ipsec: T7594: Rename respond connection-type in IPSec peer settings to trap

The previous 'connection-type respond' option in IPsec site-to-site peers
was misleading - instead of passively waiting for peer initiation, it would
initiate negotiation when matching traffic appeared, potentially causing
SA duplication and renegotiation loops.

Author: alexandr-san4ez

data/templates/ipsec/swanctl/peer.j2

@@ -27,7 +27,7 @@
         reauth_time = 0
 {% elif peer_conf.connection_type is not vyos_defined or peer_conf.connection_type is vyos_defined('initiate') %}
         keyingtries = 0
-{% elif peer_conf.connection_type is vyos_defined('respond') %}
+{% elif peer_conf.connection_type is vyos_defined('trap') %}
         keyingtries = 1
 {% endif %}
 {% if peer_conf.force_udp_encapsulation is vyos_defined %}
@@ -96,7 +96,7 @@
                 start_action = none
 {%     elif peer_conf.connection_type is not vyos_defined or peer_conf.connection_type is vyos_defined('initiate') %}
                 start_action = start
-{%     elif peer_conf.connection_type is vyos_defined('respond') %}
+{%     elif peer_conf.connection_type is vyos_defined('trap') %}
                 start_action = trap
 {%     elif peer_conf.connection_type is vyos_defined('none') %}
                 start_action = none
@@ -160,7 +160,7 @@
                 start_action = none
 {%         elif peer_conf.connection_type is not vyos_defined or peer_conf.connection_type is vyos_defined('initiate') %}
                 start_action = start
-{%         elif peer_conf.connection_type is vyos_defined('respond') %}
+{%         elif peer_conf.connection_type is vyos_defined('trap') %}
                 start_action = trap
 {%         elif peer_conf.connection_type is vyos_defined('none') %}
                 start_action = none

interface-definitions/include/version/ipsec-version.xml.i

@@ -1,3 +1,3 @@
 <!-- include start from include/version/ipsec-version.xml.i -->
-<syntaxVersion component='ipsec' version='13'></syntaxVersion>
+<syntaxVersion component='ipsec' version='14'></syntaxVersion>
 <!-- include end -->

interface-definitions/vpn_ipsec.xml.in

@@ -1160,22 +1160,22 @@
                     <properties>
                       <help>Connection type</help>
                       <completionHelp>
-                        <list>initiate respond none</list>
+                        <list>initiate trap none</list>
                       </completionHelp>
                       <valueHelp>
                         <format>initiate</format>
                         <description>Bring the connection up immediately</description>
                       </valueHelp>
                       <valueHelp>
-                        <format>respond</format>
-                        <description>Wait for the peer to initiate the connection</description>
+                        <format>trap</format>
+                        <description>Bring the connection up only when matching traffic is detected</description>
                       </valueHelp>
                       <valueHelp>
                         <format>none</format>
                         <description>Load the connection only</description>
                       </valueHelp>
                       <constraint>
-                        <regex>(initiate|respond|none)</regex>
+                        <regex>(initiate|trap|none)</regex>
                       </constraint>
                     </properties>
                   </leafNode>

