[SOLVED] IPSec status vs GUI

alanwds · Oct 31, 2018, 5:59 PM

I can see some tunnels with UP status at the GUI, but, when i run ipsec status, the conXXXX do not show ESTABLISHED status. For example:

ipsec statusall | grep con31006
    con31006:   child:  x.x.x.x/32|x.x.x.x/27 === x.x.x.x/32|/0 TUNNEL, dpdaction=restart
    con31006{23186}:  ROUTED, TUNNEL, reqid 684
    con31006{23186}:   x.x.x.x/32|x.x.x.x/27 === x.x.x.x/32|/0
    con31006{25820}:  INSTALLED, TUNNEL, reqid 684, ESP SPIs: cec9b817_i 90ef7890_o
    con31006{25820}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 16 minutes
    con31006{25820}:   x.x.x.x/32|x.x.x.x/27 === x.x.x.x/32|/0

I know that interface uses vici to get ipsec status, but, this can be different from ipsec status command?

jimp · Oct 31, 2018, 2:32 PM

doing that grep you could be missing some related info.

If this is IKEv2 and one of several P2 entries for example it may not show how you expect. The fact that it has a rekey time on the second to last line implies that it's up, though.

alanwds · Oct 31, 2018, 5:59 PM

Thank you by your insight @jimp. I just change the keyword on my script (to monitor VPN tunnels on zabbix) to know if the tunnel is up for "rekeying" insted of "ESTABLISHED".

If you wanna take a look: https://github.com/alanwds/zabbix_ipsec_pfsense

Thank you so much.