From c9eaafd9f808aba8d29be73054e11d37577e539a Mon Sep 17 00:00:00 2001
From: Christian Breunig <christian@breunig.cc>
Date: Sat, 30 Dec 2023 23:25:20 +0100
Subject: T5474: establish common file name pattern for XML conf mode commands

We will use _ as CLI level divider. The XML definition filename and also
the Python helper should match the CLI node.

Example:
set interfaces ethernet -> interfaces_ethernet.xml.in
set interfaces bond -> interfaces_bond.xml.in
set service dhcp-server -> service_dhcp-server-xml.in

(cherry picked from commit 4ef110fd2c501b718344c72d495ad7e16d2bd465)
---
 interface-definitions/vpn_ipsec.xml.in | 1194 ++++++++++++++++++++++++++++++++
 1 file changed, 1194 insertions(+)
 create mode 100644 interface-definitions/vpn_ipsec.xml.in

(limited to 'interface-definitions/vpn_ipsec.xml.in')

diff --git a/interface-definitions/vpn_ipsec.xml.in b/interface-definitions/vpn_ipsec.xml.in
new file mode 100644
index 000000000..1847401b5
--- /dev/null
+++ b/interface-definitions/vpn_ipsec.xml.in
@@ -0,0 +1,1194 @@
+<?xml version="1.0"?>
+<interfaceDefinition>
+  <node name="vpn">
+    <properties>
+      <help>Virtual Private Network (VPN)</help>
+    </properties>
+    <children>
+      <node name="ipsec" owner="${vyos_conf_scripts_dir}/vpn_ipsec.py">
+        <properties>
+          <help>VPN IP security (IPsec) parameters</help>
+          <priority>901</priority>
+        </properties>
+        <children>
+          <node name="authentication">
+            <properties>
+              <help>Authentication</help>
+            </properties>
+            <children>
+              <tagNode name="psk">
+                <properties>
+                  <help>Pre-shared key name</help>
+                </properties>
+                <children>
+                  #include <include/dhcp-interface-multi.xml.i>
+                  <leafNode name="id">
+                    <properties>
+                      <help>ID for authentication</help>
+                      <valueHelp>
+                        <format>txt</format>
+                        <description>ID used for authentication</description>
+                      </valueHelp>
+                      <multi/>
+                    </properties>
+                  </leafNode>
+                  <leafNode name="secret">
+                    <properties>
+                      <help>IKE pre-shared secret key</help>
+                      <valueHelp>
+                        <format>txt</format>
+                        <description>IKE pre-shared secret key</description>
+                      </valueHelp>
+                    </properties>
+                  </leafNode>
+                </children>
+              </tagNode>
+            </children>
+          </node>
+          <leafNode name="disable-uniqreqids">
+            <properties>
+              <help>Disable requirement for unique IDs in the Security Database</help>
+              <valueless/>
+            </properties>
+          </leafNode>
+          <tagNode name="esp-group">
+            <properties>
+              <help>Encapsulating Security Payload (ESP) group name</help>
+            </properties>
+            <children>
+              <leafNode name="compression">
+                <properties>
+                  <help>Enable ESP compression</help>
+                  <valueless/>
+                </properties>
+              </leafNode>
+              <leafNode name="lifetime">
+                <properties>
+                  <help>Security Association time to expire</help>
+                  <valueHelp>
+                    <format>u32:30-86400</format>
+                    <description>SA lifetime in seconds</description>
+                  </valueHelp>
+                  <constraint>
+                    <validator name="numeric" argument="--range 30-86400"/>
+                  </constraint>
+                </properties>
+                <defaultValue>3600</defaultValue>
+              </leafNode>
+              <leafNode name="life-bytes">
+                <properties>
+                  <help>Security Association byte count to expire</help>
+                  <valueHelp>
+                    <format>u32:1024-26843545600000</format>
+                    <description>SA life in bytes</description>
+                  </valueHelp>
+                  <constraint>
+                    <validator name="numeric" argument="--range 1024-26843545600000"/>
+                  </constraint>
+                </properties>
+              </leafNode>
+              <leafNode name="life-packets">
+                <properties>
+                  <help>Security Association packet count to expire</help>
+                  <valueHelp>
+                    <format>u32:1000-26843545600000</format>
+                    <description>SA life in packets</description>
+                  </valueHelp>
+                  <constraint>
+                    <validator name="numeric" argument="--range 1000-26843545600000"/>
+                  </constraint>
+                </properties>
+              </leafNode>
+              <leafNode name="mode">
+                <properties>
+                  <help>ESP mode</help>
+                  <completionHelp>
+                    <list>tunnel transport</list>
+                  </completionHelp>
+                  <valueHelp>
+                    <format>tunnel</format>
+                    <description>Tunnel mode</description>
+                  </valueHelp>
+                  <valueHelp>
+                    <format>transport</format>
+                    <description>Transport mode</description>
+                  </valueHelp>
+                  <constraint>
+                    <regex>(tunnel|transport)</regex>
+                  </constraint>
+                </properties>
+                <defaultValue>tunnel</defaultValue>
+              </leafNode>
+              <leafNode name="pfs">
+                <properties>
+                  <help>ESP Perfect Forward Secrecy</help>
+                  <completionHelp>
+                    <list>enable dh-group1 dh-group2 dh-group5 dh-group14 dh-group15 dh-group16 dh-group17 dh-group18 dh-group19 dh-group20 dh-group21 dh-group22 dh-group23 dh-group24 dh-group25 dh-group26 dh-group27 dh-group28 dh-group29 dh-group30 dh-group31 dh-group32 disable</list>
+                  </completionHelp>
+                  <valueHelp>
+                    <format>enable</format>
+                    <description>Inherit Diffie-Hellman group from the IKE group</description>
+                  </valueHelp>
+                  <valueHelp>
+                    <format>dh-group1</format>
+                    <description>Use Diffie-Hellman group 1 (modp768)</description>
+                  </valueHelp>
+                  <valueHelp>
+                    <format>dh-group2</format>
+                    <description>Use Diffie-Hellman group 2 (modp1024)</description>
+                  </valueHelp>
+                  <valueHelp>
+                    <format>dh-group5</format>
