summaryrefslogtreecommitdiff
path: root/interface-definitions/vpn_ipsec.xml.in
diff options
context:
space:
mode:
Diffstat (limited to 'interface-definitions/vpn_ipsec.xml.in')
-rw-r--r--interface-definitions/vpn_ipsec.xml.in693
1 files changed, 316 insertions, 377 deletions
diff --git a/interface-definitions/vpn_ipsec.xml.in b/interface-definitions/vpn_ipsec.xml.in
index 426d7e71c..b28c86ae6 100644
--- a/interface-definitions/vpn_ipsec.xml.in
+++ b/interface-definitions/vpn_ipsec.xml.in
@@ -1,24 +1,16 @@
<?xml version="1.0"?>
<interfaceDefinition>
<node name="vpn">
+ <properties>
+ <help>Virtual Private Network (VPN)</help>
+ </properties>
<children>
- <node name="nipsec" owner="${vyos_conf_scripts_dir}/vpn_ipsec.py">
+ <node name="ipsec" owner="${vyos_conf_scripts_dir}/vpn_ipsec.py">
<properties>
<help>VPN IP security (IPsec) parameters</help>
+ <priority>901</priority>
</properties>
<children>
- <leafNode name="auto-update">
- <properties>
- <help>Set auto-update interval for IPsec daemon</help>
- <valueHelp>
- <format>u32:30-65535</format>
- <description>Auto-update interval (s)</description>
- </valueHelp>
- <constraint>
- <validator name="numeric" argument="--range 30-65535"/>
- </constraint>
- </properties>
- </leafNode>
<leafNode name="disable-uniqreqids">
<properties>
<help>Option to disable requirement for unique IDs in the Security Database</help>
@@ -48,6 +40,7 @@
<regex>^(disable|enable)$</regex>
</constraint>
</properties>
+ <defaultValue>disable</defaultValue>
</leafNode>
<leafNode name="lifetime">
<properties>
@@ -60,6 +53,7 @@
<validator name="numeric" argument="--range 30-86400"/>
</constraint>
</properties>
+ <defaultValue>3600</defaultValue>
</leafNode>
<leafNode name="mode">
<properties>
@@ -79,6 +73,7 @@
<regex>^(tunnel|transport)$</regex>
</constraint>
</properties>
+ <defaultValue>tunnel</defaultValue>
</leafNode>
<leafNode name="pfs">
<properties>
@@ -88,95 +83,95 @@
</completionHelp>
<valueHelp>
<format>enable</format>
- <description>Enable PFS. Use ike-groups dh-group (default)</description>
+ <description>Use Diffie-Hellman group 2 (modp1024) - default</description>
</valueHelp>
<valueHelp>
<format>dh-group1</format>
- <description>Enable PFS. Use Diffie-Hellman group 1 (modp768)</description>
+ <description>Use Diffie-Hellman group 1 (modp768)</description>
</valueHelp>
<valueHelp>
<format>dh-group2</format>
- <description>Enable PFS. Use Diffie-Hellman group 2 (modp1024)</description>
+ <description>Use Diffie-Hellman group 2 (modp1024)</description>
</valueHelp>
<valueHelp>
<format>dh-group5</format>
- <description>Enable PFS. Use Diffie-Hellman group 5 (modp1536)</description>
+ <description>Use Diffie-Hellman group 5 (modp1536)</description>
</valueHelp>
<valueHelp>
<format>dh-group14</format>
- <description>Enable PFS. Use Diffie-Hellman group 14 (modp2048)</description>
+ <description>Use Diffie-Hellman group 14 (modp2048)</description>
</valueHelp>
<valueHelp>
<format>dh-group15</format>
- <description>Enable PFS. Use Diffie-Hellman group 15 (modp3072)</description>
+ <description>Use Diffie-Hellman group 15 (modp3072)</description>
</valueHelp>
<valueHelp>
<format>dh-group16</format>
- <description>Enable PFS. Use Diffie-Hellman group 16 (modp4096)</description>
+ <description>Use Diffie-Hellman group 16 (modp4096)</description>
</valueHelp>
<valueHelp>
<format>dh-group17</format>
- <description>Enable PFS. Use Diffie-Hellman group 17 (modp6144)</description>
+ <description>Use Diffie-Hellman group 17 (modp6144)</description>
</valueHelp>
<valueHelp>
<format>dh-group18</format>
- <description>Enable PFS. Use Diffie-Hellman group 18 (modp8192)</description>
+ <description>Use Diffie-Hellman group 18 (modp8192)</description>
</valueHelp>
<valueHelp>
<format>dh-group19</format>
- <description>Enable PFS. Use Diffie-Hellman group 19 (ecp256)</description>
+ <description>Use Diffie-Hellman group 19 (ecp256)</description>
</valueHelp>
<valueHelp>
<format>dh-group20</format>
- <description>Enable PFS. Use Diffie-Hellman group 20 (ecp384)</description>
+ <description>Use Diffie-Hellman group 20 (ecp384)</description>
</valueHelp>
<valueHelp>
<format>dh-group21</format>
- <description>Enable PFS. Use Diffie-Hellman group 21 (ecp521)</description>
+ <description>Use Diffie-Hellman group 21 (ecp521)</description>
</valueHelp>
<valueHelp>
<format>dh-group22</format>
- <description>Enable PFS. Use Diffie-Hellman group 22 (modp1024s160)</description>
+ <description>Use Diffie-Hellman group 22 (modp1024s160)</description>
</valueHelp>
<valueHelp>
<format>dh-group23</format>
- <description>Enable PFS. Use Diffie-Hellman group 23 (modp2048s224)</description>
+ <description>Use Diffie-Hellman group 23 (modp2048s224)</description>
</valueHelp>
<valueHelp>
<format>dh-group24</format>
- <description>Enable PFS. Use Diffie-Hellman group 24 (modp2048s256)</description>
+ <description>Use Diffie-Hellman group 24 (modp2048s256)</description>
</valueHelp>
<valueHelp>
<format>dh-group25</format>
- <description>Enable PFS. Use Diffie-Hellman group 25 (ecp192)</description>
+ <description>Use Diffie-Hellman group 25 (ecp192)</description>
</valueHelp>
<valueHelp>
<format>dh-group26</format>
- <description>Enable PFS. Use Diffie-Hellman group 26 (ecp224)</description>
+ <description>Use Diffie-Hellman group 26 (ecp224)</description>
</valueHelp>
<valueHelp>
<format>dh-group27</format>
- <description>Enable PFS. Use Diffie-Hellman group 27 (ecp224bp)</description>
+ <description>Use Diffie-Hellman group 27 (ecp224bp)</description>
</valueHelp>
<valueHelp>
<format>dh-group28</format>
- <description>Enable PFS. Use Diffie-Hellman group 28 (ecp256bp)</description>
+ <description>Use Diffie-Hellman group 28 (ecp256bp)</description>
</valueHelp>
<valueHelp>
<format>dh-group29</format>
- <description>Enable PFS. Use Diffie-Hellman group 29 (ecp384bp)</description>
+ <description>Use Diffie-Hellman group 29 (ecp384bp)</description>
</valueHelp>
<valueHelp>
<format>dh-group30</format>
- <description>Enable PFS. Use Diffie-Hellman group 30 (ecp512bp)</description>
+ <description>Use Diffie-Hellman group 30 (ecp512bp)</description>
</valueHelp>
<valueHelp>
<format>dh-group31</format>
- <description>Enable PFS. Use Diffie-Hellman group 31 (curve25519)</description>
+ <description>Use Diffie-Hellman group 31 (curve25519)</description>
</valueHelp>
<valueHelp>
<format>dh-group32</format>
- <description>Enable PFS. Use Diffie-Hellman group 32 (curve448)</description>
+ <description>Use Diffie-Hellman group 32 (curve448)</description>
</valueHelp>
<valueHelp>
<format>disable</format>
@@ -186,6 +181,7 @@
<regex>^(enable|dh-group1|dh-group2|dh-group5|dh-group14|dh-group15|dh-group16|dh-group17|dh-group18|dh-group19|dh-group20|dh-group21|dh-group22|dh-group23|dh-group24|dh-group25|dh-group26|dh-group27|dh-group28|dh-group29|dh-group30|dh-group31|dh-group32|disable)$</regex>
</constraint>
</properties>
+ <defaultValue>enable</defaultValue>
</leafNode>
<tagNode name="proposal">
<properties>
@@ -296,7 +292,7 @@
</completionHelp>
<valueHelp>
<format>yes</format>
- <description>Enable remote host re-autentication during an IKE rekey. Currently broken due to a strong swan bug</description>
+ <description>Enable remote host re-authentication during an IKE rekey. Currently broken due to a strongswan bug</description>
</valueHelp>
<valueHelp>
<format>no</format>
@@ -337,6 +333,7 @@
<validator name="numeric" argument="--range 30-86400"/>
</constraint>
</properties>
+ <defaultValue>28800</defaultValue>
</leafNode>
<leafNode name="mobike">
<properties>
@@ -483,6 +480,7 @@
