summaryrefslogtreecommitdiff
path: root/interface-definitions/vpn_ipsec.xml.in
diff options
context:
space:
mode:
Diffstat (limited to 'interface-definitions/vpn_ipsec.xml.in')
-rw-r--r--interface-definitions/vpn_ipsec.xml.in1196
1 files changed, 1196 insertions, 0 deletions
diff --git a/interface-definitions/vpn_ipsec.xml.in b/interface-definitions/vpn_ipsec.xml.in
new file mode 100644
index 000000000..44ca1c7a0
--- /dev/null
+++ b/interface-definitions/vpn_ipsec.xml.in
@@ -0,0 +1,1196 @@
+<?xml version="1.0"?>
+<interfaceDefinition>
+ <node name="vpn">
+ <properties>
+ <help>Virtual Private Network (VPN)</help>
+ </properties>
+ <children>
+ <node name="ipsec" owner="${vyos_conf_scripts_dir}/vpn_ipsec.py">
+ <properties>
+ <help>VPN IP security (IPsec) parameters</help>
+ <priority>901</priority>
+ </properties>
+ <children>
+ <node name="authentication">
+ <properties>
+ <help>Authentication</help>
+ </properties>
+ <children>
+ <tagNode name="psk">
+ <properties>
+ <help>Pre-shared key name</help>
+ </properties>
+ <children>
+ #include <include/dhcp-interface-multi.xml.i>
+ <leafNode name="id">
+ <properties>
+ <help>ID for authentication</help>
+ <valueHelp>
+ <format>txt</format>
+ <description>ID used for authentication</description>
+ </valueHelp>
+ <multi/>
+ </properties>
+ </leafNode>
+ <leafNode name="secret">
+ <properties>
+ <help>IKE pre-shared secret key</help>
+ <valueHelp>
+ <format>txt</format>
+ <description>IKE pre-shared secret key</description>
+ </valueHelp>
+ </properties>
+ </leafNode>
+ </children>
+ </tagNode>
+ </children>
+ </node>
+ <leafNode name="disable-uniqreqids">
+ <properties>
+ <help>Disable requirement for unique IDs in the Security Database</help>
+ <valueless/>
+ </properties>
+ </leafNode>
+ <tagNode name="esp-group">
+ <properties>
+ <help>Encapsulating Security Payload (ESP) group name</help>
+ </properties>
+ <children>
+ <leafNode name="compression">
+ <properties>
+ <help>Enable ESP compression</help>
+ <valueless/>
+ </properties>
+ </leafNode>
+ <leafNode name="lifetime">
+ <properties>
+ <help>Security Association time to expire</help>
+ <valueHelp>
+ <format>u32:30-86400</format>
+ <description>SA lifetime in seconds</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 30-86400"/>
+ </constraint>
+ </properties>
+ <defaultValue>3600</defaultValue>
+ </leafNode>
+ <leafNode name="life-bytes">
+ <properties>
+ <help>Security Association byte count to expire</help>
+ <valueHelp>
+ <format>u32:1024-26843545600000</format>
+ <description>SA life in bytes</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 1024-26843545600000"/>
+ </constraint>
+ </properties>
+ </leafNode>
+ <leafNode name="life-packets">
+ <properties>
+ <help>Security Association packet count to expire</help>
+ <valueHelp>
+ <format>u32:1000-26843545600000</format>
+ <description>SA life in packets</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 1000-26843545600000"/>
+ </constraint>
+ </properties>
+ </leafNode>
+ <leafNode name="mode">
+ <properties>
+ <help>ESP mode</help>
+ <completionHelp>
+ <list>tunnel transport</list>
+ </completionHelp>
+ <valueHelp>
+ <format>tunnel</format>
+ <description>Tunnel mode</description>
+ </valueHelp>
+ <valueHelp>
+ <format>transport</format>
+ <description>Transport mode</description>
+ </valueHelp>
+ <constraint>
+ <regex>(tunnel|transport)</regex>
+ </constraint>
+ </properties>
+ <defaultValue>tunnel</defaultValue>
+ </leafNode>
+ <leafNode name="pfs">
+ <properties>
+ <help>ESP Perfect Forward Secrecy</help>
+ <completionHelp>
+ <list>enable dh-group1 dh-group2 dh-group5 dh-group14 dh-group15 dh-group16 dh-group17 dh-group18 dh-group19 dh-group20 dh-group21 dh-group22 dh-group23 dh-group24 dh-group25 dh-group26 dh-group27 dh-group28 dh-group29 dh-group30 dh-group31 dh-group32 disable</list>
+ </completionHelp>
+ <valueHelp>
+ <format>enable</format>
+ <description>Inherit Diffie-Hellman group from the IKE group</description>
+ </valueHelp>
+ <valueHelp>
+ <format>dh-group1</format>
+ <description>Use Diffie-Hellman group 1 (modp768)</description>
+ </valueHelp>
+ <valueHelp>
+ <format>dh-group2</format>
+ <description>Use Diffie-Hellman group 2 (modp1024)</description>
