You are on page 1of 200

___________________

Preface

Connecting SCALANCE M-
___________________
800 to WAN 1
SCALANCE M-800 as DHCP
___________________
server 2
SIMATIC NET
VPN tunnel between

Industrial Remote Communication


SCALANCE M-800 and 3
S612
Remote Networks
VPN tunnel between
SCALANCE M-800 Getting Started SCALANCE M-800 and 4
security CPs
Getting Started VPN tunnel between
SCALANCE M87x and 5
SINEMA RC Server

___________________
VPN tunnel between two M-
800s 6

___________________
NETMAP with SCALANCE
M-800 7

___________________
Reporting and switching by
SMS 8

07/2017
C79000-G8976-C337-05
Legal information
Warning notice system
This manual contains notices you have to observe in order to ensure your personal safety, as well as to prevent
damage to property. The notices referring to your personal safety are highlighted in the manual by a safety alert
symbol, notices referring only to property damage have no safety alert symbol. These notices shown below are
graded according to the degree of danger.

DANGER
indicates that death or severe personal injury will result if proper precautions are not taken.

WARNING
indicates that death or severe personal injury may result if proper precautions are not taken.

CAUTION
indicates that minor personal injury can result if proper precautions are not taken.

NOTICE
indicates that property damage can result if proper precautions are not taken.
If more than one degree of danger is present, the warning notice representing the highest degree of danger will
be used. A notice warning of injury to persons with a safety alert symbol may also include a warning relating to
property damage.
Qualified Personnel
The product/system described in this documentation may be operated only by personnel qualified for the specific
task in accordance with the relevant documentation, in particular its warning notices and safety instructions.
Qualified personnel are those who, based on their training and experience, are capable of identifying risks and
avoiding potential hazards when working with these products/systems.
Proper use of Siemens products
Note the following:

WARNING
Siemens products may only be used for the applications described in the catalog and in the relevant technical
documentation. If products and components from other manufacturers are used, these must be recommended
or approved by Siemens. Proper transport, storage, installation, assembly, commissioning, operation and
maintenance are required to ensure that the products operate safely and without any problems. The permissible
ambient conditions must be complied with. The information in the relevant documentation must be observed.

Trademarks
All names identified by ® are registered trademarks of Siemens AG. The remaining trademarks in this publication
may be trademarks whose use by third parties for their own purposes could violate the rights of the owner.
Disclaimer of Liability
We have reviewed the contents of this publication to ensure consistency with the hardware and software
described. Since variance cannot be precluded entirely, we cannot guarantee full consistency. However, the
information in this publication is reviewed regularly and any necessary corrections are included in subsequent
editions.

Siemens AG Document order number: C79000-G8976-C337 Copyright © Siemens AG 2013 - 2017.


Division Process Industries and Drives Ⓟ 06/2017 Subject to change All rights reserved
Postfach 48 48
90026 NÜRNBERG
GERMANY
Preface

Purpose
The configuration of the SCALANCE M is shown based on examples.

IP settings for the examples

Note
The IP settings used in the examples were freely chosen.
In a real network, you would need to adapt these IP settings to avoid possible address
conflicts.

General naming conventions

The designation . . . stands for . . .


SCT Security Configuration Tool
PST Primary Setup Tool
CP CP 343-1 Advanced GX31, CP 443-1 Advanced GX30,
CP 1628
M87x SCALANCE M874-2
SCALANCE M874-3
SCALANCE M876-3
SCALANCE M876-4
M874 SCALANCE M874-2
SCALANCE M874-3
M876 SCALANCE M876-3
SCALANCE M876-4
M812 SCALANCE M812-1
M816 SCALANCE M816-1
M81x SCALANCE M812-1
SCALANCE M816-1
M826 SCALANCE M826-2
M-800 SCALANCE M874-2
SCALANCE M874-3
SCALANCE M876-3
SCALANCE M876-4
SCALANCE M812-1
SCALANCE M816-1
SCALANCE M826-2

SCALANCE M-800 Getting Started


Getting Started, 07/2017, C79000-G8976-C337-05 3
Preface

Further documentation
● "Industrial Remote Communication Remote Networks - SCALANCE M874" operating
instructions
This document contains information with which you will be able to install and connect up
a device of the SCALANCE M874 product line. The configuration and the integration of
the device in a network are not described in these instructions
● "Industrial Remote Communication Remote Networks - SCALANCE M81x" operating
instructions
This document contains information with which you will be able to install and connect up
a device of the SCALANCE M812, M816 product line. The configuration and the
integration of the device in a network are not described in these instructions
● "Industrial Remote Communication Remote Networks - SCALANCE M-800 Web Based
Management" configuration manual
This document is intended to provide you with the information you require to install,
commission and operate the device. It provides you with the information you require to
configure the devices.
● You will find further information about working with the SCT (Security Configuration Tool)
in the "Industrial Ethernet Security - Basics and Application" configuration manual. You
will find this document on the Internet under the following entry ID: 56577508
(http://support.automation.siemens.com/WW/view/en/56577508)
● The "SIMATIC NET Industrial Ethernet Network Manual" contains information on other
SIMATIC NET products that you can operate along with the devices of this product line in
an Industrial Ethernet network. There, you will find among other things optical
performance data of the communications partners that you require for the installation.
You will find this document on the Internet under the following entry ID: 27069465
(http://support.automation.siemens.com/WW/view/en/27069465)

SIMATIC NET manuals


You will find SIMATIC NET manuals on the Internet pages of Siemens Industry Online
Support:
● using the search function:
Link to Siemens Industry Online Support (http://support.automation.siemens.com/)
Enter the entry ID of the relevant manual as the search item.
● In the navigation panel on the left hand side in the area "Industrial Communication":
Link to the area "Industrial Communication"
(http://support.automation.siemens.com/WW/view/en/10805878/133400)
Go to the required product group and make the following settings:
tab "Entry list", Entry type "Manuals"

Training, Service & Support


You will find information on Training, Service & Support in the multi--language document
"DC_support_99.pdf" on the data medium supplied with the documentation.

SCALANCE M-800 Getting Started


4 Getting Started, 07/2017, C79000-G8976-C337-05
Preface

SIMATIC NET glossary


Explanations of many of the specialist terms used in this documentation can be found in the
SIMATIC NET glossary.
You will find the SIMATIC NET glossary on the Internet at the following address:
50305045 (http://support.automation.siemens.com/WW/view/en/50305045)

Security information
Siemens provides products and solutions with industrial security functions that support the
secure operation of plants, systems, machines and networks.
In order to protect plants, systems, machines and networks against cyber threats, it is
necessary to implement – and continuously maintain – a holistic, state-of-the-art industrial
security concept. Siemens’ products and solutions constitute one element of such a concept.
Customers are responsible for preventing unauthorized access to their plants, systems,
machines and networks. Such systems, machines and components should only be
connected to an enterprise network or the internet if and to the extent such a connection is
necessary and only when appropriate security measures (e.g. firewalls and/or network
segmentation) are in place.
For additional information on industrial security measures that may be implemented, please
visit https://www.siemens.com/industrialsecurity
Siemens’ products and solutions undergo continuous development to make them more
secure. Siemens strongly recommends that product updates are applied as soon as they are
available and that the latest product versions are used. Use of product versions that are no
longer supported, and failure to apply the latest updates may increase customer’s exposure
to cyber threats.
To stay informed about product updates, subscribe to the Siemens Industrial Security RSS
Feed under https://www.siemens.com/industrialsecurity

Firmware
The firmware is signed and encrypted. This ensures that only firmware created by Siemens
can be downloaded to the device.

Trademarks
The following and possibly other names not identified by the registered trademark sign ® are
registered trademarks of Siemens AG:
SCALANCE, SINEMA, CP 343-1, CP 443-1, CP 1628

SCALANCE M-800 Getting Started


Getting Started, 07/2017, C79000-G8976-C337-05 5
Preface

SCALANCE M-800 Getting Started


6 Getting Started, 07/2017, C79000-G8976-C337-05
Table of contents

Preface ................................................................................................................................................... 3
1 Connecting SCALANCE M-800 to WAN ................................................................................................ 11
1.1 Procedure in principle .............................................................................................................11
1.2 Setting up the SCALANCE M-800 and the network ...............................................................13
1.3 Connecting M826 to SHDSL ...................................................................................................14
1.4 Adapting IP settings ................................................................................................................18
1.4.1 Configuration with the Primary Setup Tool (PST) ...................................................................19
1.4.2 Configuration with DCP Discovery..........................................................................................20
1.5 Starting Web Based Management ..........................................................................................22
1.6 Logging in to Web Based Management..................................................................................25
1.7 Specifying device information .................................................................................................26
1.8 Setting the time .......................................................................................................................27
1.9 Additional configuration steps with the SCALANCE M87x and SCALANCE M81x ...............29
1.9.1 Configuring access parameters for the SCALANCE M87x ....................................................29
1.9.2 Configuring access parameters for the SCALANCE M81x ....................................................31
1.9.3 Setting up the DDNS hostname ..............................................................................................34
1.10 Additional steps in configuration with the SCALANCE M826 in 4-wire operation ..................35
1.10.1 Configuring SHDSL.................................................................................................................35
1.11 Additional steps in configuration with the SCALANCE M826 in routing mode .......................37
1.11.1 Creating IP subnet ..................................................................................................................37
1.11.2 Configuring routes ...................................................................................................................38
1.12 Allow access ...........................................................................................................................40
2 SCALANCE M-800 as DHCP server ..................................................................................................... 43
2.1 Configuring dynamic IP address assignment .........................................................................44
2.2 Specifying DHCP options .......................................................................................................45
2.3 Configuring static IP address assignment ..............................................................................47
3 VPN tunnel between SCALANCE M-800 and S612 ............................................................................... 49
3.1 Procedure in principle .............................................................................................................49
3.2 Secure VPN tunnel with PSK ..................................................................................................53
3.2.1 Configuring a VPN tunnel with the SCT V3.x .........................................................................53
3.2.1.1 Creating the project and modules ...........................................................................................53
3.2.1.2 Configuring a tunnel connection .............................................................................................55
3.2.1.3 Configuring the properties of the S612 ...................................................................................57
3.2.1.4 Downloading the configuration to the S612 and saving the M-800 configuration ..................58
3.2.2 Configuring a VPN tunnel with the SCT V4.x .........................................................................60
3.2.2.1 Creating the project and modules ...........................................................................................60

SCALANCE M-800 Getting Started


Getting Started, 07/2017, C79000-G8976-C337-05 7
Table of contents

3.2.2.2 Configuring a tunnel connection ............................................................................................ 63


3.2.2.3 Configuring the properties of the S612 .................................................................................. 64
3.2.2.4 Downloading the configuration to the S612 and saving the M-800 configuration ................. 65
3.2.3 Configuring SCALANCE M-800 ............................................................................................. 66
3.2.3.1 Activating VPN ....................................................................................................................... 66
3.2.3.2 Configuring the VPN remote end ........................................................................................... 66
3.2.3.3 Configuring a VPN connection ............................................................................................... 67
3.2.3.4 Configuring VPN authentication ............................................................................................. 68
3.2.3.5 Configuring phase 1 and phase 2 .......................................................................................... 68
3.2.3.6 Establishing the VPN connection ........................................................................................... 70
3.3 Secure VPN tunnel with certificates ....................................................................................... 71
3.3.1 Configuring a VPN tunnel with the SCT V3.x ........................................................................ 71
3.3.1.1 Creating the project and modules .......................................................................................... 71
3.3.1.2 Configuring a tunnel connection ............................................................................................ 73
3.3.1.3 Configuring the properties of the S612 .................................................................................. 75
3.3.1.4 Downloading the configuration to the S612 and saving the M-800 configuration ................. 76
3.3.2 Configuring a VPN tunnel with the SCT V4.x ........................................................................ 78
3.3.2.1 Creating the project and modules .......................................................................................... 78
3.3.2.2 Configuring a tunnel connection ............................................................................................ 81
3.3.2.3 Configuring the properties of the S612 .................................................................................. 82
3.3.2.4 Downloading the configuration to the S612 and saving the M-800 configuration ................. 83
3.3.3 Configuring SCALANCE M-800 ............................................................................................. 84
3.3.3.1 Loading a certificate ............................................................................................................... 84
3.3.3.2 Configuring the VPN remote end ........................................................................................... 86
3.3.3.3 Configuring a VPN connection ............................................................................................... 87
3.3.3.4 Configuring VPN authentication ............................................................................................. 88
3.3.3.5 Configuring phase 1 and phase 2 .......................................................................................... 88
3.3.3.6 Activating VPN ....................................................................................................................... 90
3.3.3.7 Establishing the VPN connection ........................................................................................... 90
3.4 Firewall with a VPN connection ............................................................................................. 91
3.4.1 Creating firewall rules automatically ...................................................................................... 92
3.4.2 Creating firewall rules manually ............................................................................................. 93
4 VPN tunnel between SCALANCE M-800 and security CPs ................................................................... 95
4.1 Procedure in principle ............................................................................................................ 95
4.2 Secure VPN tunnel with PSK ................................................................................................. 98
4.2.1 Configuring a VPN tunnel with the SCT V3.x ........................................................................ 98
4.2.1.1 Creating project and modules with SCT ................................................................................ 98
4.2.1.2 Configuring a tunnel connection .......................................................................................... 100
4.2.1.3 Downloading the configuration to the CP and saving the M-800 configuration ................... 101
4.2.2 Configuring a VPN tunnel with the SCT V4.x ...................................................................... 103
4.2.2.1 Creating project and modules with SCT .............................................................................. 103
4.2.2.2 Configuring a tunnel connection .......................................................................................... 105
4.2.2.3 Downloading the configuration to the CP and saving the M-800 configuration ................... 107
4.2.3 Configuring SCALANCE M-800 ........................................................................................... 108
4.2.3.1 Configuring the VPN remote end ......................................................................................... 108
4.2.3.2 Configuring a VPN connection ............................................................................................. 108
4.2.3.3 Configuring VPN authentication ........................................................................................... 110
4.2.3.4 Configuring phase 1 and phase 2 ........................................................................................ 110
4.2.3.5 Activating VPN ..................................................................................................................... 112
4.2.3.6 Establishing the VPN connection ......................................................................................... 112

SCALANCE M-800 Getting Started


8 Getting Started, 07/2017, C79000-G8976-C337-05
Table of contents

4.3 Secure VPN tunnel with certificates ......................................................................................113


4.3.1 Configuring a VPN tunnel with the SCT V3.x .......................................................................113
4.3.1.1 Creating project and modules with SCT ...............................................................................113
4.3.1.2 Configuring a tunnel connection ...........................................................................................114
4.3.1.3 Downloading the configuration to the CP and saving the M-800 configuration ....................116
4.3.2 Configuring a VPN tunnel with the SCT V4.x .......................................................................118
4.3.2.1 Creating project and modules with SCT ...............................................................................118
4.3.2.2 Configuring a tunnel connection ...........................................................................................120
4.3.2.3 Downloading the configuration to the CP and saving the M-800 configuration ....................121
4.3.3 Configuring SCALANCE M-800 ............................................................................................122
4.3.3.1 Loading a certificate ..............................................................................................................122
4.3.3.2 Configuring the VPN remote end ..........................................................................................124
4.3.3.3 Configuring a VPN connection ..............................................................................................124
4.3.3.4 Configuring VPN authentication ............................................................................................125
4.3.3.5 Configuring phase 1 and phase 2 .........................................................................................126
4.3.3.6 Activating VPN ......................................................................................................................127
4.3.3.7 Establishing the VPN connection ..........................................................................................128
5 VPN tunnel between SCALANCE M87x and SINEMA RC Server ........................................................ 129
5.1 Procedure in principle ...........................................................................................................129
5.2 Configuring access to the SINEMA RC server .....................................................................133
5.2.1 Activating IP masquerading ..................................................................................................133
5.2.2 Allow access .........................................................................................................................133
5.3 Configuring a remote connection on the SINEMA RC Server ..............................................134
5.3.1 Creating node groups ...........................................................................................................134
5.3.2 Create devices ......................................................................................................................136
5.3.3 Configure communications relations .....................................................................................138
5.4 Configuring a remote connection on the M87x .....................................................................140
5.4.1 Secure VPN connection with fingerprint ...............................................................................140
5.4.2 Secure VPN connection with CA certificate ..........................................................................143
5.4.2.1 Loading a certificate ..............................................................................................................143
5.4.2.2 Configuring a VPN connection to the SINEMA RC Server ...................................................144
6 VPN tunnel between two M-800s ........................................................................................................ 147
6.1 Procedure in principle ...........................................................................................................147
6.2 Configuring a VPN tunnel with the SCT................................................................................150
6.2.1 Creating the project and modules .........................................................................................150
6.2.2 Configuring a tunnel connection ...........................................................................................153
6.2.3 Configuring VPN parameters ................................................................................................155
6.2.4 Saving the configuration .......................................................................................................155
6.3 Configuring the SCALANCE M81x (VPN server) .................................................................156
6.3.1 Loading a certificate ..............................................................................................................156
6.3.2 Configuring the VPN remote end ..........................................................................................158
6.3.3 Configuring a VPN connection ..............................................................................................159
6.3.4 Configuring VPN authentication ............................................................................................159
6.3.5 Configuring phase 1 and phase 2 .........................................................................................160
6.3.6 Activating VPN ......................................................................................................................162
6.3.7 Establishing the VPN connection ..........................................................................................162
6.4 Configuring the SCALANCE M87x (VPN client) ...................................................................163

SCALANCE M-800 Getting Started


Getting Started, 07/2017, C79000-G8976-C337-05 9
Table of contents

6.4.1 Loading a certificate ............................................................................................................. 163


6.4.2 Configuring the VPN remote end ......................................................................................... 165
6.4.3 Configuring a VPN connection ............................................................................................. 166
6.4.4 Configuring VPN authentication ........................................................................................... 166
6.4.5 Configuring phase 1 and phase 2 ........................................................................................ 167
6.4.6 Activating VPN ..................................................................................................................... 169
6.4.7 Establishing the VPN connection ......................................................................................... 169
6.5 Displaying the status of the VPN connection ....................................................................... 170
7 NETMAP with SCALANCE M-800 ........................................................................................................171
7.1 NETMAP for the local network ............................................................................................. 174
7.1.1 Creating a VPN connection .................................................................................................. 175
7.1.2 Creating NETMAP rules ....................................................................................................... 177
7.2 NETMAP for the remote network ......................................................................................... 178
7.2.1 Creating a VPN connection .................................................................................................. 180
7.2.2 Creating NETMAP rules ....................................................................................................... 181
7.3 NETMAP for the local and remote network ......................................................................... 183
7.3.1 Creating a VPN connection .................................................................................................. 184
7.3.2 Creating NETMAP rules ....................................................................................................... 186
8 Reporting and switching by SMS ..........................................................................................................189
8.1 Introduction .......................................................................................................................... 189
8.2 Generating and sending an event SMS message ............................................................... 189
8.2.1 Introduction .......................................................................................................................... 189
8.2.2 Configuring an event ............................................................................................................ 190
8.2.3 Configuring the sending of SMS messages ......................................................................... 191
8.3 Receiving and evaluating a command SMS message ........................................................ 192
8.3.1 Introduction .......................................................................................................................... 192
8.3.2 SINEMA RC Server sends a wake-up SMS message......................................................... 194
8.3.2.1 Configuring settings on the SINEMA RC Server ................................................................. 194
8.3.2.2 Configuring receipt of the command SMS message on the M87x ...................................... 195
8.3.3 Service technician sends a command SMS message ......................................................... 196
8.3.3.1 Start VPN connection with command SMS message .......................................................... 196
8.3.3.2 Querying the status of the VPN connection with command SMS message ........................ 197
Index ...................................................................................................................................................199

SCALANCE M-800 Getting Started


10 Getting Started, 07/2017, C79000-G8976-C337-05
Connecting SCALANCE M-800 to WAN 1
1.1 Procedure in principle
This section provides an overview of how a SCALANCE M-800 with the factory settings can
be integrated in a network and configured. This can be a mobile wireless network
(SCALANCE M87x) or a wired network (SCALANCE M812, SCALANCE M816 or
SCALANCE M826). The device is assigned an IP address. Configuration is performed using
the Web Based Management (WBM).

Structure for SCALANCE M874 and SCALANCE M81x

Figure 1-1 Internet access via a mobile wireless network with the SCALANCE M874-3 via ADSL
with the SCALANCE M812-1

Required components
● SCALANCE M-800
● Optional if the device is not mounted directly. Standard rail with fittings
● A power supply 24 VDC or 12 VDC with cable connector and terminal block connector
● A network cable complying with the IE FC RJ-45 standard for Industrial Ethernet
● One PC for the configuration
Additionally with the SCALANCE M87x
● A suitable antenna
● A SIM card of your mobile wireless provider (The required services, for example Internet
must be enabled.)

SCALANCE M-800 Getting Started


Getting Started, 07/2017, C79000-G8976-C337-05 11
Connecting SCALANCE M-800 to WAN
1.1 Procedure in principle

Additionally with the SCALANCE M81x


● Activation for ADSL

Steps in configuration
The required steps in configuration depend in part on the device you are using. If the
SCALANCE M826 is used in 2-wire operation, only the configuration step "Setting up
SCALANCE M-800 and the network" is required. After this, the SCALANCE M826 is ready
for operation immediately (out of the box).
1. Setting up SCALANCE M-800 and the network.
For the SCALANCE M826, note the additional information in the section "Connecting
SCALANCE M826 with SHDSL"
2. When necessary configure the device with the Primary Setup Tool (PST) or DCP
Discovery
3. If applicable, adapt the IP configuration of the PC.
4. Start Web Based Management.
5. Log in to Web Based Management.
6. Configure the SCALANCE M-800.
– Specify device information
– Set the time of day
– Only with the devices SCALANCE M87x and SCALANCE M81x:
Configure access data
– Only with the devices SCALANCE M87x and SCALANCE M81x:
Set up the host name
– Only with the SCALANCE M826 in 4-wire operation:
Configure SHDSL
– Allow access

SCALANCE M-800 Getting Started


12 Getting Started, 07/2017, C79000-G8976-C337-05
Connecting SCALANCE M-800 to WAN
1.2 Setting up the SCALANCE M-800 and the network

1.2 Setting up the SCALANCE M-800 and the network

Note
Note the security instructions in the operating instructions before you commission the device.

Procedure
1. Unpack the SCALANCE M-800 and check the device for damage.
2. Only with with the SCALANCE M87x: Insert the SIM card.
3. Connect the power supply.

WARNING
Use safety extra-low voltage only
The SCALANCE M874 is designed for operation with safety extra-low voltage. This
means that only safety extra-low voltages (SELV) complying with IEC950/EN60950/
VDE0805 can be connected to the power supply terminals.
The power supply unit for the SCALANCE M power supply must meet NEC Class 2,
according to the National Electrical Code(r) (ANSI / NFPA 70).

4. Connect the device to the network. This step depends on the device and the type of
network:
– SCALANCE M87x (mobile wireless network): Mount the antenna.
– SCALANCE M81x (ADSL): Connect the device to the DSL socket on the splitter.
– SCALANCE M826 (SHDSL): Wire X1 with X2, for detailed information refer to the
section "Connecting SCALANCE M826 to SHDSL".
5. Connect an Ethernet port (P1, P2, P3, P4) to the PC.
6. Turn the device on. After connecting up, the fault LED (F) is lit red
7. Now, turn on the PC.

SCALANCE M-800 Getting Started


Getting Started, 07/2017, C79000-G8976-C337-05 13
Connecting SCALANCE M-800 to WAN
1.3 Connecting M826 to SHDSL

1.3 Connecting M826 to SHDSL


The SCALANCE M826 can be operated in two ways:
● 2-wire operation
When supplied, the two SHDSL interfaces are set so that two SCALANCE M826 can be
connected via a point-to-point connection. Interface X1 is configured as CO (Central
Office) and interface X2 a CPE (Customer Premises Equipment).
● 4-wire operation
Both SHDSL interfaces are put together to form a single connection with a higher
transmission rate. The two interfaces X1 and X2 of one device are configured as CO and
the two interfaces X1 and X2 of the other device as CPE.
When supplied the SCALANCE M826 is configured so that there is no distinction between
the internal and external network. The SCALANCE M826 is a transparent bridge and
connects network nodes that are in the same IP subnet.

SCALANCE M-800 Getting Started


14 Getting Started, 07/2017, C79000-G8976-C337-05
Connecting SCALANCE M-800 to WAN
1.3 Connecting M826 to SHDSL

2-wire operation with factory settings (out of the box)

Figure 1-2 The admin PCs represent network nodes that are connected to an Ethernet interface of the relevant SCALANCE
M826. The SCALANCE M826 are connected together via an in-house 2-wire cable.

Settings used

Figure 1-3 Factory settings for the devices of the configuration example.

SCALANCE M-800 Getting Started


Getting Started, 07/2017, C79000-G8976-C337-05 15
Connecting SCALANCE M-800 to WAN
1.3 Connecting M826 to SHDSL

4-wire operation

Figure 1-4 The admin PCs represent network nodes that are connected to an Ethernet interface of
the relevant SCALANCE M826. The two SCALANCE M826 are connected together via
two in-house 2-wire cables.

Settings used

IP address
Subnet mask
Central office M826 192.168.100.1
255.255.255.0
Admin PC 192.168.100.20
255.255.255.0
Station M826 192.168.100.10
255.255.255.0
Admin PC 192.168.100.40
255.255.255.0

SCALANCE M-800 Getting Started


16 Getting Started, 07/2017, C79000-G8976-C337-05
Connecting SCALANCE M-800 to WAN
1.3 Connecting M826 to SHDSL

In routing mode
In this example, three different IP subnets will be interconnected via the SCALANCE M826.
For this connection, there must be a one SHDSL interface of a device in the role of CO and
the other in the role of CPE. Since the SCALANCE M826 devices operate in routing mode,
there is a division into external and internal networks. This means that the SHDSL interfaces
and the Ethernet interfaces are located in different IP subnets. In this mode, the security
functions (IPsec VPN, firewall, NAT/NAPT) are available.

