Hi All,
Please forgive me if I have re-invented the wheel! But I have been looking for a Script that would monitor an IPSec tunnel and if it couldn't reach the endpoint it would force the tunnel to restart, unfortunately I couldn't find any script to do quite what i wanted, so I borrowed some peoples code from other scripts and had a go myself, the below is what I have come up with constructive comments are welcome but please remember that this is the first script I have ever written.
{
:log info "IPSec Watchdog Started"
##### The host you want to ping######
:local HOST "Type IP Here"
##### Location of host########
:local LOCATION "Name of location"
##### Interface to Remote Network#######
:local GW "interface with route to host"
#### Ping Time out Increase or decrease as Required #####
:local TIMEOUT "100ms"
#### How Many try's ######
:local COUNT "10"
### If less than 8 successful reply's Restart IPSec#####
:local LESSTHAN "8"
##################################DONT EDIT BELOW###################################
:log info "Looking for $HOST at $LOCATION"
:log info "Route to IPSec endpoint in $LOCATION is via $GW"
:if ([/ping interface=$GW $HOST interval=$TIMEOUT count=$COUNT]<$LESSTHAN) \
do={log error "$HOST at $LOCATION is unreachable Tunnel to $LOCATION is Down Forcing IPSec Restart"; /ip ipsec installed-sa flush} \
else {:log warning "IPSec Tunnel to $LOCATION is OK Nothing to do"}
}
Re: IPSec Monitoring Script
explore it: /tool netwatch
/p
/p
Re: IPSec Monitoring Script
I have this, I know I need to improve, but it works for me.
/system script
add name=ping-ipsec owner=admin policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive source="{\r\
\n:if ([/ping 10.1.1.1 src-address=172.16.1.1 count=5] = 0) do={ \r\
\n:log warning \"VPN DOWN\";\r\
\n/ip ipsec peer disable 0;\r\
\n/ip ipsec remote-peers kill-connections;\r\
\n/ip ipsec installed-sa flush;\r\
\n:delay 200;\r\
\n/ip ipsec peer enable 0;\r\
\n/ip cloud force-update;\r\
\n:delay 15;\r\
\n/ping 10.1.1.1 src-address=172.16.1.1 count=5;\r\
\n} else={\r\
\n:log warning \"VPN UP\";\r\
\n/ip cloud force-update;\r\
\n}\r\
\n}\r\
\n"
/system scheduler
add interval=10m name=schedule1 on-event=ping-ipsec policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive start-date=\
sep/27/2015 start-time=12:50:36
/system script
add name=ping-ipsec owner=admin policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive source="{\r\
\n:if ([/ping 10.1.1.1 src-address=172.16.1.1 count=5] = 0) do={ \r\
\n:log warning \"VPN DOWN\";\r\
\n/ip ipsec peer disable 0;\r\
\n/ip ipsec remote-peers kill-connections;\r\
\n/ip ipsec installed-sa flush;\r\
\n:delay 200;\r\
\n/ip ipsec peer enable 0;\r\
\n/ip cloud force-update;\r\
\n:delay 15;\r\
\n/ping 10.1.1.1 src-address=172.16.1.1 count=5;\r\
\n} else={\r\
\n:log warning \"VPN UP\";\r\
\n/ip cloud force-update;\r\
\n}\r\
\n}\r\
\n"
/system scheduler
add interval=10m name=schedule1 on-event=ping-ipsec policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive start-date=\
sep/27/2015 start-time=12:50:36
Re: IPSec Monitoring Script
@martking
Your script is quite useful, thanks for sharing
@panisk0
Netwatch doesn't work on IPsec VPN's - at least not for me - you need to be able to specify the interface - and with Netwatch you can't
Your script is quite useful, thanks for sharing
@panisk0
Netwatch doesn't work on IPsec VPN's - at least not for me - you need to be able to specify the interface - and with Netwatch you can't
Re: IPSec Monitoring Script
Thanks, this is exactly what I needed,
and its working on current release - model: RouterBOARD M33G - firmware: 6.43.1
and its working on current release - model: RouterBOARD M33G - firmware: 6.43.1
Re: IPSec Monitoring Script
Glad the script was of use to you both, the other good thing about the script, is generates interesting traffic to Start/Keep tunnels alive
Re: IPSec Monitoring Script
Just i'm willing to know more dip what this script does.
