https://support.industry.siemens.com/cs/ww/de/view/26662448
We do not accept any liability for the information contained in this document.
Any claims against us – based on whatever legal reason – resulting from the use of
the examples, information, programs, engineering and performance data etc.,
described in this Application Example shall be excluded. Such an exclusion shall
not apply in the case of mandatory liability, e.g. under the German Product Liability
Act (“Produkthaftungsgesetz”), in case of intent, gross negligence, or injury of life,
body or health, guarantee for the quality of a product, fraudulent concealment of a
deficiency or breach of a condition which goes to the root of the contract
Siemens AG 2017 All rights reserved
Security information
Siemens provides products and solutions with industrial security functions that
support the secure operation of plants, systems, machines and networks.
In order to protect plants, systems, machines and networks against cyber
threats, it is necessary to implement – and continuously maintain – a holistic,
state-of-the-art industrial security concept. Siemens’ products and solutions only
form one element of such a concept.
Customer is responsible to prevent unauthorized access to its plants, systems,
machines and networks. Systems, machines and components should only be
connected to the enterprise network or the internet if and to the extent necessary
and with appropriate security measures (e.g. use of firewalls and network
segmentation) in place.
Additionally, Siemens’ guidance on appropriate security measures should be
taken into account. For more information about industrial security, please visit
http://www.siemens.com/industrialsecurity.
Siemens’ products and solutions undergo continuous development to make them
more secure. Siemens strongly recommends to apply product updates as soon
as available and to always use the latest product versions. Use of product
versions that are no longer supported, and failure to apply latest updates may
increase customer’s exposure to cyber threats.
To stay informed about product updates, subscribe to the Siemens Industrial
Security RSS Feed under http://www.siemens.com/industrialsecurity.
Table of Contents
Warranty and Liability
1 Remarks on this Document
1.1 Purpose and objective
1.2 Features and benefits
1.3 Structure of this document
2 Introduction into Remote Networks
2.1 Remote networks & industrial security
2.2 Security Integrated product portfolio
2.2.1 SINEMA Remote Connect
2.2.2 SCALANCE S612 and S62x
2.2.3 SOFTNET Security Client
2.2.4 SCALANCE M-800
2.2.5 CP x43-1 Advanced
2.2.6 CP 1x43-x
2.2.7 CP 1628
2.2.8 TS Adapter IE Advanced
2.2.9 LOGO!
3 SCALANCE S
3.1 VPN tunnel between SCALANCE S (VPN server) and SCALANCE S using a static IP address
5.4 VPN tunnel between SCALANCE S615 and a tablet (iOS) via the SINEMA RC server
5.5 VPN tunnel between SCALANCE S615 and a smartphone (Android) via the SINEMA RC server
5.6 VPN tunnel between two identical cells with S615 and SINEMA RC Client via the SINEMA RC Server by using the NAT function
5.7 JumpHost application with SINEMA RC Server
6 CP x43-1 Advanced
6.1 VPN tunnel between CP x43-1 Advanced (VPN server) and SCALANCE S using a static IP address
6.2 VPN tunnel between CP x43-1 Advanced (VPN server) and SCALANCE M81x-1 using a static IP address
6.3 VPN tunnel between CP x43-1 Advanced (VPN server) and SOFTNET Security Client using a static IP address
6.4 VPN tunnel between CP x43-1 Advanced (VPN server) and CP x43-1 Advanced using a static IP address
6.5 VPN tunnel between CP x43-1 Advanced (VPN server) and SCALANCE M874-x using a static IP address
6.6 VPN tunnel between CP x43-1 Advanced (VPN server) and a mobile client using a static IP address
7 CP 1x43-x
7.1 VPN tunnel between CP 1x43-1 (VPN server) and SCALANCE S using a static IP address
Objective
The Security Integrated portfolio includes several products that can be combined
with each other. This results in a large number of configuration options.
This document helps you find an optimal solution for secure communication
based on VPN.
Benefits
The document offers the following benefits to the reader:
Support in planning and configuration
Quick finding of information regarding configuration options
Short, compact overview of the features
Reference to the individual configurations
There is a separate group for each module that can be configured as a VPN
server. This results in the following subdivision of VPN server groups:
SCALANCE S
SCALANCE M874
SCALANCE M810
SINEMA Remote Connect
CP x43-1 Adv.
CP 1x43-1
CP 1628
TS Adapter IE Advanced
LOGO! CMR
Note For configuration examples for the CP 1628, use the following link: \10\.
