diff options
23 files changed, 337 insertions, 89 deletions
@@ -100,7 +100,7 @@ $ docker run --rm -it -p 8000:8000 -v "$(pwd)":/vyos -w /vyos/docs -e \ ### Test the docs -Discuss in this Phabricator task: [T1731](https://phabricator.vyos.net/T1731) +Discuss in this Phabricator task: [T1731](https://vyos.dev/T1731) To test all files run: diff --git a/docs/_ext/releasenotes.py b/docs/_ext/releasenotes.py index 4db65c86..71897403 100644 --- a/docs/_ext/releasenotes.py +++ b/docs/_ext/releasenotes.py @@ -9,7 +9,7 @@ parser.add_argument("-b", "--branch", nargs="+", help="List of github branches", args = parser.parse_args() -phab = Phabricator(host='https://phabricator.vyos.net/api/', token=args.token) +phab = Phabricator(host='https://vyos.dev/api/', token=args.token) ''' # code to find new PHIDs diff --git a/docs/_ext/vyos.py b/docs/_ext/vyos.py index 61b7519d..fe0a258b 100644 --- a/docs/_ext/vyos.py +++ b/docs/_ext/vyos.py @@ -19,7 +19,7 @@ def setup(app): app.add_config_value( 'vyos_phabricator_url', - 'https://phabricator.vyos.net/', + 'https://vyos.dev/', 'html' ) diff --git a/docs/_include/common-references.txt b/docs/_include/common-references.txt index a921ec67..2e3f934a 100644 --- a/docs/_include/common-references.txt +++ b/docs/_include/common-references.txt @@ -2,7 +2,7 @@ .. _`accel-ppp`: https://accel-ppp.org/ .. _`Secure Socket Tunneling Protocol`: https://en.wikipedia.org/wiki/Secure_Socket_Tunneling_Protocol -.. _Phabricator: https://phabricator.vyos.net/ +.. _Phabricator: https://vyos.dev/ .. _802.1ad: https://en.wikipedia.org/wiki/IEEE_802.1ad .. _802.1q: https://en.wikipedia.org/wiki/IEEE_802.1Q .. _`VyOS CI`: https://ci.vyos.net diff --git a/docs/_include/vyos-1x b/docs/_include/vyos-1x -Subproject 6eea12512e59cc28f5c2e5ca5ec7e9e7b21731d +Subproject 9d8bcc8096ae00aa49bd91098728ad74117cd99 diff --git a/docs/changelog/1.3.rst b/docs/changelog/1.3.rst index dfb4917e..ca705e62 100644 --- a/docs/changelog/1.3.rst +++ b/docs/changelog/1.3.rst @@ -8,6 +8,36 @@ _ext/releasenotes.py +2023-02-11 +========== + +* :vytask:`T2603` (feature): pppoe-server: reduce min MTU + + +2023-02-08 +========== + +* :vytask:`T1288` (feature): FRR: rewrite staticd backend (/opt/vyatta/share/vyatta-cfg/templates/protocols/static/*) + + +2023-02-07 +========== + +* :vytask:`T4117` (bug): Does not possible to configure PoD/CoA for L2TP vpn + + +2023-02-01 +========== + +* :vytask:`T4970` (default): pin OCaml pcre package to avoid JIT support + + +2023-01-30 +========== + +* :vytask:`T4954` (bug): DNS cannot be configured via Network-Config v1 received from ConfigDrive / Cloud-Init + + 2023-01-24 ========== diff --git a/docs/changelog/1.4.rst b/docs/changelog/1.4.rst index a1687f87..4aa7ae77 100644 --- a/docs/changelog/1.4.rst +++ b/docs/changelog/1.4.rst @@ -8,6 +8,55 @@ _ext/releasenotes.py +2023-02-12 +========== + +* :vytask:`T4998` (bug): pppoe username validation too restrictive (regression) + + +2023-02-11 +========== + +* :vytask:`T2603` (feature): pppoe-server: reduce min MTU + + +2023-02-10 +========== + +* :vytask:`T4857` (feature): SNMP - Implement FRR SNMP recommendations +* :vytask:`T4995` (feature): pppoe, wwan and sstp-client - rename user -> username on authentication + + +2023-02-07 +========== + +* :vytask:`T4980` (bug): chrony not listening as a server +* :vytask:`T4868` (bug): L2TP ppp-options ipv6 does not work without ipv6 pool but should +* :vytask:`T4117` (bug): Does not possible to configure PoD/CoA for L2TP vpn + + +2023-02-01 +========== + +* :vytask:`T4970` (default): pin OCaml pcre package to avoid JIT support + + +2023-01-31 +========== + +* :vytask:`T4964` (bug): FRR bgp address-family l2vpn-evpn route-target export/import not working +* :vytask:`T4780` (feature): Firewall - Add interface group +* :vytask:`T4157` (default): Add jinja2 to pip test requirements + + +2023-01-30 +========== + +* :vytask:`T4958` (feature): Add OpenConnect RADIUS Accounting support +* :vytask:`T4954` (bug): DNS cannot be configured via Network-Config v1 received from ConfigDrive / Cloud-Init +* :vytask:`T4118` (default): IPsec syntax overhaul + + 2023-01-29 ========== diff --git a/docs/configexamples/azure-vpn-bgp.rst b/docs/configexamples/azure-vpn-bgp.rst index 6e715d79..fc6e1a04 100644 --- a/docs/configexamples/azure-vpn-bgp.rst +++ b/docs/configexamples/azure-vpn-bgp.rst @@ -100,15 +100,18 @@ Vyos configuration .. code-block:: none - set vpn ipsec site-to-site peer 203.0.113.2 authentication id '198.51.100.3' + set vpn ipsec authentication psk azure id '198.51.100.3' + set vpn ipsec