Setting up a secure VPN Connection between SCALANCE S and M812-1 Using a static IP Address

Similar documents
Setting up a secure VPN Connection between two M812-1 Using a static IP Address

Setting up a secure VPN connection between two SCALANCE S Modules Using a static IP Address

Setting up a secure VPN Connection between SCALANCE S and SSC Using a static IP Address. SCALANCE S, SOFTNET Security Client

Setting up a secure VPN Connection between SCALANCE M-800 and SSC

Setting up a secure VPN Connection between CP x43-1 Adv. and M812-1 Using a static IP Address

Setting up a secure VPN Connection between SCALANCE S and CP x43-1 Adv. Using a static IP Address. SCALANCE S, CP Advanced, CP Advanced

Setting up a secure VPN Connection between CP x43-1 Adv. and SOFTNET Security Client Using a static IP Address

Setting up a secure VPN Connection between the TS Adapter IE Advanced and Windows 7

Setting up a secure VPN Connection between a Tablet (ios), SCALANCE S615 and SINEMA Remote Connect Server. SINEMA Remote Connect, SCALANCE S615

Windows firewall settings for X-Tools Server Pro. CMS X-Tools / V / CPU PN/DP. Application description 6/2016

X-Tools Loading Profile Files (LPF)

Transmitting HMI data to an external monitor

Networking a SINUMERIK 828D

Applikationen & Tools. Network Address Translation (NAT) and Network Port Address Translation (NAPT) SCALANCE W. Application Description July 2009

Generating the Parameters for the Modbus/TCP Communication

Checking of STEP 7 Programs for the Migration of S7-318 to S CPU318 Migration Check. Application description 01/2015

Setting up time synchronization of Process Historian and Information Server

Application example 02/2017. SIMATIC IOT2000 Connection to IBM Watson IoT Platform SIMATIC IOT2040

IP-based Remote Networks

Configuration of an MRP Ring and a Topology with Two Projects


Moving a Process Historian/ Information Server from Workgroup A to Workgroup B

Application example 12/2016. SIMATIC IOT2000 OPC UA Client SIMATIC IOT2020, SIMATIC IOT2040

I-Device Function in Standard PN Communication SIMATIC S7-CPU, CP, SIMOTION, SINUMERIK. Configuration Example 08/2015


Data Storage on Windows Server or NAS Hard Drives

TeleService of a S station via mobile network

Configuring the F-I-Device function with the SENDDP and RCVDP blocks.

Improving the performance of the Process Historian

SINAMICS G/S: Integrating Warning and Error Messages into STEP 7 V5.x or WinCC flexible


Determination of suitable hardware for the Process Historian 2014 with the PH-HWAdvisor tool



SINAMICS G/S: Tool for transforming Warning and Error Messages in CSV format


Configuration of an MRP ring with SIMOCODE and SIMATIC S SIMOCODE pro V PN, SIMATIC S Siemens Industry Online Support

Setting up 01/2017. Setting up the SIMATIC IOT2000 SIMATIC IOT2020, SIMATIC IOT2040

Library Description 08/2015. HMI Templates. TIA Portal WinCC V13.

Setting up 08/2017. Setting up the SIMATIC IOT2000 SIMATIC IOT2020, SIMATIC IOT2040

X-Tools configuration to connect with OPC servers and clients


Position Control with SIMATIC S and SINAMICS V90 via IRT PROFINET SINAMICS V90 PROFINET. Application description 03/2016

PCS 7 Process Visualization on Mobile Devices with RDP

Key Panel Library / TIA Portal

Display of SINAMICS Error Messages in Runtime Professional

Integral calculation in PCS 7 with "Integral" FB or "TotalL" FB

Siemens Spares. Setting up security in STEP 7. Professional SIMATIC NET. Industrial Ethernet Security Setting up security in STEP 7 Professional

Applications & Tools. Security Configurations in LAN and WAN (DSL) with SCALANCE S61x Modules and the Softnet Security Client. Industrial Security

User Login with RFID Card Reader


Multiuser Engineering in the TIA Portal


SIMATIC PCS 7 Minimal Configuration

STEP 7 function block to control a MICROMASTER 4 or SINAMICS G120/G120D via PROFIBUS DP


Exchange of large data volumes between S control system and WinCC

Tracking the MOP setpoint to another setpoint source to bumplessly changeover the setpoint