+                    <description>Use Diffie-Hellman group 5 (modp1536)</description>
+                  </valueHelp>
+                  <valueHelp>
+                    <format>dh-group14</format>
+                    <description>Use Diffie-Hellman group 14 (modp2048)</description>
+                  </valueHelp>
+                  <valueHelp>
+                    <format>dh-group15</format>
+                    <description>Use Diffie-Hellman group 15 (modp3072)</description>
+                  </valueHelp>
+                  <valueHelp>
+                    <format>dh-group16</format>
+                    <description>Use Diffie-Hellman group 16 (modp4096)</description>
+                  </valueHelp>
+                  <valueHelp>
+                    <format>dh-group17</format>
+                    <description>Use Diffie-Hellman group 17 (modp6144)</description>
+                  </valueHelp>
+                  <valueHelp>
+                    <format>dh-group18</format>
+                    <description>Use Diffie-Hellman group 18 (modp8192)</description>
+                  </valueHelp>
+                  <valueHelp>
+                    <format>dh-group19</format>
+                    <description>Use Diffie-Hellman group 19 (ecp256)</description>
+                  </valueHelp>
+                  <valueHelp>
+                    <format>dh-group20</format>
+                    <description>Use Diffie-Hellman group 20 (ecp384)</description>
+                  </valueHelp>
+                  <valueHelp>
+                    <format>dh-group21</format>
+                    <description>Use Diffie-Hellman group 21 (ecp521)</description>
+                  </valueHelp>
+                  <valueHelp>
+                    <format>dh-group22</format>
+                    <description>Use Diffie-Hellman group 22 (modp1024s160)</description>
+                  </valueHelp>
+                  <valueHelp>
+                    <format>dh-group23</format>
+                    <description>Use Diffie-Hellman group 23 (modp2048s224)</description>
+                  </valueHelp>
+                  <valueHelp>
+                    <format>dh-group24</format>
+                    <description>Use Diffie-Hellman group 24 (modp2048s256)</description>
+                  </valueHelp>
+                  <valueHelp>
+                    <format>dh-group25</format>
+                    <description>Use Diffie-Hellman group 25 (ecp192)</description>
+                  </valueHelp>
+                  <valueHelp>
+                    <format>dh-group26</format>
+                    <description>Use Diffie-Hellman group 26 (ecp224)</description>
+                  </valueHelp>
+                  <valueHelp>
+                    <format>dh-group27</format>
+                    <description>Use Diffie-Hellman group 27 (ecp224bp)</description>
+                  </valueHelp>
+                  <valueHelp>
+                    <format>dh-group28</format>
+                    <description>Use Diffie-Hellman group 28 (ecp256bp)</description>
+                  </valueHelp>
+                  <valueHelp>
+                    <format>dh-group29</format>
+                    <description>Use Diffie-Hellman group 29 (ecp384bp)</description>
+                  </valueHelp>
+                  <valueHelp>
+                    <format>dh-group30</format>
+                    <description>Use Diffie-Hellman group 30 (ecp512bp)</description>
+                  </valueHelp>
+                  <valueHelp>
+                    <format>dh-group31</format>
+                    <description>Use Diffie-Hellman group 31 (curve25519)</description>
+                  </valueHelp>
+                  <valueHelp>
+                    <format>dh-group32</format>
+                    <description>Use Diffie-Hellman group 32 (curve448)</description>
+                  </valueHelp>
+                  <valueHelp>
+                    <format>disable</format>
+                    <description>Disable PFS</description>
+                  </valueHelp>
+                  <constraint>
+                    <regex>(enable|dh-group1|dh-group2|dh-group5|dh-group14|dh-group15|dh-group16|dh-group17|dh-group18|dh-group19|dh-group20|dh-group21|dh-group22|dh-group23|dh-group24|dh-group25|dh-group26|dh-group27|dh-group28|dh-group29|dh-group30|dh-group31|dh-group32|disable)</regex>
+                  </constraint>
+                </properties>
+                <defaultValue>enable</defaultValue>
+              </leafNode>
+              <tagNode name="proposal">
+                <properties>
+                  <help>ESP group proposal</help>
+                  <valueHelp>
+                    <format>u32:1-65535</format>
+                    <description>ESP group proposal number</description>
+                  </valueHelp>
+                </properties>
+                <children>
+                  #include <include/vpn-ipsec-encryption.xml.i>
+                  #include <include/vpn-ipsec-hash.xml.i>
+                </children>
+              </tagNode>
+            </children>
+          </tagNode>
+          <tagNode name="ike-group">
+            <properties>
+              <help>Internet Key Exchange (IKE) group name</help>
+            </properties>
+            <children>
+              <leafNode name="close-action">
+                <properties>
+                  <help>Action to take if a child SA is unexpectedly closed</help>
+                  <completionHelp>
+                    <list>none hold restart</list>
+                  </completionHelp>
+                  <valueHelp>
+                    <format>none</format>
+                    <description>Do nothing</description>
+                  </valueHelp>
+                  <valueHelp>
+                    <format>hold</format>
+                    <description>Attempt to re-negotiate when matching traffic is seen</description>
+                  </valueHelp>
+                  <valueHelp>
+                    <format>restart</format>
+                    <description>Attempt to re-negotiate the connection immediately</description>
+                  </valueHelp>
+                  <constraint>
+                    <regex>(none|hold|restart)</regex>
+                  </constraint>
+                </properties>
+                <defaultValue>none</defaultValue>
+              </leafNode>
+              <node name="dead-peer-detection">
+                <properties>
+                  <help>Dead Peer Detection (DPD)</help>
+                </properties>
+                <children>
+                  <leafNode name="action">
+                    <properties>
+                      <help>Keep-alive failure action</help>
+                      <completionHelp>
+                        <list>hold clear restart</list>
+                      </completionHelp>
+                      <valueHelp>
+                        <format>hold</format>
+                        <description>Attempt to re-negotiate the connection when matching traffic is seen</description>
+                      </valueHelp>
