Added documentation and NEWS for closeaction

diff --git a/NEWS b/NEWS
index 30be51e44a4b307094a630fd54d552aa27ee2f43..f0322646be222214a6080d571d04ec95a36cdf1c 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -4,6 +4,9 @@ strongswan-4.5.3
 - IMC/IMV test pair implementing the RFC 5792 PA-TNC (IF-M) protocol.
   (--enable-imc-test/--enable-imv-test).
 
+- The IKEv2 close action does not use the same value as the ipsec.conf dpdaction
+  setting, but the value defined by its own closeaction keyword. The action
+  is triggered if the remote peer closes a CHILD_SA unexpectedly.
 
 strongswan-4.5.2
 ----------------

diff --git a/man/ipsec.conf.5.in b/man/ipsec.conf.5.in
index 0390f0760317031b5a23e66c290f0e70e5efa7ad..c80ad7fbfc5c9f46eb6ab94b5822f6aea457b9de 100644 (file)
--- a/man/ipsec.conf.5.in
+++ b/man/ipsec.conf.5.in
@@ -367,6 +367,12 @@ See
 .IR strongswan.conf (5)
 for a description of the IKEv2 retransmission timeout.
 .TP
+.BR closeaction " = " none " | clear | hold | restart"
+defines the action to take if the remote peer unexpectedly closes a CHILD_SA
+(IKEv2 only, see dpdaction for meaning of values). A closeaction should not be
+used if the peer uses reauthentication or uniquids checking, as these events
+might trigger a closeaction when not desired.
+.TP
 .BR inactivity " = <time>"
 defines the timeout interval, after which a CHILD_SA is closed if it did
 not send or receive any traffic. Currently supported in IKEv2 connections only.