IPsec GUI option to control Child SA ``start_action``
Currently we set the child SA start option automatically depending on a few different factors, but it would be nice to give the user a little more control over it.
Right now we set:
- Mobile: start_action = none
- VTI: start_action = start
- Tunnel mode: start_action = trap
- Responder mode forces start_action = none
The available choices are:
- none (Does nothing except load the configuration)
- start (immediately attempts to initiate)
- trap (installs trap policies to initiate on demand)
The valid choices depend on the above, since not all options make sense.
- Mobile: none (it can't initiate)
- VTI: none, start (VTI is not compatible with trap policies)
- Tunnel mode: none, start, trap
Since there is some functionality overlap with "Responder Only" mode maybe it could be combined with that into a drop down named "Initiation" or similar with the following options:
- Automatic: Current default behavior
- Responder Only: Always sets 'none'
- Initiate Immediately: Sets 'start' for tunnel and VTI
- Initiate On Demand (Tunnel Mode Only): Sets 'trap' for tunnel
The last option may be redundant since it's identical to the 'automatic' behavior for tunnel mode but users may expect to see it so we could include it for completeness.