Diffstat (limited to 'interface-definitions/vpn_ipsec.xml.in')
-rw-r--r-- | interface-definitions/vpn_ipsec.xml.in | 303 |
1 files changed, 144 insertions, 159 deletions
diff --git a/interface-definitions/vpn_ipsec.xml.in b/interface-definitions/vpn_ipsec.xml.in
index 147f351f2..b28c86ae6 100644
--- a/interface-definitions/vpn_ipsec.xml.in
+++ b/interface-definitions/vpn_ipsec.xml.in
@@ -11,18 +11,6 @@
  <priority>901</priority>
  </properties>
  <children>
- <leafNode name="auto-update">
- <properties>
- <help>Set auto-update interval for IPsec daemon</help>
- <valueHelp>
- <format>u32:30-65535</format>
- <description>Auto-update interval (s)</description>
- </valueHelp>
- <constraint>
- <validator name="numeric" argument="--range 30-65535"/>
- </constraint>
- </properties>
- </leafNode>
  <leafNode name="disable-uniqreqids">
  <properties>
  <help>Option to disable requirement for unique IDs in the Security Database</help>
@@ -52,6 +40,7 @@
  <regex>^(disable|enable)$</regex>
  </constraint>
  </properties>
+ <defaultValue>disable</defaultValue>
  </leafNode>
  <leafNode name="lifetime">
  <properties>
@@ -394,7 +383,6 @@
  </properties>
  <children>
  <leafNode name="dh-group">
- <defaultValue>2</defaultValue>
  <properties>
  <help>dh-grouphelp</help>
  <completionHelp>
@@ -492,6 +480,7 @@
  <regex>^(1|2|5|14|15|16|17|18|19|20|21|22|23|24|25|26|27|28|29|30|31|32)$</regex>
  </constraint>
  </properties>
+ <defaultValue>2</defaultValue>
  </leafNode>
  #include <include/vpn-ipsec-encryption.xml.i>
  #include <include/vpn-ipsec-hash.xml.i>
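Review bot: The relocated `<defaultValue>2</defaultValue>` in the fourth hunk keeps DH group 2 (1024-bit MODP) as the default for `dh-group`, which current guidance treats as too weak for new deployments. If the hunk is meant only to move the element out of `<properties>` to match the placement used for `disable` in the second hunk, behaviour is unchanged and this is a follow-up item; otherwise a stronger value already accepted by the regex, e.g. `<defaultValue>14</defaultValue>`, would be the safer default, with the compatibility impact on existing peers documented in the commit. The `dh-group` leafNode opens in the third hunk and its `<properties>` body lies between the two hunks, outside this view.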
@@ -509,22 +498,15 @@
  <help>Sets to include an additional secrets file for strongSwan. Use an absolute path to specify the included file.</help>
  </properties>
  </leafNode>
- <node name="ipsec-interfaces">
+ <leafNode name="interface">
  <properties>
- <help>Interface to use for VPN [REQUIRED]</help>
+ <help>Onterface used for IPsec communication</help>
+ <completionHelp>
+ <script>${vyos_completion_dir}/list_interfaces.py</script>
+ </completionHelp>
+ <multi/>
  </properties>
- <children>
- <leafNode name="interface">
- <properties>
- <help>IPsec interface [REQUIRED]</help>
- <completionHelp>
- <script>${vyos_completion_dir}/list_interfaces.py</script>
- </completionHelp>
- <multi/>
- </properties>
- </leafNode>
- </children>
- </node>
+ </leafNode>
  <node name="log">
  <properties>
  <help>IPsec logging</help>
@@ -648,37 +630,6 @@
  <valueless/>
  </properties>
  </leafNode>
- <node name="remote-access">
- <properties>
- <help>remote-access global options</help>
- </properties>
- <children>
- <node name="dhcp-pool">
- <properties>
- <help>DHCP pool options for remote-access</help>
- </properties>
- <children>
- <leafNode name="interface">
- <properties>
- <help>Interface with DHCP server to use</help>
- <completionHelp>
- <script>${vyos_completion_dir}/list_interfaces.py</script>
- </completionHelp>
- </properties>
- </leafNode>
- <leafNode name="server">
- <properties>
- <help>DHCP server address</help>
- <valueHelp>
- <format>ipv4</format>
- <description>IPv4 address of the DHCP server</description>
- </valueHelp>
- </properties>
- </leafNode>
- </children>
- </node>
- </children>
- </node>
  </children>
  </node>
  <tagNode name="profile">
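Review bot: The new help string for the flattened `interface` leaf misspells its first word and will be shown that way in CLI completion; it should read `<help>Interface used for IPsec communication</help>`. The two removed help texts both carried a `[REQUIRED]` marker, which the replacement drops; if the configuration script still refuses to commit without an interface, keeping that marker in the new help would preserve the hint users had. The enclosing `<children>` of the parent node opens before this hunk.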
@@ -704,15 +655,7 @@
  </valueHelp>
  </properties>
  </leafNode>
- <leafNode name="pre-shared-secret">
- <properties>
- <help>Pre-shared secret key</help>
- <valueHelp>
- <format>txt</format>
- <description>Pre-shared secret key</description>
- </valueHelp>
- </properties>
- </leafNode>
+ #include <include/ipsec/authentication-pre-shared-secret.xml.i>
  </children>
  </node>
  <node name="bind">
@@ -739,102 +682,161 @@
  #include <include/ipsec/ike-group.xml.i>
  </children>
  </tagNode>
- <tagNode name="remote-access">
+ <node name="remote-access">
  <properties>
- <help>Remote access IKEv2 VPN </help>
+ <help>IKEv2 remote access VPN</help>
  </properties>
  <children>
- <node name="authentication">
+ <tagNode name="connection">
  <properties>
- <help>Authentication for remote access</help>
+ <help>IKEv2 VPN connection name</help>
  </properties>
  <children>
- #include <include/ipsec/authentication-id.xml.i>
- #include <include/ipsec/authentication-x509.xml.i>
- <leafNode name="client-mode">
+ <node name="authentication">
  <properties>
- <help>Client authentication mode</help>
- <completionHelp>
- <list>eap-tls eap-mschapv2</list>
- </completionHelp>
- <valueHelp>
- <format>eap-tls</format>
- <description>EAP-TLS</description>
- </valueHelp>
+ <help>Authentication for remote access</help>
+ </properties>
+ <children>
+ #include <include/ipsec/authentication-id.xml.i>
+ #include <include/ipsec/authentication-x509.xml.i>
+ <leafNode name="client-mode">
+ <properties>
+ <help>Client authentication mode</help>
+ <completionHelp>
+ <list>eap-tls eap-mschapv2 eap-radius</list>
+ </completionHelp>
+ <valueHelp>
+ <format>eap-tls</format>
+ <description>Client uses EAP-TLS authentication</description>
+ </valueHelp>
+ <valueHelp>
+ <format>eap-mschapv2</format>
+ <description>Client uses EAP-MSCHAPv2 authentication</description>
+ </valueHelp>
+ <valueHelp>
+ <format>eap-radius</format>
+ <description>Client uses EAP-RADIUS authentication</description>
+ </valueHelp>
+ <constraint>
+ <regex>^(eap-tls|eap-mschapv2|eap-radius)$</regex>
+ </constraint>
+ </properties>
+ <defaultValue>eap-mschapv2</defaultValue>
+ </leafNode>
+ #include <include/auth-local-users.xml.i>
+ <leafNode name="server-mode">
+ <properties>
+ <help>Server authentication mode</help>
+ <completionHelp>
+ <list>pre-shared-secret x509</list>
+ </completionHelp>
+ <valueHelp>
+ <format>pre-shared-secret</format>
+ <description>pre-shared-secret_description</description>
+ </valueHelp>
+ <valueHelp>
+ <format>x509</format>
+ <description>x509_description</description>
+ </valueHelp>
+ <constraint>
+ <regex>^(pre-shared-secret|x509)$</regex>
+ </constraint>
+ </properties>
+ <defaultValue>x509</defaultValue>
+ </leafNode>
+ #include <include/ipsec/authentication-pre-shared-secret.xml.i>
+ </children>
+ </node>
+ #include <include/generic-description.xml.i>
+ #include <include/generic-disable-node.xml.i>
+ #include <include/ipsec/esp-group.xml.i>
+ #include <include/ipsec/ike-group.xml.i>
+ #include <include/ipsec/local-address.xml.i>
+ #include <include/ipsec/local-traffic-selector.xml.i>
+ <leafNode name="timeout">
+ <properties>
+ <help>Timeout to close connection if no data is transmitted</help>
  <valueHelp>
- <format>eap-mschapv2</format>
- <description>EAP-MSCHAPv2</description>
+ <format>u32:10-86400</format>
+ <description>Timeout in seconds (default 28800)</description>
  </valueHelp>
  <constraint>
- <regex>^(eap-tls|eap-mschapv2)$</regex>
+ <validator name="numeric" argument="--range 10-86400"/>
  </constraint>
  </properties>
- <defaultValue>eap-mschapv2</defaultValue>
+ <defaultValue>28800</defaultValue>
  </leafNode>
- <node name="local-users">
+ <leafNode name="pool">
  <properties>
- <help>Local user authentication for PPPoE server</help>
+ <help>Pool name used for IP address assignments</help>
+ <completionHelp>
+ <path>vpn ipsec remote-access pool</path>
+ <list>dhcp</list>
+ </completionHelp>
+ <valueHelp>
+ <format>txt</format>
+ <description>Pool name</description>
+ </valueHelp>
+ <multi/>
  </properties>
- <children>
- <tagNode name="username">
- <properties>
- <help>User name for authentication</help>
- </properties>
- <children>
- #include <include/generic-disable-node.xml.i>
- <leafNode name="password">
- <properties>
- <help>Password for authentication</help>
- </properties>
- </leafNode>
- </children>
- </tagNode>
- </children>
- </node>
- <leafNode name="server-mode">
+ </leafNode>
+ <leafNode name="unique">
  <properties>
- <help>Server authentication mode</help>
+ <help>Connection uniqueness policy to enforce</help>
  <completionHelp>
- <list>pre-shared-secret x509</list>
+ <list>never keep replace</list>
  </completionHelp>
  <valueHelp>
- <format>pre-shared-secret</format>
- <description>pre-shared-secret_description</description>
+ <format>never</format>
+ <description>Never enforce connection uniqueness policy</description>
  </valueHelp>
  <valueHelp>
- <format>x509</format>
- <description>x509_description</description>
+ <format>keep</format>
+ <description>Rejects new connection attempts if the same user already has an active connection</description>
+ </valueHelp>
+ <valueHelp>
+ <format>replace</format>
+ <description>Delete any existing connection if a new one for the same user gets established</description>
  </valueHelp>
  <constraint>
- <regex>^(pre-shared-secret|x509)$</regex>
+ <regex>^(never|keep|replace)$</regex>
  </constraint>
  </properties>
- <defaultValue>x509</defaultValue>
  </leafNode>
- <leafNode name="pre-shared-secret">
+ </children>
+ </tagNode>
+ <node name="dhcp">
+ <properties>
+ <help>DHCP pool options for remote-access</help>
+ </properties>
+ <children>
+ <leafNode name="interface">
+ <properties>
+ <help>Interface with DHCP server to use</help>
+ <completionHelp>
+ <script>${vyos_completion_dir}/list_interfaces.py</script>
+ </completionHelp>
+ </properties>
+ </leafNode>
+ <leafNode name="server">
  <properties>
- <help>Pre-shared-secret used for server authentication</help>
+ <help>DHCP server address</help>
+ <valueHelp>
+ <format>ipv4</format>
+ <description>DHCP server IPv4 address</description>
+ </valueHelp>
+ <constraint>
+ <validator name="ipv4-address"/>
+ </constraint>
  </properties>
  </leafNode>
  </children>
  </node>
- #include <include/generic-description.xml.i>
- #include <include/generic-disable-node.xml.i>
- #include <include/ipsec/esp-group.xml.i>
- #include <include/ipsec/ike-group.xml.i>
- #include <include/ipsec/local-address.xml.i>
- #include <include/ipsec/local-traffic-selector.xml.i>
- <node name="pool">
+ <tagNode name="pool">
  <properties>
  <help>IP address pool for remote-access users</help>
  </properties>
  <children>
- <leafNode name="dhcp-enable">
- <properties>
- <help>Enable DHCP pool for clients on this connection</help>
- <valueless/>
- </properties>
- </leafNode>
  <leafNode name="exclude">
  <properties>
  <help>Local IPv4 or IPv6 pool prefix exclusions</help>
@@ -873,22 +875,20 @@
  <!-- Include Accel-PPP definition here, maybe time for a rename? -->
  #include <include/accel-ppp/name-server.xml.i>
  </children>
+ </tagNode>
+ #include <include/radius-server-ipv4.xml.i>
+ <node name="radius">
+ <children>
+ #include <include/radius-nas-identifier.xml.i>
+ <tagNode name="server">
+ <children>
+ #include <include/accel-ppp/radius-additions-disable-accounting.xml.i>
+ </children>
+ </tagNode>
+ </children>
  </node>
- <leafNode name="timeout">
- <properties>
- <help>Timeout to close connection if no data is transmitted</help>
- <valueHelp>
- <format>u32:10-86400</format>
- <description>Timeout in seconds (default 28800)</description>
- </valueHelp>
- <constraint>
- <validator name="numeric" argument="--range 10-86400"/>
- </constraint>
- </properties>
- <defaultValue>28800</defaultValue>
- </leafNode>
  </children>
- </tagNode>
+ </node>
  <node name="site-to-site">
  <properties>
  <help>Site-to-site VPN</help>
@@ -947,15 +947,7 @@
  </constraint>
  </properties>
  </leafNode>
- <leafNode name="pre-shared-secret">
- <properties>
- <help>Pre-shared secret key</help>
- <valueHelp>
- <format>txt</format>
- <description>Pre-shared secret key</description>
- </valueHelp>
- </properties>
- </leafNode>
+ #include <include/ipsec/authentication-pre-shared-secret.xml.i>
  <leafNode name="remote-id">
  <properties>
  <help>ID for remote authentication</help>
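Review bot: The `server-mode` valueHelp descriptions added inside the new `connection` tagNode are still placeholders, `pre-shared-secret_description` and `x509_description`, and are shown verbatim in CLI help; replace them with e.g. `<description>Use a pre-shared secret for server authentication</description>` and `<description>Use an X.509 certificate for server authentication</description>`. The same placeholders existed in the removed `tagNode remote-access`, but the commit re-adds the lines rather than carrying them, so they now belong to the new side. The new `unique` leaf carries no `<defaultValue>`, unlike `client-mode`, `server-mode` and `timeout` in the same hunk; if the handler assumes a policy when it is unset, stating it here as `<defaultValue>never</defaultValue>` (or whichever value the handler uses) keeps the CLI and the generated configuration in agreement. The `<children>` of the `pool` tagNode continues past the end of this hunk.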
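Review bot: The added `<node name="radius">` and its `<tagNode name="server">` in the second hunk carry no `<properties>`/`<help>` block, unlike every other node in this file. If `include/radius-server-ipv4.xml.i`, included on the line just above, already declares both nodes with help text and this block only extends them with `radius-nas-identifier` and the accounting toggle, that is fine and a short comment such as `<!-- extends the radius node declared in radius-server-ipv4.xml.i -->` would save the next reader the lookup; otherwise the nodes render without help in the CLI. The surrounding `<children>` of `remote-access` closes inside this hunk, so the structure itself appears consistent.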
@@ -1001,14 +993,7 @@
  </properties>
  </leafNode>
  #include <include/generic-description.xml.i>
- <leafNode name="dhcp-interface">
- <properties>
- <help>DHCP interface to listen on</help>
- <completionHelp>
- <script>${vyos_completion_dir}/list_interfaces.py</script>
- </completionHelp>
- </properties>
- </leafNode>
+ #include <include/dhcp-interface.xml.i>
  <leafNode name="force-encapsulation">
  <properties>
  <help>Force UDP Encapsulation for ESP Payloads</help> |