+ </valueHelp>
+ <valueHelp>
+ <format>dh-group5</format>
+ <description>Use Diffie-Hellman group 5 (modp1536)</description>
+ </valueHelp>
+ <valueHelp>
+ <format>dh-group14</format>
+ <description>Use Diffie-Hellman group 14 (modp2048)</description>
+ </valueHelp>
+ <valueHelp>
+ <format>dh-group15</format>
+ <description>Use Diffie-Hellman group 15 (modp3072)</description>
+ </valueHelp>
+ <valueHelp>
+ <format>dh-group16</format>
+ <description>Use Diffie-Hellman group 16 (modp4096)</description>
+ </valueHelp>
+ <valueHelp>
+ <format>dh-group17</format>
+ <description>Use Diffie-Hellman group 17 (modp6144)</description>
+ </valueHelp>
+ <valueHelp>
+ <format>dh-group18</format>
+ <description>Use Diffie-Hellman group 18 (modp8192)</description>
+ </valueHelp>
+ <valueHelp>
+ <format>dh-group19</format>
+ <description>Use Diffie-Hellman group 19 (ecp256)</description>
+ </valueHelp>
+ <valueHelp>
+ <format>dh-group20</format>
+ <description>Use Diffie-Hellman group 20 (ecp384)</description>
+ </valueHelp>
+ <valueHelp>
+ <format>dh-group21</format>
+ <description>Use Diffie-Hellman group 21 (ecp521)</description>
+ </valueHelp>
+ <valueHelp>
+ <format>dh-group22</format>
+ <description>Use Diffie-Hellman group 22 (modp1024s160)</description>
+ </valueHelp>
+ <valueHelp>
+ <format>dh-group23</format>
+ <description>Use Diffie-Hellman group 23 (modp2048s224)</description>
+ </valueHelp>
+ <valueHelp>
+ <format>dh-group24</format>
+ <description>Use Diffie-Hellman group 24 (modp2048s256)</description>
+ </valueHelp>
+ <valueHelp>
+ <format>dh-group25</format>
+ <description>Use Diffie-Hellman group 25 (ecp192)</description>
+ </valueHelp>
+ <valueHelp>
+ <format>dh-group26</format>
+ <description>Use Diffie-Hellman group 26 (ecp224)</description>
+ </valueHelp>
+ <valueHelp>
+ <format>dh-group27</format>
+ <description>Use Diffie-Hellman group 27 (ecp224bp)</description>
+ </valueHelp>
+ <valueHelp>
+ <format>dh-group28</format>
+ <description>Use Diffie-Hellman group 28 (ecp256bp)</description>
+ </valueHelp>
+ <valueHelp>
+ <format>dh-group29</format>
+ <description>Use Diffie-Hellman group 29 (ecp384bp)</description>
+ </valueHelp>
+ <valueHelp>
+ <format>dh-group30</format>
+ <description>Use Diffie-Hellman group 30 (ecp512bp)</description>
+ </valueHelp>
+ <valueHelp>
+ <format>dh-group31</format>
+ <description>Use Diffie-Hellman group 31 (curve25519)</description>
+ </valueHelp>
+ <valueHelp>
+ <format>dh-group32</format>
+ <description>Use Diffie-Hellman group 32 (curve448)</description>
+ </valueHelp>
+ <valueHelp>
+ <format>disable</format>
+ <description>Disable PFS</description>
+ </valueHelp>
+ <constraint>
+ <regex>(enable|dh-group1|dh-group2|dh-group5|dh-group14|dh-group15|dh-group16|dh-group17|dh-group18|dh-group19|dh-group20|dh-group21|dh-group22|dh-group23|dh-group24|dh-group25|dh-group26|dh-group27|dh-group28|dh-group29|dh-group30|dh-group31|dh-group32|disable)</regex>
+ </constraint>
+ </properties>
+ <defaultValue>enable</defaultValue>
+ </leafNode>
+ <tagNode name="proposal">
+ <properties>
+ <help>ESP group proposal</help>
+ <valueHelp>
+ <format>u32:1-65535</format>
+ <description>ESP group proposal number</description>
+ </valueHelp>
+ </properties>
+ <children>
+ #include <include/vpn-ipsec-encryption.xml.i>
+ #include <include/vpn-ipsec-hash.xml.i>
+ </children>
+ </tagNode>
+ </children>
+ </tagNode>
+ <tagNode name="ike-group">
+ <properties>
+ <help>Internet Key Exchange (IKE) group name</help>
+ </properties>
+ <children>
+ <leafNode name="close-action">
+ <properties>
+ <help>Action to take if a child SA is unexpectedly closed</help>
+ <completionHelp>
+ <list>none trap start</list>
+ </completionHelp>
+ <valueHelp>
+ <format>none</format>
+ <description>Do nothing</description>
+ </valueHelp>
+ <valueHelp>
+ <format>trap</format>
+ <description>Attempt to re-negotiate when matching traffic is seen</description>
+ </valueHelp>
+ <valueHelp>
+ <format>start</format>
+ <description>Attempt to re-negotiate the connection immediately</description>
+ </valueHelp>
+ <constraint>
+ <regex>(none|trap|start)</regex>
+ </constraint>
+ </properties>
