summaryrefslogtreecommitdiff
path: root/docs/configuration/vpn
diff options
context:
space:
mode:
authorDaniil Baturin <daniil@vyos.io>2026-05-06 14:08:24 +0100
committerGitHub <noreply@github.com>2026-05-06 14:08:24 +0100
commitdfea790b36ddab4c6661436c8eed3cea7af5bd3a (patch)
treec1a9a432839a7ce7aecc4072750d476ae6186248 /docs/configuration/vpn
parent4b36114e053ee11d0cb264a1e4cfe4692d78f194 (diff)
downloadvyos-documentation-dfea790b36ddab4c6661436c8eed3cea7af5bd3a.tar.gz
vyos-documentation-dfea790b36ddab4c6661436c8eed3cea7af5bd3a.zip
Revert "Add incremental RST-to-MyST swap mechanism (#1857)" (#1892)
This reverts commit 4b36114e053ee11d0cb264a1e4cfe4692d78f194.
Diffstat (limited to 'docs/configuration/vpn')
-rw-r--r--docs/configuration/vpn/ipsec/md-index.md11
-rw-r--r--docs/configuration/vpn/ipsec/md-ipsec_general.md407
-rw-r--r--docs/configuration/vpn/ipsec/md-remoteaccess_ipsec.md186
-rw-r--r--docs/configuration/vpn/ipsec/md-site2site_ipsec.md780
-rw-r--r--docs/configuration/vpn/ipsec/md-troubleshooting_ipsec.md313
-rw-r--r--docs/configuration/vpn/md-dmvpn.md431
-rw-r--r--docs/configuration/vpn/md-index.md14
-rw-r--r--docs/configuration/vpn/md-l2tp.md624
-rw-r--r--docs/configuration/vpn/md-openconnect.md330
-rw-r--r--docs/configuration/vpn/md-pptp.md594
-rw-r--r--docs/configuration/vpn/md-rsa-keys.md114
-rw-r--r--docs/configuration/vpn/md-sstp.md698
12 files changed, 0 insertions, 4502 deletions
diff --git a/docs/configuration/vpn/ipsec/md-index.md b/docs/configuration/vpn/ipsec/md-index.md
deleted file mode 100644
index cc40b6f8..00000000
--- a/docs/configuration/vpn/ipsec/md-index.md
+++ /dev/null
@@ -1,11 +0,0 @@
-# IPsec
-
-```{toctree}
-:includehidden: true
-:maxdepth: 1
-
-ipsec_general
-site2site_ipsec
-remoteaccess_ipsec
-troubleshooting_ipsec
-```
diff --git a/docs/configuration/vpn/ipsec/md-ipsec_general.md b/docs/configuration/vpn/ipsec/md-ipsec_general.md
deleted file mode 100644
index 6fc47386..00000000
--- a/docs/configuration/vpn/ipsec/md-ipsec_general.md
+++ /dev/null
@@ -1,407 +0,0 @@
-(ipsec_general)=
-
-# IPsec General Information
-
-## Information about IPsec
-
-IPsec is the framework used to secure data.
-IPsec accomplishes these goals by providing authentication,
-encryption of IP network packets, key exchange, and key management.
-VyOS uses Strongswan package to implement IPsec.
-
-**Authentication Header (AH)** is defined in {rfc}`4302`. It creates
-a hash using the IP header and data payload, and prepends it to the
-packet. This hash is used to validate that the data has not been
-changed during transfer over the network.
-
-**Encapsulating Security Payload (ESP)** is defined in {rfc}`4303`.
-It provides encryption and authentication of the data.
-
-```{eval-rst}
-There are two IPsec modes:
- **IPsec Transport Mode**:
- In transport mode, an IPSec header (AH or ESP) is inserted
- between the IP header and the upper layer protocol header.
-
- **IPsec Tunnel Mode:**
- In tunnel mode, the original IP packet is encapsulated in
- another IP datagram, and an IPsec header (AH or ESP) is
- inserted between the outer and inner headers.
-
-.. figure:: /_static/images/ESP_AH.webp
- :scale: 80 %
- :alt: AH and ESP in Transport Mode and Tunnel Mode
-```
-
-## IKE (Internet Key Exchange)
-
-The default IPsec method for secure key negotiation is the Internet Key
-Exchange (IKE) protocol. IKE is designed to provide mutual authentication
-of systems, as well as to establish a shared secret key to create IPsec
-security associations. A security association (SA) includes all relevant
-attributes of the connection, including the cryptographic algorithm used,
-the IPsec mode, the encryption key, and other parameters related to the
-transmission of data over the VPN connection.
-
-### IKEv1
-
-IKEv1 is the older version and is still used today. Nowadays, most
-manufacturers recommend using IKEv2 protocol.
-
-IKEv1 is described in the next RFCs: {rfc}`2409` (IKE), {rfc}`3407`
-(IPsec DOI), {rfc}`3947` (NAT-T), {rfc}`3948` (UDP Encapsulation
-of ESP Packets), {rfc}`3706` (DPD)
-
-```{eval-rst}
-IKEv1 operates in two phases to establish these IKE and IPsec SAs:
- * **Phase 1** provides mutual authentication of the IKE peers and
- establishment of the session key. This phase creates an IKE SA (a
- security association for IKE) using a DH exchange, cookies, and an
- ID exchange. Once an IKE SA is established, all IKE communication
- between the initiator and responder is protected with encryption
- and an integrity check that is authenticated. The purpose of IKE
- phase 1 is to facilitate a secure channel between the peers so that
- phase 2 negotiations can occur securely. IKE phase 1 offers two modes:
- Main and Aggressive.
-
- * **Main Mode** is used for site-to-site VPN connections.
-
- * **Aggressive Mode** is used for remote access VPN connections.
-
- * **Phase 2** provides for the negotiation and establishment of the
- IPsec SAs using ESP or AH to protect IP data traffic.
-```
-
-### IKEv2
-
-IKEv2 is described in {rfc}`7296`. The biggest difference between IKEv1 and
-IKEv2 is that IKEv2 is much simpler and more reliable than IKEv1 because
-fewer messages are exchanged during the establishment of the VPN and
-additional security capabilities are available.
-
-### IKE Authentication
-
-```{eval-rst}
-VyOS supports 3 authentication methods.
- * **Pre-shared keys**: In this method, both peers of the IPsec
- tunnel must have the same preshared keys.
- * **Digital certificates**: PKI is used in this method.
- * **RSA-keys**: If the RSA-keys method is used in your IKE policy,
- you need to make sure each peer has the other peer’s public keys.
-```
-
-## DPD (Dead Peer Detection)
-
-This is a mechanism used to detect when a VPN peer is no longer active.
-This mechanism has different algorithms in IKEv1 and IKEv2 in VyOS.
-DPD Requests are sent as ISAKMP R-U-THERE messages and DPD Responses
-are sent as ISAKMP R-U-THERE-ACK messages. In IKEv1, DPD sends messages
-every configured interval. The remote peer is considered unreachable
-if no response to these packets is received within the DPD timeout.
-In IKEv2, DPD sends messages every configured interval. If one request
-is not responded, Strongswan execute its retransmission algorithm with
-its timers. [IKEv2 Retransmission](#ikev2-retransmission)
-
-## Post-Quantum Preshared Keys (PPK)
-
-Post-Quantum Preshared Keys help provide some quantum resistance to IPSec
-tunnels when a post-quantum key exchange algorithm such as ML-KEM is not
-available. The use of PPKs in IKEv2 is described in {rfc}`8784`.
-
-```{eval-rst}
-.. cfgmod:: edit vpn authentication ppk <name>
-```
-
-PPKs can be configued within VyOS under the `vpn ipsec authentication ppk`
-config.
-
-```{eval-rst}
-.. cfgmod:: set vpn authentication ppk <name> secret-type <plaintext|hex|base64>
-```
-
-PPKs need an id and a secret value. The ID and the secret must match if PPKs are
-required for a successful IPsec connection. The secret can be plain text, a
-hex value, or a Base64 value. The default is plain text. If using another
-type of value, you must define the secret type.
-
-```{eval-rst}
-.. cfgmod:: set vpn ipsec site-to-site <name> ppk id <id>
-```
-
-To use a PPK within a site-to-site or remote access connection, define the PPK
-id under the connection.
-
-```{eval-rst}
-.. cfgmod:: set vpn ipsec site-to-site <name> ppk required
-```
-
-Optionally, you can require the use of PPK to have a successful connection.
-
-```{eval-rst}
-.. cfgmod:: show vpn ipsec connections
-```
-
-You can view the PPK column for information on if PPK is configured, and
-if it is in use. The output is in the format of `<configured> / <in use>`.
-The options for configured are none if not conifugred, opt if configured
-but optional, and req is configured and required. The in use will show yes
-Possible values of the `configured` field are `none` if not
-conifgured, `opt` if configured but optional, and `req` is
-configured and required. The in use will show yes
-
-## Configuration IKE
-
-```{eval-rst}
-IKE (Internet Key Exchange) Attributes
-======================================
-
-VyOS IKE group has the next options:
-
-.. cfgcmd:: set vpn ipsec ike-group <name> close-action <action>
-
- Defines the action to take if the remote peer unexpectedly
- closes a CHILD_SA:
-
- * **none** - Set action to none (default),
- * **trap** - Installs a trap policy (IPsec policy without Security
- Association) for the CHILD_SA and traffic matching these policies
- will trigger acquire events that cause the daemon to establish the
- required IKE/IPsec SAs.
- * **start** - Tries to immediately re-create the CHILD_SA.
-
-.. cfgcmd:: set vpn ipsec ike-group <name> ikev2-reauth
-
- Whether rekeying of an IKE_SA should also reauthenticate
- the peer. In IKEv1, reauthentication is always done.
- Setting this parameter enables remote host re-authentication
- during an IKE rekey.
-
-.. cfgcmd:: set vpn ipsec ike-group <name> key-exchange
-
- Which protocol should be used to initialize the connection
- If not set both protocols are handled and connections will
- use IKEv2 when initiating, but accept any protocol version
- when responding:
-
- * **ikev1** - Use IKEv1 for Key Exchange.
- * **ikev2** - Use IKEv2 for Key Exchange.
-
-.. cfgcmd:: set vpn ipsec ike-group <name> lifetime
-
- IKE lifetime in seconds <0-86400> (default 28800).
-
-.. cfgcmd:: set vpn ipsec ike-group <name> mode
-
- IKEv1 Phase 1 Mode Selection:
-
- * **main** - Use Main mode for Key Exchanges in the IKEv1 Protocol
- (Recommended Default).
- * **aggressive** - Use Aggressive mode for Key Exchanges in the IKEv1
- protocol aggressive mode is much more insecure compared to Main mode.
-
-.. stop_vyoslinter
-
-.. cfgcmd:: set vpn ipsec ike-group <name> proposal <number> dh-group <dh-group number>
-
- Dh-group. Default value is **2**.
-
-.. cfgcmd:: set vpn ipsec ike-group <name> proposal <number> encryption <encryption>
-
- Encryption algorithm. Default value is **aes128**.
-
-.. start_vyoslinter
-
-.. cfgcmd:: set vpn ipsec ike-group <name> proposal <number> hash <hash>
-
- Hash algorithm. Default value is **sha1**.
-
-.. cfgcmd:: set vpn ipsec ike-group <name> proposal <number> prf <prf>
-
- Pseudo-random function.
-
-
-DPD (Dead Peer Detection) Configuration
-=======================================
-
-.. cfgcmd:: set vpn ipsec ike-group <name> dead-peer-detection action <action>
-
- Action to perform for this CHILD_SA on DPD timeout.
-
- * **trap** - Installs a trap policy (IPsec policy without Security
- Association), which will catch matching traffic and tries to
- re-negotiate the tunnel on-demand.
- * **clear** - Closes the CHILD_SA and does not take further action
- (default).
- * **restart** - Immediately tries to re-negotiate the CHILD_SA
- under a fresh IKE_SA.
-
-.. stop_vyoslinter
-
-.. cfgcmd:: set vpn ipsec ike-group <name> dead-peer-detection interval <interval>
-
- Keep-alive interval in seconds <2-86400> (default 30).
-
-.. start_vyoslinter
-
-.. cfgcmd:: set vpn ipsec ike-group <name> dead-peer-detection timeout <timeout>
-
- Keep-alive timeout in seconds <2-86400> (default 120) **IKEv1 only**
-
-ESP (Encapsulating Security Payload) Attributes
-===============================================
-
-In VyOS, ESP attributes are specified through ESP groups.
-Multiple proposals can be specified in a single group.
-
-VyOS ESP group has the next options:
-
-.. cfgcmd:: set vpn ipsec esp-group <name> compression
-
- Enables the IPComp(IP Payload Compression) protocol which allows
- compressing the content of IP packets.
-
-.. cfgcmd:: set vpn ipsec esp-group <name> disable-rekey
-
- Do not locally initiate a re-key of the SA, remote peer must
- re-key before expiration.
-
-.. cfgcmd:: set vpn ipsec esp-group <name> life-bytes <bytes>
-
- ESP life in bytes <1024-26843545600000>. Number of bytes
- transmitted over an IPsec SA before it expires.
-
-.. cfgcmd:: set vpn ipsec esp-group <name> life-packets <packets>
-
- ESP life in packets <1000-26843545600000>.
- Number of packets transmitted over an IPsec SA before it expires.
-
-.. cfgcmd:: set vpn ipsec esp-group <name> lifetime <timeout>
-
- ESP lifetime in seconds <30-86400> (default 3600).
- How long a particular instance of a connection (a set of
- encryption/authentication keys for user packets) should last,
- from successful negotiation to expiry.
-
-.. cfgcmd:: set vpn ipsec esp-group <name> mode <mode>
-
- The type of the connection:
-
- * **tunnel** - Tunnel mode (default).
- * **transport** - Transport mode.
-
-.. cfgcmd:: set vpn ipsec esp-group <name> pfs < dh-group>
-
- Whether Perfect Forward Secrecy of keys is desired on the
- connection's keying channel and defines a Diffie-Hellman group for
- PFS:
-
- * **enable** - Inherit Diffie-Hellman group from IKE group (default).
- * **disable** - Disable PFS.
- * **<dh-group>** - Defines a Diffie-Hellman group for PFS.
-
-.. stop_vyoslinter
-
-.. cfgcmd:: set vpn ipsec esp-group <name> proposal <number> encryption <encryption>
-
- Encryption algorithm. Default value is **aes128**.
-
-.. start_vyoslinter
-
-.. cfgcmd:: set vpn ipsec esp-group <name> proposal <number> hash <hash>
-
- Hash algorithm. Default value is **sha1**.
-
-Global IPsec Settings
-=====================
-
-.. cfgcmd:: set vpn ipsec interface <name>
-
- Interface name to restrict outbound IPsec policies. There is a possibility
- to specify multiple interfaces. If an interfaces are not specified, IPsec
- policies apply to all interfaces.
-
-
-.. cfgcmd:: set vpn ipsec log level <number>
-
- Level of logging. Default value is **0**.
-
-.. cfgcmd:: set vpn ipsec log subsystem <name>
-
- Subsystem of the daemon.
-
-Options
-=======
-
-.. cfgcmd:: set vpn ipsec options disable-route-autoinstall
-
- Do not automatically install routes to remote
- networks.
-
-.. cfgcmd:: set vpn ipsec options flexvpn
-
- Allows FlexVPN vendor ID payload (IKEv2 only). Send the Cisco
- FlexVPN vendor ID payload (IKEv2 only), which is required in order to make
- Cisco brand devices allow negotiating a local traffic selector (from
- strongSwan's point of view) that is not the assigned virtual IP address if
- such an address is requested by strongSwan. Sending the Cisco FlexVPN
- vendor ID prevents the peer from narrowing the initiator's local traffic
- selector and allows it to e.g. negotiate a TS of 0.0.0.0/0 == 0.0.0.0/0
- instead. This has been tested with a "tunnel mode ipsec ipv4" Cisco
- template but should also work for GRE encapsulation.
-
-.. cfgcmd:: set vpn ipsec options interface <name>
-
- Interface Name to use. The name of the interface on which
- virtual IP addresses should be installed. If not specified the addresses
- will be installed on the outbound interface.
-
-.. cfgcmd:: set vpn ipsec options virtual-ip
-
- Allows the installation of virtual-ip addresses.
-```
-
-### IKEv2 Retransmission
-
-If the peer does not respond on DPD packet, the router starts retransmission procedure.
-
-The following formula is used to calculate the timeout:
-
-```none
-relative timeout = timeout * base ^ (attempts-1)
-```
-
-```{cfgcmd} set vpn ipsec options retransmission attempts
-
-Number of attempts before the peer is considered to be in the down state.
-Default value is **5**.
-```
-
-```{cfgcmd} set vpn ipsec options retransmission base
-
-Base number of exponential backoff. Default value is **1.8**.
-```
-
-```{cfgcmd} set vpn ipsec options retransmission timeout
-
-Timeout in seconds before the first retransmission. Default value is **4**.
-```
-
-Using the default values, packets are retransmitted as follows:
-
-```{eval-rst}
-+-----------+-------------+------------------+------------------+
-| Attempts | Formula | Relative timeout | Absolute timeout |
-+-----------+-------------+------------------+------------------+
-| 1 | 4 * 1.8 ^ 0 | 4s | 4s |
-+-----------+-------------+------------------+------------------+
-| 2 | 4 * 1.8 ^ 1 | 7s | 11s |
-+-----------+-------------+------------------+------------------+
-| 3 | 4 * 1.8 ^ 2 | 13s | 24s |
-+-----------+-------------+------------------+------------------+
-| 4 | 4 * 1.8 ^ 3 | 23s | 47s |
-+-----------+-------------+------------------+------------------+
-| 5 | 4 * 1.8 ^ 4 | 42s | 89s |
-+-----------+-------------+------------------+------------------+
-| peer down | 4 * 1.8 ^ 5 | 76s | 165s |
-+-----------+-------------+------------------+------------------+
-```
diff --git a/docs/configuration/vpn/ipsec/md-remoteaccess_ipsec.md b/docs/configuration/vpn/ipsec/md-remoteaccess_ipsec.md
deleted file mode 100644
index 6931e00b..00000000
--- a/docs/configuration/vpn/ipsec/md-remoteaccess_ipsec.md
+++ /dev/null
@@ -1,186 +0,0 @@
-(remoteaccess-ipsec)=
-
-# IPSec IKEv2 Remote Access VPN
-
-```{todo}
-Convert raw command blocks in this file to cfgcmd/opcmd
-directives for command coverage tracking.
-```
-
-Internet Key Exchange version 2 (IKEv2) is a tunneling protocol, based on IPsec,
-that establishes a secure VPN communication between VPN devices, and defines
-negotiation and authentication processes for IPsec security associations (SAs).
-It is often known as IKEv2/IPSec or IPSec IKEv2 remote-access — or road-warriors
-as others call it.
-
-Key exchange and payload encryption is done using IKE and ESP proposals as known
-from IKEv1 but the connections are faster to establish, more reliable, and also
-support roaming from IP to IP (called MOBIKE which makes sure your connection
-does not drop when changing networks from e.g. WIFI to LTE and back).
-Authentication can be achieved with X.509 certificates.
-
-## Setting up certificates:
-
-First of all, we need to create a CA root certificate and server certificate
-on the server side.
-
-```none
-vyos@vpn.vyos.net# run generate pki ca install ca_root
-Enter private key type: [rsa, dsa, ec] (Default: rsa)
-Enter private key bits: (Default: 2048)
-Enter country code: (Default: GB)
-Enter state: (Default: Some-State)
-Enter locality: (Default: Some-City)
-Enter organization name: (Default: VyOS)
-Enter common name: (Default: vyos.io)
-Enter how many days certificate will be valid: (Default: 1825)
-Note: If you plan to use the generated key on this router, do not encrypt the private key.
-Do you want to encrypt the private key with a passphrase? [y/N] N
-2 value(s) installed. Use "compare" to see the pending changes, and "commit" to apply.
-[edit]
-
-
-vyos@vpn.vyos.net# comp
-[pki ca]
-+ ca_root {
-+ certificate "MIIDnTCCAoWgAwI…."
-+ private {
-+ key "MIIEvAIBADANBgkqhkiG9….”
-
-vyos@vpn.vyos.net# run generate pki certificate sign ca_root install server_cert
-Do you already have a certificate request? [y/N] N
-Enter private key type: [rsa, dsa, ec] (Default: rsa)
-Enter private key bits: (Default: 2048)
-Enter country code: (Default: GB)
-Enter state: (Default: Some-State)
-Enter locality: (Default: Some-City)
-Enter organization name: (Default: VyOS)
-Enter common name: (Default: vyos.io) vpn.vyos.net
-Do you want to configure Subject Alternative Names? [y/N] N
-Enter how many days certificate will be valid: (Default: 365)
-Enter certificate type: (client, server) (Default: server)
-Note: If you plan to use the generated key on this router, do not encrypt the private key.
-Do you want to encrypt the private key with a passphrase? [y/N] N
-2 value(s) installed. Use "compare" to see the pending changes, and "commit" to apply.
-
-vyos@vpn.vyos.net# comp
-[pki certificate]
-+ server_cert {
-+ certificate "MIIDuzCCAqOgAwIBAgIUaSrCPWx………"
-+ private {
-+ key "MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBK….."
-+ }
-+ }
-```
-
-Once the command is completed, it will add the certificate to the configuration
-session, to the pki subtree. You can then review the proposed changes and
-commit them.
-
-## Setting up IPSec:
-
-After the PKI certs are all set up we can start configuring our IPSec/IKE
-proposals used for key-exchange end data encryption. The used encryption ciphers
-and integrity algorithms vary from operating system to operating system. The
-ones used in this example are validated to work on Windows 10.
-
-```none
-set vpn ipsec esp-group ESP-RW lifetime '3600'
-set vpn ipsec esp-group ESP-RW pfs 'disable'
-set vpn ipsec esp-group ESP-RW proposal 10 encryption 'aes128gcm128'
-set vpn ipsec esp-group ESP-RW proposal 10 hash 'sha256'
-
-set vpn ipsec ike-group IKE-RW key-exchange 'ikev2'
-set vpn ipsec ike-group IKE-RW lifetime '7200'
-set vpn ipsec ike-group IKE-RW proposal 10 dh-group '14'
-set vpn ipsec ike-group IKE-RW proposal 10 encryption 'aes128gcm128'
-set vpn ipsec ike-group IKE-RW proposal 10 hash 'sha256'
-```
-
-Every connection/remote-access pool we configure also needs a pool where we
-can draw our client IP addresses from. We provide one IPv4 and IPv6 pool.
-Authorized clients will receive an IPv4 address from the configured IPv4 prefix
-and an IPv6 address from the IPv6 prefix. We can also send some DNS nameservers
-down to our clients used on their connection.
-
-```none
-set vpn ipsec remote-access pool ra-rw-ipv4 name-server '192.0.2.1'
-set vpn ipsec remote-access pool ra-rw-ipv4 prefix '192.0.2.128/25'
-
-set vpn ipsec remote-access pool ra-rw-ipv6 name-server '2001:db8:1000::1'
-set vpn ipsec remote-access pool ra-rw-ipv6 prefix '2001:db8:2000::/64'
-```
-
-
-## Setting up tunnel:
-
-```none
-set vpn ipsec remote-access connection rw authentication local-id '192.0.2.1'
-set vpn ipsec remote-access connection rw authentication server-mode 'x509'
-set vpn ipsec remote-access connection rw authentication x509 ca-certificate 'ca_root'
-set vpn ipsec remote-access connection rw authentication x509 certificate 'server_cert'
-set vpn ipsec remote-access connection rw esp-group 'ESP-RW'
-set vpn ipsec remote-access connection rw ike-group 'IKE-RW'
-set vpn ipsec remote-access connection rw local-address '192.0.2.1'
-set vpn ipsec remote-access connection rw pool 'ra-rw-ipv4'
-set vpn ipsec remote-access connection rw pool 'ra-rw-ipv6'
-```
-
-VyOS also supports two different modes of authentication, local and RADIUS.
-To create a new local user named "vyos" with a password of "vyos" use the
-following commands.
-
-```none
-set vpn ipsec remote-access connection rw authentication client-mode 'eap-mschapv2'
-set vpn ipsec remote-access connection rw authentication local-users username vyos password 'vyos'
-```
-
-Some client operating systems like to see the servers certificate. The following
-option causes the server to voluntarily send its certificate, even if it wasn't
-requested.
-
-```none
-set vpn ipsec remote-access connection rw authentication always-send-cert
-```
-
-
-## Client Configuration
-
-Most operating systems include native client support for IPsec IKEv2 VPN
-connections, and others typically have an app or add-on package which adds the
-capability.
