diff options
Diffstat (limited to 'docs')
| m--------- | docs/_include/vyos-1x | 0 | ||||
| -rw-r--r-- | docs/changelog/1.4.rst | 13 | ||||
| -rw-r--r-- | docs/configuration/service/console-server.rst | 8 | ||||
| -rw-r--r-- | docs/configuration/vpn/site2site_ipsec.rst | 111 | ||||
| -rw-r--r-- | docs/documentation.rst | 2 | ||||
| -rw-r--r-- | docs/quick-start.rst | 4 | 
6 files changed, 73 insertions, 65 deletions
| diff --git a/docs/_include/vyos-1x b/docs/_include/vyos-1x -Subproject 877047b9d36f9a2ef029cc6f05c1467d1a0d6e3 +Subproject 8f2f6303229814c03494369c51cedd31703406e diff --git a/docs/changelog/1.4.rst b/docs/changelog/1.4.rst index 1ebf838c..f981da3c 100644 --- a/docs/changelog/1.4.rst +++ b/docs/changelog/1.4.rst @@ -8,6 +8,19 @@     _ext/releasenotes.py +2022-09-21 +========== + +* :vytask:`T4678` (feature): Rewrite service ipoe-server to get_config_dict +* :vytask:`T4703` (feature): accel-ppp: combine vlan-id and vlan-range into single CLI node + + +2022-09-20 +========== + +* :vytask:`T4693` (bug): ISIS segment routing was broken... + +  2022-09-17  ========== diff --git a/docs/configuration/service/console-server.rst b/docs/configuration/service/console-server.rst index dd2f5032..435c972c 100644 --- a/docs/configuration/service/console-server.rst +++ b/docs/configuration/service/console-server.rst @@ -35,6 +35,11 @@ second. This is also the default setting if none of those options are defined.    A user friendly description identifying the connected peripheral. +.. cfgcmd:: set service console-server <device> alias <string> + +  A user friendly alias for this connection. Can be used instead of the +  device name when connecting. +  .. cfgcmd:: set service console-server <device> parity [even | odd | none]    Set the parity option for the console. If unset this will default to none. @@ -106,3 +111,6 @@ Operation    .. hint:: The sequence ``^Ec?`` translates to: ``Ctrl+E c ?``. To quit       the session use: ``Ctrl+E c .`` + +  .. hint:: If ``alias`` is set, it can be used instead of the device when +     connecting. diff --git a/docs/configuration/vpn/site2site_ipsec.rst b/docs/configuration/vpn/site2site_ipsec.rst index fdcd3385..e72dbdd4 100644 --- a/docs/configuration/vpn/site2site_ipsec.rst +++ b/docs/configuration/vpn/site2site_ipsec.rst @@ -27,7 +27,8 @@ Each site-to-site peer has the next options:  * ``authentication`` - configure authentication between VyOS and a remote peer.    Suboptions: - * ``id`` - ID for the local VyOS router. If defined, during the authentication + * ``local-id`` - ID for the local VyOS router. If defined, during the +   authentication     it will be send to remote peer;   * ``mode`` - mode for authentication between VyOS and remote peer: @@ -96,21 +97,15 @@ Each site-to-site peer has the next options:  * ``dhcp-interface`` - use an IP address, received from DHCP for IPSec    connection with this peer, instead of ``local-address``; -* ``force-encapsulation`` - force encapsulation of ESP into UDP datagrams. +* ``force-udp-encapsulation`` - force encapsulation of ESP into UDP datagrams.    Useful in case if between local and remote side is firewall or NAT, which not    allows passing plain ESP packets between them;  * ``ike-group`` - IKE group to use for key exchanges;  * ``ikev2-reauth`` - reauthenticate remote peer during the rekeying process. -  Can be used only with IKEv2: - - * ``yes`` - create a new IKE_SA from the scratch and try to recreate all -   IPsec SAs; - - * ``no`` - rekey without uninstalling the IPsec SAs; - - * ``inherit`` - use default behavior for the used IKE group. +  Can be used only with IKEv2. +  Create a new IKE_SA from the scratch and try to recreate all IPsec SAs;  * ``local-address`` - local IP address for IPSec connection with this peer.    