Diffstat (limited to 'docs/configuration/vpn')
-rw-r--r-- docs/configuration/vpn/dmvpn.rst 5
-rw-r--r-- docs/configuration/vpn/ipsec.rst 67
-rw-r--r-- docs/configuration/vpn/l2tp.rst 4
-rw-r--r-- docs/configuration/vpn/openconnect.rst 41
-rw-r--r-- docs/configuration/vpn/site2site_ipsec.rst 156
-rw-r--r-- docs/configuration/vpn/sstp.rst 14
6 files changed, 163 insertions, 124 deletions
diff --git a/docs/configuration/vpn/dmvpn.rst b/docs/configuration/vpn/dmvpn.rst index f2c7b162..66fc79da 100644 --- a/docs/configuration/vpn/dmvpn.rst +++ b/docs/configuration/vpn/dmvpn.rst @@ -218,7 +218,7 @@ Hub set vpn ipsec ike-group IKE-HUB proposal 2 encryption 'aes128' set vpn ipsec ike-group IKE-HUB proposal 2 hash 'sha1' - set vpn ipsec ipsec-interfaces interface 'eth0' + set vpn ipsec interface 'eth0' set vpn ipsec profile NHRPVPN authentication mode 'pre-shared-secret' set vpn ipsec profile NHRPVPN authentication pre-shared-secret 'secret' @@ -278,6 +278,7 @@ spoke01-spoke04 ip nhrp registration timeout 75 tunnel source FastEthernet0/0 tunnel mode gre multipoint + tunnel protection ipsec profile DMVPN tunnel key 1 ! interface FastEthernet0/0 @@ -327,7 +328,7 @@ VyOS can also run in DMVPN spoke mode. set vpn ipsec ike-group IKE-HUB proposal 2 encryption 'aes128' set vpn ipsec ike-group IKE-HUB proposal 2 hash 'sha1' - set vpn ipsec ipsec-interfaces interface 'eth0' + set vpn ipsec interface 'eth0' set vpn ipsec profile NHRPVPN authentication mode 'pre-shared-secret' set vpn ipsec profile NHRPVPN authentication pre-shared-secret 'secret' diff --git a/docs/configuration/vpn/ipsec.rst b/docs/configuration/vpn/ipsec.rst index 693f3ec6..d6a4733c 100644 --- a/docs/configuration/vpn/ipsec.rst +++ b/docs/configuration/vpn/ipsec.rst @@ -111,6 +111,8 @@ VyOS IKE group has the next options: * ``hash`` hash algorithm. + * ``prf`` pseudo-random function. + *********************************************** ESP (Encapsulating Security Payload) Attributes *********************************************** @@ -166,7 +168,7 @@ VyOS ESP group has the next options: *********************************************** Options (Global IPsec settings) Attributes *********************************************** -* ``options`` IPsec settings: +* ``options`` * ``disable-route-autoinstall`` Do not automatically install routes to remote networks; 
@@ -198,7 +200,7 @@ On the LEFT: set interfaces tunnel tun0 address 10.10.10.1/30 ## IPsec - set vpn ipsec ipsec-interfaces interface eth0 + set vpn ipsec interface eth0 # IKE group set vpn ipsec ike-group MyIKEGroup proposal 1 dh-group '2' @@ -210,16 +212,18 @@ On the LEFT: set vpn ipsec esp-group MyESPGroup proposal 1 hash 'sha1' # IPsec tunnel - set vpn ipsec site-to-site peer 203.0.113.45 authentication mode pre-shared-secret - set vpn ipsec site-to-site peer 203.0.113.45 authentication pre-shared-secret MYSECRETKEY + set vpn ipsec site-to-site peer right authentication mode pre-shared-secret + set vpn ipsec site-to-site peer right authentication pre-shared-secret MYSECRETKEY + set vpn ipsec site-to-site peer right authentication remote-id 203.0.113.45 - set vpn ipsec site-to-site peer 203.0.113.45 ike-group MyIKEGroup - set vpn ipsec site-to-site peer 203.0.113.45 default-esp-group MyESPGroup + set vpn ipsec site-to-site peer right ike-group MyIKEGroup + set vpn ipsec site-to-site peer right default-esp-group MyESPGroup - set vpn ipsec site-to-site peer 203.0.113.45 local-address 192.0.2.10 + set vpn ipsec site-to-site peer right local-address 192.0.2.10 + set vpn ipsec site-to-site peer right remote-address 203.0.113.45 # This will match all GRE traffic to the peer - set vpn ipsec site-to-site peer 203.0.113.45 tunnel 1 protocol gre + set vpn ipsec site-to-site peer right tunnel 1 protocol gre On the RIGHT, setup by analogy and swap local and remote addresses. @@ -235,6 +239,8 @@ an IPsec policy to match those loopback addresses. We assume that the LEFT router has static 192.0.2.10 address on eth0, and the RIGHT router has a dynamic address on eth0. +The peer names RIGHT and LEFT are used as informational text. + **Setting up the GRE tunnel** On the LEFT: 
@@ -325,17 +331,17 @@ On the LEFT (static address): set vpn ipsec ike-group MyIKEGroup proposal 1 encryption aes128 set vpn ipsec ike-group MyIKEGroup proposal 1 hash sha1 - set vpn ipsec site-to-site peer @RIGHT authentication id LEFT - set vpn ipsec site-to-site peer @RIGHT authentication mode rsa - set vpn ipsec site-to-site peer @RIGHT authentication rsa local-key ipsec-LEFT - set vpn ipsec site-to-site peer @RIGHT authentication rsa remote-key ipsec-RIGHT - set vpn ipsec site-to-site peer @RIGHT authentication remote-id RIGHT - set vpn ipsec site-to-site peer @RIGHT default-esp-group MyESPGroup - set vpn ipsec site-to-site peer @RIGHT ike-group MyIKEGroup - set vpn ipsec site-to-site peer @RIGHT local-address 192.0.2.10 - set vpn ipsec site-to-site peer @RIGHT connection-type respond - set vpn ipsec site-to-site peer @RIGHT tunnel 1 local prefix 192.168.99.1/32 # Additional loopback address on the local - set vpn ipsec site-to-site peer @RIGHT tunnel 1 remote prefix 192.168.99.2/32 # Additional loopback address on the remote + set vpn ipsec site-to-site peer RIGHT authentication local-id LEFT + set vpn ipsec site-to-site peer RIGHT authentication mode rsa + set vpn ipsec site-to-site peer RIGHT authentication rsa local-key ipsec-LEFT + set vpn ipsec site-to-site peer RIGHT authentication rsa remote-key ipsec-RIGHT + set vpn ipsec site-to-site peer RIGHT authentication remote-id RIGHT + set vpn ipsec site-to-site peer RIGHT default-esp-group MyESPGroup + set vpn ipsec site-to-site peer RIGHT ike-group MyIKEGroup + set vpn ipsec site-to-site peer RIGHT local-address 192.0.2.10 + set vpn ipsec site-to-site peer RIGHT connection-type respond + set vpn ipsec site-to-site peer RIGHT tunnel 1 local prefix 192.168.99.1/32 # Additional loopback address on the local + set vpn ipsec site-to-site peer RIGHT tunnel 1 remote prefix 192.168.99.2/32 # Additional loopback address on the remote On the RIGHT (dynamic address): 
@@ -350,14 +356,15 @@ On the RIGHT (dynamic address): set vpn ipsec ike-group MyIKEGroup proposal 1 encryption aes128 set vpn ipsec ike-group MyIKEGroup proposal 1 hash sha1 - set vpn ipsec site-to-site peer 192.0.2.10 authentication id RIGHT - set vpn ipsec site-to-site peer 192.0.2.10 authentication mode rsa - set vpn ipsec site-to-site peer 192.0.2.10 authentication rsa local-key ipsec-RIGHT - set vpn ipsec site-to-site peer 192.0.2.10 authentication rsa remote-key ipsec-LEFT - set vpn ipsec site-to-site peer 192.0.2.10 authentication remote-id LEFT - set vpn ipsec site-to-site peer 192.0.2.10 connection-type initiate - set vpn ipsec site-to-site peer 192.0.2.10 default-esp-group MyESPGroup - set vpn ipsec site-to-site peer 192.0.2.10 ike-group MyIKEGroup - set vpn ipsec site-to-site peer 192.0.2.10 local-address any - set vpn ipsec site-to-site peer 192.0.2.10 tunnel 1 local prefix 192.168.99.2/32 # Additional loopback address on the local - set vpn ipsec site-to-site peer 192.0.2.10 tunnel 1 remote prefix 192.168.99.1/32 # Additional loopback address on the remote + set vpn ipsec site-to-site peer LEFT authentication local-id RIGHT + set vpn ipsec site-to-site peer LEFT authentication mode rsa + set vpn ipsec site-to-site peer LEFT authentication rsa local-key ipsec-RIGHT + set vpn ipsec site-to-site peer LEFT authentication rsa remote-key ipsec-LEFT + set vpn ipsec site-to-site peer LEFT authentication remote-id LEFT + set vpn ipsec site-to-site peer LEFT connection-type initiate + set vpn ipsec site-to-site peer LEFT default-esp-group MyESPGroup + set vpn ipsec site-to-site peer LEFT ike-group MyIKEGroup + set vpn ipsec site-to-site peer LEFT local-address any + set vpn ipsec site-to-site peer LEFT remote-address 192.0.2.10 + set vpn ipsec site-to-site peer LEFT tunnel 1 local prefix 192.168.99.2/32 # Additional loopback address on the local + set vpn ipsec site-to-site peer LEFT tunnel 1 remote prefix 192.168.99.1/32 # Additional loopback address on the 
remote diff --git a/docs/configuration/vpn/l2tp.rst b/docs/configuration/vpn/l2tp.rst index 411b7b5e..8dc34ee4 100644 --- a/docs/configuration/vpn/l2tp.rst +++ b/docs/configuration/vpn/l2tp.rst @@ -14,7 +14,7 @@ with native Windows and Mac VPN clients): .. code-block:: none - set vpn ipsec ipsec-interfaces interface eth0 + set vpn ipsec interface eth0 set vpn l2tp remote-access outside-address 192.0.2.2 set vpn l2tp remote-access client-ip-pool start 192.168.255.2 @@ -24,7 +24,7 @@ with native Windows and Mac VPN clients): set vpn l2tp remote-access authentication mode local set vpn l2tp remote-access authentication local-users username test password 'test' -In the example above an external IP of 192.0.2.2 is assumed. +In the above example, an external IP of 192.0.2.2 is assumed. If a local firewall policy is in place on your external interface you will need to allow the ports below: diff --git a/docs/configuration/vpn/openconnect.rst b/docs/configuration/vpn/openconnect.rst index 7a279472..1b4d4b4c 100644 --- a/docs/configuration/vpn/openconnect.rst +++ b/docs/configuration/vpn/openconnect.rst @@ -48,7 +48,7 @@ Server Configuration set vpn openconnect authentication local-users username <user> password <pass> set vpn openconnect authentication mode <local password|radius> - set vpn opneconnect network-settings client-ip-settings subnet <subnet> + set vpn openconnect network-settings client-ip-settings subnet <subnet> set vpn openconnect network-settings name-server <address> set vpn openconnect network-settings name-server <address> set vpn openconnect ssl ca-certificate <pki-ca-name> @@ -56,7 +56,7 @@ Server Configuration set vpn openconnect ssl passphrase <pki-password> 2FA OTP support -==================== +=============== Instead of password only authentication, 2FA password authentication + OTP key can be used. Alternatively, OTP authentication only, 
@@ -215,3 +215,40 @@ and then the OTP key. .. warning:: When using Time-based one-time password (TOTP) (OTP HOTP-time), be sure that the time on the server and the OTP token generator are synchronized by NTP + +To display the configured OTP user settings, use the command: + +.. code-block:: none + + show openconnect-server user <username> otp <full|key-b32|key-hex|qrcode|uri> + +Configuring RADIUS accounting +============================= + +OpenConnect can be configured to send accounting information to a +RADIUS server to capture user session data such as time of +connect/disconnect, data transferred, and so on. + +Configure an accounting server and enable accounting with: + +.. code-block:: none + + set vpn openconnect accounting mode radius + set vpn openconnect accounting radius server 172.20.20.10 + set vpn openconnect accounting radius server 172.20.20.10 port 1813 + set vpn openconnect accounting radius server 172.20.20.10 key your_radius_secret + +.. warning:: The RADIUS accounting feature must be used with the OpenConnect + authentication mode RADIUS. It cannot be used with local authentication. + You must configure the OpenConnect authentication mode to "radius". + +An example of the data captured by a FREERADIUS server with sql accounting: + +.. 
code-block:: none + + mysql> SELECT username, nasipaddress, acctstarttime, acctstoptime, acctinputoctets, acctoutputoctets, callingstationid, framedipaddress, connectinfo_start FROM radacct; + +----------+---------------+---------------------+---------------------+-----------------+------------------+-------------------+-----------------+-----------------------------------+ + | username | nasipaddress | acctstarttime | acctstoptime | acctinputoctets | acctoutputoctets | callingstationid | framedipaddress | connectinfo_start | + +----------+---------------+---------------------+---------------------+-----------------+------------------+-------------------+-----------------+-----------------------------------+ + | test | 198.51.100.15 | 2023-01-13 00:59:15 | 2023-01-13 00:59:21 | 10606 | 152 | 192.168.6.1 | 172.20.20.198 | Open AnyConnect VPN Agent v8.05-1 | + +----------+---------------+---------------------+---------------------+-----------------+------------------+-------------------+-----------------+-----------------------------------+ diff --git a/docs/configuration/vpn/site2site_ipsec.rst b/docs/configuration/vpn/site2site_ipsec.rst index 2fa59dc1..68f6c48b 100644 --- a/docs/configuration/vpn/site2site_ipsec.rst +++ b/docs/configuration/vpn/site2site_ipsec.rst 
@@ -8,26 +8,18 @@ to exchange encrypted information between them and VyOS itself or connected/routed networks. To configure site-to-site connection you need to add peers with the -``set vpn ipsec site-to-site`` command. +``set vpn ipsec site-to-site peer <name>`` command. -You can identify a remote peer with: - -* IPv4 or IPv6 address. This mode is easiest for configuration and mostly used - when a peer has a public static IP address; -* Hostname. This mode is similar to IP address, only you define DNS name instead - of an IP. Could be used when a peer has a public IP address and DNS name, but - an IP address could be changed from time to time; -* Remote ID of the peer. In this mode, there is no predefined remote address - nor DNS name of the peer. This mode is useful when a peer doesn't have a - publicly available IP address (NAT between it and VyOS), or IP address could - be changed. +The peer name must be an alphanumeric and can have hypen or underscore as +special characters. It is purely informational. Each site-to-site peer has the next options: * ``authentication`` - configure authentication between VyOS and a remote peer. Suboptions: - * ``id`` - ID for the local VyOS router. If defined, during the authentication + * ``local-id`` - ID for the local VyOS router. If defined, during the + authentication it will be send to remote peer; * ``mode`` - mode for authentication between VyOS and remote peer: 
@@ -96,26 +88,25 @@ Each site-to-site peer has the next options: * ``dhcp-interface`` - use an IP address, received from DHCP for IPSec connection with this peer, instead of ``local-address``; -* ``force-encapsulation`` - force encapsulation of ESP into UDP datagrams. +* ``force-udp-encapsulation`` - force encapsulation of ESP into UDP datagrams. Useful in case if between local and remote side is firewall or NAT, which not allows passing plain ESP packets between them; * ``ike-group`` - IKE group to use for key exchanges; * ``ikev2-reauth`` - reauthenticate remote peer during the rekeying process. - Can be used only with IKEv2: - - * ``yes`` - create a new IKE_SA from the scratch and try to recreate all - IPsec SAs; - - * ``no`` - rekey without uninstalling the IPsec SAs; - - * ``inherit`` - use default behavior for the used IKE group. + Can be used only with IKEv2. + Create a new IKE_SA from the scratch and try to recreate all IPsec SAs; * ``local-address`` - local IP address for IPSec connection with this peer. If defined ``any``, then an IP address which configured on interface with default route will be used; +* ``remote-address`` - remote IP address or hostname for IPSec connection. + IPv4 or IPv6 address is used when a peer has a public static IP address. + Hostname is a DNS name which could be used when a peer has a public IP + address and DNS name, but an IP address could be changed from time to time. + * ``tunnel`` - define criteria for traffic to be matched for encrypting and send it to a peer: 
@@ -170,50 +161,46 @@ Example: .. code-block:: none # server config - set vpn ipsec esp-group office-srv-esp compression 'disable' set vpn ipsec esp-group office-srv-esp lifetime '1800' set vpn ipsec esp-group office-srv-esp mode 'tunnel' set vpn ipsec esp-group office-srv-esp pfs 'enable' set vpn ipsec esp-group office-srv-esp proposal 1 encryption 'aes256' set vpn ipsec esp-group office-srv-esp proposal 1 hash 'sha1' - set vpn ipsec ike-group office-srv-ike ikev2-reauth 'no' set vpn ipsec ike-group office-srv-ike key-exchange 'ikev1' set vpn ipsec ike-group office-srv-ike lifetime '3600' set vpn ipsec ike-group office-srv-ike proposal 1 encryption 'aes256' set vpn ipsec ike-group office-srv-ike proposal 1 hash 'sha1' - set vpn ipsec ipsec-interfaces interface 'eth1' - set vpn ipsec site-to-site peer 203.0.113.2 authentication mode 'pre-shared-secret' - set vpn ipsec site-to-site peer 203.0.113.2 authentication pre-shared-secret 'SomePreSharedKey' - set vpn ipsec site-to-site peer 203.0.113.2 ike-group 'office-srv-ike' - set vpn ipsec site-to-site peer 203.0.113.2 local-address '198.51.100.3' - set vpn ipsec site-to-site peer 203.0.113.2 tunnel 0 allow-nat-networks 'disable' - set vpn ipsec site-to-site peer 203.0.113.2 tunnel 0 allow-public-networks 'disable' - set vpn ipsec site-to-site peer 203.0.113.2 tunnel 0 esp-group 'office-srv-esp' - set vpn ipsec site-to-site peer 203.0.113.2 tunnel 0 local prefix '192.168.0.0/24' - set vpn ipsec site-to-site peer 203.0.113.2 tunnel 0 remote prefix '10.0.0.0/21' + set vpn ipsec interface 'eth1' + set vpn ipsec site-to-site peer OFFICE-B authentication mode 'pre-shared-secret' + set vpn ipsec site-to-site peer OFFICE-B authentication pre-shared-secret 'SomePreSharedKey' + set vpn ipsec site-to-site peer OFFICE-B authentication remote-id '203.0.113.2' + set vpn ipsec site-to-site peer OFFICE-B ike-group 'office-srv-ike' + set vpn ipsec site-to-site peer OFFICE-B local-address '198.51.100.3' + set vpn ipsec site-to-site 
peer OFFICE-B remote-address '203.0.113.2' + set vpn ipsec site-to-site peer OFFICE-B tunnel 0 esp-group 'office-srv-esp' + set vpn ipsec site-to-site peer OFFICE-B tunnel 0 local prefix '192.168.0.0/24' + set vpn ipsec site-to-site peer OFFICE-B tunnel 0 remote prefix '10.0.0.0/21' # remote office config - set vpn ipsec esp-group office-srv-esp compression 'disable' set vpn ipsec esp-group office-srv-esp lifetime '1800' set vpn ipsec esp-group office-srv-esp mode 'tunnel' set vpn ipsec esp-group office-srv-esp pfs 'enable' set vpn ipsec esp-group office-srv-esp proposal 1 encryption 'aes256' set vpn ipsec esp-group office-srv-esp proposal 1 hash 'sha1' - set vpn ipsec ike-group office-srv-ike ikev2-reauth 'no' set vpn ipsec ike-group office-srv-ike key-exchange 'ikev1' set vpn ipsec ike-group office-srv-ike lifetime '3600' set vpn ipsec ike-group office-srv-ike proposal 1 encryption 'aes256' set vpn ipsec ike-group office-srv-ike proposal 1 hash 'sha1' - set vpn ipsec ipsec-interfaces interface 'eth1' - set vpn ipsec site-to-site peer 198.51.100.3 authentication mode 'pre-shared-secret' - set vpn ipsec site-to-site peer 198.51.100.3 authentication pre-shared-secret 'SomePreSharedKey' - set vpn ipsec site-to-site peer 198.51.100.3 ike-group 'office-srv-ike' - set vpn ipsec site-to-site peer 198.51.100.3 local-address '203.0.113.2' - set vpn ipsec site-to-site peer 198.51.100.3 tunnel 0 allow-nat-networks 'disable' - set vpn ipsec site-to-site peer 198.51.100.3 tunnel 0 allow-public-networks 'disable' - set vpn ipsec site-to-site peer 198.51.100.3 tunnel 0 esp-group 'office-srv-esp' - set vpn ipsec site-to-site peer 198.51.100.3 tunnel 0 local prefix '10.0.0.0/21' - set vpn ipsec site-to-site peer 198.51.100.3 tunnel 0 remote prefix '192.168.0.0/24' + set vpn ipsec interface 'eth1' + set vpn ipsec site-to-site peer OFFICE-A authentication mode 'pre-shared-secret' + set vpn ipsec site-to-site peer OFFICE-A authentication pre-shared-secret 'SomePreSharedKey' + set vpn 
ipsec site-to-site peer OFFICE-A authentication remote-id '198.51.100.3' + set vpn ipsec site-to-site peer OFFICE-A ike-group 'office-srv-ike' + set vpn ipsec site-to-site peer OFFICE-A local-address '203.0.113.2' + set vpn ipsec site-to-site peer OFFICE-A remote-address '198.51.100.3' + set vpn ipsec site-to-site peer OFFICE-A tunnel 0 esp-group 'office-srv-esp' + set vpn ipsec site-to-site peer OFFICE-A tunnel 0 local prefix '10.0.0.0/21' + set vpn ipsec site-to-site peer OFFICE-A tunnel 0 remote prefix '192.168.0.0/24' Show status of new setup: 
@@ -292,30 +279,28 @@ Imagine the following topology set interfaces vti vti10 address '10.0.0.2/31' - set vpn ipsec esp-group ESP_DEFAULT compression 'disable' set vpn ipsec esp-group ESP_DEFAULT lifetime '3600' set vpn ipsec esp-group ESP_DEFAULT mode 'tunnel' set vpn ipsec esp-group ESP_DEFAULT pfs 'dh-group19' set vpn ipsec esp-group ESP_DEFAULT proposal 10 encryption 'aes256gcm128' set vpn ipsec esp-group ESP_DEFAULT proposal 10 hash 'sha256' - set vpn ipsec ike-group IKEv2_DEFAULT ikev2-reauth 'no' set vpn ipsec ike-group IKEv2_DEFAULT key-exchange 'ikev2' set vpn ipsec ike-group IKEv2_DEFAULT lifetime '10800' - set vpn ipsec ike-group IKEv2_DEFAULT mobike 'disable' + set vpn ipsec ike-group IKEv2_DEFAULT disable-mobike set vpn ipsec ike-group IKEv2_DEFAULT proposal 10 dh-group '19' set vpn ipsec ike-group IKEv2_DEFAULT proposal 10 encryption 'aes256gcm128' set vpn ipsec ike-group IKEv2_DEFAULT proposal 10 hash 'sha256' - set vpn ipsec ipsec-interfaces interface 'eth0.201' - set vpn ipsec site-to-site peer 172.18.202.10 authentication id '172.18.201.10' - set vpn ipsec site-to-site peer 172.18.202.10 authentication mode 'pre-shared-secret' - set vpn ipsec site-to-site peer 172.18.202.10 authentication pre-shared-secret 'secretkey' - set vpn ipsec site-to-site peer 172.18.202.10 authentication remote-id '172.18.202.10' - set vpn ipsec site-to-site peer 172.18.202.10 connection-type 'respond' - set vpn ipsec site-to-site peer 172.18.202.10 ike-group 'IKEv2_DEFAULT' - set vpn ipsec site-to-site peer 172.18.202.10 ikev2-reauth 'inherit' - set vpn ipsec site-to-site peer 172.18.202.10 local-address '192.168.0.10' - set vpn ipsec site-to-site peer 172.18.202.10 vti bind 'vti10' - set vpn ipsec site-to-site peer 172.18.202.10 vti esp-group 'ESP_DEFAULT' + set vpn ipsec interface 'eth0.201' + set vpn ipsec site-to-site peer OFFICE-B authentication local-id '172.18.201.10' + set vpn ipsec site-to-site peer OFFICE-B authentication mode 'pre-shared-secret' + set vpn 
ipsec site-to-site peer OFFICE-B authentication pre-shared-secret 'secretkey' + set vpn ipsec site-to-site peer OFFICE-B authentication remote-id '172.18.202.10' + set vpn ipsec site-to-site peer OFFICE-B connection-type 'respond' + set vpn ipsec site-to-site peer OFFICE-B ike-group 'IKEv2_DEFAULT' + set vpn ipsec site-to-site peer OFFICE-B local-address '192.168.0.10' + set vpn ipsec site-to-site peer OFFICE-B remote-address '172.18.202.10' + set vpn ipsec site-to-site peer OFFICE-B vti bind 'vti10' + set vpn ipsec site-to-site peer OFFICE-B vti esp-group 'ESP_DEFAULT' **right** @@ -323,7 +308,6 @@ Imagine the following topology set interfaces vti vti10 address '10.0.0.3/31' - set vpn ipsec esp-group ESP_DEFAULT compression 'disable' set vpn ipsec esp-group ESP_DEFAULT lifetime '3600' set vpn ipsec esp-group ESP_DEFAULT mode 'tunnel' set vpn ipsec esp-group ESP_DEFAULT pfs 'dh-group19' 
@@ -332,31 +316,30 @@ Imagine the following topology set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection action 'restart' set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection interval '30' set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection timeout '120' - set vpn ipsec ike-group IKEv2_DEFAULT ikev2-reauth 'no' set vpn ipsec ike-group IKEv2_DEFAULT key-exchange 'ikev2' set vpn ipsec ike-group IKEv2_DEFAULT lifetime '10800' - set vpn ipsec ike-group IKEv2_DEFAULT mobike 'disable' + set vpn ipsec ike-group IKEv2_DEFAULT disable-mobike set vpn ipsec ike-group IKEv2_DEFAULT proposal 10 dh-group '19' set vpn ipsec ike-group IKEv2_DEFAULT proposal 10 encryption 'aes256gcm128' set vpn ipsec ike-group IKEv2_DEFAULT proposal 10 hash 'sha256' - set vpn ipsec ipsec-interfaces interface 'eth0.202' - set vpn ipsec site-to-site peer 172.18.201.10 authentication id '172.18.202.10' - set vpn ipsec site-to-site peer 172.18.201.10 authentication mode 'pre-shared-secret' - set vpn ipsec site-to-site peer 172.18.201.10 authentication pre-shared-secret 'secretkey' - set vpn ipsec site-to-site peer 172.18.201.10 authentication remote-id '172.18.201.10' - set vpn ipsec site-to-site peer 172.18.201.10 connection-type 'initiate' - set vpn ipsec site-to-site peer 172.18.201.10 ike-group 'IKEv2_DEFAULT' - set vpn ipsec site-to-site peer 172.18.201.10 ikev2-reauth 'inherit' - set vpn ipsec site-to-site peer 172.18.201.10 local-address '172.18.202.10' - set vpn ipsec site-to-site peer 172.18.201.10 vti bind 'vti10' - set vpn ipsec site-to-site peer 172.18.201.10 vti esp-group 'ESP_DEFAULT' + set vpn ipsec interface 'eth0.202' + set vpn ipsec site-to-site peer OFFICE-A authentication local-id '172.18.202.10' + set vpn ipsec site-to-site peer OFFICE-A authentication mode 'pre-shared-secret' + set vpn ipsec site-to-site peer OFFICE-A authentication pre-shared-secret 'secretkey' + set vpn ipsec site-to-site peer OFFICE-A authentication remote-id '172.18.201.10' + set vpn ipsec 
site-to-site peer OFFICE-A connection-type 'initiate' + set vpn ipsec site-to-site peer OFFICE-A ike-group 'IKEv2_DEFAULT' + set vpn ipsec site-to-site peer OFFICE-A local-address '172.18.202.10' + set vpn ipsec site-to-site peer OFFICE-A remote-address '172.18.201.10' + set vpn ipsec site-to-site peer OFFICE-A vti bind 'vti10' + set vpn ipsec site-to-site peer OFFICE-A vti esp-group 'ESP_DEFAULT' Key Parameters: -* ``authentication id/remote-id`` - IKE identification is used for validation - of VPN peer devices during IKE negotiation. If you do not configure local/ - remote-identity, the device uses the IPv4 or IPv6 address that corresponds - to the local/remote peer by default. +* ``authentication local-id/remote-id`` - IKE identification is used for + validation of VPN peer devices during IKE negotiation. If you do not configure + local/remote-identity, the device uses the IPv4 or IPv6 address that + corresponds to the local/remote peer by default. In certain network setups (like ipsec interface with dynamic address, or behind the NAT ), the IKE ID received from the peer does not match the IKE gateway configured on the device. This can lead to a Phase 1 validation @@ -370,7 +353,7 @@ Key Parameters: * ``dead-peer-detection action = clear | hold | restart`` - R_U_THERE notification messages(IKEv1) or empty INFORMATIONAL messages (IKEv2) - are periodically sent in order to check the liveliness of theIPsec peer. The + are periodically sent in order to check the liveliness of the IPsec peer. The values clear, hold, and restart all activate DPD and determine the action to perform on a timeout. With ``clear`` the connection is closed with no further actions taken. 
@@ -384,6 +367,15 @@ Key Parameters: values). A closeaction should not be used if the peer uses reauthentication or uniqueids. - For a responder, close-action or dead-peer-detection must not be enabled. - For an initiator DPD with `restart` action, and `close-action 'restart'` - is recommended in IKE profile. + When the close-action option is set on the peers, the connection-type + of each peer has to considered carefully. For example, if the option is set + on both peers, then both would attempt to initiate and hold open multiple + copies of each child SA. This might lead to instability of the device or + cpu/memory utilization. + + Below flow-chart could be a quick reference for the close-action + combination depending on how the peer is configured. + +.. figure:: /_static/images/IPSec_close_action_settings.jpg + + Similar combinations are applicable for the dead-peer-detection. diff --git a/docs/configuration/vpn/sstp.rst b/docs/configuration/vpn/sstp.rst index 3600681f..f3e062fe 100644 --- a/docs/configuration/vpn/sstp.rst +++ b/docs/configuration/vpn/sstp.rst @@ -1,8 +1,8 @@ .. _sstp: -#### -SSTP -#### +########### +SSTP Server +########### :abbr:`SSTP (Secure Socket Tunneling Protocol)` is a form of :abbr:`VPN (Virtual Private Network)` tunnel that provides a mechanism to transport PPP @@ -111,6 +111,11 @@ Configuration interfaces. +.. cfgcmd:: set vpn sstp port <port> + + Specifies the port `<port>` that the SSTP port will listen on (default 443). + + .. cfgcmd:: set vpn sstp client-ip-pool subnet <subnet> Use `<subnet>` as the IP pool for all connecting clients. @@ -153,9 +158,6 @@ SSL Certificates Path to `<file>` pointing to the servers certificate (public portion). -.. cfgcmd:: set vpn sstp ssl key-file <file> - - Path to `<file>` pointing to the servers certificate (private portion). PPP Settings ------------ |
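Review bot: in the dmvpn.rst hunk at `@@ -278,6 +278,7 @@ spoke01-spoke04`, the added `tunnel protection ipsec profile DMVPN` references an IPsec profile named DMVPN, but no matching `crypto ipsec profile DMVPN` definition appears in the hunk, while the VyOS side of the same example uses a profile named NHRPVPN; please confirm the Cisco spoke example defines that profile elsewhere, or name the two sides consistently, so readers copying the snippet do not end up with an unresolved profile reference.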
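Review bot: the new `prf` bullet in the ipsec.rst hunk at `@@ -111,6 +111,8 @@` says only "pseudo-random function"; the neighbouring `hash` bullet is equally terse, but for `prf` a reader also needs to know which values are accepted and what is used when it is left unset, since the option only matters when a peer insists on a PRF that differs from the integrity hash. One sentence covering the default would be enough.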
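Review bot: the ipsec.rst hunk at `@@ -198,7 +200,7 @@ On the LEFT:` replaces `set vpn ipsec ipsec-interfaces interface eth0` with `set vpn ipsec interface eth0`, and the same rename is applied in dmvpn.rst, l2tp.rst and site2site_ipsec.rst, yet none of the hunks tells a reader with an existing configuration that the old path no longer exists; a one-line migration note near the first occurrence in ipsec.rst would save support questions.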
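Review bot: in the ipsec.rst hunk at `@@ -210,16 +212,18 @@ On the LEFT:`, the peer now carries `authentication remote-id 203.0.113.45` in addition to `remote-address 203.0.113.45`, but the unchanged instruction that follows, "On the RIGHT, setup by analogy and swap local and remote addresses", still mentions only addresses; extend it to say that `remote-id` must also be changed to the LEFT address (192.0.2.10), otherwise the RIGHT side will reject the LEFT peer's identity during IKE authentication.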
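Review bot: the sentence added in the ipsec.rst hunk at `@@ -235,6 +239,8 @@`, "The peer names RIGHT and LEFT are used as informational text", sits in front of the loopback example, while the example just above it already introduced a named peer spelled `right` in lowercase; say instead that peer names are arbitrary labels with no effect on negotiation, and place that sentence beside the first named-peer example so readers do not try to match the case.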
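Review bot: in the ipsec.rst hunk at `@@ -325,17 +331,17 @@ On the LEFT (static address):`, the peer name `RIGHT` is identical to the value of `authentication remote-id RIGHT` (and the mirror hunk at `@@ -350` uses `LEFT` for both), which invites readers to conclude that the peer name is what gets checked during IKE; since the preceding hunk states the names are informational, either pick a distinct peer name in the example or add a sentence saying that only `remote-id` is compared against the identity the peer asserts and the peer name never is.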
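Review bot: in the openconnect.rst hunk at `@@ -215,3 +215,40 @@ and then the OTP key.`, the new `show openconnect-server user <username> otp <full|key-b32|key-hex|qrcode|uri>` command prints the user's OTP seed in several encodings, so the text should say that the output is the shared secret itself and belongs only in an operator session, not in tickets or screenshots. In the RADIUS accounting warning, the third sentence ("You must configure the OpenConnect authentication mode to "radius"") repeats the first and can be dropped, and "FREERADIUS" should read "FreeRADIUS".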
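Review bot: in the site2site_ipsec.rst hunk at `@@ -8,26 +8,18 @@`, the added sentence "The peer name must be an alphanumeric and can have hypen or underscore as special characters" has a typo ("hypen") and an article error; suggest "The peer name must be alphanumeric and may contain hyphens or underscores. It is purely informational."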
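Review bot: in the site2site_ipsec.rst hunk at `@@ -96,26 +88,25 @@`, the new `remote-address` bullet covers the static-address and hostname cases but not what happens when it is omitted, which is exactly the NAT/dynamic case the `@@ -8` hunk deleted from the peer-identification list (and the case the ipsec.rst loopback example relies on, where LEFT has `connection-type respond` and no `remote-address`); state whether the option is optional and how an unspecified peer is then matched. The collapsed `ikev2-reauth` text "Can be used only with IKEv2. Create a new IKE_SA from the scratch and try to recreate all IPsec SAs" also no longer says that this describes the behaviour when the option is set; "When set, a new IKE_SA is created from scratch and all IPsec SAs are recreated" reads better.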
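Review bot: in the site2site_ipsec.rst hunk at `@@ -384,6 +367,15 @@ Key Parameters:`, "the connection-type of each peer has to considered carefully" is missing "be", "cpu/memory utilization" should be "CPU/memory utilization", and "Below flow-chart could be a quick reference" reads better as "The flow chart below is a quick reference". The `.. figure::` directive carries no caption or alt text, and the same hunk deletes the only textual guidance ("For a responder, close-action or dead-peer-detection must not be enabled"), so a reader who cannot view the image is left with nothing; keep a one-line summary of the recommended combination under the figure.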
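Review bot: in the sstp.rst hunk at `@@ -111,6 +111,11 @@ Configuration`, "Specifies the port `<port>` that the SSTP port will listen on" should read "that the SSTP server will listen on"; keep the stated default of 443, since clients assume it.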
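Review bot: in the sstp.rst hunk at `@@ -153,9 +158,6 @@ SSL Certificates`, removing `set vpn sstp ssl key-file <file>` leaves the section documenting only the certificate's public portion with no indication of where the private key now comes from; if the key is taken from the PKI subsystem, update the remaining `cert-file` text to match (or remove it in the same change) rather than leaving a half-migrated section.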