Setting up a secure VPN Connection between CP x43-1 Adv. and M812-1 Using a static IP Address

Transcription

1 Configuration Example 02/2015 Setting up a secure VPN Connection between CP x43-1 Adv. and M812-1 Using a static IP Address CP Advanced, CP Advanced, SCALANCE M

2 Warranty and Liability Warranty and Liability Note The Application Examples are not binding and do not claim to be complete regarding the circuits shown, equipping and any eventuality. The Application Examples do not represent customer-specific solutions. They are only intended to provide support for typical applications. You are responsible for ensuring that the described products are used correctly. These Application Examples do not relieve you of the responsibility to use safe practices in application, installation, operation and maintenance. When using these Application Examples, you recognize that we cannot be made liable for any damage/claims beyond the liability clause described. We reserve the right to make changes to these Application Examples at any time without prior notice. If there are any deviations between the recommendations provided in these Application Examples and other Siemens publications e.g. Catalogs the contents of the other documents have priority. We do not accept any liability for the information contained in this document. Any claims against us based on whatever legal reason resulting from the use of the examples, information, programs, engineering and performance data etc., described in this Application Example shall be excluded. Such an exclusion shall not apply in the case of mandatory liability, e.g. under the German Product Liability Act ("Produkthaftungsgesetz"), in case of intent, gross negligence, or injury of life, body or health, guarantee for the quality of a product, fraudulent concealment of a deficiency or breach of a condition which goes to the root of the contract ("wesentliche Vertragspflichten"). The damages for a breach of a substantial contractual obligation are, however, limited to the foreseeable damage, typical for the type of contract, except in the event of intent or gross negligence or injury to life, body or health. The above provisions do not imply a change of the burden of proof to your detriment. Any form of duplication or distribution of these Application Examples or excerpts hereof is prohibited without the expressed consent of Siemens AG. Security information Siemens provides products and solutions with industrial security functions that support the secure operation of plants, solutions, machines, equipment and/or networks. They are important components in a holistic industrial security concept. With this in mind, Siemens' products and solutions undergo continuous development. Siemens recommends strongly that you regularly check for product updates. For the secure operation of Siemens products and solutions, it is necessary to take suitable preventive action (e.g. cell protection concept) and integrate each component into a holistic, state-of-the-art industrial security concept. Third-party products that may be in use should also be considered. For more information about industrial security, visit To stay informed about product updates as they occur, sign up for a productspecific newsletter. For more information, visit Entry ID: , V1.0, 02/2015 2

3 Table of Contents Table of Contents Warranty and Liability Task and Solution Task Possible solution Characteristics of the solution Configuration and Project Engineering Setting up the environment Required components and IP address overview SCALANCE M DSL access of the automation cell SIMATIC S7-300 station Setting up the infrastructure Configuring the VPN tunnel Integrating the VPN endpoint CP Advanced Integrating the VPN endpoint SCALANCE M Configuring the VPN tunnel Transferring the configuration data VPN configuration in the SCALANCE M Final steps Status of the VPN connection Testing the Tunnel Function History Entry ID: , V1.0, 02/2015 3

4 1 Task and Solution 1 Task and Solution 1.1 Task A service center connected via the Internet is to be able to perform classical applications such as remote programming, parameterization and diagnostics and monitoring of plants installed worldwide. The following customer requirements have to be considered: Protection against spying and data manipulation. Prevention of unauthorized access. Provision of secure remote access for remote maintenance and remote control. Protection of the S7 station and the connected network. High degree of flexibility and independence of the existing infrastructure 1.2 Possible solution Complete overview The figure below shows one way of implementing these customer requirements: Service PC VPN Tunnel Industrial Ethernet SCALANCE M81x-1 VPN Client Internet Router Static WAN IP Address Automation Cell SIMATIC S7-300 or S7-400 with CP x43-1 Advanced VPN Server The connection between the service PC (or other nodes/network devices) and the automation cell (nodes such as SIMATIC stations, panels, drives, PCs) is protected by a VPN tunnel. In this example, the CP 343-1/CP Advanced and a SCALANCE M81x-1 form the tunnel endpoints for the secure connection. The CP 343-1/CP Advanced acts as the VPN server, the SCALANCE M acts as the VPN client. Access to the CP 343-1/CP Advanced from the WAN is predefined by the use of a static WAN IP address. On the client side, ADSL is used for WAN access; the IP address of the WAN port is not relevant. When establishing the VPN tunnel, the roles are defined as follows: Table 1-1 Component SCALANCE M81x CP x43-1 Advanced VPN role Initiator (VPN client); starts the VPN connection Responder (VPN server); waits for the VPN connection Entry ID: , V1.0, 02/2015 4

