From b2bf1592189fb9298f2a68272418a132a73f37bf Mon Sep 17 00:00:00 2001
From: Christian Poessinger <christian@poessinger.com>
Date: Sat, 3 Jul 2021 15:52:26 +0200
Subject: ipsec: T1210: T1251: IKEv2 road-warrior support

set vpn ipsec esp-group ESP-RW compression 'disable'
set vpn ipsec esp-group ESP-RW lifetime '3600'
set vpn ipsec esp-group ESP-RW pfs 'disable'
set vpn ipsec esp-group ESP-RW proposal 10 encryption 'aes256'
set vpn ipsec esp-group ESP-RW proposal 10 hash 'sha256'
set vpn ipsec esp-group ESP-RW proposal 20 encryption 'aes256'
set vpn ipsec esp-group ESP-RW proposal 20 hash 'sha1'
set vpn ipsec ike-group IKE-RW key-exchange 'ikev2'
set vpn ipsec ike-group IKE-RW lifetime '10800'
set vpn ipsec ike-group IKE-RW mobike 'enable'
set vpn ipsec ike-group IKE-RW proposal 10 dh-group '2'
set vpn ipsec ike-group IKE-RW proposal 10 encryption 'aes256'
set vpn ipsec ike-group IKE-RW proposal 10 hash 'sha1'
set vpn ipsec ike-group IKE-RW proposal 20 dh-group '2'
set vpn ipsec ike-group IKE-RW proposal 20 encryption 'aes128'
set vpn ipsec ike-group IKE-RW proposal 20 hash 'sha1'
set vpn ipsec ipsec-interfaces interface 'dum0'
set vpn ipsec remote-access rw authentication id 'vyos'
set vpn ipsec remote-access rw authentication local-users username vyos password vyos
set vpn ipsec remote-access rw authentication x509 ca-certificate 'peer_172-18-254-202'
set vpn ipsec remote-access rw authentication x509 certificate 'peer_172-18-254-202'
set vpn ipsec remote-access rw description 'asdf'
set vpn ipsec remote-access rw esp-group 'ESP-RW'
set vpn ipsec remote-access rw ike-group 'IKE-RW'
---
 interface-definitions/vpn_ipsec.xml.in | 53 ++++++++++++++++++++++++++++++++++
 1 file changed, 53 insertions(+)

(limited to 'interface-definitions')

diff --git a/interface-definitions/vpn_ipsec.xml.in b/interface-definitions/vpn_ipsec.xml.in
index ff60bb82f..ef3b05e29 100644
--- a/interface-definitions/vpn_ipsec.xml.in
+++ b/interface-definitions/vpn_ipsec.xml.in
@@ -705,6 +705,59 @@
               #include <include/ipsec/ike-group.xml.i>
             </children>
           </tagNode>
+          <tagNode name="remote-access">
+            <properties>
+              <help>Remote access IKEv2 VPN </help>
+            </properties>
+            <children>
+              <node name="authentication">
+                <properties>
+                  <help>Authentication for remote access</help>
+                </properties>
+                <children>
+                  #include <include/ipsec/authentication-id.xml.i>
+                  #include <include/ipsec/authentication-x509.xml.i>
+                  <node name="local-users">
+                    <properties>
+                      <help>Local user authentication for PPPoE server</help>
+                    </properties>
+                    <children>
+                      <tagNode name="username">
+                        <properties>
+                          <help>User name for authentication</help>
+                        </properties>
+                        <children>
+                          #include <include/generic-disable-node.xml.i>
+                          <leafNode name="password">
+                            <properties>
+                              <help>Password for authentication</help>
+                            </properties>
+                          </leafNode>
+                        </children>
+                      </tagNode>
+                    </children>
+                  </node>
+                </children>
+              </node>
+              #include <include/generic-description.xml.i>
+              #include <include/generic-disable-node.xml.i>
+              #include <include/ipsec/esp-group.xml.i>
+              #include <include/ipsec/ike-group.xml.i>
+              <leafNode name="timeout">
+                <properties>
+                  <help>Timeout to close connection if no data is transmitted</help>
+                  <valueHelp>
+                    <format>u32:10-86400</format>
+                    <description>Timeout in seconds (default 28800)</description>
+                  </valueHelp>
+                  <constraint>
+                    <validator name="numeric" argument="--range 10-86400"/>
+                  </constraint>
+                </properties>
+                <defaultValue>28800</defaultValue>
+              </leafNode>
+            </children>
+          </tagNode>
           <node name="site-to-site">
             <properties>
               <help>Site-to-site VPN</help>
-- 
cgit v1.2.3