Contents of a group
A group can in turn consist of multiple configurations. All these configurations have
one thing in common: for all configurations, the VPN server is the same security
module - specified by the group. They differ in the module used as the VPN client.
For all possible configurations of a group, Siemens Industry Online Support
provides a document with a specific configuration guide for the settings of the VPN
modules.
The figure below shows the subdivision of the configurations.
Figure 1-1 (subdivision of the configurations; rows: Group, Configuration; one column per VPN server: SCALANCE S; SCALANCE M-800 / SCALANCE S615; SINEMA Remote Connect; CP x43-1 Adv.; CP 1x43-x; TS-Adapter; LOGO! CMR)
Configurations that belong to the same group have the same color (e.g., yellow for
the SCALANCE S group).
In the relevant chapter, each configuration is
presented homogeneously in an overview graphic,
including a list of requirements and
the link for the detailed configuration description.
Applications
Possible remote access applications in a remote network:
Telecontrol
Connection of outstations (remote terminal units - RTUs) distributed over a
wide geographical area to one or more central control systems for the purpose
of operator control and monitoring.
Teleservice
Data exchange with distant technical systems such as machines, plants and
computers for the purpose of error detection, diagnostics, maintenance, repair
and optimization.
VPN
A VPN is a private network that uses a public network (e.g., the Internet) as a
transit network for transmitting data to a private destination network. The private
networks and the transit network need not be compatible with one another.
Although VPN uses the addressing mechanisms of the transit network, it
nevertheless uses its own network packets to separate the transport of private data
packets from the others. Due to this fact, the private networks appear as a shared,
logical (virtual) network.
VPN routers are required to set up a VPN.
The VPN Security Integrated products (VPN routers) by Siemens (SCALANCE S/M
and CPs) support the IPsec (IP Security) protocol.
SINEMA Remote Connect as VPN server enables VPN connections via OpenVPN
and IPsec.
LOGO! CMR supports the VPN server function with pre-shared key.
SCALANCE S615 supports the IPsec protocol; however, it can also be used as an
OpenVPN client.
The TS Adapter IE Advanced uses Microsoft's SSTP (Secure Socket Tunneling
Protocol).
Note For more information on the Siemens Security Concept, use the following link:
\3\.
Figure 2-1 (overview graphic; labels: Service PCs, SINEMA RC, SSC, Smartphone with IPSec Client App, Windows SSTP, Internet Router, SCALANCE S, SCALANCE M874-x, SCALANCE M81x-1, Automation Cells, SIMATIC S7 Stations, TS Adapter IE Advanced, SIMATIC S7-300 or S7-400 with CP x43-1 Advanced, SIMATIC S7-1200 or S7-1500 with CP 1x43-1)
To help you select products, the following sections describe the most important
features of the respective security modules.
SCALANCE S615
SCALANCE S615 is a security module for securing devices, automation cells, or
network segments in Ethernet networks against external and internal dangers.
It provides the same functionality and features as the previous SCALANCE M
variants. In addition, there are some specific LAN functions which enable optimized
connection with SINEMA Remote Connect.
Amongst others, SCALANCE S615 is distinguished by the following characteristics:
• Support of VPN for secure authentication of network nodes, for data encryption and verifying data integrity.
  – IPsec VPN tunnel (server and client functionality)
  – OpenVPN for connecting to SINEMA Remote Connect (client function)
• High-quality stateful inspection firewall with filtering of IP-based data traffic and communication protocols.
• Support of NAT/NAPT; also in connection with IPsec and OpenVPN.
• Supporting VLAN.
• Flexible, reaction-free and protocol-independent protection.
• Support of multiple VPN tunnels at a time.
• Simplest connection to SINEMA Remote Connect via Auto configuration interface (can be enabled via KEY-PLUG SINEMA REMOTE CONNECT).
The security modules of the SCALANCE S family are designed specifically for use
in automation but integrate seamlessly with the security structures of the office and
IT world.
The SCALANCE S612, SCALANCE S623 and SCALANCE S627-2M modules
additionally provide the following features:
• Simultaneous protection of multiple devices by IPsec tunnels (support of up to 128 VPN tunnels at a time).
• IP addresses are automatically obtained from the internet service provider using PPPoE; therefore, it is no longer necessary to use a separate DSL router; a DSL modem can be used instead.
• Use of DNS for VPN tunnels using public dynamic IP addresses from the Internet service provider.