If defined ``any``, then an IP address which configured on interface with @@ -170,50 +165,46 @@ Example:  .. code-block:: none    # server config -  set vpn ipsec esp-group office-srv-esp compression 'disable'    set vpn ipsec esp-group office-srv-esp lifetime '1800'    set vpn ipsec esp-group office-srv-esp mode 'tunnel'    set vpn ipsec esp-group office-srv-esp pfs 'enable'    set vpn ipsec esp-group office-srv-esp proposal 1 encryption 'aes256'    set vpn ipsec esp-group office-srv-esp proposal 1 hash 'sha1' -  set vpn ipsec ike-group office-srv-ike ikev2-reauth 'no'    set vpn ipsec ike-group office-srv-ike key-exchange 'ikev1'    set vpn ipsec ike-group office-srv-ike lifetime '3600'    set vpn ipsec ike-group office-srv-ike proposal 1 encryption 'aes256'    set vpn ipsec ike-group office-srv-ike proposal 1 hash 'sha1'    set vpn ipsec interface 'eth1' -  set vpn ipsec site-to-site peer 203.0.113.2 authentication mode 'pre-shared-secret' -  set vpn ipsec site-to-site peer 203.0.113.2 authentication pre-shared-secret 'SomePreSharedKey' -  set vpn ipsec site-to-site peer 203.0.113.2 ike-group 'office-srv-ike' -  set vpn ipsec site-to-site peer 203.0.113.2 local-address '198.51.100.3' -  set vpn ipsec site-to-site peer 203.0.113.2 tunnel 0 allow-nat-networks 'disable' -  set vpn ipsec site-to-site peer 203.0.113.2 tunnel 0 allow-public-networks 'disable' -  set vpn ipsec site-to-site peer 203.0.113.2 tunnel 0 esp-group 'office-srv-esp' -  set vpn ipsec site-to-site peer 203.0.113.2 tunnel 0 local prefix '192.168.0.0/24' -  set vpn ipsec site-to-site peer 203.0.113.2 tunnel 0 remote prefix '10.0.0.0/21' +  set vpn ipsec site-to-site peer OFFICE-B authentication mode 'pre-shared-secret' +  set vpn ipsec site-to-site peer OFFICE-B authentication pre-shared-secret 'SomePreSharedKey' +  set vpn ipsec site-to-site peer OFFICE-B authentication remote-id '203.0.113.2' +  set vpn ipsec site-to-site peer OFFICE-B ike-group 'office-srv-ike' +  set vpn ipsec site-to-site peer OFFICE-B local-address '198.51.100.3' +  set vpn ipsec site-to-site peer OFFICE-B remote-address '203.0.113.2' +  set vpn ipsec site-to-site peer OFFICE-B tunnel 0 esp-group 'office-srv-esp' +  set vpn ipsec site-to-site peer OFFICE-B tunnel 0 local prefix '192.168.0.0/24' +  set vpn ipsec site-to-site peer OFFICE-B tunnel 0 remote prefix '10.0.0.0/21'    # remote office config -  set vpn ipsec esp-group office-srv-esp compression 'disable'    set vpn ipsec esp-group office-srv-esp lifetime '1800'    set vpn ipsec esp-group office-srv-esp mode 'tunnel'    set vpn ipsec esp-group office-srv-esp pfs 'enable'    set vpn ipsec esp-group office-srv-esp proposal 1 encryption 'aes256'    set vpn ipsec esp-group office-srv-esp proposal 1 hash 'sha1' -  set vpn ipsec ike-group office-srv-ike ikev2-reauth 'no'    set vpn ipsec ike-group office-srv-ike key-exchange 'ikev1'    set vpn ipsec ike-group office-srv-ike lifetime '3600'    set vpn ipsec ike-group office-srv-ike proposal 1 encryption 'aes256'    set vpn ipsec ike-group office-srv-ike proposal 1 hash 'sha1'    set vpn ipsec interface 'eth1' -  set vpn ipsec site-to-site peer 198.51.100.3 authentication mode 'pre-shared-secret' -  set vpn ipsec site-to-site peer 198.51.100.3 authentication pre-shared-secret 'SomePreSharedKey' -  set vpn ipsec site-to-site peer 198.51.100.3 ike-group 'office-srv-ike' -  set vpn ipsec site-to-site peer 198.51.100.3 local-address '203.0.113.2' -  set vpn ipsec site-to-site peer 198.51.100.3 tunnel 0 allow-nat-networks 'disable' -  set vpn ipsec site-to-site peer 198.51.100.3 tunnel 0 allow-public-networks 'disable' -  set vpn ipsec site-to-site peer 198.51.100.3 tunnel 0 esp-group 'office-srv-esp' -  set vpn ipsec site-to-site peer 198.51.100.3 tunnel 0 local prefix '10.0.0.0/21' -  set vpn ipsec site-to-site peer 198.51.100.3 tunnel 0 remote prefix '192.168.0.0/24' +  set vpn ipsec site-to-site peer