diff --git a/data/templates/ipsec/swanctl/remote_access.tmpl b/data/templates/ipsec/swanctl/remote_access.tmpl
index 66ac94b13..456842488 100644
--- a/data/templates/ipsec/swanctl/remote_access.tmpl
+++ b/data/templates/ipsec/swanctl/remote_access.tmpl
@@ -1,47 +1,47 @@
{% macro conn(name, rw_conf, ike_group, esp_group) %}
{# peer needs to reference the global IKE configuration for certain values #}
{% set ike = ike_group[rw_conf.ike_group] %}
{% set esp = esp_group[rw_conf.esp_group] %}
ra-{{ name }} {
remote_addrs = %any
local_addrs = {{ rw_conf.local_address if rw_conf.local_address is defined else '%any' }}
proposals = {{ ike_group[rw_conf.ike_group] | get_esp_ike_cipher | join(',') }}
version = {{ ike.key_exchange[4:] if ike is defined and ike.key_exchange is defined else "0" }}
send_certreq = no
rekey_time = {{ ike.lifetime }}s
keyingtries = 0
- unique = never
+ unique = {{ rw_conf.unique }}
{% if rw_conf.pool is defined and rw_conf.pool is not none %}
pools = {{ rw_conf.pool | join(',') }}
{% endif %}
local {
{% if rw_conf.authentication.id is defined and rw_conf.authentication.use_x509_id is not defined %}
id = "{{ rw_conf.authentication.id }}"
{% endif %}
{% if rw_conf.authentication.server_mode == 'x509' %}
auth = pubkey
certs = {{ rw_conf.authentication.x509.certificate }}.pem
{% elif rw_conf.authentication.server_mode == 'pre-shared-secret' %}
auth = psk
{% endif %}
}
remote {
auth = {{ rw_conf.authentication.client_mode }}
{% if rw_conf.authentication.client_mode.startswith("eap") %}
eap_id = %any
{% endif %}
}
children {
ikev2-vpn {
esp_proposals = {{ esp | get_esp_ike_cipher | join(',') }}
rekey_time = {{ esp.lifetime }}s
rand_time = 540s
dpd_action = clear
{% set local_prefix = rw_conf.local.prefix if rw_conf.local is defined and rw_conf.local.prefix is defined else ['0.0.0.0/0', '::/0'] %}
{% set local_port = rw_conf.local.port if rw_conf.local is defined and rw_conf.local.port is defined else '' %}
{% set local_suffix = '[%any/{1}]'.format(local_port) if local_port else '' %}
local_ts = {{ local_prefix | join(local_suffix + ",") }}{{ local_suffix }}
}
}
}
{% endmacro %}
diff --git a/interface-definitions/vpn_ipsec.xml.in b/interface-definitions/vpn_ipsec.xml.in
index 5272b57cc..093a677e9 100644
--- a/interface-definitions/vpn_ipsec.xml.in
+++ b/interface-definitions/vpn_ipsec.xml.in
@@ -1,1106 +1,1129 @@
<?xml version="1.0"?>
<interfaceDefinition>
<node name="vpn">
<properties>
<help>Virtual Private Network (VPN)</help>
</properties>
<children>
<node name="ipsec" owner="${vyos_conf_scripts_dir}/vpn_ipsec.py">
<properties>
<help>VPN IP security (IPsec) parameters</help>
<priority>901</priority>
</properties>
<children>
<leafNode name="auto-update">
<properties>
<help>Set auto-update interval for IPsec daemon</help>
<valueHelp>
<format>u32:30-65535</format>
<description>Auto-update interval (s)</description>
</valueHelp>
<constraint>
<validator name="numeric" argument="--range 30-65535"/>
</constraint>
</properties>
</leafNode>
<leafNode name="disable-uniqreqids">
<properties>
<help>Option to disable requirement for unique IDs in the Security Database</help>
<valueless/>
</properties>
</leafNode>
<tagNode name="esp-group">
<properties>
<help>Name of Encapsulating Security Payload (ESP) group</help>
</properties>
<children>
<leafNode name="compression">
<properties>
<help>ESP compression</help>
<completionHelp>
<list>disable enable</list>
</completionHelp>
<valueHelp>
<format>disable</format>
<description>Disable ESP compression (default)</description>
</valueHelp>
<valueHelp>
<format>enable</format>
<description>Enable ESP compression</description>
</valueHelp>
<constraint>
<regex>^(disable|enable)$</regex>
</constraint>
</properties>
<defaultValue>disable</defaultValue>
</leafNode>
<leafNode name="lifetime">
<properties>
<help>ESP lifetime</help>
<valueHelp>
<format>u32:30-86400</format>
<description>ESP lifetime in seconds (default 3600)</description>
</valueHelp>
