<!DOCTYPE refentry PUBLIC "-//OASIS/DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
<refentry id="network-zone">
<title>network-vpn-security-policies</title>
<productname>network</productname>
<contrib>Developer</contrib>
<firstname>Michael</firstname>
<surname>Tremer</surname>
<email>michael.tremer@ipfire.org</email>
<refentrytitle>network-vpn-security-policies</refentrytitle>
<manvolnum>8</manvolnum>
<refname>network-vpn-security-policies</refname>
<refpurpose>Network Configuration Control Program</refpurpose>
<command>network vpn security-policies <arg choice="plain">[new|destroy]</arg> <replaceable>NAME</replaceable> ...</command>
<command>network vpn security-policies <replaceable>NAME</replaceable> <arg choice="plain">command</arg> ...</command>
<title>Description</title>
With the help of the <command>vpn security-policies</command> command, it is possible
to create, destroy and edit VPN security policies.
A security policy defines the ciphers, integrity algorithms and key-exchange
algorithms that are used for VPN connections.
<title>Commands</title>
The following commands are understood:
<command>new <replaceable>NAME</replaceable></command>
A new security policy may be created with the <command>new</command> command.
<replaceable>NAME</replaceable> must not contain any spaces.
<command>destroy <replaceable>NAME</replaceable></command>
A security policy can be destroyed with this command.
If the policy is still in use, it cannot be deleted.
For all other commands, the name of the security policy needs to be passed first:
<command><replaceable>NAME</replaceable> show</command>
Shows the configuration of the security policy.
<command><replaceable>NAME</replaceable> key-exchange <replaceable>[IKEv2|IKEv1]</replaceable></command>
Defines the key exchange algorithm that is used to initiate an IPsec VPN connection.
<command><replaceable>NAME</replaceable> ciphers <replaceable>[CIPHER-LIST|+CIPHER ...|-CIPHER ...]</replaceable></command>
This command allows modifying the cipher list.
A new <replaceable>CIPHER-LIST</replaceable> can be passed, which replaces the current configuration.
Alternatively, individual ciphers can be added by prepending a + sign to the cipher name,
and removed by prepending a - sign.
A cipher is an algorithm that encrypts and decrypts data so that it can be
transmitted over an insecure channel.
<command><replaceable>NAME</replaceable> integrities <replaceable>[INTEGRITY-LIST|+INTEGRITY ...|-INTEGRITY ...]</replaceable></command>
This command allows modifying the integrity list, similar to the <command>ciphers</command> command.
Integrity algorithms are used to determine whether data has been altered
while being transferred over an untrusted channel.
<command><replaceable>NAME</replaceable> pseudo-random-functions <replaceable>[PSEUDO-RANDOM-FUNCTION-LIST|+PSEUDO-RANDOM-FUNCTION ...|-PSEUDO-RANDOM-FUNCTION ...]</replaceable></command>
This command allows modifying the list of pseudo-random functions, similar to the <command>ciphers</command> command.
These functions are only used in combination with an AEAD cipher.
<command><replaceable>NAME</replaceable> group-types <replaceable>[GROUP-TYPES-LIST|+GROUP-TYPE ...|-GROUP-TYPE ...]</replaceable></command>
This command allows modifying the list of group types, similar to the <command>ciphers</command> command.
These algorithms are used to negotiate a shared secret over an insecure channel.
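The list-edit syntax shared by the ciphers, integrities, pseudo-random-functions and group-types commands, as an added Python model that is not part of the network tool: a bare list replaces the current configuration, +NAME appends and -NAME removes. The algorithm names, the rejection of unknown names, and the rule that a plain list may not be mixed with +/- edits are assumptions of this example.

```python
# Added example, not part of the network(8) tool: a model of the
# [LIST|+NAME ...|-NAME ...] syntax used by the ciphers, integrities,
# pseudo-random-functions and group-types commands.
# Constructed set of accepted names; each real policy type has its own.
KNOWN_CIPHERS = {"AES256", "AES128", "CAMELLIA256", "CHACHA20-POLY1305", "3DES"}

class PolicyError(ValueError):
    """Raised when an edit request is rejected."""

def _is_edit(word):
    # True for "+NAME" or "-NAME"; an empty word is never valid.
    return bool(word) and word[0] in "+-"

def _check_known(names, known):
    # Reject anything the policy type does not accept (e.g. a typo).
    for name in names:
        if name not in known:
            raise PolicyError(f"unknown algorithm: {name}")

def edit_algorithm_list(current, args, known):
    """Return the new list after applying ARGS to CURRENT.
    current: the policy's present list, most preferred first.
    args:    the words typed after the command.
    known:   the names this policy type accepts.
    CURRENT itself is never modified.
    """
    if not args or any(not a for a in args):
        raise PolicyError("no algorithm name given")
    if not any(_is_edit(a) for a in args):
        # Replace mode: the whole list is replaced, duplicates dropped.
        _check_known(args, known)
        return list(dict.fromkeys(args))
    if not all(_is_edit(a) for a in args):
        # Assumption of this example: mixing modes is ambiguous, reject it.
        raise PolicyError("cannot mix a plain list with +/- edits")
    result = list(current)
    for word in args:
        op, name = word[0], word[1:]
        _check_known([name], known)
        if op == "+":
            if name not in result:
                result.append(name)  # new entries get the lowest preference
        elif name in result:
            result.remove(name)
        else:
            raise PolicyError(f"{name} is not in the list")
    if not result:
        raise PolicyError("at least one algorithm must remain")
    return result
```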
<command><replaceable>NAME</replaceable> pfs <replaceable>[on|off]</replaceable></command>
This command enables or disables Perfect Forward Secrecy (PFS).
If PFS is enabled, the encrypted channels of a VPN connection are
renegotiated regularly so that the same keys are not used for too long.
If an attacker is able to obtain a key that was used to encrypt the data,
only the limited amount of data that was encrypted under that key can be decrypted.
It is strongly recommended to enable PFS at all times.
<command><replaceable>NAME</replaceable> lifetime <replaceable>LIFETIME</replaceable></command>
This command defines how often the VPN connection is renegotiated if PFS is enabled.
<command><replaceable>NAME</replaceable> compression <replaceable>[on|off]</replaceable></command>
This command enables or disables compression.
If compression is enabled, all data is compressed before being sent through the VPN.
This setting is ignored if the peer does not support compression.
<title>System Policies</title>
The system comes with built-in policies that cannot be modified by the user.
They are intended to provide good defaults for various situations.
<title>system</title>
This policy is the default for every VPN connection and allows using
all ciphers, integrity and key-exchange algorithms that are currently
recommended and have not yet been proven or assumed to be broken.
Over time, this policy will change whenever an algorithm has been broken
and is no longer recommended.
<title>performance</title>
This policy is recommended for systems that are not very powerful.
Algorithms with smaller key lengths, but still considered to be secure
System policies cannot be deleted.
<title>See Also</title>
<refentrytitle>network</refentrytitle>
<manvolnum>8</manvolnum>
<refentrytitle>network-vpn</refentrytitle>
<manvolnum>8</manvolnum>