Page MenuHomeVyOS Platform

Adding ipsec ike closeaction
Closed, ResolvedPublicFEATURE REQUEST


If we have remote peers behind NAT, they never reconnect when received action for close a CHILD_SA.
It happens if we configure HQ and before restart strongswan generates action for close CHILD_SA.

From strongswan docs

closeaction = none | clear | hold | restart

defines the action to take if the remote peer unexpectedly closes a CHILD_SA (see dpdaction for
meaning of values). A closeaction should not be used if the peer uses reauthentication or uniqueids checking,
as these events might trigger the defined action when not desired. Prior to 5.1.0, closeaction was
not supported for IKEv1 connections.

Proposed syntax:

vyos@PEER3# set vpn ipsec ike-group TAG close-action 
Possible completions:
   none         Set action to none (default)
   hold         Set action to hold
   clear        Set action to clear
   restart      Set action to restart


Difficulty level
Unknown (require assessment)
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Unspecified (possibly destroys the router)

Event Timeline

Unknown Object (User) claimed this task.Oct 31 2019, 7:30 AM
Unknown Object (User) created this task.
syncer changed the task status from Open to Backport candidate.Nov 2 2019, 5:28 PM
syncer edited projects, added VyOS 1.2 Crux (VyOS 1.2.4); removed VyOS 1.2 Crux.
syncer moved this task from Need Triage to Finished on the VyOS 1.3 Equuleus board.
syncer reopened this task as Backport pending.Jan 20 2020, 11:47 AM
syncer reassigned this task from Unknown Object (User) to jestabro.
syncer triaged this task as Normal priority.
syncer moved this task from Needs Triage to Backlog on the VyOS 1.2 Crux (VyOS 1.2.5) board.