Security Policies

General Syntax

network vpn security-policies <name> <key> <value>

The examples below are for a policy called "secure".

New

network vpn security-policies new secure

Destroy

network vpn security-policies destroy secure

Integrity

Adding values should be possible by prepending a + or - character:

network vpn security-policies secure integrity +SHA512 +SHA384 -SHA256
network vpn security-policies secure integrity SHA512

Ciphers

Same as above:
network vpn security-policies secure cipher +AES256 +AES192 -AES128

Group Type

network vpn security-policies secure group-type +MODP4096

Compression

network vpn security-policies secure compression on
network vpn security-policies secure compression off

Key Exchange

network vpn security-policies secure key-exchange ikev2
network vpn security-policies secure key-exchange ikev1

Perfect Forward Secrecy

network vpn security-policies secure pfs on
network vpn security-policies secure pfs off

IKE/ESP Key Lifetime

network vpn security-policies secure lifetime 3600

Defaults

There should be a policy that cannot be modified called system which we just build in with our defaults. If a new one is created, it should create a copy of the system one which then can be modified.

The system one will change over time, but any copies won't.

Show it all

$ network vpn security-policies secure show
Security Policy: secure

  Ciphers:
    AES-256, AES-128

  Integrity:
    SHA-512, SHA-384, MD5 (broken)

  Group Types:
    MODP-8192, MODP-4096, ECP-192

  Perfect Forward Secrecy:   enabled
  Key Lifetime:              1h

  Compression:               enabled

To use it (later)

network vpn ipsec Connection1 security-policy secure

Possible Values

Handle Description
Cipher
3DES-CBC 168 bit 3DES-EDE-CBC
AES{256,192,128}-CBC {256,192,128} bit AES-CBC
AES{256,192,128}-CTR {256,192,128} bit AES-COUNTER
AES{256,192,128}-GCM128 {256,192,128} bit AES-GCM with 128 bit ICV
AES{256,192,128}-GCM96 {256,192,128} bit AES-GCM with 96 bit ICV
AES{256,192,128}-GCM64 {256,192,128} bit AES-GCM with 64 bit ICV
AES{256,192,128}-CCM128 {256,192,128} bit AES-CCM with 128 bit ICV
AES{256,192,128}-CCM96 {256,192,128} bit AES-CCM with 96 bit ICV
AES{256,192,128}-CCM64 {256,192,128} bit AES-CCM with 64 bit ICV
CAMELLIA{256,192,128}-CBC {256,192,128} bit CAMELLIA-CBC
CAMELLIA{256,192,128}-CTR {256,192,128} bit CAMELLIA-COUNTER
CAMELLIA{256,192,128}-GCM128 {256,192,128} bit CAMELLIA-GCM with 128 bit ICV
CAMELLIA{256,192,128}-GCM96 {256,192,128} bit CAMELLIA-GCM with 96 bit ICV
CAMELLIA{256,192,128}-GCM64 {256,192,128} bit CAMELLIA-GCM with 64 bit ICV
CAMELLIA{256,192,128}-CCM128 {256,192,128} bit CAMELLIA-CCM with 128 bit ICV
CAMELLIA{256,192,128}-CCM96 {256,192,128} bit CAMELLIA-CCM with 96 bit ICV
CAMELLIA{256,192,128}-CCM64 {256,192,128} bit CAMELLIA-CCM with 64 bit ICV
Integrity
MD5 MD5-HMAC (broken)
SHA1 SHA1-HMAC (weak)
SHA{512,384,256} SHA2 {256,192,128} bit HMAC
AES-XCBC AES-XCBC
AES-CMAC AES-CMAC
AES{256,192,128}-GMAC {256,192,128} bit AES-GMAC
Edit Page ‐ Yes, you can edit!

Older Revisions • August 28 at 5:41 pm • Jon