General On Demand IPSec Setup - adelyte/crescendo-cloud-driver GitHub Wiki

The recommended method to connect Crestron processors to the Crescendo Cloud (CC) servers is to set up on-demand IPSec VPN connections.

At a high level, this involves the following:

Setup

  1. Router is set up to connect to the CC server's VPN
     • The client must request credentials from Crescendo Cloud to use the VPN functionality.
       • This is currently a manual process, but will ultimately be automated.
  2. Router is set up to allow requests for VPN connections
     • This can be done through port knocking (e.g. knockd).
     • There may be other solutions if port knocking is not available.
  3. Router has rules configured to redirect all traffic from the external CC server IP to the VPN CC server IP
     • These can be set up to be enabled only after a successful port knock, so that connections to the CC servers are maintained if the VPN connection fails to connect, or if the Crestron processor's request to the router fails for any reason.

Runtime

  1. Crestron processor notifies the router that it would like a VPN connection
  2. Router successfully connects to VPN
  3. Router enables traffic redirecting
  4. Router notifies the Crestron processor that the VPN connection is set up
     • This may not be necessary, as the traffic is being redirected at the router level. The processor may just notice a blip in traffic.
  5. Crestron processor disconnects from processor
  6. Router disables traffic redirecting
  7. Router closes VPN connection
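The following is an added example of the router-side helper that the Setup and Runtime sections describe; it is not code from the crescendo-cloud-driver project. It assumes a Linux router with iptables, a strongSwan connection named `cc-tunnel` whose `ipsec up` exits non-zero when the tunnel fails, and that knockd's `command =` for the open sequence calls the script with `up` and the close sequence with `down`; all addresses are placeholders.

```shell
#!/bin/sh
# Hypothetical knockd-triggered helper (example, not project code).
# Assumes strongSwan ("ipsec up/down") and iptables; IPs are placeholders.
set -u

PROCESSOR_IP="${PROCESSOR_IP:-192.0.2.10}"   # Crestron processor on the LAN (placeholder)
CC_PUBLIC_IP="${CC_PUBLIC_IP:-203.0.113.5}"  # CC server's external IP (placeholder)
CC_VPN_IP="${CC_VPN_IP:-10.200.0.5}"         # CC server's IP inside the tunnel (placeholder)
CONN_NAME="${CONN_NAME:-cc-tunnel}"          # strongSwan connection name (assumed)
DRY_RUN="${DRY_RUN:-0}"                      # 1 = print the commands instead of running them

# Run a command, or print it verbatim when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = "1" ]; then echo "$*"; else "$@"; fi
}

# Redirect rule: rewrite the processor's traffic for the external CC IP to the
# in-tunnel CC IP. DNAT in PREROUTING happens before the IPsec policy lookup,
# so the rewritten packet is what gets matched against the tunnel's selectors.
# $1 is -A (add) or -D (delete).
redirect() {
    run iptables -t nat "$1" PREROUTING -s "$PROCESSOR_IP" -d "$CC_PUBLIC_IP" \
        -j DNAT --to-destination "$CC_VPN_IP"
}

# Runtime steps 2-3: bring the tunnel up and enable the redirect only once the
# tunnel is really up, so a failed connect leaves the processor talking to CC directly.
vpn_up() {
    if run ipsec up "$CONN_NAME"; then
        redirect -A
    else
        echo "VPN connect failed; leaving direct path to $CC_PUBLIC_IP in place" >&2
        return 1
    fi
}

# Runtime steps 6-7: remove the redirect first, then close the tunnel, so no
# packet is ever rewritten toward a tunnel that is already gone.
vpn_down() {
    redirect -D
    run ipsec down "$CONN_NAME"
}

case "${1:-}" in
    up)   vpn_up ;;
    down) vpn_down ;;
esac
```

Run it by hand with `DRY_RUN=1 ./cc-vpn.sh up` to see the exact iptables and ipsec commands before wiring it into knockd.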