How can I fully restart an IPsec tunnel from commandline?

Started by Colani1200, April 27, 2022, 09:25:04 AM

Hi all,

before I start digging in source code, can anybody tell me what the "play/stop" buttons on the "VPN: IPsec: Status Overview" page exactly trigger? I sometimes have problems with a specific connection and would like to restart it via monit and a script. I assumed that ipsec down con(x); ipsec up con(x) would work, but it seems that this is not enough to fully restart that specific tunnel. Apparently the buttons on the status page do more than that, those work fine for a tunnel restart.

I wrote a (quite brute) script for monit ...
#!/bin/sh
# Brute-force restart of the whole IPsec service (all tunnels are interrupted)
/usr/local/sbin/configctl ipsec stop    # ask the OPNsense backend to stop the service
/usr/local/sbin/ipsec stop              # stop strongSwan directly in case the backend call left it running
/usr/bin/killall charon                 # kill any leftover charon daemon that would block the reconnect
/usr/local/sbin/configctl ipsec start   # start the service again through the backend

... hope it helps

sorry, forgot to mention for completeness ...
I tried the soft approach first, like you did, using the stop/start commands directly
ipsec down con1-000
ipsec up con1-000

etc.... or the scripts
/usr/local/opnsense/scripts/ipsec/connect.py
/usr/local/opnsense/scripts/ipsec/disconnect.py

(these are IMHO called by the WebUI)
but I encountered some situations where even a restart of the IPsec service did not bring the tunnel back up because some loose and lost charon process clogged the re-connection.
So I decided that a short interruption in the worst case is acceptable compared to a tunnel that needs manual intervention ...

I really need to restart that specific tunnel only without causing interruptions on the others.

Quote from: zerwes on April 27, 2022, 10:49:24 AM
/usr/local/opnsense/scripts/ipsec/connect.py
/usr/local/opnsense/scripts/ipsec/disconnect.py

(these are IMHO called by the WebUI)

Thanks, this looks like what I need, will give that a try. These scripts should take e.g. con1 as argument, right?

AFAIR it was con1-000 etc. ... but I wouldn't bet on that ... some bits and bytes have gone over my nerve pathways since then ...

This would mean that it is possible to start/stop single phase2 SAs. Maybe this is part of my problem. In general, the tunnel was up after doing ipsec down con1; ipsec up con1 but some phase2 SAs were missing. Maybe I should specifically up and down them all one by one?

... as I said, I ended up going the "brute" way, and since I use the script above I see no problems and hear no complaints ...
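As an added example (not posted by anyone in this thread), here is the "one by one" approach from the last posts written out as a monit-friendly script: it parses `ipsec statusall`, finds the phase 2 child SAs of one connection that are known but not INSTALLED, and only downs/ups those, so the other tunnels are left alone. Assumptions: the `ipsec` binary lives at /usr/local/sbin/ipsec (override with the IPSEC variable), child SAs follow the con1-000 naming mentioned above, and the status text in SAMPLE_STATUS is constructed to look like strongSwan's output, not captured from a real box.

```sh
#!/bin/sh
# Added example: restart only the missing phase 2 child SAs of one connection.
# IPSEC path is an assumption; adjust for your install.
IPSEC="${IPSEC:-/usr/local/sbin/ipsec}"

# Constructed sample of `ipsec statusall` output used for offline testing.
# con1 has three children: two INSTALLED (con1-001 twice, mid-rekey) and one
# that is only ROUTED, i.e. the "missing phase 2 SA" case from the thread.
SAMPLE_STATUS='Routed Connections:
       con1-002{4}:  ROUTED, TUNNEL, reqid 4
       con1-002{4}:   10.0.1.0/24 === 10.0.4.0/24
Security Associations (1 up, 0 connecting):
       con1[1]: ESTABLISHED 2 hours ago, 203.0.113.1[203.0.113.1]...198.51.100.1[198.51.100.1]
       con1-000{1}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c1a2b3c4_i d4e5f6a7_o
       con1-000{1}:   10.0.1.0/24 === 10.0.2.0/24
       con1-001{2}:  INSTALLED, TUNNEL, reqid 2, ESP SPIs: 0a0b0c0d_i 0e0f1011_o
       con1-001{2}:   10.0.1.0/24 === 10.0.3.0/24
       con1-001{5}:  INSTALLED, TUNNEL, reqid 2, ESP SPIs: 12121212_i 34343434_o
       con2-000{3}:  INSTALLED, TUNNEL, reqid 3, ESP SPIs: 55555555_i 66666666_o'

# All child SA names of connection $1 mentioned in status text on stdin
# (lines look like "con1-000{1}:  INSTALLED, ..."), one per line, unique.
child_sa_names() {
    sed -n "s/^ *\($1-[0-9][0-9]*\){[0-9]*}:.*/\1/p" | sort -u
}

# Only those child SAs of $1 that have at least one INSTALLED entry.
installed_sa_names() {
    sed -n "s/^ *\($1-[0-9][0-9]*\){[0-9]*}: *INSTALLED.*/\1/p" | sort -u
}

# Child SAs of $1 that are known (routed/configured) but not INSTALLED.
missing_sa_names() {
    status=$(cat)
    installed_flat=" $(printf '%s\n' "$status" | installed_sa_names "$1" | tr '\n' ' ')"
    for c in $(printf '%s\n' "$status" | child_sa_names "$1"); do
        case "$installed_flat" in
            *" $c "*) ;;          # this child is up
            *) echo "$c" ;;       # this one is missing
        esac
    done
}

# monit "check program" helper: exit 0 when nothing is missing, 1 otherwise.
check_tunnel() {
    missing=$("$IPSEC" statusall | missing_sa_names "$1")
    [ -z "$missing" ]
}

# Restart only the missing children; the other SAs of this and other
# connections keep running. `down` may fail for a merely ROUTED child
# (nothing to tear down yet), so its exit status is ignored.
restart_missing_children() {
    for child in $("$IPSEC" statusall | missing_sa_names "$1"); do
        "$IPSEC" down "$child" || :
        "$IPSEC" up "$child"
    done
}

# Usage: script.sh check con1   /   script.sh restart con1
case "${1:-}" in
    check)   check_tunnel "$2" ;;
    restart) restart_missing_children "$2" ;;
esac
```

A matching monit entry would run `script.sh check con1` as a program check and call `script.sh restart con1` when it fails; if a restart still leaves children missing, that is the "lost charon" situation described above and the full service restart is the fallback.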