5 1 Task and Solution SCALANCE M SCALANCE M812-1 and SCALANCE M816-1 are DSL routers for cost-effective, secure connection of Ethernet-based subnets and programmable controllers to wired telephone or DSL networks that support ADSL2+ (Asynchronous Digital Subscriber Line). These modules are characterized by the following features: Simultaneous protection of multiple devices by IPsec tunnels (support of up to 20 VPN tunnels at a time). VPN and DSL router in a single device; therefore, it is no longer necessary to use a separate DSL router. Broad range of applications due to high bandwidth, performance and speed. Reduced travel expenses and personnel costs due to remote programming and remote diagnostics via wired telephone or DSL networks. The modules automatically establish and maintain the IP-based online connection to the Internet. CP x43-1 Advanced The CP x43-1 Advanced (version 3 or higher) is a communications processor with security functions. For the SIMATIC S7-300/S7-400, it is the bridge between the field level and the MES level and integrates seamlessly with the security structures of the office and IT world. The module provides protection of the data transmission between devices or network segments against data manipulation/spying and unauthorized access. In addition to the basic communications services, it offers the following functions: Two separate interfaces (integrated network separation): Gigabit interface with one RJ45 port and PROFINET interface with 2 RJ45 ports. High-quality stateful inspection firewall with filtering of IP- and MAC-based data traffic. HTTPS, FTPS, NTP (secure). IPSec VPN (data encryption and authentication). Protection of the S7 station in which the CP is operated. Protection of the internal networks connected to the PROFINET interface. Support of multiple VPN tunnels at a time. Entry ID: , V1.0, 02/2015 5

6 1 Task and Solution 1.3 Characteristics of the solution Controlled, encrypted data traffic between CP x43-1 Advanced and SCALANCE M. The firewall, VPN server and communication settings are made directly in the CP x43-1 Advanced; the security functions are integrated in the communications processor. Protection of the SIMATIC controller without an additional security module. High degree of security for machines and plants through the implementation of the cell protection concept. Integrated network diagnostics via SNMP, Syslog and Web interface. Worldwide use. Entry ID: , V1.0, 02/2015 6

7 2 Configuration and Project Engineering 2.1 Setting up the environment Required components and IP address overview Software packages This solution requires the following software packages: "Security Configuration Tool V4". This software is included in the scope of delivery of the security modules or available as a download under the following Entry ID: "STEP 7 V5.5", Service Pack 2 or higher, Hotfix 1. The required HSP (HSP 1058) is included in the scope of delivery of the CP Advanced or available as a download under the following Entry ID: Web browser to configure the SCALANCE M. Install these software packages on a PC/PG. Required devices/components: To set up the environment, use the following components: A CP Advanced (article number: 6GK7343-1GX31-0XE0). A CPU PN/DP (article number: 6ES7317-2EK14-0AB0) with an MMC. A SCALANCE M812-1 (optional: A DIN rail installed accordingly, including fitting accessories). ADSL access. DSL access with a static WAN IP address and a DSL router (e.g., SCALANCE M81x-1). One or two 24V power supplies with cable connector and terminal block plug (the modules can also be operated with a shared power supply). DIN rail with fitting accessories for the S7-300 station. PC on which the "Security Configuration Tool" and "STEP 7 V5.5" and a Web browser are installed. The necessary network cables, TP cables (twisted pair) according to the IE FC RJ45 standard for Industrial Ethernet. Note Instead of DSL, you can also use a different Internet access method (e.g., UTMS). The configuration described below refers explicitly to the components listed in "Required devices/components". Note A different S7-300 PROFINET CPU can also be used. For the device environment in which the CP can be operated with the range of functions described here, please refer to the appropriate chapter of the CP Advanced manual: ersionid= &topicid= &guilanguage=en Entry ID: , V1.0, 02/2015 7