-This section covers IPsec IKEv2 client configuration for Windows 10.
-
-VyOS provides a command to generate a connection profile used by Windows clients
-that will connect to the "rw" connection on our VyOS server.
-
-:::{note}
-Windows expects the server name to be also used in the server's
-certificate common name, so it's best to use this DNS name for your VPN
-connection.
-:::
-
-```none
-vyos@vpn.vyos.net:~$ generate ipsec profile windows-remote-access rw remote vpn.vyos.net
-
-
-==== <snip> ====
-Add-VpnConnection -Name "VyOS IKEv2 VPN" -ServerAddress "vpn.vyos.net" -TunnelType "Ikev2"
-
-Set-VpnConnectionIPsecConfiguration -ConnectionName "VyOS IKEv2 VPN" -AuthenticationTransformConstants GCMAES128 -CipherTransformConstants
-GCMAES128 -EncryptionMethod GCMAES128 -IntegrityCheckMethod SHA256128 -PfsGroup None -DHGroup "Group14" -PassThru -Force
-==== </snip> ====
-```
-
-Add the commands from Snippet in the Windows side via PowerShell.
-Also import the root CA cert to the Windows “Trusted Root Certification
-Authorities” and establish the connection.
-
-## Verification:
-
-```none
-vyos@vpn.vyos.net:~$ show vpn ipsec remote-access summary
- Connection ID Username Protocol State Uptime Tunnel IP Remote Host Remote ID IKE Proposal IPSec Proposal
---------------- ---------- ---------- ------- -------- ----------- ------------- ----------- ------------------------------------------ ------------------
- 5 vyos IKEv2 UP 37s 192.0.2.129 10.0.0.2 10.0.0.2 AES_GCM_16-128/PRF_HMAC_SHA2_256/MODP_2048 ESP:AES_GCM_16-128
-```
diff --git a/docs/configuration/vpn/ipsec/md-site2site_ipsec.md b/docs/configuration/vpn/ipsec/md-site2site_ipsec.md
deleted file mode 100644
index d3b65ae1..00000000
--- a/docs/configuration/vpn/ipsec/md-site2site_ipsec.md
+++ /dev/null
@@ -1,780 +0,0 @@
-(size2site-ipsec)=
-
-# IPsec Site-to-Site VPN
-
-## IPsec Site-to-Site VPN Types
-
-VyOS supports two types of IPsec VPN: Policy-based IPsec VPN and Route-based
-IPsec VPN.
-
-### Policy-based VPN
-
-Policy-based VPN is based on static configured policies. Each policy creates
-individual IPSec SA. Traffic matches these SAs encrypted and directed to the
-remote peer.
-
-### Route-Based VPN
-
-Route-based VPN is based on secure traffic passing over Virtual Tunnel
-Interfaces (VTIs). This type of IPsec VPNs allows using routing protocols.
-
-## Configuration Site-to-Site VPN
-
-### Requirements and Prerequisites for Site-to-Site VPN
-
-**Negotiated parameters that need to match**
-
-```{eval-rst}
-Phase 1
- * IKE version
- * Authentication
- * Encryption
- * Hashing
- * PRF
- * Lifetime
-
- .. note:: Strongswan recommends to use the same lifetime value on both peers
-
-Phase 2
- * Encryption
- * Hashing
- * PFS
- * Mode (tunnel or transport)
- * Lifetime
-
- .. note:: Strongswan recommends to use the same lifetime value on both peers
-
- * Remote and Local networks in SA must be compatible on both peers
-```
-
-### Configuration Steps for Site-to-Site VPN
-
-The next example shows the configuration one of the router participating in
-IPsec VPN.
-
-```{eval-rst}
-Tunnel information:
- * Phase 1:
- * encryption: AES256
- * hash: SHA256
- * PRF: SHA256
- * DH: 14
- * lifetime: 28800
- * Phase 2:
- * IPsec mode: tunnel
- * encryption: AES256
- * hash: SHA256
- * PFS: inherited from DH Phase 1
- * lifetime: 3600
- * If Policy based VPN is used
- * Remote network is 192.168.50.0/24. Local network is 192.168.10.0/24
- * If Route based VPN is used
- * IP of the VTI interface is 10.0.0.1/30
-```
-
-:::{note}
-We do not recommend using policy-based vpn and route-based vpn configurations to the same peer.
-:::
-
-**1. Configure ike-group (IKE Phase 1)**
-
-```none
-set vpn ipsec ike-group IKE close-action 'start'
-set vpn ipsec ike-group IKE key-exchange 'ikev1'
-set vpn ipsec ike-group IKE lifetime '28800'
-set vpn ipsec ike-group IKE proposal 10 dh-group '14'
-set vpn ipsec ike-group IKE proposal 10 encryption 'aes256'
-set vpn ipsec ike-group IKE proposal 10 hash 'sha256'
-set vpn ipsec ike-group IKE proposal 10 prf 'prfsha256'
-```
-
-**2. Configure ESP-group (IKE Phase 2)**
-
-```none
-set vpn ipsec esp-group ESP lifetime '3600'
-set vpn ipsec esp-group ESP mode 'tunnel'
-set vpn ipsec esp-group ESP pfs 'enable'
-set vpn ipsec esp-group ESP proposal 10 encryption 'aes256'
-set vpn ipsec esp-group ESP proposal 10 hash 'sha256'
-```
-
-**3. Specify interface facing to the protected destination.**
-
-```none
-set vpn ipsec interface eth0
-```
-
-**4. Configure PSK keys and authentication ids for this key if authentication type is PSK**
-
-```none
-set vpn ipsec authentication psk PSK-KEY id '192.168.0.2'
-set vpn ipsec authentication psk PSK-KEY id '192.168.5.2'
-set vpn ipsec authentication psk PSK-KEY secret 'vyos'
-```
-
-To set base64 secret encode plaintext password to base64 and set secret-type
-
-```none
-echo -n "vyos" | base64
-dnlvcw==
-```
-
-```none
-set vpn ipsec authentication psk PSK-KEY secret 'dnlvcw=='
-set vpn ipsec authentication psk PSK-KEY secret-type base64
-```
-
-**5. Configure peer and apply IKE-group and esp-group to peer.**
-
-```none
-set vpn ipsec site-to-site peer PEER1 authentication local-id '192.168.0.2'
-set vpn ipsec site-to-site peer PEER1 authentication mode 'pre-shared-secret'
-set vpn ipsec site-to-site peer PEER1 authentication remote-id '192.168.5.2'
-set vpn ipsec site-to-site peer PEER1 connection-type 'initiate'
-set vpn ipsec site-to-site peer PEER1 default-esp-group 'ESP'
-set vpn ipsec site-to-site peer PEER1 ike-group 'IKE'
-set vpn ipsec site-to-site peer PEER1 local-address '192.168.0.2'
-set vpn ipsec site-to-site peer PEER1 remote-address '192.168.5.2'
-
-Peer selects the key from step 4 according to local-id/remote-id pair.
-```
-
-**6. Depends to vpn type (route-based vpn or policy-based vpn).**
-
-> **6.1 For Policy-based VPN configure SAs using tunnel command specifying remote and local networks.**
->
-> > ```none
-> > set vpn ipsec site-to-site peer PEER1 tunnel 1 local prefix '192.168.10.0/24'
-> > set vpn ipsec site-to-site peer PEER1 tunnel 1 remote prefix '192.168.50.0/24'
-> > ```
->
-> **6.2 For Route-based VPN create VTI interface, set IP address to this interface and bind this interface to the vpn peer.**
->
-> > ```none
-> > set interfaces vti vti1 address 10.0.0.1/30
-> > set vpn ipsec site-to-site peer PEER1 vti bind vti1
-> > set vpn ipsec options disable-route-autoinstall
-> > ```
-> >
-> > Create routing between local networks via VTI interface using dynamic or
-> > static routing.
-> >
-> > ```none
-> > set protocol static route 192.168.50.0/24 next-hop 10.0.0.2
-> > ```
-
-### Initiator and Responder Connection Types
-
-In Site-to-Site IPsec VPN it is recommended that one peer should be an
-initiator and the other - the responder. The initiator actively establishes
-the VPN tunnel. The responder passively waits for the remote peer to
-establish the VPN tunnel. Depends on selected role it is recommended
-select proper values for close-action and DPD action.
-
-The result of wrong value selection can be unstable work of the VPN.
-: - Duplicate CHILD SA creation.
- - None of the VPN sides initiates the tunnel establishment.
-
-Below flow-chart could be a quick reference for the close-action
-combination depending on how the peer is configured.
-
-```{eval-rst}
-.. figure:: /_static/images/IPSec_close_action_settings.webp
-```
-
-Similar combinations are applicable for the dead-peer-detection.
-
-### Detailed Configuration Commands
-
-#### PSK Key Authentication
-
-```{cfgcmd} set vpn ipsec authentication psk \<name\> dhcp-interface
-
-ID for authentication generated from DHCP address
-dynamically.
-
-```
-
-```{cfgcmd} set vpn ipsec authentication psk id \<id\>
-
-static ID's for authentication. In general local and remote address
-``<x.x.x.x>``, ``<h:h:h:h:h:h:h:h>`` or ``%any``.
-```
-
-```{cfgcmd} set vpn ipsec authentication psk secret \<secret\>
-
-A predefined shared secret used in configured mode
-``pre-shared-secret``. Base64-encoded secrets are allowed if
-`secret-type base64` is configured.
-```
-
-```{cfgcmd} set vpn ipsec authentication psk secret-type \<type\>
-
-Specifies the secret type:
-
-* **plaintext** - Plain text type (default value).
-* **base64** - Base64 type.
-```
-
-#### Peer Configuration
-
-
-##### Peer Authentication Commands
-
-```{cfgcmd} set vpn ipsec site-to-site peer \<name\> authentication mode \<mode\>
-
-Mode for authentication between VyOS and remote peer:
-
-* **pre-shared-secret** - Use predefined shared secret phrase.
-* **rsa** - Use simple shared RSA key.
-* **x509** - Use certificates infrastructure for authentication.
-```
-
-```{cfgcmd} set vpn ipsec site-to-site peer \<name\> authentication local-id \<id\>
-
-ID for the local VyOS router. If defined, during the authentication
-it will be send to remote peer.
-```
-
-```{cfgcmd} set vpn ipsec site-to-site peer \<name\> authentication remote-id \<id\>
-
-ID for remote peer, instead of using peer name or
-address. Useful in case if the remote peer is behind NAT
-or if ``mode x509`` is used.
-```
-
-```{cfgcmd} set vpn ipsec site-to-site peer \<name\> authentication rsa local-key \<key\>
-
-Name of PKI key-pair with local private key.
-```
-
-```{cfgcmd} set vpn ipsec site-to-site peer \<name\> authentication rsa remote-key \<key\>
-
-Name of PKI key-pair with remote public key.
-```
-
-```{cfgcmd} set vpn ipsec site-to-site peer \<name\> authentication rsa passphrase \<passphrase\>
-
-Local private key passphrase.
-```
-
-```{cfgcmd} set vpn ipsec site-to-site peer \<name\> authentication use-x509-id \<id\>
-
-Use local ID from x509 certificate. Cannot be used when
-``id`` is defined.
-```
-
-```{cfgcmd} set vpn ipsec site-to-site peer \<name\> authentication x509 ca-certificate \<name\>
-
-Name of CA certificate in PKI configuration. Using for authenticating
-remote peer in x509 mode.
-```
-
-```{cfgcmd} set vpn ipsec site-to-site peer \<name\> authentication x509 certificate \<name\>
-
-Name of certificate in PKI configuration, which will be used
-for authenticating local router on remote peer.
-```
-
-```{cfgcmd} set vpn ipsec authentication x509 passphrase \<passphrase\>
-
-Private key passphrase, if needed.
-```
-
-##### Global Peer Configuration Commands
-
-```{cfgcmd} set vpn ipsec site-to-site peer \<name\> connection-type \<type\>
-
-Operational mode defines how to handle this connection process.
-
-* **initiate** - does initial connection to remote peer immediately
- after configuring and after boot. In this mode the connection will
- not be restarted in case of disconnection, therefore should be used
- only together with DPD or another session tracking methods.
-
-* **trap** - does not try to initiate a connection to a remote
- peer immediately. Instead, it installs a trap policy that will
- trigger IKE negotiation and establish the IPsec session when
- matching traffic is sent from the local side. This can be useful
- when there is no direct connectivity to the peer due to firewall
- or NAT in the middle of the local and remote side.
-
- :::{warning}
- The ``trap`` mode is not needed in most environments
- and can lead to connection confusion or unintended tunnel uptime
- behavior if used incorrectly. Using this mode requires careful
- coordination with parameters such as ``close-action`` and DPD.
- For most deployments, use ``initiate`` and ``none`` as described below.
- :::
-
-* **none** - loads the connection only, which then can be manually
- initiated or used as a responder configuration.
-
-:::{note}
-For most site-to-site VPNs, configure one peer
-with ``connection-type initiate`` (active side) and the other peer
-with ``connection-type none`` (passive side) to
-ensure stable and predictable tunnel behavior.
-When using ``connection-type initiate``, you must also configure
-DPD or another session tracking method (such as ``close-action``)
-to automatically re-establish the tunnel after a disconnection.
-Otherwise, the tunnel will not reconnect automatically if it goes down.
-:::
-```
-
-```{cfgcmd} set vpn ipsec site-to-site peer \<name\> default-esp-group \<name\>
-
-Name of ESP group to use by default for traffic encryption.
-Might be overwritten by individual settings for tunnel or VTI
-interface binding.
-```
-
-```{cfgcmd} set vpn ipsec site-to-site peer \<name\> description \<description\>
-
-Description for this peer.
-```
-
-```{cfgcmd} set vpn ipsec site-to-site peer \<name\> dhcp-interface \<interface\>
-
-Specify the interface which IP address, received from DHCP for IPSec
-connection with this peer, will be used as ``local-address``.
-```
-
-```{cfgcmd} set vpn ipsec site-to-site peer \<name\> force-udp-encapsulation
-
-Force encapsulation of ESP into UDP datagrams. Useful in case if
-between local and remote side is firewall or NAT, which not
-allows passing plain ESP packets between them.
-```
-
-```{cfgcmd} set vpn ipsec site-to-site peer \<name\> ike-group \<name\>
-
-Name of IKE group to use for key exchanges.
-```
-
-```{cfgcmd} set vpn ipsec site-to-site peer \<name\> local-address \<address\>
-
-Local IP address for IPsec connection with this peer.
-If defined ``any``, then an IP address which configured on interface with
-default route will be used.
-```
-
-```{cfgcmd} set vpn ipsec site-to-site peer \<name\> remote-address \<address\>
-
-Remote IP address or hostname for IPsec connection. IPv4 or IPv6
-address is used when a peer has a public static IP address. Hostname
-is a DNS name which could be used when a peer has a public IP
-address and DNS name, but an IP address could be changed from time
-to time.
-```
-
-```{cfgcmd} set vpn ipsec site-to-site peer \<name\> replay-window \<size\>
-
-IPsec replay window to configure for CHILD_SAs
-(default: 32), a value of 0 disables IPsec replay protection.
-```
-
-```{cfgcmd} set vpn ipsec site-to-site peer \<name\> virtual-address \<address\>
-
-Defines a virtual IP address which is requested by the initiator and
-one or several IPv4 and/or IPv6 addresses are assigned from multiple
-pools by the responder. The wildcard addresses 0.0.0.0 and ::
-request an arbitrary address, specific addresses may be defined.
-```
-
-##### CHILD SAs Configuration Commands
-
-###### Policy-Based CHILD SAs Configuration Commands
-
-Every configured tunnel under peer configuration is a new CHILD SA.
-
-```{cfgcmd} set vpn ipsec site-to-site peer \<name\> tunnel \<number\> disable
-
-Disable this tunnel.
-```
-
-```{cfgcmd} set vpn ipsec site-to-site peer \<name\> tunnel \<number\> esp-group \<name\>
-
-Specify ESP group for this CHILD SA.
-```
-
-```{cfgcmd} set vpn ipsec site-to-site peer \<name\> tunnel \<number\> priority \<number\>
-
-Priority for policy-based IPsec VPN tunnels (lowest value more
-preferable).
-```
-
-```{cfgcmd} set vpn ipsec site-to-site peer \<name\> tunnel \<number\> protocol \<name\>
-
-Define the protocol for match traffic, which should be encrypted and
-send to this peer.
-```
-
-```{cfgcmd} set vpn ipsec site-to-site peer \<name\> tunnel \<number\> local prefix \<network\>
-
-IP network at the local side.
-```
-
-```{cfgcmd} set vpn ipsec site-to-site peer \<name\> tunnel \<number\> local port \<number\>
-
-Local port number. Have effect only when used together with
-``prefix``.
-```
-
-```{cfgcmd} set vpn ipsec site-to-site peer \<name\> tunnel \<number\> remote prefix \<network\>
-
-IP network at the remote side.
-```
-
-```{cfgcmd} set vpn ipsec site-to-site peer \<name\> tunnel \<number\> remote port \<number\>
-
-Remote port number. Have effect only when used together with
-``prefix``.
-```
-
-###### Route-Based CHILD SAs Configuration Commands
-
-To configure route-based VPN it is enough to create vti interface and
-bind it to the peer. Any traffic, which will be send to VTI interface
-will be encrypted and send to this peer. Using VTI makes IPsec
-configuration much flexible and easier in complex situation, and
-allows to dynamically add/delete remote networks, reachable via a
-peer, as in this mode router don't need to create additional SA/policy
-for each remote network.
-
-:::{warning}
-When using site-to-site IPsec with VTI interfaces,
-be sure to disable route autoinstall.
-:::
-```none
-set vpn ipsec options disable-route-autoinstall
-```
-
-```{cfgcmd} set vpn ipsec site-to-site peer \<name\> vti bind \<interface\>
-
-VTI interface to bind to this peer.
-```
-
-```{cfgcmd} set vpn ipsec site-to-site peer \<name\> vti esp-group \<name\>
-
-ESP group for encrypt traffic, passed this VTI interface.
-```
-
-Traffic-selectors parameters for traffic that should pass via vti
-interface.
-
-```{cfgcmd} set vpn ipsec site-to-site peer \<name\> vti traffic-selector local prefix \<network\>
-
-Local prefix for interesting traffic.
-```
-
-```{cfgcmd} set vpn ipsec site-to-site peer \<name\> vti traffic-selector remote prefix \<network\>
-
-Remote prefix for interesting traffic.
-```
-
-### IPsec Op-mode Commands
-
-```{opcmd} show vpn ike sa
-
-Shows active IKE SAs information.
-```
-
-```{opcmd} show vpn ike secrets
-
-Shows configured authentication keys.
-```
-
-```{opcmd} show vpn ike status
-
-Shows Strongswan daemon status.
-```
-
-```{opcmd} show vpn ipsec connections
-
-Shows summary status of all configured IKE and IPsec SAs.
-```
-
-```{opcmd} show vpn ipsec sa [detail]
-
-Shows active IPsec SAs information.
-```
-
-```{opcmd} show vpn ipsec status
-
-Shows status of IPsec process.
-```
-
-```{opcmd} show vpn ipsec policy
-
-Shows the in-kernel crypto policies.
-```
-
-```{opcmd} show vpn ipsec state
-
-Shows the in-kernel crypto state.
-```
-
-```{opcmd} show log ipsec
-
-Shows IPsec logs.
-```
-
-```{opcmd} reset vpn ipsec site-to-site all
-
-Clear all ipsec connection and reinitiate them if VyOS is configured
-as initiator.
-```
-
-```{opcmd} reset vpn ipsec site-to-site peer \<name\>
-
-Clear all peer IKE SAs with IPsec SAs and reinitiate them if VyOS is
-configured as initiator.
-```
-
-```{opcmd} reset vpn ipsec site-to-site peer \<name\> tunnel \<number\>
-
-Clear scpecific IPsec SA and reinitiate it if VyOS is configured as
-initiator.
-```
-
-```{opcmd} reset vpn ipsec site-to-site peer \<name\> vti \<number\>
-
-Clear IPsec SA which is map to vti interface of this peer and
-reinitiate it if VyOS is configured as initiator.
-```
-
-```{opcmd} restart ipsec
-
-Restart Strongswan daemon.
