summaryrefslogtreecommitdiff
path: root/docs/appendix/examples
diff options
context:
space:
mode:
Diffstat (limited to 'docs/appendix/examples')
-rw-r--r--docs/appendix/examples/azure-vpn-bgp.rst128
-rw-r--r--docs/appendix/examples/azure-vpn-dual-bgp.rst155
-rw-r--r--docs/appendix/examples/index.rst2
-rw-r--r--docs/appendix/examples/tunnelbroker-ipv6.rst151
4 files changed, 436 insertions, 0 deletions
diff --git a/docs/appendix/examples/azure-vpn-bgp.rst b/docs/appendix/examples/azure-vpn-bgp.rst
new file mode 100644
index 00000000..818817ae
--- /dev/null
+++ b/docs/appendix/examples/azure-vpn-bgp.rst
@@ -0,0 +1,128 @@
+.. _examples-azure-vpn-bgp:
+
+Route-Based Site-to-Site VPN to Azure (BGP over IKEv2/IPsec)
+------------------------------------------------------------
+
+This guide shows an example of a route-based IKEv2 site-to-site VPN to
+Azure using VTI and BGP for dynamic routing updates.
+
+Prerequisites
+^^^^^^^^^^^^^
+
+- A pair of Azure VNet Gateways deployed in active-passive
+ configuration with BGP enabled.
+
+- A local network gateway deployed in Azure representing
+ the Vyos device, matching the below Vyos settings except for
+ address space, which only requires the Vyos private IP, in
+ this example 10.10.0.5/32
+
+- A connection resource deployed in Azure linking the
+ Azure VNet gateway and the local network gateway representing
+ the Vyos device.
+
+Example
+^^^^^^^
+
++---------------------------------------+---------------------+
+| WAN Interface | eth0 |
++---------------------------------------+---------------------+
+| On-premises address space | 10.10.0.0/16 |
++---------------------------------------+---------------------+
+| Azure address space | 10.0.0.0/16 |
++---------------------------------------+---------------------+
+| Vyos public IP | 198.51.100.3 |
++---------------------------------------+---------------------+
+| Vyos private IP | 10.10.0.5 |
++---------------------------------------+---------------------+
+| Azure VNet Gateway public IP | 203.0.113.2 |
++---------------------------------------+---------------------+
+| Azure VNet Gateway BGP IP | 10.0.0.4 |
++---------------------------------------+---------------------+
+| Pre-shared key | ch00s3-4-s3cur3-psk |
++---------------------------------------+---------------------+
+| Vyos ASN | 64499 |
++---------------------------------------+---------------------+
+| Azure ASN | 65540 |
++---------------------------------------+---------------------+
+
+Vyos configuration
+^^^^^^^^^^^^^^^^^^
+
+- Configure the IKE and ESP settings to match a subset
+ of those supported by Azure:
+
+.. code-block:: sh
+
+ set vpn ipsec esp-group AZURE compression 'disable'
+ set vpn ipsec esp-group AZURE lifetime '3600'
+ set vpn ipsec esp-group AZURE mode 'tunnel'
+ set vpn ipsec esp-group AZURE pfs 'dh-group2'
+ set vpn ipsec esp-group AZURE proposal 1 encryption 'aes256'
+ set vpn ipsec esp-group AZURE proposal 1 hash 'sha1'
+
+ set vpn ipsec ike-group AZURE dead-peer-detection action 'restart'
+ set vpn ipsec ike-group AZURE dead-peer-detection interval '15'
+ set vpn ipsec ike-group AZURE dead-peer-detection timeout '30'
+ set vpn ipsec ike-group AZURE ikev2-reauth 'yes'
+ set vpn ipsec ike-group AZURE key-exchange 'ikev2'
+ set vpn ipsec ike-group AZURE lifetime '28800'
+ set vpn ipsec ike-group AZURE proposal 1 dh-group '2'
+ set vpn ipsec ike-group AZURE proposal 1 encryption 'aes256'
+ set vpn ipsec ike-group AZURE proposal 1 hash 'sha1'
+
+- Enable IPsec on eth0
+
+.. code-block:: sh
+
+ set vpn ipsec ipsec-interfaces interface 'eth0'
+
+- Configure a VTI with a dummy IP address
+
+.. code-block:: sh
+
+ set interfaces vti vti1 address '10.10.1.5/32'
+ set interfaces vti vti1 description 'Azure Tunnel'
+
+- Clamp the VTI's MSS to 1350 to avoid PMTU blackholes.
