Remote Networks Overview Doku en

Application Description 09/2014
IP-based Remote Networks

SCALANCE M, SCALANCE S, CP x43-1 Advanced, CP 1x43-1,
TS Adapter IE Advanced
http://support.automation.siemens.com/WW/view/de/26662448
Warranty and Liability
Warranty and Liability

Note
The Application Examples are not binding and do not claim to be complete
regarding the circuits shown, equipping and any eventuality. The Application
Examples do not represent customer-specific solutions. They are only intended
to provide support for typical applications. You are responsible for ensuring that
the described products are used correctly. These Application Examples do not
relieve you of the responsibility to use safe practices in application, installation,
operation and maintenance. When using these Application Examples, you
recognize that we cannot be made liable for any damage/claims beyond the
liability clause described. We reserve the right to make changes to these
Application Examples at any time without prior notice. If there are any deviations
between the recommendations provided in these Application Examples and
other Siemens publications e.g. Catalogs the contents of the other
documents have priority.
We do not accept any liability for the information contained in this document.
Siemens AG 2014 All rights reserved
Any claims against us based on whatever legal reason - resulting from the use of
the examples, information, programs, engineering and performance data etc.,
described in this Application Example shall be excluded. Such an exclusion shall
not apply in the case of mandatory liability, e.g. under the German Product Liability
Act ("Produkthaftungsgesetz"), in case of intent, gross negligence, or injury of life,
body or health, guarantee for the quality of a product, fraudulent concealment of a
deficiency or breach of a condition which goes to the root of the contract
("wesentliche Vertragspflichten"). The damages for a breach of a substantial
contractual obligation are, however, limited to the foreseeable damage, typical for
the type of contract, except in the event of intent or gross negligence or injury to
life, body or health. The above provisions do not imply a change of the burden of
proof to your detriment.
Any form of duplication or distribution of these Application Examples or excerpts
hereof is prohibited without the expressed consent of Siemens Industry Sector.
Security
information
Siemens provides products and solutions with industrial security functions that
support the secure operation of plants, solutions, machines, equipment and/or
networks. They are important components in a holistic industrial security
concept. With this in mind, Siemens' products and solutions undergo continuous
development. Siemens recommends strongly that you regularly check for
product updates. Siemens recommends strongly that you regularly check for
product updates.
For the secure operation of Siemens products and solutions, it is necessary to
take suitable preventive action (e.g. cell protection concept) and integrate each
component into a holistic, state-of-the-art industrial security concept. Third-party
products that may be in use should also be considered. For more information
about industrial security, visit http://www.siemens.com/industrialsecurity.
To stay informed about product updates as they occur, sign up for a productspecific newsletter. For more information, visit
http://support.automation.siemens.com.

Entry ID: 26662448, V2.0,
09/2014
Table of Contents
Table of Contents
Warranty and Liability .............................................................................................. 2
1
Remarks on this Document............................................................................ 6

1.1
1.2
1.3
Introduction to Remote Networks.................................................................. 9

2.1
2.2
2.2.1
2.2.2
2.2.3
2.2.4
2.2.5
2.2.6
2.2.7
Remote networks & industrial security................................................ 9

Security Integrated product portfolio................................................. 11
SCALANCE S.................................................................................. 12
SOFTNET Security Client ................................................................ 12
SCALANCE M-800 .......................................................................... 12
CP x43-1 Advanced ......................................................................... 14
CP 1x43-1 ....................................................................................... 14
CP 1628 .......................................................................................... 15
TS Adapter IE Advanced ................................................................. 15
SCALANCE S ................................................................................................ 16
3.1
3.1.1
Reason and objective ........................................................................ 6

Features and benefits ........................................................................ 6
Structure of this document ................................................................. 7
3.1.2
3.1.3
3.1.4
3.1.5
3.1.6
3.2
3.2.1
3.2.2
3.2.3
3.2.4
3.2.5
3.3
3.3.1
3.3.2
3.3.3
3.3.4
3.3.5
3.3.6

Entry ID: 26662448, V2.0,
Static IP address ............................................................................. 17

VPN tunnel between SCALANCE S (VPN server) and
SCALANCE S using a static IP address ........................................... 17
SCALANCE M81x-1 using a static IP address.................................. 18
SOFTNET Security Client using a static IP address ......................... 19
VPN tunnel between SCALANCE S (VPN server) and CP x43-1
Advanced using a static IP address ................................................. 20
SCALANCE M874-x using a static IP address.................................. 21
VPN tunnel between SCALANCE S (VPN server) and a mobile
client using a static IP address ......................................................... 22
Dynamic IP address......................................................................... 23
SCALANCE S using a dynamic IP address ...................................... 23
SCALANCE M81x-1 using a dynamic IP address ............................. 24
SOFTNET Security Client using a dynamic IP address .................... 25
SCALANCE M874-x using a dynamic IP address ............................. 26
client using a dynamic IP address .................................................... 27
PPPoE ............................................................................................ 28
SCALANCE S using PPPoE ............................................................ 28
SCALANCE M81x-1 using PPPoE ................................................... 29
SOFTNET Security Client using PPPoE........................................... 30
VPN tunnel between SCALANCE S (VPN server) and CP x43-1
Advanced using PPPoE ................................................................... 31
SCALANCE M874-x using PPPoE ................................................... 32
client using PPPoE .......................................................................... 33
09/2014
Table of Contents
4
SCALANCE M874-x ...................................................................................... 34

4.1
4.1.1
4.1.2
4.1.3
4.1.4
4.1.5
4.1.6
4.2
4.2.1
4.2.2
4.2.3
4.2.4
SCALANCE M81x-1 ...................................................................................... 45

5.1
5.1.1
5.1.2
5.1.3
5.1.4
5.1.5
5.1.6
5.2
5.2.1
5.2.2
5.2.3
5.2.4

VPN tunnel between SCALANCE M874-x (VPN server) and
VPN tunnel between SCALANCE M874-x (VPN server) and CP
x43-1 Advanced using a static IP address ........................................ 37
VPN tunnel between SCALANCE M874-x (VPN server) and CP
1x43-1 using a static IP address ...................................................... 38
VPN tunnel between SCALANCE M874-x (VPN server) and a
mobile client using a static IP address.............................................. 40
VPN tunnel between SCALANCE M874-x (VPN server) and a
mobile client using a dynamic IP address ......................................... 44

VPN tunnel between SCALANCE M81x-1 (VPN server) and
VPN tunnel between SCALANCE M81x-1 (VPN server) and CP
VPN tunnel between SCALANCE M81x-1 (VPN server) and CP
1x43-1 using a static IP address ...................................................... 49
VPN tunnel between SCALANCE M81x-1 (VPN server) and a
VPN tunnel between SCALANCE M81x-1 (VPN server) and a
CP x43-1 Advanced ...................................................................................... 56

6.1
6.1.1
6.1.2
6.1.3
6.1.4

Entry ID: 26662448, V2.0,

VPN tunnel between CP x43-1 Advanced (VPN server) and
SCALANCE S using a static IP address ........................................... 57
VPN tunnel between CP x43-1 Advanced (VPN server) and CP
09/2014
Table of Contents
6.1.5
6.1.6
6.2
6.2.1
6.2.2
6.2.3
6.2.4
7
CP 1x43-1 ...................................................................................................... 67
7.1
7.1.1
7.1.2
7.1.3
7.1.4
7.1.5
7.1.6
7.1.7
7.2
7.2.1
7.2.2
7.2.3
7.2.4
8

VPN tunnel between CP x43-1 Advanced (VPN server) and a
VPN tunnel between CP x43-1 Advanced (VPN server) and a

VPN tunnel between CP 1x43-1 (VPN server) and SCALANCE
S using a static IP address............................................................... 68
M81x-1 using a static IP address ..................................................... 69
VPN tunnel between CP 1x43-1 (VPN server) and SOFTNET
Security Client using a static IP address .......................................... 70
VPN tunnel between CP 1x43-1 (VPN server) and CP x43-1
Advanced using a static IP address ................................................. 71
VPN tunnel between CP 1x43-1 (VPN server) and CP 1x43-1
using a static IP address .................................................................. 72
M874-x using a static IP address ..................................................... 73
VPN tunnel between CP 1x43-1 (VPN server) and a mobile
client using a static IP address ......................................................... 74
M81x-1 using a dynamic IP address ................................................ 75
VPN tunnel between CP 1x43-1 (VPN server) and SOFTNET
Security Client using a dynamic IP address...................................... 76
M874-x using a dynamic IP address ................................................ 77
VPN tunnel between CP 1x43-1 (VPN server) and a mobile
client using a dynamic IP address .................................................... 78
TS Adapter IE Advanced .............................................................................. 79

