-rw-r--r--  docs/_include/draw.io/vpn_s2s_ikev2_c.drawio | 1
-rw-r--r--  docs/_static/images/vpn_s2s_ikev2_c.png | bin 0 -> 69496 bytes
-rw-r--r--  docs/automation/vyos-api.rst | 6
-rw-r--r--  docs/cli.rst | 7
-rw-r--r--  docs/configuration/protocols/bgp.rst | 10
-rw-r--r--  docs/configuration/system/console.rst | 2
-rw-r--r--  docs/configuration/system/host-name.rst | 2
-rw-r--r--  docs/configuration/system/syslog.rst | 6
-rw-r--r--  docs/configuration/vpn/l2tp.rst | 4
-rw-r--r--  docs/configuration/vpn/site2site_ipsec.rst | 54
-rw-r--r--  docs/installation/install.rst | 4
-rw-r--r--  docs/installation/virtual/vmware.rst | 4
-rw-r--r--  docs/introducing/about.rst | 4
13 files changed, 72 insertions, 32 deletions
diff --git a/docs/_include/draw.io/vpn_s2s_ikev2_c.drawio b/docs/_include/draw.io/vpn_s2s_ikev2_c.drawio new file mode 100644 index 00000000..833dba76 --- /dev/null +++ b/docs/_include/draw.io/vpn_s2s_ikev2_c.drawio @@ -0,0 +1 @@ +<mxfile host="app.diagrams.net" modified="2021-06-29T11:55:47.927Z" agent="5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36" etag="Bz4WAiXHzjjCvDkoEJPw" version="14.8.1" type="device"><diagram id="aAslkehIyZXHwb55RWRM" name="Page-1">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</diagram></mxfile>
\ No newline at end of file diff --git a/docs/_static/images/vpn_s2s_ikev2_c.png b/docs/_static/images/vpn_s2s_ikev2_c.png Binary files differnew file mode 100644 index 00000000..2d9e21b5 --- /dev/null +++ b/docs/_static/images/vpn_s2s_ikev2_c.png diff --git a/docs/automation/vyos-api.rst b/docs/automation/vyos-api.rst index 1504a05a..988ff010 100644 --- a/docs/automation/vyos-api.rst +++ b/docs/automation/vyos-api.rst @@ -4,7 +4,7 @@ VyOS API ######## -for configuration and enabling the API see :ref:`http-api` +For configuration and enabling the API see :ref:`http-api` ************** Authentication @@ -13,7 +13,7 @@ Authentication All Endpoint only listen on HTTP POST requests and the API KEY must set as ``key`` in the formdata. -Below see one example or curl and one for python. +Below see one example for curl and one for python. In the following, the documentation is reduced to curl. .. code-block:: none @@ -314,4 +314,4 @@ To Load a configuration file. "success": true, "data": null, "error": null - }
\ No newline at end of file + } diff --git a/docs/cli.rst b/docs/cli.rst index 7578ef8d..884c3d51 100644 --- a/docs/cli.rst +++ b/docs/cli.rst @@ -110,8 +110,7 @@ files. Terminology ########### -live -A VyOS system has three major types of configurations: +A live VyOS system has three major types of configurations: * **Active** or **running configuration** is the system configuration that is loaded and currently active (used by VyOS). Any change in @@ -404,7 +403,7 @@ different levels in the hierarchy. Use this command to preserve configuration changes upon reboot. By default it is stored at */config/config.boot*. In the case you want to store the configuration file somewhere else, you can add a local - path, an SCP address, an FTP address or a TFTP address. + path, a SCP address, a FTP address or a TFTP address. .. code-block:: none @@ -455,7 +454,7 @@ different levels in the hierarchy. a firewall, and you are not sure there are no mistakes that will lock you out of your system. You can use confirmed commit. If you issue the ``commit-confirm`` command, your changes will be commited, and if - you don't issue issue the ``confirm`` command in 10 minutes, your + you don't issue the ``confirm`` command in 10 minutes, your system will reboot into previous config revision. .. code-block:: none diff --git a/docs/configuration/protocols/bgp.rst b/docs/configuration/protocols/bgp.rst index 25ec3038..d6baa0b9 100644 --- a/docs/configuration/protocols/bgp.rst +++ b/docs/configuration/protocols/bgp.rst @@ -190,7 +190,7 @@ Defining Peers This command creates a new neighbor whose remote-as is <nasn>. The neighbor address can be an IPv4 address or an IPv6 address or an interface to use - for the connection. The command it applicable for peer and peer group. + for the connection. The command is applicable for peer and peer group. .. cfgcmd:: set protocols bgp neighbor <address|interface> remote-as internal 
@@ -809,7 +809,7 @@ For outbound updates the order of preference is: .. cfgcmd:: set protocols bgp neighbor <address|interface> address-family <ipv4-unicast|ipv6-unicast> distribute-list <export|import> <number> - This command applys the access list filters named in <number> to the + This command applies the access list filters named in <number> to the specified BGP neighbor to restrict the routing information that BGP learns and/or advertises. The arguments :cfgcmd:`export` and :cfgcmd:`import` specify the direction in which the access list are applied. @@ -817,7 +817,7 @@ For outbound updates the order of preference is: .. cfgcmd:: set protocols bgp neighbor <address|interface> address-family <ipv4-unicast|ipv6-unicast> prefix-list <export|import> <name> - This command applys the prfefix list filters named in <name> to the + This command applies the prfefix list filters named in <name> to the specified BGP neighbor to restrict the routing information that BGP learns and/or advertises. The arguments :cfgcmd:`export` and :cfgcmd:`import` specify the direction in which the prefix list are applied. @@ -825,7 +825,7 @@ For outbound updates the order of preference is: .. cfgcmd:: set protocols bgp neighbor <address|interface> address-family <ipv4-unicast|ipv6-unicast> route-map <export|import> <name> - This command applys the route map named in <name> to the specified BGP + This command applies the route map named in <name> to the specified BGP neighbor to control and modify routing information that is exchanged between peers. The arguments :cfgcmd:`export` and :cfgcmd:`import` specify the direction in which the route map are applied. 
@@ -833,7 +833,7 @@ For outbound updates the order of preference is: .. cfgcmd:: set protocols bgp neighbor <address|interface> address-family <ipv4-unicast|ipv6-unicast> filter-list <export|import> <name> - This command applys the AS path access list filters named in <name> to the + This command applies the AS path access list filters named in <name> to the specified BGP neighbor to restrict the routing information that BGP learns and/or advertises. The arguments :cfgcmd:`export` and :cfgcmd:`import` specify the direction in which the AS path access list are applied. diff --git a/docs/configuration/system/console.rst b/docs/configuration/system/console.rst index 4890da92..1f917e54 100644 --- a/docs/configuration/system/console.rst +++ b/docs/configuration/system/console.rst @@ -43,4 +43,4 @@ Major upgrades to the installed distribution may also require console access. control. This means you should start with a common baud rate (most likely 9600 baud) as otherwise you probably can not connect to the device using high speed baud rates as your serial converter simply can not process this - datarate. + data rate. diff --git a/docs/configuration/system/host-name.rst b/docs/configuration/system/host-name.rst index 30efe01e..79fae851 100644 --- a/docs/configuration/system/host-name.rst +++ b/docs/configuration/system/host-name.rst @@ -22,7 +22,7 @@ the command line prompt. .. cfgcmd:: set system host-name <hostname> - Set system hostname. The hostname can be up to 63 characters. A hostname + The hostname can be up to 63 characters. A hostname must start and end with a letter or digit, and have as interior characters only letters, digits, or a hyphen. diff --git a/docs/configuration/system/syslog.rst b/docs/configuration/system/syslog.rst index 9ba9d415..ab427d99 100644 --- a/docs/configuration/system/syslog.rst +++ b/docs/configuration/system/syslog.rst 
@@ -33,7 +33,7 @@ Custom File .. cfgcmd:: set system syslog file <filename> facility <keyword> level <keyword> - Log syslog messages to file specified via `<filename>`, for en explanation on + Log syslog messages to file specified via `<filename>`, for an explanation on :ref:`syslog_facilities` keywords and :ref:`syslog_severity_level` keywords see tables below. @@ -62,7 +62,7 @@ sending the messages via port 514/UDP. .. cfgcmd:: set system syslog host <address> facility <keyword> level <keyword> Log syslog messages to remote host specified by `<address>`. The address - can be specified by either FQDN or IP address. For en explanation on + can be specified by either FQDN or IP address. For an explanation on :ref:`syslog_facilities` keywords and :ref:`syslog_severity_level` keywords see tables below. @@ -81,7 +81,7 @@ Local User Account If logging to a local user account is configured, all defined log messages are display on the console if the local user is logged in, if the user is not - logged in, no messages are being displayed. For en explanation on + logged in, no messages are being displayed. For an explanation on :ref:`syslog_facilities` keywords and :ref:`syslog_severity_level` keywords see tables below. diff --git a/docs/configuration/vpn/l2tp.rst b/docs/configuration/vpn/l2tp.rst index bbe2b881..411b7b5e 100644 --- a/docs/configuration/vpn/l2tp.rst +++ b/docs/configuration/vpn/l2tp.rst @@ -160,7 +160,7 @@ servers can be setup and will be used subsequentially. RADIUS source address ^^^^^^^^^^^^^^^^^^^^^ -If you are using OSPF as IGP always the closets interface connected to the +If you are using OSPF as IGP, always the closest interface connected to the RADIUS server is used. With VyOS 1.2 you can bind all outgoing RADIUS requests to a single source IP e.g. the loopback interface. 
@@ -172,7 +172,7 @@ Above command will use `10.0.0.3` as source IPv4 address for all RADIUS queries on this NAS. .. note:: The ``source-address`` must be configured on one of VyOS interface. - Best proctice would be a loopback or dummy interface. + Best practice would be a loopback or dummy interface. RADIUS bandwidth shaping attribute ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ diff --git a/docs/configuration/vpn/site2site_ipsec.rst b/docs/configuration/vpn/site2site_ipsec.rst index e81c5c3b..aace98aa 100644 --- a/docs/configuration/vpn/site2site_ipsec.rst +++ b/docs/configuration/vpn/site2site_ipsec.rst @@ -264,9 +264,15 @@ rules. (if you used the default configuration at the top of this page) IKEv2 ^^^^^ +Example: + +* left local_ip: 192.168.0.10 # VPN Gateway, behind NAT device +* left public_ip:172.18.201.10 +* right local_ip: 172.18.202.10 # right side WAN IP + Imagine the following topology -.. figure:: /_static/images/vpn_s2s_ikev2.png +.. figure:: /_static/images/vpn_s2s_ikev2_c.png :scale: 50 % :alt: IPSec IKEv2 site2site VPN @@ -289,9 +295,6 @@ Imagine the following topology set vpn ipsec esp-group ESP_DEFAULT pfs 'dh-group19' set vpn ipsec esp-group ESP_DEFAULT proposal 10 encryption 'aes256gcm128' set vpn ipsec esp-group ESP_DEFAULT proposal 10 hash 'sha256' - set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection action 'hold' - set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection interval '30' - set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection timeout '120' set vpn ipsec ike-group IKEv2_DEFAULT ikev2-reauth 'no' set vpn ipsec ike-group IKEv2_DEFAULT key-exchange 'ikev2' set vpn ipsec ike-group IKEv2_DEFAULT lifetime '10800' 
@@ -304,10 +307,10 @@ Imagine the following topology set vpn ipsec site-to-site peer 172.18.202.10 authentication mode 'pre-shared-secret' set vpn ipsec site-to-site peer 172.18.202.10 authentication pre-shared-secret 'secretkey' set vpn ipsec site-to-site peer 172.18.202.10 authentication remote-id '172.18.202.10' - set vpn ipsec site-to-site peer 172.18.202.10 connection-type 'initiate' + set vpn ipsec site-to-site peer 172.18.202.10 connection-type 'respond' set vpn ipsec site-to-site peer 172.18.202.10 ike-group 'IKEv2_DEFAULT' set vpn ipsec site-to-site peer 172.18.202.10 ikev2-reauth 'inherit' - set vpn ipsec site-to-site peer 172.18.202.10 local-address '172.18.201.10' + set vpn ipsec site-to-site peer 172.18.202.10 local-address '192.168.0.10' set vpn ipsec site-to-site peer 172.18.202.10 vti bind 'vti10' set vpn ipsec site-to-site peer 172.18.202.10 vti esp-group 'ESP_DEFAULT' @@ -323,7 +326,7 @@ Imagine the following topology set vpn ipsec esp-group ESP_DEFAULT pfs 'dh-group19' set vpn ipsec esp-group ESP_DEFAULT proposal 10 encryption 'aes256gcm128' set vpn ipsec esp-group ESP_DEFAULT proposal 10 hash 'sha256' - set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection action 'hold' + set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection action 'restart' set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection interval '30' set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection timeout '120' set vpn ipsec ike-group IKEv2_DEFAULT ikev2-reauth 'no' 
@@ -344,3 +347,40 @@ Imagine the following topology set vpn ipsec site-to-site peer 172.18.201.10 local-address '172.18.202.10' set vpn ipsec site-to-site peer 172.18.201.10 vti bind 'vti10' set vpn ipsec site-to-site peer 172.18.201.10 vti esp-group 'ESP_DEFAULT' + +Key Parameters: + +* ``authentication id/remote-id`` - IKE identification is used for validation + of VPN peer devices during IKE negotiation. If you do not configure local/ + remote-identity, the device uses the IPv4 or IPv6 address that corresponds + to the local/remote peer by default. + In certain network setups (like ipsec interface with dynamic address, or + behind the NAT ), the IKE ID received from the peer does not match the IKE + gateway configured on the device. This can lead to a Phase 1 validation + failure. + So, make sure to configure the local/remote id explicitly and ensure that the + IKE ID is the same as the remote-identity configured on the peer device. + +* ``disable-route-autoinstall`` - This option when configured disables the + routes installed in the default table 220 for site-to-site ipsec. + It is mostly used with VTI configuration. + +* ``dead-peer-detection action = clear | hold | restart`` - R_U_THERE + notification messages(IKEv1) or empty INFORMATIONAL messages (IKEv2) + are periodically sent in order to check the liveliness of theIPsec peer. The + values clear, hold, and restart all activate DPD and determine the action to + perform on a timeout. + With ``clear`` the connection is closed with no further actions taken. + ``hold`` installs a trap policy, which will catch matching traffic and tries + to re-negotiate the connection on demand. + ``restart`` will immediately trigger an attempt to re-negotiate the + connection. + +* ``close-action = none | clear | hold | restart`` - defines the action to take + if the remote peer unexpectedly closes a CHILD_SA (see above for meaning of + values). 
A closeaction should not be used if the peer uses reauthentication or + uniqueids. + + For a responder, close-action or dead-peer-detection must not be enabled. + For an initiator DPD with `restart` action, and `close-action 'restart'` + is recommended in IKE profile. diff --git a/docs/installation/install.rst b/docs/installation/install.rst index 75c1713d..0af61ea4 100644 --- a/docs/installation/install.rst +++ b/docs/installation/install.rst @@ -62,7 +62,7 @@ LTS images are signed by VyOS lead package-maintainer private key. With the official public key, the authenticity of the package can be verified. :abbr:`GPG (GNU Privacy Guard)` is used for verification. -.. note:: This subsection only applies e applies to LTS images, for +.. note:: This subsection only applies to LTS images, for Rolling images please jump to :ref:`live_installation`. Preparing for the verification @@ -326,7 +326,7 @@ In order to proceed with a permanent installation: Done! - 3. After the installation is complete, remove the live USB stick or + 3. After the installation is completed, remove the live USB stick or CD. 4. Reboot the system. diff --git a/docs/installation/virtual/vmware.rst b/docs/installation/virtual/vmware.rst index 28614573..c9880a01 100644 --- a/docs/installation/virtual/vmware.rst +++ b/docs/installation/virtual/vmware.rst @@ -17,7 +17,7 @@ installing from the ISO using the normal process around `install image`. Memory Contention Considerations
--------------------------------
When the underlying ESXi host is approaching ~92% memory utilisation it will
-start the balloon process in s a 'soft' state to start reclaiming memory from
+start the balloon process in a 'soft' state to start reclaiming memory from
guest operating systems. This causes an artificial pressure using the vmmemctl
driver on memory usage on the virtual guest. As VyOS by default does not have
a swap file, this vmmemctl pressure is unable to force processes to move in
@@ -43,4 +43,4 @@ References https://muralidba.blogspot.com/2018/03/how-does-linux-out-of-memory-oom-killer.html
-.. start_vyoslinter
\ No newline at end of file +.. start_vyoslinter
diff --git a/docs/introducing/about.rst b/docs/introducing/about.rst index 0411344b..944ff0a1 100644 --- a/docs/introducing/about.rst +++ b/docs/introducing/about.rst @@ -8,10 +8,10 @@ VyOS is an open source network operating system based on Debian GNU/Linux. VyOS provides a free routing platform that competes directly with other commercially available solutions from well known network providers. Because -VyOS is run on standard amd64, i586 and ARM systems, it is able to be used +VyOS runs on standard amd64, i586 and ARM systems, it is able to be used as a router and firewall platform for cloud deployments. -We use multiple live versions of our manual hosted thankfully by +We use multiple live versions of our manual, hosted thankfully by https://readthedocs.org. We will provide one version of the manual for every VyOS major version starting with VyOS 1.2 which will receive Long-term support (LTS). |
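Review bot: in the new `docs/_include/draw.io/vpn_s2s_ikev2_c.drawio` hunk, the `<mxfile>` root carries editor metadata that is not needed to render the diagram: a `modified=` timestamp, an `etag=`, and a full browser `agent="5.0 (Windows NT 6.1; Win64; x64) ... Chrome/91.0.4472.114 ..."` string that discloses the author's OS and browser version. The diagram itself lives entirely in the `<diagram>` element, so suggest stripping the `agent`, `modified` and `etag` attributes before committing the source file; the committed PNG is unaffected either way.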
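Review bot: in the `docs/automation/vyos-api.rst` hunk at `@@ -13,7 +13,7 @@`, the context line directly above the corrected sentence still has a grammar error that this typo pass should catch: `All Endpoint only listen on HTTP POST requests and the API KEY must set as ``key`` in the formdata.` should read `All endpoints only listen for HTTP POST requests and the API key must be set as ``key`` in the form data.`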
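Review bot: the `docs/cli.rst` hunk at `@@ -404,7 +403,7 @@` introduces a regression rather than a fix. `an SCP address, an FTP address` is correct: both are initialisms pronounced letter by letter ("ess-cee-pee", "eff-tee-pee"), so they take `an`. Keep the original line `path, an SCP address, an FTP address or a TFTP address.` and drop the `a SCP address, a FTP address` replacement.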
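Review bot: in the `docs/configuration/protocols/bgp.rst` hunk at `@@ -817,7 +817,7 @@`, `applys` is corrected but `prfefix` on the same changed line is left in place: `This command applies the prfefix list filters named in <name> to the` should read `prefix list filters`. While touching all four of these hunks, the trailing context sentences also have a number-agreement problem (`the access list are applied`, `the prefix list are applied`, `the route map are applied`, `the AS path access list are applied`); each should be `is applied`.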
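Review bot: in the `docs/configuration/vpn/site2site_ipsec.rst` hunk at `@@ -264,9 +264,15 @@`, the added example list is formatted inconsistently and will not render as intended in RST: `* left public_ip:172.18.201.10` lacks the space after the colon that the other two entries have, and the `# VPN Gateway, behind NAT device` / `# right side WAN IP` suffixes are rendered as literal text inside the bullet, not as comments. Suggest writing them as prose, e.g. `* left public_ip: 172.18.201.10 (WAN address of the NAT device in front of the left gateway)`. Also note the figure reference is switched to `vpn_s2s_ikev2_c.png` while the diffstat shows the old `vpn_s2s_ikev2.png` is neither removed nor otherwise touched; if nothing else references it, delete it so the repository does not carry a stale diagram.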
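Review bot: the `docs/configuration/vpn/site2site_ipsec.rst` hunks at `@@ -289,9 +295,6 @@` and `@@ -304,10 +307,10 @@` turn the left gateway into the responder (`connection-type 'respond'`) and bind it to the private address `local-address '192.168.0.10'` behind the NAT device, but the visible left-side lines only show `authentication remote-id '172.18.202.10'` and no `authentication id` for the left side itself. The "Key Parameters" text added later in this same file says that a peer behind NAT must set its local id explicitly because the address the initiator sees does not match the responder's own address; the example should show that line (the public address `172.18.201.10` as the left id) or state that it is already present in the unchanged lines, otherwise the example contradicts the advice beneath it. Two smaller points: the unchanged context `authentication pre-shared-secret 'secretkey'` is a weak literal that readers tend to copy verbatim; an obviously placeholder value such as `'<strong-random-psk>'` is safer for documentation. And since the responder is now behind NAT, a sentence on how the initiator reaches it through the NAT device would complete the example.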
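Review bot: in the `docs/configuration/vpn/site2site_ipsec.rst` hunk at `@@ -344,3 +347,40 @@`, the added guidance `For an initiator DPD with `restart` action, and `close-action 'restart'` is recommended in IKE profile` does not match the example above it: the right-side (initiator) configuration only changes `dead-peer-detection action 'restart'` and never sets `close-action`. Either add the `close-action 'restart'` setting to the `IKEv2_DEFAULT` ike-group in the example or drop the recommendation so text and example agree. The statement `For a responder, close-action or dead-peer-detection must not be enabled.` is given as a hard rule with no reason; if it follows from this NAT scenario, say so, otherwise soften it to "should not". Typos in the same hunk: `theIPsec` (missing space), `messages(IKEv1)` (missing space), `behind the NAT )` (stray space), `liveliness` should be `liveness`, `A closeaction` should be `A close-action`, and `uniqueids` should be `unique IDs`. Finally, the `authentication id/remote-id` bullet has hard line breaks mid-sentence (`local/` / `remote-identity`) that render as `local/ remote-identity`; reflow it.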
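Review bot: the `docs/installation/install.rst` hunk at `@@ -326,7 +326,7 @@` is a regression: `After the installation is complete` is the idiomatic form (adjective), while `After the installation is completed` reads as a clumsy passive. Keep the original line. The first hunk in this file (`This subsection only applies to LTS images`) is a correct fix.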
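Review bot: in the `docs/introducing/about.rst` hunk at `@@ -8,10 +8,10 @@`, the rewritten clause `VyOS runs on standard amd64, i586 and ARM systems, it is able to be used` is better than before but still awkward; while the line is being changed, `it can be used` is the plain form. Same hunk, `hosted thankfully by` reads more naturally as `kindly hosted by`.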