+                      <valueHelp>
+                        <format>clear</format>
+                        <description>Remove the connection immediately</description>
+                      </valueHelp>
+                      <valueHelp>
+                        <format>restart</format>
+                        <description>Attempt to re-negotiate the connection immediately</description>
+                      </valueHelp>
+                      <constraint>
+                        <regex>(hold|clear|restart)</regex>
+                      </constraint>
+                    </properties>
+                    <defaultValue>clear</defaultValue>
+                  </leafNode>
+                  <leafNode name="interval">
+                    <properties>
+                      <help>Keep-alive interval</help>
+                      <valueHelp>
+                        <format>u32:2-86400</format>
+                        <description>Keep-alive interval in seconds</description>
+                      </valueHelp>
+                      <constraint>
+                        <validator name="numeric" argument="--range 2-86400"/>
+                      </constraint>
+                    </properties>
+                    <defaultValue>30</defaultValue>
+                  </leafNode>
+                  <leafNode name="timeout">
+                    <properties>
+                      <help>Dead Peer Detection keep-alive timeout (IKEv1 only)</help>
+                      <valueHelp>
+                        <format>u32:2-86400</format>
+                        <description>Keep-alive timeout in seconds</description>
+                      </valueHelp>
+                      <constraint>
+                        <validator name="numeric" argument="--range 2-86400"/>
+                      </constraint>
+                    </properties>
+                    <defaultValue>120</defaultValue>
+                  </leafNode>
+                </children>
+              </node>
+              <leafNode name="ikev2-reauth">
+                <properties>
+                  <help>Re-authentication of the remote peer during an IKE re-key (IKEv2 only)</help>
+                  <valueless/>
+                </properties>
+              </leafNode>
+              <leafNode name="key-exchange">
+                <properties>
+                  <help>IKE version</help>
+                  <completionHelp>
+                    <list>ikev1 ikev2</list>
+                  </completionHelp>
+                  <valueHelp>
+                    <format>ikev1</format>
+                    <description>Use IKEv1 for key exchange</description>
+                  </valueHelp>
+                  <valueHelp>
+                    <format>ikev2</format>
+                    <description>Use IKEv2 for key exchange</description>
+                  </valueHelp>
+                  <constraint>
+                    <regex>(ikev1|ikev2)</regex>
+                  </constraint>
+                </properties>
+              </leafNode>
+              <leafNode name="lifetime">
+                <properties>
+                  <help>IKE lifetime</help>
+                  <valueHelp>
+                    <format>u32:0-86400</format>
+                    <description>IKE lifetime in seconds</description>
+                  </valueHelp>
+                  <constraint>
+                    <validator name="numeric" argument="--range 0-86400"/>
+                  </constraint>
+                </properties>
+                <defaultValue>28800</defaultValue>
+              </leafNode>
+              <leafNode name="disable-mobike">
+                <properties>
+                  <help>Disable MOBIKE Support (IKEv2 only)</help>
+                  <valueless/>
+                </properties>
+              </leafNode>
+              <leafNode name="mode">
+                <properties>
+                  <help>IKEv1 phase 1 mode</help>
+                  <completionHelp>
+                    <list>main aggressive</list>
+                  </completionHelp>
+                  <valueHelp>
+                    <format>main</format>
+                    <description>Use the main mode (recommended)</description>
+                  </valueHelp>
+                  <valueHelp>
+                    <format>aggressive</format>
+                    <description>Use the aggressive mode (insecure, not recommended)</description>
+                  </valueHelp>
+                  <constraint>
+                    <regex>(main|aggressive)</regex>
+                  </constraint>
+                </properties>
+                <defaultValue>main</defaultValue>
+              </leafNode>
+              <tagNode name="proposal">
+                <properties>
+                  <help>IKE proposal</help>
+                  <valueHelp>
+                    <format>u32:1-65535</format>
+                    <description>IKE group proposal</description>
+                  </valueHelp>
+                </properties>
+                <children>
+                  <leafNode name="dh-group">
+                    <properties>
+                      <help>dh-grouphelp</help>
+                      <completionHelp>
+                        <list>1 2 5 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32</list>
+                      </completionHelp>
+                      <valueHelp>
+                        <format>1</format>
+                        <description>Diffie-Hellman group 1 (modp768)</description>
+                      </valueHelp>
+                      <valueHelp>
+                        <format>2</format>
+                        <description>Diffie-Hellman group 2 (modp1024)</description>
+                      </valueHelp>
+                      <valueHelp>
+                        <format>5</format>
+                        <description>Diffie-Hellman group 5 (modp1536)</description>
+                      </valueHelp>
+                      <valueHelp>
+                        <format>14</format>
+                        <description>Diffie-Hellman group 14 (modp2048)</description>
+                      </valueHelp>
+                      <valueHelp>
+                        <format>15</format>
+                        <description>Diffie-Hellman group 15 (modp3072)</description>
+                      </valueHelp>
+                      <valueHelp>
+                        <format>16</format>
+                        <description>Diffie-Hellman group 16 (modp4096)</description>
+                      </valueHelp>
+                      <valueHelp>
+                        <format>17</format>
+                        <description>Diffie-Hellman group 17 (modp6144)</description>
+                      </valueHelp>
+                      <valueHelp>
+                        <format>18</format>
+                        <description>Diffie-Hellman group 18 (modp8192)</description>
+                      </valueHelp>
+                      <valueHelp>
+                        <format>19</format>
