RuggedCom RX1100 ユーザーズマニュアル
RuggedRouter
User Guide
With route based VPNs:
•
Openswan generates an IPSEC interface for each VPN tunnel,
•
As the tunnel is brought up a route for the subnet at the other end of the
tunnel is created through that interface,
•
Any traffic destined for tunnel's remote subnet is forwarded to the IPSEC
interface and encoded and transmitted,
•
The firewall is configured with a vpn zone (zone type IPV4), the IPSEC
interface is included in the zone,
•
As IPsec packets are received, openswan decodes them and directs the
decoded packet to the IPSEC interface,
•
Firewalling can be performed by simply accepting all traffic to and from
the zone containing the IPSEC interfaces,
•
It is possible to use a tunnel to provide the default route by making the subnet
at the other end of the tunnel be 0.0.0.0/0.
at the other end of the tunnel be 0.0.0.0/0.
With policy based VPNs:
•
Openswan will not generate IPSEC interfaces,
•
The routing table is not involved in deciding which packets should go to
the ipsec layer,
•
Only traffic matching the tunnel's local and remote subnets are
forwarded to it. Normal traffic is routed by one set of rules and VPN
traffic is routed based on different rules,
traffic is routed based on different rules,
•
The firewall is configured with a vpn zone of zone type IPSEC,
•
As IPsec packets are received, openswan decodes them, policy flags
them as IPSEC encoded and presents them as arriving on the same
interface they originally arrived at.
interface they originally arrived at.
•
Firewall rules must be written to allow traffic to and from tunnels based upon
the the normal form of source/destination IP addresses and IP protocol and
port numbers. These, by virtue of the zones they match, use the policy
flagging inserted by netkey and routes them to the proper interface.
the the normal form of source/destination IP addresses and IP protocol and
port numbers. These, by virtue of the zones they match, use the policy
flagging inserted by netkey and routes them to the proper interface.
Route based VPNs are the default. This type of VPN is recommended as it is simpler
to configure.
to configure.
Supported Encryption Protocols
Openswan supports the following standard encryption protocols:
•
3DES (Triple DES) – Uses three DES encryptions on a single data block,
with at least two different keys, to get higher security than is available
from a single DES pass. 3DES is the most CPU intensive cipher.
from a single DES pass. 3DES is the most CPU intensive cipher.
•
AES – The Advanced Encryption Standard protocol cipher uses a 128-bit
block and 128, 192 or 256-bit keys. This is the most secure protocol in
use today, and is much preferred to 3DES due to its efficiency.
use today, and is much preferred to 3DES due to its efficiency.
Public Key And Pre-shared Keys
In public key cryptography, keys are created in matched pairs (called public and
private keys). The public key is made public while the private key is kept secret.
Messages can then be sent by anyone who knows the public key to the holder of the
private key. Only the owner of the private key can decrypt the message.
private keys). The public key is made public while the private key is kept secret.
Messages can then be sent by anyone who knows the public key to the holder of the
private key. Only the owner of the private key can decrypt the message.
124 RuggedCom