VPN documentation proofreading (#1506)

* Fix typos in openconnect.rst

change Cerbort->Certbot
Update first line to reflect that openconnect was introduced in 1.3-rolling (T2036)

* typo in dmvpn.rst

* ipsec.rst justification, minor phrasing changes

* l2tp.rst justification and phrasing changes.

* sstp.rst phrasing, justification changes

* Update ipsec.rst

rephrase for clarity and to avoid possessive plural apostrophe

docs/configuration/vpn/dmvpn.rst

@@ -162,7 +162,7 @@ Example
 
 
 This blueprint uses VyOS as the DMVPN Hub and Cisco (7206VXR) and VyOS as
-multiple spoke sites. The lab was build using :abbr:`EVE-NG (Emulated Virtual
+multiple spoke sites. The lab was built using :abbr:`EVE-NG (Emulated Virtual
 Environment NG)`.
 
 .. figure:: /_static/images/blueprint-dmvpn.png

docs/configuration/vpn/ipsec.rst

@@ -13,10 +13,10 @@ address, which makes it easier to setup static routes or use dynamic routing
 protocols without having to modify IPsec policies. The other advantage is that
 it greatly simplifies router to router communication, which can be tricky with
 plain IPsec because the external outgoing address of the router usually doesn't
-match the IPsec policy of typical site-to-site setup and you need to add special
+match the IPsec policy of a typical site-to-site setup and you would need to
-configuration for it, or adjust the source address for outgoing traffic of your
+add special configuration for it, or adjust the source address of the outgoing 
-applications. GRE/IPsec has no such problem and is completely transparent for
+traffic of your applications. GRE/IPsec has no such problem and is completely
-the applications.
+transparent for applications.
 
 GRE/IPIP/SIT and IPsec are widely accepted standards, which make this scheme
 easy to implement between VyOS and virtually any other router.
@@ -163,13 +163,29 @@ Options (Global IPsec settings) Attributes
 
 * ``options``
 
- * ``disable-route-autoinstall`` Do not automatically install routes to remote networks;
+ * ``disable-route-autoinstall`` Do not automatically install routes to remote
+    networks;
 
- * ``flexvpn`` Allows FlexVPN vendor ID payload (IKEv2 only). Send the Cisco FlexVPN vendor ID payload (IKEv2 only), which is required in order to make Cisco brand devices allow negotiating a local traffic selector (from strongSwan's point of view) that is not the assigned virtual IP address if such an address is requested by strongSwan. Sending the Cisco FlexVPN vendor ID prevents the peer from narrowing the initiator's local traffic selector and allows it to e.g. negotiate a TS of 0.0.0.0/0 == 0.0.0.0/0 instead. This has been tested with a "tunnel mode ipsec ipv4" Cisco template but should also work for GRE encapsulation;
+ * ``flexvpn`` Allows FlexVPN vendor ID payload (IKEv2 only). Send the Cisco
+    FlexVPN vendor ID payload (IKEv2 only), which is required in order to make
+    Cisco brand devices allow negotiating a local traffic selector (from
+    strongSwan's point of view) that is not the assigned virtual IP address if
+    such an address is requested by strongSwan. Sending the Cisco FlexVPN
+    vendor ID prevents the peer from narrowing the initiator's local traffic
+    selector and allows it to e.g. negotiate a TS of 0.0.0.0/0 == 0.0.0.0/0
+    instead. This has been tested with a "tunnel mode ipsec ipv4" Cisco
+    template but should also work for GRE encapsulation;
 
- * ``interface`` Interface Name to use. The name of the interface on which virtual IP addresses should be installed. If not specified the addresses will be installed on the outbound interface;
+ * ``interface`` Interface Name to use. The name of the interface on which
+    virtual IP addresses should be installed. If not specified the addresses
+    will be installed on the outbound interface;
 
- * ``virtual-ip`` Allows to install virtual-ip addresses. Comma separated list of virtual IPs to request in IKEv2 configuration payloads or IKEv1 Mode Config. The wildcard addresses 0.0.0.0 and :: request an arbitrary address, specific addresses may be defined. The responder may return a different address, though, or none at all. Define the ``virtual-address`` option to configure the IP address in site-to-site hierarchy.
+ * ``virtual-ip`` Allows the installation of virtual-ip addresses. A comma 
+    separated list of virtual IPs to request in IKEv2 configuration payloads or
+    IKEv1 Mode Config. The wildcard addresses 0.0.0.0 and :: request an 
+    arbitrary address, specific addresses may be defined. The responder may
+    return a different address, or none at all. Define the ``virtual-address``
+    option to configure the IP address in a site-to-site hierarchy.
 
 *************************
 IPsec policy matching GRE
@@ -372,8 +388,8 @@ IKEv2 IPSec road-warriors remote-access VPN
 *******************************************
 
