This syntax enables users to set up SSH tunnels to all serial ports with a single IP port 22 having to be opened in their firewall/gateway
NOTE In console server mode, you connect to a serial port via pmshell. To generate a BREAK on the serial port, type the character sequence ~b. If you’re doing this over OpenSSH, type ~~b.

TCP

RAW TCP allows connections to a TCP socket. While communications programs like PuTTY

also support RAW TCP, this protocol is usually used by a custom application

For RAW TCP, the default port address is IP Address _ Port (4000 + serial port

) i.e. 4001 ­ 4048

RAW TCP also enables the serial port to be tunneled to a remote console server, so two serial port devices can transparently interconnect over a network (see Chapter 3.1.6 ­ Serial Bridging)

RFC2217 Selecting RFC2217 enables serial port redirection on that port. For RFC2217, the default port address is IP Address _ Port (5000 + serial port #) i.e. 5001 ­ 5048
Special client software is available for Windows UNIX and Linux that supports RFC2217 virtual com ports, so a remote host can monitor and manage remote serially attached devices as though they are connected to the local serial port (see Chapter 3.6 ­ Serial Port Redirection for details)
RFC2217 also enables the serial port to be tunneled to a remote console server, so two serial port devices can transparently interconnect over a network (see Chapter 3.1.6 ­ Serial Bridging)

Unauthenticated Telnet This enables Telnet access to the serial port without authentication credentials. When a user accesses the console server to Telnet to a serial port, they are given a login prompt. With unauthenticated Telnet, they connect directly through to the port without any console server login challenge. If a Telnet client does prompt for authentication, any entered data allows connection.

31

Chapter 3: Serial Port, Host, Device & User Configuration
This mode is used with an external system (such as conserver) managing user authentication and access privileges at the serial device level.
Logging into a device connected to the console server may require authentication.
For Unauthenticated Telnet the default port address is IP Address _ Port (6000

• serial port #) i.e. 6001 ­ 6048

Unauthenticated SSH This enables SSH access to the serial port without authentication credentials. When a user accesses the console server to Telnet to a serial port, they are given a login prompt. With unauthenticated SSH they connect directly through to the port without any console server login challenge.
This mode is used when you have another system managing user authentication and access privileges at the serial device level but wish to encrypt the session across the network.
Logging into a device connected to the console server may require authentication.
For Unauthenticated Telnet the default port address is IP Address _ Port (7000

• serial port #) i.e. 7001 ­ 7048
  The : method of port access (as described in the above SSH section) always requires authentication.

Web Terminal This enables web browser access to the serial port via Manage > Devices: Serial using the Management Console’s built in AJAX terminal. Web Terminal connects as the currently authenticated Management Console user and does not re-authenticate. See section 12.3 for more details.

IP Alias

Enable access to the serial port using a specific IP address, specified in CIDR format. Each serial port can be assigned one or more IP aliases, configured on a per-network-interface basis. A serial port can, for example, be made accessible at both 192.168.0.148 (as part of the internal network) and 10.10.10.148 (as part of the Management LAN). It is also possible to make a serial port available on two IP addresses on the same network (for example, 192.168.0.148 and 192.168.0.248).

These IP addresses can only be used to access the specific serial port, accessible using the standard protocol TCP port numbers of the console server services. For example, SSH on serial port 3 would be accessible on port 22 of a serial port IP alias (whereas on the console server’s primary address it is available on port 2003).

This feature can also be configured via the multiple port edit page. In this case the IP addresses are applied sequentially, with the first selected port getting the IP entered and subsequent ones getting incremented, with numbers being skipped for any unselected ports. For example, if ports 2, 3 and 5 are selected and the IP alias 10.0.0.1/24 is entered for the Network Interface, the following addresses are assigned:

Port 2: 10.0.0.1/24

Port 3: 10.0.0.2/24

Port 5: 10.0.0.4/24

IP Aliases also support IPv6 alias addresses. The only difference is that addresses are hexadecimal numbers, so port 10 may correspond to an address ending in A, and 11 to one ending in B, rather than 10 or 11 as per IPv4.

32

User Manual
Encrypt Traffic / Authenticate Enable trivial encryption and authentication of RFC2217 serial communications using Portshare (for strong encryption use VPN).
Accumulation Period Once a connection has been established for a particular serial port (such as a RFC2217 redirection or Telnet connection to a remote computer), any incoming characters on that port are forwarded over the network on a character by character basis. The accumulation period specifies a period of time that incoming characters are collected before being sent as a packet over the network
Escape Character Change the character used for sending escape characters. The default is ~. Replace Backspace Substitute the default backspace value of CTRL+? (127) with CTRL+h (8). Power Menu The command to bring up the power menu is ~p and enables the shell power command so a
user can control the power connection to a managed device from command line when they are Telnet or SSH connected to the device. The managed device must be set up with both its Serial port connection and Power connection configured.
Single Connection This limits the port to a single connection so if multiple users have access privileges for a particular port only one user at a time can access that port (i.e. port snooping is not permitted).
33

Chapter 3: Serial Port, Host, Device & User Configuration
3.1.3 Device (RPC, UPS, Environmental) Mode This mode configures the selected serial port to communicate with a serial controlled Uninterruptable Power Supply (UPS), Remote Power Controller / Power Distribution Units (RPC) or Environmental Monitoring Device (Environmental)

1. Select the desired Device Type (UPS, RPC, or Environmental)
2. Proceed to the appropriate device configuration page (Serial & Network > UPS Connections, RPC Connection or Environmental) as detailed in Chapter 7.

3.1.4 ·

Terminal Server Mode
Select Terminal Server Mode and the Terminal Type (vt220, vt102, vt100, Linux or ANSI) to enable a getty on the selected serial port

The getty configures the port and wait for a connection to be made. An active connection on a serial device is indicated by the raised Data Carrier Detect (DCD) pin on the serial device. When a connection is detected, the getty program issues a login: prompt, and invokes the login program to handle the system login.
NOTE Selecting Terminal Server mode disables Port Manager for that serial port, so data is no longer logged for alerts etc.

34

User Manual
3.1.5 Serial Bridging Mode With serial bridging, the serial data on a nominated serial port on one console server is encapsulated into network packets and transported over a network to a second console server where it is represented as serial data. The two console servers act as a virtual serial cable over an IP network. One console server is configured to be the Server. The Server serial port to be bridged is set in Console server mode with either RFC2217 or RAW enabled. For the Client console server, the serial port to be bridged must be set in Bridging Mode:
· Select Serial Bridging Mode and specify the IP address of the Server console server and the TCP port address of the remote serial port (for RFC2217 bridging this will be 5001-5048)
· By default, the bridging client uses RAW TCP. Select RFC2217 if this is the console server mode you have specified on the server console server
· You can secure the communications over the local Ethernet by enabling SSH. Generate and upload keys.
3.1.6 Syslog In addition to inbuilt logging and monitoring which can be applied to serial-attached and network-attached management accesses, as covered in Chapter 6, the console server can also be configured to support the remote syslog protocol on a per serial port basis:
· Select the Syslog Facility/Priority fields to enable logging of traffic on the selected serial port to a syslog server; and to sort and act on those logged messages (i.e. redirect them / send alert email.)
35

Chapter 3: Serial Port, Device and User Configuration
For example, if the computer attached to serial port 3 should never send anything out on its serial console port, the administrator can set the Facility for that port to local0 (local0 .. local7 are meant for site local values), and the Priority to critical. At this priority, if the console server syslog server does receive a message, it raises an alert. See Chapter 6. 3.1.7 NMEA Streaming The ACM7000-L can provide GPS NMEA data streaming from the internal GPS /cellular modem. This data stream presents as a serial data stream on port 5 on the ACM models.
The Common Settings (baud rate etc.) are ignored when configuring the NMEA serial port. You can specify the Fix Frequency (i.e. this GPS fix rate determines how often GPS fixes are obtained). You can also apply all the Console Server Mode, Syslog and Serial Bridging settings to this port.
You can use pmshell, webshell, SSH, RFC2217 or RawTCP to get at the stream:
For example, using the Web Terminal:
36

User Manual

3.1.8 USB Consoles
Console servers with USB ports support USB console connections to devices from a wide range of vendors, including Cisco, HP, Dell and Brocade. These USB ports can also function as plain RS-232 serial ports when a USB-to-serial adapter is connected.

