summaryrefslogtreecommitdiff
path: root/docs/configuration/vpn
diff options
context:
space:
mode:
Diffstat (limited to 'docs/configuration/vpn')
-rw-r--r--docs/configuration/vpn/dmvpn.rst420
-rw-r--r--docs/configuration/vpn/index.rst17
-rw-r--r--docs/configuration/vpn/ipsec.rst190
-rw-r--r--docs/configuration/vpn/l2tp.rst131
-rw-r--r--docs/configuration/vpn/pptp.rst47
-rw-r--r--docs/configuration/vpn/references.rst10
-rw-r--r--docs/configuration/vpn/site2site_ipsec.rst299
7 files changed, 1114 insertions, 0 deletions
diff --git a/docs/configuration/vpn/dmvpn.rst b/docs/configuration/vpn/dmvpn.rst
new file mode 100644
index 00000000..e6487292
--- /dev/null
+++ b/docs/configuration/vpn/dmvpn.rst
@@ -0,0 +1,420 @@
+.. _vpn-dmvpn:
+
+DMVPN
+-----
+
+**D** ynamic **M** ultipoint **V** irtual **P** rivate **N** etworking
+
+DMVPN is a dynamic VPN technology originally developed by Cisco. While their
+implementation was somewhat proprietary, the underlying technologies are
+actually standards based. The three technologies are:
+
+* **NHRP** - NBMA Next Hop Resolution Protocol RFC2332_
+* **mGRE** - Multipoint Generic Routing Encapsulation / mGRE RFC1702_
+* **IPSec** - IP Security (too many RFCs to list, but start with RFC4301_)
+
+NHRP provides the dynamic tunnel endpoint discovery mechanism (endpoint
+registration, and endpoint discovery/lookup), mGRE provides the tunnel
+encapsulation itself, and the IPSec protocols handle the key exchange, and
+crypto mechanism.
+
+In short, DMVPN provides the capability for creating a dynamic-mesh VPN
+network without having to pre-configure (static) all possible tunnel end-point
+peers.
+
+.. note:: DMVPN only automates the tunnel endpoint discovery and setup. A
+ complete solution also incorporates the use of a routing protocol. BGP is
+ particularly well suited for use with DMVPN.
+
+Baseline Configuration:
+
+**STEPS:**
+
+#. Create tunnel config (`interfaces tunnel`)
+#. Create nhrp (`protocols nhrp`)
+#. Create ipsec vpn (optional, but recommended for security) (`vpn ipsec`)
+
+The tunnel will be set to mGRE if for encapsulation `gre` is set, and no
+`remote-ip` is set. If the public ip is provided by DHCP the tunnel `local-ip`
+can be set to "0.0.0.0". If you do set the `remote-ip` directive at any point, the interface will need to be `delete`'d from the config and recreated without the `remote-ip` config ever being set.
+
+.. figure:: /_static/images/vpn_dmvpn_topology01.png
+ :scale: 40 %
+ :alt: Baseline DMVPN topology
+
+ Baseline DMVPN topology
+
+HUB Configuration
+^^^^^^^^^^^^^^^^^
+
+.. code-block:: none
+
+ interfaces
+ tunnel <tunN> {
+ address <ipv4>
+ encapsulation gre
+ local-ip <public ip>
+ multicast enable
+ description <txt>
+ parameters {
+ ip {
+ <usual IP options>
+ }
+ }
+ }
+ }
+ protocols {
+ nhrp {
+ tunnel <tunN> {
+ cisco-authentication <key phrase>
+ holding-time <seconds>
+ multicast dynamic
+ redirect
+ }
+ }
+ }
+ vpn {
+ ipsec {
+ esp-group <text> {
+ lifetime <30-86400>
+ mode tunnel
+ pfs enable
+ proposal <1-65535> {
+ encryption aes256
+ hash sha1
+ }
+ proposal <1-65535> {
+ encryption 3des
+ hash md5
+ }
+ }
+ ike-group <text> {
+ key-exchange ikev1
+ lifetime <30-86400>
+ proposal <1-65535> {
+ encryption aes256
+ hash sha1
+ }
+ proposal <1-65535> {
+ encryption aes128
+ hash sha1
+ }
+ }
+ ipsec-interfaces {
+ interface <ethN>
+ }
+ profile <text> {
+ authentication {
+ mode pre-shared-secret
+ pre-shared-secret <key phrase>
+ }
+ bind {
+ tunnel <tunN>
+ }
+ esp-group <text>
+ ike-group <text>
+ }
+ }
+ }
+
+HUB Example Configuration:
+
+.. code-block:: none
+
+ set interfaces ethernet eth0 address '198.51.100.41/30'
+ set interfaces ethernet eth1 address '192.168.1.1/24'
+ set system host-name 'HUB'
+
+ set interfaces tunnel tun0 address 10.0.0.1/24
+ set interfaces tunnel tun0 encapsulation gre
+ set interfaces tunnel tun0 local-ip 198.51.100.41
+ set interfaces tunnel tun0 multicast enable
+ set interfaces tunnel tun0 parameters ip key 1
+
+ set protocols nhrp tunnel tun0 cisco-authentication SECRET
+ set protocols nhrp tunnel tun0 holding-time 300
+ set protocols nhrp tunnel tun0 multicast dynamic
+ set protocols nhrp tunnel tun0 redirect
+
+ set vpn ipsec ipsec-interfaces interface eth0
+ set vpn ipsec ike-group IKE-HUB proposal 1
+ set vpn ipsec ike-group IKE-HUB proposal 1 encryption aes256
+ set vpn ipsec ike-group IKE-HUB proposal 1 hash sha1
+ set vpn ipsec ike-group IKE-HUB proposal 2 encryption aes128
+ set vpn ipsec ike-group IKE-HUB proposal 2 hash sha1
+ set vpn ipsec ike-group IKE-HUB lifetime 3600
+ set vpn ipsec esp-group ESP-HUB proposal 1 encryption aes256
+ set vpn ipsec esp-group ESP-HUB proposal 1 hash sha1
+ set vpn ipsec esp-group ESP-HUB proposal 2 encryption 3des
+ set vpn ipsec esp-group ESP-HUB proposal 2 hash md5
+ set vpn ipsec esp-group ESP-HUB lifetime 1800
+ set vpn ipsec esp-group ESP-HUB pfs dh-group2
+
+ set vpn ipsec profile NHRPVPN
+ set vpn ipsec profile NHRPVPN authentication mode pre-shared-secret
+ set vpn ipsec profile NHRPVPN authentication pre-shared-secret SECRET
+ set vpn ipsec profile NHRPVPN bind tunnel tun0
+ set vpn ipsec profile NHRPVPN esp-group ESP-HUB
+ set vpn ipsec profile NHRPVPN ike-group IKE-HUB
+
+ set protocols static route 0.0.0.0/0 next-hop 1.1.1.2