+ <defaultValue>none</defaultValue>
+ </leafNode>
+ <node name="dead-peer-detection">
+ <properties>
+ <help>Dead Peer Detection (DPD)</help>
+ </properties>
+ <children>
+ <leafNode name="action">
+ <properties>
+ <help>Keep-alive failure action</help>
+ <completionHelp>
+ <list>trap clear restart</list>
+ </completionHelp>
+ <valueHelp>
+ <format>trap</format>
+ <description>Attempt to re-negotiate the connection when matching traffic is seen</description>
+ </valueHelp>
+ <valueHelp>
+ <format>clear</format>
+ <description>Remove the connection immediately</description>
+ </valueHelp>
+ <valueHelp>
+ <format>restart</format>
+ <description>Attempt to re-negotiate the connection immediately</description>
+ </valueHelp>
+ <constraint>
+ <regex>(trap|clear|restart)</regex>
+ </constraint>
+ </properties>
+ <defaultValue>clear</defaultValue>
+ </leafNode>
+ <leafNode name="interval">
+ <properties>
+ <help>Keep-alive interval</help>
+ <valueHelp>
+ <format>u32:2-86400</format>
+ <description>Keep-alive interval in seconds</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 2-86400"/>
+ </constraint>
+ </properties>
+ <defaultValue>30</defaultValue>
+ </leafNode>
+ <leafNode name="timeout">
+ <properties>
+ <help>Dead Peer Detection keep-alive timeout (IKEv1 only)</help>
+ <valueHelp>
+ <format>u32:2-86400</format>
+ <description>Keep-alive timeout in seconds</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 2-86400"/>
+ </constraint>
+ </properties>
+ <defaultValue>120</defaultValue>
+ </leafNode>
+ </children>
+ </node>
+ <leafNode name="ikev2-reauth">
+ <properties>
+ <help>Re-authentication of the remote peer during an IKE re-key (IKEv2 only)</help>
+ <valueless/>
+ </properties>
+ </leafNode>
+ <leafNode name="key-exchange">
+ <properties>
+ <help>IKE version</help>
+ <completionHelp>
+ <list>ikev1 ikev2</list>
+ </completionHelp>
+ <valueHelp>
+ <format>ikev1</format>
+ <description>Use IKEv1 for key exchange</description>
+ </valueHelp>
+ <valueHelp>
+ <format>ikev2</format>
+ <description>Use IKEv2 for key exchange</description>
+ </valueHelp>
+ <constraint>
+ <regex>(ikev1|ikev2)</regex>
+ </constraint>
+ </properties>
+ </leafNode>
+ <leafNode name="lifetime">
+ <properties>
+ <help>IKE lifetime</help>
+ <valueHelp>
+ <format>u32:0-86400</format>
+ <description>IKE lifetime in seconds</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 0-86400"/>
+ </constraint>
+ </properties>
+ <defaultValue>28800</defaultValue>
+ </leafNode>
+ <leafNode name="disable-mobike">
+ <properties>
+ <help>Disable MOBIKE Support (IKEv2 only)</help>
+ <valueless/>
+ </properties>
+ </leafNode>
+ <leafNode name="mode">
+ <properties>
+ <help>IKEv1 phase 1 mode</help>
+ <completionHelp>
+ <list>main aggressive</list>
+ </completionHelp>
+ <valueHelp>
+ <format>main</format>
+ <description>Use the main mode (recommended)</description>
+ </valueHelp>
+ <valueHelp>
+ <format>aggressive</format>
+ <description>Use the aggressive mode (insecure, not recommended)</description>
+ </valueHelp>
+ <constraint>
+ <regex>(main|aggressive)</regex>
+ </constraint>
+ </properties>
+ <defaultValue>main</defaultValue>
+ </leafNode>
+ <tagNode name="proposal">
+ <properties>
+ <help>IKE proposal</help>
+ <valueHelp>
+ <format>u32:1-65535</format>
+ <description>IKE group proposal</description>
+ </valueHelp>
+ </properties>
+ <children>
+ <leafNode name="dh-group">
+ <properties>
+ <help>dh-grouphelp</help>
+ <completionHelp>
+ <list>1 2 5 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32</list>
+ </completionHelp>
+ <valueHelp>
+ <format>1</format>
+ <description>Diffie-Hellman group 1 (modp768)</description>
+ </valueHelp>
+ <valueHelp>
+ <format>2</format>
+ <description>Diffie-Hellman group 2 (modp1024)</description>
+ </valueHelp>
+ <valueHelp>
+ <format>5</format>
+ <description>Diffie-Hellman group 5 (modp1536)</description>
+ </valueHelp>
+ <valueHelp>
+ <format>14</format>
+ <description>Diffie-Hellman group 14 (modp2048)</description>
+ </valueHelp>
+ <valueHelp>
+ <format>15</format>
+ <description>Diffie-Hellman group 15 (modp3072)</description>
+ </valueHelp>
+ <valueHelp>
+ <format>16</format>
+ <description>Diffie-Hellman group 16 (modp4096)</description>