• User-specific IP firewall to distinguish and differentiate access to specific plant parts.
Note For the technical specifications of the SCALANCE S modules, use the following
link: \4\.
The SOFTNET Security Client allows programming devices, PCs and notebook
computers access to network nodes or automation systems protected by
SCALANCE S, SCALANCE M or CPs.
It is characterized by the following features:
• Secure access of programming devices or notebook computers to entire automation cells.
• Easy use on mobile PCs.
• Non-secure devices can be integrated into the secure data traffic.
• Supports the DNS client function.
SCALANCE M874
The SCALANCE M874-3 (HSPA+ router) and SCALANCE M874-2 (GPRS/EDGE
router) routers are suited for cellular networks. These modules are characterized
by the following features:
• Simultaneous protection of multiple devices by IPsec tunnels (support of up to 10 VPN tunnels at a time).
• Broad range of applications; can be used wherever a GPRS/UMTS network is available.
• Connection of stationary stations and/or mobile stations.
• Simplicity of connecting local networks by means of IP communication via WAN.
• User-specific IP firewall to distinguish and differentiate access to specific plant parts.
Note For the technical specifications of the SCALANCE M874 modules, use the
following link: \5\.
SCALANCE M81x-1
SCALANCE M812-1 and SCALANCE M816-1 are DSL routers for cost-effective,
secure connection of Ethernet-based subnets and programmable controllers to
wired telephone or DSL networks. They support ADSL2+ (Asynchronous Digital
Subscriber Line).
These modules are characterized by the following features:
• Simultaneous protection of multiple devices by IPsec tunnels (support of up to 20 VPN tunnels at a time).
• VPN and DSL router in a single device; therefore, it is no longer necessary to use a separate DSL router.
• Broad range of applications due to high bandwidth, performance and speed.
• Reduced travel expenses and personnel costs due to remote programming and remote diagnostics via wired telephone or DSL networks.
• User-specific IP firewall to distinguish and differentiate access to specific plant parts.
Note For the technical specifications of the SCALANCE M810 modules, use the
following link: \6\.
Note For the technical specifications of CP 343-1 Advanced, use the following link:
\7\.
Note For the technical specifications of CP 443-1 Advanced, use the following link: \8\.
2.2.6 CP 1x43-x
Note For the technical specifications of the CP 1243-x, use the following link: \13\.
Note For the technical specifications of CP 1543-1, use the following link: \14\.
2.2.7 CP 1628
Note For the technical specifications of CP 1628, use the following link: \9\.
In conjunction with TIA Portal (V12 SP1 or higher), the TS Adapter IE Advanced
allows access, through the Internet, to all automation components of a plant (e.g.,
S7 controllers) that are connected to Industrial Ethernet.
Note For the technical specifications of TS Adapter IE Advanced, use the following
link: \11\.
2.2.9 LOGO!
LOGO! from Siemens is an intelligent logic module, ideally suited to the realization
of simple automation tasks in industry and building technology. The use of
expansion modules enables LOGO! to control even complex plants without any
problems.
Using LOGO! CMR in combination with the LOGO! 8 basic modules (BM) makes it
possible for you to monitor and control distributed plants and systems via text
messages. You can remotely access the web interface of LOGO! CMR and LOGO!
BM via mobile wireless network. The remote access makes it possible, for
example, to install the LOGO! BM program remotely.
Note For the technical specifications of LOGO!, use the following link: \16\.
1
Internet access and a DSL modem are required to access the Internet.
3 SCALANCE S
This chapter describes the configurations in which the SCALANCE S is configured as the VPN server.
This group is marked in yellow.
Table 3-1
VPN server | VPN client | Access type
SCALANCE S | VPN remote end | Static IP address
Characteristics
The SCALANCE S can be located either behind a DSL router or a DSL modem.
A static or dynamic public IP address can be used for the DSL router/modem on the VPN server side.
Up to 128 VPN tunnels can be established simultaneously; therefore, multiple secure connections can run simultaneously and
independently of one another.
A service employee or system on the VPN client side can establish the VPN tunnel only when necessary; a permanent tunnel
connection is not necessary.
By selecting the routing function, the networks at the internal and external interface become separate subnets.
