Setting up a VPNconnection betweentwo SCALANCEdevices in TIA PortalIndustrial /en/view/99681360SiemensIndustryOnlineSupport

Legal informationLegal informationUse of application examplesApplication examples illustrate the solution of automation tasks through an interaction of several components inthe form of text, graphics and/or software modules. The application examples are a free service by Siemens AGand/or a subsidiary of Siemens AG ("Siemens"). They are non-binding and make no claim to completeness orfunctionality regarding configuration and equipment. The application examples merely offer help with typicaltasks; they do not constitute customer-specific solutions. You yourself are responsible for the proper and safeoperation of the products in accordance with applicable regulations and must also check the function of therespective application example and customize it for your system.Siemens grants you the non-exclusive, non-sublicensable and non-transferable right to have the applicationexamples used by technically trained personnel. Any change to the application examples is your responsibility.Sharing the application examples with third parties or copying the application examples or excerpts thereof ispermitted only in combination with your own products. The application examples are not required to undergo thecustomary tests and quality inspections of a chargeable product; they may have functional and performancedefects as well as errors. It is your responsibility to use them in such a manner that any malfunctions that mayoccur do not result in property damage or injury to persons. Siemens AG 2022 All rights reservedDisclaimer of liabilitySiemens shall not assume any liability, for any legal reason whatsoever, including, without limitation, liability forthe usability, availability, completeness and freedom from defects of the application examples as well as forrelated information, configuration and performance data and any damage caused thereby. This shall not apply incases of mandatory liability, for example under the German Product Liability Act, or in cases of intent, grossnegligence, or culpable loss of life, bodily injury or damage to health, non-compliance with a guarantee,fraudulent non-disclosure of a defect, or culpable breach of material contractual obligations. Claims for damagesarising from a breach of material contractual obligations shall however be limited to the foreseeable damagetypical of the type of agreement, unless liability arises from intent or gross negligence or is based on loss of life,bodily injury or damage to health. The foregoing provisions do not imply any change in the burden of proof toyour detriment. You shall indemnify Siemens against existing or future claims of third parties in this connectionexcept where Siemens is mandatorily liable.By using the application examples you acknowledge that Siemens cannot be held liable for any damage beyondthe liability provisions described.Other informationSiemens reserves the right to make changes to the application examples at any time without notice. In case ofdiscrepancies between the suggestions in the application examples and other Siemens publications such ascatalogs, the content of the other documentation shall have precedence.The Siemens terms of use ( shall also apply.Security informationSiemens provides products and solutions with Industrial Security functions that support the secure operation ofplants, systems, machines and networks.In order to protect plants, systems, machines and networks against cyber threats, it is necessary to implement –and continuously maintain – a holistic, state-of-the-art industrial security concept. Siemens’ products andsolutions constitute one element of such a concept.Customers are responsible for preventing unauthorized access to their plants, systems, machines and networks.Such systems, machines and components should only be connected to an enterprise network or the Internet ifand to the extent such a connection is necessary and only when appropriate security measures (e.g. firewallsand/or network segmentation) are in place.For additional information on industrial security measures that may be implemented, please emens’ products and solutions undergo continuous development to make them more secure. Siemens stronglyrecommends that product updates are applied as soon as they are available and that the latest product versionsare used. Use of product versions that are no longer supported, and failure to apply the latest updates mayincrease customer’s exposure to cyber threats.To stay informed about product updates, subscribe to the Siemens Industrial Security RSS Feed rity: SCALANCEArticle ID: 99681360, V3.0,05/20222

Table of contentsTable of contentsLegal information . 21 Siemens AG 2022 All rights reserved2Introduction . 41.1Overview . 41.2Principle of operation . 61.3Components used. 8Engineering . up the environment . 9IP address overview . 9Infrastructure overview . devices .11DSL access (DSL router1) .11SCALANCE SC646-2C . up security .12Integrate SCALANCE .12Make security settings .14Parameterizing the SCALANCE .17Set up VPN connection .21Set WAN IP address .24Loading project into the modules .263Operation .294Appendix .314.1Service and support .314.2Industry Mall .324.3Links and literature .324.4Change documentation .32Security: SCALANCEArticle ID: 99681360, V3.0,05/20223

