Configuration, programming
4.8 Security
CP 1543-1
Operating Instructions, 12/2019, C79000-G8976-C289-08
65
4.8.2.2 Establishment of VPN tunnel communication between the CP and SCALANCE M
Setting up VPN tunnel communication between the CP and SCALANCE M is essentially the
same as described in Procedure for S7-1500 stations (Page 63).
VPN tunnel communication will only be established if you have enabled the "Perfect Forward
Secrecy" option in the global security settings of the created VPN group ("VPN group >
Authentication").
If the option is disabled, the CP rejects establishment of the connection.
4.8.2.3 VPN tunnel communication with SOFTNET Security Client
Setting up VPN tunnel communication between the SOFTNET Security Client and the CP is
essentially the same as described in Procedure for S7-1500 stations (Page 63).
VPN tunnel communication works only if the internal node is disabled
Under certain circumstances, the establishment of VPN tunnel communication between
SOFTNET Security Client and the CP fails.
SOFTNET Security Client also attempts to establish VPN tunnel communication to a
lower-level internal node. This attempt to connect to a non-existent node prevents the
required communication with the CP from being established.
To establish successful VPN tunnel communication to the CP, you need to disable the
internal node.
Use the procedure for disabling the node as explained below only if the described problem
occurs.
Disable the node in the SOFTNET Security Client tunnel overview:
1. Remove the checkmark in the "Enable active learning" check box.
   The lower-level node initially disappears from the tunnel list.
2. In the tunnel list, select the required connection to the CP.
3. With the right mouse button, select "Enable all members" in the shortcut menu.
   The lower-level node appears again temporarily in the tunnel list.
4. Select the lower-level node in the tunnel list.
5. With the right mouse button, select "Delete entry" in the shortcut menu.
Result: The lower-level node is now fully disabled. VPN tunnel communication to the CP is
established successfully.
4.8.2.4 CP as passive subscriber of VPN connections
Setting permission for VPN connection establishment with passive subscribers
If the CP is connected to another VPN subscriber via a gateway, you need to set the
permission for VPN connection establishment to "Responder".