From ce090a4ced7fccce3fdc70142e22fa0009fae12b Mon Sep 17 00:00:00 2001
From: rebortg <github@ghlr.de>
Date: Sun, 6 Dec 2020 21:41:10 +0100
Subject: arrange examples

---
 docs/configexamples/azure-vpn-dual-bgp.rst | 155 +++++++++++++++++++++++++++++
 1 file changed, 155 insertions(+)
 create mode 100644 docs/configexamples/azure-vpn-dual-bgp.rst

(limited to 'docs/configexamples/azure-vpn-dual-bgp.rst')

diff --git a/docs/configexamples/azure-vpn-dual-bgp.rst b/docs/configexamples/azure-vpn-dual-bgp.rst
new file mode 100644
index 00000000..13d4b5a2
--- /dev/null
+++ b/docs/configexamples/azure-vpn-dual-bgp.rst
@@ -0,0 +1,155 @@
+.. _examples-azure-vpn-dual-bgp:
+
+Route-Based Redundant Site-to-Site VPN to Azure (BGP over IKEv2/IPsec)
+----------------------------------------------------------------------
+
+This guide shows an example of a redundant (active-active) route-based IKEv2
+site-to-site VPN to Azure using VTI
+and BGP for dynamic routing updates.
+
+Prerequisites
+^^^^^^^^^^^^^
+
+- A pair of Azure VNet Gateways deployed in active-active
+  configuration with BGP enabled.
+
+- A local network gateway deployed in Azure representing
+  the Vyos device, matching the below Vyos settings except for
+  address space, which only requires the Vyos private IP, in
+  this example 10.10.0.5/32
+
+- A connection resource deployed in Azure linking the
+  Azure VNet gateway and the local network gateway representing
+  the Vyos device.
+
+Example
+^^^^^^^
+
++---------------------------------------+---------------------+
+| WAN Interface                         | eth0                |
++---------------------------------------+---------------------+
+| On-premises address space             | 10.10.0.0/16        |
++---------------------------------------+---------------------+
+| Azure address space                   |  10.0.0.0/16        |
++---------------------------------------+---------------------+
+| Vyos public IP                        | 198.51.100.3        |
++---------------------------------------+---------------------+
+| Vyos private IP                       | 10.10.0.5           |
++---------------------------------------+---------------------+
+| Azure VNet Gateway 1 public IP        |  203.0.113.2        |
++---------------------------------------+---------------------+
+| Azure VNet Gateway 2 public IP        |  203.0.113.3        |
++---------------------------------------+---------------------+
+| Azure VNet Gateway BGP IP             |  10.0.0.4,10.0.0.5  |
++---------------------------------------+---------------------+
+| Pre-shared key                        | ch00s3-4-s3cur3-psk |
++---------------------------------------+---------------------+
+| Vyos ASN                              | 64499               |
++---------------------------------------+---------------------+
+| Azure ASN                             | 65540               |
++---------------------------------------+---------------------+
+
+Vyos configuration
+^^^^^^^^^^^^^^^^^^
+
+- Configure the IKE and ESP settings to match a subset
+  of those supported by Azure:
+
+.. code-block:: none
+
+  set vpn ipsec esp-group AZURE compression 'disable'
+  set vpn ipsec esp-group AZURE lifetime '3600'
+  set vpn ipsec esp-group AZURE mode 'tunnel'
+  set vpn ipsec esp-group AZURE pfs 'dh-group2'
+  set vpn ipsec esp-group AZURE proposal 1 encryption 'aes256'
+  set vpn ipsec esp-group AZURE proposal 1 hash 'sha1'
+
+  set vpn ipsec ike-group AZURE dead-peer-detection action 'restart'
+  set vpn ipsec ike-group AZURE dead-peer-detection interval '15'
+  set vpn ipsec ike-group AZURE dead-peer-detection timeout '30'
+  set vpn ipsec ike-group AZURE ikev2-reauth 'yes'
+  set vpn ipsec ike-group AZURE key-exchange 'ikev2'
+  set vpn ipsec ike-group AZURE lifetime '28800'
