====== check_ipsec2 ======
===== Howto =====
check_ipsec2 v1.0rc1 (nagios-plugins 1.4.15)
The nagios plugins come with ABSOLUTELY NO WARRANTY. You may redistribute
copies of the plugins under the terms of the GNU General Public License.
For more information about these matters, see the file named COPYING.
sudoers entry:
nagios ALL=(root) NOPASSWD: /usr/lib/nagios/plugins/check_ipsec2
nrpe_local.cfg entry:
command[check_ipsec2]=sudo /usr/lib/nagios/plugins/check_ipsec2 $ARG1$
/etc/nagios/ipsec_gateways.txt entry:
CON-192.168.48.0 192.168.48.1
Service definition:
define service {
use generic-service
host_name vpngw.domain.tld
service_description Check CON-192.168.48.0
check_command check_ipsec2!"-c CON-192.168.48.0 -p -s"
}
or
define service {
use generic-service
host_name vpngw.domain.tld
service_description Check Tunnels
check_command check_ipsec2!"-a 4"
}
Command definition:
define command{
command_name check_ipsec2
command_line $USER1$/check_nrpe -H $HOSTADDRESS$ -c check_ipsec2 -a $ARG1$
}
Usage:
$PROGNAME [-hprsv] [-a number of connections] [-c IPSEC connection name]
-a (Check all connections)
-c (Check specific connection)
-p (Ping remote gateway. Used only with -c)
-r (Restart IPSEC if down)
-s (Reacquire SA for connection. Used only with both -c and -p)
-h (Show this help screen)
-v (Show version)
-a and -c cannot be used together.
-s can only be used with -c.
-p can only be used with -c.
===== Changes =====
* 1.0rc1
- integrated getopts
- added ping using fping option
- added reacquire SA option
- added restart ipsec option
- can now check for installed routes
===== ToDo =====
1. Open to ideas
===== Code =====
#!/bin/bash
#set -x
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
#
# Based partially on the work done by By Nicole in the check_ipsec script
#
# Plugin Name: check_ipsec2
# Version: 1.0rc1
# Date: 24/04/2013
#
# Usage: check_ipsec2 -a
# check_ipsec2 -c
#
# ipsec_gateways.txt file must be located in same directory
# and has to look like:
# nameofconn1 192.168.0.1
# nameofconn2 192.168.1.1
#
# ------------Defining Variables------------
PROGNAME=`basename $0`
PROGPATH=`echo $0 | sed -e 's,[\\/][^\\/][^\\/]*$,,'`
REVISION="1.0rc1"
GATEWAYLIST="/etc/nagios/ipsec_gateways.txt"
DOWN=""
AWKBIN=`which awk`
EGREPBIN=`which egrep`
FPINGBIN=`which fping`
GREPBIN=`which grep`
IPSECBIN=`which ipsec`
WCBIN=`which wc`
PINGIP=0
AUTHOR="Copyright 2013, Charles Williams (chuck@itadmins.net) (http://www.itadmins.net/)"
missing="O"
. $PROGPATH/utils.sh
print_version() {
echo "$VERSION $AUTHOR"
}
print_usage() {
echo "Usage:"
echo " $PROGNAME [-hprsv] [-a number of connections] [-c IPSEC connection name]"
echo " -a (Check all connections)"
echo " -c (Check specific connection)"
echo " -p (Ping remote gateway. Used only with -c)"
echo " -r (Restart IPSEC if down)"
echo " -s (Reacquire SA for connection. Used only with both -c and -p)"
echo " -h (Show this help screen)"
echo " -v (Show version)"
echo
echo "-a and -c cannot be used together."
echo "-s can only be used with -c."
echo "-p can only be used with -c."
