http://support.automation.siemens.com/WW/view/de/26662448
Application Description, 09/2014
IP-based Remote Networks
SCALANCE M, SCALANCE S, CP x43-1 Advanced, CP 1x43-1, TS Adapter IE Advanced
Entry ID: 26662448, V2.0, 09/2014
Siemens AG 2014 All rights reserved
Warranty and Liability

Note
The Application Examples are not binding and do not claim to be complete regarding the circuits shown, equipping and any eventuality. The Application Examples do not represent customer-specific solutions. They are only intended to provide support for typical applications. You are responsible for ensuring that the described products are used correctly. These Application Examples do not relieve you of the responsibility to use safe practices in application, installation, operation and maintenance. When using these Application Examples, you recognize that we cannot be made liable for any damage/claims beyond the liability clause described. We reserve the right to make changes to these Application Examples at any time without prior notice. If there are any deviations between the recommendations provided in these Application Examples and other Siemens publications, e.g. catalogs, the contents of the other documents have priority.

We do not accept any liability for the information contained in this document.

Any claims against us based on whatever legal reason - resulting from the use of the examples, information, programs, engineering and performance data etc., described in this Application Example shall be excluded. Such an exclusion shall not apply in the case of mandatory liability, e.g. under the German Product Liability Act ("Produkthaftungsgesetz"), in case of intent, gross negligence, or injury of life, body or health, guarantee for the quality of a product, fraudulent concealment of a deficiency or breach of a condition which goes to the root of the contract ("wesentliche Vertragspflichten"). The damages for a breach of a substantial contractual obligation are, however, limited to the foreseeable damage, typical for the type of contract, except in the event of intent or gross negligence or injury to life, body or health. The above provisions do not imply a change of the burden of proof to your detriment.

Any form of duplication or distribution of these Application Examples or excerpts hereof is prohibited without the expressed consent of Siemens Industry Sector.
Security information
Siemens provides products and solutions with industrial security functions that support the secure operation of plants, solutions, machines, equipment and/or networks. They are important components in a holistic industrial security concept. With this in mind, Siemens' products and solutions undergo continuous development. Siemens recommends strongly that you regularly check for product updates.

For the secure operation of Siemens products and solutions, it is necessary to take suitable preventive action (e.g. cell protection concept) and integrate each component into a holistic, state-of-the-art industrial security concept. Third-party products that may be in use should also be considered. For more information about industrial security, visit http://www.siemens.com/industrialsecurity.

To stay informed about product updates as they occur, sign up for a product-specific newsletter. For more information, visit http://support.automation.siemens.com.
Table of Contents

Warranty and Liability
1 Remarks on this Document
  1.1 Reason and objective
  1.2 Features and benefits
  1.3 Structure of this document
2 Introduction to Remote Networks
  2.1 Remote networks & industrial security
  2.2 Security Integrated product portfolio
    2.2.1 SCALANCE S
    2.2.2 SOFTNET Security Client
    2.2.3 SCALANCE M-800
    2.2.4 CP x43-1 Advanced
    2.2.5 CP 1x43-1
    2.2.6 CP 1628
    2.2.7 TS Adapter IE Advanced
3 SCALANCE S
  3.1 Static IP address
    3.1.1 VPN tunnel between SCALANCE S (VPN server) and SCALANCE S using a static IP address
    3.1.2 VPN tunnel between SCALANCE S (VPN server) and SCALANCE M81x-1 using a static IP address
    3.1.3 VPN tunnel between SCALANCE S (VPN server) and SOFTNET Security Client using a static IP address
    3.1.4 VPN tunnel between SCALANCE S (VPN server) and CP x43-1 Advanced using a static IP address
    3.1.5 VPN tunnel between SCALANCE S (VPN server) and SCALANCE M874-x using a static IP address
    3.1.6 VPN tunnel between SCALANCE S (VPN server) and a mobile client using a static IP address
  3.2 Dynamic IP address
    3.2.1 VPN tunnel between SCALANCE S (VPN server) and SCALANCE S using a dynamic IP address
    3.2.2 VPN tunnel between SCALANCE S (VPN server) and SCALANCE M81x-1 using a dynamic IP address
    3.2.3 VPN tunnel between SCALANCE S (VPN server) and SOFTNET Security Client using a dynamic IP address
    3.2.4 VPN tunnel between SCALANCE S (VPN server) and SCALANCE M874-x using a dynamic IP address
    3.2.5 VPN tunnel between SCALANCE S (VPN server) and a mobile client using a dynamic IP address
  3.3 PPPoE
    3.3.1 VPN tunnel between SCALANCE S (VPN server) and SCALANCE S using PPPoE
    3.3.2 VPN tunnel between SCALANCE S (VPN server) and SCALANCE M81x-1 using PPPoE
    3.3.3 VPN tunnel between SCALANCE S (VPN server) and SOFTNET Security Client using PPPoE
    3.3.4 VPN tunnel between SCALANCE S (VPN server) and CP x43-1 Advanced using PPPoE
    3.3.5 VPN tunnel between SCALANCE S (VPN server) and SCALANCE M874-x using PPPoE
    3.3.6 VPN tunnel between SCALANCE S (VPN server) and a mobile client using PPPoE
4 SCALANCE M874-x
  4.1 Static IP address
    4.1.1 VPN tunnel between SCALANCE M874-x (VPN server) and SCALANCE M81x-1 using a static IP address
    4.1.2 VPN tunnel between SCALANCE M874-x (VPN server) and SOFTNET Security Client using a static IP address
    4.1.3 VPN tunnel between SCALANCE M874-x (VPN server) and CP x43-1 Advanced using a static IP address
    4.1.4 VPN tunnel between SCALANCE M874-x (VPN server) and CP 1x43-1 using a static IP address
    4.1.5 VPN tunnel between SCALANCE M874-x (VPN server) and SCALANCE M874-x using a static IP address
    4.1.6 VPN tunnel between SCALANCE M874-x (VPN server) and a mobile client using a static IP address
  4.2 Dynamic IP address
    4.2.1 VPN tunnel between SCALANCE M874-x (VPN server) and SCALANCE M81x-1 using a dynamic IP address
    4.2.2 VPN tunnel between SCALANCE M874-x (VPN server) and SOFTNET Security Client using a dynamic IP address
    4.2.3 VPN tunnel between SCALANCE M874-x (VPN server) and SCALANCE M874-x using a dynamic IP address
    4.2.4 VPN tunnel between SCALANCE M874-x (VPN server) and a mobile client using a dynamic IP address
5 SCALANCE M81x-1
  5.1 Static IP address
    5.1.1 VPN tunnel between SCALANCE M81x-1 (VPN server) and SCALANCE M81x-1 using a static IP address
    5.1.2 VPN tunnel between SCALANCE M81x-1 (VPN server) and SOFTNET Security Client using a static IP address
    5.1.3 VPN tunnel between SCALANCE M81x-1 (VPN server) and CP x43-1 Advanced using a static IP address
    5.1.4 VPN tunnel between SCALANCE M81x-1 (VPN server) and CP 1x43-1 using a static IP address
    5.1.5 VPN tunnel between SCALANCE M81x-1 (VPN server) and SCALANCE M874-x using a static IP address
    5.1.6 VPN tunnel between SCALANCE M81x-1 (VPN server) and a mobile client using a static IP address
  5.2 Dynamic IP address
    5.2.1 VPN tunnel between SCALANCE M81x-1 (VPN server) and SCALANCE M81x-1 using a dynamic IP address
    5.2.2 VPN tunnel between SCALANCE M81x-1 (VPN server) and SOFTNET Security Client using a dynamic IP address
    5.2.3 VPN tunnel between SCALANCE M81x-1 (VPN server) and SCALANCE M874-x using a dynamic IP address
    5.2.4 VPN tunnel between SCALANCE M81x-1 (VPN server) and a mobile client using a dynamic IP address
6 CP x43-1 Advanced
  6.1 Static IP address
    6.1.1 VPN tunnel between CP x43-1 Advanced (VPN server) and SCALANCE S using a static IP address
    6.1.2 VPN tunnel between CP x43-1 Advanced (VPN server) and SCALANCE M81x-1 using a static IP address
    6.1.3 VPN tunnel between CP x43-1 Advanced (VPN server) and SOFTNET Security Client using a static IP address
    6.1.4 VPN tunnel between CP x43-1 Advanced (VPN server) and CP x43-1 Advanced using a static IP address
    6.1.5 VPN tunnel between CP x43-1 Advanced (VPN server) and SCALANCE M874-x using a static IP address
    6.1.6 VPN tunnel between CP x43-1 Advanced (VPN server) and a mobile client using a static IP address
  6.2 Dynamic IP address
    6.2.1 VPN tunnel between CP x43-1 Advanced (VPN server) and SOFTNET Security Client using a dynamic IP address
    6.2.2 VPN tunnel between CP x43-1 Advanced (VPN server) and SCALANCE M81x-1 using a dynamic IP address
    6.2.3 VPN tunnel between CP x43-1 Advanced (VPN server) and SCALANCE M874-x using a dynamic IP address
    6.2.4 VPN tunnel between CP x43-1 Advanced (VPN server) and a mobile client using a dynamic IP address
7 CP 1x43-1
  7.1 Static IP address
    7.1.1 VPN tunnel between CP 1x43-1 (VPN server) and SCALANCE S using a static IP address
    7.1.2 VPN tunnel between CP 1x43-1 (VPN server) and SCALANCE M81x-1 using a static IP address
    7.1.3 VPN tunnel between CP 1x43-1 (VPN server) and SOFTNET Security Client using a static IP address
    7.1.4 VPN tunnel between CP 1x43-1 (VPN server) and CP x43-1 Advanced using a static IP address
    7.1.5 VPN tunnel between CP 1x43-1 (VPN server) and CP 1x43-1 using a static IP address
    7.1.6 VPN tunnel between CP 1x43-1 (VPN server) and SCALANCE M874-x using a static IP address
    7.1.7 VPN tunnel between CP 1x43-1 (VPN server) and a mobile client using a static IP address
  7.2 Dynamic IP address
    7.2.1 VPN tunnel between CP 1x43-1 (VPN server) and SCALANCE M81x-1 using a dynamic IP address
    7.2.2 VPN tunnel between CP 1x43-1 (VPN server) and SOFTNET Security Client using a dynamic IP address
    7.2.3 VPN tunnel between CP 1x43-1 (VPN server) and SCALANCE M874-x using a dynamic IP address
    7.2.4 VPN tunnel between CP 1x43-1 (VPN server) and a mobile client using a dynamic IP address
8 TS Adapter IE Advanced
  8.1 VPN tunnel between TS Adapter IE Advanced (VPN server) and Windows SSTP client using a static IP address
  8.2 VPN tunnel between TS Adapter IE Advanced (VPN server) and TIA Portal using a static IP address
9 References
10 History
1 Remarks on this Document

