author: srividya0208 <a.srividya@vyos.io> 2022-12-22 01:06:10 -0500
committer: srividya0208 <a.srividya@vyos.io> 2022-12-26 09:26:32 -0500
commit: b6b86f1946b75f14711b844c20ae14a25b0306e2
tree: 47bb6fdf455e8add746bc3e5a4a3c4f773c21a65
parent: aade883e244075b3ac6678b64c9da7929e74192a
ipsec_closeaction: added recommendation for closeaction options
Added VPN IPSec connection-type recommendation for the close-action and dpd settings. For example, close-action restart should not be added on both peers.
-rw-r--r-- docs/_static/images/IPSec_close_action_settings.jpg (bin, 0 -> 62330 bytes)
-rw-r--r-- docs/configuration/vpn/site2site_ipsec.rst (19)
2 files changed, 15 insertions, 4 deletions
diff --git a/docs/_static/images/IPSec_close_action_settings.jpg b/docs/_static/images/IPSec_close_action_settings.jpg
new file mode 100644
index 00000000..6996f857
--- /dev/null
+++ b/docs/_static/images/IPSec_close_action_settings.jpg
Binary files differ
diff --git a/docs/configuration/vpn/site2site_ipsec.rst b/docs/configuration/vpn/site2site_ipsec.rst
index 482c7130..72163b25 100644
--- a/docs/configuration/vpn/site2site_ipsec.rst
+++ b/docs/configuration/vpn/site2site_ipsec.rst
@@ -353,7 +353,7 @@ Key Parameters:
* ``dead-peer-detection action = clear | hold | restart`` - R_U_THERE
notification messages(IKEv1) or empty INFORMATIONAL messages (IKEv2)
- are periodically sent in order to check the liveliness of theIPsec peer. The
+ are periodically sent in order to check the liveliness of the IPsec peer. The
values clear, hold, and restart all activate DPD and determine the action to
perform on a timeout.
With ``clear`` the connection is closed with no further actions taken.
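Review bot: the context line just above the corrected one has the same spacing defect that this hunk fixes: "notification messages(IKEv1)" is missing the space before the opening parenthesis. Since the commit already touches this sentence, change it to "notification messages (IKEv1)" in the same hunk rather than leaving one of the two typos behind.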
@@ -367,6 +367,17 @@ Key Parameters:
values). A closeaction should not be used if the peer uses reauthentication or
uniqueids.
- For a responder, close-action or dead-peer-detection must not be enabled.
- For an initiator DPD with `restart` action, and `close-action 'restart'`
- is recommended in IKE profile.
+ When the close-action option is set on the peers, the connection-type
+ of each peer has to considered carefully. For example, if the option is set
+ on both peers, then both would attempt to initiate and hold open multiple
+ copies of each child SA. This might lead to instability of the device or
+ cpu/memory utilization.
+
+ Below flow-chart could be a quick reference for the close-action
+ combination depending on how the peer is configured.
+
+.. image:: /_static/images/IPSec_site-to-site_IKE_configuration.png
+ :width: 50%
+ :align: center
+
+ Similar combinations are applicable for the dead-peer-detection.
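Review bot: the image path in the new ``.. image::`` directive does not match the file this commit adds. The patch adds ``docs/_static/images/IPSec_close_action_settings.jpg`` (new file, 62330 bytes), but the directive references ``/_static/images/IPSec_site-to-site_IKE_configuration.png``, which is not part of this change; unless that PNG already exists in the tree, the Sphinx build will warn and the flow-chart will not render. Either point the directive at the file actually added (``.. image:: /_static/images/IPSec_close_action_settings.jpg``) or drop the unused JPG from the commit. Second, the directive and its ``:width:``/``:align:`` options start at column 0 while the surrounding bullet text is indented by one space, so in reStructuredText the directive terminates the ``close-action`` list item and the trailing "Similar combinations are applicable for the dead-peer-detection." line turns into an indented block quote instead of continuing the bullet; indent the directive, its options and the trailing sentence to the bullet's text column. Third, the added prose needs grammar fixes: "has to considered carefully" should read "has to be considered carefully", "Below flow-chart could be a quick reference" reads better as "The flow-chart below can serve as a quick reference", and "This might lead to instability of the device or cpu/memory utilization" should say "instability of the device or high CPU/memory utilization". Finally, the two removed lines stated a concrete rule (no close-action or dead-peer-detection on the responder; DPD ``restart`` plus ``close-action restart`` on the initiator), and the replacement text defers entirely to an image; keep a one-sentence textual version of the initiator/responder rule so the recommendation survives for readers of the plain-text source and for screen readers.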