http://support.automation.siemens.com/WW/view/de/26662448 Application Description 09/2014 IP-based Remote Networks SCALANCE M, SCALANCE S, CP x43-1 Advanced, CP 1x43-1, TS Adapter IE Advanced

26662448 Remote Networks Overview Doku En


  • Warranty and Liability

    IP-based Remote Networks, Entry ID: 26662448, V2.0, 09/2014

    Siemens AG 2014 All rights reserved

    Note: The Application Examples are not binding and do not claim to be complete regarding the circuits shown, equipping and any eventuality. The Application Examples do not represent customer-specific solutions. They are only intended to provide support for typical applications. You are responsible for ensuring that the described products are used correctly. These Application Examples do not relieve you of the responsibility to use safe practices in application, installation, operation and maintenance. When using these Application Examples, you recognize that we cannot be made liable for any damage/claims beyond the liability clause described. We reserve the right to make changes to these Application Examples at any time without prior notice. If there are any deviations between the recommendations provided in these Application Examples and other Siemens publications (e.g. Catalogs), the contents of the other documents have priority.

    We do not accept any liability for the information contained in this document.

    Any claims against us, based on whatever legal reason, resulting from the use of the examples, information, programs, engineering and performance data etc., described in this Application Example shall be excluded. Such an exclusion shall not apply in the case of mandatory liability, e.g. under the German Product Liability Act ("Produkthaftungsgesetz"), in case of intent, gross negligence, or injury of life, body or health, guarantee for the quality of a product, fraudulent concealment of a deficiency or breach of a condition which goes to the root of the contract ("wesentliche Vertragspflichten"). The damages for a breach of a substantial contractual obligation are, however, limited to the foreseeable damage, typical for the type of contract, except in the event of intent or gross negligence or injury to life, body or health. The above provisions do not imply a change of the burden of proof to your detriment.

    Any form of duplication or distribution of these Application Examples or excerpts hereof is prohibited without the expressed consent of Siemens Industry Sector.

    Security information

    Siemens provides products and solutions with industrial security functions that support the secure operation of plants, solutions, machines, equipment and/or networks. They are important components in a holistic industrial security concept. With this in mind, Siemens' products and solutions undergo continuous development. Siemens recommends strongly that you regularly check for product updates.

    For the secure operation of Siemens products and solutions, it is necessary to take suitable preventive action (e.g. cell protection concept) and integrate each component into a holistic, state-of-the-art industrial security concept. Third-party products that may be in use should also be considered. For more information about industrial security, visit http://www.siemens.com/industrialsecurity.

    To stay informed about product updates as they occur, sign up for a product-specific newsletter. For more information, visit http://support.automation.siemens.com.

  • Table of Contents

    Warranty and Liability
    1 Remarks on this Document
    1.1 Reason and objective
    1.2 Features and benefits
    1.3 Structure of this document
    2 Introduction to Remote Networks
    2.1 Remote networks & industrial security
    2.2 Security Integrated product portfolio
    2.2.1 SCALANCE S
    2.2.2 SOFTNET Security Client
    2.2.3 SCALANCE M-800
    2.2.4 CP x43-1 Advanced
    2.2.5 CP 1x43-1
    2.2.6 CP 1628
    2.2.7 TS Adapter IE Advanced
    3 SCALANCE S
    3.1 Static IP address
    3.1.1 VPN tunnel between SCALANCE S (VPN server) and SCALANCE S using a static IP address
    3.1.2 VPN tunnel between SCALANCE S (VPN server) and SCALANCE M81x-1 using a static IP address
    3.1.3 VPN tunnel between SCALANCE S (VPN server) and SOFTNET Security Client using a static IP address
    3.1.4 VPN tunnel between SCALANCE S (VPN server) and CP x43-1 Advanced using a static IP address
    3.1.5 VPN tunnel between SCALANCE S (VPN server) and SCALANCE M874-x using a static IP address
    3.1.6 VPN tunnel between SCALANCE S (VPN server) and a mobile client using a static IP address
    3.2 Dynamic IP address
    3.2.1 VPN tunnel between SCALANCE S (VPN server) and SCALANCE S using a dynamic IP address
    3.2.2 VPN tunnel between SCALANCE S (VPN server) and SCALANCE M81x-1 using a dynamic IP address
    3.2.3 VPN tunnel between SCALANCE S (VPN server) and SOFTNET Security Client using a dynamic IP address
    3.2.4 VPN tunnel between SCALANCE S (VPN server) and SCALANCE M874-x using a dynamic IP address
    3.2.5 VPN tunnel between SCALANCE S (VPN server) and a mobile client using a dynamic IP address
    3.3 PPPoE
    3.3.1 VPN tunnel between SCALANCE S (VPN server) and SCALANCE S using PPPoE
    3.3.2 VPN tunnel between SCALANCE S (VPN server) and SCALANCE M81x-1 using PPPoE
    3.3.3 VPN tunnel between SCALANCE S (VPN server) and SOFTNET Security Client using PPPoE
    3.3.4 VPN tunnel between SCALANCE S (VPN server) and CP x43-1 Advanced using PPPoE
    3.3.5 VPN tunnel between SCALANCE S (VPN server) and SCALANCE M874-x using PPPoE
    3.3.6 VPN tunnel between SCALANCE S (VPN server) and a mobile client using PPPoE


    4 SCALANCE M874-x
    4.1 Static IP address
    4.1.1 VPN tunnel between SCALANCE M874-x (VPN server) and SCALANCE M81x-1 using a static IP address
    4.1.2 VPN tunnel between SCALANCE M874-x (VPN server) and SOFTNET Security Client using a static IP address
    4.1.3 VPN tunnel between SCALANCE M874-x (VPN server) and CP x43-1 Advanced using a static IP address
    4.1.4 VPN tunnel between SCALANCE M874-x (VPN server) and CP 1x43-1 using a static IP address
    4.1.5 VPN tunnel between SCALANCE M874-x (VPN server) and SCALANCE M874-x using a static IP address
    4.1.6 VPN tunnel between SCALANCE M874-x (VPN server) and a mobile client using a static IP address
    4.2 Dynamic IP address
    4.2.1 VPN tunnel between SCALANCE M874-x (VPN server) and SCALANCE M81x-1 using a dynamic IP address
    4.2.2 VPN tunnel between SCALANCE M874-x (VPN server) and SOFTNET Security Client using a dynamic IP address
    4.2.3 VPN tunnel between SCALANCE M874-x (VPN server) and SCALANCE M874-x using a dynamic IP address
    4.2.4 VPN tunnel between SCALANCE M874-x (VPN server) and a mobile client using a dynamic IP address
    5 SCALANCE M81x-1
    5.1 Static IP address
    5.1.1 VPN tunnel between SCALANCE M81x-1 (VPN server) and SCALANCE M81x-1 using a static IP address
    5.1.2 VPN tunnel between SCALANCE M81x-1 (VPN server) and SOFTNET Security Client using a static IP address
    5.1.3 VPN tunnel between SCALANCE M81x-1 (VPN server) and CP x43-1 Advanced using a static IP address
    5.1.4 VPN tunnel between SCALANCE M81x-1 (VPN server) and CP 1x43-1 using a static IP address
    5.1.5 VPN tunnel between SCALANCE M81x-1 (VPN server) and SCALANCE M874-x using a static IP address
    5.1.6 VPN tunnel between SCALANCE M81x-1 (VPN server) and a mobile client using a static IP address
    5.2 Dynamic IP address
    5.2.1 VPN tunnel between SCALANCE M81x-1 (VPN server) and SCALANCE M81x-1 using a dynamic IP address
    5.2.2 VPN tunnel between SCALANCE M81x-1 (VPN server) and SOFTNET Security Client using a dynamic IP address
    5.2.3 VPN tunnel between SCALANCE M81x-1 (VPN server) and SCALANCE M874-x using a dynamic IP address
    5.2.4 VPN tunnel between SCALANCE M81x-1 (VPN server) and a mobile client using a dynamic IP address
    6 CP x43-1 Advanced
    6.1 Static IP address
    6.1.1 VPN tunnel between CP x43-1 Advanced (VPN server) and SCALANCE S using a static IP address
    6.1.2 VPN tunnel between CP x43-1 Advanced (VPN server) and SCALANCE M81x-1 using a static IP address
    6.1.3 VPN tunnel between CP x43-1 Advanced (VPN server) and SOFTNET Security Client using a static IP address
    6.1.4 VPN tunnel between CP x43-1 Advanced (VPN server) and CP x43-1 Advanced using a static IP address