<regex>^(1|2|5|14|15|16|17|18|19|20|21|22|23|24|25|26|27|28|29|30|31|32)$</regex>
</constraint>
</properties>
+ <defaultValue>2</defaultValue>
</leafNode>
#include <include/vpn-ipsec-encryption.xml.i>
#include <include/vpn-ipsec-hash.xml.i>
@@ -500,116 +498,118 @@
<help>Sets to include an additional secrets file for strongSwan. Use an absolute path to specify the included file.</help>
</properties>
</leafNode>
- <node name="ipsec-interfaces">
+ <leafNode name="interface">
<properties>
- <help>Interface to use for VPN [REQUIRED]</help>
+ <help>Onterface used for IPsec communication</help>
+ <completionHelp>
+ <script>${vyos_completion_dir}/list_interfaces.py</script>
+ </completionHelp>
+ <multi/>
</properties>
- <children>
- <leafNode name="interface">
- <properties>
- <help>IPsec interface [REQUIRED]</help>
- <completionHelp>
- <script>${vyos_completion_dir}/list_interfaces.py</script>
- </completionHelp>
- <multi/>
- </properties>
- </leafNode>
- </children>
- </node>
- <node name="logging">
+ </leafNode>
+ <node name="log">
<properties>
<help>IPsec logging</help>
</properties>
<children>
- <leafNode name="log-level">
+ <leafNode name="level">
<properties>
<help>strongSwan Logger Level</help>
<valueHelp>
- <format>u32:0-2</format>
- <description>Logger Verbosity Level (default 0)</description>
+ <format>u32:0</format>
+ <description>Very basic auditing logs e.g. SA up/SA down (default)</description>
+ </valueHelp>
+ <valueHelp>
+ <format>u32:1</format>
+ <description>Generic control flow with errors, a good default to see whats going on</description>
+ </valueHelp>
+ <valueHelp>
+ <format>u32:2</format>
+ <description>More detailed debugging control flow</description>
</valueHelp>
<constraint>
<validator name="numeric" argument="--range 0-2"/>
</constraint>
</properties>
+ <defaultValue>0</defaultValue>
</leafNode>
- <leafNode name="log-modes">
+ <leafNode name="subsystem">
<properties>
- <help>Log mode. To see what each log mode exactly does, please refer to the strongSwan documentation</help>
+ <help>Subsystem in the daemon the log comes from</help>
<completionHelp>
<list>dmn mgr ike chd job cfg knl net asn enc lib esp tls tnc imc imv pts any</list>
</completionHelp>
<valueHelp>
<format>dmn</format>
- <description>Debug log option for strongSwan</description>
+ <description>Main daemon setup/cleanup/signal handling</description>
</valueHelp>
<valueHelp>
<format>mgr</format>
- <description>Debug log option for strongSwan</description>
+ <description>IKE_SA manager, handling synchronization for IKE_SA access</description>
</valueHelp>
<valueHelp>
<format>ike</format>
- <description>Debug log option for strongSwan</description>
+ <description>IKE_SA/ISAKMP SA</description>
</valueHelp>
<valueHelp>
<format>chd</format>
- <description>Debug log option for strongSwan</description>
+ <description>CHILD_SA/IPsec SA</description>
</valueHelp>
<valueHelp>
<format>job</format>
- <description>Debug log option for strongSwan</description>
+ <description>Jobs queuing/processing and thread pool management</description>
</valueHelp>
<valueHelp>
<format>cfg</format>
- <description>Debug log option for strongSwan</description>
+ <description>Configuration management and plugins</description>
</valueHelp>
<valueHelp>
<format>knl</format>
- <description>Debug log option for strongSwan</description>
+ <description>IPsec/Networking kernel interface</description>
</valueHelp>
<valueHelp>
<format>net</format>
- <description>Debug log option for strongSwan</description>
+ <description>IKE network communication</description>
</valueHelp>
<valueHelp>
<format>asn</format>
- <description>Debug log option for strongSwan</description>
+ <description>Low-level encoding/decoding (ASN.1, X.509 etc.)</description>
</valueHelp>
<valueHelp>
<format>enc</format>
