6 files changed, 1714 insertions, 377 deletions

diff --git a/docs/configuration/vpn/ipsec.rst b/docs/configuration/vpn/ipsec.rst
index b6ee86af..172b3c64 100644
--- a/docs/configuration/vpn/ipsec.rst
+++ b/docs/configuration/vpn/ipsec.rst
@@ -32,10 +32,10 @@ for the cipher and hash. Adjust this as necessary.
 **************************************
 IKE (Internet Key Exchange) Attributes
 **************************************
-IKE performs mutual authentication between two parties and establishes 
-an IKE security association (SA) that includes shared secret information 
-that can be used to efficiently establish SAs for Encapsulating Security 
-Payload (ESP) or Authentication Header (AH) and a set of cryptographic 
+IKE performs mutual authentication between two parties and establishes
+an IKE security association (SA) that includes shared secret information
+that can be used to efficiently establish SAs for Encapsulating Security
+Payload (ESP) or Authentication Header (AH) and a set of cryptographic
 algorithms to be used by the SAs to protect the traffic that they carry.
 https://datatracker.ietf.org/doc/html/rfc5996
 
@@ -44,62 +44,64 @@ Multiple proposals can be specified in a single group.
 
 VyOS IKE group has the next options:
 
-* ``close-action`` defines the action to take if the remote peer unexpectedly 
+* ``close-action`` defines the action to take if the remote peer unexpectedly
   closes a CHILD_SA:
 
  * ``none`` set action to none (default);
- 
- * ``hold`` set action to hold;
- 
- * ``restart`` set action to restart;
- 
-* ``dead-peer-detection`` controls the use of the Dead Peer Detection protocol 
-  (DPD, RFC 3706) where R_U_THERE notification messages (IKEv1) or empty 
-  INFORMATIONAL messages (IKEv2) are periodically sent in order to check the 
+
+ * ``trap`` installs a trap policy for the CHILD_SA;
+
+ * ``start`` tries to immediately re-create the CHILD_SA;
+
+* ``dead-peer-detection`` controls the use of the Dead Peer Detection protocol
+  (DPD, RFC 3706) where R_U_THERE notification messages (IKEv1) or empty
+  INFORMATIONAL messages (IKEv2) are periodically sent in order to check the
   liveliness of the IPsec peer:
-  
+
  * ``action`` keep-alive failure action:
- 
-  * ``hold`` set action to hold (default)
-  
-  * ``clear`` set action to clear;
-  
-  * ``restart`` set action to restart;
-  
+
+  * ``trap``  installs a trap policy, which will catch matching traffic
+    and tries to re-negotiate the tunnel on-demand;
+
+  * ``clear`` closes the CHILD_SA and does not take further action (default);
+
+  * ``restart`` immediately tries to re-negotiate the CHILD_SA
+    under a fresh IKE_SA;
+
  * ``interval`` keep-alive interval in seconds <2-86400> (default 30);
- 
+
  * ``timeout`` keep-alive timeout in seconds <2-86400> (default 120) IKEv1 only
- 
-* ``ikev2-reauth`` whether rekeying of an IKE_SA should also reauthenticate 
+
+* ``ikev2-reauth`` whether rekeying of an IKE_SA should also reauthenticate
   the peer. In IKEv1, reauthentication is always done.
-  Setting this parameter enables remote host re-authentication during an IKE 
+  Setting this parameter enables remote host re-authentication during an IKE
   rekey.
- 
+
 * ``key-exchange`` which protocol should be used to initialize the connection
-  If not set both protocols are handled and connections will use IKEv2 when 
+  If not set both protocols are handled and connections will use IKEv2 when
   initiating, but accept any protocol version when responding:
-  
+
  * ``ikev1`` use IKEv1 for Key Exchange;
- 
+
  * ``ikev2`` use IKEv2 for Key Exchange;
- 
+
 * ``lifetime`` IKE lifetime in seconds <0-86400> (default 28800);
 
 * ``disable-mobike`` disables MOBIKE Support. MOBIKE is only available for IKEv2
   and enabled by default.
- 
+
 * ``mode`` IKEv1 Phase 1 Mode Selection:
 
- * ``main`` use Main mode for Key Exchanges in the IKEv1 Protocol 
+ * ``main`` use Main mode for Key Exchanges in the IKEv1 Protocol
    (Recommended Default);
-   
- * ``aggressive`` use Aggressive mode for Key Exchanges in the IKEv1 protocol 
+
+ * ``aggressive`` use Aggressive mode for Key Exchanges in the IKEv1 protocol
    aggressive mode is much more insecure compared to Main mode;
-   
+
 * ``proposal`` the list of proposals and their parameters:
 
  * ``dh-group`` dh-group;
- 
+
  * ``encryption`` encryption algorithm;
 
  * ``hash`` hash algorithm.
@@ -109,8 +111,9 @@ VyOS IKE group has the next options:
 ***********************************************
 ESP (Encapsulating Security Payload) Attributes
 ***********************************************
-ESP is used to provide confidentiality, data origin authentication, 
-connectionless integrity, an anti-replay service (a form of partial sequence 
+
+ESP is used to provide confidentiality, data origin authentication,
+connectionless integrity, an anti-replay service (a form of partial sequence
 integrity), and limited traffic flow confidentiality.
 https://datatracker.ietf.org/doc/html/rfc4303
 
@@ -120,26 +123,26 @@ Multiple proposals can be specified in a single group.
 VyOS ESP group has the next options:
 
 * ``compression``  Enables the  IPComp(IP Payload Compression) protocol which
-  allows compressing the content of IP packets.  
- 
-* ``life-bytes`` ESP life in bytes <1024-26843545600000>. 
+  allows compressing the content of IP packets.
+
+* ``life-bytes`` ESP life in bytes <1024-26843545600000>.
   Number of bytes transmitted over an IPsec SA before it expires;
-  
-* ``life-packets`` ESP life in packets <1000-26843545600000>. 
-  Number of packets transmitted over an IPsec SA before it expires;  
-  
-* ``lifetime`` ESP lifetime in seconds <30-86400> (default 3600). 
-  How long a particular instance of a connection (a set of 
-  encryption/authentication keys for user packets) should last, 
+
+* ``life-packets`` ESP life in packets <1000-26843545600000>.
+  Number of packets transmitted over an IPsec SA before it expires;
+
+* ``lifetime`` ESP lifetime in seconds <30-86400> (default 3600).
+  How long a particular instance of a connection (a set of
+  encryption/authentication keys for user packets) should last,
   from successful negotiation to expiry;
-  
+
 * ``mode`` the type of the connection:
- 
+
  * ``tunnel`` tunnel mode (default);
 
  * ``transport`` transport mode;
 
-* ``pfs`` whether Perfect Forward Secrecy of keys is desired on the 
+* ``pfs`` whether Perfect Forward Secrecy of keys is desired on the
   connection's keying channel and defines a Diffie-Hellman group for PFS:
 
  * ``enable`` Inherit Diffie-Hellman group from IKE group (default);
@@ -153,20 +156,21 @@ VyOS ESP group has the next options:
  * ``encryption`` encryption algorithm (default 128 bit AES-CBC);
 
  * ``hash`` hash algorithm (default sha1).
- 
+
 ***********************************************
 Options (Global IPsec settings) Attributes
-*********************************************** 
+***********************************************
+
 * ``options``
 
  * ``disable-route-autoinstall`` Do not automatically install routes to remote networks;
- 
+
  * ``flexvpn`` Allows FlexVPN vendor ID payload (IKEv2 only). Send the Cisco FlexVPN vendor ID payload (IKEv2 only), which is required in order to make Cisco brand devices allow negotiating a local traffic selector (from strongSwan's point of view) that is not the assigned virtual IP address if such an address is requested by strongSwan. Sending the Cisco FlexVPN vendor ID prevents the peer from narrowing the initiator's local traffic selector and allows it to e.g. negotiate a TS of 0.0.0.0/0 == 0.0.0.0/0 instead. This has been tested with a "tunnel mode ipsec ipv4" Cisco template but should also work for GRE encapsulation;
- 
+
  * ``interface`` Interface Name to use. The name of the interface on which virtual IP addresses should be installed. If not specified the addresses will be installed on the outbound interface;
- 
+
  * ``virtual-ip`` Allows to install virtual-ip addresses. Comma separated list of virtual IPs to request in IKEv2 configuration payloads or IKEv1 Mode Config. The wildcard addresses 0.0.0.0 and :: request an arbitrary address, specific addresses may be defined. The responder may return a different address, though, or none at all. Define the ``virtual-address`` option to configure the IP address in site-to-site hierarchy.
- 
+
 *************************
 IPsec policy matching GRE
 *************************
@@ -264,7 +268,7 @@ However, now you need to make IPsec work with dynamic address on one side. The
 tricky part is that pre-shared secret authentication doesn't work with dynamic
 address, so we'll have to use RSA keys.
 
-First, on both routers run the operational command "generate pki key-pair 
+First, on both routers run the operational command "generate pki key-pair
 install <key-pair name>". You may choose different length than 2048 of course.
 
 .. code-block:: none
@@ -281,18 +285,18 @@ install <key-pair name>". You may choose different length than 2048 of course.
   set pki key-pair ipsec-LEFT private key 'MIIEvgIBADAN...'
   [edit]
 
-Configuration commands for the private and public key will be displayed on the 
+Configuration commands for the private and public key will be displayed on the
 screen which needs to be set on the router first.
-Note the command with the public key 
-(set pki key-pair ipsec-LEFT public key 'MIIBIjANBgkqh...'). 
+Note the command with the public key
+(set pki key-pair ipsec-LEFT public key 'MIIBIjANBgkqh...').
 Then do the same on the opposite router:
 
 .. code-block:: none
 
   vyos@left# run generate pki key-pair install ipsec-RIGHT
 
-Note the command with the public key 
-(set pki key-pair ipsec-RIGHT public key 'FAAOCAQ8AMII...'). 
+Note the command with the public key
+(set pki key-pair ipsec-RIGHT public key 'FAAOCAQ8AMII...').
 
 Now the noted public keys should be entered on the opposite routers.
 
