summaryrefslogtreecommitdiff
path: root/docs/configuration
diff options
context:
space:
mode:
authorRobert Göhler <github@ghlr.de>2023-10-26 13:36:13 +0200
committerGitHub <noreply@github.com>2023-10-26 13:36:13 +0200
commit7aa0c1ab320a527900c5c54c81264a2f31b7db06 (patch)
tree8b040d7add61ba45b15dc7eb92019d4cb620f517 /docs/configuration
parent90c343fa9289ec150b3908bb625156198c2d6145 (diff)
parent4d7e44d3e7a80d028a12785ccaed4d78ab7636bd (diff)
downloadvyos-documentation-7aa0c1ab320a527900c5c54c81264a2f31b7db06.tar.gz
vyos-documentation-7aa0c1ab320a527900c5c54c81264a2f31b7db06.zip
Merge pull request #1126 from srividya0208/ipsec_vips
Added config example of vpn ipsec site-to-site
Diffstat (limited to 'docs/configuration')
-rw-r--r--docs/configuration/vpn/ipsec.rst4
-rw-r--r--docs/configuration/vpn/site2site_ipsec.rst4
2 files changed, 6 insertions, 2 deletions
diff --git a/docs/configuration/vpn/ipsec.rst b/docs/configuration/vpn/ipsec.rst
index c91feea0..ece06fa2 100644
--- a/docs/configuration/vpn/ipsec.rst
+++ b/docs/configuration/vpn/ipsec.rst
@@ -161,11 +161,11 @@ Options (Global IPsec settings) Attributes
* ``disable-route-autoinstall`` Do not automatically install routes to remote networks;
- * ``flexvpn`` Allow FlexVPN vendor ID payload (IKEv2 only). Send the Cisco FlexVPN vendor ID payload (IKEv2 only), which is required in order to make Cisco brand devices allow negotiating a local traffic selector (from strongSwan's point of view) that is not the assigned virtual IP address if such an address is requested by strongSwan. Sending the Cisco FlexVPN vendor ID prevents the peer from narrowing the initiator's local traffic selector and allows it to e.g. negotiate a TS of 0.0.0.0/0 == 0.0.0.0/0 instead. This has been tested with a "tunnel mode ipsec ipv4" Cisco template but should also work for GRE encapsulation;
+ * ``flexvpn`` Allows FlexVPN vendor ID payload (IKEv2 only). Send the Cisco FlexVPN vendor ID payload (IKEv2 only), which is required in order to make Cisco brand devices allow negotiating a local traffic selector (from strongSwan's point of view) that is not the assigned virtual IP address if such an address is requested by strongSwan. Sending the Cisco FlexVPN vendor ID prevents the peer from narrowing the initiator's local traffic selector and allows it to e.g. negotiate a TS of 0.0.0.0/0 == 0.0.0.0/0 instead. This has been tested with a "tunnel mode ipsec ipv4" Cisco template but should also work for GRE encapsulation;
* ``interface`` Interface Name to use. The name of the interface on which virtual IP addresses should be installed. If not specified the addresses will be installed on the outbound interface;
- * ``virtual-ip`` Allow install virtual-ip addresses. Comma separated list of virtual IPs to request in IKEv2 configuration payloads or IKEv1 Mode Config. The wildcard addresses 0.0.0.0 and :: request an arbitrary address, specific addresses may be defined. The responder may return a different address, though, or none at all.
+ * ``virtual-ip`` Allows to install virtual-ip addresses. Comma separated list of virtual IPs to request in IKEv2 configuration payloads or IKEv1 Mode Config. The wildcard addresses 0.0.0.0 and :: request an arbitrary address, specific addresses may be defined. The responder may return a different address, though, or none at all. Define the ``virtual-address`` option to configure the IP address in site-to-site hierarchy.
*************************
IPsec policy matching GRE
diff --git a/docs/configuration/vpn/site2site_ipsec.rst b/docs/configuration/vpn/site2site_ipsec.rst
index 57b45181..2b3403f5 100644
--- a/docs/configuration/vpn/site2site_ipsec.rst
+++ b/docs/configuration/vpn/site2site_ipsec.rst
@@ -149,6 +149,10 @@ Each site-to-site peer has the next options:
* ``esp-group`` - define ESP group for encrypt traffic, passed this VTI
interface.
+* ``virtual-address`` - Defines a virtual IP address which is requested by the
+ initiator and one or several IPv4 and/or IPv6 addresses are assigned from
+ multiple pools by the responder.
+
Examples:
------------------