diff options
Diffstat (limited to 'docs/configuration')
| -rw-r--r-- | docs/configuration/vpn/ipsec.rst | 63 | ||||
| -rw-r--r-- | docs/configuration/vpn/site2site_ipsec.rst | 20 | 
2 files changed, 42 insertions, 41 deletions
| diff --git a/docs/configuration/vpn/ipsec.rst b/docs/configuration/vpn/ipsec.rst index d1ea7bbc..4721cbcd 100644 --- a/docs/configuration/vpn/ipsec.rst +++ b/docs/configuration/vpn/ipsec.rst @@ -166,7 +166,7 @@ VyOS ESP group has the next options:  ***********************************************  Options (Global IPsec settings) Attributes  ***********************************************  -* ``options`` IPsec settings: +* ``options``   * ``disable-route-autoinstall`` Do not automatically install routes to remote networks; @@ -210,16 +210,18 @@ On the LEFT:    set vpn ipsec esp-group MyESPGroup proposal 1 hash 'sha1'    # IPsec tunnel -  set vpn ipsec site-to-site peer 203.0.113.45 authentication mode pre-shared-secret -  set vpn ipsec site-to-site peer 203.0.113.45 authentication pre-shared-secret MYSECRETKEY +  set vpn ipsec site-to-site peer right authentication mode pre-shared-secret +  set vpn ipsec site-to-site peer right authentication pre-shared-secret MYSECRETKEY +  set vpn ipsec site-to-site peer right authentication remote-id 203.0.113.45 -  set vpn ipsec site-to-site peer 203.0.113.45 ike-group MyIKEGroup -  set vpn ipsec site-to-site peer 203.0.113.45 default-esp-group MyESPGroup +  set vpn ipsec site-to-site peer right ike-group MyIKEGroup +  set vpn ipsec site-to-site peer right default-esp-group MyESPGroup -  set vpn ipsec site-to-site peer 203.0.113.45 local-address 192.0.2.10 +  set vpn ipsec site-to-site peer right local-address 192.0.2.10 +  set vpn ipsec site-to-site peer right remote-address 203.0.113.45    # This will match all GRE traffic to the peer -  set vpn ipsec site-to-site peer 203.0.113.45 tunnel 1 protocol gre +  set vpn ipsec site-to-site peer right tunnel 1 protocol gre  On the RIGHT, setup by analogy and swap local and remote addresses. @@ -235,6 +237,8 @@ an IPsec policy to match those loopback addresses.  We assume that the LEFT router has static 192.0.2.10 address on eth0, and the  RIGHT router has a dynamic address on eth0. +The peer names RIGHT and LEFT are used as informational text. +  **Setting up the GRE tunnel**  On the LEFT: @@ -325,17 +329,17 @@ On the LEFT (static address):    set vpn ipsec ike-group MyIKEGroup proposal 1 encryption aes128    set vpn ipsec ike-group MyIKEGroup proposal 1 hash sha1 -  set vpn ipsec site-to-site peer @RIGHT authentication id LEFT -  set vpn ipsec site-to-site peer @RIGHT authentication mode rsa -  set vpn ipsec site-to-site peer @RIGHT authentication rsa local-key ipsec-LEFT -  set vpn ipsec site-to-site peer @RIGHT authentication rsa remote-key ipsec-RIGHT -  set vpn ipsec site-to-site peer @RIGHT authentication remote-id RIGHT -  set vpn ipsec site-to-site peer @RIGHT default-esp-group MyESPGroup -  set vpn ipsec site-to-site peer @RIGHT ike-group MyIKEGroup -  set vpn ipsec site-to-site peer @RIGHT local-address 192.0.2.10 -  set vpn ipsec site-to-site peer @RIGHT connection-type respond -  set vpn ipsec site-to-site peer @RIGHT tunnel 1 local prefix 192.168.99.1/32  # Additional loopback address on the local -  set vpn ipsec site-to-site peer @RIGHT tunnel 1 remote prefix 192.168.99.2/32 # Additional loopback address on the remote +  set vpn ipsec site-to-site peer RIGHT authentication local-id LEFT +  set vpn ipsec site-to-site peer RIGHT authentication mode rsa +  set vpn ipsec site-to-site peer RIGHT authentication rsa local-key ipsec-LEFT +  set vpn ipsec site-to-site peer RIGHT authentication rsa remote-key ipsec-RIGHT +  set vpn ipsec site-to-site peer RIGHT authentication remote-id RIGHT +  set vpn ipsec site-to-site peer RIGHT default-esp-group MyESPGroup +  set vpn ipsec site-to-site peer RIGHT ike-group MyIKEGroup +  set vpn ipsec site-to-site peer RIGHT local-address 192.0.2.10 +  set vpn ipsec site-to-site peer RIGHT connection-type respond +  set vpn ipsec site-to-site peer RIGHT tunnel 1 local prefix 192.168.99.1/32  # Additional