hit counter script
Siemens SCALANCE M-800 Series Getting Started

Siemens SCALANCE M-800 Series Getting Started

Simatic net industrial remote communication
Hide thumbs Also See for SCALANCE M-800 Series:
Table of Contents

Advertisement

SCALANCE M-800 Getting Started
SIMATIC NET
Industrial Remote Communication
Remote Networks
SCALANCE M-800 Getting Started
Getting Started
06/2015
C79000-G8976-C337-04
___________________
Preface
Connecting SCALANCE M-
___________________
800 to WAN
___________________
SCALANCE M-800 as DHCP
server
VPN tunnel between
SCALANCE M-800 and
S612
VPN tunnel between
SCALANCE M-800 and
security CPs
VPN tunnel between
SCALANCE M87x and
SINEMA RC Server
NETMAP with SCALANCE
___________________
M-800
1
2
3
4
5
6

Advertisement

Table of Contents
loading

Summary of Contents for Siemens SCALANCE M-800 Series

  • Page 1 ___________________ SCALANCE M-800 Getting Started Preface Connecting SCALANCE M- ___________________ 800 to WAN ___________________ SCALANCE M-800 as DHCP SIMATIC NET server VPN tunnel between SCALANCE M-800 and Industrial Remote Communication S612 Remote Networks VPN tunnel between SCALANCE M-800 Getting Started SCALANCE M-800 and security CPs Getting Started...
  • Page 2 Note the following: WARNING Siemens products may only be used for the applications described in the catalog and in the relevant technical documentation. If products and components from other manufacturers are used, these must be recommended or approved by Siemens. Proper transport, storage, installation, assembly, commissioning, operation and maintenance are required to ensure that the products operate safely and without any problems.
  • Page 3: Preface

    Preface Purpose The configuration of the SCALANCE M is shown based on examples. IP settings for the examples Note The IP settings used in the examples were freely chosen. In a real network, you would need to adapt these IP settings to avoid possible address conflicts.
  • Page 4 "Industrial Ethernet Security - Basics and Application" configuration manual. You will find this document on the Internet under the following entry ID: 56577508 (http://support.automation.siemens.com/WW/view/en/56577508) ● The "SIMATIC NET Industrial Ethernet Network Manual" contains information on other SIMATIC NET products that you can operate along with the devices of this product line in an Industrial Ethernet network.
  • Page 5 Preface SIMATIC NET manuals You will find SIMATIC NET manuals on the Internet pages of Siemens Industry Online Support: ● using the search function: Link to Siemens Industry Online Support (http://support.automation.siemens.com/) Enter the entry ID of the relevant manual as the search item.
  • Page 6 Preface Trademarks The following and possibly other names not identified by the registered trademark sign ® registered trademarks of Siemens AG: SCALANCE, SINEMA, CP 343-1, CP 443-1, CP 1628, C-PLUG, KEY-PLUG SCALANCE M-800 Getting Started Getting Started, 06/2015, C79000-G8976-C337-04...
  • Page 7: Table Of Contents

    Table of contents Preface ..............................3 Connecting SCALANCE M-800 to WAN ....................11 Connecting M874 with the mobile wireless network ............... 11 1.1.1 Procedure in principle ......................11 1.1.2 Setting up SCALANCE M874 and network ................13 1.1.3 Launching Web Based Management..................13 1.1.4 Logging in to Web Based Management ..................
  • Page 8 Table of contents 1.3.3.7 Setting the time ........................71 1.3.3.8 Creating IP subnet ......................... 73 1.3.3.9 Configuring SHDSL ........................ 75 1.3.3.10 Configuring routes ........................77 1.3.3.11 Allow access .......................... 78 SCALANCE M-800 as DHCP server ..................... 81 Configuring dynamic IP address assignment ................ 83 Specifying DHCP options .......................
  • Page 9 Table of contents Firewall with a VPN connection .................... 137 3.4.1 Creating firewall rules automatically ..................137 3.4.2 Creating firewall rules manually .................... 139 VPN tunnel between SCALANCE M-800 and security CPs..............143 Procedure in principle ......................143 Secure VPN tunnel with PSK ....................147 4.2.1 Configuring a VPN tunnel with the SCT V3.x ...............
  • Page 10 Table of contents 5.4.1 Secure VPN connection with fingerprint ................194 5.4.2 Secure VPN connection with CA certificate ................. 197 5.4.2.1 Loading a certificate ......................197 5.4.2.2 Configuring a VPN connection to the SINEMA RC Server ..........199 NETMAP with SCALANCE M-800 ......................203 NETMAP for the local network .....................
  • Page 11: Connecting Scalance M-800 To Wan

    Connecting SCALANCE M-800 to WAN Connecting M874 with the mobile wireless network 1.1.1 Procedure in principle In this example the SCALANCE M874 that is in the factory settings status is assigned an IP address. Following this, the device will be configured using Web Based Management (WBM).
  • Page 12 Connecting SCALANCE M-800 to WAN 1.1 Connecting M874 with the mobile wireless network Note You can also use a SCALANCE M876. The configuration described below relates specifically to the components mentioned in the section "Required devices/components". Steps in configuration To connect an M874 to the mobile wireless network, the following steps are necessary: 1.
  • Page 13: Setting Up Scalance M874 And Network

    Connecting SCALANCE M-800 to WAN 1.1 Connecting M874 with the mobile wireless network 1.1.2 Setting up SCALANCE M874 and network Note Familiarize yourself with the security instructions before you commission the device. You will find the security instructions in the operating instructions. Procedure 1.
  • Page 14 Connecting SCALANCE M-800 to WAN 1.1 Connecting M874 with the mobile wireless network Procedure 1. On the Admin PC, open the Control Panel with the menu command "Start" > "Control Panel". 2. Click "Network and Sharing Center" and select the "Change adapter settings" option in the navigation menu on the left.
  • Page 15 Connecting SCALANCE M-800 to WAN 1.1 Connecting M874 with the mobile wireless network 6. Confirm the dialogs with "OK" and close the Control Panel. 7. Enter the IP address "192.168.1.1" in the address box of the Web browser. If there is a problem-free connection to the device, the login page of Web Based Management (WBM) is displayed.
  • Page 16: Logging In To Web Based Management

    Connecting SCALANCE M-800 to WAN 1.1 Connecting M874 with the mobile wireless network 1.1.4 Logging in to Web Based Management Procedure 1. Log in with the user name "admin" and the password "admin". You will be prompted to change the password. 2.
  • Page 17: Changing The Ip Settings Of The M874

    Connecting SCALANCE M-800 to WAN 1.1 Connecting M874 with the mobile wireless network 6. Repeat the password in "Password Confirmation" to confirm it. The entries must match. 7. Click the "Set Values" button. Result The password for the "admin" user is changed. The changes take immediate effect. 1.1.5 Changing the IP settings of the M874 The following IP address settings are made for the devices in this configuration example:...
  • Page 18 Connecting SCALANCE M-800 to WAN 1.1 Connecting M874 with the mobile wireless network 6. In the "Local Area Connection Properties" dialog, enable the "Internet Protocol Version 4 (TCP/IPv4)" check box. 7. Enter the values assigned to the Admin PC from the table in the relevant boxes. 8.
  • Page 19: Specifying Device Information

    Connecting SCALANCE M-800 to WAN 1.1 Connecting M874 with the mobile wireless network 1.1.6 Specifying device information To allow better identification of the SCALANCE M874, specify general device information. Procedure 1. Click "System" > "General" in the navigation panel and on the "Device" tab in the content area.
  • Page 20: Configuring Access Parameters

    Connecting SCALANCE M-800 to WAN 1.1 Connecting M874 with the mobile wireless network 1.1.7 Configuring access parameters Requirement ● The services are enabled, e.g. Internet. ● The following data is available: – PIN number – APN – User name and password for the APN Enter the PIN number 1.
  • Page 21 Connecting SCALANCE M-800 to WAN 1.1 Connecting M874 with the mobile wireless network Configure APN 1. Click on the "Operator" tab in the content area. 2. Specify the access data for the APN. – If your mobile wireless provider is included in the table, no further configuration is necessary.
  • Page 22 Connecting SCALANCE M-800 to WAN 1.1 Connecting M874 with the mobile wireless network Result The PIN number and the APN are configured. The M874 connects to the mobile wireless network after approximately 30 seconds. You can check whether or not the connection is established in "Information"...
  • Page 23: Setting The Time

    Connecting SCALANCE M-800 to WAN 1.1 Connecting M874 with the mobile wireless network You will find more detailed information on the connection in "Information" > "Mobile". 1.1.8 Setting the time The date and time are kept on the SCALANCE M-800 to check the validity (time) of certificates and for the time stamps of log entries.
  • Page 24 Connecting SCALANCE M-800 to WAN 1.1 Connecting M874 with the mobile wireless network Requirement ● The NTP server is reachable. ● The IP address of the NTP server is known. For this example, a time server (e.g. 192.53.103.108) of the Physikalisch-Technischen Bundesanstalt (PTB) in Braunschweig is used (Federal Institute of Physical and Technical Affairs - metrology institute).
  • Page 25: Allow Access

