Siemens SIMATIC NET SCALANCE S615 Configuration Manual page 31

Industrial ethernet security web based management
Encryption methods
The device also supports the following methods:
● 3DES-168
● AES-128 (AES-128 is a commonly used method and is therefore set as default.)
● AES-192
● AES-256
Requirements of the VPN partner
The VPN partner must support IPsec with the following configuration to be able to establish
an IPsec connection successfully:
● Authentication with partner certificate, CA certificates or pre-shared key
● IKEv1 or IKEv2
● Support of at least one of the following DH groups: Diffie-Hellman group 1, 2, 5 and 14 - 1
● 3DES or AES encryption
● MD5, SHA1 or SHA512
● Tunnel mode
If the VPN partner is downstream from a NAT router, the partner must support NAT-T, or
the NAT router must understand the IPsec protocol (IPsec/VPN passthrough).
NAT-T
There may be a NAT router between the device and the VPN gateway of the remote
network. Not all NAT routers allow IPsec frames to pass through. This means that it may be
necessary to encapsulate the IPsec frames in UDP packets to be able to pass through the
NAT router.
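The following Python script is an added illustration and is not part of the Siemens manual. It shows what the UDP encapsulation described above looks like on the wire (RFC 3948 NAT-T): an ESP packet has no port numbers that a NAT router could map, so it is carried inside UDP on port 4500, and IKE messages on the same port are prefixed with a four-zero-byte "non-ESP marker" so the receiver can tell the two apart. All packet contents are constructed sample data; the helper names are assumptions for the example.

```python
# Added example, not from the Siemens manual: how NAT-T (RFC 3948) carries
# IPsec through a NAT router by wrapping ESP in UDP, and how a receiver on
# UDP port 4500 tells IKE, ESP and NAT keepalives apart. Packet contents
# below are constructed sample data, not captures from a SCALANCE device.
import struct

NAT_T_PORT = 4500                      # IKE/ESP-in-UDP port (RFC 3948)
IKE_PORT = 500                         # plain IKE port
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # prefix for IKE messages on port 4500
NAT_KEEPALIVE = b"\xff"                # one-byte keepalive to hold the NAT mapping


def build_esp_packet(spi: int, seq: int, ciphertext: bytes) -> bytes:
    """Minimal ESP packet: SPI (4 bytes), sequence number (4 bytes), payload.
    ESP has no port numbers, which is why a NAT router that only maps
    UDP/TCP ports cannot forward it without NAT-T."""
    if spi == 0:
        # SPI 0 is reserved; it would be indistinguishable from the non-ESP marker
        raise ValueError("SPI 0 is reserved")
    return struct.pack("!II", spi, seq) + ciphertext


def build_ike_header(spi_i: int, spi_r: int, exchange_type: int, msg_id: int) -> bytes:
    """Bare 28-byte IKEv2 header (RFC 7296 section 3.1); version 2.0, no payloads."""
    next_payload = 0                     # no next payload
    version = 0x20                       # major 2, minor 0
    flags = 0x08                         # Initiator flag
    length = 28
    return struct.pack("!QQBBBBII", spi_i, spi_r, next_payload, version,
                       exchange_type, flags, msg_id, length)


def encapsulate_esp(esp_packet: bytes) -> bytes:
    """UDP/4500 payload for an ESP packet: the ESP packet itself, unchanged."""
    return esp_packet


def encapsulate_ike(ike_message: bytes) -> bytes:
    """UDP/4500 payload for IKE: four zero bytes, then the IKE message."""
    return NON_ESP_MARKER + ike_message


def classify_udp4500_payload(payload: bytes) -> tuple[str, bytes]:
    """Demultiplex a UDP/4500 payload the way the receiving gateway does.
    Returns (kind, inner) where kind is 'IKE', 'ESP' or 'KEEPALIVE'."""
    if payload == NAT_KEEPALIVE:
        return "KEEPALIVE", b""
    if len(payload) < 8:
        raise ValueError("payload too short for ESP or IKE")
    if payload[:4] == NON_ESP_MARKER:
        return "IKE", payload[4:]
    # Anything else starts with a non-zero SPI and is ESP.
    return "ESP", payload


def describe_udp4500_payload(payload: bytes) -> str:
    """Human-readable one-liner, e.g. for reviewing a capture of port 4500 traffic."""
    kind, inner = classify_udp4500_payload(payload)
    if kind == "ESP":
        spi, seq = struct.unpack("!II", inner[:8])
        return f"ESP spi=0x{spi:08x} seq={seq} len={len(inner)}"
    if kind == "IKE":
        spi_i, _spi_r, _np, ver, xt, _fl, mid, ln = struct.unpack("!QQBBBBII", inner[:28])
        return f"IKEv{ver >> 4} exchange={xt} msgid={mid} len={ln} spi_i=0x{spi_i:016x}"
    return "NAT keepalive"


if __name__ == "__main__":
    esp = build_esp_packet(spi=0x0000C0DE, seq=7, ciphertext=b"\x00" * 32)
    # exchange type 34 = IKE_SA_INIT
    ike = build_ike_header(spi_i=0x1122334455667788, spi_r=0, exchange_type=34, msg_id=0)
    for p in (encapsulate_esp(esp), encapsulate_ike(ike), NAT_KEEPALIVE):
        print(describe_udp4500_payload(p))
```

When troubleshooting a partner behind NAT, the practical check is whether UDP port 4500 traffic appears on both sides after the initial exchange on port 500; if only port 500 is seen and ESP (IP protocol 50) is dropped by the NAT router, the partner either lacks NAT-T support or the router lacks IPsec passthrough.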
Dead peer detection
This is only possible when the VPN partner supports DPD. DPD checks whether the
connection is still operating problem-free or whether there has been an interruption on the
line. Without DPD, and depending on the configuration, it may be necessary to wait until the
SA lifetime has expired, or the connection must be re-initiated manually. To check whether the
IPsec connection is still problem-free, the device itself sends DPD queries to the partner
station. If the partner does not reply, the IPsec connection is considered interrupted
after the permitted number of failures has been reached.
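The following Python script is an added illustration and is not part of the Siemens manual. It models the dead peer detection behaviour described above: the device sends a DPD query at a fixed interval, a query that is still unanswered when the next one is due counts as a failure, and after the permitted number of failures the connection is declared interrupted. It also shows why only the outstanding query's sequence number may clear the failure counter, and how long detection takes compared with waiting for the SA lifetime. The query interval and failure threshold are assumed example values, not the device's defaults.

```python
# Added example, not from the Siemens manual: a simplified model of dead peer
# detection as the text describes it. The device sends DPD queries to the
# partner at a fixed interval; each query that goes unanswered by the time
# the next one is due counts as a failure, and after the permitted number of
# failures the IPsec connection is declared interrupted. The interval and
# failure threshold are assumed illustrative values, not device defaults.


class DpdMonitor:
    """Tracks DPD state for one IPsec connection (initiator side)."""

    def __init__(self, interval_s: float = 10.0, max_failures: int = 3):
        self.interval_s = interval_s
        self.max_failures = max_failures
        self.seq = 0                 # sequence number of the last query sent
        self.pending = None          # sequence number awaiting a reply, if any
        self.failures = 0            # consecutive unanswered queries
        self.last_sent = None        # time of the last query
        self.state = "UP"            # "UP" or "INTERRUPTED"
        self.interrupted_at = None

    def poll(self, now: float):
        """Run the DPD timer. Returns a query to send, or None."""
        if self.state != "UP":
            return None
        if self.last_sent is not None and now - self.last_sent < self.interval_s:
            return None              # next query not due yet
        if self.pending is not None:
            # The previous query was never acknowledged: count a failure.
            self.failures += 1
            if self.failures >= self.max_failures:
                self.state = "INTERRUPTED"
                self.interrupted_at = now
                return None
        self.seq += 1
        self.pending = self.seq
        self.last_sent = now
        return {"type": "R-U-THERE", "seq": self.seq}

    def on_reply(self, seq: int) -> bool:
        """Handle an R-U-THERE-ACK. Only the outstanding sequence number counts,
        so a stale or replayed ack cannot keep a dead connection 'alive'."""
        if self.state == "UP" and seq == self.pending:
            self.pending = None
            self.failures = 0
            return True
        return False


def simulate_dpd(reply_pattern, interval_s: float = 10.0, max_failures: int = 3):
    """Drive the monitor through one timer tick per entry of reply_pattern.
    Each entry says whether the partner answers the query sent at that tick.
    Returns (final_state, queries_sent, interrupted_at)."""
    mon = DpdMonitor(interval_s, max_failures)
    sent = 0
    for tick, partner_answers in enumerate(reply_pattern):
        now = tick * interval_s
        query = mon.poll(now)
        if query is None:
            continue
        sent += 1
        if partner_answers:
            mon.on_reply(query["seq"])
    return mon.state, sent, mon.interrupted_at


def worst_case_detection_delay(interval_s: float, max_failures: int) -> float:
    """Longest time between the last good reply and the connection being
    declared interrupted. Without DPD the comparable figure is the remaining
    SA lifetime, which is typically far longer."""
    return interval_s * (max_failures + 1)


if __name__ == "__main__":
    # Constructed scenario: partner answers twice, then falls silent.
    print(simulate_dpd([True, True, False, False, False, False, False]))
    print("worst-case detection delay:", worst_case_detection_delay(10.0, 3), "s")
```

With a 10 s interval and 3 permitted failures, the constructed scenario declares the connection interrupted 40 s after the last good reply; lowering the interval or the failure count shortens this at the cost of more DPD traffic and a higher risk of false interruptions on a lossy line.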
SCALANCE S615 Web Based Management
Configuration Manual, 05/2015, C79000-G8976-C388-02
Technical basics
2.5 Security functions
31
