Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
Script to check the status of ipsec tunnels and refresh them if they're down. This should be run from cron every minute. To add monitoring on a tunnel, add a commented-out `monitor` line with the IP and port to use for establishing connection status. eg. `#monitor 172.17.105.80 9898` Adapted from a script posted by user "c b" on Strongswan [issu…
#!/bin/bash
function main()
{
monitor_from_file $*
}
function monitor_vpn_ip_port()
{
local CONN_NAME=$1
local IP=$2
local PORT=$3
nc -w 10 -z $IP $PORT || ( \
echo "$IP $PORT did not respond, resetting connection $CONN_NAME"; \
ipsec auto --refresh $CONN_NAME;)
}
function monitor_from_file()
{
local FILE=$1
if [[ ! -e $FILE ]]; then
echo "Can not find file $FILE."
return 1
fi
# load the file into memory. Hope it's not too big. :)
# -t strips out the newlines on each line.
mapfile -t MYARRAY < $FILE
# init local variable to contain the current connection name.
local CONN=
for LINE in "${MYARRAY[@]}"; do
# Skip over any lines that have the comment at the very beginning.
if [[ $LINE =~ ^\# ]]; then continue
# Look for a line that looks like this which defines a VPN connection:
# conn CONNECTION-NAME
elif [[ $LINE =~ ^conn[\ ] ]]; then
# extract the part after the "conn " to get the name.
CONN=`echo $LINE | sed 's/^conn //'`
# Look for a line where we have the commented 'monitor' keyword.
# Example: #monitor 172.17.105.80 9898
elif [[ $LINE =~ \#monitor ]]; then
# Remove everything from the beginning up to and including the "#monitor "
IP_PORT=`echo $LINE | sed 's/^.*#monitor //'`
printf "`date` monitoring $CONN \t $IP_PORT\n"
# IP_PORT should be space delimited and hence should work as separate parameters.
monitor_vpn_ip_port $CONN $IP_PORT
# if we have a blank line, that ends any connection configuration.
elif [[ $LINE =~ ^$ ]]; then
CONN=
fi
done
}
# now start running the script by calling main() with all parameters.
main $*
@paulophagula

This comment has been minimized.

Copy link

@paulophagula paulophagula commented May 16, 2017

Hello,

thank you for sharing this script. I've been using it on a few projects

I'd like to point out that depending on the system the ipsec command may not be available when the script is run from CRON, due to the $PATH variable being redefined to the default value of the system. And as such it's advisable to set $PATH on the top of the script according to your configuration or to use the full path to the ipsec command,

@soakes

This comment has been minimized.

Copy link

@soakes soakes commented Jun 7, 2017

@dareenzo

If you just add the following to the top of your crontab file, you won't need to adjust the script.

SHELL=/bin/bash
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=noc@example.com

Its the same as any other crontab file, if you want a different set of paths or different users to get the cron mails, then you need to do this.

https://www.centos.org/docs/5/html/5.2/Deployment_Guide/s2-autotasks-cron-configuring.html

or read the man pages in most linux distros will give you some more example of variables that you can use.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment