From 4d7e44d3e7a80d028a12785ccaed4d78ab7636bd Mon Sep 17 00:00:00 2001 From: srividya0208 Date: Thu, 26 Oct 2023 02:00:19 -0400 Subject: Added config example of vpn ipsec site-to-site --- docs/configuration/vpn/ipsec.rst | 4 ++-- docs/configuration/vpn/site2site_ipsec.rst | 4 ++++ 2 files changed, 6 insertions(+), 2 deletions(-) (limited to 'docs/configuration/vpn') diff --git a/docs/configuration/vpn/ipsec.rst b/docs/configuration/vpn/ipsec.rst index c91feea0..ece06fa2 100644 --- a/docs/configuration/vpn/ipsec.rst +++ b/docs/configuration/vpn/ipsec.rst @@ -161,11 +161,11 @@ Options (Global IPsec settings) Attributes * ``disable-route-autoinstall`` Do not automatically install routes to remote networks; - * ``flexvpn`` Allow FlexVPN vendor ID payload (IKEv2 only). Send the Cisco FlexVPN vendor ID payload (IKEv2 only), which is required in order to make Cisco brand devices allow negotiating a local traffic selector (from strongSwan's point of view) that is not the assigned virtual IP address if such an address is requested by strongSwan. Sending the Cisco FlexVPN vendor ID prevents the peer from narrowing the initiator's local traffic selector and allows it to e.g. negotiate a TS of 0.0.0.0/0 == 0.0.0.0/0 instead. This has been tested with a "tunnel mode ipsec ipv4" Cisco template but should also work for GRE encapsulation; + * ``flexvpn`` Allows FlexVPN vendor ID payload (IKEv2 only). Send the Cisco FlexVPN vendor ID payload (IKEv2 only), which is required in order to make Cisco brand devices allow negotiating a local traffic selector (from strongSwan's point of view) that is not the assigned virtual IP address if such an address is requested by strongSwan. Sending the Cisco FlexVPN vendor ID prevents the peer from narrowing the initiator's local traffic selector and allows it to e.g. negotiate a TS of 0.0.0.0/0 == 0.0.0.0/0 instead. This has been tested with a "tunnel mode ipsec ipv4" Cisco template but should also work for GRE encapsulation; * ``interface`` Interface Name to use. The name of the interface on which virtual IP addresses should be installed. If not specified the addresses will be installed on the outbound interface; - * ``virtual-ip`` Allow install virtual-ip addresses. Comma separated list of virtual IPs to request in IKEv2 configuration payloads or IKEv1 Mode Config. The wildcard addresses 0.0.0.0 and :: request an arbitrary address, specific addresses may be defined. The responder may return a different address, though, or none at all. + * ``virtual-ip`` Allows to install virtual-ip addresses. Comma separated list of virtual IPs to request in IKEv2 configuration payloads or IKEv1 Mode Config. The wildcard addresses 0.0.0.0 and :: request an arbitrary address, specific addresses may be defined. The responder may return a different address, though, or none at all. Define the ``virtual-address`` option to configure the IP address in site-to-site hierarchy. ************************* IPsec policy matching GRE diff --git a/docs/configuration/vpn/site2site_ipsec.rst b/docs/configuration/vpn/site2site_ipsec.rst index e89d25c6..5f8e5263 100644 --- a/docs/configuration/vpn/site2site_ipsec.rst +++ b/docs/configuration/vpn/site2site_ipsec.rst @@ -149,6 +149,10 @@ Each site-to-site peer has the next options: * ``esp-group`` - define ESP group for encrypt traffic, passed this VTI interface. +* ``virtual-address`` - Defines a virtual IP address which is requested by the + initiator and one or several IPv4 and/or IPv6 addresses are assigned from + multiple pools by the responder. + Examples: ------------------ -- cgit v1.2.3