7 files changed, 323 insertions, 162 deletions

diff --git a/docs/vpn/dmvpn.rst b/docs/vpn/dmvpn.rst
index e5135727..5b206c57 100644
--- a/docs/vpn/dmvpn.rst
+++ b/docs/vpn/dmvpn.rst
@@ -121,13 +121,13 @@ HUB Example Configuration:
 
 .. code-block:: sh
 
-  set interfaces ethernet eth0 address '1.1.1.1/30'
+  set interfaces ethernet eth0 address '198.51.100.41/30'
   set interfaces ethernet eth1 address '192.168.1.1/24'
   set system host-name 'HUB'
 
   set interfaces tunnel tun0 address 10.0.0.1/24
   set interfaces tunnel tun0 encapsulation gre
-  set interfaces tunnel tun0 local-ip 1.1.1.1
+  set interfaces tunnel tun0 local-ip 198.51.100.41
   set interfaces tunnel tun0 multicast enable
   set interfaces tunnel tun0 parameters ip key 1
 
@@ -256,7 +256,7 @@ SPOKE1 Example Configuration
   set interfaces tunnel tun0 parameters ip key 1
 
   set protocols nhrp tunnel tun0 cisco-authentication 'SECRET'
-  set protocols nhrp tunnel tun0 map 10.0.0.1/24 nbma-address 1.1.1.1
+  set protocols nhrp tunnel tun0 map 10.0.0.1/24 nbma-address 198.51.100.41
   set protocols nhrp tunnel tun0 map 10.0.0.1/24 'register'
   set protocols nhrp tunnel tun0 multicast 'nhs'
   set protocols nhrp tunnel tun0 'redirect'
@@ -379,7 +379,7 @@ SPOKE2 Example Configuration
   set interfaces tunnel tun0 parameters ip key 1
 
   set protocols nhrp tunnel tun0 cisco-authentication SECRET
-  set protocols nhrp tunnel tun0 map 10.0.0.1/24 nbma-address 1.1.1.1
+  set protocols nhrp tunnel tun0 map 10.0.0.1/24 nbma-address 198.51.100.41
   set protocols nhrp tunnel tun0 map 10.0.0.1/24 register
   set protocols nhrp tunnel tun0 multicast nhs
   set protocols nhrp tunnel tun0 redirect
diff --git a/docs/vpn/index.rst b/docs/vpn/index.rst
index ffdf39a0..9bab2b0c 100644
--- a/docs/vpn/index.rst
+++ b/docs/vpn/index.rst
@@ -11,7 +11,7 @@ This chapter descriptes the available VPN services provided by VyOS.
    :hidden:
 
