Hello,
Out of necessity, I modified the check_racoon Nagios plugin to work with
pfSense. I wanted to monitor some of my VPN tunnels, and this was the
easiest way I could find to make it work. I'm not even sure if I'm posting
this to the right place, but I figured that someone else might find it
useful. One caveat to making this work was that I needed to add the Nagios
user to the wheel group in order to be able to run racoonctl and dump the
ISAKMP status. I'm not sure if that opens up a huge security hole; maybe
someone could let me know.
Anyway, here is the plugin code:
<code>
#!/bin/sh
#
# Adapted from check_racoon by Daniel van den Oord by Jim Spaloss
# Modified to target PFSense 2.1x and higher
# Last Modified 5/31/2014
#
# Note: racoonctl needs privileges to read the ISAKMP SA table, so the
# Nagios user must be allowed to run it (see the note above about wheel).
#PATH=""
ECHO="/bin/echo"
GREP="/bin/egrep"
DIFF="/usr/bin/diff"
TAIL="/usr/bin/tail"
CAT="/bin/cat"
RM="/bin/rm"
CHMOD="/bin/chmod"
TOUCH="/bin/touch"
PROGNAME=`/usr/bin/basename $0`
PROGPATH=`echo $0 | sed -e 's,[\\/][^\\/][^\\/]*$,,'`
REVISION=`echo '$Revision: 14PF $' | sed -e 's/[^0-9.]//g'`
# utils.sh ships with the Nagios plugins and defines STATE_*, print_revision
# and support
. $PROGPATH/utils.sh
print_usage() {
echo "Usage: $PROGNAME --ip endpointip"
echo "Usage: $PROGNAME --fqdn endpointhostname"
echo "Usage: $PROGNAME --fqdn6 endpointhostnameAAAA"
echo "Usage: $PROGNAME --help"
echo "Usage: $PROGNAME --version"
}
print_help() {
print_revision $PROGNAME $REVISION
echo ""
print_usage
echo ""
echo "Racoon IPSec VPN (SA) check plugin for Nagios"
echo ""
support
}
# Make sure the correct number of command line
# arguments have been supplied
if [ $# -lt 1 ]; then
print_usage
exit $STATE_UNKNOWN
fi
# Grab the command line arguments
#logfile=$1
#oldlog=$2
#query=$3
exitstatus=$STATE_WARNING #default
while test -n "$1"; do
case "$1" in
--help)
print_help
exit $STATE_OK
;;
-h)
print_help
exit $STATE_OK
;;
--version)
print_revision $PROGNAME $REVISION
exit $STATE_OK
;;
-V)
print_revision $PROGNAME $REVISION
exit $STATE_OK
;;
--ip)
endpoint=$2
shift
;;
--fqdn)
# Resolve the hostname to its IPv4 address: the last field of the
# "has address" line printed by host(1)
lookup=`host $2 | grep 'has address'`
if [ "$lookup" != "" ]
then
endpoint=`host $2 | grep 'has address' | grep -oE '[^ ]+$'`
else
$ECHO "CRITICAL - FQDN does not resolve: $2"
exit $STATE_CRITICAL
fi
shift
;;
--fqdn6)
# host(1) prints "has IPv6 address" (mixed case) for AAAA records
lookup=`host $2 | grep 'has IPv6 address'`
if [ "$lookup" != "" ]
then
endpoint=`host $2 | grep 'has IPv6 address' | grep -oE '[^ ]+$'`
else
$ECHO "CRITICAL - FQDN does not resolve: $2"
exit $STATE_CRITICAL
fi
shift
;;
# -x / --exitstatus are kept from the original check_racoon; here they
# only reset the default status to WARNING and consume their argument
-x)
exitstatus=$STATE_WARNING
shift
;;
--exitstatus)
exitstatus=$STATE_WARNING
shift
;;
*)
echo "Unknown argument: $1"
print_usage
exit $STATE_UNKNOWN
;;
esac
shift
done
# Look the endpoint up in the ISAKMP SA table. An empty endpoint would make
# grep match every line (a false OK), so refuse it. -F -w matches the
# address literally and only as a whole word, so 10.0.0.1 does not match
# 10.0.0.10 and the dots are not treated as regex wildcards.
if [ "$endpoint" = "" ]; then
$ECHO "UNKNOWN - no endpoint given (use --ip, --fqdn or --fqdn6)"
exit $STATE_UNKNOWN
fi
isakmp=`racoonctl -l show-sa isakmp | grep -F -w -- "$endpoint"`
if [ "$isakmp" != "" ]
then
$ECHO "Racoon vpn tunnel check ok: $endpoint"
exitstatus=$STATE_OK
else
$ECHO "CRITICAL - Racoon vpn tunnel not found: $endpoint"
exitstatus=$STATE_CRITICAL
fi
exit $exitstatus
</code>
Thanks,
Jim
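The whole check above comes down to one grep over the SA table, and an unquoted `grep $endpoint` is where a monitoring check like this silently goes wrong: the dots in an IPv4 address are regex wildcards, and a short address is a prefix of a longer one, so the plugin can report OK for a tunnel that is actually down. The script below is an added example, not part of Jim's plugin, the original check_racoon, or pfSense. It uses a constructed SA listing (the real `racoonctl show-sa isakmp` column layout may differ; only the address column matters) and compares the naive lookup with a fixed-string, whole-word lookup plus a simple endpoint sanity check. The function names `sa_present_naive`, `sa_present`, `valid_endpoint` and `check_tunnel` are my own.

```shell
#!/bin/sh
# Added example: why the ISAKMP SA lookup should use fixed-string, whole-word
# matching, and why an empty or malformed endpoint must be rejected up front.

# Constructed sample of an ISAKMP SA listing (not real racoonctl output; the
# genuine column layout may differ). Note there is a 10.0.0.10 peer but no
# 10.0.0.1 peer.
SAMPLE_SA='Destination            Cookies                            Created
10.0.0.10.500          1a2b3c4d5e6f7a8b:8b7a6f5e4d3c2b1a  2014-05-31 10:00:00
203.0.113.7.500        0f1e2d3c4b5a6978:8796a5b4c3d2e1f0  2014-05-31 10:05:00'

# Naive lookup, mirroring the original `grep $endpoint`: the endpoint is
# interpreted as a regular expression and may match inside a longer address.
sa_present_naive() {
    printf '%s\n' "$1" | grep "$2" >/dev/null
}

# Safer lookup: -F disables regex interpretation, -w requires the match to be
# delimited by non-word characters (so 10.0.0.1 does not match 10.0.0.10 but
# does match the "10.0.0.1.500" address.port form), and -- protects against
# an endpoint that starts with a dash being taken as an option.
sa_present() {
    printf '%s\n' "$1" | grep -F -w -- "$2" >/dev/null
}

# Accept only a plain IPv4 or IPv6 literal. An empty endpoint would make grep
# match every line of the table, which is a false OK, and spaces or regex
# metacharacters in the argument are a configuration error, not a tunnel state.
valid_endpoint() {
    case "$1" in
        '' | *[!0-9a-fA-F:.]* ) return 1 ;;
    esac
    return 0
}

# Nagios-style verdict: print one status line, return the Nagios exit code
# (0 OK, 2 CRITICAL, 3 UNKNOWN). $1 is the endpoint, $2 the SA listing text.
check_tunnel() {
    endpoint=$1
    listing=$2
    if ! valid_endpoint "$endpoint"; then
        echo "UNKNOWN - endpoint is not an IP literal: '$endpoint'"
        return 3
    fi
    if sa_present "$listing" "$endpoint"; then
        echo "OK - ISAKMP SA present for $endpoint"
        return 0
    fi
    echo "CRITICAL - no ISAKMP SA for $endpoint"
    return 2
}

# Stand-alone demonstration against the constructed listing.
if sa_present_naive "$SAMPLE_SA" 10.0.0.1; then
    echo "naive lookup: 10.0.0.1 reported present (false OK, matched 10.0.0.10)"
fi
check_tunnel 10.0.0.1 "$SAMPLE_SA"
check_tunnel 203.0.113.7 "$SAMPLE_SA"
check_tunnel "" "$SAMPLE_SA"
```

Run with `sh` on the pfSense box or any POSIX shell with grep. The naive lookup reports 10.0.0.1 as present because it matches the 10.0.0.10 line, while `check_tunnel` returns CRITICAL for it, OK for 203.0.113.7, and UNKNOWN for an empty endpoint rather than an all-matching OK.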
_______________________________________________
List mailing list
https://lists.pfsense.org/mailman/listinfo/list