1.1 Reason and objective

Reason
Based on the Security Integrated product portfolio, there are numerous different ways of implementing secure communication that are always customized to the application. For the user, looking for the perfect solution involves the following questions:
- Which solutions are available?
- What are the differences between the solutions?

Objective
The Security Integrated portfolio includes several products that can be combined with each other. This results in a large number of configuration options.

This document helps you find an optimal solution for secure communication based on VPN.
1.2 Features and benefits
Features
The document has the following features:
- Clear, compact structure
- Concisely outlines the contents and provides an overview graphic of the individual configurations
- Does not describe details; the details are provided in the individual configurations.

Benefits
The document offers the following benefits to the reader:
- Support in planning and configuration
- Quick finding of information regarding configuration options
- Short, compact overview of the features
- Reference to the individual configurations
1.3 Structure of this document
Siemens Security Integrated portfolio includes several products that can be combined with each other. This results in a large number of configuration options.

To present these options in a clear manner, the possible configurations are classified based on specific criteria.
This document gives you an overview of the configurations with the modules from the Remote Networks portfolio.

Classification based on SIMATIC dependency
The VPN solutions with the SCALANCE modules / TS Adapter are independent of SIMATIC, i.e. the application behind the VPN tunnel does not have to be a SIMATIC application. Access to other applications via the SCALANCE modules / TS Adapter is possible as well.
The VPN solutions with the CPs are SIMATIC-based, as a SIMATIC CPU is required to operate the CP. However, these configurations also allow access to non-SIMATIC plant parts via the CP.

Classification of the configurations
The possible configurations of an IP-based remote network are divided into groups. The criterion for this subdivision is the module that acts as the VPN server.

There is a separate group for each module that can be configured as a VPN server. This results in the following subdivision of VPN server groups:
- SCALANCE S
- SCALANCE M874
- SCALANCE M810
- CP x43-1 Adv.
- CP 1x43-1
- CP 1628
- TS Adapter IE Advanced

Note
For configuration examples for the CP 1628, use the following link: \10\

Contents of a group
A group can in turn consist of multiple configurations. All these configurations have one thing in common: for all configurations, the VPN server is the same security module, specified by the group. They differ in the module used as the VPN client.
For all possible configurations of a group, Siemens Industry Online Support provides a document with a specific configuration guide for the settings of the VPN modules.
The figure below shows the subdivision of the configurations.
Figure 1-1 (graphic; labels: Remote Access (IP-based) overview document, subdivided into the groups SCALANCE S VPN server, SCALANCE M874 VPN server, SCALANCE M810 VPN server, CP x43-1 Adv. VPN server, CP 1x43-1 VPN server and TS Adapter VPN server, each with its configurations)
Configurations that belong to the same group have the same color (e.g., yellow for the SCALANCE S group).
In the relevant chapter, each configuration is
- presented homogeneously in an overview graphic,
- including a list of requirements and
- the link for the detailed configuration description.

Then the configurations within the group are sorted by access type.
- Access using a static public IP address (on the VPN server side)
- Access using a dynamic public IP address (on the VPN server side)
- PPPoE (only in the SCALANCE S group)
2 Introduction to Remote Networks

2.1 Remote networks & industrial security

Remote networks
Remote networks are public or private communications infrastructures for covering wide areas or long distances, for example mobile or fixed telephone networks.
The geographical distribution of automation cells increases the demand for telecontrol (remote control) and teleservice (remote maintenance/diagnostics) in a remote network.
The comprehensive Remote Networks portfolio from Siemens offers connection to both conventional (dedicated line, telephone) and IP-based infrastructures (e.g., the Internet).

Applications
Possible remote access applications in a remote network:
- Telecontrol
  Connection of outstations (remote terminal units - RTUs) distributed over a wide geographical area to one or more central control systems for the purpose of monitoring and control.
- Teleservice
  Data exchange with distant technical systems such as machines, plants and computers for the purpose of error detection, diagnostics, maintenance, repair and optimization.

Integration into the industrial security concept
This document focuses on IP-based networks.
As remote access to the plant is implemented via a public network (e.g., the Internet), protection against data manipulation and spying is particularly important. For this purpose, virtual private networks (VPN) are used.

VPN
A VPN is a private network that uses a public network (e.g., the Internet) as a transit network for transmitting data to a private destination network. The private networks and the transit network need not be compatible with one another.
Although VPN uses the addressing mechanisms of the transit network, it nevertheless uses its own network packets to separate the transport of private data packets from the others. Due to this fact, the private networks appear as a shared, logical (virtual) network.
VPN routers are required to set up a VPN. The VPN Security Integrated products (VPN routers) from Siemens support IPsec (Internet Protocol Security).
The TS Adapter IE Advanced uses Microsoft's SSTP (Secure Socket Tunneling Protocol).
VPN client and VPN server
Data communication protected using IPsec always starts with negotiating a preliminary Security Association (IKE phase 1) before algorithms, keys, etc. are finally agreed upon in phase 2.
The tunnel endpoint that actively starts negotiating a Security Association is referred to as the VPN client.
The remote end that waits for the VPN client is called the VPN server.

Note
For more information on Internet Security Protocol and the Siemens Security Concept, use the following link: \3\
2.2 Security Integrated product portfolio
Through a combination of different security measures such as firewalls and VPN, the security modules protect individual devices or even entire automation cells against:
- Data espionage
- Data manipulation
- Unwanted access

The figure below shows the remote access cells.
Figure 2-1 (graphic; labels: automation cells with SIMATIC S7 stations behind SCALANCE S, SCALANCE M874-x and SCALANCE M81x-1; SIMATIC S7-300 or S7-400 with CP x43-1 Advanced; SIMATIC S7-1200 or S7-1500 with CP 1x43-1; TS Adapter IE Advanced; service PCs with SSC, TIA Portal and Windows SSTP; smartphone with IPsec client app; Internet routers)
To help you in selecting products, the following sections describe the most important features of the respective security modules.
2.2.1 SCALANCE S
The security modules of the SCALANCE S family are designed specifically for use in automation but integrate seamlessly with the security structures of the office and IT world. The SCALANCE S612, SCALANCE S623 and SCALANCE S627-2M modules additionally provide the following features:
- Simultaneous protection of multiple devices by IPsec tunnels (support of up to 128 VPN tunnels at a time).
- IP addresses are automatically obtained from the Internet service provider using PPPoE; therefore, it is no longer necessary to use a separate DSL router and a DSL modem can be used instead.
- Use of DNS for VPN tunnels using public dynamic IP addresses from the Internet service provider.
- User-specific IP firewall to distinguish and differentiate access to specific plant parts.

