4. [SOLVED] IPSec status vs GUI

[SOLVED] IPSec status vs GUI

  • A

    I can see some tunnels with UP status at the GUI, but, when i run ipsec status, the conXXXX do not show ESTABLISHED status. For example:

    ipsec statusall | grep con31006
    con31006:   child:  x.x.x.x/32|x.x.x.x/27 === x.x.x.x/32|/0 TUNNEL, dpdaction=restart
    con31006{23186}:  ROUTED, TUNNEL, reqid 684
    con31006{23186}:   x.x.x.x/32|x.x.x.x/27 === x.x.x.x/32|/0
    con31006{25820}:  INSTALLED, TUNNEL, reqid 684, ESP SPIs: cec9b817_i 90ef7890_o
    con31006{25820}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 16 minutes
    con31006{25820}:   x.x.x.x/32|x.x.x.x/27 === x.x.x.x/32|/0

    0_1540989123515_vpnStatus.png

    I know that interface uses vici to get ipsec status, but, this can be different from ipsec status command?

    0
  • Rebel Alliance Developer Netgate

    doing that grep you could be missing some related info.

    If this is IKEv2 and one of several P2 entries for example it may not show how you expect. The fact that it has a rekey time on the second to last line implies that it's up, though.

    0
  • A

    Thank you by your insight @jimp. I just change the keyword on my script (to monitor VPN tunnels on zabbix) to know if the tunnel is up for "rekeying" insted of "ESTABLISHED".

    If you wanna take a look: https://github.com/alanwds/zabbix_ipsec_pfsense

    Thank you so much.

    0
 

Products

Applications

Support

Services

News

Resources

Company

Our Mission

As host of the pfSense open source firewall project, Netgate believes in enhancing network connectivity that maintains both security and privacy. We also believe everyone should be able to afford it.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© Copyright 2002 - 2018 Rubicon Communications, LLC | Privacy Policy