Feature #11576

closed

IPsec GUI option to control Child SA ``start_action``

Added by Jim Pingle 9 months ago. Updated 6 months ago.

Status:
Closed
Priority:
Normal
Assignee:
Category:
IPsec
Target version:
Start date:
02/28/2021
Due date:
% Done:

100%

Estimated time:
Plus Target Version:
21.05
Release Notes:
Default

Description

Currently we set the child SA start option automatically depending on a few different factors, but it would be nice to give the user a little more control over it.

Right now we set:

  • Mobile: start_action = none
  • VTI: start_action = start
  • Tunnel mode: start_action = trap
  • Responder mode forces start_action = none

The available choices are:

  • none (does nothing except load the configuration)
  • start (immediately attempts to initiate)
  • trap (installs trap policies to initiate on demand)

The valid choices depend on the above, since not all options make sense.

  • Mobile: none (it can't initiate)
  • VTI: none, start (VTI is not compatible with trap policies)
  • Tunnel mode: none, start, trap

Since there is some functionality overlap with "Responder Only" mode, maybe it could be combined with that into a drop-down named "Initiation" or similar with the following options:

  • Automatic: Current default behavior
  • Responder Only: Always sets 'none'
  • Initiate Immediately: Sets 'start' for tunnel and VTI
  • Initiate On Demand (Tunnel Mode Only): Sets 'trap' for tunnel

The last option may be redundant since it's identical to the 'automatic' behavior for tunnel mode, but users may expect to see it, so we could include it for completeness.
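The proposed "Initiation" selector can be read as a small resolver with validation. The sketch below is an added example, not pfSense code: the function names and option keys (`automatic`, `responder_only`, `immediate`, `on_demand`) are hypothetical, and the rendered fragment assumes the strongSwan `swanctl.conf` layout `connections.<conn>.children.<child>.start_action`.

```python
# Added illustration of the request's rules; identifiers are hypothetical.

# start_action values that make sense for each Phase 2 mode (from the request).
VALID = {
    "mobile": {"none"},                    # mobile cannot initiate
    "vti": {"none", "start"},              # VTI is not compatible with trap policies
    "tunnel": {"none", "start", "trap"},
}
# Current automatic behavior per mode.
AUTOMATIC = {"mobile": "none", "vti": "start", "tunnel": "trap"}
# Explicit choices in the proposed "Initiation" drop-down.
REQUESTED = {"responder_only": "none", "immediate": "start", "on_demand": "trap"}


def resolve_start_action(mode, initiation="automatic"):
    """Return the child SA start_action, or raise on an invalid combination."""
    if mode not in VALID:
        raise ValueError(f"unknown mode: {mode!r}")
    if initiation == "automatic":
        action = AUTOMATIC[mode]
    elif initiation in REQUESTED:
        action = REQUESTED[initiation]
    else:
        raise ValueError(f"unknown initiation option: {initiation!r}")
    # Reject choices the mode cannot honor instead of silently downgrading,
    # so the GUI can show an input error rather than write a broken config.
    if action not in VALID[mode]:
        raise ValueError(
            f"{initiation!r} sets start_action={action}, not valid for {mode}"
        )
    return action


def render_child(conn, child, mode, initiation="automatic"):
    """Render a minimal swanctl.conf fragment carrying the resolved value."""
    action = resolve_start_action(mode, initiation)
    return (
        "connections {\n"
        f"  {conn} {{\n"
        "    children {\n"
        f"      {child} {{\n"
        f"        start_action = {action}\n"
        "      }\n"
        "    }\n"
        "  }\n"
        "}\n"
    )


if __name__ == "__main__":
    # Constructed sample names; not taken from any real configuration.
    print(render_child("con1", "con1_child", "vti", "immediate"))
```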