8.1
8.2
VPN tunnel between TS Adapter IE Advanced (VPN server)

and Windows SSTP client using a static IP address ......................... 80
VPN tunnel between TS Adapter IE Advanced (VPN server)
and TIA Portal using a static IP address........................................... 80
References .................................................................................................... 82
10
History .......................................................................................................... 83

Entry ID: 26662448, V2.0,
09/2014
1 Remarks on this Document

1.1 Reason and objective
Remarks on this Document
1.1
Reason and objective
Reason
Based on the Security Integrated product portfolio, there are numerous different
ways of implementing secure communication that are always customized to the
application. For the user, looking for the perfect solution involves the following
questions:
Which solutions are available?
What are the differences between the solutions?
Objective
The Security Integrated portfolio includes several products that can be combined
with each other. This results in a large number of configuration options.
This document helps you find an optimal solution for secure communication
based on VPN.
1.2
Features and benefits
Features
The document has the following features:
Clear, compact structure
Concisely outlines the contents and provides an overview graphic of the
individual configurations
Does not describe details; the details are provided in the individual
configurations.
Benefits
The document offers the following benefits to the reader:
Support in planning and configuration
Quick finding of information regarding configuration options
Short, compact overview of the features
Reference to the individual configurations

Entry ID: 26662448, V2.0,
09/2014

1.3 Structure of this document
1.3
Structure of this document

Siemens Security Integrated portfolio includes several products that can be
combined with each other. This results in a large number of configuration options.
To present these options in a clear manner, the possible configurations are
classified based on specific criteria.
This document gives you an overview of the configurations with the modules from
the Remote Networks portfolio.
Classification based on SIMATIC dependency

The VPN solutions with the SCALANCE modules / TS Adapter are independent of
SIMATIC, i.e. the application behind the VPN tunnel does not have to be
a SIMATIC application. Access to other applications via the SCALANCE modules /
TS Adapter is possible as well.
The VPN solutions with the CPs are SIMATIC-based as a SIMATIC CPU is
requited to operate the CP. However, these configurations also allow access to
non-SIMATIC plants parts via the CP.
Classification of the configurations
The possible configurations of an IP-based remote network are divided into groups.
The criterion for this subdivision is the module that acts as the VPN server.
There is a separate group for each module that can be configured as a VPN
server. This results in the following subdivision of VPN server groups:
SCALANCE S
SCALANCE M874
SCALANCE M810
CP x43-1 Adv.
CP 1x43-1
CP 1628
Note
For configuration examples for the CP 1628, use the following link: 10
Contents of a group
A group can in turn consist of multiple configurations. All these configurations have
one thing in common: For all configurations, the VPN server is the same security
module - specified by the group. They differ in the module used as the VPN client.
For all possible configurations of a group, Siemens Industry Online Support
provides a document with a specific configuration guide for the settings of the VPN
modules.
The figure below shows the subdivision of the configurations.

Entry ID: 26662448, V2.0,
09/2014

1.3 Structure of this document
Figure 1-1
Remote Access
(IP-based)
Overview
doc.
Group
VPN Server
VPN Server
VPN Server
VPN Server
VPN Server
VPN Server
SCALANCE S
SCALANCE
M874
SCALANCE
M810
CP x43-1 Adv.
CP 1x43-1
TS Adapter
Configurations
Configurations that belong to the same group have the same color (e.g., yellow for
the SCALANCE S group).
In the relevant chapter, each configuration is

presented homogeneously in an overview graphic,
including a list of requirements and
the link for the detailed configuration description.
Then the configurations within the group are sorted by access type.
Access using a static public IP address (on the VPN server side)
Access using a dynamic public IP address (on the VPN server side)
PPPoE (only in the SCALANCE S group)

Entry ID: 26662448, V2.0,
09/2014
2 Introduction to Remote Networks

2.1 Remote networks & industrial security
Introduction to Remote Networks
2.1
Remote networks & industrial security
Remote networks
Remote networks are public or private communications infrastructures for covering
wide areas or long distances, for example mobile or fixed telephone networks.
The geographical distribution of automation cells increases the demand for
telecontrol (remote control) and teleservice (remote maintenance/diagnostics) in a
remote network.
The comprehensive Remote Networks portfolio from Siemens offers connection to
both conventional (dedicated line, telephone) and IP-based infrastructures (e.g.,
the Internet).
Applications
Possible remote access applications in a remote network:
Telecontrol
Connection of outstations (remote terminal units - RTUs) distributed over a
wide geographical area to one or more central control systems for the purpose
of monitoring and control.
Teleservice
Data exchange with distant technical systems such as machines, plants and
computers for the purpose of error detection, diagnostics, maintenance, repair
and optimization.
Integration into the industrial security concept
This document focuses on IP-based networks.
As remote access to the plant is implemented via a public network (e.g., the
Internet), protection against data manipulation and spying is particularly
important. For this purpose, virtual private networks (VPN) are used.
VPN
A VPN is a private network that uses a public network (e.g., the Internet) as a
transit network for transmitting data to a private destination network. The private
networks and the transit network need not be compatible with one another.
Although VPN uses the addressing mechanisms of the transit network, it
nevertheless uses its own network packets to separate the transport of private data
packets from the others. Due to this fact, the private networks appear as a shared,
logical (virtual) network.
VPN routers are required to set up a VPN. The VPN Security Integrated products
(VPN routers) from Siemens support IPsec (Internet Protocol Security).
The TS Adapter IE Advanced uses Microsoft's SSTP (Secure Socket Tunneling
Protocol).

Entry ID: 26662448, V2.0,
09/2014

2.1 Remote networks & industrial security
VPN client and VPN server
Data communication protected using IPsec always starts with negotiating a
preliminary Security Association (IKE phase 1) before algorithms, keys, etc. are
finally agreed upon in phase 2.
The tunnel endpoint that actively starts negotiating a Security Association is
referred to as the VPN client.
The remote end that waits for the VPN client is called the VPN server.
For more information on Internet Security Protocol and the Siemens Security
Concept, use the following link: \3\
Note

Entry ID: 26662448, V2.0,
09/2014
10

2.2 Security Integrated product portfolio
2.2
Security Integrated product portfolio

Through a combination of different security measures such as firewalls and VPN,
the security modules protect individual devices or even entire automation cells
against:
Data espionage
Data manipulation
Unwanted access
The figure below shows the remote access cells.
Figure 2-1
Service PCs
SSC
Internet
Router
SCALANCE S
TIA
Portal
Internet
Router
SCALANCE
M874-x
Smartphone with
IPSec Client App
Windows
SSTP
SCALANCE
M81x-1
Internet
Router
Internet
Router
Automation Cells
SCALANCE S
Internet
Router
Internet
Router
SIMATIC S7
Stations
Internet
Router
SCALANCE
M874-x
Internet
Router
SIMATIC S7
Stations
TS Adapter IE
Advanced SIMATIC S7
SIMATIC S7-300 or
S7-400 with CP x43-1
Advanced
SIMATIC S7-1200
or S7-1500
with CP 1x43-1
Stations
SCALANCE SIMATIC S7
M81x-1
Stations
To help you in selecting products, the following sections describe the most
important features of the respective security modules.

Entry ID: 26662448, V2.0,
09/2014
11

2.2.1
SCALANCE S
The security modules of the SCALANCE S family are designed specifically for use
in automation but integrate seamlessly with the security structures of the office and
IT world. The SCALANCE S612, SCALANCE S623 and SCALANCE S627-2M
modules additionally provide the following features:
Simultaneous protection of multiple devices by IPsec tunnels (support of up to
128 VPN tunnels at a time).
IP addresses are automatically obtained from the Internet service provider
using PPPoE; therefore, it is no longer necessary to use a separate DSL router
and a DSL modem can be used instead.
Use of DNS for VPN tunnels using public dynamic IP addresses from the
Internet service provider.
User-specific IP firewall to distinguish and differentiate access to specific plant
parts.
Note
2.2.2
For the technical specifications of the SCALANCE S modules, use the following
link: \4\
SOFTNET Security Client

The SOFTNET Security Client allows programming devices, PCs and notebook
computers access to network nodes or automation systems protected by
SCALANCE S, SCALANCE M or CPs.
It is characterized by the following features:
Secure access of programming devices or notebook computers to entire
automation cells.
Easy use on mobile PCs.
Non-secure devices can be integrated into the secure data traffic.
Supports the DNS client function.
2.2.3
SCALANCE M-800
SCALANCE M874
The SCALANCE M874-3 (HSPA+ router) and SCALANCE M874-2 (GPRS/EDGE
router) routers are suited for cellular networks. These modules are characterized
by the following features:
Broad range of applications; can be used wherever a GPRS/UMTS network is
available.
Connection of stationary stations and/or mobile stations.
Simplicity of connecting local networks by means of IP communication via
WAN.
parts.

