Setting up securityglobal FW Rulesets SIMATIC NET. Industrial Ethernet Security Setting up security. Preface. Firewall in standard mode

Size: px

Start display at page:

Download "Setting up securityglobal FW Rulesets SIMATIC NET. Industrial Ethernet Security Setting up security. Preface. Firewall in standard mode"

Margaret Chase
5 years ago
Views:

1 Global FW Rulesets SIMATIC NET Industrial Ethernet Security Preface 1 Firewall in standard mode 2 Firewall in advanced mode 3 Configuring a VPN tunnel 4 Configuring remote access via a VPN tunnel 5 Getting Started 04/2012 C79000-G8976-C287-01

2 Legal information Legal information Warning notice system This manual contains notices you have to observe in order to ensure your personal safety, as well as to prevent damage to property. The notices referring to your personal safety are highlighted in the manual by a safety alert symbol, notices referring only to property damage have no safety alert symbol. These notices shown below are graded according to the degree of danger. DANGER indicates that death or severe personal injury will result if proper precautions are not taken. WARNING indicates that death or severe personal injury may result if proper precautions are not taken. CAUTION with a safety alert symbol, indicates that minor personal injury can result if proper precautions are not taken. CAUTION without a safety alert symbol, indicates that property damage can result if proper precautions are not taken. NOTICE indicates that an unintended result or situation can occur if the relevant information is not taken into account. If more than one degree of danger is present, the warning notice representing the highest degree of danger will be used. A notice warning of injury to persons with a safety alert symbol may also include a warning relating to property damage. Qualified Personnel The product/system described in this documentation may be operated only by personnel qualified for the specific task in accordance with the relevant documentation, in particular its warning notices and safety instructions. Qualified personnel are those who, based on their training and experience, are capable of identifying risks and avoiding potential hazards when working with these products/systems. Proper use of Siemens products Note the following: WARNING Siemens products may only be used for the applications described in the catalog and in the relevant technical documentation. If products and components from other manufacturers are used, these must be recommended or approved by Siemens. Proper transport, storage, installation, assembly, commissioning, operation and maintenance are required to ensure that the products operate safely and without any problems. The permissible ambient conditions must be complied with. The information in the relevant documentation must be observed. Trademarks All names identified by are registered trademarks of Siemens AG. The remaining trademarks in this publication may be trademarks whose use by third parties for their own purposes could violate the rights of the owner. Disclaimer of Liability We have reviewed the contents of this publication to ensure consistency with the hardware and software described. Since variance cannot be precluded entirely, we cannot guarantee full consistency. However, the information in this publication is reviewed regularly and any necessary corrections are included in subsequent editions. Siemens AG Industry Sector Postfach NÜRNBERG GERMANY Order number: C79000-G8976-C P 04/2012 Technical data subject to change Copyright Siemens AG All rights reserved

3 Table of contents 1 Preface Firewall in standard mode Example with a SCALANCE S Overview Set up SCALANCE S and the network Make the IP settings for the PCs Create the project and module Configure the firewall Downloading the configuration to the security module Test the firewall function (ping test) Log firewall data traffic Example with a CP x43-1 Advanced Overview Make the IP settings for the PCs Create the project and module Configure the firewall Downloading the configuration to the security module Test the firewall function (ping test) Log firewall data traffic Example with a CP Overview Make the IP settings for the PCs Create the project and module Configure the firewall Downloading the configuration to the security module Test the firewall function (ping test) Log firewall data traffic Firewall in advanced mode SCALANCE S as firewall and NAT router Overview Set up SCALANCE S and the network Make the IP settings for the PCs Create the project and module Configuring the NAT router mode Configure the firewall Downloading the configuration to the security module Test the NAT router function (ping test) Creating user-specific firewall rules Overview Set up SCALANCE S and the network Make the IP settings for the PCs Create the project and module Creating remote access users...55 Getting Started, 04/2012, C79000-G8976-C

4 Table of contents Creating and assigning user-specific firewall rules Downloading the configuration to the security module Logging in on the Web page Test the firewall function (ping test) CP x43-1 Advanced as firewall and NAT router Overview Make the IP settings for the PCs Create the project and module Configuring the NAT router mode Configure the firewall Downloading the configuration to the security module Test the NAT router function (ping test) Example with a CP 1628 and CP x Overview Make the IP settings for the PCs Create the project and module Configure the firewall Downloading the configuration to the security module Test the firewall function (ping test) Configuring a VPN tunnel VPN tunnel between SCALANCE S and SCALANCE S Overview Set up SCALANCE S and the network Make the IP settings for the PCs Create the project and modules Configuring a tunnel connection Download the configuration to the SCALANCE S module Test the tunnel function (ping test) VPN tunnel between CP 1628 and CP x Overview Make the IP settings for the PCs Create the project and modules Configuring a tunnel connection Downloading the configuration to the security module Test the tunnel function (ping test) VPN tunnel between SCALANCE S CP Overview Setting up the security module and network Make the IP settings for the PCs Create the project and modules Configuring a tunnel connection Downloading the configuration to the security module Test the tunnel function (ping test) VPN tunnel between all security products Overview Make the IP settings for the PCs Create the project and modules Configuring a tunnel connection Getting Started, 04/2012, C79000-G8976-C287-01

5 Table of contents Loading the configuration on the security module and saving the SOFTNET Security Client configuration Set up a tunnel with the SOFTNET Security Client Test the tunnel function (ping test) Configuring remote access via a VPN tunnel Remote access - VPN tunnel example with SCALANCE S612 and SOFTNET Security Client Overview Set up SCALANCE S and the network Make the IP settings for the PCs Create the project and modules Configuring a tunnel connection Loading the configuration on the SCALANCE S and saving the SOFTNET Security Client configuration Set up a tunnel with the SOFTNET Security Client Test the tunnel function (ping test) Remote access - VPN tunnel example with CP x43-1 Advanced and SOFTNET Security Client Overview Make the IP settings for the PCs Create the project and modules Configuring a tunnel connection Loading the configuration on the security module and saving the SOFTNET Security Client configuration Set up a tunnel with the SOFTNET Security Client Test the tunnel function (ping test) Remote access - VPN tunnel example with SCALANCE M and SOFTNET Security Client Overview Setting up SCALANCE M and network Make the IP settings for the PCs Create the project and modules Configuring a tunnel connection Saving the configuration of the SCALANCE M and the SOFTNET Security Client Configuring the SCALANCE M Setting up a tunnel with the SOFTNET Security Client Test the tunnel function (ping test) Getting Started, 04/2012, C79000-G8976-C

6 Table of contents 6 Getting Started, 04/2012, C79000-G8976-C287-01

7 Preface 1 Getting results fast with Getting Started Based on a simple test network, this Getting Started shows you how to work with security modules S and the Security Configuration Tool. You will soon see that you can implement the security functions of security modules in the network without any great project engineering effort. Working through the Getting Started, you will be able to implement the basic functions of the security modules and the SOFTNET security client based on various security examples. IP settings for the Examples Note The IP settings in the examples are freely selected and do not cause any conflicts in the isolated test network. In a real network, you would need to adapt these IP settings to avoid possible address conflicts. This Getting Started applies to the following: Configuration software: STEP 7 classic V5.5 SP2 Hotfix 1 Security Configuration Tool (SCT) as of V3.0 Products: "Security Appliances": SCALANCE S 602 as of V3.0, order number: 6GK BA10-2AA3 SCALANCE S 612 as of V3.0, order number: 6GK BA10-2AA3 SCALANCE S 623 as of V3.0, order number: 6GK BA10-2AA3 SOFTNET Security Client as of V4.0, order number: 6GK VW02-0AA0 "Security Integrated" products: CP Advanced GX30 as of V3.0, order number: 6GK GX31-0XE0 CP Advanced GX31 as of V3.0, order number: 6GK GX30-0XE0 CP 1628 as of V1.0, order number: 6GK1162-8AA00 SCALANCE M 875 as of V1.0, order number: 6GK AA10-1AA2 SINAUT MD741-1 as of 2.x, order number: 6NH9741-1AA00 Getting Started, 04/2012, C79000-G8976-C

8 Preface General terminology "security module" In this documentation, the term "security module" includes the following products: CP Advanced GX31, CP Advanced GX30, CP 1628, SCALANCE S 602 V3/SCALANCE S 612 V3/SCALANCE S 623 V3. The CPs Advanced GX31, and Advanced GX30 are simply called CP x43-1. SCALANCE M 875 and SINAUT MD7x are simply called SCALANCE M. If you want to know more You will find further information on the topic of "Industrial Ethernet Security" in the configuration manual "SIMATIC NET - Basics and Application". This explains the entire functionality and the Security Configuration Tool configuration software in greater detail. You will find a current release on the Internet under the following entry ID: ( You will find hardware descriptions and installation instructions in the documents relating to the individual modules. Global FW Rulesets 8 Getting Started, 04/2012, C79000-G8976-C287-01

9 Firewall in standard mode Example with a SCALANCE S Overview In this example, you configure the firewall in the "standard mode" project engineering view. The standard mode includes predefined sets of rules for data traffic. With this configuration, IP traffic can only be initiated from the internal network; only the response is permitted from the external network. Setting up the test network Getting Started, 04/2012, C79000-G8976-C

10 Firewall in standard mode 2.1 Example with a SCALANCE S Internal network - attachment to the internal port of the security module In the test setup, in the internal network, the network node is implemented by one PC connected to the internal port of the security module. PC2: Represents a node in the internal network Security module: SCALANCE S module for protection of the internal network External network - attachment to the external port of the security module The public, external network is connected to the external port of the security module. PC1: PC with the Security Configuration Tool Required devices/components: Use the following components to set up to the network: 1 x SCALANCE S module, (additional option: a suitably installed DIN rail with fittings) 1 x 24 V power supply with cable connector and terminal block plug 1 x PC on which the Security Configuration Tool is installed 1 x PC in the internal network to test the configuration The required network cable, TP cable (twisted pair) complying with the IE FC RJ-45 standard for Industrial Ethernet Overview of the next steps: 10 Getting Started, 04/2012, C79000-G8976-C287-01

11 Firewall in standard mode 2.1 Example with a SCALANCE S Set up SCALANCE S and the network Follow the steps below: 1. First unpack the SCALANCE S and check that it is undamaged. 2. Connect the power supply to the SCALANCE S. Result: After connecting the power, the Fault LED (F) is lit yellow. WARNING The SCALANCE S is designed for operation with safety extra-low voltage. This means that only safety extra-low voltages (SELV) complying with IEC950/EN60950/ VDE0805 can be connected to the power supply terminals. The power supply unit to supply the SCALANCE S must comply with NEC Class 2 (voltage range V, current requirement approx. 250 ma). 3. Now establish the physical network connections by plugging the network cable connectors into the ports being used (RJ-45 jacks): Connect PC2 with port 2 of module 1. Connect PC1 with port 1 of module Now turn on the PCs. NOTICE The Ethernet attachments at port 1 and port 2 are handled differently by the SCALANCE S and must not be swapped over when connecting to the communication network: Port 1 - external network Upper RJ-45 jack, marked red = unprotected network area; Port 2 - Internal Network Lower RJ-45 jack, marked green = network protected by SCALANCE S; If the ports are swapped over, the device loses its protective function Make the IP settings for the PCs For the test, the PCs are given the following IP address settings: PC IP address Subnet mask Default gateway PC PC Getting Started, 04/2012, C79000-G8976-C

12 Firewall in standard mode 2.1 Example with a SCALANCE S Follow the steps below for PC1 and PC2: 1. On the relevant PC, open the Control Panel with the menu command "Start" > "Control Panel". 2. Click "Network and Sharing Center" and select the "Change Adapter Settings" option in the navigation menu on the left. 3. In the "Local Area Connection Properties" dialog, enable the "Internet Protocol Version 4 (TCP/IPv4)" check box. 4. Click the "Properties" button. 5. In the "Internet Protocol Version 4 (TCP/IPv4) Properties" dialog, select the "Use the following IP address" radio button: off. 6. Now enter the values assigned to the PC from the table "Make the IP settings for the PCs" in the relevant boxes. 7. Close the dialogs with "OK" and close the Control Panel. 12 Getting Started, 04/2012, C79000-G8976-C287-01

Firewall in standard mode 2.1 Example with a SCALANCE S 2.1.4 Create the project and module Follow the steps below: 1. Install and start the Security Configuration Tool on PC1. 2. Select the "Project" > "New" menu command.

13 Firewall in standard mode 2.1 Example with a SCALANCE S Create the project and module Follow the steps below: 1. Install and start the Security Configuration Tool on PC1. 2. Select the "Project" > "New" menu command. 3. In the dialog that follows, create a new user with a user name and the corresponding password. The "administrator" role is assigned to the user automatically. 4. Confirm your entries with "OK". Result: A new project is created. The "Selection of a module or software configuration" dialog opens. 5. Configure the product type, module and firmware release. 6. In the "Configuration" area, enter the MAC address in the required format. The MAC address is printed on the front of the SCALANCE S module (see figure). 7. In the "Configuration" area, enter the external IP address ( ) and the external subnet mask ( ) in the required format and confirm the dialog with "OK". Result: The module will then be displayed in the list of configured modules Configure the firewall In standard mode, the firewall can be set simply with predefined sets of rules. You can activate these sets of rules by clicking on them. Follow the steps below: 1. Select the "Module1" row in the content area. 2. Select the "Edit" > "Properties..." menu command. Getting Started, 04/2012, C79000-G8976-C

14 Firewall in standard mode 2.1 Example with a SCALANCE S 3. Select the "Firewall" tab in the displayed dialog. 4. Enable the option shown below: Result: IP traffic is only initiated from the internal network; only the response is permitted from the external network. Access using HTTPS for online diagnostics from PC1 to PC2 is allowed. 5. You should also select the Logging options to record data traffic. 6. Close the dialog with "OK". 7. Save the project with the menu command "Project" > "Save As..." under a meaningful name Downloading the configuration to the security module Follow the steps below: 1. Select the module in the content area. 14 Getting Started, 04/2012, C79000-G8976-C287-01

15 Firewall in standard mode 2.1 Example with a SCALANCE S 2. Select the "Transfer" > "To module..." menu command. 3. Start the download with the "Start" button. If the download was completed free of errors, the SCALANCE S module is restarted automatically and the new configuration activated. Result: SCALANCE S in productive operation The SCALANCE S is now in productive operation. This mode is indicated by the Fault LED being lit green. Commissioning the configuration is now complete and the SCALANCE S is now protecting the internal network (PC2) with the firewall Test the firewall function (ping test) How can you test the configured function? The function can be tested as described below using a ping command. As an alternative, you can also use other communication programs to test the configuration. NOTICE In Windows, the firewall can be set so that as default the ping commands do not pass through. If necessary, you will need to enable the ICMP services of the type "Request" and "Response". Test phase 1 Now test the function of the firewall configuration, first with allowed outgoing IP data traffic as follows: 1. On PC2, call up the menu command "Start" >"All Programs" > "Accessories" > "Command Prompt". Getting Started, 04/2012, C79000-G8976-C

16 Firewall in standard mode 2.1 Example with a SCALANCE S 2. Enter the Ping command from PC2 to PC1 (IP address ) In the command line of the "Command Prompt" window, enter the command "ping " at the cursor position. You will then receive the following message (positive reply from PC1): Result If the IP packets have reached PC1, the "Ping statistics for " display the following: Sent = 4 Received = 4 Lost = 0 (0% loss) Due to the configuration, the ping packets can pass from the internal network to the external network. The PC in the external network has replied to the ping packets. Due to the "stateful inspection" function of the firewall, the reply packets arriving from the external network are automatically passed into the internal network. Test phase 2 Now test the function of the firewall configuration with blocked outgoing IP data traffic as follows: 1. Now reopen the firewall dialog as described above. 2. Deselect the "Allow IP traffic" > "External -> Internal" " option in the "Firewall" tab. Close the dialog with "OK". 16 Getting Started, 04/2012, C79000-G8976-C287-01

17 Firewall in standard mode 2.1 Example with a SCALANCE S 3. Now download the modified configuration to the security module again. 4. If the downloading is completed free of errors, enter the same ping command ("ping ") in the Command Prompt window of PC2. You will then receive the following message (no reply from PC1): Result The IP packets from PC2 cannot reach PC1 since the data traffic from the "internal network" (PC2) to the "external network" (PC1) is not allowed. This is shown in the "Ping statistics for " as follows: Sent = 4 Received = 0 Lost = 4 (100% loss) Log firewall data traffic On the security modules, the local logging of system, audit and packet filter events is enabled as default. While working through this example, you also activated the logging options for the relevant data traffic when configuring the firewall. You can display the recorded events in online mode. Follow the steps below: 1. On PC1, change to online mode in the Security Configuration Tool with the "View" > "Online" menu command. 2. Select the "Edit" > "Online Diagnostics..." menu command. 3. Select the "Packet Filter Log" tab. 4. Click the "Start Reading" button. 5. Acknowledge the displayed dialog with OK. Result: The log entries are read from the security module and displayed here. Getting Started, 04/2012, C79000-G8976-C