+ </valueHelp>
+ <valueHelp>
+ <format>17</format>
+ <description>Diffie-Hellman group 17 (modp6144)</description>
+ </valueHelp>
+ <valueHelp>
+ <format>18</format>
+ <description>Diffie-Hellman group 18 (modp8192)</description>
+ </valueHelp>
+ <valueHelp>
+ <format>19</format>
+ <description>Diffie-Hellman group 19 (ecp256)</description>
+ </valueHelp>
+ <valueHelp>
+ <format>20</format>
+ <description>Diffie-Hellman group 20 (ecp384)</description>
+ </valueHelp>
+ <valueHelp>
+ <format>21</format>
+ <description>Diffie-Hellman group 21 (ecp521)</description>
+ </valueHelp>
+ <valueHelp>
+ <format>22</format>
+ <description>Diffie-Hellman group 22 (modp1024s160)</description>
+ </valueHelp>
+ <valueHelp>
+ <format>23</format>
+ <description>Diffie-Hellman group 23 (modp2048s224)</description>
+ </valueHelp>
+ <valueHelp>
+ <format>24</format>
+ <description>Diffie-Hellman group 24 (modp2048s256)</description>
+ </valueHelp>
+ <valueHelp>
+ <format>25</format>
+ <description>Diffie-Hellman group 25 (ecp192)</description>
+ </valueHelp>
+ <valueHelp>
+ <format>26</format>
+ <description>Diffie-Hellman group 26 (ecp224)</description>
+ </valueHelp>
+ <valueHelp>
+ <format>27</format>
+ <description>Diffie-Hellman group 27 (ecp224bp)</description>
+ </valueHelp>
+ <valueHelp>
+ <format>28</format>
+ <description>Diffie-Hellman group 28 (ecp256bp)</description>
+ </valueHelp>
+ <valueHelp>
+ <format>29</format>
+ <description>Diffie-Hellman group 29 (ecp384bp)</description>
+ </valueHelp>
+ <valueHelp>
+ <format>30</format>
+ <description>Diffie-Hellman group 30 (ecp512bp)</description>
+ </valueHelp>
+ <valueHelp>
+ <format>31</format>
+ <description>Diffie-Hellman group 31 (curve25519)</description>
+ </valueHelp>
+ <valueHelp>
+ <format>32</format>
+ <description>Diffie-Hellman group 32 (curve448)</description>
+ </valueHelp>
+ <constraint>
+ <regex>(1|2|5|14|15|16|17|18|19|20|21|22|23|24|25|26|27|28|29|30|31|32)</regex>
+ </constraint>
+ </properties>
+ <defaultValue>2</defaultValue>
+ </leafNode>
+ <leafNode name="prf">
+ <properties>
+ <help>Pseudo-Random Functions</help>
+ <completionHelp>
+ <list>prfmd5 prfsha1 prfaesxcbc prfaescmac prfsha256 prfsha384 prfsha512</list>
+ </completionHelp>
+ <valueHelp>
+ <format>prfmd5</format>
+ <description>MD5 PRF</description>
+ </valueHelp>
+ <valueHelp>
+ <format>prfsha1</format>
+ <description>SHA1 PRF</description>
+ </valueHelp>
+ <valueHelp>
+ <format>prfaesxcbc</format>
+ <description>AES XCBC PRF</description>
+ </valueHelp>
+ <valueHelp>
+ <format>prfaescmac</format>
+ <description>AES CMAC PRF</description>
+ </valueHelp>
+ <valueHelp>
+ <format>prfsha256</format>
+ <description>SHA2_256 PRF</description>
+ </valueHelp>
+ <valueHelp>
+ <format>prfsha384</format>
+ <description>SHA2_384 PRF</description>
+ </valueHelp>
+ <valueHelp>
+ <format>prfsha512</format>
+ <description>SHA2_512 PRF</description>
+ </valueHelp>
+ <constraint>
+ <regex>(prfmd5|prfsha1|prfaesxcbc|prfaescmac|prfsha256|prfsha384|prfsha512)</regex>
+ </constraint>
+ </properties>
+ </leafNode>
+ #include <include/vpn-ipsec-encryption.xml.i>
+ #include <include/vpn-ipsec-hash.xml.i>
+ </children>
+ </tagNode>
+ </children>
+ </tagNode>
+ #include <include/generic-interface-multi.xml.i>
+ <node name="log">
+ <properties>
+ <help>IPsec logging</help>
+ </properties>
+ <children>
+ <leafNode name="level">
+ <properties>
+ <help>Global IPsec logging Level</help>
+ <valueHelp>
+ <format>0</format>
+ <description>Very basic auditing logs (e.g., SA up/SA down)</description>
+ </valueHelp>
+ <valueHelp>
+ <format>1</format>
+ <description>Generic control flow with errors, a good default to see whats going on</description>
+ </valueHelp>
+ <valueHelp>
+ <format>2</format>
+ <description>More detailed debugging control flow</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 0-2"/>
+ </constraint>
+ </properties>
+ <defaultValue>0</defaultValue>
+ </leafNode>
+ <leafNode name="subsystem">
+ <properties>
+ <help>Subsystem logging levels</help>
+ <completionHelp>
+ <list>dmn mgr ike chd job cfg knl net asn enc lib esp tls tnc imc imv pts any</list>
+ </completionHelp>
+ <valueHelp>
