Monitor an IPsec VPN tunnel on OpenBSD

Description:

This article describes how to monitor an IPsec tunnel running on OpenBSD. I could not find an existing plugin, so I created my own.

Last Release Date: June 12, 2009

Project Notes
Theory

The status of IPsec on OpenBSD is obtained by running:

    ipsecctl -s s

Output:

    esp tunnel from x.x.x.x to y.y.y.y spi 0xe58a63d3 auth hmac-md5 enc 3des-cbc authkey 0xabcdfghijklmnopqrstuvxyz enckey 0xabcdfghijklmnopqrstuvxyz
    esp tunnel from y.y.y.y to x.x.x.x spi 0x555f1f13 auth hmac-md5 enc 3des-cbc authkey 0xabcdfghijklmnopqrstuvxyz enckey 0xabcdfghijklmnopqrstuvxyz

This shows that the IPsec tunnel between x.x.x.x and y.y.y.y is up. The output differs depending on the OpenBSD version.

NRPE config

Nagios runs check_ipsecctl via NRPE. It must run as a privileged user, and I use sudo for that. In /etc/nrpe.cfg:

    command[vpn_johan]=sudo /opt/plugins/custom/check_ipsecctl x.x.x.x y.y.y.y "VPN Johan"

x.x.x.x and y.y.y.y are the IP addresses where the VPN tunnel terminates.

Sudo

Use sudoedit /etc/sudoers to modify the sudo config file:

    nagios ALL=(root) NOPASSWD: /opt/plugins/custom/check_ipsecctl

Nagios configuration

The VPN connection can be treated as a service running on the OpenBSD box, but in my opinion the VPN should be treated as a host, using the plugin above to check that the host is alive, and the hosts at the other end of the VPN connection should have the VPN tunnel as their parent. The advantage is that if the VPN tunnel is down, the hosts and services behind it are unreachable, which is the correct behavior.

hosts.cfg

    # host template 'default-hosttemplate-nrpe'
    define host{
        name                            default-hosttemplate-nrpe
        check_command                   check_nrpe
        max_check_attempts              5
        obsess_over_host                0
        check_freshness                 0
        active_checks_enabled           1
        passive_checks_enabled          1
        event_handler_enabled           1
        flap_detection_enabled          1
        flap_detection_options          n
        process_perf_data               1
        retain_status_information       1
        retain_nonstatus_information    1
        notification_interval           0
        notification_period             24x7
        notification_options            d,u,r,f
        notifications_enabled           1
        stalking_options                n
        register                        0
    }

    # host 'vpn-johan'
    define host{
        use                             default-hosttemplate-nrpe
        host_name                       vpn-johan
        alias                           vpn johan
        address                         10.1.1.1
        parents                         internet
        check_command                   check_nrpe!vpn_johan
        contact_groups                  it-slav_msn,it-slav_mail,call_it-slav
    }

10.1.1.1 is the IP address of my OpenBSD box.
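An added example (not the project's check_ipsecctl): a shell function that reads the ipsecctl listing shown under Theory on stdin, requires an SA in each direction between the two endpoints, and returns Nagios exit codes. The function names, the 192.0.2.1 / 198.51.100.7 sample addresses and the assumption that every SA begins with an "esp tunnel from A to B" line are mine; because the sudoers rule above permits any arguments, the endpoints are validated before use.

```sh
#!/bin/sh
# Added example; NOT the project's check_ipsecctl. Reads the SA listing on stdin.

# Constructed sample in the format shown above (addresses/keys are placeholders).
sample_sa_output() {
cat <<'EOF'
esp tunnel from 192.0.2.1 to 198.51.100.7 spi 0xe58a63d3 auth hmac-md5 enc 3des-cbc authkey 0xPLACEHOLDER enckey 0xPLACEHOLDER
esp tunnel from 198.51.100.7 to 192.0.2.1 spi 0x555f1f13 auth hmac-md5 enc 3des-cbc authkey 0xPLACEHOLDER enckey 0xPLACEHOLDER
EOF
}

# is_ipv4 ADDR: strict dotted-quad check; the plugin runs as root via sudo,
# so arguments are validated before they are used anywhere.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*) return 1 ;;
    esac
    echo "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i == "" || $i > 255) exit 1 }'
}

# check_tunnel LOCAL REMOTE [LABEL]
# Returns Nagios plugin codes: 0 OK, 2 CRITICAL, 3 UNKNOWN.
check_tunnel() {
    local_ip=$1; remote_ip=$2; label=${3:-VPN}
    if ! is_ipv4 "$local_ip" || ! is_ipv4 "$remote_ip"; then
        echo "UNKNOWN - endpoints must be IPv4 addresses"
        return 3
    fi
    # Count SAs per direction by exact field comparison (no regex, so the
    # dots in an address are literal). Key fields are never printed.
    set -- $(awk -v a="$local_ip" -v b="$remote_ip" '
        $1 == "esp" && $2 == "tunnel" && $3 == "from" && $5 == "to" {
            if ($4 == a && $6 == b) outb++
            if ($4 == b && $6 == a) inb++
        }
        END { print outb + 0, inb + 0 }')
    if [ "$1" -ge 1 ] && [ "$2" -ge 1 ]; then
        echo "OK - $label: SA present in both directions"
        return 0
    fi
    echo "CRITICAL - $label: SAs found out=$1 in=$2"
    return 2
}

# Stand-alone run against the constructed sample:
sample_sa_output | check_tunnel 192.0.2.1 198.51.100.7 "VPN Johan"
```

On the OpenBSD box, the output of the ipsecctl command shown under Theory would be piped into check_tunnel in place of sample_sa_output.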