3.1 VPN tunnel between SCALANCE S (VPN server) and SCALANCE S using a static IP address
Overview
Figure 3-1 (overview graphic; labels: Static WAN IP Address, VPN Server, VPN Client, VPN Tunnel, Industrial Ethernet, SIMATIC S7 Stations)
Table 3-2
VPN server | VPN client | Access type
SCALANCE S | SCALANCE S | Static IP address
Requirements
Static public IP address for the Internet router of the VPN server
Internet router with port forwarding functionality (on the VPN server side)
Standard Internet modem, router or UMTS router, for example SCALANCE M873 (on the VPN client side)
3.2 VPN tunnel between SCALANCE S (VPN server) and SCALANCE M81x-1 using a static IP address
Overview
Figure 3-2 (overview graphic; labels: Static WAN IP Address)
Table 3-3
VPN server | VPN client | Access type
SCALANCE S | SCALANCE M81x-1 | Static IP address
Requirements
Static public IP address for the Internet router of the VPN server.
Internet router with port forwarding functionality (on the VPN server side).
3.3 VPN tunnel between SCALANCE S (VPN server) and SOFTNET Security Client using a static IP address
Overview
Figure 3-3
Table 3-4
VPN server | VPN client | Access type
SCALANCE S | SOFTNET Security Client | Static IP address
Requirements
Static public IP address for the Internet router of the VPN server.
Internet router with port forwarding functionality (on the VPN server side).
Standard Internet modem, router or UMTS router, for example SCALANCE M873 (on the VPN client side).
3.4 VPN tunnel between SCALANCE S (VPN server) and CP x43-1 Advanced using a static IP address
Overview
Figure 3-4 (overview graphic; labels: Static WAN IP Address, VPN Tunnel, VPN Server, VPN Client, Industrial Ethernet)
Table 3-5
VPN server | VPN client | Access type
SCALANCE S | CP x43-1 Advanced | Static IP address
Requirements
Static public IP address for the Internet router of the VPN server.
Internet router with port forwarding functionality (on the VPN server side).
Standard Internet modem, router or UMTS router, for example SCALANCE M873 (on the VPN client side).
3.5 VPN tunnel between SCALANCE S (VPN server) and SCALANCE M874-x using a static IP address
Overview
Figure 3-5 (overview graphic; labels: Static WAN IP Address)
Table 3-6
VPN server | VPN client | Access type
SCALANCE S | SCALANCE M874-x | Static IP address
Requirements
Static public IP address for the Internet router of the VPN server.
Internet router with port forwarding functionality (on the VPN server side).
Mobile network operator's default APN (on the VPN client side).
3.6 VPN tunnel between SCALANCE S (VPN server) and a mobile client using a static IP address
Overview
Figure 3-6 (overview graphic; labels: Automation Cell, Smartphone with IPSec Client App, Internet Router, SCALANCE S, Static WAN IP Address, VPN Client, VPN Server, VPN Tunnel, Industrial Ethernet, SIMATIC S7 Stations)
Table 3-7
VPN server | VPN client | Access type
SCALANCE S | Mobile client | Static IP address
Requirements
Static public IP address for the Internet router of the VPN server.
Internet router with port forwarding functionality (on the VPN server side).
Mobile network operator's default APN (on the VPN client side).
Smartphone with IPSec Client app and Android operating system (on the VPN client side).
Table 4-1
VPN server | VPN client | Access type
SCALANCE M-800, SCALANCE S615 | VPN remote end | Static IP address
Characteristics
The plant with the SCALANCE M-800/ S615 as the VPN server can be both stationary and mobile.
A static or dynamic public IP address can be used for the SCALANCE M-800/ S615.
Several VPN tunnels can be established in parallel; therefore, multiple secure connections can run simultaneously and independent of
one another.
A service employee or system on the VPN client side can establish the VPN tunnel only when necessary; a permanent tunnel
connection is not necessary.
4.1 VPN tunnel between SCALANCE M81x-1 (VPN server) and SCALANCE M81x-1 using a static IP address
Overview
Figure 4-1 (overview graphic; labels: Static WAN IP Address, VPN Tunnel, VPN Server, VPN Client, Industrial Ethernet, SIMATIC S7 Stations)
Table 4-2
VPN server | VPN client | Access type
SCALANCE M81x-1 | SCALANCE M81x-1 | Static IP address
Requirements
Static public IP address for the VPN server.
4.2 VPN tunnel between SCALANCE S615 (VPN server) and SOFTNET Security Client using a static IP address
Overview
Figure 4-2
Table 4-3
VPN server | VPN client | Access type
SCALANCE S615 | SOFTNET Security Client | Static IP address
Requirements
Static public IP address from the mobile network operator that can also be accessed from the Internet (on the VPN server side).
