Description
Brief description
Modify the default value of the IPsec parameter close_action from none to trap so that IPsec tunnels are automatically re-established on demand when matching traffic is detected.
Why
The current default (close_action=none) does not automatically re-initiate IPsec tunnels after they go down. This behavior is often unexpected, especially for site-to-site tunnels that administrators assume will come back up automatically when traffic resumes.
As a result, users must manually restart tunnels or add additional logic or monitoring to ensure availability, increasing operational complexity.
Purpose
Improve the default reliability and usability of IPsec tunnels by ensuring they are automatically reactivated when traffic requires it, without requiring manual intervention or additional configuration.
Proposed solution
- Change the default value of close_action to trap for newly created IPsec tunnels.
- Change the default value of close_action to trap after a tunnel has been edited.
Alternative solutions
- Expose close_action as a selectable option in the UI during tunnel creation, with trap preselected.
Possible negative aspects
- Increased IKE negotiation attempts when matching traffic is generated, potentially increasing background traffic.
- Log noise and repeated connection attempts in case of misconfigured or unreachable peers.
- Unexpected automatic tunnel reactivation for administrators who prefer fully manual control.
- Slight increase in CPU and network usage in setups with many IPsec tunnels and intermittent traffic.
Components
NethSecurity 8.7.1
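As an added example (not part of this issue or of NethSecurity's code), the shell function below lists the tunnels that would stay down after a close: children in a strongSwan swanctl.conf-style file whose close_action is unset or none. The sample configuration, its connection names, and the one-statement-per-line layout are constructed assumptions.

```shell
# Added example: report children whose close_action is unset or "none".
# Assumes swanctl.conf-style input with one "name {", "key = value" or "}" per line.
audit_close_action() {
    awk '
    function in_child() {
        # True only inside connections.<conn>.children.<child>
        return depth == 4 && path[1] == "connections" && path[3] == "children"
    }
    { sub(/#.*/, ""); gsub(/^[ \t]+|[ \t]+$/, "") }   # drop comments, trim
    /[{]$/ {
        name = $0; sub(/[ \t]*[{]$/, "", name)
        path[++depth] = name
        if (in_child()) action = ""                    # new child: nothing set yet
        next
    }
    $0 == "}" {
        if (in_child() && (action == "" || action == "none"))
            print path[2] "/" path[4] " close_action=" (action == "" ? "none (default)" : action)
        depth--
        next
    }
    in_child() && /^close_action[ \t]*=/ {
        action = $0; sub(/^[^=]*=[ \t]*/, "", action)
    }
    ' "$@"
}
# Constructed sample input (hypothetical connection and child names).
sample_conf() {
    cat <<'EOF'
connections {
    site-a {
        children {
            lan {
                close_action = none
            }
            dmz {
                close_action = trap
            }
        }
    }
    site-b {
        children {
            lan {
                start_action = trap
            }
        }
    }
}
EOF
}
sample_conf | audit_close_action
```

Pass a file path as an argument to check a real configuration instead of the sample; only site-a/lan and site-b/lan are reported here, since site-a/dmz already uses trap.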