21 files changed, 463 insertions, 127 deletions
| diff --git a/docs/_include/vyos-1x b/docs/_include/vyos-1x -Subproject 7720ee247c03eeeab895da27804996571ffb476 +Subproject 2007a883125c7c6e1a0a1b06b0e0d32f9b1dc69 diff --git a/docs/_locale/de/LC_MESSAGES/configuration.mo b/docs/_locale/de/LC_MESSAGES/configuration.moBinary files differ index e300f5c4..0bbe8f6c 100644 --- a/docs/_locale/de/LC_MESSAGES/configuration.mo +++ b/docs/_locale/de/LC_MESSAGES/configuration.mo diff --git a/docs/_locale/de/configuration.pot b/docs/_locale/de/configuration.pot index d2dc913e..6641dd72 100644 --- a/docs/_locale/de/configuration.pot +++ b/docs/_locale/de/configuration.pot @@ -225,6 +225,14 @@ msgstr "**Important note on usage of terms:** The firewall makes use of the term  msgid "**Interface name**"  msgstr "**Interface name**" +#: ../../configuration/vpn/site2site_ipsec.rst:299 +msgid "**LEFT**" +msgstr "**LEFT**" + +#: ../../configuration/vpn/site2site_ipsec.rst:283 +msgid "**LEFT:** * WAN interface on `eth0.201` * `eth0.201` interface IP: `172.18.201.10/24` * `vti10` interface IP: `10.0.0.2/31` * `dum0` interface IP: `10.0.11.1/24` (for testing purposes)" +msgstr "**LEFT:** * WAN interface on `eth0.201` * `eth0.201` interface IP: `172.18.201.10/24` * `vti10` interface IP: `10.0.0.2/31` * `dum0` interface IP: `10.0.11.1/24` (for testing purposes)" +  #: ../../configuration/interfaces/vxlan.rst:214  msgid "**Leaf2 configuration:**"  msgstr "**Leaf2 configuration:**" 
@@ -401,6 +409,14 @@ msgstr "**RADIUS based IP pools (Framed-IP-Address)**"  msgid "**RADIUS sessions management DM/CoA**"  msgstr "**RADIUS sessions management DM/CoA**" +#: ../../configuration/vpn/site2site_ipsec.rst:335 +msgid "**RIGHT**" +msgstr "**RIGHT**" + +#: ../../configuration/vpn/site2site_ipsec.rst:289 +msgid "**RIGHT:** * WAN interface on `eth0.202` * `eth0.201` interface IP: `172.18.202.10/24` * `vti10` interface IP: `10.0.0.3/31` * `dum0` interface IP: `10.0.12.1/24` (for testing purposes)" +msgstr "**RIGHT:** * WAN interface on `eth0.202` * `eth0.201` interface IP: `172.18.202.10/24` * `vti10` interface IP: `10.0.0.3/31` * `dum0` interface IP: `10.0.12.1/24` (for testing purposes)" +  #: ../../configuration/protocols/bgp.rst:113  msgid "**Router-ID check**"  msgstr "**Router-ID check**" @@ -2619,7 +2635,7 @@ msgstr "Before enabling any hardware segmentation offload a corresponding softwa  msgid "Before you are able to apply a rule-set to a zone you have to create the zones first."  msgstr "Before you are able to apply a rule-set to a zone you have to create the zones first." -#: ../../configuration/vpn/site2site_ipsec.rst:392 +#: ../../configuration/vpn/site2site_ipsec.rst:413  msgid "Below flow-chart could be a quick reference for the close-action combination depending on how the peer is configured."  msgstr "Below flow-chart could be a quick reference for the close-action combination depending on how the peer is configured." 
@@ -4609,7 +4625,7 @@ msgstr "Don't forget, the CIDR declared in the network statement **MUST exist in  msgid "Don't forget, the CIDR declared in the network statement MUST **exist in your routing table (dynamic or static), the best way to make sure that is true is creating a static route:**"  msgstr "Don't forget, the CIDR declared in the network statement MUST **exist in your routing table (dynamic or static), the best way to make sure that is true is creating a static route:**" -#: ../../configuration/vpn/site2site_ipsec.rst:284 +#: ../../configuration/vpn/site2site_ipsec.rst:295  msgid "Don't get confused about the used /31 tunnel subnet. :rfc:`3021` gives you additional information for using /31 subnets on point-to-point links."  msgstr "Don't get confused about the used /31 tunnel subnet. :rfc:`3021` gives you additional information for using /31 subnets on point-to-point links." 
@@ -7636,6 +7652,10 @@ msgstr "In addition you can also disable the whole service without the need to r  msgid "In addition you will specifiy the IP address or FQDN for the client where it will connect to. The address parameter can be used up to two times and is used to assign the clients specific IPv4 (/32) or IPv6 (/128) address."  msgstr "In addition you will specifiy the IP address or FQDN for the client where it will connect to. The address parameter can be used up to two times and is used to assign the clients specific IPv4 (/32) or IPv6 (/128) address." +#: ../../configuration/interfaces/wireguard.rst:416 +msgid "In addition you will specify the IP address or FQDN for the client where it will connect to. The address parameter can be used up to two times and is used to assign the clients specific IPv4 (/32) or IPv6 (/128) address." +msgstr "In addition you will specify the IP address or FQDN for the client where it will connect to. The address parameter can be used up to two times and is used to assign the clients specific IPv4 (/32) or IPv6 (/128) address." +  #: ../../configuration/firewall/general.rst:194  #: ../../configuration/firewall/general-legacy.rst:170  msgid "In an **address group** a single IP address or IP address ranges are defined." @@ -7997,7 +8017,7 @@ msgstr "Instead of sending the real system hostname to the DHCP server, overwrit  msgid "Integrity – Message integrity to ensure that a packet has not been tampered while in transit including an optional packet replay protection mechanism."  msgstr "Integrity – Message integrity to ensure that a packet has not been tampered while in transit including an optional packet replay protection mechanism." -#: ../../configuration/interfaces/wireless.rst:600 +#: ../../configuration/interfaces/wireless.rst:602  msgid "Intel AX200"  msgstr "Intel AX200" 
@@ -8238,7 +8258,7 @@ msgstr "Key Generation"  msgid "Key Management"  msgstr "Key Management" -#: ../../configuration/vpn/site2site_ipsec.rst:353 +#: ../../configuration/vpn/site2site_ipsec.rst:374  msgid "Key Parameters:"  msgstr "Key Parameters:" @@ -10952,7 +10972,7 @@ msgstr "Restarts the DNS recursor process. This also invalidates the local DNS f  #: ../../configuration/interfaces/wireless.rst:315  #: ../../configuration/interfaces/wireless.rst:369 -#: ../../configuration/interfaces/wireless.rst:566 +#: ../../configuration/interfaces/wireless.rst:567  msgid "Resulting in"  msgstr "Resulting in" @@ -12463,7 +12483,7 @@ msgstr "Sierra Wireless AirPrime MC7455 miniPCIe card (LTE)"  msgid "Sierra Wireless AirPrime MC7710 miniPCIe card (LTE)"  msgstr "Sierra Wireless AirPrime MC7710 miniPCIe card (LTE)" -#: ../../configuration/vpn/site2site_ipsec.rst:397 +#: ../../configuration/vpn/site2site_ipsec.rst:418  msgid "Similar combinations are applicable for the dead-peer-detection."  msgstr "Similar combinations are applicable for the dead-peer-detection." @@ -13325,7 +13345,7 @@ msgstr "The HTTP service listen on TCP port 80."  msgid "The IP address of the internal system we wish to forward traffic to."  msgstr "The IP address of the internal system we wish to forward traffic to." -#: ../../configuration/interfaces/wireless.rst:602 +#: ../../configuration/interfaces/wireless.rst:604  msgid "The Intel AX200 card does not work out of the box in AP mode, see https://unix.stackexchange.com/questions/598275/intel-ax200-ap-mode. You can still put this card into AP mode using the following configuration:"  msgstr "The Intel AX200 card does not work out of the box in AP mode, see https://unix.stackexchange.com/questions/598275/intel-ax200-ap-mode. You can still put this card into AP mode using the following configuration:" 
@@ -16258,7 +16278,7 @@ msgstr "To forward all broadcast packets received on `UDP port 1900` on `eth3`,  msgid "To generate the CA, the server private key and certificates the following commands can be used."  msgstr "To generate the CA, the server private key and certificates the following commands can be used." -#: ../../configuration/interfaces/wireless.rst:592 +#: ../../configuration/interfaces/wireless.rst:594  msgid "To get it to work as an access point with this configuration you will need to set up a DHCP server to work with that network. You can - of course - also bridge the Wireless interface with any configured bridge (:ref:`bridge-interface`) on the system."  msgstr "To get it to work as an access point with this configuration you will need to set up a DHCP server to work with that network. You can - of course - also bridge the Wireless interface with any configured bridge (:ref:`bridge-interface`) on the system." 
@@ -18077,7 +18097,7 @@ msgstr "When starting a VyOS live system (the installation CD) the configured ke  msgid "When the DHCP server is considering dynamically allocating an IP address to a client, it first sends an ICMP Echo request (a ping) to the address being assigned. It waits for a second, and if no ICMP Echo response has been heard, it assigns the address."  msgstr "When the DHCP server is considering dynamically allocating an IP address to a client, it first sends an ICMP Echo request (a ping) to the address being assigned. It waits for a second, and if no ICMP Echo response has been heard, it assigns the address." -#: ../../configuration/vpn/site2site_ipsec.rst:386 +#: ../../configuration/vpn/site2site_ipsec.rst:407  msgid "When the close-action option is set on the peers, the connection-type of each peer has to considered carefully. For example, if the option is set on both peers, then both would attempt to initiate and hold open multiple copies of each child SA. This might lead to instability of the device or cpu/memory utilization."  msgstr "When the close-action option is set on the peers, the connection-type of each peer has to considered carefully. For example, if the option is set on both peers, then both would attempt to initiate and hold open multiple copies of each child SA. This might lead to instability of the device or cpu/memory utilization." 
@@ -18483,10 +18503,13 @@ msgid "You should add a firewall to your configuration above as well by assignin  msgstr "You should add a firewall to your configuration above as well by assigning it to the pppoe0 itself as shown here:"  #: ../../configuration/interfaces/openvpn.rst:227 -#: ../../configuration/interfaces/wireguard.rst:225  msgid "You should also ensure that the OUTISDE_LOCAL firewall group is applied to the WAN interface and a direction (local)."  msgstr "You should also ensure that the OUTISDE_LOCAL firewall group is applied to the WAN interface and a direction (local)." +#: ../../configuration/interfaces/wireguard.rst:225 +msgid "You should also ensure that the OUTSIDE_LOCAL firewall group is applied to the WAN interface and a direction (local)." +msgstr "You should also ensure that the OUTSIDE_LOCAL firewall group is applied to the WAN interface and a direction (local)." +  #: ../../configuration/interfaces/wireguard.rst:136  msgid "You will also need the public key of your peer as well as the network(s) you want to tunnel (allowed-ips) to configure a WireGuard tunnel. The public key below is always the public key from your peer, not your local one."  msgstr "You will also need the public key of your peer as well as the network(s) you want to tunnel (allowed-ips) to configure a WireGuard tunnel. The public key below is always the public key from your peer, not your local one." 
@@ -19112,7 +19135,7 @@ msgstr "``all-available`` all checking target addresses must be available to pas  msgid "``any-available`` any of the checking target addresses must be available to pass this check"  msgstr "``any-available`` any of the checking target addresses must be available to pass this check" -#: ../../configuration/vpn/site2site_ipsec.rst:355 +#: ../../configuration/vpn/site2site_ipsec.rst:376  msgid "``authentication local-id/remote-id`` - IKE identification is used for validation of VPN peer devices during IKE negotiation. If you do not configure local/remote-identity, the device uses the IPv4 or IPv6 address that corresponds to the local/remote peer by default. In certain network setups (like ipsec interface with dynamic address, or behind the NAT ), the IKE ID received from the peer does not match the IKE gateway configured on the device. This can lead to a Phase 1 validation failure. So, make sure to configure the local/remote id explicitly and ensure that the IKE ID is the same as the remote-identity configured on the peer device."  msgstr "``authentication local-id/remote-id`` - IKE identification is used for validation of VPN peer devices during IKE negotiation. If you do not configure local/remote-identity, the device uses the IPv4 or IPv6 address that corresponds to the local/remote peer by default. In certain network setups (like ipsec interface with dynamic address, or behind the NAT ), the IKE ID received from the peer does not match the IKE gateway configured on the device. This can lead to a Phase 1 validation failure. So, make sure to configure the local/remote id explicitly and ensure that the IKE ID is the same as the remote-identity configured on the peer device." 
@@ -19168,7 +19191,7 @@ msgstr "``cert-file`` - certificate file, which will be used for authenticating  msgid "``clear`` set action to clear;"  msgstr "``clear`` set action to clear;" -#: ../../configuration/vpn/site2site_ipsec.rst:381 +#: ../../configuration/vpn/site2site_ipsec.rst:402  msgid "``close-action = none | clear | hold | restart`` - defines the action to take if the remote peer unexpectedly closes a CHILD_SA (see above for meaning of values). A closeaction should not be used if the peer uses reauthentication or uniqueids."  msgstr "``close-action = none | clear | hold | restart`` - defines the action to take if the remote peer unexpectedly closes a CHILD_SA (see above for meaning of values). A closeaction should not be used if the peer uses reauthentication or uniqueids." 
@@ -19200,7 +19223,7 @@ msgstr "``crl-file`` - file with the Certificate Revocation List. Using to check  msgid "``d`` - Execution interval in days"  msgstr "``d`` - Execution interval in days" -#: ../../configuration/vpn/site2site_ipsec.rst:370 +#: ../../configuration/vpn/site2site_ipsec.rst:391  msgid "``dead-peer-detection action = clear | hold | restart`` - R_U_THERE notification messages(IKEv1) or empty INFORMATIONAL messages (IKEv2) are periodically sent in order to check the liveliness of the IPsec peer. The values clear, hold, and restart all activate DPD and determine the action to perform on a timeout. With ``clear`` the connection is closed with no further actions taken. ``hold`` installs a trap policy, which will catch matching traffic and tries to re-negotiate the connection on demand. ``restart`` will immediately trigger an attempt to re-negotiate the connection."  msgstr "``dead-peer-detection action = clear | hold | restart`` - R_U_THERE notification messages(IKEv1) or empty INFORMATIONAL messages (IKEv2) are periodically sent in order to check the liveliness of the IPsec peer. The values clear, hold, and restart all activate DPD and determine the action to perform on a timeout. With ``clear`` the connection is closed with no further actions taken. ``hold`` installs a trap policy, which will catch matching traffic and tries to re-negotiate the connection on demand. ``restart`` will immediately trigger an attempt to re-negotiate the connection." 
@@ -19232,7 +19255,7 @@ msgstr "``dhcp-interface`` - use an IP address, received from DHCP for IPSec con  msgid "``disable-mobike`` disables MOBIKE Support. MOBIKE is only available for IKEv2 and enabled by default."  msgstr "``disable-mobike`` disables MOBIKE Support. MOBIKE is only available for IKEv2 and enabled by default." -#: ../../configuration/vpn/site2site_ipsec.rst:366 +#: ../../configuration/vpn/site2site_ipsec.rst:387  msgid "``disable-route-autoinstall`` - This option when configured disables the routes installed in the default table 220 for site-to-site ipsec. It is mostly used with VTI configuration."  msgstr "``disable-route-autoinstall`` - This option when configured disables the routes installed in the default table 220 for site-to-site ipsec. It is mostly used with VTI configuration." diff --git a/docs/_locale/en/LC_MESSAGES/configuration.mo b/docs/_locale/en/LC_MESSAGES/configuration.moBinary files differ index db09832e..39936707 100644 --- a/docs/_locale/en/LC_MESSAGES/configuration.mo +++ b/docs/_locale/en/LC_MESSAGES/configuration.mo diff --git a/docs/_locale/es/LC_MESSAGES/configuration.mo b/docs/_locale/es/LC_MESSAGES/configuration.moBinary files differ index b431bd09..01a535c8 100644 --- a/docs/_locale/es/LC_MESSAGES/configuration.mo +++ b/docs/_locale/es/LC_MESSAGES/configuration.mo diff --git a/docs/_locale/es/configuration.pot b/docs/_locale/es/configuration.pot index a05518ea..88324a87 100644 --- a/docs/_locale/es/configuration.pot +++ b/docs/_locale/es/configuration.pot 
@@ -225,6 +225,14 @@ msgstr "**Nota importante sobre el uso de términos:** El cortafuegos utiliza lo  msgid "**Interface name**"  msgstr "**Nombre de interfaz**" +#: ../../configuration/vpn/site2site_ipsec.rst:299 +msgid "**LEFT**" +msgstr "**LEFT**" + +#: ../../configuration/vpn/site2site_ipsec.rst:283 +msgid "**LEFT:** * WAN interface on `eth0.201` * `eth0.201` interface IP: `172.18.201.10/24` * `vti10` interface IP: `10.0.0.2/31` * `dum0` interface IP: `10.0.11.1/24` (for testing purposes)" +msgstr "**LEFT:** * WAN interface on `eth0.201` * `eth0.201` interface IP: `172.18.201.10/24` * `vti10` interface IP: `10.0.0.2/31` * `dum0` interface IP: `10.0.11.1/24` (for testing purposes)" +  #: ../../configuration/interfaces/vxlan.rst:214  msgid "**Leaf2 configuration:**"  msgstr "**Configuración hoja2:**" @@ -401,6 +409,14 @@ msgstr "**Grupos de IP basados en RADIUS (dirección IP enmarcada)**"  msgid "**RADIUS sessions management DM/CoA**"  msgstr "**Administración de sesiones RADIUS DM/CoA**" +#: ../../configuration/vpn/site2site_ipsec.rst:335 +msgid "**RIGHT**" +msgstr "**RIGHT**" + +#: ../../configuration/vpn/site2site_ipsec.rst:289 +msgid "**RIGHT:** * WAN interface on `eth0.202` * `eth0.201` interface IP: `172.18.202.10/24` * `vti10` interface IP: `10.0.0.3/31` * `dum0` interface IP: `10.0.12.1/24` (for testing purposes)" +msgstr "**RIGHT:** * WAN interface on `eth0.202` * `eth0.201` interface IP: `172.18.202.10/24` * `vti10` interface IP: `10.0.0.3/31` * `dum0` interface IP: `10.0.12.1/24` (for testing purposes)" +  #: ../../configuration/protocols/bgp.rst:113  msgid "**Router-ID check**"  msgstr "** Verificación de ID de enrutador **" 
@@ -2619,7 +2635,7 @@ msgstr "Antes de habilitar cualquier descarga de segmentación de hardware, se r  msgid "Before you are able to apply a rule-set to a zone you have to create the zones first."  msgstr "Antes de poder aplicar un conjunto de reglas a una zona, primero debe crear las zonas." -#: ../../configuration/vpn/site2site_ipsec.rst:392 +#: ../../configuration/vpn/site2site_ipsec.rst:413  msgid "Below flow-chart could be a quick reference for the close-action combination depending on how the peer is configured."  msgstr "El siguiente diagrama de flujo podría ser una referencia rápida para la combinación de acción de cierre, según cómo esté configurado el par." @@ -4609,7 +4625,7 @@ msgstr "No olvide, el CIDR declarado en la declaración de red **DEBE existir en  msgid "Don't forget, the CIDR declared in the network statement MUST **exist in your routing table (dynamic or static), the best way to make sure that is true is creating a static route:**"  msgstr "No olvide que el CIDR declarado en la declaración de red DEBE **existir en su tabla de enrutamiento (dinámico o estático), la mejor manera de asegurarse de que sea cierto es creando una ruta estática:**" -#: ../../configuration/vpn/site2site_ipsec.rst:284 +#: ../../configuration/vpn/site2site_ipsec.rst:295  msgid "Don't get confused about the used /31 tunnel subnet. :rfc:`3021` gives you additional information for using /31 subnets on point-to-point links."  msgstr "No se confunda con la subred del túnel /31 utilizada. :rfc:`3021` le brinda información adicional para usar subredes /31 en enlaces punto a punto." 
@@ -7636,6 +7652,10 @@ msgstr "Además también puedes deshabilitar todo el servicio sin necesidad de e  msgid "In addition you will specifiy the IP address or FQDN for the client where it will connect to. The address parameter can be used up to two times and is used to assign the clients specific IPv4 (/32) or IPv6 (/128) address."  msgstr "Además, especificará la dirección IP o FQDN del cliente al que se conectará. El parámetro de dirección se puede usar hasta dos veces y se usa para asignar direcciones IPv4 (/32) o IPv6 (/128) específicas a los clientes." +#: ../../configuration/interfaces/wireguard.rst:416 +msgid "In addition you will specify the IP address or FQDN for the client where it will connect to. The address parameter can be used up to two times and is used to assign the clients specific IPv4 (/32) or IPv6 (/128) address." +msgstr "In addition you will specify the IP address or FQDN for the client where it will connect to. The address parameter can be used up to two times and is used to assign the clients specific IPv4 (/32) or IPv6 (/128) address." +  #: ../../configuration/firewall/general.rst:194  #: ../../configuration/firewall/general-legacy.rst:170  msgid "In an **address group** a single IP address or IP address ranges are defined." @@ -7997,7 +8017,7 @@ msgstr "En lugar de enviar el nombre de host real del sistema al servidor DHCP,  msgid "Integrity – Message integrity to ensure that a packet has not been tampered while in transit including an optional packet replay protection mechanism."  msgstr "Integridad: integridad del mensaje para garantizar que un paquete no haya sido manipulado durante el tránsito, incluido un mecanismo opcional de protección de reproducción de paquetes." -#: ../../configuration/interfaces/wireless.rst:600 +#: ../../configuration/interfaces/wireless.rst:602  msgid "Intel AX200"  msgstr "Intel AX200" 
@@ -8238,7 +8258,7 @@ msgstr "Generación de claves"  msgid "Key Management"  msgstr "Gestión de claves" -#: ../../configuration/vpn/site2site_ipsec.rst:353 +#: ../../configuration/vpn/site2site_ipsec.rst:374  msgid "Key Parameters:"  msgstr "Parámetros clave:" @@ -10952,7 +10972,7 @@ msgstr "Reinicia el proceso de recurso de DNS. Esto también invalida el caché  #: ../../configuration/interfaces/wireless.rst:315  #: ../../configuration/interfaces/wireless.rst:369 -#: ../../configuration/interfaces/wireless.rst:566 +#: ../../configuration/interfaces/wireless.rst:567  msgid "Resulting in"  msgstr "Resultando en" @@ -12463,7 +12483,7 @@ msgstr "Tarjeta miniPCIe (LTE) Sierra Wireless AirPrime MC7455"  msgid "Sierra Wireless AirPrime MC7710 miniPCIe card (LTE)"  msgstr "Sierra Wireless AirPrime MC7710 tarjeta miniPCIe (LTE)" -#: ../../configuration/vpn/site2site_ipsec.rst:397 +#: ../../configuration/vpn/site2site_ipsec.rst:418  msgid "Similar combinations are applicable for the dead-peer-detection."  msgstr "Se aplican combinaciones similares para la detección de pares muertos." @@ -13325,7 +13345,7 @@ msgstr "El servicio HTTP escucha en el puerto TCP 80."  msgid "The IP address of the internal system we wish to forward traffic to."  msgstr "La dirección IP del sistema interno al que deseamos reenviar el tráfico." -#: ../../configuration/interfaces/wireless.rst:602 +#: ../../configuration/interfaces/wireless.rst:604  msgid "The Intel AX200 card does not work out of the box in AP mode, see https://unix.stackexchange.com/questions/598275/intel-ax200-ap-mode. You can still put this card into AP mode using the following configuration:"  msgstr "La tarjeta Intel AX200 no funciona de fábrica en modo AP, consulte https://unix.stackexchange.com/questions/598275/intel-ax200-ap-mode. Todavía puede poner esta tarjeta en modo AP usando la siguiente configuración:" 
@@ -16258,7 +16278,7 @@ msgstr "Para reenviar todos los paquetes de difusión recibidos en el "puer  msgid "To generate the CA, the server private key and certificates the following commands can be used."  msgstr "Para generar la CA, la clave privada del servidor y los certificados, se pueden utilizar los siguientes comandos." -#: ../../configuration/interfaces/wireless.rst:592 +#: ../../configuration/interfaces/wireless.rst:594  msgid "To get it to work as an access point with this configuration you will need to set up a DHCP server to work with that network. You can - of course - also bridge the Wireless interface with any configured bridge (:ref:`bridge-interface`) on the system."  msgstr "Para que funcione como un punto de acceso con esta configuración, deberá configurar un servidor DHCP para que funcione con esa red. Por supuesto, también puede unir la interfaz inalámbrica con cualquier puente configurado (:ref:`bridge-interface`) en el sistema." 
@@ -18077,7 +18097,7 @@ msgstr "Al iniciar un sistema VyOS en vivo (el CD de instalación), el diseño d  msgid "When the DHCP server is considering dynamically allocating an IP address to a client, it first sends an ICMP Echo request (a ping) to the address being assigned. It waits for a second, and if no ICMP Echo response has been heard, it assigns the address."  msgstr "Cuando el servidor DHCP está considerando asignar dinámicamente una dirección IP a un cliente, primero envía una solicitud de eco ICMP (un ping) a la dirección asignada. Espera un segundo y, si no se escucha ninguna respuesta de eco ICMP, asigna la dirección." -#: ../../configuration/vpn/site2site_ipsec.rst:386 +#: ../../configuration/vpn/site2site_ipsec.rst:407  msgid "When the close-action option is set on the peers, the connection-type of each peer has to considered carefully. For example, if the option is set on both peers, then both would attempt to initiate and hold open multiple copies of each child SA. This might lead to instability of the device or cpu/memory utilization."  msgstr "Cuando la opción de acción de cierre se establece en los pares, el tipo de conexión de cada par debe considerarse cuidadosamente. Por ejemplo, si la opción está configurada en ambos pares, ambos intentarán iniciar y mantener abiertas varias copias de cada SA secundario. Esto podría conducir a la inestabilidad del dispositivo o la utilización de la CPU/memoria." 
@@ -18483,10 +18503,13 @@ msgid "You should add a firewall to your configuration above as well by assignin  msgstr "También debe agregar un firewall a su configuración anterior asignándolo al propio pppoe0 como se muestra aquí:"  #: ../../configuration/interfaces/openvpn.rst:227 -#: ../../configuration/interfaces/wireguard.rst:225  msgid "You should also ensure that the OUTISDE_LOCAL firewall group is applied to the WAN interface and a direction (local)."  msgstr "También debe asegurarse de que el grupo de firewall OUTISDE_LOCAL se aplique a la interfaz WAN y una dirección (local)." +#: ../../configuration/interfaces/wireguard.rst:225 +msgid "You should also ensure that the OUTSIDE_LOCAL firewall group is applied to the WAN interface and a direction (local)." +msgstr "You should also ensure that the OUTSIDE_LOCAL firewall group is applied to the WAN interface and a direction (local)." +  #: ../../configuration/interfaces/wireguard.rst:136  msgid "You will also need the public key of your peer as well as the network(s) you want to tunnel (allowed-ips) to configure a WireGuard tunnel. The public key below is always the public key from your peer, not your local one."  msgstr "También necesitará la clave pública de su par, así como la(s) red(es) que desea tunelizar (ips permitidas) para configurar un túnel WireGuard. La clave pública a continuación es siempre la clave pública de su par, no la local." 
@@ -19112,7 +19135,7 @@ msgstr "``todas disponibles`` todas las direcciones de destino de verificación  msgid "``any-available`` any of the checking target addresses must be available to pass this check"  msgstr "``cualquiera disponible`` cualquiera de las direcciones de destino de verificación debe estar disponible para pasar esta verificación" -#: ../../configuration/vpn/site2site_ipsec.rst:355 +#: ../../configuration/vpn/site2site_ipsec.rst:376  msgid "``authentication local-id/remote-id`` - IKE identification is used for validation of VPN peer devices during IKE negotiation. If you do not configure local/remote-identity, the device uses the IPv4 or IPv6 address that corresponds to the local/remote peer by default. In certain network setups (like ipsec interface with dynamic address, or behind the NAT ), the IKE ID received from the peer does not match the IKE gateway configured on the device. This can lead to a Phase 1 validation failure. So, make sure to configure the local/remote id explicitly and ensure that the IKE ID is the same as the remote-identity configured on the peer device."  msgstr "``authentication local-id/remote-id``: la identificación de IKE se utiliza para la validación de los dispositivos del mismo nivel de VPN durante la negociación de IKE. Si no configura la identidad local/remota, el dispositivo utiliza la dirección IPv4 o IPv6 que corresponde al par local/remoto de forma predeterminada. En ciertas configuraciones de red (como la interfaz ipsec con dirección dinámica o detrás de NAT), la ID de IKE recibida del par no coincide con la puerta de enlace IKE configurada en el dispositivo. Esto puede conducir a una falla de validación de Fase 1. Por lo tanto, asegúrese de configurar la identificación local/remota explícitamente y asegúrese de que la identificación IKE sea la misma que la identidad remota configurada en el dispositivo par." 
@@ -19168,7 +19191,7 @@ msgstr "``cert-file``: archivo de certificado, que se usará para autenticar el  msgid "``clear`` set action to clear;"  msgstr "``borrar`` establece la acción para borrar;" -#: ../../configuration/vpn/site2site_ipsec.rst:381 +#: ../../configuration/vpn/site2site_ipsec.rst:402  msgid "``close-action = none | clear | hold | restart`` - defines the action to take if the remote peer unexpectedly closes a CHILD_SA (see above for meaning of values). A closeaction should not be used if the peer uses reauthentication or uniqueids."  msgstr "``cierre-acción = ninguno | claro | espera | restart`` - define la acción a tomar si el par remoto cierra inesperadamente un CHILD_SA (ver arriba para el significado de los valores). No se debe usar una acción de cierre si el par usa reautenticación o identificadores únicos." 
@@ -19200,7 +19223,7 @@ msgstr "``crl-file`` - archivo con la Lista de Revocación de Certificados. Uso  msgid "``d`` - Execution interval in days"  msgstr "``d`` - Intervalo de ejecución en días" -#: ../../configuration/vpn/site2site_ipsec.rst:370 +#: ../../configuration/vpn/site2site_ipsec.rst:391  msgid "``dead-peer-detection action = clear | hold | restart`` - R_U_THERE notification messages(IKEv1) or empty INFORMATIONAL messages (IKEv2) are periodically sent in order to check the liveliness of the IPsec peer. The values clear, hold, and restart all activate DPD and determine the action to perform on a timeout. With ``clear`` the connection is closed with no further actions taken. ``hold`` installs a trap policy, which will catch matching traffic and tries to re-negotiate the connection on demand. ``restart`` will immediately trigger an attempt to re-negotiate the connection."  msgstr "``acción de detección de pares muertos = borrar | espera | reiniciar``: los mensajes de notificación R_U_THERE (IKEv1) o los mensajes INFORMATIVOS vacíos (IKEv2) se envían periódicamente para verificar la actividad del par IPsec. Los valores borrar, mantener y reiniciar activan DPD y determinan la acción a realizar en un tiempo de espera. Con ``clear`` la conexión se cierra sin que se realicen más acciones. ``hold`` instala una política de captura, que capturará el tráfico coincidente e intentará renegociar la conexión a pedido. ``reiniciar`` activará inmediatamente un intento de renegociar la conexión." 
@@ -19232,7 +19255,7 @@ msgstr "``dhcp-interface``: use una dirección IP, recibida de DHCP para la cone  msgid "``disable-mobike`` disables MOBIKE Support. MOBIKE is only available for IKEv2 and enabled by default."  msgstr "``disable-mobike`` disables MOBIKE Support. MOBIKE is only available for IKEv2 and enabled by default." -#: ../../configuration/vpn/site2site_ipsec.rst:366 +#: ../../configuration/vpn/site2site_ipsec.rst:387  msgid "``disable-route-autoinstall`` - This option when configured disables the routes installed in the default table 220 for site-to-site ipsec. It is mostly used with VTI configuration."  msgstr "``disable-route-autoinstall``: esta opción, cuando se configura, deshabilita las rutas instaladas en la tabla predeterminada 220 para ipsec de sitio a sitio. Se utiliza sobre todo con la configuración de VTI." diff --git a/docs/_locale/ja/LC_MESSAGES/configuration.mo b/docs/_locale/ja/LC_MESSAGES/configuration.moBinary files differ index 336afc77..1716cef9 100644 --- a/docs/_locale/ja/LC_MESSAGES/configuration.mo +++ b/docs/_locale/ja/LC_MESSAGES/configuration.mo diff --git a/docs/_locale/ja/configuration.pot b/docs/_locale/ja/configuration.pot index 9f253648..b76eeeb0 100644 --- a/docs/_locale/ja/configuration.pot +++ b/docs/_locale/ja/configuration.pot 
@@ -225,6 +225,14 @@ msgstr "**Important note on usage of terms:** The firewall makes use of the term  msgid "**Interface name**"  msgstr "**Interface name**" +#: ../../configuration/vpn/site2site_ipsec.rst:299 +msgid "**LEFT**" +msgstr "**LEFT**" + +#: ../../configuration/vpn/site2site_ipsec.rst:283 +msgid "**LEFT:** * WAN interface on `eth0.201` * `eth0.201` interface IP: `172.18.201.10/24` * `vti10` interface IP: `10.0.0.2/31` * `dum0` interface IP: `10.0.11.1/24` (for testing purposes)" +msgstr "**LEFT:** * WAN interface on `eth0.201` * `eth0.201` interface IP: `172.18.201.10/24` * `vti10` interface IP: `10.0.0.2/31` * `dum0` interface IP: `10.0.11.1/24` (for testing purposes)" +  #: ../../configuration/interfaces/vxlan.rst:214  msgid "**Leaf2 configuration:**"  msgstr "**Leaf2 configuration:**" @@ -401,6 +409,14 @@ msgstr "**RADIUS based IP pools (Framed-IP-Address)**"  msgid "**RADIUS sessions management DM/CoA**"  msgstr "**RADIUS sessions management DM/CoA**" +#: ../../configuration/vpn/site2site_ipsec.rst:335 +msgid "**RIGHT**" +msgstr "**RIGHT**" + +#: ../../configuration/vpn/site2site_ipsec.rst:289 +msgid "**RIGHT:** * WAN interface on `eth0.202` * `eth0.201` interface IP: `172.18.202.10/24` * `vti10` interface IP: `10.0.0.3/31` * `dum0` interface IP: `10.0.12.1/24` (for testing purposes)" +msgstr "**RIGHT:** * WAN interface on `eth0.202` * `eth0.201` interface IP: `172.18.202.10/24` * `vti10` interface IP: `10.0.0.3/31` * `dum0` interface IP: `10.0.12.1/24` (for testing purposes)" +  #: ../../configuration/protocols/bgp.rst:113  msgid "**Router-ID check**"  msgstr "**Router-ID check**" 
@@ -2619,7 +2635,7 @@ msgstr "Before enabling any hardware segmentation offload a corresponding softwa  msgid "Before you are able to apply a rule-set to a zone you have to create the zones first."  msgstr "Before you are able to apply a rule-set to a zone you have to create the zones first." -#: ../../configuration/vpn/site2site_ipsec.rst:392 +#: ../../configuration/vpn/site2site_ipsec.rst:413  msgid "Below flow-chart could be a quick reference for the close-action combination depending on how the peer is configured."  msgstr "Below flow-chart could be a quick reference for the close-action combination depending on how the peer is configured." @@ -4609,7 +4625,7 @@ msgstr "Don't forget, the CIDR declared in the network statement **MUST exist in  msgid "Don't forget, the CIDR declared in the network statement MUST **exist in your routing table (dynamic or static), the best way to make sure that is true is creating a static route:**"  msgstr "Don't forget, the CIDR declared in the network statement MUST **exist in your routing table (dynamic or static), the best way to make sure that is true is creating a static route:**" -#: ../../configuration/vpn/site2site_ipsec.rst:284 +#: ../../configuration/vpn/site2site_ipsec.rst:295  msgid "Don't get confused about the used /31 tunnel subnet. :rfc:`3021` gives you additional information for using /31 subnets on point-to-point links."  msgstr "Don't get confused about the used /31 tunnel subnet. :rfc:`3021` gives you additional information for using /31 subnets on point-to-point links." 
@@ -7636,6 +7652,10 @@ msgstr "In addition you can also disable the whole service without the need to r  msgid "In addition you will specifiy the IP address or FQDN for the client where it will connect to. The address parameter can be used up to two times and is used to assign the clients specific IPv4 (/32) or IPv6 (/128) address."  msgstr "In addition you will specifiy the IP address or FQDN for the client where it will connect to. The address parameter can be used up to two times and is used to assign the clients specific IPv4 (/32) or IPv6 (/128) address." +#: ../../configuration/interfaces/wireguard.rst:416 +msgid "In addition you will specify the IP address or FQDN for the client where it will connect to. The address parameter can be used up to two times and is used to assign the clients specific IPv4 (/32) or IPv6 (/128) address." +msgstr "In addition you will specify the IP address or FQDN for the client where it will connect to. The address parameter can be used up to two times and is used to assign the clients specific IPv4 (/32) or IPv6 (/128) address." +  #: ../../configuration/firewall/general.rst:194  #: ../../configuration/firewall/general-legacy.rst:170  msgid "In an **address group** a single IP address or IP address ranges are defined." @@ -7997,7 +8017,7 @@ msgstr "Instead of sending the real system hostname to the DHCP server, overwrit  msgid "Integrity – Message integrity to ensure that a packet has not been tampered while in transit including an optional packet replay protection mechanism."  msgstr "Integrity – Message integrity to ensure that a packet has not been tampered while in transit including an optional packet replay protection mechanism." -#: ../../configuration/interfaces/wireless.rst:600 +#: ../../configuration/interfaces/wireless.rst:602  msgid "Intel AX200"  msgstr "Intel AX200" 
@@ -8238,7 +8258,7 @@ msgstr "Key Generation"  msgid "Key Management"  msgstr "Key Management" -#: ../../configuration/vpn/site2site_ipsec.rst:353 +#: ../../configuration/vpn/site2site_ipsec.rst:374  msgid "Key Parameters:"  msgstr "Key Parameters:" @@ -10952,7 +10972,7 @@ msgstr "Restarts the DNS recursor process. This also invalidates the local DNS f  #: ../../configuration/interfaces/wireless.rst:315  #: ../../configuration/interfaces/wireless.rst:369 -#: ../../configuration/interfaces/wireless.rst:566 +#: ../../configuration/interfaces/wireless.rst:567  msgid "Resulting in"  msgstr "Resulting in" @@ -12463,7 +12483,7 @@ msgstr "Sierra Wireless AirPrime MC7455 miniPCIe card (LTE)"  msgid "Sierra Wireless AirPrime MC7710 miniPCIe card (LTE)"  msgstr "Sierra Wireless AirPrime MC7710 miniPCIe card (LTE)" -#: ../../configuration/vpn/site2site_ipsec.rst:397 +#: ../../configuration/vpn/site2site_ipsec.rst:418  msgid "Similar combinations are applicable for the dead-peer-detection."  msgstr "Similar combinations are applicable for the dead-peer-detection." @@ -13325,7 +13345,7 @@ msgstr "The HTTP service listen on TCP port 80."  msgid "The IP address of the internal system we wish to forward traffic to."  msgstr "The IP address of the internal system we wish to forward traffic to." -#: ../../configuration/interfaces/wireless.rst:602 +#: ../../configuration/interfaces/wireless.rst:604  msgid "The Intel AX200 card does not work out of the box in AP mode, see https://unix.stackexchange.com/questions/598275/intel-ax200-ap-mode. You can still put this card into AP mode using the following configuration:"  msgstr "The Intel AX200 card does not work out of the box in AP mode, see https://unix.stackexchange.com/questions/598275/intel-ax200-ap-mode. You can still put this card into AP mode using the following configuration:" 
@@ -16258,7 +16278,7 @@ msgstr "To forward all broadcast packets received on `UDP port 1900` on `eth3`,  msgid "To generate the CA, the server private key and certificates the following commands can be used."  msgstr "To generate the CA, the server private key and certificates the following commands can be used." -#: ../../configuration/interfaces/wireless.rst:592 +#: ../../configuration/interfaces/wireless.rst:594  msgid "To get it to work as an access point with this configuration you will need to set up a DHCP server to work with that network. You can - of course - also bridge the Wireless interface with any configured bridge (:ref:`bridge-interface`) on the system."  msgstr "To get it to work as an access point with this configuration you will need to set up a DHCP server to work with that network. You can - of course - also bridge the Wireless interface with any configured bridge (:ref:`bridge-interface`) on the system." 
@@ -18077,7 +18097,7 @@ msgstr "When starting a VyOS live system (the installation CD) the configured ke  msgid "When the DHCP server is considering dynamically allocating an IP address to a client, it first sends an ICMP Echo request (a ping) to the address being assigned. It waits for a second, and if no ICMP Echo response has been heard, it assigns the address."  msgstr "When the DHCP server is considering dynamically allocating an IP address to a client, it first sends an ICMP Echo request (a ping) to the address being assigned. It waits for a second, and if no ICMP Echo response has been heard, it assigns the address." -#: ../../configuration/vpn/site2site_ipsec.rst:386 +#: ../../configuration/vpn/site2site_ipsec.rst:407  msgid "When the close-action option is set on the peers, the connection-type of each peer has to considered carefully. For example, if the option is set on both peers, then both would attempt to initiate and hold open multiple copies of each child SA. This might lead to instability of the device or cpu/memory utilization."  msgstr "When the close-action option is set on the peers, the connection-type of each peer has to considered carefully. For example, if the option is set on both peers, then both would attempt to initiate and hold open multiple copies of each child SA. This might lead to instability of the device or cpu/memory utilization." 
@@ -18483,10 +18503,13 @@ msgid "You should add a firewall to your configuration above as well by assignin  msgstr "You should add a firewall to your configuration above as well by assigning it to the pppoe0 itself as shown here:"  #: ../../configuration/interfaces/openvpn.rst:227 -#: ../../configuration/interfaces/wireguard.rst:225  msgid "You should also ensure that the OUTISDE_LOCAL firewall group is applied to the WAN interface and a direction (local)."  msgstr "You should also ensure that the OUTISDE_LOCAL firewall group is applied to the WAN interface and a direction (local)." +#: ../../configuration/interfaces/wireguard.rst:225 +msgid "You should also ensure that the OUTSIDE_LOCAL firewall group is applied to the WAN interface and a direction (local)." +msgstr "You should also ensure that the OUTSIDE_LOCAL firewall group is applied to the WAN interface and a direction (local)." +  #: ../../configuration/interfaces/wireguard.rst:136  msgid "You will also need the public key of your peer as well as the network(s) you want to tunnel (allowed-ips) to configure a WireGuard tunnel. The public key below is always the public key from your peer, not your local one."  msgstr "You will also need the public key of your peer as well as the network(s) you want to tunnel (allowed-ips) to configure a WireGuard tunnel. The public key below is always the public key from your peer, not your local one." 
@@ -19112,7 +19135,7 @@ msgstr "``all-available`` all checking target addresses must be available to pas  msgid "``any-available`` any of the checking target addresses must be available to pass this check"  msgstr "``any-available`` any of the checking target addresses must be available to pass this check" -#: ../../configuration/vpn/site2site_ipsec.rst:355 +#: ../../configuration/vpn/site2site_ipsec.rst:376  msgid "``authentication local-id/remote-id`` - IKE identification is used for validation of VPN peer devices during IKE negotiation. If you do not configure local/remote-identity, the device uses the IPv4 or IPv6 address that corresponds to the local/remote peer by default. In certain network setups (like ipsec interface with dynamic address, or behind the NAT ), the IKE ID received from the peer does not match the IKE gateway configured on the device. This can lead to a Phase 1 validation failure. So, make sure to configure the local/remote id explicitly and ensure that the IKE ID is the same as the remote-identity configured on the peer device."  msgstr "``authentication local-id/remote-id`` - IKE identification is used for validation of VPN peer devices during IKE negotiation. If you do not configure local/remote-identity, the device uses the IPv4 or IPv6 address that corresponds to the local/remote peer by default. In certain network setups (like ipsec interface with dynamic address, or behind the NAT ), the IKE ID received from the peer does not match the IKE gateway configured on the device. This can lead to a Phase 1 validation failure. So, make sure to configure the local/remote id explicitly and ensure that the IKE ID is the same as the remote-identity configured on the peer device." 
@@ -19168,7 +19191,7 @@ msgstr "``cert-file`` - certificate file, which will be used for authenticating  msgid "``clear`` set action to clear;"  msgstr "``clear`` set action to clear;" -#: ../../configuration/vpn/site2site_ipsec.rst:381 +#: ../../configuration/vpn/site2site_ipsec.rst:402  msgid "``close-action = none | clear | hold | restart`` - defines the action to take if the remote peer unexpectedly closes a CHILD_SA (see above for meaning of values). A closeaction should not be used if the peer uses reauthentication or uniqueids."  msgstr "``close-action = none | clear | hold | restart`` - defines the action to take if the remote peer unexpectedly closes a CHILD_SA (see above for meaning of values). A closeaction should not be used if the peer uses reauthentication or uniqueids." 
@@ -19200,7 +19223,7 @@ msgstr "``crl-file`` - file with the Certificate Revocation List. Using to check  msgid "``d`` - Execution interval in days"  msgstr "``d`` - Execution interval in days" -#: ../../configuration/vpn/site2site_ipsec.rst:370 +#: ../../configuration/vpn/site2site_ipsec.rst:391  msgid "``dead-peer-detection action = clear | hold | restart`` - R_U_THERE notification messages(IKEv1) or empty INFORMATIONAL messages (IKEv2) are periodically sent in order to check the liveliness of the IPsec peer. The values clear, hold, and restart all activate DPD and determine the action to perform on a timeout. With ``clear`` the connection is closed with no further actions taken. ``hold`` installs a trap policy, which will catch matching traffic and tries to re-negotiate the connection on demand. ``restart`` will immediately trigger an attempt to re-negotiate the connection."  msgstr "``dead-peer-detection action = clear | hold | restart`` - R_U_THERE notification messages(IKEv1) or empty INFORMATIONAL messages (IKEv2) are periodically sent in order to check the liveliness of the IPsec peer. The values clear, hold, and restart all activate DPD and determine the action to perform on a timeout. With ``clear`` the connection is closed with no further actions taken. ``hold`` installs a trap policy, which will catch matching traffic and tries to re-negotiate the connection on demand. ``restart`` will immediately trigger an attempt to re-negotiate the connection." 
@@ -19232,7 +19255,7 @@ msgstr "``dhcp-interface`` - use an IP address, received from DHCP for IPSec con  msgid "``disable-mobike`` disables MOBIKE Support. MOBIKE is only available for IKEv2 and enabled by default."  msgstr "``disable-mobike`` disables MOBIKE Support. MOBIKE is only available for IKEv2 and enabled by default." -#: ../../configuration/vpn/site2site_ipsec.rst:366 +#: ../../configuration/vpn/site2site_ipsec.rst:387  msgid "``disable-route-autoinstall`` - This option when configured disables the routes installed in the default table 220 for site-to-site ipsec. It is mostly used with VTI configuration."  msgstr "``disable-route-autoinstall`` - This option when configured disables the routes installed in the default table 220 for site-to-site ipsec. It is mostly used with VTI configuration." diff --git a/docs/_locale/pt/LC_MESSAGES/configuration.mo b/docs/_locale/pt/LC_MESSAGES/configuration.moBinary files differ index 08df0708..62817f09 100644 --- a/docs/_locale/pt/LC_MESSAGES/configuration.mo +++ b/docs/_locale/pt/LC_MESSAGES/configuration.mo diff --git a/docs/_locale/pt/configuration.pot b/docs/_locale/pt/configuration.pot index 5a12333e..dbe8970c 100644 --- a/docs/_locale/pt/configuration.pot +++ b/docs/_locale/pt/configuration.pot 
@@ -225,6 +225,14 @@ msgstr "**Important note on usage of terms:** The firewall makes use of the term  msgid "**Interface name**"  msgstr "**Interface name**" +#: ../../configuration/vpn/site2site_ipsec.rst:299 +msgid "**LEFT**" +msgstr "**LEFT**" + +#: ../../configuration/vpn/site2site_ipsec.rst:283 +msgid "**LEFT:** * WAN interface on `eth0.201` * `eth0.201` interface IP: `172.18.201.10/24` * `vti10` interface IP: `10.0.0.2/31` * `dum0` interface IP: `10.0.11.1/24` (for testing purposes)" +msgstr "**LEFT:** * WAN interface on `eth0.201` * `eth0.201` interface IP: `172.18.201.10/24` * `vti10` interface IP: `10.0.0.2/31` * `dum0` interface IP: `10.0.11.1/24` (for testing purposes)" +  #: ../../configuration/interfaces/vxlan.rst:214  msgid "**Leaf2 configuration:**"  msgstr "**Leaf2 configuration:**" @@ -401,6 +409,14 @@ msgstr "**RADIUS based IP pools (Framed-IP-Address)**"  msgid "**RADIUS sessions management DM/CoA**"  msgstr "**RADIUS sessions management DM/CoA**" +#: ../../configuration/vpn/site2site_ipsec.rst:335 +msgid "**RIGHT**" +msgstr "**RIGHT**" + +#: ../../configuration/vpn/site2site_ipsec.rst:289 +msgid "**RIGHT:** * WAN interface on `eth0.202` * `eth0.201` interface IP: `172.18.202.10/24` * `vti10` interface IP: `10.0.0.3/31` * `dum0` interface IP: `10.0.12.1/24` (for testing purposes)" +msgstr "**RIGHT:** * WAN interface on `eth0.202` * `eth0.201` interface IP: `172.18.202.10/24` * `vti10` interface IP: `10.0.0.3/31` * `dum0` interface IP: `10.0.12.1/24` (for testing purposes)" +  #: ../../configuration/protocols/bgp.rst:113  msgid "**Router-ID check**"  msgstr "**Router-ID check**" 
@@ -2619,7 +2635,7 @@ msgstr "Before enabling any hardware segmentation offload a corresponding softwa  msgid "Before you are able to apply a rule-set to a zone you have to create the zones first."  msgstr "Before you are able to apply a rule-set to a zone you have to create the zones first." -#: ../../configuration/vpn/site2site_ipsec.rst:392 +#: ../../configuration/vpn/site2site_ipsec.rst:413  msgid "Below flow-chart could be a quick reference for the close-action combination depending on how the peer is configured."  msgstr "Below flow-chart could be a quick reference for the close-action combination depending on how the peer is configured." @@ -4609,7 +4625,7 @@ msgstr "Don't forget, the CIDR declared in the network statement **MUST exist in  msgid "Don't forget, the CIDR declared in the network statement MUST **exist in your routing table (dynamic or static), the best way to make sure that is true is creating a static route:**"  msgstr "Don't forget, the CIDR declared in the network statement MUST **exist in your routing table (dynamic or static), the best way to make sure that is true is creating a static route:**" -#: ../../configuration/vpn/site2site_ipsec.rst:284 +#: ../../configuration/vpn/site2site_ipsec.rst:295  msgid "Don't get confused about the used /31 tunnel subnet. :rfc:`3021` gives you additional information for using /31 subnets on point-to-point links."  msgstr "Don't get confused about the used /31 tunnel subnet. :rfc:`3021` gives you additional information for using /31 subnets on point-to-point links." 
@@ -7636,6 +7652,10 @@ msgstr "In addition you can also disable the whole service without the need to r  msgid "In addition you will specifiy the IP address or FQDN for the client where it will connect to. The address parameter can be used up to two times and is used to assign the clients specific IPv4 (/32) or IPv6 (/128) address."  msgstr "In addition you will specifiy the IP address or FQDN for the client where it will connect to. The address parameter can be used up to two times and is used to assign the clients specific IPv4 (/32) or IPv6 (/128) address." +#: ../../configuration/interfaces/wireguard.rst:416 +msgid "In addition you will specify the IP address or FQDN for the client where it will connect to. The address parameter can be used up to two times and is used to assign the clients specific IPv4 (/32) or IPv6 (/128) address." +msgstr "In addition you will specify the IP address or FQDN for the client where it will connect to. The address parameter can be used up to two times and is used to assign the clients specific IPv4 (/32) or IPv6 (/128) address." +  #: ../../configuration/firewall/general.rst:194  #: ../../configuration/firewall/general-legacy.rst:170  msgid "In an **address group** a single IP address or IP address ranges are defined." @@ -7997,7 +8017,7 @@ msgstr "Instead of sending the real system hostname to the DHCP server, overwrit  msgid "Integrity – Message integrity to ensure that a packet has not been tampered while in transit including an optional packet replay protection mechanism."  msgstr "Integrity – Message integrity to ensure that a packet has not been tampered while in transit including an optional packet replay protection mechanism." -#: ../../configuration/interfaces/wireless.rst:600 +#: ../../configuration/interfaces/wireless.rst:602  msgid "Intel AX200"  msgstr "Intel AX200" 
@@ -8238,7 +8258,7 @@ msgstr "Key Generation"  msgid "Key Management"  msgstr "Key Management" -#: ../../configuration/vpn/site2site_ipsec.rst:353 +#: ../../configuration/vpn/site2site_ipsec.rst:374  msgid "Key Parameters:"  msgstr "Key Parameters:" @@ -10952,7 +10972,7 @@ msgstr "Restarts the DNS recursor process. This also invalidates the local DNS f  #: ../../configuration/interfaces/wireless.rst:315  #: ../../configuration/interfaces/wireless.rst:369 -#: ../../configuration/interfaces/wireless.rst:566 +#: ../../configuration/interfaces/wireless.rst:567  msgid "Resulting in"  msgstr "Resulting in" @@ -12463,7 +12483,7 @@ msgstr "Sierra Wireless AirPrime MC7455 miniPCIe card (LTE)"  msgid "Sierra Wireless AirPrime MC7710 miniPCIe card (LTE)"  msgstr "Sierra Wireless AirPrime MC7710 miniPCIe card (LTE)" -#: ../../configuration/vpn/site2site_ipsec.rst:397 +#: ../../configuration/vpn/site2site_ipsec.rst:418  msgid "Similar combinations are applicable for the dead-peer-detection."  msgstr "Similar combinations are applicable for the dead-peer-detection." @@ -13325,7 +13345,7 @@ msgstr "The HTTP service listen on TCP port 80."  msgid "The IP address of the internal system we wish to forward traffic to."  msgstr "The IP address of the internal system we wish to forward traffic to." -#: ../../configuration/interfaces/wireless.rst:602 +#: ../../configuration/interfaces/wireless.rst:604  msgid "The Intel AX200 card does not work out of the box in AP mode, see https://unix.stackexchange.com/questions/598275/intel-ax200-ap-mode. You can still put this card into AP mode using the following configuration:"  msgstr "The Intel AX200 card does not work out of the box in AP mode, see https://unix.stackexchange.com/questions/598275/intel-ax200-ap-mode. You can still put this card into AP mode using the following configuration:" 
@@ -16258,7 +16278,7 @@ msgstr "To forward all broadcast packets received on `UDP port 1900` on `eth3`,  msgid "To generate the CA, the server private key and certificates the following commands can be used."  msgstr "To generate the CA, the server private key and certificates the following commands can be used." -#: ../../configuration/interfaces/wireless.rst:592 +#: ../../configuration/interfaces/wireless.rst:594  msgid "To get it to work as an access point with this configuration you will need to set up a DHCP server to work with that network. You can - of course - also bridge the Wireless interface with any configured bridge (:ref:`bridge-interface`) on the system."  msgstr "To get it to work as an access point with this configuration you will need to set up a DHCP server to work with that network. You can - of course - also bridge the Wireless interface with any configured bridge (:ref:`bridge-interface`) on the system." 
@@ -18077,7 +18097,7 @@ msgstr "When starting a VyOS live system (the installation CD) the configured ke  msgid "When the DHCP server is considering dynamically allocating an IP address to a client, it first sends an ICMP Echo request (a ping) to the address being assigned. It waits for a second, and if no ICMP Echo response has been heard, it assigns the address."  msgstr "When the DHCP server is considering dynamically allocating an IP address to a client, it first sends an ICMP Echo request (a ping) to the address being assigned. It waits for a second, and if no ICMP Echo response has been heard, it assigns the address." -#: ../../configuration/vpn/site2site_ipsec.rst:386 +#: ../../configuration/vpn/site2site_ipsec.rst:407  msgid "When the close-action option is set on the peers, the connection-type of each peer has to considered carefully. For example, if the option is set on both peers, then both would attempt to initiate and hold open multiple copies of each child SA. This might lead to instability of the device or cpu/memory utilization."  msgstr "When the close-action option is set on the peers, the connection-type of each peer has to considered carefully. For example, if the option is set on both peers, then both would attempt to initiate and hold open multiple copies of each child SA. This might lead to instability of the device or cpu/memory utilization." 
@@ -18483,10 +18503,13 @@ msgid "You should add a firewall to your configuration above as well by assignin  msgstr "You should add a firewall to your configuration above as well by assigning it to the pppoe0 itself as shown here:"  #: ../../configuration/interfaces/openvpn.rst:227 -#: ../../configuration/interfaces/wireguard.rst:225  msgid "You should also ensure that the OUTISDE_LOCAL firewall group is applied to the WAN interface and a direction (local)."  msgstr "You should also ensure that the OUTISDE_LOCAL firewall group is applied to the WAN interface and a direction (local)." +#: ../../configuration/interfaces/wireguard.rst:225 +msgid "You should also ensure that the OUTSIDE_LOCAL firewall group is applied to the WAN interface and a direction (local)." +msgstr "You should also ensure that the OUTSIDE_LOCAL firewall group is applied to the WAN interface and a direction (local)." +  #: ../../configuration/interfaces/wireguard.rst:136  msgid "You will also need the public key of your peer as well as the network(s) you want to tunnel (allowed-ips) to configure a WireGuard tunnel. The public key below is always the public key from your peer, not your local one."  msgstr "You will also need the public key of your peer as well as the network(s) you want to tunnel (allowed-ips) to configure a WireGuard tunnel. The public key below is always the public key from your peer, not your local one." 
@@ -19112,7 +19135,7 @@ msgstr "``all-available`` all checking target addresses must be available to pas  msgid "``any-available`` any of the checking target addresses must be available to pass this check"  msgstr "``any-available`` any of the checking target addresses must be available to pass this check" -#: ../../configuration/vpn/site2site_ipsec.rst:355 +#: ../../configuration/vpn/site2site_ipsec.rst:376  msgid "``authentication local-id/remote-id`` - IKE identification is used for validation of VPN peer devices during IKE negotiation. If you do not configure local/remote-identity, the device uses the IPv4 or IPv6 address that corresponds to the local/remote peer by default. In certain network setups (like ipsec interface with dynamic address, or behind the NAT ), the IKE ID received from the peer does not match the IKE gateway configured on the device. This can lead to a Phase 1 validation failure. So, make sure to configure the local/remote id explicitly and ensure that the IKE ID is the same as the remote-identity configured on the peer device."  msgstr "``authentication local-id/remote-id`` - IKE identification is used for validation of VPN peer devices during IKE negotiation. If you do not configure local/remote-identity, the device uses the IPv4 or IPv6 address that corresponds to the local/remote peer by default. In certain network setups (like ipsec interface with dynamic address, or behind the NAT ), the IKE ID received from the peer does not match the IKE gateway configured on the device. This can lead to a Phase 1 validation failure. So, make sure to configure the local/remote id explicitly and ensure that the IKE ID is the same as the remote-identity configured on the peer device." 
@@ -19168,7 +19191,7 @@ msgstr "``cert-file`` - certificate file, which will be used for authenticating  msgid "``clear`` set action to clear;"  msgstr "``clear`` set action to clear;" -#: ../../configuration/vpn/site2site_ipsec.rst:381 +#: ../../configuration/vpn/site2site_ipsec.rst:402  msgid "``close-action = none | clear | hold | restart`` - defines the action to take if the remote peer unexpectedly closes a CHILD_SA (see above for meaning of values). A closeaction should not be used if the peer uses reauthentication or uniqueids."  msgstr "``close-action = none | clear | hold | restart`` - defines the action to take if the remote peer unexpectedly closes a CHILD_SA (see above for meaning of values). A closeaction should not be used if the peer uses reauthentication or uniqueids." 
@@ -19200,7 +19223,7 @@ msgstr "``crl-file`` - file with the Certificate Revocation List. Using to check  msgid "``d`` - Execution interval in days"  msgstr "``d`` - Execution interval in days" -#: ../../configuration/vpn/site2site_ipsec.rst:370 +#: ../../configuration/vpn/site2site_ipsec.rst:391  msgid "``dead-peer-detection action = clear | hold | restart`` - R_U_THERE notification messages(IKEv1) or empty INFORMATIONAL messages (IKEv2) are periodically sent in order to check the liveliness of the IPsec peer. The values clear, hold, and restart all activate DPD and determine the action to perform on a timeout. With ``clear`` the connection is closed with no further actions taken. ``hold`` installs a trap policy, which will catch matching traffic and tries to re-negotiate the connection on demand. ``restart`` will immediately trigger an attempt to re-negotiate the connection."  msgstr "``dead-peer-detection action = clear | hold | restart`` - R_U_THERE notification messages(IKEv1) or empty INFORMATIONAL messages (IKEv2) are periodically sent in order to check the liveliness of the IPsec peer. The values clear, hold, and restart all activate DPD and determine the action to perform on a timeout. With ``clear`` the connection is closed with no further actions taken. ``hold`` installs a trap policy, which will catch matching traffic and tries to re-negotiate the connection on demand. ``restart`` will immediately trigger an attempt to re-negotiate the connection." 
@@ -19232,7 +19255,7 @@ msgstr "``dhcp-interface`` - use an IP address, received from DHCP for IPSec con  msgid "``disable-mobike`` disables MOBIKE Support. MOBIKE is only available for IKEv2 and enabled by default."  msgstr "``disable-mobike`` disables MOBIKE Support. MOBIKE is only available for IKEv2 and enabled by default." -#: ../../configuration/vpn/site2site_ipsec.rst:366 +#: ../../configuration/vpn/site2site_ipsec.rst:387  msgid "``disable-route-autoinstall`` - This option when configured disables the routes installed in the default table 220 for site-to-site ipsec. It is mostly used with VTI configuration."  msgstr "``disable-route-autoinstall`` - This option when configured disables the routes installed in the default table 220 for site-to-site ipsec. It is mostly used with VTI configuration." diff --git a/docs/_locale/uk/LC_MESSAGES/configuration.mo b/docs/_locale/uk/LC_MESSAGES/configuration.moBinary files differ index d6a4812d..a7fe23ad 100644 --- a/docs/_locale/uk/LC_MESSAGES/configuration.mo +++ b/docs/_locale/uk/LC_MESSAGES/configuration.mo diff --git a/docs/_locale/uk/configuration.pot b/docs/_locale/uk/configuration.pot index 1e440479..a3a1a512 100644 --- a/docs/_locale/uk/configuration.pot +++ b/docs/_locale/uk/configuration.pot 
@@ -225,6 +225,14 @@ msgstr "**Important note on usage of terms:** The firewall makes use of the term  msgid "**Interface name**"  msgstr "**Interface name**" +#: ../../configuration/vpn/site2site_ipsec.rst:299 +msgid "**LEFT**" +msgstr "**LEFT**" + +#: ../../configuration/vpn/site2site_ipsec.rst:283 +msgid "**LEFT:** * WAN interface on `eth0.201` * `eth0.201` interface IP: `172.18.201.10/24` * `vti10` interface IP: `10.0.0.2/31` * `dum0` interface IP: `10.0.11.1/24` (for testing purposes)" +msgstr "**LEFT:** * WAN interface on `eth0.201` * `eth0.201` interface IP: `172.18.201.10/24` * `vti10` interface IP: `10.0.0.2/31` * `dum0` interface IP: `10.0.11.1/24` (for testing purposes)" +  #: ../../configuration/interfaces/vxlan.rst:214  msgid "**Leaf2 configuration:**"  msgstr "**Leaf2 configuration:**" @@ -401,6 +409,14 @@ msgstr "**RADIUS based IP pools (Framed-IP-Address)**"  msgid "**RADIUS sessions management DM/CoA**"  msgstr "**RADIUS sessions management DM/CoA**" +#: ../../configuration/vpn/site2site_ipsec.rst:335 +msgid "**RIGHT**" +msgstr "**RIGHT**" + +#: ../../configuration/vpn/site2site_ipsec.rst:289 +msgid "**RIGHT:** * WAN interface on `eth0.202` * `eth0.201` interface IP: `172.18.202.10/24` * `vti10` interface IP: `10.0.0.3/31` * `dum0` interface IP: `10.0.12.1/24` (for testing purposes)" +msgstr "**RIGHT:** * WAN interface on `eth0.202` * `eth0.201` interface IP: `172.18.202.10/24` * `vti10` interface IP: `10.0.0.3/31` * `dum0` interface IP: `10.0.12.1/24` (for testing purposes)" +  #: ../../configuration/protocols/bgp.rst:113  msgid "**Router-ID check**"  msgstr "**Router-ID check**" 
@@ -2619,7 +2635,7 @@ msgstr "Before enabling any hardware segmentation offload a corresponding softwa  msgid "Before you are able to apply a rule-set to a zone you have to create the zones first."  msgstr "Before you are able to apply a rule-set to a zone you have to create the zones first." -#: ../../configuration/vpn/site2site_ipsec.rst:392 +#: ../../configuration/vpn/site2site_ipsec.rst:413  msgid "Below flow-chart could be a quick reference for the close-action combination depending on how the peer is configured."  msgstr "Below flow-chart could be a quick reference for the close-action combination depending on how the peer is configured." @@ -4609,7 +4625,7 @@ msgstr "Don't forget, the CIDR declared in the network statement **MUST exist in  msgid "Don't forget, the CIDR declared in the network statement MUST **exist in your routing table (dynamic or static), the best way to make sure that is true is creating a static route:**"  msgstr "Don't forget, the CIDR declared in the network statement MUST **exist in your routing table (dynamic or static), the best way to make sure that is true is creating a static route:**" -#: ../../configuration/vpn/site2site_ipsec.rst:284 +#: ../../configuration/vpn/site2site_ipsec.rst:295  msgid "Don't get confused about the used /31 tunnel subnet. :rfc:`3021` gives you additional information for using /31 subnets on point-to-point links."  msgstr "Don't get confused about the used /31 tunnel subnet. :rfc:`3021` gives you additional information for using /31 subnets on point-to-point links." 
@@ -7636,6 +7652,10 @@ msgstr "In addition you can also disable the whole service without the need to r  msgid "In addition you will specifiy the IP address or FQDN for the client where it will connect to. The address parameter can be used up to two times and is used to assign the clients specific IPv4 (/32) or IPv6 (/128) address."  msgstr "In addition you will specifiy the IP address or FQDN for the client where it will connect to. The address parameter can be used up to two times and is used to assign the clients specific IPv4 (/32) or IPv6 (/128) address." +#: ../../configuration/interfaces/wireguard.rst:416 +msgid "In addition you will specify the IP address or FQDN for the client where it will connect to. The address parameter can be used up to two times and is used to assign the clients specific IPv4 (/32) or IPv6 (/128) address." +msgstr "In addition you will specify the IP address or FQDN for the client where it will connect to. The address parameter can be used up to two times and is used to assign the clients specific IPv4 (/32) or IPv6 (/128) address." +  #: ../../configuration/firewall/general.rst:194  #: ../../configuration/firewall/general-legacy.rst:170  msgid "In an **address group** a single IP address or IP address ranges are defined." @@ -7997,7 +8017,7 @@ msgstr "Instead of sending the real system hostname to the DHCP server, overwrit  msgid "Integrity – Message integrity to ensure that a packet has not been tampered while in transit including an optional packet replay protection mechanism."  msgstr "Integrity – Message integrity to ensure that a packet has not been tampered while in transit including an optional packet replay protection mechanism." -#: ../../configuration/interfaces/wireless.rst:600 +#: ../../configuration/interfaces/wireless.rst:602  msgid "Intel AX200"  msgstr "Intel AX200" 
@@ -8238,7 +8258,7 @@ msgstr "Key Generation"  msgid "Key Management"  msgstr "Key Management" -#: ../../configuration/vpn/site2site_ipsec.rst:353 +#: ../../configuration/vpn/site2site_ipsec.rst:374  msgid "Key Parameters:"  msgstr "Key Parameters:" @@ -10952,7 +10972,7 @@ msgstr "Restarts the DNS recursor process. This also invalidates the local DNS f  #: ../../configuration/interfaces/wireless.rst:315  #: ../../configuration/interfaces/wireless.rst:369 -#: ../../configuration/interfaces/wireless.rst:566 +#: ../../configuration/interfaces/wireless.rst:567  msgid "Resulting in"  msgstr "Resulting in" @@ -12463,7 +12483,7 @@ msgstr "Sierra Wireless AirPrime MC7455 miniPCIe card (LTE)"  msgid "Sierra Wireless AirPrime MC7710 miniPCIe card (LTE)"  msgstr "Sierra Wireless AirPrime MC7710 miniPCIe card (LTE)" -#: ../../configuration/vpn/site2site_ipsec.rst:397 +#: ../../configuration/vpn/site2site_ipsec.rst:418  msgid "Similar combinations are applicable for the dead-peer-detection."  msgstr "Similar combinations are applicable for the dead-peer-detection." @@ -13325,7 +13345,7 @@ msgstr "The HTTP service listen on TCP port 80."  msgid "The IP address of the internal system we wish to forward traffic to."  msgstr "The IP address of the internal system we wish to forward traffic to." -#: ../../configuration/interfaces/wireless.rst:602 +#: ../../configuration/interfaces/wireless.rst:604  msgid "The Intel AX200 card does not work out of the box in AP mode, see https://unix.stackexchange.com/questions/598275/intel-ax200-ap-mode. You can still put this card into AP mode using the following configuration:"  msgstr "The Intel AX200 card does not work out of the box in AP mode, see https://unix.stackexchange.com/questions/598275/intel-ax200-ap-mode. You can still put this card into AP mode using the following configuration:" 
@@ -16258,7 +16278,7 @@ msgstr "To forward all broadcast packets received on `UDP port 1900` on `eth3`,  msgid "To generate the CA, the server private key and certificates the following commands can be used."  msgstr "To generate the CA, the server private key and certificates the following commands can be used." -#: ../../configuration/interfaces/wireless.rst:592 +#: ../../configuration/interfaces/wireless.rst:594  msgid "To get it to work as an access point with this configuration you will need to set up a DHCP server to work with that network. You can - of course - also bridge the Wireless interface with any configured bridge (:ref:`bridge-interface`) on the system."  msgstr "To get it to work as an access point with this configuration you will need to set up a DHCP server to work with that network. You can - of course - also bridge the Wireless interface with any configured bridge (:ref:`bridge-interface`) on the system." 
@@ -18077,7 +18097,7 @@ msgstr "When starting a VyOS live system (the installation CD) the configured ke  msgid "When the DHCP server is considering dynamically allocating an IP address to a client, it first sends an ICMP Echo request (a ping) to the address being assigned. It waits for a second, and if no ICMP Echo response has been heard, it assigns the address."  msgstr "When the DHCP server is considering dynamically allocating an IP address to a client, it first sends an ICMP Echo request (a ping) to the address being assigned. It waits for a second, and if no ICMP Echo response has been heard, it assigns the address." -#: ../../configuration/vpn/site2site_ipsec.rst:386 +#: ../../configuration/vpn/site2site_ipsec.rst:407  msgid "When the close-action option is set on the peers, the connection-type of each peer has to considered carefully. For example, if the option is set on both peers, then both would attempt to initiate and hold open multiple copies of each child SA. This might lead to instability of the device or cpu/memory utilization."  msgstr "When the close-action option is set on the peers, the connection-type of each peer has to considered carefully. For example, if the option is set on both peers, then both would attempt to initiate and hold open multiple copies of each child SA. This might lead to instability of the device or cpu/memory utilization." 
@@ -18483,10 +18503,13 @@ msgid "You should add a firewall to your configuration above as well by assignin  msgstr "You should add a firewall to your configuration above as well by assigning it to the pppoe0 itself as shown here:"  #: ../../configuration/interfaces/openvpn.rst:227 -#: ../../configuration/interfaces/wireguard.rst:225  msgid "You should also ensure that the OUTISDE_LOCAL firewall group is applied to the WAN interface and a direction (local)."  msgstr "You should also ensure that the OUTISDE_LOCAL firewall group is applied to the WAN interface and a direction (local)." +#: ../../configuration/interfaces/wireguard.rst:225 +msgid "You should also ensure that the OUTSIDE_LOCAL firewall group is applied to the WAN interface and a direction (local)." +msgstr "You should also ensure that the OUTSIDE_LOCAL firewall group is applied to the WAN interface and a direction (local)." +  #: ../../configuration/interfaces/wireguard.rst:136  msgid "You will also need the public key of your peer as well as the network(s) you want to tunnel (allowed-ips) to configure a WireGuard tunnel. The public key below is always the public key from your peer, not your local one."  msgstr "You will also need the public key of your peer as well as the network(s) you want to tunnel (allowed-ips) to configure a WireGuard tunnel. The public key below is always the public key from your peer, not your local one." 
@@ -19112,7 +19135,7 @@ msgstr "``all-available`` all checking target addresses must be available to pas  msgid "``any-available`` any of the checking target addresses must be available to pass this check"  msgstr "``any-available`` any of the checking target addresses must be available to pass this check" -#: ../../configuration/vpn/site2site_ipsec.rst:355 +#: ../../configuration/vpn/site2site_ipsec.rst:376  msgid "``authentication local-id/remote-id`` - IKE identification is used for validation of VPN peer devices during IKE negotiation. If you do not configure local/remote-identity, the device uses the IPv4 or IPv6 address that corresponds to the local/remote peer by default. In certain network setups (like ipsec interface with dynamic address, or behind the NAT ), the IKE ID received from the peer does not match the IKE gateway configured on the device. This can lead to a Phase 1 validation failure. So, make sure to configure the local/remote id explicitly and ensure that the IKE ID is the same as the remote-identity configured on the peer device."  msgstr "``authentication local-id/remote-id`` - IKE identification is used for validation of VPN peer devices during IKE negotiation. If you do not configure local/remote-identity, the device uses the IPv4 or IPv6 address that corresponds to the local/remote peer by default. In certain network setups (like ipsec interface with dynamic address, or behind the NAT ), the IKE ID received from the peer does not match the IKE gateway configured on the device. This can lead to a Phase 1 validation failure. So, make sure to configure the local/remote id explicitly and ensure that the IKE ID is the same as the remote-identity configured on the peer device." 
@@ -19168,7 +19191,7 @@ msgstr "``cert-file`` - certificate file, which will be used for authenticating  msgid "``clear`` set action to clear;"  msgstr "``clear`` set action to clear;" -#: ../../configuration/vpn/site2site_ipsec.rst:381 +#: ../../configuration/vpn/site2site_ipsec.rst:402  msgid "``close-action = none | clear | hold | restart`` - defines the action to take if the remote peer unexpectedly closes a CHILD_SA (see above for meaning of values). A closeaction should not be used if the peer uses reauthentication or uniqueids."  msgstr "``close-action = none | clear | hold | restart`` - defines the action to take if the remote peer unexpectedly closes a CHILD_SA (see above for meaning of values). A closeaction should not be used if the peer uses reauthentication or uniqueids." 
@@ -19200,7 +19223,7 @@ msgstr "``crl-file`` - file with the Certificate Revocation List. Using to check  msgid "``d`` - Execution interval in days"  msgstr "``d`` - Execution interval in days" -#: ../../configuration/vpn/site2site_ipsec.rst:370 +#: ../../configuration/vpn/site2site_ipsec.rst:391  msgid "``dead-peer-detection action = clear | hold | restart`` - R_U_THERE notification messages(IKEv1) or empty INFORMATIONAL messages (IKEv2) are periodically sent in order to check the liveliness of the IPsec peer. The values clear, hold, and restart all activate DPD and determine the action to perform on a timeout. With ``clear`` the connection is closed with no further actions taken. ``hold`` installs a trap policy, which will catch matching traffic and tries to re-negotiate the connection on demand. ``restart`` will immediately trigger an attempt to re-negotiate the connection."  msgstr "``dead-peer-detection action = clear | hold | restart`` - R_U_THERE notification messages(IKEv1) or empty INFORMATIONAL messages (IKEv2) are periodically sent in order to check the liveliness of the IPsec peer. The values clear, hold, and restart all activate DPD and determine the action to perform on a timeout. With ``clear`` the connection is closed with no further actions taken. ``hold`` installs a trap policy, which will catch matching traffic and tries to re-negotiate the connection on demand. ``restart`` will immediately trigger an attempt to re-negotiate the connection." 
@@ -19232,7 +19255,7 @@ msgstr "``dhcp-interface`` - use an IP address, received from DHCP for IPSec con  msgid "``disable-mobike`` disables MOBIKE Support. MOBIKE is only available for IKEv2 and enabled by default."  msgstr "``disable-mobike`` disables MOBIKE Support. MOBIKE is only available for IKEv2 and enabled by default." -#: ../../configuration/vpn/site2site_ipsec.rst:366 +#: ../../configuration/vpn/site2site_ipsec.rst:387  msgid "``disable-route-autoinstall`` - This option when configured disables the routes installed in the default table 220 for site-to-site ipsec. It is mostly used with VTI configuration."  msgstr "``disable-route-autoinstall`` - This option when configured disables the routes installed in the default table 220 for site-to-site ipsec. It is mostly used with VTI configuration." diff --git a/docs/changelog/1.3.rst b/docs/changelog/1.3.rst index dc9c3414..7e84dbff 100644 --- a/docs/changelog/1.3.rst +++ b/docs/changelog/1.3.rst @@ -8,6 +8,27 @@     _ext/releasenotes.py +2023-10-21 +========== + +* :vytask:`T5670` ``(bug): bridge: missing member interface validator`` +* :vytask:`T5191` ``(default): Replace underscores with hyphens in command-line options generated by vyos.opmode`` +* :vytask:`T4402` ``(bug): OpenVPN client-ip-pool option is broken`` +* :vytask:`T2719` ``(feature): Standardized op mode script structure`` + + +2023-10-19 +========== + +* :vytask:`T5669` ``(bug): VXLAN interface changing port does not work`` + + +2023-10-17 +========== + +* :vytask:`T5235` ``(bug): SSH keys with special characters cannot be applied via Cloud-init`` + +  2023-10-08  ========== @@ -229,12 +250,6 @@  * :vytask:`T5313` ``(bug): UDP broadcast relay - missing verify() that relay interfaces have an IP address assigned`` -2023-06-28 -========== - -* :vytask:`T1237` ``(feature): Static Route Path Monitoring, failover`` - -  2023-06-26  ========== diff --git a/docs/changelog/1.4.rst b/docs/changelog/1.4.rst index 86fec4d4..7c7cf59e 100644 
--- a/docs/changelog/1.4.rst +++ b/docs/changelog/1.4.rst 
@@ -8,6 +8,101 @@     _ext/releasenotes.py +2023-10-22 +========== + +* :vytask:`T5254` ``(bug): Modification of any interface setting sets MTU back to default when MTU has been inherited from a bond`` +* :vytask:`T5671` ``(feature): vxlan: change port to IANA assigned default port`` + + +2023-10-21 +========== + +* :vytask:`T5670` ``(bug): bridge: missing member interface validator`` +* :vytask:`T5617` ``(feature): Add an option to exclude single values to the numeric validator`` +* :vytask:`T5414` ``(bug): dhcp-server does not allow valid bootfile-names`` +* :vytask:`T5261` ``(feature): Add AWS gateway load-balanceing tunnel handler (gwlbtun)`` +* :vytask:`T5260` ``(bug): Python3 module crypt is deprecated`` +* :vytask:`T5191` ``(default): Replace underscores with hyphens in command-line options generated by vyos.opmode`` +* :vytask:`T5172` ``(default): Set Python3 version dependency for vyos-1x to 3.10`` +* :vytask:`T4956` ``(default): 'show hardware cpu' issue on arm64`` +* :vytask:`T4837` ``(default): Expose "show ip route summary" in the op mode API`` +* :vytask:`T4770` ``(feature): Rewrite OpenVPN op-mode to vyos.opmode format`` +* :vytask:`T4657` ``(bug): op-mode scripts with type hints in `return` do not work`` +* :vytask:`T4604` ``(bug): bgpd eats huge amount of memory (about 500Megs a day)`` +* :vytask:`T4432` ``(default): Display load average normalized according to the number of CPU cores`` +* :vytask:`T4416` ``(default): Convert 'traceroute' operation to the new syntax and expand available options using python`` +* :vytask:`T4402` ``(bug): OpenVPN client-ip-pool option is broken`` +* :vytask:`T3433` ``(default): A review of the use of racist language in VyOS`` +* :vytask:`T2719` ``(feature): Standardized op mode script structure`` + + +2023-10-20 +========== + +* :vytask:`T5233` ``(bug): Op-mode flow-accounting netflow with disable-imt errors`` +* :vytask:`T5232` ``(bug): Flow-accounting uacctd.service cannot restart correctly`` + + +2023-10-19 
+========== + +* :vytask:`T4913` ``(default): Rewrite the wireless op mode in the new style`` + + +2023-10-18 +========== + +* :vytask:`T5642` ``(bug): op cmd: generate tech-support archive: does not work`` +* :vytask:`T5521` ``(bug): Home owner directory changed to vyos for the user after reboot`` + + +2023-10-17 +========== + +* :vytask:`T5662` ``(bug): Fix indexing error in configdep script organization`` +* :vytask:`T5235` ``(bug): SSH keys with special characters cannot be applied via Cloud-init`` + + +2023-10-16 +========== + +* :vytask:`T5165` ``(feature): Policy local-route ability set protocol and port`` + + +2023-10-14 +========== + +* :vytask:`T5629` ``(bug): Policy local-route bug after migration to destination node address`` + + +2023-10-13 +========== + +* :vytask:`T5227` ``(feature): mDNS reflector should allow additional domains to browse and allow filtering services`` +* :vytask:`T5166` ``(feature): Remove local minisign package from build repo for 1.4`` +* :vytask:`T5118` ``(bug): Cleanup vestigial ntp completion script`` +* :vytask:`T5115` ``(default): Support custom port for name servers for forwarding zones`` +* :vytask:`T5113` ``(default): PDNS: Support custom port for DNS forwarders`` +* :vytask:`T5112` ``(feature): Enable support for Network Time Security (NTS) for chrony`` +* :vytask:`T5143` ``(enhancment): Apply constraint on powerdns forward-zones configuration`` + + +2023-10-12 +========== + +* :vytask:`T5649` ``(bug): vyos-1x should generate XML cache after building command templates for less cryptic error on typo`` + + +2023-10-10 +========== + +* :vytask:`T5489` ``(feature): Change to BBR as TCP congestion control, or at least make it an config option`` +* :vytask:`T5479` ``(bug): Helper leftovers found in nftables (firewall) even with all helpers disabled`` +* :vytask:`T5436` ``(bug): vyos-preconfig-bootup.script is missing`` +* :vytask:`T5014` ``(feature): Destination NAT - Add Load Balancing capabilities`` + +  2023-10-08  
========== diff --git a/docs/changelog/1.5.rst b/docs/changelog/1.5.rst index a91af953..2583fcfe 100644 --- a/docs/changelog/1.5.rst +++ b/docs/changelog/1.5.rst @@ -8,6 +8,72 @@     _ext/releasenotes.py +2023-10-22 +========== + +* :vytask:`T5254` ``(bug): Modification of any interface setting sets MTU back to default when MTU has been inherited from a bond`` +* :vytask:`T5671` ``(feature): vxlan: change port to IANA assigned default port`` + + +2023-10-21 +========== + +* :vytask:`T5670` ``(bug): bridge: missing member interface validator`` +* :vytask:`T5617` ``(feature): Add an option to exclude single values to the numeric validator`` + + +2023-10-20 +========== + +* :vytask:`T5233` ``(bug): Op-mode flow-accounting netflow with disable-imt errors`` +* :vytask:`T5232` ``(bug): Flow-accounting uacctd.service cannot restart correctly`` + + +2023-10-19 +========== + +* :vytask:`T4913` ``(default): Rewrite the wireless op mode in the new style`` + + +2023-10-18 +========== + +* :vytask:`T5642` ``(bug): op cmd: generate tech-support archive: does not work`` +* :vytask:`T5521` ``(bug): Home owner directory changed to vyos for the user after reboot`` + + +2023-10-17 +========== + +* :vytask:`T5662` ``(bug): Fix indexing error in configdep script organization`` +* :vytask:`T5644` ``(bug): Firewall groups deletion can break config`` + + +2023-10-16 +========== + +* :vytask:`T5165` ``(feature): Policy local-route ability set protocol and port`` + + +2023-10-14 +========== + +* :vytask:`T5629` ``(bug): Policy local-route bug after migration to destination node address`` + + +2023-10-12 +========== + +* :vytask:`T5649` ``(bug): vyos-1x should generate XML cache after building command templates for less cryptic error on typo`` + + +2023-10-10 +========== + +* :vytask:`T5589` ``(bug): Nonstripped binaries exists in VyOS`` +* :vytask:`T5489` ``(feature): Change to BBR as TCP congestion control, or at least make it an config option`` + +  2023-10-08  ========== 
diff --git a/docs/configuration/interfaces/wireguard.rst b/docs/configuration/interfaces/wireguard.rst index 8b829b64..885720e1 100644 --- a/docs/configuration/interfaces/wireguard.rst +++ b/docs/configuration/interfaces/wireguard.rst @@ -222,7 +222,7 @@ firewall exception.      set firewall ipv4 name OUTSIDE_LOCAL rule 20 protocol udp      set firewall ipv4 name OUTSIDE_LOCAL rule 20 source -You should also ensure that the OUTISDE_LOCAL firewall group is applied to the +You should also ensure that the OUTSIDE_LOCAL firewall group is applied to the  WAN interface and a direction (local).  .. code-block:: none @@ -413,7 +413,7 @@ the VyOS CLI.    into the VyOS CLI if needed. The supplied ``<name>`` on the CLI will become    the peer name in the snippet. -  In addition you will specifiy the IP address or FQDN for the client where it +  In addition you will specify the IP address or FQDN for the client where it    will connect to. The address parameter can be used up to two times and is used    to assign the clients specific IPv4 (/32) or IPv6 (/128) address. diff --git a/docs/configuration/interfaces/wireless.rst b/docs/configuration/interfaces/wireless.rst index e853a1ec..df153763 100644 --- a/docs/configuration/interfaces/wireless.rst +++ b/docs/configuration/interfaces/wireless.rst @@ -562,6 +562,7 @@ The WAP in this example has the following characteristics:    set interfaces wireless wlan0 security wpa mode wpa2    set interfaces wireless wlan0 security wpa cipher CCMP    set interfaces wireless wlan0 security wpa passphrase '12345678' +  set interfaces wireless wlan0 country-code de  Resulting in @@ -572,6 +573,7 @@ Resulting in      wireless wlan0 {            address 192.168.2.1/24            channel 1 +          country-code de            mode n            security {                wpa { diff --git a/docs/configuration/nat/nat44.rst b/docs/configuration/nat/nat44.rst index c660f8f4..b42c6cfe 100644 --- a/docs/configuration/nat/nat44.rst 
+++ b/docs/configuration/nat/nat44.rst @@ -148,23 +148,35 @@ rule.  * **outbound-interface** - applicable only to :ref:`source-nat`. It    configures the interface which is used for the outside traffic that -  this translation rule applies to. +  this translation rule applies to. Interface groups, inverted +  selection and wildcard, are also supported. -  Example: +  Examples:    .. code-block:: none -    set nat source rule 20 outbound-interface eth0 +    set nat source rule 20 outbound-interface name eth0 +    set nat source rule 30 outbound-interface name bond1* +    set nat source rule 20 outbound-interface name !vtun2 +    set nat source rule 20 outbound-interface group GROUP1 +    set nat source rule 20 outbound-interface group !GROUP2 +  * **inbound-interface** - applicable only to :ref:`destination-nat`. It    configures the interface which is used for the inside traffic the -  translation rule applies to. +  translation rule applies to. Interface groups, inverted +  selection and wildcard, are also supported.    Example:    .. code-block:: none -    set nat destination rule 20 inbound-interface eth1 +    set nat destination rule 20 inbound-interface name eth0 +    set nat destination rule 30 inbound-interface name bond1* +    set nat destination rule 20 inbound-interface name !vtun2 +    set nat destination rule 20 inbound-interface group GROUP1 +    set nat destination rule 20 inbound-interface group !GROUP2 +  * **protocol** - specify which types of protocols this translation rule    applies to. Only packets matching the specified protocol are NATed. @@ -323,7 +335,7 @@ demonstrate the following configuration:  .. code-block:: none -  set nat source rule 100 outbound-interface 'eth0' +  set nat source rule 100 outbound-interface name 'eth0'    set nat source rule 100 source address '192.168.0.0/24'    set nat source rule 100 translation address 'masquerade' 
@@ -332,7 +344,9 @@ Which generates the following configuration:  .. code-block:: none    rule 100 { -      outbound-interface eth0 +      outbound-interface { +          name eth0 +      }        source {            address 192.168.0.0/24        } @@ -424,19 +438,19 @@ Example:    set nat destination rule 100 description 'Regular destination NAT from external'    set nat destination rule 100 destination port '3389' -  set nat destination rule 100 inbound-interface 'pppoe0' +  set nat destination rule 100 inbound-interface name 'pppoe0'    set nat destination rule 100 protocol 'tcp'    set nat destination rule 100 translation address '192.0.2.40'    set nat destination rule 110 description 'NAT Reflection: INSIDE'    set nat destination rule 110 destination port '3389' -  set nat destination rule 110 inbound-interface 'eth0.10' +  set nat destination rule 110 inbound-interface name 'eth0.10'    set nat destination rule 110 protocol 'tcp'    set nat destination rule 110 translation address '192.0.2.40'    set nat source rule 110 description 'NAT Reflection: INSIDE'    set nat source rule 110 destination address '192.0.2.0/24' -  set nat source rule 110 outbound-interface 'eth0.10' +  set nat source rule 110 outbound-interface name 'eth0.10'    set nat source rule 110 protocol 'tcp'    set nat source rule 110 source address '192.0.2.0/24'    set nat source rule 110 translation address 'masquerade' @@ -452,7 +466,9 @@ Which results in a configuration of:             destination {                 port 3389             } -           inbound-interface pppoe0 +           inbound-interface { +               name pppoe0 +           }             protocol tcp             translation {                 address 192.0.2.40 
@@ -463,7 +479,9 @@ Which results in a configuration of:             destination {                 port 3389             } -           inbound-interface eth0.10 +           inbound-interface { +               name eth0.10 +           }             protocol tcp             translation {                 address 192.0.2.40 @@ -476,7 +494,9 @@ Which results in a configuration of:             destination {                 address 192.0.2.0/24             } -           outbound-interface eth0.10 +           outbound-interface { +               name eth0.10 +           }             protocol tcp             source {                 address 192.0.2.0/24 @@ -515,7 +535,7 @@ Our configuration commands would be:    set nat destination rule 10 description 'Port Forward: HTTP to 192.168.0.100'    set nat destination rule 10 destination port '80' -  set nat destination rule 10 inbound-interface 'eth0' +  set nat destination rule 10 inbound-interface name 'eth0'    set nat destination rule 10 protocol 'tcp'    set nat destination rule 10 translation address '192.168.0.100' @@ -530,7 +550,9 @@ Which would generate the following NAT destination configuration:                destination {                    port 80                } -              inbound-interface eth0 +              inbound-interface { +                  name eth0 +              }                protocol tcp                translation {                    address 192.168.0.100 
@@ -546,43 +568,45 @@ Which would generate the following NAT destination configuration:  This establishes our Port Forward rule, but if we created a firewall  policy it will likely block the traffic. -It is important to note that when creating firewall rules that the DNAT +Firewall rules for Destination NAT +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +It is important to note that when creating firewall rules, the DNAT  translation occurs **before** traffic traverses the firewall. In other  words, the destination address has already been translated to  192.168.0.100. -So in our firewall policy, we want to allow traffic coming in on the -outside interface, destined for TCP port 80 and the IP address of -192.168.0.100. +So in our firewall ruleset, we want to allow traffic which previously matched +a destination nat rule. In order to avoid creating many rules, one for each +destination nat rule, we can accept all **'dnat'** connections with one simple +rule, using ``connection-status`` matcher:  .. code-block:: none -  set firewall name OUTSIDE-IN rule 20 action 'accept' -  set firewall name OUTSIDE-IN rule 20 destination address '192.168.0.100' -  set firewall name OUTSIDE-IN rule 20 destination port '80' -  set firewall name OUTSIDE-IN rule 20 protocol 'tcp' -  set firewall name OUTSIDE-IN rule 20 state new 'enable' +  set firewall ipv4 forward filter rule 10 action accept +  set firewall ipv4 forward filter rule 10 connection-status nat destination +  set firewall ipv4 forward filter rule 10 state new enable  This would generate the following configuration:  .. 
code-block:: none -  rule 20 { -      action accept -      destination { -          address 192.168.0.100 -          port 80 -      } -      protocol tcp -      state { -          new enable +  ipv4 { +      forward { +          filter { +              rule 10 { +                  action accept +                  connection-status { +                      nat destination +                  } +                  state { +                      new enable +                  } +              } +          }        }    } -.. note:: - -  If you have configured the `INSIDE-OUT` policy, you will need to add -  additional rules to permit inbound NAT traffic.  1-to-1 NAT  ---------- @@ -610,10 +634,10 @@ and one external interface:    set interfaces ethernet eth1 description 'Outside interface'    set nat destination rule 2000 description '1-to-1 NAT example'    set nat destination rule 2000 destination address '192.0.2.30' -  set nat destination rule 2000 inbound-interface 'eth1' +  set nat destination rule 2000 inbound-interface name 'eth1'    set nat destination rule 2000 translation address '192.168.1.10'    set nat source rule 2000 description '1-to-1 NAT example' -  set nat source rule 2000 outbound-interface 'eth1' +  set nat source rule 2000 outbound-interface name 'eth1'    set nat source rule 2000 source address '192.168.1.10'    set nat source rule 2000 translation address '192.0.2.30' @@ -639,7 +663,7 @@ We will use source and destination address for hash generation.  .. code-block:: none -  set nat destination rule 10 inbound-interface eth0 +  set nat destination rule 10 inbound-interface inbound-interface eth0    set nat destination rule 10 protocol tcp    set nat destination rule 10 destination port 80    set nat destination rule 10 load-balance hash source-address 
@@ -655,7 +679,7 @@ We will generate the hash randomly.  .. code-block:: none -  set nat source rule 10 outbound-interface eth0 +  set nat source rule 10 outbound-interface name eth0    set nat source rule 10 source address 10.0.0.0/8    set nat source rule 10 load-balance hash random    set nat source rule 10 load-balance backend 192.0.2.251 weight 33 @@ -709,12 +733,10 @@ NAT Configuration    set nat source rule 110 description 'Internal to ASP'    set nat source rule 110 destination address '172.27.1.0/24' -  set nat source rule 110 outbound-interface 'any'    set nat source rule 110 source address '192.168.43.0/24'    set nat source rule 110 translation address '172.29.41.89'    set nat source rule 120 description 'Internal to ASP'    set nat source rule 120 destination address '10.125.0.0/16' -  set nat source rule 120 outbound-interface 'any'    set nat source rule 120 source address '192.168.43.0/24'    set nat source rule 120 translation address '172.29.41.89' diff --git a/docs/configuration/vpn/dmvpn.rst b/docs/configuration/vpn/dmvpn.rst index a85e03b4..7a4b81f7 100644 --- a/docs/configuration/vpn/dmvpn.rst +++ b/docs/configuration/vpn/dmvpn.rst @@ -190,7 +190,7 @@ Hub    set interfaces tunnel tun100 address '172.16.253.134/29'    set interfaces tunnel tun100 encapsulation 'gre' -  set interfaces tunnel tun100 local-ip '192.0.2.1' +  set interfaces tunnel tun100 source-address '192.0.2.1'    set interfaces tunnel tun100 enable-multicast    set interfaces tunnel tun100 parameters ip key '1' @@ -294,7 +294,7 @@ VyOS can also run in DMVPN spoke mode.    set interfaces ethernet eth0 address 'dhcp'    set interfaces tunnel tun100 address '172.16.253.133/29' -  set interfaces tunnel tun100 local-ip 0.0.0.0 +  set interfaces tunnel tun100 source-address 0.0.0.0    set interfaces tunnel tun100 encapsulation 'gre'    set interfaces tunnel tun100 enable-multicast    set interfaces tunnel tun100 parameters ip key '1' 
diff --git a/docs/configuration/vpn/site2site_ipsec.rst b/docs/configuration/vpn/site2site_ipsec.rst index 5f8e5263..2b3403f5 100644 --- a/docs/configuration/vpn/site2site_ipsec.rst +++ b/docs/configuration/vpn/site2site_ipsec.rst @@ -284,17 +284,31 @@ Imagine the following topology     IPSec IKEv2 site2site VPN (source ./draw.io/vpn_s2s_ikev2.drawio) +**LEFT:** +* WAN interface on `eth0.201` +* `eth0.201` interface IP: `172.18.201.10/24` +* `vti10` interface IP: `10.0.0.2/31` +* `dum0` interface IP: `10.0.11.1/24` (for testing purposes) + +**RIGHT:** +* WAN interface on `eth0.202` +* `eth0.201` interface IP: `172.18.202.10/24` +* `vti10` interface IP: `10.0.0.3/31` +* `dum0` interface IP: `10.0.12.1/24` (for testing purposes)  .. note:: Don't get confused about the used /31 tunnel subnet. :rfc:`3021`     gives you additional information for using /31 subnets on point-to-point     links. -**left** +**LEFT**  .. code-block:: none +  set interfaces ethernet eth0 vif 201 address '172.18.201.10/24' +  set interfaces dummy dum0 address '10.0.11.1/24'    set interfaces vti vti10 address '10.0.0.2/31' +  set vpn ipsec option disable-route-autoinstall    set vpn ipsec authentication psk OFFICE-B id '172.18.201.10'    set vpn ipsec authentication psk OFFICE-B id '172.18.202.10'    set vpn ipsec authentication psk OFFICE-B secret 'secretkey' 
@@ -315,17 +329,22 @@ Imagine the following topology    set vpn ipsec site-to-site peer OFFICE-B authentication remote-id '172.18.202.10'    set vpn ipsec site-to-site peer OFFICE-B connection-type 'respond'    set vpn ipsec site-to-site peer OFFICE-B ike-group 'IKEv2_DEFAULT' -  set vpn ipsec site-to-site peer OFFICE-B local-address '192.168.0.10' +  set vpn ipsec site-to-site peer OFFICE-B local-address '172.18.201.10'    set vpn ipsec site-to-site peer OFFICE-B remote-address '172.18.202.10'    set vpn ipsec site-to-site peer OFFICE-B vti bind 'vti10'    set vpn ipsec site-to-site peer OFFICE-B vti esp-group 'ESP_DEFAULT' -**right** +  set protocols static interface-route 10.0.12.0/24 next-hop-interface vti10 + +**RIGHT**  .. code-block:: none +  set interfaces ethernet eth0 vif 202 address '172.18.202.10/24' +  set interfaces dummy dum0 address '10.0.12.1/24'    set interfaces vti vti10 address '10.0.0.3/31' +  set vpn ipsec option disable-route-autoinstall    set vpn ipsec authentication psk OFFICE-A id '172.18.201.10'    set vpn ipsec authentication psk OFFICE-A id '172.18.202.10'    set vpn ipsec authentication psk OFFICE-A secret 'secretkey' @@ -354,6 +373,8 @@ Imagine the following topology    set vpn ipsec site-to-site peer OFFICE-A vti bind 'vti10'    set vpn ipsec site-to-site peer OFFICE-A vti esp-group 'ESP_DEFAULT' +  set protocols static interface-route 10.0.11.0/24 next-hop-interface vti10 +  Key Parameters:  * ``authentication local-id/remote-id`` - IKE identification is used for diff --git a/requirements.txt b/requirements.txt index 02303cc9..9ca1cac2 100644 --- a/requirements.txt +++ b/requirements.txt @@ -1,4 +1,4 @@ -urllib3==1.26.17 +urllib3==1.26.18  Sphinx==4.5.0  sphinx-rtd-theme==1.0.0  sphinx-autobuild==2021.3.14 | 
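Review bot: in docs/configuration/nat (the firewall example hunk just before `@@ -610,10 +634,10 @@`), the new `forward filter rule 10` accepts every new connection that has been destination-NATed, while the removed `rule 20` only matched `destination address 192.168.0.100`, `port 80` and `protocol tcp`. With this rule, what is reachable from outside is decided entirely by the `nat destination` rules, and the text around the example should say so or keep a destination/port match. The removed `.. note::` about the `INSIDE-OUT` policy also goes away without a replacement that tells readers with an existing forward ruleset that they still need this accept rule.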
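Review bot: in hunk `@@ -639,7 +663,7 @@` the added line reads `set nat destination rule 10 inbound-interface inbound-interface eth0`, which repeats the keyword instead of using the `name` form that the other hunks in this commit move to. It should presumably be `set nat destination rule 10 inbound-interface name eth0`, matching `set nat source rule 10 outbound-interface name eth0` in the next hunk.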
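Review bot: in hunk `@@ -709,12 +733,10 @@` the `outbound-interface 'any'` lines for source rules 110 and 120 are deleted rather than migrated, unlike the other examples, which become `outbound-interface name ...`. Please confirm that these rules still commit with no outbound interface set, and state in the surrounding text that leaving it out means the rule applies on every interface, so readers do not read the example as incomplete.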
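Review bot: in hunk `@@ -284,17 +284,31 @@` of site2site_ipsec.rst, the **RIGHT** list says the WAN interface is `eth0.202` but the next bullet gives the address for `eth0.201` (`172.18.202.10/24`). That looks like a copy-paste slip from the LEFT list and should be `eth0.202`, which matches the `vif 202` line added to the RIGHT configuration. Both bullet lists also follow `**LEFT:**` and `**RIGHT:**` with no blank line in between, so reStructuredText will fold the bullets into the same paragraph as the label (the regenerated .pot entries in this commit show exactly that single-line form). Add an empty line after each label.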
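Review bot: in hunks `@@ -315,17 +329,22 @@` and `@@ -354,6 +373,8 @@` the examples gain `set vpn ipsec option disable-route-autoinstall` together with a static `interface-route ... next-hop-interface vti10` on each side, but nothing in the visible text explains that the two belong together or why automatic route installation is turned off. A short sentence next to the examples or under "Key Parameters" would help. The rest of this commit updates examples to newer CLI syntax, so it is also worth checking that `set protocols static interface-route ... next-hop-interface` is still accepted by the release these docs target.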
