Feature #12169

IPsec keep alive option to initiate phase 2 without using ICMP

Added by Jim Pingle over 3 years ago. Updated about 3 years ago.

Status: Resolved
Priority: Normal
Category: IPsec
% Done: 100%
Plus Target Version: 22.01
Release Notes: Default

Description

Currently the IPsec GUI allows users to enter an IP address to ping a remote host as a means to connect a P2 and keep it active. This works OK for tunnel mode, since the ping will match a trap policy and initiate the tunnel, but it is not viable for VTI because VTI doesn't support trap policies.

We should change this into an option where the user can opt to initiate the P2 periodically if it's down, on the same schedule as the ping runs, for a similar net effect.

Potential problems/random thoughts/notes when implementing this:

  • The "automatically ping host" option is the only entry in the P2 "Advanced Configuration" options, so rename that to something more relevant like "Keep Alive"
  • This should be a separate option from ping host
    • A user may still want to send a ping even if it doesn't initiate, if the far side requires traffic to keep it alive. This may not be necessary these days, as DPD does the job that traffic used to do, but there may still be third parties which go by traffic to disconnect idle tunnels.
    • If this is tunnel mode it's redundant to do both, so either disallow that or warn against it. Doing both for VTI is fine.
  • This should be a separate script from the current ping_hosts.sh script
  • Likely will need to be PHP, otherwise it will take a lot more work to write code to fetch and parse things out from the IPsec status and config
  • Code should collect a list of all P2s which want to be checked, and then when the time comes, loop through them and see if they are connected.
    • If there is an active child SA matching the P2, nothing should be done
    • If no matching child SA is found, then initiate the P2
  • As a part of other ongoing work, the code to fetch the status when checking is already being moved to a function, which can be leveraged for this when the time comes.
  • Also there will be a new ipsec_initiate() function which likewise may be leveraged here.
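As an added example (not pfSense project code), the check-and-initiate pass sketched in the notes above, in PHP: the P2 entries and the list of established child SAs are constructed here, standing in for the config and the status-fetching function the ticket mentions, and the planned ipsec_initiate() is represented by a stand-in that only prints what it would do.

```php
<?php
// Added example, not pfSense project code. $active_children stands in for
// what the status-fetching function mentioned in the ticket would return.
// Constructed sample P2 entries (illustrative fields, not pfSense config keys).
$phase2s = [
    ['name' => 'office-vti',  'mode' => 'vti',    'initiate' => true,  'pinghost' => ''],
    ['name' => 'dc-tunnel',   'mode' => 'tunnel', 'initiate' => true,  'pinghost' => '10.9.0.1'],
    ['name' => 'lab-tunnel',  'mode' => 'tunnel', 'initiate' => false, 'pinghost' => '10.8.0.1'],
    ['name' => 'backup-vti',  'mode' => 'vti',    'initiate' => true,  'pinghost' => '10.7.0.1'],
];
// Constructed status: child SA names currently established.
$active_children = ['office-vti', 'lab-tunnel'];

// P2s that opted into keep-alive initiation and have no matching child SA.
function ipsec_keepalive_candidates(array $phase2s, array $active_children): array {
    $down = [];
    foreach ($phase2s as $p2) {
        if (empty($p2['initiate']) || in_array($p2['name'], $active_children, true)) {
            continue; // not opted in, or child SA already up: nothing to do
        }
        $down[] = $p2['name'];
    }
    return $down;
}

// Tunnel-mode P2s with both ping host and initiate set: the ping already
// matches the trap policy, so the combination is redundant and worth a warning.
function ipsec_keepalive_warnings(array $phase2s): array {
    $warn = [];
    foreach ($phase2s as $p2) {
        if ($p2['mode'] === 'tunnel' && !empty($p2['initiate']) && $p2['pinghost'] !== '') {
            $warn[] = "{$p2['name']}: ping host and initiate are redundant in tunnel mode";
        }
    }
    return $warn;
}

// One keep-alive pass, as the periodic script would run it.
foreach (ipsec_keepalive_warnings($phase2s) as $w) {
    echo "warning: {$w}\n";
}
foreach (ipsec_keepalive_candidates($phase2s, $active_children) as $name) {
    // Stand-in for the planned ipsec_initiate(); only reports the P2 it would bring up.
    echo "initiating P2 {$name}\n";
}
```

With the constructed data, the pass warns about dc-tunnel and initiates dc-tunnel and backup-vti, while office-vti (already up) and lab-tunnel (not opted in) are left alone.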