Since we are rewriting IPsec scripts, we may also take a chance to refactor the CLI syntax.
Some issues I noticed:
Boolean nodes
First, there are lots of nodes whose possible values are "<enable|disable>". Just like all similar boolean nodes, the value doesn't add any new information, and that structure makes
Current: set vpn ipsec esp-group Foo compression enable vs Proposed: set vpn ipsec esp-group Foo enable-compression
The second option makes it immediately obvious what the default it, and it's also faster to enter.
Peer IDs
Right now, local peer ID is specified under authentication id. The remote peer ID, however, is specified by prepending a @ character to the peer, e.g. set vpn ipsec site-to-site peer @mypeer.
That's a batshit insane scheme that clearly arose when someone in the old days of Vyatta first designed that syntax with an assumption that peer ID is always its address, and then added a band-aid fix after realizing that it's not the case.
It's incredibly counter-intuitive and deeply problematic if the remote ID is dictated by the peer and you can't convince them to add a @ to it.
It would be better to make the peer node name purely informational and put the actual remote address and peer IDs inside it.
We already have an authentication remote-id option that, as I remember, overrides the peer @id given in the node name, which only adds more confusion.
set vpn ipsec site-to-site peer MyCoolPeer remote-address 192.0.2.1 set vpn ipsec site-to-site peer MyCoolPeer authentication local-id OurSideID set vpn ipsec site-to-site peer MyCoolPeer authentication remote-id TheirSideID
Second,