summaryrefslogtreecommitdiff
path: root/interface-definitions/vpn_ipsec.xml.in
diff options
context:
space:
mode:
Diffstat (limited to 'interface-definitions/vpn_ipsec.xml.in')
-rw-r--r--interface-definitions/vpn_ipsec.xml.in249
1 files changed, 158 insertions, 91 deletions
diff --git a/interface-definitions/vpn_ipsec.xml.in b/interface-definitions/vpn_ipsec.xml.in
index e82249d44..555ba689f 100644
--- a/interface-definitions/vpn_ipsec.xml.in
+++ b/interface-definitions/vpn_ipsec.xml.in
@@ -13,13 +13,13 @@
<children>
<leafNode name="disable-uniqreqids">
<properties>
- <help>Option to disable requirement for unique IDs in the Security Database</help>
+ <help>Disable requirement for unique IDs in the Security Database</help>
<valueless/>
</properties>
</leafNode>
<tagNode name="esp-group">
<properties>
- <help>Name of Encapsulating Security Payload (ESP) group</help>
+ <help>Encapsulated Security Payload (ESP) group name</help>
</properties>
<children>
<leafNode name="compression">
@@ -30,14 +30,14 @@
</completionHelp>
<valueHelp>
<format>disable</format>
- <description>Disable ESP compression (default)</description>
+ <description>Disable ESP compression</description>
</valueHelp>
<valueHelp>
<format>enable</format>
<description>Enable ESP compression</description>
</valueHelp>
<constraint>
- <regex>^(disable|enable)$</regex>
+ <regex>(disable|enable)</regex>
</constraint>
</properties>
<defaultValue>disable</defaultValue>
@@ -47,7 +47,7 @@
<help>ESP lifetime</help>
<valueHelp>
<format>u32:30-86400</format>
- <description>ESP lifetime in seconds (default 3600)</description>
+ <description>ESP lifetime in seconds</description>
</valueHelp>
<constraint>
<validator name="numeric" argument="--range 30-86400"/>
@@ -55,6 +55,30 @@
</properties>
<defaultValue>3600</defaultValue>
</leafNode>
+ <leafNode name="life-bytes">
+ <properties>
+ <help>ESP life in bytes</help>
+ <valueHelp>
+ <format>u32:1024-26843545600000</format>
+ <description>ESP life in bytes</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 1024-26843545600000"/>
+ </constraint>
+ </properties>
+ </leafNode>
+ <leafNode name="life-packets">
+ <properties>
+ <help>ESP life in packets</help>
+ <valueHelp>
+ <format>u32:1000-26843545600000</format>
+ <description>ESP life in packets</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 1000-26843545600000"/>
+ </constraint>
+ </properties>
+ </leafNode>
<leafNode name="mode">
<properties>
<help>ESP mode</help>
@@ -63,14 +87,14 @@
</completionHelp>
<valueHelp>
<format>tunnel</format>
- <description>Tunnel mode (default)</description>
+ <description>Tunnel mode</description>
</valueHelp>
<valueHelp>
<format>transport</format>
<description>Transport mode</description>
</valueHelp>
<constraint>
- <regex>^(tunnel|transport)$</regex>
+ <regex>(tunnel|transport)</regex>
</constraint>
</properties>
<defaultValue>tunnel</defaultValue>
@@ -83,7 +107,7 @@
</completionHelp>
<valueHelp>
<format>enable</format>
- <description>Inherit Diffie-Hellman group from IKE group - default</description>
+ <description>Inherit Diffie-Hellman group from the IKE group</description>
</valueHelp>
<valueHelp>
<format>dh-group1</format>
@@ -178,17 +202,17 @@
<description>Disable PFS</description>
</valueHelp>
<constraint>
- <regex>^(enable|dh-group1|dh-group2|dh-group5|dh-group14|dh-group15|dh-group16|dh-group17|dh-group18|dh-group19|dh-group20|dh-group21|dh-group22|dh-group23|dh-group24|dh-group25|dh-group26|dh-group27|dh-group28|dh-group29|dh-group30|dh-group31|dh-group32|disable)$</regex>
