summaryrefslogtreecommitdiff
path: root/docs/configuration
diff options
context:
space:
mode:
Diffstat (limited to 'docs/configuration')
-rw-r--r--docs/configuration/highavailability/index.rst59
-rw-r--r--docs/configuration/interfaces/l2tpv3.rst21
-rw-r--r--docs/configuration/interfaces/pppoe.rst8
-rw-r--r--docs/configuration/interfaces/tunnel.rst8
-rw-r--r--docs/configuration/interfaces/wwan.rst1
-rw-r--r--docs/configuration/nat/nat44.rst27
-rw-r--r--docs/configuration/policy/large-community-list.rst2
-rw-r--r--docs/configuration/protocols/bgp.rst35
-rw-r--r--docs/configuration/service/dhcp-relay.rst33
-rw-r--r--docs/configuration/service/dhcp-server.rst6
-rw-r--r--docs/configuration/service/ipoe-server.rst45
-rw-r--r--docs/configuration/system/acceleration.rst39
-rw-r--r--docs/configuration/vpn/dmvpn.rst4
-rw-r--r--docs/configuration/vpn/ipsec.rst6
-rw-r--r--docs/configuration/vpn/site2site_ipsec.rst34
15 files changed, 262 insertions, 66 deletions
diff --git a/docs/configuration/highavailability/index.rst b/docs/configuration/highavailability/index.rst
index 9150b1bd..bc8aad99 100644
--- a/docs/configuration/highavailability/index.rst
+++ b/docs/configuration/highavailability/index.rst
@@ -357,6 +357,21 @@ Forward method
set high-availability virtual-server 203.0.113.1 forward-method 'nat'
+Health-check
+^^^^^^^^^^^^
+Custom health-check script allows checking real-server availability
+
+.. code-block:: none
+
+ set high-availability virtual-server 203.0.113.1 real-server 192.0.2.11 health-check script <path-to-script>
+
+Fwmark
+^^^^^^
+Firewall mark. It possible to loadbalancing traffic based on ``fwmark`` value
+
+.. code-block:: none
+
+ set high-availability virtual-server 203.0.113.1 fwmark '111'
Real server
^^^^^^^^^^^
@@ -395,3 +410,47 @@ Real server is auto-excluded if port check with this server fail.
set high-availability virtual-server 203.0.113.1 protocol 'tcp'
set high-availability virtual-server 203.0.113.1 real-server 192.0.2.11 port '80'
set high-availability virtual-server 203.0.113.1 real-server 192.0.2.12 port '80'
+
+
+A firewall mark ``fwmark`` allows using multiple ports for high-availability
+virtual-server.
+It uses fwmark value.
+
+In this example all traffic destined to ports "80, 2222, 8888" protocol TCP
+marks to fwmark "111" and balanced between 2 real servers.
+Port "0" is required if multiple ports are used.
+
+.. code-block:: none
+
+ set interfaces ethernet eth0 address 'dhcp'
+ set interfaces ethernet eth0 description 'WAN'
+ set interfaces ethernet eth1 address '192.0.2.1/24'
+ set interfaces ethernet eth1 description 'LAN'
+
+ set policy route PR interface 'eth0'
+ set policy route PR rule 10 destination port '80,2222,8888'
+ set policy route PR rule 10 protocol 'tcp'
+ set policy route PR rule 10 set mark '111'
+
+ set high-availability virtual-server vyos fwmark '111'
+ set high-availability virtual-server vyos protocol 'tcp'
+ set high-availability virtual-server vyos real-server 192.0.2.11 health-check script '/config/scripts/check-real-server-first.sh'
+ set high-availability virtual-server vyos real-server 192.0.2.11 port '0'
+ set high-availability virtual-server vyos real-server 192.0.2.12 health-check script '/config/scripts/check-real-server-second.sh'
+ set high-availability virtual-server vyos real-server 192.0.2.12 port '0'
+
+ set nat source rule 100 outbound-interface 'eth0'
+ set nat source rule 100 source address '192.0.2.0/24'
+ set nat source rule 100 translation address 'masquerade'
+
+Op-mode check virtual-server status
+
+.. code-block:: none
+
+ vyos@r14:~$ run show virtual-server
+ IP Virtual Server version 1.2.1 (size=4096)
+ Prot LocalAddress:Port Scheduler Flags
+ -> RemoteAddress:Port Forward Weight ActiveConn InActConn
+ FWM 111 lc persistent 300
+ -> 192.0.2.11:0 Masq 1 0 0
+ -> 192.0.2.12:0 Masq 1 1 0
