Setting up a secure VPN Connection between CP x43-1 Adv. and SOFTNET Security Client Using a static IP Address


Configuration Example 02/2015
Setting up a secure VPN Connection between CP x43-1 Adv. and SOFTNET Security Client Using a static IP Address
SOFTNET Security Client, CP 343-1 Advanced, CP 443-1 Advanced
http://support.automation.siemens.com/ww/view/en/108910602

Warranty and Liability

Note
The Application Examples are not binding and do not claim to be complete regarding the circuits shown, equipping and any eventuality. The Application Examples do not represent customer-specific solutions. They are only intended to provide support for typical applications. You are responsible for ensuring that the described products are used correctly. These Application Examples do not relieve you of the responsibility to use safe practices in application, installation, operation and maintenance. When using these Application Examples, you recognize that we cannot be made liable for any damage/claims beyond the liability clause described. We reserve the right to make changes to these Application Examples at any time without prior notice. If there are any deviations between the recommendations provided in these Application Examples and other Siemens publications, e.g. Catalogs, the contents of the other documents have priority.

We do not accept any liability for the information contained in this document. Any claims against us based on whatever legal reason resulting from the use of the examples, information, programs, engineering and performance data etc., described in this Application Example shall be excluded. Such an exclusion shall not apply in the case of mandatory liability, e.g. under the German Product Liability Act ("Produkthaftungsgesetz"), in case of intent, gross negligence, or injury of life, body or health, guarantee for the quality of a product, fraudulent concealment of a deficiency or breach of a condition which goes to the root of the contract ("wesentliche Vertragspflichten"). The damages for a breach of a substantial contractual obligation are, however, limited to the foreseeable damage, typical for the type of contract, except in the event of intent or gross negligence or injury to life, body or health. The above provisions do not imply a change of the burden of proof to your detriment.

Any form of duplication or distribution of these Application Examples or excerpts hereof is prohibited without the expressed consent of Siemens AG.

Security information
Siemens provides products and solutions with industrial security functions that support the secure operation of plants, solutions, machines, equipment and/or networks. They are important components in a holistic industrial security concept. With this in mind, Siemens' products and solutions undergo continuous development. Siemens recommends strongly that you regularly check for product updates.

For the secure operation of Siemens products and solutions, it is necessary to take suitable preventive action (e.g. cell protection concept) and integrate each component into a holistic, state-of-the-art industrial security concept. Third-party products that may be in use should also be considered. For more information about industrial security, visit http://www.siemens.com/industrialsecurity.

To stay informed about product updates as they occur, sign up for a product-specific newsletter. For more information, visit http://support.automation.siemens.com.

Siemens AG 2015 All rights reserved
Entry ID: 108910602, V1.0, 02/2015

Table of Contents

Warranty and Liability
1 Task and Solution
1.1 Task
1.2 Possible solution
1.3 Characteristics of the solution
2 Configuration and Project Engineering
2.1 Setting up the environment
2.1.1 Required components and IP address overview
2.1.2 SOFTNET Security Client
2.1.3 DSL access for the CP 343-1 Advanced
2.1.4 SIMATIC S7-300 station
2.1.5 Setting up the infrastructure
2.2 Configuring the VPN tunnel
2.2.1 Integrating the VPN endpoint CP 343-1 Advanced
2.2.2 Integrating the VPN endpoint SOFTNET Security Client
2.2.3 Defining the VPN properties
2.2.4 Transferring the configuration data
2.3 Final steps
2.4 Establishing the VPN connection
3 Testing the Tunnel Function
4 History

1 Task and Solution

1.1 Task
The task is to allow a service employee secure access to an automation system via the Internet or a company's internal network. The following customer requirements have to be considered:
- Protection against spying and data manipulation.
- Prevention of unauthorized access.
- Provision of secure remote access for remote maintenance and remote control.
- Flexible access for the service employee (regardless of the user's location).
- Network protection without additional security appliances on the automation side.

1.2 Possible solution

Complete overview
The figure below shows one way of implementing these customer requirements:

[Figure: Service PC with SOFTNET Security Client (SSC, VPN client) - Internet modem/router - Internet - Internet router with static WAN IP address - Automation cell: SIMATIC S7-300 or S7-400 with CP x43-1 Advanced (VPN server); VPN tunnel across the Internet and Industrial Ethernet]

Remote access of a service employee to the automation cell (SIMATIC controller) is protected by a VPN tunnel. Client access from the PC to the SIMATIC controller is established using the SOFTNET Security Client, a VPN client software product. The CP 343-1/CP 443-1 Advanced (here: VPN server) is used as the endpoint of the VPN tunnel. Access to the CP 343-1/CP 443-1 Advanced from the WAN is predefined by the use of a static WAN IP address. WAN access on the client side is flexible; the IP address is not relevant.

When establishing the VPN tunnel, the roles are defined as follows:

Table 1-1
Component               | VPN role
SOFTNET Security Client | Initiator (VPN client); starts the VPN connection
CP x43-1 Advanced       | Responder (VPN server); waits for the VPN connection

SOFTNET Security Client
The SOFTNET Security Client allows programming devices, PCs and notebook computers access to network nodes or automation systems protected by SCALANCE S, SCALANCE M or CPs. It is characterized by the following features:
- Secure access of programming devices or notebook computers to entire automation cells.
- Easy to use on PCs due to an intuitive graphical user interface.
- Configuration import.
- Connection control and management, connection statistics, log files; trace tool for error diagnostics; icons to indicate the connection status.
- Protection of data transmission against spying and spoofing by means of certified standards.
- Supports the DNS client function.

CP x43-1 Advanced
The CP x43-1 Advanced (version 3 or higher) is a communications processor with security functions. For the SIMATIC S7-300/S7-400, it is the bridge between the field level and the MES level and integrates seamlessly with the security structures of the office and IT world. The module provides protection of the data transmission between devices or network segments against data manipulation/spying and unauthorized access. In addition to the basic communications services, it offers the following functions:
- Two separate interfaces (integrated network separation): Gigabit interface with one RJ45 port and PROFINET interface with 2 RJ45 ports.
- High-quality stateful inspection firewall with filtering of IP- and MAC-based data traffic.
- HTTPS, FTPS, NTP (secure).
- IPSec VPN (data encryption and authentication).
- Protection of the S7 station in which the CP is operated.
- Protection of the internal networks connected to the PROFINET interface.
- Support of multiple VPN tunnels at a time.

1.3 Characteristics of the solution
- VPN tunnel for flexible access to the automation cell - possible, for example, for a service employee.
- Controlled, encrypted data traffic between CP x43-1 Advanced and SOFTNET Security Client.
- Integrated network diagnostics via SNMP or Syslog.
- The firewall, VPN server and communication settings are made directly in the CP x43-1 Advanced; the security functions are integrated in the communications processor.

2 Configuration and Project Engineering

2.1 Setting up the environment

2.1.1 Required components and IP address overview

Software packages
This solution requires the following software packages:
- "Security Configuration Tool V4". This software is included in the scope of delivery of the security modules or available as a download under the following Entry ID: 84467278.
- "SOFTNET Security Client V4 HF1"
- "STEP 7 V5.5", Service Pack 2 or higher, Hotfix 1. The required HSP (HSP 1058) is included in the scope of delivery of the CP 343-1 Advanced or available as a download under the following Entry ID: 23183356.
Install these software packages on a PC/PG.

Required devices/components
To set up the environment, use the following components:
- A CP 343-1 Advanced (article number: 6GK7343-1GX31-0XE0)
- A CPU 317-2 PN/DP (article number: 6ES7317-2EK14-0AB0) with an MMC.
- DSL access with a dynamic WAN IP address and a DSL router (e.g., SCALANCE M81x-1).
- DSL access with a static WAN IP address and a DSL router (e.g., SCALANCE M81x-1).
- One or two 24V power supplies with cable connector and terminal block plug (the modules can also be operated with a shared power supply).
- DIN rail with fitting accessories for the S7-300.
- PC on which the "Security Configuration Tool", "SOFTNET Security Client" and "STEP 7 V5.5" are installed.
- The necessary network cables, TP cables (twisted pair) according to the IE FC RJ45 standard for Industrial Ethernet.

Note
A different S7-300 PROFINET CPU can also be used. For the device environment in which the CP can be operated with the range of functions described here, please refer to the appropriate chapter of the CP 343-1 Advanced manual:
https://support.industry.siemens.com/my/ww/en/documentation/advanced/?docversionid=42597696395&topicid=37239174923&guilanguage=en

Note
You can also use a different Internet access method (e.g., UMTS). The configuration described below refers explicitly to the components listed in "Required devices/components".

IP addresses
For this example, the IP addresses are assigned as follows:

[Figure: SSC (192.168.2.88) - DSL Router1 (LAN 192.168.2.1, dynamic WAN IP) - Internet - DSL Router2 (static WAN IP, LAN 172.16.0.1) - SIMATIC S7-300 with CP 343-1 Advanced (Gigabit port 172.16.47.1, PROFINET port 172.22.80.2)]

Table 2-1
Component                   | Port          | IP address                       | Router       | Subnet mask
SSC (SOFTNET Security Client) | -           | 192.168.2.88                     | 192.168.2.1  | 255.255.255.0
DSL router1                 | LAN port      | 192.168.2.1                      | -            | 255.255.255.0
DSL router1                 | WAN port      | Dynamic IP address from provider | -            | Assigned by provider
DSL router2                 | WAN port      | Static IP address from provider  | -            | Assigned by provider
DSL router2                 | LAN port      | 172.16.0.1                       | -            | 255.255.0.0
CP 343-1 Adv.               | Gigabit port  | 172.16.47.1                      | 172.16.0.1   | 255.255.0.0
CP 343-1 Adv.               | PROFINET port | 172.22.80.2                      | -            | 255.255.255.0
CPU                         | PROFINET port | 172.22.80.3                      | 172.22.80.2  | 255.255.255.0

2.1.2 SOFTNET Security Client

Network
The subnet on the local network adapter of the SOFTNET Security Client and the internal subnet on the CP 343-1 Advanced must be different.
If the PC has multiple network adapters, please note the following:
- A default gateway must only be entered for a single network adapter. If necessary, remove any other default gateways or replace them with static routes.
- The other connected networks on the PC where the SOFTNET Security Client is installed and the internal network of the VPN remote end must be different. Even if no cable is plugged in, the routing function is impaired. Change the subnet of the other network adapter or disable it completely.

VPN software
VPN software from third-party manufacturers may cause incompatibilities and prevent the SOFTNET Security Client from functioning properly. Uninstall this software if disabling is not sufficient.

Firewall
When the SOFTNET Security Client is run on the Windows Vista or Windows 7 operating system, establishing a VPN connection requires that the Windows firewall be enabled.

Time
Make sure that the current date and time are always set on the SOFTNET Security Client PC. Otherwise, the certificates used are interpreted as invalid and secure VPN communication is not possible.

2.1.3 DSL access for the CP 343-1 Advanced

Static IP address
WAN access of the SOFTNET Security Client to the CP 343-1 Advanced is implemented using a fixed public IP address. This IP address must be requested from the provider and then stored in DSL router2.

Port forwarding on DSL router2
Due to the use of a DSL router as an Internet gateway, you have to enable the following ports on DSL router2 and forward the data packets to the CP 343-1 Advanced (VPN server; Gigabit port):
- UDP port 500 (ISAKMP)
- UDP port 4500 (NAT-T)

VPN function
If the DSL router itself is VPN-capable, make sure that this function is disabled.
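The addressing rules of section 2.1.2 (distinct subnets, exactly one default gateway on the client PC), the port forwarding of section 2.1.3 and the date/time prerequisite for the certificates can be checked against the plan of Table 2-1 before commissioning. The following Python script is an added illustration and not part of this Siemens document: the addresses are those of Table 2-1, the second SSC adapter "ssc_adapter2" and the router2 rule sets are constructed, and all function names are the editor's own assumptions.

```python
"""Pre-flight check of the addressing plan in Table 2-1 against the rules in
sections 2.1.2, 2.1.3 and 2.1.5.  Added illustration, not part of the Siemens
document: addresses are copied from Table 2-1, the second SSC adapter and the
router rule sets are constructed, and all function names are assumptions."""
import ipaddress
from datetime import datetime

# Interface address (CIDR) and configured router (None where Table 2-1 shows "-").
PLAN = {
    "ssc":          ("192.168.2.88/24", "192.168.2.1"),
    "router1_lan":  ("192.168.2.1/24",  None),
    "router2_lan":  ("172.16.0.1/16",   None),
    "cp_gigabit":   ("172.16.47.1/16",  "172.16.0.1"),
    "cp_profinet":  ("172.22.80.2/24",  None),
    "cpu_profinet": ("172.22.80.3/24",  "172.22.80.2"),
    # Constructed: a second adapter on the SSC PC that wrongly carries its own
    # default gateway (section 2.1.2 allows exactly one per PC).
    "ssc_adapter2": ("10.0.0.5/24",     "10.0.0.1"),
}

# Ports DSL router2 must forward to the CP's Gigabit port (section 2.1.3).
REQUIRED_FORWARDS = {("udp", 500), ("udp", 4500)}


def iface(name):
    """Return (IPv4Interface, IPv4Address-or-None) for a PLAN entry."""
    addr, gw = PLAN[name]
    return ipaddress.ip_interface(addr), (ipaddress.ip_address(gw) if gw else None)


def gateway_reachable(name):
    """A configured router must lie inside the interface's own subnet."""
    ip, gw = iface(name)
    return gw is None or gw in ip.network


def subnets_distinct(a, b):
    """2.1.2: the SSC's local subnet and the CP's internal subnet must differ."""
    return not iface(a)[0].network.overlaps(iface(b)[0].network)


def default_gateway_count(adapters):
    """2.1.2: only one adapter on the SSC PC may carry a default gateway."""
    return sum(1 for name in adapters if iface(name)[1] is not None)


def internal_devices_use_cp_gateway(devices):
    """2.1.5 note: devices behind the CP use the PROFINET port as gateway."""
    cp_internal = iface("cp_profinet")[0].ip
    return all(iface(d)[1] == cp_internal for d in devices)


def forwarding_complete(rules):
    """rules: set of (proto, port, target_ip) configured on DSL router2.
    ISAKMP and NAT-T must both reach the CP's Gigabit port."""
    cp_wan_side = str(iface("cp_gigabit")[0].ip)
    present = {(proto, port) for proto, port, target in rules if target == cp_wan_side}
    return REQUIRED_FORWARDS <= present


def clock_plausible(device_time, not_before, not_after):
    """Certificates are only valid while the device clock lies inside the
    validity period; a CP still at its 01.01.1984 default fails this.
    All three arguments are ISO-8601 date strings."""
    t, nb, na = (datetime.fromisoformat(s) for s in (device_time, not_before, not_after))
    return nb <= t <= na


def run_checks(router2_rules, ssc_adapters=("ssc",)):
    """Evaluate every rule and return {check name: pass/fail}."""
    return {
        "ssc_gateway_in_subnet": gateway_reachable("ssc"),
        "cp_gateway_in_subnet": gateway_reachable("cp_gigabit"),
        "ssc_vs_cp_internal_distinct": subnets_distinct("ssc", "cp_profinet"),
        "single_default_gateway": default_gateway_count(ssc_adapters) == 1,
        "internal_gateway_is_cp": internal_devices_use_cp_gateway(["cpu_profinet"]),
        "router2_forwards_isakmp_natt": forwarding_complete(router2_rules),
    }


if __name__ == "__main__":
    # Constructed router2 rule set that matches section 2.1.3.
    rules = {("udp", 500, "172.16.47.1"), ("udp", 4500, "172.16.47.1")}
    for check, ok in run_checks(rules).items():
        print(f"{'OK ' if ok else 'BAD'} {check}")
```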

2.1.4 SIMATIC S7-300 station

Connection between PC and controller
Connect the PC on which STEP 7 V5.5 is installed to a PROFINET port of the CPU and change the network settings on the PC as follows:
- IP address: 172.22.80.100
- Subnet mask: 255.255.255.0

Factory default
To make sure that no old configurations and certificates are stored in the CP 343-1 Advanced, reset the module to factory default. For the appropriate chapter in the CP 343-1 Advanced manual, please use the following link:
https://support.industry.siemens.com/my/ww/en/documentation/advanced/?docversionid=42597696395&topicid=40344018827&guilanguage=en

Changing the IP address of the CPU
To download the project data to the CPU, it is useful to first change the IP address of the CPU as shown in Table 2-1. The STEP 7 function "Edit Ethernet Node" is suitable for assigning the IP address. For more information, please refer to the manual, Entry ID: 45531110.

STEP 7 project
Use the STEP 7 configuration software to create a new project and create a hardware configuration with the modules you are using. For the required IP addresses for the CP 343-1 Advanced (Gigabit port and PROFINET port) and the CPU (PROFINET port), please refer to Table 2-1.

Interface configuration of the CPU: [screenshot in the original document]

Interface configuration of the CP (Gigabit port): [screenshot in the original document]

Interface configuration of the CP (PROFINET port): [screenshot in the original document]

Time-of-day synchronization
In the OFF state, the CP 343-1 Advanced loses the current time stamp and, by default, is set to 01.01.1984. To establish secure communication, it is essential that the current date and time are always set on the CP. Otherwise, the certificates used are interpreted as invalid and secure VPN communication is not possible.
The CP provides the following modes for time-of-day synchronization:
- SIMATIC Mode (used in this example)
- NTP Mode (Network Time Protocol)
Time-of-day synchronization for the S7-300 station is configured in the hardware configuration. Proceed as follows:
1. Open your STEP 7 project and the hardware configuration of the S7-300 station.
2. In the STEP 7 object properties of the CP 343-1 Advanced, "Time-of-Day Synchronization" tab, check the "Accept time of day on CP" check box and select "Automatic".

3. Click "OK" to close the dialog.
4. In the STEP 7 object properties of the CPU, "Diagnostics/Clock" tab, set the "As master" synchronization type and the "1 minute" time interval for synchronization in the automation system.
5. Click "OK" to close the dialog.
6. Select "Station" > "Save and Compile" to save and compile the configuration.
7. Close the hardware configuration.

Note
More information on these modes and the configuration can be found in Chapter 3.3.5 of the Configuration Manual for SIMATIC S7 CPs (Entry ID: 60053848).

Loading the controller
In the SIMATIC MANAGER, select the S7-300 station and select "PLC" > "Download" to download the project to your CPU and then start the CPU.

Adjusting the time in the CPU
Due to the "SIMATIC Mode" time-of-day synchronization, the CPU cyclically passes on its system time to the CP 343-1 Advanced. The CPU clock must no longer be in the default state; it must have been set once. Time-of-day synchronization as the time-of-day master does not start before the time of day has been set via SFC 0 "SET_CLK" or using the PG function.

Note
In the following cases, the CPU clock has not yet been set:
- In the as-supplied state.
- After resetting to the as-supplied state using the mode selector switch.
- After a firmware update.

1. Open your STEP 7 project and the hardware configuration of the S7-300 station.
2. Select the CPU and select "PLC" > "Set Time of Day" to open the dialog where you can set the time of day.
3. Check the "Take from PG/PC" check box and confirm your selection.
4. Select "Close" to close the dialog.

Result
The CPU's time of day has been set to the current PG time.

2.1.5 Setting up the infrastructure
Connect all the components involved in this solution.

[Figure: SSC (LAN port) - DSL Router1 (LAN port, WAN port) - DSL Router2 (WAN port, LAN port) - SIMATIC S7-300 with CP 343-1 Advanced (Gigabit port, PROFINET port)]

Table 2-2
Component               | Local port    | Partner                                                       | Partner port
SOFTNET Security Client | LAN port      | DSL router1                                                   | LAN port
CP 343-1 Advanced       | Gigabit port  | DSL router2                                                   | LAN port
CP 343-1 Advanced       | PROFINET port | E.g., an automation network (does not exist in this solution) |

Note
In all devices in the internal network of the CP 343-1 Advanced (e.g., controllers, panels, etc.), please make sure to enter the IP address of the PROFINET port as the default gateway.

2.2 Configuring the VPN tunnel

SCT project
The VPN tunnel configuration is performed using the Security Configuration Tool V4 integrated in STEP 7 and started when enabling the security function in the CP 343-1 Advanced.

Components used
This solution uses the following security components: SOFTNET Security Client (version 4 HF1 or higher) and CP 343-1 Advanced (version 3 or higher).

2.2.1 Integrating the VPN endpoint CP 343-1 Advanced

Overview
To integrate the CP into the Security Configuration Tool, perform the following steps:
- Enable the security function of the CP.
- Create a user and password for the SCT project integrated in STEP 7.

Proceed as follows:
1. Open your STEP 7 project and the hardware configuration of the S7-300 station.
2. In the STEP 7 object properties of the CP 343-1 Advanced, "Security" tab, check the "Enable security" check box.
3. In the following dialog, create a new user with a user name and the associated password. The user is automatically assigned the "Administrator" role.
4. Confirm your entries with "OK".

5. Close the STEP 7 object properties with "OK".
6. Confirm the following security message with "OK".
7. Select "Station" > "Save and Compile" to save and compile the hardware configuration.
8. Close the hardware configuration.

Result
You have created a new security project.

Opening the SCT project
In the hardware configuration, select the "Edit" > "Security Configuration Tool" menu command to open the Security Configuration Tool and log in.

Result
The security module is displayed in the list of configured modules.

2.2.2 Integrating the VPN endpoint SOFTNET Security Client
To integrate the SOFTNET Security Client component into the Security Configuration Tool, proceed as follows:
1. Use "Insert" > "Module" or select the appropriate menu icon to open the module selection dialog. Define the following module:
   - Product type: SOFTNET configuration
   - Module: SOFTNET Security Client
   - Firmware release: V4
2. Assign a name to the module.
3. Click "OK" to close the dialog.

Result
Now the SOFTNET Security Client appears as an additional module.

2.2.3 Defining the VPN properties

Creating a VPN group
All members of a VPN group are authorized to communicate with each other through a VPN tunnel. To create a VPN group, proceed as follows:
1. In the project tree, select the "VPN groups" item. Use "Insert" > "Group" or select the appropriate menu icon to create a new VPN group.
2. One after the other, select the CP 343-1 Advanced and the SOFTNET Security Client ("SSC") from the "All modules" list and use drag and drop to insert them into the VPN group.

Result
The CP 343-1 Advanced and the SOFTNET Security Client have been assigned to VPN group Group1. Certificates are used for authentication.

Defining the VPN parameters
The WAN IP address of DSL router2 is a piece of information that is required to establish the VPN tunnel. Parameterize this piece of information as follows:
1. In the "All modules" project tree, select the CP 343-1 Advanced and double-click to open its properties dialog.
2. In the "VPN" tab, select the "Responder" VPN role for the CP 343-1 Advanced. In the "WAN IP address / FQDN" field, enter the WAN IP address of your DSL access point. In addition, enable access to the internal network.
3. Click "OK" to close the dialog.
4. Click "OK" to confirm the message.
5. Save the project.

Result
The VPN configuration is complete.

2.2.4 Transferring the configuration data
The transfer of the configuration data to the appropriate security components is implemented in different ways:
- CP 343-1 Advanced: Download via the STEP 7 project.
- SOFTNET Security Client: The Security Configuration Tool generates a configuration file for import into the client software and exports the required data to a specified location.

SOFTNET Security Client
1. In the "All modules" project tree, select the "SSC" module and select the "Transfer" > "To module(s)" menu command.
2. Save the "<Project name>.ssc.dat" configuration file and the certificates to your project directory.
3. Confirm the following message with "OK".
4. Enter a password for the .p12 certificate. If you do not assign a password, the project name (not the password of the logged-in user) is applied as the password.
5. Close the Security Configuration Tool.

Result
The following files are saved to the project directory:
- Configuration file: "<Project name>.ssc.dat"
- Certificate: "<Project name>.<string>.ssc.p12"
- Group certificate: "<Project name>.group1.cer"

CP 343-1 Advanced
1. Connect the PC on which the Security Configuration Tool is installed to a PROFINET port of the CPU and change the network settings on the PC as follows:
   - IP address: 172.22.80.100
   - Subnet mask: 255.255.255.0
2. Select "Station" > "Save and Compile" to save and compile the hardware configuration.
3. Select "Options" > "Configure Network" to start NetPro and here, too, compile the entire configuration using "Network" > "Save and Compile".
4. Close the output to check the consistency.
5. Close NetPro and the hardware configuration.
6. In the SIMATIC MANAGER, select the S7-300 station and select "PLC" > "Download" to download the configuration data to your CPU. Then start the CPU.
7. If downloading has completed without errors, the security module starts automatically and the new configuration has been activated.

Result
The security module is configured and in productive mode.

2.3 Final steps
1. Connect the PC (SOFTNET Security Client) to the LAN interface of DSL router1.
2. Assign the required network configuration to the network card as shown in Table 2-1.

2.4 Establishing the VPN connection
To establish the VPN connection, proceed as follows:
1. Start the SOFTNET Security Client. To load the configuration file, click the "Load Configuration" button.
2. Navigate to your project folder and open the "<Project name>.ssc.dat" configuration file.
3. If necessary, select the appropriate network card.

4. Enter the password for the private key of the certificate. Click "Next".
5. Activate the VPN tunnel for the internal members with "Yes".
6. Click the "Tunnel Overview" button.

Result
The tunnel between the CP 343-1 Advanced and the SOFTNET Security Client has been established. The green circle to the left of the "S612" item signals that the remote end is reachable.

3 Testing the Tunnel Function
Chapter 2 completes the commissioning of the configuration, and the CP 343-1 Advanced and the SOFTNET Security Client have established a VPN tunnel for secure communication. You can test the established tunnel connection using a ping command on the Gigabit port of the CP. This is described below. Alternatively, you can also use other methods to test the configuration (e.g., by opening the internal Web page of the CP (https://172.16.47.1) or loading the S7 controller from STEP 7).
1. On the SOFTNET Security Client PC, select "Start" > "All Programs" > "Accessories" > "Command Prompt" in the start bar.
2. In the command line of the "Command Prompt" window that appears, enter the "ping <IP address of Gigabit port of CP>" command at the cursor position.

Result
You get a positive response.

Note
In Windows, the default settings of the firewall may prevent ping commands from passing. You may have to enable the ICMP services of the "Request" and "Response" type.

4 History

Table 4-1
Version | Date   | Modifications
V1.0    | 2/2015 | First version