1 Introduction1Introduction1.1OverviewIndustry 4.0The Internet serves as an enormous accelerator of business processes and has revolutionizedbusiness operations around the world. The resulting change in the manufacturing industry isalso referred to as Industry 4.0.Industry 4.0 affects all aspects of the industrial value chain, with industrial communication andsecurity being the important aspects here.Industrial securityIn the face of digitization and the increasing networking of machinery and equipment, datasecurity must always be taken into account. The use of industrial security solutions preciselytailored to the needs of industry is therefore of fundamental importance – and should beinseparably linked with industrial communication. Siemens AG 2022 All rights reservedThis includes the following points: Use of robust products with security features and security services Use of concepts such as "Defense in Depth" and a holistic security conceptMeasuresThe measures for safe operation in a digital enterprise are: Encryption and monitoring of communication Access control for industrial components and networks Protection of transfer and saving of data Authentication of devices and usersVPN as a solutionTo ensure secure operation in a digital enterprise, data transmission can be encrypted usingVirtual Private Network (VPN) to protect against data espionage and tampering. Thecommunication partners are securely authenticated.Automation networks, automation systems and industrial communication can be secured withthe SCALANCE S industrial security appliances, the SCALANCE M industrial routers or thesecurity communications processors for SIMATIC.Security: SCALANCEArticle ID: 99681360, V3.0,05/20224

1 IntroductionApplication-level implementationThis application example shows you how to use the SCALANCE S industrial security applianceor the SCALANCE M industrial router to set up a VPN connection. The Internet ProtocolSecurity (short: IPsec) is used.You will configure the security modules via TIA Portal.Advantages Siemens AG 2022 All rights reservedIf you use these security modules, you have the following added advantages:Note Protection of networks and individual TIA components according to the "defense in depth"security concept Flexibly configurable security zones are possible Controlled and encrypted data traffic between bothSCALANCEs via IPsec High security for machines and systems by implementing the cell protection concept Versatile project engineering with TIA Portal, Web Based Management (WBM), CommandLine Interface (CLI) and Simple Network Management Protocol (SNMP) Easy integration into existing networks and protection of devices without their own securityfunctionsThis application example uses a SCALANCE SC-600 to set up a VPN connection. Theconfiguration of a SCALANCE S615 and a SCALANCE M is practically identical.Security: SCALANCEArticle ID: 99681360, V3.0,05/20225

1 Introduction1.2Principle of operationSchematic representationThe following Figure shows a schematic representation of the application example:Service PCAutomation cellSCALANCE SC InternetrouterInternetSCALANCE SCModem/RouterStatic WAN IPaddressVPN serverVPN tunnelIndustrial EthernetVPN clientSIMATIC S7stationsDescriptionThe connection between the service PC (or other nodes/network devices) and the automationcell (nodes such as SIMATIC stations, panels, drives, PCs) is protected by a VPN tunnel.Two SCALANCE SC646-2Cs form the two tunnel endpoints for the secure connection in thisexample. One module acts as VPN server, the other as VPN client. Siemens AG 2022 All rights reservedThe tunnel endpoints are authenticated and verified with X.509 certificates.Access to the SCALANCE SC (VPN server) from the WAN is defined by the use of a staticWAN IP address.Client-side WAN access is flexible; the IP address of the WAN access is not relevant.The role distribution when setting up the VPN tunnel is defined as follows:Table 1-1ComponentNoteVPN roleSCALANCE SC (right)Initiator (VPN client); starts the VPN connectionSCALANCE SC (left)Responder (VPN server); waits for VPN connectionIf you use a SCALANCE M instead of a SCALANCE SC, then you will not need an upstreamDSL router.Security: SCALANCEArticle ID: 99681360, V3.0,05/20226