 Internet Key Exchange version 2, IKEv2 for short, is a request/response
-protocol developed by both Cisco and Microsoft. It is used to establish
+protocol developed by both Cisco and Microsoft. It is used to establish and
-and secure IPv4/IPv6 connections, be it a site-to-site VPN or from a
+secure IPv4/IPv6 connections, be it a site-to-site VPN or from a
 road-warrior connecting to a hub site. IKEv2, when run in point-to-multipoint,
 or remote-access/road-warrior mode, secures the server-side with another layer
 by using an x509 signed server certificate.
@@ -396,11 +412,11 @@ This example uses CACert as certificate authority.
   set pki ca CAcert_Class_3_Root certificate 'MIIGPTCCBCWgAwIBAgIDFOIoMA0GCSqGSIb3DQEBDQUAMHkxEDAOBgNVBAoTB1Jvb3QgQ0ExHjAcBgNVBAsTFWh0dHA6Ly93d3cuY2FjZXJ0Lm9yZzEiMCAGA1UEAxMZQ0EgQ2VydCBTaWduaW5nIEF1dGhvcml0eTEhMB8GCSqGSIb3DQEJARYSc3VwcG9ydEBjYWNlcnQub3JnMB4XDTIxMDQxOTEyMTgzMFoXDTMxMDQxNzEyMTgzMFowVDEUMBIGA1UEChMLQ0FjZXJ0IEluYy4xHjAcBgNVBAsTFWh0dHA6Ly93d3cuQ0FjZXJ0Lm9yZzEcMBoGA1UEAxMTQ0FjZXJ0IENsYXNzIDMgUm9vdDCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAKtJNRFIfNImflOUz0Op3SjXQiqL84d4GVh8D57aiX3h++tykA10oZZkq5+gJJlz2uJVdscXe/UErEa4w75/ZI0QbCTzYZzA8pD6Ueb1aQFjww9W4kpCz+JEjCUoqMV5CX1GuYrz6fM0KQhF5Byfy5QEHIGoFLOYZcRD7E6CjQnRvapbjZLQ7N6QxX8KwuPr5jFaXnQ+lzNZ6MMDPWAzv/fRb0fEze5ig1JuLgiapNkVGJGmhZJHsK5I6223IeyFGmhyNav/8BBdwPSUp2rVO5J+TJAFfpPBLIukjmJ0FXFuC3ED6q8VOJrU0gVyb4z5K+taciX5OUbjchs+BMNkJyIQKopPWKcDrb60LhPtXapI19V91Cp7XPpGBFDkzA5CW4zt2/LP/JaT4NsRNlRiNDiPDGCbO5dWOK3z0luLoFvqTpa4fNfVoIZwQNORKbeiPK31jLvPGpKK5DR7wNhsX+kKwsOnIJpa3yxdUly6R9Wb7yQocDggL9V/KcCyQQNokszgnMyXS0XvOhAKq3A6mJVwrTWx6oUrpByAITGprmB6gCZIALgBwJNjVSKRPFbnr9s6JfOPMVTqJouBWfmh0VMRxXudA/Z0EeBtsSw/LIaRmXGapneLNGDRFLQsrJ2vjBDTn8Rq+G8T/HNZ92ZCdB6K4/jc0m+YnMtHmJVABfvpAgMBAAGjgfIwge8wDwYDVR0TAQH/BAUwAwEB/zBhBggrBgEFBQcBAQRVMFMwIwYIKwYBBQUHMAGGF2h0dHA6Ly9vY3NwLkNBY2VydC5vcmcvMCwGCCsGAQUFBzAChiBodHRwOi8vd3d3LkNBY2VydC5vcmcvY2xhc3MzLmNydDBFBgNVHSAEPjA8MDoGCysGAQQBgZBKAgMBMCswKQYIKwYBBQUHAgEWHWh0dHA6Ly93d3cuQ0FjZXJ0Lm9yZy9jcHMucGhwMDIGA1UdHwQrMCkwJ6AloCOGIWh0dHBzOi8vd3d3LmNhY2VydC5vcmcvY2xhc3MzLmNybDANBgkqhkiG9w0BAQ0FAAOCAgEAxh6td1y0KJvRyI1EEsC9dnYEgyEH+BGCf2vBlULAOBG1JXCNiwzB1Wz9HBoDfIv4BjGlnd5BKdSLm4TXPcE3hnGjH1thKR5dd3278K25FRkTFOY1gP+mGbQ3hZRB6IjDX+CyBqS7+ECpHTms7eo/mARN+Yz5R3lzUvXs3zSX+z534NzRg4i6iHNHWqakFcQNcA0PnksTB37vGD75pQGqeSmx51L6UzrIpn+274mhsaFNL85jhX+lKuk71MGjzwoThbuZ15xmkITnZtRQs6HhLSIqJWjDILIrxLqYHehK71xYwrRNhFb3TrsWaEJskrhveM0Os/vvoLNkh/L3iEQ5/LnmLMCYJNRALF7I7gsduAJNJrgKGMYvHkt1bo8uIXO8wgNV7qoU4JoaB1ML30QUqGcFr0TI06FFdgK2fwy5hulPxm6wuxW0v+iAtXYx/mRkwQpYbcVQtrIDvx1CT1k50cQxi+jIKjkcFWHw3kBoDnCos0/ukegPT7aQnk2AbL4c7nCkuAcEKw1BAlSETkfqi5btdlhh58MhewZv1LcL5zQyg8w1puclT3wXQvy8VwPGn0J/mGD4gLLZ9rGcHDUECokxFoWk+u5MCcVqmGbsyG4q5suS3CNslsHURfM8bQK4oLvHR8LCHEBMRcdFBn87cSvOK6eB1kdGKLA8ymXxZp8='
