Conversation

Contributor

@alexandr-san4ez alexandr-san4ez commented Nov 28, 2025

Change summary

This config item is a continuous source of confusion and misconfigurations, and it is understandable. While the CLI says this:

vyos@vyos# set vpn ipsec site-to-site peer PEER_NAME connection-type 
Possible completions:
   initiate             Bring the connection up immediately
   respond              Wait for the peer to initiate the connection
   none                 Load the connection only

respond actually does not do what is noted in the description:

{% elif peer_conf.connection_type is vyos_defined('respond') %}
start_action = trap

In a pair of IPSec peers, to avoid SA duplication, one must keep silent and the other attempt to connect. With the initiate / respond pair, one peer will actively try to initiate a connection, and another will be silent, but only if there is no traffic that matches a traffic selector for a peer. If such traffic occurs, it will try to connect as well.

The risk is relatively low, but if this happens, such peers may loop into an endless renegotiation process.

To avoid confusion, @zdc suggests:
1. Rename respond to trap and fix the description.
2. Migrate all respond to none, so the system does what is configured in the CLI.

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Code style update (formatting, renaming)
  • Refactoring (no functional changes)
  • Migration from an old Vyatta component to vyos-1x, please link to related PR inside obsoleted component
  • Other (please describe):

Related Task(s)

Related PR(s)

How to test / Smoketest result

Step 1: configure site-to-site peer with connection type 'respond'

conf
set interfaces vti vti1
set protocols static route 172.168.202.0/24 interface vti1
set vpn ipsec site-to-site peer B vti bind 'vti1'
set vpn ipsec authentication psk psk1 id 'A'
set vpn ipsec authentication psk psk1 id 'B'
set vpn ipsec authentication psk psk1 secret 'AB'
set vpn ipsec esp-group esp1 mode 'tunnel'
set vpn ipsec esp-group esp1 pfs 'disable'
set vpn ipsec esp-group esp1 proposal 10 encryption 'aes256'
set vpn ipsec esp-group esp1 proposal 10 hash 'sha256'
set vpn ipsec ike-group ike1 close-action 'none'
set vpn ipsec ike-group ike1 dead-peer-detection action 'clear'
set vpn ipsec ike-group ike1 proposal 10 encryption 'camellia256ccm96'
set vpn ipsec ike-group ike1 proposal 10 hash 'sha256'
set vpn ipsec interface 'eth0'
set vpn ipsec site-to-site peer B authentication local-id 'A'
set vpn ipsec site-to-site peer B authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer B authentication remote-id 'B'
set vpn ipsec site-to-site peer B connection-type 'respond'                 # <<<
set vpn ipsec site-to-site peer B default-esp-group 'esp1'
set vpn ipsec site-to-site peer B ike-group 'ike1'
set vpn ipsec site-to-site peer B local-address '172.168.99.2'
set vpn ipsec site-to-site peer B remote-address '172.168.99.3'
set vpn ipsec site-to-site peer B vti bind 'vti1'
commit

Step 2: upgrade the router to the new version

vyos@vyos:~$ add system image /path/to/vyos-image.iso
...
vyos@vyos:~$ sudo reboot now

Step 3: verify the configuration after rebooting the router

vyos@vyos:~$ sh conf commands | match connection-type
set vpn ipsec site-to-site peer B connection-type 'none'

Checklist:

  • I have read the CONTRIBUTING document
  • I have linked this PR to one or more Phabricator Task(s)
  • I have run the components SMOKETESTS if applicable
  • My commit headlines contain a valid Task id
  • My change requires a change to the documentation
  • I have updated the documentation accordingly
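As an added illustration (not code from the PR or from vyos-1x), the mapping the change summary describes and the migration it proposes, written over the `set` command lines shown in the test steps. The `initiate` and `none` rows of the mapping are assumed from strongSwan's start_action semantics; only `respond` -> `trap` is shown on the page, and the sample config lines are constructed.

```python
import re
from typing import Dict, List, Tuple

# VyOS CLI value -> strongSwan swanctl start_action. Only 'respond' -> 'trap'
# is shown in the PR; the 'initiate' and 'none' rows are an assumption based
# on strongSwan semantics (start = bring up now, none = load only).
OLD_CLI_TO_START_ACTION: Dict[str, str] = {
    "initiate": "start",
    "respond": "trap",   # misleading: matching traffic makes this side initiate
    "none": "none",
}
# After the rename proposed in the PR, 'respond' is gone and 'trap' is explicit.
NEW_CLI_TO_START_ACTION: Dict[str, str] = {
    "initiate": "start", "trap": "trap", "none": "none",
}

def start_action(connection_type: str, after_pr: bool = True) -> str:
    """Return the start_action a CLI value renders to (KeyError if unknown)."""
    table = NEW_CLI_TO_START_ACTION if after_pr else OLD_CLI_TO_START_ACTION
    return table[connection_type]

# Matches: set vpn ipsec site-to-site peer <name> connection-type '<value>'
_CT_RE = re.compile(
    r"^(set vpn ipsec site-to-site peer (\S+) connection-type )'(\w+)'$"
)

def migrate_respond(lines: List[str]) -> Tuple[List[str], List[str]]:
    """Rewrite connection-type 'respond' to 'none' for every site-to-site peer.

    Returns the migrated lines plus the peers touched, so an operator can
    review which peers now stay silent until the other side initiates.
    """
    migrated, changed = [], []
    for line in lines:
        m = _CT_RE.match(line.strip())
        if m and m.group(3) == "respond":
            migrated.append(f"{m.group(1)}'none'")
            changed.append(m.group(2))
        else:
            migrated.append(line)
    return migrated, changed

# Constructed sample, trimmed from the config in the PR's test steps.
SAMPLE_CONFIG = [
    "set vpn ipsec site-to-site peer B authentication mode 'pre-shared-secret'",
    "set vpn ipsec site-to-site peer B connection-type 'respond'",
    "set vpn ipsec site-to-site peer B ike-group 'ike1'",
    "set vpn ipsec site-to-site peer C connection-type 'initiate'",
]
```

A peer that genuinely wants trap semantics after the migration has to set `trap` explicitly; the migration deliberately does not guess that for it.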


github-actions bot commented Nov 28, 2025

👍
No issues in PR Title / Commit Title

… to `trap`

The previous 'connection-type respond' option in IPsec site-to-site peers
was misleading - instead of passively waiting for peer initiation, it would
initiate negotiation when matching traffic appeared, potentially causing
SA duplication and renegotiation loops.
@sever-sever sever-sever added the bp/circinus Create automatic backport for circinus label Dec 1, 2025
Member

@sever-sever sever-sever left a comment


@zdc I'm confused
We rename respond => trap,
But the migration commands will replace respond => none?
Yes, it will do what it is expected to do, but how many configs can this migration affect?
Wouldn't it be better to migrate the old syntax so as not to affect the current IPsec peer logic?


github-actions bot commented Dec 1, 2025

CI integration 👍 passed!


  • CLI Smoketests (no interfaces) 👍 passed
  • CLI Smoketests VPP 👍 passed
  • CLI Smoketests (interfaces only) 👍 passed
  • Config tests 👍 passed
  • Config tests VPP 👍 passed
  • RAID1 tests 👍 passed
  • TPM tests 👍 passed