+ set protocols static route 192.168.2.0/24 next-hop 10.0.0.2
+ set protocols static route 192.168.3.0/24 next-hop 10.0.0.3
+
+HUB on AWS Configuration Specifics
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+Setting this up on AWS will require a "Custom Protocol Rule" for protocol number "47" (GRE) Allow Rule in TWO places. Firstly on the VPC Network ACL, and secondly on the security group network ACL attached to the EC2 instance. This has been tested as working for the offical AMI image on the AWS Marketplace. (Locate the correct VPC and security group by navigating through the details pane below your EC2 instance in the AWS console)
+
+SPOKE Configuration
+^^^^^^^^^^^^^^^^^^^
+
+SPOKE1 Configuration:
+
+.. code-block:: none
+
+ interfaces
+ tunnel <tunN> {
+ address <ipv4>
+ encapsulation gre
+ local-ip <public ip>
+ multicast enable
+ description <txt>
+ parameters {
+ ip {
+ <usual IP options>
+ }
+ }
+ }
+ }
+ protocols {
+ nhrp {
+ tunnel <tunN> {
+ cisco-authentication <key phrase>
+ map <ipv4/net> {
+ nbma-address <ipv4>
+ register
+ }
+ holding-time <seconds>
+ multicast nhs
+ redirect
+ shortcut
+ }
+ }
+ }
+ vpn {
+ ipsec {
+ esp-group <text> {
+ lifetime <30-86400>
+ mode tunnel
+ pfs enable
+ proposal <1-65535> {
+ encryption aes256
+ hash sha1
+ }
+ proposal <1-65535> {
+ encryption 3des
+ hash md5
+ }
+ }
+ ike-group <text> {
+ key-exchange ikev1
+ lifetime <30-86400>
+ proposal <1-65535> {
+ encryption aes256
+ hash sha1
+ }
+ proposal <1-65535> {
+ encryption aes128
+ hash sha1
+ }
+ }
+ ipsec-interfaces {
+ interface <ethN>
+ }
+ profile <text> {
+ authentication {
+ mode pre-shared-secret
+ pre-shared-secret <key phrase>
+ }
+ bind {
+ tunnel <tunN>
+ }
+ esp-group <text>
+ ike-group <text>
+ }
+ }
+ }
+
+SPOKE1 Example Configuration
+
+.. code-block:: none
+
+ set interfaces ethernet eth0 address 'dhcp'
+ set interfaces ethernet eth1 address '192.168.2.1/24'
+ set system host-name 'SPOKE1'
+
+ set interfaces tunnel tun0 address 10.0.0.2/24
+ set interfaces tunnel tun0 encapsulation gre
+ set interfaces tunnel tun0 local-ip 0.0.0.0
+ set interfaces tunnel tun0 multicast enable
+ set interfaces tunnel tun0 parameters ip key 1
+
+ set protocols nhrp tunnel tun0 cisco-authentication 'SECRET'
+ set protocols nhrp tunnel tun0 map 10.0.0.1/24 nbma-address 198.51.100.41
+ set protocols nhrp tunnel tun0 map 10.0.0.1/24 'register'
+ set protocols nhrp tunnel tun0 multicast 'nhs'
+ set protocols nhrp tunnel tun0 'redirect'
+ set protocols nhrp tunnel tun0 'shortcut'
+
+ set vpn ipsec ipsec-interfaces interface eth0
+ set vpn ipsec ike-group IKE-SPOKE proposal 1
+ set vpn ipsec ike-group IKE-SPOKE proposal 1 encryption aes256
+ set vpn ipsec ike-group IKE-SPOKE proposal 1 hash sha1
+ set vpn ipsec ike-group IKE-SPOKE proposal 2 encryption aes128
+ set vpn ipsec ike-group IKE-SPOKE proposal 2 hash sha1
+ set vpn ipsec ike-group IKE-SPOKE lifetime 3600
+ set vpn ipsec esp-group ESP-SPOKE proposal 1 encryption aes256
+ set vpn ipsec esp-group ESP-SPOKE proposal 1 hash sha1
+ set vpn ipsec esp-group ESP-SPOKE proposal 2 encryption 3des
+ set vpn ipsec esp-group ESP-SPOKE proposal 2 hash md5
+ set vpn ipsec esp-group ESP-SPOKE lifetime 1800
+ set vpn ipsec esp-group ESP-SPOKE pfs dh-group2
+
+ set vpn ipsec profile NHRPVPN
+ set vpn ipsec profile NHRPVPN authentication mode pre-shared-secret
+ set vpn ipsec profile NHRPVPN authentication pre-shared-secret SECRET
+ set vpn ipsec profile NHRPVPN bind tunnel tun0
+ set vpn ipsec profile NHRPVPN esp-group ESP-SPOKE
+ set vpn ipsec profile NHRPVPN ike-group IKE-SPOKE
+
+ set protocols static route 192.168.1.0/24 next-hop 10.0.0.1
+ set protocols static route 192.168.3.0/24 next-hop 10.0.0.3
+
+
+SPOKE2 Configuration
+
+.. code-block:: none
+
+ interfaces
+ tunnel <tunN> {
+ address <ipv4>
+ encapsulation gre
+ local-ip <public ip>
+ multicast enable
+ description <txt>
+ parameters {
+ ip {
+ <usual IP options>
+ }
+ }
+ }
+ }
+ protocols {
+ nhrp {
+ tunnel <tunN> {
+ cisco-authentication <key phrase>
+ map <ipv4/net> {
+ nbma-address <ipv4>
+ register
+ }
+ holding-time <seconds>
+ multicast nhs
+ redirect
+ shortcut
+ }
+ }
+ }
+ vpn {
+ ipsec {
+ esp-group <text> {
+ lifetime <30-86400>
+ mode tunnel
+ pfs enable
+ proposal <1-65535> {
+ encryption aes256
+ hash sha1
+ }
+ proposal <1-65535> {
+ encryption 3des
+ hash md5
+ }
+ }
+ ike-group <text> {
+ key-exchange ikev1
+ lifetime <30-86400>
+ proposal <1-65535> {
+ encryption aes256
+ hash sha1
+ }
+ proposal <1-65535> {
+ encryption aes128
+ hash sha1
+ }
+ }
+ ipsec-interfaces {
+ interface <ethN>
+ }
+ profile <text> {
+ authentication {
+ mode pre-shared-secret
+ pre-shared-secret <key phrase>
+ }
+ bind {
+ tunnel <tunN>
+ }
+ esp-group <text>
+ ike-group <text>
+ }
+ }
+ }
+
+SPOKE2 Example Configuration
+
+.. code-block:: none
+
+ set interfaces ethernet eth0 address 'dhcp'
+ set interfaces ethernet eth1 address '192.168.3.1/24'
+ set system host-name 'SPOKE2'
+
+ set interfaces tunnel tun0 address 10.0.0.3/24
+ set interfaces tunnel tun0 encapsulation gre
+ set interfaces tunnel tun0 local-ip 0.0.0.0
+ set interfaces tunnel tun0 multicast enable
+ set interfaces tunnel tun0 parameters ip key 1
+
+ set protocols nhrp tunnel tun0 cisco-authentication SECRET