-```
-
-## Examples:
-
-### Policy-Based VPN Example
-
-**PEER1:**
-- WAN interface on `eth0`
-- `eth0` interface IP: `10.0.1.2/30`
-- `dum0` interface IP: `192.168.0.1/24` (for testing purposes)
-- Initiator
-
-**PEER2:**
-- WAN interface on `eth0`
-- `eth0` interface IP: `10.0.2.2/30`
-- `dum0` interface IP: `192.168.1.0/24` (for testing purposes)
-- Responder
-
-```none
-# PEER1
-set interfaces dummy dum0 address '192.168.0.1/32'
-set interfaces ethernet eth0 address '10.0.1.2/30'
-set protocols static route 0.0.0.0/0 next-hop 10.0.1.1
-set vpn ipsec authentication psk AUTH-PSK id '10.0.1.2'
-set vpn ipsec authentication psk AUTH-PSK id '10.0.2.2'
-set vpn ipsec authentication psk AUTH-PSK secret 'test'
-set vpn ipsec esp-group ESP-GRPOUP lifetime '3600'
-set vpn ipsec esp-group ESP-GRPOUP proposal 10 encryption 'aes256'
-set vpn ipsec esp-group ESP-GRPOUP proposal 10 hash 'sha1'
-set vpn ipsec ike-group IKE-GROUP close-action 'start'
-set vpn ipsec ike-group IKE-GROUP dead-peer-detection action 'restart'
-set vpn ipsec ike-group IKE-GROUP dead-peer-detection interval '30'
-set vpn ipsec ike-group IKE-GROUP dead-peer-detection timeout '120'
-set vpn ipsec ike-group IKE-GROUP key-exchange 'ikev1'
-set vpn ipsec ike-group IKE-GROUP lifetime '28800'
-set vpn ipsec ike-group IKE-GROUP proposal 10 dh-group '14'
-set vpn ipsec ike-group IKE-GROUP proposal 10 encryption 'aes256'
-set vpn ipsec ike-group IKE-GROUP proposal 10 hash 'sha1'
-set vpn ipsec interface 'eth0'
-set vpn ipsec site-to-site peer PEER2 authentication local-id '10.0.1.2'
-set vpn ipsec site-to-site peer PEER2 authentication mode 'pre-shared-secret'
-set vpn ipsec site-to-site peer PEER2 authentication remote-id '10.0.2.2'
-set vpn ipsec site-to-site peer PEER2 connection-type 'initiate'
-set vpn ipsec site-to-site peer PEER2 default-esp-group 'ESP-GRPOUP'
-set vpn ipsec site-to-site peer PEER2 ike-group 'IKE-GROUP'
-set vpn ipsec site-to-site peer PEER2 local-address '10.0.1.2'
-set vpn ipsec site-to-site peer PEER2 remote-address '10.0.2.2'
-set vpn ipsec site-to-site peer PEER2 tunnel 0 local prefix '192.168.0.0/24'
-set vpn ipsec site-to-site peer PEER2 tunnel 0 remote prefix '192.168.1.0/24'
-
-
-# PEER2
-set interfaces dummy dum0 address '192.168.1.1/32'
-set interfaces ethernet eth0 address '10.0.2.2/30'
-set protocols static route 0.0.0.0/0 next-hop 10.0.2.1
-set vpn ipsec authentication psk AUTH-PSK id '10.0.1.2'
-set vpn ipsec authentication psk AUTH-PSK id '10.0.2.2'
-set vpn ipsec authentication psk AUTH-PSK secret 'test'
-set vpn ipsec esp-group ESP-GRPOUP lifetime '3600'
-set vpn ipsec esp-group ESP-GRPOUP proposal 10 encryption 'aes256'
-set vpn ipsec esp-group ESP-GRPOUP proposal 10 hash 'sha1'
-set vpn ipsec ike-group IKE-GROUP close-action 'none'
-set vpn ipsec ike-group IKE-GROUP dead-peer-detection action 'clear'
-set vpn ipsec ike-group IKE-GROUP dead-peer-detection interval '30'
-set vpn ipsec ike-group IKE-GROUP dead-peer-detection timeout '120'
-set vpn ipsec ike-group IKE-GROUP key-exchange 'ikev1'
-set vpn ipsec ike-group IKE-GROUP lifetime '28800'
-set vpn ipsec ike-group IKE-GROUP proposal 10 dh-group '14'
-set vpn ipsec ike-group IKE-GROUP proposal 10 encryption 'aes256'
-set vpn ipsec ike-group IKE-GROUP proposal 10 hash 'sha1'
-set vpn ipsec interface 'eth0'
-set vpn ipsec site-to-site peer PEER1 authentication local-id '10.0.2.2'
-set vpn ipsec site-to-site peer PEER1 authentication mode 'pre-shared-secret'
-set vpn ipsec site-to-site peer PEER1 authentication remote-id '10.0.1.2'
-set vpn ipsec site-to-site peer PEER1 connection-type 'none'
-set vpn ipsec site-to-site peer PEER1 default-esp-group 'ESP-GRPOUP'
-set vpn ipsec site-to-site peer PEER1 ike-group 'IKE-GROUP'
-set vpn ipsec site-to-site peer PEER1 local-address '10.0.2.2'
-set vpn ipsec site-to-site peer PEER1 remote-address '10.0.1.2'
-set vpn ipsec site-to-site peer PEER1 tunnel 0 local prefix '192.168.1.0/24'
-set vpn ipsec site-to-site peer PEER1 tunnel 0 remote prefix '192.168.0.0/24'
-```
-
-Show status of policy-based IPsec VPN setup:
-
-```none
-vyos@PEER2:~$ show vpn ike sa
-Peer ID / IP Local ID / IP
------------- -------------
-10.0.1.2 10.0.1.2 10.0.2.2 10.0.2.2
-
- State IKEVer Encrypt Hash D-H Group NAT-T A-Time L-Time
- ----- ------ ------- ---- --------- ----- ------ ------
- up IKEv1 AES_CBC_256 HMAC_SHA1_96 MODP_2048 no 1254 25633
-
-
-vyos@srv-gw0:~$ show vpn ipsec sa
-Connection State Uptime Bytes In/Out Packets In/Out Remote address Remote ID Proposal
--------------- ------- -------- -------------- ---------------- ---------------- ----------- ----------------------------------
-PEER1-tunnel-0 up 20m42s 0B/0B 0/0 10.0.1.2 10.0.1.2 AES_CBC_256/HMAC_SHA1_96/MODP_2048
-
-vyos@PEER2:~$ show vpn ipsec connections
-Connection State Type Remote address Local TS Remote TS Local id Remote id Proposal
--------------- ------- ------ ---------------- -------------- -------------- ---------- ----------- ----------------------------------
-PEER1 up IKEv1 10.0.1.2 - - 10.0.2.2 10.0.1.2 AES_CBC/256/HMAC_SHA1_96/MODP_2048
-PEER1-tunnel-0 up IPsec 10.0.1.2 192.168.1.0/24 192.168.0.0/24 10.0.2.2 10.0.1.2 AES_CBC/256/HMAC_SHA1_96/MODP_2048
-```
-
-If there is SNAT rules on eth0, need to add exclude rule
-
-```none
-# PEER1 side
-set nat source rule 10 destination address '192.168.1.0/24'
-set nat source rule 10 'exclude'
-set nat source rule 10 outbound-interface name 'eth0'
-set nat source rule 10 source address '192.168.0.0/24'
-
-# PEER2 side
-set nat source rule 10 destination address '192.168.0.0/24'
-set nat source rule 10 'exclude'
-set nat source rule 10 outbound-interface name 'eth0'
-set nat source rule 10 source address '192.168.1.0/24'
-```
-
-### Route-Based VPN Example
-
-**PEER1:**
-- WAN interface on `eth0`
-- `eth0` interface IP: `10.0.1.2/30`
-- 'vti0' interface IP: `10.100.100.1/30`
-- `dum0` interface IP: `192.168.0.1/24` (for testing purposes)
-- Role: Initiator
-
-**PEER2:**
-- WAN interface on `eth0`
-- `eth0` interface IP: `10.0.2.2/30`
-- 'vti0' interface IP: `10.100.100.2/30`
-- `dum0` interface IP: `192.168.1.0/24` (for testing purposes)
-- Role: Responder
-
-```none
-# PEER1
-set interfaces dummy dum0 address '192.168.0.1/32'
-set interfaces ethernet eth0 address '10.0.1.2/30'
-set interfaces vti vti0 address '10.100.100.1/30'
-set protocols static route 0.0.0.0/0 next-hop 10.0.1.1
-set protocols static route 192.168.1.0/24 next-hop 10.100.100.2
-set vpn ipsec authentication psk AUTH-PSK id '10.0.1.2'
-set vpn ipsec authentication psk AUTH-PSK id '10.0.2.2'
-set vpn ipsec authentication psk AUTH-PSK secret 'test'
-set vpn ipsec esp-group ESP-GRPOUP lifetime '3600'
-set vpn ipsec esp-group ESP-GRPOUP proposal 10 encryption 'aes256'
-set vpn ipsec esp-group ESP-GRPOUP proposal 10 hash 'sha1'
-set vpn ipsec ike-group IKE-GROUP close-action 'start'
-set vpn ipsec ike-group IKE-GROUP dead-peer-detection action 'restart'
-set vpn ipsec ike-group IKE-GROUP dead-peer-detection interval '30'
-set vpn ipsec ike-group IKE-GROUP key-exchange 'ikev2'
-set vpn ipsec ike-group IKE-GROUP lifetime '28800'
-set vpn ipsec ike-group IKE-GROUP proposal 10 dh-group '14'
-set vpn ipsec ike-group IKE-GROUP proposal 10 encryption 'aes256'
-set vpn ipsec ike-group IKE-GROUP proposal 10 hash 'sha1'
-set vpn ipsec interface 'eth0'
-set vpn ipsec options disable-route-autoinstall
-set vpn ipsec site-to-site peer PEER2 authentication local-id '10.0.1.2'
-set vpn ipsec site-to-site peer PEER2 authentication mode 'pre-shared-secret'
-set vpn ipsec site-to-site peer PEER2 authentication remote-id '10.0.2.2'
-set vpn ipsec site-to-site peer PEER2 connection-type 'initiate'
-set vpn ipsec site-to-site peer PEER2 default-esp-group 'ESP-GRPOUP'
-set vpn ipsec site-to-site peer PEER2 ike-group 'IKE-GROUP'
-set vpn ipsec site-to-site peer PEER2 local-address '10.0.1.2'
-set vpn ipsec site-to-site peer PEER2 remote-address '10.0.2.2'
-set vpn ipsec site-to-site peer PEER2 vti bind 'vti0'
-
-
-# PEER2
-set interfaces dummy dum0 address '192.168.1.1/32'
-set interfaces ethernet eth0 address '10.0.2.2/30'
-set interfaces vti vti0 address '10.100.100.2/30'
-set protocols static route 0.0.0.0/0 next-hop 10.0.2.1
-set protocols static route 192.168.0.0/24 next-hop 10.100.100.1
-set vpn ipsec authentication psk AUTH-PSK id '10.0.1.2'
-set vpn ipsec authentication psk AUTH-PSK id '10.0.2.2'
-set vpn ipsec authentication psk AUTH-PSK secret 'test'
-set vpn ipsec esp-group ESP-GRPOUP lifetime '3600'
-set vpn ipsec esp-group ESP-GRPOUP proposal 10 encryption 'aes256'
-set vpn ipsec esp-group ESP-GRPOUP proposal 10 hash 'sha1'
-set vpn ipsec ike-group IKE-GROUP close-action 'none'
-set vpn ipsec ike-group IKE-GROUP dead-peer-detection action 'clear'
-set vpn ipsec ike-group IKE-GROUP dead-peer-detection interval '30'
-set vpn ipsec ike-group IKE-GROUP key-exchange 'ikev2'
-set vpn ipsec ike-group IKE-GROUP lifetime '28800'
-set vpn ipsec ike-group IKE-GROUP proposal 10 dh-group '14'
-set vpn ipsec ike-group IKE-GROUP proposal 10 encryption 'aes256'
-set vpn ipsec ike-group IKE-GROUP proposal 10 hash 'sha1'
-set vpn ipsec interface 'eth0'
-set vpn ipsec options disable-route-autoinstall
-set vpn ipsec site-to-site peer PEER1 authentication local-id '10.0.2.2'
-set vpn ipsec site-to-site peer PEER1 authentication mode 'pre-shared-secret'
-set vpn ipsec site-to-site peer PEER1 authentication remote-id '10.0.1.2'
-set vpn ipsec site-to-site peer PEER1 connection-type 'none'
-set vpn ipsec site-to-site peer PEER1 default-esp-group 'ESP-GRPOUP'
-set vpn ipsec site-to-site peer PEER1 ike-group 'IKE-GROUP'
-set vpn ipsec site-to-site peer PEER1 local-address '10.0.2.2'
-set vpn ipsec site-to-site peer PEER1 remote-address '10.0.1.2'
-set vpn ipsec site-to-site peer PEER1 vti bind 'vti0'
-```
-
-Show status of route-based IPsec VPN setup:
-
-```none
-vyos@PEER2:~$ show vpn ike sa
-Peer ID / IP Local ID / IP
------------- -------------
-10.0.1.2 10.0.1.2 10.0.2.2 10.0.2.2
-
- State IKEVer Encrypt Hash D-H Group NAT-T A-Time L-Time
- ----- ------ ------- ---- --------- ----- ------ ------
- up IKEv2 AES_CBC_256 HMAC_SHA1_96 MODP_2048 no 404 27650
-
-vyos@PEER2:~$ show vpn ipsec sa
-Connection State Uptime Bytes In/Out Packets In/Out Remote address Remote ID Proposal
------------- ------- -------- -------------- ---------------- ---------------- ----------- ----------------------------------
-PEER1-vti up 3m28s 0B/0B 0/0 10.0.1.2 10.0.1.2 AES_CBC_256/HMAC_SHA1_96/MODP_2048
-
-vyos@PEER2:~$ show vpn ipsec connections
-Connection State Type Remote address Local TS Remote TS Local id Remote id Proposal
------------- ------- ------ ---------------- ---------- ----------- ---------- ----------- ----------------------------------
-PEER1 up IKEv2 10.0.1.2 - - 10.0.2.2 10.0.1.2 AES_CBC/256/HMAC_SHA1_96/MODP_2048
-PEER1-vti up IPsec 10.0.1.2 0.0.0.0/0 0.0.0.0/0 10.0.2.2 10.0.1.2 AES_CBC/256/HMAC_SHA1_96/MODP_2048
- ::/0 ::/0
-```
diff --git a/docs/configuration/vpn/ipsec/md-troubleshooting_ipsec.md b/docs/configuration/vpn/ipsec/md-troubleshooting_ipsec.md
deleted file mode 100644
index 2ca37bc2..00000000
--- a/docs/configuration/vpn/ipsec/md-troubleshooting_ipsec.md
+++ /dev/null
@@ -1,313 +0,0 @@
-(troubleshooting-ipsec)=
-
-# Troubleshooting Site-to-Site VPN IPsec
-
-```{todo}
-Convert raw command blocks in this file to cfgcmd/opcmd
-directives for command coverage tracking.
-```
-
-
-## Introduction
-
-This document describes the methodology to monitor and troubleshoot
-Site-to-Site VPN IPsec.
-
-Steps for troubleshooting problems with Site-to-Site VPN IPsec:
-: 1. Ping the remote site through the tunnel using the source and
- destination IPs included in the policy.
- 2. Check connectivity between the routers using the ping command
- (if ICMP traffic is allowed).
- 3. Check the IKE SAs' statuses.
- 4. Check the IPsec SAs' statuses.
- 5. Check logs to view debug messages.
-
-## Checking IKE SA Status
-
-The next command shows IKE SAs' statuses.
-
-```none
-vyos@vyos:~$ show vpn ike sa
-
-Peer ID / IP Local ID / IP
------------- -------------
-192.168.1.2 192.168.1.2 192.168.0.1 192.168.0.1
-
- State IKEVer Encrypt Hash D-H Group NAT-T A-Time L-Time
- ----- ------ ------- ---- --------- ----- ------ ------
- up IKEv2 AES_CBC_128 HMAC_SHA1_96 MODP_2048 no 162 27023
-```
-
-This command shows the next information:
-: - IKE SA status.
- - Selected IKE version.
- - Selected Encryption, Hash and Diffie-Hellman Group.
- - NAT-T.
- - ID and IP of both peers.
- - A-Time: established time, L-Time: time for next rekeying.
-
-## IPsec SA (CHILD SA) Status
-
-The next commands show IPsec SAs' statuses.
-
-```none
-vyos@vyos:~$ show vpn ipsec sa
-Connection State Uptime Bytes In/Out Packets In/Out Remote address Remote ID Proposal
-------------- ------- -------- -------------- ---------------- ---------------- ----------- ----------------------------------
-PEER-tunnel-1 up 16m30s 168B/168B 2/2 192.168.1.2 192.168.1.2 AES_CBC_128/HMAC_SHA1_96/MODP_2048
-```
-
-```none
-vyos@vyos:~$ show vpn ipsec sa detail
-PEER: #1, ESTABLISHED, IKEv2, 101275ac719d5a1b_i* 68ea4ec3bed3bf0c_r
- local '192.168.0.1' @ 192.168.0.1[4500]
- remote '192.168.1.2' @ 192.168.1.2[4500]
- AES_CBC-128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
- established 4054s ago, rekeying in 23131s
- PEER-tunnel-1: #2, reqid 1, INSTALLED, TUNNEL, ESP:AES_CBC-128/HMAC_SHA1_96/MODP_2048
- installed 1065s ago, rekeying in 1998s, expires in 2535s
- in c5821882, 168 bytes, 2 packets, 81s ago
- out c433406a, 168 bytes, 2 packets, 81s ago
- local 10.0.0.0/24
- remote 10.0.1.0/24
-```
-
-These commands show the next information:
-: - IPsec SA status.
- - Uptime and time for the next rekeing.
- - Amount of transferred data.
- - Remote and local ID and IP.
- - Selected Encryption, Hash and Diffie-Hellman Group.
- - Mode (tunnel or transport).
- - Remote and local prefixes which are use for policy.
-
-There is a possibility to view the summarized information of SAs' status
-
-```none
-vyos@vyos:~$ show vpn ipsec connections
-Connection State Type Remote address Local TS Remote TS Local id Remote id Proposal
-------------- ------- ------ ---------------- ----------- ----------- ----------- ----------- ----------------------------------
-PEER up IKEv2 192.168.1.2 - - 192.168.0.1 192.168.1.2 AES_CBC/128/HMAC_SHA1_96/MODP_2048
-PEER-tunnel-1 up IPsec 192.168.1.2 10.0.0.0/24 10.0.1.0/24 192.168.0.1 192.168.1.2 AES_CBC/128/HMAC_SHA1_96/MODP_2048
-```
-
-
-## Viewing Logs for Debugging
-
-If IKE SAs or IPsec SAs are down, need to debug IPsec connectivity
-using logs `show log ipsec`
-
-The next example of the successful IPsec connection initialization.
-
-```none
-vyos@vyos:~$ show log ipsec
-Jun 20 14:29:47 charon[2428]: 02[NET] <PEER|1> received packet: from 192.168.1.2[500] to 192.168.0.1[500] (472 bytes)
-Jun 20 14:29:47 charon[2428]: 02[ENC] <PEER|1> parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
-Jun 20 14:29:47 charon-systemd[2428]: received packet: from 192.168.1.2[500] to 192.168.0.1[500] (472 bytes)
-Jun 20 14:29:47 charon[2428]: 02[CFG] <PEER|1> selected proposal: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
-Jun 20 14:29:47 charon-systemd[2428]: parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
-Jun 20 14:29:47 charon-systemd[2428]: selected proposal: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
-Jun 20 14:29:47 charon[2428]: 02[IKE] <PEER|1> authentication of '192.168.0.1' (myself) with pre-shared key
-Jun 20 14:29:47 charon-systemd[2428]: authentication of '192.168.0.1' (myself) with pre-shared key
-Jun 20 14:29:47 charon[2428]: 02[IKE] <PEER|1> establishing CHILD_SA PEER-tunnel-1{1}
-Jun 20 14:29:47 charon-systemd[2428]: establishing CHILD_SA PEER-tunnel-1{1}
-Jun 20 14:29:47 charon[2428]: 02[ENC] <PEER|1> generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
-Jun 20 14:29:47 charon-systemd[2428]: generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
-Jun 20 14:29:47 charon[2428]: 02[NET] <PEER|1> sending packet: from 192.168.0.1[4500] to 192.168.1.2[4500] (268 bytes)
-Jun 20 14:29:47 charon-systemd[2428]: sending packet: from 192.168.0.1[4500] to 192.168.1.2[4500] (268 bytes)
-Jun 20 14:29:47 charon[2428]: 13[NET] <PEER|1> received packet: from 192.168.1.2[4500] to 192.168.0.1[4500] (220 bytes)
-Jun 20 14:29:47 charon[2428]: 13[ENC] <PEER|1> parsed IKE_AUTH response 1 [ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) ]
-Jun 20 14:29:47 charon-systemd[2428]: received packet: from 192.168.1.2[4500] to 192.168.0.1[4500] (220 bytes)
-Jun 20 14:29:47 charon[2428]: 13[IKE] <PEER|1> authentication of '192.168.1.2' with pre-shared key successful
-Jun 20 14:29:47 charon-systemd[2428]: parsed IKE_AUTH response 1 [ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) ]
-Jun 20 14:29:47 charon[2428]: 13[IKE] <PEER|1> peer supports MOBIKE
-Jun 20 14:29:47 charon-systemd[2428]: authentication of '192.168.1.2' with pre-shared key successful
-Jun 20 14:29:47 charon[2428]: 13[IKE] <PEER|1> IKE_SA PEER[1] established between 192.168.0.1[192.168.0.1]...192.168.1.2[192.168.1.2]
-Jun 20 14:29:47 charon-systemd[2428]: peer supports MOBIKE
-Jun 20 14:29:47 charon[2428]: 13[IKE] <PEER|1> scheduling rekeying in 27703s
-Jun 20 14:29:47 charon-systemd[2428]: IKE_SA PEER[1] established between 192.168.0.1[192.168.0.1]...192.168.1.2[192.168.1.2]
-Jun 20 14:29:47 charon[2428]: 13[IKE] <PEER|1> maximum IKE_SA lifetime 30583s
-Jun 20 14:29:47 charon-systemd[2428]: scheduling rekeying in 27703s
-Jun 20 14:29:47 charon[2428]: 13[CFG] <PEER|1> selected proposal: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
-Jun 20 14:29:47 charon-systemd[2428]: maximum IKE_SA lifetime 30583s
-Jun 20 14:29:47 charon-systemd[2428]: selected proposal: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
-Jun 20 14:29:47 charon[2428]: 13[IKE] <PEER|1> CHILD_SA PEER-tunnel-1{1} established with SPIs cb94fb3f_i ca99c8a9_o and TS 10.0.0.0/24 === 10.0.1.0/24
-Jun 20 14:29:47 charon-systemd[2428]: CHILD_SA PEER-tunnel-1{1} established with SPIs cb94fb3f_i ca99c8a9_o and TS 10.0.0.0/24 === 10.0.1.0/24
-```
-
-
-## Troubleshooting Examples
-
-### IKE PROPOSAL are Different
-
-In this situation, IKE SAs can be down or not active.
-
-```none
-vyos@vyos:~$ show vpn ike sa
-```
-
-The problem is in IKE phase (Phase 1). The next step is checking debug logs.
-
-Responder Side:
-
-```none
-Jun 23 07:36:33 charon[2440]: 01[CFG] <1> received proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
-Jun 23 07:36:33 charon-systemd[2440]: received proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
-Jun 23 07:36:33 charon[2440]: 01[CFG] <1> configured proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
-Jun 23 07:36:33 charon-systemd[2440]: configured proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
-Jun 23 07:36:33 charon[2440]: 01[IKE] <1> received proposals unacceptable
-Jun 23 07:36:33 charon-systemd[2440]: received proposals unacceptable
-Jun 23 07:36:33 charon[2440]: 01[ENC] <1> generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
-```
-
-Initiator side:
-
-```none
-Jun 23 07:36:32 charon-systemd[2444]: parsed IKE_SA_INIT response 0 [ N(NO_PROP) ]
-Jun 23 07:36:32 charon[2444]: 14[IKE] <PEER|1> received NO_PROPOSAL_CHOSEN notify error
-Jun 23 07:36:32 charon-systemd[2444]: received NO_PROPOSAL_CHOSEN notify error
-```
-
-The notification **NO_PROPOSAL_CHOSEN** means that the proposal mismatch.
-On the Responder side there is concrete information where is mismatch.
-Encryption **AES_CBC_128** is configured in IKE policy on the responder
-but **AES_CBC_256** is configured on the initiator side.
-
-### PSK Secret Mismatch
-
-In this situation, IKE SAs can be down or not active.
-
-```none
-vyos@vyos:~$ show vpn ike sa
-```
-
-The problem is in IKE phase (Phase 1). The next step is checking debug logs.
-
-Responder:
-
-```none
-Jun 23 08:07:26 charon-systemd[2440]: tried 1 shared key for '192.168.1.2' - '192.168.0.1', but MAC mismatched
-Jun 23 08:07:26 charon[2440]: 13[ENC] <PEER|3> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
-```
-
-Initiator side:
-
-```none
-Jun 23 08:07:24 charon[2436]: 12[ENC] <PEER|1> parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
-Jun 23 08:07:24 charon-systemd[2436]: parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
-Jun 23 08:07:24 charon[2436]: 12[IKE] <PEER|1> received AUTHENTICATION_FAILED notify error
-Jun 23 08:07:24 charon-systemd[2436]: received AUTHENTICATION_FAILED notify error
-```
-
-The notification **AUTHENTICATION_FAILED** means that the authentication
-is failed. There is a reason to check PSK on both side.
-
-### ESP Proposal Mismatch
-
-The output of **show** commands shows us that IKE SA is established but
-IPSec SA is not.
-
-```none
-vyos@vyos:~$ show vpn ike sa
-Peer ID / IP Local ID / IP
------------- -------------
-192.168.1.2 192.168.1.2 192.168.0.1 192.168.0.1
-
- State IKEVer Encrypt Hash D-H Group NAT-T A-Time L-Time
- ----- ------ ------- ---- --------- ----- ------ ------
- up IKEv2 AES_CBC_128 HMAC_SHA1_96 MODP_2048 no 158 26817
-```
-
-```none
-vyos@vyos:~$ show vpn ipsec sa
-Connection State Uptime Bytes In/Out Packets In/Out Remote address Remote ID Proposal
------------- ------- -------- -------------- ---------------- ---------------- ----------- ----------
-```
-
-The next step is checking debug logs.
-
-Initiator side:
-
-```none
-Jun 23 08:16:10 charon[3789]: 13[NET] <PEER|1> received packet: from 192.168.1.2[500] to 192.168.0.1[500] (472 bytes)
-Jun 23 08:16:10 charon[3789]: 13[ENC] <PEER|1> parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
-Jun 23 08:16:10 charon-systemd[3789]: received packet: from 192.168.1.2[500] to 192.168.0.1[500] (472 bytes)
-Jun 23 08:16:10 charon[3789]: 13[CFG] <PEER|1> selected proposal: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
-Jun 23 08:16:10 charon-systemd[3789]: parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
-Jun 23 08:16:10 charon-systemd[3789]: selected proposal: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
-Jun 23 08:16:10 charon[3789]: 13[IKE] <PEER|1> authentication of '192.168.0.1' (myself) with pre-shared key
-Jun 23 08:16:10 charon-systemd[3789]: authentication of '192.168.0.1' (myself) with pre-shared key
-Jun 23 08:16:10 charon[3789]: 13[IKE] <PEER|1> establishing CHILD_SA PEER-tunnel-1{1}
-Jun 23 08:16:10 charon-systemd[3789]: establishing CHILD_SA PEER-tunnel-1{1}
-Jun 23 08:16:10 charon[3789]: 13[ENC] <PEER|1> generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
-Jun 23 08:16:10 charon-systemd[3789]: generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
-Jun 23 08:16:10 charon[3789]: 13[NET] <PEER|1> sending packet: from 192.168.0.1[4500] to 192.168.1.2[4500] (268 bytes)
-Jun 23 08:16:10 charon-systemd[3789]: sending packet: from 192.168.0.1[4500] to 192.168.1.2[4500] (268 bytes)
-Jun 23 08:16:10 charon[3789]: 09[NET] <PEER|1> received packet: from 192.168.1.2[4500] to 192.168.0.1[4500] (140 bytes)
-Jun 23 08:16:10 charon-systemd[3789]: received packet: from 192.168.1.2[4500] to 192.168.0.1[4500] (140 bytes)
-Jun 23 08:16:10 charon[3789]: 09[ENC] <PEER|1> parsed IKE_AUTH response 1 [ IDr AUTH N(MOBIKE_SUP) N(NO_ADD_ADDR) N(NO_PROP) ]
-Jun 23 08:16:10 charon-systemd[3789]: parsed IKE_AUTH response 1 [ IDr AUTH N(MOBIKE_SUP) N(NO_ADD_ADDR) N(NO_PROP) ]
-Jun 23 08:16:10 charon[3789]: 09[IKE] <PEER|1> authentication of '192.168.1.2' with pre-shared key successful
-Jun 23 08:16:10 charon-systemd[3789]: authentication of '192.168.1.2' with pre-shared key successful
-Jun 23 08:16:10 charon[3789]: 09[IKE] <PEER|1> peer supports MOBIKE
-Jun 23 08:16:10 charon-systemd[3789]: peer supports MOBIKE
-Jun 23 08:16:10 charon[3789]: 09[IKE] <PEER|1> IKE_SA PEER[1] established between 192.168.0.1[192.168.0.1]...192.168.1.2[192.168.1.2]
-Jun 23 08:16:10 charon-systemd[3789]: IKE_SA PEER[1] established between 192.168.0.1[192.168.0.1]...192.168.1.2[192.168.1.2]
-Jun 23 08:16:10 charon[3789]: 09[IKE] <PEER|1> scheduling rekeying in 26975s
-Jun 23 08:16:10 charon-systemd[3789]: scheduling rekeying in 26975s
-Jun 23 08:16:10 charon[3789]: 09[IKE] <PEER|1> maximum IKE_SA lifetime 29855s
-Jun 23 08:16:10 charon-systemd[3789]: maximum IKE_SA lifetime 29855s
-Jun 23 08:16:10 charon[3789]: 09[IKE] <PEER|1> received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built
-Jun 23 08:16:10 charon-systemd[3789]: received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built
-Jun 23 08:16:10 charon[3789]: 09[IKE] <PEER|1> failed to establish CHILD_SA, keeping IKE_SA
-Jun 23 08:16:10 charon-systemd[3789]: failed to establish CHILD_SA, keeping IKE_SA
-```
-
-There are messages: **NO_PROPOSAL_CHOSEN** and
-**failed to establish CHILD_SA** which refers that the problem is in
-the IPsec(ESP) proposal mismatch.
