diff --git a/source/adminguide/networking/site_to_site_vpn.rst b/source/adminguide/networking/site_to_site_vpn.rst index 29aeea7962..e088fdc303 100644 --- a/source/adminguide/networking/site_to_site_vpn.rst +++ b/source/adminguide/networking/site_to_site_vpn.rst @@ -115,13 +115,19 @@ To add a VPN Customer Gateway: confirming that the remote gateway has a matching Preshared Key. - **IKE Hash**: The IKE hash for phase-1. The supported hash - algorithms are SHA1 and MD5. + algorithms are SHA1, SHA256, SHA384 and SHA512 and MD5. + + - **IKE Version**: The IKE Version to use between ike (autoselect), ikev1, or ikev2. + Connections marked with 'ike' will use 'ikev2' when initiating, + but accept any protocol version when responding. Defaults to 'ike'. - **IKE DH**: A public-key cryptography protocol which allows two parties to establish a shared secret over an insecure communications channel. The 1536-bit Diffie-Hellman group is used within IKE to establish session keys. The supported options are - None, Group-5 (1536-bit) and Group-2 (1024-bit). + None, Group-2 (1024-bit), Group-5 (1536-bit), Group-14 (2048-bit), + Group-15 (3072-bit), Group-16 (4096-bit), Group-17 (6144-bit) and + Group-18 (8192-bit). - **ESP Encryption**: Encapsulating Security Payload (ESP) algorithm within phase-2. The supported encryption algorithms are AES128, @@ -134,8 +140,8 @@ To add a VPN Customer Gateway: extracted from the Diffie-Hellman key exchange in phase-1, to provide session keys to use in protecting the VPN data flow. - - **ESP Hash**: Encapsulating Security Payload (ESP) hash for - phase-2. Supported hash algorithms are SHA1 and MD5. + - **ESP Hash**: Encapsulating Security Payload (ESP) hash for phase-2. + Supported hash algorithms are SHA1, SHA256, SHA384 and SHA512 and MD5. - **Perfect Forward Secrecy**: Perfect Forward Secrecy (or PFS) is the property that ensures that a session key derived from a set of 
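Review bot: in the IKE DH bullet the sentence "The 1536-bit Diffie-Hellman group is used within IKE to establish session keys" is left unchanged while the option list directly below it now runs from Group-2 (1024-bit) to Group-18 (8192-bit), so the description contradicts the list; reword it to say that the selected Diffie-Hellman group is used within IKE to establish session keys, and consider pointing readers to the new excluded/obsolete settings when a weak group should not be offered. In the IKE Hash bullet, "SHA1, SHA256, SHA384 and SHA512 and MD5" has a doubled "and"; write "MD5, SHA1, SHA256, SHA384 and SHA512". In the IKE Version bullet, "The IKE Version to use between ike (autoselect), ikev1, or ikev2" reads awkwardly; suggest "The IKE version to use: ike (autoselect), ikev1 or ikev2". Since the text states that 'ike' accepts any protocol version when responding, it is worth adding one sentence that operators who require IKEv2 on both initiation and response should select 'ikev2' explicitly rather than the default.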
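Review bot: the ESP Hash bullet repeats the doubled "and" from the IKE Hash bullet ("SHA1, SHA256, SHA384 and SHA512 and MD5"); use the same ordering and wording as the phase-1 bullet, e.g. "Supported hash algorithms are MD5, SHA1, SHA256, SHA384 and SHA512", so the two lists are consistent.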
@@ -143,9 +149,10 @@ To add a VPN Customer Gateway: property enforces a new Diffie-Hellman key exchange. It provides the keying material that has greater key material life and thereby greater resistance to cryptographic attacks. The available options - are None, Group-5 (1536-bit) and Group-2 (1024-bit). The security - of the key exchanges increase as the DH groups grow larger, as - does the time of the exchanges. + are None, Group-2 (1024-bit), Group-5 (1536-bit), Group-14 (2048-bit), + Group-15 (3072-bit), Group-16 (4096-bit), Group-17 (6144-bit) and + Group-18 (8192-bit). The security of the key exchanges increase as + the DH groups grow larger, as does the time of the exchanges. .. note:: When PFS is turned on, for every negotiation of a new phase-2 SA 
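Review bot: the rewrapped PFS text keeps the pre-existing agreement error "The security of the key exchanges increase as the DH groups grow larger"; since the hunk already touches these lines, change "increase" to "increases". The group list here duplicates the IKE DH list from the previous hunk verbatim, so if the supported groups change again both places must be edited; a short cross-reference ("the same groups as IKE DH") would avoid the drift that the 1536-bit sentence above already shows.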
@@ -172,15 +179,102 @@ To add a VPN Customer Gateway: - **Force UDP Encapsulation of ESP Packets**: Force Encapsulation for NAT traversal + .. note:: + If the administrator has configured excluded cryptographic + parameters, those options will not appear in the form. If obsolete + parameters are configured, those options will be displayed with a + warning message indicating they are obsolete and should be avoided. + #. Click OK. +Configuring Excluded and Obsolete VPN Customer Gateway Parameters +'''''''''''''''''''''''''''''''''''''''''''''''' + +CloudStack provides administrators with configuration settings to enforce +modern security standards by marking certain cryptographic algorithms and +parameters as excluded or obsolete for VPN Customer Gateway creation. + +**Excluded Parameters:** + +These parameters are completely hidden from users and cannot be used +while creating or updating VPN Customer Gateways: + +- **vpn.customer.gateway.excluded.encryption.algorithms**: Comma-separated + list of encryption algorithms to exclude. Applies to both phases. + +- **vpn.customer.gateway.excluded.hashing.algorithms**: Comma-separated + list of hashing algorithms to exclude. Applies to both phases. + +- **vpn.customer.gateway.excluded.ike.versions**: Comma-separated list of + IKE versions to exclude. + +- **vpn.customer.gateway.excluded.dh.group**: Comma-separated list of + Diffie-Hellman groups to exclude. Applies to both phases. + +**Obsolete Parameters:** + +These parameters are shown with a warning message, allowing existing +deployments to continue functioning while encouraging migration to more +secure alternatives: + +- **vpn.customer.gateway.obsolete.encryption.algorithms**: Comma-separated + list of encryption algorithms marked as obsolete. Applies to both phases. + +- **vpn.customer.gateway.obsolete.hashing.algorithms**: Comma-separated + list of hashing algorithms marked as obsolete. Applies to phases. 
+ +- **vpn.customer.gateway.obsolete.ike.versions**: Comma-separated list of + IKE versions marked as obsolete. + +- **vpn.customer.gateway.obsolete.dh.group**: Comma-separated list of + Diffie-Hellman groups marked as obsolete. Applies to both phases. + +**Behavior:** + +- **Excluded parameters**: Not shown in the Create and Update VPN Customer + Gateway forms. Users cannot select these options for new gateways. + +- **Obsolete parameters**: Shown with a warning message in the Create and + Update forms, indicating they are deprecated and should be avoided. + +- **Existing gateways**: If a VPN Customer Gateway already uses excluded or + obsolete parameters: + + - A warning icon is displayed next to the gateway name with a message + prompting users to change the obsolete or excluded parameters. + + - The Update VPN Customer Gateway form displays the setting with a + warning message encouraging users to change it to a more secure + alternative. + +- The ``listVpnCustomerGateways`` API response includes two new boolean + fields: + + - **containsobsoleteparameters**: Indicates whether the gateway + contains any obsolete parameters + + - **containsexcludedparameters**: Indicates whether the gateway + contains any excluded parameters + +- The ``listCapabilities`` API response includes a new field containing + the list of excluded and obsolete VPN Customer Gateway parameters, but + only if these configuration settings are configured by the operator. + + Updating and Removing a VPN Customer Gateway '''''''''''''''''''''''''''''''''''''''''''' You can update a customer gateway either with no VPN connection, or related VPN connection is in error state. +.. note:: + If a VPN Customer Gateway is using excluded or obsolete cryptographic + parameters (as configured by your CloudStack operator), a warning icon + will be displayed next to the gateway name. 
When editing such a gateway, + the Update form will display warnings for any obsolete or excluded + parameters, encouraging you to change them to more secure alternatives. + #. Log in to the CloudStack UI as an administrator or end user. #. In the left navigation, choose Network.
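Review bot: the underline below the new heading "Configuring Excluded and Obsolete VPN Customer Gateway Parameters" is 48 characters while the title is 65, so docutils will emit a "Title underline too short" warning on every build; extend the row of quotes to at least the title length. In the obsolete hashing bullet, "Applies to phases." is missing "both". The setting names mix plural and singular ("excluded.encryption.algorithms" and "excluded.hashing.algorithms" versus "excluded.dh.group"); please confirm against the code that "vpn.customer.gateway.excluded.dh.group" and "vpn.customer.gateway.obsolete.dh.group" are the exact configuration keys, since a documented key that does not match the global setting is hard for operators to debug. The ``listCapabilities`` bullet says the response "includes a new field" but, unlike the ``listVpnCustomerGateways`` bullet, never names it; give the field name so API consumers can look for it. Finally, the "Existing gateways" behaviour describes a warning icon and a warning in the Update form, but not whether saving the Update form with an excluded parameter still present is allowed or rejected; state that explicitly, because "cannot be used while creating or updating" earlier in the section suggests the update would be blocked.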