<constraint>
<validator name="numeric" argument="--range 30-86400"/>
</constraint>
</properties>
<defaultValue>3600</defaultValue>
</leafNode>
<leafNode name="mode">
<properties>
<help>ESP mode</help>
<completionHelp>
<list>tunnel transport</list>
</completionHelp>
<valueHelp>
<format>tunnel</format>
<description>Tunnel mode (default)</description>
</valueHelp>
<valueHelp>
<format>transport</format>
<description>Transport mode</description>
</valueHelp>
<constraint>
<regex>^(tunnel|transport)$</regex>
</constraint>
</properties>
<defaultValue>tunnel</defaultValue>
</leafNode>
<leafNode name="pfs">
<properties>
<help>ESP Perfect Forward Secrecy</help>
<completionHelp>
<list>enable dh-group1 dh-group2 dh-group5 dh-group14 dh-group15 dh-group16 dh-group17 dh-group18 dh-group19 dh-group20 dh-group21 dh-group22 dh-group23 dh-group24 dh-group25 dh-group26 dh-group27 dh-group28 dh-group29 dh-group30 dh-group31 dh-group32 disable</list>
</completionHelp>
<valueHelp>
<format>enable</format>
<description>Use Diffie-Hellman group 2 (modp1024) - default</description>
</valueHelp>
<valueHelp>
<format>dh-group1</format>
<description>Use Diffie-Hellman group 1 (modp768)</description>
</valueHelp>
<valueHelp>
<format>dh-group2</format>
<description>Use Diffie-Hellman group 2 (modp1024)</description>
</valueHelp>
<valueHelp>
<format>dh-group5</format>
<description>Use Diffie-Hellman group 5 (modp1536)</description>
</valueHelp>
<valueHelp>
<format>dh-group14</format>
<description>Use Diffie-Hellman group 14 (modp2048)</description>
</valueHelp>
<valueHelp>
<format>dh-group15</format>
<description>Use Diffie-Hellman group 15 (modp3072)</description>
</valueHelp>
<valueHelp>
<format>dh-group16</format>
<description>Use Diffie-Hellman group 16 (modp4096)</description>
</valueHelp>
<valueHelp>
<format>dh-group17</format>
<description>Use Diffie-Hellman group 17 (modp6144)</description>
</valueHelp>
<valueHelp>
<format>dh-group18</format>
<description>Use Diffie-Hellman group 18 (modp8192)</description>
</valueHelp>
<valueHelp>
<format>dh-group19</format>
<description>Use Diffie-Hellman group 19 (ecp256)</description>
</valueHelp>
<valueHelp>
<format>dh-group20</format>
<description>Use Diffie-Hellman group 20 (ecp384)</description>
</valueHelp>
<valueHelp>
<format>dh-group21</format>
<description>Use Diffie-Hellman group 21 (ecp521)</description>
</valueHelp>
<valueHelp>
<format>dh-group22</format>
<description>Use Diffie-Hellman group 22 (modp1024s160)</description>
</valueHelp>
<valueHelp>
<format>dh-group23</format>
<description>Use Diffie-Hellman group 23 (modp2048s224)</description>
</valueHelp>
<valueHelp>
<format>dh-group24</format>
<description>Use Diffie-Hellman group 24 (modp2048s256)</description>
</valueHelp>
<valueHelp>
<format>dh-group25</format>
<description>Use Diffie-Hellman group 25 (ecp192)</description>
</valueHelp>
<valueHelp>
<format>dh-group26</format>
<description>Use Diffie-Hellman group 26 (ecp224)</description>
</valueHelp>
<valueHelp>
<format>dh-group27</format>
<description>Use Diffie-Hellman group 27 (ecp224bp)</description>
</valueHelp>
<valueHelp>
<format>dh-group28</format>
<description>Use Diffie-Hellman group 28 (ecp256bp)</description>
</valueHelp>
<valueHelp>
<format>dh-group29</format>
<description>Use Diffie-Hellman group 29 (ecp384bp)</description>
</valueHelp>
<valueHelp>
<format>dh-group30</format>
<description>Use Diffie-Hellman group 30 (ecp512bp)</description>
</valueHelp>
<valueHelp>
<format>dh-group31</format>
<description>Use Diffie-Hellman group 31 (curve25519)</description>
</valueHelp>
<valueHelp>
<format>dh-group32</format>
<description>Use Diffie-Hellman group 32 (curve448)</description>
</valueHelp>
<valueHelp>
<format>disable</format>
<description>Disable PFS</description>
</valueHelp>
<constraint>
<regex>^(enable|dh-group1|dh-group2|dh-group5|dh-group14|dh-group15|dh-group16|dh-group17|dh-group18|dh-group19|dh-group20|dh-group21|dh-group22|dh-group23|dh-group24|dh-group25|dh-group26|dh-group27|dh-group28|dh-group29|dh-group30|dh-group31|dh-group32|disable)$</regex>