18 Firewall in standard mode 2.2 Example with a CP x43-1 Advanced 2.2 Example with a CP x43-1 Advanced Overview In this example, you configure the firewall in the "standard mode" project engineering view. The standard mode includes predefined sets of rules for data traffic. With this configuration, IP traffic can only be initiated from the internal network and from the station; only the response is permitted from the external network. Setting up the test network Internal network - attachment to an internal port of the security module In the test setup, in the internal network, the network node is implemented by one PC connected to an internal port of the security module. PC2: Represents a node in the internal network Security module: CP x43-1 to protect the internal network External network - attachment to the external port of the security module The public, external network is connected to the external port of the security module. PC1: PC with the Security Configuration Tool and STEP 7 18 Getting Started, 04/2012, C79000-G8976-C287-01

19 Firewall in standard mode 2.2 Example with a CP x43-1 Advanced Requirement: To be able to work through the example, the following requirements must be met: The Security Configuration Tool configuration software is installed on PC1. STEP 7 is installed on PC1 and a STEP 7 project with the security module has already been created. The IP address of PC1 must be in the same subnet as the gigabit address of the security module. CP x43-1 has the following settings in STEP 7: Gigabit IP address: , subnet mask: PROFINET IP address: , subnet mask: Overview of the next steps: Make the IP settings for the PCs For the test, the PCs are given the following IP address settings: PC IP address Subnet mask Default gateway PC PC Follow the steps below for PC1 and PC2: 1. On the relevant PC, open the Control Panel with the menu command "Start" > "Control Panel". 2. Click "Network and Sharing Center" and select the "Change Adapter Settings" option in the navigation menu on the left. 3. In the "Local Area Connection Properties" dialog, enable the "Internet Protocol Version 4 (TCP/IPv4)" check box. Getting Started, 04/2012, C79000-G8976-C

20 Firewall in standard mode 2.2 Example with a CP x43-1 Advanced 4. Click the "Properties" button. 5. In the "Internet Protocol Version 4 (TCP/IPv4) Properties" dialog, select the "Use the following IP address" radio button: off. 6. Now enter the values assigned to the PC from the table "Make the IP settings for the PCs" in the relevant boxes. 7. Close the dialogs with "OK" and close the Control Panel Create the project and module Follow the steps below: 1. In the "Security" tab of the object properties, enable the "Enable security" check box. 20 Getting Started, 04/2012, C79000-G8976-C287-01

21 Firewall in standard mode 2.2 Example with a CP x43-1 Advanced 2. In the dialog that follows, create a new user with a user name and the corresponding password. The "administrator" role is assigned to the user automatically. Confirm your entries with "OK". Result: A new security project is created. 3. In HW Config, open the Security Configuration Tool with the "Edit" > "Security Configuration Tool" menu command. Result: The security module will then be displayed in the list of configured modules Configure the firewall In standard mode, the firewall can be set simply with predefined sets of rules. You can activate these sets of rules by clicking on them. Follow the steps below: 1. In the contents area of the Security Configuration Tool, select the row with the CP. 2. Select the "Edit" > "Properties..." menu command. 3. Select the "Firewall" tab in the displayed dialog. 4. Select the "Enable firewall" check box. Getting Started, 04/2012, C79000-G8976-C

22 Firewall in standard mode 2.2 Example with a CP x43-1 Advanced 5. Enable the options shown below: Result: IP traffic can only be initiated from the internal network and from the station; only the response is permitted from the external network. Access using HTTPS for online diagnostics from PC1 to PC2 is allowed. 6. You should also select the Logging options to record the relevant data traffic. 7. Close the dialog with "OK" Downloading the configuration to the security module Follow the steps below: 1. Close the Security Configuration Tool. 22 Getting Started, 04/2012, C79000-G8976-C287-01

23 Firewall in standard mode 2.2 Example with a CP x43-1 Advanced 2. In HW Config, select the "Station" > "Save and Compile" menu. 3. Download the new configuration to the security module using the "PLC" > "Download to Module" menu. If the download was completed free of errors, the security module restarts automatically and the new configuration is activated. Result: Security module in productive mode The commissioning of the configuration is complete. The security module protects the internal network (PC2). Outgoing IP traffic from the internal to the external network is allowed Test the firewall function (ping test) How can you test the configured function? The function can be tested as described below using a ping command. As an alternative, you can also use other communication programs to test the configuration. NOTICE In Windows, the firewall can be set so that as default the ping commands do not pass through. If necessary, you will need to enable the ICMP services of the type "Request" and "Response". Test phase 1 Now test the function of the firewall configuration, first with allowed outgoing IP data traffic as follows: 1. On PC2, call up the menu command "Start" >"All Programs" > "Accessories" > "Command Prompt". Getting Started, 04/2012, C79000-G8976-C

24 Firewall in standard mode 2.2 Example with a CP x43-1 Advanced 2. Enter the Ping command from PC2 to PC1 (IP address ) In the command line of the "Command Prompt" window, enter the command "ping " at the cursor position. You will then receive the following message (positive reply from PC1): Result If the IP packets have reached PC1, the "Ping statistics for " display the following: Sent = 4 Received = 4 Lost = 0 (0% loss) Due to the configuration, the ping packets can pass from the internal network to the external network. The PC in the external network has replied to the ping packets. Due to the "stateful inspection" function of the firewall, the reply packets arriving from the external network are automatically passed into the internal network. Test phase 2 Now test the function of the firewall configuration with blocked outgoing IP data traffic as follows: 1. Now reopen the firewall dialog as described above. 2. Deselect the "Allow IP traffic" > "Station => External / Internal => External" option in the "Firewall" tab. Close the dialog with "OK". 24 Getting Started, 04/2012, C79000-G8976-C287-01

25 Firewall in standard mode 2.2 Example with a CP x43-1 Advanced 3. Now download the modified configuration to the security module again. 4. If the downloading is completed free of errors, enter the same ping command ("ping ") in the Command Prompt window of PC2. You will then receive the following message (no reply from PC1): Result The IP packets from PC2 cannot reach PC1 since the data traffic from the "internal network" (PC2) and the station to the "external network" (PC1) is not allowed. This is shown in the "Ping statistics for " as follows: Sent = 4 Received = 0 Lost = 4 (100% loss) Log firewall data traffic On the security modules, the local logging of system, audit and packet filter events is enabled as default. While working through this example, you also activated the logging options for the relevant data traffic when configuring the firewall. You can display the recorded events in online mode. Follow the steps below: 1. On PC1, change to online mode in the Security Configuration Tool with the "View" > "Online" menu command. 2. Select the "Edit" > "Online Diagnostics..." menu command. 3. Select the "Packet Filter Log" tab. 4. Click the "Start Reading" button. 5. Acknowledge the displayed dialog with OK. Result: The log entries are read from the security module and displayed here. Getting Started, 04/2012, C79000-G8976-C

26 Firewall in standard mode 2.3 Example with a CP Example with a CP Overview In this example, you configure the firewall in the "standard mode" project engineering view. The standard mode includes predefined sets of rules for data traffic. With this configuration, IP traffic can only be initiated from PC2; only the response is permitted from the external network. Setting up the test network PC1: PC with the Security Configuration Tool and STEP 7 PC2 and security module: PC with CP 1628 Requirement: To be able to work through the example, the following requirements must be met: The Security Configuration Tool configuration software is installed on PC1. STEP 7 is installed on PC1 and a STEP 7 project with the security module has already been created. PC2 with the CP 1628 has the following settings in STEP 7: IP address Industrial Ethernet: , subnet mask: The NDIS IP address is set up in the IP settings of the PC. 26 Getting Started, 04/2012, C79000-G8976-C287-01

27 Firewall in standard mode 2.3 Example with a CP 1628 Overview of the next steps: Make the IP settings for the PCs For the test, the PCs are given the following IP address settings: PC IP address Subnet mask PC PC2 NDIS: Follow the steps below for PC1 and PC2: 1. On the relevant PC, open the Control Panel with the menu command "Start" > "Control Panel". 2. Click "Network and Sharing Center" and select the "Change Adapter Settings" option in the navigation menu on the left. 3. In the "Local Area Connection Properties" dialog, enable the "Internet Protocol Version 4 (TCP/IPv4)" check box. Getting Started, 04/2012, C79000-G8976-C

28 Firewall in standard mode 2.3 Example with a CP Click the "Properties" button. 5. In the "Internet Protocol Version 4 (TCP/IPv4) Properties" dialog, select the "Use the following IP address" radio button: off. 6. Now enter the values assigned to the PC from the table "Make the IP settings for the PCs" in the relevant boxes. 7. Close the dialogs with "OK" and close the Control Panel. 28 Getting Started, 04/2012, C79000-G8976-C287-01

Firewall in standard mode 2.3 Example with a CP 1628 2.3.3 Create the project and module Follow the steps below: 1.

29 Firewall in standard mode 2.3 Example with a CP Create the project and module Follow the steps below: 1. In the "Security" tab of the object properties, enable the "Enable security" check box. 2. In the dialog that follows, create a new user with a user name and the corresponding password. The "administrator" role is assigned to the user automatically. Confirm your entries with "OK". Result: A new security project is created. 3. In HW Config, open the Security Configuration Tool with the "Edit" > "Security Configuration Tool" menu command. Result: The security module will then be displayed in the list of configured modules Configure the firewall In standard mode, the firewall can be set simply with predefined sets of rules. You can activate these sets of rules by clicking on them. Follow the steps below: 1. In the contents area of the Security Configuration Tool, select the row with the CP Select the "Edit" > "Properties..." menu command. 3. Select the "Firewall" tab in the displayed dialog. Getting Started, 04/2012, C79000-G8976-C

Firewall in standard mode 2.3 Example with a CP 1628 4. Enable the options shown below: Result: The IP traffic can now be initiated by PC2; only the reply from PC1 is allowed.

30 Firewall in standard mode 2.3 Example with a CP Enable the options shown below: Result: The IP traffic can now be initiated by PC2; only the reply from PC1 is allowed. Access using HTTPS for online diagnostics from PC1 to PC2 is allowed. 5. You should also select the Logging options to record data traffic. 6. Close the dialog with "OK". 30 Getting Started, 04/2012, C79000-G8976-C287-01

31 Firewall in standard mode 2.3 Example with a CP Downloading the configuration to the security module Follow the steps below: 1. Close the Security Configuration Tool. 2. In HW Config, select the "Station" > "Save and Compile" menu. 3. Download the new configuration to the security module using the "PLC" > "Download to Module" menu. If the download was completed free of errors, the security module restarts automatically and the new configuration is activated. Result: Security module in productive mode The commissioning of the configuration is complete. The security module protects PC2. Outgoing IP traffic from the external network to PC2 is allowed Test the firewall function (ping test) How can you test the configured function? The function can be tested as described below using a ping command. As an alternative, you can also use other communication programs to test the configuration. NOTICE In Windows, the firewall can be set so that as default the ping commands do not pass through. If necessary, you will need to enable the ICMP services of the type "Request" and "Response". Test phase 1 Now test the function of the firewall configuration, first with allowed outgoing IP data traffic as follows: 1. On PC2, call up the menu command "Start" >"All Programs" > "Accessories" > "Command Prompt". Getting Started, 04/2012, C79000-G8976-C

32 Firewall in standard mode 2.3 Example with a CP Enter the ping command from PC2 to PC1 (IP address ) In the command line of the "Command Prompt" window, enter the command "ping " at the cursor position. You will then receive the following message (positive reply from PC1): Result If the IP packets have reached PC1, the "Ping statistics for " display the following: Sent = 4 Received = 4 Lost = 0 (0% loss) Due to the configuration, the ping packets from PC2 can reach PC1. PC1 has replied to the ping frames. Due to the "stateful inspection" function of the firewall, the reply packets arriving from PC1 are automatically forwarded to PC Log firewall data traffic On the security modules, the local logging of system, audit and packet filter events is enabled as default. While working through this example, you also activated the logging options for the relevant data traffic when configuring the firewall. You can display the recorded events in online mode. Follow the steps below: 1. On PC1, change to online mode in the Security Configuration Tool with the "View" > "Online" menu command. 2. Select the "Edit" > "Online Diagnostics..." menu command. 3. Select the "Packet Filter Log" tab. 32 Getting Started, 04/2012, C79000-G8976-C287-01

33 Firewall in standard mode 2.3 Example with a CP Click the "Start Reading" button. 5. Acknowledge the displayed dialog with OK. Result: The log entries are read from the security module and displayed here. Getting Started, 04/2012, C79000-G8976-C

34 Firewall in standard mode 2.3 Example with a CP Getting Started, 04/2012, C79000-G8976-C287-01

35 Firewall in advanced mode SCALANCE S as firewall and NAT router Overview In this example, you configure the NAT router mode. You configure in the "advanced mode" configuration view. With this configuration, you have the situation that all the packets sent from the internal subnet to the PC1 node in the external network are allowed to pass the firewall. The packets are forwarded to the outside with an IP address translated to the IP address of the security module and with a dynamically assigned port number. Only the replies to these packets is allowed to pass from the external network. Setting up the test network Getting Started, 04/2012, C79000-G8976-C

36 Firewall in advanced mode 3.1 SCALANCE S as firewall and NAT router Internal network - attachment to the internal port of the security module In the test setup, in the internal network, each network node is implemented by one PC connected to the internal port of the security module. PC2: Represents a node in the internal network Security module: SCALANCE S module for protection of the internal network External network - attachment to the external port of the security module The public, external network is connected to the external port of the security module. PC1: PC with the Security Configuration Tool Required devices/components: Use the following components to set up to the network: 1 x SCALANCE S module, (additional option: a suitably installed DIN rail with fittings); 1 x 24 V power supply with cable connector and terminal block plug; 1 x PC on which the Security Configuration Tool is installed; 1 x PC in the internal network to test the configuration; The required network cable, TP cable (twisted pair) complying with the IE FC RJ-45 standard for Industrial Ethernet. Overview of the next steps: 36 Getting Started, 04/2012, C79000-G8976-C287-01

37 Firewall in advanced mode 3.1 SCALANCE S as firewall and NAT router Set up SCALANCE S and the network Follow the steps below: 1. First unpack the SCALANCE S and check that it is undamaged. 2. Connect the power supply to the SCALANCE S. Result: After connecting the power, the Fault LED (F) is lit yellow. WARNING The SCALANCE S is designed for operation with safety extra-low voltage. This means that only safety extra-low voltages (SELV) complying with IEC950/EN60950/ VDE0805 can be connected to the power supply terminals. The power supply unit to supply the SCALANCE S must comply with NEC Class 2 (voltage range V, current requirement approx. 250 ma). 3. Now establish the physical network connections by plugging the network cable connectors into the ports being used (RJ-45 jacks): Connect PC2 with port 2 of module 1. Connect PC1 with port 1 of module Now turn on the PCs. NOTICE The Ethernet attachments at port 1 and port 2 are handled differently by the SCALANCE S and must not be swapped over when connecting to the communication network: Port 1 - External Network Upper RJ-45 jack, marked red = unprotected network area; Port 2 - Internal Network Lower RJ-45 jack, marked green = network protected by SCALANCE S; If the ports are swapped over, the device loses its protective function Make the IP settings for the PCs For the test, the PCs are given the following IP address settings: PC IP address Subnet mask Default gateway PC PC For standard gateway, specify the IP addresses that will be assigned to the security module for the internal and external interface in the subsequent project engineering: Getting Started, 04/2012, C79000-G8976-C

38 Firewall in advanced mode 3.1 SCALANCE S as firewall and NAT router PC1 uses the external interface. PC2 uses the internal interface. Follow the steps below for PC1 and PC2: 1. On the relevant PC, open the Control Panel with the menu command "Start" > "Control Panel". 2. Click "Network and Sharing Center" and select the "Change Adapter Settings" option in the navigation menu on the left. 3. In the "Local Area Connection Properties" dialog, enable the "Internet Protocol Version 4 (TCP/IPv4)" check box. 4. Click the "Properties" button. 5. In the "Internet Protocol Version 4 (TCP/IPv4) Properties" dialog, select the "Use the following IP address" radio button: off. 6. Enter the values assigned to the PC from the table "Make the IP settings for the PCs" in the relevant boxes. 7. Close the dialogs with "OK" and close the Control Panel. 38 Getting Started, 04/2012, C79000-G8976-C287-01

39 Firewall in advanced mode 3.1 SCALANCE S as firewall and NAT router Create the project and module Follow the steps below: 1. Install and start the Security Configuration Tool on PC1. 2. Select the "Project" > "New" menu command. 3. In the dialog that follows, create a new user with a user name and the corresponding password. The "administrator" role is assigned to the user automatically. Confirm your entries with "OK". Result: A new project is created. The "Selection of a module or software configuration" dialog opens. 4. Configure the product type, module and firmware release. 5. In the "Configuration" area, enter the MAC address in the required format. The MAC address is printed on the front of the SCALANCE S module (see figure). Getting Started, 04/2012, C79000-G8976-C

Firewall in advanced mode 3.1 SCALANCE S as firewall and NAT router 6. In the "Configuration" area, enter the external IP address (192.168.10.1) and the external subnet mask (255.

