author: Robert Göhler <github@ghlr.de> 2022-12-27 21:01:28 +0100
committer: GitHub <noreply@github.com> 2022-12-27 21:01:28 +0100
commit: c5ee22ef8674298974f147bb16fa141ffef40cbc (patch)
tree: dea059c26c297dd82e8bd3023b44136d7e2fab3d /docs
parent: c6ec41d3742e4bb3ce0d0f95d7a64356958c05ff (diff)
parent: b6b86f1946b75f14711b844c20ae14a25b0306e2 (diff)
Merge pull request #908 from srividya0208/close_action
ipsec_closeaction: added recommendation for closeaction options
Diffstat (limited to 'docs')
-rw-r--r-- docs/_static/images/IPSec_close_action_settings.jpg   bin 0 -> 62330 bytes
-rw-r--r-- docs/configuration/vpn/site2site_ipsec.rst            19
2 files changed, 15 insertions, 4 deletions
diff --git a/docs/_static/images/IPSec_close_action_settings.jpg b/docs/_static/images/IPSec_close_action_settings.jpg
new file mode 100644
index 00000000..6996f857
--- /dev/null
+++ b/docs/_static/images/IPSec_close_action_settings.jpg
Binary files differ
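Review bot: the binary added here, docs/_static/images/IPSec_close_action_settings.jpg, is not referenced anywhere in this patch; the only image directive the .rst hunk adds points at /_static/images/IPSec_site-to-site_IKE_configuration.png. Either the directive should be changed to reference this file, or the jpg is an unused 62 KB binary being committed to the repository; one of the two should be fixed before merge.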
diff --git a/docs/configuration/vpn/site2site_ipsec.rst b/docs/configuration/vpn/site2site_ipsec.rst
index 482c7130..72163b25 100644
--- a/docs/configuration/vpn/site2site_ipsec.rst
+++ b/docs/configuration/vpn/site2site_ipsec.rst
@@ -353,7 +353,7 @@ Key Parameters:
* ``dead-peer-detection action = clear | hold | restart`` - R_U_THERE
notification messages(IKEv1) or empty INFORMATIONAL messages (IKEv2)
- are periodically sent in order to check the liveliness of theIPsec peer. The
+ are periodically sent in order to check the liveliness of the IPsec peer. The
values clear, hold, and restart all activate DPD and determine the action to
perform on a timeout.
With ``clear`` the connection is closed with no further actions taken.
@@ -367,6 +367,17 @@ Key Parameters:
values). A closeaction should not be used if the peer uses reauthentication or
uniqueids.
- For a responder, close-action or dead-peer-detection must not be enabled.
- For an initiator DPD with `restart` action, and `close-action 'restart'`
- is recommended in IKE profile.
+ When the close-action option is set on the peers, the connection-type
+ of each peer has to considered carefully. For example, if the option is set
+ on both peers, then both would attempt to initiate and hold open multiple
+ copies of each child SA. This might lead to instability of the device or
+ cpu/memory utilization.
+
+ Below flow-chart could be a quick reference for the close-action
+ combination depending on how the peer is configured.
+
+.. image:: /_static/images/IPSec_site-to-site_IKE_configuration.png
+ :width: 50%
+ :align: center
+
+ Similar combinations are applicable for the dead-peer-detection.
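Review bot: the `.. image::` directive and its `:width:`/`:align:` options are added at column 0 while the surrounding bullet text is indented by one space, so in reStructuredText the directive terminates the `close-action` list item and the following indented line `Similar combinations are applicable for the dead-peer-detection.` will render as a block quote rather than as part of the item; indent the directive and its options one space to keep them inside the bullet. The hunk also drops the concrete guidance the removed lines carried (a responder should enable neither close-action nor dead-peer-detection; an initiator should use DPD `restart` together with `close-action 'restart'`) and replaces it with a flow-chart only, which is lost in text-only output; suggest keeping that one-line recommendation in prose next to the image. The referenced PNG is not the file this patch adds, so the figure will not render unless that PNG already exists in `_static/images`. Minor wording: "has to considered" should read "has to be considered", "instability of the device or cpu/memory utilization" should read "instability of the device or high CPU/memory utilization", and "Below flow-chart could be a quick reference" reads better as "The flow-chart below is a quick reference".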