+ <regex>(enable|dh-group1|dh-group2|dh-group5|dh-group14|dh-group15|dh-group16|dh-group17|dh-group18|dh-group19|dh-group20|dh-group21|dh-group22|dh-group23|dh-group24|dh-group25|dh-group26|dh-group27|dh-group28|dh-group29|dh-group30|dh-group31|dh-group32|disable)</regex>
</constraint>
</properties>
<defaultValue>enable</defaultValue>
</leafNode>
<tagNode name="proposal">
<properties>
- <help>ESP-group proposal [REQUIRED]</help>
+ <help>ESP group proposal [REQUIRED]</help>
<valueHelp>
<format>u32:1-65535</format>
- <description>ESP-group proposal number</description>
+ <description>ESP group proposal number</description>
</valueHelp>
</properties>
<children>
@@ -200,33 +224,29 @@
</tagNode>
<tagNode name="ike-group">
<properties>
- <help>Name of Internet Key Exchange (IKE) group</help>
+ <help>Internet Key Exchange (IKE) group name</help>
</properties>
<children>
<leafNode name="close-action">
<properties>
- <help>close-action_help</help>
+ <help>Action to take if a child SA is unexpectedly closed</help>
<completionHelp>
- <list>none hold clear restart</list>
+ <list>none hold restart</list>
</completionHelp>
<valueHelp>
<format>none</format>
- <description>Set action to none (default)</description>
+ <description>Do nothing</description>
</valueHelp>
<valueHelp>
<format>hold</format>
- <description>Set action to hold</description>
- </valueHelp>
- <valueHelp>
- <format>clear</format>
- <description>Set action to clear</description>
+ <description>Attempt to re-negotiate when matching traffic is seen</description>
</valueHelp>
<valueHelp>
<format>restart</format>
- <description>Set action to restart</description>
+ <description>Attempt to re-negotiate the connection immediately</description>
</valueHelp>
<constraint>
- <regex>^(none|hold|clear|restart)$</regex>
+ <regex>(none|hold|restart)</regex>
</constraint>
</properties>
</leafNode>
@@ -243,18 +263,18 @@
</completionHelp>
<valueHelp>
<format>hold</format>
- <description>Set action to hold (default)</description>
+ <description>Attempt to re-negotiate the connection when matching traffic is seen</description>
</valueHelp>
<valueHelp>
<format>clear</format>
- <description>Set action to clear</description>
+ <description>Remove the connection immediately</description>
</valueHelp>
<valueHelp>
<format>restart</format>
- <description>Set action to restart</description>
+ <description>Attempt to re-negotiate the connection immediately</description>
</valueHelp>
<constraint>
- <regex>^(hold|clear|restart)$</regex>
+ <regex>(hold|clear|restart)</regex>
</constraint>
</properties>
</leafNode>
@@ -263,30 +283,32 @@
<help>Keep-alive interval</help>
<valueHelp>
<format>u32:2-86400</format>
- <description>Keep-alive interval in seconds (default 30)</description>
+ <description>Keep-alive interval in seconds</description>
</valueHelp>
<constraint>
<validator name="numeric" argument="--range 2-86400"/>
</constraint>
</properties>
+ <defaultValue>30</defaultValue>
</leafNode>
<leafNode name="timeout">
<properties>
- <help>Dead-Peer-Detection keep-alive timeout (IKEv1 only)</help>
+ <help>Dead Peer Detection keep-alive timeout (IKEv1 only)</help>
<valueHelp>
<format>u32:2-86400</format>
- <description>Keep-alive timeout in seconds (default 120)</description>
+ <description>Keep-alive timeout in seconds</description>
</valueHelp>
<constraint>
<validator name="numeric" argument="--range 2-86400"/>
</constraint>
</properties>
+ <defaultValue>120</defaultValue>
</leafNode>
</children>
</node>
<leafNode name="ikev2-reauth">
<properties>
- <help>ikev2-reauth_help</help>
+ <help>Re-authentication of the remote peer during an IKE re-key - IKEv2 only</help>
<completionHelp>
<list>yes no</list>
</completionHelp>
@@ -296,29 +318,29 @@
