Diffstat (limited to 'docs/configuration')
-rw-r--r-- | docs/configuration/highavailability/index.rst | 59 | ||||
-rw-r--r-- | docs/configuration/interfaces/l2tpv3.rst | 21 | ||||
-rw-r--r-- | docs/configuration/interfaces/pppoe.rst | 8 | ||||
-rw-r--r-- | docs/configuration/interfaces/tunnel.rst | 8 | ||||
-rw-r--r-- | docs/configuration/interfaces/wwan.rst | 1 | ||||
-rw-r--r-- | docs/configuration/nat/nat44.rst | 27 | ||||
-rw-r--r-- | docs/configuration/policy/large-community-list.rst | 2 | ||||
-rw-r--r-- | docs/configuration/protocols/bgp.rst | 35 | ||||
-rw-r--r-- | docs/configuration/service/dhcp-relay.rst | 33 | ||||
-rw-r--r-- | docs/configuration/service/dhcp-server.rst | 6 | ||||
-rw-r--r-- | docs/configuration/service/ipoe-server.rst | 45 | ||||
-rw-r--r-- | docs/configuration/system/acceleration.rst | 39 | ||||
-rw-r--r-- | docs/configuration/vpn/dmvpn.rst | 4 | ||||
-rw-r--r-- | docs/configuration/vpn/ipsec.rst | 6 | ||||
-rw-r--r-- | docs/configuration/vpn/site2site_ipsec.rst | 34 |
15 files changed, 262 insertions, 66 deletions
diff --git a/docs/configuration/highavailability/index.rst b/docs/configuration/highavailability/index.rst index 9150b1bd..bc8aad99 100644 --- a/docs/configuration/highavailability/index.rst +++ b/docs/configuration/highavailability/index.rst @@ -357,6 +357,21 @@ Forward method set high-availability virtual-server 203.0.113.1 forward-method 'nat' +Health-check +^^^^^^^^^^^^ +Custom health-check script allows checking real-server availability + +.. code-block:: none + + set high-availability virtual-server 203.0.113.1 real-server 192.0.2.11 health-check script <path-to-script> + +Fwmark +^^^^^^ +Firewall mark. It possible to loadbalancing traffic based on ``fwmark`` value + +.. code-block:: none + + set high-availability virtual-server 203.0.113.1 fwmark '111' Real server ^^^^^^^^^^^ 
@@ -395,3 +410,47 @@ Real server is auto-excluded if port check with this server fail. set high-availability virtual-server 203.0.113.1 protocol 'tcp' set high-availability virtual-server 203.0.113.1 real-server 192.0.2.11 port '80' set high-availability virtual-server 203.0.113.1 real-server 192.0.2.12 port '80' + + +A firewall mark ``fwmark`` allows using multiple ports for high-availability +virtual-server. +It uses fwmark value. + +In this example all traffic destined to ports "80, 2222, 8888" protocol TCP +marks to fwmark "111" and balanced between 2 real servers. +Port "0" is required if multiple ports are used. + +.. code-block:: none + + set interfaces ethernet eth0 address 'dhcp' + set interfaces ethernet eth0 description 'WAN' + set interfaces ethernet eth1 address '192.0.2.1/24' + set interfaces ethernet eth1 description 'LAN' + + set policy route PR interface 'eth0' + set policy route PR rule 10 destination port '80,2222,8888' + set policy route PR rule 10 protocol 'tcp' + set policy route PR rule 10 set mark '111' + + set high-availability virtual-server vyos fwmark '111' + set high-availability virtual-server vyos protocol 'tcp' + set high-availability virtual-server vyos real-server 192.0.2.11 health-check script '/config/scripts/check-real-server-first.sh' + set high-availability virtual-server vyos real-server 192.0.2.11 port '0' + set high-availability virtual-server vyos real-server 192.0.2.12 health-check script '/config/scripts/check-real-server-second.sh' + set high-availability virtual-server vyos real-server 192.0.2.12 port '0' + + set nat source rule 100 outbound-interface 'eth0' + set nat source rule 100 source address '192.0.2.0/24' + set nat source rule 100 translation address 'masquerade' + +Op-mode check virtual-server status + +.. 
