diff options
Diffstat (limited to 'docs/configuration')
-rw-r--r-- | docs/configuration/interfaces/dummy.rst | 2 | ||||
-rw-r--r-- | docs/configuration/interfaces/index.rst | 1 | ||||
-rw-r--r-- | docs/configuration/interfaces/virtual-ethernet.rst | 95 | ||||
-rw-r--r-- | docs/configuration/policy/examples.rst | 35 | ||||
-rw-r--r-- | docs/configuration/protocols/isis.rst | 263 | ||||
-rw-r--r-- | docs/configuration/vpn/ipsec.rst | 63 | ||||
-rw-r--r-- | docs/configuration/vpn/site2site_ipsec.rst | 20 |
7 files changed, 394 insertions, 85 deletions
diff --git a/docs/configuration/interfaces/dummy.rst b/docs/configuration/interfaces/dummy.rst index 8440feca..ba09d9a7 100644 --- a/docs/configuration/interfaces/dummy.rst +++ b/docs/configuration/interfaces/dummy.rst @@ -68,7 +68,7 @@ Operation .. code-block:: none - vyos@vyos:~$ show interfaces ethernet eth0 + vyos@vyos:~$ show interfaces dummy dum0 dum0: <BROADCAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default qlen 1000 link/ether 26:7c:8e:bc:fc:f5 brd ff:ff:ff:ff:ff:ff inet 172.18.254.201/32 scope global dum0 diff --git a/docs/configuration/interfaces/index.rst b/docs/configuration/interfaces/index.rst index 23792203..97ad709e 100644 --- a/docs/configuration/interfaces/index.rst +++ b/docs/configuration/interfaces/index.rst @@ -20,6 +20,7 @@ Interfaces pppoe pseudo-ethernet tunnel + virtual-ethernet vti vxlan wireless diff --git a/docs/configuration/interfaces/virtual-ethernet.rst b/docs/configuration/interfaces/virtual-ethernet.rst new file mode 100644 index 00000000..a6988318 --- /dev/null +++ b/docs/configuration/interfaces/virtual-ethernet.rst @@ -0,0 +1,95 @@ +:lastproofread: 2022-11-25 + +.. _virtual-ethernet: + +################ +Virtual Ethernet +################ + +The veth devices are virtual Ethernet devices. They can act as tunnels between +network namespaces to create a bridge to a physical network device in another +namespace or VRF, but can also be used as standalone network devices. + +.. note:: veth interfaces need to be created in pairs - it's called the peer name + +************* +Configuration +************* + +Common interface configuration +============================== + +.. cmdinclude:: /_include/interface-address-with-dhcp.txt + :var0: virtual-ethernet + :var1: veth0 + +.. cmdinclude:: /_include/interface-description.txt + :var0: virtual-ethernet + :var1: veth0 + +.. cmdinclude:: /_include/interface-disable.txt + :var0: virtual-ethernet + :var1: veth0 + +.. cmdinclude:: /_include/interface-vrf.txt + :var0: virtual-ethernet + :var1: veth0 + +********* +Operation +********* + +.. opcmd:: show interfaces virtual-ethernet + + Show brief interface information. + + .. code-block:: none + + vyos@vyos:~$ show interfaces virtual-ethernet + Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down + Interface IP Address S/L Description + --------- ---------- --- ----------- + veth10 100.64.0.0/31 u/u + veth11 100.64.0.1/31 u/u + +.. opcmd:: show interfaces virtual-ethernet <interface> + + Show detailed information on given `<interface>` + + .. code-block:: none + + vyos@vyos:~$ show interfaces virtual-ethernet veth11 + 10: veth11@veth10: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master red state UP group default qlen 1000 + link/ether b2:7b:df:47:e9:11 brd ff:ff:ff:ff:ff:ff + inet 100.64.0.1/31 scope global veth11 + valid_lft forever preferred_lft forever + inet6 fe80::b07b:dfff:fe47:e911/64 scope link + valid_lft forever preferred_lft forever + + + RX: bytes packets errors dropped overrun mcast + 0 0 0 0 0 0 + TX: bytes packets errors dropped carrier collisions + 1369707 4267 0 0 0 0 + +******* +Example +******* + +Interconnect the global VRF with vrf "red" using the veth10 <-> veth 11 pair + +.. code-block:: none + + set interfaces virtual-ethernet veth10 address '100.64.0.0/31' + set interfaces virtual-ethernet veth10 peer-name 