IP-based Remote Networks: SCALANCE M, SCALANCE S, CP x43-1 Advanced, CP 1x43-1, TS Adapter IE Advanced


Application Description 09/2014

IP-based Remote Networks


SCALANCE M, SCALANCE S, CP x43-1 Advanced, CP 1x43-1,
TS Adapter IE Advanced

http://support.automation.siemens.com/WW/view/de/26662448

Warranty and Liability


Note The Application Examples are not binding and do not claim to be complete
regarding the circuits shown, equipping and any eventuality. The Application
Examples do not represent customer-specific solutions. They are only intended
to provide support for typical applications. You are responsible for ensuring that
the described products are used correctly. These Application Examples do not
relieve you of the responsibility to use safe practices in application, installation,
operation and maintenance. When using these Application Examples, you
recognize that we cannot be made liable for any damage/claims beyond the
liability clause described. We reserve the right to make changes to these
Application Examples at any time without prior notice. If there are any deviations
between the recommendations provided in these Application Examples and
other Siemens publications – e.g. Catalogs – the contents of the other
documents have priority.

We do not accept any liability for the information contained in this document.
Any claims against us – based on whatever legal reason - resulting from the use of
the examples, information, programs, engineering and performance data etc.,
described in this Application Example shall be excluded. Such an exclusion shall
not apply in the case of mandatory liability, e.g. under the German Product Liability
Act ("Produkthaftungsgesetz"), in case of intent, gross negligence, or injury of life,
body or health, guarantee for the quality of a product, fraudulent concealment of a
deficiency or breach of a condition which goes to the root of the contract
("wesentliche Vertragspflichten"). The damages for a breach of a substantial
contractual obligation are, however, limited to the foreseeable damage, typical for
the type of contract, except in the event of intent or gross negligence or injury to
life, body or health. The above provisions do not imply a change of the burden of
proof to your detriment.
Any form of duplication or distribution of these Application Examples or excerpts
hereof is prohibited without the expressed consent of Siemens Industry Sector.

Siemens AG 2014 All rights reserved

Security information

Siemens provides products and solutions with industrial security functions that
support the secure operation of plants, solutions, machines, equipment and/or
networks. They are important components in a holistic industrial security
concept. With this in mind, Siemens' products and solutions undergo continuous
development. Siemens recommends strongly that you regularly check for
product updates.
For the secure operation of Siemens products and solutions, it is necessary to
take suitable preventive action (e.g. cell protection concept) and integrate each
component into a holistic, state-of-the-art industrial security concept. Third-party
products that may be in use should also be considered. For more information
about industrial security, visit http://www.siemens.com/industrialsecurity.
To stay informed about product updates as they occur, sign up for a product-
specific newsletter. For more information, visit
http://support.automation.siemens.com.

Entry ID: 26662448, V2.0, 09/2014

Table of Contents
Warranty and Liability
1 Remarks on this Document
1.1 Reason and objective
1.2 Features and benefits
1.3 Structure of this document
2 Introduction to Remote Networks
2.1 Remote networks & industrial security
2.2 Security Integrated product portfolio
2.2.1 SCALANCE S
2.2.2 SOFTNET Security Client
2.2.3 SCALANCE M-800
2.2.4 CP x43-1 Advanced
2.2.5 CP 1x43-1
2.2.6 CP 1628
2.2.7 TS Adapter IE Advanced
3 SCALANCE S
3.1 Static IP address
3.1.1 VPN tunnel between SCALANCE S (VPN server) and SCALANCE S using a static IP address
3.1.2 VPN tunnel between SCALANCE S (VPN server) and SCALANCE M81x-1 using a static IP address
3.1.3 VPN tunnel between SCALANCE S (VPN server) and SOFTNET Security Client using a static IP address
3.1.4 VPN tunnel between SCALANCE S (VPN server) and CP x43-1 Advanced using a static IP address
3.1.5 VPN tunnel between SCALANCE S (VPN server) and SCALANCE M874-x using a static IP address
3.1.6 VPN tunnel between SCALANCE S (VPN server) and a mobile client using a static IP address
3.2 Dynamic IP address
3.2.1 VPN tunnel between SCALANCE S (VPN server) and SCALANCE S using a dynamic IP address
3.2.2 VPN tunnel between SCALANCE S (VPN server) and SCALANCE M81x-1 using a dynamic IP address
3.2.3 VPN tunnel between SCALANCE S (VPN server) and SOFTNET Security Client using a dynamic IP address
3.2.4 VPN tunnel between SCALANCE S (VPN server) and SCALANCE M874-x using a dynamic IP address
3.2.5 VPN tunnel between SCALANCE S (VPN server) and a mobile client using a dynamic IP address
3.3 PPPoE
3.3.1 VPN tunnel between SCALANCE S (VPN server) and SCALANCE S using PPPoE
3.3.2 VPN tunnel between SCALANCE S (VPN server) and SCALANCE M81x-1 using PPPoE
3.3.3 VPN tunnel between SCALANCE S (VPN server) and SOFTNET Security Client using PPPoE
3.3.4 VPN tunnel between SCALANCE S (VPN server) and CP x43-1 Advanced using PPPoE
3.3.5 VPN tunnel between SCALANCE S (VPN server) and SCALANCE M874-x using PPPoE
3.3.6 VPN tunnel between SCALANCE S (VPN server) and a mobile client using PPPoE

4 SCALANCE M874-x
4.1 Static IP address
4.1.1 VPN tunnel between SCALANCE M874-x (VPN server) and SCALANCE M81x-1 using a static IP address
4.1.2 VPN tunnel between SCALANCE M874-x (VPN server) and SOFTNET Security Client using a static IP address
4.1.3 VPN tunnel between SCALANCE M874-x (VPN server) and CP x43-1 Advanced using a static IP address
4.1.4 VPN tunnel between SCALANCE M874-x (VPN server) and CP 1x43-1 using a static IP address
4.1.5 VPN tunnel between SCALANCE M874-x (VPN server) and SCALANCE M874-x using a static IP address
4.1.6 VPN tunnel between SCALANCE M874-x (VPN server) and a mobile client using a static IP address
4.2 Dynamic IP address
4.2.1 VPN tunnel between SCALANCE M874-x (VPN server) and SCALANCE M81x-1 using a dynamic IP address
4.2.2 VPN tunnel between SCALANCE M874-x (VPN server) and SOFTNET Security Client using a dynamic IP address
4.2.3 VPN tunnel between SCALANCE M874-x (VPN server) and SCALANCE M874-x using a dynamic IP address
4.2.4 VPN tunnel between SCALANCE M874-x (VPN server) and a mobile client using a dynamic IP address
5 SCALANCE M81x-1
5.1 Static IP address
5.1.1 VPN tunnel between SCALANCE M81x-1 (VPN server) and SCALANCE M81x-1 using a static IP address
5.1.2 VPN tunnel between SCALANCE M81x-1 (VPN server) and SOFTNET Security Client using a static IP address
5.1.3 VPN tunnel between SCALANCE M81x-1 (VPN server) and CP x43-1 Advanced using a static IP address
5.1.4 VPN tunnel between SCALANCE M81x-1 (VPN server) and CP 1x43-1 using a static IP address
5.1.5 VPN tunnel between SCALANCE M81x-1 (VPN server) and SCALANCE M874-x using a static IP address
5.1.6 VPN tunnel between SCALANCE M81x-1 (VPN server) and a mobile client using a static IP address
5.2 Dynamic IP address
5.2.1 VPN tunnel between SCALANCE M81x-1 (VPN server) and SCALANCE M81x-1 using a dynamic IP address
5.2.2 VPN tunnel between SCALANCE M81x-1 (VPN server) and SOFTNET Security Client using a dynamic IP address
5.2.3 VPN tunnel between SCALANCE M81x-1 (VPN server) and SCALANCE M874-x using a dynamic IP address
5.2.4 VPN tunnel between SCALANCE M81x-1 (VPN server) and a mobile client using a dynamic IP address
6 CP x43-1 Advanced
6.1 Static IP address
6.1.1 VPN tunnel between CP x43-1 Advanced (VPN server) and SCALANCE S using a static IP address
6.1.2 VPN tunnel between CP x43-1 Advanced (VPN server) and SCALANCE M81x-1 using a static IP address
6.1.3 VPN tunnel between CP x43-1 Advanced (VPN server) and SOFTNET Security Client using a static IP address
6.1.4 VPN tunnel between CP x43-1 Advanced (VPN server) and CP x43-1 Advanced using a static IP address