+
+.. code-block:: sh
+
+ set firewall options interface vti1 adjust-mss 1350
+
+- Configure the VPN tunnel
+
+.. code-block:: sh
+
+ set vpn ipsec site-to-site peer 203.0.113.2 authentication id '198.51.100.3'
+ set vpn ipsec site-to-site peer 203.0.113.2 authentication mode 'pre-shared-secret'
+ set vpn ipsec site-to-site peer 203.0.113.2 authentication pre-shared-secret 'ch00s3-4-s3cur3-psk'
+ set vpn ipsec site-to-site peer 203.0.113.2 authentication remote-id '203.0.113.2'
+ set vpn ipsec site-to-site peer 203.0.113.2 connection-type 'respond'
+ set vpn ipsec site-to-site peer 203.0.113.2 description 'AZURE PRIMARY TUNNEL'
+ set vpn ipsec site-to-site peer 203.0.113.2 ike-group 'AZURE'
+ set vpn ipsec site-to-site peer 203.0.113.2 ikev2-reauth 'inherit'
+ set vpn ipsec site-to-site peer 203.0.113.2 local-address '10.10.0.5'
+ set vpn ipsec site-to-site peer 203.0.113.2 vti bind 'vti1'
+ set vpn ipsec site-to-site peer 203.0.113.2 vti esp-group 'AZURE'
+
+- **Important**: Add an interface route to reach Azure's BGP listener
+
+.. code-block:: sh
+
+ set protocols static interface-route 10.0.0.4/32 next-hop-interface vti1
+
+- Configure your BGP settings
+
+.. code-block:: sh
+
+ set protocols bgp 64499 neighbor 10.0.0.4 remote-as '65540'
+ set protocols bgp 64499 neighbor 10.0.0.4 address-family ipv4-unicast soft-reconfiguration 'inbound'
+ set protocols bgp 64499 neighbor 10.0.0.4 timers holdtime '30'
+ set protocols bgp 64499 neighbor 10.0.0.4 timers keepalive '10'
+
+- **Important**: Disable connected check \
+
+.. code-block:: sh
+
+ set protocols bgp 64499 neighbor 10.0.0.4 disable-connected-check
diff --git a/docs/appendix/examples/azure-vpn-dual-bgp.rst b/docs/appendix/examples/azure-vpn-dual-bgp.rst
new file mode 100644
index 00000000..4cbcde3b
--- /dev/null
+++ b/docs/appendix/examples/azure-vpn-dual-bgp.rst
@@ -0,0 +1,155 @@
+.. _examples-azure-vpn-dual-bgp:
+
+Route-Based Redundant Site-to-Site VPN to Azure (BGP over IKEv2/IPsec)
+----------------------------------------------------------------------
+
+This guide shows an example of a redundant (active-active) route-based IKEv2
+site-to-site VPN to Azure using VTI
+and BGP for dynamic routing updates.
+
+Prerequisites
+^^^^^^^^^^^^^
+
+- A pair of Azure VNet Gateways deployed in active-passive
+ configuration with BGP enabled.
+
+- A local network gateway deployed in Azure representing
+ the Vyos device, matching the below Vyos settings except for
+ address space, which only requires the Vyos private IP, in
+ this example 10.10.0.5/32
+
+- A connection resource deployed in Azure linking the
+ Azure VNet gateway and the local network gateway representing
+ the Vyos device.
