ipsec: T7594: Change connection-type to trap for all peers and configurations (#1719)

The previous 'connection-type respond' option in IPsec site-to-site peers was misleading - instead of passively waiting for peer initiation, it would initiate negotiation when matching traffic appeared, potentially causing SA duplication and renegotiation loops.
2025-12-13 09:02:02 +01:00 · 2025-12-09 19:42:19 +03:00 · 2025-12-09 19:42:19 +03:00 · 2b5de5f181
commit 2b5de5f181
parent b9560fe135
5 changed files with 30 additions and 12 deletions
--- a/docs/configexamples/azure-vpn-bgp.rst
+++ b/docs/configexamples/azure-vpn-bgp.rst
@ -105,7 +105,7 @@ Vyos configuration
  set vpn ipsec site-to-site peer azure authentication local-id '198.51.100.3'
  set vpn ipsec site-to-site peer 203.0.113.2 authentication mode 'pre-shared-secret'
  set vpn ipsec site-to-site peer 203.0.113.2 authentication remote-id '203.0.113.2'
-  set vpn ipsec site-to-site peer 203.0.113.2 connection-type 'respond'
+  set vpn ipsec site-to-site peer 203.0.113.2 connection-type 'initiate'
  set vpn ipsec site-to-site peer 203.0.113.2 description 'AZURE PRIMARY TUNNEL'
  set vpn ipsec site-to-site peer 203.0.113.2 ike-group 'AZURE'
  set vpn ipsec site-to-site peer 203.0.113.2 ikev2-reauth 'inherit'
--- a/docs/configexamples/azure-vpn-dual-bgp.rst
+++ b/docs/configexamples/azure-vpn-dual-bgp.rst
@ -110,7 +110,7 @@ Vyos configuration
  set vpn ipsec site-to-site peer azure-primary authentication local-id '198.51.100.3'
  set vpn ipsec site-to-site peer azure-primary authentication mode 'pre-shared-secret'
  set vpn ipsec site-to-site peer azure-primary authentication remote-id '203.0.113.2'
-  set vpn ipsec site-to-site peer azure-primary connection-type 'respond'
+  set vpn ipsec site-to-site peer azure-primary connection-type 'initiate'
  set vpn ipsec site-to-site peer azure-primary description 'AZURE PRIMARY TUNNEL'
  set vpn ipsec site-to-site peer azure-primary ike-group 'AZURE'
  set vpn ipsec site-to-site peer azure-primary ikev2-reauth 'inherit'
@ -122,7 +122,7 @@ Vyos configuration
  set vpn ipsec site-to-site peer azure-secondary authentication local-id '198.51.100.3'
  set vpn ipsec site-to-site peer azure-secondary authentication mode 'pre-shared-secret'
  set vpn ipsec site-to-site peer azure-secondary authentication remote-id '203.0.113.3'
-  set vpn ipsec site-to-site peer azure-secondary connection-type 'respond'
+  set vpn ipsec site-to-site peer azure-secondary connection-type 'initiate'
  set vpn ipsec site-to-site peer azure-secondary description 'AZURE secondary TUNNEL'
  set vpn ipsec site-to-site peer azure-secondary ike-group 'AZURE'
  set vpn ipsec site-to-site peer azure-secondary ikev2-reauth 'inherit'
--- a/docs/configexamples/policy-based-ipsec-and-firewall.rst
+++ b/docs/configexamples/policy-based-ipsec-and-firewall.rst
@ -106,7 +106,7 @@ IPSec configuration:
    set vpn ipsec ike-group IKE-GROUP proposal 1 hash 'sha256'
    set vpn ipsec interface 'eth0'
    set vpn ipsec site-to-site peer LEFT authentication mode 'pre-shared-secret'
-    set vpn ipsec site-to-site peer LEFT connection-type 'respond'
+    set vpn ipsec site-to-site peer LEFT connection-type 'none'
    set vpn ipsec site-to-site peer LEFT default-esp-group 'ESP-GROUP'
    set vpn ipsec site-to-site peer LEFT ike-group 'IKE-GROUP'
    set vpn ipsec site-to-site peer LEFT local-address '192.0.2.130'
--- a/docs/configuration/vpn/ipsec/site2site_ipsec.rst
+++ b/docs/configuration/vpn/ipsec/site2site_ipsec.rst
@ -285,14 +285,32 @@ Global Peer Configuration Commands
    after configuring and after boot. In this mode the connection will
    not be restarted in case of disconnection, therefore should be used
    only together with DPD or another session tracking methods.
-  * **respond** - does not try to initiate a connection to a remote
-    peer. In this mode, the IPsec session will be established only
-    after initiation from a remote peer. Could be useful when there
-    is no direct connectivity to the peer due to firewall or NAT in
-    the middle of the local and remote side.
+
+  * **trap** - does not try to initiate a connection to a remote
+    peer immediately. Instead, it installs a trap policy that will
+    trigger IKE negotiation and establish the IPsec session when
+    matching traffic is sent from the local side. This can be useful
+    when there is no direct connectivity to the peer due to firewall
+    or NAT in the middle of the local and remote side.
+
+    .. warning:: The ``trap`` mode is not needed in most environments 
+       and can lead to connection confusion or unintended tunnel uptime 
+       behavior if used incorrectly. Using this mode requires careful
+       coordination with parameters such as ``close-action`` and DPD.
+       For most deployments, use ``initiate`` and ``none`` as described below.
+
  * **none** - loads the connection only, which then can be manually
    initiated or used as a responder configuration.

