 docs/_static/images/IPSec_close_action_settings.jpg | bin 62330 -> 70253 bytes
 docs/configuration/vpn/ipsec.rst                    | 12
 docs/configuration/vpn/site2site_ipsec.rst          | 12
 3 files changed, 13 insertions, 11 deletions
| diff --git a/docs/_static/images/IPSec_close_action_settings.jpg b/docs/_static/images/IPSec_close_action_settings.jpgBinary files differ index 6996f857..a4e258cc 100644 --- a/docs/_static/images/IPSec_close_action_settings.jpg +++ b/docs/_static/images/IPSec_close_action_settings.jpg diff --git a/docs/configuration/vpn/ipsec.rst b/docs/configuration/vpn/ipsec.rst index b6ee86af..fad69bc3 100644 --- a/docs/configuration/vpn/ipsec.rst +++ b/docs/configuration/vpn/ipsec.rst @@ -49,9 +49,9 @@ VyOS IKE group has the next options:   * ``none`` set action to none (default); - * ``hold`` set action to hold; + * ``trap`` installs a trap policy for the CHILD_SA; - * ``restart`` set action to restart; + * ``start`` tries to immediately re-create the CHILD_SA;  * ``dead-peer-detection`` controls the use of the Dead Peer Detection protocol     (DPD, RFC 3706) where R_U_THERE notification messages (IKEv1) or empty  @@ -60,11 +60,13 @@ VyOS IKE group has the next options:   * ``action`` keep-alive failure action: -  * ``hold`` set action to hold (default) +  * ``trap``  installs a trap policy, which will catch matching traffic +    and tries to re-negotiate the tunnel on-demand; -  * ``clear`` set action to clear; +  * ``clear`` closes the CHILD_SA and does not take further action (default); -  * ``restart`` set action to restart; +  * ``restart`` immediately tries to re-negotiate the CHILD_SA +    under a fresh IKE_SA;   * ``interval`` keep-alive interval in seconds <2-86400> (default 30); diff --git a/docs/configuration/vpn/site2site_ipsec.rst b/docs/configuration/vpn/site2site_ipsec.rst index 23df1b76..78cadfb5 100644 --- a/docs/configuration/vpn/site2site_ipsec.rst +++ b/docs/configuration/vpn/site2site_ipsec.rst 
@@ -317,7 +317,7 @@ Imagine the following topology    set vpn ipsec esp-group ESP_DEFAULT proposal 10 encryption 'aes256gcm128'    set vpn ipsec esp-group ESP_DEFAULT proposal 10 hash 'sha256'    set vpn ipsec ike-group IKEv2_DEFAULT close-action 'none' -  set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection action 'hold' +  set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection action 'trap'    set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection interval '30'    set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection timeout '120'    set vpn ipsec ike-group IKEv2_DEFAULT disable-mobike @@ -357,7 +357,7 @@ Imagine the following topology    set vpn ipsec esp-group ESP_DEFAULT proposal 10 encryption 'aes256gcm128'    set vpn ipsec esp-group ESP_DEFAULT proposal 10 hash 'sha256'    set vpn ipsec ike-group IKEv2_DEFAULT close-action 'none' -  set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection action 'hold' +  set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection action 'trap'    set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection interval '30'    set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection timeout '120'    set vpn ipsec ike-group IKEv2_DEFAULT disable-mobike 
@@ -397,18 +397,18 @@ Key Parameters:    routes installed in the default table 220 for site-to-site ipsec.    It is mostly used with VTI configuration. -* ``dead-peer-detection action = clear | hold | restart`` - R_U_THERE +* ``dead-peer-detection action = clear | trap | restart`` - R_U_THERE    notification messages(IKEv1) or empty INFORMATIONAL messages (IKEv2)    are periodically sent in order to check the liveliness of the IPsec peer. The -  values clear, hold, and restart all activate DPD and determine the action to +  values clear, trap, and restart all activate DPD and determine the action to    perform on a timeout.    With ``clear`` the connection is closed with no further actions taken. -  ``hold`` installs a trap policy, which will catch matching traffic and tries +  ``trap`` installs a trap policy, which will catch matching traffic and tries    to re-negotiate the connection on demand.    ``restart`` will immediately trigger an attempt to re-negotiate the    connection. -* ``close-action = none | clear | hold | restart`` - defines the action to take +* ``close-action = none | clear | trap | start`` - defines the action to take    if the remote peer unexpectedly closes a CHILD_SA (see above for meaning of    values). A closeaction should not be used if the peer uses reauthentication or    uniqueids. | 
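Review bot: in the ipsec.rst close-action hunk (`@@ -49,9 +49,9 @@`) the replacement for ``restart`` is spelled ``start``, while the dead-peer-detection hunk in the same file keeps ``restart`` for the equivalent action; please confirm both spellings are what the CLI actually accepts, and if the two option sets deliberately use different value names, say so in the text, because a reader will otherwise assume they share them. The ``trap`` entry here also says less than its DPD counterpart; consider aligning it to "``trap`` installs a trap policy, which will catch matching traffic and tries to re-negotiate the CHILD_SA on demand" so both places describe the same behaviour.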
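Review bot: in the dead-peer-detection action hunk (`@@ -60,11 +60,13 @@`) the documented default moves from ``hold`` to ``clear``, which is a behaviour change beyond the hold-to-trap rename; verify against the configuration code that ``clear`` is really the default now and state that in the commit message, otherwise the "(default)" marker belongs on ``trap``. Minor style point on the same hunk: `+  * ``trap``  installs a trap policy` has a double space after the literal.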
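Review bot: in the site2site_ipsec.rst Key Parameters hunk (`@@ -397,18 +397,18 @@`) the new line ``close-action = none | clear | trap | start`` tells the reader to "see above for meaning of values", but the paragraph above only explains ``clear``, ``trap`` and ``restart``, so ``start`` is left undefined; add a sentence such as "``start`` tries to immediately re-create the CHILD_SA", the wording already used in ipsec.rst. While touching these lines, two pre-existing nits could go too: "closeaction" should read ``close-action``, and "liveliness" should be "liveness".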
