How to reset Racoon service from command line
-
How can I reset the Racoon service from the command line? I'd like to schedule it to reset every night, as it seems to prevent a problem where certain users can make a tunnel but can't send data over it.
(I know I should look for a solution instead of a workaround, but there are some reasons I don't. I can elaborate on them if you wish.)
-
You could try to enable the "Prefer Old IPsec SA" option under System > Advanced. That seems to improve such situations for me when dealing with third-party devices and clients.
If you must reset racoon every night, just make up a small PHP shell script to run vpn_ipsec_configure(); and schedule it via cron.
Something like this should suffice:
/root/resetipsec.php

#!/usr/local/bin/php -q
<?php
include 'vpn.inc';
vpn_ipsec_configure();
?>
Then chmod a+x /root/resetipsec.php and try to run it. It should reset all the IPsec tunnels and restart racoon.
You can install the cron package and then add a command to run it nightly at whatever time you like.
-
Thanks for your response, jimp. We're using the Shrew Soft vpn client, do you count that as "third party"? I'll try the Prefer Old IPSec SA option first.
-
Technically yes, but I've not had any such problems with the shrew client. However, I also haven't tried to leave it connected for any length of time.
Usually I'll see this kind of thing when connecting to a device like a watchguard firebox, linksys router, etc.
-
I created the script and ran it from the command line; it ran without any problems, but it doesn't seem to do anything. Nothing gets logged and my connection doesn't get interrupted.
I created the exact same script you wrote up, did the chmod, and ran it from both an SSH connection and the Command-thingie in the web GUI, with the same result, namely nothing.
Am I missing something? Resetting the Racoon service via the Services menu tends to disconnect open tunnels. Thanks so much for your help, it's much appreciated!
/edit
Hey, I found a workaround: I can use wget on my Windows server to spider the reset button. Not very elegant, but it takes the pressure off.
-
Try this:
#!/usr/local/bin/php -q
<?php
require_once('vpn.inc');
require_once('config.inc');
vpn_ipsec_configure();
?>
I don't have a spare box with any active IPsec tunnels to try at the moment, but I can see why it might fail without that other file included. (I thought it was pulled in by one of the other files but it may not have been)
-
Same result, sorry. Feel free to try again and I'll happily keep testing but I understand if you have better things to do :)
Thanks again jimp!
-
It helps when I read the code properly… :)
This works, I tested it just now:
#!/usr/local/bin/php -q
<?php
require_once('vpn.inc');
vpn_ipsec_force_reload();
?>
-
Like a charm, thank you!
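A nightly reset that silently does nothing (the problem hit halfway through this thread, where the script ran cleanly but racoon was never restarted) is worse than no reset, because nobody notices until users complain. The wrapper below is an added example, not code from the thread or from pfSense: it runs the reset script, compares racoon's PID before and after, and reports the outcome to syslog and through its exit status so a cron job can be monitored. It assumes the reset script lives at /root/resetipsec.php as in the posts above, that the daemon shows up in pgrep as "racoon", and that pgrep and logger from the FreeBSD base system are available; the wrapper filename and the cron line in the comments are hypothetical.

```sh
#!/bin/sh
# Added example (not from the thread): wrapper that verifies the reset script
# actually restarted racoon. Assumptions: /root/resetipsec.php is the script from
# the thread, the daemon's process name is "racoon", pgrep and logger exist.
set -u

# log MSG: write to syslog with tag "resetipsec"; fall back to stderr if
# logger is unavailable (e.g. when exercising the functions on another host).
log() {
    logger -t resetipsec "$*" 2>/dev/null || echo "resetipsec: $*" >&2
}

# pid_of NAME: print the PID of the first process named exactly NAME,
# or nothing if it is not running.
pid_of() {
    pgrep -x "$1" 2>/dev/null | head -n 1
}

# verify_restart BEFORE AFTER: judge a restart from the PIDs seen before and
# after the reset. Exit status: 0 = restarted (new PID), 1 = same PID, so the
# reset did nothing, 2 = daemon not running afterwards.
verify_restart() {
    before=$1
    after=$2
    [ -n "$after" ] || return 2
    [ "$before" != "$after" ] || return 1
    return 0
}

# reset_ipsec SCRIPT DAEMON: run the reset script, wait for the daemon to come
# back, then report. Exit status as verify_restart, plus 3 = script failed.
reset_ipsec() {
    script=$1
    daemon=$2
    before=$(pid_of "$daemon")
    if ! "$script"; then
        log "reset script $script failed"
        return 3
    fi
    sleep 3                       # give racoon a moment to be respawned
    after=$(pid_of "$daemon")
    verify_restart "$before" "$after"
    rc=$?
    case $rc in
        0) log "$daemon restarted (pid ${before:-none} -> $after)" ;;
        1) log "$daemon still pid $after, reset had no effect" ;;
        2) log "$daemon is not running after reset" ;;
    esac
    return $rc
}

# Invoke as "resetipsec-wrapper.sh run" from cron, e.g. (hypothetical entry
# for the cron package mentioned in the thread):
#   0 3 * * * /root/resetipsec-wrapper.sh run
# Without the "run" argument the file only defines the functions.
if [ "${1:-}" = "run" ]; then
    reset_ipsec "${2:-/root/resetipsec.php}" "${3:-racoon}"
fi
```

Exit status 1 is the case from this thread (script runs, racoon untouched); alerting on any non-zero status from the cron job catches it the first night instead of weeks later.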