6.3.1
Rules for forming VPN groups
Remember the following rules:
● For SCALANCE S612 / S613 / S623 / S627-2M / SCALANCE M / VPN device
The first module assigned to a VPN group decides which other modules can be added to it.
If the first module added is a SCALANCE S module in routing mode, a SCALANCE M module or a VPN device, then only SCALANCE S modules with routing activated, SCALANCE M modules or VPN devices can be added, because SCALANCE M modules and VPN devices always operate in routing mode.
If the first module added is a SCALANCE S module in bridge mode, then only SCALANCE S modules in bridge mode can be added.
A CP, an SSC or an NCP VPN client (Android) can be added to a VPN group containing a SCALANCE S in either bridge or routing mode.
● For CP / SSC / NCP VPN client (Android)
If a CP, an SSC or an NCP VPN client (Android) is the first module in a VPN group, modules in any mode can be added until a SCALANCE S or SCALANCE M module is added. From that point on, the rules for SCALANCE S and SCALANCE M modules above apply.
● It is not possible to add a SCALANCE M module to a VPN group that contains a SCALANCE S module in bridge mode.
Refer to the following table to see which modules can be grouped together in a VPN group:

Table 6- 1 Rules for forming VPN groups

Module (already in the group)  | The following can be included in a VPN group containing this module:
                               | SCALANCE S in bridge mode | SCALANCE S in routing mode / SCALANCE M / VPN device / NCP VPN client (Android) | CP / SSC
SCALANCE S in bridge mode      | x | - | x
SCALANCE S in routing mode     | - | x | x
CP x43-1 Adv.                  | x | x | x
SCALANCE M / VPN device        | - | x | x
NCP VPN client (Android)       | - | x | x
x can be included, - cannot be included

6.3 VPN groups
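The membership rules above are easy to get wrong by hand once a group mixes PC clients, CPs and SCALANCE modules, so the following validator encodes them as a small state machine: the first mode-pinning module fixes the group's mode, CPs and SSCs never influence it. This is an added example and not code from the Siemens manual or from the Security Configuration Tool; the class names `Kind` and `VpnGroup`, the function `check_group` and the sample proposals are assumptions made here. On one point the section is not self-consistent: the rule text groups the NCP VPN client (Android) with CP/SSC, while Table 6-1 lists it in the routing column. The example follows Table 6-1; moving `Kind.NCP_ANDROID` into `FLEXIBLE` switches it to the rule text's reading.

```python
"""Validator for the VPN-group membership rules of section 6.3.1 / Table 6-1.

Added example; not part of the Siemens manual or the Security Configuration
Tool. Names (Kind, VpnGroup, check_group) are assumptions made here.
"""
from enum import Enum


class Kind(Enum):
    """Module kinds named in Table 6-1."""
    S_BRIDGE = "SCALANCE S in bridge mode"
    S_ROUTING = "SCALANCE S in routing mode"
    M = "SCALANCE M"
    VPN_DEVICE = "VPN device"
    CP = "CP x43-1 Adv."
    SSC = "SOFTNET Security Client"
    NCP_ANDROID = "NCP VPN client (Android)"


# Kinds that pin the group to one operating mode as soon as one is present.
# SCALANCE M and VPN devices always run in routing mode; Table 6-1 lists the
# NCP VPN client (Android) in the same column, so it is treated the same here.
PINS_MODE = {
    Kind.S_BRIDGE: "bridge",
    Kind.S_ROUTING: "routing",
    Kind.M: "routing",
    Kind.VPN_DEVICE: "routing",
    Kind.NCP_ANDROID: "routing",
}
# CP and SSC join a group in any mode and never change it.
FLEXIBLE = {Kind.CP, Kind.SSC}


class VpnGroup:
    """A VPN group whose mode is decided by its first mode-pinning member."""

    def __init__(self, name):
        self.name = name
        self.mode = None      # stays None until a SCALANCE S / M / VPN device joins
        self.members = []

    def can_add(self, kind):
        """Return (allowed, reason) without modifying the group."""
        if kind in FLEXIBLE:
            return True, "CP / SSC can join a group in any mode"
        wanted = PINS_MODE[kind]
        if self.mode is None or self.mode == wanted:
            return True, f"group mode is {self.mode or 'undetermined'}"
        return False, (f"{kind.value} needs {wanted} mode but "
                       f"'{self.name}' is already in {self.mode} mode")

    def add(self, kind):
        ok, reason = self.can_add(kind)
        if not ok:
            raise ValueError(reason)
        self.members.append(kind)
        if kind in PINS_MODE and self.mode is None:
            self.mode = PINS_MODE[kind]   # the first pinning module decides
        return self


def check_group(kinds, name="group"):
    """Validate a proposed membership list in order; returns (ok, mode, message)."""
    g = VpnGroup(name)
    for k in kinds:
        ok, reason = g.can_add(k)
        if not ok:
            return False, g.mode, reason
        g.add(k)
    return True, g.mode, "ok"


if __name__ == "__main__":
    # Constructed sample proposals, not taken from any real configuration.
    proposals = {
        "cell_bridge": [Kind.S_BRIDGE, Kind.CP, Kind.SSC, Kind.S_BRIDGE],
        "bridge_then_M": [Kind.S_BRIDGE, Kind.M],
        "pc_first": [Kind.CP, Kind.SSC, Kind.S_BRIDGE, Kind.M],
        "remote": [Kind.M, Kind.S_ROUTING, Kind.VPN_DEVICE, Kind.NCP_ANDROID, Kind.CP],
        "routing_plus_bridge": [Kind.S_ROUTING, Kind.S_BRIDGE],
    }
    for name, kinds in proposals.items():
        ok, mode, msg = check_group(kinds, name)
        print(f"{name:20s} {'OK    ' if ok else 'REJECT'} mode={mode} {msg}")
```

The "pc_first" proposal shows the second rule: a CP and an SSC leave the mode undetermined, the SCALANCE S in bridge mode then pins it, and the SCALANCE M is rejected, which is exactly the third rule (no SCALANCE M next to a SCALANCE S in bridge mode).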
6.3.2
Supported tunnel communication relations
Meaning
The following tables show which tunnel interfaces can establish a tunnel between them. Here, a distinction is made depending on whether the SCALANCE S module is in routing or in bridge mode.
Regardless of the interface via which the VPN tunnel is established, by default the nodes of the internal subnets of the security modules can always communicate with each other. If communication via the VPN tunnel is also to extend to other subnets, these can be enabled for tunnel communication in the "VPN" tab of the advanced module properties, see the following section:
● Configuring other nodes and subnets for the VPN tunnel (Page 214)
Subnets that need to be enabled for tunnel communication are as follows:
● Subnet on the external interface (if the external interface is not a VPN endpoint)
● Subnet on the DMZ interface (if the DMZ interface is not a VPN endpoint)
● Other subnets that can be reached by the router on the various interfaces (if these are not VPN endpoints)
Table 6- 2 Tunnel communication between CPs, SCALANCE M modules, SOFTNET Security Clients and SCALANCE S modules in routing mode

Initiator interface (rows) / Responder interface (columns) | External (SCALANCE M875) | External (SCALANCE M-800) | GBit, IE (CP) | External (SCALANCE S) | DMZ (SCALANCE S623 / S627-2M)
PC/PG (SSC)                    | x | x | x | x | x
External (SCALANCE M875)       | - | x | x | x | x
External (SCALANCE M-800)      | - | x | x | x | x
GBit, IE (CP)                  | - | - | x | x | x
External (SCALANCE S)          | - | - | x | x | x
DMZ (SCALANCE S623 / S627-2M)  | - | - | x | x | x
x is supported, - is not supported
Table 6- 3 Tunnel communication between CPs, SOFTNET Security Clients and SCALANCE S modules in bridge mode

Initiator interface (rows) / Responder interface (columns) | GBit, IE (CP) | External (SCALANCE S) | DMZ (SCALANCE S623 / S627-2M)
PC/PG (SSC)                    | x | x | -
GBit, IE (CP)                  | x | x | -
External (SCALANCE S)          | x | x | -
DMZ (SCALANCE S623 / S627-2M)  | - | - | -
x is supported, - is not supported
6.3.3
Creating VPN groups and assigning modules
Requirement
Note
Current date and current time of day on the modules
When using secure communication (for example HTTPS, VPN, ...), make sure that the modules involved have the current date and time of day. Otherwise the certificates used will not be evaluated as valid and the secure communication will not work.
How to access this function
1. Create a VPN group with the "Insert" > "Group" menu command.
2. Assign the modules, SOFTNET Security Clients, VPN devices and NCP VPN clients (Android) intended for a VPN group to that group by dragging them onto the required VPN group with the mouse.
Configuring properties
Just as when configuring modules, the two selectable operating views in the Security Configuration Tool have an effect on configuring VPN groups:
● Standard mode
In standard mode, you retain the defaults set by the system. Even without expert knowledge, you can configure IPsec tunnels in this way and operate secure data communication.
● Advanced mode
The advanced mode provides you with options for setting specific configurations for tunnel communication.
Displaying all configured VPN groups and their properties
● Select the "VPN groups" object in the navigation panel. The following properties of the groups are displayed in columns:

Property/column        | Meaning                | Comment/selection
Name                   | Group name             | Freely selectable
Authentication         | Type of authentication | • Pre-shared key
                       |                        | • Certificate
Group membership until | Life of certificates   | See section "Setting the lifetime of certificates"
Comment                | Comment                | Freely selectable
Setting the life of certificates
Open the dialog in which you can set the expiry date of the certificate as follows:
1. In the navigation panel, select the VPN group for which you want to configure a certificate.
2. Right-click on the security module in the content area and select the "New certificate…" command in the shortcut menu.
Note
Expiry of a certificate
Communication through the VPN tunnel continues after the certificate has expired until the tunnel is terminated or the SA lifetime expires; the expired certificate is rejected only when the tunnel has to be established again. Renew certificates before their expiry date so that a tunnel can be re-established without interruption. You will find more information on certificates in the following section:
• Managing certificates (Page 77)