OFFICE-A authentication mode 'pre-shared-secret' +  set vpn ipsec site-to-site peer OFFICE-A authentication pre-shared-secret 'SomePreSharedKey' +  set vpn ipsec site-to-site peer OFFICE-A authentication remote-id '198.51.100.3' +  set vpn ipsec site-to-site peer OFFICE-A ike-group 'office-srv-ike' +  set vpn ipsec site-to-site peer OFFICE-A local-address '203.0.113.2' +  set vpn ipsec site-to-site peer OFFICE-A remote-address '198.51.100.3' +  set vpn ipsec site-to-site peer OFFICE-A tunnel 0 esp-group 'office-srv-esp' +  set vpn ipsec site-to-site peer OFFICE-A tunnel 0 local prefix '10.0.0.0/21' +  set vpn ipsec site-to-site peer OFFICE-A tunnel 0 remote prefix '192.168.0.0/24'  Show status of new setup: @@ -292,30 +283,28 @@ Imagine the following topology    set interfaces vti vti10 address '10.0.0.2/31' -  set vpn ipsec esp-group ESP_DEFAULT compression 'disable'    set vpn ipsec esp-group ESP_DEFAULT lifetime '3600'    set vpn ipsec esp-group ESP_DEFAULT mode 'tunnel'    set vpn ipsec esp-group ESP_DEFAULT pfs 'dh-group19'    set vpn ipsec esp-group ESP_DEFAULT proposal 10 encryption 'aes256gcm128'    set vpn ipsec esp-group ESP_DEFAULT proposal 10 hash 'sha256' -  set vpn ipsec ike-group IKEv2_DEFAULT ikev2-reauth 'no'    set vpn ipsec ike-group IKEv2_DEFAULT key-exchange 'ikev2'    set vpn ipsec ike-group IKEv2_DEFAULT lifetime '10800' -  set vpn ipsec ike-group IKEv2_DEFAULT mobike 'disable' +  set vpn ipsec ike-group IKEv2_DEFAULT disable-mobike    set vpn ipsec ike-group IKEv2_DEFAULT proposal 10 dh-group '19'    set vpn ipsec ike-group IKEv2_DEFAULT proposal 10 encryption 'aes256gcm128'    set vpn ipsec ike-group IKEv2_DEFAULT proposal 10 hash 'sha256'    set vpn ipsec interface 'eth0.201' -  set vpn ipsec site-to-site peer 172.18.202.10 authentication id '172.18.201.10' -  set vpn ipsec site-to-site peer 172.18.202.10 authentication mode 'pre-shared-secret' -  set vpn ipsec site-to-site peer 172.18.202.10 authentication pre-shared-secret 'secretkey' -  set vpn ipsec site-to-site peer 172.18.202.10 authentication remote-id '172.18.202.10' -  set vpn ipsec site-to-site peer 172.18.202.10 connection-type 'respond' -  set vpn ipsec site-to-site peer 172.18.202.10 ike-group 'IKEv2_DEFAULT' -  set vpn ipsec site-to-site peer 172.18.202.10 ikev2-reauth 'inherit' -  set vpn ipsec site-to-site peer 172.18.202.10 local-address '192.168.0.10' -  set vpn ipsec site-to-site peer 172.18.202.10 vti bind 'vti10' -  set vpn ipsec site-to-site peer 172.18.202.10 vti esp-group 'ESP_DEFAULT' +  set vpn ipsec site-to-site peer OFFICE-B authentication local-id '172.18.201.10' +  set vpn ipsec site-to-site peer OFFICE-B authentication mode 'pre-shared-secret' +  set vpn ipsec site-to-site peer OFFICE-B authentication pre-shared-secret 'secretkey' +  set vpn ipsec site-to-site peer OFFICE-B authentication remote-id '172.18.202.10' +  set vpn ipsec site-to-site peer OFFICE-B connection-type 'respond' +  set vpn ipsec site-to-site peer OFFICE-B ike-group 'IKEv2_DEFAULT' +  set vpn ipsec site-to-site peer OFFICE-B local-address '192.168.0.10' +  set vpn ipsec site-to-site peer OFFICE-B remote-address '172.18.202.10' +  set vpn ipsec site-to-site peer OFFICE-B vti bind 'vti10' +  set vpn ipsec site-to-site peer OFFICE-B vti esp-group 'ESP_DEFAULT'  **right** @@ -323,7 +312,6 @@ Imagine the following topology    set interfaces vti vti10 address '10.0.0.3/31' -  set vpn ipsec esp-group ESP_DEFAULT compression 'disable'    set vpn ipsec esp-group ESP_DEFAULT lifetime '3600'    set vpn ipsec esp-group ESP_DEFAULT mode 'tunnel'    set vpn ipsec esp-group ESP_DEFAULT pfs 'dh-group19' @@ -332,31 +320,30 @@ Imagine the following topology    set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection action 'restart'    set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection interval '30'    