| field | value | date |
|---|---|---|
| author | srividya0208 <a.srividya@vyos.io> | 2022-12-22 01:06:10 -0500 |
| committer | srividya0208 <a.srividya@vyos.io> | 2022-12-26 09:26:32 -0500 |
| commit | b6b86f1946b75f14711b844c20ae14a25b0306e2 (patch) | |
| tree | 47bb6fdf455e8add746bc3e5a4a3c4f773c21a65 | |
| parent | aade883e244075b3ac6678b64c9da7929e74192a (diff) | |
ipsec_closeaction: added recommendation for closeaction options
Added VPN IPSec connection-type recommendation for the close-action and
dpd settings.
For example, close-action restart should not be added on both peers.
-rw-r--r-- | docs/_static/images/IPSec_close_action_settings.jpg | bin | 0 -> 62330 bytes
-rw-r--r-- | docs/configuration/vpn/site2site_ipsec.rst | 19
2 files changed, 15 insertions, 4 deletions
diff --git a/docs/_static/images/IPSec_close_action_settings.jpg b/docs/_static/images/IPSec_close_action_settings.jpg Binary files differnew file mode 100644 index 00000000..6996f857 --- /dev/null +++ b/docs/_static/images/IPSec_close_action_settings.jpg diff --git a/docs/configuration/vpn/site2site_ipsec.rst b/docs/configuration/vpn/site2site_ipsec.rst index 482c7130..72163b25 100644 --- a/docs/configuration/vpn/site2site_ipsec.rst +++ b/docs/configuration/vpn/site2site_ipsec.rst @@ -353,7 +353,7 @@ Key Parameters: * ``dead-peer-detection action = clear | hold | restart`` - R_U_THERE notification messages(IKEv1) or empty INFORMATIONAL messages (IKEv2) - are periodically sent in order to check the liveliness of theIPsec peer. The + are periodically sent in order to check the liveliness of the IPsec peer. The values clear, hold, and restart all activate DPD and determine the action to perform on a timeout. With ``clear`` the connection is closed with no further actions taken. @@ -367,6 +367,17 @@ Key Parameters: values). A closeaction should not be used if the peer uses reauthentication or uniqueids. - For a responder, close-action or dead-peer-detection must not be enabled. - For an initiator DPD with `restart` action, and `close-action 'restart'` - is recommended in IKE profile. + When the close-action option is set on the peers, the connection-type + of each peer has to considered carefully. For example, if the option is set + on both peers, then both would attempt to initiate and hold open multiple + copies of each child SA. This might lead to instability of the device or + cpu/memory utilization. + + Below flow-chart could be a quick reference for the close-action + combination depending on how the peer is configured. + +.. image:: /_static/images/IPSec_site-to-site_IKE_configuration.png + :width: 50% + :align: center + + Similar combinations are applicable for the dead-peer-detection. |
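Review bot: in the second hunk of `site2site_ipsec.rst`, the new `.. image::` directive points at `/_static/images/IPSec_site-to-site_IKE_configuration.png`, but the only image this commit adds (per the diffstat and the first file in the diff) is `docs/_static/images/IPSec_close_action_settings.jpg`. Unless that PNG already exists in the tree, the Sphinx build will warn about a missing image and the page will render without the flowchart; the directive should reference `/_static/images/IPSec_close_action_settings.jpg` (or the PNG should be added). Same hunk: the removed lines were the only plain-text statement of the rule (`- For a responder, close-action or dead-peer-detection must not be enabled.` and the initiator recommendation), and the replacement carries that guidance only inside a picture, so readers relying on text search, screen readers or the text-only rendering lose it; keep at least a one-sentence textual summary next to the image, for instance the rule already given in the commit message that `close-action restart` must not be set on both peers. The closing sentence `Similar combinations are applicable for the dead-peer-detection.` is too vague to act on; state which DPD action the chart's close-action rows map to. Wording nits in the added paragraph: `has to considered carefully` is missing `be`; `Below flow-chart could be a quick reference` reads better as `The flow chart below is a quick reference`; and `instability of the device or cpu/memory utilization` should say `instability of the device or high CPU/memory utilization`, since utilization by itself is not the problem being described.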