40 Firewall in advanced mode 3.1 SCALANCE S as firewall and NAT router 6. In the "Configuration" area, enter the external IP address ( ) and the external subnet mask ( ) in the required format and confirm the dialog with "OK". Result: The module will then be displayed in the list of configured modules. 40 Getting Started, 04/2012, C79000-G8976-C287-01

41 Firewall in advanced mode 3.1 SCALANCE S as firewall and NAT router Configuring the NAT router mode The common use case in which all internal nodes send packets to the external network and keep their IP addresses hidden by the NAT functionality is preconfigured on the security module. Below, you will see how to enable this behavior. Enabling router mode - follow the steps below: 1. Change the configuration view to advanced mode with the menu command "View" > "Advanced mode". 2. Double-click on the security module. Result: The "Interfaces" tab is opened. 3. Select the "Routing mode" for "Interface routing". 4. In the "Internal (P2)" input area, you add the address information for the interface of the SCALANCE S to the internal subnet: IP address: Subnet mask: Getting Started, 04/2012, C79000-G8976-C

Firewall in advanced mode 3.1 SCALANCE S as firewall and NAT router To enable NAT router mode for internal nodes - follow the steps below: Configure the required address translation for NAT mode. 1.

42 Firewall in advanced mode 3.1 SCALANCE S as firewall and NAT router To enable NAT router mode for internal nodes - follow the steps below: Configure the required address translation for NAT mode. 1. Select the "NAT" tab. 2. Select the options "NAT active" and "Allow all internal nodes access to the outside" in the "NAT" input area. An entry has been added to the end of the address translation list in the "NAT" input area. The "*" entry in the "internal IP address" column stands for all nodes in the internal network. 3. Close the dialog with "OK". Now set the firewall so that the frames are allowed to pass from internal to external. 42 Getting Started, 04/2012, C79000-G8976-C287-01

43 Firewall in advanced mode 3.1 SCALANCE S as firewall and NAT router Configure the firewall In this example, define a set of rules that allows the traffic from the internal node (PC2) to the node in the external network (PC1). You will also see how to define a global set of rules and assign it to a module. Once the rule set has been defined, it can be assigned to other modules in the same project using dragand-drop. To define a global rule set, follow the steps below: 1. Expand the "Global firewall rule sets" in the navigation area and select "Firewall IP rule sets". 2. Select the "Insert rule set" entry in the shortcut menu. Getting Started, 04/2012, C79000-G8976-C

Firewall in advanced mode 3.1 SCALANCE S as firewall and NAT router 3. Enter a rule set in the dialog as shown below: 4. In the row of the new rule set, select the "Log" check box.

44 Firewall in advanced mode 3.1 SCALANCE S as firewall and NAT router 3. Enter a rule set in the dialog as shown below: 4. In the row of the new rule set, select the "Log" check box. Result: Packet filter logging is enabled. Packets to which the defined rule is applied are logged. You will use this log in the example shown here in the final test of the configuration. 5. Close the dialog with "OK". To assign a global rule set, follow the steps below: 1. Select the "Module1" object in the navigation area and holding down the left mouse button, drag it to the newly created global firewall rule set. 44 Getting Started, 04/2012, C79000-G8976-C287-01

45 Firewall in advanced mode 3.1 SCALANCE S as firewall and NAT router 2. You can check the assignment by reopening the dialog for setting the module properties and selecting the "Firewall" tab. The global firewall rule was saved in the "IP rules" tab. 3. If you click the "Expand rule sets" button, you can view the rule set in detail. Result: The offline configuration is complete Downloading the configuration to the security module Follow the steps below: 1. Select the module in the content area. Getting Started, 04/2012, C79000-G8976-C

Firewall in advanced mode 3.1 SCALANCE S as firewall and NAT router 2. Select the "Transfer" > "To module..." menu command. 3. Start the download with the "Start" button.

46 Firewall in advanced mode 3.1 SCALANCE S as firewall and NAT router 2. Select the "Transfer" > "To module..." menu command. 3. Start the download with the "Start" button. If the download was completed free of errors, the SCALANCE S module is restarted automatically and the new configuration activated. Result: SCALANCE S in productive operation The SCALANCE S is now in productive operation. This mode is indicated by the Fault display being lit green Test the NAT router function (ping test) How can you test the configured function? The function can be tested as described below using a ping command. To be able to recognize the effects of the NAT router mode, use the packet filter logging on the firewall interface. A reminder: In the definition of the global firewall rule, you have already enabled the packet filter logging option. Note on the ping command: As an alternative, you can also use other communication programs to test the configuration. NOTICE In Windows, the firewall can be set so that as default the ping commands do not pass through. If necessary, you will need to enable the ICMP services of the type "Request" and "Response". 46 Getting Started, 04/2012, C79000-G8976-C287-01

47 Firewall in advanced mode 3.1 SCALANCE S as firewall and NAT router Test part 1 - sending the ping command Now test the function of the NAT router mode in IP data traffic from internal to external as follows: 1. On PC2, call up the menu command "Start" >"All Programs" > "Accessories" > "Command Prompt". 2. Enter the ping command from PC2 to PC1 (IP address ) In the command line of the "Command Prompt" window, enter the command "ping " at the cursor position. You will then receive the following message (positive reply from PC1): Test part 2 - evaluating the result 1. Change to online mode in the Security Configuration Tool with the "View" > "Online" menu command. 2. Select the module you want to edit and then select the menu command "Edit" > "Online diagnostics" to open the online dialog. 3. Select the "Packet Filter Log" tab. Getting Started, 04/2012, C79000-G8976-C

48 Firewall in advanced mode 3.1 SCALANCE S as firewall and NAT router 4. Click the "Start Reading" button. 5. Acknowledge the displayed dialog with "OK". Result: The log entries are read from the security module and displayed here. Result You will see the following in the log output: Output row 1 The IP addresses of the packets from PC2 to PC1 are displayed on the interface to the external network with the external IP address of the security module ( ). This matches the expected address conversion (note: the additional port assignment is not shown here). Output row 2 The reply packets are displayed with the destination address of the node in the internal subnet (PC2: ). You can see that the address conversion had already taken place before the reply packet passed the firewall. 48 Getting Started, 04/2012, C79000-G8976-C287-01

49 Firewall in advanced mode 3.2 Creating user-specific firewall rules 3.2 Creating user-specific firewall rules Overview In this example, you create a user-specific firewall rule and assign it to a user. You configure in the "advanced mode" configuration view. The created user is allowed to access PC2 in the internal network from PC1 in the external network. For other users, access remains blocked. Setting up the test network Internal network - attachment to the internal port of the security module In the test setup, in the internal network, each network node is implemented by one PC connected to the internal port of the security module. PC2: Represents a node in the internal network Security module: SCALANCE S module for protection of the internal network External network - attachment to the external port of the security module The public, external network is connected to the external port of the security module. PC1: PC with the Security Configuration Tool Getting Started, 04/2012, C79000-G8976-C

50 Firewall in advanced mode 3.2 Creating user-specific firewall rules Required devices/components: Use the following components to set up to the network: 1 x SCALANCE S module, (additional option: a suitably installed DIN rail with fittings); 1 x 24 V power supply with cable connector and terminal block plug; 1 x PC on which the Security Configuration Tool is installed; 1 x PC in the internal network to test the configuration; The required network cable, TP cable (twisted pair) complying with the IE FC RJ-45 standard for Industrial Ethernet. Overview of the next steps: Set up SCALANCE S and the network Follow the steps below: 1. First unpack the SCALANCE S and check that it is undamaged. 2. Connect the power supply to the SCALANCE S. Result: After connecting the power, the Fault LED (F) is lit yellow. 50 Getting Started, 04/2012, C79000-G8976-C287-01

51 Firewall in advanced mode 3.2 Creating user-specific firewall rules WARNING The SCALANCE S is designed for operation with safety extra-low voltage. This means that only safety extra-low voltages (SELV) complying with IEC950/EN60950/ VDE0805 can be connected to the power supply terminals. The power supply unit to supply the SCALANCE S must comply with NEC Class 2 (voltage range V, current requirement approx. 250 ma). 3. Now establish the physical network connections by plugging the network cable connectors into the ports being used (RJ-45 jacks): Connect PC2 with port 2 of module 1. Connect PC1 with port 1 of module Now turn on the PCs. NOTICE The Ethernet attachments at port 1 and port 2 are handled differently by the SCALANCE S and must not be swapped over when connecting to the communication network: Port 1 - external network Upper RJ-45 jack, marked red = unprotected network area; Port 2 - Internal Network Lower RJ-45 jack, marked green = network protected by SCALANCE S; If the ports are swapped over, the device loses its protective function Make the IP settings for the PCs For the test, the PCs are given the following IP address settings: PC IP address Subnet mask Default gateway PC PC Follow the steps below for PC1 and PC2: 1. On the relevant PC, open the Control Panel with the menu command "Start" > "Control Panel". 2. Click "Network and Sharing Center" and select the "Change Adapter Settings" option in the navigation menu on the left. 3. In the "Local Area Connection Properties" dialog, enable the "Internet Protocol Version 4 (TCP/IPv4)" check box. Getting Started, 04/2012, C79000-G8976-C

52 Firewall in advanced mode 3.2 Creating user-specific firewall rules 4. Click the "Properties" button. 5. In the "Internet Protocol Version 4 (TCP/IPv4) Properties" dialog, select the "Use the following IP address" radio button: off. 6. Now enter the values assigned to the PC from the table "Make the IP settings for the PCs" in the relevant boxes. 7. Close the dialogs with "OK" and close the Control Panel Create the project and module Follow the steps below: 1. Install and start the Security Configuration Tool on PC1. 2. Select the "Project" > "New" menu command. 3. In the dialog that follows, create a new user with a user name and the corresponding password. The "administrator" role is assigned to the user automatically. Confirm your entries with "OK". Result: A new project is created. The "Selection of a module or software configuration" dialog opens. 4. Configure the product type, module and firmware release. 52 Getting Started, 04/2012, C79000-G8976-C287-01

53 Firewall in advanced mode 3.2 Creating user-specific firewall rules 5. In the "Configuration" area, enter the MAC address in the required format. The MAC address is printed on the front of the SCALANCE S module (see figure). 6. In the "Configuration" area, enter the external IP address ( ) and the external subnet mask ( ) in the required format. Getting Started, 04/2012, C79000-G8976-C

54 Firewall in advanced mode 3.2 Creating user-specific firewall rules 7. Enable the "Enable routing" option. 8. Enter the internal IP address ( ) and the internal subnet mask ( ) in the required format and confirm the dialog with "OK". Result: The module will then be displayed in the list of configured modules. 54 Getting Started, 04/2012, C79000-G8976-C287-01

Firewall in advanced mode 3.2 Creating user-specific firewall rules 3.2.5 Creating remote access users Creating a remote access user 1.

55 Firewall in advanced mode 3.2 Creating user-specific firewall rules Creating remote access users Creating a remote access user 1. Select the "Options" > "User management" menu command. 2. Click the "Add" button. 3. Enter a new user with the following data: 4. Close the dialog with "OK". Getting Started, 04/2012, C79000-G8976-C

56 Firewall in advanced mode 3.2 Creating user-specific firewall rules Creating and assigning user-specific firewall rules How to access this function 1. Change the configuration view to advanced mode with the menu command "View" > "Advanced mode". 2. Select the "User-specific IP rule sets" object in the navigation area. 3. Select the "Insert rule set" entry in the shortcut menu. 56 Getting Started, 04/2012, C79000-G8976-C287-01

57 Firewall in advanced mode 3.2 Creating user-specific firewall rules 4. Enter a rule set in the dialog as shown below: 5. From the "Available users" list, select the "Remote" user and click the "Add" button. To assign a rule set, follow the steps below: 1. Select the security module in the navigation area and holding down the left mouse button, drag it to the newly created user-specific firewall rule set. Getting Started, 04/2012, C79000-G8976-C

Firewall in advanced mode 3.2 Creating user-specific firewall rules 2. You can check the assignment by reopening the dialog for setting the module properties and selecting the "Firewall" tab.

58 Firewall in advanced mode 3.2 Creating user-specific firewall rules 2. You can check the assignment by reopening the dialog for setting the module properties and selecting the "Firewall" tab. The user-specific firewall rule was saved in the "IP rules" tab. 3. If you click the "Expand rule sets" button, you can view the rule set in detail. Result: The offline configuration is complete Downloading the configuration to the security module Follow the steps below: 1. Select the module in the content area. 2. Select the "Transfer" > "To module..." menu command. 3. Start the download with the "Start" button. If the download was completed free of errors, the SCALANCE S module is restarted automatically and the new configuration activated. Result: SCALANCE S in productive operation The SCALANCE S is now in productive operation. This mode is indicated by the Fault display being lit green. 58 Getting Started, 04/2012, C79000-G8976-C287-01

Firewall in advanced mode 3.2 Creating user-specific firewall rules 3.2.8 Logging in on the Web page Logging on via Web page 1. In the Web browser of PC1, enter the address "https://192.168.1.1". 2.

59 Firewall in advanced mode 3.2 Creating user-specific firewall rules Logging in on the Web page Logging on via Web page 1. In the Web browser of PC1, enter the address " 2. In the following window, enter the user name "Remote" and the corresponding password. 3. The predefined firewall rule set is enabled for the "Remote" user. Access from PC1 in the external network to PC2 in the internal network is allowed Test the firewall function (ping test) How can you test the configured function? The function can be tested as described below using a ping command. As an alternative, you can also use other communication programs to test the configuration. NOTICE In Windows, the firewall can be set so that as default the ping commands do not pass through. If necessary, you will need to enable the ICMP services of the type "Request" and "Response". Getting Started, 04/2012, C79000-G8976-C

60 Firewall in advanced mode 3.2 Creating user-specific firewall rules Testing Now test the function of the firewall configuration as follows: 1. On PC1, call up the menu command "Start" >"All Programs" > "Accessories" > "Command Prompt". 2. Enter the ping command from PC1 to PC2 (IP address ) In the command line of the "Command Prompt" window, enter the command "ping " at the cursor position: You will then receive the following message (positive reply from PC2): Result If the IP packets have reached PC1, the "Ping statistics for " display the following: Sent = 4 Received = 4 Lost = 0 (0% loss) Due to the configuration, the ping packets can pass from the external network to the internal network. The PC in the internal network has replied to the ping packets. Due to the "stateful inspection" function of the firewall, the reply packets arriving from the internal network are automatically passed into the external network. 60 Getting Started, 04/2012, C79000-G8976-C287-01

61 Firewall in advanced mode 3.3 CP x43-1 Advanced as firewall and NAT router 3.3 CP x43-1 Advanced as firewall and NAT router Overview In this example, you configure the NAT router mode. You configure in the "advanced mode" configuration view. With this configuration, you have the situation that all the packets sent from the internal subnet to the PC1 node in the external network are allowed to pass the firewall. The packets are forwarded to the outside with an IP address translated to the IP address of the security module and with a dynamically assigned port number. Only the replies to these packets is allowed to pass from the external network. You will also see how to define a global set of rules and assign it to a module. Setting up the test network Getting Started, 04/2012, C79000-G8976-C

62 Firewall in advanced mode 3.3 CP x43-1 Advanced as firewall and NAT router Internal network - attachment to the internal port of the security module In the test setup, in the internal network, the network node is implemented by one PC connected to the internal port of the security module. PC2: Represents a node in the internal network Security module: CP x43-1 to protect the internal network External network - attachment to the external port of the security module The public, external network is connected to the external port of the security module. PC1: PC with the Security Configuration Tool and STEP 7 Requirement: To be able to work through the example, the following requirements must be met: The Security Configuration Tool configuration software is installed on PC1. STEP 7 is installed on PC1 and a STEP 7 project with the security module has already been created. The IP address of PC1 must be in the same subnet as the gigabit address of the security module. CP x43-1 has the following settings in STEP 7: Gigabit IP address: , subnet mask: PROFINET IP address: , subnet mask: Overview of the next steps: 62 Getting Started, 04/2012, C79000-G8976-C287-01

63 Firewall in advanced mode 3.3 CP x43-1 Advanced as firewall and NAT router Make the IP settings for the PCs For the test, the PCs are given the following IP address settings: PC IP address Subnet mask Default gateway PC PC For standard gateway, specify the IP addresses that will be assigned to the security module for the internal and external interface in the subsequent project engineering: PC1 uses the external interface. PC2 uses the internal interface. Follow the steps below for PC1 and PC2: 1. On the relevant PC, open the Control Panel with the menu command "Start" > "Control Panel". 2. Click "Network and Sharing Center" and select the "Change Adapter Settings" option in the navigation menu on the left. 3. In the "Local Area Connection Properties" dialog, enable the "Internet Protocol Version 4 (TCP/IPv4)" check box. Getting Started, 04/2012, C79000-G8976-C

64 Firewall in advanced mode 3.3 CP x43-1 Advanced as firewall and NAT router 4. Click the "Properties" button. 5. In the "Internet Protocol Version 4 (TCP/IPv4) Properties" dialog, select the "Use the following IP address" radio button: off. 6. Enter the values assigned to the PC from the table "Make the IP settings for the PCs" in the relevant boxes. 7. Close the dialogs with "OK" and close the Control Panel Create the project and module Follow the steps below: 1. In the "Security" tab of the object properties, enable the "Enable security" check box. 64 Getting Started, 04/2012, C79000-G8976-C287-01

Firewall in advanced mode 3.3 CP x43-1 Advanced as firewall and NAT router 2. In the dialog that follows, create a new user with a user name and the corresponding password.