Standard Internet modem, router or UMTS router, for example SCALANCE M873 (on the VPN client side).
4.3 VPN tunnel between SCALANCE M874-x (VPN server) and CP x43-1 Advanced using a static IP address
Overview
Figure 4-3 (overview graphic; labels: Static WAN IP Address, VPN Tunnel, VPN Server, VPN Client, Industrial Ethernet)
Table 4-4
VPN server | VPN client | Access type
SCALANCE M874-x | CP x43-1 Advanced | Static IP address
Requirements
Static public IP address from the mobile network operator that can also be accessed from the Internet (on the VPN server side).
Mobile network operator's default APN (on the VPN server side).
Standard Internet modem, router or UMTS router, for example SCALANCE M873 (on the VPN client side).
4.4 VPN tunnel between SCALANCE M874-x (VPN server) and CP 1x43-1 using a static IP address
Overview
Figure 4-4 (overview graphic; labels: Static WAN IP Address, VPN Tunnel, VPN Server, VPN Client, Industrial Ethernet)
Table 4-5
VPN server | VPN client | Access type
SCALANCE M874-x | CP 1x43-1 | Static IP address
Requirements
Static public IP address from the mobile network operator that can also be accessed from the Internet (on the VPN server side).
Mobile network operator's default APN (on the VPN server side).
Standard Internet modem, router or UMTS router, for example SCALANCE M873 (on the VPN client side).
4.5 VPN tunnel between SCALANCE M874-x (VPN server) and SCALANCE M874-x using a static IP address
Overview
Figure 4-5 (overview graphic; labels: Static WAN IP Address, VPN Tunnel, VPN Server, VPN Client, Industrial Ethernet, SIMATIC S7 Stations)
Table 4-6
VPN server | VPN client | Access type
SCALANCE M874-x | SCALANCE M874-x | Static IP address
Requirements
Static public IP address from the mobile network operator that can also be accessed from the Internet (on the VPN server side).
Mobile to mobile communication (depending on the mobile network operator).
4.6 VPN tunnel between SCALANCE M874-x (VPN server) and a mobile client using a static IP address
Overview
Figure 4-6 (overview graphic; labels: Automation Cell, Smartphone with IPSec Client App, SCALANCE M874-x, Static WAN IP Address, VPN Client, VPN Server, VPN Tunnel, Industrial Ethernet, SIMATIC S7 Stations)
Table 4-7
VPN server | VPN client | Access type
SCALANCE M874-x | Mobile client | Static IP address
Requirements
Static public IP address from the mobile network operator that can also be accessed from the Internet (on the VPN server side).
Mobile to mobile communication (depending on the mobile network operator).
Smartphone with IPSec Client app and Android operating system (on the VPN client side).
Table 5-1
VPN server | VPN client | Access type
SINEMA Remote Connect | VPN remote end | Static IP address
Characteristics
The VPN client can either be a PC with SINEMA Remote Connect Client or a smartphone/tablet with an “OpenVPN-Client” app.
A service employee or system on the VPN client side can establish the VPN tunnel only when necessary; a permanent tunnel
connection is not necessary.
5.1 VPN tunnel between SINEMA Remote Connect Server and a tablet (iOS)
Overview
Figure 5-1
Table 5-2
VPN server | VPN client | Access type
SINEMA Remote Connect | Tablet (iOS) with “OpenVPN Client” app | Static IP address
Requirements
Static public IP address for the Internet router of the VPN server.
Internet router with port forwarding functionality (on the VPN server side).
Tablet with “OpenVPN Client” app and iOS operating system (VPN client side).
Standard internet router with WLAN functionality (VPN client side).
(Overview graphic; labels: Central Station, SINEMA Remote Connect Server, Internet Router, Service technician with mobile end device, WAN, Static WAN IP Address, VPN Server, VPN Client, VPN Tunnel, Industrial Ethernet)
Table 5-3
VPN server | VPN client | Access type
SINEMA Remote Connect | Smartphone (Android) with “OpenVPN Client” app | Static IP address
Requirements
Static public IP address for the Internet router of the VPN server.
Internet router with port forwarding functionality (on the VPN server side).
Mobile network operator's default APN (on the VPN client side).
Smartphone with “OpenVPN Client” app and Android operating system (VPN client side).
