Remote Networks Overview Doku en
http://support.automation.siemens.com/WW/view/de/26662448
The Application Examples are not binding and do not claim to be complete
regarding the circuits shown, equipping and any eventuality. The Application
Examples do not represent customer-specific solutions. They are only intended
to provide support for typical applications. You are responsible for ensuring that
the described products are used correctly. These Application Examples do not
relieve you of the responsibility to use safe practices in application, installation,
operation and maintenance. When using these Application Examples, you
recognize that we cannot be made liable for any damage/claims beyond the
liability clause described. We reserve the right to make changes to these
Application Examples at any time without prior notice. If there are any deviations
between the recommendations provided in these Application Examples and
other Siemens publications - e.g. Catalogs - the contents of the other
documents have priority.
We do not accept any liability for the information contained in this document.
Any claims against us based on whatever legal reason - resulting from the use of
the examples, information, programs, engineering and performance data etc.,
described in this Application Example shall be excluded. Such an exclusion shall
not apply in the case of mandatory liability, e.g. under the German Product Liability
Act ("Produkthaftungsgesetz"), in case of intent, gross negligence, or injury of life,
body or health, guarantee for the quality of a product, fraudulent concealment of a
deficiency or breach of a condition which goes to the root of the contract
("wesentliche Vertragspflichten"). The damages for a breach of a substantial
contractual obligation are, however, limited to the foreseeable damage, typical for
the type of contract, except in the event of intent or gross negligence or injury to
life, body or health. The above provisions do not imply a change of the burden of
proof to your detriment.
Any form of duplication or distribution of these Application Examples or excerpts
hereof is prohibited without the expressed consent of Siemens Industry Sector.
Security information
Siemens provides products and solutions with industrial security functions that
support the secure operation of plants, solutions, machines, equipment and/or
networks. They are important components in a holistic industrial security
concept. With this in mind, Siemens' products and solutions undergo continuous
development. Siemens recommends strongly that you regularly check for
product updates.
For the secure operation of Siemens products and solutions, it is necessary to
take suitable preventive action (e.g. cell protection concept) and integrate each
component into a holistic, state-of-the-art industrial security concept. Third-party
products that may be in use should also be considered. For more information
about industrial security, visit http://www.siemens.com/industrialsecurity.
To stay informed about product updates as they occur, sign up for a product-specific newsletter. For more information, visit
http://support.automation.siemens.com.
09/2014
Table of Contents
Warranty and Liability
3 SCALANCE S
7 CP 1x43-1
References
History
1.1
Reason
Based on the Security Integrated product portfolio, there are numerous different
ways of implementing secure communication that are always customized to the
application. For the user, looking for the perfect solution involves the following
questions:
Which solutions are available?
What are the differences between the solutions?
Objective
The Security Integrated portfolio includes several products that can be combined
with each other. This results in a large number of configuration options.
This document helps you find an optimal solution for secure communication
based on VPN.
1.2
Features
The document has the following features:
Clear, compact structure
Concisely outlines the contents and provides an overview graphic of the
individual configurations
Does not describe details; the details are provided in the individual
configurations.
Benefits
The document offers the following benefits to the reader:
Support in planning and configuration
Quick finding of information regarding configuration options
Short, compact overview of the features
Reference to the individual configurations
1.3
The possible configurations of an IP-based remote network are divided into groups.
The criterion for this subdivision is the module that acts as the VPN server.
There is a separate group for each module that can be configured as a VPN
server. This results in the following subdivision of VPN server groups:
SCALANCE S
SCALANCE M874
SCALANCE M810
CP x43-1 Adv.
CP 1x43-1
CP 1628
TS Adapter IE Advanced
Note
For configuration examples for the CP 1628, use the following link: \10\
Contents of a group
A group can in turn consist of multiple configurations. All these configurations have
one thing in common: For all configurations, the VPN server is the same security
module - specified by the group. They differ in the module used as the VPN client.
For all possible configurations of a group, Siemens Industry Online Support
provides a document with a specific configuration guide for the settings of the VPN
modules.
The figure below shows the subdivision of the configurations.
Figure (overview diagram; labels: Remote Access (IP-based) overview document; groups by VPN server: SCALANCE S, SCALANCE M874, SCALANCE M810, CP x43-1 Adv., CP 1x43-1, TS Adapter; configurations per group)
Configurations that belong to the same group have the same color (e.g., yellow for
the SCALANCE S group).
2.1
Remote networks
Remote networks are public or private communications infrastructures for covering
wide areas or long distances, for example mobile or fixed telephone networks.
The geographical distribution of automation cells increases the demand for
telecontrol (remote control) and teleservice (remote maintenance/diagnostics) in a
remote network.
The comprehensive Remote Networks portfolio from Siemens offers connection to
both conventional (dedicated line, telephone) and IP-based infrastructures (e.g.,
the Internet).
Applications
Possible remote access applications in a remote network:
Telecontrol
Connection of outstations (remote terminal units - RTUs) distributed over a
wide geographical area to one or more central control systems for the purpose
of monitoring and control.
Teleservice
Data exchange with distant technical systems such as machines, plants and
computers for the purpose of error detection, diagnostics, maintenance, repair
and optimization.
Integration into the industrial security concept
This document focuses on IP-based networks.
As remote access to the plant is implemented via a public network (e.g., the
Internet), protection against data manipulation and spying is particularly
important. For this purpose, virtual private networks (VPN) are used.
VPN
A VPN is a private network that uses a public network (e.g., the Internet) as a
transit network for transmitting data to a private destination network. The private
networks and the transit network need not be compatible with one another.
Although VPN uses the addressing mechanisms of the transit network, it
nevertheless uses its own network packets to separate the transport of private data
packets from the others. Due to this fact, the private networks appear as a shared,
logical (virtual) network.
VPN routers are required to set up a VPN. The VPN Security Integrated products
(VPN routers) from Siemens support IPsec (Internet Protocol Security).
The TS Adapter IE Advanced uses Microsoft's SSTP (Secure Socket Tunneling
Protocol).
Note
For more information on Internet Security Protocol and the Siemens Security
Concept, use the following link: \3\
2.2 Security Integrated product portfolio
Figure 2-1 (overview diagram; labels: Service PCs, SSC, Internet Router, SCALANCE S, TIA Portal, SCALANCE M874-x, Smartphone with IPSec Client App, Windows SSTP, SCALANCE M81x-1, Automation Cells, SIMATIC S7 Stations, TS Adapter IE Advanced, SIMATIC S7-300 or S7-400 with CP x43-1 Advanced, SIMATIC S7-1200 or S7-1500 with CP 1x43-1)
Siemens AG 2014 All rights reserved
To help you in selecting products, the following sections describe the most
important features of the respective security modules.
2.2.1 SCALANCE S
The security modules of the SCALANCE S family are designed specifically for use
in automation but integrate seamlessly with the security structures of the office and
IT world. The SCALANCE S612, SCALANCE S623 and SCALANCE S627-2M
modules additionally provide the following features:
Simultaneous protection of multiple devices by IPsec tunnels (support of up to
128 VPN tunnels at a time).
IP addresses are automatically obtained from the Internet service provider
using PPPoE; therefore, it is no longer necessary to use a separate DSL router
and a DSL modem can be used instead.
Use of DNS for VPN tunnels using public dynamic IP addresses from the
Internet service provider.
User-specific IP firewall to distinguish and differentiate access to specific plant
parts.
Note
2.2.2
For the technical specifications of the SCALANCE S modules, use the following
link: \4\
2.2.3
SCALANCE M-800
SCALANCE M874
The SCALANCE M874-3 (HSPA+ router) and SCALANCE M874-2 (GPRS/EDGE
router) routers are suited for cellular networks. These modules are characterized
by the following features:
Simultaneous protection of multiple devices by IPsec tunnels (support of up to
10 VPN tunnels at a time).
Broad range of applications; can be used wherever a GPRS/UMTS network is
available.