6.1.5 VPN tunnel between CP x43-1 Advanced (VPN server) and SCALANCE M874-x using a static IP address
6.1.6 VPN tunnel between CP x43-1 Advanced (VPN server) and a mobile client using a static IP address
6.2 Dynamic IP address
6.2.1 VPN tunnel between CP x43-1 Advanced (VPN server) and SOFTNET Security Client using a dynamic IP address
6.2.2 VPN tunnel between CP x43-1 Advanced (VPN server) and SCALANCE M81x-1 using a dynamic IP address
6.2.3 VPN tunnel between CP x43-1 Advanced (VPN server) and SCALANCE M874-x using a dynamic IP address
6.2.4 VPN tunnel between CP x43-1 Advanced (VPN server) and a mobile client using a dynamic IP address
7 CP 1x43-1
7.1 Static IP address
7.1.1 VPN tunnel between CP 1x43-1 (VPN server) and SCALANCE S using a static IP address
7.1.2 VPN tunnel between CP 1x43-1 (VPN server) and SCALANCE M81x-1 using a static IP address
7.1.3 VPN tunnel between CP 1x43-1 (VPN server) and SOFTNET Security Client using a static IP address
7.1.4 VPN tunnel between CP 1x43-1 (VPN server) and CP x43-1 Advanced using a static IP address
7.1.5 VPN tunnel between CP 1x43-1 (VPN server) and CP 1x43-1 using a static IP address
7.1.6 VPN tunnel between CP 1x43-1 (VPN server) and SCALANCE M874-x using a static IP address
7.1.7 VPN tunnel between CP 1x43-1 (VPN server) and a mobile client using a static IP address
7.2 Dynamic IP address
7.2.1 VPN tunnel between CP 1x43-1 (VPN server) and SCALANCE M81x-1 using a dynamic IP address
7.2.2 VPN tunnel between CP 1x43-1 (VPN server) and SOFTNET Security Client using a dynamic IP address
7.2.3 VPN tunnel between CP 1x43-1 (VPN server) and SCALANCE M874-x using a dynamic IP address
7.2.4 VPN tunnel between CP 1x43-1 (VPN server) and a mobile client using a dynamic IP address
8 TS Adapter IE Advanced
8.1 VPN tunnel between TS Adapter IE Advanced (VPN server) and Windows SSTP client using a static IP address
8.2 VPN tunnel between TS Adapter IE Advanced (VPN server) and TIA Portal using a static IP address
9 References
10 History

1 Remarks on this Document


1.1 Reason and objective
Reason
Based on the Security Integrated product portfolio, there are numerous different
ways of implementing secure communication that are always customized to the
application. For the user, looking for the perfect solution involves the following
questions:
- Which solutions are available?
- What are the differences between the solutions?

Objective
The Security Integrated portfolio includes several products that can be combined
with each other. This results in a large number of configuration options.

This document helps you find an optimal solution for secure communication
based on VPN.

1.2 Features and benefits


Features
The document has the following features:
- Clear, compact structure
- Concisely outlines the contents and provides an overview graphic of the
  individual configurations
- Does not describe details; the details are provided in the individual
  configurations.

Benefits
The document offers the following benefits to the reader:
- Support in planning and configuration
- Quick finding of information regarding configuration options
- Short, compact overview of the features
- Reference to the individual configurations

1.3 Structure of this document


Siemens’ Security Integrated portfolio includes several products that can be
combined with each other. This results in a large number of configuration options.

To present these options in a clear manner, the possible configurations are
classified based on specific criteria.
This document gives you an overview of the configurations with the modules from
the Remote Networks portfolio.

Classification based on SIMATIC dependency


The VPN solutions with the SCALANCE modules / TS Adapter are independent of
SIMATIC, i.e. the application behind the VPN tunnel does not have to be
a SIMATIC application. Access to other applications via the SCALANCE modules /
TS Adapter is possible as well.
The VPN solutions with the CPs are SIMATIC-based as a SIMATIC CPU is
required to operate the CP. However, these configurations also allow access to
non-SIMATIC plant parts via the CP.

Classification of the configurations


The possible configurations of an IP-based remote network are divided into groups.
The criterion for this subdivision is the module that acts as the VPN server.
There is a separate group for each module that can be configured as a VPN
server. This results in the following subdivision of VPN server groups:
- SCALANCE S
- SCALANCE M874
- SCALANCE M810
- CP x43-1 Adv.
- CP 1x43-1
- CP 1628
- TS Adapter IE Advanced

Note For configuration examples for the CP 1628, use the following link: \10\

Contents of a group
A group can in turn consist of multiple configurations. All these configurations have
one thing in common: For all configurations, the VPN server is the same security
module - specified by the group. They differ in the module used as the VPN client.
For all possible configurations of a group, Siemens Industry Online Support
provides a document with a specific configuration guide for the settings of the VPN
modules.
The figure below shows the subdivision of the configurations.

Figure 1-1 (graphic not reproduced): Overview of the remote access documents (IP-based), with one group per VPN server (SCALANCE S, SCALANCE M874, SCALANCE M810, CP x43-1 Adv., CP 1x43-1, TS Adapter) and the configurations belonging to each group.

Configurations that belong to the same group have the same color (e.g., yellow for
the SCALANCE S group).
In the relevant chapter, each configuration is presented homogeneously in an
overview graphic, including a list of requirements and the link for the detailed
configuration description.

Then the configurations within the group are sorted by access type:
- Access using a static public IP address (on the VPN server side)
- Access using a dynamic public IP address (on the VPN server side)
- PPPoE (only in the SCALANCE S group)

2 Introduction to Remote Networks


2.1 Remote networks & industrial security
Remote networks
Remote networks are public or private communications infrastructures for covering
wide areas or long distances, for example mobile or fixed telephone networks.
The geographical distribution of automation cells increases the demand for
telecontrol (remote control) and teleservice (remote maintenance/diagnostics) in a
remote network.
The comprehensive Remote Networks portfolio from Siemens offers connection to
both conventional (dedicated line, telephone) and IP-based infrastructures (e.g.,
the Internet).

Applications
Possible remote access applications in a remote network:
- Telecontrol:
  Connection of outstations (remote terminal units - RTUs) distributed over a
  wide geographical area to one or more central control systems for the purpose
  of monitoring and control.
- Teleservice:
  Data exchange with distant technical systems such as machines, plants and
  computers for the purpose of error detection, diagnostics, maintenance, repair
  and optimization.

Integration into the industrial security concept


This document focuses on IP-based networks.
As remote access to the plant is implemented via a public network (e.g., the
Internet), protection against data manipulation and spying is particularly
important. For this purpose, virtual private networks (VPN) are used.

VPN
A VPN is a private network that uses a public network (e.g., the Internet) as a
transit network for transmitting data to a private destination network. The private
networks and the transit network need not be compatible with one another.
Although VPN uses the addressing mechanisms of the transit network, it
nevertheless uses its own network packets to separate the transport of private data
packets from the others. Due to this fact, the private networks appear as a shared,
logical (virtual) network.
VPN routers are required to set up a VPN. The VPN Security Integrated products
(VPN routers) from Siemens support IPsec (Internet Protocol Security).
The TS Adapter IE Advanced uses Microsoft's SSTP (Secure Socket Tunneling
Protocol).

VPN client and VPN server


Data communication protected using IPsec always starts with negotiating a
preliminary Security Association (IKE phase 1) before algorithms, keys, etc. are
finally agreed upon in phase 2.
The tunnel endpoint that actively starts negotiating a Security Association is
referred to as the VPN client.
The remote end that waits for the VPN client is called the VPN server.

Note For more information on Internet Security Protocol and the Siemens Security
Concept, use the following link: \3\

2.2 Security Integrated product portfolio


Through a combination of different security measures such as firewalls and VPN,
the security modules protect individual devices or even entire automation cells
against:
- Data espionage
- Data manipulation
- Unwanted access

The figure below shows the remote access cells.

Figure 2-1 (graphic not reproduced). Labels: Service PCs; TIA Portal; SSC; smartphone with IPsec client app; Windows SSTP; Internet; Internet routers; automation cells; SCALANCE S; SCALANCE M874-x; SCALANCE M81x-1; TS Adapter IE Advanced; SIMATIC S7-300 or S7-400 with CP x43-1 Advanced; SIMATIC S7-1200 or S7-1500 with CP 1x43-1; SIMATIC S7 stations.

To help you in selecting products, the following sections describe the most
important features of the respective security modules.

2.2.1 SCALANCE S

The security modules of the SCALANCE S family are designed specifically for use
in automation but integrate seamlessly with the security structures of the office and
IT world. The SCALANCE S612, SCALANCE S623 and SCALANCE S627-2M
modules additionally provide the following features:
- Simultaneous protection of multiple devices by IPsec tunnels (support of up to
  128 VPN tunnels at a time).
- IP addresses are automatically obtained from the Internet service provider
  using PPPoE; therefore, it is no longer necessary to use a separate DSL router
  and a DSL modem can be used instead.
- Use of DNS for VPN tunnels using public dynamic IP addresses from the
  Internet service provider.
- User-specific IP firewall to distinguish and differentiate access to specific plant
  parts.

Note For the technical specifications of the SCALANCE S modules, use the following
link: \4\

2.2.2 SOFTNET Security Client

The SOFTNET Security Client allows programming devices, PCs and notebook
computers access to network nodes or automation systems protected by
SCALANCE S, SCALANCE M or CPs.
It is characterized by the following features:
- Secure access of programming devices or notebook computers to entire
  automation cells.
- Easy use on mobile PCs.
- Non-secure devices can be integrated into the secure data traffic.
- Supports the DNS client function.

2.2.3 SCALANCE M-800

SCALANCE M874
The SCALANCE M874-3 (HSPA+ router) and SCALANCE M874-2 (GPRS/EDGE
router) routers are suited for cellular networks. These modules are characterized
by the following features:
- Simultaneous protection of multiple devices by IPsec tunnels (support of up to
  10 VPN tunnels at a time).
- Broad range of applications; can be used wherever a GPRS/UMTS network is
  available.
- Connection of stationary stations and/or mobile stations.
- Simplicity of connecting local networks by means of IP communication via
  WAN.
- User-specific IP firewall to distinguish and differentiate access to specific plant
  parts.