   set pki ca CAcert_Signing_Authority certificate 'MIIG7jCCBNagAwIBAgIBDzANBgkqhkiG9w0BAQsFADB5MRAwDgYDVQQKEwdSb290IENBMR4wHAYDVQQLExVodHRwOi8vd3d3LmNhY2VydC5vcmcxIjAgBgNVBAMTGUNBIENlcnQgU2lnbmluZyBBdXRob3JpdHkxITAfBgkqhkiG9w0BCQEWEnN1cHBvcnRAY2FjZXJ0Lm9yZzAeFw0wMzAzMzAxMjI5NDlaFw0zMzAzMjkxMjI5NDlaMHkxEDAOBgNVBAoTB1Jvb3QgQ0ExHjAcBgNVBAsTFWh0dHA6Ly93d3cuY2FjZXJ0Lm9yZzEiMCAGA1UEAxMZQ0EgQ2VydCBTaWduaW5nIEF1dGhvcml0eTEhMB8GCSqGSIb3DQEJARYSc3VwcG9ydEBjYWNlcnQub3JnMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAziLA4kZ97DYoB1CW8qAzQIxL8TtmPzHlawI229Z89vGIj053NgVBlfkJ8BLPRoZzYLdufujAWGSuzbCtRRcMY/pnCujW0r8+55jE8Ez64AO7NV1sId6eINm6zWYyN3L69wj1x81YyY7nDl7qPv4coRQKFWyGhFtkZip6qUtTefWIonvuLwphK42yfk1WpRPs6tqSnqxEQR5YYGUFZvjARL3LlPdCfgv3ZWiYUQXw8wWRBB0bF4LsyFe7w2t6iPGwcswlWyCR7BYCEo8y6RcYSNDHBS4CMEK4JZwFaz+qOqfrU0j36NK2B5jcG8Y0f3/JHIJ6BVgrCFvzOKKrF11myZjXnhCLotLddJr3cQxyYN/Nb5gznZY0dj4kepKwDpUeb+agRThHqtdB7Uq3EvbXG4OKDy7YCbZZ16oE/9KTfWgu3YtLq1i6L43qlaegw1SJpfvbi1EinbLDvhG+LJGGi5Z4rSDTii8aP8bQUWWHIbEZAWV/RRyH9XzQQUxPKZgh/TMfdQwEUfoZd9vUFBzugcMd9Zi3aQaRIt0AUMyBMawSB3s42mhb5ivUfslfrejrckzzAeVLIL+aplfKkQABi6F1ITe1Yw1nPkZPcCBnzsXWWdsC4PDSy826YreQQejdIOQpvGQpQsgi3Hia/0PsmBsJUUtaWsJx8cTLc6nloQsCAwEAAaOCAX8wggF7MB0GA1UdDgQWBBQWtTIb1Mfz4OaO873SsDrusjkY0TAPBgNVHRMBAf8EBTADAQH/MDQGCWCGSAGG+EIBCAQnFiVodHRwOi8vd3d3LmNhY2VydC5vcmcvaW5kZXgucGhwP2lkPTEwMFYGCWCGSAGG+EIBDQRJFkdUbyBnZXQgeW91ciBvd24gY2VydGlmaWNhdGUgZm9yIEZSRUUgaGVhZCBvdmVyIHRvIGh0dHA6Ly93d3cuY2FjZXJ0Lm9yZzAxBgNVHR8EKjAoMCagJKAihiBodHRwOi8vY3JsLmNhY2VydC5vcmcvcmV2b2tlLmNybDAzBglghkgBhvhCAQQEJhYkVVJJOmh0dHA6Ly9jcmwuY2FjZXJ0Lm9yZy9yZXZva2UuY3JsMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcwAYYWaHR0cDovL29jc3AuY2FjZXJ0Lm9yZzAfBgNVHSMEGDAWgBQWtTIb1Mfz4OaO873SsDrusjkY0TANBgkqhkiG9w0BAQsFAAOCAgEAR5zXs6IX01JTt7Rq3b+bNRUhbO9vGBMggczo7R0qIh1kdhS6WzcrDoO6PkpuRg0L3qM7YQB6pw2V+ubzF7xl4C0HWltfzPTbzAHdJtjaJQw7QaBlmAYpN2CLB6Jeg8q/1Xpgdw/+IP1GRwdg7xUpReUA482l4MH1kf0W0ad94SuIfNWQHcdLApmno/SUh1bpZyeWrMnlhkGNDKMxCCQXQ360TwFHc8dfEAaq5ry6cZzm1oetrkSviE2qofxvv1VFiQ+9TX3/zkECCsUB/EjPM0lxFBmu9T5Ih+Eqns9ivmrEIQDv9tNyJHuLsDNqbUBal7OoiPZnXk9LH+qb+pLf1ofv5noy5vX2a5OKebHe+0Ex/A7e+G/HuOjVNqhZ9j5Nispfq9zNyOHGWD8ofj8DHwB50L1Xh5H+EbIoga/hJCQnRtxWkHP699T1JpLFYwapgplivF4TFv4fqp0nHTKC1x9gGrIgvuYJl1txIKmxXdfJzgscMzqpabhtHOMXOiwQBpWzyJkofF/w55e0LttZDBkEsilV/vW0CJsPs3eNaQF+iMWscGOkgLFlWsAS3HwyiYLNJo26aqyWPaIdc8E4ck7Sk08WrFrHIK3EHr4n1FZwmLpFAvucKqgl0hr+2jypyh5puA3KksHF3CsUzjMUvzxMhykh9zrMxQAHLBVrGwc='
 