+
+Example
+^^^^^^^
+
++---------------------------------------+---------------------+
+| WAN Interface | eth0 |
++---------------------------------------+---------------------+
+| On-premises address space | 10.10.0.0/16 |
++---------------------------------------+---------------------+
+| Azure address space | 10.0.0.0/16 |
++---------------------------------------+---------------------+
+| Vyos public IP | 198.51.100.3 |
++---------------------------------------+---------------------+
+| Vyos private IP | 10.10.0.5 |
++---------------------------------------+---------------------+
+| Azure VNet Gateway 1 public IP | 203.0.113.2 |
++---------------------------------------+---------------------+
+| Azure VNet Gateway 2 public IP | 203.0.113.3 |
++---------------------------------------+---------------------+
+| Azure VNet Gateway BGP IP | 10.0.0.4,10.0.0.5 |
++---------------------------------------+---------------------+
+| Pre-shared key | ch00s3-4-s3cur3-psk |
++---------------------------------------+---------------------+
+| Vyos ASN | 64499 |
++---------------------------------------+---------------------+
+| Azure ASN | 65540 |
++---------------------------------------+---------------------+
+
+Vyos configuration
+^^^^^^^^^^^^^^^^^^
+
+- Configure the IKE and ESP settings to match a subset
+ of those supported by Azure:
+
+.. code-block:: sh
+
+ set vpn ipsec esp-group AZURE compression 'disable'
+ set vpn ipsec esp-group AZURE lifetime '3600'
+ set vpn ipsec esp-group AZURE mode 'tunnel'
+ set vpn ipsec esp-group AZURE pfs 'dh-group2'
+ set vpn ipsec esp-group AZURE proposal 1 encryption 'aes256'
+ set vpn ipsec esp-group AZURE proposal 1 hash 'sha1'
+
+ set vpn ipsec ike-group AZURE dead-peer-detection action 'restart'
+ set vpn ipsec ike-group AZURE dead-peer-detection interval '15'
+ set vpn ipsec ike-group AZURE dead-peer-detection timeout '30'
+ set vpn ipsec ike-group AZURE ikev2-reauth 'yes'
+ set vpn ipsec ike-group AZURE key-exchange 'ikev2'
+ set vpn ipsec ike-group AZURE lifetime '28800'
+ set vpn ipsec ike-group AZURE proposal 1 dh-group '2'
+ set vpn ipsec ike-group AZURE proposal 1 encryption 'aes256'
+ set vpn ipsec ike-group AZURE proposal 1 hash 'sha1'
+
+- Enable IPsec on eth0
+
+.. code-block:: sh
+
+ set vpn ipsec ipsec-interfaces interface 'eth0'
+
+- Configure two VTIs with a dummy IP address each
+
+.. code-block:: sh
+
+ set interfaces vti vti1 address '10.10.1.5/32'
+ set interfaces vti vti1 description 'Azure Primary Tunnel'
+
+ set interfaces vti vti2 address '10.10.1.6/32'
+ set interfaces vti vti2 description 'Azure Secondary Tunnel'
+
+- Clamp the VTI's MSS to 1350 to avoid PMTU blackholes.
+
+.. code-block:: sh
+
+ set firewall options interface vti1 adjust-mss 1350
+ set firewall options interface vti2 adjust-mss 1350
+
+- Configure the VPN tunnels
+
+.. code-block:: sh
+
+ set vpn ipsec site-to-site peer 203.0.113.2 authentication id '198.51.100.3'
+ set vpn ipsec site-to-site peer 203.0.113.2 authentication mode 'pre-shared-secret'
+ set vpn ipsec site-to-site peer 203.0.113.2 authentication pre-shared-secret 'ch00s3-4-s3cur3-psk'
+ set vpn ipsec site-to-site peer 203.0.113.2 authentication remote-id '203.0.113.2'
+ set vpn ipsec site-to-site peer 203.0.113.2 connection-type 'respond'
+ set vpn ipsec site-to-site peer 203.0.113.2 description 'AZURE PRIMARY TUNNEL'
+ set vpn ipsec site-to-site peer 203.0.113.2 ike-group 'AZURE'
+ set vpn ipsec site-to-site peer 203.0.113.2 ikev2-reauth 'inherit'
+ set vpn ipsec site-to-site peer 203.0.113.2 local-address '10.10.0.5'
+ set vpn ipsec site-to-site peer 203.0.113.2 vti bind 'vti1'
