summaryrefslogtreecommitdiff
path: root/docs/configuration/vpn/ipsec/ipsec_general.rst
diff options
context:
space:
mode:
Diffstat (limited to 'docs/configuration/vpn/ipsec/ipsec_general.rst')
-rw-r--r--docs/configuration/vpn/ipsec/ipsec_general.rst308
1 files changed, 308 insertions, 0 deletions
diff --git a/docs/configuration/vpn/ipsec/ipsec_general.rst b/docs/configuration/vpn/ipsec/ipsec_general.rst
new file mode 100644
index 00000000..18d974c9
--- /dev/null
+++ b/docs/configuration/vpn/ipsec/ipsec_general.rst
@@ -0,0 +1,308 @@
+.. _ipsec_general:
+
+#########################
+IPsec General Information
+#########################
+
+***********************
+Information about IPsec
+***********************
+
+IPsec is the framework used to secure data.
+IPsec accomplishes these goals by providing authentication,
+encryption of IP network packets, key exchange, and key management.
+VyOS uses Strongswan package to implement IPsec.
+
+**Authentication Header (AH)** is defined in :rfc:`4302`. It creates
+a hash using the IP header and data payload, and prepends it to the
+packet. This hash is used to validate that the data has not been
+changed during transfer over the network.
+
+**Encapsulating Security Payload (ESP)** is defined in :rfc:`4303`.
+It provides encryption and authentication of the data.
+
+
+There are two IPsec modes:
+ **IPsec Transport Mode**:
+ In transport mode, an IPSec header (AH or ESP) is inserted
+ between the IP header and the upper layer protocol header.
+
+ **IPsec Tunnel Mode:**
+ In tunnel mode, the original IP packet is encapsulated in
+ another IP datagram, and an IPsec header (AH or ESP) is
+ inserted between the outer and inner headers.
+
+.. figure:: /_static/images/ESP_AH.png
+ :scale: 80 %
+ :alt: AH and ESP in Transport Mode and Tunnel Mode
+
+***************************
+IKE (Internet Key Exchange)
+***************************
+The default IPsec method for secure key negotiation is the Internet Key
+Exchange (IKE) protocol. IKE is designed to provide mutual authentication
+of systems, as well as to establish a shared secret key to create IPsec
+security associations. A security association (SA) includes all relevant
+attributes of the connection, including the cryptographic algorithm used,
+the IPsec mode, the encryption key, and other parameters related to the
+transmission of data over the VPN connection.
+
+IKEv1
+=====
+
+IKEv1 is the older version and is still used today. Nowadays, most
+manufacturers recommend using IKEv2 protocol.
+
+IKEv1 is described in the next RFCs: :rfc:`2409` (IKE), :rfc:`3407`
+(IPsec DOI), :rfc:`3947` (NAT-T), :rfc:`3948` (UDP Encapsulation
+of ESP Packets), :rfc:`3706` (DPD)
+
+IKEv1 operates in two phases to establish these IKE and IPsec SAs:
+ * **Phase 1** provides mutual authentication of the IKE peers and
+ establishment of the session key. This phase creates an IKE SA (a
+ security association for IKE) using a DH exchange, cookies, and an
+ ID exchange. Once an IKE SA is established, all IKE communication
+ between the initiator and responder is protected with encryption
+ and an integrity check that is authenticated. The purpose of IKE
+ phase 1 is to facilitate a secure channel between the peers so that
+ phase 2 negotiations can occur securely. IKE phase 1 offers two modes:
+ Main and Aggressive.
+
+ * **Main Mode** is used for site-to-site VPN connections.
+
+ * **Aggressive Mode** is used for remote access VPN connections.
+
+ * **Phase 2** provides for the negotiation and establishment of the
+ IPsec SAs using ESP or AH to protect IP data traffic.
+
+IKEv2
+=====
+
+IKEv2 is described in :rfc:`7296`. The biggest difference between IKEv1 and
+IKEv2 is that IKEv2 is much simpler and more reliable than IKEv1 because
+fewer messages are exchanged during the establishment of the VPN and
+additional security capabilities are available.
+
+
+IKE Authentication
+==================
+
+VyOS supports 3 authentication methods.
+ * **Pre-shared keys**: In this method, both peers of the IPsec
+ tunnel must have the same preshared keys.
+ * **Digital certificates**: PKI is used in this method.