+ set protocols nhrp tunnel tun0 map 10.0.0.1/24 nbma-address 198.51.100.41
+ set protocols nhrp tunnel tun0 map 10.0.0.1/24 register
+ set protocols nhrp tunnel tun0 multicast nhs
+ set protocols nhrp tunnel tun0 redirect
+ set protocols nhrp tunnel tun0 shortcut
+
+ set vpn ipsec ipsec-interfaces interface eth0
+ set vpn ipsec ike-group IKE-SPOKE proposal 1
+ set vpn ipsec ike-group IKE-SPOKE proposal 1 encryption aes256
+ set vpn ipsec ike-group IKE-SPOKE proposal 1 hash sha1
+ set vpn ipsec ike-group IKE-SPOKE proposal 2 encryption aes128
+ set vpn ipsec ike-group IKE-SPOKE proposal 2 hash sha1
+ set vpn ipsec ike-group IKE-SPOKE lifetime 3600
+ set vpn ipsec esp-group ESP-SPOKE proposal 1 encryption aes256
+ set vpn ipsec esp-group ESP-SPOKE proposal 1 hash sha1
+ set vpn ipsec esp-group ESP-SPOKE proposal 2 encryption 3des
+ set vpn ipsec esp-group ESP-SPOKE proposal 2 hash md5
+ set vpn ipsec esp-group ESP-SPOKE lifetime 1800
+ set vpn ipsec esp-group ESP-SPOKE pfs dh-group2
+
+ set vpn ipsec profile NHRPVPN
+ set vpn ipsec profile NHRPVPN authentication mode pre-shared-secret
+ set vpn ipsec profile NHRPVPN authentication pre-shared-secret SECRET
+ set vpn ipsec profile NHRPVPN bind tunnel tun0
+ set vpn ipsec profile NHRPVPN esp-group ESP-SPOKE
+ set vpn ipsec profile NHRPVPN ike-group IKE-SPOKE
+
+ set protocols static route 192.168.1.0/24 next-hop 10.0.0.1
+ set protocols static route 192.168.2.0/24 next-hop 10.0.0.2
+
+
+.. _RFC2332: https://tools.ietf.org/html/rfc2332
+.. _RFC1702: https://tools.ietf.org/html/rfc1702
+.. _RFC4301: https://tools.ietf.org/html/rfc4301
diff --git a/docs/configuration/vpn/index.rst b/docs/configuration/vpn/index.rst
new file mode 100644
index 00000000..522842d1
--- /dev/null
+++ b/docs/configuration/vpn/index.rst
@@ -0,0 +1,17 @@
+.. _vpn:
+
+.. include:: references.rst
+
+VPN
+===
+
+This chapter describes the available VPN services provided by VyOS.
+
+.. toctree::
+ :hidden:
+
+ l2tp
+ site2site_ipsec
+ ipsec
+ dmvpn
+ pptp
diff --git a/docs/configuration/vpn/ipsec.rst b/docs/configuration/vpn/ipsec.rst
new file mode 100644
index 00000000..38849f67
--- /dev/null
+++ b/docs/configuration/vpn/ipsec.rst
@@ -0,0 +1,190 @@
+.. _gre-ipsec:
+
+GRE/IPsec
+---------
+
+Generic Routing Encapsulation (GRE), GRE/IPsec (or IPIP/IPsec, SIT/IPsec, or any
+other stateless tunnel protocol over IPsec) is the usual way to protect the
+traffic inside a tunnel.
+
+An advantage of this scheme is that you get a real interface with its own
+address, which makes it easier to setup static routes or use dynamic routing
+protocols without having to modify IPsec policies. The other advantage is that
+it greatly simplifies router to router communication, which can be tricky with
+plain IPsec because the external outgoing address of the router usually doesn't
+match the IPsec policy of typical site-to-site setup and you need to add special
+configuration for it, or adjust the source address for outgoing traffic of your
+applications. GRE/IPsec has no such problem and is completely transparent for
+the applications.
+
+GRE/IPIP/SIT and IPsec are widely accepted standards, which make this scheme
+easy to implement between VyOS and virtually any other router.
+
+For simplicity we'll assume that the protocol is GRE, it's not hard to guess
+what needs to be changed to make it work with a different protocol. We assume
+that IPsec will use pre-shared secret authentication and will use AES128/SHA1
+for the cipher and hash. Adjust this as necessary.
+
+.. NOTE:: VMWare users should ensure that VMXNET3 adapters used, e1000 adapters
+ have known issue with GRE processing
+
+IPsec policy matching GRE
+^^^^^^^^^^^^^^^^^^^^^^^^^
+
+The first and arguably cleaner option is to make your IPsec policy match GRE
+packets between external addresses of your routers. This is the best option if
+both routers have static external addresses.
+
+Suppose the LEFT router has external address 192.0.2.10 on its eth0 interface,
+and the RIGHT router is 203.0.113.45
+
+On the LEFT:
+
+.. code-block:: none
+
+ # GRE tunnel
+ set interfaces tunnel tun0 encapsulation gre
+ set interfaces tunnel tun0 local-ip 192.0.2.10
+ set interfaces tunnel tun0 remote-ip 203.0.113.45
+ set interfaces tunnel tun0 address 10.10.10.1/30
+
+ ## IPsec
+ set vpn ipsec ipsec-interfaces interface eth0
+
+ # IKE group
+ set vpn ipsec ike-group MyIKEGroup proposal 1 dh-group '2'
+ set vpn ipsec ike-group MyIKEGroup proposal 1 encryption 'aes128'
+ set vpn ipsec ike-group MyIKEGroup proposal 1 hash 'sha1'
+
+ # ESP group
+ set vpn ipsec esp-group MyESPGroup proposal 1 encryption 'aes128'
+ set vpn ipsec esp-group MyESPGroup proposal 1 hash 'sha1'
+
+ # IPsec tunnel
+ set vpn ipsec site-to-site peer 203.0.113.45 authentication mode pre-shared-secret
+ set vpn ipsec site-to-site peer 203.0.113.45 authentication pre-shared-secret MYSECRETKEY
+
+ set vpn ipsec site-to-site peer 203.0.113.45 ike-group MyIKEGroup
+ set vpn ipsec site-to-site peer 203.0.113.45 default-esp-group MyESPGroup
+
+ set vpn ipsec site-to-site peer 203.0.113.45 local-address 192.0.2.10
+
+ # This will match all GRE traffic to the peer
+ set vpn ipsec site-to-site peer 203.0.113.45 tunnel 1 protocol gre
+
+On the RIGHT, setup by analogy and swap local and remote addresses.
+
+
+Source tunnel from loopbacks
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+The scheme above doesn't work when one of the routers has a dynamic external
+address though. The classic workaround for this is to setup an address on a
+loopback interface and use it as a source address for the GRE tunnel, then setup
+an IPsec policy to match those loopback addresses.
+
+We assume that the LEFT router has static 192.0.2.10 address on eth0, and the
+RIGHT router has a dynamic address on eth0.
+
+**Setting up the GRE tunnel**
+
+On the LEFT:
+
+.. code-block:: none
+
+ set interfaces loopback lo address 192.168.99.1/32
+
+ set interfaces tunnel tun0 encapsulation gre
+ set interfaces tunnel tun0 address 10.10.10.1/30
+ set interfaces tunnel tun0 local-ip 192.168.99.1
+ set interfaces tunnel tun0 remote-ip 192.168.99.2
+
+On the RIGHT:
+
+.. code-block:: none
+
+ set interfaces loopback lo address 192.168.99.2/32
+
+ set interfaces tunnel tun0 encapsulation gre
+ set interfaces tunnel tun0 address 10.10.10.2/30
+ set interfaces tunnel tun0 local-ip 192.168.99.2
+ set interfaces tunnel tun0 remote-ip 192.168.99.1
+
+**Setting up IPSec**
+
+However, now you need to make IPsec work with dynamic address on one side. The
+tricky part is that pre-shared secret authentication doesn't work with dynamic
+address, so we'll have to use RSA keys.
+
+First, on both routers run the operational command "generate vpn rsa-key bits
+2048". You may choose different length than 2048 of course.
+
+.. code-block:: none
+
+ vyos@left# run generate vpn rsa-key bits 2048
+ Generating rsa-key to /config/ipsec.d/rsa-keys/localhost.key
+
+ Your new local RSA key has been generated
+ The public portion of the key is:
+
+ 0sAQO2335[long string here]
+
+Then on the opposite router, add the RSA key to your config.
+
+.. code-block:: none
+
+ set vpn rsa-keys rsa-key-name LEFT rsa-key KEYGOESHERE
+
+Now you are ready to setup IPsec. You'll need to use an ID instead of address
+for the peer on the dynamic side.
+
+On the LEFT (static address):
+
+.. code-block:: none
+
+ set vpn rsa-keys rsa-key-name RIGHT rsa-key <PUBLIC KEY FROM THE RIGHT>
+
+ set vpn ipsec ipsec-interfaces interface eth0
+
+ set vpn ipsec esp-group MyESPGroup proposal 1 encryption aes128
+ set vpn ipsec esp-group MyESPGroup proposal 1 hash sha1
+
+ set vpn ipsec ike-group MyIKEGroup proposal 1 dh-group 2
+ set vpn ipsec ike-group MyIKEGroup proposal 1 encryption aes128
+ set vpn ipsec ike-group MyIKEGroup proposal 1 hash sha1
+
+ set vpn ipsec site-to-site peer @RIGHT authentication mode rsa
+ set vpn ipsec site-to-site peer @RIGHT authentication rsa-key-name RIGHT
+ set vpn ipsec site-to-site peer @RIGHT default-esp-group MyESPGroup
+ set vpn ipsec site-to-site peer @RIGHT ike-group MyIKEGroup
+ set vpn ipsec site-to-site peer @RIGHT local-address 192.0.2.10
+ set vpn ipsec site-to-site peer @RIGHT connection-type respond
+ set vpn ipsec site-to-site peer @RIGHT tunnel 1 local prefix 192.168.99.1/32 # Additional loopback address on the local
+ set vpn ipsec site-to-site peer @RIGHT tunnel 1 remote prefix 192.168.99.2/32 # Additional loopback address on the remote
+
+
+On the RIGHT (dynamic address):
+
+.. code-block:: none
+
+ set vpn rsa-keys rsa-key-name LEFT rsa-key <PUBLIC KEY FROM THE LEFT>
+
+ set vpn ipsec ipsec-interfaces interface eth0
+
+ set vpn ipsec esp-group MyESPGroup proposal 1 encryption aes128
+ set vpn ipsec esp-group MyESPGroup proposal 1 hash sha1
+
+ set vpn ipsec ike-group MyIKEGroup proposal 1 dh-group 2
+ set vpn ipsec ike-group MyIKEGroup proposal 1 encryption aes128
+ set vpn ipsec ike-group MyIKEGroup proposal 1 hash sha1
+
+ set vpn ipsec site-to-site peer 192.0.2.10 authentication id @RIGHT
+ set vpn ipsec site-to-site peer 192.0.2.10 authentication mode rsa
+ set vpn ipsec site-to-site peer 192.0.2.10 authentication rsa-key-name LEFT
+ set vpn ipsec site-to-site peer 192.0.2.10 remote-id @LEFT
+ set vpn ipsec site-to-site peer 192.0.2.10 connection-type initiate
+ set vpn ipsec site-to-site peer 192.0.2.10 default-esp-group MyESPGroup
+ set vpn ipsec site-to-site peer 192.0.2.10 ike-group MyIKEGroup
+ set vpn ipsec site-to-site peer 192.0.2.10 local-address any
+ set vpn ipsec site-to-site peer 192.0.2.10 tunnel 1 local prefix 192.168.99.2/32 # Additional loopback address on the local
+ set vpn ipsec site-to-site peer 192.0.2.10 tunnel 1 remote prefix 192.168.99.1/32 # Additional loopback address on the remote
diff --git a/docs/configuration/vpn/l2tp.rst b/docs/configuration/vpn/l2tp.rst
new file mode 100644
index 00000000..64223475
--- /dev/null
+++ b/docs/configuration/vpn/l2tp.rst
@@ -0,0 +1,131 @@
+.. _l2tp:
+
+L2TP over IPsec
+---------------
+
+Example for configuring a simple L2TP over IPsec VPN for remote access (works
+with native Windows and Mac VPN clients):
+
+.. code-block:: none
+
+ set vpn ipsec ipsec-interfaces interface eth0
+ set vpn ipsec nat-traversal enable
+ set vpn ipsec nat-networks allowed-network 0.0.0.0/0
+
+ set vpn l2tp remote-access outside-address 203.0.113.2
+ set vpn l2tp remote-access client-ip-pool start 192.168.255.1
+ set vpn l2tp remote-access client-ip-pool stop 192.168.255.254
+ set vpn l2tp remote-access ipsec-settings authentication mode pre-shared-secret
+ set vpn l2tp remote-access ipsec-settings authentication pre-shared-secret <secret>
+ set vpn l2tp remote-access authentication mode local
+ set vpn l2tp remote-access authentication local-users username <username> password <password>
+
+In the example above an external IP of 203.0.113.2 is assumed.