These USB ports are available as regular portmanager ports and are presented numerically in the web UI after all RJ45 serial ports.

The ACM7008-2 has eight RJ45 serial ports on the rear of the console server and four USB ports on the front. In Serial & Network > Serial Port these are listed as

Port # Connector

1

RJ45

2

RJ45

3

RJ45

4

RJ45

5

RJ45

6

RJ45

7

RJ45

8

RJ45

9

USB

10 USB

11 USB

12 USB

If the particular ACM7008-2 is a cellular model, port #13 — for the GPS — will also be listed.

The 7216-24U has 16 RJ45 serial ports and 24 USB ports on its rear-face as well as two front-facing USB ports and (in the cellular model) a GPS.

The RJ45 serial ports are presented in Serial & Network > Serial Port as port numbers 1­16. The 24 rearfacing USB ports take port numbers 17­40, and the front-facing USB ports are listed at port numbers 41 and 42 respectively. And, as with the ACM7008-2, if the particular 7216-24U is a cellular model, the GPS is presented at port number 43.

The common settings (baud rate, etc.) are used when configuring the ports, but some operations may not work depending on the implementation of the underlying USB serial chip.

3.2 Add and Edit Users
The administrator uses this menu selection to create, edit and delete users and to define the access permissions for each of these users.

37

Chapter 3: Serial Port, Device and User Configuration

Users can be authorized to access specified services, serial ports, power devices and specified networkattached hosts. These users can also be given full administrator status (with full configuration and management and access privileges).

Users can be added to groups. Six groups are set up by default:

admin

Provides unlimited configuration and management privileges.

pptpd

Allows access to the PPTP VPN server. Users in this group have their password stored in clear text.

dialin

Allows dialin access via modems. Users in this group have their password stored in clear text.

ftp

Allows ftp access and file access to storage devices.

pmshell

Sets default shell to pmshell.

users

Provides users with basic management privileges.

The admin group provides members full administrator privileges. The admin user can access the console server using any of the services which have been enabled in System > Services They can also access any of the connected Hosts or serial port devices using any of the services that have been enabled for these connections. Only trusted users should have administrator access
The user group provides members with limited access to the console server and connected hosts and serial devices. These users can only access the Management section of the Management Console menu and they have no command line access to the console server. They can only access those Hosts and serial devices that have been checked for them, using services that have been enabled
Users in the pptd, dialin, ftp or pmshell groups have restricted user shell access to the nominated managed devices but they will not have any direct access to the console server. To add this the users must also be a member of the users or admin groups
The administrator can set up additional groups with specific power device, serial port and host access permissions. Users in these additional groups don’t have any access to the Management Console menu nor do they have any command line access to the console server.

38

User Manual
The administrator can set up users with specific power device, serial port and host access permissions who are not a member of any groups. These users don’t have any access to the Management Console menu nor command line access to the console server. 3.2.1 Set up new group To set up new groups and new users, and to classify users as members of particular groups:
1. Select Serial & Network > Users & Groups to display all groups and users 2. Click Add Group to add a new group
3. Add a Group name and Description for each new group, and nominate the Accessible Hosts, Accessible Ports and Accessible RPC Outlets that users in this new group will be able to access
4. Click Apply 5. The administrator can Edit or Delete any added group 3.2.2 Set up new users To set up new users, and to classify users as members of particular groups: 1. Select Serial & Network > Users & Groups to display all groups and users 2. Click Add User
39

Chapter 3: Serial Port, Device and User Configuration
3. Add a Username for each new user. You may also include information related to the user (e.g. contact details) in the Description field. The Username can contain from 1 to 127 alphanumeric characters and the characters “-” “_” and “.”.
4. Specify which Groups you wish the user to be a member of 5. Add a confirmed Password for each new user. All characters are allowed. 6. SSH pass- key authentication can be used. Paste the public keys of authorized public/private
keypairs for this user in the Authorized SSH Keys field 7. Check Disable Password Authentication to only allow public key authentication for this user
when using SSH 8. Check Enable Dial-Back in the Dial-in Options menu to allow an out-going dial-back connection
to be triggered by logging into this port. Enter the Dial-Back Phone Number with the phone number to call-back when user logs in 9. Check Accessible Hosts and/or Accessible Ports to nominate the serial ports and network connected hosts you wish the user to have access privileges to 10. If there are configured RPCs, check Accessible RPC Outlets to specify which outlets the user is able to control (i.e. Power On/Off) 11. Click Apply. The new user will be able to access the accessible Network Devices, Ports and RPC Outlets. If the user is a group member, they can also access any other device/port/outlet accessible to the group
40

User Manual
There are no limits on the number of users you can set up or the number of users per serial port or host. Multiple users can control/monitor the one port or host. There are no limits on the number of groups and each user can be a member of a number of groups. A user does not have to be a member of any groups, but if the user is a member of the default user group, they will not be able to use the Management Console to manage ports. While there are no limits, the time to re-configure increases as the number and complexity increases. We recommend the aggregate number of users and groups be kept under 250. The administrator can also edit the access settings for any existing users:
· Select Serial & Network > Users & Groups and click Edit to modify the user access privileges · Click Delete to remove the user · Click Disable to temporarily block access privileges
3.3 Authentication
See Chapter 8 for authentication configuration details.
3.4 Network Hosts
To monitor and remotely access a locally networked computer or device (referred to as a Host) you must identify the Host:
1. Selecting Serial & Network > Network Hosts presents all the network connected Hosts that have been enabled for use.
2. Click Add Host to enable access to a new Host (or select Edit to update the settings for existing Host)
41

Chapter 3: Serial Port, Device and User Configuration
3. If the Host is a PDU or UPS power device or a server with IPMI power control, specify RPC (for IPMI and PDU) or UPS and the Device Type. The administrator can configure these devices and enable which users have permission to remotely cycle power, etc. See Chapter 7. Otherwise leave the Device Type set to None.
4. If the console server has been configured with distributed Nagios monitoring enabled, you will also see Nagios Settings options to enable nominated services on the Host to be monitored.
5. Click Apply. This creates the new Host and also create a new managed device with the same name.
3.5 Trusted Networks
The Trusted Networks facility gives you an option to nominate IP addresses that users must be located at, to have access to console server serial ports:
42

User Manual
1. Select Serial & Network > Trusted Networks 2. To add a new trusted network, select Add Rule. In the absence of Rules, there are no access
limitations as to the IP address at which users can be located.