65 Firewall in advanced mode 3.3 CP x43-1 Advanced as firewall and NAT router 2. In the dialog that follows, create a new user with a user name and the corresponding password. The "administrator" role is assigned to the user automatically. Confirm your entries with "OK". Result: A new security project is created. 3. In HW Config, open the Security Configuration Tool with the "Edit" > "Security Configuration Tool" menu command. Result: The security module will then be displayed in the list of configured modules Configuring the NAT router mode The common use case in which all internal nodes send packets to the external network and keep their IP addresses hidden by the NAT functionality is preconfigured on the security module. Below, you will see how to enable this behavior. To enable NAT router mode for internal nodes - follow the steps below: Configure the required address translation for NAT mode. 1. Change the configuration view to advanced mode with the menu command "View" > "Advanced mode". 2. Select the "NAT" tab. Getting Started, 04/2012, C79000-G8976-C

66 Firewall in advanced mode 3.3 CP x43-1 Advanced as firewall and NAT router 3. Select the options "NAT active" and "Allow all internal nodes access to the outside" in the "NAT" input area. An entry has been added to the end of the address translation list in the "NAT" input area. The "*" entry in the "internal IP address" column stands for all nodes in the internal network. 4. Close the dialog with "OK". Now set the firewall so that the frames are allowed to pass from internal to external. 66 Getting Started, 04/2012, C79000-G8976-C287-01

67 Firewall in advanced mode 3.3 CP x43-1 Advanced as firewall and NAT router Configure the firewall In this example, define a set of rules that allows the traffic from the internal node (PC2) to the node in the external network (PC1). You will also see how to define a global set of rules and assign it to a module. Once the rule set has been defined, it can be assigned to other modules in the same project using dragand-drop. To define a global rule set, follow the steps below: 1. Expand the "Global firewall rule sets" in the navigation area and select "Firewall IP rule sets". 2. Select the "Insert rule set" entry in the shortcut menu. Getting Started, 04/2012, C79000-G8976-C

Firewall in advanced mode 3.3 CP x43-1 Advanced as firewall and NAT router 3. Enter a rule set in the dialog as shown below: 4. In the row of the new rule set, select the "Log" check box.

68 Firewall in advanced mode 3.3 CP x43-1 Advanced as firewall and NAT router 3. Enter a rule set in the dialog as shown below: 4. In the row of the new rule set, select the "Log" check box. Result: Packet filter logging is enabled. Packets to which the defined rule is applied are logged. You will use this log in the example shown here in the final test of the configuration. 5. Close the dialog with "OK". To assign a global rule set, follow the steps below: 1. Select the security module in the navigation area and holding down the left mouse button, drag it to the newly created global firewall rule set. 68 Getting Started, 04/2012, C79000-G8976-C287-01

69 Firewall in advanced mode 3.3 CP x43-1 Advanced as firewall and NAT router 2. You can check the assignment by reopening the dialog for setting the module properties and selecting the "Firewall" tab. The global firewall rule was saved in the "IP rules" tab. 3. If you click the "Expand rule sets" button, you can view the rule set in detail. 4. Select the "Enable firewall" check box. Result: The offline configuration is complete Downloading the configuration to the security module Follow the steps below: 1. Close the Security Configuration Tool. 2. In HW Config, select the "Station" > "Save and Compile" menu. 3. Download the new configuration to the security module using the "PLC" > "Download to Module" menu. If the download was completed free of errors, the security module restarts automatically and the new configuration is activated. Getting Started, 04/2012, C79000-G8976-C

70 Firewall in advanced mode 3.3 CP x43-1 Advanced as firewall and NAT router Result: Security module in productive mode The commissioning of the configuration is complete. The security module protects the internal network (PC2). Outgoing IP traffic from the internal to the external network is allowed Test the NAT router function (ping test) How can you test the configured function? The function can be tested as described below using a ping command. To be able to recognize the effects of the NAT router mode, use the packet filter logging on the firewall interface. A reminder: In the definition of the global firewall rule, you have already enabled the packet filter logging option. Note on the ping command: As an alternative, you can also use other communication programs to test the configuration. NOTICE In Windows, the firewall can be set so that as default the ping commands do not pass through. If necessary, you will need to enable the ICMP services of the type "Request" and "Response". Test part 1 - sending the ping command Now test the function of the NAT router mode in IP data traffic from the internal to the external network as follows: 1. On PC2, call up the menu command "Start" >"All Programs" > "Accessories" > "Command Prompt". 70 Getting Started, 04/2012, C79000-G8976-C287-01

Firewall in advanced mode 3.3 CP x43-1 Advanced as firewall and NAT router 2. Enter the Ping command from PC2 to PC1 (IP address 140.

71 Firewall in advanced mode 3.3 CP x43-1 Advanced as firewall and NAT router 2. Enter the Ping command from PC2 to PC1 (IP address ) In the command line of the "Command Prompt" window, enter the command "ping " at the cursor position. You will then receive the following message (positive reply from PC1): Test part 2 - evaluating the result 1. Change to online mode in the Security Configuration Tool with the "View" > "Online" menu command. 2. Select the module you want to edit and then select the menu command "Edit" > "Online diagnostics" to open the online dialog. 3. Select the "Packet Filter Log" tab. 4. Click the "Start Reading" button. 5. Acknowledge the displayed dialog with "OK". Result: The log entries are read from the security module and displayed here. Getting Started, 04/2012, C79000-G8976-C

72 Firewall in advanced mode 3.4 Example with a CP 1628 and CP x Example with a CP 1628 and CP x Overview In this example, configuration is in the "Advanced mode" configuration view. With this configuration, you have the situation that all the frames sent by the PC2 node to security module 1 and vice versa are allowed to pass the firewall. In addition to this, PC1 is allowed to access PC2 and security module 1. Setting up the test network Security module 1: CP x43-1 Advanced PC1: PC with the Security Configuration Tool and STEP 7 PC2 with security module 2: PC with CP 1628 Requirement: To be able to work through the example, the following requirements must be met: The Security Configuration Tool configuration software is installed on PC1. STEP 7 is installed on PC1 and a STEP 7 project has already been created. In the STEP 7 project, a specified TCP/IP S7 connection between the CP 1628 (PC2) and CP x43-1 has been created. The CP 1628 is the active node. 72 Getting Started, 04/2012, C79000-G8976-C287-01

73 Firewall in advanced mode 3.4 Example with a CP 1628 and CP x43-1 CP 1628 has the following settings in STEP 7: IP address Industrial Ethernet: , subnet mask: The NDIS IP address is set up in the IP settings of the PC. CP x43-1 has the following settings in STEP 7: Gigabit IP address: , subnet mask: PROFINET IP address: , subnet mask: Overview of the next steps: Make the IP settings for the PCs For the test, the PCs are given the following IP address settings: PC IP address Subnet mask PC PC2 NDIS: Follow the steps below for PC1 and PC2: 1. On the relevant PC, open the Control Panel with the menu command "Start" > "Control Panel". 2. Click "Network and Sharing Center" and select the "Change Adapter Settings" option in the navigation menu on the left. 3. In the "Local Area Connection Properties" dialog, enable the "Internet Protocol Version 4 (TCP/IPv4)" check box. Getting Started, 04/2012, C79000-G8976-C

74 Firewall in advanced mode 3.4 Example with a CP 1628 and CP x Click the "Properties" button. 5. In the "Internet Protocol Version 4 (TCP/IPv4) Properties" dialog, select the "Use the following IP address" radio button: off. 6. Enter the values assigned to the PC from the table "Make the IP settings for the PCs" in the relevant boxes. 7. Close the dialogs with "OK" and close the Control Panel Create the project and module Follow the steps below: 1. In the "Security" tab of the object properties of the CP 1628, enable the "Enable security" check box. 2. In the dialog that follows, create a new user with a user name and the corresponding password. The "administrator" role is assigned to the user automatically. Confirm your entries with "OK". Result: A new security project is created. 74 Getting Started, 04/2012, C79000-G8976-C287-01

75 Firewall in advanced mode 3.4 Example with a CP 1628 and CP x Change to the object properties of the CP x43-1 and select the "Enable security" check box on the "Security" tab. 4. In HW Config, open the Security Configuration Tool with the "Edit" > "Security Configuration Tool" menu command. Result: The security modules will then be displayed in the list of configured modules Configure the firewall In this example, define the required firewall rules: To define firewall rules for the CP follow the steps below: 1. Select the "CP 1628" row in the content area. 2. Select the "Edit" > "Properties..." menu command. Getting Started, 04/2012, C79000-G8976-C

Firewall in advanced mode 3.4 Example with a CP 1628 and CP x43-1 3. Select the "Firewall" tab in the displayed dialog. 4. Enable the option shown below.

Select the "CP 443-1-Advanced" row in the content area. 2. Select the "Edit" > "Properties..." menu command. 3. Select the "Firewall" tab in the displayed dialog. 4. Enable the option shown below.

76 Firewall in advanced mode 3.4 Example with a CP 1628 and CP x Select the "Firewall" tab in the displayed dialog. 4. Enable the option shown below. The first two rules are created automatically for the configured connection. To define firewall rules for the CP x follow the steps below: 1. Select the "CP Advanced" row in the content area. 2. Select the "Edit" > "Properties..." menu command. 3. Select the "Firewall" tab in the displayed dialog. 4. Enable the option shown below. The first two rules are created automatically for the configured connection. Result: The offline configuration is complete Downloading the configuration to the security module Follow the steps below: 1. Close the Security Configuration Tool. 2. In HW Config, select the "Station" > "Save and Compile" menu. 3. Download the new configuration to the security module using the "PLC" > "Download to Module" menu. 4. Perform steps 2-3 for the second CP. 76 Getting Started, 04/2012, C79000-G8976-C287-01

77 Firewall in advanced mode 3.4 Example with a CP 1628 and CP x43-1 If the download was completed free of errors, the security modules restart automatically and the new configuration is activated. Result: Security module in productive mode The commissioning of the configuration is complete. The security module 2 protects PC2. Outgoing IP traffic from the CP 1628 (security module 2) to the CP x43-1 (security module 1) is permitted Test the firewall function (ping test) How can you test the configured function? The function can be tested as described below using a ping command. As an alternative, you can also use other communication programs to test the configuration. NOTICE In Windows, the firewall can be set so that as default the ping commands do not pass through. If necessary, you will need to enable the ICMP services of the type "Request" and "Response". Test phase 1 Now test the function of the firewall configuration, first with allowed outgoing IP data traffic as follows: 1. On PC2, call up the menu command "Start" >"All Programs" > "Accessories" > "Command Prompt". 2. Enter the ping command from PC2 to the CP x43-1 (IP address ) In the command line of the "Command Prompt" window, enter the command "ping " at the cursor position. You will then receive the following message (positive reply from CP x43-1): Getting Started, 04/2012, C79000-G8976-C

78 Firewall in advanced mode 3.4 Example with a CP 1628 and CP x43-1 Result If the IP packets have reached the CP x43-1, the "Ping statistics for " display the following: Sent = 4 Received = 4 Lost = 0 (0% loss) Due to the configuration, the ping frames from PC2 can reach the CP x43-1. The CP x43-1 has replied to the ping frames. Due to the "stateful inspection" function of the firewall, the reply frames arriving from the CP x43-1 are automatically forwarded to PC2. Test part 2 - evaluating the result 1. Change to online mode in the Security Configuration Tool with the "View" > "Online" menu command. 2. Select the module you want to edit and then select the menu command "Edit" > "Online diagnostics" to open the online dialog. 3. Select the "Packet Filter Log" tab. 4. Click the "Start Reading" button. 5. Acknowledge the displayed dialog with "OK". Result: The log entries are read from the security module and displayed here. 78 Getting Started, 04/2012, C79000-G8976-C287-01

79 Configuring a VPN tunnel VPN tunnel between SCALANCE S and SCALANCE S Overview In this example, the tunnel function is configured in the "standard mode" project engineering view. Security module 1 and security module 2 are the two tunnel endpoints for the secure tunnel connection in this example. With this configuration, IP traffic and layer 2 traffic (bridge mode only) is possible only over the established tunnel connections with authorized partners. Setting up the test network Getting Started, 04/2012, C79000-G8976-C

80 Configuring a VPN tunnel 4.1 VPN tunnel between SCALANCE S and SCALANCE S Internal network - attachment to an internal port of the security module In the test setup, in the internal network, each network node is implemented by one PC connected to the internal port of the security module. PC1: Represents a node in internal network 1 PC2: Represents a node in internal network 2 Security module 1: SCALANCE S module (not S602) for protection of the internal network 1 Security module 2: SCALANCE S module (not S602) for protection of the internal network 2 External network - attachment to the external port of the security module The public, external network is connected to the external port of the security module. PC3: PC with the Security Configuration Tool Required devices/components: Use the following components to set up to the network: 2 x SCALANCE S modules (not S602), (optional: one or two suitably installed standard rails with fittings); 1 x or 2 x 24 V power supplies with cable connections and terminal block plugs (both modules can also be operated from a common power supply); 1 x PC on which the "Security Configuration Tool" is installed; 2 x PCs in the internal networks to test the configuration; 1 x network hub or switch to set up the network connections with the two security modules and the PCs/PGs; The required network cable, TP cable (twisted pair) complying with the IE FC RJ-45 standard for Industrial Ethernet. Overview of the next steps: 80 Getting Started, 04/2012, C79000-G8976-C287-01

81 Configuring a VPN tunnel 4.1 VPN tunnel between SCALANCE S and SCALANCE S Set up SCALANCE S and the network Follow the steps outlined below: 1. First unpack the SCALANCE S devices and check that they are undamaged. 2. Connect the power supply to the SCALANCE S. Result: After connecting the power, the Fault LED (F) is lit yellow. WARNING The SCALANCE S is designed for operation with safety extra-low voltage. This means that only safety extra-low voltages (SELV) complying with IEC950/EN60950/ VDE0805 can be connected to the power supply terminals. The power supply unit to supply the SCALANCE S must comply with NEC Class 2 (voltage range V, current requirement approx. 250 ma). 1. Now establish the physical network connections by plugging the network cable connectors into the ports being used (RJ-45 jacks): Connect PC1 with port 2 of module 1 and PC2 with port 2 of module 2. Connect port 1 of module 1 and port 1 of module 2 with the hub/switch. Connect PC3 to the hub/switch as well. 2. Now turn on the PCs. NOTICE The Ethernet attachments at port 1 and port 2 are handled differently by the SCALANCE S and must not be swapped over when connecting to the communication network: Port 1 - external network Upper RJ-45 jack, marked red = unprotected network area; Port 2 - internal network Lower RJ-45 jack, marked green = network protected by SCALANCE S; If the ports are swapped over, the device loses its protective function. Getting Started, 04/2012, C79000-G8976-C

82 Configuring a VPN tunnel 4.1 VPN tunnel between SCALANCE S and SCALANCE S Make the IP settings for the PCs For the test, the PCs are given the following IP address settings: PC IP address Subnet mask PC PC PC Follow the steps below for PC1, PC2, and PC3: 1. On the relevant PC, open the Control Panel with the menu command "Start" > "Control Panel". 2. Click "Network and Sharing Center" and select the "Change Adapter Settings" option in the navigation menu on the left. 3. In the "Local Area Connection Properties" dialog, enable the "Internet Protocol Version 4 (TCP/IPv4)" check box. 4. Click the "Properties" button. 82 Getting Started, 04/2012, C79000-G8976-C287-01