smoketest/config-tests/bgp-azure-ipsec-gateway

@@ -176,7 +176,7 @@ set vpn ipsec log level '2'
 set vpn ipsec log subsystem 'ike'
 set vpn ipsec site-to-site peer peer_51-105-0-1 authentication mode 'pre-shared-secret'
 set vpn ipsec site-to-site peer peer_51-105-0-1 authentication remote-id '51.105.0.1'
-set vpn ipsec site-to-site peer peer_51-105-0-1 connection-type 'respond'
+set vpn ipsec site-to-site peer peer_51-105-0-1 connection-type 'trap'
 set vpn ipsec site-to-site peer peer_51-105-0-1 default-esp-group 'ESP-AZURE'
 set vpn ipsec site-to-site peer peer_51-105-0-1 ike-group 'IKE-AZURE'
 set vpn ipsec site-to-site peer peer_51-105-0-1 ikev2-reauth 'inherit'
@@ -185,7 +185,7 @@ set vpn ipsec site-to-site peer peer_51-105-0-1 remote-address '51.105.0.1'
 set vpn ipsec site-to-site peer peer_51-105-0-1 vti bind 'vti51'
 set vpn ipsec site-to-site peer peer_51-105-0-2 authentication mode 'pre-shared-secret'
 set vpn ipsec site-to-site peer peer_51-105-0-2 authentication remote-id '51.105.0.2'
-set vpn ipsec site-to-site peer peer_51-105-0-2 connection-type 'respond'
+set vpn ipsec site-to-site peer peer_51-105-0-2 connection-type 'trap'
 set vpn ipsec site-to-site peer peer_51-105-0-2 default-esp-group 'ESP-AZURE'
 set vpn ipsec site-to-site peer peer_51-105-0-2 ike-group 'IKE-AZURE'
 set vpn ipsec site-to-site peer peer_51-105-0-2 ikev2-reauth 'inherit'
@@ -194,7 +194,7 @@ set vpn ipsec site-to-site peer peer_51-105-0-2 remote-address '51.105.0.2'
 set vpn ipsec site-to-site peer peer_51-105-0-2 vti bind 'vti52'
 set vpn ipsec site-to-site peer peer_51-105-0-3 authentication mode 'pre-shared-secret'
 set vpn ipsec site-to-site peer peer_51-105-0-3 authentication remote-id '51.105.0.3'
-set vpn ipsec site-to-site peer peer_51-105-0-3 connection-type 'respond'
+set vpn ipsec site-to-site peer peer_51-105-0-3 connection-type 'trap'
 set vpn ipsec site-to-site peer peer_51-105-0-3 ike-group 'IKE-AZURE'
 set vpn ipsec site-to-site peer peer_51-105-0-3 ikev2-reauth 'inherit'
 set vpn ipsec site-to-site peer peer_51-105-0-3 local-address '192.0.2.189'
@@ -203,7 +203,7 @@ set vpn ipsec site-to-site peer peer_51-105-0-3 vti bind 'vti32'
 set vpn ipsec site-to-site peer peer_51-105-0-3 vti esp-group 'ESP-AZURE'
 set vpn ipsec site-to-site peer peer_51-105-0-4 authentication mode 'pre-shared-secret'
 set vpn ipsec site-to-site peer peer_51-105-0-4 authentication remote-id '51.105.0.4'
-set vpn ipsec site-to-site peer peer_51-105-0-4 connection-type 'respond'
+set vpn ipsec site-to-site peer peer_51-105-0-4 connection-type 'trap'
 set vpn ipsec site-to-site peer peer_51-105-0-4 ike-group 'IKE-AZURE'
 set vpn ipsec site-to-site peer peer_51-105-0-4 ikev2-reauth 'inherit'
 set vpn ipsec site-to-site peer peer_51-105-0-4 local-address '192.0.2.189'
@@ -212,7 +212,7 @@ set vpn ipsec site-to-site peer peer_51-105-0-4 vti bind 'vti31'
 set vpn ipsec site-to-site peer peer_51-105-0-4 vti esp-group 'ESP-AZURE'
 set vpn ipsec site-to-site peer peer_51-105-0-5 authentication mode 'pre-shared-secret'
 set vpn ipsec site-to-site peer peer_51-105-0-5 authentication remote-id '51.105.0.5'
-set vpn ipsec site-to-site peer peer_51-105-0-5 connection-type 'respond'
+set vpn ipsec site-to-site peer peer_51-105-0-5 connection-type 'trap'
 set vpn ipsec site-to-site peer peer_51-105-0-5 ike-group 'IKE-AZURE'
 set vpn ipsec site-to-site peer peer_51-105-0-5 ikev2-reauth 'inherit'
 set vpn ipsec site-to-site peer peer_51-105-0-5 local-address '192.0.2.189'
@@ -221,7 +221,7 @@ set vpn ipsec site-to-site peer peer_51-105-0-5 vti bind 'vti42'
 set vpn ipsec site-to-site peer peer_51-105-0-5 vti esp-group 'ESP-AZURE'
 set vpn ipsec site-to-site peer peer_51-105-0-6 authentication mode 'pre-shared-secret'
 set vpn ipsec site-to-site peer peer_51-105-0-6 authentication remote-id '51.105.0.6'
-set vpn ipsec site-to-site peer peer_51-105-0-6 connection-type 'respond'
+set vpn ipsec site-to-site peer peer_51-105-0-6 connection-type 'trap'
 set vpn ipsec site-to-site peer peer_51-105-0-6 ike-group 'IKE-AZURE'
 set vpn ipsec site-to-site peer peer_51-105-0-6 ikev2-reauth 'inherit'
 set vpn ipsec site-to-site peer peer_51-105-0-6 local-address '192.0.2.189'

