diff options
Diffstat (limited to 'docs/configuration')
| -rw-r--r-- | docs/configuration/firewall/index.rst | 3 | ||||
| -rw-r--r-- | docs/configuration/interfaces/openvpn-examples.rst | 21 | ||||
| -rw-r--r-- | docs/configuration/interfaces/vti.rst | 3 | ||||
| -rw-r--r-- | docs/configuration/nat/nat64.rst | 7 | ||||
| -rw-r--r-- | docs/configuration/nat/nat66.rst | 8 | ||||
| -rw-r--r-- | docs/configuration/policy/examples.rst | 3 | ||||
| -rw-r--r-- | docs/configuration/protocols/static.rst | 35 | ||||
| -rw-r--r-- | docs/configuration/service/snmp.rst | 3 | ||||
| -rw-r--r-- | docs/configuration/system/flow-accounting.rst | 4 | ||||
| -rw-r--r-- | docs/configuration/system/sysctl.rst | 6 | ||||
| -rw-r--r-- | docs/configuration/vpn/ipsec/troubleshooting_ipsec.rst | 7 | ||||
| -rw-r--r-- | docs/configuration/vpn/openconnect.rst | 20 | ||||
| -rw-r--r-- | docs/configuration/vpn/rsa-keys.rst | 16 |
13 files changed, 105 insertions, 31 deletions
diff --git a/docs/configuration/firewall/index.rst b/docs/configuration/firewall/index.rst index a5b88839..79d59563 100644 --- a/docs/configuration/firewall/index.rst +++ b/docs/configuration/firewall/index.rst @@ -4,6 +4,9 @@ Firewall ######## +.. TODO:: Convert raw command blocks in this file to cfgcmd/opcmd + directives for command coverage tracking. + .. warning:: Due to a race condition that can lead to a failure during boot process, all interfaces are initialized before firewall is configured. This leads to a situation where the system is open to all traffic, and can be diff --git a/docs/configuration/interfaces/openvpn-examples.rst b/docs/configuration/interfaces/openvpn-examples.rst index 46409975..34cabddf 100644 --- a/docs/configuration/interfaces/openvpn-examples.rst +++ b/docs/configuration/interfaces/openvpn-examples.rst @@ -2,6 +2,9 @@ Site-to-site ============ +.. TODO:: Convert raw command blocks in this file to cfgcmd/opcmd + directives for command coverage tracking. + OpenVPN is popular for client-server setups, but its site-to-site mode is less common and often not supported by router appliances. Despite limited support, it is effective for quickly establishing tunnels between routers. @@ -29,9 +32,9 @@ In both cases, we will use the following settings: * The ``persistent-tunnel`` directive allows us to configure tunnel-related attributes, such as firewall policy, as we would on any standard network interface. -* If known, the remote router's IP address can be configured using the - ``remote-host`` directive. If unknown, it can be omitted. We assume the remote - router has a dynamic IP address. +* If known, the remote router's IP address can be configured using + the ``remote-host`` directive. If unknown, it can be omitted. + We assume the remote router has a dynamic IP address. .. figure:: /_static/images/openvpn_site2site_diagram.jpg @@ -87,11 +90,15 @@ You do **not** need to copy the certificate to the other router. Instead, retrieve its SHA-256 fingerprint. Since OpenVPN currently supports only SHA-256 fingerprints, use the following command: +.. stop_vyoslinter + .. code-block:: none vyos@vyos# run show pki certificate openvpn-local fingerprint sha256 5C:B8:09:64:8B:59:51:DC:F4:DF:2C:12:5C:B7:03:D1:68:94:D7:5B:62:C2:E1:83:79:F1:F0:68:B2:81:26:79 +.. start_vyoslinter + .. note:: Certificate names are arbitrary. While ``openvpn-local`` and ``openvpn-remote`` are used here, you may choose any names. @@ -456,7 +463,7 @@ Check the tunnel status: Client CN Remote Host Tunnel IP Local Host TX bytes RX bytes Connected Since ----------- ------------------ ----------- ---------------- ---------- ---------- ------------------- - client1 172.110.12.54:33166 10.23.1.10 172.18.201.10:1194 3.4 KB 3.4 KB 2024-06-11 12:07:25 + client1 172.16.12.54:33166 10.23.1.10 172.18.201.10:1194 3.4 KB 3.4 KB 2024-06-11 12:07:25 @@ -639,7 +646,11 @@ below: } } -For a detailed example, refer to :doc:`OpenVPN with LDAP</configexamples/autotest/OpenVPN_with_LDAP/OpenVPN_with_LDAP>`. +.. stop_vyoslinter + +For a detailed example, refer to :doc:`OpenVPN with LDAP </configexamples/autotest/OpenVPN_with_LDAP/OpenVPN_with_LDAP>`. + +.. start_vyoslinter Multi-factor authentication =========================== diff --git a/docs/configuration/interfaces/vti.rst b/docs/configuration/interfaces/vti.rst index 1704b9d1..9c2dc1eb 100644 --- a/docs/configuration/interfaces/vti.rst +++ b/docs/configuration/interfaces/vti.rst @@ -4,6 +4,9 @@ VTI - Virtual Tunnel Interface ############################## +.. TODO:: Convert raw command blocks in this file to cfgcmd/opcmd + directives for command coverage tracking. + Set Virtual Tunnel Interface .. code-block:: none diff --git a/docs/configuration/nat/nat64.rst b/docs/configuration/nat/nat64.rst index e8a3a0e6..8608da9f 100644 --- a/docs/configuration/nat/nat64.rst +++ b/docs/configuration/nat/nat64.rst @@ -4,6 +4,9 @@ NAT64 ##### +.. TODO:: Convert raw command blocks in this file to cfgcmd/opcmd + directives for command coverage tracking. + :abbr:`NAT64 (IPv6-to-IPv4 Prefix Translation)` is a critical component in modern networking, facilitating communication between IPv6 and IPv4 networks. This documentation outlines the setup, configuration, and usage of the NAT64 @@ -69,6 +72,8 @@ NAT64 client configuration: Test from the IPv6 only client: +.. stop_vyoslinter + .. code-block:: none vyos@r1:~$ ping 64:ff9b::192.0.2.1 count 2 @@ -79,3 +84,5 @@ Test from the IPv6 only client: --- 64:ff9b::192.0.2.1 ping statistics --- 2 packets transmitted, 2 received, 0% packet loss, time 1023ms rtt min/avg/max/mdev = 0.351/0.362/0.373/0.011 ms + +.. start_vyoslinter diff --git a/docs/configuration/nat/nat66.rst b/docs/configuration/nat/nat66.rst index 42f63fc9..d7d8e8be 100644 --- a/docs/configuration/nat/nat66.rst +++ b/docs/configuration/nat/nat66.rst @@ -4,6 +4,9 @@ NAT66(NPTv6) ############ +.. TODO:: Convert raw command blocks in this file to cfgcmd/opcmd + directives for command coverage tracking. + :abbr:`NPTv6 (IPv6-to-IPv6 Network Prefix Translation)` is an address translation technology based on IPv6 networks, used to convert an IPv6 address prefix in an IPv6 message into another IPv6 address prefix. @@ -151,8 +154,9 @@ R2: set service router-advert interface br1 prefix ::/0 -Use the following topology to translate internal user local addresses (``fc::/7``) -to DHCPv6-PD provided prefixes from an ISP connected to a VyOS HA pair. +Use the following topology to translate internal user local addresses +(``fc::/7``) to DHCPv6-PD provided prefixes from an ISP connected to +a VyOS HA pair. .. figure:: /_static/images/vyos_1_5_nat66_dhcpv6_wdummy.png :alt: VyOS NAT66 DHCPv6 using a dummy interface diff --git a/docs/configuration/policy/examples.rst b/docs/configuration/policy/examples.rst index d822d839..11c1d625 100644 --- a/docs/configuration/policy/examples.rst +++ b/docs/configuration/policy/examples.rst @@ -2,6 +2,9 @@ BGP Example ########### +.. TODO:: Convert raw command blocks in this file to cfgcmd/opcmd + directives for command coverage tracking. + **Policy definition:** .. code-block:: none diff --git a/docs/configuration/protocols/static.rst b/docs/configuration/protocols/static.rst index 3e3eb47b..e9016abc 100644 --- a/docs/configuration/protocols/static.rst +++ b/docs/configuration/protocols/static.rst @@ -70,10 +70,12 @@ IPv4 BFD Configure a static route for `<subnet>` using gateway `<address>` and use the gateway address as BFD peer destination address. -.. cfgcmd:: set protocols static route <subnet> next-hop <address> bfd profile <profile> +.. cfgcmd:: set protocols static route <subnet> next-hop <address> + bfd profile <profile> - Configure a static route for `<subnet>` using gateway `<address>` and use the - gateway address as BFD peer destination address with BFD profile `<profile>`. + Configure a static route for `<subnet>` using gateway `<address>` + and use the gateway address as BFD peer destination address with + BFD profile `<profile>`. .. cfgcmd:: set protocols static route <subnet> next-hop <address> bfd multi-hop source-address <source-address> @@ -153,10 +155,12 @@ IPv6 Unicast Routes .. note:: Routes with a distance of 255 are effectively disabled and not installed into the kernel. -.. cfgcmd:: set protocols static route6 <subnet> next-hop <address> segments <segments> +.. cfgcmd:: set protocols static route6 <subnet> next-hop <address> + segments <segments> - It is possible