RuggedCom RuggedRouter RX1100 User Manual

Page 153

16. Configuring IPsec VPN

Revision 1.14.3

RX1000/RX1100™

“Start Connection” button). If “Start connection” is chosen, the connection is authorized when
Openswan starts but is not activated until an incoming request arrives. A value of “Route” causes
a route (and only the route) for the protected traffic to be established; packets matching it are
discarded rather than forwarded. This is preferable to having them sent in the clear by a more
general route (e.g., a default route) while no tunnel is up.

The Authenticate by fields select the authentication method. If “Default” is selected, the value in the
“Defaults for all connections” record is used. If “rsasig” is selected, the System's public key field
in each of the Left System's Settings and Right System's Settings sections must contain an RSA
signature string, or an X.509 certificate must be in use. If “secret” is selected, the Preshared key
menu must contain a key indexed by the public IPs of the Left and Right systems.

The Phase 1 Encryption Protocols fields select the encryption protocols used for Phase 1 (aka the
ISAKMP SA). If “Default” is selected, the value in the “Defaults for all connections” record is used.
If “allow only” is selected, only the selected protocols among “aes256”, “aes192”, “aes128” and
“3des” are included in the list of protocols to be negotiated. At connection time, the two peers
compare their capabilities and select the strongest (allowed) common protocol. In decreasing order
of cryptographic strength, they are: AES256, AES192, AES128, and 3DES.

The Phase 1 Encryption Protocols (Hash) fields select the hash method used for Phase 1 (aka the
ISAKMP SA). If “Default” is selected, the value in the “Defaults for all connections” record is used.
Normally the user should select the “Default” option. In special cases (with some kinds of VPN server,
for example) you may need to specify explicitly which one (sha1 or md5) to use; md5 should only be
chosen when the peer cannot negotiate sha1.

The Phase 2 Encryption Protocols fields select the encryption protocols used for Phase 2 (aka the
IPsec SA). If “Default” is selected, the value in the “Defaults for all connections” record is used. If
“allow only” is selected, only the selected protocols among “aes256”, “aes192”, “aes128” and “3des”
are included in the list of protocols to be negotiated. At connection time the two peers compare their
capabilities and select the strongest common protocol, using the same ordering as for Phase 1.

The Phase 2 Encryption Protocols (Hash) fields select the hash method used for Phase 2 (aka the
IPsec SA). If “Default” is selected, the value in the “Defaults for all connections” record is used.
Normally the user should select the “Default” option. In special cases (with some kinds of VPN server)
you may need to specify explicitly which one (sha1 or md5) to use.

The Compress data? fields select whether data is compressed prior to encryption. If “Default” is
selected, the value in the “Defaults for all connections” record is used.

The Perfect Forward Secrecy fields enable PFS, under which each Phase 2 key is derived from a fresh
Diffie-Hellman exchange rather than from the Phase 1 keying material. An attacker who later
compromises one key therefore gains no advantage in decrypting previously intercepted packets or
subsequent sessions. Not all clients support PFS; both peers must agree on the setting.

The Connection key lifetime fields determine how long a particular instance of a connection lasts,
from successful negotiation to expiry. Normally the connection is renegotiated (re-keyed) before it
expires, so traffic is not interrupted.

The L2TP field determines whether this connection uses L2TP.

Note

ROX supports only DH groups of 1024 bits or greater for both Phase 1 and Phase 2. Please ensure
that your client is configured not to offer DH group sizes of less than 1024 bits, or negotiation will fail.
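As an added example (not RuggedCom/ROX code and not taken from this manual), the following Python models the per-connection choices described above, from the Phase 1 and Phase 2 protocol lists through PFS and the DH-group restriction in the Note, as an Openswan `conn` stanza plus the matching `ipsec.secrets` line, and checks the negotiation and DH rules the text states. The mapping of the web-form fields to Openswan keywords (`auto=`, `authby=`, `ike=`, `esp=`, `pfs=`, `compress=`, `keylife=`, `ikelifetime=`) and the function names are assumptions for illustration; the IP addresses are constructed documentation-range values.

```python
"""Added example: render and sanity-check an Openswan connection from the ROX
form choices. The field-to-keyword mapping is an assumption; it is not ROX's own
generator. IPs below are constructed (RFC 5737 documentation ranges)."""

# Cipher list in the manual's stated order of decreasing strength.
STRENGTH_ORDER = ["aes256", "aes192", "aes128", "3des"]

# Openswan MODP group names (RFC 2409 / RFC 3526) and their sizes in bits.
DH_GROUP_BITS = {"modp768": 768, "modp1024": 1024, "modp1536": 1536,
                 "modp2048": 2048, "modp3072": 3072, "modp4096": 4096}

MIN_DH_BITS = 1024  # the ROX restriction stated in the Note above


def negotiate(left_allowed, right_allowed):
    """Strongest cipher both peers allow, or None if they share none.
    Mirrors the manual: peers compare capabilities and pick the strongest common one."""
    common = set(left_allowed) & set(right_allowed)
    for cipher in STRENGTH_ORDER:
        if cipher in common:
            return cipher
    return None


def dh_group_ok(group):
    """True if the DH group is known and at least MIN_DH_BITS (ROX requirement)."""
    bits = DH_GROUP_BITS.get(group)
    return bits is not None and bits >= MIN_DH_BITS


def render_psk_secret(left_ip, right_ip, psk):
    """ipsec.secrets entry: a PSK indexed by the public IPs of both systems."""
    return f'{left_ip} {right_ip} : PSK "{psk}"'


def render_conn(name, left, right, p1_ciphers, p1_hash, p2_ciphers, p2_hash,
                dh_group, pfs=True, compress=False, authby="secret",
                startup="add", keylife="1h", ikelifetime="8h"):
    """Render one Openswan 'conn' stanza and a list of policy warnings.

    Assumed mapping: "Add"/"Route"/"Start connection" -> auto=add/route/start;
    Phase 1 list -> ike= proposals (cipher-hash;group); Phase 2 list -> esp=.
    Raises ValueError for hashes the form does not offer or a DH group ROX rejects.
    """
    for h in (p1_hash, p2_hash):
        if h not in ("sha1", "md5"):
            raise ValueError(f"unsupported hash {h!r}")
    if startup not in ("add", "route", "start"):
        raise ValueError(f"unsupported startup mode {startup!r}")
    if not dh_group_ok(dh_group):
        raise ValueError(f"{dh_group}: ROX requires DH groups of >= {MIN_DH_BITS} bits")

    warnings = []
    if "md5" in (p1_hash, p2_hash):
        warnings.append("md5 selected: use only when the peer cannot negotiate sha1")
    if "3des" in p1_ciphers or "3des" in p2_ciphers:
        warnings.append("3des allowed: weakest option in the manual's ordering")
    if not pfs:
        warnings.append("PFS disabled: a compromised key exposes other sessions")

    ike = ",".join(f"{c}-{p1_hash};{dh_group}" for c in p1_ciphers)
    esp = ",".join(f"{c}-{p2_hash}" for c in p2_ciphers)
    stanza = "\n".join([
        f"conn {name}",
        f"\tleft={left}",
        f"\tright={right}",
        f"\tauthby={authby}",
        f"\tike={ike}",
        f"\tesp={esp}",
        f"\tpfs={'yes' if pfs else 'no'}",
        f"\tcompress={'yes' if compress else 'no'}",
        f"\tkeylife={keylife}",
        f"\tikelifetime={ikelifetime}",
        f"\tauto={startup}",
    ])
    return stanza, warnings


if __name__ == "__main__":
    conf, warns = render_conn("site_a", "192.0.2.1", "198.51.100.1",
                              ["aes256", "aes128"], "sha1", ["aes256"], "sha1",
                              "modp2048", startup="route")
    print(conf)
    print(render_psk_secret("192.0.2.1", "198.51.100.1", "constructed-example-psk"))
    for w in warns:
        print("warning:", w)
    print("negotiated:", negotiate(["aes256", "aes128"], ["aes128", "3des"]))
```

`negotiate` returns `None` when the two "allow only" lists do not overlap, which is the case to check first when a tunnel fails to come up; `dh_group_ok` implements the Note's 1024-bit floor so a `modp768` client setting is rejected before it reaches the device.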