+
+If a local firewall policy is in place on your external interface you will need
+to open:
+
+* UDP port 500 (IKE)
+* IP protocol number 50 (ESP)
+* UDP port 1701 for IPsec
+
+In addition when NAT is detected by the VPN client ESP is encapsulated in UDP
+for NAT-traversal:
+
+* UDP port 4500 (NAT-T)
+
+Example:
+
+.. code-block:: none
+
+ set firewall name OUTSIDE-LOCAL rule 40 action 'accept'
+ set firewall name OUTSIDE-LOCAL rule 40 protocol 'esp'
+ set firewall name OUTSIDE-LOCAL rule 41 action 'accept'
+ set firewall name OUTSIDE-LOCAL rule 41 destination port '500'
+ set firewall name OUTSIDE-LOCAL rule 41 protocol 'udp'
+ set firewall name OUTSIDE-LOCAL rule 42 action 'accept'
+ set firewall name OUTSIDE-LOCAL rule 42 destination port '4500'
+ set firewall name OUTSIDE-LOCAL rule 42 protocol 'udp'
+ set firewall name OUTSIDE-LOCAL rule 43 action 'accept'
+ set firewall name OUTSIDE-LOCAL rule 43 destination port '1701'
+ set firewall name OUTSIDE-LOCAL rule 43 ipsec 'match-ipsec'
+ set firewall name OUTSIDE-LOCAL rule 43 protocol 'udp'
+
+Also note that if you wish to allow the VPN to be used for external access you
+will need to add the appropriate source NAT rules to your configuration.
+
+.. code-block:: none
+
+ set nat source rule 110 outbound-interface 'eth0'
+ set nat source rule 110 source address '192.168.255.0/24'
+ set nat source rule 110 translation address masquerade
+
+To be able to resolve when connected to the VPN, the following DNS rules are
+needed as well.
+
+.. code-block:: none
+
+ set vpn l2tp remote-access dns-servers server-1 '8.8.8.8'
+ set vpn l2tp remote-access dns-servers server-2 '8.8.4.4'
+
+.. note:: Those are the `Google public DNS`_ servers. You can also use the
+ public available servers from Quad9_ (9.9.9.9) or Cloudflare_ (1.1.1.1).
+
+Established sessions can be viewed using the **show vpn remote-access**
+operational command.
+
+.. code-block:: none
+
+ vyos@vyos:~$ show vpn remote-access
+ Active remote access VPN sessions:
+ User Proto Iface Tunnel IP TX byte RX byte Time
+ ---- ----- ----- --------- ------- ------- ----
+ vyos L2TP l2tp0 192.168.255.1 3.2K 8.0K 00h06m13s
+
+RADIUS authentication
+^^^^^^^^^^^^^^^^^^^^^
+
+The above configuration made use of local accounts on the VyOS router for
+authenticating L2TP/IPSec clients. In bigger environments usually something
+like RADIUS_ (FreeRADIUS_ or Microsoft `Network Policy Server`_, NPS) is used.
+
+VyOS supports either `local` or `radius` user authentication:
+
+.. code-block:: none
+
+ set vpn l2tp remote-access authentication mode <local|radius>
+
+In addition one or more RADIUS_ servers can be configured to server for user
+authentication. This is done using the `radius server` and `radius server key`
+nodes:
+
+.. code-block:: none
+
+ set vpn l2tp remote-access authentication radius server 1.1.1.1 key 'foo'
+ set vpn l2tp remote-access authentication radius server 2.2.2.2 key 'foo'
+
+.. note:: Some RADIUS_ severs make use of an access control list who is allowed
+ to query the server. Please configure your VyOS router in the allowed client
+ list.
+
+RADIUS source address
+*********************
+
+If you are using e.g. OSPF as IGP always the nearest interface facing the RADIUS
+server is used. With VyOS 1.2 you can bind all outgoing RADIUS requests to a
+single source IP e.g. the loopback interface.
+
+.. code-block:: none
+
+ set vpn l2tp remote-access authentication radius source-address 3.3.3.3
+
+Above command will use `3.3.3.3` as source IPv4 address for all RADIUS queries
+on this NAS.
+
+
+.. _`Google Public DNS`: https://developers.google.com/speed/public-dns
+.. _Quad9: https://quad9.net
+.. _CloudFlare: https://blog.cloudflare.com/announcing-1111
+.. _RADIUS: https://en.wikipedia.org/wiki/RADIUS
+.. _FreeRADIUS: https://freeradius.org
+.. _`Network Policy Server`: https://en.wikipedia.org/wiki/Network_Policy_Server
diff --git a/docs/configuration/vpn/pptp.rst b/docs/configuration/vpn/pptp.rst
new file mode 100644
index 00000000..72b3feb0
--- /dev/null
+++ b/docs/configuration/vpn/pptp.rst
@@ -0,0 +1,47 @@
+.. _pptp:
+
+PPTP-Server
+-----------
+
+The Point-to-Point Tunneling Protocol (PPTP_) has been implemented in VyOS only for backwards compatibility.
+PPTP has many well known security issues and you should use one of the many other new VPN implementations.
+
+As per default and if not otherwise defined, mschap-v2 is being used for authentication and mppe 128-bit (stateless) for encryption.
+If no gateway-address is set within the configuration, the lowest IP out of the /24 client-ip-pool is being used. For instance, in the example below it would be 192.168.0.1.
+
+server example
+^^^^^^^^^^^^^^
+
+.. code-block:: none
+
+ set vpn pptp remote-access authentication local-users username test password 'test'
+ set vpn pptp remote-access authentication mode 'local'
+ set vpn pptp remote-access client-ip-pool start '192.168.0.10'
+ set vpn pptp remote-access client-ip-pool stop '192.168.0.15'
+ set vpn pptp remote-access gateway-address '10.100.100.1'
+ set vpn pptp remote-access outside-address '10.1.1.120'
+
+
+client example (debian 9)
+^^^^^^^^^^^^^^^^^^^^^^^^^
+
+Install the client software via apt and execute pptpsetup to generate the configuration.
