 -rw-r--r--  docs/automation/vyos-api.rst          |  5
 -rw-r--r--  docs/configuration/protocols/bgp.rst  | 50
 -rw-r--r--  docs/configuration/vpn/l2tp.rst       |  2
 -rw-r--r--  docs/configuration/vpn/sstp.rst       | 71
4 files changed, 107 insertions, 21 deletions
| diff --git a/docs/automation/vyos-api.rst b/docs/automation/vyos-api.rst index afcc1767..8fad05ca 100644 --- a/docs/automation/vyos-api.rst +++ b/docs/automation/vyos-api.rst @@ -250,13 +250,14 @@ The ``generate`` endpoint run a ``generate`` command.  .. code-block:: none     curl -k --location --request POST 'https://vyos/generate' \ -   --form data='{"op": "generate", "path": ["wireguard", "default-keypair"]}' \ +   --form data='{"op": "generate", "path": ["pki", "wireguard", "key-pair"]}' \     --form key='MY-HTTPS-API-PLAINTEXT-KEY'     response:     {        "success": true, -      "data": "", +      "data": "Private key: CFZR2eyhoVZwk4n3JFPMJx3E145f1EYgDM+ubytXYVY=\n +               Public key: jjtpPT8ycI1Q0bNtrWuxAkO4k88Xwzg5VHV9xGZ58lU=\n\n",        "error": null     } diff --git a/docs/configuration/protocols/bgp.rst b/docs/configuration/protocols/bgp.rst index 8fc69111..3c983aae 100644 --- a/docs/configuration/protocols/bgp.rst +++ b/docs/configuration/protocols/bgp.rst 
@@ -209,35 +209,35 @@ Defining Peers  .. cfgcmd:: set protocols bgp neighbor <address|interface> local-role     <role> [strict] -   BGP roles are defined in RFC :rfc:`9234` and provide an easy way to  -   add route leak prevention, detection and mitigation. The local Role  -   value is negotiated with the new BGP Role capability which has a  -   built-in check of the corresponding value. In case of a mismatch the  +   BGP roles are defined in RFC :rfc:`9234` and provide an easy way to +   add route leak prevention, detection and mitigation. The local Role +   value is negotiated with the new BGP Role capability which has a +   built-in check of the corresponding value. In case of a mismatch the     new OPEN Roles Mismatch Notification <2, 11> would be sent.     The correct Role pairs are: -    +     Provider - Customer     Peer - Peer     RS-Server - RS-Client -   If :cfgcmd:`strict` is set the BGP session won’t become established  -   until the BGP neighbor sets local Role on its side. This  +   If :cfgcmd:`strict` is set the BGP session won’t become established +   until the BGP neighbor sets local Role on its side. This     configuration parameter is defined in RFC :rfc:`9234` and is used to     enforce the corresponding configuration at your counter-parts side. -    -   Routes that are sent from provider, rs-server, or the peer local-role  -   (or if received by customer, rs-client, or the peer local-role) will  + +   Routes that are sent from provider, rs-server, or the peer local-role +   (or if received by customer, rs-client, or the peer local-role) will     be marked with a new Only to Customer (OTC) attribute. -    +     Routes with this attribute can only be sent to your neighbor if your     local-role is provider or rs-server. Routes with this attribute can -   be received only if your local-role is customer or rs-client.  -    +   be received only if your local-role is customer or rs-client. 
+     In case of peer-peer relationship routes can be received only if OTC     value is equal to your neighbor AS number. -    +     All these rules with OTC will help to detect and mitigate route leaks     and happen automatically if local-role is set. @@ -584,6 +584,12 @@ General Configuration  Common parameters  ^^^^^^^^^^^^^^^^^ +.. cfgcmd:: set protocols bgp parameters allow-martian-nexthop + +   When a peer receives a martian nexthop as part of the NLRI for a route +   permit the nexthop to be used as such, instead of rejecting and resetting +   the connection. +  .. cfgcmd:: set protocols bgp parameters router-id <id>     This command specifies the router-ID. If router ID is not specified it will @@ -598,6 +604,12 @@ Common parameters     Path (both AS number and AS path length), Origin code, MED, IGP     metric. Also, the next hop address for each path must be different. +.. cfgcmd:: set protocols bgp parameters no-hard-administrative-reset + +   Do not send Hard Reset CEASE Notification for "Administrative Reset" +   events. When set and Graceful Restart Notification capability is exchanged +   between the peers, Graceful Restart procedures apply, and routes will be retained. +  .. cfgcmd:: set protocols bgp parameters log-neighbor-changes     This command enable logging neighbor up/down changes and reset reason. @@ -643,6 +655,16 @@ Common parameters     compatibility with older versions of VyOS. With this option one can     enable :rfc:`8212` functionality to operate. +.. cfgcmd:: set protocols bgp parameters labeled-unicast <explicit-null | +   ipv4-explicit-null | ipv6-explicit-null> + +   By default, locally advertised prefixes use the implicit-null label to +   encode in the outgoing NLRI. + +   The following command uses the explicit-null label value for all the +   BGP instances. + +  Administrative Distance  ^^^^^^^^^^^^^^^^^^^^^^^ diff --git a/docs/configuration/vpn/l2tp.rst b/docs/configuration/vpn/l2tp.rst index 4a7657e7..ce3b6711 100644 
--- a/docs/configuration/vpn/l2tp.rst +++ b/docs/configuration/vpn/l2tp.rst @@ -98,7 +98,7 @@ Below is an example to configure a LNS:    set vpn l2tp remote-access client-ip-pool L2TP-POOL range 192.168.255.2-192.168.255.254    set vpn l2tp remote-access default-pool 'L2TP-POOL'    set vpn l2tp remote-access lns shared-secret 'secret' -  set vpn l2tp remote-access ccp-disable +  set vpn l2tp remote-access ppp-options disable-ccp    set vpn l2tp remote-access authentication mode local    set vpn l2tp remote-access authentication local-users username test password 'test' diff --git a/docs/configuration/vpn/sstp.rst b/docs/configuration/vpn/sstp.rst index 2c5cef6d..a9def827 100644 --- a/docs/configuration/vpn/sstp.rst +++ b/docs/configuration/vpn/sstp.rst 
@@ -179,35 +179,98 @@ SSL Certificates  PPP Settings  ------------ +.. cfgcmd:: set vpn sstp ppp-options disable-ccp + +  Disable Compression Control Protocol (CCP). +  CCP is enabled by default. + +.. cfgcmd:: set vpn sstp ppp-options interface-cache <number> + +  Specifies number of interfaces to keep in cache. It means that don’t +  destroy interface after corresponding session is destroyed, instead +  place it to cache and use it later for new sessions repeatedly. +  This should reduce kernel-level interface creation/deletion rate lack. +  Default value is **0**. + +.. cfgcmd:: set vpn sstp ppp-options ipv4 <require | prefer | allow | deny> + +  Specifies IPv4 negotiation preference. + +  * **require** - Require IPv4 negotiation +  * **prefer** - Ask client for IPv4 negotiation, do not fail if it rejects +  * **allow** - Negotiate IPv4 only if client requests (Default value) +  * **deny** - Do not negotiate IPv4 + +.. cfgcmd:: set vpn sstp ppp-options ipv6 <require | prefer | allow | deny> + +  Specifies IPv6 negotiation preference. + +  * **require** - Require IPv6 negotiation +  * **prefer** - Ask client for IPv6 negotiation, do not fail if it rejects +  * **allow** - Negotiate IPv6 only if client requests +  * **deny** - Do not negotiate IPv6 (default value) + +.. cfgcmd:: set vpn sstp ppp-options ipv6-accept-peer-interface-id + +  Accept peer interface identifier. By default is not defined. + +.. cfgcmd:: set vpn sstp ppp-options ipv6-interface-id <random | x:x:x:x> + +  Specifies fixed or random interface identifier for IPv6. +  By default is fixed. + +  * **random** - Random interface identifier for IPv6 +  * **x:x:x:x** - Specify interface identifier for IPv6 + +.. cfgcmd:: set vpn sstp ppp-options ipv6-interface-id <random | x:x:x:x> + +  Specifies peer interface identifier for IPv6. By default is fixed. 
+ +  * **random** - Random interface identifier for IPv6 +  * **x:x:x:x** - Specify interface identifier for IPv6 +  * **ipv4-addr** - Calculate interface identifier from IPv4 address. +  * **calling-sid** - Calculate interface identifier from calling-station-id. +  .. cfgcmd:: set vpn sstp ppp-options lcp-echo-failure <number>    Defines the maximum `<number>` of unanswered echo requests. Upon reaching the -  value `<number>`, the session will be reset. +  value `<number>`, the session will be reset. Default value is **3**.  .. cfgcmd:: set vpn sstp ppp-options lcp-echo-interval <interval>    If this option is specified and is greater than 0, then the PPP module will    send LCP pings of the echo request every `<interval>` seconds. +  Default value is **30**.  .. cfgcmd:: set vpn sstp ppp-options lcp-echo-timeout    Specifies timeout in seconds to wait for any peer activity. If this option    specified it turns on adaptive lcp echo functionality and "lcp-echo-failure" -  is not used. +  is not used. Default value is **0**. + +.. cfgcmd:: set vpn sstp ppp-options min-mtu <number> + +  Defines minimum acceptable MTU. If client will try to negotiate less then +  specified MTU then it will be NAKed or disconnected if rejects greater MTU. +  Default value is **100**.  .. cfgcmd:: set vpn sstp ppp-options mppe <require | prefer | deny> -  Specifies :abbr:`MPPE (Microsoft Point-to-Point Encryption)` negotioation +  Specifies :abbr:`MPPE (Microsoft Point-to-Point Encryption)` negotiation    preference.    * **require** - ask client for mppe, if it rejects drop connection -  * **prefer** - ask client for mppe, if it rejects don't fail +  * **prefer** - ask client for mppe, if it rejects don't fail. (Default value)    * **deny** - deny mppe    Default behavior - don't ask client for mppe, but allow it if client wants.    Please note that RADIUS may override this option by MS-MPPE-Encryption-Policy    attribute. +.. 
cfgcmd:: set vpn sstp ppp-options mru <number> + +  Defines preferred MRU. By default is not defined. +  RADIUS  ------ | 
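Review bot: in the vyos-api.rst hunk the new example response embeds a complete private key (`"data": "Private key: CFZR2eyhoVZwk4n3JFPMJx3E145f1EYgDM+ubytXYVY=\n ...`); even as sample output, label the two key values as placeholders or truncate them so nobody pastes them into a configuration, and since the endpoint returns the private key in the clear, the surrounding text should remind callers that the response body is key material to be handled accordingly. Also the `data` value is shown broken across two lines after `\n`; a raw line break inside a JSON string literal is not valid JSON, so either keep the value on one line or state that it is wrapped for readability.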
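Review bot: the first bgp.rst hunk (`@@ -209,35 +209,35 @@`) only strips trailing whitespace, which is fine but would be easier to review split from the content additions that follow. While these lines are being touched, the role pairs (`Provider - Customer`, `RS-Server - RS-Client`) could use the literal CLI values (`provider`, `customer`, `rs-server`, `rs-client`) that the next paragraph already uses, so readers can map the prose directly onto the `<role>` argument.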
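Review bot: the `allow-martian-nexthop` entry in bgp.rst should say why anyone would loosen the default, since rejecting a martian next hop and resetting the session is the safe behaviour and enabling the knob accepts routes whose next hop is an invalid address; one sentence on the intended use and a caution against enabling it on untrusted sessions would help. The sentence also needs a comma: `When a peer receives a martian nexthop as part of the NLRI for a route, permit the nexthop ...`.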
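Review bot: in the `no-hard-administrative-reset` hunk the line `between the peers, Graceful Restart procedures apply, and routes will be retained.` runs past the 80-column wrap used by the rest of the file; rewrap it. The entry should also state the default explicitly (a Hard Reset CEASE Notification is sent for "Administrative Reset" events unless this parameter is set) so the effect of the knob is unambiguous.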
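Review bot: in the `labeled-unicast` hunk, `The following command uses the explicit-null label value for all the BGP instances` refers to a command that is above it, not below, and it explains only `explicit-null`; describe what `ipv4-explicit-null` and `ipv6-explicit-null` select compared with plain `explicit-null`. The hunk also leaves two blank lines before the `Administrative Distance` heading where the file uses one.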
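Review bot: the l2tp.rst hunk renames `ccp-disable` to `ppp-options disable-ccp` only inside the LNS example; if l2tp.rst still carries a cfgcmd entry for `ccp-disable`, it needs the same rename, otherwise the example and the command reference disagree.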
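Review bot: in the sstp.rst hunk, `set vpn sstp ppp-options ipv6-interface-id <random | x:x:x:x>` is defined twice; the second entry describes the peer interface identifier and lists `ipv4-addr` and `calling-sid`, so it needs its own command name (the peer variant) and a value list that includes those two options. The `mppe` entry contradicts itself: `prefer` is now marked `(Default value)` while the next paragraph still says `Default behavior - don't ask client for mppe, but allow it if client wants`; keep whichever is true, since this decides whether PPP-level encryption is requested. Smaller fixes: `reduce kernel-level interface creation/deletion rate lack` is unclear (`reduce the rate of kernel-level interface creation and deletion`), `don't destroy interface after corresponding session is destroyed` reads better as `the interface is not destroyed when its session ends`, and `negotiate less then specified MTU` should be `less than`.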