-
-The reason of this problem is showed on the responder side.
-
-```none
-Jun 23 08:16:12 charon[2440]: 01[CFG] <PEER|5> received proposals: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
-Jun 23 08:16:12 charon-systemd[2440]: received proposals: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
-Jun 23 08:16:12 charon[2440]: 01[CFG] <PEER|5> configured proposals: ESP:AES_CBC_128/HMAC_SHA1_96/MODP_2048/NO_EXT_SEQ
-Jun 23 08:16:12 charon-systemd[2440]: configured proposals: ESP:AES_CBC_128/HMAC_SHA1_96/MODP_2048/NO_EXT_SEQ
-Jun 23 08:16:12 charon[2440]: 01[IKE] <PEER|5> no acceptable proposal found
-Jun 23 08:16:12 charon-systemd[2440]: no acceptable proposal found
-Jun 23 08:16:12 charon[2440]: 01[IKE] <PEER|5> failed to establish CHILD_SA, keeping IKE_SA
-```
-
-Encryption **AES_CBC_128** is configured in IKE policy on the responder but **AES_CBC_256**
-is configured on the initiator side.
-
-### Prefixes in Policies Mismatch
-
-As in previous situation, IKE SA is in up state but IPsec SA is not up.
-According to logs we can see **TS_UNACCEPTABLE** notification. It means
-that prefixes (traffic selectors) mismatch on both sides
-
-Initiator:
-
-```none
-Jun 23 14:13:17 charon[4996]: 11[IKE] <PEER|1> received TS_UNACCEPTABLE notify, no CHILD_SA built
-Jun 23 14:13:17 charon-systemd[4996]: maximum IKE_SA lifetime 29437s
-Jun 23 14:13:17 charon[4996]: 11[IKE] <PEER|1> failed to establish CHILD_SA, keeping IKE_SA
-Jun 23 14:13:17 charon-systemd[4996]: received TS_UNACCEPTABLE notify, no CHILD_SA built
-Jun 23 14:13:17 charon-systemd[4996]: failed to establish CHILD_SA, keeping IKE_SA
-```
-
-The reason of this problem is showed on the responder side.
-
-```none
-Jun 23 14:13:19 charon[2440]: 01[IKE] <PEER|7> traffic selectors 10.0.2.0/24 === 10.0.0.0/24 unacceptable
-Jun 23 14:13:19 charon-systemd[2440]: traffic selectors 10.0.2.0/24 === 10.0.0.0/24 unacceptable
-Jun 23 14:13:19 charon[2440]: 01[IKE] <PEER|7> failed to establish CHILD_SA, keeping IKE_SA
-Jun 23 14:13:19 charon-systemd[2440]: failed to establish CHILD_SA, keeping IKE_SA
-Jun 23 14:13:19 charon[2440]: 01[ENC] <PEER|7> generating IKE_AUTH response 1 [ IDr AUTH N(MOBIKE_SUP) N(NO_ADD_ADDR) N(TS_UNACCEPT) ]
-Jun 23 14:13:19 charon-systemd[2440]: generating IKE_AUTH response 1 [ IDr AUTH N(MOBIKE_SUP) N(NO_ADD_ADDR) N(TS_UNACCEPT) ]
-```
-
-Traffic selectors **10.0.2.0/24 === 10.0.0.0/24** are unacceptable on the
-responder side.
diff --git a/docs/configuration/vpn/md-dmvpn.md b/docs/configuration/vpn/md-dmvpn.md
deleted file mode 100644
index 4dc2c85f..00000000
--- a/docs/configuration/vpn/md-dmvpn.md
+++ /dev/null
@@ -1,431 +0,0 @@
-(vpn-dmvpn)=
-
-# DMVPN
-
-{abbr}`DMVPN (Dynamic Multipoint Virtual Private Network)` is a dynamic
-{abbr}`VPN (Virtual Private Network)` technology originally developed by Cisco.
-While their implementation was somewhat proprietary, the underlying
-technologies are actually standards based. The three technologies are:
-
-- {abbr}`NHRP (Next Hop Resolution Protocol)` {rfc}`2332`
-- {abbr}`mGRE (Multipoint Generic Routing Encapsulation)` {rfc}`1702`
-- {abbr}`IPSec (IP Security)` - too many RFCs to list, but start with
- {rfc}`4301`
-
-NHRP provides the dynamic tunnel endpoint discovery mechanism (endpoint
-registration, and endpoint discovery/lookup), mGRE provides the tunnel
-encapsulation itself, and the IPSec protocols handle the key exchange, and
-crypto mechanism.
-
-In short, DMVPN provides the capability for creating a dynamic-mesh VPN
-network without having to pre-configure (static) all possible tunnel end-point
-peers.
-
-:::{note}
-DMVPN only automates the tunnel endpoint discovery and setup. A
-complete solution also incorporates the use of a routing protocol. BGP is
-particularly well suited for use with DMVPN.
-:::
-
-:::{figure} /_static/images/vpn_dmvpn_topology01.webp
-:alt: Baseline DMVPN topology
-:scale: 40 %
-Baseline DMVPN topology
-:::
-
-## Configuration
-
-### Tunnel interface configuration
-
-NHRP never handles routing of prefixes itself. You need to run some real routing
-protocol (e.g. BGP) to advertise routes over the tunnels. What nhrpd does it
-establishes ‘shortcut routes’ that optimizes the routing protocol to avoid going
-through extra nodes in NBMA GRE mesh.
-
-NHRP does route NHRP domain addresses individually using per-host prefixes.
-This is similar to Cisco FlexVPN, but in contrast to opennhrp which uses
-a generic subnet route.
-
-To create NBMA GRE tunnel you might use the following:
-
-```none
-set interfaces tunnel tun100 address '10.0.0.1/32'
-set interfaces tunnel tun100 enable-multicast
-set interfaces tunnel tun100 encapsulation 'gre'
-set interfaces tunnel tun100 ip adjust-mss '1360'
-set interfaces tunnel tun100 mtu '1400'
-set interfaces tunnel tun100 parameters ip key '42'
-set interfaces tunnel tun100 source-interface 'eth0'
-```
-
-- Please refer to the {ref}`tunnel-interface` documentation for the individual
- tunnel related options.
-
- :::{note}
- The IP-address is assigned as host prefix to tunnel interface.
- NHRP will automatically create additional host routes pointing to tunnel interface
- when a connection with these hosts is established.
- :::
-
-The tunnel interface subnet prefix should be announced by routing protocol
-from the hub nodes (e.g. BGP ‘network’ announce). This allows the routing
-protocol to decide which is the closest hub and determine the relay hub on
-prefix basis when direct tunnel is not established.
-
-### NHRP protocol configuration
-
-```{cfgcmd} set protocols nhrp tunnel \<tunnel\> authentication \<secret\>
-
-Enables Cisco style authentication on NHRP packets. This embeds the
-plaintext password to the outgoing NHRP packets. Maximum length of
-the password is 8 characters.
-```
-
-```{cfgcmd} set protocols nhrp tunnel \<tunnel\> holdtime \<timeout\>
-
-Holdtime is the number of seconds that have to pass before stopping to
-advertise an NHRP NBMA address as valid. It also controls how often NHRP
-registration requests are sent. By default registrations are sent every
-one third of the holdtime
-```
-
-```{cfgcmd} set protocols nhrp tunnel \<tunnel\> map tunnel-ip \<tunnel-ip\> nbma \<nbma-ip\>
-
-* **tunnel-ip** - Tunnel ip address in format **x.x.x.x**.
-* **nbma-ip** - NBMA ip address in format **x.x.x.x** or **local**
-
-Map an IP address of a station to the station’s NBMA address.
-```
-
-```{cfgcmd} set protocols nhrp tunnel \<tunnel\> mtu \<mtu\>
-
-Configure NHRP advertised MTU.
-```
-
-```{cfgcmd} set protocols nhrp tunnel \<tunnel\> multicast \<nbma-ip\>
-
-* **nbma-ip** - NBMA ip address in format **x.x.x.x** or **dynamic**
-
-Sends multicast packets to the specified NBMA address. If dynamic is specified
-then destination NBMA address (or addresses) are learnt dynamically.
-```
-
-```{cfgcmd} set protocols nhrp tunnel \<tunnel\> network-id \<network-id\>
-
-* **network-id** - NHRP network id <1-4294967295>
-
-Enable NHRP on this interface and set the interface’s network ID. The network ID
-is used to allow creating multiple nhrp domains on a router when multiple interfaces
-are configured on the router. Interfaces configured with the same ID are part of the
-same logical NBMA network. The ID is a local only parameter and is not sent to other
-NHRP nodes and so IDs on different nodes do not need to match. When NHRP packets are
-received on an interface they are assigned to the local NHRP domain for that interface.
-```
-
-```{cfgcmd} set protocols nhrp tunnel \<tunnel\> nhs tunnel-ip \<tunnel-ip\> nbma \<nbma-ip\>
-
-* **tunnel-ip** - Tunnel ip address in format **x.x.x.x** or **dynamic**
-* **nbma-ip** - NBMA ip address in format **x.x.x.x**
-
-Configure the Next Hop Server address and its NBMA address. If dynamic is specified
-then Next Hop Server can have dynamic address which maps to its NBMA address.
-```
-
-```{cfgcmd} set protocols nhrp tunnel \<tunnel\> redirect
-
-This enable redirect replies on the NHS similar to ICMP redirects except this is
-managed by the nhrp protocol. This setting allows spokes to communicate with each
-others directly.
-```
-
-```{cfgcmd} set protocols nhrp tunnel \<tunnel\> registration-no-unique
-
-Allow the client to not set the unique flag in the NHRP packets. This is useful when
-a station has a dynamic IP address that could change over time.
-```
-
-```{cfgcmd} set protocols nhrp tunnel \<tunnel\> shortcut
-
-Enable shortcut (spoke-to-spoke) tunnels to allow NHC to talk to each others directly
-after establishing a connection without going through the hub.
-```
-
-
-### IPSEC configuration
-
-- Please refer to the {ref}`ipsec_general` documentation for the individual IPSec
- related options.
-
-:::{note}
-NHRP daemon based on FRR nhrpd. It controls IPSEC. That's why 'close-action'
-parameter in IKE configuration always is set to 'close' and 'dead-peer-detection action'
-always is set to 'clear'.
-:::
-
-```{cfgcmd} set vpn ipsec profile \<profile-name\> authentication mode pre-shared-secret
-
-Set preshared secret mode authentication
-```
-
-```{cfgcmd} set vpn ipsec profile \<profile-name\> authentication pre-shared-secret \<secret\>
-
-Set preshared secret
-```
-
-```{cfgcmd} set vpn ipsec profile \<profile-name\> bind tunnel \<tunnel name\>
-
-Bind IPSEC profile to the specific tunnel interface.
-```
-
-```{cfgcmd} set vpn ipsec profile \<profile-name\> esp-group 'ESP-HUB'
-
-Map ESP group to IPSEC profile
-```
-
-```{cfgcmd} set vpn ipsec profile \<profile-name\> ike-group 'IKE-HUB'
-
-Map IKE group to IPSEC profile
-```
-
-
-## Monitoring
-
-```{opcmd} show ip nhrp cache
-
-Forwarding cache information.
-```
-
-```{opcmd} show ip nhrp nhs
-
-Next hop server information.
-```
-
-```{opcmd} show ip nhrp shortcut
-
-Shortcut information.
-```
-
-
-## Example
-
-This blueprint uses VyOS as the DMVPN Hub and Cisco IOSv 15.5(3)M and VyOS as
-multiple spoke sites.
-
-:::{figure} /_static/images/blueprint-dmvpn.webp
-:align: center
-:alt: DMVPN Network Topology Diagram
-:width: 70%
-DMVPN Network Topology Diagram
-:::
-
-Each node (Hub and Spoke) uses an IP address from the network 10.0.0.0/24.
-
-The below referenced IP address `192.168.0.2` is used as example address
-representing a global unicast address under which the HUB can be contacted by
-each and every individual spoke.
-(dmvpn-example-configuration)=
-
-### Configuration
-
-#### Hub
-
-##### VyOS-HUB-1
-
-```none
-set interfaces ethernet eth0 address '192.168.0.2/30'
-
-set interfaces tunnel tun100 address '10.0.0.100/32'
-set interfaces tunnel tun100 enable-multicast
-set interfaces tunnel tun100 encapsulation 'gre'
-set interfaces tunnel tun100 parameters ip key '42'
-set interfaces tunnel tun100 source-interface 'eth0'
-
-set protocols nhrp tunnel tun100 authentication 'test123'
-set protocols nhrp tunnel tun100 holdtime '300'
-set protocols nhrp tunnel tun100 multicast 'dynamic'
-set protocols nhrp tunnel tun100 network-id '1'
-set protocols nhrp tunnel tun100 redirect
-set protocols nhrp tunnel tun100 registration-no-unique
-
-set protocols static route 0.0.0.0/0 next-hop 192.168.0.1
-
-set vpn ipsec esp-group ESP-HUB lifetime '1800'
-set vpn ipsec esp-group ESP-HUB mode 'transport'
-set vpn ipsec esp-group ESP-HUB pfs 'dh-group2'
-set vpn ipsec esp-group ESP-HUB proposal 1 encryption 'aes256'
-set vpn ipsec esp-group ESP-HUB proposal 1 hash 'sha1'
-set vpn ipsec ike-group IKE-HUB key-exchange 'ikev1'
-set vpn ipsec ike-group IKE-HUB lifetime '3600'
-set vpn ipsec ike-group IKE-HUB proposal 1 dh-group '2'
-set vpn ipsec ike-group IKE-HUB proposal 1 encryption 'aes256'
-set vpn ipsec ike-group IKE-HUB proposal 1 hash 'sha1'
-set vpn ipsec interface 'eth0'
-set vpn ipsec profile NHRPVPN authentication mode 'pre-shared-secret'
-set vpn ipsec profile NHRPVPN authentication pre-shared-secret 'secret'
-set vpn ipsec profile NHRPVPN bind tunnel 'tun100'
-set vpn ipsec profile NHRPVPN esp-group 'ESP-HUB'
-set vpn ipsec profile NHRPVPN ike-group 'IKE-HUB'
-```
-
-:::{note}
-Setting this up on AWS will require a "Custom Protocol Rule" for
-protocol number "47" (GRE) Allow Rule in TWO places. Firstly on the VPC
-Network ACL, and secondly on the security group network ACL attached to the
-EC2 instance. This has been tested as working for the official AMI image on
-the AWS Marketplace. (Locate the correct VPC and security group by navigating
-through the details pane below your EC2 instance in the AWS console).
-:::
-
-#### Spokes
-
-> The individual spoke configurations only differ in interface IP addresses.
-
-##### VyOS-Spoke-1 and VyOS-Spoke-2
-
-```none
-set interfaces ethernet eth0 address '192.168.1.2/30'
-
-set interfaces tunnel tun100 address '10.0.0.1/32'
-set interfaces tunnel tun100 enable-multicast
-set interfaces tunnel tun100 encapsulation 'gre'
-set interfaces tunnel tun100 parameters ip key '42'
-set interfaces tunnel tun100 source-interface 'eth0'
-
-set protocols nhrp tunnel tun100 authentication 'test123'
-set protocols nhrp tunnel tun100 holdtime '300'
-set protocols nhrp tunnel tun100 multicast 'dynamic'
-set protocols nhrp tunnel tun100 network-id '1'
-set protocols nhrp tunnel tun100 nhs tunnel-ip dynamic nbma '192.168.0.2'
-set protocols nhrp tunnel tun100 registration-no-unique
-set protocols nhrp tunnel tun100 shortcut
-
-set protocols static route 0.0.0.0/0 next-hop 192.168.1.1
-set protocols static route 10.0.0.0/24 next-hop 10.0.0.100
-
-set vpn ipsec esp-group ESP-HUB lifetime '1800'
-set vpn ipsec esp-group ESP-HUB mode 'transport'
-set vpn ipsec esp-group ESP-HUB pfs 'dh-group2'
-set vpn ipsec esp-group ESP-HUB proposal 1 encryption 'aes256'
-set vpn ipsec esp-group ESP-HUB proposal 1 hash 'sha1'
-set vpn ipsec ike-group IKE-HUB key-exchange 'ikev1'
-set vpn ipsec ike-group IKE-HUB lifetime '3600'
-set vpn ipsec ike-group IKE-HUB proposal 1 dh-group '2'
-set vpn ipsec ike-group IKE-HUB proposal 1 encryption 'aes256'
-set vpn ipsec ike-group IKE-HUB proposal 1 hash 'sha1'
-set vpn ipsec interface 'eth0'
-set vpn ipsec profile NHRPVPN authentication mode 'pre-shared-secret'
-set vpn ipsec profile NHRPVPN authentication pre-shared-secret 'secret'
-set vpn ipsec profile NHRPVPN bind tunnel 'tun100'
-set vpn ipsec profile NHRPVPN esp-group 'ESP-HUB'
-set vpn ipsec profile NHRPVPN ike-group 'IKE-HUB'
-```
-
-
-##### Cisco-Spoke-3
-
-```none
-crypto isakmp policy 10
- encr aes 256
- authentication pre-share
- group 2
- lifetime 3600
-crypto isakmp key secret address 0.0.0.0
-!
-!
-crypto ipsec transform-set DMVPNESP esp-aes 256 esp-sha-hmac
- mode transport
-!
-crypto ipsec profile DMVPNPROFILE
- set security-association lifetime seconds 1800
- set transform-set DMVPNESP
- set pfs group2
-!
-!
-!
-!
-!
-!
-!
-interface Tunnel100
- ip address 10.0.0.3 255.255.255.0
- no ip redirects
- ip nhrp authentication test123
- ip nhrp map multicast dynamic
- ip nhrp network-id 1
- ip nhrp holdtime 300
- ip nhrp nhs 10.0.0.100 nbma 192.168.0.2
- ip nhrp registration no-unique
- ip nhrp redirect
-tunnel source GigabitEthernet0/0
- tunnel mode gre multipoint
- tunnel key 42
- tunnel protection ipsec profile DMVPNPROFILE
-!
-interface GigabitEthernet0/0
- ip address 192.168.3.2 255.255.255.252
- duplex auto
- speed auto
- media-type rj45
-!
-ip route 0.0.0.0 0.0.0.0 192.168.3.1
-```
-
-
-##### Monitoring DMVPN Network
-
-Let send ICMP packets from VyOS-SPOKE-1 to Cisco-SPOKE-3
-
-```none
-vyos@vyos:~$ ping 10.0.0.3
-PING 10.0.0.3 (10.0.0.3) 56(84) bytes of data.
-64 bytes from 10.0.0.3: icmp_seq=1 ttl=255 time=3.44 ms
-64 bytes from 10.0.0.3: icmp_seq=2 ttl=255 time=3.07 ms
-^C
---- 10.0.0.3 ping statistics ---
-2 packets transmitted, 2 received, 0% packet loss, time 1002ms
-rtt min/avg/max/mdev = 3.072/3.257/3.442/0.185 ms
-```
-
-
-##### Monitoring on HUB
-
-```none
-vyos@vyos:~$ show ip nhrp cache
-Iface Type Protocol NBMA Claimed NBMA Flags Identity
-tun100 dynamic 10.0.0.1 192.168.1.2 192.168.1.2 T 192.168.1.2
-tun100 dynamic 10.0.0.3 192.168.3.2 192.168.3.2 T 192.168.3.2
-tun100 dynamic 10.0.0.2 192.168.2.2 192.168.2.2 T 192.168.2.2
-tun100 local 10.0.0.100 192.168.0.2 192.168.0.2 -
-
-vyos@vyos:~$ show vpn ipsec sa
-Connection State Uptime Bytes In/Out Packets In/Out Remote address Remote ID Proposal
--------------------------- ------- -------- -------------- ---------------- ---------------- ----------- ----------------------------------
-dmvpn-NHRPVPN-tun100-child up 3m46s 230B/270B 2/2 192.168.1.2 192.168.1.2 AES_CBC_256/HMAC_SHA1_96/MODP_1024
-dmvpn-NHRPVPN-tun100-child up 5m48s 460B/540B 4/4 192.168.2.2 192.168.2.2 AES_CBC_256/HMAC_SHA1_96/MODP_1024
-dmvpn-NHRPVPN-tun100-child up 16m26s 1K/1K 13/12 192.168.3.2 192.168.3.2 AES_CBC_256/HMAC_SHA1_96/MODP_1024
-```
-
-
-##### Monitoring on Spokes
-
-```none
-vyos@vyos:~$ show ip nhrp cache
-Iface Type Protocol NBMA Claimed NBMA Flags Identity
-tun100 local 10.0.0.1 192.168.1.2 192.168.1.2 -
-tun100 dynamic 10.0.0.3 192.168.3.2 192.168.3.2 T 192.168.3.2
-tun100 nhs 10.0.0.100 192.168.0.2 192.168.0.2 T 192.168.0.2
-
-vyos@vyos:~$ show ip nhrp nhs
-Iface FQDN NBMA Protocol
-tun100 192.168.0.2 192.168.0.2 10.0.0.100
-
-vyos@vyos:~$ show ip nhrp shortcut
-Type Prefix Via Identity
-dynamic 10.0.0.3/32 10.0.0.3 192.168.3.2
-
-vyos@vyos:~$ show vpn ipsec sa
-Connection State Uptime Bytes In/Out Packets In/Out Remote address Remote ID Proposal
--------------------------- ------- -------- -------------- ---------------- ---------------- ----------- ----------------------------------
-dmvpn-NHRPVPN-tun100-child up 6m43s 898B/695B 7/6 192.168.0.2 192.168.0.2 AES_CBC_256/HMAC_SHA1_96/MODP_1024
-dmvpn-NHRPVPN-tun100-child up 49s 215B/187B 2/2 192.168.3.2 192.168.3.2 AES_CBC_256/HMAC_SHA1_96/MODP_1024
-```
diff --git a/docs/configuration/vpn/md-index.md b/docs/configuration/vpn/md-index.md
deleted file mode 100644
index 9b06e5df..00000000
--- a/docs/configuration/vpn/md-index.md
+++ /dev/null
@@ -1,14 +0,0 @@
-# VPN
-
-```{toctree}
-:includehidden: true
-:maxdepth: 1
-
-ipsec/index
-l2tp
-openconnect
-pptp
-rsa-keys
-sstp
-dmvpn
-```
diff --git a/docs/configuration/vpn/md-l2tp.md b/docs/configuration/vpn/md-l2tp.md
deleted file mode 100644
index d932d095..00000000
--- a/docs/configuration/vpn/md-l2tp.md
+++ /dev/null
@@ -1,624 +0,0 @@
-(l2tp)=
-
-# L2TP
-
-VyOS utilizes [accel-ppp] to provide L2TP server functionality. It can be used
-with local authentication or a connected RADIUS server.
