Netgate Discussion Forum

How to reset Racoon service from command line

9 Posts 2 Posters 16.8k Views
  • V
    Vorkbaard
    last edited by Mar 3, 2010, 10:39 AM

    How can I reset the Racoon service from the command line? I'd like to schedule it to reset every night as it seems to prevent a problem where certain users can make a tunnel but can't send data over it.

    (I know I should look for a solution instead of a workaround but there are some reasons I don't. I can elaborate on them if you wish.)

    1 Reply Last reply Reply Quote 0
    • J
      jimp Rebel Alliance Developer Netgate
      last edited by Mar 3, 2010, 2:22 PM

      You could try to enable the "Prefer Old IPsec SA" option under System > Advanced. That seems to improve such situations for me when dealing with third-party devices and clients.

      If you must reset racoon every night, just make up a small PHP shell script to run vpn_ipsec_configure(); and schedule it via cron.

      Something like this should suffice:

      /root/resetipsec.php

      #!/usr/local/bin/php -q
      <?php
      // pfSense IPsec/VPN functions
      include 'vpn.inc';
      
      vpn_ipsec_configure();
      ?>
      

      then chmod a+x /root/resetipsec.php, and try to run it. It should reset all the IPsec tunnels and restart racoon.

      You can install the cron package and then add a command to run it nightly at whatever time you like.

      Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

      Need help fast? Netgate Global Support!

      Do not Chat/PM for help!

      1 Reply Last reply Reply Quote 0
      • V
        Vorkbaard
        last edited by Mar 3, 2010, 2:38 PM

        Thanks for your response, jimp. We're using the Shrew Soft VPN client, do you count that as "third party"? I'll try the Prefer Old IPSec SA option first.

        1 Reply Last reply Reply Quote 0
        • J
          jimp Rebel Alliance Developer Netgate
          last edited by Mar 3, 2010, 2:43 PM

          Technically yes, but I've not had any such problems with the shrew client. However, I also haven't tried to leave it connected for any length of time.

          Usually I'll see this kind of thing when connecting to a device like a WatchGuard Firebox, Linksys router, etc.

          1 Reply Last reply Reply Quote 0
          • V
            Vorkbaard
            last edited by Mar 3, 2010, 8:41 PM Mar 3, 2010, 8:35 PM

            I created the script and ran it from the command line; it ran without any problems but it doesn't seem to do anything. Nothing gets logged and my connection doesn't get interrupted.

            I created the exact same script you wrote up, did the chmod, ran from both SSH connection and the Command-thingie in the web gui, same result, namely nothing.

            Am I missing something? Resetting the Racoon service via the Services menu tends to disconnect open tunnels. Thanks so much for your help, it's much appreciated!

            /edit
            Hey I found a workaround, I can use wget on my Windows server to spider the reset button. Not very elegant but it takes the pressure off.

            1 Reply Last reply Reply Quote 0
            • J
              jimp Rebel Alliance Developer Netgate
              last edited by Mar 3, 2010, 9:43 PM

              Try this:

              #!/usr/local/bin/php -q
              <?php
              // pfSense IPsec/VPN functions, plus the configuration include
              require_once('vpn.inc');
              require_once('config.inc');
              
              vpn_ipsec_configure();
              ?>
              

              I don't have a spare box with any active IPsec tunnels to try at the moment, but I can see why it might fail without that other file included. (I thought it was pulled in by one of the other files but it may not have been)

              1 Reply Last reply Reply Quote 0
              • V
                Vorkbaard
                last edited by Mar 3, 2010, 9:57 PM

                Same result, sorry. Feel free to try again and I'll happily keep testing but I understand if you have better things to do :)

                Thanks again jimp!

                1 Reply Last reply Reply Quote 0
                • J
                  jimp Rebel Alliance Developer Netgate
                  last edited by Mar 4, 2010, 12:43 AM

                  It helps when I read the code properly… :)

                  This works, I tested it just now:

                  #!/usr/local/bin/php -q
                  <?php
                  // pfSense IPsec/VPN functions
                  require_once('vpn.inc');
                  
                  vpn_ipsec_force_reload();
                  ?>
                  

                  1 Reply Last reply Reply Quote 0
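Added example, not part of jimp's post or of pfSense: a POSIX sh wrapper for the cron job that runs /root/resetipsec.php and checks whether racoon was actually restarted, so a script that "runs without problems but does nothing", as the first attempt in this thread did, shows up in the system log. The wrapper file name, the settle delay and the `resetipsec` log tag are assumptions, as is that a successful reload leaves racoon running under a new PID.

```shell
#!/bin/sh
# Added example, not from the thread: run the reset script and confirm that
# racoon really was restarted, so a silent no-op shows up in the system log.
RESET_SCRIPT="${RESET_SCRIPT:-/root/resetipsec.php}"  # path used in the thread
DAEMON="${DAEMON:-racoon}"
SETTLE_SECS="${SETTLE_SECS:-10}"   # assumed time for the daemon to come back

# Print the PID of the first process with exactly this name, or nothing.
daemon_pid() {
    pgrep -x "$1" 2>/dev/null | head -n 1
}

# Compare the PID seen before ($1) and after ($2) the reset.
restart_status() {
    if [ -z "$2" ]; then
        echo "down"          # daemon is not running after the reset
    elif [ -z "$1" ]; then
        echo "started"       # was not running before, is running now
    elif [ "$1" = "$2" ]; then
        echo "unchanged"     # same process: the script did nothing
    else
        echo "restarted"
    fi
}

# Run the reset, log the outcome, return non-zero unless racoon is fresh.
run_reset() {
    before=$(daemon_pid "$DAEMON")
    if "$RESET_SCRIPT" >/dev/null 2>&1; then
        sleep "$SETTLE_SECS"
        status=$(restart_status "$before" "$(daemon_pid "$DAEMON")")
    else
        status="failed"      # script missing, not executable, or it errored
    fi
    logger -t resetipsec "$DAEMON $status (pid before: ${before:-none})" 2>/dev/null || true
    echo "$status"
    case "$status" in
        restarted|started) return 0 ;;
        *) return 1 ;;
    esac
}

# Only act when asked to, e.g. from cron (hypothetical file name):
#   30 3 * * * /root/resetipsec-check.sh --run
if [ "${1:-}" = "--run" ]; then
    run_reset
fi
```

Because cron runs this as root, keep both the wrapper and /root/resetipsec.php owned by root and not writable by other users.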
                  • V
                    Vorkbaard
                    last edited by Mar 4, 2010, 7:46 PM

                    Like a charm, thank you!

                    1 Reply Last reply Reply Quote 0
                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.