Integration of Process Historian / Information Server in a Domain

Communication between HMI and Frequency Converter. Basic Panel, Comfort Panel, Runtime Advanced, SINAMICS G120. Application Example 04/2016

Configuration Control with the S and ET 200SP



Engineering of the Configuration Control for IO Systems


SIMATIC NET. Industrial Ethernet Security SCALANCE S615 Getting Started. Preface. Connecting SCALANCE S615 to the WAN 1

Sending and Receiving SMS Messages via a SCALANCE M Router SCALANCE M874/M876, S7-1200/S CPU / V1.0. Application Example 06/2016

Application for Process Automation

Application on Control Technology

Data Synchronization between Head and Field PLCs with Storage of the Process Values in CSV Files



SIMATIC NET OPC Server Implementation





Display of SINAMICS Fault Messages in WinCC V7.4

Cover. WinAC Command. User documentation. V1.5 November Applikationen & Tools. Answers for industry.


RAID systems within Industry


Universal Parameter Server

PNDriver V2.1 Quick Start Guide for IOT2040 SIMATIC IOT

Automatic Visualization of the Sample Blocks in WinCC Advanced

Applications & Tools. Configuring Electronic Signatures in SIMATIC PCS 7. SIMATIC PCS 7 V8.0 SP1, SIMATIC Logon V 1.5. Application May 2014

Monitoring Energy Consumption with LOGO! 8 and LOGO! CMR


Setting up securityglobal FW Rulesets SIMATIC NET. Industrial Ethernet Security Setting up security. Preface. Firewall in standard mode


SINAMICS V: Speed Control of a V20 with S (TIA Portal) via MODBUS RTU, with HMI

Topology Reporter Tool Description April 2012 Applications & Tools Answers for industry.

Check List for Programming Styleguide for S7-1200/S7-1500

Check List for Programming Styleguide for S7-1200/S7-1500


FAQ about Communication

APF report templates based on data from the WinCC User Archive

Applications & Tools. Service Concept: Auto Backup for the Comfort Panels. WinCC (TIA Portal) V12. Application Description May 2013

Monitoring of 24 V load circuits

Block for SIMOTION SCOUT for Monitoring 24V-Branches

Transcription:

Configuration Example 09/2014 Setting up a secure VPN Connection between SCALANCE S and M812-1 Using a static IP Address SCALANCE S, SCALANCE M http://support.automation.siemens.com/ww/view/en/99681595

Warranty and liability Warranty and liability Note The Application Examples are not binding and do not claim to be complete regarding the circuits shown, equipping and any eventuality. The Application Examples do not represent customer-specific solutions. They are only intended to provide support for typical applications. You are responsible for ensuring that the described products are used correctly. These application examples do not relieve you of the responsibility to use safe practices in application, installation, operation and maintenance. When using these Application Examples, you recognize that we cannot be made liable for any damage/claims beyond the liability clause described. We reserve the right to make changes to these Application Examples at any time without prior notice. If there are any deviations between the recommendations provided in these application examples and other Siemens publications e.g. Catalogs the contents of the other documents have priority. We do not accept any liability for the information contained in this document. Any claims against us based on whatever legal reason resulting from the use of the examples, information, programs, engineering and performance data etc., described in this Application Example shall be excluded. Such an exclusion shall not apply in the case of mandatory liability, e.g. under the German Product Liability Act ( Produkthaftungsgesetz ), in case of intent, gross negligence, or injury of life, body or health, guarantee for the quality of a product, fraudulent concealment of a deficiency or breach of a condition which goes to the root of the contract ( wesentliche Vertragspflichten ). The damages for a breach of a substantial contractual obligation are, however, limited to the foreseeable damage, typical for the type of contract, except in the event of intent or gross negligence or injury to life, body or health. The above provisions do not imply a change of the burden of proof to your detriment. Any form of duplication or distribution of these Application Examples or excerpts hereof is prohibited without the expressed consent of Siemens Industry Sector. Security information Siemens provides products and solutions with industrial security functions that support the secure operation of plants, solutions, machines, equipment and/or networks. They are important components in a holistic industrial security concept. With this in mind, Siemens products and solutions undergo continuous development. Siemens recommends strongly that you regularly check for product updates. For the secure operation of Siemens products and solutions, it is necessary to take suitable preventive action (e.g. cell protection concept) and integrate each component into a holistic, state-of-the-art industrial security concept. Third-party products that may be in use should also be considered. For more information about industrial security, visit http://www.siemens.com/industrialsecurity. To stay informed about product updates as they occur, sign up for a productspecific newsletter. For more information, visit http://support.automation.siemens.com. Entry ID: 99681595, V1.0, 09/2014 2