@@ -361,3 +365,205 @@ On the RIGHT (dynamic address):
   set vpn ipsec site-to-site peer LEFT remote-address 192.0.2.10
   set vpn ipsec site-to-site peer LEFT tunnel 1 local prefix 192.168.99.2/32  # Additional loopback address on the local
   set vpn ipsec site-to-site peer LEFT tunnel 1 remote prefix 192.168.99.1/32 # Additional loopback address on the remote
+
+
+*******************************************
+IKEv2 IPSec road-warriors remote-access VPN
+*******************************************
+
+Internet Key Exchange version 2, IKEv2 for short, is a request/response
+protocol developed by both Cisco and Microsoft. It is used to establish
+and secure IPv4/IPv6 connections, be it a site-to-site VPN or from a
+road-warrior connecting to a hub site. IKEv2, when run in point-to-multipoint,
+or remote-access/road-warrior mode, secures the server-side with another layer
+by using an x509 signed server certificate.
+
+Key exchange and payload encryption is still done using IKE and ESP proposals
+as known from IKEv1 but the connections are faster to establish, more reliable,
+and also support roaming from IP to IP (called MOBIKE which makes sure your
+connection does not drop when changing networks from e.g. WIFI to LTE and back).
+
+This feature closely works together with :ref:`pki` subsystem as you required
+a x509 certificate.
+
+Example
+=======
+
+This example uses CACert as certificate authority.
+
+.. code-block::
+
+  set pki ca CAcert_Class_3_Root certificate 'MIIGPTCCBCWgAwIBAgIDFOIoMA0GCSqGSIb3DQEBDQUAMHkxEDAOBgNVBAoTB1Jvb3QgQ0ExHjAcBgNVBAsTFWh0dHA6Ly93d3cuY2FjZXJ0Lm9yZzEiMCAGA1UEAxMZQ0EgQ2VydCBTaWduaW5nIEF1dGhvcml0eTEhMB8GCSqGSIb3DQEJARYSc3VwcG9ydEBjYWNlcnQub3JnMB4XDTIxMDQxOTEyMTgzMFoXDTMxMDQxNzEyMTgzMFowVDEUMBIGA1UEChMLQ0FjZXJ0IEluYy4xHjAcBgNVBAsTFWh0dHA6Ly93d3cuQ0FjZXJ0Lm9yZzEcMBoGA1UEAxMTQ0FjZXJ0IENsYXNzIDMgUm9vdDCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAKtJNRFIfNImflOUz0Op3SjXQiqL84d4GVh8D57aiX3h++tykA10oZZkq5+gJJlz2uJVdscXe/UErEa4w75/ZI0QbCTzYZzA8pD6Ueb1aQFjww9W4kpCz+JEjCUoqMV5CX1GuYrz6fM0KQhF5Byfy5QEHIGoFLOYZcRD7E6CjQnRvapbjZLQ7N6QxX8KwuPr5jFaXnQ+lzNZ6MMDPWAzv/fRb0fEze5ig1JuLgiapNkVGJGmhZJHsK5I6223IeyFGmhyNav/8BBdwPSUp2rVO5J+TJAFfpPBLIukjmJ0FXFuC3ED6q8VOJrU0gVyb4z5K+taciX5OUbjchs+BMNkJyIQKopPWKcDrb60LhPtXapI19V91Cp7XPpGBFDkzA5CW4zt2/LP/JaT4NsRNlRiNDiPDGCbO5dWOK3z0luLoFvqTpa4fNfVoIZwQNORKbeiPK31jLvPGpKK5DR7wNhsX+kKwsOnIJpa3yxdUly6R9Wb7yQocDggL9V/KcCyQQNokszgnMyXS0XvOhAKq3A6mJVwrTWx6oUrpByAITGprmB6gCZIALgBwJNjVSKRPFbnr9s6JfOPMVTqJouBWfmh0VMRxXudA/Z0EeBtsSw/LIaRmXGapneLNGDRFLQsrJ2vjBDTn8Rq+G8T/HNZ92ZCdB6K4/jc0m+YnMtHmJVABfvpAgMBAAGjgfIwge8wDwYDVR0TAQH/BAUwAwEB/zBhBggrBgEFBQcBAQRVMFMwIwYIKwYBBQUHMAGGF2h0dHA6Ly9vY3NwLkNBY2VydC5vcmcvMCwGCCsGAQUFBzAChiBodHRwOi8vd3d3LkNBY2VydC5vcmcvY2xhc3MzLmNydDBFBgNVHSAEPjA8MDoGCysGAQQBgZBKAgMBMCswKQYIKwYBBQUHAgEWHWh0dHA6Ly93d3cuQ0FjZXJ0Lm9yZy9jcHMucGhwMDIGA1UdHwQrMCkwJ6AloCOGIWh0dHBzOi8vd3d3LmNhY2VydC5vcmcvY2xhc3MzLmNybDANBgkqhkiG9w0BAQ0FAAOCAgEAxh6td1y0KJvRyI1EEsC9dnYEgyEH+BGCf2vBlULAOBG1JXCNiwzB1Wz9HBoDfIv4BjGlnd5BKdSLm4TXPcE3hnGjH1thKR5dd3278K25FRkTFOY1gP+mGbQ3hZRB6IjDX+CyBqS7+ECpHTms7eo/mARN+Yz5R3lzUvXs3zSX+z534NzRg4i6iHNHWqakFcQNcA0PnksTB37vGD75pQGqeSmx51L6UzrIpn+274mhsaFNL85jhX+lKuk71MGjzwoThbuZ15xmkITnZtRQs6HhLSIqJWjDILIrxLqYHehK71xYwrRNhFb3TrsWaEJskrhveM0Os/vvoLNkh/L3iEQ5/LnmLMCYJNRALF7I7gsduAJNJrgKGMYvHkt1bo8uIXO8wgNV7qoU4JoaB1ML30QUqGcFr0TI06FFdgK2fwy5hulPxm6wuxW0v+iAtXYx/mRkwQpYbcVQtrIDvx1CT1k50cQxi+jIKjkcFWHw3kBoDnCos0/ukegPT7aQnk2AbL4c7nCkuAcEKw1BAlSETkfqi5btdlhh58MhewZv1LcL5zQyg8w1puclT3wXQvy8VwPGn0J/mGD4gLLZ9rGcHDUECokxFoWk+u5MCcVqmGbsyG4q5suS3CNslsHURfM8bQK4oLvHR8LCHEBMRcdFBn87cSvOK6eB1kdGKLA8ymXxZp8='
+  set pki ca CAcert_Signing_Authority certificate 'MIIG7jCCBNagAwIBAgIBDzANBgkqhkiG9w0BAQsFADB5MRAwDgYDVQQKEwdSb290IENBMR4wHAYDVQQLExVodHRwOi8vd3d3LmNhY2VydC5vcmcxIjAgBgNVBAMTGUNBIENlcnQgU2lnbmluZyBBdXRob3JpdHkxITAfBgkqhkiG9w0BCQEWEnN1cHBvcnRAY2FjZXJ0Lm9yZzAeFw0wMzAzMzAxMjI5NDlaFw0zMzAzMjkxMjI5NDlaMHkxEDAOBgNVBAoTB1Jvb3QgQ0ExHjAcBgNVBAsTFWh0dHA6Ly93d3cuY2FjZXJ0Lm9yZzEiMCAGA1UEAxMZQ0EgQ2VydCBTaWduaW5nIEF1dGhvcml0eTEhMB8GCSqGSIb3DQEJARYSc3VwcG9ydEBjYWNlcnQub3JnMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAziLA4kZ97DYoB1CW8qAzQIxL8TtmPzHlawI229Z89vGIj053NgVBlfkJ8BLPRoZzYLdufujAWGSuzbCtRRcMY/pnCujW0r8+55jE8Ez64AO7NV1sId6eINm6zWYyN3L69wj1x81YyY7nDl7qPv4coRQKFWyGhFtkZip6qUtTefWIonvuLwphK42yfk1WpRPs6tqSnqxEQR5YYGUFZvjARL3LlPdCfgv3ZWiYUQXw8wWRBB0bF4LsyFe7w2t6iPGwcswlWyCR7BYCEo8y6RcYSNDHBS4CMEK4JZwFaz+qOqfrU0j36NK2B5jcG8Y0f3/JHIJ6BVgrCFvzOKKrF11myZjXnhCLotLddJr3cQxyYN/Nb5gznZY0dj4kepKwDpUeb+agRThHqtdB7Uq3EvbXG4OKDy7YCbZZ16oE/9KTfWgu3YtLq1i6L43qlaegw1SJpfvbi1EinbLDvhG+LJGGi5Z4rSDTii8aP8bQUWWHIbEZAWV/RRyH9XzQQUxPKZgh/TMfdQwEUfoZd9vUFBzugcMd9Zi3aQaRIt0AUMyBMawSB3s42mhb5ivUfslfrejrckzzAeVLIL+aplfKkQABi6F1ITe1Yw1nPkZPcCBnzsXWWdsC4PDSy826YreQQejdIOQpvGQpQsgi3Hia/0PsmBsJUUtaWsJx8cTLc6nloQsCAwEAAaOCAX8wggF7MB0GA1UdDgQWBBQWtTIb1Mfz4OaO873SsDrusjkY0TAPBgNVHRMBAf8EBTADAQH/MDQGCWCGSAGG+EIBCAQnFiVodHRwOi8vd3d3LmNhY2VydC5vcmcvaW5kZXgucGhwP2lkPTEwMFYGCWCGSAGG+EIBDQRJFkdUbyBnZXQgeW91ciBvd24gY2VydGlmaWNhdGUgZm9yIEZSRUUgaGVhZCBvdmVyIHRvIGh0dHA6Ly93d3cuY2FjZXJ0Lm9yZzAxBgNVHR8EKjAoMCagJKAihiBodHRwOi8vY3JsLmNhY2VydC5vcmcvcmV2b2tlLmNybDAzBglghkgBhvhCAQQEJhYkVVJJOmh0dHA6Ly9jcmwuY2FjZXJ0Lm9yZy9yZXZva2UuY3JsMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcwAYYWaHR0cDovL29jc3AuY2FjZXJ0Lm9yZzAfBgNVHSMEGDAWgBQWtTIb1Mfz4OaO873SsDrusjkY0TANBgkqhkiG9w0BAQsFAAOCAgEAR5zXs6IX01JTt7Rq3b+bNRUhbO9vGBMggczo7R0qIh1kdhS6WzcrDoO6PkpuRg0L3qM7YQB6pw2V+ubzF7xl4C0HWltfzPTbzAHdJtjaJQw7QaBlmAYpN2CLB6Jeg8q/1Xpgdw/+IP1GRwdg7xUpReUA482l4MH1kf0W0ad94SuIfNWQHcdLApmno/SUh1bpZyeWrMnlhkGNDKMxCCQXQ360TwFHc8dfEAaq5ry6cZzm1oetrkSviE2qofxvv1VFiQ+9TX3/zkECCsUB/EjPM0lxFBmu9T5Ih+Eqns9ivmrEIQDv9tNyJHuLsDNqbUBal7OoiPZnXk9LH+qb+pLf1ofv5noy5vX2a5OKebHe+0Ex/A7e+G/HuOjVNqhZ9j5Nispfq9zNyOHGWD8ofj8DHwB50L1Xh5H+EbIoga/hJCQnRtxWkHP699T1JpLFYwapgplivF4TFv4fqp0nHTKC1x9gGrIgvuYJl1txIKmxXdfJzgscMzqpabhtHOMXOiwQBpWzyJkofF/w55e0LttZDBkEsilV/vW0CJsPs3eNaQF+iMWscGOkgLFlWsAS3HwyiYLNJo26aqyWPaIdc8E4ck7Sk08WrFrHIK3EHr4n1FZwmLpFAvucKqgl0hr+2jypyh5puA3KksHF3CsUzjMUvzxMhykh9zrMxQAHLBVrGwc='
+
+After you obtained your server certificate you can import it from a file
+on the local filesystem, or paste it into the CLI. Please note that
+when entering the certificate manually you need to strip the
+``-----BEGIN KEY-----`` and ``-----END KEY-----`` tags. Also, the certificate
+or key needs to be presented in a single line without line breaks (``\n``).
+
+To import it from the filesystem use:
+
+.. code-block::
+
+  import pki certificate <name> file /path/to/cert.pem
+
+In our example the certificate name is called vyos:
+
+.. code-block::
+
+  set pki certificate vyos certificate 'MIIE45s...'
+  set pki certificate vyos private key 'MIIEvgI...'
+
+After the PKI certs are all set up we can start configuring our IPSec/IKE
+proposals used for key-exchange end data encryption. The used encryption
+ciphers and integrity algorithms vary from operating system to operating
+system. The ones used in this post are validated to work on both Windows 10
+and iOS/iPadOS 14 to 17.
+
+.. code-block::
+
+  set vpn ipsec esp-group ESP-RW compression 'disable'
+  set vpn ipsec esp-group ESP-RW lifetime '3600'
+  set vpn ipsec esp-group ESP-RW pfs 'disable'
+  set vpn ipsec esp-group ESP-RW proposal 10 encryption 'aes128gcm128'
+  set vpn ipsec esp-group ESP-RW proposal 10 hash 'sha256'
+
+  set vpn ipsec ike-group IKE-RW key-exchange 'ikev2'
+  set vpn ipsec ike-group IKE-RW lifetime '7200'
+  set vpn ipsec ike-group IKE-RW mobike 'enable'
+  set vpn ipsec ike-group IKE-RW proposal 10 dh-group '14'
+  set vpn ipsec ike-group IKE-RW proposal 10 encryption 'aes128gcm128'
+  set vpn ipsec ike-group IKE-RW proposal 10 hash 'sha256'
+
+Every connection/remote-access pool we configure also needs a pool where
+we can draw our client IP addresses from. We provide one IPv4 and IPv6 pool.
+Authorized clients will receive an IPv4 address from the 192.0.2.128/25 prefix
+and an IPv6 address from the 2001:db8:2000::/64 prefix. We can also send some
+DNS nameservers down to our clients used on their connection.
+
+.. code-block::
+
+  set vpn ipsec remote-access pool ra-rw-ipv4 name-server '192.0.2.1'
+  set vpn ipsec remote-access pool ra-rw-ipv4 prefix '192.0.2.128/25'
+  set vpn ipsec remote-access pool ra-rw-ipv6 name-server '2001:db8:1000::1'
+  set vpn ipsec remote-access pool ra-rw-ipv6 prefix '2001:db8:2000::/64'
+
+VyOS supports multiple IKEv2 remote-access connections. Every connection can
+have its dedicated IKE/ESP ciphers, certificates or local listen address for
+e.g. inbound load balancing.
+
+We configure a new connection named ``rw`` for road-warrior, that identifies
+itself as ``192.0.2.1`` to the clients and uses the ``vyos`` certificate
+signed by the `CAcert_Class3_Root`` intermediate CA. We select our previously
+specified IKE/ESP groups and also link the IP address pool to draw addresses
+from.
+
+.. code-block::
+
+  set vpn ipsec remote-access connection rw authentication id '192.0.2.1'
+  set vpn ipsec remote-access connection rw authentication server-mode 'x509'
+  set vpn ipsec remote-access connection rw authentication x509 ca-certificate 'CAcert_Class_3_Root'
+  set vpn ipsec remote-access connection rw authentication x509 certificate 'vyos'
+  set vpn ipsec remote-access connection rw esp-group 'ESP-RW'
+  set vpn ipsec remote-access connection rw ike-group 'IKE-RW'
+  set vpn ipsec remote-access connection rw local-address '192.0.2.1'
+  set vpn ipsec remote-access connection rw pool 'ra-rw-ipv4'
+  set vpn ipsec remote-access connection rw pool 'ra-rw-ipv6'
+
+VyOS also supports (currently) two different modes of authentication, local and
+RADIUS. To create a new local user named ``vyos`` with password ``vyos`` use the
+following commands.
+
+.. code-block::
+
+  set vpn ipsec remote-access connection rw authentication client-mode 'eap-mschapv2'
+  set vpn ipsec remote-access connection rw authentication local-users username vyos password 'vyos'
+
+If you feel better forwarding all authentication requests to your enterprises
+RADIUS server, use the commands below.
+
+.. code-block::
+
+  set vpn ipsec remote-access connection rw authentication client-mode 'eap-radius'
+  set vpn ipsec remote-access radius server 192.0.2.2 key 'secret'
+
+Client Configuration
+====================
+
+Configuring VyOS to act as your IPSec access concentrator is one thing, but
+you probably need to setup your client connecting to the server so they can
+talk to the IPSec gateway.
+
+Microsoft Windows (10+)
+-----------------------
+
+Windows 10 does not allow a user to choose the integrity and encryption ciphers
+using the GUI and it uses some older proposals by default. A user can only
+change the proposals on the client side by configuring the IPSec connection
+profile via PowerShell.
+
+We generate a connection profile used by Windows clients that will connect to
+the "rw" connection on our VyOS server on the VPN servers IP address/fqdn
+`vpn.vyos.net`.
+
+.. note:: Microsoft Windows expects the server name to be also used in the
+  server's certificate common name, so it's best to use this DNS name for
+  your VPN connection.
+
+.. code-block::
+
+  vyos@vyos:~$ generate ipsec profile windows-remote-access rw remote vpn.vyos.net
+
+   ==== <snip> ====
+   Add-VpnConnection -Name "VyOS IKEv2 VPN" -ServerAddress "vpn.vyos.net" -TunnelType "Ikev2"
+   Set-VpnConnectionIPsecConfiguration -ConnectionName "VyOS IKEv2 VPN" -AuthenticationTransformConstants GCMAES128 -CipherTransformConstants GCMAES128 -EncryptionMethod GCMAES128 -IntegrityCheckMethod SHA256128 -PfsGroup None -DHGroup "Group14" -PassThru -Force
+   ==== </snip> ====
+
+As both Microsoft Windows and Apple iOS/iPadOS only support a certain set of
+encryption ciphers and integrity algorithms we will validate the configured
+IKE/ESP proposals and only list the compatible ones to the user — if multiple
+are defined. If there are no matching proposals found — we can not generate a
+profile for you.
+
+When first connecting to the new VPN the user is prompted to enter proper
+credentials.
+
+Apple iOS/iPadOS (14.2+)
+------------------------
+
+Like on Microsoft Windows, Apple iOS/iPadOS out of the box does not expose
+all available VPN options via the device GUI.
+
+If you want, need, and should use more advanced encryption ciphers (default
+is still 3DES) you need to provision your device using a so-called "Device
+Profile". A profile is a simple text file containing XML nodes with a
+``.mobileconfig`` file extension that can be sent and opened on any device
+from an E-Mail.
+
+Profile generation happens from the operational level and is as simple as
+issuing the following command to create a profile to connect to the IKEv2
+access server at ``vpn.vyos.net`` with the configuration for the ``rw``
+remote-access connection group.
+
+.. note:: Apple iOS/iPadOS expects the server name to be also used in the
+  server's certificate common name, so it's best to use this DNS name for
+  your VPN connection.
+
+.. code-block::
+
+  vyos@vyos:~$ generate ipsec profile ios-remote-access rw remote vpn.vyos.net
+
+  ==== <snip> ====
+  <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+  <plist version="1.0">
+  ...
+  </plist>
+  ==== </snip> ====
+
+In the end, an XML structure is generated which can be saved as
+``vyos.mobileconfig`` and sent to the device by E-Mail where it later can
+be imported.
+
+During profile import, the user is asked to enter its IPSec credentials
+(username and password) which is stored on the mobile.
diff --git a/docs/configuration/vpn/l2tp.rst b/docs/configuration/vpn/l2tp.rst
index 4a7657e7..f0c60ec1 100644
--- a/docs/configuration/vpn/l2tp.rst
+++ b/docs/configuration/vpn/l2tp.rst
@@ -1,30 +1,80 @@
 .. _l2tp:
 
+####
 L2TP
-----
+####
 
 VyOS utilizes accel-ppp_ to provide L2TP server functionality. It can be used
 with local authentication or a connected RADIUS server.
 