code-block:: none + + vyos@r14:~$ run show virtual-server + IP Virtual Server version 1.2.1 (size=4096) + Prot LocalAddress:Port Scheduler Flags + -> RemoteAddress:Port Forward Weight ActiveConn InActConn + FWM 111 lc persistent 300 + -> 192.0.2.11:0 Masq 1 0 0 + -> 192.0.2.12:0 Masq 1 1 0 diff --git a/docs/configuration/interfaces/l2tpv3.rst b/docs/configuration/interfaces/l2tpv3.rst index bd5d6862..897e38dc 100644 --- a/docs/configuration/interfaces/l2tpv3.rst +++ b/docs/configuration/interfaces/l2tpv3.rst 
@@ -141,29 +141,26 @@ IPSec: .. code-block:: none + set vpn ipsec authentication psk <pre-shared-name> id '%any' + set vpn ipsec authentication psk <pre-shared-name> secret <pre-shared-key> set vpn ipsec interface <VPN-interface> - set vpn ipsec esp-group test-ESP-1 compression 'disable' set vpn ipsec esp-group test-ESP-1 lifetime '3600' set vpn ipsec esp-group test-ESP-1 mode 'transport' set vpn ipsec esp-group test-ESP-1 pfs 'enable' set vpn ipsec esp-group test-ESP-1 proposal 1 encryption 'aes128' set vpn ipsec esp-group test-ESP-1 proposal 1 hash 'sha1' - set vpn ipsec ike-group test-IKE-1 ikev2-reauth 'no' set vpn ipsec ike-group test-IKE-1 key-exchange 'ikev1' set vpn ipsec ike-group test-IKE-1 lifetime '3600' set vpn ipsec ike-group test-IKE-1 proposal 1 dh-group '5' set vpn ipsec ike-group test-IKE-1 proposal 1 encryption 'aes128' set vpn ipsec ike-group test-IKE-1 proposal 1 hash 'sha1' - set vpn ipsec site-to-site peer <peer-ip> authentication mode 'pre-shared-secret' - set vpn ipsec site-to-site peer <peer-ip> authentication pre-shared-secret <pre-shared-key> - set vpn ipsec site-to-site peer <peer-ip> connection-type 'initiate' - set vpn ipsec site-to-site peer <peer-ip> ike-group 'test-IKE-1' - set vpn ipsec site-to-site peer <peer-ip> ikev2-reauth 'inherit' - set vpn ipsec site-to-site peer <peer-ip> local-address <local-ip> - set vpn ipsec site-to-site peer <peer-ip> tunnel 1 allow-nat-networks 'disable' - set vpn ipsec site-to-site peer <peer-ip> tunnel 1 allow-public-networks 'disable' - set vpn ipsec site-to-site peer <peer-ip> tunnel 1 esp-group 'test-ESP-1' - set vpn ipsec site-to-site peer <peer-ip> tunnel 1 protocol 'l2tp' + set vpn ipsec site-to-site peer <connection-name> authentication mode 'pre-shared-secret' + set vpn ipsec site-to-site peer <connection-name> connection-type 'initiate' + set vpn ipsec site-to-site peer <connection-name> ike-group 'test-IKE-1' + set vpn ipsec site-to-site peer <connection-name> ikev2-reauth 'inherit' + set 
vpn ipsec site-to-site peer <connection-name> local-address <local-ip> + set vpn ipsec site-to-site peer <connection-name> tunnel 1 esp-group 'test-ESP-1' + set vpn ipsec site-to-site peer <connection-name> tunnel 1 protocol 'l2tp' Bridge: diff --git a/docs/configuration/interfaces/pppoe.rst b/docs/configuration/interfaces/pppoe.rst index 0953e948..cf406baf 100644 --- a/docs/configuration/interfaces/pppoe.rst +++ b/docs/configuration/interfaces/pppoe.rst @@ -91,7 +91,7 @@ PPPoE options This command allows you to select a specific access concentrator when you know the access concentrators `<name>`. -.. cfgcmd:: set interfaces pppoe <interface> authentication user <username> +.. cfgcmd:: set interfaces pppoe <interface> authentication username <username> Use this command to set the username for authenticating with a remote PPPoE endpoint. Authentication is optional from the system's point of view but @@ -324,7 +324,7 @@ Requirements: .. code-block:: none - set interfaces pppoe pppoe0 authentication user 'userid' + set interfaces pppoe pppoe0 authentication username 'userid' set interfaces pppoe pppoe0 authentication password 'secret' set interfaces pppoe pppoe0 source-interface 'eth0' @@ -349,7 +349,7 @@ which is the default VLAN for Deutsche Telekom: .. code-block:: none - set interfaces pppoe pppoe0 authentication user 'userid' + set interfaces pppoe pppoe0 authentication username 'userid' set interfaces pppoe pppoe0 authentication password 'secret' set interfaces pppoe pppoe0 source-interface 'eth0.7' @@ -367,7 +367,7 @@ If you do not know the prefix size delegated to you, start with sla-len 0. .. code-block:: none - set interfaces pppoe pppoe0 authentication user vyos + set interfaces pppoe pppoe0 authentication username vyos set interfaces pppoe pppoe0 authentication password vyos set interfaces pppoe pppoe0 dhcpv6-options pd 0 interface eth0 address '1' set interfaces pppoe pppoe0 dhcpv6-options pd 0 interface eth0 sla-id '0' 
diff --git a/docs/configuration/interfaces/tunnel.rst b/docs/configuration/interfaces/tunnel.rst index bd7a8460..31539d9f 100644 --- a/docs/configuration/interfaces/tunnel.rst +++ b/docs/configuration/interfaces/tunnel.rst @@ -18,7 +18,11 @@ a closer look at the protocols and options currently supported by VyOS. Common interface configuration ------------------------------ -.. cmdinclude:: /_include/interface-common-without-dhcp1.txt +.. cmdinclude:: /_include/interface-address.txt + :var0: tunnel + :var1: tun0 + +.. cmdinclude:: /_include/interface-common-without-mac.txt :var0: tunnel :var1: tun0 @@ -207,7 +211,7 @@ GRETAP ^^^^^^^ While normal GRE is for layer 3, GRETAP is for layer 2. GRETAP can encapsulate -Ethernet frames, thus it can be bridged with other interfaces to create +Ethernet frames, thus it can be bridged with other interfaces to create datalink layer segments that span multiple remote sites. .. code-block:: none diff --git a/docs/configuration/interfaces/wwan.rst b/docs/configuration/interfaces/wwan.rst index 45b18387..98890158 100644 --- a/docs/configuration/interfaces/wwan.rst +++ b/docs/configuration/interfaces/wwan.rst @@ -22,7 +22,6 @@ Common interface configuration :var0: wwan :var1: wwan0 - .. cmdinclude:: /_include/interface-description.txt :var0: wwan :var1: wwan0 diff --git a/docs/configuration/nat/nat44.rst b/docs/configuration/nat/nat44.rst index 62964fea..b2ba61af 100644 --- a/docs/configuration/nat/nat44.rst +++ b/docs/configuration/nat/nat44.rst 
@@ -697,17 +697,22 @@ too. .. code-block:: none - set vpn ipsec site-to-site peer 198.51.100.243 authentication mode 'pre-shared-secret' - set vpn ipsec site-to-site peer 198.51.100.243 authentication pre-shared-secret 'PASSWORD IS HERE' - set vpn ipsec site-to-site peer 198.51.100.243 connection-type 'initiate' - set vpn ipsec site-to-site peer 198.51.100.243 default-esp-group 'my-esp' - set vpn ipsec site-to-site peer 198.51.100.243 ike-group 'my-ike' - set vpn ipsec site-to-site peer 198.51.100.243 ikev2-reauth 'inherit' - set vpn ipsec site-to-site peer 198.51.100.243 local-address '203.0.113.46' - set vpn ipsec site-to-site peer 198.51.100.243 tunnel 0 local prefix '172.29.41.89/32' - set vpn ipsec site-to-site peer 198.51.100.243 tunnel 0 remote prefix '172.27.1.0/24' - set vpn ipsec site-to-site peer 198.51.100.243 tunnel 1 local prefix '172.29.41.89/32' - set vpn ipsec site-to-site peer 198.51.100.243 tunnel 1 remote prefix '10.125.0.0/16' + set vpn ipsec authentication psk vyos id '203.0.113.46' + set vpn ipsec authentication psk vyos id '198.51.100.243' + set vpn ipsec authentication psk vyos secret 'MYSECRETPASSWORD' + set vpn ipsec site-to-site peer branch authentication local-id '203.0.113.46' + set vpn ipsec site-to-site peer branch authentication mode 'pre-shared-secret' + set vpn ipsec site-to-site peer branch authentication remote-id '198.51.100.243' + set vpn ipsec site-to-site peer branch connection-type 'initiate' + set vpn ipsec site-to-site peer branch default-esp-group 'my-esp' + set vpn ipsec site-to-site peer branch ike-group 'my-ike' + set vpn ipsec site-to-site peer branch ikev2-reauth 'inherit' + set vpn ipsec site-to-site peer branch local-address '203.0.113.46' + set vpn ipsec site-to-site peer branch remote-address '198.51.100.243' + set vpn ipsec site-to-site peer branch tunnel 0 local prefix '172.29.41.89/32' + set vpn ipsec site-to-site peer branch tunnel 0 remote prefix '172.27.1.0/24' + set vpn ipsec site-to-site peer branch 
