -- DH/PFS group: DH Security > IPsec VPN > Phase 1 > Key Derivation: DH group 2 Security > IPsec VPN > Phase 2 > Key Derivation: DH group 2 NAT-T: On -- DPD delay (seconds): DPD timeout (seconds): 60 Security > IPsec VPN > Phase 1 > DPD Timeout [sec]: 60 DPD maximum failures: Getting Started, 07/2017, C79000-G8976-C337-05

103 VPN tunnel between SCALANCE M-800 and security CPs 4.2 Secure VPN tunnel with PSK Configuring a VPN tunnel with the SCT V4.x Creating project and modules with SCT Procedure 1. On the "Security" tab of the object properties of the CP 1628, select the "Enable security" check box. 2. In the dialog that follows, create a new user with a user name and the corresponding password. The "administrator" role is assigned to the user automatically. 3. Confirm the dialog with "OK". A new project is created. 4. In HW Config, open the Security Configuration Tool with the "Edit" > "Security Configuration Tool" menu command. The created CP is displayed in the list of configured modules. Getting Started, 07/2017, C79000-G8976-C

104 VPN tunnel between SCALANCE M-800 and security CPs 4.2 Secure VPN tunnel with PSK 5. Generate a second module with the "Insert" > "Module" menu command. 6. Enter the values assigned to the SCALANCE M-800 from the "Settings used (Page 95)" table. 7. Confirm the dialog with "OK". Result The CP and the SCALANCE M-800 will then be displayed in the list of configured modules. 104 Getting Started, 07/2017, C79000-G8976-C337-05

105 VPN tunnel between SCALANCE M-800 and security CPs 4.2 Secure VPN tunnel with PSK Configuring a tunnel connection A VPN tunnel for secure communication can only be established if the SCALANCE M-800 and the CP are assigned to the same VPN group. Procedure 1. Select "VPN groups" in the navigation area and create a new group with the menu command "Insert" > "Group". The group is automatically given the name "Group1". 2. Select the "All modules" entry in the navigation panel. 3. Select the SCALANCE M-800 and the CP in the content area. Drag the modules to "Group1". Both modules are now assigned to "Group1". 4. Change to advanced mode with the menu command "View" > "Advanced mode". 5. Open the group properties of Group1 by selecting the "Properties..." shortcut menu Getting Started, 07/2017, C79000-G8976-C

VPN tunnel between SCALANCE M-800 and security CPs 4.2 Secure VPN tunnel with PSK 6. For this configuration example, configure the group properties with the following settings.

106 VPN tunnel between SCALANCE M-800 and security CPs 4.2 Secure VPN tunnel with PSK 6. For this configuration example, configure the group properties with the following settings. If you use different parameter settings, it is possible that the two tunnel partners will not be able to set up a VPN connection between them. 7. Save the project with the "Project" > "Save" menu command. Result The configuration of the tunnel connection is complete. The settings are saved in the configuration file. 106 Getting Started, 07/2017, C79000-G8976-C337-05

107 VPN tunnel between SCALANCE M-800 and security CPs 4.2 Secure VPN tunnel with PSK Downloading the configuration to the CP and saving the M-800 configuration Downloading the configuration to the CP 1. Close the Security Configuration Tool. 2. In HW Config, select the "Station" > "Save and Compile" menu. 3. Download the new configuration to the security module using the "PLC" > "Download to Module " menu. For CP 1628: If the download was completed free of errors, the security module restarts automatically and the new configuration is activated. For CP Advanced or CP Advanced: Restart the S7 CPU following the download, to activate the new configuration Saving the SCALANCE M-800 configuration 1. In STEP 7, open the Security Configuration Tool with the "Edit" > "Security Configuration Tool" menu command. 2. In the content area, select the "M-800" and select the menu command "Transfer" > "To module(s) ". 3. Save the configuration file "Projectname.M-800.txt" in your project directory. Result The following file will be saved in the project directory: Configuration file: projectname.m-800.txt The configuration file contains the exported configuration information for the SCALANCE M Follow the instructions in the configuration file. Getting Started, 07/2017, C79000-G8976-C

108 VPN tunnel between SCALANCE M-800 and security CPs 4.2 Secure VPN tunnel with PSK Configuring SCALANCE M Configuring the VPN remote end Procedure 1. Click on "Security" > "IPsec VPN" in the navigation area and on the "Remote End" tab in the content area. 2. Enter the name of the VPN partner (tunnel endpoint) in "Remote End Name", e.g. S Click "Create". A new row is created in the table. 4. For the configuration example, configure the VPN remote end with the following settings: Remote Mode Standard Remote Type Manual Remote Address /32 WAN IP address of the DSL router Remote Subnet /24 5. Click on "Set Values" Configuring a VPN connection Requirement The VPN remote end has been created. Procedure 1. Click on "Security" > "IPsec VPN" in the navigation area and on the "Connections" tab in the content area. 2. In "Connection Name" enter a name for the VPN connection. 3. Click "Create". A new row is created in the table. 108 Getting Started, 07/2017, C79000-G8976-C337-05

109 VPN tunnel between SCALANCE M-800 and security CPs 4.2 Secure VPN tunnel with PSK 4. For the configuration example, configure the VPN connection with the following settings: Operation Disabled Keying Protocol IKEv1 Remote End CP1628 Name of the VPN remote station Local Subnet /24 The local subnet 1 in CIDR notation. 5. Click on "Set Values". Getting Started, 07/2017, C79000-G8976-C

110 VPN tunnel between SCALANCE M-800 and security CPs 4.2 Secure VPN tunnel with PSK Configuring VPN authentication Procedure 1. Click on "Security" > "IPsec VPN" in the navigation area and on the "Authentication" tab in the content area. 2. Configure the VPN authentication with the following settings: Authentication PSK Local ID no entry necessary Remote ID The IP address of the VPN remote station. PSK / PSK Confirmation The key that you configured in the SCT. 3. Click on "Set Values" Configuring phase 1 and phase 2 Configuring phase 1 1. Click on "Security" > "IPsec VPN" in the navigation area and on the "Phase 1" tab in the content area. 2. Deselect the "Default Ciphers" check box. 3. Select the "DPD" check box. 4. Configure phase 1 with the following settings from the configuration file: Encryption 3DES Authentication SHA1 Key Derivation DH group 2 Lifetime [min]: 1440 DPD Period [sec] 60 Aggressive Mode no 110 Getting Started, 07/2017, C79000-G8976-C337-05

111 VPN tunnel between SCALANCE M-800 and security CPs 4.2 Secure VPN tunnel with PSK 5. Click on "Set Values". Configuring phase 2 1. Click the "Phase 2" tab. 2. Deselect the "Default Ciphers" check box. 3. Configure phase 2 with the following settings from the configuration file: Encryption 3DES Authentication SHA1 Key Derivation (DFS) DH group 2 Lifetime [min]: Click on "Set Values". Getting Started, 07/2017, C79000-G8976-C

112 VPN tunnel between SCALANCE M-800 and security CPs 4.2 Secure VPN tunnel with PSK Activating VPN Procedure 1. Click on "Security" > "IPsec VPN" in the navigation area and on the "General" tab in the content area. 2. Enable the "IPsec VPN" setting. 3. Click on "Set Values" Establishing the VPN connection Procedure 1. Click on "Security" > "IPsec VPN" in the navigation area and on the "Connections" tab in the content area. 2. As "Operation", select "Start" and click "Set Values". 112 Getting Started, 07/2017, C79000-G8976-C337-05

113 VPN tunnel between SCALANCE M-800 and security CPs 4.3 Secure VPN tunnel with certificates Result The M-800 establishes the VPN tunnel to the CP 128. If the VPN tunnel is established, the LED is lit green on the device. You will find more detailed information in "Information" > "IPsec VPN". 4.3 Secure VPN tunnel with certificates Configuring a VPN tunnel with the SCT V3.x Creating project and modules with SCT Procedure 1. On the "Security" tab of the object properties of the CP 1628, select the "Enable security" check box. 2. In the dialog that follows, create a new user with a user name and the corresponding password. The "administrator" role is assigned to the user automatically. 3. Confirm the dialog with "OK". A new project is created. 4. In HW Config, open the Security Configuration Tool with the "Edit" > "Security Configuration Tool" menu command. The created CP is displayed in the list of configured modules. 5. Generate a second module with the "Insert" > "Module" menu command. Getting Started, 07/2017, C79000-G8976-C

VPN tunnel between SCALANCE M-800 and security CPs 4.3 Secure VPN tunnel with certificates 6. Enter the values assigned to the SCALANCE M-800 from the "Settings used (Page 95)" table. 7.

114 VPN tunnel between SCALANCE M-800 and security CPs 4.3 Secure VPN tunnel with certificates 6. Enter the values assigned to the SCALANCE M-800 from the "Settings used (Page 95)" table. 7. Confirm the dialog with "OK". Result The CP and the SCALANCE M-800 will then be displayed in the list of configured modules Configuring a tunnel connection A VPN tunnel for secure communication can only be established if the SCALANCE M-800 and the CP are assigned to the same group. 114 Getting Started, 07/2017, C79000-G8976-C337-05

115 VPN tunnel between SCALANCE M-800 and security CPs 4.3 Secure VPN tunnel with certificates Procedure 1. Select "VPN groups" in the navigation area and create a new group with the menu command "Insert" > "Group". The group is automatically given the name "Group1". 2. Select the "All modules" entry in the navigation area. 3. Select the SCALANCE M-800 and the CP in the content area. Drag the modules to "Group1". Both modules are now assigned to "Group1". 4. Change to advanced mode with the menu command "View" > "Advanced mode". 5. Open the group properties of Group1 by selecting the "Properties..." shortcut menu 6. For this configuration example, configure the group properties with the following settings: If you use different parameter settings, it is possible that the two tunnel partners will not be able to set up a VPN connection between them. 7. Select the menu command "Project" > "Save". Save the security project under the required name. Getting Started, 07/2017, C79000-G8976-C

