Created December 10, 2013 19:55
Script to check the status of IPsec tunnels and refresh them if they're down. It should be run from cron every minute, with the ipsec config file as its only argument. To add monitoring on a tunnel, add a commented-out `monitor` line inside that tunnel's `conn` block with the IP and port to use for establishing connection status, e.g. `#monitor 9898`. Adapted from a script posted by user "c b" on Strongswan [issu…
#!/bin/bash
# Check the status of IPsec tunnels and refresh any that are down.
# Run from cron once a minute with the ipsec config file as the only argument,
# e.g.  * * * * * /usr/local/bin/ipsec-monitor.sh /etc/ipsec.conf
# cron starts jobs with a minimal PATH, so set it here (or in the crontab)
# so that ipsec(8) and nc(1) can be found.
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

function main() {
    monitor_from_file "$@"
}

# Probe IP:PORT (a host that is only reachable through the tunnel); if it
# does not answer within 10 seconds, refresh the named connection.
function monitor_vpn_ip_port() {
    local CONN_NAME=$1
    local IP=$2
    local PORT=$3
    nc -w 10 -z "$IP" "$PORT" || {
        echo "$IP $PORT did not respond, resetting connection $CONN_NAME"
        ipsec auto --refresh "$CONN_NAME"
    }
}

function monitor_from_file() {
    local FILE=$1
    if [[ ! -e $FILE ]]; then
        echo "Cannot find file $FILE."
        return 1
    fi
    # load the file into memory. Hope it's not too big. :)
    # -t strips out the newlines on each line.
    mapfile -t MYARRAY < "$FILE"
    # init local variable to contain the current connection name.
    local CONN=
    local LINE IP_PORT IP PORT
    for LINE in "${MYARRAY[@]}"; do
        # Look for a line carrying the commented 'monitor' keyword, written as
        # "#monitor IP PORT" inside the conn block. This test comes before the
        # generic comment test below, because a #monitor line is itself a comment.
        if [[ $LINE =~ \#monitor ]]; then
            # A #monitor line outside any conn block has nothing to refresh.
            if [[ -z $CONN ]]; then
                echo "ignoring #monitor line outside a conn block: $LINE"
                continue
            fi
            # Remove everything from the beginning up to and including the "#monitor "
            IP_PORT=$(echo "$LINE" | sed 's/^.*#monitor //')
            printf '%s monitoring %s \t %s\n' "$(date)" "$CONN" "$IP_PORT"
            # IP_PORT is space delimited: split it into the two parameters.
            read -r IP PORT <<< "$IP_PORT"
            monitor_vpn_ip_port "$CONN" "$IP" "$PORT"
        # Skip over any other lines that have the comment at the very beginning.
        elif [[ $LINE =~ ^\# ]]; then
            continue
        # Look for a line that looks like "conn NAME", which defines a VPN connection:
        elif [[ $LINE =~ ^conn[\ ] ]]; then
            # extract the part after the "conn " to get the name.
            CONN=$(echo "$LINE" | sed 's/^conn //')
        # if we have a blank line, that ends any connection configuration.
        elif [[ $LINE =~ ^$ ]]; then
            CONN=
        fi
    done
}

# now start running the script by calling main() with all parameters.
main "$@"
Thank you for sharing this script. I've been using it on a few projects.

I'd like to point out that, depending on the system, the ipsec command may not be available when the script is run from cron, due to the $PATH variable being redefined to the system's default value. As such it's advisable to set $PATH at the top of the script according to your configuration, or to use the full path to the ipsec command.

soakes commented Jun 7, 2017


If you just add the following to the top of your crontab file, you won't need to adjust the script.


It's the same as any other crontab file: if you want a different set of paths or different users to get the cron mails, then you need to do this.

Or reading the man pages (in most Linux distros) will give you some more examples of variables that you can use.
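The parsing rule the gist describes (a `conn NAME` line at column 0 opens a section, a blank line closes it, and a commented `#monitor IP PORT` line inside it names the endpoint to probe) and the cron PATH pitfall raised in the two comments above, as one added example that is neither the gist author's script nor part of this thread. It does a dry run over a constructed sample config, so it invokes neither `nc` nor `ipsec` and runs offline; the exported PATH value, the connection names and the addresses in the sample are assumptions.

```bash
#!/bin/bash
# Added example: dry-run parser for the "#monitor IP PORT" annotations and a
# PATH sanity check for cron. Not the gist author's script.
set -u

# cron starts jobs with a minimal PATH; export the one we expect ipsec(8)
# and nc(1) to live in (assumed locations, adjust for your distro).
export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

# Return 0 if every named tool resolves on PATH, else 1, naming the missing
# ones on stderr. Run once from cron to see what the job will really find.
check_tools() {
    local missing=0 tool
    for tool in "$@"; do
        command -v "$tool" >/dev/null 2>&1 || { echo "missing on PATH: $tool" >&2; missing=1; }
    done
    return "$missing"
}

# Print one "CONN IP PORT" line per annotation in FILE. Same rules as the
# gist: a column-0 "conn NAME" opens a section, a blank line closes it, and a
# "#monitor IP PORT" comment (indented or not) inside a section is an
# endpoint to probe. Any other comment, and a #monitor outside a section,
# is ignored.
list_monitors() {
    local file=$1 line conn= ip port
    local re_monitor='^[[:space:]]*#monitor[[:space:]]+([^[:space:]]+)[[:space:]]+([0-9]+)'
    local re_conn='^conn[[:space:]]+([^[:space:]]+)'
    local re_blank='^[[:space:]]*$'
    while IFS= read -r line || [[ -n $line ]]; do
        if [[ $line =~ $re_monitor ]]; then
            ip=${BASH_REMATCH[1]} port=${BASH_REMATCH[2]}
            if [[ -n $conn ]]; then
                printf '%s %s %s\n' "$conn" "$ip" "$port"
            else
                echo "ignoring #monitor outside a conn block: $line" >&2
            fi
        elif [[ $line =~ $re_conn ]]; then
            conn=${BASH_REMATCH[1]}
        elif [[ $line =~ $re_blank ]]; then
            conn=
        fi
    done < "$file"
}

# Constructed sample ipsec.conf for the dry run (hypothetical names/addresses).
write_sample_conf() {
    cat > "$1" <<'EOF'
# constructed sample, not a real deployment
config setup
    uniqueids=yes

conn office
    left=%defaultroute
    right=198.51.100.7
    rightsubnet=10.20.0.0/16
    #monitor 10.20.0.5 22
    auto=start

conn %default
    keyexchange=ikev2

conn datacenter
    right=203.0.113.9
    # monitor the DB listener behind the tunnel (not an annotation: "# monitor")
    #monitor 10.30.0.10 5432
EOF
}

# Dry run: report what the monitor would probe, and whether cron could run it.
main() {
    local conf=${1:-} tmp= rc
    if [[ -z $conf ]]; then
        tmp=$(mktemp); write_sample_conf "$tmp"; conf=$tmp
    fi
    check_tools nc ipsec || echo "fix PATH in the crontab or the script before scheduling it" >&2
    list_monitors "$conf"
    rc=$?
    [[ -n $tmp ]] && rm -f "$tmp"
    return "$rc"
}
if [[ ${BASH_SOURCE[0]} == "$0" ]]; then
    main "$@"
fi
```

Run it with no arguments to see the dry run over the embedded sample (it prints `office 10.20.0.5 22` and `datacenter 10.30.0.10 5432`, and skips the `# monitor ...` comment and the `conn %default` block); point it at a real `/etc/ipsec.conf` to list what the monitor would probe. Because `check_tools` resolves `ipsec` and `nc` through the same PATH the script exports, running it once from cron rather than from a login shell tells you whether the crontab still needs a PATH line.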