diff --git a/docs/configuration/interfaces/l2tpv3.rst b/docs/configuration/interfaces/l2tpv3.rst
index bd5d6862..897e38dc 100644
--- a/docs/configuration/interfaces/l2tpv3.rst
+++ b/docs/configuration/interfaces/l2tpv3.rst
@@ -141,29 +141,26 @@ IPSec:
.. code-block:: none
+ set vpn ipsec authentication psk <pre-shared-name> id '%any'
+ set vpn ipsec authentication psk <pre-shared-name> secret <pre-shared-key>
set vpn ipsec interface <VPN-interface>
- set vpn ipsec esp-group test-ESP-1 compression 'disable'
set vpn ipsec esp-group test-ESP-1 lifetime '3600'
set vpn ipsec esp-group test-ESP-1 mode 'transport'
set vpn ipsec esp-group test-ESP-1 pfs 'enable'
set vpn ipsec esp-group test-ESP-1 proposal 1 encryption 'aes128'
set vpn ipsec esp-group test-ESP-1 proposal 1 hash 'sha1'
- set vpn ipsec ike-group test-IKE-1 ikev2-reauth 'no'
set vpn ipsec ike-group test-IKE-1 key-exchange 'ikev1'
set vpn ipsec ike-group test-IKE-1 lifetime '3600'
set vpn ipsec ike-group test-IKE-1 proposal 1 dh-group '5'
set vpn ipsec ike-group test-IKE-1 proposal 1 encryption 'aes128'
set vpn ipsec ike-group test-IKE-1 proposal 1 hash 'sha1'
- set vpn ipsec site-to-site peer <peer-ip> authentication mode 'pre-shared-secret'
- set vpn ipsec site-to-site peer <peer-ip> authentication pre-shared-secret <pre-shared-key>
- set vpn ipsec site-to-site peer <peer-ip> connection-type 'initiate'
- set vpn ipsec site-to-site peer <peer-ip> ike-group 'test-IKE-1'
- set vpn ipsec site-to-site peer <peer-ip> ikev2-reauth 'inherit'
- set vpn ipsec site-to-site peer <peer-ip> local-address <local-ip>
- set vpn ipsec site-to-site peer <peer-ip> tunnel 1 allow-nat-networks 'disable'
- set vpn ipsec site-to-site peer <peer-ip> tunnel 1 allow-public-networks 'disable'
- set vpn ipsec site-to-site peer <peer-ip> tunnel 1 esp-group 'test-ESP-1'
- set vpn ipsec site-to-site peer <peer-ip> tunnel 1 protocol 'l2tp'
+ set vpn ipsec site-to-site peer <connection-name> authentication mode 'pre-shared-secret'
+ set vpn ipsec site-to-site peer <connection-name> connection-type 'initiate'
+ set vpn ipsec site-to-site peer <connection-name> ike-group 'test-IKE-1'
+ set vpn ipsec site-to-site peer <connection-name> ikev2-reauth 'inherit'
+ set vpn ipsec site-to-site peer <connection-name> local-address <local-ip>
+ set vpn ipsec site-to-site peer <connection-name> tunnel 1 esp-group 'test-ESP-1'
+ set vpn ipsec site-to-site peer <connection-name> tunnel 1 protocol 'l2tp'
Bridge:
diff --git a/docs/configuration/interfaces/pppoe.rst b/docs/configuration/interfaces/pppoe.rst
index 0953e948..cf406baf 100644
--- a/docs/configuration/interfaces/pppoe.rst
+++ b/docs/configuration/interfaces/pppoe.rst
@@ -91,7 +91,7 @@ PPPoE options
This command allows you to select a specific access concentrator when you
know the access concentrators `<name>`.
-.. cfgcmd:: set interfaces pppoe <interface> authentication user <username>
+.. cfgcmd:: set interfaces pppoe <interface> authentication username <username>
Use this command to set the username for authenticating with a remote PPPoE
endpoint. Authentication is optional from the system's point of view but
@@ -324,7 +324,7 @@ Requirements:
.. code-block:: none
- set interfaces pppoe pppoe0 authentication user 'userid'
+ set interfaces pppoe pppoe0 authentication username 'userid'
set interfaces pppoe pppoe0 authentication password 'secret'
set interfaces pppoe pppoe0 source-interface 'eth0'
@@ -349,7 +349,7 @@ which is the default VLAN for Deutsche Telekom:
.. code-block:: none
- set interfaces pppoe pppoe0 authentication user 'userid'
+ set interfaces pppoe pppoe0 authentication username 'userid'
set interfaces pppoe pppoe0 authentication password 'secret'
set interfaces pppoe pppoe0 source-interface 'eth0.7'
@@ -367,7 +367,7 @@ If you do not know the prefix size delegated to you, start with sla-len 0.
