Feature #11576

Add IPsec GUI option to control Child SA "start_action"

Added by Jim Pingle about 1 month ago. Updated 25 days ago.

Status: New
Priority: Normal
Assignee:
Category: IPsec
Target version:
Start date: 02/28/2021
Due date:
% Done: 0%
Estimated time:
Release Notes: Default

Description

Currently we set the child SA start option automatically depending on a few different factors, but it would be nice to give the user a little more control over it.

Right now we set:

  • Mobile: start_action = none
  • VTI: start_action = start
  • Tunnel mode: start_action = trap
  • Responder mode forces start_action = none

The available choices are:

  • none (Does nothing except load the configuration)
  • start (immediately attempts to initiate)
  • trap (installs trap policies to initiate on demand)

The valid choices depend on the above, since not all options make sense.

  • Mobile: none (it can't initiate)
  • VTI: none, start (VTI is not compatible with trap policies)
  • Tunnel mode: none, start, trap

Since there is some functionality overlap with "Responder Only" mode maybe it could be combined with that into a drop down named "Initiation" or similar with the following options:

  • Automatic: Current default behavior
  • Responder Only: Always sets 'none'
  • Initiate Immediately: Sets 'start' for tunnel and VTI
  • Initiate On Demand (Tunnel Mode Only): Sets 'trap' for tunnel

The last option may be redundant since it's identical to the 'automatic' behavior for tunnel mode but users may expect to see it so we could include it for completeness.
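The following is an added example, not pfSense code (the pfSense code base is PHP; this is a stand-alone Python model). It encodes the matrix above: the current automatic defaults per phase 2 kind, the start_action values each kind can validly use, and the proposed "Initiation" drop-down mapped onto them, then renders the resulting swanctl.conf children fragment. The snake_case option identifiers, the function names, and the decision to reject an invalid combination with an error rather than silently fall back are assumptions made for the example.

```python
"""Resolve the strongSwan child SA start_action for a pfSense IPsec phase 2
entry, following the matrix in Feature #11576.

Added example; not pfSense's own code.  Mode names, defaults and allowed
actions come from the issue text; identifiers and error handling are
assumptions for this illustration.
"""

# Phase 2 kinds named in the issue.
MODES = ("mobile", "vti", "tunnel")

# Current automatic behaviour: Mobile none, VTI start, Tunnel mode trap.
AUTOMATIC_DEFAULT = {"mobile": "none", "vti": "start", "tunnel": "trap"}

# start_action values that make sense for each kind (mobile cannot
# initiate; VTI is not compatible with trap policies).
ALLOWED = {
    "mobile": {"none"},
    "vti": {"none", "start"},
    "tunnel": {"none", "start", "trap"},
}

# Proposed "Initiation" drop-down entries (snake_case names are assumed).
INITIATION_CHOICES = (
    "automatic",             # current default behaviour
    "responder_only",        # always 'none'
    "initiate_immediately",  # 'start' for tunnel and VTI
    "initiate_on_demand",    # 'trap' for tunnel only
)


def resolve_start_action(mode, initiation="automatic", responder_only=False):
    """Return the start_action swanctl.conf should receive.

    `responder_only` models the existing "Responder Only" checkbox, which
    the issue says forces start_action = none regardless of mode.
    """
    if mode not in MODES:
        raise ValueError("unknown phase 2 mode: %r" % (mode,))
    if initiation not in INITIATION_CHOICES:
        raise ValueError("unknown initiation choice: %r" % (initiation,))

    if responder_only or initiation == "responder_only":
        action = "none"
    elif initiation == "automatic":
        action = AUTOMATIC_DEFAULT[mode]
    elif initiation == "initiate_immediately":
        action = "start"
    else:  # initiate_on_demand
        action = "trap"

    # Refuse combinations the issue says do not make sense (trap on VTI,
    # start on mobile) instead of writing an unusable configuration.
    if action not in ALLOWED[mode]:
        raise ValueError(
            "start_action=%s is not valid for %s (allowed: %s)"
            % (action, mode, sorted(ALLOWED[mode]))
        )
    return action


def allowed_initiation_choices(mode):
    """Drop-down entries the GUI could offer for a mode: those that
    resolve to a valid start_action for it."""
    choices = []
    for choice in INITIATION_CHOICES:
        try:
            resolve_start_action(mode, choice)
        except ValueError:
            continue
        choices.append(choice)
    return choices


def render_child(name, mode, initiation="automatic", responder_only=False):
    """Render a minimal swanctl.conf children block carrying the resolved
    start_action (only that key; a real entry has many more)."""
    action = resolve_start_action(mode, initiation, responder_only)
    return (
        "children {\n"
        "    %s {\n"
        "        start_action = %s\n"
        "    }\n"
        "}\n" % (name, action)
    )


if __name__ == "__main__":
    for m in MODES:
        print(m, "->", allowed_initiation_choices(m))
    print(render_child("con1", "tunnel", "initiate_on_demand"))
```

Run stand-alone it prints, for each phase 2 kind, which drop-down entries resolve to a usable start_action, then a sample children block. Folding "Responder Only" into the same resolver makes the precedence explicit: the checkbox (or the drop-down's Responder Only entry) wins over every other choice, which is the behaviour the description states.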

History

#1 Updated by Marcos Mendoza 25 days ago

Something that's somewhat confusing (even now with "Child SA Close Action") is what exactly the default is. This could be better left to either the field description and/or docs.

As for the field name, "Initiation" sounds nice, though maybe it's worth sticking closer to what's being changed - e.g. "Child SA Start Action" or "Tunnel Start Behavior". Then along in the field description, include what the default setting is.

#2 Updated by Jim Pingle 25 days ago

Marcos Mendoza wrote:

Something that's somewhat confusing (even now with "Child SA Close Action") is what exactly the default is. This could be better left to either the field description and/or docs.

That's not so easy to say because mostly the answer is "it depends" for start action and close action. Tunnel mode does one thing, VTI does another, mobile does another. Options are limited by specific modes/features and so on. So not only does the default depend on those, but the available choices as well since some modes aren't capable of using certain options (as laid out above).

It may be too long for the description even to cover the possible matrix of choices so it may need to link to a doc which can lay it all out in more detail.
