SIMATIC NET. Industrial Remote Communication Remote Networks SCALANCE M-800 Getting Started. Preface. Connecting SCALANCE M-800 to WAN 1


SIMATIC NET
Industrial Remote Communication - Remote Networks
SCALANCE M-800
Getting Started

Preface
1 Connecting SCALANCE M-800 to WAN
2 SCALANCE M-800 as DHCP server
3 Configuring a VPN tunnel
4 NETMAP with SCALANCE M-800
5 Reporting and switching by SMS
6 Configuring a VRRPv3

02/2018
C79000-G8976-C337-06

Legal information

Warning notice system
This manual contains notices you have to observe in order to ensure your personal safety, as well as to prevent damage to property. The notices referring to your personal safety are highlighted in the manual by a safety alert symbol; notices referring only to property damage have no safety alert symbol. The notices shown below are graded according to the degree of danger.

DANGER indicates that death or severe personal injury will result if proper precautions are not taken.
WARNING indicates that death or severe personal injury may result if proper precautions are not taken.
CAUTION indicates that minor personal injury can result if proper precautions are not taken.
NOTICE indicates that property damage can result if proper precautions are not taken.

If more than one degree of danger is present, the warning notice representing the highest degree of danger will be used. A notice warning of injury to persons with a safety alert symbol may also include a warning relating to property damage.

Qualified Personnel
The product/system described in this documentation may be operated only by personnel qualified for the specific task in accordance with the relevant documentation, in particular its warning notices and safety instructions. Qualified personnel are those who, based on their training and experience, are capable of identifying risks and avoiding potential hazards when working with these products/systems.

Proper use of Siemens products
Note the following:
WARNING
Siemens products may only be used for the applications described in the catalog and in the relevant technical documentation. If products and components from other manufacturers are used, these must be recommended or approved by Siemens. Proper transport, storage, installation, assembly, commissioning, operation and maintenance are required to ensure that the products operate safely and without any problems. The permissible ambient conditions must be complied with. The information in the relevant documentation must be observed.

Trademarks
All names identified by ® are registered trademarks of Siemens AG. The remaining trademarks in this publication may be trademarks whose use by third parties for their own purposes could violate the rights of the owner.

Disclaimer of Liability
We have reviewed the contents of this publication to ensure consistency with the hardware and software described. Since variance cannot be precluded entirely, we cannot guarantee full consistency. However, the information in this publication is reviewed regularly and any necessary corrections are included in subsequent editions.

Siemens AG, Division Process Industries and Drives, Postfach 48 48, 90026 NÜRNBERG, GERMANY
Document order number: C79000-G8976-C337 P 02/2018
Subject to change
Copyright Siemens AG 2013-2018. All rights reserved

Preface

Purpose
The configuration of the SCALANCE M is shown based on examples.

IP settings for the examples
Note: The IP settings used in the examples were freely chosen. In a real network, you would need to adapt these IP settings to avoid possible address conflicts.

General naming conventions
The designation ... stands for ...
SCT: Security Configuration Tool
PST: Primary Setup Tool
CP: CP 343-1 Advanced GX31, CP 443-1 Advanced GX30, CP 1628
M87x: SCALANCE M874-2, SCALANCE M874-3, SCALANCE M876-3, SCALANCE M876-4
M874: SCALANCE M874-2, SCALANCE M874-3
M876: SCALANCE M876-3, SCALANCE M876-4
M812: SCALANCE M812-1
M816: SCALANCE M816-1
M81x: SCALANCE M812-1, SCALANCE M816-1
M826: SCALANCE M826-2
M-800: SCALANCE M874-2, SCALANCE M874-3, SCALANCE M876-3, SCALANCE M876-4, SCALANCE M812-1, SCALANCE M816-1, SCALANCE M826-2

Further documentation

"Industrial Remote Communication Remote Networks - SCALANCE M874" operating instructions
This document contains information with which you will be able to install and connect up a device of the SCALANCE M874 product line. The configuration and the integration of the device in a network are not described in these instructions.

"Industrial Remote Communication Remote Networks - SCALANCE M81x" operating instructions
This document contains information with which you will be able to install and connect up a device of the SCALANCE M812, M816 product line. The configuration and the integration of the device in a network are not described in these instructions.

"Industrial Remote Communication Remote Networks - SCALANCE M-800 Web Based Management" configuration manual
This document is intended to provide you with the information you require to install, commission and operate the device. It provides you with the information you require to configure the devices.

You will find further information about working with the SCT (Security Configuration Tool) in the "Industrial Ethernet Security - Basics and Application" configuration manual. You will find this document on the Internet under the following entry ID: 56577508 (https://support.industry.siemens.com/cs/ww/en/view/56577508)

The "SIMATIC NET Industrial Ethernet Network Manual" contains information on other SIMATIC NET products that you can operate along with the devices of this product line in an Industrial Ethernet network. There you will find, among other things, optical performance data of the communications partners that you require for the installation. You will find this document on the Internet under the following entry ID: 27069465 (https://support.industry.siemens.com/cs/ww/en/view/27069465)

SIMATIC NET manuals
You will find SIMATIC NET manuals on the Internet pages of Siemens Industry Online Support:
- Using the search function: Link to Siemens Industry Online Support (https://support.industry.siemens.com/cs/ww/en/). Enter the entry ID of the relevant manual as the search item.
- In the navigation panel on the left-hand side in the area "Industrial Communication": Link to the area "Industrial Communication" (https://support.industry.siemens.com/cs/ww/en/ps/15247/pm). Go to the required product group and make the following settings: tab "Entry list", Entry type "Manuals".

Training, Service & Support
You will find information on Training, Service & Support in the multi-language document "DC_support_99.pdf" on the data medium supplied with the documentation.

SIMATIC NET glossary
Explanations of many of the specialist terms used in this documentation can be found in the SIMATIC NET glossary. You will find the SIMATIC NET glossary on the Internet under the following entry ID: 50305045 (https://support.industry.siemens.com/cs/ww/en/view/50305045)

Security information
Siemens provides products and solutions with industrial security functions that support the secure operation of plants, systems, machines and networks.
In order to protect plants, systems, machines and networks against cyber threats, it is necessary to implement and continuously maintain a holistic, state-of-the-art industrial security concept. Siemens products and solutions constitute one element of such a concept.
Customers are responsible for preventing unauthorized access to their plants, systems, machines and networks. Such systems, machines and components should only be connected to an enterprise network or the Internet if and to the extent such a connection is necessary, and only when appropriate security measures (e.g. firewalls and/or network segmentation) are in place. Additionally, Siemens guidance on appropriate security measures should be taken into account. For additional information on industrial security measures that may be implemented, please visit https://www.siemens.com/industrialsecurity
Siemens products and solutions undergo continuous development to make them more secure. Siemens strongly recommends that product updates are applied as soon as they are available and that the latest product versions are used. Use of product versions that are no longer supported, and failure to apply the latest updates, may increase customers' exposure to cyber threats.
To stay informed about product updates, subscribe to the Siemens Industrial Security RSS Feed under https://www.siemens.com/industrialsecurity

Firmware
The firmware is signed and encrypted. The device accepts only firmware whose signature was created by Siemens, so firmware from any other source cannot be downloaded to the device.

Trademarks
The following and possibly other names not identified by the registered trademark sign are registered trademarks of Siemens AG: SCALANCE, SINEMA, CP 343-1, CP 443-1, CP 1628


Table of contents

Preface ... 3
1 Connecting SCALANCE M-800 to WAN ... 11
1.1 Procedure in principle ... 11
1.2 Setting up the SCALANCE M-800 and the network ... 12
1.3 Connecting M826 to SHDSL ... 13
1.4 Adapting IP settings ... 17
1.4.1 Configuration with the Primary Setup Tool (PST) ... 18
1.4.2 Configuration with DCP Discovery ... 19
1.5 Starting Web Based Management ... 22
1.6 Logging in to Web Based Management ... 25
1.7 Specifying device information ... 26
1.8 Setting the time ... 27
1.9 Additional configuration steps with the SCALANCE M87x and SCALANCE M81x ... 29
1.9.1 Configuring access parameters for the SCALANCE M87x ... 29
1.9.2 Configuring access parameters for the SCALANCE M81x ... 32
1.9.3 Setting up the DDNS hostname ... 35
1.10 Additional steps in configuration with the SCALANCE M826 in 4-wire operation ... 36
1.10.1 Configuring SHDSL ... 36
1.11 Additional steps in configuration with the SCALANCE M826 in routing mode ... 38
1.11.1 Creating IP subnet ... 38
1.11.2 Configuring routes ... 40
1.12 Allow access ... 41
2 SCALANCE M-800 as DHCP server ... 45
2.1 Configuring dynamic IP address assignment ... 46
2.2 Specifying DHCP options ... 47
2.3 Configuring static IP address assignment ... 49
3 Configuring a VPN tunnel ... 51
3.1 VPN tunnel between SCALANCE M-800 and S612 ... 51
3.1.1 Procedure in principle ... 51
3.1.2 Secure VPN tunnel with PSK ... 55
3.1.2.1 Configuring a VPN tunnel with the SCT V3.x ... 55
3.1.2.2 Configuring a VPN tunnel with the SCT V4.x ... 62
3.1.2.3 Configuring SCALANCE M-800 ... 68
3.1.3 Secure VPN tunnel with certificates ... 74
3.1.3.1 Configuring a VPN tunnel with the SCT V3.x ... 74
3.1.3.2 Configuring a VPN tunnel with the SCT V4.x ... 81
3.1.3.3 Configuring SCALANCE M-800 ... 87
3.1.4 Firewall with a VPN connection ... 95
3.1.4.1 Creating firewall rules automatically ... 96
3.1.4.2 Creating firewall rules manually ... 97
3.2 VPN tunnel between SCALANCE M-800 and security CPs ... 99
3.2.1 Procedure in principle ... 99
3.2.2 Secure VPN tunnel with PSK ... 102
3.2.2.1 Configuring a VPN tunnel with the SCT V3.x ... 102
3.2.2.2 Configuring a VPN tunnel with the SCT V4.x ... 107
3.2.2.3 Configuring SCALANCE M-800 ... 111
3.2.3 Secure VPN tunnel with certificates ... 117
3.2.3.1 Configuring a VPN tunnel with the SCT V3.x ... 117
3.2.3.2 Configuring a VPN tunnel with the SCT V4.x ... 122
3.2.3.3 Configuring SCALANCE M-800 ... 126
3.3 VPN tunnel between SCALANCE M87x and SINEMA RC Server ... 133
3.3.1 Procedure in principle ... 133
3.3.2 Configuring access to the SINEMA RC server ... 138
3.3.2.1 Activating IP masquerading ... 138
3.3.2.2 Allow access ... 138
3.3.3 Configuring a remote connection on the SINEMA RC Server ... 139
3.3.3.1 Creating node groups ... 139
3.3.3.2 Create devices ... 140
3.3.3.3 Configure communications relations ... 143
3.3.4 Configuring a remote connection on the M87x ... 144
3.3.4.1 Secure VPN connection with fingerprint ... 144
3.3.4.2 Secure VPN connection with CA certificate ... 148
3.4 VPN tunnel between two M-800s ... 153
3.4.1 Procedure in principle ... 153
3.4.2 Configuring a VPN tunnel with the SCT ... 156
3.4.2.1 Creating the project and modules ... 156
3.4.2.2 Configuring a tunnel connection ... 159
3.4.2.3 Configuring VPN parameters ... 160
3.4.2.4 Saving the configuration ... 161
3.4.3 Configuring the SCALANCE M81x (VPN server) ... 162
3.4.3.1 Loading a certificate ... 162
3.4.3.2 Configuring the VPN remote end ... 164
3.4.3.3 Configuring a VPN connection ... 165
3.4.3.4 Configuring VPN authentication ... 165
3.4.3.5 Configuring phase 1 and phase 2 ... 166
3.4.3.6 Activating VPN ... 168
3.4.3.7 Establishing the VPN connection ... 168
3.4.4 Configuring the SCALANCE M87x (VPN client) ... 169
3.4.4.1 Loading a certificate ... 169
3.4.4.2 Configuring the VPN remote end ... 171
3.4.4.3 Configuring a VPN connection ... 172
3.4.4.4 Configuring VPN authentication ... 172
3.4.4.5 Configuring phase 1 and phase 2 ... 173
3.4.4.6 Activating VPN ... 175
3.4.4.7 Establishing the VPN connection ... 175
3.4.5 Displaying the status of the VPN connection ... 176
4 NETMAP with SCALANCE M-800 ... 177
4.1 NETMAP for the local network ... 180
4.1.1 Creating a VPN connection ... 181
4.1.2 Creating NETMAP rules ... 183
4.2 NETMAP for the remote network ... 184
4.2.1 Creating a VPN connection ... 185
4.2.2 Creating NETMAP rules ... 187
4.3 NETMAP for the local and remote network ... 189
4.3.1 Creating a VPN connection ... 190
4.3.2 Creating NETMAP rules ... 192
5 Reporting and switching by SMS ... 195
5.1 Introduction ... 195
5.2 Generating and sending an event SMS message ... 195
5.2.1 Introduction ... 195
5.2.2 Configuring an event ... 196
5.2.3 Configuring the sending of SMS messages ... 197
5.3 Receiving and evaluating a command SMS message ... 198
5.3.1 Introduction ... 198
5.3.2 SINEMA RC Server sends a wake-up SMS message ... 200
5.3.2.1 Configuring settings on the SINEMA RC Server ... 200
5.3.2.2 Configuring receipt of the command SMS message on the M87x ... 201
5.3.3 Service technician sends a command SMS message ... 202
5.3.3.1 Start VPN connection with command SMS message ... 202
5.3.3.2 Querying the status of the VPN connection with command SMS message ... 203
6 Configuring a VRRPv3 ... 205
6.1 Introduction ... 205
6.2 Configure VRRPv3 ... 207
6.2.1 Create VRRPv3 router ... 207
6.2.2 Configure VRRPv3 router ... 208
6.2.3 Specifying the virtual IP address ... 209
6.2.4 Configuring interface monitoring ... 210
6.3 Creating firewall rules for VRRPv3 ... 211
6.4 Verify VRRPv3 ... 212
Index ... 215

1 Connecting SCALANCE M-800 to WAN

1.1 Procedure in principle
This section provides an overview of how a SCALANCE M-800 with the factory settings can be integrated in a network and configured. This can be a mobile wireless network (SCALANCE M87x) or a wired network (SCALANCE M812, SCALANCE M816 or SCALANCE M826). The device is assigned an IP address. Configuration is performed using the Web Based Management (WBM).

Structure for SCALANCE M874 and SCALANCE M81x
Figure 1-1: Internet access via a mobile wireless network with the SCALANCE M874-3, or via ADSL with the SCALANCE M812-1

Required components
- SCALANCE M-800
- Optional, if the device is not mounted directly: standard rail with fittings
- A power supply, 24 VDC or 12 VDC, with cable connector and terminal block connector
- A network cable complying with the IE FC RJ-45 standard for Industrial Ethernet
- One PC for the configuration
Additionally with the SCALANCE M87x:
- A suitable antenna
- A SIM card of your mobile wireless provider (the required services, for example Internet, must be enabled)

Additionally with the SCALANCE M81x:
- Activation for ADSL

Steps in configuration
The required steps in configuration depend in part on the device you are using. If the SCALANCE M826 is used in 2-wire operation, only the configuration step "Setting up SCALANCE M-800 and the network" is required. After this, the SCALANCE M826 is ready for operation immediately (out of the box).
1. Set up the SCALANCE M-800 and the network. For the SCALANCE M826, note the additional information in the section "Connecting M826 to SHDSL".
2. When necessary, configure the device with the Primary Setup Tool (PST) or DCP Discovery.
3. If applicable, adapt the IP configuration of the PC.
4. Start Web Based Management.
5. Log in to Web Based Management.
6. Configure the SCALANCE M-800:
   - Specify device information
   - Set the time of day
   - Only with the SCALANCE M87x and SCALANCE M81x: configure access data
   - Only with the SCALANCE M87x and SCALANCE M81x: set up the host name
   - Only with the SCALANCE M826 in 4-wire operation: configure SHDSL
   - Allow access

1.2 Setting up the SCALANCE M-800 and the network
Note: Note the security instructions in the operating instructions before you commission the device.

Procedure
1. Unpack the SCALANCE M-800 and check the device for damage.
2. Only with the SCALANCE M87x: insert the SIM card.
3. Connect the power supply.
   WARNING
   Use safety extra-low voltage only
   The SCALANCE M874 is designed for operation with safety extra-low voltage. This means that only safety extra-low voltages (SELV) complying with IEC950/EN60950/VDE0805 can be connected to the power supply terminals. The power supply unit for the SCALANCE M power supply must meet NEC Class 2 according to the National Electrical Code® (ANSI/NFPA 70).
4. Connect the device to the network. This step depends on the device and the type of network:
   - SCALANCE M87x (mobile wireless network): mount the antenna.
   - SCALANCE M81x (ADSL): connect the device to the DSL socket on the splitter.
   - SCALANCE M826 (SHDSL): wire X1 with X2; for detailed information refer to the section "Connecting M826 to SHDSL".
5. Connect an Ethernet port (P1, P2, P3, P4) to the PC.
6. Turn the device on. After connecting up, the fault LED (F) is lit red.
7. Now turn on the PC.

1.3 Connecting M826 to SHDSL
The SCALANCE M826 can be operated in two ways:
2-wire operation: When supplied, the two SHDSL interfaces are set so that two SCALANCE M826 can be connected via a point-to-point connection. Interface X1 is configured as CO (Central Office) and interface X2 as CPE (Customer Premises Equipment).
4-wire operation: Both SHDSL interfaces are put together to form a single connection with a higher transmission rate. The two interfaces X1 and X2 of one device are configured as CO and the two interfaces X1 and X2 of the other device as CPE.
When supplied, the SCALANCE M826 is configured so that there is no distinction between the internal and external network. The SCALANCE M826 is a transparent bridge and connects network nodes that are in the same IP subnet.

2-wire operation with factory settings (out of the box)
Figure 1-2: The admin PCs represent network nodes that are connected to an Ethernet interface of the relevant SCALANCE M826. The SCALANCE M826 are connected together via an in-house 2-wire cable.

Settings used
Figure 1-3: Factory settings for the devices of the configuration example.

4-wire operation
Figure 1-4: The admin PCs represent network nodes that are connected to an Ethernet interface of the relevant SCALANCE M826. The two SCALANCE M826 are connected together via two in-house 2-wire cables.

Settings used
Device                IP address        Subnet mask
Central office M826   192.168.100.1     255.255.255.0
Admin PC              192.168.100.20    255.255.255.0
Station M826          192.168.100.10    255.255.255.0
Admin PC              192.168.100.40    255.255.255.0

Connecting SCALANCE M-800 to WAN 1.3 Connecting M826 to SHDSL In routing mode In this example, three different IP subnets will be interconnected via the SCALANCE M826. For this connection, there must be a one SHDSL interface of a device in the role of CO and the other in the role of CPE. Since the SCALANCE M826 devices operate in routing mode, there is a division into external and internal networks. This means that the SHDSL interfaces and the Ethernet interfaces are located in different IP subnets. In this mode, the security functions (IPsec VPN, firewall, NAT/NAPT) are available. Figure 1-5 SCALANCE M826 in routing mode: The network nodes are in different IP subnets. The SHDSL interfaces are connected together via in-house 2-wire cables. Settings used Central office M826 Admin PC Interface SHDSL (external) Ethernet (internal) Ethernet (internal) Station 1 M826 SHDSL Admin PC (external) Ethernet (internal) Ethernet (internal) IP address Vlan 2 192.168.184.2 255.255.255.0 Vlan 1 192.168.100.1 255.255.255.0 192.168.100.20 255.255.255.0 Vlan 2 192.168.184.22 255.255.255.0 Vlan 1 192.168.11.2 255.255.255.0 192.168.11.40 255.255.255.0 16 Getting Started, 02/2018, C79000-G8976-C337-06

                           Interface             IP address                Subnet mask
Station 2       M826       SHDSL (external)      Vlan 2: 192.168.184.42    255.255.255.0
                           Ethernet (internal)   Vlan 1: 192.168.50.2      255.255.255.0
                Admin PC   Ethernet (internal)   192.168.50.40             255.255.255.0

1.4 Adapting IP settings

Introduction

To be able to access a SCALANCE M-800 with the Web Based Management, the device must have an IP address. You have the following options for assigning an IP address to devices the first time or changing already assigned IP addresses:
- Primary Setup Tool (PST)
- DCP Discovery (as of firmware version V4.3)

SCALANCE M826

The SCALANCE M826 is supplied without a preset IP address, because for this device there are applications that require no further configuration (out of the box). In these cases, no access to the Web Based Management is necessary and therefore no IP address either. The device will, however, attempt to obtain an IP address from a DHCP server if it is available in the network. In all other cases, the device must first be assigned an IP address.

SCALANCE M87x and SCALANCE M81x

The devices SCALANCE M87x and SCALANCE M81x are supplied with the following factory settings:
IP address:   192.168.1.1
Subnet mask:  255.255.255.0

If you enter the IP address "192.168.1.1" in the address box of a Web browser on a connected PC (in the examples called "admin PC"), you come directly to the WBM of the device. However, a change to the factory settings may be necessary due to address areas already configured in the existing network.

1.4.1 Configuration with the Primary Setup Tool (PST)

Introduction

The following section describes the procedure when using the PST.

Procedure

1. Start the Primary Setup Tool with "Start > SIMATIC > Primary Setup Tool". If several network adapters are installed in the PC, select the network adapter connected to the SCALANCE M-800 in "Settings > Network adapter".
2. Click on the magnifier in the toolbar to start the search. After the search, all devices are listed that can be configured with the PST.
3. Select the entry for the Ethernet interface of the SCALANCE M-800.
4. Select the option button "Assign IP parameters".
5. Enter the required values in the "IP address" and "Subnet mask" boxes.

Figure 1-6 User interface of the Primary Setup Tool

Follow the steps below to transfer the parameter assignment to the device:
1. Select the entry for the SCALANCE M-800.
2. Click on the second button from left ("Download") or select the "Module > Download" menu command.

Figure 1-7 Transfer the parameters with the "Download" button

1.4.2 Configuration with DCP Discovery

Introduction

The network parameters of the SCALANCE M826-2 in the plant network are to be updated in this example configuration. To do so, the PC in the service center establishes a WAN connection to a SCALANCE M87x, and the service technician accesses its WBM. On the WBM page "DCP Discovery and Set via DCP", the service technician can see all nodes that support the DCP protocol and can be accessed over the interface of the device, e.g. SCALANCE M826-2. For the SCALANCE M826-2, the device name, the IP address, the subnet mask and the gateway address are updated. The devices can be identified on site by flashing of the respective device.

Requirement

Firmware version V4.3 or later is installed on the devices.

Procedure

1. Click "System > DCP Discovery" in the navigation area.
2. Click the "Discover" button to start the search. After the search, all devices are listed that can be reached via the interface. With the aid of the table you can check the configuration of the devices. The SCALANCE M826 is supplied without a preset IP address, so it currently has the IP address 0.0.0.0.
3. Enter the required values in the "IP Address" and "Subnet Mask" boxes. The assigned IP address must match your network and should be unique within the network.
4. Click on "Set Values". The status of the IP address changes from "Discovered" to "Configured".

1.5 Starting Web Based Management

Depending on the device and the example shown, the admin PC is assigned the following IP address:

SCALANCE M87x and SCALANCE M81x
              IP address      Subnet mask
Admin PC      192.168.1.20    255.255.255.0

SCALANCE M826
              IP address      Subnet mask
Admin PC 1    192.168.1.20    255.255.255.0
Admin PC 2    192.168.1.40    255.255.255.0

Procedure

1. On the Admin PC, open the Control Panel with the menu command "Start" > "Control Panel".
2. Click "Network and Sharing Center" and select the "Change adapter settings" option in the navigation menu on the left.
3. Right-click on the "LAN Connection" symbol and select the "Properties" menu command.
4. In the "Local Area Connection Properties" dialog, enable the "Internet Protocol Version 4 (TCP/IPv4)" check box.

5. Enter the values assigned to the admin PC from the table in the relevant boxes.

Note
The IP address used in the following figure for the standard gateway (192.168.1.1) must be adapted if the factory setting is not used for the IP address of the SCALANCE M-800.

6. Confirm the dialogs with "OK" and close the Control Panel.

7. Enter the IP address "192.168.1.1" in the address box of the Internet browser. Access via HTTPS is enabled as default. If you access the device via HTTP, the address is automatically redirected to HTTPS. A message relating to the security certificate appears. Acknowledge this message and continue loading the page.

Note
Information on the security certificate
Because the device can only be administered using encrypted access, it is delivered with a self-signed certificate. If certificates with signatures that the operating system does not know are used, a security message is displayed. You can display the certificate.

8. If there is a problem-free connection to the device, the logon page of Web Based Management (WBM) is displayed.

1.6 Logging in to Web Based Management

Procedure

1. Log in with the user name "admin" and the password "admin". You will be prompted to change the password.
2. Confirm the dialog. The "Account Passwords" WBM page is opened automatically.
3. Enter the default password "admin" in "Current User Password".
4. For "New Password", enter the new password. The new password must be at least 8 characters long and contain upper case letters, lower case letters, numbers and special characters.
5. Repeat the new password in "Password Confirmation" as confirmation. The entries must match.

6. Click the "Set Values" button.
7. The Basic Wizard starts to support you when configuring the device parameters.

Result

The password for the "admin" user is changed. The changes take immediate effect.

1.7 Specifying device information

To allow better identification of the SCALANCE M-800, specify general device information.

Procedure

1. In the navigation area click on "System > General" and in the content area on the "Device" tab.
2. In "System Name", enter a name for the device.
3. Enter the contact person responsible for the device in "System Contact".
4. Enter the identifier for the location at which the device is installed in "System Location", for example the room number.
5. Click the "Set Values" button.

Result

The general device information for the SCALANCE M-800 has been specified.

1.8 Setting the time

The date and time are kept on the SCALANCE M-800 to check the validity (time) of certificates and for the time stamps of log entries. You can set the system time yourself manually or have it synchronized automatically with a time server. There are a number of time servers on the Internet that can be used to obtain the current time precisely. For this example, the time server is configured using NTP.

Note
Manual time setting - reaction after interrupting the power supply
Note that the time is reset to the factory setting if the power supply is interrupted. On return of the power, you need to set the system time again. As a result, certificates can lose their validity.

Synchronization using a time server
Synchronization of the system time using a public time server creates additional data traffic on the connection. This may result in additional costs, depending on your subscriber contract.

Requirement

- The NTP server is reachable.
- The IP address of the NTP server is known. For this example, a time server (e.g. 192.53.103.108) of the Physikalisch-Technische Bundesanstalt (PTB) in Braunschweig is used (Federal Institute of Physical and Technical Affairs - metrology institute). As an alternative, the Fully Qualified Domain Name (FQDN) can be specified, for example "pool.ntp.org".

Procedure

1. In the navigation area click on "System > System Time" and in the content area on the "NTP Client" tab.
2. In "Time zone", enter the local time difference to world time (UTC). For Central European Summer Time (CEST): +02:00.
3. Click "Create". A new entry is created in the table.
4. In "NTP Server Address", enter the IP address 192.53.103.108.
5. If necessary, change the port in "NTP Server Port". As default, 123 is set.
6. In "Poll Interval", enter the interval for synchronization. As default, 64 is set.
7. Enable "NTP Client".
8. Click on "Set Values".

Result

The system time is set using NTP. Click "Refresh" to refresh the WBM page.

1.9 Additional configuration steps with the SCALANCE M87x and SCALANCE M81x

1.9.1 Configuring access parameters for the SCALANCE M87x

Requirement

- The services are enabled, e.g. Internet.
- The following data is available:
  - PIN number
  - APN
  - User name and password for the APN

Enter the PIN number

1. In the navigation area click on "Interfaces" > "Mobile" and in the content area on the "SIM" tab.
2. In "PIN", enter the PIN number.
3. Enable the mobile wireless interface.
4. Click on "Set Values".

Configure APN

1. Click on the "Operator" tab in the content area.
2. Specify the access data for the APN.
   - If your mobile wireless provider is included in the table, no further configuration is necessary.
   or
   - In "Country List", select the country in which the device will be used. In "Provider List" select the appropriate mobile wireless provider. If a mobile wireless provider is listed more than once for a country, select the entry with the PLMNID that matches the SIM.
   or
   - If your mobile wireless provider is not included in the table and not in the list of providers, enable the entry "Manual". When the "Manual" entry is enabled, all other entries are automatically ignored. Complete the boxes PLMNID, Operator Name, APN, User Name (optional), Password (optional) and Password Confirmation (optional). To adopt the entry click on "Create" and "Set Values".

Result

The PIN number and the APN are configured. The M87x connects to the mobile wireless network after approximately 30 seconds. You can check whether or not the connection is established in "Information > Mobile > Overview".

There the name of your mobile wireless provider should appear in "Provider". For a functioning connection, the signal strength should be higher than 104 dBm.

Note
This page provides the option of automatic updating. Click on the symbol with the two arrows in the upper display area to enable this function.

The "Signal Recorder" page shows the signal strength for the cell into which the device is currently booked. Using the graphical display, you can check the orientation of the mobile radio antenna and correct it, if necessary. When there is a change in the cell, this is displayed by a vertical black line. The cell IDs (old > new) are displayed in the line. When the mobile network changes as well, this is also indicated. The display is updated automatically in a 500 ms cycle.

1.9.2 Configuring access parameters for the SCALANCE M81x

Requirement

- The services are enabled, e.g. Internet.
- The following access data is known from your DSL provider:
  - User name and password for ADSL access
  - DSL parameter

Configuring ADSL

1. Click "Interfaces" > "DSL" in the navigation area.
2. Enable the DSL interface.
3. Disable PPPoE passthrough to set up the access data for the SCALANCE M81x. The connected devices can use this DSL connection. If "Enable PPPoE Passthrough" is selected, the access data cannot be configured. In this case the SCALANCE M81x is used as a modem. Each individual connected device sends its access data to the SCALANCE M81x and establishes its own Internet connection.
4. Enter the user name and the password for the ADSL access.
5. Enter the settings for VCI / VPI. You will receive the settings from your DSL provider.
6. In "Encapsulation" select the required protocol.
7. Click on "Set Values".

Result

The DSL connection is set up. The device connects to the Internet after approximately 30 seconds. You can check whether or not the connection is established in "Information" > "Start Page".

You will find more detailed information on the connection in "Information" > "DSL".

1.9.3 Setting up the DDNS hostname

DDNS stands for "dynamic domain name system". If you log the SCALANCE M-800 on to a DDNS service, the device can be reached from the external network under a hostname, e.g. "example.no-ip.com". The DNS server of the DDNS service manages the assignment of IP address to hostname. The client informs the DNS server of its currently assigned IP address. The DNS name server registers the current hostname - IP address assignment and passes this on to other domain name servers in the Internet. This means that the SCALANCE M-800 can always be reached using its hostname.

Requirement

- User name and password that give you the right to use the DDNS service.
- Registered hostname, e.g. example.no-ip.com

Procedure

1. Click on "System" > "DNS" in the navigation area and on the "DDNS Client" tab in the content area.
2.
3. In "Host", enter the hostname that you have agreed with your DDNS provider for the device, e.g. example.no-ip.com.
4. For "User name", enter the user data and for "Password / Password Confirmation" the password that allows you to use the DDNS service. Your DDNS provider will give you this information.

5. Select the appropriate check box in the "enabled" column for one of the two services "No-IP" or "DynDNS".
6. Click on "Set Values".

Result

The DDNS client is activated. The DDNS client on the SCALANCE M-800 synchronizes the assigned IP address with the hostname registered in the DDNS service.

1.10 Additional steps in configuration with the SCALANCE M826 in 4-wire operation

1.10.1 Configuring SHDSL

Procedure

1. In the navigation area click "Interfaces" > "SHDSL" > "Configuration".
2. For "Port-Type" leave "Switch-Port VLAN Hybrid" enabled.
3. Specify the role of the interfaces. The two interfaces need to have the same role on both devices.

                                X1                                   X2
   M826 in the master station   Central Office (CO)                  Central Office (CO)
   M826 in the station          Customer Premises Equipment (CPE)    Customer Premises Equipment (CPE)

4. For "Predefined Profile", select "Reliability". The following parameters are set automatically.

5. Click on "Set Values".
6. In the navigation area click "Interfaces" > "SHDSL" > "Overview".
7. Enable the PME aggregation function. When enabled, the SHDSL interfaces or the 2-wire cables are put together to form a single connection with a higher transmission rate.
8. Click on "Set Values".

Result

The SHDSL connection is set up. The devices negotiate the connection parameters. This means that the devices use the transmission rate at which the data can be sent and received reliably.

1.11 Additional steps in configuration with the SCALANCE M826 in routing mode

1.11.1 Creating IP subnet

In routing mode, the interfaces are handled differently.
- Ethernet interface: Connection of the internal IP subnet (vlan 1)
- SHDSL interface: Connection of the external IP subnet (vlan 2)

The Ethernet interface or internal IP subnet has already been configured with the PST. For this configuration example, only the IP subnet for the SHDSL interface or for the external IP subnet needs to be configured. The same steps need to be taken on all devices.

Procedure

1. Click on "Layer 3 > Subnets" in the navigation area and on the "Configuration" tab in the content area.
2. For "Interface (Name)" select the entry "vlan2".
3. For "Interface Name" you can enter a name.

4. Enter the value assigned to the M826 from the "Settings used (Page 13)" table.
5. Click on "Set Values".

Result

The IP subnets have been created. The IP subnets are displayed in the "Overview" tab.

1.11.2 Configuring routes

The master station and the stations are in different IP subnets. To allow the master station to communicate with the stations, the appropriate routes need to be created on the M826.

M826 in the master station: Configuring routes

1. Click "Layer 3 > Static Routes" in the navigation area.
2. Configure the routes with the following settings:

   Route to station 1
   Destination Network       192.168.11.0
   Subnet Mask               255.255.255.0
   Gateway                   192.168.184.22 (external IP address of the M826 in station 1)
   Administrative Distance   -1

   Route to station 2
   Destination Network       192.168.50.0
   Subnet Mask               255.255.255.0
   Gateway                   192.168.184.42 (external IP address of the M826 in station 2)
   Administrative Distance   -1

3. When you have entered the values, click "Create".
4. To update the display, click "Refresh".

M826 in the stations: Configuring routes

1. Click "Layer 3 > Static Routes" in the navigation area.
2. Configure the route to the master station with the following settings:

   Destination Network       192.168.100.0
   Subnet Mask               255.255.255.0
   Gateway                   192.168.184.2 (external IP address of the M826 in the master station)
   Administrative Distance   -1

3. When you have entered the values, click "Create".
4. To update the display, click "Refresh".

Result

The routes have been created. The SCALANCE M826 in the master station can communicate with the stations. Using the ping function, the communications connection can be tested. For example, can the Admin PC in station 1 be reached by the Admin PC in the master station?

1.12 Allow access

The firewall is enabled as default. The following access is not allowed:
- Access from internal to external.
- Access from external to internal.
- Data exchange between different internal VLANs.
- Data exchange with the device from different zones.

You have the following options for allowing access:

Allow globally
The predefined firewall rules specify which of the zones (VLAN1, VLAN2, or PPP) may access which services of the SCALANCE M-800. With predefined rules it is possible to permit data exchange between the zones (internal VLAN1 to external PPP0). The firewall rule for the opposite direction is permitted by stateful packet inspection.

Allow certain services
Here, you define firewall rules that allow individual services for a single node or all services for the node for access to the station or network.

In this example, configure the firewall rules that only allow the device with IP address 192.168.100.10 access to the entire Internet. For the access, the services HTTP (TCP port 80) and DNS (UDP port 53) are required.
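To check the routes of section 1.11.2 before touching the firewall, the following added example (written for this page, not Siemens firmware) rebuilds the forwarding tables of the three M826 from the "Settings used" table and the static routes above and traces the ping between the admin PCs in both directions; it also shows what happens when the return route on a station is missing. Assumed: the router names, and an administrative distance of 1 for static routes in the model (the WBM entry "-1" of the example keeps the device default).

```python
"""Longest-prefix-match model of the static routes from section 1.11.2.

Added illustration, not SCALANCE firmware: the forwarding tables of the
M826 in the master station and in stations 1 and 2 are built from the
addresses in this example, then a destination is followed hop by hop.
"""
import ipaddress


class Router:
    """One M826 in routing mode: connected subnets plus static routes."""

    def __init__(self, name, interfaces):
        # interfaces: {"vlan1": "192.168.100.1/24", "vlan2": "192.168.184.2/24"}
        self.name = name
        self.ifaces = {n: ipaddress.ip_interface(a) for n, a in interfaces.items()}
        # (destination network, gateway or None, interface, administrative distance)
        self.routes = [(ifc.network, None, n, 0) for n, ifc in self.ifaces.items()]

    def add_static(self, dest, mask, gateway, distance=1):
        """Static route as entered on "Layer 3 > Static Routes".
        distance=1 is an assumption of this model; the page's "-1" keeps
        the device default."""
        net = ipaddress.ip_network(f"{dest}/{mask}")
        gw = ipaddress.ip_address(gateway)
        for n, ifc in self.ifaces.items():
            if gw in ifc.network:            # gateway must be directly reachable
                self.routes.append((net, gw, n, distance))
                return
        raise ValueError(f"{self.name}: gateway {gw} is on no connected subnet")

    def lookup(self, dst):
        """Longest prefix wins; on equal length the lower distance wins."""
        dst = ipaddress.ip_address(dst)
        matches = [r for r in self.routes if dst in r[0]]
        if not matches:
            return None
        return max(matches, key=lambda r: (r[0].prefixlen, -r[3]))


def trace(start, dst, routers_by_ip, max_hops=8):
    """Follow next hops from router `start` until `dst` lies on a connected
    subnet. `routers_by_ip` maps a gateway address to the router owning it.
    Returns the router names visited plus a final verdict."""
    path = [start.name]
    cur = start
    for _ in range(max_hops):
        route = cur.lookup(dst)
        if route is None:
            return path + ["no route"]
        _net, gw, ifname, _dist = route
        if gw is None:
            return path + [f"delivered via {ifname}"]
        if str(gw) not in routers_by_ip:
            return path + [f"next hop {gw} unknown"]
        cur = routers_by_ip[str(gw)]
        path.append(cur.name)
    return path + ["loop"]


def build_example(with_return_routes=True):
    """The three M826 of the routing-mode example (addresses from the page).
    Returns {external IP: Router} so gateways can be resolved."""
    master = Router("master M826", {"vlan1": "192.168.100.1/24",
                                    "vlan2": "192.168.184.2/24"})
    st1 = Router("station 1 M826", {"vlan1": "192.168.11.2/24",
                                    "vlan2": "192.168.184.22/24"})
    st2 = Router("station 2 M826", {"vlan1": "192.168.50.2/24",
                                    "vlan2": "192.168.184.42/24"})
    # routes on the M826 in the master station
    master.add_static("192.168.11.0", "255.255.255.0", "192.168.184.22")
    master.add_static("192.168.50.0", "255.255.255.0", "192.168.184.42")
    if with_return_routes:
        # route to the master station on the M826 in each station
        st1.add_static("192.168.100.0", "255.255.255.0", "192.168.184.2")
        st2.add_static("192.168.100.0", "255.255.255.0", "192.168.184.2")
    return {"192.168.184.2": master, "192.168.184.22": st1, "192.168.184.42": st2}


if __name__ == "__main__":
    routers = build_example()
    # echo request from the master station's admin PC to station 1's admin PC
    print(trace(routers["192.168.184.2"], "192.168.11.40", routers))
    # echo reply on the way back
    print(trace(routers["192.168.184.22"], "192.168.100.20", routers))
    # the same reply without the station's return route
    bare = build_example(with_return_routes=False)
    print(trace(bare["192.168.184.22"], "192.168.100.20", bare))
```

Station-to-station traffic (192.168.11.0/24 to 192.168.50.0/24) has no route in this example, so the model reports "no route" for it, matching the page's statement that only the master station communicates with the stations.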

Predefined rules

1. Click on "Security > Firewall" in the navigation area and on the "Predefined IPv4" tab in the content area.
2. Click on "Set Values".

Allow Internet access for a certain device and a certain service (HTTP)

Create HTTP and DNS services

1. Click on "Security" > "Firewall" in the navigation area and on the "IP Services" tab in the content area.
2. As the service name, enter e.g. "HTTP" and click "Create". A new entry is created in the table.
3. Configure HTTP with the following settings:
   Transportation             TCP
   Destination Port (Range)   80 (standard port)
4. Click on "Set Values".
5. A new entry is created in the table.
6. As the service name, enter e.g. "DNS" and click "Create". A new entry is created in the table.

7. Configure DNS with the following settings:
   Transportation             UDP
   Destination Port (Range)   53 (standard port)
8. Click on "Set Values".

Only allow the IP service for a specific device

1. Click on "Security" > "Firewall" in the navigation area and on the "IP Rules" tab in the content area.
2. Click "Create". A new entry is created in the table.
3. Configure the firewall rule for HTTP with the following settings:
   Action                Accept
   From                  vlan1 (INT)
   To                    ppp0 or usb0
   Source (Range)        192.168.100.10 (the required device)
   Destination (Range)   0.0.0.0/0 (all addresses)
   Service               HTTP
4. Click on "Set Values".
5. Click "Create". A new entry is created in the table.

6. Configure the firewall rule for DNS with the following settings:
   Action                Accept
   From                  vlan1 (INT)
   To                    ppp0 or usb0
   Source (Range)        192.168.100.10 (the required device)
   Destination (Range)   0.0.0.0/0 (all addresses)
   Service               DNS
7. Click on "Set Values".

Allow an internal node access to the Internet

1. Click on "Security" > "Firewall" in the navigation area and on the "IP Rules" tab in the content area.
2. Click "Create". A new entry is created in the table.
3. Configure the firewall rule for HTTP with the following settings:
   Action                Accept
   From                  vlan1 (INT)
   To                    ppp0 or usb0 (depending on the device)
   Source (Range)        0.0.0.0/0 (all addresses)
   Destination (Range)   0.0.0.0/0 (all addresses)
   Service               all
4. Click on "Set Values".
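The following added example (written for this page, not the SCALANCE firewall) evaluates constructed sample packets against the two IP rules for 192.168.100.10 from this section and shows what stateful packet inspection contributes: the reply to an accepted HTTP request is let back in without a rule of its own, while the same request from 192.168.100.20, HTTPS from the allowed host, and an unsolicited inbound connection fall to the default deny. The zone name "ppp0" (the example's "ppp0 or usb0") and the documentation address 198.51.100.7 are assumptions.

```python
"""Stateful check of the firewall rules from section 1.12.

Added illustration, not the SCALANCE firewall: packets are matched against
the "IP Rules" of the example, accepted forward flows are remembered so
that their replies pass, and everything else is dropped as the default
firewall does.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_zone: str   # "vlan1" (internal) or "ppp0" (external, assumed name)
    dst_zone: str
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    sport: int
    dport: int


# "IP Services" tab: name -> (transportation, destination port)
SERVICES = {"HTTP": ("tcp", 80), "DNS": ("udp", 53)}

# "IP Rules" tab: (action, from, to, source range, destination range, service)
RULES = [
    ("Accept", "vlan1", "ppp0", "192.168.100.10/32", "0.0.0.0/0", "HTTP"),
    ("Accept", "vlan1", "ppp0", "192.168.100.10/32", "0.0.0.0/0", "DNS"),
]


class StatefulFirewall:
    def __init__(self, rules, services):
        self.rules = rules
        self.services = services
        self.flows = set()   # accepted forward flows: (src, dst, proto, sport, dport)

    def _rule_matches(self, rule, pkt):
        _action, src_zone, dst_zone, src_net, dst_net, service = rule
        proto, port = self.services[service]
        return (pkt.src_zone == src_zone and pkt.dst_zone == dst_zone
                and ipaddress.ip_address(pkt.src) in ipaddress.ip_network(src_net)
                and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(dst_net)
                and pkt.proto == proto and pkt.dport == port)

    def check(self, pkt):
        """Verdict for one packet; accepted forward flows are recorded."""
        # Opposite direction: allowed only if the forward flow was accepted.
        if (pkt.dst, pkt.src, pkt.proto, pkt.dport, pkt.sport) in self.flows:
            return "Accept (stateful reply)"
        for rule in self.rules:
            if self._rule_matches(rule, pkt):
                self.flows.add((pkt.src, pkt.dst, pkt.proto, pkt.sport, pkt.dport))
                return rule[0]
        return "Drop"   # default: no access between zones


def demo():
    """Run constructed sample packets through the rules, in this order."""
    fw = StatefulFirewall(RULES, SERVICES)
    ext = "198.51.100.7"   # constructed external address (documentation range)
    samples = [
        ("http_request", Packet("vlan1", "ppp0", "192.168.100.10", ext, "tcp", 40001, 80)),
        ("http_reply", Packet("ppp0", "vlan1", ext, "192.168.100.10", "tcp", 80, 40001)),
        ("dns_request", Packet("vlan1", "ppp0", "192.168.100.10", ext, "udp", 5353, 53)),
        ("other_host_http", Packet("vlan1", "ppp0", "192.168.100.20", ext, "tcp", 40002, 80)),
        ("https_from_allowed_host", Packet("vlan1", "ppp0", "192.168.100.10", ext, "tcp", 40003, 443)),
        # looks like a reply but no matching request ever left vlan1
        ("unsolicited_inbound", Packet("ppp0", "vlan1", ext, "192.168.100.10", "tcp", 80, 40009)),
    ]
    return {name: fw.check(pkt) for name, pkt in samples}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:26} {verdict}")
```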

2 SCALANCE M-800 as DHCP server

If you want to use the device to manage the network configuration, you can use the device as a DHCP server. This allows IP addresses to be assigned automatically to the devices connected to the internal network. In this example, both static and dynamic IP address assignments are configured.

Note
DHCP client and DHCP server
The device can either be only a DHCP client or only a DHCP server.

Required devices/components

- 1 x M874, 1 x M812 or M816 (optionally also: a suitably installed standard rail with fittings)
- 1 x 24 V power supply with cable connector and terminal block plug
- 1 x PC with which the SCALANCE M-800 is connected.
- The required network cable, TP cable (twisted pair) complying with the IE FC RJ-45 standard for Industrial Ethernet

Setting used

In the configuration example, the SCALANCE M-800 has the following IP address setting:
IP address:   192.168.100.1
Subnet mask:  255.255.255.0

Requirement

The SCALANCE M-800 can be reached via the admin PC and you are logged in to the WBM as "admin".

Steps in configuration

1. Configuring dynamic IP address assignment (Page 46)
2. Specifying DHCP options (Page 47)
3. Configuring static IP address assignment (Page 49)

2.1 Configuring dynamic IP address assignment

The devices whose MAC address or whose client ID was not specified specifically are assigned a random IP address from a specified address range.

Procedure

1. Click on "System" > "DHCP" in the navigation area and on the "DHCP Server" tab in the content area.
2. Click "Create". A new row with a unique number (pool ID) is created in the table.
3. Enter the network address range in "Subnet". Since the device being used is operating both as a gateway and a DNS relay, the IP address 192.168.100.1 must be in the network address range. In this example the network address 192.168.100.0/24 (= 192.168.100.0 / 255.255.255.0) is used.

4. In "Lower IP Address", enter the IP address 192.168.100.20 that specifies the start of the dynamic address band and that is located within the network address range.
5. In "Upper IP Address", enter the IP address 192.168.100.120 that specifies the end of the dynamic address band and that is located within the network address range.
6. Click on "Set Values".
7. To activate the DHCP server, select "DHCP Server".
8. Enable "Probe address with ICMP echo before offer" to enable the ping function. With this ping, the DHCP server checks whether or not the IP address has already been assigned.
9. To enable the configured DHCP pool, select the check box in the "Enable" column.
10. Click on "Set Values".

Result

The DHCP server can assign up to 100 IP addresses from a set address band. This is only possible if the connected devices are configured so that they obtain the IP address from a DHCP server.

2.2 Specifying DHCP options

Further information can be transferred to the DHCP client using DHCP options. The various DHCP options are defined in RFC 2132. The DHCP options 1, 3, 6, 66 and 67 are created automatically when the IPv4 address band is created. With the exception of option 1, the options can be deleted.

In this example, the following DHCP options are created.

DHCP option   Information contained
1             Netmask: the subnet mask to match the IP address. For this example the subnet mask is 255.255.255.0.
3             Default gateway: IP address of the default gateway. Without this information, the DHCP client is only assigned an IP address by the DHCP server and it can only communicate with the nodes in the internal network.
6             DNS server: IP address of the DNS server. Without this information, the DHCP client is not automatically assigned a DNS server. To allow name resolution, a DNS server must be known to the DHCP client. This can also be configured manually.
66            TFTP server: TFTP Server Address. This informs the DHCP client of the TFTP server to which it will connect.
67            Bootfile Name: the DHCP client uses this file when it boots.

Procedure

1. Click on "System" > "DHCP" in the navigation area and on the "DHCP Options" tab in the content area.
2. Enable "Use Interface IP" for the DHCP options 3 and 6. Click on "Set Values". The IP address of the device is entered automatically as the value.
3. Enter "42" in "Option Code".
4. Click "Create". A new row is created in the table.
5. In "Value", enter the IP address of the NTP server.
6. Click on "Set Values".

Result

The DHCP options are configured. If a DHCP client requests an IP address, in addition to the host IP address, it also receives the information entered in the DHCP options.

See also
Configuring static IP address assignment (Page 49)

2.3 Configuring static IP address assignment

For nodes in permanent operation, static IP address assignment should be preferred, for example for a local NTP server. The IP address of the NTP server is used in the DHCP option. As long as the NTP server can be reached at the same IP address, the DHCP option will work correctly. If the IP address changes, the DHCP option contains incorrect information. For the example, the IP address is assigned to the MAC address of the NTP server. This means that the NTP server always has the same IP address.

In this configuration example, the NTP server can be reached with the following IP address setting:
IP address       Subnet mask
192.168.100.87   255.255.255.0

Requirement

The NTP server obtains the IP address from a DHCP server and identification is based on the MAC address.

Procedure

1. Click on "System" > "DHCP" in the navigation area and on the "Static Leases" tab in the content area.
2. For "Pool ID", select "1".
3. For "Identification Method" select the entry "Ethernet MAC".
4. In "Value", enter the MAC address of the NTP server.
5. Click "Create". A new row is created in the table.
6. In "IP Address", enter the IP address of the NTP server.
7. Click on "Set Values".

Result

The NTP server always has the IP address 192.168.100.87.
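The following added example (written for this page, not SCALANCE firmware) models the three configuration steps of this chapter together: the dynamic band 192.168.100.20 to 192.168.100.120 of section 2.1 including the ICMP probe before an offer, the RFC 2132 encoding of the options from section 2.2 (netmask, gateway and DNS set to the device address, option 42 with the NTP server), and the static lease of section 2.3, which the allocator must exclude from dynamic assignment because 192.168.100.87 lies inside the band. The NTP server's MAC address is a constructed placeholder; the page does not give it.

```python
"""Model of the SCALANCE M-800 DHCP example (sections 2.1 to 2.3).

Added illustration, not device code: a lease allocator for one pool with a
dynamic band and static leases keyed by MAC address, plus an RFC 2132
option encoder/decoder for the options configured in the example.
"""
import ipaddress
import struct

SUBNET = ipaddress.ip_network("192.168.100.0/24")
LOWER = ipaddress.ip_address("192.168.100.20")
UPPER = ipaddress.ip_address("192.168.100.120")
DEVICE_IP = ipaddress.ip_address("192.168.100.1")     # gateway and DNS relay
NTP_SERVER_IP = ipaddress.ip_address("192.168.100.87")
NTP_SERVER_MAC = "00:1b:1b:00:00:01"                   # constructed placeholder


class DhcpPool:
    """One pool ID: a dynamic address band plus static leases keyed by MAC."""

    def __init__(self, subnet, lower, upper, static_leases=None):
        if not (lower in subnet and upper in subnet and lower <= upper):
            raise ValueError("address band must lie inside the subnet")
        self.subnet, self.lower, self.upper = subnet, lower, upper
        self.static = {m.lower(): ip for m, ip in (static_leases or {}).items()}
        for ip in self.static.values():
            if ip not in subnet:
                raise ValueError(f"static lease {ip} is outside {subnet}")
        self.dynamic = {}   # mac -> ip

    def request(self, mac, in_use=lambda ip: False):
        """Address to offer `mac`. `in_use` stands in for "Probe address with
        ICMP echo before offer": True means the address answered a ping and
        is skipped. Returns None when the band is exhausted."""
        mac = mac.lower()
        if mac in self.static:          # static lease wins (section 2.3)
            return self.static[mac]
        if mac in self.dynamic:         # known client keeps its lease
            return self.dynamic[mac]
        taken = set(self.static.values()) | set(self.dynamic.values())
        ip = self.lower
        while ip <= self.upper:
            if ip not in taken and not in_use(ip):
                self.dynamic[mac] = ip
                return ip
            ip += 1
        return None


def encode_option(code, value):
    """One option in RFC 2132 TLV form: code, length, data."""
    if isinstance(value, ipaddress.IPv4Address):
        data = value.packed
    elif isinstance(value, str):
        data = value.encode("ascii")
    else:
        data = bytes(value)
    if not 0 < len(data) < 256:
        raise ValueError("option data must be 1..255 octets")
    return struct.pack("!BB", code, len(data)) + data


def decode_options(blob):
    """Parse a TLV option field back into {code: data}; stops at End (255)."""
    out, i = {}, 0
    while i < len(blob):
        code = blob[i]
        if code == 255:         # End
            break
        if code == 0:           # Pad, no length octet
            i += 1
            continue
        length = blob[i + 1]
        out[code] = blob[i + 2:i + 2 + length]
        i += 2 + length
    return out


def example_options():
    """Options as configured in section 2.2: netmask, gateway and DNS with
    "Use Interface IP", and option 42 carrying the NTP server address."""
    return (encode_option(1, SUBNET.netmask)
            + encode_option(3, DEVICE_IP)
            + encode_option(6, DEVICE_IP)
            + encode_option(42, NTP_SERVER_IP)
            + b"\xff")


def example_pool():
    """Pool 1 of the example with the NTP server's static lease."""
    return DhcpPool(SUBNET, LOWER, UPPER, {NTP_SERVER_MAC: NTP_SERVER_IP})


if __name__ == "__main__":
    pool = example_pool()
    print("first client  ->", pool.request("aa:bb:cc:00:00:01"))
    print("NTP server    ->", pool.request(NTP_SERVER_MAC))
    print("options (hex) ->", example_options().hex())
    print("decoded       ->", {c: v.hex() for c, v in decode_options(example_options()).items()})
```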

3

3.1 VPN tunnel between SCALANCE M-800 and S612

3.1.1 Procedure in principle

In these examples, a secure VPN tunnel is configured between a SCALANCE M-800 and a SCALANCE S.
- Example 1: Secure VPN tunnel with pre-shared keys (PSK)
- Example 2: Secure VPN tunnel with certificates

Structure

Internal network 1 - connection to SCALANCE M-800

In the test setup, in the internal network, a network node is implemented by an Admin PC connected to an Ethernet interface of the SCALANCE M-800.
- Admin PC: Represents a node in the internal network
- M-800: SCALANCE M module for protection of the internal network

Connection to the external, public network:
- Wireless via the antenna of the M874 to the mobile wireless network.
- Wired via the RJ-45 jack of the M81x to ADSL.

Internal network 2 - attachment to an internal port of the SCALANCE S

In the test setup, in the internal network, each network node is implemented by one PC connected to the internal port of the security module.
- PC: Represents a node in the internal network
- S612: Security module for protection of the internal network

Connection to the external, public network via DSL router

Access to the Internet is via a DSL modem or a DSL router connected to the external port of the security module.

Required devices/components

Use the following components for setup:

Connection to the mobile wireless network
- 1 x M874 (additional option: a suitably installed standard rail with fittings)
- 1 x 24 V power supply with cable connector and terminal block plug
- 1 x suitable antenna
- 1 x SIM card of your mobile wireless provider. Suitable services are enabled, e.g. Internet.

Connecting to ADSL
- 1 x M812 or 1 x M816 (optionally also: a suitably installed standard rail with fittings)
- 1 x 24 V power supply with cable connector and terminal block plug
- ADSL access is enabled

- 1 x SCALANCE S612 (additional option: a suitably installed DIN rail with fittings)
- 1 x 24 V power supply with cable connector and terminal block plug
- 1 x PC with which the SCALANCE M-800 is connected.
- 1 x PC with which the SCALANCE S612 is connected and on which the "Security Configuration Tool" is installed.
- 1 x DSL modem or DSL router
- The required network cable, TP cable (twisted pair) complying with the IE FC RJ-45 standard for Industrial Ethernet

3.1 VPN tunnel between SCALANCE M-800 and S612 Settings used For the configuration example, the devices are given the following IP address settings Internal address Internal network 1 M-800 192.168.100.1 255.255.255.0 Admin PC 192.168.100.20 255.255.255.0 Internal network 2 DSL router 192.168.184.254 255.255.255.0 S612 Internal port 192.168.11.2 255.255.255.0 PC 192.168.11.100 255.255.255.0 External address Fixed IP address, e.g. 90.90.90.90 Provider dependent As an alternative, the DDNS hostname can also be used. Fixed IP address (WAN IP address), e.g. 91.19.6.84 External port 192.168.184.2 255.255.255.0 Requirement SCALANCE S612 is connected to the Internet via the DSL router. On the DSL router, the PORT forwarding must be set so that the UDP packets from the Internet addressed to ports 500 and 4500 of the router are sent to ports 500 and 4500 of the connected SCALANCE S612 (passive module). The SCALANCE M-800 is connected to the WAN, refer to "Connecting SCALANCE M- 800 to the WAN (Page 11)". The SCALANCE M-800 can be reached via the Admin PC and you are logged in to the WBM as "admin". Steps in configuration Example 1: Secure VPN tunnel with PSK Configuring a VPN tunnel with the SCT V3.x 1. Creating the project and modules (Page 55) 2. Configuring a tunnel connection (Page 57) 3. Configuring the properties of the S612 (Page 59) 4. Downloading the configuration to the S612 and saving the M-800 configuration (Page 60) Configuring a VPN tunnel with the SCT V4.x 1. Creating the project and modules (Page 62) 2. Configuring a tunnel connection (Page 65) 3. Configuring the properties of the S612 (Page 66) 4. Downloading the configuration to the S612 and saving the M-800 configuration (Page 67) Getting Started, 02/2018, C79000-G8976-C337-06 53

3.1 VPN tunnel between SCALANCE M-800 and S612 Configuring the SCALANCE M-800 1. Activating VPN (Page 68) 2. Configuring the VPN remote end (Page 68) 3. Configuring a VPN connection (Page 69) 4. Configuring VPN authentication (Page 71) 5. Configuring phase 1 and phase 2 (Page 71) 6. Establishing the VPN connection (Page 73) Example 2: Secure VPN tunnel with certificates Configuring a VPN tunnel with the SCT V3.x 1. Creating the project and modules (Page 74) 2. Configuring a tunnel connection (Page 76) 3. Configuring the properties of the S612 (Page 78) 4. Downloading the configuration to the S612 and saving the M-800 configuration (Page 79) Configuring a VPN tunnel with the SCT V4.x 1. Creating the project and modules (Page 81) 2. Configuring a tunnel connection (Page 84) 3. Configuring the properties of the S612 (Page 85) 4. Downloading the configuration to the S612 and saving the M-800 configuration (Page 86) Configuring the SCALANCE M-800 1. Loading a certificate (Page 87) 2. Activating VPN (Page 93) 3. Configuring the VPN remote end (Page 89) 4. Configuring a VPN connection (Page 90) 5. Configuring VPN authentication (Page 91) 6. Configuring phase 1 and phase 2 (Page 92) 7. Establishing the VPN connection (Page 94) 54 Getting Started, 02/2018, C79000-G8976-C337-06

3.1.2 Secure VPN tunnel with PSK

3.1.2.1 Configuring a VPN tunnel with the SCT V3.x

Creating the project and modules

Procedure
1. Start the Security Configuration Tool V3.x on the PC.
2. Select the menu command "Project" > "New".
3. In the dialog that follows, create a new user with a user name and the corresponding password. The "administrator" role is assigned to the user automatically.
4. Confirm the dialog with "OK". A new project has been created and the "Selection of a module or software configuration" dialog is open.
5. Enter the values assigned to the S612 from the "Settings used (Page 51)" table. In addition, enter the MAC address printed on the front of the security module.
6. Close the dialog with "OK".
7. Generate a second module with the "Insert" > "Module" menu command.
8. Enter the values assigned to the M-800 from the "Settings used (Page 51)" table.
9. Close the dialog with "OK".

Result
The security module S612 and the SCALANCE M-800 are then displayed in the list of configured modules.

Configuring a tunnel connection
A VPN tunnel for secure communication can only be established if the SCALANCE M-800 and the S612 are assigned to the same VPN group.

Procedure
1. Select "VPN groups" in the navigation area and create a new group with the menu command "Insert" > "Group". The group is automatically given the name "Group1".
2. Select the "All modules" entry in the navigation area.
3. Select the M-800 and the S612 in the content area. Drag the modules to "Group1". Both modules are now assigned to "Group1".
4. Change to advanced mode with the menu command "View" > "Advanced mode".
5. Open the group properties of Group1 by selecting the "Properties..." shortcut menu.
6. For this configuration example, configure the group properties with the following settings. If you use different parameter settings, it is possible that the two tunnel partners will not be able to set up a VPN connection between them.

Result
The configuration of the tunnel connection is complete.

Configuring the properties of the S612
Since the S612 is connected to the Internet via a DSL router, the properties of the S612 must be configured accordingly.

Procedure
1. Select the "S612" in the content area.
2. Select the menu command "Edit" > "Properties". Click the "Routing" tab.
3. For "Default router", enter the internal IP address of the default router "192.168.184.254". Click "Apply".
4. Click the "VPN" tab.
5. For "Permission to initiate connection establishment", select the "Wait for partner (responder)" entry.
6. Enter the WAN IP address of the DSL router, e.g. 91.19.6.84.
7. Click "Apply" and close the dialog with "OK".
8. Select the "Project" > "Save" menu command. Save the security project under the required name.

Result
The security project is configured. The settings are saved in the configuration file.

Downloading the configuration to the S612 and saving the M-800 configuration

Downloading the configuration to the S612
1. In the content area, select the "S612" security module and select the menu command "Transfer" > "To module(s)". The following dialog opens.
2. Click the "Start" button to start the download. If the download was completed free of errors, the security module is restarted automatically and the new configuration is activated.

Saving the SCALANCE M-800 configuration
1. In the content area, select the "M-800" and select the menu command "Transfer" > "To module(s)".
2. Save the configuration file "Projectname.M-800.txt" in your project directory.

Result
The following file will be saved in the project directory:
Configuration file: projectname.m-800.txt

The configuration file contains the exported configuration information for the SCALANCE M-800. The following table pairs each entry of the configuration file with the corresponding setting in the WBM ("--" means there is no WBM counterpart).

Configuration file / Settings in WBM

IPsec VPN > Connections > VPN Standard Mode - Edit Settings
  Address of the remote site's VPN gateway: 91.19.6.84
    WBM: Security > IPsec VPN > Remote End > Remote Mode: Standard
    WBM: Security > IPsec VPN > Remote End > Remote Address: 91.19.6.84/32
  Authentication method: Pre Shared Key
    WBM: Security > IPsec VPN > Authentication > Authentication: PSK
  Pre Shared Key: 12345678
    WBM: Security > IPsec VPN > Authentication > PSK and PSK Confirmation: 12345678
  Remote ID: U28098881@GEA32
    WBM: Security > IPsec VPN > Authentication > Remote ID: not required. The external IP address of the S612 is entered in the WBM; in this example, this is 192.168.184.2.
  Local ID: U269159D5@GEA32
    WBM: Security > IPsec VPN > Authentication > Local ID: not required. The entry remains empty in the WBM.
  Remote net address: 192.168.184.0
  Remote subnet mask: 255.255.255.0
    WBM: Security > IPsec VPN > Remote End > Remote Subnet: 192.168.184.0/24
  Local net address: 192.168.100.0
  Local subnet mask: 255.255.255.0
    WBM: Security > IPsec VPN > Connections > Local Subnet: 192.168.100.0/24

IPsec VPN > Connections > Edit IKE
    WBM: Security > IPsec VPN > Connections > Keying Protocol: IKEv1
  Phase 1 - ISAKMP SA
    WBM: --
  ISAKMP-SA encryption: 3DES-168
    WBM: Security > IPsec VPN > Phase 1 > Encryption: 3DES
  ISAKMP-SA hash: SHA-1
    WBM: Security > IPsec VPN > Phase 1 > Authentication: SHA-1
  ISAKMP-SA mode: Main mode
    WBM: --
  ISAKMP-SA lifetime (seconds): 86400
    WBM: Security > IPsec VPN > Phase 1 > Lifetime [min]: 1440. The value is specified in seconds in the text file; in the WBM, the value must be entered in minutes.
  Phase 2 - IPsec SA
    WBM: --
  IPsec SA encryption: 3DES-168
    WBM: Security > IPsec VPN > Phase 2 > Encryption: 3DES
  IPsec SA hash: SHA-1
    WBM: Security > IPsec VPN > Phase 2 > Authentication: SHA-1
  IPsec SA lifetime (seconds): 86400
    WBM: Security > IPsec VPN > Phase 2 > Life Time [min]: 1440. The value is specified in seconds in the text file; in the WBM, the value must be entered in minutes.
  Perfect Forward Secrecy (PFS): No
    WBM: --
  DH/PFS group: DH-2 1024
    WBM: Security > IPsec VPN > Phase 1 > Key Derivation: DH group 2
    WBM: Security > IPsec VPN > Phase 2 > Key Derivation: DH group 2
  NAT-T: On
    WBM: --
  DPD delay (seconds): 150
    WBM: --
  DPD timeout (seconds): 60
    WBM: Security > IPsec VPN > Phase 1 > DPD Timeout [sec]: 60
  DPD maximum failures: 5
    WBM: --
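The mapping in the table above (seconds to minutes, address plus mask to CIDR, export cipher names to WBM names) is mechanical and easy to get wrong by hand. The following added example, which is not part of the Siemens documentation or firmware, performs it from a constructed export text written in the "Key: value" style the table shows, and reports any Phase 1/Phase 2 field where the values typed into the WBM differ from the export, which is the mismatch that prevents the two partners from agreeing on a tunnel. The export format and the field names are assumptions taken from this page; it also maps the certificate variant's "X.509 remote certificate" authentication method.

```python
# Added example (not Siemens code): map an SCT export to the M-800 WBM fields.
import ipaddress
import re

# Constructed sample (values from this page's PSK table); section headings carry no colon.
SAMPLE_EXPORT = """\
IPsec VPN > Connections > VPN Standard Mode - Edit Settings
Address of the remote site's VPN gateway: 91.19.6.84
Authentication method: Pre Shared Key
Pre Shared Key: 12345678
Remote net address: 192.168.184.0
Remote subnet mask: 255.255.255.0
Local net address: 192.168.100.0
Local subnet mask: 255.255.255.0
IPsec VPN > Connections > Edit IKE
ISAKMP-SA encryption: 3DES-168
ISAKMP-SA hash: SHA-1
ISAKMP-SA mode: Main mode
ISAKMP-SA lifetime (seconds): 86400
IPsec SA encryption: 3DES-168
IPsec SA hash: SHA-1
IPsec SA lifetime (seconds): 86400
Perfect Forward Secrecy (PFS): No
DH/PFS group: DH-2 1024
NAT-T: On
DPD delay (seconds): 150
DPD timeout (seconds): 60
DPD maximum failures: 5
"""

# Spelling used in the export -> spelling used by the WBM drop-downs (from the page's table).
CIPHER_NAME = {"3DES-168": "3DES", "SHA-1": "SHA1"}
AUTH_METHOD = {"Pre Shared Key": "PSK", "X.509 remote certificate": "Remote Cert"}

def parse_export(text):
    """Return {key: value} from 'Key: value' lines; lines without a colon are skipped."""
    settings = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip():
            settings[key.strip()] = value.strip()
    return settings

def to_cidr(address, mask):
    """'192.168.184.0' + '255.255.255.0' -> '192.168.184.0/24'; host bits set raise ValueError."""
    return str(ipaddress.ip_network(f"{address}/{mask}", strict=True))

def seconds_to_minutes(value):
    """SA lifetimes are given in seconds in the export but entered in minutes in the WBM."""
    seconds = int(value)
    if seconds <= 0 or seconds % 60:
        raise ValueError(f"lifetime {seconds}s is not a whole number of minutes")
    return seconds // 60

def dh_group(value):
    """'DH-2 1024' -> 'DH group 2' (the WBM names the group, not the modulus size)."""
    match = re.match(r"DH-(\d+)", value)
    if match is None:
        raise ValueError(f"unrecognised DH/PFS group: {value!r}")
    return f"DH group {match.group(1)}"

def wbm_settings(export):
    """Map the parsed export onto the WBM fields, named 'Tab > Field' as on the page."""
    gateway = export["Address of the remote site's VPN gateway"]
    group = dh_group(export["DH/PFS group"])
    return {
        "Remote End > Remote Address": to_cidr(gateway, "255.255.255.255"),  # single host, /32
        "Remote End > Remote Subnet": to_cidr(export["Remote net address"], export["Remote subnet mask"]),
        "Connections > Local Subnet": to_cidr(export["Local net address"], export["Local subnet mask"]),
        "Connections > Keying Protocol": "IKEv1",  # the export's phase 1 is an ISAKMP SA
        "Authentication > Authentication": AUTH_METHOD[export["Authentication method"]],
        "Phase 1 > Encryption": CIPHER_NAME[export["ISAKMP-SA encryption"]],
        "Phase 1 > Authentication": CIPHER_NAME[export["ISAKMP-SA hash"]],
        "Phase 1 > Key Derivation": group,
        "Phase 1 > Lifetime [min]": seconds_to_minutes(export["ISAKMP-SA lifetime (seconds)"]),
        "Phase 1 > Aggressive Mode": export["ISAKMP-SA mode"] != "Main mode",
        "Phase 1 > DPD Timeout [sec]": int(export["DPD timeout (seconds)"]),
        "Phase 2 > Encryption": CIPHER_NAME[export["IPsec SA encryption"]],
        "Phase 2 > Authentication": CIPHER_NAME[export["IPsec SA hash"]],
        "Phase 2 > Key Derivation": group,
        "Phase 2 > Lifetime [min]": seconds_to_minutes(export["IPsec SA lifetime (seconds)"]),
    }

def phase_mismatches(expected, entered):
    """Phase 1/2 fields where the WBM entry differs from the export; with any of these the
    two tunnel partners propose different parameters and the tunnel is not established."""
    return sorted(key for key, value in expected.items()
                  if key.startswith("Phase") and entered.get(key) != value)

if __name__ == "__main__":
    derived = wbm_settings(parse_export(SAMPLE_EXPORT))
    for field, value in derived.items():
        print(f"Security > IPsec VPN > {field}: {value}")
    # Constructed slip: the 86400 s lifetime copied unchanged into the [min] field.
    entered = dict(derived, **{"Phase 2 > Lifetime [min]": 86400})
    print("mismatched fields:", phase_mismatches(derived, entered))
```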

3.1.2.2 Configuring a VPN tunnel with the SCT V4.x

Creating the project and modules

Procedure
1. Start the Security Configuration Tool V4.x on the PC.
2. Select the menu command "Project" > "New".
3. In the dialog that follows, create a new user with a user name and the corresponding password. The "administrator" role is assigned to the user automatically.
4. Confirm the dialog with "OK". A new project has been created and the "Selection of a module or software configuration" dialog is open.
5. Enter the values assigned to the S612 from the "Settings used (Page 51)" table. In addition, enter the MAC address printed on the front of the security module.
6. Close the dialog with "OK".
7. Generate a second module with the "Insert" > "Module" menu command.
8. Enter the values assigned to the M-800 from the "Settings used (Page 51)" table.
9. Close the dialog with "OK".

Result
The security module S612 and the SCALANCE M-800 are then displayed in the list of configured modules.

Configuring a tunnel connection
A VPN tunnel for secure communication can only be established if the M-800 and the S612 are assigned to the same VPN group.

Procedure
1. Select "VPN groups" in the navigation area and create a new group with the menu command "Insert" > "Group". The group is automatically given the name "Group1".
2. Select the "All modules" entry in the navigation panel.
3. Select the SCALANCE M-800 and the S612 in the content area. Drag the modules to "Group1". Both modules are now assigned to "Group1".
4. Change to advanced mode with the menu command "View" > "Advanced mode".
5. Open the group properties of Group1 by selecting the "Properties..." shortcut menu.
6. For this configuration example, configure the group properties with the following settings. If you use different parameter settings, it is possible that the two tunnel partners will not be able to set up a VPN connection between them.

Result
The configuration of the tunnel connection is complete.

Configuring the properties of the S612
Since the S612 is connected to the Internet via a DSL router, the properties of the S612 must be configured accordingly.

Procedure
1. Select the "S612" in the content area.
2. Select the menu command "Edit" > "Properties". Click the "Routing" tab.
3. For "Default router", enter the internal IP address of the default router "192.168.184.254". Click "Apply".
4. Click the "VPN" tab.
5. For "Permission to initiate connection establishment", select the "Wait for partner (responder)" entry.
6. Enter the WAN IP address of the DSL router, e.g. 91.19.6.84.
7. Click "Apply" and close the dialog with "OK".
8. Select the menu command "Project" > "Save". Save the security project under the required name.

Result
The security project is configured. The settings are saved in the configuration file.

Downloading the configuration to the S612 and saving the M-800 configuration

Downloading the configuration to the S612
1. In the content area, select the "S612" security module and select the menu command "Transfer" > "To module(s)". The following dialog opens.
2. Click the "Start" button to start the download. If the download was completed free of errors, the security module is restarted automatically and the new configuration is activated.

Saving the SCALANCE M-800 configuration
1. In the content area, select the SCALANCE M-800 and select the menu command "Transfer" > "To module(s)".
2. Save the configuration file "Projectname.M-800.txt" in your project directory.

Result
The following file will be saved in the project directory:
Configuration file: projectname.m-800.txt

The configuration file contains the exported configuration information for the SCALANCE M-800. Follow the instructions in the configuration file.

3.1.2.3 Configuring SCALANCE M-800

Activating VPN

Procedure
1. Click on "Security" > "IPsec VPN" in the navigation area and on the "General" tab in the content area.
2. Enable the "IPsec VPN" setting.
3. Click on "Set Values".

Configuring the VPN remote end

M81x in the master station: Configuring the VPN remote end
1. Click on "Security" > "IPsec VPN" in the navigation area and on the "Remote End" tab in the content area.
2. Enter the name of the VPN partner (tunnel endpoint) in "Remote End Name", e.g. S612.
3. Click "Create". A new row is created in the table.
4. Configure the VPN remote end with the following settings from the configuration file:
   - Remote Mode: Standard
   - Remote Type: Manual
   - Remote Address: 91.19.6.84/32 (WAN IP address of the DSL router)
   - Remote Subnet: 192.168.11.0/24
5. Click on "Set Values".

Configuring a VPN connection

Requirement
The VPN remote end has been created.

Procedure
1. Click on "Security" > "IPsec VPN" in the navigation area and on the "Connections" tab in the content area.
2. In "Connection Name" enter a name for the VPN connection.
3. Click "Create". A new row is created in the table.
4. Configure the VPN connection with the following settings:
   - Operation: Disabled
   - Keying Protocol: IKEv1
   - Remote End: S612 (name of the VPN remote station)
   - Local Subnet: 192.168.100.0/24 (the local subnet 1 in CIDR notation)
5. Click on "Set Values".

Configuring VPN authentication

Procedure
1. Click on "Security" > "IPsec VPN" in the navigation area and on the "Authentication" tab in the content area.
2. Configure the VPN authentication with the following settings:
   - Authentication: PSK
   - Local ID: no entry necessary
   - Remote ID: external IP address of the S612, e.g. 162.168.184.2
   - PSK / PSK Confirmation: 12345678 (the key that you configured in the SCT)
3. Click on "Set Values".

Configuring phase 1 and phase 2

Configuring phase 1
1. Click on "Security" > "IPsec VPN" in the navigation area and on the "Phase 1" tab in the content area.
2. Deselect the "Default Ciphers" check box.
3. Select the "DPD" check box.
4. Configure phase 1 with the following settings from the configuration file:
   - Encryption: 3DES
   - Authentication: SHA1
   - Key Derivation: DH group 2
   - Lifetime [min]: 1440
   - DPD Period [sec]: 60
   - Aggressive Mode: no
5. Click on "Set Values".

Configuring phase 2
1. Click the "Phase 2" tab.
2. Deselect the "Default Ciphers" check box.
3. Configure phase 2 with the following settings from the configuration file:
   - Encryption: 3DES
   - Authentication: SHA1
   - Key Derivation (PFS): DH group 2
   - Lifetime [min]: 1440
4. Click on "Set Values".

Establishing the VPN connection

Procedure
1. Click on "Security" > "IPsec VPN" in the navigation area and on the "Connections" tab in the content area.
2. As "Operation", select "Start" and click "Set Values".

Result
The M-800 establishes the VPN tunnel to the S612. Once the VPN tunnel is established, the LED on the device is lit green. You will find more detailed information in "Information" > "IPsec VPN". In the online view of the SCT, you can see the communications status on the S612.

3.1.3 Secure VPN tunnel with certificates

3.1.3.1 Configuring a VPN tunnel with the SCT V3.x

Creating the project and modules

Procedure
1. Start the Security Configuration Tool V3.x on the PC.
2. Select the menu command "Project" > "New".
3. In the dialog that follows, create a new user with a user name and the corresponding password. The "administrator" role is assigned to the user automatically.
4. Confirm the dialog with "OK". A new project has been created and the "Selection of a module or software configuration" dialog is open.
5. Enter the values assigned to the S612 from the "Settings used (Page 51)" table. In addition, enter the MAC address printed on the front of the security module.
6. Close the dialog with "OK".
7. Generate a second module with the "Insert" > "Module" menu command.
8. Enter the values assigned to the M-800 from the "Settings used (Page 51)" table.
9. Close the dialog with "OK".

Result
The security module S612 and the SCALANCE M-800 are then displayed in the list of configured modules.

Configuring a tunnel connection
A VPN tunnel for secure communication can only be established if the SCALANCE M-800 and the S612 are assigned to the same group.

Procedure
1. Select "VPN groups" in the navigation area and create a new group with the menu command "Insert" > "Group". The group is automatically given the name "Group1".
2. Select the "All modules" entry in the navigation area.
3. Select the SCALANCE M-800 and the S612 in the content area. Drag the modules to "Group1". Both modules are now assigned to "Group1".
4. Change to advanced mode with the menu command "View" > "Advanced mode".
5. Open the group properties of Group1 by selecting the "Properties..." shortcut menu.
6. For this configuration example, configure the group properties with the following settings. If you use different parameter settings, it is possible that the two tunnel partners will not be able to set up a VPN connection between them.

Result
The configuration of the tunnel connection is complete.

Configuring the properties of the S612
Since the S612 is connected to the Internet via a DSL router, the properties of the S612 must be configured accordingly.

Procedure
1. Select the "S612" in the content area.
2. Select the menu command "Edit" > "Properties". Click the "Routing" tab.
3. For "Default router", enter the internal IP address of the default router "192.168.184.254". Click "Apply".
4. Click the "VPN" tab.
5. For "Permission to initiate connection establishment", select the "Wait for partner (responder)" entry.
6. Enter the WAN IP address of the DSL router, e.g. 91.19.6.84.
7. Click "Apply" and close the dialog with "OK".
8. Select the "Project" > "Save" menu command. Save the security project under the required name.

Result
The security project is configured. The settings are saved in the configuration file.

Downloading the configuration to the S612 and saving the M-800 configuration

Downloading the configuration to the S612
1. In the content area, select the "S612" security module and select the menu command "Transfer" > "To module(s)". The following dialog opens.
2. Click the "Start" button to start the download. If the download was completed free of errors, the security module is restarted automatically and the new configuration is activated.

Saving the SCALANCE M-800 configuration
1. In the content area, select the "M-800" and select the menu command "Transfer" > "To module(s)".
2. Save the configuration file "Projectname.M-800.txt" in your project folder and assign a password for the private key of the certificate, e.g. Di1S+Xo?.

Result
The following files will be saved in the project directory:
- Configuration file: projectname.m-800.txt
- PKCS12 file: projectname.string.m-800.p12
- Remote certificate: Projectname.group1.S612.cer

The configuration file contains the exported configuration information for the SCALANCE M-800, including information on the additionally generated certificates. The following table pairs each entry of the configuration file with the corresponding setting in the WBM ("--" means there is no WBM counterpart).

Configuration file / Settings in WBM

IPsec VPN > Certificates
  Upload Remote Site Certificate: Configuration-1.group1.S612.cer
  Upload PKCS12 File (.p12): Configuration-1.U800CB3FF@G471C.M-800.p12
    WBM: System > Load&Save > HTTP > X509Cert: Download

IPsec VPN > Connections > VPN Standard Mode - Edit Settings
  Address of the remote site's VPN gateway: 91.19.6.84
    WBM: Security > IPsec VPN > Remote End > Remote Mode: Standard
    WBM: Security > IPsec VPN > Remote End > Remote Address: 91.19.6.84/32
  Authentication method: X.509 remote certificate
    WBM: Security > IPsec VPN > Authentication > Authentication: Remote Cert
  Remote Certificate: Configuration-1.group1.S612.cer
    WBM: Security > IPsec VPN > Authentication > Remote Certificate: Configuration-1.group1.CP.cer
  Remote ID: U5A634732@GC4D8
    WBM: Security > IPsec VPN > Authentication > Remote ID: U5A634732@GC4D8
  Remote net address: 192.168.184.0
  Remote subnet mask: 255.255.255.0
    WBM: Security > IPsec VPN > Remote End > Remote Subnet: 192.168.184.0/24
  Local net address: 192.168.100.0
  Local subnet mask: 255.255.255.0
    WBM: Security > IPsec VPN > Connections > Local Subnet: 192.168.100.0/24

IPsec VPN > Connections > Edit IKE
    WBM: Security > IPsec VPN > Connections > Keying Protocol: IKEv1
  Phase 1 - ISAKMP SA
    WBM: --
  ISAKMP-SA encryption: 3DES-168
    WBM: Security > IPsec VPN > Phase 1 > Encryption: 3DES
  ISAKMP-SA hash: SHA-1
    WBM: Security > IPsec VPN > Phase 1 > Authentication: SHA-1
  ISAKMP-SA mode: Main mode
    WBM: --
  ISAKMP-SA lifetime (seconds): 86400
    WBM: Security > IPsec VPN > Phase 1 > Lifetime [min]: 1440. The value is specified in seconds in the text file; in the WBM, the value must be entered in minutes.
  Phase 2 - IPsec SA
    WBM: --
  IPsec SA encryption: 3DES-168
    WBM: Security > IPsec VPN > Phase 2 > Encryption: 3DES
  IPsec SA hash: SHA-1
    WBM: Security > IPsec VPN > Phase 2 > Authentication: SHA-1
  IPsec SA lifetime (seconds): 86400
    WBM: Security > IPsec VPN > Phase 2 > Lifetime [min]: 1440. The value is specified in seconds in the text file; in the WBM, the value must be entered in minutes.
  Perfect Forward Secrecy (PFS): No
    WBM: --
  DH/PFS group: DH-2 1024
    WBM: Security > IPsec VPN > Phase 1 > Key Derivation: DH group 2
    WBM: Security > IPsec VPN > Phase 2 > Key Derivation: DH group 2
  NAT-T: On
    WBM: --
  DPD delay (seconds): 150
    WBM: --
  DPD timeout (seconds): 60
    WBM: Security > IPsec VPN > Phase 1 > DPD Timeout [sec]: 60
  DPD maximum failures: 5
    WBM: --

3.1.3.2 Configuring a VPN tunnel with the SCT V4.x

Creating the project and modules

Procedure
1. Start the Security Configuration Tool V4.x on the PC.
2. Select the menu command "Project" > "New".
3. In the dialog that follows, create a new user with a user name and the corresponding password. The "administrator" role is assigned to the user automatically.
4. Confirm the dialog with "OK". A new project has been created and the "Selection of a module or software configuration" dialog is open.

5. Enter the values assigned to the S612 from the "Settings used (Page 51)" table. In addition, enter the MAC address printed on the front of the security module.
6. Close the dialog with "OK".
7. Generate a second module with the "Insert" > "Module" menu command.
8. Enter the values assigned to the M-800 from the "Settings used (Page 51)" table.
9. Close the dialog with "OK".

Result
The security module S612 and the SCALANCE M-800 are then displayed in the list of configured modules.

Configuring a tunnel connection
A VPN tunnel for secure communication can only be established if the SCALANCE M and the S612 are assigned to the same group.

Procedure
1. Select "VPN groups" in the navigation area and create a new group with the menu command "Insert" > "Group". The group is automatically given the name "Group1".
2. Select the "All modules" entry in the navigation area.
3. Select the SCALANCE M and the S612 in the content area. Drag the modules to "Group1". Both modules are now assigned to "Group1".
4. Change to advanced mode with the menu command "View" > "Advanced mode".
5. Open the group properties of Group1 by selecting the "Properties..." shortcut menu.
6. For this configuration example, configure the group properties with the following settings. If you use different parameter settings, it is possible that the two tunnel partners will not be able to set up a VPN connection between them.

Result
The configuration of the tunnel connection is complete.

Configuring the properties of the S612
Since the S612 is connected to the Internet via a DSL router, the properties of the S612 must be configured accordingly.

Procedure
1. Select the "S612" in the content area.
2. Select the menu command "Edit" > "Properties". Click the "Routing" tab.
3. For "Default router", enter the internal IP address of the default router "192.168.184.254". Click "Apply".
4. Click the "VPN" tab.
5. For "Permission to initiate connection establishment", select the "Wait for partner (responder)" entry.
6. Enter the WAN IP address of the DSL router, e.g. 91.19.6.84.
7. Click "Apply" and close the dialog with "OK".
8. Select the menu command "Project" > "Save". Save the security project under the required name.

Result
The security project is configured. The settings are saved in the configuration file.

Downloading the configuration to the S612 and saving the M-800 configuration

Downloading the configuration to the S612
1. In the content area, select the "S612" security module and select the menu command "Transfer" > "To module(s)". The following dialog opens.
2. Click the "Start" button to start the download. If the download was completed free of errors, the security module is restarted automatically and the new configuration is activated.

Saving the SCALANCE M-800 configuration
1. In the content area, select the "M-800" and select the menu command "Transfer" > "To module(s)".
2. Save the configuration file "Projectname.M-800.txt" in your project folder and assign a password for the private key of the certificate, e.g. Di1S+Xo?.

Result
The following files will be saved in the project directory:
- Configuration file: projectname.m-800.txt
- PKCS12 file: projectname.string.m-800.p12
- Remote certificate: Projectname.group1.S612.cer

The configuration file contains the exported configuration information for the SCALANCE M-800, including information on the additionally generated certificates. Follow the instructions in the configuration file.

3.1.3.3 Configuring SCALANCE M-800

Loading a certificate

Requirement
- The correct time is set on the SCALANCE M-800, refer to the section Setting the time (Page 27).
- Certificates are available. You saved the required certificates on the PC in the last section and assigned a password for the private key. Transfer the certificates for the SCALANCE M-800 to the Admin PC.

Procedure
1. Click on "System" > "Load&Save" in the navigation area and on the "Passwords" tab in the content area.
2. In the line "X509Cert", enter the password that you specified for the PKCS12 file in "Password" and "Password confirmation".
3. Enable the password.

3.1 VPN tunnel between SCALANCE M-800 and S612 4. Click on "Set Values". 5. Click on the "HTTP" tab in the content area. 6. For "X509Cert" click the "Loading" button. The dialog for loading a file is opened. Navigate to the remote certificate. 88 Getting Started, 02/2018, C79000-G8976-C337-06

3.1 VPN tunnel between SCALANCE M-800 and S612 7. Click the "Open" button in the dialog. The file is now loaded on the device. After loading successfully, confirm the next dialog with "OK". 8. Repeat steps 5 and 6 for the PKCS12 file. Result Certificates are loaded and are displayed in "Security" > "Certificates". The loaded certificates must have the status "Valid". Configuring the VPN remote end M81x in the master station: Configuring the VPN remote end 1. Click on "Security" > "IPsec VPN" in the navigation area and on the "Remote End" tab in the content area. 2. Enter the name of the VPN partner (tunnel endpoint) in "Remote End Name", e.g. S612. 3. Click "Create". A new row is created in the table. Getting Started, 02/2018, C79000-G8976-C337-06 89

3.1 VPN tunnel between SCALANCE M-800 and S612 4. Configure the VPN remote end with the following settings from the configuration file: Remote Mode Standard Remote Type Manual Remote Address 91.19.6.84/32 WAN IP address of the DSL router Remote Subnet 192.168.11.0/24 5. Click on "Set Values". Configuring a VPN connection Requirement The VPN remote end has been created. Procedure 1. Click on "Security" > "IPsec VPN" in the navigation area and on the "Connections" tab in the content area. 2. In "Connection Name" enter a name for the VPN connection. 3. Click "Create". A new row is created in the table. 90 Getting Started, 02/2018, C79000-G8976-C337-06

3.1 VPN tunnel between SCALANCE M-800 and S612 4. Configure the VPN connection with the following settings: Operation Disabled Keying Protocol IKEv1 Remote End S612 Name of the VPN remote station Local Subnet 192.168.100.0/24 The local subnet 1 in CIDR notation. 5. Click on "Set Values". Configuring VPN authentication M81x in the master station: Configuring VPN authentication 1. Click on "Security" > "IPsec VPN" in the navigation area and on the "Authentication" tab in the content area. 2. Configure the VPN authentication with the following settings from the configuration file: Authentication Local certificate Remote Certificate Remote ID Remote Cert projectname.string.m-800.p12 Projectname.group1.S612.cer Remote ID from the configuration file 3. Click on "Set Values". Getting Started, 02/2018, C79000-G8976-C337-06 91

Configuring phase 1 and phase 2
Configuring phase 1
1. Click on "Security" > "IPsec VPN" in the navigation area and on the "Phase 1" tab in the content area.
2. Deselect the "Default Ciphers" check box.
3. Select the "DPD" check box.
4. Configure phase 1 with the following settings from the configuration file:
   Encryption: 3DES
   Authentication: SHA1
   Key Derivation: DH group 2
   Lifetime [min]: 1440
   DPD Period [sec]: 60
   Aggressive Mode: no
5. Click on "Set Values".

Configuring phase 2
1. Click the "Phase 2" tab.
2. Deselect the "Default Ciphers" check box.

3. Configure phase 2 with the following settings from the configuration file:
   Encryption: 3DES
   Authentication: SHA1
   Key Derivation (PFS): DH group 2
   Lifetime [min]: 1440
4. Click on "Set Values".

Activating VPN
Procedure
1. Click on "Security" > "IPsec VPN" in the navigation area and on the "General" tab in the content area.
2. Enable the "IPsec VPN" setting.
3. Click on "Set Values".

Establishing the VPN connection
Procedure
1. Click on "Security" > "IPsec VPN" in the navigation area and on the "Connections" tab in the content area.
2. As "Operation", select "Start" and click "Set Values".

Result
The SCALANCE M-800 establishes the VPN tunnel to the S612. If the VPN tunnel is established, the LED is lit green on the device. You will find more detailed information in "Information" > "IPsec VPN". You can also see the status of the tunnel connection in the online view of the SCT.

3.1.4 Firewall with a VPN connection

You can create firewall rules for IPsec in the following ways:
Automatic: The firewall rules are created automatically for the specified VPN connection.
Manual: You define your own firewall rules for the specified VPN connection.

3.1.4.1 Creating firewall rules automatically

For the example, the VPN tunnel described in the section "Secure VPN tunnel with certificates (Page 117)" is used. The devices have the following IP address settings:
   Local area network, SCALANCE M-800: internal address 192.168.100.1, subnet mask 255.255.255.0
   Remote network, S612 internal port: internal address 192.168.11.2, subnet mask 255.255.255.0

Procedure
1. Click on "Security" > "IPsec VPN" in the navigation area and on the "Phase 2" tab in the content area. The setting "Auto Firewall Rules" is enabled by default.

Result
If "Auto Firewall Rules" is enabled, the following firewall rules are active:
   Rule 1: Action: Allow; From / to: internal network (VLAN1) / remote network (IPsec tunnel x); Permitted protocols: all services (all ports) or all ICMP packet types; Source IP addresses: 192.168.100.0/24; Dest. IP addresses: 192.168.11.0/24
   Rule 2: Action: Allow; From / to: remote network (IPsec tunnel x) / internal network (VLAN1); Permitted protocols: all services (all ports) or all ICMP packet types; Source IP addresses: 192.168.11.0/24; Dest. IP addresses: 192.168.100.0/24

These firewall rules make data exchange between the internal network and the remote network possible. Remote clients cannot, however, reach the modem itself, although it also belongs to the tunnel subnet: apart from ICMP Echo Request, there is no access to the remote VPN partner.

See also
Creating firewall rules manually (Page 97)

3.1.4.2 Creating firewall rules manually

Requirement
The IP service HTTP has been created, see the section "Allow access (Page 41)".

Allow all nodes from the remote subnet HTTP-based access to the SCALANCE M-800
In the following example, an additional firewall rule is specified that applies in addition to the automatic firewall rules.
1. Click on "Security" > "Firewall" in the navigation area and on the "IP Rules" tab in the content area.
2. Configure the firewall rule for HTTP with the following settings:
   Action: Accept
   From: IPsec VPN-1
   To: Device
   Source (Range): 192.168.11.0/24 (all devices of the remote internal network 2)
   Destination (Range): 192.168.100.1 (the required device)
   Service: HTTP
3. Click on "Set Values".
The SCALANCE M can be reached through the VPN tunnel and can be configured with WBM.

Allow HTTP-based access through the VPN tunnel for a specific device
In the following example, a firewall rule is specified manually; the automatic firewall rules are deactivated.
1. Click on "Security" > "Firewall" in the navigation area and on the "IP Services" tab in the content area.
2. As "Service Name", enter "TCP all" and click "Create". A new entry is created in the table.

3. Configure the service with the following setting:
   Transportation: TCP
4. Click on "Set Values".
5. Click on "Security" > "Firewall" in the navigation area and on the "IP Rules" tab in the content area.
6. Click "Create". A new entry is created in the table.
7. Configure the firewall rule with the following settings:
   Action: Accept
   From: vlan1 (INT)
   To: IPsec VPN-1
   Source (Range): 192.168.100.10 (only this device is allowed to communicate from internal network 1 through the VPN tunnel with TCP)
   Destination (Range): 0.0.0.0/0 (all addresses)
   Service: TCP
8. Click "Create". A new entry is created in the table.
9. Click on "Set Values".
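To work out how the automatic rules and the two manual rules above combine before applying them on a device, the following is an added Python model of the IP rule table; it is not Siemens code and not part of the manual. It assumes first-match evaluation, a default of drop, that ICMP Echo Request to the device is always answered (as the manual states), that every address outside 192.168.100.0/24 is reached through IPsec VPN-1, and that only connection-opening packets are judged; the sample packets are constructed.

```python
"""Evaluate SCALANCE M-800 style firewall IP rules against sample packets.

Added example, not Siemens code. The rule sets below are the ones the
manual lists (automatic IPsec rules, the manual HTTP rule to the device
and the "TCP all" rule for one host). Assumptions: first matching rule
wins, default is drop, ICMP Echo Request to the device is always answered,
addresses outside 192.168.100.0/24 are reached via IPsec VPN-1, and reply
traffic is not modelled.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

INT_NET = ipaddress.ip_network("192.168.100.0/24")  # internal network 1 (vlan1)
DEVICE_IP = ipaddress.ip_address("192.168.100.1")   # the SCALANCE M-800 itself
ICMP_ECHO_REQUEST = 8


def zone_of(addr):
    """Name the From/To zone of an address the way the WBM rule table does."""
    ip = ipaddress.ip_address(addr)
    if ip == DEVICE_IP:
        return "Device"
    if ip in INT_NET:
        return "vlan1 (INT)"
    return "IPsec VPN-1"


@dataclass(frozen=True)
class Rule:
    action: str                 # "Accept" or "Drop"
    from_zone: str
    to_zone: str
    src: str                    # source range, CIDR
    dst: str                    # destination range, CIDR
    proto: str                  # "tcp", "udp", "icmp" or "any"
    port: Optional[int] = None  # TCP/UDP port or ICMP type; None = all

    def matches(self, src, dst, proto, port):
        return (self.from_zone == zone_of(src)
                and self.to_zone == zone_of(dst)
                and ipaddress.ip_address(src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst) in ipaddress.ip_network(self.dst)
                and self.proto in ("any", proto)
                and self.port in (None, port))


def evaluate(rules, src, dst, proto, port=None):
    """Return 'accept' or 'drop' for one connection-opening packet."""
    if proto == "icmp" and port == ICMP_ECHO_REQUEST and ipaddress.ip_address(dst) == DEVICE_IP:
        return "accept"  # per the manual, only Echo Request reaches the VPN partner itself
    for rule in rules:
        if rule.matches(src, dst, proto, port):
            return rule.action.lower()
    return "drop"


# Rules active while "Auto Firewall Rules" is enabled (section 3.1.4.1)
AUTO_RULES = [
    Rule("Accept", "vlan1 (INT)", "IPsec VPN-1", "192.168.100.0/24", "192.168.11.0/24", "any"),
    Rule("Accept", "IPsec VPN-1", "vlan1 (INT)", "192.168.11.0/24", "192.168.100.0/24", "any"),
]
# Manual rule added to the automatic ones: HTTP from the remote subnet to the device
HTTP_TO_DEVICE = Rule("Accept", "IPsec VPN-1", "Device",
                      "192.168.11.0/24", "192.168.100.1/32", "tcp", 80)
# Manual rule used instead of the automatic ones: one internal host, any TCP, via the tunnel
TCP_ALL_FROM_HOST = Rule("Accept", "vlan1 (INT)", "IPsec VPN-1",
                         "192.168.100.10/32", "0.0.0.0/0", "tcp")


def report(rules, packets):
    """Evaluate the sample packets and return {description: verdict}."""
    return {desc: evaluate(rules, *pkt) for desc, pkt in packets.items()}


SAMPLE_PACKETS = {  # constructed: (src, dst, proto, port or ICMP type)
    "remote PC -> internal node (TCP 102)": ("192.168.11.5", "192.168.100.20", "tcp", 102),
    "remote PC -> M-800 WBM (TCP 80)": ("192.168.11.5", "192.168.100.1", "tcp", 80),
    "remote PC -> M-800 ping": ("192.168.11.5", "192.168.100.1", "icmp", ICMP_ECHO_REQUEST),
    "host .10 -> any address (TCP 502)": ("192.168.100.10", "10.0.0.5", "tcp", 502),
    "host .20 -> any address (TCP 502)": ("192.168.100.20", "10.0.0.5", "tcp", 502),
}

if __name__ == "__main__":
    for name, rules in (("auto only", AUTO_RULES),
                        ("auto + HTTP to device", AUTO_RULES + [HTTP_TO_DEVICE]),
                        ("TCP all from one host", [TCP_ALL_FROM_HOST])):
        print(name, report(rules, SAMPLE_PACKETS))
```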

3.2 VPN tunnel between SCALANCE M-800 and security CPs

3.2.1 Procedure in principle

In these examples, a secure VPN tunnel is configured between a SCALANCE M-800 and the CP 1628.
Example 1: Secure VPN tunnel with pre-shared keys (PSK)
Example 2: Secure VPN tunnel with certificates
Instead of the CP 1628, a CP 343-1 Advanced or CP 434-1 Advanced can be used.

Structure
Internal network 1 - connection to SCALANCE M-800
In the test setup, in the internal network, a network node is implemented by an Admin PC connected to an Ethernet interface of the SCALANCE M.
   Admin PC: Represents a node in the internal network
   M-800: SCALANCE M module for protection of the internal network
Connection to the external, public network:
   Wireless via the antenna of the M874 to the mobile wireless network.
   Wired via the RJ-45 jack of the M81x to ADSL.

Internal network 2 - attachment to a port of the CP 1628
In the test setup, in the internal network, each network node is implemented by one PC connected to the internal port of the security module.
   PC1 with security module 1: PC with CP 1628 for protection of the internal network
   PC2: PC with the Security Configuration Tool and STEP 7. The PC represents a node in the internal network.
Connection to the external, public network via DSL router
Access to the Internet is via a DSL modem or a DSL router connected to one of the ports of the security module.

Required devices/components
Use the following components for setup:
Connection to the mobile wireless network:
   - 1 x M874 (additional option: a suitably installed standard rail with fittings)
   - 1 x 24 V power supply with cable connector and terminal block plug
   - 1 x suitable antenna
   - 1 x SIM card of your mobile wireless provider. Suitable services are enabled, e.g. Internet.
Connecting to ADSL:
   - 1 x M812 or 1 x M816 (optionally also: a suitably installed standard rail with fittings)
   - 1 x 24 V power supply with cable connector and terminal block plug
   - ADSL access is enabled
   - 1 x PC with CP 1628
   - 1 x PC with the Security Configuration Tool and STEP 7
   - 1 x DSL modem or DSL router
   - The required network cable, TP cable (twisted pair) complying with the IE FC RJ-45 standard for Industrial Ethernet

Settings used
For the configuration example, the devices are given the following IP address settings:
Internal network 1
   M-800: internal address 192.168.100.1, subnet mask 255.255.255.0
   Admin PC: internal address 192.168.100.20, subnet mask 255.255.255.0
   M-800 external address: fixed IP address, e.g. 90.90.90.90 (provider dependent). As an alternative, the DDNS hostname can also be used.

Internal network 2
   DSL router: internal address 192.168.184.254, subnet mask 255.255.255.0
   PC1 with CP 1628: For CP 1628: the IP address of the NDIS interface, e.g. 192.168.184.10 (is configured on PC1). For CP 343-1 Advanced or CP 434-1 Advanced: the IP address of the PROFINET interface.
   PC2: internal address 192.168.184.20, subnet mask 255.255.255.0
   DSL router external address: fixed IP address (WAN IP address), e.g. 91.19.6.84
   CP external address: For CP 1628: the IP address of the Industrial Ethernet interface, e.g. 192.168.184.2. For CP 343-1 Advanced or CP 434-1 Advanced: the IP address of the Gbit interface.

Requirement
   - The CP 1628 is connected to the Internet via the DSL router. In the properties of the CP, the internal IP address of the DSL router is configured as the default gateway.
   - The SCALANCE M-800 is connected to the WAN, refer to "Connecting SCALANCE M-800 to the WAN (Page 11)".
   - The SCALANCE M-800 can be reached via the Admin PC and you are logged in to the WBM as "admin".

Steps in configuration
Example 1: Secure VPN tunnel with PSK
Configuring a VPN tunnel with the SCT V3.x
1. Creating project and modules with SCT (Page 102)
2. Configuring a tunnel connection (Page 104)
3. Downloading the configuration to the CP and saving the M-800 configuration (Page 106)
Configuring a VPN tunnel with the SCT V4.x
1. Creating project and modules with SCT (Page 107)
2. Configuring a tunnel connection (Page 109)
3. Downloading the configuration to the CP and saving the M-800 configuration (Page 111)
Configuring SCALANCE M-800
1. Activating VPN (Page 116)
2. Configuring the VPN remote end (Page 111)
3. Configuring a VPN connection (Page 112)
4. Configuring VPN authentication (Page 114)

5. Configuring phase 1 and phase 2 (Page 114)
6. Establishing the VPN connection (Page 116)

Example 2: Secure VPN tunnel with certificates
Configuring a VPN tunnel with the SCT V3.x
1. Creating project and modules with SCT (Page 117)
2. Configuring a tunnel connection (Page 118)
3. Downloading the configuration to the CP and saving the M-800 configuration (Page 120)
Configuring a VPN tunnel with the SCT V4.x
1. Creating project and modules with SCT (Page 122)
2. Configuring a tunnel connection (Page 124)
3. Downloading the configuration to the CP and saving the M-800 configuration (Page 126)
Configuring SCALANCE M-800
1. Loading a certificate (Page 126)
2. Activating VPN (Page 132)
3. Configuring the VPN remote end (Page 129)
4. Configuring a VPN connection (Page 129)
5. Configuring VPN authentication (Page 130)
6. Configuring phase 1 and phase 2 (Page 131)
7. Establishing the VPN connection (Page 133)

3.2.2 Secure VPN tunnel with PSK

3.2.2.1 Configuring a VPN tunnel with the SCT V3.x

Creating project and modules with SCT
Procedure
1. On the "Security" tab of the object properties of the CP 1628, select the "Enable security" check box.
2. In the dialog that follows, create a new user with a user name and the corresponding password. The "administrator" role is assigned to the user automatically.
3. Confirm the dialog with "OK". A new project is created.

4. In HW Config, open the Security Configuration Tool with the "Edit" > "Security Configuration Tool" menu command. The created CP is displayed in the list of configured modules.
5. Generate a second module with the "Insert" > "Module" menu command.
6. Enter the values assigned to the SCALANCE M-800 from the "Settings used (Page 99)" table.
7. Confirm the dialog with "OK".

Result
The CP and the SCALANCE M-800 will then be displayed in the list of configured modules.

Configuring a tunnel connection
A VPN tunnel for secure communication can only be established if the SCALANCE M-800 and the CP are assigned to the same VPN group.

Procedure
1. Select "VPN groups" in the navigation area and create a new group with the menu command "Insert" > "Group". The group is automatically given the name "Group1".
2. Select the "All modules" entry in the navigation area.
3. Select the SCALANCE M-800 and the CP in the content area. Drag the modules to "Group1". Both modules are now assigned to "Group1".
4. Change to advanced mode with the menu command "View" > "Advanced mode".
5. Open the group properties of Group1 by selecting "Properties..." in the shortcut menu.

6. For this configuration example, configure the group properties with the following settings. If you use different parameter settings, it is possible that the two tunnel partners will not be able to set up a VPN connection between them.
7. Save the project with the "Project" > "Save" menu command.

Result
The configuration of the tunnel connection is complete. The settings are saved in the configuration file.

Downloading the configuration to the CP and saving the M-800 configuration

Downloading the configuration to the CP
1. Close the Security Configuration Tool.
2. In HW Config, select the "Station" > "Save and Compile" menu.
3. Download the new configuration to the security module using the "PLC" > "Download to Module" menu.
   For CP 1628: If the download was completed free of errors, the security module restarts automatically and the new configuration is activated.
   For CP 343-1 Advanced or CP 434-1 Advanced: Restart the S7 CPU following the download to activate the new configuration.

Saving the SCALANCE M-800 configuration
1. In STEP 7, open the Security Configuration Tool with the "Edit" > "Security Configuration Tool" menu command.
2. In the content area, select the "M-800" and select the menu command "Transfer" > "To module(s)".
3. Save the configuration file "Projectname.M-800.txt" in your project directory.

Result
The following file will be saved in the project directory:
   Configuration file: projectname.m-800.txt
The configuration file contains the exported configuration information for the SCALANCE M-800.

Configuration file entries, each followed by the corresponding setting in the WBM:

IPsec VPN > Connections > VPN Standard Mode - Edit Settings
   Address of the remote site's VPN gateway: 91.19.6.84
      WBM: Security > IPsec VPN > Remote End > Remote Mode: Standard
      WBM: Security > IPsec VPN > Remote End > Remote Address: 91.19.6.84/32
   Authentication method: Pre Shared Key
      WBM: Security > IPsec VPN > Authentication > Authentication: PSK
   Pre Shared Key: 12345678
      WBM: Security > IPsec VPN > Authentication > PSK and PSK Confirmation: 12345678
   Remote ID: U28098881@GEA32
      WBM: Security > IPsec VPN > Authentication > Remote ID: not required. The external IP address of the S612 is entered in the WBM. In this example, this is 192.168.184.2.
   Local ID: U269159D5@GEA32
      WBM: Security > IPsec VPN > Authentication > Local ID: not required. The entry remains empty in the WBM.
   Remote net address: 192.168.184.0
   Remote subnet mask: 255.255.255.0
      WBM: Security > IPsec VPN > Remote End > Remote Subnet: 192.168.184.0/24

   Local net address: 192.168.100.0
   Local subnet mask: 255.255.255.0
      WBM: Security > IPsec VPN > Connections > Local Subnet: 192.168.100.0/24

IPsec VPN > Connections > Edit IKE
Phase 1 - ISAKMP SA
   ISAKMP-SA encryption: 3DES-168
   ISAKMP-SA hash: SHA-1
   ISAKMP-SA mode: Main mode
   ISAKMP-SA lifetime (seconds): 86400
   (The value is specified in seconds in the text file. In the WBM, the value must be entered in minutes.)
      WBM: Security > IPsec VPN > Connections > Keying Protocol: IKEv1
      WBM: Security > IPsec VPN > Phase 1 > Encryption: 3DES
      WBM: Security > IPsec VPN > Phase 1 > Authentication: SHA-1
      WBM: Security > IPsec VPN > Phase 1 > Lifetime [min]: 1440
Phase 2 - IPsec SA
   IPsec SA encryption: 3DES-168
   IPsec SA hash: SHA-1
   IPsec SA lifetime (seconds): 86400
   (The value is specified in seconds in the text file. In the WBM, the value must be entered in minutes.)
   Perfect Forward Secrecy (PFS): No
      WBM: Security > IPsec VPN > Phase 2 > Encryption: 3DES
      WBM: Security > IPsec VPN > Phase 2 > Authentication: SHA-1
      WBM: Security > IPsec VPN > Phase 2 > Lifetime [min]: 1440
   DH/PFS group: DH-2 1024
      WBM: Security > IPsec VPN > Phase 1 > Key Derivation: DH group 2
      WBM: Security > IPsec VPN > Phase 2 > Key Derivation: DH group 2
   NAT-T: On
   DPD delay (seconds): 150
   DPD timeout (seconds): 60
      WBM: Security > IPsec VPN > Phase 1 > DPD Timeout [sec]: 60
   DPD maximum failures: 5

3.2.2.2 Configuring a VPN tunnel with the SCT V4.x

Creating project and modules with SCT
Procedure
1. On the "Security" tab of the object properties of the CP 1628, select the "Enable security" check box.
2. In the dialog that follows, create a new user with a user name and the corresponding password. The "administrator" role is assigned to the user automatically.
3. Confirm the dialog with "OK". A new project is created.
4. In HW Config, open the Security Configuration Tool with the "Edit" > "Security Configuration Tool" menu command. The created CP is displayed in the list of configured modules.

5. Generate a second module with the "Insert" > "Module" menu command.
6. Enter the values assigned to the SCALANCE M-800 from the "Settings used (Page 99)" table.
7. Confirm the dialog with "OK".

Result
The CP and the SCALANCE M-800 will then be displayed in the list of configured modules.

Configuring a tunnel connection
A VPN tunnel for secure communication can only be established if the SCALANCE M-800 and the CP are assigned to the same VPN group.

Procedure
1. Select "VPN groups" in the navigation area and create a new group with the menu command "Insert" > "Group". The group is automatically given the name "Group1".
2. Select the "All modules" entry in the navigation area.
3. Select the SCALANCE M-800 and the CP in the content area. Drag the modules to "Group1". Both modules are now assigned to "Group1".
4. Change to advanced mode with the menu command "View" > "Advanced mode".
5. Open the group properties of Group1 by selecting "Properties..." in the shortcut menu.

6. For this configuration example, configure the group properties with the following settings. If you use different parameter settings, it is possible that the two tunnel partners will not be able to set up a VPN connection between them.
7. Save the project with the "Project" > "Save" menu command.

Result
The configuration of the tunnel connection is complete. The settings are saved in the configuration file.

Downloading the configuration to the CP and saving the M-800 configuration

Downloading the configuration to the CP
1. Close the Security Configuration Tool.
2. In HW Config, select the "Station" > "Save and Compile" menu.
3. Download the new configuration to the security module using the "PLC" > "Download to Module" menu.
   For CP 1628: If the download was completed free of errors, the security module restarts automatically and the new configuration is activated.
   For CP 343-1 Advanced or CP 434-1 Advanced: Restart the S7 CPU following the download to activate the new configuration.

Saving the SCALANCE M-800 configuration
1. In STEP 7, open the Security Configuration Tool with the "Edit" > "Security Configuration Tool" menu command.
2. In the content area, select the "M-800" and select the menu command "Transfer" > "To module(s)".
3. Save the configuration file "Projectname.M-800.txt" in your project directory.

Result
The following file will be saved in the project directory:
   Configuration file: projectname.m-800.txt
The configuration file contains the exported configuration information for the SCALANCE M-800. Follow the instructions in the configuration file.

3.2.2.3 Configuring SCALANCE M-800

Configuring the VPN remote end
Procedure
1. Click on "Security" > "IPsec VPN" in the navigation area and on the "Remote End" tab in the content area.
2. Enter the name of the VPN partner (tunnel endpoint) in "Remote End Name", e.g. S612.
3. Click "Create". A new row is created in the table.

4. For the configuration example, configure the VPN remote end with the following settings:
   Remote Mode: Standard
   Remote Type: Manual
   Remote Address: 91.19.6.84/32 (WAN IP address of the DSL router)
   Remote Subnet: 192.168.11.0/24
5. Click on "Set Values".

Configuring a VPN connection
Requirement
The VPN remote end has been created.

Procedure
1. Click on "Security" > "IPsec VPN" in the navigation area and on the "Connections" tab in the content area.
2. In "Connection Name", enter a name for the VPN connection.
3. Click "Create". A new row is created in the table.

4. For the configuration example, configure the VPN connection with the following settings:
   Operation: Disabled
   Keying Protocol: IKEv1
   Remote End: CP1628 (name of the VPN remote station)
   Local Subnet: 192.168.100.0/24 (the local subnet 1 in CIDR notation)
5. Click on "Set Values".

Configuring VPN authentication
Procedure
1. Click on "Security" > "IPsec VPN" in the navigation area and on the "Authentication" tab in the content area.
2. Configure the VPN authentication with the following settings:
   Authentication: PSK
   Local ID: no entry necessary
   Remote ID: 192.168.184.2 (the IP address of the VPN remote station)
   PSK / PSK Confirmation: 12345678 (the key that you configured in the SCT)
3. Click on "Set Values".

Configuring phase 1 and phase 2
Configuring phase 1
1. Click on "Security" > "IPsec VPN" in the navigation area and on the "Phase 1" tab in the content area.
2. Deselect the "Default Ciphers" check box.
3. Select the "DPD" check box.

4. Configure phase 1 with the following settings from the configuration file:
   Encryption: 3DES
   Authentication: SHA1
   Key Derivation: DH group 2
   Lifetime [min]: 1440
   DPD Period [sec]: 60
   Aggressive Mode: no
5. Click on "Set Values".

Configuring phase 2
1. Click the "Phase 2" tab.
2. Deselect the "Default Ciphers" check box.
3. Configure phase 2 with the following settings from the configuration file:
   Encryption: 3DES
   Authentication: SHA1
   Key Derivation (PFS): DH group 2
   Lifetime [min]: 1440
4. Click on "Set Values".

Activating VPN
Procedure
1. Click on "Security" > "IPsec VPN" in the navigation area and on the "General" tab in the content area.
2. Enable the "IPsec VPN" setting.
3. Click on "Set Values".

Establishing the VPN connection
Procedure
1. Click on "Security" > "IPsec VPN" in the navigation area and on the "Connections" tab in the content area.
2. As "Operation", select "Start" and click "Set Values".

Result
The M-800 establishes the VPN tunnel to the CP 1628. If the VPN tunnel is established, the LED is lit green on the device. You will find more detailed information in "Information" > "IPsec VPN".

3.2.3 Secure VPN tunnel with certificates

3.2.3.1 Configuring a VPN tunnel with the SCT V3.x

Creating project and modules with SCT
Procedure
1. On the "Security" tab of the object properties of the CP 1628, select the "Enable security" check box.
2. In the dialog that follows, create a new user with a user name and the corresponding password. The "administrator" role is assigned to the user automatically.
3. Confirm the dialog with "OK". A new project is created.
4. In HW Config, open the Security Configuration Tool with the "Edit" > "Security Configuration Tool" menu command. The created CP is displayed in the list of configured modules.
5. Generate a second module with the "Insert" > "Module" menu command.

6. Enter the values assigned to the SCALANCE M-800 from the "Settings used (Page 99)" table.
7. Confirm the dialog with "OK".

Result
The CP and the SCALANCE M-800 will then be displayed in the list of configured modules.

Configuring a tunnel connection
A VPN tunnel for secure communication can only be established if the SCALANCE M-800 and the CP are assigned to the same group.

Procedure
1. Select "VPN groups" in the navigation area and create a new group with the menu command "Insert" > "Group". The group is automatically given the name "Group1".
2. Select the "All modules" entry in the navigation area.
3. Select the SCALANCE M-800 and the CP in the content area. Drag the modules to "Group1". Both modules are now assigned to "Group1".
4. Change to advanced mode with the menu command "View" > "Advanced mode".
5. Open the group properties of Group1 by selecting "Properties..." in the shortcut menu.
6. For this configuration example, configure the group properties with the following settings. If you use different parameter settings, it is possible that the two tunnel partners will not be able to set up a VPN connection between them.
7. Select the menu command "Project" > "Save". Save the security project under the required name.

Result
The configuration of the tunnel connection is complete. The settings are saved in the configuration file.

Downloading the configuration to the CP and saving the M-800 configuration

Downloading the configuration to the CP
1. Close the Security Configuration Tool.
2. In HW Config, select the "Station" > "Save and Compile" menu.
3. Download the new configuration to the security module using the "PLC" > "Download to Module" menu.
   For CP 1628: If the download was completed free of errors, the security module restarts automatically and the new configuration is activated.
   For CP 343-1 Advanced or CP 434-1 Advanced: Restart the S7 CPU following the download to activate the new configuration.

Saving the SCALANCE M configuration
1. In the content area, select the "M-800" and select the menu command "Transfer" > "To module(s)".
2. Save the configuration file "Projectname.M-800.txt" in your project folder and assign a password for the private key of the certificate, e.g. Di1S+Xo?.

Result
The following files will be saved in the project directory:
   Configuration file: projectname.m-800.txt
   PKCS12 file: projectname.string.m-800.p12
   Remote certificate: Projectname.group1.CP.cer
The configuration file contains the exported configuration information for the SCALANCE M-800 including information on the additionally generated certificates.

Configuration file entries, each followed by the corresponding setting in the WBM:

IPsec VPN > Certificates
   Upload Remote Site Certificate: Configuration-1.group1.S612.cer
   Upload PKCS12 File (.p12): Configuration-1.U800CB3FF@G471C.M-800.p12
      WBM: System > Load&Save > HTTP > X509Cert: Download
IPsec VPN > Connections > VPN Standard Mode - Edit Settings
      WBM: Security > IPsec VPN > Remote End > Remote Mode: Standard

   Address of the remote site's VPN gateway: 91.19.6.84
      WBM: Security > IPsec VPN > Remote End > Remote Address: 91.19.6.84/32
   Authentication method: X.509 remote certificate
      WBM: Security > IPsec VPN > Authentication > Authentication: Remote Cert
   Remote Certificate: Configuration-1.group1.S612.cer
      WBM: Security > IPsec VPN > Authentication > Remote Certificate: Configuration-1.group1.CP.cer
   Remote ID: U5A634732@GC4D8
      WBM: Security > IPsec VPN > Authentication > Remote ID: U5A634732@GC4D8
   Remote net address: 192.168.184.0
   Remote subnet mask: 255.255.255.0
      WBM: Security > IPsec VPN > Remote End > Remote Subnet: 192.168.184.0/24
   Local net address: 192.168.100.0
   Local subnet mask: 255.255.255.0
      WBM: Security > IPsec VPN > Connections > Local Subnet: 192.168.100.0/24

IPsec VPN > Connections > Edit IKE
Phase 1 - ISAKMP SA
   ISAKMP-SA encryption: 3DES-168
   ISAKMP-SA hash: SHA-1
   ISAKMP-SA mode: Main mode
   ISAKMP-SA lifetime (seconds): 86400
   (The value is specified in seconds in the text file. In the WBM, the value must be entered in minutes.)
      WBM: Security > IPsec VPN > Connections > Keying Protocol: IKEv1
      WBM: Security > IPsec VPN > Phase 1 > Encryption: 3DES
      WBM: Security > IPsec VPN > Phase 1 > Authentication: SHA-1
      WBM: Security > IPsec VPN > Phase 1 > Lifetime [min]: 1440
Phase 2 - IPsec SA
   IPsec SA encryption: 3DES-168
   IPsec SA hash: SHA-1
   IPsec SA lifetime (seconds): 86400
   (The value is specified in seconds in the text file. In the WBM, the value must be entered in minutes.)
   Perfect Forward Secrecy (PFS): No
      WBM: Security > IPsec VPN > Phase 2 > Encryption: 3DES
      WBM: Security > IPsec VPN > Phase 2 > Authentication: SHA-1
      WBM: Security > IPsec VPN > Phase 2 > Lifetime [min]: 1440
   DH/PFS group: DH-2 1024
      WBM: Security > IPsec VPN > Phase 1 > Key Derivation: DH group 2
      WBM: Security > IPsec VPN > Phase 2 > Key Derivation: DH group 2
   NAT-T: On
   DPD delay (seconds): 150
   DPD timeout (seconds): 60
      WBM: Security > IPsec VPN > Phase 1 > DPD Timeout [sec]: 60
   DPD maximum failures: 5
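The configuration-file tables of the PSK example (section 3.2.2.1) and of the certificate example above use the same "Key: value" layout, and the conversions the manual asks for are mechanical: network address plus mask to CIDR, gateway address to /32, lifetimes from seconds to minutes, "DH-2 1024" to "DH group 2". The following added Python helper, which is not Siemens code, performs those conversions on a constructed sample built from the manual's example values and compares the result with what was typed into the WBM, so a proposal mismatch of the kind the manual warns about is caught before the tunnel is started. It assumes the export prints the field names exactly as reproduced in the manual.

```python
"""Translate an SCT-exported SCALANCE M-800 configuration file into WBM settings.

Added example, not Siemens code. SAMPLE_EXPORT is constructed from the
field names and example values printed in the manual (PSK variant); the
real export is assumed to use the same "Key: value" lines.
"""
import ipaddress

SAMPLE_EXPORT = """\
Address of the remote site's VPN gateway: 91.19.6.84
Authentication method: Pre Shared Key
Pre Shared Key: 12345678
Remote ID: U28098881@GEA32
Local ID: U269159D5@GEA32
Remote net address: 192.168.184.0
Remote subnet mask: 255.255.255.0
Local net address: 192.168.100.0
Local subnet mask: 255.255.255.0
ISAKMP-SA encryption: 3DES-168
ISAKMP-SA hash: SHA-1
ISAKMP-SA mode: Main mode
ISAKMP-SA lifetime (seconds): 86400
IPsec SA encryption: 3DES-168
IPsec SA hash: SHA-1
IPsec SA lifetime (seconds): 86400
Perfect Forward Secrecy (PFS): No
DH/PFS group: DH-2 1024
NAT-T: On
DPD delay (seconds): 150
DPD timeout (seconds): 60
DPD maximum failures: 5
"""


def parse_export(text):
    """Return the 'Key: value' lines of the export as a dict (keys as printed)."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def _cidr(address, mask):
    # 192.168.184.0 + 255.255.255.0 -> "192.168.184.0/24"; the WBM takes CIDR notation
    return str(ipaddress.ip_network(f"{address}/{mask}", strict=False))


def _minutes(seconds_text):
    # The export states lifetimes in seconds; the WBM fields are in minutes.
    seconds = int(seconds_text)
    if seconds % 60:
        raise ValueError(f"lifetime {seconds} s is not a whole number of minutes")
    return seconds // 60


def _dh_group(text):
    # "DH-2 1024" -> "DH group 2"; the WBM applies it to phase 1 and phase 2
    return "DH group " + text.split()[0].split("-")[1]


def to_wbm(fields):
    """Map parsed export fields to the WBM entries listed in the manual's tables."""
    psk = fields["Authentication method"] == "Pre Shared Key"
    wbm = {
        "Remote End > Remote Mode": "Standard",
        "Remote End > Remote Address": fields["Address of the remote site's VPN gateway"] + "/32",
        "Remote End > Remote Subnet": _cidr(fields["Remote net address"], fields["Remote subnet mask"]),
        "Connections > Local Subnet": _cidr(fields["Local net address"], fields["Local subnet mask"]),
        "Connections > Keying Protocol": "IKEv1",
        "Authentication > Authentication": "PSK" if psk else "Remote Cert",
        "Phase 1 > Encryption": fields["ISAKMP-SA encryption"].split("-")[0],
        "Phase 1 > Authentication": fields["ISAKMP-SA hash"].replace("-", ""),
        "Phase 1 > Lifetime [min]": _minutes(fields["ISAKMP-SA lifetime (seconds)"]),
        "Phase 1 > Key Derivation": _dh_group(fields["DH/PFS group"]),
        "Phase 1 > Aggressive Mode": "no" if fields["ISAKMP-SA mode"] == "Main mode" else "yes",
        "Phase 1 > DPD Timeout [sec]": int(fields["DPD timeout (seconds)"]),
        "Phase 2 > Encryption": fields["IPsec SA encryption"].split("-")[0],
        "Phase 2 > Authentication": fields["IPsec SA hash"].replace("-", ""),
        "Phase 2 > Lifetime [min]": _minutes(fields["IPsec SA lifetime (seconds)"]),
        "Phase 2 > Key Derivation": _dh_group(fields["DH/PFS group"]),
    }
    if psk:
        # With PSK the manual enters the peer's external IP address as Remote ID,
        # which the export does not contain, so only the key is taken from the file.
        wbm["Authentication > PSK"] = fields["Pre Shared Key"]
    else:
        wbm["Authentication > Remote ID"] = fields["Remote ID"]
    return wbm


def check_entries(expected, entered):
    """List (setting, expected, entered) for each WBM field that differs; non-empty means no tunnel."""
    return [(name, value, entered.get(name))
            for name, value in expected.items() if entered.get(name) != value]


if __name__ == "__main__":
    wbm = to_wbm(parse_export(SAMPLE_EXPORT))
    for name, value in wbm.items():
        print(f"Security > IPsec VPN > {name}: {value}")
    typed = dict(wbm)
    typed["Phase 1 > Lifetime [min]"] = 86400   # the seconds value copied into the minutes field
    print("mismatches:", check_entries(wbm, typed))
```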

3.2.3.2 Configuring a VPN tunnel with the SCT V4.x

Creating project and modules with SCT
Procedure
1. On the "Security" tab of the object properties of the CP 1628, select the "Enable security" check box.
2. In the dialog that follows, create a new user with a user name and the corresponding password. The "administrator" role is assigned to the user automatically.
3. Confirm the dialog with "OK". A new project is created.
4. In HW Config, open the Security Configuration Tool with the "Edit" > "Security Configuration Tool" menu command. The created CP is displayed in the list of configured modules.

5. Generate a second module with the "Insert" > "Module" menu command.
6. Enter the values assigned to the SCALANCE M-800 from the "Settings used (Page 99)" table.
7. Confirm the dialog with "OK".

Result
The CP and the SCALANCE M-800 will then be displayed in the list of configured modules.

Configuring a tunnel connection
A VPN tunnel for secure communication can only be established if the SCALANCE M-800 and the CP are assigned to the same group.

Procedure
1. Select "VPN groups" in the navigation area and create a new group with the menu command "Insert" > "Group". The group is automatically given the name "Group1".
2. Select the "All modules" entry in the navigation area.
3. Select the SCALANCE M-800 and the CP in the content area. Drag the modules to "Group1". Both modules are now assigned to "Group1".
4. Change to advanced mode with the menu command "View" > "Advanced mode".
5. Open the group properties of Group1 by selecting "Properties..." in the shortcut menu.

6. For this configuration example, configure the group properties with the following settings:
   If you use different parameter settings, it is possible that the two tunnel partners will not be able to set up a VPN connection between them.
7. Select the menu command "Project" > "Save". Save the security project under the required name.

Result
The configuration of the tunnel connection is complete. The settings are saved in the configuration file.

Downloading the configuration to the CP and saving the M-800 configuration

Downloading the configuration to the CP
1. Close the Security Configuration Tool.
2. In HW Config, select the "Station" > "Save and Compile" menu.
3. Download the new configuration to the security module using the "PLC" > "Download to Module" menu.
   For CP 1628: If the download was completed free of errors, the security module restarts automatically and the new configuration is activated.
   For CP 343-1 Advanced or CP 434-1 Advanced: Restart the S7 CPU following the download to activate the new configuration.

Saving the SCALANCE M-800 configuration
1. In the content area, select the "M-800" and select the menu command "Transfer" > "To module(s)".
2. Save the configuration file "Projectname.M-800.txt" in your project folder and assign a password for the private key of the certificate, e.g. Di1S+Xo?.

Result
The following files will be saved in the project directory:
- Configuration file: projectname.m-800.txt
- PKCS12 file: projectname.string.m-800.p12
- Remote certificate: Projectname.group1.CP.cer
The configuration file contains the exported configuration information for the SCALANCE M-800 including information on the additionally generated certificates. Follow the instructions in the configuration file.

3.2.3.3 Configuring SCALANCE M-800

Loading a certificate

Requirement
- The correct time is set on the SCALANCE M-800, refer to the section Setting the time (Page 27).
- Certificates are available. You saved the required certificates on the PC in the last section and assigned a password for the private key. Transfer the certificates for the SCALANCE M-800 to the Admin PC.

Procedure
1. Click on "System" > "Load&Save" in the navigation area and on the "Passwords" tab in the content area.
2. In the line "X509Cert", enter the password that you specified for the PKCS12 file in "Password" and "Password confirmation".
3. Enable the password.
4. Click on "Set Values".

5. Click on the "HTTP" tab in the content area.
6. For "X509Cert", click the "Loading" button. The dialog for loading a file is opened. Navigate to the remote certificate.
7. Click the "Open" button in the dialog. The file is now loaded on the device. After loading successfully, confirm the next dialog with "OK".
8. Repeat steps 5 and 6 for the PKCS12 file.

Result
Certificates are loaded and are displayed in "Security" > "Certificates". The loaded certificates must have the status "Valid".

Configuring the VPN remote end

Procedure
1. Click on "Security" > "IPsec VPN" in the navigation area and on the "Remote End" tab in the content area.
2. Enter the name of the VPN partner (tunnel endpoint) in "Remote End Name", e.g. S612.
3. Click "Create". A new row is created in the table.
4. For the configuration example, configure the VPN remote end with the following settings:
   Remote Mode: Standard
   Remote Type: Manual
   Remote Address: 91.19.6.84/32 (WAN IP address of the DSL router)
   Remote Subnet: 192.168.11.0/24
5. Click on "Set Values".

Configuring a VPN connection

Requirement
The VPN remote end has been created.

Procedure
1. Click on "Security" > "IPsec VPN" in the navigation area and on the "Connections" tab in the content area.
2. In "Connection Name", enter a name for the VPN connection.
3. Click "Create". A new row is created in the table.

4. For the configuration example, configure the VPN connection with the following settings:
   Operation: Disabled
   Keying Protocol: IKEv1
   Remote End: CP1628 (name of the VPN remote station)
   Local Subnet: 192.168.100.0/24 (the local subnet 1 in CIDR notation)
5. Click on "Set Values".

Configuring VPN authentication

Procedure
1. Click on "Security" > "IPsec VPN" in the navigation area and on the "Authentication" tab in the content area.
2. For the configuration example, configure the VPN authentication with the following settings:
   Authentication: Remote Certificate
   Local certificate: projectname.string.m-800.p12
   Remote Cert: Projectname.group1.CP.cer
   Remote ID: Remote ID from the configuration file
3. Click on "Set Values".

Configuring phase 1 and phase 2

Configuring phase 1
1. Click on "Security" > "IPsec VPN" in the navigation area and on the "Phase 1" tab in the content area.
2. Deselect the "Default Ciphers" check box.
3. Select the "DPD" check box.
4. Configure phase 1 with the following settings from the configuration file:
   Encryption: 3DES
   Authentication: SHA1
   Key Derivation: DH group 2
   Lifetime [min]: 1440
   DPD Period [sec]: 60
   Aggressive Mode: no
5. Click on "Set Values".

Configuring phase 2
1. Click the "Phase 2" tab.
2. Deselect the "Default Ciphers" check box.

3. Configure phase 2 with the following settings from the configuration file:
   Encryption: 3DES
   Authentication: SHA1
   Key Derivation (PFS): DH group 2
   Lifetime [min]: 1440
4. Click on "Set Values".

Activating VPN

Procedure
1. Click on "Security" > "IPsec VPN" in the navigation area and on the "General" tab in the content area.
2. Enable the "IPsec VPN" setting.
3. Click on "Set Values".
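The group properties step warns that the tunnel will not come up if the two partners use different parameters. The following added example (not Siemens code, and not part of this Getting Started) models the phase 1 and phase 2 settings of both tunnel partners as configured above and checks them against each other the way a reviewer would before pressing "Start": a mismatch in a negotiated parameter is reported as a problem, and the legacy algorithms used in this example (3DES, SHA1, DH group 2) are flagged as warnings. The class and function names, the "legacy" classification and the misconfigured CP variant are this example's own assumptions.

```python
"""Consistency check for the IPsec phase 1 / phase 2 parameters of two tunnel partners.

Added example, not Siemens code: the values model the configuration example on this
page (3DES, SHA1, DH group 2, lifetime 1440 min, DPD 60 s). Class and function names
are this example's own.
"""
from __future__ import annotations
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Parameters that have to agree on both sides for an IKEv1 phase to be negotiated.
PHASE1_KEYS: Tuple[str, ...] = ("encryption", "authentication", "key_derivation", "aggressive_mode")
PHASE2_KEYS: Tuple[str, ...] = ("encryption", "authentication", "key_derivation")

# Algorithms that still interoperate but are legacy (short keys, weak hash, 1024-bit DH).
# They are flagged, not rejected, because both partners in the example use them.
LEGACY: Dict[str, set] = {
    "encryption": {"3DES", "DES"},
    "authentication": {"SHA1", "MD5"},
    "key_derivation": {"DH group 1", "DH group 2", "DH group 5"},
}


@dataclass
class Phase:
    encryption: str
    authentication: str
    key_derivation: str
    lifetime_min: int
    aggressive_mode: bool = False
    dpd_period_sec: Optional[int] = None


@dataclass
class Peer:
    name: str
    phase1: Phase
    phase2: Phase
    local_subnet: str
    remote_subnet: str


def compare_phase(a: Phase, b: Phase, keys: Tuple[str, ...]) -> List[str]:
    """Describe every parameter in `keys` on which the two peers differ."""
    return [f"{k}: {getattr(a, k)!r} vs {getattr(b, k)!r}"
            for k in keys if getattr(a, k) != getattr(b, k)]


def legacy_warnings(p: Phase, label: str) -> List[str]:
    """Flag legacy algorithms in one phase; this does not decide whether the tunnel comes up."""
    return [f"{label} {k}: {getattr(p, k)} is a legacy algorithm"
            for k, legacy in LEGACY.items() if getattr(p, k) in legacy]


def check_tunnel(local: Peer, remote: Peer) -> dict:
    """Compare both partners. Any entry in `problems` means the tunnel will not be negotiated."""
    problems = ["phase 1 " + m for m in compare_phase(local.phase1, remote.phase1, PHASE1_KEYS)]
    problems += ["phase 2 " + m for m in compare_phase(local.phase2, remote.phase2, PHASE2_KEYS)]
    # Traffic selectors: each side's local subnet must be the other side's remote subnet.
    if local.local_subnet != remote.remote_subnet or local.remote_subnet != remote.local_subnet:
        problems.append("local/remote subnets do not mirror each other")
    warnings = legacy_warnings(local.phase1, "phase 1") + legacy_warnings(local.phase2, "phase 2")
    return {"ok": not problems, "problems": problems, "warnings": warnings}


# Values from the configuration example; both sides use the same proposal.
EXAMPLE_PHASE1 = Phase("3DES", "SHA1", "DH group 2", lifetime_min=1440,
                       aggressive_mode=False, dpd_period_sec=60)
EXAMPLE_PHASE2 = Phase("3DES", "SHA1", "DH group 2", lifetime_min=1440)

M800 = Peer("SCALANCE M-800", EXAMPLE_PHASE1, EXAMPLE_PHASE2,
            local_subnet="192.168.100.0/24", remote_subnet="192.168.11.0/24")
CP1628 = Peer("CP 1628", EXAMPLE_PHASE1, EXAMPLE_PHASE2,
              local_subnet="192.168.11.0/24", remote_subnet="192.168.100.0/24")

# Constructed mismatch: the CP side was left with a different phase 2 hash.
CP1628_MISMATCH = Peer("CP 1628 (misconfigured)", EXAMPLE_PHASE1,
                       Phase("3DES", "SHA256", "DH group 2", lifetime_min=1440),
                       local_subnet="192.168.11.0/24", remote_subnet="192.168.100.0/24")

if __name__ == "__main__":
    for partner in (CP1628, CP1628_MISMATCH):
        print(partner.name, check_tunnel(M800, partner))
```

Lifetimes are deliberately left out of the matched keys: in IKEv1 they are negotiated down by the responder rather than required to be identical, so a differing lifetime is not what keeps a tunnel from coming up.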

Establishing the VPN connection

Procedure
1. Click on "Security" > "IPsec VPN" in the navigation area and on the "Connections" tab in the content area.
2. As "Operation", select "Start" and click "Set Values".

Result
The SCALANCE M-800 establishes the VPN tunnel to the CP 1628. If the VPN tunnel is established, the LED is lit green on the device. You will find more detailed information in "Information" > "IPsec VPN".

3.3 VPN tunnel between SCALANCE M87x and SINEMA RC Server

3.3.1 Procedure in principle
In this sample configuration, two distributed stations are connected using the SCALANCE M87x. The devices communicate via the SINEMA RC Server located in the master station. The SINEMA RC is addressed using a WAN IP address obtained from a provider. As an alternative, you can also address the SINEMA RC Server using a defined name (FQDN). A KEY-PLUG SINEMA Remote Connect is required for each SCALANCE M87x device. The KEY-PLUG enables the connection from SCALANCE M87x to SINEMA RC.

To do this, the devices need to log on to the SINEMA RC Server. The VPN tunnel between the device and the SINEMA RC Server is established only after successful authentication. Depending on the configured communication relations and the security settings, the SINEMA RC Server connects the individual VPN tunnels.

Structure

Master station - connection to SINEMA RC Server
In the test setup in the internal network, a network node is implemented by a PC connected to the LAN interface of the SINEMA RC Server.
- PC: represents a participant in internal network 3
- SINEMA RC Server
- Connection to the external network via a router: Access to the external network is via a router connected to the WAN interface of the SINEMA RC Server.

Station 1 / 2 - connection to SCALANCE M87x
In the test setup in the internal network, a network node is implemented by a PC connected to the Ethernet interface P1 of the M-800.
- PC: represents a participant in internal network 1/2
- M-87x: SCALANCE M module for protection of the internal network 1/2
- Connection to the external, public network: Wireless via the antenna of the M87x on the mobile wireless network (as of firmware 4.0)

Required devices/components
Use the following components for setup:
- 2 x M874 (additional option: a suitably installed standard rail with fittings)
- 2 x KEY-PLUG SINEMA RC
- 2 x 24 V power supply with cable connector and terminal block plug
- 2 x PC, each connected to a SCALANCE M874
- 2 x suitable antennas
- 2 x SIM card of your mobile wireless provider. Suitable services are enabled, e.g. Internet.
- 1 x PC on which the SINEMA RC Server is installed
- 1 x PC that is connected to the SINEMA RC Server
- 1 x router
- The required network cable, TP cable (twisted pair) complying with the IE FC RJ-45 standard for Industrial Ethernet

Note
You can also use a SCALANCE M876. The configuration described below relates specifically to the components mentioned in the section "Required devices/components".

Settings used
For the configuration example, the devices are given the following IP address settings:

Station 1 (LAN1)
Name | Interface | IP address
M874-2 #1 | LAN interface P1 (vlan1) | 192.168.100.1, subnet mask 255.255.255.0
M874-2 #1 | WAN interface (ppp0) | Dynamic IP address from provider

PC1 | LAN interface | 192.168.100.20, subnet mask 255.255.255.0

Station 2 (LAN2)
Name | Interface | IP address
M874-2 #2 | LAN interface P1 (vlan1) | 192.168.10.1, subnet mask 255.255.255.0
M874-2 #2 | WAN interface (ppp0) | Dynamic IP address from provider
PC2 | Ethernet (LAN 2) | 192.168.10.20, subnet mask 255.255.255.0

Master station (LAN3)
Name | Interface | IP address
SINEMA RC Server | WAN interface | 192.168.20.250, subnet mask 255.255.255.0. The WAN IP address via which the SINEMA RC Server can be reached is the WAN IP address of the router in this example: 90.90.90.90. The default gateway is the LAN IP address of the router, 192.168.20.1. As an alternative, the SINEMA RC Server can also be addressed using a defined host name (FQDN).
PC3 | Ethernet (LAN3) | 192.168.20.20, subnet mask 255.255.255.0
Router 3 | LAN interface | 192.168.20.1, subnet mask 255.255.255.0
Router 3 | WAN interface | Static IP address from the provider, e.g. 90.90.90.90

Note
The IP settings used in the configuration example were freely chosen. In a real network, you would need to adapt these IP settings to avoid possible address conflicts.

Requirement

SINEMA RC Server
The SINEMA RC Server is connected to the WAN. You will find the configuration steps in the Getting Started "SINEMA Remote Connect".

Note
Port forwarding at the router
When you use a router as the gateway, you must enable the following ports on the router and forward the data packets to the SINEMA RC Server:
- TCP 443
- TCP 5443
- UDP 1194
Router with VPN capability
If your router itself has VPN capability, make sure that the ports do not overlap or that this function is disabled. You will find further information on this in the documentation of the router.

SCALANCE M874
- The M874 is connected to the WAN, refer to "Connecting SCALANCE M800 to the WAN". The steps in configuration are the same for all devices, the only difference being the settings, see table "Settings used (Page 133)".
- The M874 can be reached via PC1 or PC2 and you are logged in to the WBM as a user with the role "admin".
- A valid KEY-PLUG SINEMA Remote Connect is inserted in the SCALANCE M.

Steps in configuration

Configuring access to the SINEMA RC Server
For the PC to be able to access the WBM of the SINEMA RC Server via the M874, the following steps are necessary on the M874:
1. Activate IP masquerading (Page 138)
2. Allow access (Page 138)

Configure a remote connection on the SINEMA RC Server
1. Creating participant groups (Page 139)
2. Create devices (Page 140)
3. Configure communication relations (Page 143)

Configure a remote connection on the M874
- Secure VPN connection with fingerprint (Page 144)
- Secure VPN connection with CA certificate:
  Loading a certificate (Page 148)
  Configuring a VPN connection to the SINEMA RC Server (Page 149)

3.3.2 Configuring access to the SINEMA RC server

3.3.2.1 Activating IP masquerading
IP masquerading is used so that the internal IP addresses are not forwarded to the external network. In addition, no further routing settings are necessary on the router.

Procedure
1. Click on "Layer 3" > "NAT" in the navigation area and on the "Masquerading" tab in the content area.
2. Activate "Enable Masquerading" on the WAN interface:
   M874, M876-3: ppp0
   M876-4: usb0
   M826-2: vlan1
3. Click on "Set Values".

Result
Masquerading is enabled on the WAN interface. When a packet is sent via this interface, the source address is rewritten to the IP address assigned to the WAN interface.

3.3.2.2 Allow access
So that the PC can access the SINEMA RC Server, access from vlan1 to the WAN interface is enabled on the device.

Procedure
1. Click on "Security" > "Firewall" in the navigation area and on the "IP Rules" tab in the content area.
2. Click "Create". A new entry is created in the table.

3. Configure the firewall rule with the following settings:
   Action: Accept
   From: vlan1 (internal)
   To: external (M874, M876-3: ppp0; M876-4: usb0)
   Source (Range): 0.0.0.0 (all IP addresses)
   Destination (Range): 0.0.0.0 (all IP addresses)
   Service: all (as default, the service is always available)
4. Click on "Set Values".

Result
Due to this firewall rule, all services between vlan1 and ppp0 or usb0 are possible without restrictions, e.g. HTTPS.

3.3.3 Configuring a remote connection on the SINEMA RC Server

3.3.3.1 Creating node groups
Users and devices can be put together in participant groups. You can also specify whether the communication between the participants of an individual group is permitted or forbidden. For this sample configuration, the following groups are created:
- Station1
- Station2
- Service
The Service group is required for the configuration example "OpenVPN tunnel between SINEMA RC Client and SINEMA RC Server". You will find this example in the Getting Started SINEMA RC Server.
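The result above states that the rule allows all services from vlan1 to the WAN interface without restriction, and the masquerading section before it states that the source address is rewritten to the WAN address. The following added example (not Siemens code, and not part of this Getting Started) models both behaviours over constructed sample packets so the effect of the rule can be seen: the rule as configured beside a narrowed alternative that only admits the SINEMA RC ports the page lists for the router (TCP 443, TCP 5443, UDP 1194) towards the server's public address. The narrowed rule, the addresses 198.51.100.7 and 203.0.113.9 and the function names are this example's own assumptions.

```python
"""Model of the firewall IP rule and WAN masquerading from this example.

Added example, not Siemens code. Packets and addresses are constructed; the permissive
rule mirrors the page's settings (vlan1 -> ppp0, 0.0.0.0, service all); the narrowed
rule is an assumption that only admits the SINEMA RC ports listed for the router.
"""
from __future__ import annotations
import ipaddress
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    in_iface: str
    out_iface: str
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                  # "accept" or "drop"
    frm: str                     # ingress interface, e.g. "vlan1"
    to: str                      # egress interface, e.g. "ppp0"
    src_range: str = "0.0.0.0"   # "0.0.0.0" means all addresses, as in the WBM table
    dst_range: str = "0.0.0.0"
    service: Tuple = ("all",)    # ("all",) or a tuple of (proto, port) pairs


def _in_range(addr: str, rng: str) -> bool:
    if rng == "0.0.0.0":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(rng, strict=False)


def _service_match(pkt: Packet, service: Tuple) -> bool:
    return service == ("all",) or (pkt.proto, pkt.dport) in service


def evaluate(rules: List[Rule], pkt: Packet, default: str = "drop") -> str:
    """First matching rule wins; unmatched traffic falls to the default policy."""
    for r in rules:
        if (r.frm == pkt.in_iface and r.to == pkt.out_iface
                and _in_range(pkt.src, r.src_range) and _in_range(pkt.dst, r.dst_range)
                and _service_match(pkt, r.service)):
            return r.action
    return default


def masquerade(pkt: Packet, wan_iface: str, wan_ip: str) -> Packet:
    """Rewrite the source address of packets leaving via the masqueraded WAN interface."""
    return replace(pkt, src=wan_ip) if pkt.out_iface == wan_iface else pkt


def forward(rules: List[Rule], pkt: Packet, wan_ip: str) -> Tuple[str, Optional[Packet]]:
    """Filter, then masquerade. Returns the verdict and the packet as it leaves (or None)."""
    verdict = evaluate(rules, pkt)
    return verdict, (masquerade(pkt, "ppp0", wan_ip) if verdict == "accept" else None)


# Rule exactly as configured in the example: everything from vlan1 to ppp0.
PERMISSIVE = [Rule("accept", "vlan1", "ppp0")]
# Narrowed alternative (assumption): only the SINEMA RC ports, only to the server's public address.
NARROW = [Rule("accept", "vlan1", "ppp0", dst_range="90.90.90.90/32",
               service=(("tcp", 443), ("tcp", 5443), ("udp", 1194)))]

# Constructed sample traffic from PC1 (192.168.100.20). 198.51.100.7 stands in for the
# dynamic provider address on ppp0; 203.0.113.9 is an unrelated Internet host.
WAN_IP = "198.51.100.7"
HTTPS_TO_SERVER = Packet("vlan1", "ppp0", "192.168.100.20", "90.90.90.90", "tcp", 443)
OPENVPN_TO_SERVER = Packet("vlan1", "ppp0", "192.168.100.20", "90.90.90.90", "udp", 1194)
SSH_ELSEWHERE = Packet("vlan1", "ppp0", "192.168.100.20", "203.0.113.9", "tcp", 22)
INBOUND = Packet("ppp0", "vlan1", "203.0.113.9", "192.168.100.20", "tcp", 445)

if __name__ == "__main__":
    for name, rules in (("permissive", PERMISSIVE), ("narrow", NARROW)):
        for pkt in (HTTPS_TO_SERVER, OPENVPN_TO_SERVER, SSH_ELSEWHERE, INBOUND):
            print(name, pkt.proto, pkt.dport, "->", pkt.dst, forward(rules, pkt, WAN_IP))
```

Neither rule set matches the inbound packet, so it falls to the default drop in both cases; the difference between the two is only in what the internal PC may reach outbound.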

Requirement
The SINEMA RC Server is connected to the WAN.

Procedure
1. In the address box of the Web browser, enter the WAN IP address of the SINEMA RC Server, "https://<wan IP address>", see table "Settings used (Page 133)".
2. Log in as the "admin" user with the corresponding password.
3. In the navigation area, click "Remote connections" > "Participant groups". The participant groups that have already been created are listed in the content area.
4. Click "Create". The page "New participant group" is opened.
5. For group name, enter "Station1". Enable the setting "Members may communicate" and click "Save".
6. Repeat steps 1-3 for the groups "Station2" and "Service".

Result
The participant groups have been created.

3.3.3.2 Create devices

Procedure
1. In the navigation area, click "Remote connections" > "Devices". The devices that have already been created are listed in the content area.
2. Click the "Create" button to create a new device.

3. Enter the device name for the device, e.g. "M874_1" for station 1 and "M874_2" for station 2.
4. Click "Continue".
5. For "VPN connection mode", select "OpenVPN". Click "Continue".
6. Enable the parameter "Connected local subnets".
7. Enable the parameter "Device is a network gateway".
8. Configure the devices with the following settings:
   Local LAN IP address: IP address for vlan1 according to the table "Settings used (Page 133)"
   Network mask: 255.255.255.0
9. Click "Continue". The "Group memberships" tab is displayed.
10. Enable the appropriate group:
    For the device "M874_1", the group "Station1"
    For the device "M874_2", the group "Station2"
11. Click "Continue". The "Password" tab is displayed.
12. Specify the password for the access, e.g. An:t_010 for M874_1 and An:t_020 for M874_2. The password must be made up of uppercase and lowercase letters, numbers and special characters.
13. Click "Exit".

Result
The devices are listed with the devices that have already been created.
- Device password
- Device ID
- Fingerprint
You will find the device ID and the fingerprint in the device information. Click on the symbol to open the device information.


3.3.3.3 Configure communications relations
So that participant groups can communicate with each other, communication relations are necessary. A communication relation can be created for every direction. For this sample configuration, the following communication relations are created:
From group | To the destination group
Service | Station1
Service | Station2
Station1 | Station2
In this configuration example, communication is only from the group "Station1" to the group "Station2". In the opposite direction, no communication is possible. For the communication from the group "Station2" to the group "Station1", another communication relation is necessary. The group "Service" can also communicate with the groups "Station1" and "Station2", but they cannot communicate with "Service".

Procedure
1. In the navigation area, click "Remote connections" > "Participant groups". The participant groups that have already been created are listed in the content area.
2. For "Station1", click on the icon in the "Actions" column. The page "Destination group" is opened.
3. Enable "Station2" and click on "Save".
4. Click "Exit dialog".
5. For "Service", click the symbol in the "Actions" column. The page "Destination group" is opened.
6. Enable "Station1" and "Station2". Click "Save".
7. Click "Exit dialog".

Result
The communication relations have been created. Click "Remote connections" > "Communication relations" in the navigation area. The created relations are listed in the content area.
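Communication relations are directional, and the "Members may communicate" flag set when the groups were created governs traffic inside a group. The following added example (not Siemens code, and not part of this Getting Started) models the three groups and three relations configured above and computes which participant may reach which, so that the statement "Station2 cannot reach Station1" can be checked for every ordered pair rather than read off the table. The class and method names and the member "ServiceClient" of the Service group are this example's own assumptions.

```python
"""Directional reachability check for SINEMA RC participant groups and communication relations.

Added example, not Siemens code. Groups, relations and the "Members may communicate"
flag follow this example's configuration; the Service group member name is constructed.
"""
from __future__ import annotations
from typing import Dict, List, Set, Tuple


class ParticipantPolicy:
    """Minimal model: a participant belongs to groups; a relation is a directed
    (from_group -> to_group) edge; traffic inside one group needs the group flag."""

    def __init__(self) -> None:
        self.members: Dict[str, Set[str]] = {}        # group -> participants
        self.may_communicate: Dict[str, bool] = {}    # group -> "Members may communicate"
        self.relations: Set[Tuple[str, str]] = set()  # (from_group, to_group)

    def add_group(self, name: str, members_may_communicate: bool) -> None:
        self.members[name] = set()
        self.may_communicate[name] = members_may_communicate

    def add_member(self, group: str, participant: str) -> None:
        self.members[group].add(participant)

    def add_relation(self, from_group: str, to_group: str) -> None:
        self.relations.add((from_group, to_group))

    def groups_of(self, participant: str) -> Set[str]:
        return {g for g, m in self.members.items() if participant in m}

    def allowed(self, src: str, dst: str) -> bool:
        """True if `src` may initiate communication to `dst`. Direction matters:
        a relation Station1 -> Station2 does not imply Station2 -> Station1."""
        for sg in self.groups_of(src):
            for dg in self.groups_of(dst):
                if sg == dg and self.may_communicate[sg]:
                    return True
                if (sg, dg) in self.relations:
                    return True
        return False

    def matrix(self, participants: List[str]) -> Dict[Tuple[str, str], bool]:
        """Every ordered pair, for reviewing the effective policy at a glance."""
        return {(a, b): self.allowed(a, b)
                for a in participants for b in participants if a != b}


def example_policy() -> ParticipantPolicy:
    """The groups and relations of this configuration example."""
    p = ParticipantPolicy()
    for g in ("Station1", "Station2", "Service"):
        p.add_group(g, members_may_communicate=True)
    p.add_member("Station1", "M874_1")
    p.add_member("Station2", "M874_2")
    p.add_member("Service", "ServiceClient")  # constructed name for a SINEMA RC Client
    p.add_relation("Service", "Station1")
    p.add_relation("Service", "Station2")
    p.add_relation("Station1", "Station2")
    return p


if __name__ == "__main__":
    pol = example_policy()
    for (a, b), ok in sorted(pol.matrix(["M874_1", "M874_2", "ServiceClient"]).items()):
        print(f"{a:>14} -> {b:<14} {'allowed' if ok else 'blocked'}")
```

Printing the full matrix is the useful habit here: it makes the three permitted directions and the six blocked ones explicit, which is what a change review of the relations page needs.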

3.3.4 Configuring a remote connection on the M87x

3.3.4.1 Secure VPN connection with fingerprint

Requirement
- On PC1/2 there are two Web browser windows open: Web browser 1 for access to Web Based Management of SCALANCE M874, Web browser 2 for access to SINEMA RC.
- A valid KEY-PLUG is inserted in the M87x.

Procedure
1. Change to the Web browser for access to Web Based Management of the SCALANCE M874. In the address box of the Web browser, enter the LAN IP address of the SCALANCE M874, see table "Settings used (Page 133)". Log in as the "admin" user with the corresponding password. Click "System" > "SINEMA RC" in the navigation area. For "Sinema RC Address", enter the WAN IP address of the SINEMA RC Server, see table "Settings used (Page 133)".
2. Change to the Web browser for access to SINEMA RC. In the address box of the Web browser, enter the WAN IP address of the server, see table "Settings used (Page 133)". Log in as the "admin" user with the corresponding password. In the navigation area, click "Remote connections" > "Devices". Click on the symbol in "Actions" to open the device information. Holding down the left mouse button, select the entry for the device ID. Right-click on the selection and in the shortcut menu, select the copy command.
3. Change to the Web browser for access to Web Based Management of the SCALANCE M874. Right-click in the input box of "Device ID". In the shortcut menu, select the menu command for pasting. For "Device Password", enter the password that you configured for access, An:t_010 for M874-1 and An:t_020 for M874-2. Enable "Auto Firewall / NAT Rules". When enabled, the suitable NAT and firewall rules are created automatically. For "Verification Type", select "Fingerprint".

4. Change to the Web browser for access to SINEMA RC. Holding down the left mouse button, select the entry for the fingerprint. Right-click on the selection and in the shortcut menu, select the copy command.
5. Change to the Web browser for access to Web Based Management of the SCALANCE M874. Right-click in the input box of "Fingerprint". In the shortcut menu, select the menu command for pasting. Select "Enable SINEMA RC". Click "Set Values".

Result
The device establishes a VPN tunnel to the SINEMA RC Server. You can check in the WBM to see whether the connection was successful.
In the Web browser for access to Web Based Management of SCALANCE M874: In the navigation area, click "Information" > "SINEMA RC".

In the Web browser for access to SINEMA RC: Click "Remote connections" > "Devices" in the navigation area.
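With "Verification Type" set to "Fingerprint", the value pasted into the M874 is what the device later compares against the certificate the server presents when the tunnel is set up. The following added example (not Siemens code, and not part of this Getting Started) illustrates that comparison in isolation: it derives a fingerprint from certificate bytes, normalises the copied string so that colons, spaces and letter case from the copy-and-paste do not matter, and compares in constant time. The certificate bytes are a constructed placeholder rather than a real certificate, SHA-256 over the DER encoding is assumed as the fingerprint algorithm, and the function names are this example's own; the page does not state which hash or display format SINEMA RC uses.

```python
"""Comparing a pasted certificate fingerprint with the certificate actually received.

Added example, not Siemens code. The certificate bytes are a constructed placeholder
(not a real DER certificate) and SHA-256 over the DER bytes is assumed as the
fingerprint algorithm.
"""
import hashlib
import hmac
import re


def fingerprint(der_bytes: bytes, algo: str = "sha256") -> str:
    """Hex fingerprint of a DER-encoded certificate, colon-separated, uppercase."""
    digest = hashlib.new(algo, der_bytes).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(fp: str) -> str:
    """Strip separators, whitespace and case so copy/paste variations still compare equal."""
    return re.sub(r"[^0-9a-f]", "", fp.lower())


def fingerprint_matches(expected: str, der_bytes: bytes, algo: str = "sha256") -> bool:
    """Constant-time comparison of the pasted fingerprint with the received certificate.
    A truncated paste (wrong length) never matches."""
    got = normalize(fingerprint(der_bytes, algo))
    exp = normalize(expected)
    return len(exp) == len(got) and hmac.compare_digest(exp, got)


# Constructed stand-in for the server certificate shown in the SINEMA RC device information.
SERVER_CERT_DER = b"\x30\x82\x01\x0a" + b"constructed placeholder, not a real certificate" * 4
PASTED_FINGERPRINT = fingerprint(SERVER_CERT_DER)  # what the administrator copied in step 4
# A different certificate: what a connection that ended up at the wrong server would present.
OTHER_CERT_DER = SERVER_CERT_DER[:-1] + b"!"

if __name__ == "__main__":
    print("pasted fingerprint:", PASTED_FINGERPRINT)
    print("matches server certificate:", fingerprint_matches(PASTED_FINGERPRINT, SERVER_CERT_DER))
    print("matches other certificate: ", fingerprint_matches(PASTED_FINGERPRINT, OTHER_CERT_DER))
```

The length check before `hmac.compare_digest` is what turns a partially pasted fingerprint into a hard failure instead of a silent prefix match, which is the failure mode worth guarding against when the value travels through a clipboard.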

3.3.4.2 Secure VPN connection with CA certificate

Loading a certificate

Requirement
- The correct time is set on the M874 and the SINEMA RC Server.
- On PC1/2 there are two Web browser windows open.

Procedure
1. Change to the Web browser for access to SINEMA RC. In the address box of the Web browser, enter the WAN IP address of the SINEMA RC Server, see table "Settings used (Page 133)". Log in as the "admin" user with the corresponding password. Click "Security" > "Certificates" in the navigation area. Click on the symbol in "Actions" to export the certificate.
2. Change to the Web browser for access to Web Based Management of the SCALANCE M874. In the address box of the Web browser, enter the LAN IP address of the M874, see table "Settings used (Page 133)". Log in as the "admin" user with the corresponding password. Click on "System" > "Load&Save" in the navigation area and on the "Passwords" tab in the content area. Enter the device password in "X509Cert". Enable the entry and click on "Set Values". Click on the "HTTP" tab in the content area. Click the "Load" button next to "X509Cert". The dialog for loading a file is opened. Navigate to the exported server certificate. Click the "Open" button in the dialog. The file is now loaded on the device. After loading successfully, confirm the next dialog with "OK".

Result
The certificates are loaded. Certificates are displayed in "Security" > "Certificates". The loaded certificates must have the status "Valid".

Configuring a VPN connection to the SINEMA RC Server

Requirement
A valid SINEMA RC KEY-PLUG is inserted in the M87x.

Procedure
1. Change to the Web browser for access to Web Based Management of the SCALANCE M874. Click "System" > "SINEMA RC" in the navigation area. For "Sinema RC Address", enter the WAN IP address of the SINEMA RC Server, see table "Settings used (Page 133)".
2. Change to the Web browser for access to SINEMA RC. In the navigation area, click "Remote connections" > "Devices". Click on the symbol in "Actions" to open the device information. Holding down the left mouse button, select the entry for the device ID. Right-click on the selection and in the shortcut menu, select the copy command.
3. Change to the Web browser for access to Web Based Management of the SCALANCE M874. Right-click in the input box of "Device ID". In the shortcut menu, select the menu command for pasting. For "Device Password", enter the password that you configured for access, An:t_010 for M874-1 and An:t_020 for M874-2. Enable "Auto Firewall / NAT Rules". When enabled, the suitable NAT and firewall rules are created automatically. For "Verification Type", select "CA Certificate". In "CA Certificate", select the server certificate. Only loaded certificates can be selected.

   Activate "Enable SINEMA RC" and click on "Set Values".

Result
The device establishes a VPN tunnel to the SINEMA RC Server. You can check in the WBM to see whether the connection was successful.
Web browser 1: In the navigation area, click "Information" > "SINEMA RC".

Web browser 2: Click "Remote connections" > "Devices" in the navigation area.

3.4 VPN tunnel between two M-800s

3.4.1 Procedure in principle
In this example, a secure VPN connection with certificates is established between two SCALANCE M-800 devices. In this example of a configuration, the SCALANCE M81x in the master station is the VPN server, and this can be reached from the WAN via its fixed IP address. The SCALANCE M87x in the station is the VPN client that establishes the connection to the VPN server when necessary.

Layout

Internal network 1 / 2 - connection to SCALANCE M
In the test setup in the internal network, a network node is implemented by an Admin PC or SIMATIC station connected to an Ethernet interface of the SCALANCE M-800.
- Admin PC: Represents a node in the internal network
- M87x\M81x: SCALANCE M module for protection of the internal network
- Connection to the external, public network: Wireless via the antenna of the M87x to the mobile wireless network. Wired via the RJ-45 jack of the M81x to ADSL.

Required devices/components
Use the following components to set up the network:
Connection to the mobile wireless network
- 1 x M874 (additional option: a suitably installed standard rail with fittings)
- 1 x 24 V power supply with cable connector and terminal block plug
- 1 x suitable antenna
- 1 x SIM card of your mobile wireless provider. Suitable services are enabled, e.g. Internet.
Connecting to ADSL
- 1 x M812 or 1 x M816 (optionally also: a suitably installed standard rail with fittings)
- 1 x 24 V power supply with cable connector and terminal block plug
- ADSL access is enabled
- 1 x PC with which the SCALANCE M is connected
- The required network cable, TP cable (twisted pair) complying with the IE FC RJ-45 standard for Industrial Ethernet

Settings used
For the configuration example, the devices are given the following IP address settings:

Master station
Device | Interface | VLAN | IP address
M81x | ADSL (external) | Vlan 2 | Fixed IP address, e.g. 90.90.90.90 (VPN server); provider dependent. As an alternative, the DDNS hostname can also be used.
M81x | Ethernet (internal) | Vlan 1 | 192.168.100.1, subnet mask 255.255.255.0
Admin PC | Ethernet (internal) | | 192.168.100.20, subnet mask 255.255.255.0

Station 1
Device | Interface | VLAN | IP address
M87x | Mobile wireless (external) | Vlan 2 | Dynamic IP address (VPN client)
M87x | Ethernet (internal) | Vlan 1 | 192.168.11.2, subnet mask 255.255.255.0
Admin PC | Ethernet (internal) | | 192.168.11.40, subnet mask 255.255.255.0

Note
For the devices located in the internal network, the IP address of the internal port must be entered as the standard gateway.

Requirement
- The SCALANCE M87x/SCALANCE M81x is connected to the WAN, refer to "Connecting SCALANCE M to the WAN (Page 11)".
- The SCALANCE M87x/SCALANCE M81x can be reached via the Admin PC and you are logged in to the WBM as "admin".
- The "Security Configuration Tool V4.x" is installed.

Steps in configuration
1. Configuring a VPN tunnel with the SCT
   Creating the project and modules (Page 156)
   Configuring a tunnel connection (Page 159)
   Configuring VPN parameters (Page 160)
   Saving the M-800 configuration (Page 161)
2. Configuring the SCALANCE M81x (VPN server)
   Loading a certificate (Page 162)
   Configuring the VPN remote end (Page 164)
   Configuring a VPN connection (Page 165)
   Configuring VPN authentication (Page 165)
   Configuring phase 1 and phase 2 (Page 166)
   Activating VPN (Page 168)
   Establishing the VPN connection (Page 168)
3. Configuring the SCALANCE M87x (VPN client)
   Loading a certificate (Page 169)
   Configuring the VPN remote end (Page 171)
   Configuring a VPN connection (Page 172)
   Configuring VPN authentication (Page 172)
   Configuring phase 1 and phase 2 (Page 173)
   Activating VPN (Page 175)
   Establishing the VPN connection (Page 175)
4. Displaying the status of the VPN connection (Page 176)

3.4.2 Configuring a VPN tunnel with the SCT

3.4.2.1 Creating the project and modules

Procedure
1. Start the Security Configuration Tool V4.x on the PC.
2. Select the menu command "Project" > "New".
3. In the dialog that follows, create a new user with a user name and the corresponding password. The "administrator" role is assigned to the user automatically.
4. Confirm the dialog with "OK". A new project has been created and the "Selection of a module or software configuration" dialog is open.

5. Enter the values assigned to the M87x from the "Settings used (Page 153)" table. With the M87x, the external IP address is not relevant. For the IP address (ext), use the default settings.
6. Close the dialog with "OK".
7. Generate a second module with the "Insert" > "Module" menu command.

8. Enter the values assigned to the M81x from the "Settings used (Page 153)" table.
9. Close the dialog with "OK".

Result
The devices will then be displayed in the list of configured modules.

3.4.2.2 Configuring a tunnel connection
A VPN tunnel for secure communication can only be established if the SCALANCE M81x and the SCALANCE M87x are assigned to the same group.

Procedure
1. Select "VPN groups" in the navigation area and create a new group with the menu command "Insert" > "Group". The group is automatically given the name "Group1".
2. Select the "All modules" entry in the navigation area.
3. Select the two entries in the content area. Drag the modules to "Group1". Both modules are now assigned to "Group1".
4. Change to advanced mode with the menu command "View" > "Advanced mode".
5. Open the group properties of Group1 by selecting the "Properties..." shortcut menu.

6. For this configuration example, configure the group properties with the following settings.
7. Close the dialog with "OK".

Result
The configuration of the tunnel connection is complete.

3.4.2.3 Configuring VPN parameters
In this configuration example, the M81x (VPN server) is "passive". The M81x waits for the partner M87x to initiate the connection establishment.

Procedure

Configuring VPN parameters for M81x (VPN server)
1. Select the "M81xServer" in the content area.
2. Select the menu command "Edit" > "Properties". Click the "VPN" tab.
3. Click on the "VPN" tab.
4. For "Permission to initiate connection establishment", select the "Wait for partner (responder)" entry.
5. Enter the WAN IP address, e.g. 90.90.90.90.
6. Click "Apply" and close the dialog with "OK".

Configuring VPN parameters for M87x (VPN client)
1. Select the "M81xServer" in the content area.
2. Select the menu command "Edit" > "Properties". Click on the "VPN" tab.
3. Click on the "VPN" tab.
4. For "Permission to initiate connection establishment", select the "Start connection to partner (initiator/responder)" entry.
5. Click "Apply" and close the dialog with "OK".
6. Select the "Project" > "Save" menu command. Save the security project under the required name.

Result
The security project is configured. The settings are saved in the configuration file.

3.4.2.4 Saving the configuration

Procedure
1. In the content area, select the "M81xServer" and select the menu command "Transfer" > "To module(s)".
2. Save the configuration file "Projectname.M81xServer.txt" in your project folder and assign a password for the private key of the certificate, e.g. Di1S+Xo?.
3. In the content area, select the "M87xClient" and select the menu command "Transfer" > "To module(s)".
4. Save the configuration file "Projectname.M87xClient.txt" in your project folder and assign a password for the private key of the certificate, e.g. Di1S+Xo?.

Result
The following files will be saved in the project directory:
- Configuration file: Project name of the module.txt
- PKCS12 file: Project name.string.name of the module.p12
- Remote certificate: Projectname.group1module name.cer
The configuration file contains the exported configuration information for the SCALANCE M-800 devices, including information on the additionally generated certificates. Follow the instructions in the configuration file.

3.4.3 Configuring the SCALANCE M81x (VPN server)

3.4.3.1 Loading a certificate
The certificates are necessary to authenticate the VPN node and therefore for the establishment of a secure VPN connection. You obtain the information on which certificate is to be loaded on which device from the configuration file.

Requirement
- The correct time is set on the SCALANCE M-800, refer to the section Setting the time (Page 27).
- Certificates are available. You saved the required certificates on the PC in the last section and assigned a password for the private key. Transfer the certificates for the SCALANCE M-800 to the Admin PC.

Procedure
1. Click on "System" > "Load&Save" in the navigation area and on the "Passwords" tab in the content area.
2. To load the file successfully on the SCALANCE M, enter the password specified for the file in the line "X509Cert" in "Password" and "Password confirmation". When you saved the configuration files of the SCALANCE M from the Security Configuration Tool, you were requested to assign a password for the private key of the certificate or to use the project name for this.
3. Enable the password.

4. Click on "Set Values".
5. Click on the "HTTP" tab in the content area.
6. For "X509Cert" click the "Loading" button. The dialog for loading a file is opened.

7. Click the "Open" button in the dialog. The file is now loaded on the device. After loading successfully, confirm the next dialog with "OK".
8. Repeat steps 5 and 6 for the PKCS12 file.

Result
Certificates are loaded and are displayed in "Security" > "Certificates". The loaded certificates must have the status "Valid".

3.4.3.2 Configuring the VPN remote end
In this configuration example the M81x in the master station is the VPN server that accepts the connection of VPN partners with any IP address.

Procedure
1. Click on "Security" > "IPsec VPN" in the navigation area and on the "Remote End" tab in the content area.
2. Enter the name of the VPN partner (tunnel endpoint) in "Remote End Name", e.g. VPN_Client_M87x.
3. Click "Create". A new row is created in the table.
4. Configure the VPN remote end with the following settings from the configuration file:
   Remote Mode    Standard
   Remote Type    Any              Accepts the connection from VPN partners with any IP address from the remote subnet.
   Remote Subnet  192.168.11.0/24  The subnet that can be reached through the VPN tunnel.
5. Click on "Set Values".

3.4.3.3 Configuring a VPN connection
Requirement
The VPN remote end has been created.

Procedure
1. Click on "Security" > "IPsec VPN" in the navigation area and on the "Connections" tab in the content area.
2. In "Connection Name" enter a name for the VPN connection.
3. Configure the VPN connection with the following settings:
   Operation        Disabled
   Keying Protocol  IKEv2
   Remote End       VPN_Client_M87x   Name of the VPN remote station.
   Local Subnet     192.168.100.0/24  The local subnet (1) in CIDR notation.
4. Click on "Set Values".

3.4.3.4 Configuring VPN authentication
For secure communication via VPN, all VPN partners need to authenticate themselves with each other. In this configuration example, the certificate of the VPN remote station is used.

Procedure
1. Click on "Security" > "IPsec VPN" in the navigation area and on the "Authentication" tab in the content area.
2. Configure the VPN authentication with the following settings:
   Authentication      Remote Cert
   Local certificate   from the configuration file
   Remote Certificate  from the configuration file
   Remote ID           from the configuration file
   The precise names of the certificates and the remote ID can be found in the relevant configuration file.
3. Click on "Set Values".

3.4.3.5 Configuring phase 1 and phase 2
The settings must match on both devices.

Configuring phase 1
1. Click on "Security" > "IPsec VPN" in the navigation area and on the "Phase 1" tab in the content area.
2. Deselect the "Default Ciphers" check box.
3. Select the "DPD" check box.

4. Configure phase 1 with the following settings from the configuration file:
   Encryption        AES 128
   Authentication    SHA1
   Key Derivation    DH group 14
   Lifetime [min]    2880
   DPD Period [sec]  60
   Aggressive Mode   no
5. Click on "Set Values".

Configuring phase 2
1. Click on "Security" > "IPsec VPN" in the navigation area and on the "Phase 2" tab in the content area.
2. Leave the "Default Ciphers" check box enabled. When enabled, a preset list is transferred to the VPN connection partner during connection establishment. The list contains combinations of the three algorithms (Encryption, Authentication, Key Derivation). To establish a VPN connection, the VPN connection partner must support at least one of the combinations. The selection depends on the key exchange method.
3. Select the "DPD" check box.
4. Configure phase 2 with the following settings from the configuration file:
   Encryption      AES128
   Authentication  SHA1
   Key Derivation  DH group 14
   Lifetime [min]  2880

5. Enable "Auto Firewall Rules". The firewall rule is created automatically for the VPN connection.
6. Click on "Set Values".

3.4.3.6 Activating VPN
Procedure
1. Click on "Security" > "IPsec VPN" in the navigation area and on the "General" tab in the content area.
2. Enable the "IPsec VPN" setting.
3. Click on "Set Values".

3.4.3.7 Establishing the VPN connection
The M81x (VPN server) is configured as the responder.

Procedure
1. Click on "Security" > "IPsec VPN" in the navigation area and on the "Connections" tab in the content area.
2. As "Operation", select "wait" and click "Set Values".

3.4.4 Configuring the SCALANCE M87x (VPN client)

3.4.4.1 Loading a certificate
The certificates are necessary to authenticate the VPN node and therefore for the establishment of a secure VPN connection. You obtain the information on which certificate is to be loaded on which device from the configuration file.

Requirement
- The correct time is set on the SCALANCE M-800, refer to the section Setting the time (Page 27).
- Certificates are available. You saved the required certificates on the PC in the last section and assigned a password for the private key. Transfer the certificates for the SCALANCE M-800 to the Admin PC.

Procedure
1. Click on "System" > "Load&Save" in the navigation area and on the "Passwords" tab in the content area.
2. To load the file successfully on the SCALANCE M, enter the password specified for the file in the line "X509Cert" in "Password" and "Password confirmation". When you saved the configuration files of the SCALANCE M from the Security Configuration Tool, you were requested to assign a password for the private key of the certificate or to use the project name for this.

3. Enable the password.
4. Click on "Set Values".
5. Click on the "HTTP" tab in the content area.
6. For "X509Cert" click the "Loading" button. The dialog for loading a file is opened.

7. Click the "Open" button in the dialog. The file is now loaded on the device. After loading successfully, confirm the next dialog with "OK".
8. Repeat steps 5 and 6 for the PKCS12 file.

Result
Certificates are loaded and are displayed in "Security" > "Certificates". The loaded certificates must have the status "Valid".

3.4.4.2 Configuring the VPN remote end
In the configuration example, the M87x in the station is the VPN client that establishes the connection to the VPN server with a fixed IP address.

Procedure
1. Click on "Security" > "IPsec VPN" in the navigation area and on the "Remote End" tab in the content area.
2. Enter the name of the VPN partner (tunnel endpoint) in "Remote End Name", e.g. VPN_Server_M81x.
3. Click "Create". A new row is created in the table.
4. Configure the VPN remote end with the following settings from the configuration file:
   Remote Mode     Standard
   Remote Type     Manual
   Remote Address  Fixed external IP address of the M81x, e.g. 90.90.90.90
   Remote Subnet   192.168.100.0/24  The subnet that can be reached through the VPN tunnel.
5. Click on "Set Values".

3.4.4.3 Configuring a VPN connection
Requirement
The VPN remote end has been created.

Procedure
1. Click on "Security" > "IPsec VPN" in the navigation area and on the "Connections" tab in the content area.
2. In "Connection Name" enter a name for the VPN connection.
3. Configure the VPN connection with the following settings:
   Operation        Disabled
   Keying Protocol  IKEv2
   Remote End       VPN_Server_M81x  Name of the VPN remote station.
   Local Subnet     192.168.11.0/24  The local subnet (1) in CIDR notation.
4. Click on "Set Values".

3.4.4.4 Configuring VPN authentication
For secure communication via VPN, all VPN partners need to authenticate themselves with each other. In this configuration example, the certificate of the VPN remote station is used.

Procedure
1. Click on "Security" > "IPsec VPN" in the navigation area and on the "Authentication" tab in the content area.
2. Configure the VPN authentication with the following settings:
   Authentication      Remote Cert
   Local certificate   from the configuration file
   Remote Certificate  from the configuration file
   Remote ID           from the configuration file
   The precise names of the certificates and the remote ID can be found in the relevant configuration file.
3. Click on "Set Values".

3.4.4.5 Configuring phase 1 and phase 2
The settings must match on both devices.

Configuring phase 1
1. Click on "Security" > "IPsec VPN" in the navigation area and on the "Phase 1" tab in the content area.
2. Deselect the "Default Ciphers" check box.
3. Select the "DPD" check box.

4. Configure phase 1 with the following settings from the configuration file:
   Encryption        AES 128
   Authentication    SHA1
   Key Derivation    DH group 14
   Lifetime [min]    2880
   DPD Period [sec]  60
   Aggressive Mode   no
5. Click on "Set Values".

Configuring phase 2
1. Click on "Security" > "IPsec VPN" in the navigation area and on the "Phase 2" tab in the content area.
2. Leave the "Default Ciphers" check box enabled. When enabled, a preset list is transferred to the VPN connection partner during connection establishment. The list contains combinations of the three algorithms (Encryption, Authentication, Key Derivation). To establish a VPN connection, the VPN connection partner must support at least one of the combinations. The selection depends on the key exchange method.
3. Select the "DPD" check box.
4. Configure phase 2 with the following settings from the configuration file:
   Encryption      AES128
   Authentication  SHA1
   Key Derivation  DH group 14
   Lifetime [min]  2880

5. Enable "Auto Firewall Rules". The firewall rule is created automatically for the VPN connection.
6. Click on "Set Values".

3.4.4.6 Activating VPN
Procedure
1. Click on "Security" > "IPsec VPN" in the navigation area and on the "General" tab in the content area.
2. Enable the "IPsec VPN" setting.
3. Click on "Set Values".

3.4.4.7 Establishing the VPN connection
The M87x (VPN client) is configured as the initiator of the VPN tunnel and establishes the VPN connection to the SCALANCE M81x (VPN server).

Procedure
1. Click on "Security" > "IPsec VPN" in the navigation area and on the "Connections" tab in the content area.
2. As "Operation", select "start" and click "Set Values".

3.4.5 Displaying the status of the VPN connection
The devices are configured and connected to the Internet. The M87x (VPN client) starts connection establishment to the M81x (VPN server). To display the status of the VPN connection, you have the following options:
- Status display in the WBM
- LED display

Status display in the WBM
In the navigation area, click "Information" > "IPsec VPN". "Status" displays the status of the configured VPN connection.

LED display
If the VPN connection is established, the LED is lit green on the device.

4 NETMAP with SCALANCE M-800

In these examples, two different IP subnets are connected together via a SCALANCE M-800. Between the two SCALANCE M devices a VPN tunnel is established. The VPN connection is initiated by the M876. Via the established tunnel, the addresses are translated with NETMAP. In this translation, the subnet part of the IP address is changed and the host part remains. NETMAP can translate both the source IP address and the destination IP address.

Local area network - connection to SCALANCE M-800
In the test setup, in the local network, a network node is implemented by a PC connected to an Ethernet interface of the SCALANCE M-800.
- PC: represents a node in the local network
- M-800: SCALANCE M module for protection of the internal network
- Connection to the external network: wireless via the antenna of the M87x to the mobile wireless network.

Remote network - connection to M-800
In the test setup, in the remote network, the network node is likewise implemented by a PC connected to an Ethernet interface of the SCALANCE M-800.
- PC: represents a node in the remote network
- M-800: SCALANCE M module for protection of the external network
- Connection to the external network: wired via the RJ-45 jack of the M816 to ADSL.

Required devices/components
Use the following components to set up the network:

Connection to the mobile wireless network
- 1 x M876 (additional option: a suitably installed standard rail with fittings)
- 1 x 24 V power supply with cable connector and terminal block plug
- 1 x suitable antenna
- 1 x SIM card of your mobile wireless provider. Suitable services are enabled, e.g. Internet.

Connecting to ADSL
- 1 x M816 (additional option: a suitably installed standard rail with fittings)
- 1 x 24 V power supply with cable connector and terminal block plug
- ADSL access is enabled

Both sides
- 2 x PCs connected to the SCALANCE M-800.
- The required network cable, TP cable (twisted pair) complying with the IE FC RJ-45 standard for Industrial Ethernet

Note
You can also use other SCALANCE M-800 devices. The configuration described below relates explicitly to the components mentioned in the Section "Required devices/components".

Settings used
For the configuration example, the devices are given the following IP address settings:

Station (IP subnet 1)
   Name  Interface                 IP address
   M876  LAN interface P1 (vlan1)  192.168.20.1, 255.255.255.0
         WAN interface (ppp0)      Dynamic IP address from the provider. The device is, however, reachable via a dynamic DNS service, e.g. example.no-ip.com
   PC1   LAN interface             192.168.20.20, 255.255.255.0

Master station (IP subnet 2)
   Name  Interface                 IP address
   M816  LAN interface P1 (vlan1)  192.168.10.1, 255.255.255.0
         WAN interface (ppp0)      Fixed IP address (WAN IP address), e.g. 91.19.6.84
   PC2   Ethernet (LAN 2)          192.168.10.10, 255.255.255.0

Examples
There are the following examples of NETMAP:
1. NETMAP for the local network (Page 180)
2. NETMAP for the remote network (Page 184)
3. NETMAP for the local and remote network (Page 189)

4.1 NETMAP for the local network

With NETMAP of the local network, the source address (1), e.g. 192.168.20.20, is translated (the numbers in parentheses refer to the positions in the figure of the original document). In this translation, the subnet part of the IP address is changed and the host part remains. In the example, the subnet part is 192.168.20.0. This subnet part is replaced by 192.168.200.0. The source IP address is translated by the M876 (2) and forwarded to the destination (3). With incoming queries (3), the destination IP address 192.168.200.0 is replaced by 192.168.20.0. The destination IP address is translated by the M876 (2) and forwarded to the destination (1).

Only the NETMAP rules for the direction of the query are necessary. The NETMAP rules for the replies are added implicitly. When PC1 sends a query to PC2, the reply is translated based on it. This, however, does not apply to queries from PC2 to PC1. For this, the following NETMAP rules are created on the M876 (initiator):
- Local network > remote network: the source IP subnet 192.168.20.0/24 is replaced by 192.168.200.0/24.
- Remote network > local network: the destination IP subnet 192.168.200.0/24 is replaced by 192.168.20.0/24.
The two devices also communicate via a VPN tunnel.

Requirement
- The SCALANCE M-800 is connected to the WAN, refer to "Connecting SCALANCE M-800 to the WAN (Page 45)".
- The SCALANCE M-800 can be reached via the admin PC and you are logged in to the WBM as a user with the role "admin".

Steps in configuration
The following steps are necessary to create NETMAP rules:
1. Creating a VPN connection (Page 181)
2. Creating NETMAP rules (Page 183)

4.1.1 Creating a VPN connection
Procedure
1. Click on "Security" > "IPsec VPN" in the navigation area and on the "General" tab in the content area.
2. Activate "Enable IPsec VPN" and click "Set Values".
3. Click on the "Remote End" tab in the content area and create the VPN partner with the following settings:
                    On the M816       On the M876
   Remote End Name  M876              M816
   Remote Mode      Standard          Standard
   Remote Type      Manual            Manual
   Remote Address   On the M816: reachable via a dynamic DNS service, e.g. example.no-ip.com
                    On the M876: fixed IP address (WAN IP address) of the M816, e.g. 91.19.6.84
   Remote Subnet    192.168.200.0/24  192.168.10.0/24
4. Click on the "Connections" tab in the content area and create the VPN connection with the following settings:
                    On the M816      On the M876
   Connection Name  M816_to_M876     M876_to_M816
   Operation        Disabled         Disabled
   Keying Protocol  IKEv2            IKEv2
   Remote End       M876             M816
   Local Subnet     192.168.10.0/24  192.168.20.0/24

5. Click on the "Authentication" tab in the content area and configure the VPN authentication with the following settings:
                           On the M816    On the M876
   Authentication          PSK            PSK
   Local ID                -              -
   Remote ID               -              -
   PSK / PSK Confirmation  e.g. 12345678  e.g. 12345678
6. Click on the "Phase 1" tab in the content area and configure the following settings (M816 / M876):
   DPD               enabled
   Encryption        AES256 CBC (M87x), AES256 (M81x)
   Authentication    SHA512
   Key Derivation    DH group 14
   Lifetime [min]    1440
   DPD Period [sec]  60
   Aggressive Mode   no
7. Click on the "Phase 2" tab in the content area and configure the following settings (M816 / M876):
   Encryption      AES256 CBC (M87x), AES256 (M816)
   Authentication  SHA512
   Key Derivation  DH group 14
   Lifetime [min]  1440

Result
The VPN connection on the devices is configured. To establish the VPN connection, click on the "Connections" tab in the content area. For "Operation" select the following and click "Set Values":
   Operation  On the M816: wait (Responder)  On the M876: start (Initiator)
The M876 establishes the VPN tunnel to the M816. If the VPN tunnel is established, the LED is lit green on the devices.

4.1.2 Creating NETMAP rules
Requirement
The VPN connection M876_to_M816 is configured, see Creating a VPN connection (Page 181).

Procedure
1. Click on "Layer 3" > "NAT" in the navigation area and on the "NETMAP" tab in the content area.
2. Specify the NETMAP rule for the outgoing queries with the following settings:
   Type                         Source
   Source Interface             vlan1
   Destination Interface        IPsec M876_to_M816
   Source IP Subnet             192.168.20.0/24
   Translated Source IP Subnet  192.168.200.0/24
   Destination IP Subnet        192.168.10.0/24
3. Click "Create". A new row is created in the table with the settings.
4. Specify the NETMAP rule for the incoming queries with the following settings:
   Type                              Destination
   Source Interface                  IPsec M876_to_M816
   Destination Interface             vlan1
   Source IP Subnet                  192.168.10.0/24
   Destination IP Subnet             192.168.200.0/24
   Translated Destination IP Subnet  192.168.20.0/24
5. Click "Create". A new row is created in the table with the settings.
6. Click on "Set Values".

Result
The rules for the outgoing and incoming queries have been created.

4.2 NETMAP for the remote network

With NETMAP of the remote network, the destination (1), e.g. 192.168.100.10, is translated. In the example, the subnet part is 192.168.100.0 and this is replaced by 192.168.10.0. This means that the remote network can be reached not only via 192.168.10.0 but also via 192.168.100.0. The destination IP address is translated by the M876 (2) and forwarded to the destination (3). With incoming queries (3), the source IP address 192.168.10.0 is replaced by 192.168.100.0. The source IP address is translated by the M876 (2) and forwarded to the destination (1).

Only the NETMAP rules for the direction of the query are necessary. The NETMAP rules for the replies are added implicitly. When PC1 sends a query to PC2, the reply is translated based on it. This, however, does not apply to queries from PC2 to PC1. For this, the following NETMAP rules are created on the M876 (initiator):
- Local network > remote network: the destination IP subnet 192.168.100.0/24 is replaced by 192.168.10.0/24.
- Remote network > local network: the source IP subnet 192.168.10.0/24 is replaced by 192.168.100.0/24.
The two devices should also communicate with each other via a VPN tunnel.

Requirement
- The SCALANCE M-800 is connected to the WAN, refer to "Connecting SCALANCE M-800 to the WAN (Page 11)".
- The SCALANCE M-800 can be reached via the Admin PC and you are logged in to the WBM as "admin".

Steps in configuration
The following steps are necessary:
1. Creating a VPN connection (Page 185)
2. Creating NETMAP rules (Page 187)

4.2.1 Creating a VPN connection
Procedure
1. Click on "Security" > "IPsec VPN" in the navigation area and on the "General" tab in the content area.
2. Activate "Enable IPsec VPN" and click "Set Values".

3. Click on the "Remote End" tab in the content area and create the VPN partner with the following settings:
                    On the M816      On the M876
   Remote End Name  M876             M816
   Remote Mode      Standard         Standard
   Remote Type      Manual           Manual
   Remote Address   On the M816: reachable via a dynamic DNS service, e.g. example.no-ip.com
                    On the M876: fixed IP address (WAN IP address) of the M816, e.g. 91.19.6.84
   Remote Subnet    192.168.20.0/24  192.168.10.0/24
4. Click on the "Connections" tab in the content area and create the VPN connection with the following settings:
                    On the M816      On the M876
   Connection Name  M816_to_M876_2   M876_to_M816_2
   Operation        Disabled         Disabled
   Keying Protocol  IKEv2            IKEv2
   Remote End       M876             M816
   Local Subnet     192.168.10.0/24  192.168.20.0/24
5. Click on the "Authentication" tab in the content area and configure the VPN authentication with the following settings:
                           On the M816    On the M876
   Authentication          PSK            PSK
   Local ID                -              -
   Remote ID               -              -
   PSK / PSK Confirmation  e.g. 12345678  e.g. 12345678

6. Click on the "Phase 1" tab in the content area and configure the following settings (M816 / M876):
   DPD               enabled
   Encryption        AES256 CBC (M87x), AES256 (M81x)
   Authentication    SHA512
   Key Derivation    DH group 14
   Lifetime [min]    1440
   DPD Period [sec]  60
   Aggressive Mode   no
7. Click on the "Phase 2" tab in the content area and configure the following settings (M816 / M876):
   Encryption      AES256 CBC (M87x), AES256 (M81x)
   Authentication  SHA512
   Key Derivation  DH group 14
   Lifetime [min]  1440

Result
The VPN connection on the devices is configured. To establish the VPN connection, click on the "Connections" tab in the content area. For "Operation" select the following and click "Set Values":
   Operation  On the M816: wait (Responder)  On the M876: start (Initiator)
The M876 establishes the VPN tunnel to the M816. If the VPN tunnel is established, the LED is lit green on the devices.

4.2.2 Creating NETMAP rules
Requirement
The VPN connection M876_to_M816_2 is configured, see Creating a VPN connection (Page 185).

Procedure
1. Click on "Layer 3" > "NAT" in the navigation area and on the "NETMAP" tab in the content area.
2. Specify the NETMAP rule for the outgoing queries with the following settings:
   Type                              Destination
   Source Interface                  vlan1
   Destination Interface             IPsec M876_to_M816_2
   Source IP Subnet                  192.168.20.0/24
   Destination IP Subnet             192.168.100.0/24
   Translated Destination IP Subnet  192.168.10.0/24
3. Click "Create". A new row is created in the table with the settings.
4. Specify the NETMAP rule for the incoming queries with the following settings:
   Type                         Source
   Source Interface             IPsec M876_to_M816_2
   Destination Interface        vlan1
   Source IP Subnet             192.168.10.0/24
   Translated Source IP Subnet  192.168.100.0/24
   Destination IP Subnet        192.168.20.0/24
5. Click "Create". A new row is created in the table with the settings.
6. Click on "Set Values".

Result
The rules for the outgoing and incoming queries have been created.

4.3 NETMAP for the local and remote network

In this example, the NETMAP rules from NETMAP for the local network (Page 180) and from NETMAP for the remote network (Page 184) are combined. There is, however, a special feature with the outgoing queries. Outgoing queries whose source IP address is translated from 192.168.20.0 to 192.168.200.0 must be able to have both the IP address 192.168.10.10 and 192.168.100.10 as the destination IP address. For translating the destination IP address a further NETMAP rule is required. The addresses are translated by the M876 (2) and forwarded to the destination (3). With the incoming query both IP addresses are exchanged.

Local network > remote network:
- The source IP subnet 192.168.20.0/24 is replaced by 192.168.200.0/24.
- The destination IP subnet 192.168.100.0/24 is replaced by 192.168.10.0/24.
- With queries with the destination IP subnet 192.168.100.0/24, the source IP subnet 192.168.20.0/24 is replaced by 192.168.200.0/24.

Remote network > local network:
- The destination IP subnet 192.168.200.0/24 is replaced by 192.168.20.0/24.
- The source IP subnet 192.168.10.0/24 is replaced by 192.168.100.0/24.
The two devices should also communicate with each other via a VPN tunnel.

Requirement
- The SCALANCE M-800 is connected to the WAN, refer to "Connecting SCALANCE M-800 to the WAN (Page 11)".
- The SCALANCE M-800 can be reached via the admin PC and you are logged in to the WBM as a user with the role "admin".

Steps in configuration
The following steps are necessary:
1. Creating a VPN connection (Page 190)
2. Creating NETMAP rules (Page 192)

4.3.1 Creating a VPN connection
Procedure
1. Click on "Security" > "IPsec VPN" in the navigation area and on the "General" tab in the content area.
2. Activate "Enable IPsec VPN" and click "Set Values".
3. Click on the "Remote End" tab in the content area and create the VPN partner with the following settings:
                    On the M816       On the M876
   Remote End Name  M876              M816
   Remote Mode      Standard          Standard
   Remote Type      Manual            Manual
   Remote Address   On the M816: reachable via a dynamic DNS service, e.g. example.no-ip.com
                    On the M876: fixed IP address (WAN IP address) of the M816, e.g. 91.19.6.84
   Remote Subnet    192.168.200.0/24  192.168.10.0/24

4. Click on the "Connections" tab in the content area and create the VPN connection with the following settings:
                    On the M816      On the M876
   Connection Name  M816_to_M876     M876_to_M816
   Operation        Disabled         Disabled
   Keying Protocol  IKEv2            IKEv2
   Remote End       M876             M816
   Local Subnet     192.168.10.0/24  192.168.20.0/24
5. Click on the "Authentication" tab in the content area and configure the VPN authentication with the following settings:
                           On the M816    On the M876
   Authentication          PSK            PSK
   Local ID                -              -
   Remote ID               -              -
   PSK / PSK Confirmation  e.g. 12345678  e.g. 12345678
6. Click on the "Phase 1" tab in the content area and configure the following settings (M816 / M876):
   DPD               enabled
   Encryption        AES256 CBC (M87x), AES256 (M81x)
   Authentication    SHA512
   Key Derivation    DH group 14
   Lifetime [min]    1440
   DPD Period [sec]  60
   Aggressive Mode   no
7. Click on the "Phase 2" tab in the content area and configure the following settings (M816 / M876):
   Encryption      AES256 CBC (M87x), AES256 (M816)
   Authentication  SHA512
   Key Derivation  DH group 14
   Lifetime [min]  1440

Result
The VPN connection on the devices is configured. To establish the VPN connection, click on the "Connections" tab in the content area.

For "Operation" select the following and click "Set Values":
   Operation  On the M816: wait (Responder)  On the M876: start (Initiator)
The M876 establishes the VPN tunnel to the M816. If the VPN tunnel is established, the LED is lit green on the devices.

4.3.2 Creating NETMAP rules
Requirement
- The VPN connection M876_to_M816_2 is configured, see Creating a VPN connection (Page 190).
- The NETMAP rules for the local network (Page 187) have been created.
- The NETMAP rules for the remote network (Page 183) have been created.

Procedure
1. Click on "Layer 3" > "NAT" in the navigation area and on the "NETMAP" tab in the content area.
2. Specify the NETMAP rule for the outgoing queries with the following settings:
   Type                         Source
   Source Interface             vlan1
   Destination Interface        IPsec M876_to_M816_2
   Source IP Subnet             192.168.20.0/24
   Translated Source IP Subnet  192.168.100.0/16
   Destination IP Subnet        192.168.200.0/24
3. Click "Create". A new row is created in the table with the settings.
4. Click on "Set Values".

Result
The rules for the outgoing and incoming queries have been created.
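The three NETMAP scenarios of sections 4.1, 4.2 and 4.3 as an added Python model; this is not code from the manual or from the device. It implements the subnet-part replacement, the explicit rules of the "NETMAP" table (rule sets of 4.1.2, 4.2.2 and the 4.3 rules as described in that section's text) and the implicit translation of replies, which is modelled here with a flow table as an assumption about the device's behaviour; interface names and addresses are the manual's, the engine's internals are assumed.

```python
import ipaddress
from dataclasses import dataclass


def netmap(addr: str, old_net: str, new_net: str) -> str:
    """NETMAP translation of one address: the subnet part (old_net's prefix) is
    replaced by new_net's prefix and the host part is kept unchanged."""
    old, new = ipaddress.ip_network(old_net), ipaddress.ip_network(new_net)
    if old.prefixlen != new.prefixlen:
        raise ValueError("NETMAP needs equally sized subnets")
    a = ipaddress.ip_address(addr)
    if a not in old:
        raise ValueError(f"{addr} is not in {old_net}")
    host_part = int(a) & int(old.hostmask)
    return str(ipaddress.ip_address(int(new.network_address) | host_part))


@dataclass(frozen=True)
class NetmapRule:
    """One row of the WBM "NETMAP" table (field names as in the manual)."""
    kind: str        # Type: "source" or "destination" (which address is rewritten)
    src_if: str      # Source Interface
    dst_if: str      # Destination Interface
    src_net: str     # Source IP Subnet
    dst_net: str     # Destination IP Subnet
    translated: str  # Translated Source IP Subnet / Translated Destination IP Subnet

    def matches(self, in_if: str, out_if: str, src: str, dst: str) -> bool:
        return (in_if == self.src_if and out_if == self.dst_if
                and ipaddress.ip_address(src) in ipaddress.ip_network(self.src_net)
                and ipaddress.ip_address(dst) in ipaddress.ip_network(self.dst_net))


class NetmapEngine:
    """Applies the explicit rules to queries and the implicit reverse translation
    to replies of queries it has already seen (assumed flow-table behaviour)."""

    def __init__(self, rules):
        self.rules = list(rules)
        self.replies = {}  # (in_if, out_if, src, dst) of an expected reply -> translated (src, dst)

    def translate(self, in_if: str, out_if: str, src: str, dst: str):
        key = (in_if, out_if, src, dst)
        if key in self.replies:  # reply to a tracked query: no explicit rule required
            return self.replies[key]
        src_out, dst_out, applied = src, dst, set()
        for r in self.rules:  # at most one source and one destination rule fire,
            if r.kind in applied or not r.matches(in_if, out_if, src, dst):
                continue  # and both are matched against the untranslated packet
            if r.kind == "source":
                src_out = netmap(src, r.src_net, r.translated)
            else:
                dst_out = netmap(dst, r.dst_net, r.translated)
            applied.add(r.kind)
        if applied:  # the reply arrives with the translated addresses swapped
            self.replies[(out_if, in_if, dst_out, src_out)] = (dst, src)
        return src_out, dst_out


VPN = "IPsec M876_to_M816"  # interface name of the tunnel on the M876 (initiator)

LOCAL_NET_RULES = [  # section 4.1.2, steps 2 and 4
    NetmapRule("source", "vlan1", VPN, "192.168.20.0/24", "192.168.10.0/24", "192.168.200.0/24"),
    NetmapRule("destination", VPN, "vlan1", "192.168.10.0/24", "192.168.200.0/24", "192.168.20.0/24"),
]
REMOTE_NET_RULES = [  # section 4.2.2, steps 2 and 4
    NetmapRule("destination", "vlan1", VPN, "192.168.20.0/24", "192.168.100.0/24", "192.168.10.0/24"),
    NetmapRule("source", VPN, "vlan1", "192.168.10.0/24", "192.168.20.0/24", "192.168.100.0/24"),
]
COMBINED_RULES = LOCAL_NET_RULES + REMOTE_NET_RULES + [  # section 4.3 as described in its text
    NetmapRule("source", "vlan1", VPN, "192.168.20.0/24", "192.168.100.0/24", "192.168.200.0/24"),
]


def run_scenario(rules, packets):
    """Pass constructed packets (in_if, out_if, src, dst) through a fresh engine."""
    engine = NetmapEngine(rules)
    return [engine.translate(*p) for p in packets]


def local_network_example():
    """4.1: PC1's query and PC2's reply, then a new query from PC2 to another local
    host, once with only the outgoing rule (step 2) and once with both rules."""
    packets = [("vlan1", VPN, "192.168.20.20", "192.168.10.10"),
               (VPN, "vlan1", "192.168.10.10", "192.168.200.20"),
               (VPN, "vlan1", "192.168.10.10", "192.168.200.21")]
    return run_scenario(LOCAL_NET_RULES[:1], packets), run_scenario(LOCAL_NET_RULES, packets)


def remote_network_example():
    """4.2: PC1 reaches PC2 as 192.168.100.10; the reply carries that address again."""
    return run_scenario(REMOTE_NET_RULES, [("vlan1", VPN, "192.168.20.20", "192.168.100.10"),
                                           (VPN, "vlan1", "192.168.10.10", "192.168.20.20")])


def combined_example():
    """4.3: both addresses of the query are translated and both are swapped back in
    the reply; the untranslated destination 192.168.10.10 stays reachable as well."""
    return run_scenario(COMBINED_RULES, [("vlan1", VPN, "192.168.20.20", "192.168.100.10"),
                                         (VPN, "vlan1", "192.168.10.10", "192.168.200.20"),
                                         ("vlan1", VPN, "192.168.20.20", "192.168.10.10")])
```

With only the outgoing rule of 4.1.2, the fresh query from PC2 to 192.168.200.21 passes untranslated, which is the case the text describes as needing the explicit rule for incoming queries.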


5 Reporting and switching by SMS

5.1 Introduction
A SCALANCE M87x should be able to send important information about the plant status, alarm messages or warnings to a service employee or a master station as an event SMS message. In the other direction the device should be able to receive and interpret command SMS messages.

Examples
For the SMS there are the following configuration examples:
1. The SCALANCE M87x generates an event SMS message and sends this to certain recipients.
2. The SCALANCE M87x receives a command SMS message and evaluates it.

5.2 Generating and sending an event SMS message

5.2.1 Introduction
A service technician wants to monitor the connection on the Ethernet interface from a distance. If the Ethernet interface changes from "Link up" to "Link down", the technician should receive a corresponding event SMS message (event Link). In addition to this the technician wants to monitor the digital input. Each time the door in the station is opened (event Door), the signal at the digital input changes from 0 (LOW) to 1 (HIGH) (rising edge).

Requirement
The SCALANCE M87x is connected to the WAN, refer to "Connecting SCALANCE M87x to the WAN (Page 11)".
The access parameters for the SCALANCE M87x are configured.
The SCALANCE M87x can be reached via the admin PC and you are logged in to the WBM as a user with the role "admin".

Steps in configuration
The following steps are necessary:
1. Configuring an event (Page 196)
2. Configuring sending of an SMS message (Page 197)

5.2.2 Configuring an event

Enabling fault monitoring for Link Change
1. Click on "System" > "Fault Monitoring" in the navigation area and on the "Link Change" tab in the content area.
2. For P1 and P2 select the entry "Down".
3. Click on "Set Values".

Enabling SMS for an event
1. Click on "System" > "Events" in the navigation area and on the "Configuration" tab in the content area.
2. For the events "Link Change" and "Digital Input", enable "SMS".
3. Click on "Set Values".

Result
Event Link: When the Ethernet interface loses the connection to the node, the fault LED lights up on the device and an event SMS message is sent.
Event Door: Each time the digital input switches, an event SMS message is sent.
So that the SMS message is actually sent, you also need to configure the sending of SMS messages.

5.2.3 Configuring the sending of SMS messages

Configuring the sending of SMS messages
1. Click "System" > "SMS" in the navigation area.
2. On the "General" tab, only change the phone number of the SMS master station if you do not use the standard SMS master station. The standard SMS master station is stored on the SIM card.
3. Click the "Event SMS" tab.
4. Enable the "Event SMS" function.
5. In "Phone Number" enter the full telephone number of the recipient including the country dialing code, e.g. +49xxxxxxxx.
6. Click "Create". A new row with a unique number is created in the table. You can also specify several recipients. To do this, repeat steps 5 and 6.
7. Enable the setting "Send" for the required recipient. The recipient only receives an event SMS message when the setting is enabled.
8. Click on "Set Values".

Result
The service technician is configured as the recipient. When the Ethernet interface changes from "Link up" to "Link down", the device generates an event SMS message and sends this to the configured recipient.

Adapting an SMS message for the digital input
1. Enter the required SMS text. A maximum of 160 characters are permitted as SMS text. On a "Rising edge" e.g. "Door open". On a "Falling edge" e.g. "Door closed".

   Note
   Characters permitted for the SMS text
   The following characters are permitted in the text:
   0123456789 A...Z a...z Space ! % & / ( ) = * + < > ' , . -

2. So that the service technician receives an event SMS message for both switching operations, select "Both" for "Sending Option".
3. Click on "Set Values".

5.3 Receiving and evaluating a command SMS message

5.3.1 Introduction
This configuration example is based on the section "VPN tunnel between an M87x and a SINEMA RC server (Page 133)". The VPN tunnel should be established as the result of a command SMS message. The configuration example contains the following descriptions:

To wake a station, the SINEMA RC Server sends an e-mail. The e-mail is sent to an SMS gateway via an SMTP server. The SMS gateway converts the e-mail into a wake-up SMS message and transfers this to the M87x device. When the SMS message is accepted, the device establishes the connection to the SINEMA RC Server.

The service technician sends a wake-up SMS message to the M87x in station 2. The device starts the VPN connection and establishes the VPN tunnel to the SINEMA RC Server. To check whether the VPN connection to the SINEMA RC Server still exists, the service technician queries the status with a command SMS message.

Requirement
Configuration example "VPN tunnel between an M87x and a SINEMA RC Server (Page 133)".

Steps in configuration
The SINEMA RC Server sends a wake-up SMS message:
1. Configure settings on the SINEMA RC Server V1.2
   Configure SMS message & e-mail (Page 200)
   Change device settings (Page 201)
2. Configure receipt of the command SMS message on the M87x (Page 201)

Service technician sends a command SMS message:
1. Start VPN connection with command SMS message (Page 202)
2. Query status of the VPN connection with command SMS message (Page 203)

5.3.2 SINEMA RC Server sends a wake-up SMS message

5.3.2.1 Configuring settings on the SINEMA RC Server

Configuring SMS message & e-mail

Requirement
The SINEMA RC Server V1.2 is connected to the WAN.
The SINEMA RC Server V1.2 can be reached via PC3 and you are logged in to the WBM as a user with the role "admin".

Procedure
1. Click "System" > "SMS & E-mail" in the navigation area and on "SMS gateway provider" in the content area.
2. A list of the already existing SMS gateway providers is displayed. As default, the data of four network providers is already set. In this configuration example, the relevant SMS gateway provider is included in the list.
3. For the SMS gateway provider, click on "Edit SMS gateway provider" in the "Actions" column.
4. Configure the following settings:
   Sender number   Identification that is transferred in the e-mail.
   Address         E-mail address of the recipient of the SMS message. The e-mail address is generally made up of the call number of the SIM card and the SMS gateway name.
   Check with your network provider whether or not it is necessary to send an activation SMS message. You will find further information on this in the Operating Instructions of the SINEMA RC Server.
1. Click "Save".
2. Click on the "Settings" tab in the content area.

3. Configure the following settings:
   Method of delivery               SMTP relay server
   Sender                           E-mail address of the user account of the SMTP relay server
   SMTP relay server                Enter the name or the IP address of the SMTP relay server that forwards the received e-mails.
   SMTP relay port                  Specify the port on which the SMTP relay server accepts connections. As default, port 587 is set so that mail is received only from authenticated users.
   Transport Layer Security (TLS)   Opportunistic
   Server requires authentication   Some SMTP relay servers require a login. Enter the user name and the password. Some providers use the e-mail address as the user name. You will obtain more detailed information from your provider.
4. Click "Save".

Result
The settings for SMS and e-mail are configured. To test them, you can send an e-mail: click on "Test E-Mail" in the content area, enter the recipient, the subject and a text, then click the "Send" button.

Changing device settings

Procedure
1. In the navigation area, click "Remote connections" > "Devices". The devices that have already been created are listed in the content area.
2. For the entry "M874_2", click on "Edit device" in the actions.
3. Change the following device settings:
   Connection type        Wake-up SMS
   SMS gateway provider   Select the SMS gateway provider.
   GSM number             Call number of the end device to which a wake-up SMS is sent.
4. Click "Save".
5. Click "Exit dialog".

5.3.2.2 Configuring receipt of the command SMS message on the M87x

Requirement
The SCALANCE M87x can be reached via the admin PC and you are logged in to the WBM as a user with the role "admin".

Procedure
1. Click on "System" > "SMS" in the navigation area and on the "SMS Command" tab in the content area.
2. Select "Enable Command SMS".
3. For "Phone Number / Sender Identifier", specify the "Sender Number" you specified in "Configuring SMS message & e-mail". The sender number is used for identification: the device accepts the command SMS only if the sender number is included.
4. Click "Create". A new row with a unique number is created in the table.
5. Enable "Relay" and "System".
6. Click on "Set Values".

5.3.3 Service technician sends a command SMS message

5.3.3.1 Start VPN connection with command SMS message

Requirement
The SCALANCE M87x can be reached via the admin PC and you are logged in to the WBM as a user with the role "admin".

Procedure
1. Click on "System" > "SMS" in the navigation area and on the "SMS Command" tab in the content area.
2. Select "Enable Command SMS".
3. Enter the "Phone Number" of the service technician in "Phone Number / Sender Identifier". The phone number is necessary for the device to accept the command SMS from the mobile phone of the service technician.
4. Click "Create". A new row with a unique number is created in the table.
5. Enable "Relay" and "System".
6. Click on "Set Values".
7. The service technician sends a command SMS to start the connection to the SINEMA RC Server:
   SYS SRC UP <address of the SINEMA RC Server>, e.g. SYS SRC UP 90.90.90.90

Result
The device establishes the connection to the SINEMA RC Server.

5.3.3.2 Querying the status of the VPN connection with command SMS message

Requirement
The SCALANCE M87x can be reached via the admin PC and you are logged in to the WBM as a user with the role "admin".
Sending from the device to the service technician is configured, see Configuring the sending of SMS messages (Page 197).
The device accepts the command SMS message from the mobile phone of the service technician, see Configuring receipt of the command SMS message on the M87x (Page 201).

Procedure
1. The service technician sends a command SMS to query the status of the VPN connection to the SINEMA RC Server:
   SYS SRC STATUS <address of the SINEMA RC Server>, e.g. SYS SRC STATUS 90.90.90.90

Result
The service technician receives a corresponding reply SMS message from the device at the phone numbers specified in "Event SMS".
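The following added example (not SCALANCE firmware, not part of this manual) models the two SMS rules described in sections 5.2.3 and 5.3: the permitted event SMS text, and the check that a command SMS is only acted on when it comes from a configured sender and uses one of the two command forms shown (SYS SRC UP / SYS SRC STATUS). The phone numbers in the test are constructed; the command regex and the accepted IPv4 form are assumptions.

```python
"""Model of the SMS rules from 5.2.3 (event text) and 5.3 (command SMS).
Added example, not SCALANCE firmware; only the two commands shown in the
manual are recognised, and the exact device syntax is an assumption."""
from __future__ import annotations
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Character set permitted for the event SMS text (from the manual's note)
ALLOWED_SMS_CHARS = set(
    "0123456789"
    "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
    "abcdefghijklmnopqrstuvwxyz"
    " !%&/()=*+<>',.-"
)
MAX_SMS_LEN = 160

# Command SMS forms shown on the page: SYS SRC UP <ip> / SYS SRC STATUS <ip>
COMMAND_RE = re.compile(r"^SYS\s+SRC\s+(UP|STATUS)\s*(\S+)$")


def validate_event_sms_text(text: str) -> list[str]:
    """Return the problems with an event SMS text (empty list means valid)."""
    problems = []
    if len(text) > MAX_SMS_LEN:
        problems.append(f"text is {len(text)} characters, limit is {MAX_SMS_LEN}")
    bad = sorted({c for c in text if c not in ALLOWED_SMS_CHARS})
    if bad:
        problems.append("characters not permitted: " + "".join(bad))
    return problems


@dataclass
class CommandResult:
    accepted: bool
    reason: str
    command: Optional[str] = None   # "UP" or "STATUS"
    server: Optional[str] = None    # SINEMA RC Server address


def evaluate_command_sms(sender: str, body: str, allowed_senders: set[str]) -> CommandResult:
    """Decide whether a received command SMS is acted on.

    Mirrors the manual's rule: the configured "Phone Number / Sender
    Identifier" entries are the only thing that authorises a command, so
    the sender is checked before the text is even parsed.
    """
    if sender not in allowed_senders:
        return CommandResult(False, "sender not configured")
    m = COMMAND_RE.match(body.strip())
    if not m:
        return CommandResult(False, "unknown command")
    command, address = m.groups()
    # Accept only a plain IPv4 address for the server, nothing else
    try:
        server = str(ipaddress.IPv4Address(address))
    except ipaddress.AddressValueError:
        return CommandResult(False, "invalid server address")
    return CommandResult(True, "ok", command, server)
```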


6 Configuring a VRRPv3

6.1 Introduction
This section contains an example configuration that demonstrates the function of VRRPv3. With the Virtual Router Redundancy Protocol v3 (VRRPv3), the failure of a router in a network can be countered. To set up router redundancy, multiple devices are combined into a logical group; these devices together form the virtual router. To clearly assign the devices to a logical group, a VRID is configured for each device. The devices of a logical group must have the same VRID. One device of the group is declared the master router, while the others are backup routers. A virtual IP address and a MAC address are assigned to this master router. The entire data traffic is handled over the master router. If the master router fails, the virtual IP address and the MAC address are transferred to the backup router, which takes on the role of the master router. This means communication is restored within three seconds.

In this example configuration, station 1 is to be connected to the Internet redundantly to ensure data communication to and from these networks even in case of a router failure.

Setup
To set up router redundancy, a SCALANCE M816 and a SCALANCE M874-2 are combined into a logical group (VRID). The SCALANCE M816 is the master router in this setup and the SCALANCE M874-2 is the backup router. On the surface, the logical group looks like one single virtual router. Station 1 (vlan1) is connected over interface P1, and the Internet is connected over the WAN interface (ppp0) of the devices. During normal operation, the entire data traffic is handled over the WAN interface of the master router. When one of these interfaces fails on the master router, data traffic is no longer possible over the master router. The connection over the interfaces P1 and ppp0 is therefore monitored. When the status of a monitored interface changes on the master router from "up" to "down", the priority of the master router is reduced. The virtual IP address and the MAC address are transferred to the backup router, which takes on the tasks of the master router. Once connection over the SCALANCE M816 is possible again, the original priority of the VRRP router is restored. The SCALANCE M816 once again takes on the role of master router.

The firewall is enabled on the devices by default. For the incoming VRRP packets to be forwarded to the device, you must configure a firewall rule.

Settings used
For the configuration example, the devices are given the following IP address settings:

VLAN / VRID   Router status   Device name   Interface   IP address                    Virtual IP address (Associated IP address)
vlan1 / 1     Master          M816          P1          192.168.100.1 255.255.255.0   192.168.100.15 (VRID 1)
              Backup          M874          P1          192.168.100.2 255.255.255.0

You configure the devices with the PC using Web Based Management. To do so, you must assign the IP address to the PC network adapter. In the extended TCP/IP settings of the network adapter configuration you have the option of adding additional IP addresses.

PC    IP address       Gateway
PC1   192.168.100.20   VRID1: Virtual IP address 192.168.100.15

Note
The IP settings used in the configuration example were freely chosen. In a real network, you would need to adapt these IP settings to avoid possible address conflicts.

Requirement
The SCALANCE M87x/SCALANCE M81x is connected to the WAN, refer to "Connecting SCALANCE M to the WAN (Page 11)".
The SCALANCE M87x/SCALANCE M81x can be reached via the Admin PC and you are logged in to the WBM as "admin".

Steps in configuration
The following steps are required on both devices for configuring VRRPv3:
1. Configure VRRPv3
2. Create firewall rules
3. Verify VRRPv3

6.2 Configure VRRPv3

6.2.1 Create VRRPv3 router

Procedure
1. Click on "Layer 3" > "VRRPv3" in the navigation area and on the "Router" tab in the content area.
2. Select the setting "VRRPv3". Confirm the message with "OK". The procedure is described in the section "Creating firewall rules for VRRP (Page 211)".
3. Select the setting "VRID-Tracking".
4. Click on "Set Values".
5. For "Interface", select the entry "vlan1".
6. Enter 1 for "VRID" and click "Create".

Result
A logical group has been created on the devices.

6.2.2 Configure VRRPv3 router
This section describes how to configure the VRRPv3 routers. The M816 is configured as master router and the M874 as backup router in this case.

Procedure
1. Click on "Layer 3" > "VRRPv3" in the navigation area and on the "Configuration" tab in the content area.
2. For "Interface / VRID" select the entry "vlan1 / 1".
3. Configure the virtual router VRID 1 with the following settings:
                      M816        M874
   Interface / VRID   vlan1 / 1   vlan1 / 1
   Primary Address    0.0.0.0     0.0.0.0     (Because only one subnet is configured on this VLAN, no entry is necessary. The entry is then 0.0.0.0.)
   Priority           150         100
   Reduce Priority    100         0
4. Click on "Set Values".

Result
The virtual routers have been created. The configuration is identical on both devices.
Overview of the configuration on M816:

Overview of the configuration on M874:

6.2.3 Specifying the virtual IP address
A virtual IP address is assigned so that the connected devices are not aware of the change. This virtual IP address is entered as the gateway address in the connected devices.

Procedure
1. Click on "Layer 3" > "VRRPv3" in the navigation area and on the "Address Configuration" tab in the content area.
2. For "Interface / VRID" select the entry "vlan1 / 1".
3. In "Associated IP Address", enter the IP address "192.168.100.15".
4. Click "Create".
5. Click on "Set Values".

Result
The corresponding virtual IP address is specified.

6.2.4 Configuring interface monitoring
The interfaces P1 and ppp0 are to be monitored.

Procedure
1. Click on "Layer 3" > "VRRPv3" in the navigation area and on the "Interface Tracking" tab in the content area.
2. For "Interface" select the interface "P1".
3. For "Track-ID" enter the ID 1.
4. Click the "Create" button.
5. Repeat steps 2 to 4 for the interface "ppp0".
6. For "Track-ID", select "1".
7. Enter "1" for "Track Interface Count" and click "Set Values".

Result
The interfaces are tracked. The "Track Interface Count" 1 means that when the connection status at one interface changes from "up" to "down", the priority of the assigned VRRP router is reduced. You configure the value by which the priority is reduced ("Reduce Priority") on the page "Layer 3 > VRRPv3 > Configuration". When the connection status changes back from "down" to "up", the original priority is restored.
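To make the interplay of "Priority", "Reduce Priority" and "Track Interface Count" from sections 6.2.2 and 6.2.4 concrete, here is an added example (not SCALANCE firmware, not part of this manual) that models the master election for VRID 1 with the values from the configuration example and walks through a WAN failure on the M816. The tie-breaker on equal priority (higher primary IP wins) is taken from the VRRPv3 specification, RFC 5798.

```python
"""Model of the VRRPv3 master election used in this chapter: configured
priority, "Reduce Priority" and interface tracking with "Track Interface Count".
Added example, not SCALANCE firmware; device names, addresses, priorities and
tracked interfaces are the values from the configuration example."""
from dataclasses import dataclass, field
from ipaddress import IPv4Address


@dataclass
class VrrpRouter:
    name: str
    primary_ip: IPv4Address          # address on vlan1, used as tie-breaker
    priority: int                    # configured "Priority" (1..254)
    reduce_priority: int             # "Reduce Priority", applied while tracking triggers
    tracked: tuple                   # interfaces that carry the same Track-ID
    track_count: int = 1             # "Track Interface Count"
    link_down: set = field(default_factory=set)   # interfaces currently down

    def effective_priority(self) -> int:
        """Priority after interface tracking.

        When at least track_count tracked interfaces are down, the configured
        reduction is applied; once they are up again the original priority is
        used, so restoration needs no extra state.
        """
        down = sum(1 for i in self.tracked if i in self.link_down)
        if down >= self.track_count:
            return max(1, self.priority - self.reduce_priority)
        return self.priority


def elect_master(routers) -> str:
    """Name of the router that currently owns the virtual IP 192.168.100.15.

    Highest effective priority wins; on a tie the higher primary IP address
    wins, the tie-breaker defined by VRRPv3 (RFC 5798).
    """
    return max(routers, key=lambda r: (r.effective_priority(), r.primary_ip)).name


def build_example_group():
    """VRID 1 exactly as configured in sections 6.2.2 and 6.2.4."""
    m816 = VrrpRouter("M816", IPv4Address("192.168.100.1"), 150, 100, ("P1", "ppp0"))
    m874 = VrrpRouter("M874", IPv4Address("192.168.100.2"), 100, 0, ("P1", "ppp0"))
    return [m816, m874]


def failover_sequence():
    """Master before, during and after a WAN (ppp0) failure on the M816."""
    group = build_example_group()
    m816 = group[0]
    before = elect_master(group)        # 150 vs 100 -> M816
    m816.link_down.add("ppp0")
    during = elect_master(group)        # 150 - 100 = 50 vs 100 -> M874
    m816.link_down.discard("ppp0")
    after = elect_master(group)         # original priority -> M816 again
    return [before, during, after]
```

Because the M874 is configured with Reduce Priority 0, failures of its own tracked interfaces leave its priority unchanged in this model.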

6.3 Creating firewall rules for VRRPv3
For the incoming VRRP packets to be forwarded to the device, you must configure the following firewall rule.

Procedure

Create IP protocol
1. Click on "Layer 3 > Firewall" in the navigation area and on the "IP Protocol" tab in the content area.
2. For "Protocol Name" enter "VRRP".
3. Click on "Set Values". A new entry is generated in the table.
4. Enter "112" in "Protocol Number".
5. Click on "Set Values".

Creating IP Rules
1. Click on "Security" > "Firewall" in the navigation area and on the "IP Rules" tab in the content area.
2. Click "Create". A new entry is created in the table.

3. Configure the firewall rule for VRID 1 with the following settings:
   Action                Accept
   From                  vlan1 / 1
   To                    Device
   Source (Range)        0.0.0.0/0 (all addresses)
   Destination (Range)   224.0.0.18/32
   Service               VRRP
4. Click on "Set Values".
5. Click "Create". A new entry is created in the table.
6. Click on "Set Values".

Result
The IP rules have been created.

6.4 Verify VRRPv3

Procedure
1. Click on "Layer 3" > "VRRPv3" in the navigation area and on the "Router" tab in the content area.

Result
Overview of the configuration on M816:
Overview of the configuration on M874:
For the master address, the IP address of M816 is displayed.
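As an added example (not SCALANCE firmware, not part of this manual), the IP rule from section 6.3 applied to a few constructed packets shows exactly what the rule admits: IP protocol 112 to the VRRP multicast address 224.0.0.18 arriving on vlan1 and addressed to the device itself, and nothing else. The packet source addresses and the "no match" result are constructed for the illustration.

```python
"""Model of the firewall rule from section 6.3, applied to constructed packets.
Added example, not SCALANCE firmware; it shows which traffic the rule admits
and that everything else is left to the firewall's default handling."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network

# "IP Protocol" entry created in 6.3: service name VRRP -> IP protocol number 112
IP_PROTOCOLS = {"VRRP": 112}


@dataclass(frozen=True)
class IpRule:
    action: str
    src_iface: str              # "From"
    to_device: bool             # "To: Device" (traffic addressed to the router itself)
    source: IPv4Network         # "Source (Range)"
    destination: IPv4Network    # "Destination (Range)"
    service: str


@dataclass(frozen=True)
class Packet:
    in_iface: str
    to_device: bool
    src: IPv4Address
    dst: IPv4Address
    protocol: int               # IP protocol number


# The IP rule for VRID 1 exactly as configured in section 6.3
VRRP_RULE = IpRule("Accept", "vlan1", True, IPv4Network("0.0.0.0/0"),
                   IPv4Network("224.0.0.18/32"), "VRRP")


def matches(rule: IpRule, pkt: Packet) -> bool:
    """True when every field of the rule applies to the packet."""
    return (pkt.in_iface == rule.src_iface
            and pkt.to_device == rule.to_device
            and pkt.src in rule.source
            and pkt.dst in rule.destination
            and pkt.protocol == IP_PROTOCOLS[rule.service])


def decide(pkt: Packet, rules=(VRRP_RULE,)) -> str:
    """First matching rule wins. A packet no rule matches is reported as
    "no match": the manual states the firewall is enabled by default and
    that this rule is required for VRRP packets to reach the device."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return "no match"


# Constructed sample packets: a VRRP advertisement from the M874 on vlan1 ...
ADVERTISEMENT = Packet("vlan1", True, IPv4Address("192.168.100.2"),
                       IPv4Address("224.0.0.18"), 112)
# ... and the same protocol arriving on the WAN interface instead (constructed source)
WAN_PACKET = Packet("ppp0", True, IPv4Address("203.0.113.5"),
                    IPv4Address("224.0.0.18"), 112)
```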