summaryrefslogtreecommitdiff
path: root/docs/configuration/vpn
diff options
context:
space:
mode:
authorYuriy Andamasov <yuriy@vyos.io>2026-04-21 20:35:22 +0300
committerYuriy Andamasov <yuriy@vyos.io>2026-04-21 20:35:22 +0300
commitd0a0fd4998b35af5b4e59374a5706ffeb27c7ee5 (patch)
treebebe87c3f28f8f7bb8aaa2fbdd091749f629f95b /docs/configuration/vpn
parent5d4cdc95200e8ef8fa9ef0f52c5607b76e980692 (diff)
downloadvyos-documentation-d0a0fd4998b35af5b4e59374a5706ffeb27c7ee5.tar.gz
vyos-documentation-d0a0fd4998b35af5b4e59374a5706ffeb27c7ee5.zip
fix: resolve all line-length lint warnings across 14 RST files
Wrap prose lines exceeding 80 chars and apply stop/start_vyoslinter markers around cfgcmd/opcmd directive lines that cannot be shortened (e.g. long option names with placeholder arguments). Affected files: bonding, wireguard, pim, conntrack-sync, dmvpn, ipsec_general, site2site_ipsec, vrf/index, bare-metal, inter-vrf-routing-vrf-lite, lac-lns, tunnelbroker, OpenVPN_with_LDAP, dmvpn-dualhub-dualcloud. 🤖 Generated by [robots](https://vyos.io)
Diffstat (limited to 'docs/configuration/vpn')
-rw-r--r--docs/configuration/vpn/dmvpn.rst60
-rw-r--r--docs/configuration/vpn/ipsec/ipsec_general.rst20
-rw-r--r--docs/configuration/vpn/ipsec/site2site_ipsec.rst24
3 files changed, 74 insertions, 30 deletions
diff --git a/docs/configuration/vpn/dmvpn.rst b/docs/configuration/vpn/dmvpn.rst
index dc796fe8..30398a25 100644
--- a/docs/configuration/vpn/dmvpn.rst
+++ b/docs/configuration/vpn/dmvpn.rst
@@ -64,9 +64,10 @@ To create NBMA GRE tunnel you might use the following:
* Please refer to the :ref:`tunnel-interface` documentation for the individual
tunnel related options.
- .. note:: The IP-address is assigned as host prefix to tunnel interface.
- NHRP will automatically create additional host routes pointing to tunnel interface
- when a connection with these hosts is established.
+ .. note:: The IP-address is assigned as host prefix to tunnel
+ interface. NHRP will automatically create additional host routes
+ pointing to tunnel interface when a connection with these hosts is
+ established.
The tunnel interface subnet prefix should be announced by routing protocol
from the hub nodes (e.g. BGP ‘network’ announce). This allows the routing
@@ -112,46 +113,57 @@ NHRP protocol configuration
* **network-id** - NHRP network id <1-4294967295>
- Enable NHRP on this interface and set the interface’s network ID. The network ID
- is used to allow creating multiple nhrp domains on a router when multiple interfaces
- are configured on the router. Interfaces configured with the same ID are part of the
- same logical NBMA network. The ID is a local only parameter and is not sent to other
- NHRP nodes and so IDs on different nodes do not need to match. When NHRP packets are
- received on an interface they are assigned to the local NHRP domain for that interface.
+ Enable NHRP on this interface and set the interface’s network ID.
+ The network ID is used to allow creating multiple nhrp domains on a
+ router when multiple interfaces are configured on the router.
+ Interfaces configured with the same ID are part of the same logical
+ NBMA network. The ID is a local only parameter and is not sent to
+ other NHRP nodes and so IDs on different nodes do not need to match.
+ When NHRP packets are received on an interface they are assigned to
+ the local NHRP domain for that interface.
+
+.. stop_vyoslinter
.. cfgcmd:: set protocols nhrp tunnel <tunnel> nhs tunnel-ip <tunnel-ip> nbma <nbma-ip>
* **tunnel-ip** - Tunnel ip address in format **x.x.x.x** or **dynamic**
* **nbma-ip** - NBMA ip address in format **x.x.x.x**
- Configure the Next Hop Server address and its NBMA address. If dynamic is specified
- then Next Hop Server can have dynamic address which maps to its NBMA address.
+ Configure the Next Hop Server address and its NBMA address. If
+ dynamic is specified then Next Hop Server can have dynamic address
+ which maps to its NBMA address.
