From ae6a2ba810a19d81cbad5b0da29e791a7b5e411f Mon Sep 17 00:00:00 2001 From: srividya0208 Date: Wed, 30 Jun 2021 06:17:12 -0400 Subject: configuration page: corrected spelling and grammatical mistakes There were minimal grammatical and spelling mistakes in the files which I corrected as documentation proofreading. Also added information about a few IPsec VPN parameters. --- docs/configuration/protocols/bgp.rst | 10 +++--- docs/configuration/system/console.rst | 2 +- docs/configuration/system/host-name.rst | 2 +- docs/configuration/system/syslog.rst | 6 ++-- docs/configuration/vpn/l2tp.rst | 4 +-- docs/configuration/vpn/site2site_ipsec.rst | 54 ++++++++++++++++++++++++++---- 6 files changed, 59 insertions(+), 19 deletions(-) diff --git a/docs/configuration/protocols/bgp.rst b/docs/configuration/protocols/bgp.rst index 25ec3038..d6baa0b9 100644 --- a/docs/configuration/protocols/bgp.rst +++ b/docs/configuration/protocols/bgp.rst @@ -190,7 +190,7 @@ Defining Peers This command creates a new neighbor whose remote-as is . The neighbor address can be an IPv4 address or an IPv6 address or an interface to use - for the connection. The command it applicable for peer and peer group. + for the connection. The command is applicable for peer and peer group. .. cfgcmd:: set protocols bgp neighbor remote-as internal @@ -809,7 +809,7 @@ For outbound updates the order of preference is: .. cfgcmd:: set protocols bgp neighbor address-family distribute-list - This command applys the access list filters named in to the + This command applies the access list filters named in to the specified BGP neighbor to restrict the routing information that BGP learns and/or advertises. The arguments :cfgcmd:`export` and :cfgcmd:`import` specify the direction in which the access list are applied. 
@@ -817,7 +817,7 @@ For outbound updates the order of preference is: .. cfgcmd:: set protocols bgp neighbor address-family prefix-list - This command applys the prfefix list filters named in to the + This command applies the prfefix list filters named in to the specified BGP neighbor to restrict the routing information that BGP learns and/or advertises. The arguments :cfgcmd:`export` and :cfgcmd:`import` specify the direction in which the prefix list are applied. @@ -825,7 +825,7 @@ For outbound updates the order of preference is: .. cfgcmd:: set protocols bgp neighbor address-family route-map - This command applys the route map named in to the specified BGP + This command applies the route map named in to the specified BGP neighbor to control and modify routing information that is exchanged between peers. The arguments :cfgcmd:`export` and :cfgcmd:`import` specify the direction in which the route map are applied. @@ -833,7 +833,7 @@ For outbound updates the order of preference is: .. cfgcmd:: set protocols bgp neighbor address-family filter-list - This command applys the AS path access list filters named in to the + This command applies the AS path access list filters named in to the specified BGP neighbor to restrict the routing information that BGP learns and/or advertises. The arguments :cfgcmd:`export` and :cfgcmd:`import` specify the direction in which the AS path access list are applied. diff --git a/docs/configuration/system/console.rst b/docs/configuration/system/console.rst index 4890da92..1f917e54 100644 --- a/docs/configuration/system/console.rst +++ b/docs/configuration/system/console.rst @@ -43,4 +43,4 @@ Major upgrades to the installed distribution may also require console access. control. This means you should start with a common baud rate (most likely 9600 baud) as otherwise you probably can not connect to the device using high speed baud rates as your serial converter simply can not process this - datarate. + data rate. 
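Review bot: the prefix-list hunk (@@ -817 in docs/configuration/protocols/bgp.rst) fixes "applys" but leaves "prfefix" in the same + line; since this commit is a spelling pass, change "prfefix" to "prefix" there as well. The closing clause of this and the three neighbouring hunks ("the access list are applied", "the prefix list are applied", "the route map are applied", "the AS path access list are applied") also has a number-agreement problem; "is applied" (or "lists are applied") would read correctly.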
diff --git a/docs/configuration/system/host-name.rst b/docs/configuration/system/host-name.rst index 30efe01e..79fae851 100644 --- a/docs/configuration/system/host-name.rst +++ b/docs/configuration/system/host-name.rst @@ -22,7 +22,7 @@ the command line prompt. .. cfgcmd:: set system host-name - Set system hostname. The hostname can be up to 63 characters. A hostname + The hostname can be up to 63 characters. A hostname must start and end with a letter or digit, and have as interior characters only letters, digits, or a hyphen. diff --git a/docs/configuration/system/syslog.rst b/docs/configuration/system/syslog.rst index 9ba9d415..ab427d99 100644 --- a/docs/configuration/system/syslog.rst +++ b/docs/configuration/system/syslog.rst @@ -33,7 +33,7 @@ Custom File .. cfgcmd:: set system syslog file facility level - Log syslog messages to file specified via ``, for en explanation on + Log syslog messages to file specified via ``, for an explanation on :ref:`syslog_facilities` keywords and :ref:`syslog_severity_level` keywords see tables below. @@ -62,7 +62,7 @@ sending the messages via port 514/UDP. .. cfgcmd:: set system syslog host
facility level Log syslog messages to remote host specified by `
`. The address - can be specified by either FQDN or IP address. For en explanation on + can be specified by either FQDN or IP address. For an explanation on :ref:`syslog_facilities` keywords and :ref:`syslog_severity_level` keywords see tables below. @@ -81,7 +81,7 @@ Local User Account If logging to a local user account is configured, all defined log messages are display on the console if the local user is logged in, if the user is not - logged in, no messages are being displayed. For en explanation on + logged in, no messages are being displayed. For an explanation on :ref:`syslog_facilities` keywords and :ref:`syslog_severity_level` keywords see tables below. diff --git a/docs/configuration/vpn/l2tp.rst b/docs/configuration/vpn/l2tp.rst index bbe2b881..411b7b5e 100644 --- a/docs/configuration/vpn/l2tp.rst +++ b/docs/configuration/vpn/l2tp.rst @@ -160,7 +160,7 @@ servers can be setup and will be used subsequentially. RADIUS source address ^^^^^^^^^^^^^^^^^^^^^ -If you are using OSPF as IGP always the closets interface connected to the +If you are using OSPF as IGP, always the closest interface connected to the RADIUS server is used. With VyOS 1.2 you can bind all outgoing RADIUS requests to a single source IP e.g. the loopback interface. @@ -172,7 +172,7 @@ Above command will use `10.0.0.3` as source IPv4 address for all RADIUS queries on this NAS. .. note:: The ``source-address`` must be configured on one of VyOS interface. - Best proctice would be a loopback or dummy interface. + Best practice would be a loopback or dummy interface. RADIUS bandwidth shaping attribute ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ diff --git a/docs/configuration/vpn/site2site_ipsec.rst b/docs/configuration/vpn/site2site_ipsec.rst index e81c5c3b..aace98aa 100644 --- a/docs/configuration/vpn/site2site_ipsec.rst +++ b/docs/configuration/vpn/site2site_ipsec.rst 
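Review bot: the host-name hunk (docs/configuration/system/host-name.rst) deletes the leading sentence "Set system hostname." from the cfgcmd description, so the directive no longer says what the command does before listing the constraints. Keep a one-line purpose statement, e.g. "Set the system hostname. The hostname can be up to 63 characters. A hostname", rather than dropping it.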
@@ -264,9 +264,15 @@ rules. (if you used the default configuration at the top of this page) IKEv2 ^^^^^ +Example: + +* left local_ip: 192.168.0.10 # VPN Gateway, behind NAT device +* left public_ip:172.18.201.10 +* right local_ip: 172.18.202.10 # right side WAN IP + Imagine the following topology -.. figure:: /_static/images/vpn_s2s_ikev2.png +.. figure:: /_static/images/vpn_s2s_ikev2_c.png :scale: 50 % :alt: IPSec IKEv2 site2site VPN @@ -289,9 +295,6 @@ Imagine the following topology set vpn ipsec esp-group ESP_DEFAULT pfs 'dh-group19' set vpn ipsec esp-group ESP_DEFAULT proposal 10 encryption 'aes256gcm128' set vpn ipsec esp-group ESP_DEFAULT proposal 10 hash 'sha256' - set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection action 'hold' - set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection interval '30' - set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection timeout '120' set vpn ipsec ike-group IKEv2_DEFAULT ikev2-reauth 'no' set vpn ipsec ike-group IKEv2_DEFAULT key-exchange 'ikev2' set vpn ipsec ike-group IKEv2_DEFAULT lifetime '10800' @@ -304,10 +307,10 @@ Imagine the following topology set vpn ipsec site-to-site peer 172.18.202.10 authentication mode 'pre-shared-secret' set vpn ipsec site-to-site peer 172.18.202.10 authentication pre-shared-secret 'secretkey' set vpn ipsec site-to-site peer 172.18.202.10 authentication remote-id '172.18.202.10' - set vpn ipsec site-to-site peer 172.18.202.10 connection-type 'initiate' + set vpn ipsec site-to-site peer 172.18.202.10 connection-type 'respond' set vpn ipsec site-to-site peer 172.18.202.10 ike-group 'IKEv2_DEFAULT' set vpn ipsec site-to-site peer 172.18.202.10 ikev2-reauth 'inherit' - set vpn ipsec site-to-site peer 172.18.202.10 local-address '172.18.201.10' + set vpn ipsec site-to-site peer 172.18.202.10 local-address '192.168.0.10' set vpn ipsec site-to-site peer 172.18.202.10 vti bind 'vti10' set vpn ipsec site-to-site peer 172.18.202.10 vti esp-group 'ESP_DEFAULT' 
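Review bot: in the new "Example:" list (@@ -264 in docs/configuration/vpn/site2site_ipsec.rst) the inline `# VPN Gateway, behind NAT device` and `# right side WAN IP` remarks will render literally inside the bullets in reStructuredText, `public_ip:172.18.201.10` is missing a space after the colon, and the labels are inconsistent (left has local_ip and public_ip, right has only local_ip while the remark calls it the WAN IP). Plain bullets such as "left local address: 192.168.0.10 (VPN gateway behind a NAT device)", "left public address: 172.18.201.10", "right address: 172.18.202.10 (WAN IP)" would render cleanly, and the list reads better after the sentence "Imagine the following topology" than before it. The figure now points at `vpn_s2s_ikev2_c.png`, but the diffstat lists only .rst files; please confirm the image is added under docs/_static/images in this change.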
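Review bot: in the left-peer hunk (@@ -307) the peer is switched to `connection-type 'respond'` with `local-address '192.168.0.10'`, a private address behind NAT according to the new example list, and its dead-peer-detection lines are removed in the hunk just above, but nothing in the text explains how the other side reaches it: with the NATed gateway as responder, the NAT device has to forward UDP/500 and UDP/4500 to 192.168.0.10, and the right side (which peers with 172.18.201.10) has to be the initiator. Either state that prerequisite next to the example or keep the NATed gateway as the initiator, which is the usual arrangement. Separately, once the local address is 192.168.0.10 the left peer's default IKE ID changes, so unless the lines not shown already set it, the hunk should also show `authentication id '172.18.201.10'` (or whatever the right side's remote-id expects); this is exactly the mismatch the new "Key Parameters" text warns about.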
@@ -323,7 +326,7 @@ Imagine the following topology set vpn ipsec esp-group ESP_DEFAULT pfs 'dh-group19' set vpn ipsec esp-group ESP_DEFAULT proposal 10 encryption 'aes256gcm128' set vpn ipsec esp-group ESP_DEFAULT proposal 10 hash 'sha256' - set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection action 'hold' + set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection action 'restart' set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection interval '30' set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection timeout '120' set vpn ipsec ike-group IKEv2_DEFAULT ikev2-reauth 'no' 
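Review bot: the right peer's DPD action changes from 'hold' to 'restart' (@@ -326), which matches the recommendation added at the end of the file (initiator: DPD with restart; responder: no DPD), but that recommendation also calls for `close-action 'restart'` on the initiator and this hunk does not add it. Either add a `close-action 'restart'` line to the right side's IKEv2_DEFAULT ike-group or drop that sentence so the example and the guidance agree.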
@@ -344,3 +347,40 @@ Imagine the following topology set vpn ipsec site-to-site peer 172.18.201.10 local-address '172.18.202.10' set vpn ipsec site-to-site peer 172.18.201.10 vti bind 'vti10' set vpn ipsec site-to-site peer 172.18.201.10 vti esp-group 'ESP_DEFAULT' + +Key Parameters: + +* ``authentication id/remote-id`` - IKE identification is used for validation + of VPN peer devices during IKE negotiation. If you do not configure local/ + remote-identity, the device uses the IPv4 or IPv6 address that corresponds + to the local/remote peer by default. + In certain network setups (like ipsec interface with dynamic address, or + behind the NAT ), the IKE ID received from the peer does not match the IKE + gateway configured on the device. This can lead to a Phase 1 validation + failure. + So, make sure to configure the local/remote id explicitly and ensure that the + IKE ID is the same as the remote-identity configured on the peer device. + +* ``disable-route-autoinstall`` - This option when configured disables the + routes installed in the default table 220 for site-to-site ipsec. + It is mostly used with VTI configuration. + +* ``dead-peer-detection action = clear | hold | restart`` - R_U_THERE + notification messages(IKEv1) or empty INFORMATIONAL messages (IKEv2) + are periodically sent in order to check the liveliness of theIPsec peer. The + values clear, hold, and restart all activate DPD and determine the action to + perform on a timeout. + With ``clear`` the connection is closed with no further actions taken. + ``hold`` installs a trap policy, which will catch matching traffic and tries + to re-negotiate the connection on demand. + ``restart`` will immediately trigger an attempt to re-negotiate the + connection. + +* ``close-action = none | clear | hold | restart`` - defines the action to take + if the remote peer unexpectedly closes a CHILD_SA (see above for meaning of + values). 
A closeaction should not be used if the peer uses reauthentication or + uniqueids. + + For a responder, close-action or dead-peer-detection must not be enabled. + For an initiator DPD with `restart` action, and `close-action 'restart'` + is recommended in IKE profile.
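Review bot: the new "Key Parameters" section (@@ -347) has several wording and spelling problems of its own: "theIPsec" and "messages(IKEv1)" are missing spaces, "behind the NAT )" has a stray space, "liveliness" should be "liveness", "closeaction" should be ``close-action`` to match the option name used in the bullet heading, and ``uniqueids`` deserves literal markup as it is the strongSwan option name. "IKE profile" should be "IKE group" to match the VyOS terminology used throughout the page (`ike-group IKEv2_DEFAULT`). The sentence "For a responder, close-action or dead-peer-detection must not be enabled" is also much stronger than the paragraph before it, which only says a close-action should not be combined with reauthentication or uniqueids; please either cite where the responder restriction comes from or soften it to a recommendation. Finally, in the ``authentication id/remote-id`` bullet, "ensure that the IKE ID is the same as the remote-identity configured on the peer device" would be clearer as "ensure that the local id configured here matches the remote-id configured on the peer, and vice versa".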