Monitoring IPSec with SNMP



  • I'm running pfSense 2.3.2 and I already have existing monitors set up in my Icinga system to monitor remote IP addresses of my client's system, but I'd like to be able to monitor if the Phase 1 or Phase 2 tunnels drop.  Is this possible with SNMP?  The reason the IP monitor isn't ideal is because our client sometimes takes the remote server offline for maintenance and doesn't tell us.  So we'd like to be alerted if the server goes down (server ping/port connection) and have an IPSec monitor if the tunnel drops.  If not, can a script be written to give me the same details that I can have Icinga/NRPE execute?


  • Rebel Alliance Developer Netgate

    It is not possible via the built-in SNMP, but it can be done with the net-snmp package using extended commands. You'd have to set up one extended command per tunnel that would check the output of, for example, "ipsec status con1000" for the first P2 of the first P1, "ipsec status con1001" for the second P2 of the first P1, "ipsec status con2000" for the first P2 of the second P1 and so on. Not so simple, but it can be done.
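    An added example of the per-tunnel check described above (not code from the thread or from Netgate): a POSIX shell script that grades the text of "ipsec status conNNNN" into Nagios/NRPE-style exit codes, so the same script can sit behind a net-snmp `extend` entry or an NRPE command. The function names, the script path in the snmpd.conf comment, and the sample status output are assumptions constructed for this example; the output format is strongSwan's as shipped with pfSense.

```shell
#!/bin/sh
# Added example, not from the thread: grade the output of "ipsec status <con>"
# for one pfSense IPsec connection and return a Nagios/NRPE-style exit code,
# so one script can back both an snmpd "extend" entry and an NRPE command.
# Assumes strongSwan's "ipsec status" text format and the con1000-style
# connection names described in the reply above.

# Usage: evaluate_status <con>  (status text on stdin)
# Exit: 0 = P1 established and a P2 CHILD_SA installed,
#       1 = P1 up but no installed P2, 2 = P1 not established.
evaluate_status() {
    con="$1"
    out="$(cat)"
    # IKE SA (Phase 1) lines look like:   con1000[3]: ESTABLISHED ...
    p1=$(printf '%s\n' "$out" | grep -Ec "^[[:space:]]*${con}\[[0-9]+\]: ESTABLISHED" || true)
    # CHILD_SA (Phase 2) lines look like: con1000{5}:  INSTALLED, TUNNEL, ...
    p2=$(printf '%s\n' "$out" | grep -Ec "^[[:space:]]*${con}[{][0-9]+[}]:[[:space:]]+INSTALLED" || true)
    if [ "$p1" -eq 0 ]; then
        echo "CRITICAL - $con: Phase 1 not established"
        return 2
    elif [ "$p2" -eq 0 ]; then
        echo "WARNING - $con: Phase 1 up, no installed Phase 2 CHILD_SA"
        return 1
    fi
    echo "OK - $con: IKE SA established, $p2 CHILD_SA installed"
    return 0
}

# Live use on the firewall, e.g. one line per tunnel in snmpd.conf:
#   extend ipsec_con1000 /usr/local/bin/check_ipsec.sh con1000
# (the script path and the ipsec binary being on PATH are assumptions)
check_ipsec_con() {
    ipsec status "$1" | evaluate_status "$1"
}

# Constructed sample outputs (not captured from a real firewall) for offline runs.
SAMPLE_UP='Security Associations (1 up, 0 connecting):
     con1000[3]: ESTABLISHED 17 minutes ago, 203.0.113.1[203.0.113.1]...198.51.100.2[198.51.100.2]
     con1000{5}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c1d2e3f4_i a5b6c7d8_o
     con1000{5}:   10.0.1.0/24 === 10.0.2.0/24'
SAMPLE_P1_ONLY='Security Associations (1 up, 0 connecting):
     con1000[3]: ESTABLISHED 2 seconds ago, 203.0.113.1[203.0.113.1]...198.51.100.2[198.51.100.2]'
SAMPLE_DOWN='Security Associations (0 up, 0 connecting):'

if [ "$#" -ge 1 ]; then
    check_ipsec_con "$1"
else
    printf '%s\n' "$SAMPLE_UP" | evaluate_status con1000
fi
```

    With the snmpd `extend` line in place, the exit code and message are readable over SNMP from the NET-SNMP-EXTEND-MIB tables, which is what Icinga can then poll instead of pinging the remote host.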



  • Ok, let me take a look at the ipsec command.  Thanks