| author | rebortg <github@ghlr.de> | 2023-08-27 21:04:56 +0200 | 
|---|---|---|
| committer | rebortg <github@ghlr.de> | 2023-08-27 21:04:56 +0200 | 
| commit | 355b459f22544c97bd0332ff06dee1d39a05ac07 (patch) | |
| tree | 54b261d0577c48a53695d6cf8392cb130ed2ae0a /docs/configuration/interfaces | |
| parent | abd23045bc3bc06fcd6475e3e616056c1870ab0c (diff) | |
| parent | 02aafc3df3abebb58832c62ded26c495363ebb3a (diff) | |
| download | vyos-documentation-355b459f22544c97bd0332ff06dee1d39a05ac07.tar.gz vyos-documentation-355b459f22544c97bd0332ff06dee1d39a05ac07.zip | |
Merge branch 'master' of github.com:vyos/vyos-documentation into localazy-3
Diffstat (limited to 'docs/configuration/interfaces')
| -rw-r--r-- | docs/configuration/interfaces/macsec.rst | 49 | ||||
| -rw-r--r-- | docs/configuration/interfaces/wireguard.rst | 4 | ||||
| -rw-r--r-- | docs/configuration/interfaces/wireless.rst | 13 | 
3 files changed, 61 insertions, 5 deletions
| diff --git a/docs/configuration/interfaces/macsec.rst b/docs/configuration/interfaces/macsec.rst index 60877d73..0c0c052b 100644 --- a/docs/configuration/interfaces/macsec.rst +++ b/docs/configuration/interfaces/macsec.rst @@ -44,6 +44,30 @@ MACsec options    A physical interface is required to connect this MACsec instance to. Traffic    leaving this interface will now be authenticated/encrypted. +Static Keys +----------- +Static :abbr:`SAK (Secure Authentication Key)` mode can be configured manually on each +device wishing to use MACsec. Keys must be set statically on all devices for traffic +to flow properly. Key rotation is dependent on the administrator updating all keys +manually across connected devices. Static SAK mode can not be used with MKA. + +.. cfgcmd:: set interfaces macsec <interface> security static key <key> + +  Set the device's transmit (TX) key. This key must be a hex string that is 16-bytes  +  (GCM-AES-128) or 32-bytes (GCM-AES-256). + +.. cfgcmd:: set interfaces macsec <interface> security static peer <peer> mac <mac address> + +  Set the peer's MAC address + +.. cfgcmd:: set interfaces macsec <interface> security static peer <peer> key <key> + +  Set the peer's key used to receive (RX) traffic + +.. cfgcmd:: set interfaces macsec <interface> security static peer <peer> disable + +  Disable the peer configuration +  Key Management  -------------- 
@@ -188,3 +212,28 @@ the unencrypted but authenticated content.            0x0070:  3031 3233 3435 3637 87d5 eed3 3a39 d52b  01234567....:9.+            0x0080:  a282 c842 5254 ef28                      ...BRT.( +**R1 Static Key** + +.. code-block:: none + +  set interfaces macsec macsec1 address '192.0.2.1/24' +  set interfaces macsec macsec1 address '2001:db8::1/64' +  set interfaces macsec macsec1 security cipher 'gcm-aes-128' +  set interfaces macsec macsec1 security encrypt +  set interfaces macsec macsec1 security static key 'ddd6f4a7be4d8bbaf88b26f10e1c05f7' +  set interfaces macsec macsec1 security static peer R2 mac 00:11:22:33:44:02 +  set interfaces macsec macsec1 security static peer R2 key 'eadcc0aa9cf203f3ce651b332bd6e6c7' +  set interfaces macsec macsec1 source-interface 'eth1' + +**R2 Static Key** + +.. code-block:: none + +  set interfaces macsec macsec1 address '192.0.2.2/24' +  set interfaces macsec macsec1 address '2001:db8::2/64' +  set interfaces macsec macsec1 security cipher 'gcm-aes-128' +  set interfaces macsec macsec1 security encrypt +  set interfaces macsec macsec1 security static key 'eadcc0aa9cf203f3ce651b332bd6e6c7' +  set interfaces macsec macsec1 security static peer R2 mac 00:11:22:33:44:01 +  set interfaces macsec macsec1 security static peer R2 key 'ddd6f4a7be4d8bbaf88b26f10e1c05f7' +  set interfaces macsec macsec1 source-interface 'eth1'
\ No newline at end of file diff --git a/docs/configuration/interfaces/wireguard.rst b/docs/configuration/interfaces/wireguard.rst index 5eb10fe8..d2916d9f 100644 --- a/docs/configuration/interfaces/wireguard.rst +++ b/docs/configuration/interfaces/wireguard.rst @@ -183,6 +183,10 @@ traffic.    The command :opcmd:`show interfaces wireguard wg01 public-key` will then show the    public key, which needs to be shared with the peer. +.. cmdinclude:: /_include/interface-per-client-thread.txt +   :var0: wireguard +   :var1: wg01 +  **remote side - commands**  .. code-block:: none diff --git a/docs/configuration/interfaces/wireless.rst b/docs/configuration/interfaces/wireless.rst index f45101b5..e853a1ec 100644 --- a/docs/configuration/interfaces/wireless.rst +++ b/docs/configuration/interfaces/wireless.rst @@ -122,6 +122,10 @@ Wireless options    * ``station`` - Connects to another access point    * ``monitor`` - Passively monitor all packets on the frequency/channel +.. cmdinclude:: /_include/interface-per-client-thread.txt +   :var0: wireless +   :var1: wlan0 +  PPDU  ---- @@ -304,6 +308,7 @@ default physical device (``phy0``) is used.    set interfaces wireless wlan0 type station    set interfaces wireless wlan0 address dhcp +  set interfaces wireless wlan0 country-code de    set interfaces wireless wlan0 ssid Test    set interfaces wireless wlan0 security wpa passphrase '12345678' @@ -315,6 +320,7 @@ Resulting in      [...]      wireless wlan0 {        address dhcp +      country-code de        security {          wpa {            passphrase "12345678" @@ -350,6 +356,7 @@ The WAP in this example has the following characteristics:  .. code-block:: none    set interfaces wireless wlan0 address '192.168.2.1/24' +  set interfaces wireless wlan0 country-code de    set interfaces wireless wlan0 type access-point    set interfaces wireless wlan0 channel 1    set interfaces wireless wlan0 mode n 
@@ -367,6 +374,7 @@ Resulting in      [...]      wireless wlan0 {            address 192.168.2.1/24 +          country-code de            channel 1            mode n            security { @@ -385,11 +393,6 @@ Resulting in            type access-point        }    } -  system { -    [...] -    wifi-regulatory-domain DE -  } -  VLAN  ==== | 
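Review bot: In the new "Static Keys" section of macsec.rst, the `:abbr:` expands SAK as "Secure Authentication Key", but in MACsec (IEEE 802.1AE) SAK stands for Secure Association Key; please correct the expansion. In the same hunk, "can not" should be "cannot", the line ending in "16-bytes" carries trailing whitespace, and the `peer <peer> mac`, `peer <peer> key` and `peer <peer> disable` descriptions end without a period. The length requirement (16 or 32 bytes of hex) is stated only for the TX key; repeating it on the `peer <peer> key` description would save readers from guessing that the RX key follows the same rule.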
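Review bot: In the "R2 Static Key" example added at the end of macsec.rst, the peer is named `R2` on R2 itself (`security static peer R2 mac 00:11:22:33:44:01`), although the MAC address and RX key on those lines belong to R1; naming the peer `R1` there would match the R1 block, which names its peer `R2`. The file now also ends without a trailing newline ("\ No newline at end of file"), so please add one after the last `source-interface` line.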
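Review bot: In the wireguard.rst hunk, the `cmdinclude` for `/_include/interface-per-client-thread.txt` is placed between the sentence about `show interfaces wireguard wg01 public-key` and the `**remote side - commands**` block, so the rendered option description appears to land in the middle of the example walkthrough. Consider moving it next to the other interface option descriptions, as the wireless.rst hunk does by placing the same include directly under "Wireless options".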