Connection of stationary stations and/or mobile stations.
Simplicity of connecting local networks by means of IP communication via
WAN.
User-specific IP firewall to distinguish and differentiate access to specific plant
parts.
Note
For the technical specifications of the SCALANCE M874 modules, use the
following link: \5\
SCALANCE M810
SCALANCE M812-1 and SCALANCE M816-1 are DSL routers for cost-effective,
secure connection of Ethernet-based subnets and programmable controllers to
wired telephone or DSL networks. They support ADSL2+ (Asynchronous Digital
Subscriber Line).
These modules are characterized by the following features:
Simultaneous protection of multiple devices by IPsec tunnels (support of up to
20 VPN tunnels at a time).
VPN and DSL router in a single device; therefore, it is no longer necessary to
use a separate DSL router.
Broad range of applications due to high bandwidth, performance and speed.
Note
For the technical specifications of the SCALANCE M810 modules, use the
following link: \6\
2.2.4 CP x43-1 Advanced
CP 343-1 Advanced and CP 443-1 Advanced are communications processors for
connecting SIMATIC S7 CPUs to PROFINET / Industrial Ethernet networks.
For the SIMATIC S7-300/S7-400, they are the bridge between the field level and
the MES level and integrate seamlessly with the security structures of the office
and IT world.
These modules are characterized by the following features:
Firewall, VPN gateway and communications processor in a single device.
Note
For the technical specifications of the CP 343-1 Advanced, use the following link:
\7\
Note
For the technical specifications of the CP 443-1 Advanced, use the following link:
\8\
2.2.5 CP 1x43-1
The CP 1243-1 communications processor securely connects the SIMATIC
S7-1200 controller to Ethernet networks.
The CP 1543-1 communications processor securely connects the SIMATIC
S7-1500 controller to Ethernet networks.
These modules are characterized by the following features:
Firewall, VPN gateway and communications processor in a single device.
Protection of S7-1200/S7-1500 controllers and their lower-level networks by
IPsec tunnels (support of up to 16 VPN tunnels at a time).
Note
For the technical specifications of the CP 1243-1, use the following link: \7\
Note
For the technical specifications of the CP 1543-1, use the following link: \8\
2.2.6 CP 1628
CP 1628 is a communications module for securely connecting a PG/PC to
Industrial Ethernet. With a dedicated processor for automation/security tasks, the
CP 1628 reduces the host PC's load and provides constant, stable and secure data
communication.
This module is characterized by the following features:
Firewall, VPN gateway and communications processor in a single device.
Simultaneous protection of multiple devices by IPsec tunnels (support of up to
64 VPN tunnels at a time).
Note
For the technical specifications of the CP 1628, use the following link: \9\
2.2.7 TS Adapter IE Advanced
In conjunction with TIA Portal (V12 SP1 or higher), the TS Adapter IE Advanced
allows access, through the Internet, to all automation components of a plant (e.g.,
S7 controllers) that are connected to Industrial Ethernet.
This module is characterized by the following features:
Aside from TIA Portal, no other software or hardware is required to establish
the VPN connection (VPN client). [1]
Protection of S7 controllers and their lower-level networks by SSTP.
Note
For the technical specifications of the TS Adapter IE Advanced, use the following
link: \11\
[1] Internet access and a DSL modem are required to access the Internet.
3 SCALANCE S
This chapter describes the configurations in which the SCALANCE S is configured as the VPN server.
This group is marked in yellow.
Table 3-1
VPN server
VPN client
SCALANCE S
Access type
Static IP address
Dynamic IP address
PPPoE
Characteristics
The SCALANCE S can be either behind a DSL router or a DSL modem.
A static or dynamic public IP address can be used for the DSL router/modem on the VPN server side.
Up to 128 VPN tunnels can be established simultaneously; therefore, multiple secure connections can run simultaneously and
independently of one another.
A service employee or plant on the VPN client side can establish the VPN tunnel only when necessary; a permanently established
tunnel connection is not necessary.
Due to the routing function, the networks on the internal and external interface become separate subnets.
3.1 Static IP address
3.1.1 VPN tunnel between SCALANCE S (VPN server) and SCALANCE S using a static IP address
Overview
Figure 3-1 (network diagram; labels: Service PC, Automation Cell, SCALANCE S, Internet Modem/Router, Internet Router, Static WAN IP Address, VPN Tunnel, Industrial Ethernet, VPN Server, VPN Client, SIMATIC S7 Stations)
Table 3-2
VPN server: SCALANCE S
VPN client: SCALANCE S
Access type: Static IP address
Requirements
Static public IP address for the Internet router of the VPN server
Internet router with port forwarding functionality (on the VPN server side)
Standard Internet modem, router or UMTS router, for example SCALANCE M873 (on the VPN client side)
Link to the configuration description:
http://support.automation.siemens.com/WW/view/en/99681360
IP-based Remote Networks
Entry ID: 26662448, V2.0,
09/2014
3.1.2 VPN tunnel between SCALANCE S (VPN server) and SCALANCE M81x-1 using a static IP address
Overview
Figure 3-2 (network diagram; labels: Automation Cell, Service PC, SCALANCE S, SCALANCE M81x-1, Internet Router, Static WAN IP Address, VPN Tunnel, Industrial Ethernet, VPN Client, VPN Server, SIMATIC S7 Stations)
Table 3-3
VPN server: SCALANCE S
VPN client: SCALANCE M81x-1
Access type: Static IP address
Requirements
Static public IP address for the Internet router of the VPN server.
Internet router with port forwarding functionality (on the VPN server side).
Link to the configuration description:
http://support.automation.siemens.com/WW/view/en/99681595
3.1.3 VPN tunnel between SCALANCE S (VPN server) and SOFTNET Security Client using a static IP address
Overview
Figure 3-3 (network diagram; labels: Service PC with SOFTNET Security Client (SSC), Automation Cell, Internet Modem/Router, Internet Router, SCALANCE S, Static WAN IP Address, VPN Server, VPN Client, VPN Tunnel, Industrial Ethernet, SIMATIC S7 Stations)
Table 3-4
VPN server: SCALANCE S
VPN client: SOFTNET Security Client
Access type: Static IP address
Requirements
Static public IP address for the Internet router of the VPN server.
Internet router with port forwarding functionality (on the VPN server side).
Standard Internet modem, router or UMTS router, for example SCALANCE M873 (on the VPN client side).
Link to the configuration description:
http://support.automation.siemens.com/WW/view/en/99681083
3.1.4 VPN tunnel between SCALANCE S (VPN server) and CP x43-1 Advanced using a static IP address
Overview
Figure 3-4 (network diagram; labels: Service PC, Automation Cell, SCALANCE S, Internet Router, Internet Modem/Router, Static WAN IP Address, VPN Tunnel, Industrial Ethernet, VPN Server, VPN Client)
Table 3-5
VPN server: SCALANCE S
VPN client: CP x43-1 Advanced
Access type: Static IP address
Requirements
Static public IP address for the Internet router of the VPN server.
Internet router with port forwarding functionality (on the VPN server side).
Standard Internet modem, router or UMTS router, for example SCALANCE M873 (on the VPN client side).
Link to the configuration description:
http://support.automation.siemens.com/WW/view/en/99681025
3.1.5 VPN tunnel between SCALANCE S (VPN server) and SCALANCE M874-x using a static IP address
Overview
Figure 3-5 (network diagram; labels: Automation Cell, Service PC, SCALANCE S, SCALANCE M874-x, Internet Router, Static WAN IP Address, VPN Tunnel, Industrial Ethernet, VPN Server, VPN Client, SIMATIC S7 Stations)
Table 3-6
VPN server: SCALANCE S
VPN client: SCALANCE M874-x
Access type: Static IP address
Requirements
Static public IP address for the Internet router of the VPN server.
