Age | Commit message (Collapse) | Author |
|
Used by both site2site and remote-access/road-warrior VPN connections.
|
|
|
|
|
|
|
|
|
|
|
|
set vpn ipsec esp-group ESP-RW compression 'disable'
set vpn ipsec esp-group ESP-RW lifetime '3600'
set vpn ipsec esp-group ESP-RW pfs 'disable'
set vpn ipsec esp-group ESP-RW proposal 10 encryption 'aes256'
set vpn ipsec esp-group ESP-RW proposal 10 hash 'sha256'
set vpn ipsec esp-group ESP-RW proposal 20 encryption 'aes256'
set vpn ipsec esp-group ESP-RW proposal 20 hash 'sha1'
set vpn ipsec ike-group IKE-RW key-exchange 'ikev2'
set vpn ipsec ike-group IKE-RW lifetime '10800'
set vpn ipsec ike-group IKE-RW mobike 'enable'
set vpn ipsec ike-group IKE-RW proposal 10 dh-group '2'
set vpn ipsec ike-group IKE-RW proposal 10 encryption 'aes256'
set vpn ipsec ike-group IKE-RW proposal 10 hash 'sha1'
set vpn ipsec ike-group IKE-RW proposal 20 dh-group '2'
set vpn ipsec ike-group IKE-RW proposal 20 encryption 'aes128'
set vpn ipsec ike-group IKE-RW proposal 20 hash 'sha1'
set vpn ipsec ipsec-interfaces interface 'dum0'
set vpn ipsec remote-access rw authentication id 'vyos'
set vpn ipsec remote-access rw authentication local-users username vyos password vyos
set vpn ipsec remote-access rw authentication x509 ca-certificate 'peer_172-18-254-202'
set vpn ipsec remote-access rw authentication x509 certificate 'peer_172-18-254-202'
set vpn ipsec remote-access rw description 'asdf'
set vpn ipsec remote-access rw esp-group 'ESP-RW'
set vpn ipsec remote-access rw ike-group 'IKE-RW'
|
|
|
|
|
|
pki: T3642: Add support for signing and revoking subordinate CAs
|
|
Renamed CLI from "logging log-modes" to "log subsystem" and "logging log-level"
to "log level". THat is more human firendly.
|
|
|
|
VyOS has a known to work mechanism in supplying CLI default values into the
Python configuration scripts. This commit removes hardcoded default values from
the Jinja2 template and places them into the appropriate XML definitions.
The big advantage is that the default value itself and the corresponding help
string are located in the exact same file.
|
|
Commit 2d79a500 ("ipsec: T2816: add Jinja2 converter for ESP/IKE groups to
string") added a Jinja2 helper function which can be used to transform VyOS CLI
ESP and IKE key proposals into a strongSwan compatible string cipher.
This commit changes the IPSec implementation to make use of this new Jinja2
filter fubction/Python helper. This is required base work for better automated
tests (smoketests) but also for an IKEv2 road-warrior setup.
|
|
|
|
|
|
|
|
* 'pki_ipsec' of https://github.com/sarthurdev/vyos-1x:
pki: ipsec: T3642: Update migration script to account for file permission issues
pki: ipsec: T3642: Migrate IPSec to use PKI configuration
pki: T3642: New PKI config and management
|
|
|
|
|
|
|
|
|
|
and port
Tested using:
set destination rule 100 inbound-interface 'eth0'
set destination rule 100 translation address '19.13.23.42'
set destination rule 100 translation options address-mapping 'random'
set destination rule 100 translation options port-mapping 'none'
set source rule 1000 outbound-interface 'eth0'
set source rule 1000 translation address '122.233.231.12'
set source rule 1000 translation options address-mapping 'persistent'
set source rule 1000 translation options port-mapping 'fully-random'
|
|
|
|
|
|
|
|
|
|
|
|
Use the validation string/system available within vyos-1x. This also works on
VyOS 1.2 series systems.
|
|
|
|
Key was already present as "extcommunity-rt".
|
|
|
|
Thi adds a new configuration level "set extcommunity" which then holds rt and
soo als leaf-nodes below. This is the foundational work required to
properly implement T3624 ("BGP: add support for extended community bandwidth
definition")
|
|
selectors, and selectors with VTI.
|
|
Some APNs require a username/password. Add CLI nodes (matching the PPPoE
syntax) for client authentication.
One APN would be the IPv4/IPv6 APN from Deutsche Telekom (Germany)
APN Name: Telekom Internet IPv6
APN: internet.v6.telekom
Benutzername: telekom
Passwort: tm
(cherry picked from commit c667a45a8fb06cb76c907348c4f1e3ec708b6e03)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
- set vpn ipsec nat-traversal
- set vpn ipsec nat-networks allowed-network
|
|
nhrp: T3599: Migrate NHRP to XML/Python
|
|
|
|
|
|
tunnels: T3592: Set default TTL to 64
|
|
Set default TTL value for tunnels from 0 to 64
There are a lot of situation when default value 0 (inherit)
not work properly when you have routing configuration for OSPF
or BGP over the tunnels. To fix it you need explicit set TTL
value other then 0. Or hardcode another value as default.
|
|
|
|
Some application layer gateway (ALG) modules can be disabled during runtime
if requireq.
|