1 IntroductionSecurity product rangeThe industrial security appliances and industrial routers support the industrial security conceptof "defense in depth". They secure automation networks and seamlessly connect to the securitystructures of the office and IT world.The security components protect devices and networks in discrete manufacturing and theprocess industry and help to set up a flexible security zone concept.The functions they provide include the following:High-quality stateful inspection firewall with filtering of IP-based data traffic Global and user-defined firewall rules Managing of multiple IPsec VPN connections simultaneously NAT/NAPT for communication with serial machines with identical IP addresses Secure remote access via SINEMA Remote Connect Digital input for local activation of secure remote access Redundant power supply Simple device replacement via C-PLUG removable data storage medium for automaticbackup of configuration data Siemens AG 2022 All rights reserved Security: SCALANCEArticle ID: 99681360, V3.0,05/20227

1 Introduction1.3Components usedSoftware packagesThis solution requires "TIA Portal V17".Install this software on a PC/PG.Install the latest update or Service Pack.If you have network components, such as You do not need a license, for example, toconfigure SCALANCE using the TIA Portal.NoteRequired devices/components: Siemens AG 2022 All rights reservedTo build the application example, use the following components: Two SCALANCE SC646-2C (optional: a appropriately assembled DIN rail with mountingmaterial) One or two 24V power supplies with cable connection and terminal block connector (bothmodules can also be operated with a common power supply) DSL access with dynamic WAN IP address and a DSL router DSL access with static WAN IP address and a DSL router A PG with "TIA Portal V17" installed The required network cables, TP cables (twisted pair) complying with the IE FC RJ45standard for Industrial Ethernet.NoteYou can also use another internet access, e.g. mobile.The configuration described below refers explicitly to the components mentioned in thesection "Required devices/components".NoteInstead of a SCALANCE SC, you can also use a SCALANCE S615 or SCALANCE M.Configuration takes place in the same manner.You do not need an additional internet router if using a SCALANCE M.Security: SCALANCEArticle ID: 99681360, V3.0,05/20228

2 Engineering2Engineering2.1Setting up the environment2.1.1IP address overviewThe assignment of the IP addresses is defined as follows for this example:SC646-2CSC646-2CDSL router2DSL router110.70.0.4172.22.80.2Static WANIP172.16.0.1172.16.47.1DynamicWAN IP192.168.2.1192.168.2.89Table 2-1 Siemens AG 2022 All rights reservedComponentPortIP addressRouterSubnet maskSC646-2CZone INT; LAN-Port:P1 to P4172.22.80.2- EXT; LAN port:P5 or P6172.16.47.1172.16.0.1255.255.0.0DSL router1LAN port172.16.0.1- router1WAN portStatic IP addressof the provider-Assigned by theproviderDSL router2WAN portDynamic IPaddress of theprovider-Assigned by theproviderDSL router2LAN port192.168.2.1- EXT; LAN port:P5 or P6192.168.2.89192.168.2.1255.255.255.0SC646-2CZone INT; LAN-Port:P1 to P410.70.0.4- (forconfiguringtheSCALANCESC-600)LAN port172.22.80.10010.70.0.100255.255.255.0If you replace SCALANCE SC with a SCALANCE M, then observe the following notes:Note The SCALANCE M only requires the internal IP address (Zone INT).The upstream DSL router is not necessary.The SCALANCE M must have access to the internet (e.g. via cellular radio) and, ifnecessary, it must have a static IP address.Security: SCALANCEArticle ID: 99681360, V3.0,05/20229

2 Engineering2.1.2Infrastructure overviewThe Figure below shows how all the components involved in this solution are connected to eachother after completing chapter 2.SC646-2C “Security 1”VPN serverSC646-2C “Security 2”VPN-ClientDSL router1DSL router2P1P1LAN portLAN portWAN portsP5P5Table 2-2 Siemens AG 2022 All rights reservedComponentNoteLocal portPartnersPartner portSC646-2C (VPNserver)"Security 1"Zone INT; LAN portP1 to P4E.g. a PC in the service center (not available inthis solution)SC646-2C (VPNserver)Zone EXT;LAN portP5 or P6DSL router1SC646-2C (VPNserver)SC646-2C (VPN client)"Security 2"Zone EXT; LAN port:P5 or P6DSL router2SC646-2C (VPN client)"Security 2"SC646-2C (VPN client)Zone INT;LAN portP1 to P4E.g. an automation network (not present in thissolution)Note that in the case of all devices that are located in the internal network of the SCALANCESC646-2C, for example, controllers, Panels, the IP address of the internal network of theSCALANCE SC646-2C must be entered as the default gateway.Security: SCALANCEArticle ID: 99681360, V3.0,05/202210

