summaryrefslogtreecommitdiff
path: root/docs/configuration/vpn/ipsec
diff options
context:
space:
mode:
authorYuriy Andamasov <yuriy@vyos.io>2026-04-21 20:35:22 +0300
committerYuriy Andamasov <yuriy@vyos.io>2026-04-21 20:35:22 +0300
commitd0a0fd4998b35af5b4e59374a5706ffeb27c7ee5 (patch)
treebebe87c3f28f8f7bb8aaa2fbdd091749f629f95b /docs/configuration/vpn/ipsec
parent5d4cdc95200e8ef8fa9ef0f52c5607b76e980692 (diff)
downloadvyos-documentation-d0a0fd4998b35af5b4e59374a5706ffeb27c7ee5.tar.gz
vyos-documentation-d0a0fd4998b35af5b4e59374a5706ffeb27c7ee5.zip
fix: resolve all line-length lint warnings across 14 RST files
Wrap prose lines exceeding 80 chars and apply stop/start_vyoslinter markers around cfgcmd/opcmd directive lines that cannot be shortened (e.g. long option names with placeholder arguments). Affected files: bonding, wireguard, pim, conntrack-sync, dmvpn, ipsec_general, site2site_ipsec, vrf/index, bare-metal, inter-vrf-routing-vrf-lite, lac-lns, tunnelbroker, OpenVPN_with_LDAP, dmvpn-dualhub-dualcloud. 🤖 Generated by [robots](https://vyos.io)
Diffstat (limited to 'docs/configuration/vpn/ipsec')
-rw-r--r--docs/configuration/vpn/ipsec/ipsec_general.rst20
-rw-r--r--docs/configuration/vpn/ipsec/site2site_ipsec.rst24
2 files changed, 37 insertions, 7 deletions
diff --git a/docs/configuration/vpn/ipsec/ipsec_general.rst b/docs/configuration/vpn/ipsec/ipsec_general.rst
index a9a1eb0f..3d21b81d 100644
--- a/docs/configuration/vpn/ipsec/ipsec_general.rst
+++ b/docs/configuration/vpn/ipsec/ipsec_general.rst
@@ -143,8 +143,9 @@ You can view the PPK column for information on if PPK is configured, and
if it is in use. The output is in the format of ``<configured> / <in use>``.
The options for configured are none if not conifugred, opt if configured
but optional, and req is configured and required. The in use will show yes
-Possible values of the ``configured`` field are ``none`` if not conifgured, ``opt`` if configured
-but optional, and ``req`` is configured and required. The in use will show yes
+Possible values of the ``configured`` field are ``none`` if not
+conifgured, ``opt`` if configured but optional, and ``req`` is
+configured and required. The in use will show yes
@@ -200,6 +201,8 @@ VyOS IKE group has the next options:
* **aggressive** - Use Aggressive mode for Key Exchanges in the IKEv1
protocol aggressive mode is much more insecure compared to Main mode.
+.. stop_vyoslinter
+
.. cfgcmd:: set vpn ipsec ike-group <name> proposal <number> dh-group <dh-group number>
Dh-group. Default value is **2**.
@@ -208,6 +211,8 @@ VyOS IKE group has the next options:
Encryption algorithm. Default value is **aes128**.
+.. start_vyoslinter
+
.. cfgcmd:: set vpn ipsec ike-group <name> proposal <number> hash <hash>
Hash algorithm. Default value is **sha1**.
@@ -232,10 +237,14 @@ DPD (Dead Peer Detection) Configuration
* **restart** - Immediately tries to re-negotiate the CHILD_SA
under a fresh IKE_SA.
+.. stop_vyoslinter
+
.. cfgcmd:: set vpn ipsec ike-group <name> dead-peer-detection interval <interval>
Keep-alive interval in seconds <2-86400> (default 30).
+.. start_vyoslinter
+
.. cfgcmd:: set vpn ipsec ike-group <name> dead-peer-detection timeout <timeout>
Keep-alive timeout in seconds <2-86400> (default 120) **IKEv1 only**
@@ -292,10 +301,14 @@ VyOS ESP group has the next options:
* **disable** - Disable PFS.
* **<dh-group>** - Defines a Diffie-Hellman group for PFS.
