Settings to mark cryptographic parameters as excluded/obsolete

abh1sar · abh1sar · commit 029af071097b · 2025-12-04T23:08:04.000+05:30
diff --git a/source/adminguide/networking/site_to_site_vpn.rst b/source/adminguide/networking/site_to_site_vpn.rst
@@ -115,13 +115,19 @@ To add a VPN Customer Gateway:
          confirming that the remote gateway has a matching Preshared Key.
 
    -  **IKE Hash**: The IKE hash for phase-1. The supported hash
-      algorithms are SHA1 and MD5.
+      algorithms are SHA1, SHA256, SHA384 and SHA512 and MD5.
+
+   -  **IKE Version**: The IKE Version to use between ike (autoselect), ikev1, or ikev2.
+      Connections marked with 'ike' will use 'ikev2' when initiating,
+      but accept any protocol version when responding. Defaults to 'ike'.
 
    -  **IKE DH**: A public-key cryptography protocol which allows two
       parties to establish a shared secret over an insecure
       communications channel. The 1536-bit Diffie-Hellman group is used
       within IKE to establish session keys. The supported options are
-      None, Group-5 (1536-bit) and Group-2 (1024-bit).
+      None, Group-2 (1024-bit), Group-5 (1536-bit), Group-14 (2048-bit),
+      Group-15 (3072-bit), Group-16 (4096-bit), Group-17 (6144-bit) and
+      Group-18 (8192-bit).
 
    -  **ESP Encryption**: Encapsulating Security Payload (ESP) algorithm
       within phase-2. The supported encryption algorithms are AES128,
@@ -134,18 +140,19 @@ To add a VPN Customer Gateway:
          extracted from the Diffie-Hellman key exchange in phase-1, to
          provide session keys to use in protecting the VPN data flow.
 
-   -  **ESP Hash**: Encapsulating Security Payload (ESP) hash for
-      phase-2. Supported hash algorithms are SHA1 and MD5.
+   -  **ESP Hash**: Encapsulating Security Payload (ESP) hash for phase-2.
+      Supported hash algorithms are SHA1, SHA256, SHA384 and SHA512 and MD5.
 
    -  **Perfect Forward Secrecy**: Perfect Forward Secrecy (or PFS) is
       the property that ensures that a session key derived from a set of
       long-term public and private keys will not be compromised. This
       property enforces a new Diffie-Hellman key exchange. It provides
       the keying material that has greater key material life and thereby
       greater resistance to cryptographic attacks. The available options
-      are None, Group-5 (1536-bit) and Group-2 (1024-bit). The security
-      of the key exchanges increase as the DH groups grow larger, as
-      does the time of the exchanges.
+      are None, Group-2 (1024-bit), Group-5 (1536-bit), Group-14 (2048-bit),
+      Group-15 (3072-bit), Group-16 (4096-bit), Group-17 (6144-bit) and
+      Group-18 (8192-bit). The security of the key exchanges increase as
+      the DH groups grow larger, as does the time of the exchanges.
 
       .. note::
          When PFS is turned on, for every negotiation of a new phase-2 SA
@@ -172,15 +179,102 @@ To add a VPN Customer Gateway:
    -  **Force UDP Encapsulation of ESP Packets**: Force Encapsulation for
       NAT traversal
 
+   .. note::
+      If the administrator has configured excluded cryptographic
+      parameters, those options will not appear in the form. If obsolete
+      parameters are configured, those options will be displayed with a
+      warning message indicating they are obsolete and should be avoided.
+
 #. Click OK.
 
 
+Configuring Excluded and Obsolete VPN Customer Gateway Parameters
+''''''''''''''''''''''''''''''''''''''''''''''''
+
+CloudStack provides administrators with configuration settings to enforce
+modern security standards by marking certain cryptographic algorithms and
+parameters as excluded or obsolete for VPN Customer Gateway creation.
+
+**Excluded Parameters:**
+
+These parameters are completely hidden from users and cannot be used
+while creating or updating VPN Customer Gateways:
+
+-  **vpn.customer.gateway.excluded.encryption.algorithms**: Comma-separated
+   list of encryption algorithms to exclude. Applies to both phases.
+
+-  **vpn.customer.gateway.excluded.hashing.algorithms**: Comma-separated
+   list of hashing algorithms to exclude. Applies to both phases.
+
+-  **vpn.customer.gateway.excluded.ike.versions**: Comma-separated list of
+   IKE versions to exclude.
+
+-  **vpn.customer.gateway.excluded.dh.group**: Comma-separated list of
+   Diffie-Hellman groups to exclude. Applies to both phases.
+
+**Obsolete Parameters:**
+
+These parameters are shown with a warning message, allowing existing
+deployments to continue functioning while encouraging migration to more
+secure alternatives:
+
+-  **vpn.customer.gateway.obsolete.encryption.algorithms**: Comma-separated
+   list of encryption algorithms marked as obsolete. Applies to both phases.
+
+-  **vpn.customer.gateway.obsolete.hashing.algorithms**: Comma-separated
+   list of hashing algorithms marked as obsolete. Applies to phases.
+
+-  **vpn.customer.gateway.obsolete.ike.versions**: Comma-separated list of
+   IKE versions marked as obsolete.
+
+-  **vpn.customer.gateway.obsolete.dh.group**: Comma-separated list of
+   Diffie-Hellman groups marked as obsolete. Applies to both phases.
+
+**Behavior:**
+
+-  **Excluded parameters**: Not shown in the Create and Update VPN Customer
+   Gateway forms. Users cannot select these options for new gateways.
+
+-  **Obsolete parameters**: Shown with a warning message in the Create and
+   Update forms, indicating they are deprecated and should be avoided.
+
+-  **Existing gateways**: If a VPN Customer Gateway already uses excluded or
+   obsolete parameters:
+
+   -  A warning icon is displayed next to the gateway name with a message
+      prompting users to change the obsolete or excluded parameters.
+
+   -  The Update VPN Customer Gateway form displays the setting with a
+      warning message encouraging users to change it to a more secure
+      alternative.
+
+-  The ``listVpnCustomerGateways`` API response includes two new boolean
+   fields:
+
+   -  **containsobsoleteparameters**: Indicates whether the gateway
+      contains any obsolete parameters
+
+   -  **containsexcludedparameters**: Indicates whether the gateway
+      contains any excluded parameters
+
+-  The ``listCapabilities`` API response includes a new field containing
+   the list of excluded and obsolete VPN Customer Gateway parameters, but
+   only if these configuration settings are configured by the operator.
+
+
 Updating and Removing a VPN Customer Gateway
 ''''''''''''''''''''''''''''''''''''''''''''
 
 You can update a customer gateway either with no VPN connection, or
 related VPN connection is in error state.
 
+.. note::
+   If a VPN Customer Gateway is using excluded or obsolete cryptographic
+   parameters (as configured by your CloudStack operator), a warning icon
+   will be displayed next to the gateway name. When editing such a gateway,
+   the Update form will display warnings for any obsolete or excluded
+   parameters, encouraging you to change them to more secure alternatives.
+
 #. Log in to the CloudStack UI as an administrator or end user.
 
 #. In the left navigation, choose Network.