3. Select the Accessible Ports that the new rule is to be applied to
4. Enter the Network Address of the subnet to be permitted access
5. Specify the range of addresses that are to be permitted by entering a Network Mask for that permitted IP range e.g.
· To permit all the users located with a particular Class C network connection to the nominated port, add the following Trusted Network New Rule:

Network IP Address

204.15.5.0

Subnet Mask

255.255.255.0

· To permit only one user located at a specific IP address to connect:

Network IP Address

204.15.5.13

Subnet Mask

255.255.255.255

· To allow all the users operating from within a specific range of IP addresses (say any of the thirty addresses from 204.15.5.129 to 204.15.5.158) to be permitted connection to the nominated port:

Host /Subnet Address

204.15.5.128

Subnet Mask

255.255.255.224

6. Click Apply

43

Chapter 3: Serial Port, Device and User Configuration
3.6 Serial Port Cascading
Cascaded Ports enables you to cluster distributed console servers so a large number of serial ports (up to 1000) can be configured and accessed through one IP address and managed through the one Management Console. One console server, the Primary, controls other console servers as Node units and all the serial ports on the Node units appear as if they are part of the Primary. Opengear’s clustering connects each Node to the Primary with an SSH connection. This is done using public key authentication, so the Primary can access each Node using the SSH key pair (rather than using passwords). This ensures secure authenticated communications between Primary and Nodes enabling theNode console server units to be distributed locally on a LAN or remotely around the world.
3.6.1 Automatically generate and upload SSH keys To set up public key authentication you must first generate an RSA or DSA key pair and upload them into the Primary and Node console servers. This can be done automatically from the Primary:
44

User Manual
1. Select System > Administration on Primary’s Management Console
2. Check Generate SSH keys automatically. 3. Click Apply
Next you must select whether to generate keys using RSA and/or DSA (if unsure, select only RSA). Generating each set of keys require two minutes and the new keys destroy old keys of that type. While the new generation is underway, functions relying on SSH keys (e.g. cascading) may stop functioning until they are updated with the new set of keys. To generate keys:
1. Check boxes for the keys you wish to generate. 2. Click Apply
3. Once the new keys have been generated, click the link Click here to return. The keys are uploaded
to the Primary and connected Nodes.
3.6.2 Manually generate and upload SSH keys Alternately if you have an RSA or DSA key pair you can upload them to the Primary and Node consoleservers. To upload the key public and private key pair to the Primary console server:
1. Select System > Administration on the Primary’s Management Console
2. Browse to the location you have stored RSA (or DSA) Public Key and upload it to SSH RSA (DSA) Public Key
3. Browse to the stored RSA (or DSA) Private Key and upload it to SSH RSA (DSA) Private Key 4. Click Apply
45

Chapter 3: Serial Port, Device and User Configuration
Next, you must register the Public Key as an Authorized Key on the Node. In the case of one Primary withmultiple Nodes, you upload one RSA or DSA public key for each Node.
1. Select System > Administration on the Node’s Management Console 2. Browse to the stored RSA (or DSA) Public Key and upload it to Node’s SSH Authorized Key
3. Click Apply The next step is to Fingerprint each new Node-Primary connection. This step validates that you are establishing an SSH session to who you think you are. On the first connection the Node receives a fingerprint from the Primary used on all future connections: To establish the fingerprint first log in the Primary server as root and establish an SSH connection to theNode remote host:

ssh remhost Once the SSH connection has been established, you are asked to

accept the key. Answer yes and the fingerprint is added to the list of known hosts. If you are asked to supply a password, there was problem uploading keys. 3.6.3 Configure the Nodes and their serial ports Begin setting up the Nodes and configuring Node serial ports from the Primary console server:
1. Select Serial & Network > Cascaded Ports on the Primary’s Management Console: 2. To add clustering support, select Add Node
You can’t add Nodes until you have generated SSH keys. To define and configure a Node:
46

User Manual
1. Enter the remote IP Address or DNS Name for the Node console server 2. Enter a brief Description and a short Label for the Node 3. Enter the full number of serial ports on the Node unit in Number of Ports 4. Click Apply. This establishes the SSH tunnel between the Primary and the new Node
The Serial & Network > Cascaded Ports menu displays all the nodes and the port numbers that have been allocated on the Primary. If the Primary console server has 16 ports of its own, ports 1-16 are preallocated to the Primary, so the first node added is assigned port number 17 onwards. Once you have added all the Node console servers, the Node serial ports and the connected devices are configurable and accessible from the Primary’s Management Console menu and accessible through the Primary’s IP address.
1. Select the appropriate Serial & Network > Serial Port and Edit to configure the serial ports on the
Node.
2. Select the appropriate Serial & Network > Users & Groups to add new users with access privileges
to the Node serial ports (or to extend existing users access privileges).
3. Select the appropriate Serial & Network > Trusted Networks to specify network addresses that
can access nominated node serial ports. 4. Select the appropriate Alerts & Logging > Alerts to configure Node port Connection, State
Changeor Pattern Match alerts. The configuration changes made on the Primary are propagated out to all the nodes when you click Apply.
3.6.4 Managing Nodes The Primary is in control of the Node serial ports. For example, if change a user access privileges or edit any serial port setting on the Primary, the updated configuration files are sent out to each Node in parallel.Each Node makes changes to their local configurations (and only makes changes that relate to its particular serial ports). You can use the local Node Management Console to change the settings on any node serial port (such as alter the baud rates). These changes are overwritten next time the Primary sends out a configuration file update. While the Primary is in control of all node serial port related functions, it is not primary over the node network host connections or over the Node Console Server system. Node functions such as IP, SMTP & SNMP Settings, Date &Time, DHCP server must be managed by accessing each node directly and these functions are not over written when configuration changes are propagated from the Primary. The Node’s Network Host and IPMI settings must be configured at each node.
47

Chapter 3: Serial Port, Device and User Configuration
The Primary’s Management Console provides a consolidated view of the settings for its own and the entireNode’s serial ports. The Primary does not provide a fully consolidated view. For example, if you want to find out who is logged in to cascaded serial ports from the primary, you’ll see that Status > Active Users only displays those users active on the Primary’s ports, so you may need to write custom scripts to providethis view.
3.7 Serial Port Redirection (PortShare)
Opengear’s Port Share software delivers the virtual serial port technology your Windows and Linux applications need to open remote serial ports and read the data from serial devices that are connected to your console server.
PortShare is supplied free with each console server and you are licensed to install PortShare on one or more computers for accessing any serial device connected to a console server port. PortShare for Windows The portshare_setup.exe can be downloaded from the ftp site. See the PortShare User Manual and Quick Start for details on installation and operation. PortShare for Linux The PortShare driver for Linux maps the console server serial port to a host try port. Opengear has released the portshare-serial- client as an open source utility for Linux, AIX, HPUX, SCO, Solaris and UnixWare. This utility can be downloaded from the ftp site. This PortShare serial port redirector allows you to use a serial device connected to the remote console server as if it were connected to your local serial port. The portshare-serial-client creates a pseudo tty port, connects the serial application to the pseudo tty port, receives data from the pseudo tty port, transmits it to the console server through network and receives data from the console server through network and transmits it to the pseudo-tty port. The .tar file can be downloaded from the ftp site. See the PortShare User Manual and Quick Start for details on installation and operation.
48

User Manual
3.8 Managed Devices
The Managed Devices page presents a consolidated view of all the connections to a device that can be accessed and monitored through the console server. To view the connections to the devices, select Serial & Network > Managed Devices
This screen displays all the managed devices with their Description/Notes and lists of all the configured Connections:
· Serial Port # (if serially connected) or · USB (if USB connected) · IP Address (if network connected) · Power PDU/outlet details (if applicable) and any UPS connections Devices such as servers may have more than one power connection (e.g. dual power supplied) and more than one network connection (e.g. for BMC/service processor). All users can view these managed device connections by selecting Manage > Devices. Administrators can also edit and add/delete these managed devices and their connections. To edit an existing device and add a new connection: 1. Select Edit on the Serial & Network > Managed Devices and click Add Connection 2. Select the connection type for the new connection (Serial, Network Host, UPS or RPC) and select
the connection from the presented list of configured unallocated hosts/ports/outlets
49

