author Christian Poessinger <christian@poessinger.com> 2020-11-16 08:03:39 +0100
committer Christian Poessinger <christian@poessinger.com> 2020-11-16 08:03:39 +0100
commit c405bc37679b21fd21b9c68d4b77ce22f92447ae
tree 7d1b2d607e5e535888632126de0dab52db3909ec /docs/vpn
parent 8a3147fca5aa6e1623a09d3ce120886463006418
ipsec: fix toc level
Diffstat (limited to 'docs/vpn')
-rw-r--r-- docs/vpn/ipsec.rst 13
1 files changed, 7 insertions, 6 deletions
diff --git a/docs/vpn/ipsec.rst b/docs/vpn/ipsec.rst
index 8b0ad3b3..647f3753 100644
--- a/docs/vpn/ipsec.rst
+++ b/docs/vpn/ipsec.rst
@@ -4,9 +4,9 @@
IPsec
#####
-Generic Routing Encapsulation (GRE), GRE/IPsec (or IPIP/IPsec, SIT/IPsec, or any
-other stateless tunnel protocol over IPsec) is the usual way to protect the
-traffic inside a tunnel.
+:abbr:`GRE (Generic Routing Encapsulation)`, GRE/IPsec (or IPIP/IPsec,
+SIT/IPsec, or any other stateless tunnel protocol over IPsec) is the usual way
+to protect the traffic inside a tunnel.
An advantage of this scheme is that you get a real interface with its own
address, which makes it easier to setup static routes or use dynamic routing
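Review bot: the rewritten opening sentence still lists bare GRE as a subject (":abbr:`GRE (...)`, GRE/IPsec (...) is the usual way to protect the traffic inside a tunnel"), which reads as if GRE on its own protects traffic; GRE only encapsulates, and the protection comes from the IPsec layer. Suggest starting the sentence with "GRE/IPsec (or IPIP/IPsec, SIT/IPsec, ...)" and attaching the :abbr: expansion to that first GRE. This rewording is also outside the "fix toc level" subject, so it should be mentioned in the commit message, and "setup static routes" in the following context paragraph could be corrected to "set up" while the paragraph is being touched.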
@@ -26,11 +26,12 @@ what needs to be changed to make it work with a different protocol. We assume
that IPsec will use pre-shared secret authentication and will use AES128/SHA1
for the cipher and hash. Adjust this as necessary.
-.. NOTE:: VMware users should ensure that VMXNET3 adapters used, e1000 adapters
- have known issue with GRE processing
+.. NOTE:: VMware users should ensure that a VMXNET3 adapter is used. E1000
+ adapters have known issues with GRE processing.
+*************************
IPsec policy matching GRE
-^^^^^^^^^^^^^^^^^^^^^^^^^
+*************************
The first and arguably cleaner option is to make your IPsec policy match GRE
packets between external addresses of your routers. This is the best option if
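Review bot: only the "IPsec policy matching GRE" heading is moved from a "^" underline to a "*" overline and underline here, and the diffstat (7 insertions, 6 deletions) leaves no room for other heading changes, so any sibling section in ipsec.rst that still uses "^" will now sit at a different toc level than this one. Please check the remaining section headings in the file and convert them in the same commit. The NOTE rewording about VMXNET3 and E1000 adapters is a wording fix rather than a toc change, so mention it in the commit message or split it into its own commit.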