+.. stop_vyoslinter
+
.. cfgcmd:: set vpn ipsec esp-group <name> proposal <number> encryption <encryption>
Encryption algorithm. Default value is **aes128**.
+.. start_vyoslinter
+
.. cfgcmd:: set vpn ipsec esp-group <name> proposal <number> hash <hash>
Hash algorithm. Default value is **sha1**.
@@ -351,7 +364,8 @@ Options
IKEv2 Retransmission
====================
-If the peer does not respond on DPD packet, the router starts retransmission procedure.
+If the peer does not respond on DPD packet, the router starts the
+retransmission procedure.
The following formula is used to calculate the timeout:
diff --git a/docs/configuration/vpn/ipsec/site2site_ipsec.rst b/docs/configuration/vpn/ipsec/site2site_ipsec.rst
index 628b8e9d..9f8231e7 100644
--- a/docs/configuration/vpn/ipsec/site2site_ipsec.rst
+++ b/docs/configuration/vpn/ipsec/site2site_ipsec.rst
@@ -78,7 +78,8 @@ Tunnel information:
* If Route based VPN is used
* IP of the VTI interface is 10.0.0.1/30
-.. note:: We do not recommend using policy-based vpn and route-based vpn configurations to the same peer.
+.. note:: We do not recommend using policy-based vpn and route-based
+ vpn configurations to the same peer.
**1. Configure ike-group (IKE Phase 1)**
@@ -108,7 +109,8 @@ Tunnel information:
set vpn ipsec interface eth0
-**4. Configure PSK keys and authentication ids for this key if authentication type is PSK**
+**4. Configure PSK keys and authentication ids for this key if
+authentication type is PSK**
.. code-block:: none
@@ -146,14 +148,16 @@ To set base64 secret encode plaintext password to base64 and set secret-type
**6. Depends to vpn type (route-based vpn or policy-based vpn).**
- **6.1 For Policy-based VPN configure SAs using tunnel command specifying remote and local networks.**
+ **6.1 For Policy-based VPN configure SAs using tunnel command
+ specifying remote and local networks.**
.. code-block:: none
set vpn ipsec site-to-site peer PEER1 tunnel 1 local prefix '192.168.10.0/24'
set vpn ipsec site-to-site peer PEER1 tunnel 1 remote prefix '192.168.50.0/24'
- **6.2 For Route-based VPN create VTI interface, set IP address to this interface and bind this interface to the vpn peer.**
+ **6.2 For Route-based VPN create VTI interface, set IP address to
+ this interface and bind this interface to the vpn peer.**
.. code-block:: none
@@ -243,6 +247,8 @@ Peer Authentication Commands
address. Useful in case if the remote peer is behind NAT
or if ``mode x509`` is used.
+.. stop_vyoslinter
+
.. cfgcmd:: set vpn ipsec site-to-site peer <name> authentication rsa local-key <key>
Name of PKI key-pair with local private key.
@@ -270,6 +276,8 @@ Peer Authentication Commands
Name of certificate in PKI configuration, which will be used
for authenticating local router on remote peer.
+.. start_vyoslinter
+
.. cfgcmd:: set vpn ipsec authentication x509 passphrase <passphrase>
Private key passphrase, if needed.
@@ -370,6 +378,8 @@ Policy-Based CHILD SAs Configuration Commands
Every configured tunnel under peer configuration is a new CHILD SA.
+.. stop_vyoslinter
+
.. cfgcmd:: set vpn ipsec site-to-site peer <name> tunnel <number> disable
Disable this tunnel.
@@ -406,6 +416,8 @@ Every configured tunnel under peer configuration is a new CHILD SA.
Remote port number. Have effect only when used together with
``prefix``.
+.. start_vyoslinter
+
Route-Based CHILD SAs Configuration Commands
"""""""""""""""""""""""""""""""""""""""""""""
@@ -435,6 +447,8 @@ for each remote network.
Traffic-selectors parameters for traffic that should pass via vti
interface.
+.. stop_vyoslinter
+
.. cfgcmd:: set vpn ipsec site-to-site peer <name> vti traffic-selector local prefix <network>
Local prefix for interesting traffic.
@@ -443,6 +457,8 @@ interface.
Remote prefix for interesting traffic.
+.. start_vyoslinter
+
IPsec Op-mode Commands
======================