Mobile IPSec Status



  • How hard would it be to add a mobile IPSec widget for status? I really think that would be good to be able to monitor the mobile connection.

    This new version just gets better and better.  I'm really looking forward to version 2.0 hitting release.  It has a ton of great features.

    I do really like the Dynamic DNS IPSec Tunnel support.  I set one up a while back and it was a constant pain.  However, with this new release it is working like a charm and I have not had any dropped tunnels.

    RC


  • Rebel Alliance Developer Netgate

    I'll have to look and see if there is a way to pull the status of mobile clients somehow. If there is, I can add it to the IPSec status widget.


  • Rebel Alliance Developer Netgate

    I have this mostly functional, but it still needs some work. In particular, I need to write some logic that finds the remote subnet for the mobile tunnel since it is dynamic. (The info is obtainable, it will just take a little code to work out)

    It just assumes that any SA it finds that isn't a tunnel is a mobile client, if mobile tunnels are enabled.


  • Rebel Alliance Developer Netgate

    Try these on for size…

    Put them in:

    /usr/local/www/widgets/include/ipsec.inc

    and

    /usr/local/www/widgets/widgets/ipsec.widget.php

    Just overwrite your copies.

    It should count the mobile clients among the active tunnels, and list their remote subnet and endpoint on the list with a description of "Mobile Client". I'm not sure how accurate the up/down indicator will be for mobile tunnels, but it should check the same way as it does for static tunnels.

    Let me know if it works. If it does, I'll roll up a new dashboard package tomorrow and include it. It's working fine for me; it accurately lists my mobile tunnel from Home to Work.

    What I don't know is if it will work for everyone/anyone else. :)

    ipsec.inc.txt
    ipsec.widget.php.txt



  • I'll try to get that done today.  How do I enable ssh so I can upload the file?
    RC



  • I have them uploaded to the server in the tmp directory.  How do I use the copy command to copy them from temp to the correct path?
    RC


  • Rebel Alliance Developer Netgate

    There are some relevant articles on the Doc wiki for that:

    http://doc.pfsense.org/index.php/HOWTO_enable_SSH_access

    http://doc.pfsense.org/index.php/HOWTO:_Access_pfSense_filesystems_remotely_with_scp

    Or, you could use the file editor in the WebGUI (Diagnostics > Edit File)

    If you've already got them uploaded, you can mv/cp them from Diagnostics > Command, or from the console.


  • Rebel Alliance Developer Netgate

    Any feedback?

    Anyone?



  • I ran the following two commands from the command box in the GUI console:

    cp TMP/ipsec.inc /usr/local/www/widgets/include

    and

    cp /TMP/ipsec.widget.php /usr/local/www/widgets/widgets

    I get the command returned.  However, I don't see the mobile connection, and the connection count does not represent the actual total of connections.  The one new DDNS connection nor the Remote connection.  I have a total of 6 connections right now and I am only getting a total of 4 showing up.
    RC


  • Rebel Alliance Developer Netgate

    I just went ahead and committed the changes to a new dashboard package, 0.7.6. Go to System > Packages, click the Installed Packages tab, then click the reinstall button (says "pkg") next to the Dashboard entry.

    Let me know if that is any different.

    It still works fine for me.



  • Here is the latest scoop!  It now works.  I see two mobile connections.  The count is right now, but there is one that is showing up disconnected; but it is actually one of the 2 mobile connections.  One of them is a DDNS entry and that one is showing up as mobile instead of a static connection.

    The other item is that it is not pulling the correct description.  Last but not least, I can't ping anything across the tunnel. I will reboot my laptop later today and will test again.

    Again I will state there is nothing like pfSense on the market.  It is one of the best products around.  I just look forward until they get 2.0 finalized.  The current product is great but 2.0 is going to be incredible.

    Thanks to the entire team
    RC


  • Rebel Alliance Developer Netgate

    Ah… I bet that dynamic dns will put a kink in the status no matter what, since the status looks for an IP Address and not a hostname.

    I'll see if I can find a way to work around that one.


  • Rebel Alliance Developer Netgate

    Ok. I think I have this fixed. I made a host-based tunnel and it worked for me.

    I committed Dashboard 0.7.6.1 which should show up in a few minutes. Reinstall it and try one more time.



  • Jimp,
    Everything is working like a charm. ;D  It is reporting all the connections correctly.  It is awesome! ;D

    I like the fact that it is now reporting mobile clients. If I set up, say, 5 to 8 people using Shrew clients, my status is going to report 8 mobile clients.  Is there a way to add a description or use the identifier to show up in the status tab?

    My intent now is to get a few people I know to start using secure VPN connections back to my site for data storage. I would just like to be able to look at a glance to see who is connected.

    This is just a thought.  The new widget is working like a charm.

    Many thanks to all the developers who are working on this product.  It only seems like it is getting better and better.

    RC


  • Rebel Alliance Developer Netgate

    I don't think it can use the identifier, just the endpoint IP addresses. There may be another way to extract tunnel information that I'm not aware of, but the commands I'm aware of only print out IP addresses and some other related info, but no identifier.

    You can look at the output of:

    setkey -D
    

    and

    setkey -D -P
    

    There is plenty of info there, but none of it is the identifier :)

    Good to hear that it's working well for you otherwise!
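
An added example (not from the thread and not the Dashboard package's code) of the logic discussed above: parse `setkey -D` output, treat any peer that is not a configured static gateway as a mobile client, and resolve hostname gateways first so a dynamic DNS tunnel is not miscounted. The sample SAD text, the addresses, the "mature means up" rule, `classify_peers` and the `resolve` map standing in for DNS are all constructed assumptions.

```python
import re

# Constructed SAD dump in the layout `setkey -D` prints (key lines omitted).
SAMPLE_SAD = "".join(
    f"{src} {dst}\n"
    "\tesp mode=tunnel spi=184549377(0x0b000001) reqid=0(0x00000000)\n"
    f"\tseq=0x00000000 replay=4 flags=0x00000000 state={state}\n"
    for src, dst, state in [
        ("198.51.100.1", "203.0.113.10", "mature"),   # static, IP gateway
        ("203.0.113.10", "198.51.100.1", "mature"),
        ("198.51.100.1", "203.0.113.77", "mature"),   # static, hostname gateway
        ("203.0.113.77", "198.51.100.1", "mature"),
        ("198.51.100.1[4500]", "192.0.2.55[4500]", "mature"),  # mobile, addr[port] form
        ("192.0.2.55[4500]", "198.51.100.1[4500]", "dying"),
    ]
)

def parse_sad(text):
    """Return one dict per SA: src, dst, state. Only addresses identify a peer."""
    sas, cur = [], None
    for line in text.splitlines():
        if line and not line[0].isspace():        # unindented line starts an SA
            parts = [re.sub(r"\[\d+\]$", "", p) for p in line.split()]
            cur = {"src": parts[0], "dst": parts[1], "state": None} if len(parts) == 2 else None
            if cur:
                sas.append(cur)
        elif cur and (m := re.search(r"\bstate=(\w+)", line)):
            cur["state"] = m.group(1)
    return sas

def classify_peers(sad_text, local_ip, static_gateways, resolve, mobile_enabled=True):
    """Map remote endpoint -> type and up flag; `resolve` is a hostname->IP stand-in for DNS."""
    static_ips = {resolve.get(g, g) for g in static_gateways}
    peers = {}
    for sa in parse_sad(sad_text):
        if local_ip not in (sa["src"], sa["dst"]):
            continue                              # SA does not terminate on this firewall
        remote = sa["dst"] if sa["src"] == local_ip else sa["src"]
        if remote in static_ips:
            kind = "static"
        else:                                     # not a known tunnel: assume mobile client
            kind = "mobile" if mobile_enabled else "unknown"
        entry = peers.setdefault(remote, {"type": kind, "up": False})
        entry["up"] = entry["up"] or sa["state"] == "mature"   # assumption: mature == up
    return peers
```

Calling `classify_peers` with an empty `resolve` map reproduces the symptom reported earlier in the thread: the hostname-based tunnel's endpoint is listed as a mobile client.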



  • Many thanks and great job.
    RC



  • Like a charm, nice job!



  • It would be nice if you removed the "Note: You can configure your IPSEC here." message. If you didn't know where to configure IPSEC you'd probably not be interested in that particular widget anyway.

    Been using it for a couple of days now and I still like it :)


  • Rebel Alliance Developer Netgate

    @Vorkbaard:

    It would be nice if you removed the "Note: You can configure your IPSEC here." message. If you didn't know where to configure IPSEC you'd probably not be interested in that particular widget anyway.

    Been using it for a couple of days now and I still like it :)

    I'll consider that for the next update. I can't say I've ever clicked that link, but some people may find it useful…


  • Rebel Alliance Developer Netgate

    I removed that link (actually, moved it to the widget title) in the current version, which should be up now.