-After you obtained your server certificate you can import it from a file
+After you obtain your server certificate you can import it from a file on the
-on the local filesystem, or paste it into the CLI. Please note that
+local filesystem, or paste it into the CLI. Please note that when entering the
-when entering the certificate manually you need to strip the
+certificate manually you need to strip the ``-----BEGIN KEY-----`` and
-``-----BEGIN KEY-----`` and ``-----END KEY-----`` tags. Also, the certificate
+``-----END KEY-----`` tags. Also, the certificate or key needs to be presented
-or key needs to be presented in a single line without line breaks (``\n``).
+in a single line without line breaks (``\n``).
 
 To import it from the filesystem use:
 
@@ -440,7 +456,7 @@ Every connection/remote-access pool we configure also needs a pool where
 we can draw our client IP addresses from. We provide one IPv4 and IPv6 pool.
 Authorized clients will receive an IPv4 address from the 192.0.2.128/25 prefix
 and an IPv6 address from the 2001:db8:2000::/64 prefix. We can also send some
-DNS nameservers down to our clients used on their connection.
+DNS nameservers down for our clients to use with their connection.
 
 .. code-block::
 
@@ -450,8 +466,8 @@ DNS nameservers down to our clients used on their connection.
   set vpn ipsec remote-access pool ra-rw-ipv6 prefix '2001:db8:2000::/64'
 
 VyOS supports multiple IKEv2 remote-access connections. Every connection can
-have its dedicated IKE/ESP ciphers, certificates or local listen address for
+have its own dedicated IKE/ESP ciphers, certificates or local listen address
-e.g. inbound load balancing.
+for e.g. inbound load balancing.
 
 We configure a new connection named ``rw`` for road-warrior, that identifies
 itself as ``192.0.2.1`` to the clients and uses the ``vyos`` certificate

docs/configuration/vpn/l2tp.rst

@@ -148,15 +148,15 @@ For example:
 RADIUS source address
 =====================
 
-If you are using OSPF as IGP, always the closest interface connected to the
+If you are using OSPF as your IGP, use the interface connected closest to the
-RADIUS server is used. With VyOS 1.2 you can bind all outgoing RADIUS requests
+RADIUS server. You can bind all outgoing RADIUS requests to a single source IP
-to a single source IP e.g. the loopback interface.
+e.g. the loopback interface.
 
 .. cfgcmd:: set vpn l2tp remote-access authentication radius source-address <address>
 
   Source IPv4 address used in all RADIUS server queires.
 
-.. note:: The ``source-address`` must be configured on one of VyOS interface.
+.. note:: The ``source-address`` must be configured to that of an interface.
    Best practice would be a loopback or dummy interface.
 
 RADIUS advanced options
@@ -218,7 +218,7 @@ RADIUS advanced options
   The default attribute is `Filter-Id`.
 
 .. note:: If you set a custom RADIUS attribute you must define it on both
-   dictionaries at RADIUS server and client.
+   dictionaries on the RADIUS server and client.
 
 .. cfgcmd:: set vpn l2tp remote-access authentication radius rate-limit enable
 
@@ -226,7 +226,7 @@ RADIUS advanced options
 
 .. cfgcmd:: set vpn l2tp remote-access authentication radius rate-limit vendor
 
-  Specifies the vendor dictionary, dictionary needs to be in
+  Specifies the vendor dictionary. This dictionary needs to be present in
   /usr/share/accel-ppp/radius.
 
 Received RADIUS attributes have a higher priority than parameters defined within
@@ -236,25 +236,28 @@ Allocation clients ip addresses by RADIUS
 =========================================
 
 If the RADIUS server sends the attribute ``Framed-IP-Address`` then this IP
-address will be allocated to the client and the option ``default-pool`` within the CLI
+address will be allocated to the client and the option ``default-pool`` within
-config is being ignored.
+the CLI config will be ignored.
 
-If the RADIUS server sends the attribute ``Framed-Pool``, IP address will be allocated
+If the RADIUS server sends the attribute ``Framed-Pool``, then the IP address
-from a predefined IP pool whose name equals the attribute value.
+will be allocated from a predefined IP pool whose name equals the attribute
+value.
 
-If the RADIUS server sends the attribute ``Stateful-IPv6-Address-Pool``, IPv6 address
+If the RADIUS server sends the attribute ``Stateful-IPv6-Address-Pool``, the
-will be allocated from a predefined IPv6 pool ``prefix`` whose name equals the attribute value.
+IPv6 address will be allocated from a predefined IPv6 pool ``prefix`` whose
+name equals the attribute value.
 
-If the RADIUS server sends the attribute ``Delegated-IPv6-Prefix-Pool``, IPv6
+If the RADIUS server sends the attribute ``Delegated-IPv6-Prefix-Pool``, an
-delegation pefix will be allocated from a predefined IPv6 pool ``delegate``
+IPv6 delegation prefix will be allocated from a predefined IPv6 pool
-whose name equals the attribute value.
+``delegate`` whose name equals the attribute value.
 
 .. note:: ``Stateful-IPv6-Address-Pool`` and ``Delegated-IPv6-Prefix-Pool`` are defined in
           RFC6911. If they are not defined in your RADIUS server, add new dictionary_.
 
-User interface can be put to VRF context via RADIUS Access-Accept packet, or change
+The client's interface can be put into a VRF context via a RADIUS Access-Accept
-it via RADIUS CoA. ``Accel-VRF-Name`` is used from these purposes. It is custom `ACCEL-PPP attribute`_.
+packet, or changed via RADIUS CoA. ``Accel-VRF-Name`` is used for these
-Define it in your RADIUS server.
+purposes. This is a custom `ACCEL-PPP attribute`_. Define it in your RADIUS
+server.
 
