Use IPsec as a backup route



  • Is there something already done to use IPsec as a backup route? When private links fail, establish IPsec over the internet.

    If so, how do I enable it on pfSense 2?

    If not, this is a first try at doing it with crontab + a PHP script.
    The current stage is beta.

    <?php
    // pfSense includes: config access, IPsec/VPN helpers and filter reload.
    require_once("util.inc");
    require_once("functions.inc");
    require_once("pkg-utils.inc");
    require_once("globals.inc");
    require_once("filter.inc");
    require_once("shaper.inc");
    require_once("ipsec.inc");
    require_once("vpn.inc");

    $ipsec=$config['ipsec'];
    // The last argument is the host to probe; it must be a valid IP address.
    $host=array_pop($argv);
    if (! is_ipaddr($host)){
            print "invalid ip address!\n";
            exit(1);
    }
    // Drop the script name; whatever is left are extra ping options.
    array_shift($argv);
    // Quote every option so none of it is interpreted by the shell.
    $args=implode(" ", array_map("escapeshellarg", $argv));
    $cmd="/sbin/ping -c 1 -t 1 $args " . escapeshellarg($host);
    // Up to three probes; each later probe runs only if the earlier ones succeeded.
    $exit2=0;
    $exit3=0;
    exec($cmd,$ret,$exit1);
    if ($exit1 == 0) exec($cmd,$ret,$exit2);
    if ($exit1 == 0 && $exit2 == 0) exec($cmd,$ret,$exit3);
    // Zero only when all three pings succeeded.
    $exit = ($exit1 + $exit2 + $exit3);
    if ($exit == 0){
            #link online
            if (array_key_exists("enable",$ipsec)){
                    print "link online, disabling ipsec\n";
                    unset ($config['ipsec']['enable']);
                    write_config();
                    vpn_ipsec_configure();
                    vpn_ipsec_refresh_policies();
                    filter_configure();
            }
            else
                    print "link online\n";
    }
    else{
            #link offline
            if (! array_key_exists("enable",$ipsec)){
                    print "link offline, enabling ipsec\n";
                    $config['ipsec']['enable']="";
                    write_config();
                    vpn_ipsec_configure();
                    vpn_ipsec_refresh_policies();
                    filter_configure();
            }
            else
                    print "link offline\n";
    }
    ?>
    

    Save it as /var/www/checklink.php and run it from cron. Pass any ICMP args, with the host you want to check as the last argument.

    Sample: php -q /var/www/checklink.php -s 172.16.5.6 172.16.2.7 (if the ping to 172.16.2.7 fails, then IPsec will be enabled)

    Thanks for any help with answering or testing.

    Regards,
    Marcello Coutinho
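
A debounce for the enable/disable decision in the script above, as an added example that is not part of the original post: IPsec is switched on only after several consecutive failed cron runs and off only after several consecutive good ones, so one lost ping does not trigger a config write and an IPsec reload. The thresholds, the state file and the function names are assumptions, and it assumes PHP 7 or later.

```php
<?php
// Added example, not the poster's code. Thresholds are assumed values.
const DOWN_AFTER = 3; // consecutive failed cron runs before enabling IPsec
const UP_AFTER   = 5; // consecutive good cron runs before disabling it again

// $state: ['ipsec' => bool, 'fail' => int, 'ok' => int]; returns the new state.
function next_state(array $state, bool $probe_ok): array {
    if ($probe_ok) {
        $state['ok']++;
        $state['fail'] = 0;
        if ($state['ipsec'] && $state['ok'] >= UP_AFTER) {
            $state['ipsec'] = false; // the script's "disabling ipsec" branch goes here
        }
    } else {
        $state['fail']++;
        $state['ok'] = 0;
        if (!$state['ipsec'] && $state['fail'] >= DOWN_AFTER) {
            $state['ipsec'] = true;  // the script's "enabling ipsec" branch goes here
        }
    }
    return $state;
}

// Counters must survive between cron runs, so keep them in a small JSON file.
function load_state(string $file): array {
    $default = ['ipsec' => false, 'fail' => 0, 'ok' => 0];
    $raw = is_readable($file) ? json_decode(file_get_contents($file), true) : null;
    return is_array($raw) ? array_merge($default, array_intersect_key($raw, $default)) : $default;
}

function save_state(string $file, array $state): void {
    file_put_contents($file, json_encode($state), LOCK_EX);
}

// Constructed probe history (1 = all pings answered): a single blip,
// a real outage, a failed probe during recovery, then a stable link.
$probes = [1, 0, 1, 1, 0, 0, 0, 0, 1, 1, 0, 1, 1, 1, 1, 1];
$file = tempnam(sys_get_temp_dir(), "checklink"); // stand-in for a fixed state path
foreach ($probes as $i => $p) {                   // each iteration = one cron run
    $old = load_state($file);
    $new = next_state($old, (bool)$p);
    save_state($file, $new);
    if ($new['ipsec'] !== $old['ipsec']) {
        printf("run %2d: IPsec %s\n", $i + 1, $new['ipsec'] ? "enabled" : "disabled");
    }
}
unlink($file);
```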