    Connecting SCALANCE M-800 to WAN 1.1 Connecting M874 with the mobile wireless network Result System time using NTP is set. Click "Refresh" to refresh the WBM page. 1.1.9 Allow access You have the following options for allowing access: ● Allow globally Here, you use simple, predefined firewall rules.
  • Page 26 Connecting SCALANCE M-800 to WAN 1.1 Connecting M874 with the mobile wireless network Example 1: Allow HTTPS access globally 1. Click on "Security" > "Firewall" in the navigation area and on the "Predefined IPv4" tab in the content area. 2. Enable "HTTPS" for "vlan1" and "ppp0". 3.
  • Page 27 Connecting SCALANCE M-800 to WAN 1.1 Connecting M874 with the mobile wireless network Allow only a specific device HTTPS access 1. Click on "Security" > "Firewall" in the navigation area and on the "IP Rules" tab in the content area. 2.
  • Page 28: Setting Up The Ddns Hostname

    Connecting SCALANCE M-800 to WAN 1.1 Connecting M874 with the mobile wireless network 1.1.10 Setting up the DDNS hostname DDNS stands for "dynamic domain name system". If you log the SCALANCE M-800 on to a DDNS service, the device can be reached from the external network under a hostname, e.g. "example.no-ip.com".
  • Page 29: Connecting M81X To Adsl

    Connecting SCALANCE M-800 to WAN 1.2 Connecting M81x to ADSL Connecting M81x to ADSL 1.2.1 Procedure in principle In this example the SCALANCE M81x that is in the factory settings status is assigned an IP address. Following this, the device will be configured using Web Based Management (WBM).
  • Page 30: Setting Up Scalance M81X And Network

    Connecting SCALANCE M-800 to WAN 1.2 Connecting M81x to ADSL 4. Changing the IP settings of the M81x (Page 34). 5. Configuring the SCALANCE M81x. – Specifying device information (Page 36) – Configuring access parameters (Page 37) – Setting the time (Page 39) –...
  • Page 31 Connecting SCALANCE M-800 to WAN 1.2 Connecting M81x to ADSL In this configuration example, the Admin PC has the following IP address setting to allow it to access the Web Based Management of the M-800. IP address Subnet mask 192.168.1.20 255.255.255.0 Procedure 1.
  • Page 32 Connecting SCALANCE M-800 to WAN 1.2 Connecting M81x to ADSL 6. Confirm the dialogs with "OK" and close the Control Panel. 7. Enter the IP address "192.168.1.1" in the address box of the Web browser. If there is a problem-free connection to the device, the login page of Web Based Management (WBM) is displayed.
  • Page 33: Logging In To Web Based Management

    Connecting SCALANCE M-800 to WAN 1.2 Connecting M81x to ADSL 1.2.4 Logging in to Web Based Management Procedure 1. Log in with the user name "admin" and the password "admin". You will be prompted to change the password. 2. Confirm the dialog. The "Password" WBM page is opened automatically. 3.
  • Page 34: Changing The Ip Settings Of The M81X

    Connecting SCALANCE M-800 to WAN 1.2 Connecting M81x to ADSL 6. Repeat the password in "Password Confirmation" to confirm it. The entries must match. 7. Click the "Set Values" button. Result The password for the "admin" user is changed. The changes take immediate effect. 1.2.5 Changing the IP settings of the M81x The following IP address settings are made for the devices in this configuration example:...
  • Page 35 Connecting SCALANCE M-800 to WAN 1.2 Connecting M81x to ADSL 5. Click "Network and Sharing Center" and select the "Change Adapter Settings" option in the navigation menu on the left. 6. In the "Local Area Connection Properties" dialog, enable the "Internet Protocol Version 4 (TCP/IPv4)"...
  • Page 36: Specifying Device Information

    Connecting SCALANCE M-800 to WAN 1.2 Connecting M81x to ADSL 1.2.6 Specifying device information To allow better identification of the SCALANCE M81x, specify general device information. Procedure 1. Click "System" > "General" in the navigation panel and on the "Device" tab in the content area.
  • Page 37: Configuring Access Parameters

    Connecting SCALANCE M-800 to WAN 1.2 Connecting M81x to ADSL 1.2.7 Configuring access parameters Requirement ● The services are enabled, e.g. Internet. ● The following access data is known from your DSL provider: – User name and password for ADSL access –...
  • Page 38 Connecting SCALANCE M-800 to WAN 1.2 Connecting M81x to ADSL Result The DSL connection is set up. The device connects to the Internet after approximately 30 seconds. You can check whether or not the connection is established in "Information" > "Start Page".
  • Page 39: Setting The Time

    Connecting SCALANCE M-800 to WAN 1.2 Connecting M81x to ADSL You will find more detailed information on the connection in "Information" > "DSL". 1.2.8 Setting the time The date and time are kept on the SCALANCE M-800 to check the validity (time) of certificates and for the time stamps of log entries.
  • Page 40 Connecting SCALANCE M-800 to WAN 1.2 Connecting M81x to ADSL Requirement ● The NTP server is reachable. ● The IP address of the NTP server is known. For this example, a time server (e.g. 192.53.103.108) of the Physikalisch-Technischen Bundesanstalt (PTB) in Braunschweig is used (Federal Institute of Physical and Technical Affairs - metrology institute).
  • Page 41: Allow Access

    Connecting SCALANCE M-800 to WAN 1.2 Connecting M81x to ADSL Result System time using NTP is set. Click "Refresh" to refresh the WBM page. 1.2.9 Allow access The firewall is enabled as default. This means that access from internal to external is not allowed.
  • Page 42 Connecting SCALANCE M-800 to WAN 1.2 Connecting M81x to ADSL Allow access to all 1. Click on "Security" > "Firewall" in the navigation area and on the "Predefined IPv4" tab in the content area. 2. Under "From Internal to External", enable "Allow IP Traffic". 3.
  • Page 43 Connecting SCALANCE M-800 to WAN 1.2 Connecting M81x to ADSL Allow a specific device Internet access Disabling predefined firewall rules 1. Click on "Security" > "Firewall" in the navigation area and on the "Predefined IPv4" tab in the content area. 2.
  • Page 44 Connecting SCALANCE M-800 to WAN 1.2 Connecting M81x to ADSL 3. Configure the firewall rule for HTTP with the following settings: Action Accept From Internal External Source (Range) 192.168.100.10 (the required device) Destination (Range) 0.0.0.0/0 (all addresses) Service HTTP 4. Click "Set Values". 5.
  • Page 45: Setting Up The Ddns Hostname

    Connecting SCALANCE M-800 to WAN 1.2 Connecting M81x to ADSL 1.2.10 Setting up the DDNS hostname DDNS stands for "dynamic domain name system". If you log the SCALANCE M-800 on to a DDNS service, the device can be reached from the external network under a hostname, e.g. "example.no-ip.com".
  • Page 46: Connecting M826 With Shdsl

    Connecting SCALANCE M-800 to WAN 1.3 Connecting M826 with SHDSL Connecting M826 with SHDSL 1.3.1 Out-of-the-box 1.3.1.1 Procedure in principle In this example three SCALANCE M826 devices that have the factory settings status are connected together directly. As default, the SHDSL interfaces can establish a point-to-point connection with each other. For this connection, one SHDSL interface must be the CO and the other SHDSL interface the CPE.
  • Page 47 Connecting SCALANCE M-800 to WAN 1.3 Connecting M826 with SHDSL Master station - connection to SCALANCE M826 ● In the test setup, in the master station, a network node is implemented by an Admin PC connected to an Ethernet interface of the M826. –...
  • Page 48 Connecting SCALANCE M-800 to WAN 1.3 Connecting M826 with SHDSL Required devices/components Use the following components for setup: ● Connection to SHDSL – 3 x M826 (additional option: a suitably installed standard rail with fittings) – 3 x 24 V power supply with cable connector and terminal block plug –...
  • Page 49: Setting Up Scalance M826 And Network

    Connecting SCALANCE M-800 to WAN 1.3 Connecting M826 with SHDSL 1.3.1.2 Setting up SCALANCE M826 and network Note Familiarize yourself with the security instructions before you commission the device. You will find the security instructions in the operating instructions. Requirement ●...
  • Page 50: Shdsl In 4-Wire Mode

    Connecting SCALANCE M-800 to WAN 1.3 Connecting M826 with SHDSL 1.3.2 SHDSL in 4-wire mode 1.3.2.1 Procedure in principle In this example, the two SHDSL interfaces will be put together to form a single connection with a higher transmission rate. The SCALANCE M826 is in bridge mode.
  • Page 51 Connecting SCALANCE M-800 to WAN 1.3 Connecting M826 with SHDSL Required devices/components Use the following components for setup: ● Connection to SHDSL – 2 x M826 (additional option: a suitably installed standard rail with fittings) – 2 x 24 V power supply with cable connector and terminal block plug ●...
  • Page 52: Setting Up Scalance M826 And Network

    Connecting SCALANCE M-800 to WAN 1.3 Connecting M826 with SHDSL 1.3.2.2 Setting up SCALANCE M826 and network Note Familiarize yourself with the security instructions before you commission the device. You will find the security instructions in the operating instructions. Procedure 1.
  • Page 53 Connecting SCALANCE M-800 to WAN 1.3 Connecting M826 with SHDSL 3. Enter the values assigned to the M826 from the "Settings used (Page 50)" table. 4. Transfer the IP address. SCALANCE M-800 Getting Started Getting Started, 06/2015, C79000-G8976-C337-04...
  • Page 54: Launching Web Based Management