    6.1.5 VPN tunnel between CP x43-1 Advanced (VPN server) and SCALANCE M874-x using a static IP address
    6.1.6 VPN tunnel between CP x43-1 Advanced (VPN server) and a mobile client using a static IP address
    6.2 Dynamic IP address
    6.2.1 VPN tunnel between CP x43-1 Advanced (VPN server) and SOFTNET Security Client using a dynamic IP address
    6.2.2 VPN tunnel between CP x43-1 Advanced (VPN server) and SCALANCE M81x-1 using a dynamic IP address
    6.2.3 VPN tunnel between CP x43-1 Advanced (VPN server) and SCALANCE M874-x using a dynamic IP address
    6.2.4 VPN tunnel between CP x43-1 Advanced (VPN server) and a mobile client using a dynamic IP address
    7 CP 1x43-1
    7.1 Static IP address
    7.1.1 VPN tunnel between CP 1x43-1 (VPN server) and SCALANCE S using a static IP address
    7.1.2 VPN tunnel between CP 1x43-1 (VPN server) and SCALANCE M81x-1 using a static IP address
    7.1.3 VPN tunnel between CP 1x43-1 (VPN server) and SOFTNET Security Client using a static IP address
    7.1.4 VPN tunnel between CP 1x43-1 (VPN server) and CP x43-1 Advanced using a static IP address
    7.1.5 VPN tunnel between CP 1x43-1 (VPN server) and CP 1x43-1 using a static IP address
    7.1.6 VPN tunnel between CP 1x43-1 (VPN server) and SCALANCE M874-x using a static IP address
    7.1.7 VPN tunnel between CP 1x43-1 (VPN server) and a mobile client using a static IP address
    7.2 Dynamic IP address
    7.2.1 VPN tunnel between CP 1x43-1 (VPN server) and SCALANCE M81x-1 using a dynamic IP address
    7.2.2 VPN tunnel between CP 1x43-1 (VPN server) and SOFTNET Security Client using a dynamic IP address
    7.2.3 VPN tunnel between CP 1x43-1 (VPN server) and SCALANCE M874-x using a dynamic IP address
    7.2.4 VPN tunnel between CP 1x43-1 (VPN server) and a mobile client using a dynamic IP address
    8 TS Adapter IE Advanced
    8.1 VPN tunnel between TS Adapter IE Advanced (VPN server) and Windows SSTP client using a static IP address
    8.2 VPN tunnel between TS Adapter IE Advanced (VPN server) and TIA Portal using a static IP address
    9 References
    10 History

  • 1 Remarks on this Document

    1.1 Reason and objective

    Reason

    Based on the Security Integrated product portfolio, there are numerous different ways of implementing secure communication that are always customized to the application. For the user, looking for the perfect solution involves the following questions:

    • Which solutions are available?
    • What are the differences between the solutions?

    Objective

    The Security Integrated portfolio includes several products that can be combined with each other. This results in a large number of configuration options.

    This document helps you find an optimal solution for secure communication based on VPN.

    1.2 Features and benefits

    Features

    The document has the following features:

    • Clear, compact structure
    • Concisely outlines the contents and provides an overview graphic of the individual configurations
    • Does not describe details; the details are provided in the individual configurations.

    Benefits

    The document offers the following benefits to the reader:

    • Support in planning and configuration
    • Quick finding of information regarding configuration options
    • Short, compact overview of the features
    • Reference to the individual configurations


    1.3 Structure of this document

    Siemens Security Integrated portfolio includes several products that can be combined with each other. This results in a large number of configuration options.

    To present these options in a clear manner, the possible configurations are classified based on specific criteria.

    This document gives you an overview of the configurations with the modules from the Remote Networks portfolio.

    Classification based on SIMATIC dependency

    The VPN solutions with the SCALANCE modules / TS Adapter are independent of SIMATIC, i.e. the application behind the VPN tunnel does not have to be a SIMATIC application. Access to other applications via the SCALANCE modules / TS Adapter is possible as well.

    The VPN solutions with the CPs are SIMATIC-based as a SIMATIC CPU is required to operate the CP. However, these configurations also allow access to non-SIMATIC plant parts via the CP.

    Classification of the configurations

    The possible configurations of an IP-based remote network are divided into groups. The criterion for this subdivision is the module that acts as the VPN server.

    There is a separate group for each module that can be configured as a VPN server. This results in the following subdivision of VPN server groups:

    • SCALANCE S
    • SCALANCE M874
    • SCALANCE M810
    • CP x43-1 Adv.
    • CP 1x43-1
    • CP 1628
    • TS Adapter IE Advanced

    Note: For configuration examples for the CP 1628, use the following link: \10\

    Contents of a group

    A group can in turn consist of multiple configurations. All these configurations have one thing in common: For all configurations, the VPN server is the same security module, specified by the group. They differ in the module used as the VPN client.

    For all possible configurations of a group, Siemens Industry Online Support provides a document with a specific configuration guide for the settings of the VPN modules.

    The figure below shows the subdivision of the configurations.


    Figure 1-1 (graphic not reproduced). Levels shown: overview document "Remote Access (IP-based)"; groups, one per VPN server (SCALANCE S, SCALANCE M874, SCALANCE M810, CP x43-1 Adv., CP 1x43-1, TS Adapter); configurations.

    Configurations that belong to the same group have the same color (e.g., yellow for the SCALANCE S group).

    In the relevant chapter, each configuration is

    • presented homogeneously in an overview graphic,
    • including a list of requirements and
    • the link for the detailed configuration description.

    Then the configurations within the group are sorted by access type.

    • Access using a static public IP address (on the VPN server side)
    • Access using a dynamic public IP address (on the VPN server side)
    • PPPoE (only in the SCALANCE S group)

  • 2 Introduction to Remote Networks

    2.1 Remote networks & industrial security

    Remote networks

    Remote networks are public or private communications infrastructures for covering wide areas or long distances, for example mobile or fixed telephone networks.

    The geographical distribution of automation cells increases the demand for telecontrol (remote control) and teleservice (remote maintenance/diagnostics) in a remote network.

    The comprehensive Remote Networks portfolio from Siemens offers connection to both conventional (dedicated line, telephone) and IP-based infrastructures (e.g., the Internet).

    Applications

    Possible remote access applications in a remote network:

    • Telecontrol: Connection of outstations (remote terminal units - RTUs) distributed over a wide geographical area to one or more central control systems for the purpose of monitoring and control.
    • Teleservice: Data exchange with distant technical systems such as machines, plants and computers for the purpose of error detection, diagnostics, maintenance, repair and optimization.

    Integration into the industrial security concept

    This document focuses on IP-based networks.

    As remote access to the plant is implemented via a public network (e.g., the Internet), protection against data manipulation and spying is particularly important. For this purpose, virtual private networks (VPN) are used.

    VPN

    A VPN is a private network that uses a public network (e.g., the Internet) as a transit network for transmitting data to a private destination network. The private networks and the transit network need not be compatible with one another.

    Although VPN uses the addressing mechanisms of the transit network, it nevertheless uses its own network packets to separate the transport of private data packets from the others. Due to this fact, the private networks appear as a shared, logical (virtual) network.

    VPN routers are required to set up a VPN. The VPN Security Integrated products (VPN routers) from Siemens support IPsec (Internet Protocol Security).

    The TS Adapter IE Advanced uses Microsoft's SSTP (Secure Socket Tunneling Protocol).


    VPN client and VPN server

    Data communication protected using IPsec always starts with negotiating a preliminary Security Association (IKE phase 1) before algorithms, keys, etc. are finally agreed upon in phase 2.

    The tunnel endpoint that actively starts negotiating a Security Association is referred to as the VPN client.

    The remote end that waits for the VPN client is called the VPN server.

    Note: For more information on Internet Security Protocol and the Siemens Security Concept, use the following link: \3\


    2.2 Security Integrated product portfolio

    Through a combination of different security measures such as firewalls and VPN, the security modules protect individual devices or even entire automation cells against:

    • Data espionage
    • Data manipulation
    • Unwanted access

    The figure below shows the remote access cells.

    Figure 2-1 (graphic not reproduced). Labels in the figure: Automation Cells; Service PCs; SSC; SIMATIC S7 Stations; SCALANCE S; SCALANCE M81x-1; SCALANCE M874-x; SIMATIC S7-300 or S7-400 with CP x43-1 Advanced; SIMATIC S7-1200 or S7-1500 with CP 1x43-1; TS Adapter IE Advanced; Smartphone with IPSec Client App; TIA Portal; Windows SSTP; Internet Router.

    To help you in selecting products, the following sections describe the most important features of the respective security modules.


    2.2.1 SCALANCE S

    The security modules of the SCALANCE S family are designed specifically for use in automation but integrate seamlessly with the security structures of the office and IT world. The SCALANCE S612, SCALANCE S623 and SCALANCE S627-2M modules additionally provide the following features:

    • Simultaneous protection of multiple devices by IPsec tunnels (support of up to 128 VPN tunnels at a time).
    • IP addresses are automatically obtained from the Internet service provider using PPPoE; therefore, it is no longer necessary to use a separate DSL router and a DSL modem can be used instead.
    • Use of DNS for VPN tunnels using public dynamic IP addresses from the Internet service provider.
    • User-specific IP firewall to distinguish and differentiate access to specific plant parts.