'veth11' + set interfaces virtual-ethernet veth11 address '100.64.0.1/31' + set interfaces virtual-ethernet veth11 peer-name 'veth10' + set interfaces virtual-ethernet veth11 vrf 'red' + set vrf name red table '1000' + + vyos@vyos:~$ ping 100.64.0.1 + PING 100.64.0.1 (100.64.0.1) 56(84) bytes of data. + 64 bytes from 100.64.0.1: icmp_seq=1 ttl=64 time=0.080 ms + 64 bytes from 100.64.0.1: icmp_seq=2 ttl=64 time=0.119 ms + + diff --git a/docs/configuration/policy/examples.rst b/docs/configuration/policy/examples.rst index 2d44f4bc..7c7b9c46 100644 --- a/docs/configuration/policy/examples.rst +++ b/docs/configuration/policy/examples.rst @@ -83,7 +83,7 @@ interface, we use: .. code-block:: none - set interfaces ethernet eth1 policy route FILTER-WEB + set policy route FILTER-WEB interface eth1 ################ Multiple Uplinks @@ -129,8 +129,8 @@ Apply routing policy to **inbound** direction of out VLAN interfaces .. code-block:: none - set interfaces ethernet eth0 vif 10 policy route 'PBR' - set interfaces ethernet eth0 vif 11 policy route 'PBR' + set policy route 'PBR' interface eth0.10 + set policy route 'PBR' interface eth0.11 **OPTIONAL:** Exclude Inter-VLAN traffic (between VLAN10 and VLAN11) @@ -182,3 +182,32 @@ Add multiple source IP in one rule with same priority set policy local-route rule 101 source '203.0.113.253' set policy local-route rule 101 source '198.51.100.0/24' +########################### +Clamp MSS for a specific IP +########################### + +This example shows how to target an MSS clamp (in our example to 1360 bytes) +to a specific destination IP. + +.. code-block:: none + + set policy route IP-MSS-CLAMP rule 10 description 'Clamp TCP session MSS to 1360 for 198.51.100.30' + set policy route IP-MSS-CLAMP rule 10 destination address '198.51.100.30/32' + set policy route IP-MSS-CLAMP rule 10 protocol 'tcp' + set policy route IP-MSS-CLAMP rule 10 set tcp-mss '1360' + set policy route IP-MSS-CLAMP rule 10 tcp flags 'SYN' + +To apply this policy to the correct interface, configure it on the +interface the inbound local host will send through to reach our +destined target host (in our example eth1). + +.. code-block:: none + + set policy route IP-MSS-CLAMP interface eth1 + +You can view that the policy is being correctly (or incorrectly) utilised +with the following command: + +.. code-block:: none + + show policy route statistics diff --git a/docs/configuration/protocols/isis.rst b/docs/configuration/protocols/isis.rst index 416a42c3..ef9cc960 100644 --- a/docs/configuration/protocols/isis.rst +++ b/docs/configuration/protocols/isis.rst @@ -7,14 +7,18 @@ IS-IS ##### :abbr:`IS-IS (Intermediate System to Intermediate System)` is a link-state -interior gateway routing protocol which is described in ISO10589, -:rfc:`1195`, :rfc:`5308`. Like OSPF, IS-IS runs the Dijkstra shortest-path -first (SPF) algorithm to create a database of the network’s topology and, -from that database, to determine the best (that is, shortest) path to a -destination. The routers exchange topology information with their nearest -neighbors. IS-IS runs directly on the data link layer (Layer 2). IS-IS -addresses are called :abbr:`NETs (Network Entity Titles)` and can be -8 to 20 bytes long, but are generally 10 bytes long. +interior gateway protocol (IGP) which is described in ISO10589, +:rfc:`1195`, :rfc:`5308`. IS-IS runs the Dijkstra shortest-path first (SPF) +algorithm to create a database of the network’s topology, and +from that database to determine the best (that is, lowest cost) path to a +destination. The intermediate systems (the name for routers) exchange topology +information with their directly conencted neighbors. IS-IS runs directly on +the data link layer (Layer 2). IS-IS addresses are called +:abbr:`NETs (Network Entity Titles)` and can be 8 to 20 bytes long, but are +generally 10 bytes long. The tree database that is created