-rw-r--r--  .github/workflows/update-translations.yml  5
m---------  docs/_include/vyos-1x  0
-rw-r--r--  docs/_locale/de/LC_MESSAGES/configuration.mo  bin 1065889 -> 1067443 bytes
-rw-r--r--  docs/_locale/de/configuration.pot  51
-rw-r--r--  docs/_locale/en/LC_MESSAGES/configuration.mo  bin 1065850 -> 1067404 bytes
-rw-r--r--  docs/_locale/es/LC_MESSAGES/configuration.mo  bin 1146219 -> 1147773 bytes
-rw-r--r--  docs/_locale/es/configuration.pot  51
-rw-r--r--  docs/_locale/ja/LC_MESSAGES/configuration.mo  bin 1065837 -> 1067391 bytes
-rw-r--r--  docs/_locale/ja/configuration.pot  51
-rw-r--r--  docs/_locale/pt/LC_MESSAGES/configuration.mo  bin 1065858 -> 1067412 bytes
-rw-r--r--  docs/_locale/pt/configuration.pot  51
-rw-r--r--  docs/_locale/uk/LC_MESSAGES/configuration.mo  bin 1065927 -> 1067481 bytes
-rw-r--r--  docs/_locale/uk/configuration.pot  51
-rw-r--r--  docs/changelog/1.3.rst  28
-rw-r--r--  docs/changelog/1.4.rst  121
-rw-r--r--  docs/changelog/1.5.rst  102
-rw-r--r--  docs/configexamples/index.rst  1
-rw-r--r--  docs/configexamples/site-2-site-cisco.rst  177
-rw-r--r--  docs/configuration/interfaces/vxlan.rst  22
-rw-r--r--  docs/configuration/nat/nat44.rst  108
-rw-r--r--  docs/configuration/vpn/ipsec.rst  4
-rw-r--r--  docs/configuration/vpn/site2site_ipsec.rst  4
-rw-r--r--  docs/contributing/build-vyos.rst  18
-rw-r--r--  requirements.txt  2
24 files changed, 717 insertions, 130 deletions
diff --git a/.github/workflows/update-translations.yml b/.github/workflows/update-translations.yml
index dfb5dde4..3d70a6de 100644
--- a/.github/workflows/update-translations.yml
+++ b/.github/workflows/update-translations.yml
@@ -17,6 +17,11 @@ jobs:
with:
python-version: 3.x
+ - name: install lxml dependencies
+ run: |
+ sudo apt update
+ sudo apt install -y libxml2-dev libxslt-dev python3-lxml
+
- name: Install Dev Dependencies
run: |
python -m pip install --upgrade pip
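Review bot: the new step installs `python3-lxml` from apt, but the job runs on the interpreter selected by `python-version: 3.x` in the step above, which is a separate build from the distribution's python3, so check whether that package is picked up at all; the `libxml2-dev` and `libxslt-dev` headers are what a pip source build of lxml needs, and the apt package is likely dead weight next to them. Suggest keeping only the two `-dev` packages, using `sudo apt-get install -y` (the script-stable interface) instead of `apt`, and capitalising the step name to match `Install Dev Dependencies` below.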
diff --git a/docs/_include/vyos-1x b/docs/_include/vyos-1x
-Subproject c345f83ed46f5721757003fd4763186cfd7345e
+Subproject fd9e2c24e739fd327f860c45fa00241fd1acca7
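Review bot: the `docs/_include/vyos-1x` submodule pointer is advanced with nothing in the diff saying why. A submodule bump changes the interface definitions every generated command reference is built from, so the commit message should name which vyos-1x change the documentation needs, otherwise the next bisect of a broken page has nothing to go on.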
diff --git a/docs/_locale/de/LC_MESSAGES/configuration.mo b/docs/_locale/de/LC_MESSAGES/configuration.mo
index e300f5c4..0bbe8f6c 100644
--- a/docs/_locale/de/LC_MESSAGES/configuration.mo
+++ b/docs/_locale/de/LC_MESSAGES/configuration.mo
Binary files differ
diff --git a/docs/_locale/de/configuration.pot b/docs/_locale/de/configuration.pot
index d2dc913e..6641dd72 100644
--- a/docs/_locale/de/configuration.pot
+++ b/docs/_locale/de/configuration.pot
@@ -225,6 +225,14 @@ msgstr "**Important note on usage of terms:** The firewall makes use of the term
msgid "**Interface name**"
msgstr "**Interface name**"
+#: ../../configuration/vpn/site2site_ipsec.rst:299
+msgid "**LEFT**"
+msgstr "**LEFT**"
+
+#: ../../configuration/vpn/site2site_ipsec.rst:283
+msgid "**LEFT:** * WAN interface on `eth0.201` * `eth0.201` interface IP: `172.18.201.10/24` * `vti10` interface IP: `10.0.0.2/31` * `dum0` interface IP: `10.0.11.1/24` (for testing purposes)"
+msgstr "**LEFT:** * WAN interface on `eth0.201` * `eth0.201` interface IP: `172.18.201.10/24` * `vti10` interface IP: `10.0.0.2/31` * `dum0` interface IP: `10.0.11.1/24` (for testing purposes)"
+
#: ../../configuration/interfaces/vxlan.rst:214
msgid "**Leaf2 configuration:**"
msgstr "**Leaf2 configuration:**"
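Review bot: the new entry for site2site_ipsec.rst:283 carries the whole bullet list flattened into one msgid (`**LEFT:** * WAN interface on ... * ...`), which shows that the source rst has no blank line between the `**LEFT:**` paragraph and the list, so Sphinx renders it as one run-on paragraph. Add the blank line in docs/configuration/vpn/site2site_ipsec.rst and regenerate the .pot so each bullet becomes its own translatable string.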
@@ -401,6 +409,14 @@ msgstr "**RADIUS based IP pools (Framed-IP-Address)**"
msgid "**RADIUS sessions management DM/CoA**"
msgstr "**RADIUS sessions management DM/CoA**"
+#: ../../configuration/vpn/site2site_ipsec.rst:335
+msgid "**RIGHT**"
+msgstr "**RIGHT**"
+
+#: ../../configuration/vpn/site2site_ipsec.rst:289
+msgid "**RIGHT:** * WAN interface on `eth0.202` * `eth0.201` interface IP: `172.18.202.10/24` * `vti10` interface IP: `10.0.0.3/31` * `dum0` interface IP: `10.0.12.1/24` (for testing purposes)"
+msgstr "**RIGHT:** * WAN interface on `eth0.202` * `eth0.201` interface IP: `172.18.202.10/24` * `vti10` interface IP: `10.0.0.3/31` * `dum0` interface IP: `10.0.12.1/24` (for testing purposes)"
+
#: ../../configuration/protocols/bgp.rst:113
msgid "**Router-ID check**"
msgstr "**Router-ID check**"
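Review bot: the RIGHT entry (site2site_ipsec.rst:289) says the WAN interface is `eth0.202` but the next bullet assigns `172.18.202.10/24` to `eth0.201`; one of the two interface names is wrong and should be corrected in the source before it is propagated into every locale. The same flattened-list problem as the LEFT entry applies here.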
@@ -2619,7 +2635,7 @@ msgstr "Before enabling any hardware segmentation offload a corresponding softwa
msgid "Before you are able to apply a rule-set to a zone you have to create the zones first."
msgstr "Before you are able to apply a rule-set to a zone you have to create the zones first."
-#: ../../configuration/vpn/site2site_ipsec.rst:392
+#: ../../configuration/vpn/site2site_ipsec.rst:413
msgid "Below flow-chart could be a quick reference for the close-action combination depending on how the peer is configured."
msgstr "Below flow-chart could be a quick reference for the close-action combination depending on how the peer is configured."
@@ -4609,7 +4625,7 @@ msgstr "Don't forget, the CIDR declared in the network statement **MUST exist in
msgid "Don't forget, the CIDR declared in the network statement MUST **exist in your routing table (dynamic or static), the best way to make sure that is true is creating a static route:**"
msgstr "Don't forget, the CIDR declared in the network statement MUST **exist in your routing table (dynamic or static), the best way to make sure that is true is creating a static route:**"
-#: ../../configuration/vpn/site2site_ipsec.rst:284
+#: ../../configuration/vpn/site2site_ipsec.rst:295
msgid "Don't get confused about the used /31 tunnel subnet. :rfc:`3021` gives you additional information for using /31 subnets on point-to-point links."
msgstr "Don't get confused about the used /31 tunnel subnet. :rfc:`3021` gives you additional information for using /31 subnets on point-to-point links."
@@ -7636,6 +7652,10 @@ msgstr "In addition you can also disable the whole service without the need to r
msgid "In addition you will specifiy the IP address or FQDN for the client where it will connect to. The address parameter can be used up to two times and is used to assign the clients specific IPv4 (/32) or IPv6 (/128) address."
msgstr "In addition you will specifiy the IP address or FQDN for the client where it will connect to. The address parameter can be used up to two times and is used to assign the clients specific IPv4 (/32) or IPv6 (/128) address."
+#: ../../configuration/interfaces/wireguard.rst:416
+msgid "In addition you will specify the IP address or FQDN for the client where it will connect to. The address parameter can be used up to two times and is used to assign the clients specific IPv4 (/32) or IPv6 (/128) address."
+msgstr "In addition you will specify the IP address or FQDN for the client where it will connect to. The address parameter can be used up to two times and is used to assign the clients specific IPv4 (/32) or IPv6 (/128) address."
+
#: ../../configuration/firewall/general.rst:194
#: ../../configuration/firewall/general-legacy.rst:170
msgid "In an **address group** a single IP address or IP address ranges are defined."
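Review bot: the corrected sentence for wireguard.rst:416 is added, but the entry with the misspelling `specifiy` is kept directly above it, so the typo evidently still exists in another source page (its `#:` reference lies outside this hunk). Fix that occurrence too, otherwise the same sentence ships with two spellings and translators have two near-identical strings to maintain.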
@@ -7997,7 +8017,7 @@ msgstr "Instead of sending the real system hostname to the DHCP server, overwrit
msgid "Integrity – Message integrity to ensure that a packet has not been tampered while in transit including an optional packet replay protection mechanism."
msgstr "Integrity – Message integrity to ensure that a packet has not been tampered while in transit including an optional packet replay protection mechanism."
-#: ../../configuration/interfaces/wireless.rst:600
+#: ../../configuration/interfaces/wireless.rst:602
msgid "Intel AX200"
msgstr "Intel AX200"
@@ -8238,7 +8258,7 @@ msgstr "Key Generation"
msgid "Key Management"
msgstr "Key Management"
-#: ../../configuration/vpn/site2site_ipsec.rst:353
+#: ../../configuration/vpn/site2site_ipsec.rst:374
msgid "Key Parameters:"
msgstr "Key Parameters:"
@@ -10952,7 +10972,7 @@ msgstr "Restarts the DNS recursor process. This also invalidates the local DNS f
#: ../../configuration/interfaces/wireless.rst:315
#: ../../configuration/interfaces/wireless.rst:369
-#: ../../configuration/interfaces/wireless.rst:566
+#: ../../configuration/interfaces/wireless.rst:567
msgid "Resulting in"
msgstr "Resulting in"
@@ -12463,7 +12483,7 @@ msgstr "Sierra Wireless AirPrime MC7455 miniPCIe card (LTE)"
msgid "Sierra Wireless AirPrime MC7710 miniPCIe card (LTE)"
msgstr "Sierra Wireless AirPrime MC7710 miniPCIe card (LTE)"
-#: ../../configuration/vpn/site2site_ipsec.rst:397
+#: ../../configuration/vpn/site2site_ipsec.rst:418
msgid "Similar combinations are applicable for the dead-peer-detection."
msgstr "Similar combinations are applicable for the dead-peer-detection."
@@ -13325,7 +13345,7 @@ msgstr "The HTTP service listen on TCP port 80."
msgid "The IP address of the internal system we wish to forward traffic to."
msgstr "The IP address of the internal system we wish to forward traffic to."
-#: ../../configuration/interfaces/wireless.rst:602
+#: ../../configuration/interfaces/wireless.rst:604
msgid "The Intel AX200 card does not work out of the box in AP mode, see https://unix.stackexchange.com/questions/598275/intel-ax200-ap-mode. You can still put this card into AP mode using the following configuration:"
msgstr "The Intel AX200 card does not work out of the box in AP mode, see https://unix.stackexchange.com/questions/598275/intel-ax200-ap-mode. You can still put this card into AP mode using the following configuration:"
@@ -16258,7 +16278,7 @@ msgstr "To forward all broadcast packets received on `UDP port 1900` on `eth3`,
msgid "To generate the CA, the server private key and certificates the following commands can be used."
msgstr "To generate the CA, the server private key and certificates the following commands can be used."
-#: ../../configuration/interfaces/wireless.rst:592
+#: ../../configuration/interfaces/wireless.rst:594
msgid "To get it to work as an access point with this configuration you will need to set up a DHCP server to work with that network. You can - of course - also bridge the Wireless interface with any configured bridge (:ref:`bridge-interface`) on the system."
msgstr "To get it to work as an access point with this configuration you will need to set up a DHCP server to work with that network. You can - of course - also bridge the Wireless interface with any configured bridge (:ref:`bridge-interface`) on the system."
@@ -18077,7 +18097,7 @@ msgstr "When starting a VyOS live system (the installation CD) the configured ke
msgid "When the DHCP server is considering dynamically allocating an IP address to a client, it first sends an ICMP Echo request (a ping) to the address being assigned. It waits for a second, and if no ICMP Echo response has been heard, it assigns the address."
msgstr "When the DHCP server is considering dynamically allocating an IP address to a client, it first sends an ICMP Echo request (a ping) to the address being assigned. It waits for a second, and if no ICMP Echo response has been heard, it assigns the address."
-#: ../../configuration/vpn/site2site_ipsec.rst:386
+#: ../../configuration/vpn/site2site_ipsec.rst:407
msgid "When the close-action option is set on the peers, the connection-type of each peer has to considered carefully. For example, if the option is set on both peers, then both would attempt to initiate and hold open multiple copies of each child SA. This might lead to instability of the device or cpu/memory utilization."
msgstr "When the close-action option is set on the peers, the connection-type of each peer has to considered carefully. For example, if the option is set on both peers, then both would attempt to initiate and hold open multiple copies of each child SA. This might lead to instability of the device or cpu/memory utilization."
@@ -18483,10 +18503,13 @@ msgid "You should add a firewall to your configuration above as well by assignin
msgstr "You should add a firewall to your configuration above as well by assigning it to the pppoe0 itself as shown here:"
#: ../../configuration/interfaces/openvpn.rst:227
-#: ../../configuration/interfaces/wireguard.rst:225
msgid "You should also ensure that the OUTISDE_LOCAL firewall group is applied to the WAN interface and a direction (local)."
msgstr "You should also ensure that the OUTISDE_LOCAL firewall group is applied to the WAN interface and a direction (local)."
+#: ../../configuration/interfaces/wireguard.rst:225
+msgid "You should also ensure that the OUTSIDE_LOCAL firewall group is applied to the WAN interface and a direction (local)."
+msgstr "You should also ensure that the OUTSIDE_LOCAL firewall group is applied to the WAN interface and a direction (local)."
+
#: ../../configuration/interfaces/wireguard.rst:136
msgid "You will also need the public key of your peer as well as the network(s) you want to tunnel (allowed-ips) to configure a WireGuard tunnel. The public key below is always the public key from your peer, not your local one."
msgstr "You will also need the public key of your peer as well as the network(s) you want to tunnel (allowed-ips) to configure a WireGuard tunnel. The public key below is always the public key from your peer, not your local one."
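Review bot: only the wireguard.rst:225 reference moves to the corrected `OUTSIDE_LOCAL` string while openvpn.rst:227 keeps `OUTISDE_LOCAL`. The OpenVPN page should get the same correction; a misspelt firewall group name in an example is not cosmetic, since a reader who copies it ends up with a name that does not match the group defined elsewhere in the same example.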
@@ -19112,7 +19135,7 @@ msgstr "``all-available`` all checking target addresses must be available to pas
msgid "``any-available`` any of the checking target addresses must be available to pass this check"
msgstr "``any-available`` any of the checking target addresses must be available to pass this check"
-#: ../../configuration/vpn/site2site_ipsec.rst:355
+#: ../../configuration/vpn/site2site_ipsec.rst:376
msgid "``authentication local-id/remote-id`` - IKE identification is used for validation of VPN peer devices during IKE negotiation. If you do not configure local/remote-identity, the device uses the IPv4 or IPv6 address that corresponds to the local/remote peer by default. In certain network setups (like ipsec interface with dynamic address, or behind the NAT ), the IKE ID received from the peer does not match the IKE gateway configured on the device. This can lead to a Phase 1 validation failure. So, make sure to configure the local/remote id explicitly and ensure that the IKE ID is the same as the remote-identity configured on the peer device."
msgstr "``authentication local-id/remote-id`` - IKE identification is used for validation of VPN peer devices during IKE negotiation. If you do not configure local/remote-identity, the device uses the IPv4 or IPv6 address that corresponds to the local/remote peer by default. In certain network setups (like ipsec interface with dynamic address, or behind the NAT ), the IKE ID received from the peer does not match the IKE gateway configured on the device. This can lead to a Phase 1 validation failure. So, make sure to configure the local/remote id explicitly and ensure that the IKE ID is the same as the remote-identity configured on the peer device."
@@ -19168,7 +19191,7 @@ msgstr "``cert-file`` - certificate file, which will be used for authenticating
msgid "``clear`` set action to clear;"
msgstr "``clear`` set action to clear;"
-#: ../../configuration/vpn/site2site_ipsec.rst:381
+#: ../../configuration/vpn/site2site_ipsec.rst:402
msgid "``close-action = none | clear | hold | restart`` - defines the action to take if the remote peer unexpectedly closes a CHILD_SA (see above for meaning of values). A closeaction should not be used if the peer uses reauthentication or uniqueids."
msgstr "``close-action = none | clear | hold | restart`` - defines the action to take if the remote peer unexpectedly closes a CHILD_SA (see above for meaning of values). A closeaction should not be used if the peer uses reauthentication or uniqueids."
@@ -19200,7 +19223,7 @@ msgstr "``crl-file`` - file with the Certificate Revocation List. Using to check
msgid "``d`` - Execution interval in days"
msgstr "``d`` - Execution interval in days"
-#: ../../configuration/vpn/site2site_ipsec.rst:370
+#: ../../configuration/vpn/site2site_ipsec.rst:391
msgid "``dead-peer-detection action = clear | hold | restart`` - R_U_THERE notification messages(IKEv1) or empty INFORMATIONAL messages (IKEv2) are periodically sent in order to check the liveliness of the IPsec peer. The values clear, hold, and restart all activate DPD and determine the action to perform on a timeout. With ``clear`` the connection is closed with no further actions taken. ``hold`` installs a trap policy, which will catch matching traffic and tries to re-negotiate the connection on demand. ``restart`` will immediately trigger an attempt to re-negotiate the connection."
msgstr "``dead-peer-detection action = clear | hold | restart`` - R_U_THERE notification messages(IKEv1) or empty INFORMATIONAL messages (IKEv2) are periodically sent in order to check the liveliness of the IPsec peer. The values clear, hold, and restart all activate DPD and determine the action to perform on a timeout. With ``clear`` the connection is closed with no further actions taken. ``hold`` installs a trap policy, which will catch matching traffic and tries to re-negotiate the connection on demand. ``restart`` will immediately trigger an attempt to re-negotiate the connection."
@@ -19232,7 +19255,7 @@ msgstr "``dhcp-interface`` - use an IP address, received from DHCP for IPSec con
msgid "``disable-mobike`` disables MOBIKE Support. MOBIKE is only available for IKEv2 and enabled by default."
msgstr "``disable-mobike`` disables MOBIKE Support. MOBIKE is only available for IKEv2 and enabled by default."
-#: ../../configuration/vpn/site2site_ipsec.rst:366
+#: ../../configuration/vpn/site2site_ipsec.rst:387
msgid "``disable-route-autoinstall`` - This option when configured disables the routes installed in the default table 220 for site-to-site ipsec. It is mostly used with VTI configuration."
msgstr "``disable-route-autoinstall`` - This option when configured disables the routes installed in the default table 220 for site-to-site ipsec. It is mostly used with VTI configuration."
diff --git a/docs/_locale/en/LC_MESSAGES/configuration.mo b/docs/_locale/en/LC_MESSAGES/configuration.mo
index db09832e..39936707 100644
--- a/docs/_locale/en/LC_MESSAGES/configuration.mo
+++ b/docs/_locale/en/LC_MESSAGES/configuration.mo
Binary files differ
diff --git a/docs/_locale/es/LC_MESSAGES/configuration.mo b/docs/_locale/es/LC_MESSAGES/configuration.mo
index b431bd09..01a535c8 100644
--- a/docs/_locale/es/LC_MESSAGES/configuration.mo
+++ b/docs/_locale/es/LC_MESSAGES/configuration.mo
Binary files differ
diff --git a/docs/_locale/es/configuration.pot b/docs/_locale/es/configuration.pot
index a05518ea..88324a87 100644
--- a/docs/_locale/es/configuration.pot
+++ b/docs/_locale/es/configuration.pot
@@ -225,6 +225,14 @@ msgstr "**Nota importante sobre el uso de términos:** El cortafuegos utiliza lo
msgid "**Interface name**"
msgstr "**Nombre de interfaz**"
+#: ../../configuration/vpn/site2site_ipsec.rst:299
+msgid "**LEFT**"
+msgstr "**LEFT**"
+
+#: ../../configuration/vpn/site2site_ipsec.rst:283
+msgid "**LEFT:** * WAN interface on `eth0.201` * `eth0.201` interface IP: `172.18.201.10/24` * `vti10` interface IP: `10.0.0.2/31` * `dum0` interface IP: `10.0.11.1/24` (for testing purposes)"
+msgstr "**LEFT:** * WAN interface on `eth0.201` * `eth0.201` interface IP: `172.18.201.10/24` * `vti10` interface IP: `10.0.0.2/31` * `dum0` interface IP: `10.0.11.1/24` (for testing purposes)"
+
#: ../../configuration/interfaces/vxlan.rst:214
msgid "**Leaf2 configuration:**"
msgstr "**Configuración hoja2:**"
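Review bot: in the Spanish .pot the new `**LEFT**` and `**LEFT:**` entries have an msgstr that is a verbatim copy of the English msgid (the `**RIGHT:**`, wireguard.rst:416 and OUTSIDE_LOCAL entries added further down in this file do the same), so the es build will show untranslated English as if it were a translation. Either leave the msgstr empty until the translation workflow fills it, or translate them, consistent with the neighbouring entries which are translated.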
@@ -401,6 +409,14 @@ msgstr "**Grupos de IP basados en RADIUS (dirección IP enmarcada)**"
msgid "**RADIUS sessions management DM/CoA**"
msgstr "**Administración de sesiones RADIUS DM/CoA**"
+#: ../../configuration/vpn/site2site_ipsec.rst:335
+msgid "**RIGHT**"
+msgstr "**RIGHT**"
+
+#: ../../configuration/vpn/site2site_ipsec.rst:289
+msgid "**RIGHT:** * WAN interface on `eth0.202` * `eth0.201` interface IP: `172.18.202.10/24` * `vti10` interface IP: `10.0.0.3/31` * `dum0` interface IP: `10.0.12.1/24` (for testing purposes)"
+msgstr "**RIGHT:** * WAN interface on `eth0.202` * `eth0.201` interface IP: `172.18.202.10/24` * `vti10` interface IP: `10.0.0.3/31` * `dum0` interface IP: `10.0.12.1/24` (for testing purposes)"
+
#: ../../configuration/protocols/bgp.rst:113
msgid "**Router-ID check**"
msgstr "** Verificación de ID de enrutador **"
@@ -2619,7 +2635,7 @@ msgstr "Antes de habilitar cualquier descarga de segmentación de hardware, se r
msgid "Before you are able to apply a rule-set to a zone you have to create the zones first."
msgstr "Antes de poder aplicar un conjunto de reglas a una zona, primero debe crear las zonas."
-#: ../../configuration/vpn/site2site_ipsec.rst:392
+#: ../../configuration/vpn/site2site_ipsec.rst:413
msgid "Below flow-chart could be a quick reference for the close-action combination depending on how the peer is configured."
msgstr "El siguiente diagrama de flujo podría ser una referencia rápida para la combinación de acción de cierre, según cómo esté configurado el par."
@@ -4609,7 +4625,7 @@ msgstr "No olvide, el CIDR declarado en la declaración de red **DEBE existir en
msgid "Don't forget, the CIDR declared in the network statement MUST **exist in your routing table (dynamic or static), the best way to make sure that is true is creating a static route:**"
msgstr "No olvide que el CIDR declarado en la declaración de red DEBE **existir en su tabla de enrutamiento (dinámico o estático), la mejor manera de asegurarse de que sea cierto es creando una ruta estática:**"
-#: ../../configuration/vpn/site2site_ipsec.rst:284
+#: ../../configuration/vpn/site2site_ipsec.rst:295
msgid "Don't get confused about the used /31 tunnel subnet. :rfc:`3021` gives you additional information for using /31 subnets on point-to-point links."
msgstr "No se confunda con la subred del túnel /31 utilizada. :rfc:`3021` le brinda información adicional para usar subredes /31 en enlaces punto a punto."
@@ -7636,6 +7652,10 @@ msgstr "Además también puedes deshabilitar todo el servicio sin necesidad de e
msgid "In addition you will specifiy the IP address or FQDN for the client where it will connect to. The address parameter can be used up to two times and is used to assign the clients specific IPv4 (/32) or IPv6 (/128) address."
msgstr "Además, especificará la dirección IP o FQDN del cliente al que se conectará. El parámetro de dirección se puede usar hasta dos veces y se usa para asignar direcciones IPv4 (/32) o IPv6 (/128) específicas a los clientes."
+#: ../../configuration/interfaces/wireguard.rst:416
+msgid "In addition you will specify the IP address or FQDN for the client where it will connect to. The address parameter can be used up to two times and is used to assign the clients specific IPv4 (/32) or IPv6 (/128) address."
+msgstr "In addition you will specify the IP address or FQDN for the client where it will connect to. The address parameter can be used up to two times and is used to assign the clients specific IPv4 (/32) or IPv6 (/128) address."
+
#: ../../configuration/firewall/general.rst:194
#: ../../configuration/firewall/general-legacy.rst:170
msgid "In an **address group** a single IP address or IP address ranges are defined."
@@ -7997,7 +8017,7 @@ msgstr "En lugar de enviar el nombre de host real del sistema al servidor DHCP,
msgid "Integrity – Message integrity to ensure that a packet has not been tampered while in transit including an optional packet replay protection mechanism."
msgstr "Integridad: integridad del mensaje para garantizar que un paquete no haya sido manipulado durante el tránsito, incluido un mecanismo opcional de protección de reproducción de paquetes."
-#: ../../configuration/interfaces/wireless.rst:600
+#: ../../configuration/interfaces/wireless.rst:602
msgid "Intel AX200"
msgstr "Intel AX200"
@@ -8238,7 +8258,7 @@ msgstr "Generación de claves"
msgid "Key Management"
msgstr "Gestión de claves"
-#: ../../configuration/vpn/site2site_ipsec.rst:353
+#: ../../configuration/vpn/site2site_ipsec.rst:374
msgid "Key Parameters:"
msgstr "Parámetros clave:"
@@ -10952,7 +10972,7 @@ msgstr "Reinicia el proceso de recurso de DNS. Esto también invalida el caché
#: ../../configuration/interfaces/wireless.rst:315
#: ../../configuration/interfaces/wireless.rst:369
-#: ../../configuration/interfaces/wireless.rst:566
+#: ../../configuration/interfaces/wireless.rst:567
msgid "Resulting in"
msgstr "Resultando en"
@@ -12463,7 +12483,7 @@ msgstr "Tarjeta miniPCIe (LTE) Sierra Wireless AirPrime MC7455"
msgid "Sierra Wireless AirPrime MC7710 miniPCIe card (LTE)"
msgstr "Sierra Wireless AirPrime MC7710 tarjeta miniPCIe (LTE)"
-#: ../../configuration/vpn/site2site_ipsec.rst:397
+#: ../../configuration/vpn/site2site_ipsec.rst:418
msgid "Similar combinations are applicable for the dead-peer-detection."
msgstr "Se aplican combinaciones similares para la detección de pares muertos."
@@ -13325,7 +13345,7 @@ msgstr "El servicio HTTP escucha en el puerto TCP 80."
msgid "The IP address of the internal system we wish to forward traffic to."
msgstr "La dirección IP del sistema interno al que deseamos reenviar el tráfico."
-#: ../../configuration/interfaces/wireless.rst:602
+#: ../../configuration/interfaces/wireless.rst:604
msgid "The Intel AX200 card does not work out of the box in AP mode, see https://unix.stackexchange.com/questions/598275/intel-ax200-ap-mode. You can still put this card into AP mode using the following configuration:"
msgstr "La tarjeta Intel AX200 no funciona de fábrica en modo AP, consulte https://unix.stackexchange.com/questions/598275/intel-ax200-ap-mode. Todavía puede poner esta tarjeta en modo AP usando la siguiente configuración:"
@@ -16258,7 +16278,7 @@ msgstr "Para reenviar todos los paquetes de difusión recibidos en el "puer
msgid "To generate the CA, the server private key and certificates the following commands can be used."
msgstr "Para generar la CA, la clave privada del servidor y los certificados, se pueden utilizar los siguientes comandos."
-#: ../../configuration/interfaces/wireless.rst:592
+#: ../../configuration/interfaces/wireless.rst:594
msgid "To get it to work as an access point with this configuration you will need to set up a DHCP server to work with that network. You can - of course - also bridge the Wireless interface with any configured bridge (:ref:`bridge-interface`) on the system."
msgstr "Para que funcione como un punto de acceso con esta configuración, deberá configurar un servidor DHCP para que funcione con esa red. Por supuesto, también puede unir la interfaz inalámbrica con cualquier puente configurado (:ref:`bridge-interface`) en el sistema."
@@ -18077,7 +18097,7 @@ msgstr "Al iniciar un sistema VyOS en vivo (el CD de instalación), el diseño d
msgid "When the DHCP server is considering dynamically allocating an IP address to a client, it first sends an ICMP Echo request (a ping) to the address being assigned. It waits for a second, and if no ICMP Echo response has been heard, it assigns the address."
msgstr "Cuando el servidor DHCP está considerando asignar dinámicamente una dirección IP a un cliente, primero envía una solicitud de eco ICMP (un ping) a la dirección asignada. Espera un segundo y, si no se escucha ninguna respuesta de eco ICMP, asigna la dirección."
-#: ../../configuration/vpn/site2site_ipsec.rst:386
+#: ../../configuration/vpn/site2site_ipsec.rst:407
msgid "When the close-action option is set on the peers, the connection-type of each peer has to considered carefully. For example, if the option is set on both peers, then both would attempt to initiate and hold open multiple copies of each child SA. This might lead to instability of the device or cpu/memory utilization."
msgstr "Cuando la opción de acción de cierre se establece en los pares, el tipo de conexión de cada par debe considerarse cuidadosamente. Por ejemplo, si la opción está configurada en ambos pares, ambos intentarán iniciar y mantener abiertas varias copias de cada SA secundario. Esto podría conducir a la inestabilidad del dispositivo o la utilización de la CPU/memoria."
@@ -18483,10 +18503,13 @@ msgid "You should add a firewall to your configuration above as well by assignin
msgstr "También debe agregar un firewall a su configuración anterior asignándolo al propio pppoe0 como se muestra aquí:"
#: ../../configuration/interfaces/openvpn.rst:227
-#: ../../configuration/interfaces/wireguard.rst:225
msgid "You should also ensure that the OUTISDE_LOCAL firewall group is applied to the WAN interface and a direction (local)."
msgstr "También debe asegurarse de que el grupo de firewall OUTISDE_LOCAL se aplique a la interfaz WAN y una dirección (local)."
+#: ../../configuration/interfaces/wireguard.rst:225
+msgid "You should also ensure that the OUTSIDE_LOCAL firewall group is applied to the WAN interface and a direction (local)."
+msgstr "You should also ensure that the OUTSIDE_LOCAL firewall group is applied to the WAN interface and a direction (local)."
+
#: ../../configuration/interfaces/wireguard.rst:136
msgid "You will also need the public key of your peer as well as the network(s) you want to tunnel (allowed-ips) to configure a WireGuard tunnel. The public key below is always the public key from your peer, not your local one."
msgstr "También necesitará la clave pública de su par, así como la(s) red(es) que desea tunelizar (ips permitidas) para configurar un túnel WireGuard. La clave pública a continuación es siempre la clave pública de su par, no la local."
@@ -19112,7 +19135,7 @@ msgstr "``todas disponibles`` todas las direcciones de destino de verificación
msgid "``any-available`` any of the checking target addresses must be available to pass this check"
msgstr "``cualquiera disponible`` cualquiera de las direcciones de destino de verificación debe estar disponible para pasar esta verificación"
-#: ../../configuration/vpn/site2site_ipsec.rst:355
+#: ../../configuration/vpn/site2site_ipsec.rst:376
msgid "``authentication local-id/remote-id`` - IKE identification is used for validation of VPN peer devices during IKE negotiation. If you do not configure local/remote-identity, the device uses the IPv4 or IPv6 address that corresponds to the local/remote peer by default. In certain network setups (like ipsec interface with dynamic address, or behind the NAT ), the IKE ID received from the peer does not match the IKE gateway configured on the device. This can lead to a Phase 1 validation failure. So, make sure to configure the local/remote id explicitly and ensure that the IKE ID is the same as the remote-identity configured on the peer device."
msgstr "``authentication local-id/remote-id``: la identificación de IKE se utiliza para la validación de los dispositivos del mismo nivel de VPN durante la negociación de IKE. Si no configura la identidad local/remota, el dispositivo utiliza la dirección IPv4 o IPv6 que corresponde al par local/remoto de forma predeterminada. En ciertas configuraciones de red (como la interfaz ipsec con dirección dinámica o detrás de NAT), la ID de IKE recibida del par no coincide con la puerta de enlace IKE configurada en el dispositivo. Esto puede conducir a una falla de validación de Fase 1. Por lo tanto, asegúrese de configurar la identificación local/remota explícitamente y asegúrese de que la identificación IKE sea la misma que la identidad remota configurada en el dispositivo par."
@@ -19168,7 +19191,7 @@ msgstr "``cert-file``: archivo de certificado, que se usará para autenticar el
msgid "``clear`` set action to clear;"
msgstr "``borrar`` establece la acción para borrar;"
-#: ../../configuration/vpn/site2site_ipsec.rst:381
+#: ../../configuration/vpn/site2site_ipsec.rst:402
msgid "``close-action = none | clear | hold | restart`` - defines the action to take if the remote peer unexpectedly closes a CHILD_SA (see above for meaning of values). A closeaction should not be used if the peer uses reauthentication or uniqueids."
msgstr "``cierre-acción = ninguno | claro | espera | restart`` - define la acción a tomar si el par remoto cierra inesperadamente un CHILD_SA (ver arriba para el significado de los valores). No se debe usar una acción de cierre si el par usa reautenticación o identificadores únicos."
@@ -19200,7 +19223,7 @@ msgstr "``crl-file`` - archivo con la Lista de Revocación de Certificados. Uso
msgid "``d`` - Execution interval in days"
msgstr "``d`` - Intervalo de ejecución en días"
-#: ../../configuration/vpn/site2site_ipsec.rst:370
+#: ../../configuration/vpn/site2site_ipsec.rst:391
msgid "``dead-peer-detection action = clear | hold | restart`` - R_U_THERE notification messages(IKEv1) or empty INFORMATIONAL messages (IKEv2) are periodically sent in order to check the liveliness of the IPsec peer. The values clear, hold, and restart all activate DPD and determine the action to perform on a timeout. With ``clear`` the connection is closed with no further actions taken. ``hold`` installs a trap policy, which will catch matching traffic and tries to re-negotiate the connection on demand. ``restart`` will immediately trigger an attempt to re-negotiate the connection."
msgstr "``acción de detección de pares muertos = borrar | espera | reiniciar``: los mensajes de notificación R_U_THERE (IKEv1) o los mensajes INFORMATIVOS vacíos (IKEv2) se envían periódicamente para verificar la actividad del par IPsec. Los valores borrar, mantener y reiniciar activan DPD y determinan la acción a realizar en un tiempo de espera. Con ``clear`` la conexión se cierra sin que se realicen más acciones. ``hold`` instala una política de captura, que capturará el tráfico coincidente e intentará renegociar la conexión a pedido. ``reiniciar`` activará inmediatamente un intento de renegociar la conexión."
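Review bot: same keyword problem as the close-action entry: the msgstr renders ``dead-peer-detection action = clear | hold | restart`` as "``acción de detección de pares muertos = borrar | espera | reiniciar``" and later writes "``reiniciar``" for ``restart`` while keeping "``clear``" and "``hold``" in English. The config keywords and their values should be identical to the msgid everywhere; translate only the surrounding prose.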
@@ -19232,7 +19255,7 @@ msgstr "``dhcp-interface``: use una dirección IP, recibida de DHCP para la cone
msgid "``disable-mobike`` disables MOBIKE Support. MOBIKE is only available for IKEv2 and enabled by default."
msgstr "``disable-mobike`` disables MOBIKE Support. MOBIKE is only available for IKEv2 and enabled by default."
-#: ../../configuration/vpn/site2site_ipsec.rst:366
+#: ../../configuration/vpn/site2site_ipsec.rst:387
msgid "``disable-route-autoinstall`` - This option when configured disables the routes installed in the default table 220 for site-to-site ipsec. It is mostly used with VTI configuration."
msgstr "``disable-route-autoinstall``: esta opción, cuando se configura, deshabilita las rutas instaladas en la tabla predeterminada 220 para ipsec de sitio a sitio. Se utiliza sobre todo con la configuración de VTI."
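Review bot: the ``disable-mobike`` entry shown as context just above this change still carries the English source text as its msgstr in the es catalog. A copied-through msgstr is counted as translated by the tooling, so it hides the gap; either supply the Spanish translation or leave msgstr empty so the string is reported as untranslated.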
diff --git a/docs/_locale/ja/LC_MESSAGES/configuration.mo b/docs/_locale/ja/LC_MESSAGES/configuration.mo
index 336afc77..1716cef9 100644
--- a/docs/_locale/ja/LC_MESSAGES/configuration.mo
+++ b/docs/_locale/ja/LC_MESSAGES/configuration.mo
Binary files differ
diff --git a/docs/_locale/ja/configuration.pot b/docs/_locale/ja/configuration.pot
index 9f253648..b76eeeb0 100644
--- a/docs/_locale/ja/configuration.pot
+++ b/docs/_locale/ja/configuration.pot
@@ -225,6 +225,14 @@ msgstr "**Important note on usage of terms:** The firewall makes use of the term
msgid "**Interface name**"
msgstr "**Interface name**"
+#: ../../configuration/vpn/site2site_ipsec.rst:299
+msgid "**LEFT**"
+msgstr "**LEFT**"
+
+#: ../../configuration/vpn/site2site_ipsec.rst:283
+msgid "**LEFT:** * WAN interface on `eth0.201` * `eth0.201` interface IP: `172.18.201.10/24` * `vti10` interface IP: `10.0.0.2/31` * `dum0` interface IP: `10.0.11.1/24` (for testing purposes)"
+msgstr "**LEFT:** * WAN interface on `eth0.201` * `eth0.201` interface IP: `172.18.201.10/24` * `vti10` interface IP: `10.0.0.2/31` * `dum0` interface IP: `10.0.11.1/24` (for testing purposes)"
+
#: ../../configuration/interfaces/vxlan.rst:214
msgid "**Leaf2 configuration:**"
msgstr "**Leaf2 configuration:**"
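Review bot: the new msgid for site2site_ipsec.rst:283 runs the whole bullet list into one paragraph ("**LEFT:** * WAN interface on `eth0.201` * `eth0.201` interface IP: ..."), which means the .rst source has no blank line between the "**LEFT:**" line and the first "*" item, so Sphinx parses it as a single paragraph instead of a list. Insert a blank line after "**LEFT:**" in the source and regenerate; the catalogs will then get one short heading string plus one string per list item. The pt and uk catalogs carry the identical hunk and are fixed by the same source change.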
@@ -401,6 +409,14 @@ msgstr "**RADIUS based IP pools (Framed-IP-Address)**"
msgid "**RADIUS sessions management DM/CoA**"
msgstr "**RADIUS sessions management DM/CoA**"
+#: ../../configuration/vpn/site2site_ipsec.rst:335
+msgid "**RIGHT**"
+msgstr "**RIGHT**"
+
+#: ../../configuration/vpn/site2site_ipsec.rst:289
+msgid "**RIGHT:** * WAN interface on `eth0.202` * `eth0.201` interface IP: `172.18.202.10/24` * `vti10` interface IP: `10.0.0.3/31` * `dum0` interface IP: `10.0.12.1/24` (for testing purposes)"
+msgstr "**RIGHT:** * WAN interface on `eth0.202` * `eth0.201` interface IP: `172.18.202.10/24` * `vti10` interface IP: `10.0.0.3/31` * `dum0` interface IP: `10.0.12.1/24` (for testing purposes)"
+
#: ../../configuration/protocols/bgp.rst:113
msgid "**Router-ID check**"
msgstr "**Router-ID check**"
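Review bot: the RIGHT block at site2site_ipsec.rst:289 says "WAN interface on `eth0.202`" and then "`eth0.201` interface IP: `172.18.202.10/24`"; the interface name in the second item looks like a copy of the LEFT block and should be `eth0.202`, otherwise the example assigns the RIGHT WAN address to an interface that the RIGHT side does not use. It has the same flattened-list layout as the LEFT entry (missing blank line before the bullets). Fix both in the .rst and regenerate; the pt and uk catalogs contain the same hunk.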
@@ -2619,7 +2635,7 @@ msgstr "Before enabling any hardware segmentation offload a corresponding softwa
msgid "Before you are able to apply a rule-set to a zone you have to create the zones first."
msgstr "Before you are able to apply a rule-set to a zone you have to create the zones first."
-#: ../../configuration/vpn/site2site_ipsec.rst:392
+#: ../../configuration/vpn/site2site_ipsec.rst:413
msgid "Below flow-chart could be a quick reference for the close-action combination depending on how the peer is configured."
msgstr "Below flow-chart could be a quick reference for the close-action combination depending on how the peer is configured."
@@ -4609,7 +4625,7 @@ msgstr "Don't forget, the CIDR declared in the network statement **MUST exist in
msgid "Don't forget, the CIDR declared in the network statement MUST **exist in your routing table (dynamic or static), the best way to make sure that is true is creating a static route:**"
msgstr "Don't forget, the CIDR declared in the network statement MUST **exist in your routing table (dynamic or static), the best way to make sure that is true is creating a static route:**"
-#: ../../configuration/vpn/site2site_ipsec.rst:284
+#: ../../configuration/vpn/site2site_ipsec.rst:295
msgid "Don't get confused about the used /31 tunnel subnet. :rfc:`3021` gives you additional information for using /31 subnets on point-to-point links."
msgstr "Don't get confused about the used /31 tunnel subnet. :rfc:`3021` gives you additional information for using /31 subnets on point-to-point links."
@@ -7636,6 +7652,10 @@ msgstr "In addition you can also disable the whole service without the need to r
msgid "In addition you will specifiy the IP address or FQDN for the client where it will connect to. The address parameter can be used up to two times and is used to assign the clients specific IPv4 (/32) or IPv6 (/128) address."
msgstr "In addition you will specifiy the IP address or FQDN for the client where it will connect to. The address parameter can be used up to two times and is used to assign the clients specific IPv4 (/32) or IPv6 (/128) address."
+#: ../../configuration/interfaces/wireguard.rst:416
+msgid "In addition you will specify the IP address or FQDN for the client where it will connect to. The address parameter can be used up to two times and is used to assign the clients specific IPv4 (/32) or IPv6 (/128) address."
+msgstr "In addition you will specify the IP address or FQDN for the client where it will connect to. The address parameter can be used up to two times and is used to assign the clients specific IPv4 (/32) or IPv6 (/128) address."
+
#: ../../configuration/firewall/general.rst:194
#: ../../configuration/firewall/general-legacy.rst:170
msgid "In an **address group** a single IP address or IP address ranges are defined."
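Review bot: the corrected "specify" sentence is added as a new entry for wireguard.rst:416 while the old "specifiy" entry remains as unchanged context directly above it. If wireguard.rst was the only source of the misspelled string, the regeneration should have dropped the stale entry (msgmerge would mark it obsolete), so its survival suggests another source file still carries the typo; worth checking and fixing there too, otherwise translators maintain two copies of the same sentence.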
@@ -7997,7 +8017,7 @@ msgstr "Instead of sending the real system hostname to the DHCP server, overwrit
msgid "Integrity – Message integrity to ensure that a packet has not been tampered while in transit including an optional packet replay protection mechanism."
msgstr "Integrity – Message integrity to ensure that a packet has not been tampered while in transit including an optional packet replay protection mechanism."
-#: ../../configuration/interfaces/wireless.rst:600
+#: ../../configuration/interfaces/wireless.rst:602
msgid "Intel AX200"
msgstr "Intel AX200"
@@ -8238,7 +8258,7 @@ msgstr "Key Generation"
msgid "Key Management"
msgstr "Key Management"
-#: ../../configuration/vpn/site2site_ipsec.rst:353
+#: ../../configuration/vpn/site2site_ipsec.rst:374
msgid "Key Parameters:"
msgstr "Key Parameters:"
@@ -10952,7 +10972,7 @@ msgstr "Restarts the DNS recursor process. This also invalidates the local DNS f
#: ../../configuration/interfaces/wireless.rst:315
#: ../../configuration/interfaces/wireless.rst:369
-#: ../../configuration/interfaces/wireless.rst:566
+#: ../../configuration/interfaces/wireless.rst:567
msgid "Resulting in"
msgstr "Resulting in"
@@ -12463,7 +12483,7 @@ msgstr "Sierra Wireless AirPrime MC7455 miniPCIe card (LTE)"
msgid "Sierra Wireless AirPrime MC7710 miniPCIe card (LTE)"
msgstr "Sierra Wireless AirPrime MC7710 miniPCIe card (LTE)"
-#: ../../configuration/vpn/site2site_ipsec.rst:397
+#: ../../configuration/vpn/site2site_ipsec.rst:418
msgid "Similar combinations are applicable for the dead-peer-detection."
msgstr "Similar combinations are applicable for the dead-peer-detection."
@@ -13325,7 +13345,7 @@ msgstr "The HTTP service listen on TCP port 80."
msgid "The IP address of the internal system we wish to forward traffic to."
msgstr "The IP address of the internal system we wish to forward traffic to."
-#: ../../configuration/interfaces/wireless.rst:602
+#: ../../configuration/interfaces/wireless.rst:604
msgid "The Intel AX200 card does not work out of the box in AP mode, see https://unix.stackexchange.com/questions/598275/intel-ax200-ap-mode. You can still put this card into AP mode using the following configuration:"
msgstr "The Intel AX200 card does not work out of the box in AP mode, see https://unix.stackexchange.com/questions/598275/intel-ax200-ap-mode. You can still put this card into AP mode using the following configuration:"
@@ -16258,7 +16278,7 @@ msgstr "To forward all broadcast packets received on `UDP port 1900` on `eth3`,
msgid "To generate the CA, the server private key and certificates the following commands can be used."
msgstr "To generate the CA, the server private key and certificates the following commands can be used."
-#: ../../configuration/interfaces/wireless.rst:592
+#: ../../configuration/interfaces/wireless.rst:594
msgid "To get it to work as an access point with this configuration you will need to set up a DHCP server to work with that network. You can - of course - also bridge the Wireless interface with any configured bridge (:ref:`bridge-interface`) on the system."
msgstr "To get it to work as an access point with this configuration you will need to set up a DHCP server to work with that network. You can - of course - also bridge the Wireless interface with any configured bridge (:ref:`bridge-interface`) on the system."
@@ -18077,7 +18097,7 @@ msgstr "When starting a VyOS live system (the installation CD) the configured ke
msgid "When the DHCP server is considering dynamically allocating an IP address to a client, it first sends an ICMP Echo request (a ping) to the address being assigned. It waits for a second, and if no ICMP Echo response has been heard, it assigns the address."
msgstr "When the DHCP server is considering dynamically allocating an IP address to a client, it first sends an ICMP Echo request (a ping) to the address being assigned. It waits for a second, and if no ICMP Echo response has been heard, it assigns the address."
-#: ../../configuration/vpn/site2site_ipsec.rst:386
+#: ../../configuration/vpn/site2site_ipsec.rst:407
msgid "When the close-action option is set on the peers, the connection-type of each peer has to considered carefully. For example, if the option is set on both peers, then both would attempt to initiate and hold open multiple copies of each child SA. This might lead to instability of the device or cpu/memory utilization."
msgstr "When the close-action option is set on the peers, the connection-type of each peer has to considered carefully. For example, if the option is set on both peers, then both would attempt to initiate and hold open multiple copies of each child SA. This might lead to instability of the device or cpu/memory utilization."
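Review bot: only the line reference changes here, but the source sentence at site2site_ipsec.rst:407 reads "the connection-type of each peer has to considered carefully" (missing "be") and "instability of the device or cpu/memory utilization" (presumably "high cpu/memory utilization"). Fixing the wording in the .rst now will update the msgid in every locale on the next regeneration rather than leaving the grammar error shipped in all catalogs.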
@@ -18483,10 +18503,13 @@ msgid "You should add a firewall to your configuration above as well by assignin
msgstr "You should add a firewall to your configuration above as well by assigning it to the pppoe0 itself as shown here:"
#: ../../configuration/interfaces/openvpn.rst:227
-#: ../../configuration/interfaces/wireguard.rst:225
msgid "You should also ensure that the OUTISDE_LOCAL firewall group is applied to the WAN interface and a direction (local)."
msgstr "You should also ensure that the OUTISDE_LOCAL firewall group is applied to the WAN interface and a direction (local)."
+#: ../../configuration/interfaces/wireguard.rst:225
+msgid "You should also ensure that the OUTSIDE_LOCAL firewall group is applied to the WAN interface and a direction (local)."
+msgstr "You should also ensure that the OUTSIDE_LOCAL firewall group is applied to the WAN interface and a direction (local)."
+
#: ../../configuration/interfaces/wireguard.rst:136
msgid "You will also need the public key of your peer as well as the network(s) you want to tunnel (allowed-ips) to configure a WireGuard tunnel. The public key below is always the public key from your peer, not your local one."
msgstr "You will also need the public key of your peer as well as the network(s) you want to tunnel (allowed-ips) to configure a WireGuard tunnel. The public key below is always the public key from your peer, not your local one."
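Review bot: the OUTSIDE_LOCAL fix is only half applied: openvpn.rst:227 still references the misspelled "OUTISDE_LOCAL" entry, which is why the old string stays in the catalog as context. Either the OpenVPN page also means OUTSIDE_LOCAL, in which case correct it there too so the two entries merge back into one, or the example config on that page really defines a group with that spelling, in which case the prose and the example should at least be checked for consistency with each other.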
@@ -19112,7 +19135,7 @@ msgstr "``all-available`` all checking target addresses must be available to pas
msgid "``any-available`` any of the checking target addresses must be available to pass this check"
msgstr "``any-available`` any of the checking target addresses must be available to pass this check"
-#: ../../configuration/vpn/site2site_ipsec.rst:355
+#: ../../configuration/vpn/site2site_ipsec.rst:376
msgid "``authentication local-id/remote-id`` - IKE identification is used for validation of VPN peer devices during IKE negotiation. If you do not configure local/remote-identity, the device uses the IPv4 or IPv6 address that corresponds to the local/remote peer by default. In certain network setups (like ipsec interface with dynamic address, or behind the NAT ), the IKE ID received from the peer does not match the IKE gateway configured on the device. This can lead to a Phase 1 validation failure. So, make sure to configure the local/remote id explicitly and ensure that the IKE ID is the same as the remote-identity configured on the peer device."
msgstr "``authentication local-id/remote-id`` - IKE identification is used for validation of VPN peer devices during IKE negotiation. If you do not configure local/remote-identity, the device uses the IPv4 or IPv6 address that corresponds to the local/remote peer by default. In certain network setups (like ipsec interface with dynamic address, or behind the NAT ), the IKE ID received from the peer does not match the IKE gateway configured on the device. This can lead to a Phase 1 validation failure. So, make sure to configure the local/remote id explicitly and ensure that the IKE ID is the same as the remote-identity configured on the peer device."
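Review bot: cosmetic, but since this string is being re-referenced: the source at site2site_ipsec.rst:376 has a stray space in "behind the NAT )" and writes "ipsec interface" in lower case while the rest of the page uses "IPsec". Fixing it in the .rst keeps every locale's msgid in step.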
@@ -19168,7 +19191,7 @@ msgstr "``cert-file`` - certificate file, which will be used for authenticating
msgid "``clear`` set action to clear;"
msgstr "``clear`` set action to clear;"
-#: ../../configuration/vpn/site2site_ipsec.rst:381
+#: ../../configuration/vpn/site2site_ipsec.rst:402
msgid "``close-action = none | clear | hold | restart`` - defines the action to take if the remote peer unexpectedly closes a CHILD_SA (see above for meaning of values). A closeaction should not be used if the peer uses reauthentication or uniqueids."
msgstr "``close-action = none | clear | hold | restart`` - defines the action to take if the remote peer unexpectedly closes a CHILD_SA (see above for meaning of values). A closeaction should not be used if the peer uses reauthentication or uniqueids."
@@ -19200,7 +19223,7 @@ msgstr "``crl-file`` - file with the Certificate Revocation List. Using to check
msgid "``d`` - Execution interval in days"
msgstr "``d`` - Execution interval in days"
-#: ../../configuration/vpn/site2site_ipsec.rst:370
+#: ../../configuration/vpn/site2site_ipsec.rst:391
msgid "``dead-peer-detection action = clear | hold | restart`` - R_U_THERE notification messages(IKEv1) or empty INFORMATIONAL messages (IKEv2) are periodically sent in order to check the liveliness of the IPsec peer. The values clear, hold, and restart all activate DPD and determine the action to perform on a timeout. With ``clear`` the connection is closed with no further actions taken. ``hold`` installs a trap policy, which will catch matching traffic and tries to re-negotiate the connection on demand. ``restart`` will immediately trigger an attempt to re-negotiate the connection."
msgstr "``dead-peer-detection action = clear | hold | restart`` - R_U_THERE notification messages(IKEv1) or empty INFORMATIONAL messages (IKEv2) are periodically sent in order to check the liveliness of the IPsec peer. The values clear, hold, and restart all activate DPD and determine the action to perform on a timeout. With ``clear`` the connection is closed with no further actions taken. ``hold`` installs a trap policy, which will catch matching traffic and tries to re-negotiate the connection on demand. ``restart`` will immediately trigger an attempt to re-negotiate the connection."
@@ -19232,7 +19255,7 @@ msgstr "``dhcp-interface`` - use an IP address, received from DHCP for IPSec con
msgid "``disable-mobike`` disables MOBIKE Support. MOBIKE is only available for IKEv2 and enabled by default."
msgstr "``disable-mobike`` disables MOBIKE Support. MOBIKE is only available for IKEv2 and enabled by default."
-#: ../../configuration/vpn/site2site_ipsec.rst:366
+#: ../../configuration/vpn/site2site_ipsec.rst:387
msgid "``disable-route-autoinstall`` - This option when configured disables the routes installed in the default table 220 for site-to-site ipsec. It is mostly used with VTI configuration."
msgstr "``disable-route-autoinstall`` - This option when configured disables the routes installed in the default table 220 for site-to-site ipsec. It is mostly used with VTI configuration."
diff --git a/docs/_locale/pt/LC_MESSAGES/configuration.mo b/docs/_locale/pt/LC_MESSAGES/configuration.mo
index 08df0708..62817f09 100644
--- a/docs/_locale/pt/LC_MESSAGES/configuration.mo
+++ b/docs/_locale/pt/LC_MESSAGES/configuration.mo
Binary files differ
diff --git a/docs/_locale/pt/configuration.pot b/docs/_locale/pt/configuration.pot
index 5a12333e..dbe8970c 100644
--- a/docs/_locale/pt/configuration.pot
+++ b/docs/_locale/pt/configuration.pot
@@ -225,6 +225,14 @@ msgstr "**Important note on usage of terms:** The firewall makes use of the term
msgid "**Interface name**"
msgstr "**Interface name**"
+#: ../../configuration/vpn/site2site_ipsec.rst:299
+msgid "**LEFT**"
+msgstr "**LEFT**"
+
+#: ../../configuration/vpn/site2site_ipsec.rst:283
+msgid "**LEFT:** * WAN interface on `eth0.201` * `eth0.201` interface IP: `172.18.201.10/24` * `vti10` interface IP: `10.0.0.2/31` * `dum0` interface IP: `10.0.11.1/24` (for testing purposes)"
+msgstr "**LEFT:** * WAN interface on `eth0.201` * `eth0.201` interface IP: `172.18.201.10/24` * `vti10` interface IP: `10.0.0.2/31` * `dum0` interface IP: `10.0.11.1/24` (for testing purposes)"
+
#: ../../configuration/interfaces/vxlan.rst:214
msgid "**Leaf2 configuration:**"
msgstr "**Leaf2 configuration:**"
@@ -401,6 +409,14 @@ msgstr "**RADIUS based IP pools (Framed-IP-Address)**"
msgid "**RADIUS sessions management DM/CoA**"
msgstr "**RADIUS sessions management DM/CoA**"
+#: ../../configuration/vpn/site2site_ipsec.rst:335
+msgid "**RIGHT**"
+msgstr "**RIGHT**"
+
+#: ../../configuration/vpn/site2site_ipsec.rst:289
+msgid "**RIGHT:** * WAN interface on `eth0.202` * `eth0.201` interface IP: `172.18.202.10/24` * `vti10` interface IP: `10.0.0.3/31` * `dum0` interface IP: `10.0.12.1/24` (for testing purposes)"
+msgstr "**RIGHT:** * WAN interface on `eth0.202` * `eth0.201` interface IP: `172.18.202.10/24` * `vti10` interface IP: `10.0.0.3/31` * `dum0` interface IP: `10.0.12.1/24` (for testing purposes)"
+
#: ../../configuration/protocols/bgp.rst:113
msgid "**Router-ID check**"
msgstr "**Router-ID check**"
@@ -2619,7 +2635,7 @@ msgstr "Before enabling any hardware segmentation offload a corresponding softwa
msgid "Before you are able to apply a rule-set to a zone you have to create the zones first."
msgstr "Before you are able to apply a rule-set to a zone you have to create the zones first."
-#: ../../configuration/vpn/site2site_ipsec.rst:392
+#: ../../configuration/vpn/site2site_ipsec.rst:413
msgid "Below flow-chart could be a quick reference for the close-action combination depending on how the peer is configured."
msgstr "Below flow-chart could be a quick reference for the close-action combination depending on how the peer is configured."
@@ -4609,7 +4625,7 @@ msgstr "Don't forget, the CIDR declared in the network statement **MUST exist in
msgid "Don't forget, the CIDR declared in the network statement MUST **exist in your routing table (dynamic or static), the best way to make sure that is true is creating a static route:**"
msgstr "Don't forget, the CIDR declared in the network statement MUST **exist in your routing table (dynamic or static), the best way to make sure that is true is creating a static route:**"
-#: ../../configuration/vpn/site2site_ipsec.rst:284
+#: ../../configuration/vpn/site2site_ipsec.rst:295
msgid "Don't get confused about the used /31 tunnel subnet. :rfc:`3021` gives you additional information for using /31 subnets on point-to-point links."
msgstr "Don't get confused about the used /31 tunnel subnet. :rfc:`3021` gives you additional information for using /31 subnets on point-to-point links."
@@ -7636,6 +7652,10 @@ msgstr "In addition you can also disable the whole service without the need to r
msgid "In addition you will specifiy the IP address or FQDN for the client where it will connect to. The address parameter can be used up to two times and is used to assign the clients specific IPv4 (/32) or IPv6 (/128) address."
msgstr "In addition you will specifiy the IP address or FQDN for the client where it will connect to. The address parameter can be used up to two times and is used to assign the clients specific IPv4 (/32) or IPv6 (/128) address."
+#: ../../configuration/interfaces/wireguard.rst:416
+msgid "In addition you will specify the IP address or FQDN for the client where it will connect to. The address parameter can be used up to two times and is used to assign the clients specific IPv4 (/32) or IPv6 (/128) address."
+msgstr "In addition you will specify the IP address or FQDN for the client where it will connect to. The address parameter can be used up to two times and is used to assign the clients specific IPv4 (/32) or IPv6 (/128) address."
+
#: ../../configuration/firewall/general.rst:194
#: ../../configuration/firewall/general-legacy.rst:170
msgid "In an **address group** a single IP address or IP address ranges are defined."
@@ -7997,7 +8017,7 @@ msgstr "Instead of sending the real system hostname to the DHCP server, overwrit
msgid "Integrity – Message integrity to ensure that a packet has not been tampered while in transit including an optional packet replay protection mechanism."
msgstr "Integrity – Message integrity to ensure that a packet has not been tampered while in transit including an optional packet replay protection mechanism."
-#: ../../configuration/interfaces/wireless.rst:600
+#: ../../configuration/interfaces/wireless.rst:602
msgid "Intel AX200"
msgstr "Intel AX200"
@@ -8238,7 +8258,7 @@ msgstr "Key Generation"
msgid "Key Management"
msgstr "Key Management"
-#: ../../configuration/vpn/site2site_ipsec.rst:353
+#: ../../configuration/vpn/site2site_ipsec.rst:374
msgid "Key Parameters:"
msgstr "Key Parameters:"
@@ -10952,7 +10972,7 @@ msgstr "Restarts the DNS recursor process. This also invalidates the local DNS f
#: ../../configuration/interfaces/wireless.rst:315
#: ../../configuration/interfaces/wireless.rst:369
-#: ../../configuration/interfaces/wireless.rst:566
+#: ../../configuration/interfaces/wireless.rst:567
msgid "Resulting in"
msgstr "Resulting in"
@@ -12463,7 +12483,7 @@ msgstr "Sierra Wireless AirPrime MC7455 miniPCIe card (LTE)"
msgid "Sierra Wireless AirPrime MC7710 miniPCIe card (LTE)"
msgstr "Sierra Wireless AirPrime MC7710 miniPCIe card (LTE)"
-#: ../../configuration/vpn/site2site_ipsec.rst:397
+#: ../../configuration/vpn/site2site_ipsec.rst:418
msgid "Similar combinations are applicable for the dead-peer-detection."
msgstr "Similar combinations are applicable for the dead-peer-detection."
@@ -13325,7 +13345,7 @@ msgstr "The HTTP service listen on TCP port 80."
msgid "The IP address of the internal system we wish to forward traffic to."
msgstr "The IP address of the internal system we wish to forward traffic to."
-#: ../../configuration/interfaces/wireless.rst:602
+#: ../../configuration/interfaces/wireless.rst:604
msgid "The Intel AX200 card does not work out of the box in AP mode, see https://unix.stackexchange.com/questions/598275/intel-ax200-ap-mode. You can still put this card into AP mode using the following configuration:"
msgstr "The Intel AX200 card does not work out of the box in AP mode, see https://unix.stackexchange.com/questions/598275/intel-ax200-ap-mode. You can still put this card into AP mode using the following configuration:"
@@ -16258,7 +16278,7 @@ msgstr "To forward all broadcast packets received on `UDP port 1900` on `eth3`,
msgid "To generate the CA, the server private key and certificates the following commands can be used."
msgstr "To generate the CA, the server private key and certificates the following commands can be used."
-#: ../../configuration/interfaces/wireless.rst:592
+#: ../../configuration/interfaces/wireless.rst:594
msgid "To get it to work as an access point with this configuration you will need to set up a DHCP server to work with that network. You can - of course - also bridge the Wireless interface with any configured bridge (:ref:`bridge-interface`) on the system."
msgstr "To get it to work as an access point with this configuration you will need to set up a DHCP server to work with that network. You can - of course - also bridge the Wireless interface with any configured bridge (:ref:`bridge-interface`) on the system."
@@ -18077,7 +18097,7 @@ msgstr "When starting a VyOS live system (the installation CD) the configured ke
msgid "When the DHCP server is considering dynamically allocating an IP address to a client, it first sends an ICMP Echo request (a ping) to the address being assigned. It waits for a second, and if no ICMP Echo response has been heard, it assigns the address."
msgstr "When the DHCP server is considering dynamically allocating an IP address to a client, it first sends an ICMP Echo request (a ping) to the address being assigned. It waits for a second, and if no ICMP Echo response has been heard, it assigns the address."
-#: ../../configuration/vpn/site2site_ipsec.rst:386
+#: ../../configuration/vpn/site2site_ipsec.rst:407
msgid "When the close-action option is set on the peers, the connection-type of each peer has to considered carefully. For example, if the option is set on both peers, then both would attempt to initiate and hold open multiple copies of each child SA. This might lead to instability of the device or cpu/memory utilization."
msgstr "When the close-action option is set on the peers, the connection-type of each peer has to considered carefully. For example, if the option is set on both peers, then both would attempt to initiate and hold open multiple copies of each child SA. This might lead to instability of the device or cpu/memory utilization."
@@ -18483,10 +18503,13 @@ msgid "You should add a firewall to your configuration above as well by assignin
msgstr "You should add a firewall to your configuration above as well by assigning it to the pppoe0 itself as shown here:"
#: ../../configuration/interfaces/openvpn.rst:227
-#: ../../configuration/interfaces/wireguard.rst:225
msgid "You should also ensure that the OUTISDE_LOCAL firewall group is applied to the WAN interface and a direction (local)."
msgstr "You should also ensure that the OUTISDE_LOCAL firewall group is applied to the WAN interface and a direction (local)."
+#: ../../configuration/interfaces/wireguard.rst:225
+msgid "You should also ensure that the OUTSIDE_LOCAL firewall group is applied to the WAN interface and a direction (local)."
+msgstr "You should also ensure that the OUTSIDE_LOCAL firewall group is applied to the WAN interface and a direction (local)."
+
#: ../../configuration/interfaces/wireguard.rst:136
msgid "You will also need the public key of your peer as well as the network(s) you want to tunnel (allowed-ips) to configure a WireGuard tunnel. The public key below is always the public key from your peer, not your local one."
msgstr "You will also need the public key of your peer as well as the network(s) you want to tunnel (allowed-ips) to configure a WireGuard tunnel. The public key below is always the public key from your peer, not your local one."
@@ -19112,7 +19135,7 @@ msgstr "``all-available`` all checking target addresses must be available to pas
msgid "``any-available`` any of the checking target addresses must be available to pass this check"
msgstr "``any-available`` any of the checking target addresses must be available to pass this check"
-#: ../../configuration/vpn/site2site_ipsec.rst:355
+#: ../../configuration/vpn/site2site_ipsec.rst:376
msgid "``authentication local-id/remote-id`` - IKE identification is used for validation of VPN peer devices during IKE negotiation. If you do not configure local/remote-identity, the device uses the IPv4 or IPv6 address that corresponds to the local/remote peer by default. In certain network setups (like ipsec interface with dynamic address, or behind the NAT ), the IKE ID received from the peer does not match the IKE gateway configured on the device. This can lead to a Phase 1 validation failure. So, make sure to configure the local/remote id explicitly and ensure that the IKE ID is the same as the remote-identity configured on the peer device."
msgstr "``authentication local-id/remote-id`` - IKE identification is used for validation of VPN peer devices during IKE negotiation. If you do not configure local/remote-identity, the device uses the IPv4 or IPv6 address that corresponds to the local/remote peer by default. In certain network setups (like ipsec interface with dynamic address, or behind the NAT ), the IKE ID received from the peer does not match the IKE gateway configured on the device. This can lead to a Phase 1 validation failure. So, make sure to configure the local/remote id explicitly and ensure that the IKE ID is the same as the remote-identity configured on the peer device."
@@ -19168,7 +19191,7 @@ msgstr "``cert-file`` - certificate file, which will be used for authenticating
msgid "``clear`` set action to clear;"
msgstr "``clear`` set action to clear;"
-#: ../../configuration/vpn/site2site_ipsec.rst:381
+#: ../../configuration/vpn/site2site_ipsec.rst:402
msgid "``close-action = none | clear | hold | restart`` - defines the action to take if the remote peer unexpectedly closes a CHILD_SA (see above for meaning of values). A closeaction should not be used if the peer uses reauthentication or uniqueids."
msgstr "``close-action = none | clear | hold | restart`` - defines the action to take if the remote peer unexpectedly closes a CHILD_SA (see above for meaning of values). A closeaction should not be used if the peer uses reauthentication or uniqueids."
@@ -19200,7 +19223,7 @@ msgstr "``crl-file`` - file with the Certificate Revocation List. Using to check
msgid "``d`` - Execution interval in days"
msgstr "``d`` - Execution interval in days"
-#: ../../configuration/vpn/site2site_ipsec.rst:370
+#: ../../configuration/vpn/site2site_ipsec.rst:391
msgid "``dead-peer-detection action = clear | hold | restart`` - R_U_THERE notification messages(IKEv1) or empty INFORMATIONAL messages (IKEv2) are periodically sent in order to check the liveliness of the IPsec peer. The values clear, hold, and restart all activate DPD and determine the action to perform on a timeout. With ``clear`` the connection is closed with no further actions taken. ``hold`` installs a trap policy, which will catch matching traffic and tries to re-negotiate the connection on demand. ``restart`` will immediately trigger an attempt to re-negotiate the connection."
msgstr "``dead-peer-detection action = clear | hold | restart`` - R_U_THERE notification messages(IKEv1) or empty INFORMATIONAL messages (IKEv2) are periodically sent in order to check the liveliness of the IPsec peer. The values clear, hold, and restart all activate DPD and determine the action to perform on a timeout. With ``clear`` the connection is closed with no further actions taken. ``hold`` installs a trap policy, which will catch matching traffic and tries to re-negotiate the connection on demand. ``restart`` will immediately trigger an attempt to re-negotiate the connection."
@@ -19232,7 +19255,7 @@ msgstr "``dhcp-interface`` - use an IP address, received from DHCP for IPSec con
msgid "``disable-mobike`` disables MOBIKE Support. MOBIKE is only available for IKEv2 and enabled by default."
msgstr "``disable-mobike`` disables MOBIKE Support. MOBIKE is only available for IKEv2 and enabled by default."
-#: ../../configuration/vpn/site2site_ipsec.rst:366
+#: ../../configuration/vpn/site2site_ipsec.rst:387
msgid "``disable-route-autoinstall`` - This option when configured disables the routes installed in the default table 220 for site-to-site ipsec. It is mostly used with VTI configuration."
msgstr "``disable-route-autoinstall`` - This option when configured disables the routes installed in the default table 220 for site-to-site ipsec. It is mostly used with VTI configuration."
diff --git a/docs/_locale/uk/LC_MESSAGES/configuration.mo b/docs/_locale/uk/LC_MESSAGES/configuration.mo
index d6a4812d..a7fe23ad 100644
--- a/docs/_locale/uk/LC_MESSAGES/configuration.mo
+++ b/docs/_locale/uk/LC_MESSAGES/configuration.mo
Binary files differ
diff --git a/docs/_locale/uk/configuration.pot b/docs/_locale/uk/configuration.pot
index 1e440479..a3a1a512 100644
--- a/docs/_locale/uk/configuration.pot
+++ b/docs/_locale/uk/configuration.pot
@@ -225,6 +225,14 @@ msgstr "**Important note on usage of terms:** The firewall makes use of the term
msgid "**Interface name**"
msgstr "**Interface name**"
+#: ../../configuration/vpn/site2site_ipsec.rst:299
+msgid "**LEFT**"
+msgstr "**LEFT**"
+
+#: ../../configuration/vpn/site2site_ipsec.rst:283
+msgid "**LEFT:** * WAN interface on `eth0.201` * `eth0.201` interface IP: `172.18.201.10/24` * `vti10` interface IP: `10.0.0.2/31` * `dum0` interface IP: `10.0.11.1/24` (for testing purposes)"
+msgstr "**LEFT:** * WAN interface on `eth0.201` * `eth0.201` interface IP: `172.18.201.10/24` * `vti10` interface IP: `10.0.0.2/31` * `dum0` interface IP: `10.0.11.1/24` (for testing purposes)"
+
#: ../../configuration/interfaces/vxlan.rst:214
msgid "**Leaf2 configuration:**"
msgstr "**Leaf2 configuration:**"
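Review bot: the new msgid for site2site_ipsec.rst:283 has the bullet list flattened into the `**LEFT:**` paragraph (`**LEFT:** * WAN interface on `eth0.201` * `eth0.201` interface IP: ...`), which means the rst source has no blank line between the bold lead line and the list; add that blank line in site2site_ipsec.rst so the four items render as a list and the catalogue gets one string per item instead of this run-on entry.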
@@ -401,6 +409,14 @@ msgstr "**RADIUS based IP pools (Framed-IP-Address)**"
msgid "**RADIUS sessions management DM/CoA**"
msgstr "**RADIUS sessions management DM/CoA**"
+#: ../../configuration/vpn/site2site_ipsec.rst:335
+msgid "**RIGHT**"
+msgstr "**RIGHT**"
+
+#: ../../configuration/vpn/site2site_ipsec.rst:289
+msgid "**RIGHT:** * WAN interface on `eth0.202` * `eth0.201` interface IP: `172.18.202.10/24` * `vti10` interface IP: `10.0.0.3/31` * `dum0` interface IP: `10.0.12.1/24` (for testing purposes)"
+msgstr "**RIGHT:** * WAN interface on `eth0.202` * `eth0.201` interface IP: `172.18.202.10/24` * `vti10` interface IP: `10.0.0.3/31` * `dum0` interface IP: `10.0.12.1/24` (for testing purposes)"
+
#: ../../configuration/protocols/bgp.rst:113
msgid "**Router-ID check**"
msgstr "**Router-ID check**"
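Review bot: the RIGHT block at site2site_ipsec.rst:289 says `WAN interface on `eth0.202`` but the next item gives the address for `eth0.201` (`172.18.202.10/24`); that looks like a copy-paste leftover from the LEFT block and should read `eth0.202`. The same missing blank line before the bullet list as in the LEFT entry applies here too.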
@@ -2619,7 +2635,7 @@ msgstr "Before enabling any hardware segmentation offload a corresponding softwa
msgid "Before you are able to apply a rule-set to a zone you have to create the zones first."
msgstr "Before you are able to apply a rule-set to a zone you have to create the zones first."
-#: ../../configuration/vpn/site2site_ipsec.rst:392
+#: ../../configuration/vpn/site2site_ipsec.rst:413
msgid "Below flow-chart could be a quick reference for the close-action combination depending on how the peer is configured."
msgstr "Below flow-chart could be a quick reference for the close-action combination depending on how the peer is configured."
@@ -4609,7 +4625,7 @@ msgstr "Don't forget, the CIDR declared in the network statement **MUST exist in
msgid "Don't forget, the CIDR declared in the network statement MUST **exist in your routing table (dynamic or static), the best way to make sure that is true is creating a static route:**"
msgstr "Don't forget, the CIDR declared in the network statement MUST **exist in your routing table (dynamic or static), the best way to make sure that is true is creating a static route:**"
-#: ../../configuration/vpn/site2site_ipsec.rst:284
+#: ../../configuration/vpn/site2site_ipsec.rst:295
msgid "Don't get confused about the used /31 tunnel subnet. :rfc:`3021` gives you additional information for using /31 subnets on point-to-point links."
msgstr "Don't get confused about the used /31 tunnel subnet. :rfc:`3021` gives you additional information for using /31 subnets on point-to-point links."
@@ -7636,6 +7652,10 @@ msgstr "In addition you can also disable the whole service without the need to r
msgid "In addition you will specifiy the IP address or FQDN for the client where it will connect to. The address parameter can be used up to two times and is used to assign the clients specific IPv4 (/32) or IPv6 (/128) address."
msgstr "In addition you will specifiy the IP address or FQDN for the client where it will connect to. The address parameter can be used up to two times and is used to assign the clients specific IPv4 (/32) or IPv6 (/128) address."
+#: ../../configuration/interfaces/wireguard.rst:416
+msgid "In addition you will specify the IP address or FQDN for the client where it will connect to. The address parameter can be used up to two times and is used to assign the clients specific IPv4 (/32) or IPv6 (/128) address."
+msgstr "In addition you will specify the IP address or FQDN for the client where it will connect to. The address parameter can be used up to two times and is used to assign the clients specific IPv4 (/32) or IPv6 (/128) address."
+
#: ../../configuration/firewall/general.rst:194
#: ../../configuration/firewall/general-legacy.rst:170
msgid "In an **address group** a single IP address or IP address ranges are defined."
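Review bot: the corrected wireguard.rst:416 string is added, but the old entry with the `specifiy` typo (the two context lines above the insertion) stays in the catalogue; unless another source file still contains the misspelling, the stale entry should be dropped or marked obsolete so translators do not keep translating a string that no longer exists in the docs.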
@@ -7997,7 +8017,7 @@ msgstr "Instead of sending the real system hostname to the DHCP server, overwrit
msgid "Integrity – Message integrity to ensure that a packet has not been tampered while in transit including an optional packet replay protection mechanism."
msgstr "Integrity – Message integrity to ensure that a packet has not been tampered while in transit including an optional packet replay protection mechanism."
-#: ../../configuration/interfaces/wireless.rst:600
+#: ../../configuration/interfaces/wireless.rst:602
msgid "Intel AX200"
msgstr "Intel AX200"
@@ -8238,7 +8258,7 @@ msgstr "Key Generation"
msgid "Key Management"
msgstr "Key Management"
-#: ../../configuration/vpn/site2site_ipsec.rst:353
+#: ../../configuration/vpn/site2site_ipsec.rst:374
msgid "Key Parameters:"
msgstr "Key Parameters:"
@@ -10952,7 +10972,7 @@ msgstr "Restarts the DNS recursor process. This also invalidates the local DNS f
#: ../../configuration/interfaces/wireless.rst:315
#: ../../configuration/interfaces/wireless.rst:369
-#: ../../configuration/interfaces/wireless.rst:566
+#: ../../configuration/interfaces/wireless.rst:567
msgid "Resulting in"
msgstr "Resulting in"
@@ -12463,7 +12483,7 @@ msgstr "Sierra Wireless AirPrime MC7455 miniPCIe card (LTE)"
msgid "Sierra Wireless AirPrime MC7710 miniPCIe card (LTE)"
msgstr "Sierra Wireless AirPrime MC7710 miniPCIe card (LTE)"
-#: ../../configuration/vpn/site2site_ipsec.rst:397
+#: ../../configuration/vpn/site2site_ipsec.rst:418
msgid "Similar combinations are applicable for the dead-peer-detection."
msgstr "Similar combinations are applicable for the dead-peer-detection."
@@ -13325,7 +13345,7 @@ msgstr "The HTTP service listen on TCP port 80."
msgid "The IP address of the internal system we wish to forward traffic to."
msgstr "The IP address of the internal system we wish to forward traffic to."
-#: ../../configuration/interfaces/wireless.rst:602
+#: ../../configuration/interfaces/wireless.rst:604
msgid "The Intel AX200 card does not work out of the box in AP mode, see https://unix.stackexchange.com/questions/598275/intel-ax200-ap-mode. You can still put this card into AP mode using the following configuration:"
msgstr "The Intel AX200 card does not work out of the box in AP mode, see https://unix.stackexchange.com/questions/598275/intel-ax200-ap-mode. You can still put this card into AP mode using the following configuration:"
@@ -16258,7 +16278,7 @@ msgstr "To forward all broadcast packets received on `UDP port 1900` on `eth3`,
msgid "To generate the CA, the server private key and certificates the following commands can be used."
msgstr "To generate the CA, the server private key and certificates the following commands can be used."
-#: ../../configuration/interfaces/wireless.rst:592
+#: ../../configuration/interfaces/wireless.rst:594
msgid "To get it to work as an access point with this configuration you will need to set up a DHCP server to work with that network. You can - of course - also bridge the Wireless interface with any configured bridge (:ref:`bridge-interface`) on the system."
msgstr "To get it to work as an access point with this configuration you will need to set up a DHCP server to work with that network. You can - of course - also bridge the Wireless interface with any configured bridge (:ref:`bridge-interface`) on the system."
@@ -18077,7 +18097,7 @@ msgstr "When starting a VyOS live system (the installation CD) the configured ke
msgid "When the DHCP server is considering dynamically allocating an IP address to a client, it first sends an ICMP Echo request (a ping) to the address being assigned. It waits for a second, and if no ICMP Echo response has been heard, it assigns the address."
msgstr "When the DHCP server is considering dynamically allocating an IP address to a client, it first sends an ICMP Echo request (a ping) to the address being assigned. It waits for a second, and if no ICMP Echo response has been heard, it assigns the address."
-#: ../../configuration/vpn/site2site_ipsec.rst:386
+#: ../../configuration/vpn/site2site_ipsec.rst:407
msgid "When the close-action option is set on the peers, the connection-type of each peer has to considered carefully. For example, if the option is set on both peers, then both would attempt to initiate and hold open multiple copies of each child SA. This might lead to instability of the device or cpu/memory utilization."
msgstr "When the close-action option is set on the peers, the connection-type of each peer has to considered carefully. For example, if the option is set on both peers, then both would attempt to initiate and hold open multiple copies of each child SA. This might lead to instability of the device or cpu/memory utilization."
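Review bot: the site2site_ipsec.rst:407 string reads `the connection-type of each peer has to considered carefully`, missing `be`, and `cpu/memory` should be `CPU/memory`. Since the .pot is generated, fix the wording in the rst source rather than in the catalogue.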
@@ -18483,10 +18503,13 @@ msgid "You should add a firewall to your configuration above as well by assignin
msgstr "You should add a firewall to your configuration above as well by assigning it to the pppoe0 itself as shown here:"
#: ../../configuration/interfaces/openvpn.rst:227
-#: ../../configuration/interfaces/wireguard.rst:225
msgid "You should also ensure that the OUTISDE_LOCAL firewall group is applied to the WAN interface and a direction (local)."
msgstr "You should also ensure that the OUTISDE_LOCAL firewall group is applied to the WAN interface and a direction (local)."
+#: ../../configuration/interfaces/wireguard.rst:225
+msgid "You should also ensure that the OUTSIDE_LOCAL firewall group is applied to the WAN interface and a direction (local)."
+msgstr "You should also ensure that the OUTSIDE_LOCAL firewall group is applied to the WAN interface and a direction (local)."
+
#: ../../configuration/interfaces/wireguard.rst:136
msgid "You will also need the public key of your peer as well as the network(s) you want to tunnel (allowed-ips) to configure a WireGuard tunnel. The public key below is always the public key from your peer, not your local one."
msgstr "You will also need the public key of your peer as well as the network(s) you want to tunnel (allowed-ips) to configure a WireGuard tunnel. The public key below is always the public key from your peer, not your local one."
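Review bot: only the wireguard.rst:225 reference moves to the corrected `OUTSIDE_LOCAL` string; the old `OUTISDE_LOCAL` entry keeps its openvpn.rst:227 reference, so openvpn.rst still carries the misspelling. Fix it there as well, after which the two entries collapse into one.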
@@ -19112,7 +19135,7 @@ msgstr "``all-available`` all checking target addresses must be available to pas
msgid "``any-available`` any of the checking target addresses must be available to pass this check"
msgstr "``any-available`` any of the checking target addresses must be available to pass this check"
-#: ../../configuration/vpn/site2site_ipsec.rst:355
+#: ../../configuration/vpn/site2site_ipsec.rst:376
msgid "``authentication local-id/remote-id`` - IKE identification is used for validation of VPN peer devices during IKE negotiation. If you do not configure local/remote-identity, the device uses the IPv4 or IPv6 address that corresponds to the local/remote peer by default. In certain network setups (like ipsec interface with dynamic address, or behind the NAT ), the IKE ID received from the peer does not match the IKE gateway configured on the device. This can lead to a Phase 1 validation failure. So, make sure to configure the local/remote id explicitly and ensure that the IKE ID is the same as the remote-identity configured on the peer device."
msgstr "``authentication local-id/remote-id`` - IKE identification is used for validation of VPN peer devices during IKE negotiation. If you do not configure local/remote-identity, the device uses the IPv4 or IPv6 address that corresponds to the local/remote peer by default. In certain network setups (like ipsec interface with dynamic address, or behind the NAT ), the IKE ID received from the peer does not match the IKE gateway configured on the device. This can lead to a Phase 1 validation failure. So, make sure to configure the local/remote id explicitly and ensure that the IKE ID is the same as the remote-identity configured on the peer device."
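Review bot: the site2site_ipsec.rst:376 string has a stray space before the closing parenthesis in `or behind the NAT )`, and `ipsec interface` should be `IPsec interface`; fix in the rst source, since the same string is regenerated into every locale's catalogue (the pt catalogue above carries the identical text).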
@@ -19168,7 +19191,7 @@ msgstr "``cert-file`` - certificate file, which will be used for authenticating
msgid "``clear`` set action to clear;"
msgstr "``clear`` set action to clear;"
-#: ../../configuration/vpn/site2site_ipsec.rst:381
+#: ../../configuration/vpn/site2site_ipsec.rst:402
msgid "``close-action = none | clear | hold | restart`` - defines the action to take if the remote peer unexpectedly closes a CHILD_SA (see above for meaning of values). A closeaction should not be used if the peer uses reauthentication or uniqueids."
msgstr "``close-action = none | clear | hold | restart`` - defines the action to take if the remote peer unexpectedly closes a CHILD_SA (see above for meaning of values). A closeaction should not be used if the peer uses reauthentication or uniqueids."
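Review bot: in the site2site_ipsec.rst:402 string, `A closeaction should not be used` should use the option name ``close-action`` exactly as at the start of the same sentence; fix in the rst source.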
@@ -19200,7 +19223,7 @@ msgstr "``crl-file`` - file with the Certificate Revocation List. Using to check
msgid "``d`` - Execution interval in days"
msgstr "``d`` - Execution interval in days"
-#: ../../configuration/vpn/site2site_ipsec.rst:370
+#: ../../configuration/vpn/site2site_ipsec.rst:391
msgid "``dead-peer-detection action = clear | hold | restart`` - R_U_THERE notification messages(IKEv1) or empty INFORMATIONAL messages (IKEv2) are periodically sent in order to check the liveliness of the IPsec peer. The values clear, hold, and restart all activate DPD and determine the action to perform on a timeout. With ``clear`` the connection is closed with no further actions taken. ``hold`` installs a trap policy, which will catch matching traffic and tries to re-negotiate the connection on demand. ``restart`` will immediately trigger an attempt to re-negotiate the connection."
msgstr "``dead-peer-detection action = clear | hold | restart`` - R_U_THERE notification messages(IKEv1) or empty INFORMATIONAL messages (IKEv2) are periodically sent in order to check the liveliness of the IPsec peer. The values clear, hold, and restart all activate DPD and determine the action to perform on a timeout. With ``clear`` the connection is closed with no further actions taken. ``hold`` installs a trap policy, which will catch matching traffic and tries to re-negotiate the connection on demand. ``restart`` will immediately trigger an attempt to re-negotiate the connection."
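Review bot: the site2site_ipsec.rst:391 string has `messages(IKEv1)` with no space before the parenthesis, and `liveliness` where `liveness` of the peer is meant; fix in the rst source.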
@@ -19232,7 +19255,7 @@ msgstr "``dhcp-interface`` - use an IP address, received from DHCP for IPSec con
msgid "``disable-mobike`` disables MOBIKE Support. MOBIKE is only available for IKEv2 and enabled by default."
msgstr "``disable-mobike`` disables MOBIKE Support. MOBIKE is only available for IKEv2 and enabled by default."
-#: ../../configuration/vpn/site2site_ipsec.rst:366
+#: ../../configuration/vpn/site2site_ipsec.rst:387
msgid "``disable-route-autoinstall`` - This option when configured disables the routes installed in the default table 220 for site-to-site ipsec. It is mostly used with VTI configuration."
msgstr "``disable-route-autoinstall`` - This option when configured disables the routes installed in the default table 220 for site-to-site ipsec. It is mostly used with VTI configuration."
diff --git a/docs/changelog/1.3.rst b/docs/changelog/1.3.rst
index f1aab4e5..c5192eab 100644
--- a/docs/changelog/1.3.rst
+++ b/docs/changelog/1.3.rst
@@ -8,6 +8,34 @@
_ext/releasenotes.py
+2023-10-26
+==========
+
+* :vytask:`T5684` ``(bug): services using VRF generates the error "Failed to load BPF prog: 'Operation not permitted'" when the system boots.``
+* :vytask:`T5594` ``(bug): VRRP - Error if using IPv6 Link Local as hello source address``
+
+
+2023-10-21
+==========
+
+* :vytask:`T5670` ``(bug): bridge: missing member interface validator``
+* :vytask:`T5191` ``(default): Replace underscores with hyphens in command-line options generated by vyos.opmode``
+* :vytask:`T4402` ``(bug): OpenVPN client-ip-pool option is broken``
+* :vytask:`T2719` ``(feature): Standardized op mode script structure``
+
+
+2023-10-19
+==========
+
+* :vytask:`T5669` ``(bug): VXLAN interface changing port does not work``
+
+
+2023-10-17
+==========
+
+* :vytask:`T5235` ``(bug): SSH keys with special characters cannot be applied via Cloud-init``
+
+
2023-10-08
==========
diff --git a/docs/changelog/1.4.rst b/docs/changelog/1.4.rst
index 0cc887ed..86b201df 100644
--- a/docs/changelog/1.4.rst
+++ b/docs/changelog/1.4.rst
@@ -8,6 +8,127 @@
_ext/releasenotes.py
+2023-11-05
+==========
+
+* :vytask:`T4020` ``(feature): Add ability to control FRR daemons options``
+
+
+2023-11-03
+==========
+
+* :vytask:`T5700` ``(bug): Monitoring telegraf deprecated plugins inputs outputs``
+* :vytask:`T5018` ``(bug): Redirect to IFB removed after change in qos policy``
+
+
+2023-11-02
+==========
+
+* :vytask:`T5701` ``(feature): Update telegraf package``
+
+
+2023-11-01
+==========
+
+* :vytask:`T5690` ``(bug): Change to definition of environment variable 'vyos_rootfs_dir' is incorrect``
+
+
+2023-10-31
+==========
+
+* :vytask:`T5699` ``(feature): vxlan: migrate "external" CLI know to "parameters external"``
+* :vytask:`T5668` ``(feature): Disable VXLAN bridge learning and enable neigh_suppress when using EVPN``
+
+
+2023-10-27
+==========
+
+* :vytask:`T5652` ``(bug): Config migrate to image upgrade does not properly generate home directory``
+* :vytask:`T4057` ``(bug): Commit time for deleting sflow configuration ~1.5 min``
+
+
+2023-10-26
+==========
+
+* :vytask:`T5683` ``(bug): reverse-proxy pki filenames mismatch``
+* :vytask:`T4903` ``(bug): conntrack ignore does not suppotr IPv6 addresses``
+* :vytask:`T4309` ``(feature): Support network/address-groups and ipv6-network/ipv6-address-groups in conntrack ignore``
+* :vytask:`T5606` ``(feature): IPSec VPN: Allow multiple CAs certificates``
+* :vytask:`T5650` ``(default): Progressbars suffer from staircasing effect``
+* :vytask:`T5568` ``(default): Install image from live ISO always defaults boot to KVM entry``
+* :vytask:`T3509` ``(default): No BCP38 for IPv6 on VyOS``
+
+
+2023-10-23
+==========
+
+* :vytask:`T5299` ``(bug): QoS shaper ceiling does not work``
+* :vytask:`T5667` ``(feature): BGP label-unicast - enable ecmp``
+* :vytask:`T5337` ``(bug): MPLS/BGP: Route leak does not happen from the VPNv4 table to specific vrf``
+
+
+2023-10-22
+==========
+
+* :vytask:`T5254` ``(bug): Modification of any interface setting sets MTU back to default when MTU has been inherited from a bond``
+* :vytask:`T5671` ``(feature): vxlan: change port to IANA assigned default port``
+
+
+2023-10-21
+==========
+
+* :vytask:`T5670` ``(bug): bridge: missing member interface validator``
+* :vytask:`T5617` ``(feature): Add an option to exclude single values to the numeric validator``
+* :vytask:`T5414` ``(bug): dhcp-server does not allow valid bootfile-names``
+* :vytask:`T5261` ``(feature): Add AWS gateway load-balanceing tunnel handler (gwlbtun)``
+* :vytask:`T5260` ``(bug): Python3 module crypt is deprecated``
+* :vytask:`T5191` ``(default): Replace underscores with hyphens in command-line options generated by vyos.opmode``
+* :vytask:`T5172` ``(default): Set Python3 version dependency for vyos-1x to 3.10``
+* :vytask:`T4956` ``(default): 'show hardware cpu' issue on arm64``
+* :vytask:`T4837` ``(default): Expose "show ip route summary" in the op mode API``
+* :vytask:`T4770` ``(feature): Rewrite OpenVPN op-mode to vyos.opmode format``
+* :vytask:`T4657` ``(bug): op-mode scripts with type hints in `return` do not work``
+* :vytask:`T4604` ``(bug): bgpd eats huge amount of memory (about 500Megs a day)``
+* :vytask:`T4432` ``(default): Display load average normalized according to the number of CPU cores``
+* :vytask:`T4416` ``(default): Convert 'traceroute' operation to the new syntax and expand available options using python``
+* :vytask:`T4402` ``(bug): OpenVPN client-ip-pool option is broken``
+* :vytask:`T3433` ``(default): A review of the use of racist language in VyOS``
+* :vytask:`T2719` ``(feature): Standardized op mode script structure``
+
+
+2023-10-20
+==========
+
+* :vytask:`T5233` ``(bug): Op-mode flow-accounting netflow with disable-imt errors``
+* :vytask:`T5232` ``(bug): Flow-accounting uacctd.service cannot restart correctly``
+
+
+2023-10-19
+==========
+
+* :vytask:`T4913` ``(default): Rewrite the wireless op mode in the new style``
+
+
+2023-10-18
+==========
+
+* :vytask:`T5642` ``(bug): op cmd: generate tech-support archive: does not work``
+* :vytask:`T5521` ``(bug): Home owner directory changed to vyos for the user after reboot``
+
+
+2023-10-17
+==========
+
+* :vytask:`T5662` ``(bug): Fix indexing error in configdep script organization``
+* :vytask:`T5235` ``(bug): SSH keys with special characters cannot be applied via Cloud-init``
+
+
+2023-10-16
+==========
+
+* :vytask:`T5165` ``(feature): Policy local-route ability set protocol and port``
+
+
2023-10-14
==========
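Review bot: several entries carry typos from the task titles: `suppotr` (T4903), `know` where `knob` is meant (T5699) and `load-balanceing` (T5261). Because this file is produced by `_ext/releasenotes.py` from the tracker, hand-editing the rst would be overwritten on the next run; correct the task titles upstream instead.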
diff --git a/docs/changelog/1.5.rst b/docs/changelog/1.5.rst
index a2f26fa7..3cb54a85 100644
--- a/docs/changelog/1.5.rst
+++ b/docs/changelog/1.5.rst
@@ -8,6 +8,108 @@
_ext/releasenotes.py
+2023-11-03
+==========
+
+* :vytask:`T5700` ``(bug): Monitoring telegraf deprecated plugins inputs outputs``
+
+
+2023-11-02
+==========
+
+* :vytask:`T5701` ``(feature): Update telegraf package``
+
+
+2023-11-01
+==========
+
+* :vytask:`T5690` ``(bug): Change to definition of environment variable 'vyos_rootfs_dir' is incorrect``
+
+
+2023-10-31
+==========
+
+* :vytask:`T5699` ``(feature): vxlan: migrate "external" CLI know to "parameters external"``
+* :vytask:`T5668` ``(feature): Disable VXLAN bridge learning and enable neigh_suppress when using EVPN``
+
+
+2023-10-27
+==========
+
+* :vytask:`T5663` ``(bug): pmacct package contains unwanted data``
+* :vytask:`T5652` ``(bug): Config migrate to image upgrade does not properly generate home directory``
+
+
+2023-10-26
+==========
+
+* :vytask:`T5683` ``(bug): reverse-proxy pki filenames mismatch``
+* :vytask:`T5600` ``(bug): Firewall - Remove or extend constraint on 'interface-name'``
+* :vytask:`T5598` ``(bug): unknown parameter 'nf_conntrack_helper' ignored``
+* :vytask:`T5571` ``(bug): Firewall does not delete networks from the table raw``
+* :vytask:`T4903` ``(bug): conntrack ignore does not suppotr IPv6 addresses``
+* :vytask:`T4309` ``(feature): Support network/address-groups and ipv6-network/ipv6-address-groups in conntrack ignore``
+* :vytask:`T5594` ``(bug): VRRP - Error if using IPv6 Link Local as hello source address``
+* :vytask:`T5606` ``(feature): IPSec VPN: Allow multiple CAs certificates``
+* :vytask:`T5568` ``(default): Install image from live ISO always defaults boot to KVM entry``
+* :vytask:`T5558` ``(default): Update config test to check resulting migrations``
+
+
+2023-10-23
+==========
+
+* :vytask:`T5637` ``(bug): Firewall default-action log``
+* :vytask:`T5299` ``(bug): QoS shaper ceiling does not work``
+* :vytask:`T5667` ``(feature): BGP label-unicast - enable ecmp``
+
+
+2023-10-22
+==========
+
+* :vytask:`T5254` ``(bug): Modification of any interface setting sets MTU back to default when MTU has been inherited from a bond``
+* :vytask:`T5671` ``(feature): vxlan: change port to IANA assigned default port``
+
+
+2023-10-21
+==========
+
+* :vytask:`T5670` ``(bug): bridge: missing member interface validator``
+* :vytask:`T5617` ``(feature): Add an option to exclude single values to the numeric validator``
+
+
+2023-10-20
+==========
+
+* :vytask:`T5233` ``(bug): Op-mode flow-accounting netflow with disable-imt errors``
+* :vytask:`T5232` ``(bug): Flow-accounting uacctd.service cannot restart correctly``
+
+
+2023-10-19
+==========
+
+* :vytask:`T4913` ``(default): Rewrite the wireless op mode in the new style``
+
+
+2023-10-18
+==========
+
+* :vytask:`T5642` ``(bug): op cmd: generate tech-support archive: does not work``
+* :vytask:`T5521` ``(bug): Home owner directory changed to vyos for the user after reboot``
+
+
+2023-10-17
+==========
+
+* :vytask:`T5662` ``(bug): Fix indexing error in configdep script organization``
+* :vytask:`T5644` ``(bug): Firewall groups deletion can break config``
+
+
+2023-10-16
+==========
+
+* :vytask:`T5165` ``(feature): Policy local-route ability set protocol and port``
+
+
2023-10-14
==========
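Review bot: the same title typos as in 1.4.rst appear here (`suppotr` in T4903, `know` in T5699); same remedy, fix the task titles so the generator picks up the corrected text.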
diff --git a/docs/configexamples/index.rst b/docs/configexamples/index.rst
index a0413bfd..5528d280 100644
--- a/docs/configexamples/index.rst
+++ b/docs/configexamples/index.rst
@@ -22,6 +22,7 @@ This chapter contains various configuration examples:
segment-routing-isis
nmp
policy-based-ipsec-and-firewall
+ site-2-site-cisco
Configuration Blueprints (autotest)
diff --git a/docs/configexamples/site-2-site-cisco.rst b/docs/configexamples/site-2-site-cisco.rst
new file mode 100644
index 00000000..96e48d07
--- /dev/null
+++ b/docs/configexamples/site-2-site-cisco.rst
@@ -0,0 +1,177 @@
+.. _examples-site-2-site-cisco:
+
+Site-to-Site IPSec VPN to Cisco using FlexVPN
+---------------------------------------------
+
+This guide shows a sample configuration for FlexVPN site-to-site Internet
+Protocol Security (IPsec)/Generic Routing Encapsulation (GRE) tunnel.
+
+FlexVPN is a newer "solution" for deployment of VPNs and it utilizes IKEv2 as
+the key exchange protocol. The result is a flexible and scalable VPN solution
+that can be easily adapted to fit various network needs. It can also support a
+variety of encryption methods, including AES and 3DES.
+
+The lab was built using EVE-NG.
+
+
+Configuration
+^^^^^^^^^^^^^^
+
+VyOS
+=====
+
+- GRE:
+
+.. code-block:: none
+
+ set interfaces tunnel tun1 encapsulation 'gre'
+ set interfaces tunnel tun1 ip adjust-mss '1336'
+ set interfaces tunnel tun1 mtu '1376'
+ set interfaces tunnel tun1 remote '10.1.1.6'
+ set interfaces tunnel tun1 source-address '88.2.2.1'
+
+
+- IPsec:
+
+.. code-block:: none
+
+ set vpn ipsec authentication psk vyos_cisco_l id 'vyos.net’
+ set vpn ipsec authentication psk vyos_cisco_l id 'cisco.hub.net'
+ set vpn ipsec authentication psk vyos_cisco_l secret 'secret'
+ set vpn ipsec esp-group e1 lifetime '3600'
+ set vpn ipsec esp-group e1 mode 'tunnel'
+ set vpn ipsec esp-group e1 pfs 'disable'
+ set vpn ipsec esp-group e1 proposal 1 encryption 'aes128'
+ set vpn ipsec esp-group e1 proposal 1 hash 'sha256'
+ set vpn ipsec ike-group i1 key-exchange 'ikev2'
+ set vpn ipsec ike-group i1 lifetime '28800'
+ set vpn ipsec ike-group i1 proposal 1 dh-group '5'
+ set vpn ipsec ike-group i1 proposal 1 encryption 'aes256'
+ set vpn ipsec ike-group i1 proposal 1 hash 'sha256'
+ set vpn ipsec interface 'eth2'
+ set vpn ipsec options disable-route-autoinstall
+ set vpn ipsec options flexvpn
+ set vpn ipsec options interface 'tun1'
+ set vpn ipsec options virtual-ip
+ set vpn ipsec site-to-site peer cisco_hub authentication local-id 'vyos.net'
+ set vpn ipsec site-to-site peer cisco_hub authentication mode 'pre-shared-secret'
+ set vpn ipsec site-to-site peer cisco_hub authentication remote-id 'cisco.hub.net'
+ set vpn ipsec site-to-site peer cisco_hub connection-type 'initiate'
+ set vpn ipsec site-to-site peer cisco_hub default-esp-group 'e1'
+ set vpn ipsec site-to-site peer cisco_hub ike-group 'i1'
+ set vpn ipsec site-to-site peer cisco_hub local-address '88.2.2.1'
+ set vpn ipsec site-to-site peer cisco_hub remote-address '10.1.1.6'
+ set vpn ipsec site-to-site peer cisco_hub tunnel 1 local prefix '88.2.2.1/32'
+ set vpn ipsec site-to-site peer cisco_hub tunnel 1 protocol 'gre'
+ set vpn ipsec site-to-site peer cisco_hub tunnel 1 remote prefix '10.1.1.6/32'
+ set vpn ipsec site-to-site peer cisco_hub virtual-address '0.0.0.0'
+
+
+Cisco
+=====
+.. code-block:: none
+
+ aaa new-model
+ !
+ !
+ aaa authorization network default local
+ !
+ crypto ikev2 name-mangler GET_DOMAIN
+ fqdn all
+ email all
+ !
+ !
+ crypto ikev2 authorization policy vyos
+ pool mypool
+ aaa attribute list mylist
+ route set interface
+ route accept any tag 100 distance 5
+ !
+ crypto ikev2 keyring mykeys
+ peer peer1
+ identity fqdn vyos.net
+ pre-shared-key local secret
+ pre-shared-key remote secret
+ crypto ikev2 profile my_profile
+ match identity remote fqdn vyos.net
+ identity local fqdn cisco.hub.net
+ authentication remote pre-share
+ authentication local pre-share
+ keyring local mykeys
+ dpd 10 3 periodic
+ aaa authorization group psk list local name-mangler GET_DOMAIN
+ aaa authorization user psk cached
+ virtual-template 1
+ !
+ !
+ !
+ crypto ipsec transform-set TSET esp-aes esp-sha256-hmac
+ mode tunnel
+ !
+ !
+ crypto ipsec profile my-ipsec-profile
+ set transform-set TSET
+ set ikev2-profile my_profile
+ !
+ interface Virtual-Template1 type tunnel
+ no ip address
+ ip mtu 1376
+ ip nhrp network-id 1
+ ip nhrp shortcut virtual-template 1
+ ip tcp adjust-mss 1336
+ tunnel path-mtu-discovery
+ tunnel protection ipsec profile my-ipsec-profile
+ !
+ ip local pool my_pool 172.16.122.1 172.16.122.254
+
+
+Since the tunnel is a point-to-point GRE tunnel, it behaves like any other
+point-to-point interface (for example: serial, dialer), and it is possible to
+run any Interior Gateway Protocol (IGP)/Exterior Gateway Protocol (EGP) over
+the link in order to exchange routing information
+
+Verification
+^^^^^^^^^^^^
+
+.. code-block:: none
+
+ vyos@vyos$ show interfaces
+ Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
+ Interface IP Address S/L Description
+ --------- ---------- --- -----------
+ eth0 - u/u
+ eth1 - u/u
+ eth2 88.2.2.1/24 u/u
+ eth3 172.16.1.2/24 u/u
+ lo 127.0.0.1/8 u/u
+ ::1/128
+ tun1 172.16.122.2/32 u/u
+
+ vyos@vyos:~$ show vpn ipsec sa
+ Connection State Uptime Bytes In/Out Packets In/Out Remote address Remote ID Proposal
+ ------------------ ------- -------- -------------- ---------------- ---------------- --------------------- -----------------------------
+ cisco_hub-tunnel-1 up 44m17s 35K/31K 382/367 10.1.1.6 cisco.hub.net AES_CBC_128/HMAC_SHA2_256_128
+
+
+ Hub#sh crypto ikev2 sa detailed
+ IPv4 Crypto IKEv2 SA
+
+ Tunnel-id Local Remote fvrf/ivrf Status
+ 5 10.1.1.6/4500 88.2.2.1/4500 none/none READY
+ Encr: AES-CBC, keysize: 256, PRF: SHA256, Hash: SHA256, DH Grp:5, Auth sign: PSK, Auth verify: PSK
+ Life/Active Time: 86400/2694 sec
+ CE id: 0, Session-id: 2
+ Status Description: Negotiation done
+ Local spi: C94EE2DC92A60C47 Remote spi: 9AF0EF151BECF14C
+ Local id: cisco.hub.net
+ Remote id: vyos.net
+ Local req msg id: 269 Remote req msg id: 0
+ Local next msg id: 269 Remote next msg id: 0
+ Local req queued: 269 Remote req queued: 0
+ Local window: 5 Remote window: 1
+ DPD configured for 10 seconds, retry 3
+ Fragmentation not configured.
+ Extended Authentication not configured.
+ NAT-T is not detected
+ Cisco Trust Security SGT is disabled
+ Assigned host addr: 172.16.122.2
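Review bot: the verification output in this hunk shows the IKE SA negotiated with "DH Grp:5" (1536-bit MODP, a group RFC 8247 lists as SHOULD NOT), and the keyring carries the literal string `secret` as both the local and remote pre-shared key; since this is a worked example people will paste, add a sentence after the Cisco block telling readers to replace the placeholder PSK with a long random one and to configure DH group 14 or higher (or an ECP group) in both the VyOS ike-group and the Cisco proposal so the SA does not fall back to group 5. The sentence ending "in order to exchange routing information" also lacks its final period.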
diff --git a/docs/configuration/interfaces/vxlan.rst b/docs/configuration/interfaces/vxlan.rst
index 2cb0b2f1..a84ed16f 100644
--- a/docs/configuration/interfaces/vxlan.rst
+++ b/docs/configuration/interfaces/vxlan.rst
@@ -67,15 +67,27 @@ VXLAN specific options
Source IP address used for VXLAN underlay. This is mandatory when using VXLAN
via L2VPN/EVPN.
-.. cfgcmd:: set interfaces vxlan <interface> external
+.. cfgcmd:: set interfaces vxlan <interface> gpe
+
+ Enables the Generic Protocol extension (VXLAN-GPE). Currently, this is only
+ supported together with the external keyword.
+
+.. cfgcmd:: set interfaces vxlan <interface> parameters external
Specifies whether an external control plane (e.g. BGP L2VPN/EVPN) or the
internal FDB should be used.
-.. cfgcmd:: set interfaces vxlan <interface> gpe
+.. cfgcmd:: set interfaces vxlan <interface> parameters neighbor-suppress
- Eenables the Generic Protocol extension (VXLAN-GPE). Currently, this is only
- supported together with the external keyword.
+ In order to minimize the flooding of ARP and ND messages in the VXLAN network,
+ EVPN includes provisions :rfc:`7432#section-10` that allow participating VTEPs
+ to suppress such messages in case they know the MAC-IP binding and can reply
+ on behalf of the remote host.
+
+.. cfgcmd:: set interfaces vxlan <interface> parameters nolearning
+
+ Specifies if unknown source link layer addresses and IP addresses are entered
+ into the VXLAN device forwarding database.
Unicast
^^^^^^^
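Review bot: the text moved under `gpe` still says it is "only supported together with the external keyword", but this same hunk relocates that keyword to `parameters external`; point the sentence at the new path so it does not describe an option that no longer exists. The `parameters nolearning` entry reads "Specifies if unknown source link layer addresses and IP addresses are entered into the VXLAN device forwarding database" for a node that takes no value; say what setting the flag does (it stops unknown source addresses from being learned into the FDB), otherwise the reader cannot tell which direction the option acts in.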
@@ -155,7 +167,7 @@ interface is no longer required for each VNI.
.. code-block:: none
set interfaces bridge br0 member interface vxlan0
- set interfaces vxlan vxlan0 external
+ set interfaces vxlan vxlan0 parameters external
set interfaces vxlan vxlan0 source-interface 'dum0'
set interfaces vxlan vxlan0 vlan-to-vni 10 vni '10010'
set interfaces vxlan vxlan0 vlan-to-vni 11 vni '10011'
diff --git a/docs/configuration/nat/nat44.rst b/docs/configuration/nat/nat44.rst
index c660f8f4..b42c6cfe 100644
--- a/docs/configuration/nat/nat44.rst
+++ b/docs/configuration/nat/nat44.rst
@@ -148,23 +148,35 @@ rule.
* **outbound-interface** - applicable only to :ref:`source-nat`. It
configures the interface which is used for the outside traffic that
- this translation rule applies to.
+ this translation rule applies to. Interface groups, inverted
+ selection and wildcard, are also supported.
- Example:
+ Examples:
.. code-block:: none
- set nat source rule 20 outbound-interface eth0
+ set nat source rule 20 outbound-interface name eth0
+ set nat source rule 30 outbound-interface name bond1*
+ set nat source rule 20 outbound-interface name !vtun2
+ set nat source rule 20 outbound-interface group GROUP1
+ set nat source rule 20 outbound-interface group !GROUP2
+
* **inbound-interface** - applicable only to :ref:`destination-nat`. It
configures the interface which is used for the inside traffic the
- translation rule applies to.
+ translation rule applies to. Interface groups, inverted
+ selection and wildcard, are also supported.
Example:
.. code-block:: none
- set nat destination rule 20 inbound-interface eth1
+ set nat destination rule 20 inbound-interface name eth0
+ set nat destination rule 30 inbound-interface name bond1*
+ set nat destination rule 20 inbound-interface name !vtun2
+ set nat destination rule 20 inbound-interface group GROUP1
+ set nat destination rule 20 inbound-interface group !GROUP2
+
* **protocol** - specify which types of protocols this translation rule
applies to. Only packets matching the specified protocol are NATed.
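Review bot: the new examples reuse rule 20 for four different selectors (`name eth0`, `name !vtun2`, `group GROUP1`, `group !GROUP2`); typed in order these set the same node of the same rule, so only the last one survives and the point that a rule takes one selector is lost. Give each its own rule number as the `bond1*` line already does (20, 30, 40, 50), in both the source and destination lists. Two smaller things: the first heading became "Examples:" while the inbound-interface one was left as "Example:", and the comma in "inverted selection and wildcard, are also supported" should be removed.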
@@ -323,7 +335,7 @@ demonstrate the following configuration:
.. code-block:: none
- set nat source rule 100 outbound-interface 'eth0'
+ set nat source rule 100 outbound-interface name 'eth0'
set nat source rule 100 source address '192.168.0.0/24'
set nat source rule 100 translation address 'masquerade'
@@ -332,7 +344,9 @@ Which generates the following configuration:
.. code-block:: none
rule 100 {
- outbound-interface eth0
+ outbound-interface {
+ name eth0
+ }
source {
address 192.168.0.0/24
}
@@ -424,19 +438,19 @@ Example:
set nat destination rule 100 description 'Regular destination NAT from external'
set nat destination rule 100 destination port '3389'
- set nat destination rule 100 inbound-interface 'pppoe0'
+ set nat destination rule 100 inbound-interface name 'pppoe0'
set nat destination rule 100 protocol 'tcp'
set nat destination rule 100 translation address '192.0.2.40'
set nat destination rule 110 description 'NAT Reflection: INSIDE'
set nat destination rule 110 destination port '3389'
- set nat destination rule 110 inbound-interface 'eth0.10'
+ set nat destination rule 110 inbound-interface name 'eth0.10'
set nat destination rule 110 protocol 'tcp'
set nat destination rule 110 translation address '192.0.2.40'
set nat source rule 110 description 'NAT Reflection: INSIDE'
set nat source rule 110 destination address '192.0.2.0/24'
- set nat source rule 110 outbound-interface 'eth0.10'
+ set nat source rule 110 outbound-interface name 'eth0.10'
set nat source rule 110 protocol 'tcp'
set nat source rule 110 source address '192.0.2.0/24'
set nat source rule 110 translation address 'masquerade'
@@ -452,7 +466,9 @@ Which results in a configuration of:
destination {
port 3389
}
- inbound-interface pppoe0
+ inbound-interface {
+ name pppoe0
+ }
protocol tcp
translation {
address 192.0.2.40
@@ -463,7 +479,9 @@ Which results in a configuration of:
destination {
port 3389
}
- inbound-interface eth0.10
+ inbound-interface {
+ name eth0.10
+ }
protocol tcp
translation {
address 192.0.2.40
@@ -476,7 +494,9 @@ Which results in a configuration of:
destination {
address 192.0.2.0/24
}
- outbound-interface eth0.10
+ outbound-interface {
+ name eth0.10
+ }
protocol tcp
source {
address 192.0.2.0/24
@@ -515,7 +535,7 @@ Our configuration commands would be:
set nat destination rule 10 description 'Port Forward: HTTP to 192.168.0.100'
set nat destination rule 10 destination port '80'
- set nat destination rule 10 inbound-interface 'eth0'
+ set nat destination rule 10 inbound-interface name 'eth0'
set nat destination rule 10 protocol 'tcp'
set nat destination rule 10 translation address '192.168.0.100'
@@ -530,7 +550,9 @@ Which would generate the following NAT destination configuration:
destination {
port 80
}
- inbound-interface eth0
+ inbound-interface {
+ name eth0
+ }
protocol tcp
translation {
address 192.168.0.100
@@ -546,43 +568,45 @@ Which would generate the following NAT destination configuration:
This establishes our Port Forward rule, but if we created a firewall
policy it will likely block the traffic.
-It is important to note that when creating firewall rules that the DNAT
+Firewall rules for Destination NAT
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+It is important to note that when creating firewall rules, the DNAT
translation occurs **before** traffic traverses the firewall. In other
words, the destination address has already been translated to
192.168.0.100.
-So in our firewall policy, we want to allow traffic coming in on the
-outside interface, destined for TCP port 80 and the IP address of
-192.168.0.100.
+So in our firewall ruleset, we want to allow traffic which previously matched
+a destination nat rule. In order to avoid creating many rules, one for each
+destination nat rule, we can accept all **'dnat'** connections with one simple
+rule, using ``connection-status`` matcher:
.. code-block:: none
- set firewall name OUTSIDE-IN rule 20 action 'accept'
- set firewall name OUTSIDE-IN rule 20 destination address '192.168.0.100'
- set firewall name OUTSIDE-IN rule 20 destination port '80'
- set firewall name OUTSIDE-IN rule 20 protocol 'tcp'
- set firewall name OUTSIDE-IN rule 20 state new 'enable'
+ set firewall ipv4 forward filter rule 10 action accept
+ set firewall ipv4 forward filter rule 10 connection-status nat destination
+ set firewall ipv4 forward filter rule 10 state new enable
This would generate the following configuration:
.. code-block:: none
- rule 20 {
- action accept
- destination {
- address 192.168.0.100
- port 80
- }
- protocol tcp
- state {
- new enable
+ ipv4 {
+ forward {
+ filter {
+ rule 10 {
+ action accept
+ connection-status {
+ nat destination
+ }
+ state {
+ new enable
+ }
+ }
+ }
}
}
-.. note::
-
- If you have configured the `INSIDE-OUT` policy, you will need to add
- additional rules to permit inbound NAT traffic.
1-to-1 NAT
----------
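Review bot: replacing the rule that matched 192.168.0.100 on tcp/80 with an accept on `connection-status nat destination` makes the NAT table the only control over what is reachable from outside: any destination NAT rule, including one added later by mistake or with too wide a match, is let through by the firewall without a second check. Keep the blanket rule as the convenient option, but add a sentence that readers wanting defence in depth should still constrain the accept by inbound interface, destination address and port, or keep one rule per service as the removed text did. The phrase "accept all **'dnat'** connections" should just read "accept all connections that were destination-NATed".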
@@ -610,10 +634,10 @@ and one external interface:
set interfaces ethernet eth1 description 'Outside interface'
set nat destination rule 2000 description '1-to-1 NAT example'
set nat destination rule 2000 destination address '192.0.2.30'
- set nat destination rule 2000 inbound-interface 'eth1'
+ set nat destination rule 2000 inbound-interface name 'eth1'
set nat destination rule 2000 translation address '192.168.1.10'
set nat source rule 2000 description '1-to-1 NAT example'
- set nat source rule 2000 outbound-interface 'eth1'
+ set nat source rule 2000 outbound-interface name 'eth1'
set nat source rule 2000 source address '192.168.1.10'
set nat source rule 2000 translation address '192.0.2.30'
@@ -639,7 +663,7 @@ We will use source and destination address for hash generation.
.. code-block:: none
- set nat destination rule 10 inbound-interface eth0
+ set nat destination rule 10 inbound-interface inbound-interface eth0
set nat destination rule 10 protocol tcp
set nat destination rule 10 destination port 80
set nat destination rule 10 load-balance hash source-address
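Review bot: the changed line `set nat destination rule 10 inbound-interface inbound-interface eth0` repeats the keyword and will not be accepted; it should read `set nat destination rule 10 inbound-interface name eth0`, matching every other conversion in this patch.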
@@ -655,7 +679,7 @@ We will generate the hash randomly.
.. code-block:: none
- set nat source rule 10 outbound-interface eth0
+ set nat source rule 10 outbound-interface name eth0
set nat source rule 10 source address 10.0.0.0/8
set nat source rule 10 load-balance hash random
set nat source rule 10 load-balance backend 192.0.2.251 weight 33
@@ -709,12 +733,10 @@ NAT Configuration
set nat source rule 110 description 'Internal to ASP'
set nat source rule 110 destination address '172.27.1.0/24'
- set nat source rule 110 outbound-interface 'any'
set nat source rule 110 source address '192.168.43.0/24'
set nat source rule 110 translation address '172.29.41.89'
set nat source rule 120 description 'Internal to ASP'
set nat source rule 120 destination address '10.125.0.0/16'
- set nat source rule 120 outbound-interface 'any'
set nat source rule 120 source address '192.168.43.0/24'
set nat source rule 120 translation address '172.29.41.89'
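Review bot: the two `outbound-interface 'any'` lines are deleted rather than converted, leaving rules 110 and 120 with no interface qualifier at all. If a source NAT rule without `outbound-interface` is meant to match traffic leaving any interface, say so in the text around this example; the old keyword made that explicit, and someone converting a 1.3 configuration will look for its equivalent and may assume the qualifier was dropped by accident.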
diff --git a/docs/configuration/vpn/ipsec.rst b/docs/configuration/vpn/ipsec.rst
index c91feea0..ece06fa2 100644
--- a/docs/configuration/vpn/ipsec.rst
+++ b/docs/configuration/vpn/ipsec.rst
@@ -161,11 +161,11 @@ Options (Global IPsec settings) Attributes
* ``disable-route-autoinstall`` Do not automatically install routes to remote networks;
- * ``flexvpn`` Allow FlexVPN vendor ID payload (IKEv2 only). Send the Cisco FlexVPN vendor ID payload (IKEv2 only), which is required in order to make Cisco brand devices allow negotiating a local traffic selector (from strongSwan's point of view) that is not the assigned virtual IP address if such an address is requested by strongSwan. Sending the Cisco FlexVPN vendor ID prevents the peer from narrowing the initiator's local traffic selector and allows it to e.g. negotiate a TS of 0.0.0.0/0 == 0.0.0.0/0 instead. This has been tested with a "tunnel mode ipsec ipv4" Cisco template but should also work for GRE encapsulation;
+ * ``flexvpn`` Allows FlexVPN vendor ID payload (IKEv2 only). Send the Cisco FlexVPN vendor ID payload (IKEv2 only), which is required in order to make Cisco brand devices allow negotiating a local traffic selector (from strongSwan's point of view) that is not the assigned virtual IP address if such an address is requested by strongSwan. Sending the Cisco FlexVPN vendor ID prevents the peer from narrowing the initiator's local traffic selector and allows it to e.g. negotiate a TS of 0.0.0.0/0 == 0.0.0.0/0 instead. This has been tested with a "tunnel mode ipsec ipv4" Cisco template but should also work for GRE encapsulation;
* ``interface`` Interface Name to use. The name of the interface on which virtual IP addresses should be installed. If not specified the addresses will be installed on the outbound interface;
- * ``virtual-ip`` Allow install virtual-ip addresses. Comma separated list of virtual IPs to request in IKEv2 configuration payloads or IKEv1 Mode Config. The wildcard addresses 0.0.0.0 and :: request an arbitrary address, specific addresses may be defined. The responder may return a different address, though, or none at all.
+ * ``virtual-ip`` Allows to install virtual-ip addresses. Comma separated list of virtual IPs to request in IKEv2 configuration payloads or IKEv1 Mode Config. The wildcard addresses 0.0.0.0 and :: request an arbitrary address, specific addresses may be defined. The responder may return a different address, though, or none at all. Define the ``virtual-address`` option to configure the IP address in site-to-site hierarchy.
*************************
IPsec policy matching GRE
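Review bot: changing "Allow" to "Allows" leaves the `flexvpn` entry saying the same thing twice ("Allows FlexVPN vendor ID payload (IKEv2 only). Send the Cisco FlexVPN vendor ID payload (IKEv2 only), ..."); drop the first sentence or fold it into the second. "Allows to install virtual-ip addresses" is not grammatical; use "Install virtual IP addresses" or "Allows installing virtual IP addresses". The new cross-reference to ``virtual-address`` should give the full command path under the site-to-site peer node rather than "in site-to-site hierarchy", so readers can find the option.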
diff --git a/docs/configuration/vpn/site2site_ipsec.rst b/docs/configuration/vpn/site2site_ipsec.rst
index 57b45181..2b3403f5 100644
--- a/docs/configuration/vpn/site2site_ipsec.rst
+++ b/docs/configuration/vpn/site2site_ipsec.rst
@@ -149,6 +149,10 @@ Each site-to-site peer has the next options:
* ``esp-group`` - define ESP group for encrypt traffic, passed this VTI
interface.
+* ``virtual-address`` - Defines a virtual IP address which is requested by the
+ initiator and one or several IPv4 and/or IPv6 addresses are assigned from
+ multiple pools by the responder.
+
Examples:
------------------
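Review bot: the `virtual-address` description runs two subjects into one sentence ("a virtual IP address which is requested by the initiator and one or several IPv4 and/or IPv6 addresses are assigned from multiple pools by the responder"). Split it: the initiator requests a virtual address (0.0.0.0 or :: for any address, as the ipsec.rst text says), and the responder may assign one or more IPv4/IPv6 addresses from its pools, a different address than requested, or none at all. That last point belongs here because routes and firewall rules written for a particular assigned address will silently not match if the responder hands out something else.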
diff --git a/docs/contributing/build-vyos.rst b/docs/contributing/build-vyos.rst
index 80f800c2..bb212e2f 100644
--- a/docs/contributing/build-vyos.rst
+++ b/docs/contributing/build-vyos.rst
@@ -92,8 +92,8 @@ The container can also be built directly from source:
$ git clone -b crux --single-branch https://github.com/vyos/vyos-build
# For VyOS 1.3 (equuleus)
$ git clone -b equuleus --single-branch https://github.com/vyos/vyos-build
- # For VyOS 1.4 (sagitta, current)
- $ git clone -b current --single-branch https://github.com/vyos/vyos-build
+ # For VyOS 1.4 (sagitta)
+ $ git clone -b sagitta --single-branch https://github.com/vyos/vyos-build
$ cd vyos-build
$ docker build -t vyos/vyos-build:crux docker # For VyOS 1.2
@@ -151,7 +151,7 @@ following Debian versions installed:
- Debian Jessie for VyOS 1.2 (crux)
- Debian Buster for VyOS 1.3 (equuleus)
-- Debian Bullseye for VyOS 1.4 (sagitta, current) - aka the rolling release
+- Debian Bullseye for VyOS 1.4 (sagitta)
To start, clone the repository to your local machine:
@@ -163,8 +163,8 @@ To start, clone the repository to your local machine:
# For VyOS 1.3 (equuleus)
$ git clone -b equuleus --single-branch https://github.com/vyos/vyos-build
- # For VyOS 1.4 (sagitta, current)
- $ git clone -b current --single-branch https://github.com/vyos/vyos-build
+ # For VyOS 1.4 (sagitta)
+ $ git clone -b sagitta --single-branch https://github.com/vyos/vyos-build
For the packages required, you can refer to the ``docker/Dockerfile`` file
@@ -193,8 +193,8 @@ Please note as this will differ for both `current` and `crux`.
# For VyOS 1.3 (equuleus)
$ git clone -b equuleus --single-branch https://github.com/vyos/vyos-build
- # For VyOS 1.4 (sagitta, current)
- $ git clone -b current --single-branch https://github.com/vyos/vyos-build
+ # For VyOS 1.4 (sagitta)
+ $ git clone -b sagitta --single-branch https://github.com/vyos/vyos-build
Now a fresh build of the VyOS ISO can begin. Change directory to the
``vyos-build`` directory and run:
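Review bot: the context sentence for this hunk still reads "Please note as this will differ for both `current` and `crux`" while the hunk below replaces `current` with `sagitta` for 1.4; update that sentence and the other remaining mentions of `current` in this file so the branch names agree. If `current` is now a separate, newer release rather than an alias for 1.4, these clone and docker lists should gain an entry for it instead of just losing the word, otherwise readers building the rolling release no longer know which branch or image tag to use.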
@@ -208,8 +208,8 @@ Now a fresh build of the VyOS ISO can begin. Change directory to the
# For VyOS 1.3 (equuleus)
$ docker run --rm -it --privileged -v $(pwd):/vyos -w /vyos vyos/vyos-build:equuleus bash
- # For VyOS 1.4 (sagitta, current)
- $ docker run --rm -it --privileged -v $(pwd):/vyos -w /vyos vyos/vyos-build:current bash
+ # For VyOS 1.4 (sagitta)
+ $ docker run --rm -it --privileged -v $(pwd):/vyos -w /vyos vyos/vyos-build:sagitta bash
.. code-block:: none
diff --git a/requirements.txt b/requirements.txt
index 9ca1cac2..a433b957 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -3,6 +3,6 @@ Sphinx==4.5.0
sphinx-rtd-theme==1.0.0
sphinx-autobuild==2021.3.14
sphinx-notfound-page==0.8
-lxml==4.9.1
+lxml==4.8.0
myst-parser==0.17.1
sphinx-panels==0.6.0
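Review bot: lxml is pinned back from 4.9.1 to 4.8.0 with no rationale in the change; a downgrade of an XML parsing dependency should state what broke on 4.9.1 and confirm that no fixes shipped in 4.9.x are being given up, otherwise the next routine dependency bump will quietly undo it and nobody will know whether that is safe.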