[SOLVED] How to restart ipsec service from command line



  • Hello,

    I stumbled upon this http://forum.pfsense.org/index.php/topic,23327.0.html forum message where jimp suggested a script to reload the ipsec racoon service from the command line.

    Here's the slightly modified version that works for pfSense 2.1.

    Create a file called /root/reset_ipsec.php with the following content:

    ```php
    #!/usr/local/bin/php -q
    <?php
    // pfSense helpers: service-utils.inc and vpn.inc provide vpn_ipsec_force_reload()
    require_once("service-utils.inc");
    require_once('vpn.inc');

    // Regenerate the racoon configuration and restart the IPsec service
    vpn_ipsec_force_reload();

    exit;
    ?>
    ```

    Make it executable with

    ```sh
    chmod +x /root/reset_ipsec.php
    ```

    Now you can run /root/reset_ipsec.php directly from cron.
    
    Cheers.

  • Rebel Alliance Developer Netgate

    2.1 has one built in:

    ```sh
    pfSsh.php playback restartipsec
    ```


  • Didn't read the fine manual yet, I guess I should :)
    Thanks.



  • Hi!

    Thanks for your script, it worked well with 2.1.5.

    With 2.2 it doesn't work?! Could you post an update, please?

    The script works when I stop the service before.

    Best regards,
    esquire1968


  • Rebel Alliance Developer Netgate

    Unfortunately it's not a simple fix. I pushed a correction to the code repository; it will work again in 2.2.1.

    Once the commit shows up on github it could be applied with the system patches package.



  • Hi!

    Sorry, it doesn't work. With the command `pfSsh.php playback restartipsec`, I get the following error:

    ```
    Warning: Invalid argument supplied for foreach() in /etc/inc/vpn.inc on line 50
    ```

    Starting at line 46 of /etc/inc/vpn.inc:

    ```php
    46 {
    47     global $config, $ipsec_loglevels;
    48
    49     $cfgtext = array();
    50     foreach ($ipsec_loglevels as $lkey => $ldescr) {
    51         if (!isset($config['ipsec']["ipsec_{$lkey}"]) && !$forconfig)
    52             mwexec("/usr/local/sbin/ipsec stroke loglevel {$lkey} -- -1", false);
    53         else if (is_numeric($config['ipsec']["ipsec_{$lkey}"]) &&
    54             intval($config['ipsec']["ipsec_{$lkey}"]) >= 0 && intval($config['ipsec']["ipsec_{$lkey}"]) <= 5)
    55             $forconfig ? $cfgtext[] = "${lkey} " . (intval($config['ipsec']["ipsec_{$lkey}"]) - 1) :
    56                 mwexec("/usr/local/sbin/ipsec stroke loglevel {$lkey} " . (intval($config['ipsec']["ipsec_{$lkey}"]) - 1) , false);
    57 }
    58 if ($forconfig)
    59     return implode(',', $cfgtext);
    60 }
    ```

    What's wrong?

    Best regards,
    esquire1968


  • Banned



  • Hi!

    Thanks for your answer. With the patch, I get no error message. But it doesn't work; I get the following log:

    ```
    Feb 7 08:59:49 charon: 08[NET] error writing to socket: Can't assign requested address
    Feb 7 08:59:49 charon: 10[NET] sending packet: from yyy.yyy.yyy.yyy[500] to xxx.xxx.xxx.xxx[500] (200 bytes)
    Feb 7 08:59:49 charon: 10[IKE] sending retransmit 5 of request message ID 0, seq 1
    Feb 7 08:59:49 charon: 10[IKE] <con1|2>sending retransmit 5 of request message ID 0, seq 1
    Feb 7 08:59:07 charon: 08[NET] error writing to socket: Can't assign requested address
    Feb 7 08:59:07 charon: 10[NET] sending packet: from yyy.yyy.yyy.yyy[500] to xxx.xxx.xxx.xxx[500] (200 bytes)
    Feb 7 08:59:07 charon: 10[IKE] sending retransmit 4 of request message ID 0, seq 1
    Feb 7 08:59:07 charon: 10[IKE] <con1|2>sending retransmit 4 of request message ID 0, seq 1
    Feb 7 08:58:46 ipsec_starter[22573]:
    Feb 7 08:58:46 ipsec_starter[22573]: 'con1' routed
    Feb 7 08:58:46 charon: 10[CFG] received stroke: route 'con1'
    Feb 7 08:58:46 charon: 11[CFG] added configuration 'con1'
    Feb 7 08:58:46 charon: 11[CFG] left nor right host is our side, assuming left=local
    Feb 7 08:58:46 charon: 11[CFG] received stroke: add connection 'con1'
    Feb 7 08:58:46 charon: 10[CFG] deleted connection 'con1'
    Feb 7 08:58:46 charon: 10[CFG] received stroke: delete connection 'con1'
    Feb 7 08:58:46 ipsec_starter[22573]:
    Feb 7 08:58:46 charon: 16[CFG] received stroke: unroute 'con1'
    Feb 7 08:58:46 charon: 11[CFG] rereading crls from '/var/etc/ipsec/ipsec.d/crls'
    Feb 7 08:58:46 charon: 11[CFG] rereading attribute certificates from '/var/etc/ipsec/ipsec.d/acerts'
    Feb 7 08:58:46 charon: 11[CFG] rereading aa certificates from '/var/etc/ipsec/ipsec.d/aacerts'
    Feb 7 08:58:46 charon: 11[CFG] rereading ocsp signer certificates from '/var/etc/ipsec/ipsec.d/ocspcerts'
    Feb 7 08:58:46 charon: 11[CFG] loaded ca certificate "C=CA, ST=XX, L=XXX, O=XXX, CN=XX CA, E=xx.xx@xx.com" from '/var/etc/ipsec/ipsec.d/cacerts/df28683a.0.crt'
    Feb 7 08:58:46 charon: 11[CFG] loaded ca certificate "C=AT, ST=XX, L=XX, O=XX, E=xxx.xxx@xxx.com, CN=XX" from '/var/etc/ipsec/ipsec.d/cacerts/a9025906.0.crt'
    Feb 7 08:58:46 charon: 11[CFG] rereading ca certificates from '/var/etc/ipsec/ipsec.d/cacerts'
    Feb 7 08:58:46 charon: 11[CFG] loaded IKE secret for %any xxx.xxx.xxx.xxx
    Feb 7 08:58:46 charon: 11[CFG] loading secrets from '/var/etc/ipsec/ipsec.secrets'
    Feb 7 08:58:46 charon: 11[CFG] rereading secrets
    Feb 7 08:58:44 charon: 08[NET] error writing to socket: Can't assign requested address
    Feb 7 08:58:44 charon: 16[NET] sending packet: from yyy.yyy.yyy.yyy[500] to xxx.xxx.xxx.xxx[500] (200 bytes)
    Feb 7 08:58:44 charon: 16[IKE] sending retransmit 3 of request message ID 0, seq 1
    ```

    When I use the "Restart IPsec service" button, it works well! Here is the log:

    
    ```
    Feb 7 09:08:55 charon: 03[IKE] IKE_SA con1[1] established between yyy.yyy.yyy.yyy[yyy.yyy.yyy.yyy]...xxx.xxx.xxx.xxx[xxx.xxx.xxx.xxx]
    Feb 7 09:08:55 charon: 03[IKE] <con1|1>IKE_SA con1[1] established between yyy.yyy.yyy.yyy[yyy.yyy.yyy.yyy]...xxx.xxx.xxx.xxx[xxx.xxx.xxx.xxx]
    Feb 7 09:08:55 charon: 03[CFG] selected peer config "con1"
    Feb 7 09:08:55 charon: 03[CFG] looking for pre-shared key peer configs matching yyy.yyy.yyy.yyy...xxx.xxx.xxx.xxx[xxx.xxx.xxx.xxx]
    Feb 7 09:08:55 charon: 03[ENC] parsed ID_PROT request 0 [ ID HASH ]
    Feb 7 09:08:55 charon: 03[NET] received packet: from xxx.xxx.xxx.xxx[500] to yyy.yyy.yyy.yyy[500] (76 bytes)
    Feb 7 09:08:55 charon: 03[NET] sending packet: from yyy.yyy.yyy.yyy[500] to xxx.xxx.xxx.xxx[500] (260 bytes)
    Feb 7 09:08:55 charon: 03[ENC] generating ID_PROT response 0 [ KE No ]
    Feb 7 09:08:55 charon: 03[ENC] parsed ID_PROT request 0 [ KE No ]
    Feb 7 09:08:55 charon: 03[NET] received packet: from xxx.xxx.xxx.xxx[500] to yyy.yyy.yyy.yyy[500] (292 bytes)
    Feb 7 09:08:54 charon: 03[NET] sending packet: from yyy.yyy.yyy.yyy[500] to xxx.xxx.xxx.xxx[500] (136 bytes)
    Feb 7 09:08:54 charon: 03[ENC] generating ID_PROT response 0 [ SA V V V ]
    Feb 7 09:08:54 charon: 03[IKE] xxx.xxx.xxx.xxx is initiating a Main Mode IKE_SA
    Feb 7 09:08:54 charon: 03[IKE] <1> xxx.xxx.xxx.xxx is initiating a Main Mode IKE_SA
    Feb 7 09:08:54 charon: 03[IKE] received DPD vendor ID
    Feb 7 09:08:54 charon: 03[IKE] <1> received DPD vendor ID
    Feb 7 09:08:54 charon: 03[ENC] parsed ID_PROT request 0 [ SA V ]
    Feb 7 09:08:54 charon: 03[NET] received packet: from xxx.xxx.xxx.xxx[500] to yyy.yyy.yyy.yyy[500] (104 bytes)
    Feb 7 09:08:51 ipsec_starter[79219]:
    Feb 7 09:08:51 ipsec_starter[79219]: 'con1' routed
    Feb 7 09:08:51 charon: 07[CFG] received stroke: route 'con1'
    Feb 7 09:08:51 charon: 03[CFG] added configuration 'con1'
    Feb 7 09:08:51 charon: 03[CFG] received stroke: add connection 'con1'
    Feb 7 09:08:51 ipsec_starter[79219]: charon (79273) started after 60 ms
    Feb 7 09:08:51 charon: 00[JOB] spawning 16 worker threads
    Feb 7 09:08:51 charon: 00[LIB] unable to load 6 plugin features (5 due to unmet dependencies)
    Feb 7 09:08:51 charon: 00[LIB] loaded plugins: charon unbound aes des blowfish rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey ipseckey pem openssl fips-prf gmp xcbc cmac hmac curl attr kernel-pfkey kernel-pfroute resolve socket-default stroke smp updown eap-identity eap-sim eap-aka eap-aka-3gpp2 eap-md5 eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap xauth-generic xauth-eap whitelist addrblock unity
    Feb 7 09:08:51 charon: 00[CFG] loaded 0 RADIUS server configurations
    Feb 7 09:08:51 charon: 00[CFG] opening triplet file /var/etc/ipsec/ipsec.d/triplets.dat failed: No such file or directory
    Feb 7 09:08:51 charon: 00[CFG] loaded IKE secret for %any xxx.xxx.xxx.xxx
    Feb 7 09:08:51 charon: 00[CFG] loading secrets from '/var/etc/ipsec/ipsec.secrets'
    Feb 7 09:08:51 charon: 00[CFG] loading crls from '/var/etc/ipsec/ipsec.d/crls'
    Feb 7 09:08:51 charon: 00[CFG] loading attribute certificates from '/var/etc/ipsec/ipsec.d/acerts'
    Feb 7 09:08:51 charon: 00[CFG] loading ocsp signer certificates from '/var/etc/ipsec/ipsec.d/ocspcerts'
    Feb 7 09:08:51 charon: 00[CFG] loading aa certificates from '/var/etc/ipsec/ipsec.d/aacerts'
    Feb 7 09:08:51 charon: 00[CFG] loaded ca certificate "C=EH, ST=XX L=XXX, O=XXX, CN=XXX CA, E=xxx.xxx@xxx.com" from '/var/etc/ipsec/ipsec.d/cacerts/df28683a.0.crt'
    Feb 7 09:08:51 charon: 00[CFG] loaded ca certificate "C=AT, ST=XX, L=XXX, O=XXX, E=xxx.xxx@xxx.com, CN=XXX ca" from '/var/etc/ipsec/ipsec.d/cacerts/a9025906.0.crt'
    Feb 7 09:08:51 charon: 00[CFG] loading ca certificates from '/var/etc/ipsec/ipsec.d/cacerts'
    Feb 7 09:08:51 charon: 00[CFG] ipseckey plugin is disabled
    Feb 7 09:08:51 charon: 00[NET] enabling UDP decapsulation for IPv6 on port 4500 failed
    Feb 7 09:08:51 charon: 00[KNL] unable to set UDP_ENCAP: Invalid argument
    Feb 7 09:08:51 charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.2.1, FreeBSD 10.1-RELEASE-p4, amd64)
    Feb 7 09:08:51 ipsec_starter[78836]: no known IPsec stack detected, ignoring!
    Feb 7 09:08:51 ipsec_starter[78836]: no KLIPS IPsec stack detected
    Feb 7 09:08:51 ipsec_starter[78836]: no netkey IPsec stack detected
    Feb 7 09:08:51 ipsec_starter[78836]: Starting strongSwan 5.2.1 IPsec [starter]...
    ```

    Best regards,
    esquire1968


  • Banned

    I frankly have no idea what's the difference between the button and script. The button may work perfectly fine except for the fact it fails to apply changed configuration here so it's totally useless. So, the only workable way to really restart this thing is stop and start (always thought restart would do that but here apparently some reload attempt is made or god knows what…) Cannot see myself getting in love with strongswan any time soon.



  • Hi again!

    The effect of the script and the "restart" button is the same: it doesn't work. See the log below:

    ```
    Feb 11 19:04:57 charon: 13[CFG] rereading crls from '/var/etc/ipsec/ipsec.d/crls'
    Feb 11 19:04:57 charon: 13[CFG] rereading attribute certificates from '/var/etc/ipsec/ipsec.d/acerts'
    Feb 11 19:04:57 charon: 13[CFG] rereading aa certificates from '/var/etc/ipsec/ipsec.d/aacerts'
    Feb 11 19:04:57 charon: 13[CFG] rereading ocsp signer certificates from '/var/etc/ipsec/ipsec.d/ocspcerts'
    Feb 11 19:04:57 charon: 13[CFG] loaded ca certificate "C=EH, ST=xx, L=xxx, O=xxx, CN=xxx, E=xxx@xxx.com from '/var/etc/ipsec/ipsec.d/cacerts/df28683a.0.crt'
    Feb 11 19:04:57 charon: 13[CFG] loaded ca certificate "C=AT, ST=yy, L=yyy, O=yyy, E=yyy@yyy.com, CN=yyy" from '/var/etc/ipsec/ipsec.d/cacerts/a9025906.0.crt'
    Feb 11 19:04:57 charon: 13[CFG] rereading ca certificates from '/var/etc/ipsec/ipsec.d/cacerts'
    Feb 11 19:04:57 charon: 13[CFG] loaded IKE secret for %any nnn.nnn.nnn.nnn
    Feb 11 19:04:57 charon: 13[CFG] loading secrets from '/var/etc/ipsec/ipsec.secrets'
    ```

    What is wrong here?

    Only with the buttons <Stop IPsec Service> and then <Start IPsec Service> does the tunnel work.

    Have you any idea what I can do? Maybe a script that stops AND restarts the connection …

    The reason I need a solution is that my internet connection drops every 24 hours (daily at 05:10); I get a new IP and the DynDNS entry is updated. IPsec tries to establish the tunnel with the old IP - I don't know why.

    I'm thankful for any tips.

    Best regards
    esquire1968


  • Banned

    @esquire1968:

    What is wrong here?
    Only with the Buttons <Stop Ipsec Service> and then <Start Ipsec Service> the tunnel works.
    Have you any idea what I can do? Maybe a script that stops AND restarts the Connection …

    No, NFC. Nada. Nothing. Zero. Strongswan suxxx…

    https://redmine.pfsense.org/issues/4268
    https://redmine.pfsense.org/issues/4353


  • Rebel Alliance Developer Netgate

    ```sh
    pfSsh.php playback svc stop ipsec; pfSsh.php playback svc start ipsec
    ```

    The restart action was set to only refresh the configuration, to minimize disruption to running tunnels.



  • Sorry, I'm a little bit confused!  :-[

    Now, I've 2 links to new files …

    https://redmine.pfsense.org/projects/pfsense/repository/revisions/01f3438e7ab91d29751fc27a4627a98c8cba2b4b

    ... and ...

    https://redmine.pfsense.org/projects/pfsense/repository/revisions/41da54ce14d2d43a5ce9738bd80b73355fa26180

    Which is the right one?

    Should I set a cron job with the following command 1 minute after the new internet connection has been started:

    ```sh
    pfSsh.php playback svc stop ipsec; pfSsh.php playback svc start ipsec
    ```

    Best regards
    esquire1968


  • Banned

    @esquire1968:

    Sorry, I'm a Little bit confused!  :-[
    Now, I've 2 links to new files …

    Does not matter. Plus, the "restart" is apparently useless so just ignore the patch.



  • Hi again!

    When I start the following command via SSH, it works!

    ```sh
    pfSsh.php playback svc stop ipsec; pfSsh.php playback svc start ipsec
    ```

    The same command as a cron job does nothing!

    ```
    12   5   *   *   *   root   pfSsh.php playback svc stop ipsec; pfSsh.php playback svc start ipsec
    ```

    Why? Pls help!

    Thx
    esquire1968


  • Banned

    Always use full paths with cron…


  • Banned

    @doktornotor:

    Always use full paths (like /usr/local/sbin/pfSsh.php) with cron…
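Putting doktornotor's full-path advice and jimp's stop/start sequence together, here is a cron-safe wrapper script. It is an added example, not code from the thread or from pfSense; it assumes /usr/local/sbin/pfSsh.php, the charon log at /var/log/ipsec.log, and the stop/start playbacks quoted above, and it only restarts when the "Can't assign requested address" errors esquire1968 posted show up in the recent log, so a healthy tunnel is not torn down every day.

```shell
#!/bin/sh
# Added example, not from the thread or pfSense. Assumed paths: pfSsh.php in
# /usr/local/sbin (per doktornotor), charon log in /var/log/ipsec.log.
PFSSH=/usr/local/sbin/pfSsh.php   # full path: cron's PATH does not include /usr/local/sbin
IPSEC_LOG=/var/log/ipsec.log      # assumed location of the charon log
WINDOW=200                        # recent log lines to inspect
THRESHOLD=3                       # bind errors in that window before restarting
# Symptom esquire1968 posted: charon keeps retransmitting from the old WAN address.
PATTERN="error writing to socket: Can't assign requested address"

# Print how many times PATTERN occurs in the last WINDOW lines of file $1 (0 if missing).
count_bind_errors() {
    tail -n "$WINDOW" "$1" 2>/dev/null | grep -c "$PATTERN" || :
}

# Succeed (exit 0) only when the count reaches THRESHOLD.
needs_restart() {
    n=$(count_bind_errors "$1")
    [ "$n" -ge "$THRESHOLD" ]
}

# A real stop/start re-binds charon to the new address; the "restart" playback
# only reloads the configuration, which is why it did nothing here.
restart_ipsec() {
    "$PFSSH" playback svc stop ipsec && "$PFSSH" playback svc start ipsec
}

main() {
    if needs_restart "$IPSEC_LOG"; then
        logger -t ipsec_watchdog "stale WAN address in charon log, restarting IPsec"
        restart_ipsec
    fi
}

# Constructed sample log (not real traffic) with the symptom lines, for dry runs.
write_sample_log() {
    cat > "$1" <<'EOF'
Feb 7 08:58:44 charon: 08[NET] error writing to socket: Can't assign requested address
Feb 7 08:58:44 charon: 16[IKE] sending retransmit 3 of request message ID 0, seq 1
Feb 7 08:59:07 charon: 08[NET] error writing to socket: Can't assign requested address
Feb 7 08:59:49 charon: 08[NET] error writing to socket: Can't assign requested address
EOF
}

# Act only when invoked with "run", so sourcing the file for a dry run does nothing.
# Cron entry, full paths, two minutes after the daily 05:10 reconnect:
#   12 5 * * * root /root/ipsec_watchdog.sh run
case "${1:-}" in
    run) main ;;
esac
```

Tune WINDOW and THRESHOLD to the log volume on your box; with DPD every few seconds, 200 lines covers only a short interval.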



  • Thanks! Now it works!

    How can I reduce the log entries for IPsec? I have a lot of logs like this …

    ```
    Feb 16 13:35:02 charon: 07[NET] sending packet: from xxx.xxx.xxx.xxx[500] to yyy.yyy.yyy.yyy[500] (92 bytes)
    Feb 16 13:35:02 charon: 07[ENC] generating INFORMATIONAL_V1 request 851016784 [ HASH N(DPD_ACK) ]
    Feb 16 13:35:02 charon: 07[ENC] parsed INFORMATIONAL_V1 request 703088055 [ HASH N(DPD) ]
    Feb 16 13:35:02 charon: 07[NET] received packet: from xxx.xxx.xxx.xxx[500] to yyy.yyy.yyy.yyy[500] (92 bytes)
    ```

    'IPsec debug' is 'silent'.

    Cheers
    esquire1968



  • With the new version 2.3 are we able to take advantage of all the strongswan commands?

    I am running 2.2.6 and I lost all connectivity to the GUI during setup of a VPN. Since I cannot reboot (business hours) I wanted to check the status of the VPNs, and I was able to run `ipsec status` from the shell and get details on all configured tunnels.

    https://wiki.strongswan.org/projects/strongswan/wiki/IpsecCommand

    Can we use this to restart the ipsec or is that not recommended?