Author Topic: Use Ipsec as a backup route  (Read 5229 times)

marcelloc
Use Ipsec as a backup route
« on: October 14, 2011, 09:34:01 am »
Is there something already done to use IPsec as a backup route? When the private links fail, establish IPsec over the internet.

If so, how do I enable it on pfSense 2?

If not, this is a first try at doing it with crontab + a PHP script.
Current stage is beta.

Code:
<?php
require_once("util.inc");
require_once("functions.inc");
require_once("pkg-utils.inc");
require_once("globals.inc");
require_once("filter.inc");
require_once("shaper.inc");
require_once("ipsec.inc");
require_once("vpn.inc");

$ipsec = $config['ipsec'];

// The last argument is the host to check; it must be a valid IP address.
$host = array_pop($argv);
if (!is_ipaddr($host)) {
        print "invalid ip address!\n";
        exit(1);
}

// Drop the script name; the remaining arguments are passed on to ping.
array_shift($argv);
// Quote each argument so the shell hands it to ping as a literal value.
$args = implode(" ", array_map('escapeshellarg', $argv));

// Ping up to three times; a later ping only runs if the previous one succeeded.
$exit2 = 0;
$exit3 = 0;
exec("/sbin/ping -c 1 -t 1 $args $host", $ret, $exit1);
if ($exit1 == 0) exec("/sbin/ping -c 1 -t 1 $args $host", $ret, $exit2);
if ($exit2 == 0) exec("/sbin/ping -c 1 -t 1 $args $host", $ret, $exit3);

// The sum is 0 only when every ping that ran returned 0.
$exit = ($exit1 + $exit2 + $exit3);
if ($exit == 0) {
        # link online
        if (array_key_exists("enable", $ipsec)) {
                print "link online, disabling ipsec\n";
                unset($config['ipsec']['enable']);
                write_config();
                vpn_ipsec_configure();
                vpn_ipsec_refresh_policies();
                filter_configure();
        }
        else
                print "link online\n";
}
else {
        # link offline
        if (!array_key_exists("enable", $ipsec)) {
                print "link offline, enabling ipsec\n";
                $config['ipsec']['enable'] = "";
                write_config();
                vpn_ipsec_configure();
                vpn_ipsec_refresh_policies();
                filter_configure();
        }
        else
                print "link offline\n";
}
?>

Save it as /var/www/checklink.php and run it from cron. Pass any icmp args, with the host you want to check as the last argument.

sample: php -q  /var/www/checklink.php -s 172.16.5.6 172.16.2.7 (if 172.16.2.7 ping fails, then ipsec will be enabled)


Thanks for any help on answering or testing

att,
Marcello Coutinho
« Last Edit: October 14, 2011, 09:36:10 am by marcelloc »