</constraint>
</properties>
<defaultValue>enable</defaultValue>
</leafNode>
<tagNode name="proposal">
<properties>
<help>ESP-group proposal [REQUIRED]</help>
<valueHelp>
<format>u32:1-65535</format>
<description>ESP-group proposal number</description>
</valueHelp>
</properties>
<children>
#include <include/vpn-ipsec-encryption.xml.i>
#include <include/vpn-ipsec-hash.xml.i>
</children>
</tagNode>
</children>
</tagNode>
<tagNode name="ike-group">
<properties>
<help>Name of Internet Key Exchange (IKE) group</help>
</properties>
<children>
<leafNode name="close-action">
<properties>
<help>close-action_help</help>
<completionHelp>
<list>none hold clear restart</list>
</completionHelp>
<valueHelp>
<format>none</format>
<description>Set action to none (default)</description>
</valueHelp>
<valueHelp>
<format>hold</format>
<description>Set action to hold</description>
</valueHelp>
<valueHelp>
<format>clear</format>
<description>Set action to clear</description>
</valueHelp>
<valueHelp>
<format>restart</format>
<description>Set action to restart</description>
</valueHelp>
<constraint>
<regex>^(none|hold|clear|restart)$</regex>
</constraint>
</properties>
</leafNode>
<node name="dead-peer-detection">
<properties>
<help>Dead Peer Detection (DPD)</help>
</properties>
<children>
<leafNode name="action">
<properties>
<help>Keep-alive failure action</help>
<completionHelp>
<list>hold clear restart</list>
</completionHelp>
<valueHelp>
<format>hold</format>
<description>Set action to hold (default)</description>
</valueHelp>
<valueHelp>
<format>clear</format>
<description>Set action to clear</description>
</valueHelp>
<valueHelp>
<format>restart</format>
<description>Set action to restart</description>
</valueHelp>
<constraint>
<regex>^(hold|clear|restart)$</regex>
</constraint>
</properties>
</leafNode>
<leafNode name="interval">
<properties>
<help>Keep-alive interval</help>
<valueHelp>
<format>u32:2-86400</format>
<description>Keep-alive interval in seconds (default 30)</description>
</valueHelp>
<constraint>
<validator name="numeric" argument="--range 2-86400"/>
</constraint>
</properties>
</leafNode>
<leafNode name="timeout">
<properties>
<help>Dead-Peer-Detection keep-alive timeout (IKEv1 only)</help>
<valueHelp>
<format>u32:2-86400</format>
<description>Keep-alive timeout in seconds (default 120)</description>
</valueHelp>
<constraint>
<validator name="numeric" argument="--range 2-86400"/>
</constraint>
</properties>
</leafNode>
</children>
</node>
<leafNode name="ikev2-reauth">
<properties>
<help>ikev2-reauth_help</help>
<completionHelp>
<list>yes no</list>
</completionHelp>
<valueHelp>
<format>yes</format>
<description>Enable remote host re-authentication during an IKE rekey. Currently broken due to a strongswan bug</description>
</valueHelp>
<valueHelp>
<format>no</format>
<description>Disable remote host re-authenticaton during an IKE rekey. (Default)</description>
</valueHelp>
<constraint>
<regex>^(yes|no)$</regex>
</constraint>
</properties>
</leafNode>
<leafNode name="key-exchange">
<properties>
<help>Key Exchange Version</help>
<completionHelp>
<list>ikev1 ikev2</list>
</completionHelp>
<valueHelp>
<format>ikev1</format>
<description>Use IKEv1 for Key Exchange [DEFAULT]</description>
</valueHelp>
<valueHelp>
<format>ikev2</format>
<description>Use IKEv2 for Key Exchange</description>
</valueHelp>
<constraint>
<regex>^(ikev1|ikev2)$</regex>
</constraint>
</properties>
</leafNode>
<leafNode name="lifetime">
<properties>
<help>IKE lifetime</help>
<valueHelp>
<format>u32:30-86400</format>
<description>IKE lifetime in seconds (default 28800)</description>
</valueHelp>
<constraint>
<validator name="numeric" argument="--range 30-86400"/>
</constraint>
</properties>
<defaultValue>28800</defaultValue>
</leafNode>
<leafNode name="mobike">
<properties>