+                        <description>Diffie-Hellman group 19 (ecp256)</description>
+                      </valueHelp>
+                      <valueHelp>
+                        <format>20</format>
+                        <description>Diffie-Hellman group 20 (ecp384)</description>
+                      </valueHelp>
+                      <valueHelp>
+                        <format>21</format>
+                        <description>Diffie-Hellman group 21 (ecp521)</description>
+                      </valueHelp>
+                      <valueHelp>
+                        <format>22</format>
+                        <description>Diffie-Hellman group 22 (modp1024s160)</description>
+                      </valueHelp>
+                      <valueHelp>
+                        <format>23</format>
+                        <description>Diffie-Hellman group 23 (modp2048s224)</description>
+                      </valueHelp>
+                      <valueHelp>
+                        <format>24</format>
+                        <description>Diffie-Hellman group 24 (modp2048s256)</description>
+                      </valueHelp>
+                      <valueHelp>
+                        <format>25</format>
+                        <description>Diffie-Hellman group 25 (ecp192)</description>
+                      </valueHelp>
+                      <valueHelp>
+                        <format>26</format>
+                        <description>Diffie-Hellman group 26 (ecp224)</description>
+                      </valueHelp>
+                      <valueHelp>
+                        <format>27</format>
+                        <description>Diffie-Hellman group 27 (ecp224bp)</description>
+                      </valueHelp>
+                      <valueHelp>
+                        <format>28</format>
+                        <description>Diffie-Hellman group 28 (ecp256bp)</description>
+                      </valueHelp>
+                      <valueHelp>
+                        <format>29</format>
+                        <description>Diffie-Hellman group 29 (ecp384bp)</description>
+                      </valueHelp>
+                      <valueHelp>
+                        <format>30</format>
+                        <description>Diffie-Hellman group 30 (ecp512bp)</description>
+                      </valueHelp>
+                      <valueHelp>
+                        <format>31</format>
+                        <description>Diffie-Hellman group 31 (curve25519)</description>
+                      </valueHelp>
+                      <valueHelp>
+                        <format>32</format>
+                        <description>Diffie-Hellman group 32 (curve448)</description>
+                      </valueHelp>
+                      <constraint>
+                        <regex>(1|2|5|14|15|16|17|18|19|20|21|22|23|24|25|26|27|28|29|30|31|32)</regex>
+                      </constraint>
+                    </properties>
+                    <defaultValue>2</defaultValue>
+                  </leafNode>
+                  <leafNode name="prf">
+                    <properties>
+                      <help>Pseudo-Random Functions</help>
+                      <completionHelp>
+                        <list>prfmd5 prfsha1 prfaesxcbc prfaescmac prfsha256 prfsha384 prfsha512</list>
+                      </completionHelp>
+                      <valueHelp>
+                        <format>prfmd5</format>
+                        <description>MD5 PRF</description>
+                      </valueHelp>
+                      <valueHelp>
+                        <format>prfsha1</format>
+                        <description>SHA1 PRF</description>
+                      </valueHelp>
+                      <valueHelp>
+                        <format>prfaesxcbc</format>
+                        <description>AES XCBC PRF</description>
+                      </valueHelp>
+                      <valueHelp>
+                        <format>prfaescmac</format>
+                        <description>AES CMAC PRF</description>
+                      </valueHelp>
+                      <valueHelp>
+                        <format>prfsha256</format>
+                        <description>SHA2_256 PRF</description>
+                      </valueHelp>
+                      <valueHelp>
+                        <format>prfsha384</format>
+                        <description>SHA2_384 PRF</description>
+                      </valueHelp>
+                      <valueHelp>
+                        <format>prfsha512</format>
+                        <description>SHA2_512 PRF</description>
+                      </valueHelp>
+                      <constraint>
+                        <regex>(prfmd5|prfsha1|prfaesxcbc|prfaescmac|prfsha256|prfsha384|prfsha512)</regex>
+                      </constraint>
+                    </properties>
+                  </leafNode>
+                  #include <include/vpn-ipsec-encryption.xml.i>
+                  #include <include/vpn-ipsec-hash.xml.i>
+                </children>
+              </tagNode>
+            </children>
+          </tagNode>
+          #include <include/generic-interface-multi.xml.i>
+          <node name="log">
+            <properties>
+              <help>IPsec logging</help>
+            </properties>
+            <children>
+              <leafNode name="level">
+                <properties>
+                  <help>Global IPsec logging Level</help>
+                  <valueHelp>
+                    <format>0</format>
+                    <description>Very basic auditing logs (e.g., SA up/SA down)</description>
+                  </valueHelp>
+                  <valueHelp>
+                    <format>1</format>
+                    <description>Generic control flow with errors, a good default to see whats going on</description>
+                  </valueHelp>
+                  <valueHelp>
+                    <format>2</format>
+                    <description>More detailed debugging control flow</description>
+                  </valueHelp>
+                  <constraint>
+                    <validator name="numeric" argument="--range 0-2"/>
+                  </constraint>
+                </properties>
+                <defaultValue>0</defaultValue>
+              </leafNode>
+              <leafNode name="subsystem">
+                <properties>
+                  <help>Subsystem logging levels</help>
+                  <completionHelp>
+                    <list>dmn mgr ike chd job cfg knl net asn enc lib esp tls tnc imc imv pts any</list>
+                  </completionHelp>
+                  <valueHelp>
+                    <format>dmn</format>
+                    <description>Main daemon setup/cleanup/signal handling</description>
+                  </valueHelp>
+                  <valueHelp>
+                    <format>mgr</format>
+                    <description>IKE_SA manager, handling synchronization for IKE_SA access</description>
+                  </valueHelp>
+                  <valueHelp>