Chapter 3: Serial Port, Device and User Configuration
To add a new network connected managed device: 1. The Administrator adds a new network connected managed device using Add Host on the Serial & Network > Network Host menu. This automatically creates a corresponding new managed device. 2. When adding a new network connected RPC or UPS power device, you set up a Network Host, designate it as RPC or UPS. Go to RPC Connections or UPS Connections to configure the relevant connection. Corresponding new managed device with the same Name /Description as the RPC/UPS Host is not created until this connection step is completed.
NOTE The outlet names on the newly created PDU are Outlet 1 and Outlet 2. When you connect a particular managed device that draws power from the outlet, the outlet takes the name of the powered managed device.
To add a new serially connected managed device: 1. Configure the serial port using the Serial & Network > Serial Port menu (See Section 3.1 Configure Serial Port) 2. Select Serial & Network > Managed Devices and click Add Device 3. Enter a Device Name and Description for the managed device

4. Click Add Connection and select Serial and the Port that connects to the managed device

5. To add a UPS/RPC power connection or network connection or another serial connection click Add Connection

6. Click Apply

NOTE

To set up a serially connected RPC UPS or EMD device, configure the serial port, designate it as a Device, and enter a Name and Description for that device in the Serial & Network > RPC Connections (or UPS Connections or Environmental). This creates a corresponding new managed device with the same Name /Description as the RPC/UPS Host. The outlet names on this newly created PDU are Outlet 1and Outlet 2. When you connect a managed device that draws power from the outlet, the outlet takes the name of the powered managed Device.

3.9 IPsec VPN
The ACM7000, CM7100, and IM7200 include Openswan, a Linux implementation of the IPsec (IP Security) protocols, which can be used to configure a Virtual Private Network (VPN). The VPN allows multiple sites or remote administrators to access the console server and managed devices securely over the Internet.

50

User Manual
The administrator can establish encrypted authenticated VPN connections between console servers distributed at remote sites and a VPN gateway (such as Cisco router running IOS IPsec) on their central office network:
· Users at the central office can securely access the remote console servers and connected serial console devices and machines on the Management LAN subnet at the remote location as though they were local
· All these remote console servers can be monitored with a CMS6000 on the central network · With serial bridging, serial data from controller at the central office machine can be securely
connected to the serially controlled devices at the remote sites The road warrior administrator can use a VPN IPsec software client to remotely access the console server and every machine on the Management LAN subnet at the remote location
Configuration of IPsec is quite complex so Opengear provides a GUI interface for basic set up as described below. To enable the VPN gateway:
1. Select IPsec VPN on the Serial & Networks menu
2. Click Add and complete the Add IPsec Tunnel screen 3. Enter any descriptive name you wish to identify the IPsec Tunnel you are adding such as
WestStOutlet-VPN
51

Chapter 3: Serial Port, Device and User Configuration
4. Select the Authentication Method to be used, either RSA digital signatures or a Shared secret (PSK) o If you select RSA you are asked to click here to generate keys. This generates an RSA public key for the console server (the Left Public Key). Locate the key to be used on the remote gateway, cut and paste it into the Right Public Key
o If you select Shared secret, enter a Pre-shared secret (PSK). The PSK must match the PSK configured at the other end of the tunnel
5. In Authentication Protocol select the authentication protocol to be used. Either authenticate as part of ESP (Encapsulating Security Payload) encryption or separately using the AH (Authentication Header) protocol.
52

User Manual
6. Enter a Left ID and Right ID. This is the identifier that the Local host/gateway and remote host/gateway use for IPsec negotiation and authentication. Each ID must include an @ and can include a fully qualified domain name ( e.g. [email protected])
7. Enter the public IP or DNS address of this Opengear VPN gateway as the Left Address. You can leave this blank to use the interface of the default route
8. In Right Address enter the public IP or DNS address of the remote end of the tunnel (only if the remote end has a static or DynDNS address). Otherwise leave this blank
9. If the Opengear VPN gateway is serving as a VPN gateway to a local subnet (e.g. the console server has a Management LAN configured) enter the private subnet details in Left Subnet. Use the CIDR notation (where the IP address number is followed by a slash and the number of `one’ bits in the binary notation of the netmask). For example, 192.168.0.0/24 indicates an IP address where the first 24 bits are used as the network address. This is the same as 255.255.255.0. If the VPN access is only to the console server and to its attached serial console devices, leave Left Subnet blank
10. If there is a VPN gateway at the remote end, enter the private subnet details in Right Subnet. Use the CIDR notation and leave blank if there is only a remote host
11. Select Initiate Tunnel if the tunnel connection is to be initiated from the Left console server end. This can only be initiated from the VPN gateway (Left) if the remote end is configured with a static (or DynDNS) IP address
12. Click Apply to save changes
NOTE Configuration details set up on the console server (referred to as the Left or Local host) must match the set up entered when configuring the Remote (Right) host/gateway or software client. See http://www.opengear.com/faq.html for details on configuring these remote ends
3.10 OpenVPN
The ACM7000, CM7100, and IM7200 with firmware V3.2 and later include OpenVPN. OpenVPN uses the OpenSSL library for encryption, authentication, and certification, which means it uses SSL/TSL (Secure Socket Layer/Transport Layer Security) for key exchange and can encrypt both data and control channels. Using OpenVPN allows for the building of cross-platform, point-to- point VPNs using either X.509 PKI (Public Key Infrastructure) or custom configuration files. OpenVPN allows secure tunneling of data through a single TCP/UDP port over an unsecured network, thus providing secure access to multiple sites and secure remote administration to a console server over the Internet. OpenVPN also allows the use of Dynamic IP addresses by both the server and client thus providing client mobility. For example, an OpenVPN tunnel may be established between a roaming windows client and an Opengear console server within a data center. Configuration of OpenVPN can be complex so Opengear provides a GUI interface for basic set up as described below. More detailed information is available at http://www.openvpn.net
3.10.1 Enable the OpenVPN 1. Select OpenVPN on the Serial & Networks menu
53

Chapter 3: Serial Port, Device and User Configuration
2. Click Add and complete the Add OpenVPN Tunnel screen 3. Enter any descriptive name you wish to identify the OpenVPN Tunnel you are adding, for example
NorthStOutlet-VPN
4. Select the authentication method to be used. To authenticate using certificates select PKI (X.509 Certificates) or select Custom Configuration to upload custom configuration files. Custom configurations must be stored in /etc/config.
NOTE If you select PKI, establish: Separate certificate (also known as a public key). This Certificate File is a .crt file type Private Key for the server and each client. This Private Key File is a .key file type
Primary Certificate Authority (CA) certificate and key which is used to sign each of the server
andclient certificates. This Root CA Certificate is a *.crt file type For a server, you may also need dh1024.pem (Diffie Hellman parameters). See http://openvpn.net/easyrsa.html for a guide to basic RSA key management. For alternative authentication methods see http://openvpn.net/index.php/documentation/howto.html#auth.
5. Select the Device Driver to be used, either Tun-IP or Tap-Ethernet. The TUN (network tunnel) and TAP (network tap) drivers are virtual network drivers that support IP tunneling and Ethernet tunneling, respectively. TUN and TAP are part of the Linux kernel.
6. Select either UDP or TCP as the Protocol. UDP is the default and preferred protocol for OpenVPN. 7. Check or uncheck the Compression button to enable or disable compression. 8. In Tunnel Mode, nominate whether this is the Client or Server end of the tunnel. When running as
a server, the console server supports multiple clients connecting to the VPN server over the same port.
54