Internet router with port forwarding functionality (on the VPN server side).
Mobile network operator's default APN (on the VPN client side).
Link to the configuration description:
http://support.automation.siemens.com/WW/view/en/99681225
3.1.6 VPN tunnel between SCALANCE S (VPN server) and a mobile client using a static IP address
Overview
Figure 3-6 (network diagram; labels: Automation Cell, Smartphone with IPSec Client App, Internet Router, SCALANCE S, Static WAN IP Address, VPN Client, VPN Server, VPN Tunnel, Industrial Ethernet, SIMATIC S7 Stations)
Table 3-7
VPN server: SCALANCE S
VPN client: Mobile client
Access type: Static IP address
Requirements
Static public IP address for the Internet router of the VPN server.
Internet router with port forwarding functionality (on the VPN server side).
Mobile network operator's default APN (on the VPN client side).
Smartphone with IPSec Client app and Android operating system (on the VPN client side).
Link to the configuration description:
http://support.automation.siemens.com/WW/view/en/99680894
3.2 Dynamic IP address
3.2.1 VPN tunnel between SCALANCE S (VPN server) and SCALANCE S using a dynamic IP address
Overview
Figure 3-7 (network diagram; labels: Service PC, Automation Cell, SCALANCE S, Internet Router, Internet Modem/Router, Dynamic WAN IP Address, VPN Tunnel, Industrial Ethernet, VPN Server, VPN Client, SIMATIC S7 Stations)
Table 3-8
VPN server: SCALANCE S
VPN client: SCALANCE S
Access type: Dynamic IP address
Requirements
Dynamic public IP address for the Internet router of the VPN server (use of the DDNS providers dyndns.org or no-ip.org).
Internet router with port forwarding functionality (on the VPN server side).
Standard Internet modem, router or UMTS router, for example SCALANCE M873 (on the VPN client side).
Link to the configuration description:
In progress
3.2.2 VPN tunnel between SCALANCE S (VPN server) and SCALANCE M81x-1 using a dynamic IP address
Overview
Figure 3-8 (network diagram; labels: Automation Cell, Service PC, SCALANCE S, SCALANCE M81x-1, Internet Router, Dynamic WAN IP Address, VPN Tunnel, Industrial Ethernet, VPN Client, VPN Server, SIMATIC S7 Stations)
Table 3-9
VPN server: SCALANCE S
VPN client: SCALANCE M81x-1
Access type: Dynamic IP address
Requirements
Dynamic public IP address for the Internet router of the VPN server (use of the DDNS providers dyndns.org or no-ip.org).
Internet router with port forwarding functionality (on the VPN server side).
Link to the configuration description:
In progress
3.2.3 VPN tunnel between SCALANCE S (VPN server) and SOFTNET Security Client using a dynamic IP address
Overview
Figure 3-9 (network diagram; labels: Service PC with SOFTNET Security Client (SSC), Automation Cell, Internet Modem/Router, Internet Router, SCALANCE S, Dynamic WAN IP Address, VPN Client, VPN Server, VPN Tunnel, Industrial Ethernet, SIMATIC S7 Stations)
Table 3-10
VPN server: SCALANCE S
VPN client: SOFTNET Security Client
Access type: Dynamic IP address
Requirements
Dynamic public IP address for the Internet router of the VPN server (use of the DDNS providers dyndns.org or no-ip.org).
Internet router with port forwarding functionality (on the VPN server side).
Standard Internet modem, router or UMTS router, for example SCALANCE M873 (on the VPN client side).
Link to the configuration description:
In progress
3.2.4 VPN tunnel between SCALANCE S (VPN server) and SCALANCE M874-x using a dynamic IP address
Overview
Figure 3-10 (network diagram; labels: Service PC, Automation Cell, SCALANCE S, SCALANCE M874-x, Internet Router, Dynamic WAN IP Address, VPN Tunnel, Industrial Ethernet, VPN Server, VPN Client, SIMATIC S7 Stations)
Table 3-11
VPN server: SCALANCE S
VPN client: SCALANCE M874-x
Access type: Dynamic IP address
Requirements
Dynamic public IP address for the Internet router (use of the DDNS providers dyndns.org or no-ip.org)
Internet router with port forwarding functionality
Mobile network operator's default APN
Link to the configuration description:
In progress
3.2.5 VPN tunnel between SCALANCE S (VPN server) and a mobile client using a dynamic IP address
Overview
Figure 3-11 (network diagram; labels: Automation Cell, Smartphone with IPSec Client App, Internet Router, SCALANCE S, Dynamic WAN IP Address, VPN Client, VPN Server, VPN Tunnel, Industrial Ethernet, SIMATIC S7 Stations)
Table 3-12
VPN server: SCALANCE S
VPN client: Mobile client
Access type: Dynamic IP address
Requirements
Dynamic public IP address for the Internet router of the VPN server (use of the DDNS providers dyndns.org or no-ip.org).
Internet router with port forwarding functionality (on the VPN server side).
Mobile network operator's default APN (on the VPN client side).
Smartphone with IPSec Client app and Android operating system (on the VPN client side).
Link to the configuration description:
In progress
3.3 PPPoE
3.3.1 VPN tunnel between SCALANCE S (VPN server) and SCALANCE S using PPPoE
Overview
Figure 3-12 (network diagram; labels: Service PC, Automation Cell, SCALANCE S, VPN Tunnel, Industrial Ethernet, Internet Modem, Internet Modem/Router, VPN Server, VPN Client, SIMATIC S7 Stations)
Table 3-13
VPN server: SCALANCE S
VPN client: SCALANCE S
Access type: PPPoE
Requirements
SCALANCE S version 3 or higher (VPN server).
Dynamic (use of the DDNS providers dyndns.org or no-ip.org; VPN client: SCALANCE S with firmware version V4 or higher) or static
public IP address for the Internet modem.
Standard Internet modem (on the VPN server side).
Standard Internet modem, router or UMTS router, for example SCALANCE M873 (on the VPN client side).
Link to the configuration description:
In progress
3.3.2 VPN tunnel between SCALANCE S (VPN server) and SCALANCE M81x-1 using PPPoE
Overview
Figure 3-13 (network diagram; labels: Automation Cell, Service PC, SCALANCE S, VPN Tunnel, Industrial Ethernet, SCALANCE M81x-1, Internet Modem, VPN Client, VPN Server, SIMATIC S7 Stations)
Table 3-14
VPN server: SCALANCE S
VPN client: SCALANCE M81x-1
Access type: PPPoE
Requirements
SCALANCE S version 3 or higher (VPN server).
Dynamic (use of the DDNS providers dyndns.org or no-ip.org) or static public IP address for the Internet modem of the VPN server.
Standard Internet modem (on the VPN server side).
Link to the configuration description:
In progress
3.3.3 VPN tunnel between SCALANCE S (VPN server) and SOFTNET Security Client using PPPoE
Overview
Figure 3-14 (network diagram; labels: Service PC with SOFTNET Security Client (SSC), Automation Cell, Internet Modem/Router, Internet Modem, VPN Client, SCALANCE S, VPN Server, VPN Tunnel, Industrial Ethernet, SIMATIC S7 Stations)
Table 3-15
VPN server: SCALANCE S
VPN client: SOFTNET Security Client
Access type: PPPoE
Requirements
SCALANCE S version 3 or higher (VPN server).
Dynamic (use of the DDNS providers dyndns.org or no-ip.org) or static public IP address for the Internet modem of the VPN server.
Standard Internet modem (on the VPN server side).
Standard Internet modem, router or UMTS router, for example SCALANCE M873 (on the VPN client side).