with IS-IS is +similar to the one that is created with OSPF in that the paths chosen should +be similar. Comparisons to OSPF are inevitable and often are reasonable ones +to make in regards to the way a network will respond with either IGP. ******* General @@ -26,60 +30,76 @@ Configuration Mandatory Settings ------------------ +For IS-IS top operate correctly, one must do the equivalent of a Router ID in +CLNS. This Router ID is called the :abbr:`NET (Network Entity Title)`. This +must be unique for each and every router that is operating in IS-IS. It also +must not be duplicated otherwise the same issues that occur within OSPF will +occur within IS-IS when it comes to said duplication. + + .. cfgcmd:: set protocols isis net <network-entity-title> - This commad also sets network entity title (NET) provided in ISO format. + This commad sets network entity title (NET) provided in ISO format. - For example :abbr:`NET (Network Entity Title)` + Here is an example :abbr:`NET (Network Entity Title)` value: .. code-block:: none 49.0001.1921.6800.1002.00 - The IS-IS address consists of the following parts: + The CLNS address consists of the following parts: * :abbr:`AFI (Address family authority identifier)` - ``49`` The AFI value 49 is what IS-IS uses for private addressing. - * Area identifier: ``0001`` IS-IS area number (Area1) + * Area identifier: ``0001`` IS-IS area number (numberical area ``1``) * System identifier: ``1921.6800.1002`` - for system idetifiers we recommend - to use IP address or MAC address of the router itself. + to use IP address or MAC address of the router itself. The way to construct + this is to keep all of the zeroes of the router IP address, and then change + the periods from being every three numbers to every four numbers. The + address that is listed here is ``192.168.1.2``, which if expanded will turn + into ``192.168.001.002``. Then all one has to do is move the dots to have + four numbers instead of three. This gives us ``1921.6800.1002``. - * NET selector: ``00`` Must always be 00, to indicate "this system". + * :abbr:`NET (Network Entity Title)` selector: ``00`` Must always be 00. This + setting indicates "this system" or "local system." .. cfgcmd:: set protocols isis interface <interface> - This command activates ISIS adjacency on this interface. Note that the name - of ISIS instance must be the same as the one used to configure the ISIS - process. + This command enables IS-IS on this interface, and allows for + adjacency to occur. Note that the name of IS-IS instance must be + the same as the one used to configure the IS-IS process. + +IS-IS Global Configuration +-------------------------- .. cfgcmd:: set protocols isis dynamic-hostname - This command enables support for dynamic hostname. Dynamic hostname mapping - determined as described in :rfc:`2763`, Dynamic Hostname Exchange Mechanism - for IS-IS. + This command enables support for dynamic hostname TLV. Dynamic hostname + mapping determined as described in :rfc:`2763`, Dynamic Hostname + Exchange Mechanism for IS-IS. .. cfgcmd:: set protocols isis level <level-1|level-1-2|level-2> - This command defines the ISIS router behavior: + This command defines the IS-IS router behavior: - **level-1** Act as a station router only. - **level-1-2** Act as both a station router and an area router. - **level-2-only** Act as an area router only. + * **level-1** - Act as a station (Level 1) router only. + * **level-1-2** - Act as a station (Level 1) router and area (Level 2) router. + * **level-2-only** - Act as an area (Level 2) router only. .. cfgcmd:: set protocols isis lsp-mtu <size> - This command configures the maximum size of generated LSPs, in bytes. The - size range is 128 to 4352. + This command configures the maximum size of generated + :abbr:`LSPs (Link State PDUs)`, in bytes. The size range is 128 to 4352. .. cfgcmd:: set protocols isis