Table of Contents Table of Contents Warranty and liability... 2 1 Task and Solution... 4 1.1 Task... 4 1.2 Possible solution... 4 1.3 Characteristics of the solution... 5 2 Configuration and Project Engineering... 6 2.1 Setting up the environment... 6 2.1.1 Required components and IP address overview... 6 2.1.2 DSL access for SCALANCE S612... 7 2.1.3 SCALANCE S612... 8 2.1.4 SCALANCE M812-1... 8 2.1.5 Setting up the infrastructure... 15 2.2 Setting up VPN communication... 15 2.2.1 Integrating the VPN endpoint SCALANCE S612... 16 2.2.2 Integrating the VPN endpoint SCALANCE M812-1... 18 2.2.3 Defining the VPN properties... 19 2.2.4 Transferring the configuration data... 21 2.3 VPN configuration in the SCALANCE M812-1... 23 2.4 Final steps... 32 2.5 Status of the VPN connection... 33 3 Testing the Tunnel Function... 35 4 History... 36 Entry ID: 99681595, V1.0, 09/2014 3

1 Task and Solution 1 Task and Solution 1.1 Task A service center connected via the Internet is to be able to perform classical applications such as remote programming, parameterization and diagnostics and monitoring of plants installed worldwide. The following customer requirements have to be considered: Protection of communication against spying and data manipulation Prevention of unauthorized access Provision of secure remote access for remote maintenance and remote control High degree of flexibility and independence of the existing infrastructure 1.2 Possible solution Complete overview The figure below shows one way of implementing these customer requirements: Service PC VPN Tunnel Industrial Ethernet SCALANCE S VPN Server Internet Router Static WAN IP Address SCALANCE M81x-1 VPN Client The connection between the service PC (or other nodes/network devices) and the automation cell (nodes such as SIMATIC stations, panels, drives, PCs) is protected by a VPN tunnel. In this example, the SCALANCE S612 and a SCALANCE M81x-1 form the tunnel endpoints for the secure connection. The SCALANCE S acts as the VPN server, the SCALANCE M acts as the VPN client. Access to the SCALANCE S from the WAN is predefined by the use of a static WAN IP address. On the client side, ADSL is used for WAN access; the IP address of the WAN port is not relevant. When establishing the VPN tunnel, the roles are defined as follows: Table 1-1 SCALANCE S Component SCALANCE M81x VPN role Responder (VPN server); waits for the VPN connection Initiator (VPN client); starts the VPN connection Automation Cell SIMATIC S7 Stations Entry ID: 99681595, V1.0, 09/2014 4

1 Task and Solution SCALANCE M SCALANCE M812-1 and SCALANCE M816-1 are DSL routers for cost-effective, secure connection of Ethernet-based subnets and programmable controllers to wired telephone or DSL networks that support ADSL2+ (Asynchronous Digital Subscriber Line). These modules are characterized by the following features: Simultaneous protection of multiple devices by IPsec tunnels (support of up to 20 VPN tunnels at a time). VPN and DSL router in a single device; therefore, it is no longer necessary to use a separate DSL router. Broad range of applications due to high bandwidth, performance and speed. Reduced travel expenses and personnel costs due to remote programming and remote diagnostics via wired telephone or DSL networks. The modules automatically establish and maintain the IP-based online connection to the Internet. SCALANCE S The security modules of the SCALANCE S family are designed specifically for use in automation but integrate seamlessly with the security structures of the office and IT world. They provide the following functions: High-quality stateful inspection firewall with filtering of IP- and MAC-based data traffic. User-specific IP firewall to distinguish and differentiate access to specific plant parts. Router functionality (PPPoE, DNS). IPSec VPN (data encryption and authentication). Protection of all devices of an Ethernet network. Flexible, reaction-free and protocol-independent protection. Support of multiple VPN tunnels at a time. 1.3 Characteristics of the solution Easy integration into existing networks and protection of devices that do not have their own security functions. Low investment and operating costs for secure remote access to machines and plants. Controlled, encrypted data traffic between SCALANCE S and SCALANCE M. High degree of security for machines and plants through the implementation of the cell protection concept. Integrated network diagnostics via SNMP, Syslog and Web interface. Worldwide use. Entry ID: 99681595, V1.0, 09/2014 5

