How to reset Racoon service from command line



  • How can I reset the Racoon service from the command line? I'd like to schedule it to reset every night as it seems to prevent a problem where certain users can make a tunnel but can't send data over it.

    (I know I should look for a solution instead of a workaround, but there are some reasons I don't. I can elaborate on them if you wish.)


  • Rebel Alliance Developer Netgate

    You could try to enable the "Prefer Old IPsec SA" option under System > Advanced. That seems to improve such situations for me when dealing with third-party devices and clients.

    If you must reset racoon every night, just make up a small PHP shell script to run vpn_ipsec_configure(); and schedule it via cron.

    Something like this should suffice:

    /root/resetipsec.php

    #!/usr/local/bin/php -q
    <?php
    include 'vpn.inc';

    vpn_ipsec_configure();
    ?>

    then chmod a+x /root/resetipsec.php, and try to run it. It should reset all the IPsec tunnels and restart racoon.

    You can install the cron package and then add a command to run it nightly at whatever time you like.



  • Thanks for your response, jimp. We're using the Shrew Soft vpn client, do you count that as "third party"? I'll try the Prefer Old IPSec SA option first.


  • Rebel Alliance Developer Netgate

    Technically yes, but I've not had any such problems with the shrew client. However, I also haven't tried to leave it connected for any length of time.

    Usually I'll see this kind of thing when connecting to a device like a watchguard firebox, linksys router, etc.



  • I've created the script and ran it from the command line; it ran without any problems but it doesn't seem to do anything. Nothing gets logged and my connection doesn't get interrupted.

    I created the exact same script you wrote up, did the chmod, ran from both SSH connection and the Command-thingie in the web gui, same result, namely nothing.

    Am I missing something? Resetting the Racoon service via the Services menu tends to disconnect open tunnels. Thanks so much for your help, it's much appreciated!

    /edit
    Hey I found a workaround, I can use wget on my Windows server to spider the reset button. Not very elegant but it takes the pressure off.


  • Rebel Alliance Developer Netgate

    Try this:

    #!/usr/local/bin/php -q
    <?php
    require_once('vpn.inc');
    require_once('config.inc');

    vpn_ipsec_configure();
    ?>

    I don't have a spare box with any active IPsec tunnels to try at the moment, but I can see why it might fail without that other file included. (I thought it was pulled in by one of the other files but it may not have been)



  • Same result, sorry. Feel free to try again and I'll happily keep testing but I understand if you have better things to do :)

    Thanks again jimp!


  • Rebel Alliance Developer Netgate

    It helps when I read the code properly… :)

    This works, I tested it just now:

    #!/usr/local/bin/php -q
    <?php
    require_once('vpn.inc');

    vpn_ipsec_force_reload();
    ?>


  • Like a charm, thank you!