<help>Enable MOBIKE Support. MOBIKE is only available for IKEv2.</help>
<completionHelp>
<list>enable disable</list>
</completionHelp>
<valueHelp>
<format>enable</format>
<description>Enable MOBIKE (default for IKEv2)</description>
</valueHelp>
<valueHelp>
<format>disable</format>
<description>Disable MOBIKE</description>
</valueHelp>
<constraint>
<regex>^(enable|disable)$</regex>
</constraint>
</properties>
</leafNode>
<leafNode name="mode">
<properties>
<help>IKEv1 Phase 1 Mode Selection</help>
<completionHelp>
<list>main aggressive</list>
</completionHelp>
<valueHelp>
<format>main</format>
<description>Use Main mode for Key Exchanges in the IKEv1 Protocol (Recommended Default)</description>
</valueHelp>
<valueHelp>
<format>aggressive</format>
<description>Use Aggressive mode for Key Exchanges in the IKEv1 protocol - We do not recommend users to use aggressive mode as it is much more insecure compared to Main mode.</description>
</valueHelp>
<constraint>
<regex>^(main|aggressive)$</regex>
</constraint>
</properties>
</leafNode>
<tagNode name="proposal">
<properties>
<help>proposal_help</help>
<valueHelp>
<format>u32:1-65535</format>
<description>IKE-group proposal</description>
</valueHelp>
</properties>
<children>
<leafNode name="dh-group">
<defaultValue>2</defaultValue>
<properties>
<help>dh-grouphelp</help>
<completionHelp>
<list>1 2 5 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32</list>
</completionHelp>
<valueHelp>
<format>1</format>
<description>Diffie-Hellman group 1 (modp768)</description>
</valueHelp>
<valueHelp>
<format>2</format>
<description>Diffie-Hellman group 2 (modp1024)</description>
</valueHelp>
<valueHelp>
<format>5</format>
<description>Diffie-Hellman group 5 (modp1536)</description>
</valueHelp>
<valueHelp>
<format>14</format>
<description>Diffie-Hellman group 14 (modp2048)</description>
</valueHelp>
<valueHelp>
<format>15</format>
<description>Diffie-Hellman group 15 (modp3072)</description>
</valueHelp>
<valueHelp>
<format>16</format>
<description>Diffie-Hellman group 16 (modp4096)</description>
</valueHelp>
<valueHelp>
<format>17</format>
<description>Diffie-Hellman group 17 (modp6144)</description>
</valueHelp>
<valueHelp>
<format>18</format>
<description>Diffie-Hellman group 18 (modp8192)</description>
</valueHelp>
<valueHelp>
<format>19</format>
<description>Diffie-Hellman group 19 (ecp256)</description>
</valueHelp>
<valueHelp>
<format>20</format>
<description>Diffie-Hellman group 20 (ecp384)</description>
</valueHelp>
<valueHelp>
<format>21</format>
<description>Diffie-Hellman group 21 (ecp521)</description>
</valueHelp>
<valueHelp>
<format>22</format>
<description>Diffie-Hellman group 22 (modp1024s160)</description>
</valueHelp>
<valueHelp>
<format>23</format>
<description>Diffie-Hellman group 23 (modp2048s224)</description>
</valueHelp>
<valueHelp>
<format>24</format>
<description>Diffie-Hellman group 24 (modp2048s256)</description>
</valueHelp>
<valueHelp>
<format>25</format>
<description>Diffie-Hellman group 25 (ecp192)</description>
</valueHelp>
<valueHelp>
<format>26</format>
<description>Diffie-Hellman group 26 (ecp224)</description>
</valueHelp>
<valueHelp>
<format>27</format>
<description>Diffie-Hellman group 27 (ecp224bp)</description>
</valueHelp>
<valueHelp>
<format>28</format>
<description>Diffie-Hellman group 28 (ecp256bp)</description>
</valueHelp>
<valueHelp>
<format>29</format>
<description>Diffie-Hellman group 29 (ecp384bp)</description>
</valueHelp>
<valueHelp>
<format>30</format>
<description>Diffie-Hellman group 30 (ecp512bp)</description>
</valueHelp>
<valueHelp>
<format>31</format>
<description>Diffie-Hellman group 31 (curve25519)</description>
</valueHelp>
<valueHelp>
<format>32</format>
<description>Diffie-Hellman group 32 (curve448)</description>
</valueHelp>
<constraint>
<regex>^(1|2|5|14|15|16|17|18|19|20|21|22|23|24|25|26|27|28|29|30|31|32)$</regex>
</constraint>
</properties>
</leafNode>
#include <include/vpn-ipsec-encryption.xml.i>