+                    <format>ike</format>
+                    <description>IKE_SA/ISAKMP SA</description>
+                  </valueHelp>
+                  <valueHelp>
+                    <format>chd</format>
+                    <description>CHILD_SA/IPsec SA</description>
+                  </valueHelp>
+                  <valueHelp>
+                    <format>job</format>
+                    <description>Jobs queuing/processing and thread pool management</description>
+                  </valueHelp>
+                  <valueHelp>
+                    <format>cfg</format>
+                    <description>Configuration management and plugins</description>
+                  </valueHelp>
+                  <valueHelp>
+                    <format>knl</format>
+                    <description>IPsec/Networking kernel interface</description>
+                  </valueHelp>
+                  <valueHelp>
+                    <format>net</format>
+                    <description>IKE network communication</description>
+                  </valueHelp>
+                  <valueHelp>
+                    <format>asn</format>
+                    <description>Low-level encoding/decoding (ASN.1, X.509 etc.)</description>
+                  </valueHelp>
+                  <valueHelp>
+                    <format>enc</format>
+                    <description>Packet encoding/decoding encryption/decryption operations</description>
+                  </valueHelp>
+                  <valueHelp>
+                    <format>lib</format>
+                    <description>libstrongswan library messages</description>
+                  </valueHelp>
+                  <valueHelp>
+                    <format>esp</format>
+                    <description>libipsec library messages</description>
+                  </valueHelp>
+                  <valueHelp>
+                    <format>tls</format>
+                    <description> libtls library messages</description>
+                  </valueHelp>
+                  <valueHelp>
+                    <format>tnc</format>
+                    <description>Trusted Network Connect</description>
+                  </valueHelp>
+                  <valueHelp>
+                    <format>imc</format>
+                    <description>Integrity Measurement Collector</description>
+                  </valueHelp>
+                  <valueHelp>
+                    <format>imv</format>
+                    <description>Integrity Measurement Verifier</description>
+                  </valueHelp>
+                  <valueHelp>
+                    <format>pts</format>
+                    <description> Platform Trust Service</description>
+                  </valueHelp>
+                  <valueHelp>
+                    <format>any</format>
+                    <description>Any subsystem</description>
+                  </valueHelp>
+                  <constraint>
+                    <regex>(dmn|mgr|ike|chd|job|cfg|knl|net|asn|enc|lib|esp|tls|tnc|imc|imv|pts|any)</regex>
+                  </constraint>
+                  <multi/>
+                </properties>
+              </leafNode>
+            </children>
+          </node>
+          <node name="options">
+            <properties>
+              <help>Global IPsec settings</help>
+            </properties>
+            <children>
+              <leafNode name="disable-route-autoinstall">
+                <properties>
+                  <help>Do not automatically install routes to remote networks</help>
+                  <valueless/>
+                </properties>
+              </leafNode>
+              <leafNode name="flexvpn">
+                <properties>
+                  <help>Allow FlexVPN vendor ID payload (IKEv2 only)</help>
+                  <valueless/>
+                </properties>
+              </leafNode>
+              #include <include/generic-interface.xml.i>
+              <leafNode name="virtual-ip">
+                <properties>
+                  <help>Allow install virtual-ip addresses</help>
+                  <valueless/>
+                </properties>
+              </leafNode>
+            </children>
+          </node>
+          <tagNode name="profile">
+            <properties>
+              <help>VPN IPsec profile</help>
+              <valueHelp>
+                <format>txt</format>
+                <description>Profile name</description>
+              </valueHelp>
+              <constraint>
+                <regex>[a-zA-Z][0-9a-zA-Z_-]+</regex>
+              </constraint>
+              <constraintErrorMessage>Profile name must be alphanumeric and can contain hyphen(s) and underscore(s)</constraintErrorMessage>
+            </properties>
+            <children>
+              #include <include/generic-disable-node.xml.i>
+              <node name="authentication">
+                <properties>
+                  <help>Authentication</help>
+                </properties>
+                <children>
+                  <leafNode name="mode">
+                    <properties>
+                      <help>Authentication mode</help>
+                      <completionHelp>
+                        <list>pre-shared-secret</list>
+                      </completionHelp>
+                      <valueHelp>
+                        <format>pre-shared-secret</format>
+                        <description>Use a pre-shared secret key</description>
+                      </valueHelp>
+                    </properties>
+                  </leafNode>
+                  #include <include/ipsec/authentication-pre-shared-secret.xml.i>
+                </children>
+              </node>
+              <node name="bind">
+                <properties>
+                  <help>DMVPN tunnel configuration</help>
+                </properties>
+                <children>
+                  <leafNode name="tunnel">
+                    <properties>
+                      <help>Tunnel interface associated with this profile</help>
+                      <completionHelp>
+                        <path>interfaces tunnel</path>
+                      </completionHelp>
+                      <valueHelp>
+                        <format>txt</format>
+                        <description>Associated interface to this profile</description>
+                      </valueHelp>
+                      <multi/>
+                    </properties>
+                  </leafNode>
+                </children>
+              </node>
+              #include <include/ipsec/esp-group.xml.i>
+              #include <include/ipsec/ike-group.xml.i>
+            </children>
+          </tagNode>
+          <node name="remote-access">
+            <properties>
+              <help>IKEv2 remote access VPN</help>
+            </properties>
+            <children>
+              <tagNode name="connection">
+                <properties>
+                  <help>IKEv2 VPN connection name</help>
+                  <valueHelp>
+                    <format>txt</format>
+                    <description>Connection name</description>
