diff options
| author | Viacheslav Hletenko <v.gletenko@vyos.io> | 2026-05-12 18:00:46 +0300 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2026-05-12 18:00:46 +0300 |
| commit | bfc681807ab2eafe3bfcea55be148deaba29f298 (patch) | |
| tree | f712601131b83af535bdf5e1b3182cabc71daac0 | |
| parent | 936abf4cd220de6a55efbf1f555801f2878a0578 (diff) | |
| parent | 9968c956f3eb7f80839148cd0496f3780915e176 (diff) | |
| download | vyos-documentation-bfc681807ab2eafe3bfcea55be148deaba29f298.tar.gz vyos-documentation-bfc681807ab2eafe3bfcea55be148deaba29f298.zip | |
Merge pull request #1997 from vyos/claude/scan-typos-errors-VJZ5E
docs: fix typos across configuration, contributing, and vpp docs
| -rw-r--r-- | docs/automation/terraform/terraformAWS.md | 8 | ||||
| -rw-r--r-- | docs/configuration/nat/nat44.md | 4 | ||||
| -rw-r--r-- | docs/configuration/policy/route.md | 4 | ||||
| -rw-r--r-- | docs/configuration/protocols/bgp.md | 6 | ||||
| -rw-r--r-- | docs/configuration/protocols/ospf.md | 11 | ||||
| -rw-r--r-- | docs/configuration/protocols/traffic-engineering.md | 5 | ||||
| -rw-r--r-- | docs/configuration/service/console-server.md | 2 | ||||
| -rw-r--r-- | docs/configuration/service/router-advert.md | 2 | ||||
| -rw-r--r-- | docs/configuration/service/webproxy.md | 4 | ||||
| -rw-r--r-- | docs/configuration/system/conntrack.md | 2 | ||||
| -rw-r--r-- | docs/contributing/debugging.md | 10 | ||||
| -rw-r--r-- | docs/vpp/configuration/ipsec.md | 92 |
12 files changed, 105 insertions, 45 deletions
diff --git a/docs/automation/terraform/terraformAWS.md b/docs/automation/terraform/terraformAWS.md index 488e7926..10740b99 100644 --- a/docs/automation/terraform/terraformAWS.md +++ b/docs/automation/terraform/terraformAWS.md @@ -103,6 +103,8 @@ Terraform, Ansible, and AWS, follow these steps: See `Structure of files in Ansible for AWS <#structure-of-files-in-ansible-for-aws>`__ for more details. You can obtain ``mykey.pem`` by creating a key `pair <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/create-key-pairs.html>`__ in AWS and downloading your ``.pem`` key. + +.. start_vyoslinter ``` ### Deploy with Terraform @@ -305,7 +307,7 @@ Make sure Ansible can ping from Terraform. ├── vyos.tf # The main script ├── var.tf # The file of all variables in "vyos.tf" ├── versions.tf # File for the changing version of Terraform. -└── terraform.tfvars # The value of all variables (passwords, login, ip adresses and so on) +└── terraform.tfvars # The value of all variables (passwords, login, ip addresses and so on) ``` ## File contents of Terraform for AWS @@ -543,6 +545,10 @@ ansible_user: vyos All files related to deploying VyOS on AWS with Terraform and Ansible can be found in the [vyos-automation] repository. +% stop_vyoslinter + [group]: https://docs.aws.amazon.com/cli/latest/userguide/cli-services-ec2-sg.html [pair]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/create-key-pairs.html [vyos-automation]: <https://github.com/vyos/vyos-automation/tree/main/TerraformCloud/AWS_terraform_ansible_single_vyos_instance-main> + +% start_vyoslinter diff --git a/docs/configuration/nat/nat44.md b/docs/configuration/nat/nat44.md index 8b02477e..2e877106 100644 --- a/docs/configuration/nat/nat44.md +++ b/docs/configuration/nat/nat44.md @@ -298,8 +298,8 @@ randomly. When defining the translated address, called `backends`, a `weight` must be configured. This lets the user define load balance distribution according -to their needs. Them sum of all the weights defined for the backends should -be equal to 100. In oder words, the weight defined for the backend is the +to their needs. The sum of all the weights defined for the backends should +be equal to 100. In other words, the weight defined for the backend is the percentage of the connections that will receive such backend. ```{cfgcmd} set nat [source | destination] rule \<rule\> load-balance hash [source-address | destination-address | source-port | destination-port | random] diff --git a/docs/configuration/policy/route.md b/docs/configuration/policy/route.md index b3ef6540..d2a6e8fa 100644 --- a/docs/configuration/policy/route.md +++ b/docs/configuration/policy/route.md @@ -201,7 +201,7 @@ about what type-name criteria are supported. ```{cfgcmd} set policy route6 \<name\> rule \<n\> ipsec \<match-ipsec|match-none\> -Set IPSec inbound match criterias, where: +Set IPSec inbound match criteria, where: * match-ipsec: match inbound IPsec packets. * match-none: match inbound non-IPsec packets. ``` @@ -270,7 +270,7 @@ Match based on packet type criteria. ```{cfgcmd} set policy route6 \<name\> rule \<n\> recent time \<1-4294967295\> Set parameters for matching recently seen sources. This match could be used -by seeting count (source address seen more than <1-255> times) and/or time +by setting count (source address seen more than <1-255> times) and/or time (source address seen in the last <0-4294967295> seconds). ``` diff --git a/docs/configuration/protocols/bgp.md b/docs/configuration/protocols/bgp.md index 702a2b1f..cfa79ce4 100644 --- a/docs/configuration/protocols/bgp.md +++ b/docs/configuration/protocols/bgp.md @@ -285,7 +285,7 @@ and happen automatically if local-role is set. ```{cfgcmd} set protocols bgp neighbor \<address|interface\> shutdown -This command disable the peer or peer group. To reenable the peer use +This command disables the peer or peer group. To re-enable the peer, use the delete form of this command. ``` @@ -805,7 +805,7 @@ availability is also advertised. A route that continually fails and returns requires a great deal of network traffic to update the network about the route's status. -Route dampening wich described in {rfc}`2439` enables you to identify routes +Route dampening, described in {rfc}`2439`, enables you to identify routes that repeatedly fail and return. If route dampening is enabled, an unstable route accumulates penalties each time the route fails and returns. If the accumulated penalties exceed a threshold, the route is no longer advertised. @@ -1016,7 +1016,7 @@ peer. The {cfgcmd}`receive` keyword configures a router to advertise ORF receive capabilities. The {cfgcmd}`send` keyword configures a router to advertise ORF send capabilities. To advertise a filter from a sender, you must create an IP prefix list for the specified BGP peer applied in inbound -derection. +direction. ``` diff --git a/docs/configuration/protocols/ospf.md b/docs/configuration/protocols/ospf.md index 72fefb84..b3297b3d 100644 --- a/docs/configuration/protocols/ospf.md +++ b/docs/configuration/protocols/ospf.md @@ -807,7 +807,7 @@ interface. ```{opcmd} show ip ospf interface [\<interface\>] -This command displays state and configuration of OSPF the specified +This command displays state and configuration of OSPF for the specified interface, or all interfaces if no interface is given. ``` @@ -1402,8 +1402,8 @@ This command displays the neighbor DR choice information. ``` ```{opcmd} show ipv6 ospfv3 interface [prefix]|[\<interface\> [prefix]] -This command displays state and configuration of OSPF the specified -interface, or all interfaces if no interface is given. Whith the argument +This command displays state and configuration of OSPF for the specified +interface, or all interfaces if no interface is given. With the argument {cfgcmd}`prefix` this command shows connected prefixes to advertise. ``` ```{opcmd} show ipv6 ospfv3 route @@ -1460,8 +1460,9 @@ set protocols ospfv3 redistribute connected show ipv6 ospfv3 redistribute ``` -Cost calculation wireguard interfaces is unreliable as ospfv3 uses the link speed to calculate the link cost. -You might therefore want to set the link cost to a fixed value on WireGuard tunnels. +Cost calculation for WireGuard interfaces is unreliable as ospfv3 uses the +link speed to calculate the link cost. You might therefore want to set the +link cost to a fixed value on WireGuard tunnels. Example