2 Engineering2.2Preparing devices2.2.1DSL access (DSL router1)Static IP address with DSL router1The WAN access of the SCALANCE SC646-2C ("Security 2", VPN client) to the SCALANCESC646-2C ("Security 1", VPN server) takes place via a fixed public IP address.Port forwarding on DSL router1By using a DSL router as an internet gateway, you allow the following ports on DSL router1 andforward the data packets to the SCALANCE SC646-2C ("Security 1", VPN server; IP addresson the WAN port): UDP port 500 (ISAKMP) UDP port 4500 (IPsec NAT traversal)VPN function Siemens AG 2022 All rights reservedIf your DSL routers themselves are IPsec-enabled, make sure that this feature is disabled.2.2.2SCALANCE SC646-2CFactory settingTo ensure that no old configurations and certificates are stored in the SCALANCE SC646-2C,reset both modules to their factory settings.You will find instructions in the module manual (see chapter 4.3).Assign IP addressTo open the WBM or to load the configuration into the module via TIA Portal, the SCALANCEneeds an IP address.The initial assignment of an IP address for the device cannot be done with the WBM becausethis configuration tool already requires an IP address.You have the following options for assigning the associated IP address to the unconfigureddevice (see Table 2-1): SINEC PNITo assign the device an IP address with SINEC PNI, the device must be available overEthernet. You can download SINEC PNI for free from the Siemens Industry Online Supportpages (see chapter 4.3). Command line interface (CLI) TIA Portal and the "Accessible Devices " functionFor this, connect the PG to a LAN port (port P1 to port P4) of the SCALANCE and assign thecorresponding IP address to the SCALANCE.Assign the corresponding IP address to both SCALANCE devices in this manner.Security: SCALANCEArticle ID: 99681360, V3.0,05/202211

2 Engineering2.3Setting up securityPreparationYou will configure the VPN tunnel in this configuration example using TIA Portal. TIA Portalserves as a certificate authority and automatically generates the necessary VPN connectioncertificates for all participating modules.NoteYou can also configure the VPN tunnel directly with the WBM or CLI. In this case, you mustgenerate the certificates yourself and load them to the modules.1. Open TIA Portal and create a new project with "Project New ".2. Change to the "Network view".2.3.1Integrate SCALANCE Siemens AG 2022 All rights reservedProceed as follows to integrate the two SCALANCE SC646-2C devices into TIA Portal:1. In the hardware catalog, open the group "Network components Industrial Security SCALANCE S" and select the item number for the SCALANCE SC646-2C.2. Drag and drop the module twice into the network view.Security: SCALANCEArticle ID: 99681360, V3.0,05/202212

2 EngineeringResult:You have placed two SCALANCE SC646-2Cs in the network view.Double-click on the device to open the device view.In the project tree, a separate folder appears for each device with its project-internal name.VPN-ServerYou can modify the display name of the SCALANCE devices in TIA at this time. Siemens AG 2022 All rights reservedNoteVPN-ClientSecurity: SCALANCEArticle ID: 99681360, V3.0,05/202213

2 Engineering2.3.2Make security settingsThe security functions configured in STEP 7 are protected against unauthorized access by theirown user management system. Before you can access the global or local security settings forindustrial security appliances, sign in with a user to the security configuration.Define project administratorTo enable user management and set a project administrator, follow these steps: Siemens AG 2022 All rights reserved1. Open the folder "Security Settings" in the project tree. Double-click on the "Settings"command.2. The user management editor opens and the project protection area is displayed.Click the "Protect this project" button.Security: SCALANCEArticle ID: 99681360, V3.0,05/202214