+  set vpn ipsec ike-group AZURE proposal 1 dh-group '2'
+  set vpn ipsec ike-group AZURE proposal 1 encryption 'aes256'
+  set vpn ipsec ike-group AZURE proposal 1 hash 'sha1'
+
+- Enable IPsec on eth0
+
+.. code-block:: none
+
+  set vpn ipsec ipsec-interfaces interface 'eth0'
+
+- Configure two VTIs with a dummy IP address each
+
+.. code-block:: none
+
+  set interfaces vti vti1 address '10.10.1.5/32'
+  set interfaces vti vti1 description 'Azure Primary Tunnel'
+
+  set interfaces vti vti2 address '10.10.1.6/32'
+  set interfaces vti vti2 description 'Azure Secondary Tunnel'
+
+- Clamp the VTI's MSS to 1350 to avoid PMTU blackholes.
+
+.. code-block:: none
+
+  set firewall options interface vti1 adjust-mss 1350
+  set firewall options interface vti2 adjust-mss 1350
+
+- Configure the VPN tunnels
+
+.. code-block:: none
+
+  set vpn ipsec site-to-site peer 203.0.113.2 authentication id '198.51.100.3'
+  set vpn ipsec site-to-site peer 203.0.113.2 authentication mode 'pre-shared-secret'
+  set vpn ipsec site-to-site peer 203.0.113.2 authentication pre-shared-secret 'ch00s3-4-s3cur3-psk'
+  set vpn ipsec site-to-site peer 203.0.113.2 authentication remote-id '203.0.113.2'
+  set vpn ipsec site-to-site peer 203.0.113.2 connection-type 'respond'
+  set vpn ipsec site-to-site peer 203.0.113.2 description 'AZURE PRIMARY TUNNEL'
+  set vpn ipsec site-to-site peer 203.0.113.2 ike-group 'AZURE'
+  set vpn ipsec site-to-site peer 203.0.113.2 ikev2-reauth 'inherit'
+  set vpn ipsec site-to-site peer 203.0.113.2 local-address '10.10.0.5'
+  set vpn ipsec site-to-site peer 203.0.113.2 vti bind 'vti1'
+  set vpn ipsec site-to-site peer 203.0.113.2 vti esp-group 'AZURE'
+
+  set vpn ipsec site-to-site peer 203.0.113.3 authentication id '198.51.100.3'
+  set vpn ipsec site-to-site peer 203.0.113.3 authentication mode 'pre-shared-secret'
+  set vpn ipsec site-to-site peer 203.0.113.3 authentication pre-shared-secret 'ch00s3-4-s3cur3-psk'
+  set vpn ipsec site-to-site peer 203.0.113.3 authentication remote-id '203.0.113.3'
+  set vpn ipsec site-to-site peer 203.0.113.3 connection-type 'respond'
+  set vpn ipsec site-to-site peer 203.0.113.3 description 'AZURE SECONDARY TUNNEL'
+  set vpn ipsec site-to-site peer 203.0.113.3 ike-group 'AZURE'
+  set vpn ipsec site-to-site peer 203.0.113.3 ikev2-reauth 'inherit'
+  set vpn ipsec site-to-site peer 203.0.113.3 local-address '10.10.0.5'
+  set vpn ipsec site-to-site peer 203.0.113.3 vti bind 'vti2'
+  set vpn ipsec site-to-site peer 203.0.113.3 vti esp-group 'AZURE'
+
+- **Important**: Add an interface route to reach both Azure's BGP listeners
+
+.. code-block:: none
+
+  set protocols static interface-route 10.0.0.4/32 next-hop-interface vti1
+  set protocols static interface-route 10.0.0.5/32 next-hop-interface vti2
+
+- Configure your BGP settings
+
+.. code-block:: none
+
+  set protocols bgp 64499 neighbor 10.0.0.4 remote-as '65540'
+  set protocols bgp 64499 neighbor 10.0.0.4 address-family ipv4-unicast soft-reconfiguration 'inbound'
+  set protocols bgp 64499 neighbor 10.0.0.4 timers holdtime '30'
+  set protocols bgp 64499 neighbor 10.0.0.4 timers keepalive '10'
+
+  set protocols bgp 64499 neighbor 10.0.0.5 remote-as '65540'
+  set protocols bgp 64499 neighbor 10.0.0.5 address-family ipv4-unicast soft-reconfiguration 'inbound'
+  set protocols bgp 64499 neighbor 10.0.0.5 timers holdtime '30'
+  set protocols bgp 64499 neighbor 10.0.0.5 timers keepalive '10'
+
+- **Important**: Disable connected check, otherwise the routes learned
+  from Azure will not be imported into the routing table.
+
+.. code-block:: none
+
+  set protocols bgp 64499 neighbor 10.0.0.4 disable-connected-check
+  set protocols bgp 64499 neighbor 10.0.0.5 disable-connected-check
-- 
cgit v1.2.3


