Diffstat (limited to 'docs/configuration')
-rw-r--r--  docs/configuration/service/tftp-server.rst  |   8
-rw-r--r--  docs/configuration/vpn/ipsec.rst            | 128
2 files changed, 136 insertions, 0 deletions
diff --git a/docs/configuration/service/tftp-server.rst b/docs/configuration/service/tftp-server.rst
index 11011144..0ca75efe 100644
--- a/docs/configuration/service/tftp-server.rst
+++ b/docs/configuration/service/tftp-server.rst
@@ -28,6 +28,14 @@ Configure the IPv4 or IPv6 listen address of the TFTP server. Multiple IPv4 and
IPv6 addresses can be given. There will be one TFTP server instances listening
on each IP address.
+.. cfgcmd:: set service tftp-server listen-address <address> vrf <name>
+
+.. stop_vyoslinter
+
+Additional option to run TFTP server in the :abbr:`VRF (Virtual Routing and Forwarding)` context
+
+.. start_vyoslinter
+
.. note:: Configuring a listen-address is essential for the service to work.
.. cfgcmd:: set service tftp-server allow-upload
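Review bot: the description added under the new ``set service tftp-server listen-address <address> vrf <name>`` command is a sentence fragment with no terminating period and does not say what ``<name>`` refers to; suggest ending the sentence and stating that ``<name>`` is the name of the VRF the listener should be bound to, e.g. "Additional option to run the TFTP server in the :abbr:`VRF (Virtual Routing and Forwarding)` context ``<name>``." The ``.. stop_vyoslinter`` / ``.. start_vyoslinter`` pair wraps only that one line; if it is there solely because of the ``:abbr:`` role, a one-line comment saying so would save the next editor from guessing.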
diff --git a/docs/configuration/vpn/ipsec.rst b/docs/configuration/vpn/ipsec.rst
index 50814b6e..590f6023 100644
--- a/docs/configuration/vpn/ipsec.rst
+++ b/docs/configuration/vpn/ipsec.rst
@@ -29,6 +29,134 @@ for the cipher and hash. Adjust this as necessary.
.. NOTE:: VMware users should ensure that a VMXNET3 adapter is used. E1000
adapters have known issues with GRE processing.
+**************************************
+IKE (Internet Key Exchange) Attributes
+**************************************
+IKE performs mutual authentication between two parties and establishes
+an IKE security association (SA) that includes shared secret information
+that can be used to efficiently establish SAs for Encapsulating Security
+Payload (ESP) or Authentication Header (AH) and a set of cryptographic
+algorithms to be used by the SAs to protect the traffic that they carry.
+https://datatracker.ietf.org/doc/html/rfc5996
+
+In VyOS, IKE attributes are specified through IKE groups.
+Multiple proposals can be specified in a single group.
+
+VyOS IKE group has the next options:
+
+* ``close-action`` defines the action to take if the remote peer unexpectedly
+ closes a CHILD_SA:
+
+ * ``none`` set action to none (default);
+
+ * ``hold`` set action to hold;
+
+ * ``clear`` set action to clear;
+
+ * ``restart`` set action to restart;
+
+* ``dead-peer-detection`` controls the use of the Dead Peer Detection protocol
+ (DPD, RFC 3706) where R_U_THERE notification messages (IKEv1) or empty
+ INFORMATIONAL messages (IKEv2) are periodically sent in order to check the
+ liveliness of the IPsec peer:
+
+ * ``action`` keep-alive failure action:
+
+ * ``hold`` set action to hold (default)
+
+ * ``clear`` set action to clear;
+
+ * ``restart`` set action to restart;
+
+ * ``interval`` keep-alive interval in seconds <2-86400> (default 30);
+
+ * ``timeout`` keep-alive timeout in seconds <2-86400> (default 120) IKEv1 only
+
+* ``ikev2-reauth`` whether rekeying of an IKE_SA should also reauthenticate
+ the peer. In IKEv1, reauthentication is always done:
+
+ * ``yes`` enable remote host re-authentication during an IKE rekey;
+
+ * ``no`` disable remote host re-authenticaton during an IKE rekey;
+
+* ``key-exchange`` which protocol should be used to initialize the connection
+ If not set both protocols are handled and connections will use IKEv2 when
+ initiating, but accept any protocol version when responding:
+
+ * ``ikev1`` use IKEv1 for Key Exchange;
+
+ * ``ikev2`` use IKEv2 for Key Exchange;
+
+* ``lifetime`` IKE lifetime in seconds <30-86400> (default 28800);
+
+* ``mobike`` enable MOBIKE Support. MOBIKE is only available for IKEv2:
+
+ * ``enable`` enable MOBIKE (default for IKEv2);
+
+ * ``disable`` disable MOBIKE;
+
+* ``mode`` IKEv1 Phase 1 Mode Selection:
+
+ * ``main`` use Main mode for Key Exchanges in the IKEv1 Protocol
+ (Recommended Default);
+
+ * ``aggressive`` use Aggressive mode for Key Exchanges in the IKEv1 protocol
+ aggressive mode is much more insecure compared to Main mode;
+
+* ``proposal`` the list of proposals and their parameters:
+
+ * ``dh-group`` dh-group;
+
+ * ``encryption`` encryption algorithm;
+
+ * ``hash`` hash algorithm.
+
+***********************************************
+ESP (Encapsulating Security Payload) Attributes
+***********************************************
+ESP is used to provide confidentiality, data origin authentication,
+connectionless integrity, an anti-replay service (a form of partial sequence
+integrity), and limited traffic flow confidentiality.
+https://datatracker.ietf.org/doc/html/rfc4303
+
+In VyOS, ESP attributes are specified through ESP groups.
+Multiple proposals can be specified in a single group.
+
+VyOS ESP group has the next options:
+
+* ``compression`` whether IPComp compression of content is proposed
+ on the connection:
+
+ * ``disable`` disable IPComp compression (default);
+
+ * ``enable`` enable IPComp compression;
+
+* ``lifetime`` ESP lifetime in seconds <30-86400> (default 3600).
+ How long a particular instance of a connection (a set of
+ encryption/authentication keys for user packets) should last,
+ from successful negotiation to expiry;
+
+* ``mode`` the type of the connection:
+
+ * ``tunnel`` tunnel mode (default);
+
+ * ``transport`` transport mode;
+
+* ``pfs`` whether Perfect Forward Secrecy of keys is desired on the
+ connection's keying channel and defines a Diffie-Hellman group for PFS:
+
+ * ``enable`` Inherit Diffie-Hellman group from IKE group (default);
+
+ * ``disable`` Disable PFS;
+
+ * ``< dh-group >`` defines a Diffie-Hellman group for PFS;
+
+* ``proposal`` ESP-group proposal with number <1-65535>:
+
+ * ``encryption`` encryption algorithm (default 128 bit AES-CBC);
+
+ * ``hash`` hash algorithm (default sha1).
+
*************************
IPsec policy matching GRE
*************************
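Review bot: the IKE section links to RFC 5996 right after its first paragraph, but that RFC has been obsoleted by RFC 7296 (IKEv2); the ESP link to RFC 4303 is current and can stay. Several wording fixes are also needed in the added text: "re-authenticaton" under ``ikev2-reauth`` should read "re-authentication"; the ``key-exchange`` entry is missing a period between "initialize the connection" and "If not set"; "liveliness" under ``dead-peer-detection`` should be "liveness"; "has the next options" in both the IKE and ESP introductions should be "has the following options"; and the ``dh-group`` entry under ``proposal`` only repeats its own name, so it should say what it configures (the Diffie-Hellman group used by that IKE proposal). Under ``pfs``, ``< dh-group >`` has stray spaces inside the angle brackets and should be written ``<dh-group>`` to match the other placeholders on the page.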