Scalance - VPN Tunnel
Clicking the link below directly displays the download page of this document.
http://support.automation.siemens.com/WW/view/en/32447942
Question
How do I configure a VPN tunnel between a PC station and a SCALANCE S61x via the
Internet with the SOFTNET Security Client 2008?
Answer
The instructions and notes listed in this document provide a detailed answer to this
question.
Table of contents
1 Introduction
2 Configuration of the Standard Router
3 Configuration of the SCALANCE S 61x and SOFTNET Security Client
3.1 Configuring the SCALANCE S 61x
3.2 Configuring the SOFTNET Security Client
3.3 Configuring the Virtual Private Network (VPN)
3.4 Download and save the configuration
4 Establish the VPN tunnel with the SOFTNET Security Client
5 Diagnostic
6 History
1 Introduction
Using the SOFTNET Security Client Edition 2008, it is possible to establish a VPN
tunnel to a SCALANCE S61x module via the Internet by means of the Security
Configuration Tool. Use the SCALANCE S61x in routing mode.
The following guideline describes the configuration of the VPN tunnel.
Figure 1-1 Configuration shows the structure of this configuration.
The requirements for this are:
In order to support the establishment of the VPN tunnel via the Internet in
routing mode, you require a SCALANCE S 61x with at least firmware V2.1.
The current firmware V2.3 for the SCALANCE S 61x is available for download in
the following entry:
http://support.automation.siemens.com/WW/view/en/37352999
You need the following software components:
SOFTNET Security Client V2.0 (Edition 2008) or a higher version
Security Configuration Tool V2.2 or a higher version
You need a fixed external IP address for the standard router B. The active module
(SOFTNET Security Client) initiates the establishment of the VPN tunnel via this
fixed external IP address. The passive module (SCALANCE S 61x) waits for the
connection from the remote VPN gateway.
Figure 1-1 Configuration (diagram not reproduced; labels: Internet, ISP 1, ISP 2,
Control Center, Standard Router A, Standard Router B, PC station, SCALANCE S 61x,
Remote Station (protected automation cell), IP subnet: 140.80.0.0; address labels:
internal IP address SCALANCE 61x, internal IP address Standard Router A,
external IP address SCALANCE S61x)
NOTE If the standard router A possesses DHCP capability, the PC can automatically
obtain its IP address and DNS server address from standard router A.
Use the following instructions to configure the SCALANCE S 61x and SOFTNET
Security Client.
Double-click the S612 V2-type module under All Modules to open the module
properties.
Switch to the Routing Modus tab in the module properties.
Enable the function Routing active.
Enter the internal IP address 140.80.0.2 and the subnet mask 255.255.0.0.
Figure 3-5 module properties S612 V2 register Routing Modus
Creating group
Create a new group via the menu Insert Group.
Figure 3-7 creating group
Now the configuration of the SCALANCE S 61x and the SOFTNET Security Client
is finished.
Figure 3-10 finished configuration
NOTE When the SCALANCE S61x is in factory setting, then the first download of the
SCALANCE S61x isn't possible via the Internet. The first download of the SCALANCE
S61x must take place in the factory.
The configuration data for the SOFTNET Security Client (SSC) are saved in a "*.dat"
format file. Additionally, the PKCS12 certificate is saved in two files, in *.p12 and
*.cer format, in the same directory as the configuration data.
In this example the configuration file is called "Configuration2.SOFTNET.dat".
Figure 3-13 creating the configuration data
When saving the PKCS12 certificate, it is possible to define a separate password.
To do so, confirm the following message with Yes.
If you answer the message with No, then the name of the project is used as the
password for the PKCS12 certificate.
Figure 3-14 defining the password for the PKCS12 certificate
In the following dialog you enter and confirm the password of the PKCS12
certificate. Close the dialog with OK.
Figure 3-15 password of the PKCS12 certificate
In the following dialog, enter the password which you defined for the PKCS12
certificate while saving the configuration data in the configuration file.
If you haven't defined a separate password for the PKCS12 certificate, then
enter the name of the project which you created with the Security
Configuration Tool and in which the configuration of the SCALANCE S61x and
SOFTNET Security Client is saved.
Figure 4-3 entering the password of PKCS12 certificate
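The fallback described in chapter 3.4 and used again here (answering No makes the project name the PKCS12 password) can be audited on the directory that holds the exported configuration. The following script is an added example, not part of the original Siemens document; it assumes the OpenSSL command-line tool is installed, and the project name Configuration2 and the sample files it generates are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Siemens code). Requires the openssl command-line tool.

# Succeeds if PASSWORD unlocks the PKCS12 file. The password is handed over in
# the environment so that it does not appear in the process list.
p12_opens_with() {
    P12_PASS="$2" openssl pkcs12 -in "$1" -noout -passin env:P12_PASS >/dev/null 2>&1
}

# Prints every *.p12 file in DIR that still opens with the project name,
# i.e. every certificate that was saved without a separate password.
weak_p12_files() {
    for f in "$1"/*.p12; do
        [ -e "$f" ] || continue
        if p12_opens_with "$f" "$2"; then echo "$f"; fi
    done
}

# Constructed sample export directory: one certificate saved with the
# project-name fallback ("No"), one saved with a separate password ("Yes").
make_sample_export() {
    dir=$(mktemp -d) || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=constructed-sample" \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" >/dev/null 2>&1 || return 1
    for pair in "default.p12:$1" "separate.p12:constructed-Separate-Passw0rd"; do
        P12_PASS=${pair#*:} openssl pkcs12 -export -inkey "$dir/key.pem" \
            -in "$dir/cert.pem" -out "$dir/${pair%%:*}" \
            -passout env:P12_PASS >/dev/null 2>&1 || return 1
    done
    echo "$dir"
}

sample=$(make_sample_export "Configuration2")   # hypothetical project name
weak_p12_files "$sample" "Configuration2"       # lists only .../default.p12
rm -rf "$sample"
```

To audit a real export, call weak_p12_files with the directory that contains the *.dat, *.p12 and *.cer files and the name of the Security Configuration Tool project. With OpenSSL 3.x, files protected with older algorithms may additionally need the -legacy option before they can be read.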
In the dialog Tunnel overview the modules and subnets are shown which are
reachable via the VPN tunnel.
If the VPN tunnel is established successfully and the SCALANCE S61x is
reachable by the PC station, a yellow key is shown in the column Status.
Figure 4-6 dialog Tunnel overview
5 Diagnostic
If the VPN tunnel between the PC station and the SCALANCE S61x is set up via
the Internet, you can access the protected automation cell (S7-300 station) from
the PC station, i.e.:
- A ping can be transmitted from the PC station to the Industrial Ethernet CP
  which is used in the S7-300 station.
- In STEP 7 you can use the PG/OP functions to access the S7-300 controller
  online so as to enable you to load the STEP 7 project or the configuration into
  the S7-300 controller's CPU or to read out the CPU's diagnostic buffer.
NOTE The VPN tunnel does not support layer 2 protocols, such as the "accessible
nodes" function in STEP 7.
Problems can also arise if there is a firewall additionally installed on the PC.
6 History
Table 6-1 History
Version  Date      Changes
V1.0     03.12.08  First issue
V1.1     15.12.08  Change the structure / composition of the document
V1.2     11.08.09  Correct some spelling mistakes
                   When no separate password is defined while saving the
                   certificate, then the name of the project is used as
                   password.
                   Chapter 1: add the link to the download of the current
                   firmware V2.3 for SCALANCE S61x
                   Chapter 3.1: delete the passage Add firewall rules
                   Chapter 4: add the note how you can open the dialog to
                   select the correct network adapter
V1.3     17.08.10  New style sheet is used
                   Add-on in chapter 3.4, section Save the configuration of
                   the SOFTNET Security Client: in addition to the
                   configuration data the PKCS12 certificate is saved in
                   the following files: *.p12 and *.cer file
                   Add-on in chapter 4, section Load the configuration data:
                   the *.p12 and *.cer file must exist in the same
                   directory as the configuration data