</valueHelp>
<valueHelp>
<format>no</format>
- <description>Disable remote host re-authenticaton during an IKE rekey. (Default)</description>
+ <description>Disable remote host re-authenticaton during an IKE rekey</description>
</valueHelp>
<constraint>
- <regex>^(yes|no)$</regex>
+ <regex>(yes|no)</regex>
</constraint>
</properties>
</leafNode>
<leafNode name="key-exchange">
<properties>
- <help>Key Exchange Version</help>
+ <help>IKE version</help>
<completionHelp>
<list>ikev1 ikev2</list>
</completionHelp>
<valueHelp>
<format>ikev1</format>
- <description>Use IKEv1 for Key Exchange [DEFAULT]</description>
+ <description>Use IKEv1 for key exchange</description>
</valueHelp>
<valueHelp>
<format>ikev2</format>
- <description>Use IKEv2 for Key Exchange</description>
+ <description>Use IKEv2 for key exchange</description>
</valueHelp>
<constraint>
- <regex>^(ikev1|ikev2)$</regex>
+ <regex>(ikev1|ikev2)</regex>
</constraint>
</properties>
</leafNode>
@@ -327,7 +349,7 @@
<help>IKE lifetime</help>
<valueHelp>
<format>u32:30-86400</format>
- <description>IKE lifetime in seconds (default 28800)</description>
+ <description>IKE lifetime in seconds</description>
</valueHelp>
<constraint>
<validator name="numeric" argument="--range 30-86400"/>
@@ -337,48 +359,50 @@
</leafNode>
<leafNode name="mobike">
<properties>
- <help>Enable MOBIKE Support. MOBIKE is only available for IKEv2.</help>
+ <help>Enable MOBIKE Support (IKEv2 only)</help>
<completionHelp>
<list>enable disable</list>
</completionHelp>
<valueHelp>
<format>enable</format>
- <description>Enable MOBIKE (default for IKEv2)</description>
+ <description>Enable MOBIKE</description>
</valueHelp>
<valueHelp>
<format>disable</format>
<description>Disable MOBIKE</description>
</valueHelp>
<constraint>
- <regex>^(enable|disable)$</regex>
+ <regex>(enable|disable)</regex>
</constraint>
</properties>
+ <defaultValue>enable</defaultValue>
</leafNode>
<leafNode name="mode">
<properties>
- <help>IKEv1 Phase 1 Mode Selection</help>
+ <help>IKEv1 phase 1 mode selection</help>
<completionHelp>
<list>main aggressive</list>
</completionHelp>
<valueHelp>
<format>main</format>
- <description>Use Main mode for Key Exchanges in the IKEv1 Protocol (Recommended Default)</description>
+ <description>Use the main mode (recommended)</description>
</valueHelp>
<valueHelp>
<format>aggressive</format>
- <description>Use Aggressive mode for Key Exchanges in the IKEv1 protocol - We do not recommend users to use aggressive mode as it is much more insecure compared to Main mode.</description>
+ <description>Use the aggressive mode (insecure, not recommended)</description>
</valueHelp>
<constraint>
- <regex>^(main|aggressive)$</regex>
+ <regex>(main|aggressive)</regex>
</constraint>
</properties>
+ <defaultValue>main</defaultValue>
</leafNode>
<tagNode name="proposal">
<properties>
- <help>proposal_help</help>
+ <help>IKE proposal</help>
<valueHelp>
<format>u32:1-65535</format>
- <description>IKE-group proposal</description>
+ <description>IKE group proposal</description>
</valueHelp>
</properties>
<children>
@@ -477,7 +501,7 @@
<description>Diffie-Hellman group 32 (curve448)</description>
</valueHelp>
<constraint>
- <regex>^(1|2|5|14|15|16|17|18|19|20|21|22|23|24|25|26|27|28|29|30|31|32)$</regex>
+ <regex>(1|2|5|14|15|16|17|18|19|20|21|22|23|24|25|26|27|28|29|30|31|32)</regex>
</constraint>
</properties>
<defaultValue>2</defaultValue>
@@ -490,12 +514,12 @@
</tagNode>
<leafNode name="include-ipsec-conf">
<properties>
- <help>Sets to include an additional configuration directive file for strongSwan. Use an absolute path to specify the included file</help>
