General Syntax
network vpn security-policies <name> <key> <value>
The examples below are for a policy called "secure".
New
network vpn security-policies new secure
Destroy
network vpn security-policies destroy secure
Integrity
It should be possible to add a value by prefixing it with + and to remove one by prefixing it with -:
network vpn security-policies secure integrity +SHA512 +SHA384 -SHA256
network vpn security-policies secure integrity SHA512
Ciphers
Same as above:
network vpn security-policies secure cipher +AES256 +AES192 -AES128
Group Type
network vpn security-policies secure group-type +MODP4096
Compression
network vpn security-policies secure compression on
network vpn security-policies secure compression off
Key Exchange
network vpn security-policies secure key-exchange ikev2
network vpn security-policies secure key-exchange ikev1
Perfect Forward Secrecy
network vpn security-policies secure pfs on
network vpn security-policies secure pfs off
IKE/ESP Key Lifetime
network vpn security-policies secure lifetime 3600
Defaults
There should be a built-in policy called system, holding our defaults, that cannot be modified or destroyed. Creating a new policy should copy the system policy, and the copy can then be modified.
The system policy will change over time, but existing copies won't follow it.
Show it all
$ network vpn security-policies secure show
Security Policy: secure
  Ciphers:
    AES-256, AES-128
  Integrity:
    SHA-512, SHA-384, MD5 (broken)
  Group Types:
    MODP-8192, MODP-4096, ECP-192
  Perfect Forward Secrecy:   enabled
  Key Lifetime:              1h
  Compression:               enabled
To use it (later)
network vpn ipsec Connection1 security-policy secure
Possible Values
| Handle | Description | 
|---|---|
| Cipher | |
| 3DES-CBC | 168 bit 3DES-EDE-CBC | 
| AES{256,192,128}-CBC | {256,192,128} bit AES-CBC | 
| AES{256,192,128}-CTR | {256,192,128} bit AES-COUNTER | 
| AES{256,192,128}-GCM128 | {256,192,128} bit AES-GCM with 128 bit ICV | 
| AES{256,192,128}-GCM96 | {256,192,128} bit AES-GCM with 96 bit ICV | 
| AES{256,192,128}-GCM64 | {256,192,128} bit AES-GCM with 64 bit ICV | 
| AES{256,192,128}-CCM128 | {256,192,128} bit AES-CCM with 128 bit ICV | 
| AES{256,192,128}-CCM96 | {256,192,128} bit AES-CCM with 96 bit ICV | 
| AES{256,192,128}-CCM64 | {256,192,128} bit AES-CCM with 64 bit ICV | 
| CAMELLIA{256,192,128}-CBC | {256,192,128} bit CAMELLIA-CBC | 
| CAMELLIA{256,192,128}-CTR | {256,192,128} bit CAMELLIA-COUNTER | 
| CAMELLIA{256,192,128}-GCM128 | {256,192,128} bit CAMELLIA-GCM with 128 bit ICV | 
| CAMELLIA{256,192,128}-GCM96 | {256,192,128} bit CAMELLIA-GCM with 96 bit ICV | 
| CAMELLIA{256,192,128}-GCM64 | {256,192,128} bit CAMELLIA-GCM with 64 bit ICV | 
| CAMELLIA{256,192,128}-CCM128 | {256,192,128} bit CAMELLIA-CCM with 128 bit ICV | 
| CAMELLIA{256,192,128}-CCM96 | {256,192,128} bit CAMELLIA-CCM with 96 bit ICV | 
| CAMELLIA{256,192,128}-CCM64 | {256,192,128} bit CAMELLIA-CCM with 64 bit ICV | 
| Integrity | |
| MD5 | MD5-HMAC (broken) | 
| SHA1 | SHA1-HMAC (weak) | 
| SHA{512,384,256} | SHA2 {256,192,128} bit HMAC | 
| AES-XCBC | AES-XCBC | 
| AES-CMAC | AES-CMAC | 
| AES{256,192,128}-GMAC | {256,192,128} bit AES-GMAC |
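The following is an added reference model of the CLI sketched on this page (new/destroy, the +/- list editing, copy-on-create from a locked system policy, validation against the handles in the table, and the show rendering). It is example code written for this page, not the project's own implementation. Assumptions that the page does not state: the system defaults are taken to be the values in the show output above; bare handles such as AES256 used in the command examples are accepted as shorthand alongside the table's full handles; the group-type handle list is assumed; values given without a prefix replace the whole list; a list may not be edited down to nothing; and the show output gains a Key Exchange line.

```python
"""Added model of the security-policies CLI on this page (not the project's code)."""
from copy import deepcopy
from dataclasses import dataclass

_SIZES = (256, 192, 128)
_MODES = ("CBC", "CTR", "GCM128", "GCM96", "GCM64", "CCM128", "CCM96", "CCM64")
ALLOWED = {  # handles from the "Possible Values" table, plus labelled assumptions
    "cipher": {"3DES-CBC"}
    | {f"{alg}{s}-{m}" for alg in ("AES", "CAMELLIA") for s in _SIZES for m in _MODES}
    | {f"AES{s}" for s in _SIZES},  # assumption: bare forms from the command examples
    "integrity": {"MD5", "SHA1", "SHA512", "SHA384", "SHA256", "AES-XCBC", "AES-CMAC"}
    | {f"AES{s}-GMAC" for s in _SIZES},
    "group-type": {"MODP8192", "MODP4096", "MODP3072", "MODP2048",
                   "ECP192", "ECP256", "ECP384"},  # assumption: not listed on the page
}
WEAK = {"MD5": "broken", "SHA1": "weak"}  # annotations the table attaches
PREFIX = ("network", "vpn", "security-policies")
SYSTEM_DEFAULTS = {  # assumption: the defaults are what the page's 'show' output lists
    "cipher": ["AES256", "AES128"],
    "integrity": ["SHA512", "SHA384", "MD5"],
    "group-type": ["MODP8192", "MODP4096", "ECP192"],
    "key-exchange": "ikev2", "pfs": True, "compression": True, "lifetime": 3600,
}


@dataclass
class Policy:
    name: str
    values: dict
    locked: bool = False  # the built-in system policy can't be modified or destroyed


class PolicyStore:
    def __init__(self):
        self.policies = {"system": Policy("system", deepcopy(SYSTEM_DEFAULTS), locked=True)}

    def new(self, name):
        if name in self.policies:
            raise ValueError(f"policy {name} already exists")
        # Snapshot of system: later changes to system do not propagate to the copy.
        self.policies[name] = Policy(name, deepcopy(self.policies["system"].values))

    def destroy(self, name):
        if self.policies[name].locked:
            raise PermissionError(f"policy {name} is built in")
        del self.policies[name]

    def set(self, name, key, *args):
        policy = self.policies[name]
        if policy.locked:
            raise PermissionError(f"policy {name} is read-only")
        if key in ALLOWED:
            policy.values[key] = self._edit_list(key, policy.values[key], args)
        elif key in ("pfs", "compression"):
            if args not in (("on",), ("off",)):
                raise ValueError(f"{key} takes 'on' or 'off'")
            policy.values[key] = args == ("on",)
        elif key == "key-exchange":
            if args not in (("ikev1",), ("ikev2",)):
                raise ValueError("key-exchange takes 'ikev1' or 'ikev2'")
            policy.values[key] = args[0]
        elif key == "lifetime":
            if len(args) != 1 or not args[0].isdigit() or int(args[0]) == 0:
                raise ValueError("lifetime is a positive number of seconds")
            policy.values[key] = int(args[0])
        else:
            raise KeyError(key)

    @staticmethod
    def _edit_list(key, current, args):
        # +X appends, -X removes; unprefixed values replace the list (assumption).
        prefixed = [a[0] in "+-" for a in args]
        if not args or (any(prefixed) and not all(prefixed)):
            raise ValueError("either every value is prefixed with + or -, or none is")
        result = list(current) if all(prefixed) else []
        for arg in args:
            op, handle = (arg[0], arg[1:]) if arg[0] in "+-" else ("+", arg)
            handle = handle.upper()
            if handle not in ALLOWED[key]:
                raise ValueError(f"{handle!r} is not a valid {key} handle")
            if op == "+" and handle not in result:
                result.append(handle)
            elif op == "-" and handle in result:
                result.remove(handle)
        if not result:
            raise ValueError(f"{key} list must not become empty")
        return result

    def show(self, name):
        v = self.policies[name].values
        def handles(key):  # marks handles the table flags as broken/weak
            return ", ".join(h + (f" ({WEAK[h]})" if h in WEAK else "") for h in v[key])
        flag = lambda on: "enabled" if on else "disabled"
        return "\n".join([
            f"Security Policy: {name}",
            "  Ciphers:", "    " + handles("cipher"),
            "  Integrity:", "    " + handles("integrity"),
            "  Group Types:", "    " + handles("group-type"),
            f"  Key Exchange:              {v['key-exchange']}",
            f"  Perfect Forward Secrecy:   {flag(v['pfs'])}",
            f"  Key Lifetime:              {fmt_lifetime(v['lifetime'])}",
            f"  Compression:               {flag(v['compression'])}",
        ])


def fmt_lifetime(seconds):
    if seconds % 3600 == 0:
        return f"{seconds // 3600}h"
    return f"{seconds // 60}m" if seconds % 60 == 0 else f"{seconds}s"


def run(store, line):
    """Dispatch one command line from the page's syntax; returns show output or None."""
    words = line.split()
    if words[:1] == ["$"]:
        words = words[1:]
    if tuple(words[:3]) != PREFIX or len(words) < 5:
        raise ValueError(f"unrecognised command: {line}")
    verb, rest = words[3], words[4:]
    if verb == "new":
        store.new(rest[0])
    elif verb == "destroy":
        store.destroy(rest[0])
    elif rest[0] == "show":
        return store.show(verb)
    else:
        store.set(verb, rest[0], *rest[1:])
    return None
```

Feeding the page's own command lines through `run()` in order (new secure, the integrity and cipher edits, then show) exercises every rule; the deliberate failures worth checking are editing or destroying system, an unknown handle, and removing the last entry of a list.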