Creating A Vpn Tunnel For S7 Communication Between Stations - Siemens SIMATIC S7-1200 CP 1243-8 IRC Operating Instructions Manual

4.16.8.3

Creating a VPN tunnel for S7 communication between stations

Requirements
To allow a VPN tunnel to be created for S7 communication between two S7 stations or
between an S7 station and an engineering station or an ST7cc/sc PC with a security CP (for
example CP 1628), the following requirements must be met:
● The two stations have been configured.
● The CPs in both stations must support the security functions.
● The Ethernet interfaces of the two stations are located in the same subnet.
● All receiving stations require a fixed IP address to be reachable via the public networks.
Note
Communication also possible via an IP router
Communication between the two stations is also possible via an IP router. To use this
communications path, however, you need to make further settings.
Procedure
To create a VPN tunnel, you need to work through the following steps:
1. Creating a security user
If the security user has already been created: Log on as this user.
2. Enable the "Activate security features" option
3. Creating the VPN group and assigning security modules
4. Configure the properties of the VPN group
5. Configure local VPN properties of the two CPs
You will find a detailed description of the individual steps in the following paragraphs of this
section.
Select "Activate security features"
After logging on, you need to select the "Activate security features" check box in the local
security settings of both CPs.
You now have the security functions available for both CPs.
Creating the VPN group and assigning security modules
1. In the global security settings, select the entry "VPN groups" > "Add new VPN group".
2. Double-click on the entry "Add new VPN group", to create a VPN group.
Result: A new VPN group is displayed below the selected entry.
CP 1243-8 IRC
Operating Instructions, 02/2018, C79000-G8976-C385-03
Configuration
4.16 Security
113