.. code-block:: none
- set interfaces pppoe pppoe0 authentication user vyos
+ set interfaces pppoe pppoe0 authentication username vyos
set interfaces pppoe pppoe0 authentication password vyos
set interfaces pppoe pppoe0 dhcpv6-options pd 0 interface eth0 address '1'
set interfaces pppoe pppoe0 dhcpv6-options pd 0 interface eth0 sla-id '0'
diff --git a/docs/configuration/interfaces/tunnel.rst b/docs/configuration/interfaces/tunnel.rst
index bd7a8460..31539d9f 100644
--- a/docs/configuration/interfaces/tunnel.rst
+++ b/docs/configuration/interfaces/tunnel.rst
@@ -18,7 +18,11 @@ a closer look at the protocols and options currently supported by VyOS.
Common interface configuration
------------------------------
-.. cmdinclude:: /_include/interface-common-without-dhcp1.txt
+.. cmdinclude:: /_include/interface-address.txt
+ :var0: tunnel
+ :var1: tun0
+
+.. cmdinclude:: /_include/interface-common-without-mac.txt
:var0: tunnel
:var1: tun0
@@ -207,7 +211,7 @@ GRETAP
^^^^^^^
While normal GRE is for layer 3, GRETAP is for layer 2. GRETAP can encapsulate
-Ethernet frames, thus it can be bridged with other interfaces to create
+Ethernet frames, thus it can be bridged with other interfaces to create
datalink layer segments that span multiple remote sites.
.. code-block:: none
diff --git a/docs/configuration/interfaces/wwan.rst b/docs/configuration/interfaces/wwan.rst
index 45b18387..98890158 100644
--- a/docs/configuration/interfaces/wwan.rst
+++ b/docs/configuration/interfaces/wwan.rst
@@ -22,7 +22,6 @@ Common interface configuration
:var0: wwan
:var1: wwan0
-
.. cmdinclude:: /_include/interface-description.txt
:var0: wwan
:var1: wwan0
diff --git a/docs/configuration/nat/nat44.rst b/docs/configuration/nat/nat44.rst
index 62964fea..b2ba61af 100644
--- a/docs/configuration/nat/nat44.rst
+++ b/docs/configuration/nat/nat44.rst
@@ -697,17 +697,22 @@ too.
.. code-block:: none
- set vpn ipsec site-to-site peer 198.51.100.243 authentication mode 'pre-shared-secret'
- set vpn ipsec site-to-site peer 198.51.100.243 authentication pre-shared-secret 'PASSWORD IS HERE'
- set vpn ipsec site-to-site peer 198.51.100.243 connection-type 'initiate'
- set vpn ipsec site-to-site peer 198.51.100.243 default-esp-group 'my-esp'
- set vpn ipsec site-to-site peer 198.51.100.243 ike-group 'my-ike'
- set vpn ipsec site-to-site peer 198.51.100.243 ikev2-reauth 'inherit'
- set vpn ipsec site-to-site peer 198.51.100.243 local-address '203.0.113.46'
- set vpn ipsec site-to-site peer 198.51.100.243 tunnel 0 local prefix '172.29.41.89/32'
- set vpn ipsec site-to-site peer 198.51.100.243 tunnel 0 remote prefix '172.27.1.0/24'
- set vpn ipsec site-to-site peer 198.51.100.243 tunnel 1 local prefix '172.29.41.89/32'
- set vpn ipsec site-to-site peer 198.51.100.243 tunnel 1 remote prefix '10.125.0.0/16'
+ set vpn ipsec authentication psk vyos id '203.0.113.46'
+ set vpn ipsec authentication psk vyos id '198.51.100.243'
+ set vpn ipsec authentication psk vyos secret 'MYSECRETPASSWORD'
+ set vpn ipsec site-to-site peer branch authentication local-id '203.0.113.46'
+ set vpn ipsec site-to-site peer branch authentication mode 'pre-shared-secret'
+ set vpn ipsec site-to-site peer branch authentication remote-id '198.51.100.243'
+ set vpn ipsec site-to-site peer branch connection-type 'initiate'
+ set vpn ipsec site-to-site peer branch default-esp-group 'my-esp'
+ set vpn ipsec site-to-site peer branch ike-group 'my-ike'
+ set vpn ipsec site-to-site peer branch ikev2-reauth 'inherit'
+ set vpn ipsec site-to-site peer branch local-address '203.0.113.46'
+ set vpn ipsec site-to-site peer branch remote-address '198.51.100.243'
+ set vpn ipsec site-to-site peer branch tunnel 0 local prefix '172.29.41.89/32'
+ set vpn ipsec site-to-site peer branch tunnel 0 remote prefix '172.27.1.0/24'
+ set vpn ipsec site-to-site peer branch tunnel 1 local prefix '172.29.41.89/32'
+ set vpn ipsec site-to-site peer branch tunnel 1 remote prefix '10.125.0.0/16'
Testing and Validation
""""""""""""""""""""""
diff --git a/docs/configuration/policy/large-community-list.rst b/docs/configuration/policy/large-community-list.rst
index 39da0815..0c57fd4a 100644
--- a/docs/configuration/policy/large-community-list.rst
+++ b/docs/configuration/policy/large-community-list.rst
@@ -14,7 +14,7 @@ policy large-community-list
.. cfgcmd:: set policy large-community-list <text>
- Creat large-community-list policy identified by name <text>.