2 Engineering3. The "Protect project" dialog opens.Enter a user name and password.The password must comply with the following guidelines:–Password length: A minimum of eight characters, a maximum of 128 characters–At least one upper-case letter–At least one special character (special characters § and ß are not allowed)–At least one number Siemens AG 2022 All rights reservedEnter the password again to confirm.Confirm your entries with "OK".ResultYou have activated the user management. You are logged on as project administrator and havethe right to add additional users and roles.Security: SCALANCEArticle ID: 99681360, V3.0,05/202215

2 EngineeringAssign permissions to the role "NET Administrator"By default, the user account is assigned the configuration rights in TIA Portal. To configure,diagnose or load the security components, the user also needs the permissions of the role "NETAdministrator" or "NET Standard".To assign additional permissions to the project administrator, follow these steps:1. Open the folder "Security Settings" in the project tree. Double-click on the "Users and roles"command. Siemens AG 2022 All rights reserved2. Open the "User" tab. Here you will find an overview of all users and their roles in TIA Portal.Select the user to whom you want to assign roles (here: project administrator"Project Admin"). Activate the "NET Administrator" role in the lower area "Assigned roles".ResultYou have assigned the project administrator another role with the rights to configure, diagnose,and load security modules.Security: SCALANCEArticle ID: 99681360, V3.0,05/202216

2 Engineering2.3.3Parameterizing the SCALANCEYou will parameterize the system functions of the SCALANCE SC646-2C via TIA Portal.The following settings are relevant for this application example:Note Set IP addresses. Define static route. Set up time synchronization.The following instructions are valid for both SCALANCE SC646-2C devices. Toparameterize the SCALANCE, use the IP addresses assigned to the device (seeTable 2-1).Set the IP addressTo set up the IP addresses in SCALANCE, proceed as follows: Siemens AG 2022 All rights reserved1. Open the device folder of the SCALANCE in the project tree. Double-click the "Deviceconfiguration" command.2. Switch to the "Properties" tab in the Inspector window. This tab displays the properties ofthe SCALANCE. Properties that are editable can be changed here.In the "General" tab, switch to the "Layer 3 Subnets Configuration" menu.Security: SCALANCEArticle ID: 99681360, V3.0,05/202217

2 Engineering3. For VLAN1, enter the IP address that is specified for this SCALANCE for the internalnetwork (Port 1 to Port 4) (see Table 2-1). Leave the status of the interface on "enabled". Siemens AG 2022 All rights reserved4. Change the interface to VLAN2. Leave the status of the interface on "enabled". DisableDHCP. For VLAN2, enter the IP address that is specified for this SCALANCE for theexternal network (Port 5 to Port 6) (see Table 2-1).ResultThe IP addresses for the modules have been set.You can see the IP addresses under "Layer 3 Subnets Overview".Security: SCALANCEArticle ID: 99681360, V3.0,05/202218

2 EngineeringDefine default routerWith a static route, you specify the routes through which data can be exchanged between thevarious subnets.To store a static route in the SCALANCE, proceed as follows:1. In the "General" tab, switch to the "Layer 3 Static Routes" menu. Siemens AG 2022 All rights reserved2. To reach all subnets, enter the following values:–In the field "Destination network" and in the field "Subnet mask", enter the networkaddress "".–In the field "Gateway", enter the corresponding router (see Table 2-1).Right-click on an empty row in the table and select the "New Entry".ResultThe static route for the module has been set up.Security: SCALANCEArticle ID: 99681360, V3.0,05/202219

2 EngineeringSet up time synchronizationThe VPN connection in this configuration example is secured with certificates. If you work withcertificates, it is essential that the correct time is entered in the VPN participant. If the time in thedevice is incorrect, then the certificates will be considered invalid and discarded.To set the system time of the device, you have several options: Manual setup Time synchronization protocol, e.g. SNTP, NTP.It is recommended to use a time synchronization protocol.To set up a time synchronization, proceed as follows:1. In the "General" tab, change to the "System System time" menu. Siemens AG 2022 All rights reserved2. Several options to synchronize the time are offered at this point. Select one option, e.g.SNTP, and enter parameters in the required fields.Security: SCALANCEArticle ID: 99681360, V3.0,05/202220