-L2TP over IPsec
-===============
-
-Example for configuring a simple L2TP over IPsec VPN for remote access (works
-with native Windows and Mac VPN clients):
+***********************
+Configuring L2TP Server
+***********************
 
 .. code-block:: none
 
-  set vpn ipsec interface eth0
-
-  set vpn l2tp remote-access outside-address 192.0.2.2
+  set vpn l2tp remote-access authentication mode local
+  set vpn l2tp remote-access authentication local-users username test password 'test'
   set vpn l2tp remote-access client-ip-pool L2TP-POOL range 192.168.255.2-192.168.255.254
   set vpn l2tp remote-access default-pool 'L2TP-POOL'
+  set vpn l2tp remote-access outside-address 192.0.2.2
+  set vpn l2tp remote-access gateway-address 192.168.255.1
+
+
+.. cfgcmd:: set vpn l2tp remote-access authentication mode <local | radius>
+
+  Set authentication backend. The configured authentication backend is used
+  for all queries.
+
+  * **radius**: All authentication queries are handled by a configured RADIUS
+    server.
+  * **local**: All authentication queries are handled locally.
+
+.. cfgcmd:: set vpn l2tp remote-access authentication local-users username <user> password
+   <pass>
+
+  Create `<user>` for local authentication on this system. The users password
+  will be set to `<pass>`.
+
+.. cfgcmd:: set vpn l2tp remote-access client-ip-pool <POOL-NAME> range <x.x.x.x-x.x.x.x | x.x.x.x/x>
+
+   Use this command to define the first IP address of a pool of
+   addresses to be given to l2tp clients. If notation ``x.x.x.x-x.x.x.x``,
+   it must be within a /24 subnet. If notation ``x.x.x.x/x`` is
+   used there is possibility to set host/netmask.
+
+.. cfgcmd:: set vpn l2tp remote-access default-pool <POOL-NAME>
+
+   Use this command to define default address pool name.
+
+.. cfgcmd:: set vpn l2tp remote-access gateway-address <gateway>
+
+  Specifies single `<gateway>` IP address to be used as local address of PPP
+  interfaces.
+
+*****************
+Configuring IPsec
+*****************
+
+.. code-block:: none
+
+  set vpn ipsec interface eth0
   set vpn l2tp remote-access ipsec-settings authentication mode pre-shared-secret
   set vpn l2tp remote-access ipsec-settings authentication pre-shared-secret <secret>
-  set vpn l2tp remote-access authentication mode local
-  set vpn l2tp remote-access authentication local-users username test password 'test'
 
-In the above example, an external IP of 192.0.2.2 is assumed.
+
+.. cfgcmd:: set vpn ipsec interface <INTERFACE>
+
+   Use this command to define IPsec interface.
+
+.. cfgcmd:: set vpn l2tp remote-access ipsec-settings authentication mode <pre-shared-secret | x509>
+
+   Set mode for IPsec authentication between VyOS and L2TP clients.
+
+.. cfgcmd:: set vpn l2tp remote-access ipsec-settings authentication mode <pre-shared-secret | x509>
+
+   Set predefined shared secret phrase.
+
 
 If a local firewall policy is in place on your external interface you will need
 to allow the ports below:
@@ -64,156 +114,150 @@ To allow VPN-clients access via your external address, a NAT rule is required:
   set nat source rule 110 source address '192.168.255.0/24'
   set nat source rule 110 translation address masquerade
 
+*********************************
+Configuring RADIUS authentication
+*********************************
 
-VPN-clients will request configuration parameters, optionally you can DNS
-parameter to the client.
+To enable RADIUS based authentication, the authentication mode needs to be
+changed within the configuration. Previous settings like the local users, still
+exists within the configuration, however they are not used if the mode has been
+changed from local to radius. Once changed back to local, it will use all local
+accounts again.
 
 .. code-block:: none
 
-  set vpn l2tp remote-access name-server '198.51.100.8'
-  set vpn l2tp remote-access name-server '198.51.100.4'
-
-Established sessions can be viewed using the **show l2tp-server sessions** 
-operational command
+  set vpn l2tp remote-access authentication mode radius
 
-.. code-block:: none
+.. cfgcmd:: set vpn l2tp remote-access authentication radius server <server> key <secret>
 
-  vyos@vyos:~$ show l2tp-server sessions
-   ifname | username |      ip       | ip6 | ip6-dp | calling-sid | rate-limit | state  |  uptime  | rx-bytes | tx-bytes
-  --------+----------+---------------+-----+--------+-------------+------------+--------+----------+----------+----------
-   l2tp0  | test     | 192.168.255.3 |     |        | 192.168.0.36 |            | active | 02:01:47 | 7.7 KiB  | 1.2 KiB
+  Configure RADIUS `<server>` and its required shared `<secret>` for
+  communicating with the RADIUS server.
 
+Since the RADIUS server would be a single point of failure, multiple RADIUS
+servers can be setup and will be used subsequentially.
+For example:
 
+.. code-block:: none
 
-LNS (L2TP Network Server)
-=========================
+  set vpn l2tp remote-access authentication radius server 10.0.0.1 key 'foo'
+  set vpn l2tp remote-access authentication radius server 10.0.0.2 key 'foo'
 
-LNS are often used to connect to a LAC (L2TP Access Concentrator).
+.. note:: Some RADIUS_ severs use an access control list which allows or denies
+   queries, make sure to add your VyOS router to the allowed client list.
 
-Below is an example to configure a LNS:
+RADIUS source address
+=====================
 
-.. code-block:: none
+If you are using OSPF as IGP, always the closest interface connected to the
+RADIUS server is used. With VyOS 1.2 you can bind all outgoing RADIUS requests
+to a single source IP e.g. the loopback interface.
 
-  set vpn l2tp remote-access outside-address 192.0.2.2
-  set vpn l2tp remote-access client-ip-pool L2TP-POOL range 192.168.255.2-192.168.255.254
-  set vpn l2tp remote-access default-pool 'L2TP-POOL'
-  set vpn l2tp remote-access lns shared-secret 'secret'
-  set vpn l2tp remote-access ccp-disable
-  set vpn l2tp remote-access authentication mode local
-  set vpn l2tp remote-access authentication local-users username test password 'test'
+.. cfgcmd:: set vpn l2tp remote-access authentication radius source-address <address>
 
-The example above uses 192.0.2.2 as external IP address. A LAC normally requires
-an authentication password, which is set in the example configuration to
-``lns shared-secret 'secret'``. This setup requires the Compression Control
-Protocol (CCP) being disabled, the command ``set vpn l2tp remote-access
-ccp-disable`` accomplishes that.
+  Source IPv4 address used in all RADIUS server queires.
 
+.. note:: The ``source-address`` must be configured on one of VyOS interface.
+   Best practice would be a loopback or dummy interface.
 
-Bandwidth Shaping
-=================
+RADIUS advanced options
+=======================
 
-Bandwidth rate limits can be set for local users or via RADIUS based attributes.
+.. cfgcmd:: set vpn l2tp remote-access authentication radius server <server> port <port>
 
-Bandwidth Shaping for local users
-^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+  Configure RADIUS `<server>` and its required port for authentication requests.
 
-The rate-limit is set in kbit/sec.
+.. cfgcmd:: set vpn l2tp remote-access authentication radius server <server> fail-time <time>
 
-.. code-block:: none
+  Mark RADIUS server as offline for this given `<time>` in seconds.
 
-  set vpn l2tp remote-access outside-address 192.0.2.2
-  set vpn l2tp remote-access client-ip-pool L2TP-POOL range 192.168.255.2-192.168.255.254
-  set vpn l2tp remote-access default-pool 'L2TP-POOL'
-  set vpn l2tp remote-access authentication mode local
-  set vpn l2tp remote-access authentication local-users username test password test
-  set vpn l2tp remote-access authentication local-users username test rate-limit download 20480
-  set vpn l2tp remote-access authentication local-users username test rate-limit upload 10240
+.. cfgcmd:: set vpn l2tp remote-access authentication radius server <server> disable
 
-  vyos@vyos:~$ show l2tp-server sessions
-   ifname | username |      ip       | ip6 | ip6-dp | calling-sid | rate-limit | state  |  uptime  | rx-bytes | tx-bytes
-  --------+----------+---------------+-----+--------+-------------+------------+--------+----------+----------+----------
-   l2tp0  | test     | 192.168.255.3 |     |        | 192.168.0.36 |            | active | 02:01:47 | 7.7 KiB  | 1.2 KiB
+  Temporary disable this RADIUS server.
 
+.. cfgcmd:: set vpn l2tp remote-access authentication radius acct-timeout <timeout>
 
-RADIUS authentication
-======================
+  Timeout to wait reply for Interim-Update packets. (default 3 seconds)
 
-To enable RADIUS based authentication, the authentication mode needs to be
-changed within the configuration. Previous settings like the local users, still
-exists within the configuration, however they are not used if the mode has been
-changed from local to radius. Once changed back to local, it will use all local
-accounts again.
+.. cfgcmd:: set vpn l2tp remote-access authentication radius dynamic-author server <address>
 
-.. code-block:: none
+  Specifies IP address for Dynamic Authorization Extension server (DM/CoA)
 
-  set vpn l2tp remote-access authentication mode <local|radius>
+.. cfgcmd:: set vpn l2tp remote-access authentication radius dynamic-author port <port>
 
-Since the RADIUS server would be a single point of failure, multiple RADIUS
-servers can be setup and will be used subsequentially.
+  Port for Dynamic Authorization Extension server (DM/CoA)
 
-.. code-block:: none
+.. cfgcmd:: set vpn l2tp remote-access authentication radius dynamic-author key <secret>
 
-  set vpn l2tp remote-access authentication radius server 10.0.0.1 key 'foo'
-  set vpn l2tp remote-access authentication radius server 10.0.0.2 key 'foo'
+  Secret for Dynamic Authorization Extension server (DM/CoA)
 
-.. note:: Some RADIUS_ severs use an access control list which allows or denies
-   queries, make sure to add your VyOS router to the allowed client list.
+.. cfgcmd:: set vpn l2tp remote-access authentication radius max-try <number>
 
-RADIUS source address
-^^^^^^^^^^^^^^^^^^^^^
+  Maximum number of tries to send Access-Request/Accounting-Request queries
 
-If you are using OSPF as IGP, always the closest interface connected to the
-RADIUS server is used. With VyOS 1.2 you can bind all outgoing RADIUS requests
-to a single source IP e.g. the loopback interface.
+.. cfgcmd:: set vpn l2tp remote-access authentication radius timeout <timeout>
 
-.. code-block:: none
+  Timeout to wait response from server (seconds)
 
-  set vpn l2tp remote-access authentication radius source-address 10.0.0.3
+.. cfgcmd:: set vpn l2tp remote-access authentication radius nas-identifier <identifier>
 
-Above command will use `10.0.0.3` as source IPv4 address for all RADIUS queries
-on this NAS.
+  Value to send to RADIUS server in NAS-Identifier attribute and to be matched
+  in DM/CoA requests.
 
-.. note:: The ``source-address`` must be configured on one of VyOS interface.
-   Best practice would be a loopback or dummy interface.
+.. cfgcmd:: set vpn l2tp remote-access authentication radius nas-ip-address <address>
 
-RADIUS bandwidth shaping attribute
-^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+  Value to send to RADIUS server in NAS-IP-Address attribute and to be matched
+  in DM/CoA requests. Also DM/CoA server will bind to that address.
 
-To enable bandwidth shaping via RADIUS, the option rate-limit needs to be
-enabled.
+.. cfgcmd:: set vpn l2tp remote-access authentication radius source-address <address>
 
-.. code-block:: none
+  Source IPv4 address used in all RADIUS server queires.
 
-  set vpn l2tp remote-access authentication radius rate-limit enable
+.. cfgcmd:: set vpn l2tp remote-access authentication radius rate-limit attribute <attribute>
 
-The default RADIUS attribute for rate limiting is ``Filter-Id``, but you may
-also redefine it.
+  Specifies which RADIUS server attribute contains the rate limit information.
+  The default attribute is `Filter-Id`.
 
-.. code-block:: none
+.. note:: If you set a custom RADIUS attribute you must define it on both
+   dictionaries at RADIUS server and client.
 
-  set vpn l2tp remote-access authentication radius rate-limit attribute Download-Speed
+.. cfgcmd:: set vpn l2tp remote-access authentication radius rate-limit enable
 
-.. note:: If you set a custom RADIUS attribute you must define it on both
-   dictionaries at RADIUS server and client, which is the vyos router in our
-   example.
+  Enables bandwidth shaping via RADIUS.
 
-The RADIUS dictionaries in VyOS are located at ``/usr/share/accel-ppp/radius/``
+.. cfgcmd:: set vpn l2tp remote-access authentication radius rate-limit vendor
 
-RADIUS advanced features
-^^^^^^^^^^^^^^^^^^^^^^^^
+  Specifies the vendor dictionary, dictionary needs to be in
+  /usr/share/accel-ppp/radius.
 
 Received RADIUS attributes have a higher priority than parameters defined within
 the CLI configuration, refer to the explanation below.
 
 Allocation clients ip addresses by RADIUS
-*****************************************
+=========================================
 
 If the RADIUS server sends the attribute ``Framed-IP-Address`` then this IP
-address will be allocated to the client and the option ip-pool within the CLI
+address will be allocated to the client and the option ``default-pool`` within the CLI
 config is being ignored.
 
+If the RADIUS server sends the attribute ``Framed-Pool``, IP address will be allocated
+from a predefined IP pool whose name equals the attribute value.
+
+If the RADIUS server sends the attribute ``Stateful-IPv6-Address-Pool``, IPv6 address
+will be allocated from a predefined IPv6 pool ``prefix`` whose name equals the attribute value.
+
+If the RADIUS server sends the attribute ``Delegated-IPv6-Prefix-Pool``, IPv6
+delegation pefix will be allocated from a predefined IPv6 pool ``delegate``
+whose name equals the attribute value.
+
+.. note:: ``Stateful-IPv6-Address-Pool`` and ``Delegated-IPv6-Prefix-Pool`` are defined in
+          RFC6911. If they are not defined in your RADIUS server, add new dictionary_.
+
+User interface can be put to VRF context via RADIUS Access-Accept packet, or change
+it via RADIUS CoA. ``Accel-VRF-Name`` is used from these purposes. It is custom `ACCEL-PPP attribute`_.
+Define it in your RADIUS server.
+
 Renaming clients interfaces by RADIUS
-*************************************
+=====================================
 
 If the RADIUS server uses the attribute ``NAS-Port-Id``, ppp tunnels will be
 renamed.
@@ -221,6 +265,301 @@ renamed.
 .. note:: The value of the attribute ``NAS-Port-Id`` must be less than 16
    characters, otherwise the interface won't be renamed.
 