Note
For the technical specifications of the SCALANCE S modules, use the following link: \4\
2.2.2 SOFTNET Security Client
The SOFTNET Security Client allows programming devices, PCs and notebook computers access to network nodes or automation systems protected by SCALANCE S, SCALANCE M or CPs.
It is characterized by the following features:
- Secure access of programming devices or notebook computers to entire automation cells.
- Easy use on mobile PCs.
- Non-secure devices can be integrated into the secure data traffic.
- Supports the DNS client function.
2.2.3 SCALANCE M-800
SCALANCE M874
The SCALANCE M874-3 (HSPA+ router) and SCALANCE M874-2 (GPRS/EDGE router) routers are suited for cellular networks. These modules are characterized by the following features:
- Simultaneous protection of multiple devices by IPsec tunnels (support of up to 10 VPN tunnels at a time).
- Broad range of applications; can be used wherever a GPRS/UMTS network is available.
- Connection of stationary stations and/or mobile stations.
- Simplicity of connecting local networks by means of IP communication via WAN.
- User-specific IP firewall to distinguish and differentiate access to specific plant parts.
Note
For the technical specifications of the SCALANCE M874 modules, use the following link: \5\

SCALANCE M810
SCALANCE M812-1 and SCALANCE M816-1 are DSL routers for cost-effective, secure connection of Ethernet-based subnets and programmable controllers to wired telephone or DSL networks. They support ADSL2+ (Asynchronous Digital Subscriber Line).
These modules are characterized by the following features:
- Simultaneous protection of multiple devices by IPsec tunnels (support of up to 20 VPN tunnels at a time).
- VPN and DSL router in a single device; therefore, it is no longer necessary to use a separate DSL router.
- Broad range of applications due to high bandwidth, performance and speed.
- Reduced travel expenses and personnel costs due to remote programming and remote diagnostics via wired telephone or DSL networks.
- User-specific IP firewall to distinguish and differentiate access to specific plant parts.

Note
For the technical specifications of the SCALANCE M810 modules, use the following link: \6\
2.2.4 CP x43-1 Advanced
CP 343-1 Advanced and CP 443-1 Advanced are communications processors for connecting SIMATIC S7 CPUs to PROFINET / Industrial Ethernet networks.
For the SIMATIC S7-300/S7-400, they are the bridge between the field level and the MES level and integrate seamlessly with the security structures of the office and IT world.
These modules are characterized by the following features:
- Firewall, VPN gateway and communications processor in a single device.
- Protection of S7-300/S7-400 controllers and their lower-level networks by IPsec tunnels (support of up to 32 VPN tunnels at a time).

Note
For the technical specifications of the CP 343-1 Advanced, use the following link: \7\

Note
For the technical specifications of the CP 443-1 Advanced, use the following link: \8\
2.2.5 CP 1x43-1
The CP 1243-1 communications processor securely connects the SIMATIC S7-1200 controller to Ethernet networks.
The CP 1543-1 communications processor securely connects the SIMATIC S7-1500 controller to Ethernet networks.
These modules are characterized by the following features:
- Firewall, VPN gateway and communications processor in a single device.
- Protection of S7-1200/S7-1500 controllers and their lower-level networks by IPsec tunnels (support of up to 16 VPN tunnels at a time).

Note
For the technical specifications of the CP 1243-1, use the following link: \7\

Note
For the technical specifications of the CP 1543-1, use the following link: \8\
2.2.6 CP 1628
CP 1628 is a communications module for securely connecting a PG/PC to Industrial Ethernet. With a dedicated processor for automation/security tasks, the CP 1628 reduces the host PC's load and provides constant, stable and secure data communication.
This module is characterized by the following features:
- Firewall, VPN gateway and communications processor in a single device.
- Simultaneous protection of multiple devices by IPsec tunnels (support of up to 64 VPN tunnels at a time).

Note
For the technical specifications of the CP 1628, use the following link: \9\
2.2.7 TS Adapter IE Advanced
In conjunction with TIA Portal (V12 SP1 or higher), the TS Adapter IE Advanced allows access, through the Internet, to all automation components of a plant (e.g., S7 controllers) that are connected to Industrial Ethernet.
This module is characterized by the following features:
- Aside from TIA Portal, no other software or hardware is required to establish the VPN connection (VPN client). [1]
- Protection of S7 controllers and their lower-level networks by SSTP.

Note
For the technical specifications of the TS Adapter IE Advanced, use the following link: \11\

[1] Internet access and a DSL modem are required to access the Internet.
3 SCALANCE S

This chapter describes the configurations in which the SCALANCE S is configured as the VPN server.
This group is marked in yellow.

Table 3-1
VPN server | VPN client | Access type
SCALANCE S | VPN remote end | Static IP address; dynamic IP address; PPPoE

Characteristics
- The SCALANCE S can be either behind a DSL router or a DSL modem.
- A static or dynamic public IP address can be used for the DSL router/modem on the VPN server side.
- Up to 128 VPN tunnels can be established simultaneously; therefore, multiple secure connections can run simultaneously and independently of one another.
- A service employee or plant on the VPN client side can establish the VPN tunnel only when necessary; a permanently established tunnel connection is not necessary.
- Due to the routing function, the networks on the internal and external interface become separate subnets.
3.1 Static IP address
3.1.1 VPN tunnel between SCALANCE S (VPN server) and SCALANCE S using a static IP address
Overview
Figure 3-1 (overview graphic; labels: SCALANCE S as VPN server, SCALANCE S as VPN client, service PC, Internet modem/router, Internet router, static WAN IP address, automation cell, SIMATIC S7 stations, VPN tunnel, Industrial Ethernet)

Table 3-2
VPN server | VPN client | Access type
SCALANCE S | SCALANCE S | Static IP address

Requirements
- Static public IP address for the Internet router of the VPN server
- Internet router with port forwarding functionality (on the VPN server side)
- Standard Internet modem, router or UMTS router, for example SCALANCE M873 (on the VPN client side)

Link to the configuration description:
http://support.automation.siemens.com/WW/view/en/99681360
3.1.2 VPN tunnel between SCALANCE S (VPN server) and SCALANCE M81x-1 using a static IP address
Overview
[Figure 3-2: network diagram. Labels: SCALANCE S, Service PC, VPN Server, VPN Tunnel, Industrial Ethernet, Static WAN IP Address, Internet Router, SCALANCE M81x-1, VPN Client, Automation Cell, SIMATIC S7 Stations.]

Table 3-3
VPN server | VPN client | Access type
SCALANCE S | SCALANCE M81x-1 | Static IP address

Requirements
- Static public IP address for the Internet router of the VPN server.
- Internet router with port forwarding functionality (on the VPN server side).

Link to the configuration description: http://support.automation.siemens.com/WW/view/en/99681595
3.1.3 VPN tunnel between SCALANCE S (VPN server) and SOFTNET Security Client using a static IP address
Overview
[Figure 3-3: network diagram. Labels: VPN Tunnel, Industrial Ethernet, Internet Modem/Router, Internet Router, SCALANCE S, VPN Server, SIMATIC S7 Stations, Static WAN IP Address, Service PC with SOFTNET Security Client (SSC), VPN Client, Automation Cell.]

Table 3-4
VPN server | VPN client | Access type
SCALANCE S | SOFTNET Security Client | Static IP address

Requirements
- Static public IP address for the Internet router of the VPN server.
- Internet router with port forwarding functionality (on the VPN server side).
- Standard Internet modem, router or UMTS router, for example SCALANCE M873 (on the VPN client side).

Link to the configuration description: http://support.automation.siemens.com/WW/view/en/99681083
3.1.4 VPN tunnel between SCALANCE S (VPN server) and CP x43-1 Advanced using a static IP address
Overview
[Figure 3-4: network diagram. Labels: VPN Client, SIMATIC S7-300 or S7-400 with CP x43-1 Advanced, SCALANCE S, Service PC, Internet Modem/Router, VPN Server, VPN Tunnel, Industrial Ethernet, Static WAN IP Address, Internet Router, Automation Cell.]

Table 3-5
VPN server | VPN client | Access type
SCALANCE S | CP x43-1 Advanced | Static IP address

Requirements
- Static public IP address for the Internet router of the VPN server.
- Internet router with port forwarding functionality (on the VPN server side).
- Standard Internet modem, router or UMTS router, for example SCALANCE M873 (on the VPN client side).

