diff options
author | Robert Göhler <github@ghlr.de> | 2022-12-27 21:01:28 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2022-12-27 21:01:28 +0100 |
commit | c5ee22ef8674298974f147bb16fa141ffef40cbc (patch) | |
tree | dea059c26c297dd82e8bd3023b44136d7e2fab3d /docs | |
parent | c6ec41d3742e4bb3ce0d0f95d7a64356958c05ff (diff) | |
parent | b6b86f1946b75f14711b844c20ae14a25b0306e2 (diff) | |
download | vyos-documentation-c5ee22ef8674298974f147bb16fa141ffef40cbc.tar.gz vyos-documentation-c5ee22ef8674298974f147bb16fa141ffef40cbc.zip |
Merge pull request #908 from srividya0208/close_action
ipsec_closeaction: added recommendation for closeaction options
Diffstat (limited to 'docs')
-rw-r--r-- | docs/_static/images/IPSec_close_action_settings.jpg | bin | 0 -> 62330 bytes | |||
-rw-r--r-- | docs/configuration/vpn/site2site_ipsec.rst | 19 |
2 files changed, 15 insertions, 4 deletions
diff --git a/docs/_static/images/IPSec_close_action_settings.jpg b/docs/_static/images/IPSec_close_action_settings.jpg Binary files differnew file mode 100644 index 00000000..6996f857 --- /dev/null +++ b/docs/_static/images/IPSec_close_action_settings.jpg diff --git a/docs/configuration/vpn/site2site_ipsec.rst b/docs/configuration/vpn/site2site_ipsec.rst index 482c7130..72163b25 100644 --- a/docs/configuration/vpn/site2site_ipsec.rst +++ b/docs/configuration/vpn/site2site_ipsec.rst @@ -353,7 +353,7 @@ Key Parameters: * ``dead-peer-detection action = clear | hold | restart`` - R_U_THERE notification messages(IKEv1) or empty INFORMATIONAL messages (IKEv2) - are periodically sent in order to check the liveliness of theIPsec peer. The + are periodically sent in order to check the liveliness of the IPsec peer. The values clear, hold, and restart all activate DPD and determine the action to perform on a timeout. With ``clear`` the connection is closed with no further actions taken. @@ -367,6 +367,17 @@ Key Parameters: values). A closeaction should not be used if the peer uses reauthentication or uniqueids. - For a responder, close-action or dead-peer-detection must not be enabled. - For an initiator DPD with `restart` action, and `close-action 'restart'` - is recommended in IKE profile. + When the close-action option is set on the peers, the connection-type + of each peer has to considered carefully. For example, if the option is set + on both peers, then both would attempt to initiate and hold open multiple + copies of each child SA. This might lead to instability of the device or + cpu/memory utilization. + + Below flow-chart could be a quick reference for the close-action + combination depending on how the peer is configured. + +.. image:: /_static/images/IPSec_site-to-site_IKE_configuration.png + :width: 50% + :align: center + + Similar combinations are applicable for the dead-peer-detection. |