Entry ID: 26662448, V2.0,
09/2014
12

Note
For the technical specifications of the SCALANCE M874 modules, use the
following link: \5\
SCALANCE M810
SCALANCE M812-1 and SCALANCE M816-1 are DSL routers for cost-effective,
secure connection of Ethernet-based subnets and programmable controllers to
wired telephone or DSL networks. They support ADSL2+ (Asynchronous Digital
Subscriber Line).
These modules are characterized by the following features:
VPN and DSL router in a single device; therefore, it is no longer necessary to
use a separate DSL router.
Broad range of applications due to high bandwidth, performance and speed.
Reduced travel expenses and personnel costs due to remote programming

and remote diagnostics via wired telephone or DSL networks.
parts.
Note
For the technical specifications of the SCALANCE M810 modules, use the
following link: \6\

Entry ID: 26662448, V2.0,
09/2014
13

2.2.4
CP x43-1 Advanced
CP 343-1 Advanced and CP 443-1 Advanced are communications processors for
connecting SIMATIC S7 CPUs to PROFINET / Industrial Ethernet networks.
For the SIMATIC S7-300/S7-400, they are the bridge between the field level and
the MES level and integrate seamlessly with the security structures of the office
and IT world.
Firewall, VPN gateway and communications processor in a single device.
Protection of S7-300/S7-400 controllers and their lower-level networks by

IPsec tunnels (support of up to 32 VPN tunnels at a time).
Note
For the technical specifications of the CP 343-1 Advanced, use the following link:
\7\
Note
For the technical specifications of the CP 443-1 Advanced, use the following link:
\8\
2.2.5
CP 1x43-1
The CP 1243-1 communications processor securely connects the SIMATIC
S7-1200 controller to Ethernet networks.
The CP 1543-1 communications processor securely connects the SIMATIC
S7-1500 controller to Ethernet networks.
Protection of S7-1200/S7-1500 controllers and their lower-level networks by
IPsec tunnels (support of up to 16 VPN tunnels at a time).
Note
For the technical specifications of the CP 1243-1, use the following link: \7\
Note
For the technical specifications of the CP 1543-1, use the following link: \8\

Entry ID: 26662448, V2.0,
09/2014
14

2.2.6
CP 1628
CP 1628 is a communications module for securely connecting a PG/PC to
Industrial Ethernet. With a dedicated processor for automation/security tasks, the
CP 1628 reduces the host PC's load and provides constant, stable and secure data
communication.
This module is characterized by the following features:
Note
2.2.7
For the technical specifications of the CP 1628, use the following link: \9\
In conjunction with TIA Portal (V12 SP1 or higher), the TS Adapter IE Advanced
allows access, through the Internet, to all automation components of a plant (e.g.,
S7 controllers) that are connected to Industrial Ethernet.
This module is characterized by the following features:
Aside from TIA Portal, no other software or hardware is required to establish
the VPN connection (VPN client).1
Protection of S7 controllers and their lower-level networks by SSTP.
Note
For the technical specifications of the TS Adapter IE Advanced, use the following
link: 11
Internet access and a DSL modem are required to access the Internet.

Entry ID: 26662448, V2.0,
09/2014
15
3 SCALANCE S
SCALANCE S
This chapter describes the configurations in which the SCALANCE S is configured as the VPN server.
This group is marked in yellow.
Table 3-1
VPN server
VPN client
SCALANCE S
VPN remote end
Access type
Static IP address
Dynamic IP address
PPPoE
Characteristics
The SCALANCE S can be either behind a DSL router or a DSL modem.
A static or dynamic public IP address can be used for the DSL router/modem on the VPN server side.
Up to 128 VPN tunnels can be established simultaneously; therefore, multiple secure connections can run simultaneously and
independently of one another.
A service employee or plant on the VPN client side can establish the VPN tunnel only when necessary; a permanently established
tunnel connection is not necessary.
Due to the routing function, the networks on the internal and external interface become separate subnets.

Entry ID: 26662448, V2.0,
09/2014
16
3 SCALANCE S
3.1 Static IP address
3.1
Static IP address
3.1.1
VPN tunnel between SCALANCE S (VPN server) and SCALANCE S using a static IP address
Overview
Figure 3-1
Service PC
Automation Cell
SCALANCE S
Internet
SCALANCE S
Modem/Router
Internet
Router
Static
WAN IP Address
VPN Tunnel
Industrial Ethernet
VPN Server
VPN Client
SIMATIC S7
Stations
Table 3-2
VPN server
VPN client
Access type
SCALANCE S
SCALANCE S
Static IP address
Requirements
Static public IP address for the Internet router of the VPN server
Internet router with port forwarding functionality (on the VPN server side)
Standard Internet modem, router or UMTS router, for example SCALANCE M873 (on the VPN client side)
Link to the configuration description:
http://support.automation.siemens.com/WW/view/en/99681360
Entry ID: 26662448, V2.0,
09/2014
17
3 SCALANCE S
3.1.2
VPN tunnel between SCALANCE S (VPN server) and SCALANCE M81x-1 using a static IP address
Overview
Figure 3-2
Automation Cell
Service PC
SCALANCE S
SCALANCE
M81x-1
Internet
Router
Static
WAN IP Address
VPN Tunnel
Industrial Ethernet
VPN Client
VPN Server
SIMATIC S7
Stations
Table 3-3
VPN server
VPN client
Access type
SCALANCE S
SCALANCE M81x-1
Static IP address
Requirements
Static public IP address for the Internet router of the VPN server.
Internet router with port forwarding functionality (on the VPN server side).

Entry ID: 26662448, V2.0,
09/2014
18
3 SCALANCE S
3.1.3
VPN tunnel between SCALANCE S (VPN server) and SOFTNET Security Client using a static IP address
Overview
Figure 3-3
Service PC with
SSC
Automation Cell
Internet
Modem/Router
Internet
Router
SCALANCE S
Static
WAN IP Address
VPN Server
VPN Client
VPN Tunnel
Industrial Ethernet
SIMATIC S7
Stations
Table 3-4
VPN server
VPN client
Access type
SCALANCE S
Static IP address
Requirements
Standard Internet modem, router or UMTS router, for example SCALANCE M873 (on the VPN client side).

Entry ID: 26662448, V2.0,
09/2014
19
3 SCALANCE S
3.1.4
VPN tunnel between SCALANCE S (VPN server) and CP x43-1 Advanced using a static IP address
Overview
Figure 3-4
Service PC
Automation Cell
SCALANCE S
Internet
Router
Internet
Modem/Router
SIMATIC S7-300 or S7-400

with CP x43-1 Advanced
Static
WAN IP Address
VPN Tunnel
Industrial Ethernet
VPN Server
VPN Client
Table 3-5
VPN server
VPN client
Access type
SCALANCE S
CP x43-1 Advanced
Static IP address
Requirements

Entry ID: 26662448, V2.0,
09/2014
20
3 SCALANCE S
3.1.5
VPN tunnel between SCALANCE S (VPN server) and SCALANCE M874-x using a static IP address
Overview
Figure 3-5
Automation Cell
Service PC
SCALANCE S
SCALANCE
M874-x
Internet
Router
Static
WAN IP Address
VPN Tunnel
Industrial Ethernet
VPN Server
VPN Client
SIMATIC S7
Stations
Table 3-6
VPN server
VPN client
Access type
SCALANCE S
SCALANCE M874-x
Static IP address
Requirements
Mobile network operator's default APN (on the VPN client side).

