[Openswan Users] tunnel monitoring and alerting

Paul Wouters paul at xelerance.com
Wed May 27 13:53:40 EDT 2009


On Wed, 27 May 2009, samuel_formulaires wrote:

>> What is everyone else using to alert when tunnels go down? We have
>> MANY site to site tunnels and it seems here lately that some of them
>> tend to drop for some reason and we are not alerted until the next
>> day. I was thinking about just using some kind of regex tool like SEC
>> to monitor the logs and then fire off an alert, but SNMP with nagios
>> or solarwinds would probably be a better solution if we could get
>> those to work
>>
>>
> My suggestions :
> - You can use a modified _updown script, that sends
> email/snmptrap/whatever in case of start) or down) tunnel.
> - And use Dead Peer Detection to really shut them down, otherwise tunnels
> may remain stuck in a bad state
> - syslog-ng allows sending emails or launching any command with pattern
> matching in logtext... No need to monitor the logs, no worry if logs
> rotate, it is activated right when the log line is... logged. Try
> syslog-ng on the VPN gateway.
> - Write a script that sends traffic through tunnels (pings, SNMP
> checks...) and does ipsec auto --up/down in case of no response

You can also enable HAVE_STATSD and make every tunnel status change go
to a specific binary/script to handle notifications.

>> We would also like the ability to monitor the tunnels for the amount
>> of traffic going across them. We are constantly having to "prove" that
>> the tunnels are working fine and that the "slowness" is actually the
>> applications that are going across the tunnels and their response
>> times. We currently use Cacti to monitor all of our
>> switches/routers/servers for this kind of information but I have not
>> seen where we can monitor the tunnel traffic between sites. Any
>> suggestions/help would be appreciated.
>>
>>
> If you use KLIPS, just use Cacti on interface ipsec0, you'll get VPN traffic
> If you don't,

NETKEY does keep track of the amount of traffic, but I don't think we
currently implement a way of obtaining that information in the userland.

Patches or donations welcome :)

Paul
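One way to implement the modified _updown hook suggested above, as an added example that is not from the list posters or from Openswan itself: a wrapper that reports client up/down verbs before handing the event to the stock _updown. The PLUTO_VERB, PLUTO_CONNECTION and PLUTO_PEER variable names follow Openswan's own _updown; the /usr/lib/ipsec/_updown path, the _updown.alert file name and the default logger alert command are assumptions.

```shell
#!/bin/sh
# Added example (not from the mailing list): a notification hook in the style
# of a modified _updown script. Openswan runs _updown with the tunnel state in
# PLUTO_VERB (e.g. up-client, down-client), the connection name in
# PLUTO_CONNECTION and the remote gateway in PLUTO_PEER (names assumed from
# Openswan's own _updown). ALERT_CMD is a placeholder: point it at
# sendmail, snmptrap or whatever your monitoring takes.

ALERT_CMD="${ALERT_CMD:-logger -t ipsec-alert}"

# classify_verb: map an _updown verb to "up", "down" or "ignore".
# Only the client verbs are reported, so host-route setup does not alert.
classify_verb() {
    case "$1" in
        up-client|up-client-v6)     echo up ;;
        down-client|down-client-v6) echo down ;;
        *)                          echo ignore ;;
    esac
}

# format_alert: build the one-line message for a tunnel state change.
format_alert() {
    conn="$1"; state="$2"; peer="$3"
    printf 'tunnel %s %s (peer %s)\n' "$conn" "$state" "$peer"
}

# notify_state_change: reads the PLUTO_* environment of a real _updown run;
# returns 0 if an alert was sent, 1 if the verb is not one we report on.
notify_state_change() {
    state=$(classify_verb "${PLUTO_VERB:-}")
    [ "$state" = ignore ] && return 1
    format_alert "${PLUTO_CONNECTION:-unknown}" "$state" "${PLUTO_PEER:-?}" | $ALERT_CMD
    return 0
}

# When installed as the hook itself (assumed file name _updown.alert), alert
# and then exec the original script so routes and policies still get installed.
if [ "${0##*/}" = "_updown.alert" ]; then
    notify_state_change
    exec /usr/lib/ipsec/_updown "$@"   # path is an assumption; adjust to your install
fi
```

Point the connection at it with `leftupdown=/path/to/_updown.alert` in ipsec.conf so every state change passes through the hook.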