+ Create large-community-list policy identified by name <text>.
.. cfgcmd:: set policy large-community-list <text> description <text>
diff --git a/docs/configuration/protocols/bgp.rst b/docs/configuration/protocols/bgp.rst
index 6593730f..68688b25 100644
--- a/docs/configuration/protocols/bgp.rst
+++ b/docs/configuration/protocols/bgp.rst
@@ -206,6 +206,41 @@ Defining Peers
peers ASN is the same as mine as specified under the :cfgcmd:`protocols
bgp <asn>` command the connection will be denied.
+.. cfgcmd:: set protocols bgp neighbor <address|interface> local-role
+ <role> [strict]
+
+ BGP roles are defined in RFC :rfc:`9234` and provide an easy way to
+ add route leak prevention, detection and mitigation. The local Role
+ value is negotiated with the new BGP Role capability which has a
+ built-in check of the corresponding value. In case of a mismatch the
+ new OPEN Roles Mismatch Notification <2, 11> would be sent.
+ The correct Role pairs are:
+
+ Provider - Customer
+
+ Peer - Peer
+
+ RS-Server - RS-Client
+
+ If :cfgcmd:`strict` is set the BGP session won’t become established
+ until the BGP neighbor sets local Role on its side. This
+ configuration parameter is defined in RFC :rfc:`9234` and is used to
+ enforce the corresponding configuration at your counter-parts side.
+
+ Routes that are sent from provider, rs-server, or the peer local-role
+ (or if received by customer, rs-client, or the peer local-role) will
+ be marked with a new Only to Customer (OTC) attribute.
+
+ Routes with this attribute can only be sent to your neighbor if your
+ local-role is provider or rs-server. Routes with this attribute can
+ be received only if your local-role is customer or rs-client.
+
+ In case of peer-peer relationship routes can be received only if OTC
+ value is equal to your neighbor AS number.
+
+ All these rules with OTC will help to detect and mitigate route leaks
+ and happen automatically if local-role is set.
+
.. cfgcmd:: set protocols bgp neighbor <address|interface> shutdown
This command disable the peer or peer group. To reenable the peer use
diff --git a/docs/configuration/service/dhcp-relay.rst b/docs/configuration/service/dhcp-relay.rst
index a93c1046..43abf254 100644
--- a/docs/configuration/service/dhcp-relay.rst
+++ b/docs/configuration/service/dhcp-relay.rst
@@ -20,8 +20,20 @@ Configuration
.. cfgcmd:: set service dhcp-relay interface <interface>
- Interfaces that participate in the DHCP relay process, including the uplink
- to the DHCP server.
+ Interfaces that participate in the DHCP relay process. If this command is
+ used, at least two entries of it are required: one for the interface that
+ captures the dhcp-requests, and one for the interface to forward such
+ requests. A warning message will be shown if this command is used, since
+ new implementations should use ``listen-interface`` and
+ ``upstream-interface``.
+
+.. cfgcmd:: set service dhcp-relay listen-interface <interface>
+
+ Interface for DHCP Relay Agent to listen for requests.
+
+.. cfgcmd:: set service dhcp-relay upstream-interface <interface>
+
+ Interface for DHCP Relay Agent to forward requests out.
.. cfgcmd:: set service dhcp-relay server <server>
@@ -70,8 +82,8 @@ Example
* Listen for DHCP requests on interface ``eth1``.
* DHCP server is located at IPv4 address 10.0.1.4 on ``eth2``.
-* Router receives DHCP client requests on ``eth1`` and relays them to the server
- at 10.0.1.4 on ``eth2``.
+* Router receives DHCP client requests on ``eth1`` and relays them to the
+ server at 10.0.1.4 on ``eth2``.
