IPSec Monitoring Script

Hi All,

Please forgive me if I have re-invented the wheel! I have been looking for a script that would monitor an IPsec tunnel and, if it couldn't reach the endpoint, force the tunnel to restart. Unfortunately I couldn't find any script that did quite what I wanted, so I borrowed some people's code from other scripts and had a go myself. The below is what I have come up with. Constructive comments are welcome, but please remember that this is the first script I have ever written.

{
:log info "IPSec Watchdog Started"

# The host you want to ping ######
:local HOST "Type IP Here"

# Location of host ########
:local LOCATION "Name of location"

# Interface to Remote Network #######
:local GW "interface with route to host"

# Ping interval (passed to /ping interval=); increase or decrease as required
:local TIMEOUT "100ms"

# How many tries
:local COUNT 10

# If less than 8 successful replies, restart IPSec #####
:local LESSTHAN 8

################################## DONT EDIT BELOW ###################################
:log info "Looking for $HOST at $LOCATION"
:log info "Route to IPSec endpoint in $LOCATION is via $GW"
# /ping returns the number of replies received; compare it with the threshold
:if ([/ping interface=$GW $HOST interval=$TIMEOUT count=$COUNT] < $LESSTHAN) \
  do={:log error "$HOST at $LOCATION is unreachable; Tunnel to $LOCATION is Down, Forcing IPSec Restart"; /ip ipsec installed-sa flush} \
  else={:log warning "IPSec Tunnel to $LOCATION is OK, Nothing to do"}
}

explore it: /tool netwatch

I have this, I know I need to improve, but it works for me.

/system script
add name=ping-ipsec owner=admin policy=
ftp,reboot,read,write,policy,test,password,sniff,sensitive source="{\r
\n:if ([/ping 10.1.1.1 src-address=172.16.1.1 count=5] = 0) do={ \r
\n:log warning "VPN DOWN";\r
\n/ip ipsec peer disable 0;\r
\n/ip ipsec remote-peers kill-connections;\r
\n/ip ipsec installed-sa flush;\r
\n:delay 200;\r
\n/ip ipsec peer enable 0;\r
\n/ip cloud force-update;\r
\n:delay 15;\r
\n/ping 10.1.1.1 src-address=172.16.1.1 count=5;\r
\n} else={\r
\n:log warning "VPN UP";\r
\n/ip cloud force-update;\r
\n}\r
\n}\r
\n"
/system scheduler
add interval=10m name=schedule1 on-event=ping-ipsec policy=
ftp,reboot,read,write,policy,test,password,sniff,sensitive start-date=
sep/27/2015 start-time=12:50:36

@martking
Your script is quite useful, thanks for sharing

@panisk0
Netwatch doesn't work on IPsec VPNs - at least not for me - you need to be able to specify the interface, and with Netwatch you can't.

Thanks, this is exactly what I needed,
and it's working on the current release - model: RouterBOARD M33G - firmware: 6.43.1

Glad the script was of use to you both. The other good thing about the script is that it generates interesting traffic to start/keep tunnels alive.

I'm just interested in knowing more in depth about what this script does.

Like you have mentioned: "if it couldn't reach the endpoint it would force the tunnel to restart".

My question is: what exactly will restart? Because in IPsec you have the DPD feature, which means:

"Once the DPD interval has met the Max Failures, it will clear out the SAs to this host and attempt to establish a new SA."

Using NordVPN on my MikroTik router I came across the same issue - the IPsec tunnel occasionally gets stuck.
Thanks to all who posted scripts in this thread; it was a good start which helped me begin learning the MikroTik scripting language.
I added a little dynamic thing in my version of the script; perhaps it will help somebody as well:

# get IPsec src-address from the IPsec tunnel policy
# (the first policy with tunnel=yes is used, in case more than one matches)
:local IPsecSrcIP [/ip/ipsec/policy get [:pick [/ip/ipsec/policy find where tunnel=yes] 0] src-address]

# remove netmask:
:set IPsecSrcIP [:pick $IPsecSrcIP 0 [:find $IPsecSrcIP "/"]]

#:log info "IPSec tunnel check: Pinging 8.8.8.8 via $IPsecSrcIP"
# /ping returns the number of replies received; 0 means nothing came back through the tunnel
:if ([/ping 8.8.8.8 src-address=$IPsecSrcIP count=5] = 0) do={
    :log warning "IPSec tunnel check: Ping to 8.8.8.8 via $IPsecSrcIP failed. VPN is down, killing connections"
    # remember which peers were enabled so that only those are re-enabled afterwards
    :local enabledpeers [/ip/ipsec/peer find where disabled=no]
    :foreach k,v in=$enabledpeers do={
        /ip/ipsec/peer disable $v
    }
    /ip/ipsec/active-peers kill-connections
    /ip/ipsec/installed-sa flush
    :foreach k,v in=$enabledpeers do={
        /ip/ipsec/peer enable $v
    }
} else={
    #:log info "IPSec tunnel check: Ping OK"
}

Can someone show me how to modify the script to use the source device lan interface IP address?

I have used the following script. I want to source from my inside (LAN) interface. I keep getting an error

invalid value for argument src-address:
invalid value for argument ip-src-address
invalid value for argument ip6-src-address


#get IPsec src-address from IPsec policies:
:local IPsecSrcIP [/ip ipsec policy get [find where tunnel =yes ] src-address]
#remove netmask:
:set value=IPsecSrcIP  [:pick $IPsecSrcIP 0 [:find $IPsecSrcIP "/"]]

:log info "IPSec tunnel check: Pinging 192.168.100.1 via $IPsecSrcIP"
if ([/ping 192.168.100.1 src-address=$IPsecSrcIP count=5]=0) do={
    :log warning "IPSec tunnel check: Ping to 192.168.100.1 via $IPsecSrcIP failed. VPN is down, Killing konnections"
    :local enabledpeers [ip ipsec peer find where disabled=no]
    :foreach k,v in=$enabledpeers do={
        ip ipsec peer disable $v
    }
    ip ipsec active-peers kill-connections
    ip ipsec installed-sa flush 
    :foreach k,v in=$enabledpeers do={
        ip ipsec peer enable $v
    }
} else={
    #:log info "IPSec tunnel check: Ping OK"
}

First of all, fix all the errors you have introduced in the script, like the space here: "tunnel =yes". Second, the script is for v7 and you are trying to use it on v6.
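As an added example (not a script from any poster in this thread), the following RouterOS v7 script combines the reply threshold from the first post with a source address taken dynamically from a LAN interface, which is what was asked above, and only restarts the peers after two consecutive failed checks so a single lost probe does not tear the tunnel down. The interface name "bridge-lan" and the remote test host 192.0.2.10 are placeholders you would replace with your own.

```routeros
# Added example, not from any poster in this thread. Assumes RouterOS v7 syntax.
# Placeholders: LAN interface "bridge-lan" and remote test host 192.0.2.10 behind the tunnel.
:local lanIf "bridge-lan"
:local remoteHost 192.0.2.10
:local pingCount 10
:local minReplies 8
:local maxConsecutiveFails 2

# Take the LAN interface address and strip the /prefix, so the probe is sourced
# the same way LAN traffic is and therefore matches the tunnel policy.
:local lanAddr [:tostr [/ip/address get [:pick [/ip/address find where interface=$lanIf] 0] address]]
:set lanAddr [:pick $lanAddr 0 [:find $lanAddr "/"]]

# Consecutive-failure counter persists across scheduler runs as a global variable
:global ipsecWatchdogFails
:if ([:typeof $ipsecWatchdogFails] != "num") do={ :set ipsecWatchdogFails 0 }

# /ping returns the number of replies received
:local replies [/ping $remoteHost src-address=$lanAddr count=$pingCount interval=1s]

:if ($replies < $minReplies) do={
    :set ipsecWatchdogFails ($ipsecWatchdogFails + 1)
    :log warning "IPsec watchdog: $replies/$pingCount replies from $remoteHost via $lanAddr (failure $ipsecWatchdogFails)"
    :if ($ipsecWatchdogFails >= $maxConsecutiveFails) do={
        :log error "IPsec watchdog: $maxConsecutiveFails consecutive failures, restarting IPsec peers"
        # only the currently enabled peers are cycled, so intentionally disabled ones stay disabled
        :local peers [/ip/ipsec/peer find where disabled=no]
        :foreach p in=$peers do={ /ip/ipsec/peer disable $p }
        /ip/ipsec/active-peers kill-connections
        /ip/ipsec/installed-sa flush
        :delay 5s
        :foreach p in=$peers do={ /ip/ipsec/peer enable $p }
        :set ipsecWatchdogFails 0
    }
} else={
    :if ($ipsecWatchdogFails > 0) do={ :log info "IPsec watchdog: tunnel to $remoteHost recovered" }
    :set ipsecWatchdogFails 0
}
```

Run it from /system scheduler at the interval you want between checks; the global counter is what gives the script memory between runs.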