- <description>Debug log option for strongSwan</description>
+ <description>Packet encoding/decoding encryption/decryption operations</description>
</valueHelp>
<valueHelp>
<format>lib</format>
- <description>Debug log option for strongSwan</description>
+ <description>libstrongswan library messages</description>
</valueHelp>
<valueHelp>
<format>esp</format>
- <description>Debug log option for strongSwan</description>
+ <description>libipsec library messages</description>
</valueHelp>
<valueHelp>
<format>tls</format>
- <description>Debug log option for strongSwan</description>
+ <description> libtls library messages</description>
</valueHelp>
<valueHelp>
<format>tnc</format>
- <description>Debug log option for strongSwan</description>
+ <description>Trusted Network Connect</description>
</valueHelp>
<valueHelp>
<format>imc</format>
- <description>Debug log option for strongSwan</description>
+ <description>Integrity Measurement Collector</description>
</valueHelp>
<valueHelp>
<format>imv</format>
- <description>Debug log option for strongSwan</description>
+ <description>Integrity Measurement Verifier</description>
</valueHelp>
<valueHelp>
<format>pts</format>
- <description>Debug log option for strongSwan</description>
+ <description> Platform Trust Service</description>
</valueHelp>
<valueHelp>
<format>any</format>
- <description>Debug log option for strongSwan</description>
+ <description>Any subsystem</description>
</valueHelp>
<constraint>
<regex>^(dmn|mgr|ike|chd|job|cfg|knl|net|asn|enc|lib|esp|tls|tnc|imc|imv|pts|any)$</regex>
@@ -619,59 +619,6 @@
</leafNode>
</children>
</node>
- <node name="nat-networks">
- <properties>
- <help>Network Address Translation (NAT) networks</help>
- </properties>
- <children>
- <tagNode name="allowed-network">
- <properties>
- <help>NAT networks to allow</help>
- <valueHelp>
- <format>ipv4net</format>
- <description>NAT networks to allow</description>
- </valueHelp>
- <constraint>
- <validator name="ip-prefix"/>
- </constraint>
- </properties>
- <children>
- <leafNode name="exclude">
- <properties>
- <help>NAT networks to exclude from allowed-networks</help>
- <valueHelp>
- <format>ipv4net</format>
- <description>NAT networks to exclude from allowed-networks</description>
- </valueHelp>
- <constraint>
- <validator name="ip-prefix"/>
- </constraint>
- <multi/>
- </properties>
- </leafNode>
- </children>
- </tagNode>
- </children>
- </node>
- <leafNode name="nat-traversal">
- <properties>
- <help>Network Address Translation (NAT) traversal</help>
- <completionHelp>
- <list>disable enable</list>
- </completionHelp>
- <valueHelp>
- <format>disable</format>
- <description>Disable NAT-T</description>
- </valueHelp>
- <valueHelp>
- <format>enable</format>
- <description>Enable NAT-T</description>
- </valueHelp>
- <constraint>
- <regex>^(disable|enable)$</regex>
- </constraint>
- </properties>
- </leafNode>
<node name="options">
<properties>
<help>Global IPsec settings</help>
@@ -690,69 +637,261 @@
<help>VPN IPSec Profile</help>
</properties>
<children>
+ #include <include/generic-disable-node.xml.i>
<node name="authentication">
<properties>
<help>Authentication [REQUIRED]</help>
</properties>
<children>
- <node name="mode">
+ <leafNode name="mode">
<properties>
<help>Authentication mode</help>
+ <completionHelp>
+ <list>pre-shared-secret</list>
+ </completionHelp>
+ <valueHelp>
+ <format>pre-shared-secret</format>
+ <description>Use pre shared secret key</description>
+ </valueHelp>
+ </properties>
+ </leafNode>
+ #include <include/ipsec/authentication-pre-shared-secret.xml.i>
+ </children>
+ </node>
+ <node name="bind">
+ <properties>
+ <help>DMVPN crypto configuration</help>
+ </properties>
+ <children>
+ <leafNode name="tunnel">
+ <properties>
+ <help>Tunnel interface associated with this configuration profile</help>
+ <completionHelp>