.. figure:: /_static/images/service_dhcp-relay01.png
:scale: 80 %
@@ -84,6 +96,19 @@ The generated configuration will look like:
.. code-block:: none
show service dhcp-relay
+ listen-interface eth1
+ upstrem-interface eth2
+ server 10.0.1.4
+ relay-options {
+ relay-agents-packets discard
+ }
+
+Also, for backwards compatibility this configuration, which uses generic
+interface definition, is still valid:
+
+.. code-block:: none
+
+ show service dhcp-relay
interface eth1
interface eth2
server 10.0.1.4
diff --git a/docs/configuration/service/dhcp-server.rst b/docs/configuration/service/dhcp-server.rst
index 3f4b7b89..b5b12a5b 100644
--- a/docs/configuration/service/dhcp-server.rst
+++ b/docs/configuration/service/dhcp-server.rst
@@ -234,7 +234,7 @@ inside the subnet definition but can be outside of the range statement.
**Example:**
-* IP address ``192.168.1.100`` shall be statically mapped to client named ``client100``
+* IP address ``192.168.1.100`` shall be statically mapped to client named ``client1``
.. code-block:: none
@@ -747,10 +747,6 @@ Operation Mode
To restart the DHCPv6 server
-.. opcmd:: show dhcpv6 server status
-
- To show the current status of the DHCPv6 server.
-
.. opcmd:: show dhcpv6 server leases
Shows status of all assigned leases:
diff --git a/docs/configuration/service/ipoe-server.rst b/docs/configuration/service/ipoe-server.rst
index e42ab42e..c219a063 100644
--- a/docs/configuration/service/ipoe-server.rst
+++ b/docs/configuration/service/ipoe-server.rst
@@ -146,4 +146,49 @@ The rate-limit is set in kbit/sec.
-------+------------+-------------------+-------------+-----+--------+------------+--------+----------+------------------
ipoe0 | eth2 | 08:00:27:2f:d8:06 | 192.168.0.2 | | | 500/500 | active | 00:00:05 | dccc870fd31349fb
+Example
+=======
+
+* IPoE server will listen on interfaces eth1.50 and eth1.51
+* There are rate-limited and non rate-limited users (MACs)
+
+Server configuration
+--------------------
+
+.. code-block:: none
+
+ set interfaces dummy dum1000 address 100.64.0.1/32
+ set interfaces dummy dum1000 address 2001:db8::1/128
+
+ set interfaces ethernet eth1 description 'IPoE'
+ set interfaces ethernet eth1 vif 50
+ set interfaces ethernet eth1 vif 51
+
+ set service ipoe-server authentication interface eth1.50 mac 00:0c:29:b7:49:a7
+ set service ipoe-server authentication interface eth1.50 mac 00:0c:29:f0:be:4c rate-limit download '5000'
+ set service ipoe-server authentication interface eth1.50 mac 00:0c:29:f0:be:4c rate-limit upload '5000'
+ set service ipoe-server authentication interface eth1.51 mac 00:0c:29:b7:49:a7 rate-limit download '50000'
+ set service ipoe-server authentication interface eth1.51 mac 00:0c:29:b7:49:a7 rate-limit upload '50000'
+ set service ipoe-server authentication mode 'local'
+
+ set service ipoe-server client-ipv6-pool delegate 2001:db8:ffff::/48 delegation-prefix '56'
+ set service ipoe-server client-ipv6-pool prefix 2001:db8:fffe::/48 mask '64'
+ set service ipoe-server interface eth1.50 client-subnet '100.64.50.0/24'
+ set service ipoe-server interface eth1.50 mode 'l2'
+ set service ipoe-server interface eth1.51 client-subnet '100.64.51.0/24'
+ set service ipoe-server interface eth1.51 mode 'l2'
+ set service ipoe-server name-server '100.64.0.1'
+ set service ipoe-server name-server '2001:db8::1'
+
+Client configuration
+--------------------
+
+.. code-block:: none
+
+ set interfaces ethernet eth0 mac '00:0c:29:b7:49:a7'
+
+ set interfaces ethernet eth0 vif 50 address 'dhcp'
+ set interfaces ethernet eth0 vif 50 address 'dhcpv6'
+ set interfaces ethernet eth0 vif 50 dhcpv6-options pd 0 interface eth1 sla-id '1'
+
.. include:: /_include/common-references.txt
diff --git a/docs/configuration/system/acceleration.rst b/docs/configuration/system/acceleration.rst
index 62b85c71..63506d6d 100644
--- a/docs/configuration/system/acceleration.rst
+++ b/docs/configuration/system/acceleration.rst
@@ -63,39 +63,50 @@ Side A:
.. code-block::
+
set interfaces vti vti1 address '192.168.1.2/24'
+ set vpn ipsec authentication psk right id '10.10.10.2'
