
@rlsit
Created January 4, 2018 12:43
sophos SG restart stalled ipsec tunnels
#! /usr/bin/perl -w
use strict;
use warnings;

use Data::Dumper;
use Fcntl qw(O_CREAT O_EXCL O_WRONLY);

use Astaro::ConfdPlRPC;
use Try::Tiny;
# Command line: no argument means "restart only stalled tunnels";
# the single supported switch "--all" forces a restart of every tunnel.
# Anything else in the first position aborts the run.
my $restartall = 0;
if (@ARGV) {
    die "unhandled arg $ARGV[0]" unless $ARGV[0] eq "--all";
    $restartall = 1;
}
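# Per-tunnel marker files implement a two-strike rule: the first run that sees
# a tunnel not fully established only drops a marker; a later run that still
# sees it down (marker present) restarts the tunnel and clears the marker.
#
# NOTE(review): the markers live in world-writable /tmp and this script is
# meant to run as root, so other local accounts can plant or pre-create marker
# names there. A root-only state directory would be a safer home for them.

# Create an empty marker file.  O_CREAT|O_EXCL refuses any entry that already
# exists at that path (symlinks included), so a pre-planted link can never make
# this privileged process create or truncate a file somewhere else.
# Returns 1 on success, 0 (after a warning) on failure.
sub _create_marker {
    my ($path) = @_;
    if (sysopen(my $fh, $path, O_CREAT | O_EXCL | O_WRONLY, 0600)) {
        close($fh) or warn "cannot close marker $path: $!\n";
        return 1;
    }
    warn "cannot create marker $path: $!\n";
    return 0;
}

# Remove the marker file if one is present.
# Returns 1 when nothing is left to remove, 0 (after a warning) on failure.
sub _remove_marker {
    my ($path) = @_;
    return 1 unless -f $path;
    return 1 if unlink($path);
    warn "cannot remove marker $path: $!\n";
    return 0;
}

my $confd = Astaro::ConfdPlRPC->new();
$confd->lock or die 'cannot lock';
my $ipsec = $confd->get_ipsec_status();

TUNNEL:
for my $tun (keys %$ipsec) {
    #print "$tun ...\n";

    # The tunnel key is used as a file name below; never let it address a
    # path outside /tmp.  (Keys are presumably plain confd object references
    # - confirm against the appliance.)
    if ($tun =~ m{[/\0]}) {
        warn "skipping tunnel key unusable as marker file name: $tun\n";
        next TUNNEL;
    }
    my $marker = "/tmp/$tun";

    # Tunnel is fully established and no forced restart was requested:
    # forget any earlier strike against it.
    if (!$restartall and $ipsec->{$tun}->{all_established} == 1) {
        _remove_marker($marker);
        next TUNNEL;
    }

    # First strike: only remember that the tunnel was seen down.
    if (!$restartall and !-f $marker) {
        _create_marker($marker);
        next TUNNEL;
    }

    # Forced restart, or second strike: toggle the object's status off and
    # back on, committing each change, then report the resulting status.
    try {
        my $con = $confd->get_object($tun);
        $con->{data}->{status} = 0;
        $confd->set_object($con);
        $confd->commit;
        sleep 2;

        $con = $confd->get_object($tun);
        $con->{data}->{status} = 1;
        $confd->set_object($con);
        $confd->commit;
        sleep 1;

        $con = $confd->get_object($tun);
        print "$tun aka. $con->{data}->{name} restarted: status: $con->{data}->{status}\n";
        _remove_marker($marker);
    }
    catch {
        # Keep the caught exception text; it is otherwise lost.
        my $err = $_;
        print "ERROR occured while restarting $tun\n";
        print "exception: $err\n" if defined $err;
        print Dumper($confd->err_get_extended()), "\n";
    };
}

$confd->disconnect;
exit 0;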

rlsit commented Jan 4, 2018

Checks the state of all IPsec tunnels on a Sophos SG firewall and restarts the ones that are stalled.


rlsit commented Jan 4, 2018

we run this via cron:

*/5 1-23 * * * root    /root/ipsec.pl 2>&1 | logger  -p cron.info -t ipsec-tunnel-restarted
30 0 * * *     root    /root/ipsec.pl --all | logger  -p cron.info -t ipsec-tunnel-restarted-furced
