
Author Topic: Monitoring IPSec with SNMP  (Read 246 times)


mattboston (Newbie)
Monitoring IPSec with SNMP
« on: March 17, 2017, 06:57:12 am »
I'm running pfSense 2.3.2 and I already have existing monitors set up in my Icinga system to monitor remote IP addresses of my client's system, but I'd like to be able to monitor if the Phase 1 or Phase 2 tunnels drop. Is this possible with SNMP? The reason the IP monitor isn't ideal is because our client sometimes takes the remote server offline for maintenance and doesn't tell us. So we'd like to be alerted if the server goes down (server ping/port connection) and have an IPSec monitor if the tunnel drops. If not, can a script be written to give me the same details that I can have Icinga/NRPE execute?

jimp (Administrator)
Re: Monitoring IPSec with SNMP
« Reply #1 on: March 20, 2017, 10:19:49 am »
It is not possible via the built-in SNMP, but it can be done with the net-snmp package using extended commands. You'd have to set up one extended command per tunnel that would check the output of, for example, "ipsec status con1000" for the first P2 of the first P1, "ipsec status con1001" for the second P2 of the first P1, "ipsec status con2000" for the first P2 of the second P1, and so on. Not so simple, but it can be done.
Need help fast? Commercial Support!

Co-Author of pfSense: The Definitive Guide. - Check the Doc Wiki for FAQs.

Do not PM for help!
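The per-tunnel check described in the reply above, written out as an added example (not code from the thread, pfSense, or Netgate): an NRPE-style plugin script that wraps "ipsec status <name>" and maps the result to the exit codes Icinga/NRPE expects, so the same script can back either an NRPE check or a net-snmp "extend" line. The script name check_ipsec_tunnel.sh is hypothetical, the connection names follow the con1000/con1001/con2000 scheme mentioned in the reply, and the "ipsec status" layout it parses (IKE SA as "name[N]: ESTABLISHED ...", child SA as "name{N}: INSTALLED, ...") is assumed from strongSwan's usual output; the sample status text embedded for the offline demo is constructed.

```shell
#!/bin/sh
# Added example (not pfSense's or Netgate's code): an NRPE-style check for one
# strongSwan connection, built on the "ipsec status <name>" idea from the reply
# above. Exit codes follow the Nagios plugin convention that Icinga/NRPE expect.
# Assumption: "ipsec status" prints the IKE SA as "name[N]: ESTABLISHED ..." and
# each child SA as "name{N}: INSTALLED, ..." (strongSwan's usual layout).

OK=0; WARNING=1; CRITICAL=2; UNKNOWN=3

# Constructed sample of "ipsec status" output used for the offline demo/test:
# con1000 is fully up, con1001 has its IKE SA but no child SA installed, and
# con2000 is absent entirely (e.g. the peer was taken down for maintenance).
SAMPLE_STATUS='Security Associations (2 up, 0 connecting):
     con1000[3]: ESTABLISHED 2 hours ago, 203.0.113.10[203.0.113.10]...198.51.100.20[198.51.100.20]
     con1000{5}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c0a1b2c3_i c3b2a1c0_o
     con1000{5}:   10.10.0.0/24 === 192.168.50.0/24
     con1001[4]: ESTABLISHED 5 minutes ago, 203.0.113.10[203.0.113.10]...198.51.100.30[198.51.100.30]'

# evaluate_status NAME STATUS_TEXT
# Prints the plugin output line and returns OK (P1 and P2 up), WARNING (P1 up
# but no P2 installed) or CRITICAL (no established IKE SA for that name).
evaluate_status() {
  name="$1"
  status="$2"
  # grep -c prints 0 on no match but exits 1; "|| true" keeps set -e callers happy.
  ike_up=$(printf '%s\n' "$status" \
    | grep -Ec "^[[:space:]]*${name}\[[0-9]+\]:[[:space:]]+ESTABLISHED" || true)
  child_up=$(printf '%s\n' "$status" \
    | grep -Ec "^[[:space:]]*${name}\{[0-9]+\}:[[:space:]]+INSTALLED" || true)

  if [ "$ike_up" -gt 0 ] && [ "$child_up" -gt 0 ]; then
    echo "IPSEC OK - $name: IKE SA established, $child_up child SA(s) installed"
    return $OK
  elif [ "$ike_up" -gt 0 ]; then
    echo "IPSEC WARNING - $name: IKE SA established but no child SA installed"
    return $WARNING
  else
    echo "IPSEC CRITICAL - $name: no established IKE SA"
    return $CRITICAL
  fi
}

# check_tunnel NAME: live check, runs "ipsec status NAME" on the firewall itself.
check_tunnel() {
  if ! command -v ipsec >/dev/null 2>&1; then
    echo "IPSEC UNKNOWN - ipsec command not found"
    return $UNKNOWN
  fi
  evaluate_status "$1" "$(ipsec status "$1" 2>&1)"
}

# Usage on the firewall (from NRPE, or via a net-snmp "extend" entry per tunnel):
#   sh check_ipsec_tunnel.sh con1000
# Offline demo against the constructed sample above:
#   sh check_ipsec_tunnel.sh --demo
case "${1:-}" in
  --demo)
    for c in con1000 con1001 con2000; do
      evaluate_status "$c" "$SAMPLE_STATUS" || true
    done ;;
  "") ;;
  *) check_tunnel "$1"; exit $? ;;
esac
```

One script per connection name keeps each tunnel as its own service in Icinga, which is what makes a dropped P2 distinguishable from the peer host simply being offline: the ping check goes CRITICAL for the maintenance case, while this check tells you whether the IKE SA (P1) survived and whether the child SA (P2) is actually installed.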

mattboston (Newbie)
Re: Monitoring IPSec with SNMP
« Reply #2 on: March 20, 2017, 10:20:41 am »
OK, let me take a look at the ipsec command. Thanks.