metric-style <narrow|transition|wide> - This command sets old-style (ISO 10589) or new-style packet formats: + This command sets old-style (ISO 10589) or new style packet formats: - **narrow** Use old style of TLVs with narrow metric. - **transition** Send and accept both styles of TLVs during transition. - **wide** Use new style of TLVs to carry wider metric. + * **narrow** - Use old style of TLVs with narrow metric. + * **transition** - Send and accept both styles of TLVs during transition. + * **wide** - Use new style of TLVs to carry wider metric. .. cfgcmd:: set protocols isis purge-originator @@ -117,9 +137,9 @@ Interface Configuration This command specifies circuit type for interface: - * **level-1** Level-1 only adjacencies are formed. - * **level-1-2** Level-1-2 adjacencies are formed - * **level-2-only** Level-2 only adjacencies are formed + * **level-1** - Level-1 only adjacencies are formed. + * **level-1-2** - Level-1-2 adjacencies are formed + * **level-2-only** - Level-2 only adjacencies are formed .. cfgcmd:: set protocols isis interface <interface> hello-interval <seconds> @@ -261,12 +281,87 @@ Timers to IGP events. The process described in :rfc:`8405`. -******* -Example -******* +******** +Examples +******** + +Enable IS-IS +============ + +**Node 1:** + +.. code-block:: none + + set interfaces loopback lo address '192.168.255.255/32' + set interfaces ethernet eth1 address '192.0.2.1/24' + + set protocols isis interface eth1 + set protocols isis interface lo + set protocols isis net '49.0001.1921.6825.5255.00' + +**Node 2:** + +.. code-block:: none + + set interfaces ethernet eth1 address '192.0.2.2/24' + + set interfaces loopback lo address '192.168.255.254/32' + set interfaces ethernet eth1 address '192.0.2.2/24' + + set protocols isis interface eth1 + set protocols isis interface lo + set protocols isis net '49.0001.1921.6825.5254.00' + + + +This gives us the following neighborships, Level 1 and Level 2: + +.. code-block:: none + + Node-1@vyos:~$ show isis neighbor + Area VyOS: + System Id Interface L State Holdtime SNPA + vyos eth1 1 Up 28 0c87.6c09.0001 + vyos eth1 2 Up 28 0c87.6c09.0001 + + Node-2@vyos:~$ show isis neighbor + Area VyOS: + System Id Interface L State Holdtime SNPA + vyos eth1 1 Up 29 0c33.0280.0001 + vyos eth1 2 Up 28 0c33.0280.0001 + + + +Here's the IP routes that are populated. Just the loopback: + +.. code-block:: none + + Node-1@vyos:~$ show ip route isis + Codes: K - kernel route, C - connected, S - static, R - RIP, + O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP, + T - Table, v - VNC, V - VNC-Direct, A - Babel, F - PBR, + f - OpenFabric, + > - selected route, * - FIB route, q - queued, r - rejected, b - backup + t - trapped, o - offload failure + + I 192.0.2.0/24 [115/20] via 192.0.2.2, eth1 inactive, weight 1, 00:02:22 + I>* 192.168.255.254/32 [115/20] via 192.0.2.2, eth1, weight 1, 00:02:22 + + Node-2@vyos:~$ show ip route isis + Codes: K - kernel route, C - connected, S - static, R - RIP, + O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP, + T - Table, v - VNC, V - VNC-Direct, A - Babel, F - PBR, + f - OpenFabric, + > - selected route, * - FIB route, q - queued, r - rejected, b - backup + t - trapped, o - offload failure -Simple IS-IS configuration using 2 nodes and redistributing connected -interfaces. + I 192.0.2.0/24 [115/20] via 192.0.2.1, eth1 inactive, weight 1, 00:02:21 + I>* 192.168.255.255/32 [115/20] via 192.0.2.1, eth1, weight 1, 00:02:21 + + + +Enable IS-IS and redistribute routes not natively in IS-IS +========================================================== **Node 1:** @@ -293,11 +388,11 @@ interfaces. set protocols isis interface eth1 set protocols isis net '49.0001.1921.6800.2002.00' -Show ip routes on Node2: +Routes on Node 2: .. code-block:: none - vyos@r2:~$ show ip route isis + Node-2@r2:~$ show ip route isis Codes: K - kernel route, C - connected, S - static, R - RIP, O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP, T - Table, v - VNC, V - VNC-Direct, A - Babel, D - SHARP, @@ -305,3 +400,91 @@ Show ip routes on Node2: > - selected route, * - FIB route, q - queued route, r - rejected route I 203.0.113.0/24 [115/10] via 192.0.2.1, eth1, 00:03:42 + + + + +Enable IS-IS with Segment Routing (Experimental) +================================================ + +**Node 1:** + +.. code-block:: none + + set interfaces loopback lo address '192.168.255.255/32' + set interfaces ethernet eth1 address '192.0.2.1/24' + + set protocols isis interface eth1 + set protocols isis interface lo + set protocols isis net '49.0001.1921.6825.5255.00' + set protocols isis segment-routing global-block high-label-value '599' + set protocols isis segment-routing global-block low-label-value '550' + set protocols isis segment-routing prefix 192.168.255.255/32 index value '1' + set protocols isis segment-routing prefix 192.168.255.255/32 index explicit-null + set protocols mpls interface 'eth1' + +**Node 2:** + +.. code-block:: none + + set interfaces loopback lo address '192.168.255.254/32' + set interfaces ethernet eth1 address '192.0.2.2/24' + + set protocols isis interface eth1 + set protocols isis interface lo + set protocols isis net '49.0001.1921.6825.5254.00' + set protocols isis segment-routing global-block high-label-value '599' + set protocols isis segment-routing global-block low-label-value '550' + set protocols isis segment-routing prefix 192.168.255.254/32 index value '2' + set protocols isis segment-routing prefix 192.168.255.254/32 index explicit-null + set protocols mpls interface 'eth1' + + + +This gives us MPLS segment routing enabled and labels for far end loopbacks: + +.. code-block:: none + + Node-1@vyos:~$ show mpls table + Inbound Label Type Nexthop Outbound Label + ---------------------------------------------------------------------- + 552 SR (IS-IS) 192.0.2.2 IPv4 Explicit Null <-- Node-2 loopback learned on Node-1 + 15000 SR (IS-IS) 192.0.2.2 implicit-null + 15001 SR (IS-IS) fe80::e87:6cff:fe09:1 implicit-null + 15002 SR (IS-IS) 192.0.2.2 implicit-null + 15003 SR (IS-IS) fe80::e87:6cff:fe09:1 implicit-null + + Node-2@vyos:~$ show mpls table + Inbound Label Type Nexthop Outbound Label + --------------------------------------------------------------------- + 551 SR (IS-IS) 192.0.2.1 IPv4 Explicit Null <-- Node-1 loopback learned on Node-2 + 15000 SR (IS-IS) 192.0.2.1 implicit-null + 15001 SR (IS-IS) fe80::e33:2ff:fe80:1 implicit-null + 15002 SR (IS-IS) 192.0.2.1 implicit-null + 15003 SR (IS-IS) fe80::e33:2ff:fe80:1 implicit-null + +Here is the routing tables showing the MPLS segment routing label operations: + +.. code-block:: none + + Node-1@vyos:~$ show ip route isis + Codes: K - kernel route, C - connected, S - static, R - RIP, + O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP, + T - Table, v - VNC, V - VNC-Direct, A - Babel, F - PBR, + f - OpenFabric, + > - selected route, * - FIB route, q - queued, r - rejected, b - backup + t - trapped, o - offload failure + + I 192.0.2.0/24 [115/20] via 192.0.2.2, eth1 inactive, weight 1, 00:07:48 + I>* 192.168.255.254/32 [115/20] via 192.0.2.2, eth1, label IPv4 Explicit Null, weight 1, 00:03:39 + + Node-2@vyos:~$ show ip route isis + Codes: K - kernel route, C - connected, S - static, R - RIP, + O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP, + T - Table, v - VNC, V - VNC-Direct, A - Babel, F - PBR, + f - OpenFabric, + > - selected route, * - FIB route, q - queued, r - rejected, b - backup + t - trapped, o - offload failure + + I 192.0.2.0/24 [115/20] via 192.0.2.1, eth1 inactive, weight 1, 00:07:46 + I>* 192.168.255.255/32 [115/20] via 192.0.2.1, eth1, label IPv4 Explicit Null, weight 1, 00:03:43 diff --git a/docs/configuration/vpn/ipsec.rst b/docs/configuration/vpn/ipsec.rst index d1ea7bbc..4721cbcd 