configuration 9 application february 2011 - siemens · 2015. 1. 19. · application examples and...


Post on 25-Mar-2021


Applications & Tools

Answers for industry.

Secure Remote Access to SIMATIC Stations via Internet using EGPRS Router MD741-1 and SCALANCE S612

Configuration 9

Application February 2011

SIMATIC NET Configuration 9
V2.1, Entry-ID: 24960449

Copyright Siemens AG 2011 All rights reserved

Industry Automation and Drive Technologies Service & Support Portal

This article is taken from the Service Portal of Siemens AG, Industry Automation and Drive Technologies. The following link takes you directly to the download page of this document.

http://support.automation.siemens.com/WW/view/en/24960449

If you have any questions concerning this document please e-mail us to the following address:

[email protected]


SIMATIC RemoteAccess_GPRS

1 Automation Task
2 Automation Solution
3 Function Principle
4 Configuration and Startup
5 Remote Access Scenarios
6 Modifications & Tips
7 Related Literature
8 History


Warranty and Liability

Note The Application Examples are not binding and do not claim to be complete regarding the circuits shown, equipping and any eventuality. The Application Examples do not represent customer-specific solutions. They are only intended to provide support for typical applications. You are responsible for ensuring that the described products are used correctly. These application examples do not relieve you of the responsibility to use safe practices in application, installation, operation and maintenance. When using these Application Examples, you recognize that we cannot be made liable for any damage/claims beyond the liability clause described. We reserve the right to make changes to these Application Examples at any time without prior notice. If there are any deviations between the recommendations provided in these application examples and other Siemens publications – e.g. Catalogs – the contents of the other documents have priority.

We do not accept any liability for the information contained in this document.

Any claims against us – based on whatever legal reason – resulting from the use of the examples, information, programs, engineering and performance data etc., described in this Application Example shall be excluded. Such an exclusion shall not apply in the case of mandatory liability, e.g. under the German Product Liability Act (“Produkthaftungsgesetz”), in case of intent, gross negligence, or injury of life, body or health, guarantee for the quality of a product, fraudulent concealment of a deficiency or breach of a condition which goes to the root of the contract (“wesentliche Vertragspflichten”). The damages for a breach of a substantial contractual obligation are, however, limited to the foreseeable damage, typical for the type of contract, except in the event of intent or gross negligence or injury to life, body or health. The above provisions do not imply a change of the burden of proof to your detriment.

Any form of duplication or distribution of these Application Examples or excerpts hereof is prohibited without the expressed consent of Siemens Industry Sector.


Table of Contents

Warranty and Liability
1 Automation Task
2 Automation solution
  2.1 Overview
  2.2 Setup
  2.3 Required Hardware and Software Components
3 Function Principle
  3.1 Radio method
  3.2 EGPRS router MD741-1
  3.3 SCALANCE S
  3.4 Security
    3.4.1 VPN tunnel
  3.5 Estimating the data volume
4 Configuration and Startup
  4.1 Hardware configuration / structural setup
  4.2 Installation of the software
  4.3 Install example project
  4.4 Configuring the DSL Router
  4.5 Configuration of the central service station
  4.6 Configuring the remote stations
    4.6.1 Changing the IP address of the component
    4.6.2 Remote Station 1
    4.6.3 Remote Station 2
  4.7 Configuring VPN tunnel
  4.8 Configuring the MD741-1
    4.8.1 MD741-1 of Remote Station1
    4.8.2 MD741-1 of Remote Station2
  4.9 Final configuration
5 Remote Access Scenarios
  5.1 Diagnostic scenario 1 for remote station 1 (S7 communication)
  5.2 Diagnostic scenario 2 for remote station 1 (access to panel using WinCC flexible)
  5.3 Diagnostic scenario 3 for remote station 1 (SOAP)
  5.4 Diagnostic scenario 4 for remote station 1 (IP-CP standard page)
  5.5 Diagnostic scenario 5 for remote station 2 (S7 routing)
  5.6 Diagnostic scenario 6 for remote station 1 (S7 routing process devices)
  5.7 Diagnostic scenario 7 for remote station 2 (OPC access)
6 Modifications and Tips
  6.1 Add remote station
  6.2 Use the PG/PC from the LAN of the SCALANCE S to access the internet
  6.3 Use the PG/PC from the LAN of the MD741-1 to access the internet
  6.4 Maximum number of remote stations
  6.5 Notes/ tips on planning the IP addresses
7 Related Literature
  7.1 Bibliography
  7.2 Internet Link Specifications
8 History


1 Automation Task

Introduction

Remote diagnosis and remote maintenance of production facilities have become an integral part of modern automation technology. In terms of workload, time and the corresponding costs they are significantly more efficient than sending service employees around the world. Errors are detected and removed much more quickly. This reduces machine downtimes and increases their availability.

Optimal remote maintenance, even for plants which are difficult to reach or widely distributed, is based on reliable, always available, secured and cost-efficient data connections. Today’s radio technologies paired with broadband internet connections are increasingly used for this task.

Automation task

With this configuration we show you typical remote access scenarios to distributed S7 stations via a secured EGPRS or GPRS-based internet connection.

Several SIMATIC Remote stations with devices which are accessible via Ethernet (S7-CPUs, HMI device, Ethernet CPs) are connected with a central service station by means of a wireless transmission medium.

Via this connection, a PG/PC in the central service station shall perform all of the functions a cable-based PG can also perform (e.g. all standard diagnosis functions, upload and download of programs, HMI control of states, OPC, etc.).

Figure 1-1: Central service station and distributed plants (remote S7 stations 1, 2 ... N), linked by secured connections via DSL, the internet and EGPRS/GPRS.


2 Automation solution

2.1 Overview

As the main SIMATIC components, this solution uses the EGPRS Router SINAUT MD741-1 in the stations and the security module SCALANCE S612 in the central station.

These two components establish IPSec-based tunnel connections between

• a central service station, connected to the internet via DSL (broadband)
• several remote stations connected to the internet via EGPRS or GPRS.

The following figure illustrates an overview of the realized solution in this configuration:

Figure 2-1: Overview of the solution. Labels in the figure: central service station (PG/PC with STEP 7, SCALANCE S61x, DSL router), ISP, internet, EGPRS provider A, EGPRS provider B, VPN tunnel 1, VPN tunnel 2, remote station 1 and remote station 2 (each with an MD 741-1), S7 station 1 (S7 CPU & IE-CP), HMI panel, S7 station 2 (S7 CPU (PN)), S7 station 3 (S7 CPU with PB and IE-CP), SIMOCODE, S7-CPU & IE-CP, I-Slave, PB, IE.

Via the PG/PC in the central service station, using the STEP 7 standard software and the appropriate STEP 7 project of the respective remote station to be maintained,

• all online system diagnostic functions can be performed as for the cable-based IE-LAN (diagnostic buffer of the CPU, module state, operating mode, monitoring/control, etc.),


• variables can be monitored and controlled (variable table and OPC),
• program states can be monitored and
• download/upload of STEP 7 programs can be performed.

Via a standard web browser on the service PG/PC

• using Smart@Service of WinCC flexible
  – the mask of the HMI project can be accessed (operator control and monitoring)
  – the WinCC flexible project can be downloaded
  – the state of the panel can be diagnosed
• WinCC flexible variables can be accessed using a SOAP connection
• all existing web servers in the stations can be accessed
  – e.g. CP343-1 advanced (WebServer, FTP-Server/Client)

Additionally this example explains

• the necessary basic terms on EGPRS, GPRS technology and security aspects
• the produced data volume to be expected in this configuration
• in detail, all configuration steps necessary to initiate a VPN tunnel between the EGPRS router MD741-1 and the security module SCALANCE S612.

2.2 Setup

The figure below shows the hardware setup of this Configuration 9.

Configuration of the central service station

Figure 2-2: Central service station. Labels in the figure: PC/PG (STEP 7, SIMATIC Manager, SIMATIC PDM, web browser, OPC server/client), IE standard cable, SCALANCE S612 (security module as VPN router), IE standard cable, DSL router + modem (xDSL internet connection with fixed IP address).

The central station consists of a standard Windows PC/PG. Via the integrated Ethernet interface the PC is connected with the internal (safe) port 1 of the SCALANCE S612 and the external (unsafe) port is connected with a DSL router.


The STEP 7 software, the SINAUT PDM Process Device Manager, a standard web browser and the SIMATIC NET OPC server are installed on the PG/PC.

Configuration of Remote Station 1

Figure 2-3: Remote station 1. Labels in the figure:
• MD741-1: (E)GPRS router and VPN router with SIM card of the provider
• SCALANCE X208
• SIMATIC Station1: PS307 5A, CPU 315-2 PN/DP
• SIMATIC Station2: PS 307 5A, CPU 315-2 DP, CP 343-1 Advanced
• SIMATIC Station3: PS 405 10A, CPU 416-2DP, CP 443-1 IT, CP 445-3 Ext.
• TP277 6'': HMI panel for visualization
• SIMOCODE pro: motor management system
• Connections: IE standard cable, PB

Remote station 1 consists of two SIMATIC S7-300 stations with an HMI operator panel, a SIMATIC S7-400 station, one SIMOCODE pro motor management system as well as an EGPRS/GPRS router MD741-1.

The SIMATIC S7-400 station is connected

• via a PROFIBUS CP443-5Ext with the SIMOCODE pro V device
• via the Ethernet CP443-1 IT with the SCALANCE X208.

All components are interconnected via a SCALANCE X208, using the integrated Ethernet interface or Ethernet CPs.


Configuration of remote station 2

Figure 2-4: Remote station 2. Labels in the figure:
• MD741-1: (E)GPRS router and VPN router with SIM card of the EGPRS provider
• SIMATIC Station: PS307 5A, CPU 315-2 DP, CP343-1 Lean
• I-Slave ET 200S: IM151-7 CPU, PM-E DC24V, 4DI HF DC24, 4DO DC24V/0.5A
• optional: PC/PG with OPC server
• Connections: IE standard cable, PB cable

Remote station 2 consists of a SIMATIC station, a distributed I/O with intelligent interface module and an EGPRS/GPRS router MD741-1. The SIMATIC station is connected

• via the PROFIBUS interface of the CPU with the ET200S (IM151-7 CPU)
• via the integrated Ethernet interface of the CP343-1 Lean with the EGPRS/GPRS router MD741-1.

For the diagnostic scenario with OPC server on site, an additional PC/PG can be integrated into the Industrial Ethernet network using a SCALANCE X208.


Advantage of this solution

• Optimized service of remote plants
• Outstations can be reached worldwide
• All remote stations can be parameterized and diagnosed using standard STEP7 means
• High availability of the communication due to standardized mobile communication and internet technology
• EGPRS/GPRS and internet ensure short transmission times
• Cost-effective data transmission due to payment based on data volumes
• VPN functionality enables a secure, protected and encrypted data connection via the IPSec standard.
• High security by means of integrated firewall
• Simple and user-friendly configuration of the VPN tunnels using the Security Configuration Tool.


2.3 Required Hardware and Software Components

SIMATIC and SIMOCODE components

Table 2-1

Component | Qty. | MLFB / Order number | Note
CPU 315-2 DP | 2 | 6ES7315-2AG10-0AB0 |
CPU315-2 PN/DP | 1 | 6ES7315-2EH13-0AB0 |
CP343-1 Advanced | 1 | 6GK7343-1GX21-0XE0 |
CP343-1 lean | 1 | 6GK7343-1CX10-0XE0 |
Power supply PS307 5A | 3 | 6ES7307-1EA00-0AA0 |
Micro Memory Card | 3 | 6ES7 953-8LF11-0AA0 | At least 64 kB
IM151-7 CPU | 1 | 6ES7151-7AA10-0BA0 | ET200S module
Power module for ET200S PM-E DC24V | | 6ES7138-4CA01-0AA0 | ET200S module
Digital input module for ET200S | | 6ES7131-4BD01-0AB0 | 4 DI HF DC24V
Digital output module for ET200S | | 6ES7132-4BD01-0AB0 | 4 DO DC24V/0.5A
PG | 1 | 6ES7712-XXXXX-XXXX | Configurator
Touch Panel TP277 | 1 | 6AV6643-0AA01-1AX0 |
License for Sm@rtService | 1 | 6AV6618-7BB01-1AB0 |
S7-400 UR2 Rack | 1 | 6ES7400-1JA00-0AA0 |
CPU 416-2DP | 1 | 6ES7416-2XK02-0AB0 |
CP 443-1 IT | 1 | 6GK7443-1GX11-0XE0 | or CP 443-1 Advanced 6GK7 443-1GX20-0XE0
CP 443-5 Ext | 1 | 6GK7443-5DX03-0XE0 |
Power supply PS 405 10 A | 1 | 6ES7405-0KA00-0AA0 |
SIMOCODE pro V | 1 | 3UF7010-1AU00-0 |

Security

Table 2-2

Component | No. | MLFB / Order number | Note
SCALANCE S612 V2.3 | 1 | 6GK5612-0BA00-2AA3 | Optionally, you can update an existing SCALANCE S V 2.1 to V2.3. See \2\.
Security Configuration Tool V2.2.0.1 | 1 | - | SCT is delivered with SCALANCE S
EGPRS/GPRS router MD741-1 | 2 | 6NH9 741-1AA00 |
ANT 794-4MR | 2 | 6NH9860-1AA00 | Quadband antennae, omnidirectional, with 5m cable
SIM card | 2 | | Station contract with a GSM network operator; enabled for EGPRS


Note You receive the update version V2.2.0.1 of the Security Configuration Tool V 2.1 via your local contact person.

The SCALANCE S V2.3 can be configured with the Security Configuration Tool V 2.2 or higher. The use of the Security Configuration Tool V2.2.0.1 is strongly recommended.

Software

Table 2-3

Component | Qty. | MLFB / Order number | Note
STEP 7 V5.4 SP1 | 1 | 6ES7810-4CC08-0YA5 | Or higher
SIMATIC NET PC Software Edition 2006 | 1 | 6GK1704-1LW64-3AA0 | Optional, if you wish to test the OPC scenario
SIMATIC WinCC flexible 2007 HF4 | 1 | 6AV6612-0AA51-2CA5 |
SIMATIC PDM Software Basic V6.0 SP3 | | 6ES7658-3AX06-0YA5 |
PDM Integration in STEP7 | | 6ES7658-3BX06-2YB5 |
PDM Routing S7-400 | | 6ES7658-3CX06-2YB5 |

LAN components

Table 2-4

Component | Qty. | MLFB / Order number | Note
IE FC TP STANDARD CABLE | 5 | 6XV1840-2AH10 | Connecting line IE minimum length 20m
IE TP XP CORD CABLE | 1 | 6XV1870-3RH20 | Crossed connecting line IE minimum length 2m
PROFIBUS FC Standard Cable | 1 | 6XV1830-0EH10 | Connecting line PB minimum length 20m
Bus connector | 2 | 6ES7972-0BB12-0XA0 |
SCALANCE X208 | 1 | 6GK5208-0BA00-2AA3 |
RJ45 plug-in connector | 10 | 6GK1901-1BB10-2AA0 | Confectionable


Infrastructure

Table 2-5

Component | Qty. | MLFB / Order number | Note
DSL Router + Modem with VPN pass through function (port forwarding) | 1 | | Alternatively router with integrated modem or individually e.g. Netgear RP614GR, Gigaset SE 515
Internet Service Provider | 1 | |
Fixed IP address | 1 | | Contract with your Internet provider


3 Function Principle

This chapter briefly discusses the underlying technologies and principles applied here.

3.1 Radio method

Part of the transmission path in this example runs via the mobile radio service EGPRS or GPRS.

GPRS

The General Packet Radio Service is a mobile radio technology for packet-switched data transmission via the GSM networks (Global System for Mobile Communications). The GSM radio channels are divided into eight time slots. One time slot represents a transmission channel.

Packet-switched data transmission means that, as opposed to circuit-switched data transmission (as for GSM), no transmission channel is reserved permanently. At the sender, the message is divided into individual packets provided with additional information (packet sequence, receiver address). Using the GPRS system, the packets can be sent through different time slots of the network, which enables using free capacities. A GPRS session can also use several time slots in parallel. The receiver then reassembles the packets in the correct order. GPRS enables data traffic without establishing the connection and only charges for the transmitted data volume.

Packet switching is enabled by the IP (Internet Protocol) technology. GPRS is mainly used for access to IP-based networks (e.g. internet).

Data rate for GPRS

To achieve higher data rates during transmission, several time slots can be combined. The highest multislot class (class 12) enables bundling a maximum of five time slots for a device. This means that a maximum of five channels in total can be used simultaneously for uplink and downlink (e.g. 3 channels for uplink and 2 for downlink, or 1 for uplink and 4 for downlink; see table 4-1).

However, a maximum of four channels can be bundled here per direction.

Table 3-1

Downlink | Uplink
1 | 4
2 | 3
3 | 2
4 | 1

Depending on the error protection mechanisms, up to 21.4 kbit/s can be transferred per time slot. The resulting maximum theoretical data rate is 85.6 kbit/s (4 x 21.4 kbit/s). In practice, however, this theoretical value is very rarely reached.

This is on the one hand due to the fact that the number of parallel usable GSM channels varies depending on network load and capability of the mobile device. On the other hand, the data rate is adjusted to the quality of the radio network through channel coding (Coding Schemes/CS). For GPRS the data rate in the individual GSM channel is fixed to 13.4 kbit/s (CS2).


MD741-1 supports the highest multislot class (class 12). This results in a maximum practical data rate of 53.6 kbit/s in uplink (4 GSM channels with CS2) or 53.6 kbit/s in downlink (4 GSM channels with CS2).

EGPRS

The Enhanced General Packet Radio Service (also referred to as EDGE, Enhanced Data Rates for GSM Evolution) is an expansion of GPRS. EGPRS uses a different modulation method (8-PSK) than GPRS, which is more efficient. This enables an up to four times faster data rate for EGPRS.

Data rate for EGPRS

As for GPRS, up to five time slots can be combined with each other at the same time in EGPRS. The maximum data rate per time slot is 59.2 kbit/s. When using up to four time slots for uplink or downlink, the maximum theoretical data rate is 236.8 kbit/s (4 x 59.2 kbit/s).

In practice, however, this theoretical value is not always reached. In Germany most providers use the modulation and coding scheme MCS8 for EGPRS. The data rate per channel established for MCS8 is 54.4 kbit/s.

The data rate also depends on the network load and of course on the capability of the mobile device. The MD741-1 supports the highest multislot class (class 12), at which a maximum of four channels can be used for uplink or four for downlink. This results in a maximum practical data rate of 217.6 kbit/s in uplink (4 GSM channels with MCS8) or 217.6 kbit/s in downlink (4 GSM channels with MCS8).

3.2 EGPRS router MD741-1

The MD741-1 router establishes a secured IP data connection between remote stations and central service station via EGPRS or GPRS.

Basic requirements for operation

For operating the router a SIM card with EGPRS/GPRS service is required which is plugged into the router.

Note The SIM cards activated for the GPRS also support EGPRS. Whether the router logs in at the EGPRS or GPRS network depends on the network coverage of the provider. Information on the network coverage of the provider is mostly available on the internet page of the provider.

The EGPRS router MD741-1 together with the quad band antennae ANT 794-4MR covers all four bands of the GSM networks and can hence be used world-wide.

• 850 MHz
• 900 MHz
• 1800 MHz
• 1900 MHz

Note Please also ensure the country approvals for the MD741-1. (see \3\ )

Properties of the MD741-1

For a secure radio data connection, the router provides the following core functions:


• VPN router: supports a secure data connection via an IPSec-secured VPN tunnel (Virtual Private Network)
• 3DES data encryption, AES encryption
• Firewall for protection from unauthorized access. The dynamic packet filter inspects data packets using the source and target address (stateful packet inspection) and blocks the undesired data traffic (Anti-Spoofing)
• EGPRS modem for packet-based data communication via GSM
• Bi-directional data connection
• Cyclic processing of protocol data for maintaining or monitoring the connection (NAT-T Keep Alive, Dead Peer Detection, Rx-Tx-Delay Trigger)

Configuration of the modem

The router is configured from a standard browser, using the web-based management pages integrated in the router.

Explanation of important terms

In this section, the most important features of the MD741-1 are explained briefly.

Note For further information, refer to the MD741-1 manual. (See /1/)

Table 3-2

Feature | Explanation
Virtual Private Network (VPN) | VPNs connect computers or networks via the internet and provide for secured data transmission. The so-called tunnel is encrypted. Authentication of the VPN endpoints can be ensured using passwords, public keys or a digital certificate.
IPSec | IPsec is an extension of the Internet Protocol (IP) and contains extensive security functions. The AH mechanism (Authentication Header) handles the authentication and identification of the source. ESP (Encapsulation-Security-Payload) transmits the data encrypted via UDP port 4500. IKE (Internet Key Exchange) exchanges the key via UDP port 500.
Anti-Spoofing | Anti-Spoofing prevents the misuse of IP addresses and the concealment of the sender's own identity.
NAT-T Keep Alive | The MD741-1 sends UDP packets through the tunnel port 4500 at a fixed interval (in this example, every 90 sec) to maintain the connection at the APN. The time after which a provider interrupts a connection without data transfer is not defined and must be adjusted accordingly. For NAT-T Keep Alive no response is expected from the peer, so the existence of the VPN tunnel cannot be proven this way.
Dead Peer Detection (DPD) | If no packets have been sent or received through the tunnel for an extended period of time (in this example after 150 seconds at the latest), the MD741-1 sends a UDP packet through port 4500. A response from the peer is expected and hence the status of the VPN tunnel is monitored. If a failure of the VPN tunnel is recognized, the MD741-1 tries to reconnect.
Rx-Tx-Delay Trigger | The Rx-Tx-Delay Trigger in the MD741-1 checks the response behavior of the GPRS network. If data are still sent but not received anymore, the running connection is cancelled after a certain time (approx. 14 min). Subsequently the GPRS connection to the APN as well as the VPN tunnel to the S612 is reestablished. The time settings for the Rx-Tx-Delay Trigger cannot be parameterized. To prevent unnecessary connection interruptions by the trigger, the time settings for the Dead Peer Detection should never be higher than 600 seconds.
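Added example (not part of the original document and not Siemens code): a Python timing model of the three supervision mechanisms in Table 3-2 on an idle tunnel, showing under the stated assumptions how a Dead Peer Detection time longer than the Rx-Tx-Delay Trigger window leads to resets of a working connection. Assumptions: keep-alives do not count as tunnel traffic for DPD, a DPD reply counts as received data for the trigger, one unanswered DPD probe means failure; the 90 s, 150 s, 600 s and 14 min values come from the table, and all function and event names are hypothetical.

```python
from dataclasses import dataclass

RX_TX_TRIGGER_S = 14 * 60  # "approx. 14 min" in Table 3-2; fixed in the device
DPD_LIMIT_S = 600          # Table 3-2: DPD time should never exceed 600 s


@dataclass
class Timers:
    keepalive_s: int = 90  # NAT-T Keep Alive interval used in this example
    dpd_s: int = 150       # Dead Peer Detection idle time used in this example


def check_timers(t):
    """Return a finding for every setting that contradicts Table 3-2."""
    findings = []
    if t.dpd_s > DPD_LIMIT_S:
        findings.append(
            f"DPD time {t.dpd_s} s is above {DPD_LIMIT_S} s; the Rx-Tx-Delay "
            "Trigger may cancel a working connection")
    return findings


def simulate(t, duration_s, peer_down_at=None):
    """Walk an idle tunnel (no user data) second by second.

    Returns a list of (time_s, event). Assumptions of this model, not
    statements from the manual: keep-alives are not tunnel traffic for DPD,
    a DPD reply counts as received data, one missed reply means failure.
    """
    events = []
    last_rx = last_tx = last_tunnel = 0
    for now in range(1, duration_s + 1):
        peer_up = peer_down_at is None or now < peer_down_at
        # NAT-T Keep Alive: send-only, so it never proves the tunnel is alive.
        if now % t.keepalive_s == 0:
            last_tx = now
            events.append((now, "keepalive"))
        # DPD: probe after dpd_s without tunnel traffic; a reply is expected.
        if now - last_tunnel >= t.dpd_s:
            last_tx = last_tunnel = now
            if peer_up:
                last_rx = now
                events.append((now, "dpd-ok"))
            else:
                events.append((now, "dpd-fail"))
        # Rx-Tx-Delay Trigger: data sent but nothing received for ~14 min.
        if last_tx > last_rx and now - last_rx >= RX_TX_TRIGGER_S:
            events.append((now, "rxtx-reset"))
            last_rx = last_tx = last_tunnel = now  # link and tunnel rebuilt
    return events


def spurious_resets(t, duration_s):
    """Count trigger resets on a healthy tunnel (peer always reachable)."""
    return sum(1 for _, e in simulate(t, duration_s) if e == "rxtx-reset")


def first_detection(t, peer_down_at, horizon_s=3600):
    """Return (time_s, event) of the first reaction after the peer vanished."""
    for when, event in simulate(t, horizon_s, peer_down_at):
        if when >= peer_down_at and event in ("dpd-fail", "rxtx-reset"):
            return when, event
    return None


if __name__ == "__main__":
    # Constructed comparison: the example's settings vs. a DPD time of 900 s.
    for timers in (Timers(), Timers(dpd_s=900)):
        print(timers, check_timers(timers))
        print("  spurious resets in 1 h:", spurious_resets(timers, 3600))
        print("  peer lost at t=1000 s ->", first_detection(timers, 1000))
```

With the settings from this example the model never resets a healthy idle tunnel and notices a lost peer at the next DPD probe; with a DPD time of 900 s only the fixed trigger reacts, both to a real failure and to mere idleness.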

3.3 SCALANCE S

The SCALANCE S product family protects automation cells / networks from unauthorized access. Models S612/ 613 can be used as VPN-capable peers for the MD741-1.

Properties of the SCALANCE S612/613 models

SCALANCE S61x modules have the following core properties:

Supporting a safe data connection via an IPSec-secured VPN tunnel

VPN server/client; supports up to 64 (S612) or 128 (S613) VPN tunnels simultaneously.

Firewall for protection from unauthorized access. The firewall has the following functionalities:

– Searching the data packets using the source and target address (stateful packet inspection)

– Supporting Ethernet “Non-IP” messages

– Bandwidth limitation

Router mode for operating SCALANCE S as NAT/NAPT router. The internal network may be a separate subnet.

Bridge mode to operate SCALANCE S in a flat network. Internal and external network are located in one subnet.

Configuration of the SCALANCE S module

The Security Configuration Tool (SCT) serves as a configuration tool for SCALANCE S modules and for generating configuration files for the MD741-1. All stations can be combined into a group here. This assignment defines which modules are allowed to communicate with each other via a VPN tunnel.

Advantages of the interaction with MD741-1

Both modules can be configured using the Security Configuration tool.

Very simple configuration process

Note For further information refer to the SCALANCE S manual. (See /2/)

3.4 Security

Security requirements

Data confidentiality: the user data must be encoded and protected from unauthorized access.

Station authentication: only defined stations may participate in the data communication. An authentication is required.

Packet identification: it must be ensured that data packets arrive at their target address unchanged.

Secrecy: networks behind the VPN Gateways should be hidden from third parties.

3.4.1 VPN tunnel

A VPN tunnel is a “virtual private network” (comparable with a LAN) via an unsecured network (Internet). Encoded data packages and authentication of the stations make this possible. Authentication (proof of one’s own identity or checking the identity of the peer) occurs via a key (Pre-Shared Key) or certificates (X.509v3 certificates).

Pre-Shared Key

Using a pre-shared key is a symmetrical crypto-system. Each station has only one secret key for coding and decoding of data packets. Authentication occurs via a joint password.

Certificates

Using certificates is an asymmetrical crypto-system, where each station has a set of keys. Each station has only one secret, private key and one public key of the peer. The private key enables decoding data, generating digital signatures and authentication. The public key enables encoding data packets for the peer.

The authenticity of the public key of the peer (authentication) is checked via an additional certificate issued by a certification authority. For SCALANCE S the CA is the group from the configuration tool SCT, in which all nodes of a VPN tunnel are located. The group issues certificates to the group members and certifies them with the group certificate (CA certificate).

Note In this example the authentication occurs via certificates.

Logic representation of the VPN connection

The figure below shows the logic end points of the VPN connection:

Figure 3-1: Project representation (Security Configuration Tool) and logic representation. Labels in the figure: SCT, All Groups, Group1, Group2, SCALANCE S612, VPN tunnels, MD741-1 Remote Station1, MD741-1 Remote Station2.

The exact correlations during the configuration are given in chapter 4.

Distribution of certificates

Figure 3-2: Distribution of certificates. Labels in the figure: PG/PC, Security Configuration Tool, certificates, SCALANCE S612, MD741-1 Remote Station1, MD741-1 Remote Station2; steps shown: saving the certificates, downloading the certificates, importing the certificates.

Certificates = *.p12 file (public & private key) and *.cer file (CA certificate)

IPSec

IPSec stands for IP security protocol and works on layer 3 of the OSI reference model. It is a tunneling method used in the internet for safe transmission of data.

Aims

The aims of IPSec are:

Authentication of stations

Protection from unauthorized and unnoticed changes of the data packets (data integrity)

Secrecy of the transmitted data packets.

Protection against replay attacks; prevents repeated receiving of the same data package

Key management

Protocols

IPSec is a standard which uses various protocols for security. The safety functions are achieved using the following mechanisms:

The IP authentication header handles the authentication and identification of the source and provides data integrity.

ESP (Encapsulating Security Payload) encodes the data and prevents unauthorized access.

The Security Association (SA) is an agreement between the stations regarding the life of the key, the encoding algorithm, time for a new authentication etc.

The Internet Key Exchange Protocol (IKE) is based on the Internet Security Association and Key Management Protocol (ISAKMP). It manages the key exchange in two phases and enables communication between the stations.

– In phase 1, a key is agreed on with which the public keys of the peers can be exchanged safely (ISAKMP-SA). Then the public keys are exchanged with each other (authentication). Using the CA certificate, the authenticity of the key is checked (authentication). If the life of the key has elapsed, a new key is generated for safe transmission of the public key.

– Phase 2 is the encoded data transmission using the p12 certificate. If the life of the p12 certificate has elapsed, a new certificate is generated (IPSec-SA). Phase 1 starts again.

Operating modes

IPSec offers two operating modes. These operating modes define how the IP data packages must be expanded to fulfill the aims of IPSec.

The transport mode is used if the cryptographic endpoints are also communication end points (computer-to-computer connection).

The tunnel mode is selected if the cryptographic endpoints are only security gateways and remote subnets are interconnected via a secured network.

IPSec data package

On the VPN connection between SCALANCE S612 and MD741-1 the data packages are transmitted in tunnel mode. The VPN endpoints decode them and forward the data packages to the actual receiving address.

There is the option of securing the data packages using ESP and/or Authentication Header (AH). The MD741-1 only uses encoding via ESP.

In tunnel mode the entire IP data package is embedded into a new IP package. The original IP address is no longer visible from outside.

Figure 3-3

Data package prior to encoding: IP Header | TCP/UDP Header | Data

After encoding via ESP: Tunnel IP Header | ESP Header | IP Header | TCP/UDP Header | Data | ESP Trailer | ESP Auth trailer

(Brackets in the figure mark the encoded part and the authenticated part of the package.)

The following table provides a brief overview of the meaning and function of the respective headers.

Table 3-3

Header | Function

Tunnel IP Header | This IP header contains the address of the cryptographic endpoint (VPN gateway).

ESP Header | The original IP data package and the ESP trailer are encoded via ESP. The ESP header offers protection from replay attacks and contains the SPI (Security Parameters Index).

ESP Trailer | If the user data volume to be transmitted is smaller than the block size, the ESP trailer fills up the missing numbers and saves the number of inserted bits.

ESP Authentication Trailer | Contains the integrity check value for authentication and integrity of the message.
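
The header functions of Table 3-3, shown as an added example that is not part of the Siemens document: Python code that builds an ESP packet around an inner IP packet and checks it on the receiving side (SPI, anti-replay window, integrity check value, padding trailer). NULL encryption is used so the fields stay readable; HMAC-SHA1-96, the 16-byte block size, the 64-packet window, the SPI and the key are assumptions, and the inner packet is constructed sample data.

```python
import hashlib
import hmac
import socket
import struct

BLOCK = 16          # cipher block size in bytes (assumption)
ICV_LEN = 12        # HMAC-SHA1-96 truncates the MAC to 12 bytes (assumed algorithm)
NEXT_HDR_IPV4 = 4   # tunnel mode: the protected payload is a whole IPv4 packet
WINDOW = 64         # anti-replay window size in packets (assumption)


def sample_inner_packet():
    """Constructed inner IPv4 packet PC/PG -> CPU 315-2 (header checksum left at 0)."""
    payload = b"constructed diagnostic request"
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, 6, 0,
                         socket.inet_aton("192.168.3.3"), socket.inet_aton("140.70.0.3"))
    return header + payload


def esp_encapsulate(spi, seq, inner_packet, auth_key):
    """Return ESP header + payload + ESP trailer + ESP authentication trailer."""
    # ESP trailer: pad so that payload + padding + 2 trailer bytes fill whole blocks.
    pad_len = (-(len(inner_packet) + 2)) % BLOCK
    padding = bytes(range(1, pad_len + 1))
    trailer = padding + bytes([pad_len, NEXT_HDR_IPV4])
    header = struct.pack("!II", spi, seq)      # SPI and sequence number
    body = inner_packet + trailer              # NULL encryption: body stays readable
    icv = hmac.new(auth_key, header + body, hashlib.sha1).digest()[:ICV_LEN]
    return header + body + icv


class EspReceiver:
    """Receiving VPN endpoint for one security association."""

    def __init__(self, spi, auth_key):
        self.spi = spi
        self.auth_key = auth_key
        self.highest = 0    # highest sequence number accepted so far
        self.bitmap = 0     # bit i set: sequence number (highest - i) already seen

    def _replay_ok(self, seq):
        if seq == 0:
            return False
        if seq > self.highest:
            return True
        offset = self.highest - seq
        return offset < WINDOW and not (self.bitmap >> offset) & 1

    def _mark_seen(self, seq):
        if seq > self.highest:
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << WINDOW) - 1)
            self.highest = seq
        else:
            self.bitmap |= 1 << (self.highest - seq)

    def receive(self, packet):
        """Return the inner IP packet or raise ValueError naming the failed check."""
        if len(packet) < 8 + 2 + ICV_LEN:
            raise ValueError("truncated")
        spi, seq = struct.unpack("!II", packet[:8])
        if spi != self.spi:
            raise ValueError("unknown SPI")
        if not self._replay_ok(seq):
            raise ValueError("replayed or too old")
        expected = hmac.new(self.auth_key, packet[:-ICV_LEN], hashlib.sha1).digest()[:ICV_LEN]
        if not hmac.compare_digest(packet[-ICV_LEN:], expected):
            raise ValueError("integrity check failed")
        self._mark_seen(seq)    # the window moves only for authenticated packets
        body = packet[8:-ICV_LEN]
        pad_len, next_hdr = body[-2], body[-1]
        if next_hdr != NEXT_HDR_IPV4 or pad_len + 2 > len(body):
            raise ValueError("malformed trailer")
        return body[:len(body) - 2 - pad_len]


def outcome(receiver, packet):
    """'accepted' or the reason the receiver rejected the packet."""
    try:
        receiver.receive(packet)
        return "accepted"
    except ValueError as err:
        return str(err)


if __name__ == "__main__":
    key = b"constructed-auth-key"
    rx = EspReceiver(0x1000, key)
    first = esp_encapsulate(0x1000, 1, sample_inner_packet(), key)
    print(outcome(rx, first))   # first delivery
    print(outcome(rx, first))   # same packet delivered again
```

The window is updated only after the integrity check succeeds, so a forged packet with a high sequence number cannot push valid packets out of the window.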

3.5 Estimating the data volume

Billing in GPRS/EGPRS networks is based on the transmitted data volume. It is important to know which data volume must be expected for a standard diagnostic session.

Data volumes for automation functions

The following table shows which net data volume must be expected for a function call to the remote stations.

Table 3-4

Automation function | Explanation | Data volume/hour

STEP 7 project | Download of the STEP 7 example project Remote Station1 (CPU315-2 DP + CP343-1 Advanced) | Once approx. 77 Kbytes

Calling the diagnostic buffer | Go online with the STEP 7 project and call the module status of the CPU | Once 16.3 Kbytes

Variable table | Two variables are continuously monitored in the variable table. | Ca 960 Kbytes/h

WinCC flexible Sm@rt Service | Calling the TP277 panel operator page on a web browser with Sm@rtService function (initial call until the operating screen has been loaded completely) | Once approx. 90 Kbytes (for this example)

WinCC flexible Sm@rt Service | Delta operating screen display on the browser | Ca 1.2 Kbytes/h

WinCC flexible Sm@rt Viewer | Load the TP277 operating screen using the Sm@rt Viewers of WinCC flexible (initial call) | Once ca 14 Kbytes

WinCC flexible Sm@rt Viewer | Delta operating screen display on the browser | Ca 855 Kbytes/h

Note These values are only guide values and are used for orientation!

The values in the data volume/h column do not indicate any speed. They illustrate, for the example project at hand, how much data volume must be expected for each application.

4 Configuration and Startup

Preliminary remarks

For startup we offer you a finished STEP 7 example project as a download. This software example supports you in the first steps and tests with this configuration. It enables a quick function test of hardware and software interfaces between the products described here. The software example is always assigned to the components used in this configuration and shows their principal interaction. However, it is not a real application in the sense of technological problem solving with definable properties. The following chapters take you step by step through the required configuration.

Download

The STEP 7 and WinCC flexible example project is available on the HTML page from which you downloaded this document. Upon downloading, extract the zip-file with any unzip-program, like, e.g. Winzip. Store the files on the hard disk and retrieve the STEP 7 projects by means of the STEP 7 software.

Table 4-1

File name | Content

24960449_RemoteAccess_EGPRS_CODE_V20.zip | All files of this configuration, consisting of:

STEP7_REMOTE1.zip | STEP 7 project for Remote Station1

STEP7_REMOTE2.zip | STEP 7 project for Remote Station2

SOAP.htm | HTML file for the SOAP connection

Functionality

The example only serves for demonstrating a PLC basic load in order to illustrate certain diagnostic scenarios. An automation task is not the focus here.

4.1 Hardware configuration / structural setup

Figure 4-1

The following table gives you an overview of the IP addresses used. Cells with the same color belong to one subnet respectively. Modules with two addresses (internal/external) work as routers for the respective other subnet.

Table 4-2

Station | Module | IP address internal | IP address external

RMT 1 | CP 343-1 Advanced | 140.70.0.2 | -

RMT 1 | CPU 315-2 PN/DP | 140.70.0.3 | -

RMT 1 | TP 277 6’’ | 140.70.0.4 | -

RMT 1 | CP 443-1 IT | 140.70.0.5 | -

RMT 1 | MD741-1 | 140.70.0.1 | Dynamic from APN

RMT 2 | CP343-1 lean | 140.80.0.12 | -

RMT 2 | MD741-1 | 140.80.0.11 | Dynamic from APN

Central service station | DSL Router | 192.168.2.1 | Fixed IP from provider

Central service station | SCALANCE S612 | 192.168.3.1 | 192.168.2.2

Central service station | PC/PG | 192.168.3.3 | -

In the following chapters the required configuration steps of the individual components are now explained in greater detail.

Table 4-3

Number | Configuration step | Chapter

1 | Configuring the DSL router | 4.4

2 | Configuration of the central service station | 4.5

3 | Configuring the remote stations | 4.6

4 | Configuring SCALANCE S and the VPN tunnel | 4.7

5 | Configuring the MD741-1 | 4.8

4.2 Installation of the software

For this configuration the following software packages are required:

STEP 7

SIMATIC PDM: Basis Software / Integration in STEP7 and PDM Routing

WinCC flexible 2005 with Sm@rtViewer

Security Configuration Tool

Note Follow the instructions of the corresponding installation program.

4.3 Install example project

Table 4-4

No. | Instruction | Remark/figure

1. | Unzip the file 24960449_RemoteAccess_EGPRS_CODE_V20.zip | The directory <LW>\GPRS_Configuration9 is used below as project directory.

2. | Start STEP 7 and retrieve STEP7_REMOTE1.zip to <LW>\GPRS_Configuration9 | The STEP 7 project is now filed at <LW>\GPRS_Configuration9\GPRS_RMT1

3. | Start STEP 7 and retrieve STEP7_REMOTE2.zip to <LW>\GPRS_Configuration9 | The STEP 7 project is now filed at <LW>\GPRS_Configuration9\GPRS_RMT2

4.4 Configuring the DSL Router

No specific router is discussed for the configuration as the operating screens differ from router to router.

Most routers have a web page for the configuration.

Required PC/PG IP address

For the configuration of the router you must assign an IP address to your PG/PC which is located in the same network as your router.

Configuration

Table 4-5

No. | Instruction | Remark / Note

1. | Open the configuration user interface of the router | This may be additional software, “Telnet” or a web page.

2. | Enter the connection data for your internet connection. | Login, password etc., which you received from your provider.

3. | Switch off the DynDNS server. | Your internet access has a fixed IP address.

4. | Enter your DNS server. | The address is available together with the access data.

5. | Specify a LAN IP address for the router | 192.168.2.1

6. | Switch off the DHCP server. | The SCALANCE S and the PC receive a fixed address.

7. | Forward UDP port 500 and 4500 to the same ports of the SCALANCE S. | UDP Port 500 to UDP Port 500 of 192.168.2.2; UDP Port 4500 to UDP Port 4500 of 192.168.2.2

Note Some routers contain the function “IPSec Pass through”. Activate this function (if it explicitly exists in your router) to support IPSec.

4.5 Configuration of the central service station

Change IP address

The figure shows the network settings to which you must change the PG/PC at the beginning for setting the PC station and at the end of the configuration (after chapter 4.8)! Loading the various modules (SCALANCE S, MD741-1, CPUs, Touch Panel) requires changing the IP address of the PC/PG frequently.

Table 4-6

No. Instruction Remark / Note

1. Open the Internet Protocol (TCP/IP) Properties by selecting Start -> Settings -> Network Connection -> Local Connections. Select the Use the following IP address check box and fill out the field as shown in the screenshot on the right. Select the option field Use following DNS Server and enter the DNS server according to the screenshot. Close the dialog boxes with “OK”.

2. If your PG has an IWLAN interface, switch this off.

PC station initial startup

A “PC station” is a PC with communication modules and software components within an automation solution with SIMATIC.

The hardware configuration of a PC station in SIMATIC is comparable with that of an S7 station. Components of a PC station such as modules or software interfaces are assigned to a virtual slot and parameterized in the same way.

Table 4-7

No. Instruction Remark/figure

1. Open the Component Configurator: Start -> Station Configurator. Alternatively you can also double-click the icon in the Windows SYSTRAY. The empty configuration list appears initially.

2. Import the XDB file <LW>\GPRS_Configuration9\GPRS_RMT2\XDBs\pcst_1.xdb via the Import Station… button.

3. Attention: The import is only possible if the imported configuration corresponds with the locally existing configuration. For unsuitable components, the faulty component is selected.

4. Execute the import with OK. The components are restarted.

Should the components not be started immediately without error, please perform a RESTART of the PC.

4.6 Configuring the remote stations

Note The provided STEP 7 projects, which have already been configured with the correct IP addresses, serve as a basis for configuring the STEP 7 stations.

4.6.1 Changing the IP address of the component

CPU/ CP

Prior to loading the STEP 7 project into the CPU, the IP address of the module via which the project is loaded to the CPU must be changed according to Table 4-2. This module may be the CPU itself or a CP.

Table 4-8

No. Instruction Note

1. Open a STEP 7 project in the SIMATIC Manager.

2. In the PLC menu you select the Edit Ethernet Node… option.

3. Click the Browse… button.

4. Select the desired module and acknowledge the selection with OK.

5. In the Set IP configurations window which appears, enter the IP address according to Table 4-2. Click the Assign IP Configuration button. Close the dialog with the Close button.

Touch Panel

Prior to loading the WinCC flexible project into the Touch Panel, the IP address of the panel must be changed according to Table 4-2.

Table 4-9

No. Instruction Note

1. Switch to the Control Panel of the TP 277 6’’ (My Computer -> Control Panel) and select Transfer.

2. Change the transfer properties according to the figure. Click the Advanced button.

3. In the dialog which appears you select the Onboard LAN Ethernet Driver dialog and change to the properties via the Properties button.

4. Change the IP address of the panel according to the screenshot and acknowledge the dialog with OK.

5. A change of the IP address requires restarting the panel. Change back to Control Panel and double-click OP. The properties open. Change to the Device tab and perform a restart of the panel via the Reboot button.

4.6.2 Remote Station 1

Required PC/PG IP address

Table 4-10

No. Instruction Note

6. For loading the SIMATIC stations please change the IP address of your PC/PG according to the screenshot.

7. Connect the PC/ PG with the SCALANCE X208 via a standard Ethernet line.

The PC/ PG can now establish a connection with CPU315-2 PN/ DP, CP 343-1 Advanced, TP277 and MD741-1.

Loading the SIMATIC stations

Table 4-11

No. Instruction Note

1. Change IP address of the CPUs and Ethernet CPs according to Table 4-2.

This is described in greater detail in chapter 4.6.1.

2. Select the first SIMATIC 300 station in the SIMATIC Manager (Station1) and use PLC-> Download to load it to the CPU via the CP.

3. Then select the second SIMATIC 300 station (Station2) and use also PLC-> Download to load it directly to the CPU.

4. Select the SIMATIC 400 (Station3) and use PLC-> Download to load it to the CPU via the CP.

Downloading the WinCC flexible project

Table 4-12

No. Instruction Note

1. In SIMATIC Manager you open the SIMATIC HMI station(1) and select WinCC flexible RT. Use Right mouse button -> Open Object to open the WinCC flexible project.

2. As soon as WinCC flexible is started you reach the transmission settings via Project -> Transfer -> Transfer Settings. Change the dialog according to the figure. Mode: Ethernet IP Address: 140.70.0.4

3. Set your panel to transfer mode. Via the Transfer button you download the WinCC flexible project into the panel.

Load the SIMOCODE pro device

Table 4-13

No. Instruction Note

1. In the SIMATIC Manager select Station3. Open HW Config via double-click on Hardware.

2. The default PROFIBUS address of SIMOCODE is 126. Set it to 103. Open the PDM in HW Config via double-click on the SIMOCODE device.

3. The first window which opens is “SIMATIC PDM Device Selection TAG”. In this example SIMOCODE has been configured as Reversing Starter. Select this device from the list and acknowledge with OK.

4. Also close the window “Insert SIMATIC PDM PROFIBUS DP device Objects” with OK.

5. In the “User” window select the Specialist option and acknowledge with OK.

6. Load the configuration of the SIMOCODE device via the “download” icon.

7. If the download was successful, this is displayed in the “Download to Devices – Result” window by means of a green checkmark. Then close the dialog window with Close.

NetPro

The connection between the central service station and the remote station through the VPN tunnel is a mere point-to-point connection. The following figure displays an extract from NetPro:

Figure 4-2

Note If you do not have the packages WinCC flexible and/or SIMATIC PDM installed, the respective objects are not displayed.

Default Router

In reality, the connection via EGPRS/GPRS and internet runs via several subnets. The remote station components and the central service station must be informed of their default router, the EGPRS router MD741-1.

The following screenshots show the entry of the respective default router in the network properties:

CPU315-2 PN/ DP

Figure 4-3

CP343-1 Advanced

Figure 4-4

IP address of the MD741-1

TP277 6’’

Figure 4-5

CP 443-1 IT

Figure 4-6

4.6.3 Remote Station 2

Required PC/PG IP address

Table 4-14

No. Instruction Note

1. For loading the SIMATIC stations please change the IP address of your PC/PG according to the screenshot.

2. Connect the PC/ PG with the CP343-1 Lean via a crossover Ethernet cable.

Loading the SIMATIC stations

Table 4-15

No. Instruction Note

1. Change the IP address of the CP343-1 Lean according to Table 4-2.

This is described in greater detail in chapter 4.6.1.

2. Select the first SIMATIC 300 station in the SIMATIC Manager (Station1) and use PLC-> Download to load it to the CPU via the CP.

3. Then select the second SIMATIC 300 station (I_SLAVE) and use PLC-> Download to load it directly to the CPU via Station1.

NetPro

The connection between the central service station and the remote station through the VPN tunnel is a mere point-to-point connection. The following figure displays an extract from NetPro:

Figure 4-7

Default Router

In reality, the connection via GPRS and internet runs via several subnets. The remote station components and the central service station must be informed of their default router, the GPRS modem MD741-1.

The following screenshots show the entry of the respective default router in the network properties:

CP343-1 Lean

Figure 4-8

IP address of the MD741-1

4.7 Configuring VPN tunnel

This section shows the steps necessary in the Security Configuration Tool to generate two VPN tunnels.

Figure 4-9 (labels in the figure: SCALANCE S612, MD741-1 Remote Station 1, MD741-1 Remote Station 2, VPN Tunnel 1, VPN Tunnel 2, Group 1, Group 2)

Note Reset the SCALANCE S612 to the factory settings prior to configuration. This ensures that no other certificates / VPN connections are saved in the SCALANCE S and that the IP address of SCALANCE S is set to 0.0.0.0.

An instruction for resetting the configuration to factory settings is available in the SCALANCE S manual, chapter 2.1.7 (See /2/).

Required PC/PG IP address

Table 4-16

Instruction Setting

For configuring the SCALANCE S please enter the IP address for your PC/PG according to the screenshot.

VPN tunnel configuration

Table 4-17

No. Instruction Remark / Note

1. Open the Security Configuration Tool (SCT). Start -> SIMATIC -> SCALANCE -> Security -> Security Configuration Tool

2. Create a new project with Project -> New. You will be prompted for User Name and Password. Fill in the dialog (e.g. User Name: Admin, Password: VPN) and close with OK.

3. The first module is automatically added. Change the module line as follows: Name: S612; Type: S612 V2; IP Address ext.: 192.168.2.2; Subnet Mask ext: 255.255.255.0; Default Router: 192.168.2.1. The MAC address is available at your SCALANCE S. It is printed on the front casing.

4. Insert a new module with Insert -> Module.

5. Change the second module line as follows: Name: Remote1; Type: MD741-1; IP Address ext.: leave default settings; Subnet Mask ext: leave default settings; IP Address int: 140.70.0.1; Subnet Mask int: 255.255.0.0

Note: The SCT requires an external IP address for the MD741-1. However, it is specified dynamically by the mobile radio network provider and cannot be entered here. Leave the default IP address of the SCT (here: 192.168.10.1).

6. Insert a new module with Insert -> Module.

7. Change the third module line as follows: Name: Remote2; Type: MD741-1; IP Address ext.: leave default settings; Subnet Mask ext.: leave default settings; IP Address int.: 140.80.0.11; Subnet Mask int.: 255.255.0.0.

8. Select View -> Advanced Mode to change to the advanced mode of the SCT. Confirm the following dialog box with Yes. The advanced mode offers further setting options.

9. Select the first module line (SCALANCE S module). Double-click Properties to open the properties dialog.

10. Go to the Routing Mode tab. Activate the Routing active mode and enter the internal IP address (192.168.3.1) and subnet mask (255.255.255.0). Close the Module Properties dialog with OK.

11. If you have used the function NAT active in step 10, make the following settings: Go to the Firewall Settings tab. Press Add Rule to add a new drop rule. Enter the IP address of the remote subnet with its subnet mask as Destination IP. Remote1: 140.70.0.0/16. Repeat the same procedure for the second router. Remote2: 140.80.0.0/16. Finally, enter an allow rule for access from your local network (SCALANCE local network) via the SCALANCE and DSL router. Click OK to apply the settings.

A drop rule should be inserted for every destination subnet. If no VPN tunnel has been set up yet, all packets addressed to the MD741-1 are rejected. The last firewall rule allows all remaining packets to other stations. With this rule, the firewall is open from internal to external for all packets which have not been rejected.

12. In the Offline View column, select the VPN groups (all groups) and click the right mouse button. Now create a new group via Insert -> Group. Repeat this process a second time.

Note: Alternatively, you can configure all modules in the same group. The VPN properties and the certificates are then the same for all MD741-1 devices.

13. S612 and the MD741-1 Remote1 are placed in Group1. Select the modules S612 and Remote1 individually in the same column and drag them into Group1 via drag&drop.

14. S612 and the MD741-1 Remote2 are placed in Group2. Select the modules S612 and Remote2 individually in the same column and drag them into Group2 via drag&drop.

Note: A group represents a VPN connection. Only stations which are part of this group can participate in the VPN tunnel communication.

15. Select, for example, Group1 in the column. All stations of the group, and hence of a VPN connection, are listed.

16. For each group the group properties must still be adjusted. Double-click on the group to display the window with the Properties.

17. Change the SA Lifetimes to 1440 minutes. Click OK to close the dialog box. Repeat the same procedure for the other group!

18. Change back to the module lines and select the first module line (SCALANCE S).

19. Open the Properties of the SCALANCE S module via double-click. Now go to the VPN tab. Set the Dead Peer Detection of the S612 to 180 seconds. This function prevents old, no longer valid VPN tunnels from being shown in the online view. The SCALANCE S waits for the connection of the MD741-1. Change the permission to initiate the connection accordingly. As the WAN IP Address, specify the fixed IP address of your DSL router. Click OK to close the dialog box.

Note:

The Dead Peer Detection for the SCALANCE S must be set to a higher value than in the MD741-1. (The default setting for the MD741-1 is 150 seconds.)

DynDNS is not supported by SCALANCE S.

20. Connect your PC/PG with the external port of the SCALANCE S.

The SCALANCE S has no default IP address. Loading occurs via the given MAC address.

21. Load the configuration into the SCALANCE S. Select the SCALANCE S module line in the right pane and click Transfer.

22. In the following dialog you start the transmission to SCALANCE S by pressing Start.

23. Create a directory MD740_Remote1 in D:\GPRS_Configuration9. There you save the configuration for the MD741-1 of Remote Station1. Select the modem module line 2 and click Transfer. Specify the just created directory as a target directory for the configuration files and certificates. Acknowledge the following dialog with Yes for a new certificate password or with No for a default password.

The .p12 certificate is password protected. You have the option of using the project name of the SCT as a password or to assign a different one. Note: It is recommended to assign a new password.

24. Create another directory MD740_Remote2 in D:\GPRS_Configuration9. There you save the configuration for the MD741-1 of Remote Station2. Proceed as for the other MD741-1 of Remote Station1.

25. In the target directory, a text file is saved for configuring the MD741-1, the CA certificate and the p12 certificate.

Note The firewall setting of the S612 enables only data traffic between a VPN tunnel and another VPN station. If you also wish to allow connections outside of the VPN tunnel, you must adjust the firewall accordingly. Information on this is available in chapters 7.2 and 7.3.

Note If you use the MD740-1 router (instead of the MD741-1), configure both remote stations in one VPN group by inserting both MD740-1 devices into one group via drag&drop.

Note The MD740-1 router should always be inserted in one VPN group.
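The rule order from step 11 and the Dead Peer Detection constraint from step 19 can be checked before the configuration is loaded. The following script is an added example, not part of the Siemens document or of the SCT. It assumes that the rule list is read top-down with the first match deciding, and the names Rule, decide, subtract, leaks and lint are hypothetical; it goes slightly beyond the table by also accepting a remote subnet that is covered by several smaller drop rules.

```python
"""Lint for the S612 plan in Table 4-17 (steps 11 and 19)."""
import ipaddress
from dataclasses import dataclass

# Addresses and timers as given in Table 4-17 of this document.
REMOTES = {
    "Remote1": ipaddress.ip_interface("140.70.0.1/255.255.0.0"),
    "Remote2": ipaddress.ip_interface("140.80.0.11/255.255.0.0"),
}
S612_DPD_S = 180    # step 19
MD741_DPD_S = 150   # MD741-1 default, note to step 19
ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:              # hypothetical model of one firewall rule line
    action: str          # "drop" or "allow"
    dest: ipaddress.IPv4Network


# Step 11, direction internal -> external: one drop rule per remote
# subnet, then the allow rule for the remaining traffic.
RULES = [
    Rule("drop", ipaddress.ip_network("140.70.0.0/16")),
    Rule("drop", ipaddress.ip_network("140.80.0.0/16")),
    Rule("allow", ANY),
]


def decide(rules, dest_ip):
    """Assumed semantics: rules are read top-down, first match decides."""
    addr = ipaddress.ip_address(dest_ip)
    for rule in rules:
        if addr in rule.dest:
            return rule.action
    return "no-match"


def subtract(nets, dropped):
    """Remove the address range `dropped` from a list of networks."""
    out = []
    for net in nets:
        if net.subnet_of(dropped):
            continue                          # fully dropped
        if dropped.subnet_of(net):
            out.extend(net.address_exclude(dropped))
        else:
            out.append(net)                   # disjoint, unchanged
    return out


def leaks(rules, subnet):
    """True if any address of `subnet` reaches an allow rule, or if the
    subnet is not completely covered by explicit drop rules."""
    remaining = [subnet]
    for rule in rules:
        if rule.action == "drop":
            remaining = subtract(remaining, rule.dest)
            if not remaining:
                return False
        elif any(net.overlaps(rule.dest) for net in remaining):
            return True
    return True


def lint(rules, remotes, s612_dpd, md741_dpd):
    """Return a list of findings; an empty list means the plan is OK."""
    findings = []
    for name, iface in remotes.items():
        if leaks(rules, iface.network):
            findings.append(f"{name}: {iface.network} is not fully covered "
                            "by drop rules ahead of the allow rule")
    if s612_dpd <= md741_dpd:
        findings.append(f"DPD: S612 ({s612_dpd} s) must be higher than "
                        f"MD741-1 ({md741_dpd} s)")
    return findings


if __name__ == "__main__":
    for line in lint(RULES, REMOTES, S612_DPD_S, MD741_DPD_S) or ["plan OK"]:
        print(line)
```

With the drop rules in place, traffic for a remote subnet never reaches the final allow rule while its tunnel is down, so it is not forwarded unprotected towards the DSL router.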

4.8 Configuring the MD741-1

Commissioning the MD741-1 occurs in three steps:

execute PIN configuration

insert SIM card into the device

further configurations

Required PC/PG IP address

Table 4-18

Instruction Setting

For the configuration of the MD741-1 you assign an IP address to your PG/PC which is located in the same network as your MD741-1.

According to the factory settings the MD741-1 has the address 192.168.1.1.

Connect the PC/PG back to the SCALANCE X208.

4.8.1 MD741-1 of Remote Station1

Note For further information, also refer to the MD741-1 manual. (see /1/)

Step 1: PIN configuration

For the MD741-1 to be able to communicate via the GPRS network, the PIN of the SIM card must be made known to the device.

WARNING First make the PIN known to the MD741-1 and then insert the SIM card.

Table 4-19

No. Instruction Remark / Note

1. Connect the PC with the Ethernet connector of the MD741-1.

According to the factory settings the MD741-1 has the address 192.168.1.1.

2. Start a browser and enter the address https://[IP address of the MD741-1].

After successful connection, a security dialog appears which you acknowledge with Yes.

3. Enter user name and password. The default settings are: User name: admin Password: sinaut

4. The administrator website opens. The default language is German. You can change the language in the top right field and accept the settings into the MD741-1 with go.

5. Go to External Network -> EDGE/GPRS.

6. In Username and Password (identical in both lines), enter the access data for your APN. The default setting of both fields is guest. For Vodafone: User name: guest; Password: guest. In APN, enter the address of your Access Point Name. For Vodafone: web.vodafone.de; for T-Mobile: internet.t-mobile. Under PIN, enter the PIN of your SIM. Save the settings by selecting Save.

Step 2: Insert SIM card

Table 4-20

No. Instruction Remark / Note

1. Disconnect the MD741-1 from the power supply.

2. Insert the SIM card as in the picture and connect the router to the power supply.

Note The MD741-1 will now attempt to initiate a connection with the EGPRS/GPRS network. When the connection has been established, the LED S (status) lights up permanently. LED C (connect) is ON with short interruptions if the MD741-1 has been logged on to GPRS and lights up permanently if the MD741-1 has been logged on to EGPRS. LED Q (quality) indicates the field strength.

Step 3: Further configurations

IP address

Table 4-21

No. Instruction Remark / Note

1. Open the administrator website of the MD741-1 again. In the Overview mask you receive information on the connection in the EDGE or GPRS network, the signal strength and the IP address assigned by the provider.

2. Go to Local Network -> Basic Settings -> Local IPs. Change the internal IP address of the MD741-1 according to Table 4-2. Accept the settings with Save. Note: You have to adjust the IP address of your PCs/PGs accordingly (e.g. 140.70.0.20) and then open the website of the MD741-1 again.

Configuring the VPN connection

Note For the further configuration steps, use the text file which was generated with the Security Configuration Tool.

Figure 4-10

Upload certificates

Figure 4-11

Table 4-22

No. Instruction Remark / Note

1. Change to IPSec VPN -> Certificates.

Use the Browse… button to open the directory in which you have saved the configuration data and certificates for the MD741-1.

D:\GPRS_Configuration9\MD740_Remote1

2. Open the certificate (.cer) which is given in your text file

Here: Configuration1.S612.cer

3. Import the certificate with Upload. In Remote Certificates it is apparent that the certificate has been imported.

4. In order to upload your own certificate (.p12), use the Browse… button to open the directory in which you have saved the configuration data and certificates for the MD741-1.

5. Open your own certificate (.p12) which is given in your text file.

Here: [email protected]

6. Enter the password you have specified for the certificate in the Security Configuration tool.

Either the SCT project name or a new password.

[Point 1: IPSec VPN > Certificates; Configuration1.S612.cer; [email protected]]

7. Import the certificate with Upload. In Device Certificates it is apparent that the certificate has been imported.

Create and edit connection

Table 4-23

No. Instruction Remark / Note

1. Change to IPSec VPN -> Connections.

2. Generate a new connection with New. In this example REMOTE1 was used as the connection name. Accept the settings with Save.

Figure 4-12

Table 4-24

No. Instruction Remark / Note

1. Use the Settings Edit button to switch to the connection properties.

[Point 2: IPSec VPN > Connections > Edit Settings; Static IP address from DSL provider; .cer certificate; Tunnel settings]

2. As remote Gateway Address you enter the fixed IP Address of your DSL connection

Here: 217.175.91.54

3. In Remote Certificate you select your .cer certificate.

4. Click on the ScalanceS ID button to accept the Remote ID.

5. Enter the settings for the address of the local and the opposite network according to your text-file. Accept the settings with Save.

6. Change to Security -> Advanced Settings and set the parameter External ICMP to the MD741-1 to Accept. Then accept the settings with Save.

VPN connection test

As soon as all settings have been transferred to the MD741-1, the EGPRS router automatically initiates a VPN tunnel to the SCALANCE S612. This can be seen at the green VPN LED on the MD741-1 and on the website of the router at IPSec VPN -> Status.

Figure 4-13

If you have made different IKE or NAT-T settings in your SCT project than in this example, then follow points 3 and 4.

IKE settings

Table 4-25

No. Instruction Remark / Note

7. The IKE Edit button takes you to the additional IKE settings.

8. Enter the settings according to your text-file and accept the settings with Save.

Figure 4-14

Note The default setting for the DPD parameter of the MD741-1 is recommended for most applications. With this value it can take roughly 8 to 9 minutes until an aborted tunnel is noticed. You can set this value lower so that an aborted tunnel is identified more quickly. If the DPD value is reduced, a higher data volume is produced.

Here the cyclic time window Dead Peer Detection can be changed. Default is set to 150 sec.

[Point 3]

Advanced settings NAT-T Keep Alive

To maintain the NAT Gateway at the APN, the NAT-T Keep Alive is sent after a certain period of time. Default setting is 60 seconds. You can change this time on the website of the MD741-1 at IPSec VPN -> Advanced.

Figure 4-15

Log-files – Expanded diagnosis

You can receive more system information in the system log file. Go to System -> Log and click Download.

Figure 4-16

Note For information on further diagnostic options, refer to the MD741-1 manual (see /1/).

[Point 4]

4.8.2 MD741-1 of Remote Station2

The configuration of this GPRS router MD741-1 is analogous to that of the MD741-1 of the other remote station and is hence not described further.

Perform the following steps using the text file which was generated for this modem.

Executing the PIN configuration

Inserting the SIM card into the device

Further configurations

Use REMOTE2 as the connection name.

The text file and the certificates are available at <LW>\GPRS_Configuration9\MD740_Remote2.

Note For the configuration, connect the PC/PG with the MD741-1 in Remote Station2 via a standard Ethernet cable. The MD741-1 supports the “autocrossing” function, which enables a point-to-point connection with an uncrossed Ethernet cable.

4.9 Final configuration

Once all modules have been loaded, change the IP address of the PCs/PGs according to chapter 4.5. Connect all stations according to Figure 4-1.

5 Remote Access Scenarios

Overview

The following table lists the remote access scenarios which were tested in this configuration.

Table 5-1

Access function | Function test | Scenario

S7 communication
Standard diagnosis: Module information | OK | Chapter 5.1
Standard diagnosis: Diagnostic buffer | OK | Chapter 5.1
Standard diagnosis: Report CPU | OK | Chapter 5.1
Standard diagnosis: Variable table | OK | Chapter 5.1
Standard diagnosis: DB Editor | OK | Chapter 5.1
STEP 7 project: Upload | OK | Chapter 5.1
STEP 7 project: Download | OK | Chapter 5.1
S7 Routing | OK | Chapter 5.5
S7 Routing PDM | OK | Chapter 5.7
OPC Access: Server and client in the central service station | OK | Chapter 5.7
OPC Access: Server on PC in remote station, client in central service station | OK | Chapter 5.7

SOAP
WinCC flexible: SOAP connection between PG and Panel | OK |

Http/VNC
Sm@rtService: Remote Control | OK | Chapter 5.2
Sm@rtService: Sm@rtService Download | OK | Chapter 5.2
Sm@rtService: Sm@rt Viewer | OK | Chapter 5.2
WinCC flexible project: Upload | * | Chapter 5.2
WinCC flexible project: Download | OK | Chapter 5.2
CP343-1 Advanced: Standard website | OK | Chapter 5.3
CP343-1 Advanced: Download S7 applets | OK | Chapter 5.3

Ethernet
WinCC flexible project: Upload | * | Chapter 5.2
WinCC flexible project: Download | * | Chapter 5.2

Note The functions marked with * are not possible for this constellation (secured remote access via GPRS).

5.1 Diagnostic scenario 1 for remote station 1 (S7 communication)

The following situation is simulated for this scenario:

Central service station permanently on the net

Connection to remote station is only generated on demand in order to save data volume.

This diagnostic scenario shows that communication via a VPN tunnel is possible even with several S7 stations and that the entire PG functionality is available.

Table 5-2

Instruction Action step Note

The connection to the remote station shall be generated

Activate the VPN-Tunnel via remote https or CSD.

Waiting for connection (modem actively established the connection with S612)

If the VPN tunnel has been generated, this can be seen

in remote station at the LED VPN lighting up at MD741-1

in the online function Communication status of the SCT

Reading out module status and diagnostic buffer from Station 1, Station 2, Station3.

Retrieve the respective STEP 7 project with the SIMATIC Manager and switch it online.

Select CPU in Station 1 and view diagnostic buffer/ module status.

You can also repeat the same process for station 2 and 3. Select CPU in Station and view diagnostic buffer/ module status.

Receive CPU messages Select the CPU of station 2 and open the window for the CPU messages via PLC -> CPU Messages

Activate the checkbox W, in order to receive diagnostic events.

To receive a message, set the CPU, for example, in stop and back to RUN mode.

Monitor variable Open the variable table of station 2 and go online via Variable -> Monitor.

Here you can monitor the 27 variables almost in real-time.

Programming sequence Upload

Create a new STEP 7 project in the SIMATIC Manager.

Via PLC-> Upload Station to PG you can load a STEP 7 project from a CPU.

In the following dialog you enter the Rack or Slot number of the CPU and IP Address, via which the CPU can be accessed. The target station can be reached locally.

Note: The IP address of the connection of the target station can be that of the CPU itself (PROFINET interface) or of a CP.

Programming sequence Download

Then select the SIMATIC station in your STEP 7 project and use PLC -> Download to load it to the CPU.

Downloading a STEP 7 project via a VPN tunnel takes longer; however, it runs more stably.

DB Editor The SFC 51 has been implemented in the OB100 of station 1. It reads the module status of the CPU and saves the data record in DB 2.

Open the data block (RDSYSST_DB). Go online to view the current values.

Perform a restart at station 1 so the OB 100 can be called up.

5.2 Diagnostic scenario 2 for remote station 1 (access to panel using WinCC flexible)

In this diagnostic scenario the remote control is demonstrated via a secured line. Operator control and monitoring of a process is possible without any restrictions.

Table 5-3

Instruction Action step Note

WinCC flexible project Download

For the transfer of the WinCC flexible project on the panel follow the instructions in chapter 4.6.2.

Change the dialog Transfer Settings as follows: Mode: HTTP; IP address: 140.70.0.4; User Name: Administrator; HTTP Password: 100.

The download of a WinCC flexible project via a VPN runs very stably despite the longer transmission time.

Sm@rtService Sequence Remote Diagnosis

Start a standard web browser, e.g. Internet Explorer, and enter the address of the panel (http://140.70.0.4).

On the website of the panel you find the control functions, the panel state and a file explorer.

Downloading the website of the panel takes only a few seconds (approx. 10 s) despite the VPN tunnel.

Sm@rtService Sequence Remote Control

In the navigation bar of the web site you click Remote Control and start the Sm@rtClient.

The applet for the VNC password is downloaded. Enter 100 as the password.

As soon as the user interface has been downloaded, operator control and monitoring is possible.

Downloading the operating screen via Sm@rtService takes very long and “costs“ a lot of data volume, since the website of the panel and the applet for the VNC password must be downloaded beforehand. If the operator screen has been downloaded, it is polled regularly which leads to an enormous data volume (1.2 Mbytes/h). Downloading the operating screen via GPRS is not recommended!

Sm@rtService Sequence Sm@rtViewer

Make the following settings on the panel: Open the dialog WinCC Control Panel-> WinCC Internet Settings -> Web Server Checkmark the following options. “Enable Remote Transfer” and “Start automatically after rebooting”

Then subsequently start the Sm@rtClient in START-> SIMATIC -> WinCC flexible 2007 Runtime.

Enter the IP Address of the panel as Server and activate LAN.

The session password is default 100.

As soon as the user interface has been downloaded, operator control and monitoring is possible.

The Sm@rtViewer is a sensible alternative to control the panel and the visualization user interface remotely. Here only the operating screen of the panel is loaded. Once the operating screen has been downloaded, it is polled regularly, which leads to an enormous data volume (0.86 Mbytes/h). Downloading the operating screen via GPRS is not recommended!

Note If the transmission occurs via a VPN tunnel and GPRS, the packets in the Ethernet mode are fragmented too much, which WinCC flexible cannot handle. For a transmission via a VPN tunnel and GPRS only the HTTP mode can be used.

A transfer back from the panel to the PC/PG only works in Ethernet mode and is not possible for this constellation.

5.3 Diagnostic scenario 3 for remote station 1 (SOAP)

This diagnostic scenario shows that a SOAP (Simple Object Access Protocol) connection between panel and PC/PG is also possible via a VPN tunnel and that variables can be read and written.

Table 5-4

Instruction Action step Note

Change host file at the PC Open the "lmhosts" file with the editor (C:\Windows\System32\Drivers\ETC\lmhosts). At the end of this file, enter the IP address of the panel (140.70.0.4) as well as its Device Name.

The Device Name of the panel is given at the panel in Menu > Control Panel > Communications Properties > Device Name.

Save this file without the .sam extension.

For changing the lmhosts file, please also refer to FAQ 13336639 (see /4/). The section Setting up a network connection, number 3, contains the respective instructions.

HTML file with SOAP connection

Open the HTML page SOAP-htm.

Here you can read and write WinCC flexible variables.

5.4 Diagnostic scenario 4 for remote station 1 (IT-CP standard page)

This diagnostic scenario illustrates the call of an HTML-page of the IT-CP via a VPN tunnel, which contains diagnostic entries of the CPU and CP as well as other relevant information.

Table 5-5

Instruction Action step Note

IT-CP website Start a standard web browser, e.g. Internet Explorer, and enter the address of the IT-CP (http://140.70.0.2).

The website of the CP contains the server information, the current rack setup, diagnostic buffer entries as well as additional information.

S7 applets Generate an HTML page with S7-applets

Store the files in the filing system of the IT-CP

Start a standard web browser i.e. Internet Explorer and enter the address of your generated HTML page in IT-CP.

Downloading S7 applets via a secured VPN tunnel takes very long and “costs” a lot of data volume depending on the applet size! It is not recommended, to download a Java applet via GPRS.

Note For further information, refer to the CP343-1 Advanced manual. (See /3/ )

5.5 Diagnostic scenario 5 for remote station 2 (S7 routing)

In this diagnostic scenario it is demonstrated that stations connected at PROFIBUS can be addressed via a secured connection. The communication occurs via a DP master which is connected at the Ethernet network. The S7 routing function occurs automatically.

Table 5-6

Instruction Action step Note

S7 Routing Open the Step 7 project for remote station 2.

Open the variable table of the station I_SLAVE and go online. The variables are now read from the I_SLAVE station via Station1.

ET200S is connected with station 1 via PROFIBUS, station 1 in return with the MD741-1 via Ethernet.

5.6 Diagnostic scenario 6 for remote station 1 (S7 routing process devices)

As in diagnostic scenario 5, station 3 is also connected at PROFIBUS in this example. In this diagnostic scenario a SIMOCODE pro device is diagnosed and controlled via a secured connection.

Table 5-7

Instruction Action step Note

S7 Routing Open the Step 7 project for remote station 1.

Follow the instructions in chapter 4.6.2 to open PDM.

In PDM you open Device -> Control/Status Information

In the left part of the window (Figure 5-1) it is possible to control the device, e.g. with the ON>/OFF button.

In the right part of the window the status is displayed.

SIMOCODE is connected with station 1 via PROFIBUS, station 1 in return with the MD741-1 via Ethernet.

Figure 5-2

5.7 Diagnostic scenario 7 for remote station 2 (OPC access)

This scenario shows that communication via OPC does not cause difficulties despite the VPN tunnel and can be used without restrictions. The data are transferred in real-time.

Table 5-8

Instruction Action step Note

OPC Access: OPC server and client in the central service station

Start OPC Scout via START -> SIMATIC -> SIMATIC NET.

Click to connect with the OPC.SimaticNET server and assign a group name.

Double-click on the generated group. In \SYM -> ET200S, select IM151-7 CPU.

Select the variable you wish to monitor and bring it to the group via the -> symbol. Acknowledge with OK.

The variables are now displayed with parameters (value, format, type, etc.).

The variables are monitored in real time via OPC. By default the variables are updated in the OPC client every 500 ms. Reduce this value to save data volume.

OPC Access: OPC server on PG in remote station, OPC client in the central service station

For this OPC connection you must assign access rights on both computers in the DCOM settings.

Start the OPC Scout and add a remote server.
Node name: IP address of the PG/PC on which the OPC server runs
OPC server name: OPC.SimaticNET

Refer to the respective SIMATIC NET manual (see /4/).


6 Modifications and Tips

6.1 Add remote station

In this section we show you which steps you must take to connect a further remote station to the central service station with the GPRS router MD741-1.

For each further remote station a VPN tunnel to the SCALANCE S612 must be configured (i.e. a further group must be generated).

The following table shows the necessary steps to add a further remote station to the existing ones.

Table 6-1

No. Instruction Remark / Note

1. Use the Security Configuration Tool to open the project created in chapter 4.7.

You must authenticate with user name and password.

2. Insert a new module with Insert -> Module.

Change this module line as follows:
Name: Remote3
Type: MD741-1
IP Address ext.: leave default settings
Subnet Mask ext: leave default settings
IP Address int: 140.60.0.1
Subnet Mask int: 255.255.0.0

Note: Each station must have its own network ID.

3. In the Offline View column, select the VPN groups (all groups) and click the right mouse button. Now create a new group via Insert -> Group.

4. S612 and the MD741-1 Remote3 are placed in Group3. Select the modules S612 and Remote3 individually in the same column and move them into Group3 via drag & drop.

5. SCALANCE and MD741-1 must be loaded again.

6. Connect your PC/PG with the external port of the SCALANCE S.

7. Load the configuration into the SCALANCE S. Select the SCALANCE S module line for this and click Transfer.


8. Create a new directory MD740_Remote3 in D:\GPRS_Configuration9. There you save the configuration for the MD741-1 of Remote Station3. Select the modem module line 4 and click Transfer. Specify the just created directory as a target directory for the configuration files and certificates. Acknowledge the following dialog with Yes for a new certificate password or with No for a default password.

9. Connect the PC/PG to the MD741-1 to be able to configure the module.

10. The configuration of the MD741-1 of remote station 3 is described in chapter 4.8.1.

Use REMOTE3 as the connection name. The text file and the certificates are available at <LW>\GPRS_Configuration9\MD740_Remote3.


6.2 Use the PG/PC from the LAN of the SCALANCE S to access the internet

The settings described in the previous chapters enable a secured communication between the automation cells via the internet.

If you wish to access the internet or the external network of the SCALANCE S with a PG/PC from the automation cell protected by the SCALANCE S, proceed as follows.

Table 6-2

No. Instruction Remark / Note

1. Select the first module line (SCALANCE S module). Double-click Properties to open the properties dialog.

2. Go to the Firewall Settings tab. Click the IP Services Definition... button and then three times on Add IP Service.

3. Define the following IP services:
http (protocol for calling websites)
https (protocol for calling websites with encryption/authentication)
DNS (service for converting domain names into their actual IP address)

4. Change to the Service Groups tab.

In the Name field, enter a name for the service group, e.g. WWW, and click Add.


5. Change to the Service Management tab.

6. Click on the services in the left window and then on the “->” symbol to combine these services into one header. Click OK to apply the settings.

7. In Service, select WWW for the last firewall rule, which has already been configured, so that the WWW service is enabled, and apply the settings with OK.

8. Load the configuration into the SCALANCE S. Select the SCALANCE S module line in the right pane and click Transfer.


6.3 Use the PG/PC from the LAN of the MD741-1 to access the internet

You can also access the internet by connecting your PC in the remote station to the LAN of the MD741-1. Access to the internet is possible in parallel with an existing communication via the VPN tunnel. In this example the PC is connected in the network of remote station 1. Configure the firewall rule on the administrator website of the MD741-1 as follows.

Table 6-3

No. Instruction Remark / Note

1. Open the Internet Protocol (TCP/IP) Properties by selecting Start -> Settings -> Network Connection -> Local Connections.

Select the Use the following IP address check box and fill out the field as shown in the screen shot on the right. Select the option field Use following DNS Server and enter the IP address of the MD741-1 as DNS server according to the screenshot. Close the dialog boxes with “OK”.

2. Connect the PC with the Ethernet connector of the MD741-1 and start the administrator website of the MD741-1.

3. Change to the Local Network -> Basic Settings -> DNS tab and make sure that the default settings are active. The address assigned by the mobile provider for the DNS server is used to process website requests.


4. Change to the External Network -> Security -> Packet Filter tab.

Add a new outgoing firewall rule by clicking new. Select the TCP protocol and enter to port 80 there. Accept the settings with Save.

This rule enables access of all nodes from the internet to all addresses in the internet via port 80. To enable access for an individual node only, for example your PC, use a more specific firewall rule.

Table 6-4

1. In the From IP (von IP) field you enter the IP address of the PC (in this example 140.70.0.69). This rule only enables access of the PC to all other addresses in the internet via port 80.

Configuring MD741-1 as DHCP server

Alternatively you can also configure the MD741-1 as DHCP server, so that your PC is automatically assigned an IP address, subnet mask, default gateway and DNS server.


Table 6-5

No. Instruction Remark / Note

1. Now change to the following tab: Network -> Basic Settings -> DHCP

Start the DHCP server and accept the settings with Save.

2. As default gateway and DNS server you enter the IP address of the MD741-1. Activate the dynamic address pool and define an address range from which the IP address of the PC or other network nodes shall be assigned (e.g. 140.70.0.20 to 140.70.0.80). Accept the settings with Save.

3. Adjust the Internet Protocol (TCP/IP) Properties of the PC with which you wish to access the internet as shown on the screen, so that the PC can dynamically receive an IP address from the DHCP server.

Note For more information, please refer to \5\ and \6\.
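The scope of the two outgoing rules from Tables 6-3 and 6-4, checked against the dynamic address pool from Table 6-5, as an added example that is not part of the Siemens document. The rule model is a simplified assumption with only the fields named in the tables, and the 0.0.0.0/0 source for the rule without a From IP entry is an assumption of this model. It also flags a rule pinned to one address that lies inside the dynamic pool, because such a rule follows whichever node holds that lease.

```python
import ipaddress

# Simplified model of an outgoing packet-filter rule with only the fields named
# in Tables 6-3 and 6-4 (From IP, protocol, to port); not the MD741-1 rule engine.
ANY_NODE = {"from_ip": "0.0.0.0/0", "protocol": "TCP", "to_port": 80}
PC_ONLY = {"from_ip": "140.70.0.69/32", "protocol": "TCP", "to_port": 80}

# Dynamic address pool from Table 6-5.
POOL = ("140.70.0.20", "140.70.0.80")


def allows(rule, src, protocol, port):
    """True if a packet from src with this protocol and destination port matches."""
    return (ipaddress.ip_address(src) in ipaddress.ip_network(rule["from_ip"])
            and protocol == rule["protocol"] and port == rule["to_port"])


def pool_addresses(pool=POOL):
    """Expand the first/last pair of the pool into the list of its addresses."""
    first, last = (int(ipaddress.ip_address(a)) for a in pool)
    return [str(ipaddress.ip_address(n)) for n in range(first, last + 1)]


def audit(rule, pool=POOL):
    """Count pool addresses the rule lets out; flag a single-host source in the pool."""
    addrs = pool_addresses(pool)
    allowed = [a for a in addrs if allows(rule, a, rule["protocol"], rule["to_port"])]
    net = ipaddress.ip_network(rule["from_ip"])
    return {
        "pool_size": len(addrs),
        "allowed_from_pool": len(allowed),
        # A single-host source taken from the dynamic pool follows the lease, not the PC.
        "source_is_dynamic": net.num_addresses == 1 and str(net.network_address) in addrs,
    }


if __name__ == "__main__":
    for name, rule in (("any node", ANY_NODE), ("PC only", PC_ONLY)):
        print(name, audit(rule))
    # Port 443 is not covered by either rule.
    print(allows(PC_ONLY, "140.70.0.69", "TCP", 443))
```

If the PC is to keep the narrow rule while using DHCP, its address has to stay outside the dynamic range or otherwise remain fixed.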


6.4 Maximum number of remote stations

Quantity framework SCALANCE S61x

For maintenance of more than 64 remote stations you can also use an S613 module. Instead of the S612 V2 you enter an S613 V2 into your Security Configuration Tool project. Then proceed as described in chapter 4.7.

SCALANCE S612: up to 64 VPN tunnels

SCALANCE S613: up to 127 VPN tunnels

6.5 Notes/ tips on planning the IP addresses

WARNING If the SCALANCE S communicates with several MD741-1 devices, each remote station must have a different network ID. The SCALANCE S can only tell from the configured network ID which data packets must be sent to which tunnel.

Figure 6-1: SCALANCE S612 with Security Configuration Tool and PG/PC with STEP 7 (STEP 7 projects 1 to 3), connected to Remote Station 1 (Net ID: 140.60.0.0, Subnet: 255.255.0.0, node 140.60.0.4), Remote Station 2 (Net ID: 140.70.0.0, Subnet: 255.255.0.0, node 140.70.0.11) and Remote Station 3 (Net ID: 140.80.0.0, Subnet: 255.255.0.0, node 140.80.0.8). The SCALANCE S knows from the SCT configuration which data packet needs to go into which tunnel.
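The address-planning rule from the warning in 6.5 together with the tunnel limits from 6.4, as an added example that is not part of the Siemens document. It checks a plan of remote-station networks for overlapping network IDs and shows which tunnel a destination address would select; the function names and the fourth station are constructed for illustration.

```python
import ipaddress

# Tunnel limits from section 6.4 of this document.
MAX_TUNNELS = {"S612": 64, "S613": 127}

# Address plan from Figure 6-1; every station uses subnet mask 255.255.0.0.
PLAN = {
    "Remote Station 1": "140.60.0.0/255.255.0.0",
    "Remote Station 2": "140.70.0.0/255.255.0.0",
    "Remote Station 3": "140.80.0.0/255.255.0.0",
}


def net_of(spec):
    # strict=False also accepts a device address such as 140.70.5.1/255.255.0.0
    return ipaddress.ip_network(spec, strict=False)


def check_plan(plan, module="S612"):
    """Return a list of problems: too many tunnels or overlapping network IDs."""
    problems = []
    limit = MAX_TUNNELS[module]
    if len(plan) > limit:
        problems.append(f"{len(plan)} stations exceed the {limit} VPN tunnels of the {module}")
    nets = [(name, net_of(spec)) for name, spec in plan.items()]
    for i, (name_a, net_a) in enumerate(nets):
        for name_b, net_b in nets[i + 1:]:
            if net_a.overlaps(net_b):
                problems.append(f"{name_a} ({net_a}) overlaps {name_b} ({net_b})")
    return problems


def tunnels_for(plan, destination):
    """Return the stations whose network ID contains the destination address."""
    addr = ipaddress.ip_address(destination)
    return [name for name, spec in plan.items() if addr in net_of(spec)]


if __name__ == "__main__":
    print(check_plan(PLAN))  # plan from Figure 6-1
    # Constructed mistake: a fourth station configured inside station 2's network.
    bad = {**PLAN, "Remote Station 4": "140.70.5.1/255.255.0.0"}
    print(check_plan(bad))
    print(tunnels_for(bad, "140.70.0.11"))  # two candidates, so the tunnel is ambiguous
```

A destination that matches more than one station is exactly the case the warning describes: the network ID no longer identifies a single tunnel.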


7 Related Literature

7.1 Bibliography

This list is not complete and only represents a selection of relevant literature.

Table 7-1

Subject Title

/1/ MD741-1 EGPRS/GPRS-Router SINAUT MD741-1 System manual http://support.automation.siemens.com/WW/view/en/31385703

/2/ SCALANCE S SCALANCE S and SOFTNET Security Client http://support.automation.siemens.com/WW/view/en/21718449

/3/ CP 343-1 Advanced Manual Part B3A CP 343-1 Advanced http://support.automation.siemens.com/WW/view/en/22261695

/4/ SIMATIC NET SIMATIC NET Industrial Communications Commissioning PC Stations - Manual and Quick Start http://support.automation.siemens.com/WW/view/en/13542666

7.2 Internet Link Specifications

This list is not complete and only represents a selection of relevant information.

Table 7-2

Subject Title

\1\ Siemens I IA/DT Customer Support

http://support.automation.siemens.com

\2\ Download of Firmware V2.3 for SCALANCE S

http://support.automation.siemens.com/WW/view/en/37352999

\3\ Country Approval MD741-1

http://support.automation.siemens.com/WW/view/en/24795895

\4\ How do you integrate an HMI operator panel into a local network?

http://support.automation.siemens.com/WW/view/en/13336639

\5\ Which firewall rules should you configure for SCALANCE S in order to have access to the Internet with the PG/PC via the SCALANCE and router?

http://support.automation.siemens.com/WW/view/en/26517928

\6\ Which firewall rules should you configure for the EGPRS router MD741-1 in order to have access to the Internet with the PG/PC from the LAN of the MD741-1?

http://support.automation.siemens.com/WW/view/en/31525978

8 History

Table 8-1 History

Version Date Change

V1.0 04.04.2007 First version

V2.0 11.09.2008 Update to EGPRS router MD741-1 and SCT V2.2. Expansion of the scenarios to process devices which can be configured via SIMATIC PDM.

V2.1 14.02.2011 Notes and corrections have been inserted.