+                  </valueHelp>
+                  <constraint>
+                    <regex>[a-zA-Z][0-9a-zA-Z_-]+</regex>
+                  </constraint>
+                  <constraintErrorMessage>Profile name must be alphanumeric and can contain hyphen(s) and underscore(s)</constraintErrorMessage>
+                </properties>
+                <children>
+                  <node name="authentication">
+                    <properties>
+                      <help>Authentication for remote access</help>
+                    </properties>
+                    <children>
+                      #include <include/ipsec/authentication-id.xml.i>
+                      #include <include/ipsec/authentication-x509.xml.i>
+                      <leafNode name="client-mode">
+                        <properties>
+                          <help>Client authentication mode</help>
+                          <completionHelp>
+                            <list>x509 eap-tls eap-mschapv2 eap-radius</list>
+                          </completionHelp>
+                          <valueHelp>
+                            <format>x509</format>
+                            <description>Use IPsec x.509 certificate authentication</description>
+                          </valueHelp>
+                          <valueHelp>
+                            <format>eap-tls</format>
+                            <description>Use EAP-TLS authentication</description>
+                          </valueHelp>
+                          <valueHelp>
+                            <format>eap-mschapv2</format>
+                            <description>Use EAP-MSCHAPv2 authentication</description>
+                          </valueHelp>
+                          <valueHelp>
+                            <format>eap-radius</format>
+                            <description>Use EAP-RADIUS authentication</description>
+                          </valueHelp>
+                          <constraint>
+                            <regex>(x509|eap-tls|eap-mschapv2|eap-radius)</regex>
+                          </constraint>
+                        </properties>
+                        <defaultValue>eap-mschapv2</defaultValue>
+                      </leafNode>
+                      #include <include/auth-local-users.xml.i>
+                      <leafNode name="server-mode">
+                        <properties>
+                          <help>Server authentication mode</help>
+                          <completionHelp>
+                            <list>pre-shared-secret x509</list>
+                          </completionHelp>
+                          <valueHelp>
+                            <format>pre-shared-secret</format>
+                            <description>Use a pre-shared secret key</description>
+                          </valueHelp>
+                          <valueHelp>
+                            <format>x509</format>
+                            <description>Use x.509 certificate</description>
+                          </valueHelp>
+                          <constraint>
+                            <regex>(pre-shared-secret|x509)</regex>
+                          </constraint>
+                        </properties>
+                        <defaultValue>x509</defaultValue>
+                      </leafNode>
+                      #include <include/ipsec/authentication-pre-shared-secret.xml.i>
+                    </children>
+                  </node>
+                  #include <include/generic-description.xml.i>
+                  #include <include/generic-disable-node.xml.i>
+                  #include <include/ipsec/esp-group.xml.i>
+                  #include <include/ipsec/ike-group.xml.i>
+                  #include <include/ipsec/local-address.xml.i>
+                  #include <include/ipsec/local-traffic-selector.xml.i>
+                  <leafNode name="timeout">
+                    <properties>
+                      <help>Timeout to close connection if no data is transmitted</help>
+                      <valueHelp>
+                        <format>u32:0</format>
+                        <description>Disable inactivity checks</description>
+                      </valueHelp>
+                      <valueHelp>
+                        <format>u32:1-86400</format>
+                        <description>Timeout in seconds</description>
+                      </valueHelp>
+                      <constraint>
+                        <validator name="numeric" argument="--range 0-86400"/>
+                      </constraint>
+                    </properties>
+                    <defaultValue>28800</defaultValue>
+                  </leafNode>
+                  <leafNode name="pool">
+                    <properties>
+                      <help>IP address pool</help>
+                      <completionHelp>
+                        <path>vpn ipsec remote-access pool</path>
+                        <list>dhcp radius</list>
+                      </completionHelp>
+                      <valueHelp>
+                        <format>txt</format>
+                        <description>Predefined IP pool name</description>
+                      </valueHelp>
+                      <valueHelp>
+                        <format>dhcp</format>
+                        <description>Forward requests for virtual IP addresses to a DHCP server</description>
+                      </valueHelp>
+                      <valueHelp>
+                        <format>radius</format>
+                        <description>Forward requests for virtual IP addresses to a RADIUS server</description>
+                      </valueHelp>
+                      <multi/>
+                    </properties>
+                  </leafNode>
+                  <leafNode name="unique">
+                    <properties>
+                      <help>Connection uniqueness enforcement policy</help>
+                      <completionHelp>
+                        <list>never keep replace</list>
+                      </completionHelp>
+                      <valueHelp>
+                        <format>never</format>
+                        <description>Never enforce connection uniqueness</description>
+                      </valueHelp>
+                      <valueHelp>
+                        <format>keep</format>
+                        <description>Reject new connection attempts if the same user already has an active connection</description>
+                      </valueHelp>
+                      <valueHelp>
+                        <format>replace</format>
+                        <description>Delete any existing connection if a new one for the same user gets established</description>
+                      </valueHelp>
+                      <constraint>
+                        <regex>(never|keep|replace)</regex>
+                      </constraint>
+                    </properties>
+                  </leafNode>
+                </children>
+              </tagNode>
+              <node name="dhcp">