100644 --- a/docs/configuration/vpn/ipsec.rst +++ b/docs/configuration/vpn/ipsec.rst @@ -166,7 +166,7 @@ VyOS ESP group has the next options: *********************************************** Options (Global IPsec settings) Attributes *********************************************** -* ``options`` IPsec settings: +* ``options`` * ``disable-route-autoinstall`` Do not automatically install routes to remote networks; @@ -210,16 +210,18 @@ On the LEFT: set vpn ipsec esp-group MyESPGroup proposal 1 hash 'sha1' # IPsec tunnel - set vpn ipsec site-to-site peer 203.0.113.45 authentication mode pre-shared-secret - set vpn ipsec site-to-site peer 203.0.113.45 authentication pre-shared-secret MYSECRETKEY + set vpn ipsec site-to-site peer right authentication mode pre-shared-secret + set vpn ipsec site-to-site peer right authentication pre-shared-secret MYSECRETKEY + set vpn ipsec site-to-site peer right authentication remote-id 203.0.113.45 - set vpn ipsec site-to-site peer 203.0.113.45 ike-group MyIKEGroup - set vpn ipsec site-to-site peer 203.0.113.45 default-esp-group MyESPGroup + set vpn ipsec site-to-site peer right ike-group MyIKEGroup + set vpn ipsec site-to-site peer right default-esp-group MyESPGroup - set vpn ipsec site-to-site peer 203.0.113.45 local-address 192.0.2.10 + set vpn ipsec site-to-site peer right local-address 192.0.2.10 + set vpn ipsec site-to-site peer right remote-address 203.0.113.45 # This will match all GRE traffic to the peer - set vpn ipsec site-to-site peer 203.0.113.45 tunnel 1 protocol gre + set vpn ipsec site-to-site peer right tunnel 1 protocol gre On the RIGHT, setup by analogy and swap local and remote addresses. @@ -235,6 +237,8 @@ an IPsec policy to match those loopback addresses. We assume that the LEFT router has static 192.0.2.10 address on eth0, and the RIGHT router has a dynamic address on eth0. +The peer names RIGHT and LEFT are used as informational text. + **Setting up the GRE tunnel** On the LEFT: @@ -325,17 +329,17 @@ On the LEFT (static address): set vpn ipsec ike-group MyIKEGroup proposal 1 encryption aes128 set vpn ipsec ike-group MyIKEGroup proposal 1 hash sha1 - set vpn ipsec site-to-site peer @RIGHT authentication id LEFT - set vpn ipsec site-to-site peer @RIGHT authentication mode rsa - set vpn ipsec site-to-site peer @RIGHT authentication rsa local-key ipsec-LEFT - set vpn ipsec site-to-site peer @RIGHT authentication rsa remote-key ipsec-RIGHT - set vpn ipsec site-to-site peer @RIGHT authentication remote-id RIGHT - set vpn ipsec site-to-site peer @RIGHT default-esp-group MyESPGroup - set vpn ipsec site-to-site peer @RIGHT ike-group MyIKEGroup - set vpn ipsec site-to-site peer @RIGHT local-address 192.0.2.10 - set vpn ipsec site-to-site peer @RIGHT connection-type respond - set vpn ipsec site-to-site peer @RIGHT tunnel 1 local prefix 192.168.99.1/32 # Additional loopback address on the local - set vpn ipsec site-to-site peer @RIGHT tunnel 1 remote prefix 192.168.99.2/32 # Additional loopback address on the remote + set vpn ipsec site-to-site peer RIGHT authentication local-id LEFT + set vpn ipsec site-to-site peer RIGHT authentication mode rsa + set vpn ipsec site-to-site peer RIGHT authentication rsa local-key ipsec-LEFT + set vpn ipsec site-to-site peer RIGHT authentication rsa remote-key ipsec-RIGHT + set vpn ipsec site-to-site peer RIGHT authentication remote-id RIGHT + set vpn ipsec site-to-site peer RIGHT default-esp-group MyESPGroup + set vpn ipsec site-to-site peer RIGHT ike-group MyIKEGroup + set vpn ipsec site-to-site peer RIGHT local-address 192.0.2.10 + set vpn ipsec site-to-site peer RIGHT connection-type respond + set vpn ipsec site-to-site peer RIGHT tunnel 1 local prefix 192.168.99.1/32 # Additional loopback address on the local + set vpn ipsec site-to-site peer RIGHT tunnel 1 remote prefix 192.168.99.2/32 # Additional loopback address on the remote On the