Project

General

Profile

Actions

Feature #11576

closed

IPsec GUI option to control Child SA ``start_action``

Added by Jim Pingle about 3 years ago. Updated almost 3 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Category:
IPsec
Target version:
Start date:
02/28/2021
Due date:
% Done:

100%

Estimated time:
Plus Target Version:
21.05
Release Notes:
Default

Description

Currently we set the child SA start option automatically depending on a few different factors, but it would be nice to give the user a little more control over it.

Right now we set:

  • Mobile: start_action = none
  • VTI: start_action = start
  • Tunnel mode: start_action = trap
  • Responder mode forces start_action = none

The available choices are:

  • none (Does nothing except load the configuration)
  • start (immediately attempts to initiate)
  • trap (installs trap policies to initiate on demand)

The valid choices depend on the above, since not all options make sense.

  • Mobile: none (it can't initiate)
  • VTI: none, start (VTI is not compatible with trap policies)
  • Tunnel mode: none, start, trap

Since there is some functionality overlap with "Responder Only" mode maybe it could be combined with that into a drop down named "Initiation" or similar with the following options:

  • Automatic: Current default behavior
  • Responder Only: Always sets 'none'
  • Initiate Immediately: Sets 'start' for tunnel and VTI
  • Initiate On Demand (Tunnel Mode Only): Sets 'trap' for tunnel

The last option may be redundant since it's identical to the 'automatic' behavior for tunnel mode but users may expect to see it so we could include it for completeness.

Actions #1

Updated by Marcos M about 3 years ago

Something that's somewhat confusing (even now with "Child SA Close Action") is what exactly the default is. This could be better left to either the field description and/or docs.

As for the field name, "Initiation" sounds nice, though maybe it's worth sticking closer to what's being changed - e.g. "Child SA Start Action" or "Tunnel Start Behavior". Then along in the field description, include what the default setting is.

Actions #2

Updated by Jim Pingle about 3 years ago

Marcos Mendoza wrote:

Something that's somewhat confusing (even now with "Child SA Close Action") is what exactly the default is. This could be better left to either the field description and/or docs.

That's not so easy to say because mostly the answer is "it depends" for start action and close action. Tunnel mode does one thing, VTI does another, mobile does another. Options are limited by specific modes/features and so on. So not only does the default depend on those, but the available choices as well since some modes aren't capable of using certain options (as laid out above).

It may be too long for the description even to cover the possible matrix of choices so it may need to link to a doc which can lay it all out in more detail.

Actions #3

Updated by Jim Pingle almost 3 years ago

  • Status changed from New to In Progress
Actions #4

Updated by Jim Pingle almost 3 years ago

  • Status changed from In Progress to Feedback
  • % Done changed from 0 to 100
Actions #5

Updated by Jim Pingle almost 3 years ago

  • Status changed from Feedback to In Progress

Input validation isn't quite right, GUI control is hidden for mobile tunnels but the validation still throws an error saying it's set.

Actions #6

Updated by Jim Pingle almost 3 years ago

  • Status changed from In Progress to Feedback
Actions #7

Updated by Jim Pingle almost 3 years ago

  • Plus Target Version set to 21.05
Actions #8

Updated by Jim Pingle almost 3 years ago

Already in 21.05 branch.

Actions #9

Updated by Jim Pingle almost 3 years ago

  • Subject changed from Add IPsec GUI option to control Child SA "start_action" to IPsec GUI option to control Child SA ``start_action``

Updating subject for release notes.

Actions #10

Updated by Jim Pingle almost 3 years ago

  • Target version changed from 2.6.0 to 2.5.2
Actions #11

Updated by Jim Pingle almost 3 years ago

  • Status changed from Feedback to Closed
Actions

Also available in: Atom PDF