Application for Communication

Secure Remote Access to SIMATIC Stations via Internet using GPRS Modem MD740-1 and SCALANCE S612

Configuration 9


Configuration 9 GPRS Entry ID: 24960449

V1.0 Apr. 4th 2007 Page 2/73

Copyright © Siemens AG 2007. All rights reserved. 24960449_RemoteAccess_GPRS_DOKU_V10_e.doc

Note Configurations do not purport to cover all details or variations in equipment, nor do they provide for every possible contingency. Configurations do not represent customer-specific solutions. They are only intended to provide support for typical applications. You are responsible for ensuring that the described products are correctly used. These Configurations do not relieve you of the responsibility in safely and professionally using, installing, operating and servicing equipment. By using this Configuration you accept that Siemens is not liable for any damages except for those specified in the above liability clause. We reserve the right to make changes to these Configurations at any time without prior notice. If there are any deviations between the recommendations provided in these Configurations and other Siemens publications – e.g. Catalogs – the contents of the other documents have priority.

Warranty, Liability and Support

We accept no liability for information contained in this document.

Any claims against us – based on whatever legal reason – resulting from the use of the examples, information, programs, engineering and performance data etc., described in this example shall be excluded. Such an exclusion shall not apply in the case of mandatory liability, e.g. under the German Product Liability Act (“Produkthaftungsgesetz”), in case of intent, gross negligence, or injury of life, body or health, guarantee for the quality of a product, fraudulent concealment of a deficiency or breach of a condition which goes to the root of the contract (“wesentliche Vertragspflichten”). However, claims arising from a breach of a condition which goes to the root of the contract shall be limited to the foreseeable damage which is intrinsic to the contract, unless caused by intent or gross negligence or based on mandatory liability for injury of life, body or health. The above provisions do not imply a change in the burden of proof to your detriment.

Copyright© 2007 Siemens A&D. It is not permissible to transfer or copy this Configuration or excerpts of them without first having prior authorization from Siemens A&D in writing.

For questions about this document please use the following e-mail address:

mailto:[email protected]


Foreword Configurations are fully functional and tested automation configurations based on A&D standard products for simple, fast and inexpensive implementation of automation tasks. Each of these configurations covers a frequently occurring subtask of a typical customer problem.

The configurations help the customer to obtain answers with regard to required products and how they function in combination. A tested example application is provided for this.

However, depending on the requirements of the system, a variety of other components (e.g., other CPUs, power supplies, etc.) can be used to implement the functionality on which this configuration is based. See respective SIEMENS A&D catalogs for these components.

Table of Contents

Table of Contents ... 3
1 Application Areas and Usage ... 5
2 Setup ... 9
3 Required hardware and software components ... 12
4 Function Principle ... 14
4.1 Radio method ... 14
4.2 GPRS modem MD740-1 ... 15
4.3 SCALANCE S ... 17
4.4 Security ... 18
4.4.1 VPN tunnel ... 18
4.4.2 IPSec ... 20
4.5 Assessing the data volumes ... 23
5 Configuration and Commissioning of the Example ... 25
5.1 Hardware configuration / structural setup ... 26
5.2 Installation of the software ... 27
5.3 Install example project ... 27
5.4 Configuring the DSL Router ... 28
5.5 Configuration of the service center ... 29
5.6 Configuration of the remote stations ... 31
5.6.1 Change IP address of the components ... 31
5.6.2 Remote Station 1 ... 35
5.6.3 Remote Station 2 ... 39
5.7 Configuring the VPN tunnel ... 42
5.8 Configuration of the MD740-1 ... 50
5.8.1 MD740-1 of Remote Station 1 ... 50


5.8.2 MD740-1 of Remote Station 2 ... 61
5.9 Final configuration ... 61
6 Remote Access Scenarios ... 62
6.1 Diagnosis scenario 1 for Remote Station 1 (S7 communication) ... 63
6.2 Diagnosis scenario 2 for Remote Station 1 (access to Panel by means of WinCC flexible) ... 65
6.3 Diagnosis scenario 3 for Remote Station 1 (SOAP) ... 67
6.4 Diagnosis scenario 4 for Remote Station 1 (IP-CP standard page) ... 68
6.5 Diagnosis scenario 5 for Remote Station 2 (S7 routing) ... 68
6.6 Diagnosis scenario 6 for Remote Station 2 (OPC access) ... 69
7 Adjustments / Modifications / Expansions ... 70
7.1 Adding a remote station ... 70
7.2 Maximum number of remote stations ... 72
7.3 Notes / tips for IP address planning ... 72
8 History ... 73


1 Application Areas and Usage

Introduction Remote diagnostics and maintenance of production plants have become an integral part of modern automation technology. Remote access is far more efficient in time, and therefore in cost, than sending service staff around the world: errors are detected and removed much faster, which reduces machine downtime and increases availability.

The basis for optimum remote maintenance, even for plants that are widely distributed or difficult to reach, is a reliable, always available, secured and cost-efficient data connection. Today's radio technologies, paired with broadband internet connections, are increasingly used for this task.

Automation Task This Configuration illustrates typical remote access scenarios to distributed S7 stations via a secured, GPRS-based internet connection.


Several SIMATIC Remote stations with devices accessible via Ethernet (S7-CPUs, HMI-devices, Ethernet-CPs) are connected with a service center via a wireless transmission medium.

Via these connections, a PG/PC in the service center should be able to perform all of the functions a cable-connected PG can perform (e.g. all standard diagnostic functions, uploads and downloads of programs, operator control and monitoring of states, OPC, etc.).

Figure 1-1: Service center connected via DSL to the internet; the distributed Remote S7-Stations 1, 2, ..., N are connected via GSM/GPRS; all connections are secured.


Communication Solution – Configuration 9 As the main SIMATIC components, this solution uses the GPRS modem SINAUT MD740-1 in the stations and the security module SCALANCE S612 in the control center.

Both of these components initiate IPSec-based tunnel connections between

• a service center, which is connected to the internet via DSL and

• several remote stations connected with the internet via GPRS.

The schematic figure below gives an overview of the realized solution of this Configuration:

Figure 1-2


Figure 1-2: The service center (PG/PC with STEP 7, SCALANCE S61x, DSL router) is connected via its ISP to the internet. VPN tunnel 1 runs via GPRS provider A to Remote Station 1 (MD740-1, HMI panel, S7-Station 1 with S7-CPU and IE-CP, S7-Station 2 with S7-CPU (PN)). VPN tunnel 2 runs via GPRS provider B to Remote Station 2 (MD740-1, S7-CPU and IE-CP, I-slave on PROFIBUS).


Via the PG/PC in the service center, the STEP 7 standard software and the respective STEP 7 project of the remote station to be maintained can be used to perform:

• any online system diagnosis that is also performed in the IE-LAN (diagnostic buffer of the CPU, module status, operating status, monitoring / control, etc.),

• monitoring and control of variables (variable table and OPC),

• monitoring of program states and

• a download / upload of STEP 7 programs.

A standard web browser on the service PG/PC enables

• via Smart@Service from WinCC flexible

– accessing the mask of the HMI project (operator control and monitoring)

– loading the WinCC flexible project

– diagnosing the panel status

• accessing WinCC flexible variables via a SOAP connection

• accessing all existing web servers in the stations

– e.g. CP343-1 advanced (WebServer, FTP-Server/Client)

This example additionally explains

• the necessary basic terms on GPRS technology and security aspects

• the data volume to be expected in this configuration

• in detail, all configuration steps necessary to initiate a VPN tunnel between the GPRS modem MD740-1 and the security module SCALANCE S612.


Benefits • Optimized servicing of remote plants

• Outstations can be accessed worldwide

• All remote stations can be parameterized and diagnosed using standard STEP7 tools

• High availability of the communication due to standardized mobile phone and internet technology

• GPRS and INTERNET assure short transfer times and are always online

• Cost-effective data transmission due to payment based on data volumes

• VPN functionality enables a secure, protected and encrypted data connection via the IPSec standard.

• High security by means of integrated firewall

• Simple and user-friendly configuration of the VPN tunnels using the Security Configuration Tool


2 Setup

The figure below shows the hardware setup of this configuration.

Setup of the service center Figure 2-1


Figure 2-1: PC/PG with SIMATIC Manager (STEP 7), web browser and OPC server/client; IE standard cable to the SCALANCE S612 (security module as VPN router); IE standard cable to the DSL router + modem (internet connection with fixed IP address); xDSL to the internet.

The control center consists of a standard Windows PC/PG. Via its integrated Ethernet interface the PC is connected to the internal (secure) port 1 of the SCALANCE S612; the external (unsecure) port of the S612 is connected to a DSL router. The STEP 7 software, a standard web browser and the SIMATIC NET OPC server are installed on the PG/PC.


Setup diagram for remote station 1 Figure 2-2


Figure 2-2: MD740-1 (GPRS modem and VPN router with the SIM card of the provider); SIMATIC Station 1: PS307 5A, CPU 315-2 PN/DP; SIMATIC Station 2: PS307 5A, CPU 315-2 DP, CP 343-1 Advanced; TP277 6'' HMI panel for visualization; all connected via IE standard cables to a SCALANCE X208.

Remote station 1 consists of two SIMATIC stations, one HMI operator panel, as well as a GPRS modem MD740-1. Via the integrated Ethernet interface, all components are interconnected using a SCALANCE X208.


Setup diagram for remote station 2 Figure 2-3


Figure 2-3: MD740-1 (GPRS modem and VPN router with the SIM card of the GPRS provider); SIMATIC station: PS307 5A, CPU 315-2 DP, CP343-1 Lean (IE standard cable to the MD740-1); I-slave ET 200S: IM151-7 CPU, PM-E DC24V, 4DI HF DC24V, 4DO DC24V/0.5A (PROFIBUS cable to the CPU); optional PC/PG with OPC server.

Remote station 2 consists of a SIMATIC station, a distributed I/O with intelligent interface module as well as a GPRS modem MD740-1. The SIMATIC station is connected

• with the ET200S (IM151-7 CPU) via the PROFIBUS interface of the CPU

• with the GPRS modem MD740-1 via the integrated Ethernet interface of the CP343-1 Lean.

For the diagnosis scenario with OPC server on site, an additional PC/PG can be connected to the Industrial Ethernet network using a SCALANCE X208.


3 Required hardware and software components

SIMATIC components Table 3-1

Component | No. | MLFB / Order number | Note
CPU 315-2 DP | 2 | 6ES7315-2AG10-0AB0 |
CPU 315-2 PN/DP | 1 | 6ES7315-2EH13-0AB0 |
CP343-1 Advanced | 1 | 6GK7343-1GX21-0XE0 |
CP343-1 Lean | 1 | 6GK7343-1CX10-0XE0 |
Power supply PS307 5A | 2 | 6ES7307-1EA00-0AA0 |
Micro Memory Card | 3 | 6ES7953-8LF11-0AA0 | min. 64 kB
IM151-7 CPU | 1 | 6ES7151-7AA10-0BA0 | ET200S module
Power module for ET200S PM-E DC24V | | 6ES7138-4CA01-0AA0 | ET200S module
Digital input module for ET200S | | 6ES7131-4BD01-0AB0 | 4 DI HF DC24V
Digital output module for ET200S | | 6ES7132-4BD01-0AB0 | 4 DO DC24V/0.5A
PG | 1 | 6ES7712-XXXXX-XXXX | Configurator
Touch Panel TP277 | 1 | 6AV6643-0AA01-1AX0 |
License for Sm@rtService | 1 | 6AV6618-7BB01-1AB0 |

Security Table 3-2

Component | No. | MLFB / Order number | Note
SCALANCE S612 V2.1 | 1 | 6GK5612-0BA00-2AA3 | Optionally, you can update an existing SCALANCE S to Version 2.1 here.
Security Configuration Tool V2.1 | 1 | | Comes with the SCALANCE S V2.1.
GPRS modem MD740-1 | 2 | 6NH9740-1AA00 | as from version 1.0.3
ANT 794-4MR | 2 | 6NH9860-1AA00 | Quadband antenna, omnidirectional, with 5 m cable
SIM card | 2 | | Station contract with a GSM network operator; released for GPRS


Note When updating your SCALANCE S to V2.1, you must contact your Siemens contact partner for the Security Configuration Tool V 2.1. The contact will forward the software to you.

The SCALANCE S V2.1 can only be configured with the Security Configuration Tool V 2.1.

Software Table 3-3

Component | No. | MLFB / Order number | Note
STEP 7 V5.4 SP1 | 1 | 6ES7810-4CC08-0YA5 | or higher
SIMATIC NET PC Software Edition 2006 | 1 | 6GK1704-1LW64-3AA0 | Optional, if you wish to test the OPC scenario
SIMATIC WinCC flexible 2005 SP1 HF6 | 1 | 6AV6612-0AA01-1CA5 | or higher

LAN components Table 3-4

Component | No. | MLFB / Order number | Note
IE FC TP STANDARD CABLE | 5 | 6XV1840-2AH10 | Connecting line IE, minimum length 20 m
IE TP XP CORD CABLE | 1 | 6XV1870-3RH20 | Crossed connecting line IE, minimum length 2 m
PROFIBUS FC Standard Cable | 1 | 6XV1830-0EH10 | Connecting line PB, minimum length 20 m
Bus connector | 2 | 6ES7972-0BB12-0XA0 |
SCALANCE X208 | 1 | 6GK5208-0BA00-2AA3 |
RJ45 plug-in connector | 10 | 6GK1901-1BB10-2AA0 | Field-assembled (confectionable)

Infrastructure Table 3-5

Component | No. | MLFB / Order number | Note
DSL router + modem with VPN pass-through function (port forwarding) | 1 | | Alternatively a router with integrated modem, or separate units, e.g. Netgear RP614GR, Gigaset SE 515
Internet Service Provider | 1 | | Contract with your internet provider
Fixed IP address | 1 | | Obtained from the internet provider


4 Function Principle

This chapter briefly discusses the underlying technologies and principles applied here.

4.1 Radio method

Part of the transmission path in this example is the mobile radio service GPRS

GPRS The General Packet Radio Service is a mobile radio technology for packet-switched data transmission via GSM networks (Global System for Mobile Communications). Each GSM radio channel is divided into 8 time slots; a time slot represents one transmission channel.

Packet-switched data transmission means that, as opposed to circuit-switched data transmission (as in GSM), no transmission channel is permanently reserved. At the sender, the message is divided into individual packets carrying additional information (packet order, receiver address). GPRS can send the packets through different time slots of the network, which makes use of free capacity, and a GPRS session can also use several time slots in parallel. The receiver reassembles the packets in the correct order. GPRS carries data without a dedicated connection setup and only charges for the transmitted data volume.

Packet switching is based on the IP (Internet Protocol) technology. GPRS is mainly used for access to IP-based networks (e.g. the internet).

Data rate for GPRS To obtain higher data rates, several time slots can be combined, eight at most. Per time slot, up to 21.4 kbit/s can be transmitted, depending on the error protection mechanism. This gives a theoretical maximum of 171.2 kbit/s (8 x 21.4 kbit/s), which is very rarely reached in practice.

On the one hand, the number of GSM channels usable in parallel varies with the network load and the capability of the mobile device. For today's mobile devices a maximum of two time slots for uplink (from station to control center) and four for downlink (from control center to station) can be used. On the other hand, the data rate is adapted to the quality of the radio link through channel coding (Coding Schemes, CS). For GPRS the data rate of an individual GSM channel is fixed at 13.4 kbit/s (CS2).

This results in a maximum practical data rate of 26.8 kbit/s in uplink (2 GSM channels with CS2) and 53.6 kbit/s in downlink (4 GSM channels with CS2).


4.2 GPRS modem MD740-1

The SINAUT modem generates a secured IP data connection between remote stations and control center.

Basic requirements for operation For operating the modem, a SIM card with GPRS service is required which is plugged into the modem.

The GPRS modem MD740-1 together with the quad-band antenna ANT 794-4MR covers all four bands of the GSM networks and can hence be employed almost worldwide:

• 850 MHz

• 900 MHz

• 1800 MHz

• 1900 MHz

Note Please also note the Country Approvals for the MD740-1.

http://support.automation.siemens.com/WW/view/en/24795895

Properties of the MD740-1 For a secure radio data connection, the modem provides the following core functions:

• VPN client: supports a secure data connection via an IPSec-secured VPN tunnel (Virtual Private Network)

• 3DES and AES encryption

• Firewall for protection from unauthorized access. The dynamic packet filter inspects data packets by source and destination address and connection state (stateful packet inspection) and blocks undesired traffic, including packets with forged source addresses (anti-spoofing)

• GPRS modem for packet data communication via GSM

• Bi-directional data connection

• Cyclic protocol traffic for maintaining and monitoring the connection (NAT-T keep-alive, Dead Peer Detection, Rx-Tx-Delay Trigger)


Configuration of the modem The modem is configured with a standard web browser via the web-based management pages integrated in the modem.

Explanation of important terms In this section, the most important features of the MD740-1 are explained briefly.

Note Further information is available in the manual on MD740-1 http://support.automation.siemens.com/WW/view/en/23940893

Table 4-1

Feature: VPN (Virtual Private Network)
Explanation: VPNs connect computers or networks via the internet and provide secured data transmission. The so-called tunnel is encrypted. Passwords, public keys or digital certificates authenticate the VPN end points.

Feature: IPSec
Explanation: IPSec is an extension of the Internet Protocol (IP) and contains extensive security functions:
• AH (Authentication Header) handles the authentication and identification of the source.
• ESP (Encapsulating Security Payload) transmits the data encrypted; in this configuration it is carried in UDP port 4500 (NAT traversal).
• IKE (Internet Key Exchange) exchanges the keys via UDP port 500.

Feature: Anti-Spoofing
Explanation: Anti-spoofing prevents misuse of IP addresses and disguising of one's own identity.

Feature: NAT-T Keep Alive
Explanation: The MD740-1 sends UDP packets to the tunnel port 4500 at a fixed interval (in this example every 90 s) to keep the connection at the APN alive. The idle time after which the provider cuts the connection (if no data is transferred) differs from provider to provider and has to be adapted individually. No response is expected from the peer for a NAT-T keep-alive, so the existence of the VPN tunnel cannot be proven this way.

Feature: Dead Peer Detection (DPD)
Explanation: If no packets have been sent or received through the tunnel for an extended period (in this example after 150 seconds at the latest), the MD740-1 sends a UDP packet via port 4500 for which a response from the peer is expected; the status of the VPN tunnel is thus monitored. If a failure of the VPN tunnel is recognized, the MD740-1 tries to reconnect.

Feature: Rx-Tx-Delay Trigger
Explanation: The Rx-Tx-Delay Trigger in the MD740-1 checks the response behavior of the GPRS network. If data are sent but nothing is received, the connection is cancelled after a certain period (approx. 14 min). Then the GPRS connection to the APN as well as the VPN tunnel to the S612 are initialized again. The time settings for the Rx-Tx-Delay Trigger cannot be parameterized. To prevent unnecessary connection interruptions by the trigger, the time setting for Dead Peer Detection should never be higher than 600 seconds.
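The interplay of the three monitors in Table 4-1 is easier to see on a timeline. The following Python model is an added example, not MD740-1 firmware or anything from the Siemens document: it emits keep-alives every 90 s regardless of traffic, sends a DPD probe after 150 s of tunnel silence, and declares the tunnel dead when a probe goes unanswered. The 30 s reply timeout, the 1 s reply delay and the constructed traffic timeline are assumptions; dpd_setting_ok encodes the document's rule that the DPD setting must stay at or below 600 s so that DPD, not the fixed 14-minute Rx-Tx-Delay Trigger, is what detects a broken tunnel.

```python
"""Added example (not MD740-1 firmware): a second-by-second model of the three
connection monitors from Table 4-1. Interval values follow the document
(keep-alive 90 s, DPD after 150 s idle, Rx-Tx trigger approx. 14 min); the DPD
reply timeout, the 1 s reply delay and the traffic timeline are assumptions."""

KEEPALIVE_S = 90            # NAT-T keep-alive period (document value, no reply expected)
DPD_IDLE_S = 150            # DPD probe after this much tunnel silence (document value)
DPD_REPLY_TIMEOUT_S = 30    # assumption: wait this long for the DPD answer
DPD_REPLY_DELAY_S = 1       # assumption: round trip for an answered probe
RX_TX_TRIGGER_S = 14 * 60   # approx. fixed Rx-Tx-Delay Trigger (not parameterizable)
DPD_MAX_S = 600             # document rule: DPD setting must never exceed this


def dpd_setting_ok(dpd_idle_s):
    """Check the caveat from Table 4-1: DPD must notice a dead tunnel well before
    the non-configurable Rx-Tx-Delay Trigger tears down the whole GPRS session."""
    return 0 < dpd_idle_s <= DPD_MAX_S and dpd_idle_s + DPD_REPLY_TIMEOUT_S < RX_TX_TRIGGER_S


def simulate(horizon_s, tunnel_rx_times=(), peer_alive=True):
    """Run the monitors for horizon_s seconds.

    tunnel_rx_times: seconds at which real tunnel traffic arrives from the peer.
    peer_alive:      whether the peer answers DPD probes.
    Returns a list of (second, event) tuples in chronological order."""
    rx = set(tunnel_rx_times)
    events = []
    last_activity = 0       # last second with tunnel traffic (or a DPD answer)
    probe_sent_at = None    # time of the outstanding DPD probe, if any
    for t in range(1, horizon_s + 1):
        if t in rx:
            last_activity = t
        if probe_sent_at is not None:
            if peer_alive and t >= probe_sent_at + DPD_REPLY_DELAY_S:
                events.append((t, "dpd_reply"))       # peer answered: tunnel proven alive
                last_activity = t
                probe_sent_at = None
            elif not peer_alive and t - probe_sent_at >= DPD_REPLY_TIMEOUT_S:
                events.append((t, "tunnel_dead_reconnect"))
                return events                         # MD740-1 rebuilds the tunnel
        if t % KEEPALIVE_S == 0:
            events.append((t, "keepalive"))           # blind UDP/4500 packet, keeps the APN/NAT binding
        if probe_sent_at is None and t - last_activity >= DPD_IDLE_S:
            events.append((t, "dpd_probe"))           # answer required from the peer
            probe_sent_at = t
    return events
```

The peer_alive=False run shows why keep-alives alone give no assurance: they keep flowing while the tunnel is already dead, and only the unanswered DPD probe triggers the reconnect.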

4.3 SCALANCE S

The SCALANCE S product family protects automation cells / networks from unauthorized access. Models S612 / S613 can be used as VPN-capable peers for the MD740-1.

Properties of the SCALANCE S612/613 models SCALANCE S61x modules have the following core properties:

• Support of a secure data connection via an IPSec-secured VPN tunnel

• VPN server / client; supports up to 64 (S612) or 128 (S613) VPN tunnels simultaneously.

• Firewall for protection from unauthorized access, with the following functions:

– Inspection of data packets by source and destination address and connection state (stateful packet inspection)

– Support of Ethernet "non-IP" frames

– Bandwidth limitation

• Router mode for operating the SCALANCE S as a NAT/NAPT router. The internal network can be its own subnet.

• Bridge mode to operate the SCALANCE S in a flat network. Internal and external network are located in the same subnet.

Configuration of the SCALANCE S module The Security Configuration Tool (SCT) serves as a configuration tool for SCALANCE S modules and for generating configuration files for the MD740-1. All stations can be combined into a group here. This assignment defines which modules are allowed to communicate with each other via a VPN tunnel.

Advantages of the interaction with MD740-1 • Both modules can be configured using the Security Configuration tool.

• Very simple configuration process

Note Further information available in the manual on SCALANCE S http://support.automation.siemens.com/WW/view/en/21718449


4.4 Security

Security requirements • Data confidentiality: The user data must be encrypted and protected from unauthorized access

• Station authentication: Only defined stations may participate in the data communication. An authentication is required.

• Packet integrity: It must be ensured that data packets arrive at their target address unchanged.

• Secrecy: Networks behind the VPN gateways should be hidden from third parties.

4.4.1 VPN tunnel

A VPN tunnel is a "virtual private network" (comparable with a LAN) across an unsecured network (the internet). Encrypted data packets and authentication of the stations make this possible. Authentication (proof of one's own identity and checking the identity of the peer) uses either a pre-shared key or certificates (X.509v3 certificates).

Pre-Shared Key Using a pre-shared key is a symmetric scheme: both stations hold the same secret key, and each proves its identity to the other by demonstrating knowledge of it. Authentication therefore rests on a shared password.

Certificates Using certificates is an asymmetric scheme, where each station has a key pair. Each station keeps its own private key secret and holds the public key of the peer. The private key is used to decrypt data, generate digital signatures and authenticate; the public key of the peer is used to encrypt data for the peer and to verify its signatures.

The authenticity of the peer's public key is checked via an additional certificate issued by a certification authority (CA). With SCALANCE S, the CA is the group in the Security Configuration Tool (SCT) that contains the nodes of a VPN tunnel: the group issues certificates to the group members and signs them with the group certificate (CA certificate).

Note In this example, certificates are used for authentication.
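To make the certificate model concrete, here is an added Python example (not code from the document or the Security Configuration Tool) that rebuilds the group-as-CA structure with the third-party cryptography package: a self-signed group certificate (the *.cer file), member certificates signed by it and packed with their private key into a *.p12 file, and the check a peer makes before it admits a member to the tunnel. Group names, member names, the *.p12 password and the validity period are assumptions made for this illustration.

```python
"""Added example, not code from the Siemens document or the Security
Configuration Tool: the "group is the CA" certificate model of section 4.4.1,
rebuilt with the third-party `cryptography` package (pip install cryptography).
Group and member names, the *.p12 password and the one-year validity are
assumptions made for this illustration."""
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.serialization import pkcs12
from cryptography.x509.oid import NameOID

VALIDITY = datetime.timedelta(days=365)   # assumption
P12_PASSWORD = b"changeit"                # assumption; SCT asks for one on export


def _name(common_name):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])


def _builder(subject, issuer, public_key, is_ca):
    now = datetime.datetime.now(datetime.timezone.utc)
    return (x509.CertificateBuilder()
            .subject_name(subject).issuer_name(issuer).public_key(public_key)
            .serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + VALIDITY)
            .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True))


def make_group_ca(group):
    """The SCT group acts as CA: a self-signed certificate plus its private key.
    Returns (ca_private_key, ca_certificate)."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    cert = _builder(_name(group), _name(group), key.public_key(), True).sign(key, hashes.SHA256())
    return key, cert


def export_ca_cer(ca_cert):
    """DER bytes of the group certificate, i.e. the *.cer file of Figure 4-2."""
    return ca_cert.public_bytes(serialization.Encoding.DER)


def issue_member_p12(ca_key, ca_cert, member):
    """Issue a member certificate signed by the group CA and pack private key,
    certificate and CA certificate into PKCS#12, i.e. the *.p12 file that is
    imported into an MD740-1 (or loaded into a SCALANCE S)."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    cert = _builder(_name(member), ca_cert.subject, key.public_key(), False).sign(ca_key, hashes.SHA256())
    return pkcs12.serialize_key_and_certificates(
        name=member.encode(), key=key, cert=cert, cas=[ca_cert],
        encryption_algorithm=serialization.BestAvailableEncryption(P12_PASSWORD))


def peer_accepts(trusted_cer, presented_p12):
    """The check a VPN peer makes in IKE phase 1, reduced to its core: was the
    presented certificate issued and signed by the group CA this peer trusts?
    The *.p12 is opened here only to get at the certificate inside it."""
    ca_cert = x509.load_der_x509_certificate(trusted_cer)
    _key, cert, _chain = pkcs12.load_key_and_certificates(presented_p12, P12_PASSWORD)
    if cert.issuer != ca_cert.subject:
        return False
    try:
        ca_cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                    padding.PKCS1v15(), cert.signature_hash_algorithm)
    except InvalidSignature:
        return False
    return True
```

The negative cases are what make the SCT group a security boundary: a certificate from another group, or from a CA that merely reuses the group name with a different key, does not verify and the peer refuses the tunnel.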


Logic representation of the VPN connection The figure below shows the logic end points of the VPN connection: Figure 4-1


Figure 4-1: Logic display: one VPN tunnel between the SCALANCE S612 and the MD740-1 of Remote Station 1, and a second VPN tunnel between the SCALANCE S612 and the MD740-1 of Remote Station 2. Project display (Security Configuration Tool): All Groups, containing Group1 and Group2.

The exact connections during the configuration are given in chapter 5 and later chapters.

Distribution of certificates Figure 4-2: The Security Configuration Tool on the PG/PC generates the certificates; they are downloaded to the SCALANCE S612 and saved as files, which are then imported into the MD740-1 of Remote Station 1 and the MD740-1 of Remote Station 2. Certificate = *.p12 file (public and private key) and *.cer file (CA certificate).


4.4.2 IPSec

IPSec stands for IP security protocol and works on layer 3 of the OSI reference model. It is a tunneling method used in the internet for secure transmission of data.

Targets The aims of IPSec are:

• Authentication of stations

• Protection from unauthorized and unnoticed changes of the data packets (data integrity)

• Confidentiality of the transmitted data packets

• Protection against replay attacks; prevents the same data packet from being accepted twice

• Key management

Protocols IPSec is a standard which uses several protocols for security. The security functions are achieved using the following mechanisms:

• The IP Authentication Header (AH) handles the authentication and identification of the source and provides data integrity.

• ESP (Encapsulating Security Payload) encrypts the data and prevents unauthorized access.

• The Security Association (SA) is an agreement between the stations regarding the lifetime of the keys, the encryption algorithm, the time for a new authentication, etc.

• The Internet Key Exchange protocol (IKE) is based on the Internet Security Association and Key Management Protocol (ISAKMP). It manages the key exchange in two phases and enables communication between the stations.

– In phase 1 the stations negotiate the ISAKMP SA: they agree on a key with which the rest of the exchange is protected and authenticate each other with their certificates (the private key from the *.p12 file signs, the peer's certificate is checked against the CA certificate from the *.cer file). When the lifetime of this key has elapsed, a new key is negotiated.

– In phase 2 the stations negotiate the IPSec SA, i.e. the keys and algorithms with which ESP encrypts the user data. When the lifetime of the IPSec SA has elapsed, new keys are negotiated; when the lifetime of the ISAKMP SA has elapsed, phase 1 starts again.

Operating modes IPSec offers two operating modes. They define how the IP packets are extended to fulfil the aims of IPSec.

• Transport mode is used when the cryptographic end points are also the communication end points (PC-to-PC connection).

• Tunnel mode is selected when the cryptographic end points are security gateways and remote subnets are connected across an unsecured network.

IPSec data packets Between the VPN end points SCALANCE S612 and MD740-1 the data packets are transmitted in tunnel mode. The VPN end points decrypt them and forward the original packets to the actual recipient.

Packets can be protected by ESP and/or the authentication header (AH). The MD740-1 uses ESP only. This is also the only choice that works in this setup: the MD740-1 sits behind the NAT of the mobile network provider, and AH authenticates the outer IP header, which NAT rewrites. ESP can be carried through NAT with NAT traversal (UDP port 4500, see chapter 5.4 and the NAT-T keep-alive in Table 4-4).

In tunnel mode, the entire IP data packet is embedded into a new IP packet. The original IP addresses are no longer visible from outside.

Figure 4-3 (layout of an ESP tunnel-mode packet)

Data packet prior to encryption:
IP Header | TCP/UDP Header | Data

After encryption by means of ESP:
Tunnel IP Header | ESP Header | IP Header | TCP/UDP Header | Data | ESP Trailer | ESP Auth Trailer

encrypted: IP Header through ESP Trailer
authenticated: ESP Header through ESP Trailer

The following table gives a brief overview of the meaning and function of the respective headers. Table 4-2

Header | Function
Tunnel IP header | Contains the addresses of the cryptographic end points (VPN gateways). Only these addresses are visible on the internet.
ESP header | Contains the SPI (Security Parameters Index), which selects the SA, and the sequence number used for replay protection. The header is sent in clear but is covered by the authentication trailer.
ESP trailer | Pads the encrypted part up to the block size of the cipher and records the pad length and the protocol of the encapsulated packet (Next Header). It is encrypted together with the original packet.
ESP authentication trailer | Contains the integrity check value (ICV) computed over ESP header, encrypted payload and ESP trailer; it proves the authenticity and integrity of the packet.
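The packet layout of Figure 4-3 and Table 4-2, together with the replay protection named in chapter 4.4.2, as an added example in Python (not code from the Siemens document): it builds and unpacks an ESP tunnel-mode packet around a constructed inner IPv4 packet and runs the receiver's sliding anti-replay window. The XOR "keystream" and the truncated HMAC-SHA256 stand in for the cipher and MAC negotiated in the IPSec SA so that the block runs offline; the SPI, the keys and the inner packet are constructed values.

```python
"""ESP tunnel-mode framing and anti-replay (RFC 4303 layout). Added example:
placeholder XOR "cipher" and truncated HMAC-SHA256 ICV, constructed keys and packets."""
import hashlib
import hmac
import struct

BLOCK_SIZE = 16       # block size of the cipher, e.g. AES
ICV_LEN = 12          # truncated ICV length (HMAC-...-96 style)
NEXT_HEADER_IPV4 = 4  # Next Header value for an encapsulated IPv4 packet (tunnel mode)


def _keystream(key: bytes, n: int) -> bytes:
    """Placeholder keystream (repeats the key). Not a cipher; only makes the layout runnable."""
    return (key * (n // len(key) + 1))[:n]


def _xor(data: bytes, key: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))


def esp_encapsulate(inner_packet: bytes, spi: int, seq: int, enc_key: bytes, mac_key: bytes) -> bytes:
    """Build [ESP header | encrypted(inner packet + padding + ESP trailer) | ICV]."""
    pad_len = (-(len(inner_packet) + 2)) % BLOCK_SIZE      # trailer = padding + 2 bytes
    padding = bytes(range(1, pad_len + 1))                  # RFC 4303 default padding 1,2,3,...
    plaintext = inner_packet + padding + bytes([pad_len, NEXT_HEADER_IPV4])
    header = struct.pack("!II", spi, seq)                   # SPI + sequence number, sent in clear
    ciphertext = _xor(plaintext, enc_key)
    icv = hmac.new(mac_key, header + ciphertext, hashlib.sha256).digest()[:ICV_LEN]
    return header + ciphertext + icv


class ReplayWindow:
    """Receiver-side sliding anti-replay window (RFC 4303 section 3.4.3)."""

    def __init__(self, size: int = 64):
        self.size = size
        self.last = 0       # highest sequence number accepted so far
        self.bitmap = 0     # bit i set => sequence number (last - i) already received

    def check_and_update(self, seq: int) -> bool:
        if seq == 0:                                  # 0 is never valid on the wire
            return False
        if seq > self.last:                           # newer than anything seen: slide the window
            shift = seq - self.last
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.last = seq
            return True
        offset = self.last - seq
        if offset >= self.size:                       # older than the window: drop
            return False
        if self.bitmap & (1 << offset):               # already received: replay
            return False
        self.bitmap |= 1 << offset
        return True


def esp_decapsulate(packet: bytes, enc_key: bytes, mac_key: bytes, window: ReplayWindow):
    """Verify the ICV, enforce anti-replay, decrypt and strip the ESP trailer.
    Returns (spi, next_header, inner_packet); raises ValueError on a bad packet."""
    header, body, icv = packet[:8], packet[8:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(mac_key, header + body, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):        # integrity check before anything else
        raise ValueError("ICV mismatch: packet modified or wrong key")
    spi, seq = struct.unpack("!II", header)
    if not window.check_and_update(seq):              # window only advances for authentic packets
        raise ValueError(f"replayed or stale sequence number {seq}")
    plaintext = _xor(body, enc_key)
    pad_len, next_header = plaintext[-2], plaintext[-1]
    return spi, next_header, plaintext[:-(pad_len + 2)]


def demo() -> dict:
    """Round-trip two packets, then replay one and tamper with one."""
    enc_key = b"demo-enc-key-16B"                      # constructed
    mac_key = b"demo-mac-key"                          # constructed
    inner = bytes([0x45, 0x00, 0x00, 0x1C]) + bytes(16) + b"S7-DATA!"   # constructed 28-byte IPv4 packet
    rx = ReplayWindow()
    p1 = esp_encapsulate(inner, spi=0x1000ABCD, seq=1, enc_key=enc_key, mac_key=mac_key)
    p2 = esp_encapsulate(inner, spi=0x1000ABCD, seq=2, enc_key=enc_key, mac_key=mac_key)
    spi, next_header, out1 = esp_decapsulate(p1, enc_key, mac_key, rx)
    _, _, out2 = esp_decapsulate(p2, enc_key, mac_key, rx)
    results = {"spi": spi, "next_header": next_header,
               "roundtrip_ok": out1 == inner and out2 == inner,
               "esp_overhead": len(p1) - len(inner)}
    try:
        esp_decapsulate(p1, enc_key, mac_key, rx)      # the same packet a second time
        results["replay_rejected"] = False
    except ValueError:
        results["replay_rejected"] = True
    tampered = bytearray(p2)
    tampered[12] ^= 0x01                               # flip one bit inside the encrypted part
    try:
        esp_decapsulate(bytes(tampered), enc_key, mac_key, ReplayWindow())
        results["tamper_rejected"] = False
    except ValueError:
        results["tamper_rejected"] = True
    return results
```

The 28-byte inner packet grows by 24 bytes (8-byte ESP header, 2 bytes of padding, 2-byte trailer, 12-byte ICV) before the outer tunnel IP header is added; the replayed packet is refused because its sequence number is already marked in the window, and the modified packet is refused by the ICV check before the window is touched.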

4.5 Assessing the data volumes

GPRS is charged on the basis of the transmitted data volume, so it is important to know roughly which data volumes to expect for a standard diagnostics session.

Data volumes for automation functions The following table shows, for some example function calls to the remote stations, approximately which net data volumes must be expected.

Table 4-3

Automation function | Explanation | Data volume
STEP 7 project | Download of the STEP 7 example project Remote Station1 (CPU 315-2 DP + CP 343-1 Advanced) | once, approx. 77 Kbytes
Diagnostics buffer calls | Go online with the STEP 7 project and call the module status of the CPU | once, approx. 16.3 Kbytes
Variable table | Two variables are continuously monitored in the variable table | approx. 960 Kbytes/h
WinCC flexible Sm@rt Service | Call of the TP277 operator screen in a web browser with the Sm@rtService function (initial call until the operator screen has been loaded completely) | once, approx. 90 Kbytes (for this example)
WinCC flexible Sm@rt Service | Delta operator screen display on the browser | approx. 1.2 Kbytes/h
WinCC flexible Sm@rt Service | Load the TP277 operator screen using the Sm@rt Viewer from WinCC flexible (initial call) | once, approx. 14 Kbytes
WinCC flexible Sm@rt Service | Delta operator screen display on the browser | approx. 855 Kbytes/h

Note These values are only guide values for orientation!

Additional data volumes caused by VPN monitoring functions Maintaining the VPN connection "costs" data volume. To keep the NAT mapping at the APN (Access Point Name) open, packets are sent through the tunnel at fixed intervals.

The following table gives an overview of the additional data volumes: Table 4-4

Packet | Size per packet incl. header | Data volume / hour | Note
NAT-T keep-alive | 43 bytes | 1.72 Kbytes/h | Every 90 s; sent by the MD740-1
DPD (Dead Peer Detection) | 260 bytes | 6.24 Kbytes/h | Every 150 s; only sent if no data were received or sent within 150 s; sent by the MD740-1
TCP/IP keep-alive | 234 bytes | 28.08 Kbytes/h | Every 30 s; sent by the SIMATIC CP as soon as a connection is configured; only sent if no data were received or sent within 30 s

The hourly values are the idle-case maximum (every interval elapses without user data). Together they add up to about 36 Kbytes/h, i.e. roughly 26 Mbytes per month for a permanently established but otherwise idle tunnel.

5 Configuration and Commissioning of the Example

Preliminary remark For startup we offer a complete STEP 7 example project as a download. This software example supports you in the first steps and tests with this configuration and enables a quick function test of the hardware and software interfaces between the products described here. The example is tailored to the components used in this configuration and shows their principal interaction; it is not a real application in the sense of a technological solution with definable properties. The following chapters take you step by step through the necessary configuration.

Download The STEP 7 and WinCC flexible example projects are available on the HTML page from which you downloaded this document. After downloading, extract the zip file with any zip program, such as WinZip. Store the files on the hard disk and retrieve the STEP 7 projects with the STEP 7 software. Table 5-1

File name | Content
24960449_RemoteAccess_GPRS_CODE_V10.zip | All files of this configuration, consisting of:
STEP7_REMOTE1.zip | STEP 7 project for Remote Station1
STEP7_REMOTE2.zip | STEP 7 project for Remote Station2
SOAP.htm | HTML file for the SOAP connection

Functionality The example only provides a PLC base load for displaying certain diagnostic scenarios. An automation task is not the focus here.

5.1 Hardware configuration / structural setup

Figure 5-1

The following table gives an overview of the IP addresses used, grouped by subnet. Modules with two addresses (internal/external) work as routers between their two subnets. Table 5-2

Location | Module | IP address internal | IP address external
Remote Station 1 (RMT 1) | CP 343-1 Advanced | 140.70.0.2 | -
Remote Station 1 (RMT 1) | CPU 315-2 PN/DP | 140.70.0.3 | -
Remote Station 1 (RMT 1) | TP 277 6'' | 140.70.0.4 | -
Remote Station 1 (RMT 1) | MD740-1 | 140.70.0.1 | Dynamic, assigned by the APN
Remote Station 2 (RMT 2) | CP 343-1 Lean | 140.80.0.12 | -
Remote Station 2 (RMT 2) | MD740-1 | 140.80.0.11 | Dynamic, assigned by the APN
Service center | DSL router | 192.168.2.1 | Fixed IP from the provider
Service center | SCALANCE S612 | 192.168.3.1 | 192.168.2.2
Service center | PC/PG | 192.168.3.3 | -

Subnet masks: 255.255.0.0 at the remote stations and 255.255.255.0 in the service center (see chapter 5.7).
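A consistency check of this address plan, as an added example in Python (not part of the Siemens document): it verifies that every host and default router lies inside its subnet, that no address is duplicated or is the network or broadcast address, and that no two sites use overlapping subnets, which the S612 in routing mode would need in order to send a packet into the right VPN tunnel. The site grouping and the /16 and /24 masks follow Table 5-2 and chapter 5.7; the name "Service center router LAN" for the segment between the DSL router and the S612 external port is an assumption made for the demonstration.

```python
"""Consistency check of the IP address plan in Table 5-2. Added example using only the
standard library; the "Service center router LAN" site name is an assumption."""
import copy
import ipaddress

PLAN = {
    "Remote Station 1": {
        "subnet": "140.70.0.0/16", "router": "140.70.0.1",
        "hosts": {"MD740-1 (internal)": "140.70.0.1", "CP 343-1 Advanced": "140.70.0.2",
                  "CPU 315-2 PN/DP": "140.70.0.3", "TP 277": "140.70.0.4"},
    },
    "Remote Station 2": {
        "subnet": "140.80.0.0/16", "router": "140.80.0.11",
        "hosts": {"MD740-1 (internal)": "140.80.0.11", "CP 343-1 Lean": "140.80.0.12"},
    },
    "Service center": {
        "subnet": "192.168.3.0/24", "router": "192.168.3.1",
        "hosts": {"SCALANCE S612 (internal)": "192.168.3.1", "PC/PG": "192.168.3.3"},
    },
    "Service center router LAN": {   # assumed name for the DSL router / S612 external segment
        "subnet": "192.168.2.0/24", "router": "192.168.2.1",
        "hosts": {"DSL router (LAN)": "192.168.2.1", "SCALANCE S612 (external)": "192.168.2.2"},
    },
}


def check_plan(plan: dict) -> list:
    """Return a list of human-readable problems; an empty list means the plan is consistent."""
    problems = []
    nets = {}
    for site, cfg in plan.items():
        net = ipaddress.ip_network(cfg["subnet"], strict=True)
        nets[site] = net
        router = ipaddress.ip_address(cfg["router"])
        if router not in net:
            problems.append(f"{site}: default router {router} is outside {net}")
        seen = {}
        for name, addr in cfg["hosts"].items():
            ip = ipaddress.ip_address(addr)
            if ip not in net:
                problems.append(f"{site}: {name} {ip} is outside {net}")
            elif ip in (net.network_address, net.broadcast_address):
                problems.append(f"{site}: {name} uses the network/broadcast address {ip}")
            if ip in seen:
                problems.append(f"{site}: {name} and {seen[ip]} both use {ip}")
            seen[ip] = name
    # Every subnet reachable through the S612 must be distinct; otherwise the gateway
    # cannot decide which VPN tunnel (group) a destination address belongs to.
    sites = list(nets)
    for i, a in enumerate(sites):
        for b in sites[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} ({nets[a]}) overlaps {b} ({nets[b]}): ambiguous VPN routing")
    return problems


def demo():
    """Check the document's plan, then a deliberately broken copy of it."""
    broken = copy.deepcopy(PLAN)
    broken["Remote Station 2"]["subnet"] = "140.70.0.0/16"      # same subnet as station 1
    broken["Service center"]["router"] = "192.168.2.1"          # router taken from the wrong segment
    return check_plan(PLAN), check_plan(broken)
```

Run `demo()` before loading any configuration: the document's plan yields no findings, while the broken copy reports the overlap between the two remote stations, the two Remote Station 2 hosts and their router now lying outside their subnet, and the service-center PC pointing at a router it cannot reach.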

In the following chapters, the necessary configuration steps of the individual components are explained in greater detail.

Table 5-3

No. | Configuration step | Chapter

1 | Configuration of the DSL router | 5.4
2 | Configuration of the service center | 5.5
3 | Configuration of the remote stations | 5.6
4 | Configuration of SCALANCE S and the VPN tunnels | 5.7
5 | Configuration of the MD740-1 | 5.8

5.2 Installation of the software

For this configuration the following software packages are required:

• STEP 7

• WinCC flexible 2005 with Sm@rtViewer

• Security Configuration Tool V2.1

Note Follow the instructions of the installation program.

5.3 Install example project

Table 5-4

No. | Instructions | Remark/figure
1. | Unzip the file 24960449_RemoteAccess_GPRS_CODE_V10.zip. | The directory <Drive>\GPRS_Configuration9 is used below as project directory.
2. | Start STEP 7 and retrieve STEP7_REMOTE1.zip to <Drive>\GPRS_Configuration9. | The STEP 7 project is now stored at <Drive>\GPRS_Configuration9\GPRS_RMT1.
3. | Start STEP 7 and retrieve STEP7_REMOTE2.zip to <Drive>\GPRS_Configuration9. | The STEP 7 project is now stored at <Drive>\GPRS_Configuration9\GPRS_RMT2.

5.4 Configuring the DSL router

No specific router is described, as the configuration screens differ from router to router. Most routers are configured via a web page.

Required PC/PG IP address To configure the router you must assign your PG/PC an IP address in the same network as the router.

Configuration Table 5-5

No. | Instructions | Remark / Note
1. | Open the configuration user interface of the router. | This may be separate software, Telnet or a web page.
2. | Enter the connection data for your internet connection. | Login, password etc. that you received from your provider.
3. | Switch off DynDNS. | Your internet access has a fixed IP address.
4. | Enter your DNS server. | The address is supplied together with the access data.
5. | Specify the LAN IP address of the router. | 192.168.2.1
6. | Switch off the DHCP server. | The SCALANCE S and the PC receive fixed addresses.
7. | Forward UDP ports 500 (IKE) and 4500 (IPSec NAT traversal) to the same ports of the SCALANCE S. Forward nothing else, and make sure the router's own administration interface is not reachable from the internet. | UDP port 500 to UDP port 500 of 192.168.2.2; UDP port 4500 to UDP port 4500 of 192.168.2.2

5.5 Configuration of the service center

Change IP address The figure shows the network settings of the PG/PC that are required at the beginning (for setting up the PC station) and again at the end of the configuration (after chapter 5.8). Loading the various modules (SCALANCE S, MD740-1, CPUs, Touch Panel) requires changing the IP address of the PG/PC several times.

Table 5-6

No. Instructions Remark / Note

8. Open the Internet Protocol (TCP/IP) Properties via Start -> Settings -> Network Connections -> Local Area Connection. Select "Use the following IP address" and fill in the fields according to the screenshot. Select "Use the following DNS server addresses" and enter the DNS server according to the screenshot. Close the dialog boxes with OK.

9. If your PG has an IWLAN interface, switch it off.

PC station initial startup A "PC station" is a PC with communication modules and software components within a SIMATIC automation solution.

The hardware configuration of a PC station in SIMATIC is comparable with that of an S7 station. Components of a PC station, such as modules or software interfaces, are assigned to a virtual slot and parameterized in the same way.

Table 5-7

No. Instruction Remark/Screenshot

1. Open the Station Configurator via Start -> Station Configurator. Alternatively, double-click the icon in the Windows system tray. The configuration list is initially empty.

2. Import the XDB file <Drive>\GPRS_Configuration9\GPRS_RMT2\XDBs\pcst_1.xdb via the Import Station... button.

3. Attention: the import is only possible if the imported configuration matches the locally installed components. Components that do not match are highlighted as faulty.

No. Instruction Remark/Screenshot

4. Execute the import with OK. The components are restarted. If the components do not start immediately without error, restart the PC.

5.6 Configuration of the remote stations

Note The provided STEP 7 project, which has already been configured with the correct IP addresses, serves as a basis for configuring the STEP 7 stations.

5.6.1 Change IP address of the components

CPU/ CP

Prior to loading the STEP 7 project into the CPU, the IP address of the module via which the project is loaded to the CPU must be changed according to Table 5-2. This may be the CPU itself or a CP.

Table 5-8

No. Instruction Remark / Screenshot

1. Open a STEP 7 project in the SIMATIC Manager.

2. In the PLC menu select the Edit Ethernet Node... option.

3. Click the Browse… button.

4. Select the desired module and acknowledge the selection with OK.

5. In the Set IP configuration window that appears, enter the IP address according to Table 5-2. Click the Assign IP Configuration button. Close the dialog with the Close button.

Touch Panel Prior to loading the WinCC flexible project into the Touch Panel, the IP address of the panel must be changed according to Table 5-2.

Table 5-9

No. Instructions Note

1. Change to the Control Panel of TP 277 6’’ and select Transfer.

2. Change the transfer settings according to the screenshot on the right. Click the Advanced button.

3. In the dialog that appears select the Onboard LAN Ethernet Driver and click Properties.

Table 5-10

No. Instructions Note

4. Change the IP address of the panel according to the screenshot and acknowledge the dialog with OK.

5. A change of the IP address requires rebooting the panel. Change back to Control Panel and double-click OP. The OP Properties screen opens. Change to the Device tab and reboot the panel by pressing the Reboot button.

5.6.2 Remote Station 1

Required PC/PG IP address Table 5-11

Instructions Setting

For loading the SIMATIC station, change the IP address of your PC/PG according to the screenshot.

Connect the PC/PG with the SCALANCE X208 via a standard Ethernet cable.

The PC/PG can now establish a connection with the CPU 315-2 PN/DP, the CP 343-1 Advanced, the TP277 and the MD740-1.

Loading the SIMATIC stations

Table 5-12

No. Instructions Note

6. Change the IP address of the CPU 315-2 PN/DP and the CP 343-1 Advanced according to Table 5-2. This is described in greater detail in chapter 5.6.1.

7. In the SIMATIC Manager select the first SIMATIC 300 station (station1) and load it to the CPU via the CP with PLC -> Download.

8. Then select the second SIMATIC 300 station (station2) and load it directly to the CPU with PLC -> Download.

Loading the WinCC flexible project Table 5-13

No. Instructions Note

1. In the SIMATIC Manager open the SIMATIC HMI-Station(1) and select WinCC flexible RT. Open the WinCC flexible project via Right mouse button -> Open Object.

2. Once WinCC flexible has started, open the transfer settings via Project -> Transfer -> Transfer Settings. Change the dialog according to the screenshot on the right. Mode: Ethernet; IP address: 140.70.0.4

3. Set your panel to transfer mode. Use the Transfer button to load the WinCC flexible project into the panel.

NetPro The connection between the service center and the remote station resembles a pure point-to-point Ethernet connection due to the VPN tunnel. The following figure displays an extract from NetPro:

Figure 5-2

Default Router In reality, the connection via GPRS and the internet runs across several subnets. The components of the remote station must therefore have the GPRS modem MD740-1 (140.70.0.1, see Table 5-2) entered as their default router; in the service center the PC/PG uses the internal address of the SCALANCE S612 (192.168.3.1) as its default router.

The following screenshots show the entry of the respective default router in the network properties:

CPU 315-2 PN/DP Figure 5-3

CP343-1 Advanced Figure 5-4

TP277 6'' Figure 5-5

5.6.3 Remote station 2

Required PC/PG IP address Table 5-14

Instructions Setting

For loading the SIMATIC station, change the IP address of your PC/PG according to the screenshot.

Connect the PC/PG with the CP 343-1 Lean via a crossover Ethernet cable.

Loading the SIMATIC stations Table 5-15

No. Instructions Note

1. Change the IP address of the CP 343-1 Lean according to Table 5-2. This is described in greater detail in chapter 5.6.1.

2. In the SIMATIC Manager select the first SIMATIC 300 station (station1) and load it to the CPU via the CP with PLC -> Download.

3. Then select the second SIMATIC 300 station (I_SLAVE) and load it to the CPU directly via Station1 with PLC -> Download.

NetPro The connection between the service center and the remote station resembles a pure point-to-point Ethernet connection due to the VPN tunnel. The following figure displays an extract from NetPro: Figure 5-6

Default Router In reality, the connection via GPRS and the internet runs across several subnets. The components of the remote station must therefore have the GPRS modem MD740-1 (140.80.0.11, see Table 5-2) entered as their default router; in the service center the PC/PG uses the internal address of the SCALANCE S612 (192.168.3.1) as its default router.

The following screenshot shows the entry of the default router in the network properties:

CP 343-1 Lean Figure 5-7

5.7 Configuring the VPN tunnel

This section shows the necessary steps in the Security Configuration Tool, to generate two VPN tunnels. Figure 5-8

Figure 5-8 (recovered labels): Group 1 = VPN Tunnel 1 between the MD740-1 of Remote Station 1 and the SCALANCE S612; Group 2 = VPN Tunnel 2 between the MD740-1 of Remote Station 2 and the SCALANCE S612.

Note Reset the SCALANCE S612 to the factory settings prior to configuration. This ensures that no other certificates or VPN connections remain stored in the SCALANCE S and that its IP address is set to 0.0.0.0. Instructions for resetting to the factory settings are given in chapter 2.1.7 of the SCALANCE S manual:

http://support.automation.siemens.com/WW/view/en/21718449

Required PC/PG IP address Table 5-16

Instructions Setting

For configuring the SCALANCE S please enter the IP address for your PC/PG according to the screenshot.

VPN tunnel configuration Table 5-17

No. Instructions Remark / Note

1. Open the Security Configuration Tool (SCT).

2. Create a new project with Project -> New. You will be prompted for a user name and password. Fill in the dialog and close with OK (in this example: User Name: Admin, Password: VPN). For a real installation choose a strong password: this account protects the project that generates the VPN certificates for all stations.

3. The first module is added automatically. Change the module line as follows: Name: S612; Type: S612 V2; IP Address ext.: 192.168.2.2; Subnet Mask ext.: 255.255.255.0; Default Router: 192.168.2.1. The MAC address is printed on the front of your SCALANCE S.

4. Insert a new module with Insert -> Module.

5. Change the second module line as follows: Name: Remote1; Type: MD740-1; IP Address ext.: leave default; Subnet mask ext.: leave default; IP Address int.: 140.70.0.1; Subnet mask int.: 255.255.0.0

Note: The SCT requires an external IP address for the MD740-1. However, this address is assigned dynamically by the mobile network provider and cannot be entered here. Leave the default IP address of the SCT (here: 192.168.10.1). For the same reason the tunnel must always be initiated by the MD740-1 (see step 18).

6. Insert a new module with Insert -> Module.

7. Change the third module line as follows: Name: Remote2; Type: MD740-1; IP Address ext.: leave default; Subnet mask ext.: leave default; IP Address int.: 140.80.0.11; Subnet mask int.: 255.255.0.0

8. Select View -> Advanced Mode to switch the SCT to advanced mode. Confirm the dialog with Yes. Advanced mode offers further settings.

9. Select the first module line (SCALANCE S module) and double-click it to open the Module Properties.

10. Switch to the Routing Mode tab. Activate routing mode and enter the internal IP address (192.168.3.1) and subnet mask (255.255.255.0). Also activate NAT and "Allow Internal -> External for all users". Close the Module Properties dialog with OK.

11. Select VPN Groups in the offline view. Create a new group via Insert -> Group and repeat this a second time.

12. S612 and the MD740-1 Remote1 are placed in Group1: select the modules S612 and Remote1 one after the other in the same column and drag them to Group1.

13. S612 and the MD740-1 Remote2 are placed in Group2: select the modules S612 and Remote2 one after the other in the same column and drag them to Group2.

Note: A group represents one VPN connection. Only nodes that are members of the group can participate in the tunnel communication; each remote station therefore has a tunnel to the S612 only, not to the other remote station.

14. Select Group1 in the column. All stations of the group, i.e. of one VPN connection, are listed.

15. The group properties must be adjusted for each group. Select Group1 and Group2 in turn and open the dialog with Right mouse button -> Properties.

16. Change the SA lifetimes to 1440 minutes. Click OK to close the dialog box. Repeat the process for the other group. The SA lifetime determines how often IKE renegotiates the keys: every renegotiation costs GPRS data volume (see chapter 4.5), while a shorter lifetime limits the amount of traffic protected by one key.

17. Change back to the module lines by selecting All Modules in the same column.

18. Select the first module line again and open the Module Properties of the SCALANCE S. Change to the VPN tab. Switch off Dead Peer Detection for the S612 and set the permission to initiate the connection so that the SCALANCE S waits for the MD740-1 to initiate it: the MD740-1 has a dynamic external address behind the provider's NAT and cannot be contacted by the S612. As the WAN IP address enter the fixed IP address of your DSL router. Click OK to close the dialog box.

19. Connect your PC/PG with the external port of the SCALANCE S. The SCALANCE S has no default IP address; the configuration is loaded via the MAC address entered in step 3.

20. Load the configuration into the SCALANCE S. Select the SCALANCE S module line for this and click Transfer.

21. In the following dialog start the transmission to the SCALANCE S with Start.

22. In D:\GPRS_Configuration9 create a directory MD740_Remote1 for the configuration of the MD740-1 of Remote Station1. Select the modem module line (Remote1) and click Transfer. As target directory specify the directory you created for the configuration files and certificates. Acknowledge the following dialog with Yes to assign a new certificate password or with No to use the default password.

The .p12 file is password protected and contains the station's private key. You can use the project name of the SCT as the password or assign a different one. Note: assign a new, strong password; the project name is known to everyone who has seen the project. Keep the exported directory off shared drives, transfer it to the remote site only over a trusted path, and delete copies that are no longer needed once the files have been imported into the MD740-1.

23. In D:\GPRS_Configuration9 create a further directory MD740_Remote2 for the configuration of the MD740-1 of Remote Station2. Proceed as for the MD740-1 of Remote Station1.

24. The target directory now contains a text file for configuring the MD740-1, the CA certificate and the p12 certificate.

Note The default firewall setting of the S612 permits only traffic through the VPN tunnels between VPN stations. A connection from the PC to the router for internet access outside the tunnel is then not possible. If you need traffic outside the VPN tunnel as well, adjust the firewall accordingly and open only the services actually required.

5.8 Configuration of the MD740-1

The MD740-1 is commissioned in three steps:

• PIN configuration

• inserting the SIM card into the device

• further configuration

Required PC/PG IP address Table 5-18

Instructions Setting

For the configuration of the MD740-1 assign your PG/PC an IP address in the same network as the MD740-1. In the factory settings the MD740-1 has the address 192.168.1.1.

Reconnect the PC/PG with the SCALANCE X208.

5.8.1 MD740-1 of Remote Station1

Note This information is also available in the MD740-1 manual: http://support.automation.siemens.com/WW/view/en/23940893

Step 1: PIN configuration For the MD740-1 to communicate via the GPRS network, the PIN of the SIM card must be made known to the device.

WARNING First enter the PIN in the MD740-1 and only then insert the SIM card.

Table 5-19

No. Instructions Remark / Note

1. Connect the PC with the Ethernet connector of the MD740-1. In the factory settings the MD740-1 has the address 192.168.1.1.

2. Start a browser and enter the address https://[IP address of the MD740-1]. Once the connection is established, the browser shows a security warning for the device's web server certificate; acknowledge it with Yes. This is acceptable here because the PC is connected to the device directly by cable.

3. Enter user name and password. The default settings are: User name: admin, Password: sinaut. Change this default password once commissioning is complete; the administrator website is where the VPN connections, certificates and APN access data of the modem are managed.

4. The administrator website opens

5. Change to Network -> GPRS.

6. In User and Password (identical in both lines) enter the access data for your APN. For Vodafone: User: guest, Password: guest. In APN enter the name of your access point. For Vodafone: web.vodafone.de. Under PIN enter the PIN of your SIM card in both lines. Apply the settings to the MD740-1 with Set Values.

Step 2: Insert SIM card (Table 5-20)

1. Disconnect the MD740-1 from the power supply.

2. Open the casing of the device to insert the SIM card.
   Remark: Please refer to the manual on the MD740-1: http://support.automation.siemens.com/WW/view/en/23940893

3. Insert the SIM card and close the casing. Connect the modem to the power supply.

Note: The MD740-1 will now attempt to initiate a connection with the GPRS network. When the connection has been established, the LEDs S (status) and C (connect) light up steadily. LED Q (quality) indicates the field strength.

Step 3: Further configurations

IP address (Table 5-21)

1. Open the administrator website of the MD740-1 again.

2. Change to Network -> Local. Change the internal IP address of the MD740-1 according to Table 5-2. Accept the settings with Set Values.
   Remark: You have to adjust the IP address of your PC/PG accordingly (e.g. 140.70.0.20) and then open the website of the MD740-1 again.

Create VPN connection (Table 5-22)

1. Change to VPN -> Connections.

2. Generate a new connection with New. In this example, REMOTE1 was used as the connection name. Accept the settings with Set Values.

Note: The text file that was generated with the Security Configuration Tool helps with the further configuration steps.

Figure 5-9

Load p12 certificate (Figure 5-10)

Figure 5-10: VPN > [email protected]

Table 5-23

3. Use the Browse… button to change to the directory in which you have saved the configuration data and certificates for the MD740-1.
   Remark: D:\GPRS_Configuration9\MD740_Remote1

4. Open the certificate which is given in your text file.
   Remark: Here: [email protected]

5. Enter the password you specified for the certificate in the Security Configuration Tool.
   Remark: Either the SCT project name or a new password.

6. Import the certificate with Import. Accept the settings with Set Values.

Edit the connection (Figure 5-11)

Figure 5-11: VPN > Connections. Address of the remote site's VPN gateway: 217.175.91.54 (connection between MD740 and S612). Authentication method: X.509 certificate Configuration1.S612.cer, Remote ID: MC268@G9A54

Table 5-24

7. Use the Edit button to switch to the connection properties.

8. As remote gateway address, enter the fixed IP address of your DSL connection.
   Remark: Here: 217.175.91.54

9. Click the Configure button to edit the X.509 certificate.

10. Use the Browse… button to change to the directory in which you have saved the configuration data and certificates for the MD740-1.
   Remark: D:\GPRS_Configuration9\MD740_Remote1

11. Open the certificate which is given in your text file.
   Remark: Here: Configuration1.S612.cer

12. Import the certificate with Import.

13. Specify the Remote ID given in your text file.
   Remark: Here: MC268@G9A54

14. Exit the X.509 certificate configuration page with the Back button.

15. Accept the settings with Set Values.

Tunnel properties (Figure 5-12)

Figure 5-12: Tunnel Settings. Local network address: 140.70.0.0, local netmask: 255.255.0.0. Remote network address: 192.168.3.0, remote netmask: 255.255.255.0.

Enter the settings according to your text file. Accept the settings with Set Values.

IKE settings

Table 5-25

16. The Configure… button takes you to the additional IKE settings.

17. Enter the settings according to your text file.
   Remark: The next point (6 Lifetime) is based on this page.

Figure 5-13: IKE settings. ISAKMP SA (Phase 1): Encryption Algorithm 3DES-168, Hash Algorithm SHA1. IPSec SA (Phase 2): Encryption Algorithm 3DES-168, Hash Algorithm SHA1, Perfect Forward Secrecy (PFS): No.

Lifetime

Figure 5-14: Lifetimes. ISAKMP SA Lifetime Phase 1 (seconds): 86400. IPSec SA Lifetime Phase 2 (seconds): 86400. The cyclic time window for Dead Peer Detection can be changed here; the default is 150 s.

Table 5-26

18. Enter the settings according to your text file.

19. Exit the IKE configuration page with the Back button.

20. Accept the settings with Set Values. Then briefly disconnect SCALANCE S and MD740-1 from the power supply so that both are rebooted.

NAT-T Keep Alive: To keep the NAT mapping at the APN gateway alive, a NAT-T keep-alive is sent after a certain time. The default value is 90 s. You can change this time on the website of the MD740-1 at VPN -> Extended.

Figure 5-15
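The IKE and IPsec parameters of Figures 5-13 to 5-15 and the NAT-T keep-alive above are typed by hand into the MD740-1, so a mismatch with the S612 side is the most common reason a tunnel never comes up. The following Python script is an added example, not code from the application note or from Siemens: it compares both peers' proposals, checks that the local and remote networks are mirror images, and flags the 2007-era choices (3DES, SHA1, no PFS) that current guidance advises against where the equipment supports stronger algorithms. The dictionary layout, the field names and the assumed NAT mapping timeout of 180 s are this example's own, not MD740-1 or SCT field names.

```python
import copy
from ipaddress import ip_network

# Parameters as shown in the document's figures for the REMOTE1 connection
# (Figure 5-12 networks, Figure 5-13 algorithms, Figure 5-14 lifetimes). The
# key names are this example's own, not the MD740-1 or SCT field names.
S612_SIDE = {
    "phase1": {"enc": "3DES-168", "hash": "SHA1", "lifetime_s": 86400},
    "phase2": {"enc": "3DES-168", "hash": "SHA1", "lifetime_s": 86400, "pfs": False},
    "local_net": "192.168.3.0/24",   # service center behind the S612
    "remote_net": "140.70.0.0/16",   # Remote Station 1 behind the MD740-1
}

# The same connection as entered on the MD740-1: local and remote are mirrored,
# and the modem additionally carries the DPD and NAT-T keep-alive timers.
MD740_SIDE = {
    "phase1": {"enc": "3DES-168", "hash": "SHA1", "lifetime_s": 86400},
    "phase2": {"enc": "3DES-168", "hash": "SHA1", "lifetime_s": 86400, "pfs": False},
    "local_net": "140.70.0.0/16",
    "remote_net": "192.168.3.0/24",
    "dpd_interval_s": 150,      # Figure 5-14 default
    "natt_keepalive_s": 90,     # VPN -> Extended default
}

# Algorithms that current guidance no longer recommends (general knowledge,
# not a statement of the application note).
LEGACY_ENC = {"DES", "3DES-168"}
LEGACY_HASH = {"MD5", "SHA1"}


def find_mismatches(side_a, side_b):
    """List every proposal field on which the two peers disagree.

    IKE phase 1 and phase 2 only succeed when both sides offer the same
    algorithms and lifetimes, and the traffic selectors must be mirror
    images: A's local network is B's remote network and vice versa."""
    problems = []
    for phase in ("phase1", "phase2"):
        for key, value in side_a[phase].items():
            other = side_b[phase].get(key)
            if value != other:
                problems.append(f"{phase}.{key}: {value} != {other}")
    if ip_network(side_a["local_net"]) != ip_network(side_b["remote_net"]):
        problems.append("side A local_net is not side B remote_net")
    if ip_network(side_a["remote_net"]) != ip_network(side_b["local_net"]):
        problems.append("side A remote_net is not side B local_net")
    return problems


def policy_findings(side, nat_udp_timeout_s=180):
    """Flag weak or risky settings on one peer.

    nat_udp_timeout_s is an assumed UDP mapping timeout of the carrier NAT at
    the APN; the document does not state one, only that keep-alives are needed."""
    findings = []
    for phase in ("phase1", "phase2"):
        if side[phase]["enc"] in LEGACY_ENC:
            findings.append(f"{phase}: legacy cipher {side[phase]['enc']}, prefer AES")
        if side[phase]["hash"] in LEGACY_HASH:
            findings.append(f"{phase}: legacy hash {side[phase]['hash']}, prefer SHA-2")
    if not side["phase2"].get("pfs", False):
        findings.append("phase2: PFS off, a leaked phase 1 key exposes earlier IPsec keys")
    if side["phase2"]["lifetime_s"] > side["phase1"]["lifetime_s"]:
        findings.append("phase2 lifetime longer than phase1 lifetime")
    keepalive = side.get("natt_keepalive_s")
    if keepalive is not None and keepalive >= nat_udp_timeout_s:
        findings.append("NAT-T keep-alive is not shorter than the NAT mapping timeout")
    return findings


def with_change(side, phase, key, value):
    """Return a deep copy of a peer configuration with one proposal field changed
    (useful to see what a typo on the MD740-1 web page would do)."""
    changed = copy.deepcopy(side)
    changed[phase][key] = value
    return changed


if __name__ == "__main__":
    print("mismatches:", find_mismatches(S612_SIDE, MD740_SIDE))
    for finding in policy_findings(MD740_SIDE):
        print("finding:", finding)
```

If find_mismatches returns anything, IKE negotiation fails and the VPN LED stays off; the policy findings do not stop negotiation, they are the points a reviewer would raise against the exported SCT settings.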

VPN connection test: As soon as all settings have been transferred to the MD740-1, the GPRS modem automatically initiates a VPN tunnel to the SCALANCE S612. This can be verified

• at the green LED VPN on the MD740-1 and

• on the website of the modem at VPN -> IPSec-Status (Figure 5-16)

5.8.2 MD740-1 of Remote Station2

This GPRS modem MD740-1 is configured analogously to the MD740-1 of the other remote station and is therefore not discussed in detail.

Perform the following steps using the text file that was generated for this modem.

• execute PIN configuration

• insert SIM card into the device

• further configurations

• Use the connection name REMOTE2.

• The text file and the certificates are available at <Drive>\GPRS_Configuration9\MD740_Remote2.

Note: For the configuration, connect the PC/PG with the MD740-1 in Remote Station 2 via a standard Ethernet cable. The MD740-1 supports the "autocrossing" function, which enables a point-to-point connection with an uncrossed Ethernet cable.

5.9 Final configuration

Once all modules have been loaded, change the IP address of the PCs/PGs according to chapter 5.5. Connect all stations according to Figure 5-1.

6 Remote Access Scenarios

Overview: The following table lists the remote access scenarios which were tested in this configuration.

Table 6-1 (columns: Access function / Function test / Scenario)

S7 communication
– Standard diagnosis: module status (OK), diagnostic buffer (OK), CPU messages (OK), variable table (OK), DB editor (OK) / Chapter 6.1
– STEP 7 project: upload (OK), download (OK) / Chapter 6.1
– S7 routing (OK) / Chapter 6.5
– OPC access: server and client in the service center (OK); server on PC in remote station, client in service center (OK) / Chapter 6.6

SOAP
– WinCC flexible: SOAP connection between PG and Panel (OK)

HTTP / VNC
– Sm@rtService: Remote Control (OK), Sm@rtService download (OK), Sm@rt Viewer (OK) / Chapter 6.2
– WinCC flexible project: upload (*), download (OK) / Chapter 6.2
– CP343-1 Advanced: standard website (OK), loading S7 applets (OK) / Chapter 6.3

Ethernet
– WinCC flexible project: upload (*), download (*) / Chapter 6.2

Note: The functions labeled with * are not possible with this constellation (secured remote access via GPRS).

6.1 Diagnosis scenario 1 for Remote Station 1 (S7 communication)

The following situation is simulated for this scenario:

• Service center permanently on the network

• Connection with the remote station only initialized on demand, to save data volume.

This diagnosis scenario demonstrates that communication via a VPN tunnel also works with several S7 stations and that the entire PG functionality is available.

Table 6-2

Connection with the remote station should be established
• Call in the remote station to switch on the modem.
• Wait for the connection initialization (the modem actively initializes the connection with the S612).
Note: If the VPN tunnel has been initialized, this becomes apparent
• in the remote station at the lit LED VPN of the MD740-1
• in the online function Communication status of the SCT

Read module status and diagnostic buffer of Station 1 and Station 2
• Open the respective STEP 7 project with the SIMATIC Manager and switch it online.
• Select the CPU in Station 1 and view diagnostic buffer / module status.
• Select the CPU in Station 2 and view diagnostic buffer / module status.

Receive CPU messages
• Select the CPU of Station 2 and open the window for the CPU messages via PLC -> CPU Messages.
• Activate checkbox W to receive diagnostic events.
Note: To receive a message, set the CPU to STOP and back to RUN mode.

View variables
• Open the variable table of Station 2 and go online via Variable -> Monitor.
Note: Here you can monitor 27 variables almost in real time.

Upload program sequence
• Create a new STEP 7 project in the SIMATIC Manager.
• With PLC -> Upload Station to PG you can load a STEP 7 project from a CPU.
• In the following dialog, enter the rack and slot number of the CPU and the IP address via which the CPU can be reached. The target station can be reached locally.
Note: The IP address of the connection to the target station can be that of the CPU itself (PROFINET interface) or of a CP.

Download program sequence
• Select the SIMATIC station in your STEP 7 project and load it into the CPU via PLC -> Download.
Note: The download of a STEP 7 project via a VPN tunnel takes longer; however, it runs very stably.

DB editor
• SFC 51 is called in OB100 of Station 1. It reads the module status of the CPU and saves the data record in DB 2.
• Open the data block (RDSYSST_DB). Go online to view the current values.
Note: Perform a restart at Station 1 so that OB 100 is called.

6.2 Diagnosis scenario 2 for Remote Station 1 (access to Panel by means of WinCC flexible)

In this diagnosis scenario the remote control is demonstrated via a secured connection. Operating and monitoring of a process is possible without restriction.

Table 6-3

WinCC flexible project download
• For the transfer of the WinCC flexible project to the Panel, follow the instructions in chapter 5.6.2.
• Change the transfer settings dialog as follows: Mode: HTTP, IP address: 140.70.0.4, User name: Administrator, HTTP password: 100
Note: The download of a WinCC flexible project via a VPN tunnel takes longer; however, it runs very stably.

Sm@rtService sequence: Remote Diagnosis
• Start a standard web browser, e.g. Internet Explorer, and enter the address of the Panel (http://140.70.0.4).
• On the web page of the Panel you find the control functions, the panel status and a file explorer.
Note: Loading the website of the Panel takes only a few seconds despite the VPN tunnel (approx. 10 s).

Sm@rtService sequence: Remote Control
• In the navigation bar of the website, click Remote Control and start the Sm@rtClient.
• The applet for the VNC password is loaded. Enter 100 as the password.
• As soon as the operator screen is loaded, you can operate and monitor.
Note: Loading the operator screen via Sm@rtService takes very long and "costs" a lot of data volume, because the website of the panel and the applet for the VNC password are loaded first. Once the operator screen has been loaded, it is polled regularly, which causes enormous data volumes (1.2 MByte/h). Loading the operator screen via GPRS is not recommended!

Sm@rtService sequence: Sm@rtViewer
• Start the Sm@rt Viewer via START -> SIMATIC -> WinCC flexible 2005.
• As Server, enter the IP address of the panel and activate LAN.
• The session password is 100 by default.
• As soon as the operator screen is loaded, you can operate and monitor.
Note: The Sm@rtViewer is a sensible alternative for remote control of the panel and the visualization user interface. Only the user interface of the Panel is loaded here. Once the operator screen has been loaded, it is polled regularly, which causes enormous data volumes (0.86 MByte/h). Loading the operator screen via GPRS is not recommended!

Note: If the transfer is performed via VPN tunnel and GPRS, the packets are fragmented too heavily in Ethernet mode, which WinCC flexible cannot handle. When transferring via a VPN tunnel and GPRS, only the HTTP mode can be used.

However, a transfer back from the panel to the PC/PG only works in Ethernet mode and is therefore not possible in this constellation.

6.3 Diagnosis scenario 3 for Remote Station 1 (SOAP)

This diagnosis scenario demonstrates that a SOAP (Simple Object Access Protocol) connection between panel and PC/PG can also be established via a VPN tunnel, and that variables can be read and written over it.

Table 6-4

Change the hosts file on the PC
• Open the lmhosts file with an editor (C:\Windows\System32\Drivers\ETC\lmhosts). At the end of this file, enter the IP address of the panel (140.70.0.4) as well as its device name.
• The device name of the panel is available at the panel under Menu > Control Panel > Communications Properties > Device Name.
• Save this file without the extension .sam.
Note: For the change of the lmhosts file, please also note FAQ 13336639 (http://support.automation.siemens.com/WW/view/en/13336639). Instructions are given in the section "Initializing a network connection", number 3.

HTML page with SOAP connection
• Open the HTML page SOAP.htm.
• Here you can read and write WinCC flexible variables.
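The lmhosts step above is easy to get wrong (a mistyped address, a NetBIOS name longer than 15 characters, or the file saved under the lmhosts.sam name), and the only symptom is that SOAP.htm cannot resolve the panel. The following Python helper is an added example, not code from the application note or from Siemens: it validates and merges the entry, replaces a stale mapping for the same name instead of adding a second conflicting line, and refuses the .sam file name. The function names and the sample file content are this example's own; 140.70.0.4 is the panel address from the document, and PANEL1 and OLDPANEL are constructed placeholder names.

```python
from ipaddress import IPv4Address, AddressValueError

NETBIOS_MAX_LEN = 15   # a NetBIOS computer name has at most 15 characters

# Constructed sample of an existing lmhosts file (not the real lmhosts.sam).
SAMPLE_LMHOSTS = "# constructed sample lmhosts content\n140.70.0.9\tOLDPANEL\n"


def lmhosts_entry(ip, name, preload=False):
    """Return one lmhosts line, "<ip> <NAME>", after validating both fields.

    A silently wrong address would send the SOAP requests to some other host,
    so the entry is checked before it is written."""
    try:
        IPv4Address(ip)
    except AddressValueError as exc:
        raise ValueError(f"invalid IPv4 address {ip!r}") from exc
    if not name or len(name) > NETBIOS_MAX_LEN or any(c.isspace() for c in name):
        raise ValueError(f"invalid NetBIOS name {name!r}")
    line = f"{ip}\t{name.upper()}"
    if preload:
        line += "\t#PRE"   # standard lmhosts keyword: preload into the name cache
    return line


def merge_lmhosts(existing_text, ip, name, preload=False):
    """Append the mapping, or replace an existing line for the same name.

    Two lines mapping one name to two addresses is the classic stale-entry
    mistake after a panel's address has been changed."""
    new_line = lmhosts_entry(ip, name, preload)
    out, replaced = [], False
    for raw in existing_text.splitlines():
        fields = raw.split("#", 1)[0].split()   # ignore comments and #PRE
        if len(fields) >= 2 and fields[1].upper() == name.upper():
            out.append(new_line)
            replaced = True
        else:
            out.append(raw)
    if not replaced:
        out.append(new_line)
    return "\n".join(out) + "\n"


def lmhosts_target_path(path):
    """Reject the sample file name: Windows only reads 'lmhosts' (no extension),
    which is why the document says to save without the .sam ending."""
    if path.lower().endswith(".sam"):
        raise ValueError("save the file as 'lmhosts', not 'lmhosts.sam'")
    return path


if __name__ == "__main__":
    print(merge_lmhosts(SAMPLE_LMHOSTS, "140.70.0.4", "PANEL1", preload=True))
```

Write the result of merge_lmhosts back to the path returned by lmhosts_target_path; keeping the merge on strings makes the logic testable without touching the system file.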

6.4 Diagnosis scenario 4 for Remote Station 1 (IT-CP standard page)

In this diagnosis scenario, an HTML page of the IT-CP is called via the VPN tunnel; it contains diagnostic entries of the CPU and the CP as well as other relevant information.

Table 6-5

IT-CP website
• Start a standard web browser, e.g. Internet Explorer, and enter the address of the IT-CP (http://140.70.0.2).
Note: On the website of the CP you find server information, the current rack setup, diagnostic buffer entries and additional information.

S7 applets
• Generate an HTML page with S7 applets.
• Store the files in the file system of the IT-CP.
• Start a standard web browser, e.g. Internet Explorer, and enter the address of your generated HTML page on the IT-CP.
Note: Loading S7 applets via a secured VPN tunnel takes very long and "costs" a lot of data volume, depending on the applet size! Loading a Java applet via GPRS is not recommended.

Note: Further information is available in the manual on the CP343-1 Advanced: http://support.automation.siemens.com/WW/view/en/22261695

6.5 Diagnosis scenario 5 for Remote Station 2 (S7 routing)

This diagnosis scenario demonstrates that stations connected to PROFIBUS can be addressed via a secured connection. Communication takes place via a DP master connected to the Ethernet network. S7 routing is performed automatically.

Table 6-6

S7 routing
• Open the STEP 7 project for Remote Station 2.
• Open the variable table of the I_SLAVE station and go online. The variables are now read from the I_SLAVE station via Station 1.
Note: The ET200S is connected to Station 1 via PROFIBUS; Station 1 in turn is connected to the MD740-1 via Ethernet.

6.6 Diagnosis scenario 6 for Remote Station 2 (OPC access)

This diagnosis scenario demonstrates that communication via OPC works without problems despite the VPN tunnel and can be used without restrictions. The variables are transferred in real time.

Table 6-7

OPC access: OPC server and client in the service center
• Start the OPC Scout at START -> SIMATIC -> SIMATIC NET.
• Connect by clicking the OPC.SimaticNET server and assign a group name.
• Double-click the generated group. Select the IM151-7 CPU at \SYM -> ET200S.
• Select the variable you wish to monitor and add it to the group with the -> icon. Acknowledge with OK.
• The variables are now displayed with parameters (value, format, type etc.).
Note: Monitoring the variables via OPC occurs in real time. By default, the variables in the OPC client are updated every 500 ms. Reduce this value to save data volume.

OPC access: OPC server on the PG in the remote station, OPC client in the service center
• For this OPC connection you must assign access rights on both computers in the DCOM settings.
• Start the OPC Scout and add a Remote Server. Node name: IP address of the PG/PC on which the OPC server is running. OPC server name: OPC.SimaticNET
Note: Please refer to the corresponding SIMATIC NET manual: http://support.automation.siemens.com/WW/view/de/13542666

7 Adjustments / Modifications/ Expansions

7.1 Adding a remote station

This section describes the steps necessary for connecting another remote station to the service center using the GPRS modem MD740-1.

For each further remote station, a VPN tunnel to the SCALANCE S612 must be configured (i.e. a further group must be generated).

The following table shows the necessary steps for adding another station to the existing remote stations.

Table 7-1

21. With the Security Configuration Tool, open the project generated in chapter 5.7.
   Remark: This requires authentication with user name and password.

22. Insert a new module with Insert -> Module. Change the module line as follows: Name: Remote3; Type: MD740-1; IP address ext.: leave default settings; Subnet mask ext.: leave default settings; IP address int.: 140.60.0.1; Subnet mask int.: 255.255.0.0
   Remark: Each station must have its own network ID.

23. Select VPN Groups in the Offline View. Now create a new group via Insert -> Group.

24. S612 and MD740-1 Remote3 are placed in Group3. Select the modules S612 and Remote3 individually in the same column and drag them to Group3.

25. SCALANCE and MD740-1 must be reloaded.

26. Connect your PC/PG with the external port of the SCALANCE S.

27. Load the configuration into the SCALANCE S. Select the SCALANCE S module line for this and click Transfer.

28. In D:\GPRS_Configuration9, create a new directory MD740_Remote3. There you save the configuration for the MD740-1 of Remote Station 3. Select the modem module line 4 and click Transfer. As target directory, specify the newly created directory for the configuration files and certificates. Acknowledge the following dialog with Yes for a new certificate password or with No for the default password.

29. Connect the PC/PG with the MD740-1 to configure the module.

30. The configuration of the MD740-1 of Remote Station 3 is described in chapter 5.8.1.
   Remark: Use the connection name REMOTE3. The text file and the certificates are available at <Drive>\GPRS_Configuration9\MD740_Remote3.

7.2 Maximum number of remote stations

Quantity framework SCALANCE S61x: For remote maintenance of more than 64 remote stations, an S613 module can be used. Instead of the S612 V2, enter an S613 V2 in your Security Configuration Tool project. Then proceed as described in chapter 5.7.

• SCALANCE S612: up to 64 VPN tunnels

• SCALANCE S613: up to 127 VPN tunnels

7.3 Notes / tips for IP address planning

If the SCALANCE S communicates with several MD740-1 devices, each remote station must have a different network ID. The SCALANCE S determines solely from the configured network ID which data packets need to be sent into which tunnel.

Figure 7-1: IP address planning (labels recovered from the figure). Service center: SCALANCE S612, PG/PC with STEP 7 and Security Configuration Tool. Remote Station 1: Net ID 140.60.0.0, subnet 255.255.0.0, STEP 7 project 1. Remote Station 2: Net ID 140.70.0.0, subnet 255.255.0.0, STEP 7 project 2. Remote Station 3: Net ID 140.80.0.0, subnet 255.255.0.0, STEP 7 project 3. Addresses shown: 140.60.0.8, 140.60.0.11, 140.60.0.4, 140.70.0.11, 140.80.0.8. Data packets are forwarded to the SCALANCE S (default router of the PGs). The SCALANCE S knows from the SCT configuration which data packet needs to go into which tunnel.
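Chapter 7.3 makes the forwarding decision of the SCALANCE S depend entirely on the planned network IDs, so an overlapping or duplicated Net ID is a planning error that no later SCT setting can repair. The following Python check is an added example, not code from the application note or from Siemens: it takes the Net IDs from Figure 7-1 and the service-center network from Figure 5-12, reports overlaps between every pair of networks (including against the local network), and shows which tunnel a given destination address would be assigned to, using longest-prefix matching so that the general case of nested networks is handled too. The names TUNNELS, SERVICE_CENTER_NET, overlapping_networks, select_tunnel and plan_is_valid are this example's own.

```python
from ipaddress import ip_address, ip_network

# Net ID per VPN tunnel as planned in the document (chapter 7.3 / Figure 7-1).
TUNNELS = {
    "REMOTE1": "140.60.0.0/16",
    "REMOTE2": "140.70.0.0/16",
    "REMOTE3": "140.80.0.0/16",
}
# Network behind the SCALANCE S612 itself (Figure 5-12).
SERVICE_CENTER_NET = "192.168.3.0/24"


def overlapping_networks(tunnels, local_net):
    """Return the pairs of names whose networks overlap, sorted by name.

    Any overlap makes the tunnel choice ambiguous, which is exactly the
    situation chapter 7.3 warns against; the local network is included so a
    remote Net ID cannot shadow the service center."""
    nets = {name: ip_network(net) for name, net in tunnels.items()}
    nets["LOCAL"] = ip_network(local_net)
    names = sorted(nets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]


def select_tunnel(tunnels, dst_ip):
    """Name of the tunnel whose Net ID contains dst_ip, or None if the packet
    stays untunnelled. With a valid (overlap-free) plan at most one tunnel
    matches; with nested networks the most specific prefix wins."""
    ip = ip_address(dst_ip)
    best_name, best_net = None, None
    for name, net in tunnels.items():
        candidate = ip_network(net)
        if ip in candidate and (best_net is None or candidate.prefixlen > best_net.prefixlen):
            best_name, best_net = name, candidate
    return best_name


def plan_is_valid(tunnels, local_net):
    """True when no two networks of the plan overlap."""
    return not overlapping_networks(tunnels, local_net)


if __name__ == "__main__":
    print("overlaps:", overlapping_networks(TUNNELS, SERVICE_CENTER_NET))
    for dst in ("140.70.0.4", "140.80.0.8", "192.168.3.10"):
        print(dst, "->", select_tunnel(TUNNELS, dst))
```

Run the check against the Net IDs of the SCT project before transferring a configuration that adds a station; an empty overlap list is the precondition under which the SCALANCE S can route unambiguously.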

8 History

Table 8-1

Version Date Change

V1.0 Apr. 4th 2007 First edition