Introduction
This is a small script that is used for monitoring hostnames for a change and replacing FreeS/WAN IPSec connections accordingly. I use this for the following setup: Two boxes (we call them A and B), each on an ADSL line with a dynamic IP. I have a tunnel established using a dynamic DNS provider (using dyndns.org but that should work with any dynamic DNS provider). The FreeS/WAN connection might look like the following:
conn ac-home
    auto=start
    authby=rsasig
    # Left security gateway, subnet behind it
    # left=%defaultroute
    left=left.niemueller.de
    leftid=@left.niemueller.de
    leftsubnet=192.168.1.0/24
    leftrsasigkey=YOUR_LEFT_KEY
    # Right security gateway, subnet behind it
    # right=right.niemueller.de
    right=%defaultroute
    rightid=@right.niemueller.de
    rightsubnet=192.168.2.0/24
    rightrsasigkey=YOUR_RIGHT_KEY
This is my connection from home to university flat. Use the commented out left and right for the other side. This setup was basically taken from c't 16/02, a German computer magazine, good reading!
The problem is now the following: Every 24 hours the provider kicks you out and you have to reconnect, which is meant to prevent you from using your dynamic IP as a quasi-static IP. So now FreeS/WAN has to reconnect as well. But it looks up the names only when ADDING a connection, so a reconnect from another IP is not possible. You will get log entries like
"packet from IP:500: initial Main Mode message received on IP:500 but no connection has been authorized"
So we have to monitor the lookup for the hostname and restart the connection if the address changes. This is what ipsec_monitor does.
Execute the program without arguments and it will show you a short usage message. That should be simple enough to get you going. If not: "Read the source, Luke".
There is a helper script called ipsec_helper_ac-home. I use that to make it possible to ping the gateways themselves.
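An added example (not the ipsec_monitor source, which is only in the download) of the check described above: re-resolve the peer's hostname and, only when a valid and changed IPv4 address comes back, run ipsec auto --replace and --up for the connection. The function names, the STATE_DIR path, the RESOLVER and IPSEC_CMD overrides and the use of glibc's getent are assumptions of this example.

```shell
#!/bin/sh
# Added example; NOT the ipsec_monitor source. Hypothetical names: resolve_host,
# is_ipv4, check_peer, STATE_DIR, RESOLVER, IPSEC_CMD.
STATE_DIR="${STATE_DIR:-/var/run/ipsec_monitor_example}"  # assumed path
RESOLVER="${RESOLVER:-resolve_host}"    # overridable for dry runs
IPSEC_CMD="${IPSEC_CMD:-ipsec}"         # overridable for dry runs

# First IPv4 address of a hostname via the system resolver (glibc getent).
resolve_host() {
    getent ahostsv4 "$1" | awk 'NR == 1 { print $1 }'
}

# Succeed only for a dotted quad with octets 0-255, so an empty or odd
# lookup result can never trigger a tunnel restart.
is_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++)
              if ($i !~ /^[0-9]+$/ || length($i) > 3 || $i > 255) exit 1 }'
}

# check_peer CONN HOST
# Returns 0 = address unchanged, 10 = connection replaced,
#         1 = lookup or ipsec failed (state left untouched).
check_peer() {
    conn=$1
    host=$2
    state="$STATE_DIR/${conn}.addr"
    new=$($RESOLVER "$host" 2>/dev/null)
    if ! is_ipv4 "$new"; then
        echo "$host: lookup failed, leaving $conn alone" >&2
        return 1
    fi
    old=$(cat "$state" 2>/dev/null)
    [ "$new" = "$old" ] && return 0     # also false on the first run (no state)
    mkdir -p "$STATE_DIR" || return 1
    # --replace re-adds the conn (names are resolved again), --up negotiates.
    "$IPSEC_CMD" auto --replace "$conn" && "$IPSEC_CMD" auto --up "$conn" || return 1
    echo "$new" > "$state"
    echo "$host: ${old:-unknown} -> $new, replaced $conn" >&2
    return 10
}

# Poll once a minute when started as: script --run CONN HOST
if [ "${1:-}" = "--run" ]; then
    while :; do check_peer "$2" "$3"; sleep 60; done
fi
```

Because the connection uses authby=rsasig with fixed IDs, a wrong DNS answer can stall the tunnel, but whatever host sits at that address still has to pass RSA authentication.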
Download
News scripts are released and distributed under the terms of the GNU General Public License (GPL). By downloading and/or using the software you agree to this license!
You may download the news management scripts as a .tar.gz file.
Latest version is 0.1.
| ipsec_monitor scripts and helper | .tar.gz (3529 Bytes) |