Entry ID: 26662448, V2.0,
09/2014
21
3 SCALANCE S
3.1.6
VPN tunnel between SCALANCE S (VPN server) and a mobile client using a static IP address
Overview
Figure 3-6
Automation Cell
Smartphone with
IPSec Client App
Internet
Router
SCALANCE S
Static
WAN IP Address
VPN Client
VPN Server
VPN Tunnel
Industrial Ethernet
SIMATIC S7
Stations
Table 3-7
VPN server
VPN client
Access type
SCALANCE S
Mobile client
Static IP address
Requirements
Smartphone with IPSec Client app and Android operating system (on the VPN client side).

Entry ID: 26662448, V2.0,
09/2014
22
3 SCALANCE S
3.2 Dynamic IP address
3.2
Dynamic IP address
3.2.1
VPN tunnel between SCALANCE S (VPN server) and SCALANCE S using a dynamic IP address
Overview
Figure 3-7
Service PC
Automation Cell
SCALANCE S
Internet
Router
Internet
SCALANCE S
Modem/Router
Dynamic
WAN IP Address
VPN Tunnel
Industrial Ethernet
VPN Server
VPN Client
SIMATIC S7
Stations
Table 3-8
VPN server
VPN client
Access type
SCALANCE S
SCALANCE S
Dynamic IP address
Requirements
Dynamic public IP address for the Internet router of the VPN server (use of the DDNS providers dyndns.org or no-ip.org).
In progress
Entry ID: 26662448, V2.0,
09/2014
23
3 SCALANCE S
3.2.2
VPN tunnel between SCALANCE S (VPN server) and SCALANCE M81x-1 using a dynamic IP address
Overview
Figure 3-8
Automation Cell
Service PC
SCALANCE S
SCALANCE
M81x-1
Internet
Router
Dynamic
WAN IP Address
VPN Tunnel
Industrial Ethernet
VPN Client
VPN Server
SIMATIC S7
Stations
Table 3-9
VPN server
VPN client
Access type
SCALANCE S
SCALANCE M81x-1
Dynamic IP address
Requirements
In progress

Entry ID: 26662448, V2.0,
09/2014
24
3 SCALANCE S
3.2.3
VPN tunnel between SCALANCE S (VPN server) and SOFTNET Security Client using a dynamic IP address
Overview
Figure 3-9
Service PC with
SSC
Automation Cell
Internet
Modem/Router
Internet
Router
SCALANCE S
Dynamic
WAN IP Address
VPN Client
VPN Server
VPN Tunnel
Industrial Ethernet
SIMATIC S7
Stations
Table 3-10
VPN server
VPN client
Access type
SCALANCE S
Dynamic IP address
Requirements
In progress

Entry ID: 26662448, V2.0,
09/2014
25
3 SCALANCE S
3.2.4
VPN tunnel between SCALANCE S (VPN server) and SCALANCE M874-x using a dynamic IP address
Overview
Figure 3-10
Service PC
Automation Cell
SCALANCE S
SCALANCE
M874-x
Internet
Router
Dynamic
WAN IP Address
VPN Tunnel
Industrial Ethernet
VPN Server
VPN Client
SIMATIC S7
Stations
Table 3-11
VPN server
VPN client
Access type
SCALANCE S
SCALANCE M874-x
Dynamic IP address
Requirements
Dynamic public IP address for the Internet router (use of the DDNS providers dyndns.org or no-ip.org)
Internet router with port forwarding functionality
Mobile network operator's default APN
In progress

Entry ID: 26662448, V2.0,
09/2014
26
3 SCALANCE S
3.2.5
VPN tunnel between SCALANCE S (VPN server) and a mobile client using a dynamic IP address
Overview
Figure 3-11
Automation Cell
Smartphone with
IPSec Client App
Internet
Router
SCALANCE S
Dynamic
WAN IP Address
VPN Client
VPN Server
VPN Tunnel
Industrial Ethernet
SIMATIC S7
Stations
Table 3-12
VPN server
VPN client
Access type
SCALANCE S
Mobile client
Dynamic IP address
Requirements
In progress

Entry ID: 26662448, V2.0,
09/2014
27
3 SCALANCE S
3.3 PPPoE
3.3
PPPoE
3.3.1
VPN tunnel between SCALANCE S (VPN server) and SCALANCE S using PPPoE
Overview
Figure 3-12
Service PC
Automation Cell
SCALANCE S
VPN Tunnel
Industrial Ethernet
Internet
Modem
Internet
SCALANCE S
Modem/Router
VPN Server
VPN Client
SIMATIC S7
Stations
Table 3-13
VPN server
VPN client
Access type
SCALANCE S
SCALANCE S
PPPoE
Requirements
SCALANCE S version 3 or higher (VPN server).
Dynamic use of the DDNS providers dyndns.org or no-ip.org (VPN client: SCALANCE S (firmware version V4 or higher)) or static
public IP address for the Internet modem.
Standard Internet modem (on the VPN server side).
In progress
Entry ID: 26662448, V2.0,
09/2014
28
3 SCALANCE S
3.3 PPPoE
3.3.2
VPN tunnel between SCALANCE S (VPN server) and SCALANCE M81x-1 using PPPoE
Overview
Figure 3-13
Automation Cell
Service PC
SCALANCE S
VPN Tunnel
Industrial Ethernet
SCALANCE
M81x-1
Internet
Modem
VPN Client
VPN Server
SIMATIC S7
Stations
Table 3-14
VPN server
VPN client
Access type
SCALANCE S
SCALANCE M81x-1
PPPoE
Requirements
Dynamic (use of the DDNS providers dyndns.org or no-ip.org) or static public IP address for the Internet modem of the VPN server.
In progress

Entry ID: 26662448, V2.0,
09/2014
29
3 SCALANCE S
3.3 PPPoE
3.3.3
VPN tunnel between SCALANCE S (VPN server) and SOFTNET Security Client using PPPoE
Overview
Figure 3-14
Service PC with
SSC
Automation Cell
Internet
Modem/Router
Internet
Modem
VPN Client
SCALANCE S
VPN Server
VPN Tunnel
Industrial Ethernet
SIMATIC S7
Stations
Table 3-15
VPN server
VPN client
Access type
SCALANCE S
PPPoE
Requirements
In progress

Entry ID: 26662448, V2.0,
09/2014
30
3 SCALANCE S
3.3 PPPoE
3.3.4
VPN tunnel between SCALANCE S (VPN server) and CP x43-1 Advanced using PPPoE
Overview
Figure 3-15
Service PC
Automation Cell
SCALANCE S
Internet
Modem
Internet
Modem/Router

Static
WAN IP Address
VPN Tunnel
Industrial Ethernet
VPN Server
VPN Client
Table 3-16
VPN server
VPN client
Access type
SCALANCE S
CP x43-1 Advanced
PPPoE
Requirements
Static public IP address for the Internet modem of the VPN server.
In progress

Entry ID: 26662448, V2.0,
09/2014
31
3 SCALANCE S
3.3 PPPoE
3.3.5
VPN tunnel between SCALANCE S (VPN server) and SCALANCE M874-x using PPPoE
Overview
Figure 3-16
Service PC
Automation Cell
SCALANCE S
VPN Tunnel
Industrial Ethernet
SCALANCE
M874-x
Internet
Modem
VPN Server
VPN Client
SIMATIC S7
Stations
Table 3-17
VPN server
VPN client
Access type
SCALANCE S
SCALANCE M874-x
PPPoE
Requirements
In progress

Entry ID: 26662448, V2.0,
09/2014
32
3 SCALANCE S
3.3 PPPoE
3.3.6
VPN tunnel between SCALANCE S (VPN server) and a mobile client using PPPoE
Overview
Figure 3-17
Automation Cell
Smartphone with
IPSec Client App
Internet
Modem
VPN Client
SCALANCE S
VPN Server
VPN Tunnel
Industrial Ethernet
SIMATIC S7
Stations
Table 3-18
VPN server
VPN client
Access type
SCALANCE S
Mobile client
PPPoE
Requirements
In progress
Entry ID: 26662448, V2.0,
09/2014
33
4 SCALANCE M874-x
3.3 PPPoE
SCALANCE M874-x
This chapter describes the configurations in which the SCALANCE M874-x is configured as the VPN server.
This group is marked in light red.
Table 4-1
VPN server
VPN client
SCALANCE M874-x
VPN remote end
Access type
Static IP address
Dynamic IP address
Characteristics
The plant with the SCALANCE M874-x as the VPN server can be both stationary and mobile.
A static or dynamic public IP address can be used for the SCALANCE M874-x.

