vyos · rebortg · Oct 26, 2023 · Oct 26, 2023
diff --git a/docs/configexamples/index.rst b/docs/configexamples/index.rst
@@ -22,6 +22,7 @@ This chapter contains various configuration examples:
    segment-routing-isis
    nmp
    policy-based-ipsec-and-firewall
+   site-2-site-cisco
 
 
 Configuration Blueprints (autotest)

diff --git a/docs/configexamples/site-2-site-cisco.rst b/docs/configexamples/site-2-site-cisco.rst
@@ -0,0 +1,177 @@
+.. _examples-site-2-site-cisco:
+
+Site-to-Site IPSec VPN to Cisco using FlexVPN
+---------------------------------------------
+
+This guide shows a sample configuration for FlexVPN site-to-site Internet 
+Protocol Security (IPsec)/Generic Routing Encapsulation (GRE) tunnel.
+
+FlexVPN is a newer "solution" for deployment of VPNs and it utilizes IKEv2 as 
+the key exchange protocol. The result is a flexible and scalable VPN solution 
+that can be easily adapted to fit various network needs. It can also support a 
+variety of encryption methods, including AES and 3DES.
+
+The lab was built using EVE-NG.
+
+
+Configuration
+^^^^^^^^^^^^^^
+
+VyOS
+=====
+
+- GRE:
+
+.. code-block:: none
+
+  set interfaces tunnel tun1 encapsulation 'gre'
+  set interfaces tunnel tun1 ip adjust-mss '1336'
+  set interfaces tunnel tun1 mtu '1376'
+  set interfaces tunnel tun1 remote '10.1.1.6'
+  set interfaces tunnel tun1 source-address '88.2.2.1'
+
+
+- IPsec:
+
+.. code-block:: none
+
+  set vpn ipsec authentication psk vyos_cisco_l id 'vyos.net’
+  set vpn ipsec authentication psk vyos_cisco_l id 'cisco.hub.net'
+  set vpn ipsec authentication psk vyos_cisco_l secret 'secret'
+  set vpn ipsec esp-group e1 lifetime '3600'
+  set vpn ipsec esp-group e1 mode 'tunnel'
+  set vpn ipsec esp-group e1 pfs 'disable'
+  set vpn ipsec esp-group e1 proposal 1 encryption 'aes128'
+  set vpn ipsec esp-group e1 proposal 1 hash 'sha256'
+  set vpn ipsec ike-group i1 key-exchange 'ikev2'
+  set vpn ipsec ike-group i1 lifetime '28800'
+  set vpn ipsec ike-group i1 proposal 1 dh-group '5'
+  set vpn ipsec ike-group i1 proposal 1 encryption 'aes256'
+  set vpn ipsec ike-group i1 proposal 1 hash 'sha256'
+  set vpn ipsec interface 'eth2'
+  set vpn ipsec options disable-route-autoinstall
+  set vpn ipsec options flexvpn
+  set vpn ipsec options interface 'tun1'
+  set vpn ipsec options virtual-ip
+  set vpn ipsec site-to-site peer cisco_hub authentication local-id 'vyos.net'
+  set vpn ipsec site-to-site peer cisco_hub authentication mode 'pre-shared-secret'
+  set vpn ipsec site-to-site peer cisco_hub authentication remote-id 'cisco.hub.net'
+  set vpn ipsec site-to-site peer cisco_hub connection-type 'initiate'
+  set vpn ipsec site-to-site peer cisco_hub default-esp-group 'e1'
+  set vpn ipsec site-to-site peer cisco_hub ike-group 'i1'
+  set vpn ipsec site-to-site peer cisco_hub local-address '88.2.2.1'
+  set vpn ipsec site-to-site peer cisco_hub remote-address '10.1.1.6'
+  set vpn ipsec site-to-site peer cisco_hub tunnel 1 local prefix '88.2.2.1/32'
+  set vpn ipsec site-to-site peer cisco_hub tunnel 1 protocol 'gre'
+  set vpn ipsec site-to-site peer cisco_hub tunnel 1 remote prefix '10.1.1.6/32'
+  set vpn ipsec site-to-site peer cisco_hub virtual-address '0.0.0.0'
+
+
+Cisco
+=====
+.. code-block:: none
+
+  aaa new-model
+  !
+  !
+  aaa authorization network default local
+  !
+  crypto ikev2 name-mangler GET_DOMAIN
+   fqdn all
+   email all
+  !
+  !
+  crypto ikev2 authorization policy vyos
+   pool mypool
+   aaa attribute list mylist
+   route set interface
+   route accept any tag 100 distance 5
+  !
+  crypto ikev2 keyring mykeys
+   peer peer1
+    identity fqdn vyos.net
+    pre-shared-key local secret
+    pre-shared-key remote secret
+  crypto ikev2 profile my_profile
+   match identity remote fqdn vyos.net
+   identity local fqdn cisco.hub.net
+   authentication remote pre-share
+   authentication local pre-share
+   keyring local mykeys
+   dpd 10 3 periodic
+   aaa authorization group psk list local name-mangler GET_DOMAIN
+   aaa authorization user psk cached
+   virtual-template 1
+  !
+  !
+  !
+  crypto ipsec transform-set TSET esp-aes esp-sha256-hmac
+   mode tunnel
+  !
+  !
+  crypto ipsec profile my-ipsec-profile
+   set transform-set TSET
+   set ikev2-profile my_profile
+  !
+  interface Virtual-Template1 type tunnel
+   no ip address
+   ip mtu 1376
+   ip nhrp network-id 1
+   ip nhrp shortcut virtual-template 1
+   ip tcp adjust-mss 1336
+   tunnel path-mtu-discovery
+   tunnel protection ipsec profile my-ipsec-profile
+   !
+   ip local pool my_pool 172.16.122.1 172.16.122.254
+
+
+Since the tunnel is a point-to-point GRE tunnel, it behaves like any other 
+point-to-point interface (for example: serial, dialer), and it is possible to 
+run any Interior Gateway Protocol (IGP)/Exterior Gateway Protocol (EGP) over 
+the link in order to exchange routing information
+
+Verification
+^^^^^^^^^^^^
+
+.. code-block:: none
+
+  vyos@vyos$ show interfaces
+  Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
+  Interface        IP Address                        S/L  Description
+  ---------        ----------                        ---  -----------
+  eth0             -                                 u/u
+  eth1             -                                 u/u
+  eth2             88.2.2.1/24                       u/u
+  eth3             172.16.1.2/24                     u/u
+  lo               127.0.0.1/8                       u/u
+                   ::1/128
+  tun1             172.16.122.2/32                   u/u
+
+  vyos@vyos:~$ show vpn ipsec sa
+  Connection          State    Uptime    Bytes In/Out    Packets In/Out    Remote address    Remote ID              Proposal
+  ------------------  -------  --------  --------------  ----------------  ----------------  ---------------------  -----------------------------
+  cisco_hub-tunnel-1  up       44m17s    35K/31K         382/367           10.1.1.6          cisco.hub.net  AES_CBC_128/HMAC_SHA2_256_128
+
+
+  Hub#sh crypto ikev2 sa detailed
+   IPv4 Crypto IKEv2  SA
+
+  Tunnel-id Local                 Remote                fvrf/ivrf            Status
+  5         10.1.1.6/4500         88.2.2.1/4500         none/none               READY
+        Encr: AES-CBC, keysize: 256, PRF: SHA256, Hash: SHA256, DH Grp:5, Auth sign: PSK, Auth verify: PSK
+        Life/Active Time: 86400/2694 sec
+        CE id: 0, Session-id: 2
+        Status Description: Negotiation done
+        Local spi: C94EE2DC92A60C47       Remote spi: 9AF0EF151BECF14C
+        Local id: cisco.hub.net
+        Remote id: vyos.net
+        Local req msg id:  269            Remote req msg id:  0
+        Local next msg id: 269            Remote next msg id: 0
+        Local req queued:  269            Remote req queued:  0
+        Local window:      5              Remote window:      1
+        DPD configured for 10 seconds, retry 3
+        Fragmentation not configured.
+        Extended Authentication not configured.
+        NAT-T is not detected
+        Cisco Trust Security SGT is disabled
+        Assigned host addr: 172.16.122.2
diff --git a/docs/configuration/vpn/ipsec.rst b/docs/configuration/vpn/ipsec.rst
@@ -159,13 +159,13 @@
 *********************************************** 
 * ``options``
 
