Netgate Discussion Forum
[SOLVED] How to restart ipsec service from command line

IPsec
    • D
      deajan
      last edited by

      Hello,

I stumbled upon this http://forum.pfsense.org/index.php/topic,23327.0.html forum message, where jimp suggested a script to be able to reload the ipsec racoon service from the command line.

Here's the slightly modified version that works for pfSense 2.1.

      Create a file called /root/reset_ipsec.php with the following content

```php
#!/usr/local/bin/php -q
<?php
// Pull in the pfSense service helpers and the IPsec functions
// (the include path of pfSense's PHP CLI already contains /etc/inc).
require_once("service-utils.inc");
require_once('vpn.inc');

// Force a full reload of the IPsec configuration and daemon.
vpn_ipsec_force_reload();

exit;
?>
```

Make it executable with:

```sh
chmod +x /root/reset_ipsec.php
```

      Now you can run /root/reset_ipsec.php directly from cron.
      
      Cheers.

      NetPOWER.fr - some opensource stuff for IT people

      • jimpJ
        jimp Rebel Alliance Developer Netgate
        last edited by

        2.1 has one built in:

```sh
pfSsh.php playback restartipsec
```

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

        • D
          deajan
          last edited by

Didn't read the fine manual yet, I guess I should :)
          Thanks.

          • E
            esquire1968
            last edited by

            Hi!

            Thanks for your script, it worked well with 2.1.5.

With 2.2 it doesn't work?! Could you post an update, please?

The script works when I stop the service beforehand.

            Best regards,
            esquire1968

            • jimpJ
              jimp Rebel Alliance Developer Netgate
              last edited by

Unfortunately it's not a simple fix. I pushed a correction to the code repository; it will work again in 2.2.1.

              Once the commit shows up on github it could be applied with the system patches package.

              • E
                esquire1968
                last edited by

                Hi!

Sorry, it doesn't work. With the command pfSsh.php playback restartipsec, I get the following error:

```
Warning: Invalid argument supplied for foreach() in /etc/inc/vpn.inc on line 50
```

Starting with line 46 of /etc/inc/vpn.inc:

```php
46 {
47	global $config, $ipsec_loglevels;
48
49	$cfgtext = array();
50	foreach ($ipsec_loglevels as $lkey => $ldescr) {
51		if (!isset($config['ipsec']["ipsec_{$lkey}"]) && !$forconfig)
52			mwexec("/usr/local/sbin/ipsec stroke loglevel {$lkey} -- -1", false);
53		else if (is_numeric($config['ipsec']["ipsec_{$lkey}"]) &&
54		    intval($config['ipsec']["ipsec_{$lkey}"]) >= 0 && intval($config['ipsec']["ipsec_{$lkey}"]) <= 5)
55			$forconfig ? $cfgtext[] = "${lkey} " . (intval($config['ipsec']["ipsec_{$lkey}"]) - 1) :
56				mwexec("/usr/local/sbin/ipsec stroke loglevel {$lkey} " . (intval($config['ipsec']["ipsec_{$lkey}"]) - 1) , false);
57	}
58	if ($forconfig)
59		return implode(',', $cfgtext);
60 }
```

                What's wrong?

                Best regards,
                esquire1968

                • D
                  doktornotor Banned
                  last edited by

                  You need the patch as noted above…

                  https://redmine.pfsense.org/projects/pfsense/repository/revisions/01f3438e7ab91d29751fc27a4627a98c8cba2b4b

                  • E
                    esquire1968
                    last edited by

                    Hi!

Thanks for your answer. With the patch I get no error message, but it doesn't work. I get the following log:

```
Feb 7 08:59:49 charon: 08[NET] error writing to socket: Can't assign requested address
Feb 7 08:59:49 charon: 10[NET] sending packet: from yyy.yyy.yyy.yyy[500] to xxx.xxx.xxx.xxx[500] (200 bytes)
Feb 7 08:59:49 charon: 10[IKE] sending retransmit 5 of request message ID 0, seq 1
Feb 7 08:59:49 charon: 10[IKE] <con1|2>sending retransmit 5 of request message ID 0, seq 1
Feb 7 08:59:07 charon: 08[NET] error writing to socket: Can't assign requested address
Feb 7 08:59:07 charon: 10[NET] sending packet: from yyy.yyy.yyy.yyy[500] to xxx.xxx.xxx.xxx[500] (200 bytes)
Feb 7 08:59:07 charon: 10[IKE] sending retransmit 4 of request message ID 0, seq 1
Feb 7 08:59:07 charon: 10[IKE] <con1|2>sending retransmit 4 of request message ID 0, seq 1
Feb 7 08:58:46 ipsec_starter[22573]:
Feb 7 08:58:46 ipsec_starter[22573]: 'con1' routed
Feb 7 08:58:46 charon: 10[CFG] received stroke: route 'con1'
Feb 7 08:58:46 charon: 11[CFG] added configuration 'con1'
Feb 7 08:58:46 charon: 11[CFG] left nor right host is our side, assuming left=local
Feb 7 08:58:46 charon: 11[CFG] received stroke: add connection 'con1'
Feb 7 08:58:46 charon: 10[CFG] deleted connection 'con1'
Feb 7 08:58:46 charon: 10[CFG] received stroke: delete connection 'con1'
Feb 7 08:58:46 ipsec_starter[22573]:
Feb 7 08:58:46 charon: 16[CFG] received stroke: unroute 'con1'
Feb 7 08:58:46 charon: 11[CFG] rereading crls from '/var/etc/ipsec/ipsec.d/crls'
Feb 7 08:58:46 charon: 11[CFG] rereading attribute certificates from '/var/etc/ipsec/ipsec.d/acerts'
Feb 7 08:58:46 charon: 11[CFG] rereading aa certificates from '/var/etc/ipsec/ipsec.d/aacerts'
Feb 7 08:58:46 charon: 11[CFG] rereading ocsp signer certificates from '/var/etc/ipsec/ipsec.d/ocspcerts'
Feb 7 08:58:46 charon: 11[CFG] loaded ca certificate "C=CA, ST=XX, L=XXX, O=XXX, CN=XX CA, E=xx.xx@xx.com" from '/var/etc/ipsec/ipsec.d/cacerts/df28683a.0.crt'
Feb 7 08:58:46 charon: 11[CFG] loaded ca certificate "C=AT, ST=XX, L=XX, O=XX, E=xxx.xxx@xxx.com, CN=XX" from '/var/etc/ipsec/ipsec.d/cacerts/a9025906.0.crt'
Feb 7 08:58:46 charon: 11[CFG] rereading ca certificates from '/var/etc/ipsec/ipsec.d/cacerts'
Feb 7 08:58:46 charon: 11[CFG] loaded IKE secret for %any xxx.xxx.xxx.xxx
Feb 7 08:58:46 charon: 11[CFG] loading secrets from '/var/etc/ipsec/ipsec.secrets'
Feb 7 08:58:46 charon: 11[CFG] rereading secrets
Feb 7 08:58:44 charon: 08[NET] error writing to socket: Can't assign requested address
Feb 7 08:58:44 charon: 16[NET] sending packet: from yyy.yyy.yyy.yyy[500] to xxx.xxx.xxx.xxx[500] (200 bytes)
Feb 7 08:58:44 charon: 16[IKE] sending retransmit 3 of request message ID 0, seq 1
```

                    When I use the "restart ipsec service"-button, it works well! Here is the log:

```
Feb 7 09:08:55 charon: 03[IKE] IKE_SA con1[1] established between yyy.yyy.yyy.yyy[yyy.yyy.yyy.yyy]...xxx.xxx.xxx.xxx[xxx.xxx.xxx.xxx]
Feb 7 09:08:55 charon: 03[IKE] <con1|1>IKE_SA con1[1] established between yyy.yyy.yyy.yyy[yyy.yyy.yyy.yyy]...xxx.xxx.xxx.xxx[xxx.xxx.xxx.xxx]
Feb 7 09:08:55 charon: 03[CFG] selected peer config "con1"
Feb 7 09:08:55 charon: 03[CFG] looking for pre-shared key peer configs matching yyy.yyy.yyy.yyy...xxx.xxx.xxx.xxx[xxx.xxx.xxx.xxx]
Feb 7 09:08:55 charon: 03[ENC] parsed ID_PROT request 0 [ ID HASH ]
Feb 7 09:08:55 charon: 03[NET] received packet: from xxx.xxx.xxx.xxx[500] to yyy.yyy.yyy.yyy[500] (76 bytes)
Feb 7 09:08:55 charon: 03[NET] sending packet: from yyy.yyy.yyy.yyy[500] to xxx.xxx.xxx.xxx[500] (260 bytes)
Feb 7 09:08:55 charon: 03[ENC] generating ID_PROT response 0 [ KE No ]
Feb 7 09:08:55 charon: 03[ENC] parsed ID_PROT request 0 [ KE No ]
Feb 7 09:08:55 charon: 03[NET] received packet: from xxx.xxx.xxx.xxx[500] to yyy.yyy.yyy.yyy[500] (292 bytes)
Feb 7 09:08:54 charon: 03[NET] sending packet: from yyy.yyy.yyy.yyy[500] to xxx.xxx.xxx.xxx[500] (136 bytes)
Feb 7 09:08:54 charon: 03[ENC] generating ID_PROT response 0 [ SA V V V ]
Feb 7 09:08:54 charon: 03[IKE] xxx.xxx.xxx.xxx is initiating a Main Mode IKE_SA
Feb 7 09:08:54 charon: 03[IKE] <1> xxx.xxx.xxx.xxx is initiating a Main Mode IKE_SA
Feb 7 09:08:54 charon: 03[IKE] received DPD vendor ID
Feb 7 09:08:54 charon: 03[IKE] <1> received DPD vendor ID
Feb 7 09:08:54 charon: 03[ENC] parsed ID_PROT request 0 [ SA V ]
Feb 7 09:08:54 charon: 03[NET] received packet: from xxx.xxx.xxx.xxx[500] to yyy.yyy.yyy.yyy[500] (104 bytes)
Feb 7 09:08:51 ipsec_starter[79219]:
Feb 7 09:08:51 ipsec_starter[79219]: 'con1' routed
Feb 7 09:08:51 charon: 07[CFG] received stroke: route 'con1'
Feb 7 09:08:51 charon: 03[CFG] added configuration 'con1'
Feb 7 09:08:51 charon: 03[CFG] received stroke: add connection 'con1'
Feb 7 09:08:51 ipsec_starter[79219]: charon (79273) started after 60 ms
Feb 7 09:08:51 charon: 00[JOB] spawning 16 worker threads
Feb 7 09:08:51 charon: 00[LIB] unable to load 6 plugin features (5 due to unmet dependencies)
Feb 7 09:08:51 charon: 00[LIB] loaded plugins: charon unbound aes des blowfish rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey ipseckey pem openssl fips-prf gmp xcbc cmac hmac curl attr kernel-pfkey kernel-pfroute resolve socket-default stroke smp updown eap-identity eap-sim eap-aka eap-aka-3gpp2 eap-md5 eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap xauth-generic xauth-eap whitelist addrblock unity
Feb 7 09:08:51 charon: 00[CFG] loaded 0 RADIUS server configurations
Feb 7 09:08:51 charon: 00[CFG] opening triplet file /var/etc/ipsec/ipsec.d/triplets.dat failed: No such file or directory
Feb 7 09:08:51 charon: 00[CFG] loaded IKE secret for %any xxx.xxx.xxx.xxx
Feb 7 09:08:51 charon: 00[CFG] loading secrets from '/var/etc/ipsec/ipsec.secrets'
Feb 7 09:08:51 charon: 00[CFG] loading crls from '/var/etc/ipsec/ipsec.d/crls'
Feb 7 09:08:51 charon: 00[CFG] loading attribute certificates from '/var/etc/ipsec/ipsec.d/acerts'
Feb 7 09:08:51 charon: 00[CFG] loading ocsp signer certificates from '/var/etc/ipsec/ipsec.d/ocspcerts'
Feb 7 09:08:51 charon: 00[CFG] loading aa certificates from '/var/etc/ipsec/ipsec.d/aacerts'
Feb 7 09:08:51 charon: 00[CFG] loaded ca certificate "C=EH, ST=XX L=XXX, O=XXX, CN=XXX CA, E=xxx.xxx@xxx.com" from '/var/etc/ipsec/ipsec.d/cacerts/df28683a.0.crt'
Feb 7 09:08:51 charon: 00[CFG] loaded ca certificate "C=AT, ST=XX, L=XXX, O=XXX, E=xxx.xxx@xxx.com, CN=XXX ca" from '/var/etc/ipsec/ipsec.d/cacerts/a9025906.0.crt'
Feb 7 09:08:51 charon: 00[CFG] loading ca certificates from '/var/etc/ipsec/ipsec.d/cacerts'
Feb 7 09:08:51 charon: 00[CFG] ipseckey plugin is disabled
Feb 7 09:08:51 charon: 00[NET] enabling UDP decapsulation for IPv6 on port 4500 failed
Feb 7 09:08:51 charon: 00[KNL] unable to set UDP_ENCAP: Invalid argument
Feb 7 09:08:51 charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.2.1, FreeBSD 10.1-RELEASE-p4, amd64)
Feb 7 09:08:51 ipsec_starter[78836]: no known IPsec stack detected, ignoring!
Feb 7 09:08:51 ipsec_starter[78836]: no KLIPS IPsec stack detected
Feb 7 09:08:51 ipsec_starter[78836]: no netkey IPsec stack detected
Feb 7 09:08:51 ipsec_starter[78836]: Starting strongSwan 5.2.1 IPsec [starter]...
```

                    Best regards,
                    esquire1968

                    • D
                      doktornotor Banned
                      last edited by

I frankly have no idea what the difference between the button and the script is. The button may work perfectly fine, except for the fact that it fails to apply the changed configuration here, so it's totally useless. So the only workable way to really restart this thing is stop and start (I always thought restart would do that, but here apparently some reload attempt is made, or God knows what…). Can't see myself falling in love with strongSwan any time soon.

                      • E
                        esquire1968
                        last edited by

                        Hi again!

The effect of the script and the "restart button" is the same: it doesn't work. See the log below:

```
Feb 11 19:04:57 charon: 13[CFG] rereading crls from '/var/etc/ipsec/ipsec.d/crls'
Feb 11 19:04:57 charon: 13[CFG] rereading attribute certificates from '/var/etc/ipsec/ipsec.d/acerts'
Feb 11 19:04:57 charon: 13[CFG] rereading aa certificates from '/var/etc/ipsec/ipsec.d/aacerts'
Feb 11 19:04:57 charon: 13[CFG] rereading ocsp signer certificates from '/var/etc/ipsec/ipsec.d/ocspcerts'
Feb 11 19:04:57 charon: 13[CFG] loaded ca certificate "C=EH, ST=xx, L=xxx, O=xxx, CN=xxx, E=xxx@xxx.com from '/var/etc/ipsec/ipsec.d/cacerts/df28683a.0.crt'
Feb 11 19:04:57 charon: 13[CFG] loaded ca certificate "C=AT, ST=yy, L=yyy, O=yyy, E=yyy@yyy.com, CN=yyy" from '/var/etc/ipsec/ipsec.d/cacerts/a9025906.0.crt'
Feb 11 19:04:57 charon: 13[CFG] rereading ca certificates from '/var/etc/ipsec/ipsec.d/cacerts'
Feb 11 19:04:57 charon: 13[CFG] loaded IKE secret for %any nnn.nnn.nnn.nnn
Feb 11 19:04:57 charon: 13[CFG] loading secrets from '/var/etc/ipsec/ipsec.secrets'
```

                        What is wrong here?

The tunnel only works with the buttons <Stop IPsec Service> and then <Start IPsec Service>.

Do you have any idea what I can do? Maybe a script that stops AND restarts the connection…

The reason I need a solution is that my internet connection drops every 24 hours (daily at 05:10); I get a new IP and the DynDNS entry is updated. IPsec tries to establish the tunnel with the old IP - I don't know why.

I'm thankful for any tips.

                        Best regards
                        esquire1968

                        • D
                          doktornotor Banned
                          last edited by

                          @esquire1968:

What is wrong here?
The tunnel only works with the buttons <Stop IPsec Service> and then <Start IPsec Service>.
Do you have any idea what I can do? Maybe a script that stops AND restarts the connection…

                          No, NFC. Nada. Nothing. Zero. Strongswan suxxx…

                          https://redmine.pfsense.org/issues/4268
                          https://redmine.pfsense.org/issues/4353

                          • jimpJ
                            jimp Rebel Alliance Developer Netgate
                            last edited by

```sh
pfSsh.php playback svc stop ipsec; pfSsh.php playback svc start ipsec
```

                            The restart action was set to only refresh the configuration, to minimize disruption to running tunnels.

                            • E
                              esquire1968
                              last edited by

Sorry, I'm a little bit confused! :-[

Now I have 2 links to new files…

https://redmine.pfsense.org/projects/pfsense/repository/revisions/01f3438e7ab91d29751fc27a4627a98c8cba2b4b

... and ...

https://redmine.pfsense.org/projects/pfsense/repository/revisions/41da54ce14d2d43a5ce9738bd80b73355fa26180

Which is the right one?

Should I set up a cron job with the following command 1 minute after the new internet connection has been established:

```sh
pfSsh.php playback svc stop ipsec; pfSsh.php playback svc start ipsec
```

                              Best regards
                              esquire1968

                              • D
                                doktornotor Banned
                                last edited by

                                @esquire1968:

Sorry, I'm a little bit confused! :-[
Now I have 2 links to new files…

                                Does not matter. Plus, the "restart" is apparently useless so just ignore the patch.

                                • E
                                  esquire1968
                                  last edited by

                                  Hi again!

When I run the following command via SSH, it works!

```sh
pfSsh.php playback svc stop ipsec; pfSsh.php playback svc start ipsec
```

The same command as a cron job does nothing!

```
12   5   *   *   *   root   pfSsh.php playback svc stop ipsec; pfSsh.php playback svc start ipsec
```

                                  Why? Pls help!

                                  Thx
                                  esquire1968

                                  • D
                                    doktornotor Banned
                                    last edited by

                                    Always use full paths with cron…

                                    • D
                                      doktornotor Banned
                                      last edited by

                                      @doktornotor:

                                      Always use full paths (like /usr/local/sbin/pfSsh.php) with cron…

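A cron-safe wrapper for the stop/start sequence jimp gave above, written here as an added example (it is neither pfSense's own code nor deajan's script). It uses the absolute /usr/local/sbin/pfSsh.php path doktornotor pointed out, and includes a small check that flags crontab command fields with relative command names, which is why esquire1968's cron line did nothing while the same command worked over SSH. The path of pfSsh.php and the DRY_RUN switch are assumptions.

```shell
#!/bin/sh
# Added example, not pfSense's own code. Restarts IPsec from cron the way
# jimp described (stop, then start) and lints crontab lines for the
# relative-path mistake that makes a cron job fail silently: cron's PATH is
# minimal, so "pfSsh.php" is not found there even though it is found in an
# interactive SSH shell.

PFSSH=/usr/local/sbin/pfSsh.php   # absolute path, as given in the thread (assumed)

# Print the command field of a system crontab line
# (min hour dom mon dow user command...) as one line of text.
crontab_cmd_field() {
    printf '%s\n' "$1" |
        awk '{ for (i = 7; i <= NF; i++) printf "%s%s", $i, (i < NF ? " " : "\n") }'
}

# Print every command word in a command field that is not an absolute path.
# Commands are split on ';', '&' and '|' so "a; b" and "a && b" both work.
relative_cmds() {
    printf '%s\n' "$1" | tr ';&|' '\n\n\n' | while read -r cmd rest; do
        case "$cmd" in
            ''|/*) ;;                  # empty segment or absolute path: fine
            *) printf '%s\n' "$cmd" ;;
        esac
    done
}

# Exit status 0 when every command in the field uses an absolute path.
cron_paths_ok() {
    [ -z "$(relative_cmds "$1")" ]
}

# The restart itself. With DRY_RUN=1 (assumed switch) it only prints the
# command line it would run; otherwise it stops, then starts, the service.
restart_ipsec() {
    cmd="$PFSSH playback svc stop ipsec; $PFSSH playback svc start ipsec"
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$cmd"
        return 0
    fi
    "$PFSSH" playback svc stop ipsec || return 1
    "$PFSSH" playback svc start ipsec
}

# Lint the crontab line from the thread before installing it.
line='12 5 * * * root pfSsh.php playback svc stop ipsec; pfSsh.php playback svc start ipsec'
if ! cron_paths_ok "$(crontab_cmd_field "$line")"; then
    echo "cron line uses relative commands:" >&2
    relative_cmds "$(crontab_cmd_field "$line")" >&2
fi
```

Install the fixed line with the absolute path in the crontab, or point the cron entry at this script by its full path; either way the command field should pass cron_paths_ok.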
                                      • E
                                        esquire1968
                                        last edited by

                                        Thanks! Now it works!

How can I reduce the log entries for IPsec? I have a lot of logs like this…

```
Feb 16 13:35:02 charon: 07[NET] sending packet: from xxx.xxx.xxx.xxx[500] to yyy.yyy.yyy.yyy[500] (92 bytes)
Feb 16 13:35:02 charon: 07[ENC] generating INFORMATIONAL_V1 request 851016784 [ HASH N(DPD_ACK) ]
Feb 16 13:35:02 charon: 07[ENC] parsed INFORMATIONAL_V1 request 703088055 [ HASH N(DPD) ]
Feb 16 13:35:02 charon: 07[NET] received packet: from xxx.xxx.xxx.xxx[500] to yyy.yyy.yyy.yyy[500] (92 bytes)
```

                                        'IPsec debug' is 'silent'.

Cheers
                                        esquire1968

                                        • K
                                          kapara
                                          last edited by

                                          With the new version 2.3 are we able to take advantage of all the strongswan commands?

I am running 2.2.6 and lost all connectivity to the GUI during setup of a VPN. Since I cannot reboot (business hours), I wanted to check the status of the VPNs, and I was able to run ipsec status from the shell and get details on all configured tunnels.

                                          https://wiki.strongswan.org/projects/strongswan/wiki/IpsecCommand

                                          Can we use this to restart the ipsec or is that not recommended?

                                          Skype ID:  Marinhd

                                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.