Link to the configuration description: http://support.automation.siemens.com/WW/view/en/99681025
3.1.5 VPN tunnel between SCALANCE S (VPN server) and SCALANCE M874-x using a static IP address
Overview
[Figure 3-5: network diagram. Labels: SCALANCE S, Service PC, VPN Server, VPN Tunnel, Industrial Ethernet, Static WAN IP Address, Internet Router, SIMATIC S7 Stations, SCALANCE M874-x, VPN Client, Automation Cell.]

Table 3-6
VPN server | VPN client | Access type
SCALANCE S | SCALANCE M874-x | Static IP address

Requirements
- Static public IP address for the Internet router of the VPN server.
- Internet router with port forwarding functionality (on the VPN server side).
- Mobile network operator's default APN (on the VPN client side).

Link to the configuration description: http://support.automation.siemens.com/WW/view/en/99681225
3.1.6 VPN tunnel between SCALANCE S (VPN server) and a mobile client using a static IP address
Overview
[Figure 3-6: network diagram. Labels: Internet Router, SCALANCE S, VPN Client, VPN Server, Automation Cell, VPN Tunnel, Industrial Ethernet, Static WAN IP Address, SIMATIC S7 Stations, Smartphone with IPSec Client App.]

Table 3-7
VPN server | VPN client | Access type
SCALANCE S | Mobile client | Static IP address

Requirements
- Static public IP address for the Internet router of the VPN server.
- Internet router with port forwarding functionality (on the VPN server side).
- Mobile network operator's default APN (on the VPN client side).
- Smartphone with IPSec Client app and Android operating system (on the VPN client side).

Link to the configuration description: http://support.automation.siemens.com/WW/view/en/99680894
3.2 Dynamic IP address
3.2.1 VPN tunnel between SCALANCE S (VPN server) and SCALANCE S using a dynamic IP address
Overview
[Figure 3-7: network diagram. Labels: SCALANCE S (twice), Service PC, Internet Modem/Router, VPN Server, VPN Client, Automation Cell, VPN Tunnel, Industrial Ethernet, Dynamic WAN IP Address, Internet Router, SIMATIC S7 Stations.]

Table 3-8
VPN server | VPN client | Access type
SCALANCE S | SCALANCE S | Dynamic IP address

Requirements
- Dynamic public IP address for the Internet router of the VPN server (use of the DDNS providers dyndns.org or no-ip.org).
- Internet router with port forwarding functionality (on the VPN server side).
- Standard Internet modem, router or UMTS router, for example SCALANCE M873 (on the VPN client side).

Link to the configuration description: In progress
3.2.2 VPN tunnel between SCALANCE S (VPN server) and SCALANCE M81x-1 using a dynamic IP address
Overview
[Figure 3-8: network diagram. Labels: SCALANCE S, Service PC, VPN Server, VPN Tunnel, Industrial Ethernet, Dynamic WAN IP Address, Internet Router, SCALANCE M81x-1, VPN Client, Automation Cell, SIMATIC S7 Stations.]

Table 3-9
VPN server | VPN client | Access type
SCALANCE S | SCALANCE M81x-1 | Dynamic IP address

Requirements
- Dynamic public IP address for the Internet router of the VPN server (use of the DDNS providers dyndns.org or no-ip.org).
- Internet router with port forwarding functionality (on the VPN server side).

Link to the configuration description: In progress
3.2.3 VPN tunnel between SCALANCE S (VPN server) and SOFTNET Security Client using a dynamic IP address
Overview
[Figure 3-9: network diagram. Labels: Internet Modem/Router, Internet Router, SCALANCE S, VPN Server, SIMATIC S7 Stations, Dynamic WAN IP Address, VPN Tunnel, Industrial Ethernet, Service PC with SOFTNET Security Client (SSC), VPN Client, Automation Cell.]

Table 3-10
VPN server | VPN client | Access type
SCALANCE S | SOFTNET Security Client | Dynamic IP address

Requirements
- Dynamic public IP address for the Internet router of the VPN server (use of the DDNS providers dyndns.org or no-ip.org).
- Internet router with port forwarding functionality (on the VPN server side).
- Standard Internet modem, router or UMTS router, for example SCALANCE M873 (on the VPN client side).

Link to the configuration description: In progress
3.2.4 VPN tunnel between SCALANCE S (VPN server) and SCALANCE M874-x using a dynamic IP address
Overview
[Figure 3-10: network diagram. Labels: SCALANCE S, Service PC, VPN Server, VPN Tunnel, Industrial Ethernet, Dynamic WAN IP Address, Internet Router, SIMATIC S7 Stations, VPN Client, SCALANCE M874-x, Automation Cell.]

Table 3-11
VPN server | VPN client | Access type
SCALANCE S | SCALANCE M874-x | Dynamic IP address

Requirements
- Dynamic public IP address for the Internet router (use of the DDNS providers dyndns.org or no-ip.org).
- Internet router with port forwarding functionality.
- Mobile network operator's default APN.

Link to the configuration description: In progress
3.2.5 VPN tunnel between SCALANCE S (VPN server) and a mobile client using a dynamic IP address
Overview
[Figure 3-11: network diagram. Labels: Internet Router, SCALANCE S, VPN Client, VPN Server, Automation Cell, VPN Tunnel, Industrial Ethernet, Dynamic WAN IP Address, SIMATIC S7 Stations, Smartphone with IPSec Client App.]

Table 3-12
VPN server | VPN client | Access type
SCALANCE S | Mobile client | Dynamic IP address

Requirements
- Dynamic public IP address for the Internet router of the VPN server (use of the DDNS providers dyndns.org or no-ip.org).
- Internet router with port forwarding functionality (on the VPN server side).
- Mobile network operator's default APN (on the VPN client side).
- Smartphone with IPSec Client app and Android operating system (on the VPN client side).

Link to the configuration description: In progress
3.3 PPPoE
3.3.1 VPN tunnel between SCALANCE S (VPN server) and SCALANCE S using PPPoE
Overview
[Figure 3-12: network diagram. Labels: SCALANCE S (twice), Service PC, Internet Modem/Router, VPN Server, VPN Client, VPN Tunnel, Industrial Ethernet, Internet Modem, SIMATIC S7 Stations, Automation Cell.]

Table 3-13
VPN server | VPN client | Access type
SCALANCE S | SCALANCE S | PPPoE

Requirements
- SCALANCE S version 3 or higher (VPN server).
- Dynamic use of the DDNS providers dyndns.org or no-ip.org (VPN client: SCALANCE S (firmware version V4 or higher)) or static public IP address for the Internet modem.
- Standard Internet modem (on the VPN server side).
- Standard Internet modem, router or UMTS router, for example SCALANCE M873 (on the VPN client side).

Link to the configuration description: In progress
3.3.2 VPN tunnel between SCALANCE S (VPN server) and SCALANCE M81x-1 using PPPoE
Overview
[Figure 3-13: network diagram. Labels: SCALANCE S, Service PC, VPN Server, VPN Tunnel, Industrial Ethernet, SCALANCE M81x-1, VPN Client, Automation Cell, SIMATIC S7 Stations, Internet Modem.]

Table 3-14
VPN server | VPN client | Access type
SCALANCE S | SCALANCE M81x-1 | PPPoE

Requirements
- SCALANCE S version 3 or higher (VPN server).
- Dynamic (use of the DDNS providers dyndns.org or no-ip.org) or static public IP address for the Internet modem of the VPN server.
- Standard Internet modem (on the VPN server side).

Link to the configuration description: In progress
3.3.3 VPN tunnel between SCALANCE S (VPN server) and SOFTNET Security Client using PPPoE
Overview
[Figure 3-14: network diagram. Labels: Internet Modem/Router, Internet Modem, SCALANCE S, VPN Server, SIMATIC S7 Stations, VPN Tunnel, Industrial Ethernet, Service PC with SOFTNET Security Client (SSC), VPN Client, Automation Cell.]

Table 3-15
VPN server | VPN client | Access type
SCALANCE S | SOFTNET Security Client | PPPoE

Requirements
- SCALANCE S version 3 or higher (VPN server).
- Dynamic (use of the DDNS providers dyndns.org or no-ip.org) or static public IP address for the Internet modem of the VPN server.
- Standard Internet modem (on the VPN server side).
- Standard Internet modem, router or UMTS router, for example SCALANCE M873 (on the VPN client side).

Link to the configuration description: In progress
3.3.4 VPN tunnel between SCALANCE S (VPN server) and CP x43-1 Advanced using PPPoE
Overview
[Figure 3-15: network diagram. Labels: VPN Client, SIMATIC S7-300 or S7-400 with CP x43-1 Advanced, SCALANCE S, Service PC, Internet Modem/Router, VPN Server, VPN Tunnel, Industrial Ethernet, Static WAN IP Address, Internet Modem, Automation Cell.]