+ <path>interfaces tunnel</path>
+ </completionHelp>
+ <valueHelp>
+ <format>txt</format>
+ <description>Associated interface to this configuration profile</description>
+ </valueHelp>
+ <multi/>
+ </properties>
+ </leafNode>
+ </children>
+ </node>
+ #include <include/ipsec/esp-group.xml.i>
+ #include <include/ipsec/ike-group.xml.i>
+ </children>
+ </tagNode>
+ <node name="remote-access">
+ <properties>
+ <help>IKEv2 remote access VPN</help>
+ </properties>
+ <children>
+ <tagNode name="connection">
+ <properties>
+ <help>IKEv2 VPN connection name</help>
+ </properties>
+ <children>
+ <node name="authentication">
+ <properties>
+ <help>Authentication for remote access</help>
</properties>
<children>
- <leafNode name="pre-shared-secret">
+ #include <include/ipsec/authentication-id.xml.i>
+ #include <include/ipsec/authentication-x509.xml.i>
+ <leafNode name="client-mode">
<properties>
- <help>Use pre-shared secret key</help>
- <valueless/>
+ <help>Client authentication mode</help>
+ <completionHelp>
+ <list>eap-tls eap-mschapv2 eap-radius</list>
+ </completionHelp>
+ <valueHelp>
+ <format>eap-tls</format>
+ <description>Client uses EAP-TLS authentication</description>
+ </valueHelp>
+ <valueHelp>
+ <format>eap-mschapv2</format>
+ <description>Client uses EAP-MSCHAPv2 authentication</description>
+ </valueHelp>
+ <valueHelp>
+ <format>eap-radius</format>
+ <description>Client uses EAP-RADIUS authentication</description>
+ </valueHelp>
+ <constraint>
+ <regex>^(eap-tls|eap-mschapv2|eap-radius)$</regex>
+ </constraint>
</properties>
+ <defaultValue>eap-mschapv2</defaultValue>
</leafNode>
+ #include <include/auth-local-users.xml.i>
+ <leafNode name="server-mode">
+ <properties>
+ <help>Server authentication mode</help>
+ <completionHelp>
+ <list>pre-shared-secret x509</list>
+ </completionHelp>
+ <valueHelp>
+ <format>pre-shared-secret</format>
+ <description>pre-shared-secret_description</description>
+ </valueHelp>
+ <valueHelp>
+ <format>x509</format>
+ <description>x509_description</description>
+ </valueHelp>
+ <constraint>
+ <regex>^(pre-shared-secret|x509)$</regex>
+ </constraint>
+ </properties>
+ <defaultValue>x509</defaultValue>
+ </leafNode>
+ #include <include/ipsec/authentication-pre-shared-secret.xml.i>
</children>
</node>
- <leafNode name="pre-shared-secret">
+ #include <include/generic-description.xml.i>
+ #include <include/generic-disable-node.xml.i>
+ #include <include/ipsec/esp-group.xml.i>
+ #include <include/ipsec/ike-group.xml.i>
+ #include <include/ipsec/local-address.xml.i>
+ #include <include/ipsec/local-traffic-selector.xml.i>
+ <leafNode name="timeout">
<properties>
- <help>Pre-shared secret key</help>
+ <help>Timeout to close connection if no data is transmitted</help>
+ <valueHelp>
+ <format>u32:10-86400</format>
+ <description>Timeout in seconds (default 28800)</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 10-86400"/>
+ </constraint>
+ </properties>
+ <defaultValue>28800</defaultValue>
+ </leafNode>
+ <leafNode name="pool">
+ <properties>
+ <help>Pool name used for IP address assignments</help>
+ <completionHelp>
+ <path>vpn ipsec remote-access pool</path>
+ <list>dhcp</list>
+ </completionHelp>
<valueHelp>
<format>txt</format>
- <description>Pre-shared secret key</description>
+ <description>Pool name</description>
</valueHelp>
+ <multi/>
+ </properties>
+ </leafNode>
+ <leafNode name="unique">
+ <properties>
+ <help>Connection uniqueness policy to enforce</help>
+ <completionHelp>
+ <list>never keep replace</list>
+ </completionHelp>
+ <valueHelp>
+ <format>never</format>
+ <description>Never enforce connection uniqueness policy</description>
+ </valueHelp>
+ <valueHelp>
+ <format>keep</format>
+ <description>Rejects new connection attempts if the same user already has an active connection</description>