From 0ae01b4a1c6e6376b2db498618c65801a809e826 Mon Sep 17 00:00:00 2001
From: Christian Poessinger <christian@poessinger.com>
Date: Fri, 5 Feb 2021 22:53:53 +0100
Subject: vrf: static: T2450: adjust to new CLI syntax

---
 docs/configexamples/azure-vpn-bgp.rst              |  2 +-
 docs/configexamples/azure-vpn-dual-bgp.rst         |  4 ++--
 .../dhcp-relay-through-gre-bridge.rst              |  4 ++--
 docs/configexamples/tunnelbroker-ipv6.rst          |  2 +-
 docs/configuration/interfaces/openvpn.rst          |  6 ++---
 docs/configuration/interfaces/pppoe.rst            |  4 ++--
 docs/configuration/interfaces/wireguard.rst        |  4 ++--
 docs/configuration/protocols/static.rst            | 12 +++++-----
 docs/configuration/vrf/index.rst                   | 28 +++++++++++-----------
 9 files changed, 33 insertions(+), 33 deletions(-)

(limited to 'docs/configexamples/azure-vpn-dual-bgp.rst')

diff --git a/docs/configexamples/azure-vpn-bgp.rst b/docs/configexamples/azure-vpn-bgp.rst
index 265e28c7..1d61b3b8 100644
--- a/docs/configexamples/azure-vpn-bgp.rst
+++ b/docs/configexamples/azure-vpn-bgp.rst
@@ -114,7 +114,7 @@ Vyos configuration
 
 .. code-block:: none
 
-  set protocols static interface-route 10.0.0.4/32 next-hop-interface vti1
+  set protocols static route 10.0.0.4/32 interface vti1
 
 - Configure your BGP settings
 
diff --git a/docs/configexamples/azure-vpn-dual-bgp.rst b/docs/configexamples/azure-vpn-dual-bgp.rst
index 13d4b5a2..0a48156c 100644
--- a/docs/configexamples/azure-vpn-dual-bgp.rst
+++ b/docs/configexamples/azure-vpn-dual-bgp.rst
@@ -129,8 +129,8 @@ Vyos configuration
 
 .. code-block:: none
 
-  set protocols static interface-route 10.0.0.4/32 next-hop-interface vti1
-  set protocols static interface-route 10.0.0.5/32 next-hop-interface vti2
+  set protocols static route 10.0.0.4/32 interface vti1
+  set protocols static route 10.0.0.5/32 interface vti2
 