tunnel 1 local prefix '172.29.41.89/32' + set vpn ipsec site-to-site peer branch tunnel 1 remote prefix '10.125.0.0/16' Testing and Validation """""""""""""""""""""" diff --git a/docs/configuration/policy/large-community-list.rst b/docs/configuration/policy/large-community-list.rst index 39da0815..0c57fd4a 100644 --- a/docs/configuration/policy/large-community-list.rst +++ b/docs/configuration/policy/large-community-list.rst @@ -14,7 +14,7 @@ policy large-community-list .. cfgcmd:: set policy large-community-list <text> - Creat large-community-list policy identified by name <text>. + Create large-community-list policy identified by name <text>. .. cfgcmd:: set policy large-community-list <text> description <text> diff --git a/docs/configuration/protocols/bgp.rst b/docs/configuration/protocols/bgp.rst index 6593730f..68688b25 100644 --- a/docs/configuration/protocols/bgp.rst +++ b/docs/configuration/protocols/bgp.rst 
@@ -206,6 +206,41 @@ Defining Peers peers ASN is the same as mine as specified under the :cfgcmd:`protocols bgp <asn>` command the connection will be denied. +.. cfgcmd:: set protocols bgp neighbor <address|interface> local-role + <role> [strict] + + BGP roles are defined in RFC :rfc:`9234` and provide an easy way to + add route leak prevention, detection and mitigation. The local Role + value is negotiated with the new BGP Role capability which has a + built-in check of the corresponding value. In case of a mismatch the + new OPEN Roles Mismatch Notification <2, 11> would be sent. + The correct Role pairs are: + + Provider - Customer + + Peer - Peer + + RS-Server - RS-Client + + If :cfgcmd:`strict` is set the BGP session won’t become established + until the BGP neighbor sets local Role on its side. This + configuration parameter is defined in RFC :rfc:`9234` and is used to + enforce the corresponding configuration at your counter-parts side. + + Routes that are sent from provider, rs-server, or the peer local-role + (or if received by customer, rs-client, or the peer local-role) will + be marked with a new Only to Customer (OTC) attribute. + + Routes with this attribute can only be sent to your neighbor if your + local-role is provider or rs-server. Routes with this attribute can + be received only if your local-role is customer or rs-client. + + In case of peer-peer relationship routes can be received only if OTC + value is equal to your neighbor AS number. + + All these rules with OTC will help to detect and mitigate route leaks + and happen automatically if local-role is set. + .. cfgcmd:: set protocols bgp neighbor <address|interface> shutdown This command disable the peer or peer group. To reenable the peer use diff --git a/docs/configuration/service/dhcp-relay.rst b/docs/configuration/service/dhcp-relay.rst index a93c1046..43abf254 100644 --- a/docs/configuration/service/dhcp-relay.rst +++ b/docs/configuration/service/dhcp-relay.rst 
@@ -20,8 +20,20 @@ Configuration .. cfgcmd:: set service dhcp-relay interface <interface> - Interfaces that participate in the DHCP relay process, including the uplink - to the DHCP server. + Interfaces that participate in the DHCP relay process. If this command is + used, at least two entries of it are required: one for the interface that + captures the dhcp-requests, and one for the interface to forward such + requests. A warning message will be shown if this command is used, since + new implementations should use ``listen-interface`` and + ``upstream-interface``. + +.. cfgcmd:: set service dhcp-relay listen-interface <interface> + + Interface for DHCP Relay Agent to listen for requests. + +.. cfgcmd:: set service dhcp-relay