set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection timeout '120' -  set vpn ipsec ike-group IKEv2_DEFAULT ikev2-reauth 'no'    set vpn ipsec ike-group IKEv2_DEFAULT key-exchange 'ikev2'    set vpn ipsec ike-group IKEv2_DEFAULT lifetime '10800' -  set vpn ipsec ike-group IKEv2_DEFAULT mobike 'disable' +  set vpn ipsec ike-group IKEv2_DEFAULT disable-mobike    set vpn ipsec ike-group IKEv2_DEFAULT proposal 10 dh-group '19'    set vpn ipsec ike-group IKEv2_DEFAULT proposal 10 encryption 'aes256gcm128'    set vpn ipsec ike-group IKEv2_DEFAULT proposal 10 hash 'sha256'    set vpn ipsec interface 'eth0.202' -  set vpn ipsec site-to-site peer 172.18.201.10 authentication id '172.18.202.10' -  set vpn ipsec site-to-site peer 172.18.201.10 authentication mode 'pre-shared-secret' -  set vpn ipsec site-to-site peer 172.18.201.10 authentication pre-shared-secret 'secretkey' -  set vpn ipsec site-to-site peer 172.18.201.10 authentication remote-id '172.18.201.10' -  set vpn ipsec site-to-site peer 172.18.201.10 connection-type 'initiate' -  set vpn ipsec site-to-site peer 172.18.201.10 ike-group 'IKEv2_DEFAULT' -  set vpn ipsec site-to-site peer 172.18.201.10 ikev2-reauth 'inherit' -  set vpn ipsec site-to-site peer 172.18.201.10 local-address '172.18.202.10' -  set vpn ipsec site-to-site peer 172.18.201.10 vti bind 'vti10' -  set vpn ipsec site-to-site peer 172.18.201.10 vti esp-group 'ESP_DEFAULT' +  set vpn ipsec site-to-site peer OFFICE-A authentication local-id '172.18.202.10' +  set vpn ipsec site-to-site peer OFFICE-A authentication mode 'pre-shared-secret' +  set vpn ipsec site-to-site peer OFFICE-A authentication pre-shared-secret 'secretkey' +  set vpn ipsec site-to-site peer OFFICE-A authentication remote-id '172.18.201.10' +  set vpn ipsec site-to-site peer OFFICE-A connection-type 'initiate' +  set vpn ipsec site-to-site peer OFFICE-A ike-group 'IKEv2_DEFAULT' +  set vpn ipsec site-to-site peer OFFICE-A local-address '172.18.202.10' +  set vpn ipsec site-to-site peer OFFICE-A remote-address '172.18.201.10' +  set vpn ipsec site-to-site peer OFFICE-A vti bind 'vti10' +  set vpn ipsec site-to-site peer OFFICE-A vti esp-group 'ESP_DEFAULT'  Key Parameters: -* ``authentication id/remote-id`` - IKE identification is used for validation  -  of VPN peer devices during IKE negotiation. If you do not configure local/ -  remote-identity, the device uses the IPv4 or IPv6 address that corresponds  -  to the local/remote peer by default. +* ``authentication local-id/remote-id`` - IKE identification is used for +  validation of VPN peer devices during IKE negotiation. If you do not configure +  local/remote-identity, the device uses the IPv4 or IPv6 address that  +  corresponds to the local/remote peer by default.    In certain network setups (like ipsec interface with dynamic address, or     behind the NAT ), the IKE ID received from the peer does not match the IKE     gateway configured on the device. This can lead to a Phase 1 validation  diff --git a/docs/documentation.rst b/docs/documentation.rst index 1ecc170b..1d7e3402 100644 --- a/docs/documentation.rst +++ b/docs/documentation.rst @@ -392,7 +392,7 @@ All RST files must follow the same TOC Level syntax and have to start with  .. code-block::     ##### -   Titel +   Title     #####  Configuration mode pages diff --git a/docs/quick-start.rst b/docs/quick-start.rst index 90bdfcb4..3548a7e1 100644 --- a/docs/quick-start.rst +++ b/docs/quick-start.rst @@ -168,8 +168,8 @@ Apply the firewall policies:  .. code-block:: none -  set interfaces ethernet eth0 firewall in name 'OUTSIDE-IN' -  set interfaces ethernet eth0 firewall local name 'OUTSIDE-LOCAL' +  set firewall interface eth0 in name 'OUTSIDE-IN' +  set firewall interface eth0 local name 'OUTSIDE-LOCAL'  Commit changes, save the configuration, and exit configuration mode: | 