116 VPN tunnel between SCALANCE M-800 and security CPs 4.3 Secure VPN tunnel with certificates Result The configuration of the tunnel connection is complete. The settings are saved in the configuration file Downloading the configuration to the CP and saving the M-800 configuration Downloading the configuration to the CP 1. Close the Security Configuration Tool. 2. In HW Config, select the "Station" > "Save and Compile" menu. 3. Download the new configuration to the security module using the "PLC" > "Download to Module " menu. For CP 1628: If the download was completed free of errors, the security module restarts automatically and the new configuration is activated. For CP Advanced or CP Advanced: Restart the S7 CPU following the download, to activate the new configuration. Saving the SCALANCE M configuration 1. In the content area, select the "M-800" and select the menu command "Transfer" > "To module(s) ". 2. Save the configuration file "Projectname.M-800.txt" in your project folder and assign a password for the private key of the certificate, e.g. Di1S+Xo?. Result The following files will be saved in the project directory: Configuration file: projectname.m-800.txt PKCS12 file: projectname.string.m-800.p12 Remote certificate: Projectname.group1.CP.cer The configuration file contains the exported configuration information for the SCALANCE M- 800 including information on the additionally generated certificates. Configuration file IPsec VPN > Certificates Upload Remote Site Certificate: Configuration- 1.group1.S612.cer Upload PKCS12 File (.p12): Configuration- 1.U800CB3FF@G471C.M-800.p12 Settings in WBM System > Load&Save > HTTP > X509Cert : Download IPsec VPN > Connections > VPN Standard Mode - Edit Settings Security > IPsec VPN > Remote End > Remote Mode: Standard 116 Getting Started, 07/2017, C79000-G8976-C337-05

117 VPN tunnel between SCALANCE M-800 and security CPs 4.3 Secure VPN tunnel with certificates Configuration file Address of the remote site's VPN gateway: Authentication method: X.509 remote certificate Settings in WBM Security > IPsec VPN > Remote End > Remote Address: /32 Security > IPsec VPN > Authentication > Authentication: Remote Cert Remote Certificate: Configuration-1.group1.S612.cer Security > IPsec VPN > Authentication > Remote Certificate: Configuration-1.group1.CP.cer Remote ID: Remote net address: Remote subnet mask: Local net address: Local subnet mask: Security > IPsec VPN > Authentication > Remote ID: Security > IPsec VPN > Remote End > Remote Subnet: /24 Security > IPsec VPN > Connections > Local Subnet: /24 IPsec VPN > Connections > Edit IKE Security > IPsec VPN > Connections > Keying Protocol: IKEv1 Phase 1 - ISAKMP SA -- ISAKMP-SA encryption: 3DES-168 Security > IPsec VPN > Phase 1 > Encryption: 3DES ISAKMP-SA hash: SHA-1 Security > IPsec VPN > Phase 1 > Authentication: SHA-1 ISAKMP-SA mode: Main mode -- ISAKMP-SA lifetime (seconds): Security > IPsec VPN > Phase 1 > Lifetime [min]: 1440 The value is specified in seconds in the text file. In the WBM, the value must be entered in minutes. Phase 2 - IPsec SA -- IPsec SA encryption: 3DES-168 Security > IPsec VPN > Phase 2 > Encryption: 3DES IPsec SA hash: SHA-1 Security > IPsec VPN > Phase 2 > Authentication: SHA-1 IPsec SA lifetime (seconds): Security > IPsec VPN > Phase 2 > Lifetime [min]: 1440 The value is specified in seconds in the text file. In the WBM, the value must be entered in minutes. Perfect Forward Secrecy (PFS): No -- DH/PFS group: DH Security > IPsec VPN > Phase 1 > Key Derivation: DH group 2 Security > IPsec VPN > Phase 2 > Key Derivation: DH group 2 NAT-T: On -- DPD delay (seconds): DPD timeout (seconds): 60 Security > IPsec VPN > Phase 1 > DPD Timeout [sec]: 60 DPD maximum failures: 5 -- Getting Started, 07/2017, C79000-G8976-C

118 VPN tunnel between SCALANCE M-800 and security CPs 4.3 Secure VPN tunnel with certificates Configuring a VPN tunnel with the SCT V4.x Creating project and modules with SCT Procedure 1. On the "Security" tab of the object properties of the CP 1628, select the "Enable security" check box. 2. In the dialog that follows, create a new user with a user name and the corresponding password. The "administrator" role is assigned to the user automatically. 3. Confirm the dialog with "OK". A new project is created. 4. In HW Config, open the Security Configuration Tool with the "Edit" > "Security Configuration Tool" menu command. The created CP is displayed in the list of configured modules. 118 Getting Started, 07/2017, C79000-G8976-C337-05

119 VPN tunnel between SCALANCE M-800 and security CPs 4.3 Secure VPN tunnel with certificates 5. Generate a second module with the "Insert" > "Module" menu command. 6. Enter the values assigned to the SCALANCE M-800 from the "Settings used (Page 95)" table. 7. Confirm the dialog with "OK". Result The CP and the SCALANCE M-800 will then be displayed in the list of configured modules. Getting Started, 07/2017, C79000-G8976-C

VPN tunnel between SCALANCE M-800 and security CPs 4.3 Secure VPN tunnel with certificates 4.3.2.

120 VPN tunnel between SCALANCE M-800 and security CPs 4.3 Secure VPN tunnel with certificates Configuring a tunnel connection A VPN tunnel for secure communication can only be established if the SCALANCE M-800 and the CP are assigned to the same group. Procedure 1. Select "VPN groups" in the navigation area and create a new group with the menu command "Insert" > "Group". The group is automatically given the name "Group1". 2. Select the "All modules" entry in the navigation area. 3. Select the SCALANCE M-800 and the CP in the content area. Drag the modules to "Group1". Both modules are now assigned to "Group1". 4. Change to advanced mode with the menu command "View" > "Advanced mode". 5. Open the group properties of Group1 by selecting the "Properties..." shortcut menu 6. For this configuration example, configure the group properties with the following settings: If you use different parameter settings, it is possible that the two tunnel partners will not be able to set up a VPN connection between them. 120 Getting Started, 07/2017, C79000-G8976-C337-05

121 VPN tunnel between SCALANCE M-800 and security CPs 4.3 Secure VPN tunnel with certificates 7. Select the menu command "Project" > "Save". Save the security project under the required name. Result The configuration of the tunnel connection is complete. The settings are saved in the configuration file Downloading the configuration to the CP and saving the M-800 configuration Downloading the configuration to the CP 1. Close the Security Configuration Tool. 2. In HW Config, select the "Station" > "Save and Compile" menu. 3. Download the new configuration to the security module using the "PLC" > "Download to Module " menu. For CP 1628: If the download was completed free of errors, the security module restarts automatically and the new configuration is activated. For CP Advanced or CP Advanced: Restart the S7 CPU following the download, to activate the new configuration. Saving the SCALANCE M-800 configuration 1. In the content area, select the "M-800" and select the menu command "Transfer" > "To module(s) ". 2. Save the configuration file "Projectname.M-800.txt" in your project folder and assign a password for the private key of the certificate, e.g. Di1S+Xo?. Result The following files will be saved in the project directory: Configuration file: projectname.m-800.txt PKCS12 file: projectname.string.m-800.p12 Remote certificate: Projectname.group1.CP.cer The configuration file contains the exported configuration information for the SCALANCE M- 800 including information on the additionally generated certificates. Follow the instructions in the configuration file. Getting Started, 07/2017, C79000-G8976-C

122 VPN tunnel between SCALANCE M-800 and security CPs 4.3 Secure VPN tunnel with certificates Configuring SCALANCE M Loading a certificate Requirement The correct time is set on the SCALANCE M-800, refer to the section Setting the time (Page 27). Certificates are available. You saved the required certificates on the PC in the last section and assigned a password for the private key. Transfer the certificates for the SCALANCE M-800 to the Admin PC. Procedure 1. Click on "System" > "Load&Save" in the navigation area and on the "Passwords"" tab in the content area. 2. In the line "X509Cert" enter the password that you specified for the PKCS12 file in "Password" and "Password confirmation". 3. Enable the password 4. Click on "Set Values". 122 Getting Started, 07/2017, C79000-G8976-C337-05

123 VPN tunnel between SCALANCE M-800 and security CPs 4.3 Secure VPN tunnel with certificates 5. Click on the "HTTP" tab in the content area. 6. For "X509Cert" click the "Loading" button. The dialog for loading a file is opened. Navigate to the remote certificate. 7. Click the "Open" button in the dialog. The file is now loaded on the device. After loading successfully, confirm the next dialog with "OK". 8. Repeat steps 5 and 6 for the PKCS12 file. Result Certificates are loaded and are displayed in "Security" > "Certificates". The loaded certificates must have the status "Valid". Getting Started, 07/2017, C79000-G8976-C

124 VPN tunnel between SCALANCE M-800 and security CPs 4.3 Secure VPN tunnel with certificates Configuring the VPN remote end Procedure 1. Click on "Security" > "IPsec VPN" in the navigation area and on the "Remote End" tab in the content area. 2. Enter the name of the VPN partner (tunnel endpoint) in "Remote End Name", e.g. S Click "Create". A new row is created in the table. 4. For the configuration example, configure the VPN remote end with the following settings: Remote Mode Standard Remote Type Manual Remote Address /32 WAN IP address of the DSL router Remote Subnet /24 5. Click on "Set Values" Configuring a VPN connection Requirement The VPN remote end has been created. Procedure 1. Click on "Security" > "IPsec VPN" in the navigation area and on the "Connections" tab in the content area. 2. In "Connection Name" enter a name for the VPN connection. 3. Click "Create". A new row is created in the table. 124 Getting Started, 07/2017, C79000-G8976-C337-05

125 VPN tunnel between SCALANCE M-800 and security CPs 4.3 Secure VPN tunnel with certificates 4. For the configuration example, configure the VPN connection with the following settings: Operation Disabled Keying Protocol IKEv1 Remote End CP1628 Name of the VPN remote station Local Subnet /24 The local subnet 1 in CIDR notation. 5. Click on "Set Values" Configuring VPN authentication Procedure 1. Click on "Security" > "IPsec VPN" in the navigation area and on the "Authentication" tab in the content area. 2. For the configuration example, configure the VPN authentication with the following settings: Authentication Local certificate Remote Certificate Remote ID Remote Cert projectname.string.m-800.p12 Projectname.group1.CP.cer Remote ID from the configuration file 3. Click on "Set Values". Getting Started, 07/2017, C79000-G8976-C

VPN tunnel between SCALANCE M-800 and security CPs 4.3 Secure VPN tunnel with certificates 4.3.3.5 Configuring phase 1 and phase 2 Configuring phase 1 1.

