From f1d53340b2634c8fbed7f63586f4b172f6c0c678 Mon Sep 17 00:00:00 2001
From: rebortg
Date: Mon, 18 Sep 2023 05:42:25 +0000
Subject: Github: update translations
---
docs/_locale/de/LC_MESSAGES/configexamples.mo | Bin 119351 -> 123543 bytes
docs/_locale/de/LC_MESSAGES/configuration.mo | Bin 1043295 -> 1051533 bytes
docs/_locale/de/LC_MESSAGES/contributing.mo | Bin 109085 -> 109457 bytes
docs/_locale/de/configexamples.pot | 225 +++++++++----
docs/_locale/de/configuration.pot | 459 +++++++++++++++-----------
docs/_locale/de/contributing.pot | 177 +++++-----
6 files changed, 525 insertions(+), 336 deletions(-)
(limited to 'docs/_locale/de')
diff --git a/docs/_locale/de/LC_MESSAGES/configexamples.mo b/docs/_locale/de/LC_MESSAGES/configexamples.mo
index b576ae18..44d8467f 100644
Binary files a/docs/_locale/de/LC_MESSAGES/configexamples.mo and b/docs/_locale/de/LC_MESSAGES/configexamples.mo differ
diff --git a/docs/_locale/de/LC_MESSAGES/configuration.mo b/docs/_locale/de/LC_MESSAGES/configuration.mo
index 77349729..2214ada7 100644
Binary files a/docs/_locale/de/LC_MESSAGES/configuration.mo and b/docs/_locale/de/LC_MESSAGES/configuration.mo differ
diff --git a/docs/_locale/de/LC_MESSAGES/contributing.mo b/docs/_locale/de/LC_MESSAGES/contributing.mo
index da94bd77..98e048cc 100644
Binary files a/docs/_locale/de/LC_MESSAGES/contributing.mo and b/docs/_locale/de/LC_MESSAGES/contributing.mo differ
diff --git a/docs/_locale/de/configexamples.pot b/docs/_locale/de/configexamples.pot
index 877d0a5f..22c08587 100644
--- a/docs/_locale/de/configexamples.pot
+++ b/docs/_locale/de/configexamples.pot
@@ -8,7 +8,7 @@ msgstr "" "Language: de\n" "Plural-Forms: nplurals=2; plural=(n==1) ? 0 : 1;\n" -#: ../../configexamples/zone-policy.rst:152 +#: ../../configexamples/zone-policy.rst:162 msgid "''It is important to note, that you do not want to add logging to the established state rule as you will be logging both the inbound and outbound packets for each session instead of just the initiation of the session. Your logs will be massive in a very short period of time.''" msgstr "''It is important to note, that you do not want to add logging to the established state rule as you will be logging both the inbound and outbound packets for each session instead of just the initiation of the session. Your logs will be massive in a very short period of time.''" @@ -36,7 +36,7 @@ msgstr "**NOTE:** VyOS Router (tested with VyOS 1.4-rolling-202110310317) – T msgid "**Note:** At the moment, trace mpls doesn’t show labels/paths. So we’ll see * * * for the transit routers of the mpls backbone." msgstr "**Note:** At the moment, trace mpls doesn’t show labels/paths. So we’ll see * * * for the transit routers of the mpls backbone." -#: ../../configexamples/zone-policy.rst:24 +#: ../../configexamples/zone-policy.rst:34 msgid "**This specific example is for a router on a stick, but is very easily adapted for however many NICs you have**:" msgstr "**This specific example is for a router on a stick, but is very easily adapted for however many NICs you have**:" 
@@ -140,11 +140,11 @@ msgstr "172.17.1.40 CS0 by default" msgid "172.17.1.4 CS0 -> CS6" msgstr "172.17.1.4 CS0 -> CS6" -#: ../../configexamples/zone-policy.rst:35 +#: ../../configexamples/zone-policy.rst:45 msgid "192.168.100.10/2001:0DB8:0:AAAA::10 is the administrator's console. It can SSH to VyOS." msgstr "192.168.100.10/2001:0DB8:0:AAAA::10 is the administrator's console. It can SSH to VyOS." -#: ../../configexamples/zone-policy.rst:33 +#: ../../configexamples/zone-policy.rst:43 msgid "192.168.200.200/2001:0DB8:0:BBBB::200 is an internal/external DNS, web and mail (SMTP/IMAP) server." msgstr "192.168.200.200/2001:0DB8:0:BBBB::200 is an internal/external DNS, web and mail (SMTP/IMAP) server." @@ -186,6 +186,10 @@ msgstr "203.0.113.2" msgid "203.0.113.3" msgstr "203.0.113.3" +#: ../../configexamples/policy-based-ipsec-and-firewall.rst:20 +msgid "2 private subnets on each site." +msgstr "2 private subnets on each site." + #: ../../configexamples/l3vpn-hub-and-spoke.rst:35 msgid "2 x Route reflectors (VyOS-RRx)" msgstr "2 x Route reflectors (VyOS-RRx)" @@ -272,7 +276,7 @@ msgstr "A brief excursion into VRFs: This has been one of the longest-standing f msgid "A connection resource deployed in Azure linking the Azure VNet gateway and the local network gateway representing the Vyos device." msgstr "A connection resource deployed in Azure linking the Azure VNet gateway and the local network gateway representing the Vyos device." -#: ../../configexamples/index.rst:34 +#: ../../configexamples/index.rst:35 msgid "A host ``vyos-oobm`` will use as a ssh proxy. This host is just necessary for the Lab test." msgstr "A host ``vyos-oobm`` will use as a ssh proxy. This host is just necessary for the Lab test." 
@@ -338,6 +342,10 @@ msgstr "After all is done and commit, let's take a look if the Wireguard interfa msgid "After configured all the VRFs involved in this topology we take a deeper look at both BGP and Routing table for the VRF LAN1" msgstr "After configured all the VRFs involved in this topology we take a deeper look at both BGP and Routing table for the VRF LAN1" +#: ../../configexamples/policy-based-ipsec-and-firewall.rst:206 +msgid "After some testing, we can check ipsec status, and counter on every tunnel:" +msgstr "After some testing, we can check ipsec status, and counter on every tunnel:" + #: ../../configexamples/qos.rst:81 msgid "After the interface eth0 on router VyOS3" msgstr "After the interface eth0 on router VyOS3" @@ -362,6 +370,10 @@ msgstr "All traffic coming in through eth2 is balanced between eth0 and eth1 on msgid "Allow DHCPv6 packets for router" msgstr "Allow DHCPv6 packets for router" +#: ../../configexamples/policy-based-ipsec-and-firewall.rst:32 +msgid "Allow access to the router only from trusted networks." +msgstr "Allow access to the router only from trusted networks." + #: ../../configexamples/pppoe-ipv6-basic.rst:86 msgid "Allow all established and related traffic for router and LAN" msgstr "Allow all established and related traffic for router and LAN" 
@@ -370,6 +382,26 @@ msgstr "Allow all established and related traffic for router and LAN" msgid "Allow all icmpv6 packets for router and LAN" msgstr "Allow all icmpv6 packets for router and LAN" +#: ../../configexamples/policy-based-ipsec-and-firewall.rst:38 +msgid "Allow all new connections from local subnets." +msgstr "Allow all new connections from local subnets." + +#: ../../configexamples/policy-based-ipsec-and-firewall.rst:40 +msgid "Allow connections from LANs to LANs throught the tunnel." +msgstr "Allow connections from LANs to LANs throught the tunnel." + +#: ../../configexamples/policy-based-ipsec-and-firewall.rst:34 +msgid "Allow dns requests only only for local networks." +msgstr "Allow dns requests only only for local networks." + +#: ../../configexamples/policy-based-ipsec-and-firewall.rst:36 +msgid "Allow icmp on all interfaces." +msgstr "Allow icmp on all interfaces." + +#: ../../configexamples/policy-based-ipsec-and-firewall.rst:220 +msgid "Also, we can check firewall counters:" +msgstr "Also, we can check firewall counters:" + #: ../../configexamples/l3vpn-hub-and-spoke.rst:716 msgid "Also we can verify how PE devices receives VPNv4 networks from the RRs and installing them to the specific customer VRFs:" msgstr "Also we can verify how PE devices receives VPNv4 networks from the RRs and installing them to the specific customer VRFs:" 
@@ -378,6 +410,10 @@ msgstr "Also we can verify how PE devices receives VPNv4 networks from the RRs a msgid "An L3VPN consists of multiple access links, multiple VPN routing and forwarding (VRF) tables, and multiple MPLS paths or multiple P2MP LSPs. An L3VPN can be configured to connect two or more customer sites. In hub-and-spoke MPLS L3VPN environments, the spoke routers need to have unique Route Distinguishers (RDs). In order to use the hub site as a transit point for connectivity in such an environment, the spoke sites export their routes to the hub. Spokes can talk to hubs, but never have direct paths to other spokes. All traffic between spokes is controlled and delivered over the hub site." msgstr "An L3VPN consists of multiple access links, multiple VPN routing and forwarding (VRF) tables, and multiple MPLS paths or multiple P2MP LSPs. An L3VPN can be configured to connect two or more customer sites. In hub-and-spoke MPLS L3VPN environments, the spoke routers need to have unique Route Distinguishers (RDs). In order to use the hub site as a transit point for connectivity in such an environment, the spoke sites export their routes to the hub. Spokes can talk to hubs, but never have direct paths to other spokes. All traffic between spokes is controlled and delivered over the hub site." +#: ../../configexamples/policy-based-ipsec-and-firewall.rst:191 +msgid "And NAT Configuration:" +msgstr "And NAT Configuration:" + #: ../../configexamples/autotest/Wireguard/Wireguard.rst:99 msgid "And ping the Branch PC from your central router to check the response." msgstr "And ping the Branch PC from your central router to check the response." 
@@ -541,7 +577,7 @@ msgstr "Both LANs have to be able to route between each other, both will have ma msgid "Branch" msgstr "Branch" -#: ../../configexamples/zone-policy.rst:141 +#: ../../configexamples/zone-policy.rst:151 msgid "By default, iptables does not allow traffic for established sessions to return, so you must explicitly allow this. I do this by adding two rules to every ruleset. 1 allows established and related state packets through and rule 2 drops and logs invalid state packets. We place the established/related rule at the top because the vast majority of traffic on a network is established and the invalid rule to prevent invalid state packets from mistakenly being matched against other rules. Having the most matched rule listed first reduces CPU load in high volume environments. Note: I have filed a bug to have this added as a default action as well." msgstr "By default, iptables does not allow traffic for established sessions to return, so you must explicitly allow this. I do this by adding two rules to every ruleset. 1 allows established and related state packets through and rule 2 drops and logs invalid state packets. We place the established/related rule at the top because the vast majority of traffic on a network is established and the invalid rule to prevent invalid state packets from mistakenly being matched against other rules. Having the most matched rule listed first reduces CPU load in high volume environments. Note: I have filed a bug to have this added as a default action as well." 
@@ -579,6 +615,10 @@ msgstr "Check the result." msgid "Checking the routing table of the VRF should reveal both static and connected entries active. A PING test between the Core and remote router is a way to validate connectivity within the VRF." msgstr "Checking the routing table of the VRF should reveal both static and connected entries active. A PING test between the Core and remote router is a way to validate connectivity within the VRF." +#: ../../configexamples/policy-based-ipsec-and-firewall.rst:204 +msgid "Checking through op-mode commands" +msgstr "Checking through op-mode commands" + #: ../../configexamples/ha.rst:90 msgid "Cisco VPC Crossconnect - Ports 39 and 40 bonded between each switch" msgstr "Cisco VPC Crossconnect - Ports 39 and 40 bonded between each switch" @@ -592,6 +632,10 @@ msgstr "Clamp the VTI's MSS to 1350 to avoid PMTU blackholes." msgid "Client configuration" msgstr "Client configuration" +#: ../../configexamples/policy-based-ipsec-and-firewall.rst:24 +msgid "Communication between private subnets should be done through ipsec tunnel without nat." +msgstr "Communication between private subnets should be done through ipsec tunnel without nat." + #: ../../configexamples/inter-vrf-routing-vrf-lite.rst:601 msgid "Conclusions" msgstr "Conclusions" @@ -606,6 +650,7 @@ msgstr "Conclusions" #: ../../configexamples/inter-vrf-routing-vrf-lite.rst:774 #: ../../configexamples/l3vpn-hub-and-spoke.rst:100 #: ../../configexamples/ospf-unnumbered.rst:12 +#: ../../configexamples/policy-based-ipsec-and-firewall.rst:47 #: ../../configexamples/segment-routing-isis.rst:24 msgid "Configuration" msgstr "Configuration" @@ -630,7 +675,7 @@ msgstr "Configuration 'dcsp' and shaper using QoS" msgid "Configuration Blueprints" msgstr "Configuration Blueprints" -#: ../../configexamples/index.rst:27 +#: ../../configexamples/index.rst:28 msgid "Configuration Blueprints (autotest)" msgstr "Configuration Blueprints (autotest)" 
@@ -638,6 +683,10 @@ msgstr "Configuration Blueprints (autotest)" msgid "Configuration VyOS as OpenVPN Server" msgstr "Configuration VyOS as OpenVPN Server" +#: ../../configexamples/policy-based-ipsec-and-firewall.rst:27 +msgid "Configuration of basic firewall in one site, in order to:" +msgstr "Configuration of basic firewall in one site, in order to:" + #: ../../configexamples/inter-vrf-routing-vrf-lite.rst:113 #: ../../configexamples/pppoe-ipv6-basic.rst:26 msgid "Configurations" @@ -771,11 +820,11 @@ msgstr "DHCP Relay trough GRE-Bridge" msgid "DHCPv6-PD Setup" msgstr "DHCPv6-PD Setup" -#: ../../configexamples/zone-policy.rst:364 +#: ../../configexamples/zone-policy.rst:374 msgid "DMZ-LAN policy is LAN-DMZ. You can get a rhythm to it when you build out a bunch at one time." msgstr "DMZ-LAN policy is LAN-DMZ. You can get a rhythm to it when you build out a bunch at one time." -#: ../../configexamples/zone-policy.rst:39 +#: ../../configexamples/zone-policy.rst:49 msgid "DMZ cannot access LAN resources." msgstr "DMZ cannot access LAN resources." 
@@ -803,11 +852,11 @@ msgstr "During address configuration, in addition to assigning an address to the msgid "Dynamic routing used between CE and PE nodes and eBGP peering established for the route exchanging between them. All routes received by PEs are then exported to L3VPN and delivered from Spoke sites to Hub and vise-versa based on previously configured L3VPN parameters." msgstr "Dynamic routing used between CE and PE nodes and eBGP peering established for the route exchanging between them. All routes received by PEs are then exported to L3VPN and delivered from Spoke sites to Hub and vise-versa based on previously configured L3VPN parameters." -#: ../../configexamples/zone-policy.rst:81 +#: ../../configexamples/zone-policy.rst:91 msgid "Each interface is assigned to a zone. The interface can be physical or virtual such as tunnels (VPN, PPTP, GRE, etc) and are treated exactly the same." msgstr "Each interface is assigned to a zone. The interface can be physical or virtual such as tunnels (VPN, PPTP, GRE, etc) and are treated exactly the same." -#: ../../configexamples/index.rst:31 +#: ../../configexamples/index.rst:32 msgid "Each lab will build an test from an external script. The page content will generate, so changes will not take an effect." msgstr "Each lab will build an test from an external script. The page content will generate, so changes will not take an effect." 
@@ -832,7 +881,7 @@ msgstr "Enable SSH so you can now SSH into the routers, rather than using the co msgid "Enables router advertisements. This is an IPv6 alternative for DHCP (though DHCPv6 can still be used). With RAs, Your devices will automatically find the information they need for routing and DNS." msgstr "Enables router advertisements. This is an IPv6 alternative for DHCP (though DHCPv6 can still be used). With RAs, Your devices will automatically find the information they need for routing and DNS." -#: ../../configexamples/zone-policy.rst:243 +#: ../../configexamples/zone-policy.rst:253 msgid "Even if the two zones will never communicate, it is a good idea to create the zone-pair-direction rulesets and set enable-default-log. This will allow you to log attempts to access the networks. Without it, you will never see the connection attempts." msgstr "Even if the two zones will never communicate, it is a good idea to create the zone-pair-direction rulesets and set enable-default-log. This will allow you to log attempts to access the networks. Without it, you will never see the connection attempts." @@ -893,6 +942,10 @@ msgstr "Finally, let’s check the reachability between CEs:" msgid "Firewall" msgstr "Firewall" +#: ../../configexamples/policy-based-ipsec-and-firewall.rst:123 +msgid "Firewall Configuration:" +msgstr "Firewall Configuration:" + #: ../../configexamples/autotest/tunnelbroker/tunnelbroker.rst:39 msgid "First, we configure the ``vyos-wan`` interface to get a DHCP address." msgstr "First, we configure the ``vyos-wan`` interface to get a DHCP address." 
@@ -921,6 +974,10 @@ msgstr "For home network users, most of time ISP only provides /64 prefix, hence msgid "For redundant / active-active configurations see :ref:`examples-azure-vpn-dual-bgp`" msgstr "For redundant / active-active configurations see :ref:`examples-azure-vpn-dual-bgp`" +#: ../../configexamples/policy-based-ipsec-and-firewall.rst:10 +msgid "For simplicity, configuration and tests are done only using ipv4, and firewall configuration in done only on one router." +msgstr "For simplicity, configuration and tests are done only using ipv4, and firewall configuration in done only on one router." + #: ../../configexamples/ha.rst:146 msgid "For the hardware router, replace ``eth0`` with ``bond0``. As (almost) every command is identical, this will not be specified unless different things need to be performed on different hosts." msgstr "For the hardware router, replace ``eth0`` with ``bond0``. As (almost) every command is identical, this will not be specified unless different things need to be performed on different hosts." @@ -965,7 +1022,7 @@ msgstr "Hardware" msgid "Hardware Router - Port 8 of each switch" msgstr "Hardware Router - Port 8 of each switch" -#: ../../configexamples/zone-policy.rst:272 +#: ../../configexamples/zone-policy.rst:282 msgid "Here is an example of an IPv6 DMZ-WAN ruleset." msgstr "Here is an example of an IPv6 DMZ-WAN ruleset." 
@@ -997,6 +1054,10 @@ msgstr "Hub" msgid "IP/MPLS technology is widely used by various service providers and large enterprises in order to achieve better network scalability, manageability and flexibility. It also provides the possibility to deliver different services for the customers in a seamless manner. Layer 3 VPN (L3VPN) is a type of VPN mode that is built and delivered through OSI layer 3 networking technologies. Often the border gateway protocol (BGP) is used to send and receive VPN-related data that is responsible for the control plane. L3VPN utilizes virtual routing and forwarding (VRF) techniques to receive and deliver user data as well as separate data planes of the end-users. It is built using a combination of IP- and MPLS-based information. Generally, L3VPNs are used to send data on back-end VPN infrastructures, such as for VPN connections between data centres, HQs and branches." msgstr "IP/MPLS technology is widely used by various service providers and large enterprises in order to achieve better network scalability, manageability and flexibility. It also provides the possibility to deliver different services for the customers in a seamless manner. Layer 3 VPN (L3VPN) is a type of VPN mode that is built and delivered through OSI layer 3 networking technologies. Often the border gateway protocol (BGP) is used to send and receive VPN-related data that is responsible for the control plane. L3VPN utilizes virtual routing and forwarding (VRF) techniques to receive and deliver user data as well as separate data planes of the end-users. It is built using a combination of IP- and MPLS-based information. Generally, L3VPNs are used to send data on back-end VPN infrastructures, such as for VPN connections between data centres, HQs and branches." 
+#: ../../configexamples/policy-based-ipsec-and-firewall.rst:65 +msgid "IPSec configuration:" +msgstr "IPSec configuration:" + #: ../../configexamples/inter-vrf-routing-vrf-lite.rst:82 msgid "IP Schema" msgstr "IP Schema" @@ -1009,7 +1070,7 @@ msgstr "IPv4 Network" msgid "IPv6 Network" msgstr "IPv6 Network" -#: ../../configexamples/zone-policy.rst:373 +#: ../../configexamples/zone-policy.rst:383 msgid "IPv6 Tunnel" msgstr "IPv6 Tunnel" 
@@ -1030,11 +1091,11 @@ msgstr "ISP" msgid "I chose to run OSPF as the IGP (Interior Gateway Protocol). All required BGP sessions are established via a dummy interfaces (similar to the loopback, but in Linux you can have only one loopback, while there can be many dummy interfaces) on the PE routers. In case of a link failure, traffic is diverted in the other direction in this triangle setup and BGP sessions will not go down. One could even enable BFD (Bidirectional Forwarding Detection) on the links for a faster failover and resilience in the network." msgstr "I chose to run OSPF as the IGP (Interior Gateway Protocol). All required BGP sessions are established via a dummy interfaces (similar to the loopback, but in Linux you can have only one loopback, while there can be many dummy interfaces) on the PE routers. In case of a link failure, traffic is diverted in the other direction in this triangle setup and BGP sessions will not go down. One could even enable BFD (Bidirectional Forwarding Detection) on the links for a faster failover and resilience in the network." -#: ../../configexamples/zone-policy.rst:161 +#: ../../configexamples/zone-policy.rst:171 msgid "I create/configure the interfaces first. Build out the rulesets for each zone-pair-direction which includes at least the three state rules. Then I setup the zone-policies." msgstr "I create/configure the interfaces first. Build out the rulesets for each zone-pair-direction which includes at least the three state rules. Then I setup the zone-policies." -#: ../../configexamples/zone-policy.rst:90 +#: ../../configexamples/zone-policy.rst:100 msgid "I name rule sets to indicate which zone-pair-direction they represent. eg. ZoneA-ZoneB or ZoneB-ZoneA. LAN-DMZ, DMZ-LAN." msgstr "I name rule sets to indicate which zone-pair-direction they represent. eg. ZoneA-ZoneB or ZoneB-ZoneA. LAN-DMZ, DMZ-LAN." 
@@ -1058,7 +1119,7 @@ msgstr "If we need to retrieve information about a specific host/network inside msgid "If you are following through this document, it is strongly suggested you complete the entire document, ONLY doing the virtual router1 steps, and then come back and walk through it AGAIN on the backup hardware router." msgstr "If you are following through this document, it is strongly suggested you complete the entire document, ONLY doing the virtual router1 steps, and then come back and walk through it AGAIN on the backup hardware router." -#: ../../configexamples/zone-policy.rst:375 +#: ../../configexamples/zone-policy.rst:385 msgid "If you are using a IPv6 tunnel from HE.net or someone else, the basis is the same except you have two WAN interfaces. One for v4 and one for v6." msgstr "If you are using a IPv6 tunnel from HE.net or someone else, the basis is the same except you have two WAN interfaces. One for v4 and one for v6." @@ -1066,7 +1127,7 @@ msgstr "If you are using a IPv6 tunnel from HE.net or someone else, the basis is msgid "If you use a routing protocol itself, you solve two problems at once. This is only a basic example, and is provided as a starting point." msgstr "If you use a routing protocol itself, you solve two problems at once. This is only a basic example, and is provided as a starting point." -#: ../../configexamples/zone-policy.rst:100 +#: ../../configexamples/zone-policy.rst:110 msgid "If your computer is on the LAN and you need to SSH into your VyOS box, you would need a rule to allow it in the LAN-Local ruleset. If you want to access a webpage from your VyOS box, you need a rule to allow it in the Local-LAN ruleset." msgstr "If your computer is on the LAN and you need to SSH into your VyOS box, you would need a rule to allow it in the LAN-Local ruleset. If you want to access a webpage from your VyOS box, you need a rule to allow it in the Local-LAN ruleset." 
@@ -1074,19 +1135,19 @@ msgstr "If your computer is on the LAN and you need to SSH into your VyOS box, y msgid "Image name: vyos-1.4-rolling-202110310317-amd64.iso" msgstr "Image name: vyos-1.4-rolling-202110310317-amd64.iso" -#: ../../configexamples/zone-policy.rst:93 +#: ../../configexamples/zone-policy.rst:103 msgid "In VyOS, you have to have unique Ruleset names. In the event of overlap, I add a \"-6\" to the end of v6 rulesets. eg. LAN-DMZ, LAN-DMZ-6. This allows for each auto-completion and uniqueness." msgstr "In VyOS, you have to have unique Ruleset names. In the event of overlap, I add a \"-6\" to the end of v6 rulesets. eg. LAN-DMZ, LAN-DMZ-6. This allows for each auto-completion and uniqueness." -#: ../../configexamples/zone-policy.rst:157 +#: ../../configexamples/zone-policy.rst:167 msgid "In VyOS you must have the interfaces created before you can apply it to the zone and the rulesets must be created prior to applying it to a zone-policy." msgstr "In VyOS you must have the interfaces created before you can apply it to the zone and the rulesets must be created prior to applying it to a zone-policy." -#: ../../configexamples/zone-policy.rst:8 +#: ../../configexamples/zone-policy.rst:18 msgid "In :vytask:`T2199` the syntax of the zone configuration was changed. The zone configuration moved from ``zone-policy zone `` to ``firewall zone ``." msgstr "In :vytask:`T2199` the syntax of the zone configuration was changed. The zone configuration moved from ``zone-policy zone `` to ``firewall zone ``." -#: ../../configexamples/zone-policy.rst:105 +#: ../../configexamples/zone-policy.rst:115 msgid "In rules, it is good to keep them named consistently. As the number of rules you have grows, the more consistency you have, the easier your life will be." msgstr "In rules, it is good to keep them named consistently. As the number of rules you have grows, the more consistency you have, the easier your life will be." 
@@ -1106,7 +1167,7 @@ msgstr "In the end, we will configure the traffic shaper using QoS mechanisms on msgid "In the end, you'll get a powerful instrument for monitoring the VyOS systems." msgstr "In the end, you'll get a powerful instrument for monitoring the VyOS systems." -#: ../../configexamples/zone-policy.rst:367 +#: ../../configexamples/zone-policy.rst:377 msgid "In the end, you will end up with something like this config. I took out everything but the Firewall, Interfaces, and zone-policy sections. It is long enough as is." msgstr "In the end, you will end up with something like this config. I took out everything but the Firewall, Interfaces, and zone-policy sections. It is long enough as is." @@ -1118,7 +1179,7 @@ msgstr "In this case, the hardware router has a different IP, so it would be" msgid "In this case, we'll try to make a simple lab using QoS and the general ability of the VyOS system. We recommend you to go through the main article about `QoS `_ first." msgstr "In this case, we'll try to make a simple lab using QoS and the general ability of the VyOS system. We recommend you to go through the main article about `QoS `_ first." -#: ../../configexamples/zone-policy.rst:355 +#: ../../configexamples/zone-policy.rst:365 msgid "In this case, we are setting the v6 ruleset that represents traffic sourced from the LAN, destined for the DMZ. Because the zone-policy firewall syntax is a little awkward, I keep it straight by thinking of it backwards." msgstr "In this case, we are setting the v6 ruleset that represents traffic sourced from the LAN, destined for the DMZ. Because the zone-policy firewall syntax is a little awkward, I keep it straight by thinking of it backwards." 
@@ -1138,11 +1199,11 @@ msgstr "In this example OpenVPN will be setup with a client certificate and user msgid "In this example two LAN interfaces exist in different subnets instead of one like in the previous examples:" msgstr "In this example two LAN interfaces exist in different subnets instead of one like in the previous examples:" -#: ../../configexamples/zone-policy.rst:97 +#: ../../configexamples/zone-policy.rst:107 msgid "In this example we have 4 zones. LAN, WAN, DMZ, Local. The local zone is the firewall itself." msgstr "In this example we have 4 zones. LAN, WAN, DMZ, Local. The local zone is the firewall itself." -#: ../../configexamples/zone-policy.rst:40 +#: ../../configexamples/zone-policy.rst:50 msgid "Inbound WAN connect to DMZ host." msgstr "Inbound WAN connect to DMZ host." @@ -1162,6 +1223,10 @@ msgstr "Inter-VRF Routing over VRF Lite" msgid "Inter-VRF routing is a well-known solution to address complex routing scenarios that enable -in a dynamic way- to leak routes between VRFs. Is recommended to take special consideration while designing route-targets and its application as it can minimize future interventions while creating a new VRF will automatically take the desired effect in its propagation." msgstr "Inter-VRF routing is a well-known solution to address complex routing scenarios that enable -in a dynamic way- to leak routes between VRFs. Is recommended to take special consideration while designing route-targets and its application as it can minimize future interventions while creating a new VRF will automatically take the desired effect in its propagation." +#: ../../configexamples/policy-based-ipsec-and-firewall.rst:49 +msgid "Interface and routing configuration:" +msgstr "Interface and routing configuration:" + #: ../../configexamples/ha.rst:195 msgid "Internal Network" msgstr "Internal Network" 
@@ -1171,19 +1236,19 @@ msgstr "Internal Network" msgid "Internet" msgstr "Internet" -#: ../../configexamples/zone-policy.rst:30 +#: ../../configexamples/zone-policy.rst:40 msgid "Internet - 192.168.200.100 - TCP/25" msgstr "Internet - 192.168.200.100 - TCP/25" -#: ../../configexamples/zone-policy.rst:29 +#: ../../configexamples/zone-policy.rst:39 msgid "Internet - 192.168.200.100 - TCP/443" msgstr "Internet - 192.168.200.100 - TCP/443" -#: ../../configexamples/zone-policy.rst:31 +#: ../../configexamples/zone-policy.rst:41 msgid "Internet - 192.168.200.100 - TCP/53" msgstr "Internet - 192.168.200.100 - TCP/53" -#: ../../configexamples/zone-policy.rst:28 +#: ../../configexamples/zone-policy.rst:38 msgid "Internet - 192.168.200.100 - TCP/80" msgstr "Internet - 192.168.200.100 - TCP/80" @@ -1195,11 +1260,11 @@ msgstr "It's important to note that all your existing configurations will be mig msgid "It is assumed that the routers provided by upstream are capable of acting as a default router, add that as a static route." msgstr "It is assumed that the routers provided by upstream are capable of acting as a default router, add that as a static route." -#: ../../configexamples/zone-policy.rst:130 +#: ../../configexamples/zone-policy.rst:140 msgid "It is good practice to log both accepted and denied traffic. It can save you significant headaches when trying to troubleshoot a connectivity issue." msgstr "It is good practice to log both accepted and denied traffic. It can save you significant headaches when trying to troubleshoot a connectivity issue." -#: ../../configexamples/zone-policy.rst:50 +#: ../../configexamples/zone-policy.rst:60 msgid "It will look something like this:" msgstr "It will look something like this:" 
@@ -1223,7 +1288,7 @@ msgstr "L3VPN configuration parameters table:" msgid "L3VPN for Hub-and-Spoke connectivity with VyOS" msgstr "L3VPN for Hub-and-Spoke connectivity with VyOS" -#: ../../configexamples/zone-policy.rst:382 +#: ../../configexamples/zone-policy.rst:392 msgid "LAN, WAN, DMZ, local and TUN (tunnel)" msgstr "LAN, WAN, DMZ, local and TUN (tunnel)" @@ -1259,11 +1324,11 @@ msgstr "LAN 2" msgid "LAN Configuration" msgstr "LAN Configuration" -#: ../../configexamples/zone-policy.rst:37 +#: ../../configexamples/zone-policy.rst:47 msgid "LAN and DMZ hosts have basic outbound access: Web, FTP, SSH." msgstr "LAN and DMZ hosts have basic outbound access: Web, FTP, SSH." -#: ../../configexamples/zone-policy.rst:38 +#: ../../configexamples/zone-policy.rst:48 msgid "LAN can access DMZ resources." msgstr "LAN can access DMZ resources." 
@@ -1275,6 +1340,10 @@ msgstr "Let’s check IPv4 routing and MPLS information on provider nodes (same msgid "Let’s say we have a requirement to have multiple networks." msgstr "Let’s say we have a requirement to have multiple networks." +#: ../../configexamples/policy-based-ipsec-and-firewall.rst:22 +msgid "Local subnets should be able to reach internet using source nat." +msgstr "Local subnets should be able to reach internet using source nat." + #: ../../configexamples/inter-vrf-routing-vrf-lite.rst:58 msgid "MP-BGP or MultiProtocol BGP introduces two main concepts to solve this limitation: - Route Distinguisher (RD): Is used to distinguish between different VRFs –called VPNs- inside the BGP Process. The RD is appended to each IPv4 Network that is advertised into BGP for that VPN making it a unique VPNv4 route. - Route Target (RT): This is an extended BGP community append to the VPNv4 route in the Import/Export process. When a route passes from the VRF routing table into the BGP process it will add the configured export extended community(ies) for that VPN. When that route needs to go from BGP into the VRF routing table will only pass if that given VPN import policy matches any of the appended community(ies) into that prefix." msgstr "MP-BGP or MultiProtocol BGP introduces two main concepts to solve this limitation: - Route Distinguisher (RD): Is used to distinguish between different VRFs –called VPNs- inside the BGP Process. The RD is appended to each IPv4 Network that is advertised into BGP for that VPN making it a unique VPNv4 route. - Route Target (RT): This is an extended BGP community append to the VPNv4 route in the Import/Export process. When a route passes from the VRF routing table into the BGP process it will add the configured export extended community(ies) for that VPN. When that route needs to go from BGP into the VRF routing table will only pass if that given VPN import policy matches any of the appended community(ies) into that prefix." 
@@ -1322,7 +1391,7 @@ msgstr "NAT and conntrack-sync" msgid "NMP example" msgstr "NMP example" -#: ../../configexamples/zone-policy.rst:13 +#: ../../configexamples/zone-policy.rst:23 msgid "Native IPv4 and IPv6" msgstr "Native IPv4 and IPv6" @@ -1360,6 +1429,10 @@ msgstr "Network Topology" msgid "Network Topology Diagram" msgstr "Network Topology Diagram" +#: ../../configexamples/policy-based-ipsec-and-firewall.rst:14 +msgid "Network Topology and requirements" +msgstr "Network Topology and requirements" + #: ../../configexamples/qos.rst:31 msgid "Next, we will replace only all CS4 labels on the “VyOS2” router." msgstr "Next, we will replace only all CS4 labels on the “VyOS2” router." @@ -1388,7 +1461,7 @@ msgstr "Note that router1 is a VM that runs on one of the compute nodes." msgid "Note to allow the router to receive DHCPv6 response from ISP. We need to allow packets with source port 547 (server) and destination port 546 (client)." msgstr "Note to allow the router to receive DHCPv6 response from ISP. We need to allow packets with source port 547 (server) and destination port 546 (client)." -#: ../../configexamples/zone-policy.rst:401 +#: ../../configexamples/zone-policy.rst:411 msgid "Notice, none go to WAN since WAN wouldn't have a v6 address on it." msgstr "Notice, none go to WAN since WAN wouldn't have a v6 address on it." @@ -1449,7 +1522,7 @@ msgstr "Once all routers can be safely remotely managed and the core network is msgid "Once all the required certificates and keys are installed, the remaining OpenVPN Server configuration can be carried out." msgstr "Once all the required certificates and keys are installed, the remaining OpenVPN Server configuration can be carried out." -#: ../../configexamples/zone-policy.rst:345 +#: ../../configexamples/zone-policy.rst:355 msgid "Once you have all of your rulesets built, then you need to create your zone-policy." msgstr "Once you have all of your rulesets built, then you need to create your zone-policy." 
@@ -1557,6 +1630,10 @@ msgstr "Pings will be sent to four targets for health testing (33.44.55.66, 44.5 msgid "Please note, 'autonomous-flag' and 'on-link-flag' are enabled by default, 'valid-lifetime' and 'preferred-lifetime' are set to default values of 30 days and 4 hours respectively." msgstr "Please note, 'autonomous-flag' and 'on-link-flag' are enabled by default, 'valid-lifetime' and 'preferred-lifetime' are set to default values of 30 days and 4 hours respectively." +#: ../../configexamples/policy-based-ipsec-and-firewall.rst:5 +msgid "Policy-Based Site-to-Site VPN and Firewall Configuration" +msgstr "Policy-Based Site-to-Site VPN and Firewall Configuration" + #: ../../configexamples/azure-vpn-bgp.rst:48 #: ../../configexamples/azure-vpn-dual-bgp.rst:47 msgid "Pre-shared key" @@ -1572,6 +1649,10 @@ msgstr "Prerequisites" msgid "Priorities" msgstr "Priorities" +#: ../../configexamples/policy-based-ipsec-and-firewall.rst:29 +msgid "Protect the router on 'WAN' interface, allowing only ipsec connections and ssh access from trusted ips." +msgstr "Protect the router on 'WAN' interface, allowing only ipsec connections and ssh access from trusted ips." + #: ../../configexamples/ha.rst:230 msgid "Public Network" msgstr "Public Network" @@ -1668,7 +1749,7 @@ msgstr "Router B:" msgid "Router id's must be unique." msgstr "Router id's must be unique." -#: ../../configexamples/zone-policy.rst:88 +#: ../../configexamples/zone-policy.rst:98 msgid "Ruleset are created per zone-pair-direction." msgstr "Ruleset are created per zone-pair-direction." 
