RuggedRouter™ User Guide
With route based VPNs:
∙Openswan generates an IPSEC interface for each VPN tunnel,
∙As the tunnel is brought up, a route to the subnet at the other end of the tunnel is created through that interface,
∙Any traffic destined for the tunnel's remote subnet is forwarded to the IPSEC interface, where it is encoded and transmitted,
∙The firewall is configured with a vpn zone (zone type IPV4) and the IPSEC interface is included in that zone,
∙As IPsec packets are received, Openswan decodes them and directs the decoded packets to the IPSEC interface,
∙Firewalling can be performed by simply accepting all traffic to and from the zone containing the IPSEC interfaces,
∙It is possible to use a tunnel to provide the default route by making the subnet at the other end of the tunnel 0.0.0.0/0.
With policy based VPNs:
∙Openswan does not generate IPSEC interfaces,
∙The routing table is not involved in deciding which packets go to the IPsec layer,
∙Only traffic matching the tunnel's local and remote subnets is forwarded to it. Normal traffic is routed by one set of rules and VPN traffic is routed by a different set of rules,
∙The firewall is configured with a vpn zone of zone type IPSEC,
∙As IPsec packets are received, Openswan decodes them, the policy flags them as IPSEC encoded, and they are presented as arriving on the same interface on which they originally arrived,
∙Firewall rules must be written to allow traffic to and from tunnels based upon the normal form of source/destination IP addresses, IP protocol and port numbers. These rules, by virtue of the zones they match, use the policy flagging inserted by netkey and route the traffic to the proper interface.
Route based VPNs are the default. This type of VPN is recommended as it is simpler to configure.
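A worked example of the two firewall zone layouts described above, added here and not taken from the guide: it assumes the router's firewall uses Shorewall-style zones, interfaces, hosts, policy and rules files (the guide's "zone type IPV4/IPSEC" wording matches Shorewall's zone types), a constructed remote subnet 192.168.2.0/24, and a tunnel interface named ipsec0.

```conf
########## Route based VPN: the tunnel is an interface in an IPV4 zone ##########
# /etc/shorewall/zones
#ZONE   TYPE
fw      firewall
vpn     ipv4        # ordinary IPv4 zone holding the IPSEC interface
net     ipv4
loc     ipv4

# /etc/shorewall/interfaces
#ZONE   INTERFACE
net     eth0
loc     eth1
vpn     ipsec0      # interface Openswan creates when the tunnel comes up

# /etc/shorewall/policy -- accept everything to and from the tunnel zone,
# as the guide describes; first matching line wins, so these come before DROP
#SOURCE DEST    POLICY
vpn     all     ACCEPT
all     vpn     ACCEPT
net     all     DROP

# /etc/shorewall/rules -- the encrypted packets themselves still arrive on eth0
# from the net zone, so IKE and ESP must reach the firewall itself
#ACTION SOURCE  DEST    PROTO   DEST PORT(S)
ACCEPT  net     $FW     udp     500,4500
ACCEPT  net     $FW     50                  # ESP (IP protocol 50)

########## Policy based VPN: no ipsec0; the zone is an IPSEC-type zone ##########
# /etc/shorewall/zones -- vpn listed before net so that decrypted packets
# (policy-flagged by netkey, arriving on eth0) match vpn rather than net
#ZONE   TYPE
fw      firewall
vpn     ipsec       # matches only packets that passed through an IPsec policy
net     ipv4
loc     ipv4

# /etc/shorewall/hosts -- the zone is the remote subnet behind eth0
#ZONE   HOST(S)
vpn     eth0:192.168.2.0/24

# /etc/shorewall/rules -- written in terms of plain addresses/ports, as the
# guide requires; the zone match supplies the "came through IPsec" condition
#ACTION SOURCE              DEST                    PROTO   DEST PORT(S)
ACCEPT  vpn:192.168.2.0/24  loc:192.168.1.0/24      tcp     502
ACCEPT  loc:192.168.1.0/24  vpn:192.168.2.0/24      tcp     502
```

The tcp/502 (Modbus) lines are only illustrative; substitute whatever the tunnel actually carries.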
Supported Encryption Protocols
Openswan supports the following standard encryption protocols:
∙3DES (Triple DES) – Uses three DES encryptions on a single data block, with at least two different keys, to get higher security than is available from a single DES pass. 3DES is the most CPU intensive cipher.
∙AES – The Advanced Encryption Standard protocol cipher uses a
Public Key And Pre-shared Keys
In public key cryptography, keys are created in matched pairs (called public and private keys). The public key is made public while the private key is kept secret. Messages can then be sent by anyone who knows the public key to the holder of the private key. Only the owner of the private key can decrypt the message.