authentication psk azure id '203.0.113.2' + set vpn ipsec authentication psk azure secret 'ch00s3-4-s3cur3-psk' + set vpn ipsec site-to-site peer azure authentication local-id '198.51.100.3' set vpn ipsec site-to-site peer 203.0.113.2 authentication mode 'pre-shared-secret' - set vpn ipsec site-to-site peer 203.0.113.2 authentication pre-shared-secret 'ch00s3-4-s3cur3-psk' set vpn ipsec site-to-site peer 203.0.113.2 authentication remote-id '203.0.113.2' set vpn ipsec site-to-site peer 203.0.113.2 connection-type 'respond' set vpn ipsec site-to-site peer 203.0.113.2 description 'AZURE PRIMARY TUNNEL' set vpn ipsec site-to-site peer 203.0.113.2 ike-group 'AZURE' set vpn ipsec site-to-site peer 203.0.113.2 ikev2-reauth 'inherit' set vpn ipsec site-to-site peer 203.0.113.2 local-address '10.10.0.5' + set vpn ipsec site-to-site peer azure remote-address '203.0.113.2' set vpn ipsec site-to-site peer 203.0.113.2 vti bind 'vti1' set vpn ipsec site-to-site peer 203.0.113.2 vti esp-group 'AZURE' diff --git a/docs/configexamples/azure-vpn-dual-bgp.rst b/docs/configexamples/azure-vpn-dual-bgp.rst index 2172e76d..7f4987bb 100644 --- a/docs/configexamples/azure-vpn-dual-bgp.rst +++ b/docs/configexamples/azure-vpn-dual-bgp.rst @@ -103,29 +103,34 @@ Vyos configuration .. code-block:: none - set vpn ipsec site-to-site peer 203.0.113.2 authentication id '198.51.100.3' - set vpn ipsec site-to-site peer 203.0.113.2 authentication mode 'pre-shared-secret' - set vpn ipsec site-to-site peer 203.0.113.2 authentication pre-shared-secret 'ch00s3-4-s3cur3-psk' - set vpn ipsec site-to-site peer 203.0.113.2 authentication remote-id '203.0.113.2' - set vpn ipsec site-to-site peer 203.0.113.2 connection-type 'respond' - set vpn ipsec site-to-site peer 203.0.113.2 description 'AZURE PRIMARY TUNNEL' - set vpn ipsec site-to-site peer 203.0.113.2 ike-group 'AZURE' - set vpn ipsec site-to-site peer 203.0.113.2 ikev2-reauth 'inherit' - set vpn ipsec site-to-site peer 203.0.113.2 local-address '10.10.0.5' - set vpn ipsec site-to-site peer 203.0.113.2 vti bind 'vti1' - set vpn ipsec site-to-site peer 203.0.113.2 vti esp-group 'AZURE' - - set vpn ipsec site-to-site peer 203.0.113.3 authentication id '198.51.100.3' - set vpn ipsec site-to-site peer 203.0.113.3 authentication mode 'pre-shared-secret' - set vpn ipsec site-to-site peer 203.0.113.3 authentication pre-shared-secret 'ch00s3-4-s3cur3-psk' - set vpn ipsec site-to-site peer 203.0.113.3 authentication remote-id '203.0.113.3' - set vpn ipsec site-to-site peer 203.0.113.3 connection-type 'respond' - set vpn ipsec site-to-site peer 203.0.113.3 description 'AZURE SECONDARY TUNNEL' - set vpn ipsec site-to-site peer 203.0.113.3 ike-group 'AZURE' - set vpn ipsec site-to-site peer 203.0.113.3 ikev2-reauth 'inherit' - set vpn ipsec site-to-site peer 203.0.113.3 local-address '10.10.0.5' - set vpn ipsec site-to-site peer 203.0.113.3 vti bind 'vti2' - set vpn ipsec site-to-site peer 203.0.113.3 vti esp-group 'AZURE' + set vpn ipsec authentication psk azure id '198.51.100.3' + set vpn ipsec authentication psk azure id '203.0.113.2' + set vpn ipsec authentication psk azure id '203.0.113.3' + set vpn ipsec authentication psk azure secret 'ch00s3-4-s3cur3-psk' + + set vpn ipsec site-to-site peer azure-primary authentication local-id '198.51.100.3' + set vpn ipsec site-to-site peer azure-primary authentication mode 'pre-shared-secret' + set vpn ipsec site-to-site peer azure-primary authentication remote-id '203.0.113.2' + set vpn ipsec site-to-site peer azure-primary connection-type 'respond' + set vpn ipsec site-to-site peer azure-primary description 'AZURE PRIMARY TUNNEL' + set vpn ipsec site-to-site peer azure-primary ike-group 'AZURE' + set vpn ipsec site-to-site peer azure-primary ikev2-reauth 'inherit' + set vpn ipsec site-to-site peer azure-primary local-address '10.10.0.5' + set vpn ipsec site-to-site peer azure-primary remote-address '203.0.113.2' + set vpn ipsec site-to-site peer azure-primary vti bind 'vti1' + set vpn ipsec site-to-site peer azure-primary vti esp-group 'AZURE' + + set vpn ipsec site-to-site peer azure-secondary authentication local-id '198.51.100.3' + set vpn ipsec site-to-site peer azure-secondary authentication mode 'pre-shared-secret' + set vpn ipsec site-to-site peer azure-secondary authentication remote-id '203.0.113.3' + set vpn ipsec site-to-site peer azure-secondary connection-type 'respond' + set vpn ipsec site-to-site peer azure-secondary description 'AZURE secondary TUNNEL' + set vpn ipsec site-to-site peer azure-secondary ike-group 'AZURE' + set