Configuration Example 09/2014
Setting up a secure VPN Connection between SCALANCE S and SSC Using a static IP Address
SCALANCE S, SOFTNET Security Client
http://support.automation.siemens.com/ww/view/en/99681083
Warranty and liability

Note: The Application Examples are not binding and do not claim to be complete regarding the circuits shown, equipping and any eventuality. The Application Examples do not represent customer-specific solutions. They are only intended to provide support for typical applications. You are responsible for ensuring that the described products are used correctly. These application examples do not relieve you of the responsibility to use safe practices in application, installation, operation and maintenance. When using these Application Examples, you recognize that we cannot be made liable for any damage/claims beyond the liability clause described. We reserve the right to make changes to these Application Examples at any time without prior notice. If there are any deviations between the recommendations provided in these application examples and other Siemens publications, e.g. catalogs, the contents of the other documents have priority. We do not accept any liability for the information contained in this document.

Siemens AG 2014 All rights reserved

Any claims against us based on whatever legal reason resulting from the use of the examples, information, programs, engineering and performance data etc., described in this Application Example shall be excluded. Such an exclusion shall not apply in the case of mandatory liability, e.g. under the German Product Liability Act (Produkthaftungsgesetz), in case of intent, gross negligence, or injury of life, body or health, guarantee for the quality of a product, fraudulent concealment of a deficiency or breach of a condition which goes to the root of the contract (wesentliche Vertragspflichten). The damages for a breach of a substantial contractual obligation are, however, limited to the foreseeable damage, typical for the type of contract, except in the event of intent or gross negligence or injury to life, body or health.
The above provisions do not imply a change of the burden of proof to your detriment. Any form of duplication or distribution of these Application Examples or excerpts hereof is prohibited without the expressed consent of Siemens Industry Sector.

Security information

Siemens provides products and solutions with industrial security functions that support the secure operation of plants, solutions, machines, equipment and/or networks. They are important components in a holistic industrial security concept. With this in mind, Siemens products and solutions undergo continuous development. Siemens strongly recommends that you regularly check for product updates.

For the secure operation of Siemens products and solutions, it is necessary to take suitable preventive action (e.g. cell protection concept) and integrate each component into a holistic, state-of-the-art industrial security concept. Third-party products that may be in use should also be considered. For more information about industrial security, visit http://www.siemens.com/industrialsecurity.

To stay informed about product updates as they occur, sign up for a product-specific newsletter. For more information, visit http://support.automation.siemens.com.

Entry ID: 99681083, V1.0, 09/2014
Table of Contents

Warranty and liability ... 2
1 Task and Solution ... 4
1.1 Task ... 4
1.2 Possible solution ... 4
1.3 Characteristics of the solution ... 5
2 Configuration and Project Engineering ... 6
2.1 Setting up the environment ... 6
2.1.1 Required components and IP address overview ... 6
2.1.2 SOFTNET Security Client ... 8
2.1.3 DSL access for SCALANCE S612 ... 9
2.1.4 SCALANCE S612 ... 9
2.1.5 Setting up the infrastructure ... 10
2.2 Setting up VPN communication ... 10
2.2.1 Integrating the VPN endpoint SCALANCE S612 ... 11
2.2.2 Integrating the VPN endpoint SOFTNET Security Client ... 13
2.2.3 Configuring the VPN tunnel ... 14
2.2.4 Loading the components ... 16
2.2.5 Final steps ... 17
2.3 Establishing the VPN connection ... 18
3 Testing the Tunnel Function ... 20
4 History ... 20
1 Task and Solution

1.1 Task

The task is to allow a service employee secure access to automation cells or PCs via the Internet or a company's internal network. The following customer requirements have to be considered:
- Protection against spying and data manipulation.
- Prevention of unauthorized access.
- Provision of secure remote access for remote maintenance and remote control.
- Flexible access for the service employee (regardless of the user's location).

1.2 Possible solution

Complete overview

The figure below shows one way of implementing these customer requirements:

[Figure: Service PC with SOFTNET Security Client (SSC, VPN client) - Modem/Router - Internet - Internet router with static WAN IP address - SCALANCE S (VPN server) - Industrial Ethernet automation cell with SIMATIC S7 stations. The VPN tunnel runs from the SSC to the SCALANCE S.]

Remote access of a service employee to the automation cell (nodes such as SIMATIC stations, panels, drives, PCs) is protected by a VPN tunnel. Client access from the PC to the automation cell is established using the SOFTNET Security Client, a VPN client software product. The SCALANCE S612 (here: VPN server) placed in front of the automation cell is used as the endpoint of the VPN tunnel.

WAN access to the SCALANCE S is implemented using a static public IP address. WAN access on the client side is flexible; the IP address of the client's WAN port is not relevant.

When establishing the VPN tunnel, the roles are defined as follows:

Table 1-1
Component                 VPN role
SOFTNET Security Client   Initiator (VPN client); starts the VPN connection
SCALANCE S                Responder (VPN server); waits for the VPN connection
SOFTNET Security Client

The SOFTNET Security Client allows programming devices, PCs and notebook computers access to network nodes or automation systems protected by SCALANCE S, SCALANCE M or CPs. It is characterized by the following features:
- Secure access of programming devices or notebook computers to entire automation cells.
- Easy to use on PCs due to an intuitive graphical user interface.
- Configuration import.
- Connection control and diagnostics, connection statistics, log files; trace tool for error diagnostics; icons to indicate the connection status.
- Protection of data transmission against spying and spoofing by means of certified standards.
- Supports the DNS client function.

SCALANCE S

The security modules of the SCALANCE S family are designed specifically for use in automation but integrate seamlessly with the security structures of the office and IT world. They provide the following functions:
- High-quality stateful inspection firewall with filtering of IP- and MAC-based data traffic.
- User-specific IP firewall to distinguish and differentiate access to specific plant parts.
- Router functionality (PPPoE, DNS).
- IPsec VPN (data encryption and authentication).
- Protection of all devices of an Ethernet network.
- Flexible, reaction-free and protocol-independent protection.
- Support of multiple VPN tunnels at a time.

1.3 Characteristics of the solution

- VPN tunnel for flexible access to the automation cell, for example for a service employee.
- Controlled, encrypted data traffic between SCALANCE S and SOFTNET Security Client.
- High degree of security for machines and plants through the implementation of the cell protection concept.
- Integrated network diagnostics via SNMP or Syslog.
- Easy integration into existing networks and protection of devices that do not have their own security functions.
2 Configuration and Project Engineering

2.1 Setting up the environment

2.1.1 Required components and IP address overview

Software packages

This solution requires the following software packages:
- "Security Configuration Tool V4" (included in the scope of delivery of the SCALANCE S or available as a download under Entry ID: 84467278)
- "SOFTNET Security Client V4 HF1"
Install this software on a PC/PG.

Required devices/components

To set up the environment, use the following components:
- A SCALANCE S612 (firmware V4) (optional: a DIN rail installed accordingly, including fitting accessories).
- DSL access with a dynamic WAN IP address and a DSL router (client side).
- DSL access with a static WAN IP address and a DSL router (SCALANCE S side).
- A 24 V power supply with cable connector and terminal block plug.
- A PC on which the "Security Configuration Tool" and the "SOFTNET Security Client" are installed.
- The necessary network cables, TP cables (twisted pair) according to the IE FC RJ45 standard for Industrial Ethernet.

Note: You can also use a different SCALANCE S type (except SCALANCE S602) or Internet access method (e.g., UMTS). The configuration described below refers explicitly to the components listed in "Required devices/components".
IP addresses

For this example, the IP addresses are assigned as follows:

[Figure: SSC (192.168.2.88) - DSL router1 (LAN 192.168.2.1, dynamic WAN IP) - Internet - DSL router2 (static WAN IP, LAN 172.16.0.1) - S612 (external port 172.16.47.1, internal port 172.12.80.2)]

Table 2-1
Component                      Port           IP address                         Router        Subnet mask
SSC (SOFTNET Security Client)  -              192.168.2.88                       192.168.2.1   255.255.255.0
DSL router1                    LAN port       192.168.2.1                        -             255.255.255.0
DSL router1                    WAN port       Dynamic IP address from provider   -             Assigned by provider
DSL router2                    WAN port       Static IP address from provider    -             Assigned by provider
DSL router2                    LAN port       172.16.0.1                         -             255.255.0.0
S612                           External port  172.16.47.1                        172.16.0.1    255.255.0.0
S612                           Internal port  172.12.80.2                        -             255.255.255.0
2.1.2 SOFTNET Security Client

Network

The subnet on the local network adapter of the SOFTNET Security Client and the internal subnet on the SCALANCE S must be different. If the PC has multiple network adapters, please note the following:
- A default gateway must only be entered for a single network adapter. If necessary, remove any other default gateways or replace them with static routes.
- The other connected networks on the PC where the SOFTNET Security Client is installed and the internal network of the VPN remote end must be different. Even if no cable is plugged in, the routing function is impaired. Change the subnet of the other network adapter or disable it completely.

VPN software

VPN software from third-party manufacturers may cause incompatibilities and prevent the SOFTNET Security Client from functioning properly. Uninstall this software if disabling is not sufficient.

Firewall

When the SOFTNET Security Client is run on the Windows Vista or Windows 7 operating system, establishing a VPN connection requires that the Windows firewall be enabled.

Time

Make sure that the current date and time is always set on the SOFTNET Security Client PC. Otherwise, the certificates used are interpreted as invalid and secure VPN communication is not possible.
2.1.3 DSL access for SCALANCE S612

Static IP address

WAN access of the SOFTNET Security Client to the SCALANCE S612 is implemented using a fixed public IP address. This IP address must be requested from the provider and then stored in DSL router2.

Port forwarding on DSL router2

Due to the use of a DSL router as an Internet gateway, you have to enable the following ports on DSL router2 and forward the data packets to the S612 (VPN server; external IP address 172.16.47.1):
- UDP port 500 (ISAKMP/IKE)
- UDP port 4500 (NAT-T)
Forward only these two ports. ESP (IP protocol 50) does not have to be forwarded: because the S612 sits behind the NAT of DSL router2, both ends detect the NAT during IKE and negotiate NAT traversal, so the ESP packets are encapsulated in UDP port 4500.

VPN function

If the DSL routers themselves are VPN-capable, make sure that this function is disabled.

2.1.4 SCALANCE S612

To make sure that no old configurations and certificates are stored in the SCALANCE S, reset the module to factory default. For the appropriate chapter in the SCALANCE S manual, please use the following link:
https://www.automation.siemens.com/mdm/default.aspx?docversionid=58712435339&Language=en-EN&TopicId=57280996235&guiLanguage=en
The factory-default state (no configuration loaded) is indicated by the Fault LED lighting up orange.

If problems occur when accessing the SCALANCE S or rebooting, please refer to the appropriate troubleshooting chapter:
https://www.automation.siemens.com/mdm/default.aspx?docversionid=58712435339&Language=en-EN&TopicId=57279890699&guiLanguage=en
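The addressing rules of Table 2-1, section 2.1.2 (one default gateway, no adapter subnet overlapping the subnet behind the S612) and section 2.1.3 (UDP 500 and 4500 forwarded to the S612 external port, and nothing else) are easy to get wrong on a service PC with several adapters. The following preflight script, an added example that is not Siemens code, checks a plan against those rules. The adapter list and the router forwarding table are constructed samples standing in for what you would read from `ipconfig /all` and the router's web interface; the IP values are the document's own. It also reports addresses outside the RFC 1918 private ranges, which flags the document's internal subnet 172.12.80.0/24 (172.16.0.0/12 starts at 172.16), something to replace with a private range in a real plant.

```python
"""Preflight check of the Table 2-1 addressing plan against sections 2.1.2 and 2.1.3.
Added example, not Siemens code. Adapter list and router forwarding table are
constructed samples; the IP values are those of the document."""
import ipaddress
from ipaddress import IPv4Interface

# Values from Table 2-1 of the document.
SSC_ADAPTER = IPv4Interface("192.168.2.88/24")
SSC_GATEWAY = "192.168.2.1"
S612_EXTERNAL = IPv4Interface("172.16.47.1/16")
S612_EXTERNAL_GATEWAY = "172.16.0.1"
S612_INTERNAL = IPv4Interface("172.12.80.2/24")

# Section 2.1.3: the only ports DSL router2 must forward to the S612 external IP.
REQUIRED_FORWARDS = {("udp", 500), ("udp", 4500)}

# Constructed sample: adapters of the SSC PC as (name, "ip/prefix", gateway or None).
# The second adapter is unplugged but still counts (section 2.1.2).
SSC_PC_ADAPTERS = [
    ("Ethernet", "192.168.2.88/24", SSC_GATEWAY),
    ("Host-only adapter", "192.168.56.1/24", None),
]

# Constructed sample: forwarding table of DSL router2 as (proto, port, target IP).
ROUTER2_FORWARDS = [
    ("udp", 500, "172.16.47.1"),
    ("udp", 4500, "172.16.47.1"),
]


def gateway_usable(iface, gateway):
    """A default gateway only works if it lies inside the adapter's own subnet."""
    return ipaddress.ip_address(gateway) in iface.network


def find_problems(adapters, forwards):
    """Return human-readable violations; an empty list means the plan is consistent."""
    problems = []

    # 2.1.2: exactly one default gateway on the SSC PC.
    gateways = [gw for _, _, gw in adapters if gw is not None]
    if len(gateways) != 1:
        problems.append(f"SSC PC: expected exactly one default gateway, found {len(gateways)}")

    for name, cidr, gw in adapters:
        iface = IPv4Interface(cidr)
        if gw is not None and not gateway_usable(iface, gw):
            problems.append(f"{name}: gateway {gw} is not inside {iface.network}")
        # 2.1.2: no adapter subnet may overlap the subnet behind the S612, even if
        # unplugged, or the route into the tunnel is shadowed by the local adapter.
        if iface.network.overlaps(S612_INTERNAL.network):
            problems.append(f"{name}: {iface.network} overlaps S612 internal subnet {S612_INTERNAL.network}")

    # S612 in routing mode: standard router reachable, external/internal subnets disjoint.
    if not gateway_usable(S612_EXTERNAL, S612_EXTERNAL_GATEWAY):
        problems.append(f"S612: standard router {S612_EXTERNAL_GATEWAY} is not inside {S612_EXTERNAL.network}")
    if S612_EXTERNAL.network.overlaps(S612_INTERNAL.network):
        problems.append("S612: external and internal subnets overlap")

    # 2.1.3: UDP 500 and 4500 forwarded to the S612 external IP, nothing else exposed.
    target = str(S612_EXTERNAL.ip)
    present = {(proto, port) for proto, port, tgt in forwards if tgt == target}
    for proto, port in sorted(REQUIRED_FORWARDS - present):
        problems.append(f"DSL router2 does not forward {proto}/{port} to {target}")
    for proto, port, tgt in forwards:
        if (proto, port) not in REQUIRED_FORWARDS:
            problems.append(f"DSL router2 forwards {proto}/{port} to {tgt}, which the VPN does not need")
    return problems


def non_private_addresses():
    """Addresses of the plan outside the RFC 1918 ranges (10/8, 172.16/12, 192.168/16)."""
    return [str(i.ip) for i in (SSC_ADAPTER, S612_EXTERNAL, S612_INTERNAL) if not i.ip.is_private]


if __name__ == "__main__":
    for p in find_problems(SSC_PC_ADAPTERS, ROUTER2_FORWARDS) or ["no problems found"]:
        print(p)
    print("not RFC 1918:", non_private_addresses())
```

Run it after editing the two sample tables to match your PC and router. A second adapter configured in 172.12.80.0/24, or a second default gateway, is reported even when the cable is unplugged, which is exactly the case section 2.1.2 warns about.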
2.1.5 Setting up the infrastructure

Connect all the components involved in this solution.

[Figure: SSC LAN port - DSL router1 LAN port; DSL router1 WAN port - Internet - DSL router2 WAN port; DSL router2 LAN port - S612 external port; S612 internal port - automation network]

Table 2-2
Component                 Local port                   Partner                                                   Partner port
SOFTNET Security Client   LAN port                     DSL router1                                               LAN port
SCALANCE S612             External (unprotected) port  DSL router2                                               LAN port
SCALANCE S612             Internal (protected) port    E.g., an automation network (does not exist in this solution)  -

Note: In all devices in the internal network of the S612 (e.g., controllers, panels, etc.), please make sure to enter the IP address of the internal port as the default gateway.

2.2 Setting up VPN communication

SCT project

The VPN tunnel is configured using the Security Configuration Tool V4. Open the tool and select "Project" > "New" to create a new project. Define a user name and password.

Component overview

This solution uses the following security components:
- SCALANCE S612 (firmware V4)
- SOFTNET Security Client V4 HF1
2.2.1 Integrating the VPN endpoint SCALANCE S612

To integrate the SCALANCE S612 component into the Security Configuration Tool, proceed as follows:
1. Use "Insert" > "Module" or select the appropriate menu icon to open the module selection dialog. Note: If you have created a new project, this dialog opens automatically. Define the following module:
   Product type: SCALANCE S
   Module: S612
   Firmware release: V4
2. Assign a name to the module and apply the MAC address from the S612 housing to the appropriate text box. Enter the external IP address and subnet mask as listed in Table 2-1.
3. Change the mode of the SCALANCE S to Routing. Enter the internal IP address and subnet mask as listed in Table 2-1. Close the dialog with "OK".

Result
Now the SCALANCE S612 appears as a new module.
2.2.2 Integrating the VPN endpoint SOFTNET Security Client

To integrate the SOFTNET Security Client component into the Security Configuration Tool, proceed as follows:
1. Use "Insert" > "Module" or select the appropriate menu icon to open the module selection dialog. Define the following module:
   Product type: SOFTNET configuration
   Module: SOFTNET Security Client
   Firmware release: V4
2. Assign a name to the module.
3. Close the dialog with "OK".

Result
Now the SSC appears as an additional module.
2.2.3 Configuring the VPN tunnel

Creating a VPN group

All members of a VPN group are authorized to communicate with each other through a VPN tunnel. To create a VPN group, proceed as follows:
1. In the project tree, select the "VPN groups" item. Use "Insert" > "Group" or select the appropriate menu icon to create a new VPN group.
2. One after the other, select the SCALANCE S612 and the SOFTNET Security Client from the "All modules" list and use drag and drop to insert them into the VPN group.

Result
The SCALANCE S612 and the SOFTNET Security Client have been assigned to VPN group Group1. Certificates are used for authentication.
Defining the VPN parameters

To establish the VPN tunnel, you have to enter the following information:
- Standard router
- WAN IP address of the DSL router
- VPN role

Parameterize this information as follows:
1. In the "All modules" project tree, select the S612 and double-click to open its properties dialog.
2. In the "Routing" tab, enter the standard router as listed in Table 2-1.
3. In the "VPN" tab, select the "Responder" VPN role for the S612. In the "WAN IP address / FQDN" field, enter the static WAN IP address of your DSL access point (DSL router2).
4. Close the dialog with "OK".
5. Confirm the message with "OK".
6. Save the project.

Result
The VPN configuration is complete.
2.2.4 Loading the components

The transfer of the configuration data differs for the SCALANCE S and SOFTNET Security Client security components:
- SCALANCE S: The configuration data is downloaded directly from the Security Configuration Tool to the SCALANCE S.
- SOFTNET Security Client: The Security Configuration Tool generates a configuration file for import into the client software.

Preparation

As a WAN is used as an external public network, the S612 with factory default cannot be configured via this WAN. In this case, configure the security module from the internal network: connect the PC on which the Security Configuration Tool is installed to the internal port of the SCALANCE S and change the network settings on the PC as follows:
   IP address: 172.12.80.100
   Subnet mask: 255.255.255.0

SCALANCE S
1. Select the S612 and select the "Transfer" > "To module(s)" menu command.
2. When a configuration is downloaded for the first time after the installation of the Security Configuration Tool, a dialog appears where you can select the network adapter. In this dialog, explicitly select the network adapter via which you are actually connected to the module.
3. Clicking the "Start" button in the "Download configuration data to security module" dialog transfers the configuration to the SCALANCE S module.

Result
Now the S612 has been configured and can communicate at the IP level. This mode is indicated by the fact that the Fault LED lights up green.
SOFTNET Security Client
1. Select the SOFTNET Security Client and select the "Transfer" > "To module(s)" menu command.
2. Save the "<Project name>.ssc.dat" configuration file to your project directory.
3. Confirm the following message with "OK".
4. Specify a password for the certificate of the VPN configuration. If you do not assign a password, the project name (not the password of the logged-in user) is applied as the password. Always assign a password of your own: the .p12 file contains the private key of the client certificate, and the project name is easy to guess for anyone who obtains the file.

Result
The following files are saved to the project directory:
- Configuration file: "<Project name>.ssc.dat"
- Certificate: "<Project name>.<string>.ssc.p12"
- Group certificate: "<Project name>.group1.cer"

Treat these files as secrets. Whoever holds the configuration file, the .p12 file and its password can join the VPN group as this client; copy them to the service PC over a trusted channel and delete them from any shared location afterwards.

2.2.5 Final steps
1. Connect the PC (SOFTNET Security Client) to the LAN interface of DSL router1.
2. Assign the required network configuration to the network card as shown in Table 2-1.
3. In all devices on the internal port of the SCALANCE S612, enter a default gateway (IP address of the internal port).
2.3 Establishing the VPN connection

To establish the VPN connection, proceed as follows:
1. Start the SOFTNET Security Client. To load the configuration file, click the "Load Configuration" button.
2. Navigate to your project folder and open the "<Project name>.ssc.dat" configuration file.
3. Enter the password for the private key of the certificate. Click "Next".
4. Activate the VPN tunnel for the internal members with "Yes".
5. Click the "Tunnel Overview" button.

Result
The tunnel between the SCALANCE S and the SOFTNET Security Client has been established. The green circle to the left of the "S612" item signals that the remote end is accessible.
3 Testing the Tunnel Function

Chapter 2 completes the commissioning of the configuration, and the SCALANCE S612 and the SOFTNET Security Client have established a VPN tunnel for secure communication. You can test the established tunnel connection using a ping command on an internal node, as described below. Alternatively, you can use other methods to test the configuration (for example, by opening the internal web page when using a SCALANCE X or CP).
1. On the SOFTNET Security Client PC, select "Start" > "All Programs" > "Accessories" > "Command Prompt".
2. In the "Command Prompt" window that appears, enter the command "ping <IP address of internal node>".

Result
You get a positive response from the internal node.

Note
On a Windows node, the default firewall settings may block incoming ICMP echo requests, so the ping gets no reply even though the tunnel is up. You may have to enable the ICMP services of the "Request" and "Response" type on that node.

4 History

Table 4-1
Version   Date      Modifications
V1.0      09/2014   First version