Compatible With
  • Nagios 2.x
  • Nagios 3.x

Used to check whether StrongSwan/OpenSwan IPSEC tunnels are up or not. Can check whether a total number of tunnels are up, or check per tunnel name. Currently tested against StrongSwan 5.x. If earlier versions of StrongSwan need to be supported, let me know.

sudoers entry:

nagios ALL=(root) NOPASSWD: /usr/lib/nagios/plugins/check_ipsec2

nrpe_local.cfg entry:

command[check_ipsec2]=sudo /usr/lib/nagios/plugins/check_ipsec2 $ARG1$

/etc/nagios/ipsec_gateways.txt entry:


Service definition:

define service {
    use generic-service
    host_name vpngw.domain.tld
    service_description Check CON-
    check_command check_ipsec2!"-c CON- -p -s"
}

define service {
    use generic-service
    host_name vpngw.domain.tld
    service_description Check Tunnels
    check_command check_ipsec2!"-a 4"
}

Command definition:

define command{
    command_name check_ipsec2
    command_line $USER1$/check_nrpe -H $HOSTADDRESS$ -c check_ipsec2 -a $ARG1$
}

$PROGNAME [-hprsv] [-a number of connections] [-c IPSEC connection name]
-a (Check all connections)
-c (Check specific connection)
-p (Ping remote gateway. Used only with -c)
-r (Restart IPSEC if down)
-s (Reacquire SA for connection. Used only with both -c and -p)
-h (Show this help screen)
-v (Show version)

-a and -c cannot be used together.
-s can only be used with -c.
-p can only be used with -c.
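
The nrpe_local.cfg entry above hands $ARG1$ to a script that sudo runs as root, so the argument string is worth checking against the option rules listed here before it reaches the plugin. The following is an added example, not part of check_ipsec2: validate_ipsec_args is a hypothetical helper, and the allowed character set for connection names and the rejection of an empty string are assumptions.

```sh
#!/bin/sh
# Added example, not part of check_ipsec2. validate_ipsec_args is a
# hypothetical helper: returns 0 only if the NRPE argument string matches
# the plugin's documented usage.
validate_ipsec_args() {
    set -f          # disable globbing so "*" in the input is not expanded
    set -- $1       # split on whitespace, as the nrpe command line would
    set +f
    [ "$#" -gt 0 ] || return 1      # assumption: an empty string is rejected
    have_a=0 have_c=0 have_p=0 have_s=0
    while [ "$#" -gt 0 ]; do
        case "$1" in
            -a) shift               # -a takes a number of connections
                case "${1:-}" in ''|*[!0-9]*) return 1 ;; esac
                have_a=1 ;;
            -c) shift               # -c takes a connection name
                # assumption: names use only letters, digits, '.', '_', '-'
                case "${1:-}" in ''|-*|*[!A-Za-z0-9._-]*) return 1 ;; esac
                have_c=1 ;;
            -p) have_p=1 ;;
            -s) have_s=1 ;;
            -r|-h|-v) ;;
            *) return 1 ;;          # unknown option or stray word
        esac
        shift
    done
    # -a and -c cannot be used together
    if [ "$have_a" -eq 1 ] && [ "$have_c" -eq 1 ]; then return 1; fi
    # -p can only be used with -c
    if [ "$have_p" -eq 1 ] && [ "$have_c" -eq 0 ]; then return 1; fi
    # -s is used only with both -c and -p
    if [ "$have_s" -eq 1 ]; then
        [ "$have_c" -eq 1 ] && [ "$have_p" -eq 1 ] || return 1
    fi
    return 0
}

# Constructed sample argument strings (not from the page).
for s in "-a 4" "-c tunnel1 -p -s" "-a 4 -c tunnel1" "-c tunnel1 -s"; do
    if validate_ipsec_args "$s"; then echo "accept: $s"; else echo "reject: $s"; fi
done
```

A wrapper placed in front of the plugin can call this function first and refuse to run the plugin when it returns non-zero.
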
Reviews (2)
Although the script worked flawlessly locally, I had to edit it as follows to correct the logic:

if [[ "$eroutes" -eq "2" ]]
then
    echo "OK - All 2 tunnels are up an running"
    exit $STATE_OK
elif [[ "$eroutes" -gt "2" ]]
then
    echo "WARNING - More than 2 ($eroutes) tunnels are up an running"
    exit $STATE_WARNING
else
    echo "CRITICAL - Only $eroutes tunnels from 2 are up an running - $(location)"
    exit $STATE_CRITICAL
fi

Besides this, I had to do the following to fetch the results via NRPE plugin remotely:

chown nagios /var/run/pluto/pluto.clt

Now I'm able to view the proper results over my NAGIOS monitoring console.

Hope this helps someone.

We want to use this script to remotely check VPN tunnels' status, executing this script with NRPE on an IPcop host.

But there is no command which in our IPcop v2.1.9, although it has a locate addon. We therefore replaced "which " with the full paths of files in

Also, in the script's function check_connection(), in the line:
eroutes=`$IPSECBIN whack --status | grep -e "IPsec SA established" | grep -e "$2" | wc -l`
we believe the $2 should actually read $1.

With these modifications, we were able to use the script locally:
$ /var/ipcop/addons/nrpe/plugins/ -c tunnelname
OK - tunnelname Connection is up and running

Sadly, the same check done remotely on the Nagios host, with that same commandline above defined for NRPE as command check_tunnelname, does return a different result:
/usr/local/nagios/libexec/check_nrpe -H ipcop-hostaddr -c check_tunnelname
CRITICAL - tunnelname Connection is down

This may only be a user rights problem, as the local test was done as root, but the nrpe service runs as user nagios. But there is no command su or sudo in our IPcop v2.1.9 (hence no /etc/sudoers), and we know of no suitable addon.
-- United Networking