Figure 1-5 SCALANCE M826 in routing mode: The network nodes are in different IP subnets. The SHDSL interfaces are
connected together via in-house 2-wire cables.

Settings used

Interface IP address
Central M826 SHDSL Vlan 2 192.168.184.2
office (external) 255.255.255.0
Ethernet Vlan 1 192.168.100.1
(internal) 255.255.255.0
Admin PC Ethernet 192.168.100.20
(internal) 255.255.255.0
Station 1 M826 SHDSL Vlan 2 192.168.184.22
(external) 255.255.255.0
Ethernet Vlan 1 192.168.11.2
(internal) 255.255.255.0
Admin PC Ethernet 192.168.11.40
(internal) 255.255.255.0

SCALANCE M-800 Getting Started


Getting Started, 07/2017, C79000-G8976-C337-05 17
Connecting SCALANCE M-800 to WAN
1.4 Adapting IP settings

Interface IP address
Station 2 M826 SHDSL Vlan 2 192.168.184.42
(external) 255.255.255.0
Ethernet Vlan 1 192.168.50.2
(internal) 255.255.255.0
Admin PC Ethernet 192.168.50.40
(internal) 255.255.255.0

1.4 Adapting IP settings

Introduction
To ba able to access a SCALANCE M-800 with the Web Based Management, the device
must have an IP address.
You have the following options for assigning an IP address to devices the first time or
changing already assigned IP addresses.
● Primary Setup Tool (PST)
● DCP Discovery (as of firmware version V4.3)

SCALANCE M826
The SCALANCE M826 is supplied without a preset IP address, because for this device there
are applications that require no further configuration (out of the box). In these cases, no
access to the Web Based Management is necessary and therefore no IP address either. The
device will, however, attempt to obtain an IP address from a DHCP server if it is available in
the network. In all other cases, the device must first be assigned an IP address.

SCALANCE M87x and SCALANCE M81x


The devices SCALANCE M87x and SCALANCE M81x are supplied with the following factory
settings:
● IP address: 192.168.1.1
● Subnet mask: 255.255.255.0
If you enter the IP address "192.168.1.1" in the address box of a Web browser on a
connected PC (in the examples called "admin PC"), you come directly to the WBM of the
device. However, a change to the factory settings may be necessary due to address areas
already configured in the existing network.

SCALANCE M-800 Getting Started


18 Getting Started, 07/2017, C79000-G8976-C337-05
Connecting SCALANCE M-800 to WAN
1.4 Adapting IP settings

1.4.1 Configuration with the Primary Setup Tool (PST)

Introduction
The following section describes the procedure when using the PST.

Procedure
1. Start the Primary Setter Tool with "Start > SIMATIC > Primary Setup Tool". If several
network adapters are installed in the PC, select the network adapter connected to the
SCALANCE M-800 in "Settings > Network adapter".
2. Click on the magnifier in the toolbar to start the search. After the search, all devices are
listed that can be configured with the PST.
3. Select the entry for the Ethernet interface of the SCALANCE M-800.
4. Select the option button "Assign IP parameters".
5. Enter the required values in the "IP address" und "subnet mask" boxes.

Figure 1-6 User interface of the Primary Setup Tool

SCALANCE M-800 Getting Started


Getting Started, 07/2017, C79000-G8976-C337-05 19
Connecting SCALANCE M-800 to WAN
1.4 Adapting IP settings

Follow the steps below to transfer the parameter assignment to the device:
1. Select the entry for the SCALANCE M-800.
2. Click on the second button from left ("Download") or select the Module > Download menu
command.

Figure 1-7 Transfer the parameters with the "Download" button

1.4.2 Configuration with DCP Discovery

Introduction
This section describes the procedure when using DCP Discovery.

Requirement
● Firmware version V4.3
● The device to be configured can be found in the plant network of the SCALANCE M-800.
Example: The access point to the network is the SCALANCE M87x. The SCALANCE
M826 device to be configured can be reached via the interface of the SCALANCE M87x.

SCALANCE M-800 Getting Started


20 Getting Started, 07/2017, C79000-G8976-C337-05
Connecting SCALANCE M-800 to WAN
1.5 Starting Web Based Management

Procedure
1. Click "System > DCP Discovery" in the navigation area.
2. Click "Discover" button to start the search. After the search, all devices are listed that can
be reached via the interface.

With the aid of the table you can check the configuration of the devices. The SCALANCE
M826 is supplied without a preset IP address, so it currently has the IP address 0.0.0.0.
3. Enter the required values in the "IP Address" und "Subnet Mask" boxes. The assigned IP
address must match your network and should be unique within the network.
4. Click on "Set Values". The status of the IP address changes from "Discovered" to
"Configured".

SCALANCE M-800 Getting Started


Getting Started, 07/2017, C79000-G8976-C337-05 21
Connecting SCALANCE M-800 to WAN
1.5 Starting Web Based Management

1.5 Starting Web Based Management


Depending on the device and the example shown, the admin PC is assigned the following IP
address:
● SCALANCE M87x and SCALANCE M81x

IP address
Subnet mask
Admin PC 192.168.1.20
255.255.255.0

● SCALANCE M826

IP address
Subnet mask
Admin PC 1 192.168.1.20
255.255.255.0
Admin PC 2 192.168.1.40
255.255.255.0

Procedure
1. On the Admin PC, open the Control Panel with the menu command "Start" > "Control
Panel".
2. Click "Network and Sharing Center" and select the "Change adapter settings" option in
the navigation menu on the left.
3. Right-click on the "LAN Connection" symbol and select the "Properties" menu command.
4. In the "Local Area Connection Properties" dialog, enable the "Internet Protocol Version 4
(TCP/IPv4)" check box.

SCALANCE M-800 Getting Started


22 Getting Started, 07/2017, C79000-G8976-C337-05
Connecting SCALANCE M-800 to WAN
1.5 Starting Web Based Management

5. Enter the values assigned to the admin PC from the table in the relevant boxes.

Note
The IP address used in the following figure for the standard gateway 192.168.1.1 must be
adapted if the factory setting is not used for the IP address of the SCALANCE M-800.

6. Confirm the dialogs with "OK" and close the Control Panel.

SCALANCE M-800 Getting Started


Getting Started, 07/2017, C79000-G8976-C337-05 23
Connecting SCALANCE M-800 to WAN
1.5 Starting Web Based Management

7. Enter the IP address "192.168.1.1" in the address box of the Internet browser.
Access via HTTPS is enabled as default. If you access the device via HTTP, the address
is automatically redirected to HTTPS.
A message relating to the security certificate appears. Acknowledge this message and
continue loading the page.

Note
Information on the security certificate
Because the device can only be administered using encrypted access, it is delivered with
a self-signed certificate. If certificates with signatures that the operating system does not
know are used, a security message is displayed. You can display the certificate.

8. If there is a problem-free connection to the device, the logon page of Web Based
Management (WBM)is displayed.

SCALANCE M-800 Getting Started


24 Getting Started, 07/2017, C79000-G8976-C337-05
Connecting SCALANCE M-800 to WAN
1.6 Logging in to Web Based Management

1.6 Logging in to Web Based Management

Procedure
1. Log in with the user name "admin" and the password "admin". You will be prompted to
change the password.

2. Confirm the dialog. The "Account Passwords" WBM page is opened automatically.

3. Enter the default password "admin" in "Current User Password".


4. For "New Password", enter the new password. The new password must be at least 8
characters long and contain upper case letters, lower case letters, numbers and special
characters.
5. Repeat the new password in "Password Confirmation" as confirmation. The entries must
match.

SCALANCE M-800 Getting Started


Getting Started, 07/2017, C79000-G8976-C337-05 25
Connecting SCALANCE M-800 to WAN
1.7 Specifying device information

6. Click the "Set Values" button.


7. The Basic Wizard starts to support you when configuring the device parameters.

Result
The password for the "admin" user is changed. The changes take immediate effect.

1.7 Specifying device information


To allow better identification of the SCALANCE M-800, specify general device information.

Procedure
1. In the navigation area click on "System > General" and in the content area on the
"Device" tab.
2. In "System Name", enter a name for the device.
3. Enter the contact person responsible for the device in "System Contact".
4. Enter the identifier for the location at which the device is installed in "System Location",
for example the room number.

5. Click the "Set Values" button.

Result
The general device information for the SCALANCE M-800 has been specified.

SCALANCE M-800 Getting Started


26 Getting Started, 07/2017, C79000-G8976-C337-05
Connecting SCALANCE M-800 to WAN
1.8 Setting the time

1.8 Setting the time


The date and time are kept on the SCALANCE M-800 to check the validity (time) of
certificates and for the time stamps of log entries. You can set the system time yourself
manually or have it synchronized automatically with a time server. There are a number of
time servers on the Internet that can be used to obtain the current time precisely. For this
example, the time server is configured using NTP.

Note
Manual time setting - reaction after interrupting the power supply
Note that the time is reset to the factory setting if the power supply is interrupted. On return
of the power, you need to set the system time again. As result, certificates can lose their
validity.
Synchronization using a time server
Synchronization of the system time using a public time server creates additional data traffic
on the connection. This may result in additional costs, depending on your subscriber
contract.

Requirement
● The NTP server is reachable.
● The IP address of the NTP server is known.
For this example, a time server (e.g. 192.53.103.108) of the Physikalisch-Technischen
Bundesanstalt (PTB) in Braunschweig is used (Federal Institute of Physical and
Technical Affairs - metrology institute). As an alternative the Fully Qualified Domain Name
(FQDN) can be specified, for example "pool.ntp.org".

Procedure
1. In the navigation area click on "System > System Time" and in the content area on the
"NTP Client" tab.

SCALANCE M-800 Getting Started


Getting Started, 07/2017, C79000-G8976-C337-05 27
Connecting SCALANCE M-800 to WAN
1.9 Additional configuration steps with the SCALANCE M87x and SCALANCE M81x

2. In "Time zone", enter the local time difference to world time (UTC). For Central European
Summer time (CEST) +02:00.
3. Click "Create". A new entry is created in the table.
4. In "NTP Server Address", enter the IP address 192.53.103.108.
5. If necessary, change the port in "NTP Server Port". As default, 123 is set.
6. In "Poll Interval", enter the interval for synchronization. As default, 64 is set.
7. Enable "NTP Client".
8. Click on "Set Values".

Result
System time using NTP is set. Click "Refresh" to refresh the WBM page.

SCALANCE M-800 Getting Started


28 Getting Started, 07/2017, C79000-G8976-C337-05
Connecting SCALANCE M-800 to WAN
1.9 Additional configuration steps with the SCALANCE M87x and SCALANCE M81x

1.9 Additional configuration steps with the SCALANCE M87x and


SCALANCE M81x

1.9.1 Configuring access parameters for the SCALANCE M87x

Requirement
● The services are enabled, e.g. Internet.
● The following data is available:
– PIN number
– APN
– User name and password for the APN

Enter the PIN number


1. In the navigation area click on "Interfaces" > "Mobile" and in the content area on the
"SIM" tab.
2. In "PIN", enter the PIN number.
3. Activate the mobile network interface.
4. Click on "Set Values".

SCALANCE M-800 Getting Started


Getting Started, 07/2017, C79000-G8976-C337-05 29
Connecting SCALANCE M-800 to WAN
1.9 Additional configuration steps with the SCALANCE M87x and SCALANCE M81x

Configure APN
1. Click on the "Operator" tab in the content area.
2. Specify the access data for the APN.
– If your mobile wireless provider is included in the table, no further configuration is
necessary.
or
– In "Country List", select the country in which the device will be used.
– In "Provider List" select the appropriate mobile wireless provider. If a mobile wireless
provider is listed more than once for a country, select the entry with the PLMNID that
matches the SIM.
or
– If your mobile wireless provider is not included in the table and not in the list of
providers, enable the entry "Manual". When the "Manual" entry is enabled, all other
entries are automatically ignored.
– Complete the boxes PLMNID, Operator Name, APN, User Name (optional), Password
(optional) and Password Confirmation (optional) manually.
– To adopt the entry click on "Create" and "Set Values".

SCALANCE M-800 Getting Started


30 Getting Started, 07/2017, C79000-G8976-C337-05
Connecting SCALANCE M-800 to WAN
1.9 Additional configuration steps with the SCALANCE M87x and SCALANCE M81x

Result
The PIN number and the APN are configured. The M87x4 connects to the mobile wireless
network after approximately 30 seconds. You can check whether or not the connection is
established in "Inforrmation > Mobile > Overview". There the name of your mobile wireless
provider should appear in "Provider". For a functioning connection, the signal strength should
be higher than 104 dBm.

Note
This page provides the option of automatic updating. Click on the symbol with the two arrows
in the upper display area to enable this function.

1.9.2 Configuring access parameters for the SCALANCE M81x

Requirement
● The services are enabled, e.g. Internet.
● The following access data is known from your DSL provider:
– User name and password for ADSL access
– DSL parameter

SCALANCE M-800 Getting Started


Getting Started, 07/2017, C79000-G8976-C337-05 31
Connecting SCALANCE M-800 to WAN
1.9 Additional configuration steps with the SCALANCE M87x and SCALANCE M81x

Configuring ADSL
1. Click "Interfaces" > "DSL" in the navigation area

2. Enable the DSL interface.


3. Disable PPPoE passthrough to set up the access data for the SCALANCE M81x. The
connected devices can use this DSL connection.
If "Enable PPPoE Passthrough" is selected, the access data cannot be configured. In this
case the SCALANCE M81x is used as a modem. Each individual connected device
sends its access data to the SCALANCE M81x and establishes its own Internet
connection.
4. Enter the user name and the password for the ADSL access.
5. Enter the settings for VCI / VPI. You will receive the settings from your DSL provider.
6. In "Encapsulation" select the required protocol.
7. Click on "Set Values".

SCALANCE M-800 Getting Started


32 Getting Started, 07/2017, C79000-G8976-C337-05
Connecting SCALANCE M-800 to WAN
1.9 Additional configuration steps with the SCALANCE M87x and SCALANCE M81x

Result
The DSL connection is set up. The device connects to the Internet after approximately 30
seconds. You can check whether or not the connection is established in "Information" >
"Start Page".

SCALANCE M-800 Getting Started


Getting Started, 07/2017, C79000-G8976-C337-05 33
Connecting SCALANCE M-800 to WAN
1.9 Additional configuration steps with the SCALANCE M87x and SCALANCE M81x

You will find more detailed information on the connection in "Information" > "DSL".

1.9.3 Setting up the DDNS hostname


DDNS stands for "dynamic domain name system". If you log the SCALANCE M-800 on to a
DDNS service, the device can be reached from the external network under a hostname, e.g.
"example.no-ip.com".
The DNS server of the DDNS service manages the assignment of IP address to hostname.
The client informs the DNS server of its currently assigned IP address. The DNS name
server registers the current hostname - IP address assignment and passes this on to other
domain name servers in the Internet. This means that the SCALANCE M-800 can always be
reached using its hostname.

Requirement
● User name and password that give you the right to use the DDNS service.
● Registered hostname, e.g. example.no-ip.com

Procedure
1. Click on "System > "DNS" in the navigation area and on the "DDNS Client" tab in the
content area.
2.
3. In "Host", enter the hostname that you have agreed with your DDNS provider for the
device, e.g. example.no-ip.com.
4. For "User name", enter the user data and for "Password / Password Confirmation" the
password that allows you to use the DDNS service. Your DDNS provider will give you this
information.

SCALANCE M-800 Getting Started


34 Getting Started, 07/2017, C79000-G8976-C337-05
Connecting SCALANCE M-800 to WAN
1.10 Additional steps in configuration with the SCALANCE M826 in 4-wire operation

5. Select the appropriate check box in the "enabled" column for one of the two services "No-
IP" or "DynDNS".

6. Click on "Set Values".

Result
The DDNS client is activated. The DDNS client on the SCALANCE M-800 synchronizes the
assigned IP address with the hostname registered in the DDNS service.

1.10 Additional steps in configuration with the SCALANCE M826 in 4-


wire operation

1.10.1 Configuring SHDSL

Procedure
1. In the navigation area click "Interfaces" > "SHDSL" > "Configuration".
2. For "Port-Type" leave "Switch-Port VLAN Hybrid" enabled.
3. Specify the role of the interfaces. The two interfaces need to have the same role on both
devices.

M826 in the X1 Central Office (CO)


master X2 Central Office (CO)
station
M826 in the X1 Customer Premises Equipment (CPE)
station X2 Customer Premises Equipment (CPE)

4. For "Predefined Profile", select "Reliability". The following parameters are set
automatically.

SCALANCE M-800 Getting Started


Getting Started, 07/2017, C79000-G8976-C337-05 35
Connecting SCALANCE M-800 to WAN
1.10 Additional steps in configuration with the SCALANCE M826 in 4-wire operation

5. Click on "Set Values".

6. In the navigation area click "Interfaces" > "SHDSL" > "Overview".


7. Enable the PME aggregation function.
When enabled, the SHDSL interfaces or the 2-wire cables are put together to form a
single connection with a higher transmission rate.
8. Click on "Set Values".

SCALANCE M-800 Getting Started


36 Getting Started, 07/2017, C79000-G8976-C337-05
Connecting SCALANCE M-800 to WAN
1.11 Additional steps in configuration with the SCALANCE M826 in routing mode

Result
The SHDSL connection is set up. The devices negotiate the connection parameters. This
means that the devices use the transmission rate at which the data can be sent and received
reliably.

1.11 Additional steps in configuration with the SCALANCE M826 in


routing mode

1.11.1 Creating IP subnet


In routing mode, the interfaces are handled differently.
● Ethernet interface: Connection of the internal IP subnet (vlan 1)
● SHDSL interface: Connection of the external IP subnet (vlan 2)
The Ethernet interface or internal IP subnet has already been configured with the PST. For
this configuration example, only the IP subnet for the SHDSL interface or for the external IP
subnet needs to be configured. The same steps need to be taken on all devices.

Procedure
1. Click on "Layer 3 > Subnetsin the navigation area and on the "Configuration" tab in the
content area.
2. For "Interface (Name)" select the entry "vlan2".
3. For "Interface Name" you can enter a name.
4. Enter the value assigned to the M826 from the "Settings used (Page 14)" table.
5. Click on "Set Values".

SCALANCE M-800 Getting Started


Getting Started, 07/2017, C79000-G8976-C337-05 37
Connecting SCALANCE M-800 to WAN
1.11 Additional steps in configuration with the SCALANCE M826 in routing mode

Result
The IP subnets have been created. The IP subnets are displayed in the "Overview" tab.

1.11.2 Configuring routes


The master station and the stations are in different IP subnets. To allow the master station to
communicate with the stations, the appropriate routes need to be created on the M826.

M826 in the master station: Configuring routes


1. Click "Layer 3 > Static Routes" in the navigation area.
2. Configure the routes with the following settings:
– Route to station 1

Destination Network 192.168.11.0


Subnet Mask 255.255.255.0
Gateway 192.168.184.22
external IP address of the M826 in station 1
Administrative Distance -1

– Route to station 2

Destination Network 192.168.50.0


Subnet Mask 255.255.255.0
Gateway 192.168.184.42
external IP address of the M826 in station 2
Administrative Distance -1

SCALANCE M-800 Getting Started


38 Getting Started, 07/2017, C79000-G8976-C337-05
Connecting SCALANCE M-800 to WAN
1.12 Allow access

3. When you have entered the values, click "Create".


4. To update the display, click "Refresh".

M826 in the stations: Configuring routes


1. Click "Layer 3 > Static Routes" in the navigation area.
2. Configure the route to the master station with the following settings:

Destination Network 192.168.100.0


Subnet Mask 255.255.255.0
Gateway 192.168.184.2
external IP address of the M826 in the master
station
Administrative Distance -1

3. When you have entered the values, click "Create".


4. To update the display, click "Refresh".

Result
The routes have been created. The SCALANCE M826 in the master station can
communicate with the stations.
Using the ping function, the communications connection can be tested. For example, can the
Admin PC in station 1 be reached by the Admin PC in the master station?

SCALANCE M-800 Getting Started


Getting Started, 07/2017, C79000-G8976-C337-05 39
Connecting SCALANCE M-800 to WAN
1.12 Allow access

1.12 Allow access


The firewall is enabled as default. The following access is nor allowed:
● Access from internal to external.
● Access from external to internal.
● Data exchange between different internal VLANs.
● Data exchange with the device from different zones.
You have the following options for allowing access:
● Allow globally
The predefined firewall rules specify which of the zones (VLAN1, VLAN2, ... or PPP) may
access which services of the SCALANCE M-800. With predefined rules it is possible to
permit data exchange between the zones (internal VLAN1 to external PPP0). The firewall
rule for the opposite direction is permitted by stateful packet inspection.
● Allow certain services
Here, you define firewall rules that allow individual services for a single node or all
services for the node for access to the station or network.
In this example, configure the firewall rules that only allow the device with IP address
192.168.100.10 access to the entire Internet. For the access, the services HTTP (TCP
port 80) and DNS (UDP port 53) are required.

Predefined rules
1. Click on "Security > Firewall" in the navigation area and on the "Predefined IPv4" tab in
the content area.
2. Click on "Set Values".

Allow Internet access for a certain device and a certain service (HTTP)
Create HTTP and DNS services
1. Click on "Security" > "Firewall" in the navigation area and on the "IP Services" tab in the
content area.
2. As the service name, enter e.g. "HTTP" and click "Create". A new entry is created in the
table.

SCALANCE M-800 Getting Started


40 Getting Started, 07/2017, C79000-G8976-C337-05
Connecting SCALANCE M-800 to WAN
1.12 Allow access

3. Configure HTTP with the following settings:

Transportation TCP
Destination Port (Range) 80
(standard port)

4. Click on "Set Values".


5. A new entry is created in the table.
6. As the service name, enter e.g. "DNS" and click "Create". A new entry is created in the
table.
7. Configure DNS with the following settings:

Transportation UDP
Destination Port (Range) 53
(standard port)

8. Click on "Set Values".

Only allow the IP service for a specific device


1. Click on "Security" > "Firewall" in the navigation area and on the "IP Rules" tab in the
content area.
2. Click "Create". A new entry is created in the table.
3. Configure the firewall rule for HTTP with the following settings:

Action Accept
From vlan1 (INT)
To ppp0 or usb0
Source (Range) 192.168.100.10 (the required device)
Destination (Range) 0.0.0.0/0 (all addresses)
Service HTTP

4. Click on "Set Values".

SCALANCE M-800 Getting Started


Getting Started, 07/2017, C79000-G8976-C337-05 41
Connecting SCALANCE M-800 to WAN
1.12 Allow access

5. Click "Create". A new entry is created in the table.


6. Configure the firewall rule for DNS with the following settings:

Action Accept
From vlan1 (INT)
To ppp0 or usb0
Source (Range) 192.168.100.10 (the required device)
Destination (Range) 0.0.0.0/0 (all addresses)
Service DNS

7. Click on "Set Values".

Allow an internal node access to the Internet


1. Click on "Security" > "Firewall" in the navigation area and on the "IP Rules" tab in the
content area.
2. Click "Create". A new entry is created in the table.
3. Configure the firewall rule for HTTP with the following settings:

Action Accept
From vlan1 (INT)
To ppp0 or usb0 (depending on the device)
Source (Range) 0.0.0.0/0 (all addresses)
Destination (Range) 0.0.0.0/0 (all addresses)
Service all

4. Click on "Set Values".

SCALANCE M-800 Getting Started


42 Getting Started, 07/2017, C79000-G8976-C337-05
SCALANCE M-800 as DHCP server 2
If you want to use the device to manage the network configuration, you can use the device
as a DHCP server. This allows IP addresses to be assigned automatically to the devices
connected to the internal network.
In this example, both static and dynamic IP address assignments are configured.

Note
DHCP client and DHCP server
The device can either be only a DHCP client or only a DHCP server.

SCALANCE M-800 as DHCP server

Required devices/components
● SCALANCE M-800 as DHCP server
1 x M874, 1 x M812 or M816 (optionally also: a suitably installed standard rail with
fittings)
● 1 x 24 V power supply with cable connector and terminal block plug
● 1 x PC with which the SCALANCE M-800 is connected.
● The required network cable, TP cable (twisted pair) complying with the IE FC RJ-45
standard for Industrial Ethernet

SCALANCE M-800 Getting Started


Getting Started, 07/2017, C79000-G8976-C337-05 43
SCALANCE M-800 as DHCP server
2.1 Configuring dynamic IP address assignment

Setting used
In the configuration example, the SCALANCE M-800 has the following IP address setting:
● IP address 192.168.100.1
● Subnet mask: 255.255.255.0

Requirement
● The SCALANCE M-800 can be reached via the admin PC and you are logged in to the
WBM as "admin".

Steps in configuration
1. Configuring dynamic IP address assignment (Page 44)
2. Specifying DHCP options (Page 45)
3. Configuring static IP address assignment (Page 47)

2.1 Configuring dynamic IP address assignment


The devices whose MAC address or whose client ID was not specified specifically, are
assigned a random IP address from a specified address range.

Procedure
1. Click on "System" > "DHCP" in the navigation area and on the "DHCP Server" tab in the
content area.

2. Click "Create". A new row with a unique number (pool ID) is created in the table.
3. Enter the network address range in "Subnet". Since the device being used is operating
both as a gateway and a DNS relay, the IP address 192.168.100.1 must be in the
network address range. In this example the network address: 192.168.100.0/24 (=
192.168.100.0 / 255.255.255.0) is used.