+ </valueHelp>
+ <valueHelp>
+ <format>replace</format>
+ <description>Delete any existing connection if a new one for the same user gets established</description>
+ </valueHelp>
+ <constraint>
+ <regex>^(never|keep|replace)$</regex>
+ </constraint>
</properties>
</leafNode>
</children>
- </node>
- <node name="bind">
+ </tagNode>
+ <node name="dhcp">
<properties>
- <help>DMVPN crypto configuration</help>
+ <help>DHCP pool options for remote-access</help>
</properties>
<children>
- <leafNode name="bind_child">
+ <leafNode name="interface">
<properties>
- <help>bind_child_help</help>
- <valueless/>
+ <help>Interface with DHCP server to use</help>
+ <completionHelp>
+ <script>${vyos_completion_dir}/list_interfaces.py</script>
+ </completionHelp>
+ </properties>
+ </leafNode>
+ <leafNode name="server">
+ <properties>
+ <help>DHCP server address</help>
+ <valueHelp>
+ <format>ipv4</format>
+ <description>DHCP server IPv4 address</description>
+ </valueHelp>
+ <constraint>
+ <validator name="ipv4-address"/>
+ </constraint>
</properties>
</leafNode>
</children>
</node>
- <leafNode name="esp-group">
+ <tagNode name="pool">
<properties>
- <help>Esp group name [REQUIRED]</help>
- <completionHelp>
- <path>vpn ipsec esp-group</path>
- </completionHelp>
+ <help>IP address pool for remote-access users</help>
</properties>
- </leafNode>
- <leafNode name="ike-group">
- <properties>
- <help>Ike group name [REQUIRED]</help>
- <completionHelp>
- <path>vpn ipsec ike-group</path>
- </completionHelp>
- </properties>
- </leafNode>
+ <children>
+ <leafNode name="exclude">
+ <properties>
+ <help>Local IPv4 or IPv6 pool prefix exclusions</help>
+ <valueHelp>
+ <format>ipv4</format>
+ <description>Local IPv4 pool prefix exclusion</description>
+ </valueHelp>
+ <valueHelp>
+ <format>ipv6</format>
+ <description>Local IPv6 pool prefix exclusion</description>
+ </valueHelp>
+ <constraint>
+ <validator name="ipv4-prefix"/>
+ <validator name="ipv6-prefix"/>
+ </constraint>
+ <multi/>
+ </properties>
+ </leafNode>
+ <leafNode name="prefix">
+ <properties>
+ <help>Local IPv4 or IPv6 pool prefix</help>
+ <valueHelp>
+ <format>ipv4</format>
+ <description>Local IPv4 pool prefix</description>
+ </valueHelp>
+ <valueHelp>
+ <format>ipv6</format>
+ <description>Local IPv6 pool prefix</description>
+ </valueHelp>
+ <constraint>
+ <validator name="ipv4-prefix"/>
+ <validator name="ipv6-prefix"/>
+ </constraint>
+ </properties>
+ </leafNode>
+ <!-- Include Accel-PPP definition here, maybe time for a rename? -->
+ #include <include/accel-ppp/name-server.xml.i>
+ </children>
+ </tagNode>
+ #include <include/radius-server-ipv4.xml.i>
+ <node name="radius">
+ <children>
+ #include <include/radius-nas-identifier.xml.i>
+ <tagNode name="server">
+ <children>
+ #include <include/accel-ppp/radius-additions-disable-accounting.xml.i>
+ </children>
+ </tagNode>
+ </children>
+ </node>
</children>
- </tagNode>
+ </node>
<node name="site-to-site">
<properties>
- <help>Site to site VPN</help>
+ <help>Site-to-site VPN</help>
</properties>
<children>
<tagNode name="peer">
@@ -776,20 +915,15 @@
</valueHelp>
</properties>
<children>
+ #include <include/generic-disable-node.xml.i>
<node name="authentication">
<properties>
<help>Peer authentication [REQUIRED]</help>
</properties>
<children>
- <leafNode name="id">
- <properties>
- <help>ID for peer authentication</help>
- <valueHelp>
- <format>txt</format>
- <description>ID used for peer authentication</description>
- </valueHelp>
- </properties>
- </leafNode>
+ #include <include/ipsec/authentication-id.xml.i>
+ #include <include/ipsec/authentication-rsa.xml.i>
+ #include <include/ipsec/authentication-x509.xml.i>
<leafNode name="mode">
<properties>
<help>Authentication mode</help>
@@ -813,15 +947,7 @@
</constraint>
</properties>
</leafNode>
