A customer’s business network has some number of hosts (often PCs) that typically include one or more Supervisors, which often need to communicate with GPRS modem-equipped JACEs. This network is managed by the customer’s IT department, and typically includes some combination of devices and software such as routers, a firewall, and a gateway to the Internet.
To best integrate the external VPN network (with JACEs) into the customer’s network, another dedicated device (router or firewall) must be placed on the customer’s network, and configured to act as a client “tunnel connection”, or gateway, to this “server network.”
Selection advice for the customer’s IPSec VPN gateway device is beyond the scope of this document. However, Tridium configured and used a Linksys RVL200 router, a relatively inexpensive device.
The IPSec VPN gateway negates the need for “VPN client software” on any of the customer’s hosts—as would be required for any PPTP (one-to-one) connection. Instead, this gateway automatically links the customer’s designated IP subnet to the remote subnet(s) of the Service Provider’s VPN network.
This “tunnel connection” uses IPSec (IP Security Architecture) associations, as configured on both “sides” of the tunnel. IPSec associations include various security parameters such as algorithms and keys. These parameters must be selected and known on both sides of the tunnel—meaning both to the customer and to the Service Provider.
To do this, upon customer request, a Service Provider sends the customer a “VPN provisioning form” that identifies the IP address, machine type, and protocol(s) used on the firewall/VPN gateway on their side of the connection, along with a technical contact for VPN provisioning. The customer then completes the other areas of the form, selecting among various types of IPSec parameters. The customer also identifies the machine type of their dedicated gateway device, along with its static, public IP address, and technical contact information. For more details, see the next section, Provisioning request to Service Provider.
The customer submits this completed form back to the Service Provider. Following this exchange of information, an IP address range within the Service Provider’s VPN network is provisioned (made available) to the customer’s network. Any subsequent configuration information is supplied back to the customer. After the customer completes the configuration of their IPSec VPN gateway, the GPRS modem-equipped JACEs should be able to communicate securely as if they were on the customer’s own subnet.
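Because the IPSec association parameters must match on both sides of the tunnel, and the gateway only works if the customer’s subnet and the provisioned VPN subnet(s) do not overlap, it is worth checking the two halves of the provisioning form against each other before either side configures its gateway. The following script is an added example and is not Tridium’s code or part of the Niagara product; the form field names, the weak-algorithm policy and the sample values are all assumptions constructed for illustration.

```python
"""Consistency checks for an IPSec VPN provisioning exchange.

Added example, not Tridium's code. The field names (IKE/ESP algorithms, subnets,
gateway addresses) are an assumed model of the "VPN provisioning form" described
in the text; all sample values below are constructed.
"""
import ipaddress

# Constructed sample: what the Service Provider states about its side of the tunnel.
PROVIDER_SIDE = {
    "gateway_ip": "203.0.113.10",      # provider's public VPN gateway (documentation range)
    "vpn_subnets": ["10.50.0.0/24"],   # remote subnet(s) provisioned to the customer
    "ike_encryption": "aes256",
    "ike_hash": "sha256",
    "ike_dh_group": 14,
    "esp_encryption": "aes256",
    "esp_auth": "sha256",
}

# Constructed sample: what the customer fills in on its half of the form.
CUSTOMER_SIDE = {
    "gateway_ip": "198.51.100.7",      # customer's static public gateway address
    "local_subnets": ["192.168.1.0/24"],
    "ike_encryption": "aes256",
    "ike_hash": "sha256",
    "ike_dh_group": 14,
    "esp_encryption": "aes256",
    "esp_auth": "sha256",
}

# Security-association parameters that must be identical on both sides.
SA_PARAMS = ("ike_encryption", "ike_hash", "ike_dh_group", "esp_encryption", "esp_auth")

# Address ranges that can never serve as a public tunnel endpoint (RFC 1918, loopback, link-local).
NON_PUBLIC = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

# Example policy assumption (not from the document): values the check treats as too weak.
WEAK_VALUES = {"des", "3des", "md5", 1, 2}


def check_provisioning(provider, customer):
    """Return a list of problems found; an empty list means the two forms are consistent."""
    problems = []

    # 1. Both tunnel endpoints need static, publicly routable addresses.
    for side, form in (("provider", provider), ("customer", customer)):
        addr = ipaddress.ip_address(form["gateway_ip"])
        if any(addr in net for net in NON_PUBLIC):
            problems.append(f"{side} gateway {addr} is not a public address")

    # 2. Local and remote subnets must not overlap, or the gateway cannot route between them.
    for local in customer["local_subnets"]:
        for remote in provider["vpn_subnets"]:
            if ipaddress.ip_network(local).overlaps(ipaddress.ip_network(remote)):
                problems.append(f"customer subnet {local} overlaps VPN subnet {remote}")

    # 3. IPSec association parameters must be selected identically on both sides.
    for key in SA_PARAMS:
        if provider.get(key) != customer.get(key):
            problems.append(f"{key}: provider={provider.get(key)!r} customer={customer.get(key)!r}")

    # 4. Flag parameter choices the example policy considers weak.
    for key in SA_PARAMS:
        if customer.get(key) in WEAK_VALUES:
            problems.append(f"{key}={customer.get(key)!r} is a weak choice")

    return problems


if __name__ == "__main__":
    for problem in check_provisioning(PROVIDER_SIDE, CUSTOMER_SIDE) or ["forms are consistent"]:
        print(problem)
```

Run it against both completed halves of the form; any line of output is something to resolve with the Service Provider’s technical contact before the gateway is configured, since a mismatched parameter simply results in a tunnel that never comes up.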
Copyright © 2000-2014 Tridium Inc. All rights reserved.