4. [SOLVED] IPSec status vs GUI

[SOLVED] IPSec status vs GUI

  • A

    I can see some tunnels with UP status at the GUI, but, when i run ipsec status, the conXXXX do not show ESTABLISHED status. For example:

    ipsec statusall | grep con31006
    con31006:   child:  x.x.x.x/32|x.x.x.x/27 === x.x.x.x/32|/0 TUNNEL, dpdaction=restart
    con31006{23186}:  ROUTED, TUNNEL, reqid 684
    con31006{23186}:   x.x.x.x/32|x.x.x.x/27 === x.x.x.x/32|/0
    con31006{25820}:  INSTALLED, TUNNEL, reqid 684, ESP SPIs: cec9b817_i 90ef7890_o
    con31006{25820}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 16 minutes
    con31006{25820}:   x.x.x.x/32|x.x.x.x/27 === x.x.x.x/32|/0

    0_1540989123515_vpnStatus.png

    I know that interface uses vici to get ipsec status, but, this can be different from ipsec status command?

    0
  • Rebel Alliance Developer Netgate

    doing that grep you could be missing some related info.

    If this is IKEv2 and one of several P2 entries for example it may not show how you expect. The fact that it has a rekey time on the second to last line implies that it's up, though.

    0
  • A

    Thank you by your insight @jimp. I just change the keyword on my script (to monitor VPN tunnels on zabbix) to know if the tunnel is up for "rekeying" insted of "ESTABLISHED".

    If you wanna take a look: https://github.com/alanwds/zabbix_ipsec_pfsense

    Thank you so much.

    0
Log in to reply
 

Products

Services

Support

News

Resources

Company

Our Mission

We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© 2020 Rubicon Communications, LLC | Privacy Policy