Which console server models support IPsec?
IPsec is an end-to-end security scheme used for creating a VPN between two networks separated by the Internet or between a client PC and a remote network. The Openswan IPsec implementation is embedded in the ACM5000, IMG4000 and IM4200 console servers (with firmware V2.8.1 or later). When configured these console servers can function as an IPsec VPN gateway which connects locally networked devices to the Internet.
VPN connection to other IPsec networks and clients
With this IPsec VPN gateway function:
- The administrator can establish encrypted, authenticated VPN connections between console servers at remote sites and a VPN gateway on the central office network (such as a Cisco router running IOS IPsec).
Users and administrators at the central office can then securely access the remote console servers and connected serial console devices and machines on the Management LAN subnet at the remote location - as though they were local.
- The road warrior administrator can use a VPN IPsec software client (such as TheGreenBow or Shrew Soft) to remotely access the advanced console server and every machine on the Management LAN subnet at the remote location.
Configuring IPsec on the console server
To enable the VPN gateway function select IPsec VPN on the Serial & Networks menu and click Add for the Add IPsec Tunnel screen:
- Enter any descriptive name you wish to identify the IPsec tunnel
- Select the Authentication Method to be used
- For RSA digital signatures you will need to generate the Left Public Key for the console server. You will also need to find out the key to be used on the remote gateway, then cut and paste it in as the Right Public Key
- For Shared secret you will need to enter a Pre-shared secret (PSK) which must match the PSK configured at the other end of the tunnel
- Select whether to authenticate as part of ESP (Encapsulating Security Payload) encryption or separately using the AH (Authentication Header) protocol
- Enter a Left ID and Right ID. This is the identifier that the local host/gateway and remote host/gateway use for IPsec negotiation and authentication. Each ID must include an @ and can include a fully qualified domain name preceded by @ (e.g. left@example.com)
- Enter the public IP or DNS address of this VPN gateway (or if not an ACM5004G enter the address of the gateway device connecting it to the Internet) as the Left Address. You can leave this blank to use the interface of the default route
- In Right Address enter the public IP or DNS address of the remote end of the tunnel (only if the remote end has a static or dyndns address). Otherwise leave this blank
- If the Opengear VPN gateway is serving as a VPN gateway to a local subnet (e.g. the console server has a Management LAN configured) enter the private subnet details in Left Subnet. Use the CIDR notation (where the IP address number is followed by a slash and the number of one bits in the binary notation of the netmask). For example 192.168.0.0/24 indicates an IP address where the first 24 bits are used as the network address. This is the same as 255.255.255.0. If the VPN access is only to the console server itself and to its attached serial console devices then leave Left Subnet blank
- If there is a VPN gateway at the remote end, enter the private subnet details in Right Subnet. Again use the CIDR notation and leave blank if there is only a remote host
- Select Initiate Tunnel if the tunnel connection is to be initiated from the Left console server end. This can only be initiated from the VPN gateway (Left) if the remote end was configured with a static (or dyndns) IP address
- Click Apply to save changes
Note: It is essential that the configuration details set up on the advanced console server (referred to as the Left or Local host) exactly match the setup entered when configuring the Remote (Right) host/gateway or software client
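As an added check (not part of the original article or of the console server firmware), the following Python applies the rules above to the values entered on each end's Add IPsec Tunnel form and confirms that the remote end's Left/Right entries are the mirror image of the local ones. The SITE_A and SITE_B dictionaries are constructed sample values.

```python
import ipaddress
# Constructed sample values for both ends of one tunnel (not from the page).
SITE_A = {  # the remote-site console server ("Left" on its own form)
    "name": "branch-to-hq", "auth_method": "psk", "psk": "example-secret",
    "protocol": "esp", "left_id": "@branch.example.com",
    "right_id": "@hq.example.com", "left_address": "203.0.113.10",
    "right_address": "198.51.100.1", "left_subnet": "192.168.0.0/24",
    "right_subnet": "10.0.0.0/16", "initiate": True,
}
SITE_B = {  # the same tunnel as entered on the central-office gateway
    "name": "hq-to-branch", "auth_method": "psk", "psk": "example-secret",
    "protocol": "esp", "left_id": "@hq.example.com",
    "right_id": "@branch.example.com", "left_address": "198.51.100.1",
    "right_address": "203.0.113.10", "left_subnet": "10.0.0.0/16",
    "right_subnet": "192.168.0.0/24", "initiate": False,
}

def check_tunnel(cfg):
    """Apply the form rules to one end's values; returns a list of problems."""
    errors = []
    if cfg.get("auth_method") == "psk" and not cfg.get("psk"):
        errors.append("PSK authentication needs a pre-shared secret")
    if cfg.get("auth_method") == "rsa" and not (cfg.get("left_public_key") and cfg.get("right_public_key")):
        errors.append("RSA authentication needs both Left and Right public keys")
    if cfg.get("protocol") not in ("esp", "ah"):
        errors.append("authentication must be ESP or AH")
    for key in ("left_id", "right_id"):  # each ID must include an @
        if "@" not in cfg.get(key, ""):
            errors.append(f"{key} must include an @")
    for key in ("left_subnet", "right_subnet"):  # CIDR, or blank for host-only access
        value = cfg.get(key, "")
        if value:
            try:
                ipaddress.ip_network(value, strict=True)
            except ValueError:
                errors.append(f"{key} {value!r} is not valid CIDR notation")
    if cfg.get("initiate") and not cfg.get("right_address"):
        errors.append("Initiate Tunnel needs a static or dyndns Right Address")
    return errors

def check_pair(local, remote):
    """Both ends must validate and mirror each other (Left/Right swapped)."""
    errors = check_tunnel(local) + ["remote: " + e for e in check_tunnel(remote)]
    for a, b in (("left_id", "right_id"), ("left_address", "right_address"),
                 ("left_subnet", "right_subnet"), ("left_public_key", "right_public_key")):
        if local.get(a, "") != remote.get(b, "") or local.get(b, "") != remote.get(a, ""):
            errors.append(f"{a}/{b} do not mirror between the two ends")
    for key in ("auth_method", "psk", "protocol"):  # must be identical on both ends
        if local.get(key) != remote.get(key):
            errors.append(f"{key} differs between the two ends")
    return errors
```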