miahac
August 17, 2012, 3:20pm
1
I have a script that flushes the IPSEC SA list if the other end is not reachable by ping (which happens often, and after flushing the SA list the connection reconnects), but I have added a second IPSEC tunnel with the same problem, and that peer will not allow ICMP.
The original ping script I copied from somewhere else on the forums:
# Three pings, three seconds apart; fewer than two replies means the tunnel is down.
:if ([/ping 10.6.51.11 interval=3 count=3]<2) do={
    :log warning "IPSec KO, flushing SAs"
    # Dropping every installed SA forces IKE to renegotiate the tunnel.
    /ip ipsec installed-sa flush sa-type=all
} else={
    :log info "IPSec OK"
}
I want to change this script to check how many remote peers are in IPsec instead of pinging:
/ip ipsec remote-peers print
Any ideas?
Something like this?
{
    # find returns the list of remote-peer entries; len counts them.
    :local peer [:len [/ip ipsec remote-peers find]]
    :put $peer
}
miahac
August 17, 2012, 10:44pm
3
Thanks for the idea.
I am really bad at this scripting, but to test out your idea I did this:
{
    # print only displays the list and returns nothing, so len is always 0.
    :local peer [:len [/ip ipsec remote-peers print]]
    :put $peer
    :log info $peer
}
Whether or not I had an IPSEC connection, it always put 0 in the log.
Sorry, try this:
{
    # find (not print) returns the entries, so len gives the peer count.
    :local peer [:len [/ip ipsec remote-peers find]]
    :put $peer
    :log info $peer
}
miahac
August 20, 2012, 3:34pm
5
I think this worked!
# Pings only generate traffic to bring the tunnels up; the replies are not checked.
/ping 10.6.51.11 interval=3 count=3
/ping 172.21.10.47 interval=3 count=3
# Count the IPsec remote peers currently negotiated with this router.
:local peer [:len [/ip ipsec remote-peers find]]
:put $peer
:log info $peer
# Two tunnels are expected, so fewer than two peers means one is down.
:if ($peer<2) do={
    :log warning "IPSec KO, flushing SAs"
    /ip ipsec installed-sa flush sa-type=all
} else={
    :log info "IPSec OK"
}
The pings at the beginning are to initiate the connection and are not monitored because the other end is blocking ICMP.
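A fuller version of the same watchdog, added here as an example and not taken from the thread or from MikroTik: it keeps the peer list and the expected count in variables, discards the ping results on purpose, waits for IKE to finish before counting, and is meant to be saved as a script named ipsec-watchdog and run from the scheduler. The peer addresses are the two from the thread; the 10-second delay, the 2-minute interval and the script name are assumptions to adjust for your own tunnels.

```routeros
# Added example, not the poster's script. Assumes RouterOS "/ip ipsec remote-peers"
# syntax as used in the thread and that both tunnels should always be up.
# Save this as /system script "ipsec-watchdog" and schedule it (see the end).

# Peers that should each have a live IKE negotiation with this router.
:local peers {"10.6.51.11"; "172.21.10.47"}
:local expected [:len $peers]

# Send some interesting traffic towards every peer so a tunnel whose SAs were
# dropped gets renegotiated. The ping result is deliberately ignored because
# the second peer filters ICMP, so a missing reply proves nothing.
:foreach p in=$peers do={
    /ping $p interval=1 count=2
}

# Give IKE time to finish before counting; counting immediately after the
# pings can report a peer that is still negotiating as absent.
:delay 10s

# find returns the remote-peer entries; print would return nothing.
:local active [:len [/ip ipsec remote-peers find]]
:log info ("IPsec watchdog: $active of $expected remote peers present")

:if ($active < $expected) do={
    :log warning "IPsec KO, flushing SAs"
    # Dropping the installed SAs forces a fresh negotiation on the next packet.
    /ip ipsec installed-sa flush sa-type=all
} else={
    :log info "IPsec OK"
}

# Schedule it from the console (assumed 2-minute interval):
# /system scheduler add name=ipsec-watchdog interval=2m on-event=ipsec-watchdog
```

Counting only proves how many peers exist, not which ones. If one tunnel matters more than the other, filter the `find` on that peer's address instead of counting; the field names shown by `/ip ipsec remote-peers print` vary between RouterOS versions, so check the output on your own router before relying on them.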