vyos · dmbaturin · Dec 9, 2025 · Dec 1, 2025
diff --git a/docs/configexamples/azure-vpn-bgp.rst b/docs/configexamples/azure-vpn-bgp.rst
@@ -105,7 +105,7 @@ Vyos configuration
   set vpn ipsec site-to-site peer azure authentication local-id '198.51.100.3'
   set vpn ipsec site-to-site peer 203.0.113.2 authentication mode 'pre-shared-secret'
   set vpn ipsec site-to-site peer 203.0.113.2 authentication remote-id '203.0.113.2'
-  set vpn ipsec site-to-site peer 203.0.113.2 connection-type 'respond'
+  set vpn ipsec site-to-site peer 203.0.113.2 connection-type 'initiate'
   set vpn ipsec site-to-site peer 203.0.113.2 description 'AZURE PRIMARY TUNNEL'
   set vpn ipsec site-to-site peer 203.0.113.2 ike-group 'AZURE'
   set vpn ipsec site-to-site peer 203.0.113.2 ikev2-reauth 'inherit'

diff --git a/docs/configexamples/azure-vpn-dual-bgp.rst b/docs/configexamples/azure-vpn-dual-bgp.rst
@@ -110,7 +110,7 @@ Vyos configuration
   set vpn ipsec site-to-site peer azure-primary authentication local-id '198.51.100.3'
   set vpn ipsec site-to-site peer azure-primary authentication mode 'pre-shared-secret'
   set vpn ipsec site-to-site peer azure-primary authentication remote-id '203.0.113.2'
-  set vpn ipsec site-to-site peer azure-primary connection-type 'respond'
+  set vpn ipsec site-to-site peer azure-primary connection-type 'initiate'
   set vpn ipsec site-to-site peer azure-primary description 'AZURE PRIMARY TUNNEL'
   set vpn ipsec site-to-site peer azure-primary ike-group 'AZURE'
   set vpn ipsec site-to-site peer azure-primary ikev2-reauth 'inherit'
@@ -122,7 +122,7 @@ Vyos configuration
   set vpn ipsec site-to-site peer azure-secondary authentication local-id '198.51.100.3'
   set vpn ipsec site-to-site peer azure-secondary authentication mode 'pre-shared-secret'
   set vpn ipsec site-to-site peer azure-secondary authentication remote-id '203.0.113.3'
-  set vpn ipsec site-to-site peer azure-secondary connection-type 'respond'
+  set vpn ipsec site-to-site peer azure-secondary connection-type 'initiate'
   set vpn ipsec site-to-site peer azure-secondary description 'AZURE secondary TUNNEL'
   set vpn ipsec site-to-site peer azure-secondary ike-group 'AZURE'
   set vpn ipsec site-to-site peer azure-secondary ikev2-reauth 'inherit'

diff --git a/docs/configexamples/policy-based-ipsec-and-firewall.rst b/docs/configexamples/policy-based-ipsec-and-firewall.rst
@@ -106,7 +106,7 @@ IPSec configuration:
     set vpn ipsec ike-group IKE-GROUP proposal 1 hash 'sha256'
     set vpn ipsec interface 'eth0'
     set vpn ipsec site-to-site peer LEFT authentication mode 'pre-shared-secret'
-    set vpn ipsec site-to-site peer LEFT connection-type 'respond'
+    set vpn ipsec site-to-site peer LEFT connection-type 'none'
     set vpn ipsec site-to-site peer LEFT default-esp-group 'ESP-GROUP'
     set vpn ipsec site-to-site peer LEFT ike-group 'IKE-GROUP'
     set vpn ipsec site-to-site peer LEFT local-address '192.0.2.130'

diff --git a/docs/configuration/vpn/ipsec/site2site_ipsec.rst b/docs/configuration/vpn/ipsec/site2site_ipsec.rst
@@ -78,7 +78,7 @@
    * If Route based VPN is used
        * IP of the VTI interface is 10.0.0.1/30

 .. note:: We do not recommend using policy-based vpn and route-based vpn configurations to the same peer.

 **1. Configure ike-group (IKE Phase 1)**

@@ -108,7 +108,7 @@

    set vpn ipsec interface eth0

 **4. Configure PSK keys and authentication ids for this key if authentication type is PSK**

 .. code-block:: none

@@ -146,14 +146,14 @@

 **6. Depends to vpn type (route-based vpn or policy-based vpn).**

   **6.1 For Policy-based VPN configure SAs using tunnel command specifying remote and local networks.**

    .. code-block:: none

        set vpn ipsec site-to-site peer PEER1 tunnel 1 local prefix '192.168.10.0/24'
        set vpn ipsec site-to-site peer PEER1 tunnel 1 remote prefix '192.168.50.0/24'

   **6.2 For Route-based VPN create VTI interface, set IP address to this interface and bind this interface to the vpn peer.**

    .. code-block:: none

@@ -243,29 +243,29 @@
  address. Useful in case if the remote peer is behind NAT
  or if ``mode x509`` is used.

 .. cfgcmd:: set vpn ipsec site-to-site peer <name> authentication rsa local-key <key>

  Name of PKI key-pair with local private key.