+
+.. start_vyoslinter
.. cfgcmd:: set protocols nhrp tunnel <tunnel> redirect
- This enable redirect replies on the NHS similar to ICMP redirects except this is
- managed by the nhrp protocol. This setting allows spokes to communicate with each
- others directly.
+ This enable redirect replies on the NHS similar to ICMP redirects
+ except this is managed by the nhrp protocol. This setting allows
+ spokes to communicate with each others directly.
.. cfgcmd:: set protocols nhrp tunnel <tunnel> registration-no-unique
- Allow the client to not set the unique flag in the NHRP packets. This is useful when
- a station has a dynamic IP address that could change over time.
+ Allow the client to not set the unique flag in the NHRP packets.
+ This is useful when a station has a dynamic IP address that could
+ change over time.
.. cfgcmd:: set protocols nhrp tunnel <tunnel> shortcut
- Enable shortcut (spoke-to-spoke) tunnels to allow NHC to talk to each others directly
- after establishing a connection without going through the hub.
+ Enable shortcut (spoke-to-spoke) tunnels to allow NHC to talk to
+ each others directly after establishing a connection without going
+ through the hub.
IPSEC configuration
==============================
-* Please refer to the :ref:`ipsec_general` documentation for the individual IPSec
- related options.
+* Please refer to the :ref:`ipsec_general` documentation for the
+ individual IPSec related options.
-.. note:: NHRP daemon based on FRR nhrpd. It controls IPSEC. That's why 'close-action'
- parameter in IKE configuration always is set to 'close' and 'dead-peer-detection action'
- always is set to 'clear'.
+.. note:: NHRP daemon based on FRR nhrpd. It controls IPSEC. That's
+ why 'close-action' parameter in IKE configuration always is set to
+ 'close' and 'dead-peer-detection action' always is set to 'clear'.
+
+.. stop_vyoslinter
.. cfgcmd:: set vpn ipsec profile <profile-name> authentication mode pre-shared-secret
@@ -161,6 +173,8 @@ IPSEC configuration
Set preshared secret
+.. start_vyoslinter
+
.. cfgcmd:: set vpn ipsec profile <profile-name> bind tunnel <tunnel name>
Bind IPSEC profile to the specific tunnel interface.
diff --git a/docs/configuration/vpn/ipsec/ipsec_general.rst b/docs/configuration/vpn/ipsec/ipsec_general.rst
index a9a1eb0f..3d21b81d 100644
--- a/docs/configuration/vpn/ipsec/ipsec_general.rst
+++ b/docs/configuration/vpn/ipsec/ipsec_general.rst
@@ -143,8 +143,9 @@ You can view the PPK column for information on if PPK is configured, and
if it is in use. The output is in the format of ``<configured> / <in use>``.
The options for configured are none if not conifugred, opt if configured
but optional, and req is configured and required. The in use will show yes
-Possible values of the ``configured`` field are ``none`` if not conifgured, ``opt`` if configured
-but optional, and ``req`` is configured and required. The in use will show yes
+Possible values of the ``configured`` field are ``none`` if not
+conifgured, ``opt`` if configured but optional, and ``req`` is
+configured and required. The in use will show yes
@@ -200,6 +201,8 @@ VyOS IKE group has the next options:
* **aggressive** - Use Aggressive mode for Key Exchanges in the IKEv1
protocol aggressive mode is much more insecure compared to Main mode.
+.. stop_vyoslinter
+
.. cfgcmd:: set vpn ipsec ike-group <name> proposal <number> dh-group <dh-group number>
Dh-group. Default value is **2**.
@@ -208,6 +211,8 @@ VyOS IKE group has the next options:
Encryption algorithm. Default value is **aes128**.
+.. start_vyoslinter
+
.. cfgcmd:: set vpn ipsec ike-group <name> proposal <number> hash <hash>
Hash algorithm. Default value is **sha1**.
@@ -232,10 +237,14 @@ DPD (Dead Peer Detection) Configuration
* **restart** - Immediately tries to re-negotiate the CHILD_SA
under a fresh IKE_SA.
+.. stop_vyoslinter
+
.. cfgcmd:: set vpn ipsec ike-group <name> dead-peer-detection interval <interval>
Keep-alive interval in seconds <2-86400> (default 30).
+.. start_vyoslinter
+
.. cfgcmd:: set vpn ipsec ike-group <name> dead-peer-detection timeout <timeout>
Keep-alive timeout in seconds <2-86400> (default 120) **IKEv1 only**
@@ -292,10 +301,14 @@ VyOS ESP group has the next options:
* **disable** - Disable PFS.
