<?xml version="1.0"?>
<interfaceDefinition>
  <node name="vpn">
    <children>
      <node name="openconnect" owner="${vyos_conf_scripts_dir}/vpn_openconnect.py">
        <properties>
          <help>SSL VPN OpenConnect, AnyConnect compatible server</help>
          <priority>901</priority>
        </properties>
        <children>
          <node name="authentication">
            <properties>
              <help>Authentication for remote access SSL VPN Server</help>
            </properties>
            <children>
              <node name="mode">
                <properties>
                  <help>Authentication mode used by this server</help>
                </properties>
                <children>
                  <leafNode name="local">
                    <properties>
                      <help>Use local username/password configuration (OTP supported)</help>
                      <valueHelp>
                        <format>password</format>
                        <description>Password-only local authentication</description>
                      </valueHelp>
                      <valueHelp>
                        <format>otp</format>
                        <description>OTP-only local authentication</description>
                      </valueHelp>
                      <valueHelp>
                        <format>password-otp</format>
                        <description>Password (first) + OTP local authentication</description>
                      </valueHelp>
                      <constraint>
                        <regex>(password|otp|password-otp)</regex>
                      </constraint>
                      <constraintErrorMessage>Invalid authentication mode. Must be one of: password, otp or password-otp </constraintErrorMessage>
                      <completionHelp>
                        <list>otp password password-otp</list>
                      </completionHelp>
                    </properties>
                  </leafNode>
                  <leafNode name="radius">
                    <properties>
                      <help>Use RADIUS server for user autentication</help>
                      <valueless/>
                    </properties>
                  </leafNode>
                </children>
              </node>
              #include <include/auth-local-users.xml.i>
              #include <include/radius-server-ipv4.xml.i>
              <node name="radius">
                <children>
                  <leafNode name="timeout">
                    <properties>
                      <help>Session timeout</help>
                      <valueHelp>
                        <format>u32:1-240</format>
                        <description>Session timeout in seconds (default: 2)</description>
                      </valueHelp>
                      <constraint>
                        <validator name="numeric" argument="--range 1-240"/>
                      </constraint>
                      <constraintErrorMessage>Timeout must be between 1 and 240 seconds</constraintErrorMessage>
                    </properties>
                    <defaultValue>2</defaultValue>
                  </leafNode>
                </children>
              </node>
            </children>
          </node>
          <node name="listen-ports">
            <properties>
              <help>Specify custom ports to use for client connections</help>
            </properties>
            <children>
              <leafNode name="tcp">
                <properties>
                  <help>tcp port number to accept connections</help>
                  <valueHelp>
                    <format>u32:1-65535</format>
                    <description>Numeric IP port</description>
                  </valueHelp>
                  <constraint>
                    <validator name="numeric" argument="--range 1-65535"/>
                  </constraint>
                </properties>
                <defaultValue>443</defaultValue>
              </leafNode>
              <leafNode name="udp">
                <properties>
                  <help>udp port number to accept connections</help>
                  <valueHelp>
                    <format>u32:1-65535</format>
                    <description>Numeric IP port</description>
                  </valueHelp>
                  <constraint>
                    <validator name="numeric" argument="--range 1-65535"/>
                  </constraint>
                </properties>
                <defaultValue>443</defaultValue>
              </leafNode>
            </children>
          </node>
          <node name="ssl">
            <properties>
              <help>SSL Certificate, SSL Key and CA</help>
            </properties>
            <children>
              #include <include/pki/ca-certificate.xml.i>
              #include <include/pki/certificate-key.xml.i>
            </children>
          </node>
          <node name="network-settings">
            <properties>
              <help>Network settings</help>
            </properties>
            <children>
              <leafNode name="push-route">
                <properties>
                  <help>Route to be pushed to the client</help>
                  <valueHelp>
                    <format>ipv4net</format>
                    <description>IPv4 network and prefix length</description>
                  </valueHelp>
                  <valueHelp>
                    <format>ipv6net</format>
                    <description>IPv6 network and prefix length</description>
                  </valueHelp>
                  <constraint>
                    <validator name="ip-prefix"/>
                  </constraint>
                  <multi/>
                </properties>
              </leafNode>
              <node name="client-ip-settings">
                <properties>
                  <help>Client IP pools settings</help>
                </properties>
                <children>
                  <leafNode name="subnet">
                    <properties>
                      <help>Client IP subnet (CIDR notation)</help>
                      <valueHelp>
                        <format>ipv4net</format>
                        <description>IPv4 address and prefix length</description>
                      </valueHelp>
                      <constraint>
                        <validator name="ipv4-prefix"/>
                      </constraint>
                      <constraintErrorMessage>Not a valid CIDR formatted prefix</constraintErrorMessage>
                    </properties>
                  </leafNode>
                </children>
              </node>
              <node name="client-ipv6-pool">
                <properties>
                  <help>Pool of client IPv6 addresses</help>
                </properties>
                <children>
                  <leafNode name="prefix">
                    <properties>
                      <help>Pool of addresses used to assign to clients</help>
                      <valueHelp>
                        <format>ipv6net</format>
                        <description>IPv6 address and prefix length</description>
                      </valueHelp>
                      <constraint>
                        <validator name="ipv6-prefix"/>
                      </constraint>
                    </properties>
                  </leafNode>
                  <leafNode name="mask">
                    <properties>
                      <help>Prefix length used for individual client</help>
                      <valueHelp>
                        <format>u32:48-128</format>
                        <description>Client prefix length</description>
                      </valueHelp>
                      <constraint>
                        <validator name="numeric" argument="--range 48-128"/>
                      </constraint>
                    </properties>
                    <defaultValue>64</defaultValue>
                  </leafNode>
                </children>
              </node>
              #include <include/name-server-ipv4-ipv6.xml.i>
            </children>
          </node>
      </children>
    </node>
  </children>
</node>
</interfaceDefinition>