Search Exchange

Search All Sites

Nagios Live Webinars

Let our experts show you how Nagios can help your organization.

Contact Us

Phone: 1-888-NAGIOS-1
Email: sales@nagios.com

Login

Remember Me

check_ipsec2

Current Version
1.0rc1
Last Release Date
2015-03-11
Compatible With
  • Nagios 2.x
  • Nagios 3.x
Owner
E-mail
License
GPL
Hits
38783
Files:
FileDescription
check_ipsec2.shcheck_ipsec2.sh
Network Monitoring Software - Download Nagios XI
Log Management Software - Nagios Log Server - Download
Netflow Analysis Software - Nagios Network Analyzer - Download
Used to check whether StongSwan/OpenSwan IPSEC tunnels are up or not. Can check if a total number of tunnels are up or per tunnel name. Currently has been tested against StrongSwan 5.x. If Earlier versions of StrongSwan need to be supported let me know.

sudoers entry:

nagios ALL=(root) NOPASSWD: /usr/lib/nagios/plugins/check_ipsec2

nrpe_local.cfg entry:

command[check_ipsec2]=sudo /usr/lib/nagios/plugins/check_ipsec2 $ARG1$

/etc/nagios/ipsec_gateways.txt entry:

CON-192.168.48.0 192.168.48.1

Service definition:

define service {
use generic-service
host_name vpngw.domain.tld
service_description Check CON-192.168.48.0
check_command check_ipsec2!"-c CON-192.168.48.0 -p -s"
}

or

define service {
use generic-service
host_name vpngw.domain.tld
service_description Check Tunnels
check_command check_ipsec2!"-a 4"
}

Command definition:

define command{
command_name check_ipsec2
command_line $USER1$/check_nrpe -H $HOSTADDRESS$ -c check_ipsec2 -a $ARG1$
}

Usage:
$PROGNAME [-hprsv] [-a number of connections] [-c IPSEC connection name]
-a (Check all connections)
-c (Check specific connection)
-p (Ping remote gateway. Used only with -c)
-r (Restart IPSEC if down)
-s (Reacquire SA for connection. Used only with both -c and -p)
-h (Show this help screen)
-v (Show version)

-a and -c cannot be used together.
-s can only be used with -c.
-p can only be used with -c.
Reviews (2)
Although the script worked flawlessly locally, I had to edit it as follows to correct the logic:

if [[ "$eroutes" -eq "2" ]]
then
echo "OK - All 2 tunnels are up an running"
exit $STATE_OK
elif [[ "$eroutes" -gt "2" ]]
then
echo "WARNING - More than 2 ($eroutes) tunnels are up an running"
exit $STATE_WARNING
else
echo "CRITICAL - Only $eroutes tunnels from 2 are up an running - $(location)"
exit $STATE_CRITICAL
fi

Besides this, I had to do the following to fetch the results via NRPE plugin remotely:

chown nagios /var/run/pluto/pluto.clt

Now I'm able to view the proper results over my NAGIOS monitoring console.

Hope this helps someone.
Hi,

we want to use this script to remotely check VPN tunnels' status, executing this script with NRPE on an IPcop host.

But there is no command which in our IPcop v2.1.9, although http://www.cobin.de/binary.php has a locate addon. We therefore replaced "which " with the full paths of files in check_ipcop2.sh.

Also, in the scripts function check_connection(), in the line:
eroutes=`$IPSECBIN whack --status | grep -e "IPsec SA established" | grep -e "$2" | wc -l`
we believe the $2 should actually read $1.

With these modifications, we were able to use the script locally:
$ /var/ipcop/addons/nrpe/plugins/check_ipsec2_mod.sh -c tunnelname
OK - tunnelname Connection is up and running

Sadly, the same check done remotely on the Nagios host, with that same commandline above defined for NRPE as command check_tunnelname, does return a different result:
/usr/local/nagios/libexec/check_nrpe -H ipcop-hostaddr -c check_tunnelname
CRITICAL - tunnelname Connection is down

This may only be a user rights problem, as the local test was done as root, but the nrpe service runs as user nagios. But there is no command su or sudo in our IPcop v2.1.9 (hence no /etc/sudoers), and we know of no suitable addon.
--
regards,
-- United Networking