From: Michael Tremer <michael.tremer@ipfire.org>
Date: Sun, 20 Aug 2017 11:10:39 +0000 (+0200)
Subject: man: Add documentation for VPN security policies
X-Git-Tag: 010~189
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=bec94f95fe6fc4b01baf8eae5a07155593a5c3e8;p=network.git

man: Add documentation for VPN security policies

Fixes #11426

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
---

diff --git a/Makefile.am b/Makefile.am
index c963b7c8..c18c460a 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -347,6 +347,8 @@ MANPAGES = \
 	man/network-route.8 \
 	man/network-route-static.8 \
 	man/network-settings.8 \
+	man/network-vpn.8 \
+	man/network-vpn-security-policies.8 \
 	man/network-zone.8 \
 	man/network-zone-6to4-tunnel.8 \
 	man/network-zone-bridge.8 \
diff --git a/man/network-vpn-security-policies.xml b/man/network-vpn-security-policies.xml
new file mode 100644
index 00000000..a2f91430
--- /dev/null
+++ b/man/network-vpn-security-policies.xml
@@ -0,0 +1,295 @@
+<?xml version="1.0"?>
+<!DOCTYPE refentry PUBLIC "-//OASIS/DTD DocBook XML V4.2//EN"
+	"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
+
+<refentry id="network-zone">
+	<refentryinfo>
+		<title>network-vpn-security-policies</title>
+		<productname>network</productname>
+
+		<authorgroup>
+			<author>
+				<contrib>Developer</contrib>
+				<firstname>Michael</firstname>
+				<surname>Tremer</surname>
+				<email>michael.tremer@ipfire.org</email>
+			</author>
+		</authorgroup>
+	</refentryinfo>
+
+	<refmeta>
+		<refentrytitle>network-vpn-security-policies</refentrytitle>
+		<manvolnum>8</manvolnum>
+	</refmeta>
+
+	<refnamediv>
+		<refname>network-vpn-security-policies</refname>
+		<refpurpose>Network Configuration Control Program</refpurpose>
+	</refnamediv>
+
+	<refsynopsisdiv>
+		<cmdsynopsis>
+			<command>network vpn security-policies <arg choice="plain">[new|destroy]</arg> <replaceable>NAME</replaceable> ...</command>
+		</cmdsynopsis>
+
+		<cmdsynopsis>
+			<command>network vpn security-policies <replaceable>NAME</replaceable> <arg choice="plain">command</arg> ...</command>
+		</cmdsynopsis>
+	</refsynopsisdiv>
+
+	<refsect1>
+		<title>Description</title>
+
+		<para>
+			With help of the <command>vpn security-policies</command>, it is possible
+			to create, destroy and edit VPN security policies.
+		</para>
+		<para>
+			A security policy is a definition of ciphers and algorithms for integrity
+			and key-exchanges for VPN connections.
+		</para>
+	</refsect1>
+
+	<refsect1>
+		<title>Commands</title>
+
+		<para>
+			The following commands are understood:
+		</para>
+
+		<variablelist>
+			<varlistentry>
+				<term>
+					<command>new <replaceable>NAME</replaceable></command>
+				</term>
+
+				<listitem>
+					<para>
+						A new security policy may be created with the
+						<command>new</command> command.
+					</para>
+
+					<para>
+						<replaceable>NAME</replaceable> does not allow any spaces.
+					</para>
+				</listitem>
+			</varlistentry>
+
+			<varlistentry>
+				<term>
+					<command>destroy <replaceable>NAME</replaceable></command>
+				</term>
+
+				<listitem>
+					<para>
+						A security policy can be destroyed with this command.
+					</para>
+					<para>
+						If the policy is still in use, it cannot be deleted.
+					</para>
+				</listitem>
+			</varlistentry>
+		</variablelist>
+
+		<para>
+			For all other commands, the name of the security policy needs to be passed first:
+		</para>
+
+		<variablelist>
+			<varlistentry>
+				<term>
+					<command><replaceable>NAME</replaceable> show</command>
+				</term>
+
+				<listitem>
+					<para>
+						Shows the configuration of the security policy.
+					</para>
+				</listitem>
+			</varlistentry>
+
+			<varlistentry>
+				<term>
+					<command><replaceable>NAME</replaceable> key-exchange <replaceable>[IKEv2|IKEv1]</replaceable></command>