+  .. note:: For most site-to-site VPNs, configure one peer
+     with ``connection-type initiate`` (active side) and the other peer
+     with ``connection-type none`` (passive side) to
+     ensure stable and predictable tunnel behavior.
+     When using ``connection-type initiate``, you must also configure
+     DPD or another session tracking method (such as ``close-action``)
+     to automatically re-establish the tunnel after a disconnection.
+     Otherwise, the tunnel will not reconnect automatically if it goes down.
+
 .. cfgcmd:: set vpn ipsec site-to-site peer <name> default-esp-group <name>

  Name of ESP group to use by default for traffic encryption.
@ -566,7 +584,7 @@ Policy-Based VPN Example
  set vpn ipsec site-to-site peer PEER1 authentication local-id '10.0.2.2'
  set vpn ipsec site-to-site peer PEER1 authentication mode 'pre-shared-secret'
  set vpn ipsec site-to-site peer PEER1 authentication remote-id '10.0.1.2'
-  set vpn ipsec site-to-site peer PEER1 connection-type 'respond'
+  set vpn ipsec site-to-site peer PEER1 connection-type 'none'
  set vpn ipsec site-to-site peer PEER1 default-esp-group 'ESP-GRPOUP'
  set vpn ipsec site-to-site peer PEER1 ike-group 'IKE-GROUP'
  set vpn ipsec site-to-site peer PEER1 local-address '10.0.2.2'
@ -696,7 +714,7 @@ Route-Based VPN Example
  set vpn ipsec site-to-site peer PEER1 authentication local-id '10.0.2.2'
  set vpn ipsec site-to-site peer PEER1 authentication mode 'pre-shared-secret'
  set vpn ipsec site-to-site peer PEER1 authentication remote-id '10.0.1.2'
-  set vpn ipsec site-to-site peer PEER1 connection-type 'respond'
+  set vpn ipsec site-to-site peer PEER1 connection-type 'none'
  set vpn ipsec site-to-site peer PEER1 default-esp-group 'ESP-GRPOUP'
  set vpn ipsec site-to-site peer PEER1 ike-group 'IKE-GROUP'
  set vpn ipsec site-to-site peer PEER1 local-address '10.0.2.2'
--- a/docs/configuration/vpn/rsa-keys.rst
+++ b/docs/configuration/vpn/rsa-keys.rst
@ -77,7 +77,7 @@ On the LEFT (static address):
  set vpn ipsec site-to-site peer @RIGHT default-esp-group MyESPGroup
  set vpn ipsec site-to-site peer @RIGHT ike-group MyIKEGroup
  set vpn ipsec site-to-site peer @RIGHT local-address 192.0.2.10
-  set vpn ipsec site-to-site peer @RIGHT connection-type respond
+  set vpn ipsec site-to-site peer @RIGHT connection-type none
  set vpn ipsec site-to-site peer @RIGHT tunnel 1 local prefix 192.168.99.1/32  # Additional loopback address on the local
  set vpn ipsec site-to-site peer @RIGHT tunnel 1 remote prefix 192.168.99.2/32 # Additional loopback address on the remote