* **<dh-group>** - Defines a Diffie-Hellman group for PFS.
+.. stop_vyoslinter
+
.. cfgcmd:: set vpn ipsec esp-group <name> proposal <number> encryption <encryption>
Encryption algorithm. Default value is **aes128**.
+.. start_vyoslinter
+
.. cfgcmd:: set vpn ipsec esp-group <name> proposal <number> hash <hash>
Hash algorithm. Default value is **sha1**.
@@ -351,7 +364,8 @@ Options
IKEv2 Retransmission
====================
-If the peer does not respond on DPD packet, the router starts retransmission procedure.
+If the peer does not respond on DPD packet, the router starts the
+retransmission procedure.
The following formula is used to calculate the timeout:
diff --git a/docs/configuration/vpn/ipsec/site2site_ipsec.rst b/docs/configuration/vpn/ipsec/site2site_ipsec.rst
index 628b8e9d..9f8231e7 100644
--- a/docs/configuration/vpn/ipsec/site2site_ipsec.rst
+++ b/docs/configuration/vpn/ipsec/site2site_ipsec.rst
@@ -78,7 +78,8 @@ Tunnel information:
* If Route based VPN is used
* IP of the VTI interface is 10.0.0.1/30
-.. note:: We do not recommend using policy-based vpn and route-based vpn configurations to the same peer.
+.. note:: We do not recommend using policy-based vpn and route-based
+ vpn configurations to the same peer.
**1. Configure ike-group (IKE Phase 1)**
@@ -108,7 +109,8 @@ Tunnel information:
set vpn ipsec interface eth0
-**4. Configure PSK keys and authentication ids for this key if authentication type is PSK**
+**4. Configure PSK keys and authentication ids for this key if
+authentication type is PSK**
.. code-block:: none
@@ -146,14 +148,16 @@ To set base64 secret encode plaintext password to base64 and set secret-type
**6. Depends to vpn type (route-based vpn or policy-based vpn).**
- **6.1 For Policy-based VPN configure SAs using tunnel command specifying remote and local networks.**
+ **6.1 For Policy-based VPN configure SAs using tunnel command
+ specifying remote and local networks.**
.. code-block:: none
set vpn ipsec site-to-site peer PEER1 tunnel 1 local prefix '192.168.10.0/24'
set vpn ipsec site-to-site peer PEER1 tunnel 1 remote prefix '192.168.50.0/24'
- **6.2 For Route-based VPN create VTI interface, set IP address to this interface and bind this interface to the vpn peer.**
+ **6.2 For Route-based VPN create VTI interface, set IP address to
+ this interface and bind this interface to the vpn peer.**
.. code-block:: none
@@ -243,6 +247,8 @@ Peer Authentication Commands
address. Useful in case if the remote peer is behind NAT
or if ``mode x509`` is used.
+.. stop_vyoslinter
+
.. cfgcmd:: set vpn ipsec site-to-site peer <name> authentication rsa local-key <key>
Name of PKI key-pair with local private key.
@@ -270,6 +276,8 @@ Peer Authentication Commands
Name of certificate in PKI configuration, which will be used
for authenticating local router on remote peer.
+.. start_vyoslinter
+
.. cfgcmd:: set vpn ipsec authentication x509 passphrase <passphrase>
Private key passphrase, if needed.
@@ -370,6 +378,8 @@ Policy-Based CHILD SAs Configuration Commands
Every configured tunnel under peer configuration is a new CHILD SA.
+.. stop_vyoslinter
+
.. cfgcmd:: set vpn ipsec site-to-site peer <name> tunnel <number> disable
Disable this tunnel.
@@ -406,6 +416,8 @@ Every configured tunnel under peer configuration is a new CHILD SA.
Remote port number. Have effect only when used together with
``prefix``.
+.. start_vyoslinter
+
Route-Based CHILD SAs Configuration Commands
"""""""""""""""""""""""""""""""""""""""""""""
@@ -435,6 +447,8 @@ for each remote network.
Traffic-selectors parameters for traffic that should pass via vti
interface.
+.. stop_vyoslinter
+
.. cfgcmd:: set vpn ipsec site-to-site peer <name> vti traffic-selector local prefix <network>
Local prefix for interesting traffic.
@@ -443,6 +457,8 @@ interface.
Remote prefix for interesting traffic.
+.. start_vyoslinter
+
IPsec Op-mode Commands
======================