8 IP addresses For this example, the IP addresses are assigned as follows: M812-1 DSL Router Automation Cell CP Advanced Dynamic WAN IP Static WAN IP Table 2-1 Component Port IP address Router Subnet mask M812-1 LAN port M812-1 WAN port Dynamic IP address from provider DSL router WAN port Static IP address from provider - Assigned by provider - Assigned by provider DSL router LAN port CP Adv. Gigabit port CP Adv. PROFINET port CPU PROFINET port SCALANCE M812-1 Factory default To make sure that no old configurations and certificates are stored in the SCALANCE M812-1, reset the module to factory default. Press the SET button - for approx. 10 seconds - to reset the device to factory default; it can now be accessed via IP address Requirements for Web Based Management The SCALANCE M features an integrated HTTP server for Web Based Management (WBM). In order to use this function without any restrictions, please note the following: Access via HTTPS is enabled. JavaScript is enabled in the Web browser. When the firewall is enabled, TCP port 443 must be enabled for access via HTTPS. Entry ID: , V1.0, 02/2015 8

9 Physical connection between PC and SCALANCE M Use the PC to connect to the Web user interface of the SCALANCE M. When the SCALANCE M is set to factory default, the IP address of the internal interface of the module is In this case, change the network settings on the PC as follows: IP address: Subnet mask: Use address to open Web Based Management. Web Based Management login When you log on for the first time or after setting to factory default, the login data is defined as follows: Name: admin Password: admin 1. Enter the name and password in the appropriate text boxes. 2. Click the "Login" button or confirm your entries with "Enter". 3. When you log on for the first time or after setting to factory default, you are prompted to change the password. Entry ID: , V1.0, 02/2015 9

10 4. Enter the old and new password. 5. Click the "Set Values" button to complete the operation and activate the new password. 6. After successful logon, the start page appears. Entry ID: , V1.0, 02/

11 Changing the IP address To change the IP address of the internal interface of the SCALANCE M, proceed as follows: 1. In the navigation bar, navigate to "System" > "Agent IP" and change the IP address as listed in Table Apply the setting with "Set Values". 3. Change the network settings on the PC as follows: IP address: Subnet mask: Reload the Web page. Result The internal interface of the SCALANCE M is set to the desired IP address. Entry ID: , V1.0, 02/

12 Setting the time To establish secure communication, it is essential that the current date and time are always set on the SCALANCE M. Otherwise, the certificates used are interpreted as invalid and secure VPN communication is not possible. 1. In the navigation bar, navigate to "System" > "System Time". 2. Click the "Use PC Time" button to apply the time setting of the PC. 3. Click the "Set Values" button. Result The date and time are applied and "Manual" is entered in the "Last Synchronization Mechanism" field. Note When manually setting the time, please note that the time is reset to factory default when the power supply is interrupted. When the power supply has been restored, you have to set the system time once again. Due to this, certificates may lose their validity. Note You also have the option to have the system time automatically synchronized with a time server. A number of time servers from which the exact current time can be retrieved can be found on the Internet. Synchronizing the system time using a public time server causes additional traffic on the connection. Entry ID: , V1.0, 02/