-
-## Configuring L2TP Server
-
-```none
-set vpn l2tp remote-access authentication mode local
-set vpn l2tp remote-access authentication local-users username test password 'test'
-set vpn l2tp remote-access client-ip-pool L2TP-POOL range 192.168.255.2-192.168.255.254
-set vpn l2tp remote-access default-pool 'L2TP-POOL'
-set vpn l2tp remote-access outside-address 192.0.2.2
-set vpn l2tp remote-access gateway-address 192.168.255.1
-```
-
-```{cfgcmd} set vpn l2tp remote-access authentication mode \<local | radius\>
-
-Set authentication backend. The configured authentication backend is used
-for all queries.
-
-* **radius**: All authentication queries are handled by a configured RADIUS
- server.
-* **local**: All authentication queries are handled locally.
-```
-
-
-```{cfgcmd} set vpn l2tp remote-access authentication local-users username \<user\> password \<pass\>
-
-Create `<user>` for local authentication on this system. The users password
-will be set to `<pass>`.
-```
-
-
-```{cfgcmd} set vpn l2tp remote-access client-ip-pool \<POOL-NAME\> range \<x.x.x.x-x.x.x.x | x.x.x.x/x\>
-
-Use this command to define the first IP address of a pool of
-addresses to be given to l2tp clients. If notation ``x.x.x.x-x.x.x.x``,
-it must be within a /24 subnet. If notation ``x.x.x.x/x`` is
-used there is possibility to set host/netmask.
-```
-
-
-```{cfgcmd} set vpn l2tp remote-access default-pool \<POOL-NAME\>
-
-Use this command to define default address pool name.
-```
-
-
-```{cfgcmd} set vpn l2tp remote-access gateway-address \<gateway\>
-
-Specifies single `<gateway>` IP address to be used as local address of PPP
-interfaces.
-```
-
-
-## Configuring IPsec
-
-```none
-set vpn ipsec interface eth0
-set vpn l2tp remote-access ipsec-settings authentication mode pre-shared-secret
-set vpn l2tp remote-access ipsec-settings authentication pre-shared-secret secret
-```
-
-
-```{cfgcmd} set vpn ipsec interface \<INTERFACE\>
-
-Use this command to define IPsec interface.
-```
-
-
-```{cfgcmd} set vpn l2tp remote-access ipsec-settings authentication mode \<pre-shared-secret | x509\>
-
-Set mode for IPsec authentication between VyOS and L2TP clients.
-```
-
-
-```{cfgcmd} set vpn l2tp remote-access ipsec-settings authentication pre-shared-secret \<secret\>
-
-Set predefined shared secret phrase.
-```
-
-If a local firewall policy is in place on your external interface you will need
-to allow the ports below:
-- UDP port 500 (IKE)
-- IP protocol number 50 (ESP)
-- UDP port 1701 for IPsec
-
-As well as the below to allow NAT-traversal (when NAT is detected by the
-VPN client, ESP is encapsulated in UDP for NAT-traversal):
-
-- UDP port 4500 (NAT-T)
-
-Example:
-
-```none
-set firewall ipv4 name OUTSIDE-LOCAL rule 40 action 'accept'
-set firewall ipv4 name OUTSIDE-LOCAL rule 40 protocol 'esp'
-set firewall ipv4 name OUTSIDE-LOCAL rule 41 action 'accept'
-set firewall ipv4 name OUTSIDE-LOCAL rule 41 destination port '500'
-set firewall ipv4 name OUTSIDE-LOCAL rule 41 protocol 'udp'
-set firewall ipv4 name OUTSIDE-LOCAL rule 42 action 'accept'
-set firewall ipv4 name OUTSIDE-LOCAL rule 42 destination port '4500'
-set firewall ipv4 name OUTSIDE-LOCAL rule 42 protocol 'udp'
-set firewall ipv4 name OUTSIDE-LOCAL rule 43 action 'accept'
-set firewall ipv4 name OUTSIDE-LOCAL rule 43 destination port '1701'
-set firewall ipv4 name OUTSIDE-LOCAL rule 43 ipsec 'match-ipsec'
-set firewall ipv4 name OUTSIDE-LOCAL rule 43 protocol 'udp'
-```
-
-To allow VPN-clients access via your external address, a NAT rule is required:
-
-```none
-set nat source rule 110 outbound-interface name 'eth0'
-set nat source rule 110 source address '192.168.255.0/24'
-set nat source rule 110 translation address masquerade
-```
-
-
-## Configuring RADIUS authentication
-
-To enable RADIUS based authentication, the authentication mode needs to be
-changed within the configuration. Previous settings like the local users, still
-exists within the configuration, however they are not used if the mode has been
-changed from local to radius. Once changed back to local, it will use all local
-accounts again.
-
-```none
-set vpn l2tp remote-access authentication mode radius
-```
-
-```{cfgcmd} set vpn l2tp remote-access authentication radius server \<server\> key \<secret\>
-
-Configure RADIUS `<server>` and its required shared `<secret>` for
-communicating with the RADIUS server.
-```
-
-Since the RADIUS server would be a single point of failure, multiple RADIUS
-servers can be setup and will be used subsequentially.
-For example:
-
-```none
-set vpn l2tp remote-access authentication radius server 10.0.0.1 key 'foo'
-set vpn l2tp remote-access authentication radius server 10.0.0.2 key 'foo'
-```
-
-:::{note}
-Some RADIUS severs use an access control list which allows or denies
-queries, make sure to add your VyOS router to the allowed client list.
-:::
-
-### RADIUS source address
-
-If you are using OSPF as your IGP, use the interface connected closest to the
-RADIUS server. You can bind all outgoing RADIUS requests to a single source IP
-e.g. the loopback interface.
-
-```{cfgcmd} set vpn l2tp remote-access authentication radius source-address \<address\>
-
-Source IPv4 address used in all RADIUS server queires.
-```
-
-:::{note}
-The `source-address` must be configured to that of an interface.
-Best practice would be a loopback or dummy interface.
-:::
-
-### RADIUS advanced options
-
-```{cfgcmd} set vpn l2tp remote-access authentication radius server \<server\> port \<port\>
-
-Configure RADIUS `<server>` and its required port for authentication requests.
-```
-
-```{cfgcmd} set vpn l2tp remote-access authentication radius server \<server\> fail-time \<time\>
-
-Mark RADIUS server as offline for this given `<time>` in seconds.
-```
-
-```{cfgcmd} set vpn l2tp remote-access authentication radius server \<server\> disable
-
-Temporary disable this RADIUS server.
-```
-
-```{cfgcmd} set vpn l2tp remote-access authentication radius acct-timeout \<timeout\>
-
-Timeout to wait reply for Interim-Update packets. (default 3 seconds)
-```
-
-```{cfgcmd} set vpn l2tp remote-access authentication radius dynamic-author server \<address\>
-
-Specifies IP address for Dynamic Authorization Extension server (DM/CoA).
-This IP must exist on any VyOS interface or it can be ``0.0.0.0``.
-```
-
-```{cfgcmd} set vpn l2tp remote-access authentication radius dynamic-author port \<port\>
-
-UDP port for Dynamic Authorization Extension server (DM/CoA)
-```
-
-```{cfgcmd} set vpn l2tp remote-access authentication radius dynamic-author key \<secret\>
-
-Secret for Dynamic Authorization Extension server (DM/CoA)
-```
-
-```{cfgcmd} set vpn l2tp remote-access authentication radius max-try \<number\>
-
-Maximum number of tries to send Access-Request/Accounting-Request queries
-```
-
-```{cfgcmd} set vpn l2tp remote-access authentication radius timeout \<timeout\>
-
-Timeout to wait response from server (seconds)
-```
-
-```{cfgcmd} set vpn l2tp remote-access authentication radius nas-identifier \<identifier\>
-
-Value to send to RADIUS server in NAS-Identifier attribute and to be matched
-in DM/CoA requests.
-```
-
-```{cfgcmd} set vpn l2tp remote-access authentication radius nas-ip-address \<address\>
-
-Value to send to RADIUS server in NAS-IP-Address attribute and to be matched
-in DM/CoA requests. Also DM/CoA server will bind to that address.
-```
-
-```{cfgcmd} set vpn l2tp remote-access authentication radius source-address \<address\>
-
-Source IPv4 address used in all RADIUS server queires.
-```
-
-```{cfgcmd} set vpn l2tp remote-access authentication radius rate-limit attribute \<attribute\>
-
-Specifies which RADIUS server attribute contains the rate limit information.
-The default attribute is `Filter-Id`.
-```
-
-:::{note}
-If you set a custom RADIUS attribute you must define it on both
-dictionaries on the RADIUS server and client.
-:::
-
-```{cfgcmd} set vpn l2tp remote-access authentication radius rate-limit enable
-
-Enables bandwidth shaping via RADIUS.
-```
-
-```{cfgcmd} set vpn l2tp remote-access authentication radius rate-limit vendor
-
-Specifies the vendor dictionary. This dictionary needs to be present in
-/usr/share/accel-ppp/radius.
-```
-
-Received RADIUS attributes have a higher priority than parameters defined within
-the CLI configuration, refer to the explanation below.
-
-### Allocation clients ip addresses by RADIUS
-
-If the RADIUS server sends the attribute `Framed-IP-Address` then this IP
-address will be allocated to the client and the option `default-pool` within
-the CLI config will be ignored.
-
-If the RADIUS server sends the attribute `Framed-Pool`, then the IP address
-will be allocated from a predefined IP pool whose name equals the attribute
-value.
-
-If the RADIUS server sends the attribute `Stateful-IPv6-Address-Pool`, the
-IPv6 address will be allocated from a predefined IPv6 pool `prefix` whose
-name equals the attribute value.
-
-If the RADIUS server sends the attribute `Delegated-IPv6-Prefix-Pool`, an
-IPv6 delegation prefix will be allocated from a predefined IPv6 pool
-`delegate` whose name equals the attribute value.
-
-:::{note}
-`Stateful-IPv6-Address-Pool` and `Delegated-IPv6-Prefix-Pool` are defined in
-RFC6911. If they are not defined in your RADIUS server, add new [dictionary].
-:::
-
-The client's interface can be put into a VRF context via a RADIUS Access-Accept
-packet, or changed via RADIUS CoA. `Accel-VRF-Name` is used for these
-purposes. This is a custom [ACCEL-PPP attribute]. Define it in your RADIUS
-server.
-
-### Renaming clients interfaces by RADIUS
-
-If the RADIUS server uses the attribute `NAS-Port-Id`, ppp tunnels will be
-renamed.
-
-:::{note}
-The value of the attribute `NAS-Port-Id` must be less than 16
-characters, otherwise the interface won't be renamed.
-:::
-
-## Configuring LNS (L2TP Network Server)
-
-LNS are often used to connect to a LAC (L2TP Access Concentrator).
-
-```{cfgcmd} set vpn l2tp remote-access lns host-name \<hostname\>
-
-Sent to the client (LAC) in the Host-Name attribute
-```
-
-```{cfgcmd} set vpn l2tp remote-access lns shared-secret \<secret\>
-
-Tunnel password used to authenticate the client (LAC)
-```
-
-To explain the usage of LNS follow our blueprint {ref}`examples-lac-lns`.
-
-## IPv6
-
-```{cfgcmd} set vpn l2tp remote-access ppp-options ipv6 \<require | prefer | allow | deny\>
-
-Specifies IPv6 negotiation preference.
-* **require** - Require IPv6 negotiation
-* **prefer** - Ask client for IPv6 negotiation, do not fail if it rejects
-* **allow** - Negotiate IPv6 only if client requests
-* **deny** - Do not negotiate IPv6 (default value)
-```
-
-```{cfgcmd} set vpn l2tp remote-access client-ipv6-pool \<IPv6-POOL-NAME\> prefix \<address\> mask \<number-of-bits\>
-
-Use this comand to set the IPv6 address pool from which an l2tp client will
-get an IPv6 prefix of your defined length (mask) to terminate the l2tp
-endpoint at their side. The mask length can be set between 48 and 128 bits
-long, the default value is 64.
-```
-
-```{cfgcmd} set vpn l2tp remote-access client-ipv6-pool \<IPv6-POOL-NAME\> delegate \<address\> delegation-prefix \<number-of-bits\>
-
-Use this command to configure DHCPv6 Prefix Delegation (RFC3633) on l2tp.
-You will have to set your IPv6 pool and the length of the delegation
-prefix. From the defined IPv6 pool you will be handing out networks of the
-defined length (delegation-prefix). The length of the delegation prefix can
-be between 32 and 64 bits long.
-```
-
-```{cfgcmd} set vpn l2tp remote-access default-ipv6-pool \<IPv6-POOL-NAME\>
-
-Use this command to define default IPv6 address pool name.
-```
-
-```none
-set vpn l2tp remote-access ppp-options ipv6 allow
-set vpn l2tp remote-access client-ipv6-pool IPv6-POOL delegate '2001:db8:8003::/48' delegation-prefix '56'
-set vpn l2tp remote-access client-ipv6-pool IPv6-POOL prefix '2001:db8:8002::/48' mask '64'
-set vpn l2tp remote-access default-ipv6-pool IPv6-POOL
-```
-
-
-### IPv6 Advanced Options
-
-```{cfgcmd} set vpn l2tp remote-access ppp-options ipv6-accept-peer-interface-id
-
-Accept peer interface identifier. By default this is not defined.
-```
-
-```{cfgcmd} set vpn l2tp remote-access ppp-options ipv6-interface-id \<random | x:x:x:x\>
-
-Specifies if a fixed or random interface identifier is used for IPv6. The
-default is fixed.
-* **random** - Random interface identifier for IPv6
-* **x:x:x:x** - Specify interface identifier for IPv6
-```
-
-```{cfgcmd} set vpn l2tp remote-access ppp-options ipv6-interface-id \<random | x:x:x:x\>
-
-Specifies the peer interface identifier for IPv6. The default is fixed.
-* **random** - Random interface identifier for IPv6
-* **x:x:x:x** - Specify interface identifier for IPv6
-* **ipv4-addr** - Calculate interface identifier from IPv4 address.
-* **calling-sid** - Calculate interface identifier from calling-station-id.
-```
-
-
-## Scripting
-
-```{cfgcmd} set vpn l2tp remote-access extended-scripts on-change \<path_to_script\>
-
-Script to run when the session interface is changed by RADIUS CoA handling
-```
-
-```{cfgcmd} set vpn l2tp remote-access extended-scripts on-down \<path_to_script\>
-
-Script to run when the session interface is about to terminate
-```
-
-```{cfgcmd} set vpn l2tp remote-access extended-scripts on-pre-up \<path_to_script\>
-
-Script to run before the session interface comes up
-```
-
-```{cfgcmd} set vpn l2tp remote-access extended-scripts on-up \<path_to_script\>
-
-Script to run when the session interface is completely configured and started
-```
-
-
-## Advanced Options
-
-### Authentication Advanced Options
-
-```{cfgcmd} set vpn l2tp remote-access authentication local-users username \<user\> disable
-
-Disable `<user>` account.
-```
-
-```{cfgcmd} set vpn l2tp remote-access authentication local-users username \<user\> static-ip \<address\>
-
-Assign a static IP address to `<user>` account.
-```
-
-```{cfgcmd} set vpn l2tp remote-access authentication local-users username \<user\> rate-limit download \<bandwidth\>
-
-Rate limit the download bandwidth for `<user>` to `<bandwidth>` kbit/s.
-```
-
-```{cfgcmd} set vpn l2tp remote-access authentication local-users username \<user\> rate-limit upload \<bandwidth\>
-
-Rate limit the upload bandwidth for `<user>` to `<bandwidth>` kbit/s
-```
-
-```{cfgcmd} set vpn l2tp remote-access authentication protocols \<pap | chap | mschap | mschap-v2\>
-
-Require the peer to authenticate itself using one of the following protocols:
-pap, chap, mschap, mschap-v2.
-```
-
-
-### Client IP Pool Advanced Options
-
-```{cfgcmd} set vpn l2tp remote-access client-ip-pool \<POOL-NAME\> next-pool \<NEXT-POOL-NAME\>
-
-Use this command to define the next address pool name.
-```
-
-
-### PPP Advanced Options
-
-```{cfgcmd} set vpn l2tp remote-access ppp-options disable-ccp
-
-Disable Compression Control Protocol (CCP).
-CCP is enabled by default.
-```
-
-```{cfgcmd} set vpn l2tp remote-access ppp-options interface-cache \<number\>
-
-Specifies number of interfaces to cache. This prevents interfaces from being
-removed once the corresponding session is destroyed. Instead, interfaces are
-cached for later use in new sessions. This should reduce the kernel-level
-interface creation/deletion rate.
-Default value is **0**.
-```
-
-```{cfgcmd} set vpn l2tp remote-access ppp-options ipv4 \<require | prefer | allow | deny\>
-
-Specifies IPv4 negotiation preference.
-* **require** - Require IPv4 negotiation
-* **prefer** - Ask client for IPv4 negotiation, do not fail if it rejects
-* **allow** - Negotiate IPv4 only if client requests (Default value)
-* **deny** - Do not negotiate IPv4
-```
-
-```{cfgcmd} set vpn l2tp remote-access ppp-options lcp-echo-failure \<number\>
-
-Defines the maximum `<number>` of unanswered echo requests. Upon reaching the
-value `<number>`, the session will be reset. Default value is **3**.
-```
-
-```{cfgcmd} set vpn l2tp remote-access ppp-options lcp-echo-interval \<interval\>
-
-If this option is specified and is greater than 0, then the PPP module will
-send LCP echo requests every `<interval>` seconds.
-Default value is **30**.
-```
-
-```{cfgcmd} set vpn l2tp remote-access ppp-options lcp-echo-timeout
-
-Specifies timeout in seconds to wait for any peer activity. If this option is
-specified it turns on adaptive lcp echo functionality and "lcp-echo-failure"
-is not used. Default value is **0**.
-```
-
-```{cfgcmd} set vpn l2tp remote-access ppp-options min-mtu \<number\>
-
-Defines the minimum acceptable MTU. If a client tries to negotiate an MTU
-lower than this it will be NAKed, and disconnected if it rejects a greater
-MTU.
-Default value is **100**.
-```
-
-```{cfgcmd} set vpn l2tp remote-access ppp-options mppe \<require | prefer | deny\>
-
-Specifies {abbr}`MPPE (Microsoft Point-to-Point Encryption)` negotiation
-preference.
-* **require** - ask client for mppe, if it rejects drop connection
-* **prefer** - ask client for mppe, if it rejects don't fail. (Default value)
-* **deny** - deny mppe
-
-Default behavior - don't ask the client for mppe, but allow it if the client
-wants. Please note that RADIUS may override this option with the
-MS-MPPE-Encryption-Policy attribute.
-```
-
-```{cfgcmd} set vpn l2tp remote-access ppp-options mru \<number\>
-
-Defines preferred MRU. By default is not defined.
-```
-
-
-### Global Advanced options
-
-```{cfgcmd} set vpn l2tp remote-access description \<description\>
-
-Set description.
-```
-
-```{cfgcmd} set vpn l2tp remote-access limits burst \<value\>
-
-Burst count
-```
-
-```{cfgcmd} set vpn l2tp remote-access limits connection-limit \<value\>
-
-Maximum accepted connection rate (e.g. 1/min, 60/sec)
-```
-
-```{cfgcmd} set vpn l2tp remote-access limits timeout \<value\>
-
-Timeout in seconds
-```
-
-```{cfgcmd} set vpn l2tp remote-access mtu
-
-Maximum Transmission Unit (MTU) (default: **1436**)
-```
-
-```{cfgcmd} set vpn l2tp remote-access max-concurrent-sessions
-
-Maximum number of concurrent session start attempts
-```
-
-```{cfgcmd} set vpn l2tp remote-access name-server \<address\>
-
-Connected clients should use `<address>` as their DNS server. This command
-accepts both IPv4 and IPv6 addresses. Up to two nameservers can be configured
-for IPv4, up to three for IPv6.
-```
-
-```{cfgcmd} set vpn l2tp remote-access shaper fwmark \<1-2147483647\>
-
-Match firewall mark value
-```
-
-```{cfgcmd} set vpn l2tp remote-access snmp master-agent
-
-Enable SNMP
-```
-
-```{cfgcmd} set vpn l2tp remote-access wins-server \<address\>
-
-Windows Internet Name Service (WINS) servers propagated to client
-```
-
-
-## Monitoring
-
-```none
-vyos@vyos:~$ show l2tp-server sessions
- ifname | username | ip | ip6 | ip6-dp | calling-sid | rate-limit | state | uptime | rx-bytes | tx-bytes
---------+----------+---------------+-----+--------+-------------+------------+--------+----------+----------+----------
- l2tp0 | test | 192.168.255.3 | | | 192.168.0.36 | | active | 02:01:47 | 7.7 KiB | 1.2 KiB
-```
-
-```none
-vyos@vyos:~$ show l2tp-server statistics
- uptime: 0.02:49:49
-cpu: 0%
-mem(rss/virt): 5920/100892 kB
-core:
- mempool_allocated: 133202
- mempool_available: 131770
- thread_count: 1
- thread_active: 1
- context_count: 5
- context_sleeping: 0
- context_pending: 0
- md_handler_count: 3
- md_handler_pending: 0
- timer_count: 0
- timer_pending: 0
-sessions:
- starting: 0
- active: 0
- finishing: 0
-l2tp:
- tunnels:
- starting: 0
- active: 0
- finishing: 0
- sessions (control channels):
- starting: 0
- active: 0
- finishing: 0
- sessions (data channels):
- starting: 0
- active: 0
- finishing: 0
-```
-
-[accel-ppp]: https://accel-ppp.org/
-[accel-ppp attribute]: https://github.com/accel-ppp/accel-ppp/blob/master/accel-pppd/radius/dict/dictionary.accel
-[cloudflare]: https://blog.cloudflare.com/announcing-1111
-[dictionary]: https://github.com/accel-ppp/accel-ppp/blob/master/accel-pppd/radius/dict/dictionary.rfc6911
-[freeradius]: https://freeradius.org
-[google public dns]: https://developers.google.com/speed/public-dns
-[network policy server]: <https://en.wikipedia.org/wiki/Network_Policy_Server>
-[opennic]: https://www.opennic.org/
-[quad9]: https://quad9.net
-[radius]: https://en.wikipedia.org/wiki/RADIUS
diff --git a/docs/configuration/vpn/md-openconnect.md b/docs/configuration/vpn/md-openconnect.md
deleted file mode 100644
index 0bf804ff..00000000
--- a/docs/configuration/vpn/md-openconnect.md
+++ /dev/null
@@ -1,330 +0,0 @@
-(vpn-openconnect)=
-
-# OpenConnect
-
-```{todo}
-Convert raw command blocks in this file to cfgcmd/opcmd
-directives for command coverage tracking.
-```
-
-OpenConnect-compatible server feature has been available since Equuleus (1.3).
-Openconnect VPN supports SSL connection and offers full network access. SSL VPN
-network extension connects the end-user system to the corporate network with
-access controls based only on network layer information, such as destination IP
-address and port number. So, it provides safe communication for all types of
-device traffic across public networks and private networks, also encrypts the
-traffic with SSL protocol.
-
-The remote user will use the openconnect client to connect to the router and
-will receive an IP address from a VPN pool, allowing full access to the
-network.
-
-## Configuration
-
-### SSL Certificates
-
-We need to generate the certificate which authenticates users who attempt to
-access the network resource through the SSL VPN tunnels. The following commands
-will create a self signed certificates and will be stored in configuration:
-
-```none
-run generate pki ca install <CA name>
-run generate pki certificate sign <CA name> install <Server name>
-```
-
-We can also create the certificates using Certbot which is an easy-to-use
-client that fetches a certificate from Let's Encrypt an open certificate
-authority launched by the EFF, Mozilla, and others and deploys it to a web
-server.
-
-```none
-sudo certbot certonly --standalone --preferred-challenges http -d <domain name>
-```
-
-
-### Server Configuration
-
-```none
-set vpn openconnect authentication local-users username <user> password <pass>
-set vpn openconnect authentication mode <local password|radius|certificate>
-set vpn openconnect network-settings client-ip-settings subnet <subnet>
-set vpn openconnect network-settings name-server <address>
-set vpn openconnect network-settings name-server <address>
-set vpn openconnect ssl ca-certificate <pki-ca-name>
-set vpn openconnect ssl certificate <pki-cert-name>
-set vpn openconnect ssl passphrase <pki-password>
-```
-
-
-### 2FA OTP support
-
-Instead of password only authentication, 2FA password
-authentication + OTP key can be used. Alternatively, OTP authentication only,
-without a password, can be used.
