Using Cron to stap and restart IPSEC service

bwstu · Oct 17, 2011, 12:16 AM

Hi all,

I have a Netgate pfSense Router that I am using with about 40 or so IPSEC VPN connections. Some of the VPN connections are connected to Draytek Routers that seem to not drop and reconnect the VPN correctly.

My work around at the moment is to schedule a reboot of pfSense daily at 4am.

I would much prefer using Cron to stop the VPN service at 4am, and start it again at 4:15.

The current command I am using to reboot the router is: 0/4///*/root "/sbin/shutdown -r now"

Can anyone provide assistance on what the proper command would be to stop, and then to start the service 10 or 15 minutes later would be?

Thanks in advance.
Stu

marcelloc · Oct 17, 2011, 12:59 AM

You can use the script on this topic with few modifications.

http://forum.pfsense.org/index.php/topic,42025.0.html

bwstu · Oct 17, 2011, 1:31 AM

Thanks for that,

Is there no simple command I can use to disable IPSEC, then enable again? Just thought that there would be as there is a "Stop/Start/Restart button in the GUI that I can click if I want to do it manually.

I am much more familiar with Windows scripts, and not these php ones, any idea which parts I need to modify?

Ideally, I'd like 2 scripts, one to stop, and then a separate one to start again.

Sorry to bug you but I am just not familiar with the non gui stuff in pfSense.

Thanks again for your patience!
Stu

marcelloc · Oct 17, 2011, 2:17 AM

Run the script with an ip address as argument.

When script sucessfull pings an ip, the action is disable IPSec.

When Ping fails, IPSec is enabled.

The first goal of this script was to establish VPN when private link fails.
This is not a patch, just a workaround.

bwstu · Oct 17, 2011, 5:36 AM

Hi again,

Sorry, I am not sure what to adjust, and how to split it into the two files that I would need.

I will keep on searching the forums and see if anyone else has had similar requirements.

Thanks,
Stu

marcelloc · Oct 17, 2011, 11:56 AM

As I told you on last post, there is no need to edit the script.

Here is an example:

192.168.1.1 exist in your network
192.168.1.50 Does not exist.

To enable my IPSec I run at console or via cron

Php -q /var/www/check_IPSec.php 192.168.1.50

To disable

Php -q /var/www/check_IPSec.php 192.168.1.1

bwstu · Oct 17, 2011, 10:20 PM

OK, sorry, I didn't quite understand. I thought I had to edit the script and insert the IP addresses there.

Thanks very much for clearing that up. I will try it tonight when everyone has logged off their systems.

bwstu · Dec 21, 2011, 11:26 PM

Hello again!

I have finally had a chance to try and implement this before the holidays.

I can successfully run these commands via the shell:

php -q /root/PHPipsec.php 192.168.200.250 (This stops IPSEC as IP does ping)
php -q /root/PHPipsec.php 192.168.200.251 (This starts IPSEC as IP does not ping)

I am unable to schedule via Cron though, nothing seems to happen, I have setup my Cron task like this:

16 / 9 / * / * / * / root / php -q /root/PHPipsec.php 192.168.200.250
18 / 9 / * / * / * / root / php -q /root/PHPipsec.php 192.168.200.251

Could anyone assist with why this is running in teh shell, but not via cron? I really don't feel like restarting the ipsec service manually every day for the next 3 weeks while I am on leave :)

Thanks very much!
Stu

marcelloc · Dec 21, 2011, 11:34 PM

Use php full path.

Find it with find / -name php

bwstu · Dec 21, 2011, 11:42 PM

Hi,

I ran that from the shell. I get this:

[2.0-RELEASE][root@testpfsense.testlocaldomain]/root(4): find / -PHPipsec php
find: -PHPipsec: unknown option

Am I typing something wrong?

bwstu · Dec 21, 2011, 11:47 PM

Update -

I typed it in correctly and get this as a result:

[2.0-RELEASE][root@testpfsense.testlocaldomain]/root(7): find / -name PHPipsec.php
/root/PHPipsec.php

That is what I am using in my Cron job though. Should I try move it out of the root folder? Maybe Cron doesn't like running the script from there?

Thanks again!
Stu

bwstu · Dec 21, 2011, 11:51 PM

No, that didn't do it…

My task now looks like this, but still didn't work:

51 9 * * * root php -q /sbin/PHPipsec.php 192.168.200.250

Still, when I copy and past into my SSH session to the shell. It works perfectly.

So frustrating.

Stu

marcelloc · Dec 22, 2011, 12:24 AM

use this way in cron:

0 4 * * * root /usr/local/bin/php -q /sbin/PHPipsec.php

bwstu · Dec 22, 2011, 12:31 AM

Thanks you very much, that did it! I can now go on holiday and not have to manually restart Racoon every night/morning.

Merry Christmas and Happy new year!

Thanks again, that's awesome.
Stu

katdrvr · Jan 13, 2012, 3:33 PM

I would like to try to use this method to restart my ipsec vpn since it seems to quit working after 4 or 5 hours.

When I do; find / -name PHPipsec.php I get nothing, it would appear that I don't have this on my install (pfsense 2.0.1-RELEASE (amd64) ). I can stop and start racoon from the "Status:Services" page.

Any help would be very appreciated.

Thanks in advance

Mike

marcelloc · Jan 13, 2012, 3:48 PM

The second post of this thread shows the link to script thread.

@marcelloc:

You can use the script on this topic with few modifications.

http://forum.pfsense.org/index.php/topic,42025.0.html