SCALANCE M-800 Getting Started


44 Getting Started, 07/2017, C79000-G8976-C337-05
SCALANCE M-800 as DHCP server
2.2 Specifying DHCP options

4. In "Lower IP Address", enter the IP address 192.168.100.20 that specifies the start of the
dynamic address band and that is located within the network address range.
5. In "Upper IP Address", enter the IP address 192.168.100.120 that specifies the end of the
dynamic address band and that is located within the network address range.
6. Click on "Set Values".
7. To activate the DHCP server, select "DHCP Server".
8. Enable "Probe address with ICMP echo before offer" to enable the ping function. With this
ping, the DHCP server checks whether or not the IP address has already been assigned.
9. To enable the configured DHCP pool, select the check box in the "Enable" column.
10.Click on "Set Values".

Result
The DHCP server can assign up to 100 IP addresses from a set address band. This is only
possible if the connected devices are configured so that they obtain the IP address from a
DHCP server.

2.2 Specifying DHCP options


Further information can be transferred to the DHCP client using DHCP options. The various
DHCP options are defined in RFC 2132.
The DHCP options 1, 3, 6, 66 and 67 are created automatically when the IPv4 address band
is created. With the exception of option 1, the options can be deleted.

SCALANCE M-800 Getting Started


Getting Started, 07/2017, C79000-G8976-C337-05 45
SCALANCE M-800 as DHCP server
2.2 Specifying DHCP options

In this example, the following DHCP options are created.

DHCP option Information contained


1 Netmask The subnet mask to match the IP address
For this example the subnet mask is: 255.255.255.0
3 Default gateway IP address of the default gateway
Without this information, the DHCP client is only assigned an
IP address by the DHCP server and it can only communicate
with the nodes in the internal network.
6 DNS server IP address of the DNS server
Without this information, the DHCP client is not automatically
assigned a DNS server. To allow name resolution, a DNS
server must be known to the DHCP client. This can also be
configured manually.
66 TFTP server TFTP Server Address
This informs the DHCP client of the TFTP server to which it will
connect.
67 Bootfile Name The DHCP client uses this file when it boots.

Procedure
1. Click on "System > "DHCP" in the navigation area and on the "DHCP Options" tab in the
content area.

2. Enable "Use Interface IP" for the DHCP options 3 and 6. Click on "Set Values". The IP
address of the device is entered automatically as the value.
3. Enter "42" in "Option Code".
4. Click "Create". A new row is created in the table.
5. In "Value", enter the IP address of the NTP server.
6. Click on "Set Values".

SCALANCE M-800 Getting Started


46 Getting Started, 07/2017, C79000-G8976-C337-05
SCALANCE M-800 as DHCP server
2.3 Configuring static IP address assignment

Result

The DHCP options are configured. If a DHCP client requests an IP address, in addition to
the host IP address, it also receives the information entered in the DHCP options.

See also
Configuring static IP address assignment (Page 47)

2.3 Configuring static IP address assignment


For nodes in permanent operation, static IP address assignment should be preferred, for
example for a local NTP server. The IP address of the NTP server is used in the DHCP
option.
As long as the NTP server can be reached at the same IP address, the DHCP option will
work correctly. If the IP address changes, the DHCP option contains incorrect information.
For the example, the IP address is assigned to the MAC address of the NTP server. This
means that the NTP server always has the same IP address.
In this configuration example, the NTP server can be reached with the following IP address
setting:

IP address Subnet mask


192.168.100.87 255.255.255.0

Requirement
● The NTP server obtains the IP address from a DHCP server and identification is based
on the MAC address.

SCALANCE M-800 Getting Started


Getting Started, 07/2017, C79000-G8976-C337-05 47
SCALANCE M-800 as DHCP server
2.3 Configuring static IP address assignment

Procedure
1. Click on "System > "DHCP" in the navigation area and on the "Static Leases" tab in the
content area.

2. For "Pool ID", select "1".


3. For "Identification Method" select the entry "Ethernet MAC".
4. In "Value", enter the MAC address of the NTP server.
5. Click "Create". A new row is created in the table.
6. In "IP Address", enter the IP address of the NTP server.
7. Click on "Set Values".

Result
The NTP server always has the IP address 192.168.100.87.

SCALANCE M-800 Getting Started


48 Getting Started, 07/2017, C79000-G8976-C337-05
VPN tunnel between SCALANCE M-800
and S612 3
3.1 Procedure in principle
In these examples, a secure VPN tunnel is configured between a SCALANCE M-800 and a
SCALANCE S.
● Example 1: Secure VPN tunnel with pre-shared keys (PSK)
● Example 2: Secure VPN tunnel with certificates

Structure

Internal network 1 - connection to SCALANCE M-800


● In the test setup, in the internal network, a network node is implemented by an Admin PC
connected to an Ethernet interface of the SCALANCE M-800.
– Admin PC: Represents a node in the internal network
– M-800: SCALANCE M module for protection of the internal network
● Connection to the external, public network:
– Wireless via the antenna of the M874 to the mobile wireless network.
– Wired via the RJ-45 jack of the M81x to ADSL.

SCALANCE M-800 Getting Started


Getting Started, 07/2017, C79000-G8976-C337-05 49
VPN tunnel between SCALANCE M-800 and S612
3.1 Procedure in principle

Internal network 2 - attachment to an internal port of the SCALANCE S


● In the test setup, in the internal network, each network node is implemented by one PC
connected to the internal port of the security module.
– PC: Represents a node in the internal network
– S612: Security module for protection of the internal network
● Connection to the external, public network via DSL router
Access to the Internet is via a DSL modem or a DSL router connected to the external port
of the security module.

Required devices/components
Use the following components for setup:
● Connection to the mobile wireless network
– 1 x M874 (additional option: a suitably installed standard rail with fittings)
– 1 x 24 V power supply with cable connector and terminal block plug
– 1 x suitable antenna
– 1 x SIM card of your mobile wireless provider. Suitable services are enabled, e.g.
Internet.
● Connecting to ADSL
– 1 x M812 or 1 x M816 (optionally also: a suitably installed standard rail with fittings)
– 1 x 24 V power supply with cable connector and terminal block plug
– ADSL access is enabled
● 1 x SCALANCE S612, (additional option: a suitably installed DIN rail with fittings)
● 1 x 24 V power supply with cable connector and terminal block plug
● 1 x PC with which the SCALANCE M-800 is connected.
● 1 x PC with which the SCALANCE S612 is connected and on which the "Security
Configuration Tool" is installed.
● 1 x DSL modem or DSL router
● The required network cable, TP cable (twisted pair) complying with the IE FC RJ-45
standard for Industrial Ethernet

SCALANCE M-800 Getting Started


50 Getting Started, 07/2017, C79000-G8976-C337-05
VPN tunnel between SCALANCE M-800 and S612
3.1 Procedure in principle

Settings used
For the configuration example, the devices are given the following IP address settings

Internal address External address


Internal network M-800 192.168.100.1 Fixed IP address, e.g. 90.90.90.90
1 255.255.255.0 Provider dependent
As an alternative, the DDNS hostna-
me can also be used.
Admin PC 192.168.100.20
255.255.255.0
Internal network DSL router 192.168.184.254 Fixed IP address (WAN IP address),
2 255.255.255.0 e.g. 91.19.6.84
S612 Internal port External port
192.168.11.2 192.168.184.2
255.255.255.0 255.255.255.0
PC 192.168.11.100
255.255.255.0

Requirement
● SCALANCE S612 is connected to the Internet via the DSL router.
On the DSL router, the PORT forwarding must be set so that the UDP packets from the
Internet addressed to ports 500 and 4500 of the router are sent to ports 500 and 4500 of
the connected SCALANCE S612 (passive module).
● The SCALANCE M-800 is connected to the WAN , refer to "Connecting SCALANCE M-
800 to the WAN (Page 11)".
● The SCALANCE M-800 can be reached via the Admin PC and you are logged in to the
WBM as "admin".

Steps in configuration
Example 1: Secure VPN tunnel with PSK
Configuring a VPN tunnel with the SCT V3.x
1. Creating the project and modules (Page 53)
2. Configuring a tunnel connection (Page 55)
3. Configuring the properties of the S612 (Page 57)
4. Downloading the configuration to the S612 and saving the M-800 configuration (Page 58)
Configuring a VPN tunnel with the SCT V4.x
1. Creating the project and modules (Page 60)
2. Configuring a tunnel connection (Page 63)
3. Configuring the properties of the S612 (Page 64)
4. Downloading the configuration to the S612 and saving the M-800 configuration (Page 65)

SCALANCE M-800 Getting Started


Getting Started, 07/2017, C79000-G8976-C337-05 51
VPN tunnel between SCALANCE M-800 and S612
3.1 Procedure in principle

Configuring the SCALANCE M-800


1. Activating VPN (Page 66)
2. Configuring the VPN remote end (Page 66)
3. Configuring a VPN connection (Page 67)
4. Configuring VPN authentication (Page 68)
5. Configuring phase 1 and phase 2 (Page 68)
6. Establishing the VPN connection (Page 70)
Example 2: Secure VPN tunnel with certificates
Configuring a VPN tunnel with the SCT V3.x
1. Creating the project and modules (Page 71)
2. Configuring a tunnel connection (Page 73)
3. Configuring the properties of the S612 (Page 75)
4. Downloading the configuration to the S612 and saving the M-800 configuration (Page 76)
Configuring a VPN tunnel with the SCT V4.x
1. Creating the project and modules (Page 78)
2. Configuring a tunnel connection (Page 81)
3. Configuring the properties of the S612 (Page 82)
4. Downloading the configuration to the S612 and saving the M-800 configuration (Page 83)
Configuring the SCALANCE M-800
1. Loading a certificate (Page 84)
2. Activating VPN (Page 90)
3. Configuring the VPN remote end (Page 86)
4. Configuring a VPN connection (Page 87)
5. Configuring VPN authentication (Page 88)
6. Configuring phase 1 and phase 2 (Page 88)
7. Establishing the VPN connection (Page 90)

SCALANCE M-800 Getting Started


52 Getting Started, 07/2017, C79000-G8976-C337-05
VPN tunnel between SCALANCE M-800 and S612
3.2 Secure VPN tunnel with PSK

3.2 Secure VPN tunnel with PSK

3.2.1 Configuring a VPN tunnel with the SCT V3.x

3.2.1.1 Creating the project and modules

Procedure
1. Start the Security Configuration Tool V3.x on the PC.
2. Select the menu command "Project" > "New".
3. In the dialog that follows, create a new user with a user name and the corresponding
password. The "administrator" role is assigned to the user automatically.
4. Confirm the dialog with "OK". A new project has been created and the "Selection of a
module or software configuration" dialog is open.

SCALANCE M-800 Getting Started


Getting Started, 07/2017, C79000-G8976-C337-05 53
VPN tunnel between SCALANCE M-800 and S612
3.2 Secure VPN tunnel with PSK

5. Enter the values assigned to the S612 from the "Settings used (Page 49)" table. In
addition to this, enter the MAC address printed on the front of the security module

6. Close the dialog with "OK".


7. Generate a second module with the "Insert" > "Module" menu command

SCALANCE M-800 Getting Started


54 Getting Started, 07/2017, C79000-G8976-C337-05
VPN tunnel between SCALANCE M-800 and S612
3.2 Secure VPN tunnel with PSK

8. Enter the values assigned to the M-800 from the "Settings used (Page 49)" table.

9. Close the dialog with "OK".

Result
The security module S612 and the SCALANCE M-800 will then be displayed in the list of
configured modules.

3.2.1.2 Configuring a tunnel connection


A VPN tunnel for secure communication can only be established if the SCALANCE M-800
and the S612 are assigned to the same VPN group.

SCALANCE M-800 Getting Started


Getting Started, 07/2017, C79000-G8976-C337-05 55
VPN tunnel between SCALANCE M-800 and S612
3.2 Secure VPN tunnel with PSK

Procedure
1. Select "VPN groups" in the navigation area and create a new group with the menu
command "Insert" > "Group". The group is automatically given the name "Group1".
2. Select the "All modules" entry in the navigation area.
3. Select the M-800 and the S612 in the content area. Drag the modules to "Group1". Both
modules are now assigned to "Group1".
4. Change to advanced mode with the menu command "View" > "Advanced mode".
5. Open the group properties of Group1 by selecting the "Properties ..." shortcut menu.
6. For this configuration example, configure the group properties with the following settings.

If you use different parameter settings, it is possible that the two tunnel partners will not
be able to set up a VPN connection between them.

Result
The configuration of the tunnel connection is complete.

SCALANCE M-800 Getting Started


56 Getting Started, 07/2017, C79000-G8976-C337-05
VPN tunnel between SCALANCE M-800 and S612
3.2 Secure VPN tunnel with PSK

3.2.1.3 Configuring the properties of the S612


Since the S612 is connected to the Internet via a DSL router, the properties of the S612
must be configured accordingly.

Procedure
1. Select the "S612" in the content area.
2. Select the menu command "Edit" > "Properties". Click the "Routing" tab.
3. For "Default router", enter the internal IP address of the default router "192.168.184.254".
Click "Apply"

4. Click the "VPN" tab.


5. For "Permission to initiate connection establishment", select the "Wait for partner
(responder)" entry.
6. Enter the WAN IP address of the DSL router, e.g. 91.19.6.84

7. Click "Apply" and close the dialog with "OK".


8. Select the "Project" > "Save" menu command. Save the security project under the
required name.

SCALANCE M-800 Getting Started


Getting Started, 07/2017, C79000-G8976-C337-05 57
VPN tunnel between SCALANCE M-800 and S612
3.2 Secure VPN tunnel with PSK

Result
The security project is configured. The settings are saved in the configuration file:

3.2.1.4 Downloading the configuration to the S612 and saving the M-800 configuration

Downloading the configuration to the S612


1. In the content area, select the "S612" security module and select the menu command
"Transfer" > "To module(s) …". The following dialog opens.

2. Click the "Start" button to start the download.


If the download was completed free of errors, the security module is restarted
automatically and the new configuration activated.

Saving the SCALANCE M-800 configuration


1. In the content area, select the "M-800" and select the menu command "Transfer" > "To
module(s) …".
2. Save the configuration file "Projectname.M-800.txt" in your project directory.

Result
The following file will be saved in the project directory:
● Configuration file: projectname.M-800.txt
The configuration file contains the exported configuration information for the SCALANCE M-
800.

Configuration file Settings in WBM


IPsec VPN > Connections > VPN Standard Mode - Security > IPsec VPN > Remote End > Remote Mode: Standard
Edit Settings
Address of the remote site's VPN gateway: Security > IPsec VPN > Remote End > Remote Address:
91.19.6.84 91.19.6.84/32
Authentication method: Pre Shared Key Security > IPsec VPN > Authentication > Authentication: PSK

SCALANCE M-800 Getting Started


58 Getting Started, 07/2017, C79000-G8976-C337-05
VPN tunnel between SCALANCE M-800 and S612
3.2 Secure VPN tunnel with PSK

Configuration file Settings in WBM


Pre Shared Key: 12345678 Security > IPsec VPN > Authentication > PSK and PSK Confirmati-
on: 12345678
Remote ID: U28098881@GEA32 Security > IPSec VPN > Authentication > Remote ID:
not required.
The external IP address of the S612 is entered in the WBM. In this
example, this is 192.168.184.2
Local ID: U269159D5@GEA32 Security > IPSec VPN > Authentication > Local ID
not required. The entry remains empty in the WBM.
Remote net address: 192.168.184.0 Security > IPSec VPN > Remote End > Remote Subnet:
Remote subnet mask: 255.255.255.0 192.168.184.0/24
Local net address: 192.168.100.0 Security > IPSec VPN > Connections > Local Subnet:
Local subnet mask: 255.255.255.0 192.168.100.0/24

IPsec VPN > Connections > Edit IKE Security > IPsec VPN > Connections > Keying Protocol: IKEv1
Phase 1 - ISAKMP SA --
ISAKMP-SA encryption: 3DES-168 Security > IPsec VPN > Phase 1 > Encryption: 3DES
ISAKMP-SA hash: SHA-1 Security > IPsec VPN > Phase 1 > Authentication: SHA-1
ISAKMP-SA mode: Main mode --
ISAKMP-SA lifetime (seconds): 86400 Security > IPsec VPN > Phase 1 > Lifetime [min]: 1440
The value is specified in seconds in the text file. In
the WBM, the value must be entered in minutes.

Phase 2 - IPSec SA --
IPsec SA encryption: 3DES-168 Security > IPsec VPN > Phase 2 > Encryption: 3DES
IPsec SA hash: SHA-1 Security > IPsec VPN > Phase 2 > Authentication: SHA-1
IPsec SA lifetime (seconds): 86400 Security > IPsec VPN > Phase 2 > Life Time [min]: 1440
The value is specified in seconds in the text file. In
the WBM, the value must be entered in minutes.
Perfect Forward Secrecy (PFS): Nein --

DH/PFS group: DH-2 1024 Security > IPsec VPN > Phase 1 > Key Derivation: DH group 2
Security > IPsec VPN > Phase 2 > Key Derivation: DH group 2
NAT-T: On --
DPD delay (seconds): 150 --
DPD timeout (seconds): 60 Security > IPsec VPN > Phase 1 > DPD Timeout [sec]: 60
DPD maximum failures: 5 --

SCALANCE M-800 Getting Started


Getting Started, 07/2017, C79000-G8976-C337-05 59
VPN tunnel between SCALANCE M-800 and S612
3.2 Secure VPN tunnel with PSK

3.2.2 Configuring a VPN tunnel with the SCT V4.x

3.2.2.1 Creating the project and modules

Procedure
1. Start the Security Configuration Tool V4.x on the PC.
2. Select the menu command "Project" > "New".
3. In the dialog that follows, create a new user with a user name and the corresponding
password. The "administrator" role is assigned to the user automatically.
4. Confirm the dialog with "OK". A new project has been created and the "Selection of a
module or software configuration" dialog is open.

SCALANCE M-800 Getting Started


60 Getting Started, 07/2017, C79000-G8976-C337-05
VPN tunnel between SCALANCE M-800 and S612
3.2 Secure VPN tunnel with PSK

5. Enter the values assigned to the S612 from the "Settings used (Page 49)" table. In
addition to this, enter the MAC address printed on the front of the security module

6. Close the dialog with "OK".


7. Generate a second module with the "Insert" > "Module" menu command

SCALANCE M-800 Getting Started


Getting Started, 07/2017, C79000-G8976-C337-05 61
VPN tunnel between SCALANCE M-800 and S612
3.2 Secure VPN tunnel with PSK

8. Enter the values assigned to the M-800 from the "Settings used (Page 49)" table.

9. Close the dialog with "OK".

Result
The security module S612 and the SCALANCE M-800 will then be displayed in the list of
configured modules.

SCALANCE M-800 Getting Started


62 Getting Started, 07/2017, C79000-G8976-C337-05
VPN tunnel between SCALANCE M-800 and S612
3.2 Secure VPN tunnel with PSK

3.2.2.2 Configuring a tunnel connection


A VPN tunnel for secure communication can only be established if the M-800 and the S612
are assigned to the same VPN group.

Procedure
1. Select "VPN groups" in the navigation area and create a new group with the menu
command "Insert" > "Group". The group is automatically given the name "Group1".
2. Select the "All modules" entry in the navigation panel.
3. Select the SCALANCE M-800 and the S612 in the content area. Drag the modules to
"Group1". Both modules are now assigned to "Group1".
4. Change to advanced mode with the menu command "View" > "Advanced mode".
5. Open the group properties of Group1 by selecting the "Properties ..." shortcut menu.
6. For this configuration example, configure the group properties with the following settings.

If you use different parameter settings, it is possible that the two tunnel partners will not
be able to set up a VPN connection between them.

SCALANCE M-800 Getting Started


Getting Started, 07/2017, C79000-G8976-C337-05 63
VPN tunnel between SCALANCE M-800 and S612
3.2 Secure VPN tunnel with PSK

Result
The configuration of the tunnel connection is complete.

3.2.2.3 Configuring the properties of the S612


Since the S612 is connected to the Internet via a DSL router, the properties of the S612
must be configured accordingly.

Procedure
1. Select the "S612" in the content area.
2. Select the menu command "Edit" > "Properties". Click the "Routing" tab.
3. For "Default router", enter the internal IP address of the default router "192.168.184.254".
Click "Apply"

4. Click the "VPN" tab.


5. For "Permission to initiate connection establishment", select the "Wait for partner
(responder)" entry.
6. Enter the WAN IP address of the DSL router, e.g. 91.19.6.84

SCALANCE M-800 Getting Started


64 Getting Started, 07/2017, C79000-G8976-C337-05
VPN tunnel between SCALANCE M-800 and S612
3.2 Secure VPN tunnel with PSK

7. Click "Apply" and close the dialog with "OK".


8. Select the menu command "Project" > "Save". Save the security project under the
required name.

Result
The security project is configured. The settings are saved in the configuration file.

3.2.2.4 Downloading the configuration to the S612 and saving the M-800 configuration

Downloading the configuration to the S612


1. In the content area, select the "S612" security module and select the menu command
"Transfer" > "To module(s) …". The following dialog opens.

2. Click the "Start" button to start the download.


If the download was completed free of errors, the security module is restarted
automatically and the new configuration activated.

Saving the SCALANCE M-800 configuration


1. In the content area, select the SCALANCE M-800 and select the menu command
"Transfer" > "To module(s) …".
2. Save the configuration file "Projectname.M-800.txt" in your project directory.

Result
The following file will be saved in the project directory:
● Configuration file: projectname.M-800.txt
The configuration file contains the exported configuration information for the SCALANCE M-
800. Follow the instructions in the configuration file.

SCALANCE M-800 Getting Started


Getting Started, 07/2017, C79000-G8976-C337-05 65
VPN tunnel between SCALANCE M-800 and S612
3.2 Secure VPN tunnel with PSK

3.2.3 Configuring SCALANCE M-800

3.2.3.1 Activating VPN

Procedure
1. Click on "Security" > "IPsec VPN" in the navigation area and on the "General" tab in the
content area.
2. Enable the "IPsec VPN" setting.

3. Click on "Set Values".

3.2.3.2 Configuring the VPN remote end

M81x in the master station: Configuring the VPN remote end


1. Click on "Security" > "IPsec VPN" in the navigation area and on the "Remote End" tab in
the content area.
2. Enter the name of the VPN partner (tunnel endpoint) in "Remote End Name", e.g. S612.
3. Click "Create". A new row is created in the table.
4. Configure the VPN remote end with the following settings from the configuration file:

Remote Mode Standard


Remote Type Manual
Remote Address 91.19.6.84/32
WAN IP address of the DSL router
Remote Subnet 192.168.11.0/24

SCALANCE M-800 Getting Started


66 Getting Started, 07/2017, C79000-G8976-C337-05
VPN tunnel between SCALANCE M-800 and S612
3.2 Secure VPN tunnel with PSK

5. Click on "Set Values".

3.2.3.3 Configuring a VPN connection

Requirement
● The VPN remote end has been created.

Procedure
1. Click on "Security" > "IPsec VPN" in the navigation area and on the "Connections" tab in
the content area.
2. In "Connection Name" enter a name for the VPN connection.
3. Click "Create". A new row is created in the table.
4. Configure the VPN connection with the following settings:

Operation Disabled
Keying Protocol IKEv1
Remote End S612
Name of the VPN remote station
Local Subnet 192.168.100.0/24
The local subnet 1 in CIDR notation.

5. Click on "Set Values".

SCALANCE M-800 Getting Started


Getting Started, 07/2017, C79000-G8976-C337-05 67
VPN tunnel between SCALANCE M-800 and S612
3.2 Secure VPN tunnel with PSK

3.2.3.4 Configuring VPN authentication

Procedure
1. Click on "Security" > "IPsec VPN" in the navigation area and on the "Authentication" tab
in the content area.
2. Configure the VPN authentication with the following settings:

Authentication PSK
Local ID no entry necessary
Remote ID External IP address of the S612, e.g. 162.168.184.2
PSK / PSK Confirmation 12345678
The key that you configured in the SCT.

3. Click on "Set Values".

3.2.3.5 Configuring phase 1 and phase 2

Configuring phase 1
1. Click on "Security" > "IPsec VPN" in the navigation area and on the "Phase 1" tab in the
content area.
2. Deselect the "Default Ciphers" check box.
3. Select the "DPD" check box.
4. Configure phase 1 with the following settings from the configuration file:

Encryption 3DES
Authentication SHA1
Key Derivation DH group 2
Lifetime [min]: 1440
DPD Period [sec] 60
Aggressive Mode no

SCALANCE M-800 Getting Started


68 Getting Started, 07/2017, C79000-G8976-C337-05
VPN tunnel between SCALANCE M-800 and S612
3.2 Secure VPN tunnel with PSK

5. Click on "Set Values".

Configuring phase 2
1. Click the "Phase 2" tab.
2. Deselect the "Default Ciphers" check box.
3. Configure phase 2 with the following settings from the configuration file:

Encryption 3DES
Authentication SHA1
Key Derivation (DFS) DH group 2
Lifetime [min]: 1440

4. Click on "Set Values".

SCALANCE M-800 Getting Started


Getting Started, 07/2017, C79000-G8976-C337-05 69
VPN tunnel between SCALANCE M-800 and S612
3.2 Secure VPN tunnel with PSK

3.2.3.6 Establishing the VPN connection

Procedure
1. Click on "Security" > "IPsec VPN" in the navigation area and on the "Connections" tab in
the content area.
2. As "Operation", select "Start" and click "Set Values".

Result
The M-800 establishes the VPN tunnel to the S612. If the VPN tunnel is established, the
LED is lit green on the device.
You will find more detailed information in "Information" > "IPsec VPN".

In the online view of the SCT, you can see the communications status on the S612.

SCALANCE M-800 Getting Started


70 Getting Started, 07/2017, C79000-G8976-C337-05
VPN tunnel between SCALANCE M-800 and S612
3.3 Secure VPN tunnel with certificates

3.3 Secure VPN tunnel with certificates

3.3.1 Configuring a VPN tunnel with the SCT V3.x

3.3.1.1 Creating the project and modules

Procedure
1. Start the Security Configuration Tool V3.x on the PC.
2. Select the menu command "Project" > "New".
3. In the dialog that follows, create a new user with a user name and the corresponding
password. The "administrator" role is assigned to the user automatically.
4. Confirm the dialog with "OK". A new project has been created and the "Selection of a
module or software configuration" dialog is open.