Link to the configuration description:
In progress
3.3.4 VPN tunnel between SCALANCE S (VPN server) and CP x43-1 Advanced using PPPoE
Overview
Figure 3-15 (network diagram; labels: Service PC, Automation Cell, SCALANCE S, Internet Modem, Internet Modem/Router, Static WAN IP Address, VPN Tunnel, Industrial Ethernet, VPN Server, VPN Client)
Table 3-16
VPN server: SCALANCE S
VPN client: CP x43-1 Advanced
Access type: PPPoE
Requirements
SCALANCE S version 3 or higher (VPN server).
Static public IP address for the Internet modem of the VPN server.
Standard Internet modem (on the VPN server side).
Standard Internet modem, router or UMTS router, for example SCALANCE M873 (on the VPN client side).
Link to the configuration description:
In progress
3.3.5 VPN tunnel between SCALANCE S (VPN server) and SCALANCE M874-x using PPPoE
Overview
Figure 3-16 (network diagram; labels: Service PC, Automation Cell, SCALANCE S, VPN Tunnel, Industrial Ethernet, SCALANCE M874-x, Internet Modem, VPN Server, VPN Client, SIMATIC S7 Stations)
Table 3-17
VPN server: SCALANCE S
VPN client: SCALANCE M874-x
Access type: PPPoE
Requirements
SCALANCE S version 3 or higher (VPN server).
Dynamic (use of the DDNS providers dyndns.org or no-ip.org) or static public IP address for the Internet modem of the VPN server.
Standard Internet modem (on the VPN server side).
Mobile network operator's default APN (on the VPN client side).
Link to the configuration description:
In progress
3.3.6 VPN tunnel between SCALANCE S (VPN server) and a mobile client using PPPoE
Overview
Figure 3-17 (network diagram; labels: Automation Cell, Smartphone with IPSec Client App, Internet Modem, VPN Client, SCALANCE S, VPN Server, VPN Tunnel, Industrial Ethernet, SIMATIC S7 Stations)
Table 3-18
VPN server: SCALANCE S
VPN client: Mobile client
Access type: PPPoE
Requirements
SCALANCE S version 3 or higher (VPN server).
Dynamic (use of the DDNS providers dyndns.org or no-ip.org) or static public IP address for the Internet modem of the VPN server.
Standard Internet modem (on the VPN server side).
Mobile network operator's default APN (on the VPN client side).
Smartphone with IPSec Client app and Android operating system (on the VPN client side).
Link to the configuration description:
In progress
4 SCALANCE M874-x
This chapter describes the configurations in which the SCALANCE M874-x is configured as the VPN server.
This group is marked in light red.
Table 4-1
VPN server
VPN client
SCALANCE M874-x
Access type
Static IP address
Dynamic IP address
Characteristics
The plant with the SCALANCE M874-x as the VPN server can be both stationary and mobile.
A static or dynamic public IP address can be used for the SCALANCE M874-x.
Up to 10 VPN tunnels can be established simultaneously; therefore, multiple secure connections can run simultaneously and
independently of one another.
A service employee or plant on the VPN client side can establish the VPN tunnel only when necessary; a permanently established
tunnel connection is not necessary.
4.1 Static IP address
4.1.1 VPN tunnel between SCALANCE M874-x (VPN server) and SCALANCE M81x-1 using a static IP address
Overview
Figure 4-1 (network diagram; labels: Service PC, Automation Cell, SCALANCE M81x-1, SCALANCE M874-x, Static WAN IP Address, VPN Tunnel, Industrial Ethernet, VPN Client, VPN Server, SIMATIC S7 Stations)
Table 4-2
VPN server: SCALANCE M874-x
VPN client: SCALANCE M81x-1
Access type: Static IP address
Requirements
Static public IP address from the mobile network operator that can also be accessed from the Internet (on the VPN server side).
Mobile network operator's default APN (on the VPN server side).
Link to the configuration description:
In progress
4.1.2 VPN tunnel between SCALANCE M874-x (VPN server) and SOFTNET Security Client using a static IP address
Overview
Figure 4-2 (network diagram; labels: Service PC with SOFTNET Security Client (SSC), Automation Cell, SCALANCE M874-x, Internet Modem/Router, Static WAN IP Address, VPN Client, VPN Tunnel, Industrial Ethernet, SIMATIC S7 Stations, VPN Server)
Table 4-3
VPN server: SCALANCE M874-x
VPN client: SOFTNET Security Client
Access type: Static IP address
Requirements
Static public IP address from the mobile network operator that can also be accessed from the Internet (on the VPN server side).
Mobile network operator's default APN (on the VPN server side).
Standard Internet modem, router or UMTS router, for example SCALANCE M873 (on the VPN client side).
Link to the configuration description:
In progress
4.1.3 VPN tunnel between SCALANCE M874-x (VPN server) and CP x43-1 Advanced using a static IP address
Overview
Figure 4-3 (network diagram; labels: Service PC, Automation Cell, SCALANCE M874-x, Internet Modem/Router, Static WAN IP Address, VPN Tunnel, Industrial Ethernet, VPN Server, VPN Client)
Table 4-4
VPN server: SCALANCE M874-x
VPN client: CP x43-1 Advanced
Access type: Static IP address
Requirements
Static public IP address from the mobile network operator that can also be accessed from the Internet (on the VPN server side).
Mobile network operator's default APN (on the VPN server side).
Standard Internet modem, router or UMTS router, for example SCALANCE M873 (on the VPN client side).
Link to the configuration description:
In progress
4.1.4 VPN tunnel between SCALANCE M874-x (VPN server) and CP 1x43-1 using a static IP address
Overview
Figure 4-4 (network diagram; labels: Service PC, Automation Cell, SCALANCE M874-x, Internet Modem/Router, SIMATIC S7-1200 or S7-1500 with CP 1x43-1, Static WAN IP Address, VPN Tunnel, Industrial Ethernet, VPN Client, VPN Server)
Table 4-5
VPN server: SCALANCE M874-x
VPN client: CP 1x43-1
Access type: Static IP address
Requirements
Static public IP address from the mobile network operator that can also be accessed from the Internet (on the VPN server side).
Mobile network operator's default APN (on the VPN server side).
Standard Internet modem, router or UMTS router, for example SCALANCE M873 (on the VPN client side).
Link to the configuration description:
In progress
4.1.5 VPN tunnel between SCALANCE M874-x (VPN server) and SCALANCE M874-x using a static IP address
Overview
Figure 4-5 [diagram; labels: Automation Cell, Service PC, SCALANCE M874-x (twice), Static WAN IP Address, VPN Tunnel, Industrial Ethernet, VPN Client, VPN Server, SIMATIC S7 Stations]
Table 4-6
VPN server: SCALANCE M874-x
VPN client: SCALANCE M874-x
Access type: Static IP address
Requirements
Static public IP address from the mobile network operator that can also be accessed from the Internet (on the VPN server side).
Mobile to mobile communication (depending on the mobile network operator).
Link to the configuration description:
In progress
4.1.6 VPN tunnel between SCALANCE M874-x (VPN server) and a mobile client using a static IP address
Overview
Figure 4-6 [diagram; labels: Automation Cell, Smartphone with IPSec Client App, SCALANCE M874-x, Static WAN IP Address, VPN Client, VPN Tunnel, Industrial Ethernet, VPN Server, SIMATIC S7 Stations]
Table 4-7
VPN server: SCALANCE M874-x
VPN client: Mobile client
Access type: Static IP address
Requirements
Static public IP address from the mobile network operator that can also be accessed from the Internet (on the VPN server side).
Mobile to mobile communication (depending on the mobile network operator).
Smartphone with IPSec Client app and Android operating system (on the VPN client side).