+ <format>dmn</format>
+ <description>Main daemon setup/cleanup/signal handling</description>
+ </valueHelp>
+ <valueHelp>
+ <format>mgr</format>
+ <description>IKE_SA manager, handling synchronization for IKE_SA access</description>
+ </valueHelp>
+ <valueHelp>
+ <format>ike</format>
+ <description>IKE_SA/ISAKMP SA</description>
+ </valueHelp>
+ <valueHelp>
+ <format>chd</format>
+ <description>CHILD_SA/IPsec SA</description>
+ </valueHelp>
+ <valueHelp>
+ <format>job</format>
+ <description>Jobs queuing/processing and thread pool management</description>
+ </valueHelp>
+ <valueHelp>
+ <format>cfg</format>
+ <description>Configuration management and plugins</description>
+ </valueHelp>
+ <valueHelp>
+ <format>knl</format>
+ <description>IPsec/Networking kernel interface</description>
+ </valueHelp>
+ <valueHelp>
+ <format>net</format>
+ <description>IKE network communication</description>
+ </valueHelp>
+ <valueHelp>
+ <format>asn</format>
+ <description>Low-level encoding/decoding (ASN.1, X.509 etc.)</description>
+ </valueHelp>
+ <valueHelp>
+ <format>enc</format>
+ <description>Packet encoding/decoding encryption/decryption operations</description>
+ </valueHelp>
+ <valueHelp>
+ <format>lib</format>
+ <description>libstrongswan library messages</description>
+ </valueHelp>
+ <valueHelp>
+ <format>esp</format>
+ <description>libipsec library messages</description>
+ </valueHelp>
+ <valueHelp>
+ <format>tls</format>
+ <description> libtls library messages</description>
+ </valueHelp>
+ <valueHelp>
+ <format>tnc</format>
+ <description>Trusted Network Connect</description>
+ </valueHelp>
+ <valueHelp>
+ <format>imc</format>
+ <description>Integrity Measurement Collector</description>
+ </valueHelp>
+ <valueHelp>
+ <format>imv</format>
+ <description>Integrity Measurement Verifier</description>
+ </valueHelp>
+ <valueHelp>
+ <format>pts</format>
+ <description> Platform Trust Service</description>
+ </valueHelp>
+ <valueHelp>
+ <format>any</format>
+ <description>Any subsystem</description>
+ </valueHelp>
+ <constraint>
+ <regex>(dmn|mgr|ike|chd|job|cfg|knl|net|asn|enc|lib|esp|tls|tnc|imc|imv|pts|any)</regex>
+ </constraint>
+ <multi/>
+ </properties>
+ </leafNode>
+ </children>
+ </node>
+ <node name="options">
+ <properties>
+ <help>Global IPsec settings</help>
+ </properties>
+ <children>
+ <leafNode name="disable-route-autoinstall">
+ <properties>
+ <help>Do not automatically install routes to remote networks</help>
+ <valueless/>
+ </properties>
+ </leafNode>
+ <leafNode name="flexvpn">
+ <properties>
+ <help>Allow FlexVPN vendor ID payload (IKEv2 only)</help>
+ <valueless/>
+ </properties>
+ </leafNode>
+ #include <include/generic-interface.xml.i>
+ <leafNode name="virtual-ip">
+ <properties>
+ <help>Allow install virtual-ip addresses</help>
+ <valueless/>
+ </properties>
+ </leafNode>
+ </children>
+ </node>
+ <tagNode name="profile">
+ <properties>
+ <help>VPN IPsec profile</help>
+ <valueHelp>
+ <format>txt</format>
+ <description>Profile name</description>
+ </valueHelp>
+ <constraint>
+ <regex>[a-zA-Z][0-9a-zA-Z_-]+</regex>
+ </constraint>
+ <constraintErrorMessage>Profile name must be alphanumeric and can contain hyphen(s) and underscore(s)</constraintErrorMessage>
+ </properties>
+ <children>
+ #include <include/generic-disable-node.xml.i>
+ <node name="authentication">
+ <properties>
+ <help>Authentication</help>
+ </properties>
+ <children>
+ <leafNode name="mode">
+ <properties>
+ <help>Authentication mode</help>
+ <completionHelp>
+ <list>pre-shared-secret</list>
+ </completionHelp>
+ <valueHelp>
+ <format>pre-shared-secret</format>
+ <description>Use a pre-shared secret key</description>
+ </valueHelp>
+ </properties>
+ </leafNode>
+ #include <include/ipsec/authentication-pre-shared-secret.xml.i>
+ </children>
+ </node>
+ <node name="bind">
+ <properties>
+ <help>DMVPN tunnel configuration</help>
+ </properties>
+ <children>
+ <leafNode name="tunnel">
+ <properties>
+ <help>Tunnel interface associated with this profile</help>
+ <completionHelp>
+ <path>interfaces tunnel</path>
+ </completionHelp>
+ <valueHelp>
+ <format>txt</format>
+ <description>Associated interface to this profile</description>
