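#!/bin/sh
# Nagios-style plugin: check every IPsec VPN declared in /etc/ipsec.conf.
#
# Use : ./check_ipsecctl_critiques.sh
# check_ipsecctl.sh must be installed (path in CHECK_IPSECCTL below).
# Do not forget to also set the variables under "Additional check with ping":
# VPNS, the per-VPN destination IP lists (<vpn>_IP) and the source IPs in
# "case $vpn in".
# If needed, you can customise "local_ip" if the local IP used for ipsec is not
# the default one, or if multiple IPs are used (e.g. "local_ip=192.0.2.[12]" if
# 192.0.2.1 and 192.0.2.2 are both used).
#
# Exit status follows the Nagios convention used by this script: 0 = OK,
# 2 = CRITICAL. "set -e" is deliberately not used: a failing probe has to be
# reported as a plugin status, not abort the script with an unexpected code.

# Variables
CHECK_IPSECCTL="/usr/local/libexec/nagios/plugins/check_ipsecctl.sh"
STATUS=0
VPN_KO=""

# Interface carrying the default IPv4 route (pppoe0 excluded) and its first
# IPv4 address. Matching on the first field only avoids picking the "inet6"
# line, which a plain "grep inet" would also match.
default_int=$(route -n show -inet | grep default | awk '{ print $8 }' | grep -v pppoe0)
default_ip=$(ifconfig "$default_int" | awk '$1 == "inet" { print $2; exit }')

# No check if CARP backup
carp=$(/sbin/ifconfig carp0 2>/dev/null | /usr/bin/grep 'status' | cut -d' ' -f2)
if [ "$carp" = "backup" ]; then
  echo "It's alright I'm just a backup!"
  exit 0
fi

# First check that isakmpd is running
if ! /usr/sbin/rcctl check isakmpd >/dev/null; then
  echo "CRITICAL : The isakmpd daemon is down. Start it with : rcctl start isakmpd && ipsecctl -f /etc/ipsec.conf"
  STATUS=2
fi

# Make sure "0.0.0.0" is not configured
if /sbin/ipsecctl -sa | grep -qF " 0.0.0.0"; then
  echo "CRITICAL : Configuration error on client side, \"0.0.0.0\" is configured and makes the network to bug. Check with \"ipsecctl -sa | grep -F 0.0.0.0\" which VPN is affected and shut it down, and contact the client or the VPN provider to solve the problem."
  STATUS=2
fi

# Check with "ipsecctl -sa"
# The second field of each non-comment line of ipsec.conf is presumably the
# quoted path of a per-VPN file ("/etc/ipsec/NAME.conf"); basename drops the
# directory and the trailing .conf" so that only NAME is left.
for vpn in $(grep -v "^#" /etc/ipsec.conf | awk '{ print $2 }'); do
  vpn=$(basename "$vpn" .conf\")
  local_ip=$default_ip
  # First dotted quad found on a non-comment "remote_ip" line of the VPN file.
  remote_ip=$(grep -E "remote_ip" /etc/ipsec/"${vpn}".conf | grep -v "^#" | grep -o "[0-9]*\.[0-9]*\.[0-9]*\.[0-9]*")
  if ! "$CHECK_IPSECCTL" "$local_ip" "$remote_ip" "$vpn" >/dev/null; then
    STATUS=2
    VPN_KO="$VPN_KO $vpn"
  fi
done

# Additional check with ping because "ipsecctl -sa" is not enough, only if
# previous checks didn't fail
if [ "$STATUS" -eq 0 ]; then
  # Definition of VPNs to be checked. These names are also used to build
  # variable names with eval below, so keep them to letters, digits and "_".
  VPNS="A_from_vlan1 A_from_vlan2 B_from_vlan1 C_from_vlan2"
  # Definition of destination IPs (client side) to ping for each VPN; multiple
  # IPs can be given, the check is OK if at least one IP answers for each VPN
  A_from_vlan1_IP="192.168.1.1 192.168.1.50 192.168.1.254"
  A_from_vlan2_IP="192.168.2.1 192.168.2.10"
  B_from_vlan1_IP="172.16.1.1"
  C_from_vlan2_IP="10.0.1.1 10.0.1.5"

  for vpn in $VPNS; do
    # dst_ip takes the value of <vpn>_IP. eval is acceptable here only because
    # $vpn comes from the hard-coded VPNS list above, never from external input.
    eval "dst_ip=\$${vpn}_IP"
    pingok=0
    # Definition of the source IP of the ping according to the source network
    # used (our side, adjust the -I option). A VPN matching neither pattern
    # gets no ping at all and is therefore reported as down.
    case $vpn in
      *vlan1*) src_ip=192.168.5.5 ;;
      *vlan2*) src_ip=172.16.2.5 ;;
      *) src_ip="" ;;
    esac
    if [ -n "$src_ip" ]; then
      # $dst_ip is intentionally unquoted: it is a space-separated list.
      for dst in $dst_ip; do
        # Each address is pinged on its own; counting answers per address is
        # what makes "at least one IP answers" work.
        if ping -q -i 0.1 -I "$src_ip" -c 3 -w 1 "$dst" >/dev/null; then
          pingok=$((pingok + 1))
        fi
      done
    fi
    if [ "$pingok" -eq 0 ]; then
      VPN_KO="$VPN_KO $vpn"
    fi
  done
fi

# Final verdict: any VPN listed in VPN_KO is CRITICAL, otherwise propagate the
# status accumulated by the daemon/configuration checks.
if [ -n "$VPN_KO" ]; then
  echo "VPNs down: $VPN_KO"
  exit 2
else
  if [ "$STATUS" -eq 0 ]; then
    echo "ALL VPN(s) UP(s)"
    exit 0
  else
    exit "$STATUS"
  fi
fi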