Feature #11576
IPsec GUI option to control Child SA ``start_action``
Status: Closed (100% done)
Description
Currently we set the child SA start option automatically depending on a few different factors, but it would be nice to give the user a little more control over it.
Right now we set:
- Mobile: start_action = none
- VTI: start_action = start
- Tunnel mode: start_action = trap
- Responder mode forces start_action = none
The available choices are:
- none (Does nothing except load the configuration)
- start (immediately attempts to initiate)
- trap (installs trap policies to initiate on demand)
The valid choices depend on the above, since not all options make sense.
- Mobile: none (it can't initiate)
- VTI: none, start (VTI is not compatible with trap policies)
- Tunnel mode: none, start, trap
Since there is some functionality overlap with "Responder Only" mode maybe it could be combined with that into a drop down named "Initiation" or similar with the following options:
- Automatic: Current default behavior
- Responder Only: Always sets 'none'
- Initiate Immediately: Sets 'start' for tunnel and VTI
- Initiate On Demand (Tunnel Mode Only): Sets 'trap' for tunnel
The last option may be redundant since it's identical to the 'automatic' behavior for tunnel mode but users may expect to see it so we could include it for completeness.
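To make the mode/option matrix above concrete, here is an added Python example (not pfSense code; the mode names, drop-down values and function names are assumptions chosen for the illustration). It resolves the strongSwan child ``start_action`` value from the proposed "Initiation" drop-down, lists which choices each mode should offer, and skips the form check entirely for mobile tunnels, where the control is hidden, so that a stale submitted value is not reported as an error.

```python
"""Resolve strongSwan child SA ``start_action`` from an 'Initiation' drop-down.

Added illustration for this issue page; not pfSense code. The mode names,
drop-down values and function names below are assumptions for the example.
"""

# Child SA modes referenced in the issue (assumed identifiers).
MODE_TUNNEL = "tunnel"
MODE_VTI = "vti"
MODE_MOBILE = "mobile"

# Proposed drop-down choices (assumed identifiers).
INIT_AUTO = "automatic"
INIT_RESPONDER_ONLY = "responder-only"
INIT_IMMEDIATE = "initiate-immediately"
INIT_ON_DEMAND = "initiate-on-demand"

# "Automatic" reproduces the current hard-coded defaults.
_AUTOMATIC = {
    MODE_MOBILE: "none",   # mobile peers initiate; the server cannot
    MODE_VTI: "start",     # VTI is not compatible with trap policies
    MODE_TUNNEL: "trap",   # install trap policies, initiate on demand
}

# strongSwan values each mode is actually able to use.
_ALLOWED_ACTIONS = {
    MODE_MOBILE: {"none"},
    MODE_VTI: {"none", "start"},
    MODE_TUNNEL: {"none", "start", "trap"},
}

# Explicit drop-down choices and the start_action each one sets.
_EXPLICIT = {
    INIT_RESPONDER_ONLY: "none",
    INIT_IMMEDIATE: "start",
    INIT_ON_DEMAND: "trap",
}


def initiation_choices(mode):
    """Drop-down entries the GUI should offer for ``mode``.

    Mobile returns an empty list: the control is hidden because the only
    legal value is forced to 'none'.
    """
    if mode not in _ALLOWED_ACTIONS:
        raise ValueError(f"unknown mode: {mode!r}")
    if mode == MODE_MOBILE:
        return []
    choices = [INIT_AUTO]
    choices += [c for c, action in _EXPLICIT.items()
                if action in _ALLOWED_ACTIONS[mode]]
    return choices


def resolve_start_action(mode, initiation=INIT_AUTO):
    """Return the swanctl ``start_action`` value for a mode/choice pair."""
    if mode not in _AUTOMATIC:
        raise ValueError(f"unknown mode: {mode!r}")
    if initiation == INIT_AUTO:
        return _AUTOMATIC[mode]
    action = _EXPLICIT.get(initiation)
    if action is None:
        raise ValueError(f"unknown initiation choice: {initiation!r}")
    if action not in _ALLOWED_ACTIONS[mode]:
        raise ValueError(
            f"{initiation} is not valid for {mode} mode "
            f"(start_action={action} not supported)")
    return action


def validate_initiation(mode, submitted):
    """Form validation: return a list of error strings (empty when valid).

    For mobile the control is hidden, so whatever value arrives with the
    form is ignored instead of being flagged as set.
    """
    if mode == MODE_MOBILE:
        return []
    try:
        resolve_start_action(mode, submitted)
    except ValueError as exc:
        return [str(exc)]
    return []


def swanctl_child_line(mode, initiation=INIT_AUTO):
    """Render the single swanctl.conf child option the GUI would emit."""
    return f"start_action = {resolve_start_action(mode, initiation)}"


if __name__ == "__main__":
    for m in (MODE_TUNNEL, MODE_VTI, MODE_MOBILE):
        print(m, initiation_choices(m), swanctl_child_line(m))
```

Note that "Initiate On Demand" for tunnel mode resolves to the same ``trap`` value as "Automatic", matching the redundancy the description points out.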
Updated by Marcos M over 3 years ago
Something that's somewhat confusing (even now with "Child SA Close Action") is what exactly the default is. This could be better left to either the field description and/or docs.
As for the field name, "Initiation" sounds nice, though maybe it's worth sticking closer to what's being changed - e.g. "Child SA Start Action" or "Tunnel Start Behavior". Then along in the field description, include what the default setting is.
Updated by Jim Pingle over 3 years ago
Marcos Mendoza wrote:
Something that's somewhat confusing (even now with "Child SA Close Action") is what exactly the default is. This could be better left to either the field description and/or docs.
That's not so easy to say because mostly the answer is "it depends" for start action and close action. Tunnel mode does one thing, VTI does another, mobile does another. Options are limited by specific modes/features and so on. So not only does the default depend on those, but the available choices as well since some modes aren't capable of using certain options (as laid out above).
It may be too long for the description even to cover the possible matrix of choices so it may need to link to a doc which can lay it all out in more detail.
Updated by Jim Pingle over 3 years ago
- Status changed from In Progress to Feedback
- % Done changed from 0 to 100
Applied in changeset a8ccdf506d95df855f9779e3bb090e740154cb7f.
Updated by Jim Pingle over 3 years ago
- Status changed from Feedback to In Progress
Input validation isn't quite right, GUI control is hidden for mobile tunnels but the validation still throws an error saying it's set.
Updated by Jim Pingle over 3 years ago
- Status changed from In Progress to Feedback
Applied in changeset 0a7699de800e849056773b5c4a762096e1689260.
Updated by Jim Pingle over 3 years ago
- Subject changed from Add IPsec GUI option to control Child SA "start_action" to IPsec GUI option to control Child SA ``start_action``
Updating subject for release notes.
Updated by Jim Pingle over 3 years ago
- Target version changed from 2.6.0 to 2.5.2