SCALANCE M-800 Getting Started


Getting Started, 07/2017, C79000-G8976-C337-05 71
VPN tunnel between SCALANCE M-800 and S612
3.3 Secure VPN tunnel with certificates

5. Enter the values assigned to the S612 from the "Settings used (Page 49)" table. In
addition to this, enter the MAC address printed on the front of the security module

6. Close the dialog with "OK".


7. Generate a second module with the "Insert" > "Module" menu command

SCALANCE M-800 Getting Started


72 Getting Started, 07/2017, C79000-G8976-C337-05
VPN tunnel between SCALANCE M-800 and S612
3.3 Secure VPN tunnel with certificates

8. Enter the values assigned to the M-800 from the "Settings used (Page 49)" table.

9. Close the dialog with "OK".

Result
The security module S612 and the SCALANCE M-800 will then be displayed in the list of
configured modules.

3.3.1.2 Configuring a tunnel connection


A VPN tunnel for secure communication can only be established if the SCALANCE M-800
and the S612 are assigned to the same group.

SCALANCE M-800 Getting Started


Getting Started, 07/2017, C79000-G8976-C337-05 73
VPN tunnel between SCALANCE M-800 and S612
3.3 Secure VPN tunnel with certificates

Procedure
1. Select "VPN groups" in the navigation area and create a new group with the menu
command "Insert" > "Group". The group is automatically given the name "Group1".
2. Select the "All modules" entry in the navigation area.
3. Select the SCALANCE M-800 and the S612 in the content area. Drag the modules to
"Group1". Both modules are now assigned to "Group1".
4. Change to advanced mode with the menu command "View" > "Advanced mode".
5. Open the group properties of Group1 by selecting the "Properties ..." shortcut menu.
6. For this configuration example, configure the group properties with the following settings.
If you use different parameter settings, it is possible that the two tunnel partners will not
be able to set up a VPN connection between them.

Result
The configuration of the tunnel connection is complete.

SCALANCE M-800 Getting Started


74 Getting Started, 07/2017, C79000-G8976-C337-05
VPN tunnel between SCALANCE M-800 and S612
3.3 Secure VPN tunnel with certificates

3.3.1.3 Configuring the properties of the S612


Since the S612 is connected to the Internet via a DSL router, the properties of the S612
must be configured accordingly.

Procedure
1. Select the "S612" in the content area.
2. Select the menu command "Edit" > "Properties". Click the "Routing" tab.
3. For "Default router", enter the internal IP address of the default router "192.168.184.254".
Click "Apply"

4. Click the "VPN" tab.


5. For "Permission to initiate connection establishment", select the "Wait for partner
(responder)" entry.
6. Enter the WAN IP address of the DSL router, e.g. 91.19.6.84

7. Click "Apply" and close the dialog with "OK".


8. Select the "Project" > "Save" menu command. Save the security project under the
required name.

SCALANCE M-800 Getting Started


Getting Started, 07/2017, C79000-G8976-C337-05 75
VPN tunnel between SCALANCE M-800 and S612
3.3 Secure VPN tunnel with certificates

Result
The security project is configured. The settings are saved in the configuration file:

3.3.1.4 Downloading the configuration to the S612 and saving the M-800 configuration

Downloading the configuration to the S612


1. In the content area, select the "S612" security module and select the menu command
"Transfer" > "To module(s) …".
The following dialog opens.

2. Click the "Start" button to start the download.


If the download was completed free of errors, the security module is restarted
automatically and the new configuration activated.

Saving the SCALANCE M-800 configuration


1. In the content area, select the "M-800" and select the menu command "Transfer" > "To
module(s) …".
2. Save the configuration file "Projectname.M-800.txt" in your project folder and assign a
password for the private key of the certificate, e.g. Di1S+Xo?.

Result
The following files will be saved in the project directory:
● Configuration file: projectname.M-800.txt
● PKCS12 file: projectname.string.M-800.p12
● Remote certificate: Projectname.group1.S612.cer

SCALANCE M-800 Getting Started


76 Getting Started, 07/2017, C79000-G8976-C337-05
VPN tunnel between SCALANCE M-800 and S612
3.3 Secure VPN tunnel with certificates

The configuration file contains the exported configuration information for the SCALANCE M-
800 including information on the additionally generated certificates.

Configuration file Settings in WBM


IPsec VPN > Certificates System > Load&Save > HTTP > X509Cert : Download
Upload Remote Site Certificate: Configuration-
1.group1.S612.cer
Upload PKCS12 File (.p12): Configuration-
1.U800CB3FF@G471C.M-800.p12

IPsec VPN > Connections > VPN Standard Mode - Security > IPsec VPN > Remote End > Remote Mode: Standard
Edit Settings
Address of the remote site's VPN gateway: Security > IPsec VPN > Remote End > Remote Address:
91.19.6.84 91.19.6.84/32
Authentication method: X.509 remote certificate Security > IPsec VPN > Authentication > Authentication: Remote
Cert
Remote Certificate: Configuration-1.group1.S612.cer Security > IPsec VPN > Authentication > Remote Certificate: Confi-
guration-1.group1.CP.cer
Remote ID: U5A634732@GC4D8 Security > IPsec VPN > Authentication > Remote ID:
U5A634732@GC4D8
Remote net address: 192.168.184.0 Security > IPsec VPN > Remote End > Remote Subnet:
Remote subnet mask: 255.255.255.0 192.168.184.0/24
Local net address: 192.168.100.0 Security > IPsec VPN > Connections > Local Subnet:
Local subnet mask: 255.255.255.0 192.168.100.0/24

IPsec VPN > Connections > Edit IKE Security > IPsec VPN > Connections > Keying Protocol: IKEv1
Phase 1 - ISAKMP SA --
ISAKMP-SA encryption: 3DES-168 Security > IPsec VPN > Phase 1 > Encryption: 3DES
ISAKMP-SA hash: SHA-1 Security > IPsec VPN > Phase 1 > Authentication: SHA-1
ISAKMP-SA mode: Main mode --
ISAKMP-SA lifetime (seconds): 86400 Security > IPsec VPN > Phase 1 > Lifetime [min]: 1440
The value is specified in seconds in the text file. In
the WBM, the value must be entered in minutes.

Phase 2 - IPsec SA --
IPsec SA encryption: 3DES-168 Security > IPsec VPN > Phase 2 > Encryption: 3DES
IPsec SA hash: SHA-1 Security > IPsec VPN > Phase 2 > Authentication: SHA-1
IPsec SA lifetime (seconds): 86400 Security > IPsec VPN > Phase 2 > Lifetime [min]: 1440
The value is specified in seconds in the text file. In
the WBM, the value must be entered in minutes.
Perfect Forward Secrecy (PFS): No --

DH/PFS group: DH-2 1024 Security > IPsec VPN > Phase 1 > Key Derivation: DH group 2
Security > IPsec VPN > Phase 2 > Key Derivation: DH group 2
NAT-T: On --
DPD delay (seconds): 150 --

SCALANCE M-800 Getting Started


Getting Started, 07/2017, C79000-G8976-C337-05 77
VPN tunnel between SCALANCE M-800 and S612
3.3 Secure VPN tunnel with certificates

Configuration file Settings in WBM


DPD timeout (seconds): 60 Security > IPsec VPN > Phase 1 > DPD Timeout [sec]: 60
DPD maximum failures: 5 --

3.3.2 Configuring a VPN tunnel with the SCT V4.x

3.3.2.1 Creating the project and modules

Procedure
1. Start the Security Configuration Tool V4.x on the PC.
2. Select the menu command "Project" > "New".
3. In the dialog that follows, create a new user with a user name and the corresponding
password. The "administrator" role is assigned to the user automatically.
4. Confirm the dialog with "OK". A new project has been created and the "Selection of a
module or software configuration" dialog is open.

SCALANCE M-800 Getting Started


78 Getting Started, 07/2017, C79000-G8976-C337-05
VPN tunnel between SCALANCE M-800 and S612
3.3 Secure VPN tunnel with certificates

5. Enter the values assigned to the S612 from the "Settings used (Page 49)" table. In
addition to this, enter the MAC address printed on the front of the security module

6. Close the dialog with "OK".


7. Generate a second module with the "Insert" > "Module" menu command

SCALANCE M-800 Getting Started


Getting Started, 07/2017, C79000-G8976-C337-05 79
VPN tunnel between SCALANCE M-800 and S612
3.3 Secure VPN tunnel with certificates

8. Enter the values assigned to the M-800 from the "Settings used (Page 49)" table.

9. Close the dialog with "OK".

Result
The security module S612 and the SCALANCE M-800 will then be displayed in the list of
configured modules.

SCALANCE M-800 Getting Started


80 Getting Started, 07/2017, C79000-G8976-C337-05
VPN tunnel between SCALANCE M-800 and S612
3.3 Secure VPN tunnel with certificates

3.3.2.2 Configuring a tunnel connection


A VPN tunnel for secure communication can only be established if the SCALANCE M and
the S612 are assigned to the same group.

Procedure
1. Select "VPN groups" in the navigation area and create a new group with the menu
command "Insert" > "Group". The group is automatically given the name "Group1".
2. Select the "All modules" entry in the navigation area.
3. Select the SCALANCE M and the S612 in the content area. Drag the modules to
"Group1". Both modules are now assigned to "Group1".
4. Change to advanced mode with the menu command "View" > "Advanced mode".
5. Open the group properties of Group1 by selecting the "Properties ..." shortcut menu.
6. For this configuration example, configure the group properties with the following settings.

If you use different parameter settings, it is possible that the two tunnel partners will not
be able to set up a VPN connection between them.

SCALANCE M-800 Getting Started


Getting Started, 07/2017, C79000-G8976-C337-05 81
VPN tunnel between SCALANCE M-800 and S612
3.3 Secure VPN tunnel with certificates

Result
The configuration of the tunnel connection is complete.

3.3.2.3 Configuring the properties of the S612


Since the S612 is connected to the Internet via a DSL router, the properties of the S612
must be configured accordingly.

Procedure
1. Select the "S612" in the content area.
2. Select the menu command "Edit" > "Properties". Click the "Routing" tab.
3. For "Default router", enter the internal IP address of the default router "192.168.184.254".
Click "Apply"

4. Click the "VPN" tab.


5. For "Permission to initiate connection establishment", select the "Wait for partner
(responder)" entry.
6. Enter the WAN IP address of the DSL router, e.g. 91.19.6.84

SCALANCE M-800 Getting Started


82 Getting Started, 07/2017, C79000-G8976-C337-05
VPN tunnel between SCALANCE M-800 and S612
3.3 Secure VPN tunnel with certificates

7. Click "Apply" and close the dialog with "OK".


8. Select the menu command "Project" > "Save". Save the security project under the
required name.

Result
The security project is configured. The settings are saved in the configuration file.

3.3.2.4 Downloading the configuration to the S612 and saving the M-800 configuration

Downloading the configuration to the S612


1. In the content area, select the "S612" security module and select the menu command
"Transfer" > "To module(s) …".
The following dialog opens.

2. Click the "Start" button to start the download.


If the download was completed free of errors, the security module is restarted
automatically and the new configuration activated.

Saving the SCALANCE M-800 configuration


1. In the content area, select the "M-800" and select the menu command "Transfer" > "To
module(s) …".
2. Save the configuration file "Projectname.M-800.txt" in your project folder and assign a
password for the private key of the certificate, e.g. Di1S+Xo?.

SCALANCE M-800 Getting Started


Getting Started, 07/2017, C79000-G8976-C337-05 83
VPN tunnel between SCALANCE M-800 and S612
3.3 Secure VPN tunnel with certificates

Result
The following files will be saved in the project directory:
● Configuration file: projectname.M-800.txt
● PKCS12 file: projectname.string.M-800.p12
● Remote certificate: Projectname.group1.S612.cer
The configuration file contains the exported configuration information for the SCALANCE M-
800 including information on the additionally generated certificates. Follow the instructions in
the configuration file.

3.3.3 Configuring SCALANCE M-800

3.3.3.1 Loading a certificate

Requirement
● The correct time is set on the SCALANCE M-800, refer to the section Setting the time
(Page 27).
● Certificates are available.
You saved the required certificates on the PC in the last section and assigned a
password for the private key.
Transfer the certificates for the SCALANCE M-800 to the Admin PC.

Procedure
1. Click on "System" > "Load&Save" in the navigation area and on the "Passwords"" tab in
the content area.
2. In the line "X509Cert" enter the password that you specified for the PKCS12 file in
"Password" and "Password confirmation".
3. Enable the password

SCALANCE M-800 Getting Started


84 Getting Started, 07/2017, C79000-G8976-C337-05
VPN tunnel between SCALANCE M-800 and S612
3.3 Secure VPN tunnel with certificates

4. Click on "Set Values".

5. Click on the "HTTP" tab in the content area.

6. For "X509Cert" click the "Loading" button. The dialog for loading a file is opened.
Navigate to the remote certificate.

SCALANCE M-800 Getting Started


Getting Started, 07/2017, C79000-G8976-C337-05 85
VPN tunnel between SCALANCE M-800 and S612
3.3 Secure VPN tunnel with certificates

7. Click the "Open" button in the dialog.


The file is now loaded on the device. After loading successfully, confirm the next dialog
with "OK".
8. Repeat steps 5 and 6 for the PKCS12 file.

Result
Certificates are loaded and are displayed in "Security" > "Certificates". The loaded
certificates must have the status "Valid".

3.3.3.2 Configuring the VPN remote end

M81x in the master station: Configuring the VPN remote end


1. Click on "Security" > "IPsec VPN" in the navigation area and on the "Remote End" tab in
the content area.
2. Enter the name of the VPN partner (tunnel endpoint) in "Remote End Name", e.g. S612.
3. Click "Create". A new row is created in the table.
4. Configure the VPN remote end with the following settings from the configuration file:

Remote Mode Standard


Remote Type Manual
Remote Address 91.19.6.84/32
WAN IP address of the DSL router
Remote Subnet 192.168.11.0/24

SCALANCE M-800 Getting Started


86 Getting Started, 07/2017, C79000-G8976-C337-05
VPN tunnel between SCALANCE M-800 and S612
3.3 Secure VPN tunnel with certificates

5. Click on "Set Values".

3.3.3.3 Configuring a VPN connection

Requirement
● The VPN remote end has been created.

Procedure
1. Click on "Security" > "IPsec VPN" in the navigation area and on the "Connections" tab in
the content area.
2. In "Connection Name" enter a name for the VPN connection.
3. Click "Create". A new row is created in the table.
4. Configure the VPN connection with the following settings:

Operation Disabled
Keying Protocol IKEv1
Remote End S612
Name of the VPN remote station
Local Subnet 192.168.100.0/24
The local subnet 1 in CIDR notation.

5. Click on "Set Values".

SCALANCE M-800 Getting Started


Getting Started, 07/2017, C79000-G8976-C337-05 87
VPN tunnel between SCALANCE M-800 and S612
3.3 Secure VPN tunnel with certificates

3.3.3.4 Configuring VPN authentication

M81x in the master station: Configuring VPN authentication


1. Click on "Security" > "IPsec VPN" in the navigation area and on the "Authentication" tab
in the content area.
2. Configure the VPN authentication with the following settings from the configuration file:

Authentication Remote Cert


Local certificate projectname.string.M-800.p12
Remote Certificate Projectname.group1.S612.cer
Remote ID Remote ID from the configuration file

3. Click on "Set Values".

3.3.3.5 Configuring phase 1 and phase 2

Configuring phase 1
1. Click on "Security" > "IPsec VPN" in the navigation area and on the "Phase 1" tab in the
content area.
2. Deselect the "Default Ciphers" check box.
3. Select the "DPD" check box.
4. Configure phase 1 with the following settings from the configuration file:

Encryption 3DES
Authentication SHA1
Key Derivation DH group 2
Lifetime [min]: 1440
DPD Period [sec] 60
Aggressive Mode no

SCALANCE M-800 Getting Started


88 Getting Started, 07/2017, C79000-G8976-C337-05
VPN tunnel between SCALANCE M-800 and S612
3.3 Secure VPN tunnel with certificates

5. Click on "Set Values".

Configuring phase 2
1. Click the "Phase 2" tab.
2. Deselect the "Default Ciphers" check box.
3. Configure phase 2 with the following settings from the configuration file:

Encryption 3DES
Authentication SHA1
Key Derivation (DFS) DH group 2
Lifetime [min]: 1440

4. Click on "Set Values".

SCALANCE M-800 Getting Started


Getting Started, 07/2017, C79000-G8976-C337-05 89
VPN tunnel between SCALANCE M-800 and S612
3.3 Secure VPN tunnel with certificates

3.3.3.6 Activating VPN

Procedure
1. Click on "Security" > "IPsec VPN" in the navigation area and on the "General" tab in the
content area.
2. Enable the "IPsec VPN" setting.

3. Click on "Set Values".

3.3.3.7 Establishing the VPN connection

Procedure
1. Click on "Security" > "IPsec VPN" in the navigation area and on the "Connections" tab in
the content area.
2. As "Operation", select "Start" and click "Set Values".

Result
The SCALANCE M-800 establishes the VPN tunnel to the S612. If the VPN tunnel is
established, the LED is lit green on the device.

SCALANCE M-800 Getting Started


90 Getting Started, 07/2017, C79000-G8976-C337-05
VPN tunnel between SCALANCE M-800 and S612
3.4 Firewall with a VPN connection

You will find more detailed information in "Information" > "IPsec VPN".

You can also see the status of the tunnel connection in the online view of the SCT.

3.4 Firewall with a VPN connection


You can create firewall rules for IPsec in the following ways:
● Automatic
Here, the firewall rules are created automatically for the specified VPN connection.
● Manual
Here, you define your own firewall rules for the specified VPN connection.

SCALANCE M-800 Getting Started


Getting Started, 07/2017, C79000-G8976-C337-05 91
VPN tunnel between SCALANCE M-800 and S612
3.4 Firewall with a VPN connection

3.4.1 Creating firewall rules automatically


For the example, the VPN tunnel described in the section "Secure VPN tunnel with
certificates (Page 113)" is used. The devices have the following IP address setting:

Internal address
Local area network SCALANCE M-800 192.168.100.1
255.255.255.0
Remote network S612 internal port
192.168.11.2
255.255.255.0

Procedure
1. Click on "Security" > "IPsec VPN" in the navigation area and on the "Phase 2" tab in the
content area. The setting "Auto Firewall Rules" is enabled as default.

Result
If "Auto Firewall Rules" is enabled, the following firewall rules are active.

Action From / to Permitted proto- For Source IP Dest. IP


cols addresses addresses
Allow Internal network All services all ports or all ICMP 192.168.100.0/ 192.168.11.0
(VLAN1) / remo- packet types 24 /24
te network (IP-
sec tunnel x)
Allow Remote network All services all ports or all ICMP 192.168.11.0/2 192.168.100.
(IPsec tunnel x) / packet types 4 0/24
internal network
(VLAN1)

These firewall rules make data exchange between the internal network and the remote
network possible, however it is not possible for remote clients to reach the modem although
they also belong to the tunnel subnet.
Apart from ICMP Echo Request no access to the remote VPN partner.

See also
Creating firewall rules manually (Page 93)

SCALANCE M-800 Getting Started


92 Getting Started, 07/2017, C79000-G8976-C337-05
VPN tunnel between SCALANCE M-800 and S612
3.4 Firewall with a VPN connection

3.4.2 Creating firewall rules manually

Requirement
The IP service HTTP has been created, see the section "Allow access (Page 40)".

Allow all nodes from the remote subnet HTTP-based access to the SCALANCE M-800.
In the following example an additional firewall rules is specified, that applies in addition to the
automatic firewall rules.
1. Click on "Security" > "Firewall" in the navigation area and on the "IP Rules" tab in the
content area.
2. Configure the firewall rule for HTTP with the following settings:

Action Accept
From IPsec VPN-1
To Device
Source (Range) 192.168.11.0/24 (all devices of the remote internal network 2)
Destination (Range) 192.168.100.1 (to the required device)
Service HTTP

3. Click on "Set Values". The SCALANCE M can be reached through the VPN tunnel and
can be configured with WBM.

Allow HTTP-based access through the VPN tunnel for a specific device
In the following example, a firewall rule is specified manually, the automatic firewall rules are
deactivated.
1. Click on "Security" > "Firewall" in the navigation area and on the "IP Services" tab in the
content area.
2. As "Service Name", enter "TCP all" and click "Create". A new entry is created in the table.
3. Configure the service with the following setting:

Transportation TCP

SCALANCE M-800 Getting Started


Getting Started, 07/2017, C79000-G8976-C337-05 93
VPN tunnel between SCALANCE M-800 and S612
3.4 Firewall with a VPN connection

4. Click on "Set Values".

5. Click on "Security" > "Firewall" in the navigation area and on the "IP Rules" tab in the
content area.
6. Click "Create". A new entry is created in the table.
7. Configure the firewall rule with the following settings:

Action Accept
From vlan1 (INT)
To IPsec VPN-1
Source (Range) 192.168.100.10
(only this device is allowed to communicate from internal net-
work 1 through the VPN tunnel with TCP)
Destination (Range) 0.0.0.0/0 (to all addresses)
Service TCP

8. Click "Create". A new entry is created in the table.


9. Click on "Set Values".

SCALANCE M-800 Getting Started


94 Getting Started, 07/2017, C79000-G8976-C337-05
VPN tunnel between SCALANCE M-800
and security CPs 4
4.1 Procedure in principle
In these examples, a secure VPN tunnel is configured between a SCALANCE M-800 and the
CP 1628.
● Example 1: Secure VPN tunnel with pre-shared keys (PSK)
● Example 2: Secure VPN tunnel with certificates
Instead of the CP 1628, a CP 343-1 Advanced or CP 434-1 Advanced can be used.

Structure

Internal network 1 - connection to SCALANCE M-800


● In the test setup, in the internal network, a network node is implemented by an Admin PC
connected to an Ethernet interface of the SCALANCE M.
– Admin PC: Represents a node in the internal network
– M-800: SCALANCE M module for protection of the internal network
● Connection to the external, public network.
– Wireless via the antenna of the M874 to the mobile wireless network.
– Wired via the RJ-45 jack of the M81x to ADSL.

SCALANCE M-800 Getting Started


Getting Started, 07/2017, C79000-G8976-C337-05 95
VPN tunnel between SCALANCE M-800 and security CPs
4.1 Procedure in principle

Internal network 2 - attachment to a port of the CP 1628


● In the test setup, in the internal network, each network node is implemented by one PC
connected to the internal port of the security module.
– PC1 with security module 1: PC with CP 1628 for protection of the internal network
– PC2: PC with the Security Configuration Tool and STEP 7
The PC represents a node in the internal network.
● Connection to the external, public network via DSL router
Access to the Internet is via a DSL modem or a DSL router connected to one of the ports
of the security module.

Required devices/components
Use the following components for setup:
● Connection to the mobile wireless network
– 1 x M874 (additional option: a suitably installed standard rail with fittings)
– 1 x 24 V power supply with cable connector and terminal block plug
– 1 x suitable antenna
– 1 x SIM card of your mobile wireless provider. Suitable services are enabled, e.g.
Internet.
● Connecting to ADSL
– 1 x M812 or 1 x M816 (optionally also: a suitably installed standard rail with fittings)
– 1 x 24 V power supply with cable connector and terminal block plug
– ADSL access is enabled
● 1 x PC with CP 1628
● 1 x PC with the Security Configuration Tool and STEP 7.
● 1 x DSL modem or DSL router
● The required network cable, TP cable (twisted pair) complying with the IE FC RJ-45
standard for Industrial Ethernet

Settings used
For the configuration example, the devices are given the following IP address settings

Internal address External address


Internal network M-800 192.168.100.1 Fixed IP address, e.g.
1 255.255.255.0 90.90.90.90
Provider dependent
As an alternative, the DDNS
hostname can also be used.
Admin PC 192.168.100.20
255.255.255.0

SCALANCE M-800 Getting Started


96 Getting Started, 07/2017, C79000-G8976-C337-05
VPN tunnel between SCALANCE M-800 and security CPs
4.1 Procedure in principle

Internal address External address


Internal network DSL router 192.168.184.254 Fixed IP address (WAN IP
2 255.255.255.0 address), e.g. 91.19.6.84
PC1 with CP For CP 1628: The IP address For CP 1628: The IP address of
1628 of the NDIS interface, e.g. the Industrial Ethernet interface,
192.168.184.10. e.g. 192.168.184.2.
(is configured on PC1) For CP 343-1 Advanced or
For CP 343-1 Advanced or CP 434-1 Advanced:
CP 434-1 Advanced: The IP The IP address of the Gbit
address of the PROFINET interface.
interface.
PC2 192.168.184.20
255.255.255.0

Requirement
● The CP 1628 is connected to the Internet via the DSL router.
● In the properties of the CP, the internal IP address of the DSL router is configured as a
default gateway.
● the SCALANCE M-800 is connected to the WAN , refer to "Connecting SCALANCE M-
800 to the WAN (Page 11)".
● The SCALANCE M-800 can be reached via the Admin PC and you are logged in to the
WBM as "admin".

