From efa25bc32dad395b8fdc8f62b0ed032fa653fa0d Mon Sep 17 00:00:00 2001 From: root Date: Thu, 27 Aug 2020 13:37:11 -0500 Subject: T2810: Docs for vpn anyconnect-server This documentation describes how to configure AnyConnect-Server on VyOS --- docs/vpn/anyconnect.rst | 73 +++++++++++++++++++++++++++++++++++++++++++++++++ docs/vpn/index.rst | 1 + 2 files changed, 74 insertions(+) create mode 100644 docs/vpn/anyconnect.rst (limited to 'docs/vpn') diff --git a/docs/vpn/anyconnect.rst b/docs/vpn/anyconnect.rst new file mode 100644 index 00000000..0016cf46 --- /dev/null +++ b/docs/vpn/anyconnect.rst 
@@ -0,0 +1,73 @@ +.. _vpn-anyconnect: + +AnyConnect +----- + +Cisco AnyConnect-compatible server(based on great OpenConnect software) feature is available from this release. +Anyconnect VPN supports SSL connection and offers full network access. SSL VPN network extension connects the end-user system to the corporate network with access controls based only on network layer information, such as destination IP address and port number. So, it provides safe communication for all types of device traffic across public networks and private networks, also encrypts the traffic with SSL protocol. +The remote user will use the anyconnect client to connect to the router and will receive an IP address from a VPN pool, allowing full access to the network. + +.. note:: All certificates should be stored on VyOS under /config/auth. If certificates are not stored in the /config directory they will not be migrated during a software update. + + +Configuration +^^^^^^^^^^ + +SSL Certificates +---- + +We need to generate the certificate which authenticates users who attempt to access the network resource through the SSL VPN tunnels. +The following command will create a self signed certificates and will be stored in the file path /config/auth + +.. code-block:: none + + openssl req -newkey rsa:4096 -new -nodes -x509 -days 3650 -keyout /config/auth/server.key -out /config/auth/server.crt + openssl req -new -x509 -key /config/auth/server.key -out /config/auth/ca.crt + +We can also create the certificates using Cerbort which is an easy-to-use client that fetches a certificate from Let’s Encrypt—an open certificate authority launched by the EFF, Mozilla, and others—and deploys it to a web server. + +.. code-block:: none + + sudo certbot certonly --standalone --preferred-challenges http -d + +Server Configuration +------------------------- + +.. 
code-block:: none + + set vpn anyconnect authentication local-users username password + set vpn anyconnect authentication mode + set vpn anyconnect network-settings client-ip-settings subnet + set vpn anyconnect network-settings name-server
+ set vpn anyconnect network-settings name-server
+ set vpn anyconnect ssl ca-cert-file + set vpn anyconnect ssl cert-file + set vpn anyconnect ssl key-file + +Example +---- + +Use local user name "user4" with password "SecretPassword" +Client IP addresses will be provided from pool 100.64.0.0/24 +The Gateway IP Address must be in one of the router´s interfaces. + +.. code-block:: none + + set vpn anyconnect authentication local-users username user4 password 'SecretPassword' + set vpn anyconnect authentication mode 'local' + set vpn anyconnect network-settings client-ip-settings subnet '100.64.0.0/24' + set vpn anyconnect network-settings name-server '1.1.1.1' + set vpn anyconnect network-settings name-server '8.8.8.8' + set vpn anyconnect ssl ca-cert-file '/config/auth/fullchain.pem' + set vpn anyconnect ssl cert-file '/config/auth/cert.pem' + set vpn anyconnect ssl key-file '/config/auth/privkey.pem' + +Verification +---- + +.. code-block:: none + + vyos@RTR1:~$ show anyconnect-server sessions + interface username ip remote IP RX TX state uptime + ----------- ---------- ------------ ------------- -------- -------- --------- -------- + sslvpn0 user4 100.64.0.105 xx.xxx.49.253 127.3 KB 160.0 KB connected 12m:28s diff --git a/docs/vpn/index.rst b/docs/vpn/index.rst index 42a90a3f..aea1ada2 100644 --- a/docs/vpn/index.rst +++ b/docs/vpn/index.rst @@ -15,3 +15,4 @@ VPN site2site_ipsec sstp wireguard + anyconnect -- cgit v1.2.3 From ca432e2ec6bf8c33c652aee9bc7bc0e2b4a4bd6a Mon Sep 17 00:00:00 2001 From: root Date: Thu, 27 Aug 2020 13:37:11 -0500 Subject: T2810: Docs for vpn anyconnect-server This documentation describes how to configure OpenConnect-Server on VyOS --- docs/vpn/anyconnect.rst | 73 +++++++++++++++++++++++++++++++++++++++++++++++++ docs/vpn/index.rst | 1 + 2 files changed, 74 insertions(+) create mode 100644 docs/vpn/anyconnect.rst (limited to 'docs/vpn') diff --git a/docs/vpn/anyconnect.rst b/docs/vpn/anyconnect.rst new file mode 100644 index 00000000..64c3e49f --- /dev/null +++ b/docs/vpn/anyconnect.rst 
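Review bot: in the new `docs/vpn/anyconnect.rst` hunk of commit efa25bc, the SSL Certificates section does not produce a CA that issued the server certificate: both `openssl req` lines use `-x509`, so `server.crt` and `ca.crt` are two independent self-signed certificates made from the same `server.key`, and `ca.crt` does not chain to `server.crt` at all. Either generate the CA key and certificate first and sign a server CSR with it, or say plainly that `ca.crt` is only a self-signed placeholder. The same section then points the reader at Certbot (spelled `Cerbort` in the hunk) while the Example references `/config/auth/fullchain.pem`, `cert.pem` and `privkey.pem` without showing how those files get into `/config/auth`, which the note at the top of the file says is required for them to survive an upgrade; a copy step would close that gap. Finally, the title underlines are shorter than their titles (`-----` under `AnyConnect`, `^^^^^^^^^^` under `Configuration`, `----` under `SSL Certificates`, `Example` and `Verification`) and `SSL Certificates` reuses the `----` level of the chapter title, so Sphinx will warn about underline length and inconsistent title levels.

Review bot: in the `docs/vpn/index.rst` hunk of commit efa25bc, `anyconnect` is appended after `wireguard`, which breaks the alphabetical order of the toctree (`site2site_ipsec`, `sstp`, `wireguard`); place it where the list's ordering puts it.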
@@ -0,0 +1,73 @@ +.. _vpn-openconnect: + +OpenConnect +----- + +OpenConnect-compatible server feature is available from this release. +Openconnect VPN supports SSL connection and offers full network access. SSL VPN network extension connects the end-user system to the corporate network with access controls based only on network layer information, such as destination IP address and port number. So, it provides safe communication for all types of device traffic across public networks and private networks, also encrypts the traffic with SSL protocol. +The remote user will use the openconnect client to connect to the router and will receive an IP address from a VPN pool, allowing full access to the network. + +.. note:: All certificates should be stored on VyOS under /config/auth. If certificates are not stored in the /config directory they will not be migrated during a software update. + + +Configuration +^^^^^^^^^^ + +SSL Certificates +---- + +We need to generate the certificate which authenticates users who attempt to access the network resource through the SSL VPN tunnels. +The following command will create a self signed certificates and will be stored in the file path /config/auth + +.. code-block:: none + + openssl req -newkey rsa:4096 -new -nodes -x509 -days 3650 -keyout /config/auth/server.key -out /config/auth/server.crt + openssl req -new -x509 -key /config/auth/server.key -out /config/auth/ca.crt + +We can also create the certificates using Cerbort which is an easy-to-use client that fetches a certificate from Let’s Encrypt — an open certificate authority launched by the EFF, Mozilla, and others—and deploys it to a web server. + +.. code-block:: none + + sudo certbot certonly --standalone --preferred-challenges http -d + +Server Configuration +------------------------- + +.. 
code-block:: none + + set vpn openconnect authentication local-users username password + set vpn openconnect authentication mode + set vpn opneconnect network-settings client-ip-settings subnet + set vpn openconnect network-settings name-server
+ set vpn openconnect network-settings name-server
+ set vpn openconnect ssl ca-cert-file + set vpn openconnect ssl cert-file + set vpn openconnect ssl key-file + +Example +---- + +Use local user name "user4" with password "SecretPassword" +Client IP addresses will be provided from pool 100.64.0.0/24 +The Gateway IP Address must be in one of the router´s interfaces. + +.. code-block:: none + + set vpn openconnect authentication local-users username user4 password 'SecretPassword' + set vpn openconnect authentication mode 'local' + set vpn openconnect network-settings client-ip-settings subnet '100.64.0.0/24' + set vpn openconnect network-settings name-server '1.1.1.1' + set vpn openconnect network-settings name-server '8.8.8.8' + set vpn openconnect ssl ca-cert-file '/config/auth/fullchain.pem' + set vpn openconnect ssl cert-file '/config/auth/cert.pem' + set vpn openconnect ssl key-file '/config/auth/privkey.pem' + +Verification +---- + +.. code-block:: none + + vyos@RTR1:~$ show openconnect-server sessions + interface username ip remote IP RX TX state uptime + ----------- ---------- ------------ ------------- -------- -------- --------- -------- + sslvpn0 user4 100.64.0.105 xx.xxx.49.253 127.3 KB 160.0 KB connected 12m:28s diff --git a/docs/vpn/index.rst b/docs/vpn/index.rst index 42a90a3f..aea1ada2 100644 --- a/docs/vpn/index.rst +++ b/docs/vpn/index.rst @@ -15,3 +15,4 @@ VPN site2site_ipsec sstp wireguard + anyconnect -- cgit v1.2.3 From 7334b4b9baec121569ad0e3015994fa1e10f167c Mon Sep 17 00:00:00 2001 From: Christian Poessinger Date: Sun, 13 Sep 2020 15:58:10 +0200 Subject: vpn: openconnect: fix TOC --- docs/vpn/anyconnect.rst | 78 ------------------------------------------------ docs/vpn/index.rst | 2 +- docs/vpn/openconnect.rst | 45 ++++++++++++++++++---------- 3 files changed, 31 insertions(+), 94 deletions(-) delete mode 100644 docs/vpn/anyconnect.rst (limited to 'docs/vpn') diff --git a/docs/vpn/anyconnect.rst b/docs/vpn/anyconnect.rst deleted file mode 100644 index e8945fbb..00000000 
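Review bot: in the `docs/vpn/anyconnect.rst` hunk of commit ca432e2, the Server Configuration block spells the node `opneconnect` on the `client-ip-settings subnet` line, so a reader pasting that block gets a configuration error. The content and its label `_vpn-openconnect` now say OpenConnect, but the file is still created as `anyconnect.rst` and the `docs/vpn/index.rst` hunk still adds `anyconnect` to the toctree; rename the file to `openconnect.rst` and change the index entry to match. This commit has the same author, date and subject as efa25bc and differs only in the OpenConnect wording, so it reads as an amended version of that commit rather than a follow-up. The points raised on efa25bc (two independent self-signed certificates, `Cerbort`, short underlines, mixed title levels) carry over unchanged.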
--- a/docs/vpn/anyconnect.rst +++ /dev/null 
@@ -1,78 +0,0 @@ -.. _vpn-openconnect: - -OpenConnect ------ - -OpenConnect-compatible server feature is available from this release. -Openconnect VPN supports SSL connection and offers full network access. SSL VPN network extension connects the end-user system to the corporate network with access controls based only on network layer information, such as destination IP address and port number. So, it provides safe communication for all types of device traffic across public networks and private networks, also encrypts the traffic with SSL protocol. -The remote user will use the openconnect client to connect to the router and will receive an IP address from a VPN pool, allowing full access to the network. - - -.. note:: All certificates should be stored on VyOS under /config/auth. If certificates are not stored in the /config directory they will not be migrated during a software update. - - -Configuration -^^^^^^^^^^ - -SSL Certificates ----- - -We need to generate the certificate which authenticates users who attempt to access the network resource through the SSL VPN tunnels. -The following command will create a self signed certificates and will be stored in the file path /config/auth - -.. code-block:: none - - openssl req -newkey rsa:4096 -new -nodes -x509 -days 3650 -keyout /config/auth/server.key -out /config/auth/server.crt - openssl req -new -x509 -key /config/auth/server.key -out /config/auth/ca.crt - -We can also create the certificates using Cerbort which is an easy-to-use client that fetches a certificate from Let’s Encrypt — an open certificate authority launched by the EFF, Mozilla, and others—and deploys it to a web server. - -.. code-block:: none - - sudo certbot certonly --standalone --preferred-challenges http -d - -Server Configuration -------------------------- - -.. 
code-block:: none - - set vpn openconnect authentication local-users username password - set vpn openconnect authentication mode - set vpn opneconnect network-settings client-ip-settings subnet - set vpn openconnect network-settings name-server
- set vpn openconnect network-settings name-server
- set vpn openconnect ssl ca-cert-file - set vpn openconnect ssl cert-file - set vpn openconnect ssl key-file - - -Example ----- - -Use local user name "user4" with password "SecretPassword" -Client IP addresses will be provided from pool 100.64.0.0/24 -The Gateway IP Address must be in one of the router´s interfaces. - -.. code-block:: none - - set vpn openconnect authentication local-users username user4 password 'SecretPassword' - set vpn openconnect authentication mode 'local' - set vpn openconnect network-settings client-ip-settings subnet '100.64.0.0/24' - set vpn openconnect network-settings name-server '1.1.1.1' - set vpn openconnect network-settings name-server '8.8.8.8' - set vpn openconnect ssl ca-cert-file '/config/auth/fullchain.pem' - set vpn openconnect ssl cert-file '/config/auth/cert.pem' - set vpn openconnect ssl key-file '/config/auth/privkey.pem' - - -Verification ----- - -.. code-block:: none - - - vyos@RTR1:~$ show openconnect-server sessions - - interface username ip remote IP RX TX state uptime - ----------- ---------- ------------ ------------- -------- -------- --------- -------- - sslvpn0 user4 100.64.0.105 xx.xxx.49.253 127.3 KB 160.0 KB connected 12m:28s diff --git a/docs/vpn/index.rst b/docs/vpn/index.rst index 4441c003..9ba31ae6 100644 --- a/docs/vpn/index.rst +++ b/docs/vpn/index.rst @@ -15,4 +15,4 @@ VPN site2site_ipsec sstp wireguard - OpenConnect + openconnect diff --git a/docs/vpn/openconnect.rst b/docs/vpn/openconnect.rst index 9d6dd6da..a409ed9d 100644 --- a/docs/vpn/openconnect.rst +++ b/docs/vpn/openconnect.rst 
@@ -1,38 +1,51 @@ .. _vpn-openconnect: +########### OpenConnect ------ +########### OpenConnect-compatible server feature is available from this release. -Openconnect VPN supports SSL connection and offers full network access. SSL VPN network extension connects the end-user system to the corporate network with access controls based only on network layer information, such as destination IP address and port number. So, it provides safe communication for all types of device traffic across public networks and private networks, also encrypts the traffic with SSL protocol. -The remote user will use the openconnect client to connect to the router and will receive an IP address from a VPN pool, allowing full access to the network. +Openconnect VPN supports SSL connection and offers full network access. SSL VPN +network extension connects the end-user system to the corporate network with +access controls based only on network layer information, such as destination IP +address and port number. So, it provides safe communication for all types of +device traffic across public networks and private networks, also encrypts the +traffic with SSL protocol. +The remote user will use the openconnect client to connect to the router and +will receive an IP address from a VPN pool, allowing full access to the network. -.. note:: All certificates should be stored on VyOS under /config/auth. If certificates are not stored in the /config directory they will not be migrated during a software update. - +.. note:: All certificates should be stored on VyOS under /config/auth. If + certificates are not stored in the /config directory they will not be + migrated during a software update. +************* Configuration -^^^^^^^^^^ +************* SSL Certificates ----- +================ -We need to generate the certificate which authenticates users who attempt to access the network resource through the SSL VPN tunnels. 
-The following command will create a self signed certificates and will be stored in the file path /config/auth +We need to generate the certificate which authenticates users who attempt to +access the network resource through the SSL VPN tunnels. The following command +will create a self signed certificates and will be stored in the file path +`/config/auth`. .. code-block:: none openssl req -newkey rsa:4096 -new -nodes -x509 -days 3650 -keyout /config/auth/server.key -out /config/auth/server.crt openssl req -new -x509 -key /config/auth/server.key -out /config/auth/ca.crt -We can also create the certificates using Cerbort which is an easy-to-use client that fetches a certificate from Let’s Encrypt — an open certificate authority launched by the EFF, Mozilla, and others—and deploys it to a web server. +We can also create the certificates using Cerbort which is an easy-to-use client +that fetches a certificate from Let's Encrypt an open certificate authority +launched by the EFF, Mozilla, and others and deploys it to a web server. .. code-block:: none sudo certbot certonly --standalone --preferred-challenges http -d Server Configuration -------------------------- +==================== .. code-block:: none @@ -46,8 +59,9 @@ Server Configuration set vpn openconnect ssl key-file +******* Example ----- +******* Use local user name "user4" with password "SecretPassword" Client IP addresses will be provided from pool 100.64.0.0/24 
@@ -57,7 +71,7 @@ The Gateway IP Address must be in one of the router´s interfaces. set vpn openconnect authentication local-users username user4 password 'SecretPassword' set vpn openconnect authentication mode 'local' - set vpn openconnect network-settings client-ip-settings subnet '100.64.0.0/24' + set vpn openconnect network-settings client-ip-settings subnet '100.64.0.0/24' set vpn openconnect network-settings name-server '1.1.1.1' set vpn openconnect network-settings name-server '8.8.8.8' set vpn openconnect ssl ca-cert-file '/config/auth/fullchain.pem' @@ -65,13 +79,14 @@ The Gateway IP Address must be in one of the router´s interfaces. set vpn openconnect ssl key-file '/config/auth/privkey.pem' +************ Verification ----- +************ .. code-block:: none - vyos@RTR1:~$ show openconnect-server sessions + vyos@RTR1:~$ show openconnect-server sessions interface username ip remote IP RX TX state uptime ----------- ---------- ------------ ------------- -------- -------- --------- -------- -- cgit v1.2.3 From 910fa1ab3ac6a26959f0a2fb4915bf3c0791f720 Mon Sep 17 00:00:00 2001 From: Christian Poessinger Date: Mon, 14 Sep 2020 19:58:20 +0200 Subject: openvpn: fix WARNING: Title level inconsistent --- docs/vpn/openvpn.rst | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) (limited to 'docs/vpn') diff --git a/docs/vpn/openvpn.rst b/docs/vpn/openvpn.rst index 159366dc..fd6a3a71 100644 --- a/docs/vpn/openvpn.rst +++ b/docs/vpn/openvpn.rst @@ -255,7 +255,7 @@ internally, so we need to create a route to the 10.23.0.0/20 network ourselves: set protocols static interface-route 10.23.0.0/20 next-hop-interface vtun10 Generate X.509 Certificate and Keys -*********************************** +----------------------------------- OpenVPN ships with a set of scripts called Easy-RSA that can generate the appropriate files needed for an OpenVPN setup using X.509 certificates. 
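Review bot: in the `docs/vpn/openconnect.rst` hunk `@@ -1,38 +1,51 @@` of commit 7334b4b, the rewrap of the Certbot sentence dropped the dashes that set off the parenthetical, so it now reads `Let's Encrypt an open certificate authority launched by the EFF, Mozilla, and others and deploys it`; put the parenthetical in commas or parentheses, and fix `Cerbort` to `Certbot` while touching the line. `OpenConnect-compatible server feature is available from this release` should name the release. The two `openssl` lines are carried over unchanged and still produce two independent self-signed certificates rather than a CA and a server certificate signed by it.

Review bot: the deletion of `docs/vpn/anyconnect.rst` and the `- OpenConnect` / `+ openconnect` correction in `docs/vpn/index.rst` (the toctree entry must match the lowercase file name) are bundled with the heading rework under the subject `fix TOC`; a separate commit for the duplicate-file removal would make the history easier to follow. The hunks `@@ -57,7 +71,7 @@` and `@@ -65,13 +79,14 @@` are trailing-whitespace fixes only.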
@@ -338,10 +338,10 @@ For example, Branch 1's router might have the following files: ca.crt branch1.crt branch1.key Client Authentication ---------------------- +===================== LDAP -**** +---- Enterprise installations usually ship a kind of directory service which is used to have a single password store for all employees. VyOS and OpenVPN support using @@ -380,7 +380,7 @@ The required config file may look like: Active Directory -**************** +^^^^^^^^^^^^^^^^ Despite the fact that AD is a superset of LDAP -- cgit v1.2.3 From 71f73a88a040a4d2e24e0e8d029f5067a4a7a94a Mon Sep 17 00:00:00 2001 From: Christian Poessinger Date: Fri, 2 Oct 2020 17:56:53 +0200 Subject: sstp: T2953: adjust to new ppp-options CLI node --- docs/vpn/sstp.rst | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) (limited to 'docs/vpn') diff --git a/docs/vpn/sstp.rst b/docs/vpn/sstp.rst index de13b5ae..486f66e8 100644 --- a/docs/vpn/sstp.rst +++ b/docs/vpn/sstp.rst @@ -23,9 +23,11 @@ certificates as well as a private PKI is required. certificates are not stored in the ``/config`` directory they will not be migrated during a software update. +Certificates +============ -Self Signed CA and Certificates -=============================== +Self Signed CA +-------------- To generate the CA, the server private key and certificates the following commands can be used. 
@@ -152,23 +154,23 @@ SSL Certificates PPP Settings ------------ -.. cfgcmd:: set vpn sstp ppp-settings lcp-echo-failure +.. cfgcmd:: set vpn sstp ppp-options lcp-echo-failure Defines the maximum `` of unanswered echo requests. Upon reaching the value ``, the session will be reset. -.. cfgcmd:: set vpn sstp ppp-settings lcp-echo-interval +.. cfgcmd:: set vpn sstp ppp-options lcp-echo-interval If this option is specified and is greater than 0, then the PPP module will send LCP pings of the echo request every `` seconds. -.. cfgcmd:: set vpn sstp ppp-settings lcp-echo-timeout +.. cfgcmd:: set vpn sstp ppp-options lcp-echo-timeout Specifies timeout in seconds to wait for any peer activity. If this option specified it turns on adaptive lcp echo functionality and "lcp-echo-failure" is not used. -.. cfgcmd:: set vpn sstp ppp-settings mppe +.. cfgcmd:: set vpn sstp ppp-options mppe Specifies :abbr:`MPPE (Microsoft Point-to-Point Encryption)` negotioation preference. -- cgit v1.2.3 From d0a50a0383d25aa4c14f68e3763800c002d19017 Mon Sep 17 00:00:00 2001 From: Christian Poessinger Date: Sun, 4 Oct 2020 20:41:05 +0200 Subject: sstp: adjust to latest CLI commands --- docs/vpn/sstp.rst | 28 ++++++++++++++-------------- 1 file changed, 14 insertions(+), 14 deletions(-) (limited to 'docs/vpn') diff --git a/docs/vpn/sstp.rst b/docs/vpn/sstp.rst index 486f66e8..e5567cb6 100644 --- a/docs/vpn/sstp.rst +++ b/docs/vpn/sstp.rst @@ -100,18 +100,18 @@ Configuration * **local**: All authentication queries are handled locally. -.. cfgcmd:: set vpn sstp network-settings client-ip-settings gateway-address +.. cfgcmd:: set vpn sstp gateway-address Specifies single `` IP address to be used as local address of PPP interfaces. -.. cfgcmd:: set vpn sstp network-settings client-ip-settings subnet +.. cfgcmd:: set vpn sstp client-ip-pool subnet Use `` as the IP pool for all connecting clients. -.. cfgcmd:: set vpn sstp network-settings client-ipv6-pool prefix
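Review bot: in the `docs/vpn/sstp.rst` hunk `@@ -152,23 +154,23 @@` of commit 71f73a8, each renamed `cfgcmd` (`lcp-echo-failure`, `lcp-echo-interval`, `lcp-echo-timeout`, `mppe`) shows no argument after the keyword, and the descriptions contain an empty literal where the parameter name should be, e.g. `Defines the maximum `` of unanswered echo requests`; restore the placeholder in both places so the reader knows what value the command takes. The unchanged context line under `mppe` has `negotioation` for `negotiation`, worth fixing in the same pass. In the `@@ -23,9 +23,11 @@` hunk the new `Certificates` heading appears to be followed directly by `Self Signed CA` with no blank line between the `============` underline and the next title; add one so the two sections are separated cleanly.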
mask +.. cfgcmd:: set vpn sstp client-ipv6-pool prefix
mask Use this comand to set the IPv6 address pool from which an SSTP client will get an IPv6 prefix of your defined length (mask) to terminate the @@ -119,7 +119,7 @@ Configuration bit long, the default value is 64. -.. cfgcmd:: set vpn sstp network-settings client-ipv6-pool delegate
delegation-prefix +.. cfgcmd:: set vpn sstp client-ipv6-pool delegate
delegation-prefix Use this command to configure DHCPv6 Prefix Delegation (RFC3633) on SSTP. You will have to set your IPv6 pool and the length of the @@ -128,7 +128,7 @@ Configuration delegation prefix can be set from 32 to 64 bit long. -.. cfgcmd:: set vpn sstp network-settings name-server
+.. cfgcmd:: set vpn sstp name-server
Connected client should use `
` as their DNS server. This command accepts both IPv4 and IPv6 addresses. Up to two nameservers @@ -271,15 +271,15 @@ Example .. code-block:: none - set vpn sstp authentication local-users username foo password 'bar' - set vpn sstp authentication mode 'local' - set vpn sstp network-settings client-ip-settings gateway-address '192.0.2.254' - set vpn sstp network-settings client-ip-settings subnet '192.0.2.0/25' - set vpn sstp network-settings name-server '10.0.0.1' - set vpn sstp network-settings name-server '10.0.0.2' - set vpn sstp ssl ca-cert-file '/config/auth/ca.crt' - set vpn sstp ssl cert-file '/config/auth/server.crt' - set vpn sstp ssl key-file '/config/auth/server.key' + set vpn sstp authentication local-users username vyos password vyos + set vpn sstp authentication mode local + set vpn sstp gateway-address 192.0.2.254 + set vpn sstp client-ip-pool subnet 192.0.2.0/25 + set vpn sstp name-server 10.0.0.1 + set vpn sstp name-server 10.0.0.2 + set vpn sstp ssl ca-cert-file /config/auth/ca.crt + set vpn sstp ssl cert-file /config/auth/server.crt + set vpn sstp ssl key-file /config/auth/server.key Testing SSTP ============ -- cgit v1.2.3 From d8cae2006095d55bcd7e4e1fcecf325da30f8420 Mon Sep 17 00:00:00 2001 From: currite Date: Wed, 28 Oct 2020 20:57:10 +0100 Subject: openvpn: add troubleshooting subsection --- docs/vpn/openvpn.rst | 39 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 39 insertions(+) (limited to 'docs/vpn') diff --git a/docs/vpn/openvpn.rst b/docs/vpn/openvpn.rst index fd6a3a71..b9f5433b 100644 --- a/docs/vpn/openvpn.rst +++ b/docs/vpn/openvpn.rst 
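Review bot: in the Example hunk `@@ -271,15 +271,15 @@` of commit d0a50a0, the sample credential changes from `foo`/`bar` to `username vyos password vyos`; a documented user named like the default system account with an identical password is exactly what gets copied into real deployments, so keep an obviously placeholder pair and state that it must be replaced. The same hunk drops the single quotes around every value while the OpenConnect chapter's example keeps them; pick one convention for the vpn chapters. In the `@@ -100,18 +100,18 @@` and `@@ -128,7 +128,7 @@` hunks the renamed `client-ipv6-pool prefix`, `client-ipv6-pool delegate` and `name-server` directives show no argument placeholder after the keyword, and the unchanged `Use this comand` context line has a typo; both are worth fixing while these lines are being rewritten.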
@@ -542,4 +542,43 @@ Will add ``push "keepalive 1 10"`` to the generated OpenVPN config file. quotes. This is done through a hack on our config generator. You can pass quotes using the ``"`` statement. + +Troubleshooting +=============== + +VyOS provides some operational commands on OpenVPN. + +Check status +------------ + +The following commands let you check tunnel status. + +.. opcmd:: show openvpn client + + Use this command to check the tunnel status for OpenVPN client interfaces. + +.. opcmd:: show openvpn server + + Use this command to check the tunnel status for OpenVPN server interfaces. + +.. opcmd:: show openvpn site-to-site + + Use this command to check the tunnel status for OpenVPN site-to-site interfaces. + + +Reset OpenVPN +------------- + +The following commands let you reset OpenVPN for a specific client or interface. + +.. opcmd:: reset openvpn client + + Use this command to reset specified OpenVPN client. + +.. opcmd:: reset openvpn interface + + Uset this command to reset the OpenVPN process on a specific interface. + + + .. include:: ../common-references.rst -- cgit v1.2.3 From bf45f93b030284029014cba99b722253a29ccd6b Mon Sep 17 00:00:00 2001 From: currite <53279076+currite@users.noreply.github.com> Date: Wed, 28 Oct 2020 21:25:01 +0100 Subject: Update openvpn.rst --- docs/vpn/openvpn.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'docs/vpn') diff --git a/docs/vpn/openvpn.rst b/docs/vpn/openvpn.rst index b9f5433b..c6934335 100644 --- a/docs/vpn/openvpn.rst +++ b/docs/vpn/openvpn.rst @@ -569,7 +569,7 @@ The following commands let you check tunnel status. Reset OpenVPN ------------- -The following commands let you reset OpenVPN for a specific client or interface. +The following commands let you reset OpenVPN. .. opcmd:: reset openvpn client -- cgit v1.2.3 From baf330c08cbfca1a29d3918586f708904acf2ca5 Mon Sep 17 00:00:00 2001 
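Review bot: in the `docs/vpn/openvpn.rst` hunk of commit d8cae20, `Uset this command to reset the OpenVPN process` has a typo for `Use`. The `reset openvpn client` and `reset openvpn interface` directives are described as acting on a `specified` client or `specific` interface but show no argument after the keyword, so the reader cannot tell what to pass; include it in the directive, for example `.. opcmd:: reset openvpn interface <interface>` (placeholder name mine). `VyOS provides some operational commands on OpenVPN.` is filler and can be folded into the `Check status` lead sentence. The three blank lines added before `.. include:: ../common-references.rst` exceed the file's usual separation.

Review bot: commit bf45f93 changes `The following commands let you reset OpenVPN for a specific client or interface.` to `The following commands let you reset OpenVPN.`, which is less specific than the two directives beneath it; the original wording told the reader what the commands act on, and the subject `Update openvpn.rst` does not say why the line was changed.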
From: Christian Poessinger Date: Sun, 15 Nov 2020 14:09:56 +0100 Subject: dmvpn: improve blueprint with diagram and full configs --- docs/_static/images/blueprint-dmvpn.png | Bin 0 -> 41398 bytes docs/appendix/examples/dmvpn.rst | 159 ++++++++++++++++++++++++++------ docs/vpn/dmvpn.rst | 18 ++-- 3 files changed, 141 insertions(+), 36 deletions(-) create mode 100644 docs/_static/images/blueprint-dmvpn.png (limited to 'docs/vpn') diff --git a/docs/_static/images/blueprint-dmvpn.png b/docs/_static/images/blueprint-dmvpn.png new file mode 100644 index 00000000..04b7bd6f Binary files /dev/null and b/docs/_static/images/blueprint-dmvpn.png differ diff --git a/docs/appendix/examples/dmvpn.rst b/docs/appendix/examples/dmvpn.rst index 44c08de4..08a51838 100644 --- a/docs/appendix/examples/dmvpn.rst +++ b/docs/appendix/examples/dmvpn.rst 
@@ -4,28 +4,49 @@ DMVPN Hub ######### -General infomration can be found in the :ref:`vpn-dmvpn` chapter. +******** +Overview +******** + +General information can be found in the :ref:`vpn-dmvpn` chapter. + +This blueprint uses VyOS as the DMVPN Hub and Cisco (7206VXR) as multiple +spokes. The lab was build using :abbr:`EVE-NG (Emulated Virtual Environment NG)`. + +.. figure:: /_static/images/blueprint-dmvpn.png + :alt: DMVPN network + +Each node (Hub and Spoke) uses an IP address from the network 172.16.253.128/29. + +The below referenced IP address `192.0.2.1` is used as example address +representing a global unicast address under which the HUB can be contacted by +each and every individual spoke. Configuration ============= -VyOS Hub --------- +Hub +--- .. code-block:: none + set interfaces ethernet eth0 address 192.0.2.1/24 + set interfaces tunnel tun100 address '172.16.253.134/29' set interfaces tunnel tun100 encapsulation 'gre' - set interfaces tunnel tun100 local-ip '203.0.113.44' + set interfaces tunnel tun100 local-ip '192.0.2.1' set interfaces tunnel tun100 multicast 'enable' set interfaces tunnel tun100 parameters ip key '1' - set protocols nhrp tunnel tun100 cisco-authentication + set protocols nhrp tunnel tun100 cisco-authentication 'secret' set protocols nhrp tunnel tun100 holding-time '300' set protocols nhrp tunnel tun100 multicast 'dynamic' set protocols nhrp tunnel tun100 redirect set protocols nhrp tunnel tun100 shortcut + set system host-name 'HUB' + set system time-zone 'UTC' + set vpn ipsec esp-group ESP-HUB compression 'disable' set vpn ipsec esp-group ESP-HUB lifetime '1800' set vpn ipsec esp-group ESP-HUB mode 'tunnel' 
@@ -43,47 +64,82 @@ VyOS Hub set vpn ipsec ike-group IKE-HUB proposal 2 dh-group '2' set vpn ipsec ike-group IKE-HUB proposal 2 encryption 'aes128' set vpn ipsec ike-group IKE-HUB proposal 2 hash 'sha1' + set vpn ipsec ipsec-interfaces interface 'eth0' set vpn ipsec profile NHRPVPN authentication mode 'pre-shared-secret' - set vpn ipsec profile NHRPVPN authentication pre-shared-secret + set vpn ipsec profile NHRPVPN authentication pre-shared-secret 'secret' set vpn ipsec profile NHRPVPN bind tunnel 'tun100' set vpn ipsec profile NHRPVPN esp-group 'ESP-HUB' set vpn ipsec profile NHRPVPN ike-group 'IKE-HUB' -Cisco IOS Spoke ---------------- +Spoke +----- -This example is verified with a Cisco 2811 platform running IOS 15.1(4)M9 and -VyOS 1.1.7 (helium) up to VyOS 1.2 (Crux). +The individual spoke configurations only differ in the local IP address on the +``tun10`` interface. See the above diagram for the individual IP addresses. -.. code-block:: none - - Cisco IOS Software, 2800 Software (C2800NM-ADVENTERPRISEK9-M), Version 15.1(4)M9, RELEASE SOFTWARE (fc3) - Technical Support: http://www.cisco.com/techsupport - Copyright (c) 1986-2014 by Cisco Systems, Inc. - Compiled Fri 12-Sep-14 10:45 by prod_rel_team - - ROM: System Bootstrap, Version 12.3(8r)T7, RELEASE SOFTWARE (fc1) - -Use this configuration on your Cisco device: +spoke01 +^^^^^^^ .. code-block:: none + Current configuration : 1773 bytes + ! + ! Last configuration change at 14:46:27 UTC Sun Nov 15 2020 + upgrade fpd auto + version 15.1 + service timestamps debug datetime msec + service timestamps log datetime msec + no service password-encryption + ! + hostname spoke01 + ! + boot-start-marker + boot-end-marker + ! + ! + ! + no aaa new-model + ! + ip source-route + ip cef + ! + ! + ! + ! + ! + no ipv6 cef + ! + multilink bundle-name authenticated + ! + ! + ! + ! + ! + ! + ! crypto pki token default removal timeout 0 + ! + ! + ! + redundancy + ! + ! + ! 
crypto keyring DMVPN - pre-shared-key address 198.51.100.2 key + pre-shared-key address 192.0.2.1 key secret ! crypto isakmp policy 10 encr aes 256 authentication pre-share group 2 - ! crypto isakmp invalid-spi-recovery crypto isakmp keepalive 30 30 periodic crypto isakmp profile DMVPN keyring DMVPN - match identity address 203.0.113.44 255.255.255.255 + match identity address 192.0.2.1 255.255.255.255 + ! ! crypto ipsec transform-set DMVPN-AES256 esp-aes 256 esp-sha-hmac mode transport @@ -93,17 +149,66 @@ Use this configuration on your Cisco device: set transform-set DMVPN-AES256 set isakmp-profile DMVPN ! + ! + ! + ! + ! + ! interface Tunnel10 description Tunnel to DMVPN HUB ip address 172.16.253.129 255.255.255.248 no ip redirects - ip nhrp authentication - ip nhrp map multicast 203.0.113.44 - ip nhrp map 172.16.253.134 203.0.113.44 + ip nhrp authentication secret + ip nhrp map 172.16.253.134 192.0.2.1 + ip nhrp map multicast 192.0.2.1 ip nhrp network-id 1 ip nhrp holdtime 600 ip nhrp nhs 172.16.253.134 ip nhrp registration timeout 75 - tunnel source Dialer1 + tunnel source FastEthernet0/0 tunnel mode gre multipoint tunnel key 1 + ! + interface FastEthernet0/0 + ip address dhcp + duplex half + ! + interface FastEthernet1/0 + no ip address + shutdown + duplex half + ! + ip forward-protocol nd + no ip http server + no ip http secure-server + ! + ! + ! + ! + ! + ! + ! + ! + ! + control-plane + ! + ! + ! + mgcp profile default + ! + ! + ! + gatekeeper + shutdown + ! + ! + line con 0 + stopbits 1 + line aux 0 + stopbits 1 + line vty 0 4 + login + transport input all + ! + end + diff --git a/docs/vpn/dmvpn.rst b/docs/vpn/dmvpn.rst index c4f53a72..9ca28b3c 100644 --- a/docs/vpn/dmvpn.rst +++ b/docs/vpn/dmvpn.rst 
@@ -1,17 +1,17 @@ .. _vpn-dmvpn: +##### DMVPN ------ +##### -**D** ynamic **M** ultipoint **V** irtual **P** rivate **N** etworking +:abbr:`DMVPN (Dynamic Multipoint Virtual Private Network)` is a dynamic +:abbr:`VPN (Virtual Private Network)` technology originally developed by Cisco. +While their implementation was somewhat proprietary, the underlying technologies +are actually standards based. The three technologies are: -DMVPN is a dynamic VPN technology originally developed by Cisco. While their -implementation was somewhat proprietary, the underlying technologies are -actually standards based. The three technologies are: - -* **NHRP** - NBMA Next Hop Resolution Protocol :rfc:`2332` -* **mGRE** - Multipoint Generic Routing Encapsulation / mGRE :rfc:`1702` -* **IPSec** - IP Security (too many RFCs to list, but start with :rfc:`4301`) +* :abbr:`NHRP (Next Hop Resolution Protocol)` :rfc:`2332` +* :abbr:`mGRE (Multipoint Generic Routing Encapsulation)` :rfc:`1702` +* :abbr:`IPSec (IP Security)` - too many RFCs to list, but start with :rfc:`4301` NHRP provides the dynamic tunnel endpoint discovery mechanism (endpoint registration, and endpoint discovery/lookup), mGRE provides the tunnel -- cgit v1.2.3 From 8a3147fca5aa6e1623a09d3ce120886463006418 Mon Sep 17 00:00:00 2001 From: Christian Poessinger Date: Sun, 15 Nov 2020 20:10:57 +0100 Subject: vpn: dmvpn: move example from blueprints to the dmvpn chapter --- docs/appendix/examples/dmvpn.rst | 173 ----------- docs/appendix/examples/index.rst | 2 - docs/vpn/dmvpn.rst | 654 +++++++++++++++++---------------------- docs/vpn/gre-ipsec.rst | 190 ------------ docs/vpn/index.rst | 4 +- docs/vpn/ipsec.rst | 191 ++++++++++++ 6 files changed, 480 insertions(+), 734 deletions(-) delete mode 100644 docs/appendix/examples/dmvpn.rst delete mode 100644 docs/vpn/gre-ipsec.rst create mode 100644 docs/vpn/ipsec.rst (limited to 'docs/vpn') 
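Review bot: in the Hub hunk `@@ -4,28 +4,49 @@` of commit baf330c, `cisco-authentication 'secret'` and, in the `@@ -43,47 +64,82 @@` hunk, `pre-shared-secret 'secret'` and `pre-shared-key address 192.0.2.1 key secret` fill the former placeholders with a literal that readers will copy; an obviously marked placeholder such as `<nhrp-secret>` / `<psk>` keeps lab values out of production. `The lab was build using` should read `was built using`. The example also keeps IKE proposal 2 (`dh-group '2'`, `aes128`, `sha1`) and, in the context lines, ESP proposal 2 (`3des`/`md5`) even though the spoke configuration added in this same commit offers only `encr aes 256` with `group 2` for ISAKMP and `esp-aes 256 esp-sha-hmac` for ESP, so proposal 2 is never selected and only widens what the hub will accept; drop it.

Review bot: in the `@@ -43,47 +64,82 @@` hunk, the Cisco transform set stays in `mode transport` (context line) while the hub's `esp-group ESP-HUB mode 'tunnel'` line in the first hunk is also unchanged; GRE-over-IPsec with NHRP works with either, but both peers must negotiate the same encapsulation mode, so one side should change or the text should state which mode the lab actually negotiated. The spoke listing in the `@@ -93,17 +149,66 @@` hunk is a full `show running-config` dump (`Current configuration : 1773 bytes`, runs of bare `!`, `mgcp profile default`, `gatekeeper`, `line vty 0 4` with `transport input all`, `ip http` statements); trimming it to the `crypto`, `interface Tunnel10` and `interface FastEthernet0/0` stanzas keeps the example to what DMVPN needs and stops readers reproducing unrelated platform defaults.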
diff --git a/docs/appendix/examples/dmvpn.rst b/docs/appendix/examples/dmvpn.rst deleted file mode 100644 index 05e7c73a..00000000 --- a/docs/appendix/examples/dmvpn.rst +++ /dev/null 
@@ -1,173 +0,0 @@ -.. _examples-dmvpn: - -######### -DMVPN Hub -######### - -******** -Overview -******** - -General information can be found in the :ref:`vpn-dmvpn` chapter. - -This blueprint uses VyOS as the DMVPN Hub and Cisco (7206VXR) as multiple -spokes. The lab was build using :abbr:`EVE-NG (Emulated Virtual Environment NG)`. - -.. figure:: /_static/images/blueprint-dmvpn.png - :alt: DMVPN network - -Each node (Hub and Spoke) uses an IP address from the network 172.16.253.128/29. - -The below referenced IP address `192.0.2.1` is used as example address -representing a global unicast address under which the HUB can be contacted by -each and every individual spoke. - -************* -Configuration -************* - -Hub -=== - -.. code-block:: none - - set interfaces ethernet eth0 address 192.0.2.1/24 - - set interfaces tunnel tun100 address '172.16.253.134/29' - set interfaces tunnel tun100 encapsulation 'gre' - set interfaces tunnel tun100 local-ip '192.0.2.1' - set interfaces tunnel tun100 multicast 'enable' - set interfaces tunnel tun100 parameters ip key '1' - - set protocols nhrp tunnel tun100 cisco-authentication 'secret' - set protocols nhrp tunnel tun100 holding-time '300' - set protocols nhrp tunnel tun100 multicast 'dynamic' - set protocols nhrp tunnel tun100 redirect - set protocols nhrp tunnel tun100 shortcut - - set vpn ipsec esp-group ESP-HUB compression 'disable' - set vpn ipsec esp-group ESP-HUB lifetime '1800' - set vpn ipsec esp-group ESP-HUB mode 'tunnel' - set vpn ipsec esp-group ESP-HUB pfs 'dh-group2' - set vpn ipsec esp-group ESP-HUB proposal 1 encryption 'aes256' - set vpn ipsec esp-group ESP-HUB proposal 1 hash 'sha1' - set vpn ipsec esp-group ESP-HUB proposal 2 encryption '3des' - set vpn ipsec esp-group ESP-HUB proposal 2 hash 'md5' - set vpn ipsec ike-group IKE-HUB ikev2-reauth 'no' - set vpn ipsec ike-group IKE-HUB key-exchange 'ikev1' - set vpn ipsec ike-group IKE-HUB lifetime '3600' - set vpn ipsec ike-group IKE-HUB proposal 1 
dh-group '2' - set vpn ipsec ike-group IKE-HUB proposal 1 encryption 'aes256' - set vpn ipsec ike-group IKE-HUB proposal 1 hash 'sha1' - set vpn ipsec ike-group IKE-HUB proposal 2 dh-group '2' - set vpn ipsec ike-group IKE-HUB proposal 2 encryption 'aes128' - set vpn ipsec ike-group IKE-HUB proposal 2 hash 'sha1' - - set vpn ipsec ipsec-interfaces interface 'eth0' - - set vpn ipsec profile NHRPVPN authentication mode 'pre-shared-secret' - set vpn ipsec profile NHRPVPN authentication pre-shared-secret 'secret' - set vpn ipsec profile NHRPVPN bind tunnel 'tun100' - set vpn ipsec profile NHRPVPN esp-group 'ESP-HUB' - set vpn ipsec profile NHRPVPN ike-group 'IKE-HUB' - -Spoke -===== - -The individual spoke configurations only differ in the local IP address on the -``tun10`` interface. See the above diagram for the individual IP addresses. - -spoke01 -------- - -.. code-block:: none - - crypto keyring DMVPN - pre-shared-key address 192.0.2.1 key secret - ! - crypto isakmp policy 10 - encr aes 256 - authentication pre-share - group 2 - crypto isakmp invalid-spi-recovery - crypto isakmp keepalive 30 30 periodic - crypto isakmp profile DMVPN - keyring DMVPN - match identity address 192.0.2.1 255.255.255.255 - ! - crypto ipsec transform-set DMVPN-AES256 esp-aes 256 esp-sha-hmac - mode transport - ! - crypto ipsec profile DMVPN - set security-association idle-time 720 - set transform-set DMVPN-AES256 - set isakmp-profile DMVPN - ! - interface Tunnel10 - description Tunnel to DMVPN HUB - ip address 172.16.253.129 255.255.255.248 - no ip redirects - ip nhrp authentication secret - ip nhrp map 172.16.253.134 192.0.2.1 - ip nhrp map multicast 192.0.2.1 - ip nhrp network-id 1 - ip nhrp holdtime 600 - ip nhrp nhs 172.16.253.134 - ip nhrp registration timeout 75 - tunnel source FastEthernet0/0 - tunnel mode gre multipoint - tunnel key 1 - ! - interface FastEthernet0/0 - ip address dhcp - duplex half - - -spoke05 -------- - -VyOS can also run in DMVPN spoke mode. - -.. 
code-block:: none - - set interfaces ethernet eth0 address 'dhcp' - - set interfaces tunnel tun100 address '172.16.253.133/29' - set interfaces tunnel tun100 dhcp-interface 'eth0' - set interfaces tunnel tun100 encapsulation 'gre' - set interfaces tunnel tun100 multicast 'enable' - set interfaces tunnel tun100 parameters ip key '1' - - set protocols nhrp tunnel tun100 cisco-authentication 'secret' - set protocols nhrp tunnel tun100 holding-time '300' - set protocols nhrp tunnel tun100 map 172.16.253.134/29 nbma-address '92.0.2.1' - set protocols nhrp tunnel tun100 map 172.16.253.134/29 register - set protocols nhrp tunnel tun100 multicast 'dynamic' - - set vpn ipsec esp-group ESP-HUB compression 'disable' - set vpn ipsec esp-group ESP-HUB lifetime '1800' - set vpn ipsec esp-group ESP-HUB mode 'tunnel' - set vpn ipsec esp-group ESP-HUB pfs 'dh-group2' - set vpn ipsec esp-group ESP-HUB proposal 1 encryption 'aes256' - set vpn ipsec esp-group ESP-HUB proposal 1 hash 'sha1' - set vpn ipsec esp-group ESP-HUB proposal 2 encryption '3des' - set vpn ipsec esp-group ESP-HUB proposal 2 hash 'md5' - set vpn ipsec ike-group IKE-HUB close-action 'none' - set vpn ipsec ike-group IKE-HUB ikev2-reauth 'no' - set vpn ipsec ike-group IKE-HUB key-exchange 'ikev1' - set vpn ipsec ike-group IKE-HUB lifetime '3600' - set vpn ipsec ike-group IKE-HUB proposal 1 dh-group '2' - set vpn ipsec ike-group IKE-HUB proposal 1 encryption 'aes256' - set vpn ipsec ike-group IKE-HUB proposal 1 hash 'sha1' - set vpn ipsec ike-group IKE-HUB proposal 2 dh-group '2' - set vpn ipsec ike-group IKE-HUB proposal 2 encryption 'aes128' - set vpn ipsec ike-group IKE-HUB proposal 2 hash 'sha1' - - set vpn ipsec ipsec-interfaces interface 'eth0' - - set vpn ipsec profile NHRPVPN authentication mode 'pre-shared-secret' - set vpn ipsec profile NHRPVPN authentication pre-shared-secret 'secret' - set vpn ipsec profile NHRPVPN bind tunnel 'tun100' - set vpn ipsec profile NHRPVPN esp-group 'ESP-HUB' - set vpn ipsec 
profile NHRPVPN ike-group 'IKE-HUB' - diff --git a/docs/appendix/examples/index.rst b/docs/appendix/examples/index.rst index 58251378..b2f7bfde 100644 --- a/docs/appendix/examples/index.rst +++ b/docs/appendix/examples/index.rst @@ -5,11 +5,9 @@ Configuration Blueprints This chapter contains various configuration examples: - .. toctree:: :maxdepth: 2 - dmvpn dhcp-relay-through-gre-bridge zone-policy bgp-ipv6-unnumbered diff --git a/docs/vpn/dmvpn.rst b/docs/vpn/dmvpn.rst index 9ca28b3c..1a6bdd64 100644 --- a/docs/vpn/dmvpn.rst +++ b/docs/vpn/dmvpn.rst @@ -6,8 +6,8 @@ DMVPN :abbr:`DMVPN (Dynamic Multipoint Virtual Private Network)` is a dynamic :abbr:`VPN (Virtual Private Network)` technology originally developed by Cisco. -While their implementation was somewhat proprietary, the underlying technologies -are actually standards based. The three technologies are: +While their implementation was somewhat proprietary, the underlying +technologies are actually standards based. The three technologies are: * :abbr:`NHRP (Next Hop Resolution Protocol)` :rfc:`2332` * :abbr:`mGRE (Multipoint Generic Routing Encapsulation)` :rfc:`1702` 
@@ -26,390 +26,310 @@ peers. complete solution also incorporates the use of a routing protocol. BGP is particularly well suited for use with DMVPN. -Baseline Configuration: - -**STEPS:** - -#. Create tunnel config (`interfaces tunnel`) -#. Create nhrp (`protocols nhrp`) -#. Create ipsec vpn (optional, but recommended for security) (`vpn ipsec`) - -The tunnel will be set to mGRE if for encapsulation `gre` is set, and no -`remote-ip` is set. If the public ip is provided by DHCP the tunnel `local-ip` -can be set to "0.0.0.0". If you do set the `remote-ip` directive at any point, the interface will need to be `delete`'d from the config and recreated without the `remote-ip` config ever being set. - .. figure:: ../_static/images/vpn_dmvpn_topology01.png :scale: 40 % :alt: Baseline DMVPN topology Baseline DMVPN topology -HUB Configuration -^^^^^^^^^^^^^^^^^ +************* +Configuration +************* -.. code-block:: none +* Please refer to the :ref:`tunnel-interface` documentation for the individual + tunnel related options. - interfaces - tunnel { - address - encapsulation gre - local-ip - multicast enable - description - parameters { - ip { - - } - } - } - } - protocols { - nhrp { - tunnel { - cisco-authentication - holding-time - multicast dynamic - redirect - } - } - } - vpn { - ipsec { - esp-group { - lifetime <30-86400> - mode tunnel - pfs enable - proposal <1-65535> { - encryption aes256 - hash sha1 - } - proposal <1-65535> { - encryption 3des - hash md5 - } - } - ike-group { - key-exchange ikev1 - lifetime <30-86400> - proposal <1-65535> { - encryption aes256 - hash sha1 - } - proposal <1-65535> { - encryption aes128 - hash sha1 - } - } - ipsec-interfaces { - interface - } - profile { - authentication { - mode pre-shared-secret - pre-shared-secret - } - bind { - tunnel - } - esp-group - ike-group - } - } - } - -HUB Example Configuration: +* Please refer to the :ref:`ipsec` documentation for the individual IPSec + related options. -.. code-block:: none +.. 
cfgcmd:: set protocols nhrp tunnel cisco-authentication - set interfaces ethernet eth0 address '198.51.100.41/30' - set interfaces ethernet eth1 address '192.168.1.1/24' - set system host-name 'HUB' - - set interfaces tunnel tun0 address 10.0.0.1/24 - set interfaces tunnel tun0 encapsulation gre - set interfaces tunnel tun0 local-ip 198.51.100.41 - set interfaces tunnel tun0 multicast enable - set interfaces tunnel tun0 parameters ip key 1 - - set protocols nhrp tunnel tun0 cisco-authentication SECRET - set protocols nhrp tunnel tun0 holding-time 300 - set protocols nhrp tunnel tun0 multicast dynamic - set protocols nhrp tunnel tun0 redirect - - set vpn ipsec ipsec-interfaces interface eth0 - set vpn ipsec ike-group IKE-HUB proposal 1 - set vpn ipsec ike-group IKE-HUB proposal 1 encryption aes256 - set vpn ipsec ike-group IKE-HUB proposal 1 hash sha1 - set vpn ipsec ike-group IKE-HUB proposal 2 encryption aes128 - set vpn ipsec ike-group IKE-HUB proposal 2 hash sha1 - set vpn ipsec ike-group IKE-HUB lifetime 3600 - set vpn ipsec esp-group ESP-HUB proposal 1 encryption aes256 - set vpn ipsec esp-group ESP-HUB proposal 1 hash sha1 - set vpn ipsec esp-group ESP-HUB proposal 2 encryption 3des - set vpn ipsec esp-group ESP-HUB proposal 2 hash md5 - set vpn ipsec esp-group ESP-HUB lifetime 1800 - set vpn ipsec esp-group ESP-HUB pfs dh-group2 - - set vpn ipsec profile NHRPVPN - set vpn ipsec profile NHRPVPN authentication mode pre-shared-secret - set vpn ipsec profile NHRPVPN authentication pre-shared-secret SECRET - set vpn ipsec profile NHRPVPN bind tunnel tun0 - set vpn ipsec profile NHRPVPN esp-group ESP-HUB - set vpn ipsec profile NHRPVPN ike-group IKE-HUB - - set protocols static route 0.0.0.0/0 next-hop 1.1.1.2 - set protocols static route 192.168.2.0/24 next-hop 10.0.0.2 - set protocols static route 192.168.3.0/24 next-hop 10.0.0.3 - -HUB on AWS Configuration Specifics -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - -Setting this up on AWS will require a "Custom Protocol 
Rule" for protocol number "47" (GRE) Allow Rule in TWO places. Firstly on the VPC Network ACL, and secondly on the security group network ACL attached to the EC2 instance. This has been tested as working for the official AMI image on the AWS Marketplace. (Locate the correct VPC and security group by navigating through the details pane below your EC2 instance in the AWS console) - -SPOKE Configuration -^^^^^^^^^^^^^^^^^^^ - -SPOKE1 Configuration: + Enables Cisco style authentication on NHRP packets. This embeds the secret + plaintext password to the outgoing NHRP packets. Incoming NHRP packets on + this interface are discarded unless the secret password is present. Maximum + length of the secret is 8 characters. -.. code-block:: none +.. cfgcmd:: set protocols nhrp tunnel dynamic-map
+ nbma-domain-name + + Specifies that the :abbr:`NBMA (Non-broadcast multiple-access network)` + addresses of the next hop servers are defined in the domain name + nbma-domain-name. For each A record opennhrp creates a dynamic NHS entry. + + Each dynamic NHS will get a peer entry with the configured network address + and the discovered NBMA address. + + The first registration request is sent to the protocol broadcast address, and + the server's real protocol address is dynamically detected from the first + registration reply. + +.. cfgcmd:: set protocols nhrp tunnel holding-time + + Specifies the holding time for NHRP Registration Requests and Resolution + Replies sent from this interface or shortcut-target. The holdtime is specified + in seconds and defaults to two hours. + +.. cfgcmd:: set protocols nhrp tunnel map cisco + + If the statically mapped peer is running Cisco IOS, specify the cisco keyword. + It is used to fix statically the Registration Request ID so that a matching + Purge Request can be sent if NBMA address has changed. This is to work around + broken IOS which requires Purge Request ID to match the original Registration + Request ID. + +.. cfgcmd:: set protocols nhrp tunnel map nbma-address
+ + Creates static peer mapping of protocol-address to :abbr:`NBMA (Non-broadcast + multiple-access network)` address. + + If the IP prefix mask is present, it directs opennhrp to use this peer as a + next hop server when sending Resolution Requests matching this subnet. + + This is also known as the HUBs IP address or FQDN. + +.. cfgcmd:: set protocols nhrp tunnel map register + + The optional parameter register specifies that Registration Request should be + sent to this peer on startup. + + This option is required when running a DMVPN spoke. + +.. cfgcmd:: set protocols nhrp tunnel multicast + + Determines how opennhrp daemon should soft switch the multicast traffic. + Currently, multicast traffic is captured by opennhrp daemon using a packet + socket, and resent back to proper destinations. This means that multicast + packet sending is CPU intensive. + + Specfying nhs makes all multicast packets to be repeated to each statically + configured next hop. + + Synamic instructs to forward to all peers which we have a direct connection + with. Alternatively, you can specify the directive multiple times for each + protocol-address the multicast traffic should be sent to. + + .. warning:: It is very easy to misconfigure multicast repeating if you have + multiple NHSes. + +.. 
cfgcmd:: set protocols nhrp tunnel non-caching - interfaces - tunnel { - address - encapsulation gre - local-ip - multicast enable - description - parameters { - ip { - - } - } - } - } - protocols { - nhrp { - tunnel { - cisco-authentication - map { - nbma-address - register - } - holding-time - multicast nhs - redirect - shortcut - } - } - } - vpn { - ipsec { - esp-group { - lifetime <30-86400> - mode tunnel - pfs enable - proposal <1-65535> { - encryption aes256 - hash sha1 - } - proposal <1-65535> { - encryption 3des - hash md5 - } - } - ike-group { - key-exchange ikev1 - lifetime <30-86400> - proposal <1-65535> { - encryption aes256 - hash sha1 - } - proposal <1-65535> { - encryption aes128 - hash sha1 - } - } - ipsec-interfaces { - interface - } - profile { - authentication { - mode pre-shared-secret - pre-shared-secret - } - bind { - tunnel - } - esp-group - ike-group - } - } - } - -SPOKE1 Example Configuration + Disables caching of peer information from forwarded NHRP Resolution Reply + packets. This can be used to reduce memory consumption on big NBMA subnets. + + .. note:: Currently does not do much as caching is not implemented. + +.. cfgcmd:: set protocols nhrp tunnel redirect + + Enable sending of Cisco style NHRP Traffic Indication packets. If this is + enabled and opennhrp detects a forwarded packet, it will send a message to + the original sender of the packet instructing it to create a direct connection + with the destination. This is basically a protocol independent equivalent of + ICMP redirect. + +.. cfgcmd:: set protocols nhrp tunnel shortcut + + Enable creation of shortcut routes. + + A received NHRP Traffic Indication will trigger the resolution and + establishment of a shortcut route. + +.. cfgcmd:: set protocols nhrp tunnel shortcut-destination + + This instructs opennhrp to reply with authorative answers on NHRP Resolution + Requests destinied to addresses in this interface (instead of forwarding the + packets). 
This effectively allows the creation of shortcut routes to subnets + located on the interface. + + When specified, this should be the only keyword for the interface. + +.. cfgcmd:: set protocols nhrp tunnel shortcut-target
+ + Defines an off-NBMA network prefix for which the GRE interface will act as a + gateway. This an alternative to defining local interfaces with + shortcut-destination flag. + +.. cfgcmd:: set protocols nhrp tunnel shortcut-target
+ holding-time + + Specifies the holding time for NHRP Registration Requests and Resolution + Replies sent from this interface or shortcut-target. The holdtime is specified + in seconds and defaults to two hours. + +******* +Example +******* + + +This blueprint uses VyOS as the DMVPN Hub and Cisco (7206VXR) and VyOS as +multiple spoke sites. The lab was build using :abbr:`EVE-NG (Emulated Virtual +Environment NG)`. + +.. figure:: /_static/images/blueprint-dmvpn.png + :alt: DMVPN network + + DMVPN example network + +Each node (Hub and Spoke) uses an IP address from the network 172.16.253.128/29. + +The below referenced IP address `192.0.2.1` is used as example address +representing a global unicast address under which the HUB can be contacted by +each and every individual spoke. + +Configuration +============= + +Hub +--- .. code-block:: none - set interfaces ethernet eth0 address 'dhcp' - set interfaces ethernet eth1 address '192.168.2.1/24' - set system host-name 'SPOKE1' - - set interfaces tunnel tun0 address 10.0.0.2/24 - set interfaces tunnel tun0 encapsulation gre - set interfaces tunnel tun0 local-ip 0.0.0.0 - set interfaces tunnel tun0 multicast enable - set interfaces tunnel tun0 parameters ip key 1 - - set protocols nhrp tunnel tun0 cisco-authentication 'SECRET' - set protocols nhrp tunnel tun0 map 10.0.0.1/24 nbma-address 198.51.100.41 - set protocols nhrp tunnel tun0 map 10.0.0.1/24 'register' - set protocols nhrp tunnel tun0 multicast 'nhs' - set protocols nhrp tunnel tun0 'redirect' - set protocols nhrp tunnel tun0 'shortcut' - - set vpn ipsec ipsec-interfaces interface eth0 - set vpn ipsec ike-group IKE-SPOKE proposal 1 - set vpn ipsec ike-group IKE-SPOKE proposal 1 encryption aes256 - set vpn ipsec ike-group IKE-SPOKE proposal 1 hash sha1 - set vpn ipsec ike-group IKE-SPOKE proposal 2 encryption aes128 - set vpn ipsec ike-group IKE-SPOKE proposal 2 hash sha1 - set vpn ipsec ike-group IKE-SPOKE lifetime 3600 - set vpn ipsec esp-group ESP-SPOKE 
proposal 1 encryption aes256 - set vpn ipsec esp-group ESP-SPOKE proposal 1 hash sha1 - set vpn ipsec esp-group ESP-SPOKE proposal 2 encryption 3des - set vpn ipsec esp-group ESP-SPOKE proposal 2 hash md5 - set vpn ipsec esp-group ESP-SPOKE lifetime 1800 - set vpn ipsec esp-group ESP-SPOKE pfs dh-group2 - - set vpn ipsec profile NHRPVPN - set vpn ipsec profile NHRPVPN authentication mode pre-shared-secret - set vpn ipsec profile NHRPVPN authentication pre-shared-secret SECRET - set vpn ipsec profile NHRPVPN bind tunnel tun0 - set vpn ipsec profile NHRPVPN esp-group ESP-SPOKE - set vpn ipsec profile NHRPVPN ike-group IKE-SPOKE - - set protocols static route 192.168.1.0/24 next-hop 10.0.0.1 - set protocols static route 192.168.3.0/24 next-hop 10.0.0.3 - - -SPOKE2 Configuration + set interfaces ethernet eth0 address 192.0.2.1/24 + + set interfaces tunnel tun100 address '172.16.253.134/29' + set interfaces tunnel tun100 encapsulation 'gre' + set interfaces tunnel tun100 local-ip '192.0.2.1' + set interfaces tunnel tun100 multicast 'enable' + set interfaces tunnel tun100 parameters ip key '1' + + set protocols nhrp tunnel tun100 cisco-authentication 'secret' + set protocols nhrp tunnel tun100 holding-time '300' + set protocols nhrp tunnel tun100 multicast 'dynamic' + set protocols nhrp tunnel tun100 redirect + set protocols nhrp tunnel tun100 shortcut + + set vpn ipsec esp-group ESP-HUB compression 'disable' + set vpn ipsec esp-group ESP-HUB lifetime '1800' + set vpn ipsec esp-group ESP-HUB mode 'tunnel' + set vpn ipsec esp-group ESP-HUB pfs 'dh-group2' + set vpn ipsec esp-group ESP-HUB proposal 1 encryption 'aes256' + set vpn ipsec esp-group ESP-HUB proposal 1 hash 'sha1' + set vpn ipsec esp-group ESP-HUB proposal 2 encryption '3des' + set vpn ipsec esp-group ESP-HUB proposal 2 hash 'md5' + set vpn ipsec ike-group IKE-HUB ikev2-reauth 'no' + set vpn ipsec ike-group IKE-HUB key-exchange 'ikev1' + set vpn ipsec ike-group IKE-HUB lifetime '3600' + set vpn ipsec ike-group 
IKE-HUB proposal 1 dh-group '2' + set vpn ipsec ike-group IKE-HUB proposal 1 encryption 'aes256' + set vpn ipsec ike-group IKE-HUB proposal 1 hash 'sha1' + set vpn ipsec ike-group IKE-HUB proposal 2 dh-group '2' + set vpn ipsec ike-group IKE-HUB proposal 2 encryption 'aes128' + set vpn ipsec ike-group IKE-HUB proposal 2 hash 'sha1' + + set vpn ipsec ipsec-interfaces interface 'eth0' + + set vpn ipsec profile NHRPVPN authentication mode 'pre-shared-secret' + set vpn ipsec profile NHRPVPN authentication pre-shared-secret 'secret' + set vpn ipsec profile NHRPVPN bind tunnel 'tun100' + set vpn ipsec profile NHRPVPN esp-group 'ESP-HUB' + set vpn ipsec profile NHRPVPN ike-group 'IKE-HUB' + +.. note:: Setting this up on AWS will require a "Custom Protocol Rule" for + protocol number "47" (GRE) Allow Rule in TWO places. Firstly on the VPC + Network ACL, and secondly on the security group network ACL attached to the + EC2 instance. This has been tested as working for the official AMI image on + the AWS Marketplace. (Locate the correct VPC and security group by navigating + through the details pane below your EC2 instance in the AWS console). + +Spoke +----- + +The individual spoke configurations only differ in the local IP address on the +``tun10`` interface. See the above diagram for the individual IP addresses. + +spoke01-spoke04 +^^^^^^^^^^^^^^^ .. 
code-block:: none - interfaces - tunnel { - address - encapsulation gre - local-ip - multicast enable - description - parameters { - ip { - - } - } - } - } - protocols { - nhrp { - tunnel { - cisco-authentication - map { - nbma-address - register - } - holding-time - multicast nhs - redirect - shortcut - } - } - } - vpn { - ipsec { - esp-group { - lifetime <30-86400> - mode tunnel - pfs enable - proposal <1-65535> { - encryption aes256 - hash sha1 - } - proposal <1-65535> { - encryption 3des - hash md5 - } - } - ike-group { - key-exchange ikev1 - lifetime <30-86400> - proposal <1-65535> { - encryption aes256 - hash sha1 - } - proposal <1-65535> { - encryption aes128 - hash sha1 - } - } - ipsec-interfaces { - interface - } - profile { - authentication { - mode pre-shared-secret - pre-shared-secret - } - bind { - tunnel - } - esp-group - ike-group - } - } - } - -SPOKE2 Example Configuration + crypto keyring DMVPN + pre-shared-key address 192.0.2.1 key secret + ! + crypto isakmp policy 10 + encr aes 256 + authentication pre-share + group 2 + crypto isakmp invalid-spi-recovery + crypto isakmp keepalive 30 30 periodic + crypto isakmp profile DMVPN + keyring DMVPN + match identity address 192.0.2.1 255.255.255.255 + ! + crypto ipsec transform-set DMVPN-AES256 esp-aes 256 esp-sha-hmac + mode transport + ! + crypto ipsec profile DMVPN + set security-association idle-time 720 + set transform-set DMVPN-AES256 + set isakmp-profile DMVPN + ! + interface Tunnel10 + ! individual spoke tunnel IP must change + ip address 172.16.253.129 255.255.255.248 + no ip redirects + ip nhrp authentication secret + ip nhrp map 172.16.253.134 192.0.2.1 + ip nhrp map multicast 192.0.2.1 + ip nhrp network-id 1 + ip nhrp holdtime 600 + ip nhrp nhs 172.16.253.134 + ip nhrp registration timeout 75 + tunnel source FastEthernet0/0 + tunnel mode gre multipoint + tunnel key 1 + ! + interface FastEthernet0/0 + ip address dhcp + duplex half + + +spoke05 +^^^^^^^ + +VyOS can also run in DMVPN spoke mode. 
.. code-block:: none set interfaces ethernet eth0 address 'dhcp' - set interfaces ethernet eth1 address '192.168.3.1/24' - set system host-name 'SPOKE2' - - set interfaces tunnel tun0 address 10.0.0.3/24 - set interfaces tunnel tun0 encapsulation gre - set interfaces tunnel tun0 local-ip 0.0.0.0 - set interfaces tunnel tun0 multicast enable - set interfaces tunnel tun0 parameters ip key 1 - - set protocols nhrp tunnel tun0 cisco-authentication SECRET - set protocols nhrp tunnel tun0 map 10.0.0.1/24 nbma-address 198.51.100.41 - set protocols nhrp tunnel tun0 map 10.0.0.1/24 register - set protocols nhrp tunnel tun0 multicast nhs - set protocols nhrp tunnel tun0 redirect - set protocols nhrp tunnel tun0 shortcut - - set vpn ipsec ipsec-interfaces interface eth0 - set vpn ipsec ike-group IKE-SPOKE proposal 1 - set vpn ipsec ike-group IKE-SPOKE proposal 1 encryption aes256 - set vpn ipsec ike-group IKE-SPOKE proposal 1 hash sha1 - set vpn ipsec ike-group IKE-SPOKE proposal 2 encryption aes128 - set vpn ipsec ike-group IKE-SPOKE proposal 2 hash sha1 - set vpn ipsec ike-group IKE-SPOKE lifetime 3600 - set vpn ipsec esp-group ESP-SPOKE proposal 1 encryption aes256 - set vpn ipsec esp-group ESP-SPOKE proposal 1 hash sha1 - set vpn ipsec esp-group ESP-SPOKE proposal 2 encryption 3des - set vpn ipsec esp-group ESP-SPOKE proposal 2 hash md5 - set vpn ipsec esp-group ESP-SPOKE lifetime 1800 - set vpn ipsec esp-group ESP-SPOKE pfs dh-group2 - - set vpn ipsec profile NHRPVPN - set vpn ipsec profile NHRPVPN authentication mode pre-shared-secret - set vpn ipsec profile NHRPVPN authentication pre-shared-secret SECRET - set vpn ipsec profile NHRPVPN bind tunnel tun0 - set vpn ipsec profile NHRPVPN esp-group ESP-SPOKE - set vpn ipsec profile NHRPVPN ike-group IKE-SPOKE - - set protocols static route 192.168.1.0/24 next-hop 10.0.0.1 - set protocols static route 192.168.2.0/24 next-hop 10.0.0.2 + + set interfaces tunnel tun100 address '172.16.253.133/29' + set interfaces tunnel tun100 
local-ip 0.0.0.0 + set interfaces tunnel tun100 encapsulation 'gre' + set interfaces tunnel tun100 multicast 'enable' + set interfaces tunnel tun100 parameters ip key '1' + + set protocols nhrp tunnel tun100 cisco-authentication 'secret' + set protocols nhrp tunnel tun100 holding-time '300' + set protocols nhrp tunnel tun100 map 172.16.253.134/29 nbma-address '92.0.2.1' + set protocols nhrp tunnel tun100 map 172.16.253.134/29 register + set protocols nhrp tunnel tun100 multicast 'nhs' + set protocols nhrp tunnel tun100 redirect + set protocols nhrp tunnel tun100 shortcut + + set vpn ipsec esp-group ESP-HUB compression 'disable' + set vpn ipsec esp-group ESP-HUB lifetime '1800' + set vpn ipsec esp-group ESP-HUB mode 'tunnel' + set vpn ipsec esp-group ESP-HUB pfs 'dh-group2' + set vpn ipsec esp-group ESP-HUB proposal 1 encryption 'aes256' + set vpn ipsec esp-group ESP-HUB proposal 1 hash 'sha1' + set vpn ipsec esp-group ESP-HUB proposal 2 encryption '3des' + set vpn ipsec esp-group ESP-HUB proposal 2 hash 'md5' + set vpn ipsec ike-group IKE-HUB close-action 'none' + set vpn ipsec ike-group IKE-HUB ikev2-reauth 'no' + set vpn ipsec ike-group IKE-HUB key-exchange 'ikev1' + set vpn ipsec ike-group IKE-HUB lifetime '3600' + set vpn ipsec ike-group IKE-HUB proposal 1 dh-group '2' + set vpn ipsec ike-group IKE-HUB proposal 1 encryption 'aes256' + set vpn ipsec ike-group IKE-HUB proposal 1 hash 'sha1' + set vpn ipsec ike-group IKE-HUB proposal 2 dh-group '2' + set vpn ipsec ike-group IKE-HUB proposal 2 encryption 'aes128' + set vpn ipsec ike-group IKE-HUB proposal 2 hash 'sha1' + + set vpn ipsec ipsec-interfaces interface 'eth0' + + set vpn ipsec profile NHRPVPN authentication mode 'pre-shared-secret' + set vpn ipsec profile NHRPVPN authentication pre-shared-secret 'secret' + set vpn ipsec profile NHRPVPN bind tunnel 'tun100' + set vpn ipsec profile NHRPVPN esp-group 'ESP-HUB' + set vpn ipsec profile NHRPVPN ike-group 'IKE-HUB' + + 
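Review bot: the spoke05 block of the `@@ -26,390 +26,310 @@` hunk carries a typo over from the deleted blueprint: `set protocols nhrp tunnel tun100 map 172.16.253.134/29 nbma-address '92.0.2.1'` points the NHS mapping and the `register` request at 92.0.2.1, a routable address outside the documentation range, while every other line in the example (hub `local-ip`, the Cisco `ip nhrp map` lines, the "below referenced IP address" sentence) uses `192.0.2.1`; change it to `nbma-address '192.0.2.1'`. Two smaller points in the same hunk: the Spoke intro says the spokes "only differ in the local IP address on the ``tun10`` interface", but the VyOS spoke uses `tun100` and the Cisco spokes `Tunnel10`, so name both; and both the hub and spoke05 keep an ESP `proposal 2` of `3des` / `md5` next to aes256 / sha1, which deserves a sentence saying it is a legacy fallback to remove once no peer needs it, because a peer offering only that combination will still be accepted. Spelling in the new cfgcmd text: "Specfying" should be "Specifying", "Synamic" should read "Dynamic", "authorative" should be "authoritative", "destinied" should be "destined", and "The lab was build" should be "was built"; the `holding-time` paragraph is also pasted twice, once under `set protocols nhrp tunnel holding-time` and once under `shortcut-target holding-time`.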
diff --git a/docs/vpn/gre-ipsec.rst b/docs/vpn/gre-ipsec.rst deleted file mode 100644 index 6d4bf1d0..00000000 --- a/docs/vpn/gre-ipsec.rst +++ /dev/null 
@@ -1,190 +0,0 @@ -.. _gre-ipsec: - -GRE/IPsec ---------- - -Generic Routing Encapsulation (GRE), GRE/IPsec (or IPIP/IPsec, SIT/IPsec, or any -other stateless tunnel protocol over IPsec) is the usual way to protect the -traffic inside a tunnel. - -An advantage of this scheme is that you get a real interface with its own -address, which makes it easier to setup static routes or use dynamic routing -protocols without having to modify IPsec policies. The other advantage is that -it greatly simplifies router to router communication, which can be tricky with -plain IPsec because the external outgoing address of the router usually doesn't -match the IPsec policy of typical site-to-site setup and you need to add special -configuration for it, or adjust the source address for outgoing traffic of your -applications. GRE/IPsec has no such problem and is completely transparent for -the applications. - -GRE/IPIP/SIT and IPsec are widely accepted standards, which make this scheme -easy to implement between VyOS and virtually any other router. - -For simplicity we'll assume that the protocol is GRE, it's not hard to guess -what needs to be changed to make it work with a different protocol. We assume -that IPsec will use pre-shared secret authentication and will use AES128/SHA1 -for the cipher and hash. Adjust this as necessary. - -.. NOTE:: VMware users should ensure that VMXNET3 adapters used, e1000 adapters - have known issue with GRE processing - -IPsec policy matching GRE -^^^^^^^^^^^^^^^^^^^^^^^^^ - -The first and arguably cleaner option is to make your IPsec policy match GRE -packets between external addresses of your routers. This is the best option if -both routers have static external addresses. - -Suppose the LEFT router has external address 192.0.2.10 on its eth0 interface, -and the RIGHT router is 203.0.113.45 - -On the LEFT: - -.. 
code-block:: none - - # GRE tunnel - set interfaces tunnel tun0 encapsulation gre - set interfaces tunnel tun0 local-ip 192.0.2.10 - set interfaces tunnel tun0 remote-ip 203.0.113.45 - set interfaces tunnel tun0 address 10.10.10.1/30 - - ## IPsec - set vpn ipsec ipsec-interfaces interface eth0 - - # IKE group - set vpn ipsec ike-group MyIKEGroup proposal 1 dh-group '2' - set vpn ipsec ike-group MyIKEGroup proposal 1 encryption 'aes128' - set vpn ipsec ike-group MyIKEGroup proposal 1 hash 'sha1' - - # ESP group - set vpn ipsec esp-group MyESPGroup proposal 1 encryption 'aes128' - set vpn ipsec esp-group MyESPGroup proposal 1 hash 'sha1' - - # IPsec tunnel - set vpn ipsec site-to-site peer 203.0.113.45 authentication mode pre-shared-secret - set vpn ipsec site-to-site peer 203.0.113.45 authentication pre-shared-secret MYSECRETKEY - - set vpn ipsec site-to-site peer 203.0.113.45 ike-group MyIKEGroup - set vpn ipsec site-to-site peer 203.0.113.45 default-esp-group MyESPGroup - - set vpn ipsec site-to-site peer 203.0.113.45 local-address 192.0.2.10 - - # This will match all GRE traffic to the peer - set vpn ipsec site-to-site peer 203.0.113.45 tunnel 1 protocol gre - -On the RIGHT, setup by analogy and swap local and remote addresses. - - -Source tunnel from loopbacks -^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - -The scheme above doesn't work when one of the routers has a dynamic external -address though. The classic workaround for this is to setup an address on a -loopback interface and use it as a source address for the GRE tunnel, then setup -an IPsec policy to match those loopback addresses. - -We assume that the LEFT router has static 192.0.2.10 address on eth0, and the -RIGHT router has a dynamic address on eth0. - -**Setting up the GRE tunnel** - -On the LEFT: - -.. 
code-block:: none - - set interfaces loopback lo address 192.168.99.1/32 - - set interfaces tunnel tun0 encapsulation gre - set interfaces tunnel tun0 address 10.10.10.1/30 - set interfaces tunnel tun0 local-ip 192.168.99.1 - set interfaces tunnel tun0 remote-ip 192.168.99.2 - -On the RIGHT: - -.. code-block:: none - - set interfaces loopback lo address 192.168.99.2/32 - - set interfaces tunnel tun0 encapsulation gre - set interfaces tunnel tun0 address 10.10.10.2/30 - set interfaces tunnel tun0 local-ip 192.168.99.2 - set interfaces tunnel tun0 remote-ip 192.168.99.1 - -**Setting up IPSec** - -However, now you need to make IPsec work with dynamic address on one side. The -tricky part is that pre-shared secret authentication doesn't work with dynamic -address, so we'll have to use RSA keys. - -First, on both routers run the operational command "generate vpn rsa-key bits -2048". You may choose different length than 2048 of course. - -.. code-block:: none - - vyos@left# run generate vpn rsa-key bits 2048 - Generating rsa-key to /config/ipsec.d/rsa-keys/localhost.key - - Your new local RSA key has been generated - The public portion of the key is: - - 0sAQO2335[long string here] - -Then on the opposite router, add the RSA key to your config. - -.. code-block:: none - - set vpn rsa-keys rsa-key-name LEFT rsa-key KEYGOESHERE - -Now you are ready to setup IPsec. You'll need to use an ID instead of address -for the peer on the dynamic side. - -On the LEFT (static address): - -.. 
code-block:: none - - set vpn rsa-keys rsa-key-name RIGHT rsa-key - - set vpn ipsec ipsec-interfaces interface eth0 - - set vpn ipsec esp-group MyESPGroup proposal 1 encryption aes128 - set vpn ipsec esp-group MyESPGroup proposal 1 hash sha1 - - set vpn ipsec ike-group MyIKEGroup proposal 1 dh-group 2 - set vpn ipsec ike-group MyIKEGroup proposal 1 encryption aes128 - set vpn ipsec ike-group MyIKEGroup proposal 1 hash sha1 - - set vpn ipsec site-to-site peer @RIGHT authentication mode rsa - set vpn ipsec site-to-site peer @RIGHT authentication rsa-key-name RIGHT - set vpn ipsec site-to-site peer @RIGHT default-esp-group MyESPGroup - set vpn ipsec site-to-site peer @RIGHT ike-group MyIKEGroup - set vpn ipsec site-to-site peer @RIGHT local-address 192.0.2.10 - set vpn ipsec site-to-site peer @RIGHT connection-type respond - set vpn ipsec site-to-site peer @RIGHT tunnel 1 local prefix 192.168.99.1/32 # Additional loopback address on the local - set vpn ipsec site-to-site peer @RIGHT tunnel 1 remote prefix 192.168.99.2/32 # Additional loopback address on the remote - - -On the RIGHT (dynamic address): - -.. 
code-block:: none - - set vpn rsa-keys rsa-key-name LEFT rsa-key - - set vpn ipsec ipsec-interfaces interface eth0 - - set vpn ipsec esp-group MyESPGroup proposal 1 encryption aes128 - set vpn ipsec esp-group MyESPGroup proposal 1 hash sha1 - - set vpn ipsec ike-group MyIKEGroup proposal 1 dh-group 2 - set vpn ipsec ike-group MyIKEGroup proposal 1 encryption aes128 - set vpn ipsec ike-group MyIKEGroup proposal 1 hash sha1 - - set vpn ipsec site-to-site peer 192.0.2.10 authentication id @RIGHT - set vpn ipsec site-to-site peer 192.0.2.10 authentication mode rsa - set vpn ipsec site-to-site peer 192.0.2.10 authentication rsa-key-name LEFT - set vpn ipsec site-to-site peer 192.0.2.10 remote-id @LEFT - set vpn ipsec site-to-site peer 192.0.2.10 connection-type initiate - set vpn ipsec site-to-site peer 192.0.2.10 default-esp-group MyESPGroup - set vpn ipsec site-to-site peer 192.0.2.10 ike-group MyIKEGroup - set vpn ipsec site-to-site peer 192.0.2.10 local-address any - set vpn ipsec site-to-site peer 192.0.2.10 tunnel 1 local prefix 192.168.99.2/32 # Additional loopback address on the local - set vpn ipsec site-to-site peer 192.0.2.10 tunnel 1 remote prefix 192.168.99.1/32 # Additional loopback address on the remote diff --git a/docs/vpn/index.rst b/docs/vpn/index.rst index 9ba31ae6..c208b3c0 100644 --- a/docs/vpn/index.rst +++ b/docs/vpn/index.rst @@ -8,11 +8,11 @@ VPN :maxdepth: 2 dmvpn - gre-ipsec + ipsec l2tp + openconnect openvpn pptp site2site_ipsec sstp wireguard - openconnect diff --git a/docs/vpn/ipsec.rst b/docs/vpn/ipsec.rst new file mode 100644 index 00000000..8b0ad3b3 --- /dev/null +++ b/docs/vpn/ipsec.rst 
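Review bot: Renaming the page from `gre-ipsec` to `ipsec` in the index.rst hunk leaves the toctree with both `ipsec` and `site2site_ipsec`, while the moved content (the deleted `.. _gre-ipsec:` file above) only covers GRE over IPsec; either keep a GRE-specific title or open the new page with a sentence that distinguishes it from the site-to-site page. The `gre-ipsec` label disappears with the file and this diff adds no alias, so check the docs for remaining `:ref:` targets to it before merging. Moving `openconnect` into alphabetical order is fine.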
@@ -0,0 +1,191 @@ +.. _ipsec: + +##### +IPsec +##### + +Generic Routing Encapsulation (GRE), GRE/IPsec (or IPIP/IPsec, SIT/IPsec, or any +other stateless tunnel protocol over IPsec) is the usual way to protect the +traffic inside a tunnel. + +An advantage of this scheme is that you get a real interface with its own +address, which makes it easier to setup static routes or use dynamic routing +protocols without having to modify IPsec policies. The other advantage is that +it greatly simplifies router to router communication, which can be tricky with +plain IPsec because the external outgoing address of the router usually doesn't +match the IPsec policy of typical site-to-site setup and you need to add special +configuration for it, or adjust the source address for outgoing traffic of your +applications. GRE/IPsec has no such problem and is completely transparent for +the applications. + +GRE/IPIP/SIT and IPsec are widely accepted standards, which make this scheme +easy to implement between VyOS and virtually any other router. + +For simplicity we'll assume that the protocol is GRE, it's not hard to guess +what needs to be changed to make it work with a different protocol. We assume +that IPsec will use pre-shared secret authentication and will use AES128/SHA1 +for the cipher and hash. Adjust this as necessary. + +.. NOTE:: VMware users should ensure that VMXNET3 adapters used, e1000 adapters + have known issue with GRE processing + +IPsec policy matching GRE +^^^^^^^^^^^^^^^^^^^^^^^^^ + +The first and arguably cleaner option is to make your IPsec policy match GRE +packets between external addresses of your routers. This is the best option if +both routers have static external addresses. + +Suppose the LEFT router has external address 192.0.2.10 on its eth0 interface, +and the RIGHT router is 203.0.113.45 + +On the LEFT: + +.. 
code-block:: none + + # GRE tunnel + set interfaces tunnel tun0 encapsulation gre + set interfaces tunnel tun0 local-ip 192.0.2.10 + set interfaces tunnel tun0 remote-ip 203.0.113.45 + set interfaces tunnel tun0 address 10.10.10.1/30 + + ## IPsec + set vpn ipsec ipsec-interfaces interface eth0 + + # IKE group + set vpn ipsec ike-group MyIKEGroup proposal 1 dh-group '2' + set vpn ipsec ike-group MyIKEGroup proposal 1 encryption 'aes128' + set vpn ipsec ike-group MyIKEGroup proposal 1 hash 'sha1' + + # ESP group + set vpn ipsec esp-group MyESPGroup proposal 1 encryption 'aes128' + set vpn ipsec esp-group MyESPGroup proposal 1 hash 'sha1' + + # IPsec tunnel + set vpn ipsec site-to-site peer 203.0.113.45 authentication mode pre-shared-secret + set vpn ipsec site-to-site peer 203.0.113.45 authentication pre-shared-secret MYSECRETKEY + + set vpn ipsec site-to-site peer 203.0.113.45 ike-group MyIKEGroup + set vpn ipsec site-to-site peer 203.0.113.45 default-esp-group MyESPGroup + + set vpn ipsec site-to-site peer 203.0.113.45 local-address 192.0.2.10 + + # This will match all GRE traffic to the peer + set vpn ipsec site-to-site peer 203.0.113.45 tunnel 1 protocol gre + +On the RIGHT, setup by analogy and swap local and remote addresses. + + +Source tunnel from loopbacks +^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +The scheme above doesn't work when one of the routers has a dynamic external +address though. The classic workaround for this is to setup an address on a +loopback interface and use it as a source address for the GRE tunnel, then setup +an IPsec policy to match those loopback addresses. + +We assume that the LEFT router has static 192.0.2.10 address on eth0, and the +RIGHT router has a dynamic address on eth0. + +**Setting up the GRE tunnel** + +On the LEFT: + +.. 
code-block:: none + + set interfaces loopback lo address 192.168.99.1/32 + + set interfaces tunnel tun0 encapsulation gre + set interfaces tunnel tun0 address 10.10.10.1/30 + set interfaces tunnel tun0 local-ip 192.168.99.1 + set interfaces tunnel tun0 remote-ip 192.168.99.2 + +On the RIGHT: + +.. code-block:: none + + set interfaces loopback lo address 192.168.99.2/32 + + set interfaces tunnel tun0 encapsulation gre + set interfaces tunnel tun0 address 10.10.10.2/30 + set interfaces tunnel tun0 local-ip 192.168.99.2 + set interfaces tunnel tun0 remote-ip 192.168.99.1 + +**Setting up IPSec** + +However, now you need to make IPsec work with dynamic address on one side. The +tricky part is that pre-shared secret authentication doesn't work with dynamic +address, so we'll have to use RSA keys. + +First, on both routers run the operational command "generate vpn rsa-key bits +2048". You may choose different length than 2048 of course. + +.. code-block:: none + + vyos@left# run generate vpn rsa-key bits 2048 + Generating rsa-key to /config/ipsec.d/rsa-keys/localhost.key + + Your new local RSA key has been generated + The public portion of the key is: + + 0sAQO2335[long string here] + +Then on the opposite router, add the RSA key to your config. + +.. code-block:: none + + set vpn rsa-keys rsa-key-name LEFT rsa-key KEYGOESHERE + +Now you are ready to setup IPsec. You'll need to use an ID instead of address +for the peer on the dynamic side. + +On the LEFT (static address): + +.. 
code-block:: none + + set vpn rsa-keys rsa-key-name RIGHT rsa-key + + set vpn ipsec ipsec-interfaces interface eth0 + + set vpn ipsec esp-group MyESPGroup proposal 1 encryption aes128 + set vpn ipsec esp-group MyESPGroup proposal 1 hash sha1 + + set vpn ipsec ike-group MyIKEGroup proposal 1 dh-group 2 + set vpn ipsec ike-group MyIKEGroup proposal 1 encryption aes128 + set vpn ipsec ike-group MyIKEGroup proposal 1 hash sha1 + + set vpn ipsec site-to-site peer @RIGHT authentication mode rsa + set vpn ipsec site-to-site peer @RIGHT authentication rsa-key-name RIGHT + set vpn ipsec site-to-site peer @RIGHT default-esp-group MyESPGroup + set vpn ipsec site-to-site peer @RIGHT ike-group MyIKEGroup + set vpn ipsec site-to-site peer @RIGHT local-address 192.0.2.10 + set vpn ipsec site-to-site peer @RIGHT connection-type respond + set vpn ipsec site-to-site peer @RIGHT tunnel 1 local prefix 192.168.99.1/32 # Additional loopback address on the local + set vpn ipsec site-to-site peer @RIGHT tunnel 1 remote prefix 192.168.99.2/32 # Additional loopback address on the remote + + +On the RIGHT (dynamic address): + +.. 
code-block:: none + + set vpn rsa-keys rsa-key-name LEFT rsa-key + + set vpn ipsec ipsec-interfaces interface eth0 + + set vpn ipsec esp-group MyESPGroup proposal 1 encryption aes128 + set vpn ipsec esp-group MyESPGroup proposal 1 hash sha1 + + set vpn ipsec ike-group MyIKEGroup proposal 1 dh-group 2 + set vpn ipsec ike-group MyIKEGroup proposal 1 encryption aes128 + set vpn ipsec ike-group MyIKEGroup proposal 1 hash sha1 + + set vpn ipsec site-to-site peer 192.0.2.10 authentication id @RIGHT + set vpn ipsec site-to-site peer 192.0.2.10 authentication mode rsa + set vpn ipsec site-to-site peer 192.0.2.10 authentication rsa-key-name LEFT + set vpn ipsec site-to-site peer 192.0.2.10 remote-id @LEFT + set vpn ipsec site-to-site peer 192.0.2.10 connection-type initiate + set vpn ipsec site-to-site peer 192.0.2.10 default-esp-group MyESPGroup + set vpn ipsec site-to-site peer 192.0.2.10 ike-group MyIKEGroup + set vpn ipsec site-to-site peer 192.0.2.10 local-address any + set vpn ipsec site-to-site peer 192.0.2.10 tunnel 1 local prefix 192.168.99.2/32 # Additional loopback address on the local + set vpn ipsec site-to-site peer 192.0.2.10 tunnel 1 remote prefix 192.168.99.1/32 # Additional loopback address on the remote -- cgit v1.2.3 From c405bc37679b21fd21b9c68d4b77ce22f92447ae Mon Sep 17 00:00:00 2001 From: Christian Poessinger Date: Mon, 16 Nov 2020 08:03:39 +0100 Subject: ipsec: fix toc level --- docs/vpn/ipsec.rst | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) (limited to 'docs/vpn') diff --git a/docs/vpn/ipsec.rst b/docs/vpn/ipsec.rst index 8b0ad3b3..647f3753 100644 --- a/docs/vpn/ipsec.rst +++ b/docs/vpn/ipsec.rst 
@@ -4,9 +4,9 @@ IPsec ##### -Generic Routing Encapsulation (GRE), GRE/IPsec (or IPIP/IPsec, SIT/IPsec, or any -other stateless tunnel protocol over IPsec) is the usual way to protect the -traffic inside a tunnel. +:abbr:`GRE (Generic Routing Encapsulation)`, GRE/IPsec (or IPIP/IPsec, +SIT/IPsec, or any other stateless tunnel protocol over IPsec) is the usual way +to protect the traffic inside a tunnel. An advantage of this scheme is that you get a real interface with its own address, which makes it easier to setup static routes or use dynamic routing @@ -26,11 +26,12 @@ what needs to be changed to make it work with a different protocol. We assume that IPsec will use pre-shared secret authentication and will use AES128/SHA1 for the cipher and hash. Adjust this as necessary. -.. NOTE:: VMware users should ensure that VMXNET3 adapters used, e1000 adapters - have known issue with GRE processing +.. NOTE:: VMware users should ensure that a VMXNET3 adapter is used. E1000 + adapters have known issues with GRE processing. +************************* IPsec policy matching GRE -^^^^^^^^^^^^^^^^^^^^^^^^^ +************************* The first and arguably cleaner option is to make your IPsec policy match GRE packets between external addresses of your routers. This is the best option if -- cgit v1.2.3 From f5bd1461748b232c085891a21e28d97db6feddc7 Mon Sep 17 00:00:00 2001 From: Eshenko Dmitriy Date: Thu, 26 Nov 2020 11:54:37 +0300 Subject: dmvpn: Fix wrong nbma-address on Spoke --- docs/vpn/dmvpn.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'docs/vpn') diff --git a/docs/vpn/dmvpn.rst b/docs/vpn/dmvpn.rst index 1a6bdd64..5100b92f 100644 --- a/docs/vpn/dmvpn.rst +++ b/docs/vpn/dmvpn.rst 
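Review bot: Only `IPsec policy matching GRE` is promoted to the `*****` level in the second hunk; its sibling `Source tunnel from loopbacks` keeps the `^^^^` underline (the diffstat of 7 insertions and 6 deletions is fully accounted for by the two hunks shown), so the two sections now render at different depths and the TOC is still inconsistent. Promote the second heading in the same commit. The `:abbr:` role in the first hunk and the reworded VMXNET3 note read fine.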
@@ -299,7 +299,7 @@ VyOS can also run in DMVPN spoke mode. set protocols nhrp tunnel tun100 cisco-authentication 'secret' set protocols nhrp tunnel tun100 holding-time '300' - set protocols nhrp tunnel tun100 map 172.16.253.134/29 nbma-address '92.0.2.1' + set protocols nhrp tunnel tun100 map 172.16.253.134/29 nbma-address '192.0.2.1' set protocols nhrp tunnel tun100 map 172.16.253.134/29 register set protocols nhrp tunnel tun100 multicast 'nhs' set protocols nhrp tunnel tun100 redirect -- cgit v1.2.3 From 4abded8025a47990e58cd0a5fe9b96e38f4a3715 Mon Sep 17 00:00:00 2001 
From: rebortg Date: Sun, 29 Nov 2020 21:52:28 +0100 Subject: arrange: interfaces --- Pipfile | 16 + docs/configuration/interfaces/bonding.rst | 560 +++++++++++++++++++++ docs/configuration/interfaces/bridge.rst | 270 ++++++++++ docs/configuration/interfaces/dummy.rst | 79 +++ docs/configuration/interfaces/ethernet.rst | 226 +++++++++ docs/configuration/interfaces/geneve.rst | 61 +++ docs/configuration/interfaces/index.rst | 28 ++ docs/configuration/interfaces/l2tpv3.rst | 192 +++++++ docs/configuration/interfaces/loopback.rst | 71 +++ docs/configuration/interfaces/macsec.rst | 191 +++++++ docs/configuration/interfaces/openvpn.rst | 584 ++++++++++++++++++++++ docs/configuration/interfaces/pppoe.rst | 307 ++++++++++++ docs/configuration/interfaces/pseudo-ethernet.rst | 65 +++ docs/configuration/interfaces/tunnel.rst | 216 ++++++++ docs/configuration/interfaces/vti.rst | 22 + docs/configuration/interfaces/vxlan.rst | 295 +++++++++++ docs/configuration/interfaces/wireguard.rst | 265 ++++++++++ docs/configuration/interfaces/wireless.rst | 573 +++++++++++++++++++++ docs/configuration/interfaces/wirelessmodem.rst | 128 +++++ docs/interfaces/bond.rst | 560 --------------------- docs/interfaces/bridge.rst | 270 ---------- docs/interfaces/dummy.rst | 79 --- docs/interfaces/ethernet.rst | 226 --------- docs/interfaces/geneve.rst | 61 --- docs/interfaces/l2tpv3.rst | 192 ------- docs/interfaces/loopback.rst | 71 --- docs/interfaces/macsec.rst | 191 ------- docs/interfaces/pppoe.rst | 307 ------------ docs/interfaces/pseudo-ethernet.rst | 65 --- docs/interfaces/tunnel.rst | 235 --------- docs/interfaces/vxlan.rst | 295 ----------- docs/interfaces/wireless.rst | 573 --------------------- docs/interfaces/wirelessmodem.rst | 128 ----- docs/vpn/openvpn.rst | 584 ---------------------- docs/vpn/wireguard.rst | 265 ---------- 35 files changed, 4149 insertions(+), 4102 deletions(-) create mode 100644 Pipfile create mode 100644 docs/configuration/interfaces/bonding.rst create mode 
100644 docs/configuration/interfaces/bridge.rst create mode 100644 docs/configuration/interfaces/dummy.rst create mode 100644 docs/configuration/interfaces/ethernet.rst create mode 100644 docs/configuration/interfaces/geneve.rst create mode 100644 docs/configuration/interfaces/index.rst create mode 100644 docs/configuration/interfaces/l2tpv3.rst create mode 100644 docs/configuration/interfaces/loopback.rst create mode 100644 docs/configuration/interfaces/macsec.rst create mode 100644 docs/configuration/interfaces/openvpn.rst create mode 100644 docs/configuration/interfaces/pppoe.rst create mode 100644 docs/configuration/interfaces/pseudo-ethernet.rst create mode 100644 docs/configuration/interfaces/tunnel.rst create mode 100644 docs/configuration/interfaces/vti.rst create mode 100644 docs/configuration/interfaces/vxlan.rst create mode 100644 docs/configuration/interfaces/wireguard.rst create mode 100644 docs/configuration/interfaces/wireless.rst create mode 100644 docs/configuration/interfaces/wirelessmodem.rst delete mode 100644 docs/interfaces/bond.rst delete mode 100644 docs/interfaces/bridge.rst delete mode 100644 docs/interfaces/dummy.rst delete mode 100644 docs/interfaces/ethernet.rst delete mode 100644 docs/interfaces/geneve.rst delete mode 100644 docs/interfaces/l2tpv3.rst delete mode 100644 docs/interfaces/loopback.rst delete mode 100644 docs/interfaces/macsec.rst delete mode 100644 docs/interfaces/pppoe.rst delete mode 100644 docs/interfaces/pseudo-ethernet.rst delete mode 100644 docs/interfaces/tunnel.rst delete mode 100644 docs/interfaces/vxlan.rst delete mode 100644 docs/interfaces/wireless.rst delete mode 100644 docs/interfaces/wirelessmodem.rst delete mode 100644 docs/vpn/openvpn.rst delete mode 100644 docs/vpn/wireguard.rst (limited to 'docs/vpn') diff --git a/Pipfile b/Pipfile new file mode 100644 index 00000000..423092c4 --- /dev/null +++ b/Pipfile 
@@ -0,0 +1,16 @@ +[[source]] +url = "https://pypi.org/simple" +verify_ssl = true +name = "pypi" + +[packages] +sphinx-rtd-theme = "*" +docutils = "*" +lxml = "*" +sphinx-notfound-page = "*" +Sphinx = ">=1.4.3" + +[dev-packages] + +[requires] +python_version = "3.9" diff --git a/docs/configuration/interfaces/bonding.rst b/docs/configuration/interfaces/bonding.rst new file mode 100644 index 00000000..7faddd6f --- /dev/null +++ b/docs/configuration/interfaces/bonding.rst 
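Review bot: The new Pipfile pins nothing except `python_version = "3.9"` and a `Sphinx = ">=1.4.3"` floor, and the diffstat above adds no Pipfile.lock, so every docs build resolves the newest `sphinx-rtd-theme`, `docutils`, `lxml` and `sphinx-notfound-page` from PyPI at build time; commit a `Pipfile.lock` (pipenv generates it with package hashes) or pin versions so builds are reproducible and a broken or compromised upstream release cannot silently change the rendered docs. `verify_ssl = true` is correct and should stay.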
@@ -0,0 +1,560 @@ +.. _bond-interface: + +####################### +Bond / Link Aggregation +####################### + +The bonding interface provides a method for aggregating multiple network +interfaces into a single logical "bonded" interface, or LAG, or ether-channel, +or port-channel. The behavior of the bonded interfaces depends upon the mode; +generally speaking, modes provide either hot standby or load balancing services. +Additionally, link integrity monitoring may be performed. + +************* +Configuration +************* + +Common interface configuration +============================== + +.. cmdinclude:: ../_include/interface-common-with-dhcp.txt + :var0: bond + :var1: bond0 + +Member Interfaces +================= + +.. cfgcmd:: set interfaces bonding member interface + + Enslave `` interface to bond ``. + +Bond options +============ + +.. cfgcmd:: set interfaces bonding mode <802.3ad | active-backup | + broadcast | round-robin | transmit-load-balance | adaptive-load-balance | + xor-hash> + + Specifies one of the bonding policies. The default is 802.3ad. Possible + values are: + + * ``802.3ad`` - IEEE 802.3ad Dynamic link aggregation. Creates aggregation + groups that share the same speed and duplex settings. Utilizes all slaves + in the active aggregator according to the 802.3ad specification. + + Slave selection for outgoing traffic is done according to the transmit + hash policy, which may be changed from the default simple XOR policy via + the :cfgcmd:`hash-policy` option, documented below. + + .. note:: Not all transmit policies may be 802.3ad compliant, particularly + in regards to the packet mis-ordering requirements of section 43.2.4 + of the 802.3ad standard. + + * ``active-backup`` - Active-backup policy: Only one slave in the bond is + active. A different slave becomes active if, and only if, the active slave + fails. The bond's MAC address is externally visible on only one port + (network adapter) to avoid confusing the switch. 
+ + When a failover occurs in active-backup mode, bonding will issue one or + more gratuitous ARPs on the newly active slave. One gratuitous ARP is + issued for the bonding master interface and each VLAN interfaces + configured above it, provided that the interface has at least one IP + address configured. Gratuitous ARPs issued for VLAN interfaces are tagged + with the appropriate VLAN id. + + This mode provides fault tolerance. The :cfgcmd:`primary` option, + documented below, affects the behavior of this mode. + + * ``broadcast`` - Broadcast policy: transmits everything on all slave + interfaces. + + This mode provides fault tolerance. + + * ``round-robin`` - Round-robin policy: Transmit packets in sequential + order from the first available slave through the last. + + This mode provides load balancing and fault tolerance. + + * ``transmit-load-balance`` - Adaptive transmit load balancing: channel + bonding that does not require any special switch support. + + Incoming traffic is received by the current slave. If the receiving slave + fails, another slave takes over the MAC address of the failed receiving + slave. + + * ``adaptive-load-balance`` - Adaptive load balancing: includes + transmit-load-balance plus receive load balancing for IPV4 traffic, and + does not require any special switch support. The receive load balancing + is achieved by ARP negotiation. The bonding driver intercepts the ARP + Replies sent by the local system on their way out and overwrites the + source hardware address with the unique hardware address of one of the + slaves in the bond such that different peers use different hardware + addresses for the server. + + Receive traffic from connections created by the server is also balanced. + When the local system sends an ARP Request the bonding driver copies and + saves the peer's IP information from the ARP packet. 
When the ARP Reply + arrives from the peer, its hardware address is retrieved and the bonding + driver initiates an ARP reply to this peer assigning it to one of the + slaves in the bond. A problematic outcome of using ARP negotiation for + balancing is that each time that an ARP request is broadcast it uses the + hardware address of the bond. Hence, peers learn the hardware address + of the bond and the balancing of receive traffic collapses to the current + slave. This is handled by sending updates (ARP Replies) to all the peers + with their individually assigned hardware address such that the traffic + is redistributed. Receive traffic is also redistributed when a new slave + is added to the bond and when an inactive slave is re-activated. The + receive load is distributed sequentially (round robin) among the group + of highest speed slaves in the bond. + + When a link is reconnected or a new slave joins the bond the receive + traffic is redistributed among all active slaves in the bond by initiating + ARP Replies with the selected MAC address to each of the clients. The + updelay parameter (detailed below) must be set to a value equal or greater + than the switch's forwarding delay so that the ARP Replies sent to the + peers will not be blocked by the switch. + + * ``xor-hash`` - XOR policy: Transmit based on the selected transmit + hash policy. The default policy is a simple [(source MAC address XOR'd + with destination MAC address XOR packet type ID) modulo slave count]. + Alternate transmit policies may be selected via the :cfgcmd:`hash-policy` + option, described below. + + This mode provides load balancing and fault tolerance. + +.. cfgcmd:: set interfaces bonding min-links <0-16> + + Specifies the minimum number of links that must be active before asserting + carrier. It is similar to the Cisco EtherChannel min-links feature. 
This + allows setting the minimum number of member ports that must be up (link-up + state) before marking the bond device as up (carrier on). This is useful for + situations where higher level services such as clustering want to ensure a + minimum number of low bandwidth links are active before switchover. + + This option only affects 802.3ad mode. + + The default value is 0. This will cause carrier to be asserted (for 802.3ad + mode) whenever there is an active aggregator, regardless of the number of + available links in that aggregator. + + .. note:: Because an aggregator cannot be active without at least one + available link, setting this option to 0 or to 1 has the exact same + effect. + +.. cfgcmd:: set interfaces bonding hash-policy + + * **layer2** - Uses XOR of hardware MAC addresses and packet type ID field + to generate the hash. The formula is + + .. code-block:: none + + hash = source MAC XOR destination MAC XOR packet type ID + slave number = hash modulo slave count + + This algorithm will place all traffic to a particular network peer on + the same slave. + + This algorithm is 802.3ad compliant. + + * **layer2+3** - This policy uses a combination of layer2 and layer3 + protocol information to generate the hash. Uses XOR of hardware MAC + addresses and IP addresses to generate the hash. The formula is: + + .. code-block:: none + + hash = source MAC XOR destination MAC XOR packet type ID + hash = hash XOR source IP XOR destination IP + hash = hash XOR (hash RSHIFT 16) + hash = hash XOR (hash RSHIFT 8) + + And then hash is reduced modulo slave count. + + If the protocol is IPv6 then the source and destination addresses are + first hashed using ipv6_addr_hash. + + This algorithm will place all traffic to a particular network peer on the + same slave. For non-IP traffic, the formula is the same as for the layer2 + transmit hash policy. 
+ + This policy is intended to provide a more balanced distribution of traffic + than layer2 alone, especially in environments where a layer3 gateway + device is required to reach most destinations. + + This algorithm is 802.3ad compliant. + + * **layer3+4** - This policy uses upper layer protocol information, when + available, to generate the hash. This allows for traffic to a particular + network peer to span multiple slaves, although a single connection will + not span multiple slaves. + + The formula for unfragmented TCP and UDP packets is + + .. code-block:: none + + hash = source port, destination port (as in the header) + hash = hash XOR source IP XOR destination IP + hash = hash XOR (hash RSHIFT 16) + hash = hash XOR (hash RSHIFT 8) + + And then hash is reduced modulo slave count. + + If the protocol is IPv6 then the source and destination addresses are + first hashed using ipv6_addr_hash. + + For fragmented TCP or UDP packets and all other IPv4 and IPv6 protocol + traffic, the source and destination port information is omitted. For + non-IP traffic, the formula is the same as for the layer2 transmit hash + policy. + + This algorithm is not fully 802.3ad compliant. A single TCP or UDP + conversation containing both fragmented and unfragmented packets will see + packets striped across two interfaces. This may result in out of order + delivery. Most traffic types will not meet this criteria, as TCP rarely + fragments traffic, and most UDP traffic is not involved in extended + conversations. Other implementations of 802.3ad may or may not tolerate + this noncompliance. + +.. cfgcmd:: set interfaces bonding primary + + An `` specifying which slave is the primary device. The specified + device will always be the active slave while it is available. Only when the + primary is off-line will alternate devices be used. This is useful when one + slave is preferred over another, e.g., when one slave has higher throughput + than another. 
+ + The primary option is only valid for active-backup, transmit-load-balance, + and adaptive-load-balance mode. + +.. cfgcmd:: set interfaces bonding arp-monitor interval
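Review bot: The `transmit-load-balance` entry in the `mode` cfgcmd describes only the receive side ("Incoming traffic is received by the current slave ..."); add the sentence on how outgoing traffic is distributed, since that is the mode's purpose and the adjacent `adaptive-load-balance` entry builds on it. Terminology is mixed across the hunk: the `member` cfgcmd says `member interface`, the `min-links` text says `member ports`, and the mode and hash-policy text says `slave`; pick one term for the page. Since the `adaptive-load-balance` text already states that the driver rewrites the source hardware address of outgoing ARP replies so different peers see different MACs for the same IP, a short caveat that switches which validate ARP replies against IP/MAC bindings may not tolerate this mode would help readers choose. Finally, the reference to an `updelay` parameter "detailed below" should be checked against the option name actually used later in this file.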