  * ``disable-route-autoinstall`` Do not automatically install routes to remote networks;
 
- * ``flexvpn`` Allow FlexVPN vendor ID payload (IKEv2 only). Send the Cisco FlexVPN vendor ID payload (IKEv2 only), which is required in order to make Cisco brand devices allow negotiating a local traffic selector (from strongSwan's point of view) that is not the assigned virtual IP address if such an address is requested by strongSwan. Sending the Cisco FlexVPN vendor ID prevents the peer from narrowing the initiator's local traffic selector and allows it to e.g. negotiate a TS of 0.0.0.0/0 == 0.0.0.0/0 instead. This has been tested with a "tunnel mode ipsec ipv4" Cisco template but should also work for GRE encapsulation;
+ * ``flexvpn`` Allows FlexVPN vendor ID payload (IKEv2 only). Send the Cisco FlexVPN vendor ID payload (IKEv2 only), which is required in order to make Cisco brand devices allow negotiating a local traffic selector (from strongSwan's point of view) that is not the assigned virtual IP address if such an address is requested by strongSwan. Sending the Cisco FlexVPN vendor ID prevents the peer from narrowing the initiator's local traffic selector and allows it to e.g. negotiate a TS of 0.0.0.0/0 == 0.0.0.0/0 instead. This has been tested with a "tunnel mode ipsec ipv4" Cisco template but should also work for GRE encapsulation;
 
  * ``interface`` Interface Name to use. The name of the interface on which virtual IP addresses should be installed. If not specified the addresses will be installed on the outbound interface;
 
- * ``virtual-ip`` Allow install virtual-ip addresses. Comma separated list of virtual IPs to request in IKEv2 configuration payloads or IKEv1 Mode Config. The wildcard addresses 0.0.0.0 and :: request an arbitrary address, specific addresses may be defined. The responder may return a different address, though, or none at all.
+ * ``virtual-ip`` Allows to install virtual-ip addresses. Comma separated list of virtual IPs to request in IKEv2 configuration payloads or IKEv1 Mode Config. The wildcard addresses 0.0.0.0 and :: request an arbitrary address, specific addresses may be defined. The responder may return a different address, though, or none at all. Define the ``virtual-address`` option to configure the IP address in site-to-site hierarchy.
 
 *************************
 IPsec policy matching GRE

diff --git a/docs/configuration/vpn/site2site_ipsec.rst b/docs/configuration/vpn/site2site_ipsec.rst
@@ -149,6 +149,10 @@ Each site-to-site peer has the next options:
  * ``esp-group`` - define ESP group for encrypt traffic, passed this VTI
    interface.
 
+* ``virtual-address`` - Defines a virtual IP address which is requested by the 
+  initiator and one or several IPv4 and/or IPv6 addresses are assigned from 
+  multiple pools by the responder. 
+
 Examples:
 ------------------