Link to the configuration description:
http://support.automation.siemens.com/WW/view/en/109479594
5.3 VPN tunnel between SCALANCE S615 and SINEMA RC client via the SINEMA RC server
Overview
Figure 5-3 (overview graphic; labels: WAN, VPN Server, Static WAN IP Address, VPN Client, Service Technician, Internet Router, VPN Tunnel, Industrial Ethernet)
Table 5-4
VPN server | VPN clients | Access type
SINEMA Remote Connect | SCALANCE S615, SINEMA Remote Connect client | Static IP address
Requirements
Static public IP address for the Internet router of the VPN server.
Internet router with port forwarding functionality (on the VPN server side).
Standard Internet modem, router or UMTS router, for example SCALANCE M873 (on the VPN client side).
5.4 VPN tunnel between SCALANCE S615 and a tablet (iOS) via the SINEMA RC server
Overview
Figure 5-4 (overview graphic; labels: WAN, VPN Server, Static WAN IP Address, Service Technician, VPN Client, Internet Router, VPN Tunnel, Industrial Ethernet)
Table 5-5
VPN server | VPN clients | Access type
SINEMA Remote Connect | SCALANCE S615, tablet (iOS) with “OpenVPN Client” app | Static IP address
Requirements
Static public IP address for the Internet router of the VPN server.
Internet router with port forwarding functionality (on the VPN server side).
Standard Internet modem, router or UMTS router, for example SCALANCE M873 (on the VPN client side).
Tablet with “OpenVPN Client” app and iOS operating system (VPN client side).
Link to the configuration description:
http://support.automation.siemens.com/WW/view/en/109479578
5.5 VPN tunnel between SCALANCE S615 and a smartphone (Android) via the SINEMA RC server
Overview
Figure 5-5 (overview graphic; labels: WAN, Static WAN IP Address, VPN Server, Service Technician, VPN Client)
Table 5-6
VPN server | VPN clients | Access type
SINEMA Remote Connect | SCALANCE S615, smartphone (Android) with “OpenVPN Client” app | Static IP address
Requirements
Static public IP address for the Internet router of the VPN server.
Internet router with port forwarding functionality (on the VPN server side).
Mobile network operator's default APN (on the VPN client side).
Smartphone with “OpenVPN Client” app and Android operating system (VPN client side).
Link to the configuration description:
http://support.automation.siemens.com/WW/view/en/109479641
IP-based Remote Networks
Entry ID: 26662448, V2.1, 03/2017
5.6 VPN tunnel between two identical cells with S615 and SINEMA RC Client via the SINEMA RC Server by using the NAT function
Overview
Figure 5-6 (overview graphic; labels: Service, Cell 1, S615, VPN client, WAN, Central, SINEMA Remote Connect Server, VPN tunnel, Industrial Ethernet)
Table 5-7
VPN server | VPN clients | Access type
SINEMA Remote Connect | SCALANCE S615, SINEMA Remote Connect client | Static IP address
Requirements
Static public IP address and port forwarding for the Internet router of the VPN server.
Identical IP subnet in the automation cells
(Overview graphic; labels: Service technician, VPN client, WAN, Data center/DMZ, enterprise network, VPN Tunnel, Industrial Ethernet)
Table 5-8
VPN server | VPN clients | Access type
SINEMA Remote Connect | SCALANCE S615, SINEMA Remote Connect client | Static IP address
Requirements
Static public IP address and port forwarding for the Internet router of the VPN server.
DMZ with SINEMA Remote Connect Server and JumpHost Virtual Desktop
6 CP x43-1 Advanced
This chapter describes the configurations in which the CP x43-1 Advanced is configured as the VPN server.
This group is marked in dark blue.
Table 6-1
VPN server | VPN client | Access type
CP x43-1 Advanced | VPN remote end | Static IP address
Characteristics
The firewall, VPN server and communication settings are made directly in the CP x43-1 Advanced; the security functions are integrated
in the communications processor.
A static or dynamic public IP address can be used for the DSL router on the VPN server side.
6.1 VPN tunnel between CP x43-1 Advanced (VPN server) and SCALANCE S using a static IP address
Overview
Figure 6-1 (overview graphic; labels: Static WAN IP Address)
Table 6-2
VPN server | VPN client | Access type
CP x43-1 Advanced | SCALANCE S | Static IP address
Requirements
Static public IP address for the Internet router of the VPN server.
Internet router with port forwarding functionality (on the VPN server side).
Standard Internet modem, router or UMTS router, for example SCALANCE M873 (on the VPN client side).