-To do this, an OTP configuration must be added to the configuration above:
-
-```none
-set vpn openconnect authentication mode local <password-otp|otp>
-set vpn openconnect authentication local-users username <user> otp <key>
-set vpn openconnect authentication local-users username <user> interval <interval (optional)>
-set vpn openconnect authentication local-users username <user> otp-length <otp-length (optional)>
-set vpn openconnect authentication local-users username <user> token-type <token-type (optional)>
-```
-
-For generating an OTP key in VyOS, you can use the CLI command
-(operational mode):
-
-```none
-generate openconnect username <user> otp-key hotp-time
-```
-
-
-### User Certificate Authentication
-
-You can configure users to be authenticated by certificate by setting
-the authentication mode to certificate, and defining what field (by OID)
-in the certificate will be used to identify the username. Two pre-defined
-
-shortcuts for Common Name (OID 2.5.4.3) and User ID
-(OID 0.9.2342.19200300.100.1.1) have been provided as cn or uid.
-
-Otherwise a specific OID value must be provided.
-
-The user's certificate must be signed by the certificate authority
-defined in the configuration for it to be validated for authentication.
-
-```none
-set vpn openconnect authentication mode certificate
-set vpn openconnect authentication mode certificate user-identifier-field cn
-set vpn openconnect ssl ca-certificate <cert>
-```
-
-
-## Verification
-
-```none
-vyos@vyos:~$ sh openconnect-server sessions
-interface username ip remote IP RX TX state uptime
------------ ---------- ------------- ----------- ------- --------- --------- --------
-sslvpn0 tst 172.20.20.198 192.168.6.1 0 bytes 152 bytes connected 3s
-```
-
-:::{note}
-It is compatible with Cisco (R) AnyConnect (R) clients.
-:::
-
-## Example
-
-### SSL Certificates generation
-
-Follow the instructions to generate CA cert (in configuration mode):
-
-```none
-vyos@vyos# run generate pki ca install ca-ocserv
-Enter private key type: [rsa, dsa, ec] (Default: rsa)
-Enter private key bits: (Default: 2048)
-Enter country code: (Default: GB) US
-Enter state: (Default: Some-State) Delaware
-Enter locality: (Default: Some-City) Mycity
-Enter organization name: (Default: VyOS) MyORG
-Enter common name: (Default: vyos.io) oc-ca
-Enter how many days certificate will be valid: (Default: 1825) 3650
-Note: If you plan to use the generated key on this router, do not encrypt the private key.
-Do you want to encrypt the private key with a passphrase? [y/N] N
-2 value(s) installed. Use "compare" to see the pending changes, and "commit" to apply.
-[edit]
-```
-
-Follow the instructions to generate server cert (in configuration mode):
-
-```none
-vyos@vyos# run generate pki certificate sign ca-ocserv install srv-ocserv
-Do you already have a certificate request? [y/N] N
-Enter private key type: [rsa, dsa, ec] (Default: rsa)
-Enter private key bits: (Default: 2048)
-Enter country code: (Default: GB) US
-Enter state: (Default: Some-State) Delaware
-Enter locality: (Default: Some-City) Mycity
-Enter organization name: (Default: VyOS) MyORG
-Enter common name: (Default: vyos.io) oc-srv
-Do you want to configure Subject Alternative Names? [y/N] N
-Enter how many days certificate will be valid: (Default: 365) 1830
-Enter certificate type: (client, server) (Default: server)
-Note: If you plan to use the generated key on this router, do not encrypt the private key.
-Do you want to encrypt the private key with a passphrase? [y/N] N
-2 value(s) installed. Use "compare" to see the pending changes, and "commit" to apply.
-[edit]
-```
-
-Each of the install command should be applied to the configuration and commited
-before using under the openconnect configuration:
-
-```none
-vyos@vyos# commit
-[edit]
-vyos@vyos# save
-Saving configuration to '/config/config.boot'...
-Done
-[edit]
-```
-
-
-### Openconnect Configuration
-
-Simple setup with one user added and password authentication:
-
-```none
-set vpn openconnect authentication local-users username tst password 'OC_bad_Secret'
-set vpn openconnect authentication mode local password
-set vpn openconnect network-settings client-ip-settings subnet '172.20.20.0/24'
-set vpn openconnect network-settings name-server '10.1.1.1'
-set vpn openconnect network-settings name-server '10.1.1.2'
-set vpn openconnect ssl ca-certificate 'ca-ocserv'
-set vpn openconnect ssl certificate 'srv-ocserv'
-```
-
-To enable the HTTP security headers in the configuration file, use the command:
-
-```none
-set vpn openconnect http-security-headers
-```
-
-
-### Adding a 2FA with an OTP-key
-
-First the OTP keys must be generated and sent to the user and to the
-configuration:
-
-```none
-vyos@vyos:~$ generate openconnect username tst otp-key hotp-time
-# You can share it with the user, he just needs to scan the QR in his OTP app
-# username: tst
-# OTP KEY: 5PA4SGYTQSGOBO3H3EQSSNCUNZAYAPH2
-# OTP URL: otpauth://totp/tst@vyos?secret=5PA4SGYTQSGOBO3H3EQSSNCUNZAYAPH2&digits=6&period=30
-█████████████████████████████████████████
-█████████████████████████████████████████
-████ ▄▄▄▄▄ █▀ ██▄▀ ▄█▄▀▀▄▄▄▄██ ▄▄▄▄▄ ████
-████ █ █ █▀ █▄▄▀▀▀▄█ ▄▄▀▄ █ █ █ ████
-████ █▄▄▄█ █▀█▀▄▄▀ ▄▀ █▀ ▀▄██ █▄▄▄█ ████
-████▄▄▄▄▄▄▄█▄█▄▀ ▀▄█ ▀ ▀ ▀ █▄█▄▄▄▄▄▄▄████
-████ ▄▄▄▀▄▄ ▄███▀▄▀█▄██▀ ▀▄ ▀▄█ ▀ ▀████
-████ ▀▀ ▀ ▄█▄ ▀ ▀▄ ▄█▀ ▄█ ▄▀▀▄██ █████
-████▄ █▄▀▀▄█▀ ▀█▄█▄▄▄▄ ▄▀█▀▀█ ▀ ▄ ▀█▀████
-█████ ▀█▀▄▄ █ ▀▄▄ ▄█▄ ▀█▀▀ █▀ ▄█████
-████▀██▀█▄▄ ▀▀▀▀█▄▀ ▀█▄▄▀▀▀ ▀ ▀█▄██▀▀████
-████▄ ▄ ▄▀▄██▀█ ▄ ▀▄██ ▄▄ ▀▀▄█▄██ ▄█████
-████▀▀ ▄▀ ▄ ▀█▀█▀█ █▀█▄▄▀█▀█▄██▄▄█ ▀████
-████ █ ▀█▄▄█▄ ▀ ▄▄▀▀ ▀ █▄█▀████ █▀ ▀████
-████▄██▄██▄█▀ ▄▀ ▄▄▀▄ ▄▀█ ▄ ▄▄▄ ▀█▄ ████
-████ ▄▄▄▄▄ █▄ ▀█▄█ ▄ ▀ ▄ ▄ █▄█ ▄▀▄█████
-████ █ █ █ ▀▄██▄▄▀█▄▀▄██▄▀ ▄ ▀██▀████
-████ █▄▄▄█ █ ██▀▄▄ ▀▄▄▀█▀ ▀█ ▄▀█ ▀██████
-████▄▄▄▄▄▄▄█▄███▄███▄█▄▄▄▄█▄▄█▄██▄█▄█████
-█████████████████████████████████████████
-█████████████████████████████████████████
-# To add this OTP key to configuration, run the following commands:
-set vpn openconnect authentication local-users username tst otp key 'ebc1c91b13848ce0bb67d9212934546e41803cfa'
-```
-
-Next it is necessary to configure 2FA for OpenConnect:
-
-```none
-set vpn openconnect authentication mode local password-otp
-set vpn openconnect authentication local-users username tst otp key 'ebc1c91b13848ce0bb67d9212934546e41803cfa'
-```
-
-Now when connecting the user will first be asked for the password
-and then the OTP key.
-
-:::{warning}
-When using Time-based one-time password (TOTP) (OTP HOTP-time),
-be sure that the time on the server and the
-OTP token generator are synchronized by NTP
-:::
-
-To display the configured OTP user settings, use the command:
-
-```none
-show openconnect-server user <username> otp <full|key-b32|key-hex|qrcode|uri>
-```
-
-
-### Identity Based Configuration
-
-OpenConnect supports a subset of it's configuration options to be applied on a
-per user/group basis, for configuration purposes we refer to this functionality
-as "Identity based config". The following [OpenConnect Server Manual](https://ocserv.gitlab.io/www/manual.html#:~:text=Configuration%20files%20that%20will%20be%20applied%20per%20user%20connection%20or%0A%23%20per%20group)
-outlines the set of configuration options that are allowed. This can be
-leveraged to apply different sets of configs to different users or groups of
-users.
-
-```none
-sudo mkdir -p /config/auth/ocserv/config-per-user
-sudo touch /config/auth/ocserv/default-user.conf
-
-set vpn openconnect authentication identity-based-config mode user
-set vpn openconnect authentication identity-based-config directory /config/auth/ocserv/config-per-user
-set vpn openconnect authentication identity-based-config default-config /config/auth/ocserv/default-user.conf
-```
-
-:::{warning}
-The above directory and default-config must be a child directory
-of /config/auth, since files outside this directory are not persisted after an
-image upgrade.
-:::
-
-Once you commit the above changes you can create a config file in the
-/config/auth/ocserv/config-per-user directory that matches a username of a
-user you have created e.g. "tst". Now when logging in with the "tst" user the
-config options you set in this file will be loaded.
-
-Be sure to set a sane default config in the default config file, this will be
-loaded in the case that a user is authenticated and no file is found in the
-configured directory matching the users username/group.
-
-```none
-sudo nano /config/auth/ocserv/config-per-user/tst
-```
-
-The same configuration options apply when Identity based config is configured
-in group mode except that group mode can only be used with RADIUS
-authentication.
-
-:::{warning}
-OpenConnect server matches the filename in a case sensitive
-manner, make sure the username/group name you configure matches the
-filename exactly.
-:::
-
-### Configuring RADIUS accounting
-
-OpenConnect can be configured to send accounting information to a
-RADIUS server to capture user session data such as time of
-connect/disconnect, data transferred, and so on.
-
-Configure an accounting server and enable accounting with:
-
-```none
-set vpn openconnect accounting mode radius
-set vpn openconnect accounting radius server 172.20.20.10
-set vpn openconnect accounting radius server 172.20.20.10 port 1813
-set vpn openconnect accounting radius server 172.20.20.10 key your_radius_secret
-```
-
-:::{warning}
-The RADIUS accounting feature must be used with the OpenConnect
-authentication mode RADIUS. It cannot be used with local authentication.
-You must configure the OpenConnect authentication mode to "radius".
-:::
-
-An example of the data captured by a FREERADIUS server with sql accounting:
-
-```none
-mysql> SELECT username, nasipaddress, acctstarttime, acctstoptime, acctinputoctets, acctoutputoctets, callingstationid, framedipaddress, connectinfo_start FROM radacct;
-+----------+---------------+---------------------+---------------------+-----------------+------------------+-------------------+-----------------+-----------------------------------+
-| username | nasipaddress | acctstarttime | acctstoptime | acctinputoctets | acctoutputoctets | callingstationid | framedipaddress | connectinfo_start |
-+----------+---------------+---------------------+---------------------+-----------------+------------------+-------------------+-----------------+-----------------------------------+
-| test | 198.51.100.15 | 2023-01-13 00:59:15 | 2023-01-13 00:59:21 | 10606 | 152 | 192.168.6.1 | 172.20.20.198 | Open AnyConnect VPN Agent v8.05-1 |
-+----------+---------------+---------------------+---------------------+-----------------+------------------+-------------------+-----------------+-----------------------------------+
-```
-
diff --git a/docs/configuration/vpn/md-pptp.md b/docs/configuration/vpn/md-pptp.md
deleted file mode 100644
index 5df63755..00000000
--- a/docs/configuration/vpn/md-pptp.md
+++ /dev/null
@@ -1,594 +0,0 @@
-(pptp)=
-
-# PPTP-Server
-
-The Point-to-Point Tunneling Protocol (PPTP) has been implemented in VyOS only
-for backwards compatibility. PPTP has many well known security issues and you
-should use one of the many other new VPN implementations.
-
-## Configuring PPTP Server
-
-```none
-set vpn pptp remote-access authentication mode local
-set vpn pptp remote-access authentication local-users username test password 'test'
-set vpn pptp remote-access client-ip-pool PPTP-POOL range 192.168.255.2-192.168.255.254
-set vpn pptp remote-access default-pool 'PPTP-POOL'
-set vpn pptp remote-access outside-address 192.0.2.2
-set vpn pptp remote-access gateway-address 192.168.255.1
-```
-
-```{cfgcmd} set vpn pptp remote-access authentication mode \<local | radius\>
-
-Set authentication backend. The configured authentication backend is used
-for all queries.
-* **radius**: All authentication queries are handled by a configured RADIUS
-server.
-* **local**: All authentication queries are handled locally.
-* **noauth**: Authentication disabled.
-```
-
-```{cfgcmd} set vpn pptp remote-access authentication local-users username \<user\> password \<pass\>
-
-Create `<user>` for local authentication on this system. The users password
-will be set to `<pass>`.
-```
-
-```{cfgcmd} set vpn pptp remote-access client-ip-pool \<POOL-NAME\> range \<x.x.x.x-x.x.x.x | x.x.x.x/x\>
-
-Use this command to define the first IP address of a pool of
-addresses to be given to PPTP clients. If notation ``x.x.x.x-x.x.x.x``,
-it must be within a /24 subnet. If notation ``x.x.x.x/x`` is
-used there is possibility to set host/netmask.
-```
-
-```{cfgcmd} set vpn pptp remote-access default-pool \<POOL-NAME\>
-
-Use this command to define default address pool name.
-```
-
-```{cfgcmd} set vpn pptp remote-access gateway-address \<gateway\>
-
-Specifies single `<gateway>` IP address to be used as local address of PPP
-interfaces.
-```
-
-
-## Configuring RADIUS authentication
-
-To enable RADIUS based authentication, the authentication mode needs to be
-changed within the configuration. Previous settings like the local users, still
-exists within the configuration, however they are not used if the mode has been
-changed from local to radius. Once changed back to local, it will use all local
-accounts again.
-
-```none
-set vpn pptp remote-access authentication mode radius
-```
-
-```{cfgcmd} set vpn pptp remote-access authentication radius server \<server\> key \<secret\>
-
-Configure RADIUS `<server>` and its required shared `<secret>` for
-communicating with the RADIUS server.
-```
-
-Since the RADIUS server would be a single point of failure, multiple RADIUS
-servers can be setup and will be used subsequentially.
-For example:
-
-```none
-set vpn pptp remote-access authentication radius server 10.0.0.1 key 'foo'
-set vpn pptp remote-access authentication radius server 10.0.0.2 key 'foo'
-```
-
-:::{note}
-Some RADIUS severs use an access control list which allows or denies
-queries, make sure to add your VyOS router to the allowed client list.
-:::
-
-### RADIUS source address
-
-If you are using OSPF as IGP, always the closest interface connected to the
-RADIUS server is used. You can bind all outgoing RADIUS requests
-to a single source IP e.g. the loopback interface.
-
-```{cfgcmd} set vpn pptp remote-access authentication radius source-address \<address\>
-
-Source IPv4 address used in all RADIUS server queires.
-```
-
-:::{note}
-Some RADIUS severs use an access control list which allows or denies
-queries, make sure to add your VyOS router to the allowed client list.
-:::
-
-### RADIUS advanced options
-
-```{cfgcmd} set vpn pptp remote-access authentication radius server \<server\> port \<port\>
-
-Configure RADIUS `<server>` and its required port for authentication requests.
-```
-
-```{cfgcmd} set vpn pptp remote-access authentication radius server \<server\> fail-time \<time\>
-
-Mark RADIUS server as offline for this given `<time>` in seconds.
-```
-
-```{cfgcmd} set vpn pptp remote-access authentication radius server \<server\> disable
-
-Temporary disable this RADIUS server.
-```
-
-```{cfgcmd} set vpn pptp remote-access authentication radius acct-timeout \<timeout\>
-
-Timeout to wait reply for Interim-Update packets. (default 3 seconds)
-```
-
-```{cfgcmd} set vpn pptp remote-access authentication radius dynamic-author server \<address\>
-
-Specifies IP address for Dynamic Authorization Extension server (DM/CoA).
-This IP must exist on any VyOS interface or it can be ``0.0.0.0``.
-```
-
-```{cfgcmd} set vpn pptp remote-access authentication radius dynamic-author port \<port\>
-
-UDP port for Dynamic Authorization Extension server (DM/CoA)
-```
-
-```{cfgcmd} set vpn pptp remote-access authentication radius dynamic-author key \<secret\>
-
-Secret for Dynamic Authorization Extension server (DM/CoA)
-```
-
-```{cfgcmd} set vpn pptp remote-access authentication radius max-try \<number\>
-
-Maximum number of tries to send Access-Request/Accounting-Request queries
-```
-
-```{cfgcmd} set vpn pptp remote-access authentication radius timeout \<timeout\>
-
-Timeout to wait response from server (seconds)
-```
-
-```{cfgcmd} set vpn pptp remote-access authentication radius nas-identifier \<identifier\>
-
-Value to send to RADIUS server in NAS-Identifier attribute and to be matched
-in DM/CoA requests.
-```
-
-```{cfgcmd} set vpn pptp remote-access authentication radius nas-ip-address \<address\>
-
-Value to send to RADIUS server in NAS-IP-Address attribute and to be matched
-in DM/CoA requests. Also DM/CoA server will bind to that address.
-```
-
-```{cfgcmd} set vpn pptp remote-access authentication radius source-address \<address\>
-
-Source IPv4 address used in all RADIUS server queires.
-```
-
-```{cfgcmd} set vpn pptp remote-access authentication radius rate-limit attribute \<attribute\>
-
-Specifies which RADIUS server attribute contains the rate limit information.
-The default attribute is `Filter-Id`.
-```
-
-:::{note}
-If you set a custom RADIUS attribute you must define it on both
-dictionaries at RADIUS server and client.
-:::
-
-```{cfgcmd} set vpn pptp remote-access authentication radius rate-limit enable
-
-Enables bandwidth shaping via RADIUS.
-```
-
-```{cfgcmd} set vpn pptp remote-access authentication radius rate-limit vendor
-
-Specifies the vendor dictionary, dictionary needs to be in
-/usr/share/accel-ppp/radius.
-```
-
-Received RADIUS attributes have a higher priority than parameters defined within
-the CLI configuration, refer to the explanation below.
-
-### Allocation clients ip addresses by RADIUS
-
-If the RADIUS server sends the attribute `Framed-IP-Address` then this IP
-address will be allocated to the client and the option `default-pool` within the CLI
-config is being ignored.
-
-If the RADIUS server sends the attribute `Framed-Pool`, IP address will be allocated
-from a predefined IP pool whose name equals the attribute value.
-
-If the RADIUS server sends the attribute `Stateful-IPv6-Address-Pool`, IPv6 address
-will be allocated from a predefined IPv6 pool `prefix` whose name equals the attribute value.
-
-If the RADIUS server sends the attribute `Delegated-IPv6-Prefix-Pool`, IPv6
-delegation pefix will be allocated from a predefined IPv6 pool `delegate`
-whose name equals the attribute value.
-
-:::{note}
-`Stateful-IPv6-Address-Pool` and `Delegated-IPv6-Prefix-Pool` are defined in
-RFC6911. If they are not defined in your RADIUS server, add new [dictionary].
-:::
-
-User interface can be put to VRF context via RADIUS Access-Accept packet, or change
-it via RADIUS CoA. `Accel-VRF-Name` is used from these purposes. It is custom [ACCEL-PPP attribute].
-Define it in your RADIUS server.
-
-### Renaming clients interfaces by RADIUS
-
-If the RADIUS server uses the attribute `NAS-Port-Id`, ppp tunnels will be
-renamed.
-
-:::{note}
-The value of the attribute `NAS-Port-Id` must be less than 16
-characters, otherwise the interface won't be renamed.
-:::
-
-## IPv6
-
-```{cfgcmd} set vpn pptp remote-access ppp-options ipv6 \<require | prefer | allow | deny\>
-
-Specifies IPv6 negotiation preference.
-* **require** - Require IPv6 negotiation
-* **prefer** - Ask client for IPv6 negotiation, do not fail if it rejects
-* **allow** - Negotiate IPv6 only if client requests
-* **deny** - Do not negotiate IPv6 (default value)
-```
-
-```{cfgcmd} set vpn pptp remote-access client-ipv6-pool \<IPv6-POOL-NAME\> prefix \<address\> mask \<number-of-bits\>
-
-Use this comand to set the IPv6 address pool from which an PPTP client
-will get an IPv6 prefix of your defined length (mask) to terminate the
-PPTP endpoint at their side. The mask length can be set from 48 to 128
-bit long, the default value is 64.
-```
-
-```{cfgcmd} set vpn pptp remote-access client-ipv6-pool \<IPv6-POOL-NAME\> delegate \<address\> delegation-prefix \<number-of-bits\>
-
-Use this command to configure DHCPv6 Prefix Delegation (RFC3633) on
-PPTP. You will have to set your IPv6 pool and the length of the
-delegation prefix. From the defined IPv6 pool you will be handing out
-networks of the defined length (delegation-prefix). The length of the
-delegation prefix can be set from 32 to 64 bit long.
-```
-
-```{cfgcmd} set vpn pptp remote-access default-ipv6-pool \<IPv6-POOL-NAME\>
-
-Use this command to define default IPv6 address pool name.
-```
-
-```none
-set vpn pptp remote-access ppp-options ipv6 allow
-set vpn pptp remote-access client-ipv6-pool IPv6-POOL delegate '2001:db8:8003::/48' delegation-prefix '56'
-set vpn pptp remote-access client-ipv6-pool IPv6-POOL prefix '2001:db8:8002::/48' mask '64'
-set vpn pptp remote-access default-ipv6-pool IPv6-POOL
-```
-
-
-### IPv6 Advanced Options
-
-```{cfgcmd} set vpn pptp remote-access ppp-options ipv6-accept-peer-interface-id
-
-Accept peer interface identifier. By default is not defined.
-```
-
-```{cfgcmd} set vpn pptp remote-access ppp-options ipv6-interface-id \<random | x:x:x:x\>
-
-Specifies fixed or random interface identifier for IPv6.
-By default is fixed.
-* **random** - Random interface identifier for IPv6
-* **x:x:x:x** - Specify interface identifier for IPv6
-```
-
-```{cfgcmd} set vpn pptp remote-access ppp-options ipv6-interface-id \<random | x:x:x:x\>
-
-Specifies peer interface identifier for IPv6. By default is fixed.
-* **random** - Random interface identifier for IPv6
-* **x:x:x:x** - Specify interface identifier for IPv6
-* **ipv4-addr** - Calculate interface identifier from IPv4 address.
-* **calling-sid** - Calculate interface identifier from calling-station-id.
-```
-
-
-## Scripting
-
-```{cfgcmd} set vpn pptp remote-access extended-scripts on-change \<path_to_script\>
-
-Script to run when session interface changed by RADIUS CoA handling
-```
-
-```{cfgcmd} set vpn pptp remote-access extended-scripts on-down \<path_to_script\>
-
-Script to run when session interface going to terminate
-```
-
-```{cfgcmd} set vpn pptp remote-access extended-scripts on-pre-up \<path_to_script\>
-
-Script to run before session interface comes up
-```
-
-```{cfgcmd} set vpn pptp remote-access extended-scripts on-up \<path_to_script\>
-
-Script to run when session interface is completely configured and started
-```
-
-
-## Advanced Options
-
-### Authentication Advanced Options
-
-```{cfgcmd} set vpn pptp remote-access authentication local-users username \<user\> disable
-
-Disable `<user>` account.
-```
-
-```{cfgcmd} set vpn pptp remote-access authentication local-users username \<user\> static-ip \<address\>
-
-Assign static IP address to `<user>` account.
-```
-
-```{cfgcmd} set vpn pptp remote-access authentication local-users username \<user\> rate-limit download \<bandwidth\>
-
-Download bandwidth limit in kbit/s for `<user>`.
-```
-
-```{cfgcmd} set vpn pptp remote-access authentication local-users username \<user\> rate-limit upload \<bandwidth\>
-
-Upload bandwidth limit in kbit/s for `<user>`.