User Manual
3.10.2 Configure as Server or Client
1. Complete the Client Details or Server Details depending on the Tunnel Mode selected. o If Client has been selected, the Primary Server Address is the address of the OpenVPN Server. o If Server has been selected, enter the IP Pool Network address and the IP Pool Network mask for the IP Pool. The network defined by the IP Pool Network address/mask is used to provide the addresses for connecting clients.
2. Click Apply to save changes
55

Chapter 3: Serial Port, Device and User Configuration
3. To enter authentication certificates and files, select the Manage OpenVPN Files tab. Upload or browse to relevant authentication certificates and files.
4. Apply to save changes. Saved files are displayed in red on the right-hand side of the Upload button.
5. To enable OpenVPN, Edit the OpenVPN tunnel
56

User Manual
6. Check the Enabled button. 7. Apply to save changes NOTE Make sure that the console server system time is correct when working with OpenVPN to avoid
authentication issues.
8. Select Statistics on the Status menu to verify that the tunnel is operational.
57

Chapter 3: Serial Port, Device and User Configuration
3.10.3 Windows OpenVPN Client and Server set up This section outlines the installation and configuration of a Windows OpenVPN client or a Windows OpenVPN server and setting up a VPN connection to a console server. Console servers generate Windows client config automatically from the GUI ­ for Pre- shared Secret (Static Key File) configurations.
Alternately OpenVPN GUI for Windows software (which includes the standard OpenVPN package plus a Windows GUI) can be downloaded from http://openvpn.net. Once installed on the Windows machine, an OpenVPN icon is added to the Notification Area located in the right side of the taskbar. Right click on this icon to start and stop VPN connections, edit configurations, and view logs.
When the OpenVPN software begins running, the C:Program FilesOpenVPNconfig folder is scanned for .opvn files. This folder is rechecked for new configuration files whenever the OpenVPN GUI icon is rightclicked. Once OpenVPN is installed, create a configuration file:
58

User Manual

Using a text editor, create an xxxx.ovpn file and save in C:Program FilesOpenVPNconfig. For example, C:Program FilesOpenVPNconfigclient.ovpn
An example of an OpenVPN Windows client configuration file is shown below:

description: IM4216_client client proto udp verb 3 dev tun remote

192.168.250.152 port 1194 ca c:\openvpnkeys\ca.crt cert c:\openvpnkeys\client.crt key c:\openvpnkeys\client.key nobind persist-key persist-tun comp-lzo
An example of an OpenVPN Windows Server configuration file is shown below:
server 10.100.10.0 255.255.255.0 port 1194 keepalive 10 120 proto udp mssfix 1400 persist-key persist-tun dev tun ca c:\openvpnkeys\ca.crt cert c:\openvpnkeys\server.crt key c:\openvpnkeys\server.key dh c:\openvpnkeys\dh.pem comp-lzo verb 1 syslog IM4216_OpenVPN_Server
The Windows client/server configuration file options are:

Options #description: Client server proto udp proto tcp mssfix <max. size> verb
dev tun dev tap

Description This is a comment describing the configuration. Comment lines start with#’ and are ignored by OpenVPN. Specify whether this will be a client or server configuration file. In the server configuration file, define the IP address pool and netmask. For example, server 10.100.10.0 255.255.255.0 Set the protocol to UDP or TCP. The client and server must use the same settings. Mssfix sets the maximum size of the packet. This is only useful for UDP if problems occur. Set log file verbosity level. Log verbosity level can be set from 0 (minimum) to 15 (maximum). For example, 0 = silent except for fatal errors 3 = medium output, good for general usage 5 = helps with debugging connection problems 9 = verbose, excellent for troubleshooting Selectdev tun’ to create a routed IP tunnel or `dev tap’ to create an Ethernet tunnel. The client and server must use the same settings.

59

Chapter 3: Serial Port, Device and User Configuration

remote Port Keepalive
http-proxy <proxy port #> ca
cert
key
dh Nobind persist-key persist-tun cipher BF-CBC Blowfish (default) cipher AES-128-CBC AES cipher DES-EDE3-CBC Triple-DES comp-lzo syslog

The hostname/IP of OpenVPN server when operating as a client. Enter either the DNS hostname or the static IP address of the server. The UDP/TCP port of the server. Keepalive uses ping to keep the OpenVPN session alive. ‘Keepalive 10 120′ pings every 10 seconds and assumes the remote peer is down if no ping has been received over a 120 second time period. If a proxy is required to access the server, enter the proxy server DNS name or IP and port number. Enter the CA certificate file name and location. The same CA certificate file can be used by the server and all clients. Note: Ensure each ’ in the directory path is replaced with \’. For example, c:openvpnkeysca.crt will become c:\openvpnkeys\ca.crt Enter the client’s or server’s certificate file name and location. Each client should have its own certificate and key files. Note: Ensure each ’ in the directory path is replaced with \’. Enter the file name and location of the client’s or server’s key. Each client should have its own certificate and key files. Note: Ensure each ’ in the directory path is replaced with \’. This is used by the server only. Enter the path to the key with the Diffie-Hellman parameters. `Nobind’ is used when clients do not need to bind to a local address or specific local port number. This is the case in most client configurations. This option prevents the reloading of keys across restarts. This option prevents the close and reopen of TUN/TAP devices across restarts. Select a cryptographic cipher. The client and server must use the same settings.
Enable compression on the OpenVPN link. This must be enabled on both the client and the server. By default, logs are located in syslog or, if running as a service on Window, in Program FilesOpenVPNlog directory.

To initiate the OpenVPN tunnel following the creation of the client/server configuration files: 1. Right click on the OpenVPN icon in the Notification Area 2. Select the newly created client or server configuration. 3. Click Connect

4. The log file is displayed as the connection is established
60

User Manual
5. Once established, the OpenVPN icon displays a message indicating a successful connection and assigned IP. This information, as well as the time the connection was established, is available by scrolling over the OpenVPN icon.
3.11 PPTP VPN
Console servers include a PPTP (Point-to-Point Tunneling Protocol) server. PPTP is used for communications over a physical or virtual serial link. The PPP endpoints define a virtual IP address to themselves. Routes to networks can be defined with these IP addresses as the gateway, which results in traffic being sent across the tunnel. PPTP establishes a tunnel between the physical PPP endpoints and securely transports data across the tunnel.
The strength of PPTP is its ease of configuration and integration into existing Microsoft infrastructure. It is generally used for connecting single remote Windows clients. If you take your portable computer on a business trip, you can dial a local number to connect to your Internet access service provider (ISP) and create a second connection (tunnel) into your office network across the Internet and have the same access to your corporate network as if you were connected directly from your office. Telecommuters can also set up a VPN tunnel over their cable modem or DSL links to their local ISP.
61

Chapter 3: Serial Port, Device and User Configuration
To set up a PPTP connection from a remote Windows client to your Opengear appliance and local network:
1. Enable and configure the PPTP VPN server on your Opengear appliance 2. Set up VPN user accounts on the Opengear appliance and enable the appropriate
authentication 3. Configure the VPN clients at the remote sites. The client does not require special software as
the PPTP Server supports the standard PPTP client software included with Windows NT and later 4. Connect to the remote VPN 3.11.1 Enable the PPTP VPN server 1. Select PPTP VPN on the Serial & Networks menu
2. Select the Enable check box to enable the PPTP Server 3. Select the Minimum Authentication Required. Access is denied to remote users attempting to
connect using an authentication scheme weaker than the selected scheme. The schemes are described below, from strongest to weakest. · Encrypted Authentication (MS-CHAP v2): The strongest type of authentication to use; this is
the recommended option · Weakly Encrypted Authentication (CHAP): This is the weakest type of encrypted password
authentication to use. It is not recommended that clients connect using this as it provides very little password protection. Also note that clients connecting using CHAP are unable to encrypt traffic
62

