-rw-r--r-- docs/configuration/interfaces/wireguard.rst | 4
-rw-r--r-- docs/configuration/vpn/site2site_ipsec.rst | 27
-rw-r--r-- requirements.txt | 2
3 files changed, 27 insertions, 6 deletions
diff --git a/docs/configuration/interfaces/wireguard.rst b/docs/configuration/interfaces/wireguard.rst index 8b829b64..885720e1 100644 --- a/docs/configuration/interfaces/wireguard.rst +++ b/docs/configuration/interfaces/wireguard.rst @@ -222,7 +222,7 @@ firewall exception. set firewall ipv4 name OUTSIDE_LOCAL rule 20 protocol udp set firewall ipv4 name OUTSIDE_LOCAL rule 20 source -You should also ensure that the OUTISDE_LOCAL firewall group is applied to the +You should also ensure that the OUTSIDE_LOCAL firewall group is applied to the WAN interface and a direction (local). .. code-block:: none @@ -413,7 +413,7 @@ the VyOS CLI. into the VyOS CLI if needed. The supplied ``<name>`` on the CLI will become the peer name in the snippet. - In addition you will specifiy the IP address or FQDN for the client where it + In addition you will specify the IP address or FQDN for the client where it will connect to. The address parameter can be used up to two times and is used to assign the clients specific IPv4 (/32) or IPv6 (/128) address. diff --git a/docs/configuration/vpn/site2site_ipsec.rst b/docs/configuration/vpn/site2site_ipsec.rst index e89d25c6..57b45181 100644 --- a/docs/configuration/vpn/site2site_ipsec.rst +++ b/docs/configuration/vpn/site2site_ipsec.rst 
@@ -280,17 +280,31 @@ Imagine the following topology IPSec IKEv2 site2site VPN (source ./draw.io/vpn_s2s_ikev2.drawio) +**LEFT:** +* WAN interface on `eth0.201` +* `eth0.201` interface IP: `172.18.201.10/24` +* `vti10` interface IP: `10.0.0.2/31` +* `dum0` interface IP: `10.0.11.1/24` (for testing purposes) + +**RIGHT:** +* WAN interface on `eth0.202` +* `eth0.201` interface IP: `172.18.202.10/24` +* `vti10` interface IP: `10.0.0.3/31` +* `dum0` interface IP: `10.0.12.1/24` (for testing purposes) .. note:: Don't get confused about the used /31 tunnel subnet. :rfc:`3021` gives you additional information for using /31 subnets on point-to-point links. -**left** +**LEFT** .. code-block:: none + set interfaces ethernet eth0 vif 201 address '172.18.201.10/24' + set interfaces dummy dum0 address '10.0.11.1/24' set interfaces vti vti10 address '10.0.0.2/31' + set vpn ipsec option disable-route-autoinstall set vpn ipsec authentication psk OFFICE-B id '172.18.201.10' set vpn ipsec authentication psk OFFICE-B id '172.18.202.10' set vpn ipsec authentication psk OFFICE-B secret 'secretkey' 
@@ -311,17 +325,22 @@ Imagine the following topology set vpn ipsec site-to-site peer OFFICE-B authentication remote-id '172.18.202.10' set vpn ipsec site-to-site peer OFFICE-B connection-type 'respond' set vpn ipsec site-to-site peer OFFICE-B ike-group 'IKEv2_DEFAULT' - set vpn ipsec site-to-site peer OFFICE-B local-address '192.168.0.10' + set vpn ipsec site-to-site peer OFFICE-B local-address '172.18.201.10' set vpn ipsec site-to-site peer OFFICE-B remote-address '172.18.202.10' set vpn ipsec site-to-site peer OFFICE-B vti bind 'vti10' set vpn ipsec site-to-site peer OFFICE-B vti esp-group 'ESP_DEFAULT' -**right** + set protocols static interface-route 10.0.12.0/24 next-hop-interface vti10 + +**RIGHT** .. code-block:: none + set interfaces ethernet eth0 vif 202 address '172.18.202.10/24' + set interfaces dummy dum0 address '10.0.12.1/24' set interfaces vti vti10 address '10.0.0.3/31' + set vpn ipsec option disable-route-autoinstall set vpn ipsec authentication psk OFFICE-A id '172.18.201.10' set vpn ipsec authentication psk OFFICE-A id '172.18.202.10' set vpn ipsec authentication psk OFFICE-A secret 'secretkey' @@ -350,6 +369,8 @@ Imagine the following topology set vpn ipsec site-to-site peer OFFICE-A vti bind 'vti10' set vpn ipsec site-to-site peer OFFICE-A vti esp-group 'ESP_DEFAULT' + set protocols static interface-route 10.0.11.0/24 next-hop-interface vti10 + Key Parameters: * ``authentication local-id/remote-id`` - IKE identification is used for diff --git a/requirements.txt b/requirements.txt index 02303cc9..9ca1cac2 100644 --- a/requirements.txt +++ b/requirements.txt @@ -1,4 +1,4 @@ -urllib3==1.26.17 +urllib3==1.26.18 Sphinx==4.5.0 sphinx-rtd-theme==1.0.0 sphinx-autobuild==2021.3.14 |
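Review bot: In the new **RIGHT:** list of the `@@ -280,17 +280,31 @@` hunk of site2site_ipsec.rst the second bullet names the wrong interface: it reads `* `eth0.201` interface IP: `172.18.202.10/24`` while the bullet above it says the WAN interface is `eth0.202` and the RIGHT code block configures `set interfaces ethernet eth0 vif 202 address '172.18.202.10/24'`; it should say `eth0.202`. Same hunk: reStructuredText requires a blank line between a paragraph and a bullet list, and here `**LEFT:**` and `**RIGHT:**` are immediately followed by the `*` lines, so docutils will fold the bullets into the preceding paragraph instead of rendering a list. Add an empty line after each of the two `**LEFT:**`/`**RIGHT:**` lines.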
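Review bot: The `@@ -350,6 +369,8 @@` hunk of site2site_ipsec.rst adds `set protocols static interface-route 10.0.11.0/24 next-hop-interface vti10` directly above the "Key Parameters:" list, but neither this hunk nor the earlier ones that add `set vpn ipsec option disable-route-autoinstall` to both sides say why those two settings appear together. Suggest a Key Parameters bullet along the lines of ``option disable-route-autoinstall`` / ``interface-route``, explaining that automatic route installation is switched off and traffic for the peer's `dum0` subnet is steered into the VTI by the static interface-route; without that, readers who copy only part of the snippet get a tunnel that comes up but carries no traffic.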
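Review bot: The `urllib3==1.26.17` to `urllib3==1.26.18` bump in requirements.txt is unrelated to the documentation fixes in the other two files. Splitting the dependency update into its own commit (or at least stating the reason for the bump in the commit message) keeps the docs change reviewable and lets the pin be reverted independently if the build breaks.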