Table 3-16
VPN server | VPN client | Access type
SCALANCE S | CP x43-1 Advanced | PPPoE

Requirements
- SCALANCE S version 3 or higher (VPN server).
- Static public IP address for the Internet modem of the VPN server.
- Standard Internet modem (on the VPN server side).
- Standard Internet modem, router or UMTS router, for example SCALANCE M873 (on the VPN client side).

Link to the configuration description: In progress
3.3.5 VPN tunnel between SCALANCE S (VPN server) and SCALANCE M874-x using PPPoE
Overview
[Figure 3-16: network diagram. Labels: SCALANCE S, Service PC, VPN Tunnel, Industrial Ethernet, Internet Modem, VPN Client, SCALANCE M874-x, VPN Server, Automation Cell, SIMATIC S7 Stations.]

Table 3-17
VPN server | VPN client | Access type
SCALANCE S | SCALANCE M874-x | PPPoE

Requirements
- SCALANCE S version 3 or higher (VPN server).
- Dynamic (use of the DDNS providers dyndns.org or no-ip.org) or static public IP address for the Internet modem of the VPN server.
- Standard Internet modem (on the VPN server side).
- Mobile network operator's default APN (on the VPN client side).

Link to the configuration description: In progress
3.3.6 VPN tunnel between SCALANCE S (VPN server) and a mobile client using PPPoE
Overview
[Figure 3-17: network diagram. Labels: SCALANCE S, VPN Client, VPN Server, Automation Cell, VPN Tunnel, Industrial Ethernet, SIMATIC S7 Stations, Smartphone with IPSec Client App, Internet Modem.]

Table 3-18
VPN server | VPN client | Access type
SCALANCE S | Mobile client | PPPoE

Requirements
- SCALANCE S version 3 or higher (VPN server).
- Dynamic (use of the DDNS providers dyndns.org or no-ip.org) or static public IP address for the Internet modem of the VPN server.
- Standard Internet modem (on the VPN server side).
- Mobile network operator's default APN (on the VPN client side).
- Smartphone with IPSec Client app and Android operating system (on the VPN client side).

Link to the configuration description: In progress
4 SCALANCE M874-x
This chapter describes the configurations in which the SCALANCE M874-x is configured as the VPN server. This group is marked in light red.

Table 4-1
VPN server | VPN client | Access type
SCALANCE M874-x | VPN remote end | Static IP address, Dynamic IP address

Characteristics
- The plant with the SCALANCE M874-x as the VPN server can be both stationary and mobile.
- A static or dynamic public IP address can be used for the SCALANCE M874-x.
- Up to 10 VPN tunnels can be established simultaneously; therefore, multiple secure connections can run simultaneously and independently of one another.
- A service employee or plant on the VPN client side can establish the VPN tunnel only when necessary; a permanently established tunnel connection is not necessary.
4.1 Static IP address
4.1.1 VPN tunnel between SCALANCE M874-x (VPN server) and SCALANCE M81x-1 using a static IP address
Overview
[Figure 4-1: network diagram. Labels: Service PC, VPN Client, VPN Tunnel, Industrial Ethernet, SCALANCE M81x-1, Static WAN IP Address, SCALANCE M874-x, VPN Server, Automation Cell, SIMATIC S7 Stations.]

Table 4-2
VPN server | VPN client | Access type
SCALANCE M874-x | SCALANCE M81x-1 | Static IP address

Requirements
- Static public IP address from the mobile network operator that can also be accessed from the Internet (on the VPN server side).
- Mobile network operator's default APN (on the VPN server side).

Link to the configuration description: In progress
4.1.2 VPN tunnel between SCALANCE M874-x (VPN server) and SOFTNET Security Client using a static IP address
Overview
[Figure 4-2: network diagram. Labels: VPN Tunnel, Industrial Ethernet, Internet Modem/Router, Static WAN IP Address, Service PC with SOFTNET Security Client (SSC), VPN Client, SCALANCE M874-x, VPN Server, Automation Cell, SIMATIC S7 Stations.]

Table 4-3
VPN server | VPN client | Access type
SCALANCE M874-x | SOFTNET Security Client | Static IP address

Requirements
- Static public IP address from the mobile network operator that can also be accessed from the Internet (on the VPN server side).
- Mobile network operator's default APN (on the VPN server side).
- Standard Internet modem, router or UMTS router, for example SCALANCE M873 (on the VPN client side).

Link to the configuration description: In progress
4.1.3 VPN tunnel between SCALANCE M874-x (VPN server) and CP x43-1 Advanced using a static IP address
Overview
[Figure 4-3: network diagram. Labels: VPN Client, SIMATIC S7-300 or S7-400 with CP x43-1 Advanced, Internet Modem/Router, Automation Cell, Service PC, VPN Server, VPN Tunnel, Industrial Ethernet, Static WAN IP Address, SCALANCE M874-x.]

Table 4-4
VPN server | VPN client | Access type
SCALANCE M874-x | CP x43-1 Advanced | Static IP address

Requirements
- Static public IP address from the mobile network operator that can also be accessed from the Internet (on the VPN server side).
- Mobile network operator's default APN (on the VPN server side).
- Standard Internet modem, router or UMTS router, for example SCALANCE M873 (on the VPN client side).

Link to the configuration description: In progress
4.1.4 VPN tunnel between SCALANCE M874-x (VPN server) and CP 1x43-1 using a static IP address
Overview
[Figure 4-4: network diagram. Labels: Internet Modem/Router, Service PC, VPN Server, VPN Tunnel, Industrial Ethernet, Static WAN IP Address, SCALANCE M874-x, VPN Client, Automation Cell, SIMATIC S7-1200 or S7-1500 with CP 1x43-1.]

Table 4-5
VPN server | VPN client | Access type
SCALANCE M874-x | CP 1x43-1 | Static IP address

Requirements
- Static public IP address from the mobile network operator that can also be accessed from the Internet (on the VPN server side).
- Mobile network operator's default APN (on the VPN server side).
- Standard Internet modem, router or UMTS router, for example SCALANCE M873 (on the VPN client side).

Link to the configuration description: In progress
4.1.5 VPN tunnel between SCALANCE M874-x (VPN server) and SCALANCE M874-x using a static IP address
Overview
[Figure 4-5: network diagram. Labels: Service PC, VPN Server, VPN Tunnel, Industrial Ethernet, Static WAN IP Address, SCALANCE M874-x (twice), VPN Client, Automation Cell, SIMATIC S7 Stations.]

Table 4-6
VPN server | VPN client | Access type
SCALANCE M874-x | SCALANCE M874-x | Static IP address

Requirements
- Static public IP address from the mobile network operator that can also be accessed from the Internet (on the VPN server side).
- Mobile to mobile communication (depending on the mobile network operator).

Link to the configuration description: In progress
4.1.6 VPN tunnel between SCALANCE M874-x (VPN server) and a mobile client using a static IP address
Overview
[Figure 4-6: network diagram. Labels: VPN Client, Automation Cell, VPN Tunnel, Industrial Ethernet, SIMATIC S7 Stations, Smartphone with IPSec Client App, Static WAN IP Address, SCALANCE M874-x, VPN Server.]

Table 4-7
VPN server | VPN client | Access type
SCALANCE M874-x | Mobile client | Static IP address

Requirements
- Static public IP address from the mobile network operator that can also be accessed from the Internet (on the VPN server side).
- Mobile to mobile communication (depending on the mobile network operator).
- Smartphone with IPSec Client app and Android operating system (on the VPN client side).

Link to the configuration description: In progress
4.2 Dynamic IP address
4.2.1 VPN tunnel between SCALANCE M874-x (VPN server) and SCALANCE M81x-1 using a dynamic IP address
Overview
[Figure 4-7: network diagram. Labels: Service PC, VPN Client, VPN Tunnel, Industrial Ethernet, SCALANCE M81x-1, Dynamic WAN IP Address, SCALANCE M874-x, VPN Server, Automation Cell, SIMATIC S7 Stations.]

Table 4-8
VPN server | VPN client | Access type
SCALANCE M874-x | SCALANCE M81x-1 | Dynamic IP address

Requirements
- Dynamic public IP address from the mobile network operator for the VPN server (use of the DDNS providers dyndns.org or no-ip.org).
- Mobile network operator's default APN (on the VPN server side).

Link to the configuration description: In progress
4.2.2 VPN tunnel between SCALANCE M874-x (VPN server) and SOFTNET Security Client using a dynamic IP address
Overview
[Figure 4-8: network diagram. Labels: VPN Tunnel, Industrial Ethernet, Internet Modem/Router, Dynamic WAN IP Address, Service PC with SOFTNET Security Client (SSC), VPN Client, SCALANCE M874-x, VPN Server, Automation Cell, SIMATIC S7 Stations.]

