Diffstat (limited to 'docs/configuration/vpn')
-rw-r--r-- docs/configuration/vpn/l2tp.rst 6
-rw-r--r-- docs/configuration/vpn/site2site_ipsec.rst 47
2 files changed, 50 insertions, 3 deletions
diff --git a/docs/configuration/vpn/l2tp.rst b/docs/configuration/vpn/l2tp.rst
index 0df5080c..3418b66c 100644
--- a/docs/configuration/vpn/l2tp.rst
+++ b/docs/configuration/vpn/l2tp.rst
@@ -26,7 +26,7 @@ with native Windows and Mac VPN clients):
set vpn l2tp remote-access authentication mode local
set vpn l2tp remote-access authentication local-users username test password 'test'
-In the example above an external IP of 192.0.2.2 is assumed.
+In the above example, an external IP of 192.0.2.2 is assumed.
If a local firewall policy is in place on your external interface you will need
to allow the ports below:
@@ -162,7 +162,7 @@ servers can be setup and will be used subsequentially.
RADIUS source address
^^^^^^^^^^^^^^^^^^^^^
-If you are using OSPF as IGP always the closets interface connected to the
+If you are using OSPF as IGP, always the closest interface connected to the
RADIUS server is used. With VyOS 1.2 you can bind all outgoing RADIUS requests
to a single source IP e.g. the loopback interface.
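Review bot: the spelling fix is correct, but the sentence remains awkward as rewritten: "If you are using OSPF as IGP, always the closest interface connected to the RADIUS server is used". Suggest "If you are using OSPF as the IGP, the interface closest to the RADIUS server is always used as the source address", which also makes it clearer what the single-source-IP binding described in the next sentence overrides.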
@@ -174,7 +174,7 @@ Above command will use `10.0.0.3` as source IPv4 address for all RADIUS queries
on this NAS.
.. note:: The ``source-address`` must be configured on one of VyOS interface.
- Best proctice would be a loopback or dummy interface.
+ Best practice would be a loopback or dummy interface.
RADIUS bandwidth shaping attribute
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
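Review bot: the unchanged context line directly above the fix, `.. note:: The ``source-address`` must be configured on one of VyOS interface.`, has a grammar error of its own and should read `on one of the VyOS interfaces`; since this hunk already edits the second line of the same note, correcting the first line alongside it keeps the note consistent.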
diff --git a/docs/configuration/vpn/site2site_ipsec.rst b/docs/configuration/vpn/site2site_ipsec.rst
index e81c5c3b..879f8dfa 100644
--- a/docs/configuration/vpn/site2site_ipsec.rst
+++ b/docs/configuration/vpn/site2site_ipsec.rst
@@ -344,3 +344,50 @@ Imagine the following topology
set vpn ipsec site-to-site peer 172.18.201.10 local-address '172.18.202.10'
set vpn ipsec site-to-site peer 172.18.201.10 vti bind 'vti10'
set vpn ipsec site-to-site peer 172.18.201.10 vti esp-group 'ESP_DEFAULT'
+
+Key Parameters:
+
+* ``authentication local-id/remote-id`` - IKE identification is used for
+ validation of VPN peer devices during IKE negotiation. If you do not configure
+ local/remote-identity, the device uses the IPv4 or IPv6 address that
+ corresponds to the local/remote peer by default.
+ In certain network setups (like ipsec interface with dynamic address, or
+ behind the NAT ), the IKE ID received from the peer does not match the IKE
+ gateway configured on the device. This can lead to a Phase 1 validation
+ failure.
+ So, make sure to configure the local/remote id explicitly and ensure that the
+ IKE ID is the same as the remote-identity configured on the peer device.
+
+* ``disable-route-autoinstall`` - This option when configured disables the
+ routes installed in the default table 220 for site-to-site ipsec.
+ It is mostly used with VTI configuration.
+
+* ``dead-peer-detection action = clear | hold | restart`` - R_U_THERE
+ notification messages(IKEv1) or empty INFORMATIONAL messages (IKEv2)
+ are periodically sent in order to check the liveliness of the IPsec peer. The
+ values clear, hold, and restart all activate DPD and determine the action to
+ perform on a timeout.
+ With ``clear`` the connection is closed with no further actions taken.
+ ``hold`` installs a trap policy, which will catch matching traffic and tries
+ to re-negotiate the connection on demand.
+ ``restart`` will immediately trigger an attempt to re-negotiate the
+ connection.
+
+* ``close-action = none | clear | hold | restart`` - defines the action to take
+ if the remote peer unexpectedly closes a CHILD_SA (see above for meaning of
+ values). A closeaction should not be used if the peer uses reauthentication or
+ uniqueids.
+
+ When the close-action option is set on the peers, the connection-type
+ of each peer has to considered carefully. For example, if the option is set
+ on both peers, then both would attempt to initiate and hold open multiple
+ copies of each child SA. This might lead to instability of the device or
+ cpu/memory utilization.
+
+ Below flow-chart could be a quick reference for the close-action
+ combination depending on how the peer is configured.
+
+.. figure:: /_static/images/IPSec_close_action_settings.jpg
+
+ Similar combinations are applicable for the dead-peer-detection.
+
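Review bot: the final added text line, ` Similar combinations are applicable for the dead-peer-detection.`, is indented under the `.. figure::` directive, so Sphinx will render it as the figure caption rather than as a body paragraph; dedent it if it is meant as a paragraph, and give the figure an explicit caption or `:alt:` text describing the close-action combinations so the information is not lost for readers without the image. Several wording fixes in the same hunk: `behind the NAT )` → `behind NAT)`, `messages(IKEv1)` → `messages (IKEv1)`, `A closeaction` → `A close-action`, `uniqueids` → `unique IDs`, `has to considered` → `has to be considered`, and `Below flow-chart could be a quick reference` → `The flow chart below is a quick reference`. The ``disable-route-autoinstall`` bullet would also be clearer as "prevents routes for the site-to-site connection from being installed automatically into routing table 220", since the option stops the routes from being installed rather than disabling routes that already exist, which matters when the reader is deciding whether to manage routing over the VTI manually.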