    Note: For the technical specifications of the SCALANCE S modules, use the following link: \4\

    2.2.2 SOFTNET Security Client

    The SOFTNET Security Client allows programming devices, PCs and notebook computers access to network nodes or automation systems protected by SCALANCE S, SCALANCE M or CPs.

    It is characterized by the following features:

    • Secure access of programming devices or notebook computers to entire automation cells.
    • Easy use on mobile PCs.
    • Non-secure devices can be integrated into the secure data traffic.
    • Supports the DNS client function.

    2.2.3 SCALANCE M-800

    SCALANCE M874

    The SCALANCE M874-3 (HSPA+ router) and SCALANCE M874-2 (GPRS/EDGE router) routers are suited for cellular networks. These modules are characterized by the following features:

    • Simultaneous protection of multiple devices by IPsec tunnels (support of up to 10 VPN tunnels at a time).
    • Broad range of applications; can be used wherever a GPRS/UMTS network is available.
    • Connection of stationary stations and/or mobile stations.
    • Simplicity of connecting local networks by means of IP communication via WAN.
    • User-specific IP firewall to distinguish and differentiate access to specific plant parts.


    Note: For the technical specifications of the SCALANCE M874 modules, use the following link: \5\

    SCALANCE M810

    SCALANCE M812-1 and SCALANCE M816-1 are DSL routers for cost-effective, secure connection of Ethernet-based subnets and programmable controllers to wired telephone or DSL networks. They support ADSL2+ (Asynchronous Digital Subscriber Line).

    These modules are characterized by the following features:

    • Simultaneous protection of multiple devices by IPsec tunnels (support of up to 20 VPN tunnels at a time).
    • VPN and DSL router in a single device; therefore, it is no longer necessary to use a separate DSL router.
    • Broad range of applications due to high bandwidth, performance and speed.
    • Reduced travel expenses and personnel costs due to remote programming and remote diagnostics via wired telephone or DSL networks.
    • User-specific IP firewall to distinguish and differentiate access to specific plant parts.

    Note: For the technical specifications of the SCALANCE M810 modules, use the following link: \6\


    2.2.4 CP x43-1 Advanced

    CP 343-1 Advanced and CP 443-1 Advanced are communications processors for connecting SIMATIC S7 CPUs to PROFINET / Industrial Ethernet networks.

    For the SIMATIC S7-300/S7-400, they are the bridge between the field level and the MES level and integrate seamlessly with the security structures of the office and IT world.

    These modules are characterized by the following features:

    • Firewall, VPN gateway and communications processor in a single device.
    • Protection of S7-300/S7-400 controllers and their lower-level networks by IPsec tunnels (support of up to 32 VPN tunnels at a time).

    Note: For the technical specifications of the CP 343-1 Advanced, use the following link: \7\

    Note: For the technical specifications of the CP 443-1 Advanced, use the following link: \8\

    2.2.5 CP 1x43-1

    The CP 1243-1 communications processor securely connects the SIMATIC S7-1200 controller to Ethernet networks.

    The CP 1543-1 communications processor securely connects the SIMATIC S7-1500 controller to Ethernet networks.

    These modules are characterized by the following features:

    • Firewall, VPN gateway and communications processor in a single device.
    • Protection of S7-1200/S7-1500 controllers and their lower-level networks by IPsec tunnels (support of up to 16 VPN tunnels at a time).

    Note: For the technical specifications of the CP 1243-1, use the following link: \7\

    Note: For the technical specifications of the CP 1543-1, use the following link: \8\


    2.2.6 CP 1628

    CP 1628 is a communications module for securely connecting a PG/PC toIndustrial Ethernet. With a dedicated processor for automation/security tasks, theCP 1628 reduces the host PC's load and provides constant, stable and secure datacommunication.This module is characterized by the following features:x Firewall, VPN gateway and communications processor in a single device.x Simultaneous protection of multiple devices by IPsec tunnels (support of up to

    64 VPN tunnels at a time).

    Note For the technical specifications of the CP 1628, use the following link: \9\

    2.2.7 TS Adapter IE Advanced

    In conjunction with TIA Portal (V12 SP1 or higher), the TS Adapter IE Advanced allows access, through the Internet, to all automation components of a plant (e.g., S7 controllers) that are connected to Industrial Ethernet.

    This module is characterized by the following features:
    - Aside from TIA Portal, no other software or hardware is required to establish the VPN connection (VPN client). [1]
    - Protection of S7 controllers and their lower-level networks by SSTP.

    Note For the technical specifications of the TS Adapter IE Advanced, use the following link: 11

    [1] Internet access and a DSL modem are required to access the Internet.


    3 SCALANCE S

    This chapter describes the configurations in which the SCALANCE S is configured as the VPN server. This group is marked in yellow.

    Table 3-1

    VPN server | VPN client | Access type
    SCALANCE S | VPN remote end | Static IP address; Dynamic IP address; PPPoE

    Characteristics
    - The SCALANCE S can be either behind a DSL router or a DSL modem.
    - A static or dynamic public IP address can be used for the DSL router/modem on the VPN server side.
    - Up to 128 VPN tunnels can be established simultaneously; therefore, multiple secure connections can run simultaneously and independently of one another.
    - A service employee or plant on the VPN client side can establish the VPN tunnel only when necessary; a permanently established tunnel connection is not necessary.
    - Due to the routing function, the networks on the internal and external interface become separate subnets.


    3.1 Static IP address

    3.1.1 VPN tunnel between SCALANCE S (VPN server) and SCALANCE S using a static IP address

    Overview

    Figure 3-1 [network diagram; labels: Service PC, SCALANCE S (VPN client), Internet modem/router, Internet router with static WAN IP address, SCALANCE S (VPN server), automation cell, SIMATIC S7 stations; legend: VPN tunnel, Industrial Ethernet]

    Table 3-2

    VPN server | VPN client | Access type
    SCALANCE S | SCALANCE S | Static IP address

    Requirements
    - Static public IP address for the Internet router of the VPN server
    - Internet router with port forwarding functionality (on the VPN server side)
    - Standard Internet modem, router or UMTS router, for example SCALANCE M873 (on the VPN client side)

    Link to the configuration description:
    http://support.automation.siemens.com/WW/view/en/99681360


    3.1.2 VPN tunnel between SCALANCE S (VPN server) and SCALANCE M81x-1 using a static IP address

    Overview

    Figure 3-2 [network diagram; labels: Service PC, SCALANCE M81x-1 (VPN client), Internet router with static WAN IP address, SCALANCE S (VPN server), automation cell, SIMATIC S7 stations; legend: VPN tunnel, Industrial Ethernet]

    Table 3-3

    VPN server | VPN client | Access type
    SCALANCE S | SCALANCE M81x-1 | Static IP address

    Requirements
    - Static public IP address for the Internet router of the VPN server.
    - Internet router with port forwarding functionality (on the VPN server side).

    Link to the configuration description:
    http://support.automation.siemens.com/WW/view/en/99681595


    3.1.3 VPN tunnel between SCALANCE S (VPN server) and SOFTNET Security Client using a static IP address

    Overview

    Figure 3-3 [network diagram; labels: Service PC with SOFTNET Security Client (SSC, VPN client), Internet modem/router, Internet router with static WAN IP address, SCALANCE S (VPN server), automation cell, SIMATIC S7 stations; legend: VPN tunnel, Industrial Ethernet]

    Table 3-4

    VPN server | VPN client | Access type
    SCALANCE S | SOFTNET Security Client | Static IP address

    Requirements
    - Static public IP address for the Internet router of the VPN server.
    - Internet router with port forwarding functionality (on the VPN server side).
    - Standard Internet modem, router or UMTS router, for example SCALANCE M873 (on the VPN client side).

    Link to the configuration description:
    http://support.automation.siemens.com/WW/view/en/99681083


    3.1.4 VPN tunnel between SCALANCE S (VPN server) and CP x43-1 Advanced using a static IP address

    Overview

    Figure 3-4 [network diagram; labels: SIMATIC S7-300 or S7-400 with CP x43-1 Advanced (VPN client), Service PC, Internet modem/router, Internet router with static WAN IP address, SCALANCE S (VPN server), automation cell; legend: VPN tunnel, Industrial Ethernet]

    Table 3-5

    VPN server | VPN client | Access type
    SCALANCE S | CP x43-1 Advanced | Static IP address

    Requirements
    - Static public IP address for the Internet router of the VPN server.
    - Internet router with port forwarding functionality (on the VPN server side).
    - Standard Internet modem, router or UMTS router, for example SCALANCE M873 (on the VPN client side).