83 Configuring a VPN tunnel 4.1 VPN tunnel between SCALANCE S and SCALANCE S 5. In the "Internet Protocol Version 4 (TCP/IPv4) Properties" dialog, select the "Use the following IP address" radio button: off. 6. Enter the values assigned to the PC from the table "Make the IP settings for the PCs" in the relevant boxes. 7. Close the dialogs with "OK" and close the Control Panel Create the project and modules Follow the steps below: 1. Install and start the Security Configuration Tool on PC3. 2. Select the "Project" > "New" menu command. 3. In the dialog that follows, create a new user with a user name and the corresponding password. The "administrator" role is assigned to the user automatically. Confirm your entries with "OK". Result: A new project is created. The "Selection of a module or software configuration" dialog opens. 4. Configure the product type, module and firmware release and close the dialog with "OK". 5. Create a second module. Result: The modules will then be displayed in the list of configured modules. The name and parameters are assigned automatically based on the default settings of the project. 6. In the navigation area, click on "All Modules" and then on the row with "Module1" in the content area. Getting Started, 04/2012, C79000-G8976-C

84 Configuring a VPN tunnel 4.1 VPN tunnel between SCALANCE S and SCALANCE S 7. Click on the "MAC Address" column and enter the MAC address in the specified format. The MAC address is printed on the front of the SCALANCE S module (see figure). 8. Click in the "IP address ext." column and enter this along with the external subnet mask in the required format: For module 1: IP address: subnet mask: For module 2: IP address: subnet mask: Repeat steps 6 to 8 for "Module 2". 84 Getting Started, 04/2012, C79000-G8976-C287-01

85 Configuring a VPN tunnel 4.1 VPN tunnel between SCALANCE S and SCALANCE S Configuring a tunnel connection Two security modules can establish an IPsec tunnel for secure communication when they are assigned to the same group in the project. Follow the steps outlined below: 1. Select "VPN groups" in the navigation area and create a new group with the menu command "Insert" > "Group". The group is automatically given the name "Group1". 2. Select the first security module in the content area and drag it to "Group1" in the navigation area. The module is now assigned to this group (is a member of the group). The color of the key symbol changes from gray to blue. 3. Select the second security module in the content area and drag it to "Group1" in the navigation area. The module is now also assigned to this group. 4. Save the project with the menu command "Project" > "Save As..." under a meaningful name. The configuration of the tunnel connection is complete Download the configuration to the SCALANCE S module Follow the steps below: 1. Using the menu command "Transfer" > "To all modules...", open the following dialog: Getting Started, 04/2012, C79000-G8976-C

86 Configuring a VPN tunnel 4.1 VPN tunnel between SCALANCE S and SCALANCE S 2. Select the two modules using the "Select All" button. 3. Start the download with the "Start" button. If the download was completed free of errors, the SCALANCE S is restarted automatically and the new configuration activated. Result: SCALANCE S in productive operation The SCALANCE S is now in productive operation. This mode is indicated by the Fault LED being lit green. The configuration has now been commissioned and the two SCALANCE S modules can now establish a communication tunnel over which network nodes from the two internal networks can communicate Test the tunnel function (ping test) How can you test the configured function? The function can be tested as described below using a ping command. As an alternative, you can also use other communication programs to test the configuration. NOTICE In Windows, the firewall can be set so that as default the ping commands do not pass through. If necessary, you will need to enable the ICMP services of the type "Request" and "Response". 86 Getting Started, 04/2012, C79000-G8976-C287-01

87 Configuring a VPN tunnel 4.1 VPN tunnel between SCALANCE S and SCALANCE S Test phase 1 Now test the function of the tunnel connection established between PC1 and PC2: 1. On PC1, call up the menu command "Start" >"All Programs" > "Accessories" > "Command Prompt". 2. Enter the Ping command from PC1 to PC2 (IP address ) In the command line of the "Command Prompt" window, enter the command "ping " at the cursor position. You will then receive the following message (positive reply from PC2): Result If the IP packets have reached PC2, the "Ping statistics for " display the following: Sent = 4 Received = 4 Lost = 0 (0% loss) Since no other communication is permitted, these packets must have been transported through the VPN tunnel. Test phase 2 Repeat the test by sending a ping command from PC3. 1. On PC3, call up the menu command "Start" >"All Programs" > "Accessories" > "Command Prompt". Getting Started, 04/2012, C79000-G8976-C

88 Configuring a VPN tunnel 4.1 VPN tunnel between SCALANCE S and SCALANCE S 2. Send the same ping command again ("ping ") in the Command Prompt window of PC3. You will then receive the following message (no reply from PC2): Result The IP frames from PC3 cannot reach PC2 since neither tunnel communication between these two devices is configured nor is normal IP data traffic permitted. This is shown in the "Ping statistics" for as follows: Sent = 4 Received = 0 Lost = 4 (100% loss) 88 Getting Started, 04/2012, C79000-G8976-C287-01

89 Configuring a VPN tunnel 4.2 VPN tunnel between CP 1628 and CP x VPN tunnel between CP 1628 and CP x Overview In this example, the tunnel function is configured in the "standard mode" project engineering view. Security module 1 and security module 2 are the two tunnel endpoints for the secure tunnel connection in this example. With this configuration, IP traffic and layer 2 traffic is possible only over the established tunnel connections with authorized partners of a VPN group. Setting up the test network PC1 with security module 1: PC with CP 1628 PC2: PC with the Security Configuration Tool and STEP 7 Security module 2: CP x43-1 Requirement: To be able to work through the example, the following requirements must be met: The Security Configuration Tool configuration software is installed on PC2. STEP 7 is installed on PC2 and a STEP 7 project has already been created. The CPs have the current time of day and the current date. Getting Started, 04/2012, C79000-G8976-C

90 Configuring a VPN tunnel 4.2 VPN tunnel between CP 1628 and CP x43-1 CP 1628 has the following settings in STEP 7: IP address Industrial Ethernet: , subnet mask: The NDIS IP address is set up in the IP settings of the PC. CP x43-1 has the following settings in STEP 7: Gigabit IP address: , subnet mask: PROFINET IP address: , subnet mask: Overview of the next steps: Make the IP settings for the PCs For the test, the PCs are given the following IP address settings: PC IP address Subnet mask PC1 NDIS: PC Follow the steps below for PC1 and PC2: 1. On the relevant PC, open the Control Panel with the menu command "Start" > "Control Panel". 2. Click "Network and Sharing Center" and select the "Change Adapter Settings" option in the navigation menu on the left. 3. In the "Local Area Connection Properties" dialog, enable the "Internet Protocol Version 4 (TCP/IPv4)" check box. 90 Getting Started, 04/2012, C79000-G8976-C287-01

91 Configuring a VPN tunnel 4.2 VPN tunnel between CP 1628 and CP x Click the "Properties" button. 5. In the "Internet Protocol Version 4 (TCP/IPv4) Properties" dialog, select the "Use the following IP address" radio button: off. 6. Enter the values assigned to the PC from the table "Make the IP settings for the PCs" in the relevant boxes. 7. Close the dialogs with "OK" and close the Control Panel Create the project and modules Follow the steps below: 1. In the "Security" tab of the object properties of the CP 1628, enable the "Enable security" check box. 2. In the dialog that follows, create a new user with a user name and the corresponding password. The "administrator" role is assigned to the user automatically. Confirm your entries with "OK". 3. Result: A new security project is created. Getting Started, 04/2012, C79000-G8976-C

Configuring a VPN tunnel 4.2 VPN tunnel between CP 1628 and CP x43-1 4. Change to the object properties of the CP x43-1 and select the "Enable security" check box on the "Security" tab. 5.

4.2.4 Configuring a tunnel connection Two security modules can establish an IPsec tunnel for secure communication when they are assigned to the same VPN group in the project.

92 Configuring a VPN tunnel 4.2 VPN tunnel between CP 1628 and CP x Change to the object properties of the CP x43-1 and select the "Enable security" check box on the "Security" tab. 5. In HW Config, open the Security Configuration Tool with the "Edit" > "Security Configuration Tool" menu command. Result: The security modules will then be displayed in the list of configured modules Configuring a tunnel connection Two security modules can establish an IPsec tunnel for secure communication when they are assigned to the same VPN group in the project. Follow the steps outlined below: 1. Select "VPN groups" in the navigation area and create a new group with the menu command "Insert" > "Group". The group is automatically given the name "Group1". 2. In the navigation area, click "All Modules" and then on the row with the first CP. 3. Drag the CP to "Group1" in the navigation area. The module is now assigned to this group (is a member of the group). The color of the key symbol changes from gray to blue. 4. Select the second CP in the content area and drag it to "Group1" in the navigation area. Result: The second CP is now also assigned to this group and the configuration of the tunnel connection is complete. 92 Getting Started, 04/2012, C79000-G8976-C287-01

93 Configuring a VPN tunnel 4.2 VPN tunnel between CP 1628 and CP x Downloading the configuration to the security module Follow the steps below: 1. Close the Security Configuration Tool. 2. In HW Config, select the "Station" > "Save and Compile" menu. 3. Download the new configuration to the security module using the "PLC" > "Download to Module" menu. 4. Perform steps 2-3 for the second CP. If the download was completed free of errors, the security modules restart automatically and the new configuration is activated. Result: Security modules in productive mode Commissioning the configuration is therefore completed and the two security modules can establish a communications tunnel Test the tunnel function (ping test) How can you test the configured function? The function can be tested as described below using a ping command. As an alternative, you can also use other communication programs to test the configuration. NOTICE In Windows, the firewall can be set so that as default the ping commands do not pass through. If necessary, you will need to enable the ICMP services of the type "Request" and "Response". Test phase 1 Now test the function of the tunnel connection established between PC1 and security module 2: 1. On PC1, call up the menu command "Start" >"All Programs" > "Accessories" > "Command Prompt". Getting Started, 04/2012, C79000-G8976-C

94 Configuring a VPN tunnel 4.2 VPN tunnel between CP 1628 and CP x Enter the ping command from PC1 to security module 2 (IP address ) In the command line of the "Command Prompt" window, enter the command "ping " at the cursor position. You will then receive the following message (positive reply from security module 2): Result If the IP packets have reached security module 2, the "Ping statistics for " display the following: Sent = 4 Received = 4 Lost = 0 (0% loss) Since no other communication is permitted, these packets must have been transported through the VPN tunnel. Test phase 2 Repeat the test by sending a ping command from PC2. 1. On PC2, call up the menu command "Start" >"All Programs" > "Accessories" > "Command Prompt". 94 Getting Started, 04/2012, C79000-G8976-C287-01

95 Configuring a VPN tunnel 4.2 VPN tunnel between CP 1628 and CP x Send the same ping command again ("ping ") in the Command Prompt window of PC2. You will then receive the following message (no reply from security module 2): Result The IP frames from PC2 cannot reach security module 2 since neither tunnel communication between these two devices is configured nor is normal IP data traffic permitted. This is shown in the "Ping statistics" for as follows: Sent = 4 Received = 0 Lost = 4 (100% loss) Getting Started, 04/2012, C79000-G8976-C

96 Configuring a VPN tunnel 4.3 VPN tunnel between SCALANCE S and CP 4.3 VPN tunnel between SCALANCE S and CP Overview In this example, the tunnel function is configured in the "standard mode" project engineering view. Security module 1 and security module 2 are the two tunnel endpoints for the secure tunnel connection in this example. With this configuration, IP traffic and layer 2 traffic is possible only over the established tunnel connections with authorized partners. Setting up the test network 96 Getting Started, 04/2012, C79000-G8976-C287-01

97 Configuring a VPN tunnel 4.3 VPN tunnel between SCALANCE S and CP Internal network - attachment to the internal port of the security module In the test setup, in the internal network, each network node is implemented by one PC connected to the internal port of the security module. PC1: Represents a node in internal network 1 PC2: Represents a node in internal network 2 Security module 1: SCALANCE S module (not S602) for protection of the internal network 1 Security module 2: CP x43-1 to protect the internal network 2 External network - attachment to an external port of the security module The public, external network is connected to an external port of the security module. PC3: PC with the Security Configuration Tool and STEP 7 Requirement: To be able to work through the example, the following requirements must be met: The Security Configuration Tool configuration software is installed on PC3. CP x43-1 has the following settings in STEP 7: Gigabit IP address: , subnet mask: PROFINET IP address: , subnet mask: Overview of the next steps: Getting Started, 04/2012, C79000-G8976-C

98 Configuring a VPN tunnel 4.3 VPN tunnel between SCALANCE S and CP Setting up the security module and network Follow the steps outlined below: 1. Now establish the physical network connections by plugging the network cable connectors into the ports being used (RJ-45 jacks): Connect PC1 to an internal port of security module 1 and PC2 to an internal port of security module 2. Connect the external port of security module 1 and the external port of security module 2 to the hub/switch. Connect PC3 to the hub/switch as well. 2. Now turn on the PCs. NOTICE The Ethernet attachments at internal and external port are handled differently by the security module and must not be swapped over when connecting to the communication network: If the ports are swapped over, the device loses its protective function Make the IP settings for the PCs For the test, the PCs are given the following IP address settings: PC IP address Subnet mask Default gateway PC PC PC Follow the steps below for PC1, PC2, and PC3: 1. On the relevant PC, open the Control Panel with the menu command "Start" > "Control Panel". 2. Click "Network and Sharing Center" and select the "Change Adapter Settings" option in the navigation menu on the left. 3. In the "Local Area Connection Properties" dialog, enable the "Internet Protocol Version 4 (TCP/IPv4)" check box. 98 Getting Started, 04/2012, C79000-G8976-C287-01

99 Configuring a VPN tunnel 4.3 VPN tunnel between SCALANCE S and CP 4. Click the "Properties" button. 5. In the "Internet Protocol Version 4 (TCP/IPv4) Properties" dialog, select the "Use the following IP address" radio button: off. 6. Enter the values assigned to the PC from the table "Make the IP settings for the PCs" in the relevant boxes. 7. Close the dialogs with "OK" and close the Control Panel Create the project and modules Follow the steps below: 1. In the "Security" tab of the object properties, enable the "Enable security" check box. 2. In the dialog that follows, create a new user with a user name and the corresponding password. The "administrator" role is assigned to the user automatically. Confirm your entries with "OK". Result: A new project is created. Getting Started, 04/2012, C79000-G8976-C

Configuring a VPN tunnel 4.3 VPN tunnel between SCALANCE S and CP 3. In HW Config, open the Security Configuration Tool with the "Edit" > "Security Configuration Tool" menu command.

100 Configuring a VPN tunnel 4.3 VPN tunnel between SCALANCE S and CP 3. In HW Config, open the Security Configuration Tool with the "Edit" > "Security Configuration Tool" menu command. Result: The created CP will then be displayed in the list of configured modules. 4. In the Security Configuration Tool, use the "Insert" > "Module" menu command to create a SCALANCE S module with the following parameters: IP address (ext.): , subnet mask (ext.): In addition to this, enter the MAC address printed on the front of the security module. Result: The CP and the SCALANCE S module are displayed in the Security Configuration Tool in the list of configured modules Configuring a tunnel connection Two security modules can establish an IPsec tunnel for secure communication when they are assigned to the same group in the project. Follow the steps outlined below: 1. Select "VPN groups" in the navigation area and create a new group with the menu command "Insert" > "Group". The group is automatically given the name "Group1". 2. In the navigation area, click on "All Modules" and then on the SCALANCE S module in the content area. 100 Getting Started, 04/2012, C79000-G8976-C287-01

101 Configuring a VPN tunnel 4.3 VPN tunnel between SCALANCE S and CP 3. Drag it to "Group1" in the navigation area. The module is now assigned to this group (is a member of the group). The color of the key symbol changes from gray to blue. 4. Select the CP in the content area and drag it to "Group1" in the navigation area. Result: The CP is now also assigned to this group and the configuration of the tunnel connection is complete Downloading the configuration to the security module SCALANCE S - follow the steps below: 1. In STEP 7, open the Security Configuration Tool with the "Edit" > "Security Configuration Tool" menu command. 2. Using the menu command "Transfer" > "To all modules...", open the following dialog: The SCALANCE S module is displayed in the list. 1. Select the SCALANCE S module. 2. Start the download with the "Start" button. If the download was completed free of errors, the SCALANCE S module is restarted automatically and the new configuration activated. CP - follow the steps below: 1. Close the Security Configuration Tool. 2. In HW Config, select the "Station" > "Save and Compile" menu. 3. Download the new configuration to the security module using the "PLC" > "Download to Module" menu. Getting Started, 04/2012, C79000-G8976-C

