diff options
Diffstat (limited to 'docs')
-rw-r--r-- | docs/configuration/firewall/index.rst | 6 | ||||
-rw-r--r-- | docs/configuration/interfaces/vti.rst | 19 | ||||
-rw-r--r-- | docs/configuration/interfaces/wireguard.rst | 1 |
3 files changed, 25 insertions, 1 deletions
diff --git a/docs/configuration/firewall/index.rst b/docs/configuration/firewall/index.rst index b4a884f0..c5be158f 100644 --- a/docs/configuration/firewall/index.rst +++ b/docs/configuration/firewall/index.rst @@ -490,6 +490,12 @@ Applying a Rule-Set to a Zone Before you are able to apply a rule-set to a zone you have to create the zones first. +It helps to think of the syntax as: (see below). The 'rule-set' should be +written from the perspective of: *Source Zone*-to->*Destination Zone* + +.. cfgcmd:: set zone-policy zone <Destination Zone> from <Source Zone> + firewall name <rule-set> + .. cfgcmd:: set zone-policy zone <name> from <name> firewall name <rule-set> .. cfgcmd:: set zone-policy zone <name> from <name> firewall ipv6-name diff --git a/docs/configuration/interfaces/vti.rst b/docs/configuration/interfaces/vti.rst index 34842866..1704b9d1 100644 --- a/docs/configuration/interfaces/vti.rst +++ b/docs/configuration/interfaces/vti.rst @@ -20,4 +20,21 @@ Results in: address 192.168.2.249/30 address 2001:db8:2::249/64 description "Description" - }
\ No newline at end of file + } + +.. warning:: When using site-to-site IPsec with VTI interfaces, + be sure to disable route autoinstall + +.. code-block:: none + + set vpn ipsec options disable-route-autoinstall + +More details about the IPsec and VTI issue and option disable-route-autoinstall +https://blog.vyos.io/vyos-1-dot-2-0-development-news-in-july + +The root cause of the problem is that for VTI tunnels to work, their traffic +selectors have to be set to 0.0.0.0/0 for traffic to match the tunnel, even +though actual routing decision is made according to netfilter marks. Unless +route insertion is disabled entirely, StrongSWAN thus mistakenly inserts a +default route through the VTI peer address, which makes all traffic routed +to nowhere.
\ No newline at end of file diff --git a/docs/configuration/interfaces/wireguard.rst b/docs/configuration/interfaces/wireguard.rst index df6433c6..1c4b734c 100644 --- a/docs/configuration/interfaces/wireguard.rst +++ b/docs/configuration/interfaces/wireguard.rst @@ -151,6 +151,7 @@ below is always the public key from your peer, not your local one. .. code-block:: none set interfaces wireguard wg01 address '10.1.0.1/30' + set interfaces wireguard wg01 description 'VPN-to-wg02' set interfaces wireguard wg01 peer to-wg02 allowed-ips '192.168.2.0/24' set interfaces wireguard wg01 peer to-wg02 address '192.0.2.1' set interfaces wireguard wg01 peer to-wg02 port '51820' |