+ <help>Absolute path to specify a strongSwan config include file</help>
</properties>
</leafNode>
<leafNode name="include-ipsec-secrets">
<properties>
- <help>Sets to include an additional secrets file for strongSwan. Use an absolute path to specify the included file.</help>
+ <help>Absolute path to a strongSwan secrets include file</help>
</properties>
</leafNode>
#include <include/generic-interface-multi.xml.i>
@@ -506,10 +530,10 @@
<children>
<leafNode name="level">
<properties>
- <help>strongSwan Logger Level</help>
+ <help>strongSwan logging Level</help>
<valueHelp>
<format>0</format>
- <description>Very basic auditing logs e.g. SA up/SA down (default)</description>
+ <description>Very basic auditing logs e.g. SA up/SA down</description>
</valueHelp>
<valueHelp>
<format>1</format>
@@ -527,7 +551,7 @@
</leafNode>
<leafNode name="subsystem">
<properties>
- <help>Subsystem in the daemon the log comes from</help>
+ <help>Subsystem logging levels</help>
<completionHelp>
<list>dmn mgr ike chd job cfg knl net asn enc lib esp tls tnc imc imv pts any</list>
</completionHelp>
@@ -604,7 +628,7 @@
<description>Any subsystem</description>
</valueHelp>
<constraint>
- <regex>^(dmn|mgr|ike|chd|job|cfg|knl|net|asn|enc|lib|esp|tls|tnc|imc|imv|pts|any)$</regex>
+ <regex>(dmn|mgr|ike|chd|job|cfg|knl|net|asn|enc|lib|esp|tls|tnc|imc|imv|pts|any)</regex>
</constraint>
<multi/>
</properties>
@@ -622,11 +646,24 @@
<valueless/>
</properties>
</leafNode>
+ <leafNode name="flexvpn">
+ <properties>
+ <help>Allow FlexVPN vendor ID payload (IKEv2 only)</help>
+ <valueless/>
+ </properties>
+ </leafNode>
+ #include <include/generic-interface.xml.i>
+ <leafNode name="virtual-ip">
+ <properties>
+ <help>Allow install virtual-ip addresses</help>
+ <valueless/>
+ </properties>
+ </leafNode>
</children>
</node>
<tagNode name="profile">
<properties>
- <help>VPN IPSec Profile</help>
+ <help>VPN IPSec profile</help>
</properties>
<children>
#include <include/generic-disable-node.xml.i>
@@ -643,7 +680,7 @@
</completionHelp>
<valueHelp>
<format>pre-shared-secret</format>
- <description>Use pre shared secret key</description>
+ <description>Use a pre-shared secret key</description>
</valueHelp>
</properties>
</leafNode>
@@ -657,13 +694,13 @@
<children>
<leafNode name="tunnel">
<properties>
- <help>Tunnel interface associated with this configuration profile</help>
+ <help>Tunnel interface associated with this profile</help>
<completionHelp>
<path>interfaces tunnel</path>
</completionHelp>
<valueHelp>
<format>txt</format>
- <description>Associated interface to this configuration profile</description>
+ <description>Associated interface to this profile</description>
</valueHelp>
<multi/>
</properties>
@@ -699,18 +736,18 @@
</completionHelp>
<valueHelp>
<format>eap-tls</format>
- <description>Client uses EAP-TLS authentication</description>
+ <description>Use EAP-TLS authentication</description>
</valueHelp>
<valueHelp>
<format>eap-mschapv2</format>
- <description>Client uses EAP-MSCHAPv2 authentication</description>
+ <description>Use EAP-MSCHAPv2 authentication</description>
</valueHelp>
<valueHelp>
<format>eap-radius</format>
- <description>Client uses EAP-RADIUS authentication</description>
+ <description>Use EAP-RADIUS authentication</description>
</valueHelp>
<constraint>
- <regex>^(eap-tls|eap-mschapv2|eap-radius)$</regex>
+ <regex>(eap-tls|eap-mschapv2|eap-radius)</regex>
</constraint>
</properties>
<defaultValue>eap-mschapv2</defaultValue>
@@ -724,14 +761,14 @@
</completionHelp>
<valueHelp>
<format>pre-shared-secret</format>
- <description>Authentication pre-shared-secret</description>
