RosiKyu commented on code in PR #605:
URL: https://github.com/apache/cloudstack-documentation/pull/605#discussion_r2639954985
##########
source/adminguide/networking/site_to_site_vpn.rst:
##########
@@ -172,15 +179,114 @@ To add a VPN Customer Gateway:
- **Force UDP Encapsulation of ESP Packets**: Force Encapsulation for
NAT traversal
+ .. note::
+ If the administrator has configured excluded cryptographic
+ parameters, those options will not appear in the form. If obsolete
+ parameters are configured, those options will be displayed with a
+ warning message indicating they are obsolete and should be avoided.
+
#. Click OK.
+Configuring Excluded and Obsolete VPN Customer Gateway Parameters
+''''''''''''''''''''''''''''''''''''''''''''''''
+
+CloudStack provides administrators with configuration settings to enforce
+modern security standards by marking certain cryptographic algorithms and
+parameters as excluded or obsolete for VPN Customer Gateway creation.
+
+**Excluded Parameters:**
+
+These parameters are completely hidden from users and cannot be used
+while creating or updating VPN Customer Gateways:
+
+- **vpn.customer.gateway.excluded.encryption.algorithms**: Comma-separated
+ list of encryption algorithms to exclude. Applies to both phases.
+
+- **vpn.customer.gateway.excluded.hashing.algorithms**: Comma-separated
+ list of hashing algorithms to exclude. Applies to both phases.
+
+- **vpn.customer.gateway.excluded.ike.versions**: Comma-separated list of
+ IKE versions to exclude.
+
+- **vpn.customer.gateway.excluded.dh.group**: Comma-separated list of
+ Diffie-Hellman groups to exclude. Applies to both phases.
+
+**Obsolete Parameters:**
+
+These parameters are shown with a warning message, allowing existing
+deployments to continue functioning while encouraging migration to more
+secure alternatives:
+
+- **vpn.customer.gateway.obsolete.encryption.algorithms**: Comma-separated
+ list of encryption algorithms marked as obsolete. Applies to both phases.
+
+- **vpn.customer.gateway.obsolete.hashing.algorithms**: Comma-separated
+ list of hashing algorithms marked as obsolete. Applies to phases.
+
+- **vpn.customer.gateway.obsolete.ike.versions**: Comma-separated list of
+ IKE versions marked as obsolete.
+
+- **vpn.customer.gateway.obsolete.dh.group**: Comma-separated list of
+ Diffie-Hellman groups marked as obsolete. Applies to both phases.
+
+**Behavior:**
+
+- **Excluded parameters**: Not shown in the Create and Update VPN Customer
+ Gateway forms. Users cannot select these options for new gateways.
+
+- **Obsolete parameters**: Shown with a warning message in the Create and
+ Update forms, indicating they are deprecated and should be avoided.
+
+- **Existing gateways**: If a VPN Customer Gateway already uses excluded or
+ obsolete parameters:
+
+ - A warning icon is displayed next to the gateway name with a message
+ prompting users to change the obsolete or excluded parameters.
+
+ - The Update VPN Customer Gateway form displays the setting with a
+ warning message encouraging users to change it to a more secure
+ alternative.
+
+- The ``listVpnCustomerGateways`` API response includes two new boolean
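Review bot: the **Behavior** bullet for excluded parameters ("Not shown in the Create and Update VPN Customer Gateway forms. Users cannot select these options for new gateways.") describes only the UI, while the earlier sentence says excluded parameters "cannot be used while creating or updating VPN Customer Gateways"; please state explicitly whether the corresponding create/update API calls reject excluded values, because hiding an option in the form is not an enforcement boundary if the API still accepts the value. Two smaller points in the same hunk: the ``''''`` underline below ``Configuring Excluded and Obsolete VPN Customer Gateway Parameters`` is shorter than the title text, which docutils reports as "Title underline too short", and the ``vpn.customer.gateway.obsolete.hashing.algorithms`` entry reads "Applies to phases." where its sibling entries say "Applies to both phases."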
Review Comment:
@abh1sar - I think the list vpncustomergateways API response fields are a
list of strings, not boolean.
- In the actual API response, the field names are ``obsoleteparameters`` and
``excludedparameters``
- Field type is string, not boolean
- Fields contain the actual parameter list, e.g., "[sha1, 3des]"
Can we please update this in the docs to match the actual implementation?
```
(testuser) 🐱 > list vpncustomergateways keyword=test-both
{
  "count": 1,
  "vpncustomergateway": [
    {
      "account": "testuser",
      "cidrlist": "0.0.0.0/0",
      "domain": "TestDomain",
      "domainid": "0fb6c46d-1d16-48b4-b146-9234ec22e63e",
      "domainpath": "ROOT/TestDomain",
      "dpd": false,
      "esplifetime": 3600,
      "esppolicy": "aes256-sha256",
      "excludedparameters": "[3des]",
      "forceencap": false,
      "gateway": "10.1.1.8",
      "hasannotations": false,
      "id": "89bf9794-f457-4cb9-b617-da93f268eb12",
      "ikelifetime": 86400,
      "ikepolicy": "3des-sha1;modp2048",
      "ikeversion": "ikev2",
      "ipsecpsk": "test123",
      "name": "test-both",
      "obsoleteparameters": "[sha1]",
      "splitconnections": false
    }
  ]
}
```
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
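The review comment above shows that ``obsoleteparameters`` and ``excludedparameters`` come back as strings of the form ``"[sha1, 3des]"`` rather than booleans or JSON arrays. The following is an added example, not code from the CloudStack project or from the PR, of an audit script an administrator could run over saved ``list vpncustomergateways`` output to find gateways that still use excluded or obsolete parameters and to map each flagged parameter back to the policy field where it is used. It assumes the bracketed comma-separated string format seen in the sample response, and assumes the ``ikepolicy``/``esppolicy`` strings follow the ``<encryption>-<hash>[;<dh-group>]`` layout seen there; the sample input embeds the gateway from the comment plus a constructed clean gateway for contrast.

```python
"""Audit saved listVpnCustomerGateways output for excluded/obsolete crypto parameters."""
import json
from dataclasses import dataclass, field

# Constructed sample input: "test-both" reproduces the gateway shown in the review
# comment; "clean-gw" is a made-up gateway with no flagged parameters.
SAMPLE_RESPONSE = json.dumps({
    "count": 2,
    "vpncustomergateway": [
        {
            "name": "test-both",
            "gateway": "10.1.1.8",
            "ikepolicy": "3des-sha1;modp2048",
            "esppolicy": "aes256-sha256",
            "ikeversion": "ikev2",
            "excludedparameters": "[3des]",
            "obsoleteparameters": "[sha1]",
        },
        {
            "name": "clean-gw",
            "gateway": "10.1.1.9",
            "ikepolicy": "aes256-sha256;modp2048",
            "esppolicy": "aes256-sha256",
            "ikeversion": "ikev2",
            "excludedparameters": "[]",
            "obsoleteparameters": "[]",
        },
    ],
})


def parse_bracket_list(value):
    """Parse the assumed "[sha1, 3des]" string form into a list of names.

    Missing fields, an empty string and "[]" all yield an empty list.
    """
    if not value:
        return []
    inner = value.strip()
    if inner.startswith("[") and inner.endswith("]"):
        inner = inner[1:-1]
    return [item.strip() for item in inner.split(",") if item.strip()]


def parse_policy(policy):
    """Split a policy string such as '3des-sha1;modp2048' into its components.

    Assumed layout: '<encryption>-<hash>[;<dh-group>]'; the DH group is optional.
    """
    algs, _, dh = policy.partition(";")
    enc, _, hsh = algs.partition("-")
    return {"encryption": enc, "hashing": hsh, "dh": dh or None}


@dataclass
class Finding:
    name: str
    gateway: str
    excluded: list = field(default_factory=list)
    obsolete: list = field(default_factory=list)
    # parameter name -> list of response fields where that parameter is in use
    locations: dict = field(default_factory=dict)

    @property
    def severity(self):
        """'excluded' outranks 'obsolete'; 'ok' means nothing was flagged."""
        if self.excluded:
            return "excluded"
        if self.obsolete:
            return "obsolete"
        return "ok"


def audit(response_json):
    """Return one Finding per gateway in a listVpnCustomerGateways JSON response."""
    data = json.loads(response_json)
    findings = []
    for gw in data.get("vpncustomergateway", []):
        finding = Finding(
            name=gw["name"],
            gateway=gw["gateway"],
            excluded=parse_bracket_list(gw.get("excludedparameters")),
            obsolete=parse_bracket_list(gw.get("obsoleteparameters")),
        )
        # Where each flagged parameter actually appears in the gateway configuration.
        in_use = {
            "ikepolicy": parse_policy(gw["ikepolicy"]),
            "esppolicy": parse_policy(gw["esppolicy"]),
            "ikeversion": {"version": gw.get("ikeversion")},
        }
        for param in finding.excluded + finding.obsolete:
            finding.locations[param] = [
                where for where, parts in in_use.items() if param in parts.values()
            ]
        findings.append(finding)
    return findings


def summarize(findings):
    """Map gateway name -> severity, for a quick overview or a monitoring check."""
    return {f.name: f.severity for f in findings}


if __name__ == "__main__":
    for f in audit(SAMPLE_RESPONSE):
        print(f"{f.name} ({f.gateway}): {f.severity}")
        for param, where in f.locations.items():
            print(f"  {param} used in {', '.join(where) or 'unknown'}")
```

Feed it the JSON saved from ``cloudmonkey`` (for example ``list vpncustomergateways`` with JSON output redirected to a file) instead of ``SAMPLE_RESPONSE``; gateways reported as ``excluded`` are the ones whose configuration can no longer be recreated through the form and should be migrated first.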