Age | Commit message (Collapse) | Author |
|
|
|
|
|
|
|
|
|
|
|
FRR supports configuring either network prefixes per area, or assign an
interface to an area to participate in the routing process. This is already well
known from other venders and supported by FRR.
A valid VyOS OSPF configuration would then look like:
vyos@vyos# show protocols
ospf {
interface dum0 {
area 0
}
interface eth0.201 {
area 0
authentication {
md5 {
key-id 10 {
md5-key vyos
}
}
}
dead-interval 40
hello-interval 10
priority 1
retransmit-interval 5
transmit-delay 1
}
log-adjacency-changes {
detail
}
parameters {
abr-type cisco
router-id 172.18.254.201
}
passive-interface default
passive-interface-exclude eth0.201
}
|
|
This commit fixes an error introduced by 43fcc0db0 ("conntrack: T3275: migrate
'disable' syntax to 'enable' syntax for the new default behavior") as the
<valueless/> option can only be used on leafNodes. THis triggered the following
build error:
ValueError: <valueless/> is only allowed in <leafNode>
|
|
pbr: T3702: Add rules match fwmark
|
|
default behavior
|
|
When removing bgp (vrf) instances the assigned VRF vni must be deleted from FRR
prior the removal of the bgp settings (T3734).
This is now done by moving the CLI command "set vrf name red vni 1000" to a
dedicated Python script with a priority higher then bgp.
|
|
policy: T3673: Add set large-comm-list for route-map
|
|
|
|
FRR 7.5.1 supports:
vyos(config-route-map)# match evpn
default-route default EVPN type-5 route
rd Route Distinguisher
route-type Match route-type
vni Match VNI
This commit adds a proper VyOS CLI abstraction.
|
|
|
|
|
|
IKE dh-group defaults to 2 (modp1024).
|
|
|
|
isis: T3693: Adding IPv6 redistribution to ISIS
|
|
In this commit we add the ability to redistribute into
ISIS for IPv6 address family.
|
|
|
|
|
|
set vpn ipsec remote-access connection rw authentication client-mode 'eap-radius'
set vpn ipsec remote-access connection rw authentication id '192.0.2.1'
set vpn ipsec remote-access connection rw authentication server-mode 'x509'
set vpn ipsec remote-access connection rw authentication x509 ca-certificate 'CAcert_Class_3_Root'
set vpn ipsec remote-access connection rw authentication x509 certificate 'vyos'
set vpn ipsec remote-access connection rw esp-group 'ESP-RW'
set vpn ipsec remote-access connection rw ike-group 'IKE-RW'
set vpn ipsec remote-access connection rw local-address '192.0.2.1'
set vpn ipsec remote-access connection rw pool 'ra-rw-ipv4'
set vpn ipsec remote-access connection rw unique 'never'
set vpn ipsec remote-access pool ra-rw-ipv4 name-server '192.0.2.2'
set vpn ipsec remote-access pool ra-rw-ipv4 prefix '192.168.22.0/24'
set vpn ipsec remote-access radius nas-identifier 'fooo'
set vpn ipsec remote-access radius server 172.16.100.10 key 'secret'
|
|
|
|
As this is only related to remote-access, keeping it under "options" simply
feels wrong.
|
|
Update/refresh of DNS records is now handled internally by Strongswan.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
pki: wireguard: T3642: Migrate Wireguard private key directly into CLI
|
|
Also renames peer pubkey to public-key for consistency
|
|
Connection uniqueness policy to enforce. To avoid multiple connections from the
same user, a uniqueness policy can be enforced.
* never: never enforce such a policy, even if a peer included INITIAL_CONTACT
notification
* keep: reject new connection attempts if the same user already has an active
connection
* replace: delete any existing connection if a new one for the same user gets
established
To compare connections for uniqueness, the remote IKE identity is used. If EAP
or XAuth authentication is involved, the EAP-Identity or XAuth username is used
to enforce the uniqueness policy instead.
|
|
Remote access IP pools can now be defined at a global level and referenced
in IPSec remote-access connections. To defined a pool use:
set vpn ipsec remote-access pool global-ipv4 name-server '172.16.1.1'
set vpn ipsec remote-access pool global-ipv4 prefix '192.168.0.0/24'
set vpn ipsec remote-access pool global-ipv6 name-server '2001:db8::1'
set vpn ipsec remote-access pool global-ipv6 prefix '2001:db8:1000::/64'
A connection can then reference the pool:
set vpn ipsec remote-access connection foo pool 'global-ipv4'
set vpn ipsec remote-access connection foo pool 'global-ipv6'
|
|
... this enables a dual-stack IKEv2 VPN deployment.
|
|
VRF: T3655: proper connection tracking for VRFs
|
|
Currently, all VRFs share the same connection tracking table, which can
lead to problems:
- traffic leaks to a wrong VRF
- improper NAT rules handling when multiple VRFs contain the same IP
networks
- stateful firewall rules issues
The commit implements connection tracking zones support. Each VRF
utilizes its own zone, so connections will never mix up.
It also adds some restrictions to VRF names and assigned table numbers,
because of nftables and conntrack requirements:
- VRF name should always start from a letter (interfaces that start from
numbers are not supported in nftables rules)
- table number must be in the 100-65535 range because conntrack supports
only 65535 zones
|
|
|
|
|
|
|
|
update to use PKI.
|
|
Set its priority to 1280 to prevent its configuration
failure from affecting the underlying network services
|
|
|
|
|
|
Also adds check for the charon socket instead of an arbitrary sleep()
|
|
- Adds client/server authentication methods.
- Adds basic verification to remote-access.
- Adds DHCP pool and options to remote-access.
- Cleanup unused PKI files.
|
|
|
|
Used by both site2site and remote-access/road-warrior VPN connections.
|
|
|