RIGHT (dynamic address): @@ -350,14 +354,15 @@ On the RIGHT (dynamic address): set vpn ipsec ike-group MyIKEGroup proposal 1 encryption aes128 set vpn ipsec ike-group MyIKEGroup proposal 1 hash sha1 - set vpn ipsec site-to-site peer 192.0.2.10 authentication id RIGHT - set vpn ipsec site-to-site peer 192.0.2.10 authentication mode rsa - set vpn ipsec site-to-site peer 192.0.2.10 authentication rsa local-key ipsec-RIGHT - set vpn ipsec site-to-site peer 192.0.2.10 authentication rsa remote-key ipsec-LEFT - set vpn ipsec site-to-site peer 192.0.2.10 authentication remote-id LEFT - set vpn ipsec site-to-site peer 192.0.2.10 connection-type initiate - set vpn ipsec site-to-site peer 192.0.2.10 default-esp-group MyESPGroup - set vpn ipsec site-to-site peer 192.0.2.10 ike-group MyIKEGroup - set vpn ipsec site-to-site peer 192.0.2.10 local-address any - set vpn ipsec site-to-site peer 192.0.2.10 tunnel 1 local prefix 192.168.99.2/32 # Additional loopback address on the local - set vpn ipsec site-to-site peer 192.0.2.10 tunnel 1 remote prefix 192.168.99.1/32 # Additional loopback address on the remote + set vpn ipsec site-to-site peer LEFT authentication local-id RIGHT + set vpn ipsec site-to-site peer LEFT authentication mode rsa + set vpn ipsec site-to-site peer LEFT authentication rsa local-key ipsec-RIGHT + set vpn ipsec site-to-site peer LEFT authentication rsa remote-key ipsec-LEFT + set vpn ipsec site-to-site peer LEFT authentication remote-id LEFT + set vpn ipsec site-to-site peer LEFT connection-type initiate + set vpn ipsec site-to-site peer LEFT default-esp-group MyESPGroup + set vpn ipsec site-to-site peer LEFT ike-group MyIKEGroup + set vpn ipsec site-to-site peer LEFT local-address any + set vpn ipsec site-to-site peer LEFT remote-address 192.0.2.10 + set vpn ipsec site-to-site peer LEFT tunnel 1 local prefix 192.168.99.2/32 # Additional loopback address on the local + set vpn ipsec site-to-site peer LEFT tunnel 1 remote prefix 192.168.99.1/32 # Additional loopback address on the remote diff --git a/docs/configuration/vpn/site2site_ipsec.rst b/docs/configuration/vpn/site2site_ipsec.rst index e72dbdd4..482c7130 100644 --- a/docs/configuration/vpn/site2site_ipsec.rst +++ b/docs/configuration/vpn/site2site_ipsec.rst @@ -8,19 +8,10 @@ to exchange encrypted information between them and VyOS itself or connected/routed networks. To configure site-to-site connection you need to add peers with the -``set vpn ipsec site-to-site`` command. +``set vpn ipsec site-to-site peer <name>`` command. -You can identify a remote peer with: - -* IPv4 or IPv6 address. This mode is easiest for configuration and mostly used - when a peer has a public static IP address; -* Hostname. This mode is similar to IP address, only you define DNS name instead - of an IP. Could be used when a peer has a public IP address and DNS name, but - an IP address could be changed from time to time; -* Remote ID of the peer. In this mode, there is no predefined remote address - nor DNS name of the peer. This mode is useful when a peer doesn't have a - publicly available IP address (NAT between it and VyOS), or IP address could - be changed. +The peer name must be an alphanumeric and can have hypen or underscore as +special characters. It is purely informational. Each site-to-site peer has the next options: @@ -111,6 +102,11 @@ Each site-to-site peer has the next options: If defined ``any``, then an IP address which configured on interface with default route will be used; +* ``remote-address`` - remote IP address or hostname for IPSec connection. + IPv4 or IPv6 address is used when a peer has a public static IP address. + Hostname is a DNS name which could be used when a peer has a public IP + address and DNS name, but an IP address could be changed from time to time. + * ``tunnel`` - define criteria for traffic to be matched for encrypting and send it to a peer: |