Diffstat (limited to 'docs/configuration/vpn')
-rw-r--r-- docs/configuration/vpn/l2tp.rst | 12
-rw-r--r-- docs/configuration/vpn/openconnect.rst | 7
-rw-r--r-- docs/configuration/vpn/pptp.rst | 4
-rw-r--r-- docs/configuration/vpn/site2site_ipsec.rst | 129
-rw-r--r-- docs/configuration/vpn/sstp.rst | 18
5 files changed, 97 insertions, 73 deletions
diff --git a/docs/configuration/vpn/l2tp.rst b/docs/configuration/vpn/l2tp.rst
index 26de47b3..4a7657e7 100644
--- a/docs/configuration/vpn/l2tp.rst
+++ b/docs/configuration/vpn/l2tp.rst
@@ -17,8 +17,8 @@ with native Windows and Mac VPN clients):
set vpn ipsec interface eth0
set vpn l2tp remote-access outside-address 192.0.2.2
- set vpn l2tp remote-access client-ip-pool start 192.168.255.2
- set vpn l2tp remote-access client-ip-pool stop 192.168.255.254
+ set vpn l2tp remote-access client-ip-pool L2TP-POOL range 192.168.255.2-192.168.255.254
+ set vpn l2tp remote-access default-pool 'L2TP-POOL'
set vpn l2tp remote-access ipsec-settings authentication mode pre-shared-secret
set vpn l2tp remote-access ipsec-settings authentication pre-shared-secret <secret>
set vpn l2tp remote-access authentication mode local
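Review bot: the two new lines quote inconsistently: `client-ip-pool L2TP-POOL range 192.168.255.2-192.168.255.254` has no quotes while the next line uses `default-pool 'L2TP-POOL'`; pick one style for the whole block (the surrounding context lines are unquoted). It would also help the reader to state in the prose whether `default-pool` is required whenever a named pool exists, since the example adds it without explanation.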
@@ -95,8 +95,8 @@ Below is an example to configure a LNS:
.. code-block:: none
set vpn l2tp remote-access outside-address 192.0.2.2
- set vpn l2tp remote-access client-ip-pool start 192.168.255.2
- set vpn l2tp remote-access client-ip-pool stop 192.168.255.254
+ set vpn l2tp remote-access client-ip-pool L2TP-POOL range 192.168.255.2-192.168.255.254
+ set vpn l2tp remote-access default-pool 'L2TP-POOL'
set vpn l2tp remote-access lns shared-secret 'secret'
set vpn l2tp remote-access ccp-disable
set vpn l2tp remote-access authentication mode local
@@ -122,8 +122,8 @@ The rate-limit is set in kbit/sec.
.. code-block:: none
set vpn l2tp remote-access outside-address 192.0.2.2
- set vpn l2tp remote-access client-ip-pool start 192.168.255.2
- set vpn l2tp remote-access client-ip-pool stop 192.168.255.254
+ set vpn l2tp remote-access client-ip-pool L2TP-POOL range 192.168.255.2-192.168.255.254
+ set vpn l2tp remote-access default-pool 'L2TP-POOL'
set vpn l2tp remote-access authentication mode local
set vpn l2tp remote-access authentication local-users username test password test
set vpn l2tp remote-access authentication local-users username test rate-limit download 20480
diff --git a/docs/configuration/vpn/openconnect.rst b/docs/configuration/vpn/openconnect.rst
index 1cc197e9..845d9196 100644
--- a/docs/configuration/vpn/openconnect.rst
+++ b/docs/configuration/vpn/openconnect.rst
@@ -165,6 +165,13 @@ Simple setup with one user added and password authentication:
set vpn openconnect ssl ca-certificate 'ca-ocserv'
set vpn openconnect ssl certificate 'srv-ocserv'
+To enable the HTTP security headers in the configuration file, use the command:
+
+.. code-block:: none
+
+ set vpn openconnect http-security-headers
+
+
Adding a 2FA with an OTP-key
============================
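Review bot: the new paragraph does not say what `set vpn openconnect http-security-headers` actually changes: "in the configuration file" is ambiguous (the generated ocserv configuration, presumably) and no headers are named, so a reader cannot judge whether to enable it. Suggest naming the headers the option emits, or at least stating that it is a flag with no value and which component honours it. Style: the hunk leaves two blank lines before the "Adding a 2FA with an OTP-key" heading (lines `+` and `+`), one is enough.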
diff --git a/docs/configuration/vpn/pptp.rst b/docs/configuration/vpn/pptp.rst
index 12364acb..fe536eec 100644
--- a/docs/configuration/vpn/pptp.rst
+++ b/docs/configuration/vpn/pptp.rst
@@ -20,8 +20,8 @@ server example
set vpn pptp remote-access authentication local-users username test password 'test'
set vpn pptp remote-access authentication mode 'local'
- set vpn pptp remote-access client-ip-pool start '192.168.0.10'
- set vpn pptp remote-access client-ip-pool stop '192.168.0.15'
+ set vpn pptp remote-access client-ip-pool PPTP-POOL range 192.168.0.10-192.168.0.15
+ set vpn pptp remote-access default-pool 'PPTP-POOL'
set vpn pptp remote-access gateway-address '10.100.100.1'
set vpn pptp remote-access outside-address '10.1.1.120'
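Review bot: every other value in this example is quoted (`'local'`, `'10.100.100.1'`, `'PPTP-POOL'`) but the new `client-ip-pool PPTP-POOL range 192.168.0.10-192.168.0.15` line is not; quote the range for consistency with the block it replaces.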
diff --git a/docs/configuration/vpn/site2site_ipsec.rst b/docs/configuration/vpn/site2site_ipsec.rst
index 8c0af774..23df1b76 100644
--- a/docs/configuration/vpn/site2site_ipsec.rst
+++ b/docs/configuration/vpn/site2site_ipsec.rst
@@ -10,8 +10,8 @@ connected/routed networks.
To configure site-to-site connection you need to add peers with the
``set vpn ipsec site-to-site peer <name>`` command.
-The peer name must be an alphanumeric and can have hypen or underscore as
-special characters. It is purely informational.
+The peer name must be an alphanumeric and can have hypen or underscore as
+special characters. It is purely informational.
Each site-to-site peer has the next options:
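Review bot: this hunk is whitespace-only (the removed and added lines read identically), so while touching these lines fix the typo "hypen" to "hyphen" and the grammar "must be an alphanumeric" to "must be alphanumeric", and the sentence "Each site-to-site peer has the next options:" reads better as "has the following options:".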
@@ -20,11 +20,11 @@ Each site-to-site peer has the next options:
* ``psk`` - Preshared secret key name:
- * ``dhcp-interface`` - ID for authentication generated from DHCP address
+ * ``dhcp-interface`` - ID for authentication generated from DHCP address
dynamically;
- * ``id`` - static ID's for authentication. In general local and remote
+ * ``id`` - static ID's for authentication. In general local and remote
address ``<x.x.x.x>``, ``<h:h:h:h:h:h:h:h>`` or ``%any``;
- * ``secret`` - predefined shared secret. Used if configured mode
+ * ``secret`` - predefined shared secret. Used if configured mode
``pre-shared-secret``;
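Review bot: again a whitespace-only hunk; since the lines are being rewritten anyway, "static ID's" should be "static IDs" and "Used if configured mode ``pre-shared-secret``" should say what it means, e.g. "used when the authentication mode is ``pre-shared-secret``".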
@@ -110,7 +110,7 @@ Each site-to-site peer has the next options:
* ``remote-address`` - remote IP address or hostname for IPSec connection.
IPv4 or IPv6 address is used when a peer has a public static IP address.
- Hostname is a DNS name which could be used when a peer has a public IP
+ Hostname is a DNS name which could be used when a peer has a public IP
address and DNS name, but an IP address could be changed from time to time.
* ``tunnel`` - define criteria for traffic to be matched for encrypting and send
@@ -149,9 +149,9 @@ Each site-to-site peer has the next options:
* ``esp-group`` - define ESP group for encrypt traffic, passed this VTI
interface.
-* ``virtual-address`` - Defines a virtual IP address which is requested by the
- initiator and one or several IPv4 and/or IPv6 addresses are assigned from
- multiple pools by the responder.
+* ``virtual-address`` - Defines a virtual IP address which is requested by the
+ initiator and one or several IPv4 and/or IPv6 addresses are assigned from
+ multiple pools by the responder.
Examples:
------------------
@@ -308,31 +308,35 @@ Imagine the following topology
set interfaces dummy dum0 address '10.0.11.1/24'
set interfaces vti vti10 address '10.0.0.2/31'
- set vpn ipsec option disable-route-autoinstall
- set vpn ipsec authentication psk OFFICE-B id '172.18.201.10'
- set vpn ipsec authentication psk OFFICE-B id '172.18.202.10'
- set vpn ipsec authentication psk OFFICE-B secret 'secretkey'
+ set vpn ipsec authentication psk peer_172-18-202-10 id '172.18.201.10'
+ set vpn ipsec authentication psk peer_172-18-202-10 id '172.18.202.10'
+ set vpn ipsec authentication psk peer_172-18-202-10 secret 'secretkey'
set vpn ipsec esp-group ESP_DEFAULT lifetime '3600'
set vpn ipsec esp-group ESP_DEFAULT mode 'tunnel'
set vpn ipsec esp-group ESP_DEFAULT pfs 'dh-group19'
set vpn ipsec esp-group ESP_DEFAULT proposal 10 encryption 'aes256gcm128'
set vpn ipsec esp-group ESP_DEFAULT proposal 10 hash 'sha256'
+ set vpn ipsec ike-group IKEv2_DEFAULT close-action 'none'
+ set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection action 'hold'
+ set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection interval '30'
+ set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection timeout '120'
+ set vpn ipsec ike-group IKEv2_DEFAULT disable-mobike
set vpn ipsec ike-group IKEv2_DEFAULT key-exchange 'ikev2'
set vpn ipsec ike-group IKEv2_DEFAULT lifetime '10800'
- set vpn ipsec ike-group IKEv2_DEFAULT disable-mobike
set vpn ipsec ike-group IKEv2_DEFAULT proposal 10 dh-group '19'
set vpn ipsec ike-group IKEv2_DEFAULT proposal 10 encryption 'aes256gcm128'
set vpn ipsec ike-group IKEv2_DEFAULT proposal 10 hash 'sha256'
set vpn ipsec interface 'eth0.201'
- set vpn ipsec site-to-site peer OFFICE-B authentication local-id '172.18.201.10'
- set vpn ipsec site-to-site peer OFFICE-B authentication mode 'pre-shared-secret'
- set vpn ipsec site-to-site peer OFFICE-B authentication remote-id '172.18.202.10'
- set vpn ipsec site-to-site peer OFFICE-B connection-type 'respond'
- set vpn ipsec site-to-site peer OFFICE-B ike-group 'IKEv2_DEFAULT'
- set vpn ipsec site-to-site peer OFFICE-B local-address '172.18.201.10'
- set vpn ipsec site-to-site peer OFFICE-B remote-address '172.18.202.10'
- set vpn ipsec site-to-site peer OFFICE-B vti bind 'vti10'
- set vpn ipsec site-to-site peer OFFICE-B vti esp-group 'ESP_DEFAULT'
+ set vpn ipsec site-to-site peer peer_172-18-202-10 authentication local-id '172.18.201.10'
+ set vpn ipsec site-to-site peer peer_172-18-202-10 authentication mode 'pre-shared-secret'
+ set vpn ipsec site-to-site peer peer_172-18-202-10 authentication remote-id '172.18.202.10'
+ set vpn ipsec site-to-site peer peer_172-18-202-10 connection-type 'initiate'
+ set vpn ipsec site-to-site peer peer_172-18-202-10 ike-group 'IKEv2_DEFAULT'
+ set vpn ipsec site-to-site peer peer_172-18-202-10 ikev2-reauth 'inherit'
+ set vpn ipsec site-to-site peer peer_172-18-202-10 local-address '172.18.201.10'
+ set vpn ipsec site-to-site peer peer_172-18-202-10 remote-address '172.18.202.10'
+ set vpn ipsec site-to-site peer peer_172-18-202-10 vti bind 'vti10'
+ set vpn ipsec site-to-site peer peer_172-18-202-10 vti esp-group 'ESP_DEFAULT'
set protocols static interface-route 10.0.12.0/24 next-hop-interface vti10
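Review bot: `set vpn ipsec option disable-route-autoinstall` is dropped from this VTI example, yet the Key Parameters section in the same file (unchanged context below) still says the option "is mostly used with VTI configuration"; either keep the line or add a sentence explaining why it is no longer needed here. Second, OFFICE-A moves from `connection-type 'respond'` to `'initiate'` while OFFICE-B stays `'initiate'`, so the example no longer shows an initiate/respond pairing; the same file warns that connection-type "has to [be] considered carefully" once close-action is set, so a sentence on why both ends initiate (close-action is `'none'` here) would prevent readers copying it blindly. Third, the new `ikev2-reauth 'inherit'` line is not described anywhere in this diff's Key Parameters hunk; document it or drop it if `inherit` is the default.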
@@ -344,34 +348,35 @@ Imagine the following topology
set interfaces dummy dum0 address '10.0.12.1/24'
set interfaces vti vti10 address '10.0.0.3/31'
- set vpn ipsec option disable-route-autoinstall
- set vpn ipsec authentication psk OFFICE-A id '172.18.201.10'
- set vpn ipsec authentication psk OFFICE-A id '172.18.202.10'
- set vpn ipsec authentication psk OFFICE-A secret 'secretkey'
+ set vpn ipsec authentication psk peer_172-18-201-10 id '172.18.202.10'
+ set vpn ipsec authentication psk peer_172-18-201-10 id '172.18.201.10'
+ set vpn ipsec authentication psk peer_172-18-201-10 secret 'secretkey'
set vpn ipsec esp-group ESP_DEFAULT lifetime '3600'
set vpn ipsec esp-group ESP_DEFAULT mode 'tunnel'
set vpn ipsec esp-group ESP_DEFAULT pfs 'dh-group19'
set vpn ipsec esp-group ESP_DEFAULT proposal 10 encryption 'aes256gcm128'
set vpn ipsec esp-group ESP_DEFAULT proposal 10 hash 'sha256'
- set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection action 'restart'
+ set vpn ipsec ike-group IKEv2_DEFAULT close-action 'none'
+ set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection action 'hold'
set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection interval '30'
set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection timeout '120'
+ set vpn ipsec ike-group IKEv2_DEFAULT disable-mobike
set vpn ipsec ike-group IKEv2_DEFAULT key-exchange 'ikev2'
set vpn ipsec ike-group IKEv2_DEFAULT lifetime '10800'
- set vpn ipsec ike-group IKEv2_DEFAULT disable-mobike
set vpn ipsec ike-group IKEv2_DEFAULT proposal 10 dh-group '19'
set vpn ipsec ike-group IKEv2_DEFAULT proposal 10 encryption 'aes256gcm128'
set vpn ipsec ike-group IKEv2_DEFAULT proposal 10 hash 'sha256'
set vpn ipsec interface 'eth0.202'
- set vpn ipsec site-to-site peer OFFICE-A authentication local-id '172.18.202.10'
- set vpn ipsec site-to-site peer OFFICE-A authentication mode 'pre-shared-secret'
- set vpn ipsec site-to-site peer OFFICE-A authentication remote-id '172.18.201.10'
- set vpn ipsec site-to-site peer OFFICE-A connection-type 'initiate'
- set vpn ipsec site-to-site peer OFFICE-A ike-group 'IKEv2_DEFAULT'
- set vpn ipsec site-to-site peer OFFICE-A local-address '172.18.202.10'
- set vpn ipsec site-to-site peer OFFICE-A remote-address '172.18.201.10'
- set vpn ipsec site-to-site peer OFFICE-A vti bind 'vti10'
- set vpn ipsec site-to-site peer OFFICE-A vti esp-group 'ESP_DEFAULT'
+ set vpn ipsec site-to-site peer peer_172-18-201-10 authentication local-id '172.18.202.10'
+ set vpn ipsec site-to-site peer peer_172-18-201-10 authentication mode 'pre-shared-secret'
+ set vpn ipsec site-to-site peer peer_172-18-201-10 authentication remote-id '172.18.201.10'
+ set vpn ipsec site-to-site peer peer_172-18-201-10 connection-type 'initiate'
+ set vpn ipsec site-to-site peer peer_172-18-201-10 ike-group 'IKEv2_DEFAULT'
+ set vpn ipsec site-to-site peer peer_172-18-201-10 ikev2-reauth 'inherit'
+ set vpn ipsec site-to-site peer peer_172-18-201-10 local-address '172.18.202.10'
+ set vpn ipsec site-to-site peer peer_172-18-201-10 remote-address '172.18.201.10'
+ set vpn ipsec site-to-site peer peer_172-18-201-10 vti bind 'vti10'
+ set vpn ipsec site-to-site peer peer_172-18-201-10 vti esp-group 'ESP_DEFAULT'
set protocols static interface-route 10.0.11.0/24 next-hop-interface vti10
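Review bot: `dead-peer-detection action` changes from `'restart'` to `'hold'` on this peer with no explanation, although the Key Parameters text below describes the two as different behaviours (hold installs a trap policy, restart renegotiates immediately); a short note on why hold was chosen for a VTI tunnel would be useful. Minor: the two `authentication psk peer_172-18-201-10 id` lines are listed in the opposite order to the OFFICE-A block; ordering them the same way makes the two configs easier to compare.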
@@ -379,44 +384,44 @@ Key Parameters:
* ``authentication local-id/remote-id`` - IKE identification is used for
validation of VPN peer devices during IKE negotiation. If you do not configure
- local/remote-identity, the device uses the IPv4 or IPv6 address that
+ local/remote-identity, the device uses the IPv4 or IPv6 address that
corresponds to the local/remote peer by default.
- In certain network setups (like ipsec interface with dynamic address, or
- behind the NAT ), the IKE ID received from the peer does not match the IKE
- gateway configured on the device. This can lead to a Phase 1 validation
+ In certain network setups (like ipsec interface with dynamic address, or
+ behind the NAT ), the IKE ID received from the peer does not match the IKE
+ gateway configured on the device. This can lead to a Phase 1 validation
failure.
- So, make sure to configure the local/remote id explicitly and ensure that the
+ So, make sure to configure the local/remote id explicitly and ensure that the
IKE ID is the same as the remote-identity configured on the peer device.
* ``disable-route-autoinstall`` - This option when configured disables the
routes installed in the default table 220 for site-to-site ipsec.
It is mostly used with VTI configuration.
-* ``dead-peer-detection action = clear | hold | restart`` - R_U_THERE
- notification messages(IKEv1) or empty INFORMATIONAL messages (IKEv2)
- are periodically sent in order to check the liveliness of the IPsec peer. The
- values clear, hold, and restart all activate DPD and determine the action to
+* ``dead-peer-detection action = clear | hold | restart`` - R_U_THERE
+ notification messages(IKEv1) or empty INFORMATIONAL messages (IKEv2)
+ are periodically sent in order to check the liveliness of the IPsec peer. The
+ values clear, hold, and restart all activate DPD and determine the action to
perform on a timeout.
- With ``clear`` the connection is closed with no further actions taken.
- ``hold`` installs a trap policy, which will catch matching traffic and tries
- to re-negotiate the connection on demand.
- ``restart`` will immediately trigger an attempt to re-negotiate the
+ With ``clear`` the connection is closed with no further actions taken.
+ ``hold`` installs a trap policy, which will catch matching traffic and tries
+ to re-negotiate the connection on demand.
+ ``restart`` will immediately trigger an attempt to re-negotiate the
connection.
-* ``close-action = none | clear | hold | restart`` - defines the action to take
- if the remote peer unexpectedly closes a CHILD_SA (see above for meaning of
+* ``close-action = none | clear | hold | restart`` - defines the action to take
+ if the remote peer unexpectedly closes a CHILD_SA (see above for meaning of
values). A closeaction should not be used if the peer uses reauthentication or
uniqueids.
-
- When the close-action option is set on the peers, the connection-type
+
+ When the close-action option is set on the peers, the connection-type
of each peer has to considered carefully. For example, if the option is set
- on both peers, then both would attempt to initiate and hold open multiple
- copies of each child SA. This might lead to instability of the device or
- cpu/memory utilization.
-
- Below flow-chart could be a quick reference for the close-action
- combination depending on how the peer is configured.
+ on both peers, then both would attempt to initiate and hold open multiple
+ copies of each child SA. This might lead to instability of the device or
+ cpu/memory utilization.
+
+ Below flow-chart could be a quick reference for the close-action
+ combination depending on how the peer is configured.
.. figure:: /_static/images/IPSec_close_action_settings.jpg
-
+
Similar combinations are applicable for the dead-peer-detection.
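Review bot: most of this hunk is whitespace-only, so it is the moment to fix the wording it re-emits: "liveliness" should be "liveness", "closeaction" should be "close-action", "has to considered carefully" is missing "be", "Below flow-chart could be a quick reference" reads better as "The flow chart below is a quick reference", and "cpu/memory utilization" should say "high CPU/memory utilization" since it is named as a failure outcome. Also the statement "A closeaction should not be used if the peer uses reauthentication" is left unqualified while the example above sets `ikev2-reauth 'inherit'`; say what `inherit` resolves to so readers can tell whether the warning applies to the example.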
diff --git a/docs/configuration/vpn/sstp.rst b/docs/configuration/vpn/sstp.rst
index f3e062fe..d9bb4353 100644
--- a/docs/configuration/vpn/sstp.rst
+++ b/docs/configuration/vpn/sstp.rst
@@ -116,9 +116,20 @@ Configuration
Specifies the port `<port>` that the SSTP port will listen on (default 443).
-.. cfgcmd:: set vpn sstp client-ip-pool subnet <subnet>
+.. cfgcmd:: set vpn sstp client-ip-pool <POOL-NAME> range <x.x.x.x-x.x.x.x | x.x.x.x/x>
- Use `<subnet>` as the IP pool for all connecting clients.
+ Use this command to define the first IP address of a pool of
+ addresses to be given to SSTP clients. If notation ``x.x.x.x-x.x.x.x``,
+ it must be within a /24 subnet. If notation ``x.x.x.x/x`` is
+ used there is possibility to set host/netmask.
+
+.. cfgcmd:: set vpn sstp client-ip-pool <POOL-NAME> next-pool <NEXT-POOL-NAME>
+
+ Use this command to define the next address pool name.
+
+.. cfgcmd:: set vpn sstp default-pool <POOL-NAME>
+
+ Use this command to define default address pool name.
.. cfgcmd:: set vpn sstp client-ipv6-pool prefix <address> mask <number-of-bits>
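Review bot: the description of `client-ip-pool <POOL-NAME> range` is wrong for what the command now does: it says "define the first IP address of a pool" (carried over from the old start/stop wording) but the argument is a whole range or prefix. The two notation sentences are also incomplete: "If notation ``x.x.x.x-x.x.x.x``, it must be within a /24 subnet" is missing "is used", and "there is possibility to set host/netmask" should say what the prefix form means, e.g. "the pool is every host address of the given prefix". Suggested replacement: "Defines a pool of addresses handed to SSTP clients. With the ``x.x.x.x-x.x.x.x`` notation the range must lie within a /24; with ``x.x.x.x/x`` the whole prefix is used."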
@@ -282,7 +293,8 @@ Example
set vpn sstp authentication local-users username vyos password vyos
set vpn sstp authentication mode local
set vpn sstp gateway-address 192.0.2.254
- set vpn sstp client-ip-pool subnet 192.0.2.0/25
+ set vpn sstp client-ip-pool SSTP-POOL range 192.0.2.0/25
+ set vpn sstp default-pool 'SSTP-POOL'
set vpn sstp name-server 10.0.0.1
set vpn sstp name-server 10.0.0.2
set vpn sstp ssl ca-cert-file /config/auth/ca.crt
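Review bot: `default-pool 'SSTP-POOL'` is the only quoted value in this example while the neighbouring `client-ip-pool SSTP-POOL range 192.0.2.0/25` and every context line are unquoted; use one quoting style within the block, as the rest of the file does.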