Added documentation and NEWS for closeaction

2 files changed, 9 insertions, 0 deletions

diff --git a/NEWS b/NEWS
index 30be51e44..f0322646b 100644
--- a/NEWS
+++ b/NEWS
@@ -4,6 +4,9 @@ strongswan-4.5.3
 - IMC/IMV test pair implementing the RFC 5792 PA-TNC (IF-M) protocol.
   (--enable-imc-test/--enable-imv-test).
 
+- The IKEv2 close action does not use the same value as the ipsec.conf dpdaction
+  setting, but the value defined by its own closeaction keyword. The action
+  is triggered if the remote peer closes a CHILD_SA unexpectedly.
 
 strongswan-4.5.2
 ----------------
diff --git a/man/ipsec.conf.5.in b/man/ipsec.conf.5.in
index 0390f0760..c80ad7fbf 100644
--- a/man/ipsec.conf.5.in
+++ b/man/ipsec.conf.5.in
@@ -367,6 +367,12 @@ See
 .IR strongswan.conf (5)
 for a description of the IKEv2 retransmission timeout.
 .TP
+.BR closeaction " = " none " | clear | hold | restart"
+defines the action to take if the remote peer unexpectedly closes a CHILD_SA
+(IKEv2 only, see dpdaction for meaning of values). A closeaction should not be
+used if the peer uses reauthentication or uniquids checking, as these events
+might trigger a closeaction when not desired.
+.TP
 .BR inactivity " = <time>"
 defines the timeout interval, after which a CHILD_SA is closed if it did
 not send or receive any traffic. Currently supported in IKEv2 connections only.