summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authoraapostoliuk <a.apostoliuk@vyos.io>2024-01-19 12:39:38 +0200
committerMergify <37929162+mergify[bot]@users.noreply.github.com>2024-01-22 10:53:21 +0000
commit3c6bb1ec30319703ae96347369cd594077c4628a (patch)
tree53433903bcc96a2fd1e1ef7c912bdd26e32bd0f6
parent5447c0509f5160db72065aaeac078639486aee68 (diff)
downloadvyos-documentation-3c6bb1ec30319703ae96347369cd594077c4628a.tar.gz
vyos-documentation-3c6bb1ec30319703ae96347369cd594077c4628a.zip
Updated DPD and close-action values in IPSEC
Changed from 'hold' to 'trap' and from 'restart' to 'start' in close-action. Changed from 'hold' to 'trap' in DPD action. (cherry picked from commit cfb7e8186d83e45092f361f9717c9542bfad053b)
-rw-r--r--docs/_static/images/IPSec_close_action_settings.jpgbin62330 -> 70253 bytes
-rw-r--r--docs/configuration/vpn/ipsec.rst12
-rw-r--r--docs/configuration/vpn/site2site_ipsec.rst12
3 files changed, 13 insertions, 11 deletions
diff --git a/docs/_static/images/IPSec_close_action_settings.jpg b/docs/_static/images/IPSec_close_action_settings.jpg
index 6996f857..a4e258cc 100644
--- a/docs/_static/images/IPSec_close_action_settings.jpg
+++ b/docs/_static/images/IPSec_close_action_settings.jpg
Binary files differ
diff --git a/docs/configuration/vpn/ipsec.rst b/docs/configuration/vpn/ipsec.rst
index 31d4adc3..f0c6c723 100644
--- a/docs/configuration/vpn/ipsec.rst
+++ b/docs/configuration/vpn/ipsec.rst
@@ -49,9 +49,9 @@ VyOS IKE group has the next options:
* ``none`` set action to none (default);
- * ``hold`` set action to hold;
+ * ``trap`` installs a trap policy for the CHILD_SA;
- * ``restart`` set action to restart;
+ * ``start`` tries to immediately re-create the CHILD_SA;
* ``dead-peer-detection`` controls the use of the Dead Peer Detection protocol
(DPD, RFC 3706) where R_U_THERE notification messages (IKEv1) or empty
@@ -60,11 +60,13 @@ VyOS IKE group has the next options:
* ``action`` keep-alive failure action:
- * ``hold`` set action to hold (default)
+ * ``trap`` installs a trap policy, which will catch matching traffic
+ and tries to re-negotiate the tunnel on-demand;
- * ``clear`` set action to clear;
+ * ``clear`` closes the CHILD_SA and does not take further action (default);
- * ``restart`` set action to restart;
+ * ``restart`` immediately tries to re-negotiate the CHILD_SA
+ under a fresh IKE_SA;
* ``interval`` keep-alive interval in seconds <2-86400> (default 30);
diff --git a/docs/configuration/vpn/site2site_ipsec.rst b/docs/configuration/vpn/site2site_ipsec.rst
index 23df1b76..78cadfb5 100644
--- a/docs/configuration/vpn/site2site_ipsec.rst
+++ b/docs/configuration/vpn/site2site_ipsec.rst
@@ -317,7 +317,7 @@ Imagine the following topology
set vpn ipsec esp-group ESP_DEFAULT proposal 10 encryption 'aes256gcm128'
set vpn ipsec esp-group ESP_DEFAULT proposal 10 hash 'sha256'
set vpn ipsec ike-group IKEv2_DEFAULT close-action 'none'
- set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection action 'hold'
+ set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection action 'trap'
set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection interval '30'
set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection timeout '120'
set vpn ipsec ike-group IKEv2_DEFAULT disable-mobike
@@ -357,7 +357,7 @@ Imagine the following topology
set vpn ipsec esp-group ESP_DEFAULT proposal 10 encryption 'aes256gcm128'
set vpn ipsec esp-group ESP_DEFAULT proposal 10 hash 'sha256'
set vpn ipsec ike-group IKEv2_DEFAULT close-action 'none'
- set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection action 'hold'
+ set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection action 'trap'
set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection interval '30'
set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection timeout '120'
set vpn ipsec ike-group IKEv2_DEFAULT disable-mobike
@@ -397,18 +397,18 @@ Key Parameters:
routes installed in the default table 220 for site-to-site ipsec.
It is mostly used with VTI configuration.
-* ``dead-peer-detection action = clear | hold | restart`` - R_U_THERE
+* ``dead-peer-detection action = clear | trap | restart`` - R_U_THERE
notification messages(IKEv1) or empty INFORMATIONAL messages (IKEv2)
are periodically sent in order to check the liveliness of the IPsec peer. The
- values clear, hold, and restart all activate DPD and determine the action to
+ values clear, trap, and restart all activate DPD and determine the action to
perform on a timeout.
With ``clear`` the connection is closed with no further actions taken.
- ``hold`` installs a trap policy, which will catch matching traffic and tries
+ ``trap`` installs a trap policy, which will catch matching traffic and tries
to re-negotiate the connection on demand.
``restart`` will immediately trigger an attempt to re-negotiate the
connection.
-* ``close-action = none | clear | hold | restart`` - defines the action to take
+* ``close-action = none | clear | trap | start`` - defines the action to take
if the remote peer unexpectedly closes a CHILD_SA (see above for meaning of
values). A closeaction should not be used if the peer uses reauthentication or
uniqueids.