#include <include/vpn-ipsec-hash.xml.i>
</children>
</tagNode>
</children>
</tagNode>
<leafNode name="include-ipsec-conf">
<properties>
<help>Sets to include an additional configuration directive file for strongSwan. Use an absolute path to specify the included file</help>
</properties>
</leafNode>
<leafNode name="include-ipsec-secrets">
<properties>
<help>Sets to include an additional secrets file for strongSwan. Use an absolute path to specify the included file.</help>
</properties>
</leafNode>
<leafNode name="interface">
<properties>
<help>Onterface used for IPsec communication</help>
<completionHelp>
<script>${vyos_completion_dir}/list_interfaces.py</script>
</completionHelp>
<multi/>
</properties>
</leafNode>
<node name="log">
<properties>
<help>IPsec logging</help>
</properties>
<children>
<leafNode name="level">
<properties>
<help>strongSwan Logger Level</help>
<valueHelp>
<format>u32:0</format>
<description>Very basic auditing logs e.g. SA up/SA down (default)</description>
</valueHelp>
<valueHelp>
<format>u32:1</format>
<description>Generic control flow with errors, a good default to see whats going on</description>
</valueHelp>
<valueHelp>
<format>u32:2</format>
<description>More detailed debugging control flow</description>
</valueHelp>
<constraint>
<validator name="numeric" argument="--range 0-2"/>
</constraint>
</properties>
<defaultValue>0</defaultValue>
</leafNode>
<leafNode name="subsystem">
<properties>
<help>Subsystem in the daemon the log comes from</help>
<completionHelp>
<list>dmn mgr ike chd job cfg knl net asn enc lib esp tls tnc imc imv pts any</list>
</completionHelp>
<valueHelp>
<format>dmn</format>
<description>Main daemon setup/cleanup/signal handling</description>
</valueHelp>
<valueHelp>
<format>mgr</format>
<description>IKE_SA manager, handling synchronization for IKE_SA access</description>
</valueHelp>
<valueHelp>
<format>ike</format>
<description>IKE_SA/ISAKMP SA</description>
</valueHelp>
<valueHelp>
<format>chd</format>
<description>CHILD_SA/IPsec SA</description>
</valueHelp>
<valueHelp>
<format>job</format>
<description>Jobs queuing/processing and thread pool management</description>
</valueHelp>
<valueHelp>
<format>cfg</format>
<description>Configuration management and plugins</description>
</valueHelp>
<valueHelp>
<format>knl</format>
<description>IPsec/Networking kernel interface</description>
</valueHelp>
<valueHelp>
<format>net</format>
<description>IKE network communication</description>
</valueHelp>
<valueHelp>
<format>asn</format>
<description>Low-level encoding/decoding (ASN.1, X.509 etc.)</description>
</valueHelp>
<valueHelp>
<format>enc</format>
<description>Packet encoding/decoding encryption/decryption operations</description>
</valueHelp>
<valueHelp>
<format>lib</format>
<description>libstrongswan library messages</description>
</valueHelp>
<valueHelp>
<format>esp</format>
<description>libipsec library messages</description>
</valueHelp>
<valueHelp>
<format>tls</format>
<description> libtls library messages</description>
</valueHelp>
<valueHelp>
<format>tnc</format>
<description>Trusted Network Connect</description>
</valueHelp>
<valueHelp>
<format>imc</format>
<description>Integrity Measurement Collector</description>
</valueHelp>
<valueHelp>
<format>imv</format>
<description>Integrity Measurement Verifier</description>
</valueHelp>
<valueHelp>
<format>pts</format>
<description> Platform Trust Service</description>
</valueHelp>
<valueHelp>
<format>any</format>
<description>Any subsystem</description>
</valueHelp>
<constraint>
<regex>^(dmn|mgr|ike|chd|job|cfg|knl|net|asn|enc|lib|esp|tls|tnc|imc|imv|pts|any)$</regex>
</constraint>
<multi/>
</properties>
</leafNode>
</children>
</node>
<node name="options">
<properties>
<help>Global IPsec settings</help>
</properties>
<children>
<leafNode name="disable-route-autoinstall">
<properties>
<help>Do not automatically install routes to remote networks</help>
<valueless/>
</properties>
</leafNode>