+ set vpn ipsec authentication psk right id '10.10.10.1'
+ set vpn ipsec authentication psk right secret 'Qwerty123'
set vpn ipsec esp-group MyESPGroup proposal 1 encryption 'aes256'
set vpn ipsec esp-group MyESPGroup proposal 1 hash 'sha256'
set vpn ipsec ike-group MyIKEGroup proposal 1 dh-group '14'
set vpn ipsec ike-group MyIKEGroup proposal 1 encryption 'aes256'
set vpn ipsec ike-group MyIKEGroup proposal 1 hash 'sha256'
set vpn ipsec interface 'eth0'
- set vpn ipsec site-to-site peer 10.10.10.1 authentication mode 'pre-shared-secret'
- set vpn ipsec site-to-site peer 10.10.10.1 authentication pre-shared-secret 'Qwerty123'
- set vpn ipsec site-to-site peer 10.10.10.1 connection-type 'initiate'
- set vpn ipsec site-to-site peer 10.10.10.1 default-esp-group 'MyESPGroup'
- set vpn ipsec site-to-site peer 10.10.10.1 ike-group 'MyIKEGroup'
- set vpn ipsec site-to-site peer 10.10.10.1 local-address '10.10.10.2'
- set vpn ipsec site-to-site peer 10.10.10.1 vti bind 'vti1'
+ set vpn ipsec site-to-site peer right authentication local-id '10.10.10.2'
+ set vpn ipsec site-to-site peer right authentication mode 'pre-shared-secret'
+ set vpn ipsec site-to-site peer right authentication remote-id '10.10.10.1'
+ set vpn ipsec site-to-site peer right connection-type 'initiate'
+ set vpn ipsec site-to-site peer right default-esp-group 'MyESPGroup'
+ set vpn ipsec site-to-site peer right ike-group 'MyIKEGroup'
+ set vpn ipsec site-to-site peer right local-address '10.10.10.2'
+ set vpn ipsec site-to-site peer right remote-address '10.10.10.1'
+ set vpn ipsec site-to-site peer right vti bind 'vti1'
Side B:
.. code-block::
set interfaces vti vti1 address '192.168.1.1/24'
+ set vpn ipsec authentication psk left id '10.10.10.2'
+ set vpn ipsec authentication psk left id '10.10.10.1'
+ set vpn ipsec authentication psk left secret 'Qwerty123'
set vpn ipsec esp-group MyESPGroup proposal 1 encryption 'aes256'
set vpn ipsec esp-group MyESPGroup proposal 1 hash 'sha256'
set vpn ipsec ike-group MyIKEGroup proposal 1 dh-group '14'
set vpn ipsec ike-group MyIKEGroup proposal 1 encryption 'aes256'
set vpn ipsec ike-group MyIKEGroup proposal 1 hash 'sha256'
set vpn ipsec interface 'eth0'
- set vpn ipsec site-to-site peer 10.10.10.2 authentication mode 'pre-shared-secret'
- set vpn ipsec site-to-site peer 10.10.10.2 authentication pre-shared-secret 'Qwerty123'
- set vpn ipsec site-to-site peer 10.10.10.2 connection-type 'initiate'
- set vpn ipsec site-to-site peer 10.10.10.2 default-esp-group 'MyESPGroup'
- set vpn ipsec site-to-site peer 10.10.10.2 ike-group 'MyIKEGroup'
- set vpn ipsec site-to-site peer 10.10.10.2 local-address '10.10.10.1'
- set vpn ipsec site-to-site peer 10.10.10.2 vti bind 'vti1'
+ set vpn ipsec site-to-site peer left authentication local-id '10.10.10.1'
+ set vpn ipsec site-to-site peer left authentication mode 'pre-shared-secret'
+ set vpn ipsec site-to-site peer left authentication remote-id '10.10.10.2'
+ set vpn ipsec site-to-site peer left connection-type 'initiate'
+ set vpn ipsec site-to-site peer left default-esp-group 'MyESPGroup'
+ set vpn ipsec site-to-site peer left ike-group 'MyIKEGroup'
+ set vpn ipsec site-to-site peer left local-address '10.10.10.1'
+ set vpn ipsec site-to-site peer left remote-address '10.10.10.2'
+ set vpn ipsec site-to-site peer left vti bind 'vti1'
a bandwidth test over the VPN got these results:
diff --git a/docs/configuration/vpn/dmvpn.rst b/docs/configuration/vpn/dmvpn.rst
index 66fc79da..6680d46a 100644
--- a/docs/configuration/vpn/dmvpn.rst
+++ b/docs/configuration/vpn/dmvpn.rst
@@ -191,7 +191,7 @@ Hub
set interfaces tunnel tun100 address '172.16.253.134/29'
set interfaces tunnel tun100 encapsulation 'gre'
set interfaces tunnel tun100 local-ip '192.0.2.1'
- set interfaces tunnel tun100 multicast 'enable'
+ set interfaces tunnel tun100 enable-multicast
set interfaces tunnel tun100 parameters ip key '1'
set protocols nhrp tunnel tun100 cisco-authentication 'secret'
@@ -298,7 +298,7 @@ VyOS can also run in DMVPN spoke mode.