User Manual
· Unencrypted Authentication (PAP): This is plain text password authentication. When using this type of authentication, the client password is transmitted unencrypted.
· None 4. Select the Required Encryption Level. Access is denied to remote users attempting to connect
that are not using this encryption level. 5. In Local Address enter IP address to assign to the server’s end of the VPN connection 6. In Remote Addresses enter the pool of IP addresses to assign to the incoming client’s VPN
connections (e.g. 192.168.1.10-20). This must be a free IP address or range of addresses from the network that remote users are assigned while connected to the Opengear appliance 7. Enter the desired value of the Maximum Transmission Unit (MTU) for the PPTP interfaces into the MTU field (defaults to 1400) 8. In the DNS Server field, enter the IP address of the DNS server that assigns IP addresses to connecting PPTP clients 9. In the WINS Server field, enter the IP address of the WINS server that assigns IP addresses to connecting PPTP client 10. Enable Verbose Logging to assist in debugging connection problems 11. Click Apply Settings 3.11.2 Add a PPTP user 1. Select Users & Groups on the Serial & Networks menu and complete the fields as covered in section 3.2. 2. Ensure the pptpd group has been checked, to allow access to the PPTP VPN server. Note – users in this group have their passwords stored in clear text. 3. Keep note of the username and password for when you need to connect to the VPN connection 4. Click Apply
63

Chapter 3: Serial Port, Device and User Configuration
3.11.3 Set up a remote PPTP client Ensure the remote VPN client PC has Internet connectivity. To create a VPN connection across the Internet, you must set up two networking connections. One connection is for the ISP, and the other connection is for the VPN tunnel to the Opengear appliance. NOTE This procedure sets up a PPTP client in the Windows Professional operating system. The steps
may vary slightly depending on your network access or if you are using an alternate version of Windows. More detailed instructions are available from the Microsoft web site. 1. Login to your Windows client with administrator privileges 2. From the Network & Sharing Center on the Control Panel select Network Connections and create a new connection
64

User Manual
3. Select Use My Internet Connection (VPN) and enter the IP Address of the Opengear appliance To connect remote VPN clients to the local network, you need to know the username and password for the PPTP account you added, as well as the Internet IP address of the Opengear appliance. If your ISP has not allocated you a static IP address, consider using a dynamic DNS service. Otherwise you must modify the PPTP client configuration each time your Internet IP address changes.
65

Chapter 3: Serial Port, Device and User Configuration

3.12 Call Home
All console servers include the Call Home feature which initiates the setup of a secure SSH tunnel from the console server to a centralized Opengear Lighthouse. The console server registers as a candidate on the Lighthouse. Once accepted there it becomes a Managed Console Server.
Lighthouse monitors the Managed Console Server and administrators can access the remote Managed Console Server through the Lighthouse. This access is available even when the remote console server is behinda third-party firewall or has a private non-routable IP addresses.

NOTE

Lighthouse maintains public key authenticated SSH connections to each of its Managed Console Servers. These connections are used for monitoring, directing and accessing the Managed Console Servers and the managed devices connected to the Managed Console Server.

To manage Local Console Servers, or console servers that are reachable from the Lighthouse, the SSHconnections are initiated by Lighthouse.

To manage Remote Console Servers, or console servers that are firewalled, not routable, or otherwise unreachable from the Lighthouse, the SSH connections are initiated by the Managed ConsoleServer via an initial Call Home connection.

This ensures secure, authenticated communications and enables Managed Console Servers units to be distributed locally on a LAN, or remotely around the world.

3.12.1 Set up Call Home candidate To set up the console server as a Call Home management candidate on the Lighthouse:
1. Select Call Home on the Serial & Network menu

2. If you have not already generated or uploaded an SSH key pair for this console server, do so before proceeding
3. Click Add

4. Enter the IP address or DNS name (e.g. the dynamic DNS address) of the Lighthouse.
5. Enter the Password that you configured on the CMS as the Call Home Password.
66

User Manual
6. Click Apply These steps initiate the Call Home connection from the console server to the Lighthouse. This creates an SSHlistening port on the Lighthouse and sets the console server up as a candidate.
Once the candidate has been accepted on the Lighthouse an SSH tunnel to the console server is redirected backacross the Call Home connection. The console server has become a Managed Console Server and the Lighthouse can connect to and monitor it through this tunnel. 3.12.2 Accept Call Home candidate as Managed Console Server on Lighthouse This section gives an overview on configuring the Lighthouse to monitor console Lighthouse servers that are connected via Call Home. For more details see the Lighthouse User Guide:
1. Enter a new Call Home Password on the Lighthouse. This password is used for accepting
Call Homeconnections from candidate console servers
2. The Lighthouse can be contacted by the console server it must either have a static IP
address or, ifusing DHCP, be configured to use a dynamic DNS service
The Configure > Managed Console Servers screen on the Lighthouse shows the status of
local andremote Managed Console Servers and candidates.
The Managed Console Servers section shows the console servers being monitored by the
Lighthouse.The Detected Console Servers section contains:
o The Local Console Servers drop-down which lists all the console servers which are on the
same subnet as the Lighthouse, and are not being monitored
67

Chapter 3: Serial Port, Device and User Configuration
o The Remote Console Servers drop-down which lists all the console servers that have established a Call Home connection and are not being monitored (i.e. candidates). You can click Refresh to update
To add a console server candidate to the Managed Console Server list, select it from the Remote Console Servers drop-down list and click Add. Enter IP Address and SSH Port (if these fields have not been auto-completed) and enter a Description and unique Name for the Managed Console server you are adding
Enter the Remote Root Password (i.e. System Password that has been set on this Managed Console server). This password is used by the Lighthouse to propagate auto generated SSH keys and isnot stored. Click Apply. The Lighthouse sets up secure SSH connections to and from the Managed Console Server and retrieves its Managed Devices, user account details and configured alerts 3.12.3 Calling Home to a generic central SSH server If you are connecting to a generic SSH server (not Lighthouse) you may configure Advanced settings: · Enter the SSH Server Port and SSH User. · Enter the details for the SSH port forward(s) to create
By selecting Listening Server, you may create a Remote port forward from the Server to this unit, or a Local port forward from this unit to the Server:
68

User Manual
· Specify a Listening Port to forward from, leave this field blank to allocate an unused port · Enter the Target Server and Target Port that will be the recipient of forwarded connections
3.13 IP Passthrough
IP Passthrough is used to make a modem connection (e.g. the internal cellular modem) appear like a regular Ethernet connection to a third-party downstream router, allowing the downstream router to use the modem connection as a primary or backup WAN interface.
The Opengear device provides the modem IP address and DNS details to the downstream device over DHCP and passes network traffic to and from the modem and router.
While IP Passthrough turns an Opengear into a modem-to-Ethernet half bridge, some layer 4 services (HTTP/HTTPS/SSH) may be terminated at the Opengear (Service Intercepts). Also, services running on the Opengear can initiate outbound cellular connections independent of the downstream router.
This allows the Opengear to continue to be used for out-of-band management and alerting and also be managed via Lighthouse, while in IP Passthrough mode.
3.13.1 Downstream Router Setup To use failover connectivity on the downstream router (aka Failover to Cellular or F2C), it must have two or more WAN interfaces.
NOTE Failover in IP Passthrough context is performed by the downstream router, and the built-in out-ofband failover logic on the Opengear is not available while in IP Passthrough mode.
Connect an Ethernet WAN interface on the downstream router to the Opengear’s Network Interface or Management LAN port with an Ethernet cable.
Configure this interface on the downstream router to receive its network settings via DHCP. If failover is required, configure the downstream router for failover between its primary interface and the Ethernet port connected to the Opengear.
3.13.2 IP Passthrough Pre-Configuration Prerequisite steps to enable IP Passthrough are:
1. Configure the Network Interface and where applicable Management LAN interfaces with static network settings. · Click Serial & Network > IP. · For Network Interface and where applicable Management LAN, select Static for the Configuration Method and enter the network settings (see the section entitled Network Configuration for detailed instructions). · For the interface connected to the downstream router, you may choose any dedicated private network ­ this network only exists between the Opengear and downstream router and is not normally accessible. · For the other interface, configure it as you would per normal on the local network. · For both interfaces, leave Gateway blank.
2. Configure the modem in Always On Out-of-band mode.
69

