Merge pull request #888 from srividya0208/newformat

Modified the documentation as per the new format/syntax
2025-10-26 08:41:46 +01:00 · 2022-11-15 20:49:03 +01:00 · 2022-11-15 20:49:03 +01:00 · f2cf8417aa
commit f2cf8417aa
parent e8bb46536e ac70a57fd1
2 changed files with 42 additions and 41 deletions
--- a/docs/configuration/vpn/ipsec.rst
+++ b/docs/configuration/vpn/ipsec.rst
@ -166,7 +166,7 @@ VyOS ESP group has the next options:
 ***********************************************
 Options (Global IPsec settings) Attributes
 *********************************************** 
-* ``options`` IPsec settings:
+* ``options``

 * ``disable-route-autoinstall`` Do not automatically install routes to remote networks;
 
@ -210,16 +210,18 @@ On the LEFT:
  set vpn ipsec esp-group MyESPGroup proposal 1 hash 'sha1'

  # IPsec tunnel
-  set vpn ipsec site-to-site peer 203.0.113.45 authentication mode pre-shared-secret
-  set vpn ipsec site-to-site peer 203.0.113.45 authentication pre-shared-secret MYSECRETKEY
+  set vpn ipsec site-to-site peer right authentication mode pre-shared-secret
+  set vpn ipsec site-to-site peer right authentication pre-shared-secret MYSECRETKEY
+  set vpn ipsec site-to-site peer right authentication remote-id 203.0.113.45

-  set vpn ipsec site-to-site peer 203.0.113.45 ike-group MyIKEGroup
-  set vpn ipsec site-to-site peer 203.0.113.45 default-esp-group MyESPGroup
+  set vpn ipsec site-to-site peer right ike-group MyIKEGroup
+  set vpn ipsec site-to-site peer right default-esp-group MyESPGroup

-  set vpn ipsec site-to-site peer 203.0.113.45 local-address 192.0.2.10
+  set vpn ipsec site-to-site peer right local-address 192.0.2.10
+  set vpn ipsec site-to-site peer right remote-address 203.0.113.45

  # This will match all GRE traffic to the peer
-  set vpn ipsec site-to-site peer 203.0.113.45 tunnel 1 protocol gre
+  set vpn ipsec site-to-site peer right tunnel 1 protocol gre

 On the RIGHT, setup by analogy and swap local and remote addresses.

@ -235,6 +237,8 @@ an IPsec policy to match those loopback addresses.
 We assume that the LEFT router has static 192.0.2.10 address on eth0, and the
 RIGHT router has a dynamic address on eth0.

+The peer names RIGHT and LEFT are used as informational text.
+
 **Setting up the GRE tunnel**

 On the LEFT:
@ -325,17 +329,17 @@ On the LEFT (static address):
  set vpn ipsec ike-group MyIKEGroup proposal 1 encryption aes128
  set vpn ipsec ike-group MyIKEGroup proposal 1 hash sha1

-  set vpn ipsec site-to-site peer @RIGHT authentication id LEFT
-  set vpn ipsec site-to-site peer @RIGHT authentication mode rsa
-  set vpn ipsec site-to-site peer @RIGHT authentication rsa local-key ipsec-LEFT
-  set vpn ipsec site-to-site peer @RIGHT authentication rsa remote-key ipsec-RIGHT
-  set vpn ipsec site-to-site peer @RIGHT authentication remote-id RIGHT
-  set vpn ipsec site-to-site peer @RIGHT default-esp-group MyESPGroup
-  set vpn ipsec site-to-site peer @RIGHT ike-group MyIKEGroup
-  set vpn ipsec site-to-site peer @RIGHT local-address 192.0.2.10
-  set vpn ipsec site-to-site peer @RIGHT connection-type respond
-  set vpn ipsec site-to-site peer @RIGHT tunnel 1 local prefix 192.168.99.1/32  # Additional loopback address on the local
-  set vpn ipsec site-to-site peer @RIGHT tunnel 1 remote prefix 192.168.99.2/32 # Additional loopback address on the remote
+  set vpn ipsec site-to-site peer RIGHT authentication local-id LEFT
+  set vpn ipsec site-to-site peer RIGHT authentication mode rsa
+  set vpn ipsec site-to-site peer RIGHT authentication rsa local-key ipsec-LEFT
+  set vpn ipsec site-to-site peer RIGHT authentication rsa remote-key ipsec-RIGHT
+  set vpn ipsec site-to-site peer RIGHT authentication remote-id RIGHT
+  set vpn ipsec site-to-site peer RIGHT default-esp-group MyESPGroup
+  set vpn ipsec site-to-site peer RIGHT ike-group MyIKEGroup
+  set vpn ipsec site-to-site peer RIGHT local-address 192.0.2.10
+  set vpn ipsec site-to-site peer RIGHT connection-type respond
+  set vpn ipsec site-to-site peer RIGHT tunnel 1 local prefix 192.168.99.1/32  # Additional loopback address on the local
+  set vpn ipsec site-to-site peer RIGHT tunnel 1 remote prefix 192.168.99.2/32 # Additional loopback address on the remote

