FAQ about Communication
Establishing a VPN Tunnel between PC Station and SCALANCE S 61x via the Internet Using the Microsoft Management Console
FAQ
VPN Tunnel between PC Station with Win XP SP2 and SCALANCE S 61x V2.1 via Internet
Entry ID: 26098354
V1.0 07/13/07
Copyright © Siemens AG 2007 All rights reserved VPN_Tunnel_Internet_e.doc
Table of Contents
1 The IPsec tunnel ... 4
2 Configuration – Overview ... 6
2.1 Configuring the gateway in the PLC ... 7
2.2 Configuring the gateway in the PC station ... 7
3 Configuration of the standard DSL Routers ... 9
3.1 Configuration of the standard DSL router A (connected to PC station) ... 9
3.2 Configuration of the standard DSL router B (connected to SCALANCE S) ... 9
4 Configuration of the IPsec Channel Using the Microsoft Management Console ... 10
4.1 Adding snap-ins ... 10
4.2 Creating IP security policy ... 13
4.3 Adding or editing security methods ... 14
4.4 Adding security rule for the data traffic from the PC station to the SCALANCE S 61x module ... 15
4.4.1 Creating IP filter ... 16
4.4.2 Creating and assigning filter action ... 18
4.4.3 Defining authentication method ... 21
4.4.4 Defining tunnel settings ... 22
4.5 Adding security rule for the data traffic from the SCALANCE S 61x module to the PC station ... 23
4.5.1 Creating IP filter ... 23
4.5.2 Assigning filter action ... 25
4.5.3 Authentication method ... 26
4.5.4 Defining tunnel settings ... 26
5 SCALANCE S 61x Configuration ... 29
6 Establishing VPN Tunnel ... 34
6.1 Checking IPsec services ... 34
6.2 Establishing IPsec tunnel ... 36
6.3 Checking IPsec tunnel status ... 36
7 History ... 38
This entry is from the Internet offer of Siemens AG, Automation and Drives, Service & Support. Clicking the link below directly displays the download page of this document.
http://support.automation.siemens.com/WW/view/en/26098354
Question How is a VPN tunnel between the PC station with Windows XP SP2 and a SCALANCE S 61x V2.1 module configured via the internet using the Microsoft Management Console?
Answer It is possible to establish a VPN tunnel from the PC station with Windows XP SP2 to a SCALANCE S 61x V2.1 module in routing mode via the internet. The Microsoft Management Console and the Security Configuration Tool are used for configuring the VPN tunnel.
The corresponding prerequisites are listed below:
• To support the establishment of the tunnel via the internet in routing mode, SCALANCE S 61x with firmware V2.1 and the Security Configuration Tool V2.1 are required. The firmware V2.1 for the SCALANCE S 61x module can be downloaded; the Entry ID is 24457842.
• The standard DSL routers A and B must support the NAT-T (network address translation-traversal) and NAPT (network address port translation) functions.
• A fixed external IP address for the standard DSL router B is required, which has to be parameterized on the passive SCALANCE S 61x module. Passive means here that the SCALANCE S 61x module waits until the partner initiates the establishment of the tunnel.
• A PC station with Windows XP SP2 is required which initiates the tunnel establishment.
1 The IPsec tunnel
The SCALANCE S module uses the IPsec protocol for tunneling.
The data exchange via an IPsec tunnel in the VPN has the following properties:
• Authentication – only persons with a corresponding authorization can establish a tunnel
• Integrity – ensures that the exchanged data have not been modified
• Confidentiality – the exchanged data are tap-proof
Key-based or certificate-based authentication methods are supported:
• Preshared key
• Certificate
The SCALANCE S module supports the following integrity check methods:
• SHA-1 – Secure Hash Algorithm 1
• MD5 – Message Digest Version 5
In addition, the SCALANCE S module supports the following encryption algorithms:
• DES – Data Encryption Standard
• 3DES – Triple DES
• AES – Advanced Encryption Standard (this encryption algorithm is supported by the SCALANCE S module only in phase 2 of the data exchange via IPsec.)
The data exchange via the IPsec tunnel consists of two phases:
• Phase 1 – key exchange (IKE, Internet Key Exchange)
• Phase 2 – data exchange (ESP, Encapsulating Security Payload)
The IKE protocol is used for the automatic IPsec key management. It uses the Diffie-Hellman key exchange for a secure exchange of keys over an insecure network. One of the following key exchange methods is used:
• Main mode
• Aggressive mode
The following sections describe the individual configuration steps you have to perform to be able to establish the VPN tunnel via the internet.
The following parameters are configured for the key exchange (IKE, Internet Key Exchange):
Table 1-1 IKE parameters
IKE Parameter            Value
Authentication method    Preshared key
Integrity check method   SHA-1
Encryption algorithm     3DES
Key exchange method      Main mode
Diffie-Hellman           DH2
The following parameters are configured for the data exchange (ESP, Encapsulating Security Payload):
Table 1-2 ESP parameters
ESP parameter            Value
Integrity check method   SHA-1
Encryption algorithm     Triple DES (3DES)
2 Configuration – Overview
Figure 2-1 shows the configuration.
Figure 2-1 Configuration (network diagram; the addresses shown in the figure are listed below)
• PC station with Windows XP SP2 and optionally STEP 7: IP address 192.168.2.7, default gateway 192.168.2.1
• Standard DSL router A (ISP 1): external IP address 217.91.50.138, internal IP address 192.168.2.1
• Internet: VPN tunnel (IPsec) between the PC station and SCALANCE S 61x
• Standard DSL router B (ISP 2): fixed external IP address 217.91.8.166, internal IP address 192.168.2.1
• SCALANCE S 61x: external IP address 192.168.2.5, internal IP address 140.80.0.2, default gateway 192.168.2.1
• Protected automation cell: CPU 315-2DP with CP 343-1, IP address 140.80.0.3, default gateway 140.80.0.2
2.1 Configuring the gateway in the PLC
The CPU 315-2DP with the CP 343-1 is located in the internal Ethernet network that is protected by the SCALANCE S 61x V2.1 module. SCALANCE S 61x V2.1 is the router or gateway for the CP 343-1.
For this reason, you have to enter the internal IP address 140.80.0.2 of the SCALANCE S 61x V2.1 module as a router or gateway in the Ethernet interface properties of the CP 343-1.
Figure 2-2 Specifying gateway or router in the S7-300 controller (callout: internal IP address of SCALANCE S 61x)
2.2 Configuring the gateway in the PC station
The PC station with the IP address 192.168.2.7 is located in the external Ethernet network of the SCALANCE S 61x V2.1 module. The standard router A is the gateway or router for the PC station. For this reason, in the Windows Network Connections in the Local Area Connection Properties, enter the internal IP address 192.168.2.1 of the standard router A as the “default gateway”. In addition, the standard router A is used as the DNS server for the PC station.
Figure 2-3 Specifying default gateway in the PC station (callouts: internal IP address of the standard router A; IP address of the PC station)
Note When the standard router A is DHCP-capable, the PC can automatically obtain its IP and DNS server address from router A.
3 Configuration of the standard DSL Routers
3.1 Configuration of the standard DSL router A (connected to PC station)
The standard DSL router A is on the active side, i.e., the PC station initiates the establishment of the VPN tunnel. It is thus not required to configure port forwarding rules for the PC station’s IPsec packets in the standard DSL router A.
However, if the PC station has a fixed IP address, port forwarding can optionally be set up so that UDP packets from the internet that are addressed to ports 500 and 4500 of the router are forwarded to ports 500 and 4500 of the connected PC station.
This means: the IP address 192.168.2.7 of the PC station is entered in the port forwarding settings of the standard DSL router A.
Figure 3-1 Port forwarding for standard DSL router A (callout: IP address of PC station)
3.2 Configuration of the standard DSL router B (connected to SCALANCE S)
On the standard DSL router B, port forwarding has to be set up so that UDP packets from the internet that are addressed to ports 500 and 4500 of the router are forwarded to ports 500 and 4500 of the connected SCALANCE S 61x module.
This means: the external IP address 192.168.2.5 of the SCALANCE S 61x module is entered in the port forwarding settings of the standard DSL router B.
Figure 3-2 Port forwarding for standard DSL router B (callout: external IP address of SCALANCE S 61x)
4 Configuration of the IPsec Channel Using the Microsoft Management Console
Use the Microsoft Management Console (MMC) for configuring the IPsec tunnel in the PC station.
Open the MMC via the Windows START menu “Run...” with the “mmc” command.
Figure 4-1 Opening Microsoft Management Console
4.1 Adding snap-ins
At first the following snap-ins are inserted into the MMC console root via the “File > Add/Remove Snap-in...” menu:
• IP Security Monitor
• IP Security Policy Management
• Services
The “Add/Remove Snap-in” window opens. Select the “Add...” button to go to the “Add Standalone Snap-in” window. In this window, select the corresponding snap-in and add it using the “Add” button.
Figure 4-2 Adding snap-in
In the “Add Standalone Snap-in” window, select the “IP Security Monitor” snap-in and add it using the “Add” button.
Figure 4-3 Adding “IP Security Monitor” snap-in
Subsequently, add the “IP Security Policy Management” snap-in. When selecting the computer or domain to be managed, specify the local computer.
Figure 4-4 Adding “IP Security Policy Management” snap-in
You also specify the local computer when selecting the computer to be managed while adding the “Services” snap-in.
Figure 4-5 Adding “Services” snap-in
After adding the necessary snap-ins, exit the “Add Standalone Snap-in” window by selecting the “Close” button and the “Add/Remove Snap-in” window by selecting the “OK” button.
The added snap-ins are now included in the console root of the MMC so that a new IP security policy can be created.
Figure 4-6 Console root with inserted snap-in
4.2 Creating IP security policy
To create a new IP security policy, select the “IP Security Policies on Local Computer” snap-in in the console root and create a new IP security policy via the “Action > Create IP Security Policy...” menu.
Figure 4-7 Creating IP security policy
The wizard for creating a new IP security policy opens. At first, name the new IP security policy. In this example, the name is “VPNtunnel_PC_ScalanceS”.
Figure 4-8 Naming IP security policy
In the next step, deactivate the default response rule since the authentication method will be defined later.
In the last step, the “Edit properties” option is activated to be able to edit and configure the IP security policy.
Figure 4-9 Deactivating default response rule and activating “Edit properties”
4.3 Adding or editing security methods
After exiting the IP Security Policy Wizard by selecting “Finish”, the Properties window of the just created “VPNtunnel_PC_ScalanceS” IP security policy is displayed. In this window, the policy is configured and edited.
At first configure the key exchange settings between PC station and SCALANCE S.
In the Properties window of the “VPNtunnel_PC_ScalanceS” IP security policy, select the “General” tab.
Select the “Advanced...” button to go to the “Key Exchange Settings” window. In this window, use the “Methods…” button to add or edit the security methods (encryption and integrity) that are supported during the authentication.
The following security methods are to be supported during the authentication:
Table 4-1 Security methods
Encryption   Integrity   Diffie-Hellman
3DES         SHA1        Low
3DES         SHA1        Medium
DES          MD5         Low
DES          MD5         Medium
Figure 4-10 Key exchange settings
After configuring the key exchange settings, the IP security rules are defined. A total of two IP security rules are defined. The first IP security rule determines the data traffic from the PC station to the network that is protected by the SCALANCE S module. The second IP security rule determines the data traffic from the network protected by the SCALANCE S module to the PC station.
4.4 Adding security rule for the data traffic from the PC station to the SCALANCE S 61x module
To add the first IP security rule, select the “Rules” tab of the IP security policy Properties window. The “Add…” button is used to add a new IP security rule. The New Rule Properties window opens.
Figure 4-11 Adding IP security rule
4.4.1 Creating IP filter
The IP filter determines the data traffic of an IP security rule.
In the New Rule Properties window in the “IP Filter List” tab, use the “Add…” button to create a new IP filter.
Figure 4-12 Creating IP filter
The new IP filter is named “channel_from_PC_to_SCALANCE”. Select the “Add...” button to go to the Filter Properties window. The data traffic direction is defined here. Since the first IP security rule determines the data traffic from the PC station to the network that is protected by the SCALANCE S module, enter the following parameters:
• Source address: IP address of the PC station
• Destination address: subnet connected to the internal SCALANCE S port
The “Mirrored. Also match packets with the exact opposite source and destination addresses” option is deactivated. A second security rule with a corresponding IP filter determining the data traffic from the SCALANCE S module to the PC will be added later.
Figure 4-13 Defining name and properties of the IP filter
The “channel_from_PC_to_SCALANCE” IP filter is now included in the IP filter list. Select the “channel_from_PC_to_SCALANCE” IP filter and subsequently select the “Filter Action” tab in the New Rule Properties window to add a new filter action and to assign it to the IP filter.
Figure 4-14 Selecting IP filter
4.4.2 Creating and assigning filter action
Use the “Add...” button to go to the New Filter Action Properties window.
Since a security method for this filter action does not yet exist, a new security method has to be created. In the New Filter Action Properties window in the “Security Methods” tab, activate the “Negotiate security:” option and select the “Add…” button.
Figure 4-15 Creating filter action
Create a user-defined security method. Make the following settings for your user-defined security method with data integrity and encryption:
• Integrity algorithm: SHA1
• Encryption algorithm: 3DES
Figure 4-16 Security method settings
After creating the user-defined security method with the corresponding settings, this method is visible in the New Filter Action Properties window in the “Security Methods” tab. The newly created security method is applied to the filter action.
Figure 4-17 Applying security method
In the New Filter Action Properties window, select the “General” tab. Name the filter action, e.g. “IPSec Configuration”, and apply this name.
Figure 4-18 Naming filter action
Subsequently, in the New Rule Properties window in the “Filter Action” tab, select the “IPSec Configuration” filter action.
Figure 4-19 Selecting filter action
4.4.3 Defining authentication method
Now define the preshared key authentication method. In the New Rule Properties window, select the “Authentication Methods” tab. In this example, the preshared key is “scalance”.
Figure 4-20 Configuring authentication method
Finally, the authentication method is applied to the security rule.
Figure 4-21 Applying authentication method
4.4.4 Defining tunnel settings
The standard DSL router B, which is connected to the external SCALANCE S port, has a fixed external IP address known on the internet and is located on the passive side of the IPsec tunnel.
This means: the fixed external IP address of the standard DSL router B is the tunnel endpoint for the PC station. The standard DSL router B then has to forward the UDP packets from the internet that are addressed to ports 500 and 4500 of the router to ports 500 and 4500 of the connected SCALANCE S module.
Define the tunnel endpoint in the Edit Rule Properties window in the “Tunnel Setting” tab. Enter the fixed external IP address 217.91.8.166 of the standard router B for the tunnel endpoint.
Figure 4-22 Defining tunnel endpoint (callout: fixed external IP address of the standard router B)
After defining the tunnel endpoint and applying it to the IP security rule, exit the Edit Rule Properties window by selecting the “OK” button.
The Properties window of the “VPNtunnel_PC_ScalanceS” IP security policy is displayed.
The second IP security rule for the data traffic from the network protected by the SCALANCE S module to the PC station is now created.
4.5 Adding security rule for the data traffic from the SCALANCE S 61x module to the PC station
In the Properties window of the “VPNtunnel_PC_ScalanceS” IP security policy, use the “Add…” button to create the second IP security rule.
Figure 4-23 Adding security rule
4.5.1 Creating IP filter
The New Rule Properties window opens. In the “IP Filter List” tab, use the “Add…” button to create a new IP filter. This filter determines the data traffic of the second security rule.
Figure 4-24 Creating IP filter
The IP filter is named “channel_from_SCALANCE_to_PC”. Select the “Add...” button to go to the Filter Properties window. The data traffic direction is defined here. Since the second IP security rule determines the data traffic from the network that is protected by the SCALANCE S module to the PC station, enter the following parameters:
• Source address: subnet connected to the internal SCALANCE S port
• Destination address: IP address of the PC station
The “Mirrored. Also match packets with the exact opposite source and destination addresses” option is deactivated. A separate security rule exists for the data traffic from the PC to the SCALANCE S module.
Figure 4-25 Defining name and properties of the IP filter
The “channel_from_SCALANCE_to_PC” IP filter is now included in the IP filter list. Select the “channel_from_SCALANCE_to_PC” IP filter and subsequently select the “Filter Action” tab in the New Rule Properties window to assign the already defined “IPSec Configuration” filter action to the IP filter.
Figure 4-26 Selecting IP filter
4.5.2 Assigning filter action
In the “Filter Action” tab of the New Rule Properties window, the “IPSec Configuration” filter action is selected.
Figure 4-27 Selecting filter action
4.5.3 Authentication method
Now define the authentication method for the second security rule as described in chapter 4.4.3.
4.5.4 Defining tunnel settings
The PC station initiates the establishment of the IPsec tunnel.
This means: The IP address of the PC station is the tunnel endpoint for the SCALANCE S module.
Define the tunnel endpoint in the New Rule Properties window in the “Tunnel Setting” tab. Enter the IP address 192.168.2.7 of the PC station for the tunnel endpoint.
Figure 4-28 Defining tunnel setting (callout: IP address of the PC station)
After defining the tunnel endpoint, exit the New Rule Properties window by selecting the “OK” button.
The Properties window of the “VPNtunnel_PC_ScalanceS” IP security policy is displayed.
Select the two security rules created above and apply the selection:
• channel_from_PC_to_SCALANCE
• channel_from_SCALANCE_to_PC
Figure 4-29 Selecting security rules
Use the “Close” button to exit the Properties window of the “VPNtunnel_PC_ScalanceS” IP security policy.
Subsequently, configure SCALANCE S 61x V2.1 using the Security Configuration Tool V2.1.
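The IP security policy that chapter 4 builds click by click (policy, the two non-mirrored filter lists, the “IPSec Configuration” filter action, the two tunnel rules with the preshared key) and its assignment from chapter 6, restated as a script so the configuration can be reviewed and reproduced. This is an added example and not part of the Siemens document; it assumes the netsh “ipsec static” context (Windows Server 2003 and later, not present in a default Windows XP SP2 installation, where the MMC steps above or ipseccmd.exe apply), the Windows default quick-mode lifetimes, and the 140.80.0.0/255.255.0.0 internal subnet from chapter 5.

```batch
@echo off
rem Added example, not from the Siemens document: the MMC policy of chapter 4
rem expressed with netsh. Assumes a Windows version whose netsh offers the
rem "ipsec static" context (Windows Server 2003 and later).
rem Names and addresses are those used in the document's example.

set POLICY=VPNtunnel_PC_ScalanceS
set PC_IP=192.168.2.7
set CELL_NET=140.80.0.0
set CELL_MASK=255.255.0.0
set ROUTER_B_EXT=217.91.8.166

rem 4.2 / 4.3: policy without the default response rule; main-mode (IKE
rem phase 1) methods as in Table 4-1, DH group 1 = "Low", group 2 = "Medium".
netsh ipsec static add policy name=%POLICY% ^
    description="PC station to SCALANCE S 61x via Internet" ^
    activatedefaultrule=no ^
    mmsecmethods="3DES-SHA1-1 3DES-SHA1-2 DES-MD5-1 DES-MD5-2"

rem 4.4.1: filter PC station -> protected cell, not mirrored.
netsh ipsec static add filterlist name=channel_from_PC_to_SCALANCE
netsh ipsec static add filter filterlist=channel_from_PC_to_SCALANCE ^
    srcaddr=%PC_IP% dstaddr=%CELL_NET% dstmask=%CELL_MASK% ^
    protocol=ANY mirrored=no

rem 4.5.1: filter protected cell -> PC station, not mirrored.
netsh ipsec static add filterlist name=channel_from_SCALANCE_to_PC
netsh ipsec static add filter filterlist=channel_from_SCALANCE_to_PC ^
    srcaddr=%CELL_NET% srcmask=%CELL_MASK% dstaddr=%PC_IP% ^
    protocol=ANY mirrored=no

rem 4.4.2: filter action "IPSec Configuration": negotiate ESP with 3DES/SHA1
rem (Table 1-2). The lifetimes are the Windows quick-mode defaults (assumed,
rem not from the document). inpass=no and soft=no mean no unprotected
rem fallback for traffic matched by the filters.
netsh ipsec static add filteraction name="IPSec Configuration" ^
    action=negotiate inpass=no soft=no ^
    qmsecmethods="ESP[3DES,SHA1]:100000k/3600s"

rem 4.4.3 / 4.4.4: rule PC -> SCALANCE; tunnel endpoint is the fixed external
rem address of router B. "scalance" is the document's example preshared key.
netsh ipsec static add rule name=channel_from_PC_to_SCALANCE policy=%POLICY% ^
    filterlist=channel_from_PC_to_SCALANCE filteraction="IPSec Configuration" ^
    tunnel=%ROUTER_B_EXT% psk=scalance

rem 4.5.3 / 4.5.4: rule SCALANCE -> PC; tunnel endpoint is the PC station.
netsh ipsec static add rule name=channel_from_SCALANCE_to_PC policy=%POLICY% ^
    filterlist=channel_from_SCALANCE_to_PC filteraction="IPSec Configuration" ^
    tunnel=%PC_IP% psk=scalance

rem 6.2: assign the policy (the IPSEC Services service must be running, 6.1).
netsh ipsec static set policy name=%POLICY% assign=yes

rem 6.3: after the first packet towards the cell, list the negotiated
rem main-mode and quick-mode security associations.
netsh ipsec dynamic show mmsas
netsh ipsec dynamic show qmsas
```

The two `show` commands at the end only list an SA once traffic (for example the ping of section 6.3) has triggered the negotiation with the SCALANCE S module.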
5 SCALANCE S 61x Configuration
The SCALANCE S 61x V2.1 module is configured using the Security Configuration Tool V2.1.
Open the Security Configuration Tool (SCT) via the Windows START menu -> SIMATIC -> SCALANCE -> Security.
After creating a new project in the SCT, insert one module of the S612 V2 type and one of the MD740-1 type via the Insert Module menu. The module of the MD740-1 type is inserted to model the part of the configuration that is formed by the standard DSL router A and the PC station.
Figure 5-1 Inserting module
The external IP address 192.168.2.5 in subnet 255.255.255.0 is assigned to the SCALANCE S module. In addition, you have to enter the MAC address of SCALANCE S in the SCT.
The standard DSL router B is the gateway for SCALANCE S. For this reason, the internal IP address 192.168.2.1 of the standard DSL router B is specified for the default gateway of the S612 V2 module.
The external and internal IP address of the standard DSL router A is entered for the module of the MD740-1 type. In this example, the external IP address of the standard DSL router A is 217.91.50.138. The internal IP address of the standard DSL router A is 192.168.2.1.
In addition, the module names “SCALANCE” and “RouterA” are assigned.
Figure 5-2 Inserted modules
Select the “View” menu and activate “Advanced Mode”.
Figure 5-3 Activating Advanced Mode
Activate the routing mode for the SCALANCE S module in the “SCALANCE” Module Properties window in the “Routing Modus” tab. Enter the internal IP address 140.80.0.2 and the subnet mask 255.255.0.0 of SCALANCE S.
Figure 5-4 Activating Routing Modus
Subsequently, create a new group by selecting Insert Group.
Figure 5-5 Group
Use drag & drop to assign the two modules of the type S612 V2 and MD740-1 to this group.
Figure 5-6 Assigning modules to group (callout: drag & drop)
In the Group Properties, make the settings for authentication and security method.
The settings for authentication and security method are made analogously to the configuration in the MMC, i.e.:
• Enter the preshared key “scalance”.
• Enter the integrity algorithm “SHA1” for phase 1 and 2 of the data exchange via IPsec.
• Enter the encryption algorithm “3DES” for phase 1 and 2 of the data exchange via IPsec.
Figure 5-7 Group properties
In the “SCALANCE” Module Properties window in the “VPN” tab, make the settings for establishing the VPN tunnel.
SCALANCE S 61x V2.1 is parameterized as a passive module. In addition, you have to enter a fixed external IP address of the connected standard DSL router via which the active module initiates the tunnel establishment. In this example, enter the fixed external IP address 217.91.8.166 of the standard DSL router B.
Figure 5-8 Module Properties “VPN” tab
To complete the SCALANCE S configuration, transfer the configuration data from the Security Configuration Tool to the SCALANCE S 61x V2.1 module. In “All Modules”, select the corresponding module of the S612 V2 type and use the “Load” button.
Figure 5-9 Loading the configuration into the SCALANCE S 61x module
6 Establishing VPN Tunnel
6.1 Checking IPsec services
After configuring the IPsec tunnel using the MMC and the Security Configuration Tool, the VPN tunnel between PC station and SCALANCE S can be established via the internet. It is required that the “IPSEC Services” service is started and active. This can be checked in the Microsoft Management Console. In the MMC console root, select the “Services (Local)” snap-in. You see an overview of the services provided by your PC station. In this overview, search for “IPSEC Services”.
Figure 6-1 IPSEC Services
Now double-click “IPSEC Services”. The IPSEC Services Properties window opens.
In the “General” tab, check the service status. The service status must be “Started”.
Figure 6-2. IPSEC Services Properties window, “General” tab
In the “Log On” tab, you can check whether the “IPSEC Services” service is activated on your PC station.
Figure 6-3 IPSEC Services Properties window, “Log On” tab
6.2 Establishing IPsec tunnel
The establishment of the IPsec tunnel between the PC station with Windows XP SP2 and the SCALANCE S 61x V2.1 module is initiated using the MMC. In the MMC console root, select the “IP Security Policies on Local Computer” snap-in. Now select the “VPNtunnel_PC_ScalanceS” IP security policy and assign it to the PC station by selecting “Action > Assign”.
Figure 6-4 Assigning IP security policy to the PC station
6.3 Checking IPsec tunnel status
When the IPsec tunnel between the PC station and the SCALANCE S module has been established via the internet, the protected automation cell (CP 343-1) can be accessed from the PC station, i.e.
• You can access SCALANCE S 61x V2.1 online using the Security Configuration Tool. To do this, use the “Online” button. If this online access has been successful, you can access the SCALANCE S 61x module via the VPN tunnel. In the Online View of the “SCALANCE” module “Communication Status” tab, the “enabled” tunnel status is displayed.
Figure 6-5 Online access to SCALANCE S 61x V2.1 using SCT
Figure 6-6 IPsec tunnel status
• A ping can be sent from the PC station to the IP address of the CP 343-1. In addition, a ping can be sent to the internal IP address of the SCALANCE S 61x module.
• In STEP 7, you can use the PG/OP functions for online access to the S7-300 controller, so that you can load the STEP 7 project or the configuration into the CPU of the S7-300 controller or read out the CPU diagnostics buffer.
Note Layer2 protocols such as the “Accessible Nodes” function in STEP 7 are not possible via the VPN tunnel.
A firewall that is additionally installed on the PC may cause problems.
ATTENTION This configuration was tested on several standard PCs with Windows XP SP2. It cannot be guaranteed that this example works correctly in all PC configurations.
7 History
Version   Date        Modification
V 1.0                 First edition