| author | rebortg <github@ghlr.de> | 2024-01-13 23:12:29 +0100 | 
|---|---|---|
| committer | rebortg <github@ghlr.de> | 2024-01-14 21:11:10 +0100 | 
| commit | 14c94be155255524d4e05c1f5308233f8b67be03 (patch) | |
| tree | d742ee314656029270aa8e7e315b2c2abf3e13e8 /docs/configuration/vpn | |
| parent | 0740593f13225ad72a127e99aaa49d5a32ba5325 (diff) | |
| parent | ad280ba6493a76a73b25ca4472365720b10bd412 (diff) | |
| download | vyos-documentation-14c94be155255524d4e05c1f5308233f8b67be03.tar.gz vyos-documentation-14c94be155255524d4e05c1f5308233f8b67be03.zip | |
Merge branch 'master' of github.com:vyos/vyos-documentation
Diffstat (limited to 'docs/configuration/vpn')
| -rw-r--r-- | docs/configuration/vpn/l2tp.rst | 12 |
| -rw-r--r-- | docs/configuration/vpn/openconnect.rst | 7 |
| -rw-r--r-- | docs/configuration/vpn/pptp.rst | 4 |
| -rw-r--r-- | docs/configuration/vpn/site2site_ipsec.rst | 129 |
| -rw-r--r-- | docs/configuration/vpn/sstp.rst | 18 |
5 files changed, 97 insertions, 73 deletions
| diff --git a/docs/configuration/vpn/l2tp.rst b/docs/configuration/vpn/l2tp.rst index 26de47b3..4a7657e7 100644 --- a/docs/configuration/vpn/l2tp.rst +++ b/docs/configuration/vpn/l2tp.rst @@ -17,8 +17,8 @@ with native Windows and Mac VPN clients):    set vpn ipsec interface eth0    set vpn l2tp remote-access outside-address 192.0.2.2 -  set vpn l2tp remote-access client-ip-pool start 192.168.255.2 -  set vpn l2tp remote-access client-ip-pool stop 192.168.255.254 +  set vpn l2tp remote-access client-ip-pool L2TP-POOL range 192.168.255.2-192.168.255.254 +  set vpn l2tp remote-access default-pool 'L2TP-POOL'    set vpn l2tp remote-access ipsec-settings authentication mode pre-shared-secret    set vpn l2tp remote-access ipsec-settings authentication pre-shared-secret <secret>    set vpn l2tp remote-access authentication mode local @@ -95,8 +95,8 @@ Below is an example to configure a LNS:  .. code-block:: none    set vpn l2tp remote-access outside-address 192.0.2.2 -  set vpn l2tp remote-access client-ip-pool start 192.168.255.2 -  set vpn l2tp remote-access client-ip-pool stop 192.168.255.254 +  set vpn l2tp remote-access client-ip-pool L2TP-POOL range 192.168.255.2-192.168.255.254 +  set vpn l2tp remote-access default-pool 'L2TP-POOL'    set vpn l2tp remote-access lns shared-secret 'secret'    set vpn l2tp remote-access ccp-disable    set vpn l2tp remote-access authentication mode local 
@@ -122,8 +122,8 @@ The rate-limit is set in kbit/sec.  .. code-block:: none    set vpn l2tp remote-access outside-address 192.0.2.2 -  set vpn l2tp remote-access client-ip-pool start 192.168.255.2 -  set vpn l2tp remote-access client-ip-pool stop 192.168.255.254 +  set vpn l2tp remote-access client-ip-pool L2TP-POOL range 192.168.255.2-192.168.255.254 +  set vpn l2tp remote-access default-pool 'L2TP-POOL'    set vpn l2tp remote-access authentication mode local    set vpn l2tp remote-access authentication local-users username test password test    set vpn l2tp remote-access authentication local-users username test rate-limit download 20480 diff --git a/docs/configuration/vpn/openconnect.rst b/docs/configuration/vpn/openconnect.rst index 1cc197e9..845d9196 100644 --- a/docs/configuration/vpn/openconnect.rst +++ b/docs/configuration/vpn/openconnect.rst @@ -165,6 +165,13 @@ Simple setup with one user added and password authentication:    set vpn openconnect ssl ca-certificate 'ca-ocserv'    set vpn openconnect ssl certificate 'srv-ocserv' +To enable the HTTP security headers in the configuration file, use the command: + +.. code-block:: none + +  set vpn openconnect http-security-headers + +  Adding a 2FA with an OTP-key  ============================ diff --git a/docs/configuration/vpn/pptp.rst b/docs/configuration/vpn/pptp.rst index 12364acb..fe536eec 100644 --- a/docs/configuration/vpn/pptp.rst +++ b/docs/configuration/vpn/pptp.rst 
@@ -20,8 +20,8 @@ server example    set vpn pptp remote-access authentication local-users username test password 'test'    set vpn pptp remote-access authentication mode 'local' -  set vpn pptp remote-access client-ip-pool start '192.168.0.10' -  set vpn pptp remote-access client-ip-pool stop '192.168.0.15' +  set vpn pptp remote-access client-ip-pool PPTP-POOL range 192.168.0.10-192.168.0.15 +  set vpn pptp remote-access default-pool 'PPTP-POOL'    set vpn pptp remote-access gateway-address '10.100.100.1'    set vpn pptp remote-access outside-address '10.1.1.120' diff --git a/docs/configuration/vpn/site2site_ipsec.rst b/docs/configuration/vpn/site2site_ipsec.rst index 8c0af774..23df1b76 100644 --- a/docs/configuration/vpn/site2site_ipsec.rst +++ b/docs/configuration/vpn/site2site_ipsec.rst @@ -10,8 +10,8 @@ connected/routed networks.  To configure site-to-site connection you need to add peers with the  ``set vpn ipsec site-to-site peer <name>`` command. -The peer name must be an alphanumeric and can have hypen or underscore as  -special characters. It is purely informational.  +The peer name must be an alphanumeric and can have hypen or underscore as +special characters. It is purely informational.  Each site-to-site peer has the next options: @@ -20,11 +20,11 @@ Each site-to-site peer has the next options:   * ``psk`` - Preshared secret key name: -  * ``dhcp-interface`` - ID for authentication generated from DHCP address  +  * ``dhcp-interface`` - ID for authentication generated from DHCP address      dynamically; -  * ``id`` - static ID's for authentication. In general local and remote  +  * ``id`` - static ID's for authentication. In general local and remote      address ``<x.x.x.x>``, ``<h:h:h:h:h:h:h:h>`` or ``%any``; -  * ``secret`` - predefined shared secret. Used if configured mode  +  * ``secret`` - predefined shared secret. Used if configured mode      ``pre-shared-secret``; 
@@ -110,7 +110,7 @@ Each site-to-site peer has the next options:  * ``remote-address`` - remote IP address or hostname for IPSec connection.    IPv4 or IPv6 address is used when a peer has a public static IP address. -  Hostname is a DNS name which could be used when a peer has a public IP  +  Hostname is a DNS name which could be used when a peer has a public IP    address and DNS name, but an IP address could be changed from time to time.  * ``tunnel`` - define criteria for traffic to be matched for encrypting and send @@ -149,9 +149,9 @@ Each site-to-site peer has the next options:   * ``esp-group`` - define ESP group for encrypt traffic, passed this VTI     interface. -* ``virtual-address`` - Defines a virtual IP address which is requested by the  -  initiator and one or several IPv4 and/or IPv6 addresses are assigned from  -  multiple pools by the responder.  +* ``virtual-address`` - Defines a virtual IP address which is requested by the +  initiator and one or several IPv4 and/or IPv6 addresses are assigned from +  multiple pools by the responder.  Examples:  ------------------ 
@@ -308,31 +308,35 @@ Imagine the following topology    set interfaces dummy dum0 address '10.0.11.1/24'    set interfaces vti vti10 address '10.0.0.2/31' -  set vpn ipsec option disable-route-autoinstall -  set vpn ipsec authentication psk OFFICE-B id '172.18.201.10' -  set vpn ipsec authentication psk OFFICE-B id '172.18.202.10' -  set vpn ipsec authentication psk OFFICE-B secret 'secretkey' +  set vpn ipsec authentication psk peer_172-18-202-10 id '172.18.201.10' +  set vpn ipsec authentication psk peer_172-18-202-10 id '172.18.202.10' +  set vpn ipsec authentication psk peer_172-18-202-10 secret 'secretkey'    set vpn ipsec esp-group ESP_DEFAULT lifetime '3600'    set vpn ipsec esp-group ESP_DEFAULT mode 'tunnel'    set vpn ipsec esp-group ESP_DEFAULT pfs 'dh-group19'    set vpn ipsec esp-group ESP_DEFAULT proposal 10 encryption 'aes256gcm128'    set vpn ipsec esp-group ESP_DEFAULT proposal 10 hash 'sha256' +  set vpn ipsec ike-group IKEv2_DEFAULT close-action 'none' +  set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection action 'hold' +  set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection interval '30' +  set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection timeout '120' +  set vpn ipsec ike-group IKEv2_DEFAULT disable-mobike    set vpn ipsec ike-group IKEv2_DEFAULT key-exchange 'ikev2'    set vpn ipsec ike-group IKEv2_DEFAULT lifetime '10800' -  set vpn ipsec ike-group IKEv2_DEFAULT disable-mobike    set vpn ipsec ike-group IKEv2_DEFAULT proposal 10 dh-group '19'    set vpn ipsec ike-group IKEv2_DEFAULT proposal 10 encryption 'aes256gcm128'    set vpn ipsec ike-group IKEv2_DEFAULT proposal 10 hash 'sha256'    set vpn ipsec interface 'eth0.201' -  set vpn ipsec site-to-site peer OFFICE-B authentication local-id '172.18.201.10' -  set vpn ipsec site-to-site peer OFFICE-B authentication mode 'pre-shared-secret' -  set vpn ipsec site-to-site peer OFFICE-B authentication remote-id '172.18.202.10' -  set vpn ipsec site-to-site peer OFFICE-B 
connection-type 'respond' -  set vpn ipsec site-to-site peer OFFICE-B ike-group 'IKEv2_DEFAULT' -  set vpn ipsec site-to-site peer OFFICE-B local-address '172.18.201.10' -  set vpn ipsec site-to-site peer OFFICE-B remote-address '172.18.202.10' -  set vpn ipsec site-to-site peer OFFICE-B vti bind 'vti10' -  set vpn ipsec site-to-site peer OFFICE-B vti esp-group 'ESP_DEFAULT' +  set vpn ipsec site-to-site peer peer_172-18-202-10 authentication local-id '172.18.201.10' +  set vpn ipsec site-to-site peer peer_172-18-202-10 authentication mode 'pre-shared-secret' +  set vpn ipsec site-to-site peer peer_172-18-202-10 authentication remote-id '172.18.202.10' +  set vpn ipsec site-to-site peer peer_172-18-202-10 connection-type 'initiate' +  set vpn ipsec site-to-site peer peer_172-18-202-10 ike-group 'IKEv2_DEFAULT' +  set vpn ipsec site-to-site peer peer_172-18-202-10 ikev2-reauth 'inherit' +  set vpn ipsec site-to-site peer peer_172-18-202-10 local-address '172.18.201.10' +  set vpn ipsec site-to-site peer peer_172-18-202-10 remote-address '172.18.202.10' +  set vpn ipsec site-to-site peer peer_172-18-202-10 vti bind 'vti10' +  set vpn ipsec site-to-site peer peer_172-18-202-10 vti esp-group 'ESP_DEFAULT'    set protocols static interface-route 10.0.12.0/24 next-hop-interface vti10 
@@ -344,34 +348,35 @@ Imagine the following topology    set interfaces dummy dum0 address '10.0.12.1/24'    set interfaces vti vti10 address '10.0.0.3/31' -  set vpn ipsec option disable-route-autoinstall -  set vpn ipsec authentication psk OFFICE-A id '172.18.201.10' -  set vpn ipsec authentication psk OFFICE-A id '172.18.202.10' -  set vpn ipsec authentication psk OFFICE-A secret 'secretkey' +  set vpn ipsec authentication psk peer_172-18-201-10 id '172.18.202.10' +  set vpn ipsec authentication psk peer_172-18-201-10 id '172.18.201.10' +  set vpn ipsec authentication psk peer_172-18-201-10 secret 'secretkey'    set vpn ipsec esp-group ESP_DEFAULT lifetime '3600'    set vpn ipsec esp-group ESP_DEFAULT mode 'tunnel'    set vpn ipsec esp-group ESP_DEFAULT pfs 'dh-group19'    set vpn ipsec esp-group ESP_DEFAULT proposal 10 encryption 'aes256gcm128'    set vpn ipsec esp-group ESP_DEFAULT proposal 10 hash 'sha256' -  set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection action 'restart' +  set vpn ipsec ike-group IKEv2_DEFAULT close-action 'none' +  set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection action 'hold'    set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection interval '30'    set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection timeout '120' +  set vpn ipsec ike-group IKEv2_DEFAULT disable-mobike    set vpn ipsec ike-group IKEv2_DEFAULT key-exchange 'ikev2'    set vpn ipsec ike-group IKEv2_DEFAULT lifetime '10800' -  set vpn ipsec ike-group IKEv2_DEFAULT disable-mobike    set vpn ipsec ike-group IKEv2_DEFAULT proposal 10 dh-group '19'    set vpn ipsec ike-group IKEv2_DEFAULT proposal 10 encryption 'aes256gcm128'    set vpn ipsec ike-group IKEv2_DEFAULT proposal 10 hash 'sha256'    set vpn ipsec interface 'eth0.202' -  set vpn ipsec site-to-site peer OFFICE-A authentication local-id '172.18.202.10' -  set vpn ipsec site-to-site peer OFFICE-A authentication mode 'pre-shared-secret' -  set vpn ipsec site-to-site peer OFFICE-A authentication 
remote-id '172.18.201.10' -  set vpn ipsec site-to-site peer OFFICE-A connection-type 'initiate' -  set vpn ipsec site-to-site peer OFFICE-A ike-group 'IKEv2_DEFAULT' -  set vpn ipsec site-to-site peer OFFICE-A local-address '172.18.202.10' -  set vpn ipsec site-to-site peer OFFICE-A remote-address '172.18.201.10' -  set vpn ipsec site-to-site peer OFFICE-A vti bind 'vti10' -  set vpn ipsec site-to-site peer OFFICE-A vti esp-group 'ESP_DEFAULT' +  set vpn ipsec site-to-site peer peer_172-18-201-10 authentication local-id '172.18.202.10' +  set vpn ipsec site-to-site peer peer_172-18-201-10 authentication mode 'pre-shared-secret' +  set vpn ipsec site-to-site peer peer_172-18-201-10 authentication remote-id '172.18.201.10' +  set vpn ipsec site-to-site peer peer_172-18-201-10 connection-type 'initiate' +  set vpn ipsec site-to-site peer peer_172-18-201-10 ike-group 'IKEv2_DEFAULT' +  set vpn ipsec site-to-site peer peer_172-18-201-10 ikev2-reauth 'inherit' +  set vpn ipsec site-to-site peer peer_172-18-201-10 local-address '172.18.202.10' +  set vpn ipsec site-to-site peer peer_172-18-201-10 remote-address '172.18.201.10' +  set vpn ipsec site-to-site peer peer_172-18-201-10 vti bind 'vti10' +  set vpn ipsec site-to-site peer peer_172-18-201-10 vti esp-group 'ESP_DEFAULT'    set protocols static interface-route 10.0.11.0/24 next-hop-interface vti10 
@@ -379,44 +384,44 @@ Key Parameters:  * ``authentication local-id/remote-id`` - IKE identification is used for    validation of VPN peer devices during IKE negotiation. If you do not configure -  local/remote-identity, the device uses the IPv4 or IPv6 address that  +  local/remote-identity, the device uses the IPv4 or IPv6 address that    corresponds to the local/remote peer by default. -  In certain network setups (like ipsec interface with dynamic address, or  -  behind the NAT ), the IKE ID received from the peer does not match the IKE  -  gateway configured on the device. This can lead to a Phase 1 validation  +  In certain network setups (like ipsec interface with dynamic address, or +  behind the NAT ), the IKE ID received from the peer does not match the IKE +  gateway configured on the device. This can lead to a Phase 1 validation    failure. -  So, make sure to configure the local/remote id explicitly and ensure that the  +  So, make sure to configure the local/remote id explicitly and ensure that the    IKE ID is the same as the remote-identity configured on the peer device.  * ``disable-route-autoinstall`` - This option when configured disables the    routes installed in the default table 220 for site-to-site ipsec.    It is mostly used with VTI configuration. -* ``dead-peer-detection action = clear | hold | restart`` - R_U_THERE  -  notification messages(IKEv1) or empty INFORMATIONAL messages (IKEv2)  -  are periodically sent in order to check the liveliness of the IPsec peer. The  -  values clear, hold, and restart all activate DPD and determine the action to  +* ``dead-peer-detection action = clear | hold | restart`` - R_U_THERE +  notification messages(IKEv1) or empty INFORMATIONAL messages (IKEv2) +  are periodically sent in order to check the liveliness of the IPsec peer. The +  values clear, hold, and restart all activate DPD and determine the action to    perform on a timeout. 
-  With ``clear`` the connection is closed with no further actions taken.  -  ``hold`` installs a trap policy, which will catch matching traffic and tries  -  to re-negotiate the connection on demand.  -  ``restart`` will immediately trigger an attempt to re-negotiate the  +  With ``clear`` the connection is closed with no further actions taken. +  ``hold`` installs a trap policy, which will catch matching traffic and tries +  to re-negotiate the connection on demand. +  ``restart`` will immediately trigger an attempt to re-negotiate the    connection. -* ``close-action = none | clear | hold | restart`` - defines the action to take  -  if the remote peer unexpectedly closes a CHILD_SA (see above for meaning of  +* ``close-action = none | clear | hold | restart`` - defines the action to take +  if the remote peer unexpectedly closes a CHILD_SA (see above for meaning of    values). A closeaction should not be used if the peer uses reauthentication or    uniqueids. -   -  When the close-action option is set on the peers, the connection-type  + +  When the close-action option is set on the peers, the connection-type    of each peer has to considered carefully. For example, if the option is set -  on both peers, then both would attempt to initiate and hold open multiple  -  copies of each child SA. This might lead to instability of the device or  -  cpu/memory utilization.    -   -  Below flow-chart could be a quick reference for the close-action  -  combination depending on how the peer is configured.    +  on both peers, then both would attempt to initiate and hold open multiple +  copies of each child SA. This might lead to instability of the device or +  cpu/memory utilization. + +  Below flow-chart could be a quick reference for the close-action +  combination depending on how the peer is configured.  .. figure:: /_static/images/IPSec_close_action_settings.jpg -    +    Similar combinations are applicable for the dead-peer-detection. 
diff --git a/docs/configuration/vpn/sstp.rst b/docs/configuration/vpn/sstp.rst index f3e062fe..d9bb4353 100644 --- a/docs/configuration/vpn/sstp.rst +++ b/docs/configuration/vpn/sstp.rst @@ -116,9 +116,20 @@ Configuration    Specifies the port `<port>` that the SSTP port will listen on (default 443). -.. cfgcmd:: set vpn sstp client-ip-pool subnet <subnet> +.. cfgcmd:: set vpn sstp client-ip-pool <POOL-NAME> range <x.x.x.x-x.x.x.x | x.x.x.x/x> -  Use `<subnet>` as the IP pool for all connecting clients. +   Use this command to define the first IP address of a pool of +   addresses to be given to SSTP clients. If notation ``x.x.x.x-x.x.x.x``, +   it must be within a /24 subnet. If notation ``x.x.x.x/x`` is +   used there is possibility to set host/netmask. + +.. cfgcmd:: set vpn sstp client-ip-pool <POOL-NAME> next-pool <NEXT-POOL-NAME> + +   Use this command to define the next address pool name. + +.. cfgcmd:: set vpn sstp default-pool <POOL-NAME> + +   Use this command to define default address pool name.  .. cfgcmd:: set vpn sstp client-ipv6-pool prefix <address> mask <number-of-bits> @@ -282,7 +293,8 @@ Example    set vpn sstp authentication local-users username vyos password vyos    set vpn sstp authentication mode local    set vpn sstp gateway-address 192.0.2.254 -  set vpn sstp client-ip-pool subnet 192.0.2.0/25 +  set vpn sstp client-ip-pool SSTP-POOL range 192.0.2.0/25 +  set vpn sstp default-pool 'SSTP-POOL'    set vpn sstp name-server 10.0.0.1    set vpn sstp name-server 10.0.0.2    set vpn sstp ssl ca-cert-file /config/auth/ca.crt | 
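Review bot: In the l2tp.rst hunk at `@@ -17,8 +17,8 @@`, the quoting of the new lines is mixed: `client-ip-pool L2TP-POOL range 192.168.255.2-192.168.255.254` is unquoted while `default-pool 'L2TP-POOL'` quotes the pool name, and the surrounding lines of that block (`outside-address 192.0.2.2`, `pre-shared-secret <secret>`) are unquoted. VyOS accepts both, but the examples are copy-pasted by readers, so pick one style per block; `set vpn l2tp remote-access default-pool L2TP-POOL` would match the rest of this block. The same applies to the `@@ -95` and `@@ -122` hunks of the same file.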
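Review bot: In the openconnect.rst hunk at `@@ -165,6 +165,13 @@`, the sentence "To enable the HTTP security headers in the configuration file" tells the reader neither what the option does nor why they would want it: state that the command makes ocserv send its HTTP security headers to clients and which class of client-side risk those headers reduce, and drop "in the configuration file", which is ambiguous (the VyOS config versus the generated ocserv config). Since sstp.rst in this same patch documents new options with `.. cfgcmd::`, consider `.. cfgcmd:: set vpn openconnect http-security-headers` with an indented description instead of a bare prose sentence plus `code-block`, so the option shows up in the generated command reference. The two added trailing blank lines before the "Adding a 2FA with an OTP-key" heading should also be reduced to one.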
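Review bot: In the pptp.rst hunk at `@@ -20,8 +20,8 @@`, every other value in this example is single-quoted (`'test'`, `'local'`, `'10.100.100.1'`, `'10.1.1.120'`), but the new `client-ip-pool PPTP-POOL range 192.168.0.10-192.168.0.15` line is not, while the following `default-pool 'PPTP-POOL'` is. Quote the range (`range '192.168.0.10-192.168.0.15'`) or unquote consistently so the block reads as one style.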
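Review bot: In the site2site_ipsec.rst hunk at `@@ -10,8 +10,8 @@`, the two lines are rewritten only to strip trailing whitespace, but they still carry the typo "hypen" and the awkward "must be an alphanumeric"; since the lines are being touched anyway, make them read "The peer name must be alphanumeric and can contain a hyphen or underscore as special characters. It is purely informational."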
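Review bot: In the site2site_ipsec.rst hunk at `@@ -20,11 +20,11 @@`, the touched lines keep "static ID's for authentication" (should be "static IDs") and "Used if configured mode ``pre-shared-secret``", which is missing its subject; suggest "Used when the authentication mode is ``pre-shared-secret``." Both lines are already being rewritten for whitespace, so the wording fix costs nothing here.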
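Review bot: In the site2site_ipsec.rst hunk at `@@ -149,9 +149,9 @@`, the context line "``esp-group`` - define ESP group for encrypt traffic, passed this VTI interface" is ungrammatical; while this region is being cleaned up, rewrite it as "``esp-group`` - ESP group used to encrypt traffic passed through this VTI interface." The `virtual-address` lines that the hunk rewrites are fine as whitespace-only changes.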
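Review bot: In the site2site_ipsec.rst hunk at `@@ -308,31 +308,35 @@`, the line `set vpn ipsec option disable-route-autoinstall` is removed from the Office A example, yet the example still binds the peer to `vti10` and routes `10.0.12.0/24` over it with a static interface-route, and the Key Parameters section later in this same patch still says of `disable-route-autoinstall` that "It is mostly used with VTI configuration." Either keep the option in the example or add a sentence explaining why a VTI setup no longer needs it; as the patch stands the example and the parameter description contradict each other. Secondly, `connection-type` for this peer changes from `'respond'` to `'initiate'`, so after this patch both offices initiate; the Key Parameters text warns that "the connection-type of each peer has to considered carefully", so a sentence saying that both-initiate is acceptable here because `close-action` is `'none'` would stop readers from copying a combination the text appears to warn against. Lastly, the rename from `OFFICE-B` to `peer_172-18-202-10` is consistent within the block, but the lines now wrap well past 80 columns in the rendered page; a shorter name such as `OFFICE-B` was easier to read and equally valid under the "hyphen or underscore" naming rule documented above.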
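Review bot: In the site2site_ipsec.rst hunk at `@@ -344,34 +348,35 @@`, `dead-peer-detection action` changes from `'restart'` to `'hold'` without the prose being updated: the Key Parameters section explains that `restart` immediately re-negotiates while `hold` only re-negotiates on matching traffic, and closes with "Similar combinations are applicable for the dead-peer-detection", so the example should say why `hold` on both peers is the recommended pairing now that both peers are `'initiate'` (one line such as "with both peers initiating, `hold` avoids both sides racing to rebuild the SA" would do). Same remark as for Office A on the dropped `disable-route-autoinstall` with a VTI-bound peer. Minor: the two `authentication psk peer_172-18-201-10 id` lines are in the opposite order to the Office A block (`172.18.202.10` first, then `172.18.201.10`); listing local id first on both sides makes the two configs easier to diff against each other.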
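Review bot: In the site2site_ipsec.rst hunk at `@@ -379,44 +384,44 @@`, almost every touched line is a trailing-whitespace change, but several of them still contain errors that should be fixed in the same pass: "notification messages(IKEv1)" needs a space before the parenthesis, "liveliness of the IPsec peer" should be "liveness", "behind the NAT )" should be "behind NAT)", "A closeaction should not be used" should be "A close-action should not be used", "the connection-type of each peer has to considered carefully" is missing "be", and "Below flow-chart could be a quick reference" reads better as "The flow chart below is a quick reference". Also confirm that removing the trailing-whitespace line directly after `.. figure:: /_static/images/IPSec_close_action_settings.jpg` leaves a blank line before "Similar combinations are applicable for the dead-peer-detection.", otherwise Sphinx will parse that sentence as the figure's caption.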
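Review bot: In the sstp.rst hunk at `@@ -116,9 +116,20 @@`, the new description for `set vpn sstp client-ip-pool <POOL-NAME> range <x.x.x.x-x.x.x.x | x.x.x.x/x>` says "Use this command to define the first IP address of a pool of addresses", but the command takes a whole range or subnet, not a first address; this text looks copied from an older `start` option and will mislead readers. Suggest: "Use this command to define a pool of addresses handed out to SSTP clients. With the ``x.x.x.x-x.x.x.x`` notation the range must lie within a single /24; with the ``x.x.x.x/x`` notation the pool is given as a subnet." The sentence "there is possibility to set host/netmask" should go with it. Two formatting points: the new cfgcmd bodies are indented three spaces while the existing body above ("Specifies the port `<port>` ...") uses two, so the rendering will differ, and the existing text marks placeholders as `<subnet>` in backticks while the new directives use bare `<POOL-NAME>`. Finally, "define default address pool name" should read "define the default address pool", and it would help to state what happens to a client when `default-pool` is not set.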
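Review bot: In the sstp.rst hunk at `@@ -282,7 +293,8 @@`, the example pool `range 192.0.2.0/25` includes the network address `192.0.2.0`; the new cfgcmd text above does not say whether a subnet-notation pool skips the network and broadcast addresses, so either document that or use the `x.x.x.x-x.x.x.x` form in the example (for instance `192.0.2.1-192.0.2.126`) so the handed-out addresses are unambiguous. The quoting is also mixed within the block (`SSTP-POOL` unquoted on the pool line, `'SSTP-POOL'` quoted on the `default-pool` line, `192.0.2.254` unquoted above), as in the l2tp and pptp hunks.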
