Diffstat (limited to 'docs/configuration')
-rw-r--r--docs/configuration/interfaces/pppoe.rst12
-rw-r--r--docs/configuration/service/ipoe-server.rst24
-rw-r--r--docs/configuration/service/pppoe-server.rst10
-rw-r--r--docs/configuration/service/router-advert.rst8
-rw-r--r--docs/configuration/system/option.rst19
-rw-r--r--docs/configuration/vpn/site2site_ipsec.rst39
6 files changed, 69 insertions, 43 deletions
diff --git a/docs/configuration/interfaces/pppoe.rst b/docs/configuration/interfaces/pppoe.rst
index b37e95a2..65081e1c 100644
--- a/docs/configuration/interfaces/pppoe.rst
+++ b/docs/configuration/interfaces/pppoe.rst
@@ -380,9 +380,13 @@ IPv6 DHCPv6-PD Example
.. stop_vyoslinter
-The following configuration will assign a /64 prefix out of a /56 delegation
-to eth0. The IPv6 address assigned to eth0 will be <prefix>::ffff/64.
-If you do not know the prefix size delegated to you, start with sla-len 0.
+The following configuration will setup a PPPoE session source from eth1 and
+assign a /64 prefix out of a /56 delegation (requested from the ISP) to eth0.
+The IPv6 address assigned to eth0 will be <prefix>::1/64. If you do not know
+the prefix size delegated to you, start with sla-len 0.
+
+In addition we setup IPv6 :abbr:`RA (Router Advertisements)` to make the
+prefix known on the eth0 link.
.. start_vyoslinter
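Review bot: the new paragraph has two grammar slips in the added lines: "will setup a PPPoE session source from eth1" should read "will set up a PPPoE session sourced from eth1", and "In addition we setup IPv6 RA" should be "we set up IPv6 RA" (verb, two words). While editing, the sentence "The IPv6 address assigned to eth0 will be <prefix>::1/64" now differs from the old text's ::ffff/64; it would help to state which eth0 address setting in the example below produces ::1, since the shown block only includes the pppoe0 lines.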
@@ -395,3 +399,5 @@ If you do not know the prefix size delegated to you, start with sla-len 0.
set interfaces pppoe pppoe0 dhcpv6-options pd 0 length '56'
set interfaces pppoe pppoe0 ipv6 address autoconf
set interfaces pppoe pppoe0 source-interface eth1
+
+ set service router-advert interface eth0 prefix ::/64
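Review bot: the added `set service router-advert interface eth0 prefix ::/64` uses the `::/64` shorthand that is only explained in the router-advert.rst note added in this same change; add a short sentence or a cross-reference before the command so a reader of the PPPoE page understands that `::/64` expands to the delegated GUA prefix rather than being a literal prefix. Also confirm the added line is indented the same as the `set interfaces pppoe` lines above it so it stays inside the same code block.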
diff --git a/docs/configuration/service/ipoe-server.rst b/docs/configuration/service/ipoe-server.rst
index 5608c27c..64048552 100644
--- a/docs/configuration/service/ipoe-server.rst
+++ b/docs/configuration/service/ipoe-server.rst
@@ -52,7 +52,7 @@ the configuration.
.. cfgcmd:: set service ipoe-server authentication interface <interface> mac <MAC>
- Creates local pppoe user with username=**<interface>** and
+ Creates local IPoE user with username=**<interface>** and
password=**<MAC>** (mac-address)
.. cfgcmd:: set service ipoe-server authentication mode <local | radius>
@@ -68,7 +68,7 @@ the configuration.
.. cfgcmd:: set service ipoe-server client-ip-pool <POOL-NAME> range <x.x.x.x-x.x.x.x | x.x.x.x/x>
Use this command to define the first IP address of a pool of
- addresses to be given to l2tp clients. If notation ``x.x.x.x-x.x.x.x``,
+ addresses to be given to IPoE clients. If notation ``x.x.x.x-x.x.x.x``,
it must be within a /24 subnet. If notation ``x.x.x.x/x`` is
used there is possibility to set host/netmask.
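Review bot: the changed sentence still reads "If notation ``x.x.x.x-x.x.x.x``, it must be within a /24 subnet", which is missing "is used" after the notation; since this paragraph is being touched anyway, suggest "If the ``x.x.x.x-x.x.x.x`` notation is used, it must be within a /24 subnet. If the ``x.x.x.x/x`` notation is used, a host/netmask can be set."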
@@ -251,15 +251,6 @@ User interface can be put to VRF context via RADIUS Access-Accept packet, or cha
it via RADIUS CoA. ``Accel-VRF-Name`` is used from these purposes. It is custom `ACCEL-PPP attribute`_.
Define it in your RADIUS server.
-Renaming clients interfaces by RADIUS
-=====================================
-
-If the RADIUS server uses the attribute ``NAS-Port-Id``, ppp tunnels will be
-renamed.
-
-.. note:: The value of the attribute ``NAS-Port-Id`` must be less than 16
- characters, otherwise the interface won't be renamed.
-
****
IPv6
****
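Review bot: the whole "Renaming clients interfaces by RADIUS" section, including the note that ``NAS-Port-Id`` must be shorter than 16 characters, is removed with no replacement. If the behaviour no longer applies to the IPoE server (the removed text talks about "ppp tunnels", so it may have been copied from the PPPoE page), the commit message should say so; if the feature still exists for IPoE, keep the section and just fix the wording to refer to IPoE interfaces.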
@@ -267,16 +258,16 @@ IPv6
.. cfgcmd:: set service ipoe-server client-ipv6-pool <IPv6-POOL-NAME> prefix <address>
mask <number-of-bits>
- Use this comand to set the IPv6 address pool from which an l2tp client
+ Use this comand to set the IPv6 address pool from which an IPoE client
will get an IPv6 prefix of your defined length (mask) to terminate the
- l2tp endpoint at their side. The mask length can be set from 48 to 128
+ IPoE endpoint at their side. The mask length can be set from 48 to 128
bit long, the default value is 64.
.. cfgcmd:: set service ipoe-server client-ipv6-pool <IPv6-POOL-NAME> delegate <address>
delegation-prefix <number-of-bits>
Use this command to configure DHCPv6 Prefix Delegation (RFC3633) on
- l2tp. You will have to set your IPv6 pool and the length of the
+ IPoE. You will have to set your IPv6 pool and the length of the
delegation prefix. From the defined IPv6 pool you will be handing out
networks of the defined length (delegation-prefix). The length of the
delegation prefix can be set from 32 to 64 bit long.
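Review bot: the modified line "Use this comand to set the IPv6 address pool" keeps the pre-existing typo "comand"; since the line is being rewritten, change it to "command". The l2tp-to-IPoE substitution itself looks correct in both paragraphs.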
@@ -398,6 +389,11 @@ Global Advanced options
Monitoring
**********
+.. opcmd:: show ipoe-server sessions
+
+ Use this command to locally check the active sessions in the IPoE
+ server.
+
.. code-block:: none
vyos@vyos:~$ show ipoe-server sessions
diff --git a/docs/configuration/service/pppoe-server.rst b/docs/configuration/service/pppoe-server.rst
index 04113666..99b3fbb5 100644
--- a/docs/configuration/service/pppoe-server.rst
+++ b/docs/configuration/service/pppoe-server.rst
@@ -352,16 +352,16 @@ IPv6
.. cfgcmd:: set service pppoe-server client-ipv6-pool <IPv6-POOL-NAME> prefix <address>
mask <number-of-bits>
- Use this comand to set the IPv6 address pool from which an l2tp client
+ Use this comand to set the IPv6 address pool from which an PPPoE client
will get an IPv6 prefix of your defined length (mask) to terminate the
- l2tp endpoint at their side. The mask length can be set from 48 to 128
+ PPPoE endpoint at their side. The mask length can be set from 48 to 128
bit long, the default value is 64.
.. cfgcmd:: set service pppoe-server client-ipv6-pool <IPv6-POOL-NAME> delegate <address>
delegation-prefix <number-of-bits>
Use this command to configure DHCPv6 Prefix Delegation (RFC3633) on
- l2tp. You will have to set your IPv6 pool and the length of the
+ PPPoE. You will have to set your IPv6 pool and the length of the
delegation prefix. From the defined IPv6 pool you will be handing out
networks of the defined length (delegation-prefix). The length of the
delegation prefix can be set from 32 to 64 bit long.
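Review bot: the rewritten line reads "from which an PPPoE client"; the article should be "a PPPoE client". The same line also carries the typo "comand" (should be "command"), as in the matching IPoE hunk.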
@@ -624,7 +624,7 @@ address from the pool 10.1.1.100-111, terminates at the local endpoint
Dual-Stack IPv4/IPv6 provisioning with Prefix Delegation
========================================================
-The example below covers a dual-stack configuration via pppoe-server.
+The example below covers a dual-stack configuration.
.. code-block:: none
@@ -642,7 +642,7 @@ The example below covers a dual-stack configuration via pppoe-server.
set service pppoe-server gateway-address '10.100.100.1'
The client, once successfully authenticated, will receive an IPv4 and an
-IPv6 /64 address to terminate the pppoe endpoint on the client side and
+IPv6 /64 address to terminate the PPPoE endpoint on the client side and
a /56 subnet for the clients internal use.
.. code-block:: none
diff --git a/docs/configuration/service/router-advert.rst b/docs/configuration/service/router-advert.rst
index eb1a6844..f179153a 100644
--- a/docs/configuration/service/router-advert.rst
+++ b/docs/configuration/service/router-advert.rst
@@ -26,7 +26,7 @@ Supported interface types:
Enabling Advertisments
~~~~~~~~~~~~~~~~~~~~~~~
-.. cfgcmd:: set service router-advert interface <interface> ....
+.. cfgcmd:: set service router-advert interface <interface> ...
.. stop_vyoslinter
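Review bot: the section heading in the context lines, "Enabling Advertisments", is misspelled (should be "Advertisements"); since the cfgcmd directly under it is being edited, fixing the heading in the same change would be cheap. Note that changing the heading text may affect any cross-references to this section.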
@@ -52,7 +52,11 @@ Enabling Advertisments
Advertising a Prefix
''''''''''''''''''''
-.. cfgcmd:: set service router-advert interface <interface> prefix 2001:DB8::/32
+.. cfgcmd:: set service router-advert interface <interface> prefix <prefix/mask>
+
+ .. note:: You can also opt for using `::/64` as prefix for your :abbr:`RAs (Router
+ Advertisements)`. This will take the IPv6 GUA prefix assigned to the interface,
+ which comes in handy when using DHCPv6-PD.
.. stop_vyoslinter
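Review bot: the added note wraps `::/64` in single backticks, which reStructuredText renders as interpreted text with the default role rather than as a literal; use double backticks (``::/64``) to match how every other command fragment on this page is marked up. Suggested wording for the second sentence: "This uses the IPv6 GUA prefix assigned to the interface, which is handy when that prefix comes from DHCPv6-PD."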
diff --git a/docs/configuration/system/option.rst b/docs/configuration/system/option.rst
index 788765f0..02c889dd 100644
--- a/docs/configuration/system/option.rst
+++ b/docs/configuration/system/option.rst
@@ -24,7 +24,7 @@ General
.. cfgcmd:: set system option root-partition-auto-resize
- Enables the root partition auto-extension and resizes to the maximum
+ Enables the root partition auto-extension and resizes to the maximum
available space on system boot.
Kernel
@@ -35,6 +35,23 @@ Kernel
Disable all optional CPU mitigations. This improves system performance,
but it may also expose users to several CPU vulnerabilities.
+ This will add the following option to the Kernel commandline:
+
+ * ``mitigations=off``
+
+ .. note:: Setting will only become active with the next reboot!
+
+.. cfgcmd:: set system option kernel disable-power-saving
+
+ Disable CPU power saving mechanisms also known as C states.
+
+ This will add the following two options to the Kernel commandline:
+
+ * ``intel_idle.max_cstate=0`` Disable intel_idle and fall back on acpi_idle
+ * ``processor.max_cstate=1`` Limit processor to maximum C-state 1
+
+ .. note:: Setting will only become active with the next reboot!
+
***********
HTTP client
***********
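Review bot: a few consistency points in the two new kernel entries. "Kernel commandline" should be "kernel command line" in both places, and "C states" in the disable-power-saving description should be "C-states" to match "C-state 1" in the bullet below it. For ``disable-mitigations``, the existing text already says it "may also expose users to several CPU vulnerabilities"; since the added bullet now names the exact flag (``mitigations=off``), consider linking the kernel's admin-guide documentation for that parameter so a reader can see which mitigations it turns off rather than guessing. The two identical ``.. note::`` blocks are fine, but "Setting will only become active with the next reboot!" reads better as "This setting only takes effect after the next reboot."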
diff --git a/docs/configuration/vpn/site2site_ipsec.rst b/docs/configuration/vpn/site2site_ipsec.rst
index 78cadfb5..ab0f623f 100644
--- a/docs/configuration/vpn/site2site_ipsec.rst
+++ b/docs/configuration/vpn/site2site_ipsec.rst
@@ -16,7 +16,8 @@ special characters. It is purely informational.
Each site-to-site peer has the next options:
* ``authentication`` - configure authentication between VyOS and a remote peer.
- Suboptions:
+ If pre-shared-secret mode is used, the secret key must be defined in
+ ``set vpn ipsec authentication`` and suboptions:
* ``psk`` - Preshared secret key name:
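Review bot: the rewritten bullet now runs "the secret key must be defined in ``set vpn ipsec authentication`` and suboptions:" as one sentence, which reads as if "suboptions" were also defined under that path. Split it: "If pre-shared-secret mode is used, the secret key must be defined under ``set vpn ipsec authentication``. Suboptions:". If the page documents the full ``set vpn ipsec authentication psk ...`` command elsewhere, give that exact path here instead of the truncated one.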
@@ -36,8 +37,7 @@ Each site-to-site peer has the next options:
* ``pre-shared-secret`` - use predefined shared secret phrase;
- * ``rsa`` - use simple shared RSA key. The key must be defined in the
- ``set vpn rsa-keys`` section;
+ * ``rsa`` - use simple shared RSA key.
* ``x509`` - use certificates infrastructure for authentication.
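Review bot: after dropping the reference to ``set vpn rsa-keys``, the ``rsa`` bullet no longer tells the reader where the key is defined at all, while the ``pre-shared-secret`` bullet above it does. Since the later hunk introduces ``local-key`` and ``remote-key`` as "name of PKI key-pair", point the reader there, e.g. "use a shared RSA key pair defined in the PKI configuration (see the ``rsa`` options below)."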
@@ -45,29 +45,26 @@ Each site-to-site peer has the next options:
address. Useful in case if the remote peer is behind NAT or if ``mode x509``
is used;
- * ``rsa-key-name`` - shared RSA key for authentication. The key must be defined
- in the ``set vpn rsa-keys`` section;
+ * ``rsa`` - options for RSA authentication mode:
- * ``use-x509-id`` - use local ID from x509 certificate. Cannot be used when
- ``id`` is defined;
+ * ``local-key`` - name of PKI key-pair with local private key
- * ``x509`` - options for x509 authentication mode:
+ * ``remote-key`` - name of PKI key-pair with remote public key
- * ``ca-cert-file`` - CA certificate file. Using for authenticating
- remote peer;
+ * ``passphrase`` - local private key passphrase
- * ``cert-file`` - certificate file, which will be used for authenticating
- local router on remote peer;
+ * ``use-x509-id`` - use local ID from x509 certificate. Cannot be used when
+ ``id`` is defined;
- * ``crl-file`` - file with the Certificate Revocation List. Using to check if
- a certificate for the remote peer is valid or revoked;
+ * ``x509`` - options for x509 authentication mode:
- * ``key`` - a private key, which will be used for authenticating local router
- on remote peer:
+ * ``ca-certificate`` - CA certificate in PKI configuration. Using for
+ authenticating remote peer;
- * ``file`` - path to the key file;
+ * ``certificate`` - certificate file in PKI configuration, which will be used
+ for authenticating local router on remote peer;
- * ``password`` - passphrase private key, if needed.
+ * ``passphrase`` - private key passphrase, if needed.
* ``connection-type`` - how to handle this connection process. Possible
variants:
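Review bot: in the restructured ``rsa`` and ``x509`` sub-lists, the three new ``rsa`` items (``local-key``, ``remote-key``, ``passphrase``) have no terminating punctuation while the surrounding bullets end in semicolons or periods; make them consistent. Two wording issues in the ``x509`` items: "Using for authenticating remote peer" should be "Used for authenticating the remote peer", and ``certificate`` is described as a "certificate file in PKI configuration" although, like ``ca-certificate`` just above it, it now names a PKI object rather than a file path, so drop "file".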
@@ -113,6 +110,9 @@ Each site-to-site peer has the next options:
Hostname is a DNS name which could be used when a peer has a public IP
address and DNS name, but an IP address could be changed from time to time.
+* ``replay-window`` - IPsec replay window to configure for this CHILD_SA
+ (default: 32), a value of 0 disables IPsec replay protection
+
* ``tunnel`` - define criteria for traffic to be matched for encrypting and send
it to a peer:
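Review bot: the new ``replay-window`` bullet should state the unit of the value (a count of packets, as used by the IPsec anti-replay window) so that "default: 32" is not misread as a time; it should also separate the two clauses, e.g. "IPsec replay window for this CHILD_SA, in packets (default: 32). A value of 0 disables IPsec replay protection entirely." Stating plainly that 0 turns the check off, rather than merely widening the window, is the detail a reader choosing this option most needs.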
@@ -127,6 +127,9 @@ Each site-to-site peer has the next options:
* ``prefix`` - IP network at local side.
+ * ``priority`` - Add priority for policy-based IPSec VPN tunnels(lowest value
+ more preferable)
+
* ``protocol`` - define the protocol for match traffic, which should be
encrypted and send to this peer;
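Review bot: the added ``priority`` bullet is missing a space before the parenthesis ("tunnels(lowest value") and "more preferable" is awkward; suggest "Priority for policy-based IPsec VPN tunnels (the lowest value is preferred);" with a trailing semicolon to match the neighbouring items. "IPSec" should also be spelled "IPsec" as elsewhere on the page.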