+ </valueHelp>
+ <multi/>
+ </properties>
+ </leafNode>
+ </children>
+ </node>
+ #include <include/ipsec/esp-group.xml.i>
+ #include <include/ipsec/ike-group.xml.i>
+ </children>
+ </tagNode>
+ <node name="remote-access">
+ <properties>
+ <help>IKEv2 remote access VPN</help>
+ </properties>
+ <children>
+ <tagNode name="connection">
+ <properties>
+ <help>IKEv2 VPN connection name</help>
+ <valueHelp>
+ <format>txt</format>
+ <description>Connection name</description>
+ </valueHelp>
+ <constraint>
+ <regex>[a-zA-Z][0-9a-zA-Z_-]+</regex>
+ </constraint>
+ <constraintErrorMessage>Profile name must be alphanumeric and can contain hyphen(s) and underscore(s)</constraintErrorMessage>
+ </properties>
+ <children>
+ <node name="authentication">
+ <properties>
+ <help>Authentication for remote access</help>
+ </properties>
+ <children>
+ #include <include/ipsec/authentication-id.xml.i>
+ #include <include/ipsec/authentication-x509.xml.i>
+ <leafNode name="client-mode">
+ <properties>
+ <help>Client authentication mode</help>
+ <completionHelp>
+ <list>x509 eap-tls eap-mschapv2 eap-radius</list>
+ </completionHelp>
+ <valueHelp>
+ <format>x509</format>
+ <description>Use IPsec x.509 certificate authentication</description>
+ </valueHelp>
+ <valueHelp>
+ <format>eap-tls</format>
+ <description>Use EAP-TLS authentication</description>
+ </valueHelp>
+ <valueHelp>
+ <format>eap-mschapv2</format>
+ <description>Use EAP-MSCHAPv2 authentication</description>
+ </valueHelp>
+ <valueHelp>
+ <format>eap-radius</format>
+ <description>Use EAP-RADIUS authentication</description>
+ </valueHelp>
+ <constraint>
+ <regex>(x509|eap-tls|eap-mschapv2|eap-radius)</regex>
+ </constraint>
+ </properties>
+ <defaultValue>eap-mschapv2</defaultValue>
+ </leafNode>
+ #include <include/auth-local-users.xml.i>
+ <leafNode name="server-mode">
+ <properties>
+ <help>Server authentication mode</help>
+ <completionHelp>
+ <list>pre-shared-secret x509</list>
+ </completionHelp>
+ <valueHelp>
+ <format>pre-shared-secret</format>
+ <description>Use a pre-shared secret key</description>
+ </valueHelp>
+ <valueHelp>
+ <format>x509</format>
+ <description>Use x.509 certificate</description>
+ </valueHelp>
+ <constraint>
+ <regex>(pre-shared-secret|x509)</regex>
+ </constraint>
+ </properties>
+ <defaultValue>x509</defaultValue>
+ </leafNode>
+ #include <include/ipsec/authentication-pre-shared-secret.xml.i>
+ </children>
+ </node>
+ #include <include/generic-description.xml.i>
+ #include <include/generic-disable-node.xml.i>
+ #include <include/ipsec/esp-group.xml.i>
+ #include <include/ipsec/ike-group.xml.i>
+ #include <include/ipsec/local-address.xml.i>
+ #include <include/ipsec/local-traffic-selector.xml.i>
+ #include <include/ipsec/replay-window.xml.i>
+ <leafNode name="timeout">
+ <properties>
+ <help>Timeout to close connection if no data is transmitted</help>
+ <valueHelp>
+ <format>u32:0</format>
+ <description>Disable inactivity checks</description>
+ </valueHelp>
+ <valueHelp>
+ <format>u32:1-86400</format>
+ <description>Timeout in seconds</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 0-86400"/>
+ </constraint>
+ </properties>
+ <defaultValue>28800</defaultValue>
+ </leafNode>
+ <leafNode name="pool">
+ <properties>
+ <help>IP address pool</help>
+ <completionHelp>
+ <path>vpn ipsec remote-access pool</path>
+ <list>dhcp radius</list>
+ </completionHelp>
+ <valueHelp>
+ <format>txt</format>
+ <description>Predefined IP pool name</description>
+ </valueHelp>
+ <valueHelp>
+ <format>dhcp</format>
+ <description>Forward requests for virtual IP addresses to a DHCP server</description>
+ </valueHelp>
+ <valueHelp>
+ <format>radius</format>
+ <description>Forward requests for virtual IP addresses to a RADIUS server</description>
+ </valueHelp>
+ <multi/>
+ </properties>
+ </leafNode>
+ <leafNode name="unique">
+ <properties>
+ <help>Connection uniqueness enforcement policy</help>
+ <completionHelp>
+ <list>never keep replace</list>
+ </completionHelp>
+ <valueHelp>
+ <format>never</format>
+ <description>Never enforce connection uniqueness</description>
+ </valueHelp>
+ <valueHelp>
+ <format>keep</format>
