[Openswan Users] tunnel monitoring and alerting
samuel_formulaires
samuel_formulaires at numlog.fr
Wed May 27 12:59:50 EDT 2009
richard witt wrote:
>What is everyone else using to alert when tunnels go down? We have
>MANY site to site tunnels and it seems here lately that some of them
>tend to drop for some reason and we are not alerted until the next
>day. I was thinking about just using some kind of regex tool like SEC
>to monitor the logs and then fire off an alert, but SNMP with nagios
>or solarwinds would probably be a better solution if we could get
>those to work
>
>
My suggestions:
- You can use a modified _updown script that sends
email/snmptrap/whatever in case of start) or down) tunnel.
- And use Dead Peer Detection to really shut them down, otherwise tunnels
may remain stuck in a bad state.
- syslog-ng allows sending emails or launching any command with pattern
matching in logtext... No need to monitor the logs, no worry if logs
rotate, it is activated right when the log line is... logged. Try
syslog-ng on the VPN gateway.
- Write a script that sends traffic through tunnels (pings, SNMP
checks...) and does ipsec auto --up/down in case of no response.
>We would also like the ability to monitor the tunnels for the amount
>of traffic going across them. We are constantly having to "prove" that
>the tunnels are working fine and that the "slowness" is actually the
>applications that are going across the tunnels and their response
>times. We currently use Cacti to monitor all of our
>switches/routers/servers for this kind of information but I have not
>see where we can monitor the tunnel traffic between sites. Any
>suggestions/help would be appreciated.
>
>
If you use KLIPS, just use Cacti on interface ipsec0; you'll get VPN traffic.
If you don't, or need stats from/to LANx to/from LANy, then try marking
packets from/to/between sites with iptables+mangle and do a script that
polls/parses the result of "iptables -nvL -t mangle"; this kind of
script may even be integrated in Cacti, I don't know.
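One way to poll those mangle counters for Cacti, as an added example that is not from the original post or from Openswan: it assumes per-site MARK rules in the mangle table whose source/destination columns identify the LAN pair (the rule layout, addresses and counter values below are constructed), and it expands the K/M/G abbreviations that `iptables -nvL` uses without `-x`.

```shell
#!/bin/sh
# Added example, not from the original post: turn the byte counters of
# per-site MARK rules ("iptables -nvL -t mangle") into the "name:value"
# lines a Cacti data-input script returns.

# Constructed sample of "iptables -nvL -t mangle" output. Without -x,
# iptables prints counters >= 1000 abbreviated (1000-based K/M/G), so
# "98K" is approximately 98000 bytes; run with -x for exact values.
SAMPLE='Chain PREROUTING (policy ACCEPT 12345 packets, 6789012 bytes)
 pkts bytes target     prot opt in     out     source               destination
 1024  98K MARK       all  --  *      *       10.1.0.0/24          10.2.0.0/24          MARK set 0x12
  512 40960 MARK       all  --  *      *       10.2.0.0/24          10.1.0.0/24          MARK set 0x21

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination'

# tunnel_bytes SRC DST: read iptables -nvL output on stdin and print the
# byte counter of the first MARK rule matching SRC -> DST, expanding the
# K/M/G suffix. Prints nothing (and returns 1) when no rule matches.
tunnel_bytes() {
    awk -v src="$1" -v dst="$2" '
        # columns: pkts bytes target prot opt in out source destination
        $3 == "MARK" && $8 == src && $9 == dst {
            n = $2; mult = 1
            u = substr(n, length(n), 1)
            if (u == "K") mult = 1000
            else if (u == "M") mult = 1000000
            else if (u == "G") mult = 1000000000
            if (mult > 1) n = substr(n, 1, length(n) - 1)
            printf "%d\n", n * mult
            found = 1; exit
        }
        END { exit found ? 0 : 1 }'
}

# site_counters LAN_A LAN_B: both directions in Cacti's "name:value" form,
# so a missing rule shows up as 0 on the graph instead of an empty field.
site_counters() {
    data=$(cat)
    out=$(printf '%s\n' "$data" | tunnel_bytes "$1" "$2")
    in=$(printf '%s\n' "$data" | tunnel_bytes "$2" "$1")
    printf 'out:%s in:%s\n' "${out:-0}" "${in:-0}"
}

# Demo on the constructed sample; on a gateway use instead:
#   iptables -nvxL -t mangle | site_counters 10.1.0.0/24 10.2.0.0/24
printf '%s\n' "$SAMPLE" | site_counters 10.1.0.0/24 10.2.0.0/24
```

The printed line for the sample is `out:98000 in:40960`; Cacti reads such output directly as a script-based data source, so only the rule set and the LAN pair need adjusting per site.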