Link to the configuration description:
In progress
4.2 Dynamic IP address
4.2.1 VPN tunnel between SCALANCE M874-x (VPN server) and SCALANCE M81x-1 using a dynamic IP address
Overview
Figure 4-7 [diagram; labels: Service PC, Automation Cell, SCALANCE M81x-1, SCALANCE M874-x, Dynamic WAN IP Address, VPN Tunnel, Industrial Ethernet, VPN Client, VPN Server, SIMATIC S7 Stations]
Table 4-8
VPN server: SCALANCE M874-x
VPN client: SCALANCE M81x-1
Access type: Dynamic IP address
Requirements
Dynamic public IP address from the mobile network operator for the VPN server (use of the DDNS providers dyndns.org or no-ip.org).
Mobile network operator's default APN (on the VPN server side).
Link to the configuration description:
In progress
4.2.2 VPN tunnel between SCALANCE M874-x (VPN server) and SOFTNET Security Client using a dynamic IP address
Overview
Figure 4-8 [diagram; labels: Service PC with SOFTNET Security Client (SSC), Automation Cell, SCALANCE M874-x, Internet, Modem/Router, Dynamic WAN IP Address, VPN Client, VPN Tunnel, Industrial Ethernet, SIMATIC S7 Stations, VPN Server]
Table 4-9
VPN server: SCALANCE M874-x
VPN client: SOFTNET Security Client
Access type: Dynamic IP address
Requirements
Dynamic public IP address from the mobile network operator for the VPN server (use of the DDNS providers dyndns.org or no-ip.org).
Mobile network operator's default APN (on the VPN server side).
Standard Internet modem, router or UMTS router, for example SCALANCE M873 (on the VPN client side).
Link to the configuration description:
In progress
4.2.3 VPN tunnel between SCALANCE M874-x (VPN server) and SCALANCE M874-x using a dynamic IP address
Overview
Figure 4-9 [diagram; labels: Automation Cell, Service PC, SCALANCE M874-x (twice), Dynamic WAN IP Address, VPN Tunnel, Industrial Ethernet, VPN Client, VPN Server, SIMATIC S7 Stations]
Table 4-10
VPN server: SCALANCE M874-x
VPN client: SCALANCE M874-x
Access type: Dynamic IP address
Requirements
Dynamic public IP address from the mobile network operator for the VPN server (use of the DDNS providers dyndns.org or no-ip.org).
Mobile to mobile communication (depending on the mobile network operator).
Link to the configuration description:
In progress
4.2.4 VPN tunnel between SCALANCE M874-x (VPN server) and a mobile client using a dynamic IP address
Overview
Figure 4-10 [diagram; labels: Automation Cell, Smartphone with IPSec Client App, SCALANCE M874-x, Dynamic WAN IP Address, VPN Client, VPN Tunnel, Industrial Ethernet, VPN Server, SIMATIC S7 Stations]
Table 4-11
VPN server: SCALANCE M874-x
VPN client: Mobile client
Access type: Dynamic IP address
Requirements
Dynamic public IP address from the mobile network operator for the VPN server (use of the DDNS providers dyndns.org or no-ip.org).
Mobile to mobile communication (depending on the mobile network operator).
Smartphone with IPSec Client app and Android operating system (on the VPN client side).
Link to the configuration description:
In progress
5 SCALANCE M81x-1
This chapter describes the configurations in which the SCALANCE M81x-1 is configured as the VPN server.
This group is marked in light green.
Table 5-1
VPN server
VPN client
SCALANCE M81x-1
Access type
Static IP address
Dynamic IP address
Characteristics
The DSL router and VPN server settings are made directly in the SCALANCE M81x-1; a separate DSL router is not required.
A static or dynamic public IP address can be used for the SCALANCE M81x-1.
Up to 20 VPN tunnels can be established simultaneously; therefore, multiple secure connections can run simultaneously and independently of one another.
A service employee or plant on the VPN client side can establish the VPN tunnel only when necessary; a permanently established tunnel connection is not necessary.
5.1 Static IP address
5.1.1 VPN tunnel between SCALANCE M81x-1 (VPN server) and SCALANCE M81x-1 using a static IP address
Overview
Figure 5-1 [diagram; labels: Service PC, Automation Cell, SCALANCE M81x-1 (twice), Static WAN IP Address, VPN Tunnel, Industrial Ethernet, VPN Client, VPN Server, SIMATIC S7 Stations]
Table 5-2
VPN server: SCALANCE M81x-1
VPN client: SCALANCE M81x-1
Access type: Static IP address
Requirements
Static public IP address for the VPN server.
Link to the configuration description:
In progress
5.1.2 VPN tunnel between SCALANCE M81x-1 (VPN server) and SOFTNET Security Client using a static IP address
Overview
Figure 5-2 [diagram; labels: Service PC with SOFTNET Security Client (SSC), Automation Cell, SCALANCE M81x-1, Internet, Modem/Router, Static WAN IP Address, VPN Client, VPN Tunnel, Industrial Ethernet, SIMATIC S7 Stations, VPN Server]
Table 5-3
VPN server: SCALANCE M81x-1
VPN client: SOFTNET Security Client
Access type: Static IP address
Requirements
Static public IP address for the VPN server.
Standard Internet modem, router or UMTS router, for example SCALANCE M873 (on the VPN client side).
Link to the configuration description:
In progress
5.1.3 VPN tunnel between SCALANCE M81x-1 (VPN server) and CP x43-1 Advanced using a static IP address
Overview
Figure 5-3 [diagram; labels: Service PC, Automation Cell, SCALANCE M81x-1, Internet, Modem/Router, Static WAN IP Address, VPN Tunnel, Industrial Ethernet, VPN Server, VPN Client]
Table 5-4
VPN server: SCALANCE M81x-1
VPN client: CP x43-1 Advanced
Access type: Static IP address
Requirements
Static public IP address for the VPN server.
Standard Internet modem, router or UMTS router, for example SCALANCE M873 (on the VPN client side).
Link to the configuration description:
In progress
5.1.4 VPN tunnel between SCALANCE M81x-1 (VPN server) and CP 1x43-1 using a static IP address
Overview
Figure 5-4 [diagram; labels: Service PC, Automation Cell, SCALANCE M81x-1, Internet, Modem/Router, SIMATIC S7-1200 or S7-1500 with CP 1x43-1, Static WAN IP Address, VPN Tunnel, Industrial Ethernet, VPN Client, VPN Server]
Table 5-5
VPN server: SCALANCE M81x-1
VPN client: CP 1x43-1
Access type: Static IP address
Requirements
Static public IP address for the VPN server.
Standard Internet modem, router or UMTS router, for example SCALANCE M873 (on the VPN client side).
Link to the configuration description:
In progress
5.1.5 VPN tunnel between SCALANCE M81x-1 (VPN server) and SCALANCE M874-x using a static IP address
Overview
Figure 5-5 [diagram; labels: Service PC, Automation Cell, SCALANCE M81x-1, SCALANCE M874-x, Static WAN IP Address, VPN Tunnel, Industrial Ethernet, VPN Server, VPN Client, SIMATIC S7 Stations]
Table 5-6
VPN server: SCALANCE M81x-1
VPN client: SCALANCE M874-x
Access type: Static IP address
Requirements
Static public IP address for the VPN server.
Mobile network operator's default APN (on the VPN client side).
Link to the configuration description:
In progress
5.1.6 VPN tunnel between SCALANCE M81x-1 (VPN server) and a mobile client using a static IP address
Overview
Figure 5-6 [diagram; labels: Automation Cell, Smartphone with IPSec Client App, SCALANCE M81x-1, Static WAN IP Address, VPN Client, VPN Server, VPN Tunnel, Industrial Ethernet, SIMATIC S7 Stations]
Table 5-7
VPN server: SCALANCE M81x-1
VPN client: Mobile client
Access type: Static IP address
Requirements
Static public IP address for the VPN server.