 Renaming clients interfaces by RADIUS
 =====================================
@@ -296,19 +299,19 @@ IPv6
 .. cfgcmd:: set vpn l2tp remote-access client-ipv6-pool <IPv6-POOL-NAME> prefix <address>
    mask <number-of-bits>
 
-  Use this comand to set the IPv6 address pool from which an l2tp client
+  Use this comand to set the IPv6 address pool from which an l2tp client will
-  will get an IPv6 prefix of your defined length (mask) to terminate the
+  get an IPv6 prefix of your defined length (mask) to terminate the l2tp 
-  l2tp endpoint at their side. The mask length can be set from 48 to 128
+  endpoint at their side. The mask length can be set between 48 and 128 bits
-  bit long, the default value is 64.
+  long, the default value is 64.
 
 .. cfgcmd:: set vpn l2tp remote-access client-ipv6-pool <IPv6-POOL-NAME> delegate <address>
    delegation-prefix <number-of-bits>
 
-  Use this command to configure DHCPv6 Prefix Delegation (RFC3633) on
+  Use this command to configure DHCPv6 Prefix Delegation (RFC3633) on l2tp.
-  l2tp. You will have to set your IPv6 pool and the length of the
+  You will have to set your IPv6 pool and the length of the delegation 
-  delegation prefix. From the defined IPv6 pool you will be handing out
+  prefix. From the defined IPv6 pool you will be handing out networks of the
-  networks of the defined length (delegation-prefix). The length of the
+  defined length (delegation-prefix). The length of the delegation prefix can
-  delegation prefix can be set from 32 to 64 bit long.
+  be between 32 and 64 bits long.
 
 .. cfgcmd:: set vpn l2tp remote-access default-ipv6-pool <IPv6-POOL-NAME>
 
@@ -325,19 +328,19 @@ IPv6 Advanced Options
 =====================
 .. cfgcmd:: set vpn l2tp remote-access ppp-options ipv6-accept-peer-interface-id
 
-  Accept peer interface identifier. By default is not defined.
+  Accept peer interface identifier. By default this is not defined.
 
 .. cfgcmd:: set vpn l2tp remote-access ppp-options ipv6-interface-id <random | x:x:x:x>
 
-  Specifies fixed or random interface identifier for IPv6.
+  Specifies if a fixed or random interface identifier is used for IPv6. The
-  By default is fixed.
+  default is fixed.
 
   * **random** - Random interface identifier for IPv6
   * **x:x:x:x** - Specify interface identifier for IPv6
 
 .. cfgcmd:: set vpn l2tp remote-access ppp-options ipv6-interface-id <random | x:x:x:x>
 
-  Specifies peer interface identifier for IPv6. By default is fixed.
+  Specifies the peer interface identifier for IPv6. The default is fixed.
 
   * **random** - Random interface identifier for IPv6
   * **x:x:x:x** - Specify interface identifier for IPv6
@@ -350,19 +353,19 @@ Scripting
 
 .. cfgcmd:: set vpn l2tp remote-access extended-scripts on-change <path_to_script>
 
-  Script to run when session interface changed by RADIUS CoA handling
+  Script to run when the session interface is changed by RADIUS CoA handling
 
 .. cfgcmd:: set vpn l2tp remote-access extended-scripts on-down <path_to_script>
 
-  Script to run when session interface going to terminate
+  Script to run when the session interface is about to terminate
 
 .. cfgcmd:: set vpn l2tp remote-access extended-scripts on-pre-up <path_to_script>
 
-  Script to run before session interface comes up
+  Script to run before the session interface comes up
 
 .. cfgcmd:: set vpn l2tp remote-access extended-scripts on-up <path_to_script>
 
-  Script to run when session interface is completely configured and started
+  Script to run when the session interface is completely configured and started
 
 ****************
 Advanced Options
@@ -378,17 +381,17 @@ Authentication Advanced Options
 .. cfgcmd:: set vpn l2tp remote-access authentication local-users username <user> static-ip
    <address>
 
-  Assign static IP address to `<user>` account.
+  Assign a static IP address to `<user>` account.
 
 .. cfgcmd:: set vpn l2tp remote-access authentication local-users username <user> rate-limit
    download <bandwidth>
 
-  Download bandwidth limit in kbit/s for `<user>`.
+  Rate limit the download bandwidth for `<user>` to `<bandwidth>` kbit/s.
 
 .. cfgcmd:: set vpn l2tp remote-access authentication local-users username <user> rate-limit
    upload <bandwidth>
 
-  Upload bandwidth limit in kbit/s for `<user>`.
+  Rate limit the upload bandwidth for `<user>` to `<bandwidth>` kbit/s
 
 .. cfgcmd:: set vpn l2tp remote-access authentication protocols
    <pap | chap | mschap | mschap-v2>
@@ -413,10 +416,10 @@ PPP Advanced Options
 
 .. cfgcmd:: set vpn l2tp remote-access ppp-options interface-cache <number>
 
-  Specifies number of interfaces to keep in cache. It means that don’t
+  Specifies number of interfaces to cache. This prevents interfaces from being
-  destroy interface after corresponding session is destroyed, instead
+  removed once the corresponding session is destroyed. Instead, interfaces are
-  place it to cache and use it later for new sessions repeatedly.
+  cached for later use in new sessions. This should reduce the kernel-level
-  This should reduce kernel-level interface creation/deletion rate lack.
+  interface creation/deletion rate.
   Default value is **0**.
 