+ * **RSA-keys**: If the RSA-keys method is used in your IKE policy,
+ you need to make sure each peer has the other peer’s public keys.
+
+*************************
+DPD (Dead Peer Detection)
+*************************
+
+This is a mechanism used to detect when a VPN peer is no longer active.
+This mechanism has different algorithms in IKEv1 and IKEv2 in VyOS.
+DPD Requests are sent as ISAKMP R-U-THERE messages and DPD Responses
+are sent as ISAKMP R-U-THERE-ACK messages. In IKEv1, DPD sends messages
+every configured interval. The remote peer is considered unreachable
+if no response to these packets is received within the DPD timeout.
+In IKEv2, DPD sends messages every configured interval. If one request
+is not responded, Strongswan execute its retransmission algorithm with
+its timers. https://docs.strongswan.org/docs/5.9/config/retransmission.html
+
+*****************
+Configuration IKE
+*****************
+
+IKE (Internet Key Exchange) Attributes
+======================================
+
+VyOS IKE group has the next options:
+
+.. cfgcmd:: set vpn ipsec ike-group <name> close-action <action>
+
+ Defines the action to take if the remote peer unexpectedly
+ closes a CHILD_SA:
+
+ * **none** - Set action to none (default),
+ * **trap** - Installs a trap policy (IPsec policy without Security
+ Association) for the CHILD_SA and traffic matching these policies
+ will trigger acquire events that cause the daemon to establish the
+ required IKE/IPsec SAs.
+ * **start** - Tries to immediately re-create the CHILD_SA.
+
+.. cfgcmd:: set vpn ipsec ike-group <name> ikev2-reauth
+
+ Whether rekeying of an IKE_SA should also reauthenticate
+ the peer. In IKEv1, reauthentication is always done.
+ Setting this parameter enables remote host re-authentication
+ during an IKE rekey.
+
+.. cfgcmd:: set vpn ipsec ike-group <name> key-exchange
+
+ Which protocol should be used to initialize the connection
+ If not set both protocols are handled and connections will
+ use IKEv2 when initiating, but accept any protocol version
+ when responding:
+
+ * **ikev1** - Use IKEv1 for Key Exchange.
+ * **ikev2** - Use IKEv2 for Key Exchange.
+
+.. cfgcmd:: set vpn ipsec ike-group <name> lifetime
+
+ IKE lifetime in seconds <0-86400> (default 28800).
+
+.. cfgcmd:: set vpn ipsec ike-group <name> mode
+
+ IKEv1 Phase 1 Mode Selection:
+
+ * **main** - Use Main mode for Key Exchanges in the IKEv1 Protocol
+ (Recommended Default).
+ * **aggressive** - Use Aggressive mode for Key Exchanges in the IKEv1
+ protocol aggressive mode is much more insecure compared to Main mode.
+
+.. cfgcmd:: set vpn ipsec ike-group <name> proposal <number> dh-group <dh-group number>
+
+ Dh-group. Default value is **2**.
+
+.. cfgcmd:: set vpn ipsec ike-group <name> proposal <number> encryption <encryption>
+
+ Encryption algorithm. Default value is **aes128**.
+
+.. cfgcmd:: set vpn ipsec ike-group <name> proposal <number> hash <hash>
+
+ Hash algorithm. Default value is **sha1**.
+
+.. cfgcmd:: set vpn ipsec ike-group <name> proposal <number> prf <prf>
+
+ Pseudo-random function.
+
+
+DPD (Dead Peer Detection) Configuration
+=======================================
+
+.. cfgcmd:: set vpn ipsec ike-group <name> dead-peer-detection action <action>
+
+ Action to perform for this CHILD_SA on DPD timeout.
+
+ * **trap** - Installs a trap policy (IPsec policy without Security
+ Association), which will catch matching traffic and tries to
+ re-negotiate the tunnel on-demand.
+ * **clear** - Closes the CHILD_SA and does not take further action
+ (default).
+ * **restart** - Immediately tries to re-negotiate the CHILD_SA
+ under a fresh IKE_SA.
+
+.. cfgcmd:: set vpn ipsec ike-group <name> dead-peer-detection interval <interval>
+
+ Keep-alive interval in seconds <2-86400> (default 30).