+                <properties>
+                  <help>DHCP pool options for remote access</help>
+                </properties>
+                <children>
+                  #include <include/generic-interface.xml.i>
+                  <leafNode name="server">
+                    <properties>
+                      <help>DHCP server address</help>
+                      <valueHelp>
+                        <format>ipv4</format>
+                        <description>DHCP server IPv4 address</description>
+                      </valueHelp>
+                      <constraint>
+                        <validator name="ipv4-address"/>
+                      </constraint>
+                    </properties>
+                  </leafNode>
+                </children>
+              </node>
+              <tagNode name="pool">
+                <properties>
+                  <help>IP address pool for remote access users</help>
+                </properties>
+                <children>
+                  <leafNode name="exclude">
+                    <properties>
+                      <help>Local IPv4 or IPv6 pool prefix exclusions</help>
+                      <valueHelp>
+                        <format>ipv4net</format>
+                        <description>Local IPv4 pool prefix exclusion</description>
+                      </valueHelp>
+                      <valueHelp>
+                        <format>ipv6net</format>
+                        <description>Local IPv6 pool prefix exclusion</description>
+                      </valueHelp>
+                      <constraint>
+                        <validator name="ipv4-prefix"/>
+                        <validator name="ipv6-prefix"/>
+                      </constraint>
+                      <multi/>
+                    </properties>
+                  </leafNode>
+                  <leafNode name="prefix">
+                    <properties>
+                      <help>Local IPv4 or IPv6 pool prefix</help>
+                      <valueHelp>
+                        <format>ipv4net</format>
+                        <description>Local IPv4 pool prefix</description>
+                      </valueHelp>
+                      <valueHelp>
+                        <format>ipv6net</format>
+                        <description>Local IPv6 pool prefix</description>
+                      </valueHelp>
+                      <constraint>
+                        <validator name="ipv4-prefix"/>
+                        <validator name="ipv6-prefix"/>
+                      </constraint>
+                    </properties>
+                  </leafNode>
+                  #include <include/name-server-ipv4-ipv6.xml.i>
+                </children>
+              </tagNode>
+              #include <include/radius-auth-server-ipv4.xml.i>
+              <node name="radius">
+                <children>
+                  #include <include/radius-nas-identifier.xml.i>
+                  #include <include/radius-timeout.xml.i>
+                  <tagNode name="server">
+                    <children>
+                      #include <include/accel-ppp/radius-additions-disable-accounting.xml.i>
+                    </children>
+                 </tagNode>
+                </children>
+              </node>
+            </children>
+          </node>
+          <node name="site-to-site">
+            <properties>
+              <help>Site-to-site VPN</help>
+            </properties>
+            <children>
+              <tagNode name="peer">
+                <properties>
+                  <help>Connection name of the peer</help>
+                  <valueHelp>
+                    <format>txt</format>
+                    <description>Connection name of the peer</description>
+                  </valueHelp>
+                  <constraint>
+                    <regex>[-_a-zA-Z0-9|@]+</regex>
+                  </constraint>
+                  <constraintErrorMessage>Peer connection name must be alphanumeric and can contain hyphen and underscores</constraintErrorMessage>
+                </properties>
+                <children>
+                  #include <include/generic-disable-node.xml.i>
+                  <node name="authentication">
+                    <properties>
+                      <help>Peer authentication</help>
+                    </properties>
+                    <children>
+                      #include <include/ipsec/authentication-id.xml.i>
+                      #include <include/ipsec/authentication-rsa.xml.i>
+                      #include <include/ipsec/authentication-x509.xml.i>
+                      <leafNode name="mode">
+                        <properties>
+                          <help>Authentication mode</help>
+                          <completionHelp>
+                            <list>pre-shared-secret rsa x509</list>
+                          </completionHelp>
+                          <valueHelp>
+                            <format>pre-shared-secret</format>
+                            <description>Use pre-shared secret key</description>
+                          </valueHelp>
+                          <valueHelp>
+                            <format>rsa</format>
+                            <description>Use RSA key</description>
+                          </valueHelp>
+                          <valueHelp>
+                            <format>x509</format>
+                            <description>Use x.509 certificate</description>
+                          </valueHelp>
+                          <constraint>
+                            <regex>(pre-shared-secret|rsa|x509)</regex>
+                          </constraint>
+                        </properties>
+                      </leafNode>
+                      <leafNode name="remote-id">
+                        <properties>
+                          <help>ID for remote authentication</help>
+                          <valueHelp>
+                            <format>txt</format>
+                            <description>ID used for peer authentication</description>
+                          </valueHelp>
+                        </properties>
+                        <defaultValue>%any</defaultValue>
+                      </leafNode>
+                      <leafNode name="use-x509-id">
+                        <properties>
+                          <help>Use certificate common name as ID</help>
+                          <valueless/>
+                        </properties>
+                      </leafNode>
+                    </children>
+                  </node>
+                  <leafNode name="connection-type">
+                    <properties>
+                      <help>Connection type</help>
+                      <completionHelp>
+                        <list>initiate respond none</list>
+                      </completionHelp>
+                      <valueHelp>
+                        <format>initiate</format>
+                        <description>Bring the connection up immediately</description>
