
CLI Scripting to restart IPSec VPN

I'm consistently having issues with IPSec VPN not being able to reconnect. The VPN connects fine, runs for a while (can be days/weeks), then disconnects for whatever reason and won't reconnect. Simply restarting the other end (a Sonicwall router) does not fix things. It requires that I either shut down the other end and leave it off for a while (works sometimes) or that I restart the Sophos end (works all the time).

I've read other posts from users with a similar issue, and a couple pointed to the following series of CLI commands for restarting the VPN, which I want to put into a script and run periodically using cron:

cc get_objects ipsec_connection (to extract the "ref" of the object)
cc get_object REF_IpsSitxxxxx (to verify info - not sure if this is useful for the script but listing it here in case it is)
cc change_object REF_IpsSitxxxxx status 0
cc change_object REF_IpsSitxxxxx status 1

Problem now is that my already limited Linux scripting experience is with other versions, and I'm struggling to put together a script using Sophos's flavour of Linux.

Logic I want is as follows:

if ("ping -c 1 <remoteip> !=0" and "REF_IpsSitxxxxx is enabled") then

    cc change_object REF_IpsSitxxxxx status 0
    sleep 3
    cc change_object REF_IpsSitxxxxx status 1

endif

I know the following command returns 0 if the ping was successful at the command line:

ping -c 1 192.168.0.5 > /dev/null ; echo $?

So I think I have that part. Now what would the command be to know whether the VPN tunnel is enabled (I don't want to restart it if it has been disabled), as well as the IF THEN ELSE syntax I need to use (using if... fi returned an error)?

Any info would be appreciated

Added email notification and made things easier to customize and test (uncomment or delete as needed):

    #!/bin/sh
    #set -x
    DATUM=$(/bin/date +"%F %T")
    REMOTELANIP="192.168.0.5"
    EMAILTO="youremail@domain.com"
    EMAILVPNIDENTIFIER="RemoteVPN1"
    SCRIPTPATH="/home/login"
    # in a script the cc command must be replaced by /usr/local/bin/confd-client.plx
    CC="/usr/local/bin/confd-client.plx"
    # ref of the ipsec_connection object, taken from 'cc get_objects ipsec_connection'
    REF="REF_IpsSitJtVpn"
    MAILFILE="$SCRIPTPATH/VPNemail.txt"

    # notify SUBJECT BODY: write a minimal message with a Subject header and hand it to sendmail
    notify() {
         printf 'To: %s\nSubject: %s\n\n%s\n' "$EMAILTO" "$1" "$2" > "$MAILFILE"
         sendmail "$EMAILTO" < "$MAILFILE"
    }

    # one echo request to a host behind the tunnel; exit status 0 means it answered
    ping -c 1 "$REMOTELANIP" > /dev/null 2>&1; pingstatus=$?
    if [ "$pingstatus" -ne 0 ]; then
         # the object is administratively enabled when get_object prints a 'status' line carrying 1
         status=$("$CC" get_object "$REF" | grep "'status'" | grep 1)
         if [ -z "$status" ]; then
            echo "$DATUM - VPN down but not enabled so leaving things alone"
    #        notify "$EMAILVPNIDENTIFIER VPN down but disabled" "$DATUM - $EMAILVPNIDENTIFIER VPN down but not enabled so leaving things alone"
         else
            echo "$DATUM - VPN down but enabled so restarting VPN"
            # disable, pause, enable: the same toggle as the manual cc commands
            "$CC" change_object "$REF" status 0
            sleep 3
            "$CC" change_object "$REF" status 1

            notify "$EMAILVPNIDENTIFIER VPN restarted" "$DATUM - $EMAILVPNIDENTIFIER VPN down but enabled so restarting VPN"
         fi
    else
         echo "$DATUM - All good on VPN front"
    #     notify "$EMAILVPNIDENTIFIER VPN up" "$DATUM - All good on $EMAILVPNIDENTIFIER VPN front"
    fi
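The script above restarts the tunnel as soon as one echo request goes unanswered, and nothing stops two cron runs from overlapping. The following is an added example, not code from the thread or from Sophos, that keeps the same confd-client calls (get_object to read the 'status' line, change_object status 0 then 1) but adds a lock directory so runs cannot overlap and a failure counter so the tunnel is only bounced after several consecutive unreachable checks. REF_IpsSitxxxxx, the probe address, the state directory and the threshold are placeholders; the decision logic is a separate function so it can be exercised without a firewall. Log lines go to stderr, which cron mails along with stdout.

```shell
#!/bin/sh
# vpnwatch.sh - added example, not part of the original thread.
# Assumes the ref of the ipsec_connection object (REF_IpsSitxxxxx here) has been
# looked up with 'cc get_objects ipsec_connection' and that, as in the thread's
# script, get_object prints a line containing 'status' and 1 when it is enabled.

CC="${CC:-/usr/local/bin/confd-client.plx}"   # binary behind the 'cc' shell command
REF="${REF:-REF_IpsSitxxxxx}"                 # placeholder ipsec_connection ref
REMOTELANIP="${REMOTELANIP:-192.168.0.5}"     # host behind the tunnel to probe
THRESHOLD="${THRESHOLD:-3}"                   # unreachable runs in a row before a restart
STATEDIR="${STATEDIR:-/tmp}"                  # holds the counter and the lock
COUNTFILE="$STATEDIR/vpnwatch.$REF.failures"
LOCKDIR="$STATEDIR/vpnwatch.$REF.lock"

log() { echo "$(date '+%F %T') - $REF - $*" >&2; }

# Exit 0 when the object is administratively enabled.
tunnel_enabled() {
    "$CC" get_object "$REF" | grep "'status'" | grep -q 1
}

# Exit 0 when at least one of three echo requests is answered; one lost packet
# is not evidence that the tunnel is down.
peer_reachable() {
    ping -c 3 "$REMOTELANIP" >/dev/null 2>&1
}

# Increment the counter stored in file $1 and print the new value.
bump_failures() {
    n=0
    if [ -r "$1" ]; then read -r n < "$1"; fi
    n=$((n + 1))
    echo "$n" > "$1"
    echo "$n"
}

reset_failures() { rm -f "$1"; }

# Pure decision logic: decide_action REACHABLE ENABLED FAILURES THRESHOLD
# (REACHABLE and ENABLED are 0/1). Prints ok, disabled, wait or restart.
decide_action() {
    if [ "$1" -eq 1 ]; then echo ok
    elif [ "$2" -eq 0 ]; then echo disabled     # down on purpose: leave it alone
    elif [ "$3" -lt "$4" ]; then echo wait      # not enough consecutive failures yet
    else echo restart
    fi
}

# Same toggle the thread uses: disable, pause, enable.
restart_tunnel() {
    "$CC" change_object "$REF" status 0 && sleep 3 && "$CC" change_object "$REF" status 1
}

# One cron invocation; prints the action taken so a caller can check it.
run_check() {
    if ! mkdir "$LOCKDIR" 2>/dev/null; then
        log "previous run still active, skipping"; echo locked; return 0
    fi
    reachable=0; enabled=0; failures=0
    if peer_reachable; then
        reachable=1; reset_failures "$COUNTFILE"
    else
        if tunnel_enabled; then enabled=1; fi
        failures=$(bump_failures "$COUNTFILE")
    fi
    action=$(decide_action "$reachable" "$enabled" "$failures" "$THRESHOLD")
    case "$action" in
        restart)  log "peer unreachable $failures times and tunnel enabled: restarting"
                  restart_tunnel && reset_failures "$COUNTFILE" ;;
        wait)     log "peer unreachable ($failures/$THRESHOLD), waiting" ;;
        disabled) log "peer unreachable but tunnel disabled, leaving it alone"
                  reset_failures "$COUNTFILE" ;;
        ok)       log "peer reachable" ;;
    esac
    rmdir "$LOCKDIR"
    echo "$action"
}

# Only act when invoked with the 'check' argument, e.g. from cron every 5 minutes:
#   */5 * * * * /home/login/vpnwatch.sh check
case "${1:-}" in check) run_check ;; esac
```

With THRESHOLD=3 and a five-minute cron interval, a restart happens after ten to fifteen minutes of unreachability rather than on the first lost packet, and the lock directory guarantees that a slow confd-client call cannot be overtaken by the next cron run and bounce the tunnel twice.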