2 Configuration and Project Engineering 2.1 Setting up the environment 2.1.1 Required components and IP address overview Software packages This solution requires the following software packages: "Security Configuration Tool V4" (included in the scope of delivery of the SCALANCE S or available as a download under the following Entry ID: 84467278). Web browser to configure the SCALANCE M. Install this software on a PC/PG. Required devices/components: To set up the environment used in the following, use the following components: A SCALANCE S612 (firmware V4) (optional: A DIN rail installed accordingly, including fitting accessories). A SCALANCE M812-1 (optional: A DIN rail installed accordingly, including fitting accessories). A 24V power supply with cable connector and terminal block plug. ADSL access. DSL access with a static WAN IP address and a DSL router. PC on which the "Security Configuration Tool" and a Web browser are installed. The necessary network cables, TP cables (twisted pair) according to the IE FC RJ45 standard for Industrial Ethernet. Note You can also use a different SCALANCE S type (except SCALANCE S602) or Internet access method (e.g., UMTS). The configuration described below refers explicitly to the components listed in "Required devices/components". Entry ID: 99681595, V1.0, 09/2014 6

IP addresses For this example, the IP addresses are assigned as follows: S 612 DSL Router M812-1 172.22.80.2 172.16.47.1 172.16.0.1 Static WAN IP Dynamic WAN IP 192.168.2.1 Table 2-1 Component Port IP address Router Subnet mask S612 Internal port 172.22.80.2-255.255.255.0 S612 External port 172.16.47.1 172.16.0.1 255.255.0.0 DSL router LAN port 172.16.0.1-255.255.0.0 DSL router WAN port Static IP address from provider M812-1 WAN port Dynamic IP address from provider - Assigned by provider - Assigned by provider M812-1 LAN port 192.168.2.1-255.255.255.0 2.1.2 DSL access for SCALANCE S612 Static IP address WAN access of the SCALANCE M812-1 to the SCALANCE S612 is implemented using a fixed public IP address. This IP address must be requested from the provider and then stored in the DSL router. Port forwarding on the DSL router VPN function Due to the use of a DSL router as an Internet gateway, you have to enable the following ports on the DSL router and forward the data packets to the S612 (VPN server; external IP address): UDP Port 500 (ISAKMP) UDP Port 4500 (NAT-T) If the DSL router itself is VPN-capable, make sure that this function is disabled. Entry ID: 99681595, V1.0, 09/2014 7

2.1.3 SCALANCE S612 Factory default To make sure that no old configurations and certificates are stored in the SCALANCE S612, reset the module to factory default. For the appropriate chapter in the SCALANCE S manual, please use the following link: https://www.automation.siemens.com/mdm/default.aspx?docversionid=58712435 339&Language=en-EN&TopicId=57280996235&guiLanguage=en. The configured state is indicated by the fact that the Fault LED lights up orange. If problems occur when accessing the SCALANCE S or rebooting, please refer to the appropriate troubleshooting chapter: https://www.automation.siemens.com/mdm/default.aspx?docversionid=58712435 339&Language=en-EN&TopicId=57279890699&guiLanguage=en 2.1.4 SCALANCE M812-1 Factory default To make sure that no old configurations and certificates are stored in the SCALANCE M812-1, reset the module to factory default. Press the SET button - for approx. 10 seconds - to reset the device to factory default; it can now be accessed via IP address 192.168.1.1. Requirements for Web Based Management The SCALANCE M features an integrated HTTP server for Web Based Management (WBM). In order to use this function without any restrictions, please note the following: Access via HTTPS is enabled. JavaScript is enabled in the Web browser. When the firewall is enabled, TCP port 443 must be enabled for access via HTTPS. Entry ID: 99681595, V1.0, 09/2014 8

Physical connection between PC and SCALANCE M Use the PC to connect to the Web user interface of the SCALANCE M. When the SCALANCE M is set to factory default, the IP address of the internal interface of the module is 192.168.1.1. In this case, change the network settings on the PC as follows: IP address: 192.168.1.100 Subnet mask: 255.255.255.0 Use address https://192.168.1.1 to open Web Based Management. Web Based Management login When you log on for the first time or after setting to factory default, the login data is defined as follows: Name: admin Password: admin 1. Enter the name and password in the appropriate text boxes. 2. Click the "Login" button or confirm your entries with "Enter". 3. When you log on for the first time or after setting to factory default, you are prompted to change the password. Entry ID: 99681595, V1.0, 09/2014 9