<node name="remote-access">
<properties>
<help>remote-access global options</help>
</properties>
<children>
<node name="dhcp">
<properties>
<help>DHCP pool options for remote-access</help>
</properties>
<children>
<leafNode name="interface">
<properties>
<help>Interface with DHCP server to use</help>
<completionHelp>
<script>${vyos_completion_dir}/list_interfaces.py</script>
</completionHelp>
</properties>
</leafNode>
<leafNode name="server">
<properties>
<help>DHCP server address</help>
<valueHelp>
<format>ipv4</format>
<description>DHCP server IPv4 address</description>
</valueHelp>
<constraint>
<validator name="ipv4-address"/>
</constraint>
</properties>
</leafNode>
</children>
</node>
</children>
</node>
</children>
</node>
<tagNode name="profile">
<properties>
<help>VPN IPSec Profile</help>
</properties>
<children>
#include <include/generic-disable-node.xml.i>
<node name="authentication">
<properties>
<help>Authentication [REQUIRED]</help>
</properties>
<children>
<leafNode name="mode">
<properties>
<help>Authentication mode</help>
<completionHelp>
<list>pre-shared-secret</list>
</completionHelp>
<valueHelp>
<format>pre-shared-secret</format>
<description>Use pre shared secret key</description>
</valueHelp>
</properties>
</leafNode>
#include <include/ipsec/authentication-pre-shared-secret.xml.i>
</children>
</node>
<node name="bind">
<properties>
<help>DMVPN crypto configuration</help>
</properties>
<children>
<leafNode name="tunnel">
<properties>
<help>Tunnel interface associated with this configuration profile</help>
<completionHelp>
<path>interfaces tunnel</path>
</completionHelp>
<valueHelp>
<format>txt</format>
<description>Associated interface to this configuration profile</description>
</valueHelp>
<multi/>
</properties>
</leafNode>
</children>
</node>
#include <include/ipsec/esp-group.xml.i>
#include <include/ipsec/ike-group.xml.i>
</children>
</tagNode>
<node name="remote-access">
<properties>
<help>IKEv2 remote access VPN</help>
</properties>
<children>
<tagNode name="connection">
<properties>
<help>IKEv2 VPN connection name</help>
</properties>
<children>
<node name="authentication">
<properties>
<help>Authentication for remote access</help>
</properties>
<children>
#include <include/ipsec/authentication-id.xml.i>
#include <include/ipsec/authentication-x509.xml.i>
<leafNode name="client-mode">
<properties>
<help>Client authentication mode</help>
<completionHelp>
<list>eap-tls eap-mschapv2</list>
</completionHelp>
<valueHelp>
<format>eap-tls</format>
<description>EAP-TLS</description>
</valueHelp>
<valueHelp>
<format>eap-mschapv2</format>
<description>EAP-MSCHAPv2</description>
</valueHelp>
<constraint>
<regex>^(eap-tls|eap-mschapv2)$</regex>
</constraint>
</properties>
<defaultValue>eap-mschapv2</defaultValue>
</leafNode>
<node name="local-users">
<properties>
<help>Local user authentication for PPPoE server</help>
</properties>
<children>
<tagNode name="username">
<properties>
<help>User name for authentication</help>
</properties>
<children>
#include <include/generic-disable-node.xml.i>
<leafNode name="password">
<properties>
<help>Password for authentication</help>
</properties>
</leafNode>
</children>
</tagNode>
</children>
</node>
<leafNode name="server-mode">
<properties>
<help>Server authentication mode</help>
<completionHelp>
<list>pre-shared-secret x509</list>
</completionHelp>
<valueHelp>
<format>pre-shared-secret</format>
<description>pre-shared-secret_description</description>
</valueHelp>
<valueHelp>
<format>x509</format>
<description>x509_description</description>
</valueHelp>
<constraint>
<regex>^(pre-shared-secret|x509)$</regex>
</constraint>
</properties>
<defaultValue>x509</defaultValue>
</leafNode>
#include <include/ipsec/authentication-pre-shared-secret.xml.i>
</children>
</node>
#include <include/generic-description.xml.i>
#include <include/generic-disable-node.xml.i>
#include <include/ipsec/esp-group.xml.i>
#include <include/ipsec/ike-group.xml.i>
