Monitor IPSec VPN Tunnel
I have an IPSec Tunnel built from one of my servers to an integration partner which is used to secure our web service calls. It uses a IPSec, OpenSwan, and Pluto to maintain a private network. Unfortunately I was seeing that this tunnel would for some reason collapse, requiring me to manually restart IPSec to rebuild the tunnel and re-enable our web services. This usually seemed to happen around 1am so despite many, many (MANY), emails, I wouldn’t actually fix it for several hours.
To aid in the process of stopping and then restarting the services, I wrote a bash script to handle all the comments. I only have one IPSec interface of
ipsec0 which is used in my script. Make sure to
chmod +x /usr/local/bin/ipsec-restart.sh.
#!/bin/bash # get the -i or --interface argument value while [[ $# > 1 ]] do key="$1" case $key in -i|--interface) INTERFACE="$2" shift # past argument ;; esac shift # past argument or value done # show an error if the interface isn't specified if [ -z "$INTERFACE" ] then echo "You must provide an interface argument with -i or --interface" exit fi # restart ipsec, then bring up the IPSec tunnel /sbin/service ipsec restart /usr/sbin/ipsec whack --shutdown /usr/sbin/ipsec setup --restart /usr/sbin/ipsec auto --add $INTERFACE sleep 5 /usr/sbin/ipsec auto --up $INTERFACE
Next step is to have the system automatically run the script when the tunnel goes down. Using NetCat (
nc) is a good option for this – it can actually do a crazy number of things I won’t go into here. Basically we want to test the hostname of our service to see if we can open port 80, and if not, run the restart script. Passing in
-w 10 tells it to wait 10 seconds to time out. By redirecting the output we can have this show nothing if it connects successfully, but email the address specified in the
MAILTO with the
ipsec-restart.sh output. Run this script every 5 minutes (and as root) by adding it to crontab while logged in as root, or using
sudo crontab -e to edit.
# Monitor VPN MAILTO="[email protected]" */5 * * * * ( nc -w 10 -z hostname.webservice.com 80 ) >& /dev/null || /usr/local/bin/ipsec-restart.sh -i ipsec0