[people/ms/network.git] / man / network-vpn-security-policies.txt

= network-vpn-security-policies(8)

== NAME
network-vpn-security-policies - Configure VPN Security Policies

== SYNOPSIS
[verse]
'network vpn security-policies [new|destroy]' NAME...
'network vpn security-policies' NAME COMMAND ...

== DESCRIPTION
With help of the 'vpn security-policies', it is possible to create, destroy
and edit VPN security policies.

A security policy is a definition of ciphers and algorithms for integrity
and key-exchanges for VPN connections.

== COMMANDS
The following commands are understood:

'new NAME'::
	A new security policy may be created with the 'new' command.
	+
	NAME does not allow any spaces.

'destroy NAME'::
	A security policy can be destroyed with this command.
	+
	If the policy is still in use, it cannot be deleted.

For all other commands, the name of the security policy needs to be passed first:

'NAME show'::
	Shows the configuration of the security policy.

'NAME key-exchange' [IKEv2|IKEv1]::
	Defines the key exchange algorithm that should be used to initiate an
	IPsec VPN connection.

'NAME ciphers' [CIPHER-LIST|+CIPHER ...|-CIPHER ...]::
	This command allows modifying the cipher list.
	A new CIPHER-LIST can be passed which will replace the current configuration.
	Alternatively, new ciphers can be added by prepending a + sign to the cipher
	name and can removed likewise using -.
	+
	A cipher is an algorithm that encrypts and decrypts data to be able to
	transmit it over an insecure channel.

'NAME integrities' [INTEGRITY-LIST|+INTEGRITY ...|-INTEGRITY ...]::
	This command allows modifying the integrity list similar to the
	'ciphers' command.
	+
	Integrity algorithms are used to be able to determine if data has been
	altered when being transferred over an untrusted channel.

'NAME pseudo-random-functions' [PSEUDO-RANDOM-FUNCTION-LIST|+PSEUDO-RANDOM-FUNCTION...|-PSEUDO-RANDOM-FUNCTION]::
	This command allows modifying the list of pseudo random functions
	similar to the 'ciphers' command.
	+
	These functions are used in combination with an AEAD cipher only.

'NAME group-types' [GROUP-TYPES-LIST|+GROUP-TYPE ...|-GROUP-TYPE]::
	This command allows modifying the list of group types similar to the
	'ciphers' command.
	+
	These algorithms are used to negotiate a shared secret of an insecure channel.

'NAME pfs' [on|off]::
	This command allows to enable or disable Perfect Forward Secrecy (PFS).
	If PFS is enabled, the encrypted channels of a VPN connection will be
	renegotiated regularly to avoid that the same keys are used for too long.
	If an attacker is able to obtain a key that was used to encrypt the
	data, it is only possible to decrypt a certain amount of data.
	+
	It is strongly recommended to enable PFS at all times.

'NAME lifetime' LIFETIME::
	This command allows to define how often the VPN connection is
	renegotiated if PFS is enabled.

'NAME compression' [on|off]::
	This command allows to enable or disable compression.
	If compression is enabled, all data is being compressed before being
	sent through the VPN.
	This setting is ignored if the peer does not support this.

== System Policies

The system comes with builtin policies that cannot be modified by the user.
They are intended to provide good defaults for various situations.

[horizontal]
'system'::
	This policy is the default for every VPN connection and allows using
	all ciphers, integrity and key-exchange algorithms that are recommended
	to use and have not been proven or assumed to be broken, yet.
	+
	Over time, this policy will change whenever an algorithm has been broken
	and is not recommended to be used any more.

'performance'::
	This policy is recommended to be used on systems that are not very powerful.
	Algorithms with smaller key lengths, but still considered to be secure
	are being used.

System policies cannot be deleted.

