Script to reset IPSec peer

Hi, I have noticed that for some reason when a GRE/IPSec tunnel between my VyOS 1.1.8 and Mikrotik router is interrupted, the ph2 does not want to re-establish. I do not yet know the cause, but I know for a fact that resetting the IPSec peer on the VyOS side immediately resolves the issue (resetting the peer on the Mikrotik side does not resolve the issue).

Is there a way (until I have found a configuration fix / bug fix) to configure a script on the VyOS side to automatically perform a reset vpn ipsec-peer x.x.x.x when the sh vpn ipsec sa peer state changes to down (or at least run it on a timer)? Thanks

Make a script like this where 1.2.3.4 is the source interface to poll the distant end, and 192.168.1.1 is the address to poll on the distant end. May need some syntax tweaks on the ping depending on your setup. Make sure to make the script executable with chmod.

Then add system task scheduler commands to run at intervals:

set system task-scheduler task vpncheck executable path '/config/scripts/vpncheck.sh'
set system task-scheduler task vpncheck interval '10m'


vpncheck.sh


#!/bin/bash
# Poll the distant end from the given source address, discarding ping output.
# -c 3: three probes, -W 2: two-second wait per reply, -I: source address/interface.
if ! /bin/ping -c 3 -W 2 -I 1.2.3.4 192.168.1.1 >/dev/null 2>&1; then
    echo "Failed"
    # Restart the VPN through the VyOS op-mode shell (vbash, interactive so op-mode commands resolve).
    /bin/vbash -ic 'restart vpn'
fi

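A variant of the check, as an added example that is not from this thread or from the VyOS project: it decides from the sh vpn ipsec sa peer output the original poster mentioned rather than from a ping, and resets only the affected peer with reset vpn ipsec-peer, which leaves other peers' SAs alone. The Vyatta-style table layout it parses, the placeholder peer address 203.0.113.1 and the vpncheck logger tag are assumptions; the constructed sample output lets the parsing part run off the router.

```shell
#!/bin/bash
# Added example (not from the thread): reset a single IPsec peer only when
# "show vpn ipsec sa peer" reports one of its tunnels as not up, instead of
# pinging through the tunnel. Assumed: the Vyatta-style table layout below,
# with a "State" column, matches what VyOS 1.1.8 prints; PEER is a placeholder.
PEER="${PEER:-203.0.113.1}"

# Constructed sample of the op-mode output, used for the offline self-check.
SAMPLE_DOWN='Peer ID / IP                            Local ID / IP
------------                            -------------
203.0.113.1                             198.51.100.1

    Tunnel  State  Bytes Out/In   Encrypt  Hash    NAT-T  A-Time  L-Time  Proto
    ------  -----  -------------  -------  ----    -----  ------  ------  -----
    1       down   0.0/0.0        aes256   sha1    no     0       3600    gre'

# Print the State column of every tunnel row (rows whose first field is the
# numeric tunnel id); header and peer lines are skipped.
tunnel_states() {
    awk '$1 ~ /^[0-9]+$/ { print $2 }'
}

# Exit 0 when a reset is needed (no SA listed, or any tunnel not "up"),
# 1 when every tunnel is up. Reads the op-mode output on stdin.
needs_reset() {
    states=$(tunnel_states)
    [ -z "$states" ] && return 0
    printf '%s\n' "$states" | grep -qv '^up$'
}

# Query the router and reset only this peer, which is less disruptive than
# "restart vpn" because other peers' SAs are left alone.
check_and_reset() {
    if /bin/vbash -ic "show vpn ipsec sa peer $PEER" | needs_reset; then
        logger -t vpncheck "IPsec SA to $PEER is not up, resetting peer"
        /bin/vbash -ic "reset vpn ipsec-peer $PEER"
    fi
}

if [ -x /bin/vbash ]; then
    check_and_reset            # on the router: run the real check
else
    printf '%s\n' "$SAMPLE_DOWN" | needs_reset && echo "sample: reset needed"
fi
```

Schedule it with the same task-scheduler entry as vpncheck.sh; a scheduler interval shorter than the DPD or rekey timers just produces duplicate resets while the peer is still negotiating.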

Thank you for the reply - I will give it a try

Did you try the script? I would appreciate you sharing your experience.

Hi,

I was able to resolve the issue on my side before I had to implement the script. So unfortunately I cannot provide you feedback on its effectiveness.

Hope it works for you.

Hi,

Thank you, I will give it a try.

If you don't mind, how did you resolve it? What was the core of the issue? I am facing a similar issue: the IPSEC tunnel between the VyOS and a Cisco ASA (customer side) is interrupted and it won't re-establish ph2. Resetting the peer on VyOS resolves the issue.

My implementation is GRE over IPSec, for which the protocol needs to be specified in the P2.
The issue on my side was that the VyOS side was set to GRE and the Mikrotik side set to ANY. This seems to have resulted in a temporary mismatch which would then be resolved automatically after random time periods (guessing it comes down to which side initiates). Changing both sides to match (e.g. ANY) resolved the issue.