126 VPN tunnel between SCALANCE M-800 and security CPs 4.3 Secure VPN tunnel with certificates Configuring phase 1 and phase 2 Configuring phase 1 1. Click on "Security" > "IPsec VPN" in the navigation area and on the "Phase 1" tab in the content area. 2. Deselect the "Default Ciphers" check box. 3. Select the "DPD" check box. 4. Configure phase 1 with the following settings from the configuration file: Encryption 3DES Authentication SHA1 Key Derivation DH group 2 Lifetime [min]: 1440 DPD Period [sec] 60 Aggressive Mode no 5. Click on "Set Values". Configuring phase 2 1. Click the "Phase 2" tab. 2. Deselect the "Default Ciphers" check box. 3. Configure phase 2 with the following settings from the configuration file: Encryption 3DES Authentication SHA1 Key Derivation (DFS) DH group 2 Lifetime [min]: Getting Started, 07/2017, C79000-G8976-C337-05

127 VPN tunnel between SCALANCE M-800 and security CPs 4.3 Secure VPN tunnel with certificates 4. Click on "Set Values" Activating VPN Procedure 1. Click on "Security" > "IPsec VPN" in the navigation area and on the "General" tab in the content area. 2. Enable the "IPsec VPN" setting. 3. Click on "Set Values". Getting Started, 07/2017, C79000-G8976-C

128 VPN tunnel between SCALANCE M-800 and security CPs 4.3 Secure VPN tunnel with certificates Establishing the VPN connection Procedure 1. Click on "Security" > "IPsec VPN" in the navigation area and on the "Connections" tab in the content area. 2. As "Operation", select "Start" and click "Set Values". Result The SCALANCE M-800 establishes the VPN tunnel to the CP If the VPN tunnel is established, the LED is lit green on the device. You will find more detailed information in "Information" > "IPsec VPN". 128 Getting Started, 07/2017, C79000-G8976-C337-05

VPN tunnel between SCALANCE M87x and 5 SINEMA RC Server 5.1 Procedure in principle In this sample configuration, two distributed stations are connected using the SCALANCE M87x.

129 VPN tunnel between SCALANCE M87x and 5 SINEMA RC Server 5.1 Procedure in principle In this sample configuration, two distributed stations are connected using the SCALANCE M87x. The devices communicate via the SINEMA RC Server located in the master station. The SINEMA RC is addressed using a WAN IP address obtained from a provider. As an alternative, you can also address the SINEMA RC Server using a defined name (FQDN). A KEY-PLUG SINEMA Remote Connect is required for each SCALANCE M87x device. The KEY-PLUG enables the connection from SCALANCE M87x to SINEMA RC. To do this, the devices need to log on to the SINEMA RC Server. The VPN tunnel between the device and the SINEMA RC Server is established only after successful authentication. Depending on the configured communication relations and the security settings, the SINEMA RC server connects the individual VPN tunnels. Structure Getting Started, 07/2017, C79000-G8976-C

130 VPN tunnel between SCALANCE M87x and SINEMA RC Server 5.1 Procedure in principle Master station - connection to SINEMA RC Server In the test setup in the internal network, a network node is implemented by a PC connected to the LAN interface of the SINEMA RC Server. PC: represents a participant in internal network 3 SINEMA RC Server Connection to the external network via a router Access to the external network is via a router connected to the WAN interface of the SINEMA RC Server. Station 1 / 2 - connection to SCALANCE M87x In the test setup in the internal network, a network node is implemented by a PC connected to the Ethernet interface P1 of the M-800. PC: represents a participant in internal network 1/2 M-87x: SCALANCE M module for protection of the internal network 1/2 Connection to the external, public network Wireless via the antenna of the M87x on the mobile wireless network (as of firmware 4.0) Required devices/components Use the following components for setup: 2 x M874 (additional option: a suitably installed standard rail with fittings) 2 x KEY-PLUG SINEMA RC 2 x 24 V power supply with cable connector and terminal block plug 2 x PC each connected to a SCALANCE M x suitable antennas 2 x SIM card of your mobile wireless provider. Suitable services are enabled, e.g. Internet. 1 x PC on which the SINEMA RC Server is installed. 1 x PC that is connected to the SINEMA RC Server. 1 x router The required network cable, TP cable (twisted pair) complying with the IE FC RJ-45 standard for Industrial Ethernet Note You can also use a SCALANCE M876. The configuration described below relates specifically to the components mentioned in the section "Required devices/components". 130 Getting Started, 07/2017, C79000-G8976-C337-05

131 VPN tunnel between SCALANCE M87x and SINEMA RC Server 5.1 Procedure in principle Settings used For the configuration example, the devices are given the following IP address settings: Station -1 LAN1 Station-2 LAN2 Master station LAN3 Name Interface IP address M874-2 #1 LAN interface P (vlan1) WAN interface Dynamic IP address from provider (ppp0) PC1 LAN interface M874-2 #2 LAN interface P (vlan1) WAN interface Dynamic IP address from provider (ppp0) PC2 Ethernet (LAN 2) SINEMA WAN interface RC Server The WAN IP address via which the SINEMA RC Server can be reached is the WAN IP address of the router in this example The default gateway is the LAN IP address of the router As an alternative, the SINEMA RC Server can also be addressed using a defined host name (FQDN). PC3 Ethernet (LAN3) Router 3 LAN interface WAN interface Static IP address from the provider e.g Note The IP settings used in the configuration example were freely chosen. In a real network, you would need to adapt these IP settings to avoid possible address conflicts. Getting Started, 07/2017, C79000-G8976-C

132 VPN tunnel between SCALANCE M87x and SINEMA RC Server 5.1 Procedure in principle Requirement SINEMA RC Server The SINEMA RC Server is connected to the WAN. You will find the configuration steps in the Getting Started "SINEMA Remote Connect". Note Port forwarding at the router By using a router as a gateway you must enable the following ports on the router and forward the data packets to the SINEMA RC Server: TCP 443 TCP 5443 UDP 1194 Router with VPN capability If your router itself has VPN capability, make sure that the ports do not overlap or this function is disabled. You will find further information on this in the documentation of the router. SCALANCE M874 The M874 is connected to the WAN, refer to "Connecting SCALANCE M800 to the WAN". The steps in configuration are the same for all devices, the only difference being the settings, see table "Settings used (Page 129)". The M874 can be reached via PC1 or PC2 and you are logged in to the WBM as a user with the role "admin". A valid KEY-PLUG SINEMA Remote Connect is inserted in the SCALANCE M. Steps in configuration Configuring access to the SINEMA RC Server For the PC to be able to access the WBM of the SINEMA RC Server via the M874, the following steps are necessary on the M874: 1. Activate IP masquerading (Page 133) 2. Allow access (Page 133) Configure a remote connection on the SINEMA RC Server 1. Creating participant groups (Page 134) 2. Create devices (Page 136) 3. Configure communication relations (Page 138) 132 Getting Started, 07/2017, C79000-G8976-C337-05

133 VPN tunnel between SCALANCE M87x and SINEMA RC Server 5.2 Configuring access to the SINEMA RC server Configure a remote connection on the M874 Secure VPN connection with fingerprint (Page 140) Secure VPN connection with CA certificate Loading a certificate (Page 143) Configuring a VPN connection to the SINEMA RC Server (Page 144) 5.2 Configuring access to the SINEMA RC server Activating IP masquerading IP masquerading is used so that the internal IP addresses are not forwarded to external. In addition to this, no further routing settings are necessary on the router. Procedure 1. Click on "Layer 3" > "NAT" in the navigation area and on the "Masquerading" tab in the content area. 2. Activate "Enable Masquerading" on the WAN interface. M874, M876-3: ppp0 M876-4: usb0 M826-2: vlan1 3. Click on "Set Values". Result Masquerading is enabled on the WAN interface. When a packet is sent via this interface, the source address is rewritten to the IP address assigned to the WAN interface Allow access So that the PC can access the SINEMA RC Server, on the device access from vlan1 to the WAN interface is enabled. Procedure 1. Click on "Security" > "Firewall" in the navigation area and on the "IP Rules" tab in the content area. 2. Click "Create". A new entry is created in the table. Getting Started, 07/2017, C79000-G8976-C

134 VPN tunnel between SCALANCE M87x and SINEMA RC Server 5.3 Configuring a remote connection on the SINEMA RC Server 3. Configure the firewall rule with the following settings: Action From To Source (Range) Destination (Range) Service Accept vlan1 (internal) external M874, M876-3: ppp0 M876-4: usb (all IP addresses) (all IP addresses) all As default, the service is always available 4. Click on "Set Values". Result Due to this firewall rule, all services between vlan1 and ppp0 or usb0 are possible without restrictions, e.g. HTTPS 5.3 Configuring a remote connection on the SINEMA RC Server Creating node groups Users and devices can be put together in participant groups. You can also specify whether the communication between the participants of an individual group is permitted or forbidden. For this sample configuration, the following groups are created. Station1 Station2 Service The Service group is required for the configuration example "OpenVPN tunnel between SINEMA RC Client and SINEMA RC Server". You will find this example in the Getting Started SINEMA RC Server. 134 Getting Started, 07/2017, C79000-G8976-C337-05

VPN tunnel between SCALANCE M87x and SINEMA RC Server 5.3 Configuring a remote connection on the SINEMA RC Server Requirement The SINEMA RC Server is connected to the WAN. Procedure 1.

