Diffstat (limited to 'docs')
-rw-r--r--  docs/automation/vyos-api.rst          5
-rw-r--r--  docs/configuration/protocols/bgp.rst  50
-rw-r--r--  docs/configuration/vpn/l2tp.rst        2
-rw-r--r--  docs/configuration/vpn/sstp.rst       71
4 files changed, 107 insertions, 21 deletions
diff --git a/docs/automation/vyos-api.rst b/docs/automation/vyos-api.rst
index afcc1767..8fad05ca 100644
--- a/docs/automation/vyos-api.rst
+++ b/docs/automation/vyos-api.rst
@@ -250,13 +250,14 @@ The ``generate`` endpoint run a ``generate`` command.
.. code-block:: none
curl -k --location --request POST 'https://vyos/generate' \
- --form data='{"op": "generate", "path": ["wireguard", "default-keypair"]}' \
+ --form data='{"op": "generate", "path": ["pki", "wireguard", "key-pair"]}' \
--form key='MY-HTTPS-API-PLAINTEXT-KEY'
response:
{
"success": true,
- "data": "",
+ "data": "Private key: CFZR2eyhoVZwk4n3JFPMJx3E145f1EYgDM+ubytXYVY=\n
+ Public key: jjtpPT8ycI1Q0bNtrWuxAkO4k88Xwzg5VHV9xGZ58lU=\n\n",
"error": null
}
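Review bot: the new sample response puts a full WireGuard private key in the `"data"` field using values that are syntactically valid 32-byte keys; use obviously fake placeholders (or say explicitly that these are throwaway example keys) so nobody pastes them into a config, and add a sentence noting that because the `generate` endpoint now returns the private key in the HTTP body, the response must be treated as a secret (do not log it, do not run it through shared proxies). The path change from `["wireguard", "default-keypair"]` to `["pki", "wireguard", "key-pair"]` also lands without a version note, so readers on images that still use the old path get no hint why the call fails.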
diff --git a/docs/configuration/protocols/bgp.rst b/docs/configuration/protocols/bgp.rst
index 8fc69111..3c983aae 100644
--- a/docs/configuration/protocols/bgp.rst
+++ b/docs/configuration/protocols/bgp.rst
@@ -209,35 +209,35 @@ Defining Peers
.. cfgcmd:: set protocols bgp neighbor <address|interface> local-role
<role> [strict]
- BGP roles are defined in RFC :rfc:`9234` and provide an easy way to
- add route leak prevention, detection and mitigation. The local Role
- value is negotiated with the new BGP Role capability which has a
- built-in check of the corresponding value. In case of a mismatch the
+ BGP roles are defined in RFC :rfc:`9234` and provide an easy way to
+ add route leak prevention, detection and mitigation. The local Role
+ value is negotiated with the new BGP Role capability which has a
+ built-in check of the corresponding value. In case of a mismatch the
new OPEN Roles Mismatch Notification <2, 11> would be sent.
The correct Role pairs are:
-
+
Provider - Customer
Peer - Peer
RS-Server - RS-Client
- If :cfgcmd:`strict` is set the BGP session won’t become established
- until the BGP neighbor sets local Role on its side. This
+ If :cfgcmd:`strict` is set the BGP session won’t become established
+ until the BGP neighbor sets local Role on its side. This
configuration parameter is defined in RFC :rfc:`9234` and is used to
enforce the corresponding configuration at your counter-parts side.
-
- Routes that are sent from provider, rs-server, or the peer local-role
- (or if received by customer, rs-client, or the peer local-role) will
+
+ Routes that are sent from provider, rs-server, or the peer local-role
+ (or if received by customer, rs-client, or the peer local-role) will
be marked with a new Only to Customer (OTC) attribute.
-
+
Routes with this attribute can only be sent to your neighbor if your
local-role is provider or rs-server. Routes with this attribute can
- be received only if your local-role is customer or rs-client.
-
+ be received only if your local-role is customer or rs-client.
+
In case of peer-peer relationship routes can be received only if OTC
value is equal to your neighbor AS number.
-
+
All these rules with OTC will help to detect and mitigate route leaks
and happen automatically if local-role is set.
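Review bot: this hunk only strips trailing whitespace, but while these lines are being touched the role pairs `Provider - Customer`, `Peer - Peer`, `RS-Server - RS-Client` are plain lines at paragraph indentation, so Sphinx will run them together into one sentence ("Provider - Customer Peer - Peer RS-Server - RS-Client"); make them a bullet list or a literal block. It would also help to say that `strict` only protects you if the neighbour actually sends the Role capability, which is exactly what the text says is required for the session to come up, so a neighbour that is not upgraded will simply stay down rather than silently bypassing the check.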
@@ -584,6 +584,12 @@ General Configuration
Common parameters
^^^^^^^^^^^^^^^^^
+.. cfgcmd:: set protocols bgp parameters allow-martian-nexthop
+
+ When a peer receives a martian nexthop as part of the NLRI for a route
+ permit the nexthop to be used as such, instead of rejecting and resetting
+ the connection.
+
.. cfgcmd:: set protocols bgp parameters router-id <id>
This command specifies the router-ID. If router ID is not specified it will
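Review bot: `allow-martian-nexthop` turns off a sanity check, and the entry should say so: as written it reads like a neutral tuning knob, but the text itself states that the default is to reject the NLRI and reset the session, so enabling it means a peer can hand you routes whose next hop sits in a martian range. Add a `.. warning::` (or at least a sentence) that this is a workaround for a known misbehaving peer and should not be set globally, and fix the missing comma in "as part of the NLRI for a route permit the nexthop" (it currently reads as one clause).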
@@ -598,6 +604,12 @@ Common parameters
Path (both AS number and AS path length), Origin code, MED, IGP
metric. Also, the next hop address for each path must be different.
+.. cfgcmd:: set protocols bgp parameters no-hard-administrative-reset
+
+ Do not send Hard Reset CEASE Notification for "Administrative Reset"
+ events. When set and Graceful Restart Notification capability is exchanged
+ between the peers, Graceful Restart procedures apply, and routes will be retained.
+
.. cfgcmd:: set protocols bgp parameters log-neighbor-changes
This command enable logging neighbor up/down changes and reset reason.
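Review bot: the "Graceful Restart Notification capability" referred to in the `no-hard-administrative-reset` entry is the one from RFC 8538 (Notification Message Support for BGP Graceful Restart); add `:rfc:`8538`` the way the neighbouring entries cite their RFCs, and state the default (a Hard Reset CEASE is sent) so the reader sees that this option is opt-in and that route retention only happens when both peers exchanged the capability. The third line of the description also exceeds the wrapping width used elsewhere in this file.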
@@ -643,6 +655,16 @@ Common parameters
compatibility with older versions of VyOS. With this option one can
enable :rfc:`8212` functionality to operate.
+.. cfgcmd:: set protocols bgp parameters labeled-unicast <explicit-null |
+ ipv4-explicit-null | ipv6-explicit-null>
+
+ By default, locally advertised prefixes use the implicit-null label to
+ encode in the outgoing NLRI.
+
+ The following command uses the explicit-null label value for all the
+ BGP instances.
+
+
Administrative Distance
^^^^^^^^^^^^^^^^^^^^^^^
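Review bot: the sentence "The following command uses the explicit-null label value for all the BGP instances." is followed by nothing but two blank `+` lines and then the `Administrative Distance` heading, so either add the command it announces (for example `set protocols bgp parameters labeled-unicast explicit-null`) or reword it as "This command ...". The three values are also not explained; from the names, `explicit-null` presumably selects explicit-null for both address families while `ipv4-explicit-null` and `ipv6-explicit-null` limit it to one, and that should be spelled out. Drop one of the two trailing blank lines.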
diff --git a/docs/configuration/vpn/l2tp.rst b/docs/configuration/vpn/l2tp.rst
index 4a7657e7..ce3b6711 100644
--- a/docs/configuration/vpn/l2tp.rst
+++ b/docs/configuration/vpn/l2tp.rst
@@ -98,7 +98,7 @@ Below is an example to configure a LNS:
set vpn l2tp remote-access client-ip-pool L2TP-POOL range 192.168.255.2-192.168.255.254
set vpn l2tp remote-access default-pool 'L2TP-POOL'
set vpn l2tp remote-access lns shared-secret 'secret'
- set vpn l2tp remote-access ccp-disable
+ set vpn l2tp remote-access ppp-options disable-ccp
set vpn l2tp remote-access authentication mode local
set vpn l2tp remote-access authentication local-users username test password 'test'
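Review bot: only the LNS example is moved from `ccp-disable` to `ppp-options disable-ccp`; if the l2tp page still has a `.. cfgcmd::` entry for the old `ccp-disable` form, it needs to be updated in the same change, otherwise the reference section and the example disagree. A short note that existing configurations using `ccp-disable` are migrated (or must be rewritten) would save users a failed commit after upgrade.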
diff --git a/docs/configuration/vpn/sstp.rst b/docs/configuration/vpn/sstp.rst
index 2c5cef6d..a9def827 100644
--- a/docs/configuration/vpn/sstp.rst
+++ b/docs/configuration/vpn/sstp.rst
@@ -179,35 +179,98 @@ SSL Certificates
PPP Settings
------------
+.. cfgcmd:: set vpn sstp ppp-options disable-ccp
+
+ Disable Compression Control Protocol (CCP).
+ CCP is enabled by default.
+
+.. cfgcmd:: set vpn sstp ppp-options interface-cache <number>
+
+ Specifies number of interfaces to keep in cache. It means that don’t
+ destroy interface after corresponding session is destroyed, instead
+ place it to cache and use it later for new sessions repeatedly.
+ This should reduce kernel-level interface creation/deletion rate lack.
+ Default value is **0**.
+
+.. cfgcmd:: set vpn sstp ppp-options ipv4 <require | prefer | allow | deny>
+
+ Specifies IPv4 negotiation preference.
+
+ * **require** - Require IPv4 negotiation
+ * **prefer** - Ask client for IPv4 negotiation, do not fail if it rejects
+ * **allow** - Negotiate IPv4 only if client requests (Default value)
+ * **deny** - Do not negotiate IPv4
+
+.. cfgcmd:: set vpn sstp ppp-options ipv6 <require | prefer | allow | deny>
+
+ Specifies IPv6 negotiation preference.
+
+ * **require** - Require IPv6 negotiation
+ * **prefer** - Ask client for IPv6 negotiation, do not fail if it rejects
+ * **allow** - Negotiate IPv6 only if client requests
+ * **deny** - Do not negotiate IPv6 (default value)
+
+.. cfgcmd:: set vpn sstp ppp-options ipv6-accept-peer-interface-id
+
+ Accept peer interface identifier. By default is not defined.
+
+.. cfgcmd:: set vpn sstp ppp-options ipv6-interface-id <random | x:x:x:x>
+
+ Specifies fixed or random interface identifier for IPv6.
+ By default is fixed.
+
+ * **random** - Random interface identifier for IPv6
+ * **x:x:x:x** - Specify interface identifier for IPv6
+
+.. cfgcmd:: set vpn sstp ppp-options ipv6-interface-id <random | x:x:x:x>
+
+ Specifies peer interface identifier for IPv6. By default is fixed.
+
+ * **random** - Random interface identifier for IPv6
+ * **x:x:x:x** - Specify interface identifier for IPv6
+ * **ipv4-addr** - Calculate interface identifier from IPv4 address.
+ * **calling-sid** - Calculate interface identifier from calling-station-id.
+
.. cfgcmd:: set vpn sstp ppp-options lcp-echo-failure <number>
Defines the maximum `<number>` of unanswered echo requests. Upon reaching the
- value `<number>`, the session will be reset.
+ value `<number>`, the session will be reset. Default value is **3**.
.. cfgcmd:: set vpn sstp ppp-options lcp-echo-interval <interval>
If this option is specified and is greater than 0, then the PPP module will
send LCP pings of the echo request every `<interval>` seconds.
+ Default value is **30**.
.. cfgcmd:: set vpn sstp ppp-options lcp-echo-timeout
Specifies timeout in seconds to wait for any peer activity. If this option
specified it turns on adaptive lcp echo functionality and "lcp-echo-failure"
- is not used.
+ is not used. Default value is **0**.
+
+.. cfgcmd:: set vpn sstp ppp-options min-mtu <number>
+
+ Defines minimum acceptable MTU. If client will try to negotiate less then
+ specified MTU then it will be NAKed or disconnected if rejects greater MTU.
+ Default value is **100**.
.. cfgcmd:: set vpn sstp ppp-options mppe <require | prefer | deny>
- Specifies :abbr:`MPPE (Microsoft Point-to-Point Encryption)` negotioation
+ Specifies :abbr:`MPPE (Microsoft Point-to-Point Encryption)` negotiation
preference.
* **require** - ask client for mppe, if it rejects drop connection
- * **prefer** - ask client for mppe, if it rejects don't fail
+ * **prefer** - ask client for mppe, if it rejects don't fail. (Default value)
* **deny** - deny mppe
Default behavior - don't ask client for mppe, but allow it if client wants.
Please note that RADIUS may override this option by MS-MPPE-Encryption-Policy
attribute.
+.. cfgcmd:: set vpn sstp ppp-options mru <number>
+
+ Defines preferred MRU. By default is not defined.
+
RADIUS
------
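Review bot: the second `.. cfgcmd:: set vpn sstp ppp-options ipv6-interface-id <random | x:x:x:x>` directive reuses the exact name of the first one while describing the peer interface identifier and listing two extra values (`ipv4-addr`, `calling-sid`); it should carry the peer-side command name (the option lines right after it say "Specifies peer interface identifier") and an option list that includes `ipv4-addr` and `calling-sid`, otherwise Sphinx documents the same command twice with conflicting value sets. The MPPE entry is now self-contradictory: `prefer` is tagged `(Default value)` while the paragraph below still says "Default behavior - don't ask client for mppe, but allow it if client wants"; keep whichever is true and delete the other, since the difference matters for whether a client that refuses MPPE gets an unencrypted PPP session. Smaller wording fixes: "less then" should be "less than", "or disconnected if rejects greater MTU" should be "or disconnected if it rejects the larger MTU", and "reduce kernel-level interface creation/deletion rate lack" is unclear (something like "reduce the cost of creating and deleting kernel interfaces for every session").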