RuggedRouter User Guide
With route based VPNs:
- Openswan generates an IPSEC interface for each VPN tunnel.
- As the tunnel is brought up, a route for the subnet at the other end of the tunnel is created through that interface.
- Any traffic destined for the tunnel's remote subnet is forwarded to the IPSEC interface, where it is encoded and transmitted.
- The firewall is configured with a vpn zone (zone type IPV4); the IPSEC interface is included in the zone.
- As IPsec packets are received, Openswan decodes them and directs the decoded packet to the IPSEC interface.
- Firewalling can be performed by simply accepting all traffic to and from the zone containing the IPSEC interfaces.
It is possible to use a tunnel to provide the default route by making the subnet
at the other end of the tunnel be 0.0.0.0/0.
With policy based VPNs:
- Openswan will not generate IPSEC interfaces.
- The routing table is not involved in deciding which packets should go to the IPsec layer.
- Only traffic matching the tunnel's local and remote subnets is forwarded to it. Normal traffic is routed by one set of rules and VPN traffic is routed based on different rules.
- The firewall is configured with a vpn zone of zone type IPSEC.
- As IPsec packets are received, Openswan decodes them; policy flags them as IPSEC encoded and presents them as arriving on the same interface they originally arrived at.
Firewall rules must be written to allow traffic to and from tunnels based upon
the normal form of source/destination IP addresses and IP protocol and
port numbers. These rules, by virtue of the zones they match, use the policy
flagging inserted by netkey and route the traffic to the proper interface.
Route based VPNs are the default. This type of VPN is recommended as it is simpler
to configure.
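The difference between the two selection models described above, as an added illustration that is not part of the guide: route based selection is a destination-only route lookup on the tunnel's remote subnet (including a 0.0.0.0/0 default-route tunnel), while policy based selection requires both the source and the destination to match the tunnel's local and remote subnets. The tunnel names and addresses are constructed assumptions.

```python
import ipaddress
from typing import Optional

# Constructed sample tunnels; the addresses are assumptions, not values from the guide.
# The second tunnel uses 0.0.0.0/0 as its remote subnet to provide the default route.
TUNNELS = [
    {"name": "site_b", "local": "192.168.1.0/24", "remote": "10.10.0.0/16"},
    {"name": "default", "local": "192.168.1.0/24", "remote": "0.0.0.0/0"},
]


def route_based_select(dst: str) -> Optional[str]:
    """Route based VPN: every tunnel adds a route to its remote subnet through its
    IPsec interface, so forwarding is a longest-prefix lookup on the destination.
    The source address is not consulted; the vpn zone in the firewall handles that."""
    dst_ip = ipaddress.ip_address(dst)
    best_name, best_len = None, -1
    for t in TUNNELS:
        net = ipaddress.ip_network(t["remote"])
        if dst_ip in net and net.prefixlen > best_len:
            best_name, best_len = t["name"], net.prefixlen
    return best_name


def policy_based_select(src: str, dst: str) -> Optional[str]:
    """Policy based VPN: the routing table is not involved. A packet reaches the
    IPsec layer only if its source is inside the tunnel's local subnet AND its
    destination is inside the remote subnet; the most specific policy wins."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    best_name, best_len = None, -1
    for t in TUNNELS:
        local = ipaddress.ip_network(t["local"])
        remote = ipaddress.ip_network(t["remote"])
        if src_ip in local and dst_ip in remote:
            specificity = local.prefixlen + remote.prefixlen
            if specificity > best_len:
                best_name, best_len = t["name"], specificity
    return best_name


if __name__ == "__main__":
    # A host outside the local subnet reaching the remote subnet: tunnelled when
    # route based (destination match only), left to normal routing when policy based.
    print(route_based_select("10.10.1.1"), policy_based_select("172.16.0.5", "10.10.1.1"))
    # Internet-bound traffic from the local subnet follows the 0.0.0.0/0 tunnel in both models.
    print(route_based_select("8.8.8.8"), policy_based_select("192.168.1.10", "8.8.8.8"))
```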
Supported Encryption Protocols
Openswan supports the following standard encryption protocols:
3DES (Triple DES) – Uses three DES encryptions on a single data block,
with at least two different keys, to get higher security than is available
from a single DES pass. 3DES is the most CPU intensive cipher.
AES – The Advanced Encryption Standard protocol cipher uses a 128-bit
block and 128, 192 or 256-bit keys. This is the most secure protocol in
use today, and is much preferred to 3DES due to its efficiency.
Public Key And Pre-shared Keys
In public key cryptography, keys are created in matched pairs (called public and
private keys). The public key is made public while the private key is kept secret.
Messages can then be sent by anyone who knows the public key to the holder of the
private key. Only the owner of the private key can decrypt the message.
124 RuggedCom