loopback address on the local +  set vpn ipsec site-to-site peer RIGHT tunnel 1 remote prefix 192.168.99.2/32 # Additional loopback address on the remote  On the RIGHT (dynamic address): @@ -350,14 +354,15 @@ On the RIGHT (dynamic address):    set vpn ipsec ike-group MyIKEGroup proposal 1 encryption aes128    set vpn ipsec ike-group MyIKEGroup proposal 1 hash sha1 -  set vpn ipsec site-to-site peer 192.0.2.10 authentication id RIGHT -  set vpn ipsec site-to-site peer 192.0.2.10 authentication mode rsa -  set vpn ipsec site-to-site peer 192.0.2.10 authentication rsa local-key ipsec-RIGHT -  set vpn ipsec site-to-site peer 192.0.2.10 authentication rsa remote-key ipsec-LEFT -  set vpn ipsec site-to-site peer 192.0.2.10 authentication remote-id LEFT -  set vpn ipsec site-to-site peer 192.0.2.10 connection-type initiate -  set vpn ipsec site-to-site peer 192.0.2.10 default-esp-group MyESPGroup -  set vpn ipsec site-to-site peer 192.0.2.10 ike-group MyIKEGroup -  set vpn ipsec site-to-site peer 192.0.2.10 local-address any -  set vpn ipsec site-to-site peer 192.0.2.10 tunnel 1 local prefix 192.168.99.2/32  # Additional loopback address on the local -  set vpn ipsec site-to-site peer 192.0.2.10 tunnel 1 remote prefix 192.168.99.1/32 # Additional loopback address on the remote +  set vpn ipsec site-to-site peer LEFT authentication local-id RIGHT +  set vpn ipsec site-to-site peer LEFT authentication mode rsa +  set vpn ipsec site-to-site peer LEFT authentication rsa local-key ipsec-RIGHT +  set vpn ipsec site-to-site peer LEFT authentication rsa remote-key ipsec-LEFT +  set vpn ipsec site-to-site peer LEFT authentication remote-id LEFT +  set vpn ipsec site-to-site peer LEFT connection-type initiate +  set vpn ipsec site-to-site peer LEFT default-esp-group MyESPGroup +  set vpn ipsec site-to-site peer LEFT ike-group MyIKEGroup +  set vpn ipsec site-to-site peer LEFT local-address any +  set vpn ipsec site-to-site peer LEFT remote-address 192.0.2.10 +  set vpn ipsec site-to-site peer LEFT tunnel 1 local prefix 192.168.99.2/32  # Additional loopback address on the local +  set vpn ipsec site-to-site peer LEFT tunnel 1 remote prefix 192.168.99.1/32 # Additional loopback address on the remote diff --git a/docs/configuration/vpn/site2site_ipsec.rst b/docs/configuration/vpn/site2site_ipsec.rst index e72dbdd4..482c7130 100644 --- a/docs/configuration/vpn/site2site_ipsec.rst +++ b/docs/configuration/vpn/site2site_ipsec.rst @@ -8,19 +8,10 @@ to exchange encrypted information between them and VyOS itself or  connected/routed networks.  To configure site-to-site connection you need to add peers with the -``set vpn ipsec site-to-site`` command. +``set vpn ipsec site-to-site peer <name>`` command. -You can identify a remote peer with: - -* IPv4 or IPv6 address. This mode is easiest for configuration and mostly used -  when a peer has a public static IP address; -* Hostname. This mode is similar to IP address, only you define DNS name instead -  of an IP. Could be used when a peer has a public IP address and DNS name, but -  an IP address could be changed from time to time; -* Remote ID of the peer. In this mode, there is no predefined remote address -  nor DNS name of the peer. This mode is useful when a peer doesn't have a -  publicly available IP address (NAT between it and VyOS), or IP address could -  be changed. +The peer name must be an alphanumeric and can have hypen or underscore as  +special characters. It is purely informational.   Each site-to-site peer has the next options: @@ -111,6 +102,11 @@ Each site-to-site peer has the next options:    If defined ``any``, then an IP address which configured on interface with    default route will be used; +* ``remote-address`` - remote IP address or hostname for IPSec connection. +  IPv4 or IPv6 address is used when a peer has a public static IP address. +  Hostname is a DNS name which could be used when a peer has a public IP  +  address and DNS name, but an IP address could be changed from time to time. +  * ``tunnel`` - define criteria for traffic to be matched for encrypting and send    it to a peer: | 