+				</term>
+
+				<listitem>
+					<para>
+						Defines the key exchange algorithm that should be used to
+						initiate an IPsec VPN connection.
+					</para>
+				</listitem>
+			</varlistentry>
+
+			<varlistentry>
+				<term>
+					<command><replaceable>NAME</replaceable> ciphers <replaceable>[CIPHER-LIST|+CIPHER ...|-CIPHER ...]</replaceable></command>
+				</term>
+
+				<listitem>
+					<para>
+						This command allows modifying the cipher list.
+					</para>
+
+					<para>
+						A new <replaceable>CIPHER-LIST</replaceable> can be passed
+						which will replace the current configuration.
+						Alternatively, new ciphers can be added by prepending a
+						+ sign to the cipher name and can removed likewise
+						using -.
+					</para>
+
+					<para>
+						A cipher is an algorithm that encrypts and decrypts data
+						to be able to transmit it over an insecure channel.
+					</para>
+				</listitem>
+			</varlistentry>
+
+			<varlistentry>
+				<term>
+					<command><replaceable>NAME</replaceable> integrities <replaceable>[INTEGRITY-LIST|+INTEGRITY ...|-INTEGRITY ...]</replaceable></command>
+				</term>
+
+				<listitem>
+					<para>
+						This command allows modifying the integrity list
+						similar to the <command>ciphers</command> command.
+					</para>
+
+					<para>
+						Integrity algorithms are used to be able to determine
+						if data has been altered when being transfered over
+						an untrusted channel.
+					</para>
+				</listitem>
+			</varlistentry>
+
+			<varlistentry>
+				<term>
+					<command><replaceable>NAME</replaceable> group-types <replaceable>[GROUP-TYPES-LIST|+GROUP-TYPE ...|-GROUP-TYPE]</replaceable>
+					</command>
+				</term>
+
+				<listitem>
+					<para>
+						This command allows modifying the list of group types
+						similar to the <command>ciphers</command> command.
+					</para>
+
+					<para>
+						These algorithms are used to negotiate a shared secret
+						of an insecure channel.
+					</para>
+				</listitem>
+			</varlistentry>
+
+			<varlistentry>
+				<term>
+					<command><replaceable>NAME</replaceable> pfs <replaceable>[on|off]</replaceable></command>
+				</term>
+
+				<listitem>
+					<para>
+						This command allows to enable or disable Perfect Forward Secrecy (PFS).
+					</para>
+
+					<para>
+						If PFS is enabled, the encrypted channels of a VPN connection will be
+						renegotiated regularly to avoid that the same keys are used for too long.
+						If an attacker is able to obtain a key that was used to encrypt the
+						data, it is only possible to decrypt a certain amount of data.
+					</para>
+
+					<para>
+						It is strongly recommended to enable PFS at all times.
+					</para>
+				</listitem>
+			</varlistentry>
+
+			<varlistentry>
+				<term>
+					<command><replaceable>NAME</replaceable> lifetime <replaceable>LIFETIME</replaceable></command>
+				</term>
+
+				<listitem>
+					<para>
+						This command allows to define how often the VPN connection is
+						renegotiated if PFS is enabled.
+					</para>
+				</listitem>
+			</varlistentry>
+
+			<varlistentry>
+				<term>
+					<command><replaceable>NAME</replaceable> compression <replaceable>[on|off]</replaceable></command>
+				</term>
+
+				<listitem>
+					<para>
+						This command allows to enable or disable compression.
+					</para>
+
+					<para>
+						If compression is enabled, all data is being compressed before being
+						sent through the VPN.
+						This setting is ignored if the peer does not support this.
+					</para>
+				</listitem>
+			</varlistentry>
+		</variablelist>
+	</refsect1>
+
+	<refsect1>
+		<title>System Policies</title>
+
+		<para>
+			The system comes with builtin policies that cannot be modified by the user.