    Connecting SCALANCE M-800 to WAN 1.3 Connecting M826 with SHDSL 1.3.2.4 Launching Web Based Management Procedure 1. On the Admin PC, open the Control Panel with the menu command "Start" > "Control Panel". 2. Click "Network and Sharing Center" and select the "Change adapter settings" option in the navigation menu on the left.
  • Page 55 Connecting SCALANCE M-800 to WAN 1.3 Connecting M826 with SHDSL 6. Confirm the dialogs with "OK" and close the Control Panel. 7. Enter the IP address assigned to the M826 from the "Settings used (Page 50)" table in the address box of the Web browser. If there is a problem-free connection to the device, the login page of Web Based Management (WBM) is displayed.
  • Page 56: Logging In To Web Based Management

    Connecting SCALANCE M-800 to WAN 1.3 Connecting M826 with SHDSL 1.3.2.5 Logging in to Web Based Management Procedure 1. Log in with the user name "admin" and the password "admin". You will be prompted to change the password. 2. Confirm the dialog. The "Password" WBM page is opened automatically. 3.
  • Page 57: Specifying Device Information

    Connecting SCALANCE M-800 to WAN 1.3 Connecting M826 with SHDSL 6. Repeat the password in "Password Confirmation" to confirm it. The entries must match. 7. Click the "Set Values" button. Result The password for the "admin" user is changed. The changes take immediate effect. 1.3.2.6 Specifying device information To allow better identification of the SCALANCE M826, specify general device information.
  • Page 58: Setting The Time

    Connecting SCALANCE M-800 to WAN 1.3 Connecting M826 with SHDSL 4. Enter the identifier for the location at which the device is installed in "System Location", for example the room number. 5. Click the "Set Values" button. Result The general device information for the SCALANCE M826 has been specified. 1.3.2.7 Setting the time The date and time are kept on the SCALANCE M-800 to check the validity (time) of...
  • Page 59 Connecting SCALANCE M-800 to WAN 1.3 Connecting M826 with SHDSL Requirement ● An NTP server can be reached in the local network. ● The IP address of the NTP server is known. For this example, a local time server with the IP address 192.168.100.87 is used. Procedure 1.
  • Page 60: Configuring Shdsl

    Connecting SCALANCE M-800 to WAN 1.3 Connecting M826 with SHDSL Result System time using NTP is set. Click "Refresh" to refresh the WBM page. 1.3.2.8 Configuring SHDSL Procedure 1. Click "Interfaces" > "SHDSL" in the navigation panel 2. Leave "Enable Layer2 Bridge Mode" selected. 3.
  • Page 61 Connecting SCALANCE M-800 to WAN 1.3 Connecting M826 with SHDSL 5. For "Link Data Rate" select auto" and for "Target SNR Ration" select "reliability". 6. Click "Set Values". Result The SHDSL connection is set up. The devices negotiate the connection parameters. This means that the devices use the transmission rate at which the data can be sent and received reliably.
  • Page 62: In Routing Mode

    Connecting SCALANCE M-800 to WAN 1.3 Connecting M826 with SHDSL 1.3.3 In routing mode 1.3.3.1 Procedure in principle In this example, three different IP subnets will be interconnected via the SCALANCE M826. For this connection, there must be a one SHDSL interface of a device in the role of CO and the other in the role of CPE.
  • Page 63 Connecting SCALANCE M-800 to WAN 1.3 Connecting M826 with SHDSL Station 1 and 2 - connection to SCALANCE M826 ● In the test setup, in the station, a network node is implemented by an Admin PC connected to an Ethernet interface of the M826. –...
  • Page 64: Setting Up Scalance M826 And Network

    Connecting SCALANCE M-800 to WAN 1.3 Connecting M826 with SHDSL Steps in configuration 1. Setting up SCALANCE M826 and network (Page 64). 2. Configuring the SCALANCE M826 with the PST (Page 65) 3. Launching Web Based Management (Page 67) 4. Logging in to Web Based Management (Page 69) 5.
  • Page 65: Configuring The Scalance M826 With The Pst

    Connecting SCALANCE M-800 to WAN 1.3 Connecting M826 with SHDSL 1.3.3.3 Configuring the SCALANCE M826 with the PST Requirement ● The IP addresses within the IP subnet are unique. Procedure 1. Start the Primary Setter Tool with "Start > SIMATIC > Primary Setup Tool". If several network adapters are installed in the PC, select the network adapter connected to the M826 in "Settings >...
  • Page 66 Connecting SCALANCE M-800 to WAN 1.3 Connecting M826 with SHDSL 4. Transfer the IP address. SCALANCE M-800 Getting Started Getting Started, 06/2015, C79000-G8976-C337-04...
  • Page 67: Launching Web Based Management

    Connecting SCALANCE M-800 to WAN 1.3 Connecting M826 with SHDSL 1.3.3.4 Launching Web Based Management Procedure 1. On the Admin PC, open the Control Panel with the menu command "Start" > "Control Panel". 2. Click "Network and Sharing Center" and select the "Change adapter settings" option in the navigation menu on the left.
  • Page 68 Connecting SCALANCE M-800 to WAN 1.3 Connecting M826 with SHDSL 5. Confirm the dialogs with "OK" and close the Control Panel. 6. Enter the IP address (vlan 1) assigned to the M826 from the table "Settings used (Page 62)" in the address box of the Web browser. If there is a problem-free connection to the device, the login page of Web Based Management (WBM) is displayed.
  • Page 69: Logging In To Web Based Management

    Connecting SCALANCE M-800 to WAN 1.3 Connecting M826 with SHDSL 1.3.3.5 Logging in to Web Based Management Procedure 1. Log in with the user name "admin" and the password "admin". You will be prompted to change the password. 2. Confirm the dialog. The "Password" WBM page is opened automatically. 3.
  • Page 70: Specifying Device Information

    Connecting SCALANCE M-800 to WAN 1.3 Connecting M826 with SHDSL 6. Repeat the password in "Password Confirmation" to confirm it. The entries must match. 7. Click the "Set Values" button. Result The password for the "admin" user is changed. The changes take immediate effect. 1.3.3.6 Specifying device information To allow better identification of the SCALANCE M826, specify general device information.
  • Page 71: Setting The Time

    Connecting SCALANCE M-800 to WAN 1.3 Connecting M826 with SHDSL 4. Enter the identifier for the location at which the device is installed in "System Location", for example the room number. 5. Click the "Set Values" button. Result The general device information for the SCALANCE M826 has been specified. 1.3.3.7 Setting the time The date and time are kept on the SCALANCE M-800 to check the validity (time) of...
  • Page 72 Connecting SCALANCE M-800 to WAN 1.3 Connecting M826 with SHDSL Procedure 1. Click on "System" > "System Time" in the navigation area and on the "NTP Client" tab in the content area. 2. In "Time Zone", enter the local time difference to world time (UTC). For Central European Summer time (CEST) +02:00.
  • Page 73: Creating Ip Subnet

    Connecting SCALANCE M-800 to WAN 1.3 Connecting M826 with SHDSL Result System time using NTP is set. Click "Refresh" to refresh the WBM page. 1.3.3.8 Creating IP subnet In routing mode, the interfaces are handled differently. ● Ethernet interface: Connection of the internal IP subnet (vlan 1) ●...
  • Page 74 Connecting SCALANCE M-800 to WAN 1.3 Connecting M826 with SHDSL 4. Enter the value assigned to the M826 from the "Settings used (Page 62)" table. 5. Click "Set Values". Result The IP subnets have been created. The IP subnets are displayed in the "Overview" tab. SCALANCE M-800 Getting Started Getting Started, 06/2015, C79000-G8976-C337-04...
  • Page 75: Configuring Shdsl

    Connecting SCALANCE M-800 to WAN 1.3 Connecting M826 with SHDSL 1.3.3.9 Configuring SHDSL Procedure 1. Click "Interfaces" > "SHDSL" in the navigation panel 2. Specify the role of the interfaces SHDSL 1 Central Office (CO) (X1) SHDSL 2 Customer Premises Equipment (CPE) (X2) 3.
  • Page 76 Connecting SCALANCE M-800 to WAN 1.3 Connecting M826 with SHDSL Result The SHDSL connection is set up. The devices negotiate the connection parameters. This means that they use the transmission rate at which the data can be sent and received reliably.
  • Page 77: Configuring Routes

    Connecting SCALANCE M-800 to WAN 1.3 Connecting M826 with SHDSL 1.3.3.10 Configuring routes The master station and the stations are in different IP subnets. To allow the master station to communicate with the stations, the appropriate routes need to be created on the M826. M826 in the master station: Configuring routes 1.
  • Page 78: Allow Access

    Connecting SCALANCE M-800 to WAN 1.3 Connecting M826 with SHDSL M826 in the stations: Configuring routes 1. Click "Layer 3" > "Routes" in the navigation panel. 2. Configure the route to the master station with the following settings: Destination Network 192.168.100.0 Subnetmask 255.255.255.0...
  • Page 79 Connecting SCALANCE M-800 to WAN 1.3 Connecting M826 with SHDSL Example 1: Allow HTTPS access globally 1. Click on "Security" > "Firewall" in the navigation area and on the "Predefined IPv4" tab in the content area. 2. Enable "HTTPS" for "vlan 1" and "vlan 2". 3.
  • Page 80 Connecting SCALANCE M-800 to WAN 1.3 Connecting M826 with SHDSL 4. Click "Set Values". Allow only a specific device HTTPS access 1. Click on "Security" > "Firewall" in the navigation area and on the "IP Rules" tab in the content area. 2.
  • Page 81: Scalance M-800 As Dhcp Server