upstream-interface <interface> + + Interface for DHCP Relay Agent to forward requests out. .. cfgcmd:: set service dhcp-relay server <server> @@ -70,8 +82,8 @@ Example * Listen for DHCP requests on interface ``eth1``. * DHCP server is located at IPv4 address 10.0.1.4 on ``eth2``. -* Router receives DHCP client requests on ``eth1`` and relays them to the server - at 10.0.1.4 on ``eth2``. +* Router receives DHCP client requests on ``eth1`` and relays them to the + server at 10.0.1.4 on ``eth2``. .. figure:: /_static/images/service_dhcp-relay01.png :scale: 80 % @@ -84,6 +96,19 @@ The generated configuration will look like: .. code-block:: none show service dhcp-relay + listen-interface eth1 + upstrem-interface eth2 + server 10.0.1.4 + relay-options { + relay-agents-packets discard + } + +Also, for backwards compatibility this configuration, which uses generic +interface definition, is still valid: + +.. code-block:: none + + show service dhcp-relay interface eth1 interface eth2 server 10.0.1.4 diff --git a/docs/configuration/service/dhcp-server.rst b/docs/configuration/service/dhcp-server.rst index 3f4b7b89..b5b12a5b 100644 --- a/docs/configuration/service/dhcp-server.rst +++ b/docs/configuration/service/dhcp-server.rst 
@@ -234,7 +234,7 @@ inside the subnet definition but can be outside of the range statement. **Example:** -* IP address ``192.168.1.100`` shall be statically mapped to client named ``client100`` +* IP address ``192.168.1.100`` shall be statically mapped to client named ``client1`` .. code-block:: none @@ -747,10 +747,6 @@ Operation Mode To restart the DHCPv6 server -.. opcmd:: show dhcpv6 server status - - To show the current status of the DHCPv6 server. - .. opcmd:: show dhcpv6 server leases Shows status of all assigned leases: diff --git a/docs/configuration/service/ipoe-server.rst b/docs/configuration/service/ipoe-server.rst index e42ab42e..c219a063 100644 --- a/docs/configuration/service/ipoe-server.rst +++ b/docs/configuration/service/ipoe-server.rst 
@@ -146,4 +146,49 @@ The rate-limit is set in kbit/sec. -------+------------+-------------------+-------------+-----+--------+------------+--------+----------+------------------ ipoe0 | eth2 | 08:00:27:2f:d8:06 | 192.168.0.2 | | | 500/500 | active | 00:00:05 | dccc870fd31349fb +Example +======= + +* IPoE server will listen on interfaces eth1.50 and eth1.51 +* There are rate-limited and non rate-limited users (MACs) + +Server configuration +-------------------- + +.. code-block:: none + + set interfaces dummy dum1000 address 100.64.0.1/32 + set interfaces dummy dum1000 address 2001:db8::1/128 + + set interfaces ethernet eth1 description 'IPoE' + set interfaces ethernet eth1 vif 50 + set interfaces ethernet eth1 vif 51 + + set service ipoe-server authentication interface eth1.50 mac 00:0c:29:b7:49:a7 + set service ipoe-server authentication interface eth1.50 mac 00:0c:29:f0:be:4c rate-limit download '5000' + set service ipoe-server authentication interface eth1.50 mac 00:0c:29:f0:be:4c rate-limit upload '5000' + set service ipoe-server authentication interface eth1.51 mac 00:0c:29:b7:49:a7 rate-limit download '50000' + set service ipoe-server authentication interface eth1.51 mac 00:0c:29:b7:49:a7 rate-limit upload '50000' + set service ipoe-server authentication mode 'local' + + set service ipoe-server client-ipv6-pool delegate 2001:db8:ffff::/48 delegation-prefix '56' + set service ipoe-server client-ipv6-pool prefix 2001:db8:fffe::/48 mask '64' + set service ipoe-server interface eth1.50 client-subnet '100.64.50.0/24' + set service ipoe-server interface eth1.50 mode 'l2' + set service ipoe-server interface eth1.51 client-subnet '100.64.51.0/24' + set service ipoe-server interface eth1.51 mode 'l2' + set service ipoe-server name-server '100.64.0.1' + set service ipoe-server name-server '2001:db8::1' + +Client configuration +-------------------- + +.. 