102 Configuring a VPN tunnel 4.3 VPN tunnel between SCALANCE S and CP If the download was completed free of errors, the security module restarts automatically and the new configuration is activated. Result: Security modules in productive mode The configuration has now been commissioned and the two security modules can now establish a communication tunnel over which network nodes from the two internal networks can communicate Test the tunnel function (ping test) How can you test the configured function? The function can be tested as described below using a ping command. As an alternative, you can also use other communication programs to test the configuration. NOTICE In Windows, the firewall can be set so that as default the ping commands do not pass through. If necessary, you will need to enable the ICMP services of the type "Request" and "Response". Test phase 1 Now test the function of the tunnel connection established between PC1 and PC2: 1. On PC1, call up the menu command "Start" >"All Programs" > "Accessories" > "Command Prompt". 2. Enter the Ping command from PC1 to PC2 (IP address ) In the command line of the "Command Prompt" window, enter the command "ping " at the cursor position. You will then receive the following message (positive reply from PC2): 102 Getting Started, 04/2012, C79000-G8976-C287-01

103 Configuring a VPN tunnel 4.3 VPN tunnel between SCALANCE S and CP Result If the IP frames have reached PC2, the "Ping statistics for " display the following: Sent = 4 Received = 4 Lost = 0 (0% loss) Since no other communication is permitted, these packets must have been transported through the VPN tunnel. Test phase 2 Repeat the test by sending a ping command from PC3. 1. On PC3, call up the menu command "Start" >"All Programs" > "Accessories" > "Command Prompt". 2. Send the same ping command again ("ping ") in the Command Prompt window of PC3. You will then receive the following message (no reply from PC2): Result The IP frames from PC3 cannot reach PC2 since neither tunnel communication between these two devices is configured nor is normal IP data traffic permitted. This is shown in the "Ping statistics" for as follows: Sent = 4 Received = 0 Lost = 4 (100% loss) Getting Started, 04/2012, C79000-G8976-C

104 Configuring a VPN tunnel 4.4 VPN tunnel between all security products 4.4 VPN tunnel between all security products Overview In this example, the tunnel function is configured in the "standard mode" project engineering view. With this configuration, IP traffic is possible only over the established VPN tunnel connections between authorized partners or the individual VPN groups. Access from the service PG on which the SOFTNET Security Client is installed is allowed for all four security modules. 104 Getting Started, 04/2012, C79000-G8976-C287-01

105 Configuring a VPN tunnel 4.4 VPN tunnel between all security products VPN group VPN node 1 SCALANCE S 612 V3.0 CP Advanced GX30 V3.0 SOFTNET Security Client 2 CP Advanced GX31 V3.0 CP Advanced GX30 V3.0 SOFTNET Security Client 3 CP 1628 V1.0 CP Advanced GX31 V3.0 SOFTNET Security Client Requirement: To be able to work through the example, the following requirements must be met: The Security Configuration Tool configuration software and the SOFTNET Security Client are installed on PC2. All security modules have the current time of day and the current date. STEP 7 is installed on PC1 and a STEP 7 project with the following security modules has already been created. Security module IP address Subnet mask CP Advanced GX30 V3.0 Gigabit: PROFINET: CP Advanced GX31 V3.0 Gigabit: PROFINET: CP 1628 V1.0 Industrial Ethernet: Getting Started, 04/2012, C79000-G8976-C

106 Configuring a VPN tunnel 4.4 VPN tunnel between all security products Overview of the next steps: Make the IP settings for the PCs For the test, the PCs are given the following IP address settings: IP address Subnet mask PC PC Follow the steps below for PC1 and PC2: 1. On the relevant PC, open the Control Panel with the menu command "Start" > "Control Panel". 2. Click "Network and Sharing Center" and select the "Change Adapter Settings" option in the navigation menu on the left. 3. In the "Local Area Connection Properties" dialog, enable the "Internet Protocol Version 4 (TCP/IPv4)" check box. 106 Getting Started, 04/2012, C79000-G8976-C287-01

107 Configuring a VPN tunnel 4.4 VPN tunnel between all security products 4. Click the "Properties" button. 5. In the "Internet Protocol Version 4 (TCP/IPv4) Properties" dialog, select the "Use the following IP address" radio button: off. 6. Now enter the values assigned to the PC from the table "Make the IP settings for the PCs" in the relevant boxes. 7. Close the dialogs with "OK" and close the Control Panel Create the project and modules Enabling security for the CPs 1. In the "Security" tab of the object properties of the CP 443- Advanced GX30, enable the "Enable security" check box. Getting Started, 04/2012, C79000-G8976-C

108 Configuring a VPN tunnel 4.4 VPN tunnel between all security products 2. In the dialog that follows, create a new user with a user name and the corresponding password. The "administrator" role is assigned to the user automatically. Confirm your entries with "OK". Result: A new security project is created. 3. In the "Security" tab of the object properties of the CP Advanced GX31 and CP 1628, enable the "Enable security" check box one after the other. 4. In HW Config, open the Security Configuration Tool with the "Edit" > "Security Configuration Tool" menu command. Result: The created CPs on which security is activated are displayed in the list of configured modules. Creating SCALANCE S and SOFTNET Security Client 1. Create a new module with the "Insert" > "Module" menu command. Configure: Product type: SCALANCE S Module: S612 Firmware release V3 IP address (ext.): , subnet mask (ext.): Select the "Enable routing" check box and enter the following data: IP address (int.): , subnet mask (int.): Result: The created SCALANCE S module will be displayed in the list of configured modules as "Module1". 3. In the "Configuration" area, enter the MAC address in the required format. The MAC address is printed on the front of the SCALANCE S module 4. Generate a second module with the "Insert" > "Module" menu command. Configure: Product type: SOFTNET Configuration (SOFTNET Security Client, SCALANCE M87x, MD74x) Module: SOFTNET Security Client Firmware release: V4 Result: The created SOFTNET security client will then be displayed in the list of configured modules as "Module2". 5. In the navigation area, click on "All Modules" and then on the row with "Module1" in the content area. 6. Click in the "Name" column and enter the name "SCA612". 7. Click on the row with "Module2". 8. Click in the "Name" column and enter the name "SSC-PC2". Result: The CPs, the SCALANCE S module and the SOFTNET Security Client are displayed in the Security Configuration Tool in the list of configured modules. 108 Getting Started, 04/2012, C79000-G8976-C287-01

Configuring a VPN tunnel 4.4 VPN tunnel between all security products 4.4.4 Configuring a tunnel connection Security modules can establish an IPsec tunnel for secure communication when they are assigned to the same group in the project.

Add two further groups. The groups are automatically given the names "Group2" and "Group3". 3.

109 Configuring a VPN tunnel 4.4 VPN tunnel between all security products Configuring a tunnel connection Security modules can establish an IPsec tunnel for secure communication when they are assigned to the same group in the project. Follow the steps outlined below: 1. Select "VPN groups" in the navigation area and create a new group with the menu command "Insert" > "Group". The group is automatically given the name "Group1". 2. Add two further groups. The groups are automatically given the names "Group2" and "Group3". 3. One after the other, drag the SCALANCE S module, the CP Advanced GX30 and the SOFTNET Security Client to "Group1" in the navigation area. The modules are now assigned to Group1 or are members of this group. The color of the key symbol changes from gray to blue. Getting Started, 04/2012, C79000-G8976-C

110 Configuring a VPN tunnel 4.4 VPN tunnel between all security products 4. One after the other, drag the CP Advanced GX31, the CP Advanced GX30 and the SOFTNET Security Client to "Group2" in the navigation area. The modules are now assigned to Group2 or are members of this group. The color of the key symbol changes from gray to blue. 5. One after the other, drag the CP 1628, the CP Advanced GX31 and the SOFTNET Security Client to "Group3" in the navigation area. The modules are now assigned to Group3 or are members of this group. The color of the key symbol changes from gray to blue. 6. Close SCT. The configuration of the tunnel connection is complete Loading the configuration on the security module and saving the SOFTNET Security Client configuration SCALANCE S and SOFTNET Security Client - follow the steps below: 1. In HW Config, open the Security Configuration Tool with the "Edit" > "Security Configuration Tool" menu command. 2. Using the menu command "Transfer" > "To all modules...", open the following dialog: 3. Start the download with the "Start" button. 4. Save the configuration file "projectname.ssc-pc2.dat" in your project folder and assign a password for the private key of the certificate. 110 Getting Started, 04/2012, C79000-G8976-C287-01

111 Configuring a VPN tunnel 4.4 VPN tunnel between all security products If the download was completed free of errors, the SCALANCE S module is restarted automatically and the new configuration activated. CPs - follow the steps below: 1. Close the Security Configuration Tool. 2. In HW Config, select the "Station" > "Save and Compile" menu for the CP Advanced. 3. Download the new configuration to the security module using the "PLC" > "Download to Module" menu. 4. Perform steps 2-3 for the CP and CP If the download was completed free of errors, the security modules restart automatically and the new configuration is activated. Result: Security modules in productive mode Commissioning the configuration is therefore completed and the two security modules within a VPN group can establish a communications tunnel and communicate with each other securely Set up a tunnel with the SOFTNET Security Client Follow the steps outlined below: 1. Start the SOFTNET Security Client on PC2. 2. Click the "Load Configuration" button, change to your project folder and load the "Projectname.SSC-PC2.dat" configuration file. 3. Enter the password for the private key of the certificate and confirm with "Next". 4. Confirm the "Enable all statically configured nodes?" dialog with "Yes". 5. Click the "Tunnel Overview" button. 6. To allow the learned subnets to communicate, enable this using the shortcut menu. Result: Active tunnel connection The tunnel between the SOFTNET Security Client and the security modules was established. This status is indicated by the green circle. In the log console of the tunnel overview of the SOFTNET Security Client, you can see several messages from your system indicating what happened during the connection attempt and whether or not a policy for the communication connection was created. Getting Started, 04/2012, C79000-G8976-C

112 Configuring a VPN tunnel 4.4 VPN tunnel between all security products Commissioning the configuration is now complete and the security modules of the configured VPN groups and the SOFTNET Security Client have established communications tunnels via which they can communicate. 112 Getting Started, 04/2012, C79000-G8976-C287-01

113 Configuring a VPN tunnel 4.4 VPN tunnel between all security products Test the tunnel function (ping test) How can you test the configured function? The function can be tested as described below using a ping command. As an alternative, you can also use other communication programs to test the configuration. NOTICE In Windows, the firewall can be set so that as default the ping commands do not pass through. If necessary, you will need to enable the ICMP services of the type "Request" and "Response". Testing Now test the function of the tunnel connection established between PC2 and PC3: 1. On PC2, call up the menu command "Start" >"All Programs" > "Accessories" > "Command Prompt". 2. Enter the Ping command from PC2 to PC3 (IP address ) In the command line of the "Command Prompt" window, enter the command "ping " at the cursor position. You will then receive the following message (positive reply from PC1): Result If the IP frames have reached PC1, the "Ping statistics for " display the following: Sent = 4 Received = 4 Lost = 0 (0% loss) Since no other communication is permitted, these packets must have been transported through the VPN tunnel. Getting Started, 04/2012, C79000-G8976-C

114 Configuring a VPN tunnel 4.4 VPN tunnel between all security products Repeating the test section One after the other, test the functionality of the tunnel connections established between PC2 and PC1, PC2 and CP Advanced GX30 and PC2 and CP Advanced GX31 as described in the section "Test section". If the tunnel connection is correctly established, you will receive a positive response to the ping query from each PC or security module. 114 Getting Started, 04/2012, C79000-G8976-C287-01

115 Configuring remote access via a VPN tunnel Remote access - VPN tunnel example with SCALANCE S612 and SOFTNET Security Client Overview In this example, the VPN tunnel function is configured in the "standard mode" configuration view. In this example, a security module and the SOFTNET Security Client form the two tunnel endpoints for the secure tunnel connection via a public network. With this configuration, IP traffic is possible only over the established VPN tunnel connections with authorized partners. Setting up the test network Getting Started, 04/2012, C79000-G8976-C

116 Configuring remote access via a VPN tunnel 5.1 Remote access - VPN tunnel example with SCALANCE S612 and SOFTNET Security Client Internal network - attachment to the internal port of the security module In the test setup, in the internal network, each network node is implemented by one PC connected to the internal port of the security module. PC1: Represents a node in the internal network Security module: SCALANCE S module (not S602) for protection of the internal network External network - attachment to the external port of the security module The public, external network is connected to the external port of the security module. PC2: PC with Security Configuration Tool configuration software and the SOFTNET Security Client software for secure VPN access to the internal network PC3: Test PC for test phase 2 Note In the example, a local area network is used as a substitute for an external public WAN to illustrate the principles of the functionality. Explanations relating to the use of a WAN are provided where necessary. Required devices/components: Use the following components to set up to the network: 1 x SCALANCE S module, (not S602), (optional: a suitably installed DIN rail with fittings); 1 x 24 V power supply with cable connector and terminal block plug; 1 x PC on which the "Security Configuration Tool" and VPN client "SOFTNET Security Client" are installed; 1 x PC in the internal network to test the configuration; 1 x PC in the external network to test the configuration; 1 x network hub or switch to set up the network connections with the SCALANCE S module and the PCs; The required network cable, TP cable (twisted pair) complying with the IE FC RJ-45 standard for Industrial Ethernet. 116 Getting Started, 04/2012, C79000-G8976-C287-01

117 Configuring remote access via a VPN tunnel 5.1 Remote access - VPN tunnel example with SCALANCE S612 and SOFTNET Security Client Overview of the next steps: Set up SCALANCE S and the network Follow the steps outlined below: 1. First unpack the SCALANCE S device and check that it is undamaged. 2. Connect the power supply to the SCALANCE S module. Result: After connecting the power, the Fault LED (F) is lit yellow. WARNING The SCALANCE S is designed for operation with safety extra-low voltage. This means that only safety extra-low voltages (SELV) complying with IEC950/EN60950/ VDE0805 can be connected to the power supply terminals. The power supply unit to supply the SCALANCE S must comply with NEC Class 2 (voltage range V, current requirement approx. 250 ma). 1. Now establish the physical network connections by plugging the network cable connectors into the ports being used (RJ-45 jacks): Getting Started, 04/2012, C79000-G8976-C

118 Configuring remote access via a VPN tunnel 5.1 Remote access - VPN tunnel example with SCALANCE S612 and SOFTNET Security Client Connect PC1 with port 2 of module 1. Connect port 1 of module 1 with the hub/switch. Connect PC2 and PC3 to the hub/switch as well. 2. Now turn on the PCs. Note To use a WAN as an external public network, the connections to the hub/switch must be replaced by the connections to the WAN (Internet access). NOTICE The Ethernet attachments at port 1 and port 2 are handled differently by the SCALANCE S and must not be swapped over when connecting to the communication network: Port 1 - "external network" Upper RJ-45 jack, marked red = unprotected network area; Port 2 - "internal network" Lower RJ-45 jack, marked green = network protected by SCALANCE S; If the ports are swapped over, the device loses its protective function Make the IP settings for the PCs For the test, the PCs should be given the following IP address settings. PC IP address Subnet mask Default gateway PC PC PC For standard gateway, specify the IP addresses that will be assigned to the security module for the internal and external interface in the subsequent project engineering: PC1 uses the internal interface. PC2 and PC3 use the external interface. Note To use a WAN as an external public network, the relevant IP settings for the connection to the WAN (Internet) must be made on PC2 and PC3. Follow the steps below for PC1, PC2, and PC3: 1. On the relevant PC, open the Control Panel with the menu command "Start" > "Control Panel". 118 Getting Started, 04/2012, C79000-G8976-C287-01

119 Configuring remote access via a VPN tunnel 5.1 Remote access - VPN tunnel example with SCALANCE S612 and SOFTNET Security Client 2. Click "Network and Sharing Center" and select the "Change Adapter Settings" option in the navigation menu on the left. 3. In the "Local Area Connection Properties" dialog, enable the "Internet Protocol Version 4 (TCP/IPv4)" check box. 4. Click the "Properties" button. 5. In the "Internet Protocol Version 4 (TCP/IPv4) Properties" dialog, select the "Use the following IP address" radio button: off. 6. Enter the values assigned to the PC from the table "Make the IP settings for the PCs" in the relevant boxes. 7. Close the dialogs with "OK" and close the Control Panel Create the project and modules Follow the steps below: 1. Select the "Project" > "New" menu command. Getting Started, 04/2012, C79000-G8976-C

120 Configuring remote access via a VPN tunnel 5.1 Remote access - VPN tunnel example with SCALANCE S612 and SOFTNET Security Client 2. In the dialog that follows, create a new user with a user name and the corresponding password. The "administrator" role is assigned to the user automatically. 3. Confirm your entries. Result: A new project is created. The "Selection of a module or software configuration" dialog opens. 4. Configure the product type, module and firmware release and close the dialog with "OK" 5. Generate a second module with the "Insert" > "Module" menu command. Configure: Product type: SOFTNET Configuration (SOFTNET Security Client, SCALANCE M87x/MD74x) Module: SOFTNET Security Client Firmware release: Depending on the SOFTNET Security Client version you are using. Close the dialog with "OK". Result: The module will then be displayed in the list of configured modules. The name is assigned automatically based on the default settings of the project. 120 Getting Started, 04/2012, C79000-G8976-C287-01