+*************************************
+Configuring LNS (L2TP Network Server)
+*************************************
+
+LNS are often used to connect to a LAC (L2TP Access Concentrator).
+
+.. cfgcmd:: set vpn l2tp remote-access lns host-name <hostname>
+
+  Sent to the client (LAC) in the Host-Name attribute
+
+.. cfgcmd:: set vpn l2tp remote-access lns shared-secret <secret>
+
+   Tunnel password used to authenticate the client (LAC)
+
+To explain the usage of LNS follow our blueprint :ref:`examples-lac-lns`.
+
+****
+IPv6
+****
+.. cfgcmd:: set vpn l2tp remote-access ppp-options ipv6 <require | prefer | allow | deny>
+
+  Specifies IPv6 negotiation preference.
+
+  * **require** - Require IPv6 negotiation
+  * **prefer** - Ask client for IPv6 negotiation, do not fail if it rejects
+  * **allow** - Negotiate IPv6 only if client requests
+  * **deny** - Do not negotiate IPv6 (default value)
+
+.. cfgcmd:: set vpn l2tp remote-access client-ipv6-pool <IPv6-POOL-NAME> prefix <address>
+   mask <number-of-bits>
+
+  Use this comand to set the IPv6 address pool from which an l2tp client
+  will get an IPv6 prefix of your defined length (mask) to terminate the
+  l2tp endpoint at their side. The mask length can be set from 48 to 128
+  bit long, the default value is 64.
+
+.. cfgcmd:: set vpn l2tp remote-access client-ipv6-pool <IPv6-POOL-NAME> delegate <address>
+   delegation-prefix <number-of-bits>
+
+  Use this command to configure DHCPv6 Prefix Delegation (RFC3633) on
+  l2tp. You will have to set your IPv6 pool and the length of the
+  delegation prefix. From the defined IPv6 pool you will be handing out
+  networks of the defined length (delegation-prefix). The length of the
+  delegation prefix can be set from 32 to 64 bit long.
+
+.. cfgcmd:: set vpn l2tp remote-access default-ipv6-pool <IPv6-POOL-NAME>
+
+   Use this command to define default IPv6 address pool name.
+
+.. code-block:: none
+
+  set vpn l2tp remote-access ppp-options ipv6 allow
+  set vpn l2tp remote-access client-ipv6-pool IPv6-POOL delegate '2001:db8:8003::/48' delegation-prefix '56'
+  set vpn l2tp remote-access client-ipv6-pool IPV6-POOL prefix '2001:db8:8002::/48' mask '64'
+  set vpn l2tp remote-access default-ipv6-pool IPv6-POOL
+
+IPv6 Advanced Options
+=====================
+.. cfgcmd:: set vpn l2tp remote-access ppp-options ipv6-accept-peer-interface-id
+
+  Accept peer interface identifier. By default is not defined.
+
+.. cfgcmd:: set vpn l2tp remote-access ppp-options ipv6-interface-id <random | x:x:x:x>
+
+  Specifies fixed or random interface identifier for IPv6.
+  By default is fixed.
+
+  * **random** - Random interface identifier for IPv6
+  * **x:x:x:x** - Specify interface identifier for IPv6
+
+.. cfgcmd:: set vpn l2tp remote-access ppp-options ipv6-interface-id <random | x:x:x:x>
+
+  Specifies peer interface identifier for IPv6. By default is fixed.
+
+  * **random** - Random interface identifier for IPv6
+  * **x:x:x:x** - Specify interface identifier for IPv6
+  * **ipv4-addr** - Calculate interface identifier from IPv4 address.
+  * **calling-sid** - Calculate interface identifier from calling-station-id.
+
+*********
+Scripting
+*********
+
+.. cfgcmd:: set vpn l2tp remote-access extended-scripts on-change <path_to_script>
+
+  Script to run when session interface changed by RADIUS CoA handling
+
+.. cfgcmd:: set vpn l2tp remote-access extended-scripts on-down <path_to_script>
+
+  Script to run when session interface going to terminate
+
+.. cfgcmd:: set vpn l2tp remote-access extended-scripts on-pre-up <path_to_script>
+
+  Script to run before session interface comes up
+
+.. cfgcmd:: set vpn l2tp remote-access extended-scripts on-up <path_to_script>
+
+  Script to run when session interface is completely configured and started
+
+****************
+Advanced Options
+****************
+
+Authentication Advanced Options
+===============================
+
+.. cfgcmd:: set vpn l2tp remote-access authentication local-users username <user> disable
+
+  Disable `<user>` account.
+
+.. cfgcmd:: set vpn l2tp remote-access authentication local-users username <user> static-ip
+   <address>
+
+  Assign static IP address to `<user>` account.
+
+.. cfgcmd:: set vpn l2tp remote-access authentication local-users username <user> rate-limit
+   download <bandwidth>
+
+  Download bandwidth limit in kbit/s for `<user>`.
+
+.. cfgcmd:: set vpn l2tp remote-access authentication local-users username <user> rate-limit
+   upload <bandwidth>
+
+  Upload bandwidth limit in kbit/s for `<user>`.
+
+.. cfgcmd:: set vpn l2tp remote-access authentication protocols
+   <pap | chap | mschap | mschap-v2>
+
+  Require the peer to authenticate itself using one of the following protocols:
+  pap, chap, mschap, mschap-v2.
+
+Client IP Pool Advanced Options
+===============================
+
+.. cfgcmd:: set vpn l2tp remote-access client-ip-pool <POOL-NAME> next-pool <NEXT-POOL-NAME>
+
+   Use this command to define the next address pool name.
+
+PPP Advanced Options
+====================
+
+.. cfgcmd:: set vpn l2tp remote-access ppp-options disable-ccp
+
+  Disable Compression Control Protocol (CCP).
+  CCP is enabled by default.
+
+.. cfgcmd:: set vpn l2tp remote-access ppp-options interface-cache <number>
+
+  Specifies number of interfaces to keep in cache. It means that don’t
+  destroy interface after corresponding session is destroyed, instead
+  place it to cache and use it later for new sessions repeatedly.
+  This should reduce kernel-level interface creation/deletion rate lack.
+  Default value is **0**.
+
+.. cfgcmd:: set vpn l2tp remote-access ppp-options ipv4 <require | prefer | allow | deny>
+
+  Specifies IPv4 negotiation preference.
+
+  * **require** - Require IPv4 negotiation
+  * **prefer** - Ask client for IPv4 negotiation, do not fail if it rejects
+  * **allow** - Negotiate IPv4 only if client requests (Default value)
+  * **deny** - Do not negotiate IPv4
+
+.. cfgcmd:: set vpn l2tp remote-access ppp-options lcp-echo-failure <number>
+
+  Defines the maximum `<number>` of unanswered echo requests. Upon reaching the
+  value `<number>`, the session will be reset. Default value is **3**.
+
+.. cfgcmd:: set vpn l2tp remote-access ppp-options lcp-echo-interval <interval>
+
+  If this option is specified and is greater than 0, then the PPP module will
+  send LCP pings of the echo request every `<interval>` seconds.
+  Default value is **30**.
+
+.. cfgcmd:: set vpn l2tp remote-access ppp-options lcp-echo-timeout
+
+  Specifies timeout in seconds to wait for any peer activity. If this option
+  specified it turns on adaptive lcp echo functionality and "lcp-echo-failure"
+  is not used. Default value is **0**.
+
+.. cfgcmd:: set vpn l2tp remote-access ppp-options min-mtu <number>
+
+  Defines minimum acceptable MTU. If client will try to negotiate less then
+  specified MTU then it will be NAKed or disconnected if rejects greater MTU.
+  Default value is **100**.
+
+.. cfgcmd:: set vpn l2tp remote-access ppp-options mppe <require | prefer | deny>
+
+  Specifies :abbr:`MPPE (Microsoft Point-to-Point Encryption)` negotiation
+  preference.
+
+  * **require** - ask client for mppe, if it rejects drop connection
+  * **prefer** - ask client for mppe, if it rejects don't fail. (Default value)
+  * **deny** - deny mppe
+
+  Default behavior - don't ask client for mppe, but allow it if client wants.
+  Please note that RADIUS may override this option by MS-MPPE-Encryption-Policy
+  attribute.
+
+.. cfgcmd:: set vpn l2tp remote-access ppp-options mru <number>
+
+  Defines preferred MRU. By default is not defined.
+
+Global Advanced options
+=======================
+
+.. cfgcmd:: set vpn l2tp remote-access description <description>
+
+  Set description.
+
+.. cfgcmd::  set vpn l2tp remote-access limits burst <value>
+
+  Burst count
+
+.. cfgcmd:: set vpn l2tp remote-access limits connection-limit <value>
+
+  Acceptable rate of connections (e.g. 1/min, 60/sec)
+
+.. cfgcmd:: set vpn l2tp remote-access limits timeout <value>
+
+  Timeout in seconds
+
+.. cfgcmd:: set vpn l2tp remote-access mtu
+
+  Maximum Transmission Unit (MTU) (default: **1436**)
+
+.. cfgcmd:: set vpn l2tp remote-access max-concurrent-sessions
+
+  Maximum number of concurrent session start attempts
+
+.. cfgcmd:: set vpn l2tp remote-access name-server <address>
+
+  Connected client should use `<address>` as their DNS server. This
+  command accepts both IPv4 and IPv6 addresses. Up to two nameservers
+  can be configured for IPv4, up to three for IPv6.
+
+.. cfgcmd:: set vpn l2tp remote-access shaper fwmark <1-2147483647>
+
+  Match firewall mark value
+
+.. cfgcmd:: set vpn l2tp remote-access snmp master-agent
+
+  Enable SNMP
+
+.. cfgcmd:: set vpn l2tp remote-access wins-server <address>
+
+  Windows Internet Name Service (WINS) servers propagated to client
+
+**********
+Monitoring
+**********
+
+.. code-block:: none
+
+  vyos@vyos:~$ show l2tp-server sessions
+   ifname | username |      ip       | ip6 | ip6-dp | calling-sid | rate-limit | state  |  uptime  | rx-bytes | tx-bytes
+  --------+----------+---------------+-----+--------+-------------+------------+--------+----------+----------+----------
+   l2tp0  | test     | 192.168.255.3 |     |        | 192.168.0.36 |            | active | 02:01:47 | 7.7 KiB  | 1.2 KiB
+
+.. code-block:: none
+
+    vyos@vyos:~$ show l2tp-server statistics
+     uptime: 0.02:49:49
+    cpu: 0%
+    mem(rss/virt): 5920/100892 kB
+    core:
+      mempool_allocated: 133202
+      mempool_available: 131770
+      thread_count: 1
+      thread_active: 1
+      context_count: 5
+      context_sleeping: 0
+      context_pending: 0
+      md_handler_count: 3
+      md_handler_pending: 0
+      timer_count: 0
+      timer_pending: 0
+    sessions:
+      starting: 0
+      active: 0
+      finishing: 0
+    l2tp:
+      tunnels:
+        starting: 0
+        active: 0
+        finishing: 0
+      sessions (control channels):
+        starting: 0
+        active: 0
+        finishing: 0
+      sessions (data channels):
+        starting: 0
+        active: 0
+        finishing: 0
+
 
 .. _`Google Public DNS`: https://developers.google.com/speed/public-dns
 .. _Quad9: https://quad9.net
@@ -230,3 +569,5 @@ renamed.
 .. _FreeRADIUS: https://freeradius.org
 .. _`Network Policy Server`: https://en.wikipedia.org/wiki/Network_Policy_Server
 .. _accel-ppp: https://accel-ppp.org/
+.. _dictionary: https://github.com/accel-ppp/accel-ppp/blob/master/accel-pppd/radius/dict/dictionary.rfc6911
+.. _`ACCEL-PPP attribute`: https://github.com/accel-ppp/accel-ppp/blob/master/accel-pppd/radius/dict/dictionary.accel
diff --git a/docs/configuration/vpn/openconnect.rst b/docs/configuration/vpn/openconnect.rst
index 1cc197e9..845d9196 100644
--- a/docs/configuration/vpn/openconnect.rst
+++ b/docs/configuration/vpn/openconnect.rst
@@ -165,6 +165,13 @@ Simple setup with one user added and password authentication:
   set vpn openconnect ssl ca-certificate 'ca-ocserv'
   set vpn openconnect ssl certificate 'srv-ocserv'
 
+To enable the HTTP security headers in the configuration file, use the command:
+
+.. code-block:: none
+
+  set vpn openconnect http-security-headers
+
+
 Adding a 2FA with an OTP-key
 ============================
 
diff --git a/docs/configuration/vpn/pptp.rst b/docs/configuration/vpn/pptp.rst
index fe536eec..2a5e7731 100644
--- a/docs/configuration/vpn/pptp.rst
+++ b/docs/configuration/vpn/pptp.rst
@@ -1,52 +1,552 @@
 .. _pptp:
 
+###########
 PPTP-Server
------------
+###########
 
 The Point-to-Point Tunneling Protocol (PPTP_) has been implemented in VyOS only
 for backwards compatibility. PPTP has many well known security issues and you 
 should use one of the many other new VPN implementations.
 
-As per default and if not otherwise defined, mschap-v2 is being used for
-authentication and mppe 128-bit (stateless) for encryption. If no
-gateway-address is set within the configuration, the lowest IP out of the /24
-client-ip-pool is being used. For instance, in the example below it would be
-192.168.0.1.
-
-server example
-^^^^^^^^^^^^^^
+***********************
+Configuring PPTP Server
+***********************
 