6.2 VPN tunnel between CP x43-1 Advanced (VPN server) and SCALANCE M81x-1 using a static IP address
Overview
Figure 6-2 (overview graphic; labels: Static WAN IP Address)
Table 6-3
VPN server | VPN client | Access type
CP x43-1 Advanced | SCALANCE M874-x | Static IP address
Requirements
Static public IP address for the Internet router of the VPN server.
Internet router with port forwarding functionality (on the VPN server side).
6.3 VPN tunnel between CP x43-1 Advanced (VPN server) and SOFTNET Security Client using a static IP address
Overview
Figure 6-3
Table 6-4
VPN server | VPN client | Access type
CP x43-1 Advanced | SOFTNET Security Client | Static IP address
Requirements
Static public IP address for the Internet router of the VPN server.
Internet router with port forwarding functionality (on the VPN server side).
Standard Internet modem, router or UMTS router, for example SCALANCE M873 (on the VPN client side).
6.4 VPN tunnel between CP x43-1 Advanced (VPN server) and CP x43-1 Advanced using a static IP address
Overview
Figure 6-4 (overview graphic; labels: Static WAN IP Address, VPN tunnel, Industrial Ethernet, VPN Server, VPN Client)
Table 6-5
VPN server | VPN client | Access type
CP x43-1 Advanced | CP x43-1 Advanced | Static IP address
Requirements
Static public IP address for the Internet router of the VPN server.
Internet router with port forwarding functionality (on the VPN server side).
Standard Internet modem, router or UMTS router, for example SCALANCE M873 (on the VPN client side).
6.5 VPN tunnel between CP x43-1 Advanced (VPN server) and SCALANCE M874-x using a static IP address
Overview
Figure 6-5
Table 6-6
VPN server | VPN client | Access type
CP x43-1 Advanced | SCALANCE M874-x | Static IP address
Requirements
Static public IP address for the Internet router of the VPN server.
Internet router with port forwarding functionality (on the VPN server side).
Mobile network operator's default APN (on the VPN client side).
6.6 VPN tunnel between CP x43-1 Advanced (VPN server) and a mobile client using a static IP address
Overview
Figure 6-6 (diagram labels: smartphone with IPSec client app, Internet, router with static WAN IP address, SIMATIC S7-300 or S7-400 with CP x43-1 Advanced, automation cell, Industrial Ethernet, VPN client, VPN server, VPN tunnel)
Table 6-7
VPN server | VPN client | Access type
CP x43-1 Advanced | Mobile client | Static IP address
Requirements
Static public IP address for the Internet router of the VPN server.
Internet router with port forwarding functionality (on the VPN server side).
Mobile network operator's default APN (on the VPN client side).
Smartphone with IPSec Client app and Android operating system (on the VPN client side).
7 CP 1x43-x
This chapter describes the configurations in which the CP 1x43-x is configured as the VPN server.
This group is marked in gray.
Table 7-1
VPN server | VPN client | Access type
CP 1x43-1 | VPN remote end | Static IP address
Characteristics
The firewall, VPN server and communication settings are made directly in the CP 1x43-x; the security functions are integrated in the communications processor.
A static or dynamic public IP address can be used for the DSL router on the VPN server side.
7.1 VPN tunnel between CP 1x43-1 (VPN server) and SCALANCE S using a static IP address
Overview
Figure 7-1
Table 7-2
VPN server | VPN client | Access type
CP 1x43-1 | SCALANCE S | Static IP address
Requirements
Static public IP address for the Internet router of the VPN server.
Internet router with port forwarding functionality (on the VPN server side).
Standard Internet modem, router or UMTS router, for example SCALANCE M873 (on the VPN client side).
7.2 VPN tunnel between CP 1x43-1 (VPN server) and SCALANCE M81x-1 using a static IP address
Overview
Figure 7-2
Table 7-3
VPN server | VPN client | Access type
CP 1x43-1 | SCALANCE M81x-1 | Static IP address
Requirements
Static public IP address for the Internet router of the VPN server.
Internet router with port forwarding functionality (on the VPN server side).
7.3 VPN tunnel between CP 1x43-1 (VPN server) and SOFTNET Security Client using a static IP address
Overview
Figure 7-3
Table 7-4
VPN server | VPN client | Access type
CP 1x43-1 | SOFTNET Security Client | Static IP address
Requirements
Static public IP address for the Internet router of the VPN server.
Internet router with port forwarding functionality (on the VPN server side).