Note For the technical specifications of the SCALANCE M874 modules, use the
following link: \5\

SCALANCE M810
SCALANCE M812-1 and SCALANCE M816-1 are DSL routers for cost-effective,
secure connection of Ethernet-based subnets and programmable controllers to
wired telephone or DSL networks. They support ADSL2+ (Asynchronous Digital
Subscriber Line).
These modules are characterized by the following features:
- Simultaneous protection of multiple devices by IPsec tunnels (support of up to
  20 VPN tunnels at a time).
- VPN and DSL router in a single device; therefore, it is no longer necessary to
  use a separate DSL router.
- Broad range of applications due to high bandwidth, performance and speed.
- Reduced travel expenses and personnel costs due to remote programming
  and remote diagnostics via wired telephone or DSL networks.
- User-specific IP firewall to distinguish and differentiate access to specific plant
  parts.

Note For the technical specifications of the SCALANCE M810 modules, use the
following link: \6\

2.2.4 CP x43-1 Advanced

CP 343-1 Advanced and CP 443-1 Advanced are communications processors for
connecting SIMATIC S7 CPUs to PROFINET / Industrial Ethernet networks.
For the SIMATIC S7-300/S7-400, they are the bridge between the field level and
the MES level and integrate seamlessly with the security structures of the office
and IT world.
These modules are characterized by the following features:
- Firewall, VPN gateway and communications processor in a single device.
- Protection of S7-300/S7-400 controllers and their lower-level networks by
  IPsec tunnels (support of up to 32 VPN tunnels at a time).

Note For the technical specifications of the CP 343-1 Advanced, use the following link: \7\

Note For the technical specifications of the CP 443-1 Advanced, use the following link: \8\

2.2.5 CP 1x43-1

The CP 1243-1 communications processor securely connects the SIMATIC
S7-1200 controller to Ethernet networks.
The CP 1543-1 communications processor securely connects the SIMATIC
S7-1500 controller to Ethernet networks.
These modules are characterized by the following features:
- Firewall, VPN gateway and communications processor in a single device.
- Protection of S7-1200/S7-1500 controllers and their lower-level networks by
  IPsec tunnels (support of up to 16 VPN tunnels at a time).

Note For the technical specifications of the CP 1243-1, use the following link: \7\

Note For the technical specifications of the CP 1543-1, use the following link: \8\

2.2.6 CP 1628

CP 1628 is a communications module for securely connecting a PG/PC to
Industrial Ethernet. With a dedicated processor for automation/security tasks, the
CP 1628 reduces the host PC's load and provides constant, stable and secure data
communication.
This module is characterized by the following features:
- Firewall, VPN gateway and communications processor in a single device.
- Simultaneous protection of multiple devices by IPsec tunnels (support of up to
  64 VPN tunnels at a time).

Note For the technical specifications of the CP 1628, use the following link: \9\

2.2.7 TS Adapter IE Advanced

In conjunction with TIA Portal (V12 SP1 or higher), the TS Adapter IE Advanced
allows access, through the Internet, to all automation components of a plant (e.g.,
S7 controllers) that are connected to Industrial Ethernet.
This module is characterized by the following features:
- Aside from TIA Portal, no other software or hardware is required to establish
  the VPN connection (VPN client).¹
- Protection of S7 controllers and their lower-level networks by SSTP.

Note For the technical specifications of the TS Adapter IE Advanced, use the following
link: \11\

¹ Internet access and a DSL modem are required to access the Internet.

3 SCALANCE S
This chapter describes the configurations in which the SCALANCE S is configured as the VPN server.
This group is marked in yellow.

Table 3-1

| VPN server | VPN client | Access type |
|---|---|---|
| SCALANCE S | VPN remote end | Static IP address, Dynamic IP address, PPPoE |

Characteristics
- The SCALANCE S can be either behind a DSL router or a DSL modem.
- A static or dynamic public IP address can be used for the DSL router/modem on the VPN server side.
- Up to 128 VPN tunnels can be established simultaneously; therefore, multiple secure connections can run simultaneously and
  independently of one another.
- A service employee or plant on the VPN client side can establish the VPN tunnel only when necessary; a permanently established
  tunnel connection is not necessary.
- Due to the routing function, the networks on the internal and external interface become separate subnets.

3.1 Static IP address


3.1.1 VPN tunnel between SCALANCE S (VPN server) and SCALANCE S using a static IP address

Overview
Figure 3-1 (network diagram; labels: Service PC, SCALANCE S, Internet Router, Static WAN IP Address, VPN Server, VPN Tunnel, VPN Client, Internet Modem/Router, SCALANCE S, Automation Cell, SIMATIC S7 Stations, Industrial Ethernet)

Table 3-2
VPN server | VPN client | Access type
SCALANCE S | SCALANCE S | Static IP address

Requirements
Static public IP address for the Internet router of the VPN server
Internet router with port forwarding functionality (on the VPN server side)
Standard Internet modem, router or UMTS router, for example SCALANCE M873 (on the VPN client side)

Link to the configuration description:


http://support.automation.siemens.com/WW/view/en/99681360

3.1.2 VPN tunnel between SCALANCE S (VPN server) and SCALANCE M81x-1 using a static IP address

Overview
Figure 3-2 (network diagram; labels: Service PC, SCALANCE S, Internet Router, Static WAN IP Address, VPN Server, VPN Tunnel, VPN Client, SCALANCE M81x-1, Automation Cell, SIMATIC S7 Stations, Industrial Ethernet)

Table 3-3
VPN server | VPN client | Access type
SCALANCE S | SCALANCE M81x-1 | Static IP address

Requirements
Static public IP address for the Internet router of the VPN server.
Internet router with port forwarding functionality (on the VPN server side).

Link to the configuration description:


http://support.automation.siemens.com/WW/view/en/99681595

3.1.3 VPN tunnel between SCALANCE S (VPN server) and SOFTNET Security Client using a static IP address

Overview
Figure 3-3 (network diagram; labels: Service PC with SOFTNET Security Client (SSC), Internet Modem/Router, VPN Client, VPN Tunnel, VPN Server, Internet Router, Static WAN IP Address, SCALANCE S, Automation Cell, SIMATIC S7 Stations, Industrial Ethernet)

Table 3-4
VPN server | VPN client | Access type
SCALANCE S | SOFTNET Security Client | Static IP address

Requirements
Static public IP address for the Internet router of the VPN server.
Internet router with port forwarding functionality (on the VPN server side).
Standard Internet modem, router or UMTS router, for example SCALANCE M873 (on the VPN client side).

Link to the configuration description:


http://support.automation.siemens.com/WW/view/en/99681083

3.1.4 VPN tunnel between SCALANCE S (VPN server) and CP x43-1 Advanced using a static IP address

Overview
Figure 3-4 (network diagram; labels: Service PC, SCALANCE S, Internet Router, Static WAN IP Address, VPN Server, VPN Tunnel, VPN Client, Internet Modem/Router, SIMATIC S7-300 or S7-400 with CP x43-1 Advanced, Automation Cell, Industrial Ethernet)

Table 3-5
VPN server | VPN client | Access type
SCALANCE S | CP x43-1 Advanced | Static IP address

Requirements
Static public IP address for the Internet router of the VPN server.
Internet router with port forwarding functionality (on the VPN server side).
Standard Internet modem, router or UMTS router, for example SCALANCE M873 (on the VPN client side).

Link to the configuration description:


http://support.automation.siemens.com/WW/view/en/99681025

3.1.5 VPN tunnel between SCALANCE S (VPN server) and SCALANCE M874-x using a static IP address

Overview
Figure 3-5 (network diagram; labels: Service PC, SCALANCE S, Internet Router, Static WAN IP Address, VPN Server, VPN Tunnel, VPN Client, SCALANCE M874-x, Automation Cell, SIMATIC S7 Stations, Industrial Ethernet)

Table 3-6
VPN server | VPN client | Access type
SCALANCE S | SCALANCE M874-x | Static IP address

Requirements
Static public IP address for the Internet router of the VPN server.
Internet router with port forwarding functionality (on the VPN server side).
Mobile network operator's default APN (on the VPN client side).

Link to the configuration description:


http://support.automation.siemens.com/WW/view/en/99681225

3.1.6 VPN tunnel between SCALANCE S (VPN server) and a mobile client using a static IP address

Overview
Figure 3-6 (network diagram; labels: Smartphone with IPSec Client App, VPN Client, VPN Tunnel, VPN Server, Internet Router, Static WAN IP Address, SCALANCE S, Automation Cell, SIMATIC S7 Stations, Industrial Ethernet)

Table 3-7
VPN server | VPN client | Access type
SCALANCE S | Mobile client | Static IP address

Requirements
Static public IP address for the Internet router of the VPN server.
Internet router with port forwarding functionality (on the VPN server side).
Mobile network operator's default APN (on the VPN client side).
Smartphone with IPSec Client app and Android operating system (on the VPN client side).

Link to the configuration description:


http://support.automation.siemens.com/WW/view/en/99680894

3.2 Dynamic IP address


3.2.1 VPN tunnel between SCALANCE S (VPN server) and SCALANCE S using a dynamic IP address

Overview
Figure 3-7 (network diagram; labels: Service PC, SCALANCE S, Internet Router, Dynamic WAN IP Address, VPN Server, VPN Tunnel, VPN Client, Internet Modem/Router, SCALANCE S, Automation Cell, SIMATIC S7 Stations, Industrial Ethernet)

Table 3-8
VPN server | VPN client | Access type
SCALANCE S | SCALANCE S | Dynamic IP address

Requirements
Dynamic public IP address for the Internet router of the VPN server (use of the DDNS providers dyndns.org or no-ip.org).
Internet router with port forwarding functionality (on the VPN server side).
Standard Internet modem, router or UMTS router, for example SCALANCE M873 (on the VPN client side).