    SCALANCE M-800 as DHCP server If you want to use the device to manage the network configuration, you can use the device as a DHCP server. This allows IP addresses to be assigned automatically to the devices connected to the internal network. In this example, both static and dynamic IP address assignments are configured.
  • Page 82 SCALANCE M-800 as DHCP server Setting used In the configuration example, the SCALANCE M-800 has the following IP address setting: ● IP address 192.168.100.1 ● Subnet mask: 255.255.255.0 Requirement ● The SCALANCE M-800 can be reached via the Admin PC and you are logged in to the WBM as "admin".
  • Page 83: Configuring Dynamic Ip Address Assignment

    SCALANCE M-800 as DHCP server 2.1 Configuring dynamic IP address assignment Configuring dynamic IP address assignment The devices whose MAC address or whose client ID was not specified specifically, are assigned a random IP address from a specified address range. Procedure 1.
  • Page 84 SCALANCE M-800 as DHCP server 2.1 Configuring dynamic IP address assignment 6. Select the following: – "Enable" to use the address band – "Probe address with ICMP Echo before offer to activate the ping function. With this ping, the DHCP server checks whether or not the IP address has already been assigned.
  • Page 85: Specifying Dhcp Options

    SCALANCE M-800 as DHCP server 2.2 Specifying DHCP options Specifying DHCP options Further information can be transferred to the DHCP client using DHCP options. The various DHCP options are defined in RFC 2132. In this example, the following DHCP options are created. DHCP option Information contained Netmask...
  • Page 86 SCALANCE M-800 as DHCP server 2.2 Specifying DHCP options 2. In "Pool ID", select "1". Enter "1" in "Option Code". 3. Click "Create". A new row is created in the table. The subnet mask 255.255.255.0 is entered automatically. 4. Click "Set Values". 5.
  • Page 87: Configuring Static Ip Address Assignment

    SCALANCE M-800 as DHCP server 2.3 Configuring static IP address assignment Configuring static IP address assignment For nodes in permanent operation, static IP address assignment should be preferred, for example for a local NTP server. The IP address of the NTP server is used in the DHCP option.
  • Page 88 SCALANCE M-800 as DHCP server 2.3 Configuring static IP address assignment Result The NTP server always has the IP address 192.168.100.87. SCALANCE M-800 Getting Started Getting Started, 06/2015, C79000-G8976-C337-04...
  • Page 89 SCALANCE M-800 as DHCP server 2.3 Configuring static IP address assignment SCALANCE M-800 Getting Started Getting Started, 06/2015, C79000-G8976-C337-04...
  • Page 91: Vpn Tunnel Between Scalance M-800 And S612

    VPN tunnel between SCALANCE M-800 and S612 Procedure in principle In these examples, a secure VPN tunnel is configured between a SCALANCE M-800 and a SCALANCE S. ● Example 1: Secure VPN tunnel with pre-shared keys (PSK) ● Example 2: Secure VPN tunnel with certificates Structure Internal network 1 - connection to SCALANCE M-800 ●...
  • Page 92 VPN tunnel between SCALANCE M-800 and S612 3.1 Procedure in principle Internal network 2 - attachment to an internal port of the SCALANCE S ● In the test setup, in the internal network, each network node is implemented by one PC connected to the internal port of the security module.
  • Page 93 VPN tunnel between SCALANCE M-800 and S612 3.1 Procedure in principle Settings used For the configuration example, the devices are given the following IP address settings Internal address External address Internal network M-800 192.168.100.1 Fixed IP address, e.g. 90.90.90.90 255.255.255.0 Provider dependent As an alternative, the DDNS host- name can also be used.
  • Page 94 VPN tunnel between SCALANCE M-800 and S612 3.1 Procedure in principle Steps in configuration Example 1: Secure VPN tunnel with PSK Configuring a VPN tunnel with the SCT V3.x 1. Creating the project and modules (Page 96) 2. Configuring a tunnel connection (Page 98) 3.
  • Page 95 VPN tunnel between SCALANCE M-800 and S612 3.1 Procedure in principle Configuring the SCALANCE M-800 1. Loading a certificate (Page 129) 2. Activating VPN (Page 131) 3. Configuring the VPN remote end (Page 132) 4. Configuring a VPN connection (Page 132) 5.
  • Page 96: Secure Vpn Tunnel With Psk

    VPN tunnel between SCALANCE M-800 and S612 3.2 Secure VPN tunnel with PSK Secure VPN tunnel with PSK 3.2.1 Configuring a VPN tunnel with the SCT V3.x 3.2.1.1 Creating the project and modules Procedure 1. Start the Security Configuration Tool V3.x on the PC. 2.
  • Page 97 VPN tunnel between SCALANCE M-800 and S612 3.2 Secure VPN tunnel with PSK 5. Enter the values assigned to the S612 from the "Settings used (Page 91)" table. In addition to this, enter the MAC address printed on the front of the security module 6.
  • Page 98: Configuring A Tunnel Connection

    VPN tunnel between SCALANCE M-800 and S612 3.2 Secure VPN tunnel with PSK 8. Enter the values assigned to the M-800 from the "Settings used (Page 91)" table. 9. Close the dialog with "OK". Result The security module S612 and the SCALANCE M-800 will then be displayed in the list of configured modules.
  • Page 99 VPN tunnel between SCALANCE M-800 and S612 3.2 Secure VPN tunnel with PSK Procedure 1. Select "VPN groups" in the navigation area and create a new group with the menu command "Insert" > "Group". The group is automatically given the name "Group1". 2.
  • Page 100: Configuring The Properties Of The S612

    VPN tunnel between SCALANCE M-800 and S612 3.2 Secure VPN tunnel with PSK 3.2.1.3 Configuring the properties of the S612 Since the S612 is connected to the Internet via a DSL router, the properties of the S612 must be configured accordingly. Procedure 1.
  • Page 101: Downloading The Configuration To The S612 And Saving The M-800 Configuration

    VPN tunnel between SCALANCE M-800 and S612 3.2 Secure VPN tunnel with PSK Result The security project is configured. The settings are saved in the configuration file: 3.2.1.4 Downloading the configuration to the S612 and saving the M-800 configuration Downloading the configuration to the S612 1.
  • Page 102 VPN tunnel between SCALANCE M-800 and S612 3.2 Secure VPN tunnel with PSK Configuration file Settings in WBM Pre Shared Key: 12345678 Security > IPSec VPN > Authentication > PSK und PSK Confirma- tion: 12345678 Remote ID: U28098881@GEA32 Security > IPSec VPN > Authentication > Remote ID not required.
  • Page 103: Configuring A Vpn Tunnel With The Sct V4.X

    VPN tunnel between SCALANCE M-800 and S612 3.2 Secure VPN tunnel with PSK 3.2.2 Configuring a VPN tunnel with the SCT V4.x 3.2.2.1 Creating the project and modules Procedure 1. Start the Security Configuration Tool V4.x on the PC. 2. Select the menu command "Project" > "New". 3.
  • Page 104 VPN tunnel between SCALANCE M-800 and S612 3.2 Secure VPN tunnel with PSK 5. Enter the values assigned to the S612 from the "Settings used (Page 91)" table. In addition to this, enter the MAC address printed on the front of the security module 6.
  • Page 105 VPN tunnel between SCALANCE M-800 and S612 3.2 Secure VPN tunnel with PSK 8. Enter the values assigned to the M-800 from the "Settings used (Page 91)" table. 9. Close the dialog with "OK". Result The security module S612 and the SCALANCE M-800 will then be displayed in the list of configured modules.
  • Page 106: Configuring A Tunnel Connection

    VPN tunnel between SCALANCE M-800 and S612 3.2 Secure VPN tunnel with PSK 3.2.2.2 Configuring a tunnel connection A VPN tunnel for secure communication can only be established if the M-800 and the S612 are assigned to the same VPN group. Procedure 1.
  • Page 107: Configuring The Properties Of The S612

    VPN tunnel between SCALANCE M-800 and S612 3.2 Secure VPN tunnel with PSK Result The configuration of the tunnel connection is complete. 3.2.2.3 Configuring the properties of the S612 Since the S612 is connected to the Internet via a DSL router, the properties of the S612 must be configured accordingly.
  • Page 108: Downloading The Configuration To The S612 And Saving The M-800 Configuration

    VPN tunnel between SCALANCE M-800 and S612 3.2 Secure VPN tunnel with PSK 7. Click "Apply" and close the dialog with "OK". 8. Select the menu command "Project" > "Save". Save the security project under the required name. Result The security project is configured. The settings are saved in the configuration file. 3.2.2.4 Downloading the configuration to the S612 and saving the M-800 configuration Downloading the configuration to the S612...
  • Page 109: Configuring Scalance M-800

    VPN tunnel between SCALANCE M-800 and S612 3.2 Secure VPN tunnel with PSK 3.2.3 Configuring SCALANCE M-800 3.2.3.1 Activating VPN Procedure 1. Click on "Security" > "IPSec VPN" in the navigation area and on the "General" tab in the content area. 2.
  • Page 110: Configuring The Vpn Remote End

    VPN tunnel between SCALANCE M-800 and S612 3.2 Secure VPN tunnel with PSK 3.2.3.2 Configuring the VPN remote end Procedure 1. Click on "Security" > "IPSec VPN" in the navigation area and on the "Remote End" tab in the content area. 2.
  • Page 111: Configuring A Vpn Connection

