OPNsense Forum

English Forums => Virtual private networks => Topic started by: blacknote on October 07, 2024, 11:51:04 PM

Title: IPSEC CLIENT FAILOVER if no trafic source
Post by: blacknote on October 07, 2024, 11:51:04 PM
IPSEC CLIENT FAILOVER MANAGEMENT


This script has been built from different intel sources, with some adjustments added.
It isn't perfect and might be unfinished for some use cases.

Context:
- IPSEC in client mode
- working upon a CARP interface, it isn't capable of switching over when the firewalls are in master/backup mode
- if no traffic is coming from it.
- When the MASTER fails, the tunnel on the BACKUP stands down, while it has previously given up after staying without any response.
These configuration components can make it work:
- if you have no traffic source from the client
- if you don't want to create special rules coming from the client
If you want to improve it, welcome.
If I'm mistaken, you're welcome to share.
I've been testing it tonight and it works in the usual case for the specified WAN interface and its VHID status.


I'm now looking for a way to send parameters from the cron job to the action module and then pass them to the script (which is not described here).
The variables are:
CONN="con#" > connection ID
VHID="vhid ###" > VHID ID


- IPSEC TUNNEL MODE CLIENT + IF CARP VIP

- SCRIPT + ACTION + CRON


SCRIPT

root@fw-slave:/usr/local/opnsense/service/conf/actions.d # cat /home/admin/script-monit/script-monit-carp-wan-ipsec.sh
#!/bin/sh
# Test a CARP VHID and act on IPsec according to its state

CONN="con#"
VHID="vhid ###"

# Derive the CARP state of the VHID from ifconfig; DISABLED means the VHID exists
# but is neither MASTER, BACKUP nor INIT. If the VHID is absent, carp_state stays empty.
ifconfig -a | grep 'carp:' | grep -e "$VHID" > /dev/null
if [ $? = 0 ]; then carp_state="DISABLED" ; fi
ifconfig -a | grep 'carp:' | grep -e "$VHID" | grep BACKUP > /dev/null
if [ $? = 0 ]; then carp_state="BACKUP" ; fi
ifconfig -a | grep 'carp:' | grep -e "$VHID" | grep MASTER > /dev/null
if [ $? = 0 ]; then carp_state="MASTER" ; fi
ifconfig -a | grep 'carp:' | grep -e "$VHID" | grep INIT > /dev/null
if [ $? = 0 ]; then carp_state="INIT" ; fi

echo "$carp_state"

#exit

IPV4_REGEX="(([0-9][0-9]?|[0-1][0-9][0-9]|[2][0-4][0-9]|[2][5][0-5])\.){3}([0-9][0-9]?|[0-1][0-9][0-9]|[2][0-4][0-9]|[2][5][0-5])"



# Quoted, POSIX "=" comparisons: "==" is not portable in /bin/sh and an
# unquoted empty carp_state would break the test
if [ "$carp_state" = "BACKUP" ]; then ipsec down "$CONN" ; fi
if [ "$carp_state" = "INIT" ]; then ipsec down "$CONN" ; fi

if [ "$carp_state" = "MASTER" ]; then
        #check if tunnel exists
        ipsec statusall 2>&1 | grep -e "$CONN" > /dev/null 2>&1
        #Save the returned status code
        tmp=$?
        #If tunnel exists
        if [ $tmp -eq 0 ]; then
                #an SA that is up shows a "rekeying in ..." line in statusall
                ipsec statusall | grep -e "$CONN" | grep -i "rekeying" > /dev/null 2>&1
                if [ $? -eq 0 ]; then
                        ipsec statusall | grep -e "$CONN" | grep -v "rekeying" | grep -E "$IPV4_REGEX" > /dev/null 2>&1

                        #If tunnel is up and match IP REGEX
                        if [ $? -eq 0 ]; then
                                echo "Tunnel $CONN looks ok"
                                tunnel=0
                        fi
                else
                        echo "Tunnel $CONN not ESTABLISHED"
                        tunnel=1
                        #restart the connection named in CONN (was hardcoded to con1);
                        #sleep, not wait, pauses between down and up
                        ipsec down "$CONN"
                        sleep 5
                        ipsec up "$CONN"
                fi
        else
                echo "Tunnel $CONN does not EXIST"
                tunnel=2
                /usr/local/sbin/configctl ipsec start

        fi
        echo "$tunnel"

fi



ACTION

root@fw-slave:/usr/local/opnsense/service/conf/actions.d # cat actions_ipsecfailover.conf

[check]
command:/home/admin/script-monit/script-monit-carp-wan-ipsec.sh
parameters:
type:script_output
message:Ipsec check and reload status and CARP
description: mon_failover_ipsec_carp


service configd restart
configctl ipsecfailover check


CRON

Just select the action.
I made it work every */5 minutes.
It does the trick during failover.


Now looking for something similar for the OpenVPN client tunnel, which could fail for some reason after a few tries. Then the process is stopped and the machine is lost.

Regards all,

James.
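The same CARP-to-IPsec decision as the script above, rewritten as an added example (not the forum author's script and not OPNsense's own code) so the logic can be exercised offline: each function takes its input as text instead of calling ifconfig or ipsec directly. Both the ifconfig block and the "ipsec statusall" block below are constructed samples that mimic FreeBSD and strongSwan output; the connection names con1/con10 and the VHIDs are placeholders. Two checks the original grep pipeline does not make are included: the VHID number is anchored so "vhid 1" cannot match "vhid 10", and SA lines are matched on "con1[" / "con1{" so con1 cannot match con10.

```shell
#!/bin/sh
# Added example: CARP state -> IPsec action, driven by text input so it runs
# without a firewall. Sample output below is constructed, not captured.

SAMPLE_IFCONFIG='vtnet0: flags=8943<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 192.0.2.10 netmask 0xffffff00 broadcast 192.0.2.255
        inet 192.0.2.1 netmask 0xffffff00 broadcast 192.0.2.255 vhid 1
        carp: MASTER vhid 1 advbase 1 advskew 0
vtnet1: flags=8943<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 198.51.100.1 netmask 0xffffff00 broadcast 198.51.100.255 vhid 10
        carp: BACKUP vhid 10 advbase 1 advskew 100'

SAMPLE_STATUSALL='Security Associations (1 up, 1 connecting):
        con1[3]: ESTABLISHED 12 minutes ago, 192.0.2.1[192.0.2.1]...203.0.113.5[203.0.113.5]
        con1[3]: IKEv2 SPIs: 0123456789abcdef_i* fedcba9876543210_r, rekeying in 2 hours
        con1{5}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c0000001_i c0000002_o
        con1{5}:   10.0.0.0/24 === 10.1.0.0/24
        con10[1]: CONNECTING, 192.0.2.1[%any]...203.0.113.9[%any]'

# carp_state <vhid number> <ifconfig text>
# Prints MASTER, BACKUP or INIT for that VHID, or DISABLED if it has no carp line.
carp_state() {
    vhid="$1"
    # Anchor the number: a bare "vhid 1" pattern would also match "vhid 10".
    line=$(printf '%s\n' "$2" | grep 'carp:' | grep -E "vhid ${vhid}( |\$)" || true)
    [ -n "$line" ] || { echo DISABLED; return 0; }
    case "$line" in
        *MASTER*) echo MASTER ;;
        *BACKUP*) echo BACKUP ;;
        *INIT*)   echo INIT ;;
        *)        echo DISABLED ;;
    esac
}

# tunnel_status <conn name> <statusall text>
# Prints ok (IKE_SA established), down (known but not established) or missing.
tunnel_status() {
    conn="$1"
    # SA lines look like "con1[3]:" or "con1{5}:"; the bracket stops con1 matching con10.
    lines=$(printf '%s\n' "$2" | grep -E "^[[:space:]]*${conn}[[{]" || true)
    [ -n "$lines" ] || { echo missing; return 0; }
    if printf '%s\n' "$lines" | grep -q 'ESTABLISHED'; then
        echo ok
    else
        echo down
    fi
}

# failover_action <conn name> <carp state> <statusall text>
# Prints the command the cron job should run, or "none" when nothing is needed.
failover_action() {
    conn="$1"
    case "$2" in
        BACKUP|INIT) echo "ipsec down $conn" ;;
        MASTER)
            case "$(tunnel_status "$conn" "$3")" in
                ok)      echo none ;;
                down)    echo "ipsec down $conn; sleep 5; ipsec up $conn" ;;
                missing) echo "configctl ipsec start" ;;
            esac ;;
        *) echo none ;;
    esac
}

# Dry run over the constructed samples; on a firewall, feed in live command output.
main() {
    for vhid in 1 10 2; do
        state=$(carp_state "$vhid" "$SAMPLE_IFCONFIG")
        printf 'vhid %s: %s -> %s\n' "$vhid" "$state" \
            "$(failover_action con1 "$state" "$SAMPLE_STATUSALL")"
    done
}
main
```

Replacing the constructed samples with `$(ifconfig -a)` and `$(ipsec statusall 2>&1)` turns the dry run into the real check; the action file and cron entry from the post stay unchanged, since only the script body differs.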