martking
just joined
Topic Author
Posts: 17
Joined: Mon Apr 03, 2017 8:54 pm

IPSec Monitoring Script

Mon Mar 12, 2018 12:27 pm

Hi All,

Please forgive me if I have re-invented the wheel! But I have been looking for a script that would monitor an IPsec tunnel and, if it couldn't reach the endpoint, force the tunnel to restart. Unfortunately I couldn't find any script that did quite what I wanted, so I borrowed some code from other people's scripts and had a go myself. The below is what I have come up with; constructive comments are welcome, but please remember that this is the first script I have ever written.

{
:log info "IPSec Watchdog Started"
##### The host you want to ping ######
:local HOST "Type IP Here"
##### Location of host ########
:local LOCATION "Name of location"
##### Interface to remote network #######
:local GW "interface with route to host"
#### Ping timeout, increase or decrease as required #####
:local TIMEOUT 100ms
#### How many tries ######
:local COUNT 10
### If fewer than 8 successful replies, restart IPSec #####
:local LESSTHAN 8


################################## DON'T EDIT BELOW ###################################
:log info "Looking for $HOST at $LOCATION"
:log info "Route to IPSec endpoint in $LOCATION is via $GW"
# /ping returns the number of replies received; compare it as a number, not a string
:if ([/ping interface=$GW $HOST interval=$TIMEOUT count=$COUNT] < $LESSTHAN) \
do={:log error "$HOST at $LOCATION is unreachable, tunnel to $LOCATION is down, forcing IPSec restart"; /ip ipsec installed-sa flush} \
else={:log warning "IPSec Tunnel to $LOCATION is OK, nothing to do"}
}
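A variation on the watchdog above, added here as an example and not code from the thread: it keeps a failure counter in a global variable so the tunnel is only torn down after several consecutive failed checks, and it restarts one named peer rather than every SA on the router. The host 10.10.10.1, the local source address 192.168.88.1, the peer name "site-b" and the thresholds are assumptions to adapt; it uses v7 path syntax.

```routeros
# Added example (not code from the thread): IPsec watchdog for RouterOS v7 with hysteresis.
# Assumed values: 10.10.10.1 is a host reachable only through the tunnel, 192.168.88.1 is a
# local address inside the IPsec policy's src-address, the peer is named "site-b".
# Run it from /system/scheduler, e.g. interval=1m.
:local target     10.10.10.1
:local srcAddr    192.168.88.1
:local peerName   "site-b"
:local pingCount  5
:local minReplies 3
# consecutive failed checks required before a restart
:local maxFails   3

# global so the counter survives between scheduler runs
:global ipsecWdFails
:if ([:typeof $ipsecWdFails] != "num") do={ :set ipsecWdFails 0 }

# /ping returns the number of replies received
:local replies [/ping $target src-address=$srcAddr count=$pingCount interval=500ms]

:if ($replies < $minReplies) do={
    :set ipsecWdFails ($ipsecWdFails + 1)
    :log warning "IPsec watchdog: $replies/$pingCount replies from $target, failure $ipsecWdFails of $maxFails"
    :if ($ipsecWdFails >= $maxFails) do={
        :local peerId [/ip/ipsec/peer find where name=$peerName]
        :if ([:len $peerId] = 0) do={
            :log error "IPsec watchdog: peer $peerName not found, nothing restarted"
        } else={
            :log error "IPsec watchdog: $target unreachable, restarting peer $peerName"
            /ip/ipsec/peer disable $peerId
            # kills every active IKE session on this router; narrow it if you run several tunnels
            /ip/ipsec/active-peers kill-connections
            /ip/ipsec/installed-sa flush
            :delay 5s
            /ip/ipsec/peer enable $peerId
            :set ipsecWdFails 0
        }
    }
} else={
    :if ($ipsecWdFails > 0) do={
        :log info "IPsec watchdog: $target reachable again ($replies/$pingCount), counter reset"
    }
    :set ipsecWdFails 0
}
```

The source address must fall inside the tunnel policy's src-address, otherwise the probe leaves via the default route and says nothing about the tunnel. Keep the scheduler interval longer than the ping run (count times interval) so two runs cannot overlap.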
 
panisk0
newbie
Posts: 25
Joined: Sun Mar 06, 2016 10:36 pm
Location: Cracow

Re: IPSec Monitoring Script

Tue Apr 03, 2018 12:27 am

explore it: /tool netwatch

/p
 
juliokato
Member Candidate
Posts: 228
Joined: Mon Oct 26, 2015 4:27 pm
Location: Brazil

Re: IPSec Monitoring Script

Tue Apr 03, 2018 5:07 pm

I have this. I know I need to improve it, but it works for me.

/system script
add name=ping-ipsec owner=admin policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive source="{\r\
\n:if ([/ping 10.1.1.1 src-address=172.16.1.1 count=5] = 0) do={ \r\
\n:log warning \"VPN DOWN\";\r\
\n/ip ipsec peer disable 0;\r\
\n/ip ipsec remote-peers kill-connections;\r\
\n/ip ipsec installed-sa flush;\r\
\n:delay 200;\r\
\n/ip ipsec peer enable 0;\r\
\n/ip cloud force-update;\r\
\n:delay 15;\r\
\n/ping 10.1.1.1 src-address=172.16.1.1 count=5;\r\
\n} else={\r\
\n:log warning \"VPN UP\";\r\
\n/ip cloud force-update;\r\
\n}\r\
\n}\r\
\n"
/system scheduler
add interval=10m name=schedule1 on-event=ping-ipsec policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive start-date=\
sep/27/2015 start-time=12:50:36
 
VeeDub
just joined
Posts: 7
Joined: Fri Jun 02, 2017 4:11 pm

Re: IPSec Monitoring Script

Thu Sep 13, 2018 7:05 am

@martking
Your script is quite useful, thanks for sharing

@panisk0
Netwatch doesn't work on IPsec VPNs - at least not for me - you need to be able to specify the interface, and with Netwatch you can't.
 
matho
just joined
Posts: 1
Joined: Sat Sep 01, 2018 10:29 am

Re: IPSec Monitoring Script

Thu Sep 20, 2018 10:32 am

Thanks, this is exactly what I needed,
and it's working on the current release - model: RouterBOARD M33G - firmware: 6.43.1
 
martking
just joined
Topic Author
Posts: 17
Joined: Mon Apr 03, 2017 8:54 pm

Re: IPSec Monitoring Script

Tue Feb 19, 2019 5:47 pm

Glad the script was of use to you both. The other good thing about the script is that it generates interesting traffic to start/keep tunnels alive.
 
nichky
Forum Guru
Posts: 1275
Joined: Tue Jun 23, 2015 2:35 pm

Re: IPSec Monitoring Script

Tue Feb 19, 2019 11:36 pm

I'd just like to know more in depth what this script does.

Like you have mentioned, "if it couldn't reach the endpoint it would force the tunnel to restart".

My question is, what exactly will restart? Because in IPsec you have the DPD feature, which means:

"Once the DPD interval has met the max failures, it will clear out the SAs to this host and attempt to establish a new SA."
 
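For comparison with the script, here is what the DPD setting the post above refers to looks like in RouterOS configuration, added as an example and not taken from the thread. DPD only probes the IKE peer; it detects a remote whose IKE daemon has stopped answering, not a tunnel whose IKE session is alive while no traffic gets through (policy mismatch, blackholed ESP, remote-side routing). The ping watchdog covers that second case, which is why both are useful. The profile and peer names are assumptions.

```routeros
# Added example (not from the thread). Assumes the peer "site-b" uses the profile "site-b-prof".

# Weak setting: DPD disabled, so a dead remote is only noticed when SA lifetimes expire
/ip/ipsec/profile set [find name="site-b-prof"] dpd-interval=disable-dpd

# Corrected: send a DPD probe every 30s; after 3 unanswered probes (about 90s) RouterOS
# drops the SAs to that peer and, if this side is the initiator, re-initiates
/ip/ipsec/profile set [find name="site-b-prof"] dpd-interval=30s dpd-maximum-failures=3

# Check which profile the peer really uses, then watch the SAs be rebuilt
/ip/ipsec/peer print detail where name="site-b"
/ip/ipsec/active-peers print
/ip/ipsec/installed-sa print
```

On v6 the same fields live under /ip ipsec profile with space-separated paths.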
yushko
just joined
Posts: 1
Joined: Tue Feb 07, 2023 4:42 pm

Re: IPSec Monitoring Script

Tue Feb 07, 2023 4:51 pm

Using NordVPN on my MikroTik router I came across the same issue - the IPsec tunnel occasionally gets stuck.
Thanks to all who posted scripts in this thread; it was a good start which helped me begin learning the MikroTik scripting language.
I added a little dynamic thing in my version of the script; perhaps it will help somebody as well:
#get IPsec src-address from IPsec policies
#(assumes a single tunnel policy; with several, narrow the find, e.g. by dst-address):
:local IPsecSrcIP [/ip/ipsec/policy get [find where tunnel=yes] src-address]

#remove netmask:
:set IPsecSrcIP [:pick $IPsecSrcIP 0 [:find $IPsecSrcIP "/"]]

#:log info "IPSec tunnel check: Pinging 8.8.8.8 via $IPsecSrcIP"
:if ([/ping 8.8.8.8 src-address=$IPsecSrcIP count=5]=0) do={
    :log warning "IPSec tunnel check: Ping to 8.8.8.8 via $IPsecSrcIP failed. VPN is down, killing connections"
    :local enabledpeers [/ip/ipsec/peer find where disabled=no]
    :foreach k,v in=$enabledpeers do={
        /ip/ipsec/peer disable $v
    }
    /ip/ipsec/active-peers kill-connections
    /ip/ipsec/installed-sa flush
    :foreach k,v in=$enabledpeers do={
        /ip/ipsec/peer enable $v
    }
} else={
    #:log info "IPSec tunnel check: Ping OK"
}
Last edited by yushko on Tue Feb 07, 2023 4:56 pm, edited 1 time in total.
 
jerryroy1
Member Candidate
Posts: 164
Joined: Sat Mar 17, 2007 4:55 am
Location: LA and OC USA

Re: IPSec Monitoring Script

Thu Mar 23, 2023 11:13 pm

Can someone show me how to modify the script to use the source device's LAN interface IP address?
 
jerryroy1
Member Candidate
Posts: 164
Joined: Sat Mar 17, 2007 4:55 am
Location: LA and OC USA

Re: IPSec Monitoring Script

Fri Mar 24, 2023 12:24 am

I have used the following script. I want to source from my inside (LAN) interface. I keep getting an error:

invalid value for argument src-address:
invalid value for argument ip-src-address
invalid value for argument ip6-src-address

#get IPsec src-address from IPsec policies:
:local IPsecSrcIP [/ip ipsec policy get [find where tunnel =yes ] src-address]
#remove netmask:
:set value=IPsecSrcIP  [:pick $IPsecSrcIP 0 [:find $IPsecSrcIP "/"]]

:log info "IPSec tunnel check: Pinging 192.168.100.1 via $IPsecSrcIP"
if ([/ping 192.168.100.1 src-address=$IPsecSrcIP count=5]=0) do={
    :log warning "IPSec tunnel check: Ping to 192.168.100.1 via $IPsecSrcIP failed. VPN is down, Killing konnections"
    :local enabledpeers [ip ipsec peer find where disabled=no]
    :foreach k,v in=$enabledpeers do={
        ip ipsec peer disable $v
    }
    ip ipsec active-peers kill-connections
    ip ipsec installed-sa flush 
    :foreach k,v in=$enabledpeers do={
        ip ipsec peer enable $v
    }
} else={
    #:log info "IPSec tunnel check: Ping OK"
}
 
rextended
Forum Guru
Posts: 11968
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: IPSec Monitoring Script

Fri Mar 24, 2023 2:32 pm

First of all, fix all the errors you have introduced into the script, like the space here: "tunnel =yes". Second, the script is v7 and you are trying to use it on v6.
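Putting the two replies together (sourcing the probe from the LAN interface, and running on v6 as well as v7), here is a version added as an example, not posted by anyone in the thread. It uses space-separated paths, which both v6 and v7 accept, and reads the first static address of the LAN interface instead of the policy. The interface name "bridge" and the remote host 192.168.100.1 are assumptions; the LAN address still has to lie inside the tunnel policy's src-address for the ping to use the tunnel.

```routeros
# Added example (not from the thread): tunnel check sourced from the LAN interface address.
# Assumptions: the LAN interface is "bridge" with one static address, and 192.168.100.1
# is a host on the remote side of the tunnel. Works on v6 and v7 (space-separated paths).
:local lanIf  "bridge"
:local target 192.168.100.1

# first static address on the LAN interface, e.g. "192.168.88.1/24" -> "192.168.88.1"
:local addrId [:pick [/ip address find where interface=$lanIf dynamic=no] 0]
:if ([:len $addrId] = 0) do={
    :log error "IPsec check: no static address on $lanIf"
    :error "no source address"
}
:local srcAddr [/ip address get $addrId address]
:set srcAddr [:pick $srcAddr 0 [:find $srcAddr "/"]]

:if ([/ping $target src-address=$srcAddr count=5] = 0) do={
    :log warning "IPsec check: $target not reachable from $srcAddr, restarting peers"
    :local peers [/ip ipsec peer find where disabled=no]
    /ip ipsec peer disable $peers
    # older v6 builds call this menu remote-peers, as in the export earlier in the thread
    /ip ipsec active-peers kill-connections
    /ip ipsec installed-sa flush
    :delay 5s
    /ip ipsec peer enable $peers
} else={
    :log info "IPsec check: $target reachable from $srcAddr"
}
```

The `:error` stops the script when no address is found, so a misnamed interface shows up in the log instead of producing the "invalid value for argument src-address" error quoted above, which is what an empty source address passed to /ping yields.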