    VPN tunnel between SCALANCE M-800 and S612 3.2 Secure VPN tunnel with PSK 3.2.3.3 Configuring a VPN connection Requirement ● The VPN remote end has been created. Procedure 1. Click on "Security" > "IPSec VPN" in the navigation area and on the "Connection" tab in the content area.
  • Page 112: Configuring Vpn Authentication

    VPN tunnel between SCALANCE M-800 and S612 3.2 Secure VPN tunnel with PSK 3.2.3.4 Configuring VPN authentication Procedure 1. Click on "Security" > "IPSec VPN" in the navigation area and on the "Authentication" tab in the content area. 2. Configure the VPN authentication with the following settings: Authentication Local ID no entry necessary...
  • Page 113: Configuring Phase 1 And Phase 2

    VPN tunnel between SCALANCE M-800 and S612 3.2 Secure VPN tunnel with PSK 3.2.3.5 Configuring phase 1 and phase 2 Configuring phase 1 1. Click on "Security" > "IPSecVPN" in the navigation area and on the "Phase 1" tab in the content area.
  • Page 114: Establishing The Vpn Connection

    VPN tunnel between SCALANCE M-800 and S612 3.2 Secure VPN tunnel with PSK 3.2.3.6 Establishing the VPN connection Procedure 1. Click on "Security" > "IPSecVPN" in the navigation area and on the "Connection" tab in the content area. 2. As "Operation", select "start" and click "Set Values". Result The M-800 establishes the VPN tunnel to the S612.
  • Page 115 VPN tunnel between SCALANCE M-800 and S612 3.2 Secure VPN tunnel with PSK SCALANCE M-800 Getting Started Getting Started, 06/2015, C79000-G8976-C337-04...
  • Page 116: Secure Vpn Tunnel With Certificates

    VPN tunnel between SCALANCE M-800 and S612 3.3 Secure VPN tunnel with certificates Secure VPN tunnel with certificates 3.3.1 Configuring a VPN tunnel with the SCT V3.x 3.3.1.1 Creating the project and modules Procedure 1. Start the Security Configuration Tool V3.x on the PC. 2.
  • Page 117 VPN tunnel between SCALANCE M-800 and S612 3.3 Secure VPN tunnel with certificates 5. Enter the values assigned to the S612 from the "Settings used (Page 91)" table. In addition to this, enter the MAC address printed on the front of the security module 6.
  • Page 118: Configuring A Tunnel Connection

    VPN tunnel between SCALANCE M-800 and S612 3.3 Secure VPN tunnel with certificates 8. Enter the values assigned to the M-800 from the "Settings used (Page 91)" table. 9. Close the dialog with "OK". Result The security module S612 and the SCALANCE M-800 will then be displayed in the list of configured modules.
  • Page 119 VPN tunnel between SCALANCE M-800 and S612 3.3 Secure VPN tunnel with certificates Procedure 1. Select "VPN groups" in the navigation area and create a new group with the menu command "Insert" > "Group". The group is automatically given the name "Group1". 2.
  • Page 120: Configuring The Properties Of The S612

    VPN tunnel between SCALANCE M-800 and S612 3.3 Secure VPN tunnel with certificates 3.3.1.3 Configuring the properties of the S612 Since the S612 is connected to the Internet via a DSL router, the properties of the S612 must be configured accordingly. Procedure 1.
  • Page 121: Downloading The Configuration To The S612 And Saving The M-800 Configuration

    VPN tunnel between SCALANCE M-800 and S612 3.3 Secure VPN tunnel with certificates Result The security project is configured. The settings are saved in the configuration file: 3.3.1.4 Downloading the configuration to the S612 and saving the M-800 configuration Downloading the configuration to the S612 1.
  • Page 122 VPN tunnel between SCALANCE M-800 and S612 3.3 Secure VPN tunnel with certificates The configuration file contains the exported configuration information for the SCALANCE M- 800 including information on the additionally generated certificates. Configuration file Settings in WBM IPsec VPN > Certificates System >...
  • Page 123: Configuring A Vpn Tunnel With The Sct V4.X

    VPN tunnel between SCALANCE M-800 and S612 3.3 Secure VPN tunnel with certificates Configuration file Settings in WBM DPD timeout (seconds): 60 Security > IPSec VPN > Phase 1 > DPD-Timeout [sec]: 60 DPD maximum failures: 5 3.3.2 Configuring a VPN tunnel with the SCT V4.x 3.3.2.1 Creating the project and modules Procedure...
  • Page 124 VPN tunnel between SCALANCE M-800 and S612 3.3 Secure VPN tunnel with certificates 5. Enter the values assigned to the S612 from the "Settings used (Page 91)" table. In addition to this, enter the MAC address printed on the front of the security module 6.
  • Page 125 VPN tunnel between SCALANCE M-800 and S612 3.3 Secure VPN tunnel with certificates 8. Enter the values assigned to the M-800 from the "Settings used (Page 91)" table. 9. Close the dialog with "OK". Result The security module S612 and the SCALANCE M-800 will then be displayed in the list of configured modules.
  • Page 126: Configuring A Tunnel Connection

    VPN tunnel between SCALANCE M-800 and S612 3.3 Secure VPN tunnel with certificates 3.3.2.2 Configuring a tunnel connection A VPN tunnel for secure communication can only be established if the SCALANCE M and the S612 are assigned to the same group. Procedure 1.
  • Page 127: Configuring The Properties Of The S612

    VPN tunnel between SCALANCE M-800 and S612 3.3 Secure VPN tunnel with certificates Result The configuration of the tunnel connection is complete. 3.3.2.3 Configuring the properties of the S612 Since the S612 is connected to the Internet via a DSL router, the properties of the S612 must be configured accordingly.
  • Page 128: Downloading The Configuration To The S612 And Saving The M-800 Configuration

    VPN tunnel between SCALANCE M-800 and S612 3.3 Secure VPN tunnel with certificates 7. Click "Apply" and close the dialog with "OK". 8. Select the menu command "Project" > "Save". Save the security project under the required name. Result The security project is configured. The settings are saved in the configuration file. 3.3.2.4 Downloading the configuration to the S612 and saving the M-800 configuration Downloading the configuration to the S612...
  • Page 129: Configuring Scalance M-800

    VPN tunnel between SCALANCE M-800 and S612 3.3 Secure VPN tunnel with certificates Result The following files will be saved in the project directory: ● Configuration file: projectname.M-800.txt ● PKCS12 file: projectname.string.M-800.p12 ● Remote certificate: Projectname.group1.S612.cer The configuration file contains the exported configuration information for the SCALANCE M- 800 including information on the additionally generated certificates.
  • Page 130 VPN tunnel between SCALANCE M-800 and S612 3.3 Secure VPN tunnel with certificates 4. Click on the "HTTP" tab in the content area. 5. Click on the "Load" button beside "IPSecCert" or "X509cert". The dialog for loading a file is opened. Navigate to the remote certificate.
  • Page 131: Activating Vpn

    VPN tunnel between SCALANCE M-800 and S612 3.3 Secure VPN tunnel with certificates As of firmware version 4.0 certificates are displayed in "Security" > "Certificates". 3.3.3.2 Activating VPN Procedure 1. Click on "Security" > "IPSec VPN" in the navigation area and on the "General" tab in the content area.
  • Page 132: Configuring The Vpn Remote End

    VPN tunnel between SCALANCE M-800 and S612 3.3 Secure VPN tunnel with certificates 3.3.3.3 Configuring the VPN remote end Procedure 1. Click on "Security" > "IPSec VPN" in the navigation area and on the "Remote End" tab in the content area. 2.
  • Page 133: Configuring Vpn Authentication

    VPN tunnel between SCALANCE M-800 and S612 3.3 Secure VPN tunnel with certificates 4. Configure the VPN connection with the following settings: Operation disabled Keying Protocol IKEv1 Remote End S612 Name of the VPN remote station Local Subnet 192.168.100.0/24 The local internal subnet 1 in CIDR notation. 5.
  • Page 134: Configuring Phase 1 And Phase 2

    VPN tunnel between SCALANCE M-800 and S612 3.3 Secure VPN tunnel with certificates 3.3.3.6 Configuring phase 1 and phase 2 Configuring phase 1 1. Click on "Security" > "IPSecVPN" in the navigation area and on the "Phase 1" tab in the content area.
  • Page 135: Establishing The Vpn Connection

    VPN tunnel between SCALANCE M-800 and S612 3.3 Secure VPN tunnel with certificates 3.3.3.7 Establishing the VPN connection Procedure 1. Click on "Security" > "IPSec VPN" in the navigation area and on the "Connection" tab in the content area. 2. As "Operation", select "start" and click "Set Values". Result The SCALANCE M establishes the VPN tunnel to the S612.
  • Page 136 VPN tunnel between SCALANCE M-800 and S612 3.3 Secure VPN tunnel with certificates You can also see the status of the tunnel connection in the online view of the SCT. SCALANCE M-800 Getting Started Getting Started, 06/2015, C79000-G8976-C337-04...
  • Page 137: Firewall With A Vpn Connection

