Setting up a secure VPN connection between two SCALANCE S Modules Using a static IP Address


Configuration Example 09/2014
Setting up a secure VPN connection between two SCALANCE S Modules Using a static IP Address
SCALANCE S
http://support.automation.siemens.com/ww/view/en/99681360

Warranty and liability

Note: The Application Examples are not binding and do not claim to be complete regarding the circuits shown, equipping and any eventuality. The Application Examples do not represent customer-specific solutions. They are only intended to provide support for typical applications. You are responsible for ensuring that the described products are used correctly. These application examples do not relieve you of the responsibility to use safe practices in application, installation, operation and maintenance. When using these Application Examples, you recognize that we cannot be made liable for any damage/claims beyond the liability clause described. We reserve the right to make changes to these Application Examples at any time without prior notice. If there are any deviations between the recommendations provided in these application examples and other Siemens publications, e.g. Catalogs, the contents of the other documents have priority.

We do not accept any liability for the information contained in this document. Any claims against us based on whatever legal reason resulting from the use of the examples, information, programs, engineering and performance data etc., described in this Application Example shall be excluded. Such an exclusion shall not apply in the case of mandatory liability, e.g. under the German Product Liability Act (Produkthaftungsgesetz), in case of intent, gross negligence, or injury of life, body or health, guarantee for the quality of a product, fraudulent concealment of a deficiency or breach of a condition which goes to the root of the contract (wesentliche Vertragspflichten). The damages for a breach of a substantial contractual obligation are, however, limited to the foreseeable damage, typical for the type of contract, except in the event of intent or gross negligence or injury to life, body or health. The above provisions do not imply a change of the burden of proof to your detriment.

Any form of duplication or distribution of these Application Examples or excerpts hereof is prohibited without the expressed consent of Siemens Industry Sector.

Security information

Siemens provides products and solutions with industrial security functions that support the secure operation of plants, solutions, machines, equipment and/or networks. They are important components in a holistic industrial security concept. With this in mind, Siemens products and solutions undergo continuous development. Siemens recommends strongly that you regularly check for product updates.

For the secure operation of Siemens products and solutions, it is necessary to take suitable preventive action (e.g. cell protection concept) and integrate each component into a holistic, state-of-the-art industrial security concept. Third-party products that may be in use should also be considered. For more information about industrial security, visit http://www.siemens.com/industrialsecurity.

To stay informed about product updates as they occur, sign up for a product-specific newsletter. For more information, visit http://support.automation.siemens.com.

Siemens AG 2014 All rights reserved
Entry ID: 99681360, V1.0, 09/2014

Table of Contents

Warranty and liability
1 Task and Solution
1.1 Task
1.2 Possible solution
1.3 Characteristics of the solution
2 Configuration and Project Engineering
2.1 Setting up the environment
2.1.1 Required components and IP address overview
2.1.2 DSL access for SCALANCE S612 (DSL router2)
2.1.3 SCALANCE S
2.1.4 Setting up the infrastructure
2.2 Configuring the VPN tunnel
2.2.1 Integrating the VPN endpoint SCALANCE S612 (VPN client)
2.2.2 Integrating the VPN endpoint SCALANCE S612 (VPN server)
2.2.3 Configuring the VPN tunnel
2.2.4 Loading the components
2.2.5 Final steps
2.3 Establishing the VPN connection
3 Testing the Tunnel Function
4 History

1 Task and Solution

1.1 Task

The task is to establish a secure connection between two networks (e.g., automation networks or individual devices) via the Internet or a company's internal network. The following customer requirements have to be considered:
- Protection against spying and data manipulation
- Prevention of unauthorized access
- Easy handling and integration
- If required: embedding of mobile users
- Use of existing addresses and addressing schemes
- Transparency (or easy use) for users

1.2 Possible solution

Complete overview

The figure below shows one way of implementing the customer requirements.

[Figure: Service PC, SCALANCE S (VPN server), Internet router with static WAN IP address, Internet, modem/router, SCALANCE S (VPN client), automation cell with SIMATIC S7 stations. The VPN tunnel runs between the two SCALANCE S modules over Industrial Ethernet.]

The connection between the service PC (or other nodes/network devices) and the automation cell (nodes such as SIMATIC stations, panels, drives, PCs) is protected by a VPN tunnel. In this example, two SCALANCE S612 modules form the two tunnel endpoints for the secure connection. One module acts as the VPN server, the other module acts as the VPN client.

Access to the SCALANCE S (VPN server) from the WAN is predefined by the use of a static WAN IP address. WAN access on the client side is flexible; the IP address of the WAN port is not relevant.

When establishing the VPN tunnel, the roles are defined as follows:

Table 1-1
Component                    VPN role
SCALANCE S (on the right)    Initiator (VPN client); starts the VPN connection
SCALANCE S (on the left)     Responder (VPN server); waits for the VPN connection

SCALANCE S

The security modules of the SCALANCE S family are designed specifically for use in automation but integrate seamlessly with the security structures of the office and IT world. They provide the following functions:
- High-quality stateful inspection firewall with filtering of IP- and MAC-based data traffic.
- User-specific IP firewall to distinguish and differentiate access to specific plant parts.
- Router functionality (PPPoE, DNS).
- IPsec VPN (data encryption and authentication).
- Protection of all devices of an Ethernet network.
- Flexible, reaction-free and protocol-independent protection.
- Support of multiple VPN tunnels at a time.

1.3 Characteristics of the solution

- VPN tunnel for flexible access to the automation cell, for example, for a service employee.
- Controlled, encrypted data traffic between the two SCALANCE S.
- High degree of security for machines and plants through the implementation of the cell protection concept.
- Integrated network diagnostics via SNMP or Syslog.
- Easy integration into existing networks and protection of devices that do not have their own security functions.

2 Configuration and Project Engineering

2.1 Setting up the environment

2.1.1 Required components and IP address overview

Software packages
This solution requires the "Security Configuration Tool". This software is included in the scope of delivery of the SCALANCE S or available as a download under Entry ID: 84467278. Install this software on a PC/PG.

Required devices/components
To set up the environment, use the following components:
- Two SCALANCE S612 modules (firmware V4) (optional: a DIN rail installed accordingly, including fitting accessories).
- One or two 24 V power supplies with cable connector and terminal block plug (both modules can also be operated with a shared power supply).
- DSL access with a dynamic WAN IP address and a DSL router (client side).
- DSL access with a static WAN IP address and a DSL router (server side).
- PC on which the "Security Configuration Tool" is installed.
- The necessary network cables: TP cables (twisted pair) according to the IE FC RJ45 standard for Industrial Ethernet.

Note: You can also use a different SCALANCE S type (except SCALANCE S602, which has no VPN function) or a different Internet access method (e.g., UMTS). The configuration described below refers explicitly to the components listed in "Required devices/components".

IP addresses
For this example, the IP addresses are assigned as follows. (The figure shows, from left to right: the S612 (VPN server) with internal port 172.22.80.2 and external port 172.16.47.1, DSL router2 with LAN port 172.16.0.1 and a static WAN IP address, the Internet, DSL router1 with a dynamic WAN IP address and LAN port 192.168.2.1, and the S612 (VPN client) with external port 192.168.2.89 and internal port 10.70.0.4.)

Table 2-1
Component          Port           IP address                        Router       Subnet mask
S612 (VPN server)  Internal port  172.22.80.2                       -            255.255.255.0
S612 (VPN server)  External port  172.16.47.1                       172.16.0.1   255.255.0.0
DSL router2        LAN port       172.16.0.1                        -            255.255.0.0
DSL router2        WAN port       Static IP address from provider   -            Assigned by provider
DSL router1        WAN port       Dynamic IP address from provider  -            Assigned by provider
DSL router1        LAN port       192.168.2.1                       -            255.255.255.0
S612 (VPN client)  External port  192.168.2.89                      192.168.2.1  255.255.255.0
S612 (VPN client)  Internal port  10.70.0.4                         -            255.255.255.0

2.1.2 DSL access for SCALANCE S612 (DSL router2)

Static IP address for DSL router2
WAN access of the SCALANCE S612 (VPN client) to the SCALANCE S612 (VPN server) is implemented using a fixed public IP address. This IP address must be requested from the provider and then stored in DSL router2.

Port forwarding on DSL router2
Because a DSL router is used as the Internet gateway, you have to enable the following ports on DSL router2 and forward the packets to the external IP address of the S612 (VPN server), 172.16.47.1:
- UDP port 500 (ISAKMP/IKE)
- UDP port 4500 (NAT-T)

The external port of the S612 sits behind the router's NAT (its own address, 172.16.47.1, is a private address), so the IPsec data is carried in UDP 4500 (NAT traversal) rather than as bare ESP; no further protocol or port has to be forwarded. Forward these two ports to the S612 only.

VPN function
If the DSL routers themselves are VPN-capable, make sure that this function is disabled.
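Before loading the SCT project, it is worth checking the address plan above mechanically. The following script is an added example and is not part of the Siemens application example; it encodes Table 2-1 and the port-forwarding rule of section 2.1.2 (the link labels, the role names and the UDP protocol number 17 are its own bookkeeping) and flags a default router outside its subnet, two links with overlapping subnets (the classic reason a routing-mode tunnel comes up but no traffic is forwarded into it), and derives which ports DSL router2 must forward and whether NAT traversal will be used.

```python
"""Sanity checks for the address plan (Table 2-1) and the port forwarding of 2.1.2.

Added example, not from the Siemens application example. Addresses are those of
Table 2-1; the link labels and role names are assumptions used for bookkeeping.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

UDP = 17                               # IP protocol number of UDP (assumed constant)
IKE_PORTS = ((UDP, 500), (UDP, 4500))  # ISAKMP/IKE and NAT-T, as listed in section 2.1.2


@dataclass(frozen=True)
class Port:
    device: str
    name: str               # port name as in Table 2-1
    link: str               # assumed label for the cable segment the port hangs on
    address: str            # interface address with prefix length
    router: Optional[str]   # default router, None where Table 2-1 shows "-"


# Table 2-1 (the provider-assigned WAN ports of the DSL routers are left out).
PLAN = (
    Port("S612 (VPN server)", "internal", "server-cell", "172.22.80.2/24",  None),
    Port("S612 (VPN server)", "external", "server-lan",  "172.16.47.1/16",  "172.16.0.1"),
    Port("DSL router2",       "LAN",      "server-lan",  "172.16.0.1/16",   None),
    Port("DSL router1",       "LAN",      "client-lan",  "192.168.2.1/24",  None),
    Port("S612 (VPN client)", "external", "client-lan",  "192.168.2.89/24", "192.168.2.1"),
    Port("S612 (VPN client)", "internal", "client-cell", "10.70.0.4/24",    None),
)


def _network(port):
    return ipaddress.ip_interface(port.address).network


def _s612_port(plan, role, name):
    """The S612 port with the given role ("server" or "client") and port name."""
    return next(p for p in plan
                if p.device.startswith("S612") and role in p.device and p.name == name)


def check_routers(plan=PLAN):
    """A default router outside the port's own subnet can never be reached."""
    problems = []
    for p in plan:
        if p.router is not None and ipaddress.ip_address(p.router) not in _network(p):
            problems.append(f"{p.device} {p.name}: router {p.router} is not in {_network(p)}")
    return problems


def check_links(plan=PLAN):
    """Ports on one link must agree on the subnet; subnets of different links must not overlap."""
    problems = []
    nets = {}
    for p in plan:
        nets.setdefault(p.link, set()).add(_network(p))
    for link, subnets in nets.items():
        if len(subnets) != 1:
            problems.append(f"link {link}: ports disagree on the subnet {sorted(map(str, subnets))}")
    links = sorted(nets)
    for i, a in enumerate(links):
        for b in links[i + 1:]:
            for na in nets[a]:
                for nb in nets[b]:
                    if na.overlaps(nb):
                        problems.append(f"{a} {na} overlaps {b} {nb}")
    return problems


def nat_traversal_expected(plan=PLAN):
    """NAT-T (UDP 4500) is used when an S612 external address is private, i.e. behind a NAT router."""
    return any(ipaddress.ip_interface(_s612_port(plan, role, "external").address).ip.is_private
               for role in ("server", "client"))


def forwarding_rules(plan=PLAN):
    """(protocol, port, target) entries DSL router2 needs: the IKE ports to the server's external address."""
    target = str(ipaddress.ip_interface(_s612_port(plan, "server", "external").address).ip)
    return [(proto, port, target) for proto, port in IKE_PORTS]


def tunnel_subnets(plan=PLAN):
    """Internal subnets the tunnel carries in Routing mode: (server cell, client cell)."""
    return (str(_network(_s612_port(plan, "server", "internal"))),
            str(_network(_s612_port(plan, "client", "internal"))))


if __name__ == "__main__":
    for problem in check_routers() + check_links():
        print("PROBLEM:", problem)
    print("NAT traversal expected:", nat_traversal_expected())
    for proto, port, target in forwarding_rules():
        print(f"DSL router2: forward protocol {proto} port {port} -> {target}")
    print("tunnel carries %s <-> %s" % tunnel_subnets())
```

With the addresses of Table 2-1 the script reports no problems, confirms that NAT traversal will be used on both sides (both S612 external addresses are private), and lists the two forwarding entries UDP 500 and UDP 4500 to 172.16.47.1. Change one of the internal subnets so that it overlaps the other side and check_links() names the pair; that is exactly the situation in which the tunnel shows "established" in the SCT diagnostics while the ping in chapter 3 still fails.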

2.1.3 SCALANCE S

To make sure that no old configurations and certificates are stored in the SCALANCE S612, reset the modules to factory default. For the appropriate chapter in the SCALANCE S manual, please use the following link:
https://www.automation.siemens.com/mdm/default.aspx?docversionid=58712435339&Language=en-EN&TopicId=57280996235&guiLanguage=en

The factory-default (unconfigured) state is indicated by the Fault LED lighting up orange; once a configuration has been loaded, the Fault LED lights up green (see section 2.2.4).

If problems occur when accessing the SCALANCE S or rebooting, please refer to the appropriate troubleshooting chapter:
https://www.automation.siemens.com/mdm/default.aspx?docversionid=58712435339&Language=en-EN&TopicId=57279890699&guiLanguage=en

2.1.4 Setting up the infrastructure

Connect all the components involved in this solution as listed below. The WAN ports of DSL router2 and DSL router1 are connected to each other via the Internet.

Table 2-2
Component          Local port     Partner                                                             Partner port
S612 (VPN server)  Internal port  E.g., a PC in the service center (does not exist in this solution)  -
S612 (VPN server)  External port  DSL router2                                                         LAN port
S612 (VPN client)  External port  DSL router1                                                         LAN port
S612 (VPN client)  Internal port  E.g., an automation network (does not exist in this solution)       -

Note: In all devices in the internal network of the S612 (e.g., controllers, panels, etc.), please make sure to enter the IP address of the internal port of the S612 as the default gateway.

2.2 Configuring the VPN tunnel

SCT project
The VPN tunnel is configured using the Security Configuration Tool V4. Open the tool and select "Project" > "New..." to create a new project. Define a user name and password.

Components used
This solution uses the SCALANCE S612 security components (firmware V4).

2.2.1 Integrating the VPN endpoint SCALANCE S612 (VPN client)

To integrate the SCALANCE S612 component (VPN client) into the Security Configuration Tool, proceed as follows:
1. Use "Insert" > "Module" or select the appropriate menu icon to open the module selection dialog. (If you have just created a new project, this dialog opens automatically.) Define the following module as the VPN client:
   - Product type: SCALANCE S
   - Module: S612
   - Firmware release: V4
2. Assign a name to the module and enter the MAC address printed on the S612 housing in the appropriate text box. Enter the external IP address and subnet mask as listed in Table 2-1 (192.168.2.89, 255.255.255.0).

3. Change the mode of the SCALANCE S to Routing. Enter the internal IP address and subnet mask as listed in Table 2-1 (10.70.0.4, 255.255.255.0). Close the dialog with "OK".

Result
The S612 (VPN client) now appears as a new module.

2.2.2 Integrating the VPN endpoint SCALANCE S612 (VPN server)

To integrate the SCALANCE S612 component (VPN server) into the Security Configuration Tool, proceed as follows:
1. Use "Insert" > "Module" or select the appropriate menu icon to open the module selection dialog. Define the following module as the VPN server:
   - Product type: SCALANCE S
   - Module: S612
   - Firmware release: V4
2. Assign a name to the module and enter the MAC address printed on the S612 housing in the appropriate text box. Enter the external IP address and subnet mask as listed in Table 2-1 (172.16.47.1, 255.255.0.0).

3. Change the mode of the SCALANCE S to Routing. Enter the internal IP address and subnet mask as listed in Table 2-1 (172.22.80.2, 255.255.255.0). Close the dialog with "OK".

Result
The S612 (VPN server) now appears as a new module.

2.2.3 Configuring the VPN tunnel

Creating a VPN group
All members of a VPN group are authorized to communicate with each other through a VPN tunnel. To create a VPN group, proceed as follows:
1. In the project tree, select the "VPN groups" item. Use "Insert" > "Group" or select the appropriate menu icon to create a new VPN group.
2. One after the other, select the SCALANCE S612 modules from the "All modules" list and use drag and drop to insert them into the VPN group.

Result
The two SCALANCE S612 modules have been assigned to VPN group Group1. Certificates are used for authentication; they are generated by the Security Configuration Tool and stored in the project, so protect the project file and its user name and password like a key store.

Defining the VPN parameters (VPN client)
To establish the VPN tunnel, you have to enter the standard router (default gateway) of the external port. Parameterize it as follows:
1. In the "All modules" project tree, select the S612 V4 (VPN client) and double-click to open its properties dialog.
2. In the "Routing" tab, enter the standard router as listed in Table 2-1 (192.168.2.1).
3. Close the dialog with "OK".
4. Confirm the message with "OK".

Defining the VPN parameters (VPN server)
To establish the VPN tunnel, you have to enter the following information:
- Standard router (default gateway) of the external port
- WAN IP address of the DSL router (DSL router2)

Parameterize this information as follows:
1. In the "All modules" project tree, select the S612 V4 (VPN server) and double-click to open its properties dialog.
2. In the "Routing" tab, enter the standard router as listed in Table 2-1 (172.16.0.1).
3. In the "VPN" tab, change the VPN role of the S612 to "Responder". Enter the static WAN IP address of your DSL access point (DSL router2). This is the address the VPN client contacts, because the server's own external address 172.16.47.1 is not reachable from the Internet.
4. Close the dialog with "OK".
5. Confirm the message with "OK".
6. Save the project.

Result
The VPN configuration is complete.

2.2.4 Loading the components

Preparation
The configuration data is transferred to the SCALANCE S security components directly from the Security Configuration Tool. As a WAN is used as the external public network, S612 modules in the factory-default state cannot be configured via this WAN. In this case, configure each security module from the local network: connect the PC on which the Security Configuration Tool is installed to the internal port of the SCALANCE S and change the network settings on the PC as follows:
- To load the S612 (VPN client): IP address 10.70.0.100, subnet mask 255.255.255.0
- To load the S612 (VPN server): IP address 172.22.80.100, subnet mask 255.255.255.0

SCALANCE S
1. Select the S612 (VPN client) and select the "Transfer" > "To module(s)..." menu command.
2. When a configuration is downloaded for the first time after the installation of the Security Configuration Tool, a dialog appears where you can select the network adapter. In this dialog, explicitly select the network adapter via which you are actually connected to the module.
3. Clicking the "Start" button in the "Download configuration data to security module" dialog transfers the configuration to the SCALANCE S module.

4. Proceed in the same way with the S612 (VPN server): set the PC's network settings accordingly, select the module and choose the menu command for downloading. Trigger the download.

Result
Both S612 have now been configured and can communicate at the IP level. This state is indicated by the Fault LED lighting up green.

2.2.5 Final steps

1. Connect the internal port of the SCALANCE S612 (VPN client) to your network (e.g., an automation network).
2. Connect the internal port of the SCALANCE S612 (VPN server) to your network (e.g., a PC in the service center).
3. For all devices on the internal port of the modules, set the appropriate standard router (the IP address of the internal port of the S612).
4. If you want the nodes to additionally access the Internet from the internal network, you have to configure the firewall rules in the SCALANCE S accordingly. Helpful information can be found in the following FAQ, Entry ID: 70892408.

2.3 Establishing the VPN connection

When all SCALANCE S612 modules have been parameterized and connected to the appropriate DSL routers, the S612 (VPN client) initiates the VPN tunnel to the S612 (VPN server). The diagnostics in the Security Configuration Tool allow you to view the status.
1. Connect the PC running the Security Configuration Tool to the internal port of a SCALANCE S module.
2. Depending on the SCALANCE S612 module, change the network settings on the PC as follows:
   - S612 (VPN client): IP address 10.70.0.100, subnet mask 255.255.255.0
   - S612 (VPN server): IP address 172.22.80.100, subnet mask 255.255.255.0
3. In the Security Configuration Tool, open the project with which the module was configured.
4. Use the "View" > "Online" menu command to activate "Online" mode.
5. In the content area, select the module to be edited.
6. Select the "Edit" > "Online diagnostics..." menu command.

7. The "Communications status" tab displays the communication status.

3 Testing the Tunnel Function

Chapter 2 completes the commissioning of the configuration, and the SCALANCE S612 modules have established a VPN tunnel for secure communication. You can test the established tunnel connection using a ping command on an internal node, as described below. Alternatively, you can also use other methods to test the configuration (for example, by opening the internal web page when using a CP or SCALANCE X).
1. Connect the PC with the Security Configuration Tool to the internal port of the SCALANCE S612 (VPN client).
2. Change the network settings on the PC as follows:
   - IP address: 10.70.0.100
   - Subnet mask: 255.255.255.0
   - Default gateway: 10.70.0.4
3. On the PC, select "Start" > "All Programs" > "Accessories" > "Command Prompt" in the start bar.
4. In the command line of the "Command Prompt" window that appears, enter the "ping <IP address of internal node of remote end>" command, i.e. the address of a node in the 172.22.80.0/24 network behind the S612 (VPN server).

Result
You get a positive response from the internal node.

Note: In Windows, the default settings of the firewall may prevent ping commands from passing. You may have to enable the ICMP services of the "Request" and "Response" type on the node being pinged.

4 History

Table 4-1
Version  Date     Modifications
V1.0     09/2014  First version