Siemens S7-400 Equipment Manual page 79

Requirements
• Software versions:
– STEP 7 as of version V5.6
– Security Configuration Tool (SCT) as of Version V5.0
• S7-400H CPU firmware
– H-CPU with firmware as of V4.5: V4.5.7
– H CPU with firmware as of V6.0: V6.0.8
– CPU 410-5H with firmware as of V8.0: V8.2.1
• CP firmware
– CP 443-1 Advanced: As of firmware version V3.2.17
• The firmware versions of the modules within an H-station must be identical for the
respective module type.
You are recommended to operate all CPs within a VPN group with identical firmware.
• To establish the VPN connections correctly, all VPN nodes need the current time.
Make sure that time synchronization is enabled for all nodes and that the same time
source is used, if possible.
Configuration
General
• Configure the nodes of VPN groups in such a way that each sub-connection and each
connection path of an H-connection can be established over the VPN.
• You are recommended to create a logical network in NetPro for each physical network.
• Create a VPN group with all required nodes for each logical network.
• Multiple H-connections can communicate through the same VPN group.
Rules for configuring the VPN groups
The following conditions apply:
• A maximum of 10 VPN groups are permissible per CP.
• The mode of authentication of the VPN group must be certificate-based.
Pre-shared key-based authentication is not permissible.
• The VPN group must be configured in IKE mode "Main".
IKE mode "Aggressive" is not permissible.
• For key exchange, use only "DH group 14" or "DH group 15".
• In Phase 1 during encryption, use only AES-256 with SHA1 authentication.
• In Phase 2 during encryption, use only AES-128 with SHA1 authentication.
CP 443-1 Advanced
Equipment Manual, 03/2023, C79000-G8976-C256-07
Configuration and operation
6.15 H-connections over VPN
79