- Manually or use my pfSense/OPNsense Ansible playbooks
```
pip3.11 install textfsm
pip3.11 install tabulate
```
| item | filename | install to | post-install steps |
|---|---|---|---|
| FSM template | ipsec_status.template | /opt/check_mk/lib/check_mk_agent | |
| local check | ipsec-status.local | /opt/check_mk/lib/check_mk_agent/local | chmod 750 <file> |
Run as root:
```
# /opt/check_mk/lib/check_mk_agent/local/ipsec-status.local
```
It should output one line per VPN connection.
Check_MK should then find services of type "local". Add those.
Example output

```
OK  VPN Endpoint 80.CEN.SOR.ED  Connection is ESTABLISHED  231 m  47.4 s
OK  VPN Endpoint 87.CEN.SOR.ED  Connection is ESTABLISHED  231 m  47.4 s
OK  VPN Endpoint fw1.CEN.SOR.EDtaCEN.SOR.EDrsaCEN.SOR.ED  Connection is ESTABLISHED  219 m  47.4 s
```
- The check is generally made to output a `WARNING` state if your connection has an issue
- There are many exceptions to that
- The strongSwan CLI drops the connection entries if there's no negotiated connection
- This means that the check will only turn to `UNKNOWN`
An inventory-based check can work around this since it has a known good state to compare to. I'll keep this check available here in any case as an example of a leaner check than the others that were available when I checked.

The processing is done client-side since you're not supposed to include Python libs in server-based checks. Since the authors of strongSwan cannot provide a stable CLI (so far), this is a situation with many tradeoffs. The choice taken here is to install TextFSM and one dependency locally on the firewall. TextFSM is (imo) the best approach to have a stable interface between the different toolstacks, for the time being. It can also return tabular output, which would then be perfect for server-side processing by Check_MK.
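The inventory-based workaround mentioned above, as an added example that is not part of this repository's check: parsed CLI output is compared against a known-good list, so a connection whose entry the CLI dropped is reported instead of silently disappearing. It uses Python's `re` rather than TextFSM to stay standard-library only; the connection names, the sample output and the CRIT mapping for missing entries are assumptions.

```python
import re

# Assumption: known-good inventory of connection names (hypothetical names).
EXPECTED = ["con1", "con2", "con3"]

# Constructed sample in the style of strongSwan `ipsec status` output. con3 has
# no negotiated connection, so the CLI prints no line for it at all.
SAMPLE = """\
Security Associations (1 up, 1 connecting):
        con1[5]: ESTABLISHED 3 hours ago, 192.0.2.1[192.0.2.1]...198.51.100.7[198.51.100.7]
        con1{12}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c1111111_i c2222222_o
        con2[6]: CONNECTING, 192.0.2.1[%any]...203.0.113.9[%any]
"""

# IKE SA lines look like "<name>[<id>]: <STATE>"; child SA lines use {} and are skipped.
IKE_SA = re.compile(r"^\s*(?P<name>[\w.-]+)\[\d+\]:\s+(?P<state>[A-Z_]+)", re.M)


def parse_states(cli_output):
    """Return {connection name: IKE SA state} for every entry the CLI printed."""
    return {m["name"]: m["state"] for m in IKE_SA.finditer(cli_output)}


def local_check_lines(cli_output, expected=EXPECTED):
    """Build Check_MK local check lines: <status> "<service>" <perfdata> <summary>."""
    seen = parse_states(cli_output)
    lines = []
    for name in expected:
        state = seen.get(name)
        if state == "ESTABLISHED":
            status, text = 0, "Connection is ESTABLISHED"
        elif state is None:
            # Entry dropped by the CLI: report CRIT instead of a stale service.
            status, text = 2, "No entry in CLI output (not negotiated)"
        else:
            status, text = 1, f"Connection is {state}"
        lines.append(f'{status} "VPN Endpoint {name}" - {text}')
    # Connections the CLI shows but the inventory does not know about.
    for name in sorted(set(seen) - set(expected)):
        lines.append(f'3 "VPN Endpoint {name}" - Not in inventory ({seen[name]})')
    return lines


if __name__ == "__main__":
    print("\n".join(local_check_lines(SAMPLE)))
```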
There are also not too many practical examples of using TextFSM, so I hope this also helps a bit.
References:
- Network to Code FSM templates
- Python for Network Engineers Getting started with TextFSM