From af2af9b50f437bf0ac79d294b7ae49408221ba03 Mon Sep 17 00:00:00 2001 From: srividya0208 Date: Sun, 24 Apr 2022 14:46:53 -0400 Subject: deletion of note related to nat Removed the note from the firewall page as nat grouping is not added yet Added the information about new option 'none' in the site-to-site ipsec vpn page --- docs/configuration/firewall/index.rst | 2 -- docs/configuration/vpn/site2site_ipsec.rst | 7 +++++-- 2 files changed, 5 insertions(+), 4 deletions(-) (limited to 'docs') diff --git a/docs/configuration/firewall/index.rst b/docs/configuration/firewall/index.rst index 6bc362ea..c2b47c80 100644 --- a/docs/configuration/firewall/index.rst +++ b/docs/configuration/firewall/index.rst @@ -154,8 +154,6 @@ either a source or destination. Members can be added or removed from a group without changes to, or the need to reload, individual firewall rules. -.. note:: Groups can also be referenced by NAT configuration. - Groups need to have unique names. Even though some contain IPv4 addresses and others contain IPv6 addresses, they still need to have unique names, so you may want to append "-v4" or "-v6" to your group diff --git a/docs/configuration/vpn/site2site_ipsec.rst b/docs/configuration/vpn/site2site_ipsec.rst index aace98aa..2fa59dc1 100644 --- a/docs/configuration/vpn/site2site_ipsec.rst +++ b/docs/configuration/vpn/site2site_ipsec.rst @@ -74,16 +74,19 @@ Each site-to-site peer has the next options: * ``connection-type`` - how to handle this connection process. Possible variants: - * ``initiate`` - do initial connection to remote peer immediately after + * ``initiate`` - does initial connection to remote peer immediately after configuring and after boot. In this mode the connection will not be restarted in case of disconnection, therefore should be used only together with DPD or another session tracking methods; - * ``respond`` - do not try to initiate a connection to a remote peer. In this + * ``respond`` - does not try to initiate a connection to a remote peer. In this mode, the IPSec session will be established only after initiation from a remote peer. Could be useful when there is no direct connectivity to the peer due to firewall or NAT in the middle of the local and remote side. + * ``none`` - loads the connection only, which then can be manually initiated or + used as a responder configuration. + * ``default-esp-group`` - ESP group to use by default for traffic encryption. Might be overwritten by individual settings for tunnel or VTI interface binding; -- cgit v1.2.3