    openvpn
-   l2tp_ipsec
+   l2tp
    site2site_ipsec
    gre-ipsec
    dmvpn
diff --git a/docs/vpn/l2tp.rst b/docs/vpn/l2tp.rst
new file mode 100644
index 00000000..0dd5fe3e
--- /dev/null
+++ b/docs/vpn/l2tp.rst
@@ -0,0 +1,237 @@
+.. _l2tp:
+
+L2TP
+-----------
+
+VyOS utilizes accel-ppp_ to provide SSTP server functionality. It can be used
+with local authentication or a connected RADIUS server.
+
+L2TP over IPsec
+===============
+
+Example for configuring a simple L2TP over IPsec VPN for remote access (works
+with native Windows and Mac VPN clients):
+
+.. code-block:: sh
+
+  set vpn ipsec ipsec-interfaces interface eth0
+  set vpn ipsec nat-traversal enable
+  set vpn ipsec nat-networks allowed-network 0.0.0.0/0
+
+  set vpn l2tp remote-access outside-address 192.0.2.2
+  set vpn l2tp remote-access outside-nexthop 192.168.255.1
+  set vpn l2tp remote-access client-ip-pool start 192.168.255.2
+  set vpn l2tp remote-access client-ip-pool stop 192.168.255.254
+  set vpn l2tp remote-access ipsec-settings authentication mode pre-shared-secret
+  set vpn l2tp remote-access ipsec-settings authentication pre-shared-secret <secret>
+  set vpn l2tp remote-access authentication mode local
+  set vpn l2tp remote-access authentication local-users username test password 'test'
+
+In the example above an external IP of 192.0.2.2 is assumed. Nexthop IP address
+192.168.255.1 uses as client tunnel termination point.
+
+If a local firewall policy is in place on your external interface you will need
+to allow the ports below:
+
+* UDP port 500 (IKE)
+* IP protocol number 50 (ESP)
+* UDP port 1701 for IPsec
+
+As well as the below to allow NAT-traversal:
+
+* UDP port 4500 (NAT-T)
+
+Example:
+
+.. code-block:: sh
+
+  set firewall name OUTSIDE-LOCAL rule 40 action 'accept'
+  set firewall name OUTSIDE-LOCAL rule 40 protocol 'esp'
+  set firewall name OUTSIDE-LOCAL rule 41 action 'accept'
+  set firewall name OUTSIDE-LOCAL rule 41 destination port '500'
+  set firewall name OUTSIDE-LOCAL rule 41 protocol 'udp'
+  set firewall name OUTSIDE-LOCAL rule 42 action 'accept'
+  set firewall name OUTSIDE-LOCAL rule 42 destination port '4500'
+  set firewall name OUTSIDE-LOCAL rule 42 protocol 'udp'
+  set firewall name OUTSIDE-LOCAL rule 43 action 'accept'
+  set firewall name OUTSIDE-LOCAL rule 43 destination port '1701'
+  set firewall name OUTSIDE-LOCAL rule 43 ipsec 'match-ipsec'
+  set firewall name OUTSIDE-LOCAL rule 43 protocol 'udp'
+
+To allow VPN-clients access via your external address, a NAT rule is required:
+
+
+.. code-block:: sh
+
+  set nat source rule 110 outbound-interface 'eth0'
+  set nat source rule 110 source address '192.168.255.0/24'
+  set nat source rule 110 translation address masquerade
+
+
+VPN-clients will request configuration parameters, optionally you can DNS
+parameter to the client.
+
+.. code-block:: sh
+
+  set vpn l2tp remote-access dns-servers server-1 '8.8.8.8'
+  set vpn l2tp remote-access dns-servers server-2 '8.8.4.4'
+
+.. note:: Those are the `Google public DNS`_ servers. You can also use the
+   public available servers from Quad9_ (9.9.9.9) or Cloudflare_ (1.1.1.1).
+
+Established sessions can be viewed using the **show vpn remote-access**
+operational command, or **show l2tp-server sessions**
+
+.. code-block:: sh
+
+  vyos@vyos:~$ show vpn remote-access
+   ifname | username | calling-sid  |      ip       | rate-limit | type | comp | state  |  uptime
+  --------+----------+--------------+---------------+------------+------+------+--------+----------
+   ppp0   | vyos     | 192.168.0.36 | 192.168.255.1 |            | l2tp |      | active | 00:06:13
+
+
+LNS (L2TP Network Server)
+=========================
+
+LNS are often used to connect to a LAC (L2TP Access Concentrator).
+
+Below is an example to configure a LNS:
+
+.. code-block:: sh
+
+  set vpn l2tp remote-access outside-address 192.0.2.2
+  set vpn l2tp remote-access outside-nexthop 192.168.255.1
+  set vpn l2tp remote-access client-ip-pool start 192.168.255.2
+  set vpn l2tp remote-access client-ip-pool stop 192.168.255.254
+  set vpn l2tp remote-access lns shared-secret 'secret'
+  set vpn l2tp remote-access ccp-disable
+  set vpn l2tp remote-access authentication mode local
+  set vpn l2tp remote-access authentication local-users username test password 'test'
+
+The example above uses 192.0.2.2 as external IP address, the nexthop is supposed
+to be 192.168.255.1 and is used as client termination point. A LAC normally
+requires an authentication password, which is set in the example configuration
+to ``lns shared-secret 'secret'``. This setup requires the Compression Control
+Protocol (CCP) being disabled, the command ``set vpn l2tp remote-access ccp-disable``
+accomplishes that.
+
+
+Bandwidth Shaping
+=================
+
+Bandwidth rate limits can be set for local users or via RADIUS based attributes.
+
+Bandwidth Shaping for local users
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+The rate-limit is set in kbit/sec.
+
+.. code-block:: sh
+
+  set vpn l2tp remote-access outside-address 192.0.2.2
+  set vpn l2tp remote-access outside-nexthop 192.168.255.1