vpn ipsec site-to-site peer azure-secondary ikev2-reauth 'inherit' + set vpn ipsec site-to-site peer azure-secondary local-address '10.10.0.5' + set vpn ipsec site-to-site peer azure-secondary remote-address '203.0.113.3' + set vpn ipsec site-to-site peer azure-secondary vti bind 'vti2' + set vpn ipsec site-to-site peer azure-secondary vti esp-group 'AZURE' - **Important**: Add an interface route to reach both Azure's BGP listeners diff --git a/docs/configuration/highavailability/index.rst b/docs/configuration/highavailability/index.rst index 9150b1bd..bc8aad99 100644 --- a/docs/configuration/highavailability/index.rst +++ b/docs/configuration/highavailability/index.rst @@ -357,6 +357,21 @@ Forward method set high-availability virtual-server 203.0.113.1 forward-method 'nat' +Health-check +^^^^^^^^^^^^ +Custom health-check script allows checking real-server availability + +.. code-block:: none + + set high-availability virtual-server 203.0.113.1 real-server 192.0.2.11 health-check script <path-to-script> + +Fwmark +^^^^^^ +Firewall mark. It possible to loadbalancing traffic based on ``fwmark`` value + +.. code-block:: none + + set high-availability virtual-server 203.0.113.1 fwmark '111' Real server ^^^^^^^^^^^ @@ -395,3 +410,47 @@ Real server is auto-excluded if port check with this server fail. set high-availability virtual-server 203.0.113.1 protocol 'tcp' set high-availability virtual-server 203.0.113.1 real-server 192.0.2.11 port '80' set high-availability virtual-server 203.0.113.1 real-server 192.0.2.12 port '80' + + +A firewall mark ``fwmark`` allows using multiple ports for high-availability +virtual-server. +It uses fwmark value. + +In this example all traffic destined to ports "80, 2222, 8888" protocol TCP +marks to fwmark "111" and balanced between 2 real servers. +Port "0" is required if multiple ports are used. + +.. code-block:: none + + set interfaces ethernet eth0 address 'dhcp' + set interfaces ethernet eth0 description 'WAN' + set interfaces ethernet eth1 address '192.0.2.1/24' + set interfaces ethernet eth1 description 'LAN' + + set policy route PR interface 'eth0' + set policy route PR rule 10 destination port '80,2222,8888' + set policy route PR rule 10 protocol 'tcp' + set policy route PR rule 10 set mark '111' + + set high-availability virtual-server vyos fwmark '111' + set high-availability virtual-server vyos protocol 'tcp' + set high-availability virtual-server vyos real-server 192.0.2.11 health-check script '/config/scripts/check-real-server-first.sh' + set high-availability virtual-server vyos real-server 192.0.2.11 port '0' + set high-availability virtual-server vyos real-server 192.0.2.12 health-check script '/config/scripts/check-real-server-second.sh' + set high-availability virtual-server vyos real-server 192.0.2.12 port '0' + + set nat source rule 100 outbound-interface 'eth0' + set nat source rule 100 source address '192.0.2.0/24' + set nat source rule 100 translation address 'masquerade' + +Op-mode check virtual-server status + +.. code-block:: none + + vyos@r14:~$ run show virtual-server + IP Virtual Server version 1.2.1 (size=4096) + Prot LocalAddress:Port Scheduler Flags + -> RemoteAddress:Port Forward Weight ActiveConn InActConn + FWM 111 lc persistent 300 + -> 192.0.2.11:0 Masq 1 0 0 + -> 192.0.2.12:0 Masq 1 1 0 diff --git a/docs/configuration/interfaces/l2tpv3.rst b/docs/configuration/interfaces/l2tpv3.rst index bd5d6862..897e38dc 100644 --- a/docs/configuration/interfaces/l2tpv3.rst +++ b/docs/configuration/interfaces/l2tpv3.rst @@ -141,29 +141,26 @@ IPSec: .. code-block:: none + set vpn ipsec authentication psk <pre-shared-name> id '%any' + set vpn ipsec authentication psk <pre-shared-name> secret <pre-shared-key> set vpn ipsec interface <VPN-interface> - set vpn ipsec esp-group test-ESP-1 compression 'disable' set vpn ipsec esp-group test-ESP-1 lifetime '3600' set vpn ipsec esp-group test-ESP-1 mode 'transport' set vpn ipsec esp-group test-ESP-1 pfs 'enable' set vpn ipsec esp-group test-ESP-1 proposal 1 encryption 'aes128' set vpn ipsec esp-group test-ESP-1 proposal 1 hash 'sha1' - set vpn ipsec ike-group test-IKE-1 ikev2-reauth 'no' set vpn ipsec ike-group test-IKE-1 key-exchange 'ikev1' set vpn ipsec ike-group test-IKE-1 lifetime '3600' set vpn ipsec ike-group test-IKE-1 proposal 1 dh-group '5' set vpn ipsec ike-group test-IKE-1 proposal 1 encryption 'aes128' set vpn ipsec ike-group test-IKE-1 proposal 1 hash 'sha1' - set vpn ipsec site-to-site peer <peer-ip> authentication mode 'pre-shared-secret' - set vpn ipsec site-to-site