 On the RIGHT (dynamic address):

@ -350,14 +354,15 @@ On the RIGHT (dynamic address):
  set vpn ipsec ike-group MyIKEGroup proposal 1 encryption aes128
  set vpn ipsec ike-group MyIKEGroup proposal 1 hash sha1

-  set vpn ipsec site-to-site peer 192.0.2.10 authentication id RIGHT
-  set vpn ipsec site-to-site peer 192.0.2.10 authentication mode rsa
-  set vpn ipsec site-to-site peer 192.0.2.10 authentication rsa local-key ipsec-RIGHT
-  set vpn ipsec site-to-site peer 192.0.2.10 authentication rsa remote-key ipsec-LEFT
-  set vpn ipsec site-to-site peer 192.0.2.10 authentication remote-id LEFT
-  set vpn ipsec site-to-site peer 192.0.2.10 connection-type initiate
-  set vpn ipsec site-to-site peer 192.0.2.10 default-esp-group MyESPGroup
-  set vpn ipsec site-to-site peer 192.0.2.10 ike-group MyIKEGroup
-  set vpn ipsec site-to-site peer 192.0.2.10 local-address any
-  set vpn ipsec site-to-site peer 192.0.2.10 tunnel 1 local prefix 192.168.99.2/32  # Additional loopback address on the local
-  set vpn ipsec site-to-site peer 192.0.2.10 tunnel 1 remote prefix 192.168.99.1/32 # Additional loopback address on the remote
+  set vpn ipsec site-to-site peer LEFT authentication local-id RIGHT
+  set vpn ipsec site-to-site peer LEFT authentication mode rsa
+  set vpn ipsec site-to-site peer LEFT authentication rsa local-key ipsec-RIGHT
+  set vpn ipsec site-to-site peer LEFT authentication rsa remote-key ipsec-LEFT
+  set vpn ipsec site-to-site peer LEFT authentication remote-id LEFT
+  set vpn ipsec site-to-site peer LEFT connection-type initiate
+  set vpn ipsec site-to-site peer LEFT default-esp-group MyESPGroup
+  set vpn ipsec site-to-site peer LEFT ike-group MyIKEGroup
+  set vpn ipsec site-to-site peer LEFT local-address any
+  set vpn ipsec site-to-site peer LEFT remote-address 192.0.2.10
+  set vpn ipsec site-to-site peer LEFT tunnel 1 local prefix 192.168.99.2/32  # Additional loopback address on the local
+  set vpn ipsec site-to-site peer LEFT tunnel 1 remote prefix 192.168.99.1/32 # Additional loopback address on the remote
--- a/docs/configuration/vpn/site2site_ipsec.rst
+++ b/docs/configuration/vpn/site2site_ipsec.rst
@ -8,19 +8,10 @@ to exchange encrypted information between them and VyOS itself or
 connected/routed networks.

 To configure site-to-site connection you need to add peers with the
-``set vpn ipsec site-to-site`` command.
+``set vpn ipsec site-to-site peer <name>`` command.

-You can identify a remote peer with:
-
-* IPv4 or IPv6 address. This mode is easiest for configuration and mostly used
-  when a peer has a public static IP address;
-* Hostname. This mode is similar to IP address, only you define DNS name instead
-  of an IP. Could be used when a peer has a public IP address and DNS name, but
-  an IP address could be changed from time to time;
-* Remote ID of the peer. In this mode, there is no predefined remote address
-  nor DNS name of the peer. This mode is useful when a peer doesn't have a
-  publicly available IP address (NAT between it and VyOS), or IP address could
-  be changed.
+The peer name must be an alphanumeric and can have hypen or underscore as 
+special characters. It is purely informational. 

 Each site-to-site peer has the next options:

@ -111,6 +102,11 @@ Each site-to-site peer has the next options:
  If defined ``any``, then an IP address which configured on interface with
  default route will be used;

+* ``remote-address`` - remote IP address or hostname for IPSec connection.
+  IPv4 or IPv6 address is used when a peer has a public static IP address.
+  Hostname is a DNS name which could be used when a peer has a public IP 
+  address and DNS name, but an IP address could be changed from time to time.
+
 * ``tunnel`` - define criteria for traffic to be matched for encrypting and send
  it to a peer: