Netgate Discussion Forum
    Cron Ipsec auto restart on fail , and email notify

    3 Posts 2 Posters 2.8k Views
    parsalog

      I had seen this topic previously, but not an answer fitting exactly what I needed. From what I can tell GRE is part of the IPsec service (racoon). My GRE tunnels tend to fail about once a week (connecting to Cisco equipment), and I have to restart the service. Using elements from others I wrote this PHP script, which runs as a cron job and sends a restart command (rather than off and on) only when it can't ping the other side, and then emails me a notification. My code is horrible, and someone with more talent can probably clean it up quite a bit, but it does work. I figure it might help someone else anyhow. I run it with this cron command: "*/4 * * * * root /usr/local/bin/php -q /root/pingresetvpn.php"

      <?php
      // Cron job: ping the far side of each GRE tunnel; if the tunnels are
      // unreachable but the internet is, force-reload IPsec and send a mail.
      require_once("globals.inc");
      require_once("config.inc");    // loads $config, read below
      require_once("util.inc");
      require_once("functions.inc");
      require_once("pkg-utils.inc");
      require_once("ipsec.inc");
      require_once("vpn.inc");       // vpn_ipsec_force_reload()
      require_once("service-utils.inc");
      require_once("vslb.inc");
      include('phpmailer/class.phpmailer.php');

      $ipsec = $config['ipsec'];     // currently unused

      // Send a short report mail; SMTP host and addresses are placeholders.
      function send_report($subject, $body) {
          $mail = new PHPMailer();
          $mail->IsSMTP();
          $mail->Host = "youropenrelaymailserver";
          $mail->Port = 25;
          $mail->From = "you@yourdomain.com";
          $mail->FromName = "Firewall Report";
          $mail->AddAddress("you@yourdomain.com");
          $mail->Subject = $subject;
          $mail->Body = $body;
          if (!$mail->Send()) {
              echo "Message was not sent.\n";
              echo "Mailer error: " . $mail->ErrorInfo . "\n";
          }
      }

      $value = 0;    // number of tunnels whose far side answered
      $outside = 0;  // 1 if the external host answered

      // One ping with a one-second timeout (FreeBSD ping); exit status 0 means a reply.
      exec("/sbin/ping -c 1 -t 1 IpOfOtherSide", $ret1, $exit1); // first GRE tunnel, should work the same for an IPsec tunnel
      exec("/sbin/ping -c 1 -t 1 IpOfOtherSide", $ret2, $exit2); // second GRE tunnel
      exec("/sbin/ping -c 1 -t 1 8.8.8.8", $ret4, $exit4);       // Google's DNS server, but any external pingable site will do

      print $exit1 . "\n";
      print $exit2 . "\n";
      print $exit4 . "\n";

      if ($exit1 === 0) {
          print "ping1 Success\n";
          $value += 1;
      } else {
          print "ping1 Fail\n";
      }
      if ($exit2 === 0) {
          print "ping2 Success\n";
          $value += 1;
      } else {
          print "ping2 Fail\n";
      }
      if ($exit4 === 0) {
          print "ping4 Success\n";
          $outside += 1;
      } else {
          print "ping4 Fail\n";
      }
      print "Value is " . $value . "\n";

      if ($value == 2) {
          print "All is Well in Asthland\n";
      } elseif ($outside == 1) {
          // Internet reachable but a tunnel is not: restart IPsec and report.
          print "All is Well outside the realm, but not at home\n";
          vpn_ipsec_force_reload();
          print "IPsec restarted accordingly\n";
          send_report("GRE is down restarting VPN", "IPsec has been restarted check for problems");
      } else {
          // Nothing reachable: not the VPN's fault, wait for the internet to come back.
          print "Not the VPN fault wait for internet\n";
          send_report("Internet is down", "could not ping outside");
      }
      exit(0);

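The same check as a POSIX sh cron job, added here as an example and not part of the poster's script. It keeps the poster's logic (two tunnel peers plus one outside host, reload only when the outside is reachable) and adds a state file so a far end that stays down for hours gets a bounded number of IPsec reloads and mails instead of one every four minutes. The peer addresses, mail recipient, state file path and the restart command (the same pfSense function the poster's PHP calls, invoked through php -r) are assumptions:

```shell
#!/bin/sh
# Added example (not the forum poster's script): two-tunnel-plus-outside probe as a
# POSIX sh cron job for pfSense, with a consecutive-failure counter so IPsec is not
# bounced and a mail sent every four minutes for the whole length of an outage.
# Peer addresses, recipient, state path and restart command are assumptions.

PEER1="${PEER1:-192.0.2.1}"                     # placeholder: far side of GRE tunnel 1
PEER2="${PEER2:-192.0.2.2}"                     # placeholder: far side of GRE tunnel 2
OUTSIDE="${OUTSIDE:-8.8.8.8}"                   # any reliably pingable external host
MAILTO="${MAILTO:-you@example.com}"             # placeholder recipient
STATE="${STATE:-/var/run/pingresetvpn.state}"   # consecutive tunnel_down counter
MAX_RESTARTS="${MAX_RESTARTS:-3}"               # reloads per outage before giving up

# probe <host>: exit 0 if one ping is answered within 1 s (same FreeBSD ping flags
# as the poster's script), non-zero otherwise.
probe() {
    /sbin/ping -c 1 -t 1 "$1" >/dev/null 2>&1
}

# classify <t1> <t2> <outside>: the three probe exit codes -> a verdict word.
classify() {
    if [ "$1" -eq 0 ] && [ "$2" -eq 0 ]; then
        echo all_ok
    elif [ "$3" -eq 0 ]; then
        echo tunnel_down     # outside reachable, at least one tunnel is not
    else
        echo internet_down   # nothing reachable: not the VPN's fault, just wait
    fi
}

# update_streak <verdict> <state-file>: count consecutive tunnel_down verdicts,
# reset on anything else; prints the new count.
update_streak() {
    prev=0
    if [ -s "$2" ]; then
        prev=$(cat "$2")
    fi
    if [ "$1" = tunnel_down ]; then
        n=$((prev + 1))
    else
        n=0
    fi
    echo "$n" > "$2"
    echo "$n"
}

# should_restart <streak>: reload only for the first MAX_RESTARTS consecutive
# failures; after that stop bouncing IPsec.
should_restart() {
    [ "$1" -ge 1 ] && [ "$1" -le "$MAX_RESTARTS" ]
}

# Assumed restart: the pfSense function the poster's PHP calls, run via php -r.
restart_ipsec() {
    /usr/local/bin/php -q -r 'require_once("globals.inc"); require_once("config.inc"); require_once("vpn.inc"); vpn_ipsec_force_reload();'
}

# notify <subject> <body>: a syslog line for the firewall log plus a mail via mail(1).
notify() {
    logger -t pingresetvpn "$1"
    printf '%s\n' "$2" | /usr/bin/mail -s "$1" "$MAILTO"
}

main() {
    e1=1; e2=1; e3=1
    probe "$PEER1"   && e1=0
    probe "$PEER2"   && e2=0
    probe "$OUTSIDE" && e3=0
    verdict=$(classify "$e1" "$e2" "$e3")
    streak=$(update_streak "$verdict" "$STATE")
    case "$verdict" in
        all_ok)
            ;;
        tunnel_down)
            if should_restart "$streak"; then
                restart_ipsec
                notify "GRE down, IPsec reloaded (attempt $streak)" \
                       "tunnel probes $e1/$e2, outside ok; IPsec force-reloaded"
            elif [ "$streak" -eq $((MAX_RESTARTS + 1)) ]; then
                # one final mail when giving up, then silence until the far end returns
                notify "GRE still down after $MAX_RESTARTS reloads" \
                       "no further automatic reloads; check the far end"
            fi
            ;;
        internet_down)
            notify "Internet is down" "could not ping $OUTSIDE; not restarting IPsec"
            ;;
    esac
}

# cron entry, mirroring the poster's:  */4 * * * * root /bin/sh /root/pingresetvpn.sh run
if [ "${1:-}" = run ]; then
    main
fi
```

The `run` argument keeps the probes from firing when the file is merely sourced; the counter lives in `/var/run` so it is cleared on reboot, and `logger` puts each verdict in the pfSense system log so the restarts are visible alongside the IPsec log lines rather than only in mail.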
      ttblum

        I know when I've set up tunnels to Cisco PIX or ASA I've had to disable DPD before the tunnel was stable.

        parsalog

          Thank you for taking the time to follow up. DPD is disabled for the IPsec, as I came to that same conclusion, but my "GRE" tunnels are what's failing.

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.