135 VPN tunnel between SCALANCE M87x and SINEMA RC Server 5.3 Configuring a remote connection on the SINEMA RC Server Requirement The SINEMA RC Server is connected to the WAN. Procedure 1. In the address box of the Web browser, enter the WAN IP address of the SINEMA RC Server " IP address>", see table "Settings used (Page 129)". 2. Log in as the "admin" user and with the corresponding password. 3. In the navigation area, click "Remote connections" > "Participant groups". The participant groups that have already been created are listed in the content area. 4. Click "Create". The page "New participant group" is opened. 5. For group name enter "Station1". Enable the setting "Members may communicate" and click "Save". 6. Repeat steps 1-3 for the groups "Station2" and "Service" Result The participant groups have been created. Getting Started, 07/2017, C79000-G8976-C

136 VPN tunnel between SCALANCE M87x and SINEMA RC Server 5.3 Configuring a remote connection on the SINEMA RC Server Create devices Procedure 1. In the navigation area, click "Remote connections" > "Devices". The devices that have already been created are listed in the content area. 2. Click "Create" button to create a new device. 3. Enter the device name for the device e.g. "M874_1" for station 1 and "M874_2" for station Click "Continue". 5. For "VPN connection mode", select "OpenVPN". Click "Continue". 6. Enable the parameter "Connected local subnets". 7. Enable the parameter "Device is a network gateway". 8. Configure the devices with the following settings: Local LAN IP address Network mask IP address for vlan1 according to the table "Settings used (Page 129)". 9. Click "Continue". The "Group memberships" tab is displayed. 10.Enable the appropriate group. For the device "M874_1" the group "Station1" For the device "M874_2"" the group "Station2" 11.Click "Continue". The "Password" tab is displayed. 12.Specify the password for the access e.g. An:t_010 for M874_1 and An:t_020 for M874_2. The password must be made up of uppercase and lowercase letters, numbers and special characters. 13.Click "Exit". Result The devices are listed with the devices that have already been created. Device password Device ID Fingerprint You will find the device ID and the fingerprint in the device information. Click on the symbol to open the device information. 136 Getting Started, 07/2017, C79000-G8976-C337-05

137 VPN tunnel between SCALANCE M87x and SINEMA RC Server 5.3 Configuring a remote connection on the SINEMA RC Server Getting Started, 07/2017, C79000-G8976-C

138 VPN tunnel between SCALANCE M87x and SINEMA RC Server 5.3 Configuring a remote connection on the SINEMA RC Server Configure communications relations So that participant groups can communicate with each other, communication relations are necessary. A communication relation can be created for every direction. For this sample configuration, the following communication relations are created: from group Service Station1 to the destination group Station1 Station2 Station2 In this configuration example, communication is only from the group "Station 1" to the group "Station 2". In the opposite direction, no communication is possible. For the communication from the group "Station2" to the group "Station1" another communication relation is necessary. The group "Service" can also communicate with the groups "Station1" and "Station2" but they cannot communicate with "Service". Procedure 1. In the navigation area, click "Remote connections" > "Participant groups". The participant groups that have already been created are listed in the content area. 2. For "Station1" in the "Actions" column click on the icon. The page "Destination group" is opened. 3. Enable "Station2" and click on "Save". 4. Click "Exit dialog". 5. For "Service", click the symbol in the "Actions" column. The page "Destination group" is opened. 6. Enable "Station1" and "Station2". Click "Save". 7. Click "Exit dialog". 138 Getting Started, 07/2017, C79000-G8976-C337-05

VPN tunnel between SCALANCE M87x and SINEMA RC Server 5.3 Configuring a remote connection on the SINEMA RC Server Result The communication relations have been created.

139 VPN tunnel between SCALANCE M87x and SINEMA RC Server 5.3 Configuring a remote connection on the SINEMA RC Server Result The communication relations have been created. Click "Remote connections" > "Communication relations" in the navigation area. The created relations are listed in the content area. Getting Started, 07/2017, C79000-G8976-C

140 VPN tunnel between SCALANCE M87x and SINEMA RC Server 5.4 Configuring a remote connection on the M87x 5.4 Configuring a remote connection on the M87x Secure VPN connection with fingerprint Requirement On PC1/2 there are two Web browser windows open. Web browser 1 for access to Web Based Management of SCALANCE M874. Web browser 2 for access to SINEMA RC. A valid KEY-PLUG is inserted in the M87x. Procedure 1. Change to the Web browser for access to Web Based Management of the SCALANCE M874. In the address box of the Web browser, enter the LAN IP address of the SCALANCE M874, see table "Settings used (Page 129)". Log in as the "admin" user and with the corresponding password. Click "System" > "SINEMA RC" in the navigation area. For "Sinema RC Address", enter the WAN IP address of the SINEMA RC Server, see table "Settings used (Page 129)". 2. Change to the Web browser for access to SINEMA RC. In the address box of the Web browser, enter the WAN IP address of the server, see table "Settings used (Page 129)". Log in as the "admin" user and the corresponding password. In the navigation area, click "Remote connections" > "Devices". Click on the symbol in "Actions" to open the device information. Holding down the left mouse button, select the entry for device ID. Right-click on the selection and in the shortcut menu, select the copy command. 3. Change to the Web browser for access to Web Based Management of the SCALANCE M874. Right click in the input box of "Device ID". In the shortcut menu, select the menu command for inserting. For "Device Password" enter the password that you configured for access, An:t_010 for M874-1 and An:t_020 for M Enable "Auto Firewall / NAT Rules". When enabled, the suitable NAT and firewall rules are created automatically. For "Verification Type" select "Fingerprint". 140 Getting Started, 07/2017, C79000-G8976-C337-05

141 VPN tunnel between SCALANCE M87x and SINEMA RC Server 5.4 Configuring a remote connection on the M87x 4. Change to the Web browser for access to SINEMA RC. Holding down the left mouse button, select the entry for fingerprint. Right-click on the selection and in the shortcut menu, select the copy command. 5. Change to the Web browser for access to Web Based Management of the SCALANCE M874. Right click in the input box of "Fingerprint". In the shortcut menu, select the menu command for inserting. Select "Enable SINEMA RC". Click "Set Values". Result The device establishes a VPN tunnel to the SINEMA RC Server. You can check in the WBM to see whether the connection was successful. In the Web browser for access to Web Based Management of SCALANCE M874: In the navigation area, click "Information" > "SINEMA RC". Getting Started, 07/2017, C79000-G8976-C

142 VPN tunnel between SCALANCE M87x and SINEMA RC Server 5.4 Configuring a remote connection on the M87x Web browser for access to SINEMA RC: Click "Remote connections" > "Devices" in the navigation area. 142 Getting Started, 07/2017, C79000-G8976-C337-05

143 VPN tunnel between SCALANCE M87x and SINEMA RC Server 5.4 Configuring a remote connection on the M87x Secure VPN connection with CA certificate Loading a certificate Requirement The correct time is set on the M874 and the SINEMA RC Server. On PC1/2 there are two Web browser windows open. Procedure 1. Change to the Web browser for access to SINEMA RC. In the address box of the Web browser, enter the WAN IP address of the SINEMA RC Server, see table "Settings used (Page 129)". Log in as the "admin" user and the corresponding password. Click "Security" > "Certificates" in the navigation area. Click on the symbol in "Actions" to export the certificate. 2. Change to the Web browser for access to Web Based Management of the SCALANCE M874. In the address box of the Web browser, enter the LAN IP address of the M874, see table "Settings used (Page 129)". Log in as the "admin" user and with the corresponding password. Click on "System" > "Load&Save" in the navigation area and on the "Passwords"" tab in the content area. Enter the device password in "X509Cert". Enable the entry and click on "Set Values". Click on the "HTTP" tab in the content area. Click the "Load" button next to "X509Cert". The dialog for loading a file is opened. Navigate to the exported server certificate. Click the "Open" button in the dialog. The file is now loaded on the device. After loading successfully, confirm the next dialog with "OK". Getting Started, 07/2017, C79000-G8976-C

VPN tunnel between SCALANCE M87x and SINEMA RC Server 5.4 Configuring a remote connection on the M87x Result The certificates are loaded. Certificates are displayed in "Security" > "Certificates".

144 VPN tunnel between SCALANCE M87x and SINEMA RC Server 5.4 Configuring a remote connection on the M87x Result The certificates are loaded. Certificates are displayed in "Security" > "Certificates". The loaded certificates must have the status "Valid" Configuring a VPN connection to the SINEMA RC Server Requirement A valid SINEMA RC KEY-PLUG is inserted in the M87x. Procedure 1. Change to the Web browser for access to Web Based Management of the SCALANCE M874. Click "System > SINEMA RC" in the navigation area. For "Sinema RC Address", enter the WAN IP address of the SINEMA RC Server, see table "Settings used (Page 129)". 2. Change to the Web browser for access to SINEMA RC. In the navigation area, click "Remote connections" > "Devices". Click on the symbol in "Actions" to open the device information. Holding down the left mouse button, select the entry for device ID. Right-click on the selection and in the shortcut menu, select the copy command. 144 Getting Started, 07/2017, C79000-G8976-C337-05

VPN tunnel between SCALANCE M87x and SINEMA RC Server 5.4 Configuring a remote connection on the M87x 3. Change to the Web browser for access to Web Based Management of the SCALANCE M874.

145 VPN tunnel between SCALANCE M87x and SINEMA RC Server 5.4 Configuring a remote connection on the M87x 3. Change to the Web browser for access to Web Based Management of the SCALANCE M874. Right click in the input box of "Device ID". In the shortcut menu, select the menu command for inserting. For "Device Password" enter the password that you configured for access, An:t_010 for M874-1 and An:t_020 for M Enable "Auto Firewall / NAT Rules". When enabled, the suitable NAT and firewall rules are created automatically. For "Verification Type" select "CA Certificate". In "CA Certificate" select the server certificate. Only loaded certificates can be selected. Activate "Enable SINEMA RC" and click on "Set Values". Result The device establishes a VPN tunnel to the SINEMA RC Server. You can check in the WBM to see whether the connection was successful. Getting Started, 07/2017, C79000-G8976-C

146 VPN tunnel between SCALANCE M87x and SINEMA RC Server 5.4 Configuring a remote connection on the M87x Web browser 1: In the navigation area, click "Information" > "SINEMA RC". Web browser 2: Click "Remote connections" > "Devices" in the navigation area. 146 Getting Started, 07/2017, C79000-G8976-C337-05

VPN tunnel between two M-800s 6 6.1 Procedure in principle In this example a secure VPN connection with certificates is established between two SCALANCE M-800 devices.