configuration for WireGuard interfaces: diff --git a/docs/configuration/protocols/traffic-engineering.md b/docs/configuration/protocols/traffic-engineering.md index 832023a7..fc0841c7 100644 --- a/docs/configuration/protocols/traffic-engineering.md +++ b/docs/configuration/protocols/traffic-engineering.md @@ -7,11 +7,12 @@ alternative path. ## Common link parameters -Traffic Engineering parameters are used for both IS-IS and OSPF (not supported yet). +Traffic Engineering parameters are used for both IS-IS and OSPF (not supported +yet). ```{cfgcmd} set protocols traffic-engineering admin-group \<admin-group-name\> bit-position \<bit-position-value\> -Create Administrative group and assosiate bit position with it. These groups can be +Create Administrative group and associate bit position with it. These groups can be used in the following commands. \<bit-position-value\> can have value 0-31. There cannot be two groups with same bit position. diff --git a/docs/configuration/service/console-server.md b/docs/configuration/service/console-server.md index f0556652..4e0ec575 100644 --- a/docs/configuration/service/console-server.md +++ b/docs/configuration/service/console-server.md @@ -60,7 +60,7 @@ left unconfigured. :::{note} USB to serial converters will handle most of their work in software -so you should be carefull with the selected baudrate as some times they +so you should be careful with the selected baudrate as sometimes they can't cope with the expected speed. ::: ``` diff --git a/docs/configuration/service/router-advert.md b/docs/configuration/service/router-advert.md index 10753105..b81dddc7 100644 --- a/docs/configuration/service/router-advert.md +++ b/docs/configuration/service/router-advert.md @@ -108,7 +108,7 @@ Router Advertisements unless this option is set. ## Example Your LAN connected on eth0 uses prefix `2001:db8:beef:2::/64` with the router -beeing `2001:db8:beef:2::1` +being `2001:db8:beef:2::1` ```none set interfaces ethernet eth0 address 2001:db8:beef:2::1/64 diff --git a/docs/configuration/service/webproxy.md b/docs/configuration/service/webproxy.md index 28156b2b..0a21bed1 100644 --- a/docs/configuration/service/webproxy.md +++ b/docs/configuration/service/webproxy.md @@ -317,7 +317,7 @@ Defaults to 'uid' :::{note} This can only be done if all your users are located directly under the same position in the LDAP tree and the login name is used for naming -each user object. If your LDAP tree does not match these criterias or if you +each user object. If your LDAP tree does not match these criteria or if you want to filter who are valid users then you need to use a search filter to search for your users DN (filter-expression). ::: @@ -369,7 +369,7 @@ Download/Update complete blacklist vyos@vyos:~$ update webproxy blacklists Warning: No url-filtering blacklist installed Would you like to download a default blacklist? [confirm][y] -Connecting to ftp.univ-tlse1.fr (193.49.48.249:21) +Connecting to ftp.example.com (192.0.2.249:21) blacklists.gz 100% |*************************************************************************************************************| 17.0M 0:00:00 ETA Uncompressing blacklist... Checking permissions... diff --git a/docs/configuration/system/conntrack.md b/docs/configuration/system/conntrack.md index 2b7279f6..e27e2187 100644 --- a/docs/configuration/system/conntrack.md +++ b/docs/configuration/system/conntrack.md @@ -175,7 +175,7 @@ the future the conntrack ignore rules will be removed. .. cfgcmd:: set system conntrack ignore [ipv4 | ipv6] rule <1-999999> tcp flags [not] <text> - Allowed values fpr TCP flags: ``ack``, ``cwr``, ``ecn``, ``fin``, ``psh``, + Allowed values for TCP flags: ``ack``, ``cwr``, ``ecn``, ``fin``, ``psh``, ``rst``, ``syn`` and ``urg``. Multiple values are supported, and for inverted selection use ``not``, as shown in the example. ``` diff --git a/docs/contributing/debugging.md b/docs/contributing/debugging.md index