Age | Commit message (Collapse) | Author |
|
Added config example of vpn ipsec site-to-site
|
|
|
|
Update dmvpn.rst
|
|
When we put this command we got an error like:
set interfaces tunnel tun100 local-ip '192.0.2.1'
Configuration path: interfaces tunnel tun100 [local-ip] is not valid
Set failed
|
|
To make easily understandable the Site-to-Site VPN ikev2 configuration for users (especially if the user is new to VyOS) made the following changes:
- Added dummy interface to both routers for testing purposes
- Added static route for both routers for dummy interface
- Added this line of command:
set vpn ipsec option disable-route-autoinstall
Because when we write this line after the commit action we got an error like:
WARNING: It's recommended to use ipsec vti with the next command
- corrected this line:
set vpn ipsec site-to-site peer OFFICE-B local-address '192.168.0.10'
to this:
set vpn ipsec site-to-site peer OFFICE-B local-address '172.18.201.10'
|
|
|
|
for changes done for zone based firewall
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Added Pseudo-Random Functions (PRF) information
in IPSEC documentation.
|
|
|
|
|
|
There was a typo in the reference for the image added in the previous
commit, corrected that.
|
|
Added VPN IPSec connection-type recommendation for the close-action and
dpd settings.
For example close-action restart should not be added on both peers
|
|
|
|
|
|
Migration and Change boolean nodes "enable/disable" to
disable-xxxx, enable-xxxx and just xxx for VPN IPsec
configurations
- IKE changes:
- replace 'ipsec ike-group <tag> mobike disable'
=> 'ipsec ike-group <tag> disable-mobike'
- replace 'ipsec ike-group <tag> ikev2-reauth yes|no'
=> 'ipsec ike-group <tag> ikev2-reauth'
- ESP changes:
- replace 'ipsec esp-group <tag> compression enable'
=> 'ipsec esp-group <tag> compression'
- PEER changes:
- replace: 'peer <tag> id xxx'
=> 'peer <tag> local-id xxx'
- replace: 'peer <tag> force-encapsulation enable'
=> 'peer <tag> force-udp-encapsulation'
- add option: 'peer <tag> remote-address x.x.x.x'
If peer name is IPv4 or IPv6 address add remote-address via
migration script
|
|
The command to set the vpn interface is changed in the rolling release
which is not modified in many configuration examples, corrected syntax
in all pages where it is mentioned
|
|
Fixed gramma mistake in commands
|
|
The command path:
set vpn sstp ssl key-file <file>
Does not appear to exist anymore, as per https://github.com/vyos/vyos-1x/pull/1038
Can the doc be updated with instructions on SSTP setup with new command structure?
|
|
|
|
|
|
|
|
Removed the note from the firewall page as nat grouping is not added yet
Added the information about new option 'none' in the site-to-site ipsec vpn
page
|
|
|
|
|
|
Ability to set Cisco FlexVPN vendor ID payload:
charon.cisco_flexvpn = yes
charon.install_virtual_ip_on = tunX
swanctl.connections.<conn>.vips = x.x.x.x, z.z.z.z
|
|
https://phabricator.vyos.net/T1856
https://github.com/vyos/vyos-1x/pull/1230
|
|
OpenConnect lacks full documentation which would also include how to create and
add use keys from the new PKI backend. For the time beeing we should not
confuse users.
|
|
Updated OpenConnect SSL Syntax
|
|
and remote
vyos@vyos# set int tunnel tun0
Possible completions:
remote Tunnel remote address
source-address
Source IP address used to initiate connection
|
|
Updated syntax to match 1.4.x.
|
|
|
|
|
|
A private key is also needed to finish the ipsec setup which is not mentioned
in the section "Source tunnel from loopbacks/Setting up IPSec". I have added
for reference.
|
|
|
|
|
|
|
|
Modified the index files to reflect this.
Added Diagram of the VPN Topology
Modified the weird IP subnets for local& remote sites. This Included:
Changing the Interface Address for the wg01 tunnel
Chaning the WAN addresses to addrs not in the RFC1918 range (1.1.1.1 & 2.2.2.2)
Modifing the allowed IPs and static route to reflect this.
Modified the ping test to reflect this.
Added an annotated verison of the wireguard local&remote config.
Added an example of a firewall exception for wirguard (OUTSIDE_IN)
Modified the explanation for the behavior of AllowedIPs for remote clients.
Added an example of "sudo wg" to the operational commands.
Fixed typo
|
|
There were minimal grammatical and spelling mistakes in the files which I
corrected as documentation proof reading.
Also added information about few ipsec vpn parameters.
|
|
Autosectionlabel
|
|
|
|
|
|
Update l2tp "name-server" with correct syntax
|