-rw-r--r-- | CONTRIBUTING.md | 18
-rw-r--r-- | docs/appendix/examples/dmvpn.rst | 1
-rw-r--r-- | docs/conf.py | 6
-rw-r--r-- | docs/configuration-overview.rst | 14
-rw-r--r-- | docs/contributing/index.rst | 1
-rw-r--r-- | docs/contributing/upstream-packages.rst | 2
-rw-r--r-- | docs/firewall.rst | 17
-rw-r--r-- | docs/history.rst | 38
-rw-r--r-- | docs/interfaces/tunnel.rst | 24
-rw-r--r-- | docs/nat.rst | 6
-rw-r--r-- | docs/routing/bgp.rst | 6
-rw-r--r-- | docs/services/index.rst | 3
-rw-r--r-- | docs/services/ipoe-server.rst | 6
-rw-r--r-- | docs/services/references.rst | 2
-rw-r--r-- | docs/services/sstp-server.rst | 76
-rw-r--r-- | docs/services/webproxy.rst | 4
-rw-r--r-- | docs/vpn/dmvpn.rst | 8
-rw-r--r-- | docs/vpn/index.rst | 2
-rw-r--r-- | docs/vpn/l2tp.rst | 237
-rw-r--r-- | docs/vpn/l2tp_ipsec.rst | 132
-rw-r--r-- | docs/vpn/openvpn.rst | 60
-rw-r--r-- | docs/vpn/pptp.rst | 2
-rw-r--r-- | docs/vpn/site2site_ipsec.rst | 44
23 files changed, 486 insertions, 223 deletions
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 9dcaeb1b..496659bb 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -10,12 +10,18 @@ Please check the documation, if you don't familiar with [sphinx-doc](http://http://www.sphinx-doc.org) or [reStructuredText](http://www.sphinx-doc.org/en/master/usage/restructuredtext/index.html) - Note the following RFCs, which describe the reserved public IP addresses and autonomous system numbers for the documentation. Please don't use other public address space. - - * [RFC5737](https://tools.ietf.org/html/rfc5737) - * [RFC3849](https://tools.ietf.org/html/rfc3849) - * [RFC5389](https://tools.ietf.org/html/rfc5398) - + Note the following RFCs, which describe the reserved public IP addresses and autonomous system numbers for the documentation. [RFC5737](https://tools.ietf.org/html/rfc5737), [RFC3849](https://tools.ietf.org/html/rfc3849), [RFC5389](https://tools.ietf.org/html/rfc5398), [RFC7042](https://tools.ietf.org/html/rfc7042) + + * 192.0.2.0/24 + * 198.51.100.0/24 + * 203.0.113.0/24 + * 2001:db8::/32 + * 16bit ASN: 64496 - 64511 + * 32bit ASN: 65536 - 65551 + * Unicast MAC Addresses: 00-53-00 to 00-53-FF + * Multicast MAC-Addresses: 90-10-00 to 90-10-FF + + Please don't use other public address space. 5. add the modified files diff --git a/docs/appendix/examples/dmvpn.rst b/docs/appendix/examples/dmvpn.rst index d3bf45c7..f247cade 100644 --- a/docs/appendix/examples/dmvpn.rst +++ b/docs/appendix/examples/dmvpn.rst @@ -88,6 +88,7 @@ Use this configuration on your Cisco device: crypto ipsec profile DMVPN set security-association idle-time 720 set transform-set DMVPN-AES256 + set isakmp-profile DMVPN ! interface Tunnel10 description Tunnel to DMVPN HUB diff --git a/docs/conf.py b/docs/conf.py index aa76a7d6..51879fbb 100644 --- a/docs/conf.py +++ b/docs/conf.py 
@@ -20,14 +20,14 @@ # -- Project information ----------------------------------------------------- project = u'VyOS' -copyright = u'2018, VyOS maintainers and contributors' +copyright = u'2019, VyOS maintainers and contributors' author = u'VyOS maintainers and contributors' # The short X.Y version -version = u'1.3.0' +version = u'1.2' # The full version, including alpha/beta/rc tags -release = u'current' +release = u'crux' # -- General configuration --------------------------------------------------- diff --git a/docs/configuration-overview.rst b/docs/configuration-overview.rst index 9031609f..1ed0938f 100644 --- a/docs/configuration-overview.rst +++ b/docs/configuration-overview.rst @@ -214,10 +214,10 @@ These commands are also relative to the level where they are executed and all re .. code-block:: sh [edit] - vyos@vyos# set interface ethernet eth0 address 1.2.3.4/24 + vyos@vyos# set interface ethernet eth0 address 203.0.113.6/24 [edit interfaces ethernet eth0] - vyos@vyos# set address 1.2.3.4/24 + vyos@vyos# set address 203.0.113.6/24 These two commands above are essentially the same, just executed from different levels in the hierarchy. @@ -227,7 +227,7 @@ Deleting an entry could also mean to reset it back to its default value if the e .. code-block:: sh [edit interfaces ethernet eth0] - vyos@vyos# delete address 1.2.3.4/24 + vyos@vyos# delete address 203.0.113.6/24 Any change you do on the configuration, will not take effect until committed using the `commit` command in configuration mode. @@ -352,7 +352,7 @@ VyOS has built-in config archiving and versioning that renders tools like rancid This feature was available in Vyatta Core since 6.3 Local archive and revisions -~~~~~~~~~~~~~~~~~~~~~~~~~~~ +--------------------------- Revisions are stored on disk, you can view them, compare them, and rollback to previous revisions if anything goes wrong. To view existing revisions, use `show system commit` operational mode command. 
@@ -390,11 +390,13 @@ You can compare revisions with `compare X Y` command, where X and Y are revision You can rollback to a previous revision with `rollback X`, where X is a revision number. Your system will reboot and load the config from the archive. Configuring the archive size -~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +---------------------------- + You can specify the number of revisions stored on disk with `set system config-management commit-revisions X`, where X is a number between 0 and 65535. When the number of revisions exceeds that number, the oldest revision is removed. Remote archive -~~~~~~~~~~~~~~ +-------------- + VyOS can copy the config to a remote location after each commit. TFTP, FTP, and SFTP servers are supported. You can specify the location with `set system config-management commit-archive location URL` command, e.g. `set system config-management commit-archive location tftp://10.0.0.1/vyos`. diff --git a/docs/contributing/index.rst b/docs/contributing/index.rst index 82d1b588..a7dd55ce 100644 --- a/docs/contributing/index.rst +++ b/docs/contributing/index.rst @@ -8,3 +8,4 @@ development vyos_cli coding_guidelines + upstream-packages diff --git a/docs/contributing/upstream-packages.rst b/docs/contributing/upstream-packages.rst index 55c7e5e2..4e602866 100644 --- a/docs/contributing/upstream-packages.rst +++ b/docs/contributing/upstream-packages.rst @@ -1,4 +1,4 @@ -.. _development: +.. _development_pkgs: Upstream packages ================= diff --git a/docs/firewall.rst b/docs/firewall.rst index fc6bf746..f41bbcbb 100644 --- a/docs/firewall.rst +++ b/docs/firewall.rst @@ -3,7 +3,7 @@ Firewall ======== -VyOS makes use of Linux [netfilter](http://netfilter.org/) for packet filtering. +VyOS makes use of Linux `netfilter <http://netfilter.org/>`_ for packet filtering. The firewall supports the creation of groups for ports, addresses, and networks (implemented using netfilter ipset) and the option of interface or zone based 
@@ -25,8 +25,7 @@ firewall can be created to simplify configuration when multiple interfaces belong to the same security zone. Instead of applying to rulesets to interfaces they are applied to source zone-destination zone pairs. -An introduction to zone-based firewalls can be found [[A primer to Zone Based -Firewall|here]]. For an example see :ref:`examples-zone-policy`. +An example to zone-based firewalls can be found here: :ref:`examples-zone-policy`. Groups ------ @@ -114,12 +113,11 @@ Example Partial Config config-trap disable group { network-group BAD-NETWORKS { - network 1.2.3.0/24 - network 1.2.4.0/24 + network 198.51.100.0/24 + network 203.0.113.0/24 } network-group GOOD-NETWORKS { - network 4.5.6.0/24 - network 4.5.7.0/24 + network 192.0.2.0/24 } port-group BAD-PORTS { port 65535 @@ -172,7 +170,4 @@ Example Partial Config } } } - } - -[XFinity Blocked Port List](https://www.xfinity.com/support/internet/list-of-blocked-ports/) - + }
\ No newline at end of file diff --git a/docs/history.rst b/docs/history.rst index 422d56c7..46764d89 100644 --- a/docs/history.rst +++ b/docs/history.rst 
@@ -3,22 +3,40 @@ VyOS History ================== -VyOS is a Linux-based network operating system that provides software-based network routing, firewall, and VPN functionality. +VyOS is a Linux-based network operating system that provides software-based +network routing, firewall, and VPN functionality. -The VyOS project was started in late 2013 as a community fork of the `GPL <http://en.wikipedia.org/wiki/GNU_General_Public_License>`_ portions of Vyatta Core 6.6R1 with the goal of maintaining a free and open source network operating system in response to the decision to discontinue the community edition of Vyatta. Here everyone loves learning, older managers and new users. +The VyOS project was started in late 2013 as a community fork of the +`GPL <http://en.wikipedia.org/wiki/GNU_General_Public_License>`_ portions of +Vyatta Core 6.6R1 with the goal of maintaining a free and open source network +operating system in response to the decision to discontinue the community +edition of Vyatta. Here everyone loves learning, older managers and new users. + +VyOS is primarily based on `Debian GNU/Linux <http://www.debian.org/>`_ and the +`Quagga <http://www.nongnu.org/quagga/>`_ routing engine. Its configuration +syntax and :ref:`cli` are loosely derived from Juniper JUNOS as modelled by the +`XORP project <http://www.xorp.org/>`_ (which was the original routing engine +Vyatta was based upon). -VyOS is primarily based on `Debian GNU/Linux <http://www.debian.org/>`_ and the `Quagga <http://www.nongnu.org/quagga/>`_ routing engine. Its configuration syntax and :ref:`cli` are loosely derived from Juniper JUNOS as modelled by the `XORP project <http://www.xorp.org/>`_ (which was the original routing engine Vyatta was based upon). Vyatta changed to the Quagga routing engine for release 4.0. 
-Vyos changed the routing enging to `FRRoution <https://frrouting.org/>`_ in version 1.2.0 +VyOS changed the routing enging to `FRRoution <https://frrouting.org/>`_ in +version 1.2.0 **How it's different from other router distros?** - Unified command line interface in the style of hardware routers. - Scriptable CLI -- Stateful configuration system: prepare changes and commit at once or discard, view previous revisions or rollback to them, archive revisions to remote server, execute hooks at commit time... -- Image-based upgrade: keep multiple versions on the same system and revert to previous image if something went wrong. -- Not just firewall and VPN: includes routing protocols such as BGP and OSPF and complex routing policy language. -- Runs on physical and virtual platforms alike: small x86 boards, big servers, KVM, Xen, VMWare, Hyper-V... -- Completely free and open source, with documented internal APIs and build procedures. -- Community driven: patches are welcome, all code, bugs, and nightly builds are public. +- Stateful configuration system: prepare changes and commit at once or discard, + view previous revisions or rollback to them, archive revisions to remote + server, execute hooks at commit time... +- Image-based upgrade: keep multiple versions on the same system and revert to + previous image if something went wrong. +- Not just firewall and VPN: includes routing protocols such as BGP and OSPF and + complex routing policy language. +- Runs on physical and virtual platforms alike: small x86 boards, big servers, + KVM, Xen, VMWare, Hyper-V... +- Completely free and open source, with documented internal APIs and build + procedures. +- Community driven: patches are welcome, all code, bugs, and nightly builds are + public. diff --git a/docs/interfaces/tunnel.rst b/docs/interfaces/tunnel.rst index 14f02b1c..f466a714 100644 --- a/docs/interfaces/tunnel.rst +++ b/docs/interfaces/tunnel.rst 
@@ -98,8 +98,8 @@ The Cisco router defaults to 'gre ip' otherwise it would have to be configured a set interfaces tunnel tun100 address '10.0.0.1/30' set interfaces tunnel tun100 encapsulation 'gre' - set interfaces tunnel tun100 local-ip '198.18.0.2' - set interfaces tunnel tun100 remote-ip '198.18.2.2' + set interfaces tunnel tun100 local-ip '198.51.100.2' + set interfaces tunnel tun100 remote-ip '203.0.113.10' **Cisco IOS Router:** @@ -107,8 +107,8 @@ The Cisco router defaults to 'gre ip' otherwise it would have to be configured a interface Tunnel100 ip address 10.0.0.2 255.255.255.252 - tunnel source 198.18.2.2 - tunnel destination 198.18.0.2 + tunnel source 203.0.113.10 + tunnel destination 198.51.100.2 Troubleshooting ^^^^^^^^^^^^^^^ @@ -122,14 +122,14 @@ configurations that are discarding IP protocol 47 or blocking your source/desint .. code-block:: sh - vyos@vyos:~$ ping 198.18.2.2 interface 198.18.0.2 count 4 - PING 198.18.2.2 (198.18.2.2) from 198.18.0.2 : 56(84) bytes of data. - 64 bytes from 198.18.2.2: icmp_seq=1 ttl=254 time=0.807 ms - 64 bytes from 198.18.2.2: icmp_seq=2 ttl=254 time=1.50 ms - 64 bytes from 198.18.2.2: icmp_seq=3 ttl=254 time=0.624 ms - 64 bytes from 198.18.2.2: icmp_seq=4 ttl=254 time=1.41 ms + vyos@vyos:~$ ping 203.0.113.10 interface 198.51.100.2 count 4 + PING 203.0.113.10 (203.0.113.10) from 198.51.100.2 : 56(84) bytes of data. + 64 bytes from 203.0.113.10: icmp_seq=1 ttl=254 time=0.807 ms + 64 bytes from 203.0.113.10: icmp_seq=2 ttl=254 time=1.50 ms + 64 bytes from 203.0.113.10: icmp_seq=3 ttl=254 time=0.624 ms + 64 bytes from 203.0.113.10: icmp_seq=4 ttl=254 time=1.41 ms - --- 198.18.2.2 ping statistics --- + --- 203.0.113.10 ping statistics --- 4 packets transmitted, 4 received, 0% packet loss, time 3007ms rtt min/avg/max/mdev = 0.624/1.087/1.509/0.381 ms 
@@ -139,7 +139,7 @@ configurations that are discarding IP protocol 47 or blocking your source/desint vyos@vyos:~$ show interfaces tunnel tun100 tun100@NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1476 qdisc noqueue state UNKNOWN group default qlen 1000 - link/gre 198.18.0.2 peer 198.18.2.2 + link/gre 198.51.100.2 peer 203.0.113.10 inet 10.0.0.1/30 brd 10.0.0.3 scope global tun100 valid_lft forever preferred_lft forever inet6 fe80::5efe:c612:2/64 scope link diff --git a/docs/nat.rst b/docs/nat.rst index 66fb783e..5c3dadc4 100644 --- a/docs/nat.rst +++ b/docs/nat.rst @@ -249,16 +249,16 @@ one external interface: set interfaces ethernet eth0 address '192.168.1.1/24' set interfaces ethernet eth0 description 'Inside interface' - set interfaces ethernet eth1 address '1.2.3.4/24' + set interfaces ethernet eth1 address '192.0.2.30/24' set interfaces ethernet eth1 description 'Outside interface' set nat destination rule 2000 description '1-to-1 NAT example' - set nat destination rule 2000 destination address '1.2.3.4' + set nat destination rule 2000 destination address '192.0.2.30' set nat destination rule 2000 inbound-interface 'eth1' set nat destination rule 2000 translation address '192.168.1.10' set nat source rule 2000 description '1-to-1 NAT example' set nat source rule 2000 outbound-interface 'eth1' set nat source rule 2000 source address '192.168.1.10' - set nat source rule 2000 translation address '1.2.3.4' + set nat source rule 2000 translation address '192.0.2.30' Firewall rules are written as normal, using the internal IP address as the source of outbound rules and the destination of inbound rules. diff --git a/docs/routing/bgp.rst b/docs/routing/bgp.rst index ecd706ba..d2c60853 100644 --- a/docs/routing/bgp.rst +++ b/docs/routing/bgp.rst 
@@ -37,13 +37,13 @@ creating a static route:** .. code-block:: sh - set protocols static route 1.0.0.0/16 blackhole distance '254' + set protocols static route 172.16.0.0/16 blackhole distance '254' **Node 2:** .. code-block:: sh - set protocols static route 2.0.0.0/16 blackhole distance '254' + set protocols static route 172.17.0.0/16 blackhole distance '254' IPv6 @@ -81,7 +81,7 @@ creating a static route:** .. code-block:: sh - set protocols static route6 2a001:100:1::/48 blackhole distance '254' + set protocols static route6 2001:db8:1::/48 blackhole distance '254' **Node 2:** diff --git a/docs/services/index.rst b/docs/services/index.rst index 57471cf8..03fdc9c4 100644 --- a/docs/services/index.rst +++ b/docs/services/index.rst @@ -18,8 +18,9 @@ This chapter descriptes the available system/network services provided by VyOS. dynamic-dns lldp mdns-repeater - pppoe-server ipoe-server + pppoe-server + sstp-server udp-broadcast-relay snmp ssh diff --git a/docs/services/ipoe-server.rst b/docs/services/ipoe-server.rst index 633de880..925ef373 100644 --- a/docs/services/ipoe-server.rst +++ b/docs/services/ipoe-server.rst @@ -14,7 +14,7 @@ Configuration IPoE can be configure on different interfaces, it will depend on each specific situation which interface will provide IPoE to clients. The clients mac address and the incoming interface is being used as control parameter, to authenticate a client. -The example comnfiguration below will assign an IP to the client on the incoming interface eth2 with the client mac address 08:00:27:2f:d8:06. +The example configuration below will assign an IP to the client on the incoming interface eth2 with the client mac address 08:00:27:2f:d8:06. Other DHCP discovery requests will be ignored, unless the client mac has been enabled in the configuration. .. code-block:: sh 
@@ -26,7 +26,7 @@ Other DHCP discovery requests will be ignored, unless the client mac has been en set service ipoe-server interface eth2 client-subnet '192.168.0.0/24' -The first address of the paramter ``client-subnet``, will be used as the default gateway. +The first address of the parameter ``client-subnet``, will be used as the default gateway. Connected sessions can be checked via the ``show ipoe-server sessions`` command. .. code-block:: sh @@ -72,7 +72,7 @@ globally communicate without the need of any NAT rules. Automatic VLAN creation ======================= -To create VLANs per user during runtime, the follwing settings are required on a per interface basis. VLAN ID and VLAN range can be present in the configuration at the same time. +To create VLANs per user during runtime, the following settings are required on a per interface basis. VLAN ID and VLAN range can be present in the configuration at the same time. .. code-block:: sh diff --git a/docs/services/references.rst b/docs/services/references.rst index 3a2f4b74..257ffe11 100644 --- a/docs/services/references.rst +++ b/docs/services/references.rst @@ -11,3 +11,5 @@ .. _Squidguard: http://www.squidguard.org/ .. _TFTP: https://en.wikipedia.org/wiki/Trivial_File_Transfer_Protocol .. _`arbitrary extension commands`: http://net-snmp.sourceforge.net/docs/man/snmpd.conf.html#lbAZ +.. _`accel-ppp`: https://accel-ppp.org/ +.. _`Secure Socket Tunneling Protocol`: https://en.wikipedia.org/wiki/Secure_Socket_Tunneling_Protocol diff --git a/docs/services/sstp-server.rst b/docs/services/sstp-server.rst new file mode 100644 index 00000000..8ee8ef45 --- /dev/null +++ b/docs/services/sstp-server.rst 
@@ -0,0 +1,76 @@ + +SSTP server +------------ + +VyOS utilizes accel-ppp_ to provide SSTP server functionality. It can be +used with local authentication or a connected RADIUS server. + +.. note:: **Please be aware, due to an upstream bug, config changes/commits + will restart the ppp daemon and will reset existing PPPoE connections from + connected users, in order to become effective.** + +Configuration +^^^^^^^^^^^^^ + +The `Secure Socket Tunneling Protocol`_ (SSTP), provides ppp via a SSL/TLS channel. +Using publically signed certificates as well a by private PKI, is fully supported. +All certficates should be stored on VyOS under ``/config/user-data/sstp``. + + +Self Signed CA and server certificates +====================================== + +To generate the CA, the server private key and certificates the following commands can be used. + +.. code-block:: sh + + vyos@vyos:~$ conf + [edit] + vyos@vyos# mkdir -p /config/user-data/sstp && cd /config/user-data/sstp + [edit] + openssl req -newkey rsa:4096 -new -nodes -x509 -days 3650 -keyout server.key -out server.crt + + Generating a 4096 bit RSA private key + .........................++ + ...............................................................++ + writing new private key to 'server.key' + [...] + Country Name (2 letter code) [AU]: + State or Province Name (full name) [Some-State]: + Locality Name (eg, city) []: + Organization Name (eg, company) [Internet Widgits Pty Ltd]: + Organizational Unit Name (eg, section) []: + Common Name (e.g. server FQDN or YOUR name) []: + Email Address []: + + vyos@vyos# openssl req -new -x509 -key server.key -out ca.crt + [...] + Country Name (2 letter code) [AU]: + State or Province Name (full name) [Some-State]: + Locality Name (eg, city) []: + Organization Name (eg, company) [Internet Widgits Pty Ltd]: + Organizational Unit Name (eg, section) []: + Common Name (e.g. 
server FQDN or YOUR name) []: + Email Address []: + [edit] + vyos@vyos# + + +The example below will answer configuration request for the user user ``foo``. + +Use <tab> to setup the ``set sstp-settings ssl-certs ...``, it automatically looks for all files and directories in ``/config/user-data/sstp``. + +.. code-block:: sh + + set authentication local-users username foo password 'bar' + set authentication mode 'local' + set network-settings client-ip-settings gateway-address '10.100.100.1' + set network-settings client-ip-settings subnet '192.168.0.0/24' + set network-settings dns-server primary-dns '10.100.100.1' + set network-settings dns-server secondary-dns '10.200.100.1' + set sstp-settings ssl-certs ca 'ca.crt' + set sstp-settings ssl-certs server-cert 'server.crt' + set sstp-settings ssl-certs server-key 'server.key' + + +.. include:: references.rst diff --git a/docs/services/webproxy.rst b/docs/services/webproxy.rst index 75f9993a..36571f75 100644 --- a/docs/services/webproxy.rst +++ b/docs/services/webproxy.rst @@ -135,9 +135,9 @@ So sometimes it is useful to bypass a transparent proxy: * To bypass the proxy for every request that is directed to a specific destination: - :code:`set service webproxy whitelist destination-address 1.2.3.4` + :code:`set service webproxy whitelist destination-address 198.51.100.33` - :code:`set service webproxy whitelist destination-address 4.5.6.0/24` + :code:`set service webproxy whitelist destination-address 192.0.2.0/24` * To bypass the proxy for every request that is coming from a specific source: diff --git a/docs/vpn/dmvpn.rst b/docs/vpn/dmvpn.rst index e5135727..5b206c57 100644 --- a/docs/vpn/dmvpn.rst +++ b/docs/vpn/dmvpn.rst 
@@ -121,13 +121,13 @@ HUB Example Configuration: .. code-block:: sh - set interfaces ethernet eth0 address '1.1.1.1/30' + set interfaces ethernet eth0 address '198.51.100.41/30' set interfaces ethernet eth1 address '192.168.1.1/24' set system host-name 'HUB' set interfaces tunnel tun0 address 10.0.0.1/24 set interfaces tunnel tun0 encapsulation gre - set interfaces tunnel tun0 local-ip 1.1.1.1 + set interfaces tunnel tun0 local-ip 198.51.100.41 set interfaces tunnel tun0 multicast enable set interfaces tunnel tun0 parameters ip key 1 @@ -256,7 +256,7 @@ SPOKE1 Example Configuration set interfaces tunnel tun0 parameters ip key 1 set protocols nhrp tunnel tun0 cisco-authentication 'SECRET' - set protocols nhrp tunnel tun0 map 10.0.0.1/24 nbma-address 1.1.1.1 + set protocols nhrp tunnel tun0 map 10.0.0.1/24 nbma-address 198.51.100.41 set protocols nhrp tunnel tun0 map 10.0.0.1/24 'register' set protocols nhrp tunnel tun0 multicast 'nhs' set protocols nhrp tunnel tun0 'redirect' @@ -379,7 +379,7 @@ SPOKE2 Example Configuration set interfaces tunnel tun0 parameters ip key 1 set protocols nhrp tunnel tun0 cisco-authentication SECRET - set protocols nhrp tunnel tun0 map 10.0.0.1/24 nbma-address 1.1.1.1 + set protocols nhrp tunnel tun0 map 10.0.0.1/24 nbma-address 198.51.100.41 set protocols nhrp tunnel tun0 map 10.0.0.1/24 register set protocols nhrp tunnel tun0 multicast nhs set protocols nhrp tunnel tun0 redirect diff --git a/docs/vpn/index.rst b/docs/vpn/index.rst index ffdf39a0..9bab2b0c 100644 --- a/docs/vpn/index.rst +++ b/docs/vpn/index.rst @@ -11,7 +11,7 @@ This chapter descriptes the available VPN services provided by VyOS. :hidden: openvpn - l2tp_ipsec + l2tp site2site_ipsec gre-ipsec dmvpn diff --git a/docs/vpn/l2tp.rst b/docs/vpn/l2tp.rst new file mode 100644 index 00000000..0dd5fe3e --- /dev/null +++ b/docs/vpn/l2tp.rst 
@@ -0,0 +1,237 @@ +.. _l2tp: + +L2TP +----------- + +VyOS utilizes accel-ppp_ to provide SSTP server functionality. It can be used +with local authentication or a connected RADIUS server. + +L2TP over IPsec +=============== + +Example for configuring a simple L2TP over IPsec VPN for remote access (works +with native Windows and Mac VPN clients): + +.. code-block:: sh + + set vpn ipsec ipsec-interfaces interface eth0 + set vpn ipsec nat-traversal enable + set vpn ipsec nat-networks allowed-network 0.0.0.0/0 + + set vpn l2tp remote-access outside-address 192.0.2.2 + set vpn l2tp remote-access outside-nexthop 192.168.255.1 + set vpn l2tp remote-access client-ip-pool start 192.168.255.2 + set vpn l2tp remote-access client-ip-pool stop 192.168.255.254 + set vpn l2tp remote-access ipsec-settings authentication mode pre-shared-secret + set vpn l2tp remote-access ipsec-settings authentication pre-shared-secret <secret> + set vpn l2tp remote-access authentication mode local + set vpn l2tp remote-access authentication local-users username test password 'test' + +In the example above an external IP of 192.0.2.2 is assumed. Nexthop IP address +192.168.255.1 uses as client tunnel termination point. + +If a local firewall policy is in place on your external interface you will need +to allow the ports below: + +* UDP port 500 (IKE) +* IP protocol number 50 (ESP) +* UDP port 1701 for IPsec + +As well as the below to allow NAT-traversal: + +* UDP port 4500 (NAT-T) + +Example: + +.. 
code-block:: sh + + set firewall name OUTSIDE-LOCAL rule 40 action 'accept' + set firewall name OUTSIDE-LOCAL rule 40 protocol 'esp' + set firewall name OUTSIDE-LOCAL rule 41 action 'accept' + set firewall name OUTSIDE-LOCAL rule 41 destination port '500' + set firewall name OUTSIDE-LOCAL rule 41 protocol 'udp' + set firewall name OUTSIDE-LOCAL rule 42 action 'accept' + set firewall name OUTSIDE-LOCAL rule 42 destination port '4500' + set firewall name OUTSIDE-LOCAL rule 42 protocol 'udp' + set firewall name OUTSIDE-LOCAL rule 43 action 'accept' + set firewall name OUTSIDE-LOCAL rule 43 destination port '1701' + set firewall name OUTSIDE-LOCAL rule 43 ipsec 'match-ipsec' + set firewall name OUTSIDE-LOCAL rule 43 protocol 'udp' + +To allow VPN-clients access via your external address, a NAT rule is required: + + +.. code-block:: sh + + set nat source rule 110 outbound-interface 'eth0' + set nat source rule 110 source address '192.168.255.0/24' + set nat source rule 110 translation address masquerade + + +VPN-clients will request configuration parameters, optionally you can DNS +parameter to the client. + +.. code-block:: sh + + set vpn l2tp remote-access dns-servers server-1 '8.8.8.8' + set vpn l2tp remote-access dns-servers server-2 '8.8.4.4' + +.. note:: Those are the `Google public DNS`_ servers. You can also use the + public available servers from Quad9_ (9.9.9.9) or Cloudflare_ (1.1.1.1). + +Established sessions can be viewed using the **show vpn remote-access** +operational command, or **show l2tp-server sessions** + +.. code-block:: sh + + vyos@vyos:~$ show vpn remote-access + ifname | username | calling-sid | ip | rate-limit | type | comp | state | uptime + --------+----------+--------------+---------------+------------+------+------+--------+---------- + ppp0 | vyos | 192.168.0.36 | 192.168.255.1 | | l2tp | | active | 00:06:13 + + +LNS (L2TP Network Server) +========================= + +LNS are often used to connect to a LAC (L2TP Access Concentrator). 
+ +Below is an example to configure a LNS: + +.. code-block:: sh + + set vpn l2tp remote-access outside-address 192.0.2.2 + set vpn l2tp remote-access outside-nexthop 192.168.255.1 + set vpn l2tp remote-access client-ip-pool start 192.168.255.2 + set vpn l2tp remote-access client-ip-pool stop 192.168.255.254 + set vpn l2tp remote-access lns shared-secret 'secret' + set vpn l2tp remote-access ccp-disable + set vpn l2tp remote-access authentication mode local + set vpn l2tp remote-access authentication local-users username test password 'test' + +The example above uses 192.0.2.2 as external IP address, the nexthop is supposed +to be 192.168.255.1 and is used as client termination point. A LAC normally +requires an authentication password, which is set in the example configuration +to ``lns shared-secret 'secret'``. This setup requires the Compression Control +Protocol (CCP) being disabled, the command ``set vpn l2tp remote-access ccp-disable`` +accomplishes that. + + +Bandwidth Shaping +================= + +Bandwidth rate limits can be set for local users or via RADIUS based attributes. + +Bandwidth Shaping for local users +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +The rate-limit is set in kbit/sec. + +.. 
code-block:: sh + + set vpn l2tp remote-access outside-address 192.0.2.2 + set vpn l2tp remote-access outside-nexthop 192.168.255.1 + set vpn l2tp remote-access client-ip-pool start 192.168.255.2 + set vpn l2tp remote-access client-ip-pool stop 192.168.255.254 + set vpn l2tp remote-access authentication mode local + set vpn l2tp remote-access authentication local-users username test password test + set vpn l2tp remote-access authentication local-users username test rate-limit download 20480 + set vpn l2tp remote-access authentication local-users username test rate-limit upload 10240 + + vyos@vyos:~$ show vpn remote-access + ifname | username | calling-sid | ip | rate-limit | type | comp | state | uptime + -------+----------+--------------+---------------+-------------+------+------+--------+----------- + ppp0 | test | 192.168.0.36 | 192.168.255.2 | 20480/10240 | l2tp | | active | 00:06:30 + +RADIUS authentication +====================== + +To enable RADIUS based authentication, the authentication mode needs to be +changed withing the configuration. Previous settings like the local users, still +exists within the configuration, however they are not used if the mode has been +changed from local to radius. Once changed back to local, it will use all local +accounts again. + +.. code-block:: sh + + set vpn l2tp remote-access authentication mode <local|radius> + +Since the RADIUS server would be a single point of failure, multiple RADIUS +servers can be setup and will be used subsequentially. + +.. code-block:: sh + + set vpn l2tp remote-access authentication radius server 10.0.0.1 key 'foo' + set vpn l2tp remote-access authentication radius server 10.0.0.2 key 'foo' + +.. note:: Some RADIUS_ severs use an access control list which allows or denies + queries, make sure to add your VyOS router to the allowed client list. + +RADIUS source address +^^^^^^^^^^^^^^^^^^^^^ + +If you are using OSPF as IGP always the closets interface connected to the RADIUS +server is used. 
With VyOS 1.2 you can bind all outgoing RADIUS requests to a +single source IP e.g. the loopback interface. + +.. code-block:: sh + + set vpn l2tp remote-access authentication radius source-address 10.0.0.3 + +Above command will use `10.0.0.3` as source IPv4 address for all RADIUS queries +on this NAS. + +.. note:: The ``source-address`` must be configured on one of VyOS interface. + Best proctice would be a loopback or dummy interface. + +RADIUS bandwidth shaping attribute +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +To enable bandwidth shaping via RADIUS, the option rate-limit needs to be enabled. + +.. code-block:: sh + + set vpn l2tp remote-access authentication radius rate-limit enable + +The default RADIUS attribute for rate limiting is ``Filter-Id``, but you may also +redefine it. + +.. code-block:: sh + + set vpn l2tp remote-access authentication radius rate-limit attribute Download-Speed + +.. note:: If you set a custom RADIUS attribute you must define it on both + dictionaries at RADIUS server and client, which is the vyos router in our + example. + +The RADIUS dictionaries in VyOS are located at ``/usr/share/accel-ppp/radius/`` + +RADIUS advanced features +^^^^^^^^^^^^^^^^^^^^^^^^ + +Received RADIUS attributes have a higher priority than parameters defined within +the CLI configuration, refer to the explanation below. + +Allocation clients ip addresses by RADIUS +***************************************** + +If the RADIUS server sends the attribute ``Framed-IP-Address`` then this IP +address will be allocated to the client and the option ip-pool within the CLI +config is being ignored. + +Renaming clients interfaces by RADIUS +************************************* + +If the RADIUS server uses the attribute ``NAS-Port-Id``, ppp tunnels will be +renamed. + +.. note:: The value of the attribute ``NAS-Port-Id`` must be less than 16 + characters, otherwise the interface won't be renamed. + + +.. 
_`Google Public DNS`: https://developers.google.com/speed/public-dns +.. _Quad9: https://quad9.net +.. _CloudFlare: https://blog.cloudflare.com/announcing-1111 +.. _RADIUS: https://en.wikipedia.org/wiki/RADIUS +.. _FreeRADIUS: https://freeradius.org +.. _`Network Policy Server`: https://en.wikipedia.org/wiki/Network_Policy_Server +.. _accel-ppp: https://accel-ppp.org/ diff --git a/docs/vpn/l2tp_ipsec.rst b/docs/vpn/l2tp_ipsec.rst deleted file mode 100644 index 6f80fe35..00000000 --- a/docs/vpn/l2tp_ipsec.rst +++ /dev/null 
@@ -1,132 +0,0 @@ -.. _l2tp_ipsec: - -L2TP over IPsec ---------------- - -Example for configuring a simple L2TP over IPsec VPN for remote access (works -with native Windows and Mac VPN clients): - -.. code-block:: sh - - set vpn ipsec ipsec-interfaces interface eth0 - set vpn ipsec nat-traversal enable - set vpn ipsec nat-networks allowed-network 0.0.0.0/0 - - set vpn l2tp remote-access outside-address 203.0.113.2 - set vpn l2tp remote-access client-ip-pool start 192.168.255.1 - set vpn l2tp remote-access client-ip-pool stop 192.168.255.254 - set vpn l2tp remote-access ipsec-settings authentication mode pre-shared-secret - set vpn l2tp remote-access ipsec-settings authentication pre-shared-secret <secret> - set vpn l2tp remote-access authentication mode local - set vpn l2tp remote-access authentication local-users username <username> password <password> - -In the example above an external IP of 203.0.113.2 is assumed. - -If a local firewall policy is in place on your external interface you will need -to open: - -* UDP port 500 (IKE) -* IP protocol number 50 (ESP) -* UDP port 1701 for IPsec - -In addition when NAT is detected by the VPN client ESP is encapsulated in UDP -for NAT-traversal: - -* UDP port 4500 (NAT-T) - -Example: - -.. 
code-block:: sh - - set firewall name OUTSIDE-LOCAL rule 40 action 'accept' - set firewall name OUTSIDE-LOCAL rule 40 destination port '50' - set firewall name OUTSIDE-LOCAL rule 40 protocol 'esp' - set firewall name OUTSIDE-LOCAL rule 41 action 'accept' - set firewall name OUTSIDE-LOCAL rule 41 destination port '500' - set firewall name OUTSIDE-LOCAL rule 41 protocol 'udp' - set firewall name OUTSIDE-LOCAL rule 42 action 'accept' - set firewall name OUTSIDE-LOCAL rule 42 destination port '4500' - set firewall name OUTSIDE-LOCAL rule 42 protocol 'udp' - set firewall name OUTSIDE-LOCAL rule 43 action 'accept' - set firewall name OUTSIDE-LOCAL rule 43 destination port '1701' - set firewall name OUTSIDE-LOCAL rule 43 ipsec 'match-ipsec' - set firewall name OUTSIDE-LOCAL rule 43 protocol 'udp' - -Also note that if you wish to allow the VPN to be used for external access you -will need to add the appropriate source NAT rules to your configuration. - -.. code-block:: sh - - set nat source rule 110 outbound-interface 'eth0' - set nat source rule 110 source address '192.168.255.0/24' - set nat source rule 110 translation address masquerade - -To be able to resolve when connected to the VPN, the following DNS rules are -needed as well. - -.. code-block:: sh - - set vpn l2tp remote-access dns-servers server-1 '8.8.8.8' - set vpn l2tp remote-access dns-servers server-2 '8.8.4.4' - -.. note:: Those are the `Google public DNS`_ servers. You can also use the - public available servers from Quad9_ (9.9.9.9) or Cloudflare_ (1.1.1.1). - -Established sessions can be viewed using the **show vpn remote-access** -operational command. - -.. 
code-block:: sh - - vyos@vyos:~$ show vpn remote-access - Active remote access VPN sessions: - User Proto Iface Tunnel IP TX byte RX byte Time - ---- ----- ----- --------- ------- ------- ---- - vyos L2TP l2tp0 192.168.255.1 3.2K 8.0K 00h06m13s - -RADIUS authentication -^^^^^^^^^^^^^^^^^^^^^ - -The above configuration made use of local accounts on the VyOS router for -authenticating L2TP/IPSec clients. In bigger environments usually something -like RADIUS_ (FreeRADIUS_ or Microsoft `Network Policy Server`_, NPS) is used. - -VyOS supports either `local` or `radius` user authentication: - -.. code-block:: sh - - set vpn l2tp remote-access authentication mode <local|radius> - -In addition one or more RADIUS_ servers can be configured to server for user -authentication. This is done using the `radius server` and `radius server key` -nodes: - -.. code-block:: sh - - set vpn l2tp remote-access authentication radius server 1.1.1.1 key 'foo' - set vpn l2tp remote-access authentication radius server 2.2.2.2 key 'foo' - -.. note:: Some RADIUS_ severs make use of an access control list who is allowed - to query the server. Please configure your VyOS router in the allowed client - list. - -RADIUS source address -********************* - -If you are using e.g. OSPF as IGP always the nearest interface facing the RADIUS -server is used. With VyOS 1.2 you can bind all outgoing RADIUS requests to a -single source IP e.g. the loopback interface. - -.. code-block:: sh - - set vpn l2tp remote-access authentication radius source-address 3.3.3.3 - -Above command will use `3.3.3.3` as source IPv4 address for all RADIUS queries -on this NAS. - - -.. _`Google Public DNS`: https://developers.google.com/speed/public-dns -.. _Quad9: https://quad9.net -.. _CloudFlare: https://blog.cloudflare.com/announcing-1111 -.. _RADIUS: https://en.wikipedia.org/wiki/RADIUS -.. _FreeRADIUS: https://freeradius.org -.. _`Network Policy Server`: https://en.wikipedia.org/wiki/Network_Policy_Server
\ No newline at end of file diff --git a/docs/vpn/openvpn.rst b/docs/vpn/openvpn.rst index 2ae353e8..5a269b43 100644 --- a/docs/vpn/openvpn.rst +++ b/docs/vpn/openvpn.rst @@ -246,7 +246,7 @@ The required config file may look like: # LDAP server URL URL ldap://ldap.example.com # Bind DN (If your LDAP server doesn't support anonymous binds) - BindDN cn=Manager,dc=example,dc=com + BindDN cn=LDAPUser,dc=example,dc=com # Bind Password password Password S3cr3t # Network timeout (in seconds) 
@@ -258,10 +258,66 @@ The required config file may look like: BaseDN "ou=people,dc=example,dc=com" # User Search Filter SearchFilter "(&(uid=%u)(objectClass=shadowAccount))" - # Require Group Membership + # Require Group Membership - allow all users RequireGroup false </Authorization> +Active Directory +**************** + +Despite the fact that AD is a superset of LDAP + +.. code-block:: sh + + <LDAP> + # LDAP server URL + URL ldap://dc01.example.com + # Bind DN (If your LDAP server doesn’t support anonymous binds) + BindDN CN=LDAPUser,DC=example,DC=com + # Bind Password + Password mysecretpassword + # Network timeout (in seconds) + Timeout 15 + # Enable Start TLS + TLSEnable no + # Follow LDAP Referrals (anonymously) + FollowReferrals no + </LDAP> + + <Authorization> + # Base DN + BaseDN "DC=example,DC=com" + # User Search Filter, user must be a member of the VPN AD group + SearchFilter "(&(sAMAccountName=%u)(memberOf=CN=VPN,OU=Groups,DC=example,DC=com))" + # Require Group Membership + RequireGroup false # already handled by SearchFilter + <Group> + BaseDN "OU=Groups,DC=example,DC=com" + SearchFilter "(|(cn=VPN))" + MemberAttribute memberOf + </Group> + </Authorization> + +If you only wan't to check if the user account is enabled and can authenticate +(against the primary group) the following snipped is sufficient: + +.. code-block:: sh + + <LDAP> + URL ldap://ds0001.gefoekom.de + BindDN CN=SA_OPENVPN,OU=ServiceAccounts,OU=GS,OU=GeFoekoM,DC=gefoekom,DC=de + Password g7LjfjmlPhhHnvmal75hbfdknms-44 + Timeout 15 + TLSEnable no + FollowReferrals no + </LDAP> + + <Authorization> + BaseDN "OU=GeFoekoM,DC=gefoekom,DC=de" + SearchFilter "sAMAccountName=%u" + RequireGroup false + </Authorization> + A complete LDAP auth OpenVPN configuration could look like the following example: .. code-block:: sh diff --git a/docs/vpn/pptp.rst b/docs/vpn/pptp.rst index 2d560919..ad8a37c4 100644 --- a/docs/vpn/pptp.rst +++ b/docs/vpn/pptp.rst 
@@ -4,7 +4,7 @@ PPTP-Server ----------- The Point-to-Point Tunneling Protocol (PPTP_) has been implemented in VyOS only for backwards compatibility. -PPTP has many well known secrurity issues and you should use one of the many other new VPN implementations. +PPTP has many well known security issues and you should use one of the many other new VPN implementations. As per default and if not otherwise defined, mschap-v2 is being used for authentication and mppe 128-bit (stateless) for encryption. If no gateway-address is set within the configuration, the lowest IP out of the /24 client-ip-pool is being used. For instance, in the example below it would be 192.168.0.1. diff --git a/docs/vpn/site2site_ipsec.rst b/docs/vpn/site2site_ipsec.rst index 9279c112..ff398dab 100644 --- a/docs/vpn/site2site_ipsec.rst +++ b/docs/vpn/site2site_ipsec.rst @@ -11,9 +11,9 @@ Example: * WAN interface on `eth1` * left subnet: `192.168.0.0/24` site1, server side (i.e. locality, actually there is no client or server roles) -* left local_ip: `1.1.1.1` # server side WAN IP +* left local_ip: `198.51.100.3` # server side WAN IP * right subnet: `10.0.0.0/24` site2,remote office side -* right local_ip: `2.2.2.2` # remote office side WAN IP +* right local_ip: `203.0.113.2` # remote office side WAN IP .. code-block:: sh 
@@ -30,15 +30,15 @@ Example: set vpn ipsec ike-group office-srv-ike proposal 1 encryption 'aes256' set vpn ipsec ike-group office-srv-ike proposal 1 hash 'sha1' set vpn ipsec ipsec-interfaces interface 'eth1' - set vpn ipsec site-to-site peer 2.2.2.2 authentication mode 'pre-shared-secret' - set vpn ipsec site-to-site peer 2.2.2.2 authentication pre-shared-secret 'SomePreSharedKey' - set vpn ipsec site-to-site peer 2.2.2.2 ike-group 'office-srv-ike' - set vpn ipsec site-to-site peer 2.2.2.2 local-address '1.1.1.1' - set vpn ipsec site-to-site peer 2.2.2.2 tunnel 0 allow-nat-networks 'disable' - set vpn ipsec site-to-site peer 2.2.2.2 tunnel 0 allow-public-networks 'disable' - set vpn ipsec site-to-site peer 2.2.2.2 tunnel 0 esp-group 'office-srv-esp' - set vpn ipsec site-to-site peer 2.2.2.2 tunnel 0 local prefix '192.168.0.0/24' - set vpn ipsec site-to-site peer 2.2.2.2 tunnel 0 remote prefix '10.0.0.0/21' + set vpn ipsec site-to-site peer 203.0.113.2 authentication mode 'pre-shared-secret' + set vpn ipsec site-to-site peer 203.0.113.2 authentication pre-shared-secret 'SomePreSharedKey' + set vpn ipsec site-to-site peer 203.0.113.2 ike-group 'office-srv-ike' + set vpn ipsec site-to-site peer 203.0.113.2 local-address '198.51.100.3' + set vpn ipsec site-to-site peer 203.0.113.2 tunnel 0 allow-nat-networks 'disable' + set vpn ipsec site-to-site peer 203.0.113.2 tunnel 0 allow-public-networks 'disable' + set vpn ipsec site-to-site peer 203.0.113.2 tunnel 0 esp-group 'office-srv-esp' + set vpn ipsec site-to-site peer 203.0.113.2 tunnel 0 local prefix '192.168.0.0/24' + set vpn ipsec site-to-site peer 203.0.113.2 tunnel 0 remote prefix '10.0.0.0/21' # remote office config set vpn ipsec esp-group office-srv-esp compression 'disable' 
@@ -53,15 +53,15 @@ Example: set vpn ipsec ike-group office-srv-ike proposal 1 encryption 'aes256' set vpn ipsec ike-group office-srv-ike proposal 1 hash 'sha1' set vpn ipsec ipsec-interfaces interface 'eth1' - set vpn ipsec site-to-site peer 1.1.1.1 authentication mode 'pre-shared-secret' - set vpn ipsec site-to-site peer 1.1.1.1 authentication pre-shared-secret 'SomePreSharedKey' - set vpn ipsec site-to-site peer 1.1.1.1 ike-group 'office-srv-ike' - set vpn ipsec site-to-site peer 1.1.1.1 local-address '2.2.2.2' - set vpn ipsec site-to-site peer 1.1.1.1 tunnel 0 allow-nat-networks 'disable' - set vpn ipsec site-to-site peer 1.1.1.1 tunnel 0 allow-public-networks 'disable' - set vpn ipsec site-to-site peer 1.1.1.1 tunnel 0 esp-group 'office-srv-esp' - set vpn ipsec site-to-site peer 1.1.1.1 tunnel 0 local prefix '10.0.0.0/21' - set vpn ipsec site-to-site peer 1.1.1.1 tunnel 0 remote prefix '192.168.0.0/24' + set vpn ipsec site-to-site peer 198.51.100.3 authentication mode 'pre-shared-secret' + set vpn ipsec site-to-site peer 198.51.100.3 authentication pre-shared-secret 'SomePreSharedKey' + set vpn ipsec site-to-site peer 198.51.100.3 ike-group 'office-srv-ike' + set vpn ipsec site-to-site peer 198.51.100.3 local-address '203.0.113.2' + set vpn ipsec site-to-site peer 198.51.100.3 tunnel 0 allow-nat-networks 'disable' + set vpn ipsec site-to-site peer 198.51.100.3 tunnel 0 allow-public-networks 'disable' + set vpn ipsec site-to-site peer 198.51.100.3 tunnel 0 esp-group 'office-srv-esp' + set vpn ipsec site-to-site peer 198.51.100.3 tunnel 0 local prefix '10.0.0.0/21' + set vpn ipsec site-to-site peer 198.51.100.3 tunnel 0 remote prefix '192.168.0.0/24' Show status of new setup: 
@@ -70,7 +70,7 @@ Show status of new setup: vyos@srv-gw0:~$ show vpn ike sa Peer ID / IP Local ID / IP ------------ ------------- - 2.2.2.2 1.1.1.1 + 203.0.113.2 198.51.100.3 State Encrypt Hash D-H Grp NAT-T A-Time L-Time ----- ------- ---- ------- ----- ------ ------ up aes256 sha1 5 no 734 3600 @@ -78,7 +78,7 @@ Show status of new setup: vyos@srv-gw0:~$ show vpn ipsec sa Peer ID / IP Local ID / IP ------------ ------------- - 2.2.2.2 1.1.1.1 + 203.0.113.2 198.51.100.3 Tunnel State Bytes Out/In Encrypt Hash NAT-T A-Time L-Time Proto ------ ----- ------------- ------- ---- ----- ------ ------ ----- 0 up 7.5M/230.6K aes256 sha1 no 567 1800 all |
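Review bot: in docs/vpn/l2tp.rst, the added local-user example sets `username test password test` where the removed l2tp_ipsec.rst page used `<username>` and `<password>` placeholders, and both added RADIUS server lines use `key 'foo'`. Placeholders such as `<secret>` would keep a copied example from leaving a guessable login or RADIUS shared secret on a live router. The added prose also needs a spelling pass: "withing", "subsequentially", "severs", "closets", "proctice", and "vyos router" should read "VyOS router".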
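Review bot: docs/vpn/l2tp_ipsec.rst is deleted together with its `.. _l2tp_ipsec:` label, so any `:ref:` to that label elsewhere in the docs will no longer resolve; please grep for it before merging. The removed page also carried the firewall guidance (UDP 500, ESP, UDP 4500, UDP 1701 with `ipsec 'match-ipsec'`) and the source NAT rule. If that block is carried over into l2tp.rst, drop `destination port '50'` from rule 40, since ESP is IP protocol 50 and has no ports.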
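Review bot: in docs/vpn/openvpn.rst, the second Active Directory snippet (the one introduced by "If you only wan't to check ...") uses `URL ldap://ds0001.gefoekom.de`, a `CN=SA_OPENVPN,OU=ServiceAccounts,...` bind DN and a `Password` value that read like a real environment rather than documentation values. Replace them with the `example.com` names used in the first snippet, and if that password was ever live it should be rotated, because it stays in the git history after a later cleanup. Both snippets also pair `ldap://` with `TLSEnable no`, which sends the bind password and each VPN user's password to the domain controller in cleartext; the example should show `TLSEnable yes`. Smaller points: the sentence "Despite the fact that AD is a superset of LDAP" is unfinished, "wan't" and "snipped" are typos, and the `<Group>` block in the first snippet does not restrict logins while `RequireGroup false` is set.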
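Review bot: in docs/vpn/site2site_ipsec.rst, the rewritten peer lines keep `remote prefix '10.0.0.0/21'` on the server side and `local prefix '10.0.0.0/21'` on the remote office side, while the bullet list in the first hunk still gives the right subnet as `10.0.0.0/24`. Since these lines are being touched anyway, make the tunnel prefix and the list agree. The swap to 198.51.100.3 and 203.0.113.2 is otherwise consistent across both configs and the `show vpn ike sa` and `show vpn ipsec sa` output.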