13 Setting up DSL access Access to the Internet requires the following access parameters: User name and password for DSL access VCI / VPI Encapsulation These parameters can be obtained from your Internet service provider. 1. In the navigation pane, click "Interfaces" > "DSL". 2. Check "Enable DSL Interface" and uncheck "Enable PPPoE Passthrough". Entry ID: , V1.0, 02/

14 3. Enter the user name (Account) and password for DSL access. If necessary, change the values for "VCI", "VPI" and "Encapsulation". The settings can be obtained from your DSL provider. 4. Click "Set Values". Result The DSL connection has been set up. After approx. 30 seconds, the device connects to the Internet. "Information" > "DSL" allows you to check whether the connection has been established DSL access of the automation cell Static IP address WAN access of the SCALANCE M812-1 to the CP Advanced is implemented using a fixed public IP address. This IP address must be requested from the provider and then stored in the DSL router. Port forwarding on the DSL router VPN function Due to the use of a DSL router as an Internet gateway, you have to enable the following ports on the DSL router and forward the data packets to the CP Advanced (VPN server; Gigabit port): UDP port 500 (ISAKMP) UDP port 4500 (NAT-T) If the DSL router itself is VPN-capable, make sure that this function is disabled. Entry ID: , V1.0, 02/

15 2.1.4 SIMATIC S7-300 station Connection between PC and controller Factory default Connect the PC to a PROFINET port of the CPU and change the network settings on the PC as follows: IP address: Subnet mask: To make sure that no old configurations and certificates are stored in the CP Advanced, reset the module to factory default. For the appropriate chapter in the CP Advanced manual, please use the following link: sionid= &topicid= &guilanguage=en Changing the IP address of the CPU To download the project data to the CPU, it is useful to first change the IP address of the CPU as shown in Table 2-1. STEP 7 project Configuration dialogs The STEP 7 function "Edit Ethernet Node " is suitable for assigning the IP address. For more information, please refer to the manual, Entry ID: Use the STEP 7 configuration software to create a new project and create a hardware configuration with the modules you are using. For the required IP addresses for the CP Advanced (Gigabit port and PROFINET port) and the CPU (PROFINET port), please refer to Table 2-1. The following figures show the most important configuration dialogs for the S7-300 station. Entry ID: , V1.0, 02/

16 Interface configuration of the CPU: Interface configuration of the CP (VPN server; Gigabit port): Entry ID: , V1.0, 02/

17 Interface configuration of the CP (VPN server; PROFINET port): Time-of-day synchronization In the OFF state, the CP Advanced loses the current time stamp and, by default, is set to To establish secure communication, it is essential that the current date and time are always set on the CP. Otherwise, the certificates used are interpreted as invalid and secure VPN communication is not possible. The CP provides the following modes for time-of-day synchronization: SIMATIC Mode (used in this example) NTP Mode (Network Time Protocol) Time-of-day synchronization for the S7-300 station is configured in the hardware configuration. Entry ID: , V1.0, 02/

18 Proceed as follows: 1. In the SIMATIC Manager, open the hardware configuration of the S7-300 station. 2. In the STEP 7 object properties of the CP Advanced, "Time-of-Day Synchronization" tab, check the "Accept time of day on CP" check box and select "Automatic". 3. Click "OK" to close the dialog. Entry ID: , V1.0, 02/

19 4. In the STEP 7 object properties of the CPU, "Diagnostics/Clock" tab, set the "As master" synchronization type and the "1 minute" time interval for synchronization in the automation system. 5. Click "OK" to close the dialog. 6. Select "Station" > "Save and Compile" to save and compile the hardware configuration. 7. Close the hardware configuration. Note More information on these modes and the configuration can be found in Chapter of the Configuration Manual for SIMATIC S7 CPs (Entry ID: ). Loading the controller In the SIMATIC MANAGER, select the S7-300 station. Select "PLC" > "Download " to download the project to the CPU and then start the CPU. The CPU can be accessed via IP address Entry ID: , V1.0, 02/