121 Configuring remote access via a VPN tunnel 5.1 Remote access - VPN tunnel example with SCALANCE S612 and SOFTNET Security Client 6. Double-click on "Module1". Result: The "Interfaces" tab is opened. 7. Enter the following values in the "External (P1) box: IP address: , Subnet mask: MAC: the MAC address printed on the front of the SCALANCE S module (see figure). Note To use a WAN as an external, public network, enter the IP address you received from the provider as "IP address ext." via which the security module will then be reachable in the WAN (Internet). To allow the security module to send packets via the WAN (Internet), you need to enter your DSL router as "Standard router". If you use a DSL router as Internet gateway, the following ports (at least) must be opened on it: Port 500 (ISAKMP) Port 4500 (NAT-T) With SCALANCE S, for configuration downloads (via the WAN without active tunnel), port 443 (HTTPS) must also be open. Configuring routing 1. Select the "Routing mode" for "Interface routing" in the "Interfaces" tab. Getting Started, 04/2012, C79000-G8976-C

122 Configuring remote access via a VPN tunnel 5.1 Remote access - VPN tunnel example with SCALANCE S612 and SOFTNET Security Client 2. In the input area "Internal (P2), add the following to the address information for the SCALANCE S as follows and confirm your entries with "OK": Internal module IP address: Internal subnet mask: In the navigation area, click on "All Modules" and then on the row with "Module2" in the content area. 4. Click in the "Name" column and enter the name "SSC-PC2". Result: The settings are complete and should match the following figure: 122 Getting Started, 04/2012, C79000-G8976-C287-01

123 Configuring remote access via a VPN tunnel 5.1 Remote access - VPN tunnel example with SCALANCE S612 and SOFTNET Security Client Getting Started, 04/2012, C79000-G8976-C

124 Configuring remote access via a VPN tunnel 5.1 Remote access - VPN tunnel example with SCALANCE S612 and SOFTNET Security Client Configuring a tunnel connection A SCALANCE S and the SOFTNET Security Client can establish an IPsec tunnel for secure communication when they are assigned to the same group in the project. Follow the steps outlined below: 1. Select "VPN groups" in the navigation area and create a new group with the menu command "Insert" > "Group". The group is automatically given the name "Group1". 2. Select the SCALANCE S module "Module1" in the content area and drag it to "Group1" in the navigation area. The module is now assigned to this group (is a member of the group). The color of the key symbol changes from gray to blue. This indicates that an IPsec connection has been configured for the module. 3. Select the SOFTNET Security Client in the content area and drag it to "Group1" in the navigation area. The module is now also assigned to this group. 4. Save the project with the menu command "Project" > "Save As..." under a meaningful name. The configuration of the tunnel connection is complete. 124 Getting Started, 04/2012, C79000-G8976-C287-01

125 Configuring remote access via a VPN tunnel 5.1 Remote access - VPN tunnel example with SCALANCE S612 and SOFTNET Security Client Loading the configuration on the SCALANCE S and saving the SOFTNET Security Client configuration Follow the steps outlined below: 1. Using the menu command "Transfer" > "To all modules...", open the following dialog: 2. Start the download with the "Start" button. 3. Save the configuration file "projectname.ssc-pc2.dat" in your project folder and assign a password for the private key of the certificate. If the download was completed free of errors, the security module is restarted automatically and the new configuration activated. Result: SCALANCE S in productive operation The security module is in productive mode. This mode is indicated by the Fault LED being lit green. The configuration has been commissioned and the security module and the SOFTNET Security Client can now establish a communication tunnel over which network nodes from the internal networks can communicate securely with PC2 from within the internal network. Note To use a WAN as an external public network, you cannot configure a security module with the factory settings via the WAN. In this case, configure the security module from within the internal network. Getting Started, 04/2012, C79000-G8976-C

126 Configuring remote access via a VPN tunnel 5.1 Remote access - VPN tunnel example with SCALANCE S612 and SOFTNET Security Client Set up a tunnel with the SOFTNET Security Client Follow the steps outlined below: 1. Start the SOFTNET Security Client on PC2. 2. Click the "Load Configuration" button, change to your project folder and load the "Projectname.SSC-PC2.dat" configuration file. 3. Enter the password for the private key of the certificate and confirm with "Next". 4. Confirm the "Enable all statically configured nodes?" dialog with "Yes". 5. Click the "Tunnel Overview" button. Result: Active tunnel connection The tunnel between SCALANCE S and SOFTNET Security Client was established. This status is indicated by the green circle beside the "Module1" entry. In the log console of the tunnel overview of the SOFTNET Security Client, you can see several messages from your system indicating what happened during the connection attempt and whether or not a policy for the communication connection was created. 126 Getting Started, 04/2012, C79000-G8976-C287-01

127 Configuring remote access via a VPN tunnel 5.1 Remote access - VPN tunnel example with SCALANCE S612 and SOFTNET Security Client The configuration has now been commissioned and the SCALANCE S module and the SOFTNET Security Client have established a communication tunnel over which network nodes can communicate securely with PC2 from within the internal network. Getting Started, 04/2012, C79000-G8976-C

128 Configuring remote access via a VPN tunnel 5.1 Remote access - VPN tunnel example with SCALANCE S612 and SOFTNET Security Client Test the tunnel function (ping test) How can you test the configured function? The function can be tested as described below using a ping command. As an alternative, you can also use other communication programs to test the configuration. NOTICE In Windows, the firewall can be set so that as default the ping commands do not pass through. If necessary, you will need to enable the ICMP services of the type "Request" and "Response". Test phase 1 Now test the function of the tunnel connection established between PC1 and PC2: 1. On PC2, call up the menu command "Start" >"All Programs" > "Accessories" > "Command Prompt". 2. Enter the ping command from PC2 to PC1 (IP address ). In the command line of the "Command Prompt" window, enter the command ping at the cursor position. You will then receive the following message: (positive reply from PC1). Result If the IP packets have reached PC1, the "Ping statistics for " display the following: Sent = 4 Received = 4 Lost = 0 (0% loss) Since no other communication is permitted, these packets must have been transported through the VPN tunnel. 128 Getting Started, 04/2012, C79000-G8976-C287-01

129 Configuring remote access via a VPN tunnel 5.1 Remote access - VPN tunnel example with SCALANCE S612 and SOFTNET Security Client Test phase 2 Now repeat the test by sending a ping command from PC3. 1. On PC3, call up the menu command "Start" >"All Programs" > "Accessories" > "Command Prompt". 2. Send the same ping command (ping ) in the Command Prompt window of PC3. You will then receive the following message: (no reply from PC1). Result The IP frames from PC3 cannot reach PC1 since neither tunnel communication between these two devices is configured nor is normal IP data traffic permitted. This is shown in the "Ping statistics" for as follows: Sent = 4 Received = 0 Lost = 4 (100% loss) Getting Started, 04/2012, C79000-G8976-C

130 Configuring remote access via a VPN tunnel 5.2 Remote access - VPN tunnel example with CP x43-1 Advanced and SOFTNET Security Client 5.2 Remote access - VPN tunnel example with CP x43-1 Advanced and SOFTNET Security Client Overview In this example, the VPN tunnel function is configured in the "standard mode" configuration view. In this example, a security module and a SOFTNET Security Client form the two tunnel endpoints for the secure tunnel connection via a public network. With this configuration, IP traffic is possible only over the established VPN tunnel connections with authorized partners. Setting up the test network 130 Getting Started, 04/2012, C79000-G8976-C287-01

131 Configuring remote access via a VPN tunnel 5.2 Remote access - VPN tunnel example with CP x43-1 Advanced and SOFTNET Security Client Internal network - attachment to the internal port of the security module In the test setup, in the internal network, each network node is implemented by one PC connected to the internal port of the security module. PC1: Represents a node in the internal network Security module: CP x43-1 to protect the internal network External network - attachment to the external port of the security module The public, external network is connected to the external port of a security module. PC2: PC with Security Configuration Tool configuration software and the SOFTNET Security Client software for secure VPN access to the internal network PC3: Test PC for test phase 2 Note In the example, a local area network is used as a substitute for an external public WAN to illustrate the principles of the functionality. Explanations relating to the use of a WAN are provided where necessary. Requirement: To be able to work through the example, the following requirements must be met: The Security Configuration Tool configuration software is installed on PC2. STEP 7 is installed on PC2 and a STEP 7 project has already been created. The security module has the current time of day and the current date. CP x43-1 has the following settings in STEP 7: Gigabit IP address: , subnet mask: PROFINET IP address: , subnet mask: Getting Started, 04/2012, C79000-G8976-C

132 Configuring remote access via a VPN tunnel 5.2 Remote access - VPN tunnel example with CP x43-1 Advanced and SOFTNET Security Client Overview of the next steps: Make the IP settings for the PCs For the test, the PCs should be given the following IP address settings. PC IP address Subnet mask Default gateway PC PC PC For standard gateway, specify the IP addresses that will be assigned to the security module for the internal and external interface in the subsequent project engineering: PC1 uses the internal interface. PC2 and PC3 use the external interface. Note To use a WAN as an external public network, the relevant IP settings for the connection to the WAN (Internet) must be made on PC2 and PC3. Follow the steps below for PC1, PC2, and PC3: 1. On the relevant PC, open the Control Panel with the menu command "Start" > "Control Panel". 2. Click "Network and Sharing Center" and select the "Change Adapter Settings" option in the navigation menu on the left. 3. In the "Local Area Connection Properties" dialog, enable the "Internet Protocol Version 4 (TCP/IPv4)" check box. 132 Getting Started, 04/2012, C79000-G8976-C287-01

133 Configuring remote access via a VPN tunnel 5.2 Remote access - VPN tunnel example with CP x43-1 Advanced and SOFTNET Security Client 4. Click the "Properties" button. 5. In the "Internet Protocol Version 4 (TCP/IPv4) Properties" dialog, select the "Use the following IP address" radio button: off. 6. Enter the values assigned to the PC from the table "Make the IP settings for the PCs" in the relevant boxes. 7. Close the dialogs with "OK" and close the Control Panel Create the project and modules Follow the steps below: 1. In the "Security" tab of the STEP 7 object properties of the security module, enable the "Enable security" check box. Getting Started, 04/2012, C79000-G8976-C

134 Configuring remote access via a VPN tunnel 5.2 Remote access - VPN tunnel example with CP x43-1 Advanced and SOFTNET Security Client 2. In the dialog that follows, create a new user with a user name and the corresponding password. The "administrator" role is assigned to the user automatically. Confirm your entries with "OK". Result: A new security project is created. 3. Select the "Edit" > "Security Configuration Tool" menu. Result: The security module will then be displayed in the list of configured modules. 1. Generate a second module with the "Insert" > "Module" menu command. Configure: Product type: SOFTNET Configuration (SOFTNET Security Client, SCALANCE M87x/MD74x) Module: SOFTNET Security Client Firmware release: Depending on the SOFTNET Security Client version you are using. 2. Close the dialog with "OK". Result: The module will then be displayed in the list of configured modules. The name is assigned automatically based on the default settings of the project. Note To use a WAN as an external, public network, enter the IP address you received from the provider as "IP address ext." via which the security module will then be reachable in the WAN (Internet). To allow the security module to send packets via the WAN (Internet), you need to enter your DSL router as "Standard router". If you use a DSL router as Internet gateway, the following ports (at least) must be forwarded on it: Port 500 (ISAKMP) Port 4500 (NAT-T) For configuration downloads (not through an active tunnel), port 443 (HTTPS) must also be forwarded. 134 Getting Started, 04/2012, C79000-G8976-C287-01

Result: The settings are complete and should match the following figure: 5.2.

135 Configuring remote access via a VPN tunnel 5.2 Remote access - VPN tunnel example with CP x43-1 Advanced and SOFTNET Security Client 3. In the navigation area, click on "All Modules" and then on the row with "Module2" in the content area. 4. Click in the "Name" column and enter the name "SSC-PC2". Result: The settings are complete and should match the following figure: Configuring a tunnel connection The security module and the SOFTNET Security Client can establish an IPsec tunnel for secure communication when they are assigned to the same group in the project. Follow the steps outlined below: 1. Select "VPN groups" in the navigation area and create a new group with the menu command "Insert" > "Group". The group is automatically given the name "Group1". 2. Select the security module in the content area and drag it to "Group1" in the navigation area. The module is now assigned to this group (is a member of the group). The color of the key symbol changes from gray to blue. This indicates that an IPsec connection has been configured for the module. 3. Select the SOFTNET Security Client in the content area and drag it to "Group1" in the navigation area. The module is now also assigned to this group. The configuration of the tunnel connection is complete. Getting Started, 04/2012, C79000-G8976-C

Configuring remote access via a VPN tunnel 5.2 Remote access - VPN tunnel example with CP x43-1 Advanced and SOFTNET Security Client 5.2.5 Loading the configuration on the security module and saving the SOFTNET Security Client configuration Follow the steps outlined below: 1.

136 Configuring remote access via a VPN tunnel 5.2 Remote access - VPN tunnel example with CP x43-1 Advanced and SOFTNET Security Client Loading the configuration on the security module and saving the SOFTNET Security Client configuration Follow the steps outlined below: 1. Using the menu command "Transfer" > "To all modules...", open the following dialog: 2. Start the download with the "Start" button. 3. Save the configuration file "projectname.ssc-pc2.dat" in your project folder and assign a password for the private key of the certificate. If the download was completed free of errors, the security module is restarted automatically and the new configuration activated. Result: Security module in productive mode The configuration has been commissioned and the security module and the SOFTNET Security Client can now establish a communication tunnel over which network nodes from the internal networks can communicate securely with PC2 from within the internal network. Note To use a WAN as an external public network, you cannot configure a security module with the factory settings via the WAN. In this case, configure the security module from within the internal network. 136 Getting Started, 04/2012, C79000-G8976-C287-01

137 Configuring remote access via a VPN tunnel 5.2 Remote access - VPN tunnel example with CP x43-1 Advanced and SOFTNET Security Client Set up a tunnel with the SOFTNET Security Client Follow the steps outlined below: 1. Start the SOFTNET Security Client on PC2. 2. Click the "Load Configuration" button, change to your project folder and load the "Projectname.SSC-PC2.dat" configuration file. 3. Enter the password for the private key of the certificate and confirm with "Next". 4. Confirm the "Enable all statically configured nodes?" dialog with "Yes". 5. Click the "Tunnel Overview" button. Result: Active tunnel connection The tunnel between the security module and the SOFTNET Security Client was established. This status is indicated by the green circle beside the "Module1" entry. In the log console of the tunnel overview of the SOFTNET Security Client, you can see several messages from your system indicating what happened during the connection attempt and whether or not a policy for the communication connection was created. Getting Started, 04/2012, C79000-G8976-C

138 Configuring remote access via a VPN tunnel 5.2 Remote access - VPN tunnel example with CP x43-1 Advanced and SOFTNET Security Client The configuration has now been commissioned and the security module and the SOFTNET Security Client have established a communication tunnel over which network nodes can communicate securely with PC2 from within the internal network. 138 Getting Started, 04/2012, C79000-G8976-C287-01

139 Configuring remote access via a VPN tunnel 5.2 Remote access - VPN tunnel example with CP x43-1 Advanced and SOFTNET Security Client Test the tunnel function (ping test) How can you test the configured function? The function can be tested as described below using a ping command. As an alternative, you can also use other communication programs to test the configuration. NOTICE In Windows, the firewall can be set so that as default the ping commands do not pass through. If necessary, you will need to enable the ICMP services of the type "Request" and "Response". Test phase 1 Now test the function of the tunnel connection established between PC1 and PC2: 1. On PC2, call up the menu command "Start" >"All Programs" > "Accessories" > "Command Prompt". 2. Enter the ping command from PC2 to PC1 (IP address ). In the command line of the "Command Prompt" window, enter the command "ping " at the cursor position. You will then receive the following message (positive reply from PC1): Result If the IP packets have reached PC1, the "Ping statistics for " display the following: Sent = 4 Received = 4 Lost = 0 (0% loss) Since no other communication is permitted, these packets must have been transported through the VPN tunnel. Getting Started, 04/2012, C79000-G8976-C

140 Configuring remote access via a VPN tunnel 5.2 Remote access - VPN tunnel example with CP x43-1 Advanced and SOFTNET Security Client Test phase 2 Now repeat the test by sending a ping command from PC3. 1. On PC3, call up the menu command "Start" >"All Programs" > "Accessories" > "Command Prompt". 2. Send the same ping command ("ping ") in the Command Prompt window of PC3. You will then receive the following message (no reply from PC1): Result The IP frames from PC3 cannot reach PC1 since neither tunnel communication between these two devices is configured nor is normal IP data traffic permitted. This is shown in the "Ping statistics" for as follows: Sent = 4 Received = 0 Lost = 4 (100% loss) 140 Getting Started, 04/2012, C79000-G8976-C287-01

A SCALANCE M and the SOFTNET Security Client form the two tunnel endpoints for the secure tunnel connection via a public network.

