diff options
| author | Christian Breunig <christian@breunig.cc> | 2024-07-22 12:26:46 +0200 |
|---|---|---|
| committer | Christian Breunig <christian@breunig.cc> | 2024-07-22 12:26:46 +0200 |
| commit | 284b5b8e9bec10f4e69c0add321361a832d39b66 (patch) | |
| tree | c7a59787c6175906ad38c1858a3ee1d5a86f004b | |
| parent | 64cf8032d6551c0b0412d0b501106723d2ac56d8 (diff) | |
| download | vyos-documentation-284b5b8e9bec10f4e69c0add321361a832d39b66.tar.gz vyos-documentation-284b5b8e9bec10f4e69c0add321361a832d39b66.zip | |
ipsec: T6599: add CLI documentation to disable ESP re-key
| -rw-r--r-- | docs/configuration/vpn/ipsec.rst | 11 |
1 files changed, 7 insertions, 4 deletions
diff --git a/docs/configuration/vpn/ipsec.rst b/docs/configuration/vpn/ipsec.rst index ddacbbfe..5e44312d 100644 --- a/docs/configuration/vpn/ipsec.rst +++ b/docs/configuration/vpn/ipsec.rst @@ -14,7 +14,7 @@ protocols without having to modify IPsec policies. The other advantage is that it greatly simplifies router to router communication, which can be tricky with plain IPsec because the external outgoing address of the router usually doesn't match the IPsec policy of a typical site-to-site setup and you would need to -add special configuration for it, or adjust the source address of the outgoing +add special configuration for it, or adjust the source address of the outgoing traffic of your applications. GRE/IPsec has no such problem and is completely transparent for applications. @@ -158,6 +158,9 @@ VyOS ESP group has the next options: * ``hash`` hash algorithm (default sha1). + * ``disable-rekey`` Do not locally initiate a re-key of the SA, remote + peer must re-key before expiration. + *********************************************** Options (Global IPsec settings) Attributes *********************************************** @@ -181,9 +184,9 @@ Options (Global IPsec settings) Attributes virtual IP addresses should be installed. If not specified the addresses will be installed on the outbound interface; - * ``virtual-ip`` Allows the installation of virtual-ip addresses. A comma + * ``virtual-ip`` Allows the installation of virtual-ip addresses. A comma separated list of virtual IPs to request in IKEv2 configuration payloads or - IKEv1 Mode Config. The wildcard addresses 0.0.0.0 and :: request an + IKEv1 Mode Config. The wildcard addresses 0.0.0.0 and :: request an arbitrary address, specific addresses may be defined. The responder may return a different address, or none at all. Define the ``virtual-address`` option to configure the IP address in a site-to-site hierarchy. @@ -641,7 +644,7 @@ Operation Mode .. opcmd:: reset vpn ipsec site-to-site all - Reset all site-to-site IPSec VPN sessions. It terminates all active + Reset all site-to-site IPSec VPN sessions. It terminates all active child_sa and reinitiates the connection. .. opcmd:: reset vpn ipsec site-to-site peer <name> |