RuggedRouter® User Guide
Policy Vs Route Based VPNs
The RuggedRouter supports two main modes of VPN: policy based and route based.
With route based VPNs:
• Openswan generates an IPsec interface for each VPN tunnel,
• As the tunnel is brought up, a route to the subnet at the other end of the
tunnel is created through that interface,
• Any traffic destined for the tunnel's remote subnet is forwarded to the IPsec
interface, where it is encrypted and transmitted,
• The firewall is configured with a vpn zone (zone type IPV4), and the IPsec
interface is included in that zone,
• As IPsec packets are received, Openswan decrypts them and presents the
decrypted packet as arriving on the IPsec interface,
• Firewalling can be performed by simply accepting all traffic to and from
the zone containing the IPsec interfaces,
• A tunnel can provide the default route: set the subnet at the other end of
the tunnel to 0.0.0.0/0.
With policy based VPNs:
• Openswan does not generate IPsec interfaces,
• The routing table is not involved in deciding which packets go to the
IPsec layer,
• Only traffic matching both the tunnel's local and remote subnets is forwarded
to it. Normal traffic is routed by one set of rules, and VPN traffic is
selected by a different set (the IPsec security policies),
• The firewall is configured with a vpn zone of zone type IPSEC,
• As IPsec packets are received, Openswan decrypts them; the policy engine
flags them as IPsec-protected and presents them as arriving on the same
interface the encrypted packet originally arrived on,
• Firewall rules must be written to allow traffic to and from the tunnels based
upon the normal source/destination IP addresses, IP protocol and port numbers.
The zones these rules match rely on the policy flag inserted by NETKEY to tell
tunnel traffic from ordinary traffic on the same interface.
Route based VPNs are the default. This type of VPN is recommended as it is simpler
to configure.
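The following is an added example, not configuration from the RuggedRouter guide or from RuggedCom. It shows the two firewall zone layouts side by side, assuming the firewall is Shorewall (the IPV4/IPSEC zone types named above are Shorewall's), that the route based mode is Openswan with KLIPS (which creates the ipsec0 interface), that eth0 is the WAN port and eth1 the LAN port, and that the tunnel is defined by hand in ipsec.conf. All addresses are made up: local LAN 10.1.0.0/24, remote LAN 10.2.0.0/24, local address 192.0.2.10, peer 198.51.100.5.

```text
# ===== Route based: the tunnel is an interface (ipsec0), so the zone is
# ===== built from that interface and membership is decided by routing.

# /etc/shorewall/zones
#ZONE   TYPE
fw      firewall
loc     ipv4
net     ipv4
vpn     ipv4            # ordinary zone; members come from the interface

# /etc/shorewall/interfaces
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect
loc     eth1        detect
vpn     ipsec0                  # virtual interface created by Openswan/KLIPS

# /etc/shorewall/policy
#SOURCE DEST    POLICY
loc     vpn     ACCEPT          # everything in and out of the tunnel is trusted
vpn     loc     ACCEPT
net     all     DROP
all     all     REJECT

# /etc/shorewall/rules (IKE and ESP still have to reach the router itself)
#ACTION SOURCE  DEST    PROTO   DEST PORT(S)
ACCEPT  net     fw      udp     500,4500
ACCEPT  net     fw      50

# /etc/ipsec.conf excerpt: rightsubnet=0.0.0.0/0 makes the tunnel the default route
config setup
    protostack=klips
    interfaces="ipsec0=eth0"
conn hq
    left=192.0.2.10
    leftsubnet=10.1.0.0/24
    right=198.51.100.5
    rightsubnet=0.0.0.0/0
    authby=secret
    auto=start

# ===== Policy based: no ipsec0. Decrypted packets appear on eth0, so the
# ===== zone is built from the IPsec policy match instead of an interface.

# /etc/shorewall/zones
#ZONE   TYPE
fw      firewall
vpn     ipsec           # listed ahead of net, with which it shares eth0
loc     ipv4
net     ipv4

# /etc/shorewall/interfaces
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect
loc     eth1        detect

# /etc/shorewall/hosts: only policy-matched traffic from 10.2.0.0/24 on eth0 is "vpn"
#ZONE   HOST(S)
vpn     eth0:10.2.0.0/24

# /etc/shorewall/rules: written per address, protocol and port, as the guide says
#ACTION SOURCE          DEST            PROTO   DEST PORT(S)
ACCEPT  net             fw              udp     500,4500
ACCEPT  net             fw              50
ACCEPT  loc:10.1.0.0/24 vpn:10.2.0.0/24 tcp     22,443
ACCEPT  vpn:10.2.0.0/24 loc:10.1.0.0/24 tcp     22,443

# /etc/ipsec.conf excerpt
config setup
    protostack=netkey
conn hq
    left=192.0.2.10
    leftsubnet=10.1.0.0/24
    right=198.51.100.5
    rightsubnet=10.2.0.0/24
    authby=secret
    auto=start
```

The difference shows up in what counts as tunnel traffic and therefore in what to check. In the route based layout the decision is the routing table, so `ip route` should show 10.2.0.0/24 (or the default route) via ipsec0, and `shorewall show zones` should list ipsec0 under vpn. In the policy based layout the decision is the security policy database, visible with `ip xfrm policy`: a packet is protected only if its source falls in 10.1.0.0/24 and its destination in 10.2.0.0/24; anything else addressed to 10.2.0.0/24, for example a probe sent from the router's own eth0 address, takes the normal route and leaves in the clear, which is the caveat to keep in mind before trusting a policy based zone.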
Supported Encryption Protocols
Openswan supports the following standard encryption ciphers:
• 3DES (Triple DES) – Applies three DES operations to each 64-bit block,
with at least two different keys, to get higher security than a single DES
pass provides. 3DES is the most CPU intensive cipher, and its 64-bit block
size limits how much data should be sent under one key before rekeying.
• AES – The Advanced Encryption Standard cipher uses a 128-bit block and
128, 192 or 256-bit keys. AES is the stronger of the two and is much preferred
to 3DES, both for security and for efficiency.
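As an added example (not from the RuggedRouter guide), here is how the cipher choice is expressed in Openswan's ipsec.conf for a hypothetical connection named "hq", with the weak 3DES selection shown next to the preferred AES one. Addresses are made up; `ike=` selects the IKE (phase 1) algorithms and DH group, `esp=` the ESP (phase 2) algorithms.

```text
# Weak: 3DES with a 1024-bit DH group. It negotiates, but 3DES is the slowest
# cipher and its 64-bit block size limits how much data is safe under one key.
conn hq-legacy
    left=192.0.2.10
    leftsubnet=10.1.0.0/24
    right=198.51.100.5
    rightsubnet=10.2.0.0/24
    authby=secret
    ike=3des-sha1;modp1024
    esp=3des-sha1
    auto=start

# Preferred: AES-256 with a 2048-bit DH group and PFS, so each phase-2 key is
# derived independently of the IKE key.
conn hq
    left=192.0.2.10
    leftsubnet=10.1.0.0/24
    right=198.51.100.5
    rightsubnet=10.2.0.0/24
    authby=secret
    ike=aes256-sha1;modp2048
    esp=aes256-sha1
    pfs=yes
    auto=start
```

Both peers must offer a matching proposal, so after bringing the tunnel up confirm what was actually negotiated with `ipsec auto --status` rather than assuming the configured value was accepted; a peer that only offers 3DES will silently pull the tunnel down to that cipher if the local proposal list still includes it.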
138 RuggedCom