author | Robert Göhler <github@ghlr.de> | 2021-12-07 20:31:24 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2021-12-07 20:31:24 +0100 |
commit | d30f8c0f58a5086aef61f6259f74192021a03c6e (patch) | |
tree | ad8fc78453ae76237477192f9aa42f1a2373686e | |
parent | 39e8c25c1dfb49a863d744385a9a315a803e091e (diff) | |
parent | 865ff61166299ac542d7bf6a6419d54dd0d7597f (diff) | |
Merge pull request #674 from goodNETnick/master
ESP group parameters
-rw-r--r-- | docs/configuration/vpn/ipsec.rst | 46 |
1 files changed, 46 insertions, 0 deletions
diff --git a/docs/configuration/vpn/ipsec.rst b/docs/configuration/vpn/ipsec.rst index 29dc5a0e..590f6023 100644 --- a/docs/configuration/vpn/ipsec.rst +++ b/docs/configuration/vpn/ipsec.rst @@ -111,6 +111,52 @@ VyOS IKE group has the next options: * ``hash`` hash algorithm. +*********************************************** +ESP (Encapsulating Security Payload) Attributes +*********************************************** +ESP is used to provide confidentiality, data origin authentication, +connectionless integrity, an anti-replay service (a form of partial sequence +integrity), and limited traffic flow confidentiality. +https://datatracker.ietf.org/doc/html/rfc4303 + +In VyOS, ESP attributes are specified through ESP groups. +Multiple proposals can be specified in a single group. + +VyOS ESP group has the next options: + +* ``compression`` whether IPComp compression of content is proposed + on the connection: + + * ``disable`` disable IPComp compression (default); + + * ``enable`` enable IPComp compression; + +* ``lifetime`` ESP lifetime in seconds <30-86400> (default 3600). + How long a particular instance of a connection (a set of + encryption/authentication keys for user packets) should last, + from successful negotiation to expiry; + +* ``mode`` the type of the connection: + + * ``tunnel`` tunnel mode (default); + + * ``transport`` transport mode; + +* ``pfs`` whether Perfect Forward Secrecy of keys is desired on the + connection's keying channel and defines a Diffie-Hellman group for PFS: + + * ``enable`` Inherit Diffie-Hellman group from IKE group (default); + + * ``disable`` Disable PFS; + + * ``< dh-group >`` defines a Diffie-Hellman group for PFS; + +* ``proposal`` ESP-group proposal with number <1-65535>: + + * ``encryption`` encryption algorithm (default 128 bit AES-CBC); + + * ``hash`` hash algorithm (default sha1). + ************************* IPsec policy matching GRE ************************* |
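Review bot: the ``pfs`` sub-option placeholder is written as ``< dh-group >`` with spaces inside the angle brackets, while every other placeholder in the same hunk (``<30-86400>`` for ``lifetime``, ``<1-65535>`` for ``proposal``) has none; drop the spaces so it reads ``<dh-group>`` and matches the CLI form. In the same list, "Inherit Diffie-Hellman group from IKE group" and "Disable PFS" start with a capital letter while all other option descriptions are lowercase ("disable IPComp compression", "tunnel mode"); use one style. The bare ``https://datatracker.ietf.org/doc/html/rfc4303`` line renders as an unlabelled URL in the built docs; an RST hyperlink such as `RFC 4303 <https://datatracker.ietf.org/doc/html/rfc4303>`_ reads better. Finally, since the ``encryption`` and ``hash`` bullets document the defaults (128-bit AES-CBC, sha1), it is worth adding a short sentence that proposals should be stated explicitly rather than left at those defaults, as the IKE section above already does for its own parameters.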