 - Configure your BGP settings
 
diff --git a/docs/configexamples/dhcp-relay-through-gre-bridge.rst b/docs/configexamples/dhcp-relay-through-gre-bridge.rst
index 0db5fa0a..afa4d854 100644
--- a/docs/configexamples/dhcp-relay-through-gre-bridge.rst
+++ b/docs/configexamples/dhcp-relay-through-gre-bridge.rst
@@ -29,7 +29,7 @@ DHCP Server
    set protocols ospf area 0 network '192.168.3.0/24'
    set protocols ospf area 0 network '10.0.2.0/24'
    set protocols ospf parameters router-id '192.168.3.3'
-   set protocols static interface-route 10.0.1.2/32 next-hop-interface tun100
+   set protocols static route 10.0.1.2/32 interface tun100
    set service dhcp-server shared-network-name asdf authoritative
    set service dhcp-server shared-network-name asdf subnet 192.168.3.0/24 range 0 start '192.168.3.30'
    set service dhcp-server shared-network-name asdf subnet 192.168.3.0/24 range 0 stop '192.168.3.40'
@@ -70,7 +70,7 @@ DHCP Relay
    set protocols ospf area 0 network '192.168.0.0/24'
    set protocols ospf area 0 network '10.100.100.0/24'
    set protocols ospf parameters router-id '10.100.100.1'
-   set protocols static interface-route 192.168.3.3/32 next-hop-interface tun100
+   set protocols static route 192.168.3.3/32 interface tun100
    set service dhcp-relay interface 'eth0'
    set service dhcp-relay interface 'tun100'
    set service dhcp-relay server '192.168.3.3'
diff --git a/docs/configexamples/tunnelbroker-ipv6.rst b/docs/configexamples/tunnelbroker-ipv6.rst
index b6f1cc07..1df814dc 100644
--- a/docs/configexamples/tunnelbroker-ipv6.rst
+++ b/docs/configexamples/tunnelbroker-ipv6.rst
@@ -35,7 +35,7 @@ tunnel information page.
   set interfaces tunnel tun0 mtu '1472'
   set interfaces tunnel tun0 multicast 'disable'
   set interfaces tunnel tun0 remote-ip Server_IPv4_from_Tunnelbroker  # This is the IP of the Tunnelbroker server
-  set protocols static interface-route6 ::/0 next-hop-interface tun0  # Tell all traffic to go over this tunnel
+  set protocols static route6 ::/0 interface tun0  # Tell all traffic to go over this tunnel
   commit
 
 If your WAN connection is over PPPoE, you may need to set the MTU on the above
diff --git a/docs/configuration/interfaces/openvpn.rst b/docs/configuration/interfaces/openvpn.rst
index 2c273b34..8b32743f 100644
--- a/docs/configuration/interfaces/openvpn.rst
+++ b/docs/configuration/interfaces/openvpn.rst
@@ -159,13 +159,13 @@ Local Configuration:
 
 .. code-block:: none
 
-  set protocols static interface-route 10.1.0.0/16 next-hop-interface vtun1
+  set protocols static route 10.1.0.0/16 interface vtun1
 
 Remote Configuration:
 
 .. code-block:: none
 
-  set protocols static interface-route 10.0.0.0/16 next-hop-interface vtun1
+  set protocols static route 10.0.0.0/16 interface vtun1
 
 Firewall policy can also be applied to the tunnel interface for `local`, `in`,
 and `out` directions and function identically to ethernet interfaces.
@@ -253,7 +253,7 @@ internally, so we need to create a route to the 10.23.0.0/20 network ourselves:
 
 .. code-block:: none
 
-  set protocols static interface-route 10.23.0.0/20 next-hop-interface vtun10
+  set protocols static route 10.23.0.0/20 interface vtun10
 
 Generate X.509 Certificate and Keys
 -----------------------------------
diff --git a/docs/configuration/interfaces/pppoe.rst b/docs/configuration/interfaces/pppoe.rst
index 0fdbba42..1bbccc0c 100644
--- a/docs/configuration/interfaces/pppoe.rst
+++ b/docs/configuration/interfaces/pppoe.rst
@@ -130,7 +130,7 @@ PPPoE options
 
 .. note:: In all modes except 'none', all default routes using this interface
    will be removed when the interface is torn down - even manually installed
-   static interface-routes.
+   static routes.
 