Chapter 3: Serial Port, Device and User Configuration
· For a cellular connection, click System > Dial: Internal Cellular Modem. · Select Enable Dial-Out and enter carrier details such as APN (see section Cellular Modem
Connection for detailed instructions). 3.13.3 IP Passthrough Configuration To configure IP Passthrough:
· Click Serial & Network > IP Passthrough and check Enable. · Select the Opengear Modem to use for upstream connectivity. · Optionally, enter the MAC Address of downstream router’s connected interface. If MAC address is
not specified, the Opengear will passthrough to the first downstream device requesting a DHCP address. · Select the Opengear Ethernet Interface to use for connectivity to the downstream router.
· Click Apply. 3.13.4 Service Intercepts These allow the Opengear to continue to provide services, for example, for out-of-band management when in IP Passthrough mode. Connections to the modem address on the specified intercept port(s) are handled by the Opengear rather than passed through to the downstream router.
· For the required service of HTTP, HTTPS or SSH, check Enable · Optionally modify the Intercept Port to an alternate port (e.g. 8443 for HTTPS), this is useful if you
want to continue to allow the downstream router to remain accessible via its regular port. 3.13.5 IP Passthrough Status Refresh the page to view the Status section. It displays the modem’s External IP Address being passed through, the Internal MAC Address of the downstream router (only populated when the downstream router accepts the DHCP lease), and the overall running status of the IP Passthrough service. You may be alerted to the failover status of the downstream router by configuring a Routed Data Usage Check under Alerts & Logging > Auto-Response. 3.13.6 Caveats Some downstream routers may be incompatible with the gateway route. This can happen when IP Passthrough is bridging a 3G cellular network where the gateway address is a point-to-point destination address and no subnet information is available. The Opengear sends a DHCP netmask of 255.255.255.255. Devices normally construe this as a single host route on the interface, but some older downstream devices may have issues.
70

User Manual
Intercepts for local services will not work if the Opengear is using a default route other than the modem. Also, they will not work unless the service is enabled and access to the service is enabled (see System > Services, under the Service Access tab find Dialout/Cellular).
Outbound connections originating from Opengear to remote services are supported (e.g. sending SMTP email alerts, SNMP traps, getting NTP time, IPSec tunnels). There is a small risk of connection failure should both the Opengear and the downstream device try to access the same UDP or TCP port on the same remote host at the same time when they have randomly chosen the same originating local port number.
3.14 Configuration over DHCP (ZTP)
Opengear devices can be provisioned during their initial boot from a DHCPv4 or DHCPv6 server using config-over-DHCP. Provisioning on untrusted networks can be facilitated by providing keys on a USB flash drive. The ZTP functionality can also be used to perform a firmware upgrade on initial connection to the network, or to enroll into a Lighthouse 5 instance.
Preparation The typical steps for configuration over a trusted network are:
1. Configure a same-model Opengear device. 2. Save its configuration as an Opengear backup (.opg) file. 3. Select System > Configuration Backup > Remote Backup. 4. Click Save Backup. A backup configuration file — model-name_iso- format-date_config.opg — is downloaded from the Opengear device to the local system. You can save the configuration as an xml file: 1. Select System > Configuration Backup > XML Configuration. An editable field containing the
configuration file in XML format appears. 2. Click into the field to make it active. 3. If you are running any browser on Windows or Linux, right-click and choose Select All from the
contextual menu or press Control-A. Right-click and choose Copy from the contextual menu or press Control-C. 4. If you are using any browser on macOS, choose Edit > Select All or press Command-A. Choose Edit > Copy or press Command-C. 5. In your preferred text-editor, create a new empty document, paste the copied data into the empty document and save the file. Whatever file-name you choose, it must include the .xml filename suffix. 6. Copy the saved .opg or .xml file to a public-facing directory on a file server serving at least one of the following protocols: HTTPS, HTTP, FTP or TFTP. (Only HTTPS can be used if the connection between the file server and a to-be-configured Opengear device travels over an untrusted network.). 7. Configure your DHCP server to include a `vendor specific’ option for Opengear devices. (This will be done in a DHCP server-specific way.) The vendor specific option should be set to a string containing the URL of the published .opg or .xml file in the step above. The option string must not exceed 250 characters and it must end in either .opg or .xml.
71

Chapter 3: Serial Port, Device and User Configuration
8. Connect a new Opengear device, either factory-reset or Config-Erased, to the network and apply power. It may take up to 5 minutes for the device to reboot itself.
Example ISC DHCP (dhcpd) server configuration
The following is an example DHCP server configuration fragment for serving an .opg configuration image via the ISC DHCP server, dhcpd:
option space opengear code width 1 length width 1; option opengear.config-url code 1 = text; class “opengear-config-over-dhcp-test” {
match if option vendor-class-identifier ~~ “^Opengear/”; vendor-option-space opengear; option opengear.config-url “https://example.com/opg/${class}.opg”; }
This setup can be modified to upgrade the configuration image using the opengear.image-url option, and providing a URI to the firmware image.
Setup when the LAN is untrusted If the connection between the file server and a to-be-configured Opengear device includes an untrusted network, a two-handed approach can mitigate the issue.
NOTE This approach introduces two physical steps where trust can be difficult, if not impossible, to establish completely. First, the custody chain from the creation of the data-carrying USB flash drive to its deployment. Second, the hands connecting the USB flash drive to the Opengear device.
· Generate an X.509 certificate for the Opengear device.
· Concatenate the certificate and its private key into a single file named client.pem.
· Copy client.pem onto a USB flash drive.
· Set up an HTTPS server such that access to the .opg or .xml file is restricted to clients that can provide the X.509 client certificate generated above.
· Put a copy of the CA cert that signed the HTTP server’s certificate — ca- bundle.crt — onto the USB flash drive bearing client.pem.
· Insert the USB flash drive into the Opengear device before attaching power or network.
· Continue the procedure from `Copy the saved .opg or .xml file to a public- facing directory on a file server’ above using the HTTPS protocol between the client and server.
Prepare a USB drive and create the X.509 certificate and private key
· Generate the CA certificate so the client and server Certificate Signing Requests (CSRs) can be signed.

cp /etc/ssl/openssl.cnf . # mkdir -p exampleCA/newcerts # echo 00 >

exampleCA/serial # echo 00 > exampleCA/crlnumber # touch exampleCA/index.txt # openssl genrsa -out ca.key 8192 # openssl req -new -x509 -days 3650 -key ca.key -out demoCA/cacert.pem
-subj /CN=ExampleCA # cp demoCA/cacert.pem ca-bundle.crt
This procedure generates a certificate called ExampleCA but any allowed certificate name can be used. Also, this procedure uses openssl ca. If your organization has an enterprise-wide, secure CA generation process, that should be used instead.
72

User Manual
· Generate the server certificate.

openssl genrsa -out server.key 4096 # openssl req -new -key server.key -out

server.csr -subj /CN=demo.example.com # openssl ca -days 365 -in server.csr -out server.crt
-keyfile ca.key -policy policy_anything -batch -notext
NOTE The hostname or IP address must be the same string used in the serving URL. In the example above, the hostname is demo.example.com.
· Generate the client certificate.

