How to reset Racoon service from command line
How can I reset the Racoon service from the command line? I'd like to schedule it to reset every night as it seems to prevent a problem where certain users can make a tunnel but can't send data over it.
(I know I should look for a solution in stead of a workaround but there's some reasons I don't. I can elaborate on them if you wish.)
You could try to enable the "Prefer Old IPsec SA" option under System > Advanced. That seems to improve such situations for me when dealing with third-party devices and clients.
If you must reset racoon every night, just make up a small PHP shell script to run vpn_ipsec_configure(); and schedule it via cron.
Something like this should suffice:
#!/usr/local/bin/php -q include 'vpn.inc'; vpn_ipsec_configure(); ?>
then chmod a+x /root/resetipsec.php, and try to run it. It should reset all the IPsec tunnels and restart racoon.
You can install the cron package and then add a command to run it nightly at whatever time you like.
Thanks for your response, jimp. We're using the Shrew Soft vpn client, do you count that as "third party"? I'll try the Prefer Old IPSec SA option first.
Technically yes, but I've not had any such problems with the shrew client. However, I also haven't tried to leave it connected for any length of time.
Usually I'll see this kind of thing when connecting to a device like a watchguard firebox, linksys router, etc.
I've created the script and ran it from the command line; it ran without any problems but it doesn't seem to do anything. Nothing gets logged and my connection doesn't get interrupted.
I created the exact same script you wrote up, did the chmod, ran from both SSH connection and the Command-thingie in the web gui, same result, namely nothing.
Am I missing something? Resetting the Racoon service via the Services menu tends to disconnect open tunnels. Thanks so much for your help, it's much appreciated!
Hey I found a workaround, I can use wget on my Windows server to spider the reset button. Not very elegant but it takes the pressure off.
#!/usr/local/bin/php -q require_once('vpn.inc'); require_once('config.inc'); vpn_ipsec_configure(); ?>
I don't have a spare box with any active IPsec tunnels to try at the moment, but I can see why it might fail without that other file included. (I thought it was pulled in by one of the other files but it may not have been)
Same result, sorry. Feel free to try again and I'll happily keep testing but I understand if you have better things to do :)
Thanks again jimp!
It helps when I read the code properly… :)
This works, I tested it just now:
#!/usr/local/bin/php -q require_once('vpn.inc'); vpn_ipsec_force_reload(); ?>
Like a charm, thank you!