From db0232d643241d4c7b50dad92d3c601e82ae2935 Mon Sep 17 00:00:00 2001
From: Monviech <79600909+Monviech@users.noreply.github.com>
Date: Thu, 26 Sep 2024 11:35:22 +0200
Subject: [PATCH] ipsec: settings: Add make_before_break option (#7855)
---
.../mvc/app/controllers/OPNsense/IPsec/forms/settings.xml | 6 ++++++
src/opnsense/mvc/app/models/OPNsense/IPsec/IPsec.xml | 1 +
2 files changed, 7 insertions(+)
diff --git a/src/opnsense/mvc/app/controllers/OPNsense/IPsec/forms/settings.xml b/src/opnsense/mvc/app/controllers/OPNsense/IPsec/forms/settings.xml
index fe149b669..4bfbb637f 100644
--- a/src/opnsense/mvc/app/controllers/OPNsense/IPsec/forms/settings.xml
+++ b/src/opnsense/mvc/app/controllers/OPNsense/IPsec/forms/settings.xml
@@ -78,6 +78,12 @@
textLimit new connections based on the current number of half open IKE_SAs.
+
+ ipsec.charon.make_before_break
+
+ checkbox
+ Initiate IKEv2 reauthentication with a make-before-break instead of a break-before-make scheme. Make-before-break uses overlapping IKE and CHILD SA during reauthentication by first recreating all new SAs before deleting the old ones. This behavior can be beneficial to avoid connectivity gaps during reauthentication, but requires support for overlapping SAs by the peer.
+ header
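Review bot: The help text added for `ipsec.charon.make_before_break` does not mention scope. The `charon.` prefix indicates a global strongSwan daemon option rather than a per-connection one, so ticking the box would change reauthentication for every IKEv2 tunnel on the box. That includes peers that cannot handle overlapping SAs, where reauthentication may then fail or drop the tunnel. I would append a sentence to the help such as `This setting applies to all IKEv2 connections; confirm that every peer supports overlapping SAs before enabling it.` The element markup of this hunk is not visible in this view, and the default value set by the model change in IPsec.xml cannot be read here, so it is worth checking that an unset value keeps the previous break-before-make behaviour on upgrade.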
diff --git a/src/opnsense/mvc/app/models/OPNsense/IPsec/IPsec.xml b/src/opnsense/mvc/app/models/OPNsense/IPsec/IPsec.xml
index 727f70cb5..fa279755a 100644
--- a/src/opnsense/mvc/app/models/OPNsense/IPsec/IPsec.xml
+++ b/src/opnsense/mvc/app/models/OPNsense/IPsec/IPsec.xml
@@ -55,6 +55,7 @@
1Y
+