+  set vpn l2tp remote-access client-ip-pool start 192.168.255.2
+  set vpn l2tp remote-access client-ip-pool stop 192.168.255.254
+  set vpn l2tp remote-access authentication mode local
+  set vpn l2tp remote-access authentication local-users username test password test
+  set vpn l2tp remote-access authentication local-users username test rate-limit download 20480
+  set vpn l2tp remote-access authentication local-users username test rate-limit upload 10240
+
+  vyos@vyos:~$ show vpn remote-access
+  ifname | username | calling-sid  |      ip       | rate-limit  | type | comp | state  |  uptime
+  -------+----------+--------------+---------------+-------------+------+------+--------+-----------
+  ppp0   | test     | 192.168.0.36 | 192.168.255.2 | 20480/10240 | l2tp |      | active | 00:06:30
+
+RADIUS authentication
+======================
+
+To enable RADIUS based authentication, the authentication mode needs to be
+changed withing the configuration. Previous settings like the local users, still
+exists within the configuration, however they are not used if the mode has been
+changed from local to radius. Once changed back to local, it will use all local
+accounts again.
+
+.. code-block:: sh
+
+  set vpn l2tp remote-access authentication mode <local|radius>
+
+Since the RADIUS server would be a single point of failure, multiple RADIUS
+servers can be setup and will be used subsequentially.
+
+.. code-block:: sh
+
+  set vpn l2tp remote-access authentication radius server 10.0.0.1 key 'foo'
+  set vpn l2tp remote-access authentication radius server 10.0.0.2 key 'foo'
+
+.. note:: Some RADIUS_ severs use an access control list which allows or denies
+   queries, make sure to add your VyOS router to the allowed client list.
+
+RADIUS source address
+^^^^^^^^^^^^^^^^^^^^^
+
+If you are using OSPF as IGP always the closets interface connected to the RADIUS
+server is used. With VyOS 1.2 you can bind all outgoing RADIUS requests to a
+single source IP e.g. the loopback interface.
+
+.. code-block:: sh
+
+  set vpn l2tp remote-access authentication radius source-address 10.0.0.3
+
+Above command will use `10.0.0.3` as source IPv4 address for all RADIUS queries
+on this NAS.
+
+.. note:: The ``source-address`` must be configured on one of VyOS interface.
+   Best proctice would be a loopback or dummy interface.
+
+RADIUS bandwidth shaping attribute
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+To enable bandwidth shaping via RADIUS, the option rate-limit needs to be enabled.
+
+.. code-block:: sh
+
+  set vpn l2tp remote-access authentication radius rate-limit enable
+
+The default RADIUS attribute for rate limiting is ``Filter-Id``, but you may also
+redefine it.
+
+.. code-block:: sh
+
+  set vpn l2tp remote-access authentication radius rate-limit attribute Download-Speed
+
+.. note:: If you set a custom RADIUS attribute you must define it on both
+   dictionaries at RADIUS server and client, which is the vyos router in our
+   example.
+
+The RADIUS dictionaries in VyOS are located at ``/usr/share/accel-ppp/radius/``
+
+RADIUS advanced features
+^^^^^^^^^^^^^^^^^^^^^^^^
+
+Received RADIUS attributes have a higher priority than parameters defined within
+the CLI configuration, refer to the explanation below.
+
+Allocation clients ip addresses by RADIUS
+*****************************************
+
+If the RADIUS server sends the attribute ``Framed-IP-Address`` then this IP
+address will be allocated to the client and the option ip-pool within the CLI
+config is being ignored.
+
+Renaming clients interfaces by RADIUS
+*************************************
+
+If the RADIUS server uses the attribute ``NAS-Port-Id``, ppp tunnels will be
+renamed.
+
+.. note:: The value of the attribute ``NAS-Port-Id`` must be less than 16
+   characters, otherwise the interface won't be renamed.
+
+
+.. _`Google Public DNS`: https://developers.google.com/speed/public-dns
+.. _Quad9: https://quad9.net
+.. _CloudFlare: https://blog.cloudflare.com/announcing-1111
+.. _RADIUS: https://en.wikipedia.org/wiki/RADIUS
+.. _FreeRADIUS: https://freeradius.org
+.. _`Network Policy Server`: https://en.wikipedia.org/wiki/Network_Policy_Server
+.. _accel-ppp: https://accel-ppp.org/
diff --git a/docs/vpn/l2tp_ipsec.rst b/docs/vpn/l2tp_ipsec.rst
deleted file mode 100644
index 6f80fe35..00000000
--- a/docs/vpn/l2tp_ipsec.rst
+++ /dev/null
@@ -1,132 +0,0 @@
-.. _l2tp_ipsec:
-
-L2TP over IPsec
----------------
-
-Example for configuring a simple L2TP over IPsec VPN for remote access (works
-with native Windows and Mac VPN clients):
-
-.. code-block:: sh
-
-  set vpn ipsec ipsec-interfaces interface eth0
-  set vpn ipsec nat-traversal enable
-  set vpn ipsec nat-networks allowed-network 0.0.0.0/0
-
-  set vpn l2tp remote-access outside-address 203.0.113.2
-  set vpn l2tp remote-access client-ip-pool start 192.168.255.1
-  set vpn l2tp remote-access client-ip-pool stop 192.168.255.254
-  set vpn l2tp remote-access ipsec-settings authentication mode pre-shared-secret
-  set vpn l2tp remote-access ipsec-settings authentication pre-shared-secret <secret>
