diff options
| m--------- | docs/_include/vyos-1x | 0 | ||||
| -rw-r--r-- | docs/changelog/1.3.rst | 32 | ||||
| -rw-r--r-- | docs/changelog/1.4.rst | 127 | ||||
| -rw-r--r-- | docs/configuration/interfaces/dummy.rst | 2 | ||||
| -rw-r--r-- | docs/configuration/interfaces/index.rst | 1 | ||||
| -rw-r--r-- | docs/configuration/interfaces/virtual-ethernet.rst | 95 | ||||
| -rw-r--r-- | docs/configuration/policy/examples.rst | 35 | ||||
| -rw-r--r-- | docs/configuration/protocols/isis.rst | 263 | ||||
| -rw-r--r-- | docs/configuration/vpn/ipsec.rst | 63 | ||||
| -rw-r--r-- | docs/configuration/vpn/site2site_ipsec.rst | 20 | ||||
| -rw-r--r-- | docs/contributing/build-vyos.rst | 73 |
11 files changed, 577 insertions, 134 deletions
diff --git a/docs/_include/vyos-1x b/docs/_include/vyos-1x -Subproject 8403848a338d54f9e489fca1efd1143d820a14a +Subproject 2e011313a9b5fc1a263e11149f5dd4c904ee42d diff --git a/docs/changelog/1.3.rst b/docs/changelog/1.3.rst index 63111c53..fa016e56 100644 --- a/docs/changelog/1.3.rst +++ b/docs/changelog/1.3.rst @@ -8,6 +8,31 @@ _ext/releasenotes.py +2022-11-06 +========== + +* :vytask:`T2913` (bug): Failure to install fpm while building builder docker image + + +2022-11-04 +========== + +* :vytask:`T2417` (feature): Python validator cleanup + + +2022-11-01 +========== + +* :vytask:`T4177` (bug): Strip-private doesn't work for service monitoring + + +2022-10-31 +========== + +* :vytask:`T1875` (feature): Add the ability to use network address as BGP neighbor (bgp listen range) +* :vytask:`T4785` (feature): snmp: Allow !, @, * and # in community name + + 2022-10-21 ========== @@ -537,12 +562,6 @@ * :vytask:`T4198` (bug): Error shown on commit -2022-01-29 -========== - -* :vytask:`T4153` (bug): Monitor bandwidth-test initiate not working - - 2022-01-28 ========== @@ -1295,7 +1314,6 @@ * :vytask:`T2759` (bug): validate-value prints error messages from validators that fail even if overall validation succeeds * :vytask:`T3234` (bug): multi_to_list fails in certain cases, with root cause an element redundancy in XML interface-definitions * :vytask:`T3732` (feature): override-default helper should support adding defaultValues to default less nodes -* :vytask:`T3574` (default): Add constraintGroup for combining validators with logical AND * :vytask:`T1962` (default): Add syntax version to schema diff --git a/docs/changelog/1.4.rst b/docs/changelog/1.4.rst index 6af3ccae..c98dd3c9 100644 --- a/docs/changelog/1.4.rst +++ b/docs/changelog/1.4.rst @@ -8,6 +8,124 @@ _ext/releasenotes.py +2022-11-20 +========== + +* :vytask:`T4827` (bug): route-map issues , not load configuration FRR + + +2022-11-19 +========== + +* :vytask:`T4826` (bug): Wrong key type is used for SSH SK public keys +* :vytask:`T4720` (feature): Ability to configure SSH HostKeyAlgorithms +* :vytask:`T4828` (default): Raise appropriate op-mode errors in ipsec.py 'reset_peer' + + +2022-11-18 +========== + +* :vytask:`T4821` (bug): Correct calling of config mode script dependencies from firewall.py + + +2022-11-17 +========== + +* :vytask:`T4750` (feature): Support of higher level SSH keys (sk-ssh-ed25519) + + +2022-11-15 +========== + +* :vytask:`T4808` (feature): Add details of configtree operations to migration log + + +2022-11-12 +========== + +* :vytask:`T4814` (bug): Regression in bundled powerdns version + + +2022-11-09 +========== + +* :vytask:`T4800` (bug): undefined var includes_chroot_dir in build-vyos-image + + +2022-11-08 +========== + +* :vytask:`T4771` (feature): Rewrite protocol BGP op-mode to vyos.opmode format +* :vytask:`T4806` (default): Update FRR to 8.4 in 1.4 version + + +2022-11-06 +========== + +* :vytask:`T4803` (bug): The header 'Authorization' needs to be explictly allowed in http-api CORS middleware + + +2022-11-05 +========== + +* :vytask:`T4802` (feature): Ability to define per container shared-memory size + + +2022-11-01 +========== + +* :vytask:`T4764` (bug): NAT tables vyos_nat and vyos_static_nat not deleting after deleting nat +* :vytask:`T4177` (bug): Strip-private doesn't work for service monitoring + + +2022-10-31 +========== + +* :vytask:`T4786` (feature): Add package python3-pyhumps +* :vytask:`T1875` (feature): Add the ability to use network address as BGP neighbor (bgp listen range) +* :vytask:`T4785` (feature): snmp: Allow !, @, * and # in community name +* :vytask:`T4787` (feature): ipsec: add support for road-warrior/remote-access RADIUS timeout + + +2022-10-29 +========== + +* :vytask:`T4783` (default): Add support for stunnel +* :vytask:`T4784` (feature): Add description node for static route/route6 tagNodes + + +2022-10-28 +========== + +* :vytask:`T4291` (default): Consolidate component version read/write functions + + +2022-10-27 +========== + +* :vytask:`T4763` (feature): Change XML for Show nat destination statistics +* :vytask:`T4762` (bug): Show nat rules with empty rules incorrect error +* :vytask:`T4778` (bug): Raise error UnconfiguredSubsystem if op-mode ipsec.py fails initialization + + +2022-10-26 +========== + +* :vytask:`T4773` (default): Add camel_case to snake_case conversion utility + + +2022-10-25 +========== + +* :vytask:`T4574` (default): Add token based authentication to GraphQL API + + +2022-10-24 +========== + +* :vytask:`T4772` (default): Return list of dicts in 'raw' output of route.py instead of dict with redundant information + + 2022-10-23 ========== @@ -37,7 +155,6 @@ 2022-10-14 ========== -* :vytask:`T4750` (feature): Support of higher level SSH keys (sk-ssh-ed25519) * :vytask:`T4672` (bug): RADIUS server disable does not work * :vytask:`T4749` (enhancment): Use config_dict for conf_mode http-api.py @@ -1139,12 +1256,6 @@ * :vytask:`T4138` (bug): NAT configuration allows to set incorrect port range and invalid port -2022-01-29 -========== - -* :vytask:`T4153` (bug): Monitor bandwidth-test initiate not working - - 2022-01-28 ========== @@ -1239,7 +1350,6 @@ * :vytask:`T4182` (bug): Show vrrp if vrrp not configured bug * :vytask:`T4179` (feature): Add op-mode CLI for show high-availability virtual-server -* :vytask:`T4177` (bug): Strip-private doesn't work for service monitoring 2022-01-13 @@ -2038,7 +2148,6 @@ * :vytask:`T3764` (bug): Unconfigurable IKE and ESP lifetime * :vytask:`T3234` (bug): multi_to_list fails in certain cases, with root cause an element redundancy in XML interface-definitions * :vytask:`T3732` (feature): override-default helper should support adding defaultValues to default less nodes -* :vytask:`T3574` (default): Add constraintGroup for combining validators with logical AND * :vytask:`T3759` (default): [L3VPN] VPNv4/VPNv6 add commands diff --git a/docs/configuration/interfaces/dummy.rst b/docs/configuration/interfaces/dummy.rst index 8440feca..ba09d9a7 100644 --- a/docs/configuration/interfaces/dummy.rst +++ b/docs/configuration/interfaces/dummy.rst @@ -68,7 +68,7 @@ Operation .. code-block:: none - vyos@vyos:~$ show interfaces ethernet eth0 + vyos@vyos:~$ show interfaces dummy dum0 dum0: <BROADCAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default qlen 1000 link/ether 26:7c:8e:bc:fc:f5 brd ff:ff:ff:ff:ff:ff inet 172.18.254.201/32 scope global dum0 diff --git a/docs/configuration/interfaces/index.rst b/docs/configuration/interfaces/index.rst index 23792203..97ad709e 100644 --- a/docs/configuration/interfaces/index.rst +++ b/docs/configuration/interfaces/index.rst @@ -20,6 +20,7 @@ Interfaces pppoe pseudo-ethernet tunnel + virtual-ethernet vti vxlan wireless diff --git a/docs/configuration/interfaces/virtual-ethernet.rst b/docs/configuration/interfaces/virtual-ethernet.rst new file mode 100644 index 00000000..a6988318 --- /dev/null +++ b/docs/configuration/interfaces/virtual-ethernet.rst @@ -0,0 +1,95 @@ +:lastproofread: 2022-11-25 + +.. _virtual-ethernet: + +################ +Virtual Ethernet +################ + +The veth devices are virtual Ethernet devices. They can act as tunnels between +network namespaces to create a bridge to a physical network device in another +namespace or VRF, but can also be used as standalone network devices. + +.. note:: veth interfaces need to be created in pairs - it's called the peer name + +************* +Configuration +************* + +Common interface configuration +============================== + +.. cmdinclude:: /_include/interface-address-with-dhcp.txt + :var0: virtual-ethernet + :var1: veth0 + +.. cmdinclude:: /_include/interface-description.txt + :var0: virtual-ethernet + :var1: veth0 + +.. cmdinclude:: /_include/interface-disable.txt + :var0: virtual-ethernet + :var1: veth0 + +.. cmdinclude:: /_include/interface-vrf.txt + :var0: virtual-ethernet + :var1: veth0 + +********* +Operation +********* + +.. opcmd:: show interfaces virtual-ethernet + + Show brief interface information. + + .. code-block:: none + + vyos@vyos:~$ show interfaces virtual-ethernet + Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down + Interface IP Address S/L Description + --------- ---------- --- ----------- + veth10 100.64.0.0/31 u/u + veth11 100.64.0.1/31 u/u + +.. opcmd:: show interfaces virtual-ethernet <interface> + + Show detailed information on given `<interface>` + + .. code-block:: none + + vyos@vyos:~$ show interfaces virtual-ethernet veth11 + 10: veth11@veth10: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master red state UP group default qlen 1000 + link/ether b2:7b:df:47:e9:11 brd ff:ff:ff:ff:ff:ff + inet 100.64.0.1/31 scope global veth11 + valid_lft forever preferred_lft forever + inet6 fe80::b07b:dfff:fe47:e911/64 scope link + valid_lft forever preferred_lft forever + + + RX: bytes packets errors dropped overrun mcast + 0 0 0 0 0 0 + TX: bytes packets errors dropped carrier collisions + 1369707 4267 0 0 0 0 + +******* +Example +******* + +Interconnect the global VRF with vrf "red" using the veth10 <-> veth 