diff options
| author | Robert Göhler <github@ghlr.de> | 2024-01-25 15:19:04 +0100 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2024-01-25 15:19:04 +0100 |
| commit | 7d34dafb63d9746fb42c7e68f94dd716f2e7eba4 (patch) | |
| tree | f7ba92c9a7ab456be371054581421a7f42b4ac69 /docs/configuration/vpn/site2site_ipsec.rst | |
| parent | 7b23beeb3c3aea849f3663cf5dadbfeccb0c3029 (diff) | |
| parent | 3c6bb1ec30319703ae96347369cd594077c4628a (diff) | |
| download | vyos-documentation-7d34dafb63d9746fb42c7e68f94dd716f2e7eba4.tar.gz vyos-documentation-7d34dafb63d9746fb42c7e68f94dd716f2e7eba4.zip | |
Merge pull request #1253 from vyos/mergify/bp/sagitta/pr-1249
Updated DPD and close-action values in IPSEC (backport #1249)
Diffstat (limited to 'docs/configuration/vpn/site2site_ipsec.rst')
| -rw-r--r-- | docs/configuration/vpn/site2site_ipsec.rst | 12 |
1 files changed, 6 insertions, 6 deletions
diff --git a/docs/configuration/vpn/site2site_ipsec.rst b/docs/configuration/vpn/site2site_ipsec.rst index 23df1b76..78cadfb5 100644 --- a/docs/configuration/vpn/site2site_ipsec.rst +++ b/docs/configuration/vpn/site2site_ipsec.rst @@ -317,7 +317,7 @@ Imagine the following topology set vpn ipsec esp-group ESP_DEFAULT proposal 10 encryption 'aes256gcm128' set vpn ipsec esp-group ESP_DEFAULT proposal 10 hash 'sha256' set vpn ipsec ike-group IKEv2_DEFAULT close-action 'none' - set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection action 'hold' + set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection action 'trap' set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection interval '30' set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection timeout '120' set vpn ipsec ike-group IKEv2_DEFAULT disable-mobike @@ -357,7 +357,7 @@ Imagine the following topology set vpn ipsec esp-group ESP_DEFAULT proposal 10 encryption 'aes256gcm128' set vpn ipsec esp-group ESP_DEFAULT proposal 10 hash 'sha256' set vpn ipsec ike-group IKEv2_DEFAULT close-action 'none' - set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection action 'hold' + set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection action 'trap' set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection interval '30' set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection timeout '120' set vpn ipsec ike-group IKEv2_DEFAULT disable-mobike @@ -397,18 +397,18 @@ Key Parameters: routes installed in the default table 220 for site-to-site ipsec. It is mostly used with VTI configuration. -* ``dead-peer-detection action = clear | hold | restart`` - R_U_THERE +* ``dead-peer-detection action = clear | trap | restart`` - R_U_THERE notification messages(IKEv1) or empty INFORMATIONAL messages (IKEv2) are periodically sent in order to check the liveliness of the IPsec peer. The - values clear, hold, and restart all activate DPD and determine the action to + values clear, trap, and restart all activate DPD and determine the action to perform on a timeout. With ``clear`` the connection is closed with no further actions taken. - ``hold`` installs a trap policy, which will catch matching traffic and tries + ``trap`` installs a trap policy, which will catch matching traffic and tries to re-negotiate the connection on demand. ``restart`` will immediately trigger an attempt to re-negotiate the connection. -* ``close-action = none | clear | hold | restart`` - defines the action to take +* ``close-action = none | clear | trap | start`` - defines the action to take if the remote peer unexpectedly closes a CHILD_SA (see above for meaning of values). A closeaction should not be used if the peer uses reauthentication or uniqueids. |