#include <include/ipsec/local-address.xml.i>
#include <include/ipsec/local-traffic-selector.xml.i>
<leafNode name="timeout">
<properties>
<help>Timeout to close connection if no data is transmitted</help>
<valueHelp>
<format>u32:10-86400</format>
<description>Timeout in seconds (default 28800)</description>
</valueHelp>
<constraint>
<validator name="numeric" argument="--range 10-86400"/>
</constraint>
</properties>
<defaultValue>28800</defaultValue>
</leafNode>
<leafNode name="pool">
<properties>
<help>Pool name used for IP address assignments</help>
<completionHelp>
<path>vpn ipsec remote-access pool</path>
<list>dhcp</list>
</completionHelp>
<valueHelp>
<format>txt</format>
<description>Pool name</description>
</valueHelp>
<multi/>
</properties>
</leafNode>
+ <leafNode name="unique">
+ <properties>
+ <help>Connection uniqueness policy to enforce</help>
+ <completionHelp>
+ <list>never keep replace</list>
+ </completionHelp>
+ <valueHelp>
+ <format>never</format>
+ <description>Never enforce connection uniqueness policy</description>
+ </valueHelp>
+ <valueHelp>
+ <format>keep</format>
+ <description>Rejects new connection attempts if the same user already has an active connection</description>
+ </valueHelp>
+ <valueHelp>
+ <format>replace</format>
+ <description>Delete any existing connection if a new one for the same user gets established</description>
+ </valueHelp>
+ <constraint>
+ <regex>^(never|keep|replace)$</regex>
+ </constraint>
+ </properties>
+ </leafNode>
</children>
</tagNode>
<tagNode name="pool">
<properties>
<help>IP address pool for remote-access users</help>
</properties>
<children>
<leafNode name="exclude">
<properties>
<help>Local IPv4 or IPv6 pool prefix exclusions</help>
<valueHelp>
<format>ipv4</format>
<description>Local IPv4 pool prefix exclusion</description>
</valueHelp>
<valueHelp>
<format>ipv6</format>
<description>Local IPv6 pool prefix exclusion</description>
</valueHelp>
<constraint>
<validator name="ipv4-prefix"/>
<validator name="ipv6-prefix"/>
</constraint>
<multi/>
</properties>
</leafNode>
<leafNode name="prefix">
<properties>
<help>Local IPv4 or IPv6 pool prefix</help>
<valueHelp>
<format>ipv4</format>
<description>Local IPv4 pool prefix</description>
</valueHelp>
<valueHelp>
<format>ipv6</format>
<description>Local IPv6 pool prefix</description>
</valueHelp>
<constraint>
<validator name="ipv4-prefix"/>
<validator name="ipv6-prefix"/>
</constraint>
</properties>
</leafNode>
<!-- Include Accel-PPP definition here, maybe time for a rename? -->
#include <include/accel-ppp/name-server.xml.i>
</children>
</tagNode>
</children>
</node>
<node name="site-to-site">
<properties>
<help>Site-to-site VPN</help>
</properties>
<children>
<tagNode name="peer">
<properties>
<help>VPN peer</help>
<valueHelp>
<format>ipv4</format>
<description>IPv4 address of the peer</description>
</valueHelp>
<valueHelp>
<format>ipv6</format>
<description>IPv6 address of the peer</description>
</valueHelp>
<valueHelp>
<format>txt</format>
<description>Hostname of the peer</description>
</valueHelp>
<valueHelp>
<format><@text></format>
<description>ID of the peer</description>
</valueHelp>
</properties>
<children>
#include <include/generic-disable-node.xml.i>
<node name="authentication">
<properties>
<help>Peer authentication [REQUIRED]</help>
</properties>
<children>
#include <include/ipsec/authentication-id.xml.i>
#include <include/ipsec/authentication-rsa.xml.i>
#include <include/ipsec/authentication-x509.xml.i>
<leafNode name="mode">
<properties>
<help>Authentication mode</help>
<completionHelp>
<list>pre-shared-secret rsa x509</list>
</completionHelp>
<valueHelp>
<format>pre-shared-secret</format>
<description>pre-shared-secret_description</description>
</valueHelp>
<valueHelp>
<format>rsa</format>
<description>rsa_description</description>
</valueHelp>
<valueHelp>
<format>x509</format>
<description>x509_description</description>
</valueHelp>
<constraint>