+ <description>Use a pre-shared secret key</description>
</valueHelp>
<valueHelp>
<format>x509</format>
- <description>Authentication x509</description>
+ <description>Use x.509 certificate</description>
</valueHelp>
<constraint>
- <regex>^(pre-shared-secret|x509)$</regex>
+ <regex>(pre-shared-secret|x509)</regex>
</constraint>
</properties>
<defaultValue>x509</defaultValue>
@@ -754,7 +791,7 @@
</valueHelp>
<valueHelp>
<format>u32:1-86400</format>
- <description>Timeout in seconds (default 28800)</description>
+ <description>Timeout in seconds</description>
</valueHelp>
<constraint>
<validator name="numeric" argument="--range 0-86400"/>
@@ -764,14 +801,14 @@
</leafNode>
<leafNode name="pool">
<properties>
- <help>Pool name used for IP address assignments</help>
+ <help>IP address pool</help>
<completionHelp>
<path>vpn ipsec remote-access pool</path>
<list>dhcp radius</list>
</completionHelp>
<valueHelp>
<format>txt</format>
- <description>Name of predefined IP pool</description>
+ <description>Predefined IP pool name</description>
</valueHelp>
<valueHelp>
<format>dhcp</format>
@@ -786,24 +823,24 @@
</leafNode>
<leafNode name="unique">
<properties>
- <help>Connection uniqueness policy to enforce</help>
+ <help>Connection uniqueness enforcement policy</help>
<completionHelp>
<list>never keep replace</list>
</completionHelp>
<valueHelp>
<format>never</format>
- <description>Never enforce connection uniqueness policy</description>
+ <description>Never enforce connection uniqueness</description>
</valueHelp>
<valueHelp>
<format>keep</format>
- <description>Rejects new connection attempts if the same user already has an active connection</description>
+ <description>Reject new connection attempts if the same user already has an active connection</description>
</valueHelp>
<valueHelp>
<format>replace</format>
<description>Delete any existing connection if a new one for the same user gets established</description>
</valueHelp>
<constraint>
- <regex>^(never|keep|replace)$</regex>
+ <regex>(never|keep|replace)</regex>
</constraint>
</properties>
</leafNode>
@@ -811,7 +848,7 @@
</tagNode>
<node name="dhcp">
<properties>
- <help>DHCP pool options for remote-access</help>
+ <help>DHCP pool options for remote access</help>
</properties>
<children>
#include <include/generic-interface.xml.i>
@@ -831,18 +868,18 @@
</node>
<tagNode name="pool">
<properties>
- <help>IP address pool for remote-access users</help>
+ <help>IP address pool for remote access users</help>
</properties>
<children>
<leafNode name="exclude">
<properties>
<help>Local IPv4 or IPv6 pool prefix exclusions</help>
<valueHelp>
- <format>ipv4</format>
+ <format>ipv4net</format>
<description>Local IPv4 pool prefix exclusion</description>
</valueHelp>
<valueHelp>
- <format>ipv6</format>
+ <format>ipv6net</format>
<description>Local IPv6 pool prefix exclusion</description>
</valueHelp>
<constraint>
@@ -856,11 +893,11 @@
<properties>
<help>Local IPv4 or IPv6 pool prefix</help>
<valueHelp>
- <format>ipv4</format>
+ <format>ipv4net</format>
<description>Local IPv4 pool prefix</description>
</valueHelp>
<valueHelp>
- <format>ipv6</format>
+ <format>ipv6net</format>
<description>Local IPv6 pool prefix</description>
</valueHelp>
<constraint>
@@ -936,10 +973,10 @@
</valueHelp>
<valueHelp>
<format>x509</format>
- <description>Use X.509 certificate</description>
+ <description>Use x.509 certificate</description>
</valueHelp>
<constraint>
- <regex>^(pre-shared-secret|rsa|x509)$</regex>
+ <regex>(pre-shared-secret|rsa|x509)</regex>
</constraint>
</properties>
</leafNode>
@@ -965,7 +1002,7 @@
<properties>
<help>Connection type</help>