11 pair + +.. code-block:: none + + set interfaces virtual-ethernet veth10 address '100.64.0.0/31' + set interfaces virtual-ethernet veth10 peer-name 'veth11' + set interfaces virtual-ethernet veth11 address '100.64.0.1/31' + set interfaces virtual-ethernet veth11 peer-name 'veth10' + set interfaces virtual-ethernet veth11 vrf 'red' + set vrf name red table '1000' + + vyos@vyos:~$ ping 100.64.0.1 + PING 100.64.0.1 (100.64.0.1) 56(84) bytes of data. + 64 bytes from 100.64.0.1: icmp_seq=1 ttl=64 time=0.080 ms + 64 bytes from 100.64.0.1: icmp_seq=2 ttl=64 time=0.119 ms + + diff --git a/docs/configuration/policy/examples.rst b/docs/configuration/policy/examples.rst index 2d44f4bc..7c7b9c46 100644 --- a/docs/configuration/policy/examples.rst +++ b/docs/configuration/policy/examples.rst @@ -83,7 +83,7 @@ interface, we use: .. code-block:: none - set interfaces ethernet eth1 policy route FILTER-WEB + set policy route FILTER-WEB interface eth1 ################ Multiple Uplinks @@ -129,8 +129,8 @@ Apply routing policy to **inbound** direction of out VLAN interfaces .. code-block:: none - set interfaces ethernet eth0 vif 10 policy route 'PBR' - set interfaces ethernet eth0 vif 11 policy route 'PBR' + set policy route 'PBR' interface eth0.10 + set policy route 'PBR' interface eth0.11 **OPTIONAL:** Exclude Inter-VLAN traffic (between VLAN10 and VLAN11) @@ -182,3 +182,32 @@ Add multiple source IP in one rule with same priority set policy local-route rule 101 source '203.0.113.253' set policy local-route rule 101 source '198.51.100.0/24' +########################### +Clamp MSS for a specific IP +########################### + +This example shows how to target an MSS clamp (in our example to 1360 bytes) +to a specific destination IP. + +.. code-block:: none + + set policy route IP-MSS-CLAMP rule 10 description 'Clamp TCP session MSS to 1360 for 198.51.100.30' + set policy route IP-MSS-CLAMP rule 10 destination address '198.51.100.30/32' + set policy route IP-MSS-CLAMP rule 10 protocol 'tcp' + set policy route IP-MSS-CLAMP rule 10 set tcp-mss '1360' + set policy route IP-MSS-CLAMP rule 10 tcp flags 'SYN' + +To apply this policy to the correct interface, configure it on the +interface the inbound local host will send through to reach our +destined target host (in our example eth1). + +.. code-block:: none + + set policy route IP-MSS-CLAMP interface eth1 + +You can view that the policy is being correctly (or incorrectly) utilised +with the following command: + +.. code-block:: none + + show policy route statistics diff --git a/docs/configuration/protocols/isis.rst b/docs/configuration/protocols/isis.rst index 416a42c3..ef9cc960 100644 --- a/docs/configuration/protocols/isis.rst +++ b/docs/configuration/protocols/isis.rst @@ -7,14 +7,18 @@ IS-IS ##### :abbr:`IS-IS (Intermediate System to Intermediate System)` is a link-state -interior gateway routing protocol which is described in ISO10589, -:rfc:`1195`, :rfc:`5308`. Like OSPF, IS-IS runs the Dijkstra shortest-path -first (SPF) algorithm to create a database of the network’s topology and, -from that database, to determine the best (that is, shortest) path to a -destination. The routers exchange topology information with their nearest -neighbors. IS-IS runs directly on the data link layer (Layer 2). IS-IS -addresses are called :abbr:`NETs (Network Entity Titles)` and can be -8 to 20 bytes long, but are generally 10 bytes long. +interior gateway protocol (IGP) which is described in ISO10589, +:rfc:`1195`, :rfc:`5308`. IS-IS runs the Dijkstra shortest-path first (SPF) +algorithm to create a database of the network’s topology, and +from that database to determine the best (that is, lowest cost) path to a +destination. The intermediate systems (the name for routers) exchange topology +information with their directly conencted neighbors. IS-IS runs directly on +the data link layer (Layer 2). IS-IS addresses are called +:abbr:`NETs (Network Entity Titles)` and can be 8 to 20 bytes long, but are +generally 10 bytes long. The tree database that is created with IS-IS is +similar to the one that is created with OSPF in that the paths chosen should +be similar. Comparisons to OSPF are inevitable and often are reasonable ones +to make in regards to the way a network will respond with either IGP. ******* General @@ -26,60 +30,76 @@ Configuration Mandatory Settings ------------------ +For IS-IS top operate correctly, one must do the equivalent of a Router ID in +CLNS. This Router ID is called the :abbr:`NET (Network Entity Title)`. This +must be unique for each and every router that is operating in IS-IS. It also +must not be duplicated otherwise the same issues that occur within OSPF will +occur within IS-IS when it comes to said duplication. + + .. cfgcmd:: set protocols isis net <network-entity-title> - This commad also sets network entity title (NET) provided in ISO format. + This commad sets