+ set vpn ipsec site-to-site peer 203.0.113.2 vti esp-group 'AZURE'
+
+ set vpn ipsec site-to-site peer 203.0.113.3 authentication id '198.51.100.3'
+ set vpn ipsec site-to-site peer 203.0.113.3 authentication mode 'pre-shared-secret'
+ set vpn ipsec site-to-site peer 203.0.113.3 authentication pre-shared-secret 'ch00s3-4-s3cur3-psk'
+ set vpn ipsec site-to-site peer 203.0.113.3 authentication remote-id '203.0.113.3'
+ set vpn ipsec site-to-site peer 203.0.113.3 connection-type 'respond'
+ set vpn ipsec site-to-site peer 203.0.113.3 description 'AZURE SECONDARY TUNNEL'
+ set vpn ipsec site-to-site peer 203.0.113.3 ike-group 'AZURE'
+ set vpn ipsec site-to-site peer 203.0.113.3 ikev2-reauth 'inherit'
+ set vpn ipsec site-to-site peer 203.0.113.3 local-address '10.10.0.5'
+ set vpn ipsec site-to-site peer 203.0.113.3 vti bind 'vti2'
+ set vpn ipsec site-to-site peer 203.0.113.3 vti esp-group 'AZURE'
+
+- **Important**: Add an interface route to reach both Azure's BGP listeners
+
+.. code-block:: sh
+
+ set protocols static interface-route 10.0.0.4/32 next-hop-interface vti1
+ set protocols static interface-route 10.0.0.5/32 next-hop-interface vti2
+
+- Configure your BGP settings
+
+.. code-block:: sh
+
+ set protocols bgp 64499 neighbor 10.0.0.4 remote-as '65540'
+ set protocols bgp 64499 neighbor 10.0.0.4 address-family ipv4-unicast soft-reconfiguration 'inbound'
+ set protocols bgp 64499 neighbor 10.0.0.4 timers holdtime '30'
+ set protocols bgp 64499 neighbor 10.0.0.4 timers keepalive '10'
+
+ set protocols bgp 64499 neighbor 10.0.0.5 remote-as '65540'
+ set protocols bgp 64499 neighbor 10.0.0.5 address-family ipv4-unicast soft-reconfiguration 'inbound'
+ set protocols bgp 64499 neighbor 10.0.0.5 timers holdtime '30'
+ set protocols bgp 64499 neighbor 10.0.0.5 timers keepalive '10'
+
+- **Important**: Disable connected check, otherwise the routes learned
+ from Azure will not be imported into the routing table.
+
+.. code-block:: sh
+
+ set protocols bgp 64499 neighbor 10.0.0.4 disable-connected-check
+ set protocols bgp 64499 neighbor 10.0.0.5 disable-connected-check
diff --git a/docs/appendix/examples/index.rst b/docs/appendix/examples/index.rst
index a77ee380..f9689851 100644
--- a/docs/appendix/examples/index.rst
+++ b/docs/appendix/examples/index.rst
@@ -13,3 +13,5 @@ This chapter contains various configuration Examples
zone-policy
bgp-ipv6-unnumbered
ospf-unnumbered
+ azure-vpn-bgp
+ azure-vpn-dual-bgp
diff --git a/docs/appendix/examples/tunnelbroker-ipv6.rst b/docs/appendix/examples/tunnelbroker-ipv6.rst
new file mode 100644
index 00000000..e05d77a5
--- /dev/null
+++ b/docs/appendix/examples/tunnelbroker-ipv6.rst
@@ -0,0 +1,151 @@
+.. _examples-tunnelbroker-ipv6:
+
+VyOS Tunnelbroker.net IPv6
+--------------------------
+
+This guides walks through the setup of `Tunnelbroker.net <https://www.tunnelbroker.net/>`_ for an IPv6 Tunnel.
+
+Prerequisites
+^^^^^^^^^^^^^
+
+- A public IP address. This does not necessarily need to be static, but you will need to update the tunnel endpoint when/if your IP address changes, which can be done with a script and a scheduled task.
+- An account at `Tunnelbroker.net <https://www.tunnelbroker.net/>`_.
+- Requested a "Regular Tunnel". You want to choose a location that is closest to your physical location for the best response time.
+
+Setting up the initial tunnel
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+- Set up the initial IPv6 tunnel. Replace the field below from the fields on the `Tunnelbroker.net <https://www.tunnelbroker.net/>`_ tunnel information page.
