Siemens Industry Online Support
Siemens AG
Entry type: FAQ Entry ID: 24968210, Entry date: 06/27/2013

How is a VPN tunnel between two SCALANCE S61x modules configured in Routing mode via the internet?

The text below describes how a VPN tunnel between two SCALANCE S61x modules is configured via the Internet.

The SCALANCE S61x modules are operated in Routing mode.

Requirements for this are:

  • SCALANCE S61x V2 modules require firmware V2.1 or higher to set up a VPN tunnel through the internet in Routing mode.
  • SCALANCE S612 V3 / V4 modules, SCALANCE S623 V3 / V4 modules and SCALANCE S627-2M V4 modules must support the setup of a VPN tunnel through the internet in Routing mode. The current firmware V4.0.1.1 for the SCALANCE S612, SCALANCE S623 and SCALANCE S627-2M is available for download under Entry ID 109477325.
  • You need the Security Configuration Tool V2.1 or higher to configure SCALANCE S61x V2 modules.
  • You need the Security Configuration Tool V3.0 or higher to configure SCALANCE S612 V3 and SCALANCE S623 V3 modules.
  • You need the Security Configuration Tool V4.0.1.1 or higher to configure SCALANCE S612 V4, SCALANCE S623 V4 and SCALANCE S627-2M modules. You can find the latest information on the Security Configuration Tool under Entry ID 63111903.
  • You require a fixed WAN IP address for standard router A. The active module (SCALANCE S61x B) initiates the setup of the VPN tunnel to this fixed WAN IP address. The passive module (SCALANCE S61x A) waits for the partner to start the tunnel setup.

Fig. 1
Description of the configuration setup
The PC station with IP address 192.168.3.2 is connected to the internal network of SCALANCE S61x A, which protects it against unwanted access from the internet.
The SCALANCE S61x A is the router for the PC station.

The controller, an S7-300 station, for example, is connected to the internal network of SCALANCE S61x B, which protects it against unwanted access from the internet.
The SCALANCE S61x B is the router for the controller.

Standard router A is the router for SCALANCE S61x A and standard router B is the router for SCALANCE S61x B.

Define routers in the S7-300 station

  • In the hardware configuration of the S7-300 station, you open the interface properties of the CP343-1.
  • Enable the "Use router" function and enter the internal IP address 140.80.0.2 of the SCALANCE S61x B.

Fig. 2

Define the default gateway in the PC station
  • To change the IP address of the PC station and define the default gateway for the PC station, you open the internet protocol (TCP/IP) properties through "Start > Control Panel > Network Connections > Local Connections".
  • Change the IP address of the PC station as shown in Fig. 1. In this example you enter the IP address 192.168.3.2 and the subnet mask 255.255.255.0.
  • For "Default Gateway" you enter the internal IP address 192.168.3.1 of SCALANCE S61x A.

Fig. 3

Next, configure standard routers A and B.

Configuration of the standard routers
Standard router A is connected to the external network of the passive SCALANCE S61x A. SCALANCE S61x A participates passively in the setup of the VPN tunnel. It waits for the partner to start the tunnel setup.

Standard router B is connected to the external network of the active SCALANCE S61x B. SCALANCE S61x B initiates setup of the VPN tunnel over the fixed WAN IP address of the standard router A.

  1. Configure the following port-forwarding rule for the standard router that is connected to the passive SCALANCE S61x (standard router A):
    UDP packets from the internet that are addressed to ports 500 and 4500 of standard router A are forwarded to the external IP address 192.168.2.200 of SCALANCE S61x A.

    Fig. 4

  2. Configure the following port-forwarding rule for the standard router that is connected to the active SCALANCE S61x (standard router B):
    UDP packets from the internet that are addressed to ports 500 and 4500 of standard router B must be forwarded to the external IP address 192.168.2.2 of SCALANCE S61x B.

    Fig. 5

    Note
    The VPN tunnel is also set up if no port-forwarding rule is configured on the standard router that is connected to the active SCALANCE S61x.

Configuration of the SCALANCE S61x modules
Now configure the SCALANCE S61x modules with the Security Configuration Tool in accordance with the configuration shown in Fig. 1.

  1. Open the Security Configuration Tool with "START > All Programs > Siemens Automation > SIMATIC > Security > Security Configuration Tool" and create a new project.
  2. Select the "Paste > Module" menu. The "Selection of a module or software configuration" dialog opens.

    Fig. 6

    Note
    The "Selection of a module or software configuration" dialog opens automatically when a new project is created.

  3. In this example the VPN tunnel is configured between two SCALANCE S612 V3 modules. Add a module with product type SCALANCE S, module S612, firmware release V3 and the following configuration:
    - Name of the module: "S61xA", for example (you can choose any name for the module).
    - For the module with the name "S61xA", enter the factory-set MAC address of SCALANCE S61x A. The factory-set MAC address is printed on the module.
    - Assign the module with the name "S61xA" the external IP address 192.168.2.200 and the subnet mask 255.255.255.0.
    - For "Interface routing external/internal", select Routing mode and assign the module with the name "S61xA" the internal IP address 192.168.3.1 and the subnet mask 255.255.255.0.
    - Apply the settings with "OK".

    Fig. 7

  4. Add another module with product type SCALANCE S, module S612, firmware release V3 and the following configuration:
    - Name of the module: "S61xB", for example (you can choose any name for the module).
    - For the module with the name "S61xB", enter the factory-set MAC address of SCALANCE S61x B. The factory-set MAC address is printed on the module.
    - Assign the module with the name "S61xB" the external IP address 192.168.2.2 and the subnet mask 255.255.255.0.
    - For "Interface routing external/internal", select Routing mode and assign the module with the name "S61xB" the internal IP address 140.80.0.2 and the subnet mask 255.255.0.0.
    - Apply the settings with "OK".

    Fig. 8

    Note
    The internal IP addresses of the two SCALANCE S modules must be in different IP subnets.

  5. The added SCALANCE S61x modules are displayed under "All modules".

    Fig. 9

  6. Under "All modules", right-click the module with the name "S61xA" and select "Properties" from the pop-up menu to open the module properties.
    In the "Routing" tab, enter the IP address 192.168.2.1 of standard router A as the standard router.

    Fig. 10

  7. Under "All modules", right-click the module with the name "S61xB" and select "Properties" from the pop-up menu to open the module properties.
    In the "Routing" tab, enter the IP address 192.168.2.1 of standard router B as the standard router.

    Fig. 11

  8. Create a new group via the "Paste > Group" menu.

    Fig. 12

  9. Drag and drop the two SCALANCE S61x modules into the group you have just created.

    Fig. 13
Configuring a VPN (Virtual Private Network)

  1. Under "All modules" you right-click the module with the name "S61xA" to open the module properties.
    In the "VPN" tab you select the "Wait for partner (responder)" function.
    Enter the fixed WAN IP address 217.91.8.166 of standard router A as the "WAN IP address".

    Fig. 14

  2. Under "All modules" you right-click the module with the name "S61xB" to open the module properties.
    In the "VPN" tab you select the "Start connection to partner (initiator/responder)" function.

    Fig. 15

  3. This concludes the configuration of the SCALANCE S61x modules.

Downloading or saving the configuration

  1. Under "All Modules", select the module with the name "S61xA" and click the "Download" button to transfer the configuration data to SCALANCE S61x A.

    Fig. 16

  2. Under "All Modules", select the module with the name "S61xB" and click the "Download" button to transfer the configuration data to SCALANCE S61x B.

    Fig. 17

Tunnel setup
The active SCALANCE S61x B now attempts to set up the tunnel cyclically. You set the time interval in the "VPN" tab of the module properties of the active SCALANCE S61x B (see Fig. 15). For this, SCALANCE S61x B transmits ISAKMP packets to the fixed WAN IP address 217.91.8.166 of standard router A. The fixed WAN IP address of standard router A is known from the configuration of the passive module (SCALANCE S61x A) (see Fig. 14). Standard router A forwards the packets to SCALANCE S61x A through the port-forwarding rule that was set up.

As soon as the tunnel is set up, messages exchanged between the nodes in the control center and the remote station are transmitted encrypted through the VPN tunnel.
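As an added example that is not part of the Siemens entry, the following Python script encodes the addresses and VPN roles from Fig. 1 and checks that the pieces configured above fit together (distinct internal subnets, responder/initiator roles, the responder's WAN IP, the UDP 500/4500 forwarding on router A, and the PC station's default gateway). The dictionary fields and finding messages are assumptions of this example.

```python
import copy
import ipaddress

# Constructed data mirroring Fig. 1 of the FAQ (example values, not a live config).
MODULE_A = {"name": "S61xA", "role": "responder", "ext_ip": "192.168.2.200",
            "int_ip": "192.168.3.1", "int_net": "192.168.3.0/24",
            "std_router": "192.168.2.1", "wan_ip": "217.91.8.166"}
MODULE_B = {"name": "S61xB", "role": "initiator", "ext_ip": "192.168.2.2",
            "int_ip": "140.80.0.2", "int_net": "140.80.0.0/16",
            "std_router": "192.168.2.1", "wan_ip": None}
# Standard router A: fixed WAN IP plus its port-forwarding table (proto, port) -> target.
ROUTER_A = {"wan_ip": "217.91.8.166", "forward": {("udp", 500): "192.168.2.200",
                                                  ("udp", 4500): "192.168.2.200"}}
PC_STATION = {"ip": "192.168.3.2", "gateway": "192.168.3.1"}


def check_setup(mod_a, mod_b, rtr_a, pc):
    """Return a list of findings; an empty list means the setup matches the FAQ."""
    findings = []
    net = ipaddress.ip_network
    # Note after Fig. 8: the internal subnets of the two modules must differ.
    if net(mod_a["int_net"]).overlaps(net(mod_b["int_net"])):
        findings.append("internal subnets of the two modules overlap")
    # Figs. 14/15: one module waits for the partner, the other starts the connection.
    if {mod_a["role"], mod_b["role"]} != {"responder", "initiator"}:
        findings.append("VPN roles must be one responder and one initiator")
    # Fig. 14: the responder carries the fixed WAN IP of standard router A.
    if mod_a["wan_ip"] != rtr_a["wan_ip"]:
        findings.append("responder WAN IP differs from router A's fixed WAN IP")
    # Fig. 4: router A forwards IKE (UDP 500) and NAT-T (UDP 4500) to the responder.
    for port in (500, 4500):
        if rtr_a["forward"].get(("udp", port)) != mod_a["ext_ip"]:
            findings.append(f"router A does not forward UDP {port} to {mod_a['ext_ip']}")
    # Fig. 3: the PC station sits on S61xA's internal subnet and uses it as gateway.
    if pc["gateway"] != mod_a["int_ip"] or \
            ipaddress.ip_address(pc["ip"]) not in net(mod_a["int_net"]):
        findings.append("PC station gateway/subnet do not match S61xA's internal side")
    return findings


def missing_nat_t_example():
    """Same setup with the UDP 4500 rule dropped, to show how a gap is reported."""
    rtr = copy.deepcopy(ROUTER_A)
    del rtr["forward"][("udp", 4500)]
    return check_setup(MODULE_A, MODULE_B, rtr, PC_STATION)
```

With the Fig. 1 values `check_setup` returns an empty list; dropping the UDP 4500 rule reproduces the situation the tunnel setup section depends on and yields a single finding.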

Diagnostics
Both modules, the SCALANCE S61x A and B, can be reached from the PC station in the control center. In the Security Configuration Tool you click the "Online view" button to check whether the SCALANCE S61x modules can be reached.

Fig. 18

Fig. 19

In the Online view, double-click the module with the name "S61xA". The Online view of SCALANCE S61x A opens. You can track the status of the VPN tunnel in the "Communication status" tab of the Online view for the SCALANCE S61x A connected to the PC station.

When the VPN tunnel between the two SCALANCE S61x modules is set up through the internet, you can access the protected automation cell 2 (S7-300 station) from the PC station; this means:

  • You can send a ping from the PC station to the IP address of the Industrial Ethernet CP that is used in the S7-300 station.
  • You can call up the Industrial Ethernet CP's website from the PC station.
  • In STEP 7 you can use the PG/OP functions to access the S7-300 station online so that you can download the STEP 7 project or the configuration to the S7-300 station's CPU or read out the diagnostics buffer of the CPU / Industrial Ethernet CP.

Notes

  1. The VPN tunnel does not support layer 2 protocols, such as the "Show Accessible Nodes" function in STEP 7.
  2. If, in addition, you have activated one or more firewalls in this configuration (see Fig. 1), then UDP ports 500 and 4500 must be enabled in the firewall.
Security information
In order to protect technical infrastructures, systems, machines and networks against cyber threats, it is necessary to implement – and continuously maintain – a holistic, state-of-the-art IT security concept. Siemens’ products and solutions constitute one element of such a concept. For more information about cyber security, please visit https://www.siemens.com/cybersecurity#Ouraspiration.