Diffstat (limited to 'docs/configuration/vpn')
| -rw-r--r-- | docs/configuration/vpn/dmvpn.rst | 4 |
| -rw-r--r-- | docs/configuration/vpn/ipsec.rst | 8 |
| -rw-r--r-- | docs/configuration/vpn/openconnect.rst | 33 |
| -rw-r--r-- | docs/configuration/vpn/site2site_ipsec.rst | 40 |
4 files changed, 68 insertions, 17 deletions
diff --git a/docs/configuration/vpn/dmvpn.rst b/docs/configuration/vpn/dmvpn.rst index 66fc79da..6680d46a 100644 --- a/docs/configuration/vpn/dmvpn.rst +++ b/docs/configuration/vpn/dmvpn.rst @@ -191,7 +191,7 @@ Hub    set interfaces tunnel tun100 address '172.16.253.134/29'    set interfaces tunnel tun100 encapsulation 'gre'    set interfaces tunnel tun100 local-ip '192.0.2.1' -  set interfaces tunnel tun100 multicast 'enable' +  set interfaces tunnel tun100 enable-multicast    set interfaces tunnel tun100 parameters ip key '1'    set protocols nhrp tunnel tun100 cisco-authentication 'secret' @@ -298,7 +298,7 @@ VyOS can also run in DMVPN spoke mode.    set interfaces tunnel tun100 address '172.16.253.133/29'    set interfaces tunnel tun100 local-ip 0.0.0.0    set interfaces tunnel tun100 encapsulation 'gre' -  set interfaces tunnel tun100 multicast 'enable' +  set interfaces tunnel tun100 enable-multicast    set interfaces tunnel tun100 parameters ip key '1'    set protocols nhrp tunnel tun100 cisco-authentication 'secret' diff --git a/docs/configuration/vpn/ipsec.rst b/docs/configuration/vpn/ipsec.rst index 4721cbcd..327f3abb 100644 --- a/docs/configuration/vpn/ipsec.rst +++ b/docs/configuration/vpn/ipsec.rst @@ -111,6 +111,8 @@ VyOS IKE group has the next options:   * ``hash`` hash algorithm. + * ``prf`` pseudo-random function. +  ***********************************************  ESP (Encapsulating Security Payload) Attributes  *********************************************** @@ -200,6 +202,11 @@ On the LEFT:    ## IPsec    set vpn ipsec interface eth0 +  # Pre-shared-secret +  set vpn ipsec authentication psk vyos id 192.0.2.10 +  set vpn ipsec authentication psk vyos id 203.0.113.45 +  set vpn ipsec authentication psk vyos secret MYSECRETKEY +    # IKE group    set vpn ipsec ike-group MyIKEGroup proposal 1 dh-group '2'    set vpn ipsec ike-group MyIKEGroup proposal 1 encryption 'aes128' 
@@ -211,7 +218,6 @@ On the LEFT:    # IPsec tunnel    set vpn ipsec site-to-site peer right authentication mode pre-shared-secret -  set vpn ipsec site-to-site peer right authentication pre-shared-secret MYSECRETKEY    set vpn ipsec site-to-site peer right authentication remote-id 203.0.113.45    set vpn ipsec site-to-site peer right ike-group MyIKEGroup diff --git a/docs/configuration/vpn/openconnect.rst b/docs/configuration/vpn/openconnect.rst index 1b48571d..1b4d4b4c 100644 --- a/docs/configuration/vpn/openconnect.rst +++ b/docs/configuration/vpn/openconnect.rst @@ -56,7 +56,7 @@ Server Configuration    set vpn openconnect ssl passphrase <pki-password>  2FA OTP support  -==================== +===============  Instead of password only authentication, 2FA password   authentication + OTP key can be used. Alternatively, OTP authentication only, 
@@ -221,3 +221,34 @@ To display the configured OTP user settings, use the command:  .. code-block:: none    show openconnect-server user <username> otp <full|key-b32|key-hex|qrcode|uri> + +Configuring RADIUS accounting +============================= + +OpenConnect can be configured to send accounting information to a +RADIUS server to capture user session data such as time of +connect/disconnect, data transferred, and so on. + +Configure an accounting server and enable accounting with: + +.. code-block:: none + +  set vpn openconnect accounting mode radius +  set vpn openconnect accounting radius server 172.20.20.10 +  set vpn openconnect accounting radius server 172.20.20.10 port 1813 +  set vpn openconnect accounting radius server 172.20.20.10 key your_radius_secret + +.. warning:: The RADIUS accounting feature must be used with the OpenConnect +  authentication mode RADIUS. It cannot be used with local authentication. +  You must configure the OpenConnect authentication mode to "radius". + +An example of the data captured by a FREERADIUS server with sql accounting: + +.. 
code-block:: none + +  mysql> SELECT username, nasipaddress, acctstarttime, acctstoptime, acctinputoctets, acctoutputoctets, callingstationid, framedipaddress, connectinfo_start FROM radacct; +  +----------+---------------+---------------------+---------------------+-----------------+------------------+-------------------+-----------------+-----------------------------------+ +  | username | nasipaddress  | acctstarttime       | acctstoptime        | acctinputoctets | acctoutputoctets | callingstationid  | framedipaddress | connectinfo_start                 | +  +----------+---------------+---------------------+---------------------+-----------------+------------------+-------------------+-----------------+-----------------------------------+ +  | test     | 198.51.100.15 | 2023-01-13 00:59:15 | 2023-01-13 00:59:21 |           10606 |              152 | 192.168.6.1       | 172.20.20.198   | Open AnyConnect VPN Agent v8.05-1 | +  +----------+---------------+---------------------+---------------------+-----------------+------------------+-------------------+-----------------+-----------------------------------+ diff --git a/docs/configuration/vpn/site2site_ipsec.rst b/docs/configuration/vpn/site2site_ipsec.rst index bc30a711..e89d25c6 100644 --- a/docs/configuration/vpn/site2site_ipsec.rst +++ b/docs/configuration/vpn/site2site_ipsec.rst 
@@ -18,23 +18,29 @@ Each site-to-site peer has the next options:  * ``authentication`` - configure authentication between VyOS and a remote peer.    Suboptions: + * ``psk`` - Preshared secret key name: + +  * ``dhcp-interface`` - ID for authentication generated from DHCP address  +    dynamically; +  * ``id`` - static ID's for authentication. In general local and remote  +    address ``<x.x.x.x>``, ``<h:h:h:h:h:h:h:h>`` or ``%any``; +  * ``secret`` - predefined shared secret. Used if configured mode  +    ``pre-shared-secret``; + +   * ``local-id`` - ID for the local VyOS router. If defined, during the     authentication     it will be send to remote peer;   * ``mode`` - mode for authentication between VyOS and remote peer: -  * ``pre-shared-secret`` - use predefined shared secret phrase, must be the -    same for local and remote side; +  * ``pre-shared-secret`` - use predefined shared secret phrase;    * ``rsa`` - use simple shared RSA key. The key must be defined in the      ``set vpn rsa-keys`` section;    * ``x509`` - use certificates infrastructure for authentication. - * ``pre-shared-secret`` - predefined shared secret. Used if configured -   ``mode pre-shared-secret``; -   * ``remote-id`` - define an ID for remote peer, instead of using peer name or     address. Useful in case if the remote peer is behind NAT or if ``mode x509``     is used; @@ -161,6 +167,9 @@ Example:  .. code-block:: none    # server config +  set vpn ipsec authentication psk OFFICE-B id '198.51.100.3' +  set vpn ipsec authentication psk OFFICE-B id '203.0.113.2' +  set vpn ipsec authentication psk OFFICE-B secret 'SomePreSharedKey'    set vpn ipsec esp-group office-srv-esp lifetime '1800'    set vpn ipsec esp-group office-srv-esp mode 'tunnel'    set vpn ipsec esp-group office-srv-esp pfs 'enable' 
@@ -171,8 +180,8 @@ Example:    set vpn ipsec ike-group office-srv-ike proposal 1 encryption 'aes256'    set vpn ipsec ike-group office-srv-ike proposal 1 hash 'sha1'    set vpn ipsec interface 'eth1' +  set vpn ipsec site-to-site peer OFFICE-B authentication local-id '198.51.100.3'    set vpn ipsec site-to-site peer OFFICE-B authentication mode 'pre-shared-secret' -  set vpn ipsec site-to-site peer OFFICE-B authentication pre-shared-secret 'SomePreSharedKey'    set vpn ipsec site-to-site peer OFFICE-B authentication remote-id '203.0.113.2'    set vpn ipsec site-to-site peer OFFICE-B ike-group 'office-srv-ike'    set vpn ipsec site-to-site peer OFFICE-B local-address '198.51.100.3' @@ -182,6 +191,9 @@ Example:    set vpn ipsec site-to-site peer OFFICE-B tunnel 0 remote prefix '10.0.0.0/21'    # remote office config +  set vpn ipsec authentication psk OFFICE-A id '198.51.100.3' +  set vpn ipsec authentication psk OFFICE-A id '203.0.113.2' +  set vpn ipsec authentication psk OFFICE-A secret 'SomePreSharedKey'    set vpn ipsec esp-group office-srv-esp lifetime '1800'    set vpn ipsec esp-group office-srv-esp mode 'tunnel'    set vpn ipsec esp-group office-srv-esp pfs 'enable' @@ -192,8 +204,8 @@ Example:    set vpn ipsec ike-group office-srv-ike proposal 1 encryption 'aes256'    set vpn ipsec ike-group office-srv-ike proposal 1 hash 'sha1'    set vpn ipsec interface 'eth1' +  set vpn ipsec site-to-site peer OFFICE-A authentication local-id '203.0.113.2'    set vpn ipsec site-to-site peer OFFICE-A authentication mode 'pre-shared-secret' -  set vpn ipsec site-to-site peer OFFICE-A authentication pre-shared-secret 'SomePreSharedKey'    set vpn ipsec site-to-site peer OFFICE-A authentication remote-id '198.51.100.3'    set vpn ipsec site-to-site peer OFFICE-A ike-group 'office-srv-ike'    set vpn ipsec site-to-site peer OFFICE-A local-address '203.0.113.2' 
@@ -279,6 +291,9 @@ Imagine the following topology    set interfaces vti vti10 address '10.0.0.2/31' +  set vpn ipsec authentication psk OFFICE-B id '172.18.201.10' +  set vpn ipsec authentication psk OFFICE-B id '172.18.202.10' +  set vpn ipsec authentication psk OFFICE-B secret 'secretkey'    set vpn ipsec esp-group ESP_DEFAULT lifetime '3600'    set vpn ipsec esp-group ESP_DEFAULT mode 'tunnel'    set vpn ipsec esp-group ESP_DEFAULT pfs 'dh-group19' @@ -293,7 +308,6 @@ Imagine the following topology    set vpn ipsec interface 'eth0.201'    set vpn ipsec site-to-site peer OFFICE-B authentication local-id '172.18.201.10'    set vpn ipsec site-to-site peer OFFICE-B authentication mode 'pre-shared-secret' -  set vpn ipsec site-to-site peer OFFICE-B authentication pre-shared-secret 'secretkey'    set vpn ipsec site-to-site peer OFFICE-B authentication remote-id '172.18.202.10'    set vpn ipsec site-to-site peer OFFICE-B connection-type 'respond'    set vpn ipsec site-to-site peer OFFICE-B ike-group 'IKEv2_DEFAULT' @@ -308,6 +322,9 @@ Imagine the following topology    set interfaces vti vti10 address '10.0.0.3/31' +  set vpn ipsec authentication psk OFFICE-A id '172.18.201.10' +  set vpn ipsec authentication psk OFFICE-A id '172.18.202.10' +  set vpn ipsec authentication psk OFFICE-A secret 'secretkey'    set vpn ipsec esp-group ESP_DEFAULT lifetime '3600'    set vpn ipsec esp-group ESP_DEFAULT mode 'tunnel'    set vpn ipsec esp-group ESP_DEFAULT pfs 'dh-group19' 
@@ -325,7 +342,6 @@ Imagine the following topology    set vpn ipsec interface 'eth0.202'    set vpn ipsec site-to-site peer OFFICE-A authentication local-id '172.18.202.10'    set vpn ipsec site-to-site peer OFFICE-A authentication mode 'pre-shared-secret' -  set vpn ipsec site-to-site peer OFFICE-A authentication pre-shared-secret 'secretkey'    set vpn ipsec site-to-site peer OFFICE-A authentication remote-id '172.18.201.10'    set vpn ipsec site-to-site peer OFFICE-A connection-type 'initiate'    set vpn ipsec site-to-site peer OFFICE-A ike-group 'IKEv2_DEFAULT' @@ -375,9 +391,7 @@ Key Parameters:    Below flow-chart could be a quick reference for the close-action     combination depending on how the peer is configured.    -    -.. image:: /_static/images/IPSec_close_action_settings.jpg -   :width: 50% -   :align: center + +.. figure:: /_static/images/IPSec_close_action_settings.jpg    Similar combinations are applicable for the dead-peer-detection.  | 
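Review bot: the `multicast 'enable'` to `enable-multicast` rename in dmvpn.rst (hunks at `@@ -191` and `@@ -298`) only touches the Hub and spoke example blocks; please confirm no other occurrence of the old `multicast` keyword remains elsewhere in the file or in the other VPN pages, since the diffstat is limited to `docs/configuration/vpn` and a half-renamed keyword is worse than the old one.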
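Review bot: the new ``prf`` entry in the IKE group option list (ipsec.rst, `@@ -111,6 +111,8 @@`) reads only "pseudo-random function" and, unlike the neighbouring ``hash`` entry it mirrors, gives no hint of which algorithms it accepts or whether it is optional; suggest listing the accepted values (or pointing at the same list as ``hash``) and saying what happens when it is left unset.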
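Review bot: after the pre-shared key moves out of the peer block (ipsec.rst, hunks at `@@ -200` and `@@ -211`), the LEFT example never states how the `psk vyos` entry is tied to `peer right`; the only link is that its two `id` values (192.0.2.10 and 203.0.113.45) are the local and remote addresses, yet the peer block keeps just `remote-id 203.0.113.45` and, unlike the site2site example in this same patch, gains no `authentication local-id` line. Suggest adding `set vpn ipsec site-to-site peer right authentication local-id 192.0.2.10` and a one-line comment that the psk is selected by its `id` values, so readers do not have to reconstruct the matching themselves. The hunk also changes only the LEFT side: if the RIGHT side of the example still carries the removed `authentication pre-shared-secret` line, it needs the same edit.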
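Review bot: the `.. warning::` block in the new RADIUS accounting section (openconnect.rst, `@@ -221,3 +221,34 @@`) states the same requirement three times; collapse it to one sentence such as "RADIUS accounting requires the OpenConnect authentication mode to be ``radius``; it cannot be combined with local authentication." Two smaller points in the same hunk: "FREERADIUS server with sql accounting" should read "FreeRADIUS server with SQL accounting", and the literal `your_radius_secret` in the `key` line would be clearer in the angle-bracket placeholder style the file already uses (`<pki-password>` in the hunk at `@@ -56`), so nobody copies it into a production config.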
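Review bot: the rewritten ``pre-shared-secret`` mode entry (site2site_ipsec.rst, `@@ -18,23 +18,29 @@`) drops the clause "must be the same for local and remote side", but that constraint still holds for the new ``secret`` suboption, so move it there instead of deleting it, e.g. "* ``secret`` - predefined shared secret; must be identical on both peers. Used when ``mode pre-shared-secret`` is configured;". Style points in the same hunk: "static ID's" should be "static IDs", "Used if configured mode ``pre-shared-secret``" reads awkwardly, the added ``dhcp-interface``, ``id`` and ``secret`` lines and the `+ ` blank lines carry trailing whitespace, and the two consecutive blank lines before ``local-id`` can be one.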
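Review bot: in the OFFICE-A/OFFICE-B example (site2site_ipsec.rst, hunks at `@@ -161` through `@@ -192`) the psk name on each side equals the peer name and the new `authentication local-id` lines (198.51.100.3 on the server, 203.0.113.2 at the remote office) together with the existing `remote-id` lines cover exactly the two `id` values given to the psk; that relationship is what makes the example work but nothing in the hunk says so. A short comment next to the three `authentication psk` lines stating that the `id` values must cover the peer's local-id and remote-id would save readers the reconstruction. The same applies to the VTI example hunks (`@@ -279` through `@@ -325`), where the `local-id` lines were already present. Unrelated to this patch but visible in its context on both sides: `proposal 1 hash 'sha1'` is worth a follow-up change to a stronger hash in the example.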
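Review bot: replacing `.. image::` with `.. figure::` (site2site_ipsec.rst, `@@ -375,9 +391,7 @@`) also removes the `:width: 50%` and `:align: center` options, so the close-action flow-chart will now render at full width and left-aligned; if that is not intended, keep both options under the new directive, where they are equally valid. A `.. figure::` also expects a caption paragraph after the options; either add one (the sentence "Below flow-chart could be a quick reference for the close-action combination ..." from the context is a natural candidate) or stay with `.. image::`. The removed lines also show the trailing-whitespace-only lines this hunk cleans up, which is welcome.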
