<?xml version="1.0"?>
<!DOCTYPE refentry PUBLIC "-//OASIS/DTD DocBook XML V4.2//EN"
	"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">

<refentry id="network-zone">
	<refentryinfo>
		<title>network-vpn-security-policies</title>
		<productname>network</productname>

		<authorgroup>
			<author>
				<contrib>Developer</contrib>
				<firstname>Michael</firstname>
				<surname>Tremer</surname>
				<email>michael.tremer@ipfire.org</email>
			</author>
		</authorgroup>
	</refentryinfo>

	<refmeta>
		<refentrytitle>network-vpn-security-policies</refentrytitle>
		<manvolnum>8</manvolnum>
	</refmeta>

	<refnamediv>
		<refname>network-vpn-security-policies</refname>
		<refpurpose>Network Configuration Control Program</refpurpose>
	</refnamediv>

	<refsynopsisdiv>
		<cmdsynopsis>
			<command>network vpn security-policies <arg choice="plain">[new|destroy]</arg> <replaceable>NAME</replaceable> ...</command>
		</cmdsynopsis>

		<cmdsynopsis>
			<command>network vpn security-policies <replaceable>NAME</replaceable> <arg choice="plain">command</arg> ...</command>
		</cmdsynopsis>
	</refsynopsisdiv>

	<refsect1>
		<title>Description</title>

		<para>
			The <command>vpn security-policies</command> command creates, destroys
			and edits VPN security policies.
		</para>
		<para>
			A security policy defines which ciphers, integrity algorithms,
			pseudo-random functions, key-agreement group types and key-exchange
			protocol a VPN connection is allowed to negotiate.
		</para>
	</refsect1>

	<refsect1>
		<title>Commands</title>

		<para>
			The following commands are understood:
		</para>

		<variablelist>
			<varlistentry>
				<term>
					<command>new <replaceable>NAME</replaceable></command>
				</term>

				<listitem>
					<para>
						Creates a new security policy called
						<replaceable>NAME</replaceable>.
					</para>

					<para>
						<replaceable>NAME</replaceable> must not contain any spaces.
					</para>
				</listitem>
			</varlistentry>

			<varlistentry>
				<term>
					<command>destroy <replaceable>NAME</replaceable></command>
				</term>

				<listitem>
					<para>
						Destroys the security policy <replaceable>NAME</replaceable>.
					</para>
					<para>
						A policy that is still in use by a VPN connection cannot be
						destroyed, and neither can the built-in system policies.
					</para>
				</listitem>
			</varlistentry>
		</variablelist>

		<para>
			All other commands take the name of the security policy as their first argument:
		</para>

		<variablelist>
			<varlistentry>
				<term>
					<command><replaceable>NAME</replaceable> show</command>
				</term>

				<listitem>
					<para>
						Shows the configuration of the security policy.
					</para>
				</listitem>
			</varlistentry>

			<varlistentry>
				<term>
					<command><replaceable>NAME</replaceable> key-exchange <replaceable>[IKEv2|IKEv1]</replaceable></command>
				</term>

				<listitem>
					<para>
						Selects the version of the Internet Key Exchange protocol
						that is used to set up an IPsec VPN connection.
						IKEv2 is the preferred choice; IKEv1 should only be selected
						for peers that do not support IKEv2.
					</para>
				</listitem>
			</varlistentry>

			<varlistentry>
				<term>
					<command><replaceable>NAME</replaceable> ciphers <replaceable>[CIPHER-LIST|+CIPHER ...|-CIPHER ...]</replaceable></command>
				</term>

				<listitem>
					<para>
						Modifies the list of ciphers.
					</para>

					<para>
						A new <replaceable>CIPHER-LIST</replaceable> replaces the
						current configuration entirely.
						Alternatively, individual ciphers can be added by prefixing
						the cipher name with a + sign, and removed by prefixing it
						with a - sign.
					</para>

					<para>
						A cipher is the algorithm that encrypts and decrypts the data
						so that it can be transmitted over an insecure channel.
					</para>
				</listitem>
			</varlistentry>

			<varlistentry>
				<term>
					<command><replaceable>NAME</replaceable> integrities <replaceable>[INTEGRITY-LIST|+INTEGRITY ...|-INTEGRITY ...]</replaceable></command>
				</term>

				<listitem>
					<para>
						Modifies the list of integrity algorithms, with the same
						syntax as the <command>ciphers</command> command.
					</para>

					<para>
						Integrity algorithms detect whether data has been altered
						while being transferred over an untrusted channel.
					</para>
				</listitem>
			</varlistentry>

			<varlistentry>
				<term>
					<command><replaceable>NAME</replaceable> pseudo-random-functions <replaceable>[PSEUDO-RANDOM-FUNCTION-LIST|+PSEUDO-RANDOM-FUNCTION ...|-PSEUDO-RANDOM-FUNCTION ...]</replaceable>
					</command>
				</term>

				<listitem>
					<para>
						Modifies the list of pseudo-random functions, with the same
						syntax as the <command>ciphers</command> command.
					</para>

					<para>
						A pseudo-random function derives the session keys from the
						negotiated shared secret.
						This list is only used in combination with an AEAD cipher:
						an AEAD cipher provides its own integrity protection, so no
						separate integrity algorithm is negotiated from which the
						function could otherwise be taken.
					</para>
				</listitem>
			</varlistentry>

			<varlistentry>
				<term>
					<command><replaceable>NAME</replaceable> group-types <replaceable>[GROUP-TYPES-LIST|+GROUP-TYPE ...|-GROUP-TYPE ...]</replaceable>
					</command>
				</term>

				<listitem>
					<para>
						Modifies the list of group types, with the same
						syntax as the <command>ciphers</command> command.
					</para>

					<para>
						These groups are used to agree on a shared secret over an
						insecure channel (Diffie-Hellman key agreement).
					</para>
				</listitem>
			</varlistentry>

			<varlistentry>
				<term>
					<command><replaceable>NAME</replaceable> pfs <replaceable>[on|off]</replaceable></command>
				</term>

				<listitem>
					<para>
						Enables or disables Perfect Forward Secrecy (PFS).
					</para>

					<para>
						If PFS is enabled, the encrypted channels of a VPN connection
						are rekeyed regularly and every rekeying performs a fresh key
						agreement, so that no key stays in use for too long and later
						keys cannot be derived from earlier ones.
						An attacker who obtains one key can therefore decrypt only the
						traffic that was protected with that key, not the data
						exchanged before or after it.
					</para>

					<para>
						It is strongly recommended to keep PFS enabled at all times.
					</para>
				</listitem>
			</varlistentry>

			<varlistentry>
				<term>
					<command><replaceable>NAME</replaceable> lifetime <replaceable>LIFETIME</replaceable></command>
				</term>

				<listitem>
					<para>
						Defines how often the VPN connection is rekeyed when PFS is
						enabled, i.e. how long one set of keys stays in use.
						A shorter lifetime limits the amount of traffic exposed by a
						single compromised key.
					</para>
				</listitem>
			</varlistentry>

			<varlistentry>
				<term>
					<command><replaceable>NAME</replaceable> compression <replaceable>[on|off]</replaceable></command>
				</term>

				<listitem>
					<para>
						Enables or disables compression.
					</para>

					<para>
						If compression is enabled, all data is compressed before it is
						sent through the VPN.
						The setting is ignored if the peer does not support compression.
					</para>
				</listitem>
			</varlistentry>
		</variablelist>
	</refsect1>
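The ciphers, integrities, pseudo-random-functions and group-types commands above share one editing syntax: a bare list replaces the configuration, while +NAME and -NAME edit it. The POSIX shell function below is an added example that models that syntax; it is not code from the network tool itself. Its algorithm names are placeholders, and its refusal to mix a replacement list with +/- edits, its error on removing an algorithm that is not enabled, and its check that a policy never ends up with an empty list are this example's own assumptions, not documented behaviour of network(8):

```shell
#!/bin/sh
# Added example, not code from the network(8) tool itself: a POSIX shell model
# of the list-editing rules documented for the ciphers, integrities,
# pseudo-random-functions and group-types commands.
#
#   edit_list "CURRENT-LIST" ARG...
#
# prints the resulting list on one line and returns 1 on invalid input.
# The algorithm names (AES256-GCM etc.) are illustrative placeholders, not the
# tool's real identifiers, and the extra sanity checks are this example's own.

# Return 0 if word $1 occurs in the whitespace-separated list $2.
list_contains() {
	for _item in $2; do
		[ "$_item" = "$1" ] && return 0
	done
	return 1
}

# Append $1 to the list held in $result unless it is already present, so that
# "+CIPHER" for a cipher that is already enabled is a harmless no-op.
list_add() {
	list_contains "$1" "$result" || result="${result:+$result }$1"
}

# Drop $1 from $result. Fails if it was not present: a mistyped "-CIPHER"
# would otherwise silently leave the weak algorithm enabled (assumption).
list_remove() {
	list_contains "$1" "$result" || return 1
	_new=""
	for _item in $result; do
		[ "$_item" = "$1" ] || _new="${_new:+$_new }$_item"
	done
	result="$_new"
}

edit_list() {
	current="$1"; shift
	[ $# -gt 0 ] || { echo "edit_list: nothing to do" >&2; return 1; }

	# The first argument decides the mode: "+X" or "-X" edits the current list,
	# anything else starts a fresh replacement list. Mixing the two forms in one
	# call is rejected (assumption; the page presents them as alternatives).
	case "$1" in
		[-+]?*) mode=modify; result="$current" ;;
		*)      mode=replace; result="" ;;
	esac

	for arg in "$@"; do
		case "$arg" in
			+|-)
				echo "edit_list: empty algorithm name in '$arg'" >&2; return 1 ;;
			+*)
				[ "$mode" = modify ] || { echo "edit_list: cannot mix +/- with a list" >&2; return 1; }
				list_add "${arg#+}" ;;
			-*)
				[ "$mode" = modify ] || { echo "edit_list: cannot mix +/- with a list" >&2; return 1; }
				list_remove "${arg#-}" || { echo "edit_list: ${arg#-} is not in the list" >&2; return 1; } ;;
			*)
				[ "$mode" = replace ] || { echo "edit_list: cannot mix a list with +/-" >&2; return 1; }
				# A CIPHER-LIST may arrive as one space-separated argument; split it.
				for name in $arg; do list_add "$name"; done ;;
		esac
	done

	# Never leave the policy with nothing to negotiate (assumption).
	[ -n "$result" ] || { echo "edit_list: resulting list would be empty" >&2; return 1; }
	printf '%s\n' "$result"
}

# Worked run on an assumed current cipher list.
demo() {
	policy="AES256-GCM AES128-GCM AES256-CBC"
	edit_list "$policy" -AES256-CBC +CHACHA20-POLY1305   # drop CBC, add an AEAD cipher
	edit_list "$policy" "AES256-GCM CHACHA20-POLY1305"   # replace the whole list
	edit_list "$policy" -3DES || echo "rejected: 3DES was not enabled" >&2
}
demo
```

The real commands apply the same edits to a named policy, e.g. <command>network vpn security-policies <replaceable>NAME</replaceable> ciphers -<replaceable>CIPHER</replaceable> +<replaceable>CIPHER</replaceable></command>; the rejection of a removal that matches nothing is the check a practitioner wants when tightening a policy, because a typo in a "-CIPHER" argument must not pass silently.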

	<refsect1>
		<title>System Policies</title>

		<para>
			The system ships with built-in policies that cannot be modified by the user.
			They are intended to provide good defaults for various situations.
		</para>

		<refsect2>
			<title>system</title>

			<para>
				This policy is the default for every VPN connection. It permits all
				ciphers, integrity and key-exchange algorithms that are currently
				recommended and are neither known nor suspected to be broken.
			</para>

			<para>
				This policy changes over time: an algorithm is removed from it as soon
				as it has been broken or is no longer recommended.
			</para>
		</refsect2>

		<refsect2>
			<title>performance</title>

			<para>
				This policy is intended for systems with limited processing power.
				It uses algorithms with smaller key lengths that are still considered
				secure.
			</para>
		</refsect2>

		<para>
			System policies cannot be destroyed.
		</para>
	</refsect1>

	<refsect1>
		<title>See Also</title>

		<para>
			<citerefentry>
				<refentrytitle>network</refentrytitle>
				<manvolnum>8</manvolnum>
			</citerefentry>,
			<citerefentry>
				<refentrytitle>network-vpn</refentrytitle>
				<manvolnum>8</manvolnum>
			</citerefentry>
		</para>
	</refsect1>
</refentry>