Supported Modes
- Tunnel (default)
- VTI
- GRE in transport mode
General Syntax
network vpn ipsec connection new blah --type=[net-to-net|host-to-net]
network vpn ipsec connection destroy blah
network vpn ipsec connection blah key value ...
(blah stands for the connection name throughout)
Name
The name must be ASCII-only and unique.
Mode
network vpn ipsec connection blah mode tunnel (default)
network vpn ipsec connection blah mode vti
network vpn ipsec connection blah mode gre-transport
Peer
network vpn ipsec connection blah peer 1.2.3.4
network vpn ipsec connection blah peer blah.tld.com
Security Policy
network vpn ipsec connection blah security-policy secure
Authentication
network vpn ipsec connection blah authentication mode pre-shared-key
network vpn ipsec connection blah authentication pre-shared-key super-secret-key
network vpn ipsec connection blah authentication mode certificate???
Prefixes
network vpn ipsec connection blah remote prefix 192.168.0.0/24
network vpn ipsec connection blah remote prefix +192.168.1.0/24 -192.168.0.0/24
network vpn ipsec connection blah local prefix 192.168.10.0/24
Without a sign the given prefixes replace the list; +prefix adds to and -prefix removes from the current list.
IDs
network vpn ipsec connection blah remote id @abc
network vpn ipsec connection blah local id 1.2.3.4
Valid values are an IP address or a string beginning with @.
Inactivity
network vpn ipsec connection blah inactivity-timeout 10m
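The command syntax above, as an added example that is not part of these notes or of the network tool itself: a small Python model that parses the commands and applies the checks they imply (ASCII-only unique names, IP-or-hostname peers, the +/- prefix syntax, IP-or-@string IDs, the inactivity timeout). The allowed name characters, the hostname rule, the s/m/h timeout suffixes and treating removal of an unconfigured prefix as a no-op are assumptions; certificate authentication is left unsupported because the notes leave it open.

```python
import ipaddress
import re

# Added example, not the network tool's own code: an in-memory model of the
# "network vpn ipsec connection" commands above, with the checks they imply.
NAME_RE = re.compile(r"^[A-Za-z0-9._-]+$")  # assumption: allowed ASCII name chars
HOST_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))+$")
TIMEOUT_RE = re.compile(r"^(\d+)([smh])$")  # assumption: seconds/minutes/hours
TYPES, MODES = ("net-to-net", "host-to-net"), ("tunnel", "vti", "gre-transport")
AUTH_MODES = ("pre-shared-key",)  # certificate authentication is still an open question

class ConfigError(ValueError):
    """A command the model refuses to apply."""

def parse_prefix(value):
    try:  # strict=True rejects prefixes with host bits set, e.g. 192.168.0.1/24
        return str(ipaddress.ip_network(value, strict=True))
    except ValueError as exc:
        raise ConfigError(f"invalid prefix {value!r}") from exc

def update_prefixes(current, values):
    """'+p' adds and '-p' removes from the current set; bare prefixes replace it."""
    signs = {v[:1] if v[:1] in ("+", "-") else "" for v in values}
    if signs == {""}:
        return {parse_prefix(v) for v in values}
    if "" in signs:
        raise ConfigError("cannot mix signed and unsigned prefixes")
    result = set(current)
    for v in values:  # assumption: removing a prefix that is not configured is a no-op
        (result.add if v[0] == "+" else result.discard)(parse_prefix(v[1:]))
    return result

def parse_id(value):
    """A valid IP address, or an ASCII string beginning with '@'."""
    if value.startswith("@") and len(value) > 1 and value.isascii():
        return value
    try:
        return str(ipaddress.ip_address(value))
    except ValueError as exc:
        raise ConfigError(f"invalid id {value!r}") from exc

def parse_peer(value):
    """An IP address or a dotted DNS name (assumption: bare host names rejected)."""
    try:
        return str(ipaddress.ip_address(value))
    except ValueError:
        if not HOST_RE.match(value):
            raise ConfigError(f"invalid peer {value!r}")
        return value.lower()

def parse_timeout(value):
    """Inactivity timeout in seconds, e.g. '10m' -> 600."""
    m = TIMEOUT_RE.match(value)
    if not m:
        raise ConfigError(f"invalid timeout {value!r}")
    return int(m.group(1)) * {"s": 1, "m": 60, "h": 3600}[m.group(2)]

def apply_command(store, argv):
    """argv: the tokens after 'network vpn ipsec connection'. Mutates store."""
    if argv[0] == "new":
        name = argv[1]
        opts = dict(o.split("=", 1) for o in argv[2:] if "=" in o)
        if not NAME_RE.match(name) or name in store:
            raise ConfigError(f"name {name!r} must be ASCII-only and unique")
        if opts.get("--type") not in TYPES:
            raise ConfigError("--type must be net-to-net or host-to-net")
        store[name] = {"type": opts["--type"], "mode": "tunnel", "peer": None,
                       "security-policy": None, "inactivity-timeout": None,
                       "auth": {"mode": None, "pre-shared-key": None},
                       "local": {"prefix": set(), "id": None},
                       "remote": {"prefix": set(), "id": None}}
        return
    if argv[0] == "destroy":
        if store.pop(argv[1], None) is None:
            raise ConfigError(f"unknown connection {argv[1]!r}")
        return
    name, key, *rest = argv
    conn = store.get(name)
    if conn is None:
        raise ConfigError(f"unknown connection {name!r}")
    if key == "mode" and rest[0] in MODES:
        conn["mode"] = rest[0]
    elif key == "peer":
        conn["peer"] = parse_peer(rest[0])
    elif key == "security-policy":
        conn["security-policy"] = rest[0]
    elif key == "authentication" and rest[0] in ("mode", "pre-shared-key"):
        if rest[0] == "mode" and rest[1] not in AUTH_MODES:
            raise ConfigError(f"unsupported authentication mode {rest[1]!r}")
        conn["auth"][rest[0]] = rest[1]
    elif key in ("local", "remote") and rest[0] == "prefix":
        conn[key]["prefix"] = update_prefixes(conn[key]["prefix"], rest[1:])
    elif key in ("local", "remote") and rest[0] == "id":
        conn[key]["id"] = parse_id(rest[1])
    elif key == "inactivity-timeout":
        conn["inactivity-timeout"] = parse_timeout(rest[0])
    else:
        raise ConfigError("unknown setting: " + " ".join(argv[1:]))

def demo():
    """Replay the notes' example commands and return the resulting store."""
    store = {}
    for line in ("new blah --type=net-to-net", "blah peer blah.tld.com",
                 "blah security-policy secure", "blah authentication mode pre-shared-key",
                 "blah authentication pre-shared-key super-secret-key",
                 "blah remote prefix 192.168.0.0/24", "blah local prefix 192.168.10.0/24",
                 "blah remote prefix +192.168.1.0/24 -192.168.0.0/24",
                 "blah remote id @abc", "blah local id 1.2.3.4", "blah inactivity-timeout 10m"):
        apply_command(store, line.split())
    return store
```

demo() replays the example commands from these notes; after the second `remote prefix` command the remote list holds only 192.168.1.0/24. apply_command() raises ConfigError for anything the checks reject, such as a prefix with host bits set, a second `new` with an existing name, or `authentication mode certificate`.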
Missing Things
- always-on vs. on-demand
- VTIs?
- How do we handle changes of the auth mode (especially, what do we do with the unused passwords/keys)?
- Why do we put "connection" before everything? Although this may be useful.