Diffstat (limited to 'templates')
-rw-r--r--templates/vpn/ipsec/esp-group/node.tag/proposal/node.tag/encryption/node.def4
-rw-r--r--templates/vpn/ipsec/ike-group/node.tag/dead-peer-detection/interval/node.def6
-rw-r--r--templates/vpn/ipsec/ike-group/node.tag/dead-peer-detection/timeout/node.def8
-rw-r--r--templates/vpn/ipsec/ike-group/node.tag/mode/node.def5
-rw-r--r--templates/vpn/ipsec/ike-group/node.tag/proposal/node.tag/dh-group/node.def1
-rw-r--r--templates/vpn/ipsec/ike-group/node.tag/proposal/node.tag/encryption/node.def4
-rw-r--r--templates/vpn/ipsec/include-ipsec-conf/node.def2
-rw-r--r--templates/vpn/ipsec/include-ipsec-secrets/node.def2
-rw-r--r--templates/vpn/ipsec/logging/log-level/node.def5
-rw-r--r--templates/vpn/ipsec/logging/log-modes/node.def28
-rw-r--r--templates/vpn/ipsec/site-to-site/peer/node.tag/default-esp-group/node.def2
-rw-r--r--templates/vpn/ipsec/site-to-site/peer/node.tag/dhcp-interface/node.def2
-rw-r--r--templates/vpn/ipsec/site-to-site/peer/node.tag/force-encapsulation/node.def6
-rw-r--r--templates/vpn/ipsec/site-to-site/peer/node.tag/ike-group/node.def2
-rw-r--r--templates/vpn/ipsec/site-to-site/peer/node.tag/tunnel/node.tag/esp-group/node.def2
-rw-r--r--templates/vpn/node.def3
16 files changed, 55 insertions, 27 deletions
diff --git a/templates/vpn/ipsec/esp-group/node.tag/proposal/node.tag/encryption/node.def b/templates/vpn/ipsec/esp-group/node.tag/proposal/node.tag/encryption/node.def
index 0e8fd2d..ba66828 100644
--- a/templates/vpn/ipsec/esp-group/node.tag/proposal/node.tag/encryption/node.def
+++ b/templates/vpn/ipsec/esp-group/node.tag/proposal/node.tag/encryption/node.def
@@ -1,10 +1,10 @@
help: Encryption algorithm
type: txt
default: "aes128"
-syntax:expression: $VAR(@) in "aes128", "aes256", "3des"; "must be aes128, or aes256, or 3des"
-syntax:expression: $VAR(@) in "aes128", "aes256", "3des", "aes128gcm128", "aes256gcm128"; "must be aes128, or aes128gcm128, or aes256, or aes256gcm128, or 3des"
+syntax:expression: $VAR(@) in "aes128", "aes256", "aes128gcm128", "aes256gcm128", "3des", "chacha20poly1305"; "must be aes128, aes256, 3des, or chacha20poly1305"
val_help: aes128; AES-128 encryption (default)
val_help: aes256; AES-256 encryption
val_help: aes128gcm128; AES-128 encryption with Galois Counter Mode 128-bit
val_help: aes256gcm128; AES-256 encryption with Galois Counter Mode 128-bit
val_help: 3des; 3DES encryption
+val_help: chacha20poly1305; ChaCha20-Poly1305 encryption
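Review bot: The rejection message on the new syntax:expression line names only four of the six values the `in` clause accepts, so a user who mistypes `aes128gcm128` or `aes256gcm128` is told those algorithms do not exist. Change the message to `"must be aes128, aes256, aes128gcm128, aes256gcm128, 3des, or chacha20poly1305"` so the two lists stay in sync. The ike-group encryption hunk (templates/vpn/ipsec/ike-group/node.tag/proposal/node.tag/encryption/node.def) is byte-identical to this one and has the same mismatch. Since `3des` stays accepted, its val_help could also mark it as legacy, e.g. `val_help: 3des; 3DES encryption (legacy, not recommended)`, so the completion text steers operators toward the AES and ChaCha20 options.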
diff --git a/templates/vpn/ipsec/ike-group/node.tag/dead-peer-detection/interval/node.def b/templates/vpn/ipsec/ike-group/node.tag/dead-peer-detection/interval/node.def
index 4fdebe9..e6175c9 100644
--- a/templates/vpn/ipsec/ike-group/node.tag/dead-peer-detection/interval/node.def
+++ b/templates/vpn/ipsec/ike-group/node.tag/dead-peer-detection/interval/node.def
@@ -1,5 +1,5 @@
help: Keep-alive interval
-type: u32
+type: u32
default: 30
-syntax:expression: ($VAR(@) >= 15 && $VAR(@) <= 86400) ; "must be between 15-86400 seconds"
-val_help: u32:15-86400; Keep-alive interval in seconds (default 30)
+syntax:expression: ($VAR(@) >= 2 && $VAR(@) <= 86400) ; "must be between 2-86400 seconds"
+val_help: u32:2-86400; Keep-alive interval in seconds (default 30)
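Review bot: The new floor of 2 seconds here, and the 10-second floor in the dead-peer-detection/timeout hunk, are each checked in isolation; neither template rejects a timeout shorter than the interval, so a combination such as interval 60 and timeout 10 now passes syntax validation, and whether it is caught later depends on vpn-config.pl, which is not part of this diff. If the backend does not cross-validate the pair, a sentence in the timeout help would at least warn the operator, e.g. `val_help: u32:10-86400; Keep-alive timeout in seconds, should exceed the interval (default 120)`. The `-type: u32`/`+type: u32` pair in both hunks appears to be a trailing-whitespace change only.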
diff --git a/templates/vpn/ipsec/ike-group/node.tag/dead-peer-detection/timeout/node.def b/templates/vpn/ipsec/ike-group/node.tag/dead-peer-detection/timeout/node.def
index 939be1c..3378cb5 100644
--- a/templates/vpn/ipsec/ike-group/node.tag/dead-peer-detection/timeout/node.def
+++ b/templates/vpn/ipsec/ike-group/node.tag/dead-peer-detection/timeout/node.def
@@ -1,7 +1,5 @@
help: Keep-alive timeout
-type: u32
+type: u32
default: 120
-syntax:expression: ($VAR(@) >= 30 && $VAR(@) <= 86400) ; "must be between 30-86400 seconds"
-val_help: u32:30-86400; Keep-alive timeout in seconds (default 120)
-
-
+syntax:expression: ($VAR(@) >= 10 && $VAR(@) <= 86400) ; "must be between 10-86400 seconds"
+val_help: u32:10-86400; Keep-alive timeout in seconds (default 120)
diff --git a/templates/vpn/ipsec/ike-group/node.tag/mode/node.def b/templates/vpn/ipsec/ike-group/node.tag/mode/node.def
new file mode 100644
index 0000000..2b67dad
--- /dev/null
+++ b/templates/vpn/ipsec/ike-group/node.tag/mode/node.def
@@ -0,0 +1,5 @@
+help: IKEv1 Phase 1 Mode Selection
+type: txt
+syntax:expression: $VAR(@) in "main", "aggressive"; "must be main or aggressive"
+val_help: main; Use Main mode for Key Exchanges in the IKEv1 Protocol (Recommended Default)
+val_help: aggressive; Use Aggressive mode for Key Exchanges in the IKEv1 protocol - We do not recommend users to use aggressive mode as it is much more insecure compared to Main mode.
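Review bot: The new mode node describes main as the "(Recommended Default)" but carries no `default:` line, so what an unset mode actually means is decided by the backend script, which is not visible here. Adding `default: "main"` after `type: txt` makes the template enforce what its help text promises and keeps this node consistent with the other leaf nodes in this change that declare their defaults. The aggressive val_help would be more useful if it stated the reason briefly instead of "much more insecure": aggressive mode sends the initiator identity unprotected and, with pre-shared keys, exposes the exchange to offline guessing of the PSK, e.g. `val_help: aggressive; Use Aggressive mode for IKEv1 key exchange (insecure: identity sent in the clear, PSK exposed to offline attack; only for legacy peers)`.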
diff --git a/templates/vpn/ipsec/ike-group/node.tag/proposal/node.tag/dh-group/node.def b/templates/vpn/ipsec/ike-group/node.tag/proposal/node.tag/dh-group/node.def
index 307dc09..32deb66 100644
--- a/templates/vpn/ipsec/ike-group/node.tag/proposal/node.tag/dh-group/node.def
+++ b/templates/vpn/ipsec/ike-group/node.tag/proposal/node.tag/dh-group/node.def
@@ -1,5 +1,6 @@
help: Diffie-Hellman (DH) key exchange group
type: u32
+default: 2
syntax:expression: ($VAR(@) == 2 || $VAR(@) == 5 || ($VAR(@) >= 14 && $VAR(@) <= 26)); "must be 2, 5 or 14 through 26"
val_help: 2; DH group 2 (modp1024)
val_help: 5; DH group 5 (modp1536)
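Review bot: `default: 2` makes modp1024 the out-of-the-box DH group, the weakest group the syntax expression accepts, and nothing in the val_help lines says so. If the default is needed for backward compatibility with existing configurations, mark it in the help text, e.g. `val_help: 2; DH group 2 (modp1024, legacy default)`; otherwise `default: 14` (modp2048) would be the safer choice for new installs. The val_help lines for groups 14 through 26 lie outside the hunk.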
diff --git a/templates/vpn/ipsec/ike-group/node.tag/proposal/node.tag/encryption/node.def b/templates/vpn/ipsec/ike-group/node.tag/proposal/node.tag/encryption/node.def
index 0e8fd2d..ba66828 100644
--- a/templates/vpn/ipsec/ike-group/node.tag/proposal/node.tag/encryption/node.def
+++ b/templates/vpn/ipsec/ike-group/node.tag/proposal/node.tag/encryption/node.def
@@ -1,10 +1,10 @@
help: Encryption algorithm
type: txt
default: "aes128"
-syntax:expression: $VAR(@) in "aes128", "aes256", "3des"; "must be aes128, or aes256, or 3des"
-syntax:expression: $VAR(@) in "aes128", "aes256", "3des", "aes128gcm128", "aes256gcm128"; "must be aes128, or aes128gcm128, or aes256, or aes256gcm128, or 3des"
+syntax:expression: $VAR(@) in "aes128", "aes256", "aes128gcm128", "aes256gcm128", "3des", "chacha20poly1305"; "must be aes128, aes256, 3des, or chacha20poly1305"
val_help: aes128; AES-128 encryption (default)
val_help: aes256; AES-256 encryption
val_help: aes128gcm128; AES-128 encryption with Galois Counter Mode 128-bit
val_help: aes256gcm128; AES-256 encryption with Galois Counter Mode 128-bit
val_help: 3des; 3DES encryption
+val_help: chacha20poly1305; ChaCha20-Poly1305 encryption
diff --git a/templates/vpn/ipsec/include-ipsec-conf/node.def b/templates/vpn/ipsec/include-ipsec-conf/node.def
new file mode 100644
index 0000000..fc82a45
--- /dev/null
+++ b/templates/vpn/ipsec/include-ipsec-conf/node.def
@@ -0,0 +1,2 @@
+type: txt
+help: Sets to include an additional configuration directive file for strongSwan. Use an absolute path to specify the included file.
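Review bot: The help text requires an absolute path but the node has no syntax:expression, so a relative path or a value containing spaces is accepted at configuration time and only fails, or includes the wrong file, when strongSwan loads the generated configuration. Add `syntax:expression: pattern $VAR(@) "^/" ; "must be an absolute path"` after `type: txt`; the include-ipsec-secrets node in the next hunk has the same gap. Because whatever file is named here is pulled verbatim into the daemon's configuration and secrets, the backend should also check that the file exists and, for the secrets include, that it is not readable by other users, though that script is not part of this diff.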
diff --git a/templates/vpn/ipsec/include-ipsec-secrets/node.def b/templates/vpn/ipsec/include-ipsec-secrets/node.def
new file mode 100644
index 0000000..37b73e1
--- /dev/null
+++ b/templates/vpn/ipsec/include-ipsec-secrets/node.def
@@ -0,0 +1,2 @@
+type: txt
+help: Sets to include an additional secrets file for strongSwan. Use an absolute path to specify the included file.
diff --git a/templates/vpn/ipsec/logging/log-level/node.def b/templates/vpn/ipsec/logging/log-level/node.def
new file mode 100644
index 0000000..54cf698
--- /dev/null
+++ b/templates/vpn/ipsec/logging/log-level/node.def
@@ -0,0 +1,5 @@
+help: strongSwan Logger Level
+type: u32
+default: 1
+syntax:expression: ($VAR(@) >= 0 && $VAR(@) <= 2) ; "must be between levels 0-2"
+val_help: u32:0-2; Logger Verbosity Level (default 0)
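Review bot: `default: 1` on the new log-level node contradicts its own val_help line, which says "(default 0)"; one of the two is wrong, and the val_help is what operators see on tab completion. Change it to `val_help: u32:0-2; Logger Verbosity Level (default 1)`, or set `default: 0`, whichever the backend actually assumes. The help line could also say what the levels mean, since nothing here indicates which end is quietest — if 0 is least and 2 most verbose, state that in the val_help.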
diff --git a/templates/vpn/ipsec/logging/log-modes/node.def b/templates/vpn/ipsec/logging/log-modes/node.def
index f0dd9f4..5662a4e 100644
--- a/templates/vpn/ipsec/logging/log-modes/node.def
+++ b/templates/vpn/ipsec/logging/log-modes/node.def
@@ -1,11 +1,21 @@
multi:
-help: Log mode
+help: Log mode. To see what each log mode exactly does, please refer to the strongSwan documentation
type: txt
-syntax:expression: $VAR(@) in "raw", "crypt", "parsing", "emitting", "control", "all", "private" ; "must be one of the following: raw, crypt, parsing, emitting, control, all, private"
-val_help: raw; Debug log option for pluto
-val_help: crypt; Debug log option for pluto
-val_help: parsing; Debug log option for pluto
-val_help: emitting; Debug log option for pluto
-val_help: control; Debug log option for pluto
-val_help: all; Debug log option for pluto
-val_help: private; Debug log option for pluto
+syntax:expression: $VAR(@) in "dmn", "mgr", "ike", "chd", "job", "cfg", "knl", "net", "asn", "enc", "lib", "esp", "tls", "tnc", "imc", "imv", "pts" ; "must be one of the following: dmn, mgr, ike, chd, job, cfg, knl, net, asn, enc, lib, esp, tls, tnc, imc, imv, pts"
+val_help: dmn; Debug log option for strongSwan
+val_help: mgr; Debug log option for strongSwan
+val_help: ike; Debug log option for strongSwan
+val_help: chd; Debug log option for strongSwan
+val_help: job; Debug log option for strongSwan
+val_help: cfg; Debug log option for strongSwan
+val_help: knl; Debug log option for strongSwan
+val_help: net; Debug log option for strongSwan
+val_help: asn; Debug log option for strongSwan
+val_help: enc; Debug log option for strongSwan
+val_help: lib; Debug log option for strongSwan
+val_help: esp; Debug log option for strongSwan
+val_help: tls; Debug log option for strongSwan
+val_help: tnc; Debug log option for strongSwan
+val_help: imc; Debug log option for strongSwan
+val_help: imv; Debug log option for strongSwan
+val_help: pts; Debug log option for strongSwan
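Review bot: All seventeen new val_help lines carry the identical text "Debug log option for strongSwan", so tab completion tells the operator nothing about what `knl` or `chd` select, and the help line only points them at external documentation. Each entry should name its subsystem in a few words, e.g. `val_help: ike; IKE_SA processing`, `val_help: chd; CHILD_SA processing`, `val_help: knl; Kernel IPsec/network interface`, with the remaining entries filled in from the strongSwan logger subsystem list the help text refers to. The old `private` mode is removed along with the other pluto values; if anything in the backend still maps it, that mapping needs updating, though it is not visible here.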
diff --git a/templates/vpn/ipsec/site-to-site/peer/node.tag/default-esp-group/node.def b/templates/vpn/ipsec/site-to-site/peer/node.tag/default-esp-group/node.def
index f754c32..d389bab 100644
--- a/templates/vpn/ipsec/site-to-site/peer/node.tag/default-esp-group/node.def
+++ b/templates/vpn/ipsec/site-to-site/peer/node.tag/default-esp-group/node.def
@@ -1,4 +1,4 @@
help: Defult ESP group name
type: txt
-allowed: cli-shell-api listActiveNodes vpn ipsec esp-group
+allowed: cli-shell-api listNodes vpn ipsec esp-group
diff --git a/templates/vpn/ipsec/site-to-site/peer/node.tag/dhcp-interface/node.def b/templates/vpn/ipsec/site-to-site/peer/node.tag/dhcp-interface/node.def
index a25e076..026b175 100644
--- a/templates/vpn/ipsec/site-to-site/peer/node.tag/dhcp-interface/node.def
+++ b/templates/vpn/ipsec/site-to-site/peer/node.tag/dhcp-interface/node.def
@@ -2,6 +2,6 @@ type: txt
help: DHCP interface to listen on
allowed:
local -a array ;
- array=( /var/lib/dhcp3/eth* /var/lib/dhcp3/br* /var/lib/dhcp3/bond* ) ;
+ array=( /var/lib/dhcp/eth* /var/lib/dhcp/br* /var/lib/dhcp/bond* ) ;
echo -n ${array[@]##*/}
diff --git a/templates/vpn/ipsec/site-to-site/peer/node.tag/force-encapsulation/node.def b/templates/vpn/ipsec/site-to-site/peer/node.tag/force-encapsulation/node.def
new file mode 100644
index 0000000..bc71729
--- /dev/null
+++ b/templates/vpn/ipsec/site-to-site/peer/node.tag/force-encapsulation/node.def
@@ -0,0 +1,6 @@
+help: Force UDP Encapsulation for ESP Payloads
+type: txt
+syntax:expression: $VAR(@) in "enable", "disable"; "Must be enable or disable"
+val_help: enable; This endpoint will force UDP encapsulation for this peer
+val_help: disable; This endpoint will not force UDP encapsulation for this peer
+
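Review bot: The new force-encapsulation node declares no `default:`, so a peer without the node relies on an assumption in the backend that the template does not document; `default: "disable"` after `type: txt` would make the off state explicit, assuming not forcing encapsulation is the intended default. The error message `"Must be enable or disable"` is capitalised unlike the messages in the other nodes of this change, and the file gains a trailing empty line of the kind the dead-peer-detection/timeout hunk removes elsewhere.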
diff --git a/templates/vpn/ipsec/site-to-site/peer/node.tag/ike-group/node.def b/templates/vpn/ipsec/site-to-site/peer/node.tag/ike-group/node.def
index 343f1fb..146805c 100644
--- a/templates/vpn/ipsec/site-to-site/peer/node.tag/ike-group/node.def
+++ b/templates/vpn/ipsec/site-to-site/peer/node.tag/ike-group/node.def
@@ -1,3 +1,3 @@
help: Internet Key Exchange (IKE) group name [REQUIRED]
type: txt
-allowed: cli-shell-api listActiveNodes vpn ipsec ike-group
+allowed: cli-shell-api listNodes vpn ipsec ike-group
diff --git a/templates/vpn/ipsec/site-to-site/peer/node.tag/tunnel/node.tag/esp-group/node.def b/templates/vpn/ipsec/site-to-site/peer/node.tag/tunnel/node.tag/esp-group/node.def
index d773b96..16300c5 100644
--- a/templates/vpn/ipsec/site-to-site/peer/node.tag/tunnel/node.tag/esp-group/node.def
+++ b/templates/vpn/ipsec/site-to-site/peer/node.tag/tunnel/node.tag/esp-group/node.def
@@ -1,3 +1,3 @@
help: ESP group name
type: txt
-allowed: cli-shell-api listActiveNodes vpn ipsec esp-group
+allowed: cli-shell-api listNodes vpn ipsec esp-group
diff --git a/templates/vpn/node.def b/templates/vpn/node.def
index 7c6b56a..ae2d6a9 100644
--- a/templates/vpn/node.def
+++ b/templates/vpn/node.def
@@ -2,8 +2,7 @@ priority: 900
help: Virtual Private Network (VPN)
end:sudo /opt/vyatta/sbin/vyatta-vti-config.pl || exit 1
sudo /opt/vyatta/sbin/dmvpn-config.pl \
- --config_file='/etc/dmvpn.conf' \
- --secrets_file='/etc/dmvpn.secrets' \
+ --config_file='/etc/swanctl/swanctl.conf' \
--init_script='/etc/init.d/ipsec' || exit 1
sudo /opt/vyatta/sbin/vyos-update-nhrp.pl --set_ipsec || exit 1
sudo /opt/vyatta/sbin/vpn-config.pl \
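Review bot: `--secrets_file` is dropped from the dmvpn-config.pl invocation while the same commit adds an include-ipsec-secrets node, so either the script now writes secrets into swanctl.conf or it still expects a destination it no longer receives; the script is not in this diff, so this needs confirming before merge. If secrets do end up in `/etc/swanctl/swanctl.conf`, the backend should guarantee that file is not world-readable, since one sudo'd script now writes what was previously split between a config file and a secrets file. The `end:` block continues past the hunk.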