    Link to the configuration description:
    http://support.automation.siemens.com/WW/view/en/99681025


    3.1.5 VPN tunnel between SCALANCE S (VPN server) and SCALANCE M874-x using a static IP address

    Overview

    Figure 3-5 [network diagram; labels: Service PC, SCALANCE M874-x (VPN client), Internet router with static WAN IP address, SCALANCE S (VPN server), automation cell, SIMATIC S7 stations; legend: VPN tunnel, Industrial Ethernet]

    Table 3-6

    VPN server | VPN client | Access type
    SCALANCE S | SCALANCE M874-x | Static IP address

    Requirements
    - Static public IP address for the Internet router of the VPN server.
    - Internet router with port forwarding functionality (on the VPN server side).
    - Mobile network operator's default APN (on the VPN client side).

    Link to the configuration description:
    http://support.automation.siemens.com/WW/view/en/99681225


    3.1.6 VPN tunnel between SCALANCE S (VPN server) and a mobile client using a static IP address

    Overview

    Figure 3-6 [network diagram; labels: Smartphone with IPSec Client App (VPN client), Internet router with static WAN IP address, SCALANCE S (VPN server), automation cell, SIMATIC S7 stations; legend: VPN tunnel, Industrial Ethernet]

    Table 3-7

    VPN server | VPN client | Access type
    SCALANCE S | Mobile client | Static IP address

    Requirements
    - Static public IP address for the Internet router of the VPN server.
    - Internet router with port forwarding functionality (on the VPN server side).
    - Mobile network operator's default APN (on the VPN client side).
    - Smartphone with IPSec Client app and Android operating system (on the VPN client side).

    Link to the configuration description:
    http://support.automation.siemens.com/WW/view/en/99680894


    3.2 Dynamic IP address

    3.2.1 VPN tunnel between SCALANCE S (VPN server) and SCALANCE S using a dynamic IP address

    Overview

    Figure 3-7 [network diagram; labels: Service PC, SCALANCE S (VPN client), Internet modem/router, Internet router with dynamic WAN IP address, SCALANCE S (VPN server), automation cell, SIMATIC S7 stations; legend: VPN tunnel, Industrial Ethernet]

    Table 3-8

    VPN server | VPN client | Access type
    SCALANCE S | SCALANCE S | Dynamic IP address

    Requirements
    - Dynamic public IP address for the Internet router of the VPN server (use of the DDNS providers dyndns.org or no-ip.org).
    - Internet router with port forwarding functionality (on the VPN server side).
    - Standard Internet modem, router or UMTS router, for example SCALANCE M873 (on the VPN client side).

    Link to the configuration description: In progress


    3.2.2 VPN tunnel between SCALANCE S (VPN server) and SCALANCE M81x-1 using a dynamic IP address

    Overview

    Figure 3-8 [network diagram; labels: Service PC, SCALANCE M81x-1 (VPN client), Internet router with dynamic WAN IP address, SCALANCE S (VPN server), automation cell, SIMATIC S7 stations; legend: VPN tunnel, Industrial Ethernet]

    Table 3-9

    VPN server | VPN client | Access type
    SCALANCE S | SCALANCE M81x-1 | Dynamic IP address

    Requirements
    - Dynamic public IP address for the Internet router of the VPN server (use of the DDNS providers dyndns.org or no-ip.org).
    - Internet router with port forwarding functionality (on the VPN server side).

    Link to the configuration description: In progress


    3.2.3 VPN tunnel between SCALANCE S (VPN server) and SOFTNET Security Client using a dynamic IP address

    Overview

    Figure 3-9 [network diagram; labels: Service PC with SOFTNET Security Client (SSC, VPN client), Internet modem/router, Internet router with dynamic WAN IP address, SCALANCE S (VPN server), automation cell, SIMATIC S7 stations; legend: VPN tunnel, Industrial Ethernet]

    Table 3-10

    VPN server | VPN client | Access type
    SCALANCE S | SOFTNET Security Client | Dynamic IP address

    Requirements
    - Dynamic public IP address for the Internet router of the VPN server (use of the DDNS providers dyndns.org or no-ip.org).
    - Internet router with port forwarding functionality (on the VPN server side).
    - Standard Internet modem, router or UMTS router, for example SCALANCE M873 (on the VPN client side).

    Link to the configuration description: In progress


    3.2.4 VPN tunnel between SCALANCE S (VPN server) and SCALANCE M874-x using a dynamic IP address

    Overview

    Figure 3-10 [network diagram; labels: Service PC, SCALANCE M874-x (VPN client), Internet router with dynamic WAN IP address, SCALANCE S (VPN server), automation cell, SIMATIC S7 stations; legend: VPN tunnel, Industrial Ethernet]

    Table 3-11

    VPN server | VPN client | Access type
    SCALANCE S | SCALANCE M874-x | Dynamic IP address

    Requirements
    - Dynamic public IP address for the Internet router (use of the DDNS providers dyndns.org or no-ip.org)
    - Internet router with port forwarding functionality
    - Mobile network operator's default APN

    Link to the configuration description: In progress


    3.2.5 VPN tunnel between SCALANCE S (VPN server) and a mobile client using a dynamic IP address

    Overview

    Figure 3-11 [network diagram; labels: Smartphone with IPSec Client App (VPN client), Internet router with dynamic WAN IP address, SCALANCE S (VPN server), automation cell, SIMATIC S7 stations; legend: VPN tunnel, Industrial Ethernet]

    Table 3-12

    VPN server | VPN client | Access type
    SCALANCE S | Mobile client | Dynamic IP address

    Requirements
    - Dynamic public IP address for the Internet router of the VPN server (use of the DDNS providers dyndns.org or no-ip.org).
    - Internet router with port forwarding functionality (on the VPN server side).
    - Mobile network operator's default APN (on the VPN client side).
    - Smartphone with IPSec Client app and Android operating system (on the VPN client side).

    Link to the configuration description: In progress


    3.3 PPPoE

    3.3.1 VPN tunnel between SCALANCE S (VPN server) and SCALANCE S using PPPoE

    Overview

    Figure 3-12 [network diagram; labels: Service PC, SCALANCE S (VPN client), Internet modem/router, Internet modem, SCALANCE S (VPN server), automation cell, SIMATIC S7 stations; legend: VPN tunnel, Industrial Ethernet]

    Table 3-13

    VPN server | VPN client | Access type
    SCALANCE S | SCALANCE S | PPPoE

    Requirements
    - SCALANCE S version 3 or higher (VPN server).
    - Dynamic use of the DDNS providers dyndns.org or no-ip.org (VPN client: SCALANCE S (firmware version V4 or higher)) or static public IP address for the Internet modem.
    - Standard Internet modem (on the VPN server side).
    - Standard Internet modem, router or UMTS router, for example SCALANCE M873 (on the VPN client side).

    Link to the configuration description: In progress


    3.3.2 VPN tunnel between SCALANCE S (VPN server) and SCALANCE M81x-1 using PPPoE

    Overview

    Figure 3-13 [network diagram; labels: Service PC, SCALANCE M81x-1 (VPN client), Internet modem, SCALANCE S (VPN server), automation cell, SIMATIC S7 stations; legend: VPN tunnel, Industrial Ethernet]

    Table 3-14

    VPN server | VPN client | Access type
    SCALANCE S | SCALANCE M81x-1 | PPPoE

    Requirements
    - SCALANCE S version 3 or higher (VPN server).
    - Dynamic (use of the DDNS providers dyndns.org or no-ip.org) or static public IP address for the Internet modem of the VPN server.
    - Standard Internet modem (on the VPN server side).

    Link to the configuration description: In progress


    3.3.3 VPN tunnel between SCALANCE S (VPN server) and SOFTNET Security Client using PPPoE

    Overview

    Figure 3-14 [network diagram; labels: Service PC with SOFTNET Security Client (SSC, VPN client), Internet modem/router, Internet modem, SCALANCE S (VPN server), automation cell, SIMATIC S7 stations; legend: VPN tunnel, Industrial Ethernet]

    Table 3-15

    VPN server | VPN client | Access type
    SCALANCE S | SOFTNET Security Client | PPPoE

    Requirements
    - SCALANCE S version 3 or higher (VPN server).
    - Dynamic (use of the DDNS providers dyndns.org or no-ip.org) or static public IP address for the Internet modem of the VPN server.
    - Standard Internet modem (on the VPN server side).
    - Standard Internet modem, router or UMTS router, for example SCALANCE M873 (on the VPN client side).

    Link to the configuration description: In progress


    3.3.4 VPN tunnel between SCALANCE S (VPN server) and CP x43-1 Advanced using PPPoE

    Overview

    Figure 3-15 [network diagram; labels: SIMATIC S7-300 or S7-400 with CP x43-1 Advanced (VPN client), Service PC, Internet modem/router, static WAN IP address, Internet modem, SCALANCE S (VPN server), automation cell; legend: VPN tunnel, Industrial Ethernet]

    Table 3-16

    VPN server | VPN client | Access type
    SCALANCE S | CP x43-1 Advanced | PPPoE

    Requirements
    - SCALANCE S version 3 or higher (VPN server).
    - Static public IP address for the Internet modem of the VPN server.
    - Standard Internet modem (on the VPN server side).
    - Standard Internet modem, router or UMTS router, for example SCALANCE M873 (on the VPN client side).