4. Enter the old and new password. 5. Click the "Set Values" button to complete the operation and activate the new password. 6. After successful logon, the start page appears. Entry ID: 99681595, V1.0, 09/2014 10

Customizing the IP address To change the IP address of the internal interface of the SCALANCE M, proceed as follows: 1. In the navigation bar, navigate to "System" > "Agent IP" and change the IP address as listed in Table 2-1. 2. Apply the setting with "Set Values". 3. Change the network settings on the PC as follows: IP address: 192.168.2.100 Subnet mask: 255.255.255.0 4. Reload the Web page. Result The internal interface of the SCALANCE M is set to the desired IP address. Entry ID: 99681595, V1.0, 09/2014 11

Setting the time To establish secure communication, it is essential that the current date and time are always set on the SCALANCE M. Otherwise, the certificates used are interpreted as invalid and secure VPN communication is not possible. 1. In the navigation bar, navigate to "System" > "System Time". 2. Click the "Use PC Time" button to apply the time setting of the PC. 3. Click the "Set Values" button. Result The date and time are applied and "Manual" is entered in the "Last Synchronization Mechanism" field. Note Note that the time is reset to the factory setting if the power supply is interrupted. On return of the power, you need to set the system time again. As result, certificates can lose their validity. Entry ID: 99681595, V1.0, 09/2014 12

Note You also have the possibility, that the system time is synchronized automatically with a time server. There are a number of time servers on the Internet that can be used to obtain the current time precisely. Synchronization of the system time using a public time server creates additional data traffic on the connection. This may result in additional costs, depending on your subscriber contract. Setting up DSL access Access to the Internet requires the following access parameters: User name and password for DSL access VCI / VPI Encapsulation These parameters can be obtained from your Internet service provider. 1. In the navigation pane, click "Interfaces" > "DSL". 2. Check "Enable DSL Interface" and uncheck "Enable PPPoE Passthrough". Entry ID: 99681595, V1.0, 09/2014 13

3. Enter the user name (Account) and password for DSL access. If necessary, change the values for "VCI", "VPI" and "Encapsulation". The settings can be obtained from your DSL provider. 4. Click "Set Values". Result The DSL connection has been set up. After approx. 30 seconds, the device connects to the Internet. "Information" > "DSL" allows you to check whether the connection has been established. Entry ID: 99681595, V1.0, 09/2014 14

2.1.5 Setting up the infrastructure Connect all the components involved in this solution. S 612 DSL Router M812-1 External Port Internal Port LAN Port WAN Port WAN Port LAN Port Table 2-2 Component Local port Partner Partner port SCALANCE S612 Internal (protected) port E.g., an automation network (does not exist in this solution) SCALANCE S612 External (unprotected) port DSL router LAN port SCALANCE M812-1 WAN port ADSL2+ port for operation on public DSL networks SCALANCE M812-1 LAN port E.g., an automation network (does not exist in this solution) Note In all devices in the internal network of the S612 or M812-1 (e.g., controllers, panels, etc.), please make sure to enter the IP address of the internal port as the default gateway. 2.2 Setting up VPN communication SCT project Component overview VPN communication between SCALANCE S and SCALANCE M is set up using the Security Configuration Tool V4. Open the tool and select "Project" > "New " to create a new project. Define a user name and password. This solution uses the following security components: SCALANCE S612 (firmware V4) SCALANCE M812-1 Entry ID: 99681595, V1.0, 09/2014 15

2.2.1 Integrating the VPN endpoint SCALANCE S612 To integrate the SCALANCE S612 component into the Security Configuration Tool, proceed as follows: 1. Use "Insert" > "Module" or select the appropriate menu icon to open the module selection dialog. Note: If you have created a new project, this dialog opens automatically. Define the following module: Product type: SCALANCE S Module: S612 Firmware release: V4 2. Assign a name to the module and apply the MAC address from the S612 housing to the appropriate text box. Enter the external IP address and subnet mask as listed in Table 2-1. Entry ID: 99681595, V1.0, 09/2014 16

3. Change the mode of the SCALANCE S to Routing. Enter the internal IP address and subnet mask as listed in Table 2-1. Close the dialog with "OK". Result Now the SCALANCE S612 appears as a new module. Entry ID: 99681595, V1.0, 09/2014 17