Standard Internet modem, router or UMTS router, for example SCALANCE M873 (on the VPN client side).
7.4 VPN tunnel between CP 1x43-1 (VPN server) and CP x43-1 Advanced using a static IP address
Overview
Figure 7-4
Table 7-5
VPN server | VPN client | Access type
CP 1x43-1 | CP x43-1 Advanced | Static IP address
Requirements
Static public IP address for the Internet router of the VPN server.
Internet router with port forwarding functionality (on the VPN server side).
Standard Internet modem, router or UMTS router, for example SCALANCE M873 (on the VPN client side).
7.5 VPN tunnel between CP 1x43-1 (VPN server) and CP 1x43-1 using a static IP address
Overview
Figure 7-5
Table 7-6
VPN server | VPN client | Access type
CP 1x43-1 | CP 1x43-1 | Static IP address
Requirements
Static public IP address for the Internet router of the VPN server.
Internet router with port forwarding functionality (on the VPN server side).
Standard Internet modem, router or UMTS router, for example SCALANCE M873 (on the VPN client side).
7.6 VPN tunnel between CP 1x43-1 (VPN server) and SCALANCE M874-x using a static IP address
Overview
Figure 7-6
Table 7-7
VPN server | VPN client | Access type
CP 1x43-1 | SCALANCE M874-x | Static IP address
Requirements
Static public IP address for the Internet router of the VPN server.
Internet router with port forwarding functionality (on the VPN server side).
Mobile network operator's default APN (on the VPN client side).
7.7 VPN tunnel between CP 1x43-1 (VPN server) and a mobile client using a static IP address
Overview
Figure 7-7 (diagram labels: smartphone with IPSec client app, Internet, router with static WAN IP address, SIMATIC S7-1200 or S7-1500 with CP 1x43-1, automation cell, Industrial Ethernet, VPN client, VPN server, VPN tunnel)
Table 7-8
VPN server | VPN client | Access type
CP 1x43-1 | Mobile client | Static IP address
Requirements
Static public IP address for the Internet router of the VPN server.
Internet router with port forwarding functionality (on the VPN server side).
Mobile network operator's default APN (on the VPN client side).
Smartphone with IPSec Client app and Android operating system (on the VPN client side).
Table 8-1
VPN server | VPN client | Access type
TS Adapter IE Advanced | VPN remote end | Static IP address
Characteristics
Aside from a PC, no other hardware is required on the VPN client side to establish the VPN connection.
With the TS Adapter, either TIA Portal or the Windows SSTP client can be used as the VPN client.
With the LOGO!, the OpenVPN client must support:
– OpenVPN V2.3.11 or higher
– Pre-Shared Key coding
8.1 VPN tunnel between TS Adapter IE Advanced (VPN server) and Windows SSTP client using a static IP address
Overview
Figure 8-1 (diagram labels: service PC, Internet modem/router, Internet, router with static WAN IP address, TS Adapter IE Advanced, SCALANCE M874-x, SIMATIC S7 stations, automation cell, Industrial Ethernet, VPN client, VPN server, VPN tunnel)
Table 8-2
VPN server | VPN client | Access type
TS Adapter IE Advanced | Windows SSTP client | Static IP address
Requirements
Static public IP address for the Internet router of the VPN server.
Internet router with port forwarding functionality (on the VPN server side).
Standard Internet modem, router or UMTS router, for example SCALANCE M873 (on the VPN client side).
Windows 7 or Windows Server 2008 or higher.
8.2 VPN tunnel between TS Adapter IE Advanced (VPN server) and TIA Portal using a static IP address
Overview
Figure 8-2
Table 8-3
VPN server | VPN client | Access type
TS Adapter IE Advanced | TIA Portal | Static IP address
Requirements
Static public IP address for the Internet router of the VPN server.
Internet router with port forwarding functionality (on the VPN server side).
Standard Internet modem, router or UMTS router, for example SCALANCE M873 (on the VPN client side).
TIA Portal V12 SP1 or higher.
8.3 VPN tunnel between LOGO! (VPN server) and a PC using a static IP address
Overview
Figure 8-3
Table 8-4
VPN server | VPN client | Access type
LOGO! CMR | OpenVPN client | Static IP address
Requirements
Static public IP address for the SIM card of the VPN server.
Standard Internet modem, router or UMTS router, for example SCALANCE M873 (on the VPN client side).
10 History
Table 10-1
Version | Date | Modifications
V1.0 | 08/2014 | First version