Steps in configuration
Example 1: Secure VPN tunnel with PSK
Configuring a VPN tunnel with the SCT V3.x
1. Creating project and modules with SCT (Page 98)
2. Configuring a tunnel connection (Page 100)
3. Downloading the configuration to the CP and saving the M-800 configuration (Page 101)
Configuring a VPN tunnel with the SCT V4.x
1. Creating project and modules with SCT (Page 103)
2. Configuring a tunnel connection (Page 105)
3. Downloading the configuration to the CP and saving the M-800 configuration (Page 107)
Configuring SCALANCE M-800
1. Activating VPN (Page 112)
2. Configuring the VPN remote end (Page 108)
3. Configuring a VPN connection (Page 108)
4. Configuring VPN authentication (Page 110)

SCALANCE M-800 Getting Started


Getting Started, 07/2017, C79000-G8976-C337-05 97
VPN tunnel between SCALANCE M-800 and security CPs
4.2 Secure VPN tunnel with PSK

5. Configuring phase 1 and phase 2 (Page 110)


6. Establishing the VPN connection (Page 112)
Example 2: Secure VPN tunnel with certificates
Configuring a VPN tunnel with the SCT V3.x
1. Creating project and modules with SCT (Page 113)
2. Configuring a tunnel connection (Page 114)
3. Downloading the configuration to the CP and saving the M-800 configuration (Page 116)
Configuring a VPN tunnel with the SCT V3.x
1. Creating project and modules with SCT (Page 118)
2. Configuring a tunnel connection (Page 120)
3. Downloading the configuration to the CP and saving the M-800 configuration (Page 121)
Configuring SCALANCE M-800
1. Loading a certificate (Page 122)
2. Activating VPN (Page 127)
3. Configuring the VPN remote end (Page 124)
4. Configuring a VPN connection (Page 124)
5. Configuring VPN authentication (Page 125)
6. Configuring phase 1 and phase 2 (Page 126)
7. Establishing the VPN connection (Page 128)

4.2 Secure VPN tunnel with PSK

4.2.1 Configuring a VPN tunnel with the SCT V3.x

4.2.1.1 Creating project and modules with SCT

Procedure
1. On the "Security" tab of the object properties of the CP 1628, select the "Enable security"
check box.
2. In the dialog that follows, create a new user with a user name and the corresponding
password.
The "administrator" role is assigned to the user automatically.
3. Confirm the dialog with "OK". A new project is created.

SCALANCE M-800 Getting Started


98 Getting Started, 07/2017, C79000-G8976-C337-05
VPN tunnel between SCALANCE M-800 and security CPs
4.2 Secure VPN tunnel with PSK

4. In HW Config, open the Security Configuration Tool with the "Edit" > "Security
Configuration Tool" menu command.
The created CP is displayed in the list of configured modules.
5. Generate a second module with the "Insert" > "Module" menu command.
6. Enter the values assigned to the SCALANCE M-800 from the "Settings used (Page 95)"
table.

7. Confirm the dialog with "OK".

Result
The CP and the SCALANCE M-800 will then be displayed in the list of configured modules.

SCALANCE M-800 Getting Started


Getting Started, 07/2017, C79000-G8976-C337-05 99
VPN tunnel between SCALANCE M-800 and security CPs
4.2 Secure VPN tunnel with PSK

4.2.1.2 Configuring a tunnel connection


A VPN tunnel for secure communication can only be established if the SCALANCE M-800
and the CP are assigned to the same VPN group.

Procedure
1. Select "VPN groups" in the navigation area and create a new group with the menu
command "Insert" > "Group". The group is automatically given the name "Group1".
2. Select the "All modules" entry in the navigation area.
3. Select the SCALANCE M-800 and the CP in the content area. Drag the modules to
"Group1". Both modules are now assigned to "Group1".
4. Change to advanced mode with the menu command "View" > "Advanced mode".
5. Open the group properties of Group1 by selecting the "Properties ..." shortcut menu
6. For this configuration example, configure the group properties with the following settings.

If you use different parameter settings, it is possible that the two tunnel partners will not
be able to set up a VPN connection between them.
7. Save the project with the "Project" > "Save" menu command.

SCALANCE M-800 Getting Started


100 Getting Started, 07/2017, C79000-G8976-C337-05
VPN tunnel between SCALANCE M-800 and security CPs
4.2 Secure VPN tunnel with PSK

Result
The configuration of the tunnel connection is complete. The settings are saved in the
configuration file.

4.2.1.3 Downloading the configuration to the CP and saving the M-800 configuration

Downloading the configuration to the CP


1. Close the Security Configuration Tool.
2. In HW Config, select the "Station" > "Save and Compile" menu.
3. Download the new configuration to the security module using the "PLC" > "Download to
Module …" menu.
– For CP 1628: If the download was completed free of errors, the security module
restarts automatically and the new configuration is activated.
– For CP 343-1 Advanced or CP 434-1 Advanced: Restart the S7 CPU following the
download, to activate the new configuration

Saving the SCALANCE M-800 configuration


1. In STEP 7, open the Security Configuration Tool with the "Edit" > "Security Configuration
Tool" menu command.
2. In the content area, select the "M-800" and select the menu command "Transfer" > "To
module(s) …".
3. Save the configuration file "Projectname.M-800.txt" in your project directory.

Result
The following file will be saved in the project directory:
● Configuration file: projectname.M-800.txt
The configuration file contains the exported configuration information for the SCALANCE M-
800.

Configuration file Settings in WBM


IPsec VPN > Connections > VPN Standard Mode - Security > IPsec VPN > Remote End > Remote Mode: Standard
Edit Settings
Address of the remote site's VPN gateway: Security > IPsec VPN > Remote End > Remote Address:
91.19.6.84 91.19.6.84/32
Authentication method: Pre Shared Key Security > IPsec VPN > Authentication > Authentication: PSK
Pre Shared Key: 12345678 Security > IPsec VPN > Authentication > PSK and PSK Confirmati-
on: 12345678
Remote ID: U28098881@GEA32 Security > IPSec VPN > Authentication > Remote ID:
not required.
The external IP address of the S612 is entered in the WBM. In this
example, this is 192.168.184.2

SCALANCE M-800 Getting Started


Getting Started, 07/2017, C79000-G8976-C337-05 101
VPN tunnel between SCALANCE M-800 and security CPs
4.2 Secure VPN tunnel with PSK

Configuration file Settings in WBM


Local ID: U269159D5@GEA32 Security > IPSec VPN > Authentication > Local ID
not required. The entry remains empty in the WBM.
Remote net address: 192.168.184.0 Security > IPSec VPN > Remote End > Remote Subnet:
Remote subnet mask: 255.255.255.0 192.168.184.0/24

Local net address: 192.168.100.0 Security > IPSec VPN > Connections > Local Subnet:
Local subnet mask: 255.255.255.0 192.168.100.0/24

IPSec VPN > Connections > Edit IKE Security > IPsec VPN > Connections > Keying Protocol: IKEv1
Phase 1 - ISAKMP SA --
ISAKMP-SA encryption: 3DES-168 Security > IPsec VPN > Phase 1 > Encryption: 3DES
ISAKMP-SA hash: SHA-1 Security > IPsec VPN > Phase 1 > Authentication: SHA-1
ISAKMP-SA mode: Main mode --
ISAKMP-SA lifetime (seconds): 86400 Security > IPsec VPN > Phase 1 > Lifetime [min]: 1440
The value is specified in seconds in the text file. In
the WBM, the value must be entered in minutes.

Phase 2 - IPSec SA --
IPsec SA encryption: 3DES-168 Security > IPsec VPN > Phase 2 > Encryption: 3DES
IPSec SA hash: SHA-1 Security > IPsec VPN > Phase 2 > Authentication: SHA-1
IPSec SA lifetime (seconds): 86400 Security > IPsec VPN > Phase 2 > Lifetime [min]: 1440
The value is specified in seconds in the text file. In
the WBM, the value must be entered in minutes.
Perfect Forward Secrecy (PFS): Nein --

DH/PFS group: DH-2 1024 Security > IPsec VPN > Phase 1 > Key Derivation: DH group 2
Security > IPsec VPN > Phase 2 > Key Derivation: DH group 2
NAT-T: On --
DPD delay (seconds): 150 --
DPD timeout (seconds): 60 Security > IPsec VPN > Phase 1 > DPD Timeout [sec]: 60
DPD maximum failures: 5 --

SCALANCE M-800 Getting Started


102 Getting Started, 07/2017, C79000-G8976-C337-05
VPN tunnel between SCALANCE M-800 and security CPs
4.2 Secure VPN tunnel with PSK

4.2.2 Configuring a VPN tunnel with the SCT V4.x

4.2.2.1 Creating project and modules with SCT

Procedure
1. On the "Security" tab of the object properties of the CP 1628, select the "Enable security"
check box.
2. In the dialog that follows, create a new user with a user name and the corresponding
password.
The "administrator" role is assigned to the user automatically.
3. Confirm the dialog with "OK". A new project is created.
4. In HW Config, open the Security Configuration Tool with the "Edit" > "Security
Configuration Tool" menu command.
The created CP is displayed in the list of configured modules.

SCALANCE M-800 Getting Started


Getting Started, 07/2017, C79000-G8976-C337-05 103
VPN tunnel between SCALANCE M-800 and security CPs
4.2 Secure VPN tunnel with PSK

5. Generate a second module with the "Insert" > "Module" menu command.

6. Enter the values assigned to the SCALANCE M-800 from the "Settings used (Page 95)"
table.
7. Confirm the dialog with "OK".

Result
The CP and the SCALANCE M-800 will then be displayed in the list of configured modules.

SCALANCE M-800 Getting Started


104 Getting Started, 07/2017, C79000-G8976-C337-05
VPN tunnel between SCALANCE M-800 and security CPs
4.2 Secure VPN tunnel with PSK

4.2.2.2 Configuring a tunnel connection


A VPN tunnel for secure communication can only be established if the SCALANCE M-800
and the CP are assigned to the same VPN group.

Procedure
1. Select "VPN groups" in the navigation area and create a new group with the menu
command "Insert" > "Group". The group is automatically given the name "Group1".
2. Select the "All modules" entry in the navigation panel.
3. Select the SCALANCE M-800 and the CP in the content area. Drag the modules to
"Group1". Both modules are now assigned to "Group1".
4. Change to advanced mode with the menu command "View" > "Advanced mode".
5. Open the group properties of Group1 by selecting the "Properties ..." shortcut menu

SCALANCE M-800 Getting Started


Getting Started, 07/2017, C79000-G8976-C337-05 105
VPN tunnel between SCALANCE M-800 and security CPs
4.2 Secure VPN tunnel with PSK

6. For this configuration example, configure the group properties with the following settings.

If you use different parameter settings, it is possible that the two tunnel partners will not
be able to set up a VPN connection between them.
7. Save the project with the "Project" > "Save" menu command.

Result
The configuration of the tunnel connection is complete. The settings are saved in the
configuration file.

SCALANCE M-800 Getting Started


106 Getting Started, 07/2017, C79000-G8976-C337-05
VPN tunnel between SCALANCE M-800 and security CPs
4.2 Secure VPN tunnel with PSK

4.2.2.3 Downloading the configuration to the CP and saving the M-800 configuration

Downloading the configuration to the CP


1. Close the Security Configuration Tool.
2. In HW Config, select the "Station" > "Save and Compile" menu.
3. Download the new configuration to the security module using the "PLC" > "Download to
Module …" menu.
– For CP 1628: If the download was completed free of errors, the security module
restarts automatically and the new configuration is activated.
– For CP 343-1 Advanced or CP 434-1 Advanced: Restart the S7 CPU following the
download, to activate the new configuration

Saving the SCALANCE M-800 configuration


1. In STEP 7, open the Security Configuration Tool with the "Edit" > "Security Configuration
Tool" menu command.
2. In the content area, select the "M-800" and select the menu command "Transfer" > "To
module(s) …".
3. Save the configuration file "Projectname.M-800.txt" in your project directory.

Result
The following file will be saved in the project directory:
● Configuration file: projectname.M-800.txt
The configuration file contains the exported configuration information for the SCALANCE M-
800. Follow the instructions in the configuration file.

SCALANCE M-800 Getting Started


Getting Started, 07/2017, C79000-G8976-C337-05 107
VPN tunnel between SCALANCE M-800 and security CPs
4.2 Secure VPN tunnel with PSK

4.2.3 Configuring SCALANCE M-800

4.2.3.1 Configuring the VPN remote end

Procedure
1. Click on "Security" > "IPsec VPN" in the navigation area and on the "Remote End" tab in
the content area.
2. Enter the name of the VPN partner (tunnel endpoint) in "Remote End Name", e.g. S612.
3. Click "Create". A new row is created in the table.
4. For the configuration example, configure the VPN remote end with the following settings:

Remote Mode Standard


Remote Type Manual
Remote Address 91.19.6.84/32
WAN IP address of the DSL router
Remote Subnet 192.168.11.0/24

5. Click on "Set Values".

4.2.3.2 Configuring a VPN connection

Requirement
● The VPN remote end has been created.

Procedure
1. Click on "Security" > "IPsec VPN" in the navigation area and on the "Connections" tab in
the content area.
2. In "Connection Name" enter a name for the VPN connection.
3. Click "Create". A new row is created in the table.

SCALANCE M-800 Getting Started


108 Getting Started, 07/2017, C79000-G8976-C337-05
VPN tunnel between SCALANCE M-800 and security CPs
4.2 Secure VPN tunnel with PSK

4. For the configuration example, configure the VPN connection with the following settings:

Operation Disabled
Keying Protocol IKEv1
Remote End CP1628
Name of the VPN remote station
Local Subnet 192.168.100.0/24
The local subnet 1 in CIDR notation.

5. Click on "Set Values".

SCALANCE M-800 Getting Started


Getting Started, 07/2017, C79000-G8976-C337-05 109
VPN tunnel between SCALANCE M-800 and security CPs
4.2 Secure VPN tunnel with PSK

4.2.3.3 Configuring VPN authentication

Procedure
1. Click on "Security" > "IPsec VPN" in the navigation area and on the "Authentication" tab
in the content area.
2. Configure the VPN authentication with the following settings:

Authentication PSK
Local ID no entry necessary
Remote ID 192.168.184.2
The IP address of the VPN remote station.
PSK / PSK Confirmation 12345678
The key that you configured in the SCT.

3. Click on "Set Values".

4.2.3.4 Configuring phase 1 and phase 2

Configuring phase 1
1. Click on "Security" > "IPsec VPN" in the navigation area and on the "Phase 1" tab in the
content area.
2. Deselect the "Default Ciphers" check box.
3. Select the "DPD" check box.
4. Configure phase 1 with the following settings from the configuration file:

Encryption 3DES
Authentication SHA1
Key Derivation DH group 2
Lifetime [min]: 1440
DPD Period [sec] 60
Aggressive Mode no

SCALANCE M-800 Getting Started


110 Getting Started, 07/2017, C79000-G8976-C337-05
VPN tunnel between SCALANCE M-800 and security CPs
4.2 Secure VPN tunnel with PSK

5. Click on "Set Values".

Configuring phase 2
1. Click the "Phase 2" tab.
2. Deselect the "Default Ciphers" check box.
3. Configure phase 2 with the following settings from the configuration file:

Encryption 3DES
Authentication SHA1
Key Derivation (DFS) DH group 2
Lifetime [min]: 1440

4. Click on "Set Values".

SCALANCE M-800 Getting Started


Getting Started, 07/2017, C79000-G8976-C337-05 111
VPN tunnel between SCALANCE M-800 and security CPs
4.2 Secure VPN tunnel with PSK

4.2.3.5 Activating VPN

Procedure
1. Click on "Security" > "IPsec VPN" in the navigation area and on the "General" tab in the
content area.
2. Enable the "IPsec VPN" setting.

3. Click on "Set Values".

4.2.3.6 Establishing the VPN connection

Procedure
1. Click on "Security" > "IPsec VPN" in the navigation area and on the "Connections" tab in
the content area.
2. As "Operation", select "Start" and click "Set Values".

SCALANCE M-800 Getting Started


112 Getting Started, 07/2017, C79000-G8976-C337-05
VPN tunnel between SCALANCE M-800 and security CPs
4.3 Secure VPN tunnel with certificates

Result
The M-800 establishes the VPN tunnel to the CP 128. If the VPN tunnel is established, the
LED is lit green on the device.
You will find more detailed information in "Information" > "IPsec VPN".

4.3 Secure VPN tunnel with certificates

4.3.1 Configuring a VPN tunnel with the SCT V3.x

4.3.1.1 Creating project and modules with SCT

Procedure
1. On the "Security" tab of the object properties of the CP 1628, select the "Enable security"
check box.
2. In the dialog that follows, create a new user with a user name and the corresponding
password.
The "administrator" role is assigned to the user automatically.
3. Confirm the dialog with "OK". A new project is created.
4. In HW Config, open the Security Configuration Tool with the "Edit" > "Security
Configuration Tool" menu command.
The created CP is displayed in the list of configured modules.
5. Generate a second module with the "Insert" > "Module" menu command.

SCALANCE M-800 Getting Started


Getting Started, 07/2017, C79000-G8976-C337-05 113
VPN tunnel between SCALANCE M-800 and security CPs
4.3 Secure VPN tunnel with certificates

6. Enter the values assigned to the SCALANCE M-800 from the "Settings used (Page 95)"
table.

7. Confirm the dialog with "OK".

Result
The CP and the SCALANCE M-800 will then be displayed in the list of configured modules.

4.3.1.2 Configuring a tunnel connection


A VPN tunnel for secure communication can only be established if the SCALANCE M-800
and the CP are assigned to the same group.

SCALANCE M-800 Getting Started


114 Getting Started, 07/2017, C79000-G8976-C337-05
VPN tunnel between SCALANCE M-800 and security CPs
4.3 Secure VPN tunnel with certificates

Procedure
1. Select "VPN groups" in the navigation area and create a new group with the menu
command "Insert" > "Group". The group is automatically given the name "Group1".
2. Select the "All modules" entry in the navigation area.
3. Select the SCALANCE M-800 and the CP in the content area. Drag the modules to
"Group1". Both modules are now assigned to "Group1".
4. Change to advanced mode with the menu command "View" > "Advanced mode".
5. Open the group properties of Group1 by selecting the "Properties ..." shortcut menu
6. For this configuration example, configure the group properties with the following settings:

If you use different parameter settings, it is possible that the two tunnel partners will not
be able to set up a VPN connection between them.
7. Select the menu command "Project" > "Save". Save the security project under the
required name.

SCALANCE M-800 Getting Started


Getting Started, 07/2017, C79000-G8976-C337-05 115
VPN tunnel between SCALANCE M-800 and security CPs
4.3 Secure VPN tunnel with certificates

Result
The configuration of the tunnel connection is complete. The settings are saved in the
configuration file.

4.3.1.3 Downloading the configuration to the CP and saving the M-800 configuration

Downloading the configuration to the CP


1. Close the Security Configuration Tool.
2. In HW Config, select the "Station" > "Save and Compile" menu.
3. Download the new configuration to the security module using the "PLC" > "Download to
Module …" menu.
– For CP 1628: If the download was completed free of errors, the security module
restarts automatically and the new configuration is activated.
– For CP 343-1 Advanced or CP 434-1 Advanced: Restart the S7 CPU following the
download, to activate the new configuration.

Saving the SCALANCE M configuration


1. In the content area, select the "M-800" and select the menu command "Transfer" > "To
module(s) …".
2. Save the configuration file "Projectname.M-800.txt" in your project folder and assign a
password for the private key of the certificate, e.g. Di1S+Xo?.

Result
The following files will be saved in the project directory:
● Configuration file: projectname.M-800.txt
● PKCS12 file: projectname.string.M-800.p12
● Remote certificate: Projectname.group1.CP.cer
The configuration file contains the exported configuration information for the SCALANCE M-
800 including information on the additionally generated certificates.

Configuration file Settings in WBM


IPsec VPN > Certificates System > Load&Save > HTTP > X509Cert : Download
Upload Remote Site Certificate: Configuration-
1.group1.S612.cer
Upload PKCS12 File (.p12): Configuration-
1.U800CB3FF@G471C.M-800.p12

IPsec VPN > Connections > VPN Standard Mode - Security > IPsec VPN > Remote End > Remote Mode: Standard
Edit Settings

SCALANCE M-800 Getting Started


116 Getting Started, 07/2017, C79000-G8976-C337-05
VPN tunnel between SCALANCE M-800 and security CPs
4.3 Secure VPN tunnel with certificates

Configuration file Settings in WBM


Address of the remote site's VPN gateway: Security > IPsec VPN > Remote End > Remote Address:
91.19.6.84 91.19.6.84/32
Authentication method: X.509 remote certificate Security > IPsec VPN > Authentication > Authentication: Remote
Cert
Remote Certificate: Configuration-1.group1.S612.cer Security > IPsec VPN > Authentication > Remote Certificate: Confi-
guration-1.group1.CP.cer
Remote ID: U5A634732@GC4D8 Security > IPsec VPN > Authentication > Remote ID:
U5A634732@GC4D8
Remote net address: 192.168.184.0 Security > IPsec VPN > Remote End > Remote Subnet:
Remote subnet mask: 255.255.255.0 192.168.184.0/24
Local net address: 192.168.100.0 Security > IPsec VPN > Connections > Local Subnet:
Local subnet mask: 255.255.255.0 192.168.100.0/24

IPsec VPN > Connections > Edit IKE Security > IPsec VPN > Connections > Keying Protocol: IKEv1
Phase 1 - ISAKMP SA --
ISAKMP-SA encryption: 3DES-168 Security > IPsec VPN > Phase 1 > Encryption: 3DES
ISAKMP-SA hash: SHA-1 Security > IPsec VPN > Phase 1 > Authentication: SHA-1
ISAKMP-SA mode: Main mode --
ISAKMP-SA lifetime (seconds): 86400 Security > IPsec VPN > Phase 1 > Lifetime [min]: 1440
The value is specified in seconds in the text file. In
the WBM, the value must be entered in minutes.

Phase 2 - IPsec SA --
IPsec SA encryption: 3DES-168 Security > IPsec VPN > Phase 2 > Encryption: 3DES
IPsec SA hash: SHA-1 Security > IPsec VPN > Phase 2 > Authentication: SHA-1
IPsec SA lifetime (seconds): 86400 Security > IPsec VPN > Phase 2 > Lifetime [min]: 1440
The value is specified in seconds in the text file. In
the WBM, the value must be entered in minutes.
Perfect Forward Secrecy (PFS): No --

DH/PFS group: DH-2 1024 Security > IPsec VPN > Phase 1 > Key Derivation: DH group 2
Security > IPsec VPN > Phase 2 > Key Derivation: DH group 2
NAT-T: On --
DPD delay (seconds): 150 --
DPD timeout (seconds): 60 Security > IPsec VPN > Phase 1 > DPD Timeout [sec]: 60
DPD maximum failures: 5 --

SCALANCE M-800 Getting Started


Getting Started, 07/2017, C79000-G8976-C337-05 117
VPN tunnel between SCALANCE M-800 and security CPs
4.3 Secure VPN tunnel with certificates

4.3.2 Configuring a VPN tunnel with the SCT V4.x

4.3.2.1 Creating project and modules with SCT

Procedure
1. On the "Security" tab of the object properties of the CP 1628, select the "Enable security"
check box.
2. In the dialog that follows, create a new user with a user name and the corresponding
password.
The "administrator" role is assigned to the user automatically.
3. Confirm the dialog with "OK". A new project is created.
4. In HW Config, open the Security Configuration Tool with the "Edit" > "Security
Configuration Tool" menu command.
The created CP is displayed in the list of configured modules.

SCALANCE M-800 Getting Started


118 Getting Started, 07/2017, C79000-G8976-C337-05
VPN tunnel between SCALANCE M-800 and security CPs
4.3 Secure VPN tunnel with certificates

5. Generate a second module with the "Insert" > "Module" menu command.

6. Enter the values assigned to the SCALANCE M-800 from the "Settings used (Page 95)"
table.
7. Confirm the dialog with "OK".

Result
The CP and the SCALANCE M-800 will then be displayed in the list of configured modules.

SCALANCE M-800 Getting Started


Getting Started, 07/2017, C79000-G8976-C337-05 119
VPN tunnel between SCALANCE M-800 and security CPs
4.3 Secure VPN tunnel with certificates

4.3.2.2 Configuring a tunnel connection


A VPN tunnel for secure communication can only be established if the SCALANCE M-800
and the CP are assigned to the same group.

Procedure
1. Select "VPN groups" in the navigation area and create a new group with the menu
command "Insert" > "Group". The group is automatically given the name "Group1".
2. Select the "All modules" entry in the navigation area.
3. Select the SCALANCE M-800 and the CP in the content area. Drag the modules to
"Group1". Both modules are now assigned to "Group1".
4. Change to advanced mode with the menu command "View" > "Advanced mode".
5. Open the group properties of Group1 by selecting the "Properties ..." shortcut menu
6. For this configuration example, configure the group properties with the following settings:

If you use different parameter settings, it is possible that the two tunnel partners will not
be able to set up a VPN connection between them.

SCALANCE M-800 Getting Started


120 Getting Started, 07/2017, C79000-G8976-C337-05
VPN tunnel between SCALANCE M-800 and security CPs
4.3 Secure VPN tunnel with certificates

7. Select the menu command "Project" > "Save". Save the security project under the
required name.

Result
The configuration of the tunnel connection is complete. The settings are saved in the
configuration file.

4.3.2.3 Downloading the configuration to the CP and saving the M-800 configuration

Downloading the configuration to the CP


1. Close the Security Configuration Tool.
2. In HW Config, select the "Station" > "Save and Compile" menu.
3. Download the new configuration to the security module using the "PLC" > "Download to
Module …" menu.
– For CP 1628: If the download was completed free of errors, the security module
restarts automatically and the new configuration is activated.
– For CP 343-1 Advanced or CP 434-1 Advanced: Restart the S7 CPU following the
download, to activate the new configuration.

Saving the SCALANCE M-800 configuration


1. In the content area, select the "M-800" and select the menu command "Transfer" > "To
module(s) …".
2. Save the configuration file "Projectname.M-800.txt" in your project folder and assign a
password for the private key of the certificate, e.g. Di1S+Xo?.

Result
The following files will be saved in the project directory:
● Configuration file: projectname.M-800.txt
● PKCS12 file: projectname.string.M-800.p12
● Remote certificate: Projectname.group1.CP.cer
The configuration file contains the exported configuration information for the SCALANCE M-
800 including information on the additionally generated certificates. Follow the instructions in
the configuration file.

