Made a script to test IPSec connections and reconnect tunnel if they fail



  • I use our pfSense at work to connect to the AWS provided VPC IPSec tunnels and route our developer/deployment traffic through these tunnels.

    I've noticed that periodically the tunnels just stop passing traffic even though they show as up and connected from both ends (AWS side and pfSense side).

    So I wrote and tested this script and scheduled it with the "Cron" package. Works a charm for us now :)

    #!/bin/sh
    
    # This script was designed to run on pfSense 2.3.x as a cron job using the "Cron" package.
    # It will run a command if all three hosts listed fail to reply to pings.
    # 2017 John at John Skinner dot net
    
    # THE PING SECTION
    # The section below pings three different hosts, once each,
    #  and saves the results for each as separate variables
    #  (number one "1" for a successful response, and zero "0" for a failed response).
    # In the block below, make sure to edit your local IP address and the host IP addresses for your situation.
    # The local IP address is after the "-S", and the host you want to ping is the second IP address.
    
    RESULTS1=$(/sbin/ping -c 1 -S 192.168.1.1 172.16.1.1 | /usr/bin/grep icmp | /usr/bin/wc -l)
    RESULTS2=$(/sbin/ping -c 1 -S 192.168.1.1 172.16.1.2 | /usr/bin/grep icmp | /usr/bin/wc -l)
    RESULTS3=$(/sbin/ping -c 1 -S 192.168.1.1 172.16.1.3 | /usr/bin/grep icmp | /usr/bin/wc -l)
    
    # THE MATH SECTION
    # This section adds all the results above into a new variable
    
    RESULTS4=$(( RESULTS1 + RESULTS2 + RESULTS3 ))
    
    # PING AND MATH TESTING SECTION
    # Uncomment the line below to test the results of the ping and the math sections
    #echo "$RESULTS4"
    # (When uncommenting the PING AND MATH TESTING line above, you may want to comment out all the following lines of this script)
    
    # DECIDE TO RUN COMMAND SECTION
    # Based on the results of the pings and the math, this section decides to either
    #  1.) send a notification email, write a log, and run the command if all the pings fail,
    #  or
    #  2.) send a notification email, and write a log, if any of the pings reply.
    if [ "$RESULTS4" -eq 0 ]; then
    
        # The line below will write a custom message, with the tag "IPSec", to the local system log
        /usr/bin/logger -t IPSec "AWS Corp tunnel is down. Restarting IPSec."
    
        # The line below will:
        #  1.) take down a specific IPSec tunnel connection with the configuration named "con1000",
        #  2.) wait 20 seconds, and bring the connection back up (list your connections using the command "ipsec status"),
        #  3.) email the results of bringing the connection back up to the email address in SYSTEM -> ADVANCED -> NOTIFICATIONS
        /usr/local/sbin/ipsec down con1000; sleep 20; /usr/local/sbin/ipsec up con1000 | /usr/local/bin/mail.php -s"AWS Corp tunnel is down. Restarting IPSec"
    else
    
        # The lines below will write a custom message to the local system log and send an email notification upon a successful ping reply from any of the hosts.
        /usr/bin/logger -t IPSec "AWS Corp tunnel is up"
        /bin/echo "AWS Corp tunnel is up" | /usr/local/bin/mail.php -s"AWS Corp tunnel is up"
    fi

    Attachment: [2017-08-10_ping_test_and-restart_IPSec_tunnel.txt](/public/_imported_attachments_/1/2017-08-10_ping_test_and-restart_IPSec_tunnel.txt)
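
An added example, not the original poster's script or any pfSense code: the same three-host ping check, but it only restarts the tunnel after FAIL_LIMIT consecutive runs in which every host failed, keeping a counter in a state file, so a single lost packet does not tear down a working tunnel or send a mail on every run. The state-file path, the `cron` argument and the overridable PING variable (so the decision logic can be exercised without a network) are assumptions of this example.

```shell
#!/bin/sh
# Added example, not the original poster's script: ping the same three hosts,
# but restart only after FAIL_LIMIT consecutive all-down runs (hysteresis).
HOSTS="172.16.1.1 172.16.1.2 172.16.1.3"   # hosts behind the tunnel (from the post)
SRC=192.168.1.1                             # local source address for ping -S
CONN=con1000                                # IPsec connection name (from the post)
STATE=${STATE:-/var/db/ipsec_ping_fails}    # assumed: file holding the failure counter
FAIL_LIMIT=${FAIL_LIMIT:-3}                 # consecutive failed runs before a restart
PING=${PING:-"/sbin/ping -c 1 -S $SRC"}     # overridable so the logic can be tested offline

# Ping every host once and print how many answered (a reply line contains "icmp").
count_replies() {
    n=0
    for h in $HOSTS; do
        if $PING "$h" 2>/dev/null | grep -q icmp; then n=$((n + 1)); fi
    done
    echo "$n"
}

# Consecutive failures recorded by earlier runs; 0 when no state file exists yet.
read_fails() { [ -r "$STATE" ] && cat "$STATE" || echo 0; }

# Decision from reply count ($1) and previous failures ($2): up | wait | restart.
decide() {
    if [ "$1" -gt 0 ]; then echo up
    elif [ $(($2 + 1)) -ge "$FAIL_LIMIT" ]; then echo restart
    else echo wait
    fi
}

main() {
    replies=$(count_replies); fails=$(read_fails)
    case $(decide "$replies" "$fails") in
        up)   echo 0 > "$STATE"
              /usr/bin/logger -t IPSec "AWS Corp tunnel is up ($replies hosts replied)" ;;
        wait) echo $((fails + 1)) > "$STATE"
              /usr/bin/logger -t IPSec "AWS Corp tunnel check failed ($((fails + 1))/$FAIL_LIMIT)" ;;
        restart)
              echo 0 > "$STATE"
              /usr/bin/logger -t IPSec "AWS Corp tunnel is down. Restarting IPSec."
              /usr/local/sbin/ipsec down "$CONN"; sleep 20
              /usr/local/sbin/ipsec up "$CONN" | /usr/local/bin/mail.php -s"AWS Corp tunnel restarted" ;;
    esac
}

# Act only when the Cron package calls it as "script.sh cron"; otherwise just define functions.
if [ "${1:-}" = cron ]; then main; fi
```

Scheduled with the Cron package as `/path/to/script.sh cron`, the tunnel is restarted on the third consecutive all-down run and the "up" log line reports how many of the hosts answered.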
