FAQ about Communication

Transcription

1 FAQ about Communication Establishing a VPN Tunnel between PC Station and SCALANCE S 61x via the Internet Using the Microsoft Management Console FAQ

2 Entry ID: Table of Contents Table of Contents The IPsec tunnel Configuration Overview Configuring the gateway in the PLC Configuring the gateway in the PC station Configuration of the standard DSL Routers Configuration of the standard DSL router A (connected to PC station) Configuration of the standard DSL router B (connected to SCALANCE S) Configuration of the IPsec Channel Using the Microsoft Management Console Adding snap-ins Creating IP security policy Adding or editing security methods Adding security rule for the data traffic from the PC station to the SCALANCE S 61x module Creating IP filter Creating and assigning filter action Defining authentication method Defining tunnel settings Adding security rule for the data traffic from the SCALANCE S 61x module to the PC station Creating IP filter Assigning filter action Authentication method Defining tunnel settings SCALANCE S 61x Configuration Establishing VPN Tunnel Checking IPsec services Establishing IPsec tunnel Checking IPsec tunnel status History This entry is from the Internet offer of Siemens AG, Automation and Drives, Service & Support. Clicking the link below directly displays the download page of this document. V1.0 07/13/07 38/38

3 Question VPN Tunnel between PC Station with Win XP SP2 and Entry ID: How is a VPN tunnel between the PC station with Windows XP SP2 and a SCALANCE S 61x V2.1 module configured via the internet using the Microsoft Management Console? Answer It is possible to establish a VPN tunnel from the PC station with Windows XP SP2 to a SCALANCE S 61x V2.1 module in routing mode via the internet. The Microsoft Management Console and the Security Configuration Tool are used for configuring the VPN tunnel. The corresponding prerequisites are listed below: To support the establishment of the tunnel via the internet in routing mode, SCALANCE S 61x with firmware V2.1 and the Security Configuration Tool V2.1 are required. The firmware V2.1 for the SCALANCE S 61x module can be downloaded; the Entry ID is The standard DSL routers A and B must support the NAT-T (network address translation-traversal) and NAPT (network address port translation) functions. A fixed external IP address for the standard DSL router B is required, which has to be parameterized on the passive SCALANCE S 61x module. Passive means here that the SCALANCE S 61x module waits until the partner initiates the establishment of the tunnel. A PC station with Windows XP SP2 is required which initiates the tunnel establishment. V1.0 07/13/07 38/38

4 Entry ID: The IPsec tunnel The SCALANCE S module uses the IPsec protocol for tunneling. The data exchange via an IPsec tunnel in the VPN has the following properties: Authentication only persons with a corresponding authorization can establish a tunnel Integrity ensures that the exchanged data have not been modified Confidentiality the exchanged data are tap-proof Key-based or certificate-based authentication methods are supported: Preshared key Certificate The SCALANCE S module supports the following integrity check methods: SHA-1 Secure Hash Algorithm 1 MD5 Message Digest Version 5 In addition, the SCALANCE S module supports two encryption algorithms: DES Data Encryption Standard 3DES Triple DES AES Advanced Encrypting Standard (this encryption algorithm is supported by the SCALANCE S module only in phase 2 of the data exchange via IPsec.) The data exchange via the IPsec tunnel consists of two phases: Phase1 key exchange (IKE, Internet Key Exchange) Phase2 data exchange (ESP, Encapsulating Security Payload) The IKE protocol is used for the automatic IPsec key management. It uses the Diffie-Hellman key exchange for a secure exchange of keys in an insecure network. One of the following key exchange methods is used for the key exchange: Main mode Aggressive mode The following sections describe the individual configuration steps you have to perform to be able to establish the VPN tunnel via the internet. The following parameters are configured for the key exchange (IKE, Internet Key Exchange): V1.0 07/13/07 38/38

5 Entry ID: Table 1-1 IKE parameters IKE Parameter Authentication method Integrity check method Encryption algorithm Key exchange method Diffie-Hellmann Preshared key SHA-1 3DES Main mode DH2 Value The following parameters are configured for the data exchange (ESP, Encapsulating Security Payload): Table 1-2 ESP parameters ESP parameter Integrity check method Encryption algorithm SHA-1 Triple DES (3DES) Value V1.0 07/13/07 38/38