141 Configuring remote access via a VPN tunnel 5.3 Remote access - VPN tunnel example with SCALANCE M and SOFTNET Security Client 5.3 Remote access - VPN tunnel example with SCALANCE M and SOFTNET Security Client Overview In this example, the VPN tunnel function is configured in the "advanced mode" project engineering view. A SCALANCE M and the SOFTNET Security Client form the two tunnel endpoints for the secure tunnel connection via a public network. With this configuration, IP traffic is possible only over the established VPN tunnel connection with authorized partners. Note To configure this example, you need a public, fixed IP address from your provider (mobile wireless provider) for the SIM card of the SCALANCE M that can also be reached from the Internet. (As an alternative, it is also possible to work with a DynDNS address for the SCALANCE M.) Setting up the test network: Getting Started, 04/2012, C79000-G8976-C

142 Configuring remote access via a VPN tunnel 5.3 Remote access - VPN tunnel example with SCALANCE M and SOFTNET Security Client Internal network - attachment to SCALANCE M port X2 ("internal network") In the test setup, in the internal network, a network node is implemented by a PC connected to the "internal network" port (port X2) of a SCALANCE M module. PC1: Represents a node in the internal network SCALANCE M: SCALANCE M module for protection of the internal network External, public network - connection via SCALANCE M antenna ("external network") The external, public network must be a GSM or mobile wireless network that can be selected by the user at the provider (mobile wireless provider) and is reached via the antenna of the SCALANCE M. PC2: PC with Security Configuration Tool configuration software and the SOFTNET Security Client software for secure VPN access to the internal network Required devices/components: Use the following components to set up to the network: 1 x SCALANCE M module with SIM card, (optional: a suitably installed DIN rail with fittings); 1 x 24 V power supply with cable connector and terminal block plug; 1 x PC on which the "Security Configuration Tool" and VPN client "SOFTNET Security Client" are installed; 1 x PC in the internal network of the SCALANCE M with a browser for configuring the SCALANCE M and testing the configuration; 1 x DSL router (connection to the Internet for the PC with the VPN client (ISDN, DSL, UMTS etc.)) The required network cable, TP cable (twisted pair) complying with the IE FC RJ-45 standard for Industrial Ethernet. 142 Getting Started, 04/2012, C79000-G8976-C287-01

143 Configuring remote access via a VPN tunnel 5.3 Remote access - VPN tunnel example with SCALANCE M and SOFTNET Security Client Overview of the next steps Setting up SCALANCE M and network Follow the steps outlined below: 1. First unpack the SCALANCE M device and check that it is undamaged. 2. Follow the step-by-step commissioning as described in the SCALANCE M system manual up to the point at which you need to set it up to suit your own requirements. To do this, use PC1; for setting up the SCALANCE M, refer to the section Configuring the SCALANCE M (Page 150). 3. Now establish the physical network connections by plugging the network cable connectors into the ports being used (RJ-45 jacks): Connect PC1 with Port X2 ("internal network") of the SCALANCE M Connect PC2 with the DSL router 4. Now turn on the PCs Make the IP settings for the PCs For the test, the PCs should be given the following IP address settings. PC IP address Subnet mask Default gateway PC PC Getting Started, 04/2012, C79000-G8976-C

144 Configuring remote access via a VPN tunnel 5.3 Remote access - VPN tunnel example with SCALANCE M and SOFTNET Security Client For the default gateway for PC1, specify the IP address that you will assign to the SCALANCE M module (for the internal network interface) in the subsequent configuration. For PC2, specify the IP address of the DSL router (for the internal network interface). Follow the steps below with PC1 and PC2 to open the network connections on the relevant PC: 1. On the relevant PC, open the Control Panel with the menu command "Start" > "Control Panel". 2. Click "Network and Sharing Center" and select the "Change Adapter Settings" option in the navigation menu on the left. 3. In the "Local Area Connection Properties" dialog, enable the "Internet Protocol Version 4 (TCP/IPv4)" check box. 4. Click the "Properties" button. 5. In the "Internet Protocol Version 4 (TCP/IPv4) Properties" dialog, select the "Use the following IP address" radio button: off. 6. Enter the values assigned to the PC from the table "Make the IP settings for the PCs" in the relevant boxes. 7. Close the dialogs with "OK" and close the Control Panel. 144 Getting Started, 04/2012, C79000-G8976-C287-01

145 Configuring remote access via a VPN tunnel 5.3 Remote access - VPN tunnel example with SCALANCE M and SOFTNET Security Client Create the project and modules Follow the steps below: 1. Install and start the Security Configuration Tool on PC2. 2. Select the "Project" > "New" menu command. 3. In the dialog that follows, create a new user with a user name and the corresponding password. The "administrator" role is assigned to the user automatically. 4. Confirm your entries. Result: A new project is created. The "Selection of a module or software configuration" dialog opens. 5. Configure: Product type: SOFTNET Configuration (SOFTNET Security Client, SOFTNET Security Client, SCALANCE M87x/MD74x) Module: SOFTNET Security Client Firmware release: V3 Assign the module name "SSC-PC2" and close the dialog with "OK". 6. Generate a second module with the "Insert" > "Module" menu command. Configure: Product type: SOFTNET Configuration (SOFTNET Security Client, SOFTNET Security Client, SCALANCE M87x/MD74x) Module: SCALANCE M87x/MD74x Firmware release: V3 Assign the module name "SCALANCE-M". Getting Started, 04/2012, C79000-G8976-C

146 Configuring remote access via a VPN tunnel 5.3 Remote access - VPN tunnel example with SCALANCE M and SOFTNET Security Client 7. In the "Configuration" area, enter the external IP address and the external subnet mask in the required format. Note To configure this example, you need a public, fixed IP address from your provider (mobile wireless provider) for the SIM card of the SCALANCE M that can also be reached from the Internet. Enter this IP address as the external IP address for your module. If you work with dynamic addresses for the SCALANCE M, you require a DynDNS address for the module. In this case, you do not need to adapt the external IP address at this point. The IP address entered therefore serves simply as a placeholder. When configuring the SOFTNET Security Client later, specify a DNS name instead of an external IP address. 8. In the "Configuration" area, enter the internal IP address ( ) and the internal subnet mask ( ) in the required format and confirm the dialog with "OK". Result: The settings are complete and should match the following figure: Configuring a tunnel connection A SCALANCE M and the SOFTNET Security Client can establish an IPsec tunnel for secure communication when they are assigned to the same group in the project. Follow the steps outlined below: 1. Select "VPN groups" in the navigation area and create a new group with the menu command "Insert" > "Group": 146 Getting Started, 04/2012, C79000-G8976-C287-01

147 Configuring remote access via a VPN tunnel 5.3 Remote access - VPN tunnel example with SCALANCE M and SOFTNET Security Client The group is automatically given the name "Group1". 2. Select the SCALANCE M module in the content area and drag it to "Group1" in the navigation area. The module is now assigned to this group or is a member of this group. The color of the key symbol changes from gray to blue. This indicates that an IPsec connection has been configured for the module. 3. Select the SOFTNET Security Client module "SSC-PC2" in the content area and drag it to "Group1" in the navigation area. The module is also assigned to this group. 4. Change to advanced mode with the menu command "View" > "Advanced mode". 5. Open the group properties of Group1 by selecting the "Properties..." shortcut menu. Getting Started, 04/2012, C79000-G8976-C

148 Configuring remote access via a VPN tunnel 5.3 Remote access - VPN tunnel example with SCALANCE M and SOFTNET Security Client 6. Change the SA lifetime for phase 1 and phase 2 to 1440 minutes and leave all other settings. NOTICE A successful tunnel connection between a SCALANCE M and the SOFTNET Security Client can only be established if you keep exactly to the following parameters. If you use different parameter settings, it is possible that the two tunnel partners will not be able to set up a VPN connection between them. Authentication method: Certificate Advanced Settings Phase 1: IKE mode: Main Phase 1 DH group: Group2 Phase 1 Encryption: 3DES-168 SA lifetime (minutes): 1440 minutes Phase 1 Authentication: SHA1 Advanced Settings Phase 2: SA lifetime type: Time Phase 2 Encryption: 3DES-168 SA lifetime: 1440 minutes Phase 2 Authentication: SHA1 148 Getting Started, 04/2012, C79000-G8976-C287-01

Configuring remote access via a VPN tunnel 5.3 Remote access - VPN tunnel example with SCALANCE M and SOFTNET Security Client 7. Save the project with the menu command "Project" > "Save As.

149 Configuring remote access via a VPN tunnel 5.3 Remote access - VPN tunnel example with SCALANCE M and SOFTNET Security Client 7. Save the project with the menu command "Project" > "Save As..." under a meaningful name. The configuration of the tunnel connection is complete Saving the configuration of the SCALANCE M and the SOFTNET Security Client Follow the steps outlined below: 1. Using the menu command "Transfer" > "To all modules...", open the following dialog: 2. Start the download with the "Start" button. Getting Started, 04/2012, C79000-G8976-C

150 Configuring remote access via a VPN tunnel 5.3 Remote access - VPN tunnel example with SCALANCE M and SOFTNET Security Client 3. Save the configuration file "projectname.ssc-pc2.dat" in the project folder and assign a password for the private key of the certificate. The following files will be saved in the project directory: "Projectname.SSC-PC2.dat" "Projectname.string.SSC-PC2.p12" "Projectname.group1.cer" 4. Save the configuration file "projectname.scalance-m.txt" in your project folder and assign a password for the private key of the certificate. The following files will be saved in the project directory: "Projectname.SCALANCE-M.txt" "Projectname.string.SCALANCE-M.p12" "Projectname.group1.SCALANC- M.cer" You have now saved all the necessary files and certificates and can put the SCALANCE M and the SOFTNET Security Client into operation Configuring the SCALANCE M The using the saved text file "projectname.scalance-m.txt", you can create the configuration of the SCALANCE M very simply based on its Web-based management. Below, this example shows you the configuration of the SCALANCE M step-by-step. The following is assumed for the configuration: SCALANCE M has a public, fixed IP address that can be reached via the Internet; The SOFTNET Security Client has a dynamic IP address assigned by the provider. At the relevant points, you will also be given information about configuring a DynDNS name for the SCALANCE M. Follow the steps outlined below: 1. Connect to the Web user interface of the SCALANCE M via PC1. Note: If the SCALANCE M has its factory settings, the internal interface of the module has the IP address Go to the "IPSec VPN" > "Certificates" folder. 150 Getting Started, 04/2012, C79000-G8976-C287-01

151 Configuring remote access via a VPN tunnel 5.3 Remote access - VPN tunnel example with SCALANCE M and SOFTNET Security Client 3. You saved the required certificates on PC2 in the last section and assigned a password for the private key. Transfer the certificates ("projectname.string.scalance-m.p12", "projectname.group1.scalance-m.cer") for the SCALANCE M initially to PC1. 4. Now upload the certificates of the partners "projectname. group1.scalance-m.cer" and the PKCS 12 file "projectname.string.scalance-m.p12" to the module. VPN Roadwarrior mode of the SCALANCE M Since the SOFTNET Security Client has a dynamic IP address, the VPN Roadwarrior mode of the SCALANCE M is used to establish a secure connection. Roadwarrior mode of the SCALANCE M: In the VPN Roadwarrior mode, the SCALANCE M can accept VPN connections from partners with an unknown address. These can, for example, be mobile partners that obtain their IP address dynamically. The VPN connection must be established by the partner. Only one VPN connection is possible in Roadwarrior mode. VPN connections in standard mode can be operated at the same time. Follow the steps outlined below: 1. Go to the "IPSec VPN" > "Connections" folder. 2. Under "Settings", click the "Edit" button. Getting Started, 04/2012, C79000-G8976-C

152 Configuring remote access via a VPN tunnel 5.3 Remote access - VPN tunnel example with SCALANCE M and SOFTNET Security Client 3. Edit the settings of the Roadwarrior VPN as shown in the following figure and save your entries. You can get the "Remote ID" from the "projectname.scalance-m.txt" text file. As an option, you can enter the "Remote ID" here. 4. In the "IPSec VPN - Connections" window, click the "Edit" button below IKE. 152 Getting Started, 04/2012, C79000-G8976-C287-01

153 Configuring remote access via a VPN tunnel 5.3 Remote access - VPN tunnel example with SCALANCE M and SOFTNET Security Client 5. Edit the IKE settings of the Roadwarrior VPN as shown in the following figure and save your entries. NOTICE Getting Started, 04/2012, C79000-G8976-C

154 Configuring remote access via a VPN tunnel 5.3 Remote access - VPN tunnel example with SCALANCE M and SOFTNET Security Client A successful tunnel connection between SCALANCE M and the SOFTNET Security Client can only be established if you keep exactly to the parameters listed below. If you use different parameter settings, the two tunnel partners will not be able to set up a VPN connection between them. You should therefore always keep to the settings in the exported text file (as shown extra below). Authentication method: X.509 remote certificate Phase 1 - ISKAMP SA: ISAKMP SA encryption: 3DES-168 ISAKMP-SA hash: SHA-1 ISAKMP-SA mode: Main mode ISAKMP-SA Lifetime (seconds): Phase 2 - IPSec SA: IPSec SA encryption: 3DES-168 IPSec SA hash: SHA-1 IPSec SA lifetime (seconds): DH/PFS group: DH Getting Started, 04/2012, C79000-G8976-C287-01

155 Configuring remote access via a VPN tunnel 5.3 Remote access - VPN tunnel example with SCALANCE M and SOFTNET Security Client 6. To be able to use the diagnostics function of the SOFTNET Security Client for successfully established VPN tunnels in conjunction with the SCALANCE M, you need to allow a ping from the external network of the SCALANCE M. To do this, go to the directory "Security" > "Advanced". Set the "External ICMP to the SCALANCE M" function to the value "Allow ping" and save your entry. Note also the following figure. Note If you do not enable this function, you will not be able to use the diagnostics function of the SOFTNET Security Client for successfully established VPN tunnels in conjunction with the SCALANCE M. You then do not receive any feedback as to whether the tunnel was successfully established but can nevertheless communicate securely via the tunnel. 7. To allow you to access the Web interface of the SCALANCE M via the external interface as well, enable the HTTPS remote access. This gives you the opportunity of configuring and diagnosing the SCALANCE M remotely via an established tunnel. To do this, go to the directory "Access" > "HTTPS". Set in the "Enable HTTPS remote access" function to the value "Yes" as shown in the following figure and save your entry. Getting Started, 04/2012, C79000-G8976-C

156 Configuring remote access via a VPN tunnel 5.3 Remote access - VPN tunnel example with SCALANCE M and SOFTNET Security Client Note If you want to access the SCALANCE M using a DNS name, make the settings for the DynDNS server connection in the following directory: "External Network" > "Advanced Settings" >"DynDNS" 1. Change the setting "Log this SCALANCE M on to a DynDNS server" to the value "Yes". 2. Specify your username and the password of your DynDNS account. 3. Enter the full DynDNS address in the "DynDNS hostname" box. Enter the domain for this address as well (e.g. "mydns.dyndns.org"). 156 Getting Started, 04/2012, C79000-G8976-C287-01

Configuring remote access via a VPN tunnel 5.3 Remote access - VPN tunnel example with SCALANCE M and SOFTNET Security Client The commissioning of the SCALANCE M is now complete.

157 Configuring remote access via a VPN tunnel 5.3 Remote access - VPN tunnel example with SCALANCE M and SOFTNET Security Client The commissioning of the SCALANCE M is now complete. The module and the SOFTNET Security Client can establish a communication tunnel over which network nodes can communicate securely with PC2 from within the internal network Setting up a tunnel with the SOFTNET Security Client Follow the steps outlined below: 1. Start the SOFTNET Security Client on PC2. 2. Click the "Load Configuration" button, change to your project folder and load the "Projectname.SSC-PC2.dat" configuration file. 3. For a SCALANCE M configuration, the SOFTNET Security Client opens the dialog "IP- /DNS settings SCALANCE M". In this dialog, enter the public IP address of the SCALANCE M module that you received from your provider. Confirm the dialog with "OK". Note: If you work with a DNS name, you can configure this instead of an IP address in this dialog. 4. Enter the password for the certificate and confirm with "Next". Getting Started, 04/2012, C79000-G8976-C

Siemens Spares. Setting up security in STEP 7. Professional SIMATIC NET. Industrial Ethernet Security Setting up security in STEP 7 Professional

Siemens Spares. Setting up security in STEP 7. Professional SIMATIC NET. Industrial Ethernet Security Setting up security in STEP 7 Professional Setting up security in STEP 7 Professional SIMATIC NET Industrial Ethernet Security Setting up security in STEP 7 Professional Preface 1 User interface and menu commands 2 Basic configuration 3 Firewall