+ <description>Reject new connection attempts if the same user already has an active connection</description>
+ </valueHelp>
+ <valueHelp>
+ <format>replace</format>
+ <description>Delete any existing connection if a new one for the same user gets established</description>
+ </valueHelp>
+ <constraint>
+ <regex>(never|keep|replace)</regex>
+ </constraint>
+ </properties>
+ </leafNode>
+ </children>
+ </tagNode>
+ <node name="dhcp">
+ <properties>
+ <help>DHCP pool options for remote access</help>
+ </properties>
+ <children>
+ #include <include/generic-interface.xml.i>
+ <leafNode name="server">
+ <properties>
+ <help>DHCP server address</help>
+ <valueHelp>
+ <format>ipv4</format>
+ <description>DHCP server IPv4 address</description>
+ </valueHelp>
+ <constraint>
+ <validator name="ipv4-address"/>
+ </constraint>
+ </properties>
+ </leafNode>
+ </children>
+ </node>
+ <tagNode name="pool">
+ <properties>
+ <help>IP address pool for remote access users</help>
+ </properties>
+ <children>
+ <leafNode name="exclude">
+ <properties>
+ <help>Local IPv4 or IPv6 pool prefix exclusions</help>
+ <valueHelp>
+ <format>ipv4net</format>
+ <description>Local IPv4 pool prefix exclusion</description>
+ </valueHelp>
+ <valueHelp>
+ <format>ipv6net</format>
+ <description>Local IPv6 pool prefix exclusion</description>
+ </valueHelp>
+ <constraint>
+ <validator name="ipv4-prefix"/>
+ <validator name="ipv6-prefix"/>
+ </constraint>
+ <multi/>
+ </properties>
+ </leafNode>
+ <leafNode name="prefix">
+ <properties>
+ <help>Local IPv4 or IPv6 pool prefix</help>
+ <valueHelp>
+ <format>ipv4net</format>
+ <description>Local IPv4 pool prefix</description>
+ </valueHelp>
+ <valueHelp>
+ <format>ipv6net</format>
+ <description>Local IPv6 pool prefix</description>
+ </valueHelp>
+ <constraint>
+ <validator name="ipv4-prefix"/>
+ <validator name="ipv6-prefix"/>
+ </constraint>
+ </properties>
+ </leafNode>
+ #include <include/name-server-ipv4-ipv6.xml.i>
+ </children>
+ </tagNode>
+ #include <include/radius-auth-server-ipv4.xml.i>
+ <node name="radius">
+ <children>
+ #include <include/radius-nas-identifier.xml.i>
+ #include <include/radius-timeout.xml.i>
+ <tagNode name="server">
+ <children>
+ #include <include/accel-ppp/radius-additions-disable-accounting.xml.i>
+ </children>
+ </tagNode>
+ </children>
+ </node>
+ </children>
+ </node>
+ <node name="site-to-site">
+ <properties>
+ <help>Site-to-site VPN</help>
+ </properties>
+ <children>
+ <tagNode name="peer">
+ <properties>
+ <help>Connection name of the peer</help>
+ <valueHelp>
+ <format>txt</format>
+ <description>Connection name of the peer</description>
+ </valueHelp>
+ <constraint>
+ <regex>[-_a-zA-Z0-9|@]+</regex>
+ </constraint>
+ <constraintErrorMessage>Peer connection name must be alphanumeric and can contain hyphen and underscores</constraintErrorMessage>
+ </properties>
+ <children>
+ #include <include/generic-disable-node.xml.i>
+ <node name="authentication">
+ <properties>
+ <help>Peer authentication</help>
+ </properties>
+ <children>
+ #include <include/ipsec/authentication-id.xml.i>
+ #include <include/ipsec/authentication-rsa.xml.i>
+ #include <include/ipsec/authentication-x509.xml.i>
+ <leafNode name="mode">
+ <properties>
+ <help>Authentication mode</help>
+ <completionHelp>
+ <list>pre-shared-secret rsa x509</list>
+ </completionHelp>
+ <valueHelp>
+ <format>pre-shared-secret</format>
+ <description>Use pre-shared secret key</description>
+ </valueHelp>
+ <valueHelp>
+ <format>rsa</format>
+ <description>Use RSA key</description>
+ </valueHelp>
+ <valueHelp>
+ <format>x509</format>
+ <description>Use x.509 certificate</description>
+ </valueHelp>
+ <constraint>
+ <regex>(pre-shared-secret|rsa|x509)</regex>
+ </constraint>
+ </properties>
+ </leafNode>
+ <leafNode name="remote-id">
+ <properties>
+ <help>ID for remote authentication</help>
+ <valueHelp>
+ <format>txt</format>
+ <description>ID used for peer authentication</description>
+ </valueHelp>
+ </properties>
+ <defaultValue>%any</defaultValue>
+ </leafNode>
+ <leafNode name="use-x509-id">
+ <properties>
+ <help>Use certificate common name as ID</help>
+ <valueless/>
+ </properties>
+ </leafNode>
+ </children>
+ </node>
+ <leafNode name="connection-type">