+
+.. code-block:: sh
+
+ conf
+ set interfaces tunnel tun0 address Client_IPv6_from_Tunnelbroker # This will be your VyOS install's public IPv6 address
+ set interfaces tunnel tun0 description 'HE.NET IPv6 Tunnel'
+ set interfaces tunnel tun0 encapsulation 'sit'
+ set interfaces tunnel tun0 local-ip Client_IPv4_from_Tunnelbroker # This is your public IP
+ set interfaces tunnel tun0 mtu '1472'
+ set interfaces tunnel tun0 multicast 'disable'
+ set interfaces tunnel tun0 remote-ip Server_IPv4_from_Tunnelbroker # This is the IP of the Tunnelbroker server
+ set protocols static interface-route6 ::/0 next-hop-interface tun0 # Tell all traffic to go over this tunnel
+ commit
+
+- If your WAN connection is over PPPoE, you may need to set the MTU on the above tunnel lower than 1472.
+
+- At this point you should be able to ping an IPv6 address. Try pinging Google:
+
+.. code-block:: sh
+
+ ping6 -c2 2001:4860:4860::8888
+
+ 64 bytes from 2001:4860:4860::8888: icmp_seq=1 ttl=57 time=21.7 ms
+ 64 bytes from 2001:4860:4860::8888: icmp_seq=2 ttl=57 time=21.1 ms
+
+ --- 2001:4860:4860::8888 ping statistics ---
+ 2 packets transmitted, 2 received, 0% packet loss, time 1001ms
+ rtt min/avg/max/mdev = 21.193/21.459/21.726/0.304 ms
+
+- Assuming the pings are successful, you need to add some DNS servers. Some options:
+
+.. code-block:: sh
+
+ set system name-server 2001:4860:4860::8888 # Google
+ set system name-server 2001:4860:4860::8844 # Google
+ set system name-server 2606:4700:4700::1111 # Cloudflare
+ set system name-server 2606:4700:4700::1001 # Cloudflare
+ commit
+
+- You should now be able to ping something by IPv6 DNS name:
+
+.. code-block:: sh
+
+ # ping6 -c2 one.one.one.one
+ PING one.one.one.one(one.one.one.one) 56 data bytes
+ 64 bytes from one.one.one.one: icmp_seq=1 ttl=58 time=16.8 ms
+ 64 bytes from one.one.one.one: icmp_seq=2 ttl=58 time=17.4 ms
+
+ --- one.one.one.one ping statistics ---
+ 2 packets transmitted, 2 received, 0% packet loss, time 1001ms
+ rtt min/avg/max/mdev = 16.880/17.153/17.426/0.273 ms
+
+- Assuming everything works, you can proceed to client configuration
+
+LAN Configuration
+^^^^^^^^^^^^^^^^^
+
+At this point your VyOS install should have full IPv6, but now your LAN devices need access.
+
+With Tunnelbroker.net, you have two options:
+
+- Routed /64. This is the default assignment. In IPv6-land, it's good for a single "LAN", and is somewhat equivalent to a /24. Example: `2001:470:xxxx:xxxx::/64`
+- Routed /48. This is something you can request by clicking the "Assign /48" link in the Tunnelbroker.net tunnel config. It allows you to have up to 65k LANs. Example: `2001:470:xxxx::/48`
+
+Unlike IPv4, IPv6 is really not designed to be broken up smaller than /64. So if you ever want to have multiple LANs, VLANs, DMZ, etc, you'll want to ignore the assigned /64, and request the /48 and use that.
