vyos/vyos-documentation
1
0
Fork 0
mirror of https://github.com/vyos/vyos-documentation.git synced 2025-10-26 08:41:46 +01:00
Code Issues Packages Projects Releases Wiki Activity

Updated DPD and close-action values in IPSEC

Browse Source 
Changed from 'hold' to 'trap' and from 'restart' to 'start'
in close-action.
Changed from 'hold' to 'trap' in DPD action.
This commit is contained in:
aapostoliuk 2024-01-19 12:39:38 +02:00
parent eeffa32cf0
commit cfb7e8186d
3 changed files with 13 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

BIN
docs/_static/images/IPSec_close_action_settings.jpg vendored
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 61 KiB

After

Width:  |  Height:  |  Size: 69 KiB

12
docs/configuration/vpn/ipsec.rst
View File

@ -49,9 +49,9 @@ VyOS IKE group has the next options:
* ``none`` set action to none (default); * ``none`` set action to none (default);
* ``hold`` set action to hold; * ``trap`` installs a trap policy for the CHILD_SA;
* ``restart`` set action to restart; * ``start`` tries to immediately re-create the CHILD_SA;
* ``dead-peer-detection`` controls the use of the Dead Peer Detection protocol * ``dead-peer-detection`` controls the use of the Dead Peer Detection protocol
(DPD, RFC 3706) where R_U_THERE notification messages (IKEv1) or empty (DPD, RFC 3706) where R_U_THERE notification messages (IKEv1) or empty
@ -60,11 +60,13 @@ VyOS IKE group has the next options:
* ``action`` keep-alive failure action: * ``action`` keep-alive failure action:
* ``hold`` set action to hold (default) * ``trap`` installs a trap policy, which will catch matching traffic
and tries to re-negotiate the tunnel on-demand;
* ``clear`` set action to clear; * ``clear`` closes the CHILD_SA and does not take further action (default);
* ``restart`` set action to restart; * ``restart`` immediately tries to re-negotiate the CHILD_SA
under a fresh IKE_SA;
* ``interval`` keep-alive interval in seconds <2-86400> (default 30); * ``interval`` keep-alive interval in seconds <2-86400> (default 30);

12
docs/configuration/vpn/site2site_ipsec.rst
View File

@ -317,7 +317,7 @@ Imagine the following topology
set vpn ipsec esp-group ESP_DEFAULT proposal 10 encryption 'aes256gcm128' set vpn ipsec esp-group ESP_DEFAULT proposal 10 encryption 'aes256gcm128'
set vpn ipsec esp-group ESP_DEFAULT proposal 10 hash 'sha256' set vpn ipsec esp-group ESP_DEFAULT proposal 10 hash 'sha256'
set vpn ipsec ike-group IKEv2_DEFAULT close-action 'none' set vpn ipsec ike-group IKEv2_DEFAULT close-action 'none'
set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection action 'hold' set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection action 'trap'
set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection interval '30' set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection interval '30'
set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection timeout '120' set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection timeout '120'
set vpn ipsec ike-group IKEv2_DEFAULT disable-mobike set vpn ipsec ike-group IKEv2_DEFAULT disable-mobike
@ -357,7 +357,7 @@ Imagine the following topology
set vpn ipsec esp-group ESP_DEFAULT proposal 10 encryption 'aes256gcm128' set vpn ipsec esp-group ESP_DEFAULT proposal 10 encryption 'aes256gcm128'
set vpn ipsec esp-group ESP_DEFAULT proposal 10 hash 'sha256' set vpn ipsec esp-group ESP_DEFAULT proposal 10 hash 'sha256'
set vpn ipsec ike-group IKEv2_DEFAULT close-action 'none' set vpn ipsec ike-group IKEv2_DEFAULT close-action 'none'
set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection action 'hold' set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection action 'trap'
set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection interval '30' set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection interval '30'
set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection timeout '120' set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection timeout '120'
set vpn ipsec ike-group IKEv2_DEFAULT disable-mobike set vpn ipsec ike-group IKEv2_DEFAULT disable-mobike
@ -397,18 +397,18 @@ Key Parameters:
routes installed in the default table 220 for site-to-site ipsec. routes installed in the default table 220 for site-to-site ipsec.
It is mostly used with VTI configuration. It is mostly used with VTI configuration.
* ``dead-peer-detection action = clear | hold | restart`` - R_U_THERE * ``dead-peer-detection action = clear | trap | restart`` - R_U_THERE
notification messages(IKEv1) or empty INFORMATIONAL messages (IKEv2) notification messages(IKEv1) or empty INFORMATIONAL messages (IKEv2)
are periodically sent in order to check the liveliness of the IPsec peer. The are periodically sent in order to check the liveliness of the IPsec peer. The
values clear, hold, and restart all activate DPD and determine the action to values clear, trap, and restart all activate DPD and determine the action to
perform on a timeout. perform on a timeout.
With ``clear`` the connection is closed with no further actions taken. With ``clear`` the connection is closed with no further actions taken.
``hold`` installs a trap policy, which will catch matching traffic and tries ``trap`` installs a trap policy, which will catch matching traffic and tries
to re-negotiate the connection on demand. to re-negotiate the connection on demand.
``restart`` will immediately trigger an attempt to re-negotiate the ``restart`` will immediately trigger an attempt to re-negotiate the
connection. connection.
* ``close-action = none | clear | hold | restart`` - defines the action to take * ``close-action = none | clear | trap | start`` - defines the action to take
if the remote peer unexpectedly closes a CHILD_SA (see above for meaning of if the remote peer unexpectedly closes a CHILD_SA (see above for meaning of
values). A closeaction should not be used if the peer uses reauthentication or values). A closeaction should not be used if the peer uses reauthentication or
uniqueids. uniqueids.