configuration page: corrected spelling and grammatical mistakes

There were minimal grammatical and spelling mistakes in the files which I
corrected as documentation proof reading.
Also added information about few ipsec vpn parameters.

2 files changed, 49 insertions, 9 deletions

diff --git a/docs/configuration/vpn/l2tp.rst b/docs/configuration/vpn/l2tp.rst
index bbe2b881..411b7b5e 100644
--- a/docs/configuration/vpn/l2tp.rst
+++ b/docs/configuration/vpn/l2tp.rst
@@ -160,7 +160,7 @@ servers can be setup and will be used subsequentially.
 RADIUS source address
 ^^^^^^^^^^^^^^^^^^^^^
 
-If you are using OSPF as IGP always the closets interface connected to the
+If you are using OSPF as IGP, always the closest interface connected to the
 RADIUS server is used. With VyOS 1.2 you can bind all outgoing RADIUS requests
 to a single source IP e.g. the loopback interface.
 
@@ -172,7 +172,7 @@ Above command will use `10.0.0.3` as source IPv4 address for all RADIUS queries
 on this NAS.
 
 .. note:: The ``source-address`` must be configured on one of VyOS interface.
-   Best proctice would be a loopback or dummy interface.
+   Best practice would be a loopback or dummy interface.
 
 RADIUS bandwidth shaping attribute
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
diff --git a/docs/configuration/vpn/site2site_ipsec.rst b/docs/configuration/vpn/site2site_ipsec.rst
index e81c5c3b..aace98aa 100644
--- a/docs/configuration/vpn/site2site_ipsec.rst
+++ b/docs/configuration/vpn/site2site_ipsec.rst
@@ -264,9 +264,15 @@ rules. (if you used the default configuration at the top of this page)
 IKEv2
 ^^^^^
 
+Example:
+
+* left local_ip: 192.168.0.10 # VPN Gateway, behind NAT device
+* left public_ip:172.18.201.10
+* right local_ip: 172.18.202.10 # right side WAN IP
+
 Imagine the following topology
 
-.. figure:: /_static/images/vpn_s2s_ikev2.png
+.. figure:: /_static/images/vpn_s2s_ikev2_c.png
    :scale: 50 %
    :alt: IPSec IKEv2 site2site VPN
 
@@ -289,9 +295,6 @@ Imagine the following topology
   set vpn ipsec esp-group ESP_DEFAULT pfs 'dh-group19'
   set vpn ipsec esp-group ESP_DEFAULT proposal 10 encryption 'aes256gcm128'
   set vpn ipsec esp-group ESP_DEFAULT proposal 10 hash 'sha256'
-  set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection action 'hold'
-  set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection interval '30'
-  set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection timeout '120'
   set vpn ipsec ike-group IKEv2_DEFAULT ikev2-reauth 'no'
   set vpn ipsec ike-group IKEv2_DEFAULT key-exchange 'ikev2'
   set vpn ipsec ike-group IKEv2_DEFAULT lifetime '10800'
@@ -304,10 +307,10 @@ Imagine the following topology
   set vpn ipsec site-to-site peer 172.18.202.10 authentication mode 'pre-shared-secret'
   set vpn ipsec site-to-site peer 172.18.202.10 authentication pre-shared-secret 'secretkey'
   set vpn ipsec site-to-site peer 172.18.202.10 authentication remote-id '172.18.202.10'
-  set vpn ipsec site-to-site peer 172.18.202.10 connection-type 'initiate'
+  set vpn ipsec site-to-site peer 172.18.202.10 connection-type 'respond'
   set vpn ipsec site-to-site peer 172.18.202.10 ike-group 'IKEv2_DEFAULT'
   set vpn ipsec site-to-site peer 172.18.202.10 ikev2-reauth 'inherit'
-  set vpn ipsec site-to-site peer 172.18.202.10 local-address '172.18.201.10'
+  set vpn ipsec site-to-site peer 172.18.202.10 local-address '192.168.0.10'
   set vpn ipsec site-to-site peer 172.18.202.10 vti bind 'vti10'
   set vpn ipsec site-to-site peer 172.18.202.10 vti esp-group 'ESP_DEFAULT'
 
@@ -323,7 +326,7 @@ Imagine the following topology
   set vpn ipsec esp-group ESP_DEFAULT pfs 'dh-group19'
   set vpn ipsec esp-group ESP_DEFAULT proposal 10 encryption 'aes256gcm128'
   set vpn ipsec esp-group ESP_DEFAULT proposal 10 hash 'sha256'
-  set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection action 'hold'
+  set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection action 'restart'
   set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection interval '30'
   set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection timeout '120'
   set vpn ipsec ike-group IKEv2_DEFAULT ikev2-reauth 'no'
@@ -344,3 +347,40 @@ Imagine the following topology
   set vpn ipsec site-to-site peer 172.18.201.10 local-address '172.18.202.10'
   set vpn ipsec site-to-site peer 172.18.201.10 vti bind 'vti10'
   set vpn ipsec site-to-site peer 172.18.201.10 vti esp-group 'ESP_DEFAULT'
+
+Key Parameters:
+
+* ``authentication id/remote-id`` - IKE identification is used for validation 
+  of VPN peer devices during IKE negotiation. If you do not configure local/
+  remote-identity, the device uses the IPv4 or IPv6 address that corresponds 
+  to the local/remote peer by default.
+  In certain network setups (like ipsec interface with dynamic address, or 
+  behind the NAT ), the IKE ID received from the peer does not match the IKE 
+  gateway configured on the device. This can lead to a Phase 1 validation 
+  failure.
+  So, make sure to configure the local/remote id explicitly and ensure that the 
+  IKE ID is the same as the remote-identity configured on the peer device.
+
+* ``disable-route-autoinstall`` - This option when configured disables the
+  routes installed in the default table 220 for site-to-site ipsec.
+  It is mostly used with VTI configuration.
+
+* ``dead-peer-detection action = clear | hold | restart`` - R_U_THERE 
+  notification messages(IKEv1) or empty INFORMATIONAL messages (IKEv2) 
+  are periodically sent in order to check the liveliness of theIPsec peer. The 
+  values clear, hold, and restart all activate DPD and determine the action to 
+  perform on a timeout.
+  With ``clear`` the connection is closed with no further actions taken. 
+  ``hold`` installs a trap policy, which will catch matching traffic and tries 
+  to re-negotiate the connection on demand. 
+  ``restart`` will immediately trigger an attempt to re-negotiate the 
+  connection.
+
+* ``close-action = none | clear | hold | restart`` - defines the action to take 
+  if the remote peer unexpectedly closes a CHILD_SA (see above for meaning of 
+  values). A closeaction should not be used if the peer uses reauthentication or
+  uniqueids.
+  
+  For a responder, close-action or dead-peer-detection must not be enabled.  
+  For an initiator DPD with `restart` action, and `close-action 'restart'` 
+  is recommended in IKE profile.