20 Adjusting the time in the CPU Due to the "SIMATIC Mode" time-of-day synchronization, the CPU cyclically passes on its time to the CP Advanced. The CPU clock must no longer be in the default state. It must have been set once. Time-of-day synchronization as the time-of-day master does not start before the time of day has been set via SFC 0 "SET_CLK" or using the PG function. Note In the following cases, the CPU clock has not yet been set: In the as-supplied state. After resetting to the as-supplied state using the mode selector switch. After a firmware update. 1. In the SIMATIC Manager, open the hardware configuration of the S7-300 station. 2. Select the CPU and select "PLC" > "Set Time of Day" to open the dialog where you can set the time of day. 3. Check the "Take from PG/PC" check box and select "Apply" to confirm your selection. 4. Select "Close" to close the dialog. Result The CPU's time of day has been set to the current PG time. Entry ID: , V1.0, 02/

21 2.1.5 Setting up the infrastructure Connect all the components involved in this solution. M812-1 DSL Router Automation Cell CP Advanced LAN Port WAN Port WAN Port LAN Port Gigabit Port PROFINET Port Table 2-2 Component Local port Partner Partner port SCALANCE M812-1 LAN port E.g., an automation network (does not exist in this solution) SCALANCE M812-1 WAN port ADSL2+ port for operation on public DSL networks CP Advanced Gigabit port DSL router LAN port CP Advanced PROFINET port E.g., other network nodes (do not exist in this solution) Note In all devices in the internal network of the CP Advanced or SCALANCE M812-1 (e.g., controllers, panels, etc.), please make sure to enter the IP address of the internal port as the default gateway. Entry ID: , V1.0, 02/

22 2.2 Configuring the VPN tunnel SCT project Components used The VPN tunnel configuration is performed using the Security Configuration Tool V4 integrated in STEP 7 and started when enabling the security function in the CP Advanced. This solution uses the following security components: CP Advanced (version 3 or higher) SCALANCE M Integrating the VPN endpoint CP Advanced Overview To integrate the CP into the Security Configuration Tool, perform the following steps: Enable the security function of the CP. Create a user and password for the SCT project integrated in STEP 7. Proceed as follows: 1. Open your STEP 7 project and in the SIMATIC Manager, open the hardware configuration of the S7-300 station. 2. In the STEP 7 object properties of the CP Advanced, "Security" tab, check the "Enable security" check box. 3. In the following dialog, create a new user with a user name and the associated password. The user is automatically assigned the "Administrator" role. Entry ID: , V1.0, 02/

23 4. Confirm your entries with "OK". 5. Close the STEP 7 object properties with "OK". 6. Confirm the following security message with "OK". 7. Select "Station" > "Save and Compile" to save and compile the hardware configuration. 8. Close the hardware configuration. Result You have created a new security project. Entry ID: , V1.0, 02/

24 Opening the SCT project In the hardware configuration, select the "Edit" > "Security Configuration Tool" menu command to open the Security Configuration Tool and log in. Result The security module is displayed in the list of configured modules. Entry ID: , V1.0, 02/

25 2.2.2 Integrating the VPN endpoint SCALANCE M812-1 To integrate the SCALANCE M812-1 component into the Security Configuration Tool, proceed as follows: 1. Use "Insert" > "Module" or select the appropriate menu icon to open the module selection dialog. Define the following module: Product type: SOFTNET configuration Module: SCALANCE M87x/MD74x Firmware release: SCALANCE M874-x 2. Assign a name to the module. Enter the internal IP address and subnet mask as listed in Table 2-1. Note: The external IP address is irrelevant; you can keep the default setting. Click "OK" to close the dialog. Entry ID: , V1.0, 02/