d3b4b513..07dd80a4 100644 --- a/docs/contributing/debugging.md +++ b/docs/contributing/debugging.md @@ -164,8 +164,8 @@ The file `/tmp/foo` contains the migrated configuration. ### Configuration Error on System Boot Running the latest rolling releases sometimes exposes bugs due to edge cases -missed in design. File these bugs via [Phabricator](https://vyos.dev/), but you can help narrow -down the issue by following these steps: +missed in design. File these bugs via [Phabricator](https://vyos.dev/), but +you can help narrow down the issue by following these steps: 1. Log in to your VyOS system. 2. Enter configuration mode: `configure` @@ -193,12 +193,16 @@ You can also make this permanent by editing `/boot/grub/grub.cfg`. VyOS CLI depends heavily on priorities. Every CLI node has a corresponding `node.def` file and possibly an attached script. Nodes can have priorities, -and on system bootup or any `commit` to the configuration, scripts execute +and on system boot or any `commit` to the configuration, scripts execute from lowest to highest priority. This provides deterministic behavior. To debug priority issues or see script execution order, use the `/opt/vyatta/sbin/priority.pl` script, which lists the execution order of scripts. +% stop_vyoslinter + [bootchart.conf]: https://github.com/vyos/vyos-build/blob/current/data/live-build-config/includes.chroot/etc/systemd/bootchart.conf [vyatta-cfg]: https://github.com/vyos/vyatta-cfg + +% start_vyoslinter diff --git a/docs/vpp/configuration/ipsec.md b/docs/vpp/configuration/ipsec.md index 523b4a90..6ec442e3 100644 --- a/docs/vpp/configuration/ipsec.md +++ b/docs/vpp/configuration/ipsec.md @@ -9,27 +9,39 @@ lastproofread: '2025-09-04' # VPP IPsec Configuration -VPP Dataplane in VyOS can offload IPSec processing from kernel. This allows to speed-up IPSec traffic handling significantly, when necessary conditions are met. +VPP Dataplane in VyOS can offload IPSec processing from the kernel. This can +significantly speed up IPSec traffic handling when the necessary conditions +are met. :::{note} -VPP IPsec implementation is not as feature rich as Linux kernel IPsec. It supports only a subset of algorithms and modes. +VPP IPsec implementation is not as feature-rich as Linux kernel IPsec. It +supports only a subset of algorithms and modes. ::: ## Requirements To make IPSec offloading work, following requirements must be met: - VPP dataplane must be configured. -- VPP {doc}`IPsec settings </vpp/configuration/dataplane/ipsec>` should be configured as needed. -- IPSec should be configured in the VPN configuration section, see {doc}`/configuration/vpn/ipsec/index`. -- Both source and destination of the IPSec traffic must be reachable via VPP interfaces, so it can perform both encryption and decryption of the traffic. +- VPP {doc}`IPsec settings </vpp/configuration/dataplane/ipsec>` should be + configured as needed. +- IPSec should be configured in the VPN configuration section, see + {doc}`/configuration/vpn/ipsec/index`. +- Both source and destination of the IPSec traffic must be reachable via VPP + interfaces, so it can perform both encryption and decryption of the traffic. ## Integration Details -VPP Dataplane offloads IPSec processing from kernel, but does not handle IPSec configuration itself. IPSec configuration management and control-plane operation, like IKE negotiation, is still done by the kernel and other daemons. +VPP Dataplane offloads IPSec processing from kernel, but does not handle IPSec +configuration itself. IPSec configuration management and control-plane +operation, like IKE negotiation, is still done by the kernel and other daemons. -After an IPSec tunnel is configured in the kernel, VPP receives the necessary information via netlink messages and creates a corresponding SAs and policies to be able to offload the traffic. +After an IPSec tunnel is configured in the kernel, VPP receives the necessary +information via netlink messages and creates corresponding SAs and policies +to be able to offload the traffic. -When VPP is used for offloading IPsec, it creates a virtual interface of a specific type to connect to a peer. The type of the interface can be configured using the `interface-type` parameter in the dataplane settings. +When VPP is used for offloading IPsec, it creates a virtual interface of a +specific type to connect to a peer. The type of the interface can be +configured using the `interface-type` parameter in the dataplane settings. ## Supported IPsec Modes @@ -40,7 +52,10 @@ VPP supports offloading IPsec connections in the following IPsec modes: ## Supported Encryption and Integrity Algorithms :::{warning} -Since VPP dataplane is used only to offload IPsec traffic processing, algorithms mentioned below are applicable to ESP profiles in the IPsec configuration. IKE profiles are not affected by these limitations and can use any algorithms supported by the kernel. +Since VPP dataplane is used only to offload IPsec traffic processing, +algorithms mentioned below are applicable to ESP profiles in the IPsec +configuration. IKE profiles are not affected by these limitations and can +use any algorithms supported by the kernel. ::: VPP **supports** only the following **encryption algorithms**: @@ -77,13 +92,17 @@ VPP **does not** support the following **integrity algorithms**: - AES CMAC - AES-GMAC -If you have configured ESP profiles with algorithms not supported by VPP and the traffic for such peers flows trough VPP interfaces, such traffic will be dropped. +If you have configured ESP profiles with algorithms not supported by VPP and +the traffic for such peers flows through VPP interfaces, such traffic will be +dropped. ## Configuration Examples **ACL for VPP IPsec Traffic** -When using VPP for offloading IPsec traffic, you may need to adjust your firewall rules to allow the necessary protocols and ports. Below is an example of how to configure ACLs for VPP IPsec traffic: +When using VPP for offloading IPsec traffic, you may need to adjust your +firewall rules to allow the necessary protocols and ports. Below is an +example of how to configure ACLs for VPP IPsec traffic: ```none set vpp acl ip interface <interface-name> input acl-tag 10 tag-name 'IPSEC' @@ -104,7 +123,9 @@ set vpp acl ip tag-name IPSEC rule 50 action 'permit' set vpp acl ip tag-name IPSEC rule 50 protocol 'esp' ``` -Pay attention to the order of the rules, as they are processed sequentially. Make sure to place IPsec-related rules before any other rules that might deny traffic to ensure that IPsec traffic is allowed. +Pay attention to the order of the rules, as they are processed sequentially. +Make sure to place IPsec-related rules before any other rules that might +deny traffic to ensure that IPsec traffic is allowed. **Simple VTI-based IPsec Tunnel** @@ -151,18 +172,24 @@ set vpp settings lcp ignore-kernel-routes Where: - `eth1` is the interface connected to the IPsec peer. -- `eth2` is the interface connected to the local subnet, where unencrypted traffic is expected. -- `192.168.100.0/24` is the local subnet that will be accessible through the IPsec tunnel. -- `192.168.200.0/24` is the remote subnet that will be accessible through the IPsec tunnel. +- `eth2` is the interface connected to the local subnet, where unencrypted + traffic is expected. +- `192.168.100.0/24` is the local subnet that will be accessible through the + IPsec tunnel. +- `192.168.200.0/24` is the remote subnet that will be accessible through the + IPsec tunnel. - `vti1` is the VTI interface created by VPP for the IPsec tunnel. -- `peerA` and `peerB` are the identifiers for the local side and remote peer, respectively. +- `peerA` and `peerB` are the identifiers for the local side and remote peer, + respectively. :::{note} **What is important in this configuration** -VPP uses only remote traffic-selector to determine what traffic should be offloaded to the