-rw-r--r--  docs/configuration/firewall/index.rst       | 6
-rw-r--r--  docs/configuration/interfaces/vti.rst       | 19
-rw-r--r--  docs/configuration/interfaces/wireguard.rst | 1
3 files changed, 25 insertions, 1 deletions
| diff --git a/docs/configuration/firewall/index.rst b/docs/configuration/firewall/index.rst index b4a884f0..c5be158f 100644 --- a/docs/configuration/firewall/index.rst +++ b/docs/configuration/firewall/index.rst @@ -490,6 +490,12 @@ Applying a Rule-Set to a Zone  Before you are able to apply a rule-set to a zone you have to create the zones  first. +It helps to think of the syntax as: (see below). The 'rule-set' should be  +written from the perspective of: *Source Zone*-to->*Destination Zone* + +.. cfgcmd::  set zone-policy zone <Destination Zone> from <Source Zone>  +   firewall name <rule-set> +  .. cfgcmd::  set zone-policy zone <name> from <name> firewall name     <rule-set>  .. cfgcmd::  set zone-policy zone <name> from <name> firewall ipv6-name diff --git a/docs/configuration/interfaces/vti.rst b/docs/configuration/interfaces/vti.rst index 34842866..1704b9d1 100644 --- a/docs/configuration/interfaces/vti.rst +++ b/docs/configuration/interfaces/vti.rst @@ -20,4 +20,21 @@ Results in:        address 192.168.2.249/30        address 2001:db8:2::249/64        description "Description" -  }
\ No newline at end of file +  } + +.. warning:: When using site-to-site IPsec with VTI interfaces, +   be sure to disable route autoinstall + +.. code-block:: none +   +  set vpn ipsec options disable-route-autoinstall + +More details about the IPsec and VTI issue and option disable-route-autoinstall +https://blog.vyos.io/vyos-1-dot-2-0-development-news-in-july + +The root cause of the problem is that for VTI tunnels to work, their traffic  +selectors have to be set to 0.0.0.0/0 for traffic to match the tunnel, even  +though actual routing decision is made according to netfilter marks. Unless  +route insertion is disabled entirely, StrongSWAN thus mistakenly inserts a  +default route through the VTI peer address, which makes all traffic routed  +to nowhere.
\ No newline at end of file diff --git a/docs/configuration/interfaces/wireguard.rst b/docs/configuration/interfaces/wireguard.rst index df6433c6..1c4b734c 100644 --- a/docs/configuration/interfaces/wireguard.rst +++ b/docs/configuration/interfaces/wireguard.rst @@ -151,6 +151,7 @@ below is always the public key from your peer, not your local one.  .. code-block:: none    set interfaces wireguard wg01 address '10.1.0.1/30' +  set interfaces wireguard wg01 description 'VPN-to-wg02'    set interfaces wireguard wg01 peer to-wg02 allowed-ips '192.168.2.0/24'    set interfaces wireguard wg01 peer to-wg02 address '192.0.2.1'    set interfaces wireguard wg01 peer to-wg02 port '51820' | 
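Review bot: in the docs/configuration/firewall/index.rst hunk, the new `.. cfgcmd::  set zone-policy zone <Destination Zone> from <Source Zone> firewall name <rule-set>` sits directly above the existing `.. cfgcmd::  set zone-policy zone <name> from <name> firewall name <rule-set>`, so the page now renders the same command twice with different placeholder names; fold the descriptive placeholders into the existing directive (or drop the old one) instead of stacking two. The lead-in `It helps to think of the syntax as: (see below). The 'rule-set' should be written from the perspective of: *Source Zone*-to->*Destination Zone*` mixes RST emphasis with an ASCII arrow and is hard to parse; say plainly that the zone named after `zone` is the one traffic is entering and the zone after `from` is the one it leaves, because swapping the two attaches the rule-set to the opposite direction of traffic. Several added lines also end in trailing whitespace (`The 'rule-set' should be `, `firewall name <rule-set> `).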
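Review bot: in the docs/configuration/interfaces/vti.rst hunk, `More details about the IPsec and VTI issue and option disable-route-autoinstall https://blog.vyos.io/vyos-1-dot-2-0-development-news-in-july` is a sentence fragment with a bare URL; write it as `More details about the IPsec and VTI issue and the disable-route-autoinstall option are in` followed by an RST hyperlink so Sphinx renders it as a link. In the explanation, `StrongSWAN` should be spelled `strongSwan`, and `even though actual routing decision is made` needs `the`. The `+   ` line after `.. code-block:: none` is whitespace-only and most of the added lines end in trailing whitespace. Since `set vpn ipsec options disable-route-autoinstall` takes no per-connection argument, the warning should also say whether it affects route installation for every IPsec connection on the router, so readers with other tunnels beside the VTI one know to check their routing after enabling it.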
