<?xml version="1.0"?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
	"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">

<refentry id="network-zone">
	<refentryinfo>
		<title>network-vpn-security-policies</title>
		<productname>network</productname>

		<authorgroup>
			<author>
				<contrib>Developer</contrib>
				<firstname>Michael</firstname>
				<surname>Tremer</surname>
				<email>michael.tremer@ipfire.org</email>
			</author>
		</authorgroup>
	</refentryinfo>

	<refmeta>
		<refentrytitle>network-vpn-security-policies</refentrytitle>
		<manvolnum>8</manvolnum>
	</refmeta>

	<refnamediv>
		<refname>network-vpn-security-policies</refname>
		<refpurpose>Manage VPN security policies</refpurpose>
	</refnamediv>

	<refsynopsisdiv>
		<cmdsynopsis>
			<command>network vpn security-policies <arg choice="plain">[new|destroy]</arg> <replaceable>NAME</replaceable> ...</command>
		</cmdsynopsis>

		<cmdsynopsis>
			<command>network vpn security-policies <replaceable>NAME</replaceable> <arg choice="plain">command</arg> ...</command>
		</cmdsynopsis>
	</refsynopsisdiv>

	<refsect1>
		<title>Description</title>

		<para>
			With the help of <command>vpn security-policies</command>, it is possible
			to create, destroy and edit VPN security policies.
		</para>
		<para>
			A security policy defines which ciphers, integrity algorithms,
			pseudo-random functions and key-exchange (Diffie-Hellman) groups
			a VPN connection is allowed to negotiate.
		</para>
	</refsect1>

	<refsect1>
		<title>Commands</title>

		<para>
			The following commands are understood:
		</para>

		<variablelist>
			<varlistentry>
				<term>
					<command>new <replaceable>NAME</replaceable></command>
				</term>

				<listitem>
					<para>
						A new security policy may be created with the
						<command>new</command> command.
					</para>

					<para>
						<replaceable>NAME</replaceable> must not contain any spaces.
					</para>
				</listitem>
			</varlistentry>

			<varlistentry>
				<term>
					<command>destroy <replaceable>NAME</replaceable></command>
				</term>

				<listitem>
					<para>
						A security policy can be destroyed with this command.
					</para>
					<para>
						A policy that is still in use by a VPN connection cannot be destroyed.
					</para>
				</listitem>
			</varlistentry>
		</variablelist>

		<para>
			For all other commands, the name of the security policy needs to be passed first:
		</para>

		<variablelist>
			<varlistentry>
				<term>
					<command><replaceable>NAME</replaceable> show</command>
				</term>

				<listitem>
					<para>
						Shows the configuration of the security policy.
					</para>
				</listitem>
			</varlistentry>

			<varlistentry>
				<term>
					<command><replaceable>NAME</replaceable> key-exchange <replaceable>[IKEv2|IKEv1]</replaceable></command>
				</term>

				<listitem>
					<para>
						Defines the key exchange protocol that is used to
						establish an IPsec VPN connection. IKEv2 should be
						used wherever the peer supports it; IKEv1 is kept
						for compatibility with older peers only.
					</para>
				</listitem>
			</varlistentry>

			<varlistentry>
				<term>
					<command><replaceable>NAME</replaceable> ciphers <replaceable>[CIPHER-LIST|+CIPHER ...|-CIPHER ...]</replaceable></command>
				</term>

				<listitem>
					<para>
						This command allows modifying the cipher list.
					</para>

					<para>
						A new <replaceable>CIPHER-LIST</replaceable> can be passed,
						which replaces the current configuration.
						Alternatively, individual ciphers can be added by prefixing
						the cipher name with a + sign, and removed likewise by
						prefixing it with a - sign.
					</para>

					<para>
						A cipher is an algorithm that encrypts and decrypts data
						so that it can be transmitted over an insecure channel.
					</para>
				</listitem>
			</varlistentry>

			<varlistentry>
				<term>
					<command><replaceable>NAME</replaceable> integrities <replaceable>[INTEGRITY-LIST|+INTEGRITY ...|-INTEGRITY ...]</replaceable></command>
				</term>

				<listitem>
					<para>
						This command allows modifying the integrity list
						in the same way as the <command>ciphers</command> command.
					</para>

					<para>
						Integrity algorithms are used to detect whether data
						has been altered while being transferred over
						an untrusted channel.
					</para>
				</listitem>
			</varlistentry>

			<varlistentry>
				<term>
					<command><replaceable>NAME</replaceable> pseudo-random-functions <replaceable>[PSEUDO-RANDOM-FUNCTION-LIST|+PSEUDO-RANDOM-FUNCTION ...|-PSEUDO-RANDOM-FUNCTION ...]</replaceable>
					</command>
				</term>

				<listitem>
					<para>
						This command allows modifying the list of pseudo-random functions
						in the same way as the <command>ciphers</command> command.
					</para>

					<para>
						A pseudo-random function (PRF) is used to derive the session keys
						during the key exchange. These functions are used in combination
						with an AEAD cipher only: a conventional cipher is paired with an
						integrity algorithm from which the PRF is derived, whereas an AEAD
						cipher provides integrity itself and negotiates no separate
						integrity algorithm, so the PRF has to be configured explicitly.
					</para>
				</listitem>
			</varlistentry>

			<varlistentry>
				<term>
					<command><replaceable>NAME</replaceable> group-types <replaceable>[GROUP-TYPES-LIST|+GROUP-TYPE ...|-GROUP-TYPE ...]</replaceable>
					</command>
				</term>

				<listitem>
					<para>
						This command allows modifying the list of group types
						in the same way as the <command>ciphers</command> command.
					</para>

					<para>
						Group types are the Diffie-Hellman groups used to negotiate a
						shared secret over an insecure channel. The strength of the group
						bounds the strength of every key derived from it, so weak groups
						should not be kept in the list merely to accommodate old peers.
					</para>
				</listitem>
			</varlistentry>

			<varlistentry>
				<term>
					<command><replaceable>NAME</replaceable> pfs <replaceable>[on|off]</replaceable></command>
				</term>

				<listitem>
					<para>
						This command allows enabling or disabling Perfect Forward Secrecy (PFS).
					</para>

					<para>
						If PFS is enabled, a fresh Diffie-Hellman exchange is performed
						every time the encrypted channels of a VPN connection are rekeyed,
						so that each set of keys is independent of the ones used before.
						An attacker who obtains one key can then decrypt only the data
						that was protected by that key, not the traffic of earlier or
						later key periods.
					</para>

					<para>
						It is strongly recommended to enable PFS at all times.
					</para>
				</listitem>
			</varlistentry>

			<varlistentry>
				<term>
					<command><replaceable>NAME</replaceable> lifetime <replaceable>LIFETIME</replaceable></command>
				</term>

				<listitem>
					<para>
						This command defines the lifetime of a set of keys, i.e. how often
						the VPN connection is renegotiated when PFS is enabled.
					</para>
				</listitem>
			</varlistentry>

			<varlistentry>
				<term>
					<command><replaceable>NAME</replaceable> compression <replaceable>[on|off]</replaceable></command>
				</term>

				<listitem>
					<para>
						This command allows enabling or disabling compression.
					</para>

					<para>
						If compression is enabled, all data is compressed before being
						sent through the VPN.
						This setting is ignored if the peer does not support compression.
					</para>

					<para>
						Because the size of compressed data depends on its content,
						compressing before encryption can reveal information about the
						plaintext to an observer of the tunnel. Leave compression disabled
						unless bandwidth is the overriding concern.
					</para>
				</listitem>
			</varlistentry>
		</variablelist>
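
		<para>
			The list-editing rules described above (a complete list replaces the
			current configuration, while +NAME and -NAME arguments add to or remove
			from it) are shared by <command>ciphers</command>,
			<command>integrities</command>, <command>pseudo-random-functions</command>
			and <command>group-types</command>. The following shell functions are an
			added illustration of those rules; they are not code from the network(8)
			tool itself, and the algorithm names they use (AES256, AES128, 3DES,
			CHACHA20) are assumed for the example only.
		</para>

```shell
# Added example, not part of network(8): models the +/- list-editing
# semantics of the ciphers, integrities, pseudo-random-functions and
# group-types commands. Lists are space-separated strings; the algorithm
# names used below are assumed for illustration.

# list_contains LIST NAME: succeeds if NAME is an element of LIST
list_contains() {
	for e in $1; do
		[ "$e" = "$2" ] && return 0
	done
	return 1
}

# list_remove LIST NAME: prints LIST without any occurrence of NAME
list_remove() {
	out=""
	for e in $1; do
		[ "$e" = "$2" ] || out="${out:+$out }$e"
	done
	printf '%s\n' "$out"
}

# edit_list CURRENT-LIST ARG...: prints the new list, or fails (status 1)
# when the arguments are invalid or the result would leave no algorithm.
#   edit_list "$cur" AES256 AES128      replaces the whole list
#   edit_list "$cur" +CHACHA20 -3DES    adds CHACHA20, removes 3DES
edit_list() {
	list="$1"
	shift
	[ $# -gt 0 ] || return 1

	case "$1" in
		[+-]*)
			# Incremental edit: every argument must be +NAME or -NAME
			for arg in "$@"; do
				name="${arg#?}"
				[ -n "$name" ] || return 1
				case "$arg" in
					+*)
						# Adding an algorithm that is already present is a no-op
						list_contains "$list" "$name" || list="${list:+$list }$name"
						;;
					-*)
						list=$(list_remove "$list" "$name")
						;;
					*)
						# A plain name mixed into a +/- edit is an error
						return 1
						;;
				esac
			done
			;;
		*)
			# Replacement: the arguments are the complete new list,
			# so none of them may carry a +/- prefix
			for arg in "$@"; do
				case "$arg" in
					[+-]*) return 1 ;;
				esac
			done
			list="$*"
			;;
	esac

	# A policy with no algorithm left could never negotiate a connection
	[ -n "$list" ] || return 1
	printf '%s\n' "$list"
}

# Demonstration; the starting list is constructed for this example
cur="AES256 AES128 3DES"
cur=$(edit_list "$cur" -3DES +CHACHA20)   # AES256 AES128 CHACHA20
cur=$(edit_list "$cur" AES256 AES128)     # AES256 AES128
echo "$cur"
```

		<para>
			The refusal to leave an empty list and to mix plain names into a +/- edit
			are the checks a practitioner would want when scripting policy changes:
			a policy that silently loses all of its algorithms fails only at the
			next connection attempt.
		</para>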
	</refsect1>

	<refsect1>
		<title>System Policies</title>

		<para>
			The system comes with builtin policies that cannot be modified by the user.
			They are intended to provide good defaults for various situations.
		</para>

		<refsect2>
			<title>system</title>

			<para>
				This policy is the default for every VPN connection. It allows all
				ciphers, integrity and key-exchange algorithms that are currently
				recommended and have neither been proven nor are assumed to be broken.
			</para>

			<para>
				Over time, this policy will change whenever an algorithm has been broken
				and is no longer recommended.
			</para>
		</refsect2>

		<refsect2>
			<title>performance</title>

			<para>
				This policy is recommended for systems that are not very powerful.
				It uses algorithms with smaller key lengths that are still considered
				to be secure.
			</para>
		</refsect2>

		<para>
			System policies cannot be deleted.
		</para>
	</refsect1>

	<refsect1>
		<title>See Also</title>

		<para>
			<citerefentry>
				<refentrytitle>network</refentrytitle>
				<manvolnum>8</manvolnum>
			</citerefentry>,
			<citerefentry>
				<refentrytitle>network-vpn</refentrytitle>
				<manvolnum>8</manvolnum>
			</citerefentry>
		</para>
	</refsect1>
</refentry>