summaryrefslogtreecommitdiff
path: root/docs/configuration/vpn
diff options
context:
space:
mode:
Diffstat (limited to 'docs/configuration/vpn')
-rw-r--r--docs/configuration/vpn/site2site_ipsec.rst49
1 files changed, 49 insertions, 0 deletions
diff --git a/docs/configuration/vpn/site2site_ipsec.rst b/docs/configuration/vpn/site2site_ipsec.rst
index e81c5c3b..9ddda340 100644
--- a/docs/configuration/vpn/site2site_ipsec.rst
+++ b/docs/configuration/vpn/site2site_ipsec.rst
@@ -344,3 +344,52 @@ Imagine the following topology
set vpn ipsec site-to-site peer 172.18.201.10 local-address '172.18.202.10'
set vpn ipsec site-to-site peer 172.18.201.10 vti bind 'vti10'
set vpn ipsec site-to-site peer 172.18.201.10 vti esp-group 'ESP_DEFAULT'
+
+Key Parameters:
+
+* ``authentication local-id/remote-id`` - IKE identification is used for
+ validation of VPN peer devices during IKE negotiation. If you do not configure
+ local/remote-identity, the device uses the IPv4 or IPv6 address that
+ corresponds to the local/remote peer by default.
+ In certain network setups (like ipsec interface with dynamic address, or
+ behind the NAT ), the IKE ID received from the peer does not match the IKE
+ gateway configured on the device. This can lead to a Phase 1 validation
+ failure.
+ So, make sure to configure the local/remote id explicitly and ensure that the
+ IKE ID is the same as the remote-identity configured on the peer device.
+
+* ``disable-route-autoinstall`` - This option when configured disables the
+ routes installed in the default table 220 for site-to-site ipsec.
+ It is mostly used with VTI configuration.
+
+* ``dead-peer-detection action = clear | hold | restart`` - R_U_THERE
+ notification messages(IKEv1) or empty INFORMATIONAL messages (IKEv2)
+ are periodically sent in order to check the liveliness of the IPsec peer. The
+ values clear, hold, and restart all activate DPD and determine the action to
+ perform on a timeout.
+ With ``clear`` the connection is closed with no further actions taken.
+ ``hold`` installs a trap policy, which will catch matching traffic and tries
+ to re-negotiate the connection on demand.
+ ``restart`` will immediately trigger an attempt to re-negotiate the
+ connection.
+
+* ``close-action = none | clear | hold | restart`` - defines the action to take
+ if the remote peer unexpectedly closes a CHILD_SA (see above for meaning of
+ values). A closeaction should not be used if the peer uses reauthentication or
+ uniqueids.
+
+ When the close-action option is set on the peers, the connection-type
+ of each peer has to considered carefully. For example, if the option is set
+ on both peers, then both would attempt to initiate and hold open multiple
+ copies of each child SA. This might lead to instability of the device or
+ cpu/memory utilization.
+
+ Below flow-chart could be a quick reference for the close-action
+ combination depending on how the peer is configured.
+
+.. figure:: /_static/images/IPSec_site-to-site_IKE_configuration.png
+ :width: 50%
+ :align: center
+
+ Similar combinations are applicable for the dead-peer-detection.
+