Configuration
4.9 Security
CP 1243-1
Operating Instructions, 04/2017, C79000-G8976-C365-03
79
4.9.10.4 Creating the VPN connection telecontrol server
Configuration of a VPN connection between CP and TCSB
For secure communication via a VPN tunnel, the communications partners are assigned to a common VPN group. The configuration of a VPN connection between CP and TCSB is not directly possible because the telecontrol server cannot be configured in STEP 7.
To configure the communication between the CP 1243-1 and TCSB via a VPN connection, follow the steps below:
● Create a PC station as a substitute for the telecontrol server.
  This PC station serves as a placeholder for the telecontrol server only for configuration of the security group and is not required for any other purpose.
● To set up the security functions you then have the following alternative options:
  – Install a CP 1628 (security module) on the computer of the telecontrol server and assign the CP 1243-1 and the CP 1628 to the same security group in the configuration.
  – Install the SOFTNET Security Client (license required) on the computer of the telecontrol server and configure the security functions in the STEP 7 project.
With both options you meet the requirements at the TCSB end for secure communication between the CPs of the remote station and the telecontrol server via secure VPN connections.
Configure the security functions of the CPs as described above.
4.9.10.5 Establishment of VPN tunnel communication between the CP and SCALANCE M
Create a VPN tunnel between the CP and a SCALANCE M router as described for the stations.
VPN tunnel communication will only be established if you have selected the check box "Perfect Forward Secrecy" in the global security settings of the created VPN group ("VPN groups > Authentication").
If the check box is not selected, the CP rejects establishment of the tunnel.
4.9.10.6 CP as passive subscriber of VPN connections
Setting permission for VPN connection establishment with passive subscribers
If the CP is connected to another VPN subscriber via a gateway, you need to set the permission for VPN connection establishment to "Responder".
This is the case in the following typical configuration:
VPN subscriber (active) ⇔ gateway (dyn. IP address) ⇔ Internet ⇔ gateway (fixed IP address) ⇔ CP (passive)
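The three rules from sections 4.9.10.4 to 4.9.10.6 (TCSB placeholder needs a CP 1628 or SOFTNET Security Client, PFS must be selected for a SCALANCE M peer, a CP behind a gateway must be "Responder") as a small project check; this is an added example, not Siemens code, and the data model, attribute names, role labels and sample station names are assumptions.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Member:
    name: str
    kind: str                               # "CP 1243-1", "SCALANCE M" or "PC station" (TCSB placeholder)
    role: str = "Initiator/Responder"       # permission for VPN connection establishment (assumed label)
    behind_gateway: bool = False            # CP is reached through a gateway (fixed IP) from the peer
    security_module: Optional[str] = None   # PC station only: "CP 1628" or "SOFTNET Security Client"


@dataclass
class VpnGroup:
    name: str
    pfs: bool                               # "Perfect Forward Secrecy" under VPN groups > Authentication
    members: List[Member] = field(default_factory=list)


def lint_vpn_group(group: VpnGroup) -> List[str]:
    """Return one finding per rule from the manual that this group violates."""
    findings = []
    # 4.9.10.5: the CP only establishes the tunnel to SCALANCE M when PFS is selected.
    if any(m.kind == "SCALANCE M" for m in group.members) and not group.pfs:
        findings.append(f"{group.name}: PFS not selected; the CP rejects the tunnel to SCALANCE M")
    for m in group.members:
        # 4.9.10.4: the PC station only stands in for TCSB; the real endpoint is CP 1628 or SOFTNET Security Client.
        if m.kind == "PC station" and m.security_module not in ("CP 1628", "SOFTNET Security Client"):
            findings.append(f"{m.name}: TCSB placeholder needs a CP 1628 or the SOFTNET Security Client")
        # 4.9.10.6: a CP connected to its peer via a gateway must be the passive side.
        if m.kind == "CP 1243-1" and m.behind_gateway and m.role != "Responder":
            findings.append(f"{m.name}: connected via gateway but permission is '{m.role}'; set 'Responder'")
    return findings


# Constructed sample: a group with all three mistakes and its corrected counterpart.
BAD = VpnGroup("Group_1", pfs=False, members=[
    Member("CP_Station_1", "CP 1243-1", behind_gateway=True),
    Member("M_Router", "SCALANCE M"),
    Member("TCSB_PC", "PC station"),
])
GOOD = VpnGroup("Group_1", pfs=True, members=[
    Member("CP_Station_1", "CP 1243-1", role="Responder", behind_gateway=True),
    Member("M_Router", "SCALANCE M"),
    Member("TCSB_PC", "PC station", security_module="SOFTNET Security Client"),
])

if __name__ == "__main__":
    for g in (BAD, GOOD):
        print(g.name, lint_vpn_group(g) or "OK")
```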