@@ -1728,7 +1809,7 @@ msgstr "Similarly, to attach the firewall, you would use `set interfaces etherne msgid "Since some ISPs disconnects continuous connection for every 2~3 days, we set ``valid-lifetime`` to 2 days to allow PC for phasing out old address." msgstr "Since some ISPs disconnects continuous connection for every 2~3 days, we set ``valid-lifetime`` to 2 days to allow PC for phasing out old address." -#: ../../configexamples/zone-policy.rst:226 +#: ../../configexamples/zone-policy.rst:236 msgid "Since we have 4 zones, we need to setup the following rulesets." msgstr "Since we have 4 zones, we need to setup the following rulesets." @@ -1744,7 +1825,7 @@ msgstr "Single LAN setup where eth2 is your LAN interface. Use the Tunnelbroker msgid "So, when your LAN is eth1, your DMZ is eth2, your cameras are on eth3, etc:" msgstr "So, when your LAN is eth1, your DMZ is eth2, your cameras are on eth3, etc:" -#: ../../configexamples/zone-policy.rst:406 +#: ../../configexamples/zone-policy.rst:416 msgid "Something like:" msgstr "Something like:" 
@@ -1753,10 +1834,14 @@ msgstr "Something like:" msgid "Spoke" msgstr "Spoke" -#: ../../configexamples/zone-policy.rst:348 +#: ../../configexamples/zone-policy.rst:358 msgid "Start by setting the interface and default action for each zone." msgstr "Start by setting the interface and default action for each zone." +#: ../../configexamples/zone-policy.rst:8 +msgid "Starting from VyOS 1.4-rolling-202308040557, a new firewall structure can be found on all vyos instalations, and zone based firewall is no longer supported. Documentation for most of the new firewall CLI can be found in the `firewall `_ chapter. The legacy firewall is still available for versions before 1.4-rolling-202308040557 and can be found in the :ref:`firewall-legacy` chapter. The examples in this section use the legacy firewall configuration commands, since this feature has been removed in earlier releases." +msgstr "Starting from VyOS 1.4-rolling-202308040557, a new firewall structure can be found on all vyos instalations, and zone based firewall is no longer supported. Documentation for most of the new firewall CLI can be found in the `firewall `_ chapter. The legacy firewall is still available for versions before 1.4-rolling-202308040557 and can be found in the :ref:`firewall-legacy` chapter. The examples in this section use the legacy firewall configuration commands, since this feature has been removed in earlier releases." + #: ../../configexamples/l3vpn-hub-and-spoke.rst:105 msgid "Step-1: Configuring IGP and enabling MPLS LDP" msgstr "Step-1: Configuring IGP and enabling MPLS LDP" 
@@ -1846,7 +1931,7 @@ msgstr "The Lab asume a full running Active Directory on the Windows Server. Her msgid "The Topology are consists of:" msgstr "The Topology are consists of:" -#: ../../configexamples/zone-policy.rst:47 +#: ../../configexamples/zone-policy.rst:57 msgid "The VyOS interface is assigned the .1/:1 address of their respective networks. WAN is on VLAN 10, LAN on VLAN 20, and DMZ on VLAN 30." msgstr "The VyOS interface is assigned the .1/:1 address of their respective networks. WAN is on VLAN 10, LAN on VLAN 20, and DMZ on VLAN 30." @@ -1870,11 +1955,11 @@ msgstr "The configuration steps are the same as in the previous example, except msgid "The example topology has 2 VyOS routers. One as The WAN Router and on as a Client, to test a single LAN setup" msgstr "The example topology has 2 VyOS routers. One as The WAN Router and on as a Client, to test a single LAN setup" -#: ../../configexamples/zone-policy.rst:123 +#: ../../configexamples/zone-policy.rst:133 msgid "The first two rules are to deal with the idiosyncrasies of VyOS and iptables." msgstr "The first two rules are to deal with the idiosyncrasies of VyOS and iptables." -#: ../../configexamples/zone-policy.rst:172 +#: ../../configexamples/zone-policy.rst:182 msgid "The following are the rules that were created for this example (may not be complete), both in IPv4 and IPv6. If there is no IP specified, then the source/destination address is not explicit." msgstr "The following are the rules that were created for this example (may not be complete), both in IPv4 and IPv6. If there is no IP specified, then the source/destination address is not explicit." 
@@ -1894,7 +1979,7 @@ msgstr "The format of these addresses:" msgid "The lab I built is using a VRF (called **mgmt**) to provide out-of-band SSH access to the PE (Provider Edge) routers." msgstr "The lab I built is using a VRF (called **mgmt**) to provide out-of-band SSH access to the PE (Provider Edge) routers." -#: ../../configexamples/index.rst:29 +#: ../../configexamples/index.rst:30 msgid "The next pages contains automatic full tested configuration examples." msgstr "The next pages contains automatic full tested configuration examples." @@ -1902,7 +1987,7 @@ msgstr "The next pages contains automatic full tested configuration examples." msgid "The previous example used the failover command to send traffic through eth1 if eth0 fails. In this example, failover functionality is provided by rule order." msgstr "The previous example used the failover command to send traffic through eth1 if eth0 fails. In this example, failover functionality is provided by rule order." -#: ../../configexamples/index.rst:37 +#: ../../configexamples/index.rst:38 msgid "The process will do the following steps:" msgstr "The process will do the following steps:" @@ -1966,6 +2051,10 @@ msgstr "This accomplishes a few things:" msgid "This chapter contains various configuration examples:" msgstr "This chapter contains various configuration examples:" +#: ../../configexamples/policy-based-ipsec-and-firewall.rst:16 +msgid "This configuration example and the requirments consists on:" +msgstr "This configuration example and the requirments consists on:" + #: ../../configexamples/ha.rst:13 msgid "This document aims to walk you through setting everything up, so at a point where you can reboot any machine and not lose more than a few seconds worth of connectivity." msgstr "This document aims to walk you through setting everything up, so at a point where you can reboot any machine and not lose more than a few seconds worth of connectivity." 
@@ -1998,6 +2087,10 @@ msgstr "This guide shows an example of a redundant (active-active) route-based I msgid "This guide shows an example of a route-based IKEv2 site-to-site VPN to Azure using VTI and BGP for dynamic routing updates." msgstr "This guide shows an example of a route-based IKEv2 site-to-site VPN to Azure using VTI and BGP for dynamic routing updates." +#: ../../configexamples/policy-based-ipsec-and-firewall.rst:7 +msgid "This guide shows an example policy-based IKEv2 site-to-site VPN between two VyOS routers, and firewall configiuration." +msgstr "This guide shows an example policy-based IKEv2 site-to-site VPN between two VyOS routers, and firewall configiuration." + #: ../../configexamples/autotest/tunnelbroker/tunnelbroker.rst:10 msgid "This guide walks through the setup of https://www.tunnelbroker.net/ for an IPv6 Tunnel." msgstr "This guide walks through the setup of https://www.tunnelbroker.net/ for an IPv6 Tunnel." @@ -2010,7 +2103,7 @@ msgstr "This has a floating IP address of 10.200.201.1/24, using virtual router msgid "This has a floating IP address of 203.0.113.1/24, using virtual router ID 113. The virtual router ID is just a random number between 1 and 254, and can be set to whatever you want. Best practices suggest you try to keep them unique enterprise-wide." msgstr "This has a floating IP address of 203.0.113.1/24, using virtual router ID 113. The virtual router ID is just a random number between 1 and 254, and can be set to whatever you want. Best practices suggest you try to keep them unique enterprise-wide." -#: ../../configexamples/zone-policy.rst:248 +#: ../../configexamples/zone-policy.rst:258 msgid "This is an example of the three base rules." msgstr "This is an example of the three base rules." 
@@ -2062,7 +2155,7 @@ msgstr "Thus you can easily match it to one of the devices/networks below." msgid "To achieve this, your ISP is required to support DHCPv6-PD. If you're not sure, please contact your ISP for more information." msgstr "To achieve this, your ISP is required to support DHCPv6-PD. If you're not sure, please contact your ISP for more information." -#: ../../configexamples/zone-policy.rst:134 +#: ../../configexamples/zone-policy.rst:144 msgid "To add logging to the default rule, do:" msgstr "To add logging to the default rule, do:" @@ -2091,7 +2184,7 @@ msgstr "To reach the network, a route must be set on each VyOS host. In this str msgid "Topology" msgstr "Topology" -#: ../../configexamples/zone-policy.rst:85 +#: ../../configexamples/zone-policy.rst:95 msgid "Traffic flows from zone A to zone B. That flow is what I refer to as a zone-pair-direction. eg. A->B and B->A are two zone-pair-destinations." msgstr "Traffic flows from zone A to zone B. That flow is what I refer to as a zone-pair-direction. eg. A->B and B->A are two zone-pair-destinations." @@ -2107,6 +2200,10 @@ msgstr "Tunnelbroker.net (IPv6)" msgid "Tunnelbroker topology image" msgstr "Tunnelbroker topology image" +#: ../../configexamples/policy-based-ipsec-and-firewall.rst:18 +msgid "Two VyOS routers with public IP address." +msgstr "Two VyOS routers with public IP address." + #: ../../configexamples/wan-load-balancing.rst:105 msgid "Two rules will be created, the first rule directs traffic coming in from eth2 to eth0 and the second rule directs the traffic to eth1. If eth0 fails the first rule is bypassed and the second rule matches, directing traffic to eth1." msgstr "Two rules will be created, the first rule directs traffic coming in from eth2 to eth0 and the second rule directs the traffic to eth1. If eth0 fails the first rule is bypassed and the second rule matches, directing traffic to eth1." 
@@ -2264,7 +2361,7 @@ msgstr "VyOS-RR2:" msgid "VyOS 1.3 added initial support for VRFs (including IPv4/IPv6 static routing) and VyOS 1.4 now enables full dynamic routing protocol support for OSPF, IS-IS, and BGP for individual VRFs." msgstr "VyOS 1.3 added initial support for VRFs (including IPv4/IPv6 static routing) and VyOS 1.4 now enables full dynamic routing protocol support for OSPF, IS-IS, and BGP for individual VRFs." -#: ../../configexamples/zone-policy.rst:32 +#: ../../configexamples/zone-policy.rst:42 msgid "VyOS acts as DHCP, DNS forwarder, NAT, router and firewall." msgstr "VyOS acts as DHCP, DNS forwarder, NAT, router and firewall." @@ -2337,7 +2434,7 @@ msgstr "We explicitly exclude the primary upstream network so that BGP or OSPF t msgid "We have four hosts on the local network 172.17.1.0/24. All hosts are labeled CS0 by default. We need to replace labels on all hosts except vpc8. We will replace the labels on the nearest router “VyOS3” using the IP addresses of the sources." msgstr "We have four hosts on the local network 172.17.1.0/24. All hosts are labeled CS0 by default. We need to replace labels on all hosts except vpc8. We will replace the labels on the nearest router “VyOS3” using the IP addresses of the sources." -#: ../../configexamples/zone-policy.rst:15 +#: ../../configexamples/zone-policy.rst:25 msgid "We have three networks." msgstr "We have three networks." 
@@ -2437,11 +2534,11 @@ msgstr "You should now be able to ping something by IPv6 DNS name:" msgid "You should now be able to see the advertised network on the other host." msgstr "You should now be able to see the advertised network on the other host." -#: ../../configexamples/zone-policy.rst:378 +#: ../../configexamples/zone-policy.rst:388 msgid "You would have 5 zones instead of just 4 and you would configure your v6 ruleset between your tunnel interface and your LAN/DMZ zones instead of to the WAN." msgstr "You would have 5 zones instead of just 4 and you would configure your v6 ruleset between your tunnel interface and your LAN/DMZ zones instead of to the WAN." -#: ../../configexamples/zone-policy.rst:403 +#: ../../configexamples/zone-policy.rst:413 msgid "You would have to add a couple of rules on your wan-local ruleset to allow protocol 41 in." msgstr "You would have to add a couple of rules on your wan-local ruleset to allow protocol 41 in." 
@@ -2449,15 +2546,15 @@ msgstr "You would have to add a couple of rules on your wan-local ruleset to all msgid "Zone-Policy example" msgstr "Zone-Policy example" -#: ../../configexamples/zone-policy.rst:79 +#: ../../configexamples/zone-policy.rst:89 msgid "Zones Basics" msgstr "Zones Basics" -#: ../../configexamples/zone-policy.rst:126 +#: ../../configexamples/zone-policy.rst:136 msgid "Zones and Rulesets both have a default action statement. When using Zone-Policies, the default action is set by the zone-policy statement and is represented by rule 10000." msgstr "Zones and Rulesets both have a default action statement. When using Zone-Policies, the default action is set by the zone-policy statement and is represented by rule 10000." -#: ../../configexamples/zone-policy.rst:165 +#: ../../configexamples/zone-policy.rst:175 msgid "Zones do not allow for a default action of accept; either drop or reject. It is important to remember this because if you apply an interface to a zone and commit, any active connections will be dropped. Specifically, if you are SSH’d into VyOS and add local or the interface you are connecting through to a zone and do not have rulesets in place to allow SSH and established sessions, you will not be able to connect." msgstr "Zones do not allow for a default action of accept; either drop or reject. It is important to remember this because if you apply an interface to a zone and commit, any active connections will be dropped. Specifically, if you are SSH’d into VyOS and add local or the interface you are connecting through to a zone and do not have rulesets in place to allow SSH and established sessions, you will not be able to connect." 
@@ -2526,15 +2623,15 @@ msgstr "compute3 - Port 11 of each switch" msgid "compute3 (VMware ESXi 6.5)" msgstr "compute3 (VMware ESXi 6.5)" -#: ../../configexamples/index.rst:40 +#: ../../configexamples/index.rst:41 msgid "configure each host in the lab" msgstr "configure each host in the lab" -#: ../../configexamples/index.rst:39 +#: ../../configexamples/index.rst:40 msgid "create the lab on a eve-ng server" msgstr "create the lab on a eve-ng server" -#: ../../configexamples/index.rst:41 +#: ../../configexamples/index.rst:42 msgid "do some defined tests" msgstr "do some defined tests" @@ -2555,7 +2652,7 @@ msgstr "extended community and remote label of specific destination" msgid "first the PCA" msgstr "first the PCA" -#: ../../configexamples/index.rst:43 +#: ../../configexamples/index.rst:44 msgid "generate the documentation and include files" msgstr "generate the documentation and include files" @@ -2567,7 +2664,7 @@ msgstr "green uses local routing table id and VNI 4000" msgid "information between PE and CE:" msgstr "information between PE and CE:" -#: ../../configexamples/index.rst:42 +#: ../../configexamples/index.rst:43 msgid "optional do an upgrade to a higher version and do step 3 again." msgstr "optional do an upgrade to a higher version and do step 3 again." @@ -2583,7 +2680,7 @@ msgstr "router2 (Random 1RU machine with 4 NICs)" msgid "save the output to a file and import it in nearly all openvpn clients." msgstr "save the output to a file and import it in nearly all openvpn clients." -#: ../../configexamples/index.rst:44 +#: ../../configexamples/index.rst:45 msgid "shutdown and destroy the lab, if there is no error" msgstr "shutdown and destroy the lab, if there is no error" @@ -2599,7 +2696,7 @@ msgstr "switch1 (Nexus 10gb Switch)" msgid "switch2 (Nexus 10gb Switch)" msgstr "switch2 (Nexus 10gb Switch)" -#: ../../configexamples/zone-policy.rst:384 +#: ../../configexamples/zone-policy.rst:394 msgid "v6 pairs would be:" msgstr "v6 pairs would be:" 
diff --git a/docs/_locale/de/configuration.pot b/docs/_locale/de/configuration.pot index 4e898103..ae73e71e 100644 --- a/docs/_locale/de/configuration.pot +++ b/docs/_locale/de/configuration.pot @@ -193,6 +193,10 @@ msgstr "**IPv6 (DSCP value, maximum payload length, protocol, source address,** msgid "**If you are looking for a policy for your outbound traffic** but you don't know which one you need and you don't want to go through every possible policy shown here, **our bet is that highly likely you are looking for a** Shaper_ **policy and you want to** :ref:`set its queues ` **as FQ-CoDel**." msgstr "**If you are looking for a policy for your outbound traffic** but you don't know which one you need and you don't want to go through every possible policy shown here, **our bet is that highly likely you are looking for a** Shaper_ **policy and you want to** :ref:`set its queues ` **as FQ-CoDel**." +#: ../../configuration/firewall/general-legacy.rst:9 +msgid "**Important note:** This documentation is valid only for VyOS Sagitta prior to 1.4-rolling-202308040557" +msgstr "**Important note:** This documentation is valid only for VyOS Sagitta prior to 1.4-rolling-202308040557" + #: ../../configuration/firewall/general-legacy.rst:9 msgid "**Important note:** This documentation is valid only for VyOS Sagitta prior to 1.4-rolling-YYYYMMDDHHmm" msgstr "**Wichtiger Hinweis: ** Diese Dokumentation ist nur für VyOS Sagitta vor 1.4-Rolling-YYYYMMDDHHMM gültig" 
@@ -1340,7 +1344,7 @@ msgstr "A Bridge is a way to connect two Ethernet segments together in a protoco msgid "A GRE tunnel operates at layer 3 of the OSI model and is represented by IP protocol 47. The main benefit of a GRE tunnel is that you are able to carry multiple protocols inside the same tunnel. GRE also supports multicast traffic and supports routing protocols that leverage multicast to form neighbor adjacencies." msgstr "A GRE tunnel operates at layer 3 of the OSI model and is represented by IP protocol 47. The main benefit of a GRE tunnel is that you are able to carry multiple protocols inside the same tunnel. GRE also supports multicast traffic and supports routing protocols that leverage multicast to form neighbor adjacencies." -#: ../../configuration/firewall/general-legacy.rst:746 +#: ../../configuration/firewall/general-legacy.rst:749 msgid "A Rule-Set can be applied to every interface:" msgstr "A Rule-Set can be applied to every interface:" 
@@ -1368,7 +1372,7 @@ msgstr "A :abbr:`NIS (Network Information Service)` domain can be set to be used msgid "A basic configuration requires a tunnel source (source-address), a tunnel destination (remote), an encapsulation type (gre), and an address (ipv4/ipv6). Below is a basic IPv4 only configuration example taken from a VyOS router and a Cisco IOS router. The main difference between these two configurations is that VyOS requires you explicitly configure the encapsulation type. The Cisco router defaults to GRE IP otherwise it would have to be configured as well." msgstr "A basic configuration requires a tunnel source (source-address), a tunnel destination (remote), an encapsulation type (gre), and an address (ipv4/ipv6). Below is a basic IPv4 only configuration example taken from a VyOS router and a Cisco IOS router. The main difference between these two configurations is that VyOS requires you explicitly configure the encapsulation type. The Cisco router defaults to GRE IP otherwise it would have to be configured as well." -#: ../../configuration/firewall/zone.rst:44 +#: ../../configuration/firewall/zone.rst:54 msgid "A basic introduction to zone-based firewalls can be found `here `_, and an example at :ref:`examples-zone-policy`." msgstr "A basic introduction to zone-based firewalls can be found `here `_, and an example at :ref:`examples-zone-policy`." 
@@ -1385,7 +1389,7 @@ msgstr "A class can have multiple match filters:" msgid "A common example is the case of some policies which, in order to be effective, they need to be applied to an interface that is directly connected where the bottleneck is. If your router is not directly connected to the bottleneck, but some hop before it, you can emulate the bottleneck by embedding your non-shaping policy into a classful shaping one so that it takes effect." msgstr "A common example is the case of some policies which, in order to be effective, they need to be applied to an interface that is directly connected where the bottleneck is. If your router is not directly connected to the bottleneck, but some hop before it, you can emulate the bottleneck by embedding your non-shaping policy into a classful shaping one so that it takes effect." -#: ../../configuration/interfaces/openvpn.rst:486 +#: ../../configuration/interfaces/openvpn.rst:538 msgid "A complete LDAP auth OpenVPN configuration could look like the following example:" msgstr "A complete LDAP auth OpenVPN configuration could look like the following example:" @@ -1478,7 +1482,7 @@ msgid "A pool of addresses can be defined by using a hyphen between two IP addre msgstr "A pool of addresses can be defined by using a hyphen between two IP addresses:" #: ../../configuration/firewall/general.rst:766 -#: ../../configuration/firewall/general-legacy.rst:503 +#: ../../configuration/firewall/general-legacy.rst:506 msgid "A port can be set with a port number or a name which is here defined: ``/etc/services``." msgstr "A port can be set with a port number or a name which is here defined: ``/etc/services``." 
@@ -1584,7 +1588,7 @@ msgstr "A value of 0 disables ARP monitoring. The default value is 0." msgid "A very small buffer will soon start dropping packets." msgstr "A very small buffer will soon start dropping packets." -#: ../../configuration/firewall/zone.rst:23 +#: ../../configuration/firewall/zone.rst:33 msgid "A zone must be configured before an interface is assigned to it and an interface can be assigned to only a single zone." msgstr "A zone must be configured before an interface is assigned to it and an interface can be assigned to only a single zone." @@ -1713,7 +1717,7 @@ msgstr "Additional global parameters are set, including the maximum number conne msgid "Additional option to run TFTP server in the :abbr:`VRF (Virtual Routing and Forwarding)` context" msgstr "Additional option to run TFTP server in the :abbr:`VRF (Virtual Routing and Forwarding)` context" -#: ../../configuration/interfaces/openvpn.rst:363 +#: ../../configuration/interfaces/openvpn.rst:415 msgid "Additionally, each client needs a copy of ca cert and its own client key and cert files. The files are plaintext so they may be copied either manually from the CLI. Client key and cert files should be signed with the proper ca cert and generated on the server side." msgstr "Additionally, each client needs a copy of ca cert and its own client key and cert files. The files are plaintext so they may be copied either manually from the CLI. Client key and cert files should be signed with the proper ca cert and generated on the server side." 
@@ -1782,7 +1786,7 @@ msgstr "Advertising a Prefix" msgid "After commit the plaintext passwords will be hashed and stored in your configuration. The resulting CLI config will look like:" msgstr "After commit the plaintext passwords will be hashed and stored in your configuration. The resulting CLI config will look like:" -#: ../../configuration/vrf/index.rst:287 +#: ../../configuration/vrf/index.rst:323 msgid "After committing the configuration we can verify all leaked routes are installed, and try to ICMP ping PC1 from PC3." msgstr "After committing the configuration we can verify all leaked routes are installed, and try to ICMP ping PC1 from PC3." @@ -1854,11 +1858,11 @@ msgstr "All these rules with OTC will help to detect and mitigate route leaks an msgid "All those protocols are grouped under ``interfaces tunnel`` in VyOS. Let's take a closer look at the protocols and options currently supported by VyOS." msgstr "All those protocols are grouped under ``interfaces tunnel`` in VyOS. Let's take a closer look at the protocols and options currently supported by VyOS." -#: ../../configuration/firewall/zone.rst:26 +#: ../../configuration/firewall/zone.rst:36 msgid "All traffic between zones is affected by existing policies" msgstr "All traffic between zones is affected by existing policies" -#: ../../configuration/firewall/zone.rst:25 +#: ../../configuration/firewall/zone.rst:35 msgid "All traffic to and from an interface within a zone is permitted." msgstr "All traffic to and from an interface within a zone is permitted." 
@@ -1895,7 +1899,7 @@ msgid "Allow this BFD peer to not be directly connected" msgstr "Allow this BFD peer to not be directly connected" #: ../../configuration/firewall/general.rst:1142 -#: ../../configuration/firewall/general-legacy.rst:691 +#: ../../configuration/firewall/general-legacy.rst:694 msgid "Allowed values fpr TCP flags: ``SYN``, ``ACK``, ``FIN``, ``RST``, ``URG``, ``PSH``, ``ALL`` When specifying more than one flag, flags should be comma separated. The ``!`` negate the selected protocol." msgstr "Allowed values fpr TCP flags: ``SYN``, ``ACK``, ``FIN``, ``RST``, ``URG``, ``PSH``, ``ALL`` When specifying more than one flag, flags should be comma separated. The ``!`` negate the selected protocol." 
@@ -1999,6 +2003,10 @@ msgstr "An alternate command could be \"mpls-te on\" (Traffic Engineering)" msgid "An arbitrary netmask can be applied to mask addresses to only match against a specific portion. This is particularly useful with IPv6 and a zone-based firewall as rules will remain valid if the IPv6 prefix changes and the host portion of systems IPv6 address is static (for example, with SLAAC or `tokenised IPv6 addresses `_)" msgstr "An arbitrary netmask can be applied to mask addresses to only match against a specific portion. This is particularly useful with IPv6 and a zone-based firewall as rules will remain valid if the IPv6 prefix changes and the host portion of systems IPv6 address is static (for example, with SLAAC or `tokenised IPv6 addresses `_)" +#: ../../configuration/firewall/general-legacy.rst:424 +msgid "An arbitrary netmask can be applied to mask addresses to only match against a specific portion. This is particularly useful with IPv6 and a zone-based firewall as rules will remain valid if the IPv6 prefix changes and the host portion of systems IPv6 address is static (for example, with SLAAC or `tokenised IPv6 addresses `_)." +msgstr "An arbitrary netmask can be applied to mask addresses to only match against a specific portion. This is particularly useful with IPv6 and a zone-based firewall as rules will remain valid if the IPv6 prefix changes and the host portion of systems IPv6 address is static (for example, with SLAAC or `tokenised IPv6 addresses `_)." + #: ../../configuration/firewall/general.rst:624 msgid "An arbitrary netmask can be applied to mask addresses to only match against a specific portion. This is particularly useful with IPv6 as rules will remain valid if the IPv6 prefix changes and the host portion of systems IPv6 address is static (for example, with SLAAC or `tokenised IPv6 addresses `_)" msgstr "An arbitrary netmask can be applied to mask addresses to only match against a specific portion. 
This is particularly useful with IPv6 as rules will remain valid if the IPv6 prefix changes and the host portion of systems IPv6 address is static (for example, with SLAAC or `tokenised IPv6 addresses `_)" @@ -2074,11 +2082,11 @@ msgstr "Apply a route-map filter to routes for the specified protocol. The follo msgid "Apply routing policy to **inbound** direction of out VLAN interfaces" msgstr "Apply routing policy to **inbound** direction of out VLAN interfaces" -#: ../../configuration/firewall/zone.rst:72 +#: ../../configuration/firewall/zone.rst:82 msgid "Applying a Rule-Set to a Zone" msgstr "Applying a Rule-Set to a Zone" -#: ../../configuration/firewall/general-legacy.rst:744 +#: ../../configuration/firewall/general-legacy.rst:747 msgid "Applying a Rule-Set to an Interface" msgstr "Applying a Rule-Set to an Interface" 
@@ -2173,11 +2181,11 @@ msgstr "As VyOS makes use of the QMI interface to connect to the WWAN modem card msgid "As a reference: for 10mbit/s on Intel, you might need at least 10kbyte buffer if you want to reach your configured rate." msgstr "As a reference: for 10mbit/s on Intel, you might need at least 10kbyte buffer if you want to reach your configured rate." -#: ../../configuration/interfaces/openvpn.rst:614 +#: ../../configuration/interfaces/openvpn.rst:666 msgid "As a result, the processing of each packet becomes more efficient, potentially leveraging hardware encryption offloading support available in the kernel." msgstr "As a result, the processing of each packet becomes more efficient, potentially leveraging hardware encryption offloading support available in the kernel." -#: ../../configuration/firewall/zone.rst:39 +#: ../../configuration/firewall/zone.rst:49 msgid "As an alternative to applying policy to an interface directly, a zone-based firewall can be created to simplify configuration when multiple interfaces belong to the same security zone. Instead of applying rule-sets to interfaces, they are applied to source zone-destination zone pairs." msgstr "As an alternative to applying policy to an interface directly, a zone-based firewall can be created to simplify configuration when multiple interfaces belong to the same security zone. Instead of applying rule-sets to interfaces, they are applied to source zone-destination zone pairs." 
@@ -2189,6 +2197,10 @@ msgstr "As more and more routers run on Hypervisors, expecially with a :abbr:`NO msgid "As network address translation modifies the IP address information in packets, NAT implementations may vary in their specific behavior in various addressing cases and their effect on network traffic. The specifics of NAT behavior are not commonly documented by vendors of equipment containing NAT implementations." msgstr "As network address translation modifies the IP address information in packets, NAT implementations may vary in their specific behavior in various addressing cases and their effect on network traffic. The specifics of NAT behavior are not commonly documented by vendors of equipment containing NAT implementations." +#: ../../configuration/interfaces/openvpn.rst:48 +msgid "As of VyOS 1.4, OpenVPN site-to-site mode can use either pre-shared keys or x.509 certificates." +msgstr "As of VyOS 1.4, OpenVPN site-to-site mode can use either pre-shared keys or x.509 certificates." + #: ../../configuration/vpn/pptp.rst:10 msgid "As per default and if not otherwise defined, mschap-v2 is being used for authentication and mppe 128-bit (stateless) for encryption. If no gateway-address is set within the configuration, the lowest IP out of the /24 client-ip-pool is being used. For instance, in the example below it would be 192.168.0.1." msgstr "As per default and if not otherwise defined, mschap-v2 is being used for authentication and mppe 128-bit (stateless) for encryption. If no gateway-address is set within the configuration, the lowest IP out of the /24 client-ip-pool is being used. For instance, in the example below it would be 192.168.0.1." 
@@ -2229,7 +2241,7 @@ msgstr "As with other policies, you can embed_ other policies into the classes ( msgid "As you can see, Leaf2 and Leaf3 configuration is almost identical. There are lots of commands above, I'll try to into more detail below, command descriptions are placed under the command boxes:" msgstr "As you can see, Leaf2 and Leaf3 configuration is almost identical. There are lots of commands above, I'll try to into more detail below, command descriptions are placed under the command boxes:" -#: ../../configuration/firewall/general-legacy.rst:767 +#: ../../configuration/firewall/general-legacy.rst:770 msgid "As you can see in the example here, you can assign the same rule-set to several interfaces. An interface can only have one rule-set per chain." msgstr "As you can see in the example here, you can assign the same rule-set to several interfaces. An interface can only have one rule-set per chain." @@ -2322,7 +2334,7 @@ msgid "At every round, the deficit counter adds the quantum so that even large p msgstr "At every round, the deficit counter adds the quantum so that even large packets will have their opportunity to be dequeued." #: ../../configuration/firewall/general.rst:1451 -#: ../../configuration/firewall/general-legacy.rst:969 +#: ../../configuration/firewall/general-legacy.rst:972 msgid "At the moment it not possible to look at the whole firewall log with VyOS operational commands. All logs will save to ``/var/logs/messages``. For example: ``grep '10.10.0.10' /var/log/messages``" msgstr "At the moment it not possible to look at the whole firewall log with VyOS operational commands. All logs will save to ``/var/logs/messages``. For example: ``grep '10.10.0.10' /var/log/messages``" 
@@ -2358,7 +2370,7 @@ msgstr "Authentication application client-secret." msgid "Authentication application tenant-id" msgstr "Authentication application tenant-id" -#: ../../configuration/interfaces/openvpn.rst:397 +#: ../../configuration/interfaces/openvpn.rst:449 msgid "Authentication is done by using the ``openvpn-auth-ldap.so`` plugin which is shipped with every VyOS installation. A dedicated configuration file is required. It is best practise to store it in ``/config`` to survive image updates" msgstr "Authentication is done by using the ``openvpn-auth-ldap.so`` plugin which is shipped with every VyOS installation. A dedicated configuration file is required. It is best practise to store it in ``/config`` to survive image updates" 
@@ -2474,7 +2486,7 @@ msgstr "BGP roles are defined in RFC :rfc:`9234` and provide an easy way to add msgid "BGP routers connected inside the same AS through BGP belong to an internal BGP session, or IBGP. In order to prevent routing table loops, IBGP speaker does not advertise IBGP-learned routes to other IBGP speaker (Split Horizon mechanism). As such, IBGP requires a full mesh of all peers. For large networks, this quickly becomes unscalable." msgstr "BGP routers connected inside the same AS through BGP belong to an internal BGP session, or IBGP. In order to prevent routing table loops, IBGP speaker does not advertise IBGP-learned routes to other IBGP speaker (Split Horizon mechanism). As such, IBGP requires a full mesh of all peers. For large networks, this quickly becomes unscalable." -#: ../../configuration/vrf/index.rst:375 +#: ../../configuration/vrf/index.rst:411 msgid "BGP routes may be leaked (i.e. copied) between a unicast VRF RIB and the VPN SAFI RIB of the default VRF for use in MPLS-based L3VPNs. Unicast routes may also be leaked between any VRFs (including the unicast RIB of the default BGP instance). A shortcut syntax is also available for specifying leaking from one VRF to another VRF using the default instance’s VPN RIB as the intemediary . A common application of the VRF-VRF feature is to connect a customer’s private routing domain to a provider’s VPN service. Leaking is configured from the point of view of an individual VRF: import refers to routes leaked from VPN to a unicast VRF, whereas export refers to routes leaked from a unicast VRF to VPN." msgstr "BGP routes may be leaked (i.e. copied) between a unicast VRF RIB and the VPN SAFI RIB of the default VRF for use in MPLS-based L3VPNs. Unicast routes may also be leaked between any VRFs (including the unicast RIB of the default BGP instance). A shortcut syntax is also available for specifying leaking from one VRF to another VRF using the default instance’s VPN RIB as the intemediary . 
A common application of the VRF-VRF feature is to connect a customer’s private routing domain to a provider’s VPN service. Leaking is configured from the point of view of an individual VRF: import refers to routes leaked from VPN to a unicast VRF, whereas export refers to routes leaked from a unicast VRF to VPN." @@ -2575,7 +2587,7 @@ msgstr "Because existing sessions do not automatically fail over to a new path, msgid "Before enabling any hardware segmentation offload a corresponding software offload is required in GSO. Otherwise it becomes possible for a frame to be re-routed between devices and end up being unable to be transmitted." msgstr "Before enabling any hardware segmentation offload a corresponding software offload is required in GSO. Otherwise it becomes possible for a frame to be re-routed between devices and end up being unable to be transmitted." -#: ../../configuration/firewall/zone.rst:74 +#: ../../configuration/firewall/zone.rst:84 msgid "Before you are able to apply a rule-set to a zone you have to create the zones first." msgstr "Before you are able to apply a rule-set to a zone you have to create the zones first." @@ -2678,7 +2690,7 @@ msgstr "Both local administered and remote administered :abbr:`RADIUS (Remote Au msgid "Both replies and requests type gratuitous arp will trigger the ARP table to be updated, if this setting is on." msgstr "Both replies and requests type gratuitous arp will trigger the ARP table to be updated, if this setting is on." -#: ../../configuration/interfaces/openvpn.rst:376 +#: ../../configuration/interfaces/openvpn.rst:428 msgid "Branch 1's router might have the following lines:" msgstr "Branch 1's router might have the following lines:" 