2.2.2 Integrating the VPN endpoint SCALANCE M812-1 To integrate the SCALANCE M812-1 component into the Security Configuration Tool, proceed as follows: 1. Use "Insert" > "Module" or select the appropriate menu icon to open the module selection dialog. Define the following module: Product type: SOFTNET configuration Module: SCALANCE M87x/MD74x Firmware release: SCALANCE M874-x 2. Assign a name to the module. Enter the internal IP address and subnet mask as listed in Table 2-1. Note: The external IP address is irrelevant and can be left at default settings. Close the dialog with "OK". Result The M812-1 appears as an additional module. Entry ID: 99681595, V1.0, 09/2014 18

2.2.3 Defining the VPN properties Creating a VPN group All members of a VPN group are authorized to communicate with each other through a VPN tunnel. To create a VPN group, proceed as follows: 1. In the project tree, select the "VPN groups" item. Use "Insert" > "Group" or select the appropriate menu icon to create a new VPN group. 2. One after the other, select the SCALANCE S612 and the SCALANCE M812-1 from the "All modules" list and use drag and drop to insert them into the VPN group. Result The SCALANCE S612 and the SCALANCE M812-1 have been assigned to VPN group Group1. Certificates are used for authentication. Entry ID: 99681595, V1.0, 09/2014 19

Defining the VPN parameters To establish the VPN tunnel, you have to enter the following information: Standard router WAN IP address of the DSL router VPN role Parameterize this information as follows: 1. In the "All modules" project tree, select the S612 and double-click to open its properties dialog. 2. In the "Routing" tab, enter the standard router as listed in Table 2-1. 3. In the "VPN" tab, select the "Responder" VPN role for the S612. In the WAN IP address / FQDN field, enter the WAN IP address of your DSL access point. Close the dialog with "OK". 4. Acknowledge the message with "OK". 5. Save the project. Result The VPN configuration is complete. Entry ID: 99681595, V1.0, 09/2014 20

2.2.4 Transferring the configuration data Preparation The transfer of the configuration data differs for the SCALANCE S and SCALANCE M security components: SCALANCE S: The configuration data is downloaded directly from the Security Configuration Tool to the SCALANCE S. SCALANCE M812-1: The Security Configuration Tool creates a configuration guide for manual configuration of the SCALANCE M812-1 in Web Based Management. As a WAN is used as an external public network, the S612 with factory default cannot be configured via this WAN. In this case, configure the security module from the internal network: Connect the PC on which the Security Configuration Tool is installed to the internal port of the SCALANCE S and change the network settings on the PC as follows: IP address: 172.22.80.100 Subnet mask: 255.255.255.0 SCALANCE S To transfer the configuration to the SCALANCE S, proceed as follows: 1. Select the S612 and select the "Transfer" > "To module(s) " menu command. 2. When a configuration is downloaded for the first time after the installation of the Security Configuration Tool, a dialog appears where you can select the network adapter. In this dialog, explicitly select the network adapter via which you are actually connected to the module. 3. Clicking the "Start" button in the "Download configuration data to security module" dialog transfers the configuration to the SCALANCE S module. Result Now the S612 has been configured and can communicate at the IP level. This mode is indicated by the fact that the Fault LED lights up green. Entry ID: 99681595, V1.0, 09/2014 21

SCALANCE M812-1 To create the configuration guide for the SCALANCE M, proceed as follows: 1. Select the SCALANCE M812-1 and select the "Transfer" > "To module(s) " menu command. 2. Save the "<Project name>.m812" configuration guide and the certificates to your project directory. 3. Specify a password for the private key of the certificate. If you do not assign a password, the project name (not the password of the logged in user) is applied as the password. Result The following files are saved to the project directory: Configuration guide: "<Project name>.m812.txt" Certificate: "<Project name>.<string>.m812.p12" Group certificate: "<Project name>.group1.s612.cer" Entry ID: 99681595, V1.0, 09/2014 22

2.3 VPN configuration in the SCALANCE M812-1 Configuration guide Use the Web user interface of the SCALANCE M to configure it with the aid of the saved "<Project name>.m812.txt" configuration guide. The configuration includes the following steps shown below: Table 2-3 No. Configuration step 1. Enter the certificate password. 2. Load the certificates to the SCALANCE M. 3. Define the VPN remote end. 4. Create the connection. 5. Define the authentication method for the connection. 6. Define the VPN parameters for Phase 1. 7. Define the VPN parameters for Phase 2. 8. Define the SCALANCE M as the initiator. 9. Enable the VPN function. Entry ID: 99681595, V1.0, 09/2014 23

