4.8.1.2
Addressing the CP when using VPN
IP addresses and VPN ports
In normal mobile wireless networks it is not possible to reach a dynamic IP address assigned
to the CP by the mobile wireless network provider from the Internet. For this reason, for
incoming connections make sure that the CP is assigned a fixed public IP address by the
mobile wireless network provider.
You must also make sure that apart from this IP address, the ports required for VPN are
reachable from the Internet.
4.8.1.3
Creating a VPN tunnel for S7 communication between stations
Requirements
To allow a VPN tunnel to be created for S7 communication between two S7 stations or
between an S7 station and an engineering station or an ST7cc/sc PC with a security CP (for
example CP 1628), the following requirements must be met:
● The two stations have been configured.
● The CPs in both stations must support the security functions.
● The Ethernet interfaces of the two stations are located in the same subnet.
● All receiving stations require a fixed IP address to be reachable via the public networks.
Note
Communication also possible via an IP router
Communication between the two stations is also possible via an IP router. To use this
communications path, however, you need to make further settings.
Procedure
To create a VPN tunnel, you need to work through the following steps:
1. Creating a security user
If the security user has already been created: Log on as a user.
2. Select the "Activate security features" check box
3. Creating the VPN group and assigning security modules
4. Configure the properties of the VPN group
5. Configure local VPN properties of the two CPs
You will find a detailed description of the individual steps in the following paragraphs of this
section.
CP 1243-8 IRC
Operating Instructions, 06/2015, C79000-G8976-C385-01
Configuration and operation
4.8 Security functions
91