 .. code-block:: none
 
+  set vpn pptp remote-access authentication mode local
   set vpn pptp remote-access authentication local-users username test password 'test'
-  set vpn pptp remote-access authentication mode 'local'
-  set vpn pptp remote-access client-ip-pool PPTP-POOL range 192.168.0.10-192.168.0.15
+  set vpn pptp remote-access client-ip-pool PPTP-POOL range 192.168.255.2-192.168.255.254
   set vpn pptp remote-access default-pool 'PPTP-POOL'
-  set vpn pptp remote-access gateway-address '10.100.100.1'
-  set vpn pptp remote-access outside-address '10.1.1.120'
+  set vpn pptp remote-access outside-address 192.0.2.2
+  set vpn pptp remote-access gateway-address 192.168.255.1
+
+
+.. cfgcmd:: set vpn pptp remote-access authentication mode <local | radius>
+
+  Set authentication backend. The configured authentication backend is used
+  for all queries.
+
+  * **radius**: All authentication queries are handled by a configured RADIUS
+    server.
+  * **local**: All authentication queries are handled locally.
+  * **noauth**: Authentication disabled.
+
+.. cfgcmd:: set vpn pptp remote-access authentication local-users username <user> password
+   <pass>
+
+  Create `<user>` for local authentication on this system. The users password
+  will be set to `<pass>`.
+
+.. cfgcmd:: set vpn pptp remote-access client-ip-pool <POOL-NAME> range <x.x.x.x-x.x.x.x | x.x.x.x/x>
+
+   Use this command to define the first IP address of a pool of
+   addresses to be given to PPTP clients. If notation ``x.x.x.x-x.x.x.x``,
+   it must be within a /24 subnet. If notation ``x.x.x.x/x`` is
+   used there is possibility to set host/netmask.
+
+.. cfgcmd:: set vpn pptp remote-access default-pool <POOL-NAME>
+
+   Use this command to define default address pool name.
+
+.. cfgcmd:: set vpn pptp remote-access gateway-address <gateway>
+
+  Specifies single `<gateway>` IP address to be used as local address of PPP
+  interfaces.
+
+*********************************
+Configuring RADIUS authentication
+*********************************
+
+To enable RADIUS based authentication, the authentication mode needs to be
+changed within the configuration. Previous settings like the local users, still
+exists within the configuration, however they are not used if the mode has been
+changed from local to radius. Once changed back to local, it will use all local
+accounts again.
+
+.. code-block:: none
+
+  set vpn pptp remote-access authentication mode radius
+
+.. cfgcmd:: set vpn pptp remote-access authentication radius server <server> key <secret>
+
+  Configure RADIUS `<server>` and its required shared `<secret>` for
+  communicating with the RADIUS server.
+
+Since the RADIUS server would be a single point of failure, multiple RADIUS
+servers can be setup and will be used subsequentially.
+For example:
+
+.. code-block:: none
+
+  set vpn pptp remote-access authentication radius server 10.0.0.1 key 'foo'
+  set vpn pptp remote-access authentication radius server 10.0.0.2 key 'foo'
+
+.. note:: Some RADIUS severs use an access control list which allows or denies
+   queries, make sure to add your VyOS router to the allowed client list.
+
+RADIUS source address
+=====================
+
+If you are using OSPF as IGP, always the closest interface connected to the
+RADIUS server is used. You can bind all outgoing RADIUS requests
+to a single source IP e.g. the loopback interface.
+
+.. cfgcmd:: set vpn pptp remote-access authentication radius source-address <address>
+
+  Source IPv4 address used in all RADIUS server queires.
+
+.. note:: The ``source-address`` must be configured on one of VyOS interface.
+   Best practice would be a loopback or dummy interface.
+
+RADIUS advanced options
+=======================
+
+.. cfgcmd:: set vpn pptp remote-access authentication radius server <server> port <port>
+
+  Configure RADIUS `<server>` and its required port for authentication requests.
+
+.. cfgcmd:: set vpn pptp remote-access authentication radius server <server> fail-time <time>
+
+  Mark RADIUS server as offline for this given `<time>` in seconds.
+
+.. cfgcmd:: set vpn pptp remote-access authentication radius server <server> disable
+
+  Temporary disable this RADIUS server.
+
+.. cfgcmd:: set vpn pptp remote-access authentication radius acct-timeout <timeout>
+
+  Timeout to wait reply for Interim-Update packets. (default 3 seconds)
+
+.. cfgcmd:: set vpn pptp remote-access authentication radius dynamic-author server <address>
+
+  Specifies IP address for Dynamic Authorization Extension server (DM/CoA)
+
+.. cfgcmd:: set vpn pptp remote-access authentication radius dynamic-author port <port>
+
+  Port for Dynamic Authorization Extension server (DM/CoA)
+
+.. cfgcmd:: set vpn pptp remote-access authentication radius dynamic-author key <secret>
+
+  Secret for Dynamic Authorization Extension server (DM/CoA)
+
+.. cfgcmd:: set vpn pptp remote-access authentication radius max-try <number>
+
+  Maximum number of tries to send Access-Request/Accounting-Request queries
+
+.. cfgcmd:: set vpn pptp remote-access authentication radius timeout <timeout>
+
+  Timeout to wait response from server (seconds)
+
+.. cfgcmd:: set vpn pptp remote-access authentication radius nas-identifier <identifier>
+
+  Value to send to RADIUS server in NAS-Identifier attribute and to be matched
+  in DM/CoA requests.
+
+.. cfgcmd:: set vpn pptp remote-access authentication radius nas-ip-address <address>
+
+  Value to send to RADIUS server in NAS-IP-Address attribute and to be matched
+  in DM/CoA requests. Also DM/CoA server will bind to that address.
+
+.. cfgcmd:: set vpn pptp remote-access authentication radius source-address <address>
+
+  Source IPv4 address used in all RADIUS server queires.
+
+.. cfgcmd:: set vpn pptp remote-access authentication radius rate-limit attribute <attribute>
+
+  Specifies which RADIUS server attribute contains the rate limit information.
+  The default attribute is `Filter-Id`.
+
+.. note:: If you set a custom RADIUS attribute you must define it on both
+   dictionaries at RADIUS server and client.
+
+.. cfgcmd:: set vpn pptp remote-access authentication radius rate-limit enable
+
+  Enables bandwidth shaping via RADIUS.
+
+.. cfgcmd:: set vpn pptp remote-access authentication radius rate-limit vendor
+
+  Specifies the vendor dictionary, dictionary needs to be in
+  /usr/share/accel-ppp/radius.
+
+Received RADIUS attributes have a higher priority than parameters defined within
+the CLI configuration, refer to the explanation below.
+
+Allocation clients ip addresses by RADIUS
+=========================================
+
+If the RADIUS server sends the attribute ``Framed-IP-Address`` then this IP
+address will be allocated to the client and the option ``default-pool`` within the CLI
+config is being ignored.
+
+If the RADIUS server sends the attribute ``Framed-Pool``, IP address will be allocated
+from a predefined IP pool whose name equals the attribute value.
+
+If the RADIUS server sends the attribute ``Stateful-IPv6-Address-Pool``, IPv6 address
+will be allocated from a predefined IPv6 pool ``prefix`` whose name equals the attribute value.
+
+If the RADIUS server sends the attribute ``Delegated-IPv6-Prefix-Pool``, IPv6
+delegation pefix will be allocated from a predefined IPv6 pool ``delegate``
+whose name equals the attribute value.
+
+.. note:: ``Stateful-IPv6-Address-Pool`` and ``Delegated-IPv6-Prefix-Pool`` are defined in
+          RFC6911. If they are not defined in your RADIUS server, add new dictionary_.
+
+User interface can be put to VRF context via RADIUS Access-Accept packet, or change
+it via RADIUS CoA. ``Accel-VRF-Name`` is used from these purposes. It is custom `ACCEL-PPP attribute`_.
+Define it in your RADIUS server.
+
+Renaming clients interfaces by RADIUS
+=====================================
+
+If the RADIUS server uses the attribute ``NAS-Port-Id``, ppp tunnels will be
+renamed.
+
+.. note:: The value of the attribute ``NAS-Port-Id`` must be less than 16
+   characters, otherwise the interface won't be renamed.
+
+****
+IPv6
+****
+.. cfgcmd:: set vpn pptp remote-access ppp-options ipv6 <require | prefer | allow | deny>
+
+  Specifies IPv6 negotiation preference.
+
+  * **require** - Require IPv6 negotiation
+  * **prefer** - Ask client for IPv6 negotiation, do not fail if it rejects
+  * **allow** - Negotiate IPv6 only if client requests
+  * **deny** - Do not negotiate IPv6 (default value)
+
+.. cfgcmd:: set vpn pptp remote-access client-ipv6-pool <IPv6-POOL-NAME> prefix <address>
+   mask <number-of-bits>
+
+  Use this comand to set the IPv6 address pool from which an PPTP client
+  will get an IPv6 prefix of your defined length (mask) to terminate the
+  PPTP endpoint at their side. The mask length can be set from 48 to 128
+  bit long, the default value is 64.
+
+.. cfgcmd:: set vpn pptp remote-access client-ipv6-pool <IPv6-POOL-NAME> delegate <address>
+   delegation-prefix <number-of-bits>
+
+  Use this command to configure DHCPv6 Prefix Delegation (RFC3633) on
+  PPTP. You will have to set your IPv6 pool and the length of the
+  delegation prefix. From the defined IPv6 pool you will be handing out
+  networks of the defined length (delegation-prefix). The length of the
+  delegation prefix can be set from 32 to 64 bit long.
+
+.. cfgcmd:: set vpn pptp remote-access default-ipv6-pool <IPv6-POOL-NAME>
 
+   Use this command to define default IPv6 address pool name.
 
-client example (debian 9)
-^^^^^^^^^^^^^^^^^^^^^^^^^
+.. code-block:: none
+
+  set vpn pptp remote-access ppp-options ipv6 allow
+  set vpn pptp remote-access client-ipv6-pool IPv6-POOL delegate '2001:db8:8003::/48' delegation-prefix '56'
+  set vpn pptp remote-access client-ipv6-pool IPV6-POOL prefix '2001:db8:8002::/48' mask '64'
+  set vpn pptp remote-access default-ipv6-pool IPv6-POOL
+
+IPv6 Advanced Options
+=====================
+.. cfgcmd:: set vpn pptp remote-access ppp-options ipv6-accept-peer-interface-id
+
+  Accept peer interface identifier. By default is not defined.
+
+.. cfgcmd:: set vpn pptp remote-access ppp-options ipv6-interface-id <random | x:x:x:x>
+
+  Specifies fixed or random interface identifier for IPv6.
+  By default is fixed.
+
+  * **random** - Random interface identifier for IPv6
+  * **x:x:x:x** - Specify interface identifier for IPv6
+
+.. cfgcmd:: set vpn pptp remote-access ppp-options ipv6-interface-id <random | x:x:x:x>
+
+  Specifies peer interface identifier for IPv6. By default is fixed.
+
+  * **random** - Random interface identifier for IPv6
+  * **x:x:x:x** - Specify interface identifier for IPv6
+  * **ipv4-addr** - Calculate interface identifier from IPv4 address.
+  * **calling-sid** - Calculate interface identifier from calling-station-id.
+
+*********
+Scripting
+*********
+
+.. cfgcmd:: set vpn pptp remote-access extended-scripts on-change <path_to_script>
+
+  Script to run when session interface changed by RADIUS CoA handling
+
+.. cfgcmd:: set vpn pptp remote-access extended-scripts on-down <path_to_script>
+
+  Script to run when session interface going to terminate
+
+.. cfgcmd:: set vpn pptp remote-access extended-scripts on-pre-up <path_to_script>
+
+  Script to run before session interface comes up
+
+.. cfgcmd:: set vpn pptp remote-access extended-scripts on-up <path_to_script>
+
+  Script to run when session interface is completely configured and started
+
+****************
+Advanced Options
+****************
+
+Authentication Advanced Options
+===============================
+
+.. cfgcmd:: set vpn pptp remote-access authentication local-users username <user> disable
+
+  Disable `<user>` account.
+
+.. cfgcmd:: set vpn pptp remote-access authentication local-users username <user> static-ip
+   <address>
+
+  Assign static IP address to `<user>` account.
+
+.. cfgcmd:: set vpn pptp remote-access authentication local-users username <user> rate-limit
+   download <bandwidth>
+
+  Download bandwidth limit in kbit/s for `<user>`.
+
+.. cfgcmd:: set vpn pptp remote-access authentication local-users username <user> rate-limit
+   upload <bandwidth>
+
+  Upload bandwidth limit in kbit/s for `<user>`.
+
+.. cfgcmd:: set vpn pptp remote-access authentication protocols
+   <pap | chap | mschap | mschap-v2>
+
+  Require the peer to authenticate itself using one of the following protocols:
+  pap, chap, mschap, mschap-v2.
+
+Client IP Pool Advanced Options
+===============================
+
+.. cfgcmd:: set vpn pptp remote-access client-ip-pool <POOL-NAME> next-pool <NEXT-POOL-NAME>
+
+   Use this command to define the next address pool name.
+
+PPP Advanced Options
+====================
+
+.. cfgcmd:: set vpn pptp remote-access ppp-options disable-ccp
+
+  Disable Compression Control Protocol (CCP).
+  CCP is enabled by default.
+
+.. cfgcmd:: set vpn pptp remote-access ppp-options interface-cache <number>
+
+  Specifies number of interfaces to keep in cache. It means that don’t
+  destroy interface after corresponding session is destroyed, instead
+  place it to cache and use it later for new sessions repeatedly.
+  This should reduce kernel-level interface creation/deletion rate lack.
+  Default value is **0**.
+
+.. cfgcmd:: set vpn pptp remote-access ppp-options ipv4 <require | prefer | allow | deny>
+
+  Specifies IPv4 negotiation preference.
 
-Install the client software via apt and execute pptpsetup to generate the
-configuration.
+  * **require** - Require IPv4 negotiation
+  * **prefer** - Ask client for IPv4 negotiation, do not fail if it rejects
+  * **allow** - Negotiate IPv4 only if client requests (Default value)
+  * **deny** - Do not negotiate IPv4
 
+.. cfgcmd:: set vpn pptp remote-access ppp-options lcp-echo-failure <number>
+
+  Defines the maximum `<number>` of unanswered echo requests. Upon reaching the
+  value `<number>`, the session will be reset. Default value is **3**.
+
+.. cfgcmd:: set vpn pptp remote-access ppp-options lcp-echo-interval <interval>
+
+  If this option is specified and is greater than 0, then the PPP module will
+  send LCP pings of the echo request every `<interval>` seconds.
+  Default value is **30**.
+
+.. cfgcmd:: set vpn pptp remote-access ppp-options lcp-echo-timeout
+
+  Specifies timeout in seconds to wait for any peer activity. If this option
+  specified it turns on adaptive lcp echo functionality and "lcp-echo-failure"
+  is not used. Default value is **0**.
+
+.. cfgcmd:: set vpn pptp remote-access ppp-options min-mtu <number>
+
+  Defines minimum acceptable MTU. If client will try to negotiate less then
+  specified MTU then it will be NAKed or disconnected if rejects greater MTU.
+  Default value is **100**.
+
+.. cfgcmd:: set vpn pptp remote-access ppp-options mppe <require | prefer | deny>
+
+  Specifies :abbr:`MPPE (Microsoft Point-to-Point Encryption)` negotiation
+  preference.
+
+  * **require** - ask client for mppe, if it rejects drop connection
+  * **prefer** - ask client for mppe, if it rejects don't fail. (Default value)
+  * **deny** - deny mppe
+
+  Default behavior - don't ask client for mppe, but allow it if client wants.
+  Please note that RADIUS may override this option by MS-MPPE-Encryption-Policy
+  attribute.
+
+.. cfgcmd:: set vpn pptp remote-access ppp-options mru <number>
+
+  Defines preferred MRU. By default is not defined.
+
+Global Advanced options
+=======================
+
+.. cfgcmd:: set vpn pptp remote-access description <description>
+
+  Set description.
+
+.. cfgcmd::  set vpn pptp remote-access limits burst <value>
+
+  Burst count
+
+.. cfgcmd:: set vpn pptp remote-access limits connection-limit <value>
+
+  Acceptable rate of connections (e.g. 1/min, 60/sec)
+
+.. cfgcmd:: set vpn pptp remote-access limits timeout <value>
+
+  Timeout in seconds
+
+.. cfgcmd:: set vpn pptp remote-access mtu
+
+  Maximum Transmission Unit (MTU) (default: **1436**)
+
+.. cfgcmd:: set vpn pptp remote-access max-concurrent-sessions
+
+  Maximum number of concurrent session start attempts
+
+.. cfgcmd:: set vpn pptp remote-access name-server <address>
+
+  Connected client should use `<address>` as their DNS server. This
+  command accepts both IPv4 and IPv6 addresses. Up to two nameservers
+  can be configured for IPv4, up to three for IPv6.
+
+.. cfgcmd:: set vpn pptp remote-access shaper fwmark <1-2147483647>
+
+  Match firewall mark value
+
+.. cfgcmd:: set vpn pptp remote-access snmp master-agent
+
+  Enable SNMP
+
+.. cfgcmd:: set vpn pptp remote-access wins-server <address>
+
+  Windows Internet Name Service (WINS) servers propagated to client
+
+**********
+Monitoring
+**********
+
+.. opcmd:: show pptp-server sessions
+
+   Use this command to locally check the active sessions in the PPTP
+   server.
 