147 VPN tunnel between two M-800s Procedure in principle In this example a secure VPN connection with certificates is established between two SCALANCE M-800 devices. In this example of a configuration the SCALANCE M81x in the master station is the VPN server and this can be reached from the WAN via its fixed IP address. The SCALANCE M87x in the station is the VPN client that establishes the connection to the VPN server when necessary. Layout Internal network 1 / 2 - connection to SCALANCE M In the test setup in the internal network, a network node is implemented by an Admin PC or SIMATIC station connected to an Ethernet interface of the SCALANCE M-800. Admin PC: Represents a node in the internal network M87x\M81x: SCALANCE M module for protection of the internal network Connection to the external, public network: Wireless via the antenna of the M87x to the mobile wireless network. Wired via the RJ-45 jack of the M81x to ADSL. Getting Started, 07/2017, C79000-G8976-C

148 VPN tunnel between two M-800s 6.1 Procedure in principle Required devices/components Use the following components to set up the network: Connection to the mobile wireless network 1 x M874 (additional option: a suitably installed standard rail with fittings) 1 x 24 V power supply with cable connector and terminal block plug 1 x suitable antenna 1 x SIM card of your mobile wireless provider. Suitable services are enabled, e.g. Internet. Connecting to ADSL 1 x M812 or 1 x M816 (optionally also: a suitably installed standard rail with fittings) 1 x 24 V power supply with cable connector and terminal block plug ADSL access is enabled 1 x PC with which the SCALANCE M is connected. The required network cable, TP cable (twisted pair) complying with the IE FC RJ-45 standard for Industrial Ethernet Settings used For the configuration example, the devices are given the following IP address settings Master station M81x Interface ADSL (external) Ethernet (internal) Admin PC Ethernet (internal) Station 1 M87x Mobile wireless (external) Ethernet (internal) Admin PC Ethernet (internal) IP address Vlan 2 Fixed IP address, e.g (VPN server) Provider dependent As an alternative, the DDNS hostname can also be used. Vlan Vlan 2 Dynamic IP address (VPN client) Vlan Getting Started, 07/2017, C79000-G8976-C337-05

149 VPN tunnel between two M-800s 6.1 Procedure in principle Note For the devices located in the internal network, the IP address of the internal port must be entered as the standard gateway. Requirement The SCALANCE M87x/SCALANCE M81x is connected to the WAN, refer to "Connecting SCALANCE M to the WAN (Page 11)". The SCALANCE M87x/SCALANCE M81x can be reached via the Admin PC and you are logged in to the WBM as "admin". The "Security Configuration Tool V4.x" is installed Steps in configuration 1. Configuring a VPN tunnel with the SCT Creating the project and modules (Page 150) Configuring a tunnel connection (Page 153) Configuring VPN parameters (Page 155) Saving the M-800 configuration (Page 155) 2. Configuring the SCALANCE M81x (VPN server) Loading a certificate (Page 156) Configuring the VPN remote end (Page 158) Configuring a VPN connection (Page 159) Configuring VPN authentication (Page 159) Configuring phase 1 and phase 2 (Page 160) Activating VPN (Page 162) Establishing the VPN connection (Page 162) 3. Configuring the SCALANCE M87x (VPN client) Loading a certificate (Page 163) Configuring the VPN remote end (Page 165) Configuring a VPN connection (Page 166) Configuring VPN authentication (Page 166) Configuring phase 1 and phase 2 (Page 167) Activating VPN (Page 169) Establishing the VPN connection (Page 169) 4. Displaying the status of the VPN connection (Page 170) Getting Started, 07/2017, C79000-G8976-C

150 VPN tunnel between two M-800s 6.2 Configuring a VPN tunnel with the SCT 6.2 Configuring a VPN tunnel with the SCT Creating the project and modules Procedure 1. Start the Security Configuration Tool V4.x on the PC. 2. Select the menu command "Project" > "New". 3. In the dialog that follows, create a new user with a user name and the corresponding password. The "administrator" role is assigned to the user automatically. 4. Confirm the dialog with "OK". A new project has been created and the "Selection of a module or software configuration" dialog is open. 150 Getting Started, 07/2017, C79000-G8976-C337-05

VPN tunnel between two M-800s 6.2 Configuring a VPN tunnel with the SCT 5. Enter the values assigned to the M87x from the "Settings used (Page 147)" table.

151 VPN tunnel between two M-800s 6.2 Configuring a VPN tunnel with the SCT 5. Enter the values assigned to the M87x from the "Settings used (Page 147)" table. With the M87x, the external IP address is not relevant. For the IP address (ext) use the default settings. 6. Close the dialog with "OK". 7. Generate a second module with the "Insert" > "Module" menu command Getting Started, 07/2017, C79000-G8976-C

VPN tunnel between two M-800s 6.2 Configuring a VPN tunnel with the SCT 8. Enter the values assigned to the M81x from the "Settings used (Page 147)" table.

152 VPN tunnel between two M-800s 6.2 Configuring a VPN tunnel with the SCT 8. Enter the values assigned to the M81x from the "Settings used (Page 147)" table. 9. Close the dialog with "OK". Result The devices will then be displayed in the list of configured modules. 152 Getting Started, 07/2017, C79000-G8976-C337-05

153 VPN tunnel between two M-800s 6.2 Configuring a VPN tunnel with the SCT Configuring a tunnel connection A VPN tunnel for secure communication can only be established if the SCALANCE M81x and the SCALANCE M87x are assigned to the same group. Procedure 1. Select "VPN groups" in the navigation area and create a new group with the menu command "Insert" > "Group". The group is automatically given the name "Group1". 2. Select the "All modules" entry in the navigation area. 3. Select the two entries in the content area. Drag the modules to "Group1". Both modules are now assigned to "Group1". 4. Change to advanced mode with the menu command "View" > "Advanced mode". 5. Open the group properties of Group1 by selecting the "Properties..." shortcut menu. Getting Started, 07/2017, C79000-G8976-C

154 VPN tunnel between two M-800s 6.2 Configuring a VPN tunnel with the SCT 6. For this configuration example, configure the group properties with the following settings. 7. Close the dialog with "OK". Result The configuration of the tunnel connection is complete. 154 Getting Started, 07/2017, C79000-G8976-C337-05

155 VPN tunnel between two M-800s 6.2 Configuring a VPN tunnel with the SCT Configuring VPN parameters In this configuration example, the M81x (VPN server) is "passive". The M81x waits for the partner M87x to initiate the connection establishment. Procedure Configuring VPN parameters for M81x (VPN server) 1. Select the "M81xServer" in the content area. 2. Select the menu command "Edit" > "Properties". Click the "VPN" tab. 3. Click on the "VPN" tab. 4. For "Permission to initiate connection establishment", select the "Wait for partner (responder)" entry. 5. Enter the WAN IP address e.g Click "Apply" and close the dialog with "OK". Configuring VPN parameters for M87x (VPN client) 1. Select the "M81xServer" in the content area. 2. Select the menu command "Edit" > "Properties". Click on the "VPN" tab. 3. Click on the "VPN" tab. 4. For "Permission to initiate connection establishment", select the "Start connection to partner (initiator/responder)" entry. 5. Click "Apply" and close the dialog with "OK". 6. Select the "Project" > "Save" menu command. Save the security project under the required name. Result The security project is configured. The settings are saved in the configuration file Saving the configuration Procedure 1. In the content area, select the "M81xServer" and select the menu command "Transfer" > "To module(s) ". 2. Save the configuration file "Projectname.M81xServer.txt" in your project folder and assign a password for the private key of the certificate, e.g. Di1S+Xo?. 3. In the content area, select the "M87xClient" and select the menu command "Transfer" > "To module(s) ". 4. Save the configuration file "Projectname.M87xClient.txt" in your project folder and assign a password for the private key of the certificate, e.g. Di1S+Xo?. Getting Started, 07/2017, C79000-G8976-C

156 VPN tunnel between two M-800s 6.3 Configuring the SCALANCE M81x (VPN server) Result The following files will be saved in the project directory: Configuration file: Project name of the module.txt PKCS12 file: Project name.string.name of the module.p12 Remote certificate: Projectname.group1module name.cer The configuration file contains the exported configuration information for the SCALANCE M- 800 devices including information on the additionally generated certificates. Follow the instructions in the configuration file. 6.3 Configuring the SCALANCE M81x (VPN server) Loading a certificate The certificates are necessary to authenticate the VPN node and therefore for the establishment of a secure VPN connection. You obtain the information which certificate is to be loaded on which device from the configuration file. Requirement The correct time is set on the SCALANCE M-800, refer to the section Setting the time (Page 27). Certificates are available. You saved the required certificates on the PC in the last section and assigned a password for the private key. Transfer the certificates for the SCALANCE M-800 to the Admin PC. Procedure 1. Click on "System" > "Load&Save" in the navigation area and on the "Passwords"" tab in the content area. 2. To load the file successfully on the SCALANCE M enter the password specified for the file in the line "X509Cert" in "Password" and "Password confirmation" When you saved the configuration files of the SCALANCE M from the Security Configuration Tool, you were requested to assign a password for the private key of the certificate or to use the project name for this. 3. Enable the password 156 Getting Started, 07/2017, C79000-G8976-C337-05

157 VPN tunnel between two M-800s 6.3 Configuring the SCALANCE M81x (VPN server) 4. Click on "Set Values". 5. Click on the "HTTP" tab in the content area. 6. For "X509Cert" click the "Loading" button. The dialog for loading a file is opened. Getting Started, 07/2017, C79000-G8976-C

158 VPN tunnel between two M-800s 6.3 Configuring the SCALANCE M81x (VPN server) 7. Click the "Open" button in the dialog. The file is now loaded on the device. After loading successfully, confirm the next dialog with "OK". 8. Repeat steps 5 and 6 for the PKCS12 file. Result Certificates are loaded and are displayed in "Security" > "Certificates". The loaded certificates must have the status "Valid" Configuring the VPN remote end In this example of a configuration the M81x in the master station is the VPN server that accepts the connection of VPN partners with any IP address. Procedure 1. Click on "Security" > "IPsec VPN" in the navigation area and on the "Remote End" tab in the content area. 2. Enter the name of the VPN partner (tunnel endpoint) in "Remote End Name", e.g. VPN_Client_M87x. 3. Click "Create". A new row is created in the table. 4. Configure the VPN remote end with the following settings from the configuration file: Remote Mode Standard Remote Type Any Accepts the connection from VPN partners with any IP address address from the remote subnet. Remote Subnet /24 The subnet that can be reached through the VPN tunnel 5. Click on "Set Values". 158 Getting Started, 07/2017, C79000-G8976-C337-05

159 VPN tunnel between two M-800s 6.3 Configuring the SCALANCE M81x (VPN server) Configuring a VPN connection Requirement The VPN remote end has been created. Procedure 1. Click on "Security" > "IPsec VPN" in the navigation area and on the "Connections" tab in the content area. 2. In "Connection Name" enter a name for the VPN connection. 3. Configure the VPN connection with the following settings: Operation Disabled Keying Protocol IKEv2 Remote End VPN_Client_M87x Name of the VPN remote station Local Subnet /24 The local subnet 1 in CIDR notation. 4. Click on "Set Values" Configuring VPN authentication For secure communication via VPN, all VPN partners need to authenticate themselves with each other. In this configuration example, the certificate of the VPN remote station. Procedure 1. Click on "Security" > "IPsec VPN" in the navigation area and on the "Authentication" tab in the content area. 2. Configure the VPN authentication with the following settings: Authentication Local certificate Remote Certificate Remote ID Remote Cert The precise names of the certificates and the remote ID can be found in the relevant configuration file. Getting Started, 07/2017, C79000-G8976-C