peer <peer-ip> authentication pre-shared-secret <pre-shared-key> - set vpn ipsec site-to-site peer <peer-ip> connection-type 'initiate' - set vpn ipsec site-to-site peer <peer-ip> ike-group 'test-IKE-1' - set vpn ipsec site-to-site peer <peer-ip> ikev2-reauth 'inherit' - set vpn ipsec site-to-site peer <peer-ip> local-address <local-ip> - set vpn ipsec site-to-site peer <peer-ip> tunnel 1 allow-nat-networks 'disable' - set vpn ipsec site-to-site peer <peer-ip> tunnel 1 allow-public-networks 'disable' - set vpn ipsec site-to-site peer <peer-ip> tunnel 1 esp-group 'test-ESP-1' - set vpn ipsec site-to-site peer <peer-ip> tunnel 1 protocol 'l2tp' + set vpn ipsec site-to-site peer <connection-name> authentication mode 'pre-shared-secret' + set vpn ipsec site-to-site peer <connection-name> connection-type 'initiate' + set vpn ipsec site-to-site peer <connection-name> ike-group 'test-IKE-1' + set vpn ipsec site-to-site peer <connection-name> ikev2-reauth 'inherit' + set vpn ipsec site-to-site peer <connection-name> local-address <local-ip> + set vpn ipsec site-to-site peer <connection-name> tunnel 1 esp-group 'test-ESP-1' + set vpn ipsec site-to-site peer <connection-name> tunnel 1 protocol 'l2tp' Bridge: diff --git a/docs/configuration/interfaces/pppoe.rst b/docs/configuration/interfaces/pppoe.rst index 0953e948..cf406baf 100644 --- a/docs/configuration/interfaces/pppoe.rst +++ b/docs/configuration/interfaces/pppoe.rst @@ -91,7 +91,7 @@ PPPoE options This command allows you to select a specific access concentrator when you know the access concentrators `<name>`. -.. cfgcmd:: set interfaces pppoe <interface> authentication user <username> +.. cfgcmd:: set interfaces pppoe <interface> authentication username <username> Use this command to set the username for authenticating with a remote PPPoE endpoint. Authentication is optional from the system's point of view but @@ -324,7 +324,7 @@ Requirements: .. code-block:: none - set interfaces pppoe pppoe0 authentication user 'userid' + set interfaces pppoe pppoe0 authentication username 'userid' set interfaces pppoe pppoe0 authentication password 'secret' set interfaces pppoe pppoe0 source-interface 'eth0' @@ -349,7 +349,7 @@ which is the default VLAN for Deutsche Telekom: .. code-block:: none - set interfaces pppoe pppoe0 authentication user 'userid' + set interfaces pppoe pppoe0 authentication username 'userid' set interfaces pppoe pppoe0 authentication password 'secret' set interfaces pppoe pppoe0 source-interface 'eth0.7' @@ -367,7 +367,7 @@ If you do not know the prefix size delegated to you, start with sla-len 0. .. code-block:: none - set interfaces pppoe pppoe0 authentication user vyos + set interfaces pppoe pppoe0 authentication username vyos set interfaces pppoe pppoe0 authentication password vyos set interfaces pppoe pppoe0 dhcpv6-options pd 0 interface eth0 address '1' set interfaces pppoe pppoe0 dhcpv6-options pd 0 interface eth0 sla-id '0' diff --git a/docs/configuration/interfaces/wwan.rst b/docs/configuration/interfaces/wwan.rst index 45b18387..98890158 100644 --- a/docs/configuration/interfaces/wwan.rst +++ b/docs/configuration/interfaces/wwan.rst @@ -22,7 +22,6 @@ Common interface configuration :var0: wwan :var1: wwan0 - .. cmdinclude:: /_include/interface-description.txt :var0: wwan :var1: wwan0 diff --git a/docs/configuration/nat/nat44.rst b/docs/configuration/nat/nat44.rst index 62964fea..b2ba61af 100644 --- a/docs/configuration/nat/nat44.rst +++ b/docs/configuration/nat/nat44.rst @@ -697,17 +697,22 @@ too. .. code-block:: none - set vpn ipsec site-to-site peer 198.51.100.243 authentication mode 'pre-shared-secret' - set vpn ipsec site-to-site peer 198.51.100.243 authentication pre-shared-secret 'PASSWORD IS HERE' - set vpn ipsec site-to-site peer 198.51.100.243 connection-type 'initiate' - set vpn ipsec site-to-site peer 198.51.100.243 default-esp-group 'my-esp' - set vpn ipsec site-to-site peer 198.51.100.243 ike-group 'my-ike' - set vpn ipsec site-to-site peer 198.51.100.243 ikev2-reauth 'inherit' - set vpn ipsec site-to-site peer 198.51.100.243 local-address '203.0.113.46' - set vpn ipsec site-to-site peer 198.51.100.243 tunnel 0 local prefix '172.29.41.89/32' - set vpn ipsec site-to-site peer 198.51.100.243 tunnel 0 remote prefix '172.27.1.0/24' - set vpn ipsec site-to-site peer 198.51.100.243 tunnel 1 local prefix '172.29.41.89/32' - set vpn ipsec site-to-site peer 198.51.100.243 tunnel 1 remote prefix '10.125.0.0/16' + set vpn ipsec authentication psk vyos id '203.0.113.46' + set vpn ipsec authentication psk vyos id '198.51.100.243' + set vpn ipsec authentication psk vyos secret 'MYSECRETPASSWORD' + set vpn ipsec site-to-site peer branch authentication local-id '203.0.113.46' + set vpn ipsec site-to-site peer branch authentication mode 'pre-shared-secret' + set vpn ipsec site-to-site peer branch authentication remote-id '198.51.100.243' + set vpn ipsec site-to-site peer branch connection-type 'initiate' + set vpn ipsec site-to-site peer branch default-esp-group 'my-esp' + set vpn ipsec site-to-site peer branch ike-group 'my-ike' + set vpn ipsec site-to-site peer branch ikev2-reauth 'inherit' + set vpn ipsec site-to-site peer branch local-address '203.0.113.46' + set vpn ipsec site-to-site peer branch remote-address '198.51.100.243' + set vpn ipsec site-to-site peer branch tunnel 0 local prefix '172.29.41.89/32' + set vpn ipsec site-to-site peer branch tunnel 0 remote prefix '172.27.1.0/24' + set vpn ipsec site-to-site peer branch tunnel 1 local prefix '172.29.41.89/32' + set vpn ipsec site-to-site peer branch tunnel 1 remote prefix '10.125.0.0/16' Testing and Validation """""""""""""""""""""" diff --git a/docs/configuration/policy/large-community-list.rst b/docs/configuration/policy/large-community-list.rst index 39da0815..0c57fd4a 100644 --- a/docs/configuration/policy/large-community-list.rst +++ b/docs/configuration/policy/large-community-list.rst @@ -14,7 +14,7 @@ policy large-community-list .. cfgcmd:: set policy large-community-list <text> - Creat large-community-list policy identified by name <text>. + Create large-community-list policy identified by name <text>. .. cfgcmd:: set policy large-community-list <text> description <text> diff --git a/docs/configuration/service/dhcp-relay.rst b/docs/configuration/service/dhcp-relay.rst index a93c1046..43abf254 100644 --- a/docs/configuration/service/dhcp-relay.rst +++ b/docs/configuration/service/dhcp-relay.rst @@ -20,8 +20,20 @@ Configuration .. cfgcmd:: set service dhcp-relay interface <interface> - Interfaces that participate in the DHCP relay process, including the uplink - to the DHCP server. + Interfaces that participate in the DHCP relay process. If this command is + used, at least two entries of it are required: one for the interface that + captures the dhcp-requests, and one for the interface to forward such + requests. A warning message will be shown if this command is used, since + new implementations should use ``listen-interface`` and + ``upstream-interface``. + +.. cfgcmd:: set service dhcp-relay listen-interface <interface> + + Interface for DHCP Relay Agent to listen for requests. + +.. cfgcmd:: set service dhcp-relay upstream-interface <interface> + + Interface for DHCP Relay Agent to forward requests out. .. cfgcmd:: set service dhcp-relay server <server> @@ -70,8 +82,8 @@ Example * Listen for DHCP requests on interface ``eth1``. * DHCP server is located at IPv4 address 10.0.1.4 on ``eth2``. -* Router receives DHCP client requests on ``eth1`` and relays them to the server - at 10.0.1.4 on ``eth2``. +* Router receives DHCP client requests on ``eth1`` and relays them to the + server at 10.0.1.4 on ``eth2``. .. figure:: /_static/images/service_dhcp-relay01.png :scale: 80 % @@ -84,6 +96,19 @@ The generated configuration will look like: .. code-block:: none show service dhcp-relay + listen-interface eth1 + upstrem-interface eth2 + server 10.0.1.4 + relay-options { + relay-agents-packets discard + } + +Also, for backwards compatibility this configuration, which uses generic +interface definition, is still valid: + +.. code-block:: none + + show service dhcp-relay interface eth1 interface eth2 server 10.0.1.4 diff --git a/docs/configuration/service/dhcp-server.rst b/docs/configuration/service/dhcp-server.rst index 3f4b7b89..b4245f0c 100644 --- a/docs/configuration/service/dhcp-server.rst +++ b/docs/configuration/service/dhcp-server.rst @@ -234,7 +234,7 @@ inside the subnet definition but can be outside of the range statement. **Example:** -* IP address ``192.168.1.100`` shall be statically mapped to client named ``client100`` +* IP address ``192.168.1.100`` shall be statically mapped to client named ``client1`` .. code-block:: none diff --git a/docs/configuration/service/ipoe-server.rst b/docs/configuration/service/ipoe-server.rst index e42ab42e..c219a063 100644 --- a/docs/configuration/service/ipoe-server.rst +++ b/docs/configuration/service/ipoe-server.rst @@ -146,4 +146,49 @@ The rate-limit is set in kbit/sec. -------+------------+-------------------+-------------+-----+--------+------------+--------+----------+------------------ ipoe0 | eth2 | 08:00:27:2f:d8:06 | 192.168.0.2 | | | 500/500 | active | 00:00:05 | dccc870fd31349fb +Example +======= + +* IPoE server will listen on interfaces eth1.50 and eth1.51 +* There are rate-limited and non rate-limited users (MACs) + +Server configuration +-------------------- + +.. code-block:: none + + set interfaces dummy dum1000 address 100.64.0.1/32 + set interfaces dummy dum1000 address 2001:db8::1/128 + + set interfaces ethernet eth1 description 'IPoE' + set interfaces ethernet eth1 vif 50 + set interfaces ethernet eth1 vif 51 + + set service ipoe-server authentication interface eth1.50 mac 00:0c:29:b7:49:a7 + set service ipoe-server authentication interface eth1.50 mac 00:0c:29:f0:be:4c rate-limit download '5000' + set service ipoe-server authentication interface eth1.50 mac 00:0c:29:f0:be:4c rate-limit upload '5000' + set service ipoe-server authentication interface eth1.51 mac 00:0c:29:b7:49:a7 rate-limit download '50000' + set service ipoe-server authentication interface eth1.51 mac 00:0c:29:b7:49:a7 rate-limit upload '50000' + set service ipoe-server authentication mode 'local' + + set service ipoe-server client-ipv6-pool delegate 2001:db8:ffff::/48 delegation-prefix '56' + set service ipoe-server client-ipv6-pool prefix 2001:db8:fffe::/48 mask '64' + set service ipoe-server interface eth1.50 client-subnet '100.64.50.0/24' + set service ipoe-server interface eth1.50 mode 'l2' + set service ipoe-server interface eth1.51 client-subnet '100.64.51.0/24' + set service ipoe-server interface eth1.51 mode 'l2' + set service ipoe-server name-server '100.64.0.1' + set service ipoe-server name-server '2001:db8::1' + +Client configuration +-------------------- + +.. code-block:: none + + set interfaces ethernet eth0 mac '00:0c:29:b7:49:a7' + + set interfaces ethernet eth0 vif 50 address 'dhcp' + set interfaces ethernet eth0 vif 50 address 'dhcpv6' + set interfaces ethernet eth0 vif 50 dhcpv6-options pd 0 interface eth1 sla-id '1' + .. include:: /_include/common-references.txt diff --git a/docs/configuration/system/acceleration.rst b/docs/configuration/system/acceleration.rst index 62b85c71..63506d6d 100644 --- a/docs/configuration/system/acceleration.rst +++ b/docs/configuration/system/acceleration.rst @@ -63,39 +63,50 @@ Side A: .. code-block:: + set interfaces vti vti1 address '192.168.1.2/24' + set vpn ipsec authentication psk right id '10.10.10.2' + set vpn ipsec authentication psk right id '10.10.10.1' + set vpn ipsec authentication psk right secret 'Qwerty123' set vpn ipsec esp-group MyESPGroup proposal 1 encryption 'aes256' set vpn ipsec esp-group MyESPGroup proposal 1 hash 'sha256' set vpn ipsec ike-group MyIKEGroup proposal 1 dh-group '14' set vpn ipsec ike-group MyIKEGroup proposal 1 encryption 'aes256' set vpn ipsec ike-group MyIKEGroup proposal 1 hash 'sha256' set vpn ipsec interface 'eth0' - set vpn ipsec site-to-site peer 10.10.10.1 authentication mode 'pre-shared-secret' - set vpn ipsec site-to-site peer 10.10.10.1 authentication pre-shared-secret 'Qwerty123' - set vpn ipsec site-to-site peer 10.10.10.1 connection-type 'initiate' - set vpn ipsec site-to-site peer 10.10.10.1 default-esp-group 'MyESPGroup' - set vpn ipsec site-to-site peer 10.10.10.1 ike-group 'MyIKEGroup' - set vpn ipsec site-to-site peer 10.10.10.1 local-address '10.10.10.2' - set vpn ipsec site-to-site peer 10.10.10.1 vti bind 'vti1' + set vpn ipsec site-to-site peer right authentication local-id '10.10.10.2' + set vpn ipsec site-to-site peer right authentication mode 'pre-shared-secret' + set vpn ipsec site-to-site peer right authentication remote-id '10.10.10.1' + set vpn ipsec site-to-site peer right connection-type 'initiate' + set vpn ipsec site-to-site peer right default-esp-group 'MyESPGroup' + set vpn ipsec site-to-site peer right ike-group 'MyIKEGroup' + set vpn ipsec site-to-site peer right local-address '10.10.10.2' + set vpn ipsec site-to-site peer right remote-address '10.10.10.1' + set vpn ipsec site-to-site peer right vti bind 'vti1' Side B: .. code-block:: set interfaces vti vti1 address '192.168.1.1/24' + set vpn ipsec authentication psk left id '10.10.10.2' + set vpn ipsec authentication psk left id '10.10.10.1' + set vpn ipsec authentication psk left secret 'Qwerty123' set vpn ipsec esp-group MyESPGroup proposal 1 encryption 'aes256' set vpn ipsec esp-group MyESPGroup proposal 1 hash 'sha256' set vpn ipsec ike-group MyIKEGroup proposal 1 dh-group '14' set vpn ipsec ike-group MyIKEGroup proposal 1 encryption 'aes256' set vpn ipsec ike-group MyIKEGroup proposal 1 hash 