- <leafNode name="pre-shared-secret">
- <properties>
- <help>Pre-shared secret key</help>
- <valueHelp>
- <format>txt</format>
- <description>Pre-shared secret key</description>
- </valueHelp>
- </properties>
- </leafNode>
+ #include <include/ipsec/authentication-pre-shared-secret.xml.i>
<leafNode name="remote-id">
<properties>
<help>ID for remote authentication</help>
@@ -831,60 +957,12 @@
</valueHelp>
</properties>
</leafNode>
- <leafNode name="rsa-key-name">
- <properties>
- <help>RSA key name</help>
- </properties>
- </leafNode>
<leafNode name="use-x509-id">
<properties>
<help>Use certificate common name as ID</help>
<valueless/>
</properties>
</leafNode>
- <node name="x509">
- <properties>
- <help>X.509 certificate</help>
- </properties>
- <children>
- #include <include/certificate.xml.i>
- #include <include/certificate-ca.xml.i>
- <leafNode name="crl-file">
- <properties>
- <help>File containing the X.509 Certificate Revocation List (CRL)</help>
- <valueHelp>
- <format>txt</format>
- <description>File in /config/auth</description>
- </valueHelp>
- </properties>
- </leafNode>
- <node name="key">
- <properties>
- <help>Key file and password to open it</help>
- </properties>
- <children>
- <leafNode name="file">
- <properties>
- <help>File containing the private key for the X.509 certificate for this host</help>
- <valueHelp>
- <format>txt</format>
- <description>File in /config/auth</description>
- </valueHelp>
- </properties>
- </leafNode>
- <leafNode name="password">
- <properties>
- <help>Password that protects the private key</help>
- <valueHelp>
- <format>txt</format>
- <description>Password that protects the private key</description>
- </valueHelp>
- </properties>
- </leafNode>
- </children>
- </node>
- </children>
- </node>
</children>
</node>
<leafNode name="connection-type">
@@ -909,20 +987,13 @@
<leafNode name="default-esp-group">
<properties>
<help>Defult ESP group name</help>
+ <completionHelp>
+ <path>vpn ipsec esp-group</path>
+ </completionHelp>
</properties>
</leafNode>
- <leafNode name="description">
- <properties>
- <help>VPN peer description</help>
- <valueless/>
- </properties>
- </leafNode>
- <leafNode name="dhcp-interface">
- <properties>
- <help>DHCP interface to listen on</help>
- <valueless/>
- </properties>
- </leafNode>
+ #include <include/generic-description.xml.i>
+ #include <include/dhcp-interface.xml.i>
<leafNode name="force-encapsulation">
<properties>
<help>Force UDP Encapsulation for ESP Payloads</help>
@@ -942,14 +1013,7 @@
</constraint>
</properties>
</leafNode>
- <leafNode name="ike-group">
- <properties>
- <help>Internet Key Exchange (IKE) group name [REQUIRED]</help>
- <completionHelp>
- <path>vpn ipsec ike-group</path>
- </completionHelp>
- </properties>
- </leafNode>
+ #include <include/ipsec/ike-group.xml.i>
<leafNode name="ikev2-reauth">
<properties>
<help>Re-authentication of the remote peer during an IKE re-key. IKEv2 option only</help>
@@ -973,31 +1037,7 @@
</constraint>
</properties>
</leafNode>
- <leafNode name="local-address">
- <properties>
- <help>IPv4 or IPv6 address of a local interface to use for VPN</help>
- <completionHelp>
- <list>any</list>
- </completionHelp>
- <valueHelp>
- <format>ipv4</format>
- <description>IPv4 address of a local interface for VPN</description>
- </valueHelp>
- <valueHelp>
- <format>ipv6</format>
- <description>IPv6 address of a local interface for VPN</description>
- </valueHelp>
- <valueHelp>
- <format>any</format>
- <description>Allow any IPv4 address present on the system to be used for VPN</description>
- </valueHelp>
- <constraint>
- <validator name="ipv4-address"/>
- <validator name="ipv6-address"/>
- <regex>^(any)$</regex>
- </constraint>
- </properties>
- </leafNode>
+ #include <include/ipsec/local-address.xml.i>
<tagNode name="tunnel">
<properties>
