108 changes: 101 additions & 7 deletions source/adminguide/networking/site_to_site_vpn.rst
Expand Up @@ -115,13 +115,19 @@ To add a VPN Customer Gateway:
confirming that the remote gateway has a matching Preshared Key.

- **IKE Hash**: The IKE hash for phase-1. The supported hash
algorithms are SHA1 and MD5.
algorithms are SHA1, SHA256, SHA384 and SHA512 and MD5.

- **IKE Version**: The IKE Version to use between ike (autoselect), ikev1, or ikev2.
Connections marked with 'ike' will use 'ikev2' when initiating,
but accept any protocol version when responding. Defaults to 'ike'.

- **IKE DH**: A public-key cryptography protocol which allows two
parties to establish a shared secret over an insecure
communications channel. The 1536-bit Diffie-Hellman group is used
within IKE to establish session keys. The supported options are
None, Group-5 (1536-bit) and Group-2 (1024-bit).
None, Group-2 (1024-bit), Group-5 (1536-bit), Group-14 (2048-bit),
Group-15 (3072-bit), Group-16 (4096-bit), Group-17 (6144-bit) and
Group-18 (8192-bit).

- **ESP Encryption**: Encapsulating Security Payload (ESP) algorithm
within phase-2. The supported encryption algorithms are AES128,
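Review bot: the IKE DH entry still says "The 1536-bit Diffie-Hellman group is used within IKE to establish session keys", which no longer matches the option list it introduces now that Group-2 (1024-bit) through Group-18 (8192-bit) are offered; rephrase to "The selected Diffie-Hellman group is used within IKE to establish session keys". The IKE Hash list "SHA1, SHA256, SHA384 and SHA512 and MD5" also has a doubled conjunction; write it as "MD5, SHA1, SHA256, SHA384 and SHA512".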
Expand All @@ -134,18 +140,19 @@ To add a VPN Customer Gateway:
extracted from the Diffie-Hellman key exchange in phase-1, to
provide session keys to use in protecting the VPN data flow.

- **ESP Hash**: Encapsulating Security Payload (ESP) hash for
phase-2. Supported hash algorithms are SHA1 and MD5.
- **ESP Hash**: Encapsulating Security Payload (ESP) hash for phase-2.
Supported hash algorithms are SHA1, SHA256, SHA384 and SHA512 and MD5.

- **Perfect Forward Secrecy**: Perfect Forward Secrecy (or PFS) is
the property that ensures that a session key derived from a set of
long-term public and private keys will not be compromised. This
property enforces a new Diffie-Hellman key exchange. It provides
the keying material that has greater key material life and thereby
greater resistance to cryptographic attacks. The available options
are None, Group-5 (1536-bit) and Group-2 (1024-bit). The security
of the key exchanges increase as the DH groups grow larger, as
does the time of the exchanges.
are None, Group-2 (1024-bit), Group-5 (1536-bit), Group-14 (2048-bit),
Group-15 (3072-bit), Group-16 (4096-bit), Group-17 (6144-bit) and
Group-18 (8192-bit). The security of the key exchanges increase as
the DH groups grow larger, as does the time of the exchanges.

.. note::
When PFS is turned on, for every negotiation of a new phase-2 SA
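Review bot: the rewritten ESP Hash line repeats the doubled "and" from the IKE Hash entry ("SHA1, SHA256, SHA384 and SHA512 and MD5"); use a single conjunction, e.g. "MD5, SHA1, SHA256, SHA384 and SHA512". In the touched PFS sentence, "The security of the key exchanges increase as the DH groups grow larger" should read "increases" to agree with its subject.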
Expand All @@ -172,15 +179,102 @@ To add a VPN Customer Gateway:
- **Force UDP Encapsulation of ESP Packets**: Force Encapsulation for
NAT traversal

.. note::
If the administrator has configured excluded cryptographic
parameters, those options will not appear in the form. If obsolete
parameters are configured, those options will be displayed with a
warning message indicating they are obsolete and should be avoided.

#. Click OK.


Configuring Excluded and Obsolete VPN Customer Gateway Parameters
''''''''''''''''''''''''''''''''''''''''''''''''

CloudStack provides administrators with configuration settings to enforce
modern security standards by marking certain cryptographic algorithms and
parameters as excluded or obsolete for VPN Customer Gateway creation.

**Excluded Parameters:**

These parameters are completely hidden from users and cannot be used
while creating or updating VPN Customer Gateways:

- **vpn.customer.gateway.excluded.encryption.algorithms**: Comma-separated
list of encryption algorithms to exclude. Applies to both phases.

- **vpn.customer.gateway.excluded.hashing.algorithms**: Comma-separated
list of hashing algorithms to exclude. Applies to both phases.

- **vpn.customer.gateway.excluded.ike.versions**: Comma-separated list of
IKE versions to exclude.

- **vpn.customer.gateway.excluded.dh.group**: Comma-separated list of
Diffie-Hellman groups to exclude. Applies to both phases.

**Obsolete Parameters:**

These parameters are shown with a warning message, allowing existing
deployments to continue functioning while encouraging migration to more
secure alternatives:

- **vpn.customer.gateway.obsolete.encryption.algorithms**: Comma-separated
list of encryption algorithms marked as obsolete. Applies to both phases.

- **vpn.customer.gateway.obsolete.hashing.algorithms**: Comma-separated
list of hashing algorithms marked as obsolete. Applies to phases.

- **vpn.customer.gateway.obsolete.ike.versions**: Comma-separated list of
IKE versions marked as obsolete.

- **vpn.customer.gateway.obsolete.dh.group**: Comma-separated list of
Diffie-Hellman groups marked as obsolete. Applies to both phases.

**Behavior:**

- **Excluded parameters**: Not shown in the Create and Update VPN Customer
Gateway forms. Users cannot select these options for new gateways.

- **Obsolete parameters**: Shown with a warning message in the Create and
Update forms, indicating they are deprecated and should be avoided.

- **Existing gateways**: If a VPN Customer Gateway already uses excluded or
obsolete parameters:

- A warning icon is displayed next to the gateway name with a message
prompting users to change the obsolete or excluded parameters.

- The Update VPN Customer Gateway form displays the setting with a
warning message encouraging users to change it to a more secure
alternative.

- The ``listVpnCustomerGateways`` API response includes two new boolean
fields:

- **containsobsoleteparameters**: Indicates whether the gateway
contains any obsolete parameters

- **containsexcludedparameters**: Indicates whether the gateway
contains any excluded parameters

- The ``listCapabilities`` API response includes a new field containing
the list of excluded and obsolete VPN Customer Gateway parameters, but
only if these configuration settings are configured by the operator.


Updating and Removing a VPN Customer Gateway
''''''''''''''''''''''''''''''''''''''''''''

You can update a customer gateway either with no VPN connection, or
related VPN connection is in error state.

.. note::
If a VPN Customer Gateway is using excluded or obsolete cryptographic
parameters (as configured by your CloudStack operator), a warning icon
will be displayed next to the gateway name. When editing such a gateway,
the Update form will display warnings for any obsolete or excluded
parameters, encouraging you to change them to more secure alternatives.

#. Log in to the CloudStack UI as an administrator or end user.

#. In the left navigation, choose Network.
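Review bot: the underline beneath "Configuring Excluded and Obsolete VPN Customer Gateway Parameters" is shorter than the 65-character title, so Sphinx will emit a "Title underline too short" warning for this file; extend the row of quotes to at least the title length, as the "Updating and Removing a VPN Customer Gateway" heading below does. Two smaller points: the ``vpn.customer.gateway.obsolete.hashing.algorithms`` entry says "Applies to phases." where its siblings say "Applies to both phases."; and the ``listCapabilities`` bullet describes "a new field" without naming it, so a reader cannot find it in the API response; give the field name and say whether it is omitted or returned empty when the operator has configured no exclusions.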