    Link to the configuration description: In progress


    3.3.5 VPN tunnel between SCALANCE S (VPN server) and SCALANCE M874-x using PPPoE

    Overview

    Figure 3-16 [network diagram; labels: Service PC, SCALANCE M874-x (VPN client), Internet modem, SCALANCE S (VPN server), automation cell, SIMATIC S7 stations; legend: VPN tunnel, Industrial Ethernet]

    Table 3-17

    VPN server | VPN client | Access type
    SCALANCE S | SCALANCE M874-x | PPPoE

    Requirements
    - SCALANCE S version 3 or higher (VPN server).
    - Dynamic (use of the DDNS providers dyndns.org or no-ip.org) or static public IP address for the Internet modem of the VPN server.
    - Standard Internet modem (on the VPN server side).
    - Mobile network operator's default APN (on the VPN client side).

    Link to the configuration description: In progress


    3.3.6 VPN tunnel between SCALANCE S (VPN server) and a mobile client using PPPoE

    Overview

    Figure 3-17 [network diagram; labels: Smartphone with IPSec Client App (VPN client), Internet modem, SCALANCE S (VPN server), automation cell, SIMATIC S7 stations; legend: VPN tunnel, Industrial Ethernet]

    Table 3-18

    VPN server | VPN client | Access type
    SCALANCE S | Mobile client | PPPoE

    Requirements
    - SCALANCE S version 3 or higher (VPN server).
    - Dynamic (use of the DDNS providers dyndns.org or no-ip.org) or static public IP address for the Internet modem of the VPN server.
    - Standard Internet modem (on the VPN server side).
    - Mobile network operator's default APN (on the VPN client side).
    - Smartphone with IPSec Client app and Android operating system (on the VPN client side).

    Link to the configuration description: In progress


    4 SCALANCE M874-x

    This chapter describes the configurations in which the SCALANCE M874-x is configured as the VPN server. This group is marked in light red.

    Table 4-1

    VPN server | VPN client | Access type
    SCALANCE M874-x | VPN remote end | Static IP address; Dynamic IP address

    Characteristics
    - The plant with the SCALANCE M874-x as the VPN server can be both stationary and mobile.
    - A static or dynamic public IP address can be used for the SCALANCE M874-x.
    - Up to 10 VPN tunnels can be established simultaneously; therefore, multiple secure connections can run simultaneously and independently of one another.
    - A service employee or plant on the VPN client side can establish the VPN tunnel only when necessary; a permanently established tunnel connection is not necessary.


    4.1 Static IP address

    4.1.1 VPN tunnel between SCALANCE M874-x (VPN server) and SCALANCE M81x-1 using a static IP address

    Overview

    Figure 4-1 [network diagram; labels: Service PC, SCALANCE M81x-1 (VPN client), static WAN IP address, SCALANCE M874-x (VPN server), automation cell, SIMATIC S7 stations; legend: VPN tunnel, Industrial Ethernet]

    Table 4-2

    VPN server | VPN client | Access type
    SCALANCE M874-x | SCALANCE M81x-1 | Static IP address

    Requirements
    - Static public IP address from the mobile network operator that can also be accessed from the Internet (on the VPN server side).
    - Mobile network operator's default APN (on the VPN server side).

    Link to the configuration description: In progress


    4.1.2 VPN tunnel between SCALANCE M874-x (VPN server) and SOFTNET Security Client using a static IP address

    Overview

    Figure 4-2 [network diagram; labels: Service PC with SOFTNET Security Client (SSC, VPN client), Internet modem/router, static WAN IP address, SCALANCE M874-x (VPN server), automation cell, SIMATIC S7 stations; legend: VPN tunnel, Industrial Ethernet]

    Table 4-3

    VPN server | VPN client | Access type
    SCALANCE M874-x | SOFTNET Security Client | Static IP address

    Requirements
    - Static public IP address from the mobile network operator that can also be accessed from the Internet (on the VPN server side).
    - Mobile network operator's default APN (on the VPN server side).
    - Standard Internet modem, router or UMTS router, for example SCALANCE M873 (on the VPN client side).

    Link to the configuration description: In progress


    4.1.3 VPN tunnel between SCALANCE M874-x (VPN server) and CP x43-1 Advanced using a static IP address

    Overview

    Figure 4-3 [network diagram; labels: SIMATIC S7-300 or S7-400 with CP x43-1 Advanced (VPN client), Internet modem/router, Service PC, static WAN IP address, SCALANCE M874-x (VPN server), automation cell; legend: VPN tunnel, Industrial Ethernet]

    Table 4-4

    VPN server | VPN client | Access type
    SCALANCE M874-x | CP x43-1 Advanced | Static IP address

    Requirements
    - Static public IP address from the mobile network operator that can also be accessed from the Internet (on the VPN server side).
    - Mobile network operator's default APN (on the VPN server side).
    - Standard Internet modem, router or UMTS router, for example SCALANCE M873 (on the VPN client side).

    Link to the configuration description: In progress


    4.1.4 VPN tunnel between SCALANCE M874-x (VPN server) and CP 1x43-1 using a static IP address

    Overview

    Figure 4-4 [network diagram; labels: Service PC, Internet modem/router, static WAN IP address, SCALANCE M874-x (VPN server), SIMATIC S7-1200 or S7-1500 with CP 1x43-1 (VPN client), automation cell; legend: VPN tunnel, Industrial Ethernet]

    Table 4-5

    VPN server | VPN client | Access type
    SCALANCE M874-x | CP 1x43-1 | Static IP address

    Requirements
    - Static public IP address from the mobile network operator that can also be accessed from the Internet (on the VPN server side).
    - Mobile network operator's default APN (on the VPN server side).
    - Standard Internet modem, router or UMTS router, for example SCALANCE M873 (on the VPN client side).

    Link to the configuration description: In progress


    4.1.5 VPN tunnel between SCALANCE M874-x (VPN server) and SCALANCE M874-x using a static IP address

    Overview

    Figure 4-5 [network diagram; labels: Service PC, SCALANCE M874-x (VPN client), static WAN IP address, SCALANCE M874-x (VPN server), automation cell, SIMATIC S7 stations; legend: VPN tunnel, Industrial Ethernet]

    Table 4-6

    VPN server | VPN client | Access type
    SCALANCE M874-x | SCALANCE M874-x | Static IP address

    Requirements
    - Static public IP address from the mobile network operator that can also be accessed from the Internet (on the VPN server side).
    - Mobile to mobile communication (depending on the mobile network operator).

    Link to the configuration description: In progress


    4.1.6 VPN tunnel between SCALANCE M874-x (VPN server) and a mobile client using a static IP address

    Overview

    Figure 4-6 [network diagram; labels: Smartphone with IPSec Client App (VPN client), static WAN IP address, SCALANCE M874-x (VPN server), automation cell, SIMATIC S7 stations; legend: VPN tunnel, Industrial Ethernet]

    Table 4-7

    VPN server | VPN client | Access type
    SCALANCE M874-x | Mobile client | Static IP address

    Requirements
    - Static public IP address from the mobile network operator that can also be accessed from the Internet (on the VPN server side).
    - Mobile to mobile communication (depending on the mobile network operator).
    - Smartphone with IPSec Client app and Android operating system (on the VPN client side).

    Link to the configuration description: In progress


    4.2 Dynamic IP address

    4.2.1 VPN tunnel between SCALANCE M874-x (VPN server) and SCALANCE M81x-1 using a dynamic IP address

    Overview

    Figure 4-7 [network diagram; labels: Service PC, SCALANCE M81x-1 (VPN client), dynamic WAN IP address, SCALANCE M874-x (VPN server), automation cell, SIMATIC S7 stations; legend: VPN tunnel, Industrial Ethernet]

    Table 4-8

    VPN server | VPN client | Access type
    SCALANCE M874-x | SCALANCE M81x-1 | Dynamic IP address

    Requirements
    - Dynamic public IP address from the mobile network operator for the VPN server (use of the DDNS providers dyndns.org or no-ip.org).
    - Mobile network operator's default APN (on the VPN server side).

