IPSec VPN connections
To access native IP functionality on a connected SP, a user must create a VPN connection to the OnBoard appliance. Launching an IPSec VPN connection requires IPSec to be running on the computer the user manages devices from through the OnBoard appliance.
Both the ESP and AH authentication protocols (also called encapsulation methods) are supported, and either RSA public keys or a shared secret can be used for authentication. Authentication information (username and password, plus connection keys or certificates) is needed.
If the RSA public key authentication method is chosen, a different key is generated on each end. When a shared secret is used, the same secret is configured on both ends.
The values needed for configuring IPSec VPN connections are shown in the following table.
- Authentication protocol: AH or ESP.
- Boot option: Add or Start.
- Leave blank if the user's workstation and the OnBoard appliance are able to exchange packets. If a route must be set up to enable communications, enter the IP address of a host or network, so that IPSec can use the IP address to set up the needed route. Requires the Add and route boot option to also be selected.
- Required if RSA public keys is selected as the authentication method. The generated key for the remote computer, which the OnBoard appliance administrator must obtain from the user.
- Leave blank if the user's workstation and the OnBoard appliance are able to exchange packets. If a route must be set up to enable communications, enter the IP address of a host or network, so that IPSec can use the IP address to set up the needed route. Requires the Add and route boot option to also be selected.
- Network IP address and netmask for the private subnet where the devices reside that are going to be accessed through the OnBoard appliance.
- Required if RSA public keys is selected as the authentication method. The administrator generates an RSA key for the OnBoard appliance.
The OnBoard appliance administrator must do the following tasks:
After the changes are saved and applied in the Web Manager, the OnBoard appliance administrator can send the user a copy of the relevant portions of the ipsec.conf file, which the user inserts into the ipsec.conf file on the user's workstation.
The authorized user must do the following tasks:
If the OnBoard appliance administrator sends the relevant portions of the ipsec.conf file from the OnBoard appliance’s IPSec configuration, use it to replace the same section in the workstation’s ipsec.conf file.
Ensure that routes are in place to allow IPSec communication with the OnBoard appliance and also to allow packets to the device to be routed through that tunnel.
NOTE: If a virtual network has not been configured, the user may need to create a separate tunnel to each private subnet they wish to access. If a virtual network has been configured, the user needs only to create a single tunnel to the virtual network.
Use either a browser or ssh on the command line to access the OnBoard appliance at its appliance-side IP address, that is, the address that was configured when the private subnet or virtual network to which the tunnel connects was set up.
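The ipsec.conf portion described above, as an added example that is not taken from the OnBoard documentation: it assumes an Openswan-style ipsec.conf on both ends, and every address, subnet and key value is a constructed placeholder. Because Openswan decides which of left/right is the local side by matching its own interface addresses, the same conn section works unchanged on the workstation and on the appliance, which is why the administrator can send it as-is.

```ini
# Constructed example: Openswan-style ipsec.conf sections for a tunnel from a
# user's workstation to the OnBoard appliance. Addresses, subnets and keys are
# placeholders; the appliance administrator supplies the real values.

# Variant 1: RSA public-key authentication. Each end generates its own key;
# the administrator obtains the workstation's key from the user and sends
# the appliance's key back to the user.
conn onboard-rsa
        # workstation (user) side
        left=192.0.2.10
        leftnexthop=192.0.2.1        # omit if packets already flow without a route
        leftrsasigkey=0sPLACEHOLDER-WORKSTATION-PUBLIC-KEY
        # OnBoard appliance side
        right=198.51.100.5
        rightnexthop=198.51.100.1    # likewise, only when a route must be set up
        rightsubnet=10.0.20.0/24     # private subnet (or virtual network) behind the appliance
        rightrsasigkey=0sPLACEHOLDER-ONBOARD-PUBLIC-KEY
        authby=rsasig
        auth=esp                     # or auth=ah for the AH encapsulation method
        auto=add                     # load at boot; auto=start also brings the tunnel up

# Variant 2: shared-secret authentication. The same secret is configured on
# both ends, in ipsec.secrets rather than here, as a line of the form:
#   192.0.2.10 198.51.100.5 : PSK "placeholder-shared-secret"
conn onboard-psk
        left=192.0.2.10
        right=198.51.100.5
        rightsubnet=10.0.20.0/24
        authby=secret
        auth=esp
        auto=start
```

Per the note above, without a virtual network one such conn section is needed for each private subnet the user wants to reach; with a virtual network, a single section pointing rightsubnet at the virtual network suffices.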