+			They are intended to provide good defaults for various situations.
+		</para>
+
+		<refsect2>
+			<title>system</title>
+
+			<para>
+				This policy is the default for every VPN connection and allows using
+				all ciphers, integrity and key-exchange algorithms that are recommended
+				to use and have not been proven or assumed to be broken, yet.
+			</para>
+
+			<para>
+				Over time, this policy will change whenever an algorithm has been broken
+				and is not recommended to be used any more.
+			</para>
+		</refsect2>
+
+		<refsect2>
+			<title>performance</title>
+
+			<para>
+				This policy is recommended to be used on systems that are not very powerful.
+				Algorithms with smaller key lengths, but still considered to be secure
+				are being used.
+			</para>
+		</refsect2>
+
+		<para>
+			System policies cannot be deleted.
+		</para>
+	</refsect1>
+
+	<refsect1>
+		<title>See Also</title>
+
+		<para>
+			<citerefentry>
+				<refentrytitle>network</refentrytitle>
+				<manvolnum>8</manvolnum>
+			</citerefentry>,
+			<citerefentry>
+				<refentrytitle>network-vpn</refentrytitle>
+				<manvolnum>8</manvolnum>
+			</citerefentry>
+		</para>
+	</refsect1>
+</refentry>
diff --git a/man/network-vpn.xml b/man/network-vpn.xml
new file mode 100644
index 00000000..d71d14a8
--- /dev/null
+++ b/man/network-vpn.xml
@@ -0,0 +1,81 @@
+<?xml version="1.0"?>
+<!DOCTYPE refentry PUBLIC "-//OASIS/DTD DocBook XML V4.2//EN"
+	"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
+
+<refentry id="network-vpn">
+	<refentryinfo>
+		<title>network-vpn</title>
+		<productname>network</productname>
+
+		<authorgroup>
+			<author>
+				<contrib>Developer</contrib>
+				<firstname>Michael</firstname>
+				<surname>Tremer</surname>
+				<email>michael.tremer@ipfire.org</email>
+			</author>
+		</authorgroup>
+	</refentryinfo>
+
+	<refmeta>
+		<refentrytitle>network-vpn</refentrytitle>
+		<manvolnum>8</manvolnum>
+	</refmeta>
+
+	<refnamediv>
+		<refname>network-vpn</refname>
+		<refpurpose>Network Configuration Control Program</refpurpose>
+	</refnamediv>
+
+	<refsynopsisdiv>
+		<cmdsynopsis>
+			<command>network <arg choice="plain">vpn</arg> <arg choice="plain">command</arg> ...</command>
+		</cmdsynopsis>
+	</refsynopsisdiv>
+
+	<refsect1>
+		<title>Description</title>
+
+		<para>
+			The <command>vpn</command> command allows to create, delete, edit
+			and show the status of VPN connections and the configuration around it.
+		</para>
+	</refsect1>
+
+	<refsect1>
+		<title>Commands</title>
+
+		<para>
+			The following commands are understood:
+		</para>
+
+		<variablelist>
+			<varlistentry>
+				<term>
+					<command>security-policies ...</command>
+				</term>
+
+				<listitem>
+					<para>
+						Use this command to manage security policies.
+						See <citerefentry>
+							<refentrytitle>network-vpn-security-policies</refentrytitle>
+							<manvolnum>8</manvolnum>
+						</citerefentry> for details.
+					</para>
+				</listitem>
+			</varlistentry>
+		</variablelist>
+	</refsect1>
+
+	<refsect1>
+		<title>See Also</title>
+
+		<para>
+			<citerefentry>
+				<refentrytitle>network</refentrytitle>
+				<manvolnum>8</manvolnum>
+			</citerefentry>
+		</para>
+	</refsect1>
+</refentry>
diff --git a/man/network.xml b/man/network.xml
index 3b773c01..0a97453c 100644
--- a/man/network.xml
+++ b/man/network.xml
@@ -279,6 +279,22 @@
 				</listitem>
 			</varlistentry>
 
+			<varlistentry>
+				<term>
+					<command>vpn ...</command>
+				</term>
+
+				<listitem>
+					<para>
+						The <command>vpn</command> allows managing VPN connections.
+						See <citerefentry>
+							<refentrytitle>network-vpn</refentrytitle>
+							<manvolnum>8</manvolnum>
+						</citerefentry> for details.
+					</para>
+				</listitem>
+			</varlistentry>
+
 			<varlistentry>
 				<term>
 					<command>reset</command>