summaryrefslogtreecommitdiff
path: root/docs/configuration
diff options
context:
space:
mode:
authorRobert Göhler <github@ghlr.de>2024-03-05 21:25:45 +0100
committerGitHub <noreply@github.com>2024-03-05 21:25:45 +0100
commitfd6bbf93a4d1165685aedd851ffb6888dddf8adf (patch)
tree1f160804479ab8e27a8d117e4b776aa1c084284c /docs/configuration
parentde7fab8728d9178ae548fc11f66495f5b7054693 (diff)
parent4c533eef7ff58915057d1c0abb0ae32627d91072 (diff)
downloadvyos-documentation-fd6bbf93a4d1165685aedd851ffb6888dddf8adf.tar.gz
vyos-documentation-fd6bbf93a4d1165685aedd851ffb6888dddf8adf.zip
Merge pull request #1306 from srividya0208/ipsecedit
addition of missing parameter
Diffstat (limited to 'docs/configuration')
-rw-r--r--docs/configuration/vpn/site2site_ipsec.rst39
1 files changed, 21 insertions, 18 deletions
diff --git a/docs/configuration/vpn/site2site_ipsec.rst b/docs/configuration/vpn/site2site_ipsec.rst
index 78cadfb5..ab0f623f 100644
--- a/docs/configuration/vpn/site2site_ipsec.rst
+++ b/docs/configuration/vpn/site2site_ipsec.rst
@@ -16,7 +16,8 @@ special characters. It is purely informational.
Each site-to-site peer has the next options:
* ``authentication`` - configure authentication between VyOS and a remote peer.
- Suboptions:
+ If pre-shared-secret mode is used, the secret key must be defined in
+ ``set vpn ipsec authentication`` and suboptions:
* ``psk`` - Preshared secret key name:
@@ -36,8 +37,7 @@ Each site-to-site peer has the next options:
* ``pre-shared-secret`` - use predefined shared secret phrase;
- * ``rsa`` - use simple shared RSA key. The key must be defined in the
- ``set vpn rsa-keys`` section;
+ * ``rsa`` - use simple shared RSA key.
* ``x509`` - use certificates infrastructure for authentication.
@@ -45,29 +45,26 @@ Each site-to-site peer has the next options:
address. Useful in case if the remote peer is behind NAT or if ``mode x509``
is used;
- * ``rsa-key-name`` - shared RSA key for authentication. The key must be defined
- in the ``set vpn rsa-keys`` section;
+ * ``rsa`` - options for RSA authentication mode:
- * ``use-x509-id`` - use local ID from x509 certificate. Cannot be used when
- ``id`` is defined;
+ * ``local-key`` - name of PKI key-pair with local private key
- * ``x509`` - options for x509 authentication mode:
+ * ``remote-key`` - name of PKI key-pair with remote public key
- * ``ca-cert-file`` - CA certificate file. Using for authenticating
- remote peer;
+ * ``passphrase`` - local private key passphrase
- * ``cert-file`` - certificate file, which will be used for authenticating
- local router on remote peer;
+ * ``use-x509-id`` - use local ID from x509 certificate. Cannot be used when
+ ``id`` is defined;
- * ``crl-file`` - file with the Certificate Revocation List. Using to check if
- a certificate for the remote peer is valid or revoked;
+ * ``x509`` - options for x509 authentication mode:
- * ``key`` - a private key, which will be used for authenticating local router
- on remote peer:
+ * ``ca-certificate`` - CA certificate in PKI configuration. Using for
+ authenticating remote peer;
- * ``file`` - path to the key file;
+ * ``certificate`` - certificate file in PKI configuration, which will be used
+ for authenticating local router on remote peer;
- * ``password`` - passphrase private key, if needed.
+ * ``passphrase`` - private key passphrase, if needed.
* ``connection-type`` - how to handle this connection process. Possible
variants:
@@ -113,6 +110,9 @@ Each site-to-site peer has the next options:
Hostname is a DNS name which could be used when a peer has a public IP
address and DNS name, but an IP address could be changed from time to time.
+* ``replay-window`` - IPsec replay window to configure for this CHILD_SA
+ (default: 32), a value of 0 disables IPsec replay protection
+
* ``tunnel`` - define criteria for traffic to be matched for encrypting and send
it to a peer:
@@ -127,6 +127,9 @@ Each site-to-site peer has the next options:
* ``prefix`` - IP network at local side.
+ * ``priority`` - Add priority for policy-based IPSec VPN tunnels(lowest value
+ more preferable)
+
* ``protocol`` - define the protocol for match traffic, which should be
encrypted and send to this peer;