<regex>^(pre-shared-secret|rsa|x509)$</regex>
</constraint>
</properties>
</leafNode>
#include <include/ipsec/authentication-pre-shared-secret.xml.i>
<leafNode name="remote-id">
<properties>
<help>ID for remote authentication</help>
<valueHelp>
<format>txt</format>
<description>ID used for peer authentication</description>
</valueHelp>
</properties>
</leafNode>
<leafNode name="use-x509-id">
<properties>
<help>Use certificate common name as ID</help>
<valueless/>
</properties>
</leafNode>
</children>
</node>
<leafNode name="connection-type">
<properties>
<help>Connection type</help>
<completionHelp>
<list>initiate respond</list>
</completionHelp>
<valueHelp>
<format>initiate</format>
<description>initiate_description</description>
</valueHelp>
<valueHelp>
<format>respond</format>
<description>respond_description</description>
</valueHelp>
<constraint>
<regex>^(initiate|respond)$</regex>
</constraint>
</properties>
</leafNode>
<leafNode name="default-esp-group">
<properties>
<help>Defult ESP group name</help>
<completionHelp>
<path>vpn ipsec esp-group</path>
</completionHelp>
</properties>
</leafNode>
#include <include/generic-description.xml.i>
#include <include/dhcp-interface.xml.i>
<leafNode name="force-encapsulation">
<properties>
<help>Force UDP Encapsulation for ESP Payloads</help>
<completionHelp>
<list>enable disable</list>
</completionHelp>
<valueHelp>
<format>enable</format>
<description>This endpoint will force UDP encapsulation for this peer</description>
</valueHelp>
<valueHelp>
<format>disable</format>
<description>This endpoint will not force UDP encapsulation for this peer</description>
</valueHelp>
<constraint>
<regex>^(enable|disable)$</regex>
</constraint>
</properties>
</leafNode>
#include <include/ipsec/ike-group.xml.i>
<leafNode name="ikev2-reauth">
<properties>
<help>Re-authentication of the remote peer during an IKE re-key. IKEv2 option only</help>
<completionHelp>
<list>yes no inherit</list>
</completionHelp>
<valueHelp>
<format>yes</format>
<description>Enable remote host re-autentication during an IKE re-key. Currently broken due to a strong swan bug</description>
</valueHelp>
<valueHelp>
<format>no</format>
<description>Disable remote host re-authenticaton during an IKE re-key.</description>
</valueHelp>
<valueHelp>
<format>inherit</format>
<description>Inherit the reauth configuration form your IKE-group (Default)</description>
</valueHelp>
<constraint>
<regex>^(yes|no|inherit)$</regex>
</constraint>
</properties>
</leafNode>
#include <include/ipsec/local-address.xml.i>
<tagNode name="tunnel">
<properties>
<help>Peer tunnel [REQUIRED]</help>
<valueHelp>
<format>u32</format>
<description>Peer tunnel [REQUIRED]</description>
</valueHelp>
</properties>
<children>
#include <include/generic-disable-node.xml.i>
#include <include/ipsec/esp-group.xml.i>
#include <include/ipsec/local-traffic-selector.xml.i>
#include <include/ip-protocol.xml.i>
<node name="remote">
<properties>
<help>Remote parameters for interesting traffic</help>
</properties>
<children>
#include <include/port-number.xml.i>
<leafNode name="prefix">
<properties>
<help>Remote IPv4 or IPv6 prefix</help>
<valueHelp>
<format>ipv4</format>
<description>Remote IPv4 prefix</description>
</valueHelp>
<valueHelp>
<format>ipv6</format>
<description>Remote IPv6 prefix</description>
</valueHelp>
<constraint>
<validator name="ipv4-prefix"/>
<validator name="ipv6-prefix"/>
</constraint>
<multi/>
</properties>
</leafNode>
</children>
</node>
</children>
</tagNode>
<node name="vti">
<properties>
<help>Virtual tunnel interface [REQUIRED]</help>
</properties>
<children>
<leafNode name="bind">
<properties>
<help>VTI tunnel interface associated with this configuration</help>
<completionHelp>
<path>interfaces vti</path>
</completionHelp>
</properties>
</leafNode>
#include <include/ipsec/esp-group.xml.i>
</children>
</node>
</children>
</tagNode>
</children>
</node>
</children>
</node>
</children>
</node>
</interfaceDefinition>