network entity title (NET) provided in ISO format. - For example :abbr:`NET (Network Entity Title)` + Here is an example :abbr:`NET (Network Entity Title)` value: .. code-block:: none 49.0001.1921.6800.1002.00 - The IS-IS address consists of the following parts: + The CLNS address consists of the following parts: * :abbr:`AFI (Address family authority identifier)` - ``49`` The AFI value 49 is what IS-IS uses for private addressing. - * Area identifier: ``0001`` IS-IS area number (Area1) + * Area identifier: ``0001`` IS-IS area number (numberical area ``1``) * System identifier: ``1921.6800.1002`` - for system idetifiers we recommend - to use IP address or MAC address of the router itself. + to use IP address or MAC address of the router itself. The way to construct + this is to keep all of the zeroes of the router IP address, and then change + the periods from being every three numbers to every four numbers. The + address that is listed here is ``192.168.1.2``, which if expanded will turn + into ``192.168.001.002``. Then all one has to do is move the dots to have + four numbers instead of three. This gives us ``1921.6800.1002``. - * NET selector: ``00`` Must always be 00, to indicate "this system". + * :abbr:`NET (Network Entity Title)` selector: ``00`` Must always be 00. This + setting indicates "this system" or "local system." .. cfgcmd:: set protocols isis interface <interface> - This command activates ISIS adjacency on this interface. Note that the name - of ISIS instance must be the same as the one used to configure the ISIS - process. + This command enables IS-IS on this interface, and allows for + adjacency to occur. Note that the name of IS-IS instance must be + the same as the one used to configure the IS-IS process. + +IS-IS Global Configuration +-------------------------- .. cfgcmd:: set protocols isis dynamic-hostname - This command enables support for dynamic hostname. Dynamic hostname mapping - determined as described in :rfc:`2763`, Dynamic Hostname Exchange Mechanism - for IS-IS. + This command enables support for dynamic hostname TLV. Dynamic hostname + mapping determined as described in :rfc:`2763`, Dynamic Hostname + Exchange Mechanism for IS-IS. .. cfgcmd:: set protocols isis level <level-1|level-1-2|level-2> - This command defines the ISIS router behavior: + This command defines the IS-IS router behavior: - **level-1** Act as a station router only. - **level-1-2** Act as both a station router and an area router. - **level-2-only** Act as an area router only. + * **level-1** - Act as a station (Level 1) router only. + * **level-1-2** - Act as a station (Level 1) router and area (Level 2) router. + * **level-2-only** - Act as an area (Level 2) router only. .. cfgcmd:: set protocols isis lsp-mtu <size> - This command configures the maximum size of generated LSPs, in bytes. The - size range is 128 to 4352. + This command configures the maximum size of generated + :abbr:`LSPs (Link State PDUs)`, in bytes. The size range is 128 to 4352. .. cfgcmd:: set protocols isis metric-style <narrow|transition|wide> - This command sets old-style (ISO 10589) or new-style packet formats: + This command sets old-style (ISO 10589) or new style packet formats: - **narrow** Use old style of TLVs with narrow metric. - **transition** Send and accept both styles of TLVs during transition. - **wide** Use new style of TLVs to carry wider metric. + * **narrow** - Use old style of TLVs with narrow metric. + * **transition** - Send and accept both styles of TLVs during transition. + * **wide** - Use new style of TLVs to carry wider metric. .. cfgcmd:: set protocols isis purge-originator @@ -117,9 +137,9 @@ Interface Configuration This command specifies circuit type for interface: - * **level-1** Level-1 only adjacencies are formed. - * **level-1-2** Level-1-2 adjacencies are formed - * **level-2-only** Level-2 only adjacencies are formed + * **level-1** - Level-1 only adjacencies are formed. + * **level-1-2** - Level-1-2 adjacencies are formed + * **level-2-only** - Level-2 only adjacencies are formed .. cfgcmd:: set protocols isis interface <interface> hello-interval <seconds> @@ -261,12 +281,87 @@ Timers to IGP events. The process described in :rfc:`8405`. -******* -Example -******* +******** +Examples +******** + +Enable IS-IS +============ + +**Node 1:** + +.. code-block:: none + + set interfaces loopback lo address '192.168.255.255/32' + set interfaces ethernet eth1 address '192.0.2.1/24' + + set protocols isis interface eth1 + set protocols isis interface lo + set protocols isis net '49.0001.1921.6825.5255.00' + +**Node 2:** + +.. code-block:: none + + set interfaces ethernet eth1 address '192.0.2.2/24' + + set interfaces loopback lo address '192.168.255.254/32' + set interfaces ethernet eth1 address '192.0.2.2/24' + + set protocols isis interface eth1 + set protocols isis interface lo + set protocols isis net '49.0001.1921.6825.5254.00' + + + +This gives us the following neighborships, Level 1 and Level 2: + +.. code-block:: none + + Node-1@vyos:~$ show isis neighbor + Area VyOS: + System Id Interface L State Holdtime SNPA + vyos eth1 1 Up 28 0c87.6c09.0001 + vyos eth1 2 Up 28 0c87.6c09.0001 + + Node-2@vyos:~$ show isis neighbor + Area VyOS: + System Id Interface L State Holdtime SNPA + vyos eth1 1 Up 29 0c33.0280.0001 + vyos eth1 2 Up 28 0c33.0280.0001 + + + +Here's the IP routes that are populated. Just the loopback: + +.. code-block:: none + + Node-1@vyos:~$ show ip route isis + Codes: K - kernel route, C - connected, S - static, R - RIP, + O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP, + T - Table, v - VNC, V - VNC-Direct, A - Babel, F - PBR, + f - OpenFabric, + > - selected route, * - FIB route, q - queued, r - rejected, b - backup + t - trapped, o - offload failure + + I 192.0.2.0/24 [115/20] via 192.0.2.2, eth1 inactive, weight 1, 00:02:22 + I>* 192.168.255.254/32 [115/20] via 192.0.2.2, eth1, weight 1, 00:02:22 + + Node-2@vyos:~$ show ip route isis + Codes: K - kernel route, C - connected, S - static, R - RIP, + O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP, + T - Table, v - VNC, V - VNC-Direct, A - Babel, F - PBR, + f - OpenFabric, + > - selected route, * - FIB route, q - queued, r - rejected, b - backup + t - trapped, o - offload failure -Simple IS-IS configuration using 2 nodes and redistributing connected -interfaces. + I 192.0.2.0/24 [115/20] via 192.0.2.1, eth1 inactive, weight 1, 00:02:21 + I>* 192.168.255.255/32 [115/20] via 192.0.2.1, eth1, weight 1, 00:02:21 + + + +Enable IS-IS and redistribute routes not natively in IS-IS +========================================================== **Node 1:** @@ -293,11 +388,11 @@ interfaces. set protocols isis interface eth1 set protocols isis net '49.0001.1921.6800.2002.00' -Show ip routes on Node2: +Routes on Node 2: .. code-block:: none - vyos@r2:~$ show ip route isis + Node-2@r2:~$ show ip route isis Codes: K - kernel route, C - connected, S - static, R - RIP, O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP, T - Table, v - VNC, V - VNC-Direct, A - Babel, D - SHARP, @@ -305,3 +400,91 @@ Show ip routes on Node2: > - selected route, * - FIB route, q - queued route, r - rejected route I 203.0.113.0/24 [115/10] via 192.0.2.1, eth1, 00:03:42 + + + + +Enable IS-IS with Segment Routing (Experimental) +================================================ + +**Node 1:** + +.. code-block:: none + + set interfaces loopback lo address '192.168.255.255/32' + set interfaces ethernet eth1 address '192.0.2.1/24' + + set protocols isis interface eth1 + set protocols isis interface lo + set protocols isis net '49.0001.1921.6825.5255.00' + set protocols isis segment-routing global-block high-label-value '599' + set protocols isis segment-routing global-block low-label-value '550' + set protocols isis segment-routing prefix 192.168.255.255/32 index value '1' + set protocols isis segment-routing prefix 192.168.255.255/32 index explicit-null + set protocols mpls interface 'eth1' + +**Node 2:** + +.. code-block:: none + + set interfaces loopback lo address '192.168.255.254/32' + set interfaces ethernet eth1 address '192.0.2.2/24' + + set protocols isis interface eth1 + set protocols isis interface lo + set protocols isis net '49.0001.1921.6825.5254.00' + set protocols isis segment-routing global-block high-label-value '599' + set protocols isis segment-routing global-block low-label-value '550' + set protocols isis segment-routing prefix 192.168.255.254/32 index value '2' + set protocols isis segment-routing prefix 192.168.255.254/32 index explicit-null + set protocols mpls interface 'eth1' + + + +This gives us MPLS segment routing enabled and labels for far end loopbacks: + +.. code-block:: none + + Node-1@vyos:~$ show mpls table + Inbound Label Type Nexthop Outbound Label + ---------------------------------------------------------------------- + 552 SR (IS-IS) 192.0.2.2 IPv4 Explicit Null <-- Node-2 loopback learned on Node-1 + 15000 SR (IS-IS) 192.0.2.2 implicit-null + 15001 SR (IS-IS) fe80::e87:6cff:fe09:1 implicit-null + 15002 SR (IS-IS) 192.0.2.2 implicit-null + 15003 SR (IS-IS) fe80::e87:6cff:fe09:1 implicit-null + + Node-2@vyos:~$ show mpls table + Inbound Label Type Nexthop Outbound Label + --------------------------------------------------------------------- + 551 SR (IS-IS) 192.0.2.1 IPv4 Explicit Null <-- Node-1 loopback learned on Node-2 + 15000 SR (IS-IS) 192.0.2.1 implicit-null + 15001 SR (IS-IS) fe80::e33:2ff:fe80:1 implicit-null + 15002 SR (IS-IS) 192.0.2.1 implicit-null + 15003 SR (IS-IS) fe80::e33:2ff:fe80:1 implicit-null + +Here is the routing tables showing the MPLS segment routing label operations: + +.. code-block:: none + + Node-1@vyos:~$ show ip route isis + Codes: K - kernel route, C - connected, S - static, R - RIP, + O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP, + T - Table, v - VNC, V - VNC-Direct, A - Babel, F - PBR, + f - OpenFabric, + > - selected route, * - FIB route, q - queued, r - rejected, b - backup + t - trapped, o - offload failure + + I 192.0.2.0/24 [115/20] via 192.0.2.2, eth1 inactive, weight 1, 00:07:48 + I>* 192.168.255.254/32 [115/20] via 192.0.2.2, eth1, label IPv4 Explicit Null, weight 1, 00:03:39 + + Node-2@vyos:~$ show ip route isis + Codes: K - kernel route, C - connected, S - static, R - RIP, + O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP, + T - Table, v - VNC, V - VNC-Direct, A - Babel, F - PBR, + f - OpenFabric, + > - selected route, * - FIB route, q - queued, r - rejected, b - backup + t - trapped, o - offload failure + + I 192.0.2.0/24 [115/20] via 192.0.2.1, eth1 inactive, weight 1, 00:07:46 + I>* 192.168.255.255/32 [115/20] via 192.0.2.1, eth1, label IPv4 Explicit Null, weight 1, 00:03:43 diff --git a/docs/configuration/vpn/ipsec.rst b/docs/configuration/vpn/ipsec.rst index d1ea7bbc..4721cbcd 100644 --- a/docs/configuration/vpn/ipsec.rst +++ b/docs/configuration/vpn/ipsec.rst @@ -166,7 +166,7 @@ VyOS ESP group has the next options: *********************************************** Options (Global IPsec settings) Attributes *********************************************** -* ``options`` IPsec settings: +* ``options`` * ``disable-route-autoinstall`` Do not automatically install routes to remote networks; @@ -210,16 +210,18 @@ On the LEFT: set vpn ipsec esp-group MyESPGroup proposal 1 hash 'sha1' # IPsec tunnel - set vpn ipsec site-to-site peer 203.0.113.45 authentication mode pre-shared-secret - set vpn ipsec site-to-site peer 203.0.113.45 authentication pre-shared-secret MYSECRETKEY + set vpn ipsec site-to-site peer right authentication mode pre-shared-secret + set vpn ipsec site-to-site peer right authentication pre-shared-secret MYSECRETKEY + set vpn ipsec site-to-site peer right authentication remote-id 203.0.113.45 - set vpn ipsec site-to-site peer 203.0.113.45 ike-group MyIKEGroup - set vpn ipsec site-to-site peer 203.0.113.45 default-esp-group MyESPGroup + set vpn ipsec site-to-site peer right ike-group MyIKEGroup + set vpn ipsec site-to-site peer right default-esp-group MyESPGroup - set vpn ipsec site-to-site peer 203.0.113.45 local-address 192.0.2.10 + set vpn ipsec site-to-site peer right local-address 192.0.2.10 + set vpn ipsec site-to-site peer right remote-address 203.0.113.45 # This will match all GRE traffic to the peer - set vpn ipsec site-to-site peer 203.0.113.45 tunnel 1 protocol gre + set vpn ipsec site-to-site peer right tunnel 1 protocol gre On the RIGHT, setup by analogy and swap local and remote addresses. @@ -235,6 +237,8 @@ an IPsec policy to match those loopback addresses. We assume that the LEFT router has static 192.0.2.10 address on eth0, and the RIGHT router has a dynamic address on eth0. +The peer names RIGHT and LEFT are used as informational text. + **Setting up the GRE tunnel** On the LEFT: @@ -325,17 +329,17 @@ On the LEFT (static address): set vpn ipsec ike-group MyIKEGroup proposal 1 encryption aes128 set vpn ipsec ike-group MyIKEGroup proposal 1 hash sha1 - set vpn ipsec site-to-site peer @RIGHT authentication id LEFT - set vpn ipsec site-to-site peer @RIGHT authentication mode rsa - set vpn ipsec site-to-site peer @RIGHT authentication rsa local-key ipsec-LEFT - set vpn ipsec site-to-site peer @RIGHT authentication rsa remote-key ipsec-RIGHT - set vpn ipsec site-to-site peer @RIGHT authentication remote-id RIGHT - set vpn ipsec site-to-site peer @RIGHT default-esp-group MyESPGroup - set vpn ipsec site-to-site peer @RIGHT ike-group MyIKEGroup - set vpn ipsec site-to-site peer @RIGHT local-address 192.0.2.10 - set vpn ipsec site-to-site peer @RIGHT connection-type respond - set vpn ipsec site-to-site peer @RIGHT tunnel 1 local prefix 192.168.99.1/32 # Additional loopback address on the local - set vpn ipsec site-to-site peer @RIGHT tunnel 1 remote prefix 192.168.99.2/32 # Additional loopback address on the remote + set vpn ipsec site-to-site peer RIGHT authentication local-id LEFT + set vpn ipsec site-to-site peer RIGHT authentication mode rsa + set vpn ipsec site-to-site peer RIGHT authentication rsa local-key ipsec-LEFT + set vpn ipsec site-to-site peer RIGHT authentication rsa remote-key ipsec-RIGHT + set vpn ipsec site-to-site peer RIGHT authentication remote-id RIGHT + set vpn ipsec site-to-site peer RIGHT default-esp-group MyESPGroup + set vpn ipsec site-to-site peer RIGHT ike-group MyIKEGroup + set vpn ipsec site-to-site peer RIGHT local-address 192.0.2.10 + set vpn ipsec site-to-site peer RIGHT connection-type respond + set vpn ipsec site-to-site peer RIGHT tunnel 1 local prefix 192.168.99.1/32 # Additional loopback address on the local + set vpn ipsec site-to-site peer RIGHT tunnel 1 remote prefix 192.168.99.2/32 # Additional loopback address on the remote On the RIGHT (dynamic address): @@ -350,14 +354,15 @@ On the RIGHT (dynamic address): set vpn ipsec ike-group MyIKEGroup proposal 1 encryption aes128 set vpn ipsec ike-group MyIKEGroup proposal 1 hash sha1 - set vpn ipsec site-to-site peer 192.0.2.10 authentication id RIGHT - set vpn ipsec site-to-site peer 192.0.2.10 authentication mode rsa - set vpn ipsec site-to-site peer 192.0.2.10 authentication rsa local-key ipsec-RIGHT - set vpn ipsec site-to-site peer 192.0.2.10 authentication rsa remote-key ipsec-LEFT - set vpn ipsec site-to-site peer 192.0.2.10 authentication remote-id LEFT - set vpn ipsec site-to-site peer 192.0.2.10 connection-type initiate - set vpn ipsec site-to-site peer 192.0.2.10 default-esp-group MyESPGroup - set vpn ipsec site-to-site peer 192.0.2.10 ike-group MyIKEGroup - set vpn ipsec site-to-site peer 192.0.2.10 local-address any - set vpn ipsec site-to-site peer 192.0.2.10 tunnel 1 local prefix 192.168.99.2/32 # Additional loopback address on the local - set vpn ipsec site-to-site peer 192.0.2.10 tunnel 1 remote prefix 192.168.99.1/32 # Additional loopback address on the remote + set vpn ipsec site-to-site peer LEFT authentication local-id RIGHT + set vpn ipsec site-to-site peer LEFT authentication mode rsa + set vpn ipsec site-to-site peer LEFT authentication rsa local-key ipsec-RIGHT + set vpn ipsec site-to-site peer LEFT authentication rsa remote-key ipsec-LEFT + set vpn ipsec site-to-site peer LEFT authentication remote-id LEFT + set vpn ipsec site-to-site peer LEFT connection-type initiate + set vpn ipsec site-to-site peer LEFT default-esp-group MyESPGroup + set vpn ipsec site-to-site peer LEFT ike-group MyIKEGroup + set vpn ipsec site-to-site peer LEFT local-address any + set vpn ipsec site-to-site peer LEFT remote-address 192.0.2.10 + set vpn ipsec site-to-site peer LEFT tunnel 1 local prefix 192.168.99.2/32 # Additional loopback address on the local + set vpn ipsec site-to-site peer LEFT tunnel 1 remote prefix 192.168.99.1/32 # Additional loopback address on the remote diff --git a/docs/configuration/vpn/site2site_ipsec.rst b/docs/configuration/vpn/site2site_ipsec.rst index e72dbdd4..482c7130 100644 --- a/docs/configuration/vpn/site2site_ipsec.rst +++ b/docs/configuration/vpn/site2site_ipsec.rst @@ -8,19 +8,10 @@ to exchange encrypted information between them and VyOS itself or connected/routed networks. To configure site-to-site connection you need to add peers with the -``set vpn ipsec site-to-site`` command. +``set vpn ipsec site-to-site peer <name>`` command. -You can identify a remote peer with: - -* IPv4 or IPv6 address. This mode is easiest for configuration and mostly used - when a peer has a public static IP address; -* Hostname. This mode is similar to IP address, only you define DNS name instead - of an IP. Could be used when a peer has a public IP address and DNS name, but - an IP address could be changed from time to time; -* Remote ID of the peer. In this mode, there is no predefined remote address - nor DNS name of the peer. This mode is useful when a peer doesn't have a - publicly available IP address (NAT between it and VyOS), or IP address could - be changed. +The peer name must be an alphanumeric and can have hypen or underscore as +special characters. It is purely informational. Each site-to-site peer has the next options: @@ -111,6 +102,11 @@ Each site-to-site peer has the next options: If defined ``any``, then an IP address which configured on interface with default route will be used; +* ``remote-address`` - remote IP address or hostname for IPSec connection. + IPv4 or IPv6 address is used when a peer has a public static IP address. + Hostname is a DNS name which could be used when a peer has a public IP + address and DNS name, but an IP address could be changed from time to time. + * ``tunnel`` - define criteria for traffic to be matched for encrypting and send it to a peer: diff --git a/docs/contributing/build-vyos.rst b/docs/contributing/build-vyos.rst index c2350ba1..afb1c27c 100644 --- a/docs/contributing/build-vyos.rst +++ b/docs/contributing/build-vyos.rst @@ -59,10 +59,10 @@ yourusername``. Build Container --------------- -The container can be built by hand or by fetching the pre-built one from -DockerHub. Using the pre-built containers from the `VyOS DockerHub -organisation`_ will ensure that the container is always up-to-date. A rebuild -is triggered once the container changes (please note this will take 2-3 hours +The container can be built by hand or by fetching the pre-built one from +DockerHub. Using the pre-built containers from the `VyOS DockerHub +organisation`_ will ensure that the container is always up-to-date. A rebuild +is triggered once the container changes (please note this will take 2-3 hours after pushing to the vyos-build repository). .. note: If you are using the pre-built container, it will be automatically @@ -132,9 +132,10 @@ your development