+ <properties>
+ <help>Connection type</help>
+ <completionHelp>
+ <list>initiate respond none</list>
+ </completionHelp>
+ <valueHelp>
+ <format>initiate</format>
+ <description>Bring the connection up immediately</description>
+ </valueHelp>
+ <valueHelp>
+ <format>respond</format>
+ <description>Wait for the peer to initiate the connection</description>
+ </valueHelp>
+ <valueHelp>
+ <format>none</format>
+ <description>Load the connection only</description>
+ </valueHelp>
+ <constraint>
+ <regex>(initiate|respond|none)</regex>
+ </constraint>
+ </properties>
+ </leafNode>
+ <leafNode name="default-esp-group">
+ <properties>
+ <help>Defult ESP group name</help>
+ <completionHelp>
+ <path>vpn ipsec esp-group</path>
+ </completionHelp>
+ </properties>
+ </leafNode>
+ #include <include/generic-description.xml.i>
+ #include <include/dhcp-interface.xml.i>
+ <leafNode name="force-udp-encapsulation">
+ <properties>
+ <help>Force UDP encapsulation</help>
+ <valueless/>
+ </properties>
+ </leafNode>
+ #include <include/ipsec/ike-group.xml.i>
+ <leafNode name="ikev2-reauth">
+ <properties>
+ <help>Re-authentication of the remote peer during an IKE re-key (IKEv2 only)</help>
+ <completionHelp>
+ <list>yes no inherit</list>
+ </completionHelp>
+ <valueHelp>
+ <format>yes</format>
+ <description>Enable remote host re-autentication during an IKE re-key. Currently broken due to a strong swan bug</description>
+ </valueHelp>
+ <valueHelp>
+ <format>no</format>
+ <description>Disable remote host re-authenticaton during an IKE re-key.</description>
+ </valueHelp>
+ <valueHelp>
+ <format>inherit</format>
+ <description>Inherit the reauth configuration form your IKE-group</description>
+ </valueHelp>
+ <constraint>
+ <regex>(yes|no|inherit)</regex>
+ </constraint>
+ </properties>
+ </leafNode>
+ #include <include/ipsec/local-address.xml.i>
+ #include <include/ipsec/remote-address.xml.i>
+ #include <include/ipsec/replay-window.xml.i>
+ <tagNode name="tunnel">
+ <properties>
+ <help>Peer tunnel</help>
+ <valueHelp>
+ <format>u32</format>
+ <description>Peer tunnel</description>
+ </valueHelp>
+ </properties>
+ <children>
+ #include <include/generic-disable-node.xml.i>
+ #include <include/ipsec/esp-group.xml.i>
+ #include <include/ipsec/local-traffic-selector.xml.i>
+ #include <include/ip-protocol.xml.i>
+ <leafNode name="priority">
+ <properties>
+ <help>Priority for IPsec policy (lowest value more preferable)</help>
+ <valueHelp>
+ <format>u32:1-100</format>
+ <description>Priority for IPsec policy (lowest value more preferable)</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 1-100"/>
+ </constraint>
+ </properties>
+ </leafNode>
+ <node name="remote">
+ <properties>
+ <help>Match remote addresses</help>
+ </properties>
+ <children>
+ #include <include/port-number.xml.i>
+ <leafNode name="prefix">
+ <properties>
+ <help>Remote IPv4 or IPv6 prefix</help>
+ <valueHelp>
+ <format>ipv4net</format>
+ <description>Remote IPv4 prefix</description>
+ </valueHelp>
+ <valueHelp>
+ <format>ipv6net</format>
+ <description>Remote IPv6 prefix</description>
+ </valueHelp>
+ <constraint>
+ <validator name="ipv4-prefix"/>
+ <validator name="ipv6-prefix"/>
+ </constraint>
+ <multi/>
+ </properties>
+ </leafNode>
+ </children>
+ </node>
+ </children>
+ </tagNode>
+ <leafNode name="virtual-address">
+ <properties>
+ <help>Initiator request virtual-address from peer</help>
+ <valueHelp>
+ <format>ipv4</format>
+ <description>Request IPv4 address from peer</description>
+ </valueHelp>
+ <valueHelp>
+ <format>ipv6</format>
+ <description>Request IPv6 address from peer</description>
+ </valueHelp>
+ <multi/>
+ </properties>
+ </leafNode>
+ <node name="vti">
+ <properties>
+ <help>Virtual tunnel interface</help>
+ </properties>
+ <children>
+ <leafNode name="bind">
+ <properties>
+ <help>VTI tunnel interface associated with this configuration</help>
+ <completionHelp>
+ <path>interfaces vti</path>
+ </completionHelp>
+ </properties>
+ </leafNode>
+ #include <include/ipsec/esp-group.xml.i>
+ </children>
+ </node>
+ </children>
+ </tagNode>
+ </children>
+ </node>
+ </children>
+ </node>
+ </children>
+ </node>
+</interfaceDefinition>