6 VPN Tunnel between PC Station with Win XP SP2 and 2 Configuration Overview Figure 1-1 shows the configuration. Figure 2-1 Configuration Internet ISP 1 ISP 2 PC station with Windows XP SP2 and optionally STEP 7 External IP address of ISP 1: Internal IP address: Standard DSL router A Standard DSL router B Fixed external IP address of ISP2: Internal IP address: SCALANCE S 61x CPU 315-2DP with CP343-1 IP address: Default gateway: Protected automation cell IP address: Default gateway: VPN tunnel (IPsec) External IP address: Internal IP address: Default gateway: V1.0 07/13/07 6/38

7 2.1 Configuring the gateway in the PLC The CPU 315-2DP with the CP is located in the internal Ethernet network that is protected by the SCALANCE S 61x V2.1 module. SCALANCE S 61x V2.1 is the router or gateway for the CP For this reason, you have to enter the internal IP address of the SCALANCE S 61x V2.1 module as a router or gateway in the Ethernet interface properties of the CP Figure 2-2. Specifying gateway or router in the S7-300 controller Internal IP address of SCALANCE S 61x 2.2 Configuring the gateway in the PC station The PC station with the IP address is located in the external Ethernet network of the SCALANCE S 61x V2.1 module. The standard router A is the gateway or router for the PC station. For this reason, in the Windows Network Connections in the Local Area Connection Properties, enter the internal IP address of the standard router A for the default gateway. In addition, the standard router A is used as a DNS server for the PC station. Figure 2-3 Specifying default gateway in the PC station IP address of the PC station Internal IP address of the standard router A V1.0 07/13/07 7/38

8 Note When the standard router A is DHCP-capable, the PC can automatically obtain its IP and DNS server address from router A. V1.0 07/13/07 8/38

9 3 Configuration of the standard DSL Routers 3.1 Configuration of the standard DSL router A (connected to PC station) The standard DSL router A is on the active side, i.e., the PC station initiates the establishment of the VPN tunnel. It is thus not required to configure PORT forwarding rules for the PC station s IPsec packages in the standard DSL router A. However, with fixed IP addresses on the PC station, the PORT forwarding can optionally be set in such a way that UDP packages from the internet, which are addressed to ports 500 and 4500 of the router, are sent to ports 500 and 4500 of the connected PC station. This means: The IP address is indicated on the standard DSL router A of the PC station. Figure 3-1. Port forwarding for standard DSL router A IP address of PC station 3.2 Configuration of the standard DSL router B (connected to SCALANCE S) On the standard DSL router B the PORT forwarding has to be set in such a way that the UDP packages from the internet, which are addressed to ports 500 and 4500 of the router, are sent to ports 500 and 4500 of the connected SCALANCE S 61x module. This means: The external IP address of the SCALANCE S 61x module is indicated on the standard DSL router B. Figure 3-2 Port forwarding for standard DSL router B External IP address of SCALANCE S 61x V1.0 07/13/07 9/38

10 4 Configuration of the IPsec Channel Using the Microsoft Management Console Use the Microsoft Management Console (MMC) for configuring the IPsec tunnel in the PC station. Open the MMC via the Windows START menu Run... with the mmc command. Figure 4-1 Opening Microsoft Management Console 4.1 Adding snap-ins At first the following snap-ins are inserted into the MMC console root via the File Add/Remove Snap-in... menu: IP Security Monitor IP Security Policy Management Services The Add/Remove Snap-in window opens. Select the Add... button to go to the Add Standalone Snap-in window. In this window, select the corresponding snap-in and add it using the Add button. V1.0 07/13/07 10/38

11 Figure 4-2 Adding snap-in In the Add Standalone Snap-in window, select the IP Security Monitor snap-in and add it using the Add button. Figure 4-3 Adding IP Security Monitor snap-in V1.0 07/13/07 11/38

12 Subsequently, add the IP Security Policy Management snap-in. You indicate the local computer when selecting the computer or domain to be managed. Figure 4-4 Adding IP Security Policy Management snap-in You also specify the local computer during the selection of the computer to be managed when adding the Services snap-in. Figure 4-5 Adding Services snap-in After adding the necessary snap-ins, exit the Add Standalone Snap-in window by selecting the Close button and the Add/Remove Snap-in button by using the OK button. The added snap-ins are now included in the console root of the MMC so that a new IP security policy can be created. V1.0 07/13/07 12/38

13 Figure 4-6 Console root with inserted snap-in 4.2 Creating IP security policy To create a new IP security policy, select the IP Security Policies on Local Computer snap-in in the console root and create a new IP security policy via the Action Create IP Security Policy... menu. Figure 4-7 Creating IP security policy The wizard for creating a new IP security policy opens. At first name the new IP security policy. In this example, the name is VPNtunnel_PC_ScalanceS. Figure 4-8 Naming IP security policy V1.0 07/13/07 13/38