-  set vpn l2tp remote-access authentication mode local
-  set vpn l2tp remote-access authentication local-users username <username> password <password>
-
-In the example above an external IP of 203.0.113.2 is assumed.
-
-If a local firewall policy is in place on your external interface you will need
-to open:
-
-* UDP port 500 (IKE)
-* IP protocol number 50 (ESP)
-* UDP port 1701 for IPsec
-
-In addition when NAT is detected by the VPN client ESP is encapsulated in UDP
-for NAT-traversal:
-
-* UDP port 4500 (NAT-T)
-
-Example:
-
-.. code-block:: sh
-
-  set firewall name OUTSIDE-LOCAL rule 40 action 'accept'
-  set firewall name OUTSIDE-LOCAL rule 40 destination port '50'
-  set firewall name OUTSIDE-LOCAL rule 40 protocol 'esp'
-  set firewall name OUTSIDE-LOCAL rule 41 action 'accept'
-  set firewall name OUTSIDE-LOCAL rule 41 destination port '500'
-  set firewall name OUTSIDE-LOCAL rule 41 protocol 'udp'
-  set firewall name OUTSIDE-LOCAL rule 42 action 'accept'
-  set firewall name OUTSIDE-LOCAL rule 42 destination port '4500'
-  set firewall name OUTSIDE-LOCAL rule 42 protocol 'udp'
-  set firewall name OUTSIDE-LOCAL rule 43 action 'accept'
-  set firewall name OUTSIDE-LOCAL rule 43 destination port '1701'
-  set firewall name OUTSIDE-LOCAL rule 43 ipsec 'match-ipsec'
-  set firewall name OUTSIDE-LOCAL rule 43 protocol 'udp'
-
-Also note that if you wish to allow the VPN to be used for external access you
-will need to add the appropriate source NAT rules to your configuration.
-
-.. code-block:: sh
-
-  set nat source rule 110 outbound-interface 'eth0'
-  set nat source rule 110 source address '192.168.255.0/24'
-  set nat source rule 110 translation address masquerade
-
-To be able to resolve when connected to the VPN, the following DNS rules are
-needed as well.
-
-.. code-block:: sh
-
-  set vpn l2tp remote-access dns-servers server-1 '8.8.8.8'
-  set vpn l2tp remote-access dns-servers server-2 '8.8.4.4'
-
-.. note:: Those are the `Google public DNS`_ servers. You can also use the
-   public available servers from Quad9_ (9.9.9.9) or Cloudflare_ (1.1.1.1).
-
-Established sessions can be viewed using the **show vpn remote-access**
-operational command.
-
-.. code-block:: sh
-
-  vyos@vyos:~$ show vpn remote-access
-  Active remote access VPN sessions:
-  User            Proto Iface     Tunnel IP       TX byte RX byte  Time
-  ----            ----- -----     ---------       ------- -------  ----
-  vyos            L2TP  l2tp0     192.168.255.1      3.2K    8.0K  00h06m13s
-
-RADIUS authentication
-^^^^^^^^^^^^^^^^^^^^^
-
-The above configuration made use of local accounts on the VyOS router for
-authenticating L2TP/IPSec clients. In bigger environments usually something
-like RADIUS_ (FreeRADIUS_ or Microsoft `Network Policy Server`_, NPS) is used.
-
-VyOS supports either `local` or `radius` user authentication:
-
-.. code-block:: sh
-
-  set vpn l2tp remote-access authentication mode <local|radius>
-
-In addition one or more RADIUS_ servers can be configured to server for user
-authentication. This is done using the `radius server` and `radius server key`
-nodes:
-
-.. code-block:: sh
-
-  set vpn l2tp remote-access authentication radius server 1.1.1.1 key 'foo'
-  set vpn l2tp remote-access authentication radius server 2.2.2.2 key 'foo'
-
-.. note:: Some RADIUS_ severs make use of an access control list who is allowed
-   to query the server. Please configure your VyOS router in the allowed client
-   list.
-
-RADIUS source address
-*********************
-
-If you are using e.g. OSPF as IGP always the nearest interface facing the RADIUS
-server is used. With VyOS 1.2 you can bind all outgoing RADIUS requests to a
-single source IP e.g. the loopback interface.
-
-.. code-block:: sh
-
-  set vpn l2tp remote-access authentication radius source-address 3.3.3.3
-
-Above command will use `3.3.3.3` as source IPv4 address for all RADIUS queries
-on this NAS.
-
-
-.. _`Google Public DNS`: https://developers.google.com/speed/public-dns
-.. _Quad9: https://quad9.net
-.. _CloudFlare: https://blog.cloudflare.com/announcing-1111
-.. _RADIUS: https://en.wikipedia.org/wiki/RADIUS
-.. _FreeRADIUS: https://freeradius.org
-.. _`Network Policy Server`: https://en.wikipedia.org/wiki/Network_Policy_Server
\ No newline at end of file
diff --git a/docs/vpn/openvpn.rst b/docs/vpn/openvpn.rst
index 2ae353e8..5a269b43 100644
--- a/docs/vpn/openvpn.rst
+++ b/docs/vpn/openvpn.rst
@@ -246,7 +246,7 @@ The required config file may look like:
   # LDAP server URL
   URL             ldap://ldap.example.com
   # Bind DN (If your LDAP server doesn't support anonymous binds)
-  BindDN          cn=Manager,dc=example,dc=com
+  BindDN          cn=LDAPUser,dc=example,dc=com
   # Bind Password password
   Password        S3cr3t
   # Network timeout (in seconds)
@@ -258,10 +258,66 @@ The required config file may look like:
   BaseDN          "ou=people,dc=example,dc=com"
   # User Search Filter
   SearchFilter    "(&(uid=%u)(objectClass=shadowAccount))"
-  # Require Group Membership
+  # Require Group Membership - allow all users
   RequireGroup    false
   </Authorization>
 