    VPN tunnel between SCALANCE M-800 and S612 3.4 Firewall with a VPN connection Firewall with a VPN connection You can create firewall rules for IPsec in the following ways: ● Automatic Here, the firewall rules are created automatically for the specified VPN connection. ●...
  • Page 138 VPN tunnel between SCALANCE M-800 and S612 3.4 Firewall with a VPN connection Result If "Auto Firewall Rule" is enabled, the following firewall rules are active. Action From / to Permitted proto- Source IP ad- Dest. IP cols dresses addresses Allow VPN tunnel / TCP / UDP /...
  • Page 139: Creating Firewall Rules Manually

    VPN tunnel between SCALANCE M-800 and S612 3.4 Firewall with a VPN connection 3.4.2 Creating firewall rules manually Requirement The IP service HTTP has been created, see the section "Auto-Hotspot". Allow HTTP-based access through the VPN tunnel 1. Click on "Security" > "Firewall" in the navigation area and on the "IP Rules" tab in the content area.
  • Page 140 VPN tunnel between SCALANCE M-800 and S612 3.4 Firewall with a VPN connection Allow HTTP-based access through the VPN tunnel for a specific device 1. Click on "Security" > "Firewall" in the navigation area and on the "IP Services" tab in the content area.
  • Page 141 VPN tunnel between SCALANCE M-800 and S612 3.4 Firewall with a VPN connection 9. Configure the second firewall rule with the following settings: Action Drop From Internal IPsec tunnel Source (Range) 0.0.0.0/0 (Prevents TCP data traffic between the internal network and the Destination (Range) remote network connected via the VPN tunnel.) Service...
  • Page 142 VPN tunnel between SCALANCE M-800 and S612 3.4 Firewall with a VPN connection SCALANCE M-800 Getting Started Getting Started, 06/2015, C79000-G8976-C337-04...
  • Page 143: Vpn Tunnel Between Scalance M-800 And Security Cps

    VPN tunnel between SCALANCE M-800 and security Procedure in principle In these examples, a secure VPN tunnel is configured between a SCALANCE M-800 and the CP 1628. ● Example 1: Secure VPN tunnel with pre-shared keys (PSK) ● Example 2: Secure VPN tunnel with certificates Instead of the CP 1628, a CP 343-1 Advanced or CP 434-1 Advanced can be used.
  • Page 144 VPN tunnel between SCALANCE M-800 and security CPs 4.1 Procedure in principle Internal network 2 - attachment to a port of the CP 1628 ● In the test setup, in the internal network, each network node is implemented by one PC connected to the internal port of the security module.
  • Page 145 VPN tunnel between SCALANCE M-800 and security CPs 4.1 Procedure in principle Internal address External address Internal network DSL router 192.168.184.254 Fixed IP address (WAN IP address), e.g. 91.19.6.84 255.255.255.0 PC1 with CP For CP 1628: The IP address For CP 1628: The IP address of 1628 of the NDIS interface, e.g.
  • Page 146 VPN tunnel between SCALANCE M-800 and security CPs 4.1 Procedure in principle 5. Configuring phase 1 and phase 2 (Page 160) 6. Establishing the VPN connection (Page 161) Example 2: Secure VPN tunnel with certificates Configuring a VPN tunnel with the SCT V3.x 1.
  • Page 147: Secure Vpn Tunnel With Psk

    VPN tunnel between SCALANCE M-800 and security CPs 4.2 Secure VPN tunnel with PSK Secure VPN tunnel with PSK 4.2.1 Configuring a VPN tunnel with the SCT V3.x 4.2.1.1 Creating project and modules with SCT Procedure 1. On the "Security" tab of the object properties of the CP 1628, select the "Enable security" check box.
  • Page 148: Configuring A Tunnel Connection

    VPN tunnel between SCALANCE M-800 and security CPs 4.2 Secure VPN tunnel with PSK 6. Enter the values assigned to the SCALANCE M-800 from the "Settings used (Page 143)" table. 7. Confirm the dialog with "OK". Result The CP and the SCALANCE M-800 will then be displayed in the list of configured modules. 4.2.1.2 Configuring a tunnel connection A VPN tunnel for secure communication can only be established if the SCALANCE M-800...
  • Page 149 VPN tunnel between SCALANCE M-800 and security CPs 4.2 Secure VPN tunnel with PSK Procedure 1. Select "VPN groups" in the navigation area and create a new group with the menu command "Insert" > "Group". The group is automatically given the name "Group1". 2.
  • Page 150: Downloading The Configuration To The Cp And Saving The M-800 Configuration

    VPN tunnel between SCALANCE M-800 and security CPs 4.2 Secure VPN tunnel with PSK Result The configuration of the tunnel connection is complete. The settings are saved in the configuration file. 4.2.1.3 Downloading the configuration to the CP and saving the M-800 configuration Downloading the configuration to the CP 1.
  • Page 151 VPN tunnel between SCALANCE M-800 and security CPs 4.2 Secure VPN tunnel with PSK Configuration file Settings in WBM Local ID: U269159D5@GEA32 Security > IPSec VPN > Authentication > Local ID not required. The entry remains empty in the WBM. Remote net address: 192.168.184.0 Security >...
  • Page 152: Configuring A Vpn Tunnel With The Sct V4.X

    VPN tunnel between SCALANCE M-800 and security CPs 4.2 Secure VPN tunnel with PSK 4.2.2 Configuring a VPN tunnel with the SCT V4.x 4.2.2.1 Creating project and modules with SCT Procedure 1. On the "Security" tab of the object properties of the CP 1628, select the "Enable security" check box.
  • Page 153 VPN tunnel between SCALANCE M-800 and security CPs 4.2 Secure VPN tunnel with PSK 5. Generate a second module with the "Insert" > "Module" menu command. 6. Enter the values assigned to the SCALANCE M-800 from the "Settings used (Page 143)" table.
  • Page 154: Configuring A Tunnel Connection

    VPN tunnel between SCALANCE M-800 and security CPs 4.2 Secure VPN tunnel with PSK 4.2.2.2 Configuring a tunnel connection A VPN tunnel for secure communication can only be established if the SCALANCE M-800 and the CP are assigned to the same VPN group. Procedure 1.
  • Page 155 VPN tunnel between SCALANCE M-800 and security CPs 4.2 Secure VPN tunnel with PSK 6. For this configuration example, configure the group properties with the following settings. If you use different parameter settings, it is possible that the two tunnel partners will not be able to set up a VPN connection between them.
  • Page 156: Downloading The Configuration To The Cp And Saving The M-800 Configuration

    VPN tunnel between SCALANCE M-800 and security CPs 4.2 Secure VPN tunnel with PSK 4.2.2.3 Downloading the configuration to the CP and saving the M-800 configuration Downloading the configuration to the CP 1. Close the Security Configuration Tool. 2. In HW Config, select the "Station" > "Save and Compile" menu. 3.
  • Page 157: Configuring Scalance M-800

    VPN tunnel between SCALANCE M-800 and security CPs 4.2 Secure VPN tunnel with PSK 4.2.3 Configuring SCALANCE M-800 4.2.3.1 Activating VPN Procedure 1. Click on "Security" > "IPSec VPN" in the navigation area and on the "General" tab in the content area.
  • Page 158: Configuring A Vpn Connection

    VPN tunnel between SCALANCE M-800 and security CPs 4.2 Secure VPN tunnel with PSK 4. For the configuration example, configure the VPN remote end with the following settings: Remote Mode Standard Remote Typ manual Remote Address 91.19.6.84/32 WAN IP address of the DSL router Remote Subnet 192.168.184.0/24 5.
  • Page 159: Configuring Vpn Authentication

    VPN tunnel between SCALANCE M-800 and security CPs 4.2 Secure VPN tunnel with PSK 4. For the configuration example, configure the VPN connection with the following settings: Operation disabled Keying Protocol IKEv1 Remote End CP1628 Name of the VPN remote station Local Subnet 192.168.100.0/24 The local internal subnet 1 in CIDR notation.
  • Page 160: Configuring Phase 1 And Phase 2

    VPN tunnel between SCALANCE M-800 and security CPs 4.2 Secure VPN tunnel with PSK 4.2.3.5 Configuring phase 1 and phase 2 Configuring phase 1 1. Click on "Security" > "IPSecVPN" in the navigation area and on the "Phase 1" tab in the content area.
  • Page 161: Establishing The Vpn Connection

    VPN tunnel between SCALANCE M-800 and security CPs 4.2 Secure VPN tunnel with PSK 4.2.3.6 Establishing the VPN connection Procedure 1. Click on "Security" > "IPSec VPN" in the navigation area and on the "Connection" tab in the content area. 2.
  • Page 162: Secure Vpn Tunnel With Certificates

    VPN tunnel between SCALANCE M-800 and security CPs 4.3 Secure VPN tunnel with certificates Secure VPN tunnel with certificates 4.3.1 Configuring a VPN tunnel with the SCT V3.x 4.3.1.1 Creating project and modules with SCT Procedure 1. On the "Security" tab of the object properties of the CP 1628, select the "Enable security" check box.
  • Page 163 VPN tunnel between SCALANCE M-800 and security CPs 4.3 Secure VPN tunnel with certificates 6. Enter the values assigned to the SCALANCE M-800 from the "Settings used (Page 143)" table. 7. Confirm the dialog with "OK". Result The CP and the SCALANCE M-800 will then be displayed in the list of configured modules. SCALANCE M-800 Getting Started Getting Started, 06/2015, C79000-G8976-C337-04...
  • Page 164: Configuring A Tunnel Connection