Entry ID: 26662448, V2.0,
09/2014
34
4 SCALANCE M874-x
4.1
Static IP address
4.1.1
VPN tunnel between SCALANCE M874-x (VPN server) and SCALANCE M81x-1 using a static IP address
Overview
Figure 4-1
Service PC
Automation Cell
SCALANCE
M81x-1
SCALANCE
M874-x
Static
WAN IP Address
VPN Tunnel
Industrial Ethernet
VPN Client
VPN Server
SIMATIC S7
Stations
Table 4-2
VPN server
VPN client
Access type
SCALANCE M874-x
SCALANCE M81x-1
Static IP address
Requirements
Static public IP address from the mobile network operator that can also be accessed from the Internet (on the VPN server side).
Mobile network operator's default APN (on the VPN server side).
In progress

Entry ID: 26662448, V2.0,
09/2014
35
4 SCALANCE M874-x
4.1.2
VPN tunnel between SCALANCE M874-x (VPN server) and SOFTNET Security Client using a static IP address
Overview
Figure 4-2
Service PC with
SSC
Automation Cell
SCALANCE
M874-x
Internet
Modem/Router
Static
WAN IP Address
VPN Client
VPN Tunnel
Industrial Ethernet
SIMATIC S7
Stations
VPN Server
Table 4-3
VPN server
VPN client
Access type
SCALANCE M874-x
Static IP address
Requirements
In progress

Entry ID: 26662448, V2.0,
09/2014
36
4 SCALANCE M874-x
4.1.3
VPN tunnel between SCALANCE M874-x (VPN server) and CP x43-1 Advanced using a static IP address
Overview
Figure 4-3
Service PC
Automation Cell
SCALANCE
M874-x
Internet
Modem/Router

Static
WAN IP Address
VPN Tunnel
Industrial Ethernet
VPN Server
VPN Client
Table 4-4
VPN server
VPN client
Access type
SCALANCE M874-x
CP x43-1 Advanced
Static IP address
Requirements
In progress

Entry ID: 26662448, V2.0,
09/2014
37
4 SCALANCE M874-x
4.1.4
VPN tunnel between SCALANCE M874-x (VPN server) and CP 1x43-1 using a static IP address
Overview
Figure 4-4
Service PC
Automation Cell
SCALANCE
M874-x
Internet
Modem/Router
SIMATIC S7-1200 or
S7-1500 with CP 1x43-1
Static
WAN IP Address
VPN Tunnel
Industrial Ethernet
VPN Client
VPN Server
Table 4-5
VPN server
VPN client
Access type
SCALANCE M874-x
CP 1x43-1
Static IP address
Requirements
In progress

Entry ID: 26662448, V2.0,
09/2014
38
4 SCALANCE M874-x
4.1.5
VPN tunnel between SCALANCE M874-x (VPN server) and SCALANCE M874-x using a static IP address
Overview
Figure 4-5
Automation Cell
Service PC
SCALANCE
M874-x
SCALANCE
M874-x
Static
WAN IP Address
VPN Tunnel
Industrial Ethernet
VPN Client
VPN Server
SIMATIC S7
Stations
Table 4-6
VPN server
VPN client
Access type
SCALANCE M874-x
SCALANCE M874-x
Static IP address
Requirements
Mobile to mobile communication (depending on the mobile network operator).
In progress

Entry ID: 26662448, V2.0,
09/2014
39
4 SCALANCE M874-x
4.1.6
VPN tunnel between SCALANCE M874-x (VPN server) and a mobile client using a static IP address
Overview
Figure 4-6
Automation Cell
Smartphone with
IPSec Client App
SCALANCE
M874-x
Static
WAN IP Adress
VPN Client
VPN Tunnel
Industrial Ethernet
VPN Server
SIMATIC S7
Stations
Table 4-7
VPN server
VPN client
Access type
SCALANCE M874-x
Mobile client
Static IP address
Requirements
In progress

Entry ID: 26662448, V2.0,
09/2014
40
4 SCALANCE M874-x
4.2
Dynamic IP address
4.2.1
VPN tunnel between SCALANCE M874-x (VPN server) and SCALANCE M81x-1 using a dynamic IP address
Overview
Figure 4-7
Service PC
Automation Cell
SCALANCE
M81x-1
SCALANCE
M874-x
Dynamic
WAN IP Address
VPN Tunnel
Industrial Ethernet
VPN Client
VPN Server
SIMATIC S7
Stations
Table 4-8
VPN server
VPN client
Access type
SCALANCE M874-x
SCALANCE M81x-1
Dynamic IP address
Requirements
Dynamic public IP address from the mobile network operator for the VPN server (use of the DDNS providers dyndns.org or no-ip.org).
In progress

Entry ID: 26662448, V2.0,
09/2014
41
4 SCALANCE M874-x
4.2.2
VPN tunnel between SCALANCE M874-x (VPN server) and SOFTNET Security Client using a dynamic IP address
Overview
Figure 4-8
Service PC with
SSC
Automation Cell
SCALANCE
M874-x
Internet
Modem/Router
Dynamic
WAN IP Address
VPN Client
VPN Tunnel
Industrial Ethernet
SIMATIC S7
Stations
VPN Server
Table 4-9
VPN server
VPN client
Access type
SCALANCE M874-x
Dynamic IP address
Requirements
In progress

Entry ID: 26662448, V2.0,
09/2014
42
4 SCALANCE M874-x
4.2.3
VPN tunnel between SCALANCE M874-x (VPN server) and SCALANCE M874-x using a dynamic IP address
Overview
Figure 4-9
Automation Cell
Service PC
SCALANCE
M874-x
SCALANCE
M874-x
Dynamic
WAN IP Address
VPN Tunnel
Industrial Ethernet
VPN Client
VPN Server
SIMATIC S7
Stations
Table 4-10
VPN server
VPN client
Access type
SCALANCE M874-x
SCALANCE M874-x
Dynamic IP address
Requirements
In progress

Entry ID: 26662448, V2.0,
09/2014
43
4 SCALANCE M874-x
4.2.4
VPN tunnel between SCALANCE M874-x (VPN server) and a mobile client using a dynamic IP address
Overview
Figure 4-10
Automation Cell
Smartphone with
IPSec Client App
SCALANCE
M874-x
Dynamic
WAN IP Address
VPN Client
VPN Tunnel
Industrial Ethernet
VPN Server
SIMATIC S7
Stations
Table 4-11
VPN server
VPN client
Access type
SCALANCE M874-x
Mobile client
Dynamic IP address
Requirements
In progress

Entry ID: 26662448, V2.0,
09/2014
44
5 SCALANCE M81x-1
SCALANCE M81x-1
This chapter describes the configurations in which the SCALANCE M81x-1 is configured as the VPN server.
This group is marked in light green.
Table 5-1
VPN server
VPN client
SCALANCE M81x-1
VPN remote end
Access type
Static IP address
Dynamic IP address
Characteristics
The DSL router and VPN server settings are made directly in the SCALANCE M81x-1; a separate DSL router is not required.
A static or dynamic public IP address can be used for the SCALANCE M81x-1.

Entry ID: 26662448, V2.0,
09/2014
45
5 SCALANCE M81x-1
5.1
Static IP address
5.1.1
VPN tunnel between SCALANCE M81x-1 (VPN server) and SCALANCE M81x-1 using a static IP address
Overview
Figure 5-1
Service PC
Automation Cell
SCALANCE
M81x-1
SCALANCE
M81x-1
Static
WAN IP Address
VPN Tunnel
Industrial Ethernet
VPN Client
VPN Server
SIMATIC S7
Stations
Table 5-2
VPN server
VPN client
Access type
SCALANCE M81x-1
SCALANCE M81x-1
Static IP address
Requirements
Static public IP address for the VPN server.
In progress

Entry ID: 26662448, V2.0,
09/2014
46
5 SCALANCE M81x-1
5.1.2
VPN tunnel between SCALANCE M81x-1 (VPN server) and SOFTNET Security Client using a static IP address
Overview
Figure 5-2
Service PC with
SSC
Automation Cell
SCALANCE
M81x-1
Internet
Modem/Router
Static
WAN IP Address
VPN Client
VPN Tunnel
Industrial Ethernet
SIMATIC S7
Stations
VPN Server
Table 5-3
VPN server
VPN client
Access type
SCALANCE M81x-1
Static IP address
Requirements
In progress