-```
-
-```{cfgcmd} set vpn pptp remote-access authentication protocols \<pap | chap | mschap | mschap-v2\>
-
-Require the peer to authenticate itself using one of the following protocols:
-pap, chap, mschap, mschap-v2.
-```
-
-
-### Client IP Pool Advanced Options
-
-```{cfgcmd} set vpn pptp remote-access client-ip-pool \<POOL-NAME\> next-pool \<NEXT-POOL-NAME\>
-
-Use this command to define the next address pool name.
-```
-
-
-### PPP Advanced Options
-
-```{cfgcmd} set vpn pptp remote-access ppp-options disable-ccp
-
-Disable Compression Control Protocol (CCP).
-CCP is enabled by default.
-```
-
-```{cfgcmd} set vpn pptp remote-access ppp-options interface-cache \<number\>
-
-Specifies number of interfaces to keep in cache. It means that don’t
-destroy interface after corresponding session is destroyed, instead
-place it to cache and use it later for new sessions repeatedly.
-This should reduce kernel-level interface creation/deletion rate lack.
-Default value is **0**.
-```
-
-```{cfgcmd} set vpn pptp remote-access ppp-options ipv4 \<require | prefer | allow | deny\>
-
-Specifies IPv4 negotiation preference.
-* **require** - Require IPv4 negotiation
-* **prefer** - Ask client for IPv4 negotiation, do not fail if it rejects
-* **allow** - Negotiate IPv4 only if client requests (Default value)
-* **deny** - Do not negotiate IPv4
-```
-
-```{cfgcmd} set vpn pptp remote-access ppp-options lcp-echo-failure \<number\>
-
-Defines the maximum `<number>` of unanswered echo requests. Upon reaching the
-value `<number>`, the session will be reset. Default value is **3**.
-```
-
-```{cfgcmd} set vpn pptp remote-access ppp-options lcp-echo-interval \<interval\>
-
-If this option is specified and is greater than 0, then the PPP module will
-send LCP pings of the echo request every `<interval>` seconds.
-Default value is **30**.
-```
-
-```{cfgcmd} set vpn pptp remote-access ppp-options lcp-echo-timeout
-
-Specifies timeout in seconds to wait for any peer activity. If this option
-specified it turns on adaptive lcp echo functionality and "lcp-echo-failure"
-is not used. Default value is **0**.
-```
-
-```{cfgcmd} set vpn pptp remote-access ppp-options min-mtu \<number\>
-
-Defines minimum acceptable MTU. If client will try to negotiate less then
-specified MTU then it will be NAKed or disconnected if rejects greater MTU.
-Default value is **100**.
-```
-
-```{cfgcmd} set vpn pptp remote-access ppp-options mppe \<require | prefer | deny\>
-
-Specifies {abbr}`MPPE (Microsoft Point-to-Point Encryption)` negotiation
-preference.
-* **require** - ask client for mppe, if it rejects drop connection
-* **prefer** - ask client for mppe, if it rejects don't fail. (Default value)
-* **deny** - deny mppe
-
-Default behavior - don't ask client for mppe, but allow it if client wants.
-Please note that RADIUS may override this option by MS-MPPE-Encryption-Policy
-attribute.
-```
-
-```{cfgcmd} set vpn pptp remote-access ppp-options mru \<number\>
-
-Defines preferred MRU. By default is not defined.
-```
-
-
-### Global Advanced options
-
-```{cfgcmd} set vpn pptp remote-access description \<description\>
-
-Set description.
-```
-
-```{cfgcmd} set vpn pptp remote-access limits burst \<value\>
-
-Burst count
-```
-
-```{cfgcmd} set vpn pptp remote-access limits connection-limit \<value\>
-
-Acceptable rate of connections (e.g. 1/min, 60/sec)
-```
-
-```{cfgcmd} set vpn pptp remote-access limits timeout \<value\>
-
-Timeout in seconds
-```
-
-```{cfgcmd} set vpn pptp remote-access mtu
-
-Maximum Transmission Unit (MTU) (default: **1436**)
-```
-
-```{cfgcmd} set vpn pptp remote-access max-concurrent-sessions
-
-Maximum number of concurrent session start attempts
-```
-
-```{cfgcmd} set vpn pptp remote-access name-server \<address\>
-
-Connected client should use `<address>` as their DNS server. This
-command accepts both IPv4 and IPv6 addresses. Up to two nameservers
-can be configured for IPv4, up to three for IPv6.
-```
-
-```{cfgcmd} set vpn pptp remote-access shaper fwmark \<1-2147483647\>
-
-Match firewall mark value
-```
-
-```{cfgcmd} set vpn pptp remote-access snmp master-agent
-
-Enable SNMP
-```
-
-```{cfgcmd} set vpn pptp remote-access wins-server \<address\>
-
-Windows Internet Name Service (WINS) servers propagated to client
-```
-
-
-## Monitoring
-
-```{opcmd} show pptp-server sessions
-
-Use this command to locally check the active sessions in the PPTP
-server.
-```
-
-```none
-vyos@vyos:~$ show pptp-server sessions
- ifname | username | ip | ip6 | ip6-dp | calling-sid | rate-limit | state | uptime | rx-bytes | tx-bytes
---------+----------+----------+-----+--------+----------------+------------+--------+----------+----------+----------
- pptp0 | test | 10.0.0.2 | | | 192.168.10.100 | | active | 00:01:26 | 6.9 KiB | 220 B
-```
-
-```none
-vyos@vyos:~$ show pptp-server statistics
- uptime: 0.00:04:52
-cpu: 0%
-mem(rss/virt): 5504/100176 kB
-core:
- mempool_allocated: 152007
- mempool_available: 149007
- thread_count: 1
- thread_active: 1
- context_count: 6
- context_sleeping: 0
- context_pending: 0
- md_handler_count: 6
- md_handler_pending: 0
- timer_count: 2
- timer_pending: 0
-sessions:
- starting: 0
- active: 1
- finishing: 0
-pptp:
- starting: 0
- active: 1
-```
-
-
-## Troubleshooting
-
-```none
-vyos@vyos:~$sudo journalctl -u accel-ppp@pptp -b 0
-
-Feb 29 14:58:57 vyos accel-pptp[4629]: pptp: new connection from 192.168.10.100
-Feb 29 14:58:57 vyos accel-pptp[4629]: :: recv [PPTP Start-Ctrl-Conn-Request <Version 1> <Framing 1> <Bearer 1> <Max-Chan 0>]
-Feb 29 14:58:57 vyos accel-pptp[4629]: :: send [PPTP Start-Ctrl-Conn-Reply <Version 1> <Result 1> <Error 0> <Framing 3> <Bearer 3> <Max-Chan 1>]
-Feb 29 14:58:57 vyos accel-pptp[4629]: :: recv [PPTP Outgoing-Call-Request <Call-ID 2961> <Call-Serial 2> <Min-BPS 300> <Max-BPS 100000000> <Bearer 3> <Framing 3> <Window-Size 64> <Delay 0>]
-Feb 29 14:58:57 vyos accel-pptp[4629]: :: send [PPTP Outgoing-Call-Reply <Call-ID 2> <Peer-Call-ID 2961> <Result 1> <Error 0> <Cause 0> <Speed 100000000> <Window-Size 64> <Delay 0> <Channel 0>]
-Feb 29 14:58:57 vyos accel-pptp[4629]: :: lcp_layer_init
-Feb 29 14:58:57 vyos accel-pptp[4629]: :: auth_layer_init
-Feb 29 14:58:57 vyos accel-pptp[4629]: :: ccp_layer_init
-Feb 29 14:58:57 vyos accel-pptp[4629]: :: ipcp_layer_init
-Feb 29 14:58:57 vyos accel-pptp[4629]: :: ipv6cp_layer_init
-Feb 29 14:58:57 vyos accel-pptp[4629]: :: ppp establishing
-Feb 29 14:58:57 vyos accel-pptp[4629]: :: lcp_layer_start
-Feb 29 14:58:57 vyos accel-pptp[4629]: :: send [LCP ConfReq id=75 <auth PAP> <mru 1436> <magic 483920bd>]
-Feb 29 14:58:57 vyos accel-pptp[4629]: :: recv [PPTP Set-Link-Info]
-Feb 29 14:58:57 vyos accel-pptp[4629]: :: recv [LCP ConfReq id=0 <mru 1400> <magic 0142785a> <pcomp> <accomp> < d 3 6 >]
-Feb 29 14:58:57 vyos accel-pptp[4629]: :: send [LCP ConfRej id=0 <pcomp> <accomp> < d 3 6 >]
-Feb 29 14:58:57 vyos accel-pptp[4629]: :: recv [LCP ConfReq id=1 <mru 1400> <magic 0142785a>]
-Feb 29 14:58:57 vyos accel-pptp[4629]: :: send [LCP ConfAck id=1]
-Feb 29 14:59:00 vyos accel-pptp[4629]: :: fsm timeout 9
-Feb 29 14:59:00 vyos accel-pptp[4629]: :: send [LCP ConfReq id=75 <auth PAP> <mru 1436> <magic 483920bd>]
-Feb 29 14:59:00 vyos accel-pptp[4629]: :: recv [LCP ConfNak id=75 <auth MSCHAP-v2>]
-Feb 29 14:59:00 vyos accel-pptp[4629]: :: send [LCP ConfReq id=76 <auth CHAP-md5> <mru 1436> <magic 483920bd>]
-Feb 29 14:59:00 vyos accel-pptp[4629]: :: recv [LCP ConfNak id=76 <auth MSCHAP-v2>]
-Feb 29 14:59:00 vyos accel-pptp[4629]: :: send [LCP ConfReq id=77 <auth MSCHAP-v1> <mru 1436> <magic 483920bd>]
-Feb 29 14:59:00 vyos accel-pptp[4629]: :: recv [LCP ConfNak id=77 <auth MSCHAP-v2>]
-Feb 29 14:59:00 vyos accel-pptp[4629]: :: send [LCP ConfReq id=78 <auth MSCHAP-v2> <mru 1436> <magic 483920bd>]
-Feb 29 14:59:00 vyos accel-pptp[4629]: :: recv [LCP ConfAck id=78 <auth MSCHAP-v2> <mru 1436> <magic 483920bd>]
-Feb 29 14:59:00 vyos accel-pptp[4629]: :: lcp_layer_started
-Feb 29 14:59:00 vyos accel-pptp[4629]: :: auth_layer_start
-Feb 29 14:59:00 vyos accel-pptp[4629]: :: send [MSCHAP-v2 Challenge id=1 <8aa758781676e6a8e85c11963ee010>]
-Feb 29 14:59:00 vyos accel-pptp[4629]: :: recv [LCP Ident id=2 <MSRASV5.20>]
-Feb 29 14:59:00 vyos accel-pptp[4629]: :: recv [LCP Ident id=3 <MSRAS-0-MSEDGEWIN10>]
-Feb 29 14:59:00 vyos accel-pptp[4629]: [43B blob data]
-Feb 29 14:59:00 vyos accel-pptp[4629]: :: recv [PPTP Set-Link-Info]
-Feb 29 14:59:00 vyos accel-pptp[4629]: :: recv [MSCHAP-v2 Response id=1 <90c21af1091f745e8bf22388b058>, <e695ae5aae274c88a3fa1ee3dc9057aece4d53c87b9fea>, F=0, name="test"]
-Feb 29 14:59:00 vyos accel-pptp[4629]: ppp0:test: connect: ppp0 <--> pptp(192.168.10.100)
-Feb 29 14:59:00 vyos accel-pptp[4629]: ppp0:test: ppp connected
-Feb 29 14:59:00 vyos accel-pptp[4629]: ppp0:test: send [MSCHAP-v2 Success id=1 "S=347F417CF04BEBBC7F75CFA7F43474C36FB218F9 M=Authentication succeeded"]
-Feb 29 14:59:00 vyos accel-pptp[4629]: ppp0:test: test: authentication succeeded
-Feb 29 14:59:00 vyos accel-pptp[4629]: ppp0:test: auth_layer_started
-Feb 29 14:59:00 vyos accel-pptp[4629]: ppp0:test: ccp_layer_start
-Feb 29 14:59:00 vyos accel-pptp[4629]: ppp0:test: send [CCP ConfReq id=b9 <mppe +H -M +S -L -D -C>]
-Feb 29 14:59:00 vyos accel-pptp[4629]: ppp0:test: ipcp_layer_start
-Feb 29 14:59:00 vyos accel-pptp[4629]: ppp0:test: ipv6cp_layer_start
-Feb 29 14:59:00 vyos accel-pptp[4629]: ppp0:test: IPV6CP: discarding packet
-Feb 29 14:59:00 vyos accel-pptp[4629]: ppp0:test: send [LCP ProtoRej id=122 <8057>]
-Feb 29 14:59:00 vyos accel-pptp[4629]: ppp0:test: recv [IPCP ConfReq id=6 <addr 0.0.0.0> <dns1 0.0.0.0> <wins1 0.0.0.0> <dns2 0.0.0.0> <wins2 0.0.0.0>]
-Feb 29 14:59:00 vyos accel-pptp[4629]: ppp0:test: send [IPCP ConfReq id=3b <addr 10.0.0.1>]
-Feb 29 14:59:00 vyos accel-pptp[4629]: ppp0:test: send [IPCP ConfRej id=6 <dns1 0.0.0.0> <wins1 0.0.0.0> <dns2 0.0.0.0> <wins2 0.0.0.0>]
-Feb 29 14:59:00 vyos accel-pptp[4629]: ppp0:test: recv [LCP ProtoRej id=7 <80fd>]
-Feb 29 14:59:00 vyos accel-pptp[4629]: ppp0:test: ccp_layer_finished
-Feb 29 14:59:00 vyos accel-pptp[4629]: ppp0:test: recv [IPCP ConfAck id=3b <addr 10.0.0.1>]
-Feb 29 14:59:00 vyos accel-pptp[4629]: ppp0:test: recv [IPCP ConfReq id=8 <addr 0.0.0.0>]
-Feb 29 14:59:00 vyos accel-pptp[4629]: ppp0:test: send [IPCP ConfNak id=8 <addr 10.0.0.2>]
-Feb 29 14:59:00 vyos accel-pptp[4629]: ppp0:test: recv [IPCP ConfReq id=9 <addr 10.0.0.2>]
-Feb 29 14:59:00 vyos accel-pptp[4629]: ppp0:test: send [IPCP ConfAck id=9]
-Feb 29 14:59:00 vyos accel-pptp[4629]: ppp0:test: ipcp_layer_started
-Feb 29 14:59:00 vyos accel-pptp[4629]: ppp0:test: rename interface to 'pptp0'
-Feb 29 14:59:00 vyos accel-pptp[4629]: pptp0:test: pptp: ppp started
-```
-
-[accel-ppp]: https://accel-ppp.org/
-[accel-ppp attribute]: https://github.com/accel-ppp/accel-ppp/blob/master/accel-pppd/radius/dict/dictionary.accel
-[dictionary]: https://github.com/accel-ppp/accel-ppp/blob/master/accel-pppd/radius/dict/dictionary.rfc6911
diff --git a/docs/configuration/vpn/md-rsa-keys.md b/docs/configuration/vpn/md-rsa-keys.md
deleted file mode 100644
index 875ba91b..00000000
--- a/docs/configuration/vpn/md-rsa-keys.md
+++ /dev/null
@@ -1,114 +0,0 @@
-# RSA-Keys
-
-```{todo}
-Convert raw command blocks in this file to cfgcmd/opcmd
-directives for command coverage tracking.
-```
-
-RSA can be used for services such as key exchanges and for encryption purposes.
-To make IPSec work with dynamic address on one/both sides, we will have to use
-RSA keys for authentication. They are very fast and easy to setup.
-
-First, on both routers run the operational command "generate pki key-pair
-install \<key-pair name>". You may choose different length than 2048 of course.
-
-```none
-vyos@left# run generate pki key-pair install ipsec-LEFT
-Enter private key type: [rsa, dsa, ec] (Default: rsa)
-Enter private key bits: (Default: 2048)
-Note: If you plan to use the generated key on this router, do not encrypt the private key.
-Do you want to encrypt the private key with a passphrase? [y/N] N
-Configure mode commands to install key pair:
-Do you want to install the public key? [Y/n] Y
-set pki key-pair ipsec-LEFT public key 'MIIBIjANBgkqh...'
-Do you want to install the private key? [Y/n] Y
-set pki key-pair ipsec-LEFT private key 'MIIEvgIBADAN...'
-[edit]
-```
-
-Configuration commands will display.
-Note the command with the public key
-(set pki key-pair ipsec-LEFT public key 'MIIBIjANBgkqh...').
-Then do the same on the opposite router:
-
-```none
-vyos@left# run generate pki key-pair install ipsec-RIGHT
-```
-
-Note the command with the public key
-(set pki key-pair ipsec-RIGHT public key 'FAAOCAQ8AMII...').
-
-The noted public keys should be entered on the opposite routers.
-
-On the LEFT:
-
-```none
-set pki key-pair ipsec-RIGHT public key 'FAAOCAQ8AMII...'
-```
-
-On the RIGHT:
-
-```none
-set pki key-pair ipsec-LEFT public key 'MIIBIjANBgkqh...'
-```
-
-Now you are ready to setup IPsec. The key points:
-1. Since both routers do not know their effective public addresses,
- we set the local-address of the peer to "any".
-2. On the initiator, we set the peer address to its public address,
- but on the responder we only set the id.
-3. On the initiator, we need to set the remote-id option so that it
- can identify IKE traffic from the responder correctly.
-4. On the responder, we need to set the local id so that initiator
- can know who's talking to it for the point #3 to work.
-
-On the LEFT (static address):
-
-```none
-set vpn ipsec interface eth0
-
-set vpn ipsec esp-group MyESPGroup proposal 1 encryption aes128
-set vpn ipsec esp-group MyESPGroup proposal 1 hash sha1
-
-set vpn ipsec ike-group MyIKEGroup proposal 1 dh-group 2
-set vpn ipsec ike-group MyIKEGroup proposal 1 encryption aes128
-set vpn ipsec ike-group MyIKEGroup proposal 1 hash sha1
-
-set vpn ipsec site-to-site peer @RIGHT authentication id LEFT
-set vpn ipsec site-to-site peer @RIGHT authentication mode rsa
-set vpn ipsec site-to-site peer @RIGHT authentication rsa local-key ipsec-LEFT
-set vpn ipsec site-to-site peer @RIGHT authentication rsa remote-key ipsec-RIGHT
-set vpn ipsec site-to-site peer @RIGHT authentication remote-id RIGHT
-set vpn ipsec site-to-site peer @RIGHT default-esp-group MyESPGroup
-set vpn ipsec site-to-site peer @RIGHT ike-group MyIKEGroup
-set vpn ipsec site-to-site peer @RIGHT local-address 192.0.2.10
-set vpn ipsec site-to-site peer @RIGHT connection-type none
-set vpn ipsec site-to-site peer @RIGHT tunnel 1 local prefix 192.168.99.1/32 # Additional loopback address on the local
-set vpn ipsec site-to-site peer @RIGHT tunnel 1 remote prefix 192.168.99.2/32 # Additional loopback address on the remote
-```
-
-On the RIGHT (dynamic address):
-
-```none
-set vpn ipsec interface eth0
-
-set vpn ipsec esp-group MyESPGroup proposal 1 encryption aes128
-set vpn ipsec esp-group MyESPGroup proposal 1 hash sha1
-
-set vpn ipsec ike-group MyIKEGroup proposal 1 dh-group 2
-set vpn ipsec ike-group MyIKEGroup proposal 1 encryption aes128
-set vpn ipsec ike-group MyIKEGroup proposal 1 hash sha1
-
-set vpn ipsec site-to-site peer 192.0.2.10 authentication id RIGHT
-set vpn ipsec site-to-site peer 192.0.2.10 authentication mode rsa
-set vpn ipsec site-to-site peer 192.0.2.10 authentication rsa local-key ipsec-RIGHT
-set vpn ipsec site-to-site peer 192.0.2.10 authentication rsa remote-key ipsec-LEFT
-set vpn ipsec site-to-site peer 192.0.2.10 authentication remote-id LEFT
-set vpn ipsec site-to-site peer 192.0.2.10 connection-type initiate
-set vpn ipsec site-to-site peer 192.0.2.10 default-esp-group MyESPGroup
-set vpn ipsec site-to-site peer 192.0.2.10 ike-group MyIKEGroup
-set vpn ipsec site-to-site peer 192.0.2.10 local-address any
-set vpn ipsec site-to-site peer 192.0.2.10 tunnel 1 local prefix 192.168.99.2/32 # Additional loopback address on the local
-set vpn ipsec site-to-site peer 192.0.2.10 tunnel 1 remote prefix 192.168.99.1/32 # Additional loopback address on the remote
-```
-
diff --git a/docs/configuration/vpn/md-sstp.md b/docs/configuration/vpn/md-sstp.md
deleted file mode 100644
index 54383cc6..00000000
--- a/docs/configuration/vpn/md-sstp.md
+++ /dev/null
@@ -1,698 +0,0 @@
-(sstp)=
-
-# SSTP Server
-
-{abbr}`SSTP (Secure Socket Tunneling Protocol)` is a form of {abbr}`VPN
-(Virtual Private Network)` tunnel that provides a mechanism to transport PPP
-traffic through an SSL/TLS channel. SSL/TLS provides transport-level security
-with key negotiation, encryption and traffic integrity checking. The use of
-SSL/TLS over TCP port 443 allows SSTP to pass through virtually all firewalls
-and proxy servers except for authenticated web proxies.
-
-SSTP is available for Linux, BSD, and Windows.
-
-VyOS utilizes [accel-ppp](https://accel-ppp.org/) to provide SSTP server functionality. We support both
-local and RADIUS authentication.
-
-As SSTP provides PPP via a SSL/TLS channel the use of either publicly signed
-certificates or private PKI is required.
-
-## Configuring SSTP Server
-
-### Certificates
-
-Using our documentation chapter - {ref}`pki` generate and install CA and Server certificate
-
-```none
-vyos@vyos:~$ generate pki ca install CA
-```
-
-```none
-vyos@vyos:~$ generate pki certificate sign CA install Server
-```
-
-
-### Configuration
-
-```none
-set vpn sstp authentication local-users username test password 'test'
-set vpn sstp authentication mode 'local'
-set vpn sstp client-ip-pool SSTP-POOL range '10.0.0.2-10.0.0.100'
-set vpn sstp default-pool 'SSTP-POOL'
-set vpn sstp gateway-address '10.0.0.1'
-set vpn sstp ssl ca-certificate 'CA1'
-set vpn sstp ssl certificate 'Server'
-```
-
-```{cfgcmd} set vpn sstp authentication mode \<local | radius\>
-
-Set authentication backend. The configured authentication backend is used
-for all queries.
-* **radius**: All authentication queries are handled by a configured RADIUS
-server.
-* **local**: All authentication queries are handled locally.
-```
-
-```{cfgcmd} set vpn sstp authentication local-users username \<user\> password \<pass\>
-
-Create `<user>` for local authentication on this system. The users password
-will be set to `<pass>`.
-```
-
-```{cfgcmd} set vpn sstp client-ip-pool \<POOL-NAME\> range \<x.x.x.x-x.x.x.x | x.x.x.x/x\>
-
-Use this command to define the first IP address of a pool of
-addresses to be given to SSTP clients. If notation ``x.x.x.x-x.x.x.x``,
-it must be within a /24 subnet. If notation ``x.x.x.x/x`` is
-used there is possibility to set host/netmask.
-```
-
-```{cfgcmd} set vpn sstp default-pool \<POOL-NAME\>
-
-Use this command to define default address pool name.
-```
-
-```{cfgcmd} set vpn sstp gateway-address \<gateway\>
-
-Specifies single `<gateway>` IP address to be used as local address of PPP
-interfaces.
-```
-
-```{cfgcmd} set vpn sstp ssl ca-certificate \<file\>
-
-Name of installed certificate authority certificate.
-```
-
-```{cfgcmd} set vpn sstp ssl certificate \<file\>
-
-Name of installed server certificate.
-```
-
-
-## Configuring RADIUS authentication
-
-To enable RADIUS based authentication, the authentication mode needs to be
-changed within the configuration. Previous settings like the local users still
-exist within the configuration, however they are not used if the mode has been
-changed from local to radius. Once changed back to local, it will use all local
-accounts again.
-
-```none
-set vpn sstp authentication mode radius
-```
-
-```{cfgcmd} set vpn sstp authentication radius server \<server\> key \<secret\>
-
-Configure RADIUS `<server>` and its required shared `<secret>` for
-communicating with the RADIUS server.
-```
-
-Since the RADIUS server would be a single point of failure, multiple RADIUS
-servers can be setup and will be used subsequentially.
