git.ipfire.org Git - people/ms/network.git/blame - man/network-vpn-security-policies.xml
man: Add documentation for VPN security policies
[people/ms/network.git] / man / network-vpn-security-policies.xml
bec94f95
<?xml version="1.0"?>
<!DOCTYPE refentry PUBLIC "-//OASIS/DTD DocBook XML V4.2//EN"
	"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">

<refentry id="network-zone">
	<refentryinfo>
		<title>network-vpn-security-policies</title>
		<productname>network</productname>

		<authorgroup>
			<author>
				<contrib>Developer</contrib>
				<firstname>Michael</firstname>
				<surname>Tremer</surname>
				<email>michael.tremer@ipfire.org</email>
			</author>
		</authorgroup>
	</refentryinfo>

	<refmeta>
		<refentrytitle>network-vpn-security-policies</refentrytitle>
		<manvolnum>8</manvolnum>
	</refmeta>

	<refnamediv>
		<refname>network-vpn-security-policies</refname>
		<refpurpose>Network Configuration Control Program</refpurpose>
	</refnamediv>

	<refsynopsisdiv>
		<cmdsynopsis>
			<command>network vpn security-policies <arg choice="plain">[new|destroy]</arg> <replaceable>NAME</replaceable> ...</command>
		</cmdsynopsis>

		<cmdsynopsis>
			<command>network vpn security-policies <replaceable>NAME</replaceable> <arg choice="plain">command</arg> ...</command>
		</cmdsynopsis>
	</refsynopsisdiv>

	<refsect1>
		<title>Description</title>

		<para>
			The <command>vpn security-policies</command> command creates,
			destroys and edits VPN security policies.
		</para>
		<para>
			A security policy defines the ciphers, integrity algorithms and
			key-exchange algorithms that a VPN connection may use.
		</para>
	</refsect1>

	<refsect1>
		<title>Commands</title>

		<para>
			The following commands are understood:
		</para>

		<variablelist>
			<varlistentry>
				<term>
					<command>new <replaceable>NAME</replaceable></command>
				</term>

				<listitem>
					<para>
						A new security policy may be created with the
						<command>new</command> command.
					</para>

					<para>
						<replaceable>NAME</replaceable> must not contain any spaces.
					</para>
				</listitem>
			</varlistentry>

			<varlistentry>
				<term>
					<command>destroy <replaceable>NAME</replaceable></command>
				</term>

				<listitem>
					<para>
						A security policy can be destroyed with this command.
					</para>
					<para>
						A policy that is still in use by a VPN connection cannot be destroyed.
					</para>
				</listitem>
			</varlistentry>
		</variablelist>

		<para>
			For all other commands, the name of the security policy needs to be passed first:
		</para>

		<variablelist>
			<varlistentry>
				<term>
					<command><replaceable>NAME</replaceable> show</command>
				</term>

				<listitem>
					<para>
						Shows the configuration of the security policy.
					</para>
				</listitem>
			</varlistentry>

			<varlistentry>
				<term>
					<command><replaceable>NAME</replaceable> key-exchange <replaceable>[IKEv2|IKEv1]</replaceable></command>
				</term>

				<listitem>
					<para>
						Defines the key-exchange protocol (IKEv2 or IKEv1) that is used
						to establish an IPsec VPN connection.
					</para>
				</listitem>
			</varlistentry>

			<varlistentry>
				<term>
					<command><replaceable>NAME</replaceable> ciphers <replaceable>[CIPHER-LIST|+CIPHER ...|-CIPHER ...]</replaceable></command>
				</term>

				<listitem>
					<para>
						This command modifies the cipher list.
					</para>

					<para>
						A new <replaceable>CIPHER-LIST</replaceable> can be passed,
						which replaces the current configuration.
						Alternatively, individual ciphers can be added by prefixing
						the cipher name with a + sign, and removed likewise by
						prefixing it with a - sign.
					</para>

					<para>
						A cipher is an algorithm that encrypts and decrypts data
						so that it can be transmitted over an insecure channel.
					</para>
				</listitem>
			</varlistentry>

			<varlistentry>
				<term>
					<command><replaceable>NAME</replaceable> integrities <replaceable>[INTEGRITY-LIST|+INTEGRITY ...|-INTEGRITY ...]</replaceable></command>
				</term>

				<listitem>
					<para>
						This command modifies the integrity list in the same way
						as the <command>ciphers</command> command.
					</para>

					<para>
						Integrity algorithms are used to detect whether data has
						been altered while being transferred over an untrusted channel.
					</para>
				</listitem>
			</varlistentry>

			<varlistentry>
				<term>
					<command><replaceable>NAME</replaceable> group-types <replaceable>[GROUP-TYPES-LIST|+GROUP-TYPE ...|-GROUP-TYPE ...]</replaceable>
					</command>
				</term>

				<listitem>
					<para>
						This command modifies the list of group types in the same way
						as the <command>ciphers</command> command.
					</para>

					<para>
						These algorithms are used to negotiate a shared secret
						over an insecure channel.
					</para>
				</listitem>
			</varlistentry>

			<varlistentry>
				<term>
					<command><replaceable>NAME</replaceable> pfs <replaceable>[on|off]</replaceable></command>
				</term>

				<listitem>
					<para>
						This command enables or disables Perfect Forward Secrecy (PFS).
					</para>

					<para>
						If PFS is enabled, the encrypted channels of a VPN connection are
						renegotiated regularly so that the same keys are not used for too long.
						An attacker who obtains a key that was used to encrypt the data can
						then decrypt only the limited amount of data that was protected
						with that key.
					</para>

					<para>
						It is strongly recommended to enable PFS at all times.
					</para>
				</listitem>
			</varlistentry>

			<varlistentry>
				<term>
					<command><replaceable>NAME</replaceable> lifetime <replaceable>LIFETIME</replaceable></command>
				</term>

				<listitem>
					<para>
						This command defines how often the VPN connection is
						renegotiated when PFS is enabled.
					</para>
				</listitem>
			</varlistentry>

			<varlistentry>
				<term>
					<command><replaceable>NAME</replaceable> compression <replaceable>[on|off]</replaceable></command>
				</term>

				<listitem>
					<para>
						This command enables or disables compression.
					</para>

					<para>
						If compression is enabled, all data is compressed before it is
						sent through the VPN.
						The setting is ignored if the peer does not support compression.
					</para>
				</listitem>
			</varlistentry>
		</variablelist>
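		<para>
			The following shell function is an added example and is not part of
			the network project's own code. It models the list-editing semantics
			described above for the <command>ciphers</command>,
			<command>integrities</command> and <command>group-types</command>
			commands: a plain list replaces the current value, an argument
			prefixed with + appends an entry, and an argument prefixed with -
			removes one. The algorithm names used below are constructed sample
			values, and two details are assumptions made here rather than
			documented behaviour of the tool: mixing a plain replacement list
			with +/- edits in one call is rejected, and an edit that would leave
			the list empty is rejected, because a policy with no algorithms left
			could never negotiate a connection.
		</para>

```shell
#!/bin/sh
# Added example, not the network project's code: model of the
# "[LIST|+ITEM ...|-ITEM ...]" argument handling used by the
# ciphers, integrities and group-types commands.

# list_contains LIST ITEM: succeed if ITEM is one of the words of LIST.
list_contains() {
	for _i in $1; do
		if [ "$_i" = "$2" ]; then
			return 0
		fi
	done
	return 1
}

# policy_edit_list CURRENT ARG...: print the new list on stdout.
#   plain words   replace the current list entirely
#   +ITEM         append ITEM (no duplicates)
#   -ITEM         remove ITEM
# Returns 1 (assumption, see lead-in) when replace and +/- edits are mixed
# or when the resulting list would be empty.
policy_edit_list() {
	current="$1"; shift
	mode=""
	result="$current"
	replacement=""

	for arg in "$@"; do
		case "$arg" in
			+*)
				[ -z "$mode" ] || [ "$mode" = "edit" ] || return 1
				mode="edit"
				item="${arg#+}"
				if ! list_contains "$result" "$item"; then
					result="${result:+$result }$item"
				fi
				;;
			-*)
				[ -z "$mode" ] || [ "$mode" = "edit" ] || return 1
				mode="edit"
				item="${arg#-}"
				new=""
				for i in $result; do
					if [ "$i" != "$item" ]; then
						new="${new:+$new }$i"
					fi
				done
				result="$new"
				;;
			*)
				[ -z "$mode" ] || [ "$mode" = "replace" ] || return 1
				mode="replace"
				replacement="${replacement:+$replacement }$arg"
				;;
		esac
	done

	if [ "$mode" = "replace" ]; then
		result="$replacement"
	fi

	# Refuse to leave the policy without any algorithm (assumption).
	[ -n "$result" ] || return 1
	printf '%s\n' "$result"
}

# Demonstration with constructed algorithm names:
# prints "AES256-GCM128 CHACHA20-POLY1305"
policy_edit_list "AES256-GCM128 AES128-GCM128" +CHACHA20-POLY1305 -AES128-GCM128
# prints "AES256-CBC AES128-CBC" (full replacement)
policy_edit_list "AES256-GCM128 AES128-GCM128" AES256-CBC AES128-CBC
```

		<para>
			Run from a POSIX shell; the function prints the new list and the
			caller decides whether to store it, which keeps validation separate
			from persistence.
		</para>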
	</refsect1>

	<refsect1>
		<title>System Policies</title>

		<para>
			The system comes with built-in policies that cannot be modified by the user.
			They are intended to provide good defaults for various situations.
		</para>

		<refsect2>
			<title>system</title>

			<para>
				This policy is the default for every VPN connection. It allows all
				ciphers, integrity algorithms and key-exchange algorithms that are
				currently recommended and are neither proven nor suspected to be broken.
			</para>

			<para>
				This policy changes over time: whenever an algorithm is broken or
				is no longer recommended, it is removed from the policy.
			</para>
		</refsect2>

		<refsect2>
			<title>performance</title>

			<para>
				This policy is recommended for systems with little computing power.
				It uses algorithms with smaller key lengths that are still
				considered secure.
			</para>
		</refsect2>

		<para>
			System policies cannot be deleted.
		</para>
	</refsect1>

	<refsect1>
		<title>See Also</title>

		<para>
			<citerefentry>
				<refentrytitle>network</refentrytitle>
				<manvolnum>8</manvolnum>
			</citerefentry>,
			<citerefentry>
				<refentrytitle>network-vpn</refentrytitle>
				<manvolnum>8</manvolnum>
			</citerefentry>
		</para>
	</refsect1>
</refentry>