code-block:: none + + set interfaces ethernet eth0 mac '00:0c:29:b7:49:a7' + + set interfaces ethernet eth0 vif 50 address 'dhcp' + set interfaces ethernet eth0 vif 50 address 'dhcpv6' + set interfaces ethernet eth0 vif 50 dhcpv6-options pd 0 interface eth1 sla-id '1' + .. include:: /_include/common-references.txt diff --git a/docs/configuration/system/acceleration.rst b/docs/configuration/system/acceleration.rst index 62b85c71..63506d6d 100644 --- a/docs/configuration/system/acceleration.rst +++ b/docs/configuration/system/acceleration.rst 
@@ -63,39 +63,50 @@ Side A: .. code-block:: + set interfaces vti vti1 address '192.168.1.2/24' + set vpn ipsec authentication psk right id '10.10.10.2' + set vpn ipsec authentication psk right id '10.10.10.1' + set vpn ipsec authentication psk right secret 'Qwerty123' set vpn ipsec esp-group MyESPGroup proposal 1 encryption 'aes256' set vpn ipsec esp-group MyESPGroup proposal 1 hash 'sha256' set vpn ipsec ike-group MyIKEGroup proposal 1 dh-group '14' set vpn ipsec ike-group MyIKEGroup proposal 1 encryption 'aes256' set vpn ipsec ike-group MyIKEGroup proposal 1 hash 'sha256' set vpn ipsec interface 'eth0' - set vpn ipsec site-to-site peer 10.10.10.1 authentication mode 'pre-shared-secret' - set vpn ipsec site-to-site peer 10.10.10.1 authentication pre-shared-secret 'Qwerty123' - set vpn ipsec site-to-site peer 10.10.10.1 connection-type 'initiate' - set vpn ipsec site-to-site peer 10.10.10.1 default-esp-group 'MyESPGroup' - set vpn ipsec site-to-site peer 10.10.10.1 ike-group 'MyIKEGroup' - set vpn ipsec site-to-site peer 10.10.10.1 local-address '10.10.10.2' - set vpn ipsec site-to-site peer 10.10.10.1 vti bind 'vti1' + set vpn ipsec site-to-site peer right authentication local-id '10.10.10.2' + set vpn ipsec site-to-site peer right authentication mode 'pre-shared-secret' + set vpn ipsec site-to-site peer right authentication remote-id '10.10.10.1' + set vpn ipsec site-to-site peer right connection-type 'initiate' + set vpn ipsec site-to-site peer right default-esp-group 'MyESPGroup' + set vpn ipsec site-to-site peer right ike-group 'MyIKEGroup' + set vpn ipsec site-to-site peer right local-address '10.10.10.2' + set vpn ipsec site-to-site peer right remote-address '10.10.10.1' + set vpn ipsec site-to-site peer right vti bind 'vti1' Side B: .. 
code-block:: set interfaces vti vti1 address '192.168.1.1/24' + set vpn ipsec authentication psk left id '10.10.10.2' + set vpn ipsec authentication psk left id '10.10.10.1' + set vpn ipsec authentication psk left secret 'Qwerty123' set vpn ipsec esp-group MyESPGroup proposal 1 encryption 'aes256' set vpn ipsec esp-group MyESPGroup proposal 1 hash 'sha256' set vpn ipsec ike-group MyIKEGroup proposal 1 dh-group '14' set vpn ipsec ike-group MyIKEGroup proposal 1 encryption 'aes256' set vpn ipsec ike-group MyIKEGroup proposal 1 hash 'sha256' set vpn ipsec interface 'eth0' - set vpn ipsec site-to-site peer 10.10.10.2 authentication mode 'pre-shared-secret' - set vpn ipsec site-to-site peer 10.10.10.2 authentication pre-shared-secret 'Qwerty123' - set vpn ipsec site-to-site peer 10.10.10.2 connection-type 'initiate' - set vpn ipsec site-to-site peer 10.10.10.2 default-esp-group 'MyESPGroup' - set vpn ipsec site-to-site peer 10.10.10.2 ike-group 'MyIKEGroup' - set vpn ipsec site-to-site peer 10.10.10.2 local-address '10.10.10.1' - set vpn ipsec site-to-site peer 10.10.10.2 vti bind 'vti1' + set vpn ipsec site-to-site peer left authentication local-id '10.10.10.1' + set vpn ipsec site-to-site peer left authentication mode 'pre-shared-secret' + set vpn ipsec site-to-site peer left authentication remote-id '10.10.10.2' + set vpn ipsec site-to-site peer left connection-type 'initiate' + set vpn ipsec site-to-site peer left default-esp-group 'MyESPGroup' + set vpn ipsec site-to-site peer left ike-group 'MyIKEGroup' + set vpn ipsec site-to-site peer left local-address '10.10.10.1' + set vpn ipsec site-to-site peer left remote-address '10.10.10.2' + set vpn ipsec site-to-site peer left vti bind 'vti1' a bandwidth test over the VPN got these results: diff --git a/docs/configuration/vpn/dmvpn.rst b/docs/configuration/vpn/dmvpn.rst index 66fc79da..6680d46a 100644 --- a/docs/configuration/vpn/dmvpn.rst +++ b/docs/configuration/vpn/dmvpn.rst 