 .. cfgcmd:: set vpn l2tp remote-access ppp-options ipv4 <require | prefer | allow | deny>
@@ -436,19 +439,20 @@ PPP Advanced Options
 .. cfgcmd:: set vpn l2tp remote-access ppp-options lcp-echo-interval <interval>
 
   If this option is specified and is greater than 0, then the PPP module will
-  send LCP pings of the echo request every `<interval>` seconds.
+  send LCP echo requests every `<interval>` seconds.
   Default value is **30**.
 
 .. cfgcmd:: set vpn l2tp remote-access ppp-options lcp-echo-timeout
 
-  Specifies timeout in seconds to wait for any peer activity. If this option
+  Specifies timeout in seconds to wait for any peer activity. If this option is
   specified it turns on adaptive lcp echo functionality and "lcp-echo-failure"
   is not used. Default value is **0**.
 
 .. cfgcmd:: set vpn l2tp remote-access ppp-options min-mtu <number>
 
-  Defines minimum acceptable MTU. If client will try to negotiate less then
+  Defines the minimum acceptable MTU. If a client tries to negotiate an MTU
-  specified MTU then it will be NAKed or disconnected if rejects greater MTU.
+  lower than this it will be NAKed, and disconnected if it rejects a greater 
+  MTU.
   Default value is **100**.
 
 .. cfgcmd:: set vpn l2tp remote-access ppp-options mppe <require | prefer | deny>
@@ -460,9 +464,10 @@ PPP Advanced Options
   * **prefer** - ask client for mppe, if it rejects don't fail. (Default value)
   * **deny** - deny mppe
 
-  Default behavior - don't ask client for mppe, but allow it if client wants.
+  Default behavior - don't ask the client for mppe, but allow it if the client
-  Please note that RADIUS may override this option by MS-MPPE-Encryption-Policy
+  wants.
-  attribute.
+  Please note that RADIUS may override this option with the 
+  MS-MPPE-Encryption-Policy attribute.
 
 .. cfgcmd:: set vpn l2tp remote-access ppp-options mru <number>
 
@@ -481,7 +486,7 @@ Global Advanced options
 
 .. cfgcmd:: set vpn l2tp remote-access limits connection-limit <value>
 
-  Acceptable rate of connections (e.g. 1/min, 60/sec)
+  Maximum accepted connection rate (e.g. 1/min, 60/sec)
 
 .. cfgcmd:: set vpn l2tp remote-access limits timeout <value>
 
@@ -497,9 +502,9 @@ Global Advanced options
 
 .. cfgcmd:: set vpn l2tp remote-access name-server <address>
 
-  Connected client should use `<address>` as their DNS server. This
+  Connected clients should use `<address>` as their DNS server. This command
-  command accepts both IPv4 and IPv6 addresses. Up to two nameservers
+  accepts both IPv4 and IPv6 addresses. Up to two nameservers can be configured
-  can be configured for IPv4, up to three for IPv6.
+  for IPv4, up to three for IPv6.
 
 .. cfgcmd:: set vpn l2tp remote-access shaper fwmark <1-2147483647>
 

docs/configuration/vpn/openconnect.rst

@@ -4,7 +4,7 @@
 OpenConnect
 ###########
 
-OpenConnect-compatible server feature is available from this release.
+OpenConnect-compatible server feature has been available since Equuleus (1.3).
 Openconnect VPN supports SSL connection and offers full network access. SSL VPN
 network extension connects the end-user system to the corporate network with
 access controls based only on network layer information, such as destination IP
@@ -32,7 +32,7 @@ will create a self signed certificates and will be stored in configuration:
   run generate pki ca install <CA name>
   run generate pki certificate sign <CA name> install <Server name>
  
-We can also create the certificates using Cerbort which is an easy-to-use 
+We can also create the certificates using Certbot which is an easy-to-use 
 client that fetches a certificate from Let's Encrypt an open certificate 
 authority launched by the EFF, Mozilla, and others and deploys it to a web 
 server.

docs/configuration/vpn/sstp.rst

@@ -16,8 +16,8 @@ SSTP is available for Linux, BSD, and Windows.
 VyOS utilizes accel-ppp_ to provide SSTP server functionality. We support both
 local and RADIUS authentication.
 
-As SSTP provides PPP via a SSL/TLS channel the use of either publically signed
+As SSTP provides PPP via a SSL/TLS channel the use of either publicly signed
-certificates as well as a private PKI is required.
+certificates or private PKI is required.
 
 ***********************
 Configuring SSTP Server
@@ -92,8 +92,8 @@ Configuring RADIUS authentication
 *********************************
 
 To enable RADIUS based authentication, the authentication mode needs to be
-changed within the configuration. Previous settings like the local users, still
+changed within the configuration. Previous settings like the local users still
-exists within the configuration, however they are not used if the mode has been
+exist within the configuration, however they are not used if the mode has been
 changed from local to radius. Once changed back to local, it will use all local
 accounts again.
 
@@ -121,15 +121,15 @@ For example:
 RADIUS source address
 =====================
 
-If you are using OSPF as IGP, always the closest interface connected to the
+If you are using OSPF as your IGP, use the interface connected closest to the
-RADIUS server is used. You can bind all outgoing RADIUS requests
+RADIUS server. You can bind all outgoing RADIUS requests to a single source IP
-to a single source IP e.g. the loopback interface.
+e.g. the loopback interface.
 
 .. cfgcmd:: set vpn sstp authentication radius source-address <address>
 
   Source IPv4 address used in all RADIUS server queires.
 
-.. note:: The ``source-address`` must be configured on one of VyOS interface.
+.. note:: The ``source-address`` must be configured to that of an interface.
    Best practice would be a loopback or dummy interface.
 
