Setting up a secure VPN Connection between SCALANCE S and SSC Using a static IP Address. SCALANCE S, SOFTNET Security Client


Configuration Example 09/2014

Setting up a secure VPN Connection between SCALANCE S and SSC Using a static IP Address

SCALANCE S, SOFTNET Security Client

http://support.automation.siemens.com/ww/view/en/99681083

Warranty and liability

Note
The Application Examples are not binding and do not claim to be complete regarding the circuits shown, equipping and any eventuality. The Application Examples do not represent customer-specific solutions. They are only intended to provide support for typical applications. You are responsible for ensuring that the described products are used correctly. These application examples do not relieve you of the responsibility to use safe practices in application, installation, operation and maintenance. When using these Application Examples, you recognize that we cannot be made liable for any damage/claims beyond the liability clause described. We reserve the right to make changes to these Application Examples at any time without prior notice. If there are any deviations between the recommendations provided in these application examples and other Siemens publications, e.g. Catalogs, the contents of the other documents have priority. We do not accept any liability for the information contained in this document.

Any claims against us based on whatever legal reason resulting from the use of the examples, information, programs, engineering and performance data etc., described in this Application Example shall be excluded. Such an exclusion shall not apply in the case of mandatory liability, e.g. under the German Product Liability Act (Produkthaftungsgesetz), in case of intent, gross negligence, or injury of life, body or health, guarantee for the quality of a product, fraudulent concealment of a deficiency or breach of a condition which goes to the root of the contract (wesentliche Vertragspflichten). The damages for a breach of a substantial contractual obligation are, however, limited to the foreseeable damage, typical for the type of contract, except in the event of intent or gross negligence or injury to life, body or health. The above provisions do not imply a change of the burden of proof to your detriment.

Any form of duplication or distribution of these Application Examples or excerpts hereof is prohibited without the expressed consent of Siemens Industry Sector.

Security information
Siemens provides products and solutions with industrial security functions that support the secure operation of plants, solutions, machines, equipment and/or networks. They are important components in a holistic industrial security concept. With this in mind, Siemens products and solutions undergo continuous development. Siemens recommends strongly that you regularly check for product updates.

For the secure operation of Siemens products and solutions, it is necessary to take suitable preventive action (e.g. cell protection concept) and integrate each component into a holistic, state-of-the-art industrial security concept. Third-party products that may be in use should also be considered. For more information about industrial security, visit http://www.siemens.com/industrialsecurity.

To stay informed about product updates as they occur, sign up for a product-specific newsletter. For more information, visit http://support.automation.siemens.com.

Siemens AG 2014 All rights reserved
Entry ID: 99681083, V1.0, 09/2014 2

Table of Contents

Warranty and liability ... 2
1 Task and Solution ... 4
  1.1 Task ... 4
  1.2 Possible solution ... 4
  1.3 Characteristics of the solution ... 5
2 Configuration and Project Engineering ... 6
  2.1 Setting up the environment ... 6
    2.1.1 Required components and IP address overview ... 6
    2.1.2 SOFTNET Security Client ... 8
    2.1.3 DSL access for SCALANCE S612 ... 9
    2.1.4 SCALANCE S612 ... 9
    2.1.5 Setting up the infrastructure ... 10
  2.2 Setting up VPN communication ... 10
    2.2.1 Integrating the VPN endpoint SCALANCE S612 ... 11
    2.2.2 Integrating the VPN endpoint SOFTNET Security Client ... 13
    2.2.3 Configuring the VPN tunnel ... 14
    2.2.4 Loading the components ... 16
    2.2.5 Final steps ... 17
  2.3 Establishing the VPN connection ... 18
3 Testing the Tunnel Function ... 20
4 History ... 20

1 Task and Solution

1.1 Task
The task is to allow a service employee secure access to automation cells or PCs via the Internet or a company's internal network. The following customer requirements have to be considered:
- Protection against spying and data manipulation.
- Prevention of unauthorized access.
- Provision of secure remote access for remote maintenance and remote control.
- Flexible access for the service employee (regardless of the user's location).

1.2 Possible solution

Complete overview
The figure below shows one way of implementing these customer requirements:

[Figure: Service PC with SOFTNET Security Client (SSC VPN client) - Internet modem/router - Internet - Internet router with static WAN IP address - SCALANCE S (VPN server) - Industrial Ethernet automation cell with SIMATIC S7 stations; VPN tunnel between SSC and SCALANCE S]

Remote access of a service employee to the automation cell (nodes such as SIMATIC stations, panels, drives, PCs) is protected by a VPN tunnel. Client access from the PC to the automation cell is established using the SOFTNET Security Client, a VPN client software product. The SCALANCE S612 (here: VPN server) placed in front of the automation cell is used as the endpoint of the VPN tunnel.

Access to the SCALANCE S from the WAN is implemented using a static public IP address. WAN access on the client side is flexible; the IP address of the client's WAN port is not relevant.

When establishing the VPN tunnel, the roles are defined as follows:

Table 1-1
Component               | VPN role
SOFTNET Security Client | Initiator (VPN client); starts the VPN connection
SCALANCE S              | Responder (VPN server); waits for the VPN connection

SOFTNET Security Client
The SOFTNET Security Client allows programming devices, PCs and notebook computers access to network nodes or automation systems protected by SCALANCE S, SCALANCE M or CPs. It is characterized by the following features:
- Secure access of programming devices or notebook computers to entire automation cells.
- Easy to use on PCs due to an intuitive graphical user interface.
- Configuration import.
- Connection control and diagnostics, connection statistics, log files; trace tool for error diagnostics; icons to indicate the connection status.
- Protection of data transmission against spying and spoofing by means of certified standards.
- Supports the DNS client function.

SCALANCE S
The security modules of the SCALANCE S family are designed specifically for use in automation but integrate seamlessly with the security structures of the office and IT world. They provide the following functions:
- High-quality stateful inspection firewall with filtering of IP- and MAC-based data traffic.
- User-specific IP firewall to distinguish and differentiate access to specific plant parts.
- Router functionality (PPPoE, DNS).
- IPSec VPN (data encryption and authentication).
- Protection of all devices of an Ethernet network.
- Flexible, reaction-free and protocol-independent protection.
- Support of multiple VPN tunnels at a time.

1.3 Characteristics of the solution
- VPN tunnel for flexible access to the automation cell, e.g. for a service employee.
- Controlled, encrypted data traffic between SCALANCE S and SOFTNET Security Client.
- High degree of security for machines and plants through the implementation of the cell protection concept.
- Integrated network diagnostics via SNMP or Syslog.
- Easy integration into existing networks and protection of devices that do not have their own security functions.

2 Configuration and Project Engineering

2.1 Setting up the environment

2.1.1 Required components and IP address overview

Software packages
This solution requires the following software packages:
- "Security Configuration Tool V4" (included in the scope of delivery of the SCALANCE S or available as a download under Entry ID 84467278)
- "SOFTNET Security Client V4 HF1"
Install this software on a PC/PG.

Required devices/components
Note: To set up the environment, use the following components:
- A SCALANCE S612 (firmware V4) (optional: a DIN rail installed accordingly, including fitting accessories).
- DSL access with a dynamic WAN IP address and a DSL router.
- DSL access with a static WAN IP address and a DSL router.
- A 24 V power supply with cable connector and terminal block plug.
- A PC on which the "Security Configuration Tool" and the "SOFTNET Security Client" are installed.
- The necessary network cables: TP cables (twisted pair) according to the IE FC RJ45 standard for Industrial Ethernet.

You can also use a different SCALANCE S type (except SCALANCE S602) or Internet access method (e.g., UMTS). The configuration described below refers explicitly to the components listed under "Required devices/components".

IP addresses
For this example, the IP addresses are assigned as follows:

[Figure: SSC (192.168.2.88) - DSL Router1 (LAN 192.168.2.1, dynamic WAN IP) - Internet - DSL Router2 (static WAN IP, LAN 172.16.0.1) - S612 (external port 172.16.47.1, internal port 172.12.80.2)]

Table 2-1
Component                     | Port          | IP address                       | Router      | Subnet mask
SSC (SOFTNET Security Client) | -             | 192.168.2.88                     | 192.168.2.1 | 255.255.255.0
DSL router1                   | LAN port      | 192.168.2.1                      | -           | 255.255.255.0
DSL router1                   | WAN port      | Dynamic IP address from provider | -           | Assigned by provider
DSL router2                   | WAN port      | Static IP address from provider  | -           | Assigned by provider
DSL router2                   | LAN port      | 172.16.0.1                       | -           | 255.255.0.0
S612                          | External port | 172.16.47.1                      | 172.16.0.1  | 255.255.0.0
S612                          | Internal port | 172.12.80.2                      | -           | 255.255.255.0

2.1.2 SOFTNET Security Client

Network
The subnet on the local network adapter of the SOFTNET Security Client and the internal subnet on the SCALANCE S must be different.

If the PC has multiple network adapters, please note the following:
- A default gateway must only be entered for a single network adapter. If necessary, remove any other default gateways or replace them with static routes.
- The other connected networks on the PC where the SOFTNET Security Client is installed and the internal network of the VPN remote end must be different. Even if no cable is plugged in, the routing function is impaired. Change the subnet of the other network adapter or disable it completely.

VPN software
VPN software from third-party manufacturers may cause incompatibilities and prevent the SOFTNET Security Client from functioning properly. Uninstall this software if disabling it is not sufficient.

Firewall
When the SOFTNET Security Client is run on the Windows Vista or Windows 7 operating system, establishing a VPN connection requires that the Windows firewall be enabled.

Time
Make sure that the current date and time are always set on the SOFTNET Security Client PC. Otherwise, the certificates used are interpreted as invalid and secure VPN communication is not possible.
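The two network rules above (one default gateway per PC, no local subnet overlapping the remote internal network) are easy to get wrong on a PC with several adapters. The following pre-flight check is an added Python example and not part of the Siemens application example; the adapter records are constructed, the SSC adapter values come from Table 2-1, and the remote internal subnet 172.12.80.0/24 is taken from the S612 internal port address and mask in that table.

```python
"""Pre-flight check for the SOFTNET Security Client PC (section 2.1.2).

Added example, not part of the Siemens application example. It checks the
two network preconditions the section names before a tunnel is attempted:
  - only one network adapter on the PC may carry a default gateway, and
  - no local adapter subnet may overlap the internal subnet behind the
    SCALANCE S (172.12.80.0/24 per Table 2-1), even on an unplugged adapter.
Adapter data here is constructed; on a real PC it would be read from
"ipconfig /all".
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Interface, IPv4Network
from typing import List, Optional


@dataclass
class Adapter:
    name: str
    address: str                   # "address/netmask", e.g. "192.168.2.88/255.255.255.0"
    gateway: Optional[str] = None  # None if the adapter has no default gateway
    connected: bool = True         # False models an adapter with no cable plugged in

    def network(self) -> IPv4Network:
        # IPv4Interface accepts dotted netmask notation as well as prefix length.
        return IPv4Interface(self.address).network


def check_ssc_host(adapters: List[Adapter], remote_internal: str) -> List[str]:
    """Return a list of problems; an empty list means the host is ready."""
    problems: List[str] = []
    remote = IPv4Network(remote_internal)

    # Rule 1: exactly one default gateway on the whole PC.
    gw_adapters = [a.name for a in adapters if a.gateway]
    if not gw_adapters:
        problems.append("no default gateway configured on any adapter")
    elif len(gw_adapters) > 1:
        problems.append("multiple default gateways: " + ", ".join(gw_adapters))

    for a in adapters:
        net = a.network()
        # A gateway outside the adapter's own subnet is unreachable.
        if a.gateway and IPv4Address(a.gateway) not in net:
            problems.append(f"{a.name}: gateway {a.gateway} not in {net}")
        # Rule 2: no overlap with the VPN remote end's internal subnet.
        # Section 2.1.2 notes this applies even when no cable is plugged in.
        if net.overlaps(remote):
            state = "" if a.connected else " (unplugged, still routes)"
            problems.append(
                f"{a.name}: {net} overlaps remote internal {remote}{state}"
            )
    return problems


# Constructed sample: the SSC adapter from Table 2-1 plus a second, unplugged
# adapter that breaks both rules.
SAMPLE_ADAPTERS = [
    Adapter("Ethernet (SSC)", "192.168.2.88/255.255.255.0", gateway="192.168.2.1"),
    Adapter("Wi-Fi", "172.12.80.50/255.255.255.0", gateway="172.12.80.1",
            connected=False),
]
S612_INTERNAL = "172.12.80.0/24"  # internal port 172.12.80.2 / 255.255.255.0

if __name__ == "__main__":
    findings = check_ssc_host(SAMPLE_ADAPTERS, S612_INTERNAL)
    for p in findings:
        print("FAIL:", p)
    if not findings:
        print("OK: host meets the section 2.1.2 network rules")
```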

2.1.3 DSL access for SCALANCE S612

Static IP address
WAN access of the SOFTNET Security Client to the SCALANCE S612 is implemented using a fixed public IP address. This IP address must be requested from the provider and then stored in DSL router2.

Port forwarding on DSL router2
Due to the use of a DSL router as an Internet gateway, you have to enable the following ports on DSL router2 and forward the data packets to the S612 (VPN server; external IP address):
- UDP port 500 (ISAKMP)
- UDP port 4500 (NAT-T)

VPN function
If the DSL routers themselves are VPN-capable, make sure that this function is disabled.

2.1.4 SCALANCE S612
To make sure that no old configurations and certificates are stored in the SCALANCE S, reset the module to factory default. For the appropriate chapter in the SCALANCE S manual, please use the following link:
https://www.automation.siemens.com/mdm/default.aspx?docversionid=58712435339&Language=en-EN&TopicId=57280996235&guiLanguage=en
This state is indicated by the fact that the Fault LED lights up orange.

If problems occur when accessing the SCALANCE S or rebooting, please refer to the appropriate troubleshooting chapter:
https://www.automation.siemens.com/mdm/default.aspx?docversionid=58712435339&Language=en-EN&TopicId=57279890699&guiLanguage=en

2.1.5 Setting up the infrastructure
Connect all the components involved in this solution.

[Figure: SSC (LAN port) - DSL Router 1 (LAN port, WAN port) - DSL Router 2 (WAN port, LAN port) - S612 (external port, internal port)]

Table 2-2
Component               | Local port                  | Partner                                                       | Partner port
SOFTNET Security Client | LAN port                    | DSL router1                                                   | LAN port
SCALANCE S612           | External (unprotected) port | DSL router2                                                   | LAN port
SCALANCE S612           | Internal (protected) port   | E.g., an automation network (does not exist in this solution) | -

Note: In all devices in the internal network of the S612 (e.g., controllers, panels, etc.), please make sure to enter the IP address of the internal port as the default gateway.

2.2 Setting up VPN communication

SCT project
The VPN tunnel is configured using the Security Configuration Tool V4. Open the tool and select "Project" > "New" to create a new project. Define a user name and password.

Component overview
This solution uses the following security components:
- SCALANCE S612 (firmware V4)
- SOFTNET Security Client V4 HF1

2.2.1 Integrating the VPN endpoint SCALANCE S612
To integrate the SCALANCE S612 component into the Security Configuration Tool, proceed as follows:
1. Use "Insert" > "Module" or select the appropriate menu icon to open the module selection dialog. Note: If you have created a new project, this dialog opens automatically. Define the following module:
   - Product type: SCALANCE S
   - Module: S612
   - Firmware release: V4
2. Assign a name to the module and apply the MAC address from the S612 housing to the appropriate text box. Enter the external IP address and subnet mask as listed in Table 2-1.
3. Change the mode of the SCALANCE S to Routing. Enter the internal IP address and subnet mask as listed in Table 2-1. Close the dialog with "OK".

Result
Now the SCALANCE S612 appears as a new module.

2.2.2 Integrating the VPN endpoint SOFTNET Security Client
To integrate the SOFTNET Security Client component into the Security Configuration Tool, proceed as follows:
1. Use "Insert" > "Module" or select the appropriate menu icon to open the module selection dialog. Define the following module:
   - Product type: SOFTNET configuration
   - Module: SOFTNET Security Client
   - Firmware release: V4
2. Assign a name to the module.
3. Close the dialog with "OK".

Result
Now the SSC appears as an additional module.

2.2.3 Configuring the VPN tunnel

Creating a VPN group
All members of a VPN group are authorized to communicate with each other through a VPN tunnel. To create a VPN group, proceed as follows:
1. In the project tree, select the "VPN groups" item. Use "Insert" > "Group" or select the appropriate menu icon to create a new VPN group.
2. One after the other, select the SCALANCE S612 and the SOFTNET Security Client from the "All modules" list and use drag and drop to insert them into the VPN group.

Result
The SCALANCE S612 and the SOFTNET Security Client have been assigned to VPN group Group1. Certificates are used for authentication.

Defining the VPN parameters
To establish the VPN tunnel, you have to enter the following information:
- Standard router
- WAN IP address of the DSL router
- VPN role

Parameterize this information as follows:
1. In the "All modules" project tree, select the S612 and double-click to open its properties dialog.
2. In the "Routing" tab, enter the standard router as listed in Table 2-1.
3. In the "VPN" tab, select the "Responder" VPN role for the S612. In the "WAN IP address / FQDN" field, enter the WAN IP address of your DSL access point.
4. Close the dialog with "OK".
5. Confirm the message with "OK".
6. Save the project.

Result
The VPN configuration is complete.

2.2.4 Loading the components
The transfer of the configuration data differs for the SCALANCE S and SOFTNET Security Client security components:
- SCALANCE S: The configuration data is downloaded directly from the Security Configuration Tool to the SCALANCE S.
- SOFTNET Security Client: The Security Configuration Tool generates a configuration file for import into the client software.

Preparation
As a WAN is used as an external public network, the S612 with factory default cannot be configured via this WAN. In this case, configure the security module from the internal network: Connect the PC on which the Security Configuration Tool is installed to the internal port of the SCALANCE S and change the network settings on the PC as follows:
- IP address: 172.12.80.100
- Subnet mask: 255.255.255.0

SCALANCE S
1. Select the S612 and select the "Transfer" > "To module(s)" menu command.
2. When a configuration is downloaded for the first time after the installation of the Security Configuration Tool, a dialog appears where you can select the network adapter. In this dialog, explicitly select the network adapter via which you are actually connected to the module.
3. Clicking the "Start" button in the "Download configuration data to security module" dialog transfers the configuration to the SCALANCE S module.

Result
Now the S612 has been configured and can communicate at the IP level. This mode is indicated by the fact that the Fault LED lights up green.

SOFTNET Security Client
1. Select the SOFTNET Security Client and select the "Transfer" > "To module(s)" menu command.
2. Save the "<Project name>.ssc.dat" configuration file to your project directory.
3. Confirm the following message with "OK".
4. Specify a password for the certificate of the VPN configuration. If you do not assign a password, the project name (not the password of the logged-in user) is applied as the password.

Result
The following files are saved to the project directory:
- Configuration file: "<Project name>.ssc.dat"
- Certificate: "<Project name>.<string>.ssc.p12"
- Group certificate: "<Project name>.group1.cer"

2.2.5 Final steps
1. Connect the PC (SOFTNET Security Client) to the LAN interface of DSL router1.
2. Assign the required network configuration to the network card as shown in Table 2-1.
3. In all devices on the internal port of the SCALANCE S612, enter a default gateway (IP address of the internal port).

2.3 Establishing the VPN connection
To establish the VPN connection, proceed as follows:
1. Start the SOFTNET Security Client. To load the configuration file, click the "Load Configuration" button.
2. Navigate to your project folder and open the "<Project name>.ssc.dat" configuration file.
3. Enter the password for the private key of the certificate. Click "Next".
4. Activate the VPN tunnel for the internal members with "Yes".
5. Click the "Tunnel Overview" button.

Result
The tunnel between the SCALANCE S and the SOFTNET Security Client has been established. The green circle to the left of the "S612" item signals that the remote end is accessible.

3 Testing the Tunnel Function
With the commissioning in chapter 2 complete, the SCALANCE S612 and the SOFTNET Security Client have established a VPN tunnel for secure communication. You can test the established tunnel connection using a ping command to an internal node, as described below. Alternatively, you can also use other methods to test the configuration (for example, by opening the internal Web page when using a SCALANCE X or CP).
1. On the SOFTNET Security Client PC, select "Start" > "All Programs" > "Accessories" > "Command Prompt" in the start bar.
2. In the command line of the "Command Prompt" window that appears, enter the "ping <IP address of internal node>" command at the cursor position.

Result
You get a positive response from the internal node.

Note: In Windows, the default settings of the firewall may prevent ping commands from passing. You may have to enable the ICMP services of the "Request" and "Response" type.

4 History

Table 4-1
Version | Date    | Modifications
V1.0    | 09/2014 | First version