containers in your current working directory. .. note:: Some VyOS packages (namely vyos-1x) come with build-time tests which verify some of the internal library calls that they work as expected. Those tests are carried out through the Python Unittest module. If you want to - build the ``vyos-1x`` package (which is our main development package) you need - to start your Docker container using the following argument: - ``--sysctl net.ipv6.conf.lo.disable_ipv6=0``, otherwise those tests will fail. + build the ``vyos-1x`` package (which is our main development package) you + need to start your Docker container using the following argument: + ``--sysctl net.ipv6.conf.lo.disable_ipv6=0``, otherwise those tests will + fail. .. _build_native: @@ -158,7 +159,7 @@ To start, clone the repository to your local machine: $ git clone -b current --single-branch https://github.com/vyos/vyos-build For the packages required, you can refer to the ``docker/Dockerfile`` file -in the repository_. The ``./configure`` script will also warn you if any +in the repository_. The ``./build-vyos-image`` script will also warn you if any dependencies are missing. Once you have the required dependencies installed, you may proceed with the @@ -214,8 +215,8 @@ Start the build: .. code-block:: none - vyos_bld@d4220bb519a0:/vyos# ./configure --architecture amd64 --build-by "j.randomhacker@vyos.io" - vyos_bld@d4220bb519a0:/vyos# sudo make iso + vyos_bld@8153428c7e1f:/vyos$ sudo make clean + vyos_bld@8153428c7e1f:/vyos$ sudo ./build-vyos-image iso --architecture amd64 --build-by "j.randomhacker@vyos.io" When the build is successful, the resulting iso can be found inside the ``build`` directory as ``live-image-[architecture].hybrid.iso``. @@ -234,46 +235,52 @@ Customize ========= This ISO can be customized with the following list of configure options. -The full and current list can be generated with ``./configure --help``: +The full and current list can be generated with ``./build-vyos-image --help``: .. code-block:: none - $ ./configure --help - usage: configure [-h] [--architecture ARCHITECTURE] [--build-by BUILD_BY] - [--debian-mirror DEBIAN_MIRROR] - [--debian-security-mirror DEBIAN_SECURITY_MIRROR] - [--pbuilder-debian-mirror PBUILDER_DEBIAN_MIRROR] - [--vyos-mirror VYOS_MIRROR] [--build-type BUILD_TYPE] - [--version VERSION] [--build-comment BUILD_COMMENT] [--debug] - [--custom-apt-entry CUSTOM_APT_ENTRY] - [--custom-apt-key CUSTOM_APT_KEY] - [--custom-package CUSTOM_PACKAGE] + $ vyos_bld@8153428c7e1f:/vyos$ sudo ./build-vyos-image --help + I: Checking if packages required for VyOS image build are installed + usage: build-vyos-image [-h] [--architecture ARCHITECTURE] + [--build-by BUILD_BY] [--debian-mirror DEBIAN_MIRROR] + [--debian-security-mirror DEBIAN_SECURITY_MIRROR] + [--pbuilder-debian-mirror PBUILDER_DEBIAN_MIRROR] + [--vyos-mirror VYOS_MIRROR] [--build-type BUILD_TYPE] + [--version VERSION] [--build-comment BUILD_COMMENT] [--debug] [--dry-run] + [--custom-apt-entry CUSTOM_APT_ENTRY] [--custom-apt-key CUSTOM_APT_KEY] + [--custom-package CUSTOM_PACKAGE] + [build_flavor] - optional arguments: + positional arguments: + build_flavor Build flavor + + optional arguments: -h, --help show this help message and exit --architecture ARCHITECTURE - Image target architecture (amd64 or i386 or armhf) + Image target architecture (amd64 or arm64) --build-by BUILD_BY Builder identifier (e.g. jrandomhacker@example.net) --debian-mirror DEBIAN_MIRROR - Debian repository mirror for ISO build + Debian repository mirror --debian-security-mirror DEBIAN_SECURITY_MIRROR - Debian security updates mirror + Debian security updates mirror --pbuilder-debian-mirror PBUILDER_DEBIAN_MIRROR - Debian repository mirror for pbuilder env bootstrap + Debian repository mirror for pbuilder env bootstrap --vyos-mirror VYOS_MIRROR - VyOS package mirror + VyOS package mirror --build-type BUILD_TYPE - Build type, release or development + Build type, release or development --version VERSION Version number (release builds only) --build-comment BUILD_COMMENT - Optional build comment + Optional build comment --debug Enable debug output + --dry-run Check build configuration and exit --custom-apt-entry CUSTOM_APT_ENTRY - Custom APT entry + Custom APT entry --custom-apt-key CUSTOM_APT_KEY - Custom APT key file + Custom APT key file --custom-package CUSTOM_PACKAGE - Custom package to install from repositories + Custom package to install from repositories + .. _iso_build_issues: @@ -304,7 +311,7 @@ more or less similar looking error message: (10:13) vyos_bld ece068908a5b:/vyos [current] # To debug the build process and gain additional information of what could be the -root cause, you need to use `chroot` to change into the build directry. This is +root cause, you need to use `chroot` to change into the build directry. This is explained in the following step by step procedure: .. code-block:: none |