'sha256' set vpn ipsec interface 'eth0' - set vpn ipsec site-to-site peer 10.10.10.2 authentication mode 'pre-shared-secret' - set vpn ipsec site-to-site peer 10.10.10.2 authentication pre-shared-secret 'Qwerty123' - set vpn ipsec site-to-site peer 10.10.10.2 connection-type 'initiate' - set vpn ipsec site-to-site peer 10.10.10.2 default-esp-group 'MyESPGroup' - set vpn ipsec site-to-site peer 10.10.10.2 ike-group 'MyIKEGroup' - set vpn ipsec site-to-site peer 10.10.10.2 local-address '10.10.10.1' - set vpn ipsec site-to-site peer 10.10.10.2 vti bind 'vti1' + set vpn ipsec site-to-site peer left authentication local-id '10.10.10.1' + set vpn ipsec site-to-site peer left authentication mode 'pre-shared-secret' + set vpn ipsec site-to-site peer left authentication remote-id '10.10.10.2' + set vpn ipsec site-to-site peer left connection-type 'initiate' + set vpn ipsec site-to-site peer left default-esp-group 'MyESPGroup' + set vpn ipsec site-to-site peer left ike-group 'MyIKEGroup' + set vpn ipsec site-to-site peer left local-address '10.10.10.1' + set vpn ipsec site-to-site peer left remote-address '10.10.10.2' + set vpn ipsec site-to-site peer left vti bind 'vti1' a bandwidth test over the VPN got these results: diff --git a/docs/configuration/vpn/ipsec.rst b/docs/configuration/vpn/ipsec.rst index d6a4733c..327f3abb 100644 --- a/docs/configuration/vpn/ipsec.rst +++ b/docs/configuration/vpn/ipsec.rst @@ -202,6 +202,11 @@ On the LEFT: ## IPsec set vpn ipsec interface eth0 + # Pre-shared-secret + set vpn ipsec authentication psk vyos id 192.0.2.10 + set vpn ipsec authentication psk vyos id 203.0.113.45 + set vpn ipsec authentication psk vyos secret MYSECRETKEY + # IKE group set vpn ipsec ike-group MyIKEGroup proposal 1 dh-group '2' set vpn ipsec ike-group MyIKEGroup proposal 1 encryption 'aes128' @@ -213,7 +218,6 @@ On the LEFT: # IPsec tunnel set vpn ipsec site-to-site peer right authentication mode pre-shared-secret - set vpn ipsec site-to-site peer right authentication pre-shared-secret MYSECRETKEY set vpn ipsec site-to-site peer right authentication remote-id 203.0.113.45 set vpn ipsec site-to-site peer right ike-group MyIKEGroup diff --git a/docs/configuration/vpn/site2site_ipsec.rst b/docs/configuration/vpn/site2site_ipsec.rst index 68f6c48b..e89d25c6 100644 --- a/docs/configuration/vpn/site2site_ipsec.rst +++ b/docs/configuration/vpn/site2site_ipsec.rst @@ -18,23 +18,29 @@ Each site-to-site peer has the next options: * ``authentication`` - configure authentication between VyOS and a remote peer. Suboptions: + * ``psk`` - Preshared secret key name: + + * ``dhcp-interface`` - ID for authentication generated from DHCP address + dynamically; + * ``id`` - static ID's for authentication. In general local and remote + address ``<x.x.x.x>``, ``<h:h:h:h:h:h:h:h>`` or ``%any``; + * ``secret`` - predefined shared secret. Used if configured mode + ``pre-shared-secret``; + + * ``local-id`` - ID for the local VyOS router. If defined, during the authentication it will be send to remote peer; * ``mode`` - mode for authentication between VyOS and remote peer: - * ``pre-shared-secret`` - use predefined shared secret phrase, must be the - same for local and remote side; + * ``pre-shared-secret`` - use predefined shared secret phrase; * ``rsa`` - use simple shared RSA key. The key must be defined in the ``set vpn rsa-keys`` section; * ``x509`` - use certificates infrastructure for authentication. - * ``pre-shared-secret`` - predefined shared secret. Used if configured - ``mode pre-shared-secret``; - * ``remote-id`` - define an ID for remote peer, instead of using peer name or address. Useful in case if the remote peer is behind NAT or if ``mode x509`` is used; @@ -161,6 +167,9 @@ Example: .. code-block:: none # server config + set vpn ipsec authentication psk OFFICE-B id '198.51.100.3' + set vpn ipsec authentication psk OFFICE-B id '203.0.113.2' + set vpn ipsec authentication psk OFFICE-B secret 'SomePreSharedKey' set vpn ipsec esp-group office-srv-esp lifetime '1800' set vpn ipsec esp-group office-srv-esp mode 'tunnel' set vpn ipsec esp-group office-srv-esp pfs 'enable' @@ -171,8 +180,8 @@ Example: set vpn ipsec ike-group office-srv-ike proposal 1 encryption 'aes256' set vpn ipsec ike-group office-srv-ike proposal 1 hash 'sha1' set vpn ipsec interface 'eth1' + set vpn ipsec site-to-site peer OFFICE-B authentication local-id '198.51.100.3' set vpn ipsec site-to-site peer OFFICE-B authentication mode 'pre-shared-secret' - set vpn ipsec site-to-site peer OFFICE-B authentication pre-shared-secret 