26 Result The M812-1 appears as an additional module Configuring the VPN tunnel Creating a VPN group All members of a VPN group are authorized to communicate with each other through a VPN tunnel. To create a VPN group, proceed as follows: 1. In the project tree, select the "VPN groups" item. Use "Insert" > "Group" or select the appropriate menu icon to create a new VPN group. 2. One after the other, select the security modules from the "All modules" list and use drag and drop to insert them into the VPN group. Result The two security modules have been assigned to VPN group Group1. Certificates are used for authentication. Entry ID: , V1.0, 02/

27 Defining the VPN parameters To establish the VPN tunnel, you have to enter the following information: VPN role WAN IP address of the DSL router Parameterize this information as follows: 1. In the "All modules" project tree, select the CP Advanced and double-click to open its properties dialog. 2. In the "VPN" tab, select the "Responder" VPN role for the CP Advanced. In the WAN IP address / FQDN field, enter the WAN IP address of your DSL access point. In addition, enable access to the internal network. 3. Click "OK" to close the dialog and select "OK" to confirm the message. 4. Save the project. Result The VPN configuration is complete. Entry ID: , V1.0, 02/

28 2.2.4 Transferring the configuration data SCALANCE M812-1 The transfer of the configuration data to the appropriate security components is implemented in different ways: CP Advanced: Download via the STEP 7 project. SCALANCE M812-1: The Security Configuration Tool creates a configuration guide and exports the required data to a specified location. To transfer the configuration data of the SCALANCE M, proceed as follows: 1. In the "All modules" project tree, select the "M812" module and select the "Transfer" > "To module(s) " menu command. 2. Save the "<Project name>.m812.txt" configuration guide and the certificates to your project directory. 3. Enter a password for the.p12 certificate. If you do not assign a password, the project name (not the password of the logged in user) is applied as the password. 4. Close the Security Configuration Tool. Result The following files are saved to the project directory: Configuration guide: "<Project name>.m812.txt" Certificate: "<Project name>.<string>.m812.p12" Group certificate: "<Project name>.group1.cp advanced.cer" Entry ID: , V1.0, 02/

29 CP Advanced To transfer the configuration data of the CP Advanced, perform the following steps: 1. Select "Station" > "Save and Compile" to save and compile the hardware configuration. 2. Select "Options" > "Configure Network" to start NetPro and here, too, compile the entire configuration using "Network" > "Save and Compile ". 3. Close the output to check the consistency. 4. Close NetPro and the hardware configuration. 5. In the SIMATIC MANAGER, select the S7-300 station and select "PLC" > "Download " to download the configuration data to your CPU. Then start the CPU. 6. If downloading has completed without errors, the security module starts automatically and the new configuration has been activated. Result The security module is configured and in productive mode. Entry ID: , V1.0, 02/

30 2.3 VPN configuration in the SCALANCE M812-1 Configuration guide Use the Web user interface of the SCALANCE M to configure it with the aid of the saved "<Project name>.m812.txt" configuration guide. The configuration includes the following steps shown below: Table 2-3 No. Configuration step 1. Enter the certificate password. 2. Load the certificates to the SCALANCE M. 3. Define the VPN remote end. 4. Create the connection. 5. Define the authentication method for the connection. 6. Define the VPN parameters for Phase Define the VPN parameters for Phase 2. Entry ID: , V1.0, 02/

31 No. Configuration step 8. Define the SCALANCE M as the initiator. 9. Enable the VPN function. Physical connection between PC and SCALANCE M Use the PC to connect to the Web user interface of the SCALANCE M (address: For this purpose, change the network settings on the PC as follows: IP address: Subnet mask: After successful logon, the start page appears. Managing the certificate password There are files whose access is password-protected. When saving the configuration files of the SCALANCE M from the Security Configuration Tool, you were prompted to assign a password for the private key of the certificate or use the project name as the password. To successfully download the file to the SCALANCE M, enter the password defined for the file on the WBM page. 1. In the navigation bar, navigate to "System" > "Load&Save" > "Passwords". 2. In the "Password" text box, enter the password. In "Password Confirmation", reenter the password to confirm it. Check the "Enabled" option. 3. Click the "Set Values" button. Result The password for the private key of the certificate has been defined. Entry ID: , V1.0, 02/

