FAQ about Communication Establishing a VPN Tunnel between PC Station and SCALANCE S 61x via the Internet Using the Microsoft Management Console FAQ


VPN Tunnel between PC Station with Win XP SP2 and

SCALANCE S 61x V2.1 via Internet

Entry ID: 26098354

V1.0 07/13/07 38/38

Copyright © Siemens AG 2007 All rights reserved VPN_Tunnel_Internet_e.doc

Table of Contents

1 The IPsec tunnel ... 4
2 Configuration – Overview ... 6
2.1 Configuring the gateway in the PLC ... 7
2.2 Configuring the gateway in the PC station ... 7
3 Configuration of the standard DSL Routers ... 9
3.1 Configuration of the standard DSL router A (connected to PC station) ... 9
3.2 Configuration of the standard DSL router B (connected to SCALANCE S) ... 9
4 Configuration of the IPsec Channel Using the Microsoft Management Console ... 10
4.1 Adding snap-ins ... 10
4.2 Creating IP security policy ... 13
4.3 Adding or editing security methods ... 14
4.4 Adding security rule for the data traffic from the PC station to the SCALANCE S 61x module ... 15
4.4.1 Creating IP filter ... 16
4.4.2 Creating and assigning filter action ... 18
4.4.3 Defining authentication method ... 21
4.4.4 Defining tunnel settings ... 22
4.5 Adding security rule for the data traffic from the SCALANCE S 61x module to the PC station ... 23
4.5.1 Creating IP filter ... 23
4.5.2 Assigning filter action ... 25
4.5.3 Authentication method ... 26
4.5.4 Defining tunnel settings ... 26
5 SCALANCE S 61x Configuration ... 29
6 Establishing VPN Tunnel ... 34
6.1 Checking IPsec services ... 34
6.2 Establishing IPsec tunnel ... 36
6.3 Checking IPsec tunnel status ... 36
7 History ... 38

This entry is from the Internet offer of Siemens AG, Automation and Drives, Service & Support. Clicking the link below directly displays the download page of this document.

http://support.automation.siemens.com/WW/view/en/26098354


Question: How is a VPN tunnel between the PC station with Windows XP SP2 and a SCALANCE S 61x V2.1 module configured via the internet using the Microsoft Management Console?

Answer: It is possible to establish a VPN tunnel from the PC station with Windows XP SP2 to a SCALANCE S 61x V2.1 module in routing mode via the internet. The Microsoft Management Console and the Security Configuration Tool are used for configuring the VPN tunnel.

The corresponding prerequisites are listed below:

• To support the establishment of the tunnel via the internet in routing mode, SCALANCE S 61x with firmware V2.1 and the Security Configuration Tool V2.1 are required. The firmware V2.1 for the SCALANCE S 61x module can be downloaded; the Entry ID is 24457842.

• The standard DSL routers A and B must support the NAT-T (network address translation-traversal) and NAPT (network address port translation) functions.

• A fixed external IP address for the standard DSL router B is required, which has to be parameterized on the passive SCALANCE S 61x module. Passive means here that the SCALANCE S 61x module waits until the partner initiates the establishment of the tunnel.

• A PC station with Windows XP SP2 is required which initiates the tunnel establishment.


1 The IPsec tunnel

The SCALANCE S module uses the IPsec protocol for tunneling.

The data exchange via an IPsec tunnel in the VPN has the following properties:

• Authentication – only persons with a corresponding authorization can establish a tunnel

• Integrity – ensures that the exchanged data have not been modified

• Confidentiality – the exchanged data are tap-proof

Key-based or certificate-based authentication methods are supported:

• Preshared key

• Certificate

The SCALANCE S module supports the following integrity check methods:

• SHA-1 – Secure Hash Algorithm 1

• MD5 – Message Digest Version 5

In addition, the SCALANCE S module supports two encryption algorithms:

• DES – Data Encryption Standard

• 3DES – Triple DES

• AES – Advanced Encryption Standard (this encryption algorithm is supported by the SCALANCE S module only in phase 2 of the data exchange via IPsec.)

The data exchange via the IPsec tunnel consists of two phases:

• Phase 1 – key exchange (IKE, Internet Key Exchange)

• Phase 2 – data exchange (ESP, Encapsulating Security Payload)

The IKE protocol is used for the automatic IPsec key management. It uses the Diffie-Hellman key exchange for a secure exchange of keys in an insecure network. One of the following key exchange methods is used for the key exchange:

• Main mode

• Aggressive mode

The following sections describe the individual configuration steps you have to perform to be able to establish the VPN tunnel via the internet.

The following parameters are configured for the key exchange (IKE, Internet Key Exchange):


Table 1-1 IKE parameters

IKE parameter            Value
Authentication method    Preshared key
Integrity check method   SHA-1
Encryption algorithm     3DES
Key exchange method      Main mode
Diffie-Hellman           DH2

The following parameters are configured for the data exchange (ESP, Encapsulating Security Payload):

Table 1-2 ESP parameters

ESP parameter            Value
Integrity check method   SHA-1
Encryption algorithm     Triple DES (3DES)


2 Configuration – Overview

Figure 2-1 shows the configuration.

Figure 2-1 Configuration (figure; the node labels and addresses it carries are listed here)

• PC station with Windows XP SP2 and optionally STEP 7: IP address 192.168.2.7, default gateway 192.168.2.1

• Standard DSL router A (ISP 1): external IP address 217.91.50.138, internal IP address 192.168.2.1

• Internet between ISP 1 and ISP 2, carrying the VPN tunnel (IPsec)

• Standard DSL router B (ISP 2): fixed external IP address 217.91.8.166, internal IP address 192.168.2.1

• SCALANCE S 61x: external IP address 192.168.2.5, internal IP address 140.80.0.2, default gateway 192.168.2.1

• Protected automation cell: CPU 315-2DP with CP343-1, IP address 140.80.0.3, default gateway 140.80.0.2


2.1 Configuring the gateway in the PLC

The CPU 315-2DP with the CP 343-1 is located in the internal Ethernet network that is protected by the SCALANCE S 61x V2.1 module. SCALANCE S 61x V2.1 is the router or gateway for the CP 343-1.

For this reason, you have to enter the internal IP address 140.80.0.2 of the SCALANCE S 61x V2.1 module as a router or gateway in the Ethernet interface properties of the CP 343-1. Figure 2-2 Specifying gateway or router in the S7-300 controller (callout: internal IP address of SCALANCE S 61x)

2.2 Configuring the gateway in the PC station

The PC station with the IP address 192.168.2.7 is located in the external Ethernet network of the SCALANCE S 61x V2.1 module. The standard router A is the gateway or router for the PC station. For this reason, in the Windows Network Connections in the Local Area Connection Properties, enter the internal IP address 192.168.2.1 of the standard router A for the “default gateway”. In addition, the standard router A is used as a DNS server for the PC station. Figure 2-3 Specifying default gateway in the PC station (callouts: internal IP address of the standard router A; IP address of the PC station)


Note: When the standard router A is DHCP-capable, the PC can automatically obtain its IP and DNS server address from router A.


3 Configuration of the standard DSL Routers

3.1 Configuration of the standard DSL router A (connected to PC station)

The standard DSL router A is on the active side, i.e., the PC station initiates the establishment of the VPN tunnel. It is thus not required to configure port forwarding rules for the PC station’s IPsec packets in the standard DSL router A.

However, with a fixed IP address on the PC station, port forwarding can optionally be set up so that UDP packets from the internet addressed to ports 500 and 4500 of the router are sent to ports 500 and 4500 of the connected PC station.

This means: The IP address 192.168.2.7 of the PC station is entered as the forwarding target on the standard DSL router A. Figure 3-1 Port forwarding for standard DSL router A (callout: IP address of PC station)

3.2 Configuration of the standard DSL router B (connected to SCALANCE S)

On the standard DSL router B, port forwarding has to be set up so that UDP packets from the internet addressed to ports 500 and 4500 of the router are sent to ports 500 and 4500 of the connected SCALANCE S 61x module.

This means: The external IP address 192.168.2.5 of the SCALANCE S 61x module is entered as the forwarding target on the standard DSL router B. Figure 3-2 Port forwarding for standard DSL router B (callout: external IP address of SCALANCE S 61x)


4 Configuration of the IPsec Channel Using the Microsoft Management Console

Use the Microsoft Management Console (MMC) for configuring the IPsec tunnel in the PC station.

Open the MMC via the Windows START menu “Run...” with the “mmc” command. Figure 4-1 Opening Microsoft Management Console

4.1 Adding snap-ins

At first the following snap-ins are inserted into the MMC console root via the “File > Add/Remove Snap-in...” menu:

• IP Security Monitor

• IP Security Policy Management

• Services

The “Add/Remove Snap-in” window opens. Select the “Add...” button to go to the “Add Standalone Snap-in” window. In this window, select the corresponding snap-in and add it using the “Add” button.


Figure 4-2 Adding snap-in

In the “Add Standalone Snap-in” window, select the “IP Security Monitor” snap-in and add it using the “Add” button. Figure 4-3 Adding “IP Security Monitor” snap-in


Subsequently, add the “IP Security Policy Management” snap-in. You indicate the local computer when selecting the computer or domain to be managed. Figure 4-4 Adding “IP Security Policy Management” snap-in

You also specify the local computer during the selection of the computer to be managed when adding the “Services” snap-in. Figure 4-5 Adding “Services” snap-in

After adding the necessary snap-ins, exit the “Add Standalone Snap-in” window by selecting the “Close” button and the “Add/Remove Snap-in” window by selecting the “OK” button.

The added snap-ins are now included in the console root of the MMC so that a new IP security policy can be created.


Figure 4-6 Console root with inserted snap-in

4.2 Creating IP security policy

To create a new IP security policy, select the “IP Security Policies on Local Computer” snap-in in the console root and create a new IP security policy via the “Action > Create IP Security Policy...” menu. Figure 4-7 Creating IP security policy

The wizard for creating a new IP security policy opens. At first name the new IP security policy. In this example, the name is “VPNtunnel_PC_ScalanceS”. Figure 4-8 Naming IP security policy


In the next step, deactivate the default response rule since the authentication method will be defined later.

In the last step, the “Edit properties” option is activated to be able to edit and configure the IP security policy. Figure 4-9 Deactivating default response rule and activating “Edit properties”

4.3 Adding or editing security methods

After exiting the IP Security Policy Wizard by selecting “Finish”, the Properties window of the just created “VPNtunnel_PC_ScalanceS” IP security policy is displayed. In this window, the policy is configured and edited.

At first configure the key exchange settings between PC station and SCALANCE S.

In the Properties window of the “VPNtunnel_PC_ScalanceS” IP security policy, select the “General” tab.

Select the “Advanced...” button to go to the “Key Exchange Settings” window. In this window, use the “Methods…” button to add or edit the security methods (encryption and integrity) that are supported during the authentication.

The following security methods are to be supported during the authentication:

Table 4-1 Security methods

Encryption   Integrity   Diffie-Hellman
3DES         SHA1        Low
3DES         SHA1        Medium
DES          MD5         Low
DES          MD5         Medium
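The negotiation that Tables 1-1, 1-2 and 4-1 describe, as an added Python model (not Siemens code and not part of the original FAQ): the PC station offers the four key exchange security methods of Table 4-1 in list order, the SCALANCE S side accepts only the IKE parameters of Table 1-1, and the phase 2 ESP transform of Table 1-2 is compared. The mapping of the Windows group names “Low (1)” and “Medium (2)” to Diffie-Hellman groups 1 and 2, the first-match responder behaviour, and the list of algorithms flagged as obsolete are assumptions of this example.

```python
"""IKE phase 1 / ESP phase 2 proposal matching between the Windows XP IPsec
policy of this FAQ and the SCALANCE S side. Added example, not Siemens code.
Proposal lists are transcribed from Table 1-1, Table 1-2 and Table 4-1; the
Windows names "Low (1)" / "Medium (2)" are mapped to DH groups 1 and 2
(assumed mapping, not stated in the FAQ)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class IkeProposal:
    encryption: str   # "DES", "3DES"
    integrity: str    # "MD5", "SHA1"
    dh_group: int     # 1 = 768 bit (Windows "Low"), 2 = 1024 bit ("Medium")


# Table 4-1: security methods offered by the PC station, in the order they
# appear in the MMC "Key Exchange Security Methods" list.
PC_OFFERS = [
    IkeProposal("3DES", "SHA1", 1),   # 3DES / SHA1 / Low
    IkeProposal("3DES", "SHA1", 2),   # 3DES / SHA1 / Medium
    IkeProposal("DES", "MD5", 1),     # DES / MD5 / Low
    IkeProposal("DES", "MD5", 2),     # DES / MD5 / Medium
]

# Table 1-1: IKE parameters configured on the SCALANCE S 61x side.
SCALANCE_ACCEPTS = [IkeProposal("3DES", "SHA1", 2)]

# Phase 2 ESP transform: section 4.4.2 on the PC, Table 1-2 on the SCALANCE S.
PC_ESP = {"integrity": "SHA1", "encryption": "3DES"}
SCALANCE_ESP = {"integrity": "SHA1", "encryption": "3DES"}

# Algorithms a defender treats as obsolete when auditing such a policy
# (constructed audit list, not from the FAQ).
WEAK = {"encryption": {"DES"}, "integrity": {"MD5"}, "dh_group": {1}}


def negotiate_phase1(offers, accepts):
    """IKEv1 main mode as modelled here: the responder takes the first proposal
    in the initiator's order that it is configured to accept, else None."""
    for proposal in offers:
        if proposal in accepts:
            return proposal
    return None


def negotiate_phase2(initiator_esp, responder_esp):
    """ESP transform match: integrity and encryption must both agree."""
    return initiator_esp if initiator_esp == responder_esp else None


def audit_offers(offers):
    """Proposals the initiator would still accept from a responder that
    negotiates down, i.e. the entries worth deleting from the MMC list.
    Returns a list of (proposal, [reasons])."""
    flagged = []
    for p in offers:
        reasons = []
        if p.encryption in WEAK["encryption"]:
            reasons.append(f"encryption {p.encryption}")
        if p.integrity in WEAK["integrity"]:
            reasons.append(f"integrity {p.integrity}")
        if p.dh_group in WEAK["dh_group"]:
            reasons.append(f"DH group {p.dh_group}")
        if reasons:
            flagged.append((p, reasons))
    return flagged


if __name__ == "__main__":
    print("phase 1 agreed on:", negotiate_phase1(PC_OFFERS, SCALANCE_ACCEPTS))
    print("phase 2 agreed on:", negotiate_phase2(PC_ESP, SCALANCE_ESP))
    for p, reasons in audit_offers(PC_OFFERS):
        print("weak offer:", p, "->", ", ".join(reasons))
```

Running it shows the tunnel coming up on the second list entry (3DES/SHA1/Medium); the first entry is refused because the SCALANCE S side expects DH2, and the two DES/MD5 entries only widen what a responder can negotiate down to.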


Figure 4-10 Key exchange settings

After configuring the key exchange settings, the IP security rules are defined. A total of two IP security rules are defined. The first IP security rule determines the data traffic from the PC station to the network that is protected by the SCALANCE S module. The second IP security rule determines the data traffic from the network protected by the SCALANCE S module to the PC station.

4.4 Adding security rule for the data traffic from the PC station to the SCALANCE S 61x module

To add the first IP security rule, select the “Rules” tab of the IP security policy Properties window. The “Add…” button is used to add a new IP security rule. The New Rule Properties window opens.


Figure 4-11 Adding IP security rule

4.4.1 Creating IP filter

The IP filter determines the data traffic of an IP security rule.

In the New Rule Properties window in the “IP Filter List” tab, use the “Add…” button to create a new IP filter. Figure 4-12 Creating IP filter


The new IP filter is named “channel_from_PC_to_SCALANCE”. Select the “Add...” button to go to the Filter Properties window. The data traffic direction is defined here. Since the first IP security rule determines the data traffic from the PC station to the network that is protected by the SCALANCE S module, enter the following parameters:

• Source address: IP address of the PC station

• Destination address: Subnet connected to the internal SCALANCE S PORT

The “Mirrored. Also match packets with the exact opposite source and destination addresses” option is deactivated. A second security rule with corresponding IP filter determining the data traffic from the SCALANCE S module to the PC will be added later. Figure 4-13 Defining name and properties of the IP filter

The “channel_from_PC_to_SCALANCE” IP filter is now included in the IP filter list. Select the “channel_from_PC_to_SCALANCE” IP filter and subsequently select the “Filter Action” tab in the New Rule Properties window to add a new filter action and to assign it to the IP filter.


Figure 4-14 Selecting IP filter

4.4.2 Creating and assigning filter action

Use the “Add...” button to go to the New Filter Action Properties window.

Since no security method exists yet for this filter action, one has to be created. In the New Filter Action Properties window in the “Security Methods” tab, activate the “Negotiate security:” option and select the “Add…” button. Figure 4-15 Creating filter action


Create a user-defined security method. Make the following settings for your user-defined security method with data integrity and encryption:

• Integrity algorithm: SHA1

• Encryption algorithm: 3DES

Figure 4-16 Security method settings

After creating the user-defined security method with the corresponding settings, this method is visible in the New Filter Action Properties window in the “Security Methods” tab. The newly created security method is applied to the filter action. Figure 4-17 Applying security method


In the New Filter Action Properties window, select the “General” tab. Name the filter action, e.g. “IPSec Configuration”, and apply this name. Figure 4-18 Naming filter action

Subsequently, in the New Rule Properties window in the “Filter Action” tab, select the “IPSec Configuration” filter action. Figure 4-19. Selecting filter action


4.4.3 Defining authentication method

Now define the preshared key authentication method. In the New Rule Properties window, select the “Authentication Methods” tab. In this example, the preshared key is “scalance”. Figure 4-20 Configuring authentication method

Finally the authentication method is applied to the security rule. Figure 4-21 Applying authentication method


4.4.4 Defining tunnel settings

The standard DSL router B, which is connected to the external SCALANCE S port, has a fixed external IP address known on the internet and is located on the passive side of the IPsec tunnel.

This means: The fixed external IP address of the standard DSL router B is the tunnel endpoint for the PC station. The standard DSL router B now has to send the UDP packets from the internet, which are addressed to ports 500 and 4500 of the router, to ports 500 and 4500 of the connected SCALANCE S module.

Define the tunnel endpoint in the Edit Rule Properties window in the “Tunnel Setting” tab. Enter the fixed external IP address 217.91.8.166 of the standard router B for the tunnel endpoint. Figure 4-22 Defining tunnel endpoint (callout: fixed external IP address of the standard router B)

After defining the tunnel endpoint and applying it to the IP security rule, exit the Edit Rule Properties window by selecting the “OK” button.

The Properties window of the “VPNtunnel_PC_ScalanceS” IP security policy is displayed.

The second IP security rule for the data traffic from the network protected by the SCALANCE S module to the PC station is now created.


4.5 Adding security rule for the data traffic from the SCALANCE S 61x module to the PC station

In the Properties window of the “VPNtunnel_PC_ScalanceS” IP security policy, use the “Add…” button to create the second IP security rule. Figure 4-23 Adding security rule

4.5.1 Creating IP filter

The New Rule Properties window opens. In the “IP Filter List” tab, use the “Add…” button to create a new IP filter. This filter determines the data traffic of the second security rule.


Figure 4-24 Creating IP filter

The IP filter is named “channel_from_SCALANCE_to_PC”. Select the “Add...” button to go to the Filter Properties window. The data traffic direction is defined here. Since the second IP security rule determines the data traffic from the network that is protected by the SCALANCE S module to the PC station, enter the following parameters:

• Source address: Subnet connected to the internal SCALANCE S PORT

• Destination address: IP address of the PC station

The “Mirrored. Also match packets with the exact opposite source and destination addresses” option is deactivated. A separate security rule exists for the data traffic from the PC to the SCALANCE S module.


Figure 4-25 Defining name and properties of the IP filter

The “channel_from_SCALANCE_to_PC” IP filter is now included in the IP filter list. Select the “channel_from_SCALANCE_to_PC” IP filter and subsequently select the “Filter Action” tab in the New Rule Properties window to assign the already defined “IPSec Configuration” filter action to the IP filter. Figure 4-26 Selecting IP filter

4.5.2 Assigning filter action

In the “Filter Action” tab of the New Rule Properties window, the “IPSec Configuration” filter action is selected.


Figure 4-27 Selecting filter action

4.5.3 Authentication method

Now define the authentication method for the second security rule as described in chapter 4.4.3.

4.5.4 Defining tunnel settings

The PC station initiates the establishment of the IPsec tunnel.

This means: The IP address of the PC station is the tunnel endpoint for the SCALANCE S module.

Define the tunnel endpoint in the New Rule Properties window in the “Tunnel Setting” tab. Enter the IP address 192.168.2.7 of the PC station for the tunnel endpoint.


Figure 4-28 Defining tunnel setting (IP address of the PC station)

After defining the tunnel endpoint, exit the New Rule Properties window by selecting the “OK” button.

The Properties window of the “VPNtunnel_PC_ScalanceS” IP security policy is displayed.

Select the two security rules created above and apply the selection:

• channel_from_PC_to_SCALANCE

• channel_from_SCALANCE_to_PC


Figure 4-29 Selecting security rules

Use the “Close” button to exit the Properties window of the “VPNtunnel_PC_ScalanceS” IP security policy.

Subsequently, configure SCALANCE S 61x V2.1 using the Security Configuration Tool V2.1.


5 SCALANCE S 61x Configuration

The SCALANCE S 61x V2.1 module is configured using the Security Configuration Tool V2.1.

Open the Security Configuration Tool (SCT) via the Windows START menu -> SIMATIC -> SCALANCE -> Security.

After creating a new project in the SCT, insert one module of the S612 V2 type and one of the MD740-1 type via the Insert Module menu. The module of the MD740-1 type is inserted to model the part of the configuration that is created by the standard DSL router A and the PC station.

Figure 5-1 Inserting module

The external IP address 192.168.2.5 in subnet 255.255.255.0 is assigned to the SCALANCE S module. In addition, you have to enter the MAC address of SCALANCE S in the SCT.

The standard DSL router B is the gateway for SCALANCE S. For this reason, the internal IP address 192.168.2.1 of the standard DSL router B is specified for the default gateway of the S612 V2 module.

The external and internal IP addresses of the standard DSL router A are entered for the module of the MD740-1 type. In this example, the external IP address of the standard DSL router A is 217.91.50.138. The internal IP address of the standard DSL router A is 192.168.2.1.

In addition, the module names “SCALANCE” and “RouterA” are assigned.

Figure 5-2 Inserted modules


Select the “View” menu and activate “Advanced Mode”.

Figure 5-3 Activating Advanced Mode

Activate the routing mode for the SCALANCE S module in the “Routing Modus” tab of the “SCALANCE” Module Properties window. Enter the internal IP address 140.80.0.2 and the subnet mask 255.255.0.0 of SCALANCE S.

Figure 5-4 Activating Routing Modus


Subsequently, create a new group by selecting Insert Group.

Figure 5-5 Group

Use drag & drop to assign the two modules of the type S612 V2 and MD740-1 to this group.

Figure 5-6 Assigning modules to group (drag & drop)

In the Group Properties, make the settings for authentication and security method.

The settings for authentication and security method are made analogously to the configuration in the MMC, i.e.:

• Enter the preshared key “scalance”.

• Enter the integrity algorithm “SHA1” for phase 1 and 2 of the data exchange via IPsec.

• Enter the encryption algorithm “3DES” for phase 1 and 2 of the data exchange via IPsec.


Figure 5-7 Group properties

In the “VPN” tab of the “SCALANCE” Module Properties window, make the settings for establishing the VPN tunnel.

SCALANCE S 61x V2.1 is parameterized as a passive module. In addition, you have to enter a fixed external IP address of the connected standard DSL router via which the active module initiates the tunnel establishment. In this example, enter the fixed external IP address 217.91.8.166 of the standard DSL router B.
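The tunnel only comes up if the values entered in the MMC (chapter 4, in particular the tunnel endpoints of 4.5.4) and in the SCT group and VPN properties (chapter 5) mirror each other exactly. The following Python script is an added example, not part of the FAQ, the MMC or the SCT: it models both ends with the addresses and parameters given in this document (PSK “scalance”, SHA1 and 3DES for phase 1 and 2, PC station 192.168.2.7 behind router A 217.91.50.138, SCALANCE S 192.168.2.5 behind router B 217.91.8.166) and reports the mismatches that most often keep the tunnel from being established. The data model, the field names and the assumption that each side's remote endpoint is the other side's router address after NAT are this example's own; the FAQ itself shows the values only in the two GUIs.

```python
"""Consistency check for the two ends of the PC station <-> SCALANCE S IPsec tunnel.

Added example (not Siemens code). Addresses and algorithms are the ones used in
the FAQ; the IpsecPeer model and check functions are assumptions of this example.
"""
import ipaddress
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class IpsecPeer:
    name: str
    role: str              # "active" initiates the tunnel, "passive" waits for it
    local_address: str     # address on the peer's own external interface
    public_address: str    # address the other side sees after the DSL router's NAT
    remote_endpoint: str   # where this peer expects the other tunnel end to be
    preshared_key: str
    phase1: tuple          # (encryption, integrity) for IKE phase 1
    phase2: tuple          # (encryption, integrity) for IPsec phase 2


def _valid_ipv4(addr: str) -> bool:
    try:
        ipaddress.IPv4Address(addr)
        return True
    except ValueError:
        return False


def check_peer_pair(a: IpsecPeer, b: IpsecPeer) -> list:
    """Return the mismatches that would prevent the tunnel from being established."""
    errors = []
    for peer in (a, b):
        for field_name in ("local_address", "public_address", "remote_endpoint"):
            if not _valid_ipv4(getattr(peer, field_name)):
                errors.append(f"{peer.name}: {field_name} is not a valid IPv4 address")
    if {a.role, b.role} != {"active", "passive"}:
        errors.append("exactly one peer must be active and one passive")
    if a.preshared_key != b.preshared_key:
        errors.append("preshared keys differ")
    for phase in ("phase1", "phase2"):
        if getattr(a, phase) != getattr(b, phase):
            errors.append(f"{phase} proposals differ: {getattr(a, phase)} vs {getattr(b, phase)}")
    # Each side must point at the address the other side presents after NAT.
    if a.remote_endpoint != b.public_address:
        errors.append(f"{a.name} expects {a.remote_endpoint}, but {b.name} appears as {b.public_address}")
    if b.remote_endpoint != a.public_address:
        errors.append(f"{b.name} expects {b.remote_endpoint}, but {a.name} appears as {a.public_address}")
    return errors


def legacy_algorithm_notes(peer: IpsecPeer) -> list:
    """Informational only: the FAQ's 3DES/SHA1 choice is a legacy proposal today."""
    notes = []
    for phase in ("phase1", "phase2"):
        enc, integ = getattr(peer, phase)
        if enc.upper() == "3DES":
            notes.append(f"{peer.name} {phase}: 3DES is a legacy cipher")
        if integ.upper() == "SHA1":
            notes.append(f"{peer.name} {phase}: SHA1 is a legacy integrity algorithm")
    return notes


# Values from the FAQ; the PC station is the active side (MMC policy), SCALANCE S the passive one.
PC_STATION = IpsecPeer(
    name="PC station (MMC policy VPNtunnel_PC_ScalanceS)",
    role="active",
    local_address="192.168.2.7",
    public_address="217.91.50.138",   # external address of DSL router A
    remote_endpoint="217.91.8.166",   # external address of DSL router B (assumed as tunnel endpoint)
    preshared_key="scalance",
    phase1=("3DES", "SHA1"),
    phase2=("3DES", "SHA1"),
)

SCALANCE_S = IpsecPeer(
    name="SCALANCE S612 V2 (SCT group, VPN tab)",
    role="passive",
    local_address="192.168.2.5",
    public_address="217.91.8.166",    # fixed external address of DSL router B
    remote_endpoint="217.91.50.138",  # external address of DSL router A (assumed)
    preshared_key="scalance",
    phase1=("3DES", "SHA1"),
    phase2=("3DES", "SHA1"),
)


def mismatched_key_example() -> list:
    """The typical field error: the key was retyped with a different spelling on one side."""
    wrong = replace(SCALANCE_S, preshared_key="Scalance")
    return check_peer_pair(PC_STATION, wrong)


if __name__ == "__main__":
    for line in check_peer_pair(PC_STATION, SCALANCE_S) or ["no mismatches between PC station and SCALANCE S"]:
        print("CHECK:", line)
    for line in legacy_algorithm_notes(PC_STATION):
        print("NOTE:", line)
    for line in mismatched_key_example():
        print("CHECK (retyped key):", line)
```

Running the script with the FAQ's values reports no mismatches and four legacy notes; the `mismatched_key_example` call shows how a single differing character in the preshared key is reported before anything is loaded into the module.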


Figure 5-8 Module Properties “VPN” tab

To complete the SCALANCE S configuration, transfer the configuration data from the Security Configuration Tool to the SCALANCE S 61x V2.1 module. In “All Modules”, select the corresponding module of the S612 V2 type and use the “Load” button.

Figure 5-9 Loading the configuration into the SCALANCE S 61x module


6 Establishing VPN Tunnel

6.1 Checking IPsec services

After configuring the IPsec tunnel using the MMC and the Security Configuration Tool, the VPN tunnel between PC station and SCALANCE S can be established via the internet. It is required that the “IPSEC Services” service is started and active. This can be checked in the Microsoft Management Console. In the MMC console root, select the “Services (Local)” snap-in. You see an overview of the services provided by your PC station. In this overview, search for “IPSEC Services”.

Figure 6-1 IPSEC Services

Now double-click “IPSEC Services”. The IPSEC Services Properties window opens.

In the “General” tab, check the service status. The service status must be “Started”.


Figure 6-2 IPSEC Services Properties window, “General” tab

In the “Log On” tab, you can check whether the “IPSEC Services” service is activated on your PC station.

Figure 6-3 IPSEC Services Properties window, “Log On” tab
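The same check can be scripted instead of clicking through the Services snap-in. The following Python snippet is an added example, not part of the FAQ: it assumes that the service shown as “IPSEC Services” is the Windows service named PolicyAgent and parses the listing printed by `sc query PolicyAgent`; the two sample listings are constructed so the parser can be exercised offline.

```python
"""Scripted version of the chapter 6.1 check: is the IPSEC Services service started?

Added example (not Siemens code). Assumes the service name PolicyAgent and the
text layout of `sc query`; RUNNING_SAMPLE and STOPPED_SAMPLE are constructed.
"""
import re
import subprocess

# The STATE line of an `sc query` listing, e.g. "STATE : 4  RUNNING".
STATE_RE = re.compile(r"^\s*STATE\s*:\s*(\d+)\s+(\w+)", re.MULTILINE)

SERVICE_RUNNING = 4   # Win32 service state codes: 1 = STOPPED, 4 = RUNNING


def service_state(sc_output: str):
    """Return (state_code, state_name) from an `sc query` listing, or None if absent."""
    match = STATE_RE.search(sc_output)
    if match is None:
        return None
    return int(match.group(1)), match.group(2)


def ipsec_service_started(sc_output: str) -> bool:
    """True only when the listing shows the service in the RUNNING state."""
    state = service_state(sc_output)
    return state is not None and state[0] == SERVICE_RUNNING


def query_ipsec_service() -> str:
    """Run the real query on the PC station (Windows only; not used by the offline samples)."""
    return subprocess.run(["sc", "query", "PolicyAgent"], capture_output=True, text=True).stdout


# Constructed sample listings in the layout printed by `sc query`.
RUNNING_SAMPLE = """SERVICE_NAME: PolicyAgent
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
"""

STOPPED_SAMPLE = """SERVICE_NAME: PolicyAgent
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 1  STOPPED
        WIN32_EXIT_CODE    : 0  (0x0)
"""


if __name__ == "__main__":
    for label, sample in (("running sample", RUNNING_SAMPLE), ("stopped sample", STOPPED_SAMPLE)):
        print(label, "->", service_state(sample), "started:", ipsec_service_started(sample))
```

On the PC station itself, `ipsec_service_started(query_ipsec_service())` performs the check of Figure 6-2 without the GUI; if it returns False, start the service before assigning the policy in chapter 6.2.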


6.2 Establishing IPsec tunnel

The establishment of the IPsec tunnel between the PC station with Windows XP SP2 and the SCALANCE S61x V2.1 module is initiated using the MMC. In the MMC console root, select the “IP Security Policies on Local Computer” snap-in. Now select the “VPNtunnel_PC_ScalanceS” IP security policy and assign it to the PC station by selecting Action “Assign”.

Figure 6-4 Assigning IP security policy to the PC station

6.3 Checking IPsec tunnel status

When the IPsec tunnel between the PC station and the SCALANCE S module has been established via the internet, the protected automation cell (CP 343-1) can be accessed from the PC station, i.e.

• You can access SCALANCE S 61x V2.1 online using the Security Configuration Tool. To do this, use the “Online” button. If this online access has been successful, you can access the SCALANCE S 61x module via the VPN tunnel. In the Online View of the “SCALANCE” module “Communication Status” tab, the “enabled” tunnel status is displayed.

Figure 6-5 Online access to SCALANCE S 61x V2.1 using SCT


Figure 6-6 IPsec tunnel status

• A ping can be sent from the PC station to the IP address of the CP 343-1. In addition, a ping can be sent to the internal IP address of the SCALANCE S 61x module.

• In STEP 7, you can use the PG/OP functions for the online access to the S7-300 controller so that you can load the STEP 7 project or the configuration into the CPU of the S7-300 controller or read out the CPU diagnostics buffer.

Note: Layer 2 protocols such as the “Accessible Nodes” function in STEP 7 are not possible via the VPN tunnel. A firewall that is additionally installed on the PC may cause problems.

ATTENTION: This configuration was tested on several standard PCs with Windows XP SP2. It cannot be guaranteed that this example works correctly in all PC configurations.


7 History

Version Date Modification

V 1.0 First edition