| -rw-r--r-- | docs/configexamples/azure-vpn-bgp.rst | 5 | ||||
| -rw-r--r-- | docs/configexamples/azure-vpn-dual-bgp.rst | 7 | ||||
| -rw-r--r-- | docs/configuration/firewall/zone.rst | 11 | ||||
| -rw-r--r-- | docs/configuration/nat/nat44.rst | 2 | ||||
| -rw-r--r-- | docs/configuration/vpn/dmvpn.rst | 4 | ||||
| -rw-r--r-- | docs/configuration/vpn/ipsec.rst | 27 | 
6 files changed, 19 insertions, 37 deletions
| diff --git a/docs/configexamples/azure-vpn-bgp.rst b/docs/configexamples/azure-vpn-bgp.rst index fc6e1a04..f272aafd 100644 --- a/docs/configexamples/azure-vpn-bgp.rst +++ b/docs/configexamples/azure-vpn-bgp.rst @@ -60,7 +60,6 @@ Vyos configuration  .. code-block:: none -  set vpn ipsec esp-group AZURE compression 'disable'    set vpn ipsec esp-group AZURE lifetime '3600'    set vpn ipsec esp-group AZURE mode 'tunnel'    set vpn ipsec esp-group AZURE pfs 'dh-group2' @@ -70,7 +69,7 @@ Vyos configuration    set vpn ipsec ike-group AZURE dead-peer-detection action 'restart'    set vpn ipsec ike-group AZURE dead-peer-detection interval '15'    set vpn ipsec ike-group AZURE dead-peer-detection timeout '30' -  set vpn ipsec ike-group AZURE ikev2-reauth 'yes' +  set vpn ipsec ike-group AZURE ikev2-reauth    set vpn ipsec ike-group AZURE key-exchange 'ikev2'    set vpn ipsec ike-group AZURE lifetime '28800'    set vpn ipsec ike-group AZURE proposal 1 dh-group '2' @@ -94,7 +93,7 @@ Vyos configuration  .. code-block:: none -  set firewall options interface vti1 adjust-mss 1350 +  set interfaces vti vti1 ip adjust-mss 1350  - Configure the VPN tunnel diff --git a/docs/configexamples/azure-vpn-dual-bgp.rst b/docs/configexamples/azure-vpn-dual-bgp.rst index 7f4987bb..d019092c 100644 --- a/docs/configexamples/azure-vpn-dual-bgp.rst +++ b/docs/configexamples/azure-vpn-dual-bgp.rst @@ -59,7 +59,6 @@ Vyos configuration  .. code-block:: none -  set vpn ipsec esp-group AZURE compression 'disable'    set vpn ipsec esp-group AZURE lifetime '3600'    set vpn ipsec esp-group AZURE mode 'tunnel'    set vpn ipsec esp-group AZURE pfs 'dh-group2' 
@@ -69,7 +68,7 @@ Vyos configuration    set vpn ipsec ike-group AZURE dead-peer-detection action 'restart'    set vpn ipsec ike-group AZURE dead-peer-detection interval '15'    set vpn ipsec ike-group AZURE dead-peer-detection timeout '30' -  set vpn ipsec ike-group AZURE ikev2-reauth 'yes' +  set vpn ipsec ike-group AZURE ikev2-reauth    set vpn ipsec ike-group AZURE key-exchange 'ikev2'    set vpn ipsec ike-group AZURE lifetime '28800'    set vpn ipsec ike-group AZURE proposal 1 dh-group '2' @@ -96,8 +95,8 @@ Vyos configuration  .. code-block:: none -  set firewall options interface vti1 adjust-mss 1350 -  set firewall options interface vti2 adjust-mss 1350 +  set interfaces vti vti1 ip adjust-mss 1350 +  set interfaces vti vti2 ip adjust-mss 1350  - Configure the VPN tunnels diff --git a/docs/configuration/firewall/zone.rst b/docs/configuration/firewall/zone.rst index 403de912..6afd47e9 100644 --- a/docs/configuration/firewall/zone.rst +++ b/docs/configuration/firewall/zone.rst @@ -6,13 +6,14 @@  Zone Based Firewall  ################### -.. note:: **Important note:** -   This documentation is valid only for VyOS Sagitta prior to -   1.4-rolling-YYYYMMDDHHmm +.. note:: For latest releases, refer the `firewall  +   <https://docs.vyos.io/en/latest/configuration/firewall/general.html#interface-groups>`_  +   main page to configure zone based rules. New syntax was introduced here  +   :vytask:`T5160`  In zone-based policy, interfaces are assigned to zones, and inspection policy  is applied to traffic moving between the zones and acted on according to -firewall rules. A Zone is a group of interfaces that have similar functions or +firewall rules. A zone is a group of interfaces that have similar functions or  features. It establishes the security borders of a network. A zone defines a  boundary where traffic is subjected to policy restrictions as it crosses to  another region of a network. 
@@ -40,7 +41,7 @@ firewall can be created to simplify configuration when multiple interfaces  belong to the same security zone. Instead of applying rule-sets to interfaces,  they are applied to source zone-destination zone pairs. -An basic introduction to zone-based firewalls can be found `here +A basic introduction to zone-based firewalls can be found `here  <https://support.vyos.io/en/kb/articles/a-primer-to-zone-based-firewall>`_,  and an example at :ref:`examples-zone-policy`. diff --git a/docs/configuration/nat/nat44.rst b/docs/configuration/nat/nat44.rst index 9aeb581e..c660f8f4 100644 --- a/docs/configuration/nat/nat44.rst +++ b/docs/configuration/nat/nat44.rst @@ -740,14 +740,12 @@ external interface in the image above)  .. code-block:: none -  set vpn ipsec ike-group my-ike ikev2-reauth 'no'    set vpn ipsec ike-group my-ike key-exchange 'ikev1'    set vpn ipsec ike-group my-ike lifetime '7800'    set vpn ipsec ike-group my-ike proposal 1 dh-group '14'    set vpn ipsec ike-group my-ike proposal 1 encryption 'aes256'    set vpn ipsec ike-group my-ike proposal 1 hash 'sha256' -  set vpn ipsec esp-group my-esp compression 'disable'    set vpn ipsec esp-group my-esp lifetime '3600'    set vpn ipsec esp-group my-esp mode 'tunnel'    set vpn ipsec esp-group my-esp pfs 'disable' diff --git a/docs/configuration/vpn/dmvpn.rst b/docs/configuration/vpn/dmvpn.rst index 6680d46a..a85e03b4 100644 --- a/docs/configuration/vpn/dmvpn.rst +++ b/docs/configuration/vpn/dmvpn.rst @@ -200,7 +200,6 @@ Hub    set protocols nhrp tunnel tun100 redirect    set protocols nhrp tunnel tun100 shortcut -  set vpn ipsec esp-group ESP-HUB compression 'disable'    set vpn ipsec esp-group ESP-HUB lifetime '1800'    set vpn ipsec esp-group ESP-HUB mode 'transport'    set vpn ipsec esp-group ESP-HUB pfs 'dh-group2' 
@@ -208,7 +207,6 @@ Hub    set vpn ipsec esp-group ESP-HUB proposal 1 hash 'sha1'    set vpn ipsec esp-group ESP-HUB proposal 2 encryption '3des'    set vpn ipsec esp-group ESP-HUB proposal 2 hash 'md5' -  set vpn ipsec ike-group IKE-HUB ikev2-reauth 'no'    set vpn ipsec ike-group IKE-HUB key-exchange 'ikev1'    set vpn ipsec ike-group IKE-HUB lifetime '3600'    set vpn ipsec ike-group IKE-HUB proposal 1 dh-group '2' @@ -309,7 +307,6 @@ VyOS can also run in DMVPN spoke mode.    set protocols nhrp tunnel tun100 redirect    set protocols nhrp tunnel tun100 shortcut -  set vpn ipsec esp-group ESP-HUB compression 'disable'    set vpn ipsec esp-group ESP-HUB lifetime '1800'    set vpn ipsec esp-group ESP-HUB mode 'transport'    set vpn ipsec esp-group ESP-HUB pfs 'dh-group2' @@ -318,7 +315,6 @@ VyOS can also run in DMVPN spoke mode.    set vpn ipsec esp-group ESP-HUB proposal 2 encryption '3des'    set vpn ipsec esp-group ESP-HUB proposal 2 hash 'md5'    set vpn ipsec ike-group IKE-HUB close-action 'none' -  set vpn ipsec ike-group IKE-HUB ikev2-reauth 'no'    set vpn ipsec ike-group IKE-HUB key-exchange 'ikev1'    set vpn ipsec ike-group IKE-HUB lifetime '3600'    set vpn ipsec ike-group IKE-HUB proposal 1 dh-group '2' diff --git a/docs/configuration/vpn/ipsec.rst b/docs/configuration/vpn/ipsec.rst index 327f3abb..c91feea0 100644 --- a/docs/configuration/vpn/ipsec.rst +++ b/docs/configuration/vpn/ipsec.rst @@ -51,8 +51,6 @@ VyOS IKE group has the next options:   * ``hold`` set action to hold; - * ``clear`` set action to clear; -    * ``restart`` set action to restart;  * ``dead-peer-detection`` controls the use of the Dead Peer Detection protocol  
@@ -73,11 +71,9 @@ VyOS IKE group has the next options:   * ``timeout`` keep-alive timeout in seconds <2-86400> (default 120) IKEv1 only  * ``ikev2-reauth`` whether rekeying of an IKE_SA should also reauthenticate  -  the peer. In IKEv1, reauthentication is always done: -   - * ``yes`` enable remote host re-authentication during an IKE rekey; -  - * ``no`` disable remote host re-authenticaton during an IKE rekey; +  the peer. In IKEv1, reauthentication is always done. +  Setting this parameter enables remote host re-authentication during an IKE  +  rekey.  * ``key-exchange`` which protocol should be used to initialize the connection    If not set both protocols are handled and connections will use IKEv2 when  @@ -87,13 +83,10 @@ VyOS IKE group has the next options:   * ``ikev2`` use IKEv2 for Key Exchange; -* ``lifetime`` IKE lifetime in seconds <30-86400> (default 28800); - -* ``mobike`` enable MOBIKE Support. MOBIKE is only available for IKEv2: +* ``lifetime`` IKE lifetime in seconds <0-86400> (default 28800); - * ``enable`` enable MOBIKE (default for IKEv2); -  - * ``disable`` disable MOBIKE; +* ``disable-mobike`` disables MOBIKE Support. MOBIKE is only available for IKEv2 +  and enabled by default.  * ``mode`` IKEv1 Phase 1 Mode Selection: @@ -126,12 +119,8 @@ Multiple proposals can be specified in a single group.  VyOS ESP group has the next options: -* ``compression`` whether IPComp compression of content is proposed  -  on the connection: - - * ``disable`` disable IPComp compression (default); -  - * ``enable`` enable IPComp compression; +* ``compression``  Enables the  IPComp(IP Payload Compression) protocol which +  allows compressing the content of IP packets.    * ``life-bytes`` ESP life in bytes <1024-26843545600000>.     Number of bytes transmitted over an IPsec SA before it expires; | 
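Review bot: in docs/configuration/firewall/zone.rst the replacement note reads "refer the `firewall", which is missing "to", and it no longer tells the reader that the rest of the page documents the older syntax, which the removed note did ("valid only for VyOS Sagitta prior to 1.4-rolling-YYYYMMDDHHmm"). Suggest "For the latest releases, refer to the firewall main page to configure zone based rules", plus a sentence stating which releases this page still applies to. The link is a hard-coded https://docs.vyos.io/en/latest/... URL whose anchor is #interface-groups although the text promises zone based rules; a :ref: target, as already used for examples-zone-policy further down, would follow the versioned build. The added lines also end in trailing spaces.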
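Review bot: in the docs/configuration/vpn/dmvpn.rst hub and spoke hunks, the examples being edited still propose encryption '3des' with hash 'md5', hash 'sha1' and dh-group '2', all of which are weak by current standards. Since these blocks are touched anyway, consider moving them to the aes256 / sha256 / dh-group '14' values that the nat44.rst example in this same patch already shows, or add a sentence saying the weaker proposals are kept only for interoperability with legacy peers.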
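Review bot: the rewritten ``ikev2-reauth`` entry in docs/configuration/vpn/ipsec.rst says what setting the node does but not what happens when it is absent; with the ``yes``/``no`` sub-options removed, the default is no longer stated anywhere in the entry. Add a clause that spells out the unset behaviour (for example "when not set, the peer is not reauthenticated on rekey", if that is what the implementation does), and strip the trailing whitespace from the added lines.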
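Review bot: the ``lifetime`` line in ipsec.rst widens the documented range from 30-86400 to 0-86400 without saying what a value of 0 means. State the effect of 0 explicitly, since values below 30 were previously outside the documented range and a reader cannot tell whether 0 disables IKE rekeying or is treated some other way. In the same hunk the new ``disable-mobike`` entry ends with a full stop while the neighbouring entries end with a semicolon; pick one.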
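Review bot: the new ESP ``compression`` text in ipsec.rst has doubled spaces and a missing space before the parenthesis ("``compression``  Enables the  IPComp(IP Payload Compression)"), and it drops the statement from the removed lines that compression is disabled by default. Suggest "``compression`` enables the IPComp (IP Payload Compression) protocol, which allows compressing the content of IP packets", followed by a clause that it is off unless set, if that still holds now that the node takes no value.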