    Link to the configuration description: In progress


    4.2.2 VPN tunnel between SCALANCE M874-x (VPN server) and SOFTNET Security Client using a dynamic IP address

    Overview

    Figure 4-8 [network diagram; labels: Service PC with SOFTNET Security Client (SSC, VPN client), Internet modem/router, dynamic WAN IP address, SCALANCE M874-x (VPN server), automation cell, SIMATIC S7 stations; legend: VPN tunnel, Industrial Ethernet]

    Table 4-9

    VPN server | VPN client | Access type
    SCALANCE M874-x | SOFTNET Security Client | Dynamic IP address

    Requirements
    - Dynamic public IP address from the mobile network operator for the VPN server (use of the DDNS providers dyndns.org or no-ip.org).
    - Mobile network operator's default APN (on the VPN server side).
    - Standard Internet modem, router or UMTS router, for example SCALANCE M873 (on the VPN client side).

    Link to the configuration description: In progress


    4.2.3 VPN tunnel between SCALANCE M874-x (VPN server) and SCALANCE M874-x using a dynamic IP address

    Overview

    Figure 4-9 [network diagram; labels: Service PC, SCALANCE M874-x (VPN client), dynamic WAN IP address, SCALANCE M874-x (VPN server), automation cell, SIMATIC S7 stations; legend: VPN tunnel, Industrial Ethernet]

    Table 4-10

    VPN server | VPN client | Access type
    SCALANCE M874-x | SCALANCE M874-x | Dynamic IP address

    Requirements
    - Dynamic public IP address from the mobile network operator for the VPN server (use of the DDNS providers dyndns.org or no-ip.org).
    - Mobile to mobile communication (depending on the mobile network operator).

    Link to the configuration description: In progress


    4.2.4 VPN tunnel between SCALANCE M874-x (VPN server) and a mobile client using a dynamic IP address

    Overview

    Figure 4-10 [network diagram; labels: Smartphone with IPSec Client App (VPN client), dynamic WAN IP address, SCALANCE M874-x (VPN server), automation cell, SIMATIC S7 stations; legend: VPN tunnel, Industrial Ethernet]

    Table 4-11

    VPN server | VPN client | Access type
    SCALANCE M874-x | Mobile client | Dynamic IP address

    Requirements
    - Dynamic public IP address from the mobile network operator for the VPN server (use of the DDNS providers dyndns.org or no-ip.org).
    - Mobile to mobile communication (depending on the mobile network operator).
    - Smartphone with IPSec Client app and Android operating system (on the VPN client side).

    Link to the configuration description: In progress


    5 SCALANCE M81x-1

    This chapter describes the configurations in which the SCALANCE M81x-1 is configured as the VPN server. This group is marked in light green.

    Table 5-1

    VPN server | VPN client | Access type
    SCALANCE M81x-1 | VPN remote end | Static IP address; Dynamic IP address

    Characteristics
    - The DSL router and VPN server settings are made directly in the SCALANCE M81x-1; a separate DSL router is not required.
    - A static or dynamic public IP address can be used for the SCALANCE M81x-1.
    - Up to 20 VPN tunnels can be established simultaneously; therefore, multiple secure connections can run simultaneously and independently of one another.
    - A service employee or plant on the VPN client side can establish the VPN tunnel only when necessary; a permanently established tunnel connection is not necessary.


    5.1 Static IP address

    5.1.1 VPN tunnel between SCALANCE M81x-1 (VPN server) and SCALANCE M81x-1 using a static IP address

    Overview

    Figure 5-1 [network diagram; labels: Service PC, SCALANCE M81x-1 (VPN client), static WAN IP address, SCALANCE M81x-1 (VPN server), automation cell, SIMATIC S7 stations; legend: VPN tunnel, Industrial Ethernet]

    Table 5-2

    VPN server | VPN client | Access type
    SCALANCE M81x-1 | SCALANCE M81x-1 | Static IP address

    Requirements
    - Static public IP address for the VPN server.

    Link to the configuration description: In progress


    5.1.2 VPN tunnel between SCALANCE M81x-1 (VPN server) and SOFTNET Security Client using a static IP address

    Overview

    Figure 5-2 [network diagram; labels: Service PC with SOFTNET Security Client (SSC, VPN client), Internet modem/router, static WAN IP address, SCALANCE M81x-1 (VPN server), automation cell, SIMATIC S7 stations; legend: VPN tunnel, Industrial Ethernet]

    Table 5-3

    VPN server | VPN client | Access type
    SCALANCE M81x-1 | SOFTNET Security Client | Static IP address

    Requirements
    - Static public IP address for the VPN server.
    - Standard Internet modem, router or UMTS router, for example SCALANCE M873 (on the VPN client side).

    Link to the configuration description: In progress


    5.1.3 VPN tunnel between SCALANCE M81x-1 (VPN server) and CP x43-1 Advanced using a static IP address

    Overview

    Figure 5-3 [network diagram; labels: SIMATIC S7-300 or S7-400 with CP x43-1 Advanced (VPN client), Internet modem/router, Service PC, static WAN IP address, SCALANCE M81x-1 (VPN server), automation cell; legend: VPN tunnel, Industrial Ethernet]

    Table 5-4

    VPN server | VPN client | Access type
    SCALANCE M81x-1 | CP x43-1 Advanced | Static IP address

    Requirements
    - Static public IP address for the VPN server.
    - Standard Internet modem, router or UMTS router, for example SCALANCE M873 (on the VPN client side).

    Link to the configuration description: In progress


    5.1.4 VPN tunnel between SCALANCE M81x-1 (VPN server) and CP 1x43-1 using a static IP address

    Overview

    Figure 5-4 [network diagram; labels: Service PC, Internet modem/router, static WAN IP address, SCALANCE M81x-1 (VPN server), SIMATIC S7-1200 or S7-1500 with CP 1x43-1 (VPN client), automation cell; legend: VPN tunnel, Industrial Ethernet]

    Table 5-5

    VPN server | VPN client | Access type
    SCALANCE M81x-1 | CP 1x43-1 | Static IP address

    Requirements
    - Static public IP address for the VPN server.
    - Standard Internet modem, router or UMTS router, for example SCALANCE M873 (on the VPN client side).

    Link to the configuration description: In progress


    5.1.5 VPN tunnel between SCALANCE M81x-1 (VPN server) and SCALANCE M874-x using a static IP address

    Overview

    Figure 5-5 [diagram; labels: Service PC; VPN Server; VPN Tunnel; Industrial Ethernet; Static WAN IP Address; SCALANCE M874-x; VPN Client; Automation Cell; SCALANCE M81x-1; SIMATIC S7 Stations]

    Table 5-6

    VPN server | VPN client | Access type
    SCALANCE M81x-1 | SCALANCE M874-x | Static IP address

    Requirements
    - Static public IP address for the VPN server.
    - Mobile network operator's default APN (on the VPN client side).

    Link to the configuration description: In progress


    5.1.6 VPN tunnel between SCALANCE M81x-1 (VPN server) and a mobile client using a static IP address

    Overview

    Figure 5-6 [diagram; labels: VPN Client; VPN Tunnel; Industrial Ethernet; Smartphone with IPSec Client App; Static WAN IP Address; SCALANCE M81x-1; VPN Server; Automation Cell; SIMATIC S7 Stations]

    Table 5-7

    VPN server | VPN client | Access type
    SCALANCE M81x-1 | Mobile client | Static IP address

    Requirements
    - Static public IP address for the VPN server.
    - Mobile network operator's default APN (on the VPN client side).
    - Smartphone with IPSec Client app and Android operating system (on the VPN client side).

    Link to the configuration description: In progress


    5.2 Dynamic IP address

    5.2.1 VPN tunnel between SCALANCE M81x-1 (VPN server) and SCALANCE M81x-1 using a dynamic IP address

    Overview

    Figure 5-7 [diagram; labels: Service PC; VPN Server; VPN Tunnel; Industrial Ethernet; Dynamic WAN IP Address; SCALANCE M81x-1; SCALANCE M81x-1; VPN Client; Automation Cell; SIMATIC S7 Stations]

    Table 5-8

    VPN server | VPN client | Access type
    SCALANCE M81x-1 | SCALANCE M81x-1 | Dynamic IP address

    Requirements
    - Dynamic public IP address for the VPN server (use of the DDNS providers dyndns.org or no-ip.org).

    Link to the configuration description: In progress


    5.2.2 VPN tunnel between SCALANCE M81x-1 (VPN server) and SOFTNET Security Client using a dynamic IP address

    Overview

    Figure 5-8 [diagram; labels: VPN Tunnel; Industrial Ethernet; Internet; Modem/Router; Dynamic WAN IP Address; Service PC with SOFTNET Security Client (SSC); VPN Client; SCALANCE M81x-1; VPN Server; Automation Cell; SIMATIC S7 Stations]

    Table 5-9

    VPN server | VPN client | Access type
    SCALANCE M81x-1 | SOFTNET Security Client | Dynamic IP address

    Requirements
    - Dynamic public IP address for the VPN server (use of the DDNS providers dyndns.org or no-ip.org).
    - Standard Internet modem, router or UMTS router, for example SCALANCE M873 (on the VPN client side).

