summaryrefslogtreecommitdiff
path: root/interface-definitions/vpn_ipsec.xml.in
diff options
context:
space:
mode:
Diffstat (limited to 'interface-definitions/vpn_ipsec.xml.in')
-rw-r--r--interface-definitions/vpn_ipsec.xml.in157
1 files changed, 77 insertions, 80 deletions
diff --git a/interface-definitions/vpn_ipsec.xml.in b/interface-definitions/vpn_ipsec.xml.in
index 164ba6618..0c2205410 100644
--- a/interface-definitions/vpn_ipsec.xml.in
+++ b/interface-definitions/vpn_ipsec.xml.in
@@ -13,13 +13,13 @@
<children>
<leafNode name="disable-uniqreqids">
<properties>
- <help>Option to disable requirement for unique IDs in the Security Database</help>
+ <help>Disable requirement for unique IDs in the Security Database</help>
<valueless/>
</properties>
</leafNode>
<tagNode name="esp-group">
<properties>
- <help>Name of Encapsulating Security Payload (ESP) group</help>
+ <help>Encapsulated Security Payload (ESP) group name</help>
</properties>
<children>
<leafNode name="compression">
@@ -47,7 +47,7 @@
<help>ESP lifetime</help>
<valueHelp>
<format>u32:30-86400</format>
- <description>ESP lifetime in seconds (default 3600)</description>
+ <description>ESP lifetime in seconds (default: 3600)</description>
</valueHelp>
<constraint>
<validator name="numeric" argument="--range 30-86400"/>
@@ -83,7 +83,7 @@
</completionHelp>
<valueHelp>
<format>enable</format>
- <description>Inherit Diffie-Hellman group from IKE group - default</description>
+ <description>Inherit Diffie-Hellman group from the IKE group (default)</description>
</valueHelp>
<valueHelp>
<format>dh-group1</format>
@@ -185,10 +185,10 @@
</leafNode>
<tagNode name="proposal">
<properties>
- <help>ESP-group proposal [REQUIRED]</help>
+ <help>ESP group proposal [REQUIRED]</help>
<valueHelp>
<format>u32:1-65535</format>
- <description>ESP-group proposal number</description>
+ <description>ESP group proposal number</description>
</valueHelp>
</properties>
<children>
@@ -200,30 +200,30 @@
</tagNode>
<tagNode name="ike-group">
<properties>
- <help>Name of Internet Key Exchange (IKE) group</help>
+ <help>Internet Key Exchange (IKE) group name</help>
</properties>
<children>
<leafNode name="close-action">
<properties>
- <help>close-action_help</help>
+ <help>Action to take if a child SA is unexpectedly closed</help>
<completionHelp>
<list>none hold clear restart</list>
</completionHelp>
<valueHelp>
<format>none</format>
- <description>Set action to none (default)</description>
+ <description>Do nothing (default)</description>
</valueHelp>
<valueHelp>
<format>hold</format>
- <description>Set action to hold</description>
+ <description>Attempt to re-negotiate when matching traffic is seen</description>
</valueHelp>
<valueHelp>
<format>clear</format>
- <description>Set action to clear</description>
+ <description>Remove the connection immediately</description>
</valueHelp>
<valueHelp>
<format>restart</format>
- <description>Set action to restart</description>
+ <description>Attempt to re-negotiate the connection immediately</description>
</valueHelp>
<constraint>
<regex>^(none|hold|clear|restart)$</regex>
@@ -243,15 +243,15 @@
</completionHelp>
<valueHelp>
<format>hold</format>
- <description>Set action to hold (default)</description>
+ <description>Attempt to re-negotiate the connection when matching traffic is seen (default)</description>
</valueHelp>
<valueHelp>
<format>clear</format>
- <description>Set action to clear</description>
+ <description>Remove the connection immediately</description>
</valueHelp>
<valueHelp>
<format>restart</format>
- <description>Set action to restart</description>
+ <description>Attempt to re-negotiate the connection immediately</description>
</valueHelp>
<constraint>
<regex>^(hold|clear|restart)$</regex>
@@ -263,7 +263,7 @@
<help>Keep-alive interval</help>
<valueHelp>
<format>u32:2-86400</format>
- <description>Keep-alive interval in seconds (default 30)</description>
+ <description>Keep-alive interval in seconds (default: 30)</description>
</valueHelp>
<constraint>
