0 votes
338 views 1 comments
by anonymous
Hi,

I need some advice with this job:

The RUT950 with IP 192.168.1.1 has two IPsec VPN tunnels towards two other RUT950s (one with IP 192.168.2.1 and the other with IP 192.168.3.1). I need that by default only one tunnel is enabled (for example the tunnel towards the RUT950 with IP 192.168.2.1) and only in case of failure of that router (for example loss of internet connection) the other tunnel goes up and all the traffic needs to be sent through that tunnel (RUT950 with IP 192.168.3.1).

I've already read some info on crontabs, maybe keeping a ping to the Router 192.168.2.1 and when this is not pingable run a command to enable the other IPSec Tunnel. But how to realize that?

Any other suggestion or ideas to make this automatism between the 2 VPN tunnels?

Thank you

1 Answer

0 votes
by anonymous

Hi,

Currently, such functionality does not exist on Teltonika devices. There is no information regarding whether this will be implemented in the future. However, it is possible to write a script that would achieve something similar.

I have tried to come up with a script for you. It is not perfect, but it should work. You can try using it, just change the IP addresses to ping and the names of the instances to your own (2 IPSec instances and 2 IP addresses at the beginning of the script). I provided some information here and will post the script in the next comment.

To create a script, connect to the device via CLI/SSH and execute the following commands to create a file, allow script execution, and edit the file:

  • touch /etc/ipsec_fail.sh
  • chmod +x /etc/ipsec_fail.sh
  • vi /etc/ipsec_fail.sh

You will open a text editor. Press 'i' to start editing. Copy this script (change the IP addresses and instances as you need) and paste it into the file. Save the script by pressing the 'esc' button, typing ':wq' and pressing 'enter'. The script should be created.

Add this script to crontab to execute at specific intervals. (Crontab information here).

To add the script to crontab, execute the following command and add your script:

  • crontab -e

Add a line as in the image below (in my example script runs every minute, but you can change it as you wish).

  • * * * * * /etc/ipsec_fail.sh >/dev/null 2>&1

Kind Regards,

Andzej

by anonymous

#!/bin/sh

# Define instances and HOSTS. The rest can be left as it is.

# Define the names of the two IPSec instances / IPSec tunnels
instance1='testc'
instance2='testb'

# Define the IP addresses of the two hosts to ping. HOST1 for instance1, HOST2 for instance2.
HOST1=192.168.11.11
HOST2=192.168.3.1

# Define the maximum number of ping failures required to switch instances
fails_max=6

# Define the number of pings to send
PING_COUNT=4

# Define the interval between pings in seconds
PING_INTERVAL=7

# Define the timeout for each ping in seconds
TIMEOUT=5

# Define the packet size for each ping in bytes
PACKET_SIZE=56

# Initialize other values
fail_count=0
PINGCMD="/bin/ping"
FAIL_FILE="/tmp/ipsec_fail"

# Check if the fail file exists
if [ -f "$FAIL_FILE" ]; then
    # Read the fail count from the file (an empty or damaged file counts as 0)
    fail_count=$(cat "$FAIL_FILE")
    case "$fail_count" in
        ''|*[!0-9]*) fail_count=0 ;;
    esac
else
    # Create file if it does not exist
    echo 0 > "$FAIL_FILE"
fi

# Check which instances are enabled (a missing option is treated as disabled,
# so the comparisons below never see an empty value)
instance1_enabled=$(uci -q get ipsec.$instance1.enabled)
instance2_enabled=$(uci -q get ipsec.$instance2.enabled)
instance1_enabled=${instance1_enabled:-0}
instance2_enabled=${instance2_enabled:-0}

# Check if both instances are enabled or if instance2 is disabled
if [ "$instance1_enabled" -eq 1 ] && [ "$instance2_enabled" -eq 1 ]; then
    echo "Both instances are enabled, setting current_instance to $instance1"
    current_instance=$instance1
elif [ "$instance1_enabled" -eq 1 ] && [ "$instance2_enabled" -eq 0 ]; then
    echo "Instance2 is disabled, setting current_instance to $instance1"
    current_instance=$instance1
# Check if instance1 is disabled and instance2 is enabled
elif [ "$instance1_enabled" -eq 0 ] && [ "$instance2_enabled" -eq 1 ]; then
    echo "Instance1 is disabled and Instance2 is enabled, setting current_instance to $instance2"
    current_instance=$instance2
else
    # Only reached when neither instance is enabled
    echo "Invalid configuration - both instances cannot be disabled"
    exit 1
fi

# Set initial host to ping. Do not change.
HOST=$HOST1

# Define the function to perform a ping
perform_ping() {
    local ping_cmd="$PINGCMD"
    alt=$instance2
    # Check if the current instance is instance2 and set the host to ping accordingly
    if [ "$current_instance" = "$instance2" ]; then
        HOST=$HOST2
        alt=$instance1
    fi
    if $ping_cmd -W "$TIMEOUT" -s "$PACKET_SIZE" -q -c 1 "$HOST" >/dev/null 2>&1; then
        # If the ping is successful, log the success and reset the fail count
        logger "IPSec tunnel $current_instance to host $HOST: Ping successful."
        fail_count=0
        echo "$fail_count" > "$FAIL_FILE"
    else
        # If the ping fails, increment the fail count and log the failure
        fail_count=$((fail_count + 1))
        echo "$fail_count" > "$FAIL_FILE"
        logger "IPSec tunnel $current_instance to host $HOST: Ping FAILED."
        if [ "$fail_count" -ge "$fails_max" ]; then
            logger "Fail count reached, disabling $current_instance and enabling $alt..."
            # Switch to the alternate instance
            if [ "$current_instance" = "$instance1" ]; then
                uci set ipsec.$instance1.enabled='0'
                uci set ipsec.$instance2.enabled='1'
                current_instance=$instance2
            else
                uci set ipsec.$instance2.enabled='0'
                uci set ipsec.$instance1.enabled='1'
                current_instance=$instance1
            fi
            # Restart IPSec and reset fail count
            uci commit ipsec
            /etc/init.d/ipsec restart
            fail_count=0
            echo "$fail_count" > "$FAIL_FILE"
            logger "Switched to $current_instance."
        fi
    fi
}

# Ping for a certain number of times and exit
for i in $(seq 1 "$PING_COUNT"); do
    perform_ping
    sleep "$PING_INTERVAL"
done
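As an added example (not the script posted in the comment above and not Teltonika code), the switching rules of that script are factored below into functions that take the ping result and the uci enabled flags as plain arguments: a failure counter persisted in a file, a switch once fails_max consecutive failures are reached, and alternation between the two instances. Because ping and uci are replaced by inputs, the rules can be exercised offline on constructed probe sequences before the script is put on a router. It also adds a mkdir-based lock against overlapping cron runs, which the posted script lacks; FAIL_FILE and LOCK_DIR under /tmp and all function names are assumptions for this illustration.

```shell
#!/bin/sh
# Added example: the failover decision logic of the posted script with ping and
# uci replaced by inputs. Paths and function names are assumptions.

FAIL_FILE="${FAIL_FILE:-/tmp/ipsec_fail.example}"     # persisted failure counter
LOCK_DIR="${LOCK_DIR:-/tmp/ipsec_fail.example.lock}"  # lock against overlapping runs
fails_max=6                                           # same threshold as the posted script

# Read the persisted failure counter; a missing or non-numeric file counts as 0.
read_fail_count() {
    n=$(cat "$FAIL_FILE" 2>/dev/null || true)
    case "$n" in
        ''|*[!0-9]*) echo 0 ;;
        *) echo "$n" ;;
    esac
}

write_fail_count() { echo "$1" > "$FAIL_FILE"; }

# Given the enabled flags of instance1 and instance2 as uci would report them
# (possibly empty), print the active instance; fail when neither is enabled.
pick_current() {
    i1="${1:-0}"; i2="${2:-0}"
    if [ "$i1" = 1 ]; then echo instance1
    elif [ "$i2" = 1 ]; then echo instance2
    else return 1
    fi
}

# The alternate of a given instance.
other_of() { [ "$1" = instance1 ] && echo instance2 || echo instance1; }

# One probe step: $1 is "ok" or "fail" (the ping result), $2 the current
# instance. Updates the counter file and prints the instance that should be
# active afterwards; a switch happens when the counter reaches fails_max.
step() {
    result="$1"; current="$2"
    count=$(read_fail_count)
    if [ "$result" = ok ]; then
        write_fail_count 0
        echo "$current"
        return 0
    fi
    count=$((count + 1))
    if [ "$count" -ge "$fails_max" ]; then
        write_fail_count 0
        other_of "$current"
        return 0
    fi
    write_fail_count "$count"
    echo "$current"
}

# Feed a sequence of probe results through step(), starting from the given
# instance; prints the final active instance and the number of switches.
# This models several cron invocations in a row sharing FAIL_FILE.
simulate() {
    current="$1"; shift
    switches=0
    for r in "$@"; do
        next=$(step "$r" "$current")
        [ "$next" != "$current" ] && switches=$((switches + 1))
        current="$next"
    done
    echo "$current $switches"
}

# Run a command under a lock. mkdir is atomic, so two cron invocations that
# overlap (e.g. after raising PING_INTERVAL) cannot both update FAIL_FILE.
with_lock() {
    if mkdir "$LOCK_DIR" 2>/dev/null; then
        "$@"; rc=$?
        rmdir "$LOCK_DIR"
        return $rc
    fi
    echo "another run is in progress" >&2
    return 75
}

# Stand-alone demo on constructed probe results: five failures do not switch,
# a sixth consecutive failure does.
rm -f "$FAIL_FILE"
echo "after 5 failures: $(simulate instance1 fail fail fail fail fail)"
rm -f "$FAIL_FILE"
echo "after 6 failures: $(simulate instance1 fail fail fail fail fail fail)"
rm -f "$FAIL_FILE"
```

On a router the "ok"/"fail" argument of step would come from the real ping exit status and the arguments of pick_current from uci -q get, with the uci set / commit / restart sequence of the posted script executed whenever step prints a different instance than it was given; wrapping the whole run in with_lock keeps a slow ping loop from racing a second cron start.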