Entry ID: 26662448, V2.0,
09/2014
47
5 SCALANCE M81x-1
5.1.3
VPN tunnel between SCALANCE M81x-1 (VPN server) and CP x43-1 Advanced using a static IP address
Overview
Figure 5-3
Service PC
Automation Cell
SCALANCE
M81x-1
Internet
Modem/Router

Static
WAN IP Address
VPN Tunnel
Industrial Ethernet
VPN Server
VPN Client
Table 5-4
VPN server
VPN client
Access type
SCALANCE M81x-1
CP x43-1 Advanced
Static IP address
Requirements
In progress

Entry ID: 26662448, V2.0,
09/2014
48
5 SCALANCE M81x-1
5.1.4
VPN tunnel between SCALANCE M81x-1 (VPN server) and CP 1x43-1 using a static IP address
Overview
Figure 5-4
Service PC
Automation Cell
SCALANCE
M81x-1
Internet
Modem/Router
SIMATIC S7-1200 or
S7-1500 with CP 1x43-1
Static
WAN IP Address
VPN Tunnel
Industrial Ethernet
VPN Client
VPN Server
Table 5-5
VPN server
VPN client
Access type
SCALANCE M81x-1
CP 1x43-1
Static IP address
Requirements
In progress

Entry ID: 26662448, V2.0,
09/2014
49
5 SCALANCE M81x-1
5.1.5
VPN tunnel between SCALANCE M81x-1 (VPN server) and SCALANCE M874-x using a static IP address
Overview
Figure 5-5
Service PC
Automation Cell
SCALANCE
M81x-1
SCALANCE
M874-x
Static
WAN IP Address
VPN Tunnel
Industrial Ethernet
VPN Server
VPN Client
SIMATIC S7
Stations
Table 5-6
VPN server
VPN client
Access type
SCALANCE M81x-1
SCALANCE M874-x
Static IP address
Requirements
In progress

Entry ID: 26662448, V2.0,
09/2014
50
5 SCALANCE M81x-1
5.1.6
VPN tunnel between SCALANCE M81x-1 (VPN server) and a mobile client using a static IP address
Overview
Figure 5-6
Automation Cell
Smartphone with
IPSec Client App
SCALANCE
M81x-1
Static
WAN IP Address
VPN Client
VPN Server
VPN Tunnel
Industrial Ethernet
SIMATIC S7
Stations
Table 5-7
VPN server
VPN client
Access type
SCALANCE M81x-1
Mobile client
Static IP address
Requirements
In progress

Entry ID: 26662448, V2.0,
09/2014
51
5 SCALANCE M81x-1
5.2
Dynamic IP address
5.2.1
VPN tunnel between SCALANCE M81x-1 (VPN server) and SCALANCE M81x-1 using a dynamic IP address
Overview
Figure 5-7
Service PC
Automation Cell
SCALANCE
M81x-1
SCALANCE
M81x-1
Dynamic
WAN IP Address
VPN Tunnel
Industrial Ethernet
VPN Client
VPN Server
SIMATIC S7
Stations
Table 5-8
VPN server
VPN client
Access type
SCALANCE M81x-1
SCALANCE M81x-1
Dynamic IP address
Requirements
Dynamic public IP address for the VPN server (use of the DDNS providers dyndns.org or no-ip.org).
In progress

Entry ID: 26662448, V2.0,
09/2014
52
5 SCALANCE M81x-1
5.2.2
VPN tunnel between SCALANCE M81x-1 (VPN server) and SOFTNET Security Client using a dynamic IP address
Overview
Figure 5-8
Service PC with
SSC
Automation Cell
SCALANCE
M81x-1
Internet
Modem/Router
Dynamic
WAN IP Address
VPN Client
VPN Tunnel
Industrial Ethernet
SIMATIC S7
Stations
VPN Server
Table 5-9
VPN server
VPN client
Access type
SCALANCE M81x-1
Dynamic IP address
Requirements
In progress

Entry ID: 26662448, V2.0,
09/2014
53
5 SCALANCE M81x-1
5.2.3
VPN tunnel between SCALANCE M81x-1 (VPN server) and SCALANCE M874-x using a dynamic IP address
Overview
Figure 5-9
Service PC
Automation Cell
SCALANCE
M81x-1
SCALANCE
M874-x
Dynamic
WAN IP Address
VPN Tunnel
Industrial Ethernet
VPN Server
VPN Client
SIMATIC S7
Stations
Table 5-10
VPN server
VPN client
Access type
SCALANCE M81x-1
SCALANCE M874-x
Dynamic IP address
Requirements
In progress

Entry ID: 26662448, V2.0,
09/2014
54
5 SCALANCE M81x-1
5.2.4
VPN tunnel between SCALANCE M81x-1 (VPN server) and a mobile client using a dynamic IP address
Overview
Figure 5-10
Automation Cell
Smartphone with
IPSec Client App
SCALANCE
M81x-1
Dynamic
WAN IP Address
VPN Client
VPN Server
VPN Tunnel
Industrial Ethernet
SIMATIC S7
Stations
Table 5-11
VPN server
VPN client
Access type
SCALANCE M81x-1
Mobile client
Dynamic IP address
Requirements
Smartphone with IPSec Client app and Android operating system (on the VPN server side).
In progress

Entry ID: 26662448, V2.0,
09/2014
55
6 CP x43-1 Advanced
CP x43-1 Advanced
This chapter describes the configurations in which the CP x43-1 Advanced is configured as the VPN server.
This group is marked in dark blue.
Table 6-1
VPN server
VPN client
CP x43-1 Advanced
VPN remote end
Access type
Static IP address
Dynamic IP address
Characteristics
The firewall, VPN server and communication settings are made directly in the CCP x43-1 Advanced; the security functions are
integrated in the communications processor.
A static or dynamic public IP address can be used for the DSL router on the VPN server side.

Entry ID: 26662448, V2.0,
09/2014
56
6 CP x43-1 Advanced
6.1
Static IP address
6.1.1
VPN tunnel between CP x43-1 Advanced (VPN server) and SCALANCE S using a static IP address
Overview
Figure 6-1
Automation Cell
Service PC
SCALANCE S
Internet
Modem/Router
Internet
Router

Static
WAN IP Address
VPN Tunnel
Industrial Ethernet
VPN Client
VPN Server
Table 6-2
VPN server
VPN client
Access type
CP x43-1 Advanced
SCALANCE S
Static IP address
Requirements

Entry ID: 26662448, V2.0,
09/2014
57
6 CP x43-1 Advanced
6.1.2
VPN tunnel between CP x43-1 Advanced (VPN server) and SCALANCE M81x-1 using a static IP address
Overview
Figure 6-2
Service PC
Automation Cell
SCALANCE
M81x-1
Internet
Router

Static
WAN IP Address
VPN Tunnel
Industrial Ethernet
VPN Client
VPN Server
Table 6-3
VPN server
VPN client
Access type
CP x43-1 Advanced
SCALANCE M874-x
Static IP address
Requirements

Entry ID: 26662448, V2.0,
09/2014
58
6 CP x43-1 Advanced
6.1.3
VPN tunnel between CP x43-1 Advanced (VPN server) and SOFTNET Security Client using a static IP address
Overview
Figure 6-3
Service PC with
SSC
Automation Cell
Internet
Modem/Router
Internet
Router

Static
WAN IP Address
VPN Client
VPN Tunnel
Industrial Ethernet
VPN Server
Table 6-4
VPN server
VPN client
Access type
CP x43-1 Advanced
Static IP address
Requirements

Entry ID: 26662448, V2.0,
09/2014
59
6 CP x43-1 Advanced
6.1.4
VPN tunnel between CP x43-1 Advanced (VPN server) and CP x43-1 Advanced using a static IP address
Overview
Figure 6-4
Automation Cell A
Automation Cell B
Internet
Router
Internet
Modem/Router

Static
WAN IP Address
VPN Tunnel
Industrial Ethernet
VPN Server
VPN Client
Table 6-5
VPN server
VPN client
Access type
CP x43-1 Advanced
CP x43-1 Advanced
Static IP address
Requirements

Entry ID: 26662448, V2.0,
09/2014
60
6 CP x43-1 Advanced
6.1.5
VPN tunnel between CP x43-1 Advanced (VPN server) and SCALANCE M874-x using a static IP address
Overview
Figure 6-5
Service PC
Automation Cell
SCALANCE
M874-x
Internet
Router

