From e96e7bc19ae96568818d9f3726c22427aa7baa39 Mon Sep 17 00:00:00 2001 From: Christian Breunig Date: Mon, 22 Jul 2024 12:26:46 +0200 Subject: ipsec: T6599: add CLI documentation to disable ESP re-key (cherry picked from commit 284b5b8e9bec10f4e69c0add321361a832d39b66) --- docs/configuration/vpn/ipsec.rst | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/docs/configuration/vpn/ipsec.rst b/docs/configuration/vpn/ipsec.rst index ddacbbfe..5e44312d 100644 --- a/docs/configuration/vpn/ipsec.rst +++ b/docs/configuration/vpn/ipsec.rst @@ -14,7 +14,7 @@ protocols without having to modify IPsec policies. The other advantage is that it greatly simplifies router to router communication, which can be tricky with plain IPsec because the external outgoing address of the router usually doesn't match the IPsec policy of a typical site-to-site setup and you would need to -add special configuration for it, or adjust the source address of the outgoing +add special configuration for it, or adjust the source address of the outgoing traffic of your applications. GRE/IPsec has no such problem and is completely transparent for applications. @@ -158,6 +158,9 @@ VyOS ESP group has the next options: * ``hash`` hash algorithm (default sha1). + * ``disable-rekey`` Do not locally initiate a re-key of the SA, remote + peer must re-key before expiration. + *********************************************** Options (Global IPsec settings) Attributes *********************************************** 
@@ -181,9 +184,9 @@ Options (Global IPsec settings) Attributes virtual IP addresses should be installed. If not specified the addresses will be installed on the outbound interface; - * ``virtual-ip`` Allows the installation of virtual-ip addresses. A comma + * ``virtual-ip`` Allows the installation of virtual-ip addresses. A comma separated list of virtual IPs to request in IKEv2 configuration payloads or - IKEv1 Mode Config. The wildcard addresses 0.0.0.0 and :: request an + IKEv1 Mode Config. The wildcard addresses 0.0.0.0 and :: request an arbitrary address, specific addresses may be defined. The responder may return a different address, or none at all. Define the ``virtual-address`` option to configure the IP address in a site-to-site hierarchy. @@ -641,7 +644,7 @@ Operation Mode .. opcmd:: reset vpn ipsec site-to-site all - Reset all site-to-site IPSec VPN sessions. It terminates all active + Reset all site-to-site IPSec VPN sessions. It terminates all active child_sa and reinitiates the connection. .. opcmd:: reset vpn ipsec site-to-site peer -- cgit v1.2.3
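Review bot: the first hunk (@@ -14,7 +14,7 @@) and the last two (@@ -181,9 +184,9 @@ and @@ -641,7 +644,7 @@) only strip trailing whitespace from lines that are otherwise unchanged; they have nothing to do with T6599 and account for four of the seven insertions in the diffstat. Consider leaving whitespace cleanup to a separate commit so the cherry-pick and blame history stay focused on the ``disable-rekey`` documentation.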
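Review bot: in the @@ -158,6 +158,9 @@ hunk the new entry reads "Do not locally initiate a re-key of the SA, remote peer must re-key before expiration", which is a comma splice and leaves the consequence unstated. Readers of an ESP-group option need to know what happens when the remote side does not re-key in time (the SA expires and traffic stops until a new SA is negotiated), and, matching the "(default sha1)" style used for ``hash`` above it, that re-keying is initiated locally by default. Something like:

  * ``disable-rekey`` Do not locally initiate a re-key of the SA; the remote
    peer must re-key before the SA expires, otherwise the tunnel drops until
    a new SA is negotiated (re-key is initiated locally by default).

Also pick one spelling: the option is ``disable-rekey`` while the description says "re-key".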