Diffstat (limited to 'docs/configuration/vpn')
-rw-r--r--docs/configuration/vpn/dmvpn.rst336
-rw-r--r--docs/configuration/vpn/index.rst26
-rw-r--r--docs/configuration/vpn/ipsec.rst192
-rw-r--r--docs/configuration/vpn/l2tp.rst232
-rw-r--r--docs/configuration/vpn/openconnect.rst95
-rw-r--r--docs/configuration/vpn/pptp.rst52
-rw-r--r--docs/configuration/vpn/rsa-keys.rst88
-rw-r--r--docs/configuration/vpn/site2site_ipsec.rst346
-rw-r--r--docs/configuration/vpn/sstp.rst353
9 files changed, 1720 insertions, 0 deletions
diff --git a/docs/configuration/vpn/dmvpn.rst b/docs/configuration/vpn/dmvpn.rst
new file mode 100644
index 00000000..f902c388
--- /dev/null
+++ b/docs/configuration/vpn/dmvpn.rst
@@ -0,0 +1,336 @@
+.. _vpn-dmvpn:
+
+#####
+DMVPN
+#####
+
+:abbr:`DMVPN (Dynamic Multipoint Virtual Private Network)` is a dynamic
+:abbr:`VPN (Virtual Private Network)` technology originally developed by Cisco.
+While their implementation was somewhat proprietary, the underlying
+technologies are actually standards based. The three technologies are:
+
+* :abbr:`NHRP (Next Hop Resolution Protocol)` :rfc:`2332`
+* :abbr:`mGRE (Multipoint Generic Routing Encapsulation)` :rfc:`1702`
+* :abbr:`IPSec (IP Security)` - too many RFCs to list, but start with
+ :rfc:`4301`
+
+NHRP provides the dynamic tunnel endpoint discovery mechanism (endpoint
+registration, and endpoint discovery/lookup), mGRE provides the tunnel
+encapsulation itself, and the IPSec protocols handle the key exchange, and
+crypto mechanism.
+
+In short, DMVPN provides the capability for creating a dynamic-mesh VPN
+network without having to pre-configure (static) all possible tunnel end-point
+peers.
+
+.. note:: DMVPN only automates the tunnel endpoint discovery and setup. A
+ complete solution also incorporates the use of a routing protocol. BGP is
+ particularly well suited for use with DMVPN.
+
+.. figure:: /_static/images/vpn_dmvpn_topology01.png
+ :scale: 40 %
+ :alt: Baseline DMVPN topology
+
+ Baseline DMVPN topology
+
+*************
+Configuration
+*************
+
+* Please refer to the :ref:`tunnel-interface` documentation for the individual
+ tunnel related options.
+
+* Please refer to the :ref:`ipsec` documentation for the individual IPSec
+ related options.
+
+.. cfgcmd:: set protocols nhrp tunnel <tunnel> cisco-authentication <secret>
+
+ Enables Cisco style authentication on NHRP packets. This embeds the secret
+ plaintext password to the outgoing NHRP packets. Incoming NHRP packets on
+ this interface are discarded unless the secret password is present. Maximum
+ length of the secret is 8 characters.
+
+.. cfgcmd:: set protocols nhrp tunnel <tunnel> dynamic-map <address>
+ nbma-domain-name <fqdn>
+
+ Specifies that the :abbr:`NBMA (Non-broadcast multiple-access network)`
+ addresses of the next hop servers are defined in the domain name
+ nbma-domain-name. For each A record opennhrp creates a dynamic NHS entry.
+
+ Each dynamic NHS will get a peer entry with the configured network address
+ and the discovered NBMA address.
+
+ The first registration request is sent to the protocol broadcast address, and
+ the server's real protocol address is dynamically detected from the first
+ registration reply.
+
+.. cfgcmd:: set protocols nhrp tunnel <tunnel> holding-time <timeout>
+
+ Specifies the holding time for NHRP Registration Requests and Resolution
+ Replies sent from this interface or shortcut-target. The holdtime is specified
+ in seconds and defaults to two hours.
+
+.. cfgcmd:: set protocols nhrp tunnel <tunnel> map cisco
+
+ If the statically mapped peer is running Cisco IOS, specify the cisco keyword.
+ It is used to fix statically the Registration Request ID so that a matching
+ Purge Request can be sent if NBMA address has changed. This is to work around
+ broken IOS which requires Purge Request ID to match the original Registration
+ Request ID.
+
+.. cfgcmd:: set protocols nhrp tunnel <tunnel> map nbma-address <address>
+
+ Creates static peer mapping of protocol-address to :abbr:`NBMA (Non-broadcast
+ multiple-access network)` address.
+
+ If the IP prefix mask is present, it directs opennhrp to use this peer as a
+ next hop server when sending Resolution Requests matching this subnet.
+
+ This is also known as the HUBs IP address or FQDN.
+
+.. cfgcmd:: set protocols nhrp tunnel <tunnel> map register
+
+ The optional parameter register specifies that Registration Request should be
+ sent to this peer on startup.
+
+ This option is required when running a DMVPN spoke.
+
+.. cfgcmd:: set protocols nhrp tunnel <tunnel> multicast <dynamic | nhs>
+
+ Determines how opennhrp daemon should soft switch the multicast traffic.
+ Currently, multicast traffic is captured by opennhrp daemon using a packet
+ socket, and resent back to proper destinations. This means that multicast
+ packet sending is CPU intensive.
+
+ Specfying nhs makes all multicast packets to be repeated to each statically
+ configured next hop.
+
+ Synamic instructs to forward to all peers which we have a direct connection
+ with. Alternatively, you can specify the directive multiple times for each
+ protocol-address the multicast traffic should be sent to.
+
+ .. warning:: It is very easy to misconfigure multicast repeating if you have
+ multiple NHSes.
+
+.. cfgcmd:: set protocols nhrp tunnel <tunnel> non-caching
+
+ Disables caching of peer information from forwarded NHRP Resolution Reply
+ packets. This can be used to reduce memory consumption on big NBMA subnets.
+
+ .. note:: Currently does not do much as caching is not implemented.
+
+.. cfgcmd:: set protocols nhrp tunnel <tunnel> redirect
+
+ Enable sending of Cisco style NHRP Traffic Indication packets. If this is
+ enabled and opennhrp detects a forwarded packet, it will send a message to
+ the original sender of the packet instructing it to create a direct connection
+ with the destination. This is basically a protocol independent equivalent of
+ ICMP redirect.
+
+.. cfgcmd:: set protocols nhrp tunnel <tunnel> shortcut
+
+ Enable creation of shortcut routes.
+
+ A received NHRP Traffic Indication will trigger the resolution and
+ establishment of a shortcut route.
+
+.. cfgcmd:: set protocols nhrp tunnel <tunnel> shortcut-destination
+
+ This instructs opennhrp to reply with authorative answers on NHRP Resolution
+ Requests destinied to addresses in this interface (instead of forwarding the
+ packets). This effectively allows the creation of shortcut routes to subnets
+ located on the interface.
+
+ When specified, this should be the only keyword for the interface.
+
+.. cfgcmd:: set protocols nhrp tunnel <tunnel> shortcut-target <address>
+
+ Defines an off-NBMA network prefix for which the GRE interface will act as a
+ gateway. This an alternative to defining local interfaces with
+ shortcut-destination flag.
+
+.. cfgcmd:: set protocols nhrp tunnel <tunnel> shortcut-target <address>
+ holding-time <timeout>
+
+ Specifies the holding time for NHRP Registration Requests and Resolution
+ Replies sent from this interface or shortcut-target. The holdtime is specified
+ in seconds and defaults to two hours.
+
+*******
+Example
+*******
+
+
+This blueprint uses VyOS as the DMVPN Hub and Cisco (7206VXR) and VyOS as
+multiple spoke sites. The lab was build using :abbr:`EVE-NG (Emulated Virtual
+Environment NG)`.
+
+.. figure:: /_static/images/blueprint-dmvpn.png
+ :alt: DMVPN network
+
+ DMVPN example network
+
+Each node (Hub and Spoke) uses an IP address from the network 172.16.253.128/29.
+
+The below referenced IP address `192.0.2.1` is used as example address
+representing a global unicast address under which the HUB can be contacted by
+each and every individual spoke.
+
+Configuration
+=============
+
+Hub
+---
+
+.. code-block:: none
+
+ set interfaces ethernet eth0 address 192.0.2.1/24
+
+ set interfaces tunnel tun100 address '172.16.253.134/29'
+ set interfaces tunnel tun100 encapsulation 'gre'
+ set interfaces tunnel tun100 local-ip '192.0.2.1'
+ set interfaces tunnel tun100 multicast 'enable'
+ set interfaces tunnel tun100 parameters ip key '1'
+
+ set protocols nhrp tunnel tun100 cisco-authentication 'secret'
+ set protocols nhrp tunnel tun100 holding-time '300'
+ set protocols nhrp tunnel tun100 multicast 'dynamic'
+ set protocols nhrp tunnel tun100 redirect
+ set protocols nhrp tunnel tun100 shortcut
+
+ set vpn ipsec esp-group ESP-HUB compression 'disable'
+ set vpn ipsec esp-group ESP-HUB lifetime '1800'
+ set vpn ipsec esp-group ESP-HUB mode 'transport'
+ set vpn ipsec esp-group ESP-HUB pfs 'dh-group2'
+ set vpn ipsec esp-group ESP-HUB proposal 1 encryption 'aes256'
+ set vpn ipsec esp-group ESP-HUB proposal 1 hash 'sha1'
+ set vpn ipsec esp-group ESP-HUB proposal 2 encryption '3des'
+ set vpn ipsec esp-group ESP-HUB proposal 2 hash 'md5'
+ set vpn ipsec ike-group IKE-HUB ikev2-reauth 'no'
+ set vpn ipsec ike-group IKE-HUB key-exchange 'ikev1'
+ set vpn ipsec ike-group IKE-HUB lifetime '3600'
+ set vpn ipsec ike-group IKE-HUB proposal 1 dh-group '2'
+ set vpn ipsec ike-group IKE-HUB proposal 1 encryption 'aes256'
+ set vpn ipsec ike-group IKE-HUB proposal 1 hash 'sha1'
+ set vpn ipsec ike-group IKE-HUB proposal 2 dh-group '2'
+ set vpn ipsec ike-group IKE-HUB proposal 2 encryption 'aes128'
+ set vpn ipsec ike-group IKE-HUB proposal 2 hash 'sha1'
+
+ set vpn ipsec ipsec-interfaces interface 'eth0'
+
+ set vpn ipsec profile NHRPVPN authentication mode 'pre-shared-secret'
+ set vpn ipsec profile NHRPVPN authentication pre-shared-secret 'secret'
+ set vpn ipsec profile NHRPVPN bind tunnel 'tun100'
+ set vpn ipsec profile NHRPVPN esp-group 'ESP-HUB'
+ set vpn ipsec profile NHRPVPN ike-group 'IKE-HUB'
+
+.. note:: Setting this up on AWS will require a "Custom Protocol Rule" for
+ protocol number "47" (GRE) Allow Rule in TWO places. Firstly on the VPC
+ Network ACL, and secondly on the security group network ACL attached to the
+ EC2 instance. This has been tested as working for the official AMI image on
+ the AWS Marketplace. (Locate the correct VPC and security group by navigating
+ through the details pane below your EC2 instance in the AWS console).
+
+Spoke
+-----
+
+The individual spoke configurations only differ in the local IP address on the
+``tun10`` interface. See the above diagram for the individual IP addresses.
+
+spoke01-spoke04
+^^^^^^^^^^^^^^^
+
+.. code-block:: none
+
+ crypto keyring DMVPN
+ pre-shared-key address 192.0.2.1 key secret
+ !
+ crypto isakmp policy 10
+ encr aes 256
+ authentication pre-share
+ group 2
+ crypto isakmp invalid-spi-recovery
+ crypto isakmp keepalive 30 30 periodic
+ crypto isakmp profile DMVPN
+ keyring DMVPN
+ match identity address 192.0.2.1 255.255.255.255
+ !
+ crypto ipsec transform-set DMVPN-AES256 esp-aes 256 esp-sha-hmac
+ mode transport
+ !
+ crypto ipsec profile DMVPN
+ set security-association idle-time 720
+ set transform-set DMVPN-AES256
+ set isakmp-profile DMVPN
+ !
+ interface Tunnel10
+ ! individual spoke tunnel IP must change
+ ip address 172.16.253.129 255.255.255.248
+ no ip redirects
+ ip nhrp authentication secret
+ ip nhrp map 172.16.253.134 192.0.2.1
+ ip nhrp map multicast 192.0.2.1
+ ip nhrp network-id 1
+ ip nhrp holdtime 600
+ ip nhrp nhs 172.16.253.134
+ ip nhrp registration timeout 75
+ tunnel source FastEthernet0/0
+ tunnel mode gre multipoint
+ tunnel key 1
+ !
+ interface FastEthernet0/0
+ ip address dhcp
+ duplex half
+
+
+spoke05
+^^^^^^^
+
+VyOS can also run in DMVPN spoke mode.
+
+.. code-block:: none
+
+ set interfaces ethernet eth0 address 'dhcp'
+
+ set interfaces tunnel tun100 address '172.16.253.133/29'
+ set interfaces tunnel tun100 local-ip 0.0.0.0
+ set interfaces tunnel tun100 encapsulation 'gre'
+ set interfaces tunnel tun100 multicast 'enable'
+ set interfaces tunnel tun100 parameters ip key '1'
+
+ set protocols nhrp tunnel tun100 cisco-authentication 'secret'
+ set protocols nhrp tunnel tun100 holding-time '300'
+ set protocols nhrp tunnel tun100 map 172.16.253.134/29 nbma-address '192.0.2.1'
+ set protocols nhrp tunnel tun100 map 172.16.253.134/29 register
+ set protocols nhrp tunnel tun100 multicast 'nhs'
+ set protocols nhrp tunnel tun100 redirect
+ set protocols nhrp tunnel tun100 shortcut
+
+ set vpn ipsec esp-group ESP-HUB compression 'disable'
+ set vpn ipsec esp-group ESP-HUB lifetime '1800'
+ set vpn ipsec esp-group ESP-HUB mode 'transport'
+ set vpn ipsec esp-group ESP-HUB pfs 'dh-group2'
+ set vpn ipsec esp-group ESP-HUB proposal 1 encryption 'aes256'
+ set vpn ipsec esp-group ESP-HUB proposal 1 hash 'sha1'
+ set vpn ipsec esp-group ESP-HUB proposal 2 encryption '3des'
+ set vpn ipsec esp-group ESP-HUB proposal 2 hash 'md5'
+ set vpn ipsec ike-group IKE-HUB close-action 'none'
+ set vpn ipsec ike-group IKE-HUB ikev2-reauth 'no'
+ set vpn ipsec ike-group IKE-HUB key-exchange 'ikev1'
+ set vpn ipsec ike-group IKE-HUB lifetime '3600'
+ set vpn ipsec ike-group IKE-HUB proposal 1 dh-group '2'
+ set vpn ipsec ike-group IKE-HUB proposal 1 encryption 'aes256'
+ set vpn ipsec ike-group IKE-HUB proposal 1 hash 'sha1'
+ set vpn ipsec ike-group IKE-HUB proposal 2 dh-group '2'
+ set vpn ipsec ike-group IKE-HUB proposal 2 encryption 'aes128'
+ set vpn ipsec ike-group IKE-HUB proposal 2 hash 'sha1'
+
+ set vpn ipsec ipsec-interfaces interface 'eth0'
+
+ set vpn ipsec profile NHRPVPN authentication mode 'pre-shared-secret'
+ set vpn ipsec profile NHRPVPN authentication pre-shared-secret 'secret'
+ set vpn ipsec profile NHRPVPN bind tunnel 'tun100'
+ set vpn ipsec profile NHRPVPN esp-group 'ESP-HUB'
+ set vpn ipsec profile NHRPVPN ike-group 'IKE-HUB'
+
+
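Review bot: the hub example advertises weak proposals that any spoke may negotiate down to: `set vpn ipsec esp-group ESP-HUB proposal 2 encryption '3des'` with `hash 'md5'`, and `dh-group '2'` (1024-bit MODP) in both IKE proposals. Neither the Cisco spokes (`esp-aes 256 esp-sha-hmac`, `group 2`) nor spoke05 needs proposal 2, so drop it from both ESP-HUB and IKE-HUB, or state that it is kept only for legacy interoperability; the same hub also relies on `cisco-authentication 'secret'`, which the text above correctly describes as a plaintext, 8-character-maximum tag, and it would help to say there that this is not an integrity or confidentiality mechanism (IPsec is). Two smaller points in the same hunk: the Spoke section says the configurations "only differ in the local IP address on the ``tun10`` interface" while every VyOS spoke uses ``tun100`` (the Cisco side uses ``Tunnel10``), and there are typos in the command descriptions ("Specfying", "Synamic" for "Dynamic", "authorative", "destinied", "The lab was build").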
diff --git a/docs/configuration/vpn/index.rst b/docs/configuration/vpn/index.rst
new file mode 100644
index 00000000..abaca198
--- /dev/null
+++ b/docs/configuration/vpn/index.rst
@@ -0,0 +1,26 @@
+###
+VPN
+###
+
+
+.. toctree::
+ :maxdepth: 1
+ :includehidden:
+
+ ipsec
+ l2tp
+ openconnect
+ pptp
+ rsa-keys
+ sstp
+
+
+
+pages to sort
+
+.. toctree::
+ :maxdepth: 1
+ :includehidden:
+
+ dmvpn
+ site2site_ipsec \ No newline at end of file
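Review bot: `pages to sort` has no underline, so it will render as a stray paragraph between the two toctrees rather than as a heading, and it reads as an unfinished placeholder in a published index. Either give it a real section title in the `###`/`***` style used by the sibling pages or merge `dmvpn` and `site2site_ipsec` into the first toctree. Also add the missing trailing newline (`\ No newline at end of file`).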
diff --git a/docs/configuration/vpn/ipsec.rst b/docs/configuration/vpn/ipsec.rst
new file mode 100644
index 00000000..2888336c
--- /dev/null
+++ b/docs/configuration/vpn/ipsec.rst
@@ -0,0 +1,192 @@
+.. _ipsec:
+
+#####
+IPsec
+#####
+
+:abbr:`GRE (Generic Routing Encapsulation)`, GRE/IPsec (or IPIP/IPsec,
+SIT/IPsec, or any other stateless tunnel protocol over IPsec) is the usual way
+to protect the traffic inside a tunnel.
+
+An advantage of this scheme is that you get a real interface with its own
+address, which makes it easier to setup static routes or use dynamic routing
+protocols without having to modify IPsec policies. The other advantage is that
+it greatly simplifies router to router communication, which can be tricky with
+plain IPsec because the external outgoing address of the router usually doesn't
+match the IPsec policy of typical site-to-site setup and you need to add special
+configuration for it, or adjust the source address for outgoing traffic of your
+applications. GRE/IPsec has no such problem and is completely transparent for
+the applications.
+
+GRE/IPIP/SIT and IPsec are widely accepted standards, which make this scheme
+easy to implement between VyOS and virtually any other router.
+
+For simplicity we'll assume that the protocol is GRE, it's not hard to guess
+what needs to be changed to make it work with a different protocol. We assume
+that IPsec will use pre-shared secret authentication and will use AES128/SHA1
+for the cipher and hash. Adjust this as necessary.
+
+.. NOTE:: VMware users should ensure that a VMXNET3 adapter is used. E1000
+ adapters have known issues with GRE processing.
+
+*************************
+IPsec policy matching GRE
+*************************
+
+The first and arguably cleaner option is to make your IPsec policy match GRE
+packets between external addresses of your routers. This is the best option if
+both routers have static external addresses.
+
+Suppose the LEFT router has external address 192.0.2.10 on its eth0 interface,
+and the RIGHT router is 203.0.113.45
+
+On the LEFT:
+
+.. code-block:: none
+
+ # GRE tunnel
+ set interfaces tunnel tun0 encapsulation gre
+ set interfaces tunnel tun0 local-ip 192.0.2.10
+ set interfaces tunnel tun0 remote-ip 203.0.113.45
+ set interfaces tunnel tun0 address 10.10.10.1/30
+
+ ## IPsec
+ set vpn ipsec ipsec-interfaces interface eth0
+
+ # IKE group
+ set vpn ipsec ike-group MyIKEGroup proposal 1 dh-group '2'
+ set vpn ipsec ike-group MyIKEGroup proposal 1 encryption 'aes128'
+ set vpn ipsec ike-group MyIKEGroup proposal 1 hash 'sha1'
+
+ # ESP group
+ set vpn ipsec esp-group MyESPGroup proposal 1 encryption 'aes128'
+ set vpn ipsec esp-group MyESPGroup proposal 1 hash 'sha1'
+
+ # IPsec tunnel
+ set vpn ipsec site-to-site peer 203.0.113.45 authentication mode pre-shared-secret
+ set vpn ipsec site-to-site peer 203.0.113.45 authentication pre-shared-secret MYSECRETKEY
+
+ set vpn ipsec site-to-site peer 203.0.113.45 ike-group MyIKEGroup
+ set vpn ipsec site-to-site peer 203.0.113.45 default-esp-group MyESPGroup
+
+ set vpn ipsec site-to-site peer 203.0.113.45 local-address 192.0.2.10
+
+ # This will match all GRE traffic to the peer
+ set vpn ipsec site-to-site peer 203.0.113.45 tunnel 1 protocol gre
+
+On the RIGHT, setup by analogy and swap local and remote addresses.
+
+
+Source tunnel from loopbacks
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+The scheme above doesn't work when one of the routers has a dynamic external
+address though. The classic workaround for this is to setup an address on a
+loopback interface and use it as a source address for the GRE tunnel, then setup
+an IPsec policy to match those loopback addresses.
+
+We assume that the LEFT router has static 192.0.2.10 address on eth0, and the
+RIGHT router has a dynamic address on eth0.
+
+**Setting up the GRE tunnel**
+
+On the LEFT:
+
+.. code-block:: none
+
+ set interfaces loopback lo address 192.168.99.1/32
+
+ set interfaces tunnel tun0 encapsulation gre
+ set interfaces tunnel tun0 address 10.10.10.1/30
+ set interfaces tunnel tun0 local-ip 192.168.99.1
+ set interfaces tunnel tun0 remote-ip 192.168.99.2
+
+On the RIGHT:
+
+.. code-block:: none
+
+ set interfaces loopback lo address 192.168.99.2/32
+
+ set interfaces tunnel tun0 encapsulation gre
+ set interfaces tunnel tun0 address 10.10.10.2/30
+ set interfaces tunnel tun0 local-ip 192.168.99.2
+ set interfaces tunnel tun0 remote-ip 192.168.99.1
+
+**Setting up IPSec**
+
+However, now you need to make IPsec work with dynamic address on one side. The
+tricky part is that pre-shared secret authentication doesn't work with dynamic
+address, so we'll have to use RSA keys.
+
+First, on both routers run the operational command "generate vpn rsa-key bits
+2048". You may choose different length than 2048 of course.
+
+.. code-block:: none
+
+ vyos@left# run generate vpn rsa-key bits 2048
+ Generating rsa-key to /config/ipsec.d/rsa-keys/localhost.key
+
+ Your new local RSA key has been generated
+ The public portion of the key is:
+
+ 0sAQO2335[long string here]
+
+Then on the opposite router, add the RSA key to your config.
+
+.. code-block:: none
+
+ set vpn rsa-keys rsa-key-name LEFT rsa-key KEYGOESHERE
+
+Now you are ready to setup IPsec. You'll need to use an ID instead of address
+for the peer on the dynamic side.
+
+On the LEFT (static address):
+
+.. code-block:: none
+
+ set vpn rsa-keys rsa-key-name RIGHT rsa-key <PUBLIC KEY FROM THE RIGHT>
+
+ set vpn ipsec ipsec-interfaces interface eth0
+
+ set vpn ipsec esp-group MyESPGroup proposal 1 encryption aes128
+ set vpn ipsec esp-group MyESPGroup proposal 1 hash sha1
+
+ set vpn ipsec ike-group MyIKEGroup proposal 1 dh-group 2
+ set vpn ipsec ike-group MyIKEGroup proposal 1 encryption aes128
+ set vpn ipsec ike-group MyIKEGroup proposal 1 hash sha1
+
+ set vpn ipsec site-to-site peer @RIGHT authentication mode rsa
+ set vpn ipsec site-to-site peer @RIGHT authentication rsa-key-name RIGHT
+ set vpn ipsec site-to-site peer @RIGHT default-esp-group MyESPGroup
+ set vpn ipsec site-to-site peer @RIGHT ike-group MyIKEGroup
+ set vpn ipsec site-to-site peer @RIGHT local-address 192.0.2.10
+ set vpn ipsec site-to-site peer @RIGHT connection-type respond
+ set vpn ipsec site-to-site peer @RIGHT tunnel 1 local prefix 192.168.99.1/32 # Additional loopback address on the local
+ set vpn ipsec site-to-site peer @RIGHT tunnel 1 remote prefix 192.168.99.2/32 # Additional loopback address on the remote
+
+
+On the RIGHT (dynamic address):
+
+.. code-block:: none
+
+ set vpn rsa-keys rsa-key-name LEFT rsa-key <PUBLIC KEY FROM THE LEFT>
+
+ set vpn ipsec ipsec-interfaces interface eth0
+
+ set vpn ipsec esp-group MyESPGroup proposal 1 encryption aes128
+ set vpn ipsec esp-group MyESPGroup proposal 1 hash sha1
+
+ set vpn ipsec ike-group MyIKEGroup proposal 1 dh-group 2
+ set vpn ipsec ike-group MyIKEGroup proposal 1 encryption aes128
+ set vpn ipsec ike-group MyIKEGroup proposal 1 hash sha1
+
+ set vpn ipsec site-to-site peer 192.0.2.10 authentication id @RIGHT
+ set vpn ipsec site-to-site peer 192.0.2.10 authentication mode rsa
+ set vpn ipsec site-to-site peer 192.0.2.10 authentication rsa-key-name LEFT
+ set vpn ipsec site-to-site peer 192.0.2.10 authentication remote-id LEFT
+ set vpn ipsec site-to-site peer 192.0.2.10 connection-type initiate
+ set vpn ipsec site-to-site peer 192.0.2.10 default-esp-group MyESPGroup
+ set vpn ipsec site-to-site peer 192.0.2.10 ike-group MyIKEGroup
+ set vpn ipsec site-to-site peer 192.0.2.10 local-address any
+ set vpn ipsec site-to-site peer 192.0.2.10 tunnel 1 local prefix 192.168.99.2/32 # Additional loopback address on the local
+ set vpn ipsec site-to-site peer 192.0.2.10 tunnel 1 remote prefix 192.168.99.1/32 # Additional loopback address on the remote
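Review bot: the trailing `# Additional loopback address on the local` / `... on the remote` comments on the four `tunnel 1 local prefix` / `remote prefix` lines become part of the command when a reader pastes the block into configure mode; move them onto their own lines as the first block does with `# GRE tunnel` and `# IKE group`. Second, the IKE identities in the RSA example do not line up: RIGHT sets `authentication id @RIGHT` and `authentication remote-id LEFT`, but LEFT never sets an `authentication id`, so either add a matching `authentication id LEFT` on the LEFT side or remove `remote-id LEFT` on RIGHT, and say in the prose which identity each side presents and checks. Lastly, "Source tunnel from loopbacks" is underlined with `^` directly under a `*`-level section, skipping the `=` level used elsewhere in this tree.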
diff --git a/docs/configuration/vpn/l2tp.rst b/docs/configuration/vpn/l2tp.rst
new file mode 100644
index 00000000..0df5080c
--- /dev/null
+++ b/docs/configuration/vpn/l2tp.rst
@@ -0,0 +1,232 @@
+.. _l2tp:
+
+L2TP
+----
+
+VyOS utilizes accel-ppp_ to provide L2TP server functionality. It can be used
+with local authentication or a connected RADIUS server.
+
+L2TP over IPsec
+===============
+
+Example for configuring a simple L2TP over IPsec VPN for remote access (works
+with native Windows and Mac VPN clients):
+
+.. code-block:: none
+
+ set vpn ipsec ipsec-interfaces interface eth0
+ set vpn ipsec nat-traversal enable
+ set vpn ipsec nat-networks allowed-network 0.0.0.0/0
+
+ set vpn l2tp remote-access outside-address 192.0.2.2
+ set vpn l2tp remote-access client-ip-pool start 192.168.255.2
+ set vpn l2tp remote-access client-ip-pool stop 192.168.255.254
+ set vpn l2tp remote-access ipsec-settings authentication mode pre-shared-secret
+ set vpn l2tp remote-access ipsec-settings authentication pre-shared-secret <secret>
+ set vpn l2tp remote-access authentication mode local
+ set vpn l2tp remote-access authentication local-users username test password 'test'
+
+In the example above an external IP of 192.0.2.2 is assumed.
+
+If a local firewall policy is in place on your external interface you will need
+to allow the ports below:
+
+* UDP port 500 (IKE)
+* IP protocol number 50 (ESP)
+* UDP port 1701 for IPsec
+
+As well as the below to allow NAT-traversal (when NAT is detected by the
+VPN client, ESP is encapsulated in UDP for NAT-traversal):
+
+* UDP port 4500 (NAT-T)
+
+Example:
+
+.. code-block:: none
+
+ set firewall name OUTSIDE-LOCAL rule 40 action 'accept'
+ set firewall name OUTSIDE-LOCAL rule 40 protocol 'esp'
+ set firewall name OUTSIDE-LOCAL rule 41 action 'accept'
+ set firewall name OUTSIDE-LOCAL rule 41 destination port '500'
+ set firewall name OUTSIDE-LOCAL rule 41 protocol 'udp'
+ set firewall name OUTSIDE-LOCAL rule 42 action 'accept'
+ set firewall name OUTSIDE-LOCAL rule 42 destination port '4500'
+ set firewall name OUTSIDE-LOCAL rule 42 protocol 'udp'
+ set firewall name OUTSIDE-LOCAL rule 43 action 'accept'
+ set firewall name OUTSIDE-LOCAL rule 43 destination port '1701'
+ set firewall name OUTSIDE-LOCAL rule 43 ipsec 'match-ipsec'
+ set firewall name OUTSIDE-LOCAL rule 43 protocol 'udp'
+
+To allow VPN-clients access via your external address, a NAT rule is required:
+
+
+.. code-block:: none
+
+ set nat source rule 110 outbound-interface 'eth0'
+ set nat source rule 110 source address '192.168.255.0/24'
+ set nat source rule 110 translation address masquerade
+
+
+VPN-clients will request configuration parameters, optionally you can DNS
+parameter to the client.
+
+.. code-block:: none
+
+ set vpn l2tp remote-access name-server '198.51.100.8'
+ set vpn l2tp remote-access name-server '198.51.100.4'
+
+Established sessions can be viewed using the **show vpn remote-access**
+operational command, or **show l2tp-server sessions**
+
+.. code-block:: none
+
+ vyos@vyos:~$ show vpn remote-access
+ ifname | username | calling-sid | ip | rate-limit | type | comp | state | uptime
+ --------+----------+--------------+---------------+------------+------+------+--------+----------
+ ppp0 | vyos | 192.168.0.36 | 192.168.255.1 | | l2tp | | active | 00:06:13
+
+
+LNS (L2TP Network Server)
+=========================
+
+LNS are often used to connect to a LAC (L2TP Access Concentrator).
+
+Below is an example to configure a LNS:
+
+.. code-block:: none
+
+ set vpn l2tp remote-access outside-address 192.0.2.2
+ set vpn l2tp remote-access client-ip-pool start 192.168.255.2
+ set vpn l2tp remote-access client-ip-pool stop 192.168.255.254
+ set vpn l2tp remote-access lns shared-secret 'secret'
+ set vpn l2tp remote-access ccp-disable
+ set vpn l2tp remote-access authentication mode local
+ set vpn l2tp remote-access authentication local-users username test password 'test'
+
+The example above uses 192.0.2.2 as external IP address. A LAC normally requires
+an authentication password, which is set in the example configuration to
+``lns shared-secret 'secret'``. This setup requires the Compression Control
+Protocol (CCP) being disabled, the command ``set vpn l2tp remote-access
+ccp-disable`` accomplishes that.
+
+
+Bandwidth Shaping
+=================
+
+Bandwidth rate limits can be set for local users or via RADIUS based attributes.
+
+Bandwidth Shaping for local users
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+The rate-limit is set in kbit/sec.
+
+.. code-block:: none
+
+ set vpn l2tp remote-access outside-address 192.0.2.2
+ set vpn l2tp remote-access client-ip-pool start 192.168.255.2
+ set vpn l2tp remote-access client-ip-pool stop 192.168.255.254
+ set vpn l2tp remote-access authentication mode local
+ set vpn l2tp remote-access authentication local-users username test password test
+ set vpn l2tp remote-access authentication local-users username test rate-limit download 20480
+ set vpn l2tp remote-access authentication local-users username test rate-limit upload 10240
+
+ vyos@vyos:~$ show vpn remote-access
+ ifname | username | calling-sid | ip | rate-limit | type | comp | state | uptime
+ -------+----------+--------------+---------------+-------------+------+------+--------+-----------
+ ppp0 | test | 192.168.0.36 | 192.168.255.2 | 20480/10240 | l2tp | | active | 00:06:30
+
+RADIUS authentication
+======================
+
+To enable RADIUS based authentication, the authentication mode needs to be
+changed within the configuration. Previous settings like the local users, still
+exists within the configuration, however they are not used if the mode has been
+changed from local to radius. Once changed back to local, it will use all local
+accounts again.
+
+.. code-block:: none
+
+ set vpn l2tp remote-access authentication mode <local|radius>
+
+Since the RADIUS server would be a single point of failure, multiple RADIUS
+servers can be setup and will be used subsequentially.
+
+.. code-block:: none
+
+ set vpn l2tp remote-access authentication radius server 10.0.0.1 key 'foo'
+ set vpn l2tp remote-access authentication radius server 10.0.0.2 key 'foo'
+
+.. note:: Some RADIUS_ severs use an access control list which allows or denies
+ queries, make sure to add your VyOS router to the allowed client list.
+
+RADIUS source address
+^^^^^^^^^^^^^^^^^^^^^
+
+If you are using OSPF as IGP always the closets interface connected to the
+RADIUS server is used. With VyOS 1.2 you can bind all outgoing RADIUS requests
+to a single source IP e.g. the loopback interface.
+
+.. code-block:: none
+
+ set vpn l2tp remote-access authentication radius source-address 10.0.0.3
+
+Above command will use `10.0.0.3` as source IPv4 address for all RADIUS queries
+on this NAS.
+
+.. note:: The ``source-address`` must be configured on one of VyOS interface.
+ Best proctice would be a loopback or dummy interface.
+
+RADIUS bandwidth shaping attribute
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+To enable bandwidth shaping via RADIUS, the option rate-limit needs to be
+enabled.
+
+.. code-block:: none
+
+ set vpn l2tp remote-access authentication radius rate-limit enable
+
+The default RADIUS attribute for rate limiting is ``Filter-Id``, but you may
+also redefine it.
+
+.. code-block:: none
+
+ set vpn l2tp remote-access authentication radius rate-limit attribute Download-Speed
+
+.. note:: If you set a custom RADIUS attribute you must define it on both
+ dictionaries at RADIUS server and client, which is the vyos router in our
+ example.
+
+The RADIUS dictionaries in VyOS are located at ``/usr/share/accel-ppp/radius/``
+
+RADIUS advanced features
+^^^^^^^^^^^^^^^^^^^^^^^^
+
+Received RADIUS attributes have a higher priority than parameters defined within
+the CLI configuration, refer to the explanation below.
+
+Allocation clients ip addresses by RADIUS
+*****************************************
+
+If the RADIUS server sends the attribute ``Framed-IP-Address`` then this IP
+address will be allocated to the client and the option ip-pool within the CLI
+config is being ignored.
+
+Renaming clients interfaces by RADIUS
+*************************************
+
+If the RADIUS server uses the attribute ``NAS-Port-Id``, ppp tunnels will be
+renamed.
+
+.. note:: The value of the attribute ``NAS-Port-Id`` must be less than 16
+ characters, otherwise the interface won't be renamed.
+
+
+.. _`Google Public DNS`: https://developers.google.com/speed/public-dns
+.. _Quad9: https://quad9.net
+.. _CloudFlare: https://blog.cloudflare.com/announcing-1111
+.. _OpenNIC: https://www.opennic.org/
+.. _RADIUS: https://en.wikipedia.org/wiki/RADIUS
+.. _FreeRADIUS: https://freeradius.org
+.. _`Network Policy Server`: https://en.wikipedia.org/wiki/Network_Policy_Server
+.. _accel-ppp: https://accel-ppp.org/
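Review bot: the port list entry `UDP port 1701 for IPsec` is misleading: 1701 is the L2TP port itself, and the firewall example correctly accepts it only with `ipsec 'match-ipsec'` (rule 43), i.e. only L2TP arriving inside ESP. The prose should say exactly that, otherwise a reader may open 1701 without the match and accept unencrypted L2TP from anywhere. Two structural points: the `L2TP` title uses a `----` underline while the sibling pages use the `#` over/underline style, so this file's `===`/`^^^`/`***` levels do not match the rest of the tree; and the link targets `Google Public DNS`, `Quad9`, `CloudFlare`, `OpenNIC`, `FreeRADIUS` and `Network Policy Server` at the end are never referenced in this file (only `accel-ppp_` and `RADIUS_` are) and look copied from another page. Typos: "closets" (closest), "proctice", "severs", "subsequentially", "Allocation clients ip addresses".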
diff --git a/docs/configuration/vpn/openconnect.rst b/docs/configuration/vpn/openconnect.rst
new file mode 100644
index 00000000..feb0bab1
--- /dev/null
+++ b/docs/configuration/vpn/openconnect.rst
@@ -0,0 +1,95 @@
+.. _vpn-openconnect:
+
+###########
+OpenConnect
+###########
+
+OpenConnect-compatible server feature is available from this release.
+Openconnect VPN supports SSL connection and offers full network access. SSL VPN
+network extension connects the end-user system to the corporate network with
+access controls based only on network layer information, such as destination IP
+address and port number. So, it provides safe communication for all types of
+device traffic across public networks and private networks, also encrypts the
+traffic with SSL protocol.
+
+The remote user will use the openconnect client to connect to the router and
+will receive an IP address from a VPN pool, allowing full access to the network.
+
+.. note:: All certificates should be stored on VyOS under /config/auth. If
+ certificates are not stored in the /config directory they will not be
+ migrated during a software update.
+
+*************
+Configuration
+*************
+
+SSL Certificates
+================
+
+We need to generate the certificate which authenticates users who attempt to
+access the network resource through the SSL VPN tunnels. The following command
+will create a self signed certificates and will be stored in the file path
+`/config/auth`.
+
+.. code-block:: none
+
+ openssl req -newkey rsa:4096 -new -nodes -x509 -days 3650 -keyout /config/auth/server.key -out /config/auth/server.crt
+ openssl req -new -x509 -key /config/auth/server.key -out /config/auth/ca.crt
+
+We can also create the certificates using Cerbort which is an easy-to-use client
+that fetches a certificate from Let's Encrypt an open certificate authority
+launched by the EFF, Mozilla, and others and deploys it to a web server.
+
+.. code-block:: none
+
+ sudo certbot certonly --standalone --preferred-challenges http -d <domain name>
+
+Server Configuration
+====================
+
+.. code-block:: none
+
+ set vpn openconnect authentication local-users username <user> password <pass>
+ set vpn openconnect authentication mode <local|radius>
+ set vpn opneconnect network-settings client-ip-settings subnet <subnet>
+ set vpn openconnect network-settings name-server <address>
+ set vpn openconnect network-settings name-server <address>
+ set vpn openconnect ssl ca-cert-file <file>
+ set vpn openconnect ssl cert-file <file>
+ set vpn openconnect ssl key-file <file>
+
+
+*******
+Example
+*******
+
+Use local user name "user4" with password "SecretPassword"
+Client IP addresses will be provided from pool 100.64.0.0/24
+The Gateway IP Address must be in one of the router´s interfaces.
+
+.. code-block:: none
+
+ set vpn openconnect authentication local-users username user4 password 'SecretPassword'
+ set vpn openconnect authentication mode 'local'
+ set vpn openconnect network-settings client-ip-settings subnet '100.64.0.0/24'
+ set vpn openconnect network-settings name-server '10.1.1.1'
+ set vpn openconnect network-settings name-server '10.1.1.2'
+ set vpn openconnect ssl ca-cert-file '/config/auth/fullchain.pem'
+ set vpn openconnect ssl cert-file '/config/auth/cert.pem'
+ set vpn openconnect ssl key-file '/config/auth/privkey.pem'
+
+
+************
+Verification
+************
+
+.. code-block:: none
+
+
+ vyos@RTR1:~$ show openconnect-server sessions
+
+ interface username ip remote IP RX TX state uptime
+ ----------- ---------- ------------ ------------- -------- -------- --------- --------
+ sslvpn0 user4 100.64.0.105 xx.xxx.49.253 127.3 KB 160.0 KB connected 12m:28s
+
+.. note:: It is compatible with Cisco (R) AnyConnect (R) clients.
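Review bot: the command reference contains a typo in ``set vpn opneconnect network-settings client-ip-settings subnet <subnet>`` (should be ``openconnect``), which a reader copying the reference would hit as a configuration error; the same block also lists ``set vpn openconnect network-settings name-server <address>`` twice with the identical placeholder, so either drop one or label them as primary and secondary server. Three further points in this file: "Cerbort" should be "Certbot"; the certbot command writes its output under ``/etc/letsencrypt`` by default, so the text should say that the resulting ``fullchain.pem``, ``cert.pem`` and ``privkey.pem`` must be copied into ``/config/auth`` before the later example (which references exactly those paths) can work, consistent with the note about certificates outside ``/config`` not surviving an upgrade; and the second openssl command reuses ``server.key`` to issue ``ca.crt``, which only produces a second self-signed certificate with the same key rather than a separate CA, so either generate a distinct CA key or explain that ``ca-cert-file`` may simply point at the server certificate here. Finally, the example sentence "The Gateway IP Address must be in one of the router´s interfaces" refers to a setting that does not appear in the example configuration; either add the corresponding command or remove the sentence.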
diff --git a/docs/configuration/vpn/pptp.rst b/docs/configuration/vpn/pptp.rst
new file mode 100644
index 00000000..12364acb
--- /dev/null
+++ b/docs/configuration/vpn/pptp.rst
@@ -0,0 +1,52 @@
+.. _pptp:
+
+PPTP-Server
+-----------
+
+The Point-to-Point Tunneling Protocol (PPTP_) has been implemented in VyOS only
+for backwards compatibility. PPTP has many well known security issues and you
+should use one of the many other new VPN implementations.
+
+As per default and if not otherwise defined, mschap-v2 is being used for
+authentication and mppe 128-bit (stateless) for encryption. If no
+gateway-address is set within the configuration, the lowest IP out of the /24
+client-ip-pool is being used. For instance, in the example below it would be
+192.168.0.1.
+
+server example
+^^^^^^^^^^^^^^
+
+.. code-block:: none
+
+ set vpn pptp remote-access authentication local-users username test password 'test'
+ set vpn pptp remote-access authentication mode 'local'
+ set vpn pptp remote-access client-ip-pool start '192.168.0.10'
+ set vpn pptp remote-access client-ip-pool stop '192.168.0.15'
+ set vpn pptp remote-access gateway-address '10.100.100.1'
+ set vpn pptp remote-access outside-address '10.1.1.120'
+
+
+client example (debian 9)
+^^^^^^^^^^^^^^^^^^^^^^^^^
+
+Install the client software via apt and execute pptpsetup to generate the
+configuration.
+
+
+.. code-block:: none
+
+ apt-get install pptp-linux
+ pptpsetup --create TESTTUNNEL --server 10.1.1.120 --username test --password test --encrypt
+ pon TESTTUNNEL
+
+The command pon TESTUNNEL establishes the PPTP tunnel to the remote system.
+
+
+All tunnel sessions can be checked via:
+
+.. code-block:: none
+
+ run sh pptp-server sessions
+ ifname | username | calling-sid | ip | type | comp | state | uptime
+ --------+----------+-------------+--------------+------+------+--------+----------
+ ppp0 | test | 10.1.1.99 | 192.168.0.10 | pptp | mppe | active | 00:00:58
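Review bot: the sentence "The command pon TESTUNNEL establishes the PPTP tunnel" misspells the tunnel name created two lines earlier with ``pptpsetup --create TESTTUNNEL``; use ``TESTTUNNEL`` in both places. The introductory paragraph also contradicts the example: it says that without a gateway-address the lowest IP of the /24 pool is used and that "in the example below it would be 192.168.0.1", yet the example explicitly sets ``set vpn pptp remote-access gateway-address '10.100.100.1'``, so either remove that line from the example or reword the sentence to describe the default behaviour without pointing at the example. Since the opening paragraph already warns that PPTP has well known security issues, the client example should at least avoid passing ``--password test`` on the command line (it ends up in shell history) and point to the ``/etc/ppp/chap-secrets`` file that ``pptpsetup`` writes instead.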
diff --git a/docs/configuration/vpn/rsa-keys.rst b/docs/configuration/vpn/rsa-keys.rst
new file mode 100644
index 00000000..7912cffe
--- /dev/null
+++ b/docs/configuration/vpn/rsa-keys.rst
@@ -0,0 +1,88 @@
+
+########
+RSA-Keys
+########
+RSA can be used for services such as key exchanges and for encryption purposes.
+To make IPSec work with dynamic address on one/both sides, we will have to use
+RSA keys for authentication. They are very fast and easy to setup.
+
+First, on both routers run the operational command “generate vpn rsa-key
+bits 2048”. You may choose different length than 2048 of course.
+
+.. code-block:: none
+
+ vyos@left# run generate vpn rsa-key bits 2048
+ Generating rsa-key to /config/ipsec.d/rsa-keys/localhost.key
+
+ Your new local RSA key has been generated
+ The public portion of the key is:
+
+ 0sAQO2335[long string here]
+
+Please note down this public key, as you have to add this RSA key in the opposite router.
+
+.. code-block:: none
+
+ set vpn rsa-keys rsa-key-name LEFT rsa-key KEYGOESHERE
+
+Now you are ready to setup IPsec. The key points:
+
+1. Since both routers do not know their effective public addresses, we set the local-address of the peer to "any".
+2. On the initiator, we set the peer address to its public address, but on the responder we only set the id.
+3. On the initiator, we need to set the remote-id option so that it can identify IKE traffic from the responder correctly.
+4. On the responder, we need to set the local id so that initiator can know who's talking to it for the point #3 to work.
+5. Don't forget to enable NAT traversal on both sides, "set vpn ipsec nat-traversal enable".
+
+LEFT SIDE:
+
+.. code-block:: none
+
+ set vpn rsa-keys rsa-key-name RIGHT rsa-key <PUBLIC KEY FROM THE RIGHT>
+
+ set vpn ipsec ipsec-interfaces interface eth0
+ set vpn ipsec nat-traversal 'enable'
+
+ set vpn ipsec esp-group MyESPGroup proposal 1 encryption aes128
+ set vpn ipsec esp-group MyESPGroup proposal 1 hash sha1
+
+ set vpn ipsec ike-group MyIKEGroup proposal 1 dh-group 2
+ set vpn ipsec ike-group MyIKEGroup proposal 1 encryption aes128
+ set vpn ipsec ike-group MyIKEGroup proposal 1 hash sha1
+
+ set vpn ipsec site-to-site peer 192.0.2.60 authentication mode rsa
+ set vpn ipsec site-to-site peer 192.0.2.60 authentication id @LEFT
+ set vpn ipsec site-to-site peer 192.0.2.60 authentication rsa-key-name RIGHT
+ set vpn ipsec site-to-site peer 192.0.2.60 authentication remote-id RIGHT
+ set vpn ipsec site-to-site peer 192.0.2.60 default-esp-group MyESPGroup
+ set vpn ipsec site-to-site peer 192.0.2.60 ike-group MyIKEGroup
+ set vpn ipsec site-to-site peer 192.0.2.60 local-address any
+ set vpn ipsec site-to-site peer 192.0.2.60 connection-type initiate
+ set vpn ipsec site-to-site peer 192.0.2.60 tunnel 1 local prefix 192.168.99.1/32
+ set vpn ipsec site-to-site peer 192.0.2.60 tunnel 1 remote prefix 192.168.99.2/32
+
+RIGHT SIDE:
+
+.. code-block:: none
+
+ set vpn rsa-keys rsa-key-name LEFT rsa-key <PUBLIC KEY FROM THE LEFT>
+
+ set vpn ipsec ipsec-interfaces interface eth0
+ set vpn ipsec nat-traversal 'enable'
+
+ set vpn ipsec esp-group MyESPGroup proposal 1 encryption aes128
+ set vpn ipsec esp-group MyESPGroup proposal 1 hash sha1
+
+ set vpn ipsec ike-group MyIKEGroup proposal 1 dh-group 2
+ set vpn ipsec ike-group MyIKEGroup proposal 1 encryption aes128
+ set vpn ipsec ike-group MyIKEGroup proposal 1 hash sha1
+
+ set vpn ipsec site-to-site peer @LEFT authentication id @RIGHT
+ set vpn ipsec site-to-site peer @LEFT authentication mode rsa
+ set vpn ipsec site-to-site peer @LEFT authentication rsa-key-name LEFT
+ set vpn ipsec site-to-site peer @LEFT connection-type respond
+ set vpn ipsec site-to-site peer @LEFT default-esp-group MyESPGroup
+ set vpn ipsec site-to-site peer @LEFT ike-group MyIKEGroup
+ set vpn ipsec site-to-site peer @LEFT local-address any
+ set vpn ipsec site-to-site peer @LEFT tunnel 1 local prefix 192.168.99.2/32
+ set vpn ipsec site-to-site peer @LEFT tunnel 1 remote prefix 192.168.99.1/32
+
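Review bot: the identifiers used for RSA peer matching are inconsistent between the two sides. The LEFT side sets ``authentication remote-id RIGHT`` while the RIGHT side announces itself with ``authentication id @RIGHT``, and the RIGHT side names the peer ``@LEFT`` while LEFT announces ``id @LEFT``; the text in key points 3 and 4 says these must match, so the doc should spell them identically (``@RIGHT`` on both sides) rather than leave the reader to work out whether the ``@`` prefix is significant. The line ``set vpn rsa-keys rsa-key-name LEFT rsa-key KEYGOESHERE`` shown right after the key generation is also ambiguous: it should say that this command is entered on the *opposite* router (it is the RIGHT side that stores the key named LEFT, as the "RIGHT SIDE" block later shows). Two smaller points: the file starts with a blank line before the ``RSA-Keys`` heading and uses typographic quotes around "generate vpn rsa-key bits 2048" where the rest of the docs use ``literal`` markup; and both example IKE/ESP proposals use ``dh-group 2`` and ``hash sha1``, which are weak choices for a document that readers will copy, so consider ``dh-group 14`` or higher and ``sha256`` as in the IKEv2 example in ``site2site_ipsec.rst``.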
diff --git a/docs/configuration/vpn/site2site_ipsec.rst b/docs/configuration/vpn/site2site_ipsec.rst
new file mode 100644
index 00000000..e81c5c3b
--- /dev/null
+++ b/docs/configuration/vpn/site2site_ipsec.rst
@@ -0,0 +1,346 @@
+.. _size2site_ipsec:
+
+Site-to-Site
+============
+
+Site-to-site mode provides a way to add remote peers, which could be configured
+to exchange encrypted information between them and VyOS itself or
+connected/routed networks.
+
+To configure site-to-site connection you need to add peers with the
+``set vpn ipsec site-to-site`` command.
+
+You can identify a remote peer with:
+
+* IPv4 or IPv6 address. This mode is easiest for configuration and mostly used
+ when a peer has a public static IP address;
+* Hostname. This mode is similar to IP address, only you define DNS name instead
+ of an IP. Could be used when a peer has a public IP address and DNS name, but
+ an IP address could be changed from time to time;
+* Remote ID of the peer. In this mode, there is no predefined remote address
+ nor DNS name of the peer. This mode is useful when a peer doesn't have a
+ publicly available IP address (NAT between it and VyOS), or IP address could
+ be changed.
+
+Each site-to-site peer has the next options:
+
+* ``authentication`` - configure authentication between VyOS and a remote peer.
+ Suboptions:
+
+ * ``id`` - ID for the local VyOS router. If defined, during the authentication
+ it will be send to remote peer;
+
+ * ``mode`` - mode for authentication between VyOS and remote peer:
+
+ * ``pre-shared-secret`` - use predefined shared secret phrase, must be the
+ same for local and remote side;
+
+ * ``rsa`` - use simple shared RSA key. The key must be defined in the
+ ``set vpn rsa-keys`` section;
+
+ * ``x509`` - use certificates infrastructure for authentication.
+
+ * ``pre-shared-secret`` - predefined shared secret. Used if configured
+ ``mode pre-shared-secret``;
+
+ * ``remote-id`` - define an ID for remote peer, instead of using peer name or
+ address. Useful in case if the remote peer is behind NAT or if ``mode x509``
+ is used;
+
+ * ``rsa-key-name`` - shared RSA key for authentication. The key must be defined
+ in the ``set vpn rsa-keys`` section;
+
+ * ``use-x509-id`` - use local ID from x509 certificate. Cannot be used when
+ ``id`` is defined;
+
+ * ``x509`` - options for x509 authentication mode:
+
+ * ``ca-cert-file`` - CA certificate file. Using for authenticating
+ remote peer;
+
+ * ``cert-file`` - certificate file, which will be used for authenticating
+ local router on remote peer;
+
+ * ``crl-file`` - file with the Certificate Revocation List. Using to check if
+ a certificate for the remote peer is valid or revoked;
+
+ * ``key`` - a private key, which will be used for authenticating local router
+ on remote peer:
+
+ * ``file`` - path to the key file;
+
+ * ``password`` - passphrase private key, if needed.
+
+* ``connection-type`` - how to handle this connection process. Possible
+ variants:
+
+ * ``initiate`` - do initial connection to remote peer immediately after
+ configuring and after boot. In this mode the connection will not be restarted
+ in case of disconnection, therefore should be used only together with DPD or
+ another session tracking methods;
+
+ * ``respond`` - do not try to initiate a connection to a remote peer. In this
+ mode, the IPSec session will be established only after initiation from a
+ remote peer. Could be useful when there is no direct connectivity to the
+ peer due to firewall or NAT in the middle of the local and remote side.
+
+* ``default-esp-group`` - ESP group to use by default for traffic encryption.
+ Might be overwritten by individual settings for tunnel or VTI interface
+ binding;
+
+* ``description`` - description for this peer;
+
+* ``dhcp-interface`` - use an IP address, received from DHCP for IPSec
+ connection with this peer, instead of ``local-address``;
+
+* ``force-encapsulation`` - force encapsulation of ESP into UDP datagrams.
+ Useful in case if between local and remote side is firewall or NAT, which not
+ allows passing plain ESP packets between them;
+
+* ``ike-group`` - IKE group to use for key exchanges;
+
+* ``ikev2-reauth`` - reauthenticate remote peer during the rekeying process.
+ Can be used only with IKEv2:
+
+ * ``yes`` - create a new IKE_SA from the scratch and try to recreate all
+ IPsec SAs;
+
+ * ``no`` - rekey without uninstalling the IPsec SAs;
+
+ * ``inherit`` - use default behavior for the used IKE group.
+
+* ``local-address`` - local IP address for IPSec connection with this peer.
+ If defined ``any``, then an IP address which configured on interface with
+ default route will be used;
+
+* ``tunnel`` - define criteria for traffic to be matched for encrypting and send
+ it to a peer:
+
+ * ``disable`` - disable this tunnel;
+
+ * ``esp-group`` - define ESP group for encrypt traffic, defined by this tunnel;
+
+ * ``local`` - define a local source for match traffic, which should be
+ encrypted and send to this peer:
+
+ * ``port`` - define port. Have effect only when used together with ``prefix``;
+
+ * ``prefix`` - IP network at local side.
+
+ * ``protocol`` - define the protocol for match traffic, which should be
+ encrypted and send to this peer;
+
+ * ``remote`` - define the remote destination for match traffic, which should be
+ encrypted and send to this peer:
+
+ * ``port`` - define port. Have effect only when used together with ``prefix``;
+
+ * ``prefix`` - IP network at remote side.
+
+* ``vti`` - use a VTI interface for traffic encryption. Any traffic, which will
+ be send to VTI interface will be encrypted and send to this peer. Using VTI
+ makes IPSec configuration much flexible and easier in complex situation, and
+ allows to dynamically add/delete remote networks, reachable via a peer, as in
+ this mode router don't need to create additional SA/policy for each remote
+ network:
+
+ * ``bind`` - select a VTI interface to bind to this peer;
+
+ * ``esp-group`` - define ESP group for encrypt traffic, passed this VTI
+ interface.
+
+Examples:
+------------------
+
+IKEv1
+^^^^^
+
+Example:
+
+* WAN interface on `eth1`
+* left subnet: `192.168.0.0/24` site1, server side (i.e. locality, actually
+ there is no client or server roles)
+* left local_ip: `198.51.100.3` # server side WAN IP
+* right subnet: `10.0.0.0/24` site2,remote office side
+* right local_ip: `203.0.113.2` # remote office side WAN IP
+
+.. code-block:: none
+
+ # server config
+ set vpn ipsec esp-group office-srv-esp compression 'disable'
+ set vpn ipsec esp-group office-srv-esp lifetime '1800'
+ set vpn ipsec esp-group office-srv-esp mode 'tunnel'
+ set vpn ipsec esp-group office-srv-esp pfs 'enable'
+ set vpn ipsec esp-group office-srv-esp proposal 1 encryption 'aes256'
+ set vpn ipsec esp-group office-srv-esp proposal 1 hash 'sha1'
+ set vpn ipsec ike-group office-srv-ike ikev2-reauth 'no'
+ set vpn ipsec ike-group office-srv-ike key-exchange 'ikev1'
+ set vpn ipsec ike-group office-srv-ike lifetime '3600'
+ set vpn ipsec ike-group office-srv-ike proposal 1 encryption 'aes256'
+ set vpn ipsec ike-group office-srv-ike proposal 1 hash 'sha1'
+ set vpn ipsec ipsec-interfaces interface 'eth1'
+ set vpn ipsec site-to-site peer 203.0.113.2 authentication mode 'pre-shared-secret'
+ set vpn ipsec site-to-site peer 203.0.113.2 authentication pre-shared-secret 'SomePreSharedKey'
+ set vpn ipsec site-to-site peer 203.0.113.2 ike-group 'office-srv-ike'
+ set vpn ipsec site-to-site peer 203.0.113.2 local-address '198.51.100.3'
+ set vpn ipsec site-to-site peer 203.0.113.2 tunnel 0 allow-nat-networks 'disable'
+ set vpn ipsec site-to-site peer 203.0.113.2 tunnel 0 allow-public-networks 'disable'
+ set vpn ipsec site-to-site peer 203.0.113.2 tunnel 0 esp-group 'office-srv-esp'
+ set vpn ipsec site-to-site peer 203.0.113.2 tunnel 0 local prefix '192.168.0.0/24'
+ set vpn ipsec site-to-site peer 203.0.113.2 tunnel 0 remote prefix '10.0.0.0/21'
+
+ # remote office config
+ set vpn ipsec esp-group office-srv-esp compression 'disable'
+ set vpn ipsec esp-group office-srv-esp lifetime '1800'
+ set vpn ipsec esp-group office-srv-esp mode 'tunnel'
+ set vpn ipsec esp-group office-srv-esp pfs 'enable'
+ set vpn ipsec esp-group office-srv-esp proposal 1 encryption 'aes256'
+ set vpn ipsec esp-group office-srv-esp proposal 1 hash 'sha1'
+ set vpn ipsec ike-group office-srv-ike ikev2-reauth 'no'
+ set vpn ipsec ike-group office-srv-ike key-exchange 'ikev1'
+ set vpn ipsec ike-group office-srv-ike lifetime '3600'
+ set vpn ipsec ike-group office-srv-ike proposal 1 encryption 'aes256'
+ set vpn ipsec ike-group office-srv-ike proposal 1 hash 'sha1'
+ set vpn ipsec ipsec-interfaces interface 'eth1'
+ set vpn ipsec site-to-site peer 198.51.100.3 authentication mode 'pre-shared-secret'
+ set vpn ipsec site-to-site peer 198.51.100.3 authentication pre-shared-secret 'SomePreSharedKey'
+ set vpn ipsec site-to-site peer 198.51.100.3 ike-group 'office-srv-ike'
+ set vpn ipsec site-to-site peer 198.51.100.3 local-address '203.0.113.2'
+ set vpn ipsec site-to-site peer 198.51.100.3 tunnel 0 allow-nat-networks 'disable'
+ set vpn ipsec site-to-site peer 198.51.100.3 tunnel 0 allow-public-networks 'disable'
+ set vpn ipsec site-to-site peer 198.51.100.3 tunnel 0 esp-group 'office-srv-esp'
+ set vpn ipsec site-to-site peer 198.51.100.3 tunnel 0 local prefix '10.0.0.0/21'
+ set vpn ipsec site-to-site peer 198.51.100.3 tunnel 0 remote prefix '192.168.0.0/24'
+
+Show status of new setup:
+
+.. code-block:: none
+
+ vyos@srv-gw0:~$ show vpn ike sa
+ Peer ID / IP Local ID / IP
+ ------------ -------------
+ 203.0.113.2 198.51.100.3
+ State Encrypt Hash D-H Grp NAT-T A-Time L-Time
+ ----- ------- ---- ------- ----- ------ ------
+ up aes256 sha1 5 no 734 3600
+
+ vyos@srv-gw0:~$ show vpn ipsec sa
+ Peer ID / IP Local ID / IP
+ ------------ -------------
+ 203.0.113.2 198.51.100.3
+ Tunnel State Bytes Out/In Encrypt Hash NAT-T A-Time L-Time Proto
+ ------ ----- ------------- ------- ---- ----- ------ ------ -----
+ 0 up 7.5M/230.6K aes256 sha1 no 567 1800 all
+
+If there is SNAT rules on eth1, need to add exclude rule
+
+.. code-block:: none
+
+ # server side
+ set nat source rule 10 destination address '10.0.0.0/24'
+ set nat source rule 10 'exclude'
+ set nat source rule 10 outbound-interface 'eth1'
+ set nat source rule 10 source address '192.168.0.0/24'
+
+ # remote office side
+ set nat source rule 10 destination address '192.168.0.0/24'
+ set nat source rule 10 'exclude'
+ set nat source rule 10 outbound-interface 'eth1'
+ set nat source rule 10 source address '10.0.0.0/24'
+
+To allow traffic to pass through to clients, you need to add the following
+rules. (if you used the default configuration at the top of this page)
+
+.. code-block:: none
+
+ # server side
+ set firewall name OUTSIDE-LOCAL rule 32 action 'accept'
+ set firewall name OUTSIDE-LOCAL rule 32 source address '10.0.0.0/24'
+
+ # remote office side
+ set firewall name OUTSIDE-LOCAL rule 32 action 'accept'
+ set firewall name OUTSIDE-LOCAL rule 32 source address '192.168.0.0/24'
+
+IKEv2
+^^^^^
+
+Imagine the following topology
+
+.. figure:: /_static/images/vpn_s2s_ikev2.png
+ :scale: 50 %
+ :alt: IPSec IKEv2 site2site VPN
+
+ IPSec IKEv2 site2site VPN (source ./draw.io/vpn_s2s_ikev2.drawio)
+
+
+.. note:: Don't get confused about the used /31 tunnel subnet. :rfc:`3021`
+ gives you additional information for using /31 subnets on point-to-point
+ links.
+
+**left**
+
+.. code-block:: none
+
+ set interfaces vti vti10 address '10.0.0.2/31'
+
+ set vpn ipsec esp-group ESP_DEFAULT compression 'disable'
+ set vpn ipsec esp-group ESP_DEFAULT lifetime '3600'
+ set vpn ipsec esp-group ESP_DEFAULT mode 'tunnel'
+ set vpn ipsec esp-group ESP_DEFAULT pfs 'dh-group19'
+ set vpn ipsec esp-group ESP_DEFAULT proposal 10 encryption 'aes256gcm128'
+ set vpn ipsec esp-group ESP_DEFAULT proposal 10 hash 'sha256'
+ set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection action 'hold'
+ set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection interval '30'
+ set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection timeout '120'
+ set vpn ipsec ike-group IKEv2_DEFAULT ikev2-reauth 'no'
+ set vpn ipsec ike-group IKEv2_DEFAULT key-exchange 'ikev2'
+ set vpn ipsec ike-group IKEv2_DEFAULT lifetime '10800'
+ set vpn ipsec ike-group IKEv2_DEFAULT mobike 'disable'
+ set vpn ipsec ike-group IKEv2_DEFAULT proposal 10 dh-group '19'
+ set vpn ipsec ike-group IKEv2_DEFAULT proposal 10 encryption 'aes256gcm128'
+ set vpn ipsec ike-group IKEv2_DEFAULT proposal 10 hash 'sha256'
+ set vpn ipsec ipsec-interfaces interface 'eth0.201'
+ set vpn ipsec site-to-site peer 172.18.202.10 authentication id '172.18.201.10'
+ set vpn ipsec site-to-site peer 172.18.202.10 authentication mode 'pre-shared-secret'
+ set vpn ipsec site-to-site peer 172.18.202.10 authentication pre-shared-secret 'secretkey'
+ set vpn ipsec site-to-site peer 172.18.202.10 authentication remote-id '172.18.202.10'
+ set vpn ipsec site-to-site peer 172.18.202.10 connection-type 'initiate'
+ set vpn ipsec site-to-site peer 172.18.202.10 ike-group 'IKEv2_DEFAULT'
+ set vpn ipsec site-to-site peer 172.18.202.10 ikev2-reauth 'inherit'
+ set vpn ipsec site-to-site peer 172.18.202.10 local-address '172.18.201.10'
+ set vpn ipsec site-to-site peer 172.18.202.10 vti bind 'vti10'
+ set vpn ipsec site-to-site peer 172.18.202.10 vti esp-group 'ESP_DEFAULT'
+
+**right**
+
+.. code-block:: none
+
+ set interfaces vti vti10 address '10.0.0.3/31'
+
+ set vpn ipsec esp-group ESP_DEFAULT compression 'disable'
+ set vpn ipsec esp-group ESP_DEFAULT lifetime '3600'
+ set vpn ipsec esp-group ESP_DEFAULT mode 'tunnel'
+ set vpn ipsec esp-group ESP_DEFAULT pfs 'dh-group19'
+ set vpn ipsec esp-group ESP_DEFAULT proposal 10 encryption 'aes256gcm128'
+ set vpn ipsec esp-group ESP_DEFAULT proposal 10 hash 'sha256'
+ set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection action 'hold'
+ set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection interval '30'
+ set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection timeout '120'
+ set vpn ipsec ike-group IKEv2_DEFAULT ikev2-reauth 'no'
+ set vpn ipsec ike-group IKEv2_DEFAULT key-exchange 'ikev2'
+ set vpn ipsec ike-group IKEv2_DEFAULT lifetime '10800'
+ set vpn ipsec ike-group IKEv2_DEFAULT mobike 'disable'
+ set vpn ipsec ike-group IKEv2_DEFAULT proposal 10 dh-group '19'
+ set vpn ipsec ike-group IKEv2_DEFAULT proposal 10 encryption 'aes256gcm128'
+ set vpn ipsec ike-group IKEv2_DEFAULT proposal 10 hash 'sha256'
+ set vpn ipsec ipsec-interfaces interface 'eth0.202'
+ set vpn ipsec site-to-site peer 172.18.201.10 authentication id '172.18.202.10'
+ set vpn ipsec site-to-site peer 172.18.201.10 authentication mode 'pre-shared-secret'
+ set vpn ipsec site-to-site peer 172.18.201.10 authentication pre-shared-secret 'secretkey'
+ set vpn ipsec site-to-site peer 172.18.201.10 authentication remote-id '172.18.201.10'
+ set vpn ipsec site-to-site peer 172.18.201.10 connection-type 'initiate'
+ set vpn ipsec site-to-site peer 172.18.201.10 ike-group 'IKEv2_DEFAULT'
+ set vpn ipsec site-to-site peer 172.18.201.10 ikev2-reauth 'inherit'
+ set vpn ipsec site-to-site peer 172.18.201.10 local-address '172.18.202.10'
+ set vpn ipsec site-to-site peer 172.18.201.10 vti bind 'vti10'
+ set vpn ipsec site-to-site peer 172.18.201.10 vti esp-group 'ESP_DEFAULT'
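Review bot: the IKEv1 example is internally inconsistent about the remote office prefix. The bullet list declares ``right subnet: 10.0.0.0/24`` and the NAT exclude and firewall rules use ``10.0.0.0/24``, but the tunnel selectors use ``tunnel 0 remote prefix '10.0.0.0/21'`` on the server and ``tunnel 0 local prefix '10.0.0.0/21'`` on the remote office, so traffic from 10.0.0.0/24 would match the tunnel while the NAT exclude rule would not cover the rest of the /21; pick one prefix and use it in all three places. The reStructuredText label at the top, ``.. _size2site_ipsec:``, is misspelled relative to the file name (``site2site``) and any ``:ref:`` to it will have to carry the typo. The firewall paragraph refers to "the default configuration at the top of this page" and a ruleset named ``OUTSIDE-LOCAL``, neither of which is defined in this file, so it should link to the page that defines that ruleset or describe what the rule is supposed to permit. Finally, the IKEv1 ``show vpn ike sa`` output reports ``D-H Grp 5`` although the ``office-srv-ike`` group never sets a ``dh-group``; either add the ``proposal 1 dh-group`` line to the config or note that this is the default.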
diff --git a/docs/configuration/vpn/sstp.rst b/docs/configuration/vpn/sstp.rst
new file mode 100644
index 00000000..3600681f
--- /dev/null
+++ b/docs/configuration/vpn/sstp.rst
@@ -0,0 +1,353 @@
+.. _sstp:
+
+####
+SSTP
+####
+
+:abbr:`SSTP (Secure Socket Tunneling Protocol)` is a form of :abbr:`VPN
+(Virtual Private Network)` tunnel that provides a mechanism to transport PPP
+traffic through an SSL/TLS channel. SSL/TLS provides transport-level security
+with key negotiation, encryption and traffic integrity checking. The use of
+SSL/TLS over TCP port 443 allows SSTP to pass through virtually all firewalls
+and proxy servers except for authenticated web proxies.
+
+SSTP is available for Linux, BSD, and Windows.
+
+VyOS utilizes accel-ppp_ to provide SSTP server functionality. We support both
+local and RADIUS authentication.
+
+As SSTP provides PPP via a SSL/TLS channel the use of either publically signed
+certificates as well as a private PKI is required.
+
+.. note:: All certificates should be stored on VyOS under ``/config/auth``. If
+ certificates are not stored in the ``/config`` directory they will not be
+ migrated during a software update.
+
+Certificates
+============
+
+Self Signed CA
+--------------
+
+To generate the CA, the server private key and certificates the following
+commands can be used.
+
+.. code-block:: none
+
+ vyos@vyos:~$ mkdir -p /config/user-data/sstp
+ vyos@vyos:~$ openssl req -newkey rsa:4096 -new -nodes -x509 -days 3650 -keyout /config/user-data/sstp/server.key -out /config/user-data/sstp/server.crt
+
+ Generating a 4096 bit RSA private key
+ .........................++
+ ...............................................................++
+ writing new private key to 'server.key'
+ [...]
+ Country Name (2 letter code) [AU]:
+ State or Province Name (full name) [Some-State]:
+ Locality Name (eg, city) []:
+ Organization Name (eg, company) [Internet Widgits Pty Ltd]:
+ Organizational Unit Name (eg, section) []:
+ Common Name (e.g. server FQDN or YOUR name) []:
+ Email Address []:
+
+ vyos@vyos:~$ openssl req -new -x509 -key /config/user-data/sstp/server.key -out /config/user-data/sstp/ca.crt
+ [...]
+ Country Name (2 letter code) [AU]:
+ State or Province Name (full name) [Some-State]:
+ Locality Name (eg, city) []:
+ Organization Name (eg, company) [Internet Widgits Pty Ltd]:
+ Organizational Unit Name (eg, section) []:
+ Common Name (e.g. server FQDN or YOUR name) []:
+ Email Address []:
+
+
+Configuration
+=============
+
+.. cfgcmd:: set vpn sstp authentication local-users username <user> password
+ <pass>
+
+ Create `<user>` for local authentication on this system. The users password
+ will be set to `<pass>`.
+
+.. cfgcmd:: set vpn sstp authentication local-users username <user> disable
+
+ Disable `<user>` account.
+
+.. cfgcmd:: set vpn sstp authentication local-users username <user> static-ip
+ <address>
+
+ Assign static IP address to `<user>` account.
+
+.. cfgcmd:: set vpn sstp authentication local-users username <user> rate-limit
+ download <bandwidth>
+
+ Download bandwidth limit in kbit/s for `<user>`.
+
+.. cfgcmd:: set vpn sstp authentication local-users username <user> rate-limit
+ upload <bandwidth>
+
+ Upload bandwidth limit in kbit/s for `<user>`.
+
+.. cfgcmd:: set vpn sstp authentication protocols
+ <pap | chap | mschap | mschap-v2>
+
+ Require the peer to authenticate itself using one of the following protocols:
+ pap, chap, mschap, mschap-v2.
+
+.. cfgcmd:: set vpn sstp authentication mode <local | radius>
+
+ Set authentication backend. The configured authentication backend is used
+ for all queries.
+
+ * **radius**: All authentication queries are handled by a configured RADIUS
+ server.
+ * **local**: All authentication queries are handled locally.
+
+
+.. cfgcmd:: set vpn sstp gateway-address <gateway>
+
+ Specifies single `<gateway>` IP address to be used as local address of PPP
+ interfaces.
+
+
+.. cfgcmd:: set vpn sstp client-ip-pool subnet <subnet>
+
+ Use `<subnet>` as the IP pool for all connecting clients.
+
+
+.. cfgcmd:: set vpn sstp client-ipv6-pool prefix <address> mask <number-of-bits>
+
+ Use this comand to set the IPv6 address pool from which an SSTP client
+ will get an IPv6 prefix of your defined length (mask) to terminate the
+ SSTP endpoint at their side. The mask length can be set from 48 to 128
+ bit long, the default value is 64.
+
+
+.. cfgcmd:: set vpn sstp client-ipv6-pool delegate <address> delegation-prefix
+ <number-of-bits>
+
+ Use this command to configure DHCPv6 Prefix Delegation (RFC3633) on
+ SSTP. You will have to set your IPv6 pool and the length of the
+ delegation prefix. From the defined IPv6 pool you will be handing out
+ networks of the defined length (delegation-prefix). The length of the
+ delegation prefix can be set from 32 to 64 bit long.
+
+
+.. cfgcmd:: set vpn sstp name-server <address>
+
+ Connected client should use `<address>` as their DNS server. This
+ command accepts both IPv4 and IPv6 addresses. Up to two nameservers
+ can be configured for IPv4, up to three for IPv6.
+
+Maximum number of IPv4 nameservers
+
+SSL Certificates
+----------------
+
+.. cfgcmd:: set vpn sstp ssl ca-cert-file <file>
+
+ Path to `<file>` pointing to the certificate authority certificate.
+
+.. cfgcmd:: set vpn sstp ssl cert-file <file>
+
+ Path to `<file>` pointing to the servers certificate (public portion).
+
+.. cfgcmd:: set vpn sstp ssl key-file <file>
+
+ Path to `<file>` pointing to the servers certificate (private portion).
+
+PPP Settings
+------------
+
+.. cfgcmd:: set vpn sstp ppp-options lcp-echo-failure <number>
+
+ Defines the maximum `<number>` of unanswered echo requests. Upon reaching the
+ value `<number>`, the session will be reset.
+
+.. cfgcmd:: set vpn sstp ppp-options lcp-echo-interval <interval>
+
+ If this option is specified and is greater than 0, then the PPP module will
+ send LCP pings of the echo request every `<interval>` seconds.
+
+.. cfgcmd:: set vpn sstp ppp-options lcp-echo-timeout
+
+ Specifies timeout in seconds to wait for any peer activity. If this option
+ specified it turns on adaptive lcp echo functionality and "lcp-echo-failure"
+ is not used.
+
+.. cfgcmd:: set vpn sstp ppp-options mppe <require | prefer | deny>
+
+ Specifies :abbr:`MPPE (Microsoft Point-to-Point Encryption)` negotioation
+ preference.
+
+ * **require** - ask client for mppe, if it rejects drop connection
+ * **prefer** - ask client for mppe, if it rejects don't fail
+ * **deny** - deny mppe
+
+ Default behavior - don't ask client for mppe, but allow it if client wants.
+ Please note that RADIUS may override this option by MS-MPPE-Encryption-Policy
+ attribute.
+
+
+RADIUS
+------
+
+Server
+^^^^^^
+
+.. cfgcmd:: set vpn sstp authentication radius server <server> port <port>
+
+ Configure RADIUS `<server>` and its required port for authentication requests.
+
+.. cfgcmd:: set vpn sstp authentication radius server <server> key <secret>
+
+ Configure RADIUS `<server>` and its required shared `<secret>` for
+ communicating with the RADIUS server.
+
+.. cfgcmd:: set vpn sstp authentication radius server <server> fail-time <time>
+
+ Mark RADIUS server as offline for this given `<time>` in seconds.
+
+.. cfgcmd:: set vpn sstp authentication radius server <server> disable
+
+ Temporary disable this RADIUS server.
+
+Options
+^^^^^^^
+
+.. cfgcmd:: set vpn sstp authentication radius acct-timeout <timeout>
+
+ Timeout to wait reply for Interim-Update packets. (default 3 seconds)
+
+.. cfgcmd:: set vpn sstp authentication radius dynamic-author server <address>
+
+ Specifies IP address for Dynamic Authorization Extension server (DM/CoA)
+
+.. cfgcmd:: set vpn sstp authentication radius dynamic-author port <port>
+
+ Port for Dynamic Authorization Extension server (DM/CoA)
+
+.. cfgcmd:: set vpn sstp authentication radius dynamic-author key <secret>
+
+ Secret for Dynamic Authorization Extension server (DM/CoA)
+
+.. cfgcmd:: set vpn sstp authentication radius max-try <number>
+
+ Maximum number of tries to send Access-Request/Accounting-Request queries
+
+.. cfgcmd:: set vpn sstp authentication radius timeout <timeout>
+
+ Timeout to wait response from server (seconds)
+
+.. cfgcmd:: set vpn sstp authentication radius nas-identifier <identifier>
+
+ Value to send to RADIUS server in NAS-Identifier attribute and to be matched
+ in DM/CoA requests.
+
+.. cfgcmd:: set vpn sstp authentication radius nas-ip-address <address>
+
+ Value to send to RADIUS server in NAS-IP-Address attribute and to be matched
+ in DM/CoA requests. Also DM/CoA server will bind to that address.
+
+.. cfgcmd:: set vpn sstp authentication radius source-address <address>
+
+ Source IPv4 address used in all RADIUS server queires.
+
+.. cfgcmd:: set vpn sstp authentication radius rate-limit attribute <attribute>
+
+ Specifies which RADIUS server attribute contains the rate limit information.
+ The default attribute is `Filter-Id`.
+
+.. cfgcmd:: set vpn sstp authentication radius rate-limit enable
+
+ Enables bandwidth shaping via RADIUS.
+
+.. cfgcmd:: set vpn sstp authentication radius rate-limit vendor
+
+ Specifies the vendor dictionary, dictionary needs to be in
+ /usr/share/accel-ppp/radius.
+
+
+Example
+=======
+
+* Use local user `foo` with password `bar`
+* Client IP addresses will be provided from pool `192.0.2.0/25`
+
+.. code-block:: none
+
+ set vpn sstp authentication local-users username vyos password vyos
+ set vpn sstp authentication mode local
+ set vpn sstp gateway-address 192.0.2.254
+ set vpn sstp client-ip-pool subnet 192.0.2.0/25
+ set vpn sstp name-server 10.0.0.1
+ set vpn sstp name-server 10.0.0.2
+ set vpn sstp ssl ca-cert-file /config/auth/ca.crt
+ set vpn sstp ssl cert-file /config/auth/server.crt
+ set vpn sstp ssl key-file /config/auth/server.key
+
+Testing SSTP
+============
+
+Once you have setup your SSTP server there comes the time to do some basic
+testing. The Linux client used for testing is called sstpc_. sstpc_ requires a
+PPP configuration/peer file.
+
+The following PPP configuration tests MSCHAP-v2:
+
+.. code-block:: none
+
+ $ cat /etc/ppp/peers/vyos
+ usepeerdns
+ #require-mppe
+ #require-pap
+ require-mschap-v2
+ noauth
+ lock
+ refuse-pap
+ refuse-eap
+ refuse-chap
+ refuse-mschap
+ #refuse-mschap-v2
+ nobsdcomp
+ nodeflate
+ debug
+
+
+You can now "dial" the peer with the follwoing command: ``sstpc --log-level 4
+--log-stderr --user vyos --password vyos vpn.example.com -- call vyos``.
+
+A connection attempt will be shown as:
+
+.. code-block:: none
+
+ $ sstpc --log-level 4 --log-stderr --user vyos --password vyos vpn.example.com -- call vyos
+
+ Mar 22 13:29:12 sstpc[12344]: Resolved vpn.example.com to 192.0.2.1
+ Mar 22 13:29:12 sstpc[12344]: Connected to vpn.example.com
+ Mar 22 13:29:12 sstpc[12344]: Sending Connect-Request Message
+ Mar 22 13:29:12 sstpc[12344]: SEND SSTP CRTL PKT(14)
+ Mar 22 13:29:12 sstpc[12344]: TYPE(1): CONNECT REQUEST, ATTR(1):
+ Mar 22 13:29:12 sstpc[12344]: ENCAP PROTO(1): 6
+ Mar 22 13:29:12 sstpc[12344]: RECV SSTP CRTL PKT(48)
+ Mar 22 13:29:12 sstpc[12344]: TYPE(2): CONNECT ACK, ATTR(1):
+ Mar 22 13:29:12 sstpc[12344]: CRYPTO BIND REQ(4): 40
+ Mar 22 13:29:12 sstpc[12344]: Started PPP Link Negotiation
+ Mar 22 13:29:15 sstpc[12344]: Sending Connected Message
+ Mar 22 13:29:15 sstpc[12344]: SEND SSTP CRTL PKT(112)
+ Mar 22 13:29:15 sstpc[12344]: TYPE(4): CONNECTED, ATTR(1):
+ Mar 22 13:29:15 sstpc[12344]: CRYPTO BIND(3): 104
+ Mar 22 13:29:15 sstpc[12344]: Connection Established
+
+ $ ip addr show ppp0
+ 164: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1452 qdisc fq_codel state UNKNOWN group default qlen 3
+ link/ppp promiscuity 0
+ inet 100.64.2.2 peer 100.64.1.1/32 scope global ppp0
+ valid_lft forever preferred_lft forever
+
+
+
+.. _sstpc: https://github.com/reliablehosting/sstp-client
+
+.. include:: /_include/common-references.txt
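Review bot: the worked example is internally inconsistent: the bullets announce local user `foo` with password `bar`, but the configuration that follows sets `set vpn sstp authentication local-users username vyos password vyos`, and the later `sstpc --user vyos --password vyos` test depends on the latter; pick one pair and use it throughout. The `rate-limit vendor` cfgcmd is the only one in the RADIUS block without a placeholder argument although its description says it "Specifies the vendor dictionary"; add `<vendor>` to match the form of the sibling `rate-limit attribute <attribute>` entry. In the testing section, the dial command passes the password on the command line (`--password vyos`), which makes it visible to every local user via the process list; since the page already introduces an `/etc/ppp/peers/vyos` file, a sentence noting that the credential is better kept out of the command line would help readers who copy the example verbatim. Minor spelling: "negotioation" (MPPE entry), "queires" (source-address entry) and "follwoing" (dial paragraph).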