Diffstat (limited to 'templates/vpn/ipsec')
-rw-r--r--templates/vpn/ipsec/copy-tos/node.def4
-rw-r--r--templates/vpn/ipsec/esp-group/node.def4
-rw-r--r--templates/vpn/ipsec/esp-group/node.tag/compression/node.def4
-rw-r--r--templates/vpn/ipsec/esp-group/node.tag/lifetime/node.def4
-rw-r--r--templates/vpn/ipsec/esp-group/node.tag/mode/node.def4
-rw-r--r--templates/vpn/ipsec/esp-group/node.tag/node.tag/encryption/node.def2
-rw-r--r--templates/vpn/ipsec/esp-group/node.tag/node.tag/hash/node.def2
-rw-r--r--templates/vpn/ipsec/esp-group/node.tag/pfs/node.def4
-rw-r--r--templates/vpn/ipsec/esp-group/node.tag/proposal/node.def4
-rw-r--r--templates/vpn/ipsec/esp-group/node.tag/proposal/node.tag/encryption/node.def4
-rw-r--r--templates/vpn/ipsec/esp-group/node.tag/proposal/node.tag/hash/node.def4
-rw-r--r--templates/vpn/ipsec/ike-group/node.def4
-rw-r--r--templates/vpn/ipsec/ike-group/node.tag/aggressive-mode/node.def4
-rw-r--r--templates/vpn/ipsec/ike-group/node.tag/dead-peer-detection/action/node.def4
-rw-r--r--templates/vpn/ipsec/ike-group/node.tag/dead-peer-detection/interval/node.def4
-rw-r--r--templates/vpn/ipsec/ike-group/node.tag/dead-peer-detection/node.def1
-rw-r--r--templates/vpn/ipsec/ike-group/node.tag/dead-peer-detection/timeout/node.def4
-rw-r--r--templates/vpn/ipsec/ike-group/node.tag/lifetime/node.def4
-rw-r--r--templates/vpn/ipsec/ike-group/node.tag/proposal/node.def4
-rw-r--r--templates/vpn/ipsec/ike-group/node.tag/proposal/node.tag/dh-group/node.def3
-rw-r--r--templates/vpn/ipsec/ike-group/node.tag/proposal/node.tag/encryption/node.def4
-rw-r--r--templates/vpn/ipsec/ike-group/node.tag/proposal/node.tag/hash/node.def4
-rw-r--r--templates/vpn/ipsec/ipsec-interfaces/interface/node.def3
-rw-r--r--templates/vpn/ipsec/ipsec-interfaces/node.def1
-rw-r--r--templates/vpn/ipsec/logging/facility/node.def6
-rw-r--r--templates/vpn/ipsec/logging/level/node.def3
-rw-r--r--templates/vpn/ipsec/logging/log-modes/node.def4
-rw-r--r--templates/vpn/ipsec/logging/node.def1
-rw-r--r--templates/vpn/ipsec/nat-networks/allowed-network/node.def3
-rw-r--r--templates/vpn/ipsec/nat-networks/allowed-network/node.tag/exclude/node.def3
-rw-r--r--templates/vpn/ipsec/nat-networks/node.def1
-rw-r--r--templates/vpn/ipsec/nat-traversal/node.def3
-rw-r--r--templates/vpn/ipsec/node.def1
-rw-r--r--templates/vpn/ipsec/site-to-site/node.def1
-rw-r--r--templates/vpn/ipsec/site-to-site/peer/node.def3
-rw-r--r--templates/vpn/ipsec/site-to-site/peer/node.tag/authentication/mode/node.def4
-rw-r--r--templates/vpn/ipsec/site-to-site/peer/node.tag/authentication/node.def1
-rw-r--r--templates/vpn/ipsec/site-to-site/peer/node.tag/authentication/pre-shared-secret/node.def3
-rw-r--r--templates/vpn/ipsec/site-to-site/peer/node.tag/authentication/rsa-key-name/node.def3
-rw-r--r--templates/vpn/ipsec/site-to-site/peer/node.tag/ike-group/node.def2
-rw-r--r--templates/vpn/ipsec/site-to-site/peer/node.tag/local-ip/node.def2
-rw-r--r--templates/vpn/ipsec/site-to-site/peer/node.tag/tunnel/node.def3
-rw-r--r--templates/vpn/ipsec/site-to-site/peer/node.tag/tunnel/node.tag/allow-nat-networks/node.def4
-rw-r--r--templates/vpn/ipsec/site-to-site/peer/node.tag/tunnel/node.tag/allow-public-networks/node.def4
-rw-r--r--templates/vpn/ipsec/site-to-site/peer/node.tag/tunnel/node.tag/esp-group/node.def2
-rw-r--r--templates/vpn/ipsec/site-to-site/peer/node.tag/tunnel/node.tag/local-subnet/node.def2
-rw-r--r--templates/vpn/ipsec/site-to-site/peer/node.tag/tunnel/node.tag/remote-subnet/node.def2
47 files changed, 145 insertions, 0 deletions
diff --git a/templates/vpn/ipsec/copy-tos/node.def b/templates/vpn/ipsec/copy-tos/node.def
new file mode 100644
index 0000000..cf675c6
--- /dev/null
+++ b/templates/vpn/ipsec/copy-tos/node.def
@@ -0,0 +1,4 @@
+help: "copy TOS configuration"
+type: txt
+default: "disable"
+syntax: $(@) in "enable", "disable"; "must be enable or disable"
diff --git a/templates/vpn/ipsec/esp-group/node.def b/templates/vpn/ipsec/esp-group/node.def
new file mode 100644
index 0000000..4aae745
--- /dev/null
+++ b/templates/vpn/ipsec/esp-group/node.def
@@ -0,0 +1,4 @@
+tag:
+type: txt
+help: "Encapsulating Security Payload configuration"
+syntax: pattern $(@) "^[-_a-zA-Z0-9.]+$" ; "invalid ESP group name \"$(@)\""
diff --git a/templates/vpn/ipsec/esp-group/node.tag/compression/node.def b/templates/vpn/ipsec/esp-group/node.tag/compression/node.def
new file mode 100644
index 0000000..81409ba
--- /dev/null
+++ b/templates/vpn/ipsec/esp-group/node.tag/compression/node.def
@@ -0,0 +1,4 @@
+help: "ESP compression configuration"
+type: txt
+default: "disable"
+syntax: $(@) in "enable", "disable"; "must be enable or disable"
diff --git a/templates/vpn/ipsec/esp-group/node.tag/lifetime/node.def b/templates/vpn/ipsec/esp-group/node.tag/lifetime/node.def
new file mode 100644
index 0000000..43bf9d3
--- /dev/null
+++ b/templates/vpn/ipsec/esp-group/node.tag/lifetime/node.def
@@ -0,0 +1,4 @@
+help: "ESP lifetime configuration"
+type: u32
+default: 3600
+syntax: ($(@) >= 30 && $(@) <= 86400) ; "must be in the range 30 to 86400 seconds inclusive"
diff --git a/templates/vpn/ipsec/esp-group/node.tag/mode/node.def b/templates/vpn/ipsec/esp-group/node.tag/mode/node.def
new file mode 100644
index 0000000..e288d81
--- /dev/null
+++ b/templates/vpn/ipsec/esp-group/node.tag/mode/node.def
@@ -0,0 +1,4 @@
+help: "ESP mode configuration"
+type: txt
+default: "tunnel"
+syntax: $(@) in "tunnel", "transport"; "must be tunnel or transport"
diff --git a/templates/vpn/ipsec/esp-group/node.tag/node.tag/encryption/node.def b/templates/vpn/ipsec/esp-group/node.tag/node.tag/encryption/node.def
new file mode 100644
index 0000000..66f7ebf
--- /dev/null
+++ b/templates/vpn/ipsec/esp-group/node.tag/node.tag/encryption/node.def
@@ -0,0 +1,2 @@
+type: txt
+default:"aes128"
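Review bot: This node has no `help:` and no `syntax:` constraint, so any string is accepted as an encryption algorithm, whereas `esp-group/node.tag/proposal/node.tag/encryption/node.def` in the same commit restricts the value to aes128, aes256 or 3des. The `node.tag/node.tag/` path also looks like a leftover, since proposals are defined under `proposal/node.tag/`; if that is the case the file should be dropped, otherwise it needs the same `syntax: $(@) in "aes128", "aes256", "3des"; "must be aes128, or aes256, or 3des"` line. The same applies to `esp-group/node.tag/node.tag/hash/node.def`. Both files also write `default:"..."` without the space after the colon that the other templates use.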
diff --git a/templates/vpn/ipsec/esp-group/node.tag/node.tag/hash/node.def b/templates/vpn/ipsec/esp-group/node.tag/node.tag/hash/node.def
new file mode 100644
index 0000000..a4187e6
--- /dev/null
+++ b/templates/vpn/ipsec/esp-group/node.tag/node.tag/hash/node.def
@@ -0,0 +1,2 @@
+type: txt
+default:"sha1"
diff --git a/templates/vpn/ipsec/esp-group/node.tag/pfs/node.def b/templates/vpn/ipsec/esp-group/node.tag/pfs/node.def
new file mode 100644
index 0000000..f180a61
--- /dev/null
+++ b/templates/vpn/ipsec/esp-group/node.tag/pfs/node.def
@@ -0,0 +1,4 @@
+help: "ESP PFS configuration"
+type: txt
+default: "enable"
+syntax: $(@) in "enable", "disable"; "must be enable or disable"
diff --git a/templates/vpn/ipsec/esp-group/node.tag/proposal/node.def b/templates/vpn/ipsec/esp-group/node.tag/proposal/node.def
new file mode 100644
index 0000000..7fa4bdf
--- /dev/null
+++ b/templates/vpn/ipsec/esp-group/node.tag/proposal/node.def
@@ -0,0 +1,4 @@
+tag:
+type: u32
+help: "Configure a esp-group proposal"
+syntax: ($(@) >= 1 && $(@) <= 65535) ; "must be in the range 1 to 65535 inclusive"
diff --git a/templates/vpn/ipsec/esp-group/node.tag/proposal/node.tag/encryption/node.def b/templates/vpn/ipsec/esp-group/node.tag/proposal/node.tag/encryption/node.def
new file mode 100644
index 0000000..f345008
--- /dev/null
+++ b/templates/vpn/ipsec/esp-group/node.tag/proposal/node.tag/encryption/node.def
@@ -0,0 +1,4 @@
+help: "Set encryption"
+type: txt
+default: "aes128"
+syntax: $(@) in "aes128", "aes256", "3des"; "must be aes128, or aes256, or 3des"
diff --git a/templates/vpn/ipsec/esp-group/node.tag/proposal/node.tag/hash/node.def b/templates/vpn/ipsec/esp-group/node.tag/proposal/node.tag/hash/node.def
new file mode 100644
index 0000000..7cdd3f4
--- /dev/null
+++ b/templates/vpn/ipsec/esp-group/node.tag/proposal/node.tag/hash/node.def
@@ -0,0 +1,4 @@
+help: "Set hash algorithm"
+type: txt
+default: "sha1"
+syntax: $(@) in "md5", "sha1"; "must be md5 or sha1"
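Review bot: The `syntax:` line accepts `md5` as an integrity algorithm and offers nothing stronger than `sha1`, and the help text gives the operator no guidance on which to pick. MD5-based integrity is deprecated for IPsec, so at minimum the help should say so, for example `help: "Set hash algorithm (md5 is weak; prefer sha1)"`. If the IKE/ESP backend supports SHA-2 variants (not visible in this commit), they belong in this list as well. The identical file under `ike-group/node.tag/proposal/node.tag/hash/node.def` has the same issue.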
diff --git a/templates/vpn/ipsec/ike-group/node.def b/templates/vpn/ipsec/ike-group/node.def
new file mode 100644
index 0000000..19dfb49
--- /dev/null
+++ b/templates/vpn/ipsec/ike-group/node.def
@@ -0,0 +1,4 @@
+tag:
+type: txt
+help: "Internet Key Exchange configuration"
+syntax: pattern $(@) "^[-_a-zA-Z0-9.]+$" ; "invalid IKE group name \"$(@)\""
diff --git a/templates/vpn/ipsec/ike-group/node.tag/aggressive-mode/node.def b/templates/vpn/ipsec/ike-group/node.tag/aggressive-mode/node.def
new file mode 100644
index 0000000..b462e61
--- /dev/null
+++ b/templates/vpn/ipsec/ike-group/node.tag/aggressive-mode/node.def
@@ -0,0 +1,4 @@
+help: "IKE aggressive-mode configuration"
+type: txt
+default: "disable"
+syntax: $(@) in "enable", "disable"; "enable or disable"
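Review bot: The error string on the `syntax:` line is `"enable or disable"`, while every other enable/disable node in this commit reports `"must be enable or disable"`. Use the same wording here, `syntax: $(@) in "enable", "disable"; "must be enable or disable"`, so the CLI error is consistent. Since aggressive mode weakens protection of pre-shared-key authentication, the help line could also say so, for example `help: "IKE aggressive-mode configuration (less secure with pre-shared secrets)"`.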
diff --git a/templates/vpn/ipsec/ike-group/node.tag/dead-peer-detection/action/node.def b/templates/vpn/ipsec/ike-group/node.tag/dead-peer-detection/action/node.def
new file mode 100644
index 0000000..fbc1aef
--- /dev/null
+++ b/templates/vpn/ipsec/ike-group/node.tag/dead-peer-detection/action/node.def
@@ -0,0 +1,4 @@
+help: "Set keep-alive failure action"
+type: txt
+default: "hold"
+syntax: $(@) in "hold", "clear", "restart"; "must be hold, or clear, or restart"
diff --git a/templates/vpn/ipsec/ike-group/node.tag/dead-peer-detection/interval/node.def b/templates/vpn/ipsec/ike-group/node.tag/dead-peer-detection/interval/node.def
new file mode 100644
index 0000000..241edf0
--- /dev/null
+++ b/templates/vpn/ipsec/ike-group/node.tag/dead-peer-detection/interval/node.def
@@ -0,0 +1,4 @@
+help: "Set keep-alive interval"
+type: u32
+default: 30
+syntax: ($(@) >= 15 && $(@) <= 86400) ; "must be in the range 15 to 86400 seconds inclusive"
diff --git a/templates/vpn/ipsec/ike-group/node.tag/dead-peer-detection/node.def b/templates/vpn/ipsec/ike-group/node.tag/dead-peer-detection/node.def
new file mode 100644
index 0000000..a326d23
--- /dev/null
+++ b/templates/vpn/ipsec/ike-group/node.tag/dead-peer-detection/node.def
@@ -0,0 +1 @@
+help: "Configure DPD"
diff --git a/templates/vpn/ipsec/ike-group/node.tag/dead-peer-detection/timeout/node.def b/templates/vpn/ipsec/ike-group/node.tag/dead-peer-detection/timeout/node.def
new file mode 100644
index 0000000..8b46cbb
--- /dev/null
+++ b/templates/vpn/ipsec/ike-group/node.tag/dead-peer-detection/timeout/node.def
@@ -0,0 +1,4 @@
+help: "Set keep-alive timeout"
+type: u32
+default: 120
+syntax: ($(@) >= 30 && $(@) <= 86400) ; "must be in the range 30 to 86400 seconds inclusive"
diff --git a/templates/vpn/ipsec/ike-group/node.tag/lifetime/node.def b/templates/vpn/ipsec/ike-group/node.tag/lifetime/node.def
new file mode 100644
index 0000000..2a1500a
--- /dev/null
+++ b/templates/vpn/ipsec/ike-group/node.tag/lifetime/node.def
@@ -0,0 +1,4 @@
+help: "IKE lifetime configuration"
+type: u32
+default: 28800
+syntax: ($(@) >= 30 && $(@) <= 86400) ; "must be in the range 30 to 86400 seconds inclusive"
diff --git a/templates/vpn/ipsec/ike-group/node.tag/proposal/node.def b/templates/vpn/ipsec/ike-group/node.tag/proposal/node.def
new file mode 100644
index 0000000..b61a016
--- /dev/null
+++ b/templates/vpn/ipsec/ike-group/node.tag/proposal/node.def
@@ -0,0 +1,4 @@
+tag:
+help: "Configure a ike-group proposal"
+type: u32
+syntax: ($(@) >= 1 && $(@) <= 65535) ; "must be in the range 1 to 65535 inclusive"
diff --git a/templates/vpn/ipsec/ike-group/node.tag/proposal/node.tag/dh-group/node.def b/templates/vpn/ipsec/ike-group/node.tag/proposal/node.tag/dh-group/node.def
new file mode 100644
index 0000000..58c800b
--- /dev/null
+++ b/templates/vpn/ipsec/ike-group/node.tag/proposal/node.tag/dh-group/node.def
@@ -0,0 +1,3 @@
+help: "Set Diffie-Hellman key exchange"
+type: u32
+syntax: ($(@) == 2 || $(@) == 5); "must be 2 or 5"
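Review bot: The `syntax:` line admits only groups 2 and 5, which are the 1024-bit and 1536-bit MODP groups, and unlike the sibling `encryption` and `hash` nodes this node has no `default:`. The help text does not tell the operator what the numbers mean; something like `help: "Set Diffie-Hellman group (2 = 1024-bit MODP, 5 = 1536-bit MODP)"` would make the choice explicit. If the backend supports larger groups (not visible here), the constraint should allow them, and a `default: 5` would keep behaviour defined when the node is omitted.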
diff --git a/templates/vpn/ipsec/ike-group/node.tag/proposal/node.tag/encryption/node.def b/templates/vpn/ipsec/ike-group/node.tag/proposal/node.tag/encryption/node.def
new file mode 100644
index 0000000..f345008
--- /dev/null
+++ b/templates/vpn/ipsec/ike-group/node.tag/proposal/node.tag/encryption/node.def
@@ -0,0 +1,4 @@
+help: "Set encryption"
+type: txt
+default: "aes128"
+syntax: $(@) in "aes128", "aes256", "3des"; "must be aes128, or aes256, or 3des"
diff --git a/templates/vpn/ipsec/ike-group/node.tag/proposal/node.tag/hash/node.def b/templates/vpn/ipsec/ike-group/node.tag/proposal/node.tag/hash/node.def
new file mode 100644
index 0000000..7cdd3f4
--- /dev/null
+++ b/templates/vpn/ipsec/ike-group/node.tag/proposal/node.tag/hash/node.def
@@ -0,0 +1,4 @@
+help: "Set hash algorithm"
+type: txt
+default: "sha1"
+syntax: $(@) in "md5", "sha1"; "must be md5 or sha1"
diff --git a/templates/vpn/ipsec/ipsec-interfaces/interface/node.def b/templates/vpn/ipsec/ipsec-interfaces/interface/node.def
new file mode 100644
index 0000000..c1c8d56
--- /dev/null
+++ b/templates/vpn/ipsec/ipsec-interfaces/interface/node.def
@@ -0,0 +1,3 @@
+multi:
+type: txt
+help: "ipsec interfaces"
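Review bot: `interface` is a free-form `txt` multi-node with no `syntax:` line, so any string is accepted as an interface name. If the value is later written into the generated IPsec configuration (not visible in this commit), constraining the character set keeps whitespace and other unexpected characters out of that file. Something like `syntax: pattern $(@) "^[a-zA-Z0-9.]+$" ; "invalid interface name \"$(@)\""` would match how the group names are validated elsewhere in this commit.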
diff --git a/templates/vpn/ipsec/ipsec-interfaces/node.def b/templates/vpn/ipsec/ipsec-interfaces/node.def
new file mode 100644
index 0000000..2fc83b8
--- /dev/null
+++ b/templates/vpn/ipsec/ipsec-interfaces/node.def
@@ -0,0 +1 @@
+help: "VPN interface configuration"
diff --git a/templates/vpn/ipsec/logging/facility/node.def b/templates/vpn/ipsec/logging/facility/node.def
new file mode 100644
index 0000000..7b12da1
--- /dev/null
+++ b/templates/vpn/ipsec/logging/facility/node.def
@@ -0,0 +1,6 @@
+type:txt
+syntax: $(@)in "daemon", "local0", "local1", "local2", "local3",\
+ "local4", "local5", "local6", "local7" ;"Value \"$(@)\" not in the list: daemon, local0, local1, local2, local3,\
+ local4, local5, local6, local7"
+help:"IKE lifetime configuration"
+
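Review bot: The `help:` line reads `"IKE lifetime configuration"`, which is copied from the lifetime node and is wrong for the logging facility. It should be something like `help: "Set logging facility"`. The `syntax:` line also writes `$(@)in` with no space before `in`, unlike every other template in this commit, and `type:txt` and `help:"..."` are missing the space after the colon; whether the template parser tolerates that is not visible here, so `syntax: $(@) in "daemon", ...` is the safer form.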
diff --git a/templates/vpn/ipsec/logging/level/node.def b/templates/vpn/ipsec/logging/level/node.def
new file mode 100644
index 0000000..287d9cc
--- /dev/null
+++ b/templates/vpn/ipsec/logging/level/node.def
@@ -0,0 +1,3 @@
+help: "Set log level"
+type:txt
+syntax: $(@) in "alert", "crit", "debug", "emerg", "err", "info", "notice", "warning"; "must be one of the following: crit, debug, emerg, err, info, notice, warning"
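Review bot: The allowed list on the `syntax:` line includes `alert`, but the error message that enumerates the valid values leaves it out. The message should match the constraint: `"must be one of the following: alert, crit, debug, emerg, err, info, notice, warning"`. The node also has no `default:`, so the effective level when it is unset is decided elsewhere.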
diff --git a/templates/vpn/ipsec/logging/log-modes/node.def b/templates/vpn/ipsec/logging/log-modes/node.def
new file mode 100644
index 0000000..4b89387
--- /dev/null
+++ b/templates/vpn/ipsec/logging/log-modes/node.def
@@ -0,0 +1,4 @@
+multi:
+help: "Set log mode"
+type:txt
+syntax: $(@) in "raw", "crypt", "parsing", "emitting", "control", "all", "private"; "must be one of the following: raw, crypt, parsing, emitting, control, all, private"
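Review bot: The allowed list on the `syntax:` line includes `private` and `all`, and the help text `"Set log mode"` gives no hint that these are sensitive. If the values are passed through to the IKE daemon's debug classes (not visible in this hunk), `private` would typically put private-key material into the log and `all` would include it. The help should warn about that, for example `help: "Set log mode (private and all may write key material to the log)"`, so operators do not enable it on a production peer by accident.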
diff --git a/templates/vpn/ipsec/logging/node.def b/templates/vpn/ipsec/logging/node.def
new file mode 100644
index 0000000..1ca0fd3
--- /dev/null
+++ b/templates/vpn/ipsec/logging/node.def
@@ -0,0 +1 @@
+activate: "echo activating logging"
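Review bot: The only line in this node is `activate: "echo activating logging"`, which looks like a debugging placeholder rather than a real activation action. It also leaves the `logging` container without a `help:` string, unlike the other container nodes added in this commit. Suggest dropping the echo unless something depends on it and adding `help: "IPsec logging configuration"`.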
diff --git a/templates/vpn/ipsec/nat-networks/allowed-network/node.def b/templates/vpn/ipsec/nat-networks/allowed-network/node.def
new file mode 100644
index 0000000..3bc97e6
--- /dev/null
+++ b/templates/vpn/ipsec/nat-networks/allowed-network/node.def
@@ -0,0 +1,3 @@
+tag:
+type: ipv4net
+help: "NAT networks configuration"
diff --git a/templates/vpn/ipsec/nat-networks/allowed-network/node.tag/exclude/node.def b/templates/vpn/ipsec/nat-networks/allowed-network/node.tag/exclude/node.def
new file mode 100644
index 0000000..a20d924
--- /dev/null
+++ b/templates/vpn/ipsec/nat-networks/allowed-network/node.tag/exclude/node.def
@@ -0,0 +1,3 @@
+multi:
+type: ipv4net
+help: "NAT networks configuration"
diff --git a/templates/vpn/ipsec/nat-networks/node.def b/templates/vpn/ipsec/nat-networks/node.def
new file mode 100644
index 0000000..1d16a9c
--- /dev/null
+++ b/templates/vpn/ipsec/nat-networks/node.def
@@ -0,0 +1 @@
+help: "NAT networks configuration"
diff --git a/templates/vpn/ipsec/nat-traversal/node.def b/templates/vpn/ipsec/nat-traversal/node.def
new file mode 100644
index 0000000..ec08aa6
--- /dev/null
+++ b/templates/vpn/ipsec/nat-traversal/node.def
@@ -0,0 +1,3 @@
+help: "NAT traversal configuration"
+type: txt
+syntax: $(@) in "enable", "disable"; "must be enable or disable"
diff --git a/templates/vpn/ipsec/node.def b/templates/vpn/ipsec/node.def
new file mode 100644
index 0000000..5e1bd73
--- /dev/null
+++ b/templates/vpn/ipsec/node.def
@@ -0,0 +1 @@
+help: "VPN IP security configuration"
diff --git a/templates/vpn/ipsec/site-to-site/node.def b/templates/vpn/ipsec/site-to-site/node.def
new file mode 100644
index 0000000..a36d2ae
--- /dev/null
+++ b/templates/vpn/ipsec/site-to-site/node.def
@@ -0,0 +1 @@
+help: "Configure site to site VPN"
diff --git a/templates/vpn/ipsec/site-to-site/peer/node.def b/templates/vpn/ipsec/site-to-site/peer/node.def
new file mode 100644
index 0000000..ae179bd
--- /dev/null
+++ b/templates/vpn/ipsec/site-to-site/peer/node.def
@@ -0,0 +1,3 @@
+tag:
+type: ipv4
+help: "Configure VPN peers"
diff --git a/templates/vpn/ipsec/site-to-site/peer/node.tag/authentication/mode/node.def b/templates/vpn/ipsec/site-to-site/peer/node.tag/authentication/mode/node.def
new file mode 100644
index 0000000..5412926
--- /dev/null
+++ b/templates/vpn/ipsec/site-to-site/peer/node.tag/authentication/mode/node.def
@@ -0,0 +1,4 @@
+help: "Configure authentication mode"
+type: txt
+default: "pre-shared-secret"
+syntax: $(@) in "pre-shared-secret", "rsa"; "must be pre-shared-secret or rsa"
diff --git a/templates/vpn/ipsec/site-to-site/peer/node.tag/authentication/node.def b/templates/vpn/ipsec/site-to-site/peer/node.tag/authentication/node.def
new file mode 100644
index 0000000..78540d6
--- /dev/null
+++ b/templates/vpn/ipsec/site-to-site/peer/node.tag/authentication/node.def
@@ -0,0 +1 @@
+help: "Configure peer authentication"
diff --git a/templates/vpn/ipsec/site-to-site/peer/node.tag/authentication/pre-shared-secret/node.def b/templates/vpn/ipsec/site-to-site/peer/node.tag/authentication/pre-shared-secret/node.def
new file mode 100644
index 0000000..db096e4
--- /dev/null
+++ b/templates/vpn/ipsec/site-to-site/peer/node.tag/authentication/pre-shared-secret/node.def
@@ -0,0 +1,3 @@
+help: "Set pre-shared secret key"
+type: txt
+syntax: pattern $(@) "^[-_a-zA-Z0-9.]+$" ; "invalid pre-shared secret key \"$(@)\""
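Review bot: The error string on the `syntax:` line echoes the rejected value with `\"$(@)\"`, so a mistyped pre-shared secret is printed back to the terminal and possibly to wherever CLI errors are captured. The message should not include the value: `syntax: pattern $(@) "^[-_a-zA-Z0-9.]+$" ; "invalid pre-shared secret key"`. The pattern also accepts a one-character secret and limits the alphabet to letters, digits and `-_.`, so a minimum length check would be worth adding, and the help text should state the allowed characters.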
diff --git a/templates/vpn/ipsec/site-to-site/peer/node.tag/authentication/rsa-key-name/node.def b/templates/vpn/ipsec/site-to-site/peer/node.tag/authentication/rsa-key-name/node.def
new file mode 100644
index 0000000..c048fe8
--- /dev/null
+++ b/templates/vpn/ipsec/site-to-site/peer/node.tag/authentication/rsa-key-name/node.def
@@ -0,0 +1,3 @@
+help: "Set RSA key name"
+type: txt
+syntax: pattern $(@) "^[-_a-zA-Z0-9.]+$" ; "invalid RSA key name \"$(@)\""
diff --git a/templates/vpn/ipsec/site-to-site/peer/node.tag/ike-group/node.def b/templates/vpn/ipsec/site-to-site/peer/node.tag/ike-group/node.def
new file mode 100644
index 0000000..d70c5ca
--- /dev/null
+++ b/templates/vpn/ipsec/site-to-site/peer/node.tag/ike-group/node.def
@@ -0,0 +1,2 @@
+help: "Set IKE group name"
+type: txt
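Review bot: This reference to an IKE group is plain `type: txt` with no `syntax:` line, while the group definition in `ike-group/node.def` restricts names to `^[-_a-zA-Z0-9.]+$`. A value that could never name a valid group is therefore accepted here and only fails later, if at all. Apply the same constraint, `syntax: pattern $(@) "^[-_a-zA-Z0-9.]+$" ; "invalid IKE group name \"$(@)\""`, and ideally check at commit time that the named group exists. The `esp-group` reference under `tunnel/node.tag/esp-group/node.def` has the same gap.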
diff --git a/templates/vpn/ipsec/site-to-site/peer/node.tag/local-ip/node.def b/templates/vpn/ipsec/site-to-site/peer/node.tag/local-ip/node.def
new file mode 100644
index 0000000..967cf73
--- /dev/null
+++ b/templates/vpn/ipsec/site-to-site/peer/node.tag/local-ip/node.def
@@ -0,0 +1,2 @@
+help: "Set local interface address"
+type: ipv4
diff --git a/templates/vpn/ipsec/site-to-site/peer/node.tag/tunnel/node.def b/templates/vpn/ipsec/site-to-site/peer/node.tag/tunnel/node.def
new file mode 100644
index 0000000..943122f
--- /dev/null
+++ b/templates/vpn/ipsec/site-to-site/peer/node.tag/tunnel/node.def
@@ -0,0 +1,3 @@
+tag:
+type: u32
+help: "Configure peer tunnel"
diff --git a/templates/vpn/ipsec/site-to-site/peer/node.tag/tunnel/node.tag/allow-nat-networks/node.def b/templates/vpn/ipsec/site-to-site/peer/node.tag/tunnel/node.tag/allow-nat-networks/node.def
new file mode 100644
index 0000000..b8e6454
--- /dev/null
+++ b/templates/vpn/ipsec/site-to-site/peer/node.tag/tunnel/node.tag/allow-nat-networks/node.def
@@ -0,0 +1,4 @@
+help: "Set NAT networks"
+type: txt
+default: "disable"
+syntax: $(@) in "enable", "disable"; "must be enable or disable"
diff --git a/templates/vpn/ipsec/site-to-site/peer/node.tag/tunnel/node.tag/allow-public-networks/node.def b/templates/vpn/ipsec/site-to-site/peer/node.tag/tunnel/node.tag/allow-public-networks/node.def
new file mode 100644
index 0000000..7c18e68
--- /dev/null
+++ b/templates/vpn/ipsec/site-to-site/peer/node.tag/tunnel/node.tag/allow-public-networks/node.def
@@ -0,0 +1,4 @@
+help: "Set public networks"
+type: txt
+default: "disable"
+syntax: $(@) in "enable", "disable"; "must be enable or disable"
diff --git a/templates/vpn/ipsec/site-to-site/peer/node.tag/tunnel/node.tag/esp-group/node.def b/templates/vpn/ipsec/site-to-site/peer/node.tag/tunnel/node.tag/esp-group/node.def
new file mode 100644
index 0000000..478139e
--- /dev/null
+++ b/templates/vpn/ipsec/site-to-site/peer/node.tag/tunnel/node.tag/esp-group/node.def
@@ -0,0 +1,2 @@
+help: "Set ESP group name"
+type: txt
diff --git a/templates/vpn/ipsec/site-to-site/peer/node.tag/tunnel/node.tag/local-subnet/node.def b/templates/vpn/ipsec/site-to-site/peer/node.tag/tunnel/node.tag/local-subnet/node.def
new file mode 100644
index 0000000..3e9d176
--- /dev/null
+++ b/templates/vpn/ipsec/site-to-site/peer/node.tag/tunnel/node.tag/local-subnet/node.def
@@ -0,0 +1,2 @@
+help: "Set local subnet"
+type: ipv4net
diff --git a/templates/vpn/ipsec/site-to-site/peer/node.tag/tunnel/node.tag/remote-subnet/node.def b/templates/vpn/ipsec/site-to-site/peer/node.tag/tunnel/node.tag/remote-subnet/node.def
new file mode 100644
index 0000000..b3653e7
--- /dev/null
+++ b/templates/vpn/ipsec/site-to-site/peer/node.tag/tunnel/node.tag/remote-subnet/node.def
@@ -0,0 +1,2 @@
+help: "Set remote subnet"
+type: ipv4net