The customer contacts their Service Provider to request connection provisioning and to obtain configuration information. At this time, the customer may already have the IPSec-VPN-capable device they will use as their dedicated VPN gateway, or they may wait until they have reviewed the IPSec VPN parameters available for access.
The Service Provider sends the customer a “VPN provisioning form” that identifies the provider’s technical contact name, address, and phone number, along with the equipment parameters on the provider’s side. Included are the subnets being made available to the customer, along with the available selections for IPSec VPN parameters (the provider may suggest a preferred “default set” of parameters, and using it is recommended). On this form the customer also supplies their credential for authentication, as either a pre-shared key or a certificate. Finally, the customer specifies the equipment parameters for their side of the VPN tunnel (the IPSec VPN gateway device). For an example of the main areas of such a form (from Wyless), see Example A..1.
After the customer submits the form back to the Service Provider (information exchanged), the parties responsible for provisioning negotiate an IP range within the Service Provider’s subnet to be used to address the customer’s hosts (GPRS modem-equipped JACEs). It may be requested that one of the IP addresses be available for testing purposes—that is, always connected and “pingable”.
Example A..1. Service Provider’s (Wyless) Customer VPN Information

| Service Provider Details | |
|---|---|
| Name | Wyless PLC |
| Site Address | Harman House, 1 George Street |
| City | Uxbridge |
| Country | UK |
| Technical Contact | ContactName |
| Site Telephone | TelephoneNumber |

| Customer Details | |
|---|---|
| Customer Name | Tridium |
| Primary Site Address | 3951 Westerre Parkway |
| City | Richmond VA |
| Country | USA |
| Site Contact | SiteContactName |
| Technical Contact | TechnicalContactName |
| Site Telephone Number | TelephoneNumber |

| Wyless Firewall/VPN Gateway Details | |
|---|---|
| Firewall/VPN Gateway Make and Model | Cisco PIX 515E |
| VPN Protocol | IPSec |
| VPN Termination Address | provider’s public IP address |

| Mobile Device IP Address/Subnets | |
|---|---|
| Subnet One | 10.120.82.0/24 |
| Subnet Two | 10.117.0.0/22 (255.255.252.0) |
| Subnet Three | |

| VPN Parameters (* = information furnished by customer; Wyless-preferred VPN parameters are in [brackets]) | |
|---|---|
| * Customer Firewall/VPN Gateway Make and Model | Linksys RVL200 |
| ISAKMP Encryption (select) | |
| * Pre-Shared Key [a] | textString |
| * Customer VPN Termination IP Address | IPaddress (public, static IP address for the gateway node) |
| Diffie-Hellman Group (select) | |
| IKE Hash (select) | |
| * IKE Lifetime | 86400 |
| IPSec Transform Set (select) | |
| * Internal IP address range [b] | 10.11.90.0/24 (negotiated) |
| * Pingable Test Host on LAN [c] | 10.11.90.250 (negotiated) |

[a] Pre-shared key used to establish identity before each communications session. Certificates acquired from a trusted authority can replace the use of a pre-shared key.
[b] Range of IP addresses local to Wyless, available to be assigned to hosts from the customer’s network.
[c] Customer’s host functioning as a pingable server to the client network, which Wyless can contact for testing purposes.
In the example form above, Tridium verified a proof-of-concept configuration using the following parameters: 3DES, ISAKMP over IKE, a pre-shared key (not revealed), a Diffie-Hellman group of 2, MD5 hash function, and ESP-3DES for the IPSec transformation set. The tunnel connection was established between a Cisco PIX 515E (Wyless) and a Cisco PIX 506 (Tridium).
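The following script is an added example, not part of the original guide or Tridium’s own tooling: it runs the consistency checks a reviewer would apply to the completed form above (subnet masks, overlap between the negotiated range and the provider’s mobile subnets, the test host lying inside that range, a public termination address) and flags the legacy algorithm choices of the proof-of-concept set. The customer termination IP is a placeholder, and the “legacy” thresholds are this script’s own assumptions.

```python
# Added example, not from the original guide: the consistency checks a reviewer
# would run over a VPN provisioning form. Values are those of Example A..1 and the
# proof-of-concept paragraph; the termination IP and "legacy" thresholds are assumptions.
import ipaddress

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LEGACY_ENCRYPTION = {"des", "3des"}  # assumed policy for a new tunnel
LEGACY_HASH = {"md5"}
MIN_DH_GROUP = 14                    # assumed policy: 2048-bit MODP or stronger

FORM = {  # constructed from Example A..1; termination IP is a TEST-NET-2 placeholder
    "provider_subnets": ["10.120.82.0/24", "10.117.0.0/22 255.255.252.0"],
    "internal_range": "10.11.90.0/24",
    "pingable_host": "10.11.90.250",
    "customer_termination_ip": "198.51.100.7",
    "isakmp_encryption": "3des",  # proof-of-concept set described in the text
    "dh_group": 2,
    "ike_hash": "md5",
}


def parse_subnet(text):
    """Parse 'a.b.c.d/len' or 'a.b.c.d/len mask' as written on the form; raise on mismatch."""
    parts = text.split()
    net = ipaddress.ip_network(parts[0], strict=True)  # strict: host bits must be zero
    if len(parts) > 1 and net.netmask != ipaddress.ip_address(parts[1]):
        raise ValueError(f"mask {parts[1]} does not match {parts[0]}")
    return net


def review_form(form):
    """Return a list of findings; an empty list means the form is consistent."""
    findings = []
    internal = parse_subnet(form["internal_range"])
    for net in map(parse_subnet, form["provider_subnets"]):
        if internal.overlaps(net):  # negotiated range must not collide with provider space
            findings.append(f"internal range {internal} overlaps provider subnet {net}")
    host = ipaddress.ip_address(form["pingable_host"])
    if host not in internal:
        findings.append(f"pingable test host {host} lies outside {internal}")
    term = ipaddress.ip_address(form["customer_termination_ip"])
    if any(term in n for n in RFC1918):
        findings.append(f"termination address {term} is RFC 1918, not public")
    if form["isakmp_encryption"] in LEGACY_ENCRYPTION:
        findings.append(f"ISAKMP encryption {form['isakmp_encryption']} is legacy")
    if form["ike_hash"] in LEGACY_HASH:
        findings.append(f"IKE hash {form['ike_hash']} is legacy")
    if form["dh_group"] < MIN_DH_GROUP:
        findings.append(f"DH group {form['dh_group']} is below group {MIN_DH_GROUP}")
    return findings
```

Run against the form as filled in above, the addressing checks pass and only the three algorithm findings remain, which is the decision a current reviewer would want surfaced before the “default set” is accepted.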
Copyright © 2000-2014 Tridium Inc. All rights reserved.