Home
Help
Search
Login
Register
OPNsense Forum
»
English Forums
»
General Discussion
»
Automatically restart IPSec on gateway status change
« previous
next »
Print
Pages: [
1
]
Author
Topic: Automatically restart IPSec on gateway status change (Read 8197 times)
nwildner
Newbie
Posts: 16
Karma: 4
Automatically restart IPSec on gateway status change
«
on:
July 19, 2019, 02:17:10 pm »
Hi
I have an IPSec scenario where OPNSense is the client and the server is a Checkpoint appliance.
The problem i have is: Every time OPNSense side ISP gets down the tunnel hangs, and when the ISP gateway gets up again, i have to restart strongswan. I have even created an user with only "services view" so a local support guy can restart the service when needed.
But the question is. Can i automate in a way that when OPNSense gateway changes from down to up, strongswan is restarted? I've already changed the "Monitor IP" to a external one since i have a dhcp wan.
Cheers.
Logged
nwildner
Newbie
Posts: 16
Karma: 4
Re: Automatically restart IPSec on gateway status change
«
Reply #1 on:
July 23, 2019, 08:30:21 pm »
Well, this is how we've created a solution to this case: Ping a host inside our main site that is only reachable through ipsec, if it isn't reachable, restart ipsec.
Steps:
Services > Monit > Settings
General Setings:
Set
Polling Interval
to 120 and
Start Delay
to 60. This will make monit checks to execute each 2 minutes. Check
Enable Monit
.
Service Test Settings > Add New
Name:
IPSEC_ICMP_MONITOR
Condition:
failed ping4 count 5 address 10.x.x.254
Action:
Restart
10.x.x.254 is the IP Address of this firewall LAN interface. This will ensure that i'm using a source address that will be able to reach that host inside the IPsec tunnel. Keep in mind that i have a specific SPD rule that will deal with delivering traffic.
Service Settings > Add New
Name:
REDIAL_IPSEC
Type:
Remote Host
Address:
172.y.y.y
Start:
/usr/local/sbin/configctl ipsec start
Stop:
/usr/local/sbin/configctl ipsec stop
Tests:
IPSEC_ICMP_MONITOR
172.y.y.y is our main AD server. Could be any host with real importance and that you know will be always up-and-running inside your main site.
Done. No more manual intervention on this host.
Logged
mimugmail
Hero Member
Posts: 6766
Karma: 494
Re: Automatically restart IPSec on gateway status change
«
Reply #2 on:
April 23, 2020, 09:32:54 am »
Great write-up, I added it to the official docs!
Thx!
Logged
WWW:
www.routerperformance.net
Support plans:
https://www.max-it.de/en/it-services/opnsense/
Commercial Plugins (German):
https://opnsense.max-it.de/
Guybrush
Newbie
Posts: 6
Karma: 0
Re: Automatically restart IPSec on gateway status change
«
Reply #3 on:
May 05, 2020, 09:09:24 pm »
Thank you nwilder, this is a really great way to keep the connections up and running.
just to clarify:
172.y.y.y is an address in the headquarter, that is pinged through the tunnel
10.x.x.254 is the lan ip from the branch office opnsense, that is restarting the ipsec
is this correct?
do you know a way to show the target address in the monit status page? and is there a way of changing the monit sender address for the email notifications?
thanks a lot in advance
Guybrush
Logged
nwildner
Newbie
Posts: 16
Karma: 4
Re: Automatically restart IPSec on gateway status change
«
Reply #4 on:
September 23, 2020, 02:50:51 pm »
Sorry to necrobump this post, but this is just a feedback on why i've stopped posting about this reconnection method.
Since we moved from Checkpoint to Fortigate to manage our sdwan solution at the main site, things got a lot better. Checkpoint ipsec implementation is GARBAGE and require you to use a lot of kludges to make it work.
Tunnel isolation, ikev1 only, no dpd(btw, dead peer detection only works with site2site checkpoint only) and other stuff that this proprietary firewall does to cripple third-party integration. It was deliberately designed to integrate badly with other firewalls.
With Fortigate on our main site, is just a matter of configuring dpd counters to keep the tunnel reconnecting on WAN outages, and with tunnel restart on ou main site.
Maybe this info could be useful to others trying to integrate with this garbage IPSec provided by Checkpoint.
Logged
Print
Pages: [
1
]
« previous
next »
OPNsense Forum
»
English Forums
»
General Discussion
»
Automatically restart IPSec on gateway status change