Diffstat (limited to 'docs/configuration/vpn')
-rw-r--r-- | docs/configuration/vpn/dmvpn.rst | 8 | ||||
-rw-r--r-- | docs/configuration/vpn/index.rst | 1 | ||||
-rw-r--r-- | docs/configuration/vpn/ipsec.rst | 39 | ||||
-rw-r--r-- | docs/configuration/vpn/l2tp.rst | 36 | ||||
-rw-r--r-- | docs/configuration/vpn/openconnect.rst | 46 | ||||
-rw-r--r-- | docs/configuration/vpn/pptp.rst | 4 | ||||
-rw-r--r-- | docs/configuration/vpn/remoteaccess_ipsec.rst | 176 | ||||
-rw-r--r-- | docs/configuration/vpn/rsa-keys.rst | 2 | ||||
-rw-r--r-- | docs/configuration/vpn/site2site_ipsec.rst | 152 | ||||
-rw-r--r-- | docs/configuration/vpn/sstp.rst | 18 |
10 files changed, 367 insertions, 115 deletions
diff --git a/docs/configuration/vpn/dmvpn.rst b/docs/configuration/vpn/dmvpn.rst
index 6680d46a..7a4b81f7 100644
--- a/docs/configuration/vpn/dmvpn.rst
+++ b/docs/configuration/vpn/dmvpn.rst
@@ -190,7 +190,7 @@ Hub
set interfaces tunnel tun100 address '172.16.253.134/29'
set interfaces tunnel tun100 encapsulation 'gre'
- set interfaces tunnel tun100 local-ip '192.0.2.1'
+ set interfaces tunnel tun100 source-address '192.0.2.1'
set interfaces tunnel tun100 enable-multicast
set interfaces tunnel tun100 parameters ip key '1'
@@ -200,7 +200,6 @@ Hub
set protocols nhrp tunnel tun100 redirect
set protocols nhrp tunnel tun100 shortcut
- set vpn ipsec esp-group ESP-HUB compression 'disable'
set vpn ipsec esp-group ESP-HUB lifetime '1800'
set vpn ipsec esp-group ESP-HUB mode 'transport'
set vpn ipsec esp-group ESP-HUB pfs 'dh-group2'
@@ -208,7 +207,6 @@ Hub
set vpn ipsec esp-group ESP-HUB proposal 1 hash 'sha1'
set vpn ipsec esp-group ESP-HUB proposal 2 encryption '3des'
set vpn ipsec esp-group ESP-HUB proposal 2 hash 'md5'
- set vpn ipsec ike-group IKE-HUB ikev2-reauth 'no'
set vpn ipsec ike-group IKE-HUB key-exchange 'ikev1'
set vpn ipsec ike-group IKE-HUB lifetime '3600'
set vpn ipsec ike-group IKE-HUB proposal 1 dh-group '2'
@@ -296,7 +294,7 @@ VyOS can also run in DMVPN spoke mode.
set interfaces ethernet eth0 address 'dhcp'
set interfaces tunnel tun100 address '172.16.253.133/29'
- set interfaces tunnel tun100 local-ip 0.0.0.0
+ set interfaces tunnel tun100 source-address 0.0.0.0
set interfaces tunnel tun100 encapsulation 'gre'
set interfaces tunnel tun100 enable-multicast
set interfaces tunnel tun100 parameters ip key '1'
@@ -309,7 +307,6 @@ VyOS can also run in DMVPN spoke mode.
set protocols nhrp tunnel tun100 redirect
set protocols nhrp tunnel tun100 shortcut
- set vpn ipsec esp-group ESP-HUB compression 'disable'
set vpn ipsec esp-group ESP-HUB lifetime '1800'
set vpn ipsec esp-group ESP-HUB mode 'transport'
set vpn ipsec esp-group ESP-HUB pfs 'dh-group2'
@@ -318,7 +315,6 @@ VyOS can also run in DMVPN spoke mode.
set vpn ipsec esp-group ESP-HUB proposal 2 encryption '3des'
set vpn ipsec esp-group ESP-HUB proposal 2 hash 'md5'
set vpn ipsec ike-group IKE-HUB close-action 'none'
- set vpn ipsec ike-group IKE-HUB ikev2-reauth 'no'
set vpn ipsec ike-group IKE-HUB key-exchange 'ikev1'
set vpn ipsec ike-group IKE-HUB lifetime '3600'
set vpn ipsec ike-group IKE-HUB proposal 1 dh-group '2'
diff --git a/docs/configuration/vpn/index.rst b/docs/configuration/vpn/index.rst
index 3cd9e50d..cf825a63 100644
--- a/docs/configuration/vpn/index.rst
+++ b/docs/configuration/vpn/index.rst
@@ -23,3 +23,4 @@ pages to sort
dmvpn
site2site_ipsec
+ remoteaccess_ipsec
diff --git a/docs/configuration/vpn/ipsec.rst b/docs/configuration/vpn/ipsec.rst
index 327f3abb..b6ee86af 100644
--- a/docs/configuration/vpn/ipsec.rst
+++ b/docs/configuration/vpn/ipsec.rst
@@ -51,8 +51,6 @@ VyOS IKE group has the next options:
* ``hold`` set action to hold;
- * ``clear`` set action to clear;
- * ``restart`` set action to restart;
* ``dead-peer-detection`` controls the use of the Dead Peer Detection protocol
@@ -73,11 +71,9 @@ VyOS IKE group has the next options:
* ``timeout`` keep-alive timeout in seconds <2-86400> (default 120) IKEv1 only
* ``ikev2-reauth`` whether rekeying of an IKE_SA should also reauthenticate
- the peer. In IKEv1, reauthentication is always done:
-
- * ``yes`` enable remote host re-authentication during an IKE rekey;
-
- * ``no`` disable remote host re-authenticaton during an IKE rekey;
+ the peer. In IKEv1, reauthentication is always done.
+ Setting this parameter enables remote host re-authentication during an IKE
+ rekey.
* ``key-exchange`` which protocol should be used to initialize the connection If not set both protocols are handled and connections will use IKEv2 when
@@ -87,13 +83,10 @@ VyOS IKE group has the next options:
* ``ikev2`` use IKEv2 for Key Exchange;
-* ``lifetime`` IKE lifetime in seconds <30-86400> (default 28800);
-
-* ``mobike`` enable MOBIKE Support. MOBIKE is only available for IKEv2:
+* ``lifetime`` IKE lifetime in seconds <0-86400> (default 28800);
- * ``enable`` enable MOBIKE (default for IKEv2);
-
- * ``disable`` disable MOBIKE;
+* ``disable-mobike`` disables MOBIKE Support. MOBIKE is only available for IKEv2
+ and enabled by default.
* ``mode`` IKEv1 Phase 1 Mode Selection:
@@ -126,12 +119,8 @@ Multiple proposals can be specified in a single group.
VyOS ESP group has the next options:
-* ``compression`` whether IPComp compression of content is proposed
- on the connection:
-
- * ``disable`` disable IPComp compression (default);
-
- * ``enable`` enable IPComp compression;
+* ``compression`` Enables the IPComp(IP Payload Compression) protocol which
+ allows compressing the content of IP packets.
* ``life-bytes`` ESP life in bytes <1024-26843545600000>. Number of bytes transmitted over an IPsec SA before it expires;
@@ -172,11 +161,11 @@ Options (Global IPsec settings) Attributes
* ``disable-route-autoinstall`` Do not automatically install routes to remote networks;
- * ``flexvpn`` Allow FlexVPN vendor ID payload (IKEv2 only). Send the Cisco FlexVPN vendor ID payload (IKEv2 only), which is required in order to make Cisco brand devices allow negotiating a local traffic selector (from strongSwan's point of view) that is not the assigned virtual IP address if such an address is requested by strongSwan. Sending the Cisco FlexVPN vendor ID prevents the peer from narrowing the initiator's local traffic selector and allows it to e.g. negotiate a TS of 0.0.0.0/0 == 0.0.0.0/0 instead. This has been tested with a "tunnel mode ipsec ipv4" Cisco template but should also work for GRE encapsulation;
+ * ``flexvpn`` Allows FlexVPN vendor ID payload (IKEv2 only). Send the Cisco FlexVPN vendor ID payload (IKEv2 only), which is required in order to make Cisco brand devices allow negotiating a local traffic selector (from strongSwan's point of view) that is not the assigned virtual IP address if such an address is requested by strongSwan. Sending the Cisco FlexVPN vendor ID prevents the peer from narrowing the initiator's local traffic selector and allows it to e.g. negotiate a TS of 0.0.0.0/0 == 0.0.0.0/0 instead. This has been tested with a "tunnel mode ipsec ipv4" Cisco template but should also work for GRE encapsulation;
* ``interface`` Interface Name to use. The name of the interface on which virtual IP addresses should be installed. If not specified the addresses will be installed on the outbound interface;
- * ``virtual-ip`` Allow install virtual-ip addresses. Comma separated list of virtual IPs to request in IKEv2 configuration payloads or IKEv1 Mode Config. The wildcard addresses 0.0.0.0 and :: request an arbitrary address, specific addresses may be defined. The responder may return a different address, though, or none at all.
+ * ``virtual-ip`` Allows to install virtual-ip addresses. 
Comma separated list of virtual IPs to request in IKEv2 configuration payloads or IKEv1 Mode Config. The wildcard addresses 0.0.0.0 and :: request an arbitrary address, specific addresses may be defined. The responder may return a different address, though, or none at all. Define the ``virtual-address`` option to configure the IP address in site-to-site hierarchy.
*************************
IPsec policy matching GRE
@@ -232,8 +221,8 @@ On the LEFT:
On the RIGHT, setup by analogy and swap local and remote addresses.
-Source tunnel from loopbacks
-^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+Source tunnel from dummy interface
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
The scheme above doesn't work when one of the routers has a dynamic external address though. The classic workaround for this is to setup an address on a
@@ -251,7 +240,7 @@ On the LEFT:
.. code-block:: none
- set interfaces loopback lo address 192.168.99.1/32
+ set interfaces dummy dum0 address 192.168.99.1/32
set interfaces tunnel tun0 encapsulation gre
set interfaces tunnel tun0 address 10.10.10.1/30
@@ -262,7 +251,7 @@ On the RIGHT:
.. code-block:: none
- set interfaces loopback lo address 192.168.99.2/32
+ set interfaces dummy dum0 address 192.168.99.2/32
set interfaces tunnel tun0 encapsulation gre
set interfaces tunnel tun0 address 10.10.10.2/30
diff --git a/docs/configuration/vpn/l2tp.rst b/docs/configuration/vpn/l2tp.rst
index 8dc34ee4..4a7657e7 100644
--- a/docs/configuration/vpn/l2tp.rst
+++ b/docs/configuration/vpn/l2tp.rst
@@ -17,8 +17,8 @@ with native Windows and Mac VPN clients):
set vpn ipsec interface eth0
set vpn l2tp remote-access outside-address 192.0.2.2
- set vpn l2tp remote-access client-ip-pool start 192.168.255.2
- set vpn l2tp remote-access client-ip-pool stop 192.168.255.254
+ set vpn l2tp remote-access client-ip-pool L2TP-POOL range 192.168.255.2-192.168.255.254
+ set vpn l2tp remote-access default-pool 'L2TP-POOL'
set vpn l2tp remote-access ipsec-settings authentication mode pre-shared-secret
set vpn l2tp remote-access ipsec-settings authentication pre-shared-secret <secret>
set vpn l2tp remote-access authentication mode local
@@ -60,7 +60,7 @@ To allow VPN-clients access via your external address, a NAT rule is required:
.. code-block:: none
- set nat source rule 110 outbound-interface 'eth0'
+ set nat source rule 110 outbound-interface name 'eth0'
set nat source rule 110 source address '192.168.255.0/24'
set nat source rule 110 translation address masquerade
@@ -73,15 +73,16 @@ parameter to the client.
set vpn l2tp remote-access name-server '198.51.100.8'
set vpn l2tp remote-access name-server '198.51.100.4'
-Established sessions can be viewed using the **show vpn remote-access**
-operational command, or **show l2tp-server sessions**
+Established sessions can be viewed using the **show l2tp-server sessions**
+operational command
.. code-block:: none
- vyos@vyos:~$ show vpn remote-access
- ifname | username | calling-sid | ip | rate-limit | type | comp | state | uptime
- --------+----------+--------------+---------------+------------+------+------+--------+----------
- ppp0 | vyos | 192.168.0.36 | 192.168.255.1 | | l2tp | | active | 00:06:13
+ vyos@vyos:~$ show l2tp-server sessions
+ ifname | username | ip | ip6 | ip6-dp | calling-sid | rate-limit | state | uptime | rx-bytes | tx-bytes
+ --------+----------+---------------+-----+--------+-------------+------------+--------+----------+----------+----------
+ l2tp0 | test | 192.168.255.3 | | | 192.168.0.36 | | active | 02:01:47 | 7.7 KiB | 1.2 KiB
+
LNS (L2TP Network Server)
@@ -94,8 +95,8 @@ Below is an example to configure a LNS:
.. code-block:: none
set vpn l2tp remote-access outside-address 192.0.2.2
- set vpn l2tp remote-access client-ip-pool start 192.168.255.2
- set vpn l2tp remote-access client-ip-pool stop 192.168.255.254
+ set vpn l2tp remote-access client-ip-pool L2TP-POOL range 192.168.255.2-192.168.255.254
+ set vpn l2tp remote-access default-pool 'L2TP-POOL'
set vpn l2tp remote-access lns shared-secret 'secret'
set vpn l2tp remote-access ccp-disable
set vpn l2tp remote-access authentication mode local
@@ -121,17 +122,18 @@ The rate-limit is set in kbit/sec.
.. code-block:: none
set vpn l2tp remote-access outside-address 192.0.2.2
- set vpn l2tp remote-access client-ip-pool start 192.168.255.2
- set vpn l2tp remote-access client-ip-pool stop 192.168.255.254
+ set vpn l2tp remote-access client-ip-pool L2TP-POOL range 192.168.255.2-192.168.255.254
+ set vpn l2tp remote-access default-pool 'L2TP-POOL'
set vpn l2tp remote-access authentication mode local
set vpn l2tp remote-access authentication local-users username test password test
set vpn l2tp remote-access authentication local-users username test rate-limit download 20480
set vpn l2tp remote-access authentication local-users username test rate-limit upload 10240
- vyos@vyos:~$ show vpn remote-access
- ifname | username | calling-sid | ip | rate-limit | type | comp | state | uptime
- -------+----------+--------------+---------------+-------------+------+------+--------+-----------
- ppp0 | test | 192.168.0.36 | 192.168.255.2 | 20480/10240 | l2tp | | active | 00:06:30
+ vyos@vyos:~$ show l2tp-server sessions
+ ifname | username | ip | ip6 | ip6-dp | calling-sid | rate-limit | state | uptime | rx-bytes | tx-bytes
+ --------+----------+---------------+-----+--------+-------------+------------+--------+----------+----------+----------
+ l2tp0 | test | 192.168.255.3 | | | 192.168.0.36 | | active | 02:01:47 | 7.7 KiB | 1.2 KiB
+
RADIUS authentication
======================
diff --git a/docs/configuration/vpn/openconnect.rst b/docs/configuration/vpn/openconnect.rst
index 1b4d4b4c..1cc197e9 100644
--- a/docs/configuration/vpn/openconnect.rst
+++ b/docs/configuration/vpn/openconnect.rst
@@ -222,6 +222,52 @@ To display the configured OTP user settings, use the command:
show openconnect-server user <username> otp <full|key-b32|key-hex|qrcode|uri>
+Identity Based Configuration
+============================
+
+OpenConnect supports a subset of it's configuration options to be applied on a
+per user/group basis, for configuration purposes we refer to this functionality
+as "Identity based config". The following `OpenConnect Server Manual
+<https://ocserv.gitlab.io/www/manual.html#:~:text=Configuration%20files%20that%
+20will%20be%20applied%20per%20user%20connection%20or%0A%23%20per%20group>`_
+outlines the set of configuration options that are allowed. This can be
+leveraged to apply different sets of configs to different users or groups of
+users.
+
+.. code-block:: none
+
+ sudo mkdir -p /config/auth/ocserv/config-per-user
+ sudo touch /config/auth/ocserv/default-user.conf
+
+ set vpn set vpn openconnect authentication identity-based-config mode user
+ set vpn openconnect authentication identity-based-config directory /config/auth/ocserv/config-per-user
+ set vpn openconnect authentication identity-based-config default-config /config/auth/ocserv/default-user.conf
+
+.. warning:: The above directory and default-config must be a child directory
+ of /config/auth, since files outside this directory are not persisted after an
+ image upgrade.
+
+Once you commit the above changes you can create a config file in the
+/config/auth/ocserv/config-per-user directory that matches a username of a
+user you have created e.g. "tst". Now when logging in with the "tst" user the
+config options you set in this file will be loaded.
+
+Be sure to set a sane default config in the default config file, this will be
+loaded in the case that a user is authenticated and no file is found in the
+configured directory matching the users username/group.
+
+.. 
code-block:: none
+
+ sudo nano /config/auth/ocserv/config-per-user/tst
+
+The same configuration options apply when Identity based config is configured
+in group mode except that group mode can only be used with RADIUS
+authentication.
+
+.. warning:: OpenConnect server matches the filename in a case sensitive
+ manner, make sure the username/group name you configure matches the
+ filename exactly.
+
Configuring RADIUS accounting
=============================
diff --git a/docs/configuration/vpn/pptp.rst b/docs/configuration/vpn/pptp.rst
index 12364acb..fe536eec 100644
--- a/docs/configuration/vpn/pptp.rst
+++ b/docs/configuration/vpn/pptp.rst
@@ -20,8 +20,8 @@ server example
set vpn pptp remote-access authentication local-users username test password 'test'
set vpn pptp remote-access authentication mode 'local'
- set vpn pptp remote-access client-ip-pool start '192.168.0.10'
- set vpn pptp remote-access client-ip-pool stop '192.168.0.15'
+ set vpn pptp remote-access client-ip-pool PPTP-POOL range 192.168.0.10-192.168.0.15
+ set vpn pptp remote-access default-pool 'PPTP-POOL'
set vpn pptp remote-access gateway-address '10.100.100.1'
set vpn pptp remote-access outside-address '10.1.1.120'
diff --git a/docs/configuration/vpn/remoteaccess_ipsec.rst b/docs/configuration/vpn/remoteaccess_ipsec.rst
new file mode 100644
index 00000000..9bc49979
--- /dev/null
+++ b/docs/configuration/vpn/remoteaccess_ipsec.rst
@@ -0,0 +1,176 @@ +.. _remoteaccess_ipsec: + +IPSec IKEv2 Remote Access VPN +============================= + +Internet Key Exchange version 2 (IKEv2) is a tunneling protocol, based on IPsec, +that establishes a secure VPN communication between VPN devices, and defines +negotiation and authentication processes for IPsec security associations (SAs). +It is often known as IKEv2/IPSec or IPSec IKEv2 remote-access — or road-warriors +as others call it. + +Key exchange and payload encryption is done using IKE and ESP proposals as known +from IKEv1 but the connections are faster to establish, more reliable, and also +support roaming from IP to IP (called MOBIKE which makes sure your connection +does not drop when changing networks from e.g. WIFI to LTE and back). +Authentication can be achieved with X.509 certificates. + +Setting up certificates: +^^^^^^^^^^^^^^^^^^^^^^^^ +First of all, we need to create a CA root certificate and server certificate +on the server side. + +.. code-block:: none + + vyos@vpn.vyos.net# run generate pki ca install ca_root + Enter private key type: [rsa, dsa, ec] (Default: rsa) + Enter private key bits: (Default: 2048) + Enter country code: (Default: GB) + Enter state: (Default: Some-State) + Enter locality: (Default: Some-City) + Enter organization name: (Default: VyOS) + Enter common name: (Default: vyos.io) + Enter how many days certificate will be valid: (Default: 1825) + Note: If you plan to use the generated key on this router, do not encrypt the private key. + Do you want to encrypt the private key with a passphrase? [y/N] N + 2 value(s) installed. Use "compare" to see the pending changes, and "commit" to apply. + [edit] + + + vyos@vpn.vyos.net# comp + [pki ca] + + ca_root { + + certificate "MIIDnTCCAoWgAwI…." + + private { + + key "MIIEvAIBADANBgkqhkiG9….” + + vyos@vpn.vyos.net# run generate pki certificate sign ca_root install server_cert + Do you already have a certificate request? 
[y/N] N + Enter private key type: [rsa, dsa, ec] (Default: rsa) + Enter private key bits: (Default: 2048) + Enter country code: (Default: GB) + Enter state: (Default: Some-State) + Enter locality: (Default: Some-City) + Enter organization name: (Default: VyOS) + Enter common name: (Default: vyos.io) vpn.vyos.net + Do you want to configure Subject Alternative Names? [y/N] N + Enter how many days certificate will be valid: (Default: 365) + Enter certificate type: (client, server) (Default: server) + Note: If you plan to use the generated key on this router, do not encrypt the private key. + Do you want to encrypt the private key with a passphrase? [y/N] N + 2 value(s) installed. Use "compare" to see the pending changes, and "commit" to apply. + + vyos@vpn.vyos.net# comp + [pki certificate] + + server_cert { + + certificate "MIIDuzCCAqOgAwIBAgIUaSrCPWx………" + + private { + + key "MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBK….." + + } + + } + + +Once the command is completed, it will add the certificate to the configuration +session, to the pki subtree. You can then review the proposed changes and +commit them. + +Setting up IPSec: +^^^^^^^^^^^^^^^^^ + +After the PKI certs are all set up we can start configuring our IPSec/IKE +proposals used for key-exchange end data encryption. The used encryption ciphers +and integrity algorithms vary from operating system to operating system. The +ones used in this example are validated to work on Windows 10. + +.. 
code-block:: none
+
+ set vpn ipsec esp-group ESP-RW lifetime '3600'
+ set vpn ipsec esp-group ESP-RW pfs 'disable'
+ set vpn ipsec esp-group ESP-RW proposal 10 encryption 'aes128gcm128'
+ set vpn ipsec esp-group ESP-RW proposal 10 hash 'sha256'
+
+ set vpn ipsec ike-group IKE-RW key-exchange 'ikev2'
+ set vpn ipsec ike-group IKE-RW lifetime '7200'
+ set vpn ipsec ike-group IKE-RW proposal 10 dh-group '14'
+ set vpn ipsec ike-group IKE-RW proposal 10 encryption 'aes128gcm128'
+ set vpn ipsec ike-group IKE-RW proposal 10 hash 'sha256'
+
+Every connection/remote-access pool we configure also needs a pool where we
+can draw our client IP addresses from. We provide one IPv4 and IPv6 pool.
+Authorized clients will receive an IPv4 address from the configured IPv4 prefix
+and an IPv6 address from the IPv6 prefix. We can also send some DNS nameservers
+down to our clients used on their connection.
+
+.. code-block:: none
+
+ set vpn ipsec remote-access pool ra-rw-ipv4 name-server '192.0.2.1'
+ set vpn ipsec remote-access pool ra-rw-ipv4 prefix '192.0.2.128/25'
+
+ set vpn ipsec remote-access pool ra-rw-ipv6 name-server '2001:db8:1000::1'
+ set vpn ipsec remote-access pool ra-rw-ipv6 prefix '2001:db8:2000::/64'
+
+Setting up tunnel:
+^^^^^^^^^^^^^^^^^^
+
+.. 
code-block:: none
+
+ set vpn ipsec remote-access connection rw authentication local-id '192.0.2.1'
+ set vpn ipsec remote-access connection rw authentication server-mode 'x509'
+ set vpn ipsec remote-access connection rw authentication x509 ca-certificate 'ca_root'
+ set vpn ipsec remote-access connection rw authentication x509 certificate 'server_cert'
+ set vpn ipsec remote-access connection rw esp-group 'ESP-RW'
+ set vpn ipsec remote-access connection rw ike-group 'IKE-RW'
+ set vpn ipsec remote-access connection rw local-address '192.0.2.1'
+ set vpn ipsec remote-access connection rw pool 'ra-rw-ipv4'
+ set vpn ipsec remote-access connection rw pool 'ra-rw-ipv6'
+
+VyOS also supports two different modes of authentication, local and RADIUS.
+To create a new local user named "vyos" with a password of "vyos" use the
+following commands.
+
+.. code-block:: none
+
+ set vpn ipsec remote-access connection rw authentication client-mode 'eap-mschapv2'
+ set vpn ipsec remote-access connection rw authentication local-users username vyos password 'vyos'
+
+Client Configuration
+^^^^^^^^^^^^^^^^^^^^
+
+Most operating systems include native client support for IPsec IKEv2 VPN
+connections, and others typically have an app or add-on package which adds the
+capability.
+This section covers IPsec IKEv2 client configuration for Windows 10.
+
+VyOS provides a command to generate a connection profile used by Windows clients
+that will connect to the "rw" connection on our VyOS server.
+
+.. note:: Windows expects the server name to be also used in the server's
+ certificate common name, so it's best to use this DNS name for your VPN
+ connection.
+
+.. 
code-block:: none
+
+ vyos@vpn.vyos.net:~$ generate ipsec profile windows-remote-access rw remote vpn.vyos.net
+
+ ==== <snip> ====
+ Add-VpnConnection -Name "VyOS IKEv2 VPN" -ServerAddress "vpn.vyos.net" -TunnelType "Ikev2"
+
+ Set-VpnConnectionIPsecConfiguration -ConnectionName "VyOS IKEv2 VPN" -AuthenticationTransformConstants GCMAES128 -CipherTransformConstants
+ GCMAES128 -EncryptionMethod GCMAES128 -IntegrityCheckMethod SHA256128 -PfsGroup None -DHGroup "Group14" -PassThru -Force
+ ==== </snip> ====
+
+Add the commands from Snippet in the Windows side via PowerShell.
+Also import the root CA cert to the Windows “Trusted Root Certification
+Authorities” and establish the connection.
+
+Verification:
+^^^^^^^^^^^^^
+
+.. code-block:: none
+
+ vyos@vpn.vyos.net:~$ show vpn ipsec remote-access summary
+ Connection ID Username Protocol State Uptime Tunnel IP Remote Host Remote ID IKE Proposal IPSec Proposal
+ --------------- ---------- ---------- ------- -------- ----------- ------------- ----------- ------------------------------------------ ------------------
+ 5 vyos IKEv2 UP 37s 192.0.2.129 10.0.0.2 10.0.0.2 AES_GCM_16-128/PRF_HMAC_SHA2_256/MODP_2048 ESP:AES_GCM_16-128
+
diff --git a/docs/configuration/vpn/rsa-keys.rst b/docs/configuration/vpn/rsa-keys.rst
index a95f5f33..1ebab731 100644
--- a/docs/configuration/vpn/rsa-keys.rst
+++ b/docs/configuration/vpn/rsa-keys.rst
@@ -17,7 +17,7 @@ install <key-pair nam>>". You may choose different length than 2048 of course.
Note: If you plan to use the generated key on this router, do not encrypt the private key.
Do you want to encrypt the private key with a passphrase? [y/N] N
Configure mode commands to install key pair:
- Do you want to install the public key? [Y/n] Yrgerg
+ Do you want to install the public key? [Y/n] Y
set pki key-pair ipsec-LEFT public key 'MIIBIjANBgkqh...'
Do you want to install the private key? [Y/n] Y
set pki key-pair ipsec-LEFT private key 'MIIEvgIBADAN...'
diff --git a/docs/configuration/vpn/site2site_ipsec.rst b/docs/configuration/vpn/site2site_ipsec.rst
index e89d25c6..23df1b76 100644
--- a/docs/configuration/vpn/site2site_ipsec.rst
+++ b/docs/configuration/vpn/site2site_ipsec.rst
@@ -10,8 +10,8 @@ connected/routed networks.
To configure site-to-site connection you need to add peers with the ``set vpn ipsec site-to-site peer <name>`` command.
-The peer name must be an alphanumeric and can have hypen or underscore as
-special characters. It is purely informational.
+The peer name must be an alphanumeric and can have hypen or underscore as
+special characters. It is purely informational.
Each site-to-site peer has the next options:
@@ -20,11 +20,11 @@ Each site-to-site peer has the next options:
* ``psk`` - Preshared secret key name:
- * ``dhcp-interface`` - ID for authentication generated from DHCP address
+ * ``dhcp-interface`` - ID for authentication generated from DHCP address
dynamically;
- * ``id`` - static ID's for authentication. In general local and remote
+ * ``id`` - static ID's for authentication. In general local and remote
address ``<x.x.x.x>``, ``<h:h:h:h:h:h:h:h>`` or ``%any``;
- * ``secret`` - predefined shared secret. Used if configured mode
+ * ``secret`` - predefined shared secret. Used if configured mode
``pre-shared-secret``;
@@ -110,7 +110,7 @@ Each site-to-site peer has the next options:
* ``remote-address`` - remote IP address or hostname for IPSec connection. IPv4 or IPv6 address is used when a peer has a public static IP address.
- Hostname is a DNS name which could be used when a peer has a public IP
+ Hostname is a DNS name which could be used when a peer has a public IP
address and DNS name, but an IP address could be changed from time to time.
* ``tunnel`` - define criteria for traffic to be matched for encrypting and send 
@@ -149,6 +149,10 @@ Each site-to-site peer has the next options:
* ``esp-group`` - define ESP group for encrypt traffic, passed this VTI interface.
+* ``virtual-address`` - Defines a virtual IP address which is requested by the
+ initiator and one or several IPv4 and/or IPv6 addresses are assigned from
+ multiple pools by the responder.
+
Examples:
------------------
@@ -241,13 +245,13 @@ If there is SNAT rules on eth1, need to add exclude rule
# server side
set nat source rule 10 destination address '10.0.0.0/24'
set nat source rule 10 'exclude'
- set nat source rule 10 outbound-interface 'eth1'
+ set nat source rule 10 outbound-interface name 'eth1'
set nat source rule 10 source address '192.168.0.0/24'
# remote office side
set nat source rule 10 destination address '192.168.0.0/24'
set nat source rule 10 'exclude'
- set nat source rule 10 outbound-interface 'eth1'
+ set nat source rule 10 outbound-interface name 'eth1'
set nat source rule 10 source address '10.0.0.0/24'
To allow traffic to pass through to clients, you need to add the following 
@@ -280,118 +284,144 @@ Imagine the following topology IPSec IKEv2 site2site VPN (source ./draw.io/vpn_s2s_ikev2.drawio) +**LEFT:** +* WAN interface on `eth0.201` +* `eth0.201` interface IP: `172.18.201.10/24` +* `vti10` interface IP: `10.0.0.2/31` +* `dum0` interface IP: `10.0.11.1/24` (for testing purposes) + +**RIGHT:** +* WAN interface on `eth0.202` +* `eth0.201` interface IP: `172.18.202.10/24` +* `vti10` interface IP: `10.0.0.3/31` +* `dum0` interface IP: `10.0.12.1/24` (for testing purposes) .. note:: Don't get confused about the used /31 tunnel subnet. :rfc:`3021` gives you additional information for using /31 subnets on point-to-point links. -**left** +**LEFT** .. code-block:: none + set interfaces ethernet eth0 vif 201 address '172.18.201.10/24' + set interfaces dummy dum0 address '10.0.11.1/24' set interfaces vti vti10 address '10.0.0.2/31' - set vpn ipsec authentication psk OFFICE-B id '172.18.201.10' - set vpn ipsec authentication psk OFFICE-B id '172.18.202.10' - set vpn ipsec authentication psk OFFICE-B secret 'secretkey' + set vpn ipsec authentication psk peer_172-18-202-10 id '172.18.201.10' + set vpn ipsec authentication psk peer_172-18-202-10 id '172.18.202.10' + set vpn ipsec authentication psk peer_172-18-202-10 secret 'secretkey' set vpn ipsec esp-group ESP_DEFAULT lifetime '3600' set vpn ipsec esp-group ESP_DEFAULT mode 'tunnel' set vpn ipsec esp-group ESP_DEFAULT pfs 'dh-group19' set vpn ipsec esp-group ESP_DEFAULT proposal 10 encryption 'aes256gcm128' set vpn ipsec esp-group ESP_DEFAULT proposal 10 hash 'sha256' + set vpn ipsec ike-group IKEv2_DEFAULT close-action 'none' + set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection action 'hold' + set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection interval '30' + set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection timeout '120' + set vpn ipsec ike-group IKEv2_DEFAULT disable-mobike set vpn ipsec ike-group IKEv2_DEFAULT key-exchange 'ikev2' set vpn ipsec ike-group IKEv2_DEFAULT 
lifetime '10800' - set vpn ipsec ike-group IKEv2_DEFAULT disable-mobike set vpn ipsec ike-group IKEv2_DEFAULT proposal 10 dh-group '19' set vpn ipsec ike-group IKEv2_DEFAULT proposal 10 encryption 'aes256gcm128' set vpn ipsec ike-group IKEv2_DEFAULT proposal 10 hash 'sha256' set vpn ipsec interface 'eth0.201' - set vpn ipsec site-to-site peer OFFICE-B authentication local-id '172.18.201.10' - set vpn ipsec site-to-site peer OFFICE-B authentication mode 'pre-shared-secret' - set vpn ipsec site-to-site peer OFFICE-B authentication remote-id '172.18.202.10' - set vpn ipsec site-to-site peer OFFICE-B connection-type 'respond' - set vpn ipsec site-to-site peer OFFICE-B ike-group 'IKEv2_DEFAULT' - set vpn ipsec site-to-site peer OFFICE-B local-address '192.168.0.10' - set vpn ipsec site-to-site peer OFFICE-B remote-address '172.18.202.10' - set vpn ipsec site-to-site peer OFFICE-B vti bind 'vti10' - set vpn ipsec site-to-site peer OFFICE-B vti esp-group 'ESP_DEFAULT' + set vpn ipsec site-to-site peer peer_172-18-202-10 authentication local-id '172.18.201.10' + set vpn ipsec site-to-site peer peer_172-18-202-10 authentication mode 'pre-shared-secret' + set vpn ipsec site-to-site peer peer_172-18-202-10 authentication remote-id '172.18.202.10' + set vpn ipsec site-to-site peer peer_172-18-202-10 connection-type 'initiate' + set vpn ipsec site-to-site peer peer_172-18-202-10 ike-group 'IKEv2_DEFAULT' + set vpn ipsec site-to-site peer peer_172-18-202-10 ikev2-reauth 'inherit' + set vpn ipsec site-to-site peer peer_172-18-202-10 local-address '172.18.201.10' + set vpn ipsec site-to-site peer peer_172-18-202-10 remote-address '172.18.202.10' + set vpn ipsec site-to-site peer peer_172-18-202-10 vti bind 'vti10' + set vpn ipsec site-to-site peer peer_172-18-202-10 vti esp-group 'ESP_DEFAULT' -**right** + set protocols static interface-route 10.0.12.0/24 next-hop-interface vti10 + +**RIGHT** .. 
code-block:: none + set interfaces ethernet eth0 vif 202 address '172.18.202.10/24' + set interfaces dummy dum0 address '10.0.12.1/24' set interfaces vti vti10 address '10.0.0.3/31' - set vpn ipsec authentication psk OFFICE-A id '172.18.201.10' - set vpn ipsec authentication psk OFFICE-A id '172.18.202.10' - set vpn ipsec authentication psk OFFICE-A secret 'secretkey' + set vpn ipsec authentication psk peer_172-18-201-10 id '172.18.202.10' + set vpn ipsec authentication psk peer_172-18-201-10 id '172.18.201.10' + set vpn ipsec authentication psk peer_172-18-201-10 secret 'secretkey' set vpn ipsec esp-group ESP_DEFAULT lifetime '3600' set vpn ipsec esp-group ESP_DEFAULT mode 'tunnel' set vpn ipsec esp-group ESP_DEFAULT pfs 'dh-group19' set vpn ipsec esp-group ESP_DEFAULT proposal 10 encryption 'aes256gcm128' set vpn ipsec esp-group ESP_DEFAULT proposal 10 hash 'sha256' - set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection action 'restart' + set vpn ipsec ike-group IKEv2_DEFAULT close-action 'none' + set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection action 'hold' set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection interval '30' set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection timeout '120' + set vpn ipsec ike-group IKEv2_DEFAULT disable-mobike set vpn ipsec ike-group IKEv2_DEFAULT key-exchange 'ikev2' set vpn ipsec ike-group IKEv2_DEFAULT lifetime '10800' - set vpn ipsec ike-group IKEv2_DEFAULT disable-mobike set vpn ipsec ike-group IKEv2_DEFAULT proposal 10 dh-group '19' set vpn ipsec ike-group IKEv2_DEFAULT proposal 10 encryption 'aes256gcm128' set vpn ipsec ike-group IKEv2_DEFAULT proposal 10 hash 'sha256' set vpn ipsec interface 'eth0.202' - set vpn ipsec site-to-site peer OFFICE-A authentication local-id '172.18.202.10' - set vpn ipsec site-to-site peer OFFICE-A authentication mode 'pre-shared-secret' - set vpn ipsec site-to-site peer OFFICE-A authentication remote-id '172.18.201.10' - set vpn ipsec site-to-site peer OFFICE-A 
connection-type 'initiate' - set vpn ipsec site-to-site peer OFFICE-A ike-group 'IKEv2_DEFAULT' - set vpn ipsec site-to-site peer OFFICE-A local-address '172.18.202.10' - set vpn ipsec site-to-site peer OFFICE-A remote-address '172.18.201.10' - set vpn ipsec site-to-site peer OFFICE-A vti bind 'vti10' - set vpn ipsec site-to-site peer OFFICE-A vti esp-group 'ESP_DEFAULT' + set vpn ipsec site-to-site peer peer_172-18-201-10 authentication local-id '172.18.202.10' + set vpn ipsec site-to-site peer peer_172-18-201-10 authentication mode 'pre-shared-secret' + set vpn ipsec site-to-site peer peer_172-18-201-10 authentication remote-id '172.18.201.10' + set vpn ipsec site-to-site peer peer_172-18-201-10 connection-type 'initiate' + set vpn ipsec site-to-site peer peer_172-18-201-10 ike-group 'IKEv2_DEFAULT' + set vpn ipsec site-to-site peer peer_172-18-201-10 ikev2-reauth 'inherit' + set vpn ipsec site-to-site peer peer_172-18-201-10 local-address '172.18.202.10' + set vpn ipsec site-to-site peer peer_172-18-201-10 remote-address '172.18.201.10' + set vpn ipsec site-to-site peer peer_172-18-201-10 vti bind 'vti10' + set vpn ipsec site-to-site peer peer_172-18-201-10 vti esp-group 'ESP_DEFAULT' + + set protocols static interface-route 10.0.11.0/24 next-hop-interface vti10 Key Parameters: * ``authentication local-id/remote-id`` - IKE identification is used for validation of VPN peer devices during IKE negotiation. If you do not configure - local/remote-identity, the device uses the IPv4 or IPv6 address that + local/remote-identity, the device uses the IPv4 or IPv6 address that corresponds to the local/remote peer by default. - In certain network setups (like ipsec interface with dynamic address, or - behind the NAT ), the IKE ID received from the peer does not match the IKE - gateway configured on the device. 
This can lead to a Phase 1 validation + In certain network setups (like ipsec interface with dynamic address, or + behind the NAT ), the IKE ID received from the peer does not match the IKE + gateway configured on the device. This can lead to a Phase 1 validation failure. - So, make sure to configure the local/remote id explicitly and ensure that the + So, make sure to configure the local/remote id explicitly and ensure that the IKE ID is the same as the remote-identity configured on the peer device. * ``disable-route-autoinstall`` - This option when configured disables the routes installed in the default table 220 for site-to-site ipsec. It is mostly used with VTI configuration. -* ``dead-peer-detection action = clear | hold | restart`` - R_U_THERE - notification messages(IKEv1) or empty INFORMATIONAL messages (IKEv2) - are periodically sent in order to check the liveliness of the IPsec peer. The - values clear, hold, and restart all activate DPD and determine the action to +* ``dead-peer-detection action = clear | hold | restart`` - R_U_THERE + notification messages(IKEv1) or empty INFORMATIONAL messages (IKEv2) + are periodically sent in order to check the liveliness of the IPsec peer. The + values clear, hold, and restart all activate DPD and determine the action to perform on a timeout. - With ``clear`` the connection is closed with no further actions taken. - ``hold`` installs a trap policy, which will catch matching traffic and tries - to re-negotiate the connection on demand. - ``restart`` will immediately trigger an attempt to re-negotiate the + With ``clear`` the connection is closed with no further actions taken. + ``hold`` installs a trap policy, which will catch matching traffic and tries + to re-negotiate the connection on demand. + ``restart`` will immediately trigger an attempt to re-negotiate the connection. 
-* ``close-action = none | clear | hold | restart`` - defines the action to take - if the remote peer unexpectedly closes a CHILD_SA (see above for meaning of +* ``close-action = none | clear | hold | restart`` - defines the action to take + if the remote peer unexpectedly closes a CHILD_SA (see above for meaning of values). A closeaction should not be used if the peer uses reauthentication or uniqueids. - - When the close-action option is set on the peers, the connection-type + + When the close-action option is set on the peers, the connection-type of each peer has to considered carefully. For example, if the option is set - on both peers, then both would attempt to initiate and hold open multiple - copies of each child SA. This might lead to instability of the device or - cpu/memory utilization. - - Below flow-chart could be a quick reference for the close-action - combination depending on how the peer is configured. + on both peers, then both would attempt to initiate and hold open multiple + copies of each child SA. This might lead to instability of the device or + cpu/memory utilization. + + Below flow-chart could be a quick reference for the close-action + combination depending on how the peer is configured. .. figure:: /_static/images/IPSec_close_action_settings.jpg - + Similar combinations are applicable for the dead-peer-detection. diff --git a/docs/configuration/vpn/sstp.rst b/docs/configuration/vpn/sstp.rst index f3e062fe..d9bb4353 100644 --- a/docs/configuration/vpn/sstp.rst +++ b/docs/configuration/vpn/sstp.rst 
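Review bot: The RIGHT topology list in the added lines gives the WAN address as `eth0.201` interface IP: `172.18.202.10/24`, but the same list names the WAN interface `eth0.202` and the RIGHT config block sets `vif 202`, so that bullet should read `eth0.202`. As far as the collapsed diff shows, the bullet lists directly follow the `**LEFT:**` and `**RIGHT:**` lines without a blank line, in which case docutils folds them into the preceding paragraph instead of rendering a list; a blank line after each bold label fixes this, and double backticks instead of the bare default role would render the interface names as literals. The renamed psk entries keep the demo value `secret 'secretkey'` on both sides; a visibly placeholder value such as `secret '<strong-random-psk>'` makes it less likely to be copied unchanged. Both peers now use `connection-type 'initiate'` together with `close-action 'none'`; since the Key Parameters text later in this hunk warns about both sides initiating when close-action is set, a short remark that `none` is what makes this pairing safe would presumably help readers.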
@@ -116,9 +116,20 @@ Configuration Specifies the port `<port>` that the SSTP port will listen on (default 443). -.. cfgcmd:: set vpn sstp client-ip-pool subnet <subnet> +.. cfgcmd:: set vpn sstp client-ip-pool <POOL-NAME> range <x.x.x.x-x.x.x.x | x.x.x.x/x> - Use `<subnet>` as the IP pool for all connecting clients. + Use this command to define the first IP address of a pool of + addresses to be given to SSTP clients. If notation ``x.x.x.x-x.x.x.x``, + it must be within a /24 subnet. If notation ``x.x.x.x/x`` is + used there is possibility to set host/netmask. + +.. cfgcmd:: set vpn sstp client-ip-pool <POOL-NAME> next-pool <NEXT-POOL-NAME> + + Use this command to define the next address pool name. + +.. cfgcmd:: set vpn sstp default-pool <POOL-NAME> + + Use this command to define default address pool name. .. cfgcmd:: set vpn sstp client-ipv6-pool prefix <address> mask <number-of-bits> @@ -282,7 +293,8 @@ Example set vpn sstp authentication local-users username vyos password vyos set vpn sstp authentication mode local set vpn sstp gateway-address 192.0.2.254 - set vpn sstp client-ip-pool subnet 192.0.2.0/25 + set vpn sstp client-ip-pool SSTP-POOL range 192.0.2.0/25 + set vpn sstp default-pool 'SSTP-POOL' set vpn sstp name-server 10.0.0.1 set vpn sstp name-server 10.0.0.2 set vpn sstp ssl ca-cert-file /config/auth/ca.crt |
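Review bot: The new `range` description says the command defines "the first IP address of a pool", but both accepted notations describe a whole range or subnet, and the two sentences about the notations do not say what the /24 restriction applies to. A rewording such as `Use this command to define a pool of addresses handed out to SSTP clients. A range in ``x.x.x.x-x.x.x.x`` notation must fit within a single /24 subnet; ``x.x.x.x/x`` notation accepts a host address with a netmask.` keeps the stated facts and reads in one pass. The `next-pool` and `default-pool` entries likewise give no example value, though the `<POOL-NAME>` placeholder in the directive argument makes the intent reasonably clear.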
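Review bot: The two added example lines quote inconsistently: `set vpn sstp client-ip-pool SSTP-POOL range 192.0.2.0/25` leaves the value bare while `set vpn sstp default-pool 'SSTP-POOL'` quotes it, and the unchanged lines around them in this example are unquoted. Using one form, here the unquoted `set vpn sstp default-pool SSTP-POOL`, keeps the example consistent with the rest of the block.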