From b6b86f1946b75f14711b844c20ae14a25b0306e2 Mon Sep 17 00:00:00 2001 From: srividya0208 Date: Thu, 22 Dec 2022 01:06:10 -0500 Subject: ipsec_closeaction: added recommendation for closeaction options Added VPN IPSec connection-type recommendation for the close-action and dpd settings. For example close-action restart should not be added on both peers --- docs/_static/images/IPSec_close_action_settings.jpg | Bin 0 -> 62330 bytes docs/configuration/vpn/site2site_ipsec.rst | 19 +++++++++++++++---- 2 files changed, 15 insertions(+), 4 deletions(-) create mode 100644 docs/_static/images/IPSec_close_action_settings.jpg diff --git a/docs/_static/images/IPSec_close_action_settings.jpg b/docs/_static/images/IPSec_close_action_settings.jpg new file mode 100644 index 00000000..6996f857 Binary files /dev/null and b/docs/_static/images/IPSec_close_action_settings.jpg differ diff --git a/docs/configuration/vpn/site2site_ipsec.rst b/docs/configuration/vpn/site2site_ipsec.rst index 482c7130..72163b25 100644 --- a/docs/configuration/vpn/site2site_ipsec.rst +++ b/docs/configuration/vpn/site2site_ipsec.rst @@ -353,7 +353,7 @@ Key Parameters: * ``dead-peer-detection action = clear | hold | restart`` - R_U_THERE notification messages(IKEv1) or empty INFORMATIONAL messages (IKEv2) - are periodically sent in order to check the liveliness of theIPsec peer. The + are periodically sent in order to check the liveliness of the IPsec peer. The values clear, hold, and restart all activate DPD and determine the action to perform on a timeout. With ``clear`` the connection is closed with no further actions taken. 
@@ -367,6 +367,17 @@ Key Parameters: values). A closeaction should not be used if the peer uses reauthentication or uniqueids. - For a responder, close-action or dead-peer-detection must not be enabled. - For an initiator DPD with `restart` action, and `close-action 'restart'` - is recommended in IKE profile. + When the close-action option is set on the peers, the connection-type + of each peer has to considered carefully. For example, if the option is set + on both peers, then both would attempt to initiate and hold open multiple + copies of each child SA. This might lead to instability of the device or + cpu/memory utilization. + + Below flow-chart could be a quick reference for the close-action + combination depending on how the peer is configured. + +.. image:: /_static/images/IPSec_site-to-site_IKE_configuration.png + :width: 50% + :align: center + + Similar combinations are applicable for the dead-peer-detection. -- cgit v1.2.3
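Review bot: the image path in the new ``.. image::`` directive does not match the file this commit adds. The directive references ``/_static/images/IPSec_site-to-site_IKE_configuration.png``, while the diffstat and the ``create mode 100644`` line add ``docs/_static/images/IPSec_close_action_settings.jpg``; as written, Sphinx will emit an image-not-readable warning and the flow chart will not render. Change the directive to ``.. image:: /_static/images/IPSec_close_action_settings.jpg`` (or rename the added file to match). In the same added paragraph, "has to considered carefully" is missing "be", "Below flow-chart could be a quick reference" reads better as "The flow chart below is a quick reference", and "cpu/memory utilization" should be "CPU/memory utilization". Also, the two removed lines were the only place the responder/initiator guidance was stated in text; since an image is neither searchable nor accessible, consider keeping a one-sentence summary next to the chart (responder: no close-action or DPD; initiator: DPD ``restart`` with ``close-action restart``), and spelling out what "Similar combinations are applicable for the dead-peer-detection" means rather than leaving the reader to infer it from the picture.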