160 VPN tunnel between two M-800s 6.3 Configuring the SCALANCE M81x (VPN server) 3. Click on "Set Values" Configuring phase 1 and phase 2 The settings must match on both devices. Configuring phase 1 1. Click on "Security" > "IPsec VPN" in the navigation area and on the "Phase 1" tab in the content area. 2. Deselect the "Default Ciphers" check box. 3. Select the "DPD" check box. 4. Configure phase 1 with the following settings from the configuration file: Encryption AES 128 Authentication SHA1 Key Derivation DH group 14 Lifetime [min]: 2880 DPD Period [sec] 60 Aggressive Mode no 5. Click on "Set Values". 160 Getting Started, 07/2017, C79000-G8976-C337-05

161 VPN tunnel between two M-800s 6.3 Configuring the SCALANCE M81x (VPN server) Configuring phase 2 1. Click on "Security" > "IPsec VPN" in the navigation area and on the "Phase 2" tab in the content area. 2. Leave the "Default Ciphers" check box enabled. When enabled, a preset list is transferred to the VPN connection partner during connection establishment. The list contains a combination of the three algorithms (Encryption, Authentication, Key Derivation). To establish a VPN connection, the VPN connection partner must support at least one of the combinations. The selection depends on the key exchange method. 3. Select the "DPD" check box. 4. Configure phase 1 with the following settings from the configuration file: Encryption AES128 Authentication SHA1 Key Derivation DH group 14 Lifetime [min]: Enable "Auto Firewall Rules" The firewall rule is created automatically for the VPN connection. 6. Click on "Set Values". Getting Started, 07/2017, C79000-G8976-C

VPN tunnel between two M-800s 6.3 Configuring the SCALANCE M81x (VPN server) 6.3.6 Activating VPN Procedure 1.

162 VPN tunnel between two M-800s 6.3 Configuring the SCALANCE M81x (VPN server) Activating VPN Procedure 1. Click on "Security" > "IPsec VPN" in the navigation area and on the "General" tab in the content area. 2. Enable the "IPsec VPN" setting. 3. Click on "Set Values" Establishing the VPN connection The M81x (VPN server) is configured as the reponder. Procedure 1. Click on "Security" > "IPsec VPN" in the navigation area and on the "Connections" tab in the content area. 2. As "Operation", select "wait" and click "Set Values". 162 Getting Started, 07/2017, C79000-G8976-C337-05

163 VPN tunnel between two M-800s 6.4 Configuring the SCALANCE M87x (VPN client) 6.4 Configuring the SCALANCE M87x (VPN client) Loading a certificate The certificates are necessary to authenticate the VPN node and therefore for the establishment of a secure VPN connection. You obtain the information which certificate is to be loaded on which device from the configuration file. Requirement The correct time is set on the SCALANCE M-800, refer to the section Setting the time (Page 27). Certificates are available. You saved the required certificates on the PC in the last section and assigned a password for the private key. Transfer the certificates for the SCALANCE M-800 to the Admin PC. Procedure 1. Click on "System" > "Load&Save" in the navigation area and on the "Passwords"" tab in the content area. 2. To load the file successfully on the SCALANCE M enter the password specified for the file in the line "X509Cert" in "Password" and "Password confirmation" When you saved the configuration files of the SCALANCE M from the Security Configuration Tool, you were requested to assign a password for the private key of the certificate or to use the project name for this. 3. Enable the password Getting Started, 07/2017, C79000-G8976-C

164 VPN tunnel between two M-800s 6.4 Configuring the SCALANCE M87x (VPN client) 4. Click on "Set Values". 5. Click on the "HTTP" tab in the content area. 6. For "X509Cert" click the "Loading" button. The dialog for loading a file is opened. 164 Getting Started, 07/2017, C79000-G8976-C337-05

VPN tunnel between two M-800s 6.4 Configuring the SCALANCE M87x (VPN client) 7. Click the "Open" button in the dialog. The file is now loaded on the device.

165 VPN tunnel between two M-800s 6.4 Configuring the SCALANCE M87x (VPN client) 7. Click the "Open" button in the dialog. The file is now loaded on the device. After loading successfully, confirm the next dialog with "OK". 8. Repeat steps 5 and 6 for the PKCS12 file. Result Certificates are loaded and are displayed in "Security" > "Certificates". The loaded certificates must have the status "Valid" Configuring the VPN remote end In the configuration example, the M87x in the station is the VPN client that establishes the connection to the VPN server with a fixed IP address. Procedure 1. Click on "Security" > "IPsec VPN" in the navigation area and on the "Remote End" tab in the content area. 2. Enter the name of the VPN partner (tunnel endpoint) in "Remote End Name", e.g. VPN_Server_M81x. 3. Click "Create". A new row is created in the table. 4. Configure the VPN remote end with the following settings from the configuration file: Remote Mode Standard Remote Type Manual Remote Address Fixed external IP address of the M81x e.g Remote Subnet /24 The subnet that can be reached through the VPN tunnel 5. Click on "Set Values". Getting Started, 07/2017, C79000-G8976-C

166 VPN tunnel between two M-800s 6.4 Configuring the SCALANCE M87x (VPN client) Configuring a VPN connection Requirement The VPN remote end has been created. Procedure 1. Click on "Security" > "IPsec VPN" in the navigation area and on the "Connections" tab in the content area. 2. In "Connection Name" enter a name for the VPN connection. 3. Configure the VPN connection with the following settings: Operation Disabled Keying Protocol IKEv2 Remote End VPN_Server_M81x Name of the VPN remote station Local Subnet /24 The local subnet 1 in CIDR notation. 4. Click on "Set Values" Configuring VPN authentication For secure communication via VPN, all VPN partners need to authenticate themselves with each other. In this configuration example, the certificate of the VPN remote station. Procedure 1. Click on "Security" > "IPsec VPN" in the navigation area and on the "Authentication" tab in the content area. 2. Configure the VPN authentication with the following settings: Authentication Local certificate Remote Certificate Remote ID Remote Cert The precise names of the certificates and the remote ID can be found in the relevant configuration file. 166 Getting Started, 07/2017, C79000-G8976-C337-05

167 VPN tunnel between two M-800s 6.4 Configuring the SCALANCE M87x (VPN client) 3. Click on "Set Values" Configuring phase 1 and phase 2 The settings must match on both devices. Configuring phase 1 1. Click on "Security" > "IPsec VPN" in the navigation area and on the "Phase 1" tab in the content area. 2. Deselect the "Default Ciphers" check box. 3. Select the "DPD" check box. 4. Configure phase 1 with the following settings from the configuration file: Encryption AES 128 Authentication SHA1 Key Derivation DH group 14 Lifetime [min]: 2880 DPD Period [sec] 60 Aggressive Mode no 5. Click on "Set Values". Getting Started, 07/2017, C79000-G8976-C

168 VPN tunnel between two M-800s 6.4 Configuring the SCALANCE M87x (VPN client) Configuring phase 2 1. Click on "Security" > "IPsec VPN" in the navigation area and on the "Phase 2" tab in the content area. 2. Leave the "Default Ciphers" check box enabled. When enabled, a preset list is transferred to the VPN connection partner during connection establishment. The list contains a combination of the three algorithms (Encryption, Authentication, Key Derivation). To establish a VPN connection, the VPN connection partner must support at least one of the combinations. The selection depends on the key exchange method. 3. Select the "DPD" check box. 4. Configure phase 1 with the following settings from the configuration file: Encryption AES128 Authentication SHA1 Key Derivation DH group 14 Lifetime [min]: Enable "Auto Firewall Rules" The firewall rule is created automatically for the VPN connection. 6. Click on "Set Values". 168 Getting Started, 07/2017, C79000-G8976-C337-05

169 VPN tunnel between two M-800s 6.4 Configuring the SCALANCE M87x (VPN client) Activating VPN Procedure 1. Click on "Security" > "IPsec VPN" in the navigation area and on the "General" tab in the content area. 2. Enable the "IPsec VPN" setting. 3. Click on "Set Values" Establishing the VPN connection The M87x (VPN client) is configured as the initiator of the VPN tunnel and establishes the VPN connection to the SCALANCE M87x (VPN server) Procedure 1. Click on "Security" > "IPsec VPN" in the navigation area and on the "Connections" tab in the content area. 2. As "Operation", select "start" and click "Set Values". Getting Started, 07/2017, C79000-G8976-C

170 VPN tunnel between two M-800s 6.5 Displaying the status of the VPN connection 6.5 Displaying the status of the VPN connection The devices are configured and connected to the Internet. The M87x (VPN client) starts connection establishment to the M81x (VPN server). To display the status of the VPN connection, you have the following options: Status display in the WBM LED display Status display in the WBM In the navigation area, click "Information" > "IPsec VPN". "Status" displays the status of the configured VPN connection. LED display If the VPN connection is established, the LED is lit green on the device. 170 Getting Started, 07/2017, C79000-G8976-C337-05

NETMAP with SCALANCE M-800 7 In these examples, two different IP subnets are connected together via a SCALANCE M- 800. Between the two SCALANCE M devices a VPN tunnel is established.