 RADIUS advanced options
@@ -191,7 +191,7 @@ RADIUS advanced options
   The default attribute is `Filter-Id`.
 
 .. note:: If you set a custom RADIUS attribute you must define it on both
-   dictionaries at RADIUS server and client.
+   dictionaries on the RADIUS server and client.
 
 .. cfgcmd:: set vpn sstp authentication radius rate-limit enable
 
@@ -199,7 +199,7 @@ RADIUS advanced options
 
 .. cfgcmd:: set vpn sstp authentication radius rate-limit vendor
 
-  Specifies the vendor dictionary, dictionary needs to be in
+  Specifies the vendor dictionary, This dictionary needs to be present in
   /usr/share/accel-ppp/radius.
 
 Received RADIUS attributes have a higher priority than parameters defined within
@@ -209,25 +209,28 @@ Allocation clients ip addresses by RADIUS
 =========================================
 
 If the RADIUS server sends the attribute ``Framed-IP-Address`` then this IP
-address will be allocated to the client and the option ``default-pool`` within the CLI
+address will be allocated to the client and the option ``default-pool`` within
-config is being ignored.
+the CLI config will being ignored.
 
-If the RADIUS server sends the attribute ``Framed-Pool``, IP address will be allocated
+If the RADIUS server sends the attribute ``Framed-Pool``, then the IP address
-from a predefined IP pool whose name equals the attribute value.
+will be allocated from a predefined IP pool whose name equals the attribute
+value.
 
-If the RADIUS server sends the attribute ``Stateful-IPv6-Address-Pool``, IPv6 address
+If the RADIUS server sends the attribute ``Stateful-IPv6-Address-Pool``, the
-will be allocated from a predefined IPv6 pool ``prefix`` whose name equals the attribute value.
+IPv6 address will be allocated from a predefined IPv6 pool ``prefix`` whose
+name equals the attribute value.
 
-If the RADIUS server sends the attribute ``Delegated-IPv6-Prefix-Pool``, IPv6
+If the RADIUS server sends the attribute ``Delegated-IPv6-Prefix-Pool``, an
-delegation pefix will be allocated from a predefined IPv6 pool ``delegate``
+IPv6 delegation prefix will be allocated from a predefined IPv6 pool ``delegate``
 whose name equals the attribute value.
 
 .. note:: ``Stateful-IPv6-Address-Pool`` and ``Delegated-IPv6-Prefix-Pool`` are defined in
           RFC6911. If they are not defined in your RADIUS server, add new dictionary_.
 
-User interface can be put to VRF context via RADIUS Access-Accept packet, or change
+The client's interface can be put into a VRF context via a RADIUS Access-Accept
-it via RADIUS CoA. ``Accel-VRF-Name`` is used from these purposes. It is custom `ACCEL-PPP attribute`_.
+packet, or changed via RADIUS CoA. ``Accel-VRF-Name`` is used for these
-Define it in your RADIUS server.
+purposes. This is a custom `ACCEL-PPP attribute`_. Define it in your RADIUS
+server.
 
 Renaming clients interfaces by RADIUS
 =====================================
@@ -254,19 +257,19 @@ IPv6
 .. cfgcmd:: set vpn sstp client-ipv6-pool <IPv6-POOL-NAME> prefix <address>
    mask <number-of-bits>
 
-  Use this comand to set the IPv6 address pool from which an SSTP client
+  Use this comand to set the IPv6 address pool from which an SSTP client will
-  will get an IPv6 prefix of your defined length (mask) to terminate the
+  get an IPv6 prefix of your defined length (mask) to terminate the SSTP
-  SSTP endpoint at their side. The mask length can be set from 48 to 128
+  endpoint at their side. The mask length can be set between 48 and 128 bits
-  bit long, the default value is 64.
+  long, the default value is 64.
 
 .. cfgcmd:: set vpn sstp client-ipv6-pool <IPv6-POOL-NAME> delegate <address>
    delegation-prefix <number-of-bits>
 
-  Use this command to configure DHCPv6 Prefix Delegation (RFC3633) on
+  Use this command to configure DHCPv6 Prefix Delegation (RFC3633) on SSTP. You
-  SSTP. You will have to set your IPv6 pool and the length of the
+  will have to set your IPv6 pool and the length of the delegation prefix. From
-  delegation prefix. From the defined IPv6 pool you will be handing out
+  the defined IPv6 pool you will be handing out networks of the defined length
-  networks of the defined length (delegation-prefix). The length of the
+  (delegation-prefix). The length of the delegation prefix can be set between 
-  delegation prefix can be set from 32 to 64 bit long.
+  32 and 64 bits long.
 
 .. cfgcmd:: set vpn sstp default-ipv6-pool <IPv6-POOL-NAME>
 
@@ -283,19 +286,19 @@ IPv6 Advanced Options
 =====================
 .. cfgcmd:: set vpn sstp ppp-options ipv6-accept-peer-interface-id
 
-  Accept peer interface identifier. By default is not defined.
+  Accept peer interface identifier. By default this is not defined.
 
 .. cfgcmd:: set vpn sstp ppp-options ipv6-interface-id <random | x:x:x:x>
 
-  Specifies fixed or random interface identifier for IPv6.
+  Specifies if a fixed or random interface identifier is used for IPv6. The
-  By default is fixed.
+  default is fixed.
 
   * **random** - Random interface identifier for IPv6
   * **x:x:x:x** - Specify interface identifier for IPv6
 
 .. cfgcmd:: set vpn sstp ppp-options ipv6-interface-id <random | x:x:x:x>
 
-  Specifies peer interface identifier for IPv6. By default is fixed.
+  Specifies the peer interface identifier for IPv6. The default is fixed.
 
