path: root/docs/configuration/vpn/site2site_ipsec.rst
Diffstat (limited to 'docs/configuration/vpn/site2site_ipsec.rst')
-rw-r--r-- docs/configuration/vpn/site2site_ipsec.rst | 51
1 files changed, 27 insertions, 24 deletions
diff --git a/docs/configuration/vpn/site2site_ipsec.rst b/docs/configuration/vpn/site2site_ipsec.rst
index 23df1b76..ab0f623f 100644
--- a/docs/configuration/vpn/site2site_ipsec.rst
+++ b/docs/configuration/vpn/site2site_ipsec.rst
@@ -16,7 +16,8 @@ special characters. It is purely informational.
Each site-to-site peer has the next options:
* ``authentication`` - configure authentication between VyOS and a remote peer.
- Suboptions:
+ If pre-shared-secret mode is used, the secret key must be defined in
+ ``set vpn ipsec authentication`` and suboptions:
* ``psk`` - Preshared secret key name:
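Review bot: The new sentence in this hunk does not parse ("...must be defined in ``set vpn ipsec authentication`` and suboptions:"), and it mixes two things: where the secret lives and what the peer-level suboptions are. Split it, and make clear that the secret is stored once under ``set vpn ipsec authentication`` and only referenced here by name through the ``psk`` suboption, for example: "If pre-shared-secret mode is used, the secret itself is defined under ``set vpn ipsec authentication`` and referenced here by name. Suboptions:". That also explains why ``psk`` is documented as a "key name" rather than the secret value.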
@@ -36,8 +37,7 @@ Each site-to-site peer has the next options:
* ``pre-shared-secret`` - use predefined shared secret phrase;
- * ``rsa`` - use simple shared RSA key. The key must be defined in the
- ``set vpn rsa-keys`` section;
+ * ``rsa`` - use simple shared RSA key.
* ``x509`` - use certificates infrastructure for authentication.
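Review bot: Dropping the sentence about ``set vpn rsa-keys`` leaves the ``rsa`` mode with no pointer to where the keys now come from; the later hunk introduces ``rsa local-key`` / ``rsa remote-key`` as names of PKI key-pairs, so say that here, e.g. "* ``rsa`` - use simple shared RSA key. The key-pairs must be defined in the PKI configuration and referenced via ``rsa local-key`` and ``rsa remote-key``;". Also the added line ends with "." while the sibling item above ends with ";"; keep the list punctuation consistent.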
@@ -45,29 +45,26 @@ Each site-to-site peer has the next options:
address. Useful in case if the remote peer is behind NAT or if ``mode x509``
is used;
- * ``rsa-key-name`` - shared RSA key for authentication. The key must be defined
- in the ``set vpn rsa-keys`` section;
+ * ``rsa`` - options for RSA authentication mode:
- * ``use-x509-id`` - use local ID from x509 certificate. Cannot be used when
- ``id`` is defined;
+ * ``local-key`` - name of PKI key-pair with local private key
- * ``x509`` - options for x509 authentication mode:
+ * ``remote-key`` - name of PKI key-pair with remote public key
- * ``ca-cert-file`` - CA certificate file. Using for authenticating
- remote peer;
+ * ``passphrase`` - local private key passphrase
- * ``cert-file`` - certificate file, which will be used for authenticating
- local router on remote peer;
+ * ``use-x509-id`` - use local ID from x509 certificate. Cannot be used when
+ ``id`` is defined;
- * ``crl-file`` - file with the Certificate Revocation List. Using to check if
- a certificate for the remote peer is valid or revoked;
+ * ``x509`` - options for x509 authentication mode:
- * ``key`` - a private key, which will be used for authenticating local router
- on remote peer:
+ * ``ca-certificate`` - CA certificate in PKI configuration. Using for
+ authenticating remote peer;
- * ``file`` - path to the key file;
+ * ``certificate`` - certificate file in PKI configuration, which will be used
+ for authenticating local router on remote peer;
- * ``password`` - passphrase private key, if needed.
+ * ``passphrase`` - private key passphrase, if needed.
* ``connection-type`` - how to handle this connection process. Possible
variants:
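Review bot: The ``certificate`` entry still says "certificate file in PKI configuration", but after this change the value is the name of an object in the PKI configuration, not a path; drop "file" so readers do not try to pass a filename. Two further points in the same block: the removed ``crl-file`` option has no successor in the new list, so if revocation checking is now handled through the CA entry in the PKI configuration, state that explicitly, otherwise readers will conclude that CRLs are no longer supported and revoked peer certificates would be accepted silently; and "Using for authenticating remote peer" should read "Used for authenticating the remote peer". Minor: the three new ``rsa`` sub-items (``local-key``, ``remote-key``, ``passphrase``) have no trailing punctuation while the ``x509`` sub-items keep the ";" style.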
@@ -113,6 +110,9 @@ Each site-to-site peer has the next options:
Hostname is a DNS name which could be used when a peer has a public IP
address and DNS name, but an IP address could be changed from time to time.
+* ``replay-window`` - IPsec replay window to configure for this CHILD_SA
+ (default: 32), a value of 0 disables IPsec replay protection
+
* ``tunnel`` - define criteria for traffic to be matched for encrypting and send
it to a peer:
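Review bot: The ``replay-window`` description is a comma splice and understates the consequence of 0. Give the unit (the window is counted in packets) and spell out the risk, e.g. "* ``replay-window`` - IPsec replay window (in packets) for this CHILD_SA (default: 32). A value of 0 disables replay protection, so ESP packets captured on the path could be accepted again by the peer; leave it enabled unless a specific interoperability problem requires otherwise." Operators skimming the option list should not have to infer that 0 turns off a security control.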
@@ -127,6 +127,9 @@ Each site-to-site peer has the next options:
* ``prefix`` - IP network at local side.
+ * ``priority`` - Add priority for policy-based IPSec VPN tunnels(lowest value
+ more preferable)
+
* ``protocol`` - define the protocol for match traffic, which should be
encrypted and send to this peer;
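Review bot: The ``priority`` line has a missing space before "(" and the parenthetical "lowest value more preferable" is ungrammatical; suggest "* ``priority`` - priority of this policy-based IPsec VPN tunnel (a lower value is preferred)". Also use "IPsec" rather than "IPSec" to match the spelling used elsewhere in this file, and state the accepted value range and the default, since "lower is preferred" is not actionable without them.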
@@ -317,7 +320,7 @@ Imagine the following topology
set vpn ipsec esp-group ESP_DEFAULT proposal 10 encryption 'aes256gcm128'
set vpn ipsec esp-group ESP_DEFAULT proposal 10 hash 'sha256'
set vpn ipsec ike-group IKEv2_DEFAULT close-action 'none'
- set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection action 'hold'
+ set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection action 'trap'
set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection interval '30'
set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection timeout '120'
set vpn ipsec ike-group IKEv2_DEFAULT disable-mobike
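Review bot: The change from ``'hold'`` to ``'trap'`` in this example matches the renamed value in the Key Parameters list later in this diff; please check that no other example in this file or in other pages still uses ``'hold'``, otherwise the documentation will show a value that the text no longer describes.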
@@ -357,7 +360,7 @@ Imagine the following topology
set vpn ipsec esp-group ESP_DEFAULT proposal 10 encryption 'aes256gcm128'
set vpn ipsec esp-group ESP_DEFAULT proposal 10 hash 'sha256'
set vpn ipsec ike-group IKEv2_DEFAULT close-action 'none'
- set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection action 'hold'
+ set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection action 'trap'
set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection interval '30'
set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection timeout '120'
set vpn ipsec ike-group IKEv2_DEFAULT disable-mobike
@@ -397,18 +400,18 @@ Key Parameters:
routes installed in the default table 220 for site-to-site ipsec.
It is mostly used with VTI configuration.
-* ``dead-peer-detection action = clear | hold | restart`` - R_U_THERE
+* ``dead-peer-detection action = clear | trap | restart`` - R_U_THERE
notification messages(IKEv1) or empty INFORMATIONAL messages (IKEv2)
are periodically sent in order to check the liveliness of the IPsec peer. The
- values clear, hold, and restart all activate DPD and determine the action to
+ values clear, trap, and restart all activate DPD and determine the action to
perform on a timeout.
With ``clear`` the connection is closed with no further actions taken.
- ``hold`` installs a trap policy, which will catch matching traffic and tries
+ ``trap`` installs a trap policy, which will catch matching traffic and tries
to re-negotiate the connection on demand.
``restart`` will immediately trigger an attempt to re-negotiate the
connection.
-* ``close-action = none | clear | hold | restart`` - defines the action to take
+* ``close-action = none | clear | trap | start`` - defines the action to take
if the remote peer unexpectedly closes a CHILD_SA (see above for meaning of
values). A closeaction should not be used if the peer uses reauthentication or
uniqueids.
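Review bot: The two value lists now disagree: ``dead-peer-detection action`` is documented as ``clear | trap | restart`` but ``close-action`` as ``none | clear | trap | start``, and the close-action text still says "see above for meaning of values", which does not cover ``start``. Either ``start`` is a typo for ``restart`` and should be fixed, or the keyword really differs for close-action, in which case describe ``start`` separately instead of pointing to the DPD section. While editing this block, "closeaction" and "uniqueids" in the unchanged context should be "close-action" and "unique ids" to match the option names used above.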