Mobile network operator's default APN (on the VPN client side).
Smartphone with IPSec Client app and Android operating system (on the VPN client side).
Link to the configuration description:
In progress
5.2 Dynamic IP address
5.2.1 VPN tunnel between SCALANCE M81x-1 (VPN server) and SCALANCE M81x-1 using a dynamic IP address
Overview
Figure 5-7 [diagram; labels: Service PC, Automation Cell, SCALANCE M81x-1 (twice), Dynamic WAN IP Address, VPN Tunnel, Industrial Ethernet, VPN Client, VPN Server, SIMATIC S7 Stations]
Table 5-8
VPN server: SCALANCE M81x-1
VPN client: SCALANCE M81x-1
Access type: Dynamic IP address
Requirements
Dynamic public IP address for the VPN server (use of the DDNS providers dyndns.org or no-ip.org).
Link to the configuration description:
In progress
5.2.2 VPN tunnel between SCALANCE M81x-1 (VPN server) and SOFTNET Security Client using a dynamic IP address
Overview
Figure 5-8 [diagram; labels: Service PC with SOFTNET Security Client (SSC), Automation Cell, SCALANCE M81x-1, Internet, Modem/Router, Dynamic WAN IP Address, VPN Client, VPN Tunnel, Industrial Ethernet, SIMATIC S7 Stations, VPN Server]
Table 5-9
VPN server: SCALANCE M81x-1
VPN client: SOFTNET Security Client
Access type: Dynamic IP address
Requirements
Dynamic public IP address for the VPN server (use of the DDNS providers dyndns.org or no-ip.org).
Standard Internet modem, router or UMTS router, for example SCALANCE M873 (on the VPN client side).
Link to the configuration description:
In progress
5.2.3 VPN tunnel between SCALANCE M81x-1 (VPN server) and SCALANCE M874-x using a dynamic IP address
Overview
Figure 5-9 [diagram; labels: Service PC, Automation Cell, SCALANCE M81x-1, SCALANCE M874-x, Dynamic WAN IP Address, VPN Tunnel, Industrial Ethernet, VPN Server, VPN Client, SIMATIC S7 Stations]
Table 5-10
VPN server: SCALANCE M81x-1
VPN client: SCALANCE M874-x
Access type: Dynamic IP address
Requirements
Dynamic public IP address for the VPN server (use of the DDNS providers dyndns.org or no-ip.org).
Mobile network operator's default APN (on the VPN client side).
Link to the configuration description:
In progress
5.2.4 VPN tunnel between SCALANCE M81x-1 (VPN server) and a mobile client using a dynamic IP address
Overview
Figure 5-10 [diagram; labels: Automation Cell, Smartphone with IPSec Client App, SCALANCE M81x-1, Dynamic WAN IP Address, VPN Client, VPN Server, VPN Tunnel, Industrial Ethernet, SIMATIC S7 Stations]
Table 5-11
VPN server: SCALANCE M81x-1
VPN client: Mobile client
Access type: Dynamic IP address
Requirements
Dynamic public IP address for the VPN server (use of the DDNS providers dyndns.org or no-ip.org).
Mobile network operator's default APN (on the VPN client side).
Smartphone with IPSec Client app and Android operating system (on the VPN server side).
Link to the configuration description:
In progress
6 CP x43-1 Advanced
This chapter describes the configurations in which the CP x43-1 Advanced is configured as the VPN server.
This group is marked in dark blue.
Table 6-1
VPN server
VPN client
CP x43-1 Advanced
Access type
Static IP address
Dynamic IP address
Characteristics
The firewall, VPN server and communication settings are made directly in the CP x43-1 Advanced; the security functions are integrated in the communications processor.
A static or dynamic public IP address can be used for the DSL router on the VPN server side.
6.1 Static IP address
6.1.1 VPN tunnel between CP x43-1 Advanced (VPN server) and SCALANCE S using a static IP address
Overview
Figure 6-1 [diagram; labels: Automation Cell, Service PC, SCALANCE S, Internet, Modem/Router, Internet, Router, Static WAN IP Address, VPN Tunnel, Industrial Ethernet, VPN Client, VPN Server]
Table 6-2
VPN server: CP x43-1 Advanced
VPN client: SCALANCE S
Access type: Static IP address
Requirements
Static public IP address for the Internet router of the VPN server.
Internet router with port forwarding functionality (on the VPN server side).
Standard Internet modem, router or UMTS router, for example SCALANCE M873 (on the VPN client side).
Link to the configuration description:
http://support.automation.siemens.com/WW/view/en/108910593
6.1.2 VPN tunnel between CP x43-1 Advanced (VPN server) and SCALANCE M81x-1 using a static IP address
Overview
Figure 6-2 [diagram; labels: Service PC, Automation Cell, SCALANCE M81x-1, Internet, Router, Static WAN IP Address, VPN Tunnel, Industrial Ethernet, VPN Client, VPN Server]
Table 6-3
VPN server: CP x43-1 Advanced
VPN client: SCALANCE M874-x
Access type: Static IP address
Requirements
Static public IP address for the Internet router of the VPN server.
Internet router with port forwarding functionality (on the VPN server side).
Link to the configuration description:
http://support.automation.siemens.com/WW/view/en/108910139
6.1.3 VPN tunnel between CP x43-1 Advanced (VPN server) and SOFTNET Security Client using a static IP address
Overview
Figure 6-3 [diagram; labels: Service PC with SOFTNET Security Client (SSC), Automation Cell, Internet, Modem/Router, Internet, Router, Static WAN IP Address, VPN Client, VPN Tunnel, Industrial Ethernet, VPN Server]
Table 6-4
VPN server: CP x43-1 Advanced
VPN client: SOFTNET Security Client
Access type: Static IP address
Requirements
Static public IP address for the Internet router of the VPN server.
Internet router with port forwarding functionality (on the VPN server side).
Standard Internet modem, router or UMTS router, for example SCALANCE M873 (on the VPN client side).
Link to the configuration description:
http://support.automation.siemens.com/WW/view/en/108910602
6.1.4 VPN tunnel between CP x43-1 Advanced (VPN server) and CP x43-1 Advanced using a static IP address
Overview
Figure 6-4 [diagram; labels: Automation Cell A, SIMATIC S7-300 or S7-400 with CP x43-1 Advanced, Automation Cell B, Internet, Router, Internet, Modem/Router, Static WAN IP Address, VPN Tunnel, Industrial Ethernet, VPN Server, VPN Client]
Table 6-5
VPN server: CP x43-1 Advanced
VPN client: CP x43-1 Advanced
Access type: Static IP address
Requirements
Static public IP address for the Internet router of the VPN server.
Internet router with port forwarding functionality (on the VPN server side).
Standard Internet modem, router or UMTS router, for example SCALANCE M873 (on the VPN client side).
Link to the configuration description:
http://support.automation.siemens.com/WW/view/en/108910347
6.1.5 VPN tunnel between CP x43-1 Advanced (VPN server) and SCALANCE M874-x using a static IP address
Overview
Figure 6-5 [diagram; labels: Service PC, Automation Cell, SCALANCE M874-x, Internet, Router, Static WAN IP Address, VPN Tunnel, Industrial Ethernet, VPN Client, VPN Server]
Table 6-6
VPN server: CP x43-1 Advanced
VPN client: SCALANCE M874-x
Access type: Static IP address
Requirements
Static public IP address for the Internet router of the VPN server.
Internet router with port forwarding functionality (on the VPN server side).
Mobile network operator's default APN (on the VPN client side).
