From 8f3c52096c017b96c988c2275e0cbd67c70cc84d Mon Sep 17 00:00:00 2001 From: goodNETnick Date: Fri, 26 Nov 2021 11:26:57 +1000 Subject: IKE group parameters --- docs/configuration/vpn/ipsec.rst | 82 ++++++++++++++++++++++++++++++++++++++++ 1 file changed, 82 insertions(+) (limited to 'docs/configuration') diff --git a/docs/configuration/vpn/ipsec.rst b/docs/configuration/vpn/ipsec.rst index 50814b6e..29dc5a0e 100644 --- a/docs/configuration/vpn/ipsec.rst +++ b/docs/configuration/vpn/ipsec.rst 
@@ -29,6 +29,88 @@ for the cipher and hash. Adjust this as necessary. .. NOTE:: VMware users should ensure that a VMXNET3 adapter is used. E1000 adapters have known issues with GRE processing. +************************************** +IKE (Internet Key Exchange) Attributes +************************************** +IKE performs mutual authentication between two parties and establishes +an IKE security association (SA) that includes shared secret information +that can be used to efficiently establish SAs for Encapsulating Security +Payload (ESP) or Authentication Header (AH) and a set of cryptographic +algorithms to be used by the SAs to protect the traffic that they carry. +https://datatracker.ietf.org/doc/html/rfc5996 + +In VyOS, IKE attributes are specified through IKE groups. +Multiple proposals can be specified in a single group. + +VyOS IKE group has the next options: + +* ``close-action`` defines the action to take if the remote peer unexpectedly + closes a CHILD_SA: + + * ``none`` set action to none (default); + + * ``hold`` set action to hold; + + * ``clear`` set action to clear; + + * ``restart`` set action to restart; + +* ``dead-peer-detection`` controls the use of the Dead Peer Detection protocol + (DPD, RFC 3706) where R_U_THERE notification messages (IKEv1) or empty + INFORMATIONAL messages (IKEv2) are periodically sent in order to check the + liveliness of the IPsec peer: + + * ``action`` keep-alive failure action: + + * ``hold`` set action to hold (default) + + * ``clear`` set action to clear; + + * ``restart`` set action to restart; + + * ``interval`` keep-alive interval in seconds <2-86400> (default 30); + + * ``timeout`` keep-alive timeout in seconds <2-86400> (default 120) IKEv1 only + +* ``ikev2-reauth`` whether rekeying of an IKE_SA should also reauthenticate + the peer. 
In IKEv1, reauthentication is always done: + + * ``yes`` enable remote host re-authentication during an IKE rekey; + + * ``no`` disable remote host re-authenticaton during an IKE rekey; + +* ``key-exchange`` which protocol should be used to initialize the connection + If not set both protocols are handled and connections will use IKEv2 when + initiating, but accept any protocol version when responding: + + * ``ikev1`` use IKEv1 for Key Exchange; + + * ``ikev2`` use IKEv2 for Key Exchange; + +* ``lifetime`` IKE lifetime in seconds <30-86400> (default 28800); + +* ``mobike`` enable MOBIKE Support. MOBIKE is only available for IKEv2: + + * ``enable`` enable MOBIKE (default for IKEv2); + + * ``disable`` disable MOBIKE; + +* ``mode`` IKEv1 Phase 1 Mode Selection: + + * ``main`` use Main mode for Key Exchanges in the IKEv1 Protocol + (Recommended Default); + + * ``aggressive`` use Aggressive mode for Key Exchanges in the IKEv1 protocol + aggressive mode is much more insecure compared to Main mode; + +* ``proposal`` the list of proposals and their parameters: + + * ``dh-group`` dh-group; + + * ``encryption`` encryption algorithm; + + * ``hash`` hash algorithm. + ************************* IPsec policy matching GRE ************************* -- cgit v1.2.3 From 8ff3e99af120d69084c4b682790d6f7a315b28e8 Mon Sep 17 00:00:00 2001 From: Christian Poessinger Date: Sat, 27 Nov 2021 19:46:51 +0100 Subject: ospfv3: rename intname -> interface on CLI examples --- docs/configuration/protocols/ospf.rst | 28 ++++++++++++++-------------- 1 file changed, 14 insertions(+), 14 deletions(-) (limited to 'docs/configuration') diff --git a/docs/configuration/protocols/ospf.rst b/docs/configuration/protocols/ospf.rst index ccddcd92..8c858ce1 100644 --- a/docs/configuration/protocols/ospf.rst +++ b/docs/configuration/protocols/ospf.rst 
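Review bot: in the ipsec.rst hunk of commit 8f3c5209 (IKE group parameters) the ``proposal`` sub-items document nothing: `* ``dh-group`` dh-group;` and `* ``encryption`` encryption algorithm;` only echo the option name, so a reader still cannot tell which Diffie-Hellman groups, ciphers or hash algorithms VyOS accepts; list the supported values or point to where they are listed. In the same hunk `re-authenticaton` should read `re-authentication`, `VyOS IKE group has the next options` should be `has the following options`, the ``key-exchange`` sentence needs a period before `If not set`, and the ``timeout`` item needs a separator before `IKEv1 only`. The bare link to RFC 5996 is stale: that document was obsoleted by RFC 7296, which is the one to cite. For the ``aggressive`` item the run-on `protocol aggressive mode is much more insecure` needs a full stop, and the warning is more useful if it says why: IKEv1 aggressive mode sends the identities and the pre-shared-key-based authentication hash before the exchange is encrypted, so it should be kept for peers that cannot do main mode.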
@@ -37,12 +37,12 @@ starts when the first ospf enabled interface is configured. This command is also used to enable the OSPF process. The area number can be specified in decimal notation in the range from 0 to 4294967295. Or it can be specified in dotted decimal notation similar to ip address. - + Prefix length in interface must be equal or bigger (i.e. smaller network) than prefix length in network statement. For example statement above doesn't enable ospf on interface with address 192.168.1.1/23, but it does on interface with address 192.168.1.129/25. - + In some cases it may be more convenient to enable OSPF on a per interface/subnet basis :cfgcmd:`set protocols ospf interface area ` @@ -549,12 +549,12 @@ Operational Mode Commands This command displays the neighbors information in a detailed form for a neighbor whose IP address is specified. -.. opcmd:: show ip ospf neighbor +.. opcmd:: show ip ospf neighbor This command displays the neighbors status for a neighbor on the specified interface. -.. opcmd:: show ip ospf interface [] +.. opcmd:: show ip ospf interface [] This command displays state and configuration of OSPF the specified interface, or all interfaces if no interface is given. 
@@ -826,20 +826,20 @@ Area Configuration Interface Configuration ----------------------- -.. cfgcmd:: set protocols ospfv3 interface ipv6 cost +.. cfgcmd:: set protocols ospfv3 interface ipv6 cost This command sets link cost for the specified interface. The cost value is set to router-LSA’s metric field and used for SPF calculation. The cost range is 1 to 65535. -.. cfgcmd:: set protocols ospfv3 interface dead-interval +.. cfgcmd:: set protocols ospfv3 interface dead-interval Set number of seconds for router Dead Interval timer value used for Wait Timer and Inactivity Timer. This value must be the same for all routers attached to a common network. The default value is 40 seconds. The interval range is 1 to 65535. -.. cfgcmd:: set protocols ospfv3 interface hello-interval +.. cfgcmd:: set protocols ospfv3 interface hello-interval Set number of seconds for Hello Interval timer value. Setting this value, @@ -848,14 +848,14 @@ Interface Configuration common network. The default value is 10 seconds. The interval range is 1 to 65535. -.. cfgcmd:: set protocols ospfv3 interface mtu-ignore +.. cfgcmd:: set protocols ospfv3 interface mtu-ignore This command disables check of the MTU value in the OSPF DBD packets. Thus, use of this command allows the OSPF adjacency to reach the FULL state even though there is an interface MTU mismatch between two OSPF routers. -.. cfgcmd:: set protocols ospfv3 interface network +.. cfgcmd:: set protocols ospfv3 interface network This command allows to specify the distribution type for the network connected to this interface: 
@@ -863,20 +863,20 @@ Interface Configuration **broadcast** – broadcast IP addresses distribution. **point-to-point** – address distribution in point-to-point networks. -.. cfgcmd:: set protocols ospfv3 interface priority +.. cfgcmd:: set protocols ospfv3 interface priority This command sets Router Priority integer value. The router with the highest priority will be more eligible to become Designated Router. Setting the value to 0, makes the router ineligible to become Designated Router. The default value is 1. The interval range is 0 to 255. -.. cfgcmd:: set protocols ospfv3 interface passive +.. cfgcmd:: set protocols ospfv3 interface passive This command specifies interface as passive. Passive interface advertises its address, but does not run the OSPF protocol (adjacencies are not formed and hello packets are not generated). -.. cfgcmd:: set protocols ospfv3 interface retransmit-interval +.. cfgcmd:: set protocols ospfv3 interface retransmit-interval This command sets number of seconds for RxmtInterval timer value. This @@ -884,7 +884,7 @@ Interface Configuration Request packets if acknowledge was not received. The default value is 5 seconds. The interval range is 3 to 65535. -.. cfgcmd:: set protocols ospfv3 interface transmit-delay +.. cfgcmd:: set protocols ospfv3 interface transmit-delay This command sets number of seconds for InfTransDelay value. It allows to @@ -927,7 +927,7 @@ Operational Mode Commands This command displays the neighbor DR choice information. -.. opcmd:: show ipv6 ospfv3 interface [prefix]|[ [prefix]] +.. opcmd:: show ipv6 ospfv3 interface [prefix]|[ [prefix]] This command displays state and configuration of OSPF the specified interface, or all interfaces if no interface is given. Whith the argument -- cgit v1.2.3 From 244eced690fb641bba72097ede510fe8e0a81c46 Mon Sep 17 00:00:00 2001 
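Review bot: the first ospf.rst hunk of commit 8ff3e99a (@@ -37,12 +37,12 @@) only strips trailing whitespace from two blank lines and has nothing to do with the intname -> interface rename in the subject; carrying it along is fine, but the message should say so. While this block is being touched, the context `For example statement above doesn't enable ospf on interface with address 192.168.1.1/23` is missing its article and comma (`For example, the statement above does not enable OSPF on an interface with address ...`).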
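Review bot: the @@ -549,12 +549,12 @@ hunk renames the placeholder in `show ip ospf neighbor` and `show ip ospf interface []`, which are OSPFv2 operational commands, so the subject `ospfv3: rename intname -> interface` understates the scope; state in the message that the OSPFv2 examples are renamed as well. The context line `This command displays state and configuration of OSPF the specified interface` is missing a word and should read `of OSPF for the specified interface`.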
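Review bot: in the @@ -863,20 +863,20 @@ hunk the description under the renamed `priority` command ends with `The interval range is 0 to 255.`, but a router priority is not an interval; `The valid range is 0 to 255.` is accurate, and the stray comma in `Setting the value to 0, makes the router ineligible` should go. Both lines are adjacent context to the changed line, so they can be fixed in the same commit.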
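Review bot: in the @@ -927,7 +927,7 @@ hunk the context directly below the changed opcmd line has the typo `Whith the argument` (`With the argument`) and the same `configuration of OSPF the specified interface` wording flagged in the OSPFv2 section; since the opcmd line is already being rewritten, fix both here rather than in a separate commit.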
From: Christian Poessinger Date: Sat, 27 Nov 2021 19:47:22 +0100 Subject: ospf: T3753: document new CLI for passive mode --- docs/configuration/protocols/ospf.rst | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) (limited to 'docs/configuration') diff --git a/docs/configuration/protocols/ospf.rst b/docs/configuration/protocols/ospf.rst index 8c858ce1..3e4b0217 100644 --- a/docs/configuration/protocols/ospf.rst +++ b/docs/configuration/protocols/ospf.rst @@ -145,12 +145,16 @@ Optional This command should NOT be set normally. -.. cfgcmd:: set protocols ospf passive-interface +.. cfgcmd:: set protocols ospf interface passive [disable] This command specifies interface as passive. Passive interface advertises its address, but does not run the OSPF protocol (adjacencies are not formed and hello packets are not generated). + The optional `disable` option allows to exclude interface from passive state. + This command is used if the command :cfgcmd:`passive-interface default` was + configured. + .. cfgcmd:: set protocols ospf passive-interface default This command specifies all interfaces as passive by default. Because this @@ -158,11 +162,6 @@ Optional interfaces where router adjacencies are expected need to be configured with the :cfgcmd:`passive-interface-exclude` command. -.. cfgcmd:: set protocols ospf passive-interface-exclude - - This command allows exclude interface from passive state. This command is - used if the command :cfgcmd:`passive-interface default` was configured. - .. cfgcmd:: set protocols ospf refresh timers The router automatically updates link-state information with its neighbors. -- cgit v1.2.3 From 9328b4c35eb54b8dda033fbb5a766924f98ee98e Mon Sep 17 00:00:00 2001 From: Christian Poessinger Date: Sun, 28 Nov 2021 10:04:35 +0100 Subject: ospfv3: add vrf support --- docs/configuration/protocols/ospf.rst | 2 ++ docs/configuration/vrf/index.rst | 2 ++ 2 files changed, 4 insertions(+) (limited to 'docs/configuration') 
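Review bot: in the @@ -145,12 +145,16 @@ hunk of commit 244eced6 the new sentence `The optional `disable` option allows to exclude interface from passive state.` uses single backticks, which reStructuredText renders as interpreted text rather than as a literal; use the double-backtick ``disable`` form used elsewhere in these docs, and reword to `allows excluding the interface from the passive state`. The sentence after it is also clearer as `This is needed when :cfgcmd:`passive-interface default` is configured and the interface should still form adjacencies.`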
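Review bot: the @@ -158,11 +162,6 @@ hunk removes `set protocols ospf passive-interface-exclude`, yet the unchanged context two lines above the removal still tells the reader that interfaces `need to be configured with the :cfgcmd:`passive-interface-exclude` command`; that cross-reference now points at a command this commit deletes and should be updated to the new `set protocols ospf interface passive disable` form introduced in the previous hunk.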
diff --git a/docs/configuration/protocols/ospf.rst b/docs/configuration/protocols/ospf.rst index 3e4b0217..bb67653e 100644 --- a/docs/configuration/protocols/ospf.rst +++ b/docs/configuration/protocols/ospf.rst @@ -753,6 +753,8 @@ address and the node 1 sending the default route: set policy route-map CONNECT rule 10 match interface lo +.. _routing-ospfv3: + ************* OSPFv3 (IPv6) ************* diff --git a/docs/configuration/vrf/index.rst b/docs/configuration/vrf/index.rst index 05904209..90d99c56 100644 --- a/docs/configuration/vrf/index.rst +++ b/docs/configuration/vrf/index.rst @@ -62,6 +62,7 @@ Currently dynamic routing is supported for the following protocols: - :ref:`routing-bgp` - :ref:`routing-isis` - :ref:`routing-ospf` +- :ref:`routing-ospfv3` - :ref:`routing-static` The CLI configuration is same as mentioned in above articles. The only @@ -77,6 +78,7 @@ routing protocol inside a given vrf: - :ref:`routing-bgp`: ``set vrf name protocols bgp ...`` - :ref:`routing-isis`: ``set vrf name protocols isis ...`` - :ref:`routing-ospf`: ``set vrf name protocols ospf ...`` +- :ref:`routing-ospfv3`: ``set vrf name protocols ospfv3 ...`` - :ref:`routing-static`: ``set vrf name protocols static ...`` Operation -- cgit v1.2.3 From 57818f5b4bac8802f8789cc141e94b9c07726855 Mon Sep 17 00:00:00 2001 From: Eshenko Dmitriy Date: Mon, 29 Nov 2021 14:50:49 +0300 Subject: tftp: Add VRF support --- docs/configuration/service/tftp-server.rst | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'docs/configuration') diff --git a/docs/configuration/service/tftp-server.rst b/docs/configuration/service/tftp-server.rst index 11011144..b794e703 100644 --- a/docs/configuration/service/tftp-server.rst +++ b/docs/configuration/service/tftp-server.rst 
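Review bot: in the ospf.rst hunk of commit 9328b4c3 (@@ -753,6 +753,8 @@) the new `.. _routing-ospfv3:` target is added directly after the literal example line `set policy route-map CONNECT rule 10 match interface lo`; make sure the label is dedented to column 0 with a blank line before and after it, otherwise Sphinx treats it as part of the preceding literal block and the two `:ref:`routing-ospfv3`` links added in vrf/index.rst will not resolve. A `make html` run with warnings enabled would confirm this before merging.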
@@ -28,6 +28,10 @@ Configure the IPv4 or IPv6 listen address of the TFTP server. Multiple IPv4 and IPv6 addresses can be given. There will be one TFTP server instances listening on each IP address. +.. cfgcmd:: set service tftp-server listen-address
vrf + +Additional option to run TFTP server in the :abbr:`VRF (Virtual Routing and Forwarding)` context + .. note:: Configuring a listen-address is essential for the service to work. .. cfgcmd:: set service tftp-server allow-upload -- cgit v1.2.3 From dd7f4793eac57ab64577578162d41fc2d53163a8 Mon Sep 17 00:00:00 2001 From: Eshenko Dmitriy Date: Mon, 29 Nov 2021 14:58:55 +0300 Subject: Create tftp-server.rst --- docs/configuration/service/tftp-server.rst | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'docs/configuration') diff --git a/docs/configuration/service/tftp-server.rst b/docs/configuration/service/tftp-server.rst index b794e703..ff0a93cf 100644 --- a/docs/configuration/service/tftp-server.rst +++ b/docs/configuration/service/tftp-server.rst @@ -30,7 +30,8 @@ on each IP address. .. cfgcmd:: set service tftp-server listen-address
vrf -Additional option to run TFTP server in the :abbr:`VRF (Virtual Routing and Forwarding)` context +Additional option to run TFTP server in the :abbr:`VRF (Virtual Routing and +Forwarding)` context .. note:: Configuring a listen-address is essential for the service to work. -- cgit v1.2.3 From 2b09e1b76d483c843699acdf199870e66f3a818b Mon Sep 17 00:00:00 2001 From: Eshenko Dmitriy Date: Mon, 29 Nov 2021 15:37:28 +0300 Subject: Update tftp-server.rst --- docs/configuration/service/tftp-server.rst | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) (limited to 'docs/configuration') diff --git a/docs/configuration/service/tftp-server.rst b/docs/configuration/service/tftp-server.rst index ff0a93cf..0ca75efe 100644 --- a/docs/configuration/service/tftp-server.rst +++ b/docs/configuration/service/tftp-server.rst @@ -30,8 +30,11 @@ on each IP address. .. cfgcmd:: set service tftp-server listen-address
vrf -Additional option to run TFTP server in the :abbr:`VRF (Virtual Routing and -Forwarding)` context +.. stop_vyoslinter + +Additional option to run TFTP server in the :abbr:`VRF (Virtual Routing and Forwarding)` context + +.. start_vyoslinter .. note:: Configuring a listen-address is essential for the service to work. -- cgit v1.2.3
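Review bot: in the tftp-server.rst hunk of commit 57818f5b (@@ -28,6 +28,10 @@) the new `set service tftp-server listen-address ... vrf` command is inserted between the listen-address description and the `.. note:: Configuring a listen-address is essential for the service to work.` that belongs to it, so the note now reads as if it applied to the vrf option; place the new cfgcmd after that note. The description `Additional option to run TFTP server in the :abbr:`VRF (Virtual Routing and Forwarding)` context` also lacks a final period and is far longer than the surrounding lines, which is what the two follow-up commits then rewrap and finally exempt from the linter.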
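Review bot: commit dd7f4793 wraps the `:abbr:` role text between `Virtual Routing and` and `Forwarding)`, which is exactly what the next commit has to undo; wrapping before the role so it stays on one line would have avoided the round trip. The subject `Create tftp-server.rst` is also misleading, since the file already exists and the change is a line wrap (`tftp: wrap long VRF description line` describes it).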
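Review bot: commit 2b09e1b7 surrounds a single prose line with `.. stop_vyoslinter` / `.. start_vyoslinter` purely to keep it over-long, and linter exemptions tend to accumulate once one is in the file. Rewrapping so the role sits alone on the second line needs no exemption at all: `Additional option to run TFTP server in the` followed by `:abbr:`VRF (Virtual Routing and Forwarding)` context.`, which also adds the missing period. As with the previous commit, the subject `Update tftp-server.rst` should say what changed.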