Link to the configuration description:


In progress

3.2.2 VPN tunnel between SCALANCE S (VPN server) and SCALANCE M81x-1 using a dynamic IP address

Overview
Figure 3-8 (network diagram; labels: Service PC, SCALANCE S, Internet Router, Dynamic WAN IP Address, VPN Server, VPN Tunnel, VPN Client, SCALANCE M81x-1, Automation Cell, SIMATIC S7 Stations, Industrial Ethernet)

Table 3-9
VPN server | VPN client | Access type
SCALANCE S | SCALANCE M81x-1 | Dynamic IP address

Requirements
Dynamic public IP address for the Internet router of the VPN server (use of the DDNS providers dyndns.org or no-ip.org).
Internet router with port forwarding functionality (on the VPN server side).

Link to the configuration description:


In progress

3.2.3 VPN tunnel between SCALANCE S (VPN server) and SOFTNET Security Client using a dynamic IP address

Overview
Figure 3-9 (network diagram; labels: Service PC with SOFTNET Security Client (SSC), Internet Modem/Router, VPN Client, VPN Tunnel, VPN Server, Internet Router, Dynamic WAN IP Address, SCALANCE S, Automation Cell, SIMATIC S7 Stations, Industrial Ethernet)

Table 3-10
VPN server | VPN client | Access type
SCALANCE S | SOFTNET Security Client | Dynamic IP address

Requirements
Dynamic public IP address for the Internet router of the VPN server (use of the DDNS providers dyndns.org or no-ip.org).
Internet router with port forwarding functionality (on the VPN server side).
Standard Internet modem, router or UMTS router, for example SCALANCE M873 (on the VPN client side).

Link to the configuration description:


In progress

3.2.4 VPN tunnel between SCALANCE S (VPN server) and SCALANCE M874-x using a dynamic IP address

Overview
Figure 3-10 (network diagram; labels: Service PC, SCALANCE S, Internet Router, Dynamic WAN IP Address, VPN Server, VPN Tunnel, VPN Client, SCALANCE M874-x, Automation Cell, SIMATIC S7 Stations, Industrial Ethernet)

Table 3-11
VPN server | VPN client | Access type
SCALANCE S | SCALANCE M874-x | Dynamic IP address

Requirements
Dynamic public IP address for the Internet router (use of the DDNS providers dyndns.org or no-ip.org)
Internet router with port forwarding functionality
Mobile network operator's default APN

Link to the configuration description:


In progress

3.2.5 VPN tunnel between SCALANCE S (VPN server) and a mobile client using a dynamic IP address

Overview
Figure 3-11 (network diagram; labels: Smartphone with IPSec Client App, VPN Client, VPN Tunnel, VPN Server, Internet Router, Dynamic WAN IP Address, SCALANCE S, Automation Cell, SIMATIC S7 Stations, Industrial Ethernet)

Table 3-12
VPN server | VPN client | Access type
SCALANCE S | Mobile client | Dynamic IP address

Requirements
Dynamic public IP address for the Internet router of the VPN server (use of the DDNS providers dyndns.org or no-ip.org).
Internet router with port forwarding functionality (on the VPN server side).
Mobile network operator's default APN (on the VPN client side).
Smartphone with IPSec Client app and Android operating system (on the VPN client side).

Link to the configuration description:


In progress

3.3 PPPoE
3.3.1 VPN tunnel between SCALANCE S (VPN server) and SCALANCE S using PPPoE

Overview
Figure 3-12 (network diagram; labels: Service PC, SCALANCE S, Internet Modem, VPN Server, VPN Tunnel, VPN Client, Internet Modem/Router, SCALANCE S, Automation Cell, SIMATIC S7 Stations, Industrial Ethernet)

Table 3-13
VPN server | VPN client | Access type
SCALANCE S | SCALANCE S | PPPoE

Requirements
SCALANCE S version 3 or higher (VPN server).
Dynamic (use of the DDNS providers dyndns.org or no-ip.org; VPN client: SCALANCE S with firmware version V4 or higher) or static
public IP address for the Internet modem.
Standard Internet modem (on the VPN server side).
Standard Internet modem, router or UMTS router, for example SCALANCE M873 (on the VPN client side).

Link to the configuration description:


In progress

3.3.2 VPN tunnel between SCALANCE S (VPN server) and SCALANCE M81x-1 using PPPoE

Overview
Figure 3-13 (network diagram; labels: Service PC, SCALANCE S, Internet Modem, VPN Server, VPN Tunnel, VPN Client, SCALANCE M81x-1, Automation Cell, SIMATIC S7 Stations, Industrial Ethernet)

Table 3-14
VPN server | VPN client | Access type
SCALANCE S | SCALANCE M81x-1 | PPPoE

Requirements
SCALANCE S version 3 or higher (VPN server).
Dynamic (use of the DDNS providers dyndns.org or no-ip.org) or static public IP address for the Internet modem of the VPN server.
Standard Internet modem (on the VPN server side).

Link to the configuration description:


In progress

3.3.3 VPN tunnel between SCALANCE S (VPN server) and SOFTNET Security Client using PPPoE

Overview
Figure 3-14 (network diagram; labels: Service PC with SOFTNET Security Client (SSC), Internet Modem/Router, VPN Client, VPN Tunnel, VPN Server, Internet Modem, SCALANCE S, Automation Cell, SIMATIC S7 Stations, Industrial Ethernet)

Table 3-15
VPN server | VPN client | Access type
SCALANCE S | SOFTNET Security Client | PPPoE

Requirements
SCALANCE S version 3 or higher (VPN server).
Dynamic (use of the DDNS providers dyndns.org or no-ip.org) or static public IP address for the Internet modem of the VPN server.
Standard Internet modem (on the VPN server side).
Standard Internet modem, router or UMTS router, for example SCALANCE M873 (on the VPN client side).

Link to the configuration description:


In progress

3.3.4 VPN tunnel between SCALANCE S (VPN server) and CP x43-1 Advanced using PPPoE

Overview
Figure 3-15 (network diagram; labels: Service PC, SCALANCE S, Internet Modem, Static WAN IP Address, VPN Server, VPN Tunnel, VPN Client, Internet Modem/Router, SIMATIC S7-300 or S7-400 with CP x43-1 Advanced, Automation Cell, Industrial Ethernet)

Table 3-16
VPN server | VPN client | Access type
SCALANCE S | CP x43-1 Advanced | PPPoE

Requirements
SCALANCE S version 3 or higher (VPN server).
Static public IP address for the Internet modem of the VPN server.
Standard Internet modem (on the VPN server side).
Standard Internet modem, router or UMTS router, for example SCALANCE M873 (on the VPN client side).

Link to the configuration description:


In progress

3.3.5 VPN tunnel between SCALANCE S (VPN server) and SCALANCE M874-x using PPPoE

Overview
Figure 3-16 (network diagram; labels: Service PC, SCALANCE S, Internet Modem, VPN Server, VPN Tunnel, VPN Client, SCALANCE M874-x, Automation Cell, SIMATIC S7 Stations, Industrial Ethernet)

Table 3-17
VPN server | VPN client | Access type
SCALANCE S | SCALANCE M874-x | PPPoE

Requirements
SCALANCE S version 3 or higher (VPN server).
Dynamic (use of the DDNS providers dyndns.org or no-ip.org) or static public IP address for the Internet modem of the VPN server.
Standard Internet modem (on the VPN server side).
Mobile network operator's default APN (on the VPN client side).

Link to the configuration description:


In progress

3.3.6 VPN tunnel between SCALANCE S (VPN server) and a mobile client using PPPoE

Overview
Figure 3-17 (network diagram; labels: Smartphone with IPSec Client App, VPN Client, VPN Tunnel, VPN Server, Internet Modem, SCALANCE S, Automation Cell, SIMATIC S7 Stations, Industrial Ethernet)

Table 3-18
VPN server | VPN client | Access type
SCALANCE S | Mobile client | PPPoE

Requirements
SCALANCE S version 3 or higher (VPN server).
Dynamic (use of the DDNS providers dyndns.org or no-ip.org) or static public IP address for the Internet modem of the VPN server.
Standard Internet modem (on the VPN server side).
Mobile network operator's default APN (on the VPN client side).
Smartphone with IPSec Client app and Android operating system (on the VPN client side).

Link to the configuration description:


In progress

4 SCALANCE M874-x
This chapter describes the configurations in which the SCALANCE M874-x is configured as the VPN server.
This group is marked in light red.

Table 4-1
VPN server | VPN client | Access type
SCALANCE M874-x | VPN remote end | Static IP address; Dynamic IP address

Characteristics
The plant with the SCALANCE M874-x as the VPN server can be both stationary and mobile.
A static or dynamic public IP address can be used for the SCALANCE M874-x.
Up to 10 VPN tunnels can be established simultaneously; therefore, multiple secure connections can run simultaneously and
independently of one another.
A service employee or plant on the VPN client side can establish the VPN tunnel only when necessary; a permanently established
tunnel connection is not necessary.