Link to the configuration description:
http://support.automation.siemens.com/WW/view/en/108913753
6.1.6 VPN tunnel between CP x43-1 Advanced (VPN server) and a mobile client using a static IP address
Overview
Figure 6-6 [diagram; labels: Automation Cell, Smartphone with IPSec Client App, Internet, Router, Static WAN IP Address, VPN Client, VPN Tunnel, Industrial Ethernet, VPN Server]
Table 6-7
VPN server: CP x43-1 Advanced
VPN client: Mobile client
Access type: Static IP address
Requirements
Static public IP address for the Internet router of the VPN server.
Internet router with port forwarding functionality (on the VPN server side).
Mobile network operator's default APN (on the VPN client side).
Smartphone with IPSec Client app and Android operating system (on the VPN client side).
Link to the configuration description:
http://support.automation.siemens.com/WW/view/en/108909919
6.2 Dynamic IP address
6.2.1 VPN tunnel between CP x43-1 Advanced (VPN server) and SOFTNET Security Client using a dynamic IP address
Overview
Figure 6-7 [diagram; labels: Service PC with SOFTNET Security Client (SSC), Automation Cell, Internet, Modem/Router, Internet, Router, Dynamic WAN IP Address, VPN Client, VPN Tunnel, Industrial Ethernet, VPN Server]
Table 6-8
VPN server: CP x43-1 Advanced
VPN client: SOFTNET Security Client
Access type: Dynamic IP address
Requirements
Dynamic public IP address for the Internet router of the VPN server (use of the DDNS providers dyndns.org or no-ip.org).
Internet router with port forwarding functionality (on the VPN server side).
Standard Internet modem, router or UMTS router, for example SCALANCE M873 (on the VPN client side).
Link to the configuration description:
In progress
6.2.2 VPN tunnel between CP x43-1 Advanced (VPN server) and SCALANCE M81x-1 using a dynamic IP address
Overview
Figure 6-8 [diagram; labels: Service PC, Automation Cell, SCALANCE M81x-1, Internet, Router, Dynamic WAN IP Address, VPN Tunnel, Industrial Ethernet, VPN Client, VPN Server]
Table 6-9
VPN server: CP x43-1 Advanced
VPN client: SCALANCE M874-x
Access type: Dynamic IP address
Requirements
Dynamic public IP address for the Internet router of the VPN server (use of the DDNS providers dyndns.org or no-ip.org).
Internet router with port forwarding functionality (on the VPN server side).
Link to the configuration description:
In progress
6.2.3 VPN tunnel between CP x43-1 Advanced (VPN server) and SCALANCE M874-x using a dynamic IP address
Overview
Figure 6-9 [diagram; labels: Service PC, Automation Cell, SCALANCE M874-x, Internet, Router, Dynamic WAN IP Address, VPN Tunnel, Industrial Ethernet, VPN Client, VPN Server]
Table 6-10
VPN server: CP x43-1 Advanced
VPN client: SCALANCE M874-x
Access type: Dynamic IP address
Requirements
Dynamic public IP address for the Internet router of the VPN server (use of the DDNS providers dyndns.org or no-ip.org).
Internet router with port forwarding functionality (on the VPN server side).
Mobile network operator's default APN
Link to the configuration description:
In progress
6.2.4 VPN tunnel between CP x43-1 Advanced (VPN server) and a mobile client using a dynamic IP address
Overview
Figure 6-10 [diagram; labels: Automation Cell, Smartphone with IPSec Client App, Internet, Router, Dynamic WAN IP Address, VPN Client, VPN Tunnel, Industrial Ethernet, VPN Server]
Table 6-11
VPN server: CP x43-1 Advanced
VPN client: Mobile client
Access type: Dynamic IP address
Requirements
Dynamic public IP address for the Internet router of the VPN server (use of the DDNS providers dyndns.org or no-ip.org).
Internet router with port forwarding functionality (on the VPN server side).
Mobile network operator's default APN (on the VPN client side).
Smartphone with IPSec Client app and Android operating system (on the VPN client side).
Link to the configuration description:
In progress
7 CP 1x43-1
This chapter describes the configurations in which the CP 1x43-1 is configured as the VPN server.
This group is marked in gray.
Table 7-1
VPN server
VPN client
CP 1x43-1
Access type
Static IP address
Dynamic IP address
Characteristics
The firewall, VPN server and communication settings are made directly in the CP 1x43-1; the security functions are integrated in the communications processor.
A static or dynamic public IP address can be used for the DSL router on the VPN server side.
7.1 Static IP address
7.1.1 VPN tunnel between CP 1x43-1 (VPN server) and SCALANCE S using a static IP address
Overview
Figure 7-1 [diagram; labels: Service PC, Automation Cell, SCALANCE S, Internet, Modem/Router, Internet, Router, SIMATIC S7-1200 or S7-1500 with CP 1x43-1, Static WAN IP Address, VPN Tunnel, Industrial Ethernet, VPN Client, VPN Server]
Table 7-2
VPN server: CP 1x43-1
VPN client: SCALANCE S
Access type: Static IP address
Requirements
Static public IP address for the Internet router of the VPN server.
Internet router with port forwarding functionality (on the VPN server side).
Standard Internet modem, router or UMTS router, for example SCALANCE M873 (on the VPN client side).
Link to the configuration description:
In progress
7.1.2 VPN tunnel between CP 1x43-1 (VPN server) and SCALANCE M81x-1 using a static IP address
Overview
Figure 7-2 [diagram; labels: Service PC, Automation Cell, SCALANCE M81x-1, Internet, Router, SIMATIC S7-1200 or S7-1500 with CP 1x43-1, Static WAN IP Address, VPN Tunnel, Industrial Ethernet, VPN Client, VPN Server]
Table 7-3
VPN server: CP 1x43-1
VPN client: SCALANCE M81x-1
Access type: Static IP address
Requirements
Static public IP address for the Internet router of the VPN server.
Internet router with port forwarding functionality (on the VPN server side).
Link to the configuration description:
In progress
7.1.3 VPN tunnel between CP 1x43-1 (VPN server) and SOFTNET Security Client using a static IP address
Overview
Figure 7-3 [diagram; labels: Service PC with SOFTNET Security Client (SSC), Automation Cell, Internet, Modem/Router, Internet, Router, SIMATIC S7-1200 or S7-1500 with CP 1x43-1, Static WAN IP Address, VPN Client, VPN Server, VPN Tunnel, Industrial Ethernet]
Table 7-4
VPN server: CP 1x43-1
VPN client: SOFTNET Security Client
Access type: Static IP address
Requirements
Static public IP address for the Internet router of the VPN server.
Internet router with port forwarding functionality (on the VPN server side).
Standard Internet modem, router or UMTS router, for example SCALANCE M873 (on the VPN client side).
Link to the configuration description:
In progress
7.1.4 VPN tunnel between CP 1x43-1 (VPN server) and CP x43-1 Advanced using a static IP address
Overview
Figure 7-4 [diagram; labels: Automation Cell A, SIMATIC S7-1200 or S7-1500 with CP 1x43-1, Automation Cell B, Internet, Router, Internet, Modem/Router, Static WAN IP Address, VPN Tunnel, Industrial Ethernet, VPN Server, VPN Client]
Table 7-5
VPN server: CP 1x43-1
VPN client: CP x43-1 Advanced
Access type: Static IP address
Requirements
Static public IP address for the Internet router of the VPN server.
Internet router with port forwarding functionality (on the VPN server side).
Standard Internet modem, router or UMTS router, for example SCALANCE M873 (on the VPN client side).
Link to the configuration description:
In progress
7.1.5 VPN tunnel between CP 1x43-1 (VPN server) and CP 1x43-1 using a static IP address
Overview
Figure 7-5 [diagram; labels: Automation Cell A, SIMATIC S7-1200 or S7-1500 with CP 1x43-1 (twice), Automation Cell B, Internet, Router, Internet, Modem/Router, Static WAN IP Address, VPN Tunnel, Industrial Ethernet, VPN Server, VPN Client]
Table 7-6
VPN server: CP 1x43-1
VPN client: CP 1x43-1
Access type: Static IP address
Requirements
Static public IP address for the Internet router of the VPN server.
