The counter was pending between 0 and 1 and not going up to 9.
If ipsec whack is returning an empty page we do not need to check
if the remoteip has changed because the tunnel is not up.
If ipsec is restarted the counter can be reset.
All these facts cause that on a low-powered system the tunnels are
unstable if you have a lot of them. But we need to check if the
convergence timer is okay because with these bugs the tunnels
were restarted every minute and with correct handling after 10.
srv/web/ipfire/cgi-bin/vpnmain.cgi
usr/sbin/updxlrator
var/ipfire/outgoing/bin/outgoingfw.pl
srv/web/ipfire/cgi-bin/vpnmain.cgi
usr/sbin/updxlrator
var/ipfire/outgoing/bin/outgoingfw.pl
-srv/web/ipfire/cgi-bin/logs.cgi/firewalllog.dat
\ No newline at end of file
+srv/web/ipfire/cgi-bin/logs.cgi/firewalllog.dat
+usr/local/bin/vpn-watch
\ No newline at end of file
#Stop services
echo Stopping Proxy
/etc/init.d/squid stop 2>/dev/null
#Stop services
echo Stopping Proxy
/etc/init.d/squid stop 2>/dev/null
+echo Stopping vpn-watch
+killall vpn-watch
/etc/init.d/squid start 2>/dev/null
echo Rewriting Outgoing FW Rules
/var/ipfire/outgoing/bin/outgoingfw.pl
/etc/init.d/squid start 2>/dev/null
echo Rewriting Outgoing FW Rules
/var/ipfire/outgoing/bin/outgoingfw.pl
+echo Starting vpn-watch
+/usr/local/bin/vpn-watch &
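Review bot: The new `/usr/local/bin/vpn-watch &` line starts the watcher with no pidfile and no check that an instance is already running, and the matching stop in the earlier hunk relies on `killall vpn-watch` finding it by process name, so a second run of this update script, or a watcher started by other means, can leave two instances restarting ipsec in parallel. On a first install there is also no vpn-watch process yet, so `killall vpn-watch` prints a "no process found" message to the console; `killall -q vpn-watch 2>/dev/null` keeps the update output quiet in the same way as the neighbouring squid lines. The backgrounded process inherits this script's stdout and stderr, so unless vpn-watch redirects them itself it stays attached to whatever ran the update, which is worth confirming. A small init-style stop/start wrapper with a pidfile would make both the stop and the start here deterministic.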
#!/usr/bin/perl
##################################################
#!/usr/bin/perl
##################################################
-##### VPN-Watch.pl Version 0.5 #####
+##### VPN-Watch.pl Version 0.6 #####
##################################################
# #
# VPN-Watch is part of the IPFire Firewall #
##################################################
# #
# VPN-Watch is part of the IPFire Firewall #
$round++;
# Reset roundcounter after 10 min. To do established check.
$round++;
# Reset roundcounter after 10 min. To do established check.
- if ($round > 9) { $round=0 }
+ if ($round > 9) { $round==0 }
if (open(FILE, "<${General::swroot}/vpn/config")) { @vpnsettings = <FILE>;
close(FILE);
if (open(FILE, "<${General::swroot}/vpn/config")) { @vpnsettings = <FILE>;
close(FILE);
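Review bot: The reset on the new line `if ($round > 9) { $round==0 }` is a comparison in void context, not an assignment, so `$round` is never set back to 0 once it passes 9; it should read `if ($round > 9) { $round = 0 }`, which is what the removed line already did. Because the later hunk in this file now correctly tests `($round == 0)`, the "not erouted" check fires at most once after startup and then never again, the opposite of the 10-round cadence the description asks for; under `use warnings` perl should report a useless use of `==` in void context here. Separately, the unchanged line `if ($remoteip eq ""){next;if ($debug){logger(...)}}` in the following hunk places the debug logger after `next`, so that message is unreachable; swapping the two statements would make it run. The loop that increments `$round` begins before this hunk.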
my $remoteip = `/usr/bin/ping -c 1 $remotehostname 2>/dev/null | head -n1 | awk '{print \$3}' | tr -d '()' | tr -d ':'`;chomp($remoteip);
if ($remoteip eq ""){next;if ($debug){logger("Unable to resolve $remotehostname.");}}
my $ipmatch= `echo "$status" | grep '$remoteip' | grep '$settings[2]'`;
my $remoteip = `/usr/bin/ping -c 1 $remotehostname 2>/dev/null | head -n1 | awk '{print \$3}' | tr -d '()' | tr -d ':'`;chomp($remoteip);
if ($remoteip eq ""){next;if ($debug){logger("Unable to resolve $remotehostname.");}}
my $ipmatch= `echo "$status" | grep '$remoteip' | grep '$settings[2]'`;
- my $established= `echo "$status" | grep '$settings[2]' | grep 'erouted;'`;
+ my $established= `echo "$status" | grep '$settings[2]' | grep 'erouted;'`;
+ if ( $ipmatch eq '' && $status ne ''){
logger("Remote IP for host $remotehostname($remoteip) has changed, restarting ipsec.");
system("/usr/local/bin/ipsecctrl S $settings[0]");
logger("Remote IP for host $remotehostname($remoteip) has changed, restarting ipsec.");
system("/usr/local/bin/ipsecctrl S $settings[0]");
last; #all connections will reloaded
#remove this if ipsecctrl can restart single con again
}
last; #all connections will reloaded
#remove this if ipsecctrl can restart single con again
}
- if ( ($round = 0) && ($established eq '')) {
+
+ if ($debug){logger("Round=".$round." and established=".$established);}
+
+ if ( ($round == 0) && ($established eq '')) {
logger("Connection to $remotehostname($remoteip) not erouted, restarting ipsec.");
system("/usr/local/bin/ipsecctrl S $settings[0]");
logger("Connection to $remotehostname($remoteip) not erouted, restarting ipsec.");
system("/usr/local/bin/ipsecctrl S $settings[0]");
last; #all connections will reloaded
#remove this if ipsecctrl can restart single con again
last; #all connections will reloaded
#remove this if ipsecctrl can restart single con again