    Link to the configuration description: In progress


    5.2.3 VPN tunnel between SCALANCE M81x-1 (VPN server) and SCALANCE M874-x using a dynamic IP address

    Overview

    Figure 5-9 [diagram; labels: Service PC; VPN Server; VPN Tunnel; Industrial Ethernet; Dynamic WAN IP Address; SCALANCE M874-x; VPN Client; Automation Cell; SCALANCE M81x-1; SIMATIC S7 Stations]

    Table 5-10

    VPN server | VPN client | Access type
    SCALANCE M81x-1 | SCALANCE M874-x | Dynamic IP address

    Requirements
    - Dynamic public IP address for the VPN server (use of the DDNS providers dyndns.org or no-ip.org).
    - Mobile network operator's default APN (on the VPN client side).

    Link to the configuration description: In progress


    5.2.4 VPN tunnel between SCALANCE M81x-1 (VPN server) and a mobile client using a dynamic IP address

    Overview

    Figure 5-10 [diagram; labels: VPN Client; VPN Tunnel; Industrial Ethernet; Smartphone with IPSec Client App; Dynamic WAN IP Address; SCALANCE M81x-1; VPN Server; Automation Cell; SIMATIC S7 Stations]

    Table 5-11

    VPN server | VPN client | Access type
    SCALANCE M81x-1 | Mobile client | Dynamic IP address

    Requirements
    - Dynamic public IP address for the VPN server (use of the DDNS providers dyndns.org or no-ip.org).
    - Mobile network operator's default APN (on the VPN client side).
    - Smartphone with IPSec Client app and Android operating system (on the VPN server side).

    Link to the configuration description: In progress


    6 CP x43-1 Advanced

    This chapter describes the configurations in which the CP x43-1 Advanced is configured as the VPN server. This group is marked in dark blue.

    Table 6-1

    VPN server | VPN client | Access type
    CP x43-1 Advanced | VPN remote end | Static IP address; Dynamic IP address

    Characteristics
    - The firewall, VPN server and communication settings are made directly in the CP x43-1 Advanced; the security functions are integrated in the communications processor.
    - A static or dynamic public IP address can be used for the DSL router on the VPN server side.


    6.1 Static IP address

    6.1.1 VPN tunnel between CP x43-1 Advanced (VPN server) and SCALANCE S using a static IP address

    Overview

    Figure 6-1 [diagram; labels: SCALANCE S; Service PC; VPN Client; VPN Tunnel; Industrial Ethernet; Internet; Modem/Router; VPN Server; SIMATIC S7-300 or S7-400 with CP x43-1 Advanced; Automation Cell; Router; Static WAN IP Address]

    Table 6-2

    VPN server | VPN client | Access type
    CP x43-1 Advanced | SCALANCE S | Static IP address

    Requirements
    - Static public IP address for the Internet router of the VPN server.
    - Internet router with port forwarding functionality (on the VPN server side).
    - Standard Internet modem, router or UMTS router, for example SCALANCE M873 (on the VPN client side).

    Link to the configuration description: http://support.automation.siemens.com/WW/view/en/108910593


    6.1.2 VPN tunnel between CP x43-1 Advanced (VPN server) and SCALANCE M81x-1 using a static IP address

    Overview

    Figure 6-2 [diagram; labels: VPN Server; SIMATIC S7-300 or S7-400 with CP x43-1 Advanced; Automation Cell; Service PC; VPN Client; VPN Tunnel; Industrial Ethernet; Internet; Router; Static WAN IP Address; SCALANCE M81x-1]

    Table 6-3

    VPN server | VPN client | Access type
    CP x43-1 Advanced | SCALANCE M874-x | Static IP address

    Requirements
    - Static public IP address for the Internet router of the VPN server.
    - Internet router with port forwarding functionality (on the VPN server side).

    Link to the configuration description: http://support.automation.siemens.com/WW/view/en/108910139


    6.1.3 VPN tunnel between CP x43-1 Advanced (VPN server) and SOFTNET Security Client using a static IP address

    Overview

    Figure 6-3 [diagram; labels: VPN Tunnel; Industrial Ethernet; VPN Client; Internet; Modem/Router; Service PC with SOFTNET Security Client (SSC); VPN Server; SIMATIC S7-300 or S7-400 with CP x43-1 Advanced; Automation Cell; Router; Static WAN IP Address]

    Table 6-4

    VPN server | VPN client | Access type
    CP x43-1 Advanced | SOFTNET Security Client | Static IP address

    Requirements
    - Static public IP address for the Internet router of the VPN server.
    - Internet router with port forwarding functionality (on the VPN server side).
    - Standard Internet modem, router or UMTS router, for example SCALANCE M873 (on the VPN client side).

    Link to the configuration description: http://support.automation.siemens.com/WW/view/en/108910602


    6.1.4 VPN tunnel between CP x43-1 Advanced (VPN server) and CP x43-1 Advanced using a static IP address

    Overview

    Figure 6-4 [diagram; labels: VPN Client; SIMATIC S7-300 or S7-400 with CP x43-1 Advanced; Internet; Modem/Router; Automation Cell B; VPN Tunnel; Industrial Ethernet; Static WAN IP Address; Router; VPN Server; SIMATIC S7-300 or S7-400 with CP x43-1 Advanced; Automation Cell A]

    Table 6-5

    VPN server | VPN client | Access type
    CP x43-1 Advanced | CP x43-1 Advanced | Static IP address

    Requirements
    - Static public IP address for the Internet router of the VPN server.
    - Internet router with port forwarding functionality (on the VPN server side).
    - Standard Internet modem, router or UMTS router, for example SCALANCE M873 (on the VPN client side).

    Link to the configuration description: http://support.automation.siemens.com/WW/view/en/108910347


    6.1.5 VPN tunnel between CP x43-1 Advanced (VPN server) and SCALANCE M874-x using a static IP address

    Overview

    Figure 6-5 [diagram; labels: VPN Server; SIMATIC S7-300 or S7-400 with CP x43-1 Advanced; Automation Cell; Service PC; VPN Client; VPN Tunnel; Industrial Ethernet; SCALANCE M874-x; Internet; Router; Static WAN IP Address]

    Table 6-6

    VPN server | VPN client | Access type
    CP x43-1 Advanced | SCALANCE M874-x | Static IP address

    Requirements
    - Static public IP address for the Internet router of the VPN server.
    - Internet router with port forwarding functionality (on the VPN server side).
    - Mobile network operator's default APN (on the VPN client side).

    Link to the configuration description: http://support.automation.siemens.com/WW/view/en/108913753


    6.1.6 VPN tunnel between CP x43-1 Advanced (VPN server) and a mobile client using a static IP address

    Overview

    Figure 6-6 [diagram; labels: VPN Tunnel; Industrial Ethernet; VPN Client; Smartphone with IPSec Client App; VPN Server; SIMATIC S7-300 or S7-400 with CP x43-1 Advanced; Automation Cell; Internet; Router; Static WAN IP Address]

    Table 6-7

    VPN server | VPN client | Access type
    CP x43-1 Advanced | Mobile client | Static IP address

    Requirements
    - Static public IP address for the Internet router of the VPN server.
    - Internet router with port forwarding functionality (on the VPN server side).
    - Mobile network operator's default APN (on the VPN client side).
    - Smartphone with IPSec Client app and Android operating system (on the VPN client side).

    Link to the configuration description: http://support.automation.siemens.com/WW/view/en/108909919


    6.2 Dynamic IP address

    6.2.1 VPN tunnel between CP x43-1 Advanced (VPN server) and SOFTNET Security Client using a dynamic IP address

    Overview

    Figure 6-7 [diagram; labels: VPN Tunnel; Industrial Ethernet; VPN Client; Internet; Modem/Router; Service PC with SOFTNET Security Client (SSC); VPN Server; SIMATIC S7-300 or S7-400 with CP x43-1 Advanced; Automation Cell; Router; Dynamic WAN IP Address]

    Table 6-8

    VPN server | VPN client | Access type
    CP x43-1 Advanced | SOFTNET Security Client | Dynamic IP address

    Requirements
    - Dynamic public IP address for the Internet router of the VPN server (use of the DDNS providers dyndns.org or no-ip.org).
    - Internet router with port forwarding functionality (on the VPN server side).
    - Standard Internet modem, router or UMTS router, for example SCALANCE M873 (on the VPN client side).

    Link to the configuration description: In progress


    6.2.2 VPN tunnel between CP x43-1 Advanced (VPN server) and SCALANCE M81x-1 using a dynamic IP address

    Overview

    Figure 6-8 [diagram; labels: VPN Server; SIMATIC S7-300 or S7-400 with CP x43-1 Advanced; Automation Cell; Service PC; VPN Client; VPN Tunnel; Industrial Ethernet; Internet; Router; Dynamic WAN IP Address; SCALANCE M81x-1]

    Table 6-9

    VPN server | VPN client | Access type
    CP x43-1 Advanced | SCALANCE M874-x | Dynamic IP address

    Requirements
    - Dynamic public IP address for the Internet router of the VPN server (use of the DDNS providers dyndns.org or no-ip.org).
    - Internet router with port forwarding functionality (on the VPN server side).