 .. code-block:: none
 
-  apt-get install pptp-linux
-  pptpsetup --create TESTTUNNEL --server 10.1.1.120 --username test --password test --encrypt
-  pon TESTTUNNEL
+    vyos@vyos:~$ show pptp-server sessions
+     ifname | username |    ip    | ip6 | ip6-dp |   calling-sid  | rate-limit | state  |  uptime  | rx-bytes | tx-bytes
+    --------+----------+----------+-----+--------+----------------+------------+--------+----------+----------+----------
+     pptp0  | test     | 10.0.0.2 |     |        | 192.168.10.100 |            | active | 00:01:26 | 6.9 KiB  | 220 B
 
-The command pon TESTUNNEL establishes the PPTP tunnel to the remote system.
+.. code-block:: none
 
+    vyos@vyos:~$ show pptp-server statistics
+     uptime: 0.00:04:52
+    cpu: 0%
+    mem(rss/virt): 5504/100176 kB
+    core:
+      mempool_allocated: 152007
+      mempool_available: 149007
+      thread_count: 1
+      thread_active: 1
+      context_count: 6
+      context_sleeping: 0
+      context_pending: 0
+      md_handler_count: 6
+      md_handler_pending: 0
+      timer_count: 2
+      timer_pending: 0
+    sessions:
+      starting: 0
+      active: 1
+      finishing: 0
+    pptp:
+      starting: 0
+      active: 1
 
-All tunnel sessions can be checked via:
+***************
+Troubleshooting
+***************
 
 .. code-block:: none
 
-  run sh pptp-server sessions
-   ifname | username | calling-sid |      ip      | type | comp | state  |  uptime
-  --------+----------+-------------+--------------+------+------+--------+----------
-   ppp0   | test     | 10.1.1.99   | 192.168.0.10 | pptp | mppe | active | 00:00:58
+    vyos@vyos:~$sudo journalctl -u accel-ppp@pptp -b 0
+
+    Feb 29 14:58:57 vyos accel-pptp[4629]: pptp: new connection from 192.168.10.100
+    Feb 29 14:58:57 vyos accel-pptp[4629]: :: recv [PPTP Start-Ctrl-Conn-Request <Version 1> <Framing 1> <Bearer 1> <Max-Chan 0>]
+    Feb 29 14:58:57 vyos accel-pptp[4629]: :: send [PPTP Start-Ctrl-Conn-Reply <Version 1> <Result 1> <Error 0> <Framing 3> <Bearer 3> <Max-Chan 1>]
+    Feb 29 14:58:57 vyos accel-pptp[4629]: :: recv [PPTP Outgoing-Call-Request <Call-ID 2961> <Call-Serial 2> <Min-BPS 300> <Max-BPS 100000000> <Bearer 3> <Framing 3> <Window-Size 64> <Delay 0>]
+    Feb 29 14:58:57 vyos accel-pptp[4629]: :: send [PPTP Outgoing-Call-Reply <Call-ID 2> <Peer-Call-ID 2961> <Result 1> <Error 0> <Cause 0> <Speed 100000000> <Window-Size 64> <Delay 0> <Channel 0>]
+    Feb 29 14:58:57 vyos accel-pptp[4629]: :: lcp_layer_init
+    Feb 29 14:58:57 vyos accel-pptp[4629]: :: auth_layer_init
+    Feb 29 14:58:57 vyos accel-pptp[4629]: :: ccp_layer_init
+    Feb 29 14:58:57 vyos accel-pptp[4629]: :: ipcp_layer_init
+    Feb 29 14:58:57 vyos accel-pptp[4629]: :: ipv6cp_layer_init
+    Feb 29 14:58:57 vyos accel-pptp[4629]: :: ppp establishing
+    Feb 29 14:58:57 vyos accel-pptp[4629]: :: lcp_layer_start
+    Feb 29 14:58:57 vyos accel-pptp[4629]: :: send [LCP ConfReq id=75 <auth PAP> <mru 1436> <magic 483920bd>]
+    Feb 29 14:58:57 vyos accel-pptp[4629]: :: recv [PPTP Set-Link-Info]
+    Feb 29 14:58:57 vyos accel-pptp[4629]: :: recv [LCP ConfReq id=0 <mru 1400> <magic 0142785a> <pcomp> <accomp> < d 3 6 >]
+    Feb 29 14:58:57 vyos accel-pptp[4629]: :: send [LCP ConfRej id=0 <pcomp> <accomp> < d 3 6 >]
+    Feb 29 14:58:57 vyos accel-pptp[4629]: :: recv [LCP ConfReq id=1 <mru 1400> <magic 0142785a>]
+    Feb 29 14:58:57 vyos accel-pptp[4629]: :: send [LCP ConfAck id=1]
+    Feb 29 14:59:00 vyos accel-pptp[4629]: :: fsm timeout 9
+    Feb 29 14:59:00 vyos accel-pptp[4629]: :: send [LCP ConfReq id=75 <auth PAP> <mru 1436> <magic 483920bd>]
+    Feb 29 14:59:00 vyos accel-pptp[4629]: :: recv [LCP ConfNak id=75 <auth MSCHAP-v2>]
+    Feb 29 14:59:00 vyos accel-pptp[4629]: :: send [LCP ConfReq id=76 <auth CHAP-md5> <mru 1436> <magic 483920bd>]
+    Feb 29 14:59:00 vyos accel-pptp[4629]: :: recv [LCP ConfNak id=76 <auth MSCHAP-v2>]
+    Feb 29 14:59:00 vyos accel-pptp[4629]: :: send [LCP ConfReq id=77 <auth MSCHAP-v1> <mru 1436> <magic 483920bd>]
+    Feb 29 14:59:00 vyos accel-pptp[4629]: :: recv [LCP ConfNak id=77 <auth MSCHAP-v2>]
+    Feb 29 14:59:00 vyos accel-pptp[4629]: :: send [LCP ConfReq id=78 <auth MSCHAP-v2> <mru 1436> <magic 483920bd>]
+    Feb 29 14:59:00 vyos accel-pptp[4629]: :: recv [LCP ConfAck id=78 <auth MSCHAP-v2> <mru 1436> <magic 483920bd>]
+    Feb 29 14:59:00 vyos accel-pptp[4629]: :: lcp_layer_started
+    Feb 29 14:59:00 vyos accel-pptp[4629]: :: auth_layer_start
+    Feb 29 14:59:00 vyos accel-pptp[4629]: :: send [MSCHAP-v2 Challenge id=1 <8aa758781676e6a8e85c11963ee010>]
+    Feb 29 14:59:00 vyos accel-pptp[4629]: :: recv [LCP Ident id=2 <MSRASV5.20>]
+    Feb 29 14:59:00 vyos accel-pptp[4629]: :: recv [LCP Ident id=3 <MSRAS-0-MSEDGEWIN10>]
+    Feb 29 14:59:00 vyos accel-pptp[4629]: [43B blob data]
+    Feb 29 14:59:00 vyos accel-pptp[4629]: :: recv [PPTP Set-Link-Info]
+    Feb 29 14:59:00 vyos accel-pptp[4629]: :: recv [MSCHAP-v2 Response id=1 <90c21af1091f745e8bf22388b058>, <e695ae5aae274c88a3fa1ee3dc9057aece4d53c87b9fea>, F=0, name="test"]
+    Feb 29 14:59:00 vyos accel-pptp[4629]: ppp0:test: connect: ppp0 <--> pptp(192.168.10.100)
+    Feb 29 14:59:00 vyos accel-pptp[4629]: ppp0:test: ppp connected
+    Feb 29 14:59:00 vyos accel-pptp[4629]: ppp0:test: send [MSCHAP-v2 Success id=1 "S=347F417CF04BEBBC7F75CFA7F43474C36FB218F9 M=Authentication succeeded"]
+    Feb 29 14:59:00 vyos accel-pptp[4629]: ppp0:test: test: authentication succeeded
+    Feb 29 14:59:00 vyos accel-pptp[4629]: ppp0:test: auth_layer_started
+    Feb 29 14:59:00 vyos accel-pptp[4629]: ppp0:test: ccp_layer_start
+    Feb 29 14:59:00 vyos accel-pptp[4629]: ppp0:test: send [CCP ConfReq id=b9 <mppe +H -M +S -L -D -C>]
+    Feb 29 14:59:00 vyos accel-pptp[4629]: ppp0:test: ipcp_layer_start
+    Feb 29 14:59:00 vyos accel-pptp[4629]: ppp0:test: ipv6cp_layer_start
+    Feb 29 14:59:00 vyos accel-pptp[4629]: ppp0:test: IPV6CP: discarding packet
+    Feb 29 14:59:00 vyos accel-pptp[4629]: ppp0:test: send [LCP ProtoRej id=122 <8057>]
+    Feb 29 14:59:00 vyos accel-pptp[4629]: ppp0:test: recv [IPCP ConfReq id=6 <addr 0.0.0.0> <dns1 0.0.0.0> <wins1 0.0.0.0> <dns2 0.0.0.0> <wins2 0.0.0.0>]
+    Feb 29 14:59:00 vyos accel-pptp[4629]: ppp0:test: send [IPCP ConfReq id=3b <addr 10.0.0.1>]
+    Feb 29 14:59:00 vyos accel-pptp[4629]: ppp0:test: send [IPCP ConfRej id=6 <dns1 0.0.0.0> <wins1 0.0.0.0> <dns2 0.0.0.0> <wins2 0.0.0.0>]
+    Feb 29 14:59:00 vyos accel-pptp[4629]: ppp0:test: recv [LCP ProtoRej id=7 <80fd>]
+    Feb 29 14:59:00 vyos accel-pptp[4629]: ppp0:test: ccp_layer_finished
+    Feb 29 14:59:00 vyos accel-pptp[4629]: ppp0:test: recv [IPCP ConfAck id=3b <addr 10.0.0.1>]
+    Feb 29 14:59:00 vyos accel-pptp[4629]: ppp0:test: recv [IPCP ConfReq id=8 <addr 0.0.0.0>]
+    Feb 29 14:59:00 vyos accel-pptp[4629]: ppp0:test: send [IPCP ConfNak id=8 <addr 10.0.0.2>]
+    Feb 29 14:59:00 vyos accel-pptp[4629]: ppp0:test: recv [IPCP ConfReq id=9 <addr 10.0.0.2>]
+    Feb 29 14:59:00 vyos accel-pptp[4629]: ppp0:test: send [IPCP ConfAck id=9]
+    Feb 29 14:59:00 vyos accel-pptp[4629]: ppp0:test: ipcp_layer_started
+    Feb 29 14:59:00 vyos accel-pptp[4629]: ppp0:test: rename interface to 'pptp0'
+    Feb 29 14:59:00 vyos accel-pptp[4629]: pptp0:test: pptp: ppp started
+
+.. _accel-ppp: https://accel-ppp.org/
+.. _dictionary: https://github.com/accel-ppp/accel-ppp/blob/master/accel-pppd/radius/dict/dictionary.rfc6911
+.. _`ACCEL-PPP attribute`: https://github.com/accel-ppp/accel-ppp/blob/master/accel-pppd/radius/dict/dictionary.accel
diff --git a/docs/configuration/vpn/site2site_ipsec.rst b/docs/configuration/vpn/site2site_ipsec.rst
index 23df1b76..ab0f623f 100644
--- a/docs/configuration/vpn/site2site_ipsec.rst
+++ b/docs/configuration/vpn/site2site_ipsec.rst
@@ -16,7 +16,8 @@ special characters. It is purely informational.
 Each site-to-site peer has the next options:
 
 * ``authentication`` - configure authentication between VyOS and a remote peer.
-  Suboptions:
+  If pre-shared-secret mode is used, the secret key must be defined in 
+  ``set vpn ipsec authentication`` and suboptions:
 
  * ``psk`` - Preshared secret key name:
 
@@ -36,8 +37,7 @@ Each site-to-site peer has the next options:
 
   * ``pre-shared-secret`` - use predefined shared secret phrase;
 
-  * ``rsa`` - use simple shared RSA key. The key must be defined in the
-    ``set vpn rsa-keys`` section;
+  * ``rsa`` - use simple shared RSA key.
 
   * ``x509`` - use certificates infrastructure for authentication.
 
@@ -45,29 +45,26 @@ Each site-to-site peer has the next options:
    address. Useful in case if the remote peer is behind NAT or if ``mode x509``
    is used;
 
- * ``rsa-key-name`` - shared RSA key for authentication. The key must be defined
-   in the ``set vpn rsa-keys`` section;
+ * ``rsa`` - options for RSA authentication mode:
 
- * ``use-x509-id`` - use local ID from x509 certificate. Cannot be used when
-   ``id`` is defined;
+  * ``local-key`` - name of PKI key-pair with local private key
 
- * ``x509`` - options for x509 authentication mode:
+  * ``remote-key`` - name of PKI key-pair with remote public key
 
-  * ``ca-cert-file`` - CA certificate file. Using for authenticating
-    remote peer;
+  * ``passphrase`` - local private key passphrase
 
-  * ``cert-file`` - certificate file, which will be used for authenticating
-    local router on remote peer;
+ * ``use-x509-id`` - use local ID from x509 certificate. Cannot be used when
+   ``id`` is defined;
 
-  * ``crl-file`` - file with the Certificate Revocation List. Using to check if
-    a certificate for the remote peer is valid or revoked;
+ * ``x509`` - options for x509 authentication mode:
 
-  * ``key`` - a private key, which will be used for authenticating local router
-    on remote peer:
+  * ``ca-certificate`` - CA certificate in PKI configuration. Using for 
+    authenticating remote peer;
 
-   * ``file`` - path to the key file;
+  * ``certificate`` - certificate file in PKI configuration, which will be used
+    for authenticating local router on remote peer;
 
-   * ``password`` - passphrase private key, if needed.
+  * ``passphrase`` - private key passphrase, if needed.
 
 * ``connection-type`` - how to handle this connection process. Possible
   variants:
@@ -113,6 +110,9 @@ Each site-to-site peer has the next options:
   Hostname is a DNS name which could be used when a peer has a public IP
   address and DNS name, but an IP address could be changed from time to time.
 
+* ``replay-window`` - IPsec replay window to configure for this CHILD_SA 
+  (default: 32), a value of 0 disables IPsec replay protection
+
 * ``tunnel`` - define criteria for traffic to be matched for encrypting and send
   it to a peer:
 
@@ -127,6 +127,9 @@ Each site-to-site peer has the next options:
 
   * ``prefix`` - IP network at local side.
 
+ * ``priority`` - Add priority for policy-based IPSec VPN tunnels(lowest value 
+   more preferable)
+
  * ``protocol`` - define the protocol for match traffic, which should be
    encrypted and send to this peer;
 
@@ -317,7 +320,7 @@ Imagine the following topology
   set vpn ipsec esp-group ESP_DEFAULT proposal 10 encryption 'aes256gcm128'
   set vpn ipsec esp-group ESP_DEFAULT proposal 10 hash 'sha256'
   set vpn ipsec ike-group IKEv2_DEFAULT close-action 'none'
-  set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection action 'hold'
+  set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection action 'trap'
   set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection interval '30'
   set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection timeout '120'
   set vpn ipsec ike-group IKEv2_DEFAULT disable-mobike
@@ -357,7 +360,7 @@ Imagine the following topology
   set vpn ipsec esp-group ESP_DEFAULT proposal 10 encryption 'aes256gcm128'
   set vpn ipsec esp-group ESP_DEFAULT proposal 10 hash 'sha256'
   set vpn ipsec ike-group IKEv2_DEFAULT close-action 'none'
-  set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection action 'hold'
+  set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection action 'trap'
   set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection interval '30'
   set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection timeout '120'
   set vpn ipsec ike-group IKEv2_DEFAULT disable-mobike
@@ -397,18 +400,18 @@ Key Parameters:
   routes installed in the default table 220 for site-to-site ipsec.
   It is mostly used with VTI configuration.
 
-* ``dead-peer-detection action = clear | hold | restart`` - R_U_THERE
+* ``dead-peer-detection action = clear | trap | restart`` - R_U_THERE
   notification messages(IKEv1) or empty INFORMATIONAL messages (IKEv2)
   are periodically sent in order to check the liveliness of the IPsec peer. The
-  values clear, hold, and restart all activate DPD and determine the action to
+  values clear, trap, and restart all activate DPD and determine the action to
   perform on a timeout.
   With ``clear`` the connection is closed with no further actions taken.
-  ``hold`` installs a trap policy, which will catch matching traffic and tries
+  ``trap`` installs a trap policy, which will catch matching traffic and tries
   to re-negotiate the connection on demand.
   ``restart`` will immediately trigger an attempt to re-negotiate the
   connection.
 
-* ``close-action = none | clear | hold | restart`` - defines the action to take
+* ``close-action = none | clear | trap | start`` - defines the action to take
   if the remote peer unexpectedly closes a CHILD_SA (see above for meaning of
   values). A closeaction should not be used if the peer uses reauthentication or
   uniqueids.
diff --git a/docs/configuration/vpn/sstp.rst b/docs/configuration/vpn/sstp.rst
index d9bb4353..3749eb7b 100644
--- a/docs/configuration/vpn/sstp.rst
+++ b/docs/configuration/vpn/sstp.rst
@@ -19,81 +19,34 @@ local and RADIUS authentication.
 As SSTP provides PPP via a SSL/TLS channel the use of either publically signed
 certificates as well as a private PKI is required.
 