@@ -2820,7 +2832,7 @@ msgstr "Certificates" msgid "Change system keyboard layout to given language." msgstr "Change system keyboard layout to given language." -#: ../../configuration/firewall/zone.rst:65 +#: ../../configuration/firewall/zone.rst:75 msgid "Change the default-action with this setting." msgstr "Change the default-action with this setting." @@ -2844,7 +2856,7 @@ msgstr "Channel number (IEEE 802.11), for 2.4Ghz (802.11 b/g/n) channels range f msgid "Check if the Intel® QAT device is up and ready to do the job." msgstr "Check if the Intel® QAT device is up and ready to do the job." -#: ../../configuration/interfaces/openvpn.rst:654 +#: ../../configuration/interfaces/openvpn.rst:706 msgid "Check status" msgstr "Check status" @@ -2907,7 +2919,7 @@ msgstr "Classless static route" msgid "Clear all BGP extcommunities." msgstr "Clear all BGP extcommunities." -#: ../../configuration/interfaces/openvpn.rst:519 +#: ../../configuration/interfaces/openvpn.rst:571 msgid "Client" msgstr "Client" @@ -2927,7 +2939,7 @@ msgstr "Client Authentication" msgid "Client IP addresses will be provided from pool `192.0.2.0/25`" msgstr "Client IP addresses will be provided from pool `192.0.2.0/25`" -#: ../../configuration/interfaces/openvpn.rst:562 +#: ../../configuration/interfaces/openvpn.rst:614 msgid "Client Side" msgstr "Client Side" @@ -2947,7 +2959,7 @@ msgstr "Client domain search" msgid "Client isolation can be used to prevent low-level bridging of frames between associated stations in the BSS." msgstr "Client isolation can be used to prevent low-level bridging of frames between associated stations in the BSS." -#: ../../configuration/interfaces/openvpn.rst:347 +#: ../../configuration/interfaces/openvpn.rst:399 msgid "Clients are identified by the CN field of their x.509 certificates, in this example the CN is ``client0``:" msgstr "Clients are identified by the CN field of their x.509 certificates, in this example the CN is ``client0``:" 
@@ -2972,7 +2984,7 @@ msgid "Command should probably be extended to list also the real interfaces assi msgstr "Command should probably be extended to list also the real interfaces assigned to this one VRF to get a better overview." #: ../../configuration/firewall/general.rst:1506 -#: ../../configuration/firewall/general-legacy.rst:1051 +#: ../../configuration/firewall/general-legacy.rst:1054 msgid "Command used to update GeoIP database and firewall sets." msgstr "Command used to update GeoIP database and firewall sets." @@ -3012,7 +3024,7 @@ msgid "Confidentiality – Encryption of packets to prevent snooping by an unaut msgstr "Confidentiality – Encryption of packets to prevent snooping by an unauthorized source." #: ../../configuration/container/index.rst:12 -#: ../../configuration/firewall/zone.rst:37 +#: ../../configuration/firewall/zone.rst:47 #: ../../configuration/interfaces/bonding.rst:17 #: ../../configuration/interfaces/bridge.rst:21 #: ../../configuration/interfaces/dummy.rst:28 @@ -3021,7 +3033,6 @@ msgstr "Confidentiality – Encryption of packets to prevent snooping by an unau #: ../../configuration/interfaces/l2tpv3.rst:31 #: ../../configuration/interfaces/loopback.rst:26 #: ../../configuration/interfaces/macsec.rst:20 -#: ../../configuration/interfaces/openvpn.rst:533 #: ../../configuration/interfaces/pppoe.rst:59 #: ../../configuration/interfaces/pseudo-ethernet.rst:45 #: ../../configuration/interfaces/sstp-client.rst:20 @@ -3078,7 +3089,8 @@ msgstr "Confidentiality – Encryption of packets to prevent snooping by an unau #: ../../configuration/vpn/sstp.rst:65 #: ../../configuration/vrf/index.rst:16 #: ../../configuration/vrf/index.rst:253 -#: ../../configuration/vrf/index.rst:398 +#: ../../configuration/vrf/index.rst:286 +#: ../../configuration/vrf/index.rst:434 msgid "Configuration" msgstr "Configuration" 
@@ -3111,7 +3123,7 @@ msgstr "Configuration commands for the private and public key will be displayed msgid "Configuration commands will display. Note the command with the public key (set pki key-pair ipsec-LEFT public key 'MIIBIjANBgkqh...'). Then do the same on the opposite router:" msgstr "Configuration commands will display. Note the command with the public key (set pki key-pair ipsec-LEFT public key 'MIIBIjANBgkqh...'). Then do the same on the opposite router:" -#: ../../configuration/vrf/index.rst:392 +#: ../../configuration/vrf/index.rst:428 msgid "Configuration for these exported routes must, at a minimum, specify these two parameters." msgstr "Configuration for these exported routes must, at a minimum, specify these two parameters." @@ -3123,7 +3135,7 @@ msgstr "Configuration of :ref:`routing-static`" msgid "Configuration of a DHCP failover pair" msgstr "Configuration of a DHCP failover pair" -#: ../../configuration/vrf/index.rst:400 +#: ../../configuration/vrf/index.rst:436 msgid "Configuration of route leaking between a unicast VRF RIB and the VPN SAFI RIB of the default VRF is accomplished via commands in the context of a VRF address-family." msgstr "Configuration of route leaking between a unicast VRF RIB and the VPN SAFI RIB of the default VRF is accomplished via commands in the context of a VRF address-family." 
@@ -3744,11 +3756,11 @@ msgstr "Custom health-check script allows checking real-server availability" msgid "Customized ignore rules, based on a packet and flow selector." msgstr "Customized ignore rules, based on a packet and flow selector." -#: ../../configuration/interfaces/openvpn.rst:633 +#: ../../configuration/interfaces/openvpn.rst:685 msgid "DCO can be enabled for both new and existing tunnels,VyOS adds an option in each tunnel configuration where we can enable this function .The current best practice is to create a new tunnel with DCO to minimize the chance of problems with existing clients." msgstr "DCO can be enabled for both new and existing tunnels,VyOS adds an option in each tunnel configuration where we can enable this function .The current best practice is to create a new tunnel with DCO to minimize the chance of problems with existing clients." -#: ../../configuration/interfaces/openvpn.rst:629 +#: ../../configuration/interfaces/openvpn.rst:681 msgid "DCO support is a per-tunnel option and it is not automatically enabled by default for new or upgraded tunnels. Existing tunnels will continue to function as they have in the past." msgstr "DCO support is a per-tunnel option and it is not automatically enabled by default for new or upgraded tunnels. Existing tunnels will continue to function as they have in the past." 
@@ -3864,7 +3876,7 @@ msgid "DSSS/CCK Mode in 40 MHz, this sets ``[DSSS_CCK-40]``" msgstr "DSSS/CCK Mode in 40 MHz, this sets ``[DSSS_CCK-40]``" #: ../../configuration/firewall/general.rst:719 -#: ../../configuration/firewall/general-legacy.rst:477 +#: ../../configuration/firewall/general-legacy.rst:480 msgid "Data is provided by DB-IP.com under CC-BY-4.0 license. Attribution required, permits redistribution so we can include a database in images(~3MB compressed). Includes cron script (manually callable by op-mode update geoip) to keep database and rules updated." msgstr "Data is provided by DB-IP.com under CC-BY-4.0 license. Attribution required, permits redistribution so we can include a database in images(~3MB compressed). Includes cron script (manually callable by op-mode update geoip) to keep database and rules updated." @@ -3992,7 +4004,7 @@ msgstr "Define a IPv4 or IPv6 Network group." msgid "Define a IPv4 or a IPv6 address group" msgstr "Define a IPv4 or a IPv6 address group" -#: ../../configuration/firewall/zone.rst:49 +#: ../../configuration/firewall/zone.rst:59 msgid "Define a Zone" msgstr "Define a Zone" @@ -4139,7 +4151,7 @@ msgstr "Define number of packets to queue inside the kernel before sending them msgid "Define the time interval to update the local cache" msgstr "Define the time interval to update the local cache" -#: ../../configuration/firewall/zone.rst:60 +#: ../../configuration/firewall/zone.rst:70 msgid "Define the zone as a local zone. A local zone has no interfaces and will be applied to the router itself." msgstr "Define the zone as a local zone. A local zone has no interfaces and will be applied to the router itself." 
@@ -4231,7 +4243,7 @@ msgstr "Description" msgid "Despite the Drop-Tail policy does not slow down packets, if many packets are to be sent, they could get dropped when trying to get enqueued at the tail. This can happen if the queue has still not been able to release enough packets from its head." msgstr "Despite the Drop-Tail policy does not slow down packets, if many packets are to be sent, they could get dropped when trying to get enqueued at the tail. This can happen if the queue has still not been able to release enough packets from its head." -#: ../../configuration/interfaces/openvpn.rst:433 +#: ../../configuration/interfaces/openvpn.rst:485 msgid "Despite the fact that AD is a superset of LDAP" msgstr "Despite the fact that AD is a superset of LDAP" @@ -4355,7 +4367,7 @@ msgstr "Disable this service." msgid "Disable transmit of LLDP frames on given ``. Useful to exclude certain interfaces from LLDP when ``all`` have been enabled." msgstr "Disable transmit of LLDP frames on given ``. Useful to exclude certain interfaces from LLDP when ``all`` have been enabled." -#: ../../configuration/interfaces/openvpn.rst:643 +#: ../../configuration/interfaces/openvpn.rst:695 msgid "Disabled by default - no kernel module loaded." msgstr "Disabled by default - no kernel module loaded." @@ -4809,7 +4821,7 @@ msgstr "Enable OSPF with route redistribution of the loopback and default origin msgid "Enable OTP 2FA for user `username` with default settings, using the BASE32 encoded 2FA/MFA key specified by ``." msgstr "Enable OTP 2FA for user `username` with default settings, using the BASE32 encoded 2FA/MFA key specified by ``." -#: ../../configuration/interfaces/openvpn.rst:640 +#: ../../configuration/interfaces/openvpn.rst:692 msgid "Enable OpenVPN Data Channel Offload feature by loading the appropriate kernel module." msgstr "Enable OpenVPN Data Channel Offload feature by loading the appropriate kernel module." 
@@ -4920,7 +4932,7 @@ msgstr "Enable spanning tree protocol. STP is disabled by default." msgid "Enable the Opaque-LSA capability (rfc2370), necessary to transport label on IGP" msgstr "Enable the Opaque-LSA capability (rfc2370), necessary to transport label on IGP" -#: ../../configuration/interfaces/openvpn.rst:645 +#: ../../configuration/interfaces/openvpn.rst:697 msgid "Enable this feature causes an interface reset." msgstr "Enable this feature causes an interface reset." @@ -4936,7 +4948,7 @@ msgstr "Enabled on-demand PPPoE connections bring up the link only when traffic msgid "Enables Cisco style authentication on NHRP packets. This embeds the secret plaintext password to the outgoing NHRP packets. Incoming NHRP packets on this interface are discarded unless the secret password is present. Maximum length of the secret is 8 characters." msgstr "Enables Cisco style authentication on NHRP packets. This embeds the secret plaintext password to the outgoing NHRP packets. Incoming NHRP packets on this interface are discarded unless the secret password is present. Maximum length of the secret is 8 characters." -#: ../../configuration/vrf/index.rst:423 +#: ../../configuration/vrf/index.rst:459 msgid "Enables an MPLS label to be attached to a route exported from the current unicast VRF to VPN. If the value specified is auto, the label value is automatically assigned from a pool maintained." msgstr "Enables an MPLS label to be attached to a route exported from the current unicast VRF to VPN. If the value specified is auto, the label value is automatically assigned from a pool maintained." 
@@ -4944,7 +4956,7 @@ msgstr "Enables an MPLS label to be attached to a route exported from the curren msgid "Enables bandwidth shaping via RADIUS." msgstr "Enables bandwidth shaping via RADIUS." -#: ../../configuration/vrf/index.rst:445 +#: ../../configuration/vrf/index.rst:481 msgid "Enables import or export of routes between the current unicast VRF and VPN." msgstr "Enables import or export of routes between the current unicast VRF and VPN." @@ -4980,7 +4992,7 @@ msgstr "Enslave `` interface to bond ``." msgid "Ensure that when comparing routes where both are equal on most metrics, including local-pref, AS_PATH length, IGP cost, MED, that the tie is broken based on router-ID." msgstr "Ensure that when comparing routes where both are equal on most metrics, including local-pref, AS_PATH length, IGP cost, MED, that the tie is broken based on router-ID." -#: ../../configuration/interfaces/openvpn.rst:393 +#: ../../configuration/interfaces/openvpn.rst:445 msgid "Enterprise installations usually ship a kind of directory service which is used to have a single password store for all employees. VyOS and OpenVPN support using LDAP/AD as single user backend." msgstr "Enterprise installations usually ship a kind of directory service which is used to have a single password store for all employees. VyOS and OpenVPN support using LDAP/AD as single user backend." @@ -5708,7 +5720,7 @@ msgid "Example Network" msgstr "Example Network" #: ../../configuration/firewall/general.rst:1457 -#: ../../configuration/firewall/general-legacy.rst:976 +#: ../../configuration/firewall/general-legacy.rst:979 msgid "Example Partial Config" msgstr "Example Partial Config" @@ -5913,7 +5925,7 @@ msgstr "Firewall-Legacy" msgid "Firewall Description" msgstr "Firewall Description" -#: ../../configuration/interfaces/openvpn.rst:157 +#: ../../configuration/interfaces/openvpn.rst:209 #: ../../configuration/interfaces/wireguard.rst:207 msgid "Firewall Exceptions" msgstr "Firewall Exceptions" 
@@ -5938,7 +5950,7 @@ msgstr "Firewall groups represent collections of IP addresses, networks, ports, msgid "Firewall mark. It possible to loadbalancing traffic based on ``fwmark`` value" msgstr "Firewall mark. It possible to loadbalancing traffic based on ``fwmark`` value" -#: ../../configuration/interfaces/openvpn.rst:259 +#: ../../configuration/interfaces/openvpn.rst:311 msgid "Firewall policy can also be applied to the tunnel interface for `local`, `in`, and `out` directions and functions identically to ethernet interfaces." msgstr "Firewall policy can also be applied to the tunnel interface for `local`, `in`, and `out` directions and functions identically to ethernet interfaces." @@ -5962,6 +5974,10 @@ msgstr "First, on both routers run the operational command \"generate pki key-pa msgid "First, one of the systems generate the key using the :ref:`generate pki openvpn shared-secret` command. Once generated, you will need to install this key on the local system, then copy and install this key to the remote router." msgstr "First, one of the systems generate the key using the :ref:`generate pki openvpn shared-secret` command. Once generated, you will need to install this key on the local system, then copy and install this key to the remote router." +#: ../../configuration/interfaces/openvpn.rst:176 +msgid "First, you need to generate a key by running ``run generate pki openvpn shared-secret install `` from configuration mode. You can use any name, we will use ``s2s``." +msgstr "First, you need to generate a key by running ``run generate pki openvpn shared-secret install `` from configuration mode. You can use any name, we will use ``s2s``." + #: ../../configuration/policy/route-map.rst:60 msgid "First hop interface of a route to match." msgstr "First hop interface of a route to match." 
@@ -5982,7 +5998,7 @@ msgstr "First steps" msgid "First the OTP keys must be generated and sent to the user and to the configuration:" msgstr "First the OTP keys must be generated and sent to the user and to the configuration:" -#: ../../configuration/interfaces/openvpn.rst:290 +#: ../../configuration/interfaces/openvpn.rst:342 msgid "First we need to specify the basic settings. 1194/UDP is the default. The ``persistent-tunnel`` option is recommended, it prevents the TUN/TAP device from closing on connection resets or daemon reloads." msgstr "First we need to specify the basic settings. 1194/UDP is the default. The ``persistent-tunnel`` option is recommended, it prevents the TUN/TAP device from closing on connection resets or daemon reloads." @@ -6026,11 +6042,11 @@ msgstr "Follow the instructions to generate CA cert (in configuration mode):" msgid "Follow the instructions to generate server cert (in configuration mode):" msgstr "Follow the instructions to generate server cert (in configuration mode):" -#: ../../configuration/interfaces/openvpn.rst:206 +#: ../../configuration/interfaces/openvpn.rst:258 msgid "For Encryption:" msgstr "For Encryption:" -#: ../../configuration/interfaces/openvpn.rst:243 +#: ../../configuration/interfaces/openvpn.rst:295 msgid "For Hashing:" msgstr "For Hashing:" 
@@ -6126,6 +6142,10 @@ msgstr "For ipv4:" msgid "For latest releases, refer the `firewall `_ main page to configure zone based rules. New syntax was introduced here :vytask:`T5160`" msgstr "For latest releases, refer the `firewall `_ main page to configure zone based rules. New syntax was introduced here :vytask:`T5160`" +#: ../../configuration/firewall/zone.rst:19 +msgid "For latest releases, refer the `firewall (interface-groups) `_ main page to configure zone based rules. New syntax was introduced here :vytask:`T5160`" +msgstr "For latest releases, refer the `firewall (interface-groups) `_ main page to configure zone based rules. New syntax was introduced here :vytask:`T5160`" + #: ../../configuration/protocols/mpls.rst:27 msgid "For more information on how MPLS label switching works, please go visit `Wikipedia (MPLS)`_." msgstr "For more information on how MPLS label switching works, please go visit `Wikipedia (MPLS)`_." @@ -6158,7 +6178,7 @@ msgstr "For serial via USB port information please refor to: :ref:`hardware_usb` msgid "For simplicity we'll assume that the protocol is GRE, it's not hard to guess what needs to be changed to make it work with a different protocol. We assume that IPsec will use pre-shared secret authentication and will use AES128/SHA1 for the cipher and hash. Adjust this as necessary." msgstr "For simplicity we'll assume that the protocol is GRE, it's not hard to guess what needs to be changed to make it work with a different protocol. We assume that IPsec will use pre-shared secret authentication and will use AES128/SHA1 for the cipher and hash. Adjust this as necessary." -#: ../../configuration/interfaces/openvpn.rst:159 +#: ../../configuration/interfaces/openvpn.rst:211 msgid "For the OpenVPN traffic to pass through the WAN interface, you must create a firewall exception." msgstr "For the OpenVPN traffic to pass through the WAN interface, you must create a firewall exception." 
@@ -6339,7 +6359,7 @@ msgstr "Getting started" msgid "Given the fact that open DNS recursors could be used on DDoS amplification attacks, you must configure the networks which are allowed to use this recursor. A network of ``0.0.0.0/0`` or ``::/0`` would allow all IPv4 and IPv6 networks to query this server. This is generally a bad idea." msgstr "Given the fact that open DNS recursors could be used on DDoS amplification attacks, you must configure the networks which are allowed to use this recursor. A network of ``0.0.0.0/0`` or ``::/0`` would allow all IPv4 and IPv6 networks to query this server. This is generally a bad idea." -#: ../../configuration/interfaces/openvpn.rst:525 +#: ../../configuration/interfaces/openvpn.rst:577 msgid "Given the following example we have one VyOS router acting as OpenVPN server and another VyOS router acting as OpenVPN client. The server also pushes a static client IP address to the OpenVPN client. Remember, clients are identified using their CN attribute in the SSL certificate." msgstr "Given the following example we have one VyOS router acting as OpenVPN server and another VyOS router acting as OpenVPN client. The server also pushes a static client IP address to the OpenVPN client. Remember, clients are identified using their CN attribute in the SSL certificate." 
@@ -6381,7 +6401,7 @@ msgstr "Groups" msgid "Groups need to have unique names. Even though some contain IPv4 addresses and others contain IPv6 addresses, they still need to have unique names, so you may want to append \"-v4\" or \"-v6\" to your group names." msgstr "Groups need to have unique names. Even though some contain IPv4 addresses and others contain IPv6 addresses, they still need to have unique names, so you may want to append \"-v4\" or \"-v6\" to your group names." -#: ../../configuration/interfaces/openvpn.rst:368 +#: ../../configuration/interfaces/openvpn.rst:420 msgid "HQ's router requires the following steps to generate crypto materials for the Branch 1:" msgstr "HQ's router requires the following steps to generate crypto materials for the Branch 1:" @@ -6454,7 +6474,7 @@ msgstr "Here's the neighbors up:" msgid "Here's the routes:" msgstr "Here's the routes:" -#: ../../configuration/firewall/general-legacy.rst:756 +#: ../../configuration/firewall/general-legacy.rst:759 msgid "Here are some examples for applying a rule-set to an interface" msgstr "Here are some examples for applying a rule-set to an interface" 
@@ -6555,6 +6575,10 @@ msgstr "How to make it work" msgid "However, now you need to make IPsec work with dynamic address on one side. The tricky part is that pre-shared secret authentication doesn't work with dynamic address, so we'll have to use RSA keys." msgstr "However, now you need to make IPsec work with dynamic address on one side. The tricky part is that pre-shared secret authentication doesn't work with dynamic address, so we'll have to use RSA keys." +#: ../../configuration/interfaces/openvpn.rst:80 +msgid "However, since VyOS 1.4, it is possible to verify self-signed certificates using certificate fingerprints." +msgstr "However, since VyOS 1.4, it is possible to verify self-signed certificates using certificate fingerprints." + #: ../../configuration/interfaces/wireguard.rst:319 msgid "However, split-tunneling can be achieved by specifying the remote subnets. This ensures that only traffic destined for the remote site is sent over the tunnel. All other traffic is unaffected." msgstr "However, split-tunneling can be achieved by specifying the remote subnets. This ensures that only traffic destined for the remote site is sent over the tunnel. All other traffic is unaffected." 
@@ -7072,7 +7096,7 @@ msgstr "If guaranteed traffic for a class is met and there is room for more traf msgid "If it's vital that the daemon should act exactly like a real multicast client on the upstream interface, this function should be enabled." msgstr "If it's vital that the daemon should act exactly like a real multicast client on the upstream interface, this function should be enabled." -#: ../../configuration/interfaces/openvpn.rst:72 +#: ../../configuration/interfaces/openvpn.rst:69 msgid "If known, the IP of the remote router can be configured using the ``remote-host`` directive; if unknown, it can be omitted. We will assume a dynamic IP for our remote router." msgstr "If known, the IP of the remote router can be configured using the ``remote-host`` directive; if unknown, it can be omitted. We will assume a dynamic IP for our remote router." 
@@ -7080,7 +7104,7 @@ msgstr "If known, the IP of the remote router can be configured using the ``remo msgid "If logging to a local user account is configured, all defined log messages are display on the console if the local user is logged in, if the user is not logged in, no messages are being displayed. For an explanation on :ref:`syslog_facilities` keywords and :ref:`syslog_severity_level` keywords see tables below." msgstr "If logging to a local user account is configured, all defined log messages are display on the console if the local user is logged in, if the user is not logged in, no messages are being displayed. For an explanation on :ref:`syslog_facilities` keywords and :ref:`syslog_severity_level` keywords see tables below." -#: ../../configuration/interfaces/openvpn.rst:262 +#: ../../configuration/interfaces/openvpn.rst:314 msgid "If making use of multiple tunnels, OpenVPN must have a way to distinguish between different tunnels aside from the pre-shared-key. This is either by referencing IP address or port number. One option is to dedicate a public IP to each tunnel. Another option is to dedicate a port number to each tunnel (e.g. 1195,1196,1197...)." msgstr "If making use of multiple tunnels, OpenVPN must have a way to distinguish between different tunnels aside from the pre-shared-key. This is either by referencing IP address or port number. One option is to dedicate a public IP to each tunnel. Another option is to dedicate a port number to each tunnel (e.g. 1195,1196,1197...)." 
@@ -7329,7 +7353,7 @@ msgstr "If you've completed all the above steps you no doubt want to see if it's msgid "If you apply a parameter to an individual neighbor IP address, you override the action defined for a peer group that includes that IP address." msgstr "If you apply a parameter to an individual neighbor IP address, you override the action defined for a peer group that includes that IP address." -#: ../../configuration/interfaces/openvpn.rst:585 +#: ../../configuration/interfaces/openvpn.rst:637 msgid "If you are a hacker or want to try on your own we support passing raw OpenVPN options to OpenVPN." msgstr "If you are a hacker or want to try on your own we support passing raw OpenVPN options to OpenVPN." @@ -7353,7 +7377,7 @@ msgstr "If you are using FQ-CoDel embedded into Shaper_ and you have large rates msgid "If you are using OSPF as IGP, always the closest interface connected to the RADIUS server is used. With VyOS 1.2 you can bind all outgoing RADIUS requests to a single source IP e.g. the loopback interface." msgstr "If you are using OSPF as IGP, always the closest interface connected to the RADIUS server is used. With VyOS 1.2 you can bind all outgoing RADIUS requests to a single source IP e.g. the loopback interface." -#: ../../configuration/interfaces/openvpn.rst:254 +#: ../../configuration/interfaces/openvpn.rst:306 msgid "If you change the default encryption and hashing algorithms, be sure that the local and remote ends have matching configurations, otherwise the tunnel will not come up." msgstr "If you change the default encryption and hashing algorithms, be sure that the local and remote ends have matching configurations, otherwise the tunnel will not come up." 
@@ -7396,7 +7420,7 @@ msgstr "If you have configured the `INSIDE-OUT` policy, you will need to add add msgid "If you need to sample also egress traffic, you may want to configure egress flow-accounting:" msgstr "If you need to sample also egress traffic, you may want to configure egress flow-accounting:" -#: ../../configuration/interfaces/openvpn.rst:466 +#: ../../configuration/interfaces/openvpn.rst:518 msgid "If you only want to check if the user account is enabled and can authenticate (against the primary group) the following snipped is sufficient:" msgstr "If you only want to check if the user account is enabled and can authenticate (against the primary group) the following snipped is sufficient:" @@ -7501,7 +7525,7 @@ msgstr "In VyOS the terms ``vif-s`` and ``vif-c`` stand for the ethertype tags t msgid "In :rfc:`3069` it is called VLAN Aggregation" msgstr "In :rfc:`3069` it is called VLAN Aggregation" -#: ../../configuration/firewall/zone.rst:31 +#: ../../configuration/firewall/zone.rst:41 msgid "In :vytask:`T2199` the syntax of the zone configuration was changed. The zone configuration moved from ``zone-policy zone `` to ``firewall zone ``." msgstr "In :vytask:`T2199` the syntax of the zone configuration was changed. The zone configuration moved from ``zone-policy zone `` to ``firewall zone ``." 
@@ -7556,6 +7580,10 @@ msgstr "In addition you will specifiy the IP address or FQDN for the client wher msgid "In an **address group** a single IP address or IP address ranges are defined." msgstr "In an **address group** a single IP address or IP address ranges are defined." +#: ../../configuration/interfaces/openvpn.rst:57 +msgid "In both cases, we will use the following settings:" +msgstr "In both cases, we will use the following settings:" + #: ../../configuration/system/flow-accounting.rst:78 msgid "In case, if you need to catch some logs from flow-accounting daemon, you may configure logging facility:" msgstr "In case, if you need to catch some logs from flow-accounting daemon, you may configure logging facility:" @@ -7759,7 +7787,7 @@ msgstr "In this example, we will be using the example Quick Start configuration msgid "In this example all traffic destined to ports \"80, 2222, 8888\" protocol TCP marks to fwmark \"111\" and balanced between 2 real servers. Port \"0\" is required if multiple ports are used." msgstr "In this example all traffic destined to ports \"80, 2222, 8888\" protocol TCP marks to fwmark \"111\" and balanced between 2 real servers. Port \"0\" is required if multiple ports are used." -#: ../../configuration/interfaces/openvpn.rst:282 +#: ../../configuration/interfaces/openvpn.rst:334 msgid "In this example we will use the most complicated case: a setup where each client is a router that has its own subnet (think HQ and branch offices), since simpler setups are subsets of it." msgstr "In this example we will use the most complicated case: a setup where each client is a router that has its own subnet (think HQ and branch offices), since simpler setups are subsets of it." 
@@ -7783,7 +7811,7 @@ msgstr "In typical uses of SNMP, one or more administrative computers called man msgid "In zone-based policy, interfaces are assigned to zones, and inspection policy is applied to traffic moving between the zones and acted on according to firewall rules. A Zone is a group of interfaces that have similar functions or features. It establishes the security borders of a network. A zone defines a boundary where traffic is subjected to policy restrictions as it crosses to another region of a network." msgstr "In zone-based policy, interfaces are assigned to zones, and inspection policy is applied to traffic moving between the zones and acted on according to firewall rules. A Zone is a group of interfaces that have similar functions or features. It establishes the security borders of a network. A zone defines a boundary where traffic is subjected to policy restrictions as it crosses to another region of a network." -#: ../../configuration/firewall/zone.rst:14 +#: ../../configuration/firewall/zone.rst:24 msgid "In zone-based policy, interfaces are assigned to zones, and inspection policy is applied to traffic moving between the zones and acted on according to firewall rules. A zone is a group of interfaces that have similar functions or features. It establishes the security borders of a network. A zone defines a boundary where traffic is subjected to policy restrictions as it crosses to another region of a network." msgstr "In zone-based policy, interfaces are assigned to zones, and inspection policy is applied to traffic moving between the zones and acted on according to firewall rules. A zone is a group of interfaces that have similar functions or features. It establishes the security borders of a network. A zone defines a boundary where traffic is subjected to policy restrictions as it crosses to another region of a network." 
@@ -8033,7 +8061,7 @@ msgstr "It generates the keypair, which includes the public and private parts. T msgid "It helps to support as HELPER only for planned restarts." msgstr "It helps to support as HELPER only for planned restarts." -#: ../../configuration/firewall/zone.rst:77 +#: ../../configuration/firewall/zone.rst:87 msgid "It helps to think of the syntax as: (see below). The 'rule-set' should be written from the perspective of: *Source Zone*-to->*Destination Zone*" msgstr "It helps to think of the syntax as: (see below). The 'rule-set' should be written from the perspective of: *Source Zone*-to->*Destination Zone*" @@ -8057,7 +8085,7 @@ msgstr "It is highly recommended to use the same address for both the LDP router msgid "It is important to note that when creating firewall rules that the DNAT translation occurs **before** traffic traverses the firewall. In other words, the destination address has already been translated to 192.168.0.100." msgstr "It is important to note that when creating firewall rules that the DNAT translation occurs **before** traffic traverses the firewall. In other words, the destination address has already been translated to 192.168.0.100." -#: ../../configuration/vrf/index.rst:467 +#: ../../configuration/vrf/index.rst:503 msgid "It is not sufficient to only configure a L3VPN VRFs but L3VPN VRFs must be maintained, too.For L3VPN VRF maintenance the following operational commands are in place." msgstr "It is not sufficient to only configure a L3VPN VRFs but L3VPN VRFs must be maintained, too.For L3VPN VRF maintenance the following operational commands are in place." 
@@ -8073,7 +8101,7 @@ msgstr "It is not valid to use the `vif 1` option for VLAN aware bridges because msgid "It is possible to enhance authentication security by using the :abbr:`2FA (Two-factor authentication)`/:abbr:`MFA (Multi-factor authentication)` feature together with :abbr:`OTP (One-Time-Pad)` on VyOS. :abbr:`2FA (Two-factor authentication)`/:abbr:`MFA (Multi-factor authentication)` is configured independently per each user. If an OTP key is configured for a user, 2FA/MFA is automatically enabled for that particular user. If a user does not have an OTP key configured, there is no 2FA/MFA check for that user." msgstr "It is possible to enhance authentication security by using the :abbr:`2FA (Two-factor authentication)`/:abbr:`MFA (Multi-factor authentication)` feature together with :abbr:`OTP (One-Time-Pad)` on VyOS. :abbr:`2FA (Two-factor authentication)`/:abbr:`MFA (Multi-factor authentication)` is configured independently per each user. If an OTP key is configured for a user, 2FA/MFA is automatically enabled for that particular user. If a user does not have an OTP key configured, there is no 2FA/MFA check for that user." -#: ../../configuration/vrf/index.rst:458 +#: ../../configuration/vrf/index.rst:494 msgid "It is possible to permit BGP install VPN prefixes without transport labels. This configuration will install VPN prefixes originated from an e-bgp session, and with the next-hop directly connected." msgstr "It is possible to permit BGP install VPN prefixes without transport labels. This configuration will install VPN prefixes originated from an e-bgp session, and with the next-hop directly connected." @@ -8145,7 +8173,7 @@ msgstr "Key Management" msgid "Key Parameters:" msgstr "Key Parameters:" -#: ../../configuration/firewall/zone.rst:21 +#: ../../configuration/firewall/zone.rst:31 msgid "Key Points:" msgstr "Key Points:" 
@@ -8198,11 +8226,11 @@ msgstr "L2TPv3 is described in :rfc:`3931`." msgid "L2TPv3 options" msgstr "L2TPv3 options" -#: ../../configuration/vrf/index.rst:361 +#: ../../configuration/vrf/index.rst:397 msgid "L3VPN VRFs" msgstr "L3VPN VRFs" -#: ../../configuration/interfaces/openvpn.rst:391 +#: ../../configuration/interfaces/openvpn.rst:443 #: ../../configuration/service/webproxy.rst:203 msgid "LDAP" msgstr "LDAP" @@ -8395,8 +8423,8 @@ msgstr "Load the container image in op-mode." msgid "Local" msgstr "Local" -#: ../../configuration/interfaces/openvpn.rst:77 -#: ../../configuration/interfaces/openvpn.rst:189 +#: ../../configuration/interfaces/openvpn.rst:134 +#: ../../configuration/interfaces/openvpn.rst:241 msgid "Local Configuration:" msgstr "Local Configuration:" @@ -8681,7 +8709,7 @@ msgstr "Mark the private key as password protected. User is asked for the passwo msgid "Match BGP large communities." msgstr "Match BGP large communities." -#: ../../configuration/firewall/general-legacy.rst:471 +#: ../../configuration/firewall/general-legacy.rst:474 msgid "Match IP addresses based on its geolocation. More info: `geoip matching `_." msgstr "Match IP addresses based on its geolocation. More info: `geoip matching `_." 
@@ -8698,17 +8726,17 @@ msgid "Match a protocol criteria. A protocol number or a name which is defined i msgstr "Match a protocol criteria. A protocol number or a name which is defined in: ``/etc/protocols``. Special names are ``all`` for all protocols and ``tcp_udp`` for tcp and udp based packets. The ``!`` negates the selected protocol." #: ../../configuration/firewall/general.rst:1096 -#: ../../configuration/firewall/general-legacy.rst:668 +#: ../../configuration/firewall/general-legacy.rst:671 msgid "Match a protocol criteria. A protocol number or a name which is here defined: ``/etc/protocols``. Special names are ``all`` for all protocols and ``tcp_udp`` for tcp and udp based packets. The ``!`` negate the selected protocol." msgstr "Match a protocol criteria. A protocol number or a name which is here defined: ``/etc/protocols``. Special names are ``all`` for all protocols and ``tcp_udp`` for tcp and udp based packets. The ``!`` negate the selected protocol." #: ../../configuration/firewall/general.rst:1163 -#: ../../configuration/firewall/general-legacy.rst:706 +#: ../../configuration/firewall/general-legacy.rst:709 msgid "Match against the state of a packet." msgstr "Match against the state of a packet." #: ../../configuration/firewall/general.rst:929 -#: ../../configuration/firewall/general-legacy.rst:587 +#: ../../configuration/firewall/general-legacy.rst:590 msgid "Match based on dscp value." msgstr "Match based on dscp value." 
@@ -8717,18 +8745,18 @@ msgid "Match based on dscp value criteria. Multiple values from 0 to 63 and rang msgstr "Match based on dscp value criteria. Multiple values from 0 to 63 and ranges are supported." #: ../../configuration/firewall/general.rst:942 -#: ../../configuration/firewall/general-legacy.rst:594 +#: ../../configuration/firewall/general-legacy.rst:597 msgid "Match based on fragment criteria." msgstr "Match based on fragment criteria." #: ../../configuration/firewall/general.rst:961 -#: ../../configuration/firewall/general-legacy.rst:601 +#: ../../configuration/firewall/general-legacy.rst:604 #: ../../configuration/policy/route.rst:131 msgid "Match based on icmp|icmpv6 code and type." msgstr "Match based on icmp|icmpv6 code and type." #: ../../configuration/firewall/general.rst:980 -#: ../../configuration/firewall/general-legacy.rst:607 +#: ../../configuration/firewall/general-legacy.rst:610 msgid "Match based on icmp|icmpv6 type-name criteria. Use tab for information about what **type-name** criteria are supported." msgstr "Match based on icmp|icmpv6 type-name criteria. Use tab for information about what **type-name** criteria are supported." @@ -8736,7 +8764,7 @@ msgstr "Match based on icmp|icmpv6 type-name criteria. Use tab for information a msgid "Match based on icmp|icmpv6 type-name criteria. Use tab for information about what type-name criteria are supported." msgstr "Match based on icmp|icmpv6 type-name criteria. Use tab for information about what type-name criteria are supported." -#: ../../configuration/firewall/general-legacy.rst:619 +#: ../../configuration/firewall/general-legacy.rst:622 msgid "Match based on inbound/outbound interface. Wilcard ``*`` can be used. For example: ``eth2*``" msgstr "Match based on inbound/outbound interface. Wilcard ``*`` can be used. For example: ``eth2*``" 