171 NETMAP with SCALANCE M In these examples, two different IP subnets are connected together via a SCALANCE M Between the two SCALANCE M devices a VPN tunnel is established. The VPN connection is initiated by the M876. Via the established tunnel, the addresses are translated with NETMAP. In this translation, the subnet part of the IP address is changed and the host part remains. NETMAP can translate both the source IP address and the destination IP address. Local area network - connection to SCALANCE M-800 In the test setup, in the local network, a network node is implemented by a PC connected to an Ethernet interface of the SCALANCE M-800. PC: represents a node in the local network M-800: SCALANCE M module for protection of the internal network Connection to the external network: Wireless via the antenna of the M87x to the mobile wireless network. Getting Started, 07/2017, C79000-G8976-C

172 NETMAP with SCALANCE M-800 Remote network - connection to M-800 In the test setup, in the remote network, the network node is implemented by a PC in each case connected to an Ethernet interface of the SCALANCE M-800. PC: represents a node in the remote network M-800: SCALANCE M module for protection of the external network Connection to the external network Wired via the RJ-45 jack of the M816 to ADSL. Required devices/components Use the following components to set up the network: Connection to the mobile wireless network 1 x M876 (additional option: a suitably installed standard rail with fittings) 1 x 24 V power supply with cable connector and terminal block plug 1 x suitable antenna 1 x SIM card of your mobile wireless provider. Suitable services are enabled, e.g. Internet. Connecting to ADSL 1 x M816 (additional option: a suitably installed standard rail with fittings) 1 x 24 V power supply with cable connector and terminal block plug ADSL access is enabled 2 x PCs connected to the SCALANCE M-800. The required network cable, TP cable (twisted pair) complying with the IE FC RJ-45 standard for Industrial Ethernet Note You can also use other SCALANCE M-800 devices. The configuration described below relates explicitly to the components mentioned in the Section "Required devices/components". 172 Getting Started, 07/2017, C79000-G8976-C337-05

173 NETMAP with SCALANCE M-800 Settings used For the configuration example, the devices are given the following IP address settings: Station IP subnet 1 Master station IP subnet 2 Name Interface IP address M876 LAN interface P (vlan1) WAN interface Dynamic IP address from the provider (ppp0) The device is, however, reachable via a dynamic DNS service, e.g. example.no-ip.com PC1 LAN interface M816 LAN interface P (vlan1) WAN interface Fixed IP address (WAN IP address), e.g. (ppp0) PC2 Ethernet (LAN 2) Examples There are the following examples of NETMAP 1. NETMAP for the local network (Page 174) 2. NETMAP for the remote network (Page 178) 3. NETMAP for the local and remote network (Page 183) Getting Started, 07/2017, C79000-G8976-C

174 NETMAP with SCALANCE M NETMAP for the local network 7.1 NETMAP for the local network With NETMAP of the local network, the source address 1 e.g is translated. In this translation, the subnet part of the IP address is changed and the host part remains. In the example, the subnet part is This subnet part is replaced by The source IP address is translated by the M876 2 and forwarded to the destination 3. With incoming queries 3, the destination IP address is replaced by The destination IP address is translated by the M876 2 and forwarded to the destination 1. Only the NETMAP rules for the direction of the query are necessary. The NETMAP rules for the replies are added implicitly. When PC1 sends a query to PC2, the reply is translated based on it. This, however, does not apply to queries from PC2 to PC1. For this, the following NETMAP rules are created on the M876 (initiator): Local network > remote network: The source IP subnet /24 is replaced by /24. Remote network > local network: The destination IP subnet /24 is replaced by /24 The two devices also communicate via a VPN tunnel. 174 Getting Started, 07/2017, C79000-G8976-C337-05

175 NETMAP with SCALANCE M NETMAP for the local network Requirement The SCALANCE M-800 is connected to the WAN, refer to "Connecting SCALANCE M- 800 to the WAN (Page 43)". The SCALANCE M-800 can be reached via the admin PC and you are logged in to the WBM as a user with the role "admin". Steps in configuration The following steps are necessary to create NETMAP rules: 1. Creating a VPN connection (Page 175) 2. Creating NETMAP rules (Page 177) Creating a VPN connection Procedure 1. Click on "Security" > "IPsec VPN" in the navigation area and on the "General" tab in the content area. 2. Activate "Enable IPsec VPN" and click "Set Values". 3. Click on the "Remote End" tab in the content area and create the VPN partner with the following settings: On the M816 Remote End Name M876 M816 On the M876 Remote Mode Standard Standard Remote Type Manual Manual Remote Address Reachable via a dynamic DNS service, e.g. example.no-ip.com Remote Subnet / /24 Fixed IP address (WAN IP address) of the M816, e.g Click on the "Connections" tab in the content area and create the VPN connection with the following settings: On the M816 On the M876 Connection Name M816_to_M876 M876_to_M816 Operation Disabled Disabled Keying Protocol IKv2 IKv2 Remote End M876 M816 Local Subnet / /24 Getting Started, 07/2017, C79000-G8976-C

176 NETMAP with SCALANCE M NETMAP for the local network 5. Click on the "Authentication" tab in the content area and configure the VPN authentication with the following settings: On the M816 Authentication PSK PSK Local ID - - Remote ID - - PSK / PSK Confirmation On the M876 e. g e. g Click on the "Phase 1" tab in the content area and configure the following settings: M816 / M876 DPD enabled Encryption AES256 CBC (M87x) AES256 (M81x) Authentication SHA512 Key Derivation DH group 14 Lifetime [min]: 1440 DPD Period [sec] 60 Aggressive Mode no 7. Click on the "Phase 2" tab in the content area and configure the following settings: M816 / M876 Encryption AES256 CBC (M87x) AES256 (M816) Authentication SHA512 Key Derivation DH group 14 Lifetime [min]: 1440 Result The VPN connection on the devices is configured. To establish the VPN connection, click on the "Connections" tab in the content area. For "Operation" select the following and click "Set Values" Operation On the M816 wait (Responder) On the M876 start (Initiator) The M876 establishes the VPN tunnel to the M816. If the VPN tunnel is established, the LED is lit green on the devices. 176 Getting Started, 07/2017, C79000-G8976-C337-05

177 NETMAP with SCALANCE M NETMAP for the local network Creating NETMAP rules Requirement The VPN connection M876_to_M816 is configured, see Creating a VPN connection (Page 175). Procedure 1. Click on "Layer 3" > "NAT" in the navigation area and on the "NETMAP" tab in the content area. 2. Specify the NETMAP rule for the outgoing queries with the following settings: Type Source Source Interface vlan1 Destination Interface IPsec M876_to_M816 Source IP Subnet /24 Translated Source IP Subnet /24 Destination IP Subnet /24 3. Click "Create". A new row is created in the table with the settings. 4. Specify the NETMAP rule for the incoming queries with the following settings: Type Destination Source Interface IPsec M876_to_M816 Destination Interface vlan1 Source IP Subnet /24 Destination IP Subnet /24 Translated Destination IP Subnet /24 5. Click "Create". A new row is created in the table with the settings. 6. Click on "Set Values". Getting Started, 07/2017, C79000-G8976-C

178 NETMAP with SCALANCE M NETMAP for the remote network Result The rules for the outgoing and incoming queries have been created. 7.2 NETMAP for the remote network 178 Getting Started, 07/2017, C79000-G8976-C337-05

179 NETMAP with SCALANCE M NETMAP for the remote network With NETMAP of the remote network, the destination 1 e.g is translated. In the example, the subnet part is and this is replaced by This means that the remote network can also be reached in addition to also via The destination IP address is translated by the M876 2 and forwarded to the destination 3. With incoming queries 3, the source IP address is replaced by The source IP address is translated by the M876 2 and forwarded to the destination 1. Only the NETMAP rules for the direction of the query are necessary. The NETMAP rules for the replies are added implicitly. When PC1 sends a query to PC2, the reply is translated based on it. This, however, does not apply to queries from PC2 to PC1. For this, the following NETMAP rules are created on the M876 (initiator): Local network > remote network: The destination IP subnet /24 is replaced by /24. Remote network > local network: The source IP subnet /24 is replaced by /24 The two devices should also communicate with each other via a VPN tunnel. Requirement The SCALANCE M-800 is connected to the WAN, refer to "Connecting SCALANCE M- 800 to the WAN (Page 11)". The SCALANCE M-800 can be reached via the Admin PC and you are logged in to the WBM as "admin". Steps in configuration The following steps are necessary 1. Creating a VPN connection (Page 180) 2. Creating NETMAP rules (Page 181) Getting Started, 07/2017, C79000-G8976-C

180 NETMAP with SCALANCE M NETMAP for the remote network Creating a VPN connection Procedure 1. Click on "Security" > "IPsec VPN" in the navigation area and on the "General" tab in the content area. 2. Activate "Enable IPsec VPN" and click "Set Values". 3. Click on the "Remote End" tab in the content area and create the VPN partner with the following settings: On the M816 Remote End Name M876 M816 On the M876 Remote Mode Standard Standard Remote Type Manual Manual Remote Address Reachable via a dynamic DNS service, e.g. example.no-ip.com Remote Subnet / /24 Fixed IP address (WAN IP address) of the M816, e.g Click on the "Connections" tab in the content area and create the VPN connection with the following settings: On the M816 On the M876 Connection Name M816_to_M876_2 M876_to_M816_2 Operation Disabled Disabled Keying Protocol IKv2 IKv2 Remote End M876 M816 Local Subnet / /24 5. Click on the "Authentication" tab in the content area and configure the VPN authentication with the following settings: On the M816 Authentication PSK PSK Local ID - - Remote ID - - PSK / PSK Confirmation On the M876 e. g e. g Getting Started, 07/2017, C79000-G8976-C337-05

181 NETMAP with SCALANCE M NETMAP for the remote network 6. Click on the "Phase 1" tab in the content area and configure the following settings: M816 / M876 DPD enabled Encryption AES256 CBC (M87x) AES256 (M81x) Authentication SHA512 Key Derivation DH group 14 Lifetime [min]: 1440 DPD Period [sec] 60 Aggressive Mode no 7. Click on the "Phase 2" tab in the content area and configure the following settings: M816 / M876 Encryption AES256 CBC (M87x) AES256 (M81x) Authentication SHA512 Key Derivation DH group 14 Lifetime [min]: 1440 Result The VPN connection on the devices is configured. To establish the VPN connection, click on the "Connections" tab in the content area. For "Operation" select the following and click "Set Values" Operation On the M816 wait (Responder) On the M876 start (Initiator) The M876 establishes the VPN tunnel to the M816. If the VPN tunnel is established, the LED is lit green on the devices Creating NETMAP rules Requirement The VPN connection M876_to_M816_2 is configured, see Creating a VPN connection (Page 180). Getting Started, 07/2017, C79000-G8976-C

NETMAP with SCALANCE M-800 7.2 NETMAP for the remote network Procedure 1. Click on "Layer 3" > "NAT" in the navigation area and on the "NETMAP" tab in the content area. 2.