Physical connection between PC and SCALANCE M Use the PC to connect to the Web user interface of the SCALANCE M (address: https://192.168.2.1). For this purpose, change the network settings on the PC as follows: IP address: 192.168.2.100 Subnet mask: 255.255.255.0 After successful logon, the start page appears. Managing the certificate password There are files whose access is password-protected. When saving the configuration files of the SCALANCE M from the Security Configuration Tool, you were prompted to assign a password for the private key of the certificate or use the project name as the password. To successfully download the file to the SCALANCE M, enter the password defined for the file on the WBM page. 1. In the navigation bar, navigate to "System" > "Load&Save" > "Passwords". 2. In the "Password" text box, enter the password. In "Password Confirmation", reenter the password to confirm it. Check the "Enabled" option. 3. Click the "Set Values" button. Result The password for the private key of the certificate has been defined. Entry ID: 99681595, V1.0, 09/2014 24

Loading the certificates The certificates are required to authenticate the VPN user and therefore to establish a secure VPN connection. Load the two required certificates to the SCALANCE M as described in the following section: 1. In the navigation bar, navigate to "System" > "Load&Save" > "HTTP". 2. In "IPSecCert", click the "Load" button to start loading. 3. The dialog for loading a file opens. Navigate to your project directory with the configuration data of the SCALANCE M. 4. Select a certificate. For the exact certificate name, please refer to your configuration guide. 5. In the dialog, click the "Open" button. The file is loaded. 6. Repeat steps 2 through 5 with the other certificate. Result The certificates "<Project name>.<string>.m812.p12" and "<Project name>.group1.s612.cer" have been loaded to the SCALANCE M. Entry ID: 99681595, V1.0, 09/2014 25

Defining the VPN remote end The VPN tunnel is always established to one or more users. In this example, the only endpoint is the SCALANCE S612. Configure the remote end as follows: 1. In the navigation bar, navigate to "Security" > "IPSec VPN" > "Remote End". 2. In the "Remote End Name" text box, enter a name for the VPN remote end (e.g., S612). Click "Create" to create a new remote end. 3. Set the parameters for the VPN remote end as described in your configuration guide: Remote Mode: Standard Remote Type: manual Remote Address: WAN IP address of your DSL access point Remote Subnet: 172.22.80.0/24 4. Click the "Set Values" button. Result The access address of the remote end and the via VPN reachable - subnet have been made known to the SCALANCE M. Entry ID: 99681595, V1.0, 09/2014 26

Creating the VPN connection In this section, you configure the basic settings for the VPN connection. Then you define the security settings. 1. In the navigation bar, navigate to "Security" > "IPSec VPN" > "Connections". 2. In "Connection Name", enter a name for the VPN connection. Click "Create" to create a new entry. 3. Set the parameters for the VPN connection as described in your configuration guide: Keying Protocol: IKEv1 Remote End: Name of the VPN remote end (here: S612) Local Subnet: 192.168.2.0/24 4. Click the "Set Values" button. Result A VPN connection was configured, the remote end for this connection was chosen and the subnet was defined, which is allowed to communicate with the remote end. Entry ID: 99681595, V1.0, 09/2014 27

Defining the authentication method For secure communication via VPN, all VPN partners must authenticate each other. This example uses the certificate of the remote end as the authentication method. Note For the exact names of your certificates, please refer to your configuration guide. 1. In the navigation bar, navigate to "Security" > "IPSec VPN" > "Authentication". 2. Configure authentication with the settings described in your configuration guide. Authentication: Remote Cert Local Certificate: <see configuration guide> Remote Certificate: <see configuration guide> Remote ID: <see configuration guide> 3. Click the "Set Values" button. Result The SCALANCE M can authenticate for the shared VPN tunnel with the loaded certificates and accept the remote end as the VPN partner. Entry ID: 99681595, V1.0, 09/2014 28

Defining Phase 1 Phase 1 of authentication involves the encryption agreement and authentication between the VPN users via the standardized IKE (Internet Key Exchange) protocol. For IPSec key management, you have to enter defined protocol parameters. 1. In the navigation bar, navigate to "Security" > "IPSec VPN" > "Phase 1". 2. Set the protocol parameters as described in your configuration guide: Encryption: 3DES Authentication: SHA1 Key Derivation: DH group 2 Keying Tries: 0 Lifetime [min]: 2500000 DPD: restart DPD Delay [sec]: default DPD Timeout [sec]: default Aggressive Mode: No 3. Click the "Set Values" button. Entry ID: 99681595, V1.0, 09/2014 29