== AUTHORS
Michael Tremer

== SEE ALSO
link:network[8],
link:network-vpn[8]
Commit	Line	Data
0a31681e	1	= network-vpn-security-policies(8)
0a31681e MT	2
	3	== NAME
	4	network-vpn-security-policies - Configure VPN Security Policies
	5
	6	== SYNOPSIS
	7	[verse]
	8	'network vpn security-policies [new\|destroy]' NAME...
	9	'network vpn security-policies' NAME COMMAND ...
	10
	11	== DESCRIPTION
	12	With help of the 'vpn security-policies', it is possible to create, destroy
	13	and edit VPN security policies.
	14
	15	A security policy is a definition of ciphers and algorithms for integrity
	16	and key-exchanges for VPN connections.
	17
	18	== COMMANDS
	19	The following commands are understood:
	20
	21	'new NAME'::
	22	A new security policy may be created with the 'new' command.
	23	+
	24	NAME does not allow any spaces.
	25
	26	'destroy NAME'::
	27	A security policy can be destroyed with this command.
	28	+
	29	If the policy is still in use, it cannot be deleted.
	30
	31	For all other commands, the name of the security policy needs to be passed first:
	32
	33	'NAME show'::
	34	Shows the configuration of the security policy.
	35
	36	'NAME key-exchange' [IKEv2\|IKEv1]::
	37	Defines the key exchange algorithm that should be used to initiate an
	38	IPsec VPN connection.
	39
	40	'NAME ciphers' [CIPHER-LIST\|+CIPHER ...\|-CIPHER ...]::
	41	This command allows modifying the cipher list.
	42	A new CIPHER-LIST can be passed which will replace the current configuration.
	43	Alternatively, new ciphers can be added by prepending a + sign to the cipher
	44	name and can removed likewise using -.
	45	+
	46	A cipher is an algorithm that encrypts and decrypts data to be able to
	47	transmit it over an insecure channel.
	48
	49	'NAME integrities' [INTEGRITY-LIST\|+INTEGRITY ...\|-INTEGRITY ...]::
	50	This command allows modifying the integrity list similar to the
	51	'ciphers' command.
	52	+
	53	Integrity algorithms are used to be able to determine if data has been
	54	altered when being transferred over an untrusted channel.
	55
	56	'NAME pseudo-random-functions' [PSEUDO-RANDOM-FUNCTION-LIST\|+PSEUDO-RANDOM-FUNCTION...\|-PSEUDO-RANDOM-FUNCTION]::
	57	This command allows modifying the list of pseudo random functions
	58	similar to the 'ciphers' command.
	59	+
	60	These functions are used in combination with an AEAD cipher only.
	61
	62	'NAME group-types' [GROUP-TYPES-LIST\|+GROUP-TYPE ...\|-GROUP-TYPE]::
	63	This command allows modifying the list of group types similar to the
	64	'ciphers' command.
	65	+
66	These algorithms are used to negotiate a shared secret of an insecure channel.
67
68	'NAME pfs' [on\|off]::
69	This command allows to enable or disable Perfect Forward Secrecy (PFS).
70	If PFS is enabled, the encrypted channels of a VPN connection will be
71	renegotiated regularly to avoid that the same keys are used for too long.
72	If an attacker is able to obtain a key that was used to encrypt the
73	data, it is only possible to decrypt a certain amount of data.
74	+
75	It is strongly recommended to enable PFS at all times.
76
77	'NAME lifetime' LIFETIME::
78	This command allows to define how often the VPN connection is
79	renegotiated if PFS is enabled.
80
81	'NAME compression' [on\|off]::
82	This command allows to enable or disable compression.
83	If compression is enabled, all data is being compressed before being
84	sent through the VPN.
85	This setting is ignored if the peer does not support this.
86
87	== System Policies
88
89	The system comes with builtin policies that cannot be modified by the user.
90	They are intended to provide good defaults for various situations.
91
92	[horizontal]
93	'system'::
94	This policy is the default for every VPN connection and allows using
95	all ciphers, integrity and key-exchange algorithms that are recommended
96	to use and have not been proven or assumed to be broken, yet.
97	+
98	Over time, this policy will change whenever an algorithm has been broken
99	and is not recommended to be used any more.
100
101	'performance'::
102	This policy is recommended to be used on systems that are not very powerful.
103	Algorithms with smaller key lengths, but still considered to be secure
104	are being used.
105
106	System policies cannot be deleted.
107
6b1e7474 MT	108	== AUTHORS
	109	Michael Tremer
	110
0a31681e MT	111	== SEE ALSO
	112	link:network[8],
	113	link:network-vpn[8]