@@ -8745,7 +8773,7 @@ msgid "Match based on inbound interface. Wilcard ``*`` can be used. For example: msgstr "Match based on inbound interface. Wilcard ``*`` can be used. For example: ``eth2*``" #: ../../configuration/firewall/general.rst:1018 -#: ../../configuration/firewall/general-legacy.rst:627 +#: ../../configuration/firewall/general-legacy.rst:630 msgid "Match based on ipsec criteria." msgstr "Match based on ipsec criteria." 
@@ -8754,29 +8782,29 @@ msgid "Match based on outbound interface. Wilcard ``*`` can be used. For example msgstr "Match based on outbound interface. Wilcard ``*`` can be used. For example: ``eth2*``" #: ../../configuration/firewall/general.rst:1069 -#: ../../configuration/firewall/general-legacy.rst:653 +#: ../../configuration/firewall/general-legacy.rst:656 #: ../../configuration/policy/route.rst:176 msgid "Match based on packet length criteria. Multiple values from 1 to 65535 and ranges are supported." msgstr "Match based on packet length criteria. Multiple values from 1 to 65535 and ranges are supported." #: ../../configuration/firewall/general.rst:1083 -#: ../../configuration/firewall/general-legacy.rst:661 +#: ../../configuration/firewall/general-legacy.rst:664 #: ../../configuration/policy/route.rst:184 msgid "Match based on packet type criteria." msgstr "Match based on packet type criteria." #: ../../configuration/firewall/general.rst:1044 -#: ../../configuration/firewall/general-legacy.rst:641 +#: ../../configuration/firewall/general-legacy.rst:644 msgid "Match based on the maximum average rate, specified as **integer/unit**. For example **5/minutes**" msgstr "Match based on the maximum average rate, specified as **integer/unit**. For example **5/minutes**" #: ../../configuration/firewall/general.rst:1031 -#: ../../configuration/firewall/general-legacy.rst:634 +#: ../../configuration/firewall/general-legacy.rst:637 msgid "Match based on the maximum number of packets to allow in excess of rate." msgstr "Match based on the maximum number of packets to allow in excess of rate." #: ../../configuration/firewall/general.rst:1129 -#: ../../configuration/firewall/general-legacy.rst:686 +#: ../../configuration/firewall/general-legacy.rst:689 msgid "Match bases on recently seen sources." msgstr "Match bases on recently seen sources." 
@@ -8799,7 +8827,7 @@ msgid "Match domain name" msgstr "Match domain name" #: ../../configuration/firewall/general.rst:1239 -#: ../../configuration/firewall/general-legacy.rst:729 +#: ../../configuration/firewall/general-legacy.rst:732 #: ../../configuration/policy/route.rst:234 msgid "Match hop-limit parameter, where 'eq' stands for 'equal'; 'gt' stands for 'greater than', and 'lt' stands for 'less than'." msgstr "Match hop-limit parameter, where 'eq' stands for 'equal'; 'gt' stands for 'greater than', and 'lt' stands for 'less than'." @@ -8813,13 +8841,13 @@ msgid "Match route metric." msgstr "Match route metric." #: ../../configuration/firewall/general.rst:1227 -#: ../../configuration/firewall/general-legacy.rst:723 +#: ../../configuration/firewall/general-legacy.rst:726 #: ../../configuration/policy/route.rst:229 msgid "Match time to live parameter, where 'eq' stands for 'equal'; 'gt' stands for 'greater than', and 'lt' stands for 'less than'." msgstr "Match time to live parameter, where 'eq' stands for 'equal'; 'gt' stands for 'greater than', and 'lt' stands for 'less than'." #: ../../configuration/firewall/general.rst:1264 -#: ../../configuration/firewall/general-legacy.rst:739 +#: ../../configuration/firewall/general-legacy.rst:742 msgid "Match when 'count' amount of connections are seen within 'time'. These matching criteria can be used to block brute-force attempts." msgstr "Match when 'count' amount of connections are seen within 'time'. These matching criteria can be used to block brute-force attempts." 
@@ -8909,7 +8937,7 @@ msgstr "Mount a volume into the container" msgid "Multi" msgstr "Multi" -#: ../../configuration/interfaces/openvpn.rst:275 +#: ../../configuration/interfaces/openvpn.rst:327 msgid "Multi-client server is the most popular OpenVPN mode on routers. It always uses x.509 authentication and therefore requires a PKI setup. Refer this topic :ref:`configuration/pki/index:pki` to generate a CA certificate, a server certificate and key, a certificate revocation list, a Diffie-Hellman key exchange parameters file. You do not need client certificates and keys for the server setup." msgstr "Multi-client server is the most popular OpenVPN mode on routers. It always uses x.509 authentication and therefore requires a PKI setup. Refer this topic :ref:`configuration/pki/index:pki` to generate a CA certificate, a server certificate and key, a certificate revocation list, a Diffie-Hellman key exchange parameters file. You do not need client certificates and keys for the server setup." @@ -9001,7 +9029,7 @@ msgid "Multiple services can be used per interface. Just specify as many service msgstr "Multiple services can be used per interface. Just specify as many services per interface as you like!" #: ../../configuration/firewall/general.rst:775 -#: ../../configuration/firewall/general-legacy.rst:512 +#: ../../configuration/firewall/general-legacy.rst:515 msgid "Multiple source ports can be specified as a comma-separated list. The whole list can also be \"negated\" using ``!``. For example:" msgstr "Multiple source ports can be specified as a comma-separated list. The whole list can also be \"negated\" using ``!``. For example:" 
@@ -9262,6 +9290,10 @@ msgstr "Normal but significant conditions - conditions that are not error condit msgid "Not all transmit policies may be 802.3ad compliant, particularly in regards to the packet misordering requirements of section 43.2.4 of the 802.3ad standard." msgstr "Not all transmit policies may be 802.3ad compliant, particularly in regards to the packet misordering requirements of section 43.2.4 of the 802.3ad standard." +#: ../../configuration/interfaces/openvpn.rst:127 +msgid "Note: certificate names don't matter, we use 'openvpn-local' and 'openvpn-remote' but they can be arbitrary." +msgstr "Note: certificate names don't matter, we use 'openvpn-local' and 'openvpn-remote' but they can be arbitrary." + #: ../../configuration/system/syslog.rst:246 msgid "Note that deleting the log file does not stop the system from logging events. If you use this command while the system is logging events, old log events will be deleted, but events after the delete operation will be recorded in the new file. To delete the file altogether, first delete logging to the file using system syslog :ref:`custom-file` command, and then delete the file." msgstr "Note that deleting the log file does not stop the system from logging events. If you use this command while the system is logging events, old log events will be deleted, but events after the delete operation will be recorded in the new file. To delete the file altogether, first delete logging to the file using system syslog :ref:`custom-file` command, and then delete the file." 
@@ -9287,7 +9319,7 @@ msgstr "Now the noted public keys should be entered on the opposite routers." msgid "Now we add the option to the scope, adapt to your setup" msgstr "Now we add the option to the scope, adapt to your setup" -#: ../../configuration/interfaces/openvpn.rst:333 +#: ../../configuration/interfaces/openvpn.rst:385 msgid "Now we need to specify the server network settings. In all cases we need to specify the subnet for client tunnel endpoints. Since we want clients to access a specific network behind our router, we will use a push-route option for installing that route on clients." msgstr "Now we need to specify the server network settings. In all cases we need to specify the subnet for client tunnel endpoints. Since we want clients to access a specific network behind our router, we will use a push-route option for installing that route on clients." 
@@ -9359,6 +9391,10 @@ msgstr "Often you will also have to configure your *default* traffic in the same msgid "On active router run:" msgstr "On active router run:" +#: ../../configuration/interfaces/openvpn.rst:83 +msgid "On both sides, you need to generate a self-signed certificate, preferrably using the \"ec\" (elliptic curve) type. You can generate them by executing command ``run generate pki certificate self-signed install `` in the configuration mode. Once the command is complete, it will add the certificate to the configuration session, to the ``pki`` subtree. You can then review the proposed changes and commit them." +msgstr "On both sides, you need to generate a self-signed certificate, preferrably using the \"ec\" (elliptic curve) type. You can generate them by executing command ``run generate pki certificate self-signed install `` in the configuration mode. Once the command is complete, it will add the certificate to the configuration session, to the ``pki`` subtree. You can then review the proposed changes and commit them." + #: ../../configuration/trafficpolicy/index.rst:487 msgid "On low rates (below 40Mbit) you may want to tune `quantum` down to something like 300 bytes." msgstr "On low rates (below 40Mbit) you may want to tune `quantum` down to something like 300 bytes." @@ -9519,7 +9555,7 @@ msgid "Only VRRP is supported. Required option." msgstr "Only VRRP is supported. Required option." #: ../../configuration/firewall/general.rst:736 -#: ../../configuration/firewall/general-legacy.rst:487 +#: ../../configuration/firewall/general-legacy.rst:490 msgid "Only in the source criteria, you can specify a mac-address." msgstr "Only in the source criteria, you can specify a mac-address." 
@@ -9587,19 +9623,19 @@ msgstr "OpenConnect supports a subset of it's configuration options to be applie msgid "OpenVPN" msgstr "OpenVPN" -#: ../../configuration/interfaces/openvpn.rst:355 +#: ../../configuration/interfaces/openvpn.rst:407 msgid "OpenVPN **will not** automatically create routes in the kernel for client subnets when they connect and will only use client-subnet association internally, so we need to create a route to the 10.23.0.0/20 network ourselves:" msgstr "OpenVPN **will not** automatically create routes in the kernel for client subnets when they connect and will only use client-subnet association internally, so we need to create a route to the 10.23.0.0/20 network ourselves:" -#: ../../configuration/interfaces/openvpn.rst:617 +#: ../../configuration/interfaces/openvpn.rst:669 msgid "OpenVPN DCO is not full OpenVPN features supported , is currently considered experimental. Furthermore, there are certain OpenVPN features and use cases that remain incompatible with DCO. To get a comprehensive understanding of the limitations associated with DCO, refer to the list of known limitations in the documentation." msgstr "OpenVPN DCO is not full OpenVPN features supported , is currently considered experimental. Furthermore, there are certain OpenVPN features and use cases that remain incompatible with DCO. To get a comprehensive understanding of the limitations associated with DCO, refer to the list of known limitations in the documentation." -#: ../../configuration/interfaces/openvpn.rst:606 +#: ../../configuration/interfaces/openvpn.rst:658 msgid "OpenVPN Data Channel Offload (DCO)" msgstr "OpenVPN Data Channel Offload (DCO)" -#: ../../configuration/interfaces/openvpn.rst:608 +#: ../../configuration/interfaces/openvpn.rst:660 msgid "OpenVPN Data Channel Offload (DCO) enables significant performance enhancement in encrypted OpenVPN data processing. By minimizing context switching for each packet, DCO effectively reduces overhead. 
This optimization is achieved by keeping most data handling tasks within the kernel, avoiding frequent switches between kernel and user space for encryption and packet handling." msgstr "OpenVPN Data Channel Offload (DCO) enables significant performance enhancement in encrypted OpenVPN data processing. By minimizing context switching for each packet, DCO effectively reduces overhead. This optimization is achieved by keeping most data handling tasks within the kernel, avoiding frequent switches between kernel and user space for encryption and packet handling." @@ -9607,7 +9643,11 @@ msgstr "OpenVPN Data Channel Offload (DCO) enables significant performance enhan msgid "OpenVPN allows for either TCP or UDP. UDP will provide the lowest latency, while TCP will work better for lossy connections; generally UDP is preferred when possible." msgstr "OpenVPN allows for either TCP or UDP. UDP will provide the lowest latency, while TCP will work better for lossy connections; generally UDP is preferred when possible." -#: ../../configuration/interfaces/openvpn.rst:268 +#: ../../configuration/interfaces/openvpn.rst:43 +msgid "OpenVPN is popular for client-server setups, but its site-to-site mode remains a relatively obscure feature, and many router appliances still don't support it. However, it's very useful for quickly setting up tunnels between routers." +msgstr "OpenVPN is popular for client-server setups, but its site-to-site mode remains a relatively obscure feature, and many router appliances still don't support it. However, it's very useful for quickly setting up tunnels between routers." + +#: ../../configuration/interfaces/openvpn.rst:320 msgid "OpenVPN status can be verified using the `show openvpn` operational commands. See the built-in help for a complete list of options." msgstr "OpenVPN status can be verified using the `show openvpn` operational commands. See the built-in help for a complete list of options." 
@@ -9643,13 +9683,13 @@ msgstr "Operating Modes" #: ../../configuration/system/default-route.rst:25 #: ../../configuration/system/flow-accounting.rst:175 #: ../../configuration/vrf/index.rst:111 -#: ../../configuration/vrf/index.rst:285 -#: ../../configuration/vrf/index.rst:465 +#: ../../configuration/vrf/index.rst:321 +#: ../../configuration/vrf/index.rst:501 msgid "Operation" msgstr "Operation" #: ../../configuration/firewall/general.rst:1269 -#: ../../configuration/firewall/general-legacy.rst:775 +#: ../../configuration/firewall/general-legacy.rst:778 msgid "Operation-mode Firewall" msgstr "Operation-mode Firewall" @@ -9741,7 +9781,7 @@ msgstr "Optional Configuration" msgid "Optionally set a specific static IPv4 or IPv6 address for the container. This address must be within the named network prefix." msgstr "Optionally set a specific static IPv4 or IPv6 address for the container. This address must be within the named network prefix." -#: ../../configuration/interfaces/openvpn.rst:579 +#: ../../configuration/interfaces/openvpn.rst:631 #: ../../configuration/service/dhcp-relay.rst:53 #: ../../configuration/service/dhcp-relay.rst:158 #: ../../configuration/service/dhcp-server.rst:257 @@ -9825,7 +9865,7 @@ msgid "Overview and basic concepts" msgstr "Overview and basic concepts" #: ../../configuration/firewall/general.rst:1423 -#: ../../configuration/firewall/general-legacy.rst:905 +#: ../../configuration/firewall/general-legacy.rst:908 msgid "Overview of defined groups. You see the type, the members, and where the group is used." msgstr "Overview of defined groups. You see the type, the members, and where the group is used." 
@@ -10125,6 +10165,10 @@ msgstr "Port to listen for HTTPS requests; default 443" msgid "Portions of the network which are VLAN-aware (i.e., IEEE 802.1q_ conformant) can include VLAN tags. When a frame enters the VLAN-aware portion of the network, a tag is added to represent the VLAN membership. Each frame must be distinguishable as being within exactly one VLAN. A frame in the VLAN-aware portion of the network that does not contain a VLAN tag is assumed to be flowing on the native VLAN." msgstr "Portions of the network which are VLAN-aware (i.e., IEEE 802.1q_ conformant) can include VLAN tags. When a frame enters the VLAN-aware portion of the network, a tag is added to represent the VLAN membership. Each frame must be distinguishable as being within exactly one VLAN. A frame in the VLAN-aware portion of the network that does not contain a VLAN tag is assumed to be flowing on the native VLAN." +#: ../../configuration/interfaces/openvpn.rst:169 +msgid "Pre-shared keys" +msgstr "Pre-shared keys" + #: ../../configuration/trafficpolicy/index.rst:787 #: ../../configuration/trafficpolicy/index.rst:862 msgid "Precedence" @@ -10234,11 +10278,11 @@ msgstr "Prepend the given string of AS numbers to the AS_PATH of the BGP path's msgid "Principle of SNMP Communication" msgstr "Principle of SNMP Communication" -#: ../../configuration/vrf/index.rst:494 +#: ../../configuration/vrf/index.rst:530 msgid "Print a summary of neighbor connections for the specified AFI/SAFI combination." msgstr "Print a summary of neighbor connections for the specified AFI/SAFI combination." -#: ../../configuration/vrf/index.rst:473 +#: ../../configuration/vrf/index.rst:509 msgid "Print active IPV4 or IPV6 routes advertised via the VPN SAFI." msgstr "Print active IPV4 or IPV6 routes advertised via the VPN SAFI." 
@@ -10672,8 +10716,8 @@ msgstr "Remote Access \"RoadWarrior\" Example" msgid "Remote Access \"RoadWarrior\" clients" msgstr "Remote Access \"RoadWarrior\" clients" -#: ../../configuration/interfaces/openvpn.rst:120 -#: ../../configuration/interfaces/openvpn.rst:195 +#: ../../configuration/interfaces/openvpn.rst:152 +#: ../../configuration/interfaces/openvpn.rst:247 msgid "Remote Configuration:" msgstr "Remote Configuration:" @@ -10721,6 +10765,10 @@ msgstr "Remote transmission interval will be multiplied by this value" msgid "Renaming clients interfaces by RADIUS" msgstr "Renaming clients interfaces by RADIUS" +#: ../../configuration/interfaces/openvpn.rst:129 +msgid "Repeat the procedure on the other router." +msgstr "Repeat the procedure on the other router." + #: ../../configuration/interfaces/macsec.rst:93 msgid "Replay protection" msgstr "Replay protection" @@ -10765,7 +10813,7 @@ msgstr "Requirements:" msgid "Reset" msgstr "Reset" -#: ../../configuration/interfaces/openvpn.rst:673 +#: ../../configuration/interfaces/openvpn.rst:725 msgid "Reset OpenVPN" msgstr "Reset OpenVPN" @@ -10923,7 +10971,7 @@ msgstr "Router Lifetime" msgid "Router receives DHCP client requests on ``eth1`` and relays them to the server at 10.0.1.4 on ``eth2``." msgstr "Router receives DHCP client requests on ``eth1`` and relays them to the server at 10.0.1.4 on ``eth2``." -#: ../../configuration/vrf/index.rst:387 +#: ../../configuration/vrf/index.rst:423 msgid "Routes exported from a unicast VRF to the VPN RIB must be augmented by two parameters:" msgstr "Routes exported from a unicast VRF to the VPN RIB must be augmented by two parameters:" @@ -10965,7 +11013,7 @@ msgid "Rule-Sets" msgstr "Rule-Sets" #: ../../configuration/firewall/general.rst:1272 -#: ../../configuration/firewall/general-legacy.rst:778 +#: ../../configuration/firewall/general-legacy.rst:781 msgid "Rule-set overview" msgstr "Rule-set overview" 
@@ -11214,7 +11262,7 @@ msgstr "Segment routing defines a control plane network architecture and can be msgid "Select cipher suite used for cryptographic operations. This setting is mandatory." msgstr "Select cipher suite used for cryptographic operations. This setting is mandatory." -#: ../../configuration/vrf/index.rst:430 +#: ../../configuration/vrf/index.rst:466 msgid "Select how labels are allocated in the given VRF. By default, the per-vrf mode is selected, and one label is used for all prefixes from the VRF. The per-nexthop will use a unique label for all prefixes that are reachable via the same nexthop." msgstr "Select how labels are allocated in the given VRF. By default, the per-vrf mode is selected, and one label is used for all prefixes from the VRF. The per-nexthop will use a unique label for all prefixes that are reachable via the same nexthop." @@ -11246,7 +11294,7 @@ msgstr "Serial Console" msgid "Serial interfaces can be any interface which is directly connected to the CPU or chipset (mostly known as a ttyS interface in Linux) or any other USB to serial converter (Prolific PL2303 or FTDI FT232/FT4232 based chips)." msgstr "Serial interfaces can be any interface which is directly connected to the CPU or chipset (mostly known as a ttyS interface in Linux) or any other USB to serial converter (Prolific PL2303 or FTDI FT232/FT4232 based chips)." -#: ../../configuration/interfaces/openvpn.rst:273 +#: ../../configuration/interfaces/openvpn.rst:325 #: ../../configuration/vpn/sstp.rst:199 msgid "Server" msgstr "Server" @@ -11263,7 +11311,7 @@ msgstr "Server Certificate" msgid "Server Configuration" msgstr "Server Configuration" -#: ../../configuration/interfaces/openvpn.rst:536 +#: ../../configuration/interfaces/openvpn.rst:588 msgid "Server Side" msgstr "Server Side" 
@@ -11388,7 +11436,7 @@ msgstr "Set a human readable, descriptive alias for this connection. Alias is us msgid "Set a limit on the maximum number of concurrent logged-in users on the system." msgstr "Set a limit on the maximum number of concurrent logged-in users on the system." -#: ../../configuration/firewall/zone.rst:69 +#: ../../configuration/firewall/zone.rst:79 msgid "Set a meaningful description." msgstr "Set a meaningful description." @@ -11528,7 +11576,7 @@ msgstr "Set if antenna pattern does not change during the lifetime of an associa msgid "Set inbound interface to match." msgstr "Set inbound interface to match." -#: ../../configuration/firewall/zone.rst:55 +#: ../../configuration/firewall/zone.rst:65 msgid "Set interfaces to a zone. A zone can have multiple interfaces. But an interface can only be a member in one zone." msgstr "Set interfaces to a zone. A zone can have multiple interfaces. But an interface can only be a member in one zone." 
@@ -11919,6 +11967,18 @@ msgstr "Setting name" msgid "Setting this up on AWS will require a \"Custom Protocol Rule\" for protocol number \"47\" (GRE) Allow Rule in TWO places. Firstly on the VPC Network ACL, and secondly on the security group network ACL attached to the EC2 instance. This has been tested as working for the official AMI image on the AWS Marketplace. (Locate the correct VPC and security group by navigating through the details pane below your EC2 instance in the AWS console)." msgstr "Setting this up on AWS will require a \"Custom Protocol Rule\" for protocol number \"47\" (GRE) Allow Rule in TWO places. Firstly on the VPC Network ACL, and secondly on the security group network ACL attached to the EC2 instance. This has been tested as working for the official AMI image on the AWS Marketplace. (Locate the correct VPC and security group by navigating through the details pane below your EC2 instance in the AWS console)." +#: ../../configuration/interfaces/openvpn.rst:132 +msgid "Setting up OpenVPN" +msgstr "Setting up OpenVPN" + +#: ../../configuration/interfaces/openvpn.rst:76 +msgid "Setting up a full-blown PKI with a CA certificate would arguably defeat the purpose of site-to-site OpenVPN, since its main goal is supposed to be configuration simplicity, compared to server setups that need to support multiple clients." +msgstr "Setting up a full-blown PKI with a CA certificate would arguably defeat the purpose of site-to-site OpenVPN, since its main goal is supposed to be configuration simplicity, compared to server setups that need to support multiple clients." + +#: ../../configuration/interfaces/openvpn.rst:74 +msgid "Setting up certificates" +msgstr "Setting up certificates" + #: ../../configuration/service/dhcp-server.rst:432 msgid "Setup DHCP failover for network 192.0.2.0/24" msgstr "Setup DHCP failover for network 192.0.2.0/24" 
@@ -11971,7 +12031,7 @@ msgstr "Short GI capabilities for 20 and 40 MHz" msgid "Short bursts can be allowed to exceed the limit. On creation, the Rate-Control traffic is stocked with tokens which correspond to the amount of traffic that can be burst in one go. Tokens arrive at a steady rate, until the bucket is full." msgstr "Short bursts can be allowed to exceed the limit. On creation, the Rate-Control traffic is stocked with tokens which correspond to the amount of traffic that can be burst in one go. Tokens arrive at a steady rate, until the bucket is full." -#: ../../configuration/vrf/index.rst:450 +#: ../../configuration/vrf/index.rst:486 msgid "Shortcut syntax for specifying automatic leaking from vrf VRFNAME to the current VRF using the VPN RIB as intermediary. The RD and RT are auto derived and should not be specified explicitly for either the source or destination VRF’s." msgstr "Shortcut syntax for specifying automatic leaking from vrf VRFNAME to the current VRF using the VPN RIB as intermediary. The RD and RT are auto derived and should not be specified explicitly for either the source or destination VRF’s." @@ -11989,7 +12049,7 @@ msgid "Show DHCPv6 server daemon log file" msgstr "Show DHCPv6 server daemon log file" #: ../../configuration/firewall/general.rst:1444 -#: ../../configuration/firewall/general-legacy.rst:962 +#: ../../configuration/firewall/general-legacy.rst:965 msgid "Show Firewall log" msgstr "Show Firewall log" @@ -12237,7 +12297,7 @@ msgid "Show the local container images." msgstr "Show the local container images." #: ../../configuration/firewall/general.rst:1448 -#: ../../configuration/firewall/general-legacy.rst:966 +#: ../../configuration/firewall/general-legacy.rst:969 msgid "Show the logs of a specific Rule-Set." msgstr "Show the logs of a specific Rule-Set." 
@@ -12306,7 +12366,7 @@ msgstr "Simple text password authentication is insecure and deprecated in favour msgid "Since both routers do not know their effective public addresses, we set the local-address of the peer to \"any\"." msgstr "Since both routers do not know their effective public addresses, we set the local-address of the peer to \"any\"." -#: ../../configuration/interfaces/openvpn.rst:343 +#: ../../configuration/interfaces/openvpn.rst:395 msgid "Since it's a HQ and branch offices setup, we will want all clients to have fixed addresses and we will route traffic to specific subnets through them. We need configuration for each client to achieve this." msgstr "Since it's a HQ and branch offices setup, we will want all clients to have fixed addresses and we will route traffic to specific subnets through them. We need configuration for each client to achieve this." @@ -12416,7 +12476,7 @@ msgstr "Some services don't work correctly when being handled via a web proxy. S msgid "Some users tend to connect their mobile devices using WireGuard to their VyOS router. To ease deployment one can generate a \"per mobile\" configuration from the VyOS CLI." msgstr "Some users tend to connect their mobile devices using WireGuard to their VyOS router. To ease deployment one can generate a \"per mobile\" configuration from the VyOS CLI." -#: ../../configuration/interfaces/openvpn.rst:599 +#: ../../configuration/interfaces/openvpn.rst:651 msgid "Sometimes option lines in the generated OpenVPN configuration require quotes. This is done through a hack on our config generator. You can pass quotes using the ``"`` statement." msgstr "Sometimes option lines in the generated OpenVPN configuration require quotes. This is done through a hack on our config generator. You can pass quotes using the ``"`` statement." 
@@ -12492,7 +12552,7 @@ msgstr "Specifies IP address for Dynamic Authorization Extension server (DM/CoA) msgid "Specifies :abbr:`MPPE (Microsoft Point-to-Point Encryption)` negotioation preference." msgstr "Specifies :abbr:`MPPE (Microsoft Point-to-Point Encryption)` negotioation preference." -#: ../../configuration/vrf/index.rst:439 +#: ../../configuration/vrf/index.rst:475 msgid "Specifies an optional route-map to be applied to routes imported or exported between the current unicast VRF and VPN." msgstr "Specifies an optional route-map to be applied to routes imported or exported between the current unicast VRF and VPN." 
@@ -12573,11 +12633,11 @@ msgstr "Specifies the port `` that the SSTP port will listen on (default 4 msgid "Specifies the protection scope (aka realm name) which is to be reported to the client for the authentication scheme. It is commonly part of the text the user will see when prompted for their username and password." msgstr "Specifies the protection scope (aka realm name) which is to be reported to the client for the authentication scheme. It is commonly part of the text the user will see when prompted for their username and password." -#: ../../configuration/vrf/index.rst:414 +#: ../../configuration/vrf/index.rst:450 msgid "Specifies the route-target list to be attached to a route (export) or the route-target list to match against (import) when exporting/importing between the current unicast VRF and VPN.The RTLIST is a space-separated list of route-targets, which are BGP extended community values as described in Extended Communities Attribute." msgstr "Specifies the route-target list to be attached to a route (export) or the route-target list to match against (import) when exporting/importing between the current unicast VRF and VPN.The RTLIST is a space-separated list of route-targets, which are BGP extended community values as described in Extended Communities Attribute." -#: ../../configuration/vrf/index.rst:407 +#: ../../configuration/vrf/index.rst:443 msgid "Specifies the route distinguisher to be added to a route exported from the current unicast VRF to VPN." msgstr "Specifies the route distinguisher to be added to a route exported from the current unicast VRF to VPN." 
@@ -12606,7 +12666,7 @@ msgid "Specify IPv4/IPv6 listen address of SSH server. Multiple addresses can be msgstr "Specify IPv4/IPv6 listen address of SSH server. Multiple addresses can be defined." #: ../../configuration/firewall/general.rst:668 -#: ../../configuration/firewall/general-legacy.rst:452 +#: ../../configuration/firewall/general-legacy.rst:455 msgid "Specify a Fully Qualified Domain Name as source/destination matcher. Ensure router is able to resolve such dns query." msgstr "Specify a Fully Qualified Domain Name as source/destination matcher. Ensure router is able to resolve such dns query." 
@@ -12756,6 +12816,10 @@ msgstr "Squid_ is a caching and forwarding HTTP web proxy. It has a wide variety msgid "Start by checking for IPSec SAs (Security Associations) with:" msgstr "Start by checking for IPSec SAs (Security Associations) with:" +#: ../../configuration/firewall/zone.rst:9 +msgid "Starting from VyOS 1.4-rolling-202308040557, a new firewall structure can be found on all vyos instalations, and zone based firewall is no longer supported. Documentation for most of the new firewall CLI can be found in the `firewall `_ chapter. The legacy firewall is still available for versions before 1.4-rolling-202308040557 and can be found in the :ref:`firewall-legacy` chapter. The examples in this section use the legacy firewall configuration commands, since this feature has been removed in earlier releases." +msgstr "Starting from VyOS 1.4-rolling-202308040557, a new firewall structure can be found on all vyos instalations, and zone based firewall is no longer supported. Documentation for most of the new firewall CLI can be found in the `firewall `_ chapter. The legacy firewall is still available for versions before 1.4-rolling-202308040557 and can be found in the :ref:`firewall-legacy` chapter. The examples in this section use the legacy firewall configuration commands, since this feature has been removed in earlier releases." + #: ../../configuration/firewall/index.rst:5 msgid "Starting from VyOS 1.4-rolling-202308040557, a new firewall structure can be found on all vyos installations. Documentation for most new firewall cli can be found here:" msgstr "Starting from VyOS 1.4-rolling-202308040557, a new firewall structure can be found on all vyos installations. Documentation for most new firewall cli can be found here:" @@ -12788,7 +12852,7 @@ msgstr "Static Keys" msgid "Static Routes" msgstr "Static Routes" -#: ../../configuration/interfaces/openvpn.rst:183 +#: ../../configuration/interfaces/openvpn.rst:235 msgid "Static Routing:" msgstr "Static Routing:" 
@@ -12814,7 +12878,7 @@ msgstr "Static mappings aren't shown. To show all states, use ``show dhcp server msgid "Static routes are manually configured routes, which, in general, cannot be updated dynamically from information VyOS learns about the network topology from other routing protocols. However, if a link fails, the router will remove routes, including static routes, from the :abbr:`RIPB (Routing Information Base)` that used this interface to reach the next hop. In general, static routes should only be used for very simple network topologies, or to override the behavior of a dynamic routing protocol for a small number of routes. The collection of all routes the router has learned from its configuration or from its dynamic routing protocols is stored in the RIB. Unicast routes are directly used to determine the forwarding table used for unicast packet forwarding." msgstr "Static routes are manually configured routes, which, in general, cannot be updated dynamically from information VyOS learns about the network topology from other routing protocols. However, if a link fails, the router will remove routes, including static routes, from the :abbr:`RIPB (Routing Information Base)` that used this interface to reach the next hop. In general, static routes should only be used for very simple network topologies, or to override the behavior of a dynamic routing protocol for a small number of routes. The collection of all routes the router has learned from its configuration or from its dynamic routing protocols is stored in the RIB. Unicast routes are directly used to determine the forwarding table used for unicast packet forwarding." 
-#: ../../configuration/interfaces/openvpn.rst:185 +#: ../../configuration/interfaces/openvpn.rst:237 msgid "Static routes can be configured referencing the tunnel interface; for example, the local router will use a network of 10.0.0.0/16, while the remote has a network of 10.1.0.0/16:" msgstr "Static routes can be configured referencing the tunnel interface; for example, the local router will use a network of 10.0.0.0/16, while the remote has a network of 10.1.0.0/16:" @@ -12871,7 +12935,7 @@ msgstr "Supports as HELPER for configured grace period." msgid "Suppose the LEFT router has external address 192.0.2.10 on its eth0 interface, and the RIGHT router is 203.0.113.45" msgstr "Suppose the LEFT router has external address 192.0.2.10 on its eth0 interface, and the RIGHT router is 203.0.113.45" -#: ../../configuration/interfaces/openvpn.rst:286 +#: ../../configuration/interfaces/openvpn.rst:338 msgid "Suppose you want to use 10.23.1.0/24 network for client tunnel endpoints and all client subnets belong to 10.23.0.0/20. All clients need access to the 192.168.0.0/16 network." msgstr "Suppose you want to use 10.23.1.0/24 network for client tunnel endpoints and all client subnets belong to 10.23.0.0/20. All clients need access to the 192.168.0.0/16 network." 
@@ -13233,7 +13297,7 @@ msgstr "The ``http`` service is lestens on port 80 and force redirects from HTTP msgid "The ``https`` service listens on port 443 with backend `bk-default` to handle HTTPS traffic. It uses certificate named ``cert`` for SSL termination." msgstr "The ``https`` service listens on port 443 with backend `bk-default` to handle HTTPS traffic. It uses certificate named ``cert`` for SSL termination." -#: ../../configuration/interfaces/openvpn.rst:69 +#: ../../configuration/interfaces/openvpn.rst:66 msgid "The ``persistent-tunnel`` directive will allow us to configure tunnel-related attributes, such as firewall policy as we would on any normal network interface." msgstr "The ``persistent-tunnel`` directive will allow us to configure tunnel-related attributes, such as firewall policy as we would on any normal network interface." @@ -13342,7 +13406,7 @@ msgstr "The computers on an internal network can use any of the addresses set as msgid "The configuration will look as follows:" msgstr "The configuration will look as follows:" -#: ../../configuration/interfaces/openvpn.rst:201 +#: ../../configuration/interfaces/openvpn.rst:253 msgid "The configurations above will default to using 256-bit AES in GCM mode for encryption (if both sides support NCP) and SHA-1 for HMAC authentication. SHA-1 is considered weak, but other hashing algorithms are available, as are encryption algorithms:" msgstr "The configurations above will default to using 256-bit AES in GCM mode for encryption (if both sides support NCP) and SHA-1 for HMAC authentication. SHA-1 is considered weak, but other hashing algorithms are available, as are encryption algorithms:" 