Like you have mentioned " if it couldn't reach the endpoint it would force the tunnel to restart".
My quastion will be what exactly will restart? Because in IPsec you got features DPD, wich means:
"One the DPD interval has met the Max Failures, it will clear out the SAs to this host and attemt to establish a new SA."
Like you have mentioned " if it couldn't reach the endpoint it would force the tunnel to restart".
My quastion will be what exactly will restart? Because in IPsec you got features DPD, wich means:
"One the DPD interval has met the Max Failures, it will clear out the SAs to this host and attemt to establish a new SA."
Re: IPSec Monitoring Script
Using NordVPN on my Mikrotik router I came across with the same issue - when IPsec tunnel occasionally stucks.
Thanks to all who posted scripts in this thread, it was a good start which helped me to begin learning Mikrotik scripting language.
I added a little dynamics thing in my version of script, perhaps it will help to somebody as well:
Thanks to all who posted scripts in this thread, it was a good start which helped me to begin learning Mikrotik scripting language.
I added a little dynamics thing in my version of script, perhaps it will help to somebody as well:
Code: Select all
#get IPsec src-address from IPsec policies:
:local IPsecSrcIP [/ip/ipsec/policy get [find where tunnel=yes] src-address]
#remove netmask:
:set IPsecSrcIP [:pick $IPsecSrcIP 0 [:find $IPsecSrcIP "/"]]
#:log info "IPSec tunnel check: Pinging 8.8.8.8 via $IPsecSrcIP"
if ([/ping 8.8.8.8 src-address=$IPsecSrcIP count=5]=0) do={
:log warning "IPSec tunnel check: Ping to 8.8.8.8 via $IPsecSrcIP failed. VPN is down, Killing konnections"
:local enabledpeers [/ip/ipsec/peer find where disabled=no]
:foreach k,v in=$enabledpeers do={
/ip/ipsec/peer disable $v
}
/ip/ipsec/active-peers/ kill-connections
/ip/ipsec/installed-sa/ flush
:foreach k,v in=$enabledpeers do={
/ip/ipsec/peer enable $v
}
} else={
#:log info "IPSec tunnel check: Ping OK"
}
Last edited by yushko on Tue Feb 07, 2023 4:56 pm, edited 1 time in total.
Re: IPSec Monitoring Script
Can someone show me how to modify the script to use the source device lan interface IP address?
Re: IPSec Monitoring Script
I have used the following script. I want to source from my inside (LAN) interface. I keep getting an error
invalid value for argument src-address:
invalid value for argument ip-src-address
invalid value for argument ip6-src-address
invalid value for argument src-address:
invalid value for argument ip-src-address
invalid value for argument ip6-src-address
Code: Select all
#get IPsec src-address from IPsec policies:
:local IPsecSrcIP [/ip ipsec policy get [find where tunnel =yes ] src-address]
#remove netmask:
:set value=IPsecSrcIP [:pick $IPsecSrcIP 0 [:find $IPsecSrcIP "/"]]
:log info "IPSec tunnel check: Pinging 192.168.100.1 via $IPsecSrcIP"
if ([/ping 192.168.100.1 src-address=$IPsecSrcIP count=5]=0) do={
:log warning "IPSec tunnel check: Ping to 192.168.100.1 via $IPsecSrcIP failed. VPN is down, Killing konnections"
:local enabledpeers [ip ipsec peer find where disabled=no]
:foreach k,v in=$enabledpeers do={
ip ipsec peer disable $v
}
ip ipsec active-peers kill-connections
ip ipsec installed-sa flush
:foreach k,v in=$enabledpeers do={
ip ipsec peer enable $v
}
} else={
#:log info "IPSec tunnel check: Ping OK"
}
Re: IPSec Monitoring Script
First of all, fix all error you have introduced on the script, like the space here: "tunnel =yes", second, the script is v7 and you try to use it on v6.