4.1 Static IP address


4.1.1 VPN tunnel between SCALANCE M874-x (VPN server) and SCALANCE M81x-1 using a static IP address

Overview
Figure 4-1 (network diagram; labels: Service PC, SCALANCE M81x-1, VPN Client, VPN Tunnel, VPN Server, SCALANCE M874-x, Static WAN IP Address, Automation Cell, SIMATIC S7 Stations, Industrial Ethernet)

Table 4-2
VPN server | VPN client | Access type
SCALANCE M874-x | SCALANCE M81x-1 | Static IP address

Requirements
Static public IP address from the mobile network operator that can also be accessed from the Internet (on the VPN server side).
Mobile network operator's default APN (on the VPN server side).

Link to the configuration description:


In progress

4.1.2 VPN tunnel between SCALANCE M874-x (VPN server) and SOFTNET Security Client using a static IP address

Overview
Figure 4-2 (network diagram; labels: Service PC with SOFTNET Security Client (SSC), Internet Modem/Router, VPN Client, VPN Tunnel, VPN Server, SCALANCE M874-x, Static WAN IP Address, Automation Cell, SIMATIC S7 Stations, Industrial Ethernet)

Table 4-3
VPN server | VPN client | Access type
SCALANCE M874-x | SOFTNET Security Client | Static IP address

Requirements
Static public IP address from the mobile network operator that can also be accessed from the Internet (on the VPN server side).
Mobile network operator's default APN (on the VPN server side).
Standard Internet modem, router or UMTS router, for example SCALANCE M873 (on the VPN client side).

Link to the configuration description:


In progress

4.1.3 VPN tunnel between SCALANCE M874-x (VPN server) and CP x43-1 Advanced using a static IP address

Overview
Figure 4-3 (network diagram; labels: Service PC, SCALANCE M874-x, Static WAN IP Address, VPN Server, VPN Tunnel, VPN Client, Internet Modem/Router, SIMATIC S7-300 or S7-400 with CP x43-1 Advanced, Automation Cell, Industrial Ethernet)

Table 4-4
VPN server | VPN client | Access type
SCALANCE M874-x | CP x43-1 Advanced | Static IP address

Requirements
Static public IP address from the mobile network operator that can also be accessed from the Internet (on the VPN server side).
Mobile network operator's default APN (on the VPN server side).
Standard Internet modem, router or UMTS router, for example SCALANCE M873 (on the VPN client side).

Link to the configuration description:


In progress

4.1.4 VPN tunnel between SCALANCE M874-x (VPN server) and CP 1x43-1 using a static IP address

Overview
Figure 4-4 (network diagram; labels: Service PC, SCALANCE M874-x, Static WAN IP Address, VPN Server, VPN Tunnel, VPN Client, Internet Modem/Router, SIMATIC S7-1200 or S7-1500 with CP 1x43-1, Automation Cell, Industrial Ethernet)

Table 4-5
VPN server | VPN client | Access type
SCALANCE M874-x | CP 1x43-1 | Static IP address

Requirements
Static public IP address from the mobile network operator that can also be accessed from the Internet (on the VPN server side).
Mobile network operator's default APN (on the VPN server side).
Standard Internet modem, router or UMTS router, for example SCALANCE M873 (on the VPN client side).

Link to the configuration description:


In progress

4.1.5 VPN tunnel between SCALANCE M874-x (VPN server) and SCALANCE M874-x using a static IP address

Overview
Figure 4-5 (network diagram; labels: Service PC, SCALANCE M874-x, Static WAN IP Address, VPN Server, VPN Tunnel, VPN Client, SCALANCE M874-x, Automation Cell, SIMATIC S7 Stations, Industrial Ethernet)

Table 4-6
VPN server | VPN client | Access type
SCALANCE M874-x | SCALANCE M874-x | Static IP address

Requirements
Static public IP address from the mobile network operator that can also be accessed from the Internet (on the VPN server side).
Mobile to mobile communication (depending on the mobile network operator).

Link to the configuration description:


In progress

4.1.6 VPN tunnel between SCALANCE M874-x (VPN server) and a mobile client using a static IP address

Overview
Figure 4-6 (network diagram; labels: Smartphone with IPSec Client App, VPN Client, VPN Tunnel, VPN Server, SCALANCE M874-x, Static WAN IP Address, Automation Cell, SIMATIC S7 Stations, Industrial Ethernet)

Table 4-7
VPN server | VPN client | Access type
SCALANCE M874-x | Mobile client | Static IP address

Requirements
Static public IP address from the mobile network operator that can also be accessed from the Internet (on the VPN server side).
Mobile to mobile communication (depending on the mobile network operator).
Smartphone with IPSec Client app and Android operating system (on the VPN client side).

Link to the configuration description:


In progress

4.2 Dynamic IP address


4.2.1 VPN tunnel between SCALANCE M874-x (VPN server) and SCALANCE M81x-1 using a dynamic IP address

Overview
Figure 4-7 (network diagram; labels: Service PC, SCALANCE M81x-1, VPN Client, VPN Tunnel, VPN Server, SCALANCE M874-x, Dynamic WAN IP Address, Automation Cell, SIMATIC S7 Stations, Industrial Ethernet)

Table 4-8
VPN server | VPN client | Access type
SCALANCE M874-x | SCALANCE M81x-1 | Dynamic IP address

Requirements
Dynamic public IP address from the mobile network operator for the VPN server (use of the DDNS providers dyndns.org or no-ip.org).
Mobile network operator's default APN (on the VPN server side).

Link to the configuration description:


In progress

4.2.2 VPN tunnel between SCALANCE M874-x (VPN server) and SOFTNET Security Client using a dynamic IP address

Overview
Figure 4-8 (network diagram; labels: Service PC with SOFTNET Security Client (SSC), Internet Modem/Router, VPN Client, VPN Tunnel, VPN Server, SCALANCE M874-x, Dynamic WAN IP Address, Automation Cell, SIMATIC S7 Stations, Industrial Ethernet)

Table 4-9
VPN server | VPN client | Access type
SCALANCE M874-x | SOFTNET Security Client | Dynamic IP address

Requirements
Dynamic public IP address from the mobile network operator for the VPN server (use of the DDNS providers dyndns.org or no-ip.org).
Mobile network operator's default APN (on the VPN server side).
Standard Internet modem, router or UMTS router, for example SCALANCE M873 (on the VPN client side).

Link to the configuration description:


In progress

4.2.3 VPN tunnel between SCALANCE M874-x (VPN server) and SCALANCE M874-x using a dynamic IP address

Overview
Figure 4-9 (network diagram; labels: Service PC, SCALANCE M874-x, Dynamic WAN IP Address, VPN Server, VPN Tunnel, VPN Client, SCALANCE M874-x, Automation Cell, SIMATIC S7 Stations, Industrial Ethernet)

Table 4-10
VPN server | VPN client | Access type
SCALANCE M874-x | SCALANCE M874-x | Dynamic IP address

Requirements
Dynamic public IP address from the mobile network operator for the VPN server (use of the DDNS providers dyndns.org or no-ip.org).
Mobile to mobile communication (depending on the mobile network operator).

Link to the configuration description:


In progress

4.2.4 VPN tunnel between SCALANCE M874-x (VPN server) and a mobile client using a dynamic IP address

Overview
Figure 4-10 (network diagram; labels: Smartphone with IPSec Client App, VPN Client, VPN Tunnel, VPN Server, SCALANCE M874-x, Dynamic WAN IP Address, Automation Cell, SIMATIC S7 Stations, Industrial Ethernet)

Table 4-11
VPN server | VPN client | Access type
SCALANCE M874-x | Mobile client | Dynamic IP address

Requirements
Dynamic public IP address from the mobile network operator for the VPN server (use of the DDNS providers dyndns.org or no-ip.org).
Mobile to mobile communication (depending on the mobile network operator).
Smartphone with IPSec Client app and Android operating system (on the VPN client side).

Link to the configuration description:


In progress

5 SCALANCE M81x-1
This chapter describes the configurations in which the SCALANCE M81x-1 is configured as the VPN server.
This group is marked in light green.

Table 5-1
VPN server | VPN client | Access type
SCALANCE M81x-1 | VPN remote end | Static IP address; Dynamic IP address

Characteristics
The DSL router and VPN server settings are made directly in the SCALANCE M81x-1; a separate DSL router is not required.
A static or dynamic public IP address can be used for the SCALANCE M81x-1.
Up to 20 VPN tunnels can be established simultaneously; therefore, multiple secure connections can run simultaneously and
independently of one another.
A service employee or plant on the VPN client side can establish the VPN tunnel only when necessary; a permanently established
tunnel connection is not necessary.

5.1 Static IP address


5.1.1 VPN tunnel between SCALANCE M81x-1 (VPN server) and SCALANCE M81x-1 using a static IP address

Overview
Figure 5-1 (network diagram; labels: Service PC, SCALANCE M81x-1, Static WAN IP Address, VPN Server, VPN Tunnel, VPN Client, SCALANCE M81x-1, Automation Cell, SIMATIC S7 Stations, Industrial Ethernet)

Table 5-2
VPN server | VPN client | Access type
SCALANCE M81x-1 | SCALANCE M81x-1 | Static IP address

Requirements
Static public IP address for the VPN server.

Link to the configuration description:


In progress

5.1.2 VPN tunnel between SCALANCE M81x-1 (VPN server) and SOFTNET Security Client using a static IP address

Overview
Figure 5-2 (network diagram; labels: Service PC with SOFTNET Security Client (SSC), Internet Modem/Router, VPN Client, VPN Tunnel, VPN Server, SCALANCE M81x-1, Static WAN IP Address, Automation Cell, SIMATIC S7 Stations, Industrial Ethernet)

Table 5-3
VPN server | VPN client | Access type
SCALANCE M81x-1 | SOFTNET Security Client | Static IP address

Requirements
Static public IP address for the VPN server.
Standard Internet modem, router or UMTS router, for example SCALANCE M873 (on the VPN client side).