   * **random** - Random interface identifier for IPv6
   * **x:x:x:x** - Specify interface identifier for IPv6
@@ -308,19 +311,19 @@ Scripting
 
 .. cfgcmd:: set vpn sstp extended-scripts on-change <path_to_script>
 
-  Script to run when session interface changed by RADIUS CoA handling
+  Script to run when the session interface is changed by RADIUS CoA handling
 
 .. cfgcmd:: set vpn sstp extended-scripts on-down <path_to_script>
 
-  Script to run when session interface going to terminate
+  Script to run when the session interface about to terminate
 
 .. cfgcmd:: set vpn sstp extended-scripts on-pre-up <path_to_script>
 
-  Script to run before session interface comes up
+  Script to run before the session interface comes up
 
 .. cfgcmd:: set vpn sstp extended-scripts on-up <path_to_script>
 
-  Script to run when session interface is completely configured and started
+  Script to run when the session interface is completely configured and started
 
 ****************
 Advanced Options
@@ -336,17 +339,17 @@ Authentication Advanced Options
 .. cfgcmd:: set vpn sstp authentication local-users username <user> static-ip
    <address>
 
-  Assign static IP address to `<user>` account.
+  Assign a static IP address to `<user>` account.
 
 .. cfgcmd:: set vpn sstp authentication local-users username <user> rate-limit
    download <bandwidth>
 
-  Download bandwidth limit in kbit/s for `<user>`.
+  Rate limit the download bandwidth for `<user>` to `<bandwidth>` kbit/s.
 
 .. cfgcmd:: set vpn sstp authentication local-users username <user> rate-limit
    upload <bandwidth>
 
-  Upload bandwidth limit in kbit/s for `<user>`.
+  Rate limit the upload bandwidth for `<user>` to `<bandwidth>` kbit/s.
 
 .. cfgcmd:: set vpn sstp authentication protocols
    <pap | chap | mschap | mschap-v2>
@@ -371,10 +374,10 @@ PPP Advanced Options
 
 .. cfgcmd:: set vpn sstp ppp-options interface-cache <number>
 
-  Specifies number of interfaces to keep in cache. It means that don’t
+  Specifies number of interfaces to cache. This prevents interfaces from being
-  destroy interface after corresponding session is destroyed, instead
+  removed once the corresponding session is destroyed. Instead, interfaces are
-  place it to cache and use it later for new sessions repeatedly.
+  cached for later use in new sessions. This should reduce the kernel-level
-  This should reduce kernel-level interface creation/deletion rate lack.
+  interface creation/deletion rate.
   Default value is **0**.
 
 .. cfgcmd:: set vpn sstp ppp-options ipv4 <require | prefer | allow | deny>
@@ -394,19 +397,20 @@ PPP Advanced Options
 .. cfgcmd:: set vpn sstp ppp-options lcp-echo-interval <interval>
 
   If this option is specified and is greater than 0, then the PPP module will
-  send LCP pings of the echo request every `<interval>` seconds.
+  send LCP echo requests every `<interval>` seconds.
   Default value is **30**.
 
 .. cfgcmd:: set vpn sstp ppp-options lcp-echo-timeout
 
-  Specifies timeout in seconds to wait for any peer activity. If this option
+  Specifies timeout in seconds to wait for any peer activity. If this option is
   specified it turns on adaptive lcp echo functionality and "lcp-echo-failure"
   is not used. Default value is **0**.
 
 .. cfgcmd:: set vpn sstp ppp-options min-mtu <number>
 
-  Defines minimum acceptable MTU. If client will try to negotiate less then
+  Defines the minimum acceptable MTU. If a client tries to negotiate an MTU
-  specified MTU then it will be NAKed or disconnected if rejects greater MTU.
+  lower than this it will be NAKed, and disconnected if it rejects a greater
+  MTU.
   Default value is **100**.
 
 .. cfgcmd:: set vpn sstp ppp-options mppe <require | prefer | deny>
@@ -418,7 +422,8 @@ PPP Advanced Options
   * **prefer** - ask client for mppe, if it rejects don't fail. (Default value)
   * **deny** - deny mppe
 
-  Default behavior - don't ask client for mppe, but allow it if client wants.
+  Default behavior - don't ask the client for mppe, but allow it if the client
+  wants.
   Please note that RADIUS may override this option by MS-MPPE-Encryption-Policy
   attribute.
 
@@ -439,7 +444,7 @@ Global Advanced options
 
 .. cfgcmd:: set vpn sstp limits connection-limit <value>
 
-  Acceptable rate of connections (e.g. 1/min, 60/sec)
+  Maximum accepted connection rate (e.g. 1/min, 60/sec)
 
 .. cfgcmd:: set vpn sstp limits timeout <value>
 
@@ -455,9 +460,9 @@ Global Advanced options
 
 .. cfgcmd:: set vpn sstp name-server <address>
 
-  Connected client should use `<address>` as their DNS server. This
+  Connected clients should use `<address>` as their DNS server. This command
-  command accepts both IPv4 and IPv6 addresses. Up to two nameservers
+  accepts both IPv4 and IPv6 addresses. Up to two nameservers can be configured
-  can be configured for IPv4, up to three for IPv6.
+  for IPv4, up to three for IPv6.
 
 .. cfgcmd:: set vpn sstp shaper fwmark <1-2147483647>