Summary of Contents for Siemens Scalance S623

  • Page 1 Siemens Scalance S623...
  • Page 2 Overview • Basic Configuration • Standard mode Firewall • Advanced Firewall • User Management • Advanced User Management • VPN with PreShared Key • VPN with Certificates • Gateway-to-Gateway VPN • VPN with User Authentication...
  • Page 3 Technology Overview • User Authentication On-device Connection with RADIUS server • IPsec end-to-end...
  • Page 4 Necessary Software • Siemens Security Configuration Tool • Siemens SOFTNET Security Client • Siemens Automation License Manager • (Optional) Siemens Primary Setup Tool...
  • Page 5 Basic Configuration In this example we set the IP addresses of all 3 interfaces on the SCALANCE S623 This will demonstrate configuration steps that will be reused in every following example...
  • Page 6 Basic Configuration 1. Setting up the network 2. Making IP settings for the PC 3. Creating a project and security module 4. Downloading the configuration to the security module...
  • Page 7 Basic Configuration 1. Setting up the network • Connecting the external interface of the Scalance to the … • Scalance interfaces (figure legend): External network, red marking = unprotected network area; Internal network, green marking = network protected by Scalance; DMZ port, yellow marking = unprotected or protected network...
  • Page 8 Basic Configuration 2. Making IP settings for the PC IP address Subnet mask 192.168.10.2 255.255.255.0 • “Start” > “Control Panel” Open Control Panel • Open “Network and Sharing Center”...
  • Page 9 Basic Configuration 2. Making IP settings for the PC IP address Subnet mask 192.168.10.2 255.255.255.0 • Select “Change adapter settings” • Open the Local Area Connection Properties Doubleclick “Local Area Connection”, then click “Properties”...
  • Page 10 Basic Configuration 2. Making IP settings for the PC IP address Subnet mask 192.168.10.2 255.255.255.0 • Click the “Properties” button • Select “Use the following IP” • Enter the values from the table in the relevant boxes • Close the dialogs with “Ok” and close Control Panel...
  • Page 11 Basic Configuration 3. Creating a project and security module • Start the Security Configuration Tool • Select the “Project” > “New...” menu command • Create a new user This user is assigned the “administrator” role • Confirm with “OK”...
  • Page 12 Basic Configuration 3. Creating a project and security module • In the “Product type”, “Module” and “Firmware release” areas, select the following options Product type: Scalance S Module: S623 Firmware release: V4...
  • Page 13 Basic Configuration 3. Creating a project and security module • In the “Configuration” area, enter the MAC address The MAC address is printed on the front of the SCALANCE...
  • Page 14 Basic Configuration 3. Creating a project and security module • In the “Configuration” area, enter the external IP address (192.168.10.1) and the external subnet mask (255.255.255.0) • From the drop-down list, select the “Routing Mode” • Enter the internal IP address (192.168.9.1) and the internal subnet mask (255.255.255.0) •...
  • Page 15 Basic Configuration 3. Creating a project and security module • Select the security module created and select the “Edit” > “Properties” menu command, “Interfaces” tab • Select the “Activate Interface” check box in the “DMZ port (X3)” area • Enter the IP address (192.168.8.1) and the subnet mask (255.255.255.0) for the DMZ interface •...
  • Page 16 Basic Configuration 4. Downloading the configuration to the security module • Select the “Project” > “Save” menu command • Select the security module in the content area • Select the “Transfer” > “To module(s)…” menu command • Start the download with the “Start” button...
  • Page 17 Basic Configuration 4. Downloading the configuration to the security module • If the download was completed successfully, the Scalance is restarted automatically and the configuration activated • The Scalance is now in productive operation • Configurations can be downloaded via all interfaces, including the unprotected external one, so access to the module's configuration has to be controlled in production •...
  • Page 18 Standard mode Firewall In this example, the firewall will be configured to allow IP traffic to only be initiated by the internal network...
  • Page 19 Standard mode Firewall 1. Setting up the network 2. Making IP settings for the PCs 3. Creating a project and security module 4. Configuring the firewall 5. Downloading the configuration to the security module 6. Testing the firewall function (ping test/logging)
  • Page 20 Standard mode Firewall 1. Setting up the network • Reset the Scalance to factory settings by pressing the Reset button and holding it down for at least 5 seconds • Connect the PC with the Security Configuration Tool (PC1) to the external network interface •...
  • Page 21 Standard mode Firewall 2. Making IP settings for the PCs IP address Subnet mask 192.168.10.2 255.255.255.0 192.168.10.3 255.255.255.0 • Set the IP addresses of the PCs as in the table above...
  • Page 22 Standard mode Firewall 3. Creating a project and security module • Create a new project • In the “Configuration” area enter the MAC address • Enter the external IP address (192.168.10.1) and the external subnet mask (255.255.255.0) • Confirm with “OK”...
  • Page 23 Standard mode Firewall 4. Configuring the firewall • Select the security module in the content area • Select the “Edit” > “Properties…” menu command • Select the “Firewall” tab in the displayed dialog • Activate the settings shown in the picture Result: IP traffic is only initiated from the internal network •...
  • Page 24 Standard mode Firewall 5. Downloading the configuration to the security module • Transfer the configuration to the security module...
  • Page 25 Standard mode Firewall 6. Testing the firewall function (ping test/logging) • Open the command prompt on PC2 “Start” > ”All programs” >”Accessories” > ”Command Prompt” • Enter the ping command from PC2 to PC1 “ping 192.168.10.2” • All packets reach PC1...
  • Page 26 Standard mode Firewall 6. Testing the firewall function (ping test/logging) • Open the command prompt on PC1 • Enter the ping command from PC1 to PC2 “ping 192.168.10.3” • All packets are blocked at Scalance...
  • Page 27 Standard mode Firewall 6. Testing the firewall function (ping test/logging) • In the SCT change to online mode by selecting the menu option “View” > “Online” • Select “Edit” > “View Diagnostics” • Select the “Packet filter log” tab...
  • Page 28 Standard mode Firewall 6. Testing the firewall function (ping test/logging) • Click the “Start reading” button • Acknowledge with “OK” • Log entries are read and displayed here...
  • Page 29 Advanced Firewall In this example, the firewall is configured to allow IP traffic from PC2 to PC1. The packets are forwarded to the outside with an IP address translated to the IP address of the security module and a dynamically assigned port number. Only replies to these packets can enter the internal network...
  • Page 30 Advanced Firewall 1. Setting up the network 2. Making IP settings for the PCs 3. Creating a project and security module 4. Configuring the firewall 5. Downloading the configuration to the security module 6. Testing the firewall function (ping test/logging)
  • Page 31 Advanced Firewall 1. Setting up the network • Reset the Scalance to factory settings by pressing the Reset button and holding it down for at least 5 seconds • Connect the PC with the Security Configuration Tool (PC1) to the external network interface •...
  • Page 32 Advanced Firewall 2. Making IP settings for the PCs IP address Subnet mask Default Gateway 192.168.10.2 255.255.255.0 192.168.10.1 192.168.9.2 255.255.255.0 192.168.9.1 • Set the IP addresses of the PCs as in the table above...
  • Page 33 Advanced Firewall 3. Creating a project and security module • Create a new project • In the “Configuration” area enter the MAC address • Enter the external IP address (192.168.10.1) and the external subnet mask (255.255.255.0) • Select the “Routing mode” •...
  • Page 34 Advanced Firewall 4. Configuring the firewall • Change the configuration view to advance mode with the menu command “View” > “Advanced Mode” • Select the module in the content area • Select the “Edit” > “Properties…” menu command • Go to the “NAT/NAPT” tab...
  • Page 35 Advanced Firewall 4. Configuring the firewall • Select the “Activate NAT” checkbox • Click the “Add” button in the “NAT” input area • Configure the NAT rule with the following parameters Action: “Source NAT” From: “Internal” To: “External” Source IP address: “*” Source translation: “192.168.10.1” •...
  • Page 36 Advanced Firewall 4. Configuring the firewall • Select the “Firewall” tab • Expand the firewall rule created by SCT with the following Destination IP address: 192.168.10.2 • Select the “Logging” check box • Confirm with “OK”...
  • Page 37 Advanced Firewall 5. Downloading the configuration to the security module • Transfer the configuration to the security module...
  • Page 38 Advanced Firewall 6. Testing the firewall function (ping test/logging) • Open the command prompt on PC2 • Enter the ping command from PC2 to PC1 “ping 192.168.10.2” • All packets reach PC1...
  • Page 39 Advanced Firewall 6. Testing the firewall function (ping test/logging) • Change to online mode in the SCT with the “View” > “Online” menu command • Select the module in the content area and the menu command “Edit” > “Online diagnostics” •...
  • Page 40 Advanced Firewall 6. Testing the firewall function (ping test/logging) • Click “Start reading…” • Confirm the dialog with “OK”...
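The two firewall examples above (standard mode, pages 18-28; advanced mode with NAT, pages 29-40) show the behaviour only through GUI screenshots and ping results. The following Python model is an added example, not Siemens code and not what runs on the module: it implements a minimal connection-tracking filter with source NAPT so that the same ping tests can be traced in code. The addresses are taken from the example tables; the Packet layout, the log wording, the port range and the absence of state timeouts are assumptions of this model.

```python
"""Stateful packet filter with source NAPT, modelled on the SCALANCE S examples.

Added example, not Siemens code. IP traffic may only be *initiated* on the
internal interface, return traffic is recognised by its reverse 5-tuple, and
with NAT enabled the internal source is rewritten to the module's external
address and a dynamically assigned port (ICMP: echo identifier). Addresses
are the ones from the example tables; the Packet layout, the log wording,
the port range and the lack of state timeouts are assumptions of this model.
"""
from dataclasses import dataclass, replace

MODULE_EXTERNAL_IP = "192.168.10.1"   # external interface (page 14, page 35)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "icmp", "tcp" or "udp"
    sport: int   # for ICMP echo: the identifier, carried in both port fields
    dport: int


class ScalanceFirewall:
    def __init__(self, nat=False, allowed_dst=None, first_port=1024):
        self.nat = nat                  # "Activate NAT" checkbox (page 35)
        self.allowed_dst = allowed_dst  # "Destination IP address" in the rule (page 36)
        self.next_port = first_port     # next dynamically assigned NAPT port
        self.state = {}                 # reverse 5-tuple -> original Packet
        self.log = []                   # what the packet filter log would show

    def process(self, pkt, ingress):
        """Filter one packet arriving on `ingress` ("internal" or "external").

        Returns the packet as forwarded to the other side, or None if dropped.
        """
        key = (pkt.src, pkt.dst, pkt.proto, pkt.sport, pkt.dport)
        orig = self.state.get(key)
        if orig is not None:
            # Return traffic for a flow the internal side opened: undo NAPT.
            if pkt.proto == "icmp":
                out = replace(pkt, dst=orig.src, sport=orig.sport, dport=orig.dport)
                del self.state[key]     # echo request/reply is one exchange
            else:
                out = replace(pkt, dst=orig.src, dport=orig.sport)
            self.log.append(f"PASS reply {pkt.proto} {pkt.src} -> {out.dst}")
            return out
        if ingress != "internal":
            self.log.append(f"DROP {pkt.proto} {pkt.src} -> {pkt.dst} (initiated on {ingress})")
            return None
        if self.allowed_dst and pkt.dst != self.allowed_dst:
            self.log.append(f"DROP {pkt.proto} {pkt.src} -> {pkt.dst} (destination not allowed)")
            return None
        out = pkt
        if self.nat:
            port, self.next_port = self.next_port, self.next_port + 1
            if pkt.proto == "icmp":
                out = replace(pkt, src=MODULE_EXTERNAL_IP, sport=port, dport=port)
            else:
                out = replace(pkt, src=MODULE_EXTERNAL_IP, sport=port)
        # Store the flow as the outside will answer it, i.e. src/dst swapped.
        self.state[(out.dst, out.src, out.proto, out.dport, out.sport)] = pkt
        nat_note = f" as {out.src}:{out.sport}" if self.nat else ""
        self.log.append(f"PASS {pkt.proto} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}{nat_note}")
        return out


def ping(fw, src, dst, ingress, ident):
    """Echo request from `src` arriving on `ingress`, then `dst`'s echo reply.

    Returns (forwarded_request, host_the_reply_is_delivered_to); both are None
    when the request is dropped, which is what the blocked ping tests show.
    """
    req = fw.process(Packet(src, dst, "icmp", ident, ident), ingress)
    if req is None:
        return None, None
    other = "external" if ingress == "internal" else "internal"
    rep = fw.process(Packet(req.dst, req.src, "icmp", req.dport, req.sport), other)
    return req, (rep.dst if rep else None)


if __name__ == "__main__":
    # Standard mode (pages 25/26): bridge, PC1 192.168.10.2 outside, PC2 192.168.10.3 inside.
    std = ScalanceFirewall()
    print(ping(std, "192.168.10.3", "192.168.10.2", "internal", 1))   # PC2 -> PC1 passes
    print(ping(std, "192.168.10.2", "192.168.10.3", "external", 2))   # PC1 -> PC2 blocked
    # Advanced mode (page 38): routing + source NAT, PC2 is 192.168.9.2.
    adv = ScalanceFirewall(nat=True, allowed_dst="192.168.10.2")
    print(ping(adv, "192.168.9.2", "192.168.10.2", "internal", 3))    # PC1 sees 192.168.10.1
    print("\n".join(adv.log))
```

The model makes the page 29 statement concrete: an unsolicited packet from PC1 to the module's external address is dropped because no state entry exists for it, while PC1's reply to a PC2-initiated ping matches the stored reverse tuple and is translated back to 192.168.9.2.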
  • Page 41 User Management In this example, only a specific user is allowed to access PC2 in the internal network from PC1 in the external network. For other users, access is blocked...
  • Page 42 User Management 1. Setting up the network 2. Making IP settings for the PCs 3. Creating a project and security module 4. Creating remote access users 5. Setting and assigning a user-specific IP rule set 6. Downloading the configuration to the security module 7.
  • Page 43 User Management 1. Setting up the network • Reset the Scalance to factory settings by pressing the Reset button and holding it down for at least 5 seconds • Connect the PC with the Security Configuration Tool (PC1) to the external network interface •...
  • Page 44 User Management 2. Making IP settings for the PCs IP address Subnet mask Default Gateway 192.168.10.2 255.255.255.0 192.168.10.1 192.168.9.2 255.255.255.0 192.168.9.1 • Set the IP addresses of the PCs as in the table above...
  • Page 45 User Management 3. Creating a project and security module • Create a new project • In the “Configuration” area enter the MAC address • Enter the external IP address (192.168.10.1) and the external subnet mask (255.255.255.0) • Select the “Routing mode” •...
  • Page 46 User Management 4. Creating remote access users • Select the “Options” > “User management…” menu command • Click the “Add…” button in the “User” tab • Create a new user with the settings in the figure • Confirm with “OK”...
  • Page 47 User Management 5. Setting and assigning a user-specific IP rule set • Change the configuration to advanced mode via “View” > “Advanced Mode” • Select the “User-specific IP rule sets” object in the navigation panel • Select the “Add rule set…” entry in the shortcut menu...
  • Page 48 User Management 5. Setting and assigning a user-specific IP rule set • Enter a rule in the dialog as shown below • From the “Available users and roles” list, select the “Remote (user)” entry and click the “Assign” button • Confirm with “OK”...
  • Page 49 User Management 5. Setting and assigning a user-specific IP rule set • Select the security module in the navigation panel and drag it to the newly created user-specific IP rule set • The assignment can be checked by opening the module properties and selecting the “Firewall”...
  • Page 50 User Management 5. Setting and assigning a user-specific IP rule set...
  • Page 51 User Management 5. Setting and assigning a user-specific IP rule set • “Expand rule set” shows the user-specific rule in detail...
  • Page 52 User Management 6. Downloading the configuration to the security module • Transfer the configuration to the security module...
  • Page 53 User Management 7. Logging in on the Web page • In the Web browser of PC1, enter the address “https://192.168.10.1”...
  • Page 54 User Management 7. Logging in on the Web page • If the web page does not show the login fields, try changing the language in the upper right corner...
  • Page 55 User Management 7. Logging in on the Web page • Enter the user name “Remote” and corresponding password and click the “Log in” button...
  • Page 56 User Management 7. Logging in on the Web page • The defined IP rule set is enabled for the “Remote” user.
  • Page 57 User Management 8. Testing the firewall function (ping test) • Open the command prompt on PC1 • Enter the ping command from PC1 to PC2 “ping 192.168.9.2” • All packets reach PC2...
  • Page 58 Advanced User Management [Figure: internal network, external network, DMZ network with RADIUS server] In this example, a RADIUS server is set up to manage user accounts. Only users that can authenticate to the RADIUS server can access the internal network from the external network...
  • Page 59 Advanced User Management 1. Setting up the network 2. Making IP settings for the PCs 3. Creating a project and security module 4. Setting up the RADIUS server 5. Configuring the firewall 6. Linking the RADIUS server and security module 7.
  • Page 60 Advanced User Management 1. Setting up the network • Reset the Scalance to factory settings by pressing the Reset button and holding it down for at least 5 seconds • Connect the PC with the Security Configuration Tool (PC1) to the external network interface •...
  • Page 61 Advanced User Management 2. Making IP settings for the PCs IP address Subnet mask Default Gateway 192.168.10.2 255.255.255.0 192.168.10.1 192.168.9.2 255.255.255.0 192.168.9.1 RADIUS 192.168.8.2 255.255.255.0 192.168.8.1 • Set the IP addresses of the PCs as in the table above • The IP address of the Linux PC is preset to the correct value...
  • Page 62 Advanced User Management 3. Creating a project and security module • Create a new project • In the “Configuration” area enter the MAC address • Enter the external IP address (192.168.10.1) and the external subnet mask (255.255.255.0) • Select the “Routing mode” •...
  • Page 63 Advanced User Management 3. Creating a project and security module • Select the security module created and select the “Edit” > “Properties” menu command, “Interfaces” tab • Select the “Activate Interface” check box in the “DMZ port (X3)” area • Enter the IP address (192.168.8.1) and the subnet mask (255.255.255.0) for the DMZ interface...
  • Page 64 Advanced User Management 4. Setting up the RADIUS server • On the Linux PC open the Web browser and go to “http://freeradius.org/download.html” • Download version 3.0.9 of the RADIUS server (the page is reached over plain HTTP, so verify the archive against the checksum or signature published by the project before building it) • Open the Terminal Open the Dash and type “terminal”...
  • Page 65 Advanced User Management 4. Setting up the RADIUS server • Go to the “Downloads” folder (“cd Downloads”) • Unpack the RADIUS server (“tar zxvf freeradius-server-3.0.9.tar.gz”) • Enter the newly created directory (“cd freeradius-server-3.0.9”)
  • Page 66 Advanced User Management 4. Setting up the RADIUS server • Install the server with the following commands “./configure” “make” “sudo make install” The password is...
  • Page 67 Advanced User Management 4. Setting up the RADIUS server • The next step is to configure the clients of the server • Open the file explorer with “gksudo nautilus” Enter the sudo password in the following prompt • Using Nautilus browse to “Computer” >...
  • Page 68 Advanced User Management 4. Setting up the RADIUS server • Open “clients.conf” and add a new client as in the image • Save and close the window • Open “users” and add the following users • Save and close the window...
  • Page 69 Advanced User Management 4. Setting up the RADIUS server • With the server installed and configured, run “sudo radiusd -X” to start the server in debug mode • If this error shows up, check the OpenSSL version with “openssl version -a” This command should show the following date: ‘built on: Thu Jun 11’...
  • Page 70 Advanced User Management 4. Setting up the RADIUS server • If this date is not shown, update the library with the following commands “sudo apt-get update” “sudo apt-get upgrade” • Only once OpenSSL is confirmed to be patched, open “radiusd.conf” and change the “allow_vulnerable_openssl” parameter to yes. This setting merely stops FreeRADIUS from refusing to start when the OpenSSL version string falls in a range known to be vulnerable (distribution packages keep the old version string after back-porting the fix); it does not make an unpatched library safe, so the build date check above must pass first •...
  • Page 71 Advanced User Management 5. Configuring the firewall • Enter “Advanced mode” in the Security Configuration Tool • Use the menu command “Options” > “User Management“ • Create a new user with the following settings • Confirm with “OK”...
  • Page 72 Advanced User Management 5. Configuring the firewall • Select the “User-specific IP rule sets” in the navigation window • Select the “Add rule set…” option in the shortcut menu...
  • Page 73 Advanced User Management 5. Configuring the firewall • Enter a rule in the dialog as shown below...
  • Page 74 Advanced User Management 5. Configuring the firewall • From the “Available users and roles” list, select the “radius (user)” entry and click the “Assign” button, then select the “radius (role)” entry and click “Assign” • Confirm with “OK”...
  • Page 75 Advanced User Management 5. Configuring the firewall • Select the security module in the navigation panel and drag it to the newly created user-specific IP rule set • The assignment can be checked by opening the module properties and selecting the “Firewall” tab...
  • Page 76 Advanced User Management 6. Linking the RADIUS server and security module • Select the menu option “Options” > “Configuration of the RADIUS server…” • Click the “Add…” button in the dialog...
  • Page 77 Advanced User Management 6. Linking the RADIUS server and security module • Define the server with the following values IP address/FQDN: 192.168.8.2 Shared secret: SiemensSecret Repeat shared secret: SiemensSecret (a training value; in production use a long random secret, since it is all that protects the RADIUS exchange on the DMZ segment) • Confirm with “OK”...
  • Page 78 Advanced User Management 6. Linking the RADIUS server and security module • Open the SCALANCE S module properties and go to the “RADIUS” tab • Check the “Enable RADIUS authentication” box • Click the “Add” button This adds the newly configured RADIUS server...
  • Page 79 Advanced User Management 6. Linking the RADIUS server and security module • In the “RADIUS setting” area, check the “Allow RADIUS authentication of non-configured users” box • Confirm with “OK”...
  • Page 80 Advanced User Management 7. Downloading the configuration to the security module • Transfer the configuration to the SCALANCE S module...
  • Page 81 Advanced User Management 8. Logging in on the Web page • In the Web browser of PC1, enter the address “https://192.168.10.1”...
  • Page 82 Advanced User Management 8. Logging in on the Web page • If the web page does not show the login fields, try changing the language in the upper right corner...
  • Page 83 Advanced User Management 8. Logging in on the Web page • Enter the user name “radius” and corresponding password and click the “Log in” button...
  • Page 84 Advanced User Management 8. Logging in on the Web page • The defined IP rule set is enabled for the “radius” user.
  • Page 85 Advanced User Management 8. Logging in on the Web page • Now click the “Log out” button • Enter the user name “radius2” and corresponding password and click the “Log in” button...
  • Page 86 Advanced User Management 8. Logging in on the Web page • The defined IP rule set for the “radius” role is enabled: users that are not defined on the module (such as “radius2”) can log in through the RADIUS server and receive the role's rule set. With “Allow RADIUS authentication of non-configured users” enabled, the RADIUS user database therefore decides who gets access to the internal network...
  • Page 87 Advanced User Management 9. Testing the firewall function (ping test) • Open the command prompt on PC1 • Enter the ping command from PC1 to PC2 “ping 192.168.9.2” • All packets reach PC2...
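Pages 76-79 link the module to the RADIUS server on the DMZ port with the shared secret “SiemensSecret”, and pages 81-87 show the web-page login that triggers the RADIUS exchange. The following Python code is an added example, not Siemens or FreeRADIUS code: it builds an RFC 2865 Access-Request with User-Password hiding, answers it as the server would, verifies the Access-Accept's Response Authenticator as the module does, and then shows why the secret must be strong by recovering it from one captured request/response pair with a small wordlist. The user name “radius” and the addresses are the page's values; the password, the fixed Request Authenticator used in the checks and the candidate wordlist are constructed for this example.

```python
"""RADIUS (RFC 2865) Access-Request/Access-Accept and the shared-secret check.

Added example, not Siemens or FreeRADIUS code. It shows what the module and
the RADIUS server exchange: User-Password hiding with MD5(secret + Request
Authenticator), the Response Authenticator the module checks on the answer,
and an offline dictionary attack that recovers a weak shared secret from one
captured request/response pair. The shared secret "SiemensSecret", the user
"radius" and the addresses are the page's values; the password, the fixed
Request Authenticator in the demo and the wordlist are constructed here.
"""
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4     # attribute types


def _tlvs(pairs):
    """Encode (type, value) pairs as RADIUS attributes: type, length, value."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in pairs)


def hide_password(password, secret, req_auth):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with an MD5 keystream block."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out, prev = out + block, block
    return out


def reveal_password(hidden, secret, req_auth):
    """Inverse of hide_password (the server side); strips the zero padding."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(ident, req_auth, user, password, secret, nas_ip):
    """What the SCALANCE S (the NAS) sends for a web-page login."""
    attrs = _tlvs([(USER_NAME, user),
                   (USER_PASSWORD, hide_password(password, secret, req_auth)),
                   (NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs


def parse(packet):
    """Split a RADIUS packet into (code, identifier, authenticator, {type: value})."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    rest, attrs = packet[20:length], {}
    while len(rest) >= 2 and rest[1] >= 2:
        attrs[rest[0]] = rest[2:rest[1]]
        rest = rest[rest[1]:]
    return code, ident, packet[4:20], attrs


def response_authenticator(code, ident, attrs, req_auth, secret):
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + req_auth + attrs + secret).digest()


def server_handle(request, secret, users):
    """The RADIUS server: recover the password, answer Access-Accept or -Reject."""
    _, ident, req_auth, attrs = parse(request)
    password = reveal_password(attrs[USER_PASSWORD], secret, req_auth)
    code = ACCESS_ACCEPT if users.get(attrs[USER_NAME]) == password else ACCESS_REJECT
    return struct.pack("!BBH", code, ident, 20) + response_authenticator(code, ident, b"", req_auth, secret)


def client_verify(request, response, secret):
    """The module: trust the answer only if identifier and authenticator match."""
    _, ident, req_auth, _ = parse(request)
    code, rid, auth, _ = parse(response)
    expected = response_authenticator(code, rid, response[20:], req_auth, secret)
    return rid == ident and auth == expected and code == ACCESS_ACCEPT


def recover_secret(request, response, candidates):
    """Eavesdropper on the DMZ segment: test candidate secrets against the captured pair."""
    _, _, req_auth, _ = parse(request)
    code, rid, auth, _ = parse(response)
    for guess in candidates:
        if response_authenticator(code, rid, response[20:], req_auth, guess) == auth:
            return guess
    return None


if __name__ == "__main__":
    secret, users = b"SiemensSecret", {b"radius": b"Passw0rd!", b"radius2": b"0therPw"}
    req = build_access_request(1, os.urandom(16), b"radius", b"Passw0rd!", secret, "192.168.8.1")
    resp = server_handle(req, secret, users)
    print("module accepts answer:", client_verify(req, resp, secret))
    found = recover_secret(req, resp, [b"radius", b"siemens", b"SiemensSecret"])
    print("secret recovered:", found, "->", reveal_password(parse(req)[3][USER_PASSWORD], found, req[4:20]))
```

Once the secret is recovered from the authenticator, the same capture yields the user's cleartext password, which is why the shared secret on page 77 and the isolation of the DMZ segment matter more than the example's training values suggest.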
  • Page 88 VPN with Preshared Key In this example, a VPN tunnel is configured between a security module and the SOFTNET Security Client With this configuration, IP traffic is possible only over the established VPN tunnel connection between the two authorized partners...
  • Page 89 VPN with Preshared Key 1. Setting up the network 2. Making IP settings for the PCs 3. Creating a project and security module 4. Configuring a VPN group 5. Downloading the configuration to the security module and saving the SOFTNET Security Client configuration 6.
  • Page 90 VPN with Preshared Key 1. Setting up the network • Reset the Scalance to factory settings by pressing the Reset button and holding it down for at least 5 seconds • Connect the switch to the external network interface • Connect the PC with the Security Configuration Tool (PC1) and the PC with the SOFTNET Security Client (PC2) to the switch...
  • Page 91 VPN with Preshared Key 2. Making IP settings for the PCs IP address Subnet mask Default Gateway 192.168.10.2 255.255.255.0 192.168.10.1 192.168.10.3 255.255.255.0 192.168.10.1 192.168.9.2 255.255.255.0 192.168.9.1 • Set the IP addresses of the PCs as in the table above...
  • Page 92 VPN with Preshared Key 3. Creating a project and security module • Create a new project • In the “Configuration” area enter the MAC address • Enter the external IP address (192.168.10.1) and the external subnet mask (255.255.255.0) • Select the “Routing mode” •...
  • Page 93 VPN with Preshared Key 3. Creating a project and security module • Use the “Insert” > “Module” menu command with the following parameters Product type: SOFTNET configuration Module: SOFTNET Security Client Firmware release: V4 • Confirm with “OK”...
  • Page 94 VPN with Preshared Key 4. Configuring a VPN group • Select “VPN groups” in the navigation • Select the “Insert” > “Group” menu command • In the navigation panel, click the “All modules” entry • Drag the Scalance S Module to the VPN group “Group1” in the navigation panel The module is now assigned to the VPN group The color of the key symbol changes to blue...
  • Page 95 VPN with Preshared Key 4. Configuring a VPN group • Drag the SOFTNET Security Client module to the VPN group “Group1” in the navigation panel The module is now assigned to the VPN group The color of the key symbol changes to blue •...
  • Page 96 VPN with Preshared Key 4. Configuring a VPN group • Select the VPN group “Group1” in the Navigation windows and select the menu command “Edit” > “Properties” • Select the “Preshared key” option in the “Authentication method” area • Confirm with “OK”...
  • Page 97 VPN with Preshared Key 5. Downloading the configuration to the security module and saving the SOFTNET Security Client configuration • Save the project • Use the menu command “Transfer” > “To all modules…” • Start the download with the “Start” button...
  • Page 98 VPN with Preshared Key 5. Downloading the configuration to the security module and saving the SOFTNET Security Client configuration • Save the configuration file “projectname.Module2.dat” in your project folder • Confirm the popup with “OK”...
  • Page 99 VPN with Preshared Key 6. Setting up a tunnel with the SOFTNET Security Client • Open the SOFTNET Security Client on PC2 • Select “Load Configuration” and browse to where “projectname.Module2.dat” has been saved • Open the configuration with the “Open” button...
  • Page 100 VPN with Preshared Key 6. Setting up a tunnel with the SOFTNET Security Client • Loading a new configuration will delete any previous configurations • When the dialog above pops up, select “deleted” and confirm with “Next”...
  • Page 101 VPN with Preshared Key 6. Setting up a tunnel with the SOFTNET Security Client • The VPN tunnel can now be opened by clicking the “Enable” button...
  • Page 102 VPN with Preshared Key 6. Setting up a tunnel with the SOFTNET Security Client • “Tunnel Overview” shows the status of the tunnel • The green circle shows that the tunnel has been established...
  • Page 103 VPN with Preshared Key 6. Setting up a tunnel with the SOFTNET Security Client • If the tunnel does not get set up, check whether the Windows Firewall has been enabled • Open the “Control Panel” > “Windows Firewall” • If the firewall is not enabled, click “Turn Windows Firewall on or off”...
  • Page 104 VPN with Preshared Key 6. Setting up a tunnel with the SOFTNET Security Client • In the Logging Console, the sequence of executed connection attempts is displayed • The SCALANCE S module and the SOFTNET Security Client have established a communication tunnel...
  • Page 105 VPN with Preshared Key 7. Test the tunnel function • Open the command prompt on PC2 • Enter the ping command from PC2 to PC3 “ping 192.168.9.2” • All packets reach PC3 through the tunnel...
  • Page 106 VPN with Preshared Key 7. Test the tunnel function • Open the command prompt on PC1 • Enter the ping command from PC1 to PC3 “ping 192.168.9.2” • The packets cannot reach PC3 since there is no tunnel communication between these two devices...
  • Page 107 VPN with Certificates In this example, a VPN tunnel is configured between a security module and the SOFTNET Security Client The endpoints authenticate using certificates...
  • Page 108 VPN with Certificates 1. Setting up the network 2. Making IP settings for the PCs 3. Creating a project and security module 4. Configuring a VPN group 5. Downloading the configuration to the security module and saving the SOFTNET Security Client configuration 6.
  • Page 109 VPN with Certificates 1. Setting up the network • Reset the Scalance to factory settings by pressing the Reset button and holding it down for at least 5 seconds • Connect the switch to the external network interface • Connect the PC with the Security Configuration Tool (PC1) and the PC with the SOFTNET Security Client (PC2) to the switch •...
  • Page 110 VPN with Certificates 2. Making IP settings for the PCs IP address Subnet mask Default Gateway 192.168.10.2 255.255.255.0 192.168.10.1 192.168.10.3 255.255.255.0 192.168.10.1 192.168.9.2 255.255.255.0 192.168.9.1 • Set the IP addresses of the PCs as in the table above...
  • Page 111 VPN with Certificates 3. Creating a project and security module • Create a new project • In the “Configuration” area enter the MAC address • Enter the external IP address (192.168.10.1) and the external subnet mask (255.255.255.0) • Select the “Routing mode” •...
  • Page 112 VPN with Certificates 3. Creating a project and security module • Use the “Insert” > “Module” menu command with the following parameters Product type: SOFTNET configuration Module: SOFTNET Security Client Firmware release: V4 • Confirm with “OK”...
  • Page 113 VPN with Certificates 4. Configuring a VPN group • Select “VPN groups” in the navigation • Select the “Insert” > “Group” menu command • In the navigation panel, click the “All modules” entry • Drag the Scalance S Module to the VPN group “Group1” in the navigation panel The module is now assigned to the VPN group The color of the key symbol changes to blue...
  • Page 114 VPN with Certificates 4. Configuring a VPN group • Drag the SOFTNET Security Client module to the VPN group “Group1” in the navigation panel The module is now assigned to the VPN group The color of the key symbol changes to blue •...
  • Page 115 VPN with Certificates 4. Configuring a VPN group • Select the VPN group “Group1” in the Navigation windows and select the menu command “Edit” > “Properties” • Select the “Certificate” option in the “Authentication method” area • Confirm with “OK”...
  • Page 116 VPN with Certificates 5. Downloading the configuration to the security module and saving the SOFTNET Security Client configuration • Save the project • Use the menu command “Transfer” > “To all modules…” • Start the download with the “Start” button...
  • Page 117 VPN with Certificates 5. Downloading the configuration to the security module and saving the SOFTNET Security Client configuration • Save the configuration file “projectname.Module2.dat” in your project folder • Assign a password to the certificate • Confirm the popup with “OK”...
  • Page 118 VPN with Certificates 6. Setting up a tunnel with the SOFTNET Security Client • Open the SOFTNET Security Client on PC2 • Select “Load Configuration” and browse to where “projectname.Module2.dat” has been saved • Open the configuration with the “Open” button...
  • Page 119 VPN with Certificates 6. Setting up a tunnel with the SOFTNET Security Client • Loading a new configuration will delete any previous configurations • When the dialog above pops up, select “deleted” and confirm with “Next”...
  • Page 120 VPN with Certificates 6. Setting up a tunnel with the SOFTNET Security Client • The VPN tunnel can now be opened by clicking the “Enable” button • Enter the certificate password in the dialog...
  • Page 121 VPN with Certificates 6. Setting up a tunnel with the SOFTNET Security Client • “Tunnel Overview” shows the status of the tunnel • The green circle shows that the tunnel has been established...
  • Page 122 VPN with Certificates 6. Setting up a tunnel with the SOFTNET Security Client • If the tunnel does not get set up, check whether the Windows Firewall has been enabled • Open the “Control Panel” > “Windows Firewall” • If the firewall is not enabled, click “Turn Windows Firewall on or off”...
  • Page 123 VPN with Certificates 6. Setting up a tunnel with the SOFTNET Security Client • In the Logging Console, the sequence of executed connection attempts is displayed • The SCALANCE S module and the SOFTNET Security Client have established a communication tunnel...
  • Page 124 VPN with Certificates 7. Test the tunnel function • Open the command prompt on PC2 • Enter the ping command from PC2 to PC3 “ping 192.168.9.2” • All packets reach PC3 through the tunnel...
  • Page 125 VPN with Certificates 7. Test the tunnel function • Open the command prompt on PC1 • Enter the ping command from PC1 to PC3 “ping 192.168.9.2” • The packets cannot reach PC3 since there is no tunnel communication between these two devices...
  • Page 126 Gateway-to-Gateway with VPN In this example, a VPN tunnel is set up between two security modules With this configuration, IP traffic is possible only over the established tunnel connections with authorized partners...
  • Page 127 Gateway-to-Gateway with VPN 1. Setting up the network 2. Making IP settings for the PCs 3. Creating a project and security module 4. Configuring a VPN group 5. Downloading the configuration to the security module 6. Testing the tunnel function (ping test)
  • Page 128 Gateway-to-Gateway with VPN 1. Setting up the network • Connect the PC with the Security Configuration Tool (PC1) to the switch • Connect both SCALANCE S modules to the switch through their external interface • Connect PC2 and PC3 to the internal interface of a SCALANCE S module...
  • Page 129 Gateway-to-Gateway with VPN 2. Making IP settings for the PCs IP address Subnet mask 192.168.10.2 255.255.0.0 192.168.10.3 255.255.0.0 192.168.10.4 255.255.0.0 • Set the IP addresses of the PCs as in the table above...
  • Page 130 Gateway-to-Gateway with VPN 3. Creating a project and security module • Create a new project • In the “Configuration” area enter the MAC address • Enter the external IP address (192.168.10.201) and the external subnet mask (255.255.0.0) • Confirm with “OK”...
  • Page 131 Gateway-to-Gateway with VPN 3. Creating a project and security module • Select the menu command “Insert” > “Module” • Select the same options as for the previous module but with the following address parameters MAC address: MAC address of the module IP address (ext): 192.168.10.202 Subnet mask (ext): 255.255.0.0 •...
  • Page 132 Gateway-to-Gateway with VPN 4. Configuring a VPN group • Select “VPN groups” in the navigation • Select the “Insert” > “Group” menu command • In the navigation panel, click the “All modules” entry • Drag the SCALANCE S Module to the VPN group “Group1”...
  • Page 133 Gateway-to-Gateway with VPN 4. Configuring a VPN group • Drag the second SCALANCE S module to the VPN group “Group1” in the navigation panel The module is now assigned to the VPN group The color of the key symbol changes to blue...
  • Page 134 Gateway-to-Gateway with VPN 5. Downloading the configuration to the security module • Save the project • Use the menu command “Transfer” > “To all modules…” • Start the download with the “Start” button...
  • Page 135 Gateway-to-Gateway with VPN 6. Testing the tunnel function (ping test) • Open the command prompt on PC2 • Enter the ping command from PC2 to PC3 “ping 192.168.10.4” • All packets reach PC3 through the tunnel...
  • Page 136 Gateway-to-Gateway with VPN 6. Testing the tunnel function (ping test) • Open the command prompt on PC1 • Enter the ping command from PC1 to PC3 “ping 192.168.10.4” • The packets cannot reach PC3 since there is no tunnel communication between these two devices...
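The two ping tests above only cover one positive and one negative case by hand. The following is an added example, not code from the Siemens guide: it encodes the rule behind those results (a protected PC is reachable only through a tunnel between modules of a common VPN group) for the assumed topology of this example (PC1 directly on the external switch, PC2 behind module 1, PC3 behind module 2, both modules in Group1), derives the full probe matrix, and flags any probe whose real ping result deviates, with an unexpected reply reported as a LEAK. Host and module names are assumptions.

```python
"""Expected reachability for the gateway-to-gateway example, and a harness for the ping test.

Added example; not code from the Siemens guide. Topology assumed from the page's setup
steps: PC1 (Security Configuration Tool) hangs directly off the external switch, PC2 is
behind the internal interface of module 1, PC3 behind module 2, both modules in Group1.
"""
import platform
import subprocess
from typing import Callable, Dict, List, Tuple

HOSTS: Dict[str, dict] = {
    "PC1": {"ip": "192.168.10.2", "behind": None},       # unprotected, external network
    "PC2": {"ip": "192.168.10.3", "behind": "Module1"},  # protected by module 1
    "PC3": {"ip": "192.168.10.4", "behind": "Module2"},  # protected by module 2
}
VPN_GROUPS: Dict[str, set] = {"Group1": {"Module1", "Module2"}}


def expected_reachable(src: str, dst: str, hosts=HOSTS, groups=VPN_GROUPS) -> bool:
    """A module forwards traffic to its internal network only when it arrives through an
    IPsec tunnel, and tunnels exist only between modules of a common VPN group."""
    if src == dst:
        return True
    s, d = hosts[src]["behind"], hosts[dst]["behind"]
    if s is None and d is None:
        return True   # two unprotected hosts on the same external switch
    if s is None or d is None:
        return False  # one side has no module, so no tunnel; the module drops it
    if s == d:
        return True   # both on the same internal network
    return any({s, d} <= members for members in groups.values())


def probe_plan(hosts=HOSTS, groups=VPN_GROUPS) -> List[Tuple[str, str, bool]]:
    """Every ordered pair of distinct hosts with its expected ping result."""
    return [(src, dst, expected_reachable(src, dst, hosts, groups))
            for src in hosts for dst in hosts if src != dst]


def verify(plan, ping: Callable[[str], bool], run_from: str, hosts=HOSTS) -> List[str]:
    """Run the probes that originate on `run_from` and report mismatches. An unexpected
    reply (LEAK) is the security-relevant case: traffic is bypassing the tunnel."""
    findings = []
    for src, dst, expected in plan:
        if src != run_from:
            continue
        observed = ping(hosts[dst]["ip"])
        if observed != expected:
            kind = "LEAK" if observed else "BLOCKED"
            findings.append(f"{kind}: {src} -> {dst} ({hosts[dst]['ip']}), "
                            f"expected {'reachable' if expected else 'unreachable'}")
    return findings


def local_ping(dst_ip: str, count: int = 2) -> bool:
    """Real probe from the PC this script runs on (Windows ping uses -n, others -c)."""
    flag = "-n" if platform.system() == "Windows" else "-c"
    result = subprocess.run(["ping", flag, str(count), dst_ip],
                            stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return result.returncode == 0


if __name__ == "__main__":
    # Run on PC2: the expected outcome is PC3 reachable through the tunnel, PC1 not.
    for line in verify(probe_plan(), local_ping, run_from="PC2") or ["all probes as expected"]:
        print(line)
```

Run the script once on each PC with the matching run_from value; a LEAK line means the module is passing traffic that did not come through a tunnel and the firewall or VPN group assignment needs to be rechecked before the setup is trusted.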
  • Page 137 VPN with User Authentication (Diagram: PC1 with SOFTNET Security Client, RADIUS server) In this example, a VPN tunnel is established between a PC and a security module using the SOFTNET Security Client The firewall is configured so that access from PC1 in the external network to PC2 in the internal network is possible only for a specific user, who must log in at the module's web page and is authenticated against the RADIUS server...
  • Page 138 VPN with User Authentication 1. Setting up the network 2. Making IP settings for the PCs 3. Creating a project and security module 4. Configuring a RADIUS server 5. Configuring the firewall 6. Linking the RADIUS server and security module 7.
  • Page 139 VPN with User Authentication 1. Setting up the network • Reset the Scalance to factory settings by pressing the Reset button and holding it down for at least 5 seconds • Connect the PC with the Security Configuration Tool (PC1) to the external network interface •...
  • Page 140 VPN with User Authentication 2. Making IP settings for the PCs • Set the IP addresses of the PCs as in the table (IP address / subnet mask / default gateway): PC1 192.168.10.2 / 255.255.255.0 / 192.168.10.1; PC2 192.168.9.2 / 255.255.255.0 / 192.168.9.1; RADIUS server 192.168.8.2 / 255.255.255.0 / 192.168.8.1 •...
  • Page 141 VPN with User Authentication 3. Creating a project and security module • Create a new project • In the “Configuration” area enter the MAC address • Enter the external IP address (192.168.10.1) and the external subnet mask (255.255.255.0) • Select the “Routing mode” •...
  • Page 142 VPN with User Authentication 3. Creating a project and security module • Select the security module created and select the “Edit” > “Properties” menu command, “Interfaces” tab • Select the “Activate Interface” check box in the “DMZ port (X3)” area •...
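In routing mode the module forwards between three separate subnets, so every PC's mask and default gateway has to agree exactly with the module interface it sits behind; a single mistyped octet leaves that host unable to reach the module at all. The following is an added example, not code from the Siemens guide: it checks the addressing plan of this example for disjoint interface subnets and for each host's gateway being a module interface in the host's own subnet. The external interface address is the one entered on the page; the internal and DMZ interface addresses are inferred from the default gateways of PC2 and the RADIUS server and are assumptions.

```python
"""Consistency check for the routing-mode addressing plan of the user-authentication example.

Added example; not code from the Siemens guide. The external interface address
(192.168.10.1/24) is stated on the page; the internal (X2) and DMZ (X3) interface
addresses are inferred from the default gateways of PC2 and the RADIUS server.
"""
import ipaddress
from typing import Dict, List, Tuple

MODULE_INTERFACES: Dict[str, str] = {
    "X1 external": "192.168.10.1/24",
    "X2 internal": "192.168.9.1/24",   # inferred from PC2's default gateway
    "X3 DMZ": "192.168.8.1/24",        # inferred from the RADIUS server's default gateway
}
# (host, IP address, subnet mask, default gateway) as in the page's table
HOSTS: List[Tuple[str, str, str, str]] = [
    ("PC1", "192.168.10.2", "255.255.255.0", "192.168.10.1"),
    ("PC2", "192.168.9.2", "255.255.255.0", "192.168.9.1"),
    ("RADIUS server", "192.168.8.2", "255.255.255.0", "192.168.8.1"),
]


def check_plan(interfaces: Dict[str, str], hosts) -> List[str]:
    """Return the list of problems found; an empty list means the plan is consistent."""
    problems: List[str] = []
    ifaces = {name: ipaddress.ip_interface(cidr) for name, cidr in interfaces.items()}

    # Routing mode forwards between the interfaces, so their subnets must be disjoint.
    names = list(ifaces)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if ifaces[a].network.overlaps(ifaces[b].network):
                problems.append(f"{a} ({ifaces[a].network}) overlaps {b} ({ifaces[b].network})")

    for name, addr, mask, gw in hosts:
        host = ipaddress.ip_interface(f"{addr}/{mask}")
        gateway = ipaddress.ip_address(gw)
        # The gateway must be one of the module's interfaces...
        owner = [n for n, iface in ifaces.items() if iface.ip == gateway]
        if not owner:
            problems.append(f"{name}: gateway {gw} is not an interface of the module")
            continue
        # ...and the host must share that interface's subnet exactly, otherwise ARP for
        # the gateway is never answered and nothing crosses the module.
        if host.network != ifaces[owner[0]].network:
            problems.append(f"{name}: {host.with_prefixlen} is not in {owner[0]} subnet "
                            f"{ifaces[owner[0]].network}")
        if host.ip == gateway:
            problems.append(f"{name}: address {addr} collides with the module interface")
    return problems


if __name__ == "__main__":
    print(check_plan(MODULE_INTERFACES, HOSTS) or ["addressing plan is consistent"])
```

Re-run the check after editing any address in the Security Configuration Tool or on a PC; a transposed octet such as 192.186.x.x in place of 192.168.x.x shows up as the host falling outside its interface's subnet.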
  • Page 143 VPN with User Authentication 3. Creating a project and security module • Use the “Insert” > “Module” menu command with the following parameters Product type: SOFTNET configuration Module: SOFTNET Security Client Firmware release: V4 • Confirm with “OK”...
  • Page 144 VPN with User Authentication 4. Configuring a RADIUS server • We’ll use the previously configured RADIUS server for this example...
  • Page 145 VPN with User Authentication 5. Configuring the firewall • Select “VPN groups” in the navigation • Select the “Insert” > “Group” menu command • In the navigation panel, click the “All modules” entry • Drag the SCALANCE S Module to the VPN group “Group1”...
  • Page 146 VPN with User Authentication 5. Configuring the firewall • Drag the SOFTNET Security Client module to the VPN group “Group1” in the navigation panel The module is now assigned to the VPN group The color of the key symbol changes to blue •...
  • Page 147 VPN with User Authentication 5. Configuring the firewall • Use the menu command “Options” > “User Management“ • Create a new user with the following settings • Confirm with “OK”...
  • Page 148 VPN with User Authentication 5. Configuring the firewall • Select the “User-specific IP rule sets” in the navigation window • Select the “Add rule set…” option in the shortcut menu...
  • Page 149 VPN with User Authentication 5. Configuring the firewall • Enter a rule in the dialog as shown below...
  • Page 150 VPN with User Authentication 5. Configuring the firewall • From the “Available users and roles” list, select the “radius (user)” entry and click the “Assign” button, then select the “radius (role)” entry and click “Assign” • Confirm with “OK”...
  • Page 151 VPN with User Authentication 5. Configuring the firewall • Select the security module in the navigation panel and drag it to the newly created user-specific IP rule set • The assignment can be checked by opening the module properties and selecting the “Firewall” tab...
  • Page 152 VPN with User Authentication 5. Configuring the firewall • Open the properties of the SCALANCE module and go to the “Firewall” tab • Add a firewall rule as in the image • Confirm with “OK”...
  • Page 153 VPN with User Authentication 6. Linking the RADIUS server and security module • Select the menu option “Options” > “Configuration of the RADIUS server…” • Click the “Add…” button in the dialog...
  • Page 154 VPN with User Authentication 6. Linking the RADIUS server and security module • Define the server with the following values IP address/FQDN: 192.168.8.2 Shared secret: SiemensSecret Repeat shared secret: SiemensSecret • Confirm with “OK”...
  • Page 155 VPN with User Authentication 6. Linking the RADIUS server and security module • Open the SCALANCE S module properties and go to the “RADIUS” tab • Check the “Enable RADIUS authentication” box • Click the “Add” button This adds the newly configured RADIUS server...
  • Page 156 VPN with User Authentication 6. Linking the RADIUS server and security module • In the “RADIUS setting” area, check the “Allow RADIUS authentication of non-configured users” box • Confirm with “OK”...
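The shared secret entered in step 6 is the only thing protecting the RADIUS exchange between the module and the server on the DMZ port: the user's password travels in the User-Password attribute, obfuscated with MD5 keyed by that secret, and the Access-Accept carries an MD5 over the request authenticator and the secret. The following is an added example, not code from the Siemens guide or the SCALANCE S firmware: it builds an Access-Request and Access-Accept per RFC 2865, then shows that one captured request/response pair is an exact offline oracle for guessing the secret, after which the user's password decrypts. The user name, password, NAS address and candidate list are made up for illustration; "SiemensSecret" is the value the page enters.

```python
"""RADIUS (RFC 2865) User-Password obfuscation, and why the shared secret must be strong.

Added example; not code from the Siemens guide or the SCALANCE S firmware. User name,
password and NAS address are made up; "SiemensSecret" is the secret entered on the page.
"""
import hashlib
import hmac
import ipaddress
import os
import struct
from typing import Iterable, Optional

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4


def _attr(attr_type: int, value: bytes) -> bytes:
    """Attribute = Type (1) | Length (1, header included) | Value."""
    return bytes([attr_type, len(value) + 2]) + value


def encrypt_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: zero-pad to 16-byte blocks; each block is XORed with
    MD5(secret || previous ciphertext block), the first with MD5(secret || Request Authenticator)."""
    if not 0 < len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], pad))
        out, prev = out + block, block
    return out


def decrypt_user_password(cipher: bytes, secret: bytes, authenticator: bytes) -> bytes:
    out, prev = b"", authenticator
    for i in range(0, len(cipher), 16):
        pad = hashlib.md5(secret + prev).digest()
        block = cipher[i:i + 16]
        out, prev = out + bytes(c ^ k for c, k in zip(block, pad)), block
    return out.rstrip(b"\x00")


def build_access_request(identifier: int, username: bytes, password: bytes, secret: bytes,
                         nas_ip: str, authenticator: Optional[bytes] = None) -> bytes:
    """Code | Identifier | Length | Request Authenticator (16 random bytes) | Attributes."""
    authenticator = authenticator or os.urandom(16)
    attrs = (_attr(ATTR_USER_NAME, username)
             + _attr(ATTR_USER_PASSWORD, encrypt_user_password(password, secret, authenticator))
             + _attr(ATTR_NAS_IP_ADDRESS, ipaddress.IPv4Address(nas_ip).packed))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs


def build_response(code: int, request: bytes, attrs: bytes, secret: bytes) -> bytes:
    """Response Authenticator = MD5(Code || ID || Length || RequestAuth || Attributes || Secret)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    resp_auth = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + resp_auth + attrs


def response_matches_secret(request: bytes, response: bytes, secret: bytes) -> bool:
    """The client's check of the server's reply, and equally an attacker's exact offline
    oracle for secret guesses once one request/response pair is captured on the DMZ link."""
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def guess_shared_secret(request: bytes, response: bytes,
                        candidates: Iterable[bytes]) -> Optional[bytes]:
    """Dictionary attack: a short or guessable secret falls to this in seconds."""
    for candidate in candidates:
        if response_matches_secret(request, response, candidate):
            return candidate
    return None


def recover_user_password(request: bytes, secret: bytes) -> bytes:
    """Walk the attributes and decrypt User-Password with a known (or recovered) secret."""
    pos = 20
    while pos + 2 <= len(request):
        attr_type, attr_len = request[pos], request[pos + 1]
        if attr_len < 2:
            raise ValueError("malformed attribute")
        if attr_type == ATTR_USER_PASSWORD:
            return decrypt_user_password(request[pos + 2:pos + attr_len], secret, request[4:20])
        pos += attr_len
    raise ValueError("no User-Password attribute in request")


if __name__ == "__main__":
    secret = b"SiemensSecret"
    req = build_access_request(7, b"radius", b"Pa55w0rd!", secret, "192.168.8.1")
    resp = build_response(ACCESS_ACCEPT, req, b"", secret)
    found = guess_shared_secret(req, resp, [b"radius", b"siemens", b"Siemens", b"SiemensSecret"])
    print("recovered secret:", found, "-> user password:", recover_user_password(req, found))
```

Use a long random shared secret (a lab value like the one on the page is fine for a demo, not for production), keep the RADIUS server on the isolated DMZ interface as the example does, and restrict the DMZ firewall to RADIUS traffic between the module and the server only, since anyone who can sniff that link gets exactly the oracle shown above.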
  • Page 157 VPN with User Authentication 7. Downloading the configuration to the security module and saving the SOFTNET Security Client configuration • Save the project • Use the menu command “Transfer” > “To all modules…” • Start the download with the “Start” button...
  • Page 158 VPN with User Authentication 7. Downloading the configuration to the security module and saving the SOFTNET Security Client configuration • Save the configuration file “projectname.Module2.dat” in your project folder • Assign a password to the certificate • Confirm the popup with “OK”...
  • Page 159 VPN with User Authentication 8. Setting up a tunnel with the SOFTNET Security Client • Open the SOFTNET Security Client on PC1 • Select “Load Configuration” and browse to where “projectname.Module2.dat” has been saved • Open the configuration with the “Open” button...
  • Page 160 VPN with User Authentication 8. Setting up a tunnel with the SOFTNET Security Client • Loading a new configuration will delete any previous configurations • When the dialog above pops up, select “deleted” and confirm with “Next”...
  • Page 161 VPN with User Authentication 8. Setting up a tunnel with the SOFTNET Security Client • The VPN tunnel can now be opened by clicking the “Enable” button • Enter the certificate password in the dialog...
  • Page 162 VPN with User Authentication 8. Setting up a tunnel with the SOFTNET Security Client • “Tunnel Overview” shows the status of the tunnel • The green circle shows that the tunnel has been established...
  • Page 163 VPN with User Authentication 8. Setting up a tunnel with the SOFTNET Security Client • If the tunnel does not get set up, check whether the Windows Firewall is enabled; the SOFTNET Security Client needs it running • Open “Control Panel” > “Windows Firewall” • If the firewall is not enabled, click “Turn Windows Firewall on or off” and enable it...
  • Page 164 VPN with User Authentication 9. Logging in on the Web page • In the Web browser of PC1, enter the address “https://192.168.10.1”...
  • Page 165 VPN with User Authentication 9. Logging in on the Web page • If the web page does not show the login fields, try changing the language in the upper right corner...
  • Page 166 VPN with User Authentication 9. Logging in on the Web page • Enter the user name “radius” and corresponding password and click the “Log in” button...
  • Page 167 VPN with User Authentication 9. Logging in on the Web page • The defined IP rule set is enabled for the “radius” user.
  • Page 168 VPN with User Authentication 10. Testing the firewall function (ping test) • Open the command prompt on PC1 • Enter the ping command from PC1 to PC2 “ping 192.168.9.2” • All packets reach PC2 through the tunnel...