From 865ff61166299ac542d7bf6a6419d54dd0d7597f Mon Sep 17 00:00:00 2001 From: goodNETnick Date: Tue, 7 Dec 2021 13:46:15 +1000 Subject: ESP group parameters --- docs/configuration/vpn/ipsec.rst | 46 ++++++++++++++++++++++++++++++++++++++++ 1 file changed, 46 insertions(+) (limited to 'docs') diff --git a/docs/configuration/vpn/ipsec.rst b/docs/configuration/vpn/ipsec.rst index 29dc5a0e..590f6023 100644 --- a/docs/configuration/vpn/ipsec.rst +++ b/docs/configuration/vpn/ipsec.rst @@ -111,6 +111,52 @@ VyOS IKE group has the next options: * ``hash`` hash algorithm. +*********************************************** +ESP (Encapsulating Security Payload) Attributes +*********************************************** +ESP is used to provide confidentiality, data origin authentication, +connectionless integrity, an anti-replay service (a form of partial sequence +integrity), and limited traffic flow confidentiality. +https://datatracker.ietf.org/doc/html/rfc4303 + +In VyOS, ESP attributes are specified through ESP groups. +Multiple proposals can be specified in a single group. + +VyOS ESP group has the next options: + +* ``compression`` whether IPComp compression of content is proposed + on the connection: + + * ``disable`` disable IPComp compression (default); + + * ``enable`` enable IPComp compression; + +* ``lifetime`` ESP lifetime in seconds <30-86400> (default 3600). + How long a particular instance of a connection (a set of + encryption/authentication keys for user packets) should last, + from successful negotiation to expiry; + +* ``mode`` the type of the connection: + + * ``tunnel`` tunnel mode (default); + + * ``transport`` transport mode; + +* ``pfs`` whether Perfect Forward Secrecy of keys is desired on the + connection's keying channel and defines a Diffie-Hellman group for PFS: + + * ``enable`` Inherit Diffie-Hellman group from IKE group (default); + + * ``disable`` Disable PFS; + + * ``< dh-group >`` defines a Diffie-Hellman group for PFS; + +* ``proposal`` ESP-group proposal with number <1-65535>: + + * ``encryption`` encryption algorithm (default 128 bit AES-CBC); + + * ``hash`` hash algorithm (default sha1). + ************************* IPsec policy matching GRE ************************* -- cgit v1.2.3