author | ekhudiyev <88712424+ekhudiyev@users.noreply.github.com> | 2021-12-01 12:59:53 +0400
committer | GitHub <noreply@github.com> | 2021-12-01 12:59:53 +0400
commit | 80c25fa38bc7eeea1892bdbf5ec04e024ef25280 (patch)
tree | 12d96ba58db840a342c02753d655df1818aa5bcd /docs/configuration
parent | bff0668fd74a14c9ca1b324eb917f0fd24cd68c9 (diff)
parent | b2dbf6a4ca446a5cde08c54a712d9da8580d7f10 (diff)
Merge branch 'vyos:master' into patch-2
Diffstat (limited to 'docs/configuration')
-rw-r--r-- | docs/configuration/protocols/ospf.rst | 41
-rw-r--r-- | docs/configuration/service/tftp-server.rst | 8
-rw-r--r-- | docs/configuration/vpn/ipsec.rst | 82
-rw-r--r-- | docs/configuration/vrf/index.rst | 2
4 files changed, 113 insertions, 20 deletions
diff --git a/docs/configuration/protocols/ospf.rst b/docs/configuration/protocols/ospf.rst index ccddcd92..bb67653e 100644 --- a/docs/configuration/protocols/ospf.rst +++ b/docs/configuration/protocols/ospf.rst @@ -37,12 +37,12 @@ starts when the first ospf enabled interface is configured. This command is also used to enable the OSPF process. The area number can be specified in decimal notation in the range from 0 to 4294967295. Or it can be specified in dotted decimal notation similar to ip address. - + Prefix length in interface must be equal or bigger (i.e. smaller network) than prefix length in network statement. For example statement above doesn't enable ospf on interface with address 192.168.1.1/23, but it does on interface with address 192.168.1.129/25. - + In some cases it may be more convenient to enable OSPF on a per interface/subnet basis :cfgcmd:`set protocols ospf interface <interface> area <x.x.x.x | x>` @@ -145,12 +145,16 @@ Optional This command should NOT be set normally. -.. cfgcmd:: set protocols ospf passive-interface <interface> +.. cfgcmd:: set protocols ospf interface <interface> passive [disable] This command specifies interface as passive. Passive interface advertises its address, but does not run the OSPF protocol (adjacencies are not formed and hello packets are not generated). + The optional `disable` option allows to exclude interface from passive state. + This command is used if the command :cfgcmd:`passive-interface default` was + configured. + .. cfgcmd:: set protocols ospf passive-interface default This command specifies all interfaces as passive by default. Because this 
@@ -158,11 +162,6 @@ Optional interfaces where router adjacencies are expected need to be configured with the :cfgcmd:`passive-interface-exclude` command. -.. cfgcmd:: set protocols ospf passive-interface-exclude <interface> - - This command allows exclude interface from passive state. This command is - used if the command :cfgcmd:`passive-interface default` was configured. - .. cfgcmd:: set protocols ospf refresh timers <seconds> The router automatically updates link-state information with its neighbors. @@ -549,12 +548,12 @@ Operational Mode Commands This command displays the neighbors information in a detailed form for a neighbor whose IP address is specified. -.. opcmd:: show ip ospf neighbor <intname> +.. opcmd:: show ip ospf neighbor <interface> This command displays the neighbors status for a neighbor on the specified interface. -.. opcmd:: show ip ospf interface [<intname>] +.. opcmd:: show ip ospf interface [<interface>] This command displays state and configuration of OSPF the specified interface, or all interfaces if no interface is given. @@ -754,6 +753,8 @@ address and the node 1 sending the default route: set policy route-map CONNECT rule 10 match interface lo +.. _routing-ospfv3: + ************* OSPFv3 (IPv6) ************* 
@@ -826,20 +827,20 @@ Area Configuration Interface Configuration ----------------------- -.. cfgcmd:: set protocols ospfv3 interface <intname> ipv6 cost <number> +.. cfgcmd:: set protocols ospfv3 interface <interface> ipv6 cost <number> This command sets link cost for the specified interface. The cost value is set to router-LSA’s metric field and used for SPF calculation. The cost range is 1 to 65535. -.. cfgcmd:: set protocols ospfv3 interface <intname> dead-interval <number> +.. cfgcmd:: set protocols ospfv3 interface <interface> dead-interval <number> Set number of seconds for router Dead Interval timer value used for Wait Timer and Inactivity Timer. This value must be the same for all routers attached to a common network. The default value is 40 seconds. The interval range is 1 to 65535. -.. cfgcmd:: set protocols ospfv3 interface <intname> hello-interval +.. cfgcmd:: set protocols ospfv3 interface <interface> hello-interval <number> Set number of seconds for Hello Interval timer value. Setting this value, @@ -848,14 +849,14 @@ Interface Configuration common network. The default value is 10 seconds. The interval range is 1 to 65535. -.. cfgcmd:: set protocols ospfv3 interface <intname> mtu-ignore +.. cfgcmd:: set protocols ospfv3 interface <interface> mtu-ignore This command disables check of the MTU value in the OSPF DBD packets. Thus, use of this command allows the OSPF adjacency to reach the FULL state even though there is an interface MTU mismatch between two OSPF routers. -.. cfgcmd:: set protocols ospfv3 interface <intname> network <type> +.. cfgcmd:: set protocols ospfv3 interface <interface> network <type> This command allows to specify the distribution type for the network connected to this interface: 
@@ -863,20 +864,20 @@ Interface Configuration **broadcast** – broadcast IP addresses distribution. **point-to-point** – address distribution in point-to-point networks. -.. cfgcmd:: set protocols ospfv3 interface <intname> priority <number> +.. cfgcmd:: set protocols ospfv3 interface <interface> priority <number> This command sets Router Priority integer value. The router with the highest priority will be more eligible to become Designated Router. Setting the value to 0, makes the router ineligible to become Designated Router. The default value is 1. The interval range is 0 to 255. -.. cfgcmd:: set protocols ospfv3 interface <intname> passive +.. cfgcmd:: set protocols ospfv3 interface <interface> passive This command specifies interface as passive. Passive interface advertises its address, but does not run the OSPF protocol (adjacencies are not formed and hello packets are not generated). -.. cfgcmd:: set protocols ospfv3 interface <intname> retransmit-interval +.. cfgcmd:: set protocols ospfv3 interface <interface> retransmit-interval <number> This command sets number of seconds for RxmtInterval timer value. This @@ -884,7 +885,7 @@ Interface Configuration Request packets if acknowledge was not received. The default value is 5 seconds. The interval range is 3 to 65535. -.. cfgcmd:: set protocols ospfv3 interface <intname> transmit-delay +.. cfgcmd:: set protocols ospfv3 interface <interface> transmit-delay <number> This command sets number of seconds for InfTransDelay value. It allows to @@ -927,7 +928,7 @@ Operational Mode Commands This command displays the neighbor DR choice information. -.. opcmd:: show ipv6 ospfv3 interface [prefix]|[<intname> [prefix]] +.. opcmd:: show ipv6 ospfv3 interface [prefix]|[<interface> [prefix]] This command displays state and configuration of OSPF the specified interface, or all interfaces if no interface is given. Whith the argument 
diff --git a/docs/configuration/service/tftp-server.rst b/docs/configuration/service/tftp-server.rst index 11011144..0ca75efe 100644 --- a/docs/configuration/service/tftp-server.rst +++ b/docs/configuration/service/tftp-server.rst @@ -28,6 +28,14 @@ Configure the IPv4 or IPv6 listen address of the TFTP server. Multiple IPv4 and IPv6 addresses can be given. There will be one TFTP server instances listening on each IP address. +.. cfgcmd:: set service tftp-server listen-address <address> vrf <name> + +.. stop_vyoslinter + +Additional option to run TFTP server in the :abbr:`VRF (Virtual Routing and Forwarding)` context + +.. start_vyoslinter + .. note:: Configuring a listen-address is essential for the service to work. .. cfgcmd:: set service tftp-server allow-upload diff --git a/docs/configuration/vpn/ipsec.rst b/docs/configuration/vpn/ipsec.rst index 50814b6e..29dc5a0e 100644 --- a/docs/configuration/vpn/ipsec.rst +++ b/docs/configuration/vpn/ipsec.rst 
@@ -29,6 +29,88 @@ for the cipher and hash. Adjust this as necessary. .. NOTE:: VMware users should ensure that a VMXNET3 adapter is used. E1000 adapters have known issues with GRE processing. +************************************** +IKE (Internet Key Exchange) Attributes +************************************** +IKE performs mutual authentication between two parties and establishes +an IKE security association (SA) that includes shared secret information +that can be used to efficiently establish SAs for Encapsulating Security +Payload (ESP) or Authentication Header (AH) and a set of cryptographic +algorithms to be used by the SAs to protect the traffic that they carry. +https://datatracker.ietf.org/doc/html/rfc5996 + +In VyOS, IKE attributes are specified through IKE groups. +Multiple proposals can be specified in a single group. + +VyOS IKE group has the next options: + +* ``close-action`` defines the action to take if the remote peer unexpectedly + closes a CHILD_SA: + + * ``none`` set action to none (default); + + * ``hold`` set action to hold; + + * ``clear`` set action to clear; + + * ``restart`` set action to restart; + +* ``dead-peer-detection`` controls the use of the Dead Peer Detection protocol + (DPD, RFC 3706) where R_U_THERE notification messages (IKEv1) or empty + INFORMATIONAL messages (IKEv2) are periodically sent in order to check the + liveliness of the IPsec peer: + + * ``action`` keep-alive failure action: + + * ``hold`` set action to hold (default) + + * ``clear`` set action to clear; + + * ``restart`` set action to restart; + + * ``interval`` keep-alive interval in seconds <2-86400> (default 30); + + * ``timeout`` keep-alive timeout in seconds <2-86400> (default 120) IKEv1 only + +* ``ikev2-reauth`` whether rekeying of an IKE_SA should also reauthenticate + the peer. 
In IKEv1, reauthentication is always done: + + * ``yes`` enable remote host re-authentication during an IKE rekey; + + * ``no`` disable remote host re-authenticaton during an IKE rekey; + +* ``key-exchange`` which protocol should be used to initialize the connection + If not set both protocols are handled and connections will use IKEv2 when + initiating, but accept any protocol version when responding: + + * ``ikev1`` use IKEv1 for Key Exchange; + + * ``ikev2`` use IKEv2 for Key Exchange; + +* ``lifetime`` IKE lifetime in seconds <30-86400> (default 28800); + +* ``mobike`` enable MOBIKE Support. MOBIKE is only available for IKEv2: + + * ``enable`` enable MOBIKE (default for IKEv2); + + * ``disable`` disable MOBIKE; + +* ``mode`` IKEv1 Phase 1 Mode Selection: + + * ``main`` use Main mode for Key Exchanges in the IKEv1 Protocol + (Recommended Default); + + * ``aggressive`` use Aggressive mode for Key Exchanges in the IKEv1 protocol + aggressive mode is much more insecure compared to Main mode; + +* ``proposal`` the list of proposals and their parameters: + + * ``dh-group`` dh-group; + + * ``encryption`` encryption algorithm; + + * ``hash`` hash algorithm. + ************************* IPsec policy matching GRE ************************* diff --git a/docs/configuration/vrf/index.rst b/docs/configuration/vrf/index.rst index 05904209..90d99c56 100644 --- a/docs/configuration/vrf/index.rst +++ b/docs/configuration/vrf/index.rst @@ -62,6 +62,7 @@ Currently dynamic routing is supported for the following protocols: - :ref:`routing-bgp` - :ref:`routing-isis` - :ref:`routing-ospf` +- :ref:`routing-ospfv3` - :ref:`routing-static` The CLI configuration is same as mentioned in above articles. The only 
@@ -77,6 +78,7 @@ routing protocol inside a given vrf: - :ref:`routing-bgp`: ``set vrf name <name> protocols bgp ...`` - :ref:`routing-isis`: ``set vrf name <name> protocols isis ...`` - :ref:`routing-ospf`: ``set vrf name <name> protocols ospf ...`` +- :ref:`routing-ospfv3`: ``set vrf name <name> protocols ospfv3 ...`` - :ref:`routing-static`: ``set vrf name <name> protocols static ...`` Operation |
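Review bot: in ospf.rst, hunk @@ -145,12 +145,16 @@, the new paragraph wraps `disable` in single backticks, which reStructuredText renders as interpreted text rather than a literal; the rest of these pages (and the ipsec.rst hunk in this same change) use double backticks for keywords, so it should be ``disable``. The wording "allows to exclude interface from passive state" is also awkward and the second sentence does not say which command it refers to. Suggest: "The optional ``disable`` keyword excludes the interface from the passive state; use it for interfaces that must form adjacencies when :cfgcmd:`passive-interface default` is configured."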
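Review bot: in ospf.rst, hunk @@ -158,11 +162,6 @@, deleting the `set protocols ospf passive-interface-exclude <interface>` entry leaves a dangling reference: the unchanged context line immediately above it, "interfaces where router adjacencies are expected need to be configured with the :cfgcmd:`passive-interface-exclude` command", still names the removed command. That sentence belongs to the `passive-interface default` description and should now point at the replacement introduced in the preceding hunk, i.e. "configured with :cfgcmd:`interface <interface> passive disable`"; otherwise the default-passive paragraph sends readers to a command that no longer exists on the page.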
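Review bot: in ospf.rst, hunk @@ -927,7 +928,7 @@, the `<intname>` to `<interface>` rename is consistent with the other ospfv3 hunks, but since this entry is being touched anyway, the context line "Whith the argument" should be corrected to "With the argument" in the same commit, and "This command displays state and configuration of OSPF the specified interface" (which also appears in the ospf hunk @@ -549,12 +548,12 @@) reads better as "displays the state and configuration of OSPF for the specified interface".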
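Review bot: in tftp-server.rst, hunk @@ -28,6 +28,14 @@, the description "Additional option to run TFTP server in the :abbr:`VRF (Virtual Routing and Forwarding)` context" is not indented under the new `.. cfgcmd::` directive, unlike every other cfgcmd description in these files, so it renders as a free-standing paragraph rather than as that command's text; it is also a sentence fragment with no terminal period. Suggest an indented sentence along the lines of "Bind the TFTP server instance for this listen address to the given VRF; the VRF is expected to exist before this option is committed." Wrapping only this paragraph in `.. stop_vyoslinter` / `.. start_vyoslinter` silences a linter finding without recording why; a one-line comment naming the trigger (the :abbr: role or line length, whichever it is) would help the next editor decide whether the exemption is still needed.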
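Review bot: in ipsec.rst, hunk @@ -29,6 +29,88 @@, the bare URL after the opening paragraph cites RFC 5996, which is obsoleted by RFC 7296 (IKEv2); since the section also documents IKEv1 options, reference both RFC 7296 and RFC 2409 using the :rfc: role rather than a raw link. Wording and punctuation: "has the next options" should be "has the following options"; "liveliness" should be "liveness"; "re-authenticaton" is misspelled; "initialize the connection If not set" is missing a period; and the ``hold`` bullet under ``dead-peer-detection`` lacks the trailing semicolon its siblings have. Substance: the ``close-action`` and DPD ``action`` values are described only as "set action to hold/clear/restart", which tells the reader nothing; state the behaviour (``clear`` removes the SA, ``hold`` keeps the policy installed and renegotiates when traffic appears, ``restart`` renegotiates immediately). The ``proposal`` bullets "``dh-group`` dh-group", "``encryption`` encryption algorithm" and "``hash`` hash algorithm" are tautological and should list or link to the accepted values. Finally, "aggressive mode is much more insecure compared to Main mode" should say why, so operators can weigh the risk: aggressive mode exchanges identities and the PSK-derived authentication hash before the channel is encrypted, which exposes pre-shared keys to offline guessing; keeping "Recommended Default" on ``main`` is right.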
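Review bot: in vrf/index.rst, hunk @@ -62,6 +62,7 @@, the added :ref:`routing-ospfv3` entry (and the matching command template added in hunk @@ -77,6 +78,7 @@) resolves only because ospf.rst in this same change introduces the `.. _routing-ospfv3:` label; if the files are cherry-picked separately, Sphinx emits an "undefined label: routing-ospfv3" warning and the link degrades to plain text, so the two files should land together. The entries themselves follow the existing bgp/isis/ospf ordering and the ``set vrf name <name> protocols ospfv3 ...`` line matches its siblings.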