SCALANCE M-800 Getting Started


Getting Started, 07/2017, C79000-G8976-C337-05 121
VPN tunnel between SCALANCE M-800 and security CPs
4.3 Secure VPN tunnel with certificates

4.3.3 Configuring SCALANCE M-800

4.3.3.1 Loading a certificate

Requirement
● The correct time is set on the SCALANCE M-800, refer to the section Setting the time
(Page 27).
● Certificates are available.
You saved the required certificates on the PC in the last section and assigned a
password for the private key.
Transfer the certificates for the SCALANCE M-800 to the Admin PC.

Procedure
1. Click on "System" > "Load&Save" in the navigation area and on the "Passwords"" tab in
the content area.
2. In the line "X509Cert" enter the password that you specified for the PKCS12 file in
"Password" and "Password confirmation".
3. Enable the password
4. Click on "Set Values".

SCALANCE M-800 Getting Started


122 Getting Started, 07/2017, C79000-G8976-C337-05
VPN tunnel between SCALANCE M-800 and security CPs
4.3 Secure VPN tunnel with certificates

5. Click on the "HTTP" tab in the content area.

6. For "X509Cert" click the "Loading" button. The dialog for loading a file is opened.
Navigate to the remote certificate.
7. Click the "Open" button in the dialog.
The file is now loaded on the device. After loading successfully, confirm the next dialog
with "OK".
8. Repeat steps 5 and 6 for the PKCS12 file.

Result
Certificates are loaded and are displayed in "Security" > "Certificates". The loaded
certificates must have the status "Valid".

SCALANCE M-800 Getting Started


Getting Started, 07/2017, C79000-G8976-C337-05 123
VPN tunnel between SCALANCE M-800 and security CPs
4.3 Secure VPN tunnel with certificates

4.3.3.2 Configuring the VPN remote end

Procedure
1. Click on "Security" > "IPsec VPN" in the navigation area and on the "Remote End" tab in
the content area.
2. Enter the name of the VPN partner (tunnel endpoint) in "Remote End Name", e.g. S612.
3. Click "Create". A new row is created in the table.
4. For the configuration example, configure the VPN remote end with the following settings:

Remote Mode Standard


Remote Type Manual
Remote Address 91.19.6.84/32
WAN IP address of the DSL router
Remote Subnet 192.168.11.0/24

5. Click on "Set Values".

4.3.3.3 Configuring a VPN connection

Requirement
● The VPN remote end has been created.

Procedure
1. Click on "Security" > "IPsec VPN" in the navigation area and on the "Connections" tab in
the content area.
2. In "Connection Name" enter a name for the VPN connection.
3. Click "Create". A new row is created in the table.

SCALANCE M-800 Getting Started


124 Getting Started, 07/2017, C79000-G8976-C337-05
VPN tunnel between SCALANCE M-800 and security CPs
4.3 Secure VPN tunnel with certificates

4. For the configuration example, configure the VPN connection with the following settings:

Operation Disabled
Keying Protocol IKEv1
Remote End CP1628
Name of the VPN remote station
Local Subnet 192.168.100.0/24
The local subnet 1 in CIDR notation.

5. Click on "Set Values".

4.3.3.4 Configuring VPN authentication

Procedure
1. Click on "Security" > "IPsec VPN" in the navigation area and on the "Authentication" tab
in the content area.
2. For the configuration example, configure the VPN authentication with the following
settings:

Authentication Remote Cert


Local certificate projectname.string.M-800.p12
Remote Certificate Projectname.group1.CP.cer
Remote ID Remote ID from the configuration file

3. Click on "Set Values".

SCALANCE M-800 Getting Started


Getting Started, 07/2017, C79000-G8976-C337-05 125
VPN tunnel between SCALANCE M-800 and security CPs
4.3 Secure VPN tunnel with certificates

4.3.3.5 Configuring phase 1 and phase 2

Configuring phase 1
1. Click on "Security" > "IPsec VPN" in the navigation area and on the "Phase 1" tab in the
content area.
2. Deselect the "Default Ciphers" check box.
3. Select the "DPD" check box.
4. Configure phase 1 with the following settings from the configuration file:

Encryption 3DES
Authentication SHA1
Key Derivation DH group 2
Lifetime [min]: 1440
DPD Period [sec] 60
Aggressive Mode no

5. Click on "Set Values".

Configuring phase 2
1. Click the "Phase 2" tab.
2. Deselect the "Default Ciphers" check box.
3. Configure phase 2 with the following settings from the configuration file:

Encryption 3DES
Authentication SHA1
Key Derivation (DFS) DH group 2
Lifetime [min]: 1440

SCALANCE M-800 Getting Started


126 Getting Started, 07/2017, C79000-G8976-C337-05
VPN tunnel between SCALANCE M-800 and security CPs
4.3 Secure VPN tunnel with certificates

4. Click on "Set Values".

4.3.3.6 Activating VPN

Procedure
1. Click on "Security" > "IPsec VPN" in the navigation area and on the "General" tab in the
content area.
2. Enable the "IPsec VPN" setting.

3. Click on "Set Values".

SCALANCE M-800 Getting Started


Getting Started, 07/2017, C79000-G8976-C337-05 127
VPN tunnel between SCALANCE M-800 and security CPs
4.3 Secure VPN tunnel with certificates

4.3.3.7 Establishing the VPN connection

Procedure
1. Click on "Security" > "IPsec VPN" in the navigation area and on the "Connections" tab in
the content area.
2. As "Operation", select "Start" and click "Set Values".

Result
The SCALANCE M-800 establishes the VPN tunnel to the CP 1628. If the VPN tunnel is
established, the LED is lit green on the device.
You will find more detailed information in "Information" > "IPsec VPN".

SCALANCE M-800 Getting Started


128 Getting Started, 07/2017, C79000-G8976-C337-05
VPN tunnel between SCALANCE M87x and
SINEMA RC Server 5
5.1 Procedure in principle
In this sample configuration, two distributed stations are connected using the SCALANCE
M87x. The devices communicate via the SINEMA RC Server located in the master station.
The SINEMA RC is addressed using a WAN IP address obtained from a provider. As an
alternative, you can also address the SINEMA RC Server using a defined name (FQDN).
A KEY-PLUG SINEMA Remote Connect is required for each SCALANCE M87x device. The
KEY-PLUG enables the connection from SCALANCE M87x to SINEMA RC.
To do this, the devices need to log on to the SINEMA RC Server. The VPN tunnel between
the device and the SINEMA RC Server is established only after successful authentication.
Depending on the configured communication relations and the security settings, the SINEMA
RC server connects the individual VPN tunnels.

Structure

SCALANCE M-800 Getting Started


Getting Started, 07/2017, C79000-G8976-C337-05 129
VPN tunnel between SCALANCE M87x and SINEMA RC Server
5.1 Procedure in principle

Master station - connection to SINEMA RC Server


● In the test setup in the internal network, a network node is implemented by a PC
connected to the LAN interface of the SINEMA RC Server.
– PC: represents a participant in internal network 3
– SINEMA RC Server
● Connection to the external network via a router
Access to the external network is via a router connected to the WAN interface of the
SINEMA RC Server.
Station 1 / 2 - connection to SCALANCE M87x
● In the test setup in the internal network, a network node is implemented by a PC
connected to the Ethernet interface P1 of the M-800.
– PC: represents a participant in internal network 1/2
– M-87x: SCALANCE M module for protection of the internal network 1/2
● Connection to the external, public network
– Wireless via the antenna of the M87x on the mobile wireless network (as of firmware
4.0)

Required devices/components
Use the following components for setup:
● 2 x M874 (additional option: a suitably installed standard rail with fittings)
● 2 x KEY-PLUG SINEMA RC
● 2 x 24 V power supply with cable connector and terminal block plug
● 2 x PC each connected to a SCALANCE M874.
● 2 x suitable antennas
● 2 x SIM card of your mobile wireless provider. Suitable services are enabled, e.g.
Internet.
● 1 x PC on which the SINEMA RC Server is installed.
● 1 x PC that is connected to the SINEMA RC Server.
● 1 x router
● The required network cable, TP cable (twisted pair) complying with the IE FC RJ-45
standard for Industrial Ethernet

Note
You can also use a SCALANCE M876. The configuration described below relates
specifically to the components mentioned in the section "Required devices/components".

SCALANCE M-800 Getting Started


130 Getting Started, 07/2017, C79000-G8976-C337-05
VPN tunnel between SCALANCE M87x and SINEMA RC Server
5.1 Procedure in principle

Settings used
For the configuration example, the devices are given the following IP address settings:

Name Interface IP address


Station -1 M874-2 #1 LAN interface 192.168.100.1
LAN1 P1 255.255.255.0
(vlan1)
WAN interface Dynamic IP address from provider
(ppp0)
PC1 LAN interface 192.168.100.20
255.255.255.0
Station-2 M874-2 #2 LAN interface 192.168.10.1
LAN2 P1 255.255.255.0
(vlan1)
WAN interface Dynamic IP address from provider
(ppp0)
PC2 Ethernet 192.168.10.20
(LAN 2) 255.255.255.0
Master station SINEMA WAN interface 192.168.20.250
LAN3 RC Server 255.255.255.0
The WAN IP address via which the SINEMA RC
Server can be reached is the WAN IP address of
the router in this example.
90.90.90.90
The default gateway is the LAN IP address of the
router
192.168.20.1
As an alternative, the SINEMA RC Server can also
be addressed using a defined host name (FQDN).
PC3 Ethernet 192.168.20.20
(LAN3) 255.255.255.0
Router 3 LAN interface 192.168.20.1
255.255.255.0
WAN interface Static IP address from the provider e.g.
90.90.90.90

Note
The IP settings used in the configuration example were freely chosen.
In a real network, you would need to adapt these IP settings to avoid possible address
conflicts.

SCALANCE M-800 Getting Started


Getting Started, 07/2017, C79000-G8976-C337-05 131
VPN tunnel between SCALANCE M87x and SINEMA RC Server
5.1 Procedure in principle

Requirement
SINEMA RC Server
● The SINEMA RC Server is connected to the WAN. You will find the configuration steps in
the Getting Started "SINEMA Remote Connect".

Note
Port forwarding at the router
By using a router as a gateway you must enable the following ports on the router and
forward the data packets to the SINEMA RC Server:
• TCP 443
• TCP 5443
• UDP 1194
Router with VPN capability
If your router itself has VPN capability, make sure that the ports do not overlap or this
function is disabled.
You will find further information on this in the documentation of the router.

SCALANCE M874
● The M874 is connected to the WAN, refer to "Connecting SCALANCE M800 to the WAN".
The steps in configuration are the same for all devices, the only difference being the
settings, see table "Settings used (Page 129)".
● The M874 can be reached via PC1 or PC2 and you are logged in to the WBM as a user
with the role "admin".
● A valid KEY-PLUG SINEMA Remote Connect is inserted in the SCALANCE M.

Steps in configuration
Configuring access to the SINEMA RC Server
For the PC to be able to access the WBM of the SINEMA RC Server via the M874, the
following steps are necessary on the M874:
1. Activate IP masquerading (Page 133)
2. Allow access (Page 133)
Configure a remote connection on the SINEMA RC Server
1. Creating participant groups (Page 134)
2. Create devices (Page 136)
3. Configure communication relations (Page 138)

SCALANCE M-800 Getting Started


132 Getting Started, 07/2017, C79000-G8976-C337-05
VPN tunnel between SCALANCE M87x and SINEMA RC Server
5.2 Configuring access to the SINEMA RC server

Configure a remote connection on the M874


● Secure VPN connection with fingerprint (Page 140)
● Secure VPN connection with CA certificate
– Loading a certificate (Page 143)
– Configuring a VPN connection to the SINEMA RC Server (Page 144)

5.2 Configuring access to the SINEMA RC server

5.2.1 Activating IP masquerading


IP masquerading is used so that the internal IP addresses are not forwarded to external. In
addition to this, no further routing settings are necessary on the router.

Procedure
1. Click on "Layer 3" > "NAT" in the navigation area and on the "Masquerading" tab in the
content area.
2. Activate "Enable Masquerading" on the WAN interface.
– M874, M876-3: ppp0
– M876-4: usb0
– M826-2: vlan1
3. Click on "Set Values".

Result
Masquerading is enabled on the WAN interface. When a packet is sent via this interface, the
source address is rewritten to the IP address assigned to the WAN interface.

5.2.2 Allow access


So that the PC can access the SINEMA RC Server, on the device access from vlan1 to the
WAN interface is enabled.

Procedure
1. Click on "Security" > "Firewall" in the navigation area and on the "IP Rules" tab in the
content area.
2. Click "Create". A new entry is created in the table.

SCALANCE M-800 Getting Started


Getting Started, 07/2017, C79000-G8976-C337-05 133
VPN tunnel between SCALANCE M87x and SINEMA RC Server
5.3 Configuring a remote connection on the SINEMA RC Server

3. Configure the firewall rule with the following settings:

Action Accept
From vlan1 (internal)
To external
M874, M876-3: ppp0
M876-4: usb0
Source (Range) 0.0.0.0 (all IP addresses)
Destination (Range) 0.0.0.0 (all IP addresses)
Service all
As default, the service is always available

4. Click on "Set Values".

Result
Due to this firewall rule, all services between vlan1 and ppp0 or usb0 are possible without
restrictions, e.g. HTTPS

5.3 Configuring a remote connection on the SINEMA RC Server

5.3.1 Creating node groups


Users and devices can be put together in participant groups. You can also specify whether
the communication between the participants of an individual group is permitted or forbidden.
For this sample configuration, the following groups are created.
● Station1
● Station2
● Service
The Service group is required for the configuration example "OpenVPN tunnel between
SINEMA RC Client and SINEMA RC Server". You will find this example in the Getting
Started SINEMA RC Server.

SCALANCE M-800 Getting Started


134 Getting Started, 07/2017, C79000-G8976-C337-05
VPN tunnel between SCALANCE M87x and SINEMA RC Server
5.3 Configuring a remote connection on the SINEMA RC Server

Requirement
● The SINEMA RC Server is connected to the WAN.

Procedure
1. In the address box of the Web browser, enter the WAN IP address of the SINEMA RC
Server "https://<WAN IP address>", see table "Settings used (Page 129)".
2. Log in as the "admin" user and with the corresponding password.
3. In the navigation area, click "Remote connections" > "Participant groups". The participant
groups that have already been created are listed in the content area.
4. Click "Create". The page "New participant group" is opened.
5. For group name enter "Station1". Enable the setting "Members may communicate" and
click "Save".
6. Repeat steps 1 - 3 for the groups "Station2" and "Service"

Result
The participant groups have been created.

SCALANCE M-800 Getting Started


Getting Started, 07/2017, C79000-G8976-C337-05 135
VPN tunnel between SCALANCE M87x and SINEMA RC Server
5.3 Configuring a remote connection on the SINEMA RC Server

5.3.2 Create devices

Procedure
1. In the navigation area, click "Remote connections" > "Devices". The devices that have
already been created are listed in the content area.
2. Click "Create" button to create a new device.
3. Enter the device name for the device e.g. "M874_1" for station 1 and "M874_2" for station
2.
4. Click "Continue".
5. For "VPN connection mode", select "OpenVPN". Click "Continue".
6. Enable the parameter "Connected local subnets".
7. Enable the parameter "Device is a network gateway".
8. Configure the devices with the following settings:

Local LAN IP address IP address for vlan1 according to the table "Settings used
(Page 129)".
Network mask 255.255.255.0

9. Click "Continue". The "Group memberships" tab is displayed.


10.Enable the appropriate group.
For the device "M874_1" the group "Station1"
For the device "M874_2"" the group "Station2"
11.Click "Continue". The "Password" tab is displayed.
12.Specify the password for the access e.g. An:t_010 for M874_1 and An:t_020 for M874_2.
The password must be made up of uppercase and lowercase letters, numbers and
special characters.
13.Click "Exit".

Result
The devices are listed with the devices that have already been created.
● Device password
● Device ID
● Fingerprint
You will find the device ID and the fingerprint in the device information. Click on the
symbol to open the device information.

SCALANCE M-800 Getting Started


136 Getting Started, 07/2017, C79000-G8976-C337-05
VPN tunnel between SCALANCE M87x and SINEMA RC Server
5.3 Configuring a remote connection on the SINEMA RC Server

SCALANCE M-800 Getting Started


Getting Started, 07/2017, C79000-G8976-C337-05 137
VPN tunnel between SCALANCE M87x and SINEMA RC Server
5.3 Configuring a remote connection on the SINEMA RC Server

5.3.3 Configure communications relations


So that participant groups can communicate with each other, communication relations are
necessary. A communication relation can be created for every direction.
For this sample configuration, the following communication relations are created:

from group to the destination group


Service Station1
Station2
Station1 Station2

In this configuration example, communication is only from the group "Station 1" to the group
"Station 2". In the opposite direction, no communication is possible. For the communication
from the group "Station2" to the group "Station1" another communication relation is
necessary.
The group "Service" can also communicate with the groups "Station1" and "Station2" but
they cannot communicate with "Service".

Procedure
1. In the navigation area, click "Remote connections" > "Participant groups". The participant
groups that have already been created are listed in the content area.
2. For "Station1" in the "Actions" column click on the icon . The page "Destination group"
is opened.
3. Enable "Station2" and click on "Save".
4. Click "Exit dialog".
5. For "Service", click the symbol in the "Actions" column. The page "Destination group"
is opened.
6. Enable "Station1" and "Station2". Click "Save".
7. Click "Exit dialog".

SCALANCE M-800 Getting Started


138 Getting Started, 07/2017, C79000-G8976-C337-05
VPN tunnel between SCALANCE M87x and SINEMA RC Server
5.3 Configuring a remote connection on the SINEMA RC Server

Result
The communication relations have been created.
Click "Remote connections" > "Communication relations" in the navigation area. The created
relations are listed in the content area.

SCALANCE M-800 Getting Started


Getting Started, 07/2017, C79000-G8976-C337-05 139
VPN tunnel between SCALANCE M87x and SINEMA RC Server
5.4 Configuring a remote connection on the M87x

5.4 Configuring a remote connection on the M87x

5.4.1 Secure VPN connection with fingerprint

Requirement
● On PC1/2 there are two Web browser windows open.
● Web browser 1 for access to Web Based Management of SCALANCE M874.
● Web browser 2 for access to SINEMA RC.
● A valid KEY-PLUG is inserted in the M87x.

Procedure
1. Change to the Web browser for access to Web Based Management of the SCALANCE
M874.
– In the address box of the Web browser, enter the LAN IP address of the SCALANCE
M874, see table "Settings used (Page 129)".
– Log in as the "admin" user and with the corresponding password.
– Click "System" > "SINEMA RC" in the navigation area.
– For "Sinema RC Address", enter the WAN IP address of the SINEMA RC Server, see
table "Settings used (Page 129)".
2. Change to the Web browser for access to SINEMA RC.
– In the address box of the Web browser, enter the WAN IP address of the server, see
table "Settings used (Page 129)".
– Log in as the "admin" user and the corresponding password.
– In the navigation area, click "Remote connections" > "Devices".
– Click on the symbol in "Actions" to open the device information.
– Holding down the left mouse button, select the entry for device ID.
– Right-click on the selection and in the shortcut menu, select the copy command.
3. Change to the Web browser for access to Web Based Management of the SCALANCE
M874.
– Right click in the input box of "Device ID".
– In the shortcut menu, select the menu command for inserting.
– For "Device Password" enter the password that you configured for access, An:t_010
for M874-1 and An:t_020 for M874-2.
– Enable "Auto Firewall / NAT Rules".
When enabled, the suitable NAT and firewall rules are created automatically.
For "Verification Type" select "Fingerprint".

SCALANCE M-800 Getting Started


140 Getting Started, 07/2017, C79000-G8976-C337-05
VPN tunnel between SCALANCE M87x and SINEMA RC Server
5.4 Configuring a remote connection on the M87x

4. Change to the Web browser for access to SINEMA RC.


– Holding down the left mouse button, select the entry for fingerprint.
– Right-click on the selection and in the shortcut menu, select the copy command.
5. Change to the Web browser for access to Web Based Management of the SCALANCE
M874.
– Right click in the input box of "Fingerprint".
– In the shortcut menu, select the menu command for inserting.
– Select "Enable SINEMA RC".
– Click "Set Values".

Result
The device establishes a VPN tunnel to the SINEMA RC Server.
You can check in the WBM to see whether the connection was successful.
In the Web browser for access to Web Based Management of SCALANCE M874: In the
navigation area, click "Information" > "SINEMA RC".

SCALANCE M-800 Getting Started


Getting Started, 07/2017, C79000-G8976-C337-05 141
VPN tunnel between SCALANCE M87x and SINEMA RC Server
5.4 Configuring a remote connection on the M87x

Web browser for access to SINEMA RC: Click "Remote connections" > "Devices" in the
navigation area.

SCALANCE M-800 Getting Started


142 Getting Started, 07/2017, C79000-G8976-C337-05
VPN tunnel between SCALANCE M87x and SINEMA RC Server
5.4 Configuring a remote connection on the M87x

5.4.2 Secure VPN connection with CA certificate

5.4.2.1 Loading a certificate

Requirement
● The correct time is set on the M874 and the SINEMA RC Server.
● On PC1/2 there are two Web browser windows open.

Procedure
1. Change to the Web browser for access to SINEMA RC.
– In the address box of the Web browser, enter the WAN IP address of the SINEMA RC
Server, see table "Settings used (Page 129)".
– Log in as the "admin" user and the corresponding password.
– Click "Security" > "Certificates" in the navigation area.
– Click on the symbol in "Actions" to export the certificate.
2. Change to the Web browser for access to Web Based Management of the SCALANCE
M874.
– In the address box of the Web browser, enter the LAN IP address of the M874, see
table "Settings used (Page 129)".
– Log in as the "admin" user and with the corresponding password.
– Click on "System" > "Load&Save" in the navigation area and on the "Passwords"" tab
in the content area.
– Enter the device password in "X509Cert". Enable the entry and click on "Set Values".
– Click on the "HTTP" tab in the content area.
– Click the "Load" button next to "X509Cert". The dialog for loading a file is opened.
– Navigate to the exported server certificate. Click the "Open" button in the dialog.
The file is now loaded on the device. After loading successfully, confirm the next
dialog with "OK".

SCALANCE M-800 Getting Started


Getting Started, 07/2017, C79000-G8976-C337-05 143
VPN tunnel between SCALANCE M87x and SINEMA RC Server
5.4 Configuring a remote connection on the M87x

Result
The certificates are loaded. Certificates are displayed in "Security" > "Certificates". The
loaded certificates must have the status "Valid".

5.4.2.2 Configuring a VPN connection to the SINEMA RC Server

Requirement
● A valid SINEMA RC KEY-PLUG is inserted in the M87x.

Procedure
1. Change to the Web browser for access to Web Based Management of the SCALANCE
M874.
– Click "System > SINEMA RC" in the navigation area.
– For "Sinema RC Address", enter the WAN IP address of the SINEMA RC Server, see
table "Settings used (Page 129)".
2. Change to the Web browser for access to SINEMA RC.
– In the navigation area, click "Remote connections" > "Devices".
– Click on the symbol in "Actions" to open the device information.
– Holding down the left mouse button, select the entry for device ID.
– Right-click on the selection and in the shortcut menu, select the copy command.

SCALANCE M-800 Getting Started


144 Getting Started, 07/2017, C79000-G8976-C337-05
VPN tunnel between SCALANCE M87x and SINEMA RC Server
5.4 Configuring a remote connection on the M87x

3. Change to the Web browser for access to Web Based Management of the SCALANCE
M874.
– Right click in the input box of "Device ID".
– In the shortcut menu, select the menu command for inserting.
– For "Device Password" enter the password that you configured for access, An:t_010
for M874-1 and An:t_020 for M874-2.
– Enable "Auto Firewall / NAT Rules".
When enabled, the suitable NAT and firewall rules are created automatically.
For "Verification Type" select "CA Certificate".
– In "CA Certificate" select the server certificate. Only loaded certificates can be
selected.

– Activate "Enable SINEMA RC" and click on "Set Values".

Result
The device establishes a VPN tunnel to the SINEMA RC Server.
You can check in the WBM to see whether the connection was successful.

SCALANCE M-800 Getting Started


Getting Started, 07/2017, C79000-G8976-C337-05 145
VPN tunnel between SCALANCE M87x and SINEMA RC Server
5.4 Configuring a remote connection on the M87x

Web browser 1: In the navigation area, click "Information" > "SINEMA RC".

Web browser 2: Click "Remote connections" > "Devices" in the navigation area.

SCALANCE M-800 Getting Started


146 Getting Started, 07/2017, C79000-G8976-C337-05
VPN tunnel between two M-800s 6
6.1 Procedure in principle
In this example a secure VPN connection with certificates is established between two
SCALANCE M-800 devices.
In this example of a configuration the SCALANCE M81x in the master station is the VPN
server and this can be reached from the WAN via its fixed IP address. The SCALANCE
M87x in the station is the VPN client that establishes the connection to the VPN server when
necessary.

Layout

Internal network 1 / 2 - connection to SCALANCE M


● In the test setup in the internal network, a network node is implemented by an Admin PC
or SIMATIC station connected to an Ethernet interface of the SCALANCE M-800.
– Admin PC: Represents a node in the internal network
– M87x\M81x: SCALANCE M module for protection of the internal network
● Connection to the external, public network:
– Wireless via the antenna of the M87x to the mobile wireless network.
– Wired via the RJ-45 jack of the M81x to ADSL.