+
+
+.. code-block:: none
+
+ apt-get install pptp-linux
+ pptpsetup --create TESTTUNNEL --server 10.1.1.120 --username test --password test --encrypt
+ pon TESTTUNNEL
+
+The command pon TESTUNNEL establishes the PPTP tunnel to the remote system.
+
+
+All tunnel sessions can be checked via:
+
+.. code-block:: none
+
+ run sh pptp-server sessions
+ ifname | username | calling-sid | ip | type | comp | state | uptime
+ --------+----------+-------------+--------------+------+------+--------+----------
+ ppp0 | test | 10.1.1.99 | 192.168.0.10 | pptp | mppe | active | 00:00:58
diff --git a/docs/configuration/vpn/references.rst b/docs/configuration/vpn/references.rst
new file mode 100644
index 00000000..49b65cb0
--- /dev/null
+++ b/docs/configuration/vpn/references.rst
@@ -0,0 +1,10 @@
+.. _`Google Public DNS`: https://developers.google.com/speed/public-dns
+.. _Quad9: https://quad9.net
+.. _CloudFlare: https://blog.cloudflare.com/announcing-1111
+.. _RADIUS: https://en.wikipedia.org/wiki/RADIUS
+.. _FreeRADIUS: https://freeradius.org
+.. _`Network Policy Server`: https://en.wikipedia.org/wiki/Network_Policy_Server
+.. _RFC2332: https://tools.ietf.org/html/rfc2332
+.. _RFC1702: https://tools.ietf.org/html/rfc1702
+.. _RFC4301: https://tools.ietf.org/html/rfc4301
+.. _PPTP: https://en.wikipedia.org/wiki/Point-to-Point_Tunneling_Protocol
diff --git a/docs/configuration/vpn/site2site_ipsec.rst b/docs/configuration/vpn/site2site_ipsec.rst
new file mode 100644
index 00000000..e0156a6f
--- /dev/null
+++ b/docs/configuration/vpn/site2site_ipsec.rst
@@ -0,0 +1,299 @@
+.. _size2site_ipsec:
+
+Site-to-Site
+============
+
+Site-to-site mode provides a way to add remote peers, which could be configured to exchange encrypted information between them and VyOS itself or connected/routed networks.
+
+To configure site-to-site connection you need to add peers with the ``set vpn ipsec site-to-site`` command.
+
+You can identify a remote peer with:
+
+* IPv4 or IPv6 address. This mode is easiest for configuration and mostly used when a peer has a public static IP address;
+* Hostname. This mode is similar to IP address, only you define DNS name instead of an IP. Could be used when a peer has a public IP address and DNS name, but an IP address could be changed from time to time;
+* Remote ID of the peer. In this mode, there is no predefined remote address nor DNS name of the peer. This mode is useful when a peer doesn't have a publicly available IP address (NAT between it and VyOS), or IP address could be changed.
+
+Each site-to-site peer has the next options:
+
+* ``authentication`` - configure authentication between VyOS and a remote peer. Suboptions:
+
+ * ``id`` - ID for the local VyOS router. If defined, during the authentication it will be send to remote peer;
+
+ * ``mode`` - mode for authentication between VyOS and remote peer:
+
+ * ``pre-shared-secret`` - use predefined shared secret phrase, must be the same for local and remote side;
+
+ * ``rsa`` - use simple shared RSA key. The key must be defined in the ``set vpn rsa-keys`` section;
+
+ * ``x509`` - use certificates infrastructure for authentication.
+
+ * ``pre-shared-secret`` - predefined shared secret. Used if configured ``mode pre-shared-secret``;
+
+ * ``remote-id`` - define an ID for remote peer, instead of using peer name or address. Useful in case if the remote peer is behind NAT or if ``mode x509`` is used;
+
+ * ``rsa-key-name`` - shared RSA key for authentication. The key must be defined in the ``set vpn rsa-keys`` section;
+
+ * ``use-x509-id`` - use local ID from x509 certificate. Cannot be used when ``id`` is defined;
+
+ * ``x509`` - options for x509 authentication mode:
+
+ * ``ca-cert-file`` - CA certificate file. Using for authenticating remote peer;
+
+ * ``cert-file`` - certificate file, which will be used for authenticating local router on remote peer;
+
+ * ``crl-file`` - file with the Certificate Revocation List. Using to check if a certificate for the remote peer is valid or revoked;
+
+ * ``key`` - a private key, which will be used for authenticating local router on remote peer:
+
+ * ``file`` - path to the key file;
+
+ * ``password`` - passphrase private key, if needed.
+
+* ``connection-type`` - how to handle this connection process. Possible variants:
+
+ * ``initiate`` - do initial connection to remote peer immediately after configuring and after boot. In this mode the connection will not be restarted in case of disconnection, therefore should be used only together with DPD or another session tracking methods;
+
+ * ``respond`` - do not try to initiate a connection to a remote peer. In this mode, the IPSec session will be established only after initiation from a remote peer. Could be useful when there is no direct connectivity to the peer due to firewall or NAT in the middle of the local and remote side.
+
+* ``default-esp-group`` - ESP group to use by default for traffic encryption. Might be overwritten by individual settings for tunnel or VTI interface binding;
+
+* ``description`` - description for this peer;
+
+* ``dhcp-interface`` - use an IP address, received from DHCP for IPSec connection with this peer, instead of ``local-address``;
+
+* ``force-encapsulation`` - force encapsulation of ESP into UDP datagrams. Useful in case if between local and remote side is firewall or NAT, which not allows passing plain ESP packets between them;
+
+* ``ike-group`` - IKE group to use for key exchanges;
+
+* ``ikev2-reauth`` - reauthenticate remote peer during the rekeying process. Can be used only with IKEv2:
+
+ * ``yes`` - create a new IKE_SA from the scratch and try to recreate all IPsec SAs;
+
+ * ``no`` - rekey without uninstalling the IPsec SAs;
+
+ * ``inherit`` - use default behavior for the used IKE group.
+
+* ``local-address`` - local IP address for IPSec connection with this peer. If defined ``any``, then an IP address which configured on interface with default route will be used;
+
+* ``tunnel`` - define criteria for traffic to be matched for encrypting and send it to a peer:
+
+ * ``disable`` - disable this tunnel;
+
+ * ``esp-group`` - define ESP group for encrypt traffic, defined by this tunnel;
+
+ * ``local`` - define a local source for match traffic, which should be encrypted and send to this peer:
+
+ * ``port`` - define port. Have effect only when used together with ``prefix``;
+
+ * ``prefix`` - IP network at local side.
