Siemens Industry Online Support
Siemens AG
Entry type: FAQ Entry ID: 24953806, Entry date: 10/26/2009
How do you configure a VPN tunnel between a PC station and SCALANCE S61x V2.1 via the Internet with the SOFTNET Security Client Edition 2005 HF1?

Using the current version of the SOFTNET Security Client (SSC) - Edition 2005 HF1 - a VPN cannot be established with a SCALANCE S 61x V2.1 module in routing mode via the Internet by means of the Security Configuration Tool (SCT).

The text below describes how to set up the VPN tunnel via the Internet by means of a simple modification of the configuration file for the SOFTNET Security Client.

Fig. 1 shows the structure of this configuration.

The requirements for this are:

  • In order to support the set up of the tunnel via the Internet in routing mode, you require the SCALANCE S 61x with firmware V2.1 and the Security Configuration Tool V2.1.
  • The standard DSL router B requires a fixed external IP address, and this address has to be configured on the passive SCALANCE S 61x (B). Passive means here that the SCALANCE S 61x (B) waits for the partner to start the tunnel setup.


Fig. 1  
 
The CPU 315-2 PN/DP is located in the internal Ethernet network which is protected by the SCALANCE S 61x V2.1. The SCALANCE S 61x V2.1 serves as the router or gateway for the CPU 315-2 PN/DP. Therefore, the internal IP address 140.80.0.2 of the SCALANCE S 61x V2.1 has to be entered as the router or gateway in the properties of the integrated PN interface of the CPU 315-2 PN/DP.


Fig. 2
 
The PC station, whose IP address is 192.168.2.5, is located in the Ethernet network of the SCALANCE S 61x V2.1. The standard router A is the gateway or router for the PC station. For this reason, enter the internal IP address 192.168.2.1 of the standard router A as the "default gateway" under the Windows network connections in the properties for the local area connection (LAN). Furthermore, the standard router A is used as the DNS server for the PC station, so its internal IP address 192.168.2.1 must also be entered as the DNS server in the properties for the local area connection (LAN).
 

Fig 3
 
Note

If the standard router A possesses DHCP capability, the PC can automatically obtain its IP address and DNS server address from router A.

Next, the standard routers A and B are configured.

  1. No port forwarding rules for the SOFTNET Security Client's IPsec packets need to be configured on the standard router A on the active side (the SOFTNET Security Client initiates the VPN tunnel).

    Optionally, if the PC has a fixed IP address, port forwarding can be set up so that UDP packets from the Internet addressed to ports 500 and 4500 of the router are forwarded to ports 500 and 4500 of the connected PC station.

    In this case the PC station's IP address 192.168.2.5 is entered on the standard router A.

    Fig. 4

  2. On the standard router B, port forwarding has to be set up so that UDP packets from the Internet addressed to ports 500 and 4500 of the router are forwarded to ports 500 and 4500 of the connected SCALANCE S 61x.

    In this case the SCALANCE S 61x's IP address 192.168.2.2 is entered on the standard router B.

    Fig. 5

 
Now compile and save the configuration data for the SOFTNET Security Client (SSC) and the SCALANCE S 61x V2.1 using the Security Configuration Tool (SCT), following the instructions set out below.
 
Configuration of the SOFTNET Security Client
  1. Open the SCT via the Windows START menu with SIMATIC > SCALANCE > Security.
  2. Once you have created a new project in the SCT, insert a SCALANCE S 61x V2-type module and a SOFTNET Security Client-type module via the menu "Insert > Module".
     

    Fig. 6
     
  3. Assign the SCALANCE S 61x V2-type module the external IP address 192.168.2.2 and enter the MAC address for the SCALANCE S 61x V2.1. Furthermore, you have to enter the internal IP address 192.168.2.1 of the standard router B, to which the SCALANCE S 61x is connected, as the default gateway.
     

    Fig. 7
     
  4. Then create a new group via the menu "Insert > Group". The two SCALANCE S 61x V2-type and SOFTNET Security Client-type modules are assigned to this group by means of drag & drop. This is necessary for generating the configuration data for the SSC. However, the routing mode of the SCALANCE S 61x V2.1 is not activated yet because the SOFTNET Security Client Edition 2005 HF1 can only be used in groups with modules in bridge mode.
     

    Fig. 8
     

    Fig. 9
     
  5. Enable "Advanced Mode" via the "View" menu.
      

    Fig. 10
     
  6. The VPN tunnel setup settings are now defined in the "VPN" tab of the properties for the SCALANCE S 61x V2-type module.

    The SCALANCE S 61x V2.1 is configured as a passive module. In addition, the fixed external IP address of the connected standard router must be entered here, because the active module initiates the tunnel setup via this address. In this example this is the fixed external IP address 217.91.8.166 of the standard router B.
     

    Fig. 11
     

  7. Furthermore, the following firewall rules have to be added in the "Firewall" tab of the properties for the SCALANCE S 61x V2 module:

    Allow Internal->External
     

    Fig. 12
     

  8. The configuration for the SSC can now be compiled and saved. Mark the SOFTNET Security Client-type module under "All Modules" and click the "Load" button to compile and save the configuration data for the SSC.
      

    Fig. 13
     
  9. The configuration data for the SSC is now saved in a "*.dat" format file. In this example the configuration file is called "Configuration1.Module2.dat".
     

    Fig. 14

       
    Note
    When you download the configuration data for the SSC, the module certificate (*.cer) and the group certificate (*.p12) are created, among other files. Do not store the export file with the configuration data "Configuration1.Modul2.dat" in the same folder as the project. Otherwise the module certificate (*.cer) is deleted again when the SOFTNET Security Client-type and SCALANCE S 61x V2-type modules are later removed from the group to which they are currently still assigned.

Adapting a configuration file for the SOFTNET Security Client  

In order to enable the SOFTNET Security Client Edition 2005 HF1 to set up the VPN tunnel between a PC station and the SCALANCE S 61x V2.1 in routing mode via the Internet, the configuration file "Configuration1.Module2.dat" must be extended manually. This procedure is described below.
The configuration file "Configuration1.Module2.dat" uses the UNIX text format (LF line endings) and must therefore be opened for editing in a text editor that handles UNIX line endings. In the editor, add the information about the internal subnet (subnet 2) 140.80.0.0. In addition, the "Learn the internal nodes" function must be disabled.
  
  

Fig. 15
   
Now save the changes made to the configuration file "Configuration1.Module2.dat".
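Because the .dat file must keep its UNIX format, an editor on the Windows PC station can silently rewrite it with CRLF line endings or prepend a byte-order mark. The following Python script is an added check, not part of this entry or of the Siemens tools: it reports the line terminators found in a file and restores LF-only endings. The sample bytes are constructed and do not reflect the real .dat file format.

```python
"""Verify that an edited SOFTNET Security Client .dat file still uses
UNIX (LF-only) line endings, and normalize it if a Windows editor did not."""
from pathlib import Path

BOM = b"\xef\xbb\xbf"  # UTF-8 byte-order mark some Windows editors prepend


def line_ending_report(data: bytes) -> dict:
    """Count LF-only, CRLF and bare-CR terminators and flag a leading BOM."""
    crlf = data.count(b"\r\n")
    return {
        "lf": data.count(b"\n") - crlf,   # LFs that are not part of a CRLF
        "crlf": crlf,
        "cr": data.count(b"\r") - crlf,   # CRs that are not part of a CRLF
        "bom": data.startswith(BOM),
    }


def is_unix_format(data: bytes) -> bool:
    """True only if every terminator is a bare LF and there is no BOM."""
    rep = line_ending_report(data)
    return rep["crlf"] == 0 and rep["cr"] == 0 and not rep["bom"]


def normalize_to_unix(data: bytes) -> bytes:
    """Rewrite CRLF and bare-CR terminators as LF and drop a leading BOM."""
    if data.startswith(BOM):
        data = data[len(BOM):]
    return data.replace(b"\r\n", b"\n").replace(b"\r", b"\n")


def check_and_fix(path: str, fix: bool = False) -> bool:
    """Check a file on disk; with fix=True rewrite it in place.
    Returns True if the file is in UNIX format afterwards."""
    p = Path(path)
    data = p.read_bytes()
    if is_unix_format(data):
        return True
    print(f"{path}: not UNIX format: {line_ending_report(data)}")
    if fix:
        p.write_bytes(normalize_to_unix(data))
        return True
    return False


# Constructed sample: what a Windows editor typically does to such a file.
SAMPLE_WINDOWS = BOM + b"line one\r\nline two\r\nline three\r\n"

if __name__ == "__main__":
    print(line_ending_report(SAMPLE_WINDOWS))
    print(is_unix_format(normalize_to_unix(SAMPLE_WINDOWS)))
```

Run it as `check_and_fix("Configuration1.Module2.dat", fix=True)` after saving your edits and before loading the file into the SSC.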

The attached PDF file contains an example of the adapted configuration file "Configuration1.Module2.dat".

Configuration1.Modul2.pdf ( 56 KB )

Configuration of the SCALANCE S 61x V2 in routing mode

Once you have adapted the configuration file "Configuration1.Module2.dat", the SCALANCE S 61x V2.1's routing mode is activated. This takes place in the same SCT project as the configuration of the SSC.

  1. Remove the two SCALANCE S 61x V2-type and SOFTNET Security Client-type modules from the group to which they had previously been assigned.

    Note
    The group to which the modules had previously been assigned and the modules themselves may not be deleted. Otherwise, this would change the configuration data for the SSC, and a new configuration file would have to be created for the SSC.

  2. Then activate the routing mode in the "Routing Mode" tab of the properties for the SCALANCE S 61x V2-type module and assign the internal IP address 140.80.0.2 and the subnet mask 255.255.0.0.
     

    Fig. 16
     

  3. Now assign the SCALANCE S 61x V2-type module to the existing group by drag & drop.
     

    Fig. 17
     

  4. Then load the configuration into the SCALANCE S 61x V2.1. In order to transfer the configuration data to the SCALANCE S 61x V2.1, mark the SCALANCE S 61x V2-type module under "All Modules" and click the "Load" button.
     

    Fig. 18

Setting up a VPN tunnel with the SOFTNET Security Client

The SOFTNET Security Client Edition 2005 HF1 sets up the VPN tunnel from the PC station to the SCALANCE S 61x V2.1.

  1. Open the SSC via the Windows START menu with SIMATIC > SCALANCE.

    Note
    If you have installed multiple interfaces on your PC station for accessing the Internet (e.g. WLAN, UMTS card ...), then when you open the SOFTNET Security Client, a dialog window is displayed. In this dialog window you mark the interface that you want to use for Internet access.

  2. First of all, load the configuration data into the SSC.
     

    Fig. 19
     

  3. This involves opening and loading the adapted configuration file "Configuration1.Module2.dat".
     

    Fig. 20
     

  4. Open the tunnel overview by clicking the "Tunnel overview" button.
     

    Fig. 21
     

  5. The modules or subnets that can be reached via the VPN tunnel are displayed here.
     

    Fig. 22
     

  6. The "Test Tunnel" function allows you to check whether the VPN tunnel from the SSC to the SCALANCE S 61x V2.1 is set up in routing mode.
     

    Fig. 23
     

  7. If the VPN tunnel is successfully set up, and the SCALANCE S 61x V2.1 can be reached from the PC station, the following message appears:
     

    Fig. 24

If the VPN tunnel between the PC station and the SCALANCE S 61x V2.1 is set up via the Internet, you can access the protected automation cell (CPU 315-2 PN/DP) from the PC station, i.e.

  • A ping can be transmitted from the PC station to the CPU 315-2 PN/DP.
  • In STEP 7 you can use the PG/OP functions to access the S7-300 controller online so as to enable you to load the STEP 7 project or the configuration into the S7-300 controller's CPU or to read out the CPU's diagnostic buffer.

Note

  1. The VPN tunnel does not support layer 2 protocols, such as the "accessible nodes" function in STEP 7.
    Problems can also arise if a firewall is additionally installed on the PC.
  2. If, in addition, you have activated one or more firewalls in this configuration (see Fig. 1), then UDP ports 500 and 4500 must be enabled on those firewalls.

Important!
This constellation has also been tested on several standard PCs under Windows XP SP2. However, we cannot guarantee that this example will work properly in all PC configurations.

Security information
In order to protect technical infrastructures, systems, machines and networks against cyber threats, it is necessary to implement – and continuously maintain – a holistic, state-of-the-art IT security concept. Siemens’ products and solutions constitute one element of such a concept. For more information about cyber security, please visit
http://www.siemens.com/industrialsecurity.