    VPN tunnel between SCALANCE M-800 and security CPs 4.3 Secure VPN tunnel with certificates 4.3.1.2 Configuring a tunnel connection A VPN tunnel for secure communication can only be established if the SCALANCE M-800 and the CP are assigned to the same group. Procedure 1.
  • Page 165 VPN tunnel between SCALANCE M-800 and security CPs 4.3 Secure VPN tunnel with certificates 6. For this configuration example, configure the group properties with the following settings: If you use different parameter settings, it is possible that the two tunnel partners will not be able to set up a VPN connection between them.
  • Page 166: Downloading The Configuration To The Cp And Saving The M-800 Configuration

    VPN tunnel between SCALANCE M-800 and security CPs 4.3 Secure VPN tunnel with certificates 4.3.1.3 Downloading the configuration to the CP and saving the M-800 configuration Downloading the configuration to the CP 1. Close the Security Configuration Tool. 2. In HW Config, select the "Station" > "Save and Compile" menu. 3.
  • Page 167 VPN tunnel between SCALANCE M-800 and security CPs 4.3 Secure VPN tunnel with certificates Configuration file Settings in WBM Remote ID: U5A634732@GC4D8 Security > IPSec VPN > Authentication > Remote ID: U5A634732@GC4D8 Remote net address: 192.168.184.0 Security > IPSec VPN > Remote End > Remote Subnet: 192.168.184.0/24 Remote subnet mask: 255.255.255.0 Local net address: 192.168.100.0...
  • Page 168: Configuring A Vpn Tunnel With The Sct V4.X

    VPN tunnel between SCALANCE M-800 and security CPs 4.3 Secure VPN tunnel with certificates 4.3.2 Configuring a VPN tunnel with the SCT V4.x 4.3.2.1 Creating project and modules with SCT Procedure 1. On the "Security" tab of the object properties of the CP 1628, select the "Enable security" check box.
  • Page 169 VPN tunnel between SCALANCE M-800 and security CPs 4.3 Secure VPN tunnel with certificates 5. Generate a second module with the "Insert" > "Module" menu command. 6. Enter the values assigned to the SCALANCE M-800 from the "Settings used (Page 143)" table.
  • Page 170: Configuring A Tunnel Connection

    VPN tunnel between SCALANCE M-800 and security CPs 4.3 Secure VPN tunnel with certificates 4.3.2.2 Configuring a tunnel connection A VPN tunnel for secure communication can only be established if the SCALANCE M-800 and the CP are assigned to the same group. Procedure 1.
  • Page 171 VPN tunnel between SCALANCE M-800 and security CPs 4.3 Secure VPN tunnel with certificates 6. For this configuration example, configure the group properties with the following settings: If you use different parameter settings, it is possible that the two tunnel partners will not be able to set up a VPN connection between them.
  • Page 172: Downloading The Configuration To The Cp And Saving The M-800 Configuration

    VPN tunnel between SCALANCE M-800 and security CPs 4.3 Secure VPN tunnel with certificates 4.3.2.3 Downloading the configuration to the CP and saving the M-800 configuration Downloading the configuration to the CP 1. Close the Security Configuration Tool. 2. In HW Config, select the "Station" > "Save and Compile" menu. 3.
  • Page 173: Configuring Scalance M-800

    VPN tunnel between SCALANCE M-800 and security CPs 4.3 Secure VPN tunnel with certificates 4.3.3 Configuring SCALANCE M-800 4.3.3.1 Loading a certificate Requirement ● The correct time is set on the SCALANCE M, refer to the section Setting the time (Page 23).
  • Page 174 VPN tunnel between SCALANCE M-800 and security CPs 4.3 Secure VPN tunnel with certificates 4. Click on the "HTTP" tab in the content area. 5. Click on the "Load" button beside "IPSecCert" or "X509cert". The dialog for loading a file is opened.
  • Page 175: Activating Vpn

    VPN tunnel between SCALANCE M-800 and security CPs 4.3 Secure VPN tunnel with certificates As of firmware version 4.0 certificates are displayed in "Security" > "Certificates". 4.3.3.2 Activating VPN Procedure 1. Click on "Security" > "IPSec VPN" in the navigation area and on the "General" tab in the content area.
  • Page 176: Configuring The Vpn Remote End

    VPN tunnel between SCALANCE M-800 and security CPs 4.3 Secure VPN tunnel with certificates 4.3.3.3 Configuring the VPN remote end Procedure 1. Click on "Security" > "IPSecVPN" in the navigation area and on the "Remote End" tab in the content area. 2.
  • Page 177: Configuring Vpn Authentication

    VPN tunnel between SCALANCE M-800 and security CPs 4.3 Secure VPN tunnel with certificates 4. For the configuration example, configure the VPN connection with the following settings: Operation disabled Keying Protocol IKEv1 Remote End CP1628 Name of the VPN remote station Local Subnet 192.168.100.0/24 The local internal subnet 1 in CIDR notation.
  • Page 178: Configuring Phase 1 And Phase 2

    VPN tunnel between SCALANCE M-800 and security CPs 4.3 Secure VPN tunnel with certificates 4.3.3.6 Configuring phase 1 and phase 2 Configuring phase 1 1. Click on "Security" > "IPSecVPN" in the navigation area and on the "Phase 1" tab in the content area.
  • Page 179: Establishing The Vpn Connection

    VPN tunnel between SCALANCE M-800 and security CPs 4.3 Secure VPN tunnel with certificates 4.3.3.7 Establishing the VPN connection Procedure 1. Click on "Security" > "IPSec VPN" in the navigation area and on the "Connection" tab in the content area. 2.
  • Page 180 VPN tunnel between SCALANCE M-800 and security CPs 4.3 Secure VPN tunnel with certificates SCALANCE M-800 Getting Started Getting Started, 06/2015, C79000-G8976-C337-04...
  • Page 181: Vpn Tunnel Between Scalance M87X And Sinema Rc Server

    VPN tunnel between SCALANCE M87x and SINEMA RC Server Procedure in principle In this sample configuration, two distributed stations are connected using the SCALANCE M87x. The devices communicate via the SINEMA RC Server located in the master station. The SINEMA RC is addressed using a WAN IP address obtained from a provider. As an alternative, you can also address the SINEMA RC Server using a defined name (FQDN).
  • Page 182 VPN tunnel between SCALANCE M87x and SINEMA RC Server 5.1 Procedure in principle Master station - connection to SINEMA RC Server ● In the test setup in the internal network, a network node is implemented by a PC connected to the LAN interface of the SINEMA RC Server. –...
  • Page 183 VPN tunnel between SCALANCE M87x and SINEMA RC Server 5.1 Procedure in principle Settings used For the configuration example, the devices are given the following IP address settings: Name Interface IP address Station -1 M874-1 LAN interface 192.168.100.1 LAN1 255.255.255.0 (vlan1) WAN interface Dynamic IP address from provider...
  • Page 184 VPN tunnel between SCALANCE M87x and SINEMA RC Server 5.1 Procedure in principle Requirement SINEMA RC Server ● The SINEMA RC Server is connected to the WAN. You will find the configuration steps in the Getting Started "SINEMA Remote Connect". Note Port forwarding at the router By using a router as a gateway you must enable the following ports on the router and...
  • Page 185 VPN tunnel between SCALANCE M87x and SINEMA RC Server 5.1 Procedure in principle Steps in configuration Configuring access to the SINEMA RC Server For the PC to be able to access the WBM of the SINEMA RC Server via the M874, the following steps are necessary on the M874: 1.
  • Page 186: Configuring Access To The Sinema Rc Server

    VPN tunnel between SCALANCE M87x and SINEMA RC Server 5.2 Configuring access to the SINEMA RC Server Configuring access to the SINEMA RC Server 5.2.1 Activating IP masquerading IP masquerading is used so that the internal IP addresses are not forwarded to external. In addition to this, no further routing settings are necessary on the router.
  • Page 187 VPN tunnel between SCALANCE M87x and SINEMA RC Server 5.2 Configuring access to the SINEMA RC Server 3. Configure the firewall rule with the following settings: Action Accept From vlan1 (internal) external M874, M876-3: ppp0 M876-4: usb0 Source (Range) 0.0.0.0 (all IP addresses) Destination (Range) 0.0.0.0 (all IP addresses) Service...
  • Page 188: Configure A Remote Connection On The Sinema Rc Server

    VPN tunnel between SCALANCE M87x and SINEMA RC Server 5.3 Configure a remote connection on the SINEMA RC Server Configure a remote connection on the SINEMA RC Server 5.3.1 Creating node groups Users and devices can be put together in participant groups. You can also specify whether the communication between the participants of an individual group is permitted or forbidden.
  • Page 189 VPN tunnel between SCALANCE M87x and SINEMA RC Server 5.3 Configure a remote connection on the SINEMA RC Server Result The participant groups have been created. SCALANCE M-800 Getting Started Getting Started, 06/2015, C79000-G8976-C337-04...
  • Page 190: Create Devices

    VPN tunnel between SCALANCE M87x and SINEMA RC Server 5.3 Configure a remote connection on the SINEMA RC Server 5.3.2 Create devices Procedure 1. In the navigation area, click "Remote connections" > "Devices". The devices that have already been created are listed in the content area. 2.
  • Page 191 VPN tunnel between SCALANCE M87x and SINEMA RC Server 5.3 Configure a remote connection on the SINEMA RC Server SCALANCE M-800 Getting Started Getting Started, 06/2015, C79000-G8976-C337-04...
  • Page 192: Configure Communications Relations