Link to the configuration description:


In progress

5.1.3 VPN tunnel between SCALANCE M81x-1 (VPN server) and CP x43-1 Advanced using a static IP address

Overview
Figure 5-3 (network diagram; labels: Service PC, SCALANCE M81x-1, Static WAN IP Address, VPN Server, VPN Tunnel, VPN Client, Internet Modem/Router, SIMATIC S7-300 or S7-400 with CP x43-1 Advanced, Automation Cell, Industrial Ethernet)

Table 5-4
VPN server | VPN client | Access type
SCALANCE M81x-1 | CP x43-1 Advanced | Static IP address

Requirements
Static public IP address for the VPN server.
Standard Internet modem, router or UMTS router, for example SCALANCE M873 (on the VPN client side).

Link to the configuration description:


In progress

5.1.4 VPN tunnel between SCALANCE M81x-1 (VPN server) and CP 1x43-1 using a static IP address

Overview
Figure 5-4 (network diagram; labels: Service PC, SCALANCE M81x-1, Static WAN IP Address, VPN Server, VPN Tunnel, VPN Client, Internet Modem/Router, SIMATIC S7-1200 or S7-1500 with CP 1x43-1, Automation Cell, Industrial Ethernet)

Table 5-5
VPN server | VPN client | Access type
SCALANCE M81x-1 | CP 1x43-1 | Static IP address

Requirements
Static public IP address for the VPN server.
Standard Internet modem, router or UMTS router, for example SCALANCE M873 (on the VPN client side).

Link to the configuration description:


In progress

5.1.5 VPN tunnel between SCALANCE M81x-1 (VPN server) and SCALANCE M874-x using a static IP address

Overview
Figure 5-5 (network diagram; labels: Service PC, SCALANCE M81x-1, Static WAN IP Address, VPN Server, VPN Tunnel, VPN Client, SCALANCE M874-x, Automation Cell, SIMATIC S7 Stations, Industrial Ethernet)

Table 5-6
VPN server | VPN client | Access type
SCALANCE M81x-1 | SCALANCE M874-x | Static IP address

Requirements
Static public IP address for the VPN server.
Mobile network operator's default APN (on the VPN client side).

Link to the configuration description:


In progress

5.1.6 VPN tunnel between SCALANCE M81x-1 (VPN server) and a mobile client using a static IP address

Overview
Figure 5-6 (network diagram; labels: Smartphone with IPSec Client App, VPN Client, VPN Tunnel, VPN Server, SCALANCE M81x-1, Static WAN IP Address, Automation Cell, SIMATIC S7 Stations, Industrial Ethernet)

Table 5-7
VPN server | VPN client | Access type
SCALANCE M81x-1 | Mobile client | Static IP address

Requirements
Static public IP address for the VPN server.
Mobile network operator's default APN (on the VPN client side).
Smartphone with IPSec Client app and Android operating system (on the VPN client side).

Link to the configuration description:


In progress

5.2 Dynamic IP address


5.2.1 VPN tunnel between SCALANCE M81x-1 (VPN server) and SCALANCE M81x-1 using a dynamic IP address

Overview
Figure 5-7 (network diagram; labels: Service PC, SCALANCE M81x-1, Dynamic WAN IP Address, VPN Server, VPN Tunnel, VPN Client, SCALANCE M81x-1, Automation Cell, SIMATIC S7 Stations, Industrial Ethernet)

Table 5-8
VPN server | VPN client | Access type
SCALANCE M81x-1 | SCALANCE M81x-1 | Dynamic IP address

Requirements
Dynamic public IP address for the VPN server (use of the DDNS providers dyndns.org or no-ip.org).

Link to the configuration description:


In progress

5.2.2 VPN tunnel between SCALANCE M81x-1 (VPN server) and SOFTNET Security Client using a dynamic IP address

Overview
Figure 5-8 (network diagram; labels: Service PC with SOFTNET Security Client (SSC), Internet Modem/Router, VPN Client, VPN Tunnel, VPN Server, SCALANCE M81x-1, Dynamic WAN IP Address, Automation Cell, SIMATIC S7 Stations, Industrial Ethernet)

Table 5-9
VPN server | VPN client | Access type
SCALANCE M81x-1 | SOFTNET Security Client | Dynamic IP address

Requirements
Dynamic public IP address for the VPN server (use of the DDNS providers dyndns.org or no-ip.org).
Standard Internet modem, router or UMTS router, for example SCALANCE M873 (on the VPN client side).

Link to the configuration description:


In progress

5.2.3 VPN tunnel between SCALANCE M81x-1 (VPN server) and SCALANCE M874-x using a dynamic IP address

Overview
Figure 5-9 (network diagram; labels: Service PC, SCALANCE M81x-1, Dynamic WAN IP Address, VPN Server, VPN Tunnel, VPN Client, SCALANCE M874-x, Automation Cell, SIMATIC S7 Stations, Industrial Ethernet)

Table 5-10
VPN server | VPN client | Access type
SCALANCE M81x-1 | SCALANCE M874-x | Dynamic IP address

Requirements
Dynamic public IP address for the VPN server (use of the DDNS providers dyndns.org or no-ip.org).
Mobile network operator's default APN (on the VPN client side).

Link to the configuration description:


In progress

5.2.4 VPN tunnel between SCALANCE M81x-1 (VPN server) and a mobile client using a dynamic IP address

Overview
Figure 5-10

[Network diagram. Labels: Smartphone with IPSec Client App; SCALANCE M81x-1; Automation Cell; Dynamic WAN IP Address; VPN Client; VPN Tunnel; VPN Server; SIMATIC S7 Stations; Industrial Ethernet]

Table 5-11
VPN server VPN client Access type
SCALANCE M81x-1 Mobile client Dynamic IP address

Requirements
Dynamic public IP address for the VPN server (use of the DDNS providers dyndns.org or no-ip.org).
Mobile network operator's default APN (on the VPN client side).
Smartphone with IPSec Client app and Android operating system (on the VPN server side).

Link to the configuration description:


In progress

6 CP x43-1 Advanced
This chapter describes the configurations in which the CP x43-1 Advanced is configured as the VPN server.
This group is marked in dark blue.

Table 6-1
VPN server VPN client Access type
CP x43-1 Advanced VPN remote end Static IP address
Dynamic IP address

Characteristics
The firewall, VPN server and communication settings are made directly in the CP x43-1 Advanced; the security functions are integrated in the communications processor.
A static or dynamic public IP address can be used for the DSL router on the VPN server side.

6.1 Static IP address


6.1.1 VPN tunnel between CP x43-1 Advanced (VPN server) and SCALANCE S using a static IP address

Overview
Figure 6-1

[Network diagram. Labels: Service PC; SCALANCE S; Internet Modem/Router; Internet Router; SIMATIC S7-300 or S7-400 with CP x43-1 Advanced; Automation Cell; Static WAN IP Address; VPN Tunnel; VPN Client; VPN Server; Industrial Ethernet]

Table 6-2
VPN server VPN client Access type
CP x43-1 Advanced SCALANCE S Static IP address

Requirements
Static public IP address for the Internet router of the VPN server.
Internet router with port forwarding functionality (on the VPN server side).
Standard Internet modem, router or UMTS router, for example SCALANCE M873 (on the VPN client side).

Link to the configuration description:


http://support.automation.siemens.com/WW/view/en/108910593

6.1.2 VPN tunnel between CP x43-1 Advanced (VPN server) and SCALANCE M81x-1 using a static IP address

Overview
Figure 6-2

[Network diagram. Labels: Service PC; SCALANCE M81x-1; Internet Router; SIMATIC S7-300 or S7-400 with CP x43-1 Advanced; Automation Cell; Static WAN IP Address; VPN Tunnel; VPN Client; VPN Server; Industrial Ethernet]

Table 6-3
VPN server VPN client Access type
CP x43-1 Advanced SCALANCE M874-x Static IP address

Requirements
Static public IP address for the Internet router of the VPN server.
Internet router with port forwarding functionality (on the VPN server side).

Link to the configuration description:


http://support.automation.siemens.com/WW/view/en/108910139

6.1.3 VPN tunnel between CP x43-1 Advanced (VPN server) and SOFTNET Security Client using a static IP address

Overview
Figure 6-3

[Network diagram. Labels: Service PC with SOFTNET Security Client (SSC); Internet Modem/Router; Internet Router; SIMATIC S7-300 or S7-400 with CP x43-1 Advanced; Automation Cell; Static WAN IP Address; VPN Client; VPN Tunnel; VPN Server; Industrial Ethernet]

Table 6-4
VPN server VPN client Access type
CP x43-1 Advanced SOFTNET Security Client Static IP address

Requirements
Static public IP address for the Internet router of the VPN server.
Internet router with port forwarding functionality (on the VPN server side).
Standard Internet modem, router or UMTS router, for example SCALANCE M873 (on the VPN client side).