Static
WAN IP Address
VPN Tunnel
Industrial Ethernet
VPN Client
VPN Server
Table 6-6
VPN server
VPN client
Access type
CP x43-1 Advanced
SCALANCE M874-x
Static IP address
Requirements

Entry ID: 26662448, V2.0,
09/2014
61
6 CP x43-1 Advanced
6.1.6
VPN tunnel between CP x43-1 Advanced (VPN server) and a mobile client using a static IP address
Overview
Figure 6-6
Automation Cell
Smartphone with
IPSec Client App
Internet
Router

Static
WAN IP Address
VPN Client
VPN Tunnel
Industrial Ethernet
VPN Server
Table 6-7
VPN server
VPN client
Access type
CP x43-1 Advanced
Mobile client
Static IP address
Requirements

Entry ID: 26662448, V2.0,
09/2014
62
6 CP x43-1 Advanced
6.2
Dynamic IP address
6.2.1
VPN tunnel between CP x43-1 Advanced (VPN server) and SOFTNET Security Client using a dynamic IP address
Overview
Figure 6-7
Service PC with
SSC
Automation Cell
Internet
Modem/Router
Internet
Router

Dynamic
WAN IP Address
VPN Client
VPN Tunnel
Industrial Ethernet
VPN Server
Table 6-8
VPN server
VPN client
Access type
CP x43-1 Advanced
Dynamic IP address
Requirements
In progress

Entry ID: 26662448, V2.0,
09/2014
63
6 CP x43-1 Advanced
6.2.2
VPN tunnel between CP x43-1 Advanced (VPN server) and SCALANCE M81x-1 using a dynamic IP address
Overview
Figure 6-8
Service PC
Automation Cell
SCALANCE
M81x-1
Internet
Router

Dynamic
WAN IP Address
VPN Tunnel
Industrial Ethernet
VPN Client
VPN Server
Table 6-9
VPN server
VPN client
Access type
CP x43-1 Advanced
SCALANCE M874-x
Dynamic IP address
Requirements
In progress

Entry ID: 26662448, V2.0,
09/2014
64
6 CP x43-1 Advanced
6.2.3
VPN tunnel between CP x43-1 Advanced (VPN server) and SCALANCE M874-x using a dynamic IP address
Overview
Figure 6-9
Service PC
Automation Cell
SCALANCE
M874-x
Internet
Router

Dynamic
WAN IP Address
VPN Tunnel
Industrial Ethernet
VPN Client
VPN Server
Table 6-10
VPN server
VPN client
Access type
CP x43-1 Advanced
SCALANCE M874-x
Dynamic IP address
Requirements
Mobile network operator's default APN
In progress

Entry ID: 26662448, V2.0,
09/2014
65
6 CP x43-1 Advanced
6.2.4
VPN tunnel between CP x43-1 Advanced (VPN server) and a mobile client using a dynamic IP address
Overview
Figure 6-10
Automation Cell
Smartphone with
IPSec Client App
Internet
Router

Dynamic
WAN IP Address
VPN Client
VPN Tunnel
Industrial Ethernet
VPN Server
Table 6-11
VPN server
VPN client
Access type
CP x43-1 Advanced
Mobile client
Dynamic IP address
Requirements
In progress

Entry ID: 26662448, V2.0,
09/2014
66
7 CP 1x43-1
CP 1x43-1
This chapter describes the configurations in which the CP 1x43-1 is configured as the VPN server.
This group is marked in gray.
Table 7-1
VPN server
VPN client
CP 1x43-1
VPN remote end
Access type
Static IP address
Dynamic IP address
Characteristics
The firewall, VPN server and communication settings are made directly in the CP 1x43-1; the security functions are integrated in the
communications processor.
A static or dynamic public IP address can be used for the DSL router on the VPN server side.

Entry ID: 26662448, V2.0,
09/2014
67
7 CP 1x43-1
7.1
Static IP address
7.1.1
VPN tunnel between CP 1x43-1 (VPN server) and SCALANCE S using a static IP address
Overview
Figure 7-1
Service PC
Automation Cell
SCALANCE S
Internet
Modem/Router
Internet
Router
SIMATIC S7-1200 or
S7-1500 with CP 1x43-1
Static
WAN IP Address
VPN Tunnel
Industrial Ethernet
VPN Client
VPN Server
Table 7-2
VPN server
VPN client
Access type
CP 1x43-1
SCALANCE S
Static IP address
Requirements
In progress

Entry ID: 26662448, V2.0,
09/2014
68
7 CP 1x43-1
7.1.2
VPN tunnel between CP 1x43-1 (VPN server) and SCALANCE M81x-1 using a static IP address
Overview
Figure 7-2
Service PC
Automation Cell
SCALANCE
M81x-1
Internet
Router
SIMATIC S7-1200 or
S7-1500 with CP 1x43-1
Static
WAN IP Address
VPN Tunnel
Industrial Ethernet
VPN Client
VPN Server
Table 7-3
VPN server
VPN client
Access type
CP 1x43-1
SCALANCE M81x-1
Static IP address
Requirements
In progress

Entry ID: 26662448, V2.0,
09/2014
69
7 CP 1x43-1
7.1.3
VPN tunnel between CP 1x43-1 (VPN server) and SOFTNET Security Client using a static IP address
Overview
Figure 7-3
Service PC with
SSC
Automation Cell
Internet
Modem/Router
Internet
Router
SIMATIC S7-1200 or
S7-1500 with CP 1x43-1
Static
WAN IP Address
VPN Client
VPN Server
VPN Tunnel
Industrial Ethernet
Table 7-4
VPN server
VPN client
Access type
CP 1x43-1
Static IP address
Requirements
In progress

Entry ID: 26662448, V2.0,
09/2014
70
7 CP 1x43-1
7.1.4
VPN tunnel between CP 1x43-1 (VPN server) and CP x43-1 Advanced using a static IP address
Overview
Figure 7-4
Automation Cell A
SIMATIC S7-1200 or
S7-1500 with CP 1x43-1
Automation Cell B
Internet
Router
Internet
Modem/Router

Static
WAN IP Address
VPN Tunnel
Industrial Ethernet
VPN Server
VPN Client
Table 7-5
VPN server
VPN client
Access type
CP 1x43-1
CP x43-1 Advanced
Static IP address
Requirements
In progress

Entry ID: 26662448, V2.0,
09/2014
71
7 CP 1x43-1
7.1.5
VPN tunnel between CP 1x43-1 (VPN server) and CP 1x43-1 using a static IP address
Overview
Figure 7-5
Automation Cell A
SIMATIC S7-1200 or
S7-1500 with CP 1x43-1
Automation Cell B
Internet
Router
Internet
Modem/Router
SIMATIC S7-1200 or
S7-1500 with CP 1x43-1
Static
WAN IP Address
VPN Tunnel
Industrial Ethernet
VPN Server
VPN Client
Table 7-6
VPN server
VPN client
Access type
CP 1x43-1
CP 1x43-1
Static IP address
Requirements
In progress

Entry ID: 26662448, V2.0,
09/2014
72
7 CP 1x43-1
7.1.6
VPN tunnel between CP 1x43-1 (VPN server) and SCALANCE M874-x using a static IP address
Overview
Figure 7-6
Service PC
Automation Cell
SCALANCE
M874-x
Internet
Router
SIMATIC S7-1200 or
S7-1500 with CP 1x43-1
Static
WAN IP Address
VPN Tunnel
Industrial Ethernet
VPN Client
VPN Server
Table 7-7
VPN server
VPN client
Access type
CP 1x43-1
SCALANCE M874-x
Static IP address
Requirements
In progress

Entry ID: 26662448, V2.0,
09/2014
73
7 CP 1x43-1
7.1.7
VPN tunnel between CP 1x43-1 (VPN server) and a mobile client using a static IP address
Overview
Figure 7-7
Automation Cell
Smartphone with
IPSec Client App
Internet
Router
SIMATIC S7-1200 or
S7-1500 with CP 1x43-1
Static
WAN IP Address
VPN Client
VPN Server
VPN Tunnel
Industrial Ethernet
Table 7-8
VPN server
VPN client
Access type
CP 1x43-1
Mobile client
Static IP address
Requirements
In progress