+
+.. cfgcmd:: set vpn ipsec ike-group <name> dead-peer-detection timeout <timeout>
+
+ Keep-alive timeout in seconds <2-86400> (default 120) **IKEv1 only**
+
+ESP (Encapsulating Security Payload) Attributes
+===============================================
+
+In VyOS, ESP attributes are specified through ESP groups.
+Multiple proposals can be specified in a single group.
+
+VyOS ESP group has the next options:
+
+.. cfgcmd:: set vpn ipsec esp-group <name> compression
+
+ Enables the IPComp(IP Payload Compression) protocol which allows
+ compressing the content of IP packets.
+
+.. cfgcmd:: set vpn ipsec esp-group <name> disable-rekey
+
+ Do not locally initiate a re-key of the SA, remote peer must
+ re-key before expiration.
+
+.. cfgcmd:: set vpn ipsec esp-group <name> life-bytes <bytes>
+
+ ESP life in bytes <1024-26843545600000>. Number of bytes
+ transmitted over an IPsec SA before it expires.
+
+.. cfgcmd:: set vpn ipsec esp-group <name> life-packets <packets>
+
+ ESP life in packets <1000-26843545600000>.
+ Number of packets transmitted over an IPsec SA before it expires.
+
+.. cfgcmd:: set vpn ipsec esp-group <name> lifetime <timeout>
+
+ ESP lifetime in seconds <30-86400> (default 3600).
+ How long a particular instance of a connection (a set of
+ encryption/authentication keys for user packets) should last,
+ from successful negotiation to expiry.
+
+.. cfgcmd:: set vpn ipsec esp-group <name> mode <mode>
+
+ The type of the connection:
+
+ * **tunnel** - Tunnel mode (default).
+ * **transport** - Transport mode.
+
+.. cfgcmd:: set vpn ipsec esp-group <name> pfs < dh-group>
+
+ Whether Perfect Forward Secrecy of keys is desired on the
+ connection's keying channel and defines a Diffie-Hellman group for
+ PFS:
+
+ * **enable** - Inherit Diffie-Hellman group from IKE group (default).
+ * **disable** - Disable PFS.
+ * **<dh-group>** - Defines a Diffie-Hellman group for PFS.
+
+.. cfgcmd:: set vpn ipsec esp-group <name> proposal <number> encryption <encryption>
+
+ Encryption algorithm. Default value is **aes128**.
+
+.. cfgcmd:: set vpn ipsec esp-group <name> proposal <number> hash <hash>
+
+ Hash algorithm. Default value is **sha1**.
+
+Global IPsec Settings
+=====================
+
+.. cfgcmd:: set vpn ipsec interface <name>
+
+ Interface name to restrict outbound IPsec policies. There is a possibility
+ to specify multiple interfaces. If an interfaces are not specified, IPsec
+ policies apply to all interfaces.
+
+
+.. cfgcmd:: set vpn ipsec log level <number>
+
+ Level of logging. Default value is **0**.
+
+.. cfgcmd:: set vpn ipsec log subsystem <name>
+
+ Subsystem of the daemon.
+
+Options
+=======
+
+.. cfgcmd:: set vpn ipsec options disable-route-autoinstall
+
+ Do not automatically install routes to remote
+ networks.
+
+.. cfgcmd:: set vpn ipsec options flexvpn
+
+ Allows FlexVPN vendor ID payload (IKEv2 only). Send the Cisco
+ FlexVPN vendor ID payload (IKEv2 only), which is required in order to make
+ Cisco brand devices allow negotiating a local traffic selector (from
+ strongSwan's point of view) that is not the assigned virtual IP address if
+ such an address is requested by strongSwan. Sending the Cisco FlexVPN
+ vendor ID prevents the peer from narrowing the initiator's local traffic
+ selector and allows it to e.g. negotiate a TS of 0.0.0.0/0 == 0.0.0.0/0
+ instead. This has been tested with a "tunnel mode ipsec ipv4" Cisco
+ template but should also work for GRE encapsulation.
+
+.. cfgcmd:: set vpn ipsec options interface <name>
+
+ Interface Name to use. The name of the interface on which
+ virtual IP addresses should be installed. If not specified the addresses
+ will be installed on the outbound interface.
+
+.. cfgcmd:: set vpn ipsec options virtual-ip
+
+ Allows the installation of virtual-ip addresses.
generated by cgit v1.2.3 (git 2.39.1) at 2025-07-12 19:04:19 +0000