= network-vpn-security-policies(8)
Michael Tremer <michael.tremer@ipfire.org>

== NAME
network-vpn-security-policies - Configure VPN Security Policies

== SYNOPSIS
[verse]
'network vpn security-policies [new|destroy]' NAME...
'network vpn security-policies' NAME COMMAND ...

== DESCRIPTION
The 'vpn security-policies' command creates, destroys and edits VPN
security policies.

A security policy defines the set of ciphers, integrity algorithms,
pseudo-random functions and key-exchange groups that a VPN connection is
allowed to negotiate.

== COMMANDS
The following commands are understood:

'new NAME'::
A new security policy may be created with the 'new' command.
+
NAME must not contain spaces.

'destroy NAME'::
A security policy can be destroyed with this command.
+
A policy that is still in use by a VPN connection cannot be destroyed.

For all other commands, the name of the security policy needs to be passed first:

'NAME show'::
Shows the configuration of the security policy.

'NAME key-exchange' [IKEv2|IKEv1]::
Selects the version of the Internet Key Exchange protocol (IKEv2 or IKEv1)
that is used to set up an IPsec VPN connection. IKEv2 is the current
version and should be used unless the peer only supports IKEv1.

'NAME ciphers' [CIPHER-LIST|+CIPHER ...|-CIPHER ...]::
This command modifies the cipher list.
A complete CIPHER-LIST replaces the current configuration.
Alternatively, individual ciphers can be added by prefixing the cipher
name with a + sign, or removed by prefixing it with a - sign.
+
A cipher is an algorithm that encrypts and decrypts data so that it can be
transmitted over an insecure channel.

'NAME integrities' [INTEGRITY-LIST|+INTEGRITY ...|-INTEGRITY ...]::
This command modifies the list of integrity algorithms in the same way as
the 'ciphers' command.
+
Integrity algorithms make it possible to detect whether data has been
altered while being transferred over an untrusted channel.

'NAME pseudo-random-functions' [PSEUDO-RANDOM-FUNCTION-LIST|+PSEUDO-RANDOM-FUNCTION ...|-PSEUDO-RANDOM-FUNCTION ...]::
This command modifies the list of pseudo-random functions in the same way
as the 'ciphers' command.
+
A pseudo-random function derives the keying material of a connection.
With a classic cipher it is taken from the negotiated integrity algorithm;
an AEAD cipher authenticates the data itself and is used without a separate
integrity algorithm, so the functions in this list are only used in
combination with an AEAD cipher.

'NAME group-types' [GROUP-TYPES-LIST|+GROUP-TYPE ...|-GROUP-TYPE ...]::
This command modifies the list of group types in the same way as the
'ciphers' command.
+
Group types are the Diffie-Hellman groups (modular or elliptic-curve) that
are used to negotiate a shared secret over an insecure channel.

'NAME pfs' [on|off]::
This command enables or disables Perfect Forward Secrecy (PFS).
If PFS is enabled, every renegotiation of the encrypted channels of a VPN
connection performs a fresh key exchange, so that the new keys are not
derived from the previous ones.
An attacker who obtains one key can then only decrypt the data that was
protected by that key, not the data of earlier or later periods.
+
It is strongly recommended to enable PFS at all times.

'NAME lifetime' LIFETIME::
This command defines how often the VPN connection is renegotiated
(rekeyed). With PFS enabled, every renegotiation also produces fresh,
independent keys, so a shorter lifetime limits the amount of data that a
single compromised key exposes.

'NAME compression' [on|off]::
This command enables or disables compression.
If compression is enabled, all data is compressed before being sent
through the VPN.
This setting is ignored if the peer does not support compression.
+
Compressing data before encrypting it makes the size of the transmitted
packets depend on the content of the plaintext, which can leak information
about it. Leave compression off unless bandwidth matters more than that
risk.

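The four list commands above ('ciphers', 'integrities', 'pseudo-random-functions'
and 'group-types') share one editing scheme: a plain list replaces the
configuration, '+NAME' adds an entry and '-NAME' removes one. The following
shell function is an example added to this page that models that scheme so it
can be tried without the 'network' tool; it is not the tool's own
implementation. The algorithm names in the demonstration are placeholders, and
the handling of the edge cases (duplicate additions are ignored, removing an
unknown entry or emptying the list is an error, plain names cannot be mixed
with +/- arguments) is the example's choice, not documented behaviour of the
tool.

```shell
#!/bin/sh
# Example added to the man page: models the list-editing scheme shared by
# the 'ciphers', 'integrities', 'pseudo-random-functions' and 'group-types'
# commands. This is NOT the network(8) tool's implementation.

# _has NEEDLE WORD...  -> success if NEEDLE is one of WORD...
_has() {
    needle=$1; shift
    for w in "$@"; do
        [ "$w" = "$needle" ] && return 0
    done
    return 1
}

# _without NEEDLE WORD...  -> prints WORD... with every NEEDLE removed
_without() {
    needle=$1; shift
    out=""
    for w in "$@"; do
        [ "$w" = "$needle" ] || out="$out $w"
    done
    printf '%s\n' "${out# }"
}

# update_list CURRENT ARG...
#   +NAME   add NAME (ignored if already present)
#   -NAME   remove NAME (error if not present)
#   NAME    plain names form a new list that replaces CURRENT
# Prints the resulting list; returns 1 on error. Assumptions of this
# example: plain names and +/- arguments cannot be mixed, and the result
# must never be empty (a policy with no algorithms would be unusable).
update_list() {
    current=$1; shift
    mode=""
    new=""
    for arg in "$@"; do
        case $arg in
            +*|-*)
                [ -n "$mode" ] || { mode=edit; new=$current; }
                if [ "$mode" != edit ]; then
                    echo "error: cannot mix +/- with a full list" >&2; return 1
                fi
                item=${arg#?}          # strip the leading sign
                ;;
            *)
                [ -n "$mode" ] || mode=replace
                if [ "$mode" != replace ]; then
                    echo "error: cannot mix a full list with +/-" >&2; return 1
                fi
                item=$arg
                ;;
        esac
        # $new is expanded unquoted on purpose: word splitting turns the
        # space-separated list into one argument per entry.
        case $arg in
            -*)
                if ! _has "$item" $new; then
                    echo "error: '$item' is not in the list" >&2; return 1
                fi
                new=$(_without "$item" $new)
                ;;
            *)
                _has "$item" $new || new="$new $item"   # skip duplicates
                ;;
        esac
    done
    set -- $new                         # normalise whitespace, count entries
    if [ $# -eq 0 ]; then
        echo "error: the list must not be empty" >&2; return 1
    fi
    printf '%s\n' "$*"
}

# Demonstration with constructed placeholder names.
policy="CIPHER-A CIPHER-B"
policy=$(update_list "$policy" +CIPHER-C)    # add
policy=$(update_list "$policy" -CIPHER-B)    # remove
echo "ciphers after +CIPHER-C -CIPHER-B: $policy"
policy=$(update_list "$policy" CIPHER-D)     # a plain list replaces everything
echo "ciphers after replace: $policy"
```

Piped through `update_list`, the same sequence of arguments that would be given
to 'NAME ciphers' yields the list that ends up in the policy, which makes it
easy to check an intended change before applying it to a live policy.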
== System Policies

The system comes with built-in policies that cannot be modified by the user.
They are intended to provide good defaults for various situations.

[horizontal]
'system'::
This policy is the default for every VPN connection. It permits all
ciphers, integrity algorithms, pseudo-random functions and key-exchange
groups that are currently recommended and that are neither known nor
suspected to be broken.
+
Over time, this policy will change whenever an algorithm has been broken
and is no longer recommended.

'performance'::
This policy is recommended for systems with little processing power.
It uses algorithms with smaller key lengths that are still considered
secure.

System policies cannot be deleted.

== SEE ALSO
link:network[8],
link:network-vpn[8]