dblanque / opnsense-zabbix

Zabbix Template for OPNSense

IPSec Monitoring Feature not Functional #3

Open burghy86 opened 5 months ago

burghy86 commented 5 months ago

Great job, man. I tested it and it works OK. The IP status does not work correctly, and the phase 2 result is disconnect but it is connected. 0 = disconnect, 1 = connect. You make a trigger for a tunnel status?

dblanque commented 5 months ago

Hi, I assume you're trying to monitor IPSec Tunnel Statuses? I haven't converted that feature from pfSense yet and had it in the backlog but since no one had asked yet I never got to doing it.

I'll see what I can do for you. Regards, Dylan

Edit: Please try to title your issues with something that summarizes the actual issue instead of "hello".

dblanque commented 5 months ago

Hi @burghy86, do you use Tunnel Settings [legacy] for your IPSec tunnels or the Connections tab? Could you get me an output of the following script (removing any sensitive data):

```php
<?php
// Imports
require_once('plugins.inc');
require_once('config.inc');
require_once('util.inc');

// For Interfaces Discovery
require_once('interfaces.inc');

// For System
require_once('system.inc');

require_once("filter.inc");
require_once("interfaces.inc");
require_once("plugins.inc.d/ipsec.inc");

print_r($config['ipsec']);

?>
```

And of this script as well:

```
python3 /usr/local/opnsense/scripts/ipsec/list_status.py
```

Regards, Dylan

burghy86 commented 5 months ago

Yes. I use a legacy tunnel.

The list_status.py:

```
{"con1":{"local-addrs":"10.10.18.2","remote-addrs":"XXXXXXXXXXXXXXXXXXXX","children":{"con1":{"mode":"TUNNEL","rekey_time":"3272","rekey_bytes":"0","rekey_packets":"0","dpd_action":"start","close_action":"none","local-ts":["192.168.119.0\/24"],"remote-ts":["192.168.20.0\/24"]}},"local-id":"10.10.18.2","remote-id":"XXXXXXXXXXXXXXXXXXXX","version":"IKEv2","sas":[{"uniqueid":"22","version":"2","state":"ESTABLISHED","local-host":"10.10.18.2","local-port":"4500","local-id":"10.10.18.2","remote-host":"13.69.120.150","remote-port":"4500","remote-id":"XXXXXXXXXXXXXXXXXXXX","initiator":"yes","initiator-spi":"8e6f9c64bb5a2b59","responder-spi":"31c6c638e5286575","nat-local":"yes","nat-remote":"yes","nat-any":"yes","encr-alg":"AES_GCM_16","encr-keysize":"256","prf-alg":"PRF_HMAC_SHA2_256","dh-group":"MODP_2048","established":"11125","rekey-time":"3260","child-sas":{"con1-94":{"name":"con1","uniqueid":"94","reqid":"1","state":"INSTALLED","mode":"TUNNEL","protocol":"ESP","encap":"yes","spi-in":"c03d4324","spi-out":"c76b06a8","encr-alg":"AES_CBC","encr-keysize":"256","integ-alg":"HMAC_SHA2_256_128","dh-group":"MODP_2048","bytes-in":"11124501","packets-in":"21234","use-in":"0","bytes-out":"2996904","packets-out":"17458","use-out":"0","rekey-time":"2700","life-time":"3315","install-time":"285","local-ts":["192.168.119.0\/24"],"remote-ts":["192.168.20.0\/24"]}}}],"routed":true,"local-class":"pre-shared key","remote-class":"pre-shared key"}}
```

For the first script you gave me, I wouldn't know how to get it to you. Do I have to create a PHP page and put it where to view it?

dblanque commented 5 months ago

Thank you! I'll let you know if I need any more data but that's all for the moment. Will keep you posted on this matter.

dblanque commented 3 months ago

I've done quite a few changes to the script and would recommend that you try out the newest version. Regards, Dylan
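An added example, not part of the thread and not the template's own code: one way to turn JSON shaped like the `list_status.py` output posted above into the 0 = disconnect / 1 = connect values discussed in this issue, per connection (phase 1) and per child (phase 2). It assumes that `ESTABLISHED` and `INSTALLED` are the only "up" states; the function name `tunnel_status` and the sample connections `con2` and `con3` are made up for illustration.

```python
import json

# Constructed sample, trimmed to the fields used below. The shape follows the
# list_status.py output posted in this thread; con2 and con3 are invented.
SAMPLE = json.dumps({
    "con1": {
        "children": {"con1": {"mode": "TUNNEL"}},
        "sas": [{
            "state": "ESTABLISHED",
            "child-sas": {"con1-94": {"name": "con1", "state": "INSTALLED"}},
        }],
    },
    "con2": {  # configured, but no IKE SA negotiated at all
        "children": {"con2": {"mode": "TUNNEL"}},
        "sas": [],
    },
    "con3": {  # IKE SA is up, but no child SA is installed
        "children": {"con3": {"mode": "TUNNEL"}},
        "sas": [{"state": "ESTABLISHED", "child-sas": {}}],
    },
})

# Assumption: only these states are treated as "up".
IKE_UP = {"ESTABLISHED"}
CHILD_UP = {"INSTALLED"}


def tunnel_status(raw):
    """Return {connection: {"phase1": 0|1, "phase2": {child: 0|1}}}."""
    result = {}
    for name, conn in json.loads(raw).items():
        sas = conn.get("sas") or []
        phase1 = int(any(sa.get("state") in IKE_UP for sa in sas))
        # Start every configured child at 0 so that a child with no SA is
        # reported as down instead of being silently absent.
        phase2 = {child: 0 for child in (conn.get("children") or {})}
        for sa in sas:
            for child_sa in (sa.get("child-sas") or {}).values():
                # Keys look like "con1-94"; the "name" field is the stable id.
                child = child_sa.get("name")
                if child_sa.get("state") in CHILD_UP:
                    phase2[child] = 1
                else:
                    phase2.setdefault(child, 0)
        result[name] = {"phase1": phase1, "phase2": phase2}
    return result


if __name__ == "__main__":
    print(json.dumps(tunnel_status(SAMPLE), indent=2))
```
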