Internet router with port forwarding functionality (on the VPN server side).
Standard Internet modem, router or UMTS router, for example SCALANCE M873 (on the VPN client side).
Link to the configuration description:
In progress
7.1.6 VPN tunnel between CP 1x43-1 (VPN server) and SCALANCE M874-x using a static IP address
Overview
Figure 7-6 [diagram; labels: Service PC, Automation Cell, SCALANCE M874-x, Internet, Router, SIMATIC S7-1200 or S7-1500 with CP 1x43-1, Static WAN IP Address, VPN Tunnel, Industrial Ethernet, VPN Client, VPN Server]
Table 7-7
VPN server: CP 1x43-1
VPN client: SCALANCE M874-x
Access type: Static IP address
Requirements
Static public IP address for the Internet router of the VPN server.
Internet router with port forwarding functionality (on the VPN server side).
Mobile network operator's default APN (on the VPN client side).
Link to the configuration description:
In progress
7.1.7 VPN tunnel between CP 1x43-1 (VPN server) and a mobile client using a static IP address
Overview
Figure 7-7 [diagram; labels: Automation Cell, Smartphone with IPSec Client App, Internet, Router, SIMATIC S7-1200 or S7-1500 with CP 1x43-1, Static WAN IP Address, VPN Client, VPN Server, VPN Tunnel, Industrial Ethernet]
Table 7-8
VPN server: CP 1x43-1
VPN client: Mobile client
Access type: Static IP address
Requirements
Static public IP address for the Internet router of the VPN server.
Internet router with port forwarding functionality (on the VPN server side).
Mobile network operator's default APN (on the VPN client side).
Smartphone with IPSec Client app and Android operating system (on the VPN client side).
Link to the configuration description:
In progress
7.2 Dynamic IP address
7.2.1 VPN tunnel between CP 1x43-1 (VPN server) and SCALANCE M81x-1 using a dynamic IP address
Overview
Figure 7-8 [diagram; labels: Service PC, Automation Cell, SCALANCE M81x-1, Internet, Router, SIMATIC S7-1200 or S7-1500 with CP 1x43-1, Dynamic WAN IP Address, VPN Tunnel, Industrial Ethernet, VPN Client, VPN Server]
Table 7-9
VPN server: CP 1x43-1
VPN client: SCALANCE M81x-1
Access type: Dynamic IP address
Requirements
Dynamic public IP address for the Internet router of the VPN server (use of the DDNS providers dyndns.org or no-ip.org).
Internet router with port forwarding functionality (on the VPN server side).
Link to the configuration description:
In progress
7.2.2 VPN tunnel between CP 1x43-1 (VPN server) and SOFTNET Security Client using a dynamic IP address
Overview
Figure 7-9 [diagram; labels: Service PC with SOFTNET Security Client (SSC), Automation Cell, Internet, Modem/Router, Internet, Router, SIMATIC S7-1200 or S7-1500 with CP 1x43-1, Dynamic WAN IP Address, VPN Client, VPN Server, VPN Tunnel, Industrial Ethernet]
Table 7-10
VPN server: CP 1x43-1
VPN client: SOFTNET Security Client
Access type: Dynamic IP address
Requirements
Dynamic public IP address for the Internet router of the VPN server (use of the DDNS providers dyndns.org or no-ip.org).
Internet router with port forwarding functionality (on the VPN server side).
Standard Internet modem, router or UMTS router, for example SCALANCE M873 (on the VPN client side).
Link to the configuration description:
In progress
7.2.3 VPN tunnel between CP 1x43-1 (VPN server) and SCALANCE M874-x using a dynamic IP address
Overview
Figure 7-10 [diagram; labels: Service PC, Automation Cell, SCALANCE M874-x, Internet, Router, SIMATIC S7-1200 or S7-1500 with CP 1x43-1, Dynamic WAN IP Address, VPN Tunnel, Industrial Ethernet, VPN Client, VPN Server]
Table 7-11
VPN server: CP 1x43-1
VPN client: SCALANCE M874-x
Access type: Dynamic IP address
Requirements
Dynamic public IP address for the Internet router of the VPN server (use of the DDNS providers dyndns.org or no-ip.org).
Internet router with port forwarding functionality (on the VPN server side).
Mobile network operator's default APN (on the VPN client side).
Link to the configuration description:
In progress
7.2.4 VPN tunnel between CP 1x43-1 (VPN server) and a mobile client using a dynamic IP address
Overview
Figure 7-11 [diagram; labels: Automation Cell, Smartphone with IPSec Client App, Internet, Router, SIMATIC S7-1200 or S7-1500 with CP 1x43-1, Dynamic WAN IP Address, VPN Client, VPN Server, VPN Tunnel, Industrial Ethernet]
Table 7-12
VPN server: CP 1x43-1
VPN client: Mobile client
Access type: Dynamic IP address
Requirements
Dynamic public IP address for the Internet router of the VPN server (use of the DDNS providers dyndns.org or no-ip.org).
Internet router with port forwarding functionality (on the VPN server side).
Mobile network operator's default APN (on the VPN client side).
Smartphone with IPSec Client app on Android operating system (on the VPN client side).
Link to the configuration description:
In progress
8 TS Adapter IE Advanced
This chapter describes the configurations in which the TS Adapter IE Advanced is configured as the VPN server.
This group is marked in dark yellow.
Table 8-1
VPN server
VPN client
Access type
TS Adapter IE Advanced
Static IP address
Characteristics
Aside from TIA Portal, no other software or hardware is required on the VPN client side to establish the VPN connection.
Either TIA Portal or the Windows SSTP client can be used as the VPN client.
8.1 VPN tunnel between TS Adapter IE Advanced (VPN server) and Windows SSTP client using a static IP address
Overview
Figure 8-1 [diagram; labels: Service PC, Automation Cell, Internet, Router, Modem/Router, SCALANCE M874-x, TS Adapter IE Advanced, Static WAN IP Address, VPN Client, VPN Server, VPN Tunnel, Industrial Ethernet, SIMATIC S7 Stations]
Table 8-2
VPN server: TS Adapter IE Advanced
VPN client: Windows SSTP client
Access type: Static IP address
Requirements
Static public IP address for the Internet router of the VPN server.
Internet router with port forwarding functionality (on the VPN server side).
Standard Internet modem, router or UMTS router, for example SCALANCE M873 (on the VPN client side).
Windows 7 or Windows Server 2008 or higher.
Link to the configuration description:
http://support.automation.siemens.com/WW/view/en/99681037
IP-based Remote Networks
Entry ID: 26662448, V2.0,
09/2014
8.2 VPN tunnel between TS Adapter IE Advanced (VPN server) and TIA Portal using a static IP address
Overview
Figure 8-2 [diagram; labels: Service PC, TIA Portal, Automation Cell, Internet, Modem/Router, Internet, Router, TS Adapter IE Advanced, Static WAN IP Address, VPN Client, VPN Server, VPN Tunnel, Industrial Ethernet, SIMATIC S7 Stations]
Table 8-3
VPN server: TS Adapter IE Advanced
VPN client: TIA Portal
Access type: Static IP address
Requirements
Static public IP address for the Internet router of the VPN server.
Internet router with port forwarding functionality (on the VPN server side).
Standard Internet modem, router or UMTS router, for example SCALANCE M873 (on the VPN client side).
TIA Portal V12 SP1 or higher.
Link to the configuration description:
http://support.automation.siemens.com/WW/view/en/99681624
9 History
Table 9-1
Version: V1.0, Date: 08/2014, Modifications: First version
Version: V2.0, Date: 07/2014, Modifications: First version
09/2014