ipsec: T7594: Change connection-type to trap for all peers and configurations
#1719
Conversation
zdc
left a comment
zdc
left a comment
There was a problem hiding this comment.
The trap mode is one of the most common causes of IPsec connectivity issues. In most cases, users do not actually need it and enable it only due to its previously misleading name in the CLI.
In our documentation, we should default to recommending either initiate or none, depending on the topology and specific situation. Customers should understand that the most stable configuration is initiate on one side and none on the other.
trap is a specialized mode that should only be used when customers specifically need to trigger IPsec tunnel establishment by traffic. Additionally, it must be properly synchronized with other settings that users often overlook, such as close-action and dpd-action.
alexandr-san4ez
force-pushed
the
T7594-current
branch
from
2d34fb4 to
af81aad
Compare
There was a problem hiding this comment.
Pull request overview
This PR updates IPsec site-to-site VPN documentation to address issues with the misleading respond connection-type mode. The PR removes documentation for respond mode (which behaved like traffic-triggered trap mode) and updates all configuration examples to use the recommended initiate (active) or none (passive) connection types instead. The documentation now includes trap mode with appropriate warnings about its complexity, though examples no longer use it.
Key changes:
- Replaces
respondmode documentation withtrapmode, adding warnings about its complexity and coordination requirements - Updates configuration examples to use
initiatefor active peers (e.g., VyOS connecting to Azure) andnonefor passive peers - Adds guidance recommending
initiate/nonepairing for stable tunnel behavior
Reviewed changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated 3 comments.
Show a summary per file
| File | Description |
|---|---|
| docs/configuration/vpn/ipsec/site2site_ipsec.rst | Replaces respond with trap in connection-type documentation; adds warning and best practice notes; updates Policy-Based and Route-Based VPN examples to use none instead of respond |
| docs/configuration/vpn/rsa-keys.rst | Updates RSA keys example to use connection-type none for the passive LEFT peer |
| docs/configexamples/policy-based-ipsec-and-firewall.rst | Updates policy-based IPsec example to use connection-type none for LEFT peer |
| docs/configexamples/azure-vpn-dual-bgp.rst | Updates both Azure VPN tunnels to use connection-type initiate (VyOS as active initiator) |
| docs/configexamples/azure-vpn-bgp.rst | Updates Azure VPN tunnel to use connection-type initiate (VyOS as active initiator) |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
…urations The previous 'connection-type respond' option in IPsec site-to-site peers was misleading - instead of passively waiting for peer initiation, it would initiate negotiation when matching traffic appeared, potentially causing SA duplication and renegotiation loops.
alexandr-san4ez
force-pushed
the
T7594-current
branch
from
af81aad to
225f9f7
Compare
2 participants
Change Summary
The previous 'connection-type respond' option in IPsec site-to-site peers was misleading - instead of passively waiting for peer initiation, it would initiate negotiation when matching traffic appeared, potentially causing SA duplication and renegotiation loops.
Related Task(s)
Related PR(s)
respondconnection-type in IPSec peer settings totrapvyos-1x#4881Checklist: