diff options
| author | Yuriy Andamasov <yuriy@vyos.io> | 2026-04-21 20:35:22 +0300 |
|---|---|---|
| committer | Yuriy Andamasov <yuriy@vyos.io> | 2026-04-21 20:35:22 +0300 |
| commit | d0a0fd4998b35af5b4e59374a5706ffeb27c7ee5 (patch) | |
| tree | bebe87c3f28f8f7bb8aaa2fbdd091749f629f95b /docs/configuration/vpn/ipsec | |
| parent | 5d4cdc95200e8ef8fa9ef0f52c5607b76e980692 (diff) | |
| download | vyos-documentation-d0a0fd4998b35af5b4e59374a5706ffeb27c7ee5.tar.gz vyos-documentation-d0a0fd4998b35af5b4e59374a5706ffeb27c7ee5.zip | |
fix: resolve all line-length lint warnings across 14 RST files
Wrap prose lines exceeding 80 chars and apply stop/start_vyoslinter
markers around cfgcmd/opcmd directive lines that cannot be shortened
(e.g. long option names with placeholder arguments).
Affected files: bonding, wireguard, pim, conntrack-sync, dmvpn,
ipsec_general, site2site_ipsec, vrf/index, bare-metal,
inter-vrf-routing-vrf-lite, lac-lns, tunnelbroker, OpenVPN_with_LDAP,
dmvpn-dualhub-dualcloud.
🤖 Generated by [robots](https://vyos.io)
Diffstat (limited to 'docs/configuration/vpn/ipsec')
| -rw-r--r-- | docs/configuration/vpn/ipsec/ipsec_general.rst | 20 | ||||
| -rw-r--r-- | docs/configuration/vpn/ipsec/site2site_ipsec.rst | 24 |
2 files changed, 37 insertions, 7 deletions
diff --git a/docs/configuration/vpn/ipsec/ipsec_general.rst b/docs/configuration/vpn/ipsec/ipsec_general.rst index a9a1eb0f..3d21b81d 100644 --- a/docs/configuration/vpn/ipsec/ipsec_general.rst +++ b/docs/configuration/vpn/ipsec/ipsec_general.rst @@ -143,8 +143,9 @@ You can view the PPK column for information on if PPK is configured, and if it is in use. The output is in the format of ``<configured> / <in use>``. The options for configured are none if not conifugred, opt if configured but optional, and req is configured and required. The in use will show yes -Possible values of the ``configured`` field are ``none`` if not conifgured, ``opt`` if configured -but optional, and ``req`` is configured and required. The in use will show yes +Possible values of the ``configured`` field are ``none`` if not +conifgured, ``opt`` if configured but optional, and ``req`` is +configured and required. The in use will show yes @@ -200,6 +201,8 @@ VyOS IKE group has the next options: * **aggressive** - Use Aggressive mode for Key Exchanges in the IKEv1 protocol aggressive mode is much more insecure compared to Main mode. +.. stop_vyoslinter + .. cfgcmd:: set vpn ipsec ike-group <name> proposal <number> dh-group <dh-group number> Dh-group. Default value is **2**. @@ -208,6 +211,8 @@ VyOS IKE group has the next options: Encryption algorithm. Default value is **aes128**. +.. start_vyoslinter + .. cfgcmd:: set vpn ipsec ike-group <name> proposal <number> hash <hash> Hash algorithm. Default value is **sha1**. @@ -232,10 +237,14 @@ DPD (Dead Peer Detection) Configuration * **restart** - Immediately tries to re-negotiate the CHILD_SA under a fresh IKE_SA. +.. stop_vyoslinter + .. cfgcmd:: set vpn ipsec ike-group <name> dead-peer-detection interval <interval> Keep-alive interval in seconds <2-86400> (default 30). +.. start_vyoslinter + .. cfgcmd:: set vpn ipsec ike-group <name> dead-peer-detection timeout <timeout> Keep-alive timeout in seconds <2-86400> (default 120) **IKEv1 only** @@ -292,10 +301,14 @@ VyOS ESP group has the next options: * **disable** - Disable PFS. * **<dh-group>** - Defines a Diffie-Hellman group for PFS. +.. stop_vyoslinter + .. cfgcmd:: set vpn ipsec esp-group <name> proposal <number> encryption <encryption> Encryption algorithm. Default value is **aes128**. +.. start_vyoslinter + .. cfgcmd:: set vpn ipsec esp-group <name> proposal <number> hash <hash> Hash algorithm. Default value is **sha1**. @@ -351,7 +364,8 @@ Options IKEv2 Retransmission ==================== -If the peer does not respond on DPD packet, the router starts retransmission procedure. +If the peer does not respond on DPD packet, the router starts the +retransmission procedure. The following formula is used to calculate the timeout: diff --git a/docs/configuration/vpn/ipsec/site2site_ipsec.rst b/docs/configuration/vpn/ipsec/site2site_ipsec.rst index 628b8e9d..9f8231e7 100644 --- a/docs/configuration/vpn/ipsec/site2site_ipsec.rst +++ b/docs/configuration/vpn/ipsec/site2site_ipsec.rst @@ -78,7 +78,8 @@ Tunnel information: * If Route based VPN is used * IP of the VTI interface is 10.0.0.1/30 -.. note:: We do not recommend using policy-based vpn and route-based vpn configurations to the same peer. +.. note:: We do not recommend using policy-based vpn and route-based + vpn configurations to the same peer. **1. Configure ike-group (IKE Phase 1)** @@ -108,7 +109,8 @@ Tunnel information: set vpn ipsec interface eth0 -**4. Configure PSK keys and authentication ids for this key if authentication type is PSK** +**4. Configure PSK keys and authentication ids for this key if +authentication type is PSK** .. code-block:: none @@ -146,14 +148,16 @@ To set base64 secret encode plaintext password to base64 and set secret-type **6. Depends to vpn type (route-based vpn or policy-based vpn).** - **6.1 For Policy-based VPN configure SAs using tunnel command specifying remote and local networks.** + **6.1 For Policy-based VPN configure SAs using tunnel command + specifying remote and local networks.** .. code-block:: none set vpn ipsec site-to-site peer PEER1 tunnel 1 local prefix '192.168.10.0/24' set vpn ipsec site-to-site peer PEER1 tunnel 1 remote prefix '192.168.50.0/24' - **6.2 For Route-based VPN create VTI interface, set IP address to this interface and bind this interface to the vpn peer.** + **6.2 For Route-based VPN create VTI interface, set IP address to + this interface and bind this interface to the vpn peer.** .. code-block:: none @@ -243,6 +247,8 @@ Peer Authentication Commands address. Useful in case if the remote peer is behind NAT or if ``mode x509`` is used. +.. stop_vyoslinter + .. cfgcmd:: set vpn ipsec site-to-site peer <name> authentication rsa local-key <key> Name of PKI key-pair with local private key. @@ -270,6 +276,8 @@ Peer Authentication Commands Name of certificate in PKI configuration, which will be used for authenticating local router on remote peer. +.. start_vyoslinter + .. cfgcmd:: set vpn ipsec authentication x509 passphrase <passphrase> Private key passphrase, if needed. @@ -370,6 +378,8 @@ Policy-Based CHILD SAs Configuration Commands Every configured tunnel under peer configuration is a new CHILD SA. +.. stop_vyoslinter + .. cfgcmd:: set vpn ipsec site-to-site peer <name> tunnel <number> disable Disable this tunnel. @@ -406,6 +416,8 @@ Every configured tunnel under peer configuration is a new CHILD SA. Remote port number. Have effect only when used together with ``prefix``. +.. start_vyoslinter + Route-Based CHILD SAs Configuration Commands """"""""""""""""""""""""""""""""""""""""""""" @@ -435,6 +447,8 @@ for each remote network. Traffic-selectors parameters for traffic that should pass via vti interface. +.. stop_vyoslinter + .. cfgcmd:: set vpn ipsec site-to-site peer <name> vti traffic-selector local prefix <network> Local prefix for interesting traffic. @@ -443,6 +457,8 @@ interface. Remote prefix for interesting traffic. +.. start_vyoslinter + IPsec Op-mode Commands ====================== |