+
+ * ``protocol`` - define the protocol for match traffic, which should be encrypted and send to this peer;
+
+ * ``remote`` - define the remote destination for match traffic, which should be encrypted and send to this peer:
+
+ * ``port`` - define port. Have effect only when used together with ``prefix``;
+
+ * ``prefix`` - IP network at remote side.
+
+* ``vti`` - use a VTI interface for traffic encryption. Any traffic, which will be send to VTI interface will be encrypted and send to this peer. Using VTI makes IPSec configuration much flexible and easier in complex situation, and allows to dynamically add/delete remote networks, reachable via a peer, as in this mode router don't need to create additional SA/policy for each remote network:
+
+ * ``bind`` - select a VTI interface to bind to this peer;
+
+ * ``esp-group`` - define ESP group for encrypt traffic, passed this VTI interface.
+
+Examples:
+------------------
+
+IKEv1
+^^^^^
+
+Example:
+
+* WAN interface on `eth1`
+* left subnet: `192.168.0.0/24` site1, server side (i.e. locality, actually
+ there is no client or server roles)
+* left local_ip: `198.51.100.3` # server side WAN IP
+* right subnet: `10.0.0.0/24` site2,remote office side
+* right local_ip: `203.0.113.2` # remote office side WAN IP
+
+.. code-block:: none
+
+ # server config
+ set vpn ipsec esp-group office-srv-esp compression 'disable'
+ set vpn ipsec esp-group office-srv-esp lifetime '1800'
+ set vpn ipsec esp-group office-srv-esp mode 'tunnel'
+ set vpn ipsec esp-group office-srv-esp pfs 'enable'
+ set vpn ipsec esp-group office-srv-esp proposal 1 encryption 'aes256'
+ set vpn ipsec esp-group office-srv-esp proposal 1 hash 'sha1'
+ set vpn ipsec ike-group office-srv-ike ikev2-reauth 'no'
+ set vpn ipsec ike-group office-srv-ike key-exchange 'ikev1'
+ set vpn ipsec ike-group office-srv-ike lifetime '3600'
+ set vpn ipsec ike-group office-srv-ike proposal 1 encryption 'aes256'
+ set vpn ipsec ike-group office-srv-ike proposal 1 hash 'sha1'
+ set vpn ipsec ipsec-interfaces interface 'eth1'
+ set vpn ipsec site-to-site peer 203.0.113.2 authentication mode 'pre-shared-secret'
+ set vpn ipsec site-to-site peer 203.0.113.2 authentication pre-shared-secret 'SomePreSharedKey'
+ set vpn ipsec site-to-site peer 203.0.113.2 ike-group 'office-srv-ike'
+ set vpn ipsec site-to-site peer 203.0.113.2 local-address '198.51.100.3'
+ set vpn ipsec site-to-site peer 203.0.113.2 tunnel 0 allow-nat-networks 'disable'
+ set vpn ipsec site-to-site peer 203.0.113.2 tunnel 0 allow-public-networks 'disable'
+ set vpn ipsec site-to-site peer 203.0.113.2 tunnel 0 esp-group 'office-srv-esp'
+ set vpn ipsec site-to-site peer 203.0.113.2 tunnel 0 local prefix '192.168.0.0/24'
+ set vpn ipsec site-to-site peer 203.0.113.2 tunnel 0 remote prefix '10.0.0.0/21'
+
+ # remote office config
+ set vpn ipsec esp-group office-srv-esp compression 'disable'
+ set vpn ipsec esp-group office-srv-esp lifetime '1800'
+ set vpn ipsec esp-group office-srv-esp mode 'tunnel'
+ set vpn ipsec esp-group office-srv-esp pfs 'enable'
+ set vpn ipsec esp-group office-srv-esp proposal 1 encryption 'aes256'
+ set vpn ipsec esp-group office-srv-esp proposal 1 hash 'sha1'
+ set vpn ipsec ike-group office-srv-ike ikev2-reauth 'no'
+ set vpn ipsec ike-group office-srv-ike key-exchange 'ikev1'
+ set vpn ipsec ike-group office-srv-ike lifetime '3600'
+ set vpn ipsec ike-group office-srv-ike proposal 1 encryption 'aes256'
+ set vpn ipsec ike-group office-srv-ike proposal 1 hash 'sha1'
+ set vpn ipsec ipsec-interfaces interface 'eth1'
+ set vpn ipsec site-to-site peer 198.51.100.3 authentication mode 'pre-shared-secret'
+ set vpn ipsec site-to-site peer 198.51.100.3 authentication pre-shared-secret 'SomePreSharedKey'
+ set vpn ipsec site-to-site peer 198.51.100.3 ike-group 'office-srv-ike'
+ set vpn ipsec site-to-site peer 198.51.100.3 local-address '203.0.113.2'
+ set vpn ipsec site-to-site peer 198.51.100.3 tunnel 0 allow-nat-networks 'disable'
+ set vpn ipsec site-to-site peer 198.51.100.3 tunnel 0 allow-public-networks 'disable'
+ set vpn ipsec site-to-site peer 198.51.100.3 tunnel 0 esp-group 'office-srv-esp'
+ set vpn ipsec site-to-site peer 198.51.100.3 tunnel 0 local prefix '10.0.0.0/21'
+ set vpn ipsec site-to-site peer 198.51.100.3 tunnel 0 remote prefix '192.168.0.0/24'
+
+Show status of new setup:
+
+.. code-block:: none
+
+ vyos@srv-gw0:~$ show vpn ike sa
+ Peer ID / IP Local ID / IP
+ ------------ -------------
+ 203.0.113.2 198.51.100.3
+ State Encrypt Hash D-H Grp NAT-T A-Time L-Time
+ ----- ------- ---- ------- ----- ------ ------
+ up aes256 sha1 5 no 734 3600
+
+ vyos@srv-gw0:~$ show vpn ipsec sa
+ Peer ID / IP Local ID / IP
+ ------------ -------------
+ 203.0.113.2 198.51.100.3
+ Tunnel State Bytes Out/In Encrypt Hash NAT-T A-Time L-Time Proto
+ ------ ----- ------------- ------- ---- ----- ------ ------ -----
+ 0 up 7.5M/230.6K aes256 sha1 no 567 1800 all
+
+If there is SNAT rules on eth1, need to add exclude rule
+
+.. code-block:: none
+
+ # server side
+ set nat source rule 10 destination address '10.0.0.0/24'
+ set nat source rule 10 'exclude'
+ set nat source rule 10 outbound-interface 'eth1'
+ set nat source rule 10 source address '192.168.0.0/24'
+
+ # remote office side
+ set nat source rule 10 destination address '192.168.0.0/24'
+ set nat source rule 10 'exclude'
+ set nat source rule 10 outbound-interface 'eth1'
+ set nat source rule 10 source address '10.0.0.0/24'
+
+To allow traffic to pass through to clients, you need to add the following
+rules. (if you used the default configuration at the top of this page)
+
+.. code-block:: none
+
+ # server side
+ set firewall name OUTSIDE-LOCAL rule 32 action 'accept'
+ set firewall name OUTSIDE-LOCAL rule 32 source address '10.0.0.0/24'
+
+ # remote office side
+ set firewall name OUTSIDE-LOCAL rule 32 action 'accept'
+ set firewall name OUTSIDE-LOCAL rule 32 source address '192.168.0.0/24'
+
+IKEv2
+^^^^^
+
+Imagine the following topology
+
+.. figure:: /_static/images/vpn_s2s_ikev2.png
+ :scale: 50 %
+ :alt: IPSec IKEv2 site2site VPN
+
+ IPSec IKEv2 site2site VPN (source ./draw.io/vpn_s2s_ikev2.drawio)
+
+
+.. note:: Don't get confused about the used /31 tunnel subnet. RFC3031_ gives
+ you additional information for using /31 subnets on point-to-point links.