@@ -13529,11 +13593,11 @@ msgstr "The following PPP configuration tests MSCHAP-v2:" msgid "The following command can be used to generate the OTP key as well as the CLI commands to configure them:" msgstr "The following command can be used to generate the OTP key as well as the CLI commands to configure them:" -#: ../../configuration/interfaces/openvpn.rst:656 +#: ../../configuration/interfaces/openvpn.rst:708 msgid "The following commands let you check tunnel status." msgstr "The following commands let you check tunnel status." -#: ../../configuration/interfaces/openvpn.rst:675 +#: ../../configuration/interfaces/openvpn.rst:727 msgid "The following commands let you reset OpenVPN." msgstr "The following commands let you reset OpenVPN." @@ -13700,7 +13764,7 @@ msgstr "The local IPv4 or IPv6 addresses to bind the DNS forwarder to. The forwa msgid "The local IPv4 or IPv6 addresses to use as a source address for sending queries. The forwarder will send forwarded outbound DNS requests from this address." msgstr "The local IPv4 or IPv6 addresses to use as a source address for sending queries. The forwarder will send forwarded outbound DNS requests from this address." -#: ../../configuration/interfaces/openvpn.rst:61 +#: ../../configuration/interfaces/openvpn.rst:62 msgid "The local site will have a subnet of 10.0.0.0/16." msgstr "The local site will have a subnet of 10.0.0.0/16." 
@@ -13764,7 +13828,7 @@ msgstr "The number of milliseconds to wait for a remote authoritative server to msgid "The number parameter (1-10) configures the amount of accepted occurences of the system AS number in AS path." msgstr "The number parameter (1-10) configures the amount of accepted occurences of the system AS number in AS path." -#: ../../configuration/interfaces/openvpn.rst:67 +#: ../../configuration/interfaces/openvpn.rst:64 msgid "The official port for OpenVPN is 1194, which we reserve for client VPN; we will use 1195 for site-to-site VPN." msgstr "The official port for OpenVPN is 1194, which we reserve for client VPN; we will use 1195 for site-to-site VPN." 
@@ -13806,6 +13870,10 @@ msgstr "The ping command is used to test whether a network host is reachable or msgid "The popular Unix/Linux ``dig`` tool sets the AD-bit in the query. This might lead to unexpected query results when testing. Set ``+noad`` on the ``dig`` command line when this is the case." msgstr "The popular Unix/Linux ``dig`` tool sets the AD-bit in the query. This might lead to unexpected query results when testing. Set ``+noad`` on the ``dig`` command line when this is the case." +#: ../../configuration/interfaces/openvpn.rst:50 +msgid "The pre-shared key mode is deprecated and will be removed from future OpenVPN versions, so VyOS will have to remove support for that option as well. The reason is that using pre-shared keys is significantly less secure than using TLS." +msgstr "The pre-shared key mode is deprecated and will be removed from future OpenVPN versions, so VyOS will have to remove support for that option as well. The reason is that using pre-shared keys is significantly less secure than using TLS." + #: ../../configuration/protocols/rpki.rst:49 msgid "The prefix and ASN that originated it match a signed ROA. These are probably trustworthy route announcements." msgstr "The prefix and ASN that originated it match a signed ROA. These are probably trustworthy route announcements." 
@@ -13854,11 +13922,11 @@ msgstr "The protocol overhead of L2TPv3 is also significantly bigger than MPLS." msgid "The proxy service in VyOS is based on Squid_ and some related modules." msgstr "The proxy service in VyOS is based on Squid_ and some related modules." -#: ../../configuration/interfaces/openvpn.rst:58 +#: ../../configuration/interfaces/openvpn.rst:59 msgid "The public IP address of the local side of the VPN will be 198.51.100.10." msgstr "The public IP address of the local side of the VPN will be 198.51.100.10." -#: ../../configuration/interfaces/openvpn.rst:59 +#: ../../configuration/interfaces/openvpn.rst:60 msgid "The public IP address of the remote side of the VPN will be 203.0.113.11." msgstr "The public IP address of the remote side of the VPN will be 203.0.113.11." @@ -13875,7 +13943,7 @@ msgstr "The regular expression matches if and only if the entire string matches msgid "The remote peer `to-wg02` uses XMrlPykaxhdAAiSjhtPlvi30NVkvLQliQuKP7AI7CyI= as its public key portion" msgstr "The remote peer `to-wg02` uses XMrlPykaxhdAAiSjhtPlvi30NVkvLQliQuKP7AI7CyI= as its public key portion" -#: ../../configuration/interfaces/openvpn.rst:62 +#: ../../configuration/interfaces/openvpn.rst:63 msgid "The remote site will have a subnet of 10.1.0.0/16." msgstr "The remote site will have a subnet of 10.1.0.0/16." @@ -13883,7 +13951,7 @@ msgstr "The remote site will have a subnet of 10.1.0.0/16." msgid "The remote user will use the openconnect client to connect to the router and will receive an IP address from a VPN pool, allowing full access to the network." msgstr "The remote user will use the openconnect client to connect to the router and will receive an IP address from a VPN pool, allowing full access to the network." -#: ../../configuration/interfaces/openvpn.rst:406 +#: ../../configuration/interfaces/openvpn.rst:458 msgid "The required config file may look like this:" msgstr "The required config file may look like this:" 
@@ -13988,7 +14056,7 @@ msgstr "The task scheduler allows you to execute tasks on a given schedule. It m msgid "The translation address must be set to one of the available addresses on the configured `outbound-interface` or it must be set to `masquerade` which will use the primary IP address of the `outbound-interface` as its translation address." msgstr "The translation address must be set to one of the available addresses on the configured `outbound-interface` or it must be set to `masquerade` which will use the primary IP address of the `outbound-interface` as its translation address." -#: ../../configuration/interfaces/openvpn.rst:60 +#: ../../configuration/interfaces/openvpn.rst:61 msgid "The tunnel will use 10.255.1.1 for the local IP and 10.255.1.2 for the remote." msgstr "The tunnel will use 10.255.1.1 for the local IP and 10.255.1.2 for the remote." 
@@ -14043,10 +14111,18 @@ msgstr "The wireless client (supplicant) authenticates against the RADIUS server msgid "Then a corresponding SNAT rule is created to NAT outgoing traffic for the internal IP to a reserved external IP. This dedicates an external IP address to an internal IP address and is useful for protocols which don't have the notion of ports, such as GRE." msgstr "Then a corresponding SNAT rule is created to NAT outgoing traffic for the internal IP to a reserved external IP. This dedicates an external IP address to an internal IP address and is useful for protocols which don't have the notion of ports, such as GRE." -#: ../../configuration/interfaces/openvpn.rst:307 +#: ../../configuration/interfaces/openvpn.rst:359 msgid "Then we need to generate, add and specify the names of the cryptographic materials. Each of the install command should be applied to the configuration and commited before using under the openvpn interface configuration." msgstr "Then we need to generate, add and specify the names of the cryptographic materials. Each of the install command should be applied to the configuration and commited before using under the openvpn interface configuration." +#: ../../configuration/interfaces/openvpn.rst:196 +msgid "Then you need to install the key on the remote router:" +msgstr "Then you need to install the key on the remote router:" + +#: ../../configuration/interfaces/openvpn.rst:202 +msgid "Then you need to set the key in your OpenVPN interface settings:" +msgstr "Then you need to set the key in your OpenVPN interface settings:" + #: ../../configuration/interfaces/openvpn.rst:24 msgid "There's a variety of client GUI frontends for any platform" msgstr "There's a variety of client GUI frontends for any platform" 
@@ -15266,16 +15342,16 @@ msgid "This command will generate a default-route in L2 database." msgstr "This command will generate a default-route in L2 database." #: ../../configuration/firewall/general.rst:1419 -#: ../../configuration/firewall/general-legacy.rst:901 +#: ../../configuration/firewall/general-legacy.rst:904 msgid "This command will give an overview of a rule in a single rule-set" msgstr "This command will give an overview of a rule in a single rule-set" -#: ../../configuration/firewall/general-legacy.rst:937 +#: ../../configuration/firewall/general-legacy.rst:940 msgid "This command will give an overview of a rule in a single rule-set." msgstr "This command will give an overview of a rule in a single rule-set." #: ../../configuration/firewall/general.rst:1397 -#: ../../configuration/firewall/general-legacy.rst:929 +#: ../../configuration/firewall/general-legacy.rst:932 msgid "This command will give an overview of a single rule-set." msgstr "This command will give an overview of a single rule-set." @@ -15403,7 +15479,7 @@ msgid "This feature summarises originated external LSAs (Type-5 and Type-7). Sum msgstr "This feature summarises originated external LSAs (Type-5 and Type-7). Summary Route will be originated on-behalf of all matched external LSAs." #: ../../configuration/firewall/general.rst:631 -#: ../../configuration/firewall/general-legacy.rst:430 +#: ../../configuration/firewall/general-legacy.rst:431 msgid "This functions for both individual addresses and address groups." msgstr "This functions for both individual addresses and address groups." 
@@ -15693,11 +15769,11 @@ msgstr "This set the default action of the rule-set if no rule matched a packet msgid "This set the default action of the rule-set if no rule matched a packet criteria. If defacult-action is set to ``jump``, then ``default-jump-target`` is also needed. Note that for base chains, default action can only be set to ``accept`` or ``drop``, while on custom chain, more actions are available." msgstr "This set the default action of the rule-set if no rule matched a packet criteria. If defacult-action is set to ``jump``, then ``default-jump-target`` is also needed. Note that for base chains, default action can only be set to ``accept`` or ``drop``, while on custom chain, more actions are available." -#: ../../configuration/interfaces/openvpn.rst:226 +#: ../../configuration/interfaces/openvpn.rst:278 msgid "This sets the accepted ciphers to use when version => 2.4.0 and NCP is enabled (which is the default). Default NCP cipher for versions >= 2.4.0 is aes256gcm. The first cipher in this list is what server pushes to clients." msgstr "This sets the accepted ciphers to use when version => 2.4.0 and NCP is enabled (which is the default). Default NCP cipher for versions >= 2.4.0 is aes256gcm. The first cipher in this list is what server pushes to clients." -#: ../../configuration/interfaces/openvpn.rst:208 +#: ../../configuration/interfaces/openvpn.rst:260 msgid "This sets the cipher when NCP (Negotiable Crypto Parameters) is disabled or OpenVPN version < 2.4.0." msgstr "This sets the cipher when NCP (Negotiable Crypto Parameters) is disabled or OpenVPN version < 2.4.0." 
@@ -15798,21 +15874,21 @@ msgid "This will render the following ddclient_ configuration entry:" msgstr "This will render the following ddclient_ configuration entry:" #: ../../configuration/firewall/general.rst:1276 -#: ../../configuration/firewall/general-legacy.rst:782 +#: ../../configuration/firewall/general-legacy.rst:785 msgid "This will show you a basic firewall overview" msgstr "This will show you a basic firewall overview" -#: ../../configuration/firewall/general-legacy.rst:933 +#: ../../configuration/firewall/general-legacy.rst:936 msgid "This will show you a rule-set statistic since the last boot." msgstr "This will show you a rule-set statistic since the last boot." #: ../../configuration/firewall/general.rst:1441 -#: ../../configuration/firewall/general-legacy.rst:897 +#: ../../configuration/firewall/general-legacy.rst:900 msgid "This will show you a statistic of all rule-sets since the last boot." msgstr "This will show you a statistic of all rule-sets since the last boot." #: ../../configuration/firewall/general.rst:1339 -#: ../../configuration/firewall/general-legacy.rst:848 +#: ../../configuration/firewall/general-legacy.rst:851 msgid "This will show you a summary of rule-sets and groups" msgstr "This will show you a summary of rule-sets and groups" @@ -15857,7 +15933,7 @@ msgid "Time is in minutes and defaults to 60." msgstr "Time is in minutes and defaults to 60." #: ../../configuration/firewall/general.rst:1216 -#: ../../configuration/firewall/general-legacy.rst:719 +#: ../../configuration/firewall/general-legacy.rst:722 #: ../../configuration/policy/route.rst:225 msgid "Time to match the defined rule." msgstr "Time to match the defined rule." 
@@ -15960,7 +16036,7 @@ msgstr "To create more than one tunnel, use distinct UDP ports." msgid "To create routing table 100 and add a new default gateway to be used by traffic matching our route policy:" msgstr "To create routing table 100 and add a new default gateway to be used by traffic matching our route policy:" -#: ../../configuration/firewall/zone.rst:51 +#: ../../configuration/firewall/zone.rst:61 msgid "To define a zone setup either one with interfaces or a local zone." msgstr "To define a zone setup either one with interfaces or a local zone." @@ -16134,7 +16210,7 @@ msgstr "Traffic Filters are used to control which packets will have the defined msgid "Traffic Policy" msgstr "Traffic Policy" -#: ../../configuration/firewall/zone.rst:27 +#: ../../configuration/firewall/zone.rst:37 msgid "Traffic cannot flow between zone member interface and any interface that is not a zone member." msgstr "Traffic cannot flow between zone member interface and any interface that is not a zone member." @@ -16158,7 +16234,6 @@ msgstr "Transition scripts can help you implement various fixups, such as starti msgid "Transparent Proxy" msgstr "Transparent Proxy" -#: ../../configuration/interfaces/openvpn.rst:649 #: ../../configuration/interfaces/tunnel.rst:227 msgid "Troubleshooting" msgstr "Troubleshooting" 
@@ -16256,6 +16331,10 @@ msgstr "Unit of this command is MB." msgid "Units" msgstr "Units" +#: ../../configuration/interfaces/openvpn.rst:171 +msgid "Until VyOS 1.4, the only option for site-to-site OpenVPN without PKI was to use pre-shared keys. That option is still available but it is deprecated and will be removed in the future. However, if you need to set up a tunnel to an older VyOS version or a system with older OpenVPN, you need to still need to know how to use it." +msgstr "Until VyOS 1.4, the only option for site-to-site OpenVPN without PKI was to use pre-shared keys. That option is still available but it is deprecated and will be removed in the future. However, if you need to set up a tunnel to an older VyOS version or a system with older OpenVPN, you need to still need to know how to use it." + #: ../../configuration/trafficpolicy/index.rst:705 msgid "Up to seven queues -defined as classes_ with different priorities- can be configured. Packets are placed into queues based on associated match criteria. Packets are transmitted from the queues in priority order. If classes with a higher priority are being filled with packets continuously, packets from lower priority classes will only be transmitted after traffic volume from higher priority classes decreases." msgstr "Up to seven queues -defined as classes_ with different priorities- can be configured. Packets are placed into queues based on associated match criteria. Packets are transmitted from the queues in priority order. If classes with a higher priority are being filled with packets continuously, packets from lower priority classes will only be transmitted after traffic volume from higher priority classes decreases." 
@@ -16269,7 +16348,7 @@ msgid "Update container image" msgstr "Update container image" #: ../../configuration/firewall/general.rst:1502 -#: ../../configuration/firewall/general-legacy.rst:1047 +#: ../../configuration/firewall/general-legacy.rst:1050 msgid "Update geoip database" msgstr "Update geoip database" 
@@ -16323,27 +16402,27 @@ msgid "Use a persistent LDAP connection. Normally the LDAP connection is only op msgstr "Use a persistent LDAP connection. Normally the LDAP connection is only open while validating a username to preserve resources at the LDAP server. This option causes the LDAP connection to be kept open, allowing it to be reused for further user validations." #: ../../configuration/firewall/general.rst:804 -#: ../../configuration/firewall/general-legacy.rst:528 +#: ../../configuration/firewall/general-legacy.rst:531 msgid "Use a specific address-group. Prepend character ``!`` for inverted matching criteria." msgstr "Use a specific address-group. Prepend character ``!`` for inverted matching criteria." #: ../../configuration/firewall/general.rst:879 -#: ../../configuration/firewall/general-legacy.rst:564 +#: ../../configuration/firewall/general-legacy.rst:567 msgid "Use a specific domain-group. Prepend character ``!`` for inverted matching criteria." msgstr "Use a specific domain-group. Prepend character ``!`` for inverted matching criteria." #: ../../configuration/firewall/general.rst:904 -#: ../../configuration/firewall/general-legacy.rst:576 +#: ../../configuration/firewall/general-legacy.rst:579 msgid "Use a specific mac-group. Prepend character ``!`` for inverted matching criteria." msgstr "Use a specific mac-group. Prepend character ``!`` for inverted matching criteria." #: ../../configuration/firewall/general.rst:829 -#: ../../configuration/firewall/general-legacy.rst:540 +#: ../../configuration/firewall/general-legacy.rst:543 msgid "Use a specific network-group. Prepend character ``!`` for inverted matching criteria." msgstr "Use a specific network-group. Prepend character ``!`` for inverted matching criteria." #: ../../configuration/firewall/general.rst:854 -#: ../../configuration/firewall/general-legacy.rst:552 +#: ../../configuration/firewall/general-legacy.rst:555 msgid "Use a specific port-group. 
Prepend character ``!`` for inverted matching criteria." msgstr "Use a specific port-group. Prepend character ``!`` for inverted matching criteria." @@ -16386,7 +16465,7 @@ msgstr "Use auth key file at ``/config/auth/my.key``" msgid "Use configured `` to determine your IP address. ddclient_ will load `` and tries to extract your IP address from the response." msgstr "Use configured `` to determine your IP address. ddclient_ will load `` and tries to extract your IP address from the response." -#: ../../configuration/firewall/general-legacy.rst:475 +#: ../../configuration/firewall/general-legacy.rst:478 msgid "Use inverse-match to match anything except the given country-codes." msgstr "Use inverse-match to match anything except the given country-codes." @@ -16478,15 +16557,15 @@ msgstr "Use this command to allow the selected interface to join a multicast gro msgid "Use this command to allow the selected interface to join a source-specific multicast group." msgstr "Use this command to allow the selected interface to join a source-specific multicast group." -#: ../../configuration/interfaces/openvpn.rst:660 +#: ../../configuration/interfaces/openvpn.rst:712 msgid "Use this command to check the tunnel status for OpenVPN client interfaces." msgstr "Use this command to check the tunnel status for OpenVPN client interfaces." -#: ../../configuration/interfaces/openvpn.rst:664 +#: ../../configuration/interfaces/openvpn.rst:716 msgid "Use this command to check the tunnel status for OpenVPN server interfaces." msgstr "Use this command to check the tunnel status for OpenVPN server interfaces." -#: ../../configuration/interfaces/openvpn.rst:668 +#: ../../configuration/interfaces/openvpn.rst:720 msgid "Use this command to check the tunnel status for OpenVPN site-to-site interfaces." msgstr "Use this command to check the tunnel status for OpenVPN site-to-site interfaces." 
@@ -16886,7 +16965,7 @@ msgstr "Use this command to enable the logging of the default action on custom c msgid "Use this command to flush the kernel IPv6 route cache. An address can be added to flush it only for that route." msgstr "Use this command to flush the kernel IPv6 route cache. An address can be added to flush it only for that route." -#: ../../configuration/firewall/general-legacy.rst:945 +#: ../../configuration/firewall/general-legacy.rst:948 msgid "Use this command to get an overview of a zone." msgstr "Use this command to get an overview of a zone." @@ -16931,11 +17010,11 @@ msgstr "Use this command to reset IPv6 Neighbor Discovery Protocol cache for an msgid "Use this command to reset an LDP neighbor/TCP session that is established" msgstr "Use this command to reset an LDP neighbor/TCP session that is established" -#: ../../configuration/interfaces/openvpn.rst:683 +#: ../../configuration/interfaces/openvpn.rst:735 msgid "Use this command to reset the OpenVPN process on a specific interface." msgstr "Use this command to reset the OpenVPN process on a specific interface." -#: ../../configuration/interfaces/openvpn.rst:679 +#: ../../configuration/interfaces/openvpn.rst:731 msgid "Use this command to reset the specified OpenVPN client." msgstr "Use this command to reset the specified OpenVPN client." 
@@ -17095,7 +17174,7 @@ msgstr "User-level messages" msgid "Using 'soft-reconfiguration' we get the policy update without bouncing the neighbor." msgstr "Using 'soft-reconfiguration' we get the policy update without bouncing the neighbor." -#: ../../configuration/interfaces/openvpn.rst:294 +#: ../../configuration/interfaces/openvpn.rst:346 msgid "Using **openvpn-option -reneg-sec** can be tricky. This option is used to renegotiate data channel after n seconds. When used at both server and client, the lower value will trigger the renegotiation. If you set it to 0 on one side of the connection (to disable it), the chosen value on the other side will determine when the renegotiation will occur." msgstr "Using **openvpn-option -reneg-sec** can be tricky. This option is used to renegotiate data channel after n seconds. When used at both server and client, the lower value will trigger the renegotiation. If you set it to 0 on one side of the connection (to disable it), the chosen value on the other side will determine when the renegotiation will occur." @@ -17184,19 +17263,23 @@ msgstr "VPN-clients will request configuration parameters, optionally you can DN msgid "VRF" msgstr "VRF" -#: ../../configuration/vrf/index.rst:373 +#: ../../configuration/vrf/index.rst:409 msgid "VRF Route Leaking" msgstr "VRF Route Leaking" -#: ../../configuration/vrf/index.rst:342 +#: ../../configuration/vrf/index.rst:283 +msgid "VRF and NAT" +msgstr "VRF and NAT" + +#: ../../configuration/vrf/index.rst:378 msgid "VRF blue routing table" msgstr "VRF blue routing table" -#: ../../configuration/vrf/index.rst:309 +#: ../../configuration/vrf/index.rst:345 msgid "VRF default routing table" msgstr "VRF default routing table" -#: ../../configuration/vrf/index.rst:325 +#: ../../configuration/vrf/index.rst:361 msgid "VRF red routing table" msgstr "VRF red routing table" 
@@ -17391,7 +17474,7 @@ msgstr "VyOS can also run in DMVPN spoke mode." msgid "VyOS can be configured to track connections using the connection tracking subsystem. Connection tracking becomes operational once either stateful firewall or NAT is configured." msgstr "VyOS can be configured to track connections using the connection tracking subsystem. Connection tracking becomes operational once either stateful firewall or NAT is configured." -#: ../../configuration/interfaces/openvpn.rst:521 +#: ../../configuration/interfaces/openvpn.rst:573 msgid "VyOS can not only act as an OpenVPN site-to-site or server for multiple clients. You can indeed also configure any VyOS OpenVPN interface as an OpenVPN client connecting to a VyOS OpenVPN server or any other OpenVPN server." msgstr "VyOS can not only act as an OpenVPN site-to-site or server for multiple clients. You can indeed also configure any VyOS OpenVPN interface as an OpenVPN client connecting to a VyOS OpenVPN server or any other OpenVPN server." @@ -17481,7 +17564,7 @@ msgstr "VyOS provides policies commands exclusively for BGP traffic filtering an msgid "VyOS provides policies commands exclusively for BGP traffic filtering and manipulation: **large-community-list** is one of them." msgstr "VyOS provides policies commands exclusively for BGP traffic filtering and manipulation: **large-community-list** is one of them." -#: ../../configuration/interfaces/openvpn.rst:651 +#: ../../configuration/interfaces/openvpn.rst:703 msgid "VyOS provides some operational commands on OpenVPN." msgstr "VyOS provides some operational commands on OpenVPN." 
@@ -17584,6 +17667,10 @@ msgstr "Warning" msgid "Warning conditions" msgstr "Warning conditions" +#: ../../configuration/interfaces/openvpn.rst:54 +msgid "We'll configure OpenVPN using self-signed certificates, and then discuss the legacy pre-shared key mode." +msgstr "We'll configure OpenVPN using self-signed certificates, and then discuss the legacy pre-shared key mode." + #: ../../configuration/nat/nat44.rst:760 msgid "We'll use the IKE and ESP groups created above for this VPN. Because we need access to 2 different subnets on the far side, we will need two different tunnels. If you changed the names of the ESP group and IKE group in the previous step, make sure you use the correct names here too." msgstr "We'll use the IKE and ESP groups created above for this VPN. Because we need access to 2 different subnets on the far side, we will need two different tunnels. If you changed the names of the ESP group and IKE group in the previous step, make sure you use the correct names here too." @@ -17608,7 +17695,7 @@ msgstr "We can build route-maps for import based on these states. Here is a simp msgid "We could expand on this and also deny link local and multicast in the rule 20 action deny." msgstr "We could expand on this and also deny link local and multicast in the rule 20 action deny." -#: ../../configuration/interfaces/openvpn.rst:581 +#: ../../configuration/interfaces/openvpn.rst:633 msgid "We do not have CLI nodes for every single OpenVPN option. If an option is missing, a feature request should be opened at Phabricator_ so all users can benefit from it (see :ref:`issues_features`)." msgstr "We do not have CLI nodes for every single OpenVPN option. If an option is missing, a feature request should be opened at Phabricator_ so all users can benefit from it (see :ref:`issues_features`)." 
@@ -17931,11 +18018,11 @@ msgstr "While normal GRE is for layer 3, GRETAP is for layer 2. GRETAP can encap msgid "Whitelist of addresses and networks. Always allow inbound connections from these systems." msgstr "Whitelist of addresses and networks. Always allow inbound connections from these systems." -#: ../../configuration/interfaces/openvpn.rst:590 +#: ../../configuration/interfaces/openvpn.rst:642 msgid "Will add ``persistent-key`` at the end of the generated OpenVPN configuration. Please use this only as last resort - things might break and OpenVPN won't start if you pass invalid options/syntax." msgstr "Will add ``persistent-key`` at the end of the generated OpenVPN configuration. Please use this only as last resort - things might break and OpenVPN won't start if you pass invalid options/syntax." -#: ../../configuration/interfaces/openvpn.rst:597 +#: ../../configuration/interfaces/openvpn.rst:649 msgid "Will add ``push \"keepalive 1 10\"`` to the generated OpenVPN config file." msgstr "Will add ``push \"keepalive 1 10\"`` to the generated OpenVPN config file." @@ -18024,7 +18111,7 @@ msgstr "With this command, you can specify how the URL path should be matched ag msgid "Y" msgstr "Y" -#: ../../configuration/firewall/zone.rst:89 +#: ../../configuration/firewall/zone.rst:99 msgid "You apply a rule-set always to a zone from an other zone, it is recommended to create one rule-set for each zone pair." msgstr "You apply a rule-set always to a zone from an other zone, it is recommended to create one rule-set for each zone pair." 
@@ -18142,7 +18229,7 @@ msgstr "You can specify a static DHCP assignment on a per host basis. You will n msgid "You can test the SNMPv3 functionality from any linux based system, just run the following command: ``snmpwalk -v 3 -u vyos -a SHA -A vyos12345678 -x AES -X vyos12345678 -l authPriv 192.0.2.1 .1``" msgstr "You can test the SNMPv3 functionality from any linux based system, just run the following command: ``snmpwalk -v 3 -u vyos -a SHA -A vyos12345678 -x AES -X vyos12345678 -l authPriv 192.0.2.1 .1``" -#: ../../configuration/firewall/general-legacy.rst:771 +#: ../../configuration/firewall/general-legacy.rst:774 msgid "You can use wildcard ``*`` to match a group of interfaces." msgstr "You can use wildcard ``*`` to match a group of interfaces." 
@@ -18158,6 +18245,10 @@ msgstr "You can view that the policy is being correctly (or incorrectly) utilise msgid "You cannot easily redistribute IPv6 routes via OSPFv3 on a WireGuard interface link. This requires you to configure link-local addresses manually on the WireGuard interfaces, see :vytask:`T1483`." msgstr "You cannot easily redistribute IPv6 routes via OSPFv3 on a WireGuard interface link. This requires you to configure link-local addresses manually on the WireGuard interfaces, see :vytask:`T1483`." +#: ../../configuration/interfaces/openvpn.rst:119 +msgid "You do **not** need to copy the certificate to the other router. Instead, you need to retrieve its SHA-256 fingerprint. OpenVPN only supports SHA-256 fingerprints at the moment, so you need to use the following command:" +msgstr "You do **not** need to copy the certificate to the other router. Instead, you need to retrieve its SHA-256 fingerprint. OpenVPN only supports SHA-256 fingerprints at the moment, so you need to use the following command:" + #: ../../configuration/system/flow-accounting.rst:135 msgid "You may also additionally configure timeouts for different types of connections." msgstr "You may also additionally configure timeouts for different types of connections." 
@@ -18170,7 +18261,7 @@ msgstr "You may prefer locally configured capabilities more than the negotiated msgid "You may want to disable sending Capability Negotiation OPEN message optional parameter to the peer when remote peer does not implement Capability Negotiation. Please use :cfgcmd:`disable-capability-negotiation` command to disable the feature." msgstr "You may want to disable sending Capability Negotiation OPEN message optional parameter to the peer when remote peer does not implement Capability Negotiation. Please use :cfgcmd:`disable-capability-negotiation` command to disable the feature." -#: ../../configuration/firewall/zone.rst:29 +#: ../../configuration/firewall/zone.rst:39 msgid "You need 2 separate firewalls to define traffic: one for each direction." msgstr "You need 2 separate firewalls to define traffic: one for each direction." @@ -18190,7 +18281,7 @@ msgstr "You now see the longer AS path." msgid "You should add a firewall to your configuration above as well by assigning it to the pppoe0 itself as shown here:" msgstr "You should add a firewall to your configuration above as well by assigning it to the pppoe0 itself as shown here:" -#: ../../configuration/interfaces/openvpn.rst:175 +#: ../../configuration/interfaces/openvpn.rst:227 #: ../../configuration/interfaces/wireguard.rst:225 msgid "You should also ensure that the OUTISDE_LOCAL firewall group is applied to the WAN interface and a direction (local)." msgstr "You should also ensure that the OUTISDE_LOCAL firewall group is applied to the WAN interface and a direction (local)." 
@@ -18215,7 +18306,7 @@ msgstr "Zebra/Kernel route filtering" msgid "Zebra supports prefix-lists and Route Mapss to match routes received from other FRR components. The permit/deny facilities provided by these commands can be used to filter which routes zebra will install in the kernel." msgstr "Zebra supports prefix-lists and Route Mapss to match routes received from other FRR components. The permit/deny facilities provided by these commands can be used to filter which routes zebra will install in the kernel." -#: ../../configuration/firewall/general-legacy.rst:941 +#: ../../configuration/firewall/general-legacy.rst:944 msgid "Zone-Policy Overview" msgstr "Zone-Policy Overview" 
@@ -18314,7 +18405,7 @@ msgstr ":abbr:`IPSec (IP Security)` - too many RFCs to list, but start with :rfc msgid ":abbr:`IS-IS (Intermediate System to Intermediate System)` is a link-state interior gateway protocol (IGP) which is described in ISO10589, :rfc:`1195`, :rfc:`5308`. IS-IS runs the Dijkstra shortest-path first (SPF) algorithm to create a database of the network’s topology, and from that database to determine the best (that is, lowest cost) path to a destination. The intermediate systems (the name for routers) exchange topology information with their directly conencted neighbors. IS-IS runs directly on the data link layer (Layer 2). IS-IS addresses are called :abbr:`NETs (Network Entity Titles)` and can be 8 to 20 bytes long, but are generally 10 bytes long. The tree database that is created with IS-IS is similar to the one that is created with OSPF in that the paths chosen should be similar. Comparisons to OSPF are inevitable and often are reasonable ones to make in regards to the way a network will respond with either IGP." msgstr ":abbr:`IS-IS (Intermediate System to Intermediate System)` is a link-state interior gateway protocol (IGP) which is described in ISO10589, :rfc:`1195`, :rfc:`5308`. IS-IS runs the Dijkstra shortest-path first (SPF) algorithm to create a database of the network’s topology, and from that database to determine the best (that is, lowest cost) path to a destination. The intermediate systems (the name for routers) exchange topology information with their directly conencted neighbors. IS-IS runs directly on the data link layer (Layer 2). IS-IS addresses are called :abbr:`NETs (Network Entity Titles)` and can be 8 to 20 bytes long, but are generally 10 bytes long. The tree database that is created with IS-IS is similar to the one that is created with OSPF in that the paths chosen should be similar. Comparisons to OSPF are inevitable and often are reasonable ones to make in regards to the way a network will respond with either IGP." 
-#: ../../configuration/vrf/index.rst:363 +#: ../../configuration/vrf/index.rst:399 msgid ":abbr:`L3VPN VRFs ( Layer 3 Virtual Private Networks )` bgpd supports for IPv4 RFC 4364 and IPv6 RFC 4659. L3VPN routes, and their associated VRF MPLS labels, can be distributed to VPN SAFI neighbors in the default, i.e., non VRF, BGP instance. VRF MPLS labels are reached using core MPLS labels which are distributed using LDP or BGP labeled unicast. bgpd also supports inter-VRF route leaking." msgstr ":abbr:`L3VPN VRFs ( Layer 3 Virtual Private Networks )` bgpd supports for IPv4 RFC 4364 and IPv6 RFC 4659. L3VPN routes, and their associated VRF MPLS labels, can be distributed to VPN SAFI neighbors in the default, i.e., non VRF, BGP instance. VRF MPLS labels are reached using core MPLS labels which are distributed using LDP or BGP labeled unicast. bgpd also supports inter-VRF route leaking." @@ -19096,7 +19187,7 @@ msgstr "``ikev2-reauth`` whether rekeying of an IKE_SA should also reauthenticat msgid "``ikev2`` use IKEv2 for Key Exchange;" msgstr "``ikev2`` use IKEv2 for Key Exchange;" -#: ../../configuration/firewall/general-legacy.rst:748 +#: ../../configuration/firewall/general-legacy.rst:751 msgid "``in``: Ruleset for forwarded packets on an inbound interface" msgstr "``in``: Ruleset for forwarded packets on an inbound interface" @@ -19184,7 +19275,7 @@ msgstr "``local-as`` - Well-known communities value NO_EXPOR msgid "``local-id`` - ID for the local VyOS router. If defined, during the authentication it will be send to remote peer;" msgstr "``local-id`` - ID for the local VyOS router. If defined, during the authentication it will be send to remote peer;" -#: ../../configuration/firewall/general-legacy.rst:750 +#: ../../configuration/firewall/general-legacy.rst:753 msgid "``local``: Ruleset for packets destined for this router" msgstr "``local``: Ruleset for packets destined for this router" 
@@ -19352,7 +19443,7 @@ msgstr "``ospf`` - Open Shortest Path First (OSPFv2)" msgid "``ospfv3`` - Open Shortest Path First (IPv6) (OSPFv3)" msgstr "``ospfv3`` - Open Shortest Path First (IPv6) (OSPFv3)" -#: ../../configuration/firewall/general-legacy.rst:749 +#: ../../configuration/firewall/general-legacy.rst:752 msgid "``out``: Ruleset for forwarded packets on an outbound interface" msgstr "``out``: Ruleset for forwarded packets on an outbound interface" @@ -19693,7 +19784,7 @@ msgstr "alert" msgid "all" msgstr "all" -#: ../../configuration/vrf/index.rst:390 +#: ../../configuration/vrf/index.rst:426 msgid "an RD / RTLIST" msgstr "an RD / RTLIST" @@ -19963,7 +20054,7 @@ msgstr "host: single host IP address to match." msgid "https://access.redhat.com/sites/default/files/attachments/201501-perf-brief-low-latency-tuning-rhel7-v2.1.pdf" msgstr "https://access.redhat.com/sites/default/files/attachments/201501-perf-brief-low-latency-tuning-rhel7-v2.1.pdf" -#: ../../configuration/interfaces/openvpn.rst:623 +#: ../../configuration/interfaces/openvpn.rst:675 msgid "https://community.openvpn.net/openvpn/wiki/DataChannelOffload/Features" msgstr "https://community.openvpn.net/openvpn/wiki/DataChannelOffload/Features" diff --git a/docs/_locale/de/contributing.pot b/docs/_locale/de/contributing.pot index cc517b6e..f9195a6f 100644 --- a/docs/_locale/de/contributing.pot +++ b/docs/_locale/de/contributing.pot @@ -80,8 +80,8 @@ msgstr "Eine einzelne, kurze Zusammenfassung des Commits (empfohlen 50 Zeichen o msgid "Abbreviations and acronyms **must** be capitalized." msgstr "Abkürzungen und Akronyme **müssen** groß geschrieben werden." -#: ../../contributing/build-vyos.rst:407 -#: ../../contributing/build-vyos.rst:643 +#: ../../contributing/build-vyos.rst:403 +#: ../../contributing/build-vyos.rst:591 msgid "Accel-PPP" msgstr "Accel-PPP" 
