I'm consistently having issues with an IPSec VPN not being able to reconnect. The VPN connects fine, runs for a while (can be days/a week), then disconnects for whatever reason and won't reconnect. Simply restarting the other end (a Sonicwall router) does not fix things. It requires that I either shut down the other end and leave it off for a while (works sometimes) or that I restart the Sophos end (works all the time).
I've read other posts of users with similar issue and a couple pointed to the following series of CLI commands for restarting the VPN, which I want to put into a script and run periodically using cron:
cc get_objects ipsec_connection (to extract the "ref" object)
cc get_object REF_IpsSitxxxxx (to verify info - not sure if this is useful for the script but listing it here in case it is)
cc change_object REF_IpsSitxxxxx status 0
cc change_object REF_IpsSitxxxxx status 1
The problem now is that my already limited Linux scripting experience is with other versions and I'm struggling to put together a script using the Sophos flavour of Linux.
Logic I want is as follows:
if ("ping -c 1 <remoteip> !=0" and "REF_IpsSitxxxxx is enabled") then
cc change_object REF_IpsSitxxxxx status 0
sleep 3
cc change_object REF_IpsSitxxxxx status 1
endif
I know the following command returns 0 if ping was successful at the command line:
ping -c 1 192.168.0.5 > /dev/null ; echo $?
So I think I have that part. Now, what would the command be to know if the VPN tunnel is enabled (I don't want to restart it if it's been disabled), as well as the IF THEN ELSE syntax I need to use (using if... fi returned an error)?
Any info would be appreciated
Using brute-force trial and error I wrote the following script. Every line works as expected outside the script at the command line, but the cc command is not recognized when I run the script. I get "cc: command not found" each time it's called.
#!/bin/sh
ping -c 1 192.168.0.5 > /dev/null; pingstatus=$?
if [ $pingstatus != 0 ]; then
    status=$(cc get_objects ipsec_connection site_to_site | grep \'status | grep 1)
    if [ -z "$status" ]; then
        echo "Restarting VPN"
        cc change_object REF_IpsSitJtVpn status 0
        sleep 3
        cc change_object REF_IpsSitJtVpn status 1
    else
        echo "VPN not enabled"
    fi
else
    echo "all good on VPN front"
fi
Is the cc command only for an interactive CLI session? Do I need to use a different shell or special syntax in order to be able to run it within a script?
Great contribution, Jean!
Years ago, from former Astaro developer Ulrich Weber, I learned that, in a script, you must replace cc with:
/usr/local/bin/confd-client.plx
Cheers - Bob
That works! Thanks.
*edited to correct a mistake explained further below.*
Note that the script is only good for a single VPN being active. I wasn't able to extract the status of the actual "REF_IpsSitJtVpn" VPN specifically. It's simply not provided at that level. It's only provided as part of the dump of all VPNs from the "cc get_objects ipsec_connection site_to_site" command.
Right now I don't need more but if there's a way to get the status of a specific VPN I'd like to know for future reference - and it might help others.
I updated the script. I had the logic reversed for if [ -z "$status" ], and I added a date stamp because I output to a log file when running through cron, for history.
*code edited to fix an issue explained further down*
#!/bin/sh
# cc command must be replaced by /usr/local/bin/confd-client.plx
#set -x
DATUM=$(/bin/date +"%F %T")
ping -c 1 192.168.0.5 > /dev/null; pingstatus=$?
if [ $pingstatus != 0 ]; then
    status=$(/usr/local/bin/confd-client.plx get_object REF_IpsSitJtVpn | grep \'status | grep 1)
    if [ -z "$status" ]; then
        echo "$DATUM - VPN down but not enabled so leaving things alone"
    else
        echo "$DATUM - VPN down but enabled so restarting VPN"
        state=$(/usr/local/bin/confd-client.plx change_object REF_IpsSitJtVpn status 0)
        sleep 3
        state=$(/usr/local/bin/confd-client.plx change_object REF_IpsSitJtVpn status 1)
    fi
else
    echo "$DATUM - All good on VPN front"
fi
I added the following to /etc/crontab-static:
*/10 * * * * root /home/login/VPNCheckscript.sh >>/home/login/VPNChecklog.txt
Then I set WebAdmin->Up2Date to "manual" and then back to "automatic" so the crontab gets reloaded with the new row above.
In the script, to do this for a specific VPN, replace
get_objects ipsec_connection site_to_site
with
get_object REF_IpsSitJtVpn
Cheers - Bob
Yeah, I would have thought that would have worked too, but it didn't because it doesn't return a status (unless one of the other fields secretly means status):
{
  'autoname' => 0,
  'class' => 'ipsec',
  'data' => {
    'authentication' => 'REF_IpsPskThibworlds',
    'comment' => '',
    'ecn' => 0,
    'host' => 'REF_NetDnsJtWanAddr',
    'name' => 'JTHQ',
    'networks' => [
      'REF_NetNetJtLan'
    ],
    'pmtu_discovery' => 0,
    'xauth' => 0,
    'xauth_password' => '',
    'xauth_username' => ''
  },
  'hidden' => 0,
  'lock' => '',
  'nodel' => '',
  'ref' => 'REF_IpsRemJthq',
  'type' => 'remote_gateway'
}
Jean, you used REF_IpsRemJthq, the object for the Remote Gateway, instead of the REF_ for the IPsec Connection, REF_IpsSitJtVpn.
Cheers - Bob
I would like to send an email when the VPN is restarted but am not finding much about sending email via the CLI. Only closed, unanswered posts and one about mutt, which doesn't seem to be installed. I'm referring to using home editions, so I'm not worried about support I'm not getting anyway.
Here's the mutt post, FWIW, https://community.sophos.com/community-chat/f/discussions/5573/howto-submit-virus-sample-via-cli-script
Would it be relatively safe to just go ahead and install it? Would I need to re-install it after every system update?
Wow, bring up email and the crickets are deafening... but I figured it out:
sendmail youremail@yourdomain.com < emailmessagefile.txt
Why is everyone so secretive about this? (Posts about this actually say that anyone associated with Sophos can't talk about it.)
It doesn't cost anything and uses the GUI-configured SMTP server used for all system emails.
I added email notification and made things easier to customize and test (uncomment or delete as needed):
#!/bin/sh
#set -x
DATUM=$(/bin/date +"%F %T")
REMOTELANIP="192.168.0.5"
EMAILTO="youremail@domain.com"
EMAILVPNIDENTIFIER="RemoteVPN1"
SCRIPTPATH="/home/login"
# cc command must be replaced by /usr/local/bin/confd-client.plx
CC="/usr/local/bin/confd-client.plx"
ping -c 1 $REMOTELANIP > /dev/null; pingstatus=$?
if [ $pingstatus != 0 ]; then
    status=$($CC get_object REF_IpsSitJtVpn | grep \'status | grep 1)
    if [ -z "$status" ]; then
        echo "$DATUM - VPN down but not enabled so leaving things alone"
        # echo "$DATUM - $EMAILVPNIDENTIFIER VPN down but not enabled so leaving things alone" > $SCRIPTPATH/VPNemail.txt
        # sendmail $EMAILTO < $SCRIPTPATH/VPNemail.txt
    else
        echo "$DATUM - VPN down but enabled so restarting VPN"
        state=$($CC change_object REF_IpsSitJtVpn status 0)
        sleep 3
        state=$($CC change_object REF_IpsSitJtVpn status 1)
        echo "$DATUM - $EMAILVPNIDENTIFIER VPN down but enabled so restarting VPN" > $SCRIPTPATH/VPNemail.txt
        sendmail $EMAILTO < $SCRIPTPATH/VPNemail.txt
    fi
else
    echo "$DATUM - All good on VPN front"
    # echo "$DATUM - All good on $EMAILVPNIDENTIFIER VPN front" > $SCRIPTPATH/VPNemail.txt
    # sendmail $EMAILTO < $SCRIPTPATH/VPNemail.txt
fi
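As an added example (not Jean's or Bob's script), here is a POSIX sh approach to the two questions the thread leaves open: reading the status of one specific connection out of a dump that contains several, and only bouncing a tunnel the script can positively identify as enabled. The dump below is constructed to mirror the shape quoted above; that "get_objects ipsec_connection site_to_site" prints a sequence of such { ... } blocks with top-level 'ref' and 'status' keys is my assumption, not something the thread confirms.

```shell
#!/bin/sh
# CONSTRUCTED sample, shaped like the confd-client.plx dump quoted in the thread.
# In real use this would come from: $CC get_objects ipsec_connection site_to_site
SAMPLE_DUMP="{
  'class' => 'ipsec',
  'data' => { 'name' => 'JTHQ' },
  'ref' => 'REF_IpsSitJtVpn',
  'status' => 1,
  'type' => 'site_to_site'
}
{
  'class' => 'ipsec',
  'data' => { 'name' => 'Branch2' },
  'ref' => 'REF_IpsSitOther',
  'status' => 0,
  'type' => 'site_to_site'
}"

# vpn_status DUMP REF -> prints that connection's status (0/1), nothing if absent.
# Keys are matched exactly, so a stray "1" elsewhere in the dump cannot be
# mistaken for "enabled" the way a bare "grep 1" could be.
vpn_status() {
    printf '%s\n' "$1" | awk -v want="$2" -v q="'" '
        $0 ~ ("^ *" q "ref" q " *=>")    { ref = $0; sub(".*=> *" q, "", ref); sub(q ".*", "", ref) }
        $0 ~ ("^ *" q "status" q " *=>") { st = $0; sub(".*=> *", "", st); sub("[^0-9].*", "", st) }
        $0 ~ "^}"                        { if (ref == want) print st; ref = ""; st = "" }'
}

# decide PING_RC STATUS -> ok | restart | leave | unknown
# A connection whose status cannot be read is never restarted blindly.
decide() {
    if [ "$1" -eq 0 ]; then echo ok
    elif [ "$2" = "1" ]; then echo restart
    elif [ "$2" = "0" ]; then echo leave
    else echo unknown
    fi
}

# Stand-alone demo: pretend the ping failed (rc 1) for three refs.
for ref in REF_IpsSitJtVpn REF_IpsSitOther REF_IpsSitMissing; do
    echo "$ref: $(decide 1 "$(vpn_status "$SAMPLE_DUMP" "$ref")")"
done
```

Only the "restart" outcome should lead to the change_object status 0 / sleep / status 1 sequence from the scripts above; "leave" is the disabled-on-purpose case and "unknown" means the ref was not in the dump.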