to specify a static route for ipv6 prefixes using an SRv6 segments - instruction. The `/` separator can be used to specify multiple segment instructions. + It is possible to specify a static route for ipv6 prefixes using + an SRv6 segments instruction. The `/` separator can be used to + specify multiple segment instructions. Example: @@ -202,8 +206,9 @@ IPv6 Interface Routes .. cfgcmd:: set protocols static route6 <subnet> interface <interface> segments <segments> - It is possible to specify a static route for ipv6 prefixes using an SRv6 segments - instruction. The `/` separator can be used to specify multiple segment instructions. + It is possible to specify a static route for ipv6 prefixes using + an SRv6 segments instruction. The `/` separator can be used to + specify multiple segment instructions. Example: @@ -219,13 +224,15 @@ IPv6 BFD Configure a static route for `<subnet>` using gateway `<address>` and use the gateway address as BFD peer destination address. -.. cfgcmd:: set protocols static route6 <subnet> next-hop <address> bfd profile <profile> +.. cfgcmd:: set protocols static route6 <subnet> next-hop <address> + bfd profile <profile> - Configure a static route for `<subnet>` using gateway `<address>` and use the - gateway address as BFD peer destination address with BFD profile `<profile>`. + Configure a static route for `<subnet>` using gateway `<address>` + and use the gateway address as BFD peer destination address with + BFD profile `<profile>`. -.. cfgcmd:: set protocols static route6 <subnet> next-hop <address> bfd multi-hop - source-address <source> +.. cfgcmd:: set protocols static route6 <subnet> next-hop <address> + bfd multi-hop source-address <source> Configure a static route for `<subnet>` using gateway `<address>` and use the gateway address as BFD peer destination address with source address @@ -271,7 +278,5 @@ IPv6 Blackhole Routes Alternate Routing Tables ************************ -TBD - Alternate routing tables are used with policy based routing by utilizing :ref:`vrf`. diff --git a/docs/configuration/service/snmp.rst b/docs/configuration/service/snmp.rst index b444ab85..9e91cc50 100644 --- a/docs/configuration/service/snmp.rst +++ b/docs/configuration/service/snmp.rst @@ -4,6 +4,9 @@ SNMP #### +.. TODO:: Convert raw command blocks in this file to cfgcmd/opcmd + directives for command coverage tracking. + :abbr:`SNMP (Simple Network Management Protocol)` is an Internet Standard protocol for collecting and organizing information about managed devices on IP networks and for modifying that information to change device behavior. diff --git a/docs/configuration/system/flow-accounting.rst b/docs/configuration/system/flow-accounting.rst index a339df75..cb18839a 100644 --- a/docs/configuration/system/flow-accounting.rst +++ b/docs/configuration/system/flow-accounting.rst @@ -84,7 +84,9 @@ CLI command. You may disable using the local in-memory table with the command: .. cfgcmd:: set system flow-accounting syslog-facility <facility> - TBD + Configure the syslog facility used for flow-accounting log messages. + Available facilities follow standard syslog conventions (e.g., + ``daemon``, ``local0`` through ``local7``). Flow Export ----------- diff --git a/docs/configuration/system/sysctl.rst b/docs/configuration/system/sysctl.rst index 06e15031..d1398822 100644 --- a/docs/configuration/system/sysctl.rst +++ b/docs/configuration/system/sysctl.rst @@ -4,6 +4,12 @@ Sysctl ###### +.. note:: This page is a stub and needs expansion. + Contributions welcome via the + VyOS `documentation repository`_. + +.. _documentation repository: https://github.com/vyos/vyos-documentation + This chapeter describes how to configure kernel parameters at runtime. ``sysctl`` is used to modify kernel parameters at runtime. The parameters diff --git a/docs/configuration/vpn/ipsec/troubleshooting_ipsec.rst b/docs/configuration/vpn/ipsec/troubleshooting_ipsec.rst index fdeb347d..8494f0ea 100644 --- a/docs/configuration/vpn/ipsec/troubleshooting_ipsec.rst +++ b/docs/configuration/vpn/ipsec/troubleshooting_ipsec.rst @@ -4,6 +4,9 @@ Troubleshooting Site-to-Site VPN IPsec ###################################### +.. TODO:: Convert raw command blocks