182 NETMAP with SCALANCE M NETMAP for the remote network Procedure 1. Click on "Layer 3" > "NAT" in the navigation area and on the "NETMAP" tab in the content area. 2. Specify the NETMAP rule for the outgoing queries with the following settings: Type Destination Source Interface vlan1 Destination Interface IPsec M876_to_M816_2 Source IP Subnet /24 Destination IP Subnet /24 Translated Destination IP Subnet /24 3. Click "Create". A new row is created in the table with the settings. 4. Specify the NETMAP rule for the incoming queries with the following settings: Type Source Source Interface IPsec M876_to_M816_2 Destination Interface vlan1 Source IP Subnet /24 Translated Source IP Subnet /24 Destination IP Subnet /24 5. Click "Create". A new row is created in the table with the settings. 6. Click on "Set Values". Result The rules for the outgoing and incoming queries have been created. 182 Getting Started, 07/2017, C79000-G8976-C337-05

183 NETMAP with SCALANCE M NETMAP for the local and remote network 7.3 NETMAP for the local and remote network In this example, the NETMAP rules from NETMAP for the local network (Page 174)and from NETMAP for the remote network (Page 178) are combined. There is, however, a special feature with the outgoing queries. Outgoing queries, whose source IP address is translated from to , must be able to have both the IP address as well as as the destination IP address. For translating the destination IP address a further NETMAP rule is required. The addresses are translated by the M876 2 and forwarded to the destination 3. With the incoming query both IP addresses are exchanged. Local network > remote network: The source IP subnet /24 is replaced by /24. The destination IP subnet /24 is replaced by /24. With queries with the destination IP subnet /24 the source IP subnet /24 is replaced by /24. Getting Started, 07/2017, C79000-G8976-C

184 NETMAP with SCALANCE M NETMAP for the local and remote network Remote network > local network: The destination IP subnet /24 is replaced by /24 The source IP subnet /24 is replaced by /24 The two devices should also communicate with each other via a VPN tunnel. Requirement The SCALANCE M-800 is connected to the WAN, refer to "Connecting SCALANCE M- 800 to the WAN (Page 11)". The SCALANCE M-800 can be reached via the admin PC and you are logged in to the WBM as a user with the role "admin". Steps in configuration The following steps are necessary 1. Creating a VPN connection (Page 184) 2. Creating NETMAP rules (Page 186) Creating a VPN connection Procedure 1. Click on "Security" > "IPsec VPN" in the navigation area and on the "General" tab in the content area. 2. Activate "Enable IPsec VPN" and click "Set Values". 3. Click on the "Remote End" tab in the content area and create the VPN partner with the following settings: On the M816 Remote End Name M876 M816 On the M876 Remote Mode Standard Standard Remote Type Manual Manual Remote Address Reachable via a dynamic DNS service, e.g. example.no-ip.com Remote Subnet / /24 Fixed IP address (WAN IP address) of the M816, e.g Getting Started, 07/2017, C79000-G8976-C337-05

185 NETMAP with SCALANCE M NETMAP for the local and remote network 4. Click on the "Connections" tab in the content area and create the VPN connection with the following settings: On the M816 On the M876 Connection Name M816_to_M876 M876_to_M816 Operation Disabled Disabled Keying Protocol IKv2 IKv2 Remote End M876 M816 Local Subnet / /24 5. Click on the "Authentication" tab in the content area and configure the VPN authentication with the following settings: On the M816 Authentication PSK PSK Local ID - - Remote ID - - PSK / PSK Confirmation On the M876 e. g e. g Click on the "Phase 1" tab in the content area and configure the following settings: M816 / M876 DPD enabled Encryption AES256 CBC (M87x) AES256 (M81x) Authentication SHA512 Key Derivation DH group 14 Lifetime [min]: 1440 DPD Period [sec] 60 Aggressive Mode no 7. Click on the "Phase 2" tab in the content area and configure the following settings: M816 / M876 Encryption AES256 CBC (M87x) AES256 (M816) Authentication SHA512 Key Derivation DH group 14 Lifetime [min]: 1440 Getting Started, 07/2017, C79000-G8976-C

186 NETMAP with SCALANCE M NETMAP for the local and remote network Result The VPN connection on the devices is configured. To establish the VPN connection, click on the "Connections" tab in the content area. For "Operation" select the following and click "Set Values" Operation On the M816 wait (Responder) On the M876 start (Initiator) The M876 establishes the VPN tunnel to the M816. If the VPN tunnel is established, the LED is lit green on the devices Creating NETMAP rules Requirement The VPN connection M876_to_M816_2 is configured, see Creating a VPN connection (Page 184). The NETMAP rules for the local network (Page 181)have been created. The NETMAP rules for the remote network (Page 177)have been created. Procedure 1. Click on "Layer 3" > "NAT" in the navigation area and on the "NETMAP" tab in the content area. 2. Specify the NETMAP rule for the outgoing queries with the following settings: Type Source Source Interface vlan1 Destination Interface IPSec M876_to_M816_2 Source IP Subnet /24 Translated Source IP Subnet /16 Destination IP Subnet /24 3. Click "Create". A new row is created in the table with the settings. 4. Click on "Set Values". 186 Getting Started, 07/2017, C79000-G8976-C337-05

187 NETMAP with SCALANCE M NETMAP for the local and remote network Result The rules for the outgoing and incoming queries have been created. Getting Started, 07/2017, C79000-G8976-C

188 NETMAP with SCALANCE M NETMAP for the local and remote network 188 Getting Started, 07/2017, C79000-G8976-C337-05

189 Reporting and switching by SMS Introduction A SCALANCE M87x should be able to send important information about the plant status, alarm messages or warnings to a service employee or a master station as an event SMS message. In the other direction the device should be able to receive and interpret command SMS messages. Examples For the SMS there are the following configuration examples 1. The SCALANCE M87x generates an event SMS message and sends this to certain recipients. 2. The SCALANCE M87x receives a command SMS message and evaluates it. 8.2 Generating and sending an event SMS message Introduction A service technician wants to monitor the connection on the Ethernet interface from a distance. If the Ethernet interface changes from "Link up" to "Link down" the technician should receive a corresponding event SMS message (event link). In addition to this the technician wants to monitor the digital input. Each time the door in the station is opened (event Door), the signal at the digital input changes from 0 (LOW) to 1 (HIGH) (rising edge). Getting Started, 07/2017, C79000-G8976-C

190 Reporting and switching by SMS 8.2 Generating and sending an event SMS message Requirement The SCALANCE M87x is connected to the WAN, refer to "Connecting SCALANCE M87x to the WAN (Page 11)". The access parameters for the SCALANCE M87x are configured. The SCALANCE M87x can be reached via the admin PC and you are logged in to the WBM as a user with the role "admin". Steps in configuration The following steps are necessary: 1. Configuring an event (Page 190) 2. Configuring sending of an SMS message (Page 191) Configuring an event Enabling fault monitoringr check Link Change 1. Click on "System > "Fault Monitoring" in the navigation area and on the "Link Change" tab in the content area. 2. For P1 and P2 select the entry "Down". 3. Click on "Set Values". Enabling SMS for an event 1. Click on "System" > "Events" in the navigation area and on the "Configuration" tab in the content area. 2. For the event enable "Link Change" and "Digital Input" "SMS" 3. Click on "Set Values". Result Event link: When the Ethernet interface loses the connection to the node, this causes the fault LED to light up on the device and the sending of an event SMS message. Event Door: Each time the digital input switches, an event SMS message is sent. So that the SMS message is sent, you need to configure the sending of SMS messages. 190 Getting Started, 07/2017, C79000-G8976-C337-05

Reporting and switching by SMS 8.2 Generating and sending an event SMS message 8.2.3 Configuring the sending of SMS messages Configuring the sending of SMS messages 1.

191 Reporting and switching by SMS 8.2 Generating and sending an event SMS message Configuring the sending of SMS messages Configuring the sending of SMS messages 1. Click "System" > "SMS" in the navigation area. 2. On the "General" tab only change the phone number of the SMS master station if you do not use the standard SMS master station. The standard SMS master station is stored on the SIM card. 3. Click the "Event SMS" tab. 4. Enable the "Event SMS " function. 5. In "Phone Number" enter the full telephone number of the recipient including the country dialing code e.g. +49xxxxxxxx. 6. Click "Create". A new row with a unique number is created in the table. You can also specify several recipients. To do this repeat steps 5 and Enable the setting "Send" for the required recipient. The recipient only receives an event SMS message when the setting is enabled. 8. Click on "Set Values". Result The service technician is configured as the recipient. When the Ethernet interface changes from "Link up" to "Link down", the device generates an event SMS message and sends this to the configured recipient. Getting Started, 07/2017, C79000-G8976-C

192 Reporting and switching by SMS 8.3 Receiving and evaluating a command SMS message Adapting an SMS message for the digital input 1. Enter the required SMS text. A maximum of 160 characters are permitted as SMS text. On a "Rising edge" e.g. Door open. On a "Falling edge" e.g. Door closed. Note Characters permitted for the SMS text The following characters are permitted in the text: A...Z a...z Space! % & / ( ) = * + < > ', So that the service technician receives an event SMS message for both switching operations select "Both" for "Sending Option". 3. Click on "Set Values". 8.3 Receiving and evaluating a command SMS message Introduction This configuration example is based on the section "VPN tunnel between an M87x and a SINEMA RC server (Page 129)". The VPN tunnel should be established as the result of a command SMS message. The configuration example contains the following descriptions. To wake a station, the SINEMA RC Server sends an . The is sent to an SMS gateway via an SMTP server. The SMS gateway converts the into a wake-up SMS message and transfers this to the M87x device. When the SMS message is accepted, the device establishes the connection to the SINEMA RC Server. The service technician sends a wake-up SMS message to the M87x in station 2. The device starts the VPN connection and establishes the VPN tunnel to SINEMA RC Server. To check whether the VPN connection to the SINEMA RC Server still exists, it checks the status with a command SMS message. 192 Getting Started, 07/2017, C79000-G8976-C337-05

Reporting and switching by SMS 8.3 Receiving and evaluating a command SMS message Requirement Configuration example VPN tunnel between an M87x and a SINEMA RC Server (Page 129).

193 Reporting and switching by SMS 8.3 Receiving and evaluating a command SMS message Requirement Configuration example VPN tunnel between an M87x and a SINEMA RC Server (Page 129). Steps in configuration The SINEMA RC Server sends a wake-up SMS message 1. Configure settings on the SINEMA RC Server V1.2 Configure SMS message & (Page 194) Change device settings (Page 195) 2. Configure receipt of the command SMS message on the M87x (Page 195) Service technician sends a command SMS message 1. Start VPN connection with command SMS message (Page 196) 2. Query status of the VPN connection with command SMS message (Page 197) Getting Started, 07/2017, C79000-G8976-C

SIMATIC NET. Industrial Remote Communication Remote Networks SCALANCE M-800 Getting Started. Preface. Connecting SCALANCE M-800 to WAN 1

SIMATIC NET. Industrial Remote Communication Remote Networks SCALANCE M-800 Getting Started. Preface. Connecting SCALANCE M-800 to WAN 1 Preface Connecting SCALANCE M-800 to WAN 1 SIMATIC NET Industrial Remote Communication Remote Networks SCALANCE M-800 Getting Started Getting Started SCALANCE M-800 as DHCP server 2 Configuring a VPN tunnel