    Link to the configuration description: In progress


    6.2.3 VPN tunnel between CP x43-1 Advanced (VPN server) and SCALANCE M874-x using a dynamic IP address

    Overview

    Figure 6-9 [diagram; labels: VPN Server; SIMATIC S7-300 or S7-400 with CP x43-1 Advanced; Automation Cell; Service PC; VPN Client; VPN Tunnel; Industrial Ethernet; SCALANCE M874-x; Internet; Router; Dynamic WAN IP Address]

    Table 6-10

    VPN server | VPN client | Access type
    CP x43-1 Advanced | SCALANCE M874-x | Dynamic IP address

    Requirements
    - Dynamic public IP address for the Internet router of the VPN server (use of the DDNS providers dyndns.org or no-ip.org).
    - Internet router with port forwarding functionality (on the VPN server side).
    - Mobile network operator's default APN

    Link to the configuration description: In progress


    6.2.4 VPN tunnel between CP x43-1 Advanced (VPN server) and a mobile client using a dynamic IP address

    Overview

    Figure 6-10 [diagram; labels: VPN Tunnel; Industrial Ethernet; VPN Client; Smartphone with IPSec Client App; VPN Server; SIMATIC S7-300 or S7-400 with CP x43-1 Advanced; Automation Cell; Internet; Router; Dynamic WAN IP Address]

    Table 6-11

    VPN server | VPN client | Access type
    CP x43-1 Advanced | Mobile client | Dynamic IP address

    Requirements
    - Dynamic public IP address for the Internet router of the VPN server (use of the DDNS providers dyndns.org or no-ip.org).
    - Internet router with port forwarding functionality (on the VPN server side).
    - Mobile network operator's default APN (on the VPN client side).
    - Smartphone with IPSec Client app and Android operating system (on the VPN client side).

    Link to the configuration description: In progress


    7 CP 1x43-1

    This chapter describes the configurations in which the CP 1x43-1 is configured as the VPN server. This group is marked in gray.

    Table 7-1

    VPN server | VPN client | Access type
    CP 1x43-1 | VPN remote end | Static IP address; Dynamic IP address

    Characteristics
    - The firewall, VPN server and communication settings are made directly in the CP 1x43-1; the security functions are integrated in the communications processor.
    - A static or dynamic public IP address can be used for the DSL router on the VPN server side.


    7.1 Static IP address

    7.1.1 VPN tunnel between CP 1x43-1 (VPN server) and SCALANCE S using a static IP address

    Overview

    Figure 7-1 [diagram; labels: SCALANCE S; Service PC; VPN Client; VPN Tunnel; Industrial Ethernet; Internet; Modem/Router; Router; Static WAN IP Address; VPN Server; Automation Cell; SIMATIC S7-1200 or S7-1500 with CP 1x43-1]

    Table 7-2

    VPN server | VPN client | Access type
    CP 1x43-1 | SCALANCE S | Static IP address

    Requirements
    - Static public IP address for the Internet router of the VPN server.
    - Internet router with port forwarding functionality (on the VPN server side).
    - Standard Internet modem, router or UMTS router, for example SCALANCE M873 (on the VPN client side).

    Link to the configuration description: In progress


    7.1.2 VPN tunnel between CP 1x43-1 (VPN server) and SCALANCE M81x-1 using a static IP address

    Overview

    Figure 7-2 [diagram; labels: Service PC; VPN Client; VPN Tunnel; Industrial Ethernet; Internet; Router; Static WAN IP Address; VPN Server; Automation Cell; SIMATIC S7-1200 or S7-1500 with CP 1x43-1; SCALANCE M81x-1]

    Table 7-3

    VPN server | VPN client | Access type
    CP 1x43-1 | SCALANCE M81x-1 | Static IP address

    Requirements
    - Static public IP address for the Internet router of the VPN server.
    - Internet router with port forwarding functionality (on the VPN server side).

    Link to the configuration description: In progress


    7.1.3 VPN tunnel between CP 1x43-1 (VPN server) and SOFTNET Security Client using a static IP address

    Overview

    Figure 7-3 [diagram; labels: VPN Tunnel; Industrial Ethernet; VPN Client; Internet; Modem/Router; Service PC with SOFTNET Security Client (SSC); Router; Static WAN IP Address; VPN Server; Automation Cell; SIMATIC S7-1200 or S7-1500 with CP 1x43-1]

    Table 7-4

    VPN server | VPN client | Access type
    CP 1x43-1 | SOFTNET Security Client | Static IP address

    Requirements
    - Static public IP address for the Internet router of the VPN server.
    - Internet router with port forwarding functionality (on the VPN server side).
    - Standard Internet modem, router or UMTS router, for example SCALANCE M873 (on the VPN client side).

    Link to the configuration description: In progress


    7.1.4 VPN tunnel between CP 1x43-1 (VPN server) and CP x43-1 Advanced using a static IP address

    Overview

    Figure 7-4 [diagram; labels: VPN Client; SIMATIC S7-300 or S7-400 with CP x43-1 Advanced; Internet; Modem/Router; Automation Cell B; VPN Tunnel; Industrial Ethernet; Static WAN IP Address; Router; VPN Server; Automation Cell A; SIMATIC S7-1200 or S7-1500 with CP 1x43-1]

    Table 7-5

    VPN server | VPN client | Access type
    CP 1x43-1 | CP x43-1 Advanced | Static IP address

    Requirements
    - Static public IP address for the Internet router of the VPN server.
    - Internet router with port forwarding functionality (on the VPN server side).
    - Standard Internet modem, router or UMTS router, for example SCALANCE M873 (on the VPN client side).

    Link to the configuration description: In progress


    7.1.5 VPN tunnel between CP 1x43-1 (VPN server) and CP 1x43-1 using a static IP address

    Overview

    Figure 7-5 [diagram; labels: VPN Tunnel; Industrial Ethernet; Static WAN IP Address; Internet; Router; VPN Server; Automation Cell A; SIMATIC S7-1200 or S7-1500 with CP 1x43-1; VPN Client; Modem/Router; Automation Cell B; SIMATIC S7-1200 or S7-1500 with CP 1x43-1]

    Table 7-6

    VPN server | VPN client | Access type
    CP 1x43-1 | CP 1x43-1 | Static IP address

    Requirements
    - Static public IP address for the Internet router of the VPN server.
    - Internet router with port forwarding functionality (on the VPN server side).
    - Standard Internet modem, router or UMTS router, for example SCALANCE M873 (on the VPN client side).

    Link to the configuration description: In progress


    7.1.6 VPN tunnel between CP 1x43-1 (VPN server) and SCALANCE M874-x using a static IP address

    Overview

    Figure 7-6 [diagram; labels: Service PC; VPN Client; VPN Tunnel; Industrial Ethernet; SCALANCE M874-x; Internet; Router; Static WAN IP Address; VPN Server; Automation Cell; SIMATIC S7-1200 or S7-1500 with CP 1x43-1]

    Table 7-7

    VPN server | VPN client | Access type
    CP 1x43-1 | SCALANCE M874-x | Static IP address

    Requirements
    - Static public IP address for the Internet router of the VPN server.
    - Internet router with port forwarding functionality (on the VPN server side).
    - Mobile network operator's default APN (on the VPN client side).

    Link to the configuration description: In progress


    7.1.7 VPN tunnel between CP 1x43-1 (VPN server) and a mobile client using a static IP address

    Overview

    Figure 7-7 [diagram; labels: VPN Tunnel; Industrial Ethernet; VPN Client; Smartphone with IPSec Client App; Internet; Router; Static WAN IP Address; VPN Server; Automation Cell; SIMATIC S7-1200 or S7-1500 with CP 1x43-1]

    Table 7-8

    VPN server | VPN client | Access type
    CP 1x43-1 | Mobile client | Static IP address

    Requirements
    - Static public IP address for the Internet router of the VPN server.
    - Internet router with port forwarding functionality (on the VPN server side).
    - Mobile network operator's default APN (on the VPN client side).
    - Smartphone with IPSec Client app and Android operating system (on the VPN client side).

    Link to the configuration description: In progress


    7.2 Dynamic IP address

    7.2.1 VPN tunnel between CP 1x43-1 (VPN server) and SCALANCE M81x-1 using a dynamic IP address

    Overview

    Figure 7-8 [diagram; labels: Service PC; VPN Client; VPN Tunnel; Industrial Ethernet; Internet; Router; Dynamic WAN IP Address; VPN Server; Automation Cell; SIMATIC S7-1200 or S7-1500 with CP 1x43-1; SCALANCE M81x-1]

    Table 7-9

    VPN s