'SomePreSharedKey' set vpn ipsec site-to-site peer OFFICE-B authentication remote-id '203.0.113.2' set vpn ipsec site-to-site peer OFFICE-B ike-group 'office-srv-ike' set vpn ipsec site-to-site peer OFFICE-B local-address '198.51.100.3' @@ -182,6 +191,9 @@ Example: set vpn ipsec site-to-site peer OFFICE-B tunnel 0 remote prefix '10.0.0.0/21' # remote office config + set vpn ipsec authentication psk OFFICE-A id '198.51.100.3' + set vpn ipsec authentication psk OFFICE-A id '203.0.113.2' + set vpn ipsec authentication psk OFFICE-A secret 'SomePreSharedKey' set vpn ipsec esp-group office-srv-esp lifetime '1800' set vpn ipsec esp-group office-srv-esp mode 'tunnel' set vpn ipsec esp-group office-srv-esp pfs 'enable' @@ -192,8 +204,8 @@ Example: set vpn ipsec ike-group office-srv-ike proposal 1 encryption 'aes256' set vpn ipsec ike-group office-srv-ike proposal 1 hash 'sha1' set vpn ipsec interface 'eth1' + set vpn ipsec site-to-site peer OFFICE-A authentication local-id '203.0.113.2' set vpn ipsec site-to-site peer OFFICE-A authentication mode 'pre-shared-secret' - set vpn ipsec site-to-site peer OFFICE-A authentication pre-shared-secret 'SomePreSharedKey' set vpn ipsec site-to-site peer OFFICE-A authentication remote-id '198.51.100.3' set vpn ipsec site-to-site peer OFFICE-A ike-group 'office-srv-ike' set vpn ipsec site-to-site peer OFFICE-A local-address '203.0.113.2' @@ -279,6 +291,9 @@ Imagine the following topology set interfaces vti vti10 address '10.0.0.2/31' + set vpn ipsec authentication psk OFFICE-B id '172.18.201.10' + set vpn ipsec authentication psk OFFICE-B id '172.18.202.10' + set vpn ipsec authentication psk OFFICE-B secret 'secretkey' set vpn ipsec esp-group ESP_DEFAULT lifetime '3600' set vpn ipsec esp-group ESP_DEFAULT mode 'tunnel' set vpn ipsec esp-group ESP_DEFAULT pfs 'dh-group19' @@ -293,7 +308,6 @@ Imagine the following topology set vpn ipsec interface 'eth0.201' set vpn ipsec site-to-site peer OFFICE-B authentication local-id '172.18.201.10' set vpn ipsec site-to-site peer OFFICE-B authentication mode 'pre-shared-secret' - set vpn ipsec site-to-site peer OFFICE-B authentication pre-shared-secret 'secretkey' set vpn ipsec site-to-site peer OFFICE-B authentication remote-id '172.18.202.10' set vpn ipsec site-to-site peer OFFICE-B connection-type 'respond' set vpn ipsec site-to-site peer OFFICE-B ike-group 'IKEv2_DEFAULT' @@ -308,6 +322,9 @@ Imagine the following topology set interfaces vti vti10 address '10.0.0.3/31' + set vpn ipsec authentication psk OFFICE-A id '172.18.201.10' + set vpn ipsec authentication psk OFFICE-A id '172.18.202.10' + set vpn ipsec authentication psk OFFICE-A secret 'secretkey' set vpn ipsec esp-group ESP_DEFAULT lifetime '3600' set vpn ipsec esp-group ESP_DEFAULT mode 'tunnel' set vpn ipsec esp-group ESP_DEFAULT pfs 'dh-group19' @@ -325,7 +342,6 @@ Imagine the following topology set vpn ipsec interface 'eth0.202' set vpn ipsec site-to-site peer OFFICE-A authentication local-id '172.18.202.10' set vpn ipsec site-to-site peer OFFICE-A authentication mode 'pre-shared-secret' - set vpn ipsec site-to-site peer OFFICE-A authentication pre-shared-secret 'secretkey' set vpn ipsec site-to-site peer OFFICE-A authentication remote-id '172.18.201.10' set vpn ipsec site-to-site peer OFFICE-A connection-type 'initiate' set vpn ipsec site-to-site peer OFFICE-A ike-group 'IKEv2_DEFAULT' diff --git a/docs/index.rst b/docs/index.rst index d5d25f48..c1ac38ed 100644 --- a/docs/index.rst +++ b/docs/index.rst @@ -46,7 +46,7 @@ VyOS User Guide | There are many ways to contribute to the project. | Add missing parts or improve the :ref:`Documentation<documentation:Write Documentation>`. | Discuss in `Slack <https://slack.vyos.io/>`_ or the `Forum <https://forum.vyos.io>`_. - | Or you can pick up a `Task <https://phabricator.vyos.net/>`_ and fix the :ref:`code<contributing/development:development>`. + | Or you can pick up a `Task <https://vyos.dev/>`_ and fix the :ref:`code<contributing/development:development>`. .. toctree:: diff --git a/docs/operation/information.rst b/docs/operation/information.rst index 95cf28ef..e32e55b4 100644 --- a/docs/operation/information.rst +++ b/docs/operation/information.rst @@ -31,7 +31,7 @@ interface is now directly identified by the USB root bridge and bus it connects to. This somehow mimics the new network interface definitions we see in recent Linux distributions. -For additional details you can refer to https://phabricator.vyos.net/T2490. +For additional details you can refer to https://vyos.dev/T2490. .. opcmd:: show hardware usb |