Entry ID: 26662448, V2.0,
09/2014
74
7 CP 1x43-1
7.2
Dynamic IP address
7.2.1
VPN tunnel between CP 1x43-1 (VPN server) and SCALANCE M81x-1 using a dynamic IP address
Overview
Figure 7-8
Service PC
Automation Cell
SCALANCE
M81x-1
Internet
Router
SIMATIC S7-1200 or
S7-1500 with CP 1x43-1
Dynamic
WAN IP Address
VPN Tunnel
Industrial Ethernet
VPN Client
VPN Server
Table 7-9
VPN server
VPN client
Access type
CP 1x43-1
SCALANCE M81x-1
Dynamic IP address
Requirements
In progress

Entry ID: 26662448, V2.0,
09/2014
75
7 CP 1x43-1
7.2.2
VPN tunnel between CP 1x43-1 (VPN server) and SOFTNET Security Client using a dynamic IP address
Overview
Figure 7-9
Service PC with
SSC
Automation Cell
Internet
Modem/Router
Internet
Router
SIMATIC S7-1200 or
S7-1500 with CP 1x43-1
Dynamic
WAN IP Address
VPN Client
VPN Server
VPN Tunnel
Industrial Ethernet
Table 7-10
VPN server
VPN client
Access type
CP 1x43-1
Dynamic IP address
Requirements
In progress

Entry ID: 26662448, V2.0,
09/2014
76
7 CP 1x43-1
7.2.3
VPN tunnel between CP 1x43-1 (VPN server) and SCALANCE M874-x using a dynamic IP address
Overview
Figure 7-10
Service PC
Automation Cell
SCALANCE
M874-x
Internet
Router
SIMATIC S7-1200 or
S7-1500 with CP 1x43-1
Dynamic
WAN IP Address
VPN Tunnel
Industrial Ethernet
VPN Client
VPN Server
Table 7-11
VPN server
VPN client
Access type
CP 1x43-1
SCALANCE M874-x
Dynamic IP address
Requirements
In progress

Entry ID: 26662448, V2.0,
09/2014
77
7 CP 1x43-1
7.2.4
VPN tunnel between CP 1x43-1 (VPN server) and a mobile client using a dynamic IP address
Overview
Figure 7-11
Automation Cell
Smartphone with
IPSec Client App
Internet
Router
SIMATIC S7-1200 or
S7-1500 with CP 1x43-1
Dynamic
WAN IP Address
VPN Client
VPN Server
VPN Tunnel
Industrial Ethernet
Table 7-12
VPN server
VPN client
Access type
CP 1x43-1
Mobile client
Dynamic IP address
Requirements
Smartphone with IPSec Client app on Android operating system (on the VPN client side).
In progress

Entry ID: 26662448, V2.0,
09/2014
78
8 TS Adapter IE Advanced
This chapter describes the configurations in which the TS Adapter IE Advanced is configured as the VPN server.
This group is marked in dark yellow.
Table 8-1
VPN server
VPN client
Access type
VPN remote end
Static IP address
Characteristics
Aside from TIA Portal, no other software or hardware is required on the VPN client side to establish the VPN connection.
Either TIA Portal or the Windows SSTP client can be used as the VPN client.

Entry ID: 26662448, V2.0,
09/2014
79
8.1 VPN tunnel between TS Adapter IE Advanced (VPN server) and Windows SSTP client using a static IP address
8.1
VPN tunnel between TS Adapter IE Advanced (VPN server) and Windows SSTP client using
a static IP address
Overview
Figure 8-1
Service
Service
PC PC
Automatisierungszelle
Automation Cell
Internet
Router
Internet
Internet
Modem/Router
Modem/ Router
SCALANCE
TS Adapter
M874-x
IE Advanced
Static
WAN IP Address
Statische
WAN-IP-Adresse
VPN Client
VPN Server
VPN-Server
VPN tunnel
Tunnel
VPN
IndustrialEthernet
Ethernet
Industrial
SIMATIC S7
Stationen
Stations
Table 8-2
VPN server
VPN client
Access type
Windows SSTP client
Static IP address
Requirements
Windows 7 or Windows Server 2008 or higher.
Entry ID: 26662448, V2.0,
09/2014
80
8.2 VPN tunnel between TS Adapter IE Advanced (VPN server) and TIA Portal using a static IP address
8.2
VPN tunnel between TS Adapter IE Advanced (VPN server) and TIA Portal using a static
IP address
Overview
Figure 8-2
Service PC
TIA
Portal
Automation Cell
Internet
Modem/Router
Internet
Router
TS Adapter
IE Advanced
Static
WAN IP Address
VPN Client
VPN Server
VPN Tunnel
Industrial Ethernet
SIMATIC S7
Stations
Table 8-3
VPN server
VPN client
Access type
TIA Portal
Static IP address
Requirements
TIA Portal V12 SP1 or higher.
Entry ID: 26662448, V2.0,
09/2014
81
8.3
References
Table 8-4
Subject
Title
\1\
Siemens Industry
Online Support
http://support.automation.siemens.com
\2\
Download page of the

entry
http://support.automation.siemens.com/WW/view/de/26662448
\3\
Security with
SIMATIC NET
\4\
SIMATIC NET
Industrial Ethernet
Security SCALANCE
S V4
\5\
SIMATIC NET
Industrial Remote
Communication
Remote Networks
SCALANCE M874
Operating Instructions
\6\
SIMATIC NET
Industrial Remote
Communication
Remote Networks
SCALANCE M812,
M816 Operating
Instructions
\7\
SIMATIC NET S7-300

- Industrial Ethernet
S7 CPs for Industrial
Ethernet CP 343-1
Advanced
Manual
Part B
\8\
SIMATIC NET S7-400

CP 443-1 Advanced
(GX30) Manual
Manual
Part B
\9\
SIMATIC NET PG/PC

CP 1628 Operating
Instructions
10
Industrial Ethernet
Security
Setting up security
11
TS Adapter IE
Advanced
Manual
12
TIA Selection Tool
http://www.siemens.com/tia-selection-tool

Entry ID: 26662448, V2.0,
09/2014
9 History
History
Table 9-1
Date
V1.0
08/2014
First version
V2.0
07/2014
First version
Version

Entry ID: 26662448, V2.0,
09/2014
Modifications

Remote Networks Overview Doku en

Uploaded by

Document Information

Original Description:

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Remote Networks Overview Doku en

Uploaded by

Copyright:

Available Formats

Application Description 09/2014

IP-based Remote Networks

Warranty and Liability

Warranty and Liability

Siemens AG 2014 All rights reserved

IP-based Remote Networks

Remarks on this Document............................................................................ 6

Introduction to Remote Networks.................................................................. 9

Remote networks & industrial security................................................ 9

Siemens AG 2014 All rights reserved

Reason and objective ........................................................................ 6

IP-based Remote Networks

Static IP address ............................................................................. 17

SCALANCE M874-x ...................................................................................... 34

Siemens AG 2014 All rights reserved

SCALANCE M81x-1 ...................................................................................... 45

Static IP address ............................................................................. 35

Static IP address ............................................................................. 46

CP x43-1 Advanced ...................................................................................... 56

IP-based Remote Networks

Static IP address ............................................................................. 57

Siemens AG 2014 All rights reserved

VPN tunnel between CP x43-1 Advanced (VPN server) and

Static IP address ............................................................................. 68

TS Adapter IE Advanced .............................................................................. 79

VPN tunnel between TS Adapter IE Advanced (VPN server)

IP-based Remote Networks

1 Remarks on this Document

Remarks on this Document

Reason and objective

Siemens AG 2014 All rights reserved

Features and benefits

IP-based Remote Networks

1 Remarks on this Document

Structure of this document

Classification based on SIMATIC dependency

IP-based Remote Networks

1 Remarks on this Document

Siemens AG 2014 All rights reserved

In the relevant chapter, each configuration is

IP-based Remote Networks

2 Introduction to Remote Networks

Introduction to Remote Networks

Remote networks & industrial security

Siemens AG 2014 All rights reserved

IP-based Remote Networks

2 Introduction to Remote Networks

Siemens AG 2014 All rights reserved

IP-based Remote Networks

2 Introduction to Remote Networks

Security Integrated product portfolio

IP-based Remote Networks

2 Introduction to Remote Networks

Siemens AG 2014 All rights reserved

SOFTNET Security Client

IP-based Remote Networks

2 Introduction to Remote Networks

Siemens AG 2014 All rights reserved

Reduced travel expenses and personnel costs due to remote programming

IP-based Remote Networks

2 Introduction to Remote Networks

Siemens AG 2014 All rights reserved