Table 4-9
VPN server | VPN client | Access type
SCALANCE M874-x | SOFTNET Security Client | Dynamic IP address

Requirements
- Dynamic public IP address from the mobile network operator for the VPN server (use of the DDNS providers dyndns.org or no-ip.org).
- Mobile network operator's default APN (on the VPN server side).
- Standard Internet modem, router or UMTS router, for example SCALANCE M873 (on the VPN client side).

Link to the configuration description: In progress
4.2.3 VPN tunnel between SCALANCE M874-x (VPN server) and SCALANCE M874-x using a dynamic IP address
Overview
[Figure 4-9: network diagram. Labels: Service PC, VPN Server, VPN Tunnel, Industrial Ethernet, Dynamic WAN IP Address, SCALANCE M874-x (twice), VPN Client, Automation Cell, SIMATIC S7 Stations.]

Table 4-10
VPN server | VPN client | Access type
SCALANCE M874-x | SCALANCE M874-x | Dynamic IP address

Requirements
- Dynamic public IP address from the mobile network operator for the VPN server (use of the DDNS providers dyndns.org or no-ip.org).
- Mobile to mobile communication (depending on the mobile network operator).

Link to the configuration description: In progress
4.2.4 VPN tunnel between SCALANCE M874-x (VPN server) and a mobile client using a dynamic IP address
Overview
[Figure 4-10: network diagram. Labels: VPN Client, Automation Cell, VPN Tunnel, Industrial Ethernet, SIMATIC S7 Stations, Smartphone with IPSec Client App, Dynamic WAN IP Address, SCALANCE M874-x, VPN Server.]

Table 4-11
VPN server | VPN client | Access type
SCALANCE M874-x | Mobile client | Dynamic IP address

Requirements
- Dynamic public IP address from the mobile network operator for the VPN server (use of the DDNS providers dyndns.org or no-ip.org).
- Mobile to mobile communication (depending on the mobile network operator).
- Smartphone with IPSec Client app and Android operating system (on the VPN client side).

Link to the configuration description: In progress
5 SCALANCE M81x-1
This chapter describes the configurations in which the SCALANCE M81x-1 is configured as the VPN server. This group is marked in light green.

Table 5-1
VPN server | VPN client | Access type
SCALANCE M81x-1 | VPN remote end | Static IP address, Dynamic IP address

Characteristics
- The DSL router and VPN server settings are made directly in the SCALANCE M81x-1; a separate DSL router is not required.
- A static or dynamic public IP address can be used for the SCALANCE M81x-1.
- Up to 20 VPN tunnels can be established simultaneously; therefore, multiple secure connections can run simultaneously and independently of one another.
- A service employee or plant on the VPN client side can establish the VPN tunnel only when necessary; a permanently established tunnel connection is not necessary.
5.1 Static IP address
5.1.1 VPN tunnel between SCALANCE M81x-1 (VPN server) and SCALANCE M81x-1 using a static IP address
Overview
[Figure 5-1: network diagram. Labels: Service PC, VPN Server, VPN Tunnel, Industrial Ethernet, Static WAN IP Address, SCALANCE M81x-1 (twice), VPN Client, Automation Cell, SIMATIC S7 Stations.]

Table 5-2
VPN server | VPN client | Access type
SCALANCE M81x-1 | SCALANCE M81x-1 | Static IP address

Requirements
- Static public IP address for the VPN server.

Link to the configuration description: In progress
5.1.2 VPN tunnel between SCALANCE M81x-1 (VPN server) and SOFTNET Security Client using a static IP address
Overview
[Figure 5-2: network diagram. Labels: VPN Tunnel, Industrial Ethernet, Internet Modem/Router, Static WAN IP Address, Service PC with SOFTNET Security Client (SSC), VPN Client, SCALANCE M81x-1, VPN Server, Automation Cell, SIMATIC S7 Stations.]

Table 5-3
VPN server | VPN client | Access type
SCALANCE M81x-1 | SOFTNET Security Client | Static IP address

Requirements
- Static public IP address for the VPN server.
- Standard Internet modem, router or UMTS router, for example SCALANCE M873 (on the VPN client side).

Link to the configuration description: In progress
5.1.3 VPN tunnel between SCALANCE M81x-1 (VPN server) and CP x43-1 Advanced using a static IP address
Overview
[Figure 5-3: network diagram. Labels: VPN Client, SIMATIC S7-300 or S7-400 with CP x43-1 Advanced, Internet Modem/Router, Automation Cell, Service PC, VPN Server, VPN Tunnel, Industrial Ethernet, Static WAN IP Address, SCALANCE M81x-1.]

Table 5-4
VPN server | VPN client | Access type
SCALANCE M81x-1 | CP x43-1 Advanced | Static IP address

Requirements
- Static public IP address for the VPN server.
- Standard Internet modem, router or UMTS router, for example SCALANCE M873 (on the VPN client side).

Link to the configuration description: In progress
5.1.4 VPN tunnel between SCALANCE M81x-1 (VPN server) and CP 1x43-1 using a static IP address
Overview
[Figure 5-4: network diagram. Labels: Internet Modem/Router, Service PC, VPN Server, VPN Tunnel, Industrial Ethernet, Static WAN IP Address, SCALANCE M81x-1, VPN Client, Automation Cell, SIMATIC S7-1200 or S7-1500 with CP 1x43-1.]

Table 5-5
VPN server | VPN client | Access type
SCALANCE M81x-1 | CP 1x43-1 | Static IP address

Requirements
- Static public IP address for the VPN server.
- Standard Internet modem, router or UMTS router, for example SCALANCE M873 (on the VPN client side).

Link to the configuration description: In progress
5.1.5 VPN tunnel between SCALANCE M81x-1 (VPN server) and SCALANCE M874-x using a static IP address
Overview
[Figure 5-5: network diagram. Labels: Service PC, VPN Server, VPN Tunnel, Industrial Ethernet, Static WAN IP Address, SCALANCE M874-x, VPN Client, Automation Cell, SCALANCE M81x-1, SIMATIC S7 Stations.]

Table 5-6
VPN server | VPN client | Access type
SCALANCE M81x-1 | SCALANCE M874-x | Static IP address

Requirements
- Static public IP address for the VPN server.
- Mobile network operator's default APN (on the VPN client side).

Link to the configuration description: In progress
5.1.6 VPN tunnel between SCALANCE M81x-1 (VPN server) and a mobile client using a static IP address
Overview
[Figure 5-6: network diagram. Labels: VPN Client, VPN Tunnel, Industrial Ethernet, Smartphone with IPSec Client App, Static WAN IP Address, SCALANCE M81x-1, VPN Server, Automation Cell, SIMATIC S7 Stations.]

Table 5-7
VPN server | VPN client | Access type
SCALANCE M81x-1 | Mobile client | Static IP address

Requirements
- Static public IP address for the VPN server.
- Mobile network operator's default APN (on the VPN client side).
- Smartphone with IPSec Client app and Android operating system (on the VPN client side).

Link to the configuration description: In progress
5.2 Dynamic IP address
5.2.1 VPN tunnel between SCALANCE M81x-1 (VPN server) and SCALANCE M81x-1 using a dynamic IP address
Overview
[Figure 5-7: network diagram. Labels: Service PC, VPN Server, VPN Tunnel, Industrial Ethernet, Dynamic WAN IP Address, SCALANCE M81x-1 (twice), VPN Client, Automation Cell, SIMATIC S7 Stations.]

Table 5-8
VPN server | VPN client | Access type
SCALANCE M81x-1 | SCALANCE M81x-1 | Dynamic IP address

Requirements
- Dynamic public IP address for the VPN server (use of the DDNS providers dyndns.org or no-ip.org).

Link to the configuration description: In progress
5.2.2 VPN tunnel between SCALANCE M81x-1 (VPN server) and SOFTNET Security Client using a dynamic IP address
Overview
[Figure 5-8: network diagram. Labels: VPN Tunnel, Industrial Ethernet, Internet Modem/Router, Dynamic WAN IP Address, Service PC with SOFTNET Security Client (SSC), VPN Client, SCALANCE M81x-1, VPN Server, Automation Cell, SIMATIC S7 Stations.]

Table 5-9
VPN server | VPN client | Access type
SCALANCE M81x-1 | SOFTNET Security Client | Dynamic IP address

Requirements
- Dynamic public IP address for the VPN server (use of the DDNS providers dyndns.org or no-ip.org).
- Standard Internet modem, router or UMTS router, for example SCALANCE M873 (on the VPN client side).

