
CLI Scripting to restart IPSec VPN

I'm consistently having issues with IPSec VPN not being able to reconnect. The VPN connects fine, runs for a while (can be days/weeks), then disconnects for whatever reason and won't reconnect. Simply restarting the other end (a Sonicwall router) does not fix things. It requires that I either shut down the other end and leave it off for a while (works sometimes) or that I restart the Sophos end (works all the time).

I've read other posts of users with similar issue and a couple pointed to the following series of CLI commands for restarting the VPN, which I want to put into a script and run periodically using cron:

cc get_objects ipsec_connection (to extract the "ref" object)
cc get_object REF_IpsSitxxxxx (to verify info - not sure if this is useful for script but listing here in case it is)
cc change_object REF_IpsSitxxxxx status 0
cc change_object REF_IpsSitxxxxx status 1

Problem now is that my already limited Linux scripting experience is with other distributions and I'm struggling to put together a script using Sophos' flavour of Linux.

Logic I want is as follows:

if ("ping -c 1 <remoteip> !=0" and "REF_IpsSitxxxxx is enabled") then

    cc change_object REF_IpsSitxxxxx status 0
    sleep 3
    cc change_object REF_IpsSitxxxxx status 1

endif

I know the following command returns 0 if ping was successful at the command line:

ping -c 1 192.168.0.5 > /dev/null ; echo $?

So I think I have that part. Now, what would the command be to know if the VPN tunnel is enabled (I don't want to restart it if it's been disabled), as well as the IF THEN ELSE syntax I need to use (using if... fi returned an error)?

Any info would be appreciated



  • Using brute-force trial and error I wrote the following script. Every line works as expected outside the script at the command line, but the cc command is not recognized when I run the script. I get "cc: command not found" each time it's called.

    #!/bin/sh
    # /dev/null, not /dev/nul: the latter silently creates a regular file named "nul"
    ping -c 1 192.168.0.5 > /dev/null; pingstatus=$?
    if [ "$pingstatus" != 0 ]; then
         status=$(cc get_objects ipsec_connection site_to_site |grep \'status | grep 1)
         if [ -z "$status" ]; then
            echo "Restarting VPN"
            cc change_object REF_IpsSitJtVpn status 0
            sleep 3
            cc change_object REF_IpsSitJtVpn status 1
         else
            echo "VPN not enabled"
         fi
    else
         echo "all good on VPN front"
    fi

    Is the cc command only for an interactive CLI session? Do I need to use a different shell or special syntax in order to be able to run it within a script? 

  • Great contribution, Jean!

    Years ago, from former Astaro developer Ulrich Weber, I learned that, in a script, you must replace cc with:

        /usr/local/bin/confd-client.plx

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • That works! Thanks.

    *edited to correct a mistake explained further below.*

    Note that the script is only good for a single VPN being active. I wasn't able to extract the status of the actual "REF_IpsSitJtVpn" VPN specifically. It's simply not provided at that level. It's only provided as part of the dump of all VPNs from the "cc get_objects ipsec_connection site_to_site" command.

    Right now I don't need more but if there's a way to get the status of a specific VPN I'd like to know for future reference - and it might help others.


  • I updated the script. I had the logic reversed for if [ -z "$status" ], and I added a date stamp because I output to a log file when running through cron, for history.

    *code edited to fix an issue explained further down*

    #!/bin/sh
    # cc command must be replaced by /usr/local/bin/confd-client.plx
    #set -x
    DATUM=$(/bin/date +"%F %T")
    # /dev/null, not /dev/nul: the latter silently creates a regular file named "nul"
    ping -c 1 192.168.0.5 > /dev/null; pingstatus=$?
    if [ "$pingstatus" != 0 ]; then
         status=$(/usr/local/bin/confd-client.plx get_object REF_IpsSitJtVpn |grep \'status | grep 1)
         if [ -z "$status" ]; then
            echo "$DATUM - VPN down but not enabled so leaving things alone"
         else
            echo "$DATUM - VPN down but enabled so restarting VPN"
            state=$(/usr/local/bin/confd-client.plx change_object REF_IpsSitJtVpn status 0)
            sleep 3
            state=$(/usr/local/bin/confd-client.plx change_object REF_IpsSitJtVpn status 1)
         fi
    else
         echo "$DATUM - All good on VPN front"
    fi

    Added the following to /etc/crontab-static:

    */10 * * * * root /home/login/VPNCheckscript.sh >>/home/login/VPNChecklog.txt

    Then I set WebAdmin->Up2Date to "manual" and back to automatic so crontab gets reloaded with the new row above.
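    Pulling the pieces of this thread together, here is an added example of the same check-and-bounce script with the details tightened. It is my code, not a script posted by Jean or Bob and not anything shipped by Sophos. It takes from the thread the connection object REF_IpsSitJtVpn, the peer 192.168.0.5, the need to call cc as /usr/local/bin/confd-client.plx, and the observation that get_object prints a Perl Data::Dumper structure containing a line like 'status' => 1. The lock path, the ping timeout and the function split are my own choices; the decision logic and the status parser are separate functions so they can be exercised on a box that has no confd at all.

```shell
#!/bin/sh
# Added example, not the script from the thread. Assumed from the thread:
# connection object REF_IpsSitJtVpn, peer 192.168.0.5, cc invoked as
# /usr/local/bin/confd-client.plx, and get_object output containing a
# Data::Dumper line such as "'status' => 1,". The lock path is my choice.

CC=/usr/local/bin/confd-client.plx
VPN_REF=REF_IpsSitJtVpn
PEER=192.168.0.5
LOCK=/tmp/vpncheck.lock

# Read a get_object dump on stdin and succeed only when the object's own
# 'status' field is exactly 1. Anchoring on the whole key/value line is
# stricter than two loose greps for "'status" and "1".
vpn_enabled() {
    grep -Eq "^[[:space:]]*'status' => 1,?[[:space:]]*$"
}

# Pure decision function so the logic can be tested without a UTM.
# $1 = ping exit status, $2 = yes|no (connection enabled). Prints ok|skip|restart.
decide() {
    if [ "$1" -eq 0 ]; then
        echo ok
    elif [ "$2" = yes ]; then
        echo restart
    else
        echo skip
    fi
}

# -W 2: give up after 2 s so a hung ping cannot stall the cron run.
peer_reachable() {
    ping -c 1 -W 2 "$PEER" >/dev/null 2>&1
}

# Disable, pause, re-enable; stop early and report if the first change fails.
bounce_vpn() {
    "$CC" change_object "$VPN_REF" status 0 >/dev/null || return 1
    sleep 3
    "$CC" change_object "$VPN_REF" status 1 >/dev/null
}

main() {
    stamp=$(date +"%F %T")
    # mkdir is atomic, so two overlapping cron runs cannot both bounce the tunnel.
    if ! mkdir "$LOCK" 2>/dev/null; then
        echo "$stamp - previous run still active, skipping"
        return 0
    fi
    trap 'rmdir "$LOCK"' EXIT

    if peer_reachable; then pingstatus=0; else pingstatus=1; fi
    if "$CC" get_object "$VPN_REF" | vpn_enabled; then enabled=yes; else enabled=no; fi

    case $(decide "$pingstatus" "$enabled") in
        ok)      echo "$stamp - peer $PEER reachable, VPN fine" ;;
        skip)    echo "$stamp - peer $PEER down but $VPN_REF is disabled, leaving it alone" ;;
        restart) echo "$stamp - peer $PEER down and $VPN_REF enabled, restarting"
                 bounce_vpn || echo "$stamp - ERROR: change_object failed, check confd" ;;
    esac
}

# Only act on a real UTM; elsewhere the functions can be sourced and tested.
if [ -x "$CC" ]; then
    main
fi
```

    Drop it in place of VPNCheckscript.sh in the crontab-static line above; the output format is the same one-line-per-run log. The lock directory matters once the interval is short: a bounce takes several seconds and a slow confd call could otherwise overlap the next run and double-toggle the connection.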

  • In the script, to do this for a specific VPN, replace

         get_objects ipsec_connection site_to_site

    with

         get_object REF_IpsSitJtVpn

    Cheers - Bob

  • Yeah, I would have thought that would have worked too, but it didn't because it doesn't return a status (unless one of the other fields secretly means status):

    {
      'autoname' => 0,
      'class' => 'ipsec',
      'data' => {
        'authentication' => 'REF_IpsPskThibworlds',
        'comment' => '',
        'ecn' => 0,
        'host' => 'REF_NetDnsJtWanAddr',
        'name' => 'JTHQ',
        'networks' => [
          'REF_NetNetJtLan'
        ],
        'pmtu_discovery' => 0,
        'xauth' => 0,
        'xauth_password' => '',
        'xauth_username' => ''
      },
      'hidden' => 0,
      'lock' => '',
      'nodel' => '',
      'ref' => 'REF_IpsRemJthq',
      'type' => 'remote_gateway'
    }

  • Jean, you used REF_IpsRemJthq, the object for the Remote Gateway, instead of the REF_ for the IPsec Connection, REF_IpsSitJtVpn.

    Cheers - Bob

  • You're right. I had it wrong in my notes. No wonder it didn't quite make sense. I'll edit the post above to put in the proper get_object command.

  • Would like to send an email when the VPN is restarted but am not finding much about sending email via CLI. Only closed, unanswered posts and one about mutt, which doesn't seem to be installed. I'm referring to using home editions, so not worried about support I'm not getting anyway.

    Here's the mutt post, FWIW, https://community.sophos.com/community-chat/f/discussions/5573/howto-submit-virus-sample-via-cli-script

    Would it be relatively safe to just go ahead and install it? Would I need to re-install it after every system update?

  • wow, bring up email and the crickets are deafening... but I figured it out: 

    sendmail youremail@yourdomain.com < emailmessagefile.txt

    why is everyone so secretive about this? (posts about this actually say that anyone associated with Sophos can't talk about this)

    It doesn't cost anything and uses the GUI configured smtp server used for all system emails.
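    As an added example of the sendmail approach from the post above (my code, not from the thread or from Sophos): sendmail only does the right thing when the file it reads is a complete message, i.e. header lines, one blank line, then the body. Without that blank line the body is parsed as more headers and the mail arrives empty. The recipient address is a placeholder; the subject text reuses the connection name from this thread. The example builds the message in a function that can be checked on any box and only hands it to sendmail when an address is passed on the command line.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes the UTM's sendmail is on PATH (as the
# post above uses it) and relays via the SMTP server configured in WebAdmin.
# Recipient address below is a placeholder to replace.

# Print a complete message: headers, one empty line, then the body.
# $1 = recipient, $2 = subject, $3 = body text
build_alert() {
    printf 'To: %s\nSubject: %s\nContent-Type: text/plain; charset=UTF-8\n\n%s\n' \
        "$1" "$2" "$3"
}

# Hand the message to the local MTA exactly as the thread does: address as an
# argument, message on stdin. Non-zero exit means sendmail refused it; cron's
# log line will show that rather than a silently lost notification.
send_alert() {
    build_alert "$1" "$2" "$3" | sendmail "$1"
}

# Usage from the restart branch of the check script:
#   sh vpnalert.sh admin@example.com
if [ -n "${1:-}" ]; then
    send_alert "$1" "UTM: IPsec REF_IpsSitJtVpn restarted" \
        "$(date +'%F %T') peer 192.168.0.5 unreachable; connection bounced"
fi
```

    In the check script the call goes right after the second change_object, so a restart that happens at 3 a.m. is in the inbox rather than only in VPNChecklog.txt.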