Search Exchange

Search All Sites

Nagios Live Webinars

Let our experts show you how Nagios can help your organization.

Contact Us

Phone: 1-888-NAGIOS-1


Remember Me

Directory Tree


Current Version
Last Release Date
Compatible With
  • Nagios 2.x
  • Nagios 3.x
Network Monitoring Software - Download Nagios XI
Log Management Software - Nagios Log Server - Download
Netflow Analysis Software - Nagios Network Analyzer - Download
Used to check whether StongSwan/OpenSwan IPSEC tunnels are up or not. Can check if a total number of tunnels are up or per tunnel name. Currently has been tested against StrongSwan 5.x. If Earlier versions of StrongSwan need to be supported let me know.

sudoers entry:

nagios ALL=(root) NOPASSWD: /usr/lib/nagios/plugins/check_ipsec2

nrpe_local.cfg entry:

command[check_ipsec2]=sudo /usr/lib/nagios/plugins/check_ipsec2 $ARG1$

/etc/nagios/ipsec_gateways.txt entry:


Service definition:

define service {
use generic-service
host_name vpngw.domain.tld
service_description Check CON-
check_command check_ipsec2!"-c CON- -p -s"


define service {
use generic-service
host_name vpngw.domain.tld
service_description Check Tunnels
check_command check_ipsec2!"-a 4"

Command definition:

define command{
command_name check_ipsec2
command_line $USER1$/check_nrpe -H $HOSTADDRESS$ -c check_ipsec2 -a $ARG1$

$PROGNAME [-hprsv] [-a number of connections] [-c IPSEC connection name]
-a (Check all connections)
-c (Check specific connection)
-p (Ping remote gateway. Used only with -c)
-r (Restart IPSEC if down)
-s (Reacquire SA for connection. Used only with both -c and -p)
-h (Show this help screen)
-v (Show version)

-a and -c cannot be used together.
-s can only be used with -c.
-p can only be used with -c.
Reviews (2)
Although the script worked flawlessly locally, I had to edit it as follows to correct the logic:

if [[ "$eroutes" -eq "2" ]]
echo "OK - All 2 tunnels are up an running"
exit $STATE_OK
elif [[ "$eroutes" -gt "2" ]]
echo "WARNING - More than 2 ($eroutes) tunnels are up an running"
echo "CRITICAL - Only $eroutes tunnels from 2 are up an running - $(location)"

Besides this, I had to do the following to fetch the results via NRPE plugin remotely:

chown nagios /var/run/pluto/pluto.clt

Now I'm able to view the proper results over my NAGIOS monitoring console.

Hope this helps someone.

we want to use this script to remotely check VPN tunnels' status, executing this script with NRPE on an IPcop host.

But there is no command which in our IPcop v2.1.9, although has a locate addon. We therefore replaced "which " with the full paths of files in

Also, in the scripts function check_connection(), in the line:
eroutes=`$IPSECBIN whack --status | grep -e "IPsec SA established" | grep -e "$2" | wc -l`
we believe the $2 should actually read $1.

With these modifications, we were able to use the script locally:
$ /var/ipcop/addons/nrpe/plugins/ -c tunnelname
OK - tunnelname Connection is up and running

Sadly, the same check done remotely on the Nagios host, with that same commandline above defined for NRPE as command check_tunnelname, does return a different result:
/usr/local/nagios/libexec/check_nrpe -H ipcop-hostaddr -c check_tunnelname
CRITICAL - tunnelname Connection is down

This may only be a user rights problem, as the local test was done as root, but the nrpe service runs as user nagios. But there is no command su or sudo in our IPcop v2.1.9 (hence no /etc/sudoers), and we know of no suitable addon.
-- United Networking