IPsec tunnel. +VPP uses only remote traffic-selector to determine what traffic should be +offloaded to the IPsec tunnel. -Adding additional routes via VTI interface does not affect actual VPP IPsec operation. +Adding additional routes via VTI interface does not affect actual VPP IPsec +operation. ::: ## Potential Issues and Troubleshooting @@ -170,19 +197,40 @@ Adding additional routes via VTI interface does not affect actual VPP IPsec oper Improper IPsec configuration can lead to various issues, including: - **Unidirectional traffic flow or acceleration** - If kernel has a conflicting route for the remote subnet, such route may take precedence over the policy route created for the IPsec tunnel in VPP. This may lead to unidirectional traffic flow or acceleration only in one direction. This has no security impact because traffic will still be encrypted by the kernel, but it may lead to performance degradation. To avoid this, ensure that no conflicting routes exist in the kernel routing table. + If kernel has a conflicting route for the remote subnet, such route may + take precedence over the policy route created for the IPsec tunnel in VPP. + This may lead to unidirectional traffic flow or acceleration only in one + direction. This has no security impact because traffic will still be + encrypted by the kernel, but it may lead to performance degradation. To + avoid this, ensure that no conflicting routes exist in the kernel routing + table. - **Conflicting with kernel routes** - If the kernel routes synchronization option is enabled, VPP will install all the routes from kernel. If you have there routes configured via VTI interfaces to the IPsec peer, they will conflict with the policy routes created for the IPsec tunnel in VPP. Consider using policy-based IPSec configuration to avoid this or [disable the kernel routes synchronization](lcp.md#vpp-lcp-configuration). + If the kernel routes synchronization option is enabled, VPP will install + all the routes from kernel. If you have these routes configured via VTI + interfaces to the IPsec peer, they will conflict with the policy routes + created for the IPsec tunnel in VPP. Consider using policy-based IPSec + configuration to avoid this or + [disable the kernel routes synchronization](lcp.md#vpp-lcp-configuration). - **Unsupported algorithms** - If you have configured ESP profiles with algorithms not supported by VPP and the traffic for such peers flows through VPP interfaces, such traffic will be dropped. You can check system logs for messages from VPP with `linux-cp/ipsec: Invalid/Unsupported crypto algo` or `linux-cp/ipsec: Invalid/Unsupported integ algo` line to identify such cases. + If you have configured ESP profiles with algorithms not supported by VPP + and the traffic for such peers flows through VPP interfaces, such traffic + will be dropped. You can check system logs for messages from VPP with + `linux-cp/ipsec: Invalid/Unsupported crypto algo` or + `linux-cp/ipsec: Invalid/Unsupported integ algo` line to identify such + cases. - **Connection is established but no traffic flows** - Even if you use compatible algorithms, there can be other reasons why traffic is not flowing. One of most frequent is blocking traffic between peers - that is especially common in public clouds. Make sure that TCP/UDP ports 500 and 4500 and ESP protocol are allowed between the peers. Alternatively, consider enforcing UDP encapsulation on both sides of the tunnel: + Even if you use compatible algorithms, there can be other reasons why + traffic is not flowing. One of most frequent is blocking traffic between + peers - that is especially common in public clouds. Make sure that TCP/UDP + ports 500 and 4500 and ESP protocol are allowed between the peers. + Alternatively, consider enforcing UDP encapsulation on both sides of the + tunnel: ```{cfgcmd} set vpn ipsec site-to-site peer \<peer-name\> force-udp-encapsulation ```
\ No newline at end of file |
