VPN Monitoring

John A. Sullivan III jsullivan at opensourcedevel.com
Wed Jun 13 12:08:22 CEST 2007


On Tue, 2007-06-12 at 19:30 -0700, Anthony Mendoza wrote:
> What are you trying to monitor on the VPN devices?  If you're using SNMP
> you can pretty much monitor anything you know the OID for using the
> check_snmp plugin.  If your Checkpoint VPN is running on a Linux server
> then anything exposed by the SNMP daemon is monitorable.
> 
> On 6/12/2007 9:03 AM, Kerry Milestone had said:
> > Hello,
> >
> > does anyone have any hints on how to monitor Checkpoint VPN status? 
> > Also of interest is how to monitor Sonicwalls, again preferably with
> > SNMP trying to keep scripts and processing simple.  However I am
> > guessing a little more in depth trickery such as checking traceroutes
> > and routing tables may be required?  Am looking at star network
> > topologies with multiple links and VPNs to each site.
> >
> > Any ideas would be kindly received.
> >
> > Regards,
> > Kerry.
<snip>
We've found the most difficult part of monitoring VPNs has been tunnel
availability.  Because of the way IPSec works, we cannot trust the VPN
gateway's report that a tunnel is up as authoritative.  The tunnel may
be up from each gateway's perspective but they may be out of sync.  We
have resolved that problem pretty effectively for our environment.

We are not using Checkpoint or Sonicwalls.  Instead, we've been building
highly secure VPNs for both LAN-to-LAN and Remote Access using the ISCS
network security management project (http://iscs.sourceforge.net) with
either SecureComputing SG devices or home grown Linux gateways.

We have a script which pings across the tunnel with service dependencies
of both gateways.  This way, we test the real tunnel availability
instead of what the gateways think is the reality. Finally, we have an
agent which resets the tunnels if it does find them out of sync.  As a
result, even when tunnels go out of sync, the outage is usually between
30 and 180 seconds - less time than it would take us just to ascertain
what was wrong.  Hope that helps - John
-- 
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan at opensourcedevel.com

Financially sustainable open source development
http://www.opensourcedevel.com
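
The through-the-tunnel check described in the message above, sketched as a Nagios-style plugin. This is an added example, not the poster's script: the far-side host and the two gateway-reported states passed as arguments are hypothetical inputs, gathered however your site collects them (for example with check_snmp).

```shell
#!/bin/sh
# Added example: Nagios-style end-to-end tunnel check (not the poster's script).
# Usage: check_tunnel.sh FAR_SIDE_HOST GW_A_STATE GW_B_STATE
#   FAR_SIDE_HOST  address reachable only through the tunnel (assumption)
#   GW_x_STATE     "up"/"down" as each gateway reports it, gathered elsewhere,
#                  for example via SNMP (hypothetical inputs)
OK=0 WARNING=1 CRITICAL=2 UNKNOWN=3   # standard Nagios plugin exit codes
WARN_LOSS=${WARN_LOSS:-20}            # % loss that raises WARNING

# Print the integer packet-loss percentage from ping's summary text.
loss_from_ping() {
    printf '%s\n' "$1" |
        sed -n 's/.*[, ]\([0-9][0-9]*\)[.0-9]*% packet loss.*/\1/p' | head -n 1
}

# tunnel_state GW_A GW_B LOSS: print a status line, return the Nagios code.
tunnel_state() {
    gw_a=$1 gw_b=$2 loss=$3
    case $loss in
        ''|*[!0-9]*) echo "TUNNEL UNKNOWN - no packet loss figure in ping output"
                     return $UNKNOWN ;;
    esac
    if [ "$loss" -lt 100 ]; then
        if [ "$loss" -ge "$WARN_LOSS" ]; then
            echo "TUNNEL WARNING - ${loss}% loss across tunnel"; return $WARNING
        fi
        echo "TUNNEL OK - ${loss}% loss across tunnel"; return $OK
    fi
    # Nothing crosses the tunnel: compare with what the gateways claim.
    if [ "$gw_a" = up ] && [ "$gw_b" = up ]; then
        echo "TUNNEL CRITICAL - out of sync: both gateways report up, no traffic passes"
        return $CRITICAL
    fi
    echo "TUNNEL CRITICAL - down (gateway A: $gw_a, gateway B: $gw_b)"
    return $CRITICAL
}

main() {
    # LC_ALL=C keeps the summary line in the wording loss_from_ping expects.
    out=$(LC_ALL=C ping -c 5 "$1" 2>&1)
    tunnel_state "$2" "$3" "$(loss_from_ping "$out")"
}

# Run the live probe only when called with all three arguments.
if [ "$#" -ge 3 ]; then
    main "$@"
    exit $?
fi
```

The "out of sync" status line is the condition the reset agent in the message would act on; the probe has to originate from an address whose traffic is actually routed into the tunnel.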

_______________________________________________
Nagios-users mailing list
Nagios-users at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nagios-users