+Active Directory
+****************
+
+Despite the fact that AD is a superset of LDAP
+
+.. code-block:: sh
+
+  <LDAP>
+    # LDAP server URL
+    URL ldap://dc01.example.com
+    # Bind DN (If your LDAP server doesn’t support anonymous binds)
+    BindDN CN=LDAPUser,DC=example,DC=com
+    # Bind Password
+    Password mysecretpassword
+    # Network timeout (in seconds)
+    Timeout  15
+    # Enable Start TLS
+    TLSEnable no
+    # Follow LDAP Referrals (anonymously)
+    FollowReferrals no
+  </LDAP>
+
+  <Authorization>
+    # Base DN
+    BaseDN        "DC=example,DC=com"
+    # User Search Filter, user must be a member of the VPN AD group
+    SearchFilter  "(&(sAMAccountName=%u)(memberOf=CN=VPN,OU=Groups,DC=example,DC=com))"
+    # Require Group Membership
+    RequireGroup    false # already handled by SearchFilter
+    <Group>
+      BaseDN        "OU=Groups,DC=example,DC=com"
+      SearchFilter  "(|(cn=VPN))"
+      MemberAttribute  memberOf
+    </Group>
+  </Authorization>
+
+If you only wan't to check if the user account is enabled and can authenticate
+(against the primary group) the following snipped is sufficient:
+
+.. code-block:: sh
+
+  <LDAP>
+    URL ldap://ds0001.gefoekom.de
+    BindDN CN=SA_OPENVPN,OU=ServiceAccounts,OU=GS,OU=GeFoekoM,DC=gefoekom,DC=de
+    Password g7LjfjmlPhhHnvmal75hbfdknms-44
+    Timeout  15
+    TLSEnable no
+    FollowReferrals no
+  </LDAP>
+
+  <Authorization>
+    BaseDN          "OU=GeFoekoM,DC=gefoekom,DC=de"
+    SearchFilter    "sAMAccountName=%u"
+    RequireGroup    false
+  </Authorization>
+
 A complete LDAP auth OpenVPN configuration could look like the following example:
 