+
+**left**
+
+.. code-block:: none
+
+ set interfaces vti vti10 address '10.0.0.2/31'
+
+ set vpn ipsec esp-group ESP_DEFAULT compression 'disable'
+ set vpn ipsec esp-group ESP_DEFAULT lifetime '3600'
+ set vpn ipsec esp-group ESP_DEFAULT mode 'tunnel'
+ set vpn ipsec esp-group ESP_DEFAULT pfs 'dh-group19'
+ set vpn ipsec esp-group ESP_DEFAULT proposal 10 encryption 'aes256gcm128'
+ set vpn ipsec esp-group ESP_DEFAULT proposal 10 hash 'sha256'
+ set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection action 'hold'
+ set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection interval '30'
+ set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection timeout '120'
+ set vpn ipsec ike-group IKEv2_DEFAULT ikev2-reauth 'no'
+ set vpn ipsec ike-group IKEv2_DEFAULT key-exchange 'ikev2'
+ set vpn ipsec ike-group IKEv2_DEFAULT lifetime '10800'
+ set vpn ipsec ike-group IKEv2_DEFAULT mobike 'disable'
+ set vpn ipsec ike-group IKEv2_DEFAULT proposal 10 dh-group '19'
+ set vpn ipsec ike-group IKEv2_DEFAULT proposal 10 encryption 'aes256gcm128'
+ set vpn ipsec ike-group IKEv2_DEFAULT proposal 10 hash 'sha256'
+ set vpn ipsec ipsec-interfaces interface 'eth0.201'
+ set vpn ipsec site-to-site peer 172.18.202.10 authentication id '172.18.201.10'
+ set vpn ipsec site-to-site peer 172.18.202.10 authentication mode 'pre-shared-secret'
+ set vpn ipsec site-to-site peer 172.18.202.10 authentication pre-shared-secret 'secretkey'
+ set vpn ipsec site-to-site peer 172.18.202.10 authentication remote-id '172.18.202.10'
+ set vpn ipsec site-to-site peer 172.18.202.10 connection-type 'initiate'
+ set vpn ipsec site-to-site peer 172.18.202.10 ike-group 'IKEv2_DEFAULT'
+ set vpn ipsec site-to-site peer 172.18.202.10 ikev2-reauth 'inherit'
+ set vpn ipsec site-to-site peer 172.18.202.10 local-address '172.18.201.10'
+ set vpn ipsec site-to-site peer 172.18.202.10 vti bind 'vti10'
+ set vpn ipsec site-to-site peer 172.18.202.10 vti esp-group 'ESP_DEFAULT'
+
+**right**
+
+.. code-block:: none
+
+ set interfaces vti vti10 address '10.0.0.3/31'
+
+ set vpn ipsec esp-group ESP_DEFAULT compression 'disable'
+ set vpn ipsec esp-group ESP_DEFAULT lifetime '3600'
+ set vpn ipsec esp-group ESP_DEFAULT mode 'tunnel'
+ set vpn ipsec esp-group ESP_DEFAULT pfs 'dh-group19'
+ set vpn ipsec esp-group ESP_DEFAULT proposal 10 encryption 'aes256gcm128'
+ set vpn ipsec esp-group ESP_DEFAULT proposal 10 hash 'sha256'
+ set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection action 'hold'
+ set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection interval '30'
+ set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection timeout '120'
+ set vpn ipsec ike-group IKEv2_DEFAULT ikev2-reauth 'no'
+ set vpn ipsec ike-group IKEv2_DEFAULT key-exchange 'ikev2'
+ set vpn ipsec ike-group IKEv2_DEFAULT lifetime '10800'
+ set vpn ipsec ike-group IKEv2_DEFAULT mobike 'disable'
+ set vpn ipsec ike-group IKEv2_DEFAULT proposal 10 dh-group '19'
+ set vpn ipsec ike-group IKEv2_DEFAULT proposal 10 encryption 'aes256gcm128'
+ set vpn ipsec ike-group IKEv2_DEFAULT proposal 10 hash 'sha256'
+ set vpn ipsec ipsec-interfaces interface 'eth0.202'
+ set vpn ipsec site-to-site peer 172.18.201.10 authentication id '172.18.202.10'
+ set vpn ipsec site-to-site peer 172.18.201.10 authentication mode 'pre-shared-secret'
+ set vpn ipsec site-to-site peer 172.18.201.10 authentication pre-shared-secret 'secretkey'
+ set vpn ipsec site-to-site peer 172.18.201.10 authentication remote-id '172.18.201.10'
+ set vpn ipsec site-to-site peer 172.18.201.10 connection-type 'initiate'
+ set vpn ipsec site-to-site peer 172.18.201.10 ike-group 'IKEv2_DEFAULT'
+ set vpn ipsec site-to-site peer 172.18.201.10 ikev2-reauth 'inherit'
+ set vpn ipsec site-to-site peer 172.18.201.10 local-address '172.18.202.10'
+ set vpn ipsec site-to-site peer 172.18.201.10 vti bind 'vti10'
+ set vpn ipsec site-to-site peer 172.18.201.10 vti esp-group 'ESP_DEFAULT'
+
+.. _RFC3031: https://tools.ietf.org/html/rfc3021
generated by cgit v1.2.3 (git 2.39.1) at 2024-11-25 05:09:23 +0000