From fe3d2035f53e054dd6a272d7f5f6c0fe3816cbfb Mon Sep 17 00:00:00 2001
From: Jeremy Dubois
Date: Fri, 15 Oct 2021 11:55:46 +0200
Subject: [PATCH] Add full ipsecctl check script

Different ipsecctl checks are currently used one the servers with no convention, so I created one template with all that has to be checked.
---
 .../plugins_bsd/check_ipsecctl_critiques.sh | 89 +++++++++++++++++++
 roles/nagios-nrpe/tasks/main.yml | 1 +
 2 files changed, 90 insertions(+)
 create mode 100755 roles/nagios-nrpe/files/plugins_bsd/check_ipsecctl_critiques.sh

diff --git a/roles/nagios-nrpe/files/plugins_bsd/check_ipsecctl_critiques.sh b/roles/nagios-nrpe/files/plugins_bsd/check_ipsecctl_critiques.sh
new file mode 100755
index 0000000..4428d74
--- /dev/null
+++ b/roles/nagios-nrpe/files/plugins_bsd/check_ipsecctl_critiques.sh
@@ -0,0 +1,89 @@
+#!/bin/sh
+
+# Variables
+
+CHECK_IPSECCTL="/usr/local/libexec/nagios/check_ipsecctl.sh"
+STATUS=0
+VPN_KO=""
+
+default_int=$(route -n show | grep default | awk '{ print $8 }' | grep -v pppoe0)
+default_ip=$(ifconfig $default_int | grep inet | head -1 | awk '{ print $2 }')
+
+# No check if CARP backup
+
+carp=$(/sbin/ifconfig carp0 2>/dev/null | /usr/bin/grep 'status' | cut -d' ' -f2)
+
+if [ "$carp" = "backup" ]; then
+ echo "It's alright I'm just a backup!"
+ exit 0
+fi
+
+# First check that isakmpd is running
+
+if ! /usr/sbin/rcctl check isakmpd >/dev/null; then
+ echo "CRITICAL : The isakmpd daemon is down. Start it with : rcctl start isakmpd && ipsecctl -f /etc/ipsec.conf"
+ STATUS=2
+fi
+
+# Make sure "0.0.0.0" is not configured
+
+if /sbin/ipsecctl -sa | grep -qF 0.0.0.0; then
+ echo "CRITICAL : Configuration error on client side, \"0.0.0.0\" is configured and makes the network to bug. Check with \"ipsecctl -sa | grep -F 0.0.0.0\" which VPN is affected and shut it down, and contact the client or the VPN provider to solve the problem."
+ STATUS=2
+fi
+
+# Check with "ipsecctl -sa"
+
+for vpn in $(cat /etc/ipsec.conf | grep -v "^#" | awk '{print $2}'); do
+ vpn=$(basename $vpn .conf\")
+ local_ip=$default_ip
+ remote_ip=$(grep -E "remote_ip" /etc/ipsec/${vpn}.conf | grep -v "^#" | grep -o "[0-9]*\.[0-9]*\.[0-9]*\.[0-9]*")
+ $CHECK_IPSECCTL $local_ip $remote_ip "$vpn" > /dev/null
+ if [ $? -ne 0 ]; then
+ STATUS=2
+ VPN_KO="$VPN_KO $vpn"
+ fi
+done
+
+# Additional check with ping because "ipsecctl -sa" is not enough, only if previous checks didn't fail
+
+if [ $STATUS -eq 0 ]; then
+
+ # Definition of VPNs to be checked
+ VPNS="A_from_vlan1 A_from_vlan2 B_from_vlan1 C_from_vlan2"
+
+ # Definition of destination IPs (client side) to ping for each VPN
+ A_from_vlan1_IP="192.168.1.1"
+ A_from_vlan2_IP="192.168.2.1"
+
+ B_from_vlan1_IP="172.16.1.1"
+
+ C_from_vlan2_IP="10.0.1.1"
+
+ for vpn in $VPNS; do
+ # dst_ip takes the value of VPNS_IP
+ eval dst_ip=\$${vpn}_IP
+
+ # Definition of the source IP of the ping according to the source network used (our side, adjust the -I option)
+ case $vpn in
+ *vlan1*) ping -q -i 0.1 -I 192.168.5.5 -c 3 -w 1 $dst_ip >/dev/null ;;
+ *vlan2*) ping -q -i 0.1 -I 172.16.2.5 -c 3 -w 1 $dst_ip >/dev/null ;;
+ esac
+
+ if [ $? -ne 0 ]; then
+ VPN_KO="$VPN_KO $vpn"
+ fi
+ done
+fi
+
+if [ -n "$VPN_KO" ]; then
+ echo "VPNs down:$VPN_KO"
+ exit 2
+else
+ if [ "$STATUS" -eq 0 ]; then
+ echo "ALL VPN(s) UP(s)"
+ exit 0
+ else
+ exit $STATUS
+ fi
+fi
diff --git a/roles/nagios-nrpe/tasks/main.yml b/roles/nagios-nrpe/tasks/main.yml
index 85571ce..e82a151 100644
--- a/roles/nagios-nrpe/tasks/main.yml
+++ b/roles/nagios-nrpe/tasks/main.yml
@@ -50,6 +50,7 @@
 - {name: 'check_carp_if', force: true}
 - {name: 'check_connections_state.sh', force: false}
 - {name: 'check_ipsecctl.sh', force: false}
+ - {name: 'check_ipsecctl_critiques.sh', force: false}
 - {name: 'check_openbgpd', force: true}
 - {name: 'check_openvpn', force: false}
 - {name: 'check_openvpn.pl', force: true}
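Review bot: A VPN listed in `VPNS` whose name matches neither `*vlan1*` nor `*vlan2*` is reported as up without ever being pinged, because when no `case` arm runs, `$?` after `esac` is 0 and the following `[ $? -ne 0 ]` never fires; a default arm such as `*) echo "no source IP defined for $vpn" >&2; false ;;` turns the gap into a detected failure. The `eval dst_ip=\$${vpn}_IP` indirection is only safe while `VPNS` remains a hard-coded list, and since this script is meant as a template whose names are edited per server, moving the destination IP into the same `case` (`*vlan1*) dst_ip=192.168.1.1; src_ip=192.168.5.5 ;;`) would remove the `eval` altogether. `default_ip` is derived from `ifconfig $default_int` with `default_int` unquoted, so an empty or multi-line value (e.g. more than one line matching `default` in `route -n show`) silently yields a wrong `local_ip` for every `check_ipsecctl.sh` call; quoting it and exiting with an UNKNOWN status when it is empty would make that failure visible in Nagios instead of masquerading as a VPN outage.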