+                      </valueHelp>
+                      <valueHelp>
+                        <format>respond</format>
+                        <description>Wait for the peer to initiate the connection</description>
+                      </valueHelp>
+                      <valueHelp>
+                        <format>none</format>
+                        <description>Load the connection only</description>
+                      </valueHelp>
+                      <constraint>
+                        <regex>(initiate|respond|none)</regex>
+                      </constraint>
+                    </properties>
+                  </leafNode>
+                  <leafNode name="default-esp-group">
+                    <properties>
+                      <help>Defult ESP group name</help>
+                      <completionHelp>
+                        <path>vpn ipsec esp-group</path>
+                      </completionHelp>
+                    </properties>
+                  </leafNode>
+                  #include <include/generic-description.xml.i>
+                  #include <include/dhcp-interface.xml.i>
+                  <leafNode name="force-udp-encapsulation">
+                    <properties>
+                      <help>Force UDP encapsulation</help>
+                      <valueless/>
+                    </properties>
+                  </leafNode>
+                  #include <include/ipsec/ike-group.xml.i>
+                  <leafNode name="ikev2-reauth">
+                    <properties>
+                      <help>Re-authentication of the remote peer during an IKE re-key (IKEv2 only)</help>
+                      <completionHelp>
+                        <list>yes no inherit</list>
+                      </completionHelp>
+                      <valueHelp>
+                        <format>yes</format>
+                        <description>Enable remote host re-autentication during an IKE re-key. Currently broken due to a strong swan bug</description>
+                      </valueHelp>
+                      <valueHelp>
+                        <format>no</format>
+                        <description>Disable remote host re-authenticaton during an IKE re-key.</description>
+                      </valueHelp>
+                      <valueHelp>
+                        <format>inherit</format>
+                        <description>Inherit the reauth configuration form your IKE-group</description>
+                      </valueHelp>
+                      <constraint>
+                        <regex>(yes|no|inherit)</regex>
+                      </constraint>
+                    </properties>
+                  </leafNode>
+                  #include <include/ipsec/local-address.xml.i>
+                  #include <include/ipsec/remote-address.xml.i>
+                  <tagNode name="tunnel">
+                    <properties>
+                      <help>Peer tunnel</help>
+                      <valueHelp>
+                        <format>u32</format>
+                        <description>Peer tunnel</description>
+                      </valueHelp>
+                    </properties>
+                    <children>
+                      #include <include/generic-disable-node.xml.i>
+                      #include <include/ipsec/esp-group.xml.i>
+                      #include <include/ipsec/local-traffic-selector.xml.i>
+                      #include <include/ip-protocol.xml.i>
+                      <leafNode name="priority">
+                        <properties>
+                          <help>Priority for IPsec policy (lowest value more preferable)</help>
+                          <valueHelp>
+                            <format>u32:1-100</format>
+                            <description>Priority for IPsec policy (lowest value more preferable)</description>
+                          </valueHelp>
+                          <constraint>
+                            <validator name="numeric" argument="--range 1-100"/>
+                          </constraint>
+                        </properties>
+                      </leafNode>
+                      <node name="remote">
+                        <properties>
+                          <help>Match remote addresses</help>
+                        </properties>
+                        <children>
+                          #include <include/port-number.xml.i>
+                          <leafNode name="prefix">
+                            <properties>
+                              <help>Remote IPv4 or IPv6 prefix</help>
+                              <valueHelp>
+                                <format>ipv4net</format>
+                                <description>Remote IPv4 prefix</description>
+                              </valueHelp>
+                              <valueHelp>
+                                <format>ipv6net</format>
+                                <description>Remote IPv6 prefix</description>
+                              </valueHelp>
+                              <constraint>
+                                <validator name="ipv4-prefix"/>
+                                <validator name="ipv6-prefix"/>
+                              </constraint>
+                              <multi/>
+                            </properties>
+                          </leafNode>
+                        </children>
+                      </node>
+                    </children>
+                  </tagNode>
+                  <leafNode name="virtual-address">
+                    <properties>
+                      <help>Initiator request virtual-address from peer</help>
+                      <valueHelp>
+                        <format>ipv4</format>
+                        <description>Request IPv4 address from peer</description>
+                      </valueHelp>
+                      <valueHelp>
+                        <format>ipv6</format>
+                        <description>Request IPv6 address from peer</description>
+                      </valueHelp>
+                      <multi/>
+                    </properties>
+                  </leafNode>
+                  <node name="vti">
+                    <properties>
+                      <help>Virtual tunnel interface</help>
+                    </properties>
+                    <children>
+                      <leafNode name="bind">
+                        <properties>
+                          <help>VTI tunnel interface associated with this configuration</help>
+                          <completionHelp>
+                            <path>interfaces vti</path>
+                          </completionHelp>
+                        </properties>
+                      </leafNode>
+                      #include <include/ipsec/esp-group.xml.i>
+                    </children>
+                  </node>
+                </children>
+              </tagNode>
+            </children>
+          </node>
+        </children>
+      </node>
+    </children>
+  </node>
+</interfaceDefinition>
-- 
cgit v1.2.3