@@ -101,14 +101,13 @@ msgstr "Eine oder mehrere IP-Adressen hinzufügen" msgid "Address" msgstr "Adresse" -#: ../../contributing/build-vyos.rst:852 +#: ../../contributing/build-vyos.rst:800 msgid "After a minute or two you will find the generated DEB packages next to the vyos-1x source directory:" msgstr "Nach ein oder zwei Minuten finden Sie die generierten DEB-Pakete neben dem vyos-1x Quellverzeichnis:" -#: ../../contributing/build-vyos.rst:638 -#: ../../contributing/build-vyos.rst:679 -#: ../../contributing/build-vyos.rst:708 -#: ../../contributing/build-vyos.rst:743 +#: ../../contributing/build-vyos.rst:627 +#: ../../contributing/build-vyos.rst:656 +#: ../../contributing/build-vyos.rst:691 msgid "After compiling the packages you will find yourself the newly generated `*.deb` binaries in ``vyos-build/packages/linux-kernel`` from which you can copy them to the ``vyos-build/packages`` folder for inclusion during the ISO build." msgstr "Nach dem Kompilieren der Pakete finden Sie die neu erzeugten `*.deb`-Binärdateien in ``vyos-build/packages/linux-kernel``, von wo aus sie in den ``vyos-build/packages``-Ordner kopiert werden können, um sie während der ISO-Erstellung einzubinden." 
@@ -148,11 +147,11 @@ msgstr "Verwenden Sie immer die Option ``-x`` für den Befehl ``git cherry-pick` msgid "Another advantage is testability of the code. Mocking the entire config subsystem is hard, while constructing an internal representation by hand is way simpler." msgstr "Ein weiterer Vorteil ist die Testbarkeit des Codes. Das Mocking des gesamten Konfigurations-Subsystems ist schwierig, während die Konstruktion einer internen Darstellung von Hand viel einfacher ist." -#: ../../contributing/build-vyos.rst:754 +#: ../../contributing/build-vyos.rst:702 msgid "Any \"modified\" package may refer to an altered version of e.g. vyos-1x package that you would like to test before filing a pull request on GitHub." msgstr "Jedes \"modifizierte\" Paket kann sich auf eine geänderte Version von z.B. des vyos-1x Pakets beziehen, das Sie testen möchten, bevor Sie einen Pull Request auf GitHub stellen." -#: ../../contributing/build-vyos.rst:883 +#: ../../contributing/build-vyos.rst:831 msgid "Any packages in the packages directory will be added to the iso during build, replacing the upstream ones. Make sure you delete them (both the source directories and built deb packages) if you want to build an iso from purely upstream packages." msgstr "Alle Pakete im Paketverzeichnis werden während des Builds zur iso hinzugefügt und ersetzen die Upstream-Pakete. Stellen Sie sicher, dass Sie diese löschen (sowohl die Quellverzeichnisse als auch die erstellten deb-Pakete), wenn Sie eine Iso aus reinen Upstream-Paketen erstellen wollen." 
@@ -164,7 +163,7 @@ msgstr "Da Smoketests die Systemkonfiguration ändern und Sie aus der Ferne eing msgid "As the VyOS documentation is not only for users but also for the developers - and we keep no secret documentation - this section describes how the automated testing works." msgstr "Da die VyOS-Dokumentation nicht nur für die Benutzer, sondern auch für die Entwickler gedacht ist - und wir keine geheime Dokumentation führen - wird in diesem Abschnitt beschrieben, wie das automatische Testen funktioniert." -#: ../../contributing/build-vyos.rst:829 +#: ../../contributing/build-vyos.rst:777 msgid "Assume we want to build the vyos-1x package on our own and modify it to our needs. We first need to clone the repository from GitHub." msgstr "Nehmen wir an, wir wollen das vyos-1x Paket selbst erstellen und es an unsere Bedürfnisse anpassen. Zuerst müssen wir das Repository von GitHub klonen." @@ -216,7 +215,7 @@ msgstr "Startzeitpunkt" msgid "Bug Report/Issue" msgstr "Fehlerbericht/Ereignis" -#: ../../contributing/build-vyos.rst:837 +#: ../../contributing/build-vyos.rst:785 msgid "Build" msgstr "Erstellen" @@ -224,7 +223,7 @@ msgstr "Erstellen" msgid "Build Container" msgstr "Container bauen" -#: ../../contributing/build-vyos.rst:180 +#: ../../contributing/build-vyos.rst:182 msgid "Build ISO" msgstr "ISO erstellen" 
@@ -232,31 +231,31 @@ msgstr "ISO erstellen" msgid "Build VyOS" msgstr "VyOS erstellen" -#: ../../contributing/build-vyos.rst:83 +#: ../../contributing/build-vyos.rst:85 msgid "Build from source" msgstr "Aus dem Quellcode erstellen" -#: ../../contributing/build-vyos.rst:586 +#: ../../contributing/build-vyos.rst:582 msgid "Building Out-Of-Tree Modules" msgstr "Erstellen von Out-Of-Tree-Modulen" -#: ../../contributing/build-vyos.rst:439 +#: ../../contributing/build-vyos.rst:435 msgid "Building The Kernel" msgstr "Den Kernel bauen" -#: ../../contributing/build-vyos.rst:244 +#: ../../contributing/build-vyos.rst:246 msgid "Building VyOS on Windows WSL2 with Docker integrated into WSL2 will work like a charm. No problems are known so far!" msgstr "Die Erstellung von VyOS auf Windows WSL2 mit Docker, das in WSL2 integriert ist, funktioniert problemlos. Bislang sind keine Probleme bekannt!" -#: ../../contributing/build-vyos.rst:757 +#: ../../contributing/build-vyos.rst:705 msgid "Building an ISO with any customized package is in no way different than building a regular (customized or not) ISO image. Simply place your modified `*.deb` package inside the `packages` folder within `vyos-build`. The build process will then pickup your custom package and integrate it into your ISO." msgstr "Die Erstellung eines ISO-Images mit einem angepassten Paket unterscheidet sich in keiner Weise von der Erstellung eines regulären ISO-Images (angepasst oder nicht). Legen Sie einfach Ihr modifiziertes `*.deb`-Paket in den Ordner `packages` innerhalb von `vyos-build`. Der Build-Prozess wird dann Ihr angepasstes Paket aufnehmen und in Ihr ISO integrieren." -#: ../../contributing/build-vyos.rst:588 +#: ../../contributing/build-vyos.rst:584 msgid "Building the kernel is one part, but now you also need to build the required out-of-tree modules so everything is lined up and the ABIs match. 
To do so, you can again take a look at ``vyos-build/packages/linux-kernel/Jenkinsfile`` to see all of the required modules and their selected versions. We will show you how to build all the current required modules." msgstr "Den Kernel zu bauen ist ein Teil, aber jetzt müssen Sie auch die benötigten Out-of-Tree-Module bauen, damit alles zusammenpasst und die ABIs übereinstimmen. Um dies zu tun, können Sie wieder einen Blick auf ``vyos-build/packages/linux-kernel/Jenkinsfile`` werfen, um alle benötigten Module und ihre ausgewählten Versionen zu sehen. Wir werden Ihnen zeigen, wie Sie alle aktuell benötigten Module bauen können." -#: ../../contributing/build-vyos.rst:479 +#: ../../contributing/build-vyos.rst:475 msgid "Building the kernel will take some time depending on the speed and quantity of your CPU/cores and disk speed. Expect 20 minutes (or even longer) on lower end hardware." msgstr "Die Erstellung des Kernels wird einige Zeit in Anspruch nehmen, abhängig von der Geschwindigkeit und Anzahl Ihrer CPU/Kerne und der Festplattengeschwindigkeit. Rechnen Sie mit 20 Minuten (oder sogar länger) auf weniger leistungsfähiger Hardware." @@ -276,7 +275,7 @@ msgstr "C++ Backend-Code" msgid "Capitalization and punctuation" msgstr "Großschreibung und Zeichensetzung" -#: ../../contributing/build-vyos.rst:452 +#: ../../contributing/build-vyos.rst:448 msgid "Check out the required kernel version - see ``vyos-build/data/defaults.json`` file (example uses kernel 4.19.146):" msgstr "Überprüfen Sie die benötigte Kernelversion - siehe ``vyos-build/data/defaults.json`` Datei (das Beispiel verwendet Kernel 4.19.146):" 
@@ -284,7 +283,7 @@ msgstr "Überprüfen Sie die benötigte Kernelversion - siehe ``vyos-build/data/ msgid "Clone: ``git clone https://github.com//vyos-1x.git``" msgstr "Klonen: ``git clone https://github.com//vyos-1x.git``" -#: ../../contributing/build-vyos.rst:445 +#: ../../contributing/build-vyos.rst:441 msgid "Clone the kernel source to `vyos-build/packages/linux-kernel/`:" msgstr "Klonen Sie den Kernel-Quellcode nach `vyos-build/packages/linux-kernel/`:" @@ -324,7 +323,7 @@ msgstr "Ziehen Sie die documentation_ zu Rate, um sicherzustellen, dass Sie Ihr msgid "Continuous Integration" msgstr "Continuous Integration" -#: ../../contributing/build-vyos.rst:253 +#: ../../contributing/build-vyos.rst:255 msgid "Customize" msgstr "Anpassen" 
@@ -336,19 +335,19 @@ msgstr "DHCP-Client und DHCPv6-Präfix-Delegation" msgid "DMVPN patches are added by this commit: https://github.com/vyos/vyos-strongswan/commit/1cf12b0f2f921bfc51affa3b81226" msgstr "DMVPN-Patches werden durch diesen Commit hinzugefügt: https://github.com/vyos/vyos-strongswan/commit/1cf12b0f2f921bfc51affa3b81226" -#: ../../contributing/build-vyos.rst:765 +#: ../../contributing/build-vyos.rst:713 msgid "Debian APT is not very verbose when it comes to errors. If your ISO build breaks for whatever reason and you suspect it's a problem with APT dependencies or installation you can add this small patch which increases the APT verbosity during ISO build." msgstr "Debian APT ist nicht sehr ausführlich, wenn es um Fehler geht. Wenn Ihre ISO-Erstellung aus irgendeinem Grund fehlschlägt und Sie vermuten, dass es ein Problem mit APT-Abhängigkeiten oder der Installation ist, können Sie diesen kleinen Patch hinzufügen, der die Ausführlichkeit von APT während der ISO-Erstellung erhöht." -#: ../../contributing/build-vyos.rst:152 +#: ../../contributing/build-vyos.rst:154 msgid "Debian Bullseye for VyOS 1.4 (sagitta, current) - aka the rolling release" msgstr "Debian Bullseye für VyOS 1.4 (sagitta, current) - auch bekannt als rolling release" -#: ../../contributing/build-vyos.rst:151 +#: ../../contributing/build-vyos.rst:153 msgid "Debian Buster for VyOS 1.3 (equuleus)" msgstr "Debian Buster für VyOS 1.3 (equuleus)" -#: ../../contributing/build-vyos.rst:150 +#: ../../contributing/build-vyos.rst:152 msgid "Debian Jessie for VyOS 1.2 (crux)" msgstr "Debian Jessie für VyOS 1.2 (Kernstück)" 
@@ -404,7 +403,7 @@ msgstr "Während der Migration und des umfangreichen Umschreibens von Funktional msgid "Each module is build on demand if a new commit on the branch in question is found. After a successful run the resulting Debian Package(s) will be deployed to our Debian repository which is used during build time. It is located here: http://dev.packages.vyos.net/repositories/." msgstr "Jedes Modul wird bei Bedarf gebaut, wenn ein neuer Commit für den betreffenden Zweig gefunden wird. Nach einem erfolgreichen Lauf werden die resultierenden Debian-Pakete in unserem Debian-Repository bereitgestellt, das während der Build-Zeit verwendet wird. Es befindet sich hier: http://dev.packages.vyos.net/repositories/." -#: ../../contributing/build-vyos.rst:411 +#: ../../contributing/build-vyos.rst:407 msgid "Each of those modules holds a dependency on the kernel version and if you are lucky enough to receive an ISO build error which sounds like:" msgstr "Jedes dieser Module ist von der Kernel-Version abhängig, und wenn Sie das Glück haben, einen ISO-Build-Fehler zu erhalten, der sich wie folgt anhört:" @@ -454,12 +453,11 @@ msgstr "FRR" msgid "Feature Request" msgstr "Feature Anfrage" -#: ../../contributing/build-vyos.rst:564 +#: ../../contributing/build-vyos.rst:560 msgid "Firmware" msgstr "Firmware" -#: ../../contributing/build-vyos.rst:597 -#: ../../contributing/build-vyos.rst:645 +#: ../../contributing/build-vyos.rst:593 msgid "First, clone the source code and check out the appropriate version by running:" msgstr "Klonen Sie zunächst den Quellcode und auschecken Sie die entsprechende Version aus:" 
@@ -487,7 +485,7 @@ msgstr "Zum Beispiel kann ``/tmp/vyos.ifconfig.debug`` erstellt werden, um das D msgid "For example running, ``export VYOS_IFCONFIG_DEBUG=\"\"`` on your vbash, will have the same effect as ``touch /tmp/vyos.ifconfig.debug``." msgstr "Wenn Sie zum Beispiel ``export VYOS_IFCONFIG_DEBUG=\"\"`` in Ihrer vbash ausführen, hat das den gleichen Effekt wie ``touch /tmp/vyos.ifconfig.debug``." -#: ../../contributing/build-vyos.rst:168 +#: ../../contributing/build-vyos.rst:170 msgid "For the packages required, you can refer to the ``docker/Dockerfile`` file in the repository_. The ``./build-vyos-image`` script will also warn you if any dependencies are missing." msgstr "Die erforderlichen Pakete finden Sie in der Datei ``docker/Dockerfile`` im repository_. Das Skript ``./build-vyos-image`` wird Sie auch warnen, wenn irgendwelche Abhängigkeiten fehlen." @@ -536,7 +534,7 @@ msgstr "Gut: PPPoE, IPsec" msgid "Good: RADIUS (as in remote authentication for dial-in user services)" msgstr "Gut: RADIUS (as in remote authentication for dial-in user services)" -#: ../../contributing/build-vyos.rst:242 +#: ../../contributing/build-vyos.rst:244 msgid "Good luck!" msgstr "Viel Glück!" @@ -568,7 +566,7 @@ msgstr "Wie können wir diesen Fehler reproduzieren?" msgid "IP and IPv6 options" msgstr "IP- und IPv6-Optionen" -#: ../../contributing/build-vyos.rst:306 +#: ../../contributing/build-vyos.rst:308 msgid "ISO Build Issues" msgstr "ISO Build-Probleme" 
@@ -592,11 +590,11 @@ msgstr "Falls zutreffend, sollte ein Verweis auf einen vorhergehenden Commit gem msgid "If there is no Phabricator_ reference in the commits of your pull request, we have to ask you to amend the commit message. Otherwise we will have to reject it." msgstr "Wenn in den Commits Ihres Pull-Requests keine Phabricator_ Referenz vorhanden ist, müssen wir Sie bitten, die Commit-Nachricht zu ändern. Andernfalls müssen wir sie ablehnen." -#: ../../contributing/build-vyos.rst:751 +#: ../../contributing/build-vyos.rst:699 msgid "If you are brave enough to build yourself an ISO image containing any modified package from our GitHub organisation - this is the place to be." msgstr "Wenn Sie mutig genug sind, sich ein ISO-Image zu erstellen, das ein beliebiges modifiziertes Paket aus unserer GitHub-Organisation enthält, sind Sie hier genau richtig." -#: ../../contributing/build-vyos.rst:566 +#: ../../contributing/build-vyos.rst:562 msgid "If you upgrade your kernel or include new drivers you may need new firmware. Build a new ``vyos-linux-firmware`` package with the included helper scripts." msgstr "Wenn Sie Ihren Kernel aktualisieren oder neue Treiber einbinden, benötigen Sie möglicherweise eine neue Firmware. Erstellen Sie ein neues ``vyos-linux-firmware`` Paket mit den enthaltenen Hilfsskripten." 
@@ -624,7 +622,7 @@ msgstr "In order to retrieve the debug output on the command-line you need to di msgid "In some contexts, the first line is treated as the subject of an email and the rest of the text as the body. The blank line separating the summary from the body is critical (unless you omit the body entirely); tools like rebase can get confused if you run the two together." msgstr "In some contexts, the first line is treated as the subject of an email and the rest of the text as the body. The blank line separating the summary from the body is critical (unless you omit the body entirely); tools like rebase can get confused if you run the two together." -#: ../../contributing/build-vyos.rst:558 +#: ../../contributing/build-vyos.rst:554 msgid "In the end you will be presented with the kernel binary packages which you can then use in your custom ISO build process, by placing all the `*.deb` files in the vyos-build/packages folder where they will be used automatically when building VyOS as documented above." msgstr "In the end you will be presented with the kernel binary packages which you can then use in your custom ISO build process, by placing all the `*.deb` files in the vyos-build/packages folder where they will be used automatically when building VyOS as documented above." 
@@ -640,7 +638,7 @@ msgstr "Ausgabe einbeziehen" msgid "Insert the following statement right before the section where you want to investigate a problem (e.g. a statement you see in a backtrace): ``import pdb; pdb.set_trace()`` Optionally you can surrounded this statement by an ``if`` which only triggers under the condition you are interested in." msgstr "Insert the following statement right before the section where you want to investigate a problem (e.g. a statement you see in a backtrace): ``import pdb; pdb.set_trace()`` Optionally you can surrounded this statement by an ``if`` which only triggers under the condition you are interested in." -#: ../../contributing/build-vyos.rst:862 +#: ../../contributing/build-vyos.rst:810 msgid "Install" msgstr "Installieren" @@ -656,19 +654,19 @@ msgstr "Installing Docker_ and prerequisites:" msgid "Instead of supplying all those XML nodes multiple times there are now include files with predefined features. Brief overview:" msgstr "Instead of supplying all those XML nodes multiple times there are now include files with predefined features. Brief overview:" -#: ../../contributing/build-vyos.rst:684 +#: ../../contributing/build-vyos.rst:632 msgid "Intel NIC" msgstr "Intel NIC" -#: ../../contributing/build-vyos.rst:408 +#: ../../contributing/build-vyos.rst:404 msgid "Intel NIC drivers" msgstr "Intel NIC drivers" -#: ../../contributing/build-vyos.rst:713 +#: ../../contributing/build-vyos.rst:661 msgid "Intel QAT" msgstr "Intel QAT" -#: ../../contributing/build-vyos.rst:409 +#: ../../contributing/build-vyos.rst:405 msgid "Inter QAT" msgstr "Inter QAT" @@ -696,7 +694,7 @@ msgstr "It is also possible to set up the debugging using environment variables. msgid "Jenkins CI" msgstr "Jenkins CI" -#: ../../contributing/build-vyos.rst:868 +#: ../../contributing/build-vyos.rst:816 msgid "Just install using the following commands:" msgstr "Just install using the following commands:" 
@@ -712,7 +710,7 @@ msgstr "Keepalived normally isn't updated to newer feature releases between Debi msgid "Kernel" msgstr "Kernel" -#: ../../contributing/build-vyos.rst:839 +#: ../../contributing/build-vyos.rst:787 msgid "Launch Docker container and build package" msgstr "Launch Docker container and build package" @@ -736,7 +734,7 @@ msgstr "Like any other project we have some small guidelines about our source co msgid "Limits:" msgstr "Limits:" -#: ../../contributing/build-vyos.rst:388 +#: ../../contributing/build-vyos.rst:390 msgid "Linux Kernel" msgstr "Linux Kernel" @@ -772,7 +770,7 @@ msgstr "Migrating old CLI" msgid "Move default values to scripts" msgstr "Move default values to scripts" -#: ../../contributing/build-vyos.rst:145 +#: ../../contributing/build-vyos.rst:147 msgid "Native Build" msgstr "Native Build" 
@@ -809,23 +807,23 @@ msgstr "None" msgid "Notes" msgstr "Notes" -#: ../../contributing/build-vyos.rst:197 +#: ../../contributing/build-vyos.rst:199 msgid "Now a fresh build of the VyOS ISO can begin. Change directory to the ``vyos-build`` directory and run:" msgstr "Now a fresh build of the VyOS ISO can begin. Change directory to the ``vyos-build`` directory and run:" -#: ../../contributing/build-vyos.rst:182 +#: ../../contributing/build-vyos.rst:184 msgid "Now as you are aware of the prerequisites we can continue and build our own ISO from source. For this we have to fetch the latest source code from GitHub. Please note as this will differ for both `current` and `crux`." msgstr "Now as you are aware of the prerequisites we can continue and build our own ISO from source. For this we have to fetch the latest source code from GitHub. Please note as this will differ for both `current` and `crux`." -#: ../../contributing/build-vyos.rst:382 +#: ../../contributing/build-vyos.rst:384 msgid "Now it's time to fix the package mirror and rerun the last step until the package installation succeeds again!" msgstr "Now it's time to fix the package mirror and rerun the last step until the package installation succeeds again!" -#: ../../contributing/build-vyos.rst:473 +#: ../../contributing/build-vyos.rst:469 msgid "Now we can use the helper script ``build-kernel.sh`` which does all the necessary voodoo by applying required patches from the `vyos-build/packages/linux-kernel/patches` folder, copying our kernel configuration ``x86_64_vyos_defconfig`` to the right location, and finally building the Debian packages." msgstr "Now we can use the helper script ``build-kernel.sh`` which does all the necessary voodoo by applying required patches from the `vyos-build/packages/linux-kernel/patches` folder, copying our kernel configuration ``x86_64_vyos_defconfig`` to the right location, and finally building the Debian packages." 
-#: ../../contributing/build-vyos.rst:131 +#: ../../contributing/build-vyos.rst:133 msgid "Now you are prepared with two new aliases ``vybld`` and ``vybld_crux`` to spawn your development containers in your current working directory." msgstr "Now you are prepared with two new aliases ``vybld`` and ``vybld_crux`` to spawn your development containers in your current working directory." @@ -837,7 +835,7 @@ msgstr "Old concept/syntax" msgid "On the other hand - as each test is contain in its own file - one can always execute a single Smoketest by hand by simply running the Python test scripts." msgstr "On the other hand - as each test is contain in its own file - one can always execute a single Smoketest by hand by simply running the Python test scripts." -#: ../../contributing/build-vyos.rst:172 +#: ../../contributing/build-vyos.rst:174 msgid "Once you have the required dependencies installed, you may proceed with the steps described in :ref:`build_iso`." msgstr "Once you have the required dependencies installed, you may proceed with the steps described in :ref:`build_iso`." @@ -881,8 +879,8 @@ msgstr "Our op mode scripts use the python-vici module, which is not included in msgid "Our smoketests not only test daemons and serives, but also check if what we configure for an interface works. Thus there is a common base classed named: ``base_interfaces_test.py`` which holds all the common code that an interface supports and is tested." msgstr "Our smoketests not only test daemons and serives, but also check if what we configure for an interface works. Thus there is a common base classed named: ``base_interfaces_test.py`` which holds all the common code that an interface supports and is tested." -#: ../../contributing/build-vyos.rst:749 -#: ../../contributing/build-vyos.rst:818 +#: ../../contributing/build-vyos.rst:697 +#: ../../contributing/build-vyos.rst:766 msgid "Packages" msgstr "Packages" 
@@ -954,7 +952,7 @@ msgstr "Python 3 **shall** be used. How long can we keep Python 2 alive anyway? msgid "Python (or any other language, for that matter) does not provide automatic protection from bad design, so we need to also devise design guidelines and follow them to keep the system extensible and maintainable." msgstr "Python (or any other language, for that matter) does not provide automatic protection from bad design, so we need to also devise design guidelines and follow them to keep the system extensible and maintainable." -#: ../../contributing/build-vyos.rst:797 +#: ../../contributing/build-vyos.rst:745 msgid "QEMU" msgstr "QEMU" @@ -970,20 +968,20 @@ msgstr "Recent versions use the ``vyos.frr`` framework. The Python class is loca msgid "Report a Bug" msgstr "Report a Bug" -#: ../../contributing/build-vyos.rst:799 +#: ../../contributing/build-vyos.rst:747 msgid "Run the following command after building the ISO image." msgstr "Run the following command after building the ISO image." -#: ../../contributing/build-vyos.rst:808 +#: ../../contributing/build-vyos.rst:756 msgid "Run the following command after building the QEMU image." msgstr "Run the following command after building the QEMU image." -#: ../../contributing/build-vyos.rst:689 -#: ../../contributing/build-vyos.rst:718 +#: ../../contributing/build-vyos.rst:637 +#: ../../contributing/build-vyos.rst:666 msgid "Simply use our wrapper script to build all of the driver modules." msgstr "Simply use our wrapper script to build all of the driver modules." -#: ../../contributing/build-vyos.rst:100 +#: ../../contributing/build-vyos.rst:102 msgid "Since VyOS has switched to Debian (11) Bullseye in its ``current`` branch, you will require individual container for `current`, `equuleus` and `crux` builds." msgstr "Since VyOS has switched to Debian (11) Bullseye in its ``current`` branch, you will require individual container for `current`, `equuleus` and `crux` builds." 
@@ -999,7 +997,7 @@ msgstr "Smoketests executes predefined VyOS CLI commands and checks if the desir msgid "So if you plan to build your own custom ISO image and wan't to make use of our smoketests, ensure that you have the `vyos-1x-smoketest` package installed." msgstr "So if you plan to build your own custom ISO image and wan't to make use of our smoketests, ensure that you have the `vyos-1x-smoketest` package installed." -#: ../../contributing/build-vyos.rst:134 +#: ../../contributing/build-vyos.rst:136 msgid "Some VyOS packages (namely vyos-1x) come with build-time tests which verify some of the internal library calls that they work as expected. Those tests are carried out through the Python Unittest module. If you want to build the ``vyos-1x`` package (which is our main development package) you need to start your Docker container using the following argument: ``--sysctl net.ipv6.conf.lo.disable_ipv6=0``, otherwise those tests will fail." msgstr "Some VyOS packages (namely vyos-1x) come with build-time tests which verify some of the internal library calls that they work as expected. Those tests are carried out through the Python Unittest module. If you want to build the ``vyos-1x`` package (which is our main development package) you need to start your Docker container using the following argument: ``--sysctl net.ipv6.conf.lo.disable_ipv6=0``, otherwise those tests will fail." @@ -1015,7 +1013,7 @@ msgstr "Some of the configurations have preconditions which need to be met. Thos msgid "Sometimes it might be useful to debug Python code interactively on the live system rather than a IDE. This can be achieved using pdb." msgstr "Sometimes it might be useful to debug Python code interactively on the live system rather than a IDE. This can be achieved using pdb." -#: ../../contributing/build-vyos.rst:227 +#: ../../contributing/build-vyos.rst:229 msgid "Start the build:" msgstr "Start the build:" 
@@ -1059,15 +1057,15 @@ msgstr "Text generation" msgid "The CLI parser used in VyOS is a mix of bash, bash-completion helper and the C++ backend library [vyatta-cfg](https://github.com/vyos/vyatta-cfg). This section is a reference of common CLI commands and the respective entry point in the C/C++ code." msgstr "The CLI parser used in VyOS is a mix of bash, bash-completion helper and the C++ backend library [vyatta-cfg](https://github.com/vyos/vyatta-cfg). This section is a reference of common CLI commands and the respective entry point in the C/C++ code." -#: ../../contributing/build-vyos.rst:686 +#: ../../contributing/build-vyos.rst:634 msgid "The Intel NIC drivers do not come from a Git repository, instead we just fetch the tarballs from our mirror and compile them." msgstr "The Intel NIC drivers do not come from a Git repository, instead we just fetch the tarballs from our mirror and compile them." -#: ../../contributing/build-vyos.rst:714 +#: ../../contributing/build-vyos.rst:662 msgid "The Intel QAT (Quick Assist Technology) drivers do not come from a Git repository, instead we just fetch the tarballs from 01.org, Intel's open-source website." msgstr "The Intel QAT (Quick Assist Technology) drivers do not come from a Git repository, instead we just fetch the tarballs from 01.org, Intel's open-source website." -#: ../../contributing/build-vyos.rst:390 +#: ../../contributing/build-vyos.rst:392 msgid "The Linux kernel used by VyOS is heavily tied to the ISO build process. The file ``data/defaults.json`` hosts a JSON definition of the kernel version used ``kernel_version`` and the ``kernel_flavor`` of the kernel which represents the kernel's LOCAL_VERSION. Both together form the kernel version variable in the system:" msgstr "The Linux kernel used by VyOS is heavily tied to the ISO build process. 
The file ``data/defaults.json`` hosts a JSON definition of the kernel version used ``kernel_version`` and the ``kernel_flavor`` of the kernel which represents the kernel's LOCAL_VERSION. Both together form the kernel version variable in the system:" @@ -1111,7 +1109,7 @@ msgstr "The build process needs to be built on a local file system, building on msgid "The configurations are all derived from production systems and can not only act as a testcase but also as reference if one wants to enable a certain feature. The configurations can be found here: https://github.com/vyos/vyos-1x/tree/current/smoketest/configs" msgstr "The configurations are all derived from production systems and can not only act as a testcase but also as reference if one wants to enable a certain feature. The configurations can be found here: https://github.com/vyos/vyos-1x/tree/current/smoketest/configs" -#: ../../contributing/build-vyos.rst:85 +#: ../../contributing/build-vyos.rst:87 msgid "The container can also be built directly from source:" msgstr "The container can also be built directly from source:" @@ -1123,7 +1121,7 @@ msgstr "The container can be built by hand or by fetching the pre-built one from msgid "The default template processor for VyOS code is Jinja2_." msgstr "The default template processor for VyOS code is Jinja2_." -#: ../../contributing/build-vyos.rst:825 +#: ../../contributing/build-vyos.rst:773 msgid "The easiest way to compile your package is with the above mentioned :ref:`build_docker` container, it includes all required dependencies for all VyOS related packages." msgstr "The easiest way to compile your package is with the above mentioned :ref:`build_docker` container, it includes all required dependencies for all VyOS related packages." 
@@ -1151,11 +1149,11 @@ msgstr "The great thing about schemas is not only that people can know the compl msgid "The information is used in three ways:" msgstr "The information is used in three ways:" -#: ../../contributing/build-vyos.rst:441 +#: ../../contributing/build-vyos.rst:437 msgid "The kernel build is quite easy, most of the required steps can be found in the ``vyos-build/packages/linux-kernel/Jenkinsfile`` but we will walk you through it." msgstr "The kernel build is quite easy, most of the required steps can be found in the ``vyos-build/packages/linux-kernel/Jenkinsfile`` but we will walk you through it." -#: ../../contributing/build-vyos.rst:429 +#: ../../contributing/build-vyos.rst:425 msgid "The most obvious reasons could be:" msgstr "The most obvious reasons could be:" @@ -1207,7 +1205,7 @@ msgstr "The switch to the Python programming language for new code is not merely msgid "The system startup can be debugged (like loading in the configuration file from ``/config/config.boot``. This can be achieve by extending the Kernel command-line in the bootloader." msgstr "The system startup can be debugged (like loading in the configuration file from ``/config/config.boot``. This can be achieve by extending the Kernel command-line in the bootloader." -#: ../../contributing/build-vyos.rst:308 +#: ../../contributing/build-vyos.rst:310 msgid "There are (rare) situations where building an ISO image is not possible at all due to a broken package feed in the background. APT is not very good at reporting the root cause of the issue. Your ISO build will likely fail with a more or less similar looking error message:" msgstr "There are (rare) situations where building an ISO image is not possible at all due to a broken package feed in the background. APT is not very good at reporting the root cause of the issue. Your ISO build will likely fail with a more or less similar looking error message:" 
@@ -1223,7 +1221,7 @@ msgstr "There are extensions to e.g. VIM (xmllint) which will help you to get yo msgid "There are two flags available to aid in debugging configuration scripts. Since configuration loading issues will manifest during boot, the flags are passed as kernel boot parameters." msgstr "There are two flags available to aid in debugging configuration scripts. Since configuration loading issues will manifest during boot, the flags are passed as kernel boot parameters." -#: ../../contributing/build-vyos.rst:255 +#: ../../contributing/build-vyos.rst:257 msgid "This ISO can be customized with the following list of configure options. The full and current list can be generated with ``./build-vyos-image --help``:" msgstr "This ISO can be customized with the following list of configure options. The full and current list can be generated with ``./build-vyos-image --help``:" @@ -1251,7 +1249,7 @@ msgstr "This package doesn't exist in Debian. A debianized fork is kept at https msgid "This package doesn't exist in Debian. A debianized fork is kept at https://github.com/vyos/udp-broadcast-relay" msgstr "This package doesn't exist in Debian. A debianized fork is kept at https://github.com/vyos/udp-broadcast-relay" -#: ../../contributing/build-vyos.rst:576 +#: ../../contributing/build-vyos.rst:572 msgid "This tries to automatically detect which blobs are needed based on which drivers were built. If it fails to find the correct files you can add them manually to ``vyos-build/packages/linux-kernel/build-linux-firmware.sh``:" msgstr "This tries to automatically detect which blobs are needed based on which drivers were built. If it fails to find the correct files you can add them manually to ``vyos-build/packages/linux-kernel/build-linux-firmware.sh``:" 
@@ -1267,7 +1265,7 @@ msgstr "This will limit the `bond` interface test to only make use of `eth1` and msgid "Those common tests consists out of:" msgstr "Those common tests consists out of:" -#: ../../contributing/build-vyos.rst:105 +#: ../../contributing/build-vyos.rst:107 msgid "Tips and Tricks" msgstr "Tips and Tricks" @@ -1275,7 +1273,7 @@ msgstr "Tips and Tricks" msgid "To be able to use Docker_ without ``sudo``, the current non-root user must be added to the ``docker`` group by calling: ``sudo usermod -aG docker yourusername``." msgstr "To be able to use Docker_ without ``sudo``, the current non-root user must be added to the ``docker`` group by calling: ``sudo usermod -aG docker yourusername``." -#: ../../contributing/build-vyos.rst:147 +#: ../../contributing/build-vyos.rst:149 msgid "To build VyOS natively you require a properly configured build host with the following Debian versions installed:" msgstr "To build VyOS natively you require a properly configured build host with the following Debian versions installed:" 
@@ -1287,7 +1285,7 @@ msgstr "To build our modules we utilize a CI/CD Pipeline script. Each and every msgid "To debug issues in priorities or to see what's going on in the background you can use the ``/opt/vyatta/sbin/priority.pl`` script which lists to you the execution order of the scripts." msgstr "To debug issues in priorities or to see what's going on in the background you can use the ``/opt/vyatta/sbin/priority.pl`` script which lists to you the execution order of the scripts." -#: ../../contributing/build-vyos.rst:331 +#: ../../contributing/build-vyos.rst:333 msgid "To debug the build process and gain additional information of what could be the root cause, you need to use `chroot` to change into the build directry. This is explained in the following step by step procedure:" msgstr "To debug the build process and gain additional information of what could be the root cause, you need to use `chroot` to change into the build directry. This is explained in the following step by step procedure:" 
@@ -1311,15 +1309,15 @@ msgstr "To make this approach work, every change must be associated with a task msgid "To manually download the container from DockerHub, run:" msgstr "To manually download the container from DockerHub, run:" -#: ../../contributing/build-vyos.rst:154 +#: ../../contributing/build-vyos.rst:156 msgid "To start, clone the repository to your local machine:" msgstr "To start, clone the repository to your local machine:" -#: ../../contributing/build-vyos.rst:864 +#: ../../contributing/build-vyos.rst:812 msgid "To take your newly created package on a test drive you can simply SCP it to a running VyOS instance and install the new `*.deb` package over the current running one." msgstr "To take your newly created package on a test drive you can simply SCP it to a running VyOS instance and install the new `*.deb` package over the current running one." -#: ../../contributing/build-vyos.rst:763 +#: ../../contributing/build-vyos.rst:711 msgid "Troubleshooting" msgstr "Troubleshooting" @@ -1363,7 +1361,7 @@ msgstr "VIF (incl. VIF-S/VIF-C)" msgid "VLANs (QinQ and regular 802.1q)" msgstr "VLANs (QinQ and regular 802.1q)" -#: ../../contributing/build-vyos.rst:806 +#: ../../contributing/build-vyos.rst:754 msgid "VMware" msgstr "VMware" @@ -1375,7 +1373,7 @@ msgstr "Verbs, when they are necessary, **should** be in their infinitive form." msgid "Verbs **should** be avoided. If a verb can be omitted, omit it." msgstr "Verbs **should** be avoided. If a verb can be omitted, omit it." -#: ../../contributing/build-vyos.rst:794 +#: ../../contributing/build-vyos.rst:742 msgid "Virtualization Platforms" msgstr "Virtualization Platforms" 
@@ -1383,7 +1381,7 @@ msgstr "Virtualization Platforms"
 msgid "VyOS CLI is all about priorities. Every CLI node has a corresponding ``node.def`` file and possibly an attached script that is executed when the node is present. Nodes can have a priority, and on system bootup - or any other ``commit`` to the config all scripts are executed from lowest to higest priority. This is good as this gives a deterministic behavior."
 msgstr "VyOS CLI is all about priorities. Every CLI node has a corresponding ``node.def`` file and possibly an attached script that is executed when the node is present. Nodes can have a priority, and on system bootup - or any other ``commit`` to the config all scripts are executed from lowest to higest priority. This is good as this gives a deterministic behavior."
 