SCALANCE M-800 Getting Started


Getting Started, 07/2017, C79000-G8976-C337-05 147
VPN tunnel between two M-800s
6.1 Procedure in principle

Required devices/components
Use the following components to set up the network:
● Connection to the mobile wireless network
– 1 x M874 (additional option: a suitably installed standard rail with fittings)
– 1 x 24 V power supply with cable connector and terminal block plug
– 1 x suitable antenna
– 1 x SIM card of your mobile wireless provider. Suitable services are enabled, e.g.
Internet.
● Connecting to ADSL
– 1 x M812 or 1 x M816 (optionally also: a suitably installed standard rail with fittings)
– 1 x 24 V power supply with cable connector and terminal block plug
– ADSL access is enabled
● 1 x PC with which the SCALANCE M is connected.
● The required network cable, TP cable (twisted pair) complying with the IE FC RJ-45
standard for Industrial Ethernet

Settings used
For the configuration example, the devices are given the following IP address settings

Interface IP address
Master M81x ADSL Vlan 2 Fixed IP address, e.g. 90.90.90.90 (VPN ser-
station (external) ver)
Provider dependent
As an alternative, the DDNS hostname can
also be used.
Ethernet Vlan 1 192.168.100.1
(internal) 255.255.255.0
Admin PC Ethernet 192.168.100.20
(internal) 255.255.255.0
Station 1 M87x Mobile wirel- Vlan 2 Dynamic IP address
ess (VPN client)
(external)
Ethernet Vlan 1 192.168.11.2
(internal) 255.255.255.0
Admin PC Ethernet 192.168.11.40
(internal) 255.255.255.0

SCALANCE M-800 Getting Started


148 Getting Started, 07/2017, C79000-G8976-C337-05
VPN tunnel between two M-800s
6.1 Procedure in principle

Note
For the devices located in the internal network, the IP address of the internal port must be
entered as the standard gateway.

Requirement
● The SCALANCE M87x/SCALANCE M81x is connected to the WAN, refer to "Connecting
SCALANCE M to the WAN (Page 11)".
● The SCALANCE M87x/SCALANCE M81x can be reached via the Admin PC and you are
logged in to the WBM as "admin".
● The "Security Configuration Tool V4.x" is installed

Steps in configuration
1. Configuring a VPN tunnel with the SCT
– Creating the project and modules (Page 150)
– Configuring a tunnel connection (Page 153)
– Configuring VPN parameters (Page 155)
– Saving the M-800 configuration (Page 155)
2. Configuring the SCALANCE M81x (VPN server)
– Loading a certificate (Page 156)
– Configuring the VPN remote end (Page 158)
– Configuring a VPN connection (Page 159)
– Configuring VPN authentication (Page 159)
– Configuring phase 1 and phase 2 (Page 160)
– Activating VPN (Page 162)
– Establishing the VPN connection (Page 162)
3. Configuring the SCALANCE M87x (VPN client)
– Loading a certificate (Page 163)
– Configuring the VPN remote end (Page 165)
– Configuring a VPN connection (Page 166)
– Configuring VPN authentication (Page 166)
– Configuring phase 1 and phase 2 (Page 167)
– Activating VPN (Page 169)
– Establishing the VPN connection (Page 169)
4. Displaying the status of the VPN connection (Page 170)

SCALANCE M-800 Getting Started


Getting Started, 07/2017, C79000-G8976-C337-05 149
VPN tunnel between two M-800s
6.2 Configuring a VPN tunnel with the SCT

6.2 Configuring a VPN tunnel with the SCT

6.2.1 Creating the project and modules

Procedure
1. Start the Security Configuration Tool V4.x on the PC.
2. Select the menu command "Project" > "New".
3. In the dialog that follows, create a new user with a user name and the corresponding
password. The "administrator" role is assigned to the user automatically.
4. Confirm the dialog with "OK". A new project has been created and the "Selection of a
module or software configuration" dialog is open.

SCALANCE M-800 Getting Started


150 Getting Started, 07/2017, C79000-G8976-C337-05
VPN tunnel between two M-800s
6.2 Configuring a VPN tunnel with the SCT

5. Enter the values assigned to the M87x from the "Settings used (Page 147)" table.
With the M87x, the external IP address is not relevant. For the IP address (ext) use the
default settings.

6. Close the dialog with "OK".


7. Generate a second module with the "Insert" > "Module" menu command

SCALANCE M-800 Getting Started


Getting Started, 07/2017, C79000-G8976-C337-05 151
VPN tunnel between two M-800s
6.2 Configuring a VPN tunnel with the SCT

8. Enter the values assigned to the M81x from the "Settings used (Page 147)" table.

9. Close the dialog with "OK".

Result
The devices will then be displayed in the list of configured modules.

SCALANCE M-800 Getting Started


152 Getting Started, 07/2017, C79000-G8976-C337-05
VPN tunnel between two M-800s
6.2 Configuring a VPN tunnel with the SCT

6.2.2 Configuring a tunnel connection


A VPN tunnel for secure communication can only be established if the SCALANCE M81x
and the SCALANCE M87x are assigned to the same group.

Procedure
1. Select "VPN groups" in the navigation area and create a new group with the menu
command "Insert" > "Group". The group is automatically given the name "Group1".
2. Select the "All modules" entry in the navigation area.
3. Select the two entries in the content area. Drag the modules to "Group1". Both modules
are now assigned to "Group1".
4. Change to advanced mode with the menu command "View" > "Advanced mode".
5. Open the group properties of Group1 by selecting the "Properties ..." shortcut menu.

SCALANCE M-800 Getting Started


Getting Started, 07/2017, C79000-G8976-C337-05 153
VPN tunnel between two M-800s
6.2 Configuring a VPN tunnel with the SCT

6. For this configuration example, configure the group properties with the following settings.

7. Close the dialog with "OK".

Result
The configuration of the tunnel connection is complete.

SCALANCE M-800 Getting Started


154 Getting Started, 07/2017, C79000-G8976-C337-05
VPN tunnel between two M-800s
6.2 Configuring a VPN tunnel with the SCT

6.2.3 Configuring VPN parameters


In this configuration example, the M81x (VPN server) is "passive". The M81x waits for the
partner M87x to initiate the connection establishment.

Procedure
Configuring VPN parameters for M81x (VPN server)
1. Select the "M81xServer" in the content area.
2. Select the menu command "Edit" > "Properties". Click the "VPN" tab.
3. Click on the "VPN" tab.
4. For "Permission to initiate connection establishment", select the "Wait for partner
(responder)" entry.
5. Enter the WAN IP address e.g. 90.90.90.90
6. Click "Apply" and close the dialog with "OK".
Configuring VPN parameters for M87x (VPN client)
1. Select the "M81xServer" in the content area.
2. Select the menu command "Edit" > "Properties". Click on the "VPN" tab.
3. Click on the "VPN" tab.
4. For "Permission to initiate connection establishment", select the "Start connection to
partner (initiator/responder)" entry.
5. Click "Apply" and close the dialog with "OK".
6. Select the "Project" > "Save" menu command. Save the security project under the
required name.

Result
The security project is configured. The settings are saved in the configuration file.

6.2.4 Saving the configuration

Procedure
1. In the content area, select the "M81xServer" and select the menu command "Transfer" >
"To module(s) …".
2. Save the configuration file "Projectname.M81xServer.txt" in your project folder and assign
a password for the private key of the certificate, e.g. Di1S+Xo?.
3. In the content area, select the "M87xClient" and select the menu command "Transfer" >
"To module(s) …".
4. Save the configuration file "Projectname.M87xClient.txt" in your project folder and assign
a password for the private key of the certificate, e.g. Di1S+Xo?.

SCALANCE M-800 Getting Started


Getting Started, 07/2017, C79000-G8976-C337-05 155
VPN tunnel between two M-800s
6.3 Configuring the SCALANCE M81x (VPN server)

Result
The following files will be saved in the project directory:
● Configuration file: Project name of the module.txt
● PKCS12 file: Project name.string.name of the module.p12
● Remote certificate: Projectname.group1module name.cer
The configuration file contains the exported configuration information for the SCALANCE M-
800 devices including information on the additionally generated certificates. Follow the
instructions in the configuration file.

6.3 Configuring the SCALANCE M81x (VPN server)

6.3.1 Loading a certificate


The certificates are necessary to authenticate the VPN node and therefore for the
establishment of a secure VPN connection.
You obtain the information which certificate is to be loaded on which device from the
configuration file.

Requirement
● The correct time is set on the SCALANCE M-800, refer to the section Setting the time
(Page 27).
● Certificates are available.
You saved the required certificates on the PC in the last section and assigned a
password for the private key.
Transfer the certificates for the SCALANCE M-800 to the Admin PC.

Procedure
1. Click on "System" > "Load&Save" in the navigation area and on the "Passwords"" tab in
the content area.
2. To load the file successfully on the SCALANCE M enter the password specified for the
file in the line "X509Cert" in "Password" and "Password confirmation"
When you saved the configuration files of the SCALANCE M from the Security
Configuration Tool, you were requested to assign a password for the private key of the
certificate or to use the project name for this.
3. Enable the password

SCALANCE M-800 Getting Started


156 Getting Started, 07/2017, C79000-G8976-C337-05
VPN tunnel between two M-800s
6.3 Configuring the SCALANCE M81x (VPN server)

4. Click on "Set Values".

5. Click on the "HTTP" tab in the content area.

6. For "X509Cert" click the "Loading" button. The dialog for loading a file is opened.

SCALANCE M-800 Getting Started


Getting Started, 07/2017, C79000-G8976-C337-05 157
VPN tunnel between two M-800s
6.3 Configuring the SCALANCE M81x (VPN server)

7. Click the "Open" button in the dialog.


The file is now loaded on the device. After loading successfully, confirm the next dialog
with "OK".
8. Repeat steps 5 and 6 for the PKCS12 file.

Result
Certificates are loaded and are displayed in "Security" > "Certificates". The loaded
certificates must have the status "Valid".

6.3.2 Configuring the VPN remote end


In this example of a configuration the M81x in the master station is the VPN server that
accepts the connection of VPN partners with any IP address.

Procedure
1. Click on "Security" > "IPsec VPN" in the navigation area and on the "Remote End" tab in
the content area.
2. Enter the name of the VPN partner (tunnel endpoint) in "Remote End Name", e.g.
VPN_Client_M87x.
3. Click "Create". A new row is created in the table.
4. Configure the VPN remote end with the following settings from the configuration file:

Remote Mode Standard


Remote Type Any
Accepts the connection from VPN partners with any IP address
address from the remote subnet.
Remote Subnet 192.168.11.0/24
The subnet that can be reached through the VPN tunnel

5. Click on "Set Values".

SCALANCE M-800 Getting Started


158 Getting Started, 07/2017, C79000-G8976-C337-05
VPN tunnel between two M-800s
6.3 Configuring the SCALANCE M81x (VPN server)

6.3.3 Configuring a VPN connection

Requirement
● The VPN remote end has been created.

Procedure
1. Click on "Security" > "IPsec VPN" in the navigation area and on the "Connections" tab in
the content area.
2. In "Connection Name" enter a name for the VPN connection.
3. Configure the VPN connection with the following settings:

Operation Disabled
Keying Protocol IKEv2
Remote End VPN_Client_M87x
Name of the VPN remote station
Local Subnet 192.168.100.0/24
The local subnet 1 in CIDR notation.

4. Click on "Set Values".

6.3.4 Configuring VPN authentication


For secure communication via VPN, all VPN partners need to authenticate themselves with
each other. In this configuration example, the certificate of the VPN remote station.

Procedure
1. Click on "Security" > "IPsec VPN" in the navigation area and on the "Authentication" tab
in the content area.
2. Configure the VPN authentication with the following settings:

Authentication Remote Cert


Local certificate The precise names of the certificates and the remote ID can be
Remote Certificate found in the relevant configuration file.

Remote ID

SCALANCE M-800 Getting Started


Getting Started, 07/2017, C79000-G8976-C337-05 159
VPN tunnel between two M-800s
6.3 Configuring the SCALANCE M81x (VPN server)

3. Click on "Set Values".

6.3.5 Configuring phase 1 and phase 2


The settings must match on both devices.

Configuring phase 1
1. Click on "Security" > "IPsec VPN" in the navigation area and on the "Phase 1" tab in the
content area.
2. Deselect the "Default Ciphers" check box.
3. Select the "DPD" check box.
4. Configure phase 1 with the following settings from the configuration file:

Encryption AES 128


Authentication SHA1
Key Derivation DH group 14
Lifetime [min]: 2880
DPD Period [sec] 60
Aggressive Mode no

5. Click on "Set Values".

SCALANCE M-800 Getting Started


160 Getting Started, 07/2017, C79000-G8976-C337-05
VPN tunnel between two M-800s
6.3 Configuring the SCALANCE M81x (VPN server)

Configuring phase 2
1. Click on "Security" > "IPsec VPN" in the navigation area and on the "Phase 2" tab in the
content area.
2. Leave the "Default Ciphers" check box enabled.
When enabled, a preset list is transferred to the VPN connection partner during
connection establishment. The list contains a combination of the three algorithms
(Encryption, Authentication, Key Derivation). To establish a VPN connection, the VPN
connection partner must support at least one of the combinations. The selection depends
on the key exchange method.
3. Select the "DPD" check box.
4. Configure phase 1 with the following settings from the configuration file:

Encryption AES128
Authentication SHA1
Key Derivation DH group 14
Lifetime [min]: 2880

5. Enable "Auto Firewall Rules" The firewall rule is created automatically for the VPN
connection.

6. Click on "Set Values".

SCALANCE M-800 Getting Started


Getting Started, 07/2017, C79000-G8976-C337-05 161
VPN tunnel between two M-800s
6.3 Configuring the SCALANCE M81x (VPN server)

6.3.6 Activating VPN

Procedure
1. Click on "Security" > "IPsec VPN" in the navigation area and on the "General" tab in the
content area.
2. Enable the "IPsec VPN" setting.

3. Click on "Set Values".

6.3.7 Establishing the VPN connection


The M81x (VPN server) is configured as the reponder.

Procedure
1. Click on "Security" > "IPsec VPN" in the navigation area and on the "Connections" tab in
the content area.
2. As "Operation", select "wait" and click "Set Values".

SCALANCE M-800 Getting Started


162 Getting Started, 07/2017, C79000-G8976-C337-05
VPN tunnel between two M-800s
6.4 Configuring the SCALANCE M87x (VPN client)

6.4 Configuring the SCALANCE M87x (VPN client)

6.4.1 Loading a certificate


The certificates are necessary to authenticate the VPN node and therefore for the
establishment of a secure VPN connection.
You obtain the information which certificate is to be loaded on which device from the
configuration file.

Requirement
● The correct time is set on the SCALANCE M-800, refer to the section Setting the time
(Page 27).
● Certificates are available.
You saved the required certificates on the PC in the last section and assigned a
password for the private key.
Transfer the certificates for the SCALANCE M-800 to the Admin PC.

Procedure
1. Click on "System" > "Load&Save" in the navigation area and on the "Passwords"" tab in
the content area.
2. To load the file successfully on the SCALANCE M enter the password specified for the
file in the line "X509Cert" in "Password" and "Password confirmation"
When you saved the configuration files of the SCALANCE M from the Security
Configuration Tool, you were requested to assign a password for the private key of the
certificate or to use the project name for this.
3. Enable the password

SCALANCE M-800 Getting Started


Getting Started, 07/2017, C79000-G8976-C337-05 163
VPN tunnel between two M-800s
6.4 Configuring the SCALANCE M87x (VPN client)

4. Click on "Set Values".

5. Click on the "HTTP" tab in the content area.

6. For "X509Cert" click the "Loading" button. The dialog for loading a file is opened.

SCALANCE M-800 Getting Started


164 Getting Started, 07/2017, C79000-G8976-C337-05
VPN tunnel between two M-800s
6.4 Configuring the SCALANCE M87x (VPN client)

7. Click the "Open" button in the dialog.


The file is now loaded on the device. After loading successfully, confirm the next dialog
with "OK".
8. Repeat steps 5 and 6 for the PKCS12 file.

Result
Certificates are loaded and are displayed in "Security" > "Certificates". The loaded
certificates must have the status "Valid".

6.4.2 Configuring the VPN remote end


In the configuration example, the M87x in the station is the VPN client that establishes the
connection to the VPN server with a fixed IP address.

Procedure
1. Click on "Security" > "IPsec VPN" in the navigation area and on the "Remote End" tab in
the content area.
2. Enter the name of the VPN partner (tunnel endpoint) in "Remote End Name", e.g.
VPN_Server_M81x.
3. Click "Create". A new row is created in the table.
4. Configure the VPN remote end with the following settings from the configuration file:

Remote Mode Standard


Remote Type Manual
Remote Address Fixed external IP address of the M81x e.g. 90.90.90.90
Remote Subnet 192.168.100.0/24
The subnet that can be reached through the VPN tunnel

5. Click on "Set Values".

SCALANCE M-800 Getting Started


Getting Started, 07/2017, C79000-G8976-C337-05 165
VPN tunnel between two M-800s
6.4 Configuring the SCALANCE M87x (VPN client)

6.4.3 Configuring a VPN connection

Requirement
● The VPN remote end has been created.

Procedure
1. Click on "Security" > "IPsec VPN" in the navigation area and on the "Connections" tab in
the content area.
2. In "Connection Name" enter a name for the VPN connection.
3. Configure the VPN connection with the following settings:

Operation Disabled
Keying Protocol IKEv2
Remote End VPN_Server_M81x
Name of the VPN remote station
Local Subnet 192.168.11.0/24
The local subnet 1 in CIDR notation.

4. Click on "Set Values".

6.4.4 Configuring VPN authentication


For secure communication via VPN, all VPN partners need to authenticate themselves with
each other. In this configuration example, the certificate of the VPN remote station.

Procedure
1. Click on "Security" > "IPsec VPN" in the navigation area and on the "Authentication" tab
in the content area.
2. Configure the VPN authentication with the following settings:

Authentication Remote Cert


Local certificate The precise names of the certificates and the remote ID can be
Remote Certificate found in the relevant configuration file.

Remote ID

SCALANCE M-800 Getting Started


166 Getting Started, 07/2017, C79000-G8976-C337-05
VPN tunnel between two M-800s
6.4 Configuring the SCALANCE M87x (VPN client)

3. Click on "Set Values".

6.4.5 Configuring phase 1 and phase 2


The settings must match on both devices.

Configuring phase 1
1. Click on "Security" > "IPsec VPN" in the navigation area and on the "Phase 1" tab in the
content area.
2. Deselect the "Default Ciphers" check box.
3. Select the "DPD" check box.
4. Configure phase 1 with the following settings from the configuration file:

Encryption AES 128


Authentication SHA1
Key Derivation DH group 14
Lifetime [min]: 2880
DPD Period [sec] 60
Aggressive Mode no

5. Click on "Set Values".

SCALANCE M-800 Getting Started


Getting Started, 07/2017, C79000-G8976-C337-05 167
VPN tunnel between two M-800s
6.4 Configuring the SCALANCE M87x (VPN client)

Configuring phase 2
1. Click on "Security" > "IPsec VPN" in the navigation area and on the "Phase 2" tab in the
content area.
2. Leave the "Default Ciphers" check box enabled.
When enabled, a preset list is transferred to the VPN connection partner during
connection establishment. The list contains a combination of the three algorithms
(Encryption, Authentication, Key Derivation). To establish a VPN connection, the VPN
connection partner must support at least one of the combinations. The selection depends
on the key exchange method.
3. Select the "DPD" check box.
4. Configure phase 1 with the following settings from the configuration file:

Encryption AES128
Authentication SHA1
Key Derivation DH group 14
Lifetime [min]: 2880

5. Enable "Auto Firewall Rules" The firewall rule is created automatically for the VPN
connection.

6. Click on "Set Values".

SCALANCE M-800 Getting Started


168 Getting Started, 07/2017, C79000-G8976-C337-05
VPN tunnel between two M-800s
6.4 Configuring the SCALANCE M87x (VPN client)

6.4.6 Activating VPN

Procedure
1. Click on "Security" > "IPsec VPN" in the navigation area and on the "General" tab in the
content area.
2. Enable the "IPsec VPN" setting.

3. Click on "Set Values".

6.4.7 Establishing the VPN connection


The M87x (VPN client) is configured as the initiator of the VPN tunnel and establishes the
VPN connection to the SCALANCE M87x (VPN server)

Procedure
1. Click on "Security" > "IPsec VPN" in the navigation area and on the "Connections" tab in
the content area.
2. As "Operation", select "start" and click "Set Values".

SCALANCE M-800 Getting Started


Getting Started, 07/2017, C79000-G8976-C337-05 169
VPN tunnel between two M-800s
6.5 Displaying the status of the VPN connection

6.5 Displaying the status of the VPN connection


The devices are configured and connected to the Internet. The M87x (VPN client) starts
connection establishment to the M81x (VPN server). To display the status of the VPN
connection, you have the following options:
● Status display in the WBM
● LED display

Status display in the WBM


In the navigation area, click "Information" > "IPsec VPN". "Status" displays the status of the
configured VPN connection.

LED display
If the VPN connection is established, the LED is lit green on the device.

SCALANCE M-800 Getting Started


170 Getting Started, 07/2017, C79000-G8976-C337-05
NETMAP with SCALANCE M-800 7
In these examples, two different IP subnets are connected together via a SCALANCE M-
800. Between the two SCALANCE M devices a VPN tunnel is established. The VPN
connection is initiated by the M876. Via the established tunnel, the addresses are translated
with NETMAP. In this translation, the subnet part of the IP address is changed and the host
part remains.
NETMAP can translate both the source IP address and the destination IP address.

Local area network - connection to SCALANCE M-800


● In the test setup, in the local network, a network node is implemented by a PC connected
to an Ethernet interface of the SCALANCE M-800.
– PC: represents a node in the local network
– M-800: SCALANCE M module for protection of the internal network
● Connection to the external network:
– Wireless via the antenna of the M87x to the mobile wireless network.

SCALANCE M-800 Getting Started


Getting Started, 07/2017, C79000-G8976-C337-05 171
NETMAP with SCALANCE M-800

Remote network - connection to M-800


● In the test setup, in the remote network, the network node is implemented by a PC in
each case connected to an Ethernet interface of the SCALANCE M-800.
– PC: represents a node in the remote network
– M-800: SCALANCE M module for protection of the external network
● Connection to the external network
Wired via the RJ-45 jack of the M816 to ADSL.

Required devices/components
Use the following components to set up the network:
● Connection to the mobile wireless network
– 1 x M876 (additional option: a suitably installed standard rail with fittings)
– 1 x 24 V power supply with cable connector and terminal block plug
– 1 x suitable antenna
– 1 x SIM card of your mobile wireless provider. Suitable services are enabled, e.g.
Internet.
● Connecting to ADSL
– 1 x M816 (additional option: a suitably installed standard rail with fittings)
– 1 x 24 V power supply with cable connector and terminal block plug
– ADSL access is enabled
● 2 x PCs connected to the SCALANCE M-800.
● The required network cable, TP cable (twisted pair) complying with the IE FC RJ-45
standard for Industrial Ethernet

Note
You can also use other SCALANCE M-800 devices. The configuration described below
relates explicitly to the components mentioned in the Section "Required
devices/components".

SCALANCE M-800 Getting Started


172 Getting Started, 07/2017, C79000-G8976-C337-05
NETMAP with SCALANCE M-800

Settings used
For the configuration example, the devices are given the following IP address settings:

Name Interface IP address


Station M876 LAN interface 192.168.20.1
IP subnet 1 P1 255.255.255.0
(vlan1)
WAN interface Dynamic IP address from the provider
(ppp0) The device is, however, reachable via a dynamic
DNS service, e.g. example.no-ip.com
PC1 LAN interface 192.168.20.20
255.255.255.0
Master station M816 LAN interface 192.168.10.1
IP subnet 2 P1 255.255.255.0
(vlan1)
WAN interface Fixed IP address (WAN IP address), e.g.
(ppp0) 91.19.6.84
PC2 Ethernet 192.168.10.10
(LAN 2) 255.255.255.0

Examples
There are the following examples of NETMAP
1. NETMAP for the local network (Page 174)
2. NETMAP for the remote network (Page 178)
3. NETMAP for the local and remote network (Page 183)

SCALANCE M-800 Getting Started


Getting Started, 07/2017, C79000-G8976-C337-05 173
NETMAP with SCALANCE M-800
7.1 NETMAP for the local network

7.1 NETMAP for the local network

With NETMAP of the local network, the source address ① e.g. 192.168.20.20 is translated.
In this translation, the subnet part of the IP address is changed and the host part remains. In
the example, the subnet part is 192.168.20.0. This subnet part is replaced by 192.168.200.0.
The source IP address is translated by the M876 ② and forwarded to the destination ③.
With incoming queries ③, the destination IP address 192.168.200.0 is replaced by
192.168.20.0. The destination IP address is translated by the M876 ② and forwarded to the
destination ①. Only the NETMAP rules for the direction of the query are necessary. The
NETMAP rules for the replies are added implicitly. When PC1 sends a query to PC2, the
reply is translated based on it. This, however, does not apply to queries from PC2 to PC1.
For this, the following NETMAP rules are created on the M876 (initiator):

Local network > remote network:


The source IP subnet 192.168.20.0/24 is replaced by 192.168.200.0/24.
Remote network > local network:
The destination IP subnet 192.168.200.0/24 is replaced by 192.168.20.0/24
The two devices also communicate via a VPN tunnel.

SCALANCE M-800 Getting Started


174 Getting Started, 07/2017, C79000-G8976-C337-05
NETMAP with SCALANCE M-800
7.1 NETMAP for the local network

Requirement
● The SCALANCE M-800 is connected to the WAN , refer to "Connecting SCALANCE M-
800 to the WAN (Page 43)".
● The SCALANCE M-800 can be reached via the admin PC and you are logged in to the
WBM as a user with the role "admin".