echo ""
}
print_help() {
print_revision $PROGNAME $REVISION
echo ""
print_usage
echo ""
}
if [ $# -eq 0 ];
then
print_help
exit $STATE_UNKNOWN
fi
test -e $IPSECBIN
if [ $? -ne 0 ];
then
echo CRITICAL - $IPSECBIN not exist
exit $STATE_CRITICAL
else
STRONG=`$IPSECBIN --version |grep strongSwan | wc -l`
fi
check_all() {
if [[ "$STRONG" -eq "1" ]]
then
eroutes=`$IPSECBIN status | $EGREPBIN -e "INSTALLED, |IPsec SA established" | wc -l`
else
eroutes=`$IPSECBIN whack --status | grep -e "IPsec SA established" | grep -e "newest IPSEC" | wc -l`
fi
#if [[ "$PINGIP" -eq "1" ]]
#then
# ping_gateway $1
#fi
if [[ "$eroutes" -eq "$1" ]]
then
echo "OK - All $1 tunnels are up and running"
exit $STATE_OK
elif [[ "$eroutes" -gt "$1" ]]
then
echo "WARNING - More than $1 ($eroutes) tunnels are up and running"
exit $STATE_WARNING
else
echo "CRITICAL - Only $eroutes tunnels from $1 are up and running."
exit $STATE_CRITICAL
fi
}
check_connection() {
if [[ "$STRONG" -eq "1" ]]
then
eroutes=`$IPSECBIN status | grep -e "$1" | $EGREPBIN -e "INSTALLED, |IPsec SA established" | wc -l`
else
eroutes=`$IPSECBIN whack --status | grep -e "IPsec SA established" | grep -e "$2" | wc -l`
fi
if [[ "$PINGIP" -eq "1" ]]
then
ping_gateway $1
fi
if [[ "$eroutes" -eq "1" ]]
then
echo "OK - $1 Connection is up and running"
exit $STATE_OK
else
if [[ "$REACQUIRE" -eq "1" ]]; then
reacquire_sa $1
elif [[ "$RESTART" -eq "1" ]]; then
restart_ipsec
else
echo "CRITICAL - $1 Connection is down"
exit $STATE_CRITICAL
fi
fi
}
ping_gateway() {
GATEWAYIP=`$GREPBIN $1 $GATEWAYLIST| $AWKBIN '{print $2}'`
PING=`$FPINGBIN $GATEWAYIP -r 1 | $GREPBIN alive | $WCBIN -l`
if [[ "$PING" -eq "0" ]]
then
if [[ "$REACQUIRE" -eq "1" ]]; then
reacquire_sa $1
else
echo "CRITICAL - $1 is down (no ping)"
exit $STATE_CRITICAL
fi
fi
}
restart_ipsec() {
RETURN=`$IPSECBIN restart`
echo "WARNING - IPSEC being restarted"
exit $STATE_WARNING
}
reacquire_sa() {
RETURN=`$IPSECBIN down $1; $IPSECBIN up $1`
echo "WARNING - Connection $1 SA Updating"
exit $STATE_WARNING
}
NUMCONN=""
CONNAME=""
CHECKALL=0
CHECKCON=0
while getopts ":a:c:prshv" opt; do
case $opt in
h)
print_help
exit $STATE_OK
;;
v)
print_revision $PLUGIN $REVISION
exit $STATE_OK
;;
a)
NUMCONN=$OPTARG
CHECKALL=1
;;
c)
CONNAME=$OPTARG
CHECKCON=1
;;
p)
PINGIP=1
;;
r)
RESTART=1
;;
s)
REACQUIRE=1
;;
:)
echo "Option -$OPTARG requires an arguement." >&2
print_help
exit $STATE_OK
;;
\?)
print_help
exit $STATE_OK
;;
esac
done
if [ $PINGIP -eq 1 ]
then
test -e $GATEWAYLIST
if [ $? -ne 0 ];
then
echo CRITICAL - $GATEWAYLIST does not exist
exit $STATE_CRITICAL
fi
test -e $FPINGBIN
if [ $? -ne 0 ];
then
echo CRITICAL - $FPINGBIN not installed or not found
exit $STATE_CRITICAL
fi
fi
if [[ ( $CONNAME = "" && $NUMCONN = "" ) || ( $CONNAME != "" && $NUMCONN != "" ) ]]; then
print_help
exit $STATE_OK
fi
if [ $CHECKCON -eq 1 ]; then
check_connection $CONNAME
else
check_all $NUMCONN
fi