 .. cfgcmd:: set interfaces pppoe <interface> idle-timeout <time>
 
@@ -251,7 +251,7 @@ Requirements:
   default gateway you receive from your DSL ISP to the routing table if you
   have no other WAN connections. If you wish to use a dual WAN connection,
   change the ``default-route`` option to ``force``.  You could also install
-  a static interface-route and set the ``default-route`` option to ``none``.
+  a static route and set the ``default-route`` option to ``none``.
 * With the ``name-server`` option set to ``none``, VyOS will ignore the
   nameservers your ISP sens you and thus you can fully rely on the ones you
   have configured statically.
diff --git a/docs/configuration/interfaces/wireguard.rst b/docs/configuration/interfaces/wireguard.rst
index c4dfbee7..852ff520 100644
--- a/docs/configuration/interfaces/wireguard.rst
+++ b/docs/configuration/interfaces/wireguard.rst
@@ -78,7 +78,7 @@ one.
   set interfaces wireguard wg01 peer to-wg02 port '12345'
   set interfaces wireguard wg01 peer to-wg02 pubkey 'XMrlPykaxhdAAiSjhtPlvi30NVkvLQliQuKP7AI7CyI='
   set interfaces wireguard wg01 port '12345'
-  set protocols static interface-route 10.2.0.0/24 next-hop-interface wg01
+  set protocols static route 10.2.0.0/24 interface wg01
 
 The last step is to define an interface route for 10.2.0.0/24 to get
 through the WireGuard interface `wg01`. Multiple IPs or networks can be
@@ -113,7 +113,7 @@ the public key, which needs to be shared with the peer.
   set interfaces wireguard wg01 peer to-wg02 port '12345'
   set interfaces wireguard wg01 peer to-wg02 pubkey 'u41jO3OF73Gq1WARMMFG7tOfk7+r8o8AzPxJ1FZRhzk='
   set interfaces wireguard wg01 port '12345'
-  set protocols static interface-route 10.1.0.0/24 next-hop-interface wg01
+  set protocols static route 10.1.0.0/24 interface wg01
 
 Assure that your firewall rules allow the traffic, in which case you
 have a working VPN using WireGuard
diff --git a/docs/configuration/protocols/static.rst b/docs/configuration/protocols/static.rst
index 42c0c4b7..723db727 100644
--- a/docs/configuration/protocols/static.rst
+++ b/docs/configuration/protocols/static.rst
@@ -63,19 +63,19 @@ Static Routes
 Interface Routes
 ================
 
-.. cfgcmd:: set protocols static interface-route <subnet> next-hop-interface
+.. cfgcmd:: set protocols static route <subnet> interface
    <interface>
 
    Allows you to configure the next-hop interface for an interface-based IPv4
    static route. `<interface>` will be the next-hop interface where trafic is
    routed for the given `<subnet>`.
 
-.. cfgcmd:: set protocols static interface-route <subnet> next-hop-interface
+.. cfgcmd:: set protocols static route <subnet> interface
    <interface> disable
 
    Disables interface-based IPv4 static route.
 
-.. cfgcmd:: set protocols static interface-route <subnet> next-hop-interface
+.. cfgcmd:: set protocols static route <subnet> interface
    <interface> distance <distance>
 
    Defines next-hop distance for this route, routes with smaller administrative
@@ -83,19 +83,19 @@ Interface Routes
 
    Range is 1 to 255, default is 1.
 
-.. cfgcmd:: set protocols static interface-route6 <subnet> next-hop-interface
+.. cfgcmd:: set protocols static route6 <subnet> interface
    <interface>
 
    Allows you to configure the next-hop interface for an interface-based IPv6
    static route. `<interface>` will be the next-hop interface where trafic is
    routed for the given `<subnet>`.
 
