RuggedCom RX1100, RX1000 manual

Chapter 12 – Configuring An IPsec VPN

The At IPsec startup field determines what happens to the connection after Openswan starts and includes the options “Ignore”, “Add connection”, “Start Connection”, “Route” and “Default”. A value of “Ignore” will cause the connection to be ignored. A value of “Add connection” will cause the connection to be established when explicitly started (via command line or the IPsec VPN Configuration menu “Start Connection” button). If “Start connection” is chosen then the connection will be authorized when Openswan is started, but not activated until an incoming request arrives. A value of “Route” will cause a route (and only the route) for packets to be established, discarding packets sent there, which may be preferable to having them sent elsewhere based on a more general route (e.g., a default route).

The Authenticate by fields select the authentication method. If “Default” is selected the value in the “Defaults for all connections” record is used. If “rsasig” or “secret rsasig” is selected then the System's public key of each of the Left System's Settings and Right System's Settings sections must include an RSA signature string or an X. 509 certificate must be in use. If “secret” is selected then the Preshared key menu must contain a key indexed by the Public IPs of the Left and Right systems.

The Encryption Protocols fields select the encryption protocol used. If “Default” is selected the value in the “Defaults for all connections” record is used. If “allow only” is selected, the protocols in “aes256”, “aes192”, “aes128” and “3des”, are included in a list. At connection time the two peers will compare their capabilities and select the strongest common protocol (largest aes over smaller aes and aes over 3des).

The Compress data? fields will select whether data should be compressed. If “Default” is selected the value in the “Defaults for all connections” record is used.

The Perfect Forward Secrecy fields will enable PFS, causing keys to be exchanged in a manner which provides attackers that have compromised a key with no advantage in decoding previously intercepted packets or with subsequent packets. Not all clients support PFS.