@@ -191,7 +191,7 @@ Hub set interfaces tunnel tun100 address '172.16.253.134/29' set interfaces tunnel tun100 encapsulation 'gre' set interfaces tunnel tun100 local-ip '192.0.2.1' - set interfaces tunnel tun100 multicast 'enable' + set interfaces tunnel tun100 enable-multicast set interfaces tunnel tun100 parameters ip key '1' set protocols nhrp tunnel tun100 cisco-authentication 'secret' @@ -298,7 +298,7 @@ VyOS can also run in DMVPN spoke mode. set interfaces tunnel tun100 address '172.16.253.133/29' set interfaces tunnel tun100 local-ip 0.0.0.0 set interfaces tunnel tun100 encapsulation 'gre' - set interfaces tunnel tun100 multicast 'enable' + set interfaces tunnel tun100 enable-multicast set interfaces tunnel tun100 parameters ip key '1' set protocols nhrp tunnel tun100 cisco-authentication 'secret' diff --git a/docs/configuration/vpn/ipsec.rst b/docs/configuration/vpn/ipsec.rst index d6a4733c..327f3abb 100644 --- a/docs/configuration/vpn/ipsec.rst +++ b/docs/configuration/vpn/ipsec.rst @@ -202,6 +202,11 @@ On the LEFT: ## IPsec set vpn ipsec interface eth0 + # Pre-shared-secret + set vpn ipsec authentication psk vyos id 192.0.2.10 + set vpn ipsec authentication psk vyos id 203.0.113.45 + set vpn ipsec authentication psk vyos secret MYSECRETKEY + # IKE group set vpn ipsec ike-group MyIKEGroup proposal 1 dh-group '2' set vpn ipsec ike-group MyIKEGroup proposal 1 encryption 'aes128' @@ -213,7 +218,6 @@ On the LEFT: # IPsec tunnel set vpn ipsec site-to-site peer right authentication mode pre-shared-secret - set vpn ipsec site-to-site peer right authentication pre-shared-secret MYSECRETKEY set vpn ipsec site-to-site peer right authentication remote-id 203.0.113.45 set vpn ipsec site-to-site peer right ike-group MyIKEGroup diff --git a/docs/configuration/vpn/site2site_ipsec.rst b/docs/configuration/vpn/site2site_ipsec.rst index 68f6c48b..e89d25c6 100644 --- a/docs/configuration/vpn/site2site_ipsec.rst +++ b/docs/configuration/vpn/site2site_ipsec.rst 
@@ -18,23 +18,29 @@ Each site-to-site peer has the next options: * ``authentication`` - configure authentication between VyOS and a remote peer. Suboptions: + * ``psk`` - Preshared secret key name: + + * ``dhcp-interface`` - ID for authentication generated from DHCP address + dynamically; + * ``id`` - static ID's for authentication. In general local and remote + address ``<x.x.x.x>``, ``<h:h:h:h:h:h:h:h>`` or ``%any``; + * ``secret`` - predefined shared secret. Used if configured mode + ``pre-shared-secret``; + + * ``local-id`` - ID for the local VyOS router. If defined, during the authentication it will be send to remote peer; * ``mode`` - mode for authentication between VyOS and remote peer: - * ``pre-shared-secret`` - use predefined shared secret phrase, must be the - same for local and remote side; + * ``pre-shared-secret`` - use predefined shared secret phrase; * ``rsa`` - use simple shared RSA key. The key must be defined in the ``set vpn rsa-keys`` section; * ``x509`` - use certificates infrastructure for authentication. - * ``pre-shared-secret`` - predefined shared secret. Used if configured - ``mode pre-shared-secret``; - * ``remote-id`` - define an ID for remote peer, instead of using peer name or address. Useful in case if the remote peer is behind NAT or if ``mode x509`` is used; @@ -161,6 +167,9 @@ Example: .. code-block:: none # server config + set vpn ipsec authentication psk OFFICE-B id '198.51.100.3' + set vpn ipsec authentication psk OFFICE-B id '203.0.113.2' + set vpn ipsec authentication psk OFFICE-B secret 'SomePreSharedKey' set vpn ipsec esp-group office-srv-esp lifetime '1800' set vpn ipsec esp-group office-srv-esp mode 'tunnel' set vpn ipsec esp-group office-srv-esp pfs 'enable' 