<help>Peer tunnel [REQUIRED]</help>
@@ -1007,114 +1047,16 @@
</valueHelp>
</properties>
<children>
- <leafNode name="allow-nat-networks">
- <properties>
- <help>Option to allow NAT networks</help>
- <completionHelp>
- <list>enable disable</list>
- </completionHelp>
- <valueHelp>
- <format>enable</format>
- <description>Enable NAT networks</description>
- </valueHelp>
- <valueHelp>
- <format>disable</format>
- <description>Disable NAT networks (default)</description>
- </valueHelp>
- <constraint>
- <regex>^(enable|disable)$</regex>
- </constraint>
- </properties>
- </leafNode>
- <leafNode name="allow-public-networks">
- <properties>
- <help>Option to allow public networks</help>
- <completionHelp>
- <list>enable disable</list>
- </completionHelp>
- <valueHelp>
- <format>enable</format>
- <description>Enable public networks</description>
- </valueHelp>
- <valueHelp>
- <format>disable</format>
- <description>Disable public networks (default)</description>
- </valueHelp>
- <constraint>
- <regex>^(enable|disable)$</regex>
- </constraint>
- </properties>
- </leafNode>
#include <include/generic-disable-node.xml.i>
- <leafNode name="esp-group">
- <properties>
- <help>ESP group name</help>
- <completionHelp>
- <path>vpn ipsec esp-group</path>
- </completionHelp>
- </properties>
- </leafNode>
- <node name="local">
- <properties>
- <help>Local parameters for interesting traffic</help>
- </properties>
- <children>
- <leafNode name="port">
- <properties>
- <help>Any TCP or UDP port</help>
- <valueHelp>
- <format>port name</format>
- <description>Named port (any name in /etc/services, e.g., http)</description>
- </valueHelp>
- <valueHelp>
- <format>u32:1-65535</format>
- <description>Numbered port</description>
- </valueHelp>
- </properties>
- </leafNode>
- <leafNode name="prefix">
- <properties>
- <help>Local IPv4 or IPv6 prefix</help>
- <valueHelp>
- <format>ipv4</format>
- <description>Local IPv4 prefix</description>
- </valueHelp>
- <valueHelp>
- <format>ipv6</format>
- <description>Local IPv6 prefix</description>
- </valueHelp>
- <constraint>
- <validator name="ipv4-prefix"/>
- <validator name="ipv6-prefix"/>
- </constraint>
- </properties>
- </leafNode>
- </children>
- </node>
- <leafNode name="protocol">
- <properties>
- <help>Protocol to encrypt</help>
- <valueless/>
- </properties>
- </leafNode>
+ #include <include/ipsec/esp-group.xml.i>
+ #include <include/ipsec/local-traffic-selector.xml.i>
+ #include <include/ip-protocol.xml.i>
<node name="remote">
<properties>
<help>Remote parameters for interesting traffic</help>
</properties>
<children>
- <leafNode name="port">
- <properties>
- <help>Any TCP or UDP port</help>
- <valueHelp>
- <format>port name</format>
- <description>Named port (any name in /etc/services, e.g., http)</description>
- </valueHelp>
- <valueHelp>
- <format>u32:1-65535</format>
- <description>Numbered port</description>
- </valueHelp>
- </properties>
- </leafNode>
+ #include <include/port-number.xml.i>
<leafNode name="prefix">
<properties>
<help>Remote IPv4 or IPv6 prefix</help>
@@ -1130,6 +1072,7 @@
<validator name="ipv4-prefix"/>
<validator name="ipv6-prefix"/>
</constraint>
+ <multi/>
</properties>
</leafNode>
</children>
@@ -1143,17 +1086,13 @@
<children>
<leafNode name="bind">
<properties>
- <help>VTI tunnel interface associated with this configuration [REQUIRED]</help>
- </properties>
- </leafNode>
- <leafNode name="esp-group">
- <properties>
- <help>ESP group name [REQUIRED]</help>
+ <help>VTI tunnel interface associated with this configuration</help>
<completionHelp>
- <path>vpn ipsec esp-group</path>
+ <path>interfaces vti</path>
</completionHelp>
</properties>
</leafNode>
+ #include <include/ipsec/esp-group.xml.i>
</children>
</node>
</children>
generated by cgit v1.2.3 (git 2.39.1) at 2024-12-18 23:29:37 +0000