= network-vpn-security-policies(8)

== NAME
network-vpn-security-policies - Configure VPN Security Policies

== SYNOPSIS
[verse]
'network vpn security-policies [new|destroy]' NAME...
'network vpn security-policies' NAME COMMAND ...

== DESCRIPTION
With the help of 'vpn security-policies', it is possible to create, destroy
and edit VPN security policies.

A security policy defines the ciphers, integrity algorithms and key-exchange
algorithms for VPN connections.

== COMMANDS
The following commands are understood:

'new NAME'::
A new security policy may be created with the 'new' command.
+
NAME does not allow any spaces.

'destroy NAME'::
A security policy can be destroyed with this command.
+
If the policy is still in use, it cannot be deleted.

For all other commands, the name of the security policy needs to be passed first:

'NAME show'::
Shows the configuration of the security policy.

'NAME key-exchange' [IKEv2|IKEv1]::
Defines the key exchange algorithm that should be used to initiate an
IPsec VPN connection.

'NAME ciphers' [CIPHER-LIST|+CIPHER ...|-CIPHER ...]::
This command allows modifying the cipher list.
A new CIPHER-LIST can be passed which will replace the current configuration.
Alternatively, new ciphers can be added by prepending a + sign to the cipher
name and can be removed likewise using -.
+
A cipher is an algorithm that encrypts and decrypts data to be able to
transmit it over an insecure channel.

'NAME integrities' [INTEGRITY-LIST|+INTEGRITY ...|-INTEGRITY ...]::
This command allows modifying the integrity list similar to the
'ciphers' command.
+
Integrity algorithms are used to determine whether data has been
altered while being transferred over an untrusted channel.

'NAME pseudo-random-functions' [PSEUDO-RANDOM-FUNCTION-LIST|+PSEUDO-RANDOM-FUNCTION ...|-PSEUDO-RANDOM-FUNCTION ...]::
This command allows modifying the list of pseudo random functions
similar to the 'ciphers' command.
+
These functions are used in combination with an AEAD cipher only.

'NAME group-types' [GROUP-TYPES-LIST|+GROUP-TYPE ...|-GROUP-TYPE ...]::
This command allows modifying the list of group types similar to the
'ciphers' command.
+
These algorithms are used to negotiate a shared secret over an insecure channel.
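The replace / + / - editing rule shared by the 'ciphers', 'integrities', 'pseudo-random-functions' and 'group-types' commands, written out as an added stand-alone example (not code from the network project). The algorithm names it uses are constructed placeholders, and the rejection of mixed or empty results is an assumption about sensible behaviour, not something the man page states.

```python
# Added example: the documented list-editing semantics for the
# ciphers/integrities/pseudo-random-functions/group-types commands.
# Algorithm names below are constructed placeholders, not real ones.

def apply_list_edit(current, args):
    """Apply the documented edit semantics to an algorithm list.

    - If every argument starts with '+' or '-', add or remove those
      entries in order and keep the rest of the list as it is.
    - Otherwise the arguments form a new list that replaces the current one.
    Mixed forms and an empty result are rejected (assumed behaviour): a
    policy with no algorithm left could not negotiate anything.
    """
    if not args:
        raise ValueError("no arguments given")
    modifiers = [arg[:1] in ("+", "-") for arg in args]
    if any(modifiers) and not all(modifiers):
        raise ValueError("cannot mix +/- modifiers with a replacement list")
    result = list(current)
    if all(modifiers):
        for arg in args:
            op, name = arg[0], arg[1:]
            if not name:
                raise ValueError(f"missing algorithm name in {arg!r}")
            if op == "+" and name not in result:
                result.append(name)          # '+NAME' appends once
            elif op == "-" and name in result:
                result.remove(name)          # '-NAME' removes if present
    else:
        result = list(dict.fromkeys(args))   # replacement list, duplicates dropped
    if not result:
        raise ValueError("resulting list would be empty")
    return result


def usage():
    # Constructed sample policy; the equivalent CLI call would be
    # 'network vpn security-policies NAME ciphers +CIPHER-C -CIPHER-A'.
    policy = {"ciphers": ["CIPHER-A", "CIPHER-B"]}
    policy["ciphers"] = apply_list_edit(policy["ciphers"], ["+CIPHER-C", "-CIPHER-A"])
    return policy
```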

'NAME pfs' [on|off]::
This command enables or disables Perfect Forward Secrecy (PFS).
If PFS is enabled, the encrypted channels of a VPN connection will be
renegotiated regularly so that the same keys are not used for too long.
If an attacker obtains a key that was used to encrypt the data, only a
limited amount of data can be decrypted with it.
+
It is strongly recommended to enable PFS at all times.

'NAME lifetime' LIFETIME::
This command defines how often the VPN connection is
renegotiated if PFS is enabled.

'NAME compression' [on|off]::
This command enables or disables compression.
If compression is enabled, all data is compressed before being
sent through the VPN.
This setting is ignored if the peer does not support compression.

== System Policies

The system comes with builtin policies that cannot be modified by the user.
They are intended to provide good defaults for various situations.

[horizontal]
'system'::
This policy is the default for every VPN connection and allows using
all ciphers, integrity and key-exchange algorithms that are recommended
and have not yet been proven or assumed to be broken.
+
Over time, this policy will change whenever an algorithm has been broken
and is no longer recommended.

'performance'::
This policy is recommended for systems that are not very powerful.
It uses algorithms with smaller key lengths that are still considered
secure.

System policies cannot be deleted.

== AUTHORS
Michael Tremer

== SEE ALSO
link:network[8],
link:network-vpn[8]