Purpose: Generally speaking, when you have site-to-site VPN tunnels, you have to ensure that the tunnel is actually passing traffic as expected. Sometimes VPN tunnels will report that they are online and connected, but in reality no traffic is flowing to the remote side of the tunnel. In these instances, we can create a script that pings a device on the remote end, and if it does not respond in a timely manner, the script restarts the VPN tunnel automatically.
!!! note "Assumptions"
    This document assumes that you will be running a PowerShell script in a Windows environment. The curl
    commands can be used interchangeably on Linux, but the example script provided here uses curl.exe
    within a PowerShell script, and instead of running on a schedule with crontab, it runs from Windows Task Scheduler.
    I will attempt to provide Linux-equivalent commands where possible.
Configure Sophos XGS Firewall ACLs
You need to configure a user account that is used only for the API calls that reset the VPN tunnel(s); do not reuse an administrator login for this. At this stage, you need to log into your Sophos XGS Firewall
Prepare the Script Folder
You need a place to put the script (and, if on Windows, `curl.exe`). Follow the instructions specific to your platform below:
=== "Windows"
    Download `curl.exe` from this location: Download and place it somewhere on the operating system, such as `C:\Scripts\VPN_Tunnel_Checker`. Then copy this script into that same folder and call it `Tunnel_Checker.ps1` with the content below:
    ``` powershell
    # Firewall API endpoint, the dedicated API account and the tunnel name (placeholders)
    $FirewallUrl = "https://172.16.16.16:4444/webconsole/APIController"
    $ApiUser     = "TunnelCheckerAPIUser"
    $ApiPassword = "01_placeholder_PASSWORD_here_02"
    $TunnelName  = "VPN_TUNNEL_NAME"

    function Reset-VPN-Tunnel {
        Write-Host "VPN Tunnel Broken - Bringing VPN Tunnel Down..."
        # The URL must be quoted: unquoted, PowerShell treats < and > as redirection
        # operators and the request never reaches curl.exe.
        # -k disables TLS certificate validation for the firewall's admin port.
        .\curl.exe -k "${FirewallUrl}?reqxml=<Request><Login><Username>$ApiUser</Username><Password>$ApiPassword</Password></Login><Set><VPNIPSecConnection><DeActive><Name>$TunnelName</Name></DeActive></VPNIPSecConnection></Set></Request>"
        Start-Sleep -Seconds 5
        Write-Host "Bringing VPN Tunnel Up..."
        .\curl.exe -k "${FirewallUrl}?reqxml=<Request><Login><Username>$ApiUser</Username><Password>$ApiPassword</Password></Login><Set><VPNIPSecConnection><Active><Name>$TunnelName</Name></Active></VPNIPSecConnection></Set></Request>"
    }

    function Check-VPN-Tunnel {
        # Server connectivity check: a host on the far side of the tunnel that must answer ICMP
        Write-Host "Checking Tunnel Connection to PLACEHOLDER..."
        if (-not (Test-Connection '10.0.0.29' -Quiet)) {
            Reset-VPN-Tunnel
        }
        # Second server connectivity check
        Write-Host "Checking Tunnel Connection to PLACEHOLDER..."
        if (-not (Test-Connection '10.0.0.30' -Quiet)) {
            Reset-VPN-Tunnel
        }
    }

    function Trace-VPN-Tunnel {
        # Optional: per-hop latency/loss across the tunnel for troubleshooting
        Write-Host "Tracing Path to PLACEHOLDER:"
        pathping -n -w 500 -p 100 10.0.0.29
        Write-Host "Tracing Path to PLACEHOLDER:"
        pathping -n -w 500 -p 100 10.0.0.30
    }

    # curl.exe is called relative to this folder
    Set-Location "C:\Scripts\VPN_Tunnel_Checker"
    Check-VPN-Tunnel
    #Write-Host "Checking Tunnel Quality After Running Script..."
    #Trace-VPN-Tunnel
    ```
=== "Linux"
    ``` sh
    sudo dnf check-update
    ```
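The Windows script above sends the API password inside the URL and never looks at the firewall's answer. The following is an added example (not code from this page or from Sophos) of a reset step that reads the password from a DPAPI-protected file, sends `reqxml` in the POST body, and treats the reset as successful only when the reply's `<Status code>` is 200; the endpoint, account, paths and tunnel name are the page's placeholders, and the shape of the XML reply is an assumption.

```powershell
# Added example, not from the original page. Assumed: the page's placeholder endpoint,
# account and tunnel name, and that the firewall's XML reply carries a
# <Status code="..."> element per operation, with code 200 meaning "applied".
$FirewallUrl = 'https://172.16.16.16:4444/webconsole/APIController'
$ApiUser     = 'TunnelCheckerAPIUser'
$CurlExe     = 'C:\Scripts\VPN_Tunnel_Checker\curl.exe'
$PassFile    = 'C:\Scripts\VPN_Tunnel_Checker\apipass.txt'

# One-time setup, run interactively as the account the scheduled task runs under:
#   Read-Host -AsSecureString | ConvertFrom-SecureString | Set-Content $PassFile
# ConvertFrom-SecureString uses DPAPI, so only that user on that machine can read it back.
function Get-ApiPassword {
    $secure = Get-Content $PassFile | ConvertTo-SecureString
    $bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
    try     { [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
    finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }
}

# Sends one <Set> operation; returns $true only if the firewall confirms it.
function Invoke-SophosSet {
    param([Parameter(Mandatory)][string]$SetBody)
    # Escape the password so a character such as & or < cannot break the XML document.
    $pw = [System.Security.SecurityElement]::Escape((Get-ApiPassword))
    $reqxml = "<Request><Login><Username>$ApiUser</Username><Password>$pw</Password></Login>" +
              "<Set>$SetBody</Set></Request>"
    # --data-urlencode puts reqxml in the POST body, so the XML (and the password)
    # is not part of the URL and does not end up in proxy or web-server logs.
    $raw = & $CurlExe -k -s --data-urlencode "reqxml=$reqxml" $FirewallUrl
    if ($LASTEXITCODE -ne 0) { Write-Warning "curl exited with $LASTEXITCODE"; return $false }
    try { $xml = [xml]($raw -join "`n") } catch { Write-Warning "Unparseable reply: $raw"; return $false }
    $status = $xml.SelectSingleNode('//Status[@code]')
    if ($null -eq $status) { Write-Warning "No <Status code> in reply: $raw"; return $false }
    Write-Host "Firewall replied $($status.code): $($status.InnerText)"
    return ($status.code -eq '200')
}

# Bounce the tunnel, but always attempt the Active step so a confirmed DeActive
# is never left standing, and report whether the tunnel was confirmed back up.
function Reset-VPN-Tunnel {
    param([string]$Name = 'VPN_TUNNEL_NAME')
    if (-not (Invoke-SophosSet "<VPNIPSecConnection><DeActive><Name>$Name</Name></DeActive></VPNIPSecConnection>")) {
        Write-Warning "DeActive of $Name was not confirmed"
    }
    Start-Sleep -Seconds 5
    $up = Invoke-SophosSet "<VPNIPSecConnection><Active><Name>$Name</Name></Active></VPNIPSecConnection>"
    if (-not $up) { Write-Warning "Active of $Name was not confirmed; check the firewall" }
    return $up
}
```

Because `Reset-VPN-Tunnel` now returns a boolean, the caller in `Check-VPN-Tunnel` can log or alert when a reset was attempted but not confirmed, instead of silently assuming the tunnel came back.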