How to restart racoon from watchdog script

    If I wanted to set up a watchdog script to restart racoon when it crashes (perhaps similar to ), how would I start racoon from the script?

    If I try to use '/usr/local/sbin/racoon -f /var/etc/racoon.conf' then racoon restarts again when I refresh the webgui 'Services' page (as if pfSense was keeping track of the process numbers), and of course /etc/rc.d/ipsec start doesn't do anything.

    Last week I checked in a shell script on 2.1 that will do this, though it requires other changes on 2.1 to function. Once you're on 2.1 you can just do this:

    pfSsh.php playback svc stop racoon
    pfSsh.php playback svc start racoon

    Here is a script that just restarts the whole router if racoon crashes, seems to be working OK for me on 2.0:

        #!/bin/sh
        # Find the pid of the process (PPID will be the shell that started it)
        # remember no spaces allowed between varnames, just equals sign, and the value
        # Script name cannot contain the word racoon in order to avoid self-triggering
        sleep 30
        FIND_PROC=`pgrep racoon`
        # if FIND_PROC is empty, the process has died; restart it
        if [ -z "${FIND_PROC}" ]; then
            echo racoon failed at `date`
            nohup shutdown -r now &
        fi


    With cron entry:

            • root /root/ >> /root/ipsec-watchdog.log

    I put the sleep in to give racoon time to launch when the router boots, before the script checks for it.

    I have a CARP slave that kicks in when the main router is rebooting, so the effect is almost the same as restarting the service.
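    Putting the two posts above together, here is an added example of a watchdog that restarts only racoon (with the 2.1 `pfSsh.php playback svc` verbs quoted earlier) instead of rebooting the router. It is not the script posted in this thread. Assumptions: the file is saved as /root/ipsec-watchdog.sh (a hypothetical name chosen to avoid the "racoon" self-trigger problem mentioned above), pfSsh.php lives at /usr/local/sbin/pfSsh.php, and `pgrep -x` is used so only a process named exactly racoon counts. The check and restart commands are parameters so the logic can be exercised without racoon or pfSense present.

```shell
#!/bin/sh
# ipsec-watchdog.sh -- added example, not the script posted in this thread.
# Restarts racoon in place with the pfSense 2.1 "pfSsh.php playback svc"
# verbs instead of rebooting the whole router.
# The file name deliberately contains no "racoon"; pgrep -x additionally
# requires an exact process-name match, so the watchdog cannot match itself.

LOG=${LOG:-/root/ipsec-watchdog.log}
# Assumed location of pfSsh.php; adjust if your install differs.
PFSSH=${PFSSH:-/usr/local/sbin/pfSsh.php}

# is_racoon_up [PGREP_CMD]: succeed if a process named exactly "racoon" exists.
# PGREP_CMD defaults to pgrep; it is a parameter so a stub can stand in for it.
is_racoon_up() {
    _pgrep=${1:-pgrep}
    _pids=$("$_pgrep" -x racoon 2>/dev/null) || true   # pgrep exits 1 on no match
    [ -n "$_pids" ]
}

# restart_racoon [RUNNER]: stop, then start, through pfSense's service wrapper
# so the web GUI's pid tracking stays in sync (a bare racoon invocation gets
# restarted again when the Services page is refreshed, as the first post notes).
restart_racoon() {
    _run=${1:-$PFSSH}
    "$_run" playback svc stop racoon
    "$_run" playback svc start racoon
}

# watchdog_once [PGREP_CMD] [RUNNER]: one check; prints "ok" or "restarted".
watchdog_once() {
    if is_racoon_up "$1"; then
        echo ok
    else
        echo "$(date '+%Y-%m-%d %H:%M:%S') racoon not running, restarting" >&2
        restart_racoon "$2"
        echo restarted
    fi
}

# Cron entry point ("/root/ipsec-watchdog.sh run"): wait 30 s first so a
# freshly booted router has time to launch racoon before the first check.
main() {
    sleep 30
    watchdog_once pgrep "$PFSSH" >>"$LOG" 2>&1
}

if [ "${1:-}" = run ]; then
    main
fi
```

    Run it from cron as `/root/ipsec-watchdog.sh run`; the `run` argument is what keeps the sleep-and-check from firing when the file is merely sourced. As the post above says, the `playback svc` verbs need 2.1, so on 2.0 the restart step would have to fall back to the reboot shown in the other script.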

  • It'd be very helpful to try to understand why racoon is crashing …

    Which version are you running?

    I'm running 2.0.2 with racoon 0.8.0.

    The right combination of loss of connectivity to remote endpoints seems to be triggering the crashing.

    I've submitted a bug report here:

    I also submitted this to FreeBSD a while ago, but it got closed. Should I open up a new one?

    It seems like the more Phase1's not establishing, the more likely racoon is to segfault.