-.. note:: All certificates should be stored on VyOS under ``/config/auth``. If
-  certificates are not stored in the ``/config`` directory they will not be
-  migrated during a software update.
+***********************
+Configuring SSTP Server
+***********************
 
 Certificates
 ============
 
-Self Signed CA
---------------
-
-To generate the CA, the server private key and certificates the following
-commands can be used.
+Using our documentation chapter - :ref:`pki` generate and install CA and Server certificate
 
 .. code-block:: none
 
-  vyos@vyos:~$ mkdir -p /config/user-data/sstp
-  vyos@vyos:~$ openssl req -newkey rsa:4096 -new -nodes -x509 -days 3650 -keyout /config/user-data/sstp/server.key -out /config/user-data/sstp/server.crt
-
-  Generating a 4096 bit RSA private key
-  .........................++
-  ...............................................................++
-  writing new private key to 'server.key'
-  [...]
-  Country Name (2 letter code) [AU]:
-  State or Province Name (full name) [Some-State]:
-  Locality Name (eg, city) []:
-  Organization Name (eg, company) [Internet Widgits Pty Ltd]:
-  Organizational Unit Name (eg, section) []:
-  Common Name (e.g. server FQDN or YOUR name) []:
-  Email Address []:
-
-  vyos@vyos:~$ openssl req -new -x509 -key /config/user-data/sstp/server.key -out /config/user-data/sstp/ca.crt
-  [...]
-  Country Name (2 letter code) [AU]:
-  State or Province Name (full name) [Some-State]:
-  Locality Name (eg, city) []:
-  Organization Name (eg, company) [Internet Widgits Pty Ltd]:
-  Organizational Unit Name (eg, section) []:
-  Common Name (e.g. server FQDN or YOUR name) []:
-  Email Address []:
+    vyos@vyos:~$ generate pki ca install CA
+
+.. code-block:: none
 
+    vyos@vyos:~$ generate pki certificate sign CA install Server
 
 Configuration
 =============
+.. code-block:: none
 
-.. cfgcmd:: set vpn sstp authentication local-users username <user> password
-   <pass>
-
-  Create `<user>` for local authentication on this system. The users password
-  will be set to `<pass>`.
-
-.. cfgcmd:: set vpn sstp authentication local-users username <user> disable
-
-  Disable `<user>` account.
-
-.. cfgcmd:: set vpn sstp authentication local-users username <user> static-ip
-   <address>
-
-  Assign static IP address to `<user>` account.
-
-.. cfgcmd:: set vpn sstp authentication local-users username <user> rate-limit
-   download <bandwidth>
-
-  Download bandwidth limit in kbit/s for `<user>`.
-
-.. cfgcmd:: set vpn sstp authentication local-users username <user> rate-limit
-   upload <bandwidth>
-
-  Upload bandwidth limit in kbit/s for `<user>`.
-
-.. cfgcmd:: set vpn sstp authentication protocols
-   <pap | chap | mschap | mschap-v2>
-
-  Require the peer to authenticate itself using one of the following protocols:
-  pap, chap, mschap, mschap-v2.
+    set vpn sstp authentication local-users username test password 'test'
+    set vpn sstp authentication mode 'local'
+    set vpn sstp client-ip-pool SSTP-POOL range '10.0.0.2-10.0.0.100'
+    set vpn sstp default-pool 'SSTP-POOL'
+    set vpn sstp gateway-address '10.0.0.1'
+    set vpn sstp ssl ca-certificate 'CA1'
+    set vpn sstp ssl certificate 'Server'
 
 .. cfgcmd:: set vpn sstp authentication mode <local | radius>
 
@@ -104,17 +57,11 @@ Configuration
     server.
   * **local**: All authentication queries are handled locally.
 
+.. cfgcmd:: set vpn sstp authentication local-users username <user> password
+   <pass>
 
-.. cfgcmd:: set vpn sstp gateway-address <gateway>
-
-  Specifies single `<gateway>` IP address to be used as local address of PPP
-  interfaces.
-
-
-.. cfgcmd:: set vpn sstp port <port>
-
-  Specifies the port `<port>` that the SSTP port will listen on (default 443).
-
+  Create `<user>` for local authentication on this system. The users password
+  will be set to `<pass>`.
 
 .. cfgcmd:: set vpn sstp client-ip-pool <POOL-NAME> range <x.x.x.x-x.x.x.x | x.x.x.x/x>
 
@@ -123,101 +70,75 @@ Configuration
    it must be within a /24 subnet. If notation ``x.x.x.x/x`` is
    used there is possibility to set host/netmask.
 
-.. cfgcmd:: set vpn sstp client-ip-pool <POOL-NAME> next-pool <NEXT-POOL-NAME>
-
-   Use this command to define the next address pool name.
-
 .. cfgcmd:: set vpn sstp default-pool <POOL-NAME>
 
    Use this command to define default address pool name.
 
+.. cfgcmd:: set vpn sstp gateway-address <gateway>
 
-.. cfgcmd:: set vpn sstp client-ipv6-pool prefix <address> mask <number-of-bits>
-
-  Use this comand to set the IPv6 address pool from which an SSTP client
-  will get an IPv6 prefix of your defined length (mask) to terminate the
-  SSTP endpoint at their side. The mask length can be set from 48 to 128
-  bit long, the default value is 64.
-
-
-.. cfgcmd:: set vpn sstp client-ipv6-pool delegate <address> delegation-prefix
-   <number-of-bits>
-
-  Use this command to configure DHCPv6 Prefix Delegation (RFC3633) on
-  SSTP. You will have to set your IPv6 pool and the length of the
-  delegation prefix. From the defined IPv6 pool you will be handing out
-  networks of the defined length (delegation-prefix). The length of the
-  delegation prefix can be set from 32 to 64 bit long.
-
-
-.. cfgcmd:: set vpn sstp name-server <address>
-
-  Connected client should use `<address>` as their DNS server. This
-  command accepts both IPv4 and IPv6 addresses. Up to two nameservers
-  can be configured for IPv4, up to three for IPv6.
-
-Maximum number of IPv4 nameservers
+  Specifies single `<gateway>` IP address to be used as local address of PPP
+  interfaces.
 
-SSL Certificates
-----------------
+.. cfgcmd:: set vpn sstp ssl ca-certificate <file>
 
-.. cfgcmd:: set vpn sstp ssl ca-cert-file <file>
+  Name of installed certificate authority certificate.
 
-  Path to `<file>` pointing to the certificate authority certificate.
+.. cfgcmd:: set vpn sstp ssl certificate <file>
 
-.. cfgcmd:: set vpn sstp ssl cert-file <file>
+  Name of installed server certificate.
 
-  Path to `<file>` pointing to the servers certificate (public portion).
+*********************************
+Configuring RADIUS authentication
+*********************************
 
+To enable RADIUS based authentication, the authentication mode needs to be
+changed within the configuration. Previous settings like the local users, still
+exists within the configuration, however they are not used if the mode has been
+changed from local to radius. Once changed back to local, it will use all local
+accounts again.
 
-PPP Settings
-------------
+.. code-block:: none
 
-.. cfgcmd:: set vpn sstp ppp-options lcp-echo-failure <number>
+  set vpn sstp authentication mode radius
 
-  Defines the maximum `<number>` of unanswered echo requests. Upon reaching the
-  value `<number>`, the session will be reset.
+.. cfgcmd:: set vpn sstp authentication radius server <server> key <secret>
 
-.. cfgcmd:: set vpn sstp ppp-options lcp-echo-interval <interval>
+  Configure RADIUS `<server>` and its required shared `<secret>` for
+  communicating with the RADIUS server.
 
-  If this option is specified and is greater than 0, then the PPP module will
-  send LCP pings of the echo request every `<interval>` seconds.
+Since the RADIUS server would be a single point of failure, multiple RADIUS
+servers can be setup and will be used subsequentially.
+For example:
 
-.. cfgcmd:: set vpn sstp ppp-options lcp-echo-timeout
+.. code-block:: none
 
-  Specifies timeout in seconds to wait for any peer activity. If this option
-  specified it turns on adaptive lcp echo functionality and "lcp-echo-failure"
-  is not used.
+  set vpn sstp authentication radius server 10.0.0.1 key 'foo'
+  set vpn sstp authentication radius server 10.0.0.2 key 'foo'
 
-.. cfgcmd:: set vpn sstp ppp-options mppe <require | prefer | deny>
+.. note:: Some RADIUS severs use an access control list which allows or denies
+   queries, make sure to add your VyOS router to the allowed client list.
 
-  Specifies :abbr:`MPPE (Microsoft Point-to-Point Encryption)` negotioation
-  preference.
+RADIUS source address
+=====================
 
-  * **require** - ask client for mppe, if it rejects drop connection
-  * **prefer** - ask client for mppe, if it rejects don't fail
-  * **deny** - deny mppe
+If you are using OSPF as IGP, always the closest interface connected to the
+RADIUS server is used. You can bind all outgoing RADIUS requests
+to a single source IP e.g. the loopback interface.
 
-  Default behavior - don't ask client for mppe, but allow it if client wants.
-  Please note that RADIUS may override this option by MS-MPPE-Encryption-Policy
-  attribute.
+.. cfgcmd:: set vpn sstp authentication radius source-address <address>
 
+  Source IPv4 address used in all RADIUS server queires.
 
-RADIUS
-------
+.. note:: The ``source-address`` must be configured on one of VyOS interface.
+   Best practice would be a loopback or dummy interface.
 
-Server
-^^^^^^
+RADIUS advanced options
+=======================
 
 .. cfgcmd:: set vpn sstp authentication radius server <server> port <port>
 
   Configure RADIUS `<server>` and its required port for authentication requests.
 
-.. cfgcmd:: set vpn sstp authentication radius server <server> key <secret>
-
-  Configure RADIUS `<server>` and its required shared `<secret>` for
-  communicating with the RADIUS server.
-
 .. cfgcmd:: set vpn sstp authentication radius server <server> fail-time <time>
 
   Mark RADIUS server as offline for this given `<time>` in seconds.
@@ -226,9 +147,6 @@ Server
 
   Temporary disable this RADIUS server.
 
-Options
-^^^^^^^
-
 .. cfgcmd:: set vpn sstp authentication radius acct-timeout <timeout>
 
   Timeout to wait reply for Interim-Update packets. (default 3 seconds)
@@ -272,6 +190,9 @@ Options
   Specifies which RADIUS server attribute contains the rate limit information.
   The default attribute is `Filter-Id`.
 
+.. note:: If you set a custom RADIUS attribute you must define it on both
+   dictionaries at RADIUS server and client.
+
 .. cfgcmd:: set vpn sstp authentication radius rate-limit enable
 
   Enables bandwidth shaping via RADIUS.
@@ -281,33 +202,285 @@ Options
   Specifies the vendor dictionary, dictionary needs to be in
   /usr/share/accel-ppp/radius.
 
+Received RADIUS attributes have a higher priority than parameters defined within
+the CLI configuration, refer to the explanation below.
+
+Allocation clients ip addresses by RADIUS
+=========================================
+
+If the RADIUS server sends the attribute ``Framed-IP-Address`` then this IP
+address will be allocated to the client and the option ``default-pool`` within the CLI
+config is being ignored.
+
+If the RADIUS server sends the attribute ``Framed-Pool``, IP address will be allocated
+from a predefined IP pool whose name equals the attribute value.
+
+If the RADIUS server sends the attribute ``Stateful-IPv6-Address-Pool``, IPv6 address
+will be allocated from a predefined IPv6 pool ``prefix`` whose name equals the attribute value.
+
+If the RADIUS server sends the attribute ``Delegated-IPv6-Prefix-Pool``, IPv6
+delegation pefix will be allocated from a predefined IPv6 pool ``delegate``
+whose name equals the attribute value.
+
+.. note:: ``Stateful-IPv6-Address-Pool`` and ``Delegated-IPv6-Prefix-Pool`` are defined in
+          RFC6911. If they are not defined in your RADIUS server, add new dictionary_.
+
+User interface can be put to VRF context via RADIUS Access-Accept packet, or change
+it via RADIUS CoA. ``Accel-VRF-Name`` is used from these purposes. It is custom `ACCEL-PPP attribute`_.
+Define it in your RADIUS server.
+
+Renaming clients interfaces by RADIUS
+=====================================
+
+If the RADIUS server uses the attribute ``NAS-Port-Id``, ppp tunnels will be
+renamed.
 
-Example
-=======
+.. note:: The value of the attribute ``NAS-Port-Id`` must be less than 16
+   characters, otherwise the interface won't be renamed.
 
-* Use local user `foo` with password `bar`
-* Client IP addresses will be provided from pool `192.0.2.0/25`
+
+****
+IPv6
+****
+.. cfgcmd:: set vpn sstp ppp-options ipv6 <require | prefer | allow | deny>
+
+  Specifies IPv6 negotiation preference.
+
+  * **require** - Require IPv6 negotiation
+  * **prefer** - Ask client for IPv6 negotiation, do not fail if it rejects
+  * **allow** - Negotiate IPv6 only if client requests
+  * **deny** - Do not negotiate IPv6 (default value)
+
+.. cfgcmd:: set vpn sstp client-ipv6-pool <IPv6-POOL-NAME> prefix <address>
+   mask <number-of-bits>
+
+  Use this comand to set the IPv6 address pool from which an SSTP client
+  will get an IPv6 prefix of your defined length (mask) to terminate the
+  SSTP endpoint at their side. The mask length can be set from 48 to 128
+  bit long, the default value is 64.
+
+.. cfgcmd:: set vpn sstp client-ipv6-pool <IPv6-POOL-NAME> delegate <address>
+   delegation-prefix <number-of-bits>
+
+  Use this command to configure DHCPv6 Prefix Delegation (RFC3633) on
+  SSTP. You will have to set your IPv6 pool and the length of the
+  delegation prefix. From the defined IPv6 pool you will be handing out
+  networks of the defined length (delegation-prefix). The length of the
+  delegation prefix can be set from 32 to 64 bit long.
+
+.. cfgcmd:: set vpn sstp default-ipv6-pool <IPv6-POOL-NAME>
+
+   Use this command to define default IPv6 address pool name.
 