<validator name="numeric" argument="--range 2-86400"/>
@@ -272,7 +272,7 @@
</leafNode>
<leafNode name="timeout">
<properties>
- <help>Dead-Peer-Detection keep-alive timeout (IKEv1 only)</help>
+ <help>Dead Peer Detection keep-alive timeout (IKEv1 only)</help>
<valueHelp>
<format>u32:2-86400</format>
<description>Keep-alive timeout in seconds (default 120)</description>
@@ -296,7 +296,7 @@
</valueHelp>
<valueHelp>
<format>no</format>
- <description>Disable remote host re-authenticaton during an IKE rekey. (Default)</description>
+ <description>Disable remote host re-authenticaton during an IKE rekey. (default)</description>
</valueHelp>
<constraint>
<regex>^(yes|no)$</regex>
@@ -305,17 +305,17 @@
</leafNode>
<leafNode name="key-exchange">
<properties>
- <help>Key Exchange Version</help>
+ <help>IKE version</help>
<completionHelp>
<list>ikev1 ikev2</list>
</completionHelp>
<valueHelp>
<format>ikev1</format>
- <description>Use IKEv1 for Key Exchange [DEFAULT]</description>
+ <description>Use IKEv1 for key exchange [DEFAULT]</description>
</valueHelp>
<valueHelp>
<format>ikev2</format>
- <description>Use IKEv2 for Key Exchange</description>
+ <description>Use IKEv2 for key exchange</description>
</valueHelp>
<constraint>
<regex>^(ikev1|ikev2)$</regex>
@@ -327,7 +327,7 @@
<help>IKE lifetime</help>
<valueHelp>
<format>u32:30-86400</format>
- <description>IKE lifetime in seconds (default 28800)</description>
+ <description>IKE lifetime in seconds (default: 28800)</description>
</valueHelp>
<constraint>
<validator name="numeric" argument="--range 30-86400"/>
@@ -337,7 +337,7 @@
</leafNode>
<leafNode name="mobike">
<properties>
- <help>Enable MOBIKE Support. MOBIKE is only available for IKEv2.</help>
+ <help>Enable MOBIKE Support (IKEv2 only)</help>
<completionHelp>
<list>enable disable</list>
</completionHelp>
@@ -356,17 +356,17 @@
</leafNode>
<leafNode name="mode">
<properties>
- <help>IKEv1 Phase 1 Mode Selection</help>
+ <help>IKEv1 phase 1 mode selection</help>
<completionHelp>
<list>main aggressive</list>
</completionHelp>
<valueHelp>
<format>main</format>
- <description>Use Main mode for Key Exchanges in the IKEv1 Protocol (Recommended Default)</description>
+ <description>Use the main mode (recommended, default)</description>
</valueHelp>
<valueHelp>
<format>aggressive</format>
- <description>Use Aggressive mode for Key Exchanges in the IKEv1 protocol - We do not recommend users to use aggressive mode as it is much more insecure compared to Main mode.</description>
+ <description>Use the aggressive mode (insecure, not recommended)</description>
</valueHelp>
<constraint>
<regex>^(main|aggressive)$</regex>
@@ -375,10 +375,10 @@
</leafNode>
<tagNode name="proposal">
<properties>
- <help>proposal_help</help>
+ <help>IKE proposal</help>
<valueHelp>
<format>u32:1-65535</format>
- <description>IKE-group proposal</description>
+ <description>IKE group proposal</description>
</valueHelp>
</properties>
<children>
@@ -490,23 +490,15 @@
</tagNode>
<leafNode name="include-ipsec-conf">
<properties>
- <help>Sets to include an additional configuration directive file for strongSwan. Use an absolute path to specify the included file</help>
+ <help>Absolute path to specify a strongSwan config include file</help>
</properties>
</leafNode>
<leafNode name="include-ipsec-secrets">
<properties>
- <help>Sets to include an additional secrets file for strongSwan. Use an absolute path to specify the included file.</help>
- </properties>
- </leafNode>
- <leafNode name="interface">
- <properties>
- <help>Onterface used for IPsec communication</help>
- <completionHelp>
- <script>${vyos_completion_dir}/list_interfaces.py</script>
- </completionHelp>
- <multi/>
+ <help>Absolute path to a strongSwan secrets include file</help>
</properties>
</leafNode>
+ #include <include/generic-interface-multi.xml.i>
<node name="log">
<properties>
<help>IPsec logging</help>
@@ -514,17 +506,17 @@
<children>
<leafNode name="level">
<properties>
- <help>strongSwan Logger Level</help>
+ <help>strongSwan logging Level</help>