<completionHelp>
- <list>initiate respond</list>
+ <list>initiate respond none</list>
</completionHelp>
<valueHelp>
<format>initiate</format>
@@ -975,8 +1012,12 @@
<format>respond</format>
<description>Bring the connection up only if traffic is detected</description>
</valueHelp>
+ <valueHelp>
+ <format>none</format>
+ <description>Load the connection only</description>
+ </valueHelp>
<constraint>
- <regex>^(initiate|respond)$</regex>
+ <regex>(initiate|respond|none)</regex>
</constraint>
</properties>
</leafNode>
@@ -992,27 +1033,27 @@
#include <include/dhcp-interface.xml.i>
<leafNode name="force-encapsulation">
<properties>
- <help>Force UDP Encapsulation for ESP Payloads</help>
+ <help>Force UDP Encapsulation for ESP payloads</help>
<completionHelp>
<list>enable disable</list>
</completionHelp>
<valueHelp>
<format>enable</format>
- <description>This endpoint will force UDP encapsulation for this peer</description>
+ <description>Force UDP encapsulation</description>
</valueHelp>
<valueHelp>
<format>disable</format>
- <description>This endpoint will not force UDP encapsulation for this peer</description>
+ <description>Do not force UDP encapsulation</description>
</valueHelp>
<constraint>
- <regex>^(enable|disable)$</regex>
+ <regex>(enable|disable)</regex>
</constraint>
</properties>
</leafNode>
#include <include/ipsec/ike-group.xml.i>
<leafNode name="ikev2-reauth">
<properties>
- <help>Re-authentication of the remote peer during an IKE re-key. IKEv2 option only</help>
+ <help>Re-authentication of the remote peer during an IKE re-key (IKEv2 only)</help>
<completionHelp>
<list>yes no inherit</list>
</completionHelp>
@@ -1026,10 +1067,10 @@
</valueHelp>
<valueHelp>
<format>inherit</format>
- <description>Inherit the reauth configuration form your IKE-group (Default)</description>
+ <description>Inherit the reauth configuration form your IKE-group</description>
</valueHelp>
<constraint>
- <regex>^(yes|no|inherit)$</regex>
+ <regex>(yes|no|inherit)</regex>
</constraint>
</properties>
</leafNode>
@@ -1047,9 +1088,21 @@
#include <include/ipsec/esp-group.xml.i>
#include <include/ipsec/local-traffic-selector.xml.i>
#include <include/ip-protocol.xml.i>
+ <leafNode name="priority">
+ <properties>
+ <help>Priority for IPSec policy (lowest value more preferable)</help>
+ <valueHelp>
+ <format>u32:1-100</format>
+ <description>Priority for IPSec policy (lowest value more preferable)</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 1-100"/>
+ </constraint>
+ </properties>
+ </leafNode>
<node name="remote">
<properties>
- <help>Remote parameters for interesting traffic</help>
+ <help>Match remote addresses</help>
</properties>
<children>
#include <include/port-number.xml.i>
@@ -1057,11 +1110,11 @@
<properties>
<help>Remote IPv4 or IPv6 prefix</help>
<valueHelp>
- <format>ipv4</format>
+ <format>ipv4net</format>
<description>Remote IPv4 prefix</description>
</valueHelp>
<valueHelp>
- <format>ipv6</format>
+ <format>ipv6net</format>
<description>Remote IPv6 prefix</description>
</valueHelp>
<constraint>
@@ -1075,6 +1128,20 @@
</node>
</children>
</tagNode>
+ <leafNode name="virtual-address">
+ <properties>
+ <help>Initiator request virtual-address from peer</help>
+ <valueHelp>
+ <format>ipv4</format>
+ <description>Request IPv4 address from peer</description>
+ </valueHelp>
+ <valueHelp>
+ <format>ipv6</format>
+ <description>Request IPv6 address from peer</description>
+ </valueHelp>
+ <multi/>
+ </properties>
+ </leafNode>
<node name="vti">
<properties>
<help>Virtual tunnel interface [REQUIRED]</help>
generated by cgit v1.2.3 (git 2.39.1) at 2024-11-01 00:45:25 +0000