Cron IPsec auto restart on fail, and email notify



  • I had seen this topic previously, but not an answer fitting exactly what I needed. From what I can tell, GRE is part of the IPsec service (racoon). My GRE tunnels tend to fail about once a week (connecting to Cisco equipment), and I have to restart the service. Using elements from others, I wrote this PHP script, which runs as a cron job and sends a restart command (rather than off and on) only when it can't ping the other side, and then notifies me by email. My code is horrible, and someone with more talent can probably clean it up quite a bit, but it does work. I figure it might help someone else anyhow. I run it with this cron command: "*/4 * * * * root /usr/local/bin/php -q /root/pingresetvpn.php"

    <?php
    /* pingresetvpn.php: run from /etc/crontab every few minutes. Pings the far
       end of each GRE tunnel; if a tunnel is down while the Internet is still
       reachable, forces an IPsec reload and sends a mail. The .inc files are
       pfSense's own (/etc/inc is on the include path of /usr/local/bin/php). */
    require_once("util.inc");
    require_once("functions.inc");
    require_once("pkg-utils.inc");
    require_once("globals.inc");
    require_once("ipsec.inc");
    require_once("vpn.inc");
    require_once("service-utils.inc");
    require_once("vslb.inc");
    include('phpmailer/class.phpmailer.php');

    // One echo request with a one-second timeout (FreeBSD ping: -t is the timeout).
    // exec() leaves the command's exit code in $exit; it is 0 only when the host answered.
    function ping_ok($host) {
        exec("/sbin/ping -c 1 -t 1 " . escapeshellarg($host), $out, $exit);
        return $exit === 0;
    }

    // Mail a short report through the SMTP relay; prints the mailer error on failure.
    function notify($subject, $body) {
        $mail = new PHPMailer();
        $mail->IsSMTP();
        $mail->Host = "youropenrelaymailserver";   // relay that accepts mail from the firewall
        $mail->Port = 25;
        $mail->From = "you@yourdomain.com";
        $mail->FromName = "Firewall Report";
        $mail->AddAddress("you@yourdomain.com");
        $mail->Subject = $subject;
        $mail->Body = $body;
        if (!$mail->Send()) {
            echo "Message was not sent.\n";
            echo "Mailer error: " . $mail->ErrorInfo . "\n";
        }
    }

    // Far ends of the GRE tunnels; the inner address of an IPsec tunnel works the same way.
    $tunnels = array("IpOfOtherSide", "IpOfOtherSide");
    $outside_host = "8.8.8.8";   // Google's DNS server, but any external pingable host will do

    $value = 0;   // number of tunnels that answered
    foreach ($tunnels as $i => $peer) {
        if (ping_ok($peer)) {
            print "ping" . ($i + 1) . " Success\n";
            $value++;
        } else {
            print "ping" . ($i + 1) . " Fail\n";
        }
    }
    $outside = ping_ok($outside_host);
    print "ping4 " . ($outside ? "Success" : "Fail") . "\n";
    print "Value is " . $value . "\n";

    if ($value == count($tunnels)) {
        print "All is Well in Asthland\n";
    } elseif ($outside) {
        // A tunnel is down but the Internet is up: the fault is local to the VPN, so reload IPsec.
        print "All is Well outside the realm, but not at home\n";
        vpn_ipsec_force_reload();
        print "IPsec restarted accordingly\n";
        notify("GRE is down restarting VPN", "IPsec has been restarted check for problems");
    } else {
        // Nothing outside answers either: restarting IPsec would not help, so only report it.
        print "Not the VPN fault wait for internet\n";
        notify("Internet is down", "could not ping outside");
    }
    exit(0);   // clean exit for cron; nothing here is an error of the script itself
    ?>
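
Added example, not the original poster's script: the same check as a POSIX shell script for the same cron slot, with two things the post's logic leaves out. A tunnel is only restarted when the outside host still answers (the failure is local to the VPN), and a state file enforces a minimum interval between forced restarts so a 4-minute cron cannot bounce IPsec indefinitely while a peer is genuinely down. Mail goes through mail(1) and whatever relay the local MTA is configured for, which should be an authenticated one rather than an open relay. The peer addresses (TEST-NET placeholders), the pfSense restart command via pfSsh.php, the state file path and the mail command are all assumptions to adapt.

```shell
#!/bin/sh
# Added example (not the original poster's code). Cron line, assumed:
#   */4 * * * * root /bin/sh /root/pingresetvpn.sh run
# Everything in the settings block is a placeholder to be adapted.

PEERS="${PEERS:-192.0.2.1 192.0.2.2}"           # far ends of the GRE tunnels (TEST-NET placeholders)
OUTSIDE="${OUTSIDE:-8.8.8.8}"                   # any reliably pingable external host
STATE="${STATE:-/var/run/pingresetvpn.last}"    # epoch seconds of the last forced restart
MIN_INTERVAL="${MIN_INTERVAL:-900}"             # never force a restart more often than this (seconds)
# Assumed pfSense restart command; vpn_ipsec_force_reload() from the PHP script is the alternative.
RESTART_CMD="${RESTART_CMD:-/usr/local/sbin/pfSsh.php playback svc restart ipsec}"
MAIL_TO="${MAIL_TO:-you@yourdomain.com}"

# ping_ok HOST -> exit 0 if one echo reply arrives within 1 s (FreeBSD ping: -t is the timeout)
ping_ok() {
    /sbin/ping -c 1 -t 1 "$1" >/dev/null 2>&1
}

# decide UP TOTAL OUTSIDE -> prints one of: ok | restart | internet
# UP = tunnels that answered, TOTAL = tunnels checked, OUTSIDE = 1 if the external host answered.
# Restart only when the problem is local to the VPN; a dead uplink is not the VPN's fault.
decide() {
    d_up=$1; d_total=$2; d_outside=$3
    if [ "$d_up" -eq "$d_total" ]; then
        echo ok
    elif [ "$d_outside" -eq 1 ]; then
        echo restart
    else
        echo internet
    fi
}

# restart_allowed STATEFILE MIN_INTERVAL NOW -> exit 0 if at least MIN_INTERVAL seconds have
# passed since the timestamp recorded in STATEFILE (a missing file means no restart yet).
restart_allowed() {
    r_file=$1; r_min=$2; r_now=$3
    [ -f "$r_file" ] || return 0
    r_last=$(cat "$r_file" 2>/dev/null || echo 0)
    [ $((r_now - r_last)) -ge "$r_min" ]
}

# notify SUBJECT BODY -> hands the report to the local MTA (configure it for an authenticated relay)
notify() {
    printf '%s\n' "$2" | mail -s "$1" "$MAIL_TO"
}

main() {
    up=0; total=0
    for p in $PEERS; do                      # unquoted on purpose: split the list on whitespace
        total=$((total + 1))
        ping_ok "$p" && up=$((up + 1))
    done
    outside=0
    ping_ok "$OUTSIDE" && outside=1
    now=$(date +%s)

    case $(decide "$up" "$total" "$outside") in
        ok)
            exit 0 ;;
        internet)
            notify "Internet is down" "could not ping $OUTSIDE; $up/$total tunnels up; IPsec not restarted"
            exit 0 ;;
        restart)
            if restart_allowed "$STATE" "$MIN_INTERVAL" "$now"; then
                $RESTART_CMD                  # unquoted on purpose: the command has arguments
                echo "$now" > "$STATE"
                notify "GRE is down, restarting VPN" "$up/$total tunnels up; IPsec restarted at $(date)"
            else
                notify "GRE still down" "$up/$total tunnels up; restart skipped, last one under ${MIN_INTERVAL}s ago"
            fi ;;
    esac
}

# Only run the checks when invoked with "run" (as from cron); sourcing the file just defines the functions.
if [ "${1:-}" = run ]; then
    main
fi
```

The state file is what keeps the script honest: without it, a peer that is really down gets a forced IPsec reload every four minutes, which also tears down every other tunnel on the box each time.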



  • I know that when I've set up tunnels to a Cisco PIX or ASA, I've had to disable DPD before the tunnel was stable.



  • Thank you for taking the time to follow up. DPD is disabled for the IPsec, as I reached that same conclusion, but my "GRE" tunnels are what's failing.