Link to the configuration description:


http://support.automation.siemens.com/WW/view/en/108910602

6.1.4 VPN tunnel between CP x43-1 Advanced (VPN server) and CP x43-1 Advanced using a static IP address

Overview
Figure 6-4

[Network diagram. Labels: Automation Cell A; Automation Cell B; SIMATIC S7-300 or S7-400 with CP x43-1 Advanced (in each cell); Internet Router; Internet Modem/Router; Static WAN IP Address; VPN Tunnel; VPN Server; VPN Client; Industrial Ethernet]

Table 6-5
VPN server VPN client Access type
CP x43-1 Advanced CP x43-1 Advanced Static IP address

Requirements
Static public IP address for the Internet router of the VPN server.
Internet router with port forwarding functionality (on the VPN server side).
Standard Internet modem, router or UMTS router, for example SCALANCE M873 (on the VPN client side).

Link to the configuration description:


http://support.automation.siemens.com/WW/view/en/108910347

6.1.5 VPN tunnel between CP x43-1 Advanced (VPN server) and SCALANCE M874-x using a static IP address

Overview
Figure 6-5

[Network diagram. Labels: Service PC; SCALANCE M874-x; Internet Router; SIMATIC S7-300 or S7-400 with CP x43-1 Advanced; Automation Cell; Static WAN IP Address; VPN Tunnel; VPN Client; VPN Server; Industrial Ethernet]

Table 6-6
VPN server VPN client Access type
CP x43-1 Advanced SCALANCE M874-x Static IP address

Requirements
Static public IP address for the Internet router of the VPN server.
Internet router with port forwarding functionality (on the VPN server side).
Mobile network operator's default APN (on the VPN client side).

Link to the configuration description:


http://support.automation.siemens.com/WW/view/en/108913753

6.1.6 VPN tunnel between CP x43-1 Advanced (VPN server) and a mobile client using a static IP address

Overview
Figure 6-6

[Network diagram. Labels: Smartphone with IPSec Client App; Internet Router; SIMATIC S7-300 or S7-400 with CP x43-1 Advanced; Automation Cell; Static WAN IP Address; VPN Client; VPN Tunnel; VPN Server; Industrial Ethernet]

Table 6-7
VPN server VPN client Access type
CP x43-1 Advanced Mobile client Static IP address

Requirements
Static public IP address for the Internet router of the VPN server.
Internet router with port forwarding functionality (on the VPN server side).
Mobile network operator's default APN (on the VPN client side).
Smartphone with IPSec Client app and Android operating system (on the VPN client side).

Link to the configuration description:


http://support.automation.siemens.com/WW/view/en/108909919

6.2 Dynamic IP address


6.2.1 VPN tunnel between CP x43-1 Advanced (VPN server) and SOFTNET Security Client using a dynamic IP address

Overview
Figure 6-7

[Network diagram. Labels: Service PC with SOFTNET Security Client (SSC); Internet Modem/Router; Internet Router; SIMATIC S7-300 or S7-400 with CP x43-1 Advanced; Automation Cell; Dynamic WAN IP Address; VPN Client; VPN Tunnel; VPN Server; Industrial Ethernet]

Table 6-8
VPN server VPN client Access type
CP x43-1 Advanced SOFTNET Security Client Dynamic IP address

Requirements
Dynamic public IP address for the Internet router of the VPN server (use of the DDNS providers dyndns.org or no-ip.org).
Internet router with port forwarding functionality (on the VPN server side).
Standard Internet modem, router or UMTS router, for example SCALANCE M873 (on the VPN client side).

Link to the configuration description:


In progress

6.2.2 VPN tunnel between CP x43-1 Advanced (VPN server) and SCALANCE M81x-1 using a dynamic IP address

Overview
Figure 6-8

[Network diagram. Labels: Service PC; SCALANCE M81x-1; Internet Router; SIMATIC S7-300 or S7-400 with CP x43-1 Advanced; Automation Cell; Dynamic WAN IP Address; VPN Tunnel; VPN Client; VPN Server; Industrial Ethernet]

Table 6-9
VPN server VPN client Access type
CP x43-1 Advanced SCALANCE M874-x Dynamic IP address

Requirements
Dynamic public IP address for the Internet router of the VPN server (use of the DDNS providers dyndns.org or no-ip.org).
Internet router with port forwarding functionality (on the VPN server side).

Link to the configuration description:


In progress

6.2.3 VPN tunnel between CP x43-1 Advanced (VPN server) and SCALANCE M874-x using a dynamic IP address

Overview
Figure 6-9

[Network diagram. Labels: Service PC; SCALANCE M874-x; Internet Router; SIMATIC S7-300 or S7-400 with CP x43-1 Advanced; Automation Cell; Dynamic WAN IP Address; VPN Tunnel; VPN Client; VPN Server; Industrial Ethernet]

Table 6-10
VPN server VPN client Access type
CP x43-1 Advanced SCALANCE M874-x Dynamic IP address

Requirements
Dynamic public IP address for the Internet router of the VPN server (use of the DDNS providers dyndns.org or no-ip.org).
Internet router with port forwarding functionality (on the VPN server side).
Mobile network operator's default APN

Link to the configuration description:


In progress

6.2.4 VPN tunnel between CP x43-1 Advanced (VPN server) and a mobile client using a dynamic IP address

Overview
Figure 6-10

[Network diagram. Labels: Smartphone with IPSec Client App; Internet Router; SIMATIC S7-300 or S7-400 with CP x43-1 Advanced; Automation Cell; Dynamic WAN IP Address; VPN Client; VPN Tunnel; VPN Server; Industrial Ethernet]

Table 6-11
VPN server VPN client Access type
CP x43-1 Advanced Mobile client Dynamic IP address

Requirements
Dynamic public IP address for the Internet router of the VPN server (use of the DDNS providers dyndns.org or no-ip.org).
Internet router with port forwarding functionality (on the VPN server side).
Mobile network operator's default APN (on the VPN client side).
Smartphone with IPSec Client app and Android operating system (on the VPN client side).

Link to the configuration description:


In progress

7 CP 1x43-1
This chapter describes the configurations in which the CP 1x43-1 is configured as the VPN server.
This group is marked in gray.

Table 7-1
VPN server VPN client Access type
CP 1x43-1 VPN remote end Static IP address
Dynamic IP address

Characteristics
The firewall, VPN server and communication settings are made directly in the CP 1x43-1; the security functions are integrated in the communications processor.
A static or dynamic public IP address can be used for the DSL router on the VPN server side.

7.1 Static IP address


7.1.1 VPN tunnel between CP 1x43-1 (VPN server) and SCALANCE S using a static IP address

Overview
Figure 7-1

[Network diagram. Labels: Service PC; SCALANCE S; Internet Modem/Router; Internet Router; SIMATIC S7-1200 or S7-1500 with CP 1x43-1; Automation Cell; Static WAN IP Address; VPN Tunnel; VPN Client; VPN Server; Industrial Ethernet]

Table 7-2
VPN server VPN client Access type
CP 1x43-1 SCALANCE S Static IP address

Requirements
Static public IP address for the Internet router of the VPN server.
Internet router with port forwarding functionality (on the VPN server side).
Standard Internet modem, router or UMTS router, for example SCALANCE M873 (on the VPN client side).

Link to the configuration description:


In progress

7.1.2 VPN tunnel between CP 1x43-1 (VPN server) and SCALANCE M81x-1 using a static IP address

Overview
Figure 7-2

[Network diagram. Labels: Service PC; SCALANCE M81x-1; Internet Router; SIMATIC S7-1200 or S7-1500 with CP 1x43-1; Automation Cell; Static WAN IP Address; VPN Tunnel; VPN Client; VPN Server; Industrial Ethernet]

Table 7-3
VPN server VPN client Access type
CP 1x43-1 SCALANCE M81x-1 Static IP address

Requirements
Static public IP address for the Internet router of the VPN server.
Internet router with port forwarding functionality (on the VPN server side).

Link to the configuration description:


In progress

7.1.3 VPN tunnel between CP 1x43-1 (VPN server) and SOFTNET Security Client using a static IP address

Overview
Figure 7-3

[Network diagram. Labels: Service PC with SOFTNET Security Client (SSC); Internet Modem/Router; Internet Router; SIMATIC S7-1200 or S7-1500 with CP 1x43-1; Automation Cell; Static WAN IP Address; VPN Client; VPN Tunnel; VPN Server; Industrial Ethernet]

Table 7-4
VPN server VPN client Access type
CP 1x43-1 SOFTNET Security Client Static IP address

Requirements
Static public IP address for the Internet router of the VPN server.
Internet router with port forwarding functionality (on the VPN server side).
Standard Internet modem, router or UMTS router, for example SCALANCE M873 (on the VPN client side).

Link to the configuration description:


In progress

7.1.4 VPN tunnel between CP 1x43-1 (VPN server) and CP x43-1 Advanced using a static IP address

Overview
Figure 7-4

[Network diagram. Labels: Automation Cell A; Automation Cell B; SIMATIC S7-1200 or S7-1500 with CP 1x43-1; Internet Router; Internet Modem/Router; SIMATIC S7-300 or S7-400 with CP x43-1 Advanced; Static WAN IP Address; VPN Tunnel; VPN Server; VPN Client; Industrial Ethernet]

Table 7-5
VPN server VPN client Access type
CP 1x43-1 CP x43-1 Advanced Static IP address

Requirements
Static public IP address for the Internet router of the VPN server.
Internet router with port forwarding functionality (on the VPN server side).
Standard Internet modem, router or UMTS router, for example SCALANCE M873 (on the VPN client side).

