**Purpose**: Generally speaking, when you have site-to-site VPN tunnels, you have to ensure that the *health* of the tunnel is operating as-expected.  Sometimes VPN tunnels will report that they are online and connected, but in reality, no traffic is flowing to the remote side of the tunnel.  In these instances, we can create a script that pings a device on the remote end, and if it does not respond in a timely manner, the script restart the VPN tunnel automatically.

!!! note "Assumptions"
    This document assumes that you will be running a powershell script on a Windows environment.  The `curl` commands can be used interchangably in Linux, but the example script provided here will be using `curl.exe` within a powershell script, and instead of running on a schedule using crontab, it will be using Windows Task Scheduler.

    I will attempt to provide Linux-equivalant commands where-possible.

## Configure Sophos XGS Firewall ACLs
You need to configure a user account that will be specifically used for leveraging the API controls that allow resetting the VPN tunnel(s).  At this stage, you need to log into your Sophos XGS Firewall 

## Choose a Server to Put Script On
It is important to choose a server/device that is able to communicate with the devices on the remote end of the tunnel.  If it cannot ping the remote device(s), it will assume that the tunnel is offline and do an infinite loop of restarting the VPN tunnel.  

## Prepare the Script Folder
You need a place to put the script (and if on Windows, `curl.exe`).  Follow the instructions specific to your platform below:

=== "Windows"
    Download `curl.exe` from this location: [Download](https://curl.se/windows/dl-8.10.0_1/curl-8.10.0_1-win64-mingw.zip) and place it somewhere on the operating system, such as `C:\Scripts\VPN_Tunnel_Checker`.  Then copy this script into that same folder and call it `Tunnel_Checker.ps1` with the content below:

    !!! note "Curl Files Extraction"
        You will want to extract all of the files included in the zip file's `bin` folder.  Specifically, copy the following files into the `C:\Scripts\VPN_Tunnel_Checker` folder:
        
        - `curl.exe`
        - `curl-ca-bundle`
        - `libcurl-x64.def`
        - `libcurl-x64.dll`

    ``` powershell
    function Reset-VPN-Tunnel {
    Write-Host "VPN Tunnel Broken - Bringing VPN Tunnel Down..."
    .\curl -k https://172.16.16.16:4444/webconsole/APIController?reqxml=<Request><Login><Username>TunnelCheckerAPIUser</Username><Password>01_placeholder_PASSWORD_here_02</Password></Login><Set><VPNIPSecConnection><DeActive><Name>VPN_TUNNEL_NAME</Name></DeActive></VPNIPSecConnection></Set></Request>

    Start-Sleep -Seconds 5

    Write-Host "Bringing VPN Tunnel Up..."
    .\curl -k https://172.16.16.16:4444/webconsole/APIController?reqxml=<Request><Login><Username>TunnelCheckerAPIUser</Username><Password>01_placeholder_PASSWORD_here_02</Password></Login><Set><VPNIPSecConnection><Active><Name>VPN_TUNNEL_NAME</Name></Active></VPNIPSecConnection></Set></Request>
    }

    function Check-VPN-Tunnel {
    # Server Connectivity Check
    Write-Host "Checking Tunnel Connection to PLACEHOLDER..."
    if (-not (Test-Connection '10.0.0.29' -Quiet)) {
            Reset-VPN-Tunnel
        }

    # Server Connectivity Check
    Write-Host "Checking Tunnel Connection to PLACEHOLDER..."
    if (-not (Test-Connection '10.0.0.30' -Quiet)) {
            Reset-VPN-Tunnel
        }
    }

    function Trace-VPN-Tunnel {
        Write-Host "Tracing Path to PLACEHOLDER:"
        pathping -n -w 500 -p 100 10.0.0.29

        Write-Host "Tracing Path to PLACEHOLDER:"
        pathping -n -w 500 -p 100 10.0.0.30
    }

    CD "C:\Scripts\VPN_Tunnel_Checker"
    Check-VPN-Tunnel

    #Write-Host "Checking Tunnel Quality After Running Script..."
    #Trace-VPN-Tunnel
    ```

    !!! note "Optional Reporting"
        You may find that you want some extra logging enabled so you can track the script doing its job to ensure its working.  You can add the following to the script above to add that functionality.
        
        Add the following to the bottom of each server in the `Check-VPN-Tunnel` function, directly below the `Reset-VPN-Tunnel` function.

        ``` powershell
        Add-Content -Path "C:\Scripts\VPN_Tunnel_Checker\Tunnel.log" -Value "$(Get-Date -Format 'yyyy-MM-dd HH:mm:ss') PLACEHOLDER Connection Down"
        ```

        Lastly, change the very end of the script under where the `Check-IHS-Tunnel` function is being called to look like this if you want to log heartbeats and not just when a VPN tunnel is down.  The purpose of this is to show the script is actually running.  I recommend only temporarily implementing it during initial deployment.

        ``` powershell
        CD "C:\Scripts"
        Check-VPN-Tunnel
        Add-Content -Path "C:\Scripts\VPN_Tunnel_Checker\Tunnel.log" -Value "$(Get-Date -Format 'yyyy-MM-dd HH:mm:ss') Heartbeat"
        ```
        
=== "Linux"

    ``` sh
    PLACEHOLDER
    ```