openssl genrsa -out client.key 4096 # openssl req -new -key client.key -out

client.csr -subj /CN=ExampleClient # openssl ca -days 365 -in client.csr -out client.crt
-keyfile ca.key -policy policy_anything -batch -notext # cat client.key client.crt > client.pem
· Format a USB flash drive as a single FAT32 volume.
· Move the client.pem and ca-bundle.crt files onto the flash drive’s root directory.
Debugging ZTP issues Use the ZTP log feature to debug ZTP issues. While the device is attempting to perform ZTP operations, log information is written to /tmp/ztp.log on the device.
The following is an example of the log file from a successful ZTP run.

cat /tmp/ztp.log Wed Dec 13 22:22:17 UTC 2017 [5127 notice] odhcp6c.eth0:

restoring config via DHCP Wed Dec 13 22:22:17 UTC 2017 [5127 notice] odhcp6c.eth0: waiting 10s for network to settle Wed Dec 13 22:22:27 UTC 2017 [5127 notice] odhcp6c.eth0: NTP skipped: no server Wed Dec 13 22:22:27 UTC 2017 [5127 info] odhcp6c.eth0: vendorspec.1 = ‘http://[fd07:2218:1350:44::1]/tftpboot/config.sh’ Wed Dec 13 22:22:27 UTC 2017 [5127 info] odhcp6c.eth0: vendorspec.2 (n/a) Wed Dec 13 22:22:27 UTC 2017 [5127 info] odhcp6c.eth0: vendorspec.3 (n/a) Wed Dec 13 22:22:27 UTC 2017 [5127 info] odhcp6c.eth0: vendorspec.4 (n/a) Wed Dec 13 22:22:27 UTC 2017 [5127 info] odhcp6c.eth0: vendorspec.5 (n/a) Wed Dec 13 22:22:28 UTC 2017 [5127 info] odhcp6c.eth0: vendorspec.6 (n/a) Wed Dec 13 22:22:28 UTC 2017 [5127 info] odhcp6c.eth0: no firmware to download (vendorspec.2) backup-url: trying http://[fd07:2218:1350:44::1]/tftpboot/config.sh … backup-url: forcing wan config mode to DHCP backup-url: setting hostname to acm7004-0013c601ce97 backup-url: load succeeded Wed Dec 13 22:22:36 UTC 2017 [5127 notice] odhcp6c.eth0: successful config load Wed Dec 13 22:22:36 UTC 2017 [5127 info] odhcp6c.eth0: no lighthouse configuration (vendorspec.3/4/5/6) Wed Dec 13 22:22:36 UTC 2017 [5127 notice] odhcp6c.eth0: provisioning completed, not rebooting
Errors are recorded in this log.
3.15 Enrollment into Lighthouse
Use Enrollment into Lighthouse to enroll Opengear devices into a Lighthouse instance, providing centralized access to console ports, and allowing central configuration of the Opengear devices.
See the Lighthouse User Guide for instructions for enrolling Opengear devices into Lighthouse.
73

Chapter 3: Serial Port, Device and User Configuration
3.16 Enable DHCPv4 Relay
A DHCP relay service forwards the DHCP packets between clients and remote DHCP servers. DHCP relay service can be enabled on an Opengear console server, so that its listens for DHCP clients on designated lower interfaces, wraps and forwards their messages up to DHCP servers using either normal routing, or broadcast directly onto designated upper interfaces. The DHCP relay agent thus receives DHCP messages and generates a new DHCP message to send out on another interface. In the steps below, the console servers can connect to circuit-ids, Ethernet or cell modems using DHCPv4 Relay service.
DHCPv4 Relay + DHCP Option 82 (circuit-id) Infrastructure – Local DHCP server, ACM7004-5 for relay, any other devices for clients. Any device with LAN role can be used as a relay. In this example, the 192.168.79.242 is the address for the client’s relayed interface (as defined in the DHCP server configuration file above) and the 192.168.79.244 is the relay box’s upper interface address, and enp112s0 is the downstream interface of the DHCP server.
1 Infrastructure – DHCPv4 Relay + DHCP Option 82 (circuit-id)
Steps on the DHCP Server 1. Setup local DHCP v4 server, in particular, it should contain a “host” entry as below for the DHCP client: host cm7116-2-dac { # hardware ethernet 00:13:C6:02:7E:41; host-identifier option agent.circuit- id “relay1”; fixed-address 192.168.79.242; } Note: the “hardware ethernet” line is commented off, so that the DHCP server will make use of the “circuit- id” setting to assign an address for relevant client. 2. Re-start DHCP Server to reload its changed configuration file. pkill -HUP dhcpd
74

User Manual
3. Manually add a host route to the client “relayed” interface (the interface behind the DHCP relay, not other interfaces the client may also have:
sudo ip route add 192.168.79.242/32 via 192.168.79.244 dev enp112s0 This will help avoid the asymmetric routing issue when the client and DHCP server would like to access each other via the client’s relayed interface, when the client has other interfaces in the same subnet of the DHCP address pool.
Note: This step is a must-have to support the dhcp server and client able to access each other.
Steps on the Relay box – ACM7004-5
1. Setup WAN/eth0 in either static or dhcp mode (not unconfigured mode). If in static mode, it must have an IP address within the address pool of the DHCP server.
2. Apply this config through CLI (where 192.168.79.1 is DHCP server address)
config -s config.services.dhcprelay.enabled=on config -s config.services.dhcprelay.lowers.lower1.circuit_id=relay1 config -s config.services.dhcprelay.lowers.lower1.role=lan config -s config.services.dhcprelay.lowers.total=1 config -s config.services.dhcprelay.servers.server1=192.168.79.1 config -s config.services.dhcprelay.servers.total=1 config -s config.services.dhcprelay.uppers.upper1.role=wan config -s config.services.dhcprelay.uppers.total=1
3. The lower interface of the DHCP relay must have a static IP address within the address pool of the DHCP server. In this example, giaddr = 192.168.79.245
config -s config.interfaces.lan.address=192.168.79.245 config -s config.interfaces.lan.mode=static config -s config.interfaces.lan.netmask=255.255.255.0 config -d config.interfaces.lan.disabled -r ipconfig
4. Wait a short while for the client to acquire a DHCP lease via the relay.
Steps on the Client (CM7116-2-dac in this example or any other OG CS)
1. Plug in the client’s LAN/eth1 to the relay’s LAN/eth1 2. Configure the client’s LAN to get IP address via DHCP as per usual 3. Once the clie

References

• accounts.myco.intranet.com
• Action.sh
• Opengear FTP
• Business VPN For Secure Networking | OpenVPN
• RSA Key Management | OpenVPN
• How To Guide: Set Up & Configure OpenVPN Client/server VPN | OpenVPN
• test.sh
• Releases
• Homepage - GroundWork
• Service Name and Transport Protocol Port Number Registry
• Nagios Open Source | Nagios Open Source
• Documentation | Nagios Open Source
• Network UPS Tools - Documentation
• Secure Remote Access and IT Infrastructure Management
• Secure Remote Access and IT Infrastructure Management
• Secure Remote Access and IT Infrastructure Management
• Business VPN For Secure Networking | OpenVPN
• PADL Software dba Lukktone · GitHub
• rsyslog - The rocket-fast system for log processing
• Linux Tutorial - Using PPP and Linux
• Opengear FTP
• Product Selector - Opengear
• ISC DHCP - ISC

Read User Manual Online (PDF format)

Download This Manual (PDF format)

Download this manual  >>