32 Loading the certificates The certificates are required to authenticate the VPN user and therefore to establish a secure VPN connection. Load the two required certificates to the SCALANCE M as described in the following section: 1. In the navigation bar, navigate to "System" > "Load&Save" > "HTTP". 2. In "IPSecCert", click the "Load" button to start loading. 3. The dialog for loading a file opens. Navigate to your project directory with the configuration files of the SCALANCE M. 4. Select a certificate. For the exact certificate name, please refer to your configuration guide. 5. In the dialog, click the "Open" button. The file is loaded. 6. Repeat steps 2 through 5 with the other certificate. Result The certificates "<Project name>.<string>.m812.p12" and "<Project name>.group1.cp advanced.cer" have been loaded to the SCALANCE M. Entry ID: , V1.0, 02/

33 Defining the VPN remote end The VPN tunnel is always established to one or more users. In this example, the only endpoint is the CP Advanced. Configure the remote end as follows: 1. In the navigation bar, navigate to "Security" > "IPSec VPN" > "Remote End". 2. In the "Remote End Name" text box, enter a name for the VPN remote end (e.g., CP343). Click "Create" to create a new remote end. 3. Set the parameters for the VPN remote end as described in your configuration guide: Remote Mode: Standard Remote Type: manual Remote Address: WAN IP address of your DSL access point Remote Subnet: /24 4. Click the "Set Values" button. Result The access address of the remote end and the subnet - reachable through the tunnel - have been made known to the SCALANCE M. Entry ID: , V1.0, 02/

34 Creating the VPN connection In this section, you configure the basic settings for the VPN connection. Then you define the security settings. 1. In the navigation bar, navigate to "Security" > "IPSec VPN" > "Connections". 2. In "Connection Name", enter a name for the VPN connection. Click "Create" to create a new entry. 3. Set the parameters for the VPN connection as described in your configuration guide: Keying Protocol: IKEv1 Remote End: Name of the VPN remote end (here: CP343) Local Subnet: /24 4. Click the "Set Values" button. Result A VPN connection has been created, the remote end for this connection has been selected and the subnet allowed to communicate with the remote end has been defined. Entry ID: , V1.0, 02/

35 Defining the authentication method For secure communication via VPN, all VPN partners must authenticate each other. This example uses the certificate of the remote end as the authentication method. Note For the exact names of your certificates, please refer to your configuration guide. 1. In the navigation bar, navigate to "Security" > "IPSec VPN" > "Authentication". 2. Configure authentication with the settings described in your configuration guide. Authentication: Remote Cert Local Certificate: <see configuration guide> Remote Certificate: <see configuration guide> Remote ID: <see configuration guide> 3. Click the "Set Values" button. Result The SCALANCE M can authenticate for the shared VPN tunnel with the loaded certificates and accept the remote end as the VPN partner. Entry ID: , V1.0, 02/

36 Defining Phase 1 Phase 1 of authentication involves the encryption agreement and authentication between the VPN users via the standardized IKE (Internet Key Exchange) protocol. For IPSec key management, you have to enter defined protocol parameters. 1. In the navigation bar, navigate to "Security" > "IPSec VPN" > "Phase 1". 2. Set the protocol parameters as described in your configuration guide: Encryption: 3DES Authentication: SHA1 Key Derivation: DH group 2 Keying Tries: 0 Lifetime [min]: DPD: restart DPD Delay [sec]: default DPD Timeout [sec]: default Aggressive Mode: No 3. Click the "Set Values" button. Entry ID: , V1.0, 02/

