Welcome to It-Slav.Net blog
Peter Andersson
peter@it-slav.net

I've already got a female to worry about. Her name is the Enterprise.
-- Kirk, "The Corbomite Maneuver", stardate 1514.0

Background

This article describes how to monitor an IPSEC tunnel running on OpenBSD. I could not find any plugin already done so I created my own.

The pre req. for this article are:

 

Theory

The way of getting the status of IPsec on OpenBSD is buy running:

ipsecctl -s s
esp tunnel from x.x.x.x to y.y.y.y spi 0xe58a63d3 auth hmac-md5 enc 3des-cbc \
       authkey 0xabcdfghijklmnopqrstuvxyz \
       enckey 0xabcdfghijklmnopqrstuvxyz
esp tunnel from y.y.y.y to x.x.x.x spi 0x555f1f13 auth hmac-md5 enc 3des-cbc \
      authkey 0xabcdfghijklmnopqrstuvxyz \
       enckey 0xabcdfghijklmnopqrstuvxyz

This shows that the IPsec tunnel between x.x.x.x and y.y.y.y is up.

Depending of the OpenBSD version the output will be different.

 


Plugin

I put the plugin in /opt/plugins/custom at my OpenBSD box.

#!/bin/sh
#
# Copyright (C) 2009 Peter Andersson, peter@it-slav.net
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
#
# Very simple plugin that checks if a ipsec vpn is up between to ip-adresses
# Tested on OpenBSD 4.0
#
# You should have received a copy of the GNU General Public License
# along with this program.  If not, see .
#
# Example use of this script:
# ./check_ipsecctl 10.1.1.1 10.2.1.1 "VPN HQ"
# OK: VPN HQ is up
#
# ./check_ipsecctl 10.1.1.1 10.2.1.1 "VPN HQ"
# CRITICAL: VPN HQ is down (No IP-SEC VPN from 10.1.1.1 to 10.2.1.1  No IP-SEC VPN from 10.2.1.1 to 10.1.1.1)
#
#
IPSECCTL="/sbin/ipsecctl -s sa"
STATUS=0

LINE1=`$IPSECCTL | grep "from $1 to $2" `
if [ $? -eq 1 ]; then
        STATUS=2;
        OUTPUT1="No IP-SEC VPN from $1 to $2 "
fi

LINE2=`$IPSECCTL | grep "from $2 to $1" `
if [ $? -eq 1 ]; then
        STATUS=2;
        OUTPUT2="No IP-SEC VPN from $2 to $1"
fi

if [ $STATUS -eq 0 ]; then
        echo "OK: $3 is up"
        exit $STATUS
else
        echo "CRITICAL: $3 is down ($OUTPUT1 $OUTPUT2)"
        exit $STATUS
fi

Nrpe config

Nagios run check_ipsecctl via NRPE, it mus run as a privileged user and I use sudo, in /etc/nrpe.cfg

command[vpn_johan]=sudo /opt/plugins/custom/check_ipsecctl x.x.x.x y.y.y.y "VPN Johan"

x.x.x.x and y.y.y.y are the IP-addresses where the VPN tunnel terminates

 

Sudo

Use sudoedit /etc/sudoers to modify the sudo config file:

nagios  ALL=(root) NOPASSWD: /opt/plugins/custom/check_ipsecctl

 

 

Nagios or op5 Monitor configuration

The VPN connection can be treated as a service running on the OpenBSD box, but in my opinion, the VPN  should be treated as a host using the plugin above to check that the host is alive, and the hosts at the other end of the VPN connection should have the  VPN tunnel as parent. The advantage is that if the VPN tunnel is down the hosts and services behind it is unreachable, which is the correct behavior.

 

hosts.cfg

# host template 'default-hosttemplate-nrpe'
define host{
    name                           default-hosttemplate-nrpe
    check_command                  check_nrpe
    max_check_attempts             5
    obsess_over_host               0
    check_freshness                0
    active_checks_enabled          1
    passive_checks_enabled         1
    event_handler_enabled          1
    flap_detection_enabled         1
    flap_detection_options         n
    process_perf_data              1
    retain_status_information      1
    retain_nonstatus_information   1
    notification_interval          0
    notification_period            24x7
    notification_options           d,u,r,f
    notifications_enabled          1
    stalking_options               n
    register                       0
    }
# host 'vpn-johan'
define host{
    use                            default-hosttemplate-nrpe
    host_name                      vpn-johan
    alias                          vpn johan
    address                        10.1.1.1
    parents                        internet
    check_command                  check_nrpe!vpn_johan
    contact_groups                 it-slav_msn,it-slav_mail,call_it-slav
    }

10.1.1.1 is the IP-adress to my OpenBSD box. The reason for using a template is that I’m using the webbased config tool that comes with op5 Monitor.

The result

vpn-op5monitor

Links

  • Nagios
  • op5 Monitor a Nagios based full supported monitor solution
  • OpenBSD, a FREE, multi-platform 4.4BSD-based UNIX-like operating system.
  • IPsec, a suite of protocols for securing Internet Protocol communications by authenticating and encrypting each IP packet of a data stream.
Share

Leave a Reply


six − = 3





Book reviews
FreePBX 2.5
Powerful Telephony Solutions






Asterisk 1.6
Build a feature rich telephony system with Asterisk






Learning NAGIOS 3.0





Cacti 0.8 Network Monitoring,
Monitor your network with ease!