Link to the configuration description: In progress
5.2.3 VPN tunnel between SCALANCE M81x-1 (VPN server) and SCALANCE M874-x using a dynamic IP address
Overview
[Figure 5-9: network diagram. Labels: Service PC, VPN Server, VPN Tunnel, Industrial Ethernet, Dynamic WAN IP Address, SCALANCE M874-x, VPN Client, Automation Cell, SCALANCE M81x-1, SIMATIC S7 Stations.]

Table 5-10
VPN server | VPN client | Access type
SCALANCE M81x-1 | SCALANCE M874-x | Dynamic IP address

Requirements
- Dynamic public IP address for the VPN server (use of the DDNS providers dyndns.org or no-ip.org).
- Mobile network operator's default APN (on the VPN client side).

Link to the configuration description: In progress
5.2.4 VPN tunnel between SCALANCE M81x-1 (VPN server) and a mobile client using a dynamic IP address
Overview
[Figure 5-10: network diagram. Labels: VPN Client, VPN Tunnel, Industrial Ethernet, Smartphone with IPSec Client App, Dynamic WAN IP Address, SCALANCE M81x-1, VPN Server, Automation Cell, SIMATIC S7 Stations.]

Table 5-11
VPN server | VPN client | Access type
SCALANCE M81x-1 | Mobile client | Dynamic IP address

Requirements
- Dynamic public IP address for the VPN server (use of the DDNS providers dyndns.org or no-ip.org).
- Mobile network operator's default APN (on the VPN client side).
- Smartphone with IPSec Client app and Android operating system (on the VPN server side).

Link to the configuration description: In progress
6 CP x43-1 Advanced
This chapter describes the configurations in which the CP x43-1 Advanced is configured as the VPN server. This group is marked in dark blue.

Table 6-1
VPN server | VPN client | Access type
CP x43-1 Advanced | VPN remote end | Static IP address, Dynamic IP address