set interfaces tunnel tun100 address '172.16.253.133/29'
set interfaces tunnel tun100 local-ip 0.0.0.0
set interfaces tunnel tun100 encapsulation 'gre'
- set interfaces tunnel tun100 multicast 'enable'
+ set interfaces tunnel tun100 enable-multicast
set interfaces tunnel tun100 parameters ip key '1'
set protocols nhrp tunnel tun100 cisco-authentication 'secret'
diff --git a/docs/configuration/vpn/ipsec.rst b/docs/configuration/vpn/ipsec.rst
index d6a4733c..327f3abb 100644
--- a/docs/configuration/vpn/ipsec.rst
+++ b/docs/configuration/vpn/ipsec.rst
@@ -202,6 +202,11 @@ On the LEFT:
## IPsec
set vpn ipsec interface eth0
+ # Pre-shared-secret
+ set vpn ipsec authentication psk vyos id 192.0.2.10
+ set vpn ipsec authentication psk vyos id 203.0.113.45
+ set vpn ipsec authentication psk vyos secret MYSECRETKEY
+
# IKE group
set vpn ipsec ike-group MyIKEGroup proposal 1 dh-group '2'
set vpn ipsec ike-group MyIKEGroup proposal 1 encryption 'aes128'
@@ -213,7 +218,6 @@ On the LEFT:
# IPsec tunnel
set vpn ipsec site-to-site peer right authentication mode pre-shared-secret
- set vpn ipsec site-to-site peer right authentication pre-shared-secret MYSECRETKEY
set vpn ipsec site-to-site peer right authentication remote-id 203.0.113.45
set vpn ipsec site-to-site peer right ike-group MyIKEGroup
diff --git a/docs/configuration/vpn/site2site_ipsec.rst b/docs/configuration/vpn/site2site_ipsec.rst
index 68f6c48b..e89d25c6 100644
--- a/docs/configuration/vpn/site2site_ipsec.rst
+++ b/docs/configuration/vpn/site2site_ipsec.rst
@@ -18,23 +18,29 @@ Each site-to-site peer has the next options:
* ``authentication`` - configure authentication between VyOS and a remote peer.
Suboptions:
+ * ``psk`` - Preshared secret key name:
+
+ * ``dhcp-interface`` - ID for authentication generated from DHCP address
+ dynamically;
+ * ``id`` - static ID's for authentication. In general local and remote
+ address ``<x.x.x.x>``, ``<h:h:h:h:h:h:h:h>`` or ``%any``;
+ * ``secret`` - predefined shared secret. Used if configured mode
+ ``pre-shared-secret``;
+
+
* ``local-id`` - ID for the local VyOS router. If defined, during the
authentication
it will be send to remote peer;
* ``mode`` - mode for authentication between VyOS and remote peer:
- * ``pre-shared-secret`` - use predefined shared secret phrase, must be the
- same for local and remote side;
+ * ``pre-shared-secret`` - use predefined shared secret phrase;
* ``rsa`` - use simple shared RSA key. The key must be defined in the
``set vpn rsa-keys`` section;
* ``x509`` - use certificates infrastructure for authentication.