<valueHelp>
- <format>u32:0</format>
+ <format>0</format>
<description>Very basic auditing logs e.g. SA up/SA down (default)</description>
</valueHelp>
<valueHelp>
- <format>u32:1</format>
+ <format>1</format>
<description>Generic control flow with errors, a good default to see whats going on</description>
</valueHelp>
<valueHelp>
- <format>u32:2</format>
+ <format>2</format>
<description>More detailed debugging control flow</description>
</valueHelp>
<constraint>
@@ -535,7 +527,7 @@
</leafNode>
<leafNode name="subsystem">
<properties>
- <help>Subsystem in the daemon the log comes from</help>
+ <help>Subsystem logging levels</help>
<completionHelp>
<list>dmn mgr ike chd job cfg knl net asn enc lib esp tls tnc imc imv pts any</list>
</completionHelp>
@@ -634,7 +626,7 @@
</node>
<tagNode name="profile">
<properties>
- <help>VPN IPSec Profile</help>
+ <help>VPN IPSec profile</help>
</properties>
<children>
#include <include/generic-disable-node.xml.i>
@@ -651,7 +643,7 @@
</completionHelp>
<valueHelp>
<format>pre-shared-secret</format>
- <description>Use pre shared secret key</description>
+ <description>Use a pre-shared secret key</description>
</valueHelp>
</properties>
</leafNode>
@@ -665,13 +657,13 @@
<children>
<leafNode name="tunnel">
<properties>
- <help>Tunnel interface associated with this configuration profile</help>
+ <help>Tunnel interface associated with this profile</help>
<completionHelp>
<path>interfaces tunnel</path>
</completionHelp>
<valueHelp>
<format>txt</format>
- <description>Associated interface to this configuration profile</description>
+ <description>Associated interface to this profile</description>
</valueHelp>
<multi/>
</properties>
@@ -707,15 +699,15 @@
</completionHelp>
<valueHelp>
<format>eap-tls</format>
- <description>Client uses EAP-TLS authentication</description>
+ <description>Use EAP-TLS authentication</description>
</valueHelp>
<valueHelp>
<format>eap-mschapv2</format>
- <description>Client uses EAP-MSCHAPv2 authentication</description>
+ <description>Use EAP-MSCHAPv2 authentication</description>
</valueHelp>
<valueHelp>
<format>eap-radius</format>
- <description>Client uses EAP-RADIUS authentication</description>
+ <description>Use EAP-RADIUS authentication</description>
</valueHelp>
<constraint>
<regex>^(eap-tls|eap-mschapv2|eap-radius)$</regex>
@@ -732,11 +724,11 @@
</completionHelp>
<valueHelp>
<format>pre-shared-secret</format>
- <description>pre-shared-secret_description</description>
+ <description>Use a pre-shared secret key</description>
</valueHelp>
<valueHelp>
<format>x509</format>
- <description>x509_description</description>
+ <description>Use x.509 certificate</description>
</valueHelp>
<constraint>
<regex>^(pre-shared-secret|x509)$</regex>
@@ -762,7 +754,7 @@
</valueHelp>
<valueHelp>
<format>u32:1-86400</format>
- <description>Timeout in seconds (default 28800)</description>
+ <description>Timeout in seconds (default: 28800)</description>
</valueHelp>
<constraint>
<validator name="numeric" argument="--range 0-86400"/>
@@ -772,14 +764,14 @@
</leafNode>
<leafNode name="pool">
<properties>
- <help>Pool name used for IP address assignments</help>
+ <help>IP address pool</help>
<completionHelp>
<path>vpn ipsec remote-access pool</path>
<list>dhcp radius</list>
</completionHelp>
<valueHelp>
<format>txt</format>
- <description>Name of predefined IP pool</description>
+ <description>Predefined IP pool name</description>
</valueHelp>
<valueHelp>
<format>dhcp</format>
@@ -794,17 +786,17 @@
</leafNode>
<leafNode name="unique">
<properties>
- <help>Connection uniqueness policy to enforce</help>
+ <help>Connection uniqueness enforcement policy</help>
<completionHelp>
<list>never keep replace</list>
</completionHelp>
<valueHelp>
<format>never</format>
- <description>Never enforce connection uniqueness policy</description>
+ <description>Never enforce connection uniqueness</description>
</valueHelp>
<valueHelp>
<format>keep</format>
- <description>Rejects new connection attempts if the same user already has an active connection</description>
