author    aapostoliuk <108394744+aapostoliuk@users.noreply.github.com>  2025-07-03 17:54:26 +0300
committer GitHub <noreply@github.com>  2025-07-03 15:54:26 +0100
commit    a973ead6423b7e8099e72738cf8c963e6b68eecd (patch)
tree      19065701ea4d3c6231830cc08f438ba379e63f11
parent    711d71329f0e35cc78f39042deec02d0624ff00c (diff)
Updated site-to-site IPsec VPN documentation (#1653)
Added general theoretical IPsec documentation. Changed site-to-site IPsec VPN documentation. Added steps for configuration. Added documentation for troubleshooting site-to-site IPsec VPN.
-rw-r--r--  docs/_static/images/ESP_AH.png                                  | bin 0 -> 35607 bytes
-rw-r--r--  docs/_static/images/IPSec_close_action_settings.jpg             | bin 62330 -> 0 bytes
-rw-r--r--  docs/_static/images/IPSec_close_action_settings.png             | bin 0 -> 22371 bytes
-rw-r--r--  docs/configuration/vpn/dmvpn.rst                                | 2
-rw-r--r--  docs/configuration/vpn/index.rst                                | 4
-rw-r--r--  docs/configuration/vpn/ipsec.rst                                | 657
-rw-r--r--  docs/configuration/vpn/ipsec/index.rst                          | 21
-rw-r--r--  docs/configuration/vpn/ipsec/ipsec_general.rst                  | 308
-rw-r--r--  docs/configuration/vpn/ipsec/remoteaccess_ipsec.rst (renamed from docs/configuration/vpn/remoteaccess_ipsec.rst) | 0
-rw-r--r--  docs/configuration/vpn/ipsec/site2site_ipsec.rst                | 729
-rw-r--r--  docs/configuration/vpn/ipsec/troubleshooting_ipsec.rst          | 323
-rw-r--r--  docs/configuration/vpn/site2site_ipsec.rst                      | 433
12 files changed, 1383 insertions, 1094 deletions
diff --git a/docs/_static/images/ESP_AH.png b/docs/_static/images/ESP_AH.png
new file mode 100644
index 00000000..6075c3f4
--- /dev/null
+++ b/docs/_static/images/ESP_AH.png
Binary files differ
diff --git a/docs/_static/images/IPSec_close_action_settings.jpg b/docs/_static/images/IPSec_close_action_settings.jpg
deleted file mode 100644
index 6996f857..00000000
--- a/docs/_static/images/IPSec_close_action_settings.jpg
+++ /dev/null
Binary files differ
diff --git a/docs/_static/images/IPSec_close_action_settings.png b/docs/_static/images/IPSec_close_action_settings.png
new file mode 100644
index 00000000..531643f7
--- /dev/null
+++ b/docs/_static/images/IPSec_close_action_settings.png
Binary files differ
diff --git a/docs/configuration/vpn/dmvpn.rst b/docs/configuration/vpn/dmvpn.rst
index e58eecbc..59f5af1e 100644
--- a/docs/configuration/vpn/dmvpn.rst
+++ b/docs/configuration/vpn/dmvpn.rst
@@ -146,7 +146,7 @@ NHRP protocol configuration
IPSEC configuration
==============================
-* Please refer to the :ref:`ipsec` documentation for the individual IPSec
+* Please refer to the :ref:`ipsec_general` documentation for the individual IPSec
related options.
.. note:: NHRP daemon based on FRR nhrpd. It controls IPSEC. That's why 'close-action'
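Review bot: the retargeted `+` line sends the reader to `:ref:`ipsec_general`` "for the individual IPSec related options", but the new ipsec_general.rst (further down in this change) is the theory page and, in the part visible here, contains no CLI options at all; the IKE-group and ESP-group option reference that this sentence is pointing at (close-action, dead-peer-detection, lifetime, proposals) was in the deleted ipsec.rst and is presumably now on the site-to-site page. Suggest pointing the reference at the label of the site2site page (or at a label on ipsec/index.rst that covers the whole section) so the DMVPN note about `close-action` still lands on the option description.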
diff --git a/docs/configuration/vpn/index.rst b/docs/configuration/vpn/index.rst
index cf825a63..d0121abd 100644
--- a/docs/configuration/vpn/index.rst
+++ b/docs/configuration/vpn/index.rst
@@ -7,7 +7,7 @@ VPN
:maxdepth: 1
:includehidden:
- ipsec
+ ipsec/index
l2tp
openconnect
pptp
@@ -22,5 +22,3 @@ pages to sort
:includehidden:
dmvpn
- site2site_ipsec
- remoteaccess_ipsec
diff --git a/docs/configuration/vpn/ipsec.rst b/docs/configuration/vpn/ipsec.rst
deleted file mode 100644
index 5e44312d..00000000
--- a/docs/configuration/vpn/ipsec.rst
+++ /dev/null
@@ -1,657 +0,0 @@
-.. _ipsec:
-
-#####
-IPsec
-#####
-
-:abbr:`GRE (Generic Routing Encapsulation)`, GRE/IPsec (or IPIP/IPsec,
-SIT/IPsec, or any other stateless tunnel protocol over IPsec) is the usual way
-to protect the traffic inside a tunnel.
-
-An advantage of this scheme is that you get a real interface with its own
-address, which makes it easier to setup static routes or use dynamic routing
-protocols without having to modify IPsec policies. The other advantage is that
-it greatly simplifies router to router communication, which can be tricky with
-plain IPsec because the external outgoing address of the router usually doesn't
-match the IPsec policy of a typical site-to-site setup and you would need to
-add special configuration for it, or adjust the source address of the outgoing
-traffic of your applications. GRE/IPsec has no such problem and is completely
-transparent for applications.
-
-GRE/IPIP/SIT and IPsec are widely accepted standards, which make this scheme
-easy to implement between VyOS and virtually any other router.
-
-For simplicity we'll assume that the protocol is GRE, it's not hard to guess
-what needs to be changed to make it work with a different protocol. We assume
-that IPsec will use pre-shared secret authentication and will use AES128/SHA1
-for the cipher and hash. Adjust this as necessary.
-
-.. NOTE:: VMware users should ensure that a VMXNET3 adapter is used. E1000
- adapters have known issues with GRE processing.
-
-**************************************
-IKE (Internet Key Exchange) Attributes
-**************************************
-
-IKE performs mutual authentication between two parties and establishes
-an IKE security association (SA) that includes shared secret information
-that can be used to efficiently establish SAs for Encapsulating Security
-Payload (ESP) or Authentication Header (AH) and a set of cryptographic
-algorithms to be used by the SAs to protect the traffic that they carry.
-https://datatracker.ietf.org/doc/html/rfc5996
-
-In VyOS, IKE attributes are specified through IKE groups.
-Multiple proposals can be specified in a single group.
-
-VyOS IKE group has the next options:
-
-* ``close-action`` defines the action to take if the remote peer unexpectedly
- closes a CHILD_SA:
-
- * ``none`` set action to none (default);
-
- * ``trap`` installs a trap policy for the CHILD_SA;
-
- * ``start`` tries to immediately re-create the CHILD_SA;
-
-* ``dead-peer-detection`` controls the use of the Dead Peer Detection protocol
- (DPD, RFC 3706) where R_U_THERE notification messages (IKEv1) or empty
- INFORMATIONAL messages (IKEv2) are periodically sent in order to check the
- liveliness of the IPsec peer:
-
- * ``action`` keep-alive failure action:
-
- * ``trap`` installs a trap policy, which will catch matching traffic
- and tries to re-negotiate the tunnel on-demand;
-
- * ``clear`` closes the CHILD_SA and does not take further action (default);
-
- * ``restart`` immediately tries to re-negotiate the CHILD_SA
- under a fresh IKE_SA;
-
- * ``interval`` keep-alive interval in seconds <2-86400> (default 30);
-
- * ``timeout`` keep-alive timeout in seconds <2-86400> (default 120) IKEv1 only
-
-* ``ikev2-reauth`` whether rekeying of an IKE_SA should also reauthenticate
- the peer. In IKEv1, reauthentication is always done.
- Setting this parameter enables remote host re-authentication during an IKE
- rekey.
-
-* ``key-exchange`` which protocol should be used to initialize the connection
- If not set both protocols are handled and connections will use IKEv2 when
- initiating, but accept any protocol version when responding:
-
- * ``ikev1`` use IKEv1 for Key Exchange;
-
- * ``ikev2`` use IKEv2 for Key Exchange;
-
-* ``lifetime`` IKE lifetime in seconds <0-86400> (default 28800);
-
-* ``disable-mobike`` disables MOBIKE Support. MOBIKE is only available for IKEv2
- and enabled by default.
-
-* ``mode`` IKEv1 Phase 1 Mode Selection:
-
- * ``main`` use Main mode for Key Exchanges in the IKEv1 Protocol
- (Recommended Default);
-
- * ``aggressive`` use Aggressive mode for Key Exchanges in the IKEv1 protocol
- aggressive mode is much more insecure compared to Main mode;
-
-* ``proposal`` the list of proposals and their parameters:
-
- * ``dh-group`` dh-group;
-
- * ``encryption`` encryption algorithm;
-
- * ``hash`` hash algorithm.
-
- * ``prf`` pseudo-random function.
-
-***********************************************
-ESP (Encapsulating Security Payload) Attributes
-***********************************************
-
-ESP is used to provide confidentiality, data origin authentication,
-connectionless integrity, an anti-replay service (a form of partial sequence
-integrity), and limited traffic flow confidentiality.
-https://datatracker.ietf.org/doc/html/rfc4303
-
-In VyOS, ESP attributes are specified through ESP groups.
-Multiple proposals can be specified in a single group.
-
-VyOS ESP group has the next options:
-
-* ``compression`` Enables the IPComp(IP Payload Compression) protocol which
- allows compressing the content of IP packets.
-
-* ``life-bytes`` ESP life in bytes <1024-26843545600000>.
- Number of bytes transmitted over an IPsec SA before it expires;
-
-* ``life-packets`` ESP life in packets <1000-26843545600000>.
- Number of packets transmitted over an IPsec SA before it expires;
-
-* ``lifetime`` ESP lifetime in seconds <30-86400> (default 3600).
- How long a particular instance of a connection (a set of
- encryption/authentication keys for user packets) should last,
- from successful negotiation to expiry;
-
-* ``mode`` the type of the connection:
-
- * ``tunnel`` tunnel mode (default);
-
- * ``transport`` transport mode;
-
-* ``pfs`` whether Perfect Forward Secrecy of keys is desired on the
- connection's keying channel and defines a Diffie-Hellman group for PFS:
-
- * ``enable`` Inherit Diffie-Hellman group from IKE group (default);
-
- * ``disable`` Disable PFS;
-
- * ``< dh-group >`` defines a Diffie-Hellman group for PFS;
-
-* ``proposal`` ESP-group proposal with number <1-65535>:
-
- * ``encryption`` encryption algorithm (default 128 bit AES-CBC);
-
- * ``hash`` hash algorithm (default sha1).
-
- * ``disable-rekey`` Do not locally initiate a re-key of the SA, remote
- peer must re-key before expiration.
-
-***********************************************
-Options (Global IPsec settings) Attributes
-***********************************************
-
-* ``options``
-
- * ``disable-route-autoinstall`` Do not automatically install routes to remote
- networks;
-
- * ``flexvpn`` Allows FlexVPN vendor ID payload (IKEv2 only). Send the Cisco
- FlexVPN vendor ID payload (IKEv2 only), which is required in order to make
- Cisco brand devices allow negotiating a local traffic selector (from
- strongSwan's point of view) that is not the assigned virtual IP address if
- such an address is requested by strongSwan. Sending the Cisco FlexVPN
- vendor ID prevents the peer from narrowing the initiator's local traffic
- selector and allows it to e.g. negotiate a TS of 0.0.0.0/0 == 0.0.0.0/0
- instead. This has been tested with a "tunnel mode ipsec ipv4" Cisco
- template but should also work for GRE encapsulation;
-
- * ``interface`` Interface Name to use. The name of the interface on which
- virtual IP addresses should be installed. If not specified the addresses
- will be installed on the outbound interface;
-
- * ``virtual-ip`` Allows the installation of virtual-ip addresses. A comma
- separated list of virtual IPs to request in IKEv2 configuration payloads or
- IKEv1 Mode Config. The wildcard addresses 0.0.0.0 and :: request an
- arbitrary address, specific addresses may be defined. The responder may
- return a different address, or none at all. Define the ``virtual-address``
- option to configure the IP address in a site-to-site hierarchy.
-
-*************************
-IPsec policy matching GRE
-*************************
-
-The first and arguably cleaner option is to make your IPsec policy match GRE
-packets between external addresses of your routers. This is the best option if
-both routers have static external addresses.
-
-Suppose the LEFT router has external address 192.0.2.10 on its eth0 interface,
-and the RIGHT router is 203.0.113.45
-
-On the LEFT:
-
-.. code-block:: none
-
- # GRE tunnel
- set interfaces tunnel tun0 encapsulation gre
- set interfaces tunnel tun0 source-address 192.0.2.10
- set interfaces tunnel tun0 remote 203.0.113.45
- set interfaces tunnel tun0 address 10.10.10.1/30
-
- ## IPsec
- set vpn ipsec interface eth0
-
- # Pre-shared-secret
- set vpn ipsec authentication psk vyos id 192.0.2.10
- set vpn ipsec authentication psk vyos id 203.0.113.45
- set vpn ipsec authentication psk vyos secret MYSECRETKEY
-
- # IKE group
- set vpn ipsec ike-group MyIKEGroup proposal 1 dh-group '2'
- set vpn ipsec ike-group MyIKEGroup proposal 1 encryption 'aes128'
- set vpn ipsec ike-group MyIKEGroup proposal 1 hash 'sha1'
-
- # ESP group
- set vpn ipsec esp-group MyESPGroup proposal 1 encryption 'aes128'
- set vpn ipsec esp-group MyESPGroup proposal 1 hash 'sha1'
-
- # IPsec tunnel
- set vpn ipsec site-to-site peer right authentication mode pre-shared-secret
- set vpn ipsec site-to-site peer right authentication remote-id 203.0.113.45
-
- set vpn ipsec site-to-site peer right ike-group MyIKEGroup
- set vpn ipsec site-to-site peer right default-esp-group MyESPGroup
-
- set vpn ipsec site-to-site peer right local-address 192.0.2.10
- set vpn ipsec site-to-site peer right remote-address 203.0.113.45
-
- # This will match all GRE traffic to the peer
- set vpn ipsec site-to-site peer right tunnel 1 protocol gre
-
-On the RIGHT, setup by analogy and swap local and remote addresses.
-
-
-Source tunnel from dummy interface
-==================================
-
-The scheme above doesn't work when one of the routers has a dynamic external
-address though. The classic workaround for this is to setup an address on a
-loopback interface and use it as a source address for the GRE tunnel, then setup
-an IPsec policy to match those loopback addresses.
-
-We assume that the LEFT router has static 192.0.2.10 address on eth0, and the
-RIGHT router has a dynamic address on eth0.
-
-The peer names RIGHT and LEFT are used as informational text.
-
-**Setting up the GRE tunnel**
-
-On the LEFT:
-
-.. code-block:: none
-
- set interfaces dummy dum0 address 192.168.99.1/32
-
- set interfaces tunnel tun0 encapsulation gre
- set interfaces tunnel tun0 address 10.10.10.1/30
- set interfaces tunnel tun0 source-address 192.168.99.1
- set interfaces tunnel tun0 remote 192.168.99.2
-
-On the RIGHT:
-
-.. code-block:: none
-
- set interfaces dummy dum0 address 192.168.99.2/32
-
- set interfaces tunnel tun0 encapsulation gre
- set interfaces tunnel tun0 address 10.10.10.2/30
- set interfaces tunnel tun0 source-address 192.168.99.2
- set interfaces tunnel tun0 remote 192.168.99.1
-
-**Setting up IPSec**
-
-However, now you need to make IPsec work with dynamic address on one side. The
-tricky part is that pre-shared secret authentication doesn't work with dynamic
-address, so we'll have to use RSA keys.
-
-First, on both routers run the operational command "generate pki key-pair
-install <key-pair name>". You may choose different length than 2048 of course.
-
-.. code-block:: none
-
- vyos@left# run generate pki key-pair install ipsec-LEFT
- Enter private key type: [rsa, dsa, ec] (Default: rsa)
- Enter private key bits: (Default: 2048)
- Note: If you plan to use the generated key on this router, do not encrypt the private key.
- Do you want to encrypt the private key with a passphrase? [y/N] N
- Configure mode commands to install key pair:
- Do you want to install the public key? [Y/n] Y
- set pki key-pair ipsec-LEFT public key 'MIIBIjANBgkqh...'
- Do you want to install the private key? [Y/n] Y
- set pki key-pair ipsec-LEFT private key 'MIIEvgIBADAN...'
- [edit]
-
-Configuration commands for the private and public key will be displayed on the
-screen which needs to be set on the router first.
-Note the command with the public key
-(set pki key-pair ipsec-LEFT public key 'MIIBIjANBgkqh...').
-Then do the same on the opposite router:
-
-.. code-block:: none
-
- vyos@left# run generate pki key-pair install ipsec-RIGHT
-
-Note the command with the public key
-(set pki key-pair ipsec-RIGHT public key 'FAAOCAQ8AMII...').
-
-Now the noted public keys should be entered on the opposite routers.
-
-On the LEFT:
-
-.. code-block:: none
-
- set pki key-pair ipsec-RIGHT public key 'FAAOCAQ8AMII...'
-
-On the RIGHT:
-
-.. code-block:: none
-
- set pki key-pair ipsec-LEFT public key 'MIIBIjANBgkqh...'
-
-Now you are ready to setup IPsec. You'll need to use an ID instead of address
-for the peer.
-
-On the LEFT (static address):
-
-.. code-block:: none
-
- set vpn ipsec interface eth0
-
- set vpn ipsec esp-group MyESPGroup proposal 1 encryption aes128
- set vpn ipsec esp-group MyESPGroup proposal 1 hash sha1
-
- set vpn ipsec ike-group MyIKEGroup proposal 1 dh-group 2
- set vpn ipsec ike-group MyIKEGroup proposal 1 encryption aes128
- set vpn ipsec ike-group MyIKEGroup proposal 1 hash sha1
-
- set vpn ipsec site-to-site peer RIGHT authentication local-id LEFT
- set vpn ipsec site-to-site peer RIGHT authentication mode rsa
- set vpn ipsec site-to-site peer RIGHT authentication rsa local-key ipsec-LEFT
- set vpn ipsec site-to-site peer RIGHT authentication rsa remote-key ipsec-RIGHT
- set vpn ipsec site-to-site peer RIGHT authentication remote-id RIGHT
- set vpn ipsec site-to-site peer RIGHT default-esp-group MyESPGroup
- set vpn ipsec site-to-site peer RIGHT ike-group MyIKEGroup
- set vpn ipsec site-to-site peer RIGHT local-address 192.0.2.10
- set vpn ipsec site-to-site peer RIGHT connection-type respond
- set vpn ipsec site-to-site peer RIGHT tunnel 1 local prefix 192.168.99.1/32 # Additional loopback address on the local
- set vpn ipsec site-to-site peer RIGHT tunnel 1 remote prefix 192.168.99.2/32 # Additional loopback address on the remote
-
-On the RIGHT (dynamic address):
-
-.. code-block:: none
-
- set vpn ipsec interface eth0
-
- set vpn ipsec esp-group MyESPGroup proposal 1 encryption aes128
- set vpn ipsec esp-group MyESPGroup proposal 1 hash sha1
-
- set vpn ipsec ike-group MyIKEGroup proposal 1 dh-group 2
- set vpn ipsec ike-group MyIKEGroup proposal 1 encryption aes128
- set vpn ipsec ike-group MyIKEGroup proposal 1 hash sha1
-
- set vpn ipsec site-to-site peer LEFT authentication local-id RIGHT
- set vpn ipsec site-to-site peer LEFT authentication mode rsa
- set vpn ipsec site-to-site peer LEFT authentication rsa local-key ipsec-RIGHT
- set vpn ipsec site-to-site peer LEFT authentication rsa remote-key ipsec-LEFT
- set vpn ipsec site-to-site peer LEFT authentication remote-id LEFT
- set vpn ipsec site-to-site peer LEFT connection-type initiate
- set vpn ipsec site-to-site peer LEFT default-esp-group MyESPGroup
- set vpn ipsec site-to-site peer LEFT ike-group MyIKEGroup
- set vpn ipsec site-to-site peer LEFT local-address any
- set vpn ipsec site-to-site peer LEFT remote-address 192.0.2.10
- set vpn ipsec site-to-site peer LEFT tunnel 1 local prefix 192.168.99.2/32 # Additional loopback address on the local
- set vpn ipsec site-to-site peer LEFT tunnel 1 remote prefix 192.168.99.1/32 # Additional loopback address on the remote
-
-
-*******************************************
-IKEv2 IPSec road-warriors remote-access VPN
-*******************************************
-
-Internet Key Exchange version 2, IKEv2 for short, is a request/response
-protocol developed by both Cisco and Microsoft. It is used to establish and
-secure IPv4/IPv6 connections, be it a site-to-site VPN or from a
-road-warrior connecting to a hub site. IKEv2, when run in point-to-multipoint,
-or remote-access/road-warrior mode, secures the server-side with another layer
-by using an x509 signed server certificate.
-
-Key exchange and payload encryption is still done using IKE and ESP proposals
-as known from IKEv1 but the connections are faster to establish, more reliable,
-and also support roaming from IP to IP (called MOBIKE which makes sure your
-connection does not drop when changing networks from e.g. WIFI to LTE and back).
-
-This feature closely works together with :ref:`pki` subsystem as you required
-a x509 certificate.
-
-Example
-=======
-
-This example uses CACert as certificate authority.
-
-.. code-block::
-
- set pki ca CAcert_Class_3_Root certificate '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'
- set pki ca CAcert_Signing_Authority certificate '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'
-
-After you obtain your server certificate you can import it from a file on the
-local filesystem, or paste it into the CLI. Please note that when entering the
-certificate manually you need to strip the ``-----BEGIN KEY-----`` and
-``-----END KEY-----`` tags. Also, the certificate or key needs to be presented
-in a single line without line breaks (``\n``).
-
-To import it from the filesystem use:
-
-.. code-block::
-
- import pki certificate <name> file /path/to/cert.pem
-
-In our example the certificate name is called vyos:
-
-.. code-block::
-
- set pki certificate vyos certificate 'MIIE45s...'
- set pki certificate vyos private key 'MIIEvgI...'
-
-After the PKI certs are all set up we can start configuring our IPSec/IKE
-proposals used for key-exchange end data encryption. The used encryption
-ciphers and integrity algorithms vary from operating system to operating
-system. The ones used in this post are validated to work on both Windows 10
-and iOS/iPadOS 14 to 17.
-
-.. code-block::
-
- set vpn ipsec esp-group ESP-RW compression 'disable'
- set vpn ipsec esp-group ESP-RW lifetime '3600'
- set vpn ipsec esp-group ESP-RW pfs 'disable'
- set vpn ipsec esp-group ESP-RW proposal 10 encryption 'aes128gcm128'
- set vpn ipsec esp-group ESP-RW proposal 10 hash 'sha256'
-
- set vpn ipsec ike-group IKE-RW key-exchange 'ikev2'
- set vpn ipsec ike-group IKE-RW lifetime '7200'
- set vpn ipsec ike-group IKE-RW mobike 'enable'
- set vpn ipsec ike-group IKE-RW proposal 10 dh-group '14'
- set vpn ipsec ike-group IKE-RW proposal 10 encryption 'aes128gcm128'
- set vpn ipsec ike-group IKE-RW proposal 10 hash 'sha256'
-
-Every connection/remote-access pool we configure also needs a pool where
-we can draw our client IP addresses from. We provide one IPv4 and IPv6 pool.
-Authorized clients will receive an IPv4 address from the 192.0.2.128/25 prefix
-and an IPv6 address from the 2001:db8:2000::/64 prefix. We can also send some
-DNS nameservers down for our clients to use with their connection.
-
-.. code-block::
-
- set vpn ipsec remote-access pool ra-rw-ipv4 name-server '192.0.2.1'
- set vpn ipsec remote-access pool ra-rw-ipv4 prefix '192.0.2.128/25'
- set vpn ipsec remote-access pool ra-rw-ipv6 name-server '2001:db8:1000::1'
- set vpn ipsec remote-access pool ra-rw-ipv6 prefix '2001:db8:2000::/64'
-
-VyOS supports multiple IKEv2 remote-access connections. Every connection can
-have its own dedicated IKE/ESP ciphers, certificates or local listen address
-for e.g. inbound load balancing.
-
-We configure a new connection named ``rw`` for road-warrior, that identifies
-itself as ``192.0.2.1`` to the clients and uses the ``vyos`` certificate
-signed by the `CAcert_Class3_Root`` intermediate CA. We select our previously
-specified IKE/ESP groups and also link the IP address pool to draw addresses
-from.
-
-.. code-block::
-
- set vpn ipsec remote-access connection rw authentication id '192.0.2.1'
- set vpn ipsec remote-access connection rw authentication server-mode 'x509'
- set vpn ipsec remote-access connection rw authentication x509 ca-certificate 'CAcert_Class_3_Root'
- set vpn ipsec remote-access connection rw authentication x509 certificate 'vyos'
- set vpn ipsec remote-access connection rw esp-group 'ESP-RW'
- set vpn ipsec remote-access connection rw ike-group 'IKE-RW'
- set vpn ipsec remote-access connection rw local-address '192.0.2.1'
- set vpn ipsec remote-access connection rw pool 'ra-rw-ipv4'
- set vpn ipsec remote-access connection rw pool 'ra-rw-ipv6'
-
-VyOS also supports (currently) two different modes of authentication, local and
-RADIUS. To create a new local user named ``vyos`` with password ``vyos`` use the
-following commands.
-
-.. code-block::
-
- set vpn ipsec remote-access connection rw authentication client-mode 'eap-mschapv2'
- set vpn ipsec remote-access connection rw authentication local-users username vyos password 'vyos'
-
-If you feel better forwarding all authentication requests to your enterprises
-RADIUS server, use the commands below.
-
-.. code-block::
-
- set vpn ipsec remote-access connection rw authentication client-mode 'eap-radius'
- set vpn ipsec remote-access radius server 192.0.2.2 key 'secret'
-
-Client Configuration
-====================
-
-Configuring VyOS to act as your IPSec access concentrator is one thing, but
-you probably need to setup your client connecting to the server so they can
-talk to the IPSec gateway.
-
-Microsoft Windows (10+)
------------------------
-
-Windows 10 does not allow a user to choose the integrity and encryption ciphers
-using the GUI and it uses some older proposals by default. A user can only
-change the proposals on the client side by configuring the IPSec connection
-profile via PowerShell.
-
-We generate a connection profile used by Windows clients that will connect to
-the "rw" connection on our VyOS server on the VPN servers IP address/fqdn
-`vpn.vyos.net`.
-
-.. note:: Microsoft Windows expects the server name to be also used in the
- server's certificate common name, so it's best to use this DNS name for
- your VPN connection.
-
-.. code-block::
-
- vyos@vyos:~$ generate ipsec profile windows-remote-access rw remote vpn.vyos.net
-
- ==== <snip> ====
- Add-VpnConnection -Name "VyOS IKEv2 VPN" -ServerAddress "vpn.vyos.net" -TunnelType "Ikev2"
- Set-VpnConnectionIPsecConfiguration -ConnectionName "VyOS IKEv2 VPN" -AuthenticationTransformConstants GCMAES128 -CipherTransformConstants GCMAES128 -EncryptionMethod GCMAES128 -IntegrityCheckMethod SHA256128 -PfsGroup None -DHGroup "Group14" -PassThru -Force
- ==== </snip> ====
-
-As both Microsoft Windows and Apple iOS/iPadOS only support a certain set of
-encryption ciphers and integrity algorithms we will validate the configured
-IKE/ESP proposals and only list the compatible ones to the user — if multiple
-are defined. If there are no matching proposals found — we can not generate a
-profile for you.
-
-When first connecting to the new VPN the user is prompted to enter proper
-credentials.
-
-Apple iOS/iPadOS (14.2+)
-------------------------
-
-Like on Microsoft Windows, Apple iOS/iPadOS out of the box does not expose
-all available VPN options via the device GUI.
-
-If you want, need, and should use more advanced encryption ciphers (default
-is still 3DES) you need to provision your device using a so-called "Device
-Profile". A profile is a simple text file containing XML nodes with a
-``.mobileconfig`` file extension that can be sent and opened on any device
-from an E-Mail.
-
-Profile generation happens from the operational level and is as simple as
-issuing the following command to create a profile to connect to the IKEv2
-access server at ``vpn.vyos.net`` with the configuration for the ``rw``
-remote-access connection group.
-
-.. note:: Apple iOS/iPadOS expects the server name to be also used in the
- server's certificate common name, so it's best to use this DNS name for
- your VPN connection.
-
-.. code-block::
-
- vyos@vyos:~$ generate ipsec profile ios-remote-access rw remote vpn.vyos.net
-
- ==== <snip> ====
- <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
- <plist version="1.0">
- ...
- </plist>
- ==== </snip> ====
-
-In the end, an XML structure is generated which can be saved as
-``vyos.mobileconfig`` and sent to the device by E-Mail where it later can
-be imported.
-
-During profile import, the user is asked to enter its IPSec credentials
-(username and password) which is stored on the mobile.
-
-Operation Mode
-==============
-
-.. opcmd:: show vpn ike sa
-
- Show all currently active IKE Security Associations.
-
-.. opcmd:: show vpn ike sa nat-traversal
-
- Show all currently active IKE Security Associations (SA) that are using
- NAT Traversal.
-
-.. opcmd:: show vpn ike sa peer <peer_name>
-
- Show all currently active IKE Security Associations (SA) for a specific
- peer.
-
-.. opcmd:: show vpn ike secrets
-
- Show all the configured pre-shared secret keys.
-
-.. opcmd:: show vpn ike status
-
- Show the detailed status information of IKE charon process.
-
-.. opcmd:: show vpn ipsec connections
-
- Show details of all available VPN connections
-
-.. opcmd:: show vpn ipsec policy
-
- Print out the list of existing crypto policies
-
-.. opcmd:: show vpn ipsec sa
-
- Show all active IPsec Security Associations (SA)
-
-.. opcmd:: show vpn ipsec sa detail
-
- Show a detailed information of all active IPsec Security Associations (SA)
- in verbose format.
-
-.. opcmd:: show vpn ipsec state
-
- Print out the list of existing in-kernel crypto state
-
-.. opcmd:: show vpn ipsec status
-
- Show the status of running IPsec process and process ID.
-
-.. opcmd:: restart ipsec
-
- Restart the IPsec VPN process and re-establishes the connection.
-
-.. opcmd:: reset vpn ipsec site-to-site all
-
- Reset all site-to-site IPSec VPN sessions. It terminates all active
- child_sa and reinitiates the connection.
-
-.. opcmd:: reset vpn ipsec site-to-site peer <name>
-
- Reset all tunnels for a given peer, can specify tunnel or vti interface.
- It terminates a specific child_sa and reinitiates the connection.
-
-.. opcmd:: show log ipsec
-
- Show logs for IPsec
diff --git a/docs/configuration/vpn/ipsec/index.rst b/docs/configuration/vpn/ipsec/index.rst
new file mode 100644
index 00000000..e454e2f6
--- /dev/null
+++ b/docs/configuration/vpn/ipsec/index.rst
@@ -0,0 +1,21 @@
+#####
+IPsec
+#####
+
+
+.. toctree::
+ :maxdepth: 1
+ :includehidden:
+
+ ipsec_general
+ site2site_ipsec
+ remoteaccess_ipsec
+ troubleshooting_ipsec
+
+pages to sort
+
+.. toctree::
+ :maxdepth: 1
+ :includehidden:
+
+
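Review bot: the trailing "pages to sort" heading and its `.. toctree::` on the last lines of this hunk have no entries, so they render an empty block and a stray heading on the new landing page; either drop them or leave the "pages to sort" section out until there is a page to put under it. While touching this file, this is also the natural place for a `.. _ipsec:` label above the `IPsec` title, since the old ipsec.rst that carried that label is removed in this same change.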
diff --git a/docs/configuration/vpn/ipsec/ipsec_general.rst b/docs/configuration/vpn/ipsec/ipsec_general.rst
new file mode 100644
index 00000000..18d974c9
--- /dev/null
+++ b/docs/configuration/vpn/ipsec/ipsec_general.rst
@@ -0,0 +1,308 @@
+.. _ipsec_general:
+
+#########################
+IPsec General Information
+#########################
+
+***********************
+Information about IPsec
+***********************
+
+IPsec is the framework used to secure data.
+IPsec accomplishes these goals by providing authentication,
+encryption of IP network packets, key exchange, and key management.
+VyOS uses Strongswan package to implement IPsec.
+
+**Authentication Header (AH)** is defined in :rfc:`4302`. It creates
+a hash using the IP header and data payload, and prepends it to the
+packet. This hash is used to validate that the data has not been
+changed during transfer over the network.
+
+**Encapsulating Security Payload (ESP)** is defined in :rfc:`4303`.
+It provides encryption and authentication of the data.
+
+
+There are two IPsec modes:
+ **IPsec Transport Mode**:
+ In transport mode, an IPSec header (AH or ESP) is inserted
+ between the IP header and the upper layer protocol header.
+
+ **IPsec Tunnel Mode:**
+ In tunnel mode, the original IP packet is encapsulated in
+ another IP datagram, and an IPsec header (AH or ESP) is
+ inserted between the outer and inner headers.
+
+.. figure:: /_static/images/ESP_AH.png
+ :scale: 80 %
+ :alt: AH and ESP in Transport Mode and Tunnel Mode
+
+***************************
+IKE (Internet Key Exchange)
+***************************
+The default IPsec method for secure key negotiation is the Internet Key
+Exchange (IKE) protocol. IKE is designed to provide mutual authentication
+of systems, as well as to establish a shared secret key to create IPsec
+security associations. A security association (SA) includes all relevant
+attributes of the connection, including the cryptographic algorithm used,
+the IPsec mode, the encryption key, and other parameters related to the
+transmission of data over the VPN connection.
+
+IKEv1
+=====
+
+IKEv1 is the older version and is still used today. Nowadays, most
+manufacturers recommend using IKEv2 protocol.
+
+IKEv1 is described in the next RFCs: :rfc:`2409` (IKE), :rfc:`3407`
+(IPsec DOI), :rfc:`3947` (NAT-T), :rfc:`3948` (UDP Encapsulation
+of ESP Packets), :rfc:`3706` (DPD)
+
+IKEv1 operates in two phases to establish these IKE and IPsec SAs:
+ * **Phase 1** provides mutual authentication of the IKE peers and
+ establishment of the session key. This phase creates an IKE SA (a
+ security association for IKE) using a DH exchange, cookies, and an
+ ID exchange. Once an IKE SA is established, all IKE communication
+ between the initiator and responder is protected with encryption
+ and an integrity check that is authenticated. The purpose of IKE
+ phase 1 is to facilitate a secure channel between the peers so that
+ phase 2 negotiations can occur securely. IKE phase 1 offers two modes:
+ Main and Aggressive.
+
+ * **Main Mode** is used for site-to-site VPN connections.
+
+ * **Aggressive Mode** is used for remote access VPN connections.
+
+ * **Phase 2** provides for the negotiation and establishment of the
+ IPsec SAs using ESP or AH to protect IP data traffic.
+
+IKEv2
+=====
+
+IKEv2 is described in :rfc:`7296`. The biggest difference between IKEv1 and
+IKEv2 is that IKEv2 is much simpler and more reliable than IKEv1 because
+fewer messages are exchanged during the establishment of the VPN and
+additional security capabilities are available.
+
+
+IKE Authentication
+==================
+
+VyOS supports 3 authentication methods.
+ * **Pre-shared keys**: In this method, both peers of the IPsec
+ tunnel must have the same preshared keys.
+ * **Digital certificates**: PKI is used in this method.
+ * **RSA-keys**: If the RSA-keys method is used in your IKE policy,
+ you need to make sure each peer has the other peer’s public keys.
+
+*************************
+DPD (Dead Peer Detection)
+*************************
+
+This is a mechanism used to detect when a VPN peer is no longer active.
+This mechanism has different algorithms in IKEv1 and IKEv2 in VyOS.
+DPD Requests are sent as ISAKMP R-U-THERE messages and DPD Responses
+are sent as ISAKMP R-U-THERE-ACK messages. In IKEv1, DPD sends messages
+every configured interval. The remote peer is considered unreachable
+if no response to these packets is received within the DPD timeout.
+In IKEv2, DPD sends messages every configured interval. If one request
+is not responded, Strongswan execute its retransmission algorithm with
+its timers. https://docs.strongswan.org/docs/5.9/config/retransmission.html
+
+*****************
+Configuration IKE
+*****************
+
+IKE (Internet Key Exchange) Attributes
+======================================
+
+VyOS IKE group has the next options:
+
+.. cfgcmd:: set vpn ipsec ike-group <name> close-action <action>
+
+ Defines the action to take if the remote peer unexpectedly
+ closes a CHILD_SA:
+
+ * **none** - Set action to none (default),
+ * **trap** - Installs a trap policy (IPsec policy without Security
+ Association) for the CHILD_SA and traffic matching these policies
+ will trigger acquire events that cause the daemon to establish the
+ required IKE/IPsec SAs.
+ * **start** - Tries to immediately re-create the CHILD_SA.
+
+.. cfgcmd:: set vpn ipsec ike-group <name> ikev2-reauth
+
+ Whether rekeying of an IKE_SA should also reauthenticate
+ the peer. In IKEv1, reauthentication is always done.
+ Setting this parameter enables remote host re-authentication
+ during an IKE rekey.
+
+.. cfgcmd:: set vpn ipsec ike-group <name> key-exchange
+
+ Which protocol should be used to initialize the connection
+ If not set both protocols are handled and connections will
+ use IKEv2 when initiating, but accept any protocol version
+ when responding:
+
+ * **ikev1** - Use IKEv1 for Key Exchange.
+ * **ikev2** - Use IKEv2 for Key Exchange.
+
+.. cfgcmd:: set vpn ipsec ike-group <name> lifetime
+
+ IKE lifetime in seconds <0-86400> (default 28800).
+
+.. cfgcmd:: set vpn ipsec ike-group <name> mode
+
+ IKEv1 Phase 1 Mode Selection:
+
+ * **main** - Use Main mode for Key Exchanges in the IKEv1 Protocol
+ (Recommended Default).
+ * **aggressive** - Use Aggressive mode for Key Exchanges in the IKEv1
+ protocol aggressive mode is much more insecure compared to Main mode.
+
+.. cfgcmd:: set vpn ipsec ike-group <name> proposal <number> dh-group <dh-group number>
+
+ Dh-group. Default value is **2**.
+
+.. cfgcmd:: set vpn ipsec ike-group <name> proposal <number> encryption <encryption>
+
+ Encryption algorithm. Default value is **aes128**.
+
+.. cfgcmd:: set vpn ipsec ike-group <name> proposal <number> hash <hash>
+
+ Hash algorithm. Default value is **sha1**.
+
+.. cfgcmd:: set vpn ipsec ike-group <name> proposal <number> prf <prf>
+
+ Pseudo-random function.
+
+
+DPD (Dead Peer Detection) Configuration
+=======================================
+
+.. cfgcmd:: set vpn ipsec ike-group <name> dead-peer-detection action <action>
+
+ Action to perform for this CHILD_SA on DPD timeout.
+
+ * **trap** - Installs a trap policy (IPsec policy without Security
+ Association), which will catch matching traffic and tries to
+ re-negotiate the tunnel on-demand.
+ * **clear** - Closes the CHILD_SA and does not take further action
+ (default).
+ * **restart** - Immediately tries to re-negotiate the CHILD_SA
+ under a fresh IKE_SA.
+
+.. cfgcmd:: set vpn ipsec ike-group <name> dead-peer-detection interval <interval>
+
+ Keep-alive interval in seconds <2-86400> (default 30).
+
+.. cfgcmd:: set vpn ipsec ike-group <name> dead-peer-detection timeout <timeout>
+
+ Keep-alive timeout in seconds <2-86400> (default 120) **IKEv1 only**
+
+ESP (Encapsulating Security Payload) Attributes
+===============================================
+
+In VyOS, ESP attributes are specified through ESP groups.
+Multiple proposals can be specified in a single group.
+
+VyOS ESP group has the next options:
+
+.. cfgcmd:: set vpn ipsec esp-group <name> compression
+
+ Enables the IPComp(IP Payload Compression) protocol which allows
+ compressing the content of IP packets.
+
+.. cfgcmd:: set vpn ipsec esp-group <name> disable-rekey
+
+ Do not locally initiate a re-key of the SA, remote peer must
+ re-key before expiration.
+
+.. cfgcmd:: set vpn ipsec esp-group <name> life-bytes <bytes>
+
+ ESP life in bytes <1024-26843545600000>. Number of bytes
+ transmitted over an IPsec SA before it expires.
+
+.. cfgcmd:: set vpn ipsec esp-group <name> life-packets <packets>
+
+ ESP life in packets <1000-26843545600000>.
+ Number of packets transmitted over an IPsec SA before it expires.
+
+.. cfgcmd:: set vpn ipsec esp-group <name> lifetime <timeout>
+
+ ESP lifetime in seconds <30-86400> (default 3600).
+ How long a particular instance of a connection (a set of
+ encryption/authentication keys for user packets) should last,
+ from successful negotiation to expiry.
+
+.. cfgcmd:: set vpn ipsec esp-group <name> mode <mode>
+
+ The type of the connection:
+
+ * **tunnel** - Tunnel mode (default).
+ * **transport** - Transport mode.
+
+.. cfgcmd:: set vpn ipsec esp-group <name> pfs < dh-group>
+
+ Whether Perfect Forward Secrecy of keys is desired on the
+ connection's keying channel and defines a Diffie-Hellman group for
+ PFS:
+
+ * **enable** - Inherit Diffie-Hellman group from IKE group (default).
+ * **disable** - Disable PFS.
+ * **<dh-group>** - Defines a Diffie-Hellman group for PFS.
+
+.. cfgcmd:: set vpn ipsec esp-group <name> proposal <number> encryption <encryption>
+
+ Encryption algorithm. Default value is **aes128**.
+
+.. cfgcmd:: set vpn ipsec esp-group <name> proposal <number> hash <hash>
+
+ Hash algorithm. Default value is **sha1**.
+
+Global IPsec Settings
+=====================
+
+.. cfgcmd:: set vpn ipsec interface <name>
+
+ Interface name to restrict outbound IPsec policies. There is a possibility
+ to specify multiple interfaces. If an interfaces are not specified, IPsec
+ policies apply to all interfaces.
+
+
+.. cfgcmd:: set vpn ipsec log level <number>
+
+ Level of logging. Default value is **0**.
+
+.. cfgcmd:: set vpn ipsec log subsystem <name>
+
+ Subsystem of the daemon.
+
+Options
+=======
+
+.. cfgcmd:: set vpn ipsec options disable-route-autoinstall
+
+ Do not automatically install routes to remote
+ networks.
+
+.. cfgcmd:: set vpn ipsec options flexvpn
+
+ Allows FlexVPN vendor ID payload (IKEv2 only). Send the Cisco
+ FlexVPN vendor ID payload (IKEv2 only), which is required in order to make
+ Cisco brand devices allow negotiating a local traffic selector (from
+ strongSwan's point of view) that is not the assigned virtual IP address if
+ such an address is requested by strongSwan. Sending the Cisco FlexVPN
+ vendor ID prevents the peer from narrowing the initiator's local traffic
+ selector and allows it to e.g. negotiate a TS of 0.0.0.0/0 == 0.0.0.0/0
+ instead. This has been tested with a "tunnel mode ipsec ipv4" Cisco
+ template but should also work for GRE encapsulation.
+
+.. cfgcmd:: set vpn ipsec options interface <name>
+
+ Interface Name to use. The name of the interface on which
+ virtual IP addresses should be installed. If not specified the addresses
+ will be installed on the outbound interface.
+
+.. cfgcmd:: set vpn ipsec options virtual-ip
+
+ Allows the installation of virtual-ip addresses.
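Review bot: the RFC list for IKEv1 cites the wrong number for the IPsec Domain of Interpretation: ``:rfc:`3407` (IPsec DOI)`` should be ``:rfc:`2407```, and RFC 2408 (ISAKMP) belongs in that list too. In the DPD section the sentence "DPD Requests are sent as ISAKMP R-U-THERE messages and DPD Responses are sent as ISAKMP R-U-THERE-ACK messages" sits before the IKEv1/IKEv2 split, but those notifications exist only in IKEv1 (RFC 3706); IKEv2 liveness checks are empty INFORMATIONAL exchanges (RFC 7296, section 2.4), so move that sentence into the IKEv1 case, change "Strongswan execute its retransmission algorithm" to "executes", and turn the bare strongSwan URL into a reST link. The ``mode`` entry says "aggressive mode is much more insecure compared to Main mode" without saying why an operator should care: in aggressive mode the peer identity and the PSK-based authentication hash are exchanged before the channel is encrypted, which is the reason main mode is the recommended default. The documented proposal defaults (dh-group **2**, encryption **aes128**, hash **sha1**) are legacy values; a sentence recommending explicit stronger settings (dh-group 14 or higher, sha256) would help readers who otherwise accept the defaults. Smaller fixes: ``pfs < dh-group>`` has a stray space inside the brackets; "If an interfaces are not specified" should read "If no interface is specified"; "IPSec header" should use the "IPsec" spelling used elsewhere; "initialize the connection If not set" needs a period before "If"; "IKEv1 is described in the next RFCs" should be "in the following RFCs".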
diff --git a/docs/configuration/vpn/remoteaccess_ipsec.rst b/docs/configuration/vpn/ipsec/remoteaccess_ipsec.rst
index 9bc49979..9bc49979 100644
--- a/docs/configuration/vpn/remoteaccess_ipsec.rst
+++ b/docs/configuration/vpn/ipsec/remoteaccess_ipsec.rst
diff --git a/docs/configuration/vpn/ipsec/site2site_ipsec.rst b/docs/configuration/vpn/ipsec/site2site_ipsec.rst
new file mode 100644
index 00000000..80dfa423
--- /dev/null
+++ b/docs/configuration/vpn/ipsec/site2site_ipsec.rst
@@ -0,0 +1,729 @@
+.. _size2site_ipsec:
+
+######################
+IPsec Site-to-Site VPN
+######################
+
+****************************
+IPsec Site-to-Site VPN Types
+****************************
+
+VyOS supports two types of IPsec VPN: Policy-based IPsec VPN and Route-based
+IPsec VPN.
+
+Policy-based VPN
+================
+
+Policy-based VPN is based on static configured policies. Each policy creates
+individual IPSec SA. Traffic matches these SAs encrypted and directed to the
+remote peer.
+
+Route-Based VPN
+===============
+
+Route-based VPN is based on secure traffic passing over Virtual Tunnel
+Interfaces (VTIs). This type of IPsec VPNs allows using routing protocols.
+
+******************************
+Configuration Site-to-Site VPN
+******************************
+
+Requirements and Prerequisites for Site-to-Site VPN
+===================================================
+
+**Negotiated parameters that need to match**
+
+Phase 1
+ * IKE version
+ * Authentication
+ * Encryption
+ * Hashing
+ * PRF
+ * Lifetime
+
+ .. note:: Strongswan recommends to use the same lifetime value on both peers
+
+Phase 2
+ * Encryption
+ * Hashing
+ * PFS
+ * Mode (tunnel or transport)
+ * Lifetime
+
+ .. note:: Strongswan recommends to use the same lifetime value on both peers
+
+ * Remote and Local networks in SA must be compatible on both peers
+
+Configuration Steps for Site-to-Site VPN
+========================================
+
+The next example shows the configuration one of the router participating in
+IPsec VPN.
+
+Tunnel information:
+ * Phase 1:
+ * encryption: AES256
+ * hash: SHA256
+ * PRF: SHA256
+ * DH: 14
+ * lifetime: 28800
+ * Phase 2:
+ * IPsec mode: tunnel
+ * encryption: AES256
+ * hash: SHA256
+ * PFS: inherited from DH Phase 1
+ * lifetime: 3600
+ * If Policy based VPN is used
+ * Remote network is 192.168.50.0/24. Local network is 192.168.10.0/24
+ * If Route based VPN is used
+ * IP of the VTI interface is 10.0.0.1/30
+
+.. note:: We do not recommend using policy-based vpn and route-based vpn configurations to the same peer.
+
+**1. Configure ike-group (IKE Phase 1)**
+
+.. code-block:: none
+
+ set vpn ipsec ike-group IKE close-action 'start'
+ set vpn ipsec ike-group IKE key-exchange 'ikev1'
+ set vpn ipsec ike-group IKE lifetime '28800'
+ set vpn ipsec ike-group IKE proposal 10 dh-group '14'
+ set vpn ipsec ike-group IKE proposal 10 encryption 'aes256'
+ set vpn ipsec ike-group IKE proposal 10 hash 'sha256'
+ set vpn ipsec ike-group IKE proposal 10 prf 'prfsha256'
+
+**2. Configure ESP-group (IKE Phase 2)**
+
+.. code-block:: none
+
+ set vpn ipsec esp-group ESP lifetime '3600'
+ set vpn ipsec esp-group ESP mode 'tunnel'
+ set vpn ipsec esp-group ESP pfs 'enable'
+ set vpn ipsec esp-group ESP proposal 10 encryption 'aes256'
+ set vpn ipsec esp-group ESP proposal 10 hash 'sha256'
+
+**3. Specify interface facing to the protected destination.**
+
+.. code-block:: none
+
+ set vpn ipsec interface eth0
+
+**4. Configure PSK keys and authentication ids for this key if authentication type is PSK**
+
+.. code-block:: none
+
+ set vpn ipsec authentication psk PSK-KEY id '192.168.0.2'
+ set vpn ipsec authentication psk PSK-KEY id '192.168.5.2'
+ set vpn ipsec authentication psk PSK-KEY secret 'vyos'
+
+To set base64 secret encode plaintext password to base64 and set secret-type
+
+.. code-block:: none
+
+ echo -n "vyos" | base64
+ dnlvcw==
+
+.. code-block:: none
+
+ set vpn ipsec authentication psk PSK-KEY secret 'dnlvcw=='
+ set vpn ipsec authentication psk PSK-KEY secret-type base64
+
+
+**5. Configure peer and apply IKE-group and esp-group to peer.**
+
+.. code-block:: none
+
+ set vpn ipsec site-to-site peer PEER1 authentication local-id '192.168.0.2'
+ set vpn ipsec site-to-site peer PEER1 authentication mode 'pre-shared-secret'
+ set vpn ipsec site-to-site peer PEER1 authentication remote-id '192.168.5.2'
+ set vpn ipsec site-to-site peer PEER1 connection-type 'initiate'
+ set vpn ipsec site-to-site peer PEER1 default-esp-group 'ESP'
+ set vpn ipsec site-to-site peer PEER1 ike-group 'IKE'
+ set vpn ipsec site-to-site peer PEER1 local-address '192.168.0.2'
+ set vpn ipsec site-to-site peer PEER1 remote-address '192.168.5.2'
+
+ Peer selects the key from step 4 according to local-id/remote-id pair.
+
+**6. Depends to vpn type (route-based vpn or policy-based vpn).**
+
+ **6.1 For Policy-based VPN configure SAs using tunnel command specifying remote and local networks.**
+
+ .. code-block:: none
+
+ set vpn ipsec site-to-site peer PEER1 tunnel 1 local prefix '192.168.10.0/24'
+ set vpn ipsec site-to-site peer PEER1 tunnel 1 remote prefix '192.168.50.0/24'
+
+ **6.2 For Route-based VPN create VTI interface, set IP address to this interface and bind this interface to the vpn peer.**
+
+ .. code-block:: none
+
+ set interfaces vti vti1 address 10.0.0.1/30
+ set vpn ipsec site-to-site peer PEER1 vti bind vti1
+ set vpn ipsec options disable-route-autoinstall
+
+ Create routing between local networks via VTI interface using dynamic or
+ static routing.
+
+ .. code-block:: none
+
+ set protocol static route 192.168.50.0/24 next-hop 10.0.0.2
+
+Initiator and Responder Connection Types
+========================================
+
+In Site-to-Site IPsec VPN it is recommended that one peer should be an
+initiator and the other - the responder. The initiator actively establishes
+the VPN tunnel. The responder passively waits for the remote peer to
+establish the VPN tunnel. Depends on selected role it is recommended
+select proper values for close-action and DPD action.
+
+The result of wrong value selection can be unstable work of the VPN.
+ * Duplicate CHILD SA creation.
+ * None of the VPN sides initiates the tunnel establishment.
+
+Below flow-chart could be a quick reference for the close-action
+combination depending on how the peer is configured.
+
+.. figure:: /_static/images/IPSec_close_action_settings.png
+
+Similar combinations are applicable for the dead-peer-detection.
+
+Detailed Configuration Commands
+===============================
+
+PSK Key Authentication
+----------------------
+
+.. cfgcmd:: set vpn ipsec authentication psk <name> dhcp-interface
+
+ ID for authentication generated from DHCP address
+ dynamically.
+
+.. cfgcmd:: set vpn ipsec authentication psk id <id>
+
+ static ID's for authentication. In general local and remote
+ address ``<x.x.x.x>``, ``<h:h:h:h:h:h:h:h>`` or ``%any``.
+
+.. cfgcmd:: set vpn ipsec authentication psk secret <secret>
+
+ A predefined shared secret used in configured mode
+ ``pre-shared-secret``. Base64-encoded secrets are allowed if
+ `secret-type base64` is configured.
+
+.. cfgcmd:: set vpn ipsec authentication psk secret-type <type>
+
+ Specifies the secret type:
+
+ * **plaintext** - Plain text type (default value).
+ * **base64** - Base64 type.
+
+Peer Configuration
+------------------
+
+Peer Authentication Commands
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+.. cfgcmd:: set vpn ipsec site-to-site peer <name> authentication mode <mode>
+
+ Mode for authentication between VyOS and remote peer:
+
+ * **pre-shared-secret** - Use predefined shared secret phrase.
+ * **rsa** - Use simple shared RSA key.
+ * **x509** - Use certificates infrastructure for authentication.
+
+
+.. cfgcmd:: set vpn ipsec site-to-site peer <name> authentication local-id <id>
+
+ ID for the local VyOS router. If defined, during the authentication
+ it will be send to remote peer.
+
+.. cfgcmd:: set vpn ipsec site-to-site peer <name> authentication remote-id <id>
+
+ ID for remote peer, instead of using peer name or
+ address. Useful in case if the remote peer is behind NAT
+ or if ``mode x509`` is used.
+
+.. cfgcmd:: set vpn ipsec site-to-site peer <name> authentication rsa local-key <key>
+
+ Name of PKI key-pair with local private key.
+
+.. cfgcmd:: set vpn ipsec site-to-site peer <name> authentication rsa remote-key <key>
+
+ Name of PKI key-pair with remote public key.
+
+.. cfgcmd:: set vpn ipsec site-to-site peer <name> authentication rsa passphrase <passphrase>
+
+ Local private key passphrase.
+
+.. cfgcmd:: set vpn ipsec site-to-site peer <name> authentication use-x509-id <id>
+
+ Use local ID from x509 certificate. Cannot be used when
+ ``id`` is defined.
+
+.. cfgcmd:: set vpn ipsec site-to-site peer <name> authentication x509 ca-certificate <name>
+
+ Name of CA certificate in PKI configuration. Using for authenticating
+ remote peer in x509 mode.
+
+.. cfgcmd:: set vpn ipsec site-to-site peer <name> authentication x509 certificate <name>
+
+ Name of certificate in PKI configuration, which will be used
+ for authenticating local router on remote peer.
+
+.. cfgcmd:: set vpn ipsec authentication x509 passphrase <passphrase>
+
+ Private key passphrase, if needed.
+
+Global Peer Configuration Commands
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+.. cfgcmd:: set vpn ipsec site-to-site peer <name> connection-type <type>
+
+ Operational mode defines how to handle this connection process.
+
+ * **initiate** - does initial connection to remote peer immediately
+ after configuring and after boot. In this mode the connection will
+ not be restarted in case of disconnection, therefore should be used
+ only together with DPD or another session tracking methods.
+ * **respond** - does not try to initiate a connection to a remote
+ peer. In this mode, the IPsec session will be established only
+ after initiation from a remote peer. Could be useful when there
+ is no direct connectivity to the peer due to firewall or NAT in
+ the middle of the local and remote side.
+ * **none** - loads the connection only, which then can be manually
+ initiated or used as a responder configuration.
+
+.. cfgcmd:: set vpn ipsec site-to-site peer <name> default-esp-group <name>
+
+ Name of ESP group to use by default for traffic encryption.
+ Might be overwritten by individual settings for tunnel or VTI
+ interface binding.
+
+.. cfgcmd:: set vpn ipsec site-to-site peer <name> description <description>
+
+ Description for this peer.
+
+.. cfgcmd:: set vpn ipsec site-to-site peer <name> dhcp-interface <interface>
+
+ Specify the interface which IP address, received from DHCP for IPSec
+ connection with this peer, will be used as ``local-address``.
+
+.. cfgcmd:: set vpn ipsec site-to-site peer <name> force-udp-encapsulation
+
+ Force encapsulation of ESP into UDP datagrams. Useful in case if
+ between local and remote side is firewall or NAT, which not
+ allows passing plain ESP packets between them.
+
+.. cfgcmd:: set vpn ipsec site-to-site peer <name> ike-group <name>
+
+ Name of IKE group to use for key exchanges.
+
+.. cfgcmd:: set vpn ipsec site-to-site peer <name> local-address <address>
+
+ Local IP address for IPsec connection with this peer.
+ If defined ``any``, then an IP address which configured on interface with
+ default route will be used.
+
+.. cfgcmd:: set vpn ipsec site-to-site peer <name> remote-address <address>
+
+ Remote IP address or hostname for IPsec connection. IPv4 or IPv6
+ address is used when a peer has a public static IP address. Hostname
+ is a DNS name which could be used when a peer has a public IP
+ address and DNS name, but an IP address could be changed from time
+ to time.
+
+.. cfgcmd:: set vpn ipsec site-to-site peer <name> replay-window <size>
+
+ IPsec replay window to configure for CHILD_SAs
+ (default: 32), a value of 0 disables IPsec replay protection.
+
+.. cfgcmd:: set vpn ipsec site-to-site peer <name> virtual-address <address>
+
+ Defines a virtual IP address which is requested by the initiator and
+ one or several IPv4 and/or IPv6 addresses are assigned from multiple
+ pools by the responder. The wildcard addresses 0.0.0.0 and ::
+ request an arbitrary address, specific addresses may be defined.
+
+CHILD SAs Configuration Commands
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+Policy-Based CHILD SAs Configuration Commands
+"""""""""""""""""""""""""""""""""""""""""""""
+
+Every configured tunnel under peer configuration is a new CHILD SA.
+
+.. cfgcmd:: set vpn ipsec site-to-site peer <name> tunnel <number> disable
+
+ Disable this tunnel.
+
+.. cfgcmd:: set vpn ipsec site-to-site peer <name> tunnel <number> esp-group <name>
+
+ Specify ESP group for this CHILD SA.
+
+.. cfgcmd:: set vpn ipsec site-to-site peer <name> tunnel <number> priority <number>
+
+ Priority for policy-based IPsec VPN tunnels (lowest value more
+ preferable).
+
+.. cfgcmd:: set vpn ipsec site-to-site peer <name> tunnel <number> protocol <name>
+
+ Define the protocol for match traffic, which should be encrypted and
+ send to this peer.
+
+.. cfgcmd:: set vpn ipsec site-to-site peer <name> tunnel <number> local prefix <network>
+
+ IP network at the local side.
+
+.. cfgcmd:: set vpn ipsec site-to-site peer <name> tunnel <number> local port <number>
+
+ Local port number. Have effect only when used together with
+ ``prefix``.
+
+.. cfgcmd:: set vpn ipsec site-to-site peer <name> tunnel <number> remote prefix <network>
+
+ IP network at the remote side.
+
+.. cfgcmd:: set vpn ipsec site-to-site peer <name> tunnel <number> remote port <number>
+
+ Remote port number. Have effect only when used together with
+ ``prefix``.
+
+Route-Based CHILD SAs Configuration Commands
+"""""""""""""""""""""""""""""""""""""""""""""
+
+To configure route-based VPN it is enough to create vti interface and
+bind it to the peer. Any traffic, which will be send to VTI interface
+will be encrypted and send to this peer. Using VTI makes IPsec
+configuration much flexible and easier in complex situation, and
+allows to dynamically add/delete remote networks, reachable via a
+peer, as in this mode router don't need to create additional SA/policy
+for each remote network.
+
+.. warning:: When using site-to-site IPsec with VTI interfaces,
+ be sure to disable route autoinstall.
+
+.. code-block:: none
+
+ set vpn ipsec options disable-route-autoinstall
+
+.. cfgcmd:: set vpn ipsec site-to-site peer <name> vti bind <interface>
+
+ VTI interface to bind to this peer.
+
+.. cfgcmd:: set vpn ipsec site-to-site peer <name> vti esp-group <name>
+
+ ESP group for encrypt traffic, passed this VTI interface.
+
+Traffic-selectors parameters for traffic that should pass via vti
+interface.
+
+.. cfgcmd:: set vpn ipsec site-to-site peer <name> vti traffic-selector local prefix <network>
+
+ Local prefix for interesting traffic.
+
+.. cfgcmd:: set vpn ipsec site-to-site peer <name> vti traffic-selector remote prefix <network>
+
+ Remote prefix for interesting traffic.
+
+IPsec Op-mode Commands
+======================
+
+.. opcmd:: show vpn ike sa
+
+ Shows active IKE SAs information.
+
+.. opcmd:: show vpn ike secrets
+
+ Shows configured authentication keys.
+
+.. opcmd:: show vpn ike status
+
+ Shows Strongswan daemon status.
+
+.. opcmd:: show vpn ipsec connections
+
+ Shows summary status of all configured IKE and IPsec SAs.
+
+.. opcmd:: show vpn ipsec sa [detail]
+
+ Shows active IPsec SAs information.
+
+.. opcmd:: show vpn ipsec status
+
+ Shows status of IPsec process.
+
+.. opcmd:: show vpn ipsec policy
+
+ Shows the in-kernel crypto policies.
+
+.. opcmd:: show vpn ipsec state
+
+ Shows the in-kernel crypto state.
+
+.. opcmd:: show log ipsec
+
+ Shows IPsec logs.
+
+.. opcmd:: reset vpn ipsec site-to-site all
+
+ Clear all ipsec connection and reinitiate them if VyOS is configured
+ as initiator.
+
+.. opcmd:: reset vpn ipsec site-to-site peer <name>
+
+ Clear all peer IKE SAs with IPsec SAs and reinitiate them if VyOS is
+ configured as initiator.
+
+.. opcmd:: reset vpn ipsec site-to-site peer <name> tunnel <number>
+
+ Clear scpecific IPsec SA and reinitiate it if VyOS is configured as
+ initiator.
+
+.. opcmd:: reset vpn ipsec site-to-site peer <name> vti <number>
+
+ Clear IPsec SA which is map to vti interface of this peer and
+ reinitiate it if VyOS is configured as initiator.
+
+.. opcmd:: restart ipsec
+
+ Restart Strongswan daemon.
+
+*********
+Examples:
+*********
+
+Policy-Based VPN Example
+========================
+
+**PEER1:**
+
+* WAN interface on `eth0`
+* `eth0` interface IP: `10.0.1.2/30`
+* `dum0` interface IP: `192.168.0.1/24` (for testing purposes)
+* Initiator
+
+**PEER2:**
+
+* WAN interface on `eth0`
+* `eth0` interface IP: `10.0.2.2/30`
+* `dum0` interface IP: `192.168.1.0/24` (for testing purposes)
+* Responder
+
+.. code-block:: none
+
+ # PEER1
+ set interfaces dummy dum0 address '192.168.0.1/32'
+ set interfaces ethernet eth0 address '10.0.1.2/30'
+ set protocols static route 0.0.0.0/0 next-hop 10.0.1.1
+ set vpn ipsec authentication psk AUTH-PSK id '10.0.1.2'
+ set vpn ipsec authentication psk AUTH-PSK id '10.0.2.2'
+ set vpn ipsec authentication psk AUTH-PSK secret 'test'
+ set vpn ipsec esp-group ESP-GRPOUP lifetime '3600'
+ set vpn ipsec esp-group ESP-GRPOUP proposal 10 encryption 'aes256'
+ set vpn ipsec esp-group ESP-GRPOUP proposal 10 hash 'sha1'
+ set vpn ipsec ike-group IKE-GROUP close-action 'start'
+ set vpn ipsec ike-group IKE-GROUP dead-peer-detection action 'restart'
+ set vpn ipsec ike-group IKE-GROUP dead-peer-detection interval '30'
+ set vpn ipsec ike-group IKE-GROUP dead-peer-detection timeout '120'
+ set vpn ipsec ike-group IKE-GROUP key-exchange 'ikev1'
+ set vpn ipsec ike-group IKE-GROUP lifetime '28800'
+ set vpn ipsec ike-group IKE-GROUP proposal 10 dh-group '14'
+ set vpn ipsec ike-group IKE-GROUP proposal 10 encryption 'aes256'
+ set vpn ipsec ike-group IKE-GROUP proposal 10 hash 'sha1'
+ set vpn ipsec interface 'eth0'
+ set vpn ipsec site-to-site peer PEER2 authentication local-id '10.0.1.2'
+ set vpn ipsec site-to-site peer PEER2 authentication mode 'pre-shared-secret'
+ set vpn ipsec site-to-site peer PEER2 authentication remote-id '10.0.2.2'
+ set vpn ipsec site-to-site peer PEER2 connection-type 'initiate'
+ set vpn ipsec site-to-site peer PEER2 default-esp-group 'ESP-GRPOUP'
+ set vpn ipsec site-to-site peer PEER2 ike-group 'IKE-GROUP'
+ set vpn ipsec site-to-site peer PEER2 local-address '10.0.1.2'
+ set vpn ipsec site-to-site peer PEER2 remote-address '10.0.2.2'
+ set vpn ipsec site-to-site peer PEER2 tunnel 0 local prefix '192.168.0.0/24'
+ set vpn ipsec site-to-site peer PEER2 tunnel 0 remote prefix '192.168.1.0/24'
+
+
+ # PEER2
+ set interfaces dummy dum0 address '192.168.1.1/32'
+ set interfaces ethernet eth0 address '10.0.2.2/30'
+ set protocols static route 0.0.0.0/0 next-hop 10.0.2.1
+ set vpn ipsec authentication psk AUTH-PSK id '10.0.1.2'
+ set vpn ipsec authentication psk AUTH-PSK id '10.0.2.2'
+ set vpn ipsec authentication psk AUTH-PSK secret 'test'
+ set vpn ipsec esp-group ESP-GRPOUP lifetime '3600'
+ set vpn ipsec esp-group ESP-GRPOUP proposal 10 encryption 'aes256'
+ set vpn ipsec esp-group ESP-GRPOUP proposal 10 hash 'sha1'
+ set vpn ipsec ike-group IKE-GROUP close-action 'none'
+ set vpn ipsec ike-group IKE-GROUP dead-peer-detection action 'clear'
+ set vpn ipsec ike-group IKE-GROUP dead-peer-detection interval '30'
+ set vpn ipsec ike-group IKE-GROUP dead-peer-detection timeout '120'
+ set vpn ipsec ike-group IKE-GROUP key-exchange 'ikev1'
+ set vpn ipsec ike-group IKE-GROUP lifetime '28800'
+ set vpn ipsec ike-group IKE-GROUP proposal 10 dh-group '14'
+ set vpn ipsec ike-group IKE-GROUP proposal 10 encryption 'aes256'
+ set vpn ipsec ike-group IKE-GROUP proposal 10 hash 'sha1'
+ set vpn ipsec interface 'eth0'
+ set vpn ipsec site-to-site peer PEER1 authentication local-id '10.0.2.2'
+ set vpn ipsec site-to-site peer PEER1 authentication mode 'pre-shared-secret'
+ set vpn ipsec site-to-site peer PEER1 authentication remote-id '10.0.1.2'
+ set vpn ipsec site-to-site peer PEER1 connection-type 'respond'
+ set vpn ipsec site-to-site peer PEER1 default-esp-group 'ESP-GRPOUP'
+ set vpn ipsec site-to-site peer PEER1 ike-group 'IKE-GROUP'
+ set vpn ipsec site-to-site peer PEER1 local-address '10.0.2.2'
+ set vpn ipsec site-to-site peer PEER1 remote-address '10.0.1.2'
+ set vpn ipsec site-to-site peer PEER1 tunnel 0 local prefix '192.168.1.0/24'
+ set vpn ipsec site-to-site peer PEER1 tunnel 0 remote prefix '192.168.0.0/24'
+
+
+Show status of policy-based IPsec VPN setup:
+
+.. code-block:: none
+
+ vyos@PEER2:~$ show vpn ike sa
+ Peer ID / IP Local ID / IP
+ ------------ -------------
+ 10.0.1.2 10.0.1.2 10.0.2.2 10.0.2.2
+
+ State IKEVer Encrypt Hash D-H Group NAT-T A-Time L-Time
+ ----- ------ ------- ---- --------- ----- ------ ------
+ up IKEv1 AES_CBC_256 HMAC_SHA1_96 MODP_2048 no 1254 25633
+
+
+ vyos@srv-gw0:~$ show vpn ipsec sa
+ Connection State Uptime Bytes In/Out Packets In/Out Remote address Remote ID Proposal
+ -------------- ------- -------- -------------- ---------------- ---------------- ----------- ----------------------------------
+ PEER1-tunnel-0 up 20m42s 0B/0B 0/0 10.0.1.2 10.0.1.2 AES_CBC_256/HMAC_SHA1_96/MODP_2048
+
+ vyos@PEER2:~$ show vpn ipsec connections
+ Connection State Type Remote address Local TS Remote TS Local id Remote id Proposal
+ -------------- ------- ------ ---------------- -------------- -------------- ---------- ----------- ----------------------------------
+ PEER1 up IKEv1 10.0.1.2 - - 10.0.2.2 10.0.1.2 AES_CBC/256/HMAC_SHA1_96/MODP_2048
+ PEER1-tunnel-0 up IPsec 10.0.1.2 192.168.1.0/24 192.168.0.0/24 10.0.2.2 10.0.1.2 AES_CBC/256/HMAC_SHA1_96/MODP_2048
+
+If there is SNAT rules on eth0, need to add exclude rule
+
+.. code-block:: none
+
+ # PEER1 side
+ set nat source rule 10 destination address '192.168.1.0/24'
+ set nat source rule 10 'exclude'
+ set nat source rule 10 outbound-interface name 'eth0'
+ set nat source rule 10 source address '192.168.0.0/24'
+
+ # PEER2 side
+ set nat source rule 10 destination address '192.168.0.0/24'
+ set nat source rule 10 'exclude'
+ set nat source rule 10 outbound-interface name 'eth0'
+ set nat source rule 10 source address '192.168.1.0/24'
+
+
+Route-Based VPN Example
+=======================
+
+**PEER1:**
+
+* WAN interface on `eth0`
+* `eth0` interface IP: `10.0.1.2/30`
+* 'vti0' interface IP: `10.100.100.1/30`
+* `dum0` interface IP: `192.168.0.1/24` (for testing purposes)
+* Role: Initiator
+
+**PEER2:**
+
+* WAN interface on `eth0`
+* `eth0` interface IP: `10.0.2.2/30`
+* 'vti0' interface IP: `10.100.100.2/30`
+* `dum0` interface IP: `192.168.1.0/24` (for testing purposes)
+* Role: Responder
+
+.. code-block:: none
+
+ # PEER1
+ set interfaces dummy dum0 address '192.168.0.1/32'
+ set interfaces ethernet eth0 address '10.0.1.2/30'
+ set interfaces vti vti0 address '10.100.100.1/30'
+ set protocols static route 0.0.0.0/0 next-hop 10.0.1.1
+ set protocols static route 192.168.1.0/24 next-hop 10.100.100.2
+ set vpn ipsec authentication psk AUTH-PSK id '10.0.1.2'
+ set vpn ipsec authentication psk AUTH-PSK id '10.0.2.2'
+ set vpn ipsec authentication psk AUTH-PSK secret 'test'
+ set vpn ipsec esp-group ESP-GRPOUP lifetime '3600'
+ set vpn ipsec esp-group ESP-GRPOUP proposal 10 encryption 'aes256'
+ set vpn ipsec esp-group ESP-GRPOUP proposal 10 hash 'sha1'
+ set vpn ipsec ike-group IKE-GROUP close-action 'start'
+ set vpn ipsec ike-group IKE-GROUP dead-peer-detection action 'restart'
+ set vpn ipsec ike-group IKE-GROUP dead-peer-detection interval '30'
+ set vpn ipsec ike-group IKE-GROUP key-exchange 'ikev2'
+ set vpn ipsec ike-group IKE-GROUP lifetime '28800'
+ set vpn ipsec ike-group IKE-GROUP proposal 10 dh-group '14'
+ set vpn ipsec ike-group IKE-GROUP proposal 10 encryption 'aes256'
+ set vpn ipsec ike-group IKE-GROUP proposal 10 hash 'sha1'
+ set vpn ipsec interface 'eth0'
+ set vpn ipsec options disable-route-autoinstall
+ set vpn ipsec site-to-site peer PEER2 authentication local-id '10.0.1.2'
+ set vpn ipsec site-to-site peer PEER2 authentication mode 'pre-shared-secret'
+ set vpn ipsec site-to-site peer PEER2 authentication remote-id '10.0.2.2'
+ set vpn ipsec site-to-site peer PEER2 connection-type 'initiate'
+ set vpn ipsec site-to-site peer PEER2 default-esp-group 'ESP-GRPOUP'
+ set vpn ipsec site-to-site peer PEER2 ike-group 'IKE-GROUP'
+ set vpn ipsec site-to-site peer PEER2 local-address '10.0.1.2'
+ set vpn ipsec site-to-site peer PEER2 remote-address '10.0.2.2'
+ set vpn ipsec site-to-site peer PEER2 vti bind 'vti0'
+
+
+ # PEER2
+ set interfaces dummy dum0 address '192.168.1.1/32'
+ set interfaces ethernet eth0 address '10.0.2.2/30'
+ set interfaces vti vti0 address '10.100.100.2/30'
+ set protocols static route 0.0.0.0/0 next-hop 10.0.2.1
+ set protocols static route 192.168.0.0/24 next-hop 10.100.100.1
+ set vpn ipsec authentication psk AUTH-PSK id '10.0.1.2'
+ set vpn ipsec authentication psk AUTH-PSK id '10.0.2.2'
+ set vpn ipsec authentication psk AUTH-PSK secret 'test'
+ set vpn ipsec esp-group ESP-GRPOUP lifetime '3600'
+ set vpn ipsec esp-group ESP-GRPOUP proposal 10 encryption 'aes256'
+ set vpn ipsec esp-group ESP-GRPOUP proposal 10 hash 'sha1'
+ set vpn ipsec ike-group IKE-GROUP close-action 'none'
+ set vpn ipsec ike-group IKE-GROUP dead-peer-detection action 'clear'
+ set vpn ipsec ike-group IKE-GROUP dead-peer-detection interval '30'
+ set vpn ipsec ike-group IKE-GROUP key-exchange 'ikev2'
+ set vpn ipsec ike-group IKE-GROUP lifetime '28800'
+ set vpn ipsec ike-group IKE-GROUP proposal 10 dh-group '14'
+ set vpn ipsec ike-group IKE-GROUP proposal 10 encryption 'aes256'
+ set vpn ipsec ike-group IKE-GROUP proposal 10 hash 'sha1'
+ set vpn ipsec interface 'eth0'
+ set vpn ipsec options disable-route-autoinstall
+ set vpn ipsec site-to-site peer PEER1 authentication local-id '10.0.2.2'
+ set vpn ipsec site-to-site peer PEER1 authentication mode 'pre-shared-secret'
+ set vpn ipsec site-to-site peer PEER1 authentication remote-id '10.0.1.2'
+ set vpn ipsec site-to-site peer PEER1 connection-type 'respond'
+ set vpn ipsec site-to-site peer PEER1 default-esp-group 'ESP-GRPOUP'
+ set vpn ipsec site-to-site peer PEER1 ike-group 'IKE-GROUP'
+ set vpn ipsec site-to-site peer PEER1 local-address '10.0.2.2'
+ set vpn ipsec site-to-site peer PEER1 remote-address '10.0.1.2'
+ set vpn ipsec site-to-site peer PEER1 vti bind 'vti0'
+
+Show status of route-based IPsec VPN setup:
+
+.. code-block:: none
+
+ vyos@PEER2:~$ show vpn ike sa
+ Peer ID / IP Local ID / IP
+ ------------ -------------
+ 10.0.1.2 10.0.1.2 10.0.2.2 10.0.2.2
+
+ State IKEVer Encrypt Hash D-H Group NAT-T A-Time L-Time
+ ----- ------ ------- ---- --------- ----- ------ ------
+ up IKEv2 AES_CBC_256 HMAC_SHA1_96 MODP_2048 no 404 27650
+
+ vyos@PEER2:~$ show vpn ipsec sa
+ Connection State Uptime Bytes In/Out Packets In/Out Remote address Remote ID Proposal
+ ------------ ------- -------- -------------- ---------------- ---------------- ----------- ----------------------------------
+ PEER1-vti up 3m28s 0B/0B 0/0 10.0.1.2 10.0.1.2 AES_CBC_256/HMAC_SHA1_96/MODP_2048
+
+ vyos@PEER2:~$ show vpn ipsec connections
+ Connection State Type Remote address Local TS Remote TS Local id Remote id Proposal
+ ------------ ------- ------ ---------------- ---------- ----------- ---------- ----------- ----------------------------------
+ PEER1 up IKEv2 10.0.1.2 - - 10.0.2.2 10.0.1.2 AES_CBC/256/HMAC_SHA1_96/MODP_2048
+ PEER1-vti up IPsec 10.0.1.2 0.0.0.0/0 0.0.0.0/0 10.0.2.2 10.0.1.2 AES_CBC/256/HMAC_SHA1_96/MODP_2048
+ ::/0 ::/0
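Review bot: the PEER1/PEER2 bullet lists and the configuration in this hunk disagree on the dummy interface addresses: the lists give `dum0` as `192.168.0.1/24` and `192.168.1.0/24` (the latter is a network address, not a host address), while the config sets `192.168.0.1/32` and `192.168.1.1/32` and the static routes point at the /24 prefixes; align the bullets with the config (e.g. `192.168.1.1/32`) so the test topology is reproducible. Smaller points in the same hunk: 'vti0' is written with straight quotes where the other interface names use backticks; the ESP group is spelled `ESP-GRPOUP` throughout (harmless, but it reads as a typo of ESP-GROUP and will be copied verbatim by readers); the status output switches prompts between `vyos@srv-gw0` and `vyos@PEER2` although both blocks are meant to be taken on PEER2; and "If there is SNAT rules on eth0, need to add exclude rule" should read "If there are SNAT rules on eth0, an exclude rule is needed". Consider also replacing the secret 'test' with an obvious placeholder so the example does not normalise a trivial PSK.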
diff --git a/docs/configuration/vpn/ipsec/troubleshooting_ipsec.rst b/docs/configuration/vpn/ipsec/troubleshooting_ipsec.rst
new file mode 100644
index 00000000..fdeb347d
--- /dev/null
+++ b/docs/configuration/vpn/ipsec/troubleshooting_ipsec.rst
@@ -0,0 +1,323 @@
+.. _troubleshooting_ipsec:
+
+######################################
+Troubleshooting Site-to-Site VPN IPsec
+######################################
+
+************
+Introduction
+************
+
+This document describes the methodology to monitor and troubleshoot
+Site-to-Site VPN IPsec.
+
+Steps for troubleshooting problems with Site-to-Site VPN IPsec:
+ 1. Ping the remote site through the tunnel using the source and
+ destination IPs included in the policy.
+ 2. Check connectivity between the routers using the ping command
+ (if ICMP traffic is allowed).
+ 3. Check the IKE SAs' statuses.
+ 4. Check the IPsec SAs' statuses.
+ 5. Check logs to view debug messages.
+
+**********************
+Checking IKE SA Status
+**********************
+
+The next command shows IKE SAs' statuses.
+
+.. code-block:: none
+
+ vyos@vyos:~$ show vpn ike sa
+
+ Peer ID / IP Local ID / IP
+ ------------ -------------
+ 192.168.1.2 192.168.1.2 192.168.0.1 192.168.0.1
+
+ State IKEVer Encrypt Hash D-H Group NAT-T A-Time L-Time
+ ----- ------ ------- ---- --------- ----- ------ ------
+ up IKEv2 AES_CBC_128 HMAC_SHA1_96 MODP_2048 no 162 27023
+
+This command shows the next information:
+ - IKE SA status.
+ - Selected IKE version.
+ - Selected Encryption, Hash and Diffie-Hellman Group.
+ - NAT-T.
+ - ID and IP of both peers.
+ - A-Time: established time, L-Time: time for next rekeying.
+
+**************************
+IPsec SA (CHILD SA) Status
+**************************
+
+The next commands show IPsec SAs' statuses.
+
+.. code-block:: none
+
+ vyos@vyos:~$ show vpn ipsec sa
+ Connection State Uptime Bytes In/Out Packets In/Out Remote address Remote ID Proposal
+ ------------- ------- -------- -------------- ---------------- ---------------- ----------- ----------------------------------
+ PEER-tunnel-1 up 16m30s 168B/168B 2/2 192.168.1.2 192.168.1.2 AES_CBC_128/HMAC_SHA1_96/MODP_2048
+
+.. code-block:: none
+
+ vyos@vyos:~$ show vpn ipsec sa detail
+ PEER: #1, ESTABLISHED, IKEv2, 101275ac719d5a1b_i* 68ea4ec3bed3bf0c_r
+ local '192.168.0.1' @ 192.168.0.1[4500]
+ remote '192.168.1.2' @ 192.168.1.2[4500]
+ AES_CBC-128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
+ established 4054s ago, rekeying in 23131s
+ PEER-tunnel-1: #2, reqid 1, INSTALLED, TUNNEL, ESP:AES_CBC-128/HMAC_SHA1_96/MODP_2048
+ installed 1065s ago, rekeying in 1998s, expires in 2535s
+ in c5821882, 168 bytes, 2 packets, 81s ago
+ out c433406a, 168 bytes, 2 packets, 81s ago
+ local 10.0.0.0/24
+ remote 10.0.1.0/24
+
+These commands show the next information:
+ - IPsec SA status.
+ - Uptime and time for the next rekeing.
+ - Amount of transferred data.
+ - Remote and local ID and IP.
+ - Selected Encryption, Hash and Diffie-Hellman Group.
+ - Mode (tunnel or transport).
+ - Remote and local prefixes which are use for policy.
+
+There is a possibility to view the summarized information of SAs' status
+
+.. code-block:: none
+
+ vyos@vyos:~$ show vpn ipsec connections
+ Connection State Type Remote address Local TS Remote TS Local id Remote id Proposal
+ ------------- ------- ------ ---------------- ----------- ----------- ----------- ----------- ----------------------------------
+ PEER up IKEv2 192.168.1.2 - - 192.168.0.1 192.168.1.2 AES_CBC/128/HMAC_SHA1_96/MODP_2048
+ PEER-tunnel-1 up IPsec 192.168.1.2 10.0.0.0/24 10.0.1.0/24 192.168.0.1 192.168.1.2 AES_CBC/128/HMAC_SHA1_96/MODP_2048
+
+**************************
+Viewing Logs for Debugging
+**************************
+
+If IKE SAs or IPsec SAs are down, need to debug IPsec connectivity
+using logs ``show log ipsec``
+
+The next example of the successful IPsec connection initialization.
+
+.. code-block:: none
+
+ vyos@vyos:~$ show log ipsec
+ Jun 20 14:29:47 charon[2428]: 02[NET] <PEER|1> received packet: from 192.168.1.2[500] to 192.168.0.1[500] (472 bytes)
+ Jun 20 14:29:47 charon[2428]: 02[ENC] <PEER|1> parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
+ Jun 20 14:29:47 charon-systemd[2428]: received packet: from 192.168.1.2[500] to 192.168.0.1[500] (472 bytes)
+ Jun 20 14:29:47 charon[2428]: 02[CFG] <PEER|1> selected proposal: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
+ Jun 20 14:29:47 charon-systemd[2428]: parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
+ Jun 20 14:29:47 charon-systemd[2428]: selected proposal: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
+ Jun 20 14:29:47 charon[2428]: 02[IKE] <PEER|1> authentication of '192.168.0.1' (myself) with pre-shared key
+ Jun 20 14:29:47 charon-systemd[2428]: authentication of '192.168.0.1' (myself) with pre-shared key
+ Jun 20 14:29:47 charon[2428]: 02[IKE] <PEER|1> establishing CHILD_SA PEER-tunnel-1{1}
+ Jun 20 14:29:47 charon-systemd[2428]: establishing CHILD_SA PEER-tunnel-1{1}
+ Jun 20 14:29:47 charon[2428]: 02[ENC] <PEER|1> generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
+ Jun 20 14:29:47 charon-systemd[2428]: generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
+ Jun 20 14:29:47 charon[2428]: 02[NET] <PEER|1> sending packet: from 192.168.0.1[4500] to 192.168.1.2[4500] (268 bytes)
+ Jun 20 14:29:47 charon-systemd[2428]: sending packet: from 192.168.0.1[4500] to 192.168.1.2[4500] (268 bytes)
+ Jun 20 14:29:47 charon[2428]: 13[NET] <PEER|1> received packet: from 192.168.1.2[4500] to 192.168.0.1[4500] (220 bytes)
+ Jun 20 14:29:47 charon[2428]: 13[ENC] <PEER|1> parsed IKE_AUTH response 1 [ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) ]
+ Jun 20 14:29:47 charon-systemd[2428]: received packet: from 192.168.1.2[4500] to 192.168.0.1[4500] (220 bytes)
+ Jun 20 14:29:47 charon[2428]: 13[IKE] <PEER|1> authentication of '192.168.1.2' with pre-shared key successful
+ Jun 20 14:29:47 charon-systemd[2428]: parsed IKE_AUTH response 1 [ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) ]
+ Jun 20 14:29:47 charon[2428]: 13[IKE] <PEER|1> peer supports MOBIKE
+ Jun 20 14:29:47 charon-systemd[2428]: authentication of '192.168.1.2' with pre-shared key successful
+ Jun 20 14:29:47 charon[2428]: 13[IKE] <PEER|1> IKE_SA PEER[1] established between 192.168.0.1[192.168.0.1]...192.168.1.2[192.168.1.2]
+ Jun 20 14:29:47 charon-systemd[2428]: peer supports MOBIKE
+ Jun 20 14:29:47 charon[2428]: 13[IKE] <PEER|1> scheduling rekeying in 27703s
+ Jun 20 14:29:47 charon-systemd[2428]: IKE_SA PEER[1] established between 192.168.0.1[192.168.0.1]...192.168.1.2[192.168.1.2]
+ Jun 20 14:29:47 charon[2428]: 13[IKE] <PEER|1> maximum IKE_SA lifetime 30583s
+ Jun 20 14:29:47 charon-systemd[2428]: scheduling rekeying in 27703s
+ Jun 20 14:29:47 charon[2428]: 13[CFG] <PEER|1> selected proposal: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
+ Jun 20 14:29:47 charon-systemd[2428]: maximum IKE_SA lifetime 30583s
+ Jun 20 14:29:47 charon-systemd[2428]: selected proposal: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
+ Jun 20 14:29:47 charon[2428]: 13[IKE] <PEER|1> CHILD_SA PEER-tunnel-1{1} established with SPIs cb94fb3f_i ca99c8a9_o and TS 10.0.0.0/24 === 10.0.1.0/24
+ Jun 20 14:29:47 charon-systemd[2428]: CHILD_SA PEER-tunnel-1{1} established with SPIs cb94fb3f_i ca99c8a9_o and TS 10.0.0.0/24 === 10.0.1.0/24
+
+************************
+Troubleshooting Examples
+************************
+
+IKE PROPOSAL are Different
+==========================
+
+In this situation, IKE SAs can be down or not active.
+
+.. code-block:: none
+
+ vyos@vyos:~$ show vpn ike sa
+
+The problem is in IKE phase (Phase 1). The next step is checking debug logs.
+
+Responder Side:
+
+.. code-block:: none
+
+ Jun 23 07:36:33 charon[2440]: 01[CFG] <1> received proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
+ Jun 23 07:36:33 charon-systemd[2440]: received proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
+ Jun 23 07:36:33 charon[2440]: 01[CFG] <1> configured proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
+ Jun 23 07:36:33 charon-systemd[2440]: configured proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
+ Jun 23 07:36:33 charon[2440]: 01[IKE] <1> received proposals unacceptable
+ Jun 23 07:36:33 charon-systemd[2440]: received proposals unacceptable
+ Jun 23 07:36:33 charon[2440]: 01[ENC] <1> generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
+
+Initiator side:
+
+.. code-block:: none
+
+ Jun 23 07:36:32 charon-systemd[2444]: parsed IKE_SA_INIT response 0 [ N(NO_PROP) ]
+ Jun 23 07:36:32 charon[2444]: 14[IKE] <PEER|1> received NO_PROPOSAL_CHOSEN notify error
+ Jun 23 07:36:32 charon-systemd[2444]: received NO_PROPOSAL_CHOSEN notify error
+
+The notification **NO_PROPOSAL_CHOSEN** means that the proposal mismatch.
+On the Responder side there is concrete information where is mismatch.
+Encryption **AES_CBC_128** is configured in IKE policy on the responder
+but **AES_CBC_256** is configured on the initiator side.
+
+PSK Secret Mismatch
+===================
+
+In this situation, IKE SAs can be down or not active.
+
+.. code-block:: none
+
+ vyos@vyos:~$ show vpn ike sa
+
+The problem is in IKE phase (Phase 1). The next step is checking debug logs.
+
+Responder:
+
+.. code-block:: none
+
+ Jun 23 08:07:26 charon-systemd[2440]: tried 1 shared key for '192.168.1.2' - '192.168.0.1', but MAC mismatched
+ Jun 23 08:07:26 charon[2440]: 13[ENC] <PEER|3> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
+
+Initiator side:
+
+.. code-block:: none
+
+ Jun 23 08:07:24 charon[2436]: 12[ENC] <PEER|1> parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
+ Jun 23 08:07:24 charon-systemd[2436]: parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
+ Jun 23 08:07:24 charon[2436]: 12[IKE] <PEER|1> received AUTHENTICATION_FAILED notify error
+ Jun 23 08:07:24 charon-systemd[2436]: received AUTHENTICATION_FAILED notify error
+
+The notification **AUTHENTICATION_FAILED** means that the authentication
+is failed. There is a reason to check PSK on both side.
+
+ESP Proposal Mismatch
+=====================
+
+The output of **show** commands shows us that IKE SA is established but
+IPSec SA is not.
+
+.. code-block:: none
+
+ vyos@vyos:~$ show vpn ike sa
+ Peer ID / IP Local ID / IP
+ ------------ -------------
+ 192.168.1.2 192.168.1.2 192.168.0.1 192.168.0.1
+
+ State IKEVer Encrypt Hash D-H Group NAT-T A-Time L-Time
+ ----- ------ ------- ---- --------- ----- ------ ------
+ up IKEv2 AES_CBC_128 HMAC_SHA1_96 MODP_2048 no 158 26817
+
+.. code-block:: none
+
+ vyos@vyos:~$ show vpn ipsec sa
+ Connection State Uptime Bytes In/Out Packets In/Out Remote address Remote ID Proposal
+ ------------ ------- -------- -------------- ---------------- ---------------- ----------- ----------
+
+The next step is checking debug logs.
+
+Initiator side:
+
+.. code-block:: none
+
+ Jun 23 08:16:10 charon[3789]: 13[NET] <PEER|1> received packet: from 192.168.1.2[500] to 192.168.0.1[500] (472 bytes)
+ Jun 23 08:16:10 charon[3789]: 13[ENC] <PEER|1> parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
+ Jun 23 08:16:10 charon-systemd[3789]: received packet: from 192.168.1.2[500] to 192.168.0.1[500] (472 bytes)
+ Jun 23 08:16:10 charon[3789]: 13[CFG] <PEER|1> selected proposal: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
+ Jun 23 08:16:10 charon-systemd[3789]: parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
+ Jun 23 08:16:10 charon-systemd[3789]: selected proposal: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
+ Jun 23 08:16:10 charon[3789]: 13[IKE] <PEER|1> authentication of '192.168.0.1' (myself) with pre-shared key
+ Jun 23 08:16:10 charon-systemd[3789]: authentication of '192.168.0.1' (myself) with pre-shared key
+ Jun 23 08:16:10 charon[3789]: 13[IKE] <PEER|1> establishing CHILD_SA PEER-tunnel-1{1}
+ Jun 23 08:16:10 charon-systemd[3789]: establishing CHILD_SA PEER-tunnel-1{1}
+ Jun 23 08:16:10 charon[3789]: 13[ENC] <PEER|1> generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
+ Jun 23 08:16:10 charon-systemd[3789]: generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
+ Jun 23 08:16:10 charon[3789]: 13[NET] <PEER|1> sending packet: from 192.168.0.1[4500] to 192.168.1.2[4500] (268 bytes)
+ Jun 23 08:16:10 charon-systemd[3789]: sending packet: from 192.168.0.1[4500] to 192.168.1.2[4500] (268 bytes)
+ Jun 23 08:16:10 charon[3789]: 09[NET] <PEER|1> received packet: from 192.168.1.2[4500] to 192.168.0.1[4500] (140 bytes)
+ Jun 23 08:16:10 charon-systemd[3789]: received packet: from 192.168.1.2[4500] to 192.168.0.1[4500] (140 bytes)
+ Jun 23 08:16:10 charon[3789]: 09[ENC] <PEER|1> parsed IKE_AUTH response 1 [ IDr AUTH N(MOBIKE_SUP) N(NO_ADD_ADDR) N(NO_PROP) ]
+ Jun 23 08:16:10 charon-systemd[3789]: parsed IKE_AUTH response 1 [ IDr AUTH N(MOBIKE_SUP) N(NO_ADD_ADDR) N(NO_PROP) ]
+ Jun 23 08:16:10 charon[3789]: 09[IKE] <PEER|1> authentication of '192.168.1.2' with pre-shared key successful
+ Jun 23 08:16:10 charon-systemd[3789]: authentication of '192.168.1.2' with pre-shared key successful
+ Jun 23 08:16:10 charon[3789]: 09[IKE] <PEER|1> peer supports MOBIKE
+ Jun 23 08:16:10 charon-systemd[3789]: peer supports MOBIKE
+ Jun 23 08:16:10 charon[3789]: 09[IKE] <PEER|1> IKE_SA PEER[1] established between 192.168.0.1[192.168.0.1]...192.168.1.2[192.168.1.2]
+ Jun 23 08:16:10 charon-systemd[3789]: IKE_SA PEER[1] established between 192.168.0.1[192.168.0.1]...192.168.1.2[192.168.1.2]
+ Jun 23 08:16:10 charon[3789]: 09[IKE] <PEER|1> scheduling rekeying in 26975s
+ Jun 23 08:16:10 charon-systemd[3789]: scheduling rekeying in 26975s
+ Jun 23 08:16:10 charon[3789]: 09[IKE] <PEER|1> maximum IKE_SA lifetime 29855s
+ Jun 23 08:16:10 charon-systemd[3789]: maximum IKE_SA lifetime 29855s
+ Jun 23 08:16:10 charon[3789]: 09[IKE] <PEER|1> received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built
+ Jun 23 08:16:10 charon-systemd[3789]: received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built
+ Jun 23 08:16:10 charon[3789]: 09[IKE] <PEER|1> failed to establish CHILD_SA, keeping IKE_SA
+ Jun 23 08:16:10 charon-systemd[3789]: failed to establish CHILD_SA, keeping IKE_SA
+
+There are messages: **NO_PROPOSAL_CHOSEN** and
+**failed to establish CHILD_SA** which refers that the problem is in
+the IPsec(ESP) proposal mismatch.
+
+The reason of this problem is showed on the responder side.
+
+.. code-block:: none
+
+ Jun 23 08:16:12 charon[2440]: 01[CFG] <PEER|5> received proposals: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
+ Jun 23 08:16:12 charon-systemd[2440]: received proposals: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
+ Jun 23 08:16:12 charon[2440]: 01[CFG] <PEER|5> configured proposals: ESP:AES_CBC_128/HMAC_SHA1_96/MODP_2048/NO_EXT_SEQ
+ Jun 23 08:16:12 charon-systemd[2440]: configured proposals: ESP:AES_CBC_128/HMAC_SHA1_96/MODP_2048/NO_EXT_SEQ
+ Jun 23 08:16:12 charon[2440]: 01[IKE] <PEER|5> no acceptable proposal found
+ Jun 23 08:16:12 charon-systemd[2440]: no acceptable proposal found
+ Jun 23 08:16:12 charon[2440]: 01[IKE] <PEER|5> failed to establish CHILD_SA, keeping IKE_SA
+
+Encryption **AES_CBC_128** is configured in IKE policy on the responder but **AES_CBC_256**
+is configured on the initiator side.
+
+Prefixes in Policies Mismatch
+=============================
+
+As in previous situation, IKE SA is in up state but IPsec SA is not up.
+According to logs we can see **TS_UNACCEPTABLE** notification. It means
+that prefixes (traffic selectors) mismatch on both sides
+
+Initiator:
+
+.. code-block:: none
+
+ Jun 23 14:13:17 charon[4996]: 11[IKE] <PEER|1> received TS_UNACCEPTABLE notify, no CHILD_SA built
+ Jun 23 14:13:17 charon-systemd[4996]: maximum IKE_SA lifetime 29437s
+ Jun 23 14:13:17 charon[4996]: 11[IKE] <PEER|1> failed to establish CHILD_SA, keeping IKE_SA
+ Jun 23 14:13:17 charon-systemd[4996]: received TS_UNACCEPTABLE notify, no CHILD_SA built
+ Jun 23 14:13:17 charon-systemd[4996]: failed to establish CHILD_SA, keeping IKE_SA
+
+The reason of this problem is showed on the responder side.
+
+.. code-block:: none
+
+ Jun 23 14:13:19 charon[2440]: 01[IKE] <PEER|7> traffic selectors 10.0.2.0/24 === 10.0.0.0/24 unacceptable
+ Jun 23 14:13:19 charon-systemd[2440]: traffic selectors 10.0.2.0/24 === 10.0.0.0/24 unacceptable
+ Jun 23 14:13:19 charon[2440]: 01[IKE] <PEER|7> failed to establish CHILD_SA, keeping IKE_SA
+ Jun 23 14:13:19 charon-systemd[2440]: failed to establish CHILD_SA, keeping IKE_SA
+ Jun 23 14:13:19 charon[2440]: 01[ENC] <PEER|7> generating IKE_AUTH response 1 [ IDr AUTH N(MOBIKE_SUP) N(NO_ADD_ADDR) N(TS_UNACCEPT) ]
+ Jun 23 14:13:19 charon-systemd[2440]: generating IKE_AUTH response 1 [ IDr AUTH N(MOBIKE_SUP) N(NO_ADD_ADDR) N(TS_UNACCEPT) ]
+
+Traffic selectors **10.0.2.0/24 === 10.0.0.0/24** are unacceptable on the
+responder side.
+
+
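Review bot: in the "ESP Proposal Mismatch" section the closing sentence says "Encryption AES_CBC_128 is configured in IKE policy on the responder", but the responder log directly above shows the mismatch in the ESP proposals (ESP:AES_CBC_256 received vs ESP:AES_CBC_128 configured), so this should refer to the esp-group (IPsec/ESP policy); as written it repeats the IKE section's sentence verbatim and contradicts the section title. The two code blocks under "IKE PROPOSAL are Different" and "PSK Secret Mismatch" show only `show vpn ike sa` with no output; either include the empty output or say in the text that no SA is listed, so the reader knows what "down or not active" looks like. RST layout: the numbered steps under "Steps for troubleshooting" and the bullet lists after "This command shows the next information:" and "These commands show the next information:" are indented directly under the intro line with no blank line, which Sphinx renders as a definition list rather than a list; add a blank line before them and drop the indent. Wording: "rekeing" -> "rekeying", "which are use for policy" -> "which are used in the policy", "If IKE SAs or IPsec SAs are down, need to debug IPsec connectivity using logs" -> "If IKE SAs or IPsec SAs are down, debug IPsec connectivity using the logs", "The next example of the successful IPsec connection initialization." is a fragment (e.g. "The next example shows a successful IPsec connection initialization."), "means that the proposal mismatch" -> "means that the proposals mismatch", "the authentication is failed. There is a reason to check PSK on both side" -> "authentication failed; check the PSK on both sides", and "The reason of this problem is showed" -> "The reason for this problem is shown" (appears twice).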
diff --git a/docs/configuration/vpn/site2site_ipsec.rst b/docs/configuration/vpn/site2site_ipsec.rst
deleted file mode 100644
index 400aff29..00000000
--- a/docs/configuration/vpn/site2site_ipsec.rst
+++ /dev/null
@@ -1,433 +0,0 @@
-.. _size2site_ipsec:
-
-Site-to-Site
-============
-
-Site-to-site mode provides a way to add remote peers, which could be configured
-to exchange encrypted information between them and VyOS itself or
-connected/routed networks.
-
-To configure site-to-site connection you need to add peers with the
-``set vpn ipsec site-to-site peer <name>`` command.
-
-The peer name must be an alphanumeric and can have hypen or underscore as
-special characters. It is purely informational.
-
-Each site-to-site peer has the next options:
-
-* ``authentication`` - configure authentication between VyOS and a remote peer.
- If pre-shared-secret mode is used, the secret key must be defined in
- ``set vpn ipsec authentication`` and suboptions:
-
- * ``psk`` - Preshared secret key name:
-
- * ``dhcp-interface`` - ID for authentication generated from DHCP address
- dynamically;
- * ``id`` - static ID's for authentication. In general local and remote
- address ``<x.x.x.x>``, ``<h:h:h:h:h:h:h:h>`` or ``%any``;
- * ``secret`` - a predefined shared secret used in configured mode
- ``pre-shared-secret``. Base64-encoded secrets are allowed if
- `secret-type base64` is configured;
- * ``secret-type`` - specifies the secret type, either ``plaintext`` or
- ``base64``. Default to ``plaintext``;
-
-
- * ``local-id`` - ID for the local VyOS router. If defined, during the
- authentication
- it will be send to remote peer;
-
- * ``mode`` - mode for authentication between VyOS and remote peer:
-
- * ``pre-shared-secret`` - use predefined shared secret phrase;
-
- * ``rsa`` - use simple shared RSA key.
-
- * ``x509`` - use certificates infrastructure for authentication.
-
- * ``remote-id`` - define an ID for remote peer, instead of using peer name or
- address. Useful in case if the remote peer is behind NAT or if ``mode x509``
- is used;
-
- * ``rsa`` - options for RSA authentication mode:
-
- * ``local-key`` - name of PKI key-pair with local private key
-
- * ``remote-key`` - name of PKI key-pair with remote public key
-
- * ``passphrase`` - local private key passphrase
-
- * ``use-x509-id`` - use local ID from x509 certificate. Cannot be used when
- ``id`` is defined;
-
- * ``x509`` - options for x509 authentication mode:
-
- * ``ca-certificate`` - CA certificate in PKI configuration. Using for
- authenticating remote peer;
-
- * ``certificate`` - certificate file in PKI configuration, which will be used
- for authenticating local router on remote peer;
-
- * ``passphrase`` - private key passphrase, if needed.
-
-* ``connection-type`` - how to handle this connection process. Possible
- variants:
-
- * ``initiate`` - does initial connection to remote peer immediately after
- configuring and after boot. In this mode the connection will not be restarted
- in case of disconnection, therefore should be used only together with DPD or
- another session tracking methods;
-
- * ``respond`` - does not try to initiate a connection to a remote peer. In this
- mode, the IPSec session will be established only after initiation from a
- remote peer. Could be useful when there is no direct connectivity to the
- peer due to firewall or NAT in the middle of the local and remote side.
-
- * ``none`` - loads the connection only, which then can be manually initiated or
- used as a responder configuration.
-
-* ``default-esp-group`` - ESP group to use by default for traffic encryption.
- Might be overwritten by individual settings for tunnel or VTI interface
- binding;
-
-* ``description`` - description for this peer;
-
-* ``dhcp-interface`` - use an IP address, received from DHCP for IPSec
- connection with this peer, instead of ``local-address``;
-
-* ``force-udp-encapsulation`` - force encapsulation of ESP into UDP datagrams.
- Useful in case if between local and remote side is firewall or NAT, which not
- allows passing plain ESP packets between them;
-
-* ``ike-group`` - IKE group to use for key exchanges;
-
-* ``ikev2-reauth`` - reauthenticate remote peer during the rekeying process.
- Can be used only with IKEv2.
- Create a new IKE_SA from the scratch and try to recreate all IPsec SAs;
-
-* ``local-address`` - local IP address for IPSec connection with this peer.
- If defined ``any``, then an IP address which configured on interface with
- default route will be used;
-
-* ``remote-address`` - remote IP address or hostname for IPSec connection.
- IPv4 or IPv6 address is used when a peer has a public static IP address.
- Hostname is a DNS name which could be used when a peer has a public IP
- address and DNS name, but an IP address could be changed from time to time.
-
-* ``replay-window`` - IPsec replay window to configure for this CHILD_SA
- (default: 32), a value of 0 disables IPsec replay protection
-
-* ``tunnel`` - define criteria for traffic to be matched for encrypting and send
- it to a peer:
-
- * ``disable`` - disable this tunnel;
-
- * ``esp-group`` - define ESP group for encrypt traffic, defined by this tunnel;
-
- * ``local`` - define a local source for match traffic, which should be
- encrypted and send to this peer:
-
- * ``port`` - define port. Have effect only when used together with ``prefix``;
-
- * ``prefix`` - IP network at local side.
-
- * ``priority`` - Add priority for policy-based IPSec VPN tunnels(lowest value
- more preferable)
-
- * ``protocol`` - define the protocol for match traffic, which should be
- encrypted and send to this peer;
-
- * ``remote`` - define the remote destination for match traffic, which should be
- encrypted and send to this peer:
-
- * ``port`` - define port. Have effect only when used together with ``prefix``;
-
- * ``prefix`` - IP network at remote side.
-
-* ``vti`` - use a VTI interface for traffic encryption. Any traffic, which will
- be send to VTI interface will be encrypted and send to this peer. Using VTI
- makes IPSec configuration much flexible and easier in complex situation, and
- allows to dynamically add/delete remote networks, reachable via a peer, as in
- this mode router don't need to create additional SA/policy for each remote
- network:
-
- * ``bind`` - select a VTI interface to bind to this peer;
-
- * ``esp-group`` - define ESP group for encrypt traffic, passed this VTI
- interface.
-
-* ``virtual-address`` - Defines a virtual IP address which is requested by the
- initiator and one or several IPv4 and/or IPv6 addresses are assigned from
- multiple pools by the responder.
-
-Examples:
-------------------
-
-IKEv1
-^^^^^
-
-Example:
-
-* WAN interface on `eth1`
-* left subnet: `192.168.0.0/24` site1, server side (i.e. locality, actually
- there is no client or server roles)
-* left local_ip: `198.51.100.3` # server side WAN IP
-* right subnet: `10.0.0.0/24` site2,remote office side
-* right local_ip: `203.0.113.2` # remote office side WAN IP
-
-.. code-block:: none
-
- # server config
- set vpn ipsec authentication psk OFFICE-B id '198.51.100.3'
- set vpn ipsec authentication psk OFFICE-B id '203.0.113.2'
- set vpn ipsec authentication psk OFFICE-B secret 'SomePreSharedKey'
- set vpn ipsec esp-group office-srv-esp lifetime '1800'
- set vpn ipsec esp-group office-srv-esp mode 'tunnel'
- set vpn ipsec esp-group office-srv-esp pfs 'enable'
- set vpn ipsec esp-group office-srv-esp proposal 1 encryption 'aes256'
- set vpn ipsec esp-group office-srv-esp proposal 1 hash 'sha1'
- set vpn ipsec ike-group office-srv-ike key-exchange 'ikev1'
- set vpn ipsec ike-group office-srv-ike lifetime '3600'
- set vpn ipsec ike-group office-srv-ike proposal 1 encryption 'aes256'
- set vpn ipsec ike-group office-srv-ike proposal 1 hash 'sha1'
- set vpn ipsec interface 'eth1'
- set vpn ipsec site-to-site peer OFFICE-B authentication local-id '198.51.100.3'
- set vpn ipsec site-to-site peer OFFICE-B authentication mode 'pre-shared-secret'
- set vpn ipsec site-to-site peer OFFICE-B authentication remote-id '203.0.113.2'
- set vpn ipsec site-to-site peer OFFICE-B ike-group 'office-srv-ike'
- set vpn ipsec site-to-site peer OFFICE-B local-address '198.51.100.3'
- set vpn ipsec site-to-site peer OFFICE-B remote-address '203.0.113.2'
- set vpn ipsec site-to-site peer OFFICE-B tunnel 0 esp-group 'office-srv-esp'
- set vpn ipsec site-to-site peer OFFICE-B tunnel 0 local prefix '192.168.0.0/24'
- set vpn ipsec site-to-site peer OFFICE-B tunnel 0 remote prefix '10.0.0.0/21'
-
- # remote office config
- set vpn ipsec authentication psk OFFICE-A id '198.51.100.3'
- set vpn ipsec authentication psk OFFICE-A id '203.0.113.2'
- set vpn ipsec authentication psk OFFICE-A secret 'SomePreSharedKey'
- set vpn ipsec esp-group office-srv-esp lifetime '1800'
- set vpn ipsec esp-group office-srv-esp mode 'tunnel'
- set vpn ipsec esp-group office-srv-esp pfs 'enable'
- set vpn ipsec esp-group office-srv-esp proposal 1 encryption 'aes256'
- set vpn ipsec esp-group office-srv-esp proposal 1 hash 'sha1'
- set vpn ipsec ike-group office-srv-ike key-exchange 'ikev1'
- set vpn ipsec ike-group office-srv-ike lifetime '3600'
- set vpn ipsec ike-group office-srv-ike proposal 1 encryption 'aes256'
- set vpn ipsec ike-group office-srv-ike proposal 1 hash 'sha1'
- set vpn ipsec interface 'eth1'
- set vpn ipsec site-to-site peer OFFICE-A authentication local-id '203.0.113.2'
- set vpn ipsec site-to-site peer OFFICE-A authentication mode 'pre-shared-secret'
- set vpn ipsec site-to-site peer OFFICE-A authentication remote-id '198.51.100.3'
- set vpn ipsec site-to-site peer OFFICE-A ike-group 'office-srv-ike'
- set vpn ipsec site-to-site peer OFFICE-A local-address '203.0.113.2'
- set vpn ipsec site-to-site peer OFFICE-A remote-address '198.51.100.3'
- set vpn ipsec site-to-site peer OFFICE-A tunnel 0 esp-group 'office-srv-esp'
- set vpn ipsec site-to-site peer OFFICE-A tunnel 0 local prefix '10.0.0.0/21'
- set vpn ipsec site-to-site peer OFFICE-A tunnel 0 remote prefix '192.168.0.0/24'
-
-Show status of new setup:
-
-.. code-block:: none
-
- vyos@srv-gw0:~$ show vpn ike sa
- Peer ID / IP Local ID / IP
- ------------ -------------
- 203.0.113.2 198.51.100.3
- State Encrypt Hash D-H Grp NAT-T A-Time L-Time
- ----- ------- ---- ------- ----- ------ ------
- up aes256 sha1 5 no 734 3600
-
- vyos@srv-gw0:~$ show vpn ipsec sa
- Peer ID / IP Local ID / IP
- ------------ -------------
- 203.0.113.2 198.51.100.3
- Tunnel State Bytes Out/In Encrypt Hash NAT-T A-Time L-Time Proto
- ------ ----- ------------- ------- ---- ----- ------ ------ -----
- 0 up 7.5M/230.6K aes256 sha1 no 567 1800 all
-
-If there is SNAT rules on eth1, need to add exclude rule
-
-.. code-block:: none
-
- # server side
- set nat source rule 10 destination address '10.0.0.0/24'
- set nat source rule 10 'exclude'
- set nat source rule 10 outbound-interface name 'eth1'
- set nat source rule 10 source address '192.168.0.0/24'
-
- # remote office side
- set nat source rule 10 destination address '192.168.0.0/24'
- set nat source rule 10 'exclude'
- set nat source rule 10 outbound-interface name 'eth1'
- set nat source rule 10 source address '10.0.0.0/24'
-
-To allow traffic to pass through to clients, you need to add the following
-rules. (if you used the default configuration at the top of this page)
-
-.. code-block:: none
-
- # server side
- set firewall name OUTSIDE-LOCAL rule 32 action 'accept'
- set firewall name OUTSIDE-LOCAL rule 32 source address '10.0.0.0/24'
-
- # remote office side
- set firewall name OUTSIDE-LOCAL rule 32 action 'accept'
- set firewall name OUTSIDE-LOCAL rule 32 source address '192.168.0.0/24'
-
-IKEv2
-^^^^^
-
-Example:
-
-* left local_ip: 192.168.0.10 # VPN Gateway, behind NAT device
-* left public_ip:172.18.201.10
-* right local_ip: 172.18.202.10 # right side WAN IP
-
-Imagine the following topology
-
-.. figure:: /_static/images/vpn_s2s_ikev2_c.png
- :scale: 50 %
- :alt: IPSec IKEv2 site2site VPN
-
- IPSec IKEv2 site2site VPN (source ./draw.io/vpn_s2s_ikev2.drawio)
-
-**LEFT:**
-* WAN interface on `eth0.201`
-* `eth0.201` interface IP: `172.18.201.10/24`
-* `vti10` interface IP: `10.0.0.2/31`
-* `dum0` interface IP: `10.0.11.1/24` (for testing purposes)
-
-**RIGHT:**
-* WAN interface on `eth0.202`
-* `eth0.201` interface IP: `172.18.202.10/24`
-* `vti10` interface IP: `10.0.0.3/31`
-* `dum0` interface IP: `10.0.12.1/24` (for testing purposes)
-
-.. note:: Don't get confused about the used /31 tunnel subnet. :rfc:`3021`
- gives you additional information for using /31 subnets on point-to-point
- links.
-
-**LEFT**
-
-.. code-block:: none
-
- set interfaces ethernet eth0 vif 201 address '172.18.201.10/24'
- set interfaces dummy dum0 address '10.0.11.1/24'
- set interfaces vti vti10 address '10.0.0.2/31'
-
- set vpn ipsec authentication psk peer_172-18-202-10 id '172.18.201.10'
- set vpn ipsec authentication psk peer_172-18-202-10 id '172.18.202.10'
- set vpn ipsec authentication psk peer_172-18-202-10 secret 'secretkey'
- set vpn ipsec esp-group ESP_DEFAULT lifetime '3600'
- set vpn ipsec esp-group ESP_DEFAULT mode 'tunnel'
- set vpn ipsec esp-group ESP_DEFAULT pfs 'dh-group19'
- set vpn ipsec esp-group ESP_DEFAULT proposal 10 encryption 'aes256gcm128'
- set vpn ipsec esp-group ESP_DEFAULT proposal 10 hash 'sha256'
- set vpn ipsec ike-group IKEv2_DEFAULT close-action 'none'
- set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection action 'trap'
- set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection interval '30'
- set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection timeout '120'
- set vpn ipsec ike-group IKEv2_DEFAULT disable-mobike
- set vpn ipsec ike-group IKEv2_DEFAULT key-exchange 'ikev2'
- set vpn ipsec ike-group IKEv2_DEFAULT lifetime '10800'
- set vpn ipsec ike-group IKEv2_DEFAULT proposal 10 dh-group '19'
- set vpn ipsec ike-group IKEv2_DEFAULT proposal 10 encryption 'aes256gcm128'
- set vpn ipsec ike-group IKEv2_DEFAULT proposal 10 hash 'sha256'
- set vpn ipsec interface 'eth0.201'
- set vpn ipsec site-to-site peer peer_172-18-202-10 authentication local-id '172.18.201.10'
- set vpn ipsec site-to-site peer peer_172-18-202-10 authentication mode 'pre-shared-secret'
- set vpn ipsec site-to-site peer peer_172-18-202-10 authentication remote-id '172.18.202.10'
- set vpn ipsec site-to-site peer peer_172-18-202-10 connection-type 'initiate'
- set vpn ipsec site-to-site peer peer_172-18-202-10 ike-group 'IKEv2_DEFAULT'
- set vpn ipsec site-to-site peer peer_172-18-202-10 ikev2-reauth 'inherit'
- set vpn ipsec site-to-site peer peer_172-18-202-10 local-address '172.18.201.10'
- set vpn ipsec site-to-site peer peer_172-18-202-10 remote-address '172.18.202.10'
- set vpn ipsec site-to-site peer peer_172-18-202-10 vti bind 'vti10'
- set vpn ipsec site-to-site peer peer_172-18-202-10 vti esp-group 'ESP_DEFAULT'
-
- set protocols static interface-route 10.0.12.0/24 next-hop-interface vti10
-
-**RIGHT**
-
-.. code-block:: none
-
- set interfaces ethernet eth0 vif 202 address '172.18.202.10/24'
- set interfaces dummy dum0 address '10.0.12.1/24'
- set interfaces vti vti10 address '10.0.0.3/31'
-
- set vpn ipsec authentication psk peer_172-18-201-10 id '172.18.202.10'
- set vpn ipsec authentication psk peer_172-18-201-10 id '172.18.201.10'
- set vpn ipsec authentication psk peer_172-18-201-10 secret 'secretkey'
- set vpn ipsec esp-group ESP_DEFAULT lifetime '3600'
- set vpn ipsec esp-group ESP_DEFAULT mode 'tunnel'
- set vpn ipsec esp-group ESP_DEFAULT pfs 'dh-group19'
- set vpn ipsec esp-group ESP_DEFAULT proposal 10 encryption 'aes256gcm128'
- set vpn ipsec esp-group ESP_DEFAULT proposal 10 hash 'sha256'
- set vpn ipsec ike-group IKEv2_DEFAULT close-action 'none'
- set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection action 'trap'
- set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection interval '30'
- set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection timeout '120'
- set vpn ipsec ike-group IKEv2_DEFAULT disable-mobike
- set vpn ipsec ike-group IKEv2_DEFAULT key-exchange 'ikev2'
- set vpn ipsec ike-group IKEv2_DEFAULT lifetime '10800'
- set vpn ipsec ike-group IKEv2_DEFAULT proposal 10 dh-group '19'
- set vpn ipsec ike-group IKEv2_DEFAULT proposal 10 encryption 'aes256gcm128'
- set vpn ipsec ike-group IKEv2_DEFAULT proposal 10 hash 'sha256'
- set vpn ipsec interface 'eth0.202'
- set vpn ipsec site-to-site peer peer_172-18-201-10 authentication local-id '172.18.202.10'
- set vpn ipsec site-to-site peer peer_172-18-201-10 authentication mode 'pre-shared-secret'
- set vpn ipsec site-to-site peer peer_172-18-201-10 authentication remote-id '172.18.201.10'
- set vpn ipsec site-to-site peer peer_172-18-201-10 connection-type 'initiate'
- set vpn ipsec site-to-site peer peer_172-18-201-10 ike-group 'IKEv2_DEFAULT'
- set vpn ipsec site-to-site peer peer_172-18-201-10 ikev2-reauth 'inherit'
- set vpn ipsec site-to-site peer peer_172-18-201-10 local-address '172.18.202.10'
- set vpn ipsec site-to-site peer peer_172-18-201-10 remote-address '172.18.201.10'
- set vpn ipsec site-to-site peer peer_172-18-201-10 vti bind 'vti10'
- set vpn ipsec site-to-site peer peer_172-18-201-10 vti esp-group 'ESP_DEFAULT'
-
- set protocols static interface-route 10.0.11.0/24 next-hop-interface vti10
-
-Key Parameters:
-
-* ``authentication local-id/remote-id`` - IKE identification is used for
- validation of VPN peer devices during IKE negotiation. If you do not configure
- local/remote-identity, the device uses the IPv4 or IPv6 address that
- corresponds to the local/remote peer by default.
- In certain network setups (like ipsec interface with dynamic address, or
- behind the NAT ), the IKE ID received from the peer does not match the IKE
- gateway configured on the device. This can lead to a Phase 1 validation
- failure.
- So, make sure to configure the local/remote id explicitly and ensure that the
- IKE ID is the same as the remote-identity configured on the peer device.
-
-* ``disable-route-autoinstall`` - This option when configured disables the
- routes installed in the default table 220 for site-to-site ipsec.
- It is mostly used with VTI configuration.
-
-* ``dead-peer-detection action = clear | trap | restart`` - R_U_THERE
- notification messages(IKEv1) or empty INFORMATIONAL messages (IKEv2)
- are periodically sent in order to check the liveliness of the IPsec peer. The
- values clear, trap, and restart all activate DPD and determine the action to
- perform on a timeout.
- With ``clear`` the connection is closed with no further actions taken.
- ``trap`` installs a trap policy, which will catch matching traffic and tries
- to re-negotiate the connection on demand.
- ``restart`` will immediately trigger an attempt to re-negotiate the
- connection.
-
-* ``close-action = none | clear | trap | start`` - defines the action to take
- if the remote peer unexpectedly closes a CHILD_SA (see above for meaning of
- values). A closeaction should not be used if the peer uses reauthentication or
- uniqueids.
-
- When the close-action option is set on the peers, the connection-type
- of each peer has to considered carefully. For example, if the option is set
- on both peers, then both would attempt to initiate and hold open multiple
- copies of each child SA. This might lead to instability of the device or
- cpu/memory utilization.
-
- Below flow-chart could be a quick reference for the close-action
- combination depending on how the peer is configured.
-
-.. figure:: /_static/images/IPSec_close_action_settings.jpg
-
- Similar combinations are applicable for the dead-peer-detection.
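Review bot: the removed site-to-site examples carried several inconsistencies that should not be copied into the new `site2site_ipsec.rst`; please double-check the replacement text against them. In the RIGHT block of the IKEv2 example the interface list says `eth0.201` interface IP: `172.18.202.10/24` while the configuration below it sets `set interfaces ethernet eth0 vif 202 ...` and `set vpn ipsec interface 'eth0.202'`, so the bullet should read `eth0.202`. In the IKEv1 example the tunnel is `tunnel 0 remote prefix '10.0.0.0/21'`, but the SNAT exclude rule and the firewall accept rule both use `10.0.0.0/24` (`set nat source rule 10 destination address '10.0.0.0/24'`, `set firewall name OUTSIDE-LOCAL rule 32 source address '10.0.0.0/24'`); with that mismatch, traffic to the rest of the /21 is still source-NATed and no longer matches the tunnel's traffic selector, so the prefixes must agree. The removed text also referenced `/_static/images/IPSec_close_action_settings.jpg`, which this commit deletes in favour of the `.png`, so the new page should point at the `.png`. Finally, the IKEv1 example used `key-exchange 'ikev1'`, `hash 'sha1'` and no DH group for PFS beyond `pfs 'enable'`; if a similar quick-start survives in the rewrite it should follow the IKEv2 example (`ikev2`, `sha256`, an explicit `dh-group`) rather than reintroducing SHA-1 and IKEv1 as the default.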