-#: ../../contributing/build-vyos.rst:820
+#: ../../contributing/build-vyos.rst:768
 msgid "VyOS itself comes with a bunch of packages that are specific to our system and thus cannot be found in any Debian mirror. Those packages can be found at the `VyOS GitHub project`_ in their source format can easily be compiled into a custom Debian (`*.deb`) package."
 msgstr "VyOS itself comes with a bunch of packages that are specific to our system and thus cannot be found in any Debian mirror. Those packages can be found at the `VyOS GitHub project`_ in their source format can easily be compiled into a custom Debian (`*.deb`) package."
 
@@ -1391,8 +1389,7 @@ msgstr "VyOS itself comes with a bunch of packages that are specific to our syst
 msgid "VyOS makes use of Jenkins_ as our Continuous Integration (CI) service. Our `VyOS CI`_ server is publicly accessible here: https://ci.vyos.net. You can get a brief overview of all required components shipped in a VyOS ISO."
 msgstr "VyOS makes use of Jenkins_ as our Continuous Integration (CI) service. Our `VyOS CI`_ server is publicly accessible here: https://ci.vyos.net. You can get a brief overview of all required components shipped in a VyOS ISO."
 
-#: ../../contributing/build-vyos.rst:606
-#: ../../contributing/build-vyos.rst:652
+#: ../../contributing/build-vyos.rst:600
 msgid "We again make use of a helper script and some patches to make the build work. Just run the following command:"
 msgstr "We again make use of a helper script and some patches to make the build work. Just run the following command:"
 