@@ -171,8 +180,8 @@ Example: set vpn ipsec ike-group office-srv-ike proposal 1 encryption 'aes256' set vpn ipsec ike-group office-srv-ike proposal 1 hash 'sha1' set vpn ipsec interface 'eth1' + set vpn ipsec site-to-site peer OFFICE-B authentication local-id '198.51.100.3' set vpn ipsec site-to-site peer OFFICE-B authentication mode 'pre-shared-secret' - set vpn ipsec site-to-site peer OFFICE-B authentication pre-shared-secret 'SomePreSharedKey' set vpn ipsec site-to-site peer OFFICE-B authentication remote-id '203.0.113.2' set vpn ipsec site-to-site peer OFFICE-B ike-group 'office-srv-ike' set vpn ipsec site-to-site peer OFFICE-B local-address '198.51.100.3' @@ -182,6 +191,9 @@ Example: set vpn ipsec site-to-site peer OFFICE-B tunnel 0 remote prefix '10.0.0.0/21' # remote office config + set vpn ipsec authentication psk OFFICE-A id '198.51.100.3' + set vpn ipsec authentication psk OFFICE-A id '203.0.113.2' + set vpn ipsec authentication psk OFFICE-A secret 'SomePreSharedKey' set vpn ipsec esp-group office-srv-esp lifetime '1800' set vpn ipsec esp-group office-srv-esp mode 'tunnel' set vpn ipsec esp-group office-srv-esp pfs 'enable' @@ -192,8 +204,8 @@ Example: set vpn ipsec ike-group office-srv-ike proposal 1 encryption 'aes256' set vpn ipsec ike-group office-srv-ike proposal 1 hash 'sha1' set vpn ipsec interface 'eth1' + set vpn ipsec site-to-site peer OFFICE-A authentication local-id '203.0.113.2' set vpn ipsec site-to-site peer OFFICE-A authentication mode 'pre-shared-secret' - set vpn ipsec site-to-site peer OFFICE-A authentication pre-shared-secret 'SomePreSharedKey' set vpn ipsec site-to-site peer OFFICE-A authentication remote-id '198.51.100.3' set vpn ipsec site-to-site peer OFFICE-A ike-group 'office-srv-ike' set vpn ipsec site-to-site peer OFFICE-A local-address '203.0.113.2' 
@@ -279,6 +291,9 @@ Imagine the following topology set interfaces vti vti10 address '10.0.0.2/31' + set vpn ipsec authentication psk OFFICE-B id '172.18.201.10' + set vpn ipsec authentication psk OFFICE-B id '172.18.202.10' + set vpn ipsec authentication psk OFFICE-B secret 'secretkey' set vpn ipsec esp-group ESP_DEFAULT lifetime '3600' set vpn ipsec esp-group ESP_DEFAULT mode 'tunnel' set vpn ipsec esp-group ESP_DEFAULT pfs 'dh-group19' @@ -293,7 +308,6 @@ Imagine the following topology set vpn ipsec interface 'eth0.201' set vpn ipsec site-to-site peer OFFICE-B authentication local-id '172.18.201.10' set vpn ipsec site-to-site peer OFFICE-B authentication mode 'pre-shared-secret' - set vpn ipsec site-to-site peer OFFICE-B authentication pre-shared-secret 'secretkey' set vpn ipsec site-to-site peer OFFICE-B authentication remote-id '172.18.202.10' set vpn ipsec site-to-site peer OFFICE-B connection-type 'respond' set vpn ipsec site-to-site peer OFFICE-B ike-group 'IKEv2_DEFAULT' @@ -308,6 +322,9 @@ Imagine the following topology set interfaces vti vti10 address '10.0.0.3/31' + set vpn ipsec authentication psk OFFICE-A id '172.18.201.10' + set vpn ipsec authentication psk OFFICE-A id '172.18.202.10' + set vpn ipsec authentication psk OFFICE-A secret 'secretkey' set vpn ipsec esp-group ESP_DEFAULT lifetime '3600' set vpn ipsec esp-group ESP_DEFAULT mode 'tunnel' set vpn ipsec esp-group ESP_DEFAULT pfs 'dh-group19' @@ -325,7 +342,6 @@ Imagine the following topology set vpn ipsec interface 'eth0.202' set vpn ipsec site-to-site peer OFFICE-A authentication local-id '172.18.202.10' set vpn ipsec site-to-site peer OFFICE-A authentication mode 'pre-shared-secret' - set vpn ipsec site-to-site peer OFFICE-A authentication pre-shared-secret 'secretkey' set vpn ipsec site-to-site peer OFFICE-A authentication remote-id '172.18.201.10' set vpn ipsec site-to-site peer OFFICE-A connection-type 'initiate' set vpn ipsec site-to-site peer OFFICE-A ike-group 'IKEv2_DEFAULT' |