 .. code-block:: sh
diff --git a/docs/vpn/pptp.rst b/docs/vpn/pptp.rst
index 2d560919..ad8a37c4 100644
--- a/docs/vpn/pptp.rst
+++ b/docs/vpn/pptp.rst
@@ -4,7 +4,7 @@ PPTP-Server
 -----------
 
 The Point-to-Point Tunneling Protocol (PPTP_) has been implemented in VyOS only for backwards compatibility.
-PPTP has many well known secrurity issues and you should use one of the many other new VPN implementations.
+PPTP has many well known security issues and you should use one of the many other new VPN implementations.
 
 As per default and if not otherwise defined, mschap-v2 is being used for authentication and mppe 128-bit (stateless) for encryption.
 If no gateway-address is set within the configuration, the lowest IP out of the /24 client-ip-pool is being used. For instance, in the example below it would be 192.168.0.1.
diff --git a/docs/vpn/site2site_ipsec.rst b/docs/vpn/site2site_ipsec.rst
index 9279c112..ff398dab 100644
--- a/docs/vpn/site2site_ipsec.rst
+++ b/docs/vpn/site2site_ipsec.rst
@@ -11,9 +11,9 @@ Example:
 * WAN interface on `eth1`
 * left subnet: `192.168.0.0/24` site1, server side (i.e. locality, actually
   there is no client or server roles)
-* left local_ip: `1.1.1.1` # server side WAN IP
+* left local_ip: `198.51.100.3` # server side WAN IP
 * right subnet: `10.0.0.0/24` site2,remote office side
-* right local_ip: `2.2.2.2` # remote office side WAN IP
+* right local_ip: `203.0.113.2` # remote office side WAN IP
 
 .. code-block:: sh
 
@@ -30,15 +30,15 @@ Example:
   set vpn ipsec ike-group office-srv-ike proposal 1 encryption 'aes256'
   set vpn ipsec ike-group office-srv-ike proposal 1 hash 'sha1'
   set vpn ipsec ipsec-interfaces interface 'eth1'
-  set vpn ipsec site-to-site peer 2.2.2.2 authentication mode 'pre-shared-secret'
-  set vpn ipsec site-to-site peer 2.2.2.2 authentication pre-shared-secret 'SomePreSharedKey'
-  set vpn ipsec site-to-site peer 2.2.2.2 ike-group 'office-srv-ike'
-  set vpn ipsec site-to-site peer 2.2.2.2 local-address '1.1.1.1'
-  set vpn ipsec site-to-site peer 2.2.2.2 tunnel 0 allow-nat-networks 'disable'
-  set vpn ipsec site-to-site peer 2.2.2.2 tunnel 0 allow-public-networks 'disable'
-  set vpn ipsec site-to-site peer 2.2.2.2 tunnel 0 esp-group 'office-srv-esp'
-  set vpn ipsec site-to-site peer 2.2.2.2 tunnel 0 local prefix '192.168.0.0/24'
-  set vpn ipsec site-to-site peer 2.2.2.2 tunnel 0 remote prefix '10.0.0.0/21'
+  set vpn ipsec site-to-site peer 203.0.113.2 authentication mode 'pre-shared-secret'
+  set vpn ipsec site-to-site peer 203.0.113.2 authentication pre-shared-secret 'SomePreSharedKey'
+  set vpn ipsec site-to-site peer 203.0.113.2 ike-group 'office-srv-ike'
+  set vpn ipsec site-to-site peer 203.0.113.2 local-address '198.51.100.3'
+  set vpn ipsec site-to-site peer 203.0.113.2 tunnel 0 allow-nat-networks 'disable'
+  set vpn ipsec site-to-site peer 203.0.113.2 tunnel 0 allow-public-networks 'disable'
+  set vpn ipsec site-to-site peer 203.0.113.2 tunnel 0 esp-group 'office-srv-esp'
+  set vpn ipsec site-to-site peer 203.0.113.2 tunnel 0 local prefix '192.168.0.0/24'
+  set vpn ipsec site-to-site peer 203.0.113.2 tunnel 0 remote prefix '10.0.0.0/21'
 