@@ -1400,11 +1397,11 @@ msgstr "We again make use of a helper script and some patches to make the build
 msgid "We differentiate in two independent tests, which are both run in parallel by two separate QEmu instances which are launched via ``make test`` and ``make testc`` from within the vyos-build_ repository."
 msgstr "We differentiate in two independent tests, which are both run in parallel by two separate QEmu instances which are launched via ``make test`` and ``make testc`` from within the vyos-build_ repository."
 
-#: ../../contributing/build-vyos.rst:347
+#: ../../contributing/build-vyos.rst:349
 msgid "We now are free to run any command we would like to use for debugging, e.g. re-installing the failed package after updating the repository."
 msgstr "We now are free to run any command we would like to use for debugging, e.g. re-installing the failed package after updating the repository."
 
-#: ../../contributing/build-vyos.rst:339
+#: ../../contributing/build-vyos.rst:341
 msgid "We now need to mount some required, volatile filesystems"
 msgstr "We now need to mount some required, volatile filesystems"
 
@@ -1440,7 +1437,7 @@ msgstr "When having trouble compiling your own ISO image or debugging Jenkins is
 msgid "When modifying the source code, remember these rules of the legacy elimination campaign:"
 msgstr "When modifying the source code, remember these rules of the legacy elimination campaign:"
 
-#: ../../contributing/build-vyos.rst:239
+#: ../../contributing/build-vyos.rst:241
 msgid "When the build is successful, the resulting iso can be found inside the ``build`` directory as ``live-image-[architecture].hybrid.iso``."
 msgstr "When the build is successful, the resulting iso can be found inside the ``build`` directory as ``live-image-[architecture].hybrid.iso``."
 
@@ -1493,11 +1490,11 @@ msgstr "XML interface definition files use the `xml.in` file extension which was
 msgid "XML interface definitions for VyOS come with a RelaxNG schema and are located in the vyos-1x_ module. This schema is a slightly modified schema from VyConf_ alias VyOS 2.0 So VyOS 1.2.x interface definitions will be reusable in Nextgen VyOS Versions with very minimal changes."
 msgstr "XML interface definitions for VyOS come with a RelaxNG schema and are located in the vyos-1x_ module. This schema is a slightly modified schema from VyConf_ alias VyOS 2.0 So VyOS 1.2.x interface definitions will be reusable in Nextgen VyOS Versions with very minimal changes."
 
-#: ../../contributing/build-vyos.rst:879
+#: ../../contributing/build-vyos.rst:827
 msgid "You can also place the generated `*.deb` into your ISO build environment to include it in a custom iso, see :ref:`build_custom_packages` for more information."
 msgstr "You can also place the generated `*.deb` into your ISO build environment to include it in a custom iso, see :ref:`build_custom_packages` for more information."
 
-#: ../../contributing/build-vyos.rst:107
+#: ../../contributing/build-vyos.rst:109
 msgid "You can create yourself some handy Bash aliases to always launch the latest - per release train (`current` or `crux`) - container. Add the following to your ``.bash_aliases`` file:"
 msgstr "You can create yourself some handy Bash aliases to always launch the latest - per release train (`current` or `crux`) - container. Add the following to your ``.bash_aliases`` file:"
 
@@ -1509,6 +1506,10 @@ msgstr "You can type ``help`` to get an overview of the available commands, and
 msgid "You have an idea of how to make VyOS better or you are in need of a specific feature which all users of VyOS would benefit from? To send a feature request please search Phabricator_ if there is already a request pending. You can enhance it or if you don't find one, create a new one by use the quick link in the left side under the specific project."
 msgstr "You have an idea of how to make VyOS better or you are in need of a specific feature which all users of VyOS would benefit from? To send a feature request please search Phabricator_ if there is already a request pending. You can enhance it or if you don't find one, create a new one by use the quick link in the left side under the specific project."
 
+#: ../../contributing/build-vyos.rst:430
+msgid "You have your own custom kernel `*.deb` packages in the `packages` folder but neglected to create all required out-of tree modules like Accel-PPP, Intel QAT or Intel NIC drivers"
+msgstr "You have your own custom kernel `*.deb` packages in the `packages` folder but neglected to create all required out-of tree modules like Accel-PPP, Intel QAT or Intel NIC drivers"
+
 #: ../../contributing/build-vyos.rst:434
 msgid "You have your own custom kernel `*.deb` packages in the `packages` folder but neglected to create all required out-of tree modules like Accel-PPP, WireGuard, Intel QAT, Intel NIC"
 msgstr "You have your own custom kernel `*.deb` packages in the `packages` folder but neglected to create all required out-of tree modules like Accel-PPP, WireGuard, Intel QAT, Intel NIC"
@@ -1581,7 +1582,7 @@ msgstr "``log`` - In some rare cases, it may be useful to see what the OS is doi
 msgid "``set``"
 msgstr "``set``"
 
-#: ../../contributing/build-vyos.rst:431
+#: ../../contributing/build-vyos.rst:427
 msgid "``vyos-build`` repo is outdated, please ``git pull`` to update to the latest release kernel version from us."
 msgstr "``vyos-build`` repo is outdated, please ``git pull`` to update to the latest release kernel version from us."
 
-- 
cgit v1.2.3