+ <description>Reject new connection attempts if the same user already has an active connection</description>
</valueHelp>
<valueHelp>
<format>replace</format>
@@ -819,17 +811,10 @@
</tagNode>
<node name="dhcp">
<properties>
- <help>DHCP pool options for remote-access</help>
+ <help>DHCP pool options for remote access</help>
</properties>
<children>
- <leafNode name="interface">
- <properties>
- <help>Interface with DHCP server to use</help>
- <completionHelp>
- <script>${vyos_completion_dir}/list_interfaces.py</script>
- </completionHelp>
- </properties>
- </leafNode>
+ #include <include/generic-interface.xml.i>
<leafNode name="server">
<properties>
<help>DHCP server address</help>
@@ -846,7 +831,7 @@
</node>
<tagNode name="pool">
<properties>
- <help>IP address pool for remote-access users</help>
+ <help>IP address pool for remote access users</help>
</properties>
<children>
<leafNode name="exclude">
@@ -943,15 +928,15 @@
</completionHelp>
<valueHelp>
<format>pre-shared-secret</format>
- <description>pre-shared-secret_description</description>
+ <description>Use pre-shared secret key</description>
</valueHelp>
<valueHelp>
<format>rsa</format>
- <description>rsa_description</description>
+ <description>Use RSA key</description>
</valueHelp>
<valueHelp>
<format>x509</format>
- <description>x509_description</description>
+ <description>Use x.509 certificate</description>
</valueHelp>
<constraint>
<regex>^(pre-shared-secret|rsa|x509)$</regex>
@@ -984,11 +969,11 @@
</completionHelp>
<valueHelp>
<format>initiate</format>
- <description>initiate_description</description>
+ <description>Bring the connection up immediately</description>
</valueHelp>
<valueHelp>
<format>respond</format>
- <description>respond_description</description>
+ <description>Bring the connection up only if traffic is detected</description>
</valueHelp>
<constraint>
<regex>^(initiate|respond)$</regex>
@@ -1007,17 +992,17 @@
#include <include/dhcp-interface.xml.i>
<leafNode name="force-encapsulation">
<properties>
- <help>Force UDP Encapsulation for ESP Payloads</help>
+ <help>Force UDP Encapsulation for ESP payloads</help>
<completionHelp>
<list>enable disable</list>
</completionHelp>
<valueHelp>
<format>enable</format>
- <description>This endpoint will force UDP encapsulation for this peer</description>
+ <description>Force UDP encapsulation</description>
</valueHelp>
<valueHelp>
<format>disable</format>
- <description>This endpoint will not force UDP encapsulation for this peer</description>
+ <description>Do not force UDP encapsulation</description>
</valueHelp>
<constraint>
<regex>^(enable|disable)$</regex>
@@ -1027,7 +1012,7 @@
#include <include/ipsec/ike-group.xml.i>
<leafNode name="ikev2-reauth">
<properties>
- <help>Re-authentication of the remote peer during an IKE re-key. IKEv2 option only</help>
+ <help>Re-authentication of the remote peer during an IKE re-key (IKEv2 only)</help>
<completionHelp>
<list>yes no inherit</list>
</completionHelp>
@@ -1041,7 +1026,7 @@
</valueHelp>
<valueHelp>
<format>inherit</format>
- <description>Inherit the reauth configuration form your IKE-group (Default)</description>
+ <description>Inherit the reauth configuration form your IKE-group (default)</description>
</valueHelp>
<constraint>
<regex>^(yes|no|inherit)$</regex>
@@ -1062,9 +1047,21 @@
#include <include/ipsec/esp-group.xml.i>
#include <include/ipsec/local-traffic-selector.xml.i>
#include <include/ip-protocol.xml.i>
+ <leafNode name="priority">
+ <properties>
+ <help>Priority for IPSec policy (lowest value more preferable)</help>
+ <valueHelp>
+ <format>u32:1-100</format>
+ <description>Priority for IPSec policy (lowest value more preferable)</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 1-100"/>
+ </constraint>
+ </properties>
+ </leafNode>
<node name="remote">
<properties>
- <help>Remote parameters for interesting traffic</help>
+ <help>Match remote addresses</help>
</properties>
<children>
#include <include/port-number.xml.i>