diff --git a/data/templates/ipsec/swanctl/peer.j2 b/data/templates/ipsec/swanctl/peer.j2
index 518402c538..15b5f59561 100644
--- a/data/templates/ipsec/swanctl/peer.j2
+++ b/data/templates/ipsec/swanctl/peer.j2
@@ -27,7 +27,7 @@
reauth_time = 0
{% elif peer_conf.connection_type is not vyos_defined or peer_conf.connection_type is vyos_defined('initiate') %}
keyingtries = 0
-{% elif peer_conf.connection_type is vyos_defined('respond') %}
+{% elif peer_conf.connection_type is vyos_defined('trap') %}
keyingtries = 1
{% endif %}
{% if peer_conf.force_udp_encapsulation is vyos_defined %}
@@ -96,7 +96,7 @@
start_action = none
{% elif peer_conf.connection_type is not vyos_defined or peer_conf.connection_type is vyos_defined('initiate') %}
start_action = start
-{% elif peer_conf.connection_type is vyos_defined('respond') %}
+{% elif peer_conf.connection_type is vyos_defined('trap') %}
start_action = trap
{% elif peer_conf.connection_type is vyos_defined('none') %}
start_action = none
@@ -160,7 +160,7 @@
start_action = none
{% elif peer_conf.connection_type is not vyos_defined or peer_conf.connection_type is vyos_defined('initiate') %}
start_action = start
-{% elif peer_conf.connection_type is vyos_defined('respond') %}
+{% elif peer_conf.connection_type is vyos_defined('trap') %}
start_action = trap
{% elif peer_conf.connection_type is vyos_defined('none') %}
start_action = none
diff --git a/interface-definitions/include/version/ipsec-version.xml.i b/interface-definitions/include/version/ipsec-version.xml.i
index a4d556cfc6..6c24b0b2de 100644
--- a/interface-definitions/include/version/ipsec-version.xml.i
+++ b/interface-definitions/include/version/ipsec-version.xml.i
@@ -1,3 +1,3 @@
-
+
diff --git a/interface-definitions/vpn_ipsec.xml.in b/interface-definitions/vpn_ipsec.xml.in
index 7d901402dc..a2721e2a12 100644
--- a/interface-definitions/vpn_ipsec.xml.in
+++ b/interface-definitions/vpn_ipsec.xml.in
@@ -1160,22 +1160,22 @@
Connection type
- initiate respond none
+ initiate trap none
initiate
Bring the connection up immediately
- respond
- Wait for the peer to initiate the connection
+ trap
+ Bring the connection up only when matching traffic is detected
none
Load the connection only
- (initiate|respond|none)
+ (initiate|trap|none)
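Review bot: With the `respond` entry and its help text "Wait for the peer to initiate the connection" removed, none of the remaining help strings tells an operator which value gives responder-only behaviour. The new text for `trap` says the connection comes up when matching traffic is detected, so an operator who chose `respond` expecting a passive endpoint keeps one that can initiate. If `none` is the intended passive choice (peer.j2 maps it to `start_action = none`), its help could say so, for example `Load the connection only; wait for the peer to initiate`. The constraint now rejects `respond` outright, and whether an error message names the three accepted values is not visible in this hunk.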
diff --git a/smoketest/config-tests/bgp-azure-ipsec-gateway b/smoketest/config-tests/bgp-azure-ipsec-gateway
index bef48fd6d8..823a2c36a7 100644
--- a/smoketest/config-tests/bgp-azure-ipsec-gateway
+++ b/smoketest/config-tests/bgp-azure-ipsec-gateway
@@ -176,7 +176,7 @@ set vpn ipsec log level '2'
set vpn ipsec log subsystem 'ike'
set vpn ipsec site-to-site peer peer_51-105-0-1 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer peer_51-105-0-1 authentication remote-id '51.105.0.1'
-set vpn ipsec site-to-site peer peer_51-105-0-1 connection-type 'respond'
+set vpn ipsec site-to-site peer peer_51-105-0-1 connection-type 'trap'
set vpn ipsec site-to-site peer peer_51-105-0-1 default-esp-group 'ESP-AZURE'
set vpn ipsec site-to-site peer peer_51-105-0-1 ike-group 'IKE-AZURE'
set vpn ipsec site-to-site peer peer_51-105-0-1 ikev2-reauth 'inherit'
@@ -185,7 +185,7 @@ set vpn ipsec site-to-site peer peer_51-105-0-1 remote-address '51.105.0.1'
set vpn ipsec site-to-site peer peer_51-105-0-1 vti bind 'vti51'
set vpn ipsec site-to-site peer peer_51-105-0-2 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer peer_51-105-0-2 authentication remote-id '51.105.0.2'
-set vpn ipsec site-to-site peer peer_51-105-0-2 connection-type 'respond'
+set vpn ipsec site-to-site peer peer_51-105-0-2 connection-type 'trap'
set vpn ipsec site-to-site peer peer_51-105-0-2 default-esp-group 'ESP-AZURE'
set vpn ipsec site-to-site peer peer_51-105-0-2 ike-group 'IKE-AZURE'
set vpn ipsec site-to-site peer peer_51-105-0-2 ikev2-reauth 'inherit'
@@ -194,7 +194,7 @@ set vpn ipsec site-to-site peer peer_51-105-0-2 remote-address '51.105.0.2'
set vpn ipsec site-to-site peer peer_51-105-0-2 vti bind 'vti52'
set vpn ipsec site-to-site peer peer_51-105-0-3 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer peer_51-105-0-3 authentication remote-id '51.105.0.3'
-set vpn ipsec site-to-site peer peer_51-105-0-3 connection-type 'respond'
+set vpn ipsec site-to-site peer peer_51-105-0-3 connection-type 'trap'
set vpn ipsec site-to-site peer peer_51-105-0-3 ike-group 'IKE-AZURE'
set vpn ipsec site-to-site peer peer_51-105-0-3 ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer peer_51-105-0-3 local-address '192.0.2.189'
@@ -203,7 +203,7 @@ set vpn ipsec site-to-site peer peer_51-105-0-3 vti bind 'vti32'
set vpn ipsec site-to-site peer peer_51-105-0-3 vti esp-group 'ESP-AZURE'
set vpn ipsec site-to-site peer peer_51-105-0-4 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer peer_51-105-0-4 authentication remote-id '51.105.0.4'
-set vpn ipsec site-to-site peer peer_51-105-0-4 connection-type 'respond'
+set vpn ipsec site-to-site peer peer_51-105-0-4 connection-type 'trap'
set vpn ipsec site-to-site peer peer_51-105-0-4 ike-group 'IKE-AZURE'
set vpn ipsec site-to-site peer peer_51-105-0-4 ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer peer_51-105-0-4 local-address '192.0.2.189'
@@ -212,7 +212,7 @@ set vpn ipsec site-to-site peer peer_51-105-0-4 vti bind 'vti31'
set vpn ipsec site-to-site peer peer_51-105-0-4 vti esp-group 'ESP-AZURE'
set vpn ipsec site-to-site peer peer_51-105-0-5 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer peer_51-105-0-5 authentication remote-id '51.105.0.5'
-set vpn ipsec site-to-site peer peer_51-105-0-5 connection-type 'respond'
+set vpn ipsec site-to-site peer peer_51-105-0-5 connection-type 'trap'
set vpn ipsec site-to-site peer peer_51-105-0-5 ike-group 'IKE-AZURE'
set vpn ipsec site-to-site peer peer_51-105-0-5 ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer peer_51-105-0-5 local-address '192.0.2.189'
@@ -221,7 +221,7 @@ set vpn ipsec site-to-site peer peer_51-105-0-5 vti bind 'vti42'
set vpn ipsec site-to-site peer peer_51-105-0-5 vti esp-group 'ESP-AZURE'
set vpn ipsec site-to-site peer peer_51-105-0-6 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer peer_51-105-0-6 authentication remote-id '51.105.0.6'
-set vpn ipsec site-to-site peer peer_51-105-0-6 connection-type 'respond'
+set vpn ipsec site-to-site peer peer_51-105-0-6 connection-type 'trap'
set vpn ipsec site-to-site peer peer_51-105-0-6 ike-group 'IKE-AZURE'
set vpn ipsec site-to-site peer peer_51-105-0-6 ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer peer_51-105-0-6 local-address '192.0.2.189'
diff --git a/src/migration-scripts/ipsec/13-to-14 b/src/migration-scripts/ipsec/13-to-14
new file mode 100644
index 0000000000..f676a09be0
--- /dev/null
+++ b/src/migration-scripts/ipsec/13-to-14
@@ -0,0 +1,33 @@
+# Copyright VyOS maintainers and contributors
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
+#
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with this library. If not, see .
+
+# Rename connection-type 'respond' to 'trap' (T7594):
+# vpn ipsec site-to-site peer connection-type respond -> trap
+
+from vyos.configtree import ConfigTree
+
+base = ['vpn', 'ipsec', 'site-to-site']
+
+def migrate(config: ConfigTree) -> None:
+ # If IPsec config does not exist, nothing to do
+ if not config.exists(base):
+ return
+
+ # Iterate through defined peers
+ for peer in config.list_nodes(base + ['peer']):
+ path = base + ['peer', peer, 'connection-type']
+ if config.value_exists(path, 'respond'):
+ # Replace old behavior with explicit passive type
+ config.set(path, 'trap', replace=True)
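Review bot: `config.list_nodes(base + ['peer'])` runs after checking only that `vpn ipsec site-to-site` exists, so a config that has this node without any `peer` child is likely to abort the migration. This assumes `ConfigTree.list_nodes` raises on a missing path by default, which should be confirmed. Guarding on the path that is actually iterated avoids it: `if not config.exists(base + ['peer']): return`. The comment `# Replace old behavior with explicit passive type` is also misleading, because peer.j2 rendered `respond` as `start_action = trap` both before and after this commit, and `trap` brings the tunnel up on matching traffic. Something like `# 'respond' always rendered start_action = trap; rename the value to match` would describe the change accurately.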