all work!
Thank you
Jun 17 2024
Jun 14 2024
```
vyos@vyos:~$ generate ipsec profile windows-remote-access support remote ipsec.somedomain
Traceback (most recent call last):
  File "/usr/libexec/vyos/op_mode/ikev2_profile_generator.py", line 153, in <module>
    cert_data = load_certificate(pki['certificate'][cert_name]['certificate'])
                                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^
KeyError: 'certificate'
vyos@vyos:~$ show ver | match Version:
Version: VyOS 1.5-rolling-202406130020
vyos@vyos:~$
```
Jun 12 2024
In upgrade process
Jun 10 2024
```
vyos@vyos:~$ dpkg -l | grep vyos-1x
ii  vyos-1x         1.5dev0-1669-g77cb661d8 amd64 VyOS configuration scripts and data
ii  vyos-1x-vmware  1.5dev0-1669-g77cb661d8 amd64 VyOS configuration scripts and data for VMware
vyos@vyos:~$
```
Jun 9 2024
```
vyos@vyos# show vpn ipsec | commands
set esp-group vpn lifetime '3600'
set esp-group vpn pfs 'enable'
set esp-group vpn proposal 10 encryption 'aes128gcm128'
set esp-group vpn proposal 10 hash 'sha256'
set ike-group vpn key-exchange 'ikev2'
set ike-group vpn lifetime '7200'
set ike-group vpn proposal 10 dh-group '14'
set ike-group vpn proposal 10 encryption 'aes128gcm128'
set ike-group vpn proposal 10 hash 'sha256'
set interface 'eth0'
set options virtual-ip
set remote-access connection support authentication client-mode 'eap-mschapv2'
set remote-access connection support authentication local-id 'ipsec.somedomain'
set remote-access connection support authentication local-users username test password 'test'
set remote-access connection support authentication server-mode 'x509'
set remote-access connection support authentication x509 ca-certificate 'isrgrootx1'
set remote-access connection support authentication x509 ca-certificate 'lets-encrypt-r3'
set remote-access connection support authentication x509 certificate 'vpn2'
set remote-access connection support description 'support remote access'
set remote-access connection support esp-group 'vpn'
set remote-access connection support ike-group 'vpn'
set remote-access connection support local-address 'ip on eth0'
set remote-access connection support pool 'support'
set remote-access pool support name-server '1.1.1.1'
set remote-access pool support name-server '9.9.9.9'
set remote-access pool support prefix '192.168.120.64/27'
[edit]
vyos@vyos#
```
```
vyos@vyos:~$ generate ipsec profile windows-remote-access support remote ipsec.somedomain
Traceback (most recent call last):
  File "/usr/libexec/vyos/op_mode/ikev2_profile_generator.py", line 154, in <module>
    cert = load_certificate(pki['certificate'][cert_name]['certificate'])
                            ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^
KeyError: 'certificate'
vyos@vyos:~$ show ver
Version: VyOS 1.5-rolling-202406060020
Release train: current
Release flavor: generic
```
May 31 2024
May 30 2024
```
set resource-group username-group <my-users> username user01 password '09078081'
set resource-group username-group <my-users> username user02 password 'fmndskl82'
set service pppoe-server authentication local-users username-group 'my-users'
set vpn l2tp remote-access authentication local-users username-group 'my-users'
set vpn sstp authentication local-users username-group 'my-users'
set vpn openconnect authentication local-users username-group 'my-users'
```
Looks like what I was talking about
In T6417#190336, @Viacheslav wrote:
It is not clear why it should be ignored? If they should be ignored they must not be in the CLI at all.
Why not use RADIUS authentication for it? Do I get it wrong? Local RADIUS server seems like overhead here. Are we talking about the local “chap-secrets” file that can be reused by other daemons or RADIUS?
Clarify please the feature request.
Need a general place to store accounts for VPN; whether it is a local radius server or chap-secrets file (this option seems simpler and more correct) is not so important.
A separate radius server is another point of failure and a separate infrastructure object. Wants to have a boxed solution where everything is available at once.
May 29 2024
In T6417#190277, @Viacheslav wrote:
It probably cannot be a universal solution due to specific per-user options.
For example, for openconnect, you can add otp if you want on a per-user basis and not do it for other users.
```
vyos@r4# set vpn openconnect authentication local-users username foo
Possible completions:
   disable              Disable instance
 > otp                  2FA OTP authentication parameters
   password             Password used for authentication
```
Another case specific client IP address or rate limit
```
vyos@r4# set vpn sstp authentication local-users username foo
Possible completions:
   disable              Disable instance
   password             Password for authentication
 > rate-limit           Upload/Download speed limits
   static-ip            Static client IP address (default: *)
```
Though it could be only for accel-ppp based configuration sstp/l2tp/pptp
Specific per-user options can be ignored if the protocol does not support them.