14 In the next step, deactivate the default response rule since the authentication method will be defined later. In the last step, the Edit properties option is activated to be able to edit and configure the IP security policy. Figure 4-9 Deactivating default response rule and activating Edit properties 4.3 Adding or editing security methods After exiting the IP Security Policy Wizard by selecting Finish, the Properties window of the just created VPNtunnel_PC_ScalanceS IP security policy is displayed. In this window, the policy is configured and edited. At first configure the key exchange settings between PC station and SCALANCE S. In the Properties window of the VPNtunnel_PC_ScalanceS IP security policy, select the General tab. Select the Advanced... button to go to the Key Exchange Settings window. In this window, use the Methods button to add or edit the security methods (encryption and integrity) that are supported during the authentication. The following security methods are to be supported during the authentication: Table 4-1 Security methods Encryption Integrity Diffie-Hellmann 3DES SHA1 Low 3DES SHA1 Medium DES MD5 Low DES MD5 Medium V1.0 07/13/07 14/38

15 Figure 4-10 Key exchange settings After configuring the key exchange settings, the IP security rules are defined. A total of two IP security rules are defined. The first IP security rule determines the data traffic from the PC station to the network that is protected by the SCALANCE S module. The second IP security rule determines the data traffic from the network protected by the SCALANCE S module to the PC station. 4.4 Adding security rule for the data traffic from the PC station to the SCALANCE S 61x module To add the first IP security rule, select the Rules tab of the IP security policy Properties window. The Add button is used to add a new IP security rule. The New Rule Properties window opens. V1.0 07/13/07 15/38

16 Figure 4-11 Adding IP security rule Creating IP filter The IP filter determines the data traffic of an IP security rule. In the New Rule Properties window in the IP Filter List tab, use the Add button to create a new IP filter. Figure 4-12 Creating IP filter V1.0 07/13/07 16/38

17 The new IP filter is named channel_from_pc_to_scalance. Select the Add... button to go to the Filter Properties window. The data traffic direction is defined here. Since the first IP security rule determines the data traffic from the PC station to the network that is protected by the SCALANCE S module, enter the following parameters: Source address: IP address of the PC station Destination address: Subnet connected to the internal SCALANCE S PORT The Mirrored. Also match packets with the exact opposite source and destination addresses option is deactivated. A second security rule with corresponding IP filter determining the data traffic from the SCALANCE S module to the PC will be added later. Figure 4-13 Defining name and properties of the IP filter The channel_from_pc_to_scalance IP filter is now included in the IP filter list. Select the channel_from_pc_to_scalance IP filter and subsequently select the Filter Action tab in the New Rule Properties window to add a new filter action and to assign it to the IP filter. V1.0 07/13/07 17/38

18 Figure 4-14 Selecting IP filter Creating and assigning filter action Use the Add... button to go to the New Filter Action Properties window. Since a new security method for this filter action does not yet exist, a new security method has to be created. In the New Filter Action Properties window in the Security Methods tab, activate the Negotiate security: option and select the Add button. Figure 4-15 Creating filter action V1.0 07/13/07 18/38

19 Create a user-defined security method. Make the following settings for your user-defined security method with data integrity and encryption: Integrity algorithm: SHA1 Encryption algorithm: 3DES Figure 4-16 Security method settings After creating the user-defined security method with the corresponding settings, this method is visible in the New Filter Action Properties window in the Security Methods tab. The newly created security method is applied to the filter action. Figure 4-17 Applying security method V1.0 07/13/07 19/38

20 In the New Filter Action Properties window, select the General tab. Name the filter action, e.g. IPSec Configuration, and apply this name. Figure 4-18 Naming filter action Subsequently, in the New Rule Properties window in the Filter Action tab, select the IPSec Configuration filter action. Figure Selecting filter action V1.0 07/13/07 20/38

21 4.4.3 Defining authentication method Now define the preshared key authentication method. In the New Rule Properties window, select the Authentication Methods tab. In this example, the preshared key is scalance. Figure 4-20 Configuring authentication method Finally the authentication method is applied to the security rule. Figure 4-21 Applying authentication method V1.0 07/13/07 21/38

