-#!/bin/sh
-# IPsec startup and shutdown script
-# Copyright (C) 1998, 1999, 2001 Henry Spencer.
-# Copyright (C) 2002 Michael Richardson <mcr@freeswan.org>
-#
-# This program is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by the
-# Free Software Foundation; either version 2 of the License, or (at your
-# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
-# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-# for more details.
-#
-# RCSID $Id: setup.in,v 1.122.6.3 2006/10/26 23:54:32 paul Exp $
-#
-# ipsec init.d script for starting and stopping
-# the IPsec security subsystem (KLIPS and Pluto).
-#
-# This script becomes /etc/rc.d/init.d/ipsec (or possibly /etc/init.d/ipsec)
-# and is also accessible as "ipsec setup" (the preferred route for human
-# invocation).
-#
-# The startup and shutdown times are a difficult compromise (in particular,
-# it is almost impossible to reconcile them with the insanely early/late
-# times of NFS filesystem startup/shutdown). Startup is after startup of
-# syslog and pcmcia support; shutdown is just before shutdown of syslog.
-#
-# chkconfig: 2345 47 76
-# description: IPsec provides encrypted and authenticated communications; \
-# KLIPS is the kernel half of it, Pluto is the user-level management daemon.
-
-me='ipsec setup' # for messages
-
-# where the private directory and the config files are
-IPSEC_EXECDIR="${IPSEC_EXECDIR-/usr/libexec/ipsec}"
-IPSEC_LIBDIR="${IPSEC_LIBDIR-/usr/lib/ipsec}"
-IPSEC_SBINDIR="${IPSEC_SBINDIR-/usr/sbin}"
-IPSEC_CONFS="${IPSEC_CONFS-/etc}"
-
-if test " $IPSEC_DIR" = " " # if we were not called by the ipsec command
-then
- # we must establish a suitable PATH ourselves
- PATH="${IPSEC_SBINDIR}":/sbin:/usr/sbin:/usr/local/bin:/bin:/usr/bin
- export PATH
-
- IPSEC_DIR="$IPSEC_LIBDIR"
- export IPSEC_DIR IPSEC_CONFS IPSEC_LIBDIR IPSEC_EXECDIR
-fi
-
-# Check that the ipsec command is available.
-found=
-for dir in `echo $PATH | tr ':' ' '`
-do
- if test -f $dir/ipsec -a -x $dir/ipsec
- then
- found=yes
- break # NOTE BREAK OUT
- fi
-done
-if ! test "$found"
-then
- echo "cannot find ipsec command -- \`$1' aborted" |
- logger -s -p daemon.error -t ipsec_setup
- exit 1
-fi
-
-# accept a few flags
-
-export IPSEC_setupflags
-IPSEC_setupflags=""
-
-config=""
-
-for dummy
-do
- case "$1" in
- --showonly|--show) IPSEC_setupflags="$1" ;;
- --config) config="--config $2" ; shift ;;
- *) break ;;
- esac
- shift
-done
-
-
-# Pick up IPsec configuration (until we have done this, successfully, we
-# do not know where errors should go, hence the explicit "daemon.error"s.)
-# Note the "--export", which exports the variables created.
-eval `ipsec _confread $config --optional --varprefix IPSEC --export --type config setup`
-
-if test " $IPSEC_confreadstatus" != " "
-then
- case $1 in
- stop|--stop|_autostop)
- echo "$IPSEC_confreadstatus -- \`$1' may not work" |
- logger -s -p daemon.error -t ipsec_setup;;
-
- *) echo "$IPSEC_confreadstatus -- \`$1' aborted" |
- logger -s -p daemon.error -t ipsec_setup;
- exit 1;;
- esac
-fi
-
-IPSEC_confreadsection=${IPSEC_confreadsection:-setup}
-export IPSEC_confreadsection
-
-IPSECsyslog=${IPSECsyslog-daemon.error}
-export IPSECsyslog
-
-# misc setup
-umask 022
-
-mkdir -p /var/run/pluto
-
-
-# do it
-case "$1" in
- start|--start|stop|--stop|_autostop|_autostart)
- wanttodo=$1
- if test " `id -u`" != " 0"
- then
- echo "permission denied (must be superuser)" |
- logger -s -p $IPSECsyslog -t ipsec_setup 2>&1
- exit 1
- fi
- tmp=/var/run/pluto/ipsec_setup.st
- outtmp=/var/run/pluto/ipsec_setup.out
- (
- ipsec _realsetup $1
- echo "$?" >$tmp
- ) > ${outtmp} 2>&1
- st=$?
- if test -f $tmp
- then
- st=`cat $tmp`
- rm -f $tmp
- fi
- if [ -f ${outtmp} ]; then
- cat ${outtmp} | logger -s -p $IPSECsyslog -t ipsec_setup 2>&1
- rm -f ${outtmp}
- fi
- if [ "$wanttodo" = "start" -o "$wanttodo" = "--start" -o "$wanttodo" = "_autostart" ]; then
- sleep 20 && chown root:nobody /var/run/pluto -R && chmod 770 /var/run/pluto -R && ln -f /var/run/pluto/pluto.pid /var/run/pluto.pid 2>&1 &
- fi
- exit $st
- ;;
-
- restart|--restart|force-reload)
- $0 $IPSEC_setupflags stop
- $0 $IPSEC_setupflags start
- ;;
-
- _autorestart) # for internal use only
- $0 $IPSEC_setupflags _autostop
- $0 $IPSEC_setupflags _autostart
- ;;
-
- status|--status)
- ipsec _realsetup $1
- exit
- ;;
-
- --version)
- echo "$me $IPSEC_VERSION"
- exit 0
- ;;
-
- --help)
- echo "Usage: $me [ --showonly ] {--start|--stop|--restart}"
- echo " $me --status"
- exit 0
- ;;
-
- *)
- echo "Usage: $me [ --showonly ] {--start|--stop|--restart}"
- echo " $me --status"
- exit 2
-esac
-
-exit 0
+#!/usr/bin/perl
+##################################################
+##### VPN-Watch.pl Version 0.6 #####
+##################################################
+# #
+# VPN-Watch is part of the IPFire Firewall #
+# #
+##################################################
+
+use strict;
+
+require '/var/ipfire/general-functions.pl';
+my @vpnsettings;
+my $i = 0;
+my $file = "/var/run/vpn-watch.pid";
+my $debug = 0;
+
+if ( -e $file ){
+ logger("There my be another vpn-watch runnning because $file exists, vpn-watch will try kill the process.");
+ open(FILE, "<$file");
+ my $PID = <FILE>;
+ close(FILE);
+ system("kill -9 $PID");
+ }
+
+system("echo $$ > $file");
+my $round=0;
+while ( $i == 0){
+ if ($debug){logger("We will wait 60 seconds before next action.");}
+ sleep(60);
+
+ $round++;
+
+ # Reset roundcounter after 10 min. To do established check.
+ if ($round > 9) { $round==0 }
+
+ if (open(FILE, "<${General::swroot}/vpn/config")) { @vpnsettings = <FILE>;
+ close(FILE);
+ unless(@vpnsettings) {exit 1;}
+ }
+
+my $status = `ipsec whack --status`;
+foreach (@vpnsettings){
+ my @settings = split(/,/,$_);
+
+ if ($settings[27] ne 'RED'){next;}
+ if ($settings[4] ne 'net'){next;}
+ if ($settings[1] ne 'on'){next;}chomp($settings[29]);
+ if ($settings[29] ne 'on'){next;}
+
+ my $remotehostname = $settings[11];
+
+ if ($debug){logger("Checking connection to $remotehostname.");}
+
+ my $remoteip = `/usr/bin/ping -c 1 $remotehostname 2>/dev/null | head -n1 | awk '{print \$3}' | tr -d '()' | tr -d ':'`;chomp($remoteip);
+ if ($remoteip eq ""){next;if ($debug){logger("Unable to resolve $remotehostname.");}}
+ my $ipmatch= `echo "$status" | grep '$remoteip' | grep '$settings[2]'`;
+ my $established= `echo "$status" | grep '$settings[2]' | grep 'erouted;'`;
+
+ if ( $ipmatch eq '' && $status ne ''){
+ logger("Remote IP for host $remotehostname($remoteip) has changed, restarting ipsec.");
+ system("/usr/local/bin/ipsecctrl S $settings[0]");
+ $round=0;
+ last; #all connections will reloaded
+ #remove this if ipsecctrl can restart single con again
+ }
+
+ if ($debug){logger("Round=".$round." and established=".$established);}
+
+ if ( ($round == 0) && ($established eq '')) {
+ logger("Connection to $remotehostname($remoteip) not erouted, restarting ipsec.");
+ system("/usr/local/bin/ipsecctrl S $settings[0]");
+ $round=0;
+ last; #all connections will reloaded
+ #remove this if ipsecctrl can restart single con again
+
+ }
+ }
+ if ($debug){logger("All connections may be fine nothing was done.");}
+}
+
+sub logger {
+ my $log = shift;
+ system("logger -t vpnwatch \"$log\"");
+}
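Review bot: Values read from `${General::swroot}/vpn/config` are interpolated into shell commands run by this root daemon — `$remotehostname` in the `ping | head | awk | tr` pipeline, `$remoteip` and `$settings[2]` inside single-quoted `grep` arguments, `$settings[0]` in the `ipsecctrl` call, and `$log` (which carries the hostname) in the double-quoted `logger` invocation — and the PID read from `/var/run/vpn-watch.pid` goes to `system("kill -9 $PID")` without being checked to be numeric, so a config field or pidfile containing shell metacharacters (a hostname with `;`, a connection name with `'`) yields command execution; whether the web UI already rejects such characters is not visible here. Resolve the hostname with `gethostbyname` (the ping is only used to extract the address), match the address and connection name against `$status` in Perl with `index`, use list-form `system` everywhere, and accept the PID only if it matches `/^\s*(\d+)\s*$/` before `kill 9, $PID`. Separately, `if ($round > 9) { $round==0 }` compares instead of assigning, so the counter never resets and the `$round == 0` "not erouted" check never fires, and the debug `logger` call placed after `next` on the `$remoteip eq ""` line is unreachable. Note that with this rewrite `$ipmatch`/`$established` become match counts, so the debug line that prints `$established` shows a number rather than the matched status line.
```perl
# … unchanged: header, use strict, require, pidfile path, debug flag …
if ( -e $file ){
    open(my $pidfh, '<', $file) or die "open $file: $!";
    my $line = <$pidfh>;
    close($pidfh);
    my ($PID) = ($line || '') =~ /^\s*(\d+)\s*$/;   # only accept a bare integer PID
    if ($PID) {
        logger("There my be another vpn-watch runnning because $file exists, vpn-watch will try kill the process.");
        kill 9, $PID;                                 # no shell involved
    }
}
open(my $pidout, '>', $file) or die "open $file: $!";
print {$pidout} "$$\n";
close($pidout);
# … unchanged: loop setup, sleep, config read …
    if ($round > 9) { $round = 0 }                    # was `==`: counter never reset
# … unchanged: per-connection RED/net/on filtering …
    my $packed   = gethostbyname($remotehostname);   # IPv4 only, as the ping parse was
    my $remoteip = $packed ? join('.', unpack('C4', $packed)) : '';
    if ($remoteip eq "") { if ($debug){logger("Unable to resolve $remotehostname.");} next; }
    my @lines       = split /\n/, $status;
    my $ipmatch     = grep { index($_, $remoteip)    >= 0 && index($_, $settings[2]) >= 0 } @lines;
    my $established = grep { index($_, $settings[2]) >= 0 && index($_, 'erouted;')   >= 0 } @lines;
    if ( !$ipmatch && $status ne '' ){
        logger("Remote IP for host $remotehostname($remoteip) has changed, restarting ipsec.");
        system('/usr/local/bin/ipsecctrl', 'S', $settings[0]);
# … unchanged: $round=0 and last …
    if ( ($round == 0) && !$established ) {
        logger("Connection to $remotehostname($remoteip) not erouted, restarting ipsec.");
        system('/usr/local/bin/ipsecctrl', 'S', $settings[0]);
# … unchanged: remainder of the loop …
sub logger {
    my $log = shift;
    system('logger', '-t', 'vpnwatch', $log);         # list form: $log is never parsed by a shell
}
```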