
IPSec VPN configuration for example 2
After the private subnets, devices and user account have been configured as described in Two private subnets and user configuration for example 2, a VPN connection must be created. This example shows the configuration steps that the OnBoard appliance administrator and a user on a remote workstation must perform to enable two IPSec VPN connections. One connection supports the IPSec VPN tunnel from the user’s workstation to sp1 and sp2. The second connection supports the IPSec VPN tunnel to sp3 and sp4.
The OnBoard appliance administrator must also do the following to enable an IPSec client to access the private subnets where the devices reside:
Obtain the IP address of the user’s workstation and use it to create two named IPSec connections (connSub1 and connSub2) with the following values specified:
NOTE: The user can test whether the user’s workstation can access the OnBoard appliance by entering the OnBoard appliance’s public IP address in a browser to try to bring up the Web Manager.
The other IPSec configuration parameters (such as Authentication protocol and Boot action) would be determined by the site’s policy, equipment compatibility and site routing requirements.
NOTE: In some circumstances (for example, if packets are being blocked by a firewall on the client’s default gateway), the user’s workstation and the OnBoard appliance will not be able to exchange packets. Setting one or both of the Right and Left nexthop parameters to the IP address of a host route and selecting Add and route as the boot action may be needed to create a route that allows the two endpoints to communicate.
Figure D.9 shows the configuration on the Network-VPN connections: IPSec Add new connection dialog for a connection named connSub1, with the values specified from the above list. Configuration of connSub2 would be similar, with a different Connection name and Left subnet values.
Example 2: Configuring IPSec Access to a Private Subnet and Two Devices
In addition, the OnBoard appliance administrator must do the following to enable the IPSec client to access the subnets where the devices reside:
The OnBoard appliance administrator can send a copy of the relevant portions of the ipsec.conf file after the changes are saved and applied in the Web Manager for the user to insert into the ipsec.conf file on the user’s workstation.
The authorized user must do the following to enable the IPSec client running on the user’s workstation to bring up the VPN tunnel to access the subnets where the devices reside and then to access the native IP features on the devices.
If the OnBoard appliance administrator sends the relevant portions of the ipsec.conf file from the OnBoard appliance’s IPSec configuration, use it to replace the same section in the workstation’s ipsec.conf file.
Depending on the platform and IPSec client being used, the user may use a GUI or execute the ipsec auto --up command. IPSec automatically creates the routes needed to get packets flowing through the tunnel, so neither the user nor the administrator needs to create routes to support IPSec access to devices.
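The step above tells the user to replace the matching section of the workstation’s ipsec.conf with the fragment the administrator sends. The following script is an added example, not part of the OnBoard documentation or software: it parses both files into their config setup and conn sections, replaces any workstation section whose name also appears in the administrator’s fragment, appends the sections the workstation file does not yet have (here connSub2), and reports what changed so the user can review the result before bringing the tunnels up. The two embedded configurations are constructed samples; the addresses, subnets and parameters in them are placeholders, not values from this example.

```python
"""Merge conn sections sent by the OnBoard administrator into a workstation ipsec.conf.

Added example with constructed sample data; section names connSub1/connSub2 follow the
text above, every address and parameter value is a placeholder.
"""
import re

# Section headers in ipsec.conf start at column 0: "config setup" or "conn <name>".
# Parameter lines are indented, so they never match this pattern.
SECTION_RE = re.compile(r"^(?:config\s+setup|conn\s+\S+)\s*$")

# Constructed: the workstation file already has a stale connSub1 and no connSub2.
WORKSTATION_CONF = """\
version 2.0

config setup
    nat_traversal=yes

conn connSub1
    # stale entry from an earlier setup (constructed placeholder values)
    left=192.0.2.1
    leftsubnet=10.0.0.0/24
    right=203.0.113.10
    auto=add
"""

# Constructed: the fragment the administrator copied from the appliance's ipsec.conf.
ADMIN_FRAGMENT = """\
conn connSub1
    left=192.0.2.1
    leftsubnet=192.168.1.0/24
    right=203.0.113.10
    auto=add

conn connSub2
    left=192.0.2.1
    leftsubnet=192.168.2.0/24
    right=203.0.113.10
    auto=add
"""


def parse_sections(text):
    """Split ipsec.conf text into (preamble_lines, [(header, body_lines), ...]).

    Headers are whitespace-normalized ("conn  x" -> "conn x") so sections can be
    matched by name; body lines are kept verbatim, comments and blanks included.
    """
    preamble, sections, current = [], [], None
    for line in text.splitlines():
        if SECTION_RE.match(line):
            current = (" ".join(line.split()), [])
            sections.append(current)
        elif current is None:
            preamble.append(line)
        else:
            current[1].append(line)
    return preamble, sections


def section_params(body_lines):
    """Return the key=value parameters of one section, ignoring comments and blanks."""
    params = {}
    for line in body_lines:
        stripped = line.split("#", 1)[0].strip()
        if "=" in stripped:
            key, value = stripped.split("=", 1)
            params[key.strip()] = value.strip()
    return params


def merge_conf(workstation_text, fragment_text):
    """Replace same-named sections with the administrator's version and append new ones.

    Returns (merged_text, replaced_headers, added_headers).
    """
    preamble, sections = parse_sections(workstation_text)
    _, fragment_sections = parse_sections(fragment_text)
    pending = dict(fragment_sections)  # header -> body_lines not yet placed
    merged, replaced, added = [], [], []
    for header, body in sections:
        if header in pending:
            merged.append((header, pending.pop(header)))
            replaced.append(header)
        else:
            merged.append((header, body))
    for header, body in fragment_sections:
        if header in pending:  # not consumed above: new on the workstation
            merged.append((header, pending.pop(header)))
            added.append(header)
    out = list(preamble)
    for header, body in merged:
        out.append(header)
        out.extend(body)
    return "\n".join(out).rstrip() + "\n", replaced, added


def conn_params(text, conn_name):
    """Look up the parameters of 'conn <conn_name>' in an ipsec.conf text, or None."""
    for header, body in parse_sections(text)[1]:
        if header == f"conn {conn_name}":
            return section_params(body)
    return None


if __name__ == "__main__":
    merged, replaced, added = merge_conf(WORKSTATION_CONF, ADMIN_FRAGMENT)
    print("replaced:", replaced)
    print("added:", added)
    print(merged)
```

After reviewing the merged output and writing it over the workstation’s ipsec.conf, the user brings up each connection by name as the text describes, for example ipsec auto --up connSub1; the workstation’s config setup section and any unrelated conn sections are left untouched by the merge.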
See Enabling native IP and accessing a device’s native features using real IP addresses for example 2.