Search Exchange
Search All Sites
Nagios Live Webinars
Let our experts show you how Nagios can help your organization.Login
New ListingsDirectory Tree
Monitor an IPsec VPN tunnel on OpenBSD
Theory
The way of getting the status of IPsec on OpenBSD is buy running:
ipsecctl -s s
esp tunnel from x.x.x.x to y.y.y.y spi 0xe58a63d3 auth hmac-md5 enc 3des-cbc
authkey 0xabcdfghijklmnopqrstuvxyz
enckey 0xabcdfghijklmnopqrstuvxyz
esp tunnel from y.y.y.y to x.x.x.x spi 0x555f1f13 auth hmac-md5 enc 3des-cbc
authkey 0xabcdfghijklmnopqrstuvxyz
enckey 0xabcdfghijklmnopqrstuvxyz
This shows that the IPsec tunnel between x.x.x.x and y.y.y.y is up.
Depending of the OpenBSD version the output will be different.
Nrpe config
Nagios run check_ipsecctl via NRPE, it mus run as a privileged user and I use sudo, in /etc/nrpe.cfg
command[vpn_johan]=sudo /opt/plugins/custom/check_ipsecctl x.x.x.x y.y.y.y "VPN Johan"
x.x.x.x and y.y.y.y are the IP-addresses where the VPN tunnel terminates
Sudo
Use sudoedit /etc/sudoers to modify the sudo config file:
nagios ALL=(root) NOPASSWD: /opt/plugins/custom/check_ipsecctl
Nagios configuration
The VPN connection can be treated as a service running on the OpenBSD box, but in my opinion, the VPN should be treated as a host using the plugin above to check that the host is alive, and the hosts at the other end of the VPN connection should have the VPN tunnel as parent. The advantage is that if the VPN tunnel is down the hosts and services behind it is unreachable, which is the correct behavior.
hosts.cfg
# host template 'default-hosttemplate-nrpe'
define host{
name default-hosttemplate-nrpe
check_command check_nrpe
max_check_attempts 5
obsess_over_host 0
check_freshness 0
active_checks_enabled 1
passive_checks_enabled 1
event_handler_enabled 1
flap_detection_enabled 1
flap_detection_options n
process_perf_data 1
retain_status_information 1
retain_nonstatus_information 1
notification_interval 0
notification_period 24x7
notification_options d,u,r,f
notifications_enabled 1
stalking_options n
register 0
}
# host 'vpn-johan'
define host{
use default-hosttemplate-nrpe
host_name vpn-johan
alias vpn johan
address 10.1.1.1
parents internet
check_command check_nrpe!vpn_johan
contact_groups it-slav_msn,it-slav_mail,call_it-slav
}
10.1.1.1 is the IP-adress to my OpenBSD box.
The way of getting the status of IPsec on OpenBSD is buy running:
ipsecctl -s s
esp tunnel from x.x.x.x to y.y.y.y spi 0xe58a63d3 auth hmac-md5 enc 3des-cbc
authkey 0xabcdfghijklmnopqrstuvxyz
enckey 0xabcdfghijklmnopqrstuvxyz
esp tunnel from y.y.y.y to x.x.x.x spi 0x555f1f13 auth hmac-md5 enc 3des-cbc
authkey 0xabcdfghijklmnopqrstuvxyz
enckey 0xabcdfghijklmnopqrstuvxyz
This shows that the IPsec tunnel between x.x.x.x and y.y.y.y is up.
Depending of the OpenBSD version the output will be different.
Nrpe config
Nagios run check_ipsecctl via NRPE, it mus run as a privileged user and I use sudo, in /etc/nrpe.cfg
command[vpn_johan]=sudo /opt/plugins/custom/check_ipsecctl x.x.x.x y.y.y.y "VPN Johan"
x.x.x.x and y.y.y.y are the IP-addresses where the VPN tunnel terminates
Sudo
Use sudoedit /etc/sudoers to modify the sudo config file:
nagios ALL=(root) NOPASSWD: /opt/plugins/custom/check_ipsecctl
Nagios configuration
The VPN connection can be treated as a service running on the OpenBSD box, but in my opinion, the VPN should be treated as a host using the plugin above to check that the host is alive, and the hosts at the other end of the VPN connection should have the VPN tunnel as parent. The advantage is that if the VPN tunnel is down the hosts and services behind it is unreachable, which is the correct behavior.
hosts.cfg
# host template 'default-hosttemplate-nrpe'
define host{
name default-hosttemplate-nrpe
check_command check_nrpe
max_check_attempts 5
obsess_over_host 0
check_freshness 0
active_checks_enabled 1
passive_checks_enabled 1
event_handler_enabled 1
flap_detection_enabled 1
flap_detection_options n
process_perf_data 1
retain_status_information 1
retain_nonstatus_information 1
notification_interval 0
notification_period 24x7
notification_options d,u,r,f
notifications_enabled 1
stalking_options n
register 0
}
# host 'vpn-johan'
define host{
use default-hosttemplate-nrpe
host_name vpn-johan
alias vpn johan
address 10.1.1.1
parents internet
check_command check_nrpe!vpn_johan
contact_groups it-slav_msn,it-slav_mail,call_it-slav
}
10.1.1.1 is the IP-adress to my OpenBSD box.
Reviews (0)
Be the first to review this listing!