Characteristics
- The firewall, VPN server and communication settings are made directly in the CP x43-1 Advanced; the security functions are integrated in the communications processor.
- A static or dynamic public IP address can be used for the DSL router on the VPN server side.
6.1 Static IP address
6.1.1 VPN tunnel between CP x43-1 Advanced (VPN server) and SCALANCE S using a static IP address
Overview
Figure 6-1 (diagram; labels: SCALANCE S, Service PC, VPN Client, VPN Tunnel, Industrial Ethernet, Internet Modem/Router, VPN Server, SIMATIC S7-300 or S7-400 with CP x43-1 Advanced, Automation Cell, Internet Router, Static WAN IP Address)
Table 6-2
VPN server | VPN client | Access type
CP x43-1 Advanced | SCALANCE S | Static IP address
Requirements
- Static public IP address for the Internet router of the VPN server.
- Internet router with port forwarding functionality (on the VPN server side).
- Standard Internet modem, router or UMTS router, for example SCALANCE M873 (on the VPN client side).
Link to the configuration description: http://support.automation.siemens.com/WW/view/en/108910593
6.1.2 VPN tunnel between CP x43-1 Advanced (VPN server) and SCALANCE M81x-1 using a static IP address
Overview
Figure 6-2 (diagram; labels: VPN Server, SIMATIC S7-300 or S7-400 with CP x43-1 Advanced, Automation Cell, Service PC, VPN Client, VPN Tunnel, Industrial Ethernet, Internet Router, Static WAN IP Address, SCALANCE M81x-1)
Table 6-3
VPN server | VPN client | Access type
CP x43-1 Advanced | SCALANCE M874-x | Static IP address
Requirements
- Static public IP address for the Internet router of the VPN server.
- Internet router with port forwarding functionality (on the VPN server side).
Link to the configuration description: http://support.automation.siemens.com/WW/view/en/108910139
6.1.3 VPN tunnel between CP x43-1 Advanced (VPN server) and SOFTNET Security Client using a static IP address
Overview
Figure 6-3 (diagram; labels: VPN Tunnel, Industrial Ethernet, VPN Client, Internet Modem/Router, Service PC with SOFTNET Security Client, SSC, VPN Server, SIMATIC S7-300 or S7-400 with CP x43-1 Advanced, Automation Cell, Internet Router, Static WAN IP Address)
Table 6-4
VPN server | VPN client | Access type
CP x43-1 Advanced | SOFTNET Security Client | Static IP address
Requirements
- Static public IP address for the Internet router of the VPN server.
- Internet router with port forwarding functionality (on the VPN server side).
- Standard Internet modem, router or UMTS router, for example SCALANCE M873 (on the VPN client side).
Link to the configuration description: http://support.automation.siemens.com/WW/view/en/108910602
6.1.4 VPN tunnel between CP x43-1 Advanced (VPN server) and CP x43-1 Advanced using a static IP address
Overview
Figure 6-4 (diagram; labels: VPN Client, SIMATIC S7-300 or S7-400 with CP x43-1 Advanced, Internet Modem/Router, Automation Cell B, VPN Tunnel, Industrial Ethernet, Static WAN IP Address, Internet Router, VPN Server, SIMATIC S7-300 or S7-400 with CP x43-1 Advanced, Automation Cell A)
Table 6-5
VPN server | VPN client | Access type
CP x43-1 Advanced | CP x43-1 Advanced | Static IP address
Requirements
- Static public IP address for the Internet router of the VPN server.
- Internet router with port forwarding functionality (on the VPN server side).
- Standard Internet modem, router or UMTS router, for example SCALANCE M873 (on the VPN client side).
Link to the configuration description: http://support.automation.siemens.com/WW/view/en/108910347
6.1.5 VPN tunnel between CP x43-1 Advanced (VPN server) and SCALANCE M874-x using a static IP address
Overview
Figure 6-5 (diagram; labels: VPN Server, SIMATIC S7-300 or S7-400 with CP x43-1 Advanced, Automation Cell, Service PC, VPN Client, VPN Tunnel, Industrial Ethernet, SCALANCE M874-x, Internet Router, Static WAN IP Address)
Table 6-6
VPN server | VPN client | Access type
CP x43-1 Advanced | SCALANCE M874-x | Static IP address
Requirements
- Static public IP address for the Internet router of the VPN server.
- Internet router with port forwarding functionality (on the VPN server side).
- Mobile network operator's default APN (on the VPN client side).
Link to the configuration description: http://support.automation.siemens.com/WW/view/en/108913753
6.1.6 VPN tunnel between CP x43-1 Advanced (VPN server) and a mobile client using a static IP address
Overview
Figure 6-6 (diagram; labels: VPN Tunnel, Industrial Ethernet, VPN Client, Smartphone with IPSec Client App, VPN Server, SIMATIC S7-300 or S7-400 with CP x43-1 Advanced, Automation Cell, Internet Router, Static WAN IP Address)
Table 6-7
VPN server | VPN client | Access type
CP x43-1 Advanced | Mobile client | Static IP address
Requirements
- Static public IP address for the Internet router of the VPN server.
- Internet router with port forwarding functionality (on the VPN server side).
- Mobile network operator's default APN (on the VPN client side).
- Smartphone with IPSec Client app and Android operating system (on the VPN client side).
Link to the configuration description: http://support.automation.siemens.com/WW/view/en/108909919
6.2 Dynamic IP address
6.2.1 VPN tunnel between CP x43-1 Advanced (VPN server) and SOFTNET Security Client using a dynamic IP address
Overview
Figure 6-7 (diagram; labels: VPN Tunnel, Industrial Ethernet, VPN Client, Internet Modem/Router, Service PC with SOFTNET Security Client, SSC, VPN Server, SIMATIC S7-300 or S7-400 with CP x43-1 Advanced, Automation Cell, Internet Router, Dynamic WAN IP Address)
Table 6-8
VPN server | VPN client | Access type
CP x43-1 Advanced | SOFTNET Security Client | Dynamic IP address
Requirements
- Dynamic public IP address for the Internet router of the VPN server (use of the DDNS providers dyndns.org or no-ip.org).
- Internet router with port forwarding functionality (on the VPN server side).
- Standard Internet modem, router or UMTS router, for example SCALANCE M873 (on the VPN client side).
Link to the configuration description: In progress
6.2.2 VPN tunnel between CP x43-1 Advanced (VPN server) and SCALANCE M81x-1 using a dynamic IP address
Overview
Figure 6-8 (diagram; labels: VPN Server, SIMATIC S7-300 or S7-400 with CP x43-1 Advanced, Automation Cell, Service PC, VPN Client, VPN Tunnel, Industrial Ethernet, Internet Router, Dynamic WAN IP Address, SCALANCE M81x-1)
Table 6-9
VPN server | VPN client | Access type
CP x43-1 Advanced | SCALANCE M874-x | Dynamic IP address
Requirements
- Dynamic public IP address for the Internet router of the VPN server (use of the DDNS providers dyndns.org or no-ip.org).
- Internet router with port forwarding functionality (on the VPN server side).
Link to the configuration description: In progress
6.2.3 VPN tunnel between CP x43-1 Advanced (VPN server) and SCALANCE M874-x using a dynamic IP address
Overview
Figure 6-9 (diagram; labels: VPN Server, SIMATIC S7-300 or S7-400 with CP x43-1 Advanced, Automation Cell, Service PC, VPN Client, VPN Tunnel, Industrial Ethernet, SCALANCE M874-x, Internet Router, Dynamic WAN IP Address)
Table 6-10
VPN server | VPN client | Access type
CP x43-1 Advanced | SCALANCE M874-x | Dynamic IP address
Requirements
- Dynamic public IP address for the Internet router of the VPN server (use of the DDNS providers dyndns.org or no-ip.org).
- Internet router with port forwarding functionality (on the VPN server side).
- Mobile network operator's default APN
Link to the configuration description: In progress
6.2.4 VPN tunnel between CP x43-1 Advanced (VPN server) and a mobile client using a dynamic IP address
Overview
Figure 6-10 (diagram; labels: VPN Tunnel, Industrial Ethernet, VPN Client, Smartphone with IPSec Client App, VPN Server, SIMATIC S7-300 or S7-400 with CP x43-1 Advanced, Automation Cell, Internet Router, Dynamic WAN IP Address)
Table 6-11
VPN server | VPN client | Access type
CP x43-1 Advanced | Mobile client | Dynamic IP address
Requirements
- Dynamic public IP address for the Internet router of the VPN server (use of the DDNS providers dyndns.org or no-ip.org).
- Internet router with port forwarding functionality (on the VPN server side).
- Mobile network operator's default APN (on the VPN client side).
- Smartphone with IPSec Client app and Android operating system (on the VPN client side).
Link to the configuration description: In progress
7 CP 1x43-1
This chapter describes the configurations in which the CP 1x43-1 is configured as the VPN server. This group is marked in gray.
Table 7-1
VPN server | VPN client | Access type
CP 1x43-1 | VPN remote end | Static IP address; Dynamic IP address
Characteristics
- The firewall, VPN server and communication settings are made directly in the CP 1x43-1; the security functions are integrated in the communications processor.
- A static or dynamic public IP address can be used for the DSL router on the VPN server side.
7.1 Static IP address
7.1.1 VPN tunnel between CP 1x43-1 (VPN server) and SCALANCE S using a static IP address
Overview
Figure 7-1 (diagram; labels: SCALANCE S, Service PC, VPN Client, VPN Tunnel, Industrial Ethernet, Internet Modem/Router, Internet Router, Static WAN IP Address, VPN Server, Automation Cell, SIMATIC S7-1200 or S7-1500 with CP 1x43-1)
Table 7-2
VPN server | VPN client | Access type
CP 1x43-1 | SCALANCE S | Static IP address
Requirements
- Static public IP address for the Internet router of the VPN server.
- Internet router with port forwarding functionality (on the VPN server side).
- Standard Internet modem, router or UMTS router, for example SCALANCE M873 (on the VPN client side).
Link to the configuration description: In progress
7.1.2 VPN tunnel between CP 1x43-1 (VPN server) and SCALANCE M81x-1 using a static IP address
Overview
Figure 7-2 (diagram; labels: Service PC, VPN Client, VPN Tunnel, Industrial Ethernet, Internet Router, Static WAN IP Address, VPN Server, Automation Cell, SIMATIC S7-1200 or S7-1500 with CP 1x43-1, SCALANCE M81x-1)
Table 7-3
VPN server | VPN client | Access type
CP 1x43-1 | SCALANCE M81x-1 | Static IP address
Requirements
- Static public IP address for the Internet router of the VPN server.
- Internet router with port forwarding functionality (on the VPN server side).
Link to the configuration description: In progress
7.1.3 VPN tunnel between CP 1x43-1 (VPN server) and SOFTNET Security Client using a static IP address
Overview
Figure 7-3 (diagram; labels: VPN Tunnel, Industrial Ethernet, VPN Client, Internet Modem/Router, Service PC with SOFTNET Security Client, SSC, Internet Router, Static WAN IP Address, VPN Server, Automation Cell, SIMATIC S7-1200 or S7-1500 with CP 1x43-1)
Table 7-4
VPN server | VPN client | Access type
CP 1x43-1 | SOFTNET Security Client | Static IP address
Requirements
- Static public IP address for the Internet router of the VPN server.
- Internet router with port forwarding functionality (on the VPN server side).
- Standard Internet modem, router or UMTS router, for example SCALANCE M873 (on the VPN client side).
Link to the configuration description: In progress
7.1.4 VPN tunnel between CP 1x43-1 (VPN server) and CP x43-1 Advanced using a static IP address
Overview
Figure 7-4 (diagram; labels: VPN Client, SIMATIC S7-300 or S7-400 with CP x43-1 Advanced, Internet Modem/Router, Automation Cell B, VPN Tunnel, Industrial Ethernet, Static WAN IP Address, Internet Router, VPN Server, Automation Cell A, SIMATIC S7-1200 or S7-1500 with CP 1x43-1)
Table 7-5
VPN server | VPN client | Access type
CP 1x43-1 | CP x43-1 Advanced | Static IP address
Requirements
- Static public IP address for the Internet router of the VPN server.
- Internet router with port forwarding functionality (on the VPN server side).
- Standard Internet modem, router or UMTS router, for example SCALANCE M873 (on the VPN client side).
Link to the configuration description: In progress
7.1.5 VPN tunnel between CP 1x43-1 (VPN server) and CP 1x43-1 using a static IP address
Overview
Figure 7-5 (diagram; labels: VPN Tunnel, Industrial Ethernet, Static WAN IP Address, Internet Router, VPN Server, Automation Cell A, SIMATIC S7-1200 or S7-1500 with CP 1x43-1, VPN Client, Internet Modem/Router, Automation Cell B, SIMATIC S7-1200 or S7-1500 with CP 1x43-1)
Table 7-6
VPN server | VPN client | Access type
CP 1x43-1 | CP 1x43-1 | Static IP address
Requirements
- Static public IP address for the Internet router of the VPN server.
- Internet router with port forwarding functionality (on the VPN server side).
- Standard Internet modem, router or UMTS router, for example SCALANCE M873 (on the VPN client side).
Link to the configuration description: In progress
7.1.6 VPN tunnel between CP 1x43-1 (VPN server) and SCALANCE M874-x using a static IP address
Overview
Figure 7-6 (diagram; labels: Service PC, VPN Client, VPN Tunnel, Industrial Ethernet, SCALANCE M874-x, Internet Router, Static WAN IP Address, VPN Server, Automation Cell, SIMATIC S7-1200 or S7-1500 with CP 1x43-1)
Table 7-7
VPN server | VPN client | Access type
CP 1x43-1 | SCALANCE M874-x | Static IP address
Requirements
- Static public IP address for the Internet router of the VPN server.
- Internet router with port forwarding functionality (on the VPN server side).
- Mobile network operator's default APN (on the VPN client side).
Link to the configuration description: In progress
7.1.7 VPN tunnel between CP 1x43-1 (VPN server) and a mobile client using a static IP address
Overview
Figure 7-7 (diagram; labels: VPN Tunnel, Industrial Ethernet, VPN Client, Smartphone with IPSec Client App, Internet Router, Static WAN IP Address, VPN Server, Automation Cell, SIMATIC S7-1200 or S7-1500 with CP 1x43-1)
Table 7-8
VPN server | VPN client | Access type
CP 1x43-1 | Mobile client | Static IP address
Requirements
- Static public IP address for the Internet router of the VPN server.
- Internet router with port forwarding functionality (on the VPN server side).
- Mobile network operator's default APN (on the VPN client side).
- Smartphone with IPSec Client app and Android operating system (on the VPN client side).
Link to the configuration description: In progress
7.2 Dynamic IP address
7.2.1 VPN tunnel between CP 1x43-1 (VPN server) and SCALANCE M81x-1 using a dynamic IP address
Overview
Figure 7-8 (diagram; labels: Service PC, VPN Client, VPN Tunnel, Industrial Ethernet, Internet Router, Dynamic WAN IP Address, VPN Server, Automation Cell, SIMATIC S7-1200 or S7-1500 with CP 1x43-1, SCALANCE M81x-1)
Table 7-9
VPN s