22 4.4.4 Defining tunnel settings The standard DSL router B, which is connected to the external SCALANCE S port, has a fixed external IP address known on the internet and is located on the passive side of the IPsec tunnel. This means: The fixed external IP address of the standard DSL router B is the tunnel endpoint for the PC station. The standard DSL router B now has to send the UDP packages from the internet, which are addressed to ports 500 and 4500 of the router, to ports 500 and 4500 of the connected SCALANCE S module. Define the tunnel endpoint in the Edit Rule Properties window in the Tunnel Setting tab. Enter the fixed external IP address of the standard router B for the tunnel endpoint. Figure 4-22 Defining tunnel endpoint Fixed external IP address of the standard router B After defining the tunnel endpoint and applying it to the IP security rule, exit the Edit Rule Properties window by selecting the OK button. The Properties window of the VPNtunnel_PC_ScalanceS IP security policy is displayed. The second IP security rule for the data traffic from the network protected by the SCALANCE S module to the PC station is now created. V1.0 07/13/07 22/38

23 4.5 Adding security rule for the data traffic from the SCALANCE S 61x module to the PC station In the Properties window of the VPNtunnel_PC_ScalanceS IP security policy, use the Add button to create the second IP security rule. Figure 4-23 Adding security rule Creating IP filter The New Rule Properties window opens. In the IP Filter List tab, use the Add button to create a new IP filter. This filter determines the data traffic of the second security rule. V1.0 07/13/07 23/38

24 Figure 4-24 Creating IP filter The IP filter is named channel_from_scalance_to_pc. Select the Add... button to go to the Filter Properties window. The data traffic direction is defined here. Since the second IP security rule determines the data traffic from the network that is protected by the SCALANCE S module to the PC station, enter the following parameters: Source address: Subnet connected to the internal SCALANCE S PORT Destination address: IP address of the PC station The Mirrored. Also match packets with the exact opposite source and destination addresses option is deactivated. A separate security rule exists for the data traffic from the PC to the SCALANCE S module. V1.0 07/13/07 24/38

25 Figure 4-25 Defining name and properties of the IP filter The channel_from_scalance_to_pc IP filter is now included in the IP filter list. Select the channel_from_scalance_to_pc IP filter and subsequently select the Filter Action tab in the New Rule Properties window to assign the already defined IPSec Configuration filter action to the IP filter. Figure 4-26 Selecting IP filter Assigning filter action In the Filter Action tab of the New Rule Properties window, the IPSec Configuration filter action is selected. V1.0 07/13/07 25/38

26 Figure 4-27 Selecting filter action Authentication method Now define the authentication method for the second security rule as described in chapter Defining tunnel settings The PC station initiates the establishment of the IPsec tunnel. This means: The IP address of the PC station is the tunnel endpoint for the SCALANCE S module. Define the tunnel endpoint in the New Rule Properties window in the Tunnel Setting tab. Enter the IP address of the PC station for the tunnel endpoint. V1.0 07/13/07 26/38

27 Figure 4-28 Defining tunnel setting IP address of the PC station After defining the tunnel endpoint, exit the New Rule Properties window by selecting the OK button. The Properties window of the VPNtunnel_PC_ScalanceS IP security policy is displayed. Select the two following created security rules and apply the selection: channel_from_pc_to_scalance channel_from_scalance_to_p V1.0 07/13/07 27/38

28 Figure 4-29 Selecting security rules Use the Close button to exit the Properties window of the VPNtunnel_PC_ScalanceS IP security policy. Subsequently, configure SCALANCE S 61x V2.1 using the Security Configuration Tool V2.1. V1.0 07/13/07 28/38

29 5 SCALANCE S 61x Configuration The SCALANCE S 61x V2.1 module is configured using the Security Configuration Tool V2.1. Open the Security Configuration Tool (SCT) via the Windows START menu -> SIMATIC -> SCALANCE -> Security. After creating a new project in the SCT, insert one module of the S612 V2 type and one of the MD740-1 type via the Insert Module menu. The module of the MD740-1 type is inserted to model the part of the configuration that is created by the standard DSL router A and the PC station. Figure 5-1 Inserting module The external IP address in subnet is assigned to the SCALANCE S module. In addition, you have to enter the MAC address of SCALANCE S in the SCT. The standard DSL router B is the gateway for SCALANCE S. For this reason, the internal IP address of the standard DSL router B is specified for the default gateway of the S612 V2 module. The external and internal IP address of the standard DSL router A is entered for the module of the MD740-1 type. In this example, the external IP address of the standard DSL router A is The internal IP address of the standard DSL router A is In addition, the module names SCALANCE and RouterA are assigned. Figure 5-2 Inserted modules V1.0 07/13/07 29/38