-.. cfgcmd:: set protocols static interface-route6 <subnet> next-hop-interface
+.. cfgcmd:: set protocols static route6 <subnet> interface
    <interface> disable
 
    Disables interface-based IPv6 static route.
 
-.. cfgcmd:: set protocols static interface-route6 <subnet> next-hop-interface
+.. cfgcmd:: set protocols static route6 <subnet> interface
    <interface> distance <distance>
 
    Defines next-hop distance for this route, routes with smaller administrative
diff --git a/docs/configuration/vrf/index.rst b/docs/configuration/vrf/index.rst
index a311fcc0..244784de 100644
--- a/docs/configuration/vrf/index.rst
+++ b/docs/configuration/vrf/index.rst
@@ -119,7 +119,7 @@ Leaking
 """""""
 
 .. cfgcmd:: set protocols vrf <name> static route <subnet> next-hop <address>
-   next-hop-vrf <default | vrf-name>
+   vrf <default | vrf-name>
 
    Use this command if you have shared services or routes that should be shared
    between multiple VRF instances. This will add an IPv4 route to VRF `<name>`
@@ -127,7 +127,7 @@ Leaking
    a different VRF or leak it into the default VRF.
 
 .. cfgcmd:: set protocols vrf <name> static route6 <subnet> next-hop <address>
-   next-hop-vrf <default | vrf-name>
+   vrf <default | vrf-name>
 
    Use this command if you have shared services or routes that should be shared
    between multiple VRF instances. This will add an IPv6 route to VRF `<name>`
@@ -138,40 +138,40 @@ Leaking
 Interface Routes
 """"""""""""""""
 
-.. cfgcmd:: set protocols vrf <name> static interface-route <subnet>
-   next-hop-interface <interface>
+.. cfgcmd:: set protocols vrf <name> static route <subnet>
+   interface <interface>
 
    Allows you to configure the next-hop interface for an interface-based IPv4
    static route. `<interface>` will be the next-hop interface where trafic is
    routed for the given `<subnet>`.
 
-.. cfgcmd:: set protocols vrf <name> static interface-route <subnet>
-   next-hop-interface <interface> disable
+.. cfgcmd:: set protocols vrf <name> static route <subnet>
+   interface <interface> disable
 
    Disables interface-based IPv4 static route.
 
-.. cfgcmd:: set protocols vrf <name> static interface-route <subnet>
-   next-hop-interface <interface> distance <distance>
+.. cfgcmd:: set protocols vrf <name> static route <subnet>
+   interface <interface> distance <distance>
 
    Defines next-hop distance for this route, routes with smaller administrative
    distance are elected prior those with a higher distance.
 
    Range is 1 to 255, default is 1.
 
-.. cfgcmd:: set protocols vrf <name> static interface-route6 <subnet>
-   next-hop-interface <interface>
+.. cfgcmd:: set protocols vrf <name> static route6 <subnet>
+   interface <interface>
 
    Allows you to configure the next-hop interface for an interface-based IPv6
    static route. `<interface>` will be the next-hop interface where trafic is
    routed for the given `<subnet>`.
 
-.. cfgcmd:: set protocols vrf <name> static interface-route6 <subnet>
-   next-hop-interface <interface> disable
+.. cfgcmd:: set protocols vrf <name> static route6 <subnet>
+   interface <interface> disable
 
    Disables interface-based IPv6 static route.
 
-.. cfgcmd:: set protocols vrf <name> static interface-route6 <subnet>
-   next-hop-interface <interface> distance <distance>
+.. cfgcmd:: set protocols vrf <name> static route6 <subnet>
+   interface <interface> distance <distance>
 
    Defines next-hop distance for this route, routes with smaller administrative
    distance are elected prior those with a higher distance.
-- 
cgit v1.2.3