2 Engineering2.3.4Set up VPN connectionRequirementTo set up a VPN connection, it is important that you have completed the instructions inchapter 2.3.3 for both modules. This includes the items: Assigning IP addresses for the internal and external network. Creating static routes. Set up time synchronization.Create VPN groupTo create a new VPN group, proceed as follows: Siemens AG 2022 All rights reservedOpen the folder "Security settings Security features VPN groups" in the project tree. Doubleclick on the command "Add new VPN group".Security: SCALANCEArticle ID: 99681360, V3.0,05/202221

2 EngineeringResultYou have created a new VPN group. The VPN group "VPN 1" appears in the folder "VPNgroups".Assign VPN participantsTo assign the two SCALANCEs to the new VPN group, proceed as follows: Siemens AG 2022 All rights reserved1. In the folder "VPN groups", double-click on the VPN group "VPN 1" you have just created.2. In the working window you will see two tables:–"Assigned modules"–"Available modules"Security: SCALANCEArticle ID: 99681360, V3.0,05/202222

2 Engineering3. The SCALANCE SC646-2C ("Security 2", VPN client) works as an initiator and activelyestablishes the connection.The SCALANCE SC646-2C ("Security 1", VPN server) works as a responder and waits forthe connection.In the "Available modules" table, select the SCALANCE that serves as the VPN server.Change the role to "Responder". Siemens AG 2022 All rights reserved4. In the "Available modules" table, highlight both modules and use the arrow button to movethem to the "Assigned modules" table.ResultYou have defined the roles of the modules and integrated them into a common VPN group.Both modules are now in the "Assigned modules" table.Security: SCALANCEArticle ID: 99681360, V3.0,05/202223

2 Engineering2.3.5Set WAN IP addressThe VPN connection between the two SCALANCE SC646-2Cs is established via the Internet.The SCALANCE that has the role of the VPN client (here: "Security 2") and thus activelyestablishes the connection to the VPN server requires the WAN IP address of the router (DSLrouter1). This WAN IP address is the remote access point to the VPN server for the VPN client.To enter the WAN IP address, proceed as follows:1. Open the device folder of the SCALANCE ("Security 2", VPN client) in the project tree.Double-click the "Device configuration" command. Siemens AG 2022 All rights reserved2. Switch to the "Properties" tab in the Inspector window. Open the menu "Security IPsecVPN" and then the submenu "Connections".In the "Operation" column, open the selection list and select the command "Disabled".Security: SCALANCEArticle ID: 99681360, V3.0,05/202224

2 Engineering3. Change to the "Remote End" submenu. In the "Remote Address" column, enter the WAN IPaddress of your DSL router1 including the subnet mask as CIDR suffix. Siemens AG 2022 All rights reserved4. Switch back to the "Connections" submenu. In the "Operation" column, open the selectionlist and select the "Start" command.ResultYou have changed the remote endpoint in the SCALANCE ("Security 2", VPN client). TheSCALANCE now initiates the VPN connection to the entered WAN IP address.Security: SCALANCEArticle ID: 99681360, V3.0,05/202225

2 Engineering2.3.6Loading project into the modulesRequirementBefore you load the configuration to each of the modules, save and compile the TIA Portalproject.If there are errors during compilation, fix them first.Connect PG with SCALANCEThe SCALANCE devices are loaded via the internal network.Connect the PG to a LAN port (Port P1 to Port P4) of the SCALANCE.NoteThe SCALANCE must have an IP address in the internal network (zone: INT).Loading a configurationThe configuration is loaded into the SCALANCE via the HTTPS protocol.To load the configuration into the module, proceed as follows: Siemens AG 2022 All rights reserved1. In the project tree, select the SCALANCE to which you are connected.2. Click on the "Load" icon in the TIA Portal menu bar.3. The dialog for loading the module appears. Define your PG

DSL access with dynamic WAN IP address and a DSL router DSL access with static WAN IP address and a DSL router A PG with "TIA Portal V17" installed The required network cables, TP cables (twisted pair) complying with the IE FC RJ45 standard for Industrial Ethernet. Note You can also use another internet access, e.g. mobile.