Defining Phase 2 Phase 2 is data exchange via the standardized ESP (Encapsulating Security Payload) security protocol. For IPSec data exchange, you have to enter defined protocol parameters. 1. In the navigation bar, navigate to "Security" > "IPSec VPN" > "Phase 2". 2. Set the protocol parameters as described in your configuration guide: Encryption: 3DES Authentication: SHA1 Key Derivation: DH group 2 Lifetime [min]: 2880 Lifebytes: 0 3. Click the "Set Values" button. Result You have defined all the necessary parameters for the IKE and ESP protocols. Entry ID: 99681595, V1.0, 09/2014 30

Establishing the VPN connection The SCALANCE M is configured as the initiator of the VPN tunnel and actively establishes the connection to the SCALANCE S612. 1. In the navigation bar, navigate to "Security" > "IPSec VPN" > "Connections". 2. In the "Operation" column, change the mode to "Start". 3. Click the "Set Values" button. Result The SCALANCE M812-1 is the initiator of the VPN connection. Entry ID: 99681595, V1.0, 09/2014 31

Activating IPSec For the secure connection between SCALANCE M and SCALANCE S, a VPN tunnel is established with IPSec. 1. In the navigation bar, navigate to "Security" > "IPSec VPN" > "General". 2. Check the "Activate IPSec VPN" check box to activate IPSec. 3. Click the "Set Values" button. Result IPSec is active and used for the VPN tunnel. 2.4 Final steps Connect the internal port of the SCALANCE S612 and SCALANCE M812-1 to your network (e.g., an automation network). For all devices on the internal port of the devices, set the appropriate standard router (IP address of the internal port). Entry ID: 99681595, V1.0, 09/2014 32

2.5 Status of the VPN connection When all security modules have been parameterized, loaded and connected to the Internet, the SCALANCE M812-1 initializes the VPN tunnel to the SCALANCE S612. Diagnostics in the Security Configuration Tool or SCALANCE M's Web Based Management allow you to view the status. Security Configuration Tool For diagnostics via the Security Configuration Tool, proceed as described below: 1. Connect the PC with the Security Configuration Tool to the internal port of the SCALANCE S and change the network settings on the PC as follows: IP address: 172.22.80.100 Subnet mask: 255.255.255.0 2. In the Security Configuration Tool, open the project with which the module was configured. 3. Use the "View" > "online" menu command to activate "Online" mode. 4. In the content area, select the module you want to edit and select the "Edit" > "Online diagnostics " menu command. 5. The "Communications status" tab displays the communication status. Entry ID: 99681595, V1.0, 09/2014 33

Web Based Management Status indication via Web Based Management can be accessed as follows: 1. Use the PC to connect to the Web user interface of the SCALANCE M (address: https://192.168.2.1). For this purpose, change the network settings on the PC as follows: IP address: 192.168.2.100 Subnet mask: 255.255.255.0 After successful logon, the start page appears. 2. In the navigation bar, navigate to "Information" > "IPSec VPN". 3. The "Status" column shows the status of the configured VPN connection. Entry ID: 99681595, V1.0, 09/2014 34

3 Testing the Tunnel Function 3 Testing the Tunnel Function Chapter 2 completes the commissioning of the configuration and the SCALANCE S612 and SCALANCE M812-1 have established a VPN tunnel for secure communication. You can test the established tunnel connection using a ping command on an internal node. This is described below. Alternatively, you can also use other methods to test the configuration (for example, by opening the internal Web page when using a PROFINET CPU). 1. Connect the PC to the internal port of the SCALANCE M812-1. 2. Change the network settings on the PC as follows: IP address: 192.168.2.100 Subnet mask: 255.255.255.0 Default gateway: 192.168.2.1 3. On the PC, select "Start" > "All Programs" > "Accessories" > "Command Prompt" in the start bar. 4. In the command line of the "Command Prompt" window that appears, enter the "ping <IP address of internal node of remote end>" command at the cursor position. Result You get a positive response from the internal node. Note In Windows, the default settings of the firewall may prevent ping commands from passing. You may have to enable the ICMP services of the "Request" and "Response" type. Entry ID: 99681595, V1.0, 09/2014 35

4 History 4 History Table 4-1 Version Date Modifications V1.0 09/2014 First version Entry ID: 99681595, V1.0, 09/2014 36

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback