
Adding ipsec ike closeaction
Backport candidate, Requires assessment | Public | FEATURE REQUEST

Description

If we have remote peers behind NAT, they never reconnect when they receive an action to close a CHILD_SA.
This happens if we configure HQ and, before the restart, strongSwan generates an action to close the CHILD_SA.

From the strongSwan docs:

closeaction = none | clear | hold | restart
defines the action to take if the remote peer unexpectedly closes a CHILD_SA (see dpdaction for
meaning of values). A closeaction should not be used if the peer uses reauthentication or uniqueids checking,
as these events might trigger the defined action when not desired. Prior to 5.1.0, closeaction was
not supported for IKEv1 connections.

Proposed syntax:

vyos@PEER3# set vpn ipsec ike-group TAG close-action 
Possible completions:
   none         Set action to none (default)
   hold         Set action to hold
   clear        Set action to clear
   restart      Set action to restart

Details

Difficulty level
Unknown (require assessment)
Version
-
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Perfectly compatible
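
The strongSwan note quoted in the description warns against combining closeaction with reauthentication or uniqueids checking. The following is an added example, not code from VyOS or strongSwan: a small check over an ipsec.conf-style file that flags connections where that combination appears. It assumes the ipsec.conf defaults `reauth=yes` and `uniqueids=yes`, does not resolve `also=` includes, and treats the local file as representative of the peer's settings; the sample configuration and connection names are constructed.

```python
# Constructed sample ipsec.conf; connection names are hypothetical.
SAMPLE = """\
config setup
    uniqueids=no

conn %default
    keyexchange=ikev2
conn hq-to-peer3
    closeaction=restart
    reauth=no

conn hq-to-peer4
    closeaction=restart
"""

def parse(text):
    """Return {section: {key: value}} for 'config setup' and 'conn NAME' blocks."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        if not raw[0].isspace():                  # unindented line opens a section
            current = sections.setdefault(" ".join(line.split()), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return sections

def risky_closeaction(text):
    """List (conn, reasons) where closeaction is set alongside reauth/uniqueids."""
    s = parse(text)
    uniqueids = s.get("config setup", {}).get("uniqueids", "yes")  # assumed default
    defaults = s.get("conn %default", {})
    findings = []
    for name, opts in s.items():
        if not name.startswith("conn ") or name == "conn %default":
            continue
        eff = {**defaults, **opts}                # %default values, then overrides
        if eff.get("closeaction", "none") == "none":
            continue
        reasons = []
        if eff.get("reauth", "yes") == "yes":     # assumed default: reauth=yes
            reasons.append("reauth=yes")
        if uniqueids not in ("no", "never"):      # any other value enforces uniqueness
            reasons.append("uniqueids=" + uniqueids)
        if reasons:
            findings.append((name[5:], reasons))
    return findings
```

Calling `risky_closeaction(SAMPLE)` reports only `hq-to-peer4`, because it inherits the default `reauth=yes` while `hq-to-peer3` disables reauthentication explicitly.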

Event Timeline

Dmitry claimed this task. Thu, Oct 31, 7:30 AM
Dmitry created this task.
syncer changed the task status from Open to Backport candidate. Sat, Nov 2, 5:28 PM
syncer edited projects, added VyOS 1.2 Crux (VyOS 1.2.4); removed VyOS 1.2 Crux.
syncer moved this task from Need Triage to Finished on the VyOS 1.3 Equuleus board.
pasik added a subscriber: pasik. Mon, Nov 4, 9:51 AM