Steps in configuration
The following steps are necessary to create NETMAP rules:
1. Creating a VPN connection (Page 175)
2. Creating NETMAP rules (Page 177)

7.1.1 Creating a VPN connection

Procedure
1. Click on "Security" > "IPsec VPN" in the navigation area and on the "General" tab in the
content area.
2. Activate "Enable IPsec VPN" and click "Set Values".
3. Click on the "Remote End" tab in the content area and create the VPN partner with the
following settings:

On the M816 On the M876


Remote End Name M876 M816
Remote Mode Standard Standard
Remote Type Manual Manual
Remote Address Reachable via a dynamic DNS Fixed IP address (WAN IP address) of
service, e.g. example.no-ip.com the M816, e.g. 91.19.6.84
Remote Subnet 192.168.200.0/24 192.168.10.0/24

4. Click on the "Connections" tab in the content area and create the VPN connection with
the following settings:

On the M816 On the M876


Connection Name M816_to_M876 M876_to_M816
Operation Disabled Disabled
Keying Protocol IKv2 IKv2
Remote End M876 M816
Local Subnet 192.168.10.0/24 192.168.20.0/24

SCALANCE M-800 Getting Started


Getting Started, 07/2017, C79000-G8976-C337-05 175
NETMAP with SCALANCE M-800
7.1 NETMAP for the local network

5. Click on the "Authentication" tab in the content area and configure the VPN authentication
with the following settings:

On the M816 On the M876


Authentication PSK PSK
Local ID - -
Remote ID - -
PSK / PSK Confirma- e. g. 12345678 e. g. 12345678
tion

6. Click on the "Phase 1" tab in the content area and configure the following settings:

M816 / M876
DPD enabled
Encryption AES256 CBC (M87x)
AES256 (M81x)
Authentication SHA512
Key Derivation DH group 14
Lifetime [min]: 1440
DPD Period [sec] 60
Aggressive Mode no

7. Click on the "Phase 2" tab in the content area and configure the following settings:

M816 / M876
Encryption AES256 CBC (M87x)
AES256 (M816)
Authentication SHA512
Key Derivation DH group 14
Lifetime [min]: 1440

Result
The VPN connection on the devices is configured. To establish the VPN connection, click on
the "Connections" tab in the content area.
For "Operation" select the following and click "Set Values"

On the M816 On the M876


Operation wait start
(Responder) (Initiator)

The M876 establishes the VPN tunnel to the M816. If the VPN tunnel is established, the
LED is lit green on the devices.

SCALANCE M-800 Getting Started


176 Getting Started, 07/2017, C79000-G8976-C337-05
NETMAP with SCALANCE M-800
7.1 NETMAP for the local network

7.1.2 Creating NETMAP rules

Requirement
● The VPN connection M876_to_M816 is configured, see Creating a VPN connection
(Page 175).

Procedure
1. Click on "Layer 3" > "NAT" in the navigation area and on the "NETMAP" tab in the content
area.
2. Specify the NETMAP rule for the outgoing queries with the following settings:

Type Source
Source Interface vlan1
Destination Interface IPsec M876_to_M816
Source IP Subnet 192.168.20.0/24
Translated Source IP Subnet 192.168.200.0/24
Destination IP Subnet 192.168.10.0/24

3. Click "Create". A new row is created in the table with the settings.
4. Specify the NETMAP rule for the incoming queries with the following settings:

Type Destination
Source Interface IPsec M876_to_M816
Destination Interface vlan1
Source IP Subnet 192.168.10.0/24
Destination IP Subnet 192.168.200.0/24
Translated Destination IP Subnet 192.168.20.0/24

5. Click "Create". A new row is created in the table with the settings.
6. Click on "Set Values".

SCALANCE M-800 Getting Started


Getting Started, 07/2017, C79000-G8976-C337-05 177
NETMAP with SCALANCE M-800
7.2 NETMAP for the remote network

Result
The rules for the outgoing and incoming queries have been created.

7.2 NETMAP for the remote network

SCALANCE M-800 Getting Started


178 Getting Started, 07/2017, C79000-G8976-C337-05
NETMAP with SCALANCE M-800
7.2 NETMAP for the remote network

With NETMAP of the remote network, the destination ① e.g. 192.168.100.10 is translated.
In the example, the subnet part is 192.168.100.0 and this is replaced by 192.168.10.0. This
means that the remote network can also be reached in addition to 192.168.10.0 also via
192.168.100.0. The destination IP address is translated by the M876 ② and forwarded to
the destination ③.
With incoming queries ③, the source IP address 192.168.10.0 is replaced by
192.168.100.0. The source IP address is translated by the M876 ② and forwarded to the
destination ①.
Only the NETMAP rules for the direction of the query are necessary. The NETMAP rules for
the replies are added implicitly. When PC1 sends a query to PC2, the reply is translated
based on it. This, however, does not apply to queries from PC2 to PC1.
For this, the following NETMAP rules are created on the M876 (initiator):

Local network > remote network:


The destination IP subnet 192.168.100.0/24 is replaced by 192.168.10.0/24.
Remote network > local network:
The source IP subnet 192.168.10.0/24 is replaced by 192.168.100.0/24
The two devices should also communicate with each other via a VPN tunnel.

Requirement
● The SCALANCE M-800 is connected to the WAN , refer to "Connecting SCALANCE M-
800 to the WAN (Page 11)".
● The SCALANCE M-800 can be reached via the Admin PC and you are logged in to the
WBM as "admin".

Steps in configuration
The following steps are necessary
1. Creating a VPN connection (Page 180)
2. Creating NETMAP rules (Page 181)

SCALANCE M-800 Getting Started


Getting Started, 07/2017, C79000-G8976-C337-05 179
NETMAP with SCALANCE M-800
7.2 NETMAP for the remote network

7.2.1 Creating a VPN connection

Procedure
1. Click on "Security" > "IPsec VPN" in the navigation area and on the "General" tab in the
content area.
2. Activate "Enable IPsec VPN" and click "Set Values".
3. Click on the "Remote End" tab in the content area and create the VPN partner with the
following settings:

On the M816 On the M876


Remote End Name M876 M816
Remote Mode Standard Standard
Remote Type Manual Manual
Remote Address Reachable via a dynamic DNS Fixed IP address (WAN IP address) of
service, e.g. example.no-ip.com the M816, e.g. 91.19.6.84
Remote Subnet 192.168.20.0/24 192.168.10.0/24

4. Click on the "Connections" tab in the content area and create the VPN connection with
the following settings:

On the M816 On the M876


Connection Name M816_to_M876_2 M876_to_M816_2
Operation Disabled Disabled
Keying Protocol IKv2 IKv2
Remote End M876 M816
Local Subnet 192.168.10.0/24 192.168.20.0/24

5. Click on the "Authentication" tab in the content area and configure the VPN authentication
with the following settings:

On the M816 On the M876


Authentication PSK PSK
Local ID - -
Remote ID - -
PSK / PSK Confirma- e. g. 12345678 e. g. 12345678
tion

SCALANCE M-800 Getting Started


180 Getting Started, 07/2017, C79000-G8976-C337-05
NETMAP with SCALANCE M-800
7.2 NETMAP for the remote network

6. Click on the "Phase 1" tab in the content area and configure the following settings:

M816 / M876
DPD enabled
Encryption AES256 CBC (M87x)
AES256 (M81x)
Authentication SHA512
Key Derivation DH group 14
Lifetime [min]: 1440
DPD Period [sec] 60
Aggressive Mode no

7. Click on the "Phase 2" tab in the content area and configure the following settings:

M816 / M876
Encryption AES256 CBC (M87x)
AES256 (M81x)
Authentication SHA512
Key Derivation DH group 14
Lifetime [min]: 1440

Result
The VPN connection on the devices is configured. To establish the VPN connection, click on
the "Connections" tab in the content area.
For "Operation" select the following and click "Set Values"

On the M816 On the M876


Operation wait start
(Responder) (Initiator)

The M876 establishes the VPN tunnel to the M816. If the VPN tunnel is established, the
LED is lit green on the devices.

7.2.2 Creating NETMAP rules

Requirement
● The VPN connection M876_to_M816_2 is configured, see Creating a VPN connection
(Page 180).

SCALANCE M-800 Getting Started


Getting Started, 07/2017, C79000-G8976-C337-05 181
NETMAP with SCALANCE M-800
7.2 NETMAP for the remote network

Procedure
1. Click on "Layer 3" > "NAT" in the navigation area and on the "NETMAP" tab in the content
area.
2. Specify the NETMAP rule for the outgoing queries with the following settings:

Type Destination
Source Interface vlan1
Destination Interface IPsec M876_to_M816_2
Source IP Subnet 192.168.20.0/24
Destination IP Subnet 192.168.100.0/24
Translated Destination IP Subnet 192.168.10.0/24

3. Click "Create". A new row is created in the table with the settings.
4. Specify the NETMAP rule for the incoming queries with the following settings:

Type Source
Source Interface IPsec M876_to_M816_2
Destination Interface vlan1
Source IP Subnet 192.168.10.0/24
Translated Source IP Subnet 192.168.100.0/24
Destination IP Subnet 192.168.20.0/24

5. Click "Create". A new row is created in the table with the settings.
6. Click on "Set Values".

Result
The rules for the outgoing and incoming queries have been created.

SCALANCE M-800 Getting Started


182 Getting Started, 07/2017, C79000-G8976-C337-05
NETMAP with SCALANCE M-800
7.3 NETMAP for the local and remote network

7.3 NETMAP for the local and remote network

In this example, the NETMAP rules from NETMAP for the local network (Page 174)and from
NETMAP for the remote network (Page 178) are combined. There is, however, a special
feature with the outgoing queries. Outgoing queries, whose source IP address is translated
from 192.168.20.0 to 192.168.200.0, must be able to have both the IP address
192.168.10.10 as well as 192.168.100.10 as the destination IP address. For translating the
destination IP address a further NETMAP rule is required. The addresses are translated by
the M876 ② and forwarded to the destination ③.
With the incoming query both IP addresses are exchanged.

Local network > remote network:


The source IP subnet 192.168.20.0/24 is replaced by 192.168.200.0/24.
The destination IP subnet 192.168.100.0/24 is replaced by 192.168.10.0/24.

With queries with the destination IP subnet 192.168.100.0/24 the source IP subnet
192.168.20.0/24 is replaced by 192.168.200.0/24.

SCALANCE M-800 Getting Started


Getting Started, 07/2017, C79000-G8976-C337-05 183
NETMAP with SCALANCE M-800
7.3 NETMAP for the local and remote network

Remote network > local network:


The destination IP subnet 192.168.200.0/24 is replaced by 192.168.20.0/24
The source IP subnet 192.168.10.0/24 is replaced by 192.168.100.0/24

The two devices should also communicate with each other via a VPN tunnel.

Requirement
● The SCALANCE M-800 is connected to the WAN , refer to "Connecting SCALANCE M-
800 to the WAN (Page 11)".
● The SCALANCE M-800 can be reached via the admin PC and you are logged in to the
WBM as a user with the role "admin".

Steps in configuration
The following steps are necessary
1. Creating a VPN connection (Page 184)
2. Creating NETMAP rules (Page 186)

7.3.1 Creating a VPN connection

Procedure
1. Click on "Security" > "IPsec VPN" in the navigation area and on the "General" tab in the
content area.
2. Activate "Enable IPsec VPN" and click "Set Values".
3. Click on the "Remote End" tab in the content area and create the VPN partner with the
following settings:

On the M816 On the M876


Remote End Name M876 M816
Remote Mode Standard Standard
Remote Type Manual Manual
Remote Address Reachable via a dynamic DNS Fixed IP address (WAN IP address) of
service, e.g. example.no-ip.com the M816, e.g. 91.19.6.84
Remote Subnet 192.168.200.0/24 192.168.10.0/24

SCALANCE M-800 Getting Started


184 Getting Started, 07/2017, C79000-G8976-C337-05
NETMAP with SCALANCE M-800
7.3 NETMAP for the local and remote network

4. Click on the "Connections" tab in the content area and create the VPN connection with
the following settings:

On the M816 On the M876


Connection Name M816_to_M876 M876_to_M816
Operation Disabled Disabled
Keying Protocol IKv2 IKv2
Remote End M876 M816
Local Subnet 192.168.10.0/24 192.168.20.0/24

5. Click on the "Authentication" tab in the content area and configure the VPN authentication
with the following settings:

On the M816 On the M876


Authentication PSK PSK
Local ID - -
Remote ID - -
PSK / PSK Confirma- e. g. 12345678 e. g. 12345678
tion

6. Click on the "Phase 1" tab in the content area and configure the following settings:

M816 / M876
DPD enabled
Encryption AES256 CBC (M87x)
AES256 (M81x)
Authentication SHA512
Key Derivation DH group 14
Lifetime [min]: 1440
DPD Period [sec] 60
Aggressive Mode no

7. Click on the "Phase 2" tab in the content area and configure the following settings:

M816 / M876
Encryption AES256 CBC (M87x)
AES256 (M816)
Authentication SHA512
Key Derivation DH group 14
Lifetime [min]: 1440

SCALANCE M-800 Getting Started


Getting Started, 07/2017, C79000-G8976-C337-05 185
NETMAP with SCALANCE M-800
7.3 NETMAP for the local and remote network

Result
The VPN connection on the devices is configured. To establish the VPN connection, click on
the "Connections" tab in the content area.
For "Operation" select the following and click "Set Values"

On the M816 On the M876


Operation wait start
(Responder) (Initiator)

The M876 establishes the VPN tunnel to the M816. If the VPN tunnel is established, the
LED is lit green on the devices.

7.3.2 Creating NETMAP rules

Requirement
● The VPN connection M876_to_M816_2 is configured, see Creating a VPN connection
(Page 184).
● The NETMAP rules for the local network (Page 181)have been created.
● The NETMAP rules for the remote network (Page 177)have been created.

Procedure
1. Click on "Layer 3" > "NAT" in the navigation area and on the "NETMAP" tab in the content
area.
2. Specify the NETMAP rule for the outgoing queries with the following settings:

Type Source
Source Interface vlan1
Destination Interface IPSec M876_to_M816_2
Source IP Subnet 192.168.20.0/24
Translated Source IP Subnet 192.168.100.0/16
Destination IP Subnet 192.168.200.0/24

3. Click "Create". A new row is created in the table with the settings.
4. Click on "Set Values".

SCALANCE M-800 Getting Started


186 Getting Started, 07/2017, C79000-G8976-C337-05
NETMAP with SCALANCE M-800
7.3 NETMAP for the local and remote network

Result
The rules for the outgoing and incoming queries have been created.

SCALANCE M-800 Getting Started


Getting Started, 07/2017, C79000-G8976-C337-05 187
NETMAP with SCALANCE M-800
7.3 NETMAP for the local and remote network

SCALANCE M-800 Getting Started


188 Getting Started, 07/2017, C79000-G8976-C337-05
Reporting and switching by SMS 8
8.1 Introduction
A SCALANCE M87x should be able to send important information about the plant status,
alarm messages or warnings to a service employee or a master station as an event SMS
message. In the other direction the device should be able to receive and interpret command
SMS messages.

Examples
For the SMS there are the following configuration examples
1. The SCALANCE M87x generates an event SMS message and sends this to certain
recipients.
2. The SCALANCE M87x receives a command SMS message and evaluates it.

8.2 Generating and sending an event SMS message

8.2.1 Introduction
A service technician wants to monitor the connection on the Ethernet interface from a
distance. If the Ethernet interface changes from "Link up" to "Link down" the technician
should receive a corresponding event SMS message (event link).
In addition to this the technician wants to monitor the digital input. Each time the door in the
station is opened (event Door), the signal at the digital input changes from 0 (LOW) to 1
(HIGH) (rising edge).

SCALANCE M-800 Getting Started


Getting Started, 07/2017, C79000-G8976-C337-05 189
Reporting and switching by SMS
8.2 Generating and sending an event SMS message

Requirement
● The SCALANCE M87x is connected to the WAN, refer to "Connecting SCALANCE M87x
to the WAN (Page 11)".
● The access parameters for the SCALANCE M87x are configured.
● The SCALANCE M87x can be reached via the admin PC and you are logged in to the
WBM as a user with the role "admin".

Steps in configuration
The following steps are necessary:
1. Configuring an event (Page 190)
2. Configuring sending of an SMS message (Page 191)

8.2.2 Configuring an event

Enabling fault monitoringr check Link Change


1. Click on "System > "Fault Monitoring" in the navigation area and on the "Link Change" tab
in the content area.
2. For P1 and P2 select the entry "Down".
3. Click on "Set Values".

Enabling SMS for an event


1. Click on "System" > "Events" in the navigation area and on the "Configuration" tab in the
content area.
2. For the event enable "Link Change" and "Digital Input" "SMS"
3. Click on "Set Values".

Result
Event link: When the Ethernet interface loses the connection to the node, this causes the
fault LED to light up on the device and the sending of an event SMS message.
Event Door: Each time the digital input switches, an event SMS message is sent. So that the
SMS message is sent, you need to configure the sending of SMS messages.

SCALANCE M-800 Getting Started


190 Getting Started, 07/2017, C79000-G8976-C337-05
Reporting and switching by SMS
8.2 Generating and sending an event SMS message

8.2.3 Configuring the sending of SMS messages

Configuring the sending of SMS messages


1. Click "System" > "SMS" in the navigation area.
2. On the "General" tab only change the phone number of the SMS master station if you do
not use the standard SMS master station. The standard SMS master station is stored on
the SIM card.
3. Click the "Event SMS" tab.
4. Enable the "Event SMS " function.
5. In "Phone Number" enter the full telephone number of the recipient including the country
dialing code e.g. +49xxxxxxxx.
6. Click "Create". A new row with a unique number is created in the table.
You can also specify several recipients. To do this repeat steps 5 and 6.
7. Enable the setting "Send" for the required recipient. The recipient only receives an event
SMS message when the setting is enabled.
8. Click on "Set Values".

Result
The service technician is configured as the recipient. When the Ethernet interface changes
from "Link up" to "Link down", the device generates an event SMS message and sends this
to the configured recipient.

SCALANCE M-800 Getting Started


Getting Started, 07/2017, C79000-G8976-C337-05 191
Reporting and switching by SMS
8.3 Receiving and evaluating a command SMS message

Adapting an SMS message for the digital input


1. Enter the required SMS text. A maximum of 160 characters are permitted as SMS text.
– On a "Rising edge" e.g. Door open.
– On a "Falling edge" e.g. Door closed.

Note
Characters permitted for the SMS text
The following characters are permitted in the text:
• 0123456789
• A...Z a...z
• Space
• !%&/()=*+<>',.-

2. So that the service technician receives an event SMS message for both switching
operations select "Both" for "Sending Option".
3. Click on "Set Values".

8.3 Receiving and evaluating a command SMS message

8.3.1 Introduction
This configuration example is based on the section "VPN tunnel between an M87x and a
SINEMA RC server (Page 129)". The VPN tunnel should be established as the result of a
command SMS message. The configuration example contains the following descriptions.
● To wake a station, the SINEMA RC Server sends an e-mail. The e-mail is sent to an SMS
gateway via an SMTP server. The SMS gateway converts the e-mail into a wake-up SMS
message and transfers this to the M87x device. When the SMS message is accepted, the
device establishes the connection to the SINEMA RC Server.
● The service technician sends a wake-up SMS message to the M87x in station 2. The
device starts the VPN connection and establishes the VPN tunnel to SINEMA RC Server.
To check whether the VPN connection to the SINEMA RC Server still exists, it checks the
status with a command SMS message.

SCALANCE M-800 Getting Started


192 Getting Started, 07/2017, C79000-G8976-C337-05
Reporting and switching by SMS
8.3 Receiving and evaluating a command SMS message

Requirement
● Configuration example VPN tunnel between an M87x and a SINEMA RC Server
(Page 129).

Steps in configuration
The SINEMA RC Server sends a wake-up SMS message
1. Configure settings on the SINEMA RC Server V1.2
– Configure SMS message & e-mail (Page 194)
– Change device settings (Page 195)
2. Configure receipt of the command SMS message on the M87x (Page 195)
Service technician sends a command SMS message
1. Start VPN connection with command SMS message (Page 196)
2. Query status of the VPN connection with command SMS message (Page 197)

SCALANCE M-800 Getting Started


Getting Started, 07/2017, C79000-G8976-C337-05 193
Reporting and switching by SMS
8.3 Receiving and evaluating a command SMS message

8.3.2 SINEMA RC Server sends a wake-up SMS message

8.3.2.1 Configuring settings on the SINEMA RC Server

Configuring SMS message & e-mail

Requirement
● The SINEMA RC Server V1.2 is connected to the WAN.
● The SINEMA RC Server V1.2 can be reached via PC3 and you are logged in to the WBM
as a user with the role "admin".

Procedure
1. Click "System > SMS & E-mail" in the navigation area and on "SMS gateway provider" in
the content area.
2. A list of the already existing SMS gateway providers is displayed. As default the data of
four network providers is already set In this configuration example, the relevant SMS
gateway provider is included in the llst.
3. For the SMS gateway provider in the "Actions" click on "Edit SMS gateway provider".
4. Configure the following settings

Sender number Identification that is transferred in the e-mail.


Address Email address of the recipient of the SMS message
The e-mail address is generally made up of the call number of the
SIM card and the SMS gateway name.
Check with your network provider whether or not it is necessary to
send an activation SMS message.
You will find further information on this in the Operating Instruc-
tions of the SINEMA RC Server.

1. Click "Save".
2. Click on the "Settings" tab in the content area.

SCALANCE M-800 Getting Started


194 Getting Started, 07/2017, C79000-G8976-C337-05
Reporting and switching by SMS
8.3 Receiving and evaluating a command SMS message

3. Configure the following settings

Method of delivery SMTP relay server


Sender E-mail address of the user account of the SMTP relay server
SMTP relay server Enter the name or the IP address of the SMTP relay server that
forwards the received e-mails.
SMTP relay port Specify the port on which the SMTP relay server accepts connec-
tions. As default port 587 is set so that mail is received only from
authenticated users.
Transport Layer Security Opportunistic
(TLS)
Server requires authenticati- Some SMTP relay servers require a login. Enter the user name
on and the password. Some providers use the e-mail address as the
user name. You will obtain more detailed information from your
provider.

4. Click "Save".

Result
The settings for SMS and e-mail are configured. To test them you can send an e-mail. Click
on "Test E-Mail" in the content area. To do this, enter the recipient, the subject and a text.
Then click the "Send" button.

Changing device settings

Procedure
1. In the navigation area, click "Remote connections" > "Devices". The devices that have
already been created are listed in the content area.
2. For the entry "M874_2" in the actions, click on "Edit device".
3. Change the following device settings:

Connection type Wake-up SMS


SMS gateway provider Select the SMS gateway provider.
GSM number Call number of the end device to which a wake-up SMS is sent.

4. Click "Save".
5. Click "Exit dialog".

8.3.2.2 Configuring receipt of the command SMS message on the M87x

Requirement
● The SCALANCE M87x can be reached via the admin PC and you are logged in to the
WBM as a user with the role "admin".

SCALANCE M-800 Getting Started


Getting Started, 07/2017, C79000-G8976-C337-05 195
Reporting and switching by SMS
8.3 Receiving and evaluating a command SMS message

Procedure
1. Click on "System" > "SMS" in the navigation area and on the "SMS Command" tab in the
content area.
2. Select "Enable Command SMS".
3. For "Phone Number / Sender Identifier" specify the "Sender Number" you specified in
"Configuring SMS message & e-mail".
The sender number is for identification. The device accepts the command SMS only if the
sender number is included.
4. Click "Create". A new row with a unique number is created in the table.
5. Enable "Relay" and "System".
6. Click on "Set Values".

8.3.3 Service technician sends a command SMS message

8.3.3.1 Start VPN connection with command SMS message

Requirement
● The SCALANCE M87x can be reached via the admin PC and you are logged in to the
WBM as a user with the role "admin".

Procedure
1. Click on "System" > "SMS" in the navigation area and on the "SMS Command" tab in the
content area.
2. Select "Enable Command SMS".
3. Enter the "Phone Number" of the service technician in "Phone Number / Sender
Identifier". The phone number is necessary for the device to accept the command SMS
from the mobile phone of the service technician.
4. Click "Create". A new row with a unique number is created in the table.
5. Enable "Relay" and "System".
6. Click on "Set Values".
7. The service technician sends a command SMS to start the connection to the SINEMA RC
Server.
SYS SRC UP <address of the SINEMA RC Server>, e.g. SYS SRC UP 90.90.90.90

Result
The device establishes the connection to the SINEMA RC Server.

SCALANCE M-800 Getting Started


196 Getting Started, 07/2017, C79000-G8976-C337-05
Reporting and switching by SMS
8.3 Receiving and evaluating a command SMS message

8.3.3.2 Querying the status of the VPN connection with command SMS message

Requirement
● The SCALANCE M87x can be reached via the admin PC and you are logged in to the
WBM as a user with the role "admin".
● Sending from the device to the service technician is configured, see Configuring the
sending of SMS messages (Page 191).
● The device accepts the command SMS message from the mobile phone of the service
technician, see Configuring receipt of the command SMS message on the M87x
(Page 195).

Procedure
1. The service technician sends a command SMS to query the status of the VPN connection
to the SINEMA RC Server.
SYS SRC STATUS<address of the SINEMA RC Server>, e.g. SYS SRC STATUS
90.90.90.90

Result
The service technician receives a corresponding reply SMS message from the device at the
phone numbers specified in "Event SMS".

SCALANCE M-800 Getting Started


Getting Started, 07/2017, C79000-G8976-C337-05 197
Reporting and switching by SMS
8.3 Receiving and evaluating a command SMS message

SCALANCE M-800 Getting Started


198 Getting Started, 07/2017, C79000-G8976-C337-05
Index

G
Glossary, 5

S
Service & Support, 4
SIMATIC NET glossary, 5

T
Training, 4

SCALANCE M-800 Getting Started


Getting Started, 07/2017, C79000-G8976-C337-05 199
Index

SCALANCE M-800 Getting Started


200 Getting Started, 07/2017, C79000-G8976-C337-05

You might also like