diff options
| author | goodNETnick <pknet@ya.ru> | 2021-12-07 13:46:15 +1000 | 
|---|---|---|
| committer | goodNETnick <pknet@ya.ru> | 2021-12-07 13:46:15 +1000 | 
| commit | 865ff61166299ac542d7bf6a6419d54dd0d7597f (patch) | |
| tree | 256e18904cf2f2518be18d225fce7a97ebbd8d25 /docs/configuration/vpn | |
| parent | 6e6f13489889f95ab500f4a5074ae122489655cf (diff) | |
| download | vyos-documentation-865ff61166299ac542d7bf6a6419d54dd0d7597f.tar.gz vyos-documentation-865ff61166299ac542d7bf6a6419d54dd0d7597f.zip | |
ESP group parameters
Diffstat (limited to 'docs/configuration/vpn')
| -rw-r--r-- | docs/configuration/vpn/ipsec.rst | 46 | 
1 files changed, 46 insertions, 0 deletions
| diff --git a/docs/configuration/vpn/ipsec.rst b/docs/configuration/vpn/ipsec.rst index 29dc5a0e..590f6023 100644 --- a/docs/configuration/vpn/ipsec.rst +++ b/docs/configuration/vpn/ipsec.rst @@ -111,6 +111,52 @@ VyOS IKE group has the next options:   * ``hash`` hash algorithm. +*********************************************** +ESP (Encapsulating Security Payload) Attributes +*********************************************** +ESP is used to provide confidentiality, data origin authentication,  +connectionless integrity, an anti-replay service (a form of partial sequence  +integrity), and limited traffic flow confidentiality. +https://datatracker.ietf.org/doc/html/rfc4303 + +In VyOS, ESP attributes are specified through ESP groups. +Multiple proposals can be specified in a single group. + +VyOS ESP group has the next options: + +* ``compression`` whether IPComp compression of content is proposed  +  on the connection: + + * ``disable`` disable IPComp compression (default); +  + * ``enable`` enable IPComp compression; +  +* ``lifetime`` ESP lifetime in seconds <30-86400> (default 3600).  +  How long a particular instance of a connection (a set of  +  encryption/authentication keys for user packets) should last,  +  from successful negotiation to expiry; +   +* ``mode`` the type of the connection: +  + * ``tunnel`` tunnel mode (default); + + * ``transport`` transport mode; + +* ``pfs`` whether Perfect Forward Secrecy of keys is desired on the  +  connection's keying channel and defines a Diffie-Hellman group for PFS: + + * ``enable`` Inherit Diffie-Hellman group from IKE group (default); + + * ``disable`` Disable PFS; + + * ``< dh-group >`` defines a Diffie-Hellman group for PFS; + +* ``proposal`` ESP-group proposal with number <1-65535>: + + * ``encryption`` encryption algorithm (default 128 bit AES-CBC); + + * ``hash`` hash algorithm (default sha1). +  *************************  IPsec policy matching GRE  ************************* | 
