From dba819da9466bdf44b10605cf0613b6770e79e41 Mon Sep 17 00:00:00 2001 From: Sunan Jiang Date: Fri, 10 May 2024 14:40:17 -0400 Subject: [PATCH 01/16] add documentation for new ipsecclient plugin version --- docs/plugin_ipsec_client.md | 167 +++++++++++++++++++++++++++++++----- 1 file changed, 144 insertions(+), 23 deletions(-) diff --git a/docs/plugin_ipsec_client.md b/docs/plugin_ipsec_client.md index 5fcf878417..b4fedb7de4 100644 --- a/docs/plugin_ipsec_client.md +++ b/docs/plugin_ipsec_client.md 
@@ -14,30 +14,56 @@ The instructions for installing and managing the plugin can be found [here](plug The IPsec plugin setup has the following key parts to the configuration. * `ipsec-profile` describing the mechanism with which to connect to the server. * `ipsec-client` represent the remote endpoints or server with which the ipsec client communicates. +* `ipsec-client-settings` configure universal settings for all conductor-managed routers. * `service-route`'s to route the traffic through the tunnels ### Profiles -The `router > ipsec-profile`'s are reusable IPsec settings that can be used across multiple nodes in a router and multiple IPsec endpoint `remote`s. The table below represents the most common configuration elements for a valid ipsec profile. + +The `router > ipsec-profile`'s are reusable IPsec settings that can be used across multiple nodes in a router and multiple IPsec endpoint `remote`s. The examples below shows two examples of ipsec profiles that mutually exclusive one using pre-shared keys, and one using certificate based authentication. + +:::note +This plugin can only connect to IPsec endpoints that support pre-shared key or X.509 certificate. 
+::: ``` router - ipsec-profile zscaler - name zscaler - ike-encryption aes256 - ike-digest sha2 - ike-modp modp1024 - authentication-protocol esp - phase2-encryption aes_gcm128 - phase2-digest sha2 - phase2-modp modp1024 - ike-lifetime 1h - connection-lifetime 8h - perfect-forward-secrecy true - dpddelay 20 - dpdtimeout 100 - dpdaction restart - local-id [local-id@domain.com] - pre-shared-key (removed) + ipsec-profile zscaler-preshared-key + name zscaler-preshared-key + ike-encryption aes256 + ike-digest sha2 + ike-modp modp1024 + authentication-protocol esp + phase2-encryption aes_gcm128 + phase2-digest sha2 + phase2-modp modp1024 + ike-lifetime 1h + connection-lifetime 8h + perfect-forward-secrecy true + dpddelay 20 + dpdtimeout 100 + dpdaction restart + local-id [local-id@domain.com] + pre-shared-key (removed) + exit + ipsec-profile zscaler-certificate + name zscaler-certificate + ike-encryption aes128 + ike-digest sha2 + ike-modp modp1024 + authentication-protocol esp + phase2-encryption aes_gcm256 + phase2-digest sha2 + phase2-modp modp1024 + ike-lifetime 1h + connection-lifetime 8h + perfect-forward-secrecy true + dpddelay 20 + dpdtimeout 100 + dpdaction restart + local-id [local-id@domain.com] + private-key-name rem1-private-key + local-certificate-name rem1-cert + trusted-ca-certificate-name ca-cert exit exit ``` 
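Review bot: In PATCH 01/16, hunk @@ -14,30 +14,56, the new sentence `The examples below shows two examples of ipsec profiles that mutually exclusive one using pre-shared keys, and one using certificate based authentication.` is ungrammatical and says "examples" twice; suggest `The examples below show two mutually exclusive IPsec profiles: one using a pre-shared key and one using certificate-based authentication.` Also, the new `zscaler-certificate` profile copies `ike-modp modp1024` and `phase2-modp modp1024` from the PSK example; 1024-bit MODP (DH group 2) is the group RFC 8247 marks SHOULD NOT, and the release notes in this same patch advertise DH group 21 support for Common Criteria, so the certificate example should show a current group rather than teach the weak one. Finally, `local-id [local-id@domain.com]` is carried into the certificate profile unchanged; document how `local-id` must relate to the subject or SAN of the certificate named by `local-certificate-name`, since the `remote-id` row added later in this patch requires a CN match on the peer side.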
@@ -61,10 +87,21 @@ The above configuration example represents a typical profile used for a IPSec pr | dpdtimeout | seconds | 100 | After the period has elapsed with no traffic including DPD traffic, the connection will be declared dead | | dpdaction | enum | restart | Action taken once the enabled peer is detected as dead | | local-id | string | user-defined | How to identify the router for authentication. Can be an IP address of FQDN. Must be preceded with an `@` symbol to prevent resolution as shown in the example | -| pre-shared-key | string | user-defined | pre-shared key used for authentication | +| pre-shared-key | string | user-defined | pre-shared key used for authentication | +| private-key-name | reference | - | The name that reference to a private key defined in [Private Key](#private-key) | +| local-certificate-name | reference | - | The name that reference to a client certificate defined in [`client-certificate`](config_command_guide.md#configure-authority-client-certificate)| +| trusted-ca-certificate-name | reference | - | The name that reference to a trusted CA certificate defined in [`trusted-ca-certificate`](config_command_guide.md#configure-authority-trusted-ca-certificate) | + +##### Version History + +| Release | Modification | +| -------- | ------------------------------------ | +| 3.7.0 | `profile > private-key-name` introduced | +| 3.7.0 | `profile > local-certificate-name ` introduced | +| 3.7.0 | `profile > trusted-ca-certificate-name` introduced | :::note -This plugin can only connect to IPsec endpoints that support pre-shared key authentication. +All `local-certificate-name`, `trusted-ca-certificate-name` and `private-key-name` must be configured in order to use X.509 certificate type ::: #### Custom Options 
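Review bot: In PATCH 01/16, hunk @@ -61,10 +87,21, the three new table rows read `The name that reference to a ...`; should be `The name that references the ...` (the same fix is later spread over three separate commits, so do it here). The version-history cell `profile > local-certificate-name ` has a trailing space inside the backticks, and the replacement note `... must be configured in order to use X.509 certificate type` lacks a terminal period and an article. Since this hunk removes the note that the plugin supports only pre-shared-key authentication, the replacement should also state that `pre-shared-key` and the three certificate references are mutually exclusive within one profile, as the Profiles section claims, and what the validator does if both are set.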
@@ -117,7 +154,7 @@ The main config properties of a remote endpoint are as follows. | name | string | The name of the remote client to be used for sending traffic to the tunnel. | | host | ip-or-fqdn | The address or FQDN of the remote endpoint. | | profile | reference | The name of the profile to be used for this remote endpoint. | -| remote-id | string | The optional remote identifier used during authentication. | +| remote-id | string | The optional remote identifier used during authentication, the field must be correctly configured as remote side certificate common name (CN) | | subnet | ip-prefix | The remote subnet behind the tunnel. | | tunnel-monitor | container | Properties for monitoring the phase-2 connection. See [Tunnel Monitoring](#tunnel-monitoring) for more information. | @@ -151,8 +188,8 @@ router myRouter remote secondary name primary host - profile myProfile - remote-id prisma@paloalto.com + profile zscaler-certificate + remote-id subnet 0.0.0/0 tunnel-monitor enabled true 
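Review bot: In PATCH 01/16, hunk @@ -117,7 +154,7, the reworded `remote-id` row now calls the field "optional" and in the same sentence says it "must be correctly configured as remote side certificate common name (CN)", which contradicts itself and does not say which mode the requirement applies to (a PSK peer has no certificate CN). Suggest splitting it: optional for pre-shared-key profiles; for certificate profiles, state whether it is required and that it must match the CN of the peer's certificate. The run-on with a comma splice should become two sentences.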
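Review bot: In PATCH 01/16, hunk @@ -151,8 +188,8, the line `+            remote-id ` has no value, so the example no longer shows what the table above says the field must contain for a certificate profile (the peer certificate CN); either give an obviously placeholder CN or drop the line. While this block is being edited, the unchanged context `subnet 0.0.0/0` is not a valid prefix (three octets) and should read `0.0.0.0/0`, and `remote secondary` followed by `name primary` in the context is confusing for an example meant to illustrate primary and backup tunnels.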
@@ -179,6 +216,75 @@ The `ipsec-client > name` cannot start with `ipsec` or `mast`. See notes [here]( Each `remote` represents a unique tunnel destination and can be used to route traffic in/out of the tunnels. Typically each node has two tunnels to act as primary and backup. +### Client Settings + +##### Version History + +| Release | Modification | +| -------- | ------------------------------------ | +| 3.7.0 | `authority > ipsec-client-settings` introduced | + +Client settings are a collection of common settings that would apply to all routers that run IPSec plugin under management of a conductor. + +The main config properties of client settings are as follows. + +| Config | Type | Description | +| -------- | ----- | ------------------- | +| common-criteria-mode | boolean | Whether common criteria should be applied upon validation. | +| private-key | list | List of [Private Keys](#private-key) to be used for IPSec X.509 certificate type. | + + +``` console +config + + authority + ipsec-client-settings + common-criteria-mode true + private-key rem1-private-key + name rem1-private-key + content (removed) + exit + + private-key rem2-private-key + name rem2-private-key + content (removed) + exit + exit +exit +``` + +#### Private Key + +##### Version History + +| Release | Modification | +| -------- | ------------------------------------ | +| 3.7.0 | `ipsec-client-settings > private-key` introduced | + +The `private-key` allows the users to configure private keys to be used for IPSec X.508 certificate type. + +``` +config + authority + ipsec-client-settings + private-key rem1-private-key + name rem1-private-key + content (removed) + exit + exit + exit +exit +``` + +| Config | Type | Description | +| -------- | ----- | ------------------- | +| name | string | The name of the the private key. | +| content | string | Private key to be used for X.509 certificate. 
| + +:::warning +The `private-key` is used for pkc12 certification creation which will be used for tunnel authentication. Wrongly configured private key may prevent IPSec tunnel from establishing successfully. +::: + ### Tunnel Monitoring ##### Version History @@ -289,6 +395,10 @@ exit Once enabled, the records will allow the IPsec controller to perform additional functions such as detecting and remediating stuck egress tunnel sessions and reporting the name of the WAN interface being used for the tunnel. +### Configure X.509 Certificates Type For Tunnel Authentication +The user could enable X.509 certificate type for tunnel authenticate by confiuring valid [`private-key`](#private-key), [`client-certificate`](config_command_guide.md#configure-authority-client-certificate) and [`trusted-ca-certificate`](config_command_guide.md#configure-authority-trusted-ca-certificate) then refer their key names to respective fields in [`ipsec-profile`](#profiles) section, with which a PKCS12 file will be generated. IPSec NSS database will be used to store the generated PKCS12 file and wiil be directly used for tunnel authentication. A public Libreswan document is refered [here](https://libreswan.org/wiki/HOWTO:_Using_NSS_with_libreswan). The plugin requires users to generate/acquire their private key, a CA certificate file and user certificate file signed by the CA certificate offline by utilities mentioned in Libreswan document or other reliable sources (openssl). The plugin will take over the configuration from `Importing third-party files into NSS` section listed in the Libreswan document. + + ### Directing traffic through the tunnel The user can leverage standard SSR service and service-route to direct intended traffic over the ipsec tunnel. In the example below, all guest internet traffic is sent over the ipsec tunnel for break and inspect. This can be accomplished as follows: 
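Review bot: In PATCH 01/16, hunk @@ -179,6 +216,75, `IPSec X.508 certificate type` should be `X.509`, `pkc12 certification creation` should be `PKCS#12 file creation` (a PKCS#12 is a key-and-certificate container, not a certificate), and `The name of the the private key` doubles "the". The fence `` ``` console `` has a space before the language tag, which most markdown renderers will not treat as a language hint. The `common-criteria-mode` description `Whether common criteria should be applied upon validation` does not say what is validated; the release notes in this patch mention validating the strength of the encryption algorithms, so say that here. For `private-key > content`, document the expected encoding (PEM, and whether PKCS#1 or PKCS#8) and whether the value is redacted in `show config` output, since the example shows it as `(removed)`.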
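Review bot: In PATCH 01/16, hunk @@ -289,6 +395,10, the new section is one run-on paragraph with several typos: `confiuring`, `wiil`, `refered`, `tunnel authenticate` (should be `authentication`), and the heading `Certificates Type`. The four actions it describes (configure `private-key`, `client-certificate`, `trusted-ca-certificate`, then reference them from the `ipsec-profile`) read better as a numbered list. The sentence `The plugin will take over the configuration from ...` should say plainly that the user must not import files into NSS by hand because the plugin does it, otherwise a reader following the linked Libreswan HOWTO will do both.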
@@ -804,6 +914,17 @@ exit ## Release Notes +### Release 3.7.0 + +**Release Date:** May 10, 2024 + +**Router Version** 128T-ipsec-2.5.0-3 + +#### New Features and Improvements + +- **/I95-51716** Common Criteria Certification - VPN Protection Profile +The new version adds support for X.509 ceritifcate management for IPSec plugin, validating strength of VPN’s encryption algorithms, new Libreswan version update, and DH 21 groups. + ### Release 3.6.0 **Release Date:** Oct 13, 2023 From 0a4c2e43cfd4fe38336b895081bb8a25b05b34fc Mon Sep 17 00:00:00 2001 From: Sunan Jiang Date: Fri, 10 May 2024 16:01:53 -0400 Subject: [PATCH 02/16] fix typo --- docs/plugin_ipsec_client.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/plugin_ipsec_client.md b/docs/plugin_ipsec_client.md index b4fedb7de4..393de00a35 100644 --- a/docs/plugin_ipsec_client.md +++ b/docs/plugin_ipsec_client.md 
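Review bot: In PATCH 01/16, hunk @@ -804,6 +914,17, `**Router Version** 128T-ipsec-2.5.0-3` is missing the colon that `**Release Date:**` uses, the bullet `**/I95-51716**` has a stray leading slash, `ceritifcate` is misspelled, and `DH 21 groups` should read `DH group 21`. The description line under the bullet is not indented, so it will render as a separate paragraph rather than part of the list item. `new Libreswan version update` should name the version shipped, since the plugin's cipher and DH support depends on it.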
@@ -396,7 +396,7 @@ exit Once enabled, the records will allow the IPsec controller to perform additional functions such as detecting and remediating stuck egress tunnel sessions and reporting the name of the WAN interface being used for the tunnel. ### Configure X.509 Certificates Type For Tunnel Authentication -The user could enable X.509 certificate type for tunnel authenticate by confiuring valid [`private-key`](#private-key), [`client-certificate`](config_command_guide.md#configure-authority-client-certificate) and [`trusted-ca-certificate`](config_command_guide.md#configure-authority-trusted-ca-certificate) then refer their key names to respective fields in [`ipsec-profile`](#profiles) section, with which a PKCS12 file will be generated. IPSec NSS database will be used to store the generated PKCS12 file and wiil be directly used for tunnel authentication. A public Libreswan document is refered [here](https://libreswan.org/wiki/HOWTO:_Using_NSS_with_libreswan). The plugin requires users to generate/acquire their private key, a CA certificate file and user certificate file signed by the CA certificate offline by utilities mentioned in Libreswan document or other reliable sources (openssl). The plugin will take over the configuration from `Importing third-party files into NSS` section listed in the Libreswan document. +The user could enable X.509 certificate type for tunnel authenticate by configuring valid [`private-key`](#private-key), [`client-certificate`](config_command_guide.md#configure-authority-client-certificate) and [`trusted-ca-certificate`](config_command_guide.md#configure-authority-trusted-ca-certificate) then refer their key names to respective fields in [`ipsec-profile`](#profiles) section, with which a PKCS12 file will be generated. IPSec NSS database will be used to store the generated PKCS12 file and wiil be directly used for tunnel authentication. 
A public Libreswan document is refered [here](https://libreswan.org/wiki/HOWTO:_Using_NSS_with_libreswan). The plugin requires users to generate/acquire their private key, a CA certificate file and user certificate file signed by the CA certificate offline by utilities mentioned in Libreswan document or other reliable sources (openssl). The plugin will take over the configuration from `Importing third-party files into NSS` section listed in the Libreswan document. ### Directing traffic through the tunnel From 26eeae38b72a54031dfcd9293d070ff50e999175 Mon Sep 17 00:00:00 2001 From: Sunan Jiang <92936762+jiangsunan@users.noreply.github.com> Date: Mon, 13 May 2024 14:22:24 -0400 Subject: [PATCH 03/16] Update docs/plugin_ipsec_client.md Co-authored-by: Chris Turner <47952861+Chr1st0ph3rTurn3r@users.noreply.github.com> --- docs/plugin_ipsec_client.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/plugin_ipsec_client.md b/docs/plugin_ipsec_client.md index 393de00a35..3efd1b4292 100644 --- a/docs/plugin_ipsec_client.md +++ b/docs/plugin_ipsec_client.md @@ -154,7 +154,7 @@ The main config properties of a remote endpoint are as follows. | name | string | The name of the remote client to be used for sending traffic to the tunnel. | | host | ip-or-fqdn | The address or FQDN of the remote endpoint. | | profile | reference | The name of the profile to be used for this remote endpoint. | -| remote-id | string | The optional remote identifier used during authentication, the field must be correctly configured as remote side certificate common name (CN) | +| remote-id | string | The optional remote identifier used during authentication. This field must be correctly configured as the remote side certificate common name (CN). | | subnet | ip-prefix | The remote subnet behind the tunnel. | | tunnel-monitor | container | Properties for monitoring the phase-2 connection. See [Tunnel Monitoring](#tunnel-monitoring) for more information. | 
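Review bot: In PATCH 02/16, hunk @@ -396,7 +396,7, only `confiuring` is corrected; `wiil`, `refered` and `tunnel authenticate` remain on the same changed line, so this "fix typo" commit should fix all of them rather than leave three for later.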
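Review bot: In PATCH 03/16, hunk @@ -154,7 +154,7, the reworded `remote-id` row still says the field is optional and then that it "must be correctly configured as the remote side certificate common name (CN)"; the two sentences need a scope, for example that the CN requirement applies when the referenced profile uses certificate authentication, and the row should say whether the field is then mandatory.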
From e1dada256135f12e669fbc70da37636e73931901 Mon Sep 17 00:00:00 2001 From: Sunan Jiang <92936762+jiangsunan@users.noreply.github.com> Date: Mon, 13 May 2024 14:22:34 -0400 Subject: [PATCH 04/16] Update docs/plugin_ipsec_client.md Co-authored-by: Chris Turner <47952861+Chr1st0ph3rTurn3r@users.noreply.github.com> --- docs/plugin_ipsec_client.md | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/docs/plugin_ipsec_client.md b/docs/plugin_ipsec_client.md index 3efd1b4292..496472e395 100644 --- a/docs/plugin_ipsec_client.md +++ b/docs/plugin_ipsec_client.md 
@@ -396,7 +396,18 @@ exit Once enabled, the records will allow the IPsec controller to perform additional functions such as detecting and remediating stuck egress tunnel sessions and reporting the name of the WAN interface being used for the tunnel. ### Configure X.509 Certificates Type For Tunnel Authentication -The user could enable X.509 certificate type for tunnel authenticate by configuring valid [`private-key`](#private-key), [`client-certificate`](config_command_guide.md#configure-authority-client-certificate) and [`trusted-ca-certificate`](config_command_guide.md#configure-authority-trusted-ca-certificate) then refer their key names to respective fields in [`ipsec-profile`](#profiles) section, with which a PKCS12 file will be generated. IPSec NSS database will be used to store the generated PKCS12 file and wiil be directly used for tunnel authentication. A public Libreswan document is refered [here](https://libreswan.org/wiki/HOWTO:_Using_NSS_with_libreswan). The plugin requires users to generate/acquire their private key, a CA certificate file and user certificate file signed by the CA certificate offline by utilities mentioned in Libreswan document or other reliable sources (openssl). The plugin will take over the configuration from `Importing third-party files into NSS` section listed in the Libreswan document. +### Configure X.509 Certificate-type for Tunnel Authentication + +The IPsec plugin requires users to generate/acquire their private key, a CA certificate file, and user certificate file. This must be signed by the CA certificate offline by utilities mentioned in Libreswan document (or other reliable sources such as openssl). Refer to the public [HOWTO:_Using_NSS_with_libreswan document](https://libreswan.org/wiki/HOWTO:_Using_NSS_with_libreswan) for additional information. Note that the IPsec plugin will take over the configuration mentioned in `Importing third-party files into NSS` in the Libreswan document. 
+ +Use the following steps to create the X.509 certificate-type for Tunnel Authentication. + +1. Configure the [`private-key`](#private-key). +2. Configure the [`client-certificate`](config_command_guide.md#configure-authority-client-certificate). +3. Configure the [`trusted-ca-certificate`](config_command_guide.md#configure-authority-trusted-ca-certificate). +4. Enter the key names for each of these items in their respective fields in the [`ipsec-profile`](#profiles). + +This information is used to generate the PKCS12 file. The IPsec NSS database stores the generated PKCS12 file for tunnel authentication. ### Directing traffic through the tunnel From 54abe719062282a463572bbc33b78e4abff7445a Mon Sep 17 00:00:00 2001 From: Sunan Jiang <92936762+jiangsunan@users.noreply.github.com> Date: Mon, 13 May 2024 14:22:43 -0400 Subject: [PATCH 05/16] Update docs/plugin_ipsec_client.md Co-authored-by: Chris Turner <47952861+Chr1st0ph3rTurn3r@users.noreply.github.com> --- docs/plugin_ipsec_client.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/plugin_ipsec_client.md b/docs/plugin_ipsec_client.md index 496472e395..cc31526922 100644 --- a/docs/plugin_ipsec_client.md +++ b/docs/plugin_ipsec_client.md @@ -282,7 +282,7 @@ exit | content | string | Private key to be used for X.509 certificate. | :::warning -The `private-key` is used for pkc12 certification creation which will be used for tunnel authentication. Wrongly configured private key may prevent IPSec tunnel from establishing successfully. +The `private-key` is used to create the pkc12 certificate for tunnel authentication. A wrongly configured private key may prevent an IPSec tunnel from being established successfully. ::: ### Tunnel Monitoring From 2a49c9f8800d5a6b18388f539994d44aa3b811b8 Mon Sep 17 00:00:00 2001 
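Review bot: In PATCH 04/16, hunk @@ -396,7 +396,18, the old heading `### Configure X.509 Certificates Type For Tunnel Authentication` is kept as context and the new `### Configure X.509 Certificate-type for Tunnel Authentication` is added directly beneath it, so the rendered page gets two consecutive headings and two near-identical anchors; delete the old one in the same hunk (PATCH 15/16 has to clean this up). In the new paragraph, `This must be signed by the CA certificate` has an ambiguous subject; say `The user certificate must be signed by the CA`. Step 4, `Enter the key names for each of these items`, refers to object names, not keys. The steps end at "generate the PKCS12 file"; add a step on how the operator confirms the result (for example that the private key matches the client certificate and that the tunnel comes up), since the warning elsewhere says a mismatched key silently prevents tunnel establishment.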
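Review bot: In PATCH 05/16, hunk @@ -282,7 +282,7, the rewrite still says `create the pkc12 certificate`; the term is PKCS#12 (or PKCS12, matching the rest of the document), and what is created is a PKCS#12 bundle containing the key and certificate, not a certificate.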
From: Sunan Jiang <92936762+jiangsunan@users.noreply.github.com> Date: Mon, 13 May 2024 14:22:49 -0400 Subject: [PATCH 06/16] Update docs/plugin_ipsec_client.md Co-authored-by: Chris Turner <47952861+Chr1st0ph3rTurn3r@users.noreply.github.com> --- docs/plugin_ipsec_client.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/plugin_ipsec_client.md b/docs/plugin_ipsec_client.md index cc31526922..2209b2a89c 100644 --- a/docs/plugin_ipsec_client.md +++ b/docs/plugin_ipsec_client.md @@ -226,7 +226,7 @@ Each `remote` represents a unique tunnel destination and can be used to route tr Client settings are a collection of common settings that would apply to all routers that run IPSec plugin under management of a conductor. -The main config properties of client settings are as follows. +The main configuration properties of client settings are as follows: | Config | Type | Description | | -------- | ----- | ------------------- | From b32c1ff6cb9182ebfb5b5032db33e6609eb427cc Mon Sep 17 00:00:00 2001 From: Sunan Jiang <92936762+jiangsunan@users.noreply.github.com> Date: Mon, 13 May 2024 14:25:07 -0400 Subject: [PATCH 07/16] Update docs/plugin_ipsec_client.md Co-authored-by: Chris Turner <47952861+Chr1st0ph3rTurn3r@users.noreply.github.com> --- docs/plugin_ipsec_client.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/plugin_ipsec_client.md b/docs/plugin_ipsec_client.md index 2209b2a89c..d571e6ae46 100644 --- a/docs/plugin_ipsec_client.md +++ b/docs/plugin_ipsec_client.md 
@@ -88,7 +88,7 @@ The above configuration example represents a typical profile used for a IPSec pr | dpdaction | enum | restart | Action taken once the enabled peer is detected as dead | | local-id | string | user-defined | How to identify the router for authentication. Can be an IP address of FQDN. Must be preceded with an `@` symbol to prevent resolution as shown in the example | | pre-shared-key | string | user-defined | pre-shared key used for authentication | -| private-key-name | reference | - | The name that reference to a private key defined in [Private Key](#private-key) | +| private-key-name | reference | - | The name that references the private key defined in [Private Key](#private-key) | | local-certificate-name | reference | - | The name that reference to a client certificate defined in [`client-certificate`](config_command_guide.md#configure-authority-client-certificate)| | trusted-ca-certificate-name | reference | - | The name that reference to a trusted CA certificate defined in [`trusted-ca-certificate`](config_command_guide.md#configure-authority-trusted-ca-certificate) | From 5d912ccb79cdf68a314bd1963d226871bd175c3c Mon Sep 17 00:00:00 2001 From: Sunan Jiang <92936762+jiangsunan@users.noreply.github.com> Date: Mon, 13 May 2024 14:25:16 -0400 Subject: [PATCH 08/16] Update docs/plugin_ipsec_client.md Co-authored-by: Chris Turner <47952861+Chr1st0ph3rTurn3r@users.noreply.github.com> --- docs/plugin_ipsec_client.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/plugin_ipsec_client.md b/docs/plugin_ipsec_client.md index d571e6ae46..b2ec107ff3 100644 --- a/docs/plugin_ipsec_client.md +++ b/docs/plugin_ipsec_client.md 
@@ -224,7 +224,7 @@ Each `remote` represents a unique tunnel destination and can be used to route tr | -------- | ------------------------------------ | | 3.7.0 | `authority > ipsec-client-settings` introduced | -Client settings are a collection of common settings that would apply to all routers that run IPSec plugin under management of a conductor. +Client settings are a collection of common settings that apply to all conductor-managed routers running the IPSec plugin. The main configuration properties of client settings are as follows: From 2724e0dd48964707521d280ac1bc356cf446060f Mon Sep 17 00:00:00 2001 From: Sunan Jiang <92936762+jiangsunan@users.noreply.github.com> Date: Mon, 13 May 2024 14:25:23 -0400 Subject: [PATCH 09/16] Update docs/plugin_ipsec_client.md Co-authored-by: Chris Turner <47952861+Chr1st0ph3rTurn3r@users.noreply.github.com> --- docs/plugin_ipsec_client.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/plugin_ipsec_client.md b/docs/plugin_ipsec_client.md index b2ec107ff3..818071239b 100644 --- a/docs/plugin_ipsec_client.md +++ b/docs/plugin_ipsec_client.md @@ -101,7 +101,7 @@ The above configuration example represents a typical profile used for a IPSec pr | 3.7.0 | `profile > trusted-ca-certificate-name` introduced | :::note -All `local-certificate-name`, `trusted-ca-certificate-name` and `private-key-name` must be configured in order to use X.509 certificate type +`local-certificate-name`, `trusted-ca-certificate-name` and `private-key-name` must be configured in order to use X.509 certificate type. ::: #### Custom Options From babc770aa73476d78b69f3e5494375e4cc7236dd Mon Sep 17 00:00:00 2001 From: Sunan Jiang <92936762+jiangsunan@users.noreply.github.com> Date: Mon, 13 May 2024 14:25:32 -0400 Subject: [PATCH 10/16] Update docs/plugin_ipsec_client.md Co-authored-by: Chris Turner <47952861+Chr1st0ph3rTurn3r@users.noreply.github.com> --- docs/plugin_ipsec_client.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/docs/plugin_ipsec_client.md b/docs/plugin_ipsec_client.md index 818071239b..3f81f0dcc5 100644 --- a/docs/plugin_ipsec_client.md +++ b/docs/plugin_ipsec_client.md @@ -90,7 +90,7 @@ The above configuration example represents a typical profile used for a IPSec pr | pre-shared-key | string | user-defined | pre-shared key used for authentication | | private-key-name | reference | - | The name that references the private key defined in [Private Key](#private-key) | | local-certificate-name | reference | - | The name that reference to a client certificate defined in [`client-certificate`](config_command_guide.md#configure-authority-client-certificate)| -| trusted-ca-certificate-name | reference | - | The name that reference to a trusted CA certificate defined in [`trusted-ca-certificate`](config_command_guide.md#configure-authority-trusted-ca-certificate) | +| trusted-ca-certificate-name | reference | - | The name that references the trusted CA certificate defined in [`trusted-ca-certificate`](config_command_guide.md#configure-authority-trusted-ca-certificate) | ##### Version History From 998562d0f30c9a246a65514296147e0b04560643 Mon Sep 17 00:00:00 2001 From: Sunan Jiang <92936762+jiangsunan@users.noreply.github.com> Date: Mon, 13 May 2024 14:25:40 -0400 Subject: [PATCH 11/16] Update docs/plugin_ipsec_client.md Co-authored-by: Chris Turner <47952861+Chr1st0ph3rTurn3r@users.noreply.github.com> --- docs/plugin_ipsec_client.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/plugin_ipsec_client.md b/docs/plugin_ipsec_client.md index 3f81f0dcc5..6bd9a52e1c 100644 --- a/docs/plugin_ipsec_client.md +++ b/docs/plugin_ipsec_client.md 
@@ -89,7 +89,7 @@ The above configuration example represents a typical profile used for a IPSec pr | local-id | string | user-defined | How to identify the router for authentication. Can be an IP address of FQDN. Must be preceded with an `@` symbol to prevent resolution as shown in the example | | pre-shared-key | string | user-defined | pre-shared key used for authentication | | private-key-name | reference | - | The name that references the private key defined in [Private Key](#private-key) | -| local-certificate-name | reference | - | The name that reference to a client certificate defined in [`client-certificate`](config_command_guide.md#configure-authority-client-certificate)| +| local-certificate-name | reference | - | The name that references the client certificate defined in [`client-certificate`](config_command_guide.md#configure-authority-client-certificate)| | trusted-ca-certificate-name | reference | - | The name that references the trusted CA certificate defined in [`trusted-ca-certificate`](config_command_guide.md#configure-authority-trusted-ca-certificate) | ##### Version History From 4b2cd3bcc44bad60a5b17c1e055a186dcd90c1bb Mon Sep 17 00:00:00 2001 From: Sunan Jiang Date: Mon, 13 May 2024 14:32:40 -0400 Subject: [PATCH 12/16] fix slash and add explanation on example. --- docs/plugin_ipsec_client.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/plugin_ipsec_client.md b/docs/plugin_ipsec_client.md index 393de00a35..3a9c950931 100644 --- a/docs/plugin_ipsec_client.md +++ b/docs/plugin_ipsec_client.md 
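Review bot: In PATCH 11/16, hunk @@ -89,7 +89,7, this is the third single-row grammar fix to the same table (PATCH 07/16 fixed `private-key-name`, PATCH 10/16 fixed `trusted-ca-certificate-name`); squash the three into one commit so the history does not carry three one-line edits to adjacent rows.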
@@ -19,7 +19,7 @@ The IPsec plugin setup has the following key parts to the configuration. ### Profiles -The `router > ipsec-profile`'s are reusable IPsec settings that can be used across multiple nodes in a router and multiple IPsec endpoint `remote`s. The examples below shows two examples of ipsec profiles that mutually exclusive one using pre-shared keys, and one using certificate based authentication. +The `router > ipsec-profile`'s are reusable IPsec settings that can be used across multiple nodes in a router and multiple IPsec endpoint `remote`s. The examples below shows two examples of ipsec profiles that mutually exclusive one using pre-shared keys, and one using certificate based authentication. The examples below show two IPSec profiles that are mutually exclusive. :::note This plugin can only connect to IPsec endpoints that support pre-shared key or X.509 certificate. @@ -922,7 +922,7 @@ exit #### New Features and Improvements -- **/I95-51716** Common Criteria Certification - VPN Protection Profile +- **I95-51716** Common Criteria Certification - VPN Protection Profile The new version adds support for X.509 ceritifcate management for IPSec plugin, validating strength of VPN’s encryption algorithms, new Libreswan version update, and DH 21 groups. ### Release 3.6.0 From d8986368e069489acd64d50599231282bbc55ea2 Mon Sep 17 00:00:00 2001 From: Sunan Jiang Date: Mon, 13 May 2024 14:47:38 -0400 Subject: [PATCH 13/16] remove misleading note --- docs/plugin_ipsec_client.md | 4 ---- 1 file changed, 4 deletions(-) diff --git a/docs/plugin_ipsec_client.md b/docs/plugin_ipsec_client.md index 3a9c950931..0a902c0af6 100644 --- a/docs/plugin_ipsec_client.md +++ b/docs/plugin_ipsec_client.md 
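Review bot: In PATCH 12/16, hunk @@ -19,7 +19,7, the change appends `The examples below show two IPSec profiles that are mutually exclusive.` after the original sentence instead of replacing it, so the line now makes the same statement twice with the ungrammatical version first; replace rather than append. Separately, the header `index 393de00a35..3a9c950931` shows this commit was made against the blob produced by PATCH 02/16, not the `6bd9a52e1c` produced by PATCH 11/16, so it will not apply cleanly on top of the series as ordered; rebase before merging.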
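Review bot: In PATCH 12/16, hunk @@ -922,7 +922,7, removing the slash from `**/I95-51716**` is right, but `ceritifcate` on the very next context line is still misspelled; fix it in the same hunk.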
@@ -21,10 +21,6 @@ The IPsec plugin setup has the following key parts to the configuration. The `router > ipsec-profile`'s are reusable IPsec settings that can be used across multiple nodes in a router and multiple IPsec endpoint `remote`s. The examples below shows two examples of ipsec profiles that mutually exclusive one using pre-shared keys, and one using certificate based authentication. The examples below show two IPSec profiles that are mutually exclusive. -:::note -This plugin can only connect to IPsec endpoints that support pre-shared key or X.509 certificate. -::: - ``` router ipsec-profile zscaler-preshared-key From f8c6463a8db76ac58d3d2adec70544fdb8968c00 Mon Sep 17 00:00:00 2001 From: Sunan Jiang <92936762+jiangsunan@users.noreply.github.com> Date: Mon, 13 May 2024 19:59:19 -0400 Subject: [PATCH 14/16] Update docs/plugin_ipsec_client.md Co-authored-by: Chris Turner <47952861+Chr1st0ph3rTurn3r@users.noreply.github.com> --- docs/plugin_ipsec_client.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/plugin_ipsec_client.md b/docs/plugin_ipsec_client.md index 4442b5abb9..4770871bde 100644 --- a/docs/plugin_ipsec_client.md +++ b/docs/plugin_ipsec_client.md 
@@ -19,7 +19,7 @@ The IPsec plugin setup has the following key parts to the configuration. ### Profiles -The `router > ipsec-profile`'s are reusable IPsec settings that can be used across multiple nodes in a router and multiple IPsec endpoint `remote`s. The examples below shows two examples of ipsec profiles that mutually exclusive one using pre-shared keys, and one using certificate based authentication. The examples below show two IPSec profiles that are mutually exclusive. +The `router > ipsec-profile`'s are reusable IPsec settings that can be used across multiple nodes in a router and multiple IPsec endpoint `remote`s. The examples below shows two examples of ipsec profiles that are mutually exclusive; one using pre-shared keys, and one using certificate based authentication. The examples below show two IPSec profiles that are mutually exclusive. ``` router From 1a2e5d1ae16331670baa9890ccac8bdfa2d80558 Mon Sep 17 00:00:00 2001 From: Sunan Jiang Date: Tue, 14 May 2024 10:40:14 -0400 Subject: [PATCH 15/16] remove duplicate header, remove duplicate comments --- docs/plugin_ipsec_client.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/docs/plugin_ipsec_client.md b/docs/plugin_ipsec_client.md index 4442b5abb9..568636b515 100644 --- a/docs/plugin_ipsec_client.md +++ b/docs/plugin_ipsec_client.md 
@@ -19,7 +19,7 @@ The IPsec plugin setup has the following key parts to the configuration. ### Profiles -The `router > ipsec-profile`'s are reusable IPsec settings that can be used across multiple nodes in a router and multiple IPsec endpoint `remote`s. The examples below shows two examples of ipsec profiles that mutually exclusive one using pre-shared keys, and one using certificate based authentication. The examples below show two IPSec profiles that are mutually exclusive. +The `router > ipsec-profile`'s are reusable IPsec settings that can be used across multiple nodes in a router and multiple IPsec endpoint `remote`s. The examples below show two IPSec profiles that are mutually exclusive. ``` router @@ -391,7 +391,6 @@ exit Once enabled, the records will allow the IPsec controller to perform additional functions such as detecting and remediating stuck egress tunnel sessions and reporting the name of the WAN interface being used for the tunnel. -### Configure X.509 Certificates Type For Tunnel Authentication ### Configure X.509 Certificate-type for Tunnel Authentication The IPsec plugin requires users to generate/acquire their private key, a CA certificate file, and user certificate file. This must be signed by the CA certificate offline by utilities mentioned in Libreswan document (or other reliable sources such as openssl). Refer to the public [HOWTO:_Using_NSS_with_libreswan document](https://libreswan.org/wiki/HOWTO:_Using_NSS_with_libreswan) for additional information. Note that the IPsec plugin will take over the configuration mentioned in `Importing third-party files into NSS` in the Libreswan document. From 34ceb63f8503bccb29af023321ef34f8144afd9f Mon Sep 17 00:00:00 2001 From: Sunan Jiang Date: Tue, 14 May 2024 10:43:52 -0400 Subject: [PATCH 16/16] fix misunderstood suggestion --- docs/plugin_ipsec_client.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
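Review bot: In PATCH 15/16, hunk @@ -19,7 +19,7, this commit and PATCH 14/16 both start from `index 4442b5abb9` and rewrite the same line, and this one discards the semicolon clause that PATCH 14/16 added (which PATCH 16/16 then restores); the three commits should be squashed into one that produces the final wording directly. The second hunk, @@ -391,7 +391,6, correctly drops the duplicate heading introduced in PATCH 04/16.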
diff --git a/docs/plugin_ipsec_client.md b/docs/plugin_ipsec_client.md index 568636b515..5b9d7179c4 100644 --- a/docs/plugin_ipsec_client.md +++ b/docs/plugin_ipsec_client.md @@ -19,7 +19,7 @@ The IPsec plugin setup has the following key parts to the configuration. ### Profiles -The `router > ipsec-profile`'s are reusable IPsec settings that can be used across multiple nodes in a router and multiple IPsec endpoint `remote`s. The examples below show two IPSec profiles that are mutually exclusive. +The `router > ipsec-profile`'s are reusable IPsec settings that can be used across multiple nodes in a router and multiple IPsec endpoint `remote`s. The examples below show two IPSec profiles that are mutually exclusive; one using pre-shared keys, and one using certificate based authentication. ``` router
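Review bot: In PATCH 16/16, hunk @@ -19,7 +19,7, the final sentence `... two IPSec profiles that are mutually exclusive; one using pre-shared keys, and one using certificate based authentication.` uses a semicolon where a colon introduces the list, should hyphenate `certificate-based`, and writes `IPSec` where the rest of the paragraph and the plugin name use `IPsec`; suggest `The examples below show two mutually exclusive IPsec profiles: one using a pre-shared key and one using certificate-based authentication.`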