- * ``pre-shared-secret`` - predefined shared secret. Used if configured
- ``mode pre-shared-secret``;
-
* ``remote-id`` - define an ID for remote peer, instead of using peer name or
address. Useful in case if the remote peer is behind NAT or if ``mode x509``
is used;
@@ -161,6 +167,9 @@ Example:
.. code-block:: none
# server config
+ set vpn ipsec authentication psk OFFICE-B id '198.51.100.3'
+ set vpn ipsec authentication psk OFFICE-B id '203.0.113.2'
+ set vpn ipsec authentication psk OFFICE-B secret 'SomePreSharedKey'
set vpn ipsec esp-group office-srv-esp lifetime '1800'
set vpn ipsec esp-group office-srv-esp mode 'tunnel'
set vpn ipsec esp-group office-srv-esp pfs 'enable'
@@ -171,8 +180,8 @@ Example:
set vpn ipsec ike-group office-srv-ike proposal 1 encryption 'aes256'
set vpn ipsec ike-group office-srv-ike proposal 1 hash 'sha1'
set vpn ipsec interface 'eth1'
+ set vpn ipsec site-to-site peer OFFICE-B authentication local-id '198.51.100.3'
set vpn ipsec site-to-site peer OFFICE-B authentication mode 'pre-shared-secret'
- set vpn ipsec site-to-site peer OFFICE-B authentication pre-shared-secret 'SomePreSharedKey'
set vpn ipsec site-to-site peer OFFICE-B authentication remote-id '203.0.113.2'
set vpn ipsec site-to-site peer OFFICE-B ike-group 'office-srv-ike'
set vpn ipsec site-to-site peer OFFICE-B local-address '198.51.100.3'
@@ -182,6 +191,9 @@ Example:
set vpn ipsec site-to-site peer OFFICE-B tunnel 0 remote prefix '10.0.0.0/21'
# remote office config
+ set vpn ipsec authentication psk OFFICE-A id '198.51.100.3'
+ set vpn ipsec authentication psk OFFICE-A id '203.0.113.2'
+ set vpn ipsec authentication psk OFFICE-A secret 'SomePreSharedKey'
set vpn ipsec esp-group office-srv-esp lifetime '1800'
set vpn ipsec esp-group office-srv-esp mode 'tunnel'
set vpn ipsec esp-group office-srv-esp pfs 'enable'
@@ -192,8 +204,8 @@ Example:
set vpn ipsec ike-group office-srv-ike proposal 1 encryption 'aes256'
set vpn ipsec ike-group office-srv-ike proposal 1 hash 'sha1'
set vpn ipsec interface 'eth1'
+ set vpn ipsec site-to-site peer OFFICE-A authentication local-id '203.0.113.2'
set vpn ipsec site-to-site peer OFFICE-A authentication mode 'pre-shared-secret'
- set vpn ipsec site-to-site peer OFFICE-A authentication pre-shared-secret 'SomePreSharedKey'
set vpn ipsec site-to-site peer OFFICE-A authentication remote-id '198.51.100.3'
set vpn ipsec site-to-site peer OFFICE-A ike-group 'office-srv-ike'
set vpn ipsec site-to-site peer OFFICE-A local-address '203.0.113.2'
@@ -279,6 +291,9 @@ Imagine the following topology
set interfaces vti vti10 address '10.0.0.2/31'
+ set vpn ipsec authentication psk OFFICE-B id '172.18.201.10'
+ set vpn ipsec authentication psk OFFICE-B id '172.18.202.10'
+ set vpn ipsec authentication psk OFFICE-B secret 'secretkey'
set vpn ipsec esp-group ESP_DEFAULT lifetime '3600'
set vpn ipsec esp-group ESP_DEFAULT mode 'tunnel'
set vpn ipsec esp-group ESP_DEFAULT pfs 'dh-group19'
@@ -293,7 +308,6 @@ Imagine the following topology
set vpn ipsec interface 'eth0.201'
set vpn ipsec site-to-site peer OFFICE-B authentication local-id '172.18.201.10'
set vpn ipsec site-to-site peer OFFICE-B authentication mode 'pre-shared-secret'
- set vpn ipsec site-to-site peer OFFICE-B authentication pre-shared-secret 'secretkey'
set vpn ipsec site-to-site peer OFFICE-B authentication remote-id '172.18.202.10'
set vpn ipsec site-to-site peer OFFICE-B connection-type 'respond'
set vpn ipsec site-to-site peer OFFICE-B ike-group 'IKEv2_DEFAULT'
@@ -308,6 +322,9 @@ Imagine the following topology
set interfaces vti vti10 address '10.0.0.3/31'
+ set vpn ipsec authentication psk OFFICE-A id '172.18.201.10'
+ set vpn ipsec authentication psk OFFICE-A id '172.18.202.10'
+ set vpn ipsec authentication psk OFFICE-A secret 'secretkey'
set vpn ipsec esp-group ESP_DEFAULT lifetime '3600'
set vpn ipsec esp-group ESP_DEFAULT mode 'tunnel'
set vpn ipsec esp-group ESP_DEFAULT pfs 'dh-group19'
@@ -325,7 +342,6 @@ Imagine the following topology
set vpn ipsec interface 'eth0.202'
set vpn ipsec site-to-site peer OFFICE-A authentication local-id '172.18.202.10'
set vpn ipsec site-to-site peer OFFICE-A authentication mode 'pre-shared-secret'
- set vpn ipsec site-to-site peer OFFICE-A authentication pre-shared-secret 'secretkey'
set vpn ipsec site-to-site peer OFFICE-A authentication remote-id '172.18.201.10'
set vpn ipsec site-to-site peer OFFICE-A connection-type 'initiate'
set vpn ipsec site-to-site peer OFFICE-A ike-group 'IKEv2_DEFAULT'