 .. cfgcmd:: set vpn ipsec site-to-site peer <name> authentication rsa remote-key <key>

  Name of PKI key-pair with remote public key.

 .. cfgcmd:: set vpn ipsec site-to-site peer <name> authentication rsa passphrase <passphrase>

  Local private key passphrase.

 .. cfgcmd:: set vpn ipsec site-to-site peer <name> authentication use-x509-id <id>

  Use local ID from x509 certificate. Cannot be used when
  ``id`` is defined.

 .. cfgcmd:: set vpn ipsec site-to-site peer <name> authentication x509 ca-certificate <name>

  Name of CA certificate in PKI configuration. Using for authenticating
  remote peer in x509 mode.

 .. cfgcmd:: set vpn ipsec site-to-site peer <name> authentication x509 certificate <name>

  Name of certificate in PKI configuration, which will be used
  for authenticating local router on remote peer.
@@ -285,14 +285,32 @@
     after configuring and after boot. In this mode the connection will
     not be restarted in case of disconnection, therefore should be used
     only together with DPD or another session tracking methods.
-  * **respond** - does not try to initiate a connection to a remote
-    peer. In this mode, the IPsec session will be established only
-    after initiation from a remote peer. Could be useful when there
-    is no direct connectivity to the peer due to firewall or NAT in
-    the middle of the local and remote side.
+
+  * **trap** - does not try to initiate a connection to a remote
+    peer immediately. Instead, it installs a trap policy that will
+    trigger IKE negotiation and establish the IPsec session when
+    matching traffic is sent from the local side. This can be useful
+    when there is no direct connectivity to the peer due to firewall
+    or NAT in the middle of the local and remote side.
+
+    .. warning:: The ``trap`` mode is not needed in most environments 
+       and can lead to connection confusion or unintended tunnel uptime 
+       behavior if used incorrectly. Using this mode requires careful
+       coordination with parameters such as ``close-action`` and DPD.
+       For most deployments, use ``initiate`` and ``none`` as described below.
+
   * **none** - loads the connection only, which then can be manually
     initiated or used as a responder configuration.
 
+  .. note:: For most site-to-site VPNs, configure one peer
+     with ``connection-type initiate`` (active side) and the other peer
+     with ``connection-type none`` (passive side) to
+     ensure stable and predictable tunnel behavior.
+     When using ``connection-type initiate``, you must also configure
+     DPD or another session tracking method (such as ``close-action``)
+     to automatically re-establish the tunnel after a disconnection.
+     Otherwise, the tunnel will not reconnect automatically if it goes down.
+
 .. cfgcmd:: set vpn ipsec site-to-site peer <name> default-esp-group <name>
 
   Name of ESP group to use by default for traffic encryption.
@@ -566,7 +584,7 @@
   set vpn ipsec site-to-site peer PEER1 authentication local-id '10.0.2.2'
   set vpn ipsec site-to-site peer PEER1 authentication mode 'pre-shared-secret'
   set vpn ipsec site-to-site peer PEER1 authentication remote-id '10.0.1.2'
-  set vpn ipsec site-to-site peer PEER1 connection-type 'respond'
+  set vpn ipsec site-to-site peer PEER1 connection-type 'none'
   set vpn ipsec site-to-site peer PEER1 default-esp-group 'ESP-GRPOUP'
   set vpn ipsec site-to-site peer PEER1 ike-group 'IKE-GROUP'
   set vpn ipsec site-to-site peer PEER1 local-address '10.0.2.2'
@@ -696,7 +714,7 @@
   set vpn ipsec site-to-site peer PEER1 authentication local-id '10.0.2.2'
   set vpn ipsec site-to-site peer PEER1 authentication mode 'pre-shared-secret'
   set vpn ipsec site-to-site peer PEER1 authentication remote-id '10.0.1.2'
-  set vpn ipsec site-to-site peer PEER1 connection-type 'respond'
+  set vpn ipsec site-to-site peer PEER1 connection-type 'none'
   set vpn ipsec site-to-site peer PEER1 default-esp-group 'ESP-GRPOUP'
   set vpn ipsec site-to-site peer PEER1 ike-group 'IKE-GROUP'
   set vpn ipsec site-to-site peer PEER1 local-address '10.0.2.2'

diff --git a/docs/configuration/vpn/rsa-keys.rst b/docs/configuration/vpn/rsa-keys.rst
@@ -77,7 +77,7 @@ On the LEFT (static address):
   set vpn ipsec site-to-site peer @RIGHT default-esp-group MyESPGroup
   set vpn ipsec site-to-site peer @RIGHT ike-group MyIKEGroup
   set vpn ipsec site-to-site peer @RIGHT local-address 192.0.2.10
-  set vpn ipsec site-to-site peer @RIGHT connection-type respond
+  set vpn ipsec site-to-site peer @RIGHT connection-type none
   set vpn ipsec site-to-site peer @RIGHT tunnel 1 local prefix 192.168.99.1/32  # Additional loopback address on the local
   set vpn ipsec site-to-site peer @RIGHT tunnel 1 remote prefix 192.168.99.2/32 # Additional loopback address on the remote