in this file to cfgcmd/opcmd + directives for command coverage tracking. + ************ Introduction ************ @@ -286,8 +289,8 @@ The reason of this problem is showed on the responder side. Jun 23 08:16:12 charon-systemd[2440]: no acceptable proposal found Jun 23 08:16:12 charon[2440]: 01[IKE] <PEER|5> failed to establish CHILD_SA, keeping IKE_SA -Encryption **AES_CBC_128** is configured in IKE policy on the responder but **AES_CBC_256** -is configured on the initiator side. +Encryption **AES_CBC_128** is configured in IKE policy on the +responder but **AES_CBC_256** is configured on the initiator side. Prefixes in Policies Mismatch ============================= diff --git a/docs/configuration/vpn/openconnect.rst b/docs/configuration/vpn/openconnect.rst index 11824e50..d5c76e3e 100644 --- a/docs/configuration/vpn/openconnect.rst +++ b/docs/configuration/vpn/openconnect.rst @@ -4,6 +4,9 @@ OpenConnect ########### +.. TODO:: Convert raw command blocks in this file to cfgcmd/opcmd + directives for command coverage tracking. + OpenConnect-compatible server feature has been available since Equuleus (1.3). Openconnect VPN supports SSL connection and offers full network access. SSL VPN network extension connects the end-user system to the corporate network with @@ -81,9 +84,22 @@ For generating an OTP key in VyOS, you can use the CLI command User Certificate Authentication =============================== -You can configure users to be authenticated by certificate by setting the authentication mode to certificate, and defining what field (by OID) in the certificate will be used to identify the username. Two pre-defined shortcuts for Common Name (OID 2.5.4.3) and User ID (OID 0.9.2342.19200300.100.1.1) have been provide as cn or uid. Otherwise a specific OID value must be provided. +You can configure users to be authenticated by certificate by setting +the authentication mode to certificate, and defining what field (by OID) +in the certificate will be used to identify the username. Two pre-defined + +.. stop_vyoslinter + +shortcuts for Common Name (OID 2.5.4.3) and User ID +(OID 0.9.2342.19200300.100.1.1) have been provided as cn or uid. -The user's certificate must be signed by the certificate authority defined in the configuration for it to be validated for authentication. +.. start_vyoslinter + +Otherwise a specific OID value must be provided. + +The user's certificate must be signed by the certificate authority +defined in the configuration for it to be validated for +authentication. .. code-block:: none diff --git a/docs/configuration/vpn/rsa-keys.rst b/docs/configuration/vpn/rsa-keys.rst index 0508522f..ce9aa720 100644 --- a/docs/configuration/vpn/rsa-keys.rst +++ b/docs/configuration/vpn/rsa-keys.rst @@ -2,6 +2,10 @@ ######## RSA-Keys ######## + +.. TODO:: Convert raw command blocks in this file to cfgcmd/opcmd + directives for command coverage tracking. + RSA can be used for services such as key exchanges and for encryption purposes. To make IPSec work with dynamic address on one/both sides, we will have to use RSA keys for authentication. They are very fast and easy to setup. @@ -51,10 +55,14 @@ On the RIGHT: Now you are ready to setup IPsec. The key points: -1. Since both routers do not know their effective public addresses, we set the local-address of the peer to "any". -2. On the initiator, we set the peer address to its public address, but on the responder we only set the id. -3. On the initiator, we need to set the remote-id option so that it can identify IKE traffic from the responder correctly. -4. On the responder, we need to set the local id so that initiator can know who's talking to it for the point #3 to work. +1. Since both routers do not know their effective public addresses, + we set the local-address of the peer to "any". +2. On the initiator, we set the peer address to its public address, + but on the responder we only set the id. +3. On the initiator, we need to set the remote-id option so that it + can identify IKE traffic from the responder correctly. +4. On the responder, we need to set the local id so that initiator + can know who's talking to it for the point #3 to work. On the LEFT (static address): |