    VPN tunnel between SCALANCE M87x and SINEMA RC Server 5.3 Configure a remote connection on the SINEMA RC Server 5.3.3 Configure communications relations So that participant groups can communicate with each other, communication relations are necessary. A communication relation can be created for every direction. For this sample configuration, the following communication relations are created: from group to the destination group...
  • Page 193 VPN tunnel between SCALANCE M87x and SINEMA RC Server 5.3 Configure a remote connection on the SINEMA RC Server Result The communication relations have been created. Click "Remote connections" > "Communication relations" in the navigation area. The created relations are listed in the content area. SCALANCE M-800 Getting Started Getting Started, 06/2015, C79000-G8976-C337-04...
  • Page 194: Configuring A Remote Connection On The M87X

    VPN tunnel between SCALANCE M87x and SINEMA RC Server 5.4 Configuring a remote connection on the M87x Configuring a remote connection on the M87x 5.4.1 Secure VPN connection with fingerprint Requirement ● On PC1/2 there are two Web browser windows open. ●...
  • Page 195 VPN tunnel between SCALANCE M87x and SINEMA RC Server 5.4 Configuring a remote connection on the M87x 3. Change to Web browser 1. – Right click in the input box of "Device ID". – In the shortcut menu, select the menu command for inserting. –...
  • Page 196 VPN tunnel between SCALANCE M87x and SINEMA RC Server 5.4 Configuring a remote connection on the M87x Result The device establishes a VPN tunnel to the SINEMA RC Server. You can check in the WBM to see whether the connection was successful. Web browser 1: In the navigation area, click "Information"...
  • Page 197: Secure Vpn Connection With Ca Certificate

    VPN tunnel between SCALANCE M87x and SINEMA RC Server 5.4 Configuring a remote connection on the M87x 5.4.2 Secure VPN connection with CA certificate 5.4.2.1 Loading a certificate Requirement ● The correct time is set on the M874 and the SINEMA RC Server. ●...
  • Page 198 VPN tunnel between SCALANCE M87x and SINEMA RC Server 5.4 Configuring a remote connection on the M87x Result The certificates are loaded. With "Security" > "Certificates", you can display the certificates. The loaded certificates must have the status "valid". SCALANCE M-800 Getting Started Getting Started, 06/2015, C79000-G8976-C337-04...
  • Page 199: Configuring A Vpn Connection To The Sinema Rc Server

    VPN tunnel between SCALANCE M87x and SINEMA RC Server 5.4 Configuring a remote connection on the M87x 5.4.2.2 Configuring a VPN connection to the SINEMA RC Server Requirement ● A valid KEY-PLUG is inserted in the M87x. Procedure 1. Change to Web browser 1. –...
  • Page 200 VPN tunnel between SCALANCE M87x and SINEMA RC Server 5.4 Configuring a remote connection on the M87x – In "CA Certificate" select the server certificate. Only loaded certificates can be selected. – Select "Enable SINEMA RC" and click on "Set Values". SCALANCE M-800 Getting Started Getting Started, 06/2015, C79000-G8976-C337-04...
  • Page 201 VPN tunnel between SCALANCE M87x and SINEMA RC Server 5.4 Configuring a remote connection on the M87x Result The device establishes a VPN tunnel to the SINEMA RC Server. You can check in the WBM to see whether the connection was successful. Web browser 1: In the navigation area, click "Information"...
  • Page 202 VPN tunnel between SCALANCE M87x and SINEMA RC Server 5.4 Configuring a remote connection on the M87x SCALANCE M-800 Getting Started Getting Started, 06/2015, C79000-G8976-C337-04...
  • Page 203: Netmap With Scalance M-800

    NETMAP with SCALANCE M-800 In these examples, two different IP subnets are connected together via a SCALANCE M- 800. Between the two SCALANCE M devices a VPN tunnel is established. The VPN connection is initiated by the M876. Via the established tunnel, the addresses are translated with NETMAP.
  • Page 204 NETMAP with SCALANCE M-800 Remote network - connection to M-800 ● In the test setup, in the remote network, the network node is implemented by a PC in each case connected to an Ethernet interface of the SCALANCE M-800. – PC: represents a node in the remote network –...
  • Page 205 NETMAP with SCALANCE M-800 Settings used For the configuration example, the devices are given the following IP address settings: Name Interface IP address Station M876 LAN interface 192.168.20.1 IP subnet 1 255.255.255.0 (vlan1) WAN interface Dynamic IP address from the provider (ppp0) The device is, however, reachable via a dynamic DNS service, e.g.
  • Page 206: Netmap For The Local Network

    NETMAP with SCALANCE M-800 6.1 NETMAP for the local network NETMAP for the local network ① With NETMAP of the local network, the source address e.g. 192.168.20.20 is translated. In this translation, the subnet part of the IP address is changed and the host part remains. In the example, the subnet part is 192.168.20.0.
  • Page 207: Creating A Vpn Connection

    NETMAP with SCALANCE M-800 6.1 NETMAP for the local network Requirement ● The SCALANCE M-800 is connected to the WAN , refer to "Connecting SCALANCE M- 800 to the WAN (Page 81)". ● The SCALANCE M-800 can be reached via the Admin PC and you are logged in to the WBM as "admin".
  • Page 208 NETMAP with SCALANCE M-800 6.1 NETMAP for the local network 5. Click on the "Authentication" tab in the content area and configure the VPN authentication with the following settings: On the M816 On the M876 Authentication Local ID Remote ID PSK / PSK Confirma- e.
  • Page 209: Creating Netmap Rules

    NETMAP with SCALANCE M-800 6.1 NETMAP for the local network 6.1.2 Creating NETMAP rules Requirement ● The VPN connection M876_to_M816 is configured, see Creating a VPN connection (Page 207). Procedure 1. Click on "Layer 3" > "NAT" in the navigation area and on the "NETMAP" tab in the content area.
  • Page 210 NETMAP with SCALANCE M-800 6.1 NETMAP for the local network Result The rules for the outgoing and incoming queries have been created. SCALANCE M-800 Getting Started Getting Started, 06/2015, C79000-G8976-C337-04...
  • Page 211: Netmap For The Remote Network

    NETMAP with SCALANCE M-800 6.2 NETMAP for the remote network NETMAP for the remote network ① With NETMAP of the remote network, the destination e.g. 192.168.100.10 is translated. In the example, the subnet part is 192.168.100.0 and this is replaced by 192.168.10.0. This means that the remote network can also be reached in addition to 192.168.10.0 also via ②...
  • Page 212: Creating A Vpn Connection

    NETMAP with SCALANCE M-800 6.2 NETMAP for the remote network Requirement ● The SCALANCE M-800 is connected to the WAN , refer to "Connecting SCALANCE M- 800 to the WAN (Page 11)". ● The SCALANCE M-800 can be reached via the Admin PC and you are logged in to the WBM as "admin".
  • Page 213 NETMAP with SCALANCE M-800 6.2 NETMAP for the remote network 5. Click on the "Authentication" tab in the content area and configure the VPN authentication with the following settings: On the M816 On the M876 Authentication Local ID Remote ID PSK / PSK Confirma- e.
  • Page 214: Creating Netmap Rules

    NETMAP with SCALANCE M-800 6.2 NETMAP for the remote network 6.2.2 Creating NETMAP rules Requirement ● The VPN connection M876_to_M816_2 is configured, see Creating a VPN connection (Page 212). Procedure 1. Click on "Layer 3" > "NAT" in the navigation area and on the "NETMAP" tab in the content area.
  • Page 215 NETMAP with SCALANCE M-800 6.2 NETMAP for the remote network Result The rules for the outgoing and incoming queries have been created. SCALANCE M-800 Getting Started Getting Started, 06/2015, C79000-G8976-C337-04...
  • Page 216: Netmap For The Local And Remote Network

    NETMAP with SCALANCE M-800 6.3 NETMAP for the local and remote network NETMAP for the local and remote network In this example, the NETMAP rules from NETMAP for the local network (Page 206)and from NETMAP for the remote network (Page 211) are combined. There is, however, a special feature with the outgoing queries.
  • Page 217: Creating A Vpn Connection

    NETMAP with SCALANCE M-800 6.3 NETMAP for the local and remote network Remote network > local network: The destination IP subnet 192.168.200.0/24 is replaced by 192.168.20.0/24 The source IP subnet 192.168.10.0/24 is replaced by 192.168.100.0/24 The two devices should also communicate with each other via a VPN tunnel. Requirement ●...
  • Page 218 NETMAP with SCALANCE M-800 6.3 NETMAP for the local and remote network 4. Click on the "Connections" tab in the content area and create the VPN connection with the following settings: On the M816 On the M876 Connection Name M816_to_M876 M876_to_M816 Operation disable...
  • Page 219: Creating Netmap Rules

    NETMAP with SCALANCE M-800 6.3 NETMAP for the local and remote network For "Operation" select the following and click "Set Values" On the M816 On the M876 Operation wait start (Responder) (Initiator) The M876 establishes the VPN tunnel to the M816. If the VPN tunnel is established, the LED is lit green on the devices.
  • Page 220 NETMAP with SCALANCE M-800 6.3 NETMAP for the local and remote network Result The rules for the outgoing and incoming queries have been created. SCALANCE M-800 Getting Started Getting Started, 06/2015, C79000-G8976-C337-04...

Table of Contents