Link to the configuration description:


In progress

7.1.5 VPN tunnel between CP 1x43-1 (VPN server) and CP 1x43-1 using a static IP address

Overview
Figure 7-5

[Network diagram. Labels: Automation Cell A; Automation Cell B; SIMATIC S7-1200 or S7-1500 with CP 1x43-1 (in each cell); Internet Router; Internet Modem/Router; Static WAN IP Address; VPN Tunnel; VPN Server; VPN Client; Industrial Ethernet]

Table 7-6
VPN server VPN client Access type
CP 1x43-1 CP 1x43-1 Static IP address

Requirements
Static public IP address for the Internet router of the VPN server.
Internet router with port forwarding functionality (on the VPN server side).
Standard Internet modem, router or UMTS router, for example SCALANCE M873 (on the VPN client side).

Link to the configuration description:


In progress

7.1.6 VPN tunnel between CP 1x43-1 (VPN server) and SCALANCE M874-x using a static IP address

Overview
Figure 7-6

[Network diagram. Labels: Service PC; SCALANCE M874-x; Internet Router; SIMATIC S7-1200 or S7-1500 with CP 1x43-1; Automation Cell; Static WAN IP Address; VPN Tunnel; VPN Client; VPN Server; Industrial Ethernet]

Table 7-7
VPN server VPN client Access type
CP 1x43-1 SCALANCE M874-x Static IP address

Requirements
Static public IP address for the Internet router of the VPN server.
Internet router with port forwarding functionality (on the VPN server side).
Mobile network operator's default APN (on the VPN client side).

Link to the configuration description:


In progress

7.1.7 VPN tunnel between CP 1x43-1 (VPN server) and a mobile client using a static IP address

Overview
Figure 7-7

[Network diagram. Labels: Smartphone with IPSec Client App; Internet Router; SIMATIC S7-1200 or S7-1500 with CP 1x43-1; Automation Cell; Static WAN IP Address; VPN Client; VPN Tunnel; VPN Server; Industrial Ethernet]

Table 7-8
VPN server VPN client Access type
CP 1x43-1 Mobile client Static IP address

Requirements
Static public IP address for the Internet router of the VPN server.
Internet router with port forwarding functionality (on the VPN server side).
Mobile network operator's default APN (on the VPN client side).
Smartphone with IPSec Client app and Android operating system (on the VPN client side).

Link to the configuration description:


In progress

7.2 Dynamic IP address


7.2.1 VPN tunnel between CP 1x43-1 (VPN server) and SCALANCE M81x-1 using a dynamic IP address

Overview
Figure 7-8

[Network diagram. Labels: Service PC; SCALANCE M81x-1; Internet Router; SIMATIC S7-1200 or S7-1500 with CP 1x43-1; Automation Cell; Dynamic WAN IP Address; VPN Tunnel; VPN Client; VPN Server; Industrial Ethernet]

Table 7-9
VPN server VPN client Access type
CP 1x43-1 SCALANCE M81x-1 Dynamic IP address

Requirements
Dynamic public IP address for the Internet router of the VPN server (use of the DDNS providers dyndns.org or no-ip.org).
Internet router with port forwarding functionality (on the VPN server side).

Link to the configuration description:


In progress

7.2.2 VPN tunnel between CP 1x43-1 (VPN server) and SOFTNET Security Client using a dynamic IP address

Overview
Figure 7-9

[Network diagram. Labels: Service PC with SOFTNET Security Client (SSC); Internet Modem/Router; Internet Router; SIMATIC S7-1200 or S7-1500 with CP 1x43-1; Automation Cell; Dynamic WAN IP Address; VPN Client; VPN Tunnel; VPN Server; Industrial Ethernet]

Table 7-10
VPN server VPN client Access type
CP 1x43-1 SOFTNET Security Client Dynamic IP address

Requirements
Dynamic public IP address for the Internet router of the VPN server (use of the DDNS providers dyndns.org or no-ip.org).
Internet router with port forwarding functionality (on the VPN server side).
Standard Internet modem, router or UMTS router, for example SCALANCE M873 (on the VPN client side).

Link to the configuration description:


In progress

7.2.3 VPN tunnel between CP 1x43-1 (VPN server) and SCALANCE M874-x using a dynamic IP address

Overview
Figure 7-10

[Network diagram. Labels: Service PC; SCALANCE M874-x; Internet Router; SIMATIC S7-1200 or S7-1500 with CP 1x43-1; Automation Cell; Dynamic WAN IP Address; VPN Tunnel; VPN Client; VPN Server; Industrial Ethernet]

Table 7-11
VPN server VPN client Access type
CP 1x43-1 SCALANCE M874-x Dynamic IP address

Requirements
Dynamic public IP address for the Internet router of the VPN server (use of the DDNS providers dyndns.org or no-ip.org).
Internet router with port forwarding functionality (on the VPN server side).
Mobile network operator's default APN (on the VPN client side).

Link to the configuration description:


In progress

7.2.4 VPN tunnel between CP 1x43-1 (VPN server) and a mobile client using a dynamic IP address

Overview
Figure 7-11

[Network diagram. Labels: Smartphone with IPSec Client App; Internet Router; SIMATIC S7-1200 or S7-1500 with CP 1x43-1; Automation Cell; Dynamic WAN IP Address; VPN Client; VPN Tunnel; VPN Server; Industrial Ethernet]

Table 7-12
VPN server VPN client Access type
CP 1x43-1 Mobile client Dynamic IP address

Requirements
Dynamic public IP address for the Internet router of the VPN server (use of the DDNS providers dyndns.org or no-ip.org).
Internet router with port forwarding functionality (on the VPN server side).
Mobile network operator's default APN (on the VPN client side).
Smartphone with IPSec Client app on Android operating system (on the VPN client side).

Link to the configuration description:


In progress

8 TS Adapter IE Advanced
This chapter describes the configurations in which the TS Adapter IE Advanced is configured as the VPN server.
This group is marked in dark yellow.

Table 8-1
VPN server VPN client Access type
TS Adapter IE Advanced VPN remote end Static IP address

Characteristics
Aside from TIA Portal, no other software or hardware is required on the VPN client side to establish the VPN connection.
Either TIA Portal or the Windows SSTP client can be used as the VPN client.

8.1 VPN tunnel between TS Adapter IE Advanced (VPN server) and Windows SSTP client using a static IP address

Overview
Figure 8-1

[Network diagram. Labels: Service PC; Internet Modem/Router; Internet Router; TS Adapter IE Advanced; SCALANCE M874-x; Automation Cell; Static WAN IP Address; VPN Client; VPN Tunnel; VPN Server; SIMATIC S7 Stations; Industrial Ethernet]

Table 8-2
VPN server VPN client Access type
TS Adapter IE Advanced Windows SSTP client Static IP address

Requirements
Static public IP address for the Internet router of the VPN server.
Internet router with port forwarding functionality (on the VPN server side).
Standard Internet modem, router or UMTS router, for example SCALANCE M873 (on the VPN client side).
Windows 7 or Windows Server 2008 or higher.

Link to the configuration description:


http://support.automation.siemens.com/WW/view/en/99681037

8.2 VPN tunnel between TS Adapter IE Advanced (VPN server) and TIA Portal using a static IP address

Overview
Figure 8-2

[Network diagram. Labels: Service PC; TIA Portal; Internet Modem/Router; Internet Router; TS Adapter IE Advanced; Automation Cell; Static WAN IP Address; VPN Client; VPN Tunnel; VPN Server; SIMATIC S7 Stations; Industrial Ethernet]

Table 8-3
VPN server VPN client Access type
TS Adapter IE Advanced TIA Portal Static IP address

Requirements
Static public IP address for the Internet router of the VPN server.
Internet router with port forwarding functionality (on the VPN server side).
Standard Internet modem, router or UMTS router, for example SCALANCE M873 (on the VPN client side).
TIA Portal V12 SP1 or higher.

Link to the configuration description:


http://support.automation.siemens.com/WW/view/en/99681624

8.3 References
Table 8-4
Subject Title
\1\ Siemens Industry Online Support: http://support.automation.siemens.com
\2\ Download page of the entry: http://support.automation.siemens.com/WW/view/de/26662448
\3\ Security with SIMATIC NET: http://support.automation.siemens.com/WW/view/en/27043887
\4\ SIMATIC NET Industrial Ethernet Security SCALANCE S V4: http://support.automation.siemens.com/WW/view/en/63207600
\5\ SIMATIC NET Industrial Remote Communication Remote Networks SCALANCE M874 Operating Instructions: http://support.automation.siemens.com/WW/view/en/78389136
\6\ SIMATIC NET Industrial Remote Communication Remote Networks SCALANCE M812, M816 Operating Instructions: http://support.automation.siemens.com/WW/view/en/90316607
\7\ SIMATIC NET S7-300 - Industrial Ethernet S7 CPs for Industrial Ethernet CP 343-1 Advanced Manual Part B: http://support.automation.siemens.com/WW/view/en/62046619
\8\ SIMATIC NET S7-400 - Industrial Ethernet CP 443-1 Advanced (GX30) Manual Part B: http://support.automation.siemens.com/WW/view/en/59187252
\9\ SIMATIC NET PG/PC - Industrial Ethernet CP 1628 Operating Instructions: http://support.automation.siemens.com/WW/view/en/62611659
\10\ Industrial Ethernet Security Setting up security: http://support.automation.siemens.com/WW/view/en/63207571
\11\ TS Adapter IE Advanced Manual: http://support.automation.siemens.com/WW/view/en/85517232
\12\ TIA Selection Tool: http://www.siemens.com/tia-selection-tool

9 History
Table 9-1
Version Date Modifications
V1.0 08/2014 First version
V2.0 07/2014 First version