 .. code-block:: none
 
-  set vpn sstp authentication local-users username vyos password vyos
-  set vpn sstp authentication mode local
-  set vpn sstp gateway-address 192.0.2.254
-  set vpn sstp client-ip-pool SSTP-POOL range 192.0.2.0/25
-  set vpn sstp default-pool 'SSTP-POOL'
-  set vpn sstp name-server 10.0.0.1
-  set vpn sstp name-server 10.0.0.2
-  set vpn sstp ssl ca-cert-file /config/auth/ca.crt
-  set vpn sstp ssl cert-file /config/auth/server.crt
-  set vpn sstp ssl key-file /config/auth/server.key
-
-Testing SSTP
-============
+  set vpn sstp ppp-options ipv6 allow
+  set vpn sstp client-ipv6-pool IPv6-POOL delegate '2001:db8:8003::/48' delegation-prefix '56'
+  set vpn sstp client-ipv6-pool IPV6-POOL prefix '2001:db8:8002::/48' mask '64'
+  set vpn sstp default-ipv6-pool IPv6-POOL
+
+IPv6 Advanced Options
+=====================
+.. cfgcmd:: set vpn sstp ppp-options ipv6-accept-peer-interface-id
+
+  Accept peer interface identifier. By default is not defined.
+
+.. cfgcmd:: set vpn sstp ppp-options ipv6-interface-id <random | x:x:x:x>
+
+  Specifies fixed or random interface identifier for IPv6.
+  By default is fixed.
+
+  * **random** - Random interface identifier for IPv6
+  * **x:x:x:x** - Specify interface identifier for IPv6
+
+.. cfgcmd:: set vpn sstp ppp-options ipv6-interface-id <random | x:x:x:x>
+
+  Specifies peer interface identifier for IPv6. By default is fixed.
+
+  * **random** - Random interface identifier for IPv6
+  * **x:x:x:x** - Specify interface identifier for IPv6
+  * **ipv4-addr** - Calculate interface identifier from IPv4 address.
+  * **calling-sid** - Calculate interface identifier from calling-station-id.
+
+*********
+Scripting
+*********
+
+.. cfgcmd:: set vpn sstp extended-scripts on-change <path_to_script>
+
+  Script to run when session interface changed by RADIUS CoA handling
+
+.. cfgcmd:: set vpn sstp extended-scripts on-down <path_to_script>
+
+  Script to run when session interface going to terminate
+
+.. cfgcmd:: set vpn sstp extended-scripts on-pre-up <path_to_script>
+
+  Script to run before session interface comes up
+
+.. cfgcmd:: set vpn sstp extended-scripts on-up <path_to_script>
+
+  Script to run when session interface is completely configured and started
+
+****************
+Advanced Options
+****************
+
+Authentication Advanced Options
+===============================
+
+.. cfgcmd:: set vpn sstp authentication local-users username <user> disable
+
+  Disable `<user>` account.
+
+.. cfgcmd:: set vpn sstp authentication local-users username <user> static-ip
+   <address>
+
+  Assign static IP address to `<user>` account.
+
+.. cfgcmd:: set vpn sstp authentication local-users username <user> rate-limit
+   download <bandwidth>
+
+  Download bandwidth limit in kbit/s for `<user>`.
+
+.. cfgcmd:: set vpn sstp authentication local-users username <user> rate-limit
+   upload <bandwidth>
+
+  Upload bandwidth limit in kbit/s for `<user>`.
+
+.. cfgcmd:: set vpn sstp authentication protocols
+   <pap | chap | mschap | mschap-v2>
+
+  Require the peer to authenticate itself using one of the following protocols:
+  pap, chap, mschap, mschap-v2.
+
+Client IP Pool Advanced Options
+===============================
+
+.. cfgcmd:: set vpn sstp client-ip-pool <POOL-NAME> next-pool <NEXT-POOL-NAME>
+
+   Use this command to define the next address pool name.
+
+PPP Advanced Options
+====================
+
+.. cfgcmd:: set vpn sstp ppp-options disable-ccp
+
+  Disable Compression Control Protocol (CCP).
+  CCP is enabled by default.
+
+.. cfgcmd:: set vpn sstp ppp-options interface-cache <number>
+
+  Specifies number of interfaces to keep in cache. It means that don’t
+  destroy interface after corresponding session is destroyed, instead
+  place it to cache and use it later for new sessions repeatedly.
+  This should reduce kernel-level interface creation/deletion rate lack.
+  Default value is **0**.
+
+.. cfgcmd:: set vpn sstp ppp-options ipv4 <require | prefer | allow | deny>
+
+  Specifies IPv4 negotiation preference.
+
+  * **require** - Require IPv4 negotiation
+  * **prefer** - Ask client for IPv4 negotiation, do not fail if it rejects
+  * **allow** - Negotiate IPv4 only if client requests (Default value)
+  * **deny** - Do not negotiate IPv4
+
+.. cfgcmd:: set vpn sstp ppp-options lcp-echo-failure <number>
+
+  Defines the maximum `<number>` of unanswered echo requests. Upon reaching the
+  value `<number>`, the session will be reset. Default value is **3**.
+
+.. cfgcmd:: set vpn sstp ppp-options lcp-echo-interval <interval>
+
+  If this option is specified and is greater than 0, then the PPP module will
+  send LCP pings of the echo request every `<interval>` seconds.
+  Default value is **30**.
+
+.. cfgcmd:: set vpn sstp ppp-options lcp-echo-timeout
+
+  Specifies timeout in seconds to wait for any peer activity. If this option
+  specified it turns on adaptive lcp echo functionality and "lcp-echo-failure"
+  is not used. Default value is **0**.
+
+.. cfgcmd:: set vpn sstp ppp-options min-mtu <number>
+
+  Defines minimum acceptable MTU. If client will try to negotiate less then
+  specified MTU then it will be NAKed or disconnected if rejects greater MTU.
+  Default value is **100**.
+
+.. cfgcmd:: set vpn sstp ppp-options mppe <require | prefer | deny>
+
+  Specifies :abbr:`MPPE (Microsoft Point-to-Point Encryption)` negotiation
+  preference.
+
+  * **require** - ask client for mppe, if it rejects drop connection
+  * **prefer** - ask client for mppe, if it rejects don't fail. (Default value)
+  * **deny** - deny mppe
+
+  Default behavior - don't ask client for mppe, but allow it if client wants.
+  Please note that RADIUS may override this option by MS-MPPE-Encryption-Policy
+  attribute.
+
+.. cfgcmd:: set vpn sstp ppp-options mru <number>
+
+  Defines preferred MRU. By default is not defined.
+
+Global Advanced options
+=======================
+
+.. cfgcmd:: set vpn sstp description <description>
+
+  Set description.
+
+.. cfgcmd::  set vpn sstp limits burst <value>
+
+  Burst count
+
+.. cfgcmd:: set vpn sstp limits connection-limit <value>
+
+  Acceptable rate of connections (e.g. 1/min, 60/sec)
+
+.. cfgcmd:: set vpn sstp limits timeout <value>
+
+  Timeout in seconds
+
+.. cfgcmd:: set vpn sstp mtu
+
+  Maximum Transmission Unit (MTU) (default: **1500**)
+
+.. cfgcmd:: set vpn sstp max-concurrent-sessions
+
+  Maximum number of concurrent session start attempts
+
+.. cfgcmd:: set vpn sstp name-server <address>
+
+  Connected client should use `<address>` as their DNS server. This
+  command accepts both IPv4 and IPv6 addresses. Up to two nameservers
+  can be configured for IPv4, up to three for IPv6.
+
+.. cfgcmd:: set vpn sstp shaper fwmark <1-2147483647>
+
+  Match firewall mark value
+
+.. cfgcmd:: set vpn sstp snmp master-agent
+
+  Enable SNMP
+
+.. cfgcmd:: set vpn sstp wins-server <address>
+
+  Windows Internet Name Service (WINS) servers propagated to client
+
+***********************
+Configuring SSTP client
+***********************
 
 Once you have setup your SSTP server there comes the time to do some basic
 testing. The Linux client used for testing is called sstpc_. sstpc_ requires a
 PPP configuration/peer file.
 
+If you use a self-signed certificate, do not forget to install CA on the client side.
+
 The following PPP configuration tests MSCHAP-v2:
 
 .. code-block:: none
@@ -360,8 +533,115 @@ A connection attempt will be shown as:
        inet 100.64.2.2 peer 100.64.1.1/32 scope global ppp0
           valid_lft forever preferred_lft forever
 
+**********
+Monitoring
+**********
 
+.. opcmd:: show sstp-server sessions
 
-.. _sstpc: https://github.com/reliablehosting/sstp-client
+   Use this command to locally check the active sessions in the SSTP
+   server.
+
+.. code-block:: none
+
+    vyos@vyos:~$ show sstp-server sessions
+     ifname | username |    ip    | ip6 | ip6-dp |   calling-sid  | rate-limit | state  |  uptime  | rx-bytes | tx-bytes
+    --------+----------+----------+-----+--------+----------------+------------+--------+----------+----------+----------
+     sstp0  | test     | 10.0.0.2 |     |        | 192.168.10.100 |            | active | 00:15:46 | 16.3 KiB | 210 B
 
+.. code-block:: none
+
+    vyos@vyos:~$ show sstp-server statistics
+     uptime: 0.01:21:54
+    cpu: 0%
+    mem(rss/virt): 6688/100464 kB
+    core:
+      mempool_allocated: 149420
+      mempool_available: 146092
+      thread_count: 1
+      thread_active: 1
+      context_count: 6
+      context_sleeping: 0
+      context_pending: 0
+      md_handler_count: 7
+      md_handler_pending: 0
+      timer_count: 2
+      timer_pending: 0
+    sessions:
+      starting: 0
+      active: 1
+      finishing: 0
+    sstp:
+      starting: 0
+      active: 1
+
+***************
+Troubleshooting
+***************
+
+.. code-block:: none
+
+    vyos@vyos:~$sudo journalctl -u accel-ppp@sstp -b 0
+
+    Feb 28 17:03:04 vyos accel-sstp[2492]: sstp: new connection from 192.168.10.100:49852
+    Feb 28 17:03:04 vyos accel-sstp[2492]: sstp: starting
+    Feb 28 17:03:04 vyos accel-sstp[2492]: sstp: started
+    Feb 28 17:03:04 vyos accel-sstp[2492]: :: recv [HTTP <SSTP_DUPLEX_POST /sra_{BA195980-CD49-458b-9E23-C84EE0ADCD75}/ HTTP/1.1>]
+    Feb 28 17:03:04 vyos accel-sstp[2492]: :: recv [HTTP <SSTPCORRELATIONID: {48B82435-099A-4158-A987-052E7570CFAA}>]
+    Feb 28 17:03:04 vyos accel-sstp[2492]: :: recv [HTTP <Content-Length: 18446744073709551615>]
+    Feb 28 17:03:04 vyos accel-sstp[2492]: :: recv [HTTP <Host: vyos.io>]
+    Feb 28 17:03:04 vyos accel-sstp[2492]: :: send [HTTP <HTTP/1.1 200 OK>]
+    Feb 28 17:03:04 vyos accel-sstp[2492]: :: send [HTTP <Date: Wed, 28 Feb 2024 17:03:04 GMT>]
+    Feb 28 17:03:04 vyos accel-sstp[2492]: :: send [HTTP <Content-Length: 18446744073709551615>]
+    Feb 28 17:03:04 vyos accel-sstp[2492]: :: recv [SSTP SSTP_MSG_CALL_CONNECT_REQUEST]
+    Feb 28 17:03:04 vyos accel-sstp[2492]: :: send [SSTP SSTP_MSG_CALL_CONNECT_ACK]
+    Feb 28 17:03:04 vyos accel-sstp[2492]: :: lcp_layer_init
+    Feb 28 17:03:04 vyos accel-sstp[2492]: :: auth_layer_init
+    Feb 28 17:03:04 vyos accel-sstp[2492]: :: ccp_layer_init
+    Feb 28 17:03:04 vyos accel-sstp[2492]: :: ipcp_layer_init
+    Feb 28 17:03:04 vyos accel-sstp[2492]: :: ipv6cp_layer_init
+    Feb 28 17:03:04 vyos accel-sstp[2492]: :: ppp establishing
+    Feb 28 17:03:04 vyos accel-sstp[2492]: :: lcp_layer_start
+    Feb 28 17:03:04 vyos accel-sstp[2492]: :: send [LCP ConfReq id=56 <auth PAP> <mru 1452> <magic 1cd9ad05>]
+    Feb 28 17:03:04 vyos accel-sstp[2492]: :: recv [LCP ConfReq id=0 <mru 4091> <magic 345f64ca> <pcomp> <accomp> < d 3 6 >]
+    Feb 28 17:03:04 vyos accel-sstp[2492]: :: send [LCP ConfRej id=0 <pcomp> <accomp> < d 3 6 >]
+    Feb 28 17:03:04 vyos accel-sstp[2492]: :: recv [LCP ConfReq id=1 <mru 4091> <magic 345f64ca>]
+    Feb 28 17:03:04 vyos accel-sstp[2492]: :: send [LCP ConfNak id=1 <mru 1452>]
+    Feb 28 17:03:04 vyos accel-sstp[2492]: :: recv [LCP ConfReq id=2 <mru 1452> <magic 345f64ca>]
+    Feb 28 17:03:04 vyos accel-sstp[2492]: :: send [LCP ConfAck id=2]
+    Feb 28 17:03:07 vyos accel-sstp[2492]: :: fsm timeout 9
+    Feb 28 17:03:07 vyos accel-sstp[2492]: :: send [LCP ConfReq id=56 <auth PAP> <mru 1452> <magic 1cd9ad05>]
+    Feb 28 17:03:07 vyos accel-sstp[2492]: :: recv [LCP ConfAck id=56 <auth PAP> <mru 1452> <magic 1cd9ad05>]
+    Feb 28 17:03:07 vyos accel-sstp[2492]: :: lcp_layer_started
+    Feb 28 17:03:07 vyos accel-sstp[2492]: :: auth_layer_start
+    Feb 28 17:03:07 vyos accel-sstp[2492]: :: recv [LCP Ident id=3 <MSRASV5.20>]
+    Feb 28 17:03:07 vyos accel-sstp[2492]: :: recv [LCP Ident id=4 <MSRAS-0-MSEDGEWIN10>]
+    Feb 28 17:03:07 vyos accel-sstp[2492]: [50B blob data]
+    Feb 28 17:03:07 vyos accel-sstp[2492]: :: recv [PAP AuthReq id=3]
+    Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: connect: ppp0 <--> sstp(192.168.10.100:49852)
+    Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: ppp connected
+    Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: send [PAP AuthAck id=3 "Authentication succeeded"]
+    Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: test: authentication succeeded
+    Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: auth_layer_started
+    Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: ccp_layer_start
+    Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: ipcp_layer_start
+    Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: ipv6cp_layer_start
+    Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: recv [SSTP SSTP_MSG_CALL_CONNECTED]
+    Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: IPV6CP: discarding packet
+    Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: send [LCP ProtoRej id=88 <8057>]
+    Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: recv [IPCP ConfReq id=7 <addr 0.0.0.0> <dns1 0.0.0.0> <wins1 0.0.0.0> <dns2 0.0.0.0> <wins2 0.0.0.0>]
+    Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: send [IPCP ConfReq id=25 <addr 10.0.0.1>]
+    Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: send [IPCP ConfRej id=7 <dns1 0.0.0.0> <wins1 0.0.0.0> <dns2 0.0.0.0> <wins2 0.0.0.0>]
+    Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: recv [IPCP ConfAck id=25 <addr 10.0.0.1>]
+    Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: recv [IPCP ConfReq id=8 <addr 0.0.0.0>]
+    Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: send [IPCP ConfNak id=8 <addr 10.0.0.5>]
+    Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: recv [IPCP ConfReq id=9 <addr 10.0.0.5>]
+    Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: send [IPCP ConfAck id=9]
+    Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: ipcp_layer_started
+    Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: rename interface to 'sstp0'
+    Feb 28 17:03:07 vyos accel-sstp[2492]: sstp0:test: sstp: ppp: started
+
+.. _sstpc: https://github.com/reliablehosting/sstp-client
+.. _dictionary: https://github.com/accel-ppp/accel-ppp/blob/master/accel-pppd/radius/dict/dictionary.rfc6911
+.. _`ACCEL-PPP attribute`: https://github.com/accel-ppp/accel-ppp/blob/master/accel-pppd/radius/dict/dictionary.accel
 .. include:: /_include/common-references.txt