-For example:
-
-```none
-set vpn sstp authentication radius server 10.0.0.1 key 'foo'
-set vpn sstp authentication radius server 10.0.0.2 key 'foo'
-```
-
-:::{note}
-Some RADIUS severs use an access control list which allows or denies
-queries, make sure to add your VyOS router to the allowed client list.
-:::
-
-### RADIUS source address
-
-If you are using OSPF as your IGP, use the interface connected closest to the
-RADIUS server. You can bind all outgoing RADIUS requests to a single source IP
-e.g. the loopback interface.
-
-```{cfgcmd} set vpn sstp authentication radius source-address \<address\>
-
-Source IPv4 address used in all RADIUS server queires.
-```
-
-:::{note}
-The `source-address` must be configured to that of an interface.
-Best practice would be a loopback or dummy interface.
-:::
-
-### RADIUS advanced options
-
-```{cfgcmd} set vpn sstp authentication radius server \<server\> port \<port\>
-
-Configure RADIUS `<server>` and its required port for authentication requests.
-```
-
-```{cfgcmd} set vpn sstp authentication radius server \<server\> fail-time \<time\>
-
-Mark RADIUS server as offline for this given `<time>` in seconds.
-```
-
-```{cfgcmd} set vpn sstp authentication radius server \<server\> disable
-
-Temporary disable this RADIUS server.
-```
-
-```{cfgcmd} set vpn sstp authentication radius acct-timeout \<timeout\>
-
-Timeout to wait reply for Interim-Update packets. (default 3 seconds)
-```
-
-```{cfgcmd} set vpn sstp authentication radius dynamic-author server \<address\>
-
-Specifies IP address for Dynamic Authorization Extension server (DM/CoA).
-This IP must exist on any VyOS interface or it can be ``0.0.0.0``.
-```
-
-```{cfgcmd} set vpn sstp authentication radius dynamic-author port \<port\>
-
-UDP port for Dynamic Authorization Extension server (DM/CoA)
-```
-
-```{cfgcmd} set vpn sstp authentication radius dynamic-author key \<secret\>
-
-Secret for Dynamic Authorization Extension server (DM/CoA)
-```
-
-```{cfgcmd} set vpn sstp authentication radius max-try \<number\>
-
-Maximum number of tries to send Access-Request/Accounting-Request queries
-```
-
-```{cfgcmd} set vpn sstp authentication radius timeout \<timeout\>
-
-Timeout to wait response from server (seconds)
-```
-
-```{cfgcmd} set vpn sstp authentication radius nas-identifier \<identifier\>
-
-Value to send to RADIUS server in NAS-Identifier attribute and to be matched
-in DM/CoA requests.
-```
-
-```{cfgcmd} set vpn sstp authentication radius nas-ip-address \<address\>
-
-Value to send to RADIUS server in NAS-IP-Address attribute and to be matched
-in DM/CoA requests. Also DM/CoA server will bind to that address.
-```
-
-```{cfgcmd} set vpn sstp authentication radius source-address \<address\>
-
-Source IPv4 address used in all RADIUS server queires.
-```
-
-```{cfgcmd} set vpn sstp authentication radius rate-limit attribute \<attribute\>
-
-Specifies which RADIUS server attribute contains the rate limit information.
-The default attribute is `Filter-Id`.
-```
-
-:::{note}
-If you set a custom RADIUS attribute you must define it on both
-dictionaries on the RADIUS server and client.
-:::
-
-```{cfgcmd} set vpn sstp authentication radius rate-limit enable
-
-Enables bandwidth shaping via RADIUS.
-```
-
-```{cfgcmd} set vpn sstp authentication radius rate-limit vendor
-
-Specifies the vendor dictionary, This dictionary needs to be present in
-/usr/share/accel-ppp/radius.
-```
-
-Received RADIUS attributes have a higher priority than parameters defined within
-the CLI configuration, refer to the explanation below.
-
-### Allocation clients ip addresses by RADIUS
-
-If the RADIUS server sends the attribute `Framed-IP-Address` then this IP
-address will be allocated to the client and the option `default-pool` within
-the CLI config will being ignored.
-
-If the RADIUS server sends the attribute `Framed-Pool`, then the IP address
-will be allocated from a predefined IP pool whose name equals the attribute
-value.
-
-If the RADIUS server sends the attribute `Stateful-IPv6-Address-Pool`, the
-IPv6 address will be allocated from a predefined IPv6 pool `prefix` whose
-name equals the attribute value.
-
-If the RADIUS server sends the attribute `Delegated-IPv6-Prefix-Pool`, an
-IPv6 delegation prefix will be allocated from a predefined IPv6 pool `delegate`
-whose name equals the attribute value.
-
-:::{note}
-`Stateful-IPv6-Address-Pool` and `Delegated-IPv6-Prefix-Pool` are defined in
-RFC6911. If they are not defined in your RADIUS server, add new [dictionary].
-:::
-
-The client's interface can be put into a VRF context via a RADIUS Access-Accept
-packet, or changed via RADIUS CoA. `Accel-VRF-Name` is used for these
-purposes. This is a custom [ACCEL-PPP attribute]. Define it in your RADIUS
-server.
-
-### Renaming clients interfaces by RADIUS
-
-If the RADIUS server uses the attribute `NAS-Port-Id`, ppp tunnels will be
-renamed.
-
-:::{note}
-The value of the attribute `NAS-Port-Id` must be less than 16
-characters, otherwise the interface won't be renamed.
-:::
-
-## IPv6
-
-```{cfgcmd} set vpn sstp ppp-options ipv6 \<require | prefer | allow | deny\>
-
-Specifies IPv6 negotiation preference.
-* **require** - Require IPv6 negotiation
-* **prefer** - Ask client for IPv6 negotiation, do not fail if it rejects
-* **allow** - Negotiate IPv6 only if client requests
-* **deny** - Do not negotiate IPv6 (default value)
-```
-
-```{cfgcmd} set vpn sstp client-ipv6-pool \<IPv6-POOL-NAME\> prefix \<address\> mask \<number-of-bits\>
-
-Use this comand to set the IPv6 address pool from which an SSTP client will
-get an IPv6 prefix of your defined length (mask) to terminate the SSTP
-endpoint at their side. The mask length can be set between 48 and 128 bits
-long, the default value is 64.
-```
-
-```{cfgcmd} set vpn sstp client-ipv6-pool \<IPv6-POOL-NAME\> delegate \<address\> delegation-prefix \<number-of-bits\>
-
-Use this command to configure DHCPv6 Prefix Delegation (RFC3633) on SSTP. You
-will have to set your IPv6 pool and the length of the delegation prefix. From
-the defined IPv6 pool you will be handing out networks of the defined length
-(delegation-prefix). The length of the delegation prefix can be set between
-32 and 64 bits long.
-```
-
-```{cfgcmd} set vpn sstp default-ipv6-pool \<IPv6-POOL-NAME\>
-
-Use this command to define default IPv6 address pool name.
-```
-
-```none
-set vpn sstp ppp-options ipv6 allow
-set vpn sstp client-ipv6-pool IPv6-POOL delegate '2001:db8:8003::/48' delegation-prefix '56'
-set vpn sstp client-ipv6-pool IPv6-POOL prefix '2001:db8:8002::/48' mask '64'
-set vpn sstp default-ipv6-pool IPv6-POOL
-```
-
-
-### IPv6 Advanced Options
-
-```{cfgcmd} set vpn sstp ppp-options ipv6-accept-peer-interface-id
-
-Accept peer interface identifier. By default this is not defined.
-```
-
-```{cfgcmd} set vpn sstp ppp-options ipv6-interface-id \<random | x:x:x:x\>
-
-Specifies if a fixed or random interface identifier is used for IPv6. The
-default is fixed.
-* **random** - Random interface identifier for IPv6
-* **x:x:x:x** - Specify interface identifier for IPv6
-```
-
-```{cfgcmd} set vpn sstp ppp-options ipv6-interface-id \<random | x:x:x:x\>
-
-Specifies the peer interface identifier for IPv6. The default is fixed.
-* **random** - Random interface identifier for IPv6
-* **x:x:x:x** - Specify interface identifier for IPv6
-* **ipv4-addr** - Calculate interface identifier from IPv4 address.
-* **calling-sid** - Calculate interface identifier from calling-station-id.
-```
-
-
-## Scripting
-
-```{cfgcmd} set vpn sstp extended-scripts on-change \<path_to_script\>
-
-Script to run when the session interface is changed by RADIUS CoA handling
-```
-
-```{cfgcmd} set vpn sstp extended-scripts on-down \<path_to_script\>
-
-Script to run when the session interface about to terminate
-```
-
-```{cfgcmd} set vpn sstp extended-scripts on-pre-up \<path_to_script\>
-
-Script to run before the session interface comes up
-```
-
-```{cfgcmd} set vpn sstp extended-scripts on-up \<path_to_script\>
-
-Script to run when the session interface is completely configured and started
-```
-
-
-## Advanced Options
-
-### Authentication Advanced Options
-
-```{cfgcmd} set vpn sstp authentication local-users username \<user\> disable
-
-Disable `<user>` account.
-```
-
-```{cfgcmd} set vpn sstp authentication local-users username \<user\> static-ip \<address\>
-
-Assign a static IP address to `<user>` account.
-```
-
-```{cfgcmd} set vpn sstp authentication local-users username \<user\> rate-limit download \<bandwidth\>
-
-Rate limit the download bandwidth for `<user>` to `<bandwidth>` kbit/s.
-```
-
-```{cfgcmd} set vpn sstp authentication local-users username \<user\> rate-limit upload \<bandwidth\>
-
-Rate limit the upload bandwidth for `<user>` to `<bandwidth>` kbit/s.
-```
-
-```{cfgcmd} set vpn sstp authentication protocols \<pap | chap | mschap | mschap-v2\>
-
-Require the peer to authenticate itself using one of the following protocols:
-pap, chap, mschap, mschap-v2.
-```
-
-
-### Client IP Pool Advanced Options
-
-```{cfgcmd} set vpn sstp client-ip-pool \<POOL-NAME\> next-pool \<NEXT-POOL-NAME\>
-
-Use this command to define the next address pool name.
-```
-
-
-### PPP Advanced Options
-
-```{cfgcmd} set vpn sstp ppp-options disable-ccp
-
-Disable Compression Control Protocol (CCP).
-CCP is enabled by default.
-```
-
-```{cfgcmd} set vpn sstp ppp-options interface-cache \<number\>
-
-Specifies number of interfaces to cache. This prevents interfaces from being
-removed once the corresponding session is destroyed. Instead, interfaces are
-cached for later use in new sessions. This should reduce the kernel-level
-interface creation/deletion rate.
-Default value is **0**.
-```
-
-```{cfgcmd} set vpn sstp ppp-options ipv4 \<require | prefer | allow | deny\>
-
-Specifies IPv4 negotiation preference.
-* **require** - Require IPv4 negotiation
-* **prefer** - Ask client for IPv4 negotiation, do not fail if it rejects
-* **allow** - Negotiate IPv4 only if client requests (Default value)
-* **deny** - Do not negotiate IPv4
-```
-
-```{cfgcmd} set vpn sstp ppp-options lcp-echo-failure \<number\>
-
-Defines the maximum `<number>` of unanswered echo requests. Upon reaching the
-value `<number>`, the session will be reset. Default value is **3**.
-```
-
-```{cfgcmd} set vpn sstp ppp-options lcp-echo-interval \<interval\>
-
-If this option is specified and is greater than 0, then the PPP module will
-send LCP echo requests every `<interval>` seconds.
-Default value is **30**.
-```
-
-```{cfgcmd} set vpn sstp ppp-options lcp-echo-timeout
-
-Specifies timeout in seconds to wait for any peer activity. If this option is
-specified it turns on adaptive lcp echo functionality and "lcp-echo-failure"
-is not used. Default value is **0**.
-```
-
-```{cfgcmd} set vpn sstp ppp-options min-mtu \<number\>
-
-Defines the minimum acceptable MTU. If a client tries to negotiate an MTU
-lower than this it will be NAKed, and disconnected if it rejects a greater
-MTU.
-Default value is **100**.
-```
-
-```{cfgcmd} set vpn sstp ppp-options mppe \<require | prefer | deny\>
-
-Specifies {abbr}`MPPE (Microsoft Point-to-Point Encryption)` negotiation
-preference.
-* **require** - ask client for mppe, if it rejects drop connection
-* **prefer** - ask client for mppe, if it rejects don't fail. (Default value)
-* **deny** - deny mppe
-
-Default behavior - don't ask the client for mppe, but allow it if the client
-wants. Please note that RADIUS may override this option by MS-MPPE-Encryption-Policy
-attribute.
-```
-
-```{cfgcmd} set vpn sstp ppp-options mru \<number\>
-
-Defines preferred MRU. By default is not defined.
-```
-
-
-### Global Advanced options
-
-```{cfgcmd} set vpn sstp description \<description\>
-
-Set description.
-```
-
-```{cfgcmd} set vpn sstp limits burst \<value\>
-
-Burst count
-```
-
-```{cfgcmd} set vpn sstp limits connection-limit \<value\>
-
-Maximum accepted connection rate (e.g. 1/min, 60/sec)
-```
-
-```{cfgcmd} set vpn sstp limits timeout \<value\>
-
-Timeout in seconds
-```
-
-```{cfgcmd} set vpn sstp mtu
-
-Maximum Transmission Unit (MTU) (default: **1500**)
-```
-
-```{cfgcmd} set vpn sstp max-concurrent-sessions
-
-Maximum number of concurrent session start attempts
-```
-
-```{cfgcmd} set vpn sstp name-server \<address\>
-
-Connected clients should use `<address>` as their DNS server. This command
-accepts both IPv4 and IPv6 addresses. Up to two nameservers can be configured
-for IPv4, up to three for IPv6.
-```
-
-```{cfgcmd} set vpn sstp shaper fwmark \<1-2147483647\>
-
-Match firewall mark value
-```
-
-```{cfgcmd} set vpn sstp snmp master-agent
-
-Enable SNMP
-```
-
-```{cfgcmd} set vpn sstp wins-server \<address\>
-
-Windows Internet Name Service (WINS) servers propagated to client
-```
-
-```{cfgcmd} set vpn sstp host-name \<hostname\>
-
-If this option is given, only SSTP connections to the specified host
-and with the same TLS SNI will be allowed.
-```
-
-
-## Configuring SSTP client
-
-Once you have setup your SSTP server there comes the time to do some basic
-testing. The Linux client used for testing is called [sstpc]. [sstpc] requires a
-PPP configuration/peer file.
-
-If you use a self-signed certificate, do not forget to install CA on the client side.
-
-The following PPP configuration tests MSCHAP-v2:
-
-```none
-$ cat /etc/ppp/peers/vyos
-usepeerdns
-#require-mppe
-#require-pap
-require-mschap-v2
-noauth
-lock
-refuse-pap
-refuse-eap
-refuse-chap
-refuse-mschap
-#refuse-mschap-v2
-nobsdcomp
-nodeflate
-debug
-```
-
-You can now "dial" the peer with the follwoing command: `sstpc --log-level 4
---log-stderr --user vyos --password vyos vpn.example.com -- call vyos`.
-
-A connection attempt will be shown as:
-
-```none
-$ sstpc --log-level 4 --log-stderr --user vyos --password vyos vpn.example.com -- call vyos
-
-Mar 22 13:29:12 sstpc[12344]: Resolved vpn.example.com to 192.0.2.1
-Mar 22 13:29:12 sstpc[12344]: Connected to vpn.example.com
-Mar 22 13:29:12 sstpc[12344]: Sending Connect-Request Message
-Mar 22 13:29:12 sstpc[12344]: SEND SSTP CRTL PKT(14)
-Mar 22 13:29:12 sstpc[12344]: TYPE(1): CONNECT REQUEST, ATTR(1):
-Mar 22 13:29:12 sstpc[12344]: ENCAP PROTO(1): 6
-Mar 22 13:29:12 sstpc[12344]: RECV SSTP CRTL PKT(48)
-Mar 22 13:29:12 sstpc[12344]: TYPE(2): CONNECT ACK, ATTR(1):
-Mar 22 13:29:12 sstpc[12344]: CRYPTO BIND REQ(4): 40
-Mar 22 13:29:12 sstpc[12344]: Started PPP Link Negotiation
-Mar 22 13:29:15 sstpc[12344]: Sending Connected Message
-Mar 22 13:29:15 sstpc[12344]: SEND SSTP CRTL PKT(112)
-Mar 22 13:29:15 sstpc[12344]: TYPE(4): CONNECTED, ATTR(1):
-Mar 22 13:29:15 sstpc[12344]: CRYPTO BIND(3): 104
-Mar 22 13:29:15 sstpc[12344]: Connection Established
-
-$ ip addr show ppp0
-164: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1452 qdisc fq_codel state UNKNOWN group default qlen 3
- link/ppp promiscuity 0
- inet 100.64.2.2 peer 100.64.1.1/32 scope global ppp0
- valid_lft forever preferred_lft forever
-```
-
-
-## Monitoring
-
-```{opcmd} show sstp-server sessions
-
-Use this command to locally check the active sessions in the SSTP
-server.
-```
-
-```none
-vyos@vyos:~$ show sstp-server sessions
- ifname | username | ip | ip6 | ip6-dp | calling-sid | rate-limit | state | uptime | rx-bytes | tx-bytes
---------+----------+----------+-----+--------+----------------+------------+--------+----------+----------+----------
- sstp0 | test | 10.0.0.2 | | | 192.168.10.100 | | active | 00:15:46 | 16.3 KiB | 210 B
-```
-
-```none
-vyos@vyos:~$ show sstp-server statistics
- uptime: 0.01:21:54
-cpu: 0%
-mem(rss/virt): 6688/100464 kB
-core:
- mempool_allocated: 149420
- mempool_available: 146092
- thread_count: 1
- thread_active: 1
- context_count: 6
- context_sleeping: 0
- context_pending: 0
- md_handler_count: 7
- md_handler_pending: 0
- timer_count: 2
- timer_pending: 0
-sessions:
- starting: 0
- active: 1
- finishing: 0
-sstp:
- starting: 0
- active: 1
-```
-
-
-## Troubleshooting
-
-```none
-vyos@vyos:~$sudo journalctl -u accel-ppp@sstp -b 0
-
-Feb 28 17:03:04 vyos accel-sstp[2492]: sstp: new connection from 192.168.10.100:49852
-Feb 28 17:03:04 vyos accel-sstp[2492]: sstp: starting
-Feb 28 17:03:04 vyos accel-sstp[2492]: sstp: started
-Feb 28 17:03:04 vyos accel-sstp[2492]: :: recv [HTTP <SSTP_DUPLEX_POST /sra_{BA195980-CD49-458b-9E23-C84EE0ADCD75}/ HTTP/1.1>]
-Feb 28 17:03:04 vyos accel-sstp[2492]: :: recv [HTTP <SSTPCORRELATIONID: {48B82435-099A-4158-A987-052E7570CFAA}>]
-Feb 28 17:03:04 vyos accel-sstp[2492]: :: recv [HTTP <Content-Length: 18446744073709551615>]
-Feb 28 17:03:04 vyos accel-sstp[2492]: :: recv [HTTP <Host: vyos.io>]
-Feb 28 17:03:04 vyos accel-sstp[2492]: :: send [HTTP <HTTP/1.1 200 OK>]
-Feb 28 17:03:04 vyos accel-sstp[2492]: :: send [HTTP <Date: Wed, 28 Feb 2024 17:03:04 GMT>]
-Feb 28 17:03:04 vyos accel-sstp[2492]: :: send [HTTP <Content-Length: 18446744073709551615>]
-Feb 28 17:03:04 vyos accel-sstp[2492]: :: recv [SSTP SSTP_MSG_CALL_CONNECT_REQUEST]
-Feb 28 17:03:04 vyos accel-sstp[2492]: :: send [SSTP SSTP_MSG_CALL_CONNECT_ACK]
-Feb 28 17:03:04 vyos accel-sstp[2492]: :: lcp_layer_init
-Feb 28 17:03:04 vyos accel-sstp[2492]: :: auth_layer_init
-Feb 28 17:03:04 vyos accel-sstp[2492]: :: ccp_layer_init
-Feb 28 17:03:04 vyos accel-sstp[2492]: :: ipcp_layer_init
-Feb 28 17:03:04 vyos accel-sstp[2492]: :: ipv6cp_layer_init
-Feb 28 17:03:04 vyos accel-sstp[2492]: :: ppp establishing
-Feb 28 17:03:04 vyos accel-sstp[2492]: :: lcp_layer_start
-Feb 28 17:03:04 vyos accel-sstp[2492]: :: send [LCP ConfReq id=56 <auth PAP> <mru 1452> <magic 1cd9ad05>]
-Feb 28 17:03:04 vyos accel-sstp[2492]: :: recv [LCP ConfReq id=0 <mru 4091> <magic 345f64ca> <pcomp> <accomp> < d 3 6 >]
-Feb 28 17:03:04 vyos accel-sstp[2492]: :: send [LCP ConfRej id=0 <pcomp> <accomp> < d 3 6 >]
-Feb 28 17:03:04 vyos accel-sstp[2492]: :: recv [LCP ConfReq id=1 <mru 4091> <magic 345f64ca>]
-Feb 28 17:03:04 vyos accel-sstp[2492]: :: send [LCP ConfNak id=1 <mru 1452>]
-Feb 28 17:03:04 vyos accel-sstp[2492]: :: recv [LCP ConfReq id=2 <mru 1452> <magic 345f64ca>]
-Feb 28 17:03:04 vyos accel-sstp[2492]: :: send [LCP ConfAck id=2]
-Feb 28 17:03:07 vyos accel-sstp[2492]: :: fsm timeout 9
-Feb 28 17:03:07 vyos accel-sstp[2492]: :: send [LCP ConfReq id=56 <auth PAP> <mru 1452> <magic 1cd9ad05>]
-Feb 28 17:03:07 vyos accel-sstp[2492]: :: recv [LCP ConfAck id=56 <auth PAP> <mru 1452> <magic 1cd9ad05>]
-Feb 28 17:03:07 vyos accel-sstp[2492]: :: lcp_layer_started
-Feb 28 17:03:07 vyos accel-sstp[2492]: :: auth_layer_start
-Feb 28 17:03:07 vyos accel-sstp[2492]: :: recv [LCP Ident id=3 <MSRASV5.20>]
-Feb 28 17:03:07 vyos accel-sstp[2492]: :: recv [LCP Ident id=4 <MSRAS-0-MSEDGEWIN10>]
-Feb 28 17:03:07 vyos accel-sstp[2492]: [50B blob data]
-Feb 28 17:03:07 vyos accel-sstp[2492]: :: recv [PAP AuthReq id=3]
-Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: connect: ppp0 <--> sstp(192.168.10.100:49852)
-Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: ppp connected
-Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: send [PAP AuthAck id=3 "Authentication succeeded"]
-Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: test: authentication succeeded
-Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: auth_layer_started
-Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: ccp_layer_start
-Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: ipcp_layer_start
-Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: ipv6cp_layer_start
-Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: recv [SSTP SSTP_MSG_CALL_CONNECTED]
-Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: IPV6CP: discarding packet
-Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: send [LCP ProtoRej id=88 <8057>]
-Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: recv [IPCP ConfReq id=7 <addr 0.0.0.0> <dns1 0.0.0.0> <wins1 0.0.0.0> <dns2 0.0.0.0> <wins2 0.0.0.0>]
-Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: send [IPCP ConfReq id=25 <addr 10.0.0.1>]
-Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: send [IPCP ConfRej id=7 <dns1 0.0.0.0> <wins1 0.0.0.0> <dns2 0.0.0.0> <wins2 0.0.0.0>]
-Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: recv [IPCP ConfAck id=25 <addr 10.0.0.1>]
-Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: recv [IPCP ConfReq id=8 <addr 0.0.0.0>]
-Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: send [IPCP ConfNak id=8 <addr 10.0.0.5>]
-Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: recv [IPCP ConfReq id=9 <addr 10.0.0.5>]
-Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: send [IPCP ConfAck id=9]
-Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: ipcp_layer_started
-Feb 28 17:03:07 vyos accel-sstp[2492]: ppp0:test: rename interface to 'sstp0'
-Feb 28 17:03:07 vyos accel-sstp[2492]: sstp0:test: sstp: ppp: started
-```
-
-[accel-ppp attribute]: https://github.com/accel-ppp/accel-ppp/blob/master/accel-pppd/radius/dict/dictionary.accel
-[dictionary]: https://github.com/accel-ppp/accel-ppp/blob/master/accel-pppd/radius/dict/dictionary.rfc6911
-[sstpc]: https://github.com/reliablehosting/sstp-client