ipsec: T7504: Added retransmission documentation (#1661)

Added retransmission documentation

Co-authored-by: aapostoliuk <aapostoliuk@vyos.io>

docs/configuration/policy/prefix-list.rst

@@ -15,7 +15,7 @@ Prefix filtering can be done using prefix-list and prefix-list6.
 Configuration
 *************
 
-Prefix Lists
+IPv4 Prefix Lists (prefix-list)
 ============
 
 .. cfgcmd:: set policy prefix-list <text>
@@ -46,7 +46,7 @@ Prefix Lists
 
    Netmask less than length
 
-Example: Prefix Lists
+Example: IPv4 Prefix Lists (prefix-list)
 ============
 
 This example creates an IPv4 prefix-list named PL4-EXAMPLE-NAME, defines 3 
@@ -62,7 +62,7 @@ rules each with 1 prefix, and matches le (less than/equal to) /32.
 .. cfgcmd:: set policy prefix-list PL4-EXAMPLE-NAME rule 30 le '32'
 .. cfgcmd:: set policy prefix-list PL4-EXAMPLE-NAME rule 30 prefix '203.0.113.0/24'
 
-IPv6 Prefix Lists
+IPv6 Prefix Lists (prefix-list6)
 =================
 
 .. cfgcmd:: set policy prefix-list6 <text>
@@ -94,3 +94,19 @@ IPv6 Prefix Lists
 .. cfgcmd:: set policy prefix-list6 <text> rule <1-65535> le <0-128>
 
    Netmask less than length
+
+Example: IPv6 Prefix Lists (prefix-list6)
+============
+
+This example creates an IPv6 prefix-list6 named PL6-EXAMPLE-NAME, defines 3 
+rules each with 1 prefix, and matches le (less than/equal to) /128.
+
+.. cfgcmd:: set policy prefix-list6 PL6-EXAMPLE-NAME rule 10 action 'permit'
+.. cfgcmd:: set policy prefix-list6 PL6-EXAMPLE-NAME rule 10 le '128'
+.. cfgcmd:: set policy prefix-list6 PL6-EXAMPLE-NAME rule 10 prefix '2001:db8:0:0::/64'
+.. cfgcmd:: set policy prefix-list6 PL6-EXAMPLE-NAME rule 20 action 'permit'
+.. cfgcmd:: set policy prefix-list6 PL6-EXAMPLE-NAME rule 20 le '128'
+.. cfgcmd:: set policy prefix-list6 PL6-EXAMPLE-NAME rule 20 prefix '2001:db8:0:1::/64'
+.. cfgcmd:: set policy prefix-list6 PL6-EXAMPLE-NAME rule 30 action 'permit'
+.. cfgcmd:: set policy prefix-list6 PL6-EXAMPLE-NAME rule 30 le '128'
+.. cfgcmd:: set policy prefix-list6 PL6-EXAMPLE-NAME rule 30 prefix '2001:db8:0:2::/64'

docs/configuration/vpn/ipsec/ipsec_general.rst

@@ -106,7 +106,7 @@ every configured interval. The remote peer is considered unreachable
 if no response to these packets is received within the DPD timeout.
 In IKEv2, DPD sends messages every configured interval. If one request
 is not responded, Strongswan execute its retransmission algorithm with
-its timers. https://docs.strongswan.org/docs/5.9/config/retransmission.html
+its timers.  `IKEv2 Retransmission`_
 
 *****************
 Configuration IKE
@@ -306,3 +306,47 @@ Options
 .. cfgcmd:: set vpn ipsec options virtual-ip
 
   Allows the installation of virtual-ip addresses.
+
+IKEv2 Retransmission
+====================
+
+If the peer does not respond on DPD packet, the router starts retransmission procedure.
+
+The following formula is used to calculate the timeout:
+
+.. code-block:: none
+
+  relative timeout = timeout * base ^ (attempts-1)
+
+.. cfgcmd:: set vpn ipsec options retransmission attempts
+
+  Number of attempts before the peer is considered to be in the down state.
+  Default value is **5**.
+
+.. cfgcmd:: set vpn ipsec options retransmission base
+
+  Base number of exponential backoff. Default value is **1.8**.
+
+.. cfgcmd:: set vpn ipsec options retransmission timeout
+
+  Timeout in seconds before the first retransmission. Default value is **4**.
+
+Using the default values, packets are retransmitted as follows:
+
++-----------+-------------+------------------+------------------+
+| Attempts  | Formula     | Relative timeout | Absolute timeout |
++-----------+-------------+------------------+------------------+
+| 1         | 4 * 1.8 ^ 0 | 4s               | 4s               |
++-----------+-------------+------------------+------------------+
+| 2         | 4 * 1.8 ^ 1 | 7s               | 11s              |
++-----------+-------------+------------------+------------------+
+| 3         | 4 * 1.8 ^ 2 | 13s              | 24s              |
++-----------+-------------+------------------+------------------+
+| 4         | 4 * 1.8 ^ 3 | 23s              | 47s              |
++-----------+-------------+------------------+------------------+
+| 5         | 4 * 1.8 ^ 4 | 42s              | 89s              |
++-----------+-------------+------------------+------------------+
+| peer down | 4 * 1.8 ^ 5 | 76s              | 165s             |
++-----------+-------------+------------------+------------------+
+
+