What can you do if there isn't a VPN tunnel set up in the SCALANCE S 61x, the SOFTNET Security Client or the MD740-1?
Setting up a VPN tunnel via the Internet can be actively initiated by the following components (see Fig. 01):
- SCALANCE S 61x
- SOFTNET Security Client
- MD 740-1
The active component now makes cyclic attempts (at the configured time interval) to set up the tunnel. To do this, it transmits ISAKMP packages to the fixed external IP address of the standard DSL router on the passive side. The standard DSL router's fixed external IP address is identified on the passive SCALANCE S 61x module through the configuration. The standard DSL router forwards the packages to the SCALANCE S 61x through the PORT forwarding setting.
As soon as the tunnel is set up, the above components identify the nodes in the protected area behind the SCALANCE S 61x and send packages, which are addressed to these nodes, via the tunnel.
Consequently, the SCALANCE S 61x, with the external IP address 192.168.2.2, can be contacted from the control center with a PG via the Security Configuration Tool. This is visible in the online view in the SCT (see Fig. 02).
Furthermore, using a PG in the control centre, the user can
- successfully transmit a ping to the nodes of IP subnet in the remote station;
- with STEP 7, the PG/OP functions can be used to access the S7-300/400 controller online in the remote station so as to enable the STEP 7 project or the configuration to be loaded into the S7-300 controller's CPU or the CPU's diagnostic buffer to be read out.
If the VPN tunnel isn't successfully set up, perform the following measures to establish the cause:
- You require a SCALANCE S 61x with firmware V2.1 or higher or an MD 740-1 with firmware V1.0.3 or higher.
- Checking PORT forwarding:
On the standard DSL router, the PORT forwarding must be set such that the UDP packages on the Internet, which are addressed to ports 500 and 4500 of the router, are sent to ports 500 and 4500 on the connected SCALANCE S 61x (passive module).
- Checking the configuration:
Are the correct IP addresses configured for all components? Are the correct gateways specified in all these modules?
- Record the networks on the active and passive sides between the standard DSL router and the SCALANCE S or SOFTNET Security Client.
Are ISAKMP and ESP frames visible?
- Install the following hotfix (KB889527) for Windows XP to ensure that ICMP (Internet Control Message Protocol) frames are not lost, even if the Windows firewall is configured to support ICMP frames.
- The IP addresses in the control center and in the remote station must be different.
- N.B. If you wish to access multiple remote stations from a control center or have multiple SCALANCE S 61x modules in a remote station, the IP subnets in the remote stations or behind the SCALANCE S 61x modules must be different.
- You may not use routers with VPN capability (or the VPN functionality for these routers must be disabled). The following standard DSL routers have been successfully tested for setting up a VPN tunnel via the Internet:
Netgear RP614 V3
Netgear FVS338 ProSafe
Netgear RP614 V4
TCOM Speedport W500 (HW: 01A/FW: 1.00)
SOFTNET security client
- When a VPN tunnel is set up between a SOFTNET security client and SCALANCE S 61x, the following firewall rule must be configured in the SCALANCE: allow internal -> external
- There may not be any VPN client other than the SOFTNET security client active on the PC station, i.e. set up a VPN tunnel.
- Turn off the Windows firewall!
- If the VPN tunnel setup is initiated by the SOFTNET security client, one possibility is to switch PCs.
- Check whether your SIM card supports GPRS.
- If the VPN tunnel setup is initiated by an MD 740-1, please check that the remote station's IP subnet is specified in the MD 740-1 under the address of the opposing address.