vyos/vyos-documentation
1
0
Fork 0
mirror of https://github.com/vyos/vyos-documentation.git synced 2025-10-26 08:41:46 +01:00
Code Issues Packages Projects Releases Wiki Activity

ipsec: T7504: Added retransmission documentation (#1661)

Browse Source 
Added retransmission documentation

Co-authored-by: aapostoliuk <aapostoliuk@vyos.io>
This commit is contained in:
aapostoliuk 2025-07-24 17:29:39 +03:00 committed by GitHub
parent 5507e1855d
commit f39b25611e
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed files with 45 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

46
docs/configuration/vpn/ipsec/ipsec_general.rst
View File

@ -106,7 +106,7 @@ every configured interval. The remote peer is considered unreachable
if no response to these packets is received within the DPD timeout. if no response to these packets is received within the DPD timeout.
In IKEv2, DPD sends messages every configured interval. If one request In IKEv2, DPD sends messages every configured interval. If one request
is not responded, Strongswan execute its retransmission algorithm with is not responded, Strongswan execute its retransmission algorithm with
its timers. https://docs.strongswan.org/docs/5.9/config/retransmission.html its timers. `IKEv2 Retransmission`_
***************** *****************
Configuration IKE Configuration IKE
@ -306,3 +306,47 @@ Options
.. cfgcmd:: set vpn ipsec options virtual-ip .. cfgcmd:: set vpn ipsec options virtual-ip
Allows the installation of virtual-ip addresses. Allows the installation of virtual-ip addresses.
IKEv2 Retransmission
====================
If the peer does not respond on DPD packet, the router starts retransmission procedure.
The following formula is used to calculate the timeout:
.. code-block:: none
relative timeout = timeout * base ^ (attempts-1)
.. cfgcmd:: set vpn ipsec options retransmission attempts
Number of attempts before the peer is considered to be in the down state.
Default value is **5**.
.. cfgcmd:: set vpn ipsec options retransmission base
Base number of exponential backoff. Default value is **1.8**.
.. cfgcmd:: set vpn ipsec options retransmission timeout
Timeout in seconds before the first retransmission. Default value is **4**.
Using the default values, packets are retransmitted as follows:
+-----------+-------------+------------------+------------------+
| Attempts | Formula | Relative timeout | Absolute timeout |
+-----------+-------------+------------------+------------------+
| 1 | 4 * 1.8 ^ 0 | 4s | 4s |
+-----------+-------------+------------------+------------------+
| 2 | 4 * 1.8 ^ 1 | 7s | 11s |
+-----------+-------------+------------------+------------------+
| 3 | 4 * 1.8 ^ 2 | 13s | 24s |
+-----------+-------------+------------------+------------------+
| 4 | 4 * 1.8 ^ 3 | 23s | 47s |
+-----------+-------------+------------------+------------------+
| 5 | 4 * 1.8 ^ 4 | 42s | 89s |
+-----------+-------------+------------------+------------------+
| peer down | 4 * 1.8 ^ 5 | 76s | 165s |
+-----------+-------------+------------------+------------------+