Setting up a VPN connection between two SCALANCE SC
SCALANCE SC
https://support.industry.siemens.com/cs/ww/en/view/99681360
Siemens Industry Online Support

Siemens AG 2018 All rights reserved

Legal information

Use of application examples
Application examples illustrate the solution of automation tasks through an interaction of several components in the form of text, graphics and/or software modules. The application examples are a free service by Siemens AG and/or a subsidiary of Siemens AG ("Siemens"). They are non-binding and make no claim to completeness or functionality regarding configuration and equipment. The application examples merely offer help with typical tasks; they do not constitute customer-specific solutions. You yourself are responsible for the proper and safe operation of the products in accordance with applicable regulations and must also check the function of the respective application example and customize it for your system.
Siemens grants you the non-exclusive, non-sublicensable and non-transferable right to have the application examples used by technically trained personnel. Any change to the application examples is your responsibility. Sharing the application examples with third parties or copying the application examples or excerpts thereof is permitted only in combination with your own products. The application examples are not required to undergo the customary tests and quality inspections of a chargeable product; they may have functional and performance defects as well as errors. It is your responsibility to use them in such a manner that any malfunctions that may occur do not result in property damage or injury to persons.

Disclaimer of liability
Siemens shall not assume any liability, for any legal reason whatsoever, including, without limitation, liability for the usability, availability, completeness and freedom from defects of the application examples as well as for related information, configuration and performance data and any damage caused thereby. This shall not apply in cases of mandatory liability, for example under the German Product Liability Act, or in cases of intent, gross negligence, or culpable loss of life, bodily injury or damage to health, non-compliance with a guarantee, fraudulent non-disclosure of a defect, or culpable breach of material contractual obligations. Claims for damages arising from a breach of material contractual obligations shall however be limited to the foreseeable damage typical of the type of agreement, unless liability arises from intent or gross negligence or is based on loss of life, bodily injury or damage to health. The foregoing provisions do not imply any change in the burden of proof to your detriment. You shall indemnify Siemens against existing or future claims of third parties in this connection except where Siemens is mandatorily liable. By using the application examples you acknowledge that Siemens cannot be held liable for any damage beyond the liability provisions described.

Other information
Siemens reserves the right to make changes to the application examples at any time without notice. In case of discrepancies between the suggestions in the application examples and other Siemens publications such as catalogs, the content of the other documentation shall have precedence. The Siemens terms of use (https://support.industry.siemens.com) shall also apply.

Security information
Siemens provides products and solutions with industrial security functions that support the secure operation of plants, systems, machines and networks. In order to protect plants, systems, machines and networks against cyber threats, it is necessary to implement and continuously maintain a holistic, state-of-the-art industrial security concept. Siemens products and solutions constitute one element of such a concept. Customers are responsible for preventing unauthorized access to their plants, systems, machines and networks. Such systems, machines and components should only be connected to an enterprise network or the Internet if and to the extent such a connection is necessary and only when appropriate security measures (e.g. firewalls and/or network segmentation) are in place. For additional information on industrial security measures that may be implemented, please visit https://www.siemens.com/industrialsecurity.
Siemens products and solutions undergo continuous development to make them more secure. Siemens strongly recommends that product updates are applied as soon as they are available and that the latest product versions are used. Use of product versions that are no longer supported, and failure to apply the latest updates, may increase the customer's exposure to cyber threats. To stay informed about product updates, subscribe to the Siemens Industrial Security RSS Feed at: https://www.siemens.com/industrialsecurity.

Entry ID: 99681360, V2.0, 06/2018 2

Table of contents
Legal information ... 2
1 Introduction ... 4
1.1 Overview ... 4
1.2 Mode of operation ... 6
1.3 Components used ... 7
2 ... 8
2.1 Setting up environment ... 8
2.1.1 IP address overview ... 8
2.1.2 Setting up the infrastructure ... 9
2.2 Preparing devices ... 10
2.2.1 DSL access (DSL router1) ... 10
2.2.2 SCALANCE SC646-2C ... 10
2.3 Setting up security ... 11
2.3.1 Integration of SCALANCE SC646-2C ... 11
2.3.2 Making security settings ... 13
2.3.3 Parameterizing SCALANCE ... 16
2.3.4 Setting up a VPN connection ... 20
2.3.5 Setting WAN IP address ... 24
2.3.6 Loading project into the modules ... 26
3 Operation ... 29
4 Appendix ... 31
4.1 Service and Support ... 31
4.2 Links and Literature ... 32
4.3 Change documentation ... 32

1 Introduction

1.1 Overview

Industry 4.0
The Internet serves as an enormous accelerator of business processes and has revolutionized business operations around the world. The resulting change in the manufacturing industry is also referred to as Industry 4.0. Industry 4.0 affects all aspects of the industrial value chain, including the very important aspects of industrial communication and security.

Industrial security
In the face of digitization and the increasing networking of machinery and equipment, data security must always be taken into account. The use of industrial security solutions precisely tailored to the needs of industry is therefore of fundamental importance and should be inseparably linked with industrial communication. This includes the following points:
- Use of robust products with security features and security services
- Use of concepts such as "Defense in Depth" and a holistic security concept

Measures
The measures for secure operation in a digital enterprise are:
- Encryption and monitoring of communication
- Access control for industrial components and networks
- Protection of data in transit and at rest
- Authentication of devices and users

VPN as a solution
To ensure secure operation in a digital enterprise, data transmission can be encrypted using a Virtual Private Network (VPN) to protect against data espionage and tampering. The communication partners are securely authenticated. Automation networks, automation systems and industrial communication can be secured with SCALANCE SC, SCALANCE M or security communications processors for SIMATIC.

Applicative implementation
This application example shows you how to use the SCALANCE SC-600 Industrial Security Appliance to set up a VPN connection. Internet Protocol Security (IPsec) is used.
If you use the SCALANCE SC-600 Industrial Security Appliance, you have the following added value:
- Protection of networks and individual TIA components according to the "Defense in Depth" security concept
- Flexibly configurable security zones can be realized.
- Controlled and encrypted data traffic between both SCALANCE SCs via IPsec.
- High level of security for machines and plants thanks to implementation of the cell protection concept
- Versatile configuration with TIA Portal, Web Based Management (WBM), Command Line Interface (CLI) and Simple Network Management Protocol (SNMP).
- Easy integration into existing networks and protection of devices without their own security functions.

1.2 Mode of operation

Schematic representation
The following figure shows a schematic representation of the application example:
Figure 1-1 [figure not reproduced: service PC and SCALANCE SC (VPN server, static WAN IP address) behind an Internet router on the left; SCALANCE SC (VPN client) with the automation cell of SIMATIC S7 stations behind a modem/router on the right; Industrial Ethernet on both sides; VPN tunnel through the Internet between the two SCALANCE SCs]

Description
The connection between the service PC (or other nodes/network devices) and the automation cell (nodes such as SIMATIC stations, panels, drives, PCs) is protected by a VPN tunnel. Two SCALANCE SC646-2Cs form the two tunnel endpoints for the secure connection in this example. One module acts as a VPN server, the other as a VPN client.
Access to the SCALANCE SC (VPN server) from the WAN is defined by the use of a static WAN IP address. WAN access on the client side is flexible; the IP address of the WAN access is not relevant.
The role distribution when setting up the VPN tunnel is defined as follows:

Table 1-1
Component            VPN role
SCALANCE SC (right)  Initiator (VPN client); starts the VPN connection
SCALANCE SC (left)   Responder (VPN server); waits for the VPN connection

SCALANCE SC
The Industrial Security Appliances support the industrial security concept "Defense in Depth". They secure automation networks and connect seamlessly to the security structures of the office and IT world. The SCALANCE SC components protect devices and networks in discrete manufacturing and the process industry and help to set up a flexible security zone concept.
The SCALANCE SCs offer the following functions:
- High-quality stateful inspection firewall with filtering of IP-based traffic.
- Management of multiple IPsec VPN connections simultaneously.
- NAT/NAPT for communication with standard machines with identical IP addresses.
- Secure remote access via SINEMA Remote Connect.
- Digital input for local activation of secure remote access.
- Two or six RJ45 electrical ports, two of which are available as SFP optical ports via combo ports.

- Console port for direct access via a programming device.
- Redundant power supply.
- Simple device replacement via C-PLUG removable data storage medium for automatic backup of configuration data.

1.3 Components used

Software packages
This solution requires the "TIA Portal V15". Install this software on a PC/PG. Install the latest update or Service Pack.
Note
If you have network components, such as
You do not need a license, for example, to configure SCALANCE using the TIA Portal.

Required devices/components
To build the application example, use the following components:
- Two SCALANCE SC646-2Cs (optional: a correspondingly mounted DIN rail with mounting material).
- One or two 24 V power supplies with cable connection and terminal block connector (both modules can also be operated with a common power supply).
- A DSL access with dynamic WAN IP address and a DSL router.
- A DSL access with static WAN IP address and a DSL router.
- A PG on which the "TIA Portal V15" is installed.
- The required network cable, TP cable (twisted pair) complying with the IE FC RJ45 standard for Industrial Ethernet.
Note
You can also use another Internet access, e.g. mobile. The configuration described below refers explicitly to the components mentioned in the section "Required devices/components".

2.1 Setting up environment

2.1.1 IP address overview
The assignment of the IP addresses is defined as follows for this example:
[figure not reproduced: SC646-2C (VPN server) 172.22.80.2 INT / 172.16.47.1 EXT behind DSL router1 172.16.0.1 with static WAN IP; SC646-2C (VPN client) 10.70.0.4 INT / 192.168.2.89 EXT behind DSL router2 192.168.2.1 with dynamic WAN IP]

Table 2-1
Component                                | Port                        | IP address                         | Router      | Subnet mask
SC646-2C (VPN server)                    | Zone INT; LAN port P1 to P4 | 172.22.80.2                        | -           | 255.255.255.0
SC646-2C (VPN server)                    | Zone EXT; LAN port P5 or P6 | 172.16.47.1                        | 172.16.0.1  | 255.255.0.0
DSL router1                              | LAN port                    | 172.16.0.1                         | -           | 255.255.0.0
DSL router1                              | WAN port                    | Static IP address of the provider  | -           | Assigned by the provider
DSL router2                              | WAN port                    | Dynamic IP address of the provider | -           | Assigned by the provider
DSL router2                              | LAN port                    | 192.168.2.1                        | -           | 255.255.255.0
SC646-2C (VPN client)                    | Zone EXT; LAN port P5 or P6 | 192.168.2.89                       | 192.168.2.1 | 255.255.255.0
SC646-2C (VPN client)                    | Zone INT; LAN port P1 to P4 | 10.70.0.4                          | -           | 255.255.255.0
PG (for configuring the SCALANCE SC-600) | LAN port                    | 172.22.80.100 or 10.70.0.100       | -           | 255.255.255.0

Note
The initial assignment of an IP address for the SCALANCE SC646-2C cannot be done with Web Based Management (WBM) because this configuration tool already requires an IP address. The following options exist for assigning a fixed IP address to an unconfigured device:
- Commissioning tools, e.g. PRONETA, Primary Setup Tool
- Command line interface
- TIA Portal
Closer information can be found in the SCALANCE manual (see Section 4.2).
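The following Python script is an added example and is not part of the Siemens application example. It encodes the address plan of Table 2-1 and checks, before anything is loaded into the modules, the conditions the tunnel silently depends on: every router lies inside the subnet of the interface that uses it, each EXT zone has a router for the 0.0.0.0/0 default route, the two INT subnets overlap neither each other nor any EXT subnet (otherwise the static routes and the tunnel selectors are ambiguous), every node behind a module uses that module's INT address as default gateway, and the remote endpoint entered on the client is a single host address. The sample nodes behind the modules and the WAN address 203.0.113.10 are constructed for the example; the real WAN address is assigned by the provider.

```python
"""Address-plan check for a site-to-site IPsec tunnel between two SCALANCE SC modules.

Added example, not from the Siemens application example. PLAN reproduces
Table 2-1; NODES and REMOTE_END are constructed values.
"""
from ipaddress import ip_address, ip_interface, ip_network

# Address plan of Table 2-1. Value: (interface address/prefix, router or None).
PLAN = {
    "SC646-2C (VPN server)": {
        "INT": ("172.22.80.2/24", None),
        "EXT": ("172.16.47.1/16", "172.16.0.1"),
    },
    "SC646-2C (VPN client)": {
        "INT": ("10.70.0.4/24", None),
        "EXT": ("192.168.2.89/24", "192.168.2.1"),
    },
}

# Constructed sample nodes (name, module they sit behind, address, default gateway).
# Not on the page; they stand in for the controllers/panels of the cell.
NODES = [
    ("PLC_1", "SC646-2C (VPN client)", "10.70.0.10", "10.70.0.4"),
    ("Panel_1", "SC646-2C (VPN client)", "10.70.0.20", "10.70.0.4"),
    ("ServicePC", "SC646-2C (VPN server)", "172.22.80.100", "172.22.80.2"),
]

# Assumed static WAN address of DSL router1 (RFC 5737 documentation range);
# the real value is assigned by the provider.
REMOTE_END = "203.0.113.10/32"


def check_plan(plan, nodes, remote_end):
    """Return a list of findings (strings). An empty list means the plan is consistent."""
    findings = []
    int_nets = {}  # module -> INT network
    ext_nets = {}  # module -> EXT network

    for module, zones in plan.items():
        for zone, (addr, router) in zones.items():
            iface = ip_interface(addr)
            if router is not None:
                if ip_address(router) not in iface.network:
                    findings.append(f"{module} {zone}: router {router} is outside {iface.network}")
                elif ip_address(router) == iface.ip:
                    findings.append(f"{module} {zone}: router equals the interface address")
            (int_nets if zone == "INT" else ext_nets)[module] = iface.network
        if zones["EXT"][1] is None:
            findings.append(f"{module} EXT: no router, default route 0.0.0.0/0 cannot be set")

    # INT subnets must be distinct from each other and from every EXT subnet.
    modules = list(plan)
    for i, a in enumerate(modules):
        for b in modules[i + 1:]:
            if int_nets[a].overlaps(int_nets[b]):
                findings.append(f"INT subnets overlap: {a} {int_nets[a]} / {b} {int_nets[b]}")
        for b, ext in ext_nets.items():
            if int_nets[a].overlaps(ext):
                findings.append(f"INT {a} {int_nets[a]} overlaps EXT {b} {ext}")

    # Nodes behind a module: inside its INT subnet, default gateway = module INT address.
    for name, module, addr, gateway in nodes:
        int_ip = ip_interface(plan[module]["INT"][0]).ip
        if ip_address(addr) not in int_nets[module]:
            findings.append(f"{name}: {addr} is not in {int_nets[module]} of {module}")
        if ip_address(gateway) != int_ip:
            findings.append(f"{name}: default gateway {gateway} should be {int_ip}")

    # The remote end entered on the client (Section 2.3.5) must be a /32 host address.
    if ip_network(remote_end, strict=False).prefixlen != 32:
        findings.append(f"remote end {remote_end}: expected a /32 host address")
    return findings


if __name__ == "__main__":
    for line in check_plan(PLAN, NODES, REMOTE_END) or ["address plan OK"]:
        print(line)
```

Run the script as it stands and it reports "address plan OK" for the plan of Table 2-1; edit PLAN or NODES to the values of your own site and it lists each inconsistency, which is cheaper to find here than in the IPsec status view after loading.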

2.1.2 Setting up the infrastructure
Connect all participating components of this solution together.
Figure 2-1 [figure not reproduced: SC646-2C port P5 to DSL router1 LAN port; DSL router1 and DSL router2 connected via their WAN ports; DSL router2 LAN port to SC646-2C port P5; port P1 of each SC646-2C faces its internal network]

Table 2-2
Component             | Local port                  | Partner                                                          | Partner port
SC646-2C (VPN server) | Zone INT; LAN port P1 to P4 | E.g. a PC in the service center (not available in this solution) | -
SC646-2C (VPN server) | Zone EXT; LAN port P5 or P6 | DSL router1                                                      | LAN port
SC646-2C (VPN client) | Zone EXT; LAN port P5 or P6 | DSL router2                                                      | LAN port
SC646-2C (VPN client) | Zone INT; LAN port P1 to P4 | E.g. an automation network (not available in this solution)      | -

Note
All devices located in the internal network of a SCALANCE SC646-2C (for example controllers and panels) must have the internal IP address of that SCALANCE SC646-2C entered as their default gateway.

2.2 Preparing devices

2.2.1 DSL access (DSL router1)

Static IP address with DSL router1
The WAN access of the SCALANCE SC646-2C (VPN client) to the SCALANCE SC646-2C (VPN server) takes place via a permanently assigned, public IP address.

Port forwarding on DSL router1
Because a DSL router is used as the Internet gateway, the SCALANCE SC646-2C (VPN server) sits behind the router's NAT and is not reachable from the Internet on its own. You must therefore open the following ports on DSL router1 and forward the packets to the WAN port address of the SCALANCE SC646-2C (VPN server) (see Table 2-1):
VPN function
- UDP port 500 (ISAKMP / IKE)
- UDP port 4500 (IPsec NAT traversal)
Both forwardings are required: the IKE negotiation begins on UDP port 500, and because the VPN server is behind NAT the two peers switch to UDP port 4500 and carry the ESP data UDP-encapsulated (NAT-T). Forward only these two ports to the VPN server; the example needs no other inbound access.
If your DSL routers themselves are VPN-enabled, make sure that this feature is disabled, so that the router does not terminate or alter the IKE/IPsec traffic instead of forwarding it.

2.2.2 SCALANCE SC646-2C

Factory setting
To ensure that no old configurations and certificates are stored in the SCALANCE SC646-2C, reset the modules to their factory settings. You will find instructions for the module in the manual (see Section 4.2).

Assigning the IP address
To open the Web Based Management or load the configuration into the module via the TIA Portal, the SCALANCE needs an IP address. Connect the PG to a LAN port (port P1 to port P4) of the SCALANCE and assign the corresponding IP address to the SCALANCE (see Table 2-1). For this, use a commissioning tool, e.g. PRONETA, TIA Portal or the Primary Setup Tool.

Checking and setting time
If you work with certificates, it is essential that the correct time is set in the VPN participants. If the time in a device is incorrect, the certificates can be considered invalid (not yet valid or already expired) and discarded, and the tunnel is not established. To set the system time of the device, you have several options:
- Manual setup
- Time synchronization procedure, e.g. SNTP, NTP.
You can set up the time and the synchronization procedures in the SCALANCE SC-600 using Web Based Management (WBM), the Command Line Interface (CLI) or the TIA Portal. Closer information can be found in the SCALANCE manual (see Section 4.2).
Note
It is recommended to use a time synchronization procedure.

2.3 Setting up security

Preparation
Configure the VPN tunnel with the TIA Portal. Open the TIA Portal and create a new project via "Project > New...". Change to the "Network view".

2.3.1 Integration of SCALANCE SC646-2C
To integrate the two SCALANCE SC646-2Cs into the TIA Portal, proceed as follows:
1. In the hardware catalog, open the group "Network components > Industrial Security > SCALANCE S" and select the article number for the SCALANCE SC646-2C.
Figure 2-2
2. Drag and drop the module twice into the network view.

Result
You have placed two SCALANCE SC646-2Cs in the network view. Double-click on a device to open the device view. In the project navigation, a separate folder with its project-internal name appears for each device.
Figure 2-3
Note
In this application example, the SCALANCE modules are assigned as follows:
- The "Security_1" module serves as the VPN server.
- The "Security_2" module serves as the VPN client.
Note
You can adapt the display name of the SCALANCE devices in the TIA Portal at this time. The display name must conform to the guidelines of DNS naming. Allowed are:
- Letters "a" to "z" or "A" to "Z"
- Numbers "0" to "9"
- Underscore "_"
The display name must start with a letter and end with a letter or a number.

2.3.2 Making security settings
The security functions configured in STEP 7 are protected against unauthorized access by their own user administration. Before you can access the global and local security settings of security appliances, you must log in to the security configuration with a user.

Determining the project administrator
To enable user management and set a project administrator, follow these steps:
1. Open the folder "Security Settings" in the project navigation.
Figure 2-4
2. The user management editor opens and the project protection area is displayed. Click the "Protect this project" button.
Figure 2-5
3. This opens the dialog "Protect Project". Enter a username and password. The password must comply with the following guidelines:
- Password length: a minimum of 8 characters, a maximum of 128 characters
- At least one upper-case letter
- At least one special character (some special characters, such as ß, are not allowed)
- At least one number
Enter the password again to confirm. Note that when a SCALANCE at factory settings is later loaded from the TIA Portal, this password also becomes the password of the device's "admin" user (see Section 2.3.6), so choose and protect it accordingly.

4. You may enter a comment if required. Confirm your entries with "OK".
Figure 2-6
Result
You have activated the user management. You are logged in as the project administrator and have the right to add more users and roles.

Assigning rights to the "NET Administrator" role
In order to be able to configure, diagnose and load the security components, the user must additionally have the rights of the role "NET Administrator" or "NET Standard". To assign additional permissions to the project administrator, follow these steps:
1. Open the folder "Security Settings" in the project navigation. Double-click on the "Users and roles" command.
Figure 2-7
2. Open the "User" tab. Select the user to whom you want to assign roles (here: project administrator "VPN_User"). In the lower section "Assigned roles", activate the role "NET Administrator".
Figure 2-8
Result
You have assigned the project administrator a further role with the rights to configure, diagnose and load security modules.

2.3.3 Parameterizing SCALANCE
You can parameterize the system functions of the SCALANCE SC646-2C via the TIA Portal. The following settings are relevant for this application example:
- Setting the IP address
- Defining the static route
- Setting up time synchronization
Note
The following instructions are valid for both SCALANCE SC646-2C modules. To parameterize the SCALANCE, use the IP addresses assigned to the device (see Table 2-1).

Setting the IP address
To set up the IP addresses in SCALANCE, proceed as follows:
1. Open the device folder of the SCALANCE in the project tree. Double-click on the "Device configuration" command.
Figure 2-9
2. Switch to the "Properties" tab in the Inspector window. This tab displays the properties of the SCALANCE. Properties that are editable can be changed here. In the "General" tab, switch to the "Layer 3 > Subnets > Configuration" menu.
Figure 2-10

3. For VLAN1, enter the IP address that is specified for this SCALANCE for the internal network (port P1 to port P4) (see Table 2-1).
Figure 2-11
4. Change the interface to VLAN2. Disable DHCP. For VLAN2, enter the IP address that is specified for this SCALANCE for the external network (port P5 or port P6) (see Table 2-1).
Figure 2-12
Result
You have set the IP addresses for the modules. Under "Layer 3 > Subnets > Overview" you can see the IP addresses.
Figure 2-13

Defining the default route
With a static route, you specify the routes through which data can be exchanged between the various subnets. To store a static route in SCALANCE, proceed as follows:
1. In the "General" tab, switch to the "Layer 3 > Static Routes" menu.
Figure 2-14
2. To reach all subnets, enter the following values:
- In the input field "Destination network" and in the input field "Subnet mask", the network address "0.0.0.0".
- In the input field "Gateway", the corresponding router (see Table 2-1).
Right-click on a free row in the table and select the entry "New Entry".
Figure 2-15

Result
You have set the static route for the modules.
Figure 2-16

Defining time synchronization
When working with certificates, it is essential that the time is set correctly in SCALANCE. You can use time synchronization for this. To set up a time synchronization, proceed as follows:
1. In the "General" tab, change to the "System > System time" menu.
Figure 2-17
2. Several options to synchronize the time are offered at this point. Choose an option, e.g. SNTP, and parameterize the required input fields.
Figure 2-18
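Before entering the time server in the "System > System time" menu, it is worth checking from the PG that the server actually answers and that its time agrees with the PG clock; as Section 2.2.2 states, a module whose clock is wrong rejects the VPN certificates. The following minimal SNTP client (RFC 4330 packet format) is an added example and is not from the Siemens document or the SCALANCE firmware. query_sntp needs network access to the time server; the offline check uses a constructed server reply built by make_sample_response. The server name in the main block is an assumption to be replaced with the server configured for the plant.

```python
"""Minimal SNTP (RFC 4330) client for checking the time server a SCALANCE SC will use.

Added example, not from the Siemens application example. It builds a client
request, parses and sanity-checks the server reply, and compares the server
time with the local clock.
"""
import socket
import struct
import time
from datetime import datetime, timezone

NTP_EPOCH_OFFSET = 2208988800  # seconds between 1900-01-01 (NTP) and 1970-01-01 (Unix)
SNTP_PACKET_LEN = 48


def build_sntp_request():
    """Client request: LI=0, VN=4, Mode=3 (client); every other field zero."""
    return bytes([0x23]) + bytes(SNTP_PACKET_LEN - 1)


def parse_sntp_response(data):
    """Return (unix_time_float, stratum) from a server reply.

    Raises ValueError for replies that must not be trusted: short packet, a
    mode other than 4 (server), stratum 0 (kiss-o'-death), LI=3 (server clock
    not synchronized) or a zero transmit timestamp.
    """
    if len(data) < SNTP_PACKET_LEN:
        raise ValueError("short packet")
    first, stratum = data[0], data[1]
    leap_indicator = first >> 6
    mode = first & 0x07
    if mode != 4:
        raise ValueError(f"unexpected mode {mode}, expected 4 (server)")
    if stratum == 0 or leap_indicator == 3:
        raise ValueError("server is not synchronized (stratum 0 or LI=3)")
    tx_sec, tx_frac = struct.unpack("!II", data[40:48])  # transmit timestamp
    if tx_sec == 0:
        raise ValueError("zero transmit timestamp")
    return tx_sec - NTP_EPOCH_OFFSET + tx_frac / 2**32, stratum


def clock_offset_ok(server_unix, local_unix, tolerance_s=60.0):
    """True if the server time is within tolerance of the local clock."""
    return abs(server_unix - local_unix) <= tolerance_s


def query_sntp(host, port=123, timeout=2.0):
    """Send one request and return the parsed server reply (needs network access)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_sntp_request(), (host, port))
        data, _ = sock.recvfrom(SNTP_PACKET_LEN)
    return parse_sntp_response(data)


def make_sample_response(unix_time, stratum=2):
    """Construct a plausible server reply (LI=0, VN=4, Mode=4) for offline use."""
    ntp_sec = int(unix_time) + NTP_EPOCH_OFFSET
    ntp_frac = int((unix_time - int(unix_time)) * 2**32)
    packet = bytearray(SNTP_PACKET_LEN)
    packet[0] = 0x24  # LI=0, VN=4, Mode=4 (server)
    packet[1] = stratum
    struct.pack_into("!II", packet, 40, ntp_sec, ntp_frac)
    return bytes(packet)


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "ntp.example.com"  # assumed name
    server_time, stratum = query_sntp(host)
    local_time = time.time()
    print(f"server {host}: {datetime.fromtimestamp(server_time, timezone.utc)} "
          f"(stratum {stratum}), offset {server_time - local_time:+.3f} s, "
          f"{'OK' if clock_offset_ok(server_time, local_time) else 'DRIFT too large'}")
```

The reply checks matter more than the query itself: a server answering with stratum 0 or LI=3 hands out a time it does not vouch for, and a SCALANCE synchronized to it would trust certificates on the basis of a wrong clock. Run the script against the server you intend to enter in the TIA Portal and fix the server, not the module, if the offset is reported as too large.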

2.3.4 Setting up a VPN connection

Requirement
To set up a VPN connection, you need to have completed the instructions in Section 2.3.3 for both modules. These included the points:
- Assigning IP addresses for the internal and external network
- Creating static routes
- Setting up time synchronization

Creating a VPN group
To set up a new VPN group, proceed as follows:
Open the folder "Security Settings > Security Functions > VPN Groups" in the project tree. Double-click the "Add new VPN group" command.
Figure 2-19

Result
You have created a new VPN group. The VPN group "VPN_1" appears in the folder "VPN groups".
Figure 2-20

Assigning VPN participants
To assign the two SCALANCEs to the new VPN group, proceed as follows:
1. In the "VPN groups" folder, double-click the newly created VPN group "VPN_1".
Figure 2-21
2. In the working window you will see two tables:
- "Assigned modules"
- "Available modules"
Figure 2-22

3. The SCALANCE SC646-2C (VPN client) works as the initiator and actively establishes the connection. The SCALANCE SC646-2C (VPN server) works as the responder and waits for the connection. In the "Available modules" table, select the SCALANCE that serves as the VPN server. Change its role to "Responder".
Figure 2-23
4. In the "Available modules" table, highlight both modules and use the arrow button to move them to the "Assigned modules" table.
Figure 2-24
Result
You have defined the roles of the modules and integrated them into a common VPN group. Both modules are now in the "Assigned modules" table.
Figure 2-25

2.3.5 Setting WAN IP address
The VPN connection between the two SCALANCE SC646-2Cs is established via the Internet. The SCALANCE that has the role of the VPN client, and thus actively establishes the connection to the VPN server, requires the WAN IP address of the router in front of the server (DSL router1). This WAN IP address is the remote access point to the VPN server for the VPN client.
To enter the WAN IP address, proceed as follows:
1. Open the device folder of the SCALANCE (VPN client) in the project tree. Double-click on the "Device configuration" command.
Figure 2-26
2. Switch to the "Properties" tab in the Inspector window. Open the menu "Security > IPsec VPN" and then the submenu "Connections". In the "Operation" column, open the selection list and select the command "Disabled".
Figure 2-27

3. Change to the "Remote End" submenu. Enter the WAN IP address of your DSL router1 in the "Remote Address" column. Leave the subnet mask at "/32" (CIDR notation for a single host address).
Figure 2-28
4. Switch back to the "Connections" submenu. In the "Operation" column, open the selection list and select the "Start" command.
Figure 2-29
Result
You have changed the remote endpoint in the SCALANCE (VPN client). The SCALANCE now initiates the VPN connection to the entered WAN IP address.

2.3.6 Loading project into the modules

Requirement
Before you load the configuration into the respective modules, you must save and compile the TIA project. If there are errors during compilation, fix them.

Connecting PG with SCALANCE
The SCALANCE devices are loaded via the internal network. Connect the PG to a LAN port (port P1 to port P4) of the SCALANCE.
Note
The SCALANCE must have an IP address in the internal network (zone: INT).

Loading a configuration
The configuration is loaded into the SCALANCE via the HTTPS protocol. To load the configuration into the module, proceed as follows:
1. In the project tree, select the SCALANCE to which you are connected.
2. Click on the "Load" icon in the TIA Portal menu bar.
3. The dialog for loading the module appears. Define your PG/PC interface. Restrict the display of found devices to "Show devices with the same address". To start the search, click on the "Start search" button.
Figure 2-30

4. Once the SCALANCE has been found, the module appears in the table as the destination device. Click the "Load" button to load the configuration.
Figure 2-31
5. The loading preview appears. Accept the certificate. Log on to the SCALANCE. When logging in for the first time or after a factory reset, enter the factory default user "admin" and the password "admin". The password is changed during loading in this case; see the note on logging on to SCALANCE following this section. Click the "Load" button.
Figure 2-32
6. Repeat steps 1 through 5 for the other module.

Note about logging on to SCALANCE
If you connect to the SCALANCE via HTTPS, e.g. in Web Based Management or for loading the configuration from the TIA Portal, you must log in. When logging in for the first time or after a factory reset, enter the factory default user "admin" and the password "admin". The password must then be changed. This can be done in the following ways:
- If the SCALANCE is set to factory settings and you log on to Web Based Management, you will be prompted to choose a new password. To log on to the SCALANCE, use the new password you assigned from this point onwards. The username is still "admin".
- If the SCALANCE is at the factory setting and you load the SCALANCE via the TIA Portal, the password is automatically changed during the loading process. The new password corresponds to the password of the user logged on to the TIA Portal at this time. Log on to the SCALANCE with this password. The username is still "admin".
Example: You are logged on to the TIA Portal with the username "VPN_User" and the password "TIAPortal0815!". The SCALANCE is set to factory settings and you load the SCALANCE for the first time from the TIA Portal. For the load, you must log on with the following credentials:
User: admin
Password: admin
While loading, the password is changed to "TIAPortal0815!". To log on to the SCALANCE from now on, you must use this password:
User: admin
Password: TIAPortal0815!
Because the TIA Portal project password is copied to the device in this way, it protects the device from then on and should be handled with the same care as any device credential.

3 Operation

Requirement

For the SCALANCE devices to establish a VPN connection, the following points must be met:
- You have loaded the two SCALANCE devices with their configuration.
- You have defined the WAN IP address as the remote endpoint in the SCALANCE (VPN client).
- The system time must be up-to-date in both SCALANCE devices.
- All participating components of this solution must be interconnected (see Section 2.1.2).

Checking the time

To check the system time in the SCALANCE, proceed as follows:

1. Connect the PG to a LAN port (Port P1 to Port P4) of the SCALANCE, e.g. the VPN client.
2. To open the Web Based Management of the SCALANCE, enter the internal IP address of the SCALANCE in the address bar of an Internet browser.
3. The start page of Web Based Management opens. Log on to the SCALANCE. Please also note the tip in Section 2.3.5.

Figure 3-1

4. Switch to the menu "System > General". The current system time of the SCALANCE is displayed.

Figure 3-2

5. If the time is incorrect, you can set the system time manually in the menu "System > System Time".

Figure 3-3

Checking the VPN connection

Once the configuration has been loaded into the SCALANCE devices, the VPN client initiates the VPN tunnel to the VPN server. You can view the status of the connection via Web Based Management. To check the VPN connection status, go to the menu "Information > IPsec VPN". Here you can see the current status of the connection.

Figure 3-4

4 Appendix

4.1 Service and Support

Industry Online Support
Do you have any questions or need assistance? Siemens Industry Online Support offers round-the-clock access to our entire service and support know-how and portfolio. The Industry Online Support is the central address for information about our products, solutions and services. Product information, manuals, downloads, FAQs, application examples and videos: all information is accessible with just a few mouse clicks: https://support.industry.siemens.com

Technical Support
The Technical Support of Siemens Industry provides fast and competent support for all technical queries, with numerous tailor-made offers ranging from basic support to individual support contracts. Please send queries to Technical Support via the web form: www.siemens.com/industry/supportrequest

SITRAIN Training for Industry
We support you with our globally available training courses for industry, with practical experience, innovative learning methods and a concept that's tailored to the customer's specific needs. For more information on our offered trainings and courses, as well as their locations and dates, refer to our web page: www.siemens.com/sitrain

Service offer
Our range of services includes the following:
- Plant data services
- Spare parts services
- Repair services
- On-site and maintenance services
- Retrofitting and modernization services
- Service programs and contracts
You can find detailed information on our range of services in the service catalog web page: https://support.industry.siemens.com/cs/sc

Industry Online Support app
You will receive optimum support wherever you are with the "Siemens Industry Online Support" app. The app is available for Apple iOS, Android and Windows Phone: https://support.industry.siemens.com/cs/ww/en/sc/2067

4.3 Change documentation

Table 4-2
Version | Date | Change
V1.0 | 06/2018 | First edition