smoketest/configs/bgp-azure-ipsec-gateway

@@ -372,7 +372,7 @@ vpn {
                     mode pre-shared-secret
                     pre-shared-secret averysecretpsktowardsazure
                 }
-                connection-type respond
+                connection-type trap
                 default-esp-group ESP-AZURE
                 ike-group IKE-AZURE
                 ikev2-reauth inherit
@@ -386,7 +386,7 @@ vpn {
                     mode pre-shared-secret
                     pre-shared-secret averysecretpsktowardsazure
                 }
-                connection-type respond
+                connection-type trap
                 default-esp-group ESP-AZURE
                 ike-group IKE-AZURE
                 ikev2-reauth inherit
@@ -400,7 +400,7 @@ vpn {
                     mode pre-shared-secret
                     pre-shared-secret averysecretpsktowardsazure
                 }
-                connection-type respond
+                connection-type trap
                 ike-group IKE-AZURE
                 ikev2-reauth inherit
                 local-address 192.0.2.189
@@ -414,7 +414,7 @@ vpn {
                     mode pre-shared-secret
                     pre-shared-secret averysecretpsktowardsazure
                 }
-                connection-type respond
+                connection-type trap
                 ike-group IKE-AZURE
                 ikev2-reauth inherit
                 local-address 192.0.2.189
@@ -428,7 +428,7 @@ vpn {
                     mode pre-shared-secret
                     pre-shared-secret averysecretpsktowardsazure
                 }
-                connection-type respond
+                connection-type trap
                 ike-group IKE-AZURE
                 ikev2-reauth inherit
                 local-address 192.0.2.189
@@ -442,7 +442,7 @@ vpn {
                     mode pre-shared-secret
                     pre-shared-secret averysecretpsktowardsazure
                 }
-                connection-type respond
+                connection-type trap
                 ike-group IKE-AZURE
                 ikev2-reauth inherit
                 local-address 192.0.2.189

src/migration-scripts/ipsec/13-to-14

@@ -0,0 +1,33 @@
+# Copyright VyOS maintainers and contributors <maintainers@vyos.io>
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
+#
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+# Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with this library.  If not, see <http://www.gnu.org/licenses/>.
+
+# Rename connection-type 'respond' to 'none' (T7594):
+#   vpn ipsec site-to-site peer <name> connection-type respond -> none
+
+from vyos.configtree import ConfigTree
+
+base = ['vpn', 'ipsec', 'site-to-site']
+
+def migrate(config: ConfigTree) -> None:
+    # If IPsec config does not exist, nothing to do
+    if not config.exists(base):
+        return
+
+    # Iterate through defined peers
+    for peer in config.list_nodes(base + ['peer']):
+        path = base + ['peer', peer, 'connection-type']
+        if config.exists(path) and config.return_value(path) == 'respond':
+            # Replace old behavior with explicit passive type
+            config.set(path, 'none', replace=True)