30 Select the View menu and activate Advanced Mode. Figure 5-3 Activating Advanced Mode Activate the routing mode for the SCALANCE S module in the SCALANCE Module Properties window in the Routing Modus tab. Enter the internal IP address and the subnet mask of SCALANCE S. Figure 5-4 Activating Routing Modus V1.0 07/13/07 30/38

31 Subsequently, create a new group by selecting Insert Group. Figure 5-5 Group Use drag & drop to assign the two modules of the type S612 V2 and MD740-1 to this group. Figure 5-6 Assigning modules to group Drag & drop In the Group Properties, make the settings for authentication and security method. The settings for authentication and security method are made analogously to the configuration in the MMC, i.e.: Enter the preshared key scalance. Enter the integrity algorithm SHA1 for phase 1 and 2 of the data exchange via IPsec. Enter the encryption algorithm 3DES for phase 1 and 2 of the data exchange via IPsec. V1.0 07/13/07 31/38

32 Figure 5-7 Group properties In the SCALANCE Module Properties window in the VPN tab, make the settings for establishing the VPN tunnel. SCALANCE S 61x V2.1 is parameterized as a passive module. In addition, you have to enter a fixed external IP address of the connected standard DSL router via which the active module initiates the tunnel establishment. In this example, enter the fixed external IP address of the standard DSL router B. V1.0 07/13/07 32/38

33 Figure 5-8 Module Properties VPN tab To complete the SCALANCE S configuration, transfer the configuration data from the Security Configuration Tool to the SCALANCE S 61x V2.1 module. In All Modules, select the corresponding module of the S612 V2 type and use the Load button. Figure 5-9 Loading the configuration into the SCALANCE S 61x module V1.0 07/13/07 33/38

34 6 Establishing VPN Tunnel 6.1 Checking IPsec services After configuring the IPsec tunnel using the MMC and the Security Configuration Tool, the VPN tunnel between PC station and SCALANCE S can be established via the internet. It is required that the IPSEC Services service is started and active. This can be checked in the Microsoft Management Console. In the MMC console root, select the Services (Local) snap-in. You see an overview of the services provided by your PC station. In this overview, search for IPSEC Services. Figure 6-1 IPSEC Services Now double-click IPSEC Services. The IPSEC Services Properties window opens. In the General tab, check the service status. The service status must be Started. V1.0 07/13/07 34/38

35 Figure 6-2. IPSEC Services Properties window, General tab In the Log On tab, you can check whether the IPSEC Services service is activated on your PC station. Figure 6-3 IPSEC Services Properties window, Log On tab V1.0 07/13/07 35/38

36 6.2 Establishing IPsec tunnel The establishment of the IPsec tunnel between the PC station with Windows XP SP2 and the SCALANCE S61x V2.1 module is initiated using the MMC. In the MMC console root, select the IP Security Policies on Local Computer snap-in. Now select the VPNtunnel_PC_ScalanceS IP security policy and assign it to the PC station by selecting Action Assign. Figure 6-4 Assigning IP security policy to the PC station 6.3 Checking IPsec tunnel status When the IPsec tunnel between the PC station and the SCALANCE S module has been established via the internet, the protected automation cell (CP 343-1) can be accessed from the PC station, i.e. You can access SCALANCE S 61x V2.1 online using the Security Configuration Tool. To do this, use the Online button. If this online access has been successful, you can access the SCALANCE S 61x module via the VPN tunnel. In the Online View of the SCALANCE module Communication Status tab, the enabled tunnel status is displayed. Figure 6-5 Online access to SCALANCE S 61x V2.1 using SCT V1.0 07/13/07 36/38

37 Figure 6-6 IPsec tunnel status A ping can be sent from the PC station to the IP address of the CP In addition, a ping can be sent to the internal IP address of the SCALANCE S 61x module. In STEP 7, you can use the PG/OP functions for the online access to the S7-300 controller so that you can load the STEP 7 project or the configuration into the CPU of the S7 300 controller or read out the CPU diagnostics buffer. Note Layer2 protocols such as the Accessible Nodes function in STEP 7 are not possible via the VPN tunnel. A firewall that is additionally installed on the PC may cause problems. ATTENTION This configuration was tested on several standard PCs with Windows XP SP2. It cannot be guaranteed that this example works correctly in all PC configurations. V1.0 07/13/07 37/38

38 7 History Version Date Modification V 1.0 First edition V1.0 07/13/07 38/38