37 Defining Phase 2 Phase 2 is data exchange via the standardized ESP (Encapsulating Security Payload) security protocol. For IPSec data exchange, you have to enter defined protocol parameters. 1. In the navigation bar, navigate to "Security" > "IPSec VPN" > "Phase 2". 2. Set the protocol parameters as described in your configuration guide: Encryption: 3DES Authentication: SHA1 Key Derivation: DH group 2 Lifetime [min]: 2880 Lifebytes: 0 3. Click the "Set Values" button. Result You have defined all the necessary parameters for the IKE and ESP protocols. Entry ID: , V1.0, 02/

38 Establishing the VPN connection The SCALANCE M is configured as the initiator of the VPN tunnel and actively establishes the connection to the CP Advanced. 1. In the navigation bar, navigate to "Security" > "IPSec VPN" > "Connections". 2. In the "Operation" column, change the mode to "Start". 3. Click the "Set Values" button. Result The SCALANCE M812-1 is the initiator of the VPN connection. Entry ID: , V1.0, 02/

39 Activating IPSec For the secure connection between SCALANCE M and CP Advanced, a VPN tunnel is established with IPSec. 1. In the navigation bar, navigate to "Security" > "IPSec VPN" > "General". 2. Check the "Activate IPSec VPN" check box to activate IPSec. 3. Click the "Set Values" button. Result IPSec is active and used for the VPN tunnel. 2.4 Final steps Connect the internal port of the CP Advanced and SCALANCE M812-1 to your network (e.g., an automation network). For all devices on the internal port of the devices, set the appropriate standard router (IP address of the internal port). Entry ID: , V1.0, 02/

40 2.5 Status of the VPN connection When all security modules have been parameterized, loaded and connected to the Internet, the SCALANCE M812-1 initializes the VPN tunnel to the CP Advanced. Diagnostics in the Security Configuration Tool or SCALANCE M's Web Based Management allow you to view the status. In addition, the housing of the SCALANCE M features diagnostic LEDs for modem status and connection control. Security Configuration Tool For diagnostics via the Security Configuration Tool, proceed as described below: 1. Open your STEP 7 project. 2. Connect the PC to the PROFINET port of the CP and change the network settings on the PC as follows: IP address: Subnet mask: In the hardware configuration, select the "Edit" > "Security Configuration Tool" menu command to open the Security Configuration Tool and log in if necessary. 4. Use the "View" > "online" menu command to activate "Online" mode. 5. In the content area, select the module you want to edit and select the "Edit" > "Online diagnostics " menu command. Entry ID: , V1.0, 02/

41 6. The "Communications status" tab displays the communication status. Web Based Management Status indication via Web Based Management can be accessed as follows: 1. Use the PC to connect to the Web user interface of the SCALANCE M (address: For this purpose, change the network settings on the PC as follows: IP address: Subnet mask: After successful logon, the start page appears. 2. In the navigation bar, navigate to "Information" > "IPSec VPN". 3. The "Status" column shows the status of the configured VPN connection. Entry ID: , V1.0, 02/

42 3 Testing the Tunnel Function 3 Testing the Tunnel Function Chapter 2 completes the commissioning of the configuration and the CP Advanced and the SCALANCE M812-1 have established a VPN tunnel for secure communication. You can test the established tunnel connection using a ping command on an internal node. This is described below. Alternatively, you can also use other methods to test the configuration (e.g., by opening the internal Web page of the CP Advanced with address or loading the S7 controller from STEP 7). 1. Connect the PC to the internal port of the SCALANCE M Change the network settings on the PC as follows: IP address: Subnet mask: Default gateway: On the PC, select "Start" > "All Programs" > "Accessories" > "Command Prompt" in the start bar. 4. In the command line of the "Command Prompt" window that appears, enter the "ping <IP address of internal node of remote end>" command at the cursor position. Result You get a positive response from the internal node. Note In Windows, the default settings of the firewall may prevent ping commands from passing. You may have to enable the ICMP services of the "Request" and "Response" type. Entry ID: , V1.0, 02/

43 4 History 4 History Table 4-1 Version Date Modifications V1.0 02/2015 First version Entry ID: , V1.0, 02/