+
+Single LAN Setup
+^^^^^^^^^^^^^^^^
+
+Single LAN setup where eth1 is your LAN interface. Use the /64 (all the xxxx should be replaced with the information from your `Routed /64` tunnel):
+
+.. code-block:: sh
+
+ set interfaces ethernet eth1 address '2001:470:xxxx:xxxx::1/64'
+ set interfaces ethernet eth1 ipv6 router-advert name-server '2001:4860:4860::8888'
+ set interfaces ethernet eth1 ipv6 router-advert name-server '2001:4860:4860::8844'
+ set interfaces ethernet eth1 ipv6 router-advert prefix 2001:470:xxxx:xxxx::/64 autonomous-flag 'true'
+ set interfaces ethernet eth1 ipv6 router-advert prefix 2001:470:xxxx:xxxx::/64 on-link-flag 'true'
+ set interfaces ethernet eth1 ipv6 router-advert prefix 2001:470:xxxx:xxxx::/64 valid-lifetime '2592000'
+
+
+- This accomplishes a few things:
+
+ - Sets your LAN interface's IP address
+ - Enables router advertisements. This is an IPv6 alternative for DHCP (though DHCPv6 can still be used). With RAs, Your devices will automatically find the information they need for routing and DNS.
+
+Multiple LAN/DMZ Setup
+^^^^^^^^^^^^^^^^^^^^^^
+
+In this, you use the `Routed /48` information. This allows you to assign a different /64 to every interface, LAN, or even device. Or you could break your network into smaller chunks like /56 or /60.
+
+The format of these addresses:
+
+- `2001:470:xxxx::/48`: The whole subnet. xxxx should come from Tunnelbroker.
+- `2001:470:xxxx:1::/64`: A subnet suitable for a LAN
+- `2001:470:xxxx:2::/64`: Another subnet
+- `2001:470:xxxx:ffff:/64`: The last usable /64 subnet.
+
+In the above examples, 1,2,ffff are all chosen by you. You can use 1-ffff (1-65535).
+
+So, when your LAN is eth1, your DMZ is eth2, your cameras live on eth3, etc:
+
+.. code-block:: sh
+
+ set interfaces ethernet eth1 address '2001:470:xxxx:1::1/64'
+ set interfaces ethernet eth1 ipv6 router-advert name-server '2001:4860:4860::8888'
+ set interfaces ethernet eth1 ipv6 router-advert name-server '2001:4860:4860::8844'
+ set interfaces ethernet eth1 ipv6 router-advert prefix 2001:470:xxxx:1::/64 autonomous-flag 'true'
+ set interfaces ethernet eth1 ipv6 router-advert prefix 2001:470:xxxx:1::/64 on-link-flag 'true'
+ set interfaces ethernet eth1 ipv6 router-advert prefix 2001:470:xxxx:1::/64 valid-lifetime '2592000'
+
+ set interfaces ethernet eth2 address '2001:470:xxxx:2::1/64'
+ set interfaces ethernet eth2 ipv6 router-advert name-server '2001:4860:4860::8888'
+ set interfaces ethernet eth2 ipv6 router-advert name-server '2001:4860:4860::8844'
+ set interfaces ethernet eth2 ipv6 router-advert prefix 2001:470:xxxx:2::/64 autonomous-flag 'true'
+ set interfaces ethernet eth2 ipv6 router-advert prefix 2001:470:xxxx:2::/64 on-link-flag 'true'
+ set interfaces ethernet eth2 ipv6 router-advert prefix 2001:470:xxxx:2::/64 valid-lifetime '2592000'
+
+ set interfaces ethernet eth3 address '2001:470:xxxx:3::1/64'
+ set interfaces ethernet eth3 ipv6 router-advert name-server '2001:4860:4860::8888'
+ set interfaces ethernet eth3 ipv6 router-advert name-server '2001:4860:4860::8844'
+ set interfaces ethernet eth3 ipv6 router-advert prefix 2001:470:xxxx:3::/64 autonomous-flag 'true'
+ set interfaces ethernet eth3 ipv6 router-advert prefix 2001:470:xxxx:3::/64 on-link-flag 'true'
+ set interfaces ethernet eth3 ipv6 router-advert prefix 2001:470:xxxx:3::/64 valid-lifetime '2592000'
+
+Firewall
+^^^^^^^^
+
+Finally, don't forget the :ref:`firewall`. The usage is identical, except for instead of `set firewall name NAME`, you would use `set firewall ipv6-name NAME`.
+
+Similarly, to attach the firewall, you would use `set interfaces ethernet eth0 firewall in ipv6-name` or `set zone-policy zone LOCAL from WAN firewall ipv6-name`
+
+
generated by cgit v1.2.3 (git 2.39.1) at 2024-11-27 15:40:04 +0000