   # remote office config
   set vpn ipsec esp-group office-srv-esp compression 'disable'
@@ -53,15 +53,15 @@ Example:
   set vpn ipsec ike-group office-srv-ike proposal 1 encryption 'aes256'
   set vpn ipsec ike-group office-srv-ike proposal 1 hash 'sha1'
   set vpn ipsec ipsec-interfaces interface 'eth1'
-  set vpn ipsec site-to-site peer 1.1.1.1 authentication mode 'pre-shared-secret'
-  set vpn ipsec site-to-site peer 1.1.1.1 authentication pre-shared-secret 'SomePreSharedKey'
-  set vpn ipsec site-to-site peer 1.1.1.1 ike-group 'office-srv-ike'
-  set vpn ipsec site-to-site peer 1.1.1.1 local-address '2.2.2.2'
-  set vpn ipsec site-to-site peer 1.1.1.1 tunnel 0 allow-nat-networks 'disable'
-  set vpn ipsec site-to-site peer 1.1.1.1 tunnel 0 allow-public-networks 'disable'
-  set vpn ipsec site-to-site peer 1.1.1.1 tunnel 0 esp-group 'office-srv-esp'
-  set vpn ipsec site-to-site peer 1.1.1.1 tunnel 0 local prefix '10.0.0.0/21'
-  set vpn ipsec site-to-site peer 1.1.1.1 tunnel 0 remote prefix '192.168.0.0/24'
+  set vpn ipsec site-to-site peer 198.51.100.3 authentication mode 'pre-shared-secret'
+  set vpn ipsec site-to-site peer 198.51.100.3 authentication pre-shared-secret 'SomePreSharedKey'
+  set vpn ipsec site-to-site peer 198.51.100.3 ike-group 'office-srv-ike'
+  set vpn ipsec site-to-site peer 198.51.100.3 local-address '203.0.113.2'
+  set vpn ipsec site-to-site peer 198.51.100.3 tunnel 0 allow-nat-networks 'disable'
+  set vpn ipsec site-to-site peer 198.51.100.3 tunnel 0 allow-public-networks 'disable'
+  set vpn ipsec site-to-site peer 198.51.100.3 tunnel 0 esp-group 'office-srv-esp'
+  set vpn ipsec site-to-site peer 198.51.100.3 tunnel 0 local prefix '10.0.0.0/21'
+  set vpn ipsec site-to-site peer 198.51.100.3 tunnel 0 remote prefix '192.168.0.0/24'
 
 Show status of new setup:
 
@@ -70,7 +70,7 @@ Show status of new setup:
   vyos@srv-gw0:~$ show vpn ike sa
   Peer ID / IP                            Local ID / IP
   ------------                            -------------
-  2.2.2.2                                 1.1.1.1
+  203.0.113.2                                 198.51.100.3
      State  Encrypt  Hash    D-H Grp  NAT-T  A-Time  L-Time
      -----  -------  ----    -------  -----  ------  ------
      up     aes256   sha1    5        no     734     3600
@@ -78,7 +78,7 @@ Show status of new setup:
   vyos@srv-gw0:~$ show vpn ipsec sa
   Peer ID / IP                            Local ID / IP
   ------------                            -------------
-  2.2.2.2                                 1.1.1.1
+  203.0.113.2                                 198.51